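Inject Sidecar containers into Pods on virtual nodes
OpenKruise SidecarSet uses the admission webhook mechanism to inject Sidecar containers, at Pod creation time, into every Pod that matches the target labels. At that stage the Pod has not yet been scheduled to a virtual node, so a SidecarSet on its own cannot be limited to Pods that are scheduled to virtual nodes. With the virtual node component (ACK Virtual Node) you can have Sidecar containers injected automatically only into Pods scheduled to virtual nodes, which decouples the Sidecar containers of those Pods from their business containers.
Feature overview
Basic concepts
Sidecar container: a container added to another Pod as an additional container to extend and enhance the main container without changing the main container itself. For how Sidecar containers are configured in ACS clusters, see Feature description.
SidecarSet: one of the core features of OpenKruise, the cloud-native application automation engine open-sourced by Alibaba Cloud. A SidecarSet automatically injects Sidecar containers into eligible Pods created in the cluster, so that the definition and lifecycle of Sidecar containers (such as monitoring and logging agents) are decoupled from the business containers.
SidecarSet usage notes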
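In a SidecarSet, you can use the label serverless.alibabacloud.com/virtual-node: "true" to match all Pods scheduled to virtual nodes. The label is added once it is determined that the Pod will be scheduled to a virtual node, and ECI elastic instances are preferred by default. You can also configure alibabacloud.com/compute-class: general-purpose to match instances of the ACS Pod type.
The core containers of a DaemonSet often depend on a ConfigMap at run time, for example for configuration parameters. When a DaemonSet core container is injected into a business Pod, the business Pod and the ConfigMap are usually in different namespaces. In that case, the Sidecar container's Volume can reference a ConfigMap in another namespace in the form namespace/name. Cross-namespace access to ConfigMaps and Secrets requires authorization. For details, see SidecarSetResourceBinding.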
Inject Sidecars only into specific types of Pods
By default, the SidecarSet above injects Sidecar containers into all Pods scheduled to virtual nodes. To target only specific Pods on virtual nodes, modify .spec.selector, as in the following example.
apiVersion: apps.kruise.io/v1alpha1
kind: SidecarSet
metadata:
  name: filebeat-sidecarset
spec:
  containers:
  ...
  selector:
    matchLabels:
      serverless.alibabacloud.com/virtual-node: "true"
      alibabacloud.com/compute-class: general-purpose
      app: nginx
Parameter | Description |
serverless.alibabacloud.com/virtual-node | Required. Matches all Pods scheduled to virtual nodes. |
alibabacloud.com/compute-class | Optional. Must be configured if you only want Pods scheduled to ACS-type virtual nodes. For more about compute-class, see ACS Pod instance overview. |
app | Optional. To inject only into a specific application, configure a custom label. |
SidecarSetResourceBinding
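For security reasons, referencing ConfigMaps and Secrets from other namespaces in a Sidecar container's Volume requires explicit authorization through a SidecarSetResourceBinding.
The authorization grants only read-only permissions (Get, List, Watch) on the ConfigMaps and Secrets.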
# Authorize the Pods matched by the filebeat-sidecarset SidecarSet to access the filebeat-config ConfigMap in the kube-system namespace.
apiVersion: sidecarset.alibabacloud.com/v1alpha1
kind: SidecarSetResourceBinding
metadata:
  name: filebeat-sidecarset-resourcebinding
  namespace: kube-system # This SidecarSetResourceBinding can only authorize resources in the kube-system namespace.
spec:
  subjects:
    - kind: SidecarSet
      name: filebeat-sidecarset
  resourceRefs:
    - kind: ConfigMap
      name: filebeat-config
    - kind: Secret
      name: elasticsearch-master-certs
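An added example (not from the original page, and not OpenKruise or ACK code): an offline check that compares the namespace/name volume references in a SidecarSet with what SidecarSetResourceBinding objects grant, reporting references that have no grant and grants that nothing references. The function names and the sample data are assumptions; the field names are the ones used in the manifests on this page.

```python
# Added example: helper names are hypothetical; field names follow this page's manifests.
VOLUME_SOURCES = (("ConfigMap", "configMap", "name"), ("Secret", "secret", "secretName"))

def cross_ns_refs(sidecarset):
    """(kind, namespace, name) for every volume source written as namespace/name."""
    refs = set()
    for vol in sidecarset["spec"].get("volumes", []):
        for kind, source, key in VOLUME_SOURCES:
            target = (vol.get(source) or {}).get(key, "")
            if "/" in target:
                namespace, name = target.split("/", 1)
                refs.add((kind, namespace, name))
    return refs

def granted_refs(sidecarset_name, bindings):
    """(kind, namespace, name) granted to this SidecarSet by the given bindings."""
    grants = set()
    for binding in bindings:
        spec = binding["spec"]
        subjects = spec.get("subjects", [])
        if not any(s.get("kind") == "SidecarSet" and s.get("name") == sidecarset_name
                   for s in subjects):
            continue
        namespace = binding["metadata"]["namespace"]  # a binding covers only its own namespace
        for ref in spec.get("resourceRefs", []):
            grants.add((ref["kind"], namespace, ref["name"]))
    return grants

def audit(sidecarset, bindings):
    """missing: referenced but not granted; unused: granted but never referenced."""
    needed = cross_ns_refs(sidecarset)
    granted = granted_refs(sidecarset["metadata"]["name"], bindings)
    return {"missing": sorted(needed - granted), "unused": sorted(granted - needed)}

# Constructed sample input; "legacy-certs" is a made-up name for a stale grant.
SIDECARSET = {"metadata": {"name": "filebeat-sidecarset"}, "spec": {"volumes": [
    {"name": "certs", "secret": {"secretName": "kube-system/elasticsearch-master-certs"}},
    {"name": "filebeat-config", "configMap": {"name": "kube-system/filebeat-config"}},
    {"name": "varlog", "emptyDir": {}},
]}}
BINDINGS = [{
    "metadata": {"name": "filebeat-sidecarset-resourcebinding", "namespace": "kube-system"},
    "spec": {"subjects": [{"kind": "SidecarSet", "name": "filebeat-sidecarset"}],
             "resourceRefs": [{"kind": "ConfigMap", "name": "filebeat-config"},
                              {"kind": "Secret", "name": "legacy-certs"}]},
}]

if __name__ == "__main__":
    print(audit(SIDECARSET, BINDINGS))
```

An entry under "unused" is a read grant on a ConfigMap or Secret that no volume of the SidecarSet needs and that can be removed from the binding.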
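Container startup and exit order, and Job-type Pods
Sidecar containers commonly have the following two requirements:
The Sidecar container must start before the business container and exit after it.
For Job-type Pods, the Sidecar container must exit on its own after the business container exits.
In ACS scenarios, you can meet these requirements by setting the environment variable __IS_SIDECAR__="true" on the Sidecar container. For details, see Configure the startup and shutdown order of Sidecar containers.
Upgrade Sidecar containers
Once you use the Sidecar pattern, you may have O&M needs such as upgrading the Sidecar containers. You can use the existing Sidecar hot upgrade feature of OpenKruise, which upgrades Sidecar containers seamlessly without affecting Pod availability and is fully compatible with the virtual node approach described here.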
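Prerequisites
An ACK Pro cluster, an ACK dedicated cluster, or an ACK Serverless Pro cluster has been created, and the cluster version is 1.22 or later. For details, see Create an ACK managed cluster, Create an ACK dedicated cluster, or Create an ACK Serverless cluster.
The virtual node component (ACK Virtual Node) is installed, and its version is v2.13.0 or later. For more information, see ACK Virtual Node.
The ack-kruise component is installed, and its version is v1.3.0 or later. For more information, see ack-kruise.
The SidecarSetServerlessPod=true feature gate is enabled. For details, see Customize control plane component parameters, and set SidecarSetServerlessPod=true in featureGates of the Kube API Server component.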
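Example
The following walks through the complete workflow, using the injection of a filebeat container as a Sidecar container into an nginx business Pod as the example.
Deploy the ConfigMap.
Note: This configuration file is a ConfigMap in the kube-system namespace. This example only mounts the file into the Sidecar container and prints its content; the variables in it do not take effect and do not need to be replaced.
Create configmap.yaml with the following content.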
apiVersion: v1
data:
  filebeat.yml: |
    filebeat.inputs:
    - type: log
      paths:
        - /var/log/*
        - /stdout/*
    output.elasticsearch:
      host: '${NODE_NAME}'
      hosts: '["https://${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}"]'
      username: '${ELASTICSEARCH_USERNAME}'
      password: '${ELASTICSEARCH_PASSWORD}'
      protocol: https
      ssl.certificate_authorities: [ "/usr/share/filebeat/certs/ca.crt" ]
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: kube-system
Run the following command to deploy the ConfigMap.
kubectl apply -f configmap.yaml
Deploy the SidecarSet for the filebeat container.
Note: In this example, the filebeat container collects both the file logs and the standard output of the business container.
Create sidecarset.yaml with the following content.
apiVersion: apps.kruise.io/v1alpha1
kind: SidecarSet
metadata:
  name: filebeat-sidecarset
spec:
  containers:
    - args:
        - -e
        - -E
        - http.enabled=true
      env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: ELASTICSEARCH_USERNAME
          value: elastic
        - name: ELASTICSEARCH_PASSWORD
          value: gpU11EevMYaf2EBS
        - name: __IS_SIDECAR__ # Set the environment variable for this container
          value: "true" # Mark this container as a sidecar
      image: docker.elastic.co/beats/filebeat:8.5.1
      imagePullPolicy: IfNotPresent
      name: filebeat
      podInjectPolicy: BeforeAppContainer
      resources:
        limits:
          cpu: "1"
          memory: 200Mi
        requests:
          cpu: 100m
          memory: 100Mi
      shareVolumePolicy:
        type: disabled
      upgradeStrategy:
        upgradeType: ColdUpgrade
      volumeMounts:
        - mountPath: /var/log
          name: varlog
          readOnly: true
        - mountPath: /stdout
          name: stdout-log
          readOnly: true
        - mountPath: /usr/share/filebeat/certs/
          name: elasticsearch-master-certs
        - mountPath: /usr/share/filebeat/filebeat.yml
          name: filebeat-config
          readOnly: true
          subPath: filebeat.yml
  selector:
    matchLabels:
      serverless.alibabacloud.com/virtual-node: "true" # Matches all Pods scheduled to virtual nodes.
  updateStrategy:
    type: NotUpdate
  volumes:
    - name: elasticsearch-master-certs
      secret:
        secretName: kube-system/elasticsearch-master-certs
    - configMap:
        name: kube-system/filebeat-config
      name: filebeat-config
    # Collect file logs
    - emptyDir: {}
      name: varlog
    # Collect standard output
    - name: stdout-log
      emptyDir:
        medium: Stdout
---
apiVersion: v1
data:
  ca.crt: <base64-encoded CA certificate, omitted>
  tls.crt: <base64-encoded certificate, omitted>
  tls.key: <base64-encoded private key, omitted>
kind: Secret
metadata:
  name: elasticsearch-master-certs
  namespace: kube-system
type: kubernetes.io/tls
Run the following command to deploy the SidecarSet.
kubectl apply -f sidecarset.yaml
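Authorize the filebeat container to access the ConfigMap in the kube-system namespace.
Note: Because the business Pod is in the default namespace, the injected filebeat container needs explicit authorization to access the ConfigMap across namespaces.
Create policy.yaml with the following content.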
apiVersion: sidecarset.alibabacloud.com/v1alpha1
kind: SidecarSetResourceBinding
metadata:
  name: filebeat-sidecarset-resourcebinding
  namespace: kube-system # This SidecarSetResourceBinding can only authorize resources in the kube-system namespace.
spec:
  subjects:
    - kind: SidecarSet
      name: filebeat-sidecarset
  resourceRefs:
    - kind: ConfigMap
      name: filebeat-config
    - kind: Secret
      name: elasticsearch-master-certs
Run the following command to deploy the SidecarSetResourceBinding.
kubectl apply -f policy.yaml
Deploy the Nginx business Pod with the following content. For details, see Create a Linux application from an orchestration template.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
        alibabacloud.com/compute-class: general-purpose
        alibabacloud.com/compute-qos: default
    spec:
      containers:
        - name: nginx
          image: mirrors-ssl.aliyuncs.com/nginx:latest
          resources:
            limits:
              cpu: "1"
              memory: 200Mi
            requests:
              cpu: 100m
              memory: 100Mi
          volumeMounts:
            # Share log directory with filebeat sidecar container via volumeMount
            - mountPath: /var/log/nginx
              name: varlog
      volumes:
        - name: varlog
          emptyDir: {}
      nodeSelector:
        type: virtual-kubelet
      tolerations:
        - key: virtual-kubelet.io/provider
          operator: Equal
          value: alibabacloud
          effect: NoSchedule
Run the following command to view the business Pod.
kubectl get pods nginx-785d5xxxxx-xxxxx
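Expected output:
NAME                     READY   STATUS    RESTARTS   AGE
nginx-785d5xxxxx-xxxxx   2/2     Running   0          10m
The Pod contains 2 containers, which shows that the injection succeeded.
Verify that the filebeat container has mounted the business Pod's file logs and standard output logs.
Run the following command to enter the filebeat container.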
kubectl exec -it deploy/nginx -c filebeat -- /bin/bash
View the error log in the container.
cat /var/log/error.log
Expected output:
2024/11/08 07:20:54 [notice] 1#1: using the "epoll" event method
2024/11/08 07:20:54 [notice] 1#1: nginx/1.27.2
2024/11/08 07:20:54 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14)
2024/11/08 07:20:54 [notice] 1#1: OS: Linux 5.10.134-17.2.1.lifsea8.x86_64
2024/11/08 07:20:54 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2024/11/08 07:20:54 [notice] 1#1: start worker processes
2024/11/08 07:20:54 [notice] 1#1: start worker process 29
View the standard output log in the container.
cat /stdout/nginx/0.log
Expected output:
2024-11-08T15:20:53.99215101+08:00 stdout F /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
2024-11-08T15:20:53.992173978+08:00 stdout F /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
2024-11-08T15:20:54.003081339+08:00 stdout F /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
2024-11-08T15:20:54.085010761+08:00 stdout F 10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
2024-11-08T15:20:54.276107913+08:00 stdout F 10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
2024-11-08T15:20:54.276263126+08:00 stdout F /docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
2024-11-08T15:20:54.276842182+08:00 stdout F /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
2024-11-08T15:20:54.345892283+08:00 stdout F /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
2024-11-08T15:20:54.347524813+08:00 stdout F /docker-entrypoint.sh: Configuration complete; ready for start up
Verify that the filebeat container has mounted the cross-namespace configuration file filebeat-config.
kubectl exec deploy/nginx -c filebeat -- cat /usr/share/filebeat/filebeat.yml
Expected output:
filebeat.inputs:
- type: log
  paths:
    - /var/log/*
    - /stdout/*
output.elasticsearch:
  host: '${NODE_NAME}'
  hosts: '["https://${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}"]'
  username: '${ELASTICSEARCH_USERNAME}'
  password: '${ELASTICSEARCH_PASSWORD}'
  protocol: https
  ssl.certificate_authorities: [ "/usr/share/filebeat/certs/ca.crt" ]
This output indicates that the configuration file is mounted correctly.