|NO.Z.00226|——————————|CloudNative|——|KuberNetes&細粒度許可權控制.V10|------------------------------------------------|RBAC.v02|臨時容器配置|
阿新 • • 發佈:2022-03-31
[CloudNative:KuberNetes&細粒度許可權控制.V10] [Applications.KuberNetes] [|DevOps|k8s|細粒度許可權控制|RBAC|臨時容器概念和配置|使用臨時容器線上debug|]
一、臨時容器配置:開啟k8s元件中--feature-gates功能
### --- 開啟k8s元件功能:在k8s的kubelet元件開啟--feature-gates功能(所有節點) ~~~ 所有節點都執行 ~~~ 首先在kubelet下開啟EphermeralContainers: [root@k8s-master01 ~]# vim /etc/systemd/system/kubelet.service.d/10-kubelet.conf [Service] Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig" Environment="KUBELET_SYSTEM_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin" Environment="KUBELET_CONFIG_ARGS=--config=/etc/kubernetes/kubelet-conf.yml --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.2" --feature-gates="EphemeralContainers=true" # 這行末尾新增如下引數:--feature-gates="EphemeralContainers=true" Environment="KUBELET_EXTRA_ARGS=--node-labels=node.kubernetes.io/node='' " ExecStart= ExecStart=/usr/local/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_SYSTEM_ARGS $KUBELET_EXTRA_ARGS
~~~ # 通過這個命令也是可以檢視的,預設是false
[root@k8s-master01 ~]# kubelet -h | grep EphemeralContainers
EphemeralContainers=true|false (ALPHA - default=false)### --- 開啟kubelet-conf配置檔案引數 [root@k8s-master01 ~]# vim /etc/kubernetes/kubelet-conf.yml featureGates: EphemeralContainers: true // 在檔案末尾新增此引數
### --- daemon-reload:先重啟一個節點,檢視是否會報錯
[root@k8s-node02 ~]# systemctl daemon-reload
[root@k8s-node02 ~]# systemctl restart kubelet
[root@k8s-node02 ~]# systemctl status kubelet
Active: active (running) since Tue 2021-05-04 12:24:52 CST; 6s ago二、開啟k8s元件功能:在k8s的kube-proxy元件開啟--feature-gates功能(所有節點)~~~ # 檢視日誌沒有error,再執行其它容器 [root@k8s-node02 ~]# tail -f /var/log/messages
### --- 所有節點執行,在kube-proxy修改如下引數
[root@k8s-master01 ~]# vim /usr/lib/systemd/system/kube-proxy.service
[Service]
ExecStart=/usr/local/bin/kube-proxy \
--config=/etc/kubernetes/kube-proxy.conf \
--feature-gates=EphemeralContainers=true \ // 此行新增次引數,這是開啟一個feature,若是開啟多個的話逗號隔開即可
--v=2### --- 重啟
[root@k8s-node02 ~]# systemctl daemon-reload
[root@k8s-node02 ~]# systemctl restart kube-proxy
[root@k8s-node02 ~]# systemctl status kube-proxy### --- 在master節點執行修改kube-apiserver的元件說明
[root@k8s-master01 ~]# vim /usr/lib/systemd/system/kube-apiserver.service
--feature-gates=EphemeralContainers=true \ // 新增這行引數
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-username-headers=X-Remote-User
# --token-auth-file=/etc/kubernetes/token.csv### --- 在master節點執行修改controller manager的元件說明
--requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.pem \
--feature-gates=EphemeralContainers=true \ // 新增這行引數
--node-cidr-mask-size=24### --- 在master節點執行修改kube-scheduler.service的元件說明
--leader-elect=true \
--feature-gates=EphemeralContainers=true \ // 新增這行引數
--kubeconfig=/etc/kubernetes/scheduler.kubeconfig[root@k8s-master01 ~]# systemctl daemon-reload
[root@k8s-master01 ~]# systemctl restart kube-apiserver kube-controller-manager kube-scheduler.service
[root@k8s-master01 ~]# systemctl status kube-apiserver kube-controller-manager kube-scheduler.service
● kube-apiserver.service - Kubernetes API Server
Active: active (running) since Tue 2021-05-04 13:32:21 CST; 4min 55s ago
● kube-controller-manager.service - Kubernetes Controller Manager
Active: active (running) since Tue 2021-05-04 13:32:40 CST; 4min 35s ago
● kube-scheduler.service - Kubernetes Scheduler
Active: active (running) since Tue 2021-05-04 13:23:31 CST; 13min ago
[root@k8s-master01 ~]# tail -f /var/log/messages===============================END===============================
Walter Savage Landor:strove with none,for none was worth my strife.Nature I loved and, next to Nature, Art:I warm'd both hands before the fire of life.It sinks, and I am ready to depart ——W.S.Landor
來自為知筆記(Wiz)