Kubernetes: session affinity, running containers in privileged (root) mode, and multi-port Services (one Service exposing two ports)

Session affinity
How is a session kept on the same pod inside a Service? It is configured in the Service's YAML.

Add the following under spec in the Service's YAML:

sessionAffinity: ClientIP
sessionAffinityConfig:
  clientIP:
    timeoutSeconds: 10800

This turns session affinity on. timeoutSeconds is how long the affinity is kept; the default is 10800 seconds, which is three hours.

So what is the principle? Without session affinity, the Service forwards requests to the backend pods in turn. With ClientIP affinity, k8s forwards a request from a given client IP to the pod that client was sent to before, so the session stays on one pod.
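To make the forwarding rule above concrete, here is a toy model of a Service proxy with and without ClientIP affinity. It is an added example, not code from the original post and not kube-proxy's real implementation: a simplified simulation in which the pod names, client IPs and timestamps are constructed, and the affinity timeout counts from the client's last request.

```python
"""Added example (not from the original post): a toy model of the
forwarding behaviour described above. It is a simplified simulation,
not kube-proxy's real implementation, and the pod names, client IPs
and timestamps are constructed."""
import itertools
from typing import Dict, List, Optional, Tuple

# Constructed backends standing in for the pods behind a Service.
PODS = ["pod-a", "pod-b", "pod-c"]

# Constructed traffic: (client IP, request time in seconds).
REQUESTS = [
    ("10.0.0.1", 0),
    ("10.0.0.2", 1),
    ("10.0.0.1", 2),
    ("10.0.0.1", 10_000),
    ("10.0.0.1", 20_000),   # still within 10800 s of the previous request
    ("10.0.0.1", 40_000),   # idle for 20000 s: the affinity entry has expired
]


class ServiceProxy:
    """Picks a backend pod for each request, optionally with ClientIP affinity."""

    def __init__(self, pods: List[str], affinity: Optional[str] = None,
                 timeout_seconds: int = 10800) -> None:
        self.pods = list(pods)
        self.affinity = affinity              # None (default) or "ClientIP"
        self.timeout = timeout_seconds        # sessionAffinityConfig.clientIP.timeoutSeconds
        self._round_robin = itertools.cycle(self.pods)
        self._table: Dict[str, Tuple[str, float]] = {}   # client IP -> (pod, last seen)

    def route(self, client_ip: str, now: float) -> str:
        if self.affinity == "ClientIP":
            entry = self._table.get(client_ip)
            if entry is not None:
                pod, last_seen = entry
                # Reuse the previous pod only if the client has been seen within the
                # timeout (in this model the timeout counts from the last request)
                # and the pod still exists; otherwise fall back to a fresh choice.
                if now - last_seen <= self.timeout and pod in self.pods:
                    self._table[client_ip] = (pod, now)
                    return pod
        # No affinity (or no usable entry): hand out the backends in turn.
        pod = next(self._round_robin)
        if self.affinity == "ClientIP":
            self._table[client_ip] = (pod, now)
        return pod


def simulate(affinity: Optional[str], requests=REQUESTS) -> List[str]:
    """Run the constructed traffic through a fresh proxy; return the pod chosen per request."""
    proxy = ServiceProxy(PODS, affinity=affinity, timeout_seconds=10800)
    return [proxy.route(ip, t) for ip, t in requests]


if __name__ == "__main__":
    for mode in (None, "ClientIP"):
        print(f"sessionAffinity={mode or 'None'}:")
        for (ip, t), pod in zip(REQUESTS, simulate(mode)):
            print(f"  t={t:>6}s  {ip} -> {pod}")
```

Running it shows the difference: without affinity the six requests rotate through pod-a, pod-b, pod-c; with ClientIP, 10.0.0.1 keeps landing on pod-a until it has been idle longer than timeoutSeconds, after which it is assigned afresh.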

Running a container with root privileges
You may find this odd: when you enter the container you clearly see the root user, so why set root privileges for the container? Because although the container appears to run as root, it does not have all of root's capabilities. When you need to modify system files, it is not allowed. If your application really has to modify system files, you need to know how to give the container root (privileged) access. Bear in mind that privileged: true gives the container the same access to the host's kernel and devices as a process on the node itself, so it should be granted only to workloads that genuinely need it.

To run the container in privileged mode, do the following:

1. Start kube-apiserver and kubelet with

--allow-privileged=true

This allows privileged containers on that node. (On current Kubernetes releases this flag has been removed and the kubelet always permits privileged containers; whether a workload may request them is then decided by admission control, such as Pod Security admission.)

To check whether it is currently set to true:

ps -ef | grep kube

Look carefully at the output and you will see that it is not set to true.

So how do you set the parameter above?

Because kube-apiserver and kubelet are binaries that are run directly, just add the parameter above to their command line and restart them. More simply, if they are started by systemd, find the corresponding .service file under /etc/systemd/system/, change the parameters there, and restart with systemctl restart (after systemctl daemon-reload so that systemd picks up the edited unit).

2. In the YAML file that contains the containers (e.g. the Deployment's YAML), add under containers:

securityContext:
  privileged: true

For example, a Pod YAML file:

apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
    - name: hello-world-container
      # The container definition
      # ...
      securityContext:
        privileged: true

This is easy to understand, but remember to distinguish it from the pod-level securityContext (PodSecurityContext). The PodSecurityContext is a property of pod.spec; although it is also written securityContext, its attributes are different from those of the securityContext inside a container. An example of PodSecurityContext follows:

apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
  # specification of the pod’s containers
  # ...
  securityContext:
    fsGroup: 1234
    supplementalGroups: [5678]
    seLinuxOptions:
      level: "s0:c123,c456"
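The difference between the two securityContext levels matters when auditing a cluster for privileged containers. The script below is an added example, not from the original post: it reads a pod list in the JSON shape that `kubectl get pods -A -o json` produces, reports every container (init, app or ephemeral) that sets privileged: true, and merges the pod-level and container-level contexts for one container so the two levels can be compared. The pod list, pod names, namespaces and image names are constructed, not captured from a real cluster.

```python
"""Added example (not from the original post): audit a pod list for
containers that request privileged: true, and show which security fields
come from the pod-level securityContext (PodSecurityContext under
pod.spec) versus the container-level securityContext. Input has the
shape of `kubectl get pods -A -o json`; the sample is constructed."""
import json
from typing import Dict, List, Tuple

SAMPLE_POD_LIST = json.loads(r"""
{"kind": "PodList", "items": [
  {"metadata": {"name": "hello-world", "namespace": "default"},
   "spec": {
     "securityContext": {"runAsUser": 1000, "fsGroup": 1234,
                         "supplementalGroups": [5678],
                         "seLinuxOptions": {"level": "s0:c123,c456"}},
     "containers": [
       {"name": "hello-world-container", "image": "example/hello:1.0",
        "securityContext": {"privileged": true, "runAsUser": 0}},
       {"name": "sidecar", "image": "example/sidecar:1.0"}]}},
  {"metadata": {"name": "web", "namespace": "apps"},
   "spec": {
     "initContainers": [
       {"name": "setup", "image": "example/setup:2.1",
        "securityContext": {"privileged": true}}],
     "containers": [
       {"name": "web", "image": "example/web:2.1",
        "securityContext": {"runAsNonRoot": true, "allowPrivilegeEscalation": false}}]}}
]}
""")

# Fields that exist at both levels; the container-level value wins when both are set.
SHARED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot", "seLinuxOptions", "seccompProfile")
# Fields that only the container-level securityContext can carry (privileged is one of them).
CONTAINER_ONLY_FIELDS = ("privileged", "capabilities", "allowPrivilegeEscalation",
                         "readOnlyRootFilesystem")
CONTAINER_KINDS = ("initContainers", "containers", "ephemeralContainers")


def find_privileged(pod_list: Dict) -> List[Tuple[str, str, str]]:
    """(namespace, pod, container) for every container that sets privileged: true.
    Init and ephemeral containers are included: a privileged init container has
    the same host access as a privileged app container while it runs."""
    hits = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        for kind in CONTAINER_KINDS:
            for c in spec.get(kind, []):
                if (c.get("securityContext") or {}).get("privileged") is True:
                    hits.append((meta.get("namespace", "default"), meta.get("name"), c.get("name")))
    return hits


def effective_context(pod: Dict, container_name: str) -> Dict:
    """Merge the pod-level and container-level securityContext for one container:
    shared fields fall back to the pod level, container-only fields come from the
    container. Pod-only fields (fsGroup, supplementalGroups, sysctls) apply to the
    pod as a whole, not to one container, so they are left out here."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    for kind in CONTAINER_KINDS:
        for c in spec.get(kind, []):
            if c.get("name") != container_name:
                continue
            c_sc = c.get("securityContext") or {}
            effective = {}
            for field in SHARED_FIELDS:
                if field in c_sc:
                    effective[field] = c_sc[field]
                elif field in pod_sc:
                    effective[field] = pod_sc[field]
            for field in CONTAINER_ONLY_FIELDS:
                if field in c_sc:
                    effective[field] = c_sc[field]
            return effective
    raise KeyError(f"no container named {container_name!r} in pod")


if __name__ == "__main__":
    for ns, pod, container in find_privileged(SAMPLE_POD_LIST):
        print(f"PRIVILEGED  {ns}/{pod}  container={container}")
    hello = SAMPLE_POD_LIST["items"][0]
    for name in ("hello-world-container", "sidecar"):
        print(name, effective_context(hello, name))
```

In the sample, hello-world-container inherits seLinuxOptions from the pod but overrides runAsUser with its own value and adds privileged, which only the container level can set; the sidecar, with no securityContext of its own, simply inherits the pod-level fields.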

Multi-port containers
If the app needs to expose two ports, how is it done?
There are two ways:
- the first is to create two Services, each exposing one port
- the second is to expose both ports from the same Service

Both ways are analyzed below.

Two Services
Since one Service can obviously do the job, why use two? I think it is for clarity: one Service is responsible for one function.

For example, an app listens on ports 9200 and 9300 at the same time: 9200 provides the web service and 9300 provides the API. Then with two Services, named app-http and app-api, ports 9200 and 9300 are exposed as NodePort and ClusterIP respectively, which is much clearer.

Two ports on one Service
Normally, when we have only one port, the Service's YAML file has:

ports:
  - nodePort: 8482
    port: 8080
    protocol: TCP
    targetPort: 8080

If you want to open two ports, copy-and-paste alone will not work: k8s will tell you that a name has to be added. So to open more than one port, specify a name for each port, for example:

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app: MyApp
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 9376
    - name: https
      protocol: TCP
      port: 443
      targetPort: 9377
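The "you have to add a name" error comes from the Service API's validation of spec.ports. The validator below is an added example, not from the original post or from Kubernetes itself: it reimplements the rules that matter here (names are required once there is more than one port, names must be unique, port/protocol pairs and nodePorts must not repeat) and runs them on two constructed Service specs, the single-port snippet above pasted twice without names and the same two ports with names.

```python
"""Added example (not from the original post): the port-list checks behind
the "you have to add a name" error, written as a small validator with the
rules the Service API enforces. The Service specs are constructed."""
from typing import Dict, List

# The single-port snippet from above, pasted a second time without names.
PASTED_TWICE = {"kind": "Service", "spec": {"ports": [
    {"nodePort": 8482, "port": 8080, "protocol": "TCP", "targetPort": 8080},
    {"nodePort": 8483, "port": 8081, "protocol": "TCP", "targetPort": 8081},
]}}

# The same two ports with a name on each, which is what k8s accepts.
NAMED_PORTS = {"kind": "Service", "spec": {"ports": [
    {"name": "web", "nodePort": 8482, "port": 8080, "protocol": "TCP", "targetPort": 8080},
    {"name": "api", "nodePort": 8483, "port": 8081, "protocol": "TCP", "targetPort": 8081},
]}}


def validate_service_ports(service: Dict) -> List[str]:
    """Return the validation errors for spec.ports; an empty list means it is acceptable."""
    ports = service.get("spec", {}).get("ports") or []
    errors: List[str] = []
    if not ports:
        return ["spec.ports: at least one port is required"]
    names, port_protos, node_ports = set(), set(), set()
    for i, p in enumerate(ports):
        path = f"spec.ports[{i}]"
        name = p.get("name")
        # A name is optional for a single port but mandatory as soon as there are two.
        if len(ports) > 1 and not name:
            errors.append(f"{path}.name: required when more than one port is defined")
        elif name in names:
            errors.append(f"{path}.name: duplicate name {name!r}")
        if name:
            names.add(name)
        port = p.get("port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            errors.append(f"{path}.port: must be an integer between 1 and 65535")
        proto = p.get("protocol", "TCP")
        if proto not in ("TCP", "UDP", "SCTP"):
            errors.append(f"{path}.protocol: unsupported protocol {proto!r}")
        if (port, proto) in port_protos:
            errors.append(f"{path}: duplicate port {port}/{proto}")
        port_protos.add((port, proto))
        node_port = p.get("nodePort")
        if node_port is not None:
            if node_port in node_ports:
                errors.append(f"{path}.nodePort: duplicate nodePort {node_port}")
            node_ports.add(node_port)
    return errors


if __name__ == "__main__":
    for label, svc in (("pasted twice", PASTED_TWICE), ("named ports", NAMED_PORTS)):
        problems = validate_service_ports(svc)
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  " + problem)
```

The pasted copy fails on both entries because neither has a name, while the named version passes; the same function also catches a reused name or a reused port/protocol pair, which the API server rejects for the same reason.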


Reference: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
Reposted from: https://blog.csdn.net/bingzhilingyi/article/details/79862791


Source: www.cnblogs.com/linyouyi/p/11706527.html