Kubernetes/K8S Notes

I. Related documentation

1.Kubernetes API

https://kubernetes.io/docs/concepts/overview/kubernetes-api/

https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md

https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api_changes.md

2.Kubernetes backup and restore

https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#backing-up-an-etcd-cluster

https://github.com/etcd-io/website/blob/main/content/en/docs/v3.5/op-guide/recovery.md

https://www.youtube.com/watch?v=qRPNuT080Hk

3.K8S DNS

https://coredns.io/plugins/kubernetes/

https://github.com/kubernetes/dns/blob/master/docs/specification.md

4.K8S Networking

https://kubernetes.io/docs/concepts/cluster-administration/addons/

https://kubernetes.io/docs/concepts/cluster-administration/networking/#how-to-implement-the-kubernetes-networking-model

5.Kubernetes tools

Kubetools – A Curated List of Kubernetes Tools

II. Usage

1.Check API permissions

Examples:

kubectl auth can-i create deployments --namespace dev
kubectl auth can-i create deployments --namespace prod
kubectl auth can-i list secrets --namespace dev --as dave

Check whether a serviceAccount has list permission

kubectl auth can-i list pods \
	--namespace target \
	--as system:serviceaccount:dev:dev-sa
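
The same check can be repeated over several verb/resource pairs to review one service account for least privilege. This is an added example, not part of the original notes; the function names (`sa_can_i`, `audit_sa`) and the list of pairs are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: least-privilege review of one service account, built on
# `kubectl auth can-i ... --as system:serviceaccount:<ns>:<name>`.

# Assumed review list: verb/resource pairs worth a second look when a
# workload identity holds them. Adjust to your own policy.
SENSITIVE_CHECKS="
get secrets
list secrets
create pods
create rolebindings
impersonate serviceaccounts
"

# sa_can_i NAMESPACE SA_NAMESPACE SA_NAME VERB RESOURCE -> yes | no | unknown
sa_can_i() {
    local answer
    # can-i exits non-zero on "no", so judge by the printed answer.
    answer=$(kubectl auth can-i "$4" "$5" --namespace "$1" \
        --as "system:serviceaccount:$2:$3" 2>/dev/null) || true
    case "$answer" in
        yes*) echo yes ;;
        no*)  echo no ;;
        *)    echo unknown ;;   # API error, bad context, etc.: not a "no"
    esac
}

# audit_sa NAMESPACE SA_NAMESPACE SA_NAME
# Prints "ALLOWED verb resource" per granted pair (UNKNOWN lines go to stderr).
# Returns 0 = nothing granted, 1 = something granted, 2 = only failed checks.
audit_sa() {
    local verb resource rc=0
    while read -r verb resource; do
        [ -n "$verb" ] || continue
        case "$(sa_can_i "$1" "$2" "$3" "$verb" "$resource")" in
            yes)     echo "ALLOWED $verb $resource"; rc=1 ;;
            unknown) echo "UNKNOWN $verb $resource" >&2
                     [ "$rc" -eq 1 ] || rc=2 ;;
        esac
    done <<EOF
$SENSITIVE_CHECKS
EOF
    return "$rc"
}

# Usage, with the namespace and account from the command above:
#   audit_sa target dev dev-sa
```

Using `--as` requires that the account running kubectl is itself allowed to impersonate the service account.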

2.Common commands

1.List all APIs

_list=($(kubectl get --raw / |grep "^    \"/api"|sed 's/[",]//g')); for _api in ${_list[@]}; do _aruyo=$(kubectl get --raw ${_api} | jq .resources); if [ "x${_aruyo}" != "xnull" ]; then echo; echo "===${_api}==="; kubectl get --raw ${_api} | jq -r ".resources[].name"; fi; done

Script

#!/bin/bash
SERVER="localhost:8080"
APIS=$(curl -s $SERVER/apis | jq -r '[.groups | .[].name] | join(" ")')
# do core resources first, which are at a separate api location
api="core"
curl -s $SERVER/api/v1 | jq -r --arg api "$api" '.resources | .[] | "\($api) \(.name): \(.verbs | join(" "))"'
# now do non-core resources
for api in $APIS; do
    version=$(curl -s $SERVER/apis/$api | jq -r '.preferredVersion.version')
    curl -s $SERVER/apis/$api/$version | jq -r --arg api "$api" '.resources | .[]? | "\($api) \(.name): \(.verbs | join(" "))"'
done

2.Base64 encoding (encoding only, not encryption)

echo -n "gcpuat" | base64 -w 0

3.Base64-decode the contents of a secret

kubectl -n ada-datanaut get secret manual-file-upload-api-secret -o go-template='
{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'

4.Print a key on a single line

awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' ada.chaos.mod.adag.dev.nonprod.c1.abc.com.cer

5.Log in to the database with certificates

mysql -u${DB_USER} -p${DB_PASSWD} -h${MYSQL_HOST} -P${MYSQL_PORT}  --ssl-ca=/tmp/certs/server-ca.pem  --ssl-cert=/tmp/certs/client-cert.pem  --ssl-key=/tmp/certs/client-key.pem

6.History configuration

export HISTORY_FILE="/tmp/log/cmdlines"
export HISTFILESIZE=100000
export HISTSIZE=100000
export HISTTIMEFORMAT="$(whoami) %m/%d/%Y %H:%M "
Reproduction without permission is prohibited: 琼杰笔记 » Kubernetes/K8S Notes
