------> 课程视频同步分享在今日头条和B站
大家好,我是博哥爱运维。
学习这些枯燥难懂的知识点,最好的方式就是利用实战内容进行讲解。在第12关 精通K8s下的Ingress-Nginx控制器:生产环境实战配置指南中,我们部署了ingress-nginx-controller,对于这个服务的yaml配置,里面就完美贴合了这节课我们要讲的所有内容,包含了亲和性、反亲和性、污点、容忍和节点选择器的使用,后面我们在其他生产服务上使用,依葫芦画瓢即可。
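---
apiVersion: apps/v1
# Shipped as a DaemonSet: one controller pod per node that carries the
# nodeSelector label further down. Switch to Deployment (and uncomment the
# "Deployment need" lines) to run a fixed replica count instead.
kind: DaemonSet
# kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: kube-system
  labels:
    app: ingress-nginx
  annotations:
    component.revision: "2"
    component.version: "1.9.3"
spec:
  # Deployment need:
  # ----------------
  # replicas: 1
  # ----------------
  selector:
    matchLabels:
      app: ingress-nginx
  template:
    metadata:
      labels:
        app: ingress-nginx
      annotations:
        # NOTE(review): these advertise a scrape target on 10254, but the
        # controller is started with --enable-metrics=false below, so the
        # scrape will find no metrics. Either enable metrics or drop the
        # two annotations.
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      # DaemonSet need:
      # ----------------
      # The controller binds 80/443, the 8443 webhook and the 10254 health
      # port directly in the node's network namespace, so only one
      # controller pod can run per node.
      hostNetwork: true
      # ----------------
      affinity:
        # Pod anti-affinity (soft rule, weight 100): prefer not to place two
        # controller pods on the same node.
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: app
                      operator: In
                      values:
                        - ingress-nginx
                topologyKey: kubernetes.io/hostname
              weight: 100
        # Node affinity (hard rule): never schedule onto virtual-kubelet
        # nodes or onto nodes labelled k8s.aliyun.com=true.
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: type
                    operator: NotIn
                    values:
                      - virtual-kubelet
                  - key: k8s.aliyun.com
                    operator: NotIn
                    values:
                      - "true"
      containers:
        - args:
            - /nginx-ingress-controller
            - --election-id=ingress-controller-leader-nginx
            - --ingress-class=nginx
            - --watch-ingress-without-class
            - --controller-class=k8s.io/ingress-nginx
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --annotations-prefix=nginx.ingress.kubernetes.io
            - --publish-service=$(POD_NAMESPACE)/nginx-ingress-lb
            # Admission webhook; the TLS material comes from the
            # ingress-nginx-admission secret mounted read-only below.
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
            - --enable-metrics=false
            - --v=2
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          image: registry-cn-hangzhou.ack.aliyuncs.com/acs/aliyun-ingress-controller:v1.9.3-aliyun.1
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
          name: nginx-ingress-controller
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
          # resources:
          #   limits:
          #     cpu: 1
          #     memory: 2G
          #   requests:
          #     cpu: 1
          #     memory: 2G
          securityContext:
            # Runs as the unprivileged uid 101 with every capability dropped
            # except NET_BIND_SERVICE, which is what lets it bind 80/443.
            # allowPrivilegeEscalation stays true as shipped with this image;
            # TODO(review) confirm whether this image still needs it.
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            # if get 'mount: mounting rw on /proc/sys failed: Permission denied', use:
            # privileged: true
            # procMount: Default
            # runAsUser: 0
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
            - mountPath: /etc/localtime
              name: localtime
              readOnly: true
      # With hostNetwork: true a plain ClusterFirst policy falls back to the
      # node's resolver; ClusterFirstWithHostNet keeps cluster DNS available
      # to the pod.
      dnsPolicy: ClusterFirstWithHostNet
      initContainers:
        # Privileged, root, SYS_ADMIN: needed to remount /proc/sys rw and
        # write sysctls. The guard skips everything when the pod shares the
        # host network namespace (hostNetwork: true gives POD_IP == HOST_IP),
        # so with the DaemonSet settings above this container is effectively
        # a no-op. When the branch does run, kernel.core_uses_pid is not a
        # namespaced sysctl, so it changes the host-wide setting.
        - command:
            - /bin/sh
            - -c
            - |
              if [ "$POD_IP" != "$HOST_IP" ]; then
                mount -o remount rw /proc/sys
                sysctl -w net.core.somaxconn=65535
                sysctl -w net.ipv4.ip_local_port_range="1024 65535"
                sysctl -w kernel.core_uses_pid=0
              fi
          env:
            - name: POD_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.hostIP
          image: registry.cn-shanghai.aliyuncs.com/acs/busybox:v1.29.2
          imagePullPolicy: IfNotPresent
          name: init-sysctl
          resources:
            limits:
              cpu: 100m
              memory: 70Mi
            requests:
              cpu: 100m
              memory: 70Mi
          securityContext:
            capabilities:
              add:
                - SYS_ADMIN
              drop:
                - ALL
            # if get 'mount: mounting rw on /proc/sys failed: Permission denied', use:
            privileged: true
            procMount: Default
            runAsUser: 0
      # Node selector: the DaemonSet only lands on nodes carrying this label.
      # Choose the nodes with:
      #   kubectl label node xx.xx.xx.xx boge/ingress-controller-ready=true
      #   kubectl get node --show-labels
      # and remove the label again with:
      #   kubectl label node xx.xx.xx.xx boge/ingress-controller-ready-
      nodeSelector:
        boge/ingress-controller-ready: "true"
      priorityClassName: system-node-critical
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      # serviceAccount is a deprecated alias of serviceAccountName and is
      # filled in by the API server, so only the canonical field is set.
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      # Taints: dedicate the chosen nodes to the controller with
      #   kubectl taint nodes xx.xx.xx.xx boge/ingress-controller-ready="true":NoExecute
      # and remove the taint again with
      #   kubectl taint nodes xx.xx.xx.xx boge/ingress-controller-ready:NoExecute-
      # Tolerations: a bare `operator: Exists` with no key or effect tolerates
      # every taint, including node.kubernetes.io/not-ready and unreachable.
      # The commented form below scopes it to the dedicated-node taint only.
      tolerations:
        - operator: Exists
      # tolerations:
      #   - effect: NoExecute
      #     key: boge/ingress-controller-ready
      #     operator: Equal
      #     value: "true"
      volumes:
        - name: webhook-cert
          secret:
            # 420 decimal == 0644
            defaultMode: 420
            secretName: ingress-nginx-admission
        - hostPath:
            path: /etc/localtime
            type: File
          name: localtime
---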