在 Kubernetes 主节点上运行用户 Pod 是否存在问题?
[英]Are there issues with running user pods on a Kubernetes master node?
问题描述
Many of the run-throughs for deploying Kubernetes master nodes suggest you use --register-schedulable=false to prevent user pods being scheduled to the master node (eg https://coreos.com/kubernetes/docs/latest/deploy-master.html ).
许多部署 Kubernetes 主节点的运行建议您使用--register-schedulable=false来防止用户 pod 被调度到主节点(例如https://coreos.com/kubernetes/docs/latest/deploy-master .html )。 On a very small Kubernetes cluster it seems somewhat a wasteful of compute resources to effectively prevent an entire node from being used for pod scheduling unless absolutely essential.在一个非常小的 Kubernetes 集群上,除非绝对必要,否则有效地阻止整个节点用于 pod 调度似乎有点浪费计算资源。
The answer to this question ( Will (can) Kubernetes run Docker containers on the master node(s)? ) suggests that it is indeed possible to run user pods on a master node - but doesn't address whether there are any issues associated with allowing this.这个问题的答案( Will (can) Kubernetes 在主节点上运行 Docker 容器吗? )表明确实可以在主节点上运行用户 pod - 但没有解决是否存在任何相关的问题允许这个。
The only information that I've been able to find to date that suggests there might be issues associated with allowing this is that it appears that pods on master nodes communicate insecurely (see http://kubernetes.io/docs/admin/master-node-communication/ and https://github.com/kubernetes/kubernetes/issues/13598 ).迄今为止,我能够找到的唯一信息表明,允许这样做可能存在相关问题,主节点上的 pod 似乎不安全地通信(请参阅http://kubernetes.io/docs/admin/master- node-communication/和https://github.com/kubernetes/kubernetes/issues/13598 )。 I assume that this would potentially allow a rogue pod running on a master node to access/hijack Kubernetes functionality not normally accessible to pods on non-master nodes.我认为这可能会允许在主节点上运行的流氓 Pod 访问/劫持非主节点上的 Pod 通常无法访问的 Kubernetes 功能。 Probably not a big deal with if only running pods/containers developed internally - although I guess there's always the possibility of someone hacking access to a pod/container and thereby gaining access to the master node.如果只运行内部开发的 pods/容器,可能没什么大不了的——尽管我猜总是有可能有人入侵 pod/容器,从而获得对主节点的访问权限。
Does this sound like a viable potential risk associated with this scenario (allowing user pods to run on a Kubernetes master node)?这听起来像是与此场景相关的可行的潜在风险(允许用户 Pod 在 Kubernetes 主节点上运行)吗? Are there any other potential issues associated with such a setup?是否存在与此类设置相关的任何其他潜在问题?
3 个解决方案
解决方案1
9 已采纳 2016-06-17 06:36:05
Running pods on the master node is definitely possible.在主节点上运行 pod 绝对是可能的。
The security risk you mention is one issue, but if you configure service accounts, it isn't actually much different for all deployed pods to have secure remote access to the apiserver vs. insecure local access.您提到的安全风险是一个问题,但是如果您配置服务帐户,对于所有已部署的 pod 而言,对 apiserver 进行安全远程访问与不安全本地访问实际上并没有太大区别。
Another issue is resource contention.另一个问题是资源争用。 If you run a rogue pod on your master node that disrupts the master components, it can destabilize your entire cluster.如果您在主节点上运行破坏主组件的恶意 Pod,它可能会破坏整个集群的稳定性。 Clearly this is a concern for production deployments, but if you are looking to maximize utilization of a small number of nodes in a development / experimentation environment, then it should be fine to run a couple of extra pods on the master.显然,这是生产部署的一个问题,但如果您希望在开发/实验环境中最大限度地利用少量节点,那么在主节点上运行几个额外的 pod 应该没问题。
Finally, you need to make sure the master node has a sufficiently large pod cidr allocated to it.最后,您需要确保主节点有足够大的 pod cidr 分配给它。 In some deployments, the master only gets a /30 which isn't going to allow you to run very many pods.在某些部署中,master 只得到一个 /30,这不会允许你运行很多 pod。
解决方案2
0 2022-01-06 01:11:24
Now Kubernetes and some Kubernetes distribution have what it calls taint.现在 Kubernetes 和一些 Kubernetes 发行版有了所谓的污点。 taint can decide if the master can run a pod or not. taint 可以决定 master 是否可以运行 pod。
although running the pod on the master node is not the best practice but it's possible to do so.尽管在主节点上运行 pod 不是最佳实践,但可以这样做。 medium 中等的
in Kubernetes, we can read the explanation about taint here and I believe this is also related to scheduler在Kubernetes中,我们可以在这里阅读关于taint的解释,我相信这也与调度程序有关
in Kubernetes or K3S, we can check if the nodes set the taint or not by describing the nodes.在 Kubernetes 或 K3S 中,我们可以通过描述节点来检查节点是否设置了污点。
# kubectl describe nodes | grep Taints
Taints: node.kubernetes.io/unreachable:NoExecute
Taints: node.kubernetes.io/unreachable:NoSchedule
Taints: node.kubernetes.io/unreachable:NoExecute
Taints: <none>
NoSchedule : Pods that do not tolerate this taint are not scheduled on the node. NoSchedule :不会在节点上调度不容忍这种污点的Pod 。
PreferNoSchedule: Kubernetes avoids scheduling Pods that do not tolerate this taint onto the node. PreferNoSchedule: Kubernetes 避免将不能容忍这种污点的 Pod 调度到节点上。
NoExecute : Pod is evicted from the node if it is already running on the node, and is not scheduled onto the node if it is not yet running on the node. NoExecute :如果 Pod 已经在节点上运行,则将其从节点中驱逐,如果尚未在节点上运行,则不会调度到该节点上。 source 来源
if you want to specify one of your nodes, rather master or agent, just mention the nodes如果要指定节点之一,而不是主节点或代理节点,只需提及节点
# kubectl describe nodes agent3 | grep Taints
Taints: <none>
# kubectl describe nodes master | grep Taints
Taints: <none>
this is how you apply the taint to your nodes这就是将污点应用到节点的方式
kubectl taint nodes agent1 key1=value1:NoSchedule
kubectl taint nodes agent2 key1=value1:NoExecute
when your nodes are not running automatically it will show NoSchedule or NoExecute, make sure to check your nodes before checking the taint.当您的节点未自动运行时,它将显示 NoSchedule 或 NoExecute,请确保在检查污点之前检查您的节点。
解决方案3
-3 2020-03-13 08:52:09
@robert have given a clear answer. @robert 给出了明确的答案。 I'm just trying to explain in a metaphorical way with a real-time example.我只是想通过一个实时示例以隐喻的方式进行解释。
Your company's MANAGER is a better coder.贵公司的经理是更好的编码员。 If he starts coding, your company's MANAGER kind of work will be stalled/less efficient, because he can handle one thing in an efficient way .如果他开始编码,您公司的 MANAGER 类型的工作将停滞不前/效率较低,因为他可以以有效的方式处理一件事。 that will put your entire company at risks.这将使您的整个公司面临风险。
To operate efficiently, Hire more devs to code and don't make your MANAGER code(in order to get the works for the amount you are paying him).为了有效地运作,雇用更多的开发人员来编写代码,而不是编写您的经理代码(为了获得您支付给他的金额的作品)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.