kubernetes-notes
  • 目录
    • 序言
  • 云原生体系
    • 12-Factor
    • K8S知识体系
  • 安装与配置
    • 部署k8s集群
      • 使用kubeadm安装生产环境kubernetes
      • 使用kubespray安装kubernetes
      • 使用minikube安装kubernetes
      • 使用kind安装kubernetes
    • k8s证书及秘钥
    • k8s版本说明
  • 基本概念
    • kubernetes架构
      • Kubernetes总架构图
      • 基于Docker及Kubernetes技术构建容器云(PaaS)平台概述
    • kubernetes对象
      • 理解kubernetes对象
      • kubernetes常用对象说明
    • Pod
      • Pod介绍
      • Pod定义文件
      • Pod生命周期
      • Pod健康检查
      • Pod存储卷
      • Pod控制器
      • Pod伸缩与升级
    • 配置
      • ConfigMap
    • Workload
  • 核心原理
    • 核心组件
      • Api Server
      • Controller Manager
      • Scheduler
      • Kubelet
    • 流程图
      • Pod创建流程
      • PVC创建流程
  • 容器网络
    • Docker网络
    • K8S网络
    • 网络插件
      • Flannel介绍
    • CNI
      • CNI接口介绍
      • Macvlan介绍
  • 容器存储
    • 存储卷概念
      • Volume
      • Persistent Volume
      • Persistent Volume Claim
      • Storage Class
      • Dynamic Volume Provisioning
    • CSI
      • csi-cephfs-plugin
      • 部署csi-cephfs
      • 部署cephfs-provisioner
      • FlexVolume介绍
  • 资源隔离
    • 资源配额
    • Pod限额
    • 资源服务质量
    • Lxcfs资源视图隔离
  • 运维指南
    • kubectl工具
      • kubectl安装与配置
      • kubectl命令说明
      • kubectl命令别名
    • kubernetes集群问题排查
    • 节点调度
      • 安全迁移节点
      • 指定Node调度与隔离
    • 镜像仓库配置
      • 配置私有的镜像仓库
      • 拉取私有镜像
  • 开发指南
    • client-go的使用及源码分析
    • CSI插件开发
      • nfs-client-provisioner源码分析
      • csi-provisioner源码分析
    • operator开发
      • kubebuilder的使用
  • 问题排查
    • 节点相关问题
      • keycreate permission denied
      • Cgroup不支持pid资源
      • Cgroup子系统无法挂载
    • Pod驱逐
    • 镜像拉取失败问题
    • PVC Terminating
  • 源码分析
    • Kubernetes源码分析笔记
    • kubelet
      • NewKubeletCommand
      • NewMainKubelet
      • startKubelet
      • syncLoopIteration
      • syncPod
    • kube-controller-manager
      • NewControllerManagerCommand
      • DeploymentController
      • Informer机制
    • kube-scheduler
      • NewSchedulerCommand
      • registerAlgorithmProvider
      • scheduleOne
      • findNodesThatFit
      • PrioritizeNodes
      • preempt
    • kube-apiserver
      • NewAPIServerCommand
  • Runtime
    • Runtime
      • Runc和Containerd概述
    • Containerd
      • 安装Containerd
    • Docker
      • Docker学习笔记
    • Kata Container
      • kata容器简介
      • kata配置
    • GPU
      • nvidia-device-plugin介绍
  • Etcd
    • Etcd介绍
    • Raft算法
    • Etcd启动配置参数
    • Etcd访问控制
    • etcdctl命令工具
      • etcdctl命令工具-V3
      • etcdctl命令工具-V2
    • Etcd中的k8s数据
    • Etcd-Operator的使用
  • 多集群管理
    • k8s多集群管理的思考
    • Virtual Kubelet
      • Virtual Kubelet介绍
      • Virtual Kubelet 命令
    • Karmada
      • Karmada介绍
  • 边缘容器
    • KubeEdge介绍
    • KubeEdge源码分析
      • cloudcore
      • edgecore
    • OpenYurt部署
  • 虚拟化
    • 虚拟化相关概念
    • KubeVirt
      • KubeVirt的介绍
      • KubeVirt的使用
  • 监控体系
    • 监控体系介绍
    • cAdvisor介绍
    • Heapster介绍
    • Influxdb介绍
由 GitBook 提供支持

