# K8s小技巧汇总
## 获取当前版本支持的API列表
使用如下命令:
```shell
# 等价于 kubectl get --raw /apis,但后者获取的是JSON内容
# - 添加 -o wide 可返回API的verbs
# - 结果不含API的子资源,如 pods/log
$ kubectl api-resources
NAME SHORTNAMES APIVERSION NAMESPACED KIND
bindings v1 true Binding
componentstatuses cs v1 false ComponentStatus
configmaps cm v1 true ConfigMap
endpoints ep v1 true Endpoints
...
rolebindings rbac.authorization.k8s.io/v1 true RoleBinding
roles rbac.authorization.k8s.io/v1 true Role
priorityclasses pc scheduling.k8s.io/v1 false PriorityClass
csidrivers storage.k8s.io/v1 false CSIDriver
csinodes storage.k8s.io/v1 false CSINode
csistoragecapacities storage.k8s.io/v1 true CSIStorageCapacity
storageclasses sc storage.k8s.io/v1 false StorageClass
volumeattachments storage.k8s.io/v1 false VolumeAttachment
```
返回结果中包含某些API资源的缩写。还有一些命令:
```shell
kubectl api-versions
```
查看某个API的子资源以及详情:
```shell
kubectl get --raw="/api/v1" # 注意/api/v1指的是v1
kubectl get --raw="/apis/storage.k8s.io/v1" # 除了v1组,查看其他API都需要加上`/apis`的前缀
```
## 查看/解释某个资源支持的所有配置字段
```shell
$ kubectl explain pods
KIND: Pod
VERSION: v1
DESCRIPTION:
Pod is a collection of containers that can run on a host. This resource is
created by clients and scheduled onto hosts.
FIELDS:
apiVersion <string>
APIVersion defines the versioned schema of this representation of an
object. Servers should convert recognized schemas to the latest internal
value, and may reject unrecognized values. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind <string>
Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client submits
requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata <Object>
Standard object's metadata. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
spec <Object>
Specification of the desired behavior of the pod. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
status <Object>
Most recently observed status of the pod. This data may not be up to date.
Populated by the system. Read-only. More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
```
其他:
```shell
kubectl explain pods.spec.containers
kubectl explain pods --recursive
```
## 使用nsenter在宿主机上调试容器
很多容器为了轻量化移除了很多基础命令,比如`ps`,`top`,`netstat`等。此时可以在宿主机上使用`nsenter`工具来调试容器。
通过nsenter可以使用宿主机上已安装的工具来调试容器,比如查看指定容器的防火墙规则,进程/CPU信息等。
Centos 7.9 默认安装了`nsenter`工具,如果没有安装,可以使用`yum install -y util-linux`命令自行安装,其他发行版请自行查找安装方式。
- [nsenter介绍](https://www.cnblogs.com/liugp/p/16344594.html)
调试步骤:
```shell
# 1. 获取容器ID
# - 下面的pod内含5个容器,根据名字找到任意一个容器的Container ID(除了init容器)
# - 因为Pod内的容器共享各命名空间,所以任一容器ID均可
$ kk describe po istio-client-test |grep erd -B 1
istio-init:
Container ID: containerd://1c35ebc2cbf03f2d7069594cae68db9698d666174141c80bfcd5fca15bb600cb
--
istio-client-test:
Container ID: containerd://e305d7f3fa5f9699e04586e87600adc40d2948271f5719af301a010034c2ca46
--
iptables:
Container ID: containerd://ad016ed6d79010854d12aaeb27b352d38d3459811e2039c6dcc472b268c1dbe0
--
tcpdump:
Container ID: containerd://5f993b223b5159db7efddf289db9f255c90833771ce3b47036a1c042b858fd38
--
istio-proxy:
Container ID: containerd://e1752cafdd3de5ce83debb377d62b4ab8314f896fedb738917397699dd412cb5
# 2. 进入容器所运行的宿主机上查看容器在宿主机上的进程ID,如下是42816
$ crictl inspect e305d7f3fa5f9699e04586e87600adc40d2948271f5719af301a010034c2ca46|grep pid
"pid": 42816,
"pid": 1
"type": "pid"
# 3. 使用nsenter命令查看容器内的iptables nat规则(此容器安装了envoy代理,所以会有包含15001端口的规则)
$ nsenter -t 42816 -n iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N ISTIO_INBOUND
-N ISTIO_IN_REDIRECT
-N ISTIO_OUTPUT
-N ISTIO_REDIRECT
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp -m tcp --dport 15008 -j RETURN
-A ISTIO_INBOUND -p tcp -m tcp --dport 15090 -j RETURN
-A ISTIO_INBOUND -p tcp -m tcp --dport 15021 -j RETURN
-A ISTIO_INBOUND -p tcp -m tcp --dport 15020 -j RETURN
-A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
-A ISTIO_OUTPUT -s 127.0.0.6/32 -o lo -j RETURN
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -p tcp -m tcp ! --dport 15008 -m owner --uid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -p tcp -m tcp ! --dport 15008 -m owner --gid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
```
还可以直接进入该容器的命名空间调试,免去输入`nsenter`命令前缀:
```shell
$ nsenter -t 42816 -n
$ iptables -t nat -S
...
# 退出该容器的命名空间
$ exit
```
You can set it to show Context Menu by pressing the shortcut key.
Got it
Go to Settings | 