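How to pull images when containerd is the container runtime
阿新 • Published: 2022-12-06
Since v1.24, k8s uses containerd as the default container runtime. Many image repositories are hosted on gcr.io, which may not be reachable from within China. The rest of this post sets up Metrics Server to demonstrate how to work around this.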
components.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    k8s-app: metrics-server
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: system:aggregated-metrics-reader
rules:
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    k8s-app: metrics-server
  name: system:metrics-server
rules:
- apiGroups:
  - ""
  resources:
  - nodes/metrics
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server-auth-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server:system:auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: system:metrics-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:metrics-server
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
spec:
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    k8s-app: metrics-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
  strategy:
    rollingUpdate:
      maxUnavailable: 0
  template:
    metadata:
      labels:
        k8s-app: metrics-server
    spec:
      containers:
      - args:
        - --kubelet-insecure-tls # access to kubelet
        - --cert-dir=/tmp
        - --secure-port=4443
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
        - --kubelet-use-node-status-port
        - --metric-resolution=15s
        image: k8s.gcr.io/metrics-server/metrics-server:v0.6.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /livez
            port: https
            scheme: HTTPS
          periodSeconds: 10
        name: metrics-server
        ports:
        - containerPort: 4443
          name: https
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /readyz
            port: https
            scheme: HTTPS
          initialDelaySeconds: 20
          periodSeconds: 10
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - mountPath: /tmp
          name: tmp-dir
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: system-cluster-critical
      serviceAccountName: metrics-server
      volumes:
      - emptyDir: {}
        name: tmp-dir
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  labels:
    k8s-app: metrics-server
  name: v1beta1.metrics.k8s.io
spec:
  group: metrics.k8s.io
  groupPriorityMinimum: 100
  insecureSkipTLSVerify: true
  service:
    name: metrics-server
    namespace: kube-system
  version: v1beta1
  versionPriority: 100
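We need to use ctr or crictl in place of the docker command, but crictl has no equivalent of docker tag. When using ctr, note that ctr, like k8s, has the concept of namespaces and its default namespace is default, so every operation needs -n=k8s.io for k8s to recognize the image correctly.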
setup.sh
#!/bin/bash
#
# https://github.com/kubernetes-sigs/metrics-server
# wget https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
# sed '/args:/a\ - --kubelet-insecure-tls' components.yaml

# stop on the first failed command so a failed pull is not followed by tag/apply
set -euo pipefail

# download and change yaml
# wget -O- https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml \
#   | sed '/args:/a\ - --kubelet-insecure-tls' - > components.yaml

# use ali registry to speed up
repo=registry.aliyuncs.com/google_containers
name=k8s.gcr.io/metrics-server/metrics-server:v0.6.1

# remove prefix
#src_name=${name#k8s.gcr.io/}
#src_name=${name#metrics-server/}
src_name=metrics-server:v0.6.1

# pull from the mirror into the namespace that k8s reads
ctr -n=k8s.io image pull "$repo/$src_name"

# rename to fit k8s
ctr -n=k8s.io image tag "$repo/$src_name" "$name"
ctr -n=k8s.io image rm "$repo/$src_name"

# add args: - --kubelet-insecure-tls
kubectl apply -f components.yaml

Once this is done, we can check the deployment status of Metrics Server.
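The retag step in setup.sh gives the mirror's image the k8s.gcr.io name, and with imagePullPolicy: IfNotPresent the kubelet then runs it without contacting the upstream registry, so the digest is worth checking before tagging. The script below is an added example, not part of the original post: it pulls from the mirror, compares the digest that ctr reports with a pinned value, and tags only on a match. Assumptions: the function names and the SAMPLE_* values are constructed for illustration, and the expected digest is one you obtained from a trusted source for the same manifest the mirror serves.

```shell
#!/bin/bash
# Added example: check a mirrored image's digest before retagging it.
# Function names and SAMPLE_* values are constructed for illustration.

# Constructed digest and constructed `ctr images ls` output (REF TYPE DIGEST SIZE ...).
SAMPLE_DIGEST="sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
SAMPLE_LS="REF TYPE DIGEST SIZE PLATFORMS LABELS
registry.aliyuncs.com/google_containers/metrics-server:v0.6.1 application/vnd.docker.distribution.manifest.list.v2+json $SAMPLE_DIGEST 26.8 MiB linux/amd64 -"

# Map an upstream reference to the mirror by keeping only the last path component.
mirror_ref() {  # $1 = mirror repo, $2 = upstream reference
    printf '%s/%s\n' "$1" "${2##*/}"
}

# Read `ctr images ls` output on stdin and print the digest of exactly $1.
digest_of() {
    awk -v ref="$1" '$1 == ref { print $3; exit }'
}

# Succeed only if $1 is a well-formed sha256 digest and equals the pinned $2.
digest_ok() {
    printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$' && [ "$1" = "$2" ]
}

# Pull from the mirror, verify, then retag; remove the image on mismatch.
pull_verified() {  # $1 = mirror repo, $2 = upstream reference, $3 = expected digest
    src=$(mirror_ref "$1" "$2")
    ctr -n=k8s.io image pull "$src" || return 1
    actual=$(ctr -n=k8s.io image ls | digest_of "$src")
    if ! digest_ok "$actual" "$3"; then
        echo "digest mismatch for $src: got '$actual', expected '$3'" >&2
        ctr -n=k8s.io image rm "$src"
        return 1
    fi
    ctr -n=k8s.io image tag "$src" "$2" && ctr -n=k8s.io image rm "$src"
}

# Usage (run on a node): pull_verified registry.aliyuncs.com/google_containers \
#   k8s.gcr.io/metrics-server/metrics-server:v0.6.1 "sha256:<EXPECTED_DIGEST>"
```

A mirror may serve a single-platform manifest where the upstream registry serves a manifest list, in which case the two digests differ even for identical layers; pin the digest of the object the mirror actually returns.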