www.huweihuang.com

在本页
  • 1. 读取数据key
  • 2. 集群数据
  • 2.1. node
  • 3. k8s对象数据
  • 3.1. namespace
  • 3.2. namespace级别对象
  • 4. 读取数据value
  • 5. 注意事项
  • 6. 快捷命令
  • 6.1. etcdhelper的使用
  • 7. RBAC

这有帮助吗?

在GitHub上编辑
  1. Etcd

Etcd中的k8s数据

1. 读取数据key

使用以下命令列出所有的key。

ETCDCTL_API=3 etcdctl --endpoints=<etcd-ip-1>:2379,<etcd-ip-2>:2379,<etcd-ip-3>:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt  --key=/etc/kubernetes/pki/apiserver-etcd-client.key  --cert=/etc/kubernetes/pki/apiserver-etcd-client.crt get / --prefix --keys-only

参数说明:

  --cacert=""				verify certificates of TLS-enabled secure servers using this CA bundle
  --cert=""					identify secure client using this TLS certificate file
  --key=""					identify secure client using this TLS key file
  --endpoints=[127.0.0.1:2379]		gRPC endpoints

可以使用alias来重命名etcdctl一串的命令

alias ectl='ETCDCTL_API=3 etcdctl --endpoints=<etcd-ip-1>:2379,<etcd-ip-2>:2379,<etcd-ip-3>:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt  --key=/etc/kubernetes/pki/apiserver-etcd-client.key  --cert=/etc/kubernetes/pki/apiserver-etcd-client.crt'

2. 集群数据

2.1. node

/registry/minions/<node-ip-1>
/registry/minions/<node-ip-2>
/registry/minions/<node-ip-3>

其他信息:

/registry/leases/kube-node-lease/<node-ip-1>
/registry/leases/kube-node-lease/<node-ip-2>
/registry/leases/kube-node-lease/<node-ip-3>

/registry/masterleases/<node-ip-2>
/registry/masterleases/<node-ip-3>

3. k8s对象数据

k8s对象数据的格式

3.1. namespace

/registry/namespaces/default
/registry/namespaces/game
/registry/namespaces/kube-node-lease
/registry/namespaces/kube-public
/registry/namespaces/kube-system

3.2. namespace级别对象

/registry/{resource}/{namespace}/{resource_name}

以下以常见k8s对象为例:

# deployment
/registry/deployments/default/game-2048
/registry/deployments/kube-system/prometheus-operator

# replicasets
/registry/replicasets/default/game-2048-c7d589ccf

# pod
/registry/pods/default/game-2048-c7d589ccf-8lsbw

# statefulsets
/registry/statefulsets/kube-system/prometheus-k8s

# daemonsets
/registry/daemonsets/kube-system/kube-proxy

# secrets
/registry/secrets/default/default-token-tbfmb

# serviceaccounts
/registry/serviceaccounts/default/default

service

# service
/registry/services/specs/default/game-2048

# endpoints
/registry/services/endpoints/default/game-2048

4. 读取数据value

由于k8s默认etcd中的数据是通过protobuf格式存储,因此看到的key和value的值是一串字符串。

alias ectl='ETCDCTL_API=3 etcdctl --endpoints=:2379,:2379,:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --key=/etc/kubernetes/pki/apiserver-etcd-client.key --cert=/etc/kubernetes/pki/apiserver-etcd-client.crt'

# ectl get /registry/namespaces/test -w json |jq
{
  "header": {
    "cluster_id": 12113422651334595000,
    "member_id": 8381627376898157000,
    "revision": 12321629,
    "raft_term": 20
  },
  "kvs": [
    {
      "key": "L3JlZ2lzdHJ5L25hbWVzcGFjZXMvdGVzdA==",
      "create_revision": 11670741,
      "mod_revision": 11670741,
      "version": 1,
      "value": "azhzAAoPCgJ2MRIJTmFtZXNwYWNlElwKQgoEdGVzdBIAGgAiACokYWM1YmJjOTQtNTkxZi0xMWVhLWJiOTQtNmM5MmJmM2I3NmI1MgA4AEIICJuf3fIFEAB6ABIMCgprdWJlcm5ldGVzGggKBkFjdGl2ZRoAIgA="
    }
  ],
  "count": 1
}

其中key可以通过base64解码出来

echo "L3JlZ2lzdHJ5L25hbWVzcGFjZXMvdGVzdA==" | base64 --decode

# output
/registry/namespaces/test

alias ehelper='etcdhelper -key /etc/kubernetes/pki/apiserver-etcd-client.key -cert /etc/kubernetes/pki/apiserver-etcd-client.crt -cacert /etc/kubernetes/pki/etcd/ca.crt'

# ehelper get /registry/namespaces/test
/v1, Kind=Namespace
{
  "kind": "Namespace",
  "apiVersion": "v1",
  "metadata": {
    "name": "test",
    "uid": "ac5bbc94-591f-11ea-bb94-6c92bf3b76b5",
    "creationTimestamp": "2020-02-27T05:11:55Z"
  },
  "spec": {
    "finalizers": [
      "kubernetes"
    ]
  },
  "status": {
    "phase": "Active"
  }
}

5. 注意事项

  • 由于k8s的etcd数据为了性能考虑,默认通过protobuf格式存储,不要通过手动的方式去修改或添加k8s数据。

  • 不推荐使用json格式存储etcd数据,如果需要json格式,可以使用--storage-media-type=application/json参数存储,参考:https://github.com/kubernetes/kubernetes/issues/44670

6. 快捷命令

由于etcdctl的命令需要添加很多认证参数和endpoints的参数,因此可以使用别名的方式来简化命令。

# etcdctl 
alias ectl='ETCDCTL_API=3 etcdctl --endpoints=<etcd-ip-1>:2379,<etcd-ip-2>:2379,<etcd-ip-3>:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt  --key=/etc/kubernetes/pki/apiserver-etcd-client.key  --cert=/etc/kubernetes/pki/apiserver-etcd-client.crt'

# etcdhelper
alias ehelper='etcdhelper -key /etc/kubernetes/pki/apiserver-etcd-client.key -cert /etc/kubernetes/pki/apiserver-etcd-client.crt -cacert /etc/kubernetes/pki/etcd/ca.crt'

6.1. etcdhelper的使用

etcdhelper文档参考:https://github.com/openshift/origin/tree/master/tools/etcdhelper

# 必要的认证参数
-key - points to master.etcd-client.key
-cert - points to master.etcd-client.crt
-cacert - points to ca.crt

# 命令操作参数
ls - list all keys starting with prefix
get - get the specific value of a key
dump - dump the entire contents of the etcd

示例

$ ehelper ls /registry/leases/
/registry/leases/kube-node-lease/<ip-1>
/registry/leases/kube-node-lease/<ip-2>
/registry/leases/kube-node-lease/<ip-3>

