TencentK8sEngine.md

File metadata and controls

249 lines (175 loc) · 7.33 KB

TKE

kubectl

other usage

7. ImagePullSecret (set it in the deployment if images must be pulled from an external registry)
    - qcloudregistrykey

It seems that TKE will automatically use `tencenthubkey`?

8. Secrets cannot be accessed across namespaces.
   To duplicate a secret from namespace A into namespace B:

   kubectl get secret <secret-name> --namespace=A --export -o yaml | kubectl apply --namespace=B -f -

   Note: `--export` was removed in kubectl 1.18; on newer versions strip `metadata.namespace`, `metadata.uid` and `metadata.resourceVersion` from the YAML instead (for example with yq) before applying it to the target namespace.

role, rolebinding

General approach to using role / rolebinding

  1. create serviceaccount
    • `kubectl create serviceaccount <name>`; on clusters before 1.24 this also creates a token secret (newer versions no longer auto-create it)
    • every namespace has a default serviceaccount: default
  2. create role

    # create a role; --dry-run=client only prints the YAML (older kubectl accepts bare --dry-run)
    kubectl -n $_NS create role role_po --verb="list" --resource=po --dry-run=client -o yaml
    kubectl -n $_NS create role role_deploy --verb="get" --resource=deploy --dry-run=client -o yaml
    kubectl -n $_NS create role role_scale --verb="update" --resource=replicasets --dry-run=client -o yaml
    • we can also merge different roles by combining the --dry-run output into one YAML file, then:
      • kubectl -n $_NS create -f role.yaml
  3. create rolebinding

    # bind the "default" serviceaccount to "role_scale"
    kubectl -n $_NS create rolebinding default_scale_binding --serviceaccount="$_NS:default" --role=role_scale --dry-run=client -o yaml

Tencent Cloud user management (CAM)

Policies

Policy for accessing one specific COS bucket

{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "cos:*"
            ],
            "resource": "qcs::cos:::BUCKET-NAME/*",
            "effect": "allow"
        }
    ]
}

A more precise six-segment resource description (qcs:project:service:region:account:resource):

{
    "resource": "qcs::cos:ap-shanghai:uid/YourAccountID:BUCKETNAME-YourAccountID/access/path/*"
}

Operate CVM in the Beijing region (the finance statement covers the "no payment permission" case):

{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": "finance:*",
            "resource": "qcs::cvm:ap-beijing::*"
        },
        {
            "effect": "allow",
            "action": "cvm:*",
            "resource": "qcs::*:ap-beijing::*"
        }
    ]
}

To forbid creating/modifying CVM security groups, add the following deny statement (deny takes precedence over allow):

        {
            "effect": "deny",
            "action": [
                "cvm:CreateSecurityGroup",
                "cvm:CreateSecurityGroupPolicy",
                "cvm:DeleteSecurityGroup",
                "cvm:DeleteSecurityGroupPolicy",
                "cvm:ModifySecurityGroupAttributes",
                "cvm:ModifySecurityGroupPolicys",
                "cvm:ModifySingleSecurityGroupPolicy"
            ],
            "resource": [
                "*"
            ]
        }
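As an added example (not part of the original notes), a small Python checker for the CAM policies above: it splits a resource string into the six qcs segments, flags allow statements whose resource is broader than the service-wide action they grant, and reports which security-group actions a deny statement leaves uncovered. The sample policy and the short action list are constructed from this page.

```python
QCS_SEGMENTS = ("project", "service", "region", "account", "resource")

def parse_qcs(resource):
    """Split a CAM six-segment resource (qcs:project:service:region:account:resource)
    into named parts. A bare '*' matches everything, so every segment becomes '*'."""
    if resource == "*":
        return dict.fromkeys(QCS_SEGMENTS, "*")
    parts = resource.split(":", 5)  # the last segment (bucket/path) may itself contain ':'
    if len(parts) != 6 or parts[0] != "qcs":
        raise ValueError(f"not a 6-segment qcs resource: {resource!r}")
    return dict(zip(QCS_SEGMENTS, parts[1:]))

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_policy(policy):
    """Return (statement index, message) for allow statements that pair a service-wide
    action ('svc:*') with a resource whose service is '*' or that is unscoped by region."""
    findings = []
    for i, st in enumerate(policy.get("statement", [])):
        wild = [a for a in _as_list(st.get("action", [])) if a.endswith(":*")]
        if st.get("effect") != "allow" or not wild:
            continue
        for res in _as_list(st["resource"]):
            seg = parse_qcs(res)
            if seg["service"] == "*":
                findings.append((i, f"{wild} allowed on every service via {res!r}"))
            if seg["region"] in ("", "*") and seg["resource"] == "*":
                findings.append((i, f"{wild} allowed in every region on every resource via {res!r}"))
    return findings

def uncovered_denies(policy, actions):
    """Actions in `actions` that no deny statement with resource '*' lists explicitly."""
    denied = set()
    for st in policy.get("statement", []):
        if st.get("effect") == "deny" and "*" in _as_list(st["resource"]):
            denied.update(_as_list(st["action"]))
    return sorted(set(actions) - denied)

# Constructed sample: the Beijing CVM policy from this page, plus a deny statement
# that deliberately lists only two of the three security-group actions.
SG_ACTIONS = ["cvm:CreateSecurityGroup", "cvm:DeleteSecurityGroup", "cvm:ModifySecurityGroupPolicys"]
BEIJING_POLICY = {"version": "2.0", "statement": [
    {"effect": "allow", "action": "finance:*", "resource": "qcs::cvm:ap-beijing::*"},
    {"effect": "allow", "action": "cvm:*", "resource": "qcs::*:ap-beijing::*"},
    {"effect": "deny", "action": SG_ACTIONS[:2], "resource": ["*"]},
]}
```

Running `lint_policy(BEIJING_POLICY)` reports the second statement (resource service `*` with `cvm:*`), and `uncovered_denies(BEIJING_POLICY, SG_ACTIONS)` shows that `cvm:ModifySecurityGroupPolicys` is still allowed.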

Tencent Cloud Misc

The ingress certificate is incompatible with some older Android devices, causing SSL handshake errors.

Finding and cleaning up high disk usage on a k8s node

  • Check node status with kubectl: `kubectl describe nodes`.

  • Log in to the node and check disk usage.

Remove images that are no longer used

docker images | grep "<none>" | grep co-app-images | awk "{print \$3}" | xargs docker rmi

# more aggressive: removes every co-app-images image on the node, including ones still referenced by running containers (docker refuses those)
docker images | grep co-app-images | awk "{print \$3}" | xargs docker rmi

Pod Stuck in Terminating

Many causes can lead to this problem; first rule out a broken node:

k get po -o wide # this will show which Node is running the pod
k get nodes # Check the status of that node... in my case it was NotReady

Duplicate service, deployment from one namespace to another namespace

kubectl commands (note: `--export` was removed in kubectl 1.18, which is why the metadata fields are also stripped with yq):
cur_ns="co-hse-dev"
dst_ns="co-hse-dev-vivo"

alias kbctl="kubectl_tke --context=co-k8s-cluster"

# create namespace
kbctl create namespace $dst_ns

# first, in the web console, issue a secret credential into the new namespace

# dup service and then apply
kbctl -n $cur_ns get svc --export -o yaml | sed -e "s/namespace: $cur_ns/namespace: $dst_ns/"  | yq eval 'del(.items[].metadata.resourceVersion, .items[].metadata.uid, .items[].metadata.annotations, .items[].metadata.creationTimestamp, .items[].metadata.selfLink, .items[].spec.clusterIP, .items[].spec.ports[].nodePort )' - |  kbctl apply -f -

# dup role and rolebinding, if necessary
kbctl -n $cur_ns get role,rolebinding --export -o yaml | sed -e "s/namespace: $cur_ns/namespace: $dst_ns/"  | yq eval 'del(.items[].metadata.resourceVersion, .items[].metadata.uid, .items[].metadata.annotations, .items[].metadata.creationTimestamp, .items[].metadata.selfLink)' - |  kbctl apply -f -


# dup deployment and then apply
kbctl -n $cur_ns get deploy --export -o yaml | sed -e "s/namespace: $cur_ns/namespace: $dst_ns/"  | yq eval 'del(.items[].metadata.resourceVersion, .items[].metadata.uid, .items[].metadata.annotations, .items[].metadata.creationTimestamp, .items[].metadata.selfLink, .items[].status)' - |  kbctl apply -f -


# update some other info, like mysql

# try container repository trigger

Common security group for TKE nodes

| source         | port            | policy | comments              |
|----------------|-----------------|--------|-----------------------|
| 0.0.0.0/0      | TCP:30000-32767 | allow  | alb                   |
| 0.0.0.0/0      | ICMP            | allow  | allow ping            |
| 10.0.0.0/16    | ALL             | allow  | db                    |
| 172.16.0.0/12  | ALL             | allow  | k8s container network |
| 192.168.0.0/16 | ALL             | allow  |                       |

Note: allowing 0.0.0.0/0 on TCP 30000-32767 exposes every NodePort service on the node to the internet; if the load balancer's source address range is known, restrict the first rule to it.