DaemonSet runs exactly one Pod on each node of the Kubernetes cluster, much like a "daemon" (Daemon) process in a Linux system.
1. Origin
A Deployment can create any number of Pod instances and keep those Pods running, ensuring the application is always available.
However, a Deployment does not care which nodes of the cluster these Pods run on. From its point of view, the Pods' operating environment and location are irrelevant; as long as there are enough Pods, the application should work normally.
This assumption is fine for most workloads, such as Nginx, WordPress, and MySQL: they do not need to know any details of the cluster or its nodes, and as long as the environment variables and storage volumes are configured, they run the same wherever they land.
However, some special services are not completely independent of the system; they have a "binding" relationship with the host and must be attached to a node to be useful, for example:
- Network applications such as kube-proxy must run one Pod on each node; otherwise the node cannot join the Kubernetes network.
- Monitoring applications such as Prometheus must have one Pod per node to watch the node's status and report information in real time.
- Log applications such as Fluentd must run one Pod on each node to collect the log data generated by running containers.
- Security applications likewise need one Pod per node to perform security audits, intrusion checks, and vulnerability scans.
These services are not a good fit for a Deployment, because the number of Pods a Deployment manages is fixed and the Pods may "drift" around the cluster, whereas the actual requirement is to run one Pod on every node of the cluster, keeping the number of Pods in sync with the number of nodes.
Therefore, Kubernetes defines a new API object, DaemonSet. It is similar to Deployment in that both manage and control Pods, but its scheduling strategy is different.
A DaemonSet's goal is to run exactly one Pod on each node of the cluster, as if every node were equipped with a "watchdog" that faithfully "guards" it. That is the origin of the name DaemonSet.
2. YAML description
DaemonSet and Deployment both belong to online workloads, so they are in the apps group. Using the kubectl api-resources command you can see that its abbreviation is ds:
$ kubectl api-resources | grep daemonset
daemonsets   ds   apps/v1   true   DaemonSet
The YAML file header should be:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: xxx-ds
kubectl does not provide a way to automatically generate a DaemonSet YAML template; that is, we cannot use kubectl create to directly create a DaemonSet object.
However, you can find an example on the official Kubernetes website ( https://kubernetes.io/zh-cn/docs/concepts/workloads/controllers/daemonset/ ), copy it, and strip out the redundant parts to make your own DaemonSet YAML boilerplate, which looks roughly like this:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: redis-ds
  labels:
    app: redis-ds
spec:
  selector:
    matchLabels:
      name: redis-ds
  template:
    metadata:
      labels:
        name: redis-ds
    spec:
      containers:
      - image: redis:5-alpine
        name: redis
        ports:
        - containerPort: 6379
Simply compare this YAML with the Deployment object from the previous lesson, and you will find:
- The kind and metadata at the front are each object's unique information, so they naturally differ; but in the spec part, the DaemonSet also has a selector field that matches the labels of the Pod in template, almost exactly the same as in a Deployment.
- However, the DaemonSet's spec has no replicas field. This is a key difference from Deployment: it means the DaemonSet will not create multiple Pod copies in the cluster, but runs only a single Pod instance on each node.
In other words, DaemonSet differs from Deployment only in its Pod scheduling strategy; everything else is the same. To some extent, we can even regard DaemonSet as a special case of Deployment.
(Figure: comparison of the Deployment and DaemonSet objects)
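If you want to verify this difference yourself, a quick sketch with kubectl explain (the grep filter is just for brevity) shows that Deployment has a replicas field while DaemonSet does not:
kubectl explain deploy.spec | grep replicas   # prints the replicas field
kubectl explain ds.spec | grep replicas      # prints nothing: the field doesn't exist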
Knowing these differences, we can use a workaround to create the DaemonSet YAML template: first use kubectl create to generate a Deployment object, then change kind to DaemonSet and delete the spec.replicas field. For example:
export out="--dry-run=client -o yaml"
kubectl create deploy redis-ds --image=redis:5-alpine $out
# then edit the output: change "kind" to DaemonSet and delete the "replicas" field
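If you want to script those edits, here is a minimal sketch (it assumes the default layout of kubectl create output and reuses the $out variable above; the sed expressions and the redis-ds.yml filename are illustrative):
kubectl create deploy redis-ds --image=redis:5-alpine $out \
  | sed -e 's/kind: Deployment/kind: DaemonSet/' \
        -e '/replicas: 1/d' \
        -e '/strategy: {}/d' \
  > redis-ds.yml
# "strategy: {}" must also go, since DaemonSet uses updateStrategy instead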
3. Using a DaemonSet
Execute kubectl apply to send the YAML to Kubernetes and have it create the DaemonSet object, then use kubectl get to view the object's status:
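A minimal command sequence, assuming the boilerplate above was saved as redis-ds.yml (the filename is illustrative):
kubectl apply -f redis-ds.yml
kubectl get ds redis-ds        # check the desired/ready Pod counts
kubectl get pod -o wide        # see which node each Pod landed on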
Although we did not specify how many Pods the DaemonSet should run, it finds the nodes in the cluster on its own and creates Pods on them. Because this cluster has one Master and one Worker, and the Master does not run application Pods by default, the DaemonSet generates only one Pod, which runs on the Worker node.
According to the original intent of DaemonSet, a Pod instance should be running on every node, yet the Master node is excluded, which does not match our expectation.
Obviously, the DaemonSet has not fulfilled its "watchdog" duty here; its design conflicts with the working mechanism of the Kubernetes cluster. Is there a way to solve this?
Of course, Kubernetes thought of this long ago. To handle Pod "scheduling" and "eviction" on particular nodes, it defines two new concepts: taint and toleration.
4. Taints and Tolerations
"Taint" and "toleration" are two important concepts related to DaemonSet. They belong to the Node and the Pod respectively, and together they determine the Pod scheduling strategy.
- A "taint" is an attribute of a Kubernetes node. Its function is also to "label" the node, but to avoid confusion with the existing labels field it was named taint instead.
- The counterpart of "taint" is the Pod's "toleration", which, as the name suggests, expresses whether the Pod can "tolerate" a taint.
The two are easier to understand together. The cluster contains all kinds of nodes: some are "spotless", with no taints at all, while others have picked up "taints" for various reasons. Pods likewise have different temperaments: some are fastidious, cannot tolerate any taint, and will only choose "clean" nodes, while others are less demanding and can appropriately tolerate a few minor taints.
When Kubernetes creates a cluster, it automatically adds taints to Nodes to facilitate Pod scheduling and deployment. You can use kubectl describe node to view the taints on the Master and Worker nodes:
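For example (the node names master and worker are illustrative; substitute your own, such as pylot used below):
kubectl describe node master | grep Taints   # node-role.kubernetes.io/master:NoSchedule
kubectl describe node worker | grep Taints   # <none>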
You can see that the Master node has one taint by default, named node-role.kubernetes.io/master, with the effect NoSchedule. That is, this taint refuses Pods from being scheduled to run on the node, while the Worker node's taint field is empty.
This is exactly where Master and Worker differ in Pod scheduling. Generally speaking, a Pod cannot tolerate any taint, so the Master node, which carries the taint attribute, is excluded when Pods are scheduled.
So how do we make the DaemonSet run on the Master node (or any other tainted node)? There are two ways.
4.1 Remove the taint on the Master node
The first method is to remove the Master node's taint, making the Master as "spotless" as the Worker; the DaemonSet then naturally no longer needs to distinguish Master from Worker.
Operating on a Node's taint attribute requires the kubectl taint command, followed by the node name, the taint name, and the taint's effect; appending a trailing - removes the taint.
For example, to remove the NoSchedule taint from the Master node, use this command:
$ kubectl taint node pylot node-role.kubernetes.io/master:NoSchedule-
Because the DaemonSet constantly monitors the state of the cluster's nodes, as soon as the command executes and the Master node no longer has the taint, it notices the change and immediately creates a "watchdog" Pod on the Master node. You can use kubectl get to observe this change:
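For example (the label selector matches the name: redis-ds label from the boilerplate above):
kubectl get pod -l name=redis-ds -o wide   # a redis-ds Pod should now appear on each node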
However, this method modifies the state of the Node itself and has a fairly broad impact: it may cause many other Pods to be scheduled onto this node. So instead we can keep the Node's taint and add a "toleration" only to the Pods that need it, letting just those Pods run on particular nodes to achieve "fine-grained" scheduling.
4.2 Add a toleration to the Pod
Adding a tolerations field to a Pod makes it "tolerant" of certain taints, so that it can run on any node carrying them.
tolerations is an array that can list multiple tolerated taints, and each entry must spell out the taint's name and effect. What deserves particular attention is the operator field, which specifies how to match the taint; we generally use Exists, meaning the node has a taint with this name and effect.
If we want the Pods in the DaemonSet to be able to run on the Master node, we write a tolerations entry like this, tolerating the node-role.kubernetes.io/master:NoSchedule taint:
tolerations:
- key: node-role.kubernetes.io/master
  effect: NoSchedule
  operator: Exists
The complete YAML file is as follows:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app: mq-ds
  name: mq-ds
spec:
  selector:
    matchLabels:
      app: mq-ds
  template:
    metadata:
      labels:
        app: mq-ds
    spec:
      containers:
      - image: rabbitmq:latest
        name: rabbitmq
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
        operator: Exists
Now we first use the kubectl taint command to add the taint back to the Master node:
kubectl taint node pylot node-role.kubernetes.io/master:NoSchedule
Then delete the old DaemonSet and redeploy the one with the toleration:
You will see that the DaemonSet now has two Pods, running on the Master and Worker nodes respectively, achieving the same effect as the first method.
It should be specially noted that "toleration" is not a concept unique to DaemonSet; it belongs to the Pod. So once you understand taints and tolerations, you can also add tolerations to the Pods managed by Job/CronJob and Deployment, for more precise and flexible application scheduling.
As for other taints and taint effects, I won't go into detail here; the official Kubernetes documentation ( https://kubernetes.io/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/ ) lists them very clearly.
5. Static Pods
DaemonSet is the most common way to run node-specific Pods in Kubernetes, but it is not the only way: Kubernetes also supports another application deployment method called the "static Pod".
The "static Pod" is very special: it is not controlled by the Kubernetes system and has no relationship with the apiserver or the scheduler, which is why it is called "static".
But since it is still a Pod, it must "run" on the container runtime, it is still described by a YAML file, and the only Kubernetes component that can manage it is kubelet.
The YAML files of static Pods are stored by default in the node's /etc/kubernetes/manifests directory, which is a directory dedicated to Kubernetes.
Here is what that directory looks like on the Master node:
$ sudo ls -l /etc/kubernetes/manifests
total 16
-rw------- 1 root root 2242 Feb  3 09:03 etcd.yaml
-rw------- 1 root root 4038 Feb  3 09:03 kube-apiserver.yaml
-rw------- 1 root root 3543 Feb  3 09:03 kube-controller-manager.yaml
-rw------- 1 root root 1464 Feb  3 09:03 kube-scheduler.yaml
You can see that the four core Kubernetes components, apiserver, etcd, scheduler, and controller-manager, all exist as static Pods, which is why they can start before the cluster itself does.
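You can also see these static Pods with kubectl: kubelet registers each one as a mirror Pod whose name gets the node name appended (the node name pylot follows the earlier examples):
kubectl get pod -n kube-system   # e.g. kube-apiserver-pylot, etcd-pylot, ...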
If you have special needs that a DaemonSet cannot meet, you can consider using a static Pod: write a YAML file and put it in this directory. The node's kubelet periodically checks the files in the directory, and when it finds changes it calls the container runtime to create or delete the static Pods.
A static Pod can achieve the same effect as a DaemonSet, but it is not controlled by Kubernetes and must be deployed manually on each node, so it should be used with caution.
The network plugin Flannel is a DaemonSet; it lives in the kube-system namespace and can be seen with kubectl get ds -n kube-system.
Another concept related to taints and tolerations is "node affinity", which expresses a preference for which nodes to choose, though its usage is a bit more complicated.
In Kubernetes v1.24, the master node no longer uses the taint node-role.kubernetes.io/master but node-role.kubernetes.io/control-plane instead.
6. Questions
- If a taint is added to a node, will the Pods already running on it that cannot tolerate the taint automatically move to another node?
Answer: Pods that have already been scheduled and are running on the node do not care about the taint, because a NoSchedule taint only takes effect at scheduling time (a NoExecute taint, by contrast, does evict running Pods). You can also try it yourself.
Test conclusion: when the master node's taint is removed, Pods are scheduled onto the master; when the taint is added back, the existing Pods do not leave, but after deleting them manually no new ones are created there.
Where the toleration configuration is located:
kubectl explain ds.spec.template.spec.tolerations
- Why is the toleration a field of the Pod, and not of the DaemonSet?
Answer: Because the unit of scheduling in Kubernetes is the Pod; a DaemonSet merely manages Pods.