VMware vSphere Tanzu部署_14_部署容器应用

1.部署运行容器应用

1.1. 登录tkc集群

jianhua@napp:~/tkc$ kubectl vsphere login --server=192.168.203.194 \
--tanzu-kubernetes-cluster-name  tkc-dev-cluster \
--tanzu-kubernetes-cluster-namespace tkc-01 \
--vsphere-username administrator@vsphere.local \
--insecure-skip-tls-verifyKUBECTL_VSPHERE_PASSWORD environment variable is not set. Please enter the password below
Password: 
Logged in successfully.You have access to the following contexts:192.168.203.194tkc-01tkc-dev-clusterIf the context you wish to use is not in this list, you may need to try
logging in again later, or contact your cluster administrator.To change context, use `kubectl config use-context <workload name>`
jianhua@napp:~/tkc$ jianhua@napp:~/tkc$ kubectl config use-context tkc-dev-cluster
Switched to context "tkc-dev-cluster".
jianhua@napp:~/tkc$ 

1.2.运行容器配置设置

不进行配置设置，运行容器时会出现如下报错

jianhua@napp:~/tkc$ kubectl run nginx --image=nginx:latest
Error from server (Forbidden): pods "nginx" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
jianhua@napp:~/tkc$

1.2.1pod security配置

jianhua@napp:~/tkc$ kubectl label --overwrite ns default pod-security.kubernetes.io/enforce=privileged
namespace/default labeled
jianhua@napp:~/tkc$ 

1.2.2.rolebindings配置

jianhua@napp:~/tkc$ cat rolebindings-default-namespace.yaml 
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:name: rolebinding-default-privileged-sa-ns_defaultnamespace: default
roleRef:kind: ClusterRolename: psp:vmware-system-privilegedapiGroup: rbac.authorization.k8s.io
subjects:
- kind: GroupapiGroup: rbac.authorization.k8s.ioname: system:serviceaccounts
jianhua@napp:~/tkc$ 

• 配置示例

jianhua@napp:~/tkc$ kubectl apply -f rolebindings-default-namespace.yaml 
rolebinding.rbac.authorization.k8s.io/rolebinding-default-privileged-sa-ns_default created
jianhua@napp:~/tkc$ kubectl get rolebindings
NAME                                           ROLE                                       AGE
rolebinding-default-privileged-sa-ns_default   ClusterRole/psp:vmware-system-privileged   7s
jianhua@napp:~/tkc$ 

1.3 运行容器

• 运行容器

jianhua@napp:~/tkc$ kubectl run nginx --image=quay.io/jitesoft/nginx
pod/nginx created
jianhua@napp:~/tkc$ kubectl get pod
NAME    READY   STATUS              RESTARTS   AGE
nginx   0/1     ContainerCreating   0          1s
jianhua@napp:~/tkc$
jianhua@napp:~/tkc$ kubectl get pod -o wide
NAME    READY   STATUS    RESTARTS   AGE   IP            NODE                                                          NOMINATED NODE   READINESS GATES
nginx   1/1     Running   0          62s   172.20.18.2   tkc-dev-cluster-tck-dev-worker-zt5ls-779c467dd4xwbb9p-kl9tx   <none>           <none>
jianhua@napp:~/tkc$ 

• 对外暴露端口

jianhua@napp:~$ kubectl expose pod nginx --port=80 --target-port=80 --type=LoadBalancer --name=nginx-svc
service/nginx-svc exposed
jianhua@napp:~$ kubectl get svc -o wide
NAME         TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE   SELECTOR
kubernetes   ClusterIP      172.20.0.1     <none>        443/TCP        19h   <none>
nginx-svc    LoadBalancer   172.20.10.50   <pending>     80:32720/TCP   2s    run=nginx
supervisor   ClusterIP      None           <none>        6443/TCP       19h   <none>
jianhua@napp:~$ kubectl get svc -o wide
NAME         TYPE           CLUSTER-IP     EXTERNAL-IP       PORT(S)        AGE   SELECTOR
kubernetes   ClusterIP      172.20.0.1     <none>            443/TCP        19h   <none>
nginx-svc    LoadBalancer   172.20.10.50   192.168.203.196   80:32720/TCP   8s    run=nginx
supervisor   ClusterIP      None           <none>            6443/TCP       19h   <none>
jianhua@napp:~$