我正在使用带有 Ceph-CSI 的 Kubernetes 在 Pod 中挂载 CephFS 卷。我想启用 FS-Cache,以便从 CephFS 读取的文件在节点本地缓存,以便更快地访问。
我在主机上安装了 cachefilesd,并在直接在主机上挂载 CephFS 时使用 -o fsc 选项启用了缓存。缓存是在 /var/cache/fscache/ 下创建的,但在检查 pod 中的挂载时,我没有看到启用了 fsc 选项。
如何使用 Ceph-CSI 为 Kubernetes pod 中的 CephFS 挂载启用 FS-Cache?
您好,感谢您抽出时间。我会尝试解释我的实验。我在 kubernetes 中部署了一个应用程序。我可以使用负载均衡器访问它。使用 traefik,我可以通过 http 访问它。我想通过 Https 访问它。为了实现该结果,我尝试关注 youtube 视频和 traefik 文档并使用证书管理器。我喜欢使用 yml 文件工作,但如果有更好的方法,请告诉我,因为我正在从实践中学习。我将发布所有理论上的 yml 文件,希望 serverfault 给我足够的空间来发布它们。
#001-role.yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik-role
rules:
- apiGroups:
- ""
resources:
- services
- secrets
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.io
resources:
- middlewares
- middlewaretcps
- ingressroutes
- traefikservices
- ingressroutetcps
- ingressrouteudps
- tlsoptions
- tlsstores
- serverstransports
- serverstransporttcps
verbs:
- get
- list
- watch
#002-account.yml
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-account
#003-role-binding.yml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-role
subjects:
- kind: ServiceAccount
name: traefik-account
namespace: default
#004-traefik.yml
kind: Deployment
apiVersion: apps/v1
metadata:
name: traefik-deployment
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-account
containers:
- name: traefik
image: traefik:v3.2
args:
- --api.insecure
- --providers.kubernetesingress
ports:
- name: web
containerPort: 80
- name: dashboard
containerPort: 8080
#005-traefik-service.yml
apiVersion: v1
kind: Service
metadata:
name: traefik-dashboard-service
spec:
type: LoadBalancer
ports:
- port: 8080
targetPort: dashboard
selector:
app: traefik
---
apiVersion: v1
kind: Service
metadata:
name: traefik-web-service
spec:
type: LoadBalancer
ports:
- targetPort: web
port: 80
selector:
app: traefik
#006-program-frontend-deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
kompose.cmd: kompose convert -f compose.yml
kompose.version: 1.34.0 (HEAD)
labels:
io.kompose.service: program-frontend
name: program-frontend
spec:
replicas: 1
selector:
matchLabels:
io.kompose.service: program-frontend
template:
metadata:
annotations:
kompose.cmd: kompose convert -f compose.yml
kompose.version: 1.34.0 (HEAD)
labels:
io.kompose.service: program-frontend
spec:
containers:
- env:
- name: API_GATEWAY_BASE_URL
value: http://edge-thinghy:9000
image: program-image
name: program-frontend
ports:
- name: program-frontend
containerPort: 3000
protocol: TCP
imagePullSecrets:
- name: ghcr-secret
restartPolicy: Always
#007-program-frontend-service.yml
apiVersion: v1
kind: Service
metadata:
annotations:
kompose.cmd: kompose convert -f compose.yml
kompose.version: 1.34.0 (HEAD)
labels:
io.kompose.service: program-frontend
name: program-frontend
spec:
ports:
- name: program-frontend
protocol: TCP
port: 3000
targetPort: program-frontend
selector:
io.kompose.service: program-frontend
#008-edit-program-service.yml
apiVersion: v1
kind: Service
metadata:
name: program-frontend
spec:
ports:
- name: program-frontend
port: 80
targetPort: 3000
selector:
io.kompose.service: program-frontend
#009-program-ingress.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: program-ingress
spec:
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: program-frontend
port:
name: program-frontend
#010-challenge.yml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: program-challenge
namespace: default
spec:
acme:
email: [email protected]
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: program-issuer-account-key
solvers:
- http01:
ingress:
class: traefik
#011-ingress-rule.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: program-ssl-ingress
namespace: default
annotations:
cert-manager.io/issuer: "program-challenge"
spec:
tls:
- hosts:
- program-demo.example.domain
secretName: tls-program-ingress-http
rules:
- host: program-demo.example.domain
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: program-frontend
port:
name: program-frontend
#012-redirect-http-to-https.yml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: program-frontend-redirect
spec:
redirectScheme:
