Before the main containers start, a Pod can also run init containers. Their defining property is that if an init container fails, the main containers that follow it will not run.

There can be multiple init containers; they run one after another, and only when all init containers have completed do the main containers start.

In the earlier post start hook example, requests arriving on port 8080 had to be redirected to port 80, so the main container had to be granted privileged status in order to apply the iptables rule in postStart. But once the rule was in place, the main container kept its privileged permissions for its whole lifetime, which is unreasonable.

So we can move the operation that needs elevated privileges into an init container, which exits as soon as it finishes, so that the main container never holds special permissions.

Init container example

1. Write the manifest

root@k8s-master01:~/yaml/chapter04# vim init-container-demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: init-container-demo
  namespace: default
spec:
  initContainers:
  - name: iptables-init
    image: ikubernetes/admin-box:latest
    imagePullPolicy: IfNotPresent
    command: ['/bin/sh','-c']
    args: ['iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80']
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
  containers:
  - name: demoapp
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    ports:
    - name: http
      containerPort: 80

2. Apply the manifest

root@k8s-master01:~/yaml/chapter04# kubectl apply -f init-container-demo.yaml
pod/init-container-demo created

root@k8s-master01:~/yaml/chapter04# kubectl get pods init-container-demo -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
init-container-demo 1/1 Running 0 60s 10.244.3.20 k8s-node03 <none> <none>

3. Test

# Running iptables inside the main container fails: it has no permission
root@k8s-master01:~/yaml/chapter04# kubectl exec init-container-demo -- iptables -t nat -nvL
Defaulted container "demoapp" out of: demoapp, iptables-init (init)
iptables v1.8.3 (legacy): can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
command terminated with exit code 3

# Requests to the container's port 8080 are redirected to port 80 as expected
root@k8s-master01:~/yaml/chapter04# curl 10.244.3.20:8080
iKubernetes demoapp v1.0 !! ClientIP: 10.244.0.0, ServerName: init-container-demo, ServerIP: 10.244.3.20!
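As an added check that is not part of this post, the following Python script (standard library only) audits a Pod spec for elevated privileges held by long-running containers. It embeds two constructed manifests: one mirroring the earlier postStart approach, where the main container itself is privileged, and one mirroring init-container-demo.yaml above. Only the first is flagged, because NET_ADMIN granted to the init container does not outlive it. The capability list and the pod names are assumptions.

```python
import json

# Capabilities treated as host-level control (constructed, non-exhaustive list)
ELEVATED_CAPS = {"NET_ADMIN", "SYS_ADMIN", "SYS_PTRACE", "ALL"}

# Constructed manifest mirroring the earlier postStart-hook approach: the
# long-running container is privileged so that its hook can run iptables.
POSTSTART_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "poststart-demo"},
 "spec": {"containers": [
   {"name": "demoapp", "image": "ikubernetes/demoapp:v1.0",
    "securityContext": {"privileged": true}}]}}
""")

# Constructed manifest mirroring init-container-demo.yaml from this post.
INIT_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "init-container-demo"},
 "spec": {
   "initContainers": [
     {"name": "iptables-init", "image": "ikubernetes/admin-box:latest",
      "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}],
   "containers": [
     {"name": "demoapp", "image": "ikubernetes/demoapp:v1.0"}]}}
""")

def elevations(container):
    """Return the set of elevated privileges a container spec requests."""
    sc = container.get("securityContext") or {}
    caps = (sc.get("capabilities") or {}).get("add") or []
    found = {cap for cap in caps if cap in ELEVATED_CAPS}
    if sc.get("privileged"):
        found.add("privileged")
    return found

def audit_pod(pod):
    """List (container, privilege) pairs for long-running containers only.

    initContainers are deliberately skipped: they exit before the main
    containers start, so privileges granted there do not persist."""
    findings = []
    for c in pod["spec"].get("containers", []):
        for priv in sorted(elevations(c)):
            findings.append((c["name"], priv))
    return findings

if __name__ == "__main__":
    for pod in (POSTSTART_POD, INIT_POD):
        print(pod["metadata"]["name"], audit_pod(pod))
```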