学习 Kubernetes 基础知识
Tasks
Install Tools
Install and Set Up kubectl (EN)
Install Minikube (EN)
Setup an extension API server
Configure Pods and Containers
Configure Pods and Containers
Assign Memory Resources to Containers and Pods (EN)
Assign CPU Resources to Containers and Pods (EN)
Configure GMSA for Windows pods and containers (EN)
Configure Quality of Service for Pods (EN)
Assign Extended Resources to a Container (EN)
Configure a Pod to Use a Volume for Storage (EN)
Configure a Pod to Use a PersistentVolume for Storage (EN)
Configure a Pod to Use a Projected Volume for Storage (EN)
Configure a Security Context for a Pod or Container (EN)
Configure Service Accounts for Pods (EN)
Pull an Image from a Private Registry (EN)
Configure Liveness and Readiness Probes (EN)
将 Pod 分配给节点
Configure Pod Initialization (EN)
Attach Handlers to Container Lifecycle Events (EN)
Configure a Pod to Use a ConfigMap (EN)
Share Process Namespace between Containers in a Pod (EN)
Translate a Docker Compose File to Kubernetes Resources (EN)
给容器分配非透明整型资源
Administer a Cluster
Administration with kubeadm
Certificate Management with kubeadm (EN)
Upgrading kubeadm HA clusters from v1.11 to v1.12 (EN)
Upgrading kubeadm HA clusters from v1.12 to v1.13 (EN)
Upgrading kubeadm clusters from v1.11 to v1.12 (EN)
Upgrading kubeadm clusters from v1.12 to v1.13 (EN)
Upgrading kubeadm clusters from v1.13 to v1.14 (EN)
Manage Memory, CPU, and API Resources
Configure Default Memory Requests and Limits for a Namespace (EN)
Configure Default CPU Requests and Limits for a Namespace (EN)
Configure Minimum and Maximum Memory Constraints for a Namespace (EN)
Configure Minimum and Maximum CPU Constraints for a Namespace (EN)
Configure Memory and CPU Quotas for a Namespace (EN)
Configure a Pod Quota for a Namespace (EN)
Install a Network Policy Provider
Use Calico for NetworkPolicy (EN)
Use Cilium for NetworkPolicy (EN)
Use Kube-router for NetworkPolicy (EN)
Romana for NetworkPolicy (EN)
Weave Net for NetworkPolicy (EN)
Access Clusters Using the Kubernetes API (EN)
Access Services Running on Clusters (EN)
Advertise Extended Resources for a Node (EN)
Autoscale the DNS Service in a Cluster (EN)
Change the Reclaim Policy of a PersistentVolume (EN)
Change the default StorageClass (EN)
Cluster Management (EN)
Configure Multiple Schedulers (EN)
Configure Out Of Resource Handling (EN)
Configure Quotas for API Objects (EN)
Control CPU Management Policies on the Node (EN)
Customizing DNS Service (EN)
Debugging DNS Resolution (EN)
Declare Network Policy (EN)
Developing Cloud Controller Manager (EN)
Encrypting Secret Data at Rest (EN)
Guaranteed Scheduling For Critical Add-On Pods (EN)
IP Masquerade Agent User Guide (EN)
Kubernetes Cloud Controller Manager (EN)
Limit Storage Consumption (EN)
Namespaces Walkthrough (EN)
Operating etcd clusters for Kubernetes (EN)
Reconfigure a Node's Kubelet in a Live Cluster (EN)
Reserve Compute Resources for System Daemons (EN)
Safely Drain a Node while Respecting Application SLOs (EN)
Securing a Cluster (EN)
Set Kubelet parameters via a config file (EN)
Set up High-Availability Kubernetes Masters (EN)
