mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
218 lines
4.6 KiB
Plaintext
218 lines
4.6 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * nodes/nodes-scheduler-node-affinity.adoc
|
|
|
|
:_mod-docs-content-type: REFERENCE
|
|
[id="nodes-scheduler-pod-affinity-example_{context}"]
|
|
= Sample pod affinity and anti-affinity rules
|
|
|
|
The following examples demonstrate pod affinity and pod anti-affinity.
|
|
|
|
[id="nodes-scheduler-pod-affinity-example-affinity_{context}"]
|
|
== Pod Affinity
|
|
|
|
The following example demonstrates pod affinity for pods with matching labels and label selectors.
|
|
|
|
* The pod *team4* has the label `team:4`.
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: team4
|
|
labels:
|
|
team: "4"
|
|
# ...
|
|
spec:
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
containers:
|
|
- name: ocp
|
|
image: docker.io/ocpqe/hello-pod
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop: [ALL]
|
|
# ...
|
|
----
|
|
|
|
* The pod *team4a* has the label selector `team:4` under `podAffinity`.
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: team4a
|
|
# ...
|
|
spec:
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
affinity:
|
|
podAffinity:
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
- labelSelector:
|
|
matchExpressions:
|
|
- key: team
|
|
operator: In
|
|
values:
|
|
- "4"
|
|
topologyKey: kubernetes.io/hostname
|
|
containers:
|
|
- name: pod-affinity
|
|
image: docker.io/ocpqe/hello-pod
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop: [ALL]
|
|
# ...
|
|
----
|
|
|
|
* The *team4a* pod is scheduled on the same node as the *team4* pod.
|
|
|
|
[id="nodes-scheduler-pod-affinity-example-antiaffinity_{context}"]
|
|
== Pod Anti-affinity
|
|
|
|
The following example demonstrates pod anti-affinity for pods with matching labels and label selectors.
|
|
|
|
* The pod *pod-s1* has the label `security:s1`.
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: pod-s1
|
|
labels:
|
|
security: s1
|
|
# ...
|
|
spec:
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
containers:
|
|
- name: ocp
|
|
image: docker.io/ocpqe/hello-pod
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop: [ALL]
|
|
# ...
|
|
----
|
|
|
|
* The pod *pod-s2* has the label selector `security:s1` under `podAntiAffinity`.
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: pod-s2
|
|
# ...
|
|
spec:
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
affinity:
|
|
podAntiAffinity:
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
- labelSelector:
|
|
matchExpressions:
|
|
- key: security
|
|
operator: In
|
|
values:
|
|
- s1
|
|
topologyKey: kubernetes.io/hostname
|
|
containers:
|
|
- name: pod-antiaffinity
|
|
image: docker.io/ocpqe/hello-pod
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop: [ALL]
|
|
# ...
|
|
----
|
|
|
|
* The pod *pod-s2* cannot be scheduled on the same node as `pod-s1`.
|
|
|
|
[id="nodes-scheduler-pod-affinity-example-no-labels_{context}"]
|
|
== Pod Affinity with no Matching Labels
|
|
|
|
The following example demonstrates pod affinity for pods without matching labels and label selectors.
|
|
|
|
* The pod *pod-s1* has the label `security:s1`.
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: pod-s1
|
|
labels:
|
|
security: s1
|
|
# ...
|
|
spec:
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
containers:
|
|
- name: ocp
|
|
image: docker.io/ocpqe/hello-pod
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop: [ALL]
|
|
# ...
|
|
----
|
|
|
|
* The pod *pod-s2* has the label selector `security:s2`.
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: pod-s2
|
|
# ...
|
|
spec:
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
affinity:
|
|
podAffinity:
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
- labelSelector:
|
|
matchExpressions:
|
|
- key: security
|
|
operator: In
|
|
values:
|
|
- s2
|
|
topologyKey: kubernetes.io/hostname
|
|
containers:
|
|
- name: pod-affinity
|
|
image: docker.io/ocpqe/hello-pod
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop: [ALL]
|
|
# ...
|
|
----
|
|
|
|
* The pod *pod-s2* is not scheduled unless there is a node with a pod that has the `security:s2` label. If there is no other pod with that label, the new pod remains in a pending state:
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
NAME READY STATUS RESTARTS AGE IP NODE
|
|
pod-s2 0/1 Pending 0 32s <none>
|
|
----
|