文档
主页
kubeadm 概述
Getting started
Release notes and version skew
Learning environment
Production environment
Container runtimes (EN)
Installing Kubernetes with deployment tools
Bootstrapping clusters with kubeadm
Installing kubeadm (EN)
Troubleshooting kubeadm (EN)
Creating a single control-plane cluster with kubeadm (EN)
Customizing control plane configuration with kubeadm (EN)
Options for Highly Available topology (EN)
Creating Highly Available clusters with kubeadm (EN)
Set up a High Availability etcd cluster with kubeadm (EN)
Configuring each kubelet in your cluster using kubeadm (EN)
Configuring your kubernetes cluster to self-host the control plane (EN)
Installing Kubernetes with KRIB (EN)
Installing Kubernetes with kops (EN)
Installing Kubernetes with Kubespray (EN)
Turnkey Cloud Solutions
Running Kubernetes on AWS EC2 (EN)
Running Kubernetes on Alibaba Cloud (EN)
Running Kubernetes on Azure (EN)
Running Kubernetes on CenturyLink Cloud (EN)
Running Kubernetes on Google Compute Engine (EN)
Running Kubernetes on Multiple Clouds with IBM Cloud Private (EN)
Running Kubernetes on Multiple Clouds with Stackpoint.io (EN)
Running Kubernetes on Tencent Kubernetes Engine (EN)
On-Premises VMs
kubeadm init
安装 kubeadm
使用 kubeadm 创建一个单主集群
概念
概念
概述
Kubernetes Architecture
Containers
Taint 和 Toleration
工作负载
工作负载
Pods
Services, Load Balancing, and Networking
存储
Configuration
Configuration Best Practices (EN)
Resource Bin Packing for Extended Resources (EN)
Managing Compute Resources for Containers (EN)
Pod Overhead (EN)
Assigning Pods to Nodes (EN)
Taints and Tolerations (EN)
Secrets (EN)
Organizing Cluster Access Using kubeconfig Files (EN)
Pod Priority and Preemption (EN)
Scheduling Framework (EN)
Cluster Administration
Extending Kubernetes
Extending your Kubernetes Cluster (EN)
Extending the Kubernetes API
Compute, Storage, and Networking Extensions
Operator pattern (EN)
Service Catalog (EN)
Poseidon-Firmament - An alternate scheduler (EN)
DNS Pod 与 Service
Kubernetes 中的代理
Kubernetes集群中使用Sysctls
Managing Compute Resources for Containers
Master 节点通信
Nodes
Pod 安全策略
Secret
Service
云供应商
使用 HostAliases 向 Pod /etc/hosts 文件添加条目
安装扩展(Addons)
容器环境变量
应用连接到 Service
概念模板示例
网络策略
联邦
设备插件
证书
资源配额
镜像
集群管理概述
Tasks
Install Tools
Configure Pods and Containers
Assign Memory Resources to Containers and Pods (EN)
Assign CPU Resources to Containers and Pods (EN)
Configure GMSA for Windows pods and containers (EN)
Configure RunAsUserName for Windows pods and containers (EN)
Configure Quality of Service for Pods (EN)
Assign Extended Resources to a Container (EN)
Configure a Pod to Use a Volume for Storage (EN)
Configure a Pod to Use a PersistentVolume for Storage (EN)
Configure a Pod to Use a Projected Volume for Storage (EN)
Configure a Security Context for a Pod or Container (EN)
Configure Service Accounts for Pods (EN)
Pull an Image from a Private Registry (EN)
Configure Liveness and Readiness Probes (EN)
Assign Pods to Nodes (EN)
Configure Pod Initialization (EN)
Attach Handlers to Container Lifecycle Events (EN)
Configure a Pod to Use a ConfigMap (EN)
Share Process Namespace between Containers in a Pod (EN)
Create static Pods (EN)
Translate a Docker Compose File to Kubernetes Resources (EN)
Administer a Cluster
Administration with kubeadm
Manage Memory, CPU, and API Resources
Configure Default Memory Requests and Limits for a Namespace (EN)
Configure Default CPU Requests and Limits for a Namespace (EN)
Configure Minimum and Maximum Memory Constraints for a Namespace (EN)