Share a Cluster with Namespaces (EN)
Static Pods (EN)
Storage Object in Use Protection (EN)
Using CoreDNS for Service Discovery (EN)
Using a KMS provider for data encryption (EN)
Using sysctls in a Kubernetes Cluster (EN)
Accessing Clusters
Inject Data Into Applications
Inject Data Into Applications
为容器设置启动时要执行的命令及其入参
为容器设置环境变量
使用 PodPreset 将信息注入 Pods
使用 Secret 安全地分发凭证
通过文件将Pod信息呈现给容器
通过环境变量将Pod信息呈现给容器
Run Applications
Run a Stateless Application Using a Deployment (EN)
Run a Single-Instance Stateful Application (EN)
Run a Replicated Stateful Application (EN)
Update API Objects in Place Using kubectl patch (EN)
Scale a StatefulSet (EN)
Delete a StatefulSet (EN)
Force Delete StatefulSet Pods (EN)
Perform Rolling Update Using a Replication Controller (EN)
Horizontal Pod Autoscaler (EN)
Horizontal Pod Autoscaler Walkthrough (EN)
Specifying a Disruption Budget for your Application (EN)
Use Port Forwarding to Access Applications in a Cluster
Run Jobs
Run Jobs
Running Automated Tasks with a CronJob
Parallel Processing using Expansions (EN)
Coarse Parallel Processing Using a Work Queue (EN)
使用工作队列进行精细的并行处理
Provide Load-Balanced Access to an Application in a Cluster
Access Applications in a Cluster
Web UI (Dashboard) (EN)
Accessing Clusters (EN)
Configure Access to Multiple Clusters (EN)
Use Port Forwarding to Access Applications in a Cluster (EN)
Use a Service to Access an Application in a Cluster (EN)
Connect a Front End to a Back End Using a Service (EN)
Create an External Load Balancer (EN)
Configure Your Cloud Provider's Firewalls (EN)
List All Container Images Running in a Cluster (EN)
Set up Ingress on Minikube with the NGINX Ingress Controller (EN)
Communicate Between Containers in the Same Pod Using a Shared Volume (EN)
Configure DNS for a Cluster (EN)
Use a Service to Access an Application in a Cluster
删除 StatefulSet
Monitor, Log, and Debug
Monitor, Log, and Debug
Application Introspection and Debugging (EN)
Auditing
Core metrics pipeline (EN)
Debug Init Containers (EN)
Debug Services (EN)
Debugging Kubernetes nodes with crictl (EN)
Determine the Reason for Pod Failure (EN)
Developing and debugging services locally (EN)
Events in Stackdriver (EN)
Get a Shell to a Running Container (EN)
Logging Using Elasticsearch and Kibana (EN)
Logging Using Stackdriver (EN)
Monitor Node Health (EN)
Tools for Monitoring Resources (EN)
Troubleshooting (EN)
应用故障排查
调试Pods和Replication Controllers
调试StatefulSet
集群故障排查
Create an External Load Balancer
Extend Kubernetes
Use Custom Resources
Extend the Kubernetes API with CustomResourceDefinitions (EN)
Versions of CustomResourceDefinitions (EN)
Configure the Aggregation Layer (EN)
Setup an Extension API Server (EN)
Use an HTTP Proxy to Access the Kubernetes API (EN)
配置你的云平台防火墙
TLS
Certificate Rotation (EN)
Manage TLS Certificates in a Cluster (EN)
List All Container Images Running in a Cluster
Federation - Run an App on Multiple Clusters
Federation - Run an App on Multiple Clusters
Set up Cluster Federation with Kubefed (EN)
Set up CoreDNS as DNS provider for Cluster Federation (EN)
Set up placement policies in Federation (EN)
