问题[kubernetes](unix)

在 kubernetes 1.29.x 集群中。首先确保命名空间包含 configmap：

➜  migration kubectl get configmaps -n reddwarf-cache

NAME                           DATA   AGE
cruise-redis-configuration     3      2y334d
cruise-redis-health            6      2y334d
cruise-redis-scripts           2      2y334d
kube-root-ca.crt               1      2y334d
reddwarf-redis-configuration   3      451d
reddwarf-redis-health          6      451d
reddwarf-redis-scripts         2      451d

当我尝试使用此命令获取 kubernets configmap 时：

➜  migration kubectl get configmaps -o yaml -n reddwarf-cache- > reddwarf-cache-configmap.yaml

➜  migration cat reddwarf-cache-configmap.yaml
apiVersion: v1
items: []
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

configmap 为空，我确定我可以访问 configmap，为什么无法从 kubernetes 集群获取 configmap yaml 配置？我也尝试过：

kubectl get cm -o yaml -n reddwarf-cache- > reddwarf-cache-configmap.yaml

我想知道Kubernetes 中的resources: {}in是什么pod.spec.containers.resources意思？

我有一个容器化的 unimrcp 服务器，它作为 kubernetes pod 运行。当我进入容器并做ps -ef它的输出是这样的：

[root@unimrcp-0 fd]# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0 99 13:13 ?        01:07:38 ./unimrcpserver
root        75     1  0 13:13 ?        00:00:00 [arping] <defunct>
root        76     1  0 13:13 ?        00:00:00 [arping] <defunct>
root       154     0  0 13:14 pts/0    00:00:00 /bin/bash
root       209   154  0 14:21 pts/0    00:00:00 ps -ef

另外，如果我这样做cat /proc/[pid]/fd/1，我会看到一些损坏的输出，如下所示：

未知指令：▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒

为什么进程没有附加控制终端。我已禁用 Unimrcp 记录到标准输出。CPU 利用率也为 99%。有人可以帮忙解决这个问题吗？

这是容器的入口点

#!/bin/sh
source /ip-conf.sh; set_control_media_network "UNIMRCP"
CONTROL_IP=$(get_control_ipv4)
MEDIA_IP=$(get_media_ipv4)
LOG_LEVEL=$(echo $LOG_LEVEL | tr -s " " | xargs)
LOG_OUTPUT=$(echo $LOG_OUTPUT | tr -s " " | xargs)
LOG_HEADERS=$(echo $LOG_HEADERS | tr -s " " | xargs)
sed -i 's+<priority>.*</priority>+''<priority>'$LOG_LEVEL'</priority>+g' 
/usr/local/unimrcp/conf/logger.xml
sed -i 's+<output>.*</output>+''<output>'$LOG_OUTPUT'</output>+g' 
/usr/local/unimrcp/conf/logger.xml
sed -i 's+<headers>.*</headers>+''<headers>'$LOG_HEADERS'</headers>+g' 
/usr/local/unimrcp/conf/logger.xml
sed -i 's+<!-- <ip>.*</ip> -->+''<ip>'$CONTROL_IP'</ip>+g' 
/usr/local/unimrcp/conf/unimrcpserver.xml
sed -i 's+<!-- <rtp-ip>.*</rtp-ip> -->+''<rtp-ip>'$MEDIA_IP'</rtp-ip>+g' 
/usr/local/unimrcp/conf/unimrcpserver.xml 
cd /usr/local/unimrcp/bin/
exec ./unimrcpserver