Configure Minimum and Maximum CPU Constraints for a Namespace (EN)
Configure Memory and CPU Quotas for a Namespace (EN)
Configure a Pod Quota for a Namespace (EN)
Install a Network Policy Provider
Access Clusters Using the Kubernetes API (EN)
Access Services Running on Clusters (EN)
Advertise Extended Resources for a Node (EN)
Autoscale the DNS Service in a Cluster (EN)
Change the Reclaim Policy of a PersistentVolume (EN)
Change the default StorageClass (EN)
Cluster Management (EN)
Configure Multiple Schedulers (EN)
Configure Out Of Resource Handling (EN)
Configure Quotas for API Objects (EN)
Control CPU Management Policies on the Node (EN)
Control Topology Management Policies on a node (EN)
Customizing DNS Service (EN)
Debugging DNS Resolution (EN)
Declare Network Policy (EN)
Developing Cloud Controller Manager (EN)
Enabling Endpoint Slices (EN)
Encrypting Secret Data at Rest (EN)
Guaranteed Scheduling For Critical Add-On Pods (EN)
IP Masquerade Agent User Guide (EN)
Kubernetes Cloud Controller Manager (EN)
Limit Storage Consumption (EN)
Namespaces Walkthrough (EN)
Operating etcd clusters for Kubernetes (EN)
Reconfigure a Node's Kubelet in a Live Cluster (EN)
Reserve Compute Resources for System Daemons (EN)
Safely Drain a Node while Respecting the PodDisruptionBudget (EN)
Securing a Cluster (EN)
Set Kubelet parameters via a config file (EN)
Set up High-Availability Kubernetes Masters (EN)
Share a Cluster with Namespaces (EN)
Using CoreDNS for Service Discovery (EN)
Using NodeLocal DNSCache in Kubernetes clusters (EN)
Using a KMS provider for data encryption (EN)
Using sysctls in a Kubernetes Cluster (EN)
Manage Kubernetes Objects
Inject Data Into Applications
Define a Command and Arguments for a Container (EN)
Define Environment Variables for a Container (EN)
Expose Pod Information to Containers Through Environment Variables (EN)
Expose Pod Information to Containers Through Files (EN)
Distribute Credentials Securely Using Secrets (EN)
Inject Information into Pods Using a PodPreset (EN)
Run Applications
Run a Stateless Application Using a Deployment (EN)
Run a Single-Instance Stateful Application (EN)
Run a Replicated Stateful Application (EN)
Update API Objects in Place Using kubectl patch (EN)
Scale a StatefulSet (EN)
Delete a StatefulSet (EN)
Force Delete StatefulSet Pods (EN)
Perform Rolling Update Using a Replication Controller (EN)
Horizontal Pod Autoscaler (EN)
Horizontal Pod Autoscaler Walkthrough (EN)
Specifying a Disruption Budget for your Application (EN)
Run Jobs
Access Applications in a Cluster
Web UI (Dashboard) (EN)
Accessing Clusters (EN)
Configure Access to Multiple Clusters (EN)
Use Port Forwarding to Access Applications in a Cluster (EN)
Use a Service to Access an Application in a Cluster (EN)
Connect a Front End to a Back End Using a Service (EN)
Create an External Load Balancer (EN)
Configure Your Cloud Provider's Firewalls (EN)
List All Container Images Running in a Cluster (EN)
Set up Ingress on Minikube with the NGINX Ingress Controller (EN)
Communicate Between Containers in the Same Pod Using a Shared Volume (EN)
Configure DNS for a Cluster (EN)
Monitoring, Logging, and Debugging
Application Introspection and Debugging (EN)
Auditing (EN)
Auditing with Falco (EN)
Debug Init Containers (EN)
Debug Pods and ReplicationControllers (EN)
Debug Services (EN)
Debug a StatefulSet (EN)
Debugging Kubernetes nodes with crictl (EN)
Determine the Reason for Pod Failure (EN)
Developing and debugging services locally (EN)