scheme: https
permanent: true
如果我理解正确的话,那么我应该能够访问https://program-demo.example.domain,但我只能访问http://program-demo.example.domain,我是不是误读了文档中的某些内容?我的推理有什么问题吗?提前感谢您的时间。
在集群 kubernetes 环境中,我有 Traefik v3.2.1 和 CertManager 1.16.1 以及我正在测试的程序。当我尝试应用此文件:022-red-ing.yml 时出现此错误:
error: error validating "022-red-ing.yml": error validating data: [apiVersion not set, kind not set]; if you choose to ignore these errors, turn validation off with --validate=false
我想正确定义该文件,但我缺少信息,因为我复制该文件的文档没有说明 apiVersion 和 kind。
该文件目前是这样的:
cat 022-红色-ing.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- program.example.domain
port:
name: https
number: 443
protocol: HTTPS
tls:
credentialName: tls-program-ingress-http
mode: SIMPLE
- hosts:
- program.example.domain
port:
name: program-frontend
number: 80
protocol: HTTP
tls:
httpsRedirect: true
- hosts:
- '*'
port:
name: http
number: 80
protocol: HTTP
我应该设置什么 apiVersion 和 kind?如果我添加以下代码:
apiVersion: extensions/v1beta1
kind: Ingress
我收到另一个错误。现在当我这样做时:
kubectl 应用-f 022-red-ing.yml
我明白了
error: error when retrieving current configuration of:
Resource: "networking.k8s.io/v1, Resource=ingresses", GroupVersionKind: "networking.k8s.io/v1, Kind=Ingress"
Name: "", Namespace: "default"
from server for: "022-red-ing.yml": resource name may not be empty
我做错了什么。
我正在运行一个 kubernetes 集群,并且有一个在 TestPort(实际上是 3000)上运行的 TestApplication。我设法启动并运行了 Traefik v3.2.1,并使用 http 质询启动并运行了 CertManager 1.16.1 以进行 letsencrypt。我想保护 TestApplication,让人们通过 TraefiK 端口 443 并进入 TestApplication:TestPort。如何为我的应用程序创建适当的 Ingress 资源?到目前为止,我做到了:
#001-app-deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
kompose.cmd: kompose convert -f compose.yml
kompose.version: 1.34.0 (HEAD)
labels:
io.kompose.service: app-frontend
name: app-frontend
spec:
replicas: 1
selector:
matchLabels:
io.kompose.service: app-frontend
template:
metadata:
annotations:
kompose.cmd: kompose convert -f compose.yml
kompose.version: 1.34.0 (HEAD)
labels:
io.kompose.service: app-frontend
spec:
containers:
- env:
- name: API_GATEWAY_BASE_URL
value: http://edge-thinghy:9000
image: my-image-I-test
name: app-frontend
ports:
- name: app-frontend
containerPort: 3000
protocol: TCP
imagePullSecrets:
- name: ghcr-secret
restartPolicy: Always
#010-app-service.yml
apiVersion: v1
kind: Service
metadata:
name: app-frontend
spec:
ports:
- name: app-frontend
port: 80
targetPort: 3000
selector:
app: app-frontend
#011-app-ingress.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: app-ingress
spec:
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app-frontend
port:
name: app-frontend
#012-challenge.yml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: app-challenge
namespace: default
spec:
acme:
email: [email protected]
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: app-issuer-account-key
solvers:
- http01:
ingress:
class: traefik
#013-ingress-rule.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: app-ssl-ingress
namespace: default
annotations:
cert-manager.io/issuer: "app-challenge"
spec:
tls:
- hosts:
- app.domain.example
secretName: tls-app-ingress-http
rules:
- host: app.domain.example
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app-frontend
port:
name: app-frontend
由于证书已颁发,我原本希望 Traefik 能够自动工作,但当我转到https://app.domain.example时却超时了。我想我做错了什么。如果我打开 traefik pod 日志,我可以看到:
ERR Skipping service: no endpoints found ingress=app-ingress namespace=default providerName=kubernetes serviceName=app-frontend servicePort=&ServiceBackendPort{Name:app-frontend,Number:0,}
ERR Skipping service: no endpoints found ingress=app-ssl-ingress namespace=default providerName=kubernetes serviceName=app-frontend servicePort=&ServiceBackendPort{Name:app-frontend,Number:0,}
尽管我可以访问http://app.domain.example,但不能访问 https,如果我这样做
kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS
app-ingress traefik * 80
app-ssl-ingress traefik app.domain.example 80, 443
我有一个正在运行的 kubernetes 集群,我想公开一项服务。我有一个在端口 TestPort 3000 上运行的 TestApplication。如何配置 Traefik 以充当入口提供程序?在文档中,我不明白我必须在哪里指定
providers:
kubernetesIngress: {}
来源:https ://doc.traefik.io/traefik/providers/kubernetes-ingress/
这足以指定它必须充当 kubernetes 入口吗?
