operator

1、操作pod

1.1、打印所有pod使用的镜像

1.2、打印所有ep地址

kubectl get pods --all-namespaces -o=custom-columns=NAME:.metadata.name,Node-IP:.status.hostIP,Pod-IP:.status.podIP | grep 10.0.238.243

1.3、清理不正常的Pod

kubectl get pods --all-namespaces | grep Evicted| awk '{cmd=" kubectl delete pod "$2" -n "$1;system(cmd)}'

3、证书相关

3.1、k8s证书过期时间验证

for item in $(find /etc/kubernetes/pki -maxdepth 2 -name "*.crt"); do
    openssl x509 -enddate -noout -in "$item"
    echo "$item"
done

3.2、更新ingress-tls证书

https://iteshell.oss-cn-beijing.aliyuncs.com/bookshell/202401121030436.png

#获取ingress-对应的域名
kubectl  get ingress -A | grep file

#找到ingress之后，查看绑定的证书secret 
kubectl  get  ingress be-filesystem-api -n smart -o yaml | grep secretName

#创建证书-提前将证书上传到文件夹
kubectl  create secret tls be-filesystem-api-tls-20231123 --cert=filesystem-api.aaa.com_bundle.pem --key=filesystem-api.aaa.com.key  --dry-run=client -o yaml > be-filesystem-api-tls-20231123.yaml

#创建secret 
kubectl  apply -f fe-video-foundation-tls-20231123.yaml

#替换secret
kubectl  edit ingress be-filesystem-api -n smart

3.3、kubernetes集群证书更新

# k8s证书自动续签 
0 12 1 4,8,12 * cp -rf /etc/kubernetes /etc/kubernetes.bak;kubeadm certs renew all;mv /etc/kubernetes/*.conf /tmp/;kubeadm init phase kubeconfig all;systemctl restart kubelet;cp /etc/kubernetes/admin.conf ~/.kube/config;docker ps | grep -v pause | grep -E "etcd|scheduler|controller|apiserver" | awk '{print $1}' | awk '{print "docker","restart",$1}' | bash

4、镜像容器相关

4.1、清理k8s各个节点的镜像,需要验证

for i in `kubectl get nodes -o jsonpath='{range .items[*]}{.status.addresses[0].address}{"\n"}{end}' `; do
    ssh -i XXX USER@$i 'docker image prune -a -f'; exit 0
done

kubectl get nodes -o jsonpath='{range .items[*]}{.status.addresses[?(@.type=="InternalIP")].address}{"\n"}{end}'

4.2、patch镜像

kubectl patch deployment itz-test-aaa   --patch '{"spec": {"template": {"spec": {"containers": [{"name": "tz-test-aaa-1","image":"harbor.zlqit.com/tz_aaa/tz-test-aaa:1.1.93"}]}}}}' -n  tz-aaa

4.3、容器清理脚本

root@ekc10:/home/devops# cat /root/clear/clear_container.sh 
echo '---------------------------------------------------'
echo $(date)
cd /var/lib/docker/containers/
du -sh * | grep G
for m in $(du -sh * | grep G | awk -F' ' '{print $1":"$2}' | awk -F'G:' '{if ($1 > 5) print $2}')
do
  for i in $(docker ps -a | awk -F' ' '{print $1}')
  do
    docker inspect $i | grep $m && echo $(docker ps -a | grep $i)
    docker inspect $i | grep $m && echo $(docker ps -a | grep $i) | awk -F' ' '{print $1}' | xargs docker stop | xargs docker rm
  done
done

4.4、替换容器启动命令

    command: ["/bin/sh", "-c"]        
    args: ["sleep 1000000"]

5、持久化

5.1、configmap热更新插件

https://github.com/stakater/Reloader

6、etcd相关

6.1、etcd操作

etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key member remove  chinatelecom-nm07-a100-naster2
etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key endpoint health --cluster -w table
etcdctl --endpoints 127.0.0.1:2379 --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key --cacert=/etc/kubernetes/pki/etcd/ca.crt snapshot save /var/lib/etcd/etcd_snap_save.db

etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key member list
etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key 
etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key  endpoint health --cluster -w table


alias etcdctlnew='etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key'

etcdctlnew member list
etcdctlnew  member remove xxxx

6.2、kubernetes中etcd备份和恢复

备份方式

root@ekc10:/home/devops# cat /data/k8s/etcd_backup/etcd_backup.sh 
rm etcd_snap_save_$(date -d "10 days ago" +"%Y%m%d")*
/usr/local/bin/etcdctl --endpoints 127.0.0.1:2379 --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key --cacert=/etc/kubernetes/pki/etcd/ca.crt snapshot save etcd_snap_save_$(date +"%Y%m%d%H%M").db

恢复方式

## 导出工具
find /var/lib/containerd -name etcdctl
...
[root@m51 ~]# cp /var/lib/containerd/xxxxx/d4cf2ee0ea5ba2105936897d3d478c38a23ba6fb65593dc808a559e2dc67667a/diff/usr/local/bin/etcdctl /usr/bin/
[root@m51 ~]# etcdctl version
etcdctl version: 3.5.3
API version: 3.5

## 备份
ETCDCTL_API=3 \
etcdctl \
--endpoints=<endpoints> \
--cacert=<trusted-ca-file>  \
--cert=<cert-file>  \
--key=<key-file> \
snapshot save <backup-file-location>

## 进行验证
[root@m51 etcd-back]# ETCDCTL_API=3 etcdctl --write-out=table snapshot status sn-23-05-24.db

恢复命令
ETCDCTL_API=3 etcdctl snapshot restore --data-dir /var/lib/etcd/ sn-23-05-24.db

8、自动化安装容器

###按照docker

#添加GPG key
curl -fsSL https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu/gpg | sudo apt-key add -

#验证指纹
sudo apt-key fingerprint 0EBFCD88

#添加docker-ce的仓库
sudo add-apt-repository \
   "deb [arch=amd64] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu \
   $(lsb_release -cs) \
   stable"

#查看可以安装的版本
apt-cache madison docker 
apt install docker-ce=5:20.10.10~3-0~ubuntu-focal


###修改containerd配置
echo "[info] containerd is already installed"
docker_install_code=0
systemctl  stop ufw && systemctl  disable ufw
rm -f /etc/containerd/config.toml
mkdir -p /etc/containerd
containerd config default | tee /etc/containerd/config.toml

sed -i 's#SystemdCgroup = false#SystemdCgroup = true#' /etc/containerd/config.toml


sed -i 's@registry.k8s.io@registry.cn-hangzhou.aliyuncs.com/zlq_registry@'  /etc/containerd/config.toml

systemctl daemon-reload
systemctl restart containerd


apt-get update
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.23.0/crictl-v1.23.0-linux-amd64.tar.gz
tar zxvf crictl-v1.23.0-linux-amd64.tar.gz -C /usr/local/bin
cat > /etc/crictl.yaml <<EOF
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF

docker run --name k8s-manager --net host --restart=always -v /root:/root -d   registry.cn-hangzhou.aliyuncs.com/zlq_registry/k8s-manager:v1.0

1、操作pod​

1.1、打印所有pod使用的镜像​

1.2、打印所有ep地址​

1.3、清理不正常的Pod​

3、证书相关​

3.1、k8s证书过期时间验证​

3.2、更新ingress-tls证书​

3.3、kubernetes集群证书更新​

4、镜像容器相关​

4.1、清理k8s各个节点的镜像,需要验证​

4.2、patch镜像​

4.3、容器清理脚本​

4.4、替换容器启动命令​

5、持久化​

5.1、configmap热更新插件​

6、etcd相关​

6.1、etcd操作​

6.2、kubernetes中etcd备份和恢复​

8、自动化安装容器​

1、操作pod

1.1、打印所有pod使用的镜像

1.2、打印所有ep地址

1.3、清理不正常的Pod

3、证书相关

3.1、k8s证书过期时间验证

3.2、更新ingress-tls证书

3.3、kubernetes集群证书更新

4、镜像容器相关

4.1、清理k8s各个节点的镜像,需要验证

4.2、patch镜像

4.3、容器清理脚本

4.4、替换容器启动命令

5、持久化

5.1、configmap热更新插件

6、etcd相关

6.1、etcd操作

6.2、kubernetes中etcd备份和恢复

8、自动化安装容器