diff --git a/.idea/workspace.xml b/.idea/workspace.xml
index 09e94a3..efca515 100644
--- a/.idea/workspace.xml
+++ b/.idea/workspace.xml
@@ -23,12 +23,14 @@
   </component>
   <component name="ChangeListManager">
     <list default="true" id="324ab38d-4c70-4233-93c6-a05922f326a0" name="Default Changelist" comment="提交笔记">
+      <change afterPath="$PROJECT_DIR$/note/Kubernetes/常用服务部署.md" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/README.md" beforeDir="false" afterPath="$PROJECT_DIR$/README.md" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/note/Kubernetes/k8s常用操作命令.md" beforeDir="false" afterPath="$PROJECT_DIR$/note/Kubernetes/k8s常用操作命令.md" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/note/Kubernetes/k8s-Deployment.md" beforeDir="false" afterPath="$PROJECT_DIR$/note/Kubernetes/k8s-Deployment.md" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/note/Kubernetes/k8s-Service.md" beforeDir="false" afterPath="$PROJECT_DIR$/note/Kubernetes/k8s-Service.md" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/note/Kubernetes/k8s-pod.md" beforeDir="false" afterPath="$PROJECT_DIR$/note/Kubernetes/k8s-pod.md" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/note/Kubernetes/volume.md" beforeDir="false" afterPath="$PROJECT_DIR$/note/Kubernetes/volume.md" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/note/MySQL/MySQL-常用配置.md" beforeDir="false" afterPath="$PROJECT_DIR$/note/MySQL/MySQL-常用配置.md" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/note/cdh/Centos7.7-CDH6.2.1安装教程.md" beforeDir="false" afterPath="$PROJECT_DIR$/note/cdh/Centos7.7-CDH6.2.1安装教程.md" afterDir="false" />
     </list>
     <option name="SHOW_DIALOG" value="false" />
     <option name="HIGHLIGHT_CONFLICTS" value="true" />
@@ -126,13 +128,6 @@
       <workItem from="1592910045624" duration="27000" />
       <workItem from="1592910168547" duration="597000" />
     </task>
-    <task id="LOCAL-00107" summary="提交笔记">
-      <created>1610690401523</created>
-      <option name="number" value="00107" />
-      <option name="presentableId" value="LOCAL-00107" />
-      <option name="project" value="LOCAL" />
-      <updated>1610690401523</updated>
-    </task>
     <task id="LOCAL-00108" summary="提交笔记">
       <created>1610888572376</created>
       <option name="number" value="00108" />
@@ -469,7 +464,14 @@
       <option name="project" value="LOCAL" />
       <updated>1637771271653</updated>
     </task>
-    <option name="localTasksCounter" value="156" />
+    <task id="LOCAL-00156" summary="提交笔记">
+      <created>1642523469557</created>
+      <option name="number" value="00156" />
+      <option name="presentableId" value="LOCAL-00156" />
+      <option name="project" value="LOCAL" />
+      <updated>1642523469558</updated>
+    </task>
+    <option name="localTasksCounter" value="157" />
     <servers />
   </component>
   <component name="TimeTrackingManager">
diff --git a/README.md b/README.md
index 916849a..db05360 100644
--- a/README.md
+++ b/README.md
@@ -381,6 +381,7 @@
 
 * [CentOS7 YUM安装 docker](note/docker/CentOS7安装Docker.md)
 * [CentOS7 离线安装 docker](note/docker/CentOS7离线安装Docker.md)
+* [CentOS7 降级 Docker](note/docker/CentOS7降级Docker.md)
 * [Docker 常用命令](note/docker/Docker常用命令.md)
 * [Docker 镜像](note/docker/Docker镜像.md)
 * [Docker 容器数据卷](note/docker/Docker容器数据卷.md)
@@ -409,9 +410,10 @@
 * [Kubernetes 部署 Dashboard](note/Kubernetes/k8s-dashboard.md)
 * [Kubernetes 工作负载 | Pod实践](note/Kubernetes/k8s-pod.md)
 * [Kubernetes 工作负载 | Deployment实践](note/Kubernetes/k8s-Deployment.md)
-* [Kubernetes 工作负载 | Service实践](note/Kubernetes/k8s-Service.md)
+* [Kubernetes 工作负载 | 服务网络和负载均衡](note/Kubernetes/k8s-Service.md)
 * [Kubernetes 工作负载 | RS、RC、DaemonSet、StatefulSet、Job、CronJob实践](note/Kubernetes/k8s-RS&RC.md)
 * [Kubernetes 存储 | 卷的实践](note/Kubernetes/volume.md)
+* [Kubernetes 常用服务部署](note/Kubernetes/常用服务部署.md)
 * [Kubernetes label](note/Kubernetes/k8s-label.md)
 * [Kubernetes Volume挂载相关](note/Kubernetes/k8s-Volume.md)
 * [Kubernetes 特殊 Volume](note/Kubernetes/k8s-特殊Volume.md)
diff --git a/note/Kubernetes/k8s-Deployment.md b/note/Kubernetes/k8s-Deployment.md
index 4421da5..223fcdb 100644
--- a/note/Kubernetes/k8s-Deployment.md
+++ b/note/Kubernetes/k8s-Deployment.md
@@ -369,7 +369,22 @@ $ kubectl rollout undo deployment deployment-test -n day11
 $ kubectl rollout undo deployment deployment-test -n day11 -to-revision=1
 ```
 
-# 五、比例缩放
+# 五、deployment 更新策略
+
+当升级 deployment 时，可以使用 `.spec.strategy` 指定新 Pod 替换旧 Pod 的策略。
+
+`.spec.strategy.type` 可以是 `Recreate` 或 `RollingUpdate`。`RollingUpdate` 是默认值。
+
+
+
+## 5.1 Recreate 重新创建
+
+如果 `.spec.strategy.type==Recreate`，在创建新 Pods 之前，所有现有的 Pods 会被杀死。
+
+## 5.2 RollingUpdate 滚动更新
+
+`.spec.strategy.type==RollingUpdate` 有两个参数:  `maxSurge`, `maxUnavailable`
+
 ```yaml
 apiVersion: apps/v1
 kind: Deployment
diff --git a/note/Kubernetes/k8s-Service.md b/note/Kubernetes/k8s-Service.md
index 3f285a9..a48928d 100644
--- a/note/Kubernetes/k8s-Service.md
+++ b/note/Kubernetes/k8s-Service.md
@@ -63,102 +63,147 @@ Kubernetes 网络解决了四类问题:
 
 
 
-# 二、Service 基础概念
+
+
+# 二、Service
+
+## 2.1 Service 基础概念
 
 - Service 可以让一组 Pod 可以被别人进行服务发现（Service 选择 一组 Pod）。别人只需要访问这个 Service 就可以访问到被选中的 Pod。
 - Service 还会基于 Pod 的探针机制(ReadinessProbe: 就绪探针)完成 Pod 的自动剔除和上线工作。
 - Service 即使是无头服务，不能通过 Ip 访问，但是还是可以用 Service 名当域名访问。
 - Service 的名字还能当成域名被 Pod 解析。
 
+## 2.2 常用 Service 类型
 
-
-
-# 二、常用 Service 类型
-- ExternalName：通过返回 `CNAME` 和对应值，可以将服务映射到 `externalName` 字段的内容；(例如: aaa.bar.example.com.cn)。无需创建任何类型的代理；
-- ClusterIP(默认): 通过集群的内部Ip 暴露服务，选择该值时，服务只能在集群内部访问；
-- NodePort: 通过每个节点上的IP 和 静态端口(`NodePort`)暴露服务，`NodePort` 服务会路由到自动创建的 `ClusterIP` 服务。通过请求 `节点IP:节点端口`可以从集群外部访问一个 `NodePort` 服务；
+- `ExternalName`：通过返回 `CNAME` 和对应值，可以将服务映射到 `externalName` 字段的内容；(例如: aaa.bar.example.com.cn)。无需创建任何类型的代理；
+- `ClusterIP(默认)`: 通过集群的内部Ip 暴露服务，选择该值时，服务只能在集群内部访问；
+- `NodePort`: 通过每个节点上的IP 和 静态端口(`NodePort`)暴露服务，`NodePort` 服务会路由到自动创建的 `ClusterIP` 服务。通过请求 `节点IP:节点端口`可以从集群外部访问一个 `NodePort` 服务；
   - NodePort 端口由 kube-proxy 在机器上开
   - 机器ip+暴露的 NodePort 流量先来到 kube-proxy
-- LoadBalancer: 使用云提供商的负载均衡器向外部暴露服务，外部负载均衡器可以将流量路由到自动创建的 `NodePort` 服务和 `ClusterIP` 服务上；
+- `LoadBalancer`: 使用云提供商的负载均衡器向外部暴露服务，外部负载均衡器可以将流量路由到自动创建的 `NodePort` 服务和 `ClusterIP` 服务上；
 
-# 三、简单的 Service 案例
+## 2.3 简单的 Service 案例
 
 ```yaml
 $ vi service01.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: my-deploy
+  namespace: svc
+spec:
+  selector:
+    matchLabels:
+      app: my-deploy
+  replicas: 1
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: my-deploy
+    spec:
+      containers:
+      - name: my-deploy
+        image: nginx
+        ports:
+        - containerPort:  80
+          name: my-nginx
+      - name: my-redis
+        image: redis
+        ports:
+        - containerPort: 6379
+          name: my-redis
+      restartPolicy: Always
+---
 apiVersion: v1
 kind: Service
 metadata:
-  name: my-service
-  namespace: day13
+  name: my-svc
+  namespace: svc
 spec:
   selector:
-    app: nginx-test
-  # type: ClusterIP   # type 很重要, 不写默认是 ClusterIP
+    app: my-deploy
+  ## type: ClusterIP   # type 很重要, 不写默认是 ClusterIP
   ## type 有四种类型
   ##     ClusterIP & ExternalName & NodePort & LoadBalancer
+  type: ClusterIP
   ports:
-  - name: my-service
-    port: 80           # service 的端口
-    targetPort: 80     # Pod 的端口
+  # 外部访问 http://serviceIp:80 时, 会访问到这个 service selector 选中的 pod 的 80 端口 
+  - name: my-nginx
     protocol: TCP
-  #- name: my-service2
-  #  port: 3306           # service 的端口
-  #  targetPort: 3306     # Pod 的端口
-  #  protocol: TCP  
-
----
-apiVersion: v1
-kind: Pod
-metadata:
-  name: nginx-pod
-  namespace: day13
-  labels:
-    app: nginx-test
-spec:
-  containers:
-  - name: nginx-pod
-    image: nginx
-    ports:
-    - name: nginx
-      containerPort: 80
-  restartPolicy: Always
+    port: 80
+    targetPort: 80
+  # 外部访问 http://serviceIp:81 时, 会访问到这个 service selector 选中的 pod 的 6379 端口 
+  - name: my-redis
+    protocol: TCP
+    port: 81
+    targetPort: 6379
   
-$ kubectl get pod,svc -n day13
-NAME            READY   STATUS    RESTARTS   AGE
-pod/nginx-pod   1/1     Running   0          98s
-
-NAME                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
-service/my-service   ClusterIP   10.103.122.157   <none>        80/TCP    98s
-
-$ curl 10.103.122.157
-<!DOCTYPE html>
-<html>
-<head>
-<title>Welcome to nginx!</title>
-<style>
-...
+$ kubectl get pod,svc -n svc
+NAME                             READY   STATUS    RESTARTS   AGE     IP             NODE        NOMINATED NODE   READINESS GATES
+pod/my-deploy-56d756ddc4-6j972   2/2     Running   0          9m28s   10.233.81.52   k8s-node1   <none>           <none>
+
+NAME             TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE     SELECTOR
+service/my-svc   ClusterIP   10.233.16.140   <none>        80/TCP,81/TCP   9m28s   app=my-deploy
+
+$ kubectl describe service/my-svc -n svc
+Name:              my-svc
+Namespace:         svc
+Labels:            <none>
+Annotations:       <none>
+Selector:          app=my-deploy
+Type:              ClusterIP
+IP Family Policy:  SingleStack
+IP Families:       IPv4
+IP:                10.233.16.140
+IPs:               10.233.16.140
+Port:              my-nginx  80/TCP
+TargetPort:        80/TCP
+Endpoints:         10.233.81.52:80
+Port:              my-redis  81/TCP
+TargetPort:        6379/TCP
+Endpoints:         10.233.81.52:6379
+Session Affinity:  None
+Events:            <none>
 ```
 
 - Service 创建后，会生成一组 EndPoint
 
   ```yaml
-  $ kubectl get ep -n day13
-  NAME         ENDPOINTS        AGE
-  my-service   10.244.2.94:80   3m35s
+  $ kubectl get ep -n svc
+  NAME     ENDPOINTS                           AGE
+  my-svc   10.233.81.52:6379,10.233.81.52:80   10m
+  
+  $ kubectl describe ep/my-svc -n svc
+  Name:         my-svc
+  Namespace:    svc
+  Labels:       <none>
+  Annotations:  endpoints.kubernetes.io/last-change-trigger-time: 2022-01-25T17:16:43+08:00
+  Subsets:
+    Addresses:          10.233.81.52
+    NotReadyAddresses:  <none>
+    Ports:
+      Name      Port  Protocol
+      ----      ----  --------
+      my-redis  6379  TCP
+      my-nginx  80    TCP
+  
+  Events:  <none>
   ```
 
 - type 有四种类型，每种对应不同的服务发现机制
 - Service 可以利用 Pod 的就绪探针机制，只负载就绪了的 Pod，没有就绪的Pod就删除
 
+## 2.4 创建无 Selector 的 Service(EndPoint)
 
+在创建 Service 的时候，可以不指定 Selector，然后手动创建 EndPoint指定一组 Pod 地址。
 
-# 四、创建无 Selector 的 Service(EndPoint)
-
-在创建 Service 的时候，可以不指定 Selector，然后手动创建 EndPoint指定一组 Pod 地址；
-
-
-
-此场景用于我们负载均衡其他中间件的场景
+此场景用于我们负载均衡其他中间件的场景。
 
 ```yaml
 # 先创建一个 3个副本的 deployment 
@@ -229,40 +274,97 @@ subsets:
     protocol: TCP
 ```
 
-# 五、ClusterIP
+## 2.5 ClusterIP
 
 ```yaml
+# 方式一: 不手动声明 IP 地址, 由 k8s 自动生成
+...
+type: ClusterIP
+...
+
+# 方式二: 手动指定 Cluster 的 IP 地址, 地址必须在合法范围内
+...
+type: ClusterIP
+clusterIP: 10.239.199.88
+...
+
+# 方式三: Service 不生成 IP, 通过域名访问该 Service, 或者 Ingress
 ...
 type: ClusterIP
-clusterIP:  ## 手动指定 Cluster 的 IP 地址, 地址必须在合法范围内
+clusterIP: None
 ...
+```
+
+示例: 
 
-# 例子
+```yaml
+# 方式一的例子
 apiVersion: v1
 kind: Service
 metadata:
-  name: my-service-clusterip-test
-  namespace: day13
+  name: my-service-clusterip-test1
+  namespace: svc
 spec:
   selector:
-    app: nginx-deployment
+    app: my-deploy
   type: ClusterIP
-  clusterIP: "10.102.1.87"   ## 手动指定 Cluster 的 IP 地址, 地址必须在合法范围内
   ports:
   - name: http
     port: 80
     targetPort: 80
     protocol: TCP
 
-# 这里的 CLUSTER-IP 就是手动指定的
-$ kubectl get svc -n day13
-NAME                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
-my-service-clusterip-test   ClusterIP   10.102.1.87      <none>        80/TCP    6s
-```
+$ kubectl get svc -n svc
+NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE    SELECTOR
+service/my-service-clusterip-test    ClusterIP   10.233.2.214    <none>        80/TCP          3m54s   app=my-deploy
 
 
+---
+# 方式二的例子
+apiVersion: v1
+kind: Service
+metadata:
+  name: my-service-clusterip-test2
+  namespace: svc
+spec:
+  selector:
+    app: my-deploy
+  type: ClusterIP
+  clusterIP: 10.233.199.140   ## 手动指定 Cluster 的 IP 地址, 地址必须在合法范围内
+  ports:
+  - name: http
+    port: 80
+    targetPort: 80
+    protocol: TCP
+    
+$ kubectl get svc -n svc
+NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE    SELECTOR
+service/my-service-clusterip-test2    ClusterIP   10.233.16.88    <none>        80/TCP          3m54s   app=my-deploy
+
+---
+# 方式三的例子
+apiVersion: v1
+kind: Service
+metadata:
+  name: my-service-clusterip-test3
+  namespace: svc
+spec:
+  selector:
+    app: my-deploy
+  type: ClusterIP
+  clusterIP: None
+  ports:
+  - name: http
+    port: 80
+    targetPort: 80
+    protocol: TCP
+    
+$ kubectl get svc -n svc
+NAME                                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE    SELECTOR
+service/my-service-clusterip-test3   ClusterIP   None            <none>        80/TCP          6s      app=my-deploy
+```
 
-# 六、NodePort
+## 2.6 NodePort
 
 ```yaml
 apiVersion: v1
@@ -282,7 +384,7 @@ spec:
     nodePort: 31180   ## 如果不指定，系统会在 30000-32765 之间随机分配
 ```
 
-# 七、ExternalName 和 LoadBalancer
+## 2.7 ExternalName 和 LoadBalancer
 
 ```yaml
 apiVersion: v1
@@ -293,7 +395,7 @@ metadata:
 spec:
   type: ExternalName
   externalName: www.json.cn  # 只能写 域名    注意跨域问题
-  # 无 selector, 自己写 EP
+  # 如果是无 selector, 得自己写 EP
 
 # ---
 # apiVersion: v1
@@ -302,21 +404,674 @@ spec:
 #   name: service-externalname-test
 #   namespace: default
 # spec:
-    # selector: 
-    #    app: nginx
+#   selector: 
+#      app: nginx
 #   type: LoadBalancer  ## 负载均衡，开放给云平台实现，阿里云、百度云
-    # ports:
-    #    port: 80
-    #    target: 888
-  ## k8s自动请求云平台，分配一个负载均衡器
+#   ports:
+#      port: 80
+#      target: 888
+## k8s自动请求云平台，分配一个负载均衡器
 ```
 
-
-
-# 八、externalIP(IP 白名单)
-
+# 三、Ingress
+## 3.1 Ingress 安装部署
 ```yaml
+$ vim install-ingress.yaml
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-nginx
+  labels:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
 
+---
+# Source: ingress-nginx/templates/controller-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    helm.sh/chart: ingress-nginx-3.30.0
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.46.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+  name: ingress-nginx
+  namespace: ingress-nginx
+automountServiceAccountToken: true
+---
+# Source: ingress-nginx/templates/controller-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    helm.sh/chart: ingress-nginx-3.30.0
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.46.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+data:
+---
+# Source: ingress-nginx/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    helm.sh/chart: ingress-nginx-3.30.0
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.46.0
+    app.kubernetes.io/managed-by: Helm
+  name: ingress-nginx
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+      - endpoints
+      - nodes
+      - pods
+      - secrets
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - nodes
+    verbs:
+      - get
+  - apiGroups:
+      - ''
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+---
+# Source: ingress-nginx/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    helm.sh/chart: ingress-nginx-3.30.0
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.46.0
+    app.kubernetes.io/managed-by: Helm
+  name: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx
+subjects:
+  - kind: ServiceAccount
+    name: ingress-nginx
+    namespace: ingress-nginx
+---
+# Source: ingress-nginx/templates/controller-role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    helm.sh/chart: ingress-nginx-3.30.0
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.46.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+  name: ingress-nginx
+  namespace: ingress-nginx
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - namespaces
+    verbs:
+      - get
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+      - pods
+      - secrets
+      - endpoints
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - networking.k8s.io   # k8s 1.14+
+    resources:
+      - ingressclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+    resourceNames:
+      - ingress-controller-leader-nginx
+    verbs:
+      - get
+      - update
+  - apiGroups:
+      - ''
+    resources:
+      - configmaps
+    verbs:
+      - create
+  - apiGroups:
+      - ''
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+---
+# Source: ingress-nginx/templates/controller-rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    helm.sh/chart: ingress-nginx-3.30.0
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.46.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+  name: ingress-nginx
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx
+subjects:
+  - kind: ServiceAccount
+    name: ingress-nginx
+    namespace: ingress-nginx
+---
+# Source: ingress-nginx/templates/controller-service-webhook.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    helm.sh/chart: ingress-nginx-3.30.0
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.46.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+  name: ingress-nginx-controller-admission
+  namespace: ingress-nginx
+spec:
+  type: ClusterIP
+  ports:
+    - name: https-webhook
+      port: 443
+      targetPort: webhook
+  selector:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/component: controller
+---
+# Source: ingress-nginx/templates/controller-service.yaml：不要
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+  labels:
+    helm.sh/chart: ingress-nginx-3.30.0
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.46.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  type: ClusterIP  ## 改为clusterIP
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: http
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: https
+  selector:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/component: controller
+---
+# Source: ingress-nginx/templates/controller-deployment.yaml
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    helm.sh/chart: ingress-nginx-3.30.0
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.46.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: ingress-nginx
+      app.kubernetes.io/instance: ingress-nginx
+      app.kubernetes.io/component: controller
+  revisionHistoryLimit: 10
+  minReadySeconds: 0
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/component: controller
+    spec:
+      dnsPolicy: ClusterFirstWithHostNet   ## dns对应调整为主机网络
+      hostNetwork: true  ## 直接让nginx占用本机80端口和443端口，所以使用主机网络
+      containers:
+        - name: controller
+          image: registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images/ingress-nginx-controller:v0.46.0
+          imagePullPolicy: IfNotPresent
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /wait-shutdown
+          args:
+            - /nginx-ingress-controller
+            - --election-id=ingress-controller-leader
+            - --ingress-class=nginx
+            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
+            - --validating-webhook=:8443
+            - --validating-webhook-certificate=/usr/local/certificates/cert
+            - --validating-webhook-key=/usr/local/certificates/key
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - NET_BIND_SERVICE
+            runAsUser: 101
+            allowPrivilegeEscalation: true
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: LD_PRELOAD
+              value: /usr/local/lib/libmimalloc.so
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 10254
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 1
+            successThreshold: 1
+            failureThreshold: 5
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 10254
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 1
+            successThreshold: 1
+            failureThreshold: 3
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+            - name: https
+              containerPort: 443
+              protocol: TCP
+            - name: webhook
+              containerPort: 8443
+              protocol: TCP
+          volumeMounts:
+            - name: webhook-cert
+              mountPath: /usr/local/certificates/
+              readOnly: true
+          resources:
+            requests:
+              cpu: 100m
+              memory: 90Mi
+      nodeSelector:  ## 节点选择器
+        node-role: ingress #以后只需要给某个node打上这个标签就可以部署ingress-nginx到这个节点上了
+        #kubernetes.io/os: linux  ## 修改节点选择
+      serviceAccountName: ingress-nginx
+      terminationGracePeriodSeconds: 300
+      volumes:
+        - name: webhook-cert
+          secret:
+            secretName: ingress-nginx-admission
+---
+# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
+# before changing this value, check the required kubernetes version
+# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    helm.sh/chart: ingress-nginx-3.30.0
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.46.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: admission-webhook
+  name: ingress-nginx-admission
+webhooks:
+  - name: validate.nginx.ingress.kubernetes.io
+    matchPolicy: Equivalent
+    rules:
+      - apiGroups:
+          - networking.k8s.io
+        apiVersions:
+          - v1beta1
+        operations:
+          - CREATE
+          - UPDATE
+        resources:
+          - ingresses
+    failurePolicy: Fail
+    sideEffects: None
+    admissionReviewVersions:
+      - v1
+      - v1beta1
+    clientConfig:
+      service:
+        namespace: ingress-nginx
+        name: ingress-nginx-controller-admission
+        path: /networking/v1beta1/ingresses
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ingress-nginx-admission
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    helm.sh/chart: ingress-nginx-3.30.0
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.46.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: admission-webhook
+  namespace: ingress-nginx
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ingress-nginx-admission
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    helm.sh/chart: ingress-nginx-3.30.0
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.46.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: admission-webhook
+rules:
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - validatingwebhookconfigurations
+    verbs:
+      - get
+      - update
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ingress-nginx-admission
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    helm.sh/chart: ingress-nginx-3.30.0
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.46.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: admission-webhook
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-nginx-admission
+subjects:
+  - kind: ServiceAccount
+    name: ingress-nginx-admission
+    namespace: ingress-nginx
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ingress-nginx-admission
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    helm.sh/chart: ingress-nginx-3.30.0
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.46.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: admission-webhook
+  namespace: ingress-nginx
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - get
+      - create
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ingress-nginx-admission
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    helm.sh/chart: ingress-nginx-3.30.0
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.46.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: admission-webhook
+  namespace: ingress-nginx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ingress-nginx-admission
+subjects:
+  - kind: ServiceAccount
+    name: ingress-nginx-admission
+    namespace: ingress-nginx
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: ingress-nginx-admission-create
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    helm.sh/chart: ingress-nginx-3.30.0
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.46.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: admission-webhook
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      name: ingress-nginx-admission-create
+      labels:
+        helm.sh/chart: ingress-nginx-3.30.0
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/version: 0.46.0
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/component: admission-webhook
+    spec:
+      containers:
+        - name: create
+          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          imagePullPolicy: IfNotPresent
+          args:
+            - create
+            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+            - --namespace=$(POD_NAMESPACE)
+            - --secret-name=ingress-nginx-admission
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+      restartPolicy: OnFailure
+      serviceAccountName: ingress-nginx-admission
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: ingress-nginx-admission-patch
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+  labels:
+    helm.sh/chart: ingress-nginx-3.30.0
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.46.0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: admission-webhook
+  namespace: ingress-nginx
+spec:
+  template:
+    metadata:
+      name: ingress-nginx-admission-patch
+      labels:
+        helm.sh/chart: ingress-nginx-3.30.0
+        app.kubernetes.io/name: ingress-nginx
+        app.kubernetes.io/instance: ingress-nginx
+        app.kubernetes.io/version: 0.46.0
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/component: admission-webhook
+    spec:
+      containers:
+        - name: patch
+          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+          imagePullPolicy: IfNotPresent
+          args:
+            - patch
+            - --webhook-name=ingress-nginx-admission
+            - --namespace=$(POD_NAMESPACE)
+            - --patch-mutating=false
+            - --secret-name=ingress-nginx-admission
+            - --patch-failure-policy=Fail
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+      restartPolicy: OnFailure
+      serviceAccountName: ingress-nginx-admission
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 2000
 ```
 
 
@@ -329,137 +1084,6 @@ spec:
 
 
 
-## Service 为 ClusterIP
-1. 导出 Nginx 的 Yaml 文件
-    ```bash
-    $ kubectl create deployment web --image=nginx --dry-run -o yaml > web.yaml
-    ```
-2. 根据导出的 Yaml 文件部署 Nginx
-    ```bash
-    $ kubectl apply -f web.yaml
-      
-    $ kubectl get pod,svc
-    NAME                       READY   STATUS              RESTARTS   AGE
-    pod/web-5dcb957ccc-c4fjh   0/1     ContainerCreating   0          14s
-    
-    NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
-    service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   8d
-    ```
-3. 导出 Service 的 Yaml 文件
-    ```bash
-    $ kubectl expose deployment web --port=80 --target-port=80 --dry-run -o yaml > service.yaml
-    ```
-4. 根据导出的 Service 的 Yaml 文件部署
-    ```bