openshift常用命令(转载)

完颜振江

已于 2023-09-26 13:19:13 修改

阅读量1k

点赞数

文章标签： openshift docker 运维

于 2022-09-20 10:02:13 首次发布

本文提供了一份全面的OpenShift命令指南，覆盖了从集群管理到资源操作的各项常用指令。包括节点管理、Pod操作、资源配置等关键内容，适用于OpenShift集群的日常运维与开发工作。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

oc get nodes //获取集群所有节点
oc describe node node-name //查看对应节点详细信息，可以看到运行在该节点下的pod
oc get pods -n namespace-name //查看对应namespace下pod
oc get all //查看当前project下的所有资源
oc status //查看登录在哪个project下
oc get pods -o wide -n namespace-name //查看对应namespace下pod详情
oc describe pod pod-name -n namespace-name //查看pod详细信息
oc get limitrange -n namespace-name //获取对应namespace的limitrange配置文件
oc describe limitrange limitrange.config -n namespace-name //查看配置文件详情
oc edit limitrange limitrange.config -n namespace-name //修改limitrange配置
oc project project-name //切换到project
oc adm policy add-scc-to-user anyuid -z default //为该project下default账户开启anyuid，
可以使用root权限，一般是安装/运行某些软件时需要
oc adm policy remove-scc-from-user anyuid -z default //删除default的anyuid权限
oc get pod //查看该project下的pod
oc get service //查看该project下的service
oc get endpoints //查看该project下的Endpoints
oc delete pod pod-name -n namespace-name //重启pod
oc rollout history DeploymentConfig/dc-name //查看dc历史版本
oc rollout history DeploymentConfig/dc-name --revision=5 //回滚到5版本
oc scale dc pod-name --replicas=3 -n namespace //设置副本数为3
oc autoscale dc dc-name --min=2 --max=10 --cpu-percent=80 //设置自动伸缩最小2，最大10
oc get scc //查看scc
oc describe scc anyuid //查看anyuid详细信息,user即包含已经开启anyuid的project
oc describe clusterrole.rbac //查看集群管理员角色及权限
oc describe clusterrolebinding.rbac //查看用户组及绑定的角色
oc adm policy add-cluster-role-to-user cluster-admin username //添加username为cluster-admin
oc get routes --all-namespaces //查看所有namespace的route
oc logs -f pod-name //查看pod log
docker ps -a|grep pod-name //查看pod对应containerID
docker exec -it containerID /bin/sh //登录到container
oc new-project my-project //创建project
oc new-app https://github.com/sclorg/cakephp-ex //创建APP
oc status //查看当前项目状态
oc api-resources //查看server支持的api资源
oc adm must-gather //收集当前集群的状态信息
oc adm top pods //查看pod资源状态
oc adm top node //查看节点资源状态
oc adm top images //查看images使用情况
oc adm cordon node1 //标记node1为SchedulingDisabled
oc adm manage-node <node1> --schedulable = false //标记node1为unschedulable
oc adm manage-node node1 --schedulable //标记node1为schedulable
oc adm drain node1 //将node1进入维护模式
oc delete node //删除node
oc adm node-logs --role master -u NetworkManager.service //获取节点网络日志
oc get csr //查询CSR(certificate signing requests)
oc adm certificate approve csr-name //approve CSR
oc adm certificate deny csr_name //拒掉csr
oc get csr|xargs oc adm certificate approve csr //approve所有csr
echo 'openshift_master_bootstrap_auto_approve=true' >> /etc/ansible/hosts //设置自动approve csr
oc get project projectname //get project
oc describe project projectname //查看project信息
oc get pod pod-name -o yaml //查看pod-name yaml文件
oc get nodes --show-labels //查看节点label
oc label nodes node-name label-key=label-value //给node添加标签，pod也要有对应label（在第二层spec下添加nodeSelector），pod就会运行在指定的node上
oc label nodes node-name key=new-value --overwrite //更新指定key值的label
oc label nodes node-name key- //删除指定key值的label
oadm manage-node node-name --list-pods //查看运行在某node上的所有pod
oadm manage-node node-name --schedulable=false //mark node as unschedulable
oc get svc //查看service
oc patch dc dc-name -p '{"spec":{"template":{"spec":{"containers":[{"name":"dc-name","securityContext":{"runAsUser": 1000160000}}],"securityContext":{"runAsUser": 1000160000,"fsGroup": 1000160000}}}}}'   //修改dc-name yaml文件
oc login --token=iz56jscHZp9mSN3kHzjayaEnNo0DMI_nRlaiJyFmN74 --server=https://console.qa.c.sm.net:8443 //使用命令行登录openshift，token是用你自己的账户在登录网址时生成的token
oc rsh -t //查看token
oc rsh pod-name //使用命令行登录pod
oc whoami --show-server //查看当前登录的服务地址
oc whoami //查看当前登录账户
oc get dc -n namespace //查看deployment config
oc get deploy -n namespace //查看deploy
oc edit deploy/deployname -o yaml -n namespace //编辑deploy yaml文件
oc get cronjob //查看cronjob
oc edit cronjob/cronjob-name -n namespace-name //编辑cronjob
oc describe cm/configmap-name -n namespace-name //查看cronjob
oc get configmap -n namespace-name //查询configmap
oc get cm -n namespace-name //查询configmap
cat /etc/origin/master/master-config.yaml|grep cidr //查看集群pod网段规划
oc edit vm appmngr54321-poc-msltoibh -n appmngr54321-poc -o yaml //编辑VM yaml文件
oc serviceaccounts get-token sa-name //获取sa-name的token
oc login url --token=token //使用token登录
oc scale deployment deployment-name --replicas 5 //扩展pod副本数量
oc config view //查看config
TOKEN=(𝑜𝑐𝑔𝑒𝑡𝑠𝑒𝑐𝑟𝑒𝑡(ocgetsecret(oc get serviceaccount default -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 --decode ) //get token
APISERVER=(𝑜𝑐𝑐𝑜𝑛𝑓𝑖𝑔𝑣𝑖𝑒𝑤−−𝑚𝑖𝑛𝑖𝑓𝑦−𝑜𝑗𝑠𝑜𝑛𝑝𝑎𝑡ℎ=′.𝑐𝑙𝑢𝑠𝑡𝑒𝑟𝑠[0].𝑐𝑙𝑢𝑠𝑡𝑒𝑟.𝑠𝑒𝑟𝑣𝑒𝑟′)//𝑔𝑒𝑡𝑎𝑝𝑖𝑠𝑒𝑟𝑣𝑒𝑟𝑐𝑢𝑟𝑙(occonfigview−−minify−ojsonpath=′.clusters[0].cluster.server′)//getapiservercurlAPISERVER/api --header "Authorization: Bearer 𝑇𝑂𝐾𝐸𝑁"−−𝑖𝑛𝑠𝑒𝑐𝑢𝑟𝑒//𝑐𝑢𝑟𝑙𝐴𝑃𝐼𝑜𝑐𝑎𝑝𝑖−𝑣𝑒𝑟𝑠𝑖𝑜𝑛𝑠//𝑔𝑒𝑡𝑎𝑝𝑖𝑣𝑒𝑟𝑠𝑖𝑜𝑛𝑠𝑜𝑐𝑎𝑝𝑖−𝑟𝑒𝑠𝑜𝑢𝑟𝑐𝑒𝑠//𝑔𝑒𝑡𝑎𝑝𝑖−𝑟𝑒𝑠𝑜𝑢𝑟𝑐𝑒𝑠𝑜𝑐𝑔𝑒𝑡ℎ𝑝𝑎−−𝑎𝑙𝑙−𝑛𝑎𝑚𝑒𝑠𝑝𝑎𝑐𝑒𝑠//查询𝐻𝑃𝐴𝑜𝑐𝑑𝑒𝑠𝑐𝑟𝑖𝑏𝑒ℎ𝑝𝑎/ℎ𝑝𝑎𝑛𝑎𝑚𝑒−𝑛𝑛𝑎𝑚𝑒𝑠𝑝𝑎𝑐𝑒//查看𝐻𝑃𝐴，可以看到𝑀𝑒𝑡𝑟𝑖𝑐𝑠，𝐸𝑣𝑒𝑛𝑡𝑠𝑜𝑐𝑐𝑟𝑒𝑎𝑡𝑒𝑠𝑒𝑟𝑣𝑖𝑐𝑒𝑎𝑐𝑐𝑜𝑢𝑛𝑡𝑐𝑎𝑙𝑙𝑒𝑟//创建𝑠𝑎𝑜𝑐𝑎𝑑𝑚𝑝𝑜𝑙𝑖𝑐𝑦𝑎𝑑𝑑−𝑐𝑙𝑢𝑠𝑡𝑒𝑟−𝑟𝑜𝑙𝑒−𝑡𝑜−𝑢𝑠𝑒𝑟𝑐𝑙𝑢𝑠𝑡𝑒𝑟−𝑎𝑑𝑚𝑖𝑛−𝑧𝑐𝑎𝑙𝑙𝑒𝑟//赋予𝑐𝑙𝑢𝑠𝑡𝑒𝑟−𝑎𝑑𝑚𝑖𝑛权限𝑜𝑐𝑠𝑒𝑟𝑣𝑖𝑐𝑒𝑎𝑐𝑐𝑜𝑢𝑛𝑡𝑠𝑔𝑒𝑡−𝑡𝑜𝑘𝑒𝑛𝑐𝑎𝑙𝑙𝑒𝑟//𝑔𝑒𝑡𝑠𝑎𝑡𝑜𝑘𝑒𝑛𝑒𝑐ℎ𝑜TOKEN"−−insecure//curlAPIocapi−versions//getapiversionsocapi−resources//getapi−resourcesocgethpa−−all−namespaces//查询HPAocdescribehpa/hpaname−nnamespace//查看HPA，可以看到Metrics，Eventsoccreateserviceaccountcaller//创建saocadmpolicyadd−cluster−role−to−usercluster−admin−zcaller//赋予cluster−admin权限ocserviceaccountsget−tokencaller//getsatokenechoKUBECONFIG //获取kubeconfig文件位置
oc get cm --all-namespaces -l app=deviation //根据labelselector筛选cm
oc describe PodMetrics podname //查询pod CPU/mem usage，openshift4.X适用
oc api-resources -o wide   //查看shortnames、apiGroup、verbs
oc delete pod --selector logging-infra=fluentd //按selector删除
oc get pods -n logger -w //watch 某个pod状态
oc whoami //查看当前登录账户
oc explain pv.spec //查看资源对象的定义
oc get MutatingWebhookConfiguration   //查看MutatingWebhook
oc get ValidatingWebhookConfiguration //查看ValidatingWebhook
oc annotate validatingwebhookconfigurations <validating_webhook_name> service.beta.openshift.io/inject-cabundle=true   //给validatingwebhook注入CA
oc annotate mutatingwebhookconfigurations <mutating_webhook_name> service.beta.openshift.io/inject-cabundle=true   //给mutatingwebhook注入CA

oc get secrets/signing-key -n openshift-service-ca \
     -o template='{{index .data "tls.crt"}}' \
     | base64 -d \
     | openssl x509 -noout -enddate
//查看当前服务 CA 证书的到期日期
oc delete secret/signing-key -n openshift-service-ca //手动更新该服务证书

for I in (𝑜𝑐𝑔𝑒𝑡𝑛𝑠−𝑜𝑗𝑠𝑜𝑛𝑝𝑎𝑡ℎ=′𝑟𝑎𝑛𝑔𝑒.𝑖𝑡𝑒𝑚𝑠[∗].𝑚𝑒𝑡𝑎𝑑𝑎𝑡𝑎.𝑛𝑎𝑚𝑒"\n"𝑒𝑛𝑑′); 𝑑𝑜𝑜𝑐𝑑𝑒𝑙𝑒𝑡𝑒𝑝𝑜𝑑𝑠−−𝑎𝑙𝑙−𝑛(ocgetns−ojsonpath=′range.items[∗].metadata.name"\n"end′); doocdeletepods−−all−nI; \
      sleep 1; \
      done
//将新证书应用到所有服务，请重启集群中的所有 pod

oc annotate crd <crd_name> \

service.beta.openshift.io/inject-cabundle=true   //给CRD注入CA
oc annotate apiservice <api_service_name> service.beta.openshift.io/inject-cabundle=true   //给apiservice 注入CA
oc annotate configmap <config_map_name> service.beta.openshift.io/inject-cabundle=true   //给configmap 注入CA
oc annotate service <service_name> service.beta.openshift.io/serving-cert-secret-name=<secret_name>   //给service 添加服务证书
oc get pv --selector=='path=testforocp' //根据label查询pv

# oc get --raw "/apis/metrics.k8s.io/v1beta1" | jq .
{
"kind": "APIResourceList",
"apiVersion": "v1",
"groupVersion": "metrics.k8s.io/v1beta1",
"resources": [
    {
      "name": "nodes",
      "singularName": "",
      "namespaced": false,
      "kind": "NodeMetrics",
      "verbs": [
        "get",
        "list"
      ]
    },
    {
      "name": "pods",
      "singularName": "",
      "namespaced": true,
      "kind": "PodMetrics",
      "verbs": [
        "get",
        "list"
      ]
    }
]
}