当前位置：首页 > news >正文

网站建设文化策划方案做旅游广告在哪个网站做效果好

news 2026/4/16 17:11:13

网站建设文化策划方案,做旅游广告在哪个网站做效果好,建立网站加强家园沟通和联系的利弊,网公司往期回顾#xff1a; 云端技术驾驭DAY01——云计算底层技术奥秘、云服务器磁盘技术、虚拟化管理、公有云概述云端技术驾驭DAY02——华为云管理、云主机管理、跳板机配置、制作私有镜像模板云端技术驾驭DAY03——云主机网站部署、web集群部署、Elasticsearch安装云端技术驾驭… 往期回顾云端技术驾驭DAY01——云计算底层技术奥秘、云服务器磁盘技术、虚拟化管理、公有云概述云端技术驾驭DAY02——华为云管理、云主机管理、跳板机配置、制作私有镜像模板云端技术驾驭DAY03——云主机网站部署、web集群部署、Elasticsearch安装云端技术驾驭DAY04——Logstash安装部署及插件模块云端技术驾驭DAY06——容器技术概述、镜像与容器管理、定制简单镜像、容器内安装部署服务云端技术驾驭DAY07——Dockerfile详解、容器镜像制作、私有仓库云端技术驾驭DAY08——部署容器服务、Compose微服务管理、harbor仓库部署及管理云端技术驾驭DAY09——k8s集群安装部署、calico插件部署、计算节点配置管理云端技术驾驭DAY10——kubectl命令详解、Pod创建过程、Pod的生命周期、定制Pod、资源对象文件云端技术驾驭DAY11——资源对象文件、Pod自定义命令、多容器Pod、资源监控工具云端技术驾驭DAY12——Pod调度策略、Pod标签管理、Pod资源配额与限额、全局资源配额与限额策略云端技术驾驭DAY13 Pod调度策略管理污点容忍策略污点概述污点策略容忍策略抢占与优先级优先级概述非抢占优先级抢占优先级 Pod安全特权容器特权容器概述特权容器 Pod安全策略安全概述限制特权容器 Pod调度策略管理污点容忍策略污点概述什么是污点污点Taint是使节点与Pod产生排斥的一类规则污点策略是如何实现污点策略通过嵌合在键值对上的污点标签进行声明污点标签尽量不调度PreferNoSchedule不会被调度NoSchedule驱逐节点NoExecute 管理污点标签污点标签必须绑定在键值对上格式为keyvalue:污点标签查看污点标签kubectl describe nodes [节点名字]设置污点标签kubectl taint node [节点名字] keyvalue:污点标签删除污点标签kubectl taint node [节点名字] keyvalue:污点标签- 污点策略污点验证为node-0001设置PreferNoschedule污点标签为node-0002设置NoSchedule污点标签 [rootmaster ~]# kubectl taint node node-0001 kv1:PreferNoSchedule node/node-0001 tainted [rootmaster ~]# kubectl taint node node-0002 kv2:NoSchedule node/node-0002 tainted [rootmaster ~]# kubectl describe nodes | grep Taints Taints: node-role.kubernetes.io/control-plane:NoSchedule Taints: kv1:PreferNoSchedule Taints: kv2:NoSchedule Taints: none Taints: none Taints: nonePod资源文件 [rootmaster ~]# vim myphp.yaml --- kind: Pod apiVersion: v1 metadata:name: myphp spec:containers:- name: phpimage: myos:php-fpmresources:requests:cpu: 1500m验证测试 [rootmaster ~]# sed s,myphp,php1, myphp.yaml | kubectl apply -f - pod/php1 created [rootmaster ~]# sed s,myphp,php2, myphp.yaml | kubectl apply -f - pod/php2 created [rootmaster ~]# sed s,myphp,php3, myphp.yaml | kubectl apply -f - // 创建三个Pod pod/php3 created [rootmaster ~]# kubectl get pods -o wide // 发现会优先使用没有污点的节点 NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES php1 1/1 Running 0 35s 10.244.240.134 node-0004 none none php2 1/1 Running 0 30s 10.244.243.209 node-0003 none none php3 1/1 Running 0 26s 10.244.153.139 node-0005 none none在没有其他节点可用的时候使用PreferNoSchedule污点所在的节点运行Pod [rootmaster ~]# sed s,myphp,php4, myphp.yaml | kubectl apply -f - pod/php4 created [rootmaster ~]# kubectl get pods -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES php1 1/1 Running 0 4m19s 10.244.240.134 node-0004 none none php2 1/1 Running 0 4m14s 10.244.243.209 node-0003 none none php3 1/1 Running 0 4m10s 