7. imagePullSecrets (set in the Deployment's pod spec if images have to be pulled from an external registry)
- qcloudregistrykey
  it seems that TKE will automatically use `tencenthubkey`?
8. Secrets cannot be accessed across namespaces.
To duplicate a secret from namespace A into namespace B:
kubectl get secret <secret-name> --namespace=A --export -o yaml | kubectl apply --namespace=B -f -
Note: `--export` was deprecated in kubectl 1.14 and removed in 1.18; on a newer client the apply fails because metadata.namespace still says A, so drop metadata.namespace, resourceVersion, uid, creationTimestamp and managedFields yourself before applying. Do not copy service-account token secrets this way: they are bound to a serviceaccount in the source namespace.
General procedure for roles / rolebindings
- create a serviceaccount
  kubectl create serviceaccount <name>
  Before Kubernetes 1.24 this also created a token secret for it; every namespace has a default serviceaccount named `default`.
- create roles
  # create a role (on newer kubectl write --dry-run=client)
  kubectl -n $_NS create role role_po --verb="list" --resource=po --dry-run -o yaml
  kubectl -n $_NS create role role_deploy --verb="get" --resource=deploy --dry-run -o yaml
  kubectl -n $_NS create role role_scale --verb="update" --resource=replicasets --dry-run -o yaml
- roles can be combined by collecting the --dry-run output into one yaml file (separate the objects with `---`, or merge their `rules:` entries into a single Role), then:
  kubectl -n $_NS create -f role.yaml
- bind a role to a serviceaccount
  # To bind the "default" serviceaccount and "role_scale"
  kubectl -n $_NS create rolebinding default_scale_binding --serviceaccount="$_NS:default" --role=role_scale --dry-run -o yaml
  Afterwards confirm the effective permissions with `kubectl auth can-i` while impersonating the serviceaccount, rather than trusting the yaml.
{
"version": "2.0",
"statement": [
{
"action": [
"cos:*"
],
"resource": "qcs::cos:::BUCKET-NAME/*",
"effect": "allow"
}
]
}
A more precise 6-segment resource (qcs:project:service:region:account:resource):
{
"resource": "qcs::cos:ap-shanghai:uid/YourAccountID:BUCKETNAME-YourAccountID/access/path/*"
}
{
"version": "2.0",
"statement": [
{
"effect": "allow",
"action": "finance:*",
"resource": "qcs::cvm:ap-beijing::*"
},
{
"effect": "allow",
"action": "cvm:*",
"resource": "qcs::*:ap-beijing::*"
}
]
}
To forbid creating / modifying CVM security groups, add the following statement. In CAM an explicit deny overrides any allow, so it takes precedence over the `cvm:*` allow above regardless of statement order:
{
"effect": "deny",
"action": [
"cvm:CreateSecurityGroup",
"cvm:CreateSecurityGroupPolicy",
"cvm:DeleteSecurityGroup",
"cvm:DeleteSecurityGroupPolicy",
"cvm:ModifySecurityGroupAttributes",
"cvm:ModifySecurityGroupPolicys",
"cvm:ModifySingleSecurityGroupPolicy"
],
"resource": [
"*"
]
}
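To see how the deny statement interacts with the `cvm:*` allow, here is a toy evaluator for the 2.0 statement format. It is added here as an example and is not Tencent Cloud's own engine: it models `*` wildcards in action and resource and the rule that an explicit deny beats an allow (anything unmatched is an implicit deny), and shows that statement order does not matter. Case-insensitive matching and plain-wildcard semantics are assumptions of this toy; conditions, principals and the full 6-segment resource grammar are not modeled. The policies inside are constructed copies of the ones written out above.

```python
"""Toy evaluator for Tencent CAM-style 2.0 policy statements (example, not the real engine)."""
import copy
import re

# Constructed copies of the policies written out above.
CVM_BEIJING_POLICY = {
    "version": "2.0",
    "statement": [
        {"effect": "allow", "action": "finance:*", "resource": "qcs::cvm:ap-beijing::*"},
        {"effect": "allow", "action": "cvm:*", "resource": "qcs::*:ap-beijing::*"},
    ],
}

DENY_SECURITY_GROUP_CHANGES = {
    "effect": "deny",
    "action": [
        "cvm:CreateSecurityGroup",
        "cvm:CreateSecurityGroupPolicy",
        "cvm:DeleteSecurityGroup",
        "cvm:DeleteSecurityGroupPolicy",
        "cvm:ModifySecurityGroupAttributes",
        "cvm:ModifySecurityGroupPolicys",
        "cvm:ModifySingleSecurityGroupPolicy",
    ],
    "resource": ["*"],
}


def _as_list(value):
    """CAM accepts either a bare string or a list for action/resource."""
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value):
    """Match value against pattern where '*' matches any run of characters (assumed semantics)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def evaluate(policy, action, resource):
    """Return 'deny' (explicit), 'allow', or 'implicit-deny' (no statement matched).

    An explicit deny wins over an allow no matter where it sits in the statement list.
    """
    decision = "implicit-deny"
    for stmt in policy["statement"]:
        if not any(_glob_match(a, action) for a in _as_list(stmt["action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["resource"])):
            continue
        if stmt["effect"].lower() == "deny":
            return "deny"
        decision = "allow"
    return decision


def with_statement(policy, statement, first=False):
    """Return a copy of policy with one extra statement appended (or prepended if first=True)."""
    new_policy = copy.deepcopy(policy)
    if first:
        new_policy["statement"].insert(0, statement)
    else:
        new_policy["statement"].append(statement)
    return new_policy


if __name__ == "__main__":
    sg = "qcs::cvm:ap-beijing::sg-example"  # hypothetical security group resource
    locked = with_statement(CVM_BEIJING_POLICY, DENY_SECURITY_GROUP_CHANGES)
    for act in ("cvm:DescribeInstances", "cvm:CreateSecurityGroup"):
        print(act, evaluate(CVM_BEIJING_POLICY, act, sg), "->", evaluate(locked, act, sg))
```

Running it prints `cvm:DescribeInstances allow -> allow` and `cvm:CreateSecurityGroup allow -> deny`: the deny also covers security groups in other regions because its resource is `*`, while ordinary CVM actions outside ap-beijing stay implicitly denied.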
- replace the certificate
- check certificate compatibility at https://myssl.com/
Check node status with kubectl:
kubectl describe nodes
Log in to the node and check disk usage; stale images are the usual culprit:
# remove untagged (<none>) co-app-images images; docker rmi refuses images still used by a container unless -f is given
docker images | grep "<none>" | grep co-app-images | awk '{print $3}' | xargs docker rmi
# more aggressive: remove every co-app-images image that is not in use
docker images | grep co-app-images | awk '{print $3}' | xargs docker rmi
Many things can cause this problem; first rule out a broken node:
k get po -o wide   # this shows which node is running the pod
k get nodes        # check the status of that node... I got NotReady
kubectl commands ...
cur_ns="co-hse-dev"
dst_ns="co-hse-dev-vivo"
alias kbctl="kubectl_tke --context=co-k8s-cluster"
# create namespace
kbctl create namespace $dst_ns
# first issue a registry secret (image pull credential) to the new namespace from the TKE web console
# dup services and then apply
# (--export was removed in kubectl 1.18; the sed rewrites metadata.namespace and the yq del list strips the
#  server-populated fields, so on a newer client drop --export and also delete .items[].metadata.managedFields.
#  sed does a plain substring replace, so make sure no other namespace name contains $cur_ns.)
kbctl -n $cur_ns get svc --export -o yaml | sed -e "s/namespace: $cur_ns/namespace: $dst_ns/" | yq eval 'del(.items[].metadata.resourceVersion, .items[].metadata.uid, .items[].metadata.annotations, .items[].metadata.creationTimestamp, .items[].metadata.selfLink, .items[].spec.clusterIP, .items[].spec.ports[].nodePort )' - | kbctl apply -f -
# dup roles and rolebindings, if necessary (the same sed also rewrites the serviceaccount namespace in rolebinding subjects, which is needed)
kbctl -n $cur_ns get role,rolebinding --export -o yaml | sed -e "s/namespace: $cur_ns/namespace: $dst_ns/" | yq eval 'del(.items[].metadata.resourceVersion, .items[].metadata.uid, .items[].metadata.annotations, .items[].metadata.creationTimestamp, .items[].metadata.selfLink)' - | kbctl apply -f -
# dup deployments and then apply
kbctl -n $cur_ns get deploy --export -o yaml | sed -e "s/namespace: $cur_ns/namespace: $dst_ns/" | yq eval 'del(.items[].metadata.resourceVersion, .items[].metadata.uid, .items[].metadata.annotations, .items[].metadata.creationTimestamp, .items[].metadata.selfLink, .items[].status)' - | kbctl apply -f -
# update other environment-specific info, like mysql
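The secret duplication in item 8 and the sed + yq pipeline above do the same job: take objects from `kubectl get`, drop what the API server populated, re-home them into the new namespace, and apply. Below is that sanitiser as a Python function over `-o json` output, added here as an example (not kubectl's or TKE's code) for clients where `--export` no longer exists. It compares namespaces exactly instead of sed's substring replace, strips the same fields as the yq expressions plus managedFields and generation, rewrites ServiceAccount subjects in RoleBindings, and refuses to clone `kubernetes.io/service-account-token` secrets, which belong to a serviceaccount in the source namespace. The sample List is constructed; the namespace names are the ones used above, and the script name `relocate.py` in the usage note is an assumption.

```python
"""Re-home Kubernetes objects from one namespace into another (example sanitiser, not kubectl's code)."""
import copy
import json
import sys

SRC_NS = "co-hse-dev"
DST_NS = "co-hse-dev-vivo"

# Server-populated metadata that must not be sent back with `apply`
# (the fields the yq expressions above delete, plus managedFields and generation).
SERVER_METADATA = ("resourceVersion", "uid", "creationTimestamp", "selfLink", "managedFields", "generation")


def relocate(obj, src_ns, dst_ns):
    """Return a copy of one object moved to dst_ns, or None if it must not be cloned."""
    if obj.get("kind") == "Secret" and obj.get("type") == "kubernetes.io/service-account-token":
        return None  # bound to a serviceaccount in src_ns; a copy would be a stray credential
    obj = copy.deepcopy(obj)
    meta = obj.setdefault("metadata", {})
    meta["namespace"] = dst_ns
    for key in SERVER_METADATA:
        meta.pop(key, None)
    meta.pop("annotations", None)  # drops kubectl's last-applied-configuration, as the yq pipeline does
    obj.pop("status", None)
    if obj.get("kind") == "Service":
        spec = obj.setdefault("spec", {})
        for key in ("clusterIP", "clusterIPs"):
            spec.pop(key, None)  # the new namespace gets its own allocation
        for port in spec.get("ports", []):
            port.pop("nodePort", None)
    if obj.get("kind") == "RoleBinding":
        for subject in obj.get("subjects", []):
            # exact comparison, unlike sed's substring replace
            if subject.get("kind") == "ServiceAccount" and subject.get("namespace") == src_ns:
                subject["namespace"] = dst_ns
    return obj


def relocate_list(doc, src_ns, dst_ns):
    """Apply relocate() to every item of a `kubectl get ... -o json` List.

    Returns (new List, names of the items that were skipped).
    """
    kept, skipped = [], []
    for item in doc.get("items", []):
        moved = relocate(item, src_ns, dst_ns)
        if moved is None:
            skipped.append(item["metadata"]["name"])
        else:
            kept.append(moved)
    return {"apiVersion": "v1", "kind": "List", "items": kept}, skipped


# Constructed sample resembling `kubectl -n co-hse-dev get svc,deploy,secret,rolebinding -o json`.
SAMPLE_LIST = {
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"apiVersion": "v1", "kind": "Service",
         "metadata": {"name": "web", "namespace": SRC_NS, "uid": "u1", "resourceVersion": "11",
                      "creationTimestamp": "2021-01-01T00:00:00Z",
                      "annotations": {"kubectl.kubernetes.io/last-applied-configuration": "{}"}},
         "spec": {"type": "NodePort", "clusterIP": "10.96.0.10", "clusterIPs": ["10.96.0.10"],
                  "selector": {"app": "web"},
                  "ports": [{"port": 80, "targetPort": 8080, "nodePort": 30080}]}},
        {"apiVersion": "apps/v1", "kind": "Deployment",
         "metadata": {"name": "web", "namespace": SRC_NS, "uid": "u2", "resourceVersion": "12", "generation": 3},
         "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "web"}},
                  "template": {"metadata": {"labels": {"app": "web"}},
                               "spec": {"imagePullSecrets": [{"name": "qcloudregistrykey"}],
                                        "containers": [{"name": "web", "image": "co-app-images/web:1.0"}]}}},
         "status": {"readyReplicas": 1}},
        {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
         "metadata": {"name": "db-pass", "namespace": SRC_NS, "uid": "u3", "resourceVersion": "13"},
         "data": {"password": "c2VjcmV0"}},
        {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/service-account-token",
         "metadata": {"name": "default-token-abcde", "namespace": SRC_NS, "uid": "u4", "resourceVersion": "14"},
         "data": {"token": "ZXlKaGJHY2k"}},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
         "metadata": {"name": "default_scale_binding", "namespace": SRC_NS, "uid": "u5", "resourceVersion": "15"},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "role_scale"},
         "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": SRC_NS},
                      {"kind": "User", "name": "alice", "apiGroup": "rbac.authorization.k8s.io"}]},
    ],
}

if __name__ == "__main__":
    # `python3 relocate.py -` reads a List from stdin; with no argument the constructed sample is used.
    source = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_LIST
    moved, skipped = relocate_list(source, SRC_NS, DST_NS)
    for name in skipped:
        print("skipped " + name, file=sys.stderr)
    json.dump(moved, sys.stdout, indent=2)
```

Usage with the aliases above (script name assumed): `kbctl -n $cur_ns get svc,deploy,secret,role,rolebinding -o json | python3 relocate.py - | kbctl apply -f -`. Anything skipped is reported on stderr so a missing credential in the new namespace is noticed rather than silently copied.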
# try container repository trigger
source | port | policy | comments
---|---|---|---
0.0.0.0/0 | TCP:30000-32767 | allow | alb (NodePort range)
0.0.0.0/0 | ICMP | allow | allow ping
10.0.0.0/16 | ALL | allow | db
172.16.0.0/12 | ALL | allow | k8s container network
192.168.0.0/16 | ALL | allow |
Note: the first rule exposes every NodePort service on the nodes to the whole internet; if the ALB/CLB source addresses are known, restrict that rule to them.