$ ehelper get <key>

7. RBAC

附RBAC相关的key。

clusterrolebindings

/registry/clusterrolebindings/cluster-admin
/registry/clusterrolebindings/flannel
/registry/clusterrolebindings/galaxy
/registry/clusterrolebindings/helm
/registry/clusterrolebindings/kube-state-metrics
/registry/clusterrolebindings/kubeadm:kubelet-bootstrap
/registry/clusterrolebindings/kubeadm:node-autoapprove-bootstrap
/registry/clusterrolebindings/kubeadm:node-autoapprove-certificate-rotation
/registry/clusterrolebindings/kubeadm:node-proxier
/registry/clusterrolebindings/lbcf-controller
/registry/clusterrolebindings/prometheus-k8s
/registry/clusterrolebindings/prometheus-operator
/registry/clusterrolebindings/system:aws-cloud-provider
/registry/clusterrolebindings/system:basic-user
/registry/clusterrolebindings/system:controller:attachdetach-controller
/registry/clusterrolebindings/system:controller:certificate-controller
/registry/clusterrolebindings/system:controller:clusterrole-aggregation-controller
/registry/clusterrolebindings/system:controller:cronjob-controller
/registry/clusterrolebindings/system:controller:daemon-set-controller
/registry/clusterrolebindings/system:controller:deployment-controller
/registry/clusterrolebindings/system:controller:disruption-controller
/registry/clusterrolebindings/system:controller:endpoint-controller
/registry/clusterrolebindings/system:controller:expand-controller
/registry/clusterrolebindings/system:controller:generic-garbage-collector
/registry/clusterrolebindings/system:controller:horizontal-pod-autoscaler
/registry/clusterrolebindings/system:controller:job-controller
/registry/clusterrolebindings/system:controller:namespace-controller
/registry/clusterrolebindings/system:controller:node-controller
/registry/clusterrolebindings/system:controller:persistent-volume-binder
/registry/clusterrolebindings/system:controller:pod-garbage-collector
/registry/clusterrolebindings/system:controller:pv-protection-controller
/registry/clusterrolebindings/system:controller:pvc-protection-controller
/registry/clusterrolebindings/system:controller:replicaset-controller
/registry/clusterrolebindings/system:controller:replication-controller
/registry/clusterrolebindings/system:controller:resourcequota-controller
/registry/clusterrolebindings/system:controller:route-controller
/registry/clusterrolebindings/system:controller:service-account-controller
/registry/clusterrolebindings/system:controller:service-controller
/registry/clusterrolebindings/system:controller:statefulset-controller
/registry/clusterrolebindings/system:controller:ttl-controller
/registry/clusterrolebindings/system:coredns
/registry/clusterrolebindings/system:discovery
/registry/clusterrolebindings/system:kube-controller-manager
/registry/clusterrolebindings/system:kube-dns
/registry/clusterrolebindings/system:kube-scheduler
/registry/clusterrolebindings/system:node
/registry/clusterrolebindings/system:node-proxier
/registry/clusterrolebindings/system:public-info-viewer
/registry/clusterrolebindings/system:volume-scheduler