Cross-cluster Service Discovery using Federated Services (EN)
Administer Federation Control Plane
Federated Cluster (EN)
Federated ConfigMap (EN)
Federated DaemonSet (EN)
Federated Deployment (EN)
Federated Events (EN)
Federated Horizontal Pod Autoscalers (HPA) (EN)
Federated Ingress (EN)
Federated Jobs (EN)
Federated Namespaces (EN)
Federated ReplicaSets (EN)
Federated Secrets (EN)
Configure DNS for a Cluster
Manage Cluster Daemons
Perform a Rollback on a DaemonSet (EN)
Perform a Rolling Update on a DaemonSet (EN)
Install Service Catalog
Install Service Catalog using Helm (EN)
Install Service Catalog using SC (EN)
Federation - Run an App on Multiple Clusters
Federation - Run an App on Multiple Clusters
Administer-clusters
Administration with kubeadm
Certificate Management with kubeadm (EN)
Upgrading kubeadm HA clusters from v1.11 to v1.12 (EN)
Upgrading kubeadm HA clusters from v1.12 to v1.13 (EN)
Upgrading kubeadm clusters from v1.11 to v1.12 (EN)
Upgrading kubeadm clusters from v1.12 to v1.13 (EN)
Upgrading kubeadm clusters from v1.13 to v1.14 (EN)
Manage Memory, CPU, and API Resources
Manage Memory, CPU, and API Resources
Configure Default Memory Requests and Limits for a Namespace
Configure Default CPU Requests and Limits for a Namespace
Configure Minimum and Maximum Memory Constraints for a Namespace
Configure Minimum and Maximum CPU Constraints for a Namespace
Configure Memory and CPU Quotas for a Namespace
Configure a Pod Quota for a Namespace (EN)
Install a Network Policy Provider
Install a Network Policy Provider
使用 Calico 作为 NetworkPolicy
使用 Cilium 作为 NetworkPolicy
使用 Kube-router 作为 NetworkPolicy
使用 Romana 作为 NetworkPolicy
使用 Weave Net 作为 NetworkPolicy
Access Clusters Using the Kubernetes API (EN)
Advertise Extended Resources for a Node (EN)
Autoscale the DNS Service in a Cluster (EN)
Configure Multiple Schedulers (EN)
Configure Out Of Resource Handling (EN)
Configure Quotas for API Objects (EN)
Debugging DNS Resolution (EN)
Developing Cloud Controller Manager (EN)
Encrypting Secret Data at Rest
IP Masquerade Agent User Guide (EN)
Kubernetes Cloud Controller Manager (EN)
Limit Storage Consumption (EN)
Namespaces Walkthrough (EN)
Operating etcd clusters for Kubernetes (EN)
Reconfigure a Node's Kubelet in a Live Cluster (EN)
Reserve Compute Resources for System Daemons (EN)
Safely Drain a Node while Respecting Application SLOs (EN)
Securing a Cluster (EN)
Set up High-Availability Kubernetes Masters (EN)
Share a Cluster with Namespaces (EN)
Storage Object in Use Protection (EN)
Using CoreDNS for Service Discovery (EN)
Using a KMS provider for data encryption (EN)
使用 Calico 来提供 NetworkPolicy
使用 Romana 来提供 NetworkPolicy
使用 Weave 网络来提供 NetworkPolicy
关键插件 Pod 的调度保证
在 Kubernetes 中配置私有 DNS 和上游域名服务器
在 Kubernetes 集群中使用 sysctl
声明网络策略
将 kubeadm 集群在 v1.8 版本到 v1.9 版本之间升级/降级
应用资源配额和限额
控制节点上的CPU管理策略
改变默认 StorageClass
更改 PersistentVolume 的回收策略
设置 Pod CPU 和内存限制
访问集群上运行的服务
通过配置文件设置 Kubelet 参数
配置命名空间下pod总数
集群管理
静态Pods
Extend kubectl with plugins (EN)
使用 Service 把前端连接到后端
使用Deployment运行一个无状态应用
同 Pod 内的容器使用共享卷通信
基于Replication Controller执行滚动升级
对 DaemonSet 执行回滚
弹缩StatefulSet
管理巨页(HugePages)
证书轮换
调度 GPU
运行一个单实例有状态应用
配置对多集群的访问

