4.8 Comprehensive Application Example

The Pod object all-in-one defined in the manifest below (all-in-one.yaml) brings together most of the configuration covered earlier: it has one init container and two application containers, of which sidecar-proxy is the Sidecar container, responsible for proxying client requests on behalf of the main container demo.


apiVersion: v1
kind: Pod
metadata:
  name: all-in-one
  namespace: default
spec:
  initContainers:
  - name: iptables-init
    image: ikubernetes/admin-box:latest
    imagePullPolicy: IfNotPresent
    command: ['/bin/sh','-c']
    args: ['iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80']
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
  containers:
  - name: sidecar-proxy
    image: envoyproxy/envoy-alpine:v1.13.1
    command: ['/bin/sh','-c']
    args: ['sleep 3 && envoy -c /etc/envoy/envoy.yaml']
    lifecycle:
      postStart:
        exec:
          command: ['/bin/sh','-c','wget -O /etc/envoy/envoy.yaml https://raw.githubusercontent.com/iKubernetes/Kubernetes_Advanced_Practical_2rd/master/chapter4/envoy.yaml']
    livenessProbe:
      tcpSocket:
        port: 80
      initialDelaySeconds: 5
    readinessProbe:
      tcpSocket:
        port: 80
      initialDelaySeconds: 5
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    env:
    - name: PORT
      value: '8080'
    livenessProbe:
      httpGet:
        path: '/livez'
        port: 8080
      initialDelaySeconds: 5
    readinessProbe:
      httpGet:
        path: '/readyz'
        port: 8080
      initialDelaySeconds: 15
    securityContext:
      runAsUser: 1001
      runAsGroup: 1001
    resources:
      requests:
        cpu: 0.5
        memory: "64Mi"
      limits:
        cpu: 2 
        memory: "1024Mi"
  securityContext:
    supplementalGroups: [1002, 1003]
    fsGroup: 2000

Among the containers of the Pod object in this manifest, the main container demo listens on TCP port 8080 of the Pod's IP address to receive and answer HTTP requests; the Sidecar container sidecar-proxy listens on TCP port 80, accepts HTTP requests and proxies them to port 8080 of the demo container; the init container adds an iptables redirect rule in the Pod's network namespace that redirects every request arriving at port 8080 of the Pod IP to port 80, so the demo container only ever receives requests on port 8080 of 127.0.0.1. Readers may create the Pod object from this manifest on a cluster and test the effect of each configuration item in turn.
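As an added example (not part of the book's manifest or the cluster's own tooling), the following Python review walks the all-in-one spec, embedded here as a constructed dict mirroring the YAML above rather than parsed from it, and surfaces the settings a cluster administrator would flag: the NET_ADMIN capability granted to the init container, its unpinned :latest image tag, the postStart hook that fetches the Envoy configuration over the network at startup, and the sidecar container running without a runAsUser or resource limits while the demo container sets both.

```python
# Added example (not from the book): offline review of the all-in-one Pod spec.
# ALL_IN_ONE is a constructed dict mirroring the manifest, so no YAML parser is needed.
ALL_IN_ONE = {
    "initContainers": [
        {"name": "iptables-init", "image": "ikubernetes/admin-box:latest",
         "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}},
    ],
    "containers": [
        {"name": "sidecar-proxy", "image": "envoyproxy/envoy-alpine:v1.13.1",
         "lifecycle": {"postStart": {"exec": {"command": [
             "/bin/sh", "-c",
             "wget -O /etc/envoy/envoy.yaml https://raw.githubusercontent.com/"
             "iKubernetes/Kubernetes_Advanced_Practical_2rd/master/chapter4/envoy.yaml"]}}}},
        {"name": "demo", "image": "ikubernetes/demoapp:v1.0",
         "securityContext": {"runAsUser": 1001, "runAsGroup": 1001},
         "resources": {"requests": {"cpu": 0.5, "memory": "64Mi"},
                       "limits": {"cpu": 2, "memory": "1024Mi"}}},
    ],
}


def review_pod(spec):
    """Return (container name, finding) pairs for init and app containers."""
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c["name"]
        # Added Linux capabilities widen what a compromised container can do;
        # NET_ADMIN lets a process rewrite the Pod's iptables rules.
        for cap in c.get("securityContext", {}).get("capabilities", {}).get("add", []):
            findings.append((name, f"adds capability {cap}"))
        # An unpinned or :latest tag means the image can change underneath you.
        tag = c["image"].rsplit("/", 1)[-1].partition(":")[2]
        if tag in ("", "latest"):
            findings.append((name, "image tag is not pinned"))
        # A postStart hook that downloads its config makes startup depend on a
        # remote host and on whatever that host serves at that moment.
        hook = c.get("lifecycle", {}).get("postStart", {}).get("exec", {}).get("command", [])
        if any(tool in " ".join(hook) for tool in ("wget ", "curl ")):
            findings.append((name, "postStart hook downloads content at runtime"))
    # Long-running app containers should drop root and be bounded by limits;
    # the init container is left out here because its iptables step runs as root.
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("runAsUser") in (None, 0):
            findings.append((c["name"], "no non-root runAsUser"))
        if "limits" not in c.get("resources", {}):
            findings.append((c["name"], "no resource limits"))
    return findings
```

Running `review_pod(ALL_IN_ONE)` yields two findings for iptables-init and three for sidecar-proxy, and none for demo.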