Events in Stackdriver (EN)
Get a Shell to a Running Container (EN)
Logging Using Elasticsearch and Kibana (EN)
Logging Using Stackdriver (EN)
Monitor Node Health (EN)
Resource metrics pipeline (EN)
Tools for Monitoring Resources (EN)
Troubleshoot Applications (EN)
Troubleshoot Clusters (EN)
Troubleshooting (EN)
Extend Kubernetes
Federation
Manage Cluster Daemons
Install Service Catalog
Extend kubectl with plugins (EN)
Manage HugePages (EN)
Schedule GPUs (EN)
Tutorials
Hello Minikube (EN)
Learn Kubernetes Basics
Online Training Courses
Configuration
Stateless Applications
Stateful Applications
Clusters
Services
授权概述
Reference
Standardized Glossary (EN)
Kubernetes Issues and Security
Using the Kubernetes API
Accessing the API
Controlling Access to the Kubernetes API (EN)
Authenticating (EN)
Authenticating with Bootstrap Tokens (EN)
Using Admission Controllers (EN)
Dynamic Admission Control (EN)
Managing Service Accounts (EN)
Authorization Overview (EN)
Using RBAC Authorization (EN)
Using ABAC Authorization (EN)
Using Node Authorization (EN)
Webhook Mode (EN)
API Reference
Setup tools reference
Kubeadm
Overview of kubeadm (EN)
kubeadm init (EN)
kubeadm join (EN)
kubeadm upgrade (EN)
kubeadm config (EN)
kubeadm reset (EN)
kubeadm token (EN)
kubeadm version (EN)
kubeadm alpha (EN)
kubeadm init phase (EN)
kubeadm join phase (EN)
kubeadm reset phase (EN)
kubeadm upgrade phase (EN)
Implementation details (EN)
Command line tools reference
kubectl CLI
Tools (EN)
使用 Salt 配置 Kubernetes 集群
Contribute
Start contributing (EN)
Intermediate contributing (EN)
Advanced contributing (EN)
Documentation style overview
Reference docs overview
Localizing Kubernetes Documentation (EN)
Participating in SIG Docs (EN)
(EN)
ABAC 模式
Advanced Topics (EN)
Docker 用户使用 kubectl 命令指南
Docs smoke test page (EN)
Foundational (EN)
Foundational (EN)
Intermediate (EN)
Intermediate (EN)
JSONPath 支持
Kubelet authentication/authorization
Kubernetes API访问控制
Search Results (EN)
TLS bootstrapping
Tasks
Install Tools
Setup an extension API server
Configure Pods and Containers
Configure Pods and Containers
Assign Memory Resources to Containers and Pods (EN)
Assign CPU Resources to Containers and Pods (EN)
Configure GMSA for Windows pods and containers (EN)
Configure RunAsUserName for Windows pods and containers (EN)
Configure Quality of Service for Pods (EN)
Assign Extended Resources to a Container (EN)
Configure a Pod to Use a Volume for Storage (EN)
Configure a Pod to Use a PersistentVolume for Storage (EN)
Configure a Pod to Use a Projected Volume for Storage (EN)
Configure a Security Context for a Pod or Container (EN)
Configure Service Accounts for Pods (EN)
Pull an Image from a Private Registry (EN)
Configure Liveness and Readiness Probes (EN)
将 Pod 分配给节点
Configure Pod Initialization (EN)
为容器的生命周期事件设置处理函数
Configure a Pod to Use a ConfigMap (EN)
Share Process Namespace between Containers in a Pod (EN)
Create static Pods (EN)
Translate a Docker Compose File to Kubernetes Resources (EN)
给容器分配非透明整型资源
Administer a Cluster
Administration with kubeadm
Manage Memory, CPU, and API Resources
Configure Default Memory Requests and Limits for a Namespace (EN)
Configure Default CPU Requests and Limits for a Namespace (EN)
Configure Minimum and Maximum Memory Constraints for a Namespace (EN)
Configure Minimum and Maximum CPU Constraints for a Namespace (EN)
Configure Memory and CPU Quotas for a Namespace (EN)
Configure a Pod Quota for a Namespace (EN)
Install a Network Policy Provider