Edit This Page

通过文件将Pod信息呈现给容器

此页面描述Pod如何使用DownwardAPIVolumeFile把自己的信息呈现给pod中运行的容器。DownwardAPIVolumeFile可以呈现pod的字段和容器字段。

准备开始

You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using Minikube, or you can use one of these Kubernetes playgrounds:

To check the version, enter kubectl version.

Downward API

有两种方式可以将Pod和Container字段呈现给运行中的容器:

这两种呈现Pod和Container字段的方式都称为*Downward API*。

存储Pod字段

在这个练习中,你将创建一个包含一个容器的pod。这是该pod的配置文件:

dapi-volume.yaml docs/tasks/inject-data-application 
apiVersion: v1
kind: Pod
metadata:
  name: kubernetes-downwardapi-volume-example
  labels:
    zone: us-est-coast
    cluster: test-cluster1
    rack: rack-22
  annotations:
    build: two
    builder: john-doe
spec:
  containers:
    - name: client-container
      image: k8s.gcr.io/busybox
      command: ["sh", "-c"]
      args:
      - while true; do
          if [[ -e /etc/podinfo/labels ]]; then
            echo -en '\n\n'; cat /etc/podinfo/labels; fi;
          if [[ -e /etc/podinfo/annotations ]]; then
            echo -en '\n\n'; cat /etc/podinfo/annotations; fi;
          sleep 5;
        done;
      volumeMounts:
        - name: podinfo
          mountPath: /etc/podinfo
          readOnly: false
  volumes:
    - name: podinfo
      downwardAPI:
        items:
          - path: "labels"
            fieldRef:
              fieldPath: metadata.labels
          - path: "annotations"
            fieldRef:
              fieldPath: metadata.annotations

在配置文件中,你可以看到Pod有一个downwardAPI类型的Volume,并且挂载到容器中的/etc

查看downwardAPI下面的items数组。每个数组元素都是一个DownwardAPIVolumeFile。 第一个元素指示Pod的metadata.labels字段的值保存在名为labels的文件中。 第二个元素指示Pod的annotations字段的值保存在名为annotations的文件中。

Note: 注意: 本示例中的字段是Pod字段,不是Pod中容器的字段。

创建 Pod:

kubectl create -f https://k8s.io/cn/docs/tasks/inject-data-application/dapi-volume.yaml

验证Pod中的容器运行正常:

kubectl get pods

查看容器的日志:

kubectl logs kubernetes-downwardapi-volume-example

输出显示 labelsannotations 文件的内容:

cluster="test-cluster1"
rack="rack-22"
zone="us-est-coast"

build="two"
builder="john-doe"

进入Pod中运行的容器,打开一个shell:

kubectl exec -it kubernetes-downwardapi-volume-example -- sh

在该shell中,查看labels文件:

/# cat /etc/labels

输出显示Pod的所有labels都已写入labels文件。

cluster="test-cluster1"
rack="rack-22"
zone="us-est-coast"

同样,查看annotations文件:

/# cat /etc/annotations

查看/etc目录下的文件:

/# ls -laR /etc

在输出中可以看到,labelsannotations文件都在一个临时子目录中:这个例子,..2982_06_02_21_47_53.299460680。在/etc目录中,..data是一个指向临时子目录 的符号链接。/etc目录中,labelsannotations也是符号链接。

drwxr-xr-x  ... Feb 6 21:47 ..2982_06_02_21_47_53.299460680
lrwxrwxrwx  ... Feb 6 21:47 ..data -> ..2982_06_02_21_47_53.299460680
lrwxrwxrwx  ... Feb 6 21:47 annotations -> ..data/annotations
lrwxrwxrwx  ... Feb 6 21:47 labels -> ..data/labels

/etc/..2982_06_02_21_47_53.299460680:
total 8
-rw-r--r--  ... Feb  6 21:47 annotations
-rw-r--r--  ... Feb  6 21:47 labels

