一、如果requests与limits相等,则为指定固定大小。也可不指定limits为无上限,但cpu不足1核心时,最多只能跑满一个核心。
apiVersionv1
kindPod
metadata
namestress-pod
spec
containers
namestress
imageikubernetes/stress-ng
command"/usr/bin/stress-ng" "-c 1" "-m 1" "--metrics-brief"
resources
requests#下阈值,最小阈值
memory"128Mi"
cpu"200m"
limits#上阈值,最大阈值
memory"512Mi"
cpu"400m"
#测试
kubectl exec stress-pod -- top
二、Pod的资源优先级
QoS Class:服务质量类别,代表了Pod的资源被优先满足的类别
Guaranteed:Pod内的每个容器都分别设定了CPU和Memroy资源需求和资源限制,CPU的需求与限制相等,而且Memory的需求与限制也相等;
Bustable:中间层
BestEffort:未为任何一个容器设定任何需求或限制;
三、pod 安全上下文、探针、sidecar、资源汇总示例
apiVersionv1
kindPod
metadata
nameall-in-one
namespacedefault
spec
initContainers
nameiptables-init
imageikubernetes/admin-boxlatest
imagePullPolicyIfNotPresent
command'/bin/sh''-c'
args'iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80'
securityContext
capabilities
add
NET_ADMIN
containers
namesidecar-proxy
imageenvoyproxy/envoy-alpinev1.13.1
command'/bin/sh''-c'
args'sleep 3 && envoy -c /etc/envoy/envoy.yaml'
lifecycle
postStart
exec
command'/bin/sh''-c''wget -O /etc/envoy/envoy.yaml http://ilinux.io/envoy.yaml'
livenessProbe
tcpSocket
port80
initialDelaySeconds5
readinessProbe
tcpSocket
port80
initialDelaySeconds5
namedemo
imageikubernetes/demoappv1.0
imagePullPolicyIfNotPresent
env
namePORT
value'8080'
livenessProbe
httpGet
path'/livez'
port8080
initialDelaySeconds5
readinessProbe
httpGet
path'/readyz'
port8080
initialDelaySeconds15
securityContext
runAsUser1001
runAsGroup1001
resources
requests
cpu0.5
memory"64Mi"
limits
cpu2
memory"1024Mi"
securityContext
supplementalGroups1002 1003
fsGroup2000