Access Clusters Using the Kubernetes API (EN)
Access Services Running on Clusters (EN)
Advertise Extended Resources for a Node (EN)
Autoscale the DNS Service in a Cluster (EN)
Change the Reclaim Policy of a PersistentVolume (EN)
Change the default StorageClass (EN)
Cluster Management (EN)
Configure Multiple Schedulers (EN)
Configure Out Of Resource Handling (EN)
Configure Quotas for API Objects (EN)
Control CPU Management Policies on the Node (EN)
Control Topology Management Policies on a node (EN)
Customizing DNS Service (EN)
Debugging DNS Resolution (EN)
Declare Network Policy (EN)
Developing Cloud Controller Manager (EN)
Enabling Endpoint Slices (EN)
Encrypting Secret Data at Rest (EN)
Guaranteed Scheduling For Critical Add-On Pods (EN)
IP Masquerade Agent User Guide (EN)
Kubernetes Cloud Controller Manager (EN)
Limit Storage Consumption (EN)
Namespaces Walkthrough (EN)
Operating etcd clusters for Kubernetes (EN)
Reconfigure a Node's Kubelet in a Live Cluster (EN)
Reserve Compute Resources for System Daemons (EN)
Safely Drain a Node while Respecting the PodDisruptionBudget (EN)
Securing a Cluster (EN)
Set Kubelet parameters via a config file (EN)
Set up High-Availability Kubernetes Masters (EN)
Share a Cluster with Namespaces (EN)
Using CoreDNS for Service Discovery (EN)
Using NodeLocal DNSCache in Kubernetes clusters (EN)
Using a KMS provider for data encryption (EN)
Using sysctls in a Kubernetes Cluster (EN)
Accessing Clusters
Manage Kubernetes Objects
Inject Data Into Applications
Run Applications
Run a Stateless Application Using a Deployment (EN)
Run a Single-Instance Stateful Application (EN)
Run a Replicated Stateful Application (EN)
Update API Objects in Place Using kubectl patch (EN)
Scale a StatefulSet (EN)
Delete a StatefulSet (EN)
Force Delete StatefulSet Pods (EN)
Perform Rolling Update Using a Replication Controller (EN)
Horizontal Pod Autoscaler (EN)
Horizontal Pod Autoscaler Walkthrough (EN)
Specifying a Disruption Budget for your Application (EN)
Use Port Forwarding to Access Applications in a Cluster
Run Jobs
Provide Load-Balanced Access to an Application in a Cluster
Access Applications in a Cluster
Web UI (Dashboard) (EN)
Accessing Clusters (EN)
Configure Access to Multiple Clusters (EN)
Use Port Forwarding to Access Applications in a Cluster (EN)
Use a Service to Access an Application in a Cluster (EN)
Connect a Front End to a Back End Using a Service (EN)
Create an External Load Balancer (EN)
Configure Your Cloud Provider's Firewalls (EN)
List All Container Images Running in a Cluster (EN)
Set up Ingress on Minikube with the NGINX Ingress Controller (EN)
Communicate Between Containers in the Same Pod Using a Shared Volume (EN)
Configure DNS for a Cluster (EN)
Use a Service to Access an Application in a Cluster
删除 StatefulSet
Monitor, Log, and Debug
Monitor, Log, and Debug
Application Introspection and Debugging (EN)
Auditing
Auditing with Falco (EN)
Debug Init Containers (EN)
Debug Services (EN)
Debugging Kubernetes nodes with crictl (EN)
Determine the Reason for Pod Failure (EN)
Developing and debugging services locally (EN)
Events in Stackdriver (EN)
Get a Shell to a Running Container (EN)
Logging Using Elasticsearch and Kibana (EN)
Logging Using Stackdriver (EN)
Monitor Node Health (EN)
Resource metrics pipeline (EN)
Tools for Monitoring Resources (EN)
Troubleshooting (EN)
应用故障排查
调试Pods和Replication Controllers
调试StatefulSet
集群故障排查
Create an External Load Balancer
Extend Kubernetes
配置你的云平台防火墙
List All Container Images Running in a Cluster