这是 unimrcp 容器内 /proc/1/fd/ 处 ls -l 的输出

total 0
lrwx------ 1 root root 64 Jan  2 12:04 0 -> /dev/null
l-wx------ 1 root root 64 Jan  2 12:04 1 -> pipe:[17601930]
l-wx------ 1 root root 64 Jan  2 12:04 10 -> pipe:[17605635]
lrwx------ 1 root root 64 Jan  2 12:04 11 -> socket:[17605636]
lrwx------ 1 root root 64 Jan  2 12:04 12 -> anon_inode:[eventpoll]
lrwx------ 1 root root 64 Jan  2 12:04 13 -> anon_inode:[eventfd]
lrwx------ 1 root root 64 Jan  2 12:04 14 -> anon_inode:[eventpoll]
lrwx------ 1 root root 64 Jan  2 12:04 15 -> anon_inode:[eventfd]
lrwx------ 1 root root 64 Jan  2 12:04 16 -> anon_inode:[eventpoll]
lrwx------ 1 root root 64 Jan  2 12:04 17 -> socket:[17602110]
lrwx------ 1 root root 64 Jan  2 12:04 18 -> socket:[17602111]
lrwx------ 1 root root 64 Jan  2 12:04 19 -> anon_inode:[eventpoll]
l-wx------ 1 root root 64 Jan  2 12:04 2 -> pipe:[17601931]
lrwx------ 1 root root 64 Jan  2 12:04 20 -> socket:[17603083]
lrwx------ 1 root root 64 Jan  2 12:04 21 -> socket:[17603084]
lr-x------ 1 root root 64 Jan  2 12:04 22 -> /dev/urandom
lrwx------ 1 root root 64 Jan  2 12:04 23 -> socket:[17603087]
lrwx------ 1 root root 64 Jan  2 12:04 24 -> socket:[17603088]
l-wx------ 1 root root 64 Jan  2 12:04 3 -> 
/usr/local/unimrcp/log/unimrcpserver_2020.01.02_12.04.08.988860.log
lrwx------ 1 root root 64 Jan  2 12:04 4 -> anon_inode:[eventpoll]
lr-x------ 1 root root 64 Jan  2 12:04 5 -> pipe:[17605633]
l-wx------ 1 root root 64 Jan  2 12:04 6 -> pipe:[17605633]
lrwx------ 1 root root 64 Jan  2 12:04 7 -> socket:[17605634]
lrwx------ 1 root root 64 Jan  2 12:04 8 -> anon_inode:[eventpoll]
lr-x------ 1 root root 64 Jan  2 12:04 9 -> pipe:[17605635]

我有以下yaml文件：

---
apiVersion: v1
kind: pod
metadata:
    name: Tesing_for_Image_pull -----------> 1
    spec:
        containers:
        - name: mysql ------------------------> 2
          image: mysql ----------> 3
          imagePullPolicy: Always ------------->4
          command: ["echo", "SUCCESS"]  -------------------> 5

运行后kubectl create -f my_yaml.yaml出现以下错误：

error: error converting YAML to JSON: yaml: line 10: did not find expected key

更新：yamllint我收到以下错误：

root@debian:~# yamllint my_yaml.yaml
my_yaml.yaml
  8:9       error    wrong indentation: expected 12 but found 8  (indentation)
  11:41     error    syntax error: expected <block end>, but found '<scalar>'

我的问题在哪里，我该如何解决？

部署所有 kubernetes 资源后port 443，我想打开. 我将它添加到我的白名单表中，但它仍然关闭。我的 80 端口也发生了同样的事情。在刷新所有表后，删除所有 kubernetes 资源并从头开始设置防火墙（包括白名单port 80），然后再次部署 kubernetesport 80终于打开了。

现在我更愿意理解为什么我不能打开port 443而不是再做一遍。我发现有一个表KUBE-FIREWALL（见下文），默认情况下会阻止所有内容。

这是我的主要问题：

KUBE-FIREWALL 的规则优先级是否比我的表 TCP 高？如果，我怎样才能改变优先级？

输入

Chain INPUT (policy DROP)
target     prot opt source               destination         
cali-INPUT  all  --  anywhere             anywhere             /* cali:Cz_u1IQiXIMmKD4c */
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
KUBE-EXTERNAL-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes externally-visible service portals */
KUBE-FIREWALL  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request ctstate NEW
UDP        udp  --  anywhere             anywhere             ctstate NEW
TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable

校准输入

Chain cali-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* cali:msRIDfJRWnYwzW4g */ mark match 0x10000/0x10000
cali-wl-to-host  all  --  anywhere             anywhere            [goto]  /* cali:y4fKWmWkTnYGshVX */
MARK       all  --  anywhere             anywhere             /* cali:JnMb-hdLugWL4jEZ */ MARK and 0xfff0ffff
cali-from-host-endpoint  all  --  anywhere             anywhere             /* cali:NPKZwKxJ-5imzORj */
ACCEPT     all  --  anywhere             anywhere             /* cali:aes7S4xZI-7Jyw63 */ /* Host endpoint policy accepted packet. */ mark match 0x10000/0x10000