用符号链接可实现元数据的动态原子刷新;更新将写入一个新的临时目录,然后..data符号链接完成原子更新,通过使用rename(2)

退出shell:

/# exit

存储容器字段

前面的练习中,你将Pod字段保存到DownwardAPIVolumeFile中。接下来这个练习,你将存储容器字段。这里是包含一个容器的pod的配置文件:

dapi-volume-resources.yaml docs/tasks/inject-data-application 
apiVersion: v1
kind: Pod
metadata:
  name: kubernetes-downwardapi-volume-example-2
spec:
  containers:
    - name: client-container
      image: k8s.gcr.io/busybox:1.24
      command: ["sh", "-c"]
      args:
      - while true; do
          echo -en '\n';
          if [[ -e /etc/podinfo/cpu_limit ]]; then
            echo -en '\n'; cat /etc/podinfo/cpu_limit; fi;
          if [[ -e /etc/cpu_request ]]; then
            echo -en '\n'; cat /etc/podinfo/cpu_request; fi;
          if [[ -e /etc/mem_limit ]]; then
            echo -en '\n'; cat /etc/podinfo/mem_limit; fi;
          if [[ -e /etc/mem_request ]]; then
            echo -en '\n'; cat /etc/podinfo/mem_request; fi;
          sleep 5;
        done;
      resources:
        requests:
          memory: "32Mi"
          cpu: "125m"
        limits:
          memory: "64Mi"
          cpu: "250m"
      volumeMounts:
        - name: podinfo
          mountPath: /etc/podinfo
          readOnly: false
  volumes:
    - name: podinfo
      downwardAPI:
        items:
          - path: "cpu_limit"
            resourceFieldRef:
              containerName: client-container
              resource: limits.cpu
          - path: "cpu_request"
            resourceFieldRef:
              containerName: client-container
              resource: requests.cpu
          - path: "mem_limit"
            resourceFieldRef:
              containerName: client-container
              resource: limits.memory
          - path: "mem_request"
            resourceFieldRef:
              containerName: client-container
              resource: requests.memory

在这个配置文件中,你可以看到Pod有一个downwardAPI类型的Volume,并且挂载到容器的/etc目录。

查看downwardAPI下面的items数组。每个数组元素都是一个DownwardAPIVolumeFile。

第一个元素指定名为client-container的容器中limits.cpu字段的值应保存在名为cpu_limit的文件中。

创建Pod:

kubectl create -f https://k8s.io/cn/docs/tasks/inject-data-application/dapi-volume-resources.yaml

进入Pod中运行的容器,打开一个shell:

kubectl exec -it kubernetes-downwardapi-volume-example-2 -- sh

在shell中,查看cpu_limit文件:

/# cat /etc/cpu_limit

你可以使用同样的命令查看cpu_request, mem_limitmem_request 文件.

Capabilities of the Downward API

下面这些信息可以通过环境变量和DownwardAPIVolumeFiles提供给容器:

此外,以下信息可通过DownwardAPIVolumeFiles获得:

Note: 如果容器未指定CPU和memory limits,则Downward API默认为节点可分配值。

投射密钥到指定路径并且指定文件权限

你可以将密钥投射到指定路径并且指定每个文件的访问权限。更多信息,请参阅Secrets.

Downward API的动机

对于容器来说,有时候拥有自己的信息是很有用的,可避免与Kubernetes过度耦合。Downward API使得容器使用自己或者集群的信息,而不必通过Kubernetes客户端或API服务器。

一个例子是有一个现有的应用假定要用一个非常熟悉的环境变量来保存一个唯一标识。一种可能是给应用增加处理层,但这样是冗余和易出错的,而且它违反了低耦合的目标。更好的选择是使用Pod名称作为标识,把Pod名称注入这个环境变量中。

接下来

反馈