Federation - Run an App on Multiple Clusters
Configure DNS for a Cluster
Manage Cluster Daemons
Install Service Catalog
Federation - Run an App on Multiple Clusters
Administer-clusters
Administration with kubeadm
Manage Memory, CPU, and API Resources
Manage Memory, CPU, and API Resources
Configure Default Memory Requests and Limits for a Namespace
Configure Default CPU Requests and Limits for a Namespace
Configure Minimum and Maximum Memory Constraints for a Namespace
Configure Minimum and Maximum CPU Constraints for a Namespace
Configure Memory and CPU Quotas for a Namespace
Configure a Pod Quota for a Namespace (EN)
Install a Network Policy Provider
Access Clusters Using the Kubernetes API (EN)
Advertise Extended Resources for a Node (EN)
Autoscale the DNS Service in a Cluster (EN)
Configure Multiple Schedulers (EN)
Configure Out Of Resource Handling (EN)
Configure Quotas for API Objects (EN)
Control Topology Management Policies on a node (EN)
Debugging DNS Resolution (EN)
Developing Cloud Controller Manager (EN)
Enabling Endpoint Slices (EN)
Encrypting Secret Data at Rest
IP Masquerade Agent User Guide (EN)
Kubernetes Cloud Controller Manager (EN)
Limit Storage Consumption (EN)
Namespaces Walkthrough (EN)
Operating etcd clusters for Kubernetes (EN)
Reconfigure a Node's Kubelet in a Live Cluster (EN)
Reserve Compute Resources for System Daemons (EN)
Safely Drain a Node while Respecting the PodDisruptionBudget (EN)
Securing a Cluster (EN)
Set up High-Availability Kubernetes Masters (EN)
Share a Cluster with Namespaces (EN)
Using CoreDNS for Service Discovery (EN)
Using NodeLocal DNSCache in Kubernetes clusters (EN)
Using a KMS provider for data encryption (EN)
使用 Calico 来提供 NetworkPolicy
使用 Romana 来提供 NetworkPolicy
使用 Weave 网络来提供 NetworkPolicy
关键插件 Pod 的调度保证
在 Kubernetes 中配置私有 DNS 和上游域名服务器
在 Kubernetes 集群中使用 sysctl
声明网络策略
将 kubeadm 集群在 v1.8 版本到 v1.9 版本之间升级/降级
应用资源配额和限额
控制节点上的CPU管理策略
改变默认 StorageClass
更改 PersistentVolume 的回收策略
设置 Pod CPU 和内存限制
访问集群上运行的服务
通过配置文件设置 Kubelet 参数
配置命名空间下pod总数
集群管理
静态Pods
Extend kubectl with plugins (EN)
使用 Service 把前端连接到后端
使用Deployment运行一个无状态应用
同 Pod 内的容器使用共享卷通信
基于Replication Controller执行滚动升级
对 DaemonSet 执行回滚
弹缩StatefulSet
管理巨页(HugePages)
证书轮换
调度 GPU
运行一个单实例有状态应用
配置对多集群的访问
Tools
Tutorials
Hello Minikube (EN)
Online Training Courses
Configuration
Stateless Applications
Stateful Applications
Clusters
Services
学习 Kubernetes 基础知识
学习 Kubernetes 基础知识
Create a Cluster
运行应用程序的多个实例
Deploy an App
Expose Your App Publicly
Scale Your App
互动教程 - 创建集群
互动教程 - 应用外部可见
互动教程 - 应用程序探索
互动教程 - 扩展您的应用程序
互动教程 - 更新您的应用程序
互动教程 - 部署应用程序
使用 Minikube 创建一个集群
使用 kubectl 创建部署
使用服务发布您的应用程序
执行滚动更新
查看 Pod 和节点
运行应用程序的多个实例
Kubernetes 对象管理
StatefulSet 基本使用
使用 Source IP
使用ConfigMap来配置Redis
使用命令式的方式管理 Kubernetes 对象
基于 Persistent Volumes 搭建 WordPress 和 MySQL 应用
示例:使用 Stateful Sets 部署 Cassandra
运行 ZooKeeper, 一个 CP 分布式系统
Webhook Mode
kube-apiserver
kube-proxy
kube-scheduler
kubectl
kubectl概述
kubelet
使用准入控制插件
使用启动引导令牌(Bootstrap Tokens)认证
创建大规模集群
多区域运行
知名标签(Label)、注解(Annotation)和 Taints
管理Service Accounts
节点设置校验
Webhook Mode
WebHook 是一种 HTTP 回调:某些条件下触发的 HTTP POST 请求;通过 HTTP POST 发送的简单事件通知。一个基于 web 应用实现的 WebHook 会在特定事件发生时把消息发送给特定的 URL 。
具体来说,当在判断用户权限时,Webhook 模式会使 Kubernetes 查询外部的 REST 服务。
配置文件格式
Webhook 模式需要一个 HTTP 配置文件,通过 --authorization-webhook-config-file=SOME_FILENAME 的参数声明。
配置文件的格式使用 kubeconfig。 在文件中,”users” 代表着 API 服务器的 webhook,而 “cluster” 代表着远程服务。
使用 HTTPS 客户端认证的配置例子:
# clusters 代表远程服务。
clusters:
- name: name-of-remote-authz-service
cluster:
certificate-authority: /path/to/ca.pem # 对远程服务进行身份认证的CA。
server: https://authz.example.com/authorize # 远程服务的查询 URL. 必须使用 'https'。
# users 代表 API 服务器的 webhook 配置.
users:
- name: name-of-api-server
user:
client-certificate: /path/to/cert.pem # webhook plugin 使用的 cert。
client-key: /path/to/key.pem # cert 所对应的 key。
# kubeconfig 文件必须有 context 。 需要提供一个给 API 服务器。
current-context: webhook
contexts:
- context:
cluster: name-of-remote-authz-service
user: name-of-api-server
name: webhook请求载荷
在做认证决策时,API 服务器会 POST 一个 JSON 序列化的 api.authorization.v1beta1.SubjectAccessReview 对象来描述这个动作。这个对象包含了描述用户请求的字段,同时也包含了需要被访问资源或者请求特征的具体信息。
需要注意的是 webhook API 对象与其他 Kubernetes API 对象一样都同样都服从 版本兼容规则 。
实施人员应该了解 beta 对象的更宽松的兼容性承诺,同时确认请求的 “apiVersion” 字段以确保能被正确地反序列化。
此外,API 服务器还必须启用 authorization.k8s.io/v1beta1 API 扩展组(--runtime-config=authorization.k8s.io/v1beta1=true)。
一个请求内容的例子:
{
"apiVersion": "authorization.k8s.io/v1beta1",
"kind": "SubjectAccessReview",
"spec": {
"resourceAttributes": {
"namespace": "kittensandponies",
"verb": "get",
"group": "unicorn.example.org",
"resource": "pods"
},
"user": "jane",
"group": [
"group1",
"group2"
]
}
}远程服务被预期能填写请求和反馈的 SubjectAccessReviewStatus 字段,无论是允许访问还是拒绝访问。 反馈内容的 “spec” 字段是被忽略的,也是可以被省略的。当请求是被允许的时候,返回的响应如下例所示:
{
"apiVersion": "authorization.k8s.io/v1beta1",
"kind": "SubjectAccessReview",
"status": {
"allowed": true
}
}如拒绝,远程服务器会返回:
{
"apiVersion": "authorization.k8s.io/v1beta1",
"kind": "SubjectAccessReview",
"status": {
"allowed": false,
"reason": "user does not have read access to the namespace"
}
}对于非资源的路径访问是这么发送的:
{
"apiVersion": "authorization.k8s.io/v1beta1",
"kind": "SubjectAccessReview",
"spec": {
"nonResourceAttributes": {
"path": "/debug",
"verb": "get"
},
"user": "jane",
"group": [
"group1",
"group2"
]
}
}非资源类的路径包括:/api, /apis, /metrics, /resetMetrics,
/logs, /debug, /healthz, /swagger-ui/, /swaggerapi/, /ui, and
/version。 客户端需要访问 /api, /api/*, /apis, /apis/*, 和 /version 以便
能发现服务器上有什么资源和版本。对于其他非资源类的路径访问在没有 REST API 访问限制的情况下拒绝。
更多信息可以参考 uthorization.v1beta1 API 对象和 webhook.go.
反馈
此页是否对您有帮助?
Thanks for the feedback. If you have a specific, answerable question about how to use Kubernetes, ask it on Stack Overflow. Open an issue in the GitHub repo if you want to report a problem or suggest an improvement.