KUBE-防火墙

Chain cali-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* cali:msRIDfJRWnYwzW4g */ mark match 0x10000/0x10000
cali-wl-to-host  all  --  anywhere             anywhere            [goto]  /* cali:y4fKWmWkTnYGshVX */
MARK       all  --  anywhere             anywhere             /* cali:JnMb-hdLugWL4jEZ */ MARK and 0xfff0ffff
cali-from-host-endpoint  all  --  anywhere             anywhere             /* cali:NPKZwKxJ-5imzORj */
ACCEPT     all  --  anywhere             anywhere             /* cali:aes7S4xZI-7Jyw63 */ /* Host endpoint policy accepted packet. */ mark match 0x10000/0x10000
claus@vmd33301:~$ sudo iptables -L KUBE-FIREWALL
Chain KUBE-FIREWALL (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000

TCP

Chain TCP (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

我想将所有节点上的服务绑定到端口 80 和 443，这样我将通过 DNS 名称（kubernetes）重定向到通过 HTTP/S 将我直接重定向到服务的任何节点，然后再到部署（nginx ）。但是，我不知道这是如何工作的，因为 NodePorts 的范围仅从 30000 到 32xxx。

这是我的设置

DNS-Name      IPv4
k8s-master    172.25.35.47
k8s-node-01   172.25.36.47
k8s-node-02   172.25.36.8
kubernetes    172.25.36.47
kubernetes    172.25.36.8

我的 yaml 文件

apiVersion: v1
kind: Service
metadata:
  name: proxy
spec:
  ports:
  - name: http
    nodePort: 80     
    port: 80            
    protocol: TCP      
    targetPort: 80     
  - name: https
    nodePort: 443     
    port: 443           
    protocol: TCP       
    targetPort: 443     
  selector:
    name: proxy
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: proxy
  labels:
    name: proxy
spec:
  selector:
    matchLabels:
      name: proxy
  replicas: 1
  template:
    metadata:
     labels:
       name: proxy
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - name: http
          containerPort: 80
          protocol: TCP
        - name: https
          containerPort: 443
          protocol: TCP

哪种类型的服务为我提供了公开此端口的功能，或者我如何实现我的心理设置？

沃尔克

我已经在 docker 中设置了一个私有注册表，可以通过域“makdom.ddns.net”访问，我可以在本地登录推送和拉取图像，即使是从 kubes 节点我也可以做到这一点，

但是当我编写一个 kubes 部署文件时，它无法从私有注册表中提取图像并且失败。

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: ssh-deployment
spec:
  template:
    metadata:
      labels:
        app: helloworld
    spec:
      containers:
      - name: ssh-demo
        image: makdom.ddns.net/my-ubuntu
        imagePullPolicy: IfNotPresent
        ports:
        - name: nodejs-port
          containerPort: 22
      imagePullSecrets:
      - name: myregistrykey

秘密：

DOCKER_REGISTRY_SERVER="https://makdom.ddns.net/v1/"
DOCKER_USER="user"
DOCKER_PASSWORD="password"
DOCKER_EMAIL="[email protected]" 

kubectl create secret docker-registry myregistrykey \
  --docker-server=$DOCKER_REGISTRY_SERVER \
  --docker-username=$DOCKER_USER \
  --docker-password=$DOCKER_PASSWORD \
  --docker-email=$DOCKER_EMAIL  

错误：

Events:
  Type     Reason                 Age               From                  Message
  ----     ------                 ----              ----                  -------
  Normal   Scheduled              1m                default-scheduler     Successfully assigned ssh-deployment-7b7c7bf977-m6stk to kubes-slave
  Normal   SuccessfulMountVolume  1m                kubelet, kubes-slave  MountVolume.SetUp succeeded for volume "default-token-mx7qq"
  Normal   Pulled                 1m (x3 over 1m)   kubelet, kubes-slave  Container image "makdom.ddns.net/my-ubuntu" already present on machine
  Normal   Created                1m (x3 over 1m)   kubelet, kubes-slave  Created container
  Normal   Started                1m (x3 over 1m)   kubelet, kubes-slave  Started container
  Normal   Pulling                34s (x2 over 1m)  kubelet, kubes-slave  pulling image "makdom.ddns.net/my-ubuntu"
  Warning  Failed                 34s (x2 over 1m)  kubelet, kubes-slave  Failed to pull image "makdom.ddns.net/my-ubuntu": rpc error: code = Unknown desc = Error: image my-ubuntu:latest not found
  Warning  Failed                 34s (x2 over 1m)  kubelet, kubes-slave  Error: ErrImagePull
  Warning  BackOff                19s (x6 over 1m)  kubelet, kubes-slave  Back-off restarting failed container