clusterroles

/registry/clusterroles/admin
/registry/clusterroles/cluster-admin
/registry/clusterroles/edit
/registry/clusterroles/flannel
/registry/clusterroles/kube-state-metrics
/registry/clusterroles/lbcf-controller
/registry/clusterroles/prometheus-k8s
/registry/clusterroles/prometheus-operator
/registry/clusterroles/system:aggregate-to-admin
/registry/clusterroles/system:aggregate-to-edit
/registry/clusterroles/system:aggregate-to-view
/registry/clusterroles/system:auth-delegator
/registry/clusterroles/system:aws-cloud-provider
/registry/clusterroles/system:basic-user
/registry/clusterroles/system:certificates.k8s.io:certificatesigningrequests:nodeclient
/registry/clusterroles/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
/registry/clusterroles/system:controller:attachdetach-controller
/registry/clusterroles/system:controller:certificate-controller
/registry/clusterroles/system:controller:clusterrole-aggregation-controller
/registry/clusterroles/system:controller:cronjob-controller
/registry/clusterroles/system:controller:daemon-set-controller
/registry/clusterroles/system:controller:deployment-controller
/registry/clusterroles/system:controller:disruption-controller
/registry/clusterroles/system:controller:endpoint-controller
/registry/clusterroles/system:controller:expand-controller
/registry/clusterroles/system:controller:generic-garbage-collector
/registry/clusterroles/system:controller:horizontal-pod-autoscaler
/registry/clusterroles/system:controller:job-controller
/registry/clusterroles/system:controller:namespace-controller
/registry/clusterroles/system:controller:node-controller
/registry/clusterroles/system:controller:persistent-volume-binder
/registry/clusterroles/system:controller:pod-garbage-collector
/registry/clusterroles/system:controller:pv-protection-controller
/registry/clusterroles/system:controller:pvc-protection-controller
/registry/clusterroles/system:controller:replicaset-controller
/registry/clusterroles/system:controller:replication-controller
/registry/clusterroles/system:controller:resourcequota-controller
/registry/clusterroles/system:controller:route-controller
/registry/clusterroles/system:controller:service-account-controller
/registry/clusterroles/system:controller:service-controller
/registry/clusterroles/system:controller:statefulset-controller
/registry/clusterroles/system:controller:ttl-controller
/registry/clusterroles/system:coredns
/registry/clusterroles/system:csi-external-attacher
/registry/clusterroles/system:csi-external-provisioner
/registry/clusterroles/system:discovery
/registry/clusterroles/system:heapster
/registry/clusterroles/system:kube-aggregator
/registry/clusterroles/system:kube-controller-manager
/registry/clusterroles/system:kube-dns
/registry/clusterroles/system:kube-scheduler
/registry/clusterroles/system:kubelet-api-admin
/registry/clusterroles/system:node
/registry/clusterroles/system:node-bootstrapper
/registry/clusterroles/system:node-problem-detector
/registry/clusterroles/system:node-proxier
/registry/clusterroles/system:persistent-volume-provisioner
/registry/clusterroles/system:public-info-viewer
/registry/clusterroles/system:volume-scheduler
/registry/clusterroles/view

rolebindings

/registry/rolebindings/kube-public/kubeadm:bootstrap-signer-clusterinfo
/registry/rolebindings/kube-public/system:controller:bootstrap-signer
/registry/rolebindings/kube-system/kube-proxy
/registry/rolebindings/kube-system/kube-state-metrics
/registry/rolebindings/kube-system/kubeadm:kubeadm-certs
/registry/rolebindings/kube-system/kubeadm:kubelet-config-1.14
/registry/rolebindings/kube-system/kubeadm:nodes-kubeadm-config
/registry/rolebindings/kube-system/system::extension-apiserver-authentication-reader
/registry/rolebindings/kube-system/system::leader-locking-kube-controller-manager
/registry/rolebindings/kube-system/system::leader-locking-kube-scheduler
/registry/rolebindings/kube-system/system:controller:bootstrap-signer
/registry/rolebindings/kube-system/system:controller:cloud-provider
/registry/rolebindings/kube-system/system:controller:token-cleaner

roles

/registry/roles/kube-public/kubeadm:bootstrap-signer-clusterinfo
/registry/roles/kube-public/system:controller:bootstrap-signer
/registry/roles/kube-system/extension-apiserver-authentication-reader
/registry/roles/kube-system/kube-proxy
/registry/roles/kube-system/kube-state-metrics-resizer
/registry/roles/kube-system/kubeadm:kubeadm-certs
/registry/roles/kube-system/kubeadm:kubelet-config-1.14
/registry/roles/kube-system/kubeadm:nodes-kubeadm-config
/registry/roles/kube-system/system::leader-locking-kube-controller-manager
/registry/roles/kube-system/system::leader-locking-kube-scheduler
/registry/roles/kube-system/system:controller:bootstrap-signer
/registry/roles/kube-system/system:controller:cloud-provider
/registry/roles/kube-system/system:controller:token-cleaner

参考:

  • https://github.com/etcd-io/etcd/tree/master/etcdctl

  • https://github.com/openshift/origin/tree/master/tools/etcdhelper

  • https://github.com/kubernetes/kubernetes/issues/44670

上一页etcdctl命令工具-V2下一页Etcd-Operator的使用

最后更新于2年前

这有帮助吗?

value是值可以通过安装工具解析出来。

etcdhelper
using-etcdctl-to-access-kubernetes-data
如何读取Kubernetes存储在etcd上的数据