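In the previous article we installed kubectl-debug, a pod debugging tool. Here we install a sample nginx application, including its deployment, service, and ingress. We install this sample application in the default namespace and then debug it with the kubectl-debug tool introduced in the previous article.
Create the configuration directory:
Because the nginx application is deployed to the k8s cluster as a deployment, it has YAML deployment files; for now they are all kept in this directory.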
mkdir -p /opt/application/k8s/nginx-app
cd /opt/application/k8s/nginx-app
patch service account:
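k8s needs to pull the image. Here we use a private repo (Harbor, introduced in an earlier article), and pulling an image from a private project requires authenticating to the private repo. k8s stores the private repo's credentials in a secret object. Every pod belongs to a namespace, and every namespace has a default service account (the one used when the YAML does not specify a service account). We can attach the image pull secret to this default service account, so that the manifests do not need to specify an image pull secret.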
kubectl create secret docker-registry container-registry --docker-server=172.20.11.41:1034 \
--docker-username=admin --docker-password=abc123_ --namespace=default
kubectl describe secret container-registry -n default
kubectl patch serviceaccount default --namespace=default -p '{"imagePullSecrets": [{"name": "container-registry"}]}'
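The following is an added example, not code from the original article: it decodes a docker-registry secret shaped like the one created above and lists which registries a service account's pods can pull from through imagePullSecrets. The manifests are constructed samples built from the values in the commands above, and the function names are hypothetical.

```python
import base64
import json

def make_pull_secret(name, server, username, password):
    """Constructed sample: a Secret manifest shaped like the one
    `kubectl create secret docker-registry` stores."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": username, "password": password, "auth": auth}}}
    return {
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": "default"},
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()},
    }

def decode_pull_secret(secret):
    """Recover (registry, username, password); base64 is encoding, not encryption."""
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    creds = []
    for registry, entry in cfg.get("auths", {}).items():
        user, password = entry.get("username"), entry.get("password")
        if entry.get("auth"):  # "auth" is base64("user:password")
            user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        creds.append((registry, user, password))
    return creds

def registries_inherited(service_account, secrets_by_name):
    """Registries that pods using this service account can pull from
    without naming a pull secret in their own manifest."""
    inherited = []
    for ref in service_account.get("imagePullSecrets", []):
        secret = secrets_by_name.get(ref["name"])
        if secret is None:
            inherited.append((ref["name"], None))  # dangling reference: pulls will fail
            continue
        for registry, _, _ in decode_pull_secret(secret):
            inherited.append((ref["name"], registry))
    return inherited

if __name__ == "__main__":
    secret = make_pull_secret("container-registry", "172.20.11.41:1034", "admin", "abc123_")
    default_sa = {"kind": "ServiceAccount", "metadata": {"name": "default"},
                  "imagePullSecrets": [{"name": "container-registry"}]}
    print(decode_pull_secret(secret))
    print(registries_inherited(default_sa, {"container-registry": secret}))
```

Anyone allowed to read secrets in the default namespace can recover the registry password this way, so read access to that secret is worth restricting with RBAC.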
Create the deployment for the nginx application:
cat > /opt/application/k8s/nginx-app/nginx-deployment.yaml <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-nginx-app
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      k8s-app: nginx-app
  template:
    metadata:
      labels:
        k8s-app: nginx-app
    spec:
      containers:
      - name: nginx-app
        image: 172.20.11.41:1034/library/nginx:latest
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 80
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /index.html
            port: 80
            scheme: HTTP
          initialDelaySeconds: 60
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 15
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /index.html
            port: 80
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 15
EOF
kubectl create -f /opt/application/k8s/nginx-app/nginx-deployment.yaml
kubectl describe deployment deployment-nginx-app -n default
Create the service for the nginx application:
Here the service is defined as type ClusterIP; later we expose it to external callers by defining an ingress rule.
cat > /opt/application/k8s/nginx-app/nginx-app-service.yaml <<EOF
apiVersion: v1
kind: Service
metadata:
  name: service-nginx-app
  namespace: default
spec:
  selector:
    k8s-app: nginx-app
  type: ClusterIP
  ports:
  - name: nginx-app-http
    port: 80
    targetPort: 80
    protocol: TCP
EOF
kubectl create -f /opt/application/k8s/nginx-app/nginx-app-service.yaml
kubectl describe service service-nginx-app -n default
Create the ingress rule for the nginx application:
cat > /opt/application/k8s/nginx-app/nginx-app-ingress.yaml <<EOF
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-of-nginx-app
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
      - path: /nginx
        backend:
          serviceName: service-nginx-app
          servicePort: 80
EOF
kubectl create -f /opt/application/k8s/nginx-app/nginx-app-ingress.yaml
kubectl describe ingress ingress-of-nginx-app -n default
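Access the nginx application from outside:
The nginx-ingress-controller we created redirects http to https by default, so although we did not declare https in the container, we can still reach the application. In the certificate details we can also see that this certificate is the default SSL certificate we configured for nginx-ingress-controller in an earlier article.
Check that the nginx application's pods are running, then debug:
Here we see that the nginx application has 2 pods: 10.1.79.4 (on node 172.20.11.43) and 10.1.27.2 (on node 172.20.11.42).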
kubectl get pods -n default
Debug the nginx pod:
Here we debug into 10.1.79.4 (on node 172.20.11.43) and from there ping 10.1.27.2 (on node 172.20.11.42), use curl to access the nginx application on 10.1.27.2, use traceroute to trace the route to 10.1.27.2, and use nslookup to query the FQDN of the internal service and the FQDN of an external domain.