10.244.153.139 node-0005 none none php4 1/1 Running 0 2s 10.244.21.132 node-0001 none none继续创建Pod 即使Pod创建失败也不会使用NoSchedule所在节点 [rootmaster ~]# sed s,myphp,php5, myphp.yaml | kubectl apply -f - pod/php5 created [rootmaster ~]# kubectl get pods -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES php1 1/1 Running 0 5m37s 10.244.240.134 node-0004 none none php2 1/1 Running 0 5m32s 10.244.243.209 node-0003 none none php3 1/1 Running 0 5m28s 10.244.153.139 node-0005 none none php4 1/1 Running 0 80s 10.244.21.132 node-0001 none none php5 0/1 Pending 0 2s none none none noneNoSchedule策略设置NoSchedule污点标签只对新建Pod有效对于已经创建完成的Pod不会产生影响 [rootmaster ~]# kubectl taint node node-0003 kv3:NoSchedule node/node-0003 tainted [rootmaster ~]# kubectl get pods -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES php1 1/1 Running 0 8m38s 10.244.240.134 node-0004 none none php2 1/1 Running 0 8m33s 10.244.243.209 node-0003 none none php3 1/1 Running 0 8m29s 10.244.153.139 node-0005 none none php4 1/1 Running 0 4m21s 10.244.21.132 node-0001 none none php5 0/1 Pending 0 3m3s none none none none驱逐策略驱逐策略会删除该节点上的所有Pod [rootmaster ~]# kubectl taint node node-0004 kv4:NoExecute // 为node-0004设置NoExecute策略 node/node-0004 tainted [rootmaster ~]# kubectl describe nodes | grep Taints Taints: node-role.kubernetes.io/control-plane:NoSchedule Taints: kv1:PreferNoSchedule Taints: kv2:NoSchedule Taints: kv3:NoSchedule Taints: kv4:NoExecute Taints: none[rootmaster ~]# kubectl get pods -o wide // 查看Pod情况NoExecute污点所在节点的Pod已经被删除了 NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES php2 1/1 Running 0 15m 10.244.243.209 node-0003 none none php3 1/1 Running 0 15m 10.244.153.139 node-0005 none none php4 1/1 Running 0 11m 10.244.21.132 node-0001 none none php5 0/1 Pending 0 9m57s none none none none删除实验所有污点策略 [rootmaster ~]# kubectl taint node node-000{1..4} k- node/node-0001 untainted node/node-0002 untainted node/node-0003 untainted node/node-0004 untainted容忍策略容忍策略是什么容忍策略与污点策略相反某些时候我们需要在有污点的节点上运行Pod这种无视污点标签的调度方式称为容忍策略容忍策略实验节点node-000{1…2}设置污点标签kv1:NoSchedule节点node-000{3…4}设置污点标签kv2:NoSchedule节点node-0005设置污点标签kv1:NoExecute 精确匹配策略 [rootmaster ~]# kubectl taint node node-000{1..2} kv1:NoSchedule node/node-0001 tainted node/node-0002 tainted [rootmaster ~]# kubectl taint node node-000{3..4} kv2:NoSchedule node/node-0003 tainted node/node-0004 tainted [rootmaster ~]# kubectl taint node node-0005 kv1:NoExecute node/node-0005 tainted[rootmaster ~]# vim myphp.yaml // 容忍kv1:NoSchedule污点 --- kind: Pod apiVersion: v1 metadata:name: myphp spec:tolerations:- operator: Equal // 完全匹配键值对key: k // 键value: v1 // 值effect: NoSchedule // 污点标签containers:- name: phpimage: myos:php-fpmresources:requests:cpu: 1500m[rootmaster ~]# for i in php{1..3};do sed s,myphp,${i}, myphp.yaml ;done|kubectl apply -f - pod/php1 created pod/php2 created pod/php3 created [rootmaster ~]# kubectl get pods -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES php1 1/1 Running 0 6s 10.244.21.133 node-0001 none none php2 1/1 Running 0 6s 10.244.147.9 node-0002 none none php3 0/1 Pending 0 6s none none none none模糊匹配策略 ... ... spec:tolerations:- operator: Exists // 部分匹配key: keffect: NoSchedule ... ...容忍所有node污点 ... ... spec:tolerations:- operator: Exists // 模糊匹配key: k // 键effect: // 设置空或删除代表所有污点标签 ... ...抢占与优先级优先级概述优先级是什么优先级表示一个Pod相对于其他Pod的重要性优先级有什么用优先级可以保证重要的Pod被调度运行如何使用优先级和抢占配置优先级类PriorityClass创建Pod时为其设置对应的优先级 PriorityClasss PriorityClasss是一个全局资源对象它定义了从优先级类名称到优先级整数值的映射优先级在value字段中指定可以设置小于10亿的整数值值最大优先级最高 PriorityClasss还有两个可选字段 globalDefault用于设置默认优先级状态如果没有任何优先级设置Pod的优先级为零description用来配置描述性信息告诉用户优先级的用途优先级策略非抢占优先指的是在调度阶段优先进行调度分配一旦容器调度完成就不可以抢占资源不足时只能等待抢占优先强制调度一个Pod如果资源不足无法被调度调度程序会抢占较低优先级的Pod的资源来保证高优先级Pod的运行非抢占优先级定义优先级资源对象创建一个value为1000的优先级对象创建一个value为500的优先级对象设置非抢占策略Never [rootmaster ~]# vim mypriority.yaml --- kind: PriorityClass apiVersion: scheduling.k8s.io/v1 metadata:name: high-non // 指定优先级名字 preemptionPolicy: Never // 策略非抢占 value: 1000 // 优先级--- kind: PriorityClass apiVersion: scheduling.k8s.io/v1 metadata:name: low-non preemptionPolicy: Never value: 500[rootmaster ~]# kubectl apply -f mypriority.yaml priorityclass.scheduling.k8s.io/high-non created priorityclass.scheduling.k8s.io/low-non created [rootmaster ~]# kubectl get priorityclasses.scheduling.k8s.io NAME VALUE GLOBAL-DEFAULT AGE high-non 1000 false 15s low-non 500 false 15s system-cluster-critical 2000000000 false 5d21h system-node-critical 2000001000 false 5d21h验证Pod优先级调度策略所有Pod创建在node-0002上创建php1该Pod使用默认优先级cpu1500m创建php1该Pod使用低优先级cpu1500m创建php3该Pod使用高优先级cpu1500m rootmaster ~]# vim php1.yaml --- kind: Pod apiVersion: v1 metadata:name: php1 spec:nodeSelector:kubernetes.io/hostname: node-0004containers:- name: phpimage: myos:php-fpmresources:requests:cpu: 1500m[rootmaster ~]# vim php2.yaml --- kind: Pod apiVersion: v1 metadata:name: php2 spec:nodeSelector:kubernetes.io/hostname: node-0004priorityClassName: low-noncontainers:- name: phpimage: myos:php-fpmresources:requests:cpu: 1500m[rootmaster ~]# vim php3.yaml --- kind: Pod apiVersion: v1 metadata:name: php3 spec:nodeSelector:kubernetes.io/hostname: node-0004priorityClassName: high-non containers:- name: phpimage: myos:php-fpmresources:requests:cpu: 1500m[rootmaster ~]# kubectl apply -f php1.yaml pod/php1 created [rootmaster ~]# kubectl apply -f php2.yaml pod/php2 created [rootmaster ~]# kubectl apply -f php3.yaml pod/php3 created [rootmaster ~]# kubectl get pods NAME READY STATUS RESTARTS AGE php1 1/1 Running 0 19s php2 0/1 Pending 0 16s php3 0/1 Pending 0 14s [rootmaster ~]# kubectl delete pod php1 pod php1 deleted [rootmaster ~]# kubectl get pods NAME READY STATUS RESTARTS AGE php2 0/1 Pending 0 70s php3 1/1 Running 0 68s抢占优先级定义优先级资源对象 [rootmaster ~]# vim mypriority.yaml --- kind: PriorityClass apiVersion: scheduling.k8s.io/v1 metadata:name: high-non preemptionPolicy: Never value: 1000--- kind: PriorityClass apiVersion: scheduling.k8s.io/v1 metadata:name: low-non preemptionPolicy: Never value: 500--- kind: PriorityClass apiVersion: scheduling.k8s.io/v1 metadata:name: high preemptionPolicy: PreemptLowerPriority // 策略抢占优先级 value: 1000--- kind: PriorityClass apiVersion: scheduling.k8s.io/v1 metadata:name: low preemptionPolicy: PreemptLowerPriority value: 500[rootmaster ~]# kubectl apply -f mypriority.yaml priorityclass.scheduling.k8s.io/high created priorityclass.scheduling.k8s.io/low created [rootmaster ~]# kubectl get priorityclasses.scheduling.k8s.io NAME VALUE GLOBAL-DEFAULT AGE high 1000 false 4s high-non 1000 false 2h low 500 false 4s low-non 500 false 2h system-cluster-critical 2000000000 false 21d system-node-critical 2000001000 false 21d验证抢占优先级 // 替换优先级策略 [rootmaster ~]# sed s,-non,, -i php?.yaml// 默认优先级 Pod [rootmaster ~]# kubectl apply -f php1.yaml pod/php1 created [rootmaster ~]# kubectl get pods NAME READY STATUS RESTARTS AGE php1 1/1 Running 0 6s// 高优先级 Pod [rootmaster ~]# kubectl apply -f php3.yaml pod/php3 created [rootmaster ~]# kubectl get pods NAME READY STATUS RESTARTS AGE php3 1/1 Running 0 9s// 低优先级 Pod [rootmaster ~]# kubectl apply -f php2.yaml pod/php2 created [rootmaster ~]# kubectl get pods NAME READY STATUS RESTARTS AGE php2 0/1 Pending 0 3s php3 1/1 Running 0 9sPod安全特权容器特权容器概述什么是特权容器容器是通过名称空间技术隔离的有时候我们执行一些应用服务需要使用或修改敏感的系统信息这时容器需要突破隔离限制获取更高的权限这类容器统称特权容器运行特权容器会有一些安全风险这种模式下运行容器对宿主机拥有root权限可以突破隔离直接控制宿主机的资源配置特权容器制作特权容器修改主机名和hosts文件 [rootmaster ~]# vim root.yaml --- kind: Pod apiVersion: v1 metadata:name: root spec:hostname: myhost // 修改容器主机名hostAliases: // 修改 /etc/hosts- ip: 192.168.1.30 // IP 地址hostnames: // 名称键值对- harbor // 主机名containers:- name: apacheimage: myos:httpd[rootmaster ~]# kubectl apply -f root.yaml pod/root created [rootmaster ~]# kubectl exec -it root -- /bin/bash [rootmyhost html]# hostname myhost [rootmyhost html]# cat /etc/hosts ... ... # Entries added by HostAliases. 