1. Deploying and running a container application
1.1. Logging in to the TKC cluster
jianhua@napp:~/tkc$ kubectl vsphere login --server=192.168.203.194 \
--tanzu-kubernetes-cluster-name tkc-dev-cluster \
--tanzu-kubernetes-cluster-namespace tkc-01 \
--vsphere-username administrator@vsphere.local \
--insecure-skip-tls-verify
KUBECTL_VSPHERE_PASSWORD environment variable is not set. Please enter the password below
Password:
Logged in successfully.

You have access to the following contexts:
   192.168.203.194
   tkc-01
   tkc-dev-cluster

If the context you wish to use is not in this list, you may need to try
logging in again later, or contact your cluster administrator.

To change context, use `kubectl config use-context <workload name>`
jianhua@napp:~/tkc$ kubectl config use-context tkc-dev-cluster
Switched to context "tkc-dev-cluster".
jianhua@napp:~/tkc$
1.2. Configuration required before running containers
Without this configuration, running a container fails with the following error:
jianhua@napp:~/tkc$ kubectl run nginx --image=nginx:latest
Error from server (Forbidden): pods "nginx" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "nginx" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "nginx" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "nginx" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "nginx" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
jianhua@napp:~/tkc$
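The error above names the four settings the restricted Pod Security profile checks. As an added example (not part of the original post), here is a pod manifest that sets each of them, so the pod is admitted in the default namespace as it is, without relabelling the namespace to privileged. The image nginxinc/nginx-unprivileged and its listening port 8080 are assumptions: runAsNonRoot requires an image whose process does not start as root, which the stock nginx:latest does.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
  namespace: default
spec:
  securityContext:
    runAsNonRoot: true                 # pod-level; satisfies "runAsNonRoot != true"
    seccompProfile:
      type: RuntimeDefault             # satisfies the seccompProfile requirement
  containers:
  - name: nginx
    # Assumption: an nginx build that runs as a non-root user and listens on 8080.
    # nginx:latest starts as root, so with runAsNonRoot the kubelet would refuse to start it.
    image: nginxinc/nginx-unprivileged
    ports:
    - containerPort: 8080
    securityContext:
      allowPrivilegeEscalation: false  # satisfies "allowPrivilegeEscalation != false"
      capabilities:
        drop: ["ALL"]                  # satisfies "unrestricted capabilities"
```

Apply it with `kubectl apply -f <file>`; when exposing it as in section 1.3, use `--port=80 --target-port=8080` because the unprivileged image cannot bind port 80.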
1.2.1. Pod Security configuration
jianhua@napp:~/tkc$ kubectl label --overwrite ns default pod-security.kubernetes.io/enforce=privileged
namespace/default labeled
jianhua@napp:~/tkc$
1.2.2. RoleBinding configuration
jianhua@napp:~/tkc$ cat rolebindings-default-namespace.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rolebinding-default-privileged-sa-ns_default
  namespace: default
roleRef:
  kind: ClusterRole
  name: psp:vmware-system-privileged
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts
jianhua@napp:~/tkc$
- Applying the configuration
jianhua@napp:~/tkc$ kubectl apply -f rolebindings-default-namespace.yaml
rolebinding.rbac.authorization.k8s.io/rolebinding-default-privileged-sa-ns_default created
jianhua@napp:~/tkc$ kubectl get rolebindings
NAME ROLE AGE
rolebinding-default-privileged-sa-ns_default ClusterRole/psp:vmware-system-privileged 7s
jianhua@napp:~/tkc$
1.3. Running a container
- Run the container
jianhua@napp:~/tkc$ kubectl run nginx --image=quay.io/jitesoft/nginx
pod/nginx created
jianhua@napp:~/tkc$ kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx 0/1 ContainerCreating 0 1s
jianhua@napp:~/tkc$
jianhua@napp:~/tkc$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx 1/1 Running 0 62s 172.20.18.2 tkc-dev-cluster-tck-dev-worker-zt5ls-779c467dd4xwbb9p-kl9tx <none> <none>
jianhua@napp:~/tkc$
- Expose the port externally
jianhua@napp:~$ kubectl expose pod nginx --port=80 --target-port=80 --type=LoadBalancer --name=nginx-svc
service/nginx-svc exposed
jianhua@napp:~$ kubectl get svc -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
kubernetes ClusterIP 172.20.0.1 <none> 443/TCP 19h <none>
nginx-svc LoadBalancer 172.20.10.50 <pending> 80:32720/TCP 2s run=nginx
supervisor ClusterIP None <none> 6443/TCP 19h <none>
jianhua@napp:~$ kubectl get svc -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
kubernetes ClusterIP 172.20.0.1 <none> 443/TCP 19h <none>
nginx-svc LoadBalancer 172.20.10.50 192.168.203.196 80:32720/TCP 8s run=nginx
supervisor ClusterIP None <none> 6443/TCP 19h <none>
jianhua@napp:~$