kind: Deployment
apiVersion: apps/v1
metadata:
name: traefik-deployment
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-account
containers:
- name: traefik
image: traefik:v3.2
args:
- --api.insecure
- --providers.kubernetesingress
ports:
- name: web
containerPort: 80
- name: dashboard
containerPort: 8080
我刚刚开始学习 kubernetes。我在 digital-ocean 上创建了一个帐户并启动了一个 kubernetes 集群。然后我尝试按照这篇文章https://www.digitalocean.com/community/tutorials/how-to-secure-your-site-in-kubernetes-with-cert-manager-traefik-and-let-s-encrypt进行操作。但我对它的工作原理有一些疑问。现在我的情况是这样的:
kubectl get pods,services,deployments
NAME
pod/app-frontend
pod/app-backend
pod/cm-acme-http-solver-qh8ms
pod/company-service
pod/edge-service
pod/location-service
pod/traefik
pod/traefik-deployment
pod/user-service
NAME TYPE EXTERNAL-IP PORT(S)
service/app-frontend LoadBalancer app-ext-ip 3000:32459/TCP
service/app-backend ClusterIP <none> 5432/TCP
service/cm-acme-http-solver-fcgpr NodePort <none> 8089:30577/TCP
service/company-service ClusterIP <none> 9003/TCP
service/edge-service ClusterIP <none> 9000/TCP
service/kubernetes ClusterIP <none> 443/TCP
service/location-service ClusterIP <none> 9002/TCP
service/traefik LoadBalancer traefik-ext-ip 80:32591/TCP,443:30716/TCP
service/traefik-dashboard-service LoadBalancer tr-dash-ext-ip 8080:31431/TCP
service/traefik-web-service LoadBalancer tr-ws-ext-ip 80:31211/TCP
service/user-service ClusterIP <none> 9001/TCP
NAME
deployment.apps/app-frontend
deployment.apps/app-backend
deployment.apps/company-service
deployment.apps/edge-service
deployment.apps/location-service
deployment.apps/traefik
deployment.apps/traefik-deployment
deployment.apps/user-service
因此,我让 Traefik 工作,但没有充当代理;应用程序前端工作,但没有在 https 中工作;由 letsencrypt 颁发的证书没有在任何地方使用。例如
kubectl get issuer -o wide
NAME READY STATUS
challenge-http True The ACME account was registered with the ACME server
kubectl get certificateRequest -o wide
NAME APPROVED DENIED READY ISSUER REQUESTOR STATUS AGE
tls-app-ingress True False challenge-http system:serviceaccount:cert-manager:cert-manager Waiting on certificate issuance from order default/tls-app-ingress-http: "pending"
kubectl get certificates
NAME READY SECRET AGE
tls-app-ingress-http False tls-area-ingress-http 166m
当然,由于我从头开始学习,所以一切都在默认环境中。我该如何告诉 kubernetes 使用 Traefik 作为代理并通过 https 到达应用程序前端?如果你回答我一些文档供我阅读,我不会生气,只要给我指明正确的方向就行了。
如何确保部署“foo”没有注释“bar”?
我想在清单中定义这一点,以便 Flux 强制执行我想要的状态。
使用当前的 Kubernetes 资源模型可以实现这一点吗?
我定义了以下 ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: deployer-system
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- list
- nonResourceURLs:
- '*'
verbs:
- list
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: deployer-nonsystem
rules:
- apiGroups:
- '*'
resources:
- secrets
- PersistentVolumes
- Role
- RoleBinding
verbs:
- list
- apiGroups:
- '*'
resources:
- deployments
- pods
verbs:
- get
- list
- watch
- create
- update
- patch
- nonResourceURLs:
- '*'
verbs:
- list
我使用以下 RoleBindings 为用户分配上述 ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: theuser-nonsystem-role-binding
namespace: nonsystem-namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: deployer-nonsystem
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: theuser
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: theuser-kube-system-role-binding
namespace: system-namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: deployer-system
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: theuser
但是,他们可以运行kubectl -n [NAMESPACE] get secrets -o yaml并查看所有机密。根据上面的 ClusterRole 规范,我预计此调用将被禁止。
我是不是遗漏了什么或者误解了什么?为什么用户可以“获取”机密?
更新:请注意:我的问题不是他们可以列出秘密。我的问题是用户可以“获取”秘密(不同的动词!)
使用桥接 CNI 的最佳集群范围 IPAM 是什么?主机本地 IPAM 为每个节点分配一个地址块,这对于管理整个集群来说并不理想。请在答案中包含网络布局和 CNI 配置。
我已经使用 Helm 在我的 AKS 集群中安装了 Istio Ingress Gateway(图表使用的istio/base、istio/istiod、istio/gateway来自https://istio-release.storage.googleapis.com/charts)。
现在我想安装一个Istio Egress Gateway,但我不知道是否还有另一个 Helm 图表,或者我是否必须再次安装 istio/gateway 并将其配置为 Egress。
有人可以帮助我吗,因为 istio 文档中没有使用 Helm 的清晰安装指南?
我应该安装和配置什么来通过此 Egress Gateway 路由所有集群流量并限制每个工作负载对特定主机的访问。例如
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
name: external-svc-https
namespace: testing
spec:
hosts:
- api.dropboxapi.com
- www.googleapis.com
- api.facebook.com
location: MESH_EXTERNAL
exportTo: "."
ports:
- number: 443
name: https
protocol: TLS
resolution: NONE
我已经找到了一种方法,使用 ServiceEntry 仅允许每个命名空间访问特定主机,并将以下配置更改为 istiod 安装。
meshConfig:
outboundTrafficPolicy:
mode: REGISTRY_ONLY