# OpenShift: How to make a Deployment's pods run on specific nodes without changing the Deployment's configuration

## Step 1: Create the Project (Namespace) test

```
oc new-project test
```

## Step 2: Label the worker nodes; the label is used later as the Pod scheduling condition

```
oc label node worker-1 app=nginx
oc label node worker-3 app=nginx
```

## Step 3: Apply a nodeSelector at the Namespace level; every Pod in the Namespace that does not specify a nodeSelector automatically picks up this condition

```
oc annotate namespace test openshift.io/node-selector="app=nginx"
```

> If a Pod specifies its own `nodeSelector`, it is not affected.

## Step 4 (optional): Allow the Namespace's default ServiceAccount to use the anyuid SCC, so the app container can run as root (UID 0)

```
oc adm policy add-scc-to-user anyuid -z default -n test
```

## Step 5 (optional): Set the namespace-level PSA

```
# Label namespace "test" with the Pod Security Audit level "privileged"
oc label namespace test \
  pod-security.kubernetes.io/audit=privileged \
  --overwrite
```

```
# Label namespace "test" with the Pod Security Warn level "privileged"
oc label namespace test \
  pod-security.kubernetes.io/warn=privileged \
  --overwrite
```

## Step 6: Create a test NGINX Deployment and set runAsUser: 0 in the PodSpec so that NGINX starts as root

```
echo 'apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: test
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: docker.io/library/nginx
        ports:
        - containerPort: 80
      securityContext:
        runAsUser: 0' | oc apply -f -
```

## Step 7: Check which nodes the Pods run on and their status, and confirm that all of them were scheduled onto Nodes carrying the app=nginx label

```
oc get pods -o wide
```

Output:

```
NAME                     READY   STATUS    RESTARTS   AGE   IP            NODE       NOMINATED NODE   READINESS GATES
nginx-77979fb7f9-6hh44   1/1     Running   0          9s    10.130.0.15   worker-3   <none>           <none>
nginx-77979fb7f9-nf6wg   1/1     Running   0          9s    10.128.2.98   worker-1   <none>           <none>
nginx-77979fb7f9-xz24w   1/1     Running   0          9s    10.130.0.16   worker-3   <none>           <none>
```

## Step 8: Clean up the environment

```
oc annotate namespace test openshift.io/node-selector-
oc delete deploy nginx
oc adm policy remove-scc-from-user anyuid -z default -n test
oc label node worker-1 app-
oc label node worker-3 app-
oc delete project test
```
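
The Step 7 check can be scripted instead of read by eye. The following is an added example, not part of the original page: it reads an `oc get pods -o wide` table and lists every pod running on a node outside the labeled set. The function names `misplaced_pods` and `sample_pods`, and the sample row `constructed-pod-1` on `worker-2`, are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
# Live use, with real oc flags:
#   oc get pods -n test -o wide | misplaced_pods $(oc get nodes -l app=nginx -o name)

# misplaced_pods NODE...: reads an `oc get pods -o wide` table on stdin and
# prints "<pod> <node>" for every pod whose node is not in the NODE arguments.
misplaced_pods() {
    ALLOWED="$*" awk '
        BEGIN {
            # Allowed nodes come from the arguments; accept "node/<name>" too.
            n = split(ENVIRON["ALLOWED"], names, " ")
            for (i = 1; i <= n; i++) { sub(/^node\//, "", names[i]); ok[names[i]] = 1 }
        }
        # Header row: remember where the NODE column starts. index() returns
        # the first match, so "NOMINATED NODE" further right is not picked.
        NR == 1 { pos = index($0, " NODE"); next }
        # Data rows: read the node by column offset, not by field number,
        # because RESTARTS values such as "1 (3m ago)" contain spaces.
        pos > 0 && NF {
            split(substr($0, pos + 1), f, " ")
            if (!(f[1] in ok)) print $1, f[1]
        }
    '
}

# Constructed sample: the three pods from Step 7 plus one constructed pod
# on worker-2, which does not carry the app=nginx label.
sample_pods() {
    fmt='%-24s %-6s %-8s %-12s %-4s %-12s %-9s %-15s %s\n'
    printf "$fmt" NAME READY STATUS RESTARTS AGE IP NODE 'NOMINATED NODE' 'READINESS GATES'
    printf "$fmt" nginx-77979fb7f9-6hh44 1/1 Running 0 9s 10.130.0.15 worker-3 '<none>' '<none>'
    printf "$fmt" nginx-77979fb7f9-nf6wg 1/1 Running 0 9s 10.128.2.98 worker-1 '<none>' '<none>'
    printf "$fmt" nginx-77979fb7f9-xz24w 1/1 Running 0 9s 10.130.0.16 worker-3 '<none>' '<none>'
    printf "$fmt" constructed-pod-1 1/1 Running '1 (3m ago)' 5m 10.129.0.20 worker-2 '<none>' '<none>'
}

# Demo on the constructed sample: only the worker-2 pod is reported.
sample_pods | misplaced_pods worker-1 worker-3
```

Empty output means every pod in the table sits on a labeled node, so the script can gate a pipeline step on `[ -z "$(...)" ]`.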