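Krew, the plugin manager: a power tool for managing Kubernetes
Krew is a plugin manager for Kubernetes that lets users search for, install, and manage kubectl plugins. With Krew, users can easily extend kubectl with plugins provided by the community.
It is similar to tools such as apt, dnf, and brew. To date, more than 200 kubectl plugins are available.
For kubectl users: Krew helps you find, install, and manage kubectl plugins.
For plugin developers: Krew helps you package and distribute plugins on multiple platforms.
Official repository: https://github.com/kubernetes-sigs/krew
Installing and configuring krew
1. Prerequisites
- Install git.
- Make sure kubectl and a compatible shell (such as Bash or Zsh) are installed. Run echo $SHELL to confirm the shell type.
2. Run the following command to download and install krew
The command below is the one provided by the project. It detects the operating system and architecture of the current environment and installs the latest version of krew.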
(
  set -x; cd "$(mktemp -d)" &&
  OS="$(uname | tr '[:upper:]' '[:lower:]')" &&
  ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" &&
  KREW="krew-${OS}_${ARCH}" &&
  curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/${KREW}.tar.gz" &&
  tar zxvf "${KREW}.tar.gz" &&
  ./"${KREW}" install krew
)
You can also download and unpack it manually. Visit https://github.com/kubernetes-sigs/krew/releases/ to get the latest version:
# Using v0.4.4 as an example
root@master1:~# wget https://github.com/kubernetes-sigs/krew/releases/download/v0.4.4/krew-linux_amd64.tar.gz
root@master1:~# tar zxvf krew-linux_amd64.tar.gz
./LICENSE
./krew-linux_amd64
root@master1:~# ./krew-linux_amd64 install krew
WARNING: To be able to run kubectl plugins, you need to add
the following to your ~/.bash_profile or ~/.bashrc:
    export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
and restart your shell.
Updated the local copy of plugin index.
Installing plugin: krew
W0709 10:13:36.918064 12993 install.go:160] Skipping plugin "krew", it is already installed
- Add Krew's path to your environment. Add the following line to your .bashrc or .zshrc file.
export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
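Reopen the shell or run source ~/.bashrc for the change to take effect.
- Run the following commands to check the installation
# List kubectl plugins
root@master1:~# kubectl plugin list
The following compatible plugins are available:
/root/.krew/bin/kubectl-krew
# Show krew version information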
root@master1:~# kubectl krew version
OPTION VALUE
GitTag v0.4.4
GitCommit 343e657
IndexURI https://github.com/kubernetes-sigs/krew-index.git
BasePath /root/.krew
IndexPath /root/.krew/index/default
InstallPath /root/.krew/store
BinPath /root/.krew/bin
DetectedPlatform linux/amd64
- Remove or uninstall
root@master1:~# rm -rf /root/.krew
- krew help
root@master1:~# kubectl krew
krew is the kubectl plugin manager.
You can invoke krew through kubectl: "kubectl krew [command]..."
Usage:
  kubectl krew [command]
Available Commands:
  help        Help about any command
  index       Manage custom plugin indexes
  info        Show information about an available plugin
  install     Install kubectl plugins
  list        List installed kubectl plugins
  search      Discover kubectl plugins
  uninstall   Uninstall plugins
  update      Update the local copy of the plugin index
  upgrade     Upgrade installed plugins to newer versions
  version     Show krew version and diagnostics
Flags:
  -h, --help      help for krew
  -v, --v Level   number for the log level verbosity
Use "kubectl krew [command] --help" for more information about a command.
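Using Krew
Once Krew is installed, you can manage plugins with the kubectl krew command. Some common commands:
- List all available plugins:
kubectl krew search
- Install a plugin:
kubectl krew install <plugin-name>
- List installed plugins:
kubectl krew list
- Upgrade a plugin:
kubectl krew upgrade <plugin-name>
- Show plugin information:
kubectl krew info <plugin-name>
- Uninstall a plugin:
kubectl krew uninstall <plugin-name>
Example
The following example shows how to use Krew to install and use a plugin named ns (namespace switcher):
- Search for the plugin
kubectl krew search ns
- Install the plugin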
kubectl krew install ns
root@master1:~# kubectl krew install ns
Updated the local copy of plugin index.
Installing plugin: ns
Installed plugin: ns
\
 | Use this plugin:
 |      kubectl ns
 | Documentation:
 |      https://github.com/ahmetb/kubectx
 | Caveats:
 | \
 |  | If fzf is installed on your machine, you can interactively choose
 |  | between the entries using the arrow keys, or by fuzzy searching
 |  | as you type.
 | /
/
WARNING: You installed plugin "ns" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.
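The ns plugin switches Kubernetes namespaces.
Note
If you need a proxy, configuring a system-wide proxy on Linux is enough.
- Use the plugin to switch namespaces
kubectl ns <namespace-name>
After switching the default namespace, some operations become simpler: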
root@master1:~# kubectl get ns
NAME STATUS AGE
calico-system Active 7d18h
default Active 7d18h
gitlab Active 4d22h
harbor Active 6d18h
ingress-nginx Active 7d16h
jenkins Active 5d20h
kube-node-lease Active 7d18h
kube-public Active 7d18h
kube-system Active 7d18h
metallb-system Active 4d23h
openebs Active 6d19h
tigera-operator Active 7d18h
# Switch to the harbor namespace
root@master1:~# kubectl ns harbor
Context "kubernetes-admin@kubernetes" modified.
Active namespace is "harbor".
# harbor is now the default namespace
root@master1:~# kubectl get pod
NAME READY STATUS RESTARTS AGE
harbor-core-568c4c7c74-zblkc 1/1 Running 5 (37m ago) 19h
harbor-database-0 1/1 Running 1 (37m ago) 20h
harbor-jobservice-7b5f6689f4-6tncs 1/1 Running 9 (36m ago) 19h
harbor-portal-7c5d84cbb8-t6v22 1/1 Running 4 (37m ago) 6d18h
harbor-redis-0 1/1 Running 1 (37m ago) 19h
harbor-registry-86f55b88fb-k6lwh 2/2 Running 8 (37m ago) 6d16h
harbor-trivy-0 1/1 Running 1 (37m ago) 19h
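The install output above warns that krew-index plugins are not audited for security. The following added example (not from the original article or the krew project) lists the download URI and pinned SHA-256 of each platform entry in a plugin manifest and flags non-HTTPS URIs and malformed digests. The sample manifest is constructed, and the plugins/ subdirectory under the IndexPath shown earlier is an assumption.

```shell
# Added example: review the download sources pinned in a krew plugin manifest.
# audit_manifest FILE prints one line per platform entry; status 1 if any is flagged.
audit_manifest() {
  awk '
    function flush() {
      if (uri == "" && sum == "") return
      st = "ok"
      if (uri !~ /^https:\/\//) st = "WARN-not-https"      # missing or non-HTTPS URI
      else if (length(sum) != 64 || sum !~ /^[0-9a-f]+$/) st = "WARN-bad-sha256"
      if (st != "ok") bad++
      print st, (uri == "" ? "-" : uri), (sum == "" ? "-" : sum)
      uri = ""; sum = ""
    }
    function value(line, key) {        # text after "key:", quotes and CR removed
      sub("^[ -]*" key ":[ \t]*", "", line); gsub(/["\r]/, "", line)
      sub(/[ \t]+$/, "", line); return line
    }
    /^[ ]*platforms:/ { item = 0; next }
    /^[ ]*-/ {                         # a "-" at the platform-list column starts a new entry
      col = index($0, "-")
      if (item == 0) item = col
      if (col == item) flush()
    }
    /^[ -]*uri:/    { uri = value($0, "uri") }
    /^[ -]*sha256:/ { sum = value($0, "sha256") }
    END { flush(); exit (bad > 0 ? 1 : 0) }
  ' "$1"
}

# Constructed sample manifest (not a real krew-index entry; digests are dummy values).
sample_manifest() {
  cat <<'EOF'
spec:
  platforms:
  - uri: https://example.com/p-linux.tar.gz
    sha256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    files:
    - from: p
      to: .
  - uri: http://example.com/p-darwin.tar.gz
    sha256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  - sha256: deadbeef
    uri: https://example.com/p-windows.zip
EOF
}

# Usage (manifest location under the local index is an assumption):
#   audit_manifest "${KREW_ROOT:-$HOME/.krew}/index/default/plugins/ns.yaml"
```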
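Some commonly used plugins
After each plugin is installed, it prints how to use it; run it with --help for more detail. The plugin's project address is also shown.
1. kubectl tree
Shows the hierarchy of Kubernetes resources, displaying resources and their owner relationships as a tree.
Repository: https://github.com/ahmetb/kubectl-tree
# Install the plugin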
root@master1:~# kubectl krew install tree
Updated the local copy of plugin index.
Installing plugin: tree
Installed plugin: tree
\
 | Use this plugin:
 |      kubectl tree
 | Documentation:
 |      https://github.com/ahmetb/kubectl-tree
 | Caveats:
 | \
 |  | * For resources that are not in default namespace, currently you must
 |  | specify -n/--namespace explicitly (the current namespace setting is not
 |  | yet used).
 | /
/
WARNING: You installed plugin "tree" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.
root@master1:~# kubectl tree --help
Show sub-resources of the Kubernetes object
Usage:
  kubectl tree KIND NAME [flags]
Examples:
  kubectl tree deployment my-app
  kubectl tree kservice.v1.serving.knative.dev my-app
...
# View the hierarchy of a Deployment
root@master1:~# kubectl tree deploy harbor-core
NAMESPACE NAME READY REASON AGE
harbor Deployment/harbor-core - 6d19h
harbor ├─ReplicaSet/harbor-core-568c4c7c74 - 6d17h
harbor │ └─Pod/harbor-core-568c4c7c74-zblkc True 20h
harbor └─ReplicaSet/harbor-core-fb5ff9588 - 6d19h
2. kubectl ctx & kubectl ns
Quickly switch between Kubernetes contexts (ctx) and namespaces (ns).
Repository: https://github.com/ahmetb/kubectx
Install:
kubectl krew install ctx
kubectl krew install ns
Example:
# switch to another cluster that's in kubeconfig
$ kubectx minikube
Switched to context "minikube".
# switch back to previous cluster
$ kubectx -
Switched to context "oregon".
# rename context
$ kubectx dublin=gke_ahmetb_europe-west1-b_dublin
Context "gke_ahmetb_europe-west1-b_dublin" renamed to "dublin".
# change the active namespace on kubectl
$ kubens kube-system
Context "test" set.
Active namespace is "kube-system".
# go back to the previous namespace
$ kubens -
Context "test" set.
Active namespace is "default".
3. kubectl neat
Cleans up the output of kubectl get and kubectl describe, showing only the necessary information.
Repository: https://github.com/itaysk/kubectl-neat
Install:
kubectl krew install neat
Example:
kubectl get pod mypod -o yaml | kubectl neat
kubectl get pod mypod -oyaml | kubectl neat -o json
kubectl neat -f - <./my-pod.json
kubectl neat -f ./my-pod.json
kubectl neat -f ./my-pod.json --output yaml
4. kubectl sniff
Captures network traffic on a Kubernetes pod in Wireshark format; depends on wireshark.
Installing wireshark on Ubuntu:
sudo add-apt-repository universe
sudo apt update
sudo apt install wireshark
Repository: https://github.com/eldadru/ksniff
Install:
kubectl krew install sniff
Example:
# Capture traffic from the harbor-core container
root@master1:~# kubectl sniff harbor-core-568c4c7c74-zblkc -c core
INFO[0000] using tcpdump path at: '/root/.krew/store/sniff/v1.6.2/static-tcpdump'
INFO[0000] sniffing method: upload static tcpdump
INFO[0000] sniffing on pod: 'harbor-core-568c4c7c74-zblkc' [namespace: 'harbor', container: 'core', filter: '', interface: 'any']
INFO[0000] uploading static tcpdump binary from: '/root/.krew/store/sniff/v1.6.2/static-tcpdump' to: '/tmp/static-tcpdump'
INFO[0000] uploading file: '/root/.krew/store/sniff/v1.6.2/static-tcpdump' to '/tmp/static-tcpdump' on container: 'core'
INFO[0000] executing command: '[/bin/sh -c test -f /tmp/static-tcpdump]' on container: 'core', pod: 'harbor-core-568c4c7c74-zblkc', namespace: 'harbor'
INFO[0000] command: '[/bin/sh -c test -f /tmp/static-tcpdump]' executing successfully exitCode: '0', stdErr :''
INFO[0000] file found: ''
INFO[0000] file was already found on remote pod
INFO[0000] tcpdump uploaded successfully
INFO[0000] spawning wireshark!
INFO[0000] start sniffing on remote container
INFO[0000] executing command: '[/tmp/static-tcpdump -i any -U -w - ]' on container: 'core', pod: 'harbor-core-568c4c7c74-zblkc', namespace: 'harbor'
INFO[0000] command: '[/tmp/static-tcpdump -i any -U -w - ]' executing successfully exitCode: '1', stdErr :'static-tcpdump: any: You don't have permission to capture on that device
(socket: Operation not permitted)
'
ERRO[0000] failed to start remote sniffing, stopping wireshark error="executing sniffer failed, exit code: '1'"
INFO[0000] starting sniffer cleanup
INFO[0000] sniffer cleanup completed successfully
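Error: signal: killed
# Run with elevated privileges
root@master1:~# kubectl sniff harbor-core-568c4c7c74-zblkc -c core --privileged
Once it runs normally, the Wireshark window pops up in the SSH session through X11 forwarding, where you can view the traffic of the current pod.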
5. kubectl view-utilization
Shows the CPU and memory usage of nodes and pods in the cluster.
Repository: https://github.com/etopeter/kubectl-view-utilization
Install:
kubectl krew install view-utilization
View CPU and memory usage by node and by namespace:
root@master1:~# kubectl view-utilization node
CPU   : ▁▄▁
Memory: ▁▂▁
                 CPU                                   Memory
Node     Requests  %Requests  Limits  %Limits   Requests  %Requests      Limits  %Limits
master1       750         37       0        0  199229440          5           0        0
node1         400         19    1000       49  840957952         17  1073741824       22
node2         400         19       0        0  450887680         11   356515840        9
root@master1:~# kubectl view-utilization namespaces
Namespace       CPU Requests  CPU Limits  Memory Requests  Memory Limits
calico-system              0           0                0              0
harbor                   200        1001        536870912     1073741824
ingress-nginx            300           0        283115520              0
kube-system             1050           0        671088640      356515840
metallb-system             0           0                0              0
openebs                    0           0                0              0
6. kubectl score
Scores Kubernetes resources against security and best-practice checks and suggests improvements.
Repository: https://github.com/zegl/kube-score
Install:
kubectl krew install score
7. kubectl resource-capacity
Shows the usage and allocation of resources (CPU, memory) in the cluster as a table.
Repository: https://github.com/robscott/kube-capacity
Install:
kubectl krew install resource-capacity
Example:
root@master1:~# kubectl resource-capacity
NODE      CPU REQUESTS   CPU LIMITS    MEMORY REQUESTS   MEMORY LIMITS
*         1550m (25%)    1000m (16%)   1422Mi (11%)      1364Mi (11%)
master1   750m (37%)     0m (0%)       190Mi (5%)        0Mi (0%)
node1     400m (20%)     1000m (50%)   802Mi (17%)       1024Mi (22%)
node2     400m (20%)     0m (0%)       430Mi (11%)       340Mi (9%)
8. kubectl access-matrix
Shows the permission matrix of a user or service account across different resources.
Repository: https://github.com/corneliusweig/rakkess
Install:
kubectl krew install access-matrix
Example:
# Review access to cluster-scoped resources
$ kubectl access-matrix
# Review access to namespaced resources in 'default'
$ kubectl access-matrix --namespace default
# Review access as a different user
$ kubectl access-matrix --as other-user
# Review access as a service-account
$ kubectl access-matrix --sa kube-system:namespace-controller
# Review access for different verbs
$ kubectl access-matrix --verbs get,watch,patch
# Review access rights diff with another service account
$ kubectl access-matrix --diff-with sa=kube-system:namespace-controller
9. kubectl tail
Follows the logs of Kubernetes pods in real time, similar to the tail command on Linux.
Repository: https://github.com/boz/kail
Install:
kubectl krew install tail
Example:
# Pod logs
kubectl tail --pod=harbor-portal-7c5d84cbb8-t6v22
# Service logs
kubectl tail --svc=harbor-core
# Deployment logs
kubectl tail --deploy=harbor-portal
10. kubectl get-all
Gets information about all Kubernetes resources; compared with kubectl get all, it returns more resource information.
Repository: https://github.com/corneliusweig/ketall
kubectl krew install get-all
Example:
root@master1:~# kubectl get-all
...
11. kubectl trace
Uses BPF (Berkeley Packet Filter) for kernel tracing, to debug and analyze cluster performance.
Project: https://github.com/iovisor/kubectl-trace
kubectl krew install trace
Example:
# Execute a bpftrace program from file on a specific node
kubectl trace run kubernetes-node-emt8.c.myproject.internal -f read.bt
# Get all bpftrace programs in all namespaces
kubectl trace get --all-namespaces
# Delete all bpftrace programs in a specific namespace
kubectl trace delete -n myns
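Krew greatly improves kubectl's extensibility, making it more efficient and convenient to manage and use Kubernetes. With Krew, you can easily discover and use a wide range of useful plugins to simplify day-to-day operations and automate tasks.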