192.168.1.30 harbor制作root特权容器 [rootmaster ~]# vim root.yaml --- kind: Pod apiVersion: v1 metadata:name: root spec:hostPID: true // 特权共享系统进程hostNetwork: true // 特权共享主机网络containers:- name: apacheimage: myos:httpdsecurityContext: // 安全上下文值privileged: true // root特权容器[rootmaster ~]# kubectl apply -f root.yaml pod/root created [rootmaster ~]# kubectl exec -it root -- /bin/bash [rootnode-0005 html]# pstree -p // 系统进程特权 systemd(1)--NetworkManager(595)--{NetworkManager}(617)| -{NetworkManager}(618)|-agetty(1129)... ... [rootnode-0005 html]# ifconfig eth0 // 网络特权 eth0: flags4163UP,BROADCAST,RUNNING,MULTICAST mtu 1500inet 192.168.1.55 netmask 255.255.255.0 broadcast 192.168.1.255inet6 fe80::f816:3eff:fe74:cd03 prefixlen 64 scopeid 0x20linkether fa:16:3e:74:cd:03 txqueuelen 1000 (Ethernet) [rootnode-0005 ~]# mkdir /sysroot // root用户特权 [rootnode-0005 ~]# mount /dev/sda1 /sysroot [rootnode-0005 ~]# chroot /sysroot sh-4.4# // 此处已经是node节点上的root用户了Pod安全策略安全概述什么是Pod安全策略 Pod安全策略是集群级别的资源它能够控制Pod运行的行为以及它具有访问什么的能力如何使用Pod安全策略 Kubernetes服务器版本必须不低于v1.22确保PodSecurity特性门控被启用 Pod安全策略LEVEL privieged不受限制的策略提供最大可能范围的特权许可此策略允许特权提升baseline弱限制性的策略禁止已知的策略提升权限允许使用默认的Pod配置restricted非常严格的限制性策略遵循当前的保护Pod的最佳实践 Pod准入控制标签MODE Kubernetes定义了一组标签你可以设置这些标签来定义某个名字空间上Pod安全性标准级别。所选择的标签定义了检测到潜在违利时所要采取的动作 enforce策略违利会导致Pod被拒绝audit策略违利会触发审计日志但是Pod仍可被接受warn策略违利会触发用户可见的警告信息但是Pod仍是被接受的语法格式pod-security.kubernetes.io/MODE:LEVEL 限制特权容器设置严格的准入控制拒绝特权容器 [rootmaster ~]# kubectl create namespace myprod namespace/myprod created [rootmaster ~]# kubectl label namespaces myprod pod-security.kubernetes.io/enforcerestricted namespace/myprod labeled在创建特权容器时发出警告提示 [rootmaster ~]# kubectl create namespace mytest namespace/mytest created [rootmaster ~]# kubectl label namespaces mytest pod-security.kubernetes.io/warnbaseline namespace/mytest labeled创建特权容器 [rootmaster ~]# kubectl -n myprod apply -f root.yaml Error from server (Failure): ... ... // 创建失败 [rootmaster ~]# kubectl -n mytest apply -f root.yaml Warning: would violate latest version of baseline PodSecurity profile: host namespaces (hostNetworktrue, hostPIDtrue), privileged (container linux must not set securityContext.privilegedtrue) pod/root created创建安全的Pod [rootmaster ~]# vim nonroot.yaml --- kind: Pod apiVersion: v1 metadata:name: nonroot spec:restartPolicy: Alwayscontainers:- name: phpimage: myos:php-fpmsecurityContext:allowPrivilegeEscalation: falserunAsNonRoot: truerunAsUser: 65534seccompProfile:type: RuntimeDefaultcapabilities:drop: [ALL][rootmaster ~]# kubectl -n myprod apply -f nonroot.yaml pod/nonroot created [rootmaster ~]# kubectl -n myprod get pods NAME READY STATUS RESTARTS AGE nonroot 1/1 Running 0 6s [rootmaster ~]# kubectl -n myprod exec -it nonroot -- id // 没有root用户 uid65534(nobody) gid65534(nobody) groups65534(nobody)

查看全文

http://www.hkea.cn/news/14290440/