26-pod-Ephemeral Containers

Posted by cucytoman on 2019-10-17

concepts/workloads/pods/ephemeral-containers/

FEATURE STATE: Kubernetes v1.16 alpha

This page provides an overview of ephemeral containers: a special type of container that runs temporarily in an existing Pod to accomplish user-initiated actions such as troubleshooting. You use ephemeral containers to inspect services rather than to build applications.

Warning: Ephemeral containers are in early alpha state and are not suitable for production clusters. You should expect the feature not to work in some situations, such as when targeting the namespaces of a container. In accordance with the Kubernetes Deprecation Policy, this alpha feature could change significantly in the future or be removed entirely.

Understanding ephemeral containers

Pods are the fundamental building block of Kubernetes applications. Since Pods are intended to be disposable and replaceable, you cannot add a container to a Pod once it has been created. Instead, you usually delete and replace Pods in a controlled fashion using Deployments.

Sometimes, however, it is necessary to inspect the state of an existing Pod, for example to troubleshoot a hard-to-reproduce bug. In these cases you can run an ephemeral container in an existing Pod to inspect its state and run arbitrary commands.

What is an ephemeral container?

Ephemeral containers differ from other containers in that they lack guarantees for resources or execution, and they will never be automatically restarted, so they are not appropriate for building applications. Ephemeral containers are described using the same ContainerSpec as regular containers, but many fields are incompatible and disallowed for ephemeral containers.

  • Ephemeral containers may not have ports, so fields such as ports, livenessProbe and readinessProbe are disallowed.
  • Pod resource allocations are immutable, so setting resources is disallowed.
  • For a complete list of allowed fields, see the EphemeralContainer reference documentation.

Ephemeral containers are created using a special ephemeralcontainers handler in the API rather than by adding them directly to pod.spec, so it is not possible to add an ephemeral container using kubectl edit.

Like regular containers, you may not change or remove an ephemeral container after you have added it to a Pod.

Uses for ephemeral containers

Ephemeral containers are useful for interactive troubleshooting when kubectl exec is insufficient because a container has crashed or a container image does not include debugging utilities.

In particular, distroless images let you deploy minimal container images that reduce attack surface and exposure to bugs and vulnerabilities. Since distroless images do not include a shell or any debugging utilities, it is difficult to troubleshoot distroless images using kubectl exec alone.

When using ephemeral containers, it is helpful to enable process namespace sharing so you can view processes in other containers.

Examples

Note: The examples in this section require the EphemeralContainers feature gate to be enabled and Kubernetes client and server version v1.16 or later.

The examples in this section demonstrate how ephemeral containers appear in the API. Users would normally use a kubectl plugin for troubleshooting that automates these steps.

Ephemeral containers are created using the ephemeralcontainers subresource of Pod, which can be demonstrated using kubectl --raw. First describe the ephemeral container to add as an EphemeralContainers list:

{
    "apiVersion": "v1",
    "kind": "EphemeralContainers",
    "metadata": {
            "name": "example-pod"
    },
    "ephemeralContainers": [{
        "command": [
            "sh"
        ],
        "image": "busybox",
        "imagePullPolicy": "IfNotPresent",
        "name": "debugger",
        "stdin": true,
        "tty": true,
        "terminationMessagePolicy": "File"
    }]
}

Save that list as ec.json, then update the ephemeral containers of the already running example-pod:

kubectl replace --raw /api/v1/namespaces/default/pods/example-pod/ephemeralcontainers  -f ec.json

This will return the new list of ephemeral containers:

{
   "kind":"EphemeralContainers",
   "apiVersion":"v1",
   "metadata":{
      "name":"example-pod",
      "namespace":"default",
      "selfLink":"/api/v1/namespaces/default/pods/example-pod/ephemeralcontainers",
      "uid":"a14a6d9b-62f2-4119-9d8e-e2ed6bc3a47c",
      "resourceVersion":"15886",
      "creationTimestamp":"2019-08-29T06:41:42Z"
   },
   "ephemeralContainers":[
      {
         "name":"debugger",
         "image":"busybox",
         "command":[
            "sh"
         ],
         "resources":{

         },
         "terminationMessagePolicy":"File",
         "imagePullPolicy":"IfNotPresent",
         "stdin":true,
         "tty":true
      }
   ]
}

You can view the state of the newly created ephemeral container using kubectl describe:

kubectl describe pod example-pod
...
Ephemeral Containers:
  debugger:
    Container ID:  docker://cf81908f149e7e9213d3c3644eda55c72efaff67652a2685c1146f0ce151e80f
    Image:         busybox
    Image ID:      docker-pullable://busybox@sha256:9f1003c480699be56815db0f8146ad2e22efea85129b5b5983d0e0fb52d9ab70
    Port:          <none>
    Host Port:     <none>
    Command:
      sh
    State:          Running
      Started:      Thu, 29 Aug 2019 06:42:21 +0000
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:         <none>
...

You can attach to the new ephemeral container using kubectl attach:

kubectl attach -it example-pod -c debugger

If process namespace sharing is enabled, you can see processes from all the containers in that Pod. For example, after attaching, run ps in the debugger container:

ps auxww

The output is similar to:

PID   USER     TIME  COMMAND
    1 root      0:00 /pause
    6 root      0:00 nginx: master process nginx -g daemon off;
   11 101       0:00 nginx: worker process
   12 101       0:00 nginx: worker process
   13 101       0:00 nginx: worker process
   14 101       0:00 nginx: worker process
   15 101       0:00 nginx: worker process
   16 101       0:00 nginx: worker process
   17 101       0:00 nginx: worker process
   18 101       0:00 nginx: worker process
   19 root      0:00 /pause
   24 root      0:00 sh
   29 root      0:00 ps auxww
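The procedure above, from describing the EphemeralContainers list to submitting it against the pod's ephemeralcontainers subresource, packaged the way the page says a kubectl plugin would automate it. This is an added example and not code from the Kubernetes documentation or project: the helper names (validate_ephemeral_container, build_ephemeral_containers, ephemeral_containers_path, preflight_warnings, add_ephemeral_container) are this example's own, and it assumes kubectl is on PATH and configured against a v1.16+ cluster with the EphemeralContainers feature gate enabled. It rejects the fields the page lists as disallowed before making the round trip, and its pre-flight checks cover two things that cannot be fixed after the fact: shareProcessNamespace is a Pod-level, immutable field, and an ephemeral container cannot be changed or removed once added, so a name clash with an existing container is caught up front.

```python
"""Add a debugger ephemeral container to a running Pod (added example, not from the page)."""
import json
import subprocess
import tempfile

# Container fields the API rejects on an ephemeral container (ports, probes,
# resources, lifecycle). Checking client-side gives a clear error before the
# request ever reaches the API server.
DISALLOWED_FIELDS = frozenset({
    "ports", "livenessProbe", "readinessProbe", "startupProbe",
    "resources", "lifecycle",
})

# The same container the page adds with kubectl replace --raw.
DEBUGGER = {
    "name": "debugger",
    "image": "busybox",
    "imagePullPolicy": "IfNotPresent",
    "command": ["sh"],
    "stdin": True,
    "tty": True,
    "terminationMessagePolicy": "File",
}


def validate_ephemeral_container(spec: dict) -> list:
    """Return the problems that make `spec` unusable as an ephemeral container."""
    problems = []
    if not spec.get("name"):
        problems.append("ephemeral container needs a name")
    if not spec.get("image"):
        problems.append("ephemeral container needs an image")
    for field in sorted(DISALLOWED_FIELDS & spec.keys()):
        # An empty "resources": {} is what the server echoes back (see the page);
        # only an actual request or limit is a problem.
        if field == "resources" and not spec[field]:
            continue
        problems.append(f"field {field!r} is not allowed on ephemeral containers")
    return problems


def build_ephemeral_containers(pod_name: str, containers: list) -> dict:
    """Build the EphemeralContainers body that `kubectl replace --raw` PUTs."""
    problems = [p for c in containers for p in validate_ephemeral_container(c)]
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "apiVersion": "v1",
        "kind": "EphemeralContainers",
        "metadata": {"name": pod_name},
        "ephemeralContainers": containers,
    }


def ephemeral_containers_path(namespace: str, pod_name: str) -> str:
    """API path of the Pod's ephemeralcontainers subresource."""
    return f"/api/v1/namespaces/{namespace}/pods/{pod_name}/ephemeralcontainers"


def preflight_warnings(pod: dict, new_name: str) -> list:
    """Warn about Pod state that cannot be changed once the Pod is running.

    `pod` is a Pod object as returned by `kubectl get pod -o json`."""
    warnings = []
    spec = pod.get("spec", {})
    if not spec.get("shareProcessNamespace"):
        warnings.append("spec.shareProcessNamespace is not true: the debugger will "
                        "not see other containers' processes, and the field is immutable")
    existing = (spec.get("containers", []) + spec.get("initContainers", [])
                + spec.get("ephemeralContainers", []))
    if any(c.get("name") == new_name for c in existing):
        warnings.append(f"a container named {new_name!r} already exists in the Pod; "
                        "ephemeral containers cannot be changed or removed once added")
    return warnings


def add_ephemeral_container(namespace: str, pod_name: str, spec: dict) -> dict:
    """Submit the update through kubectl and return the server's new list."""
    pod = json.loads(subprocess.check_output(
        ["kubectl", "get", "pod", pod_name, "-n", namespace, "-o", "json"]))
    for warning in preflight_warnings(pod, spec["name"]):
        print("warning:", warning)
    body = build_ephemeral_containers(pod_name, [spec])
    # kubectl replace --raw takes the body from a file, as on the page (ec.json).
    with tempfile.NamedTemporaryFile("w", suffix=".json") as f:
        json.dump(body, f)
        f.flush()
        out = subprocess.check_output(
            ["kubectl", "replace", "--raw",
             ephemeral_containers_path(namespace, pod_name), "-f", f.name])
    return json.loads(out)


if __name__ == "__main__":
    result = add_ephemeral_container("default", "example-pod", DEBUGGER)
    print(json.dumps(result, indent=2))
    print("now run: kubectl attach -it example-pod -c debugger")
```

Adding an ephemeral container is an update (or patch) on the pods/ephemeralcontainers subresource, not on pods, so it needs its own RBAC grant; `kubectl auth can-i update pods --subresource=ephemeralcontainers -n default` shows whether the current identity has it. Treat that permission as you would pods/exec: whoever holds it can start a shell beside any container in the Pod, and with process namespace sharing the other containers' process trees and filesystems (through /proc/PID/root) are visible to it.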


This work is licensed under the CC Agreement; reprints must credit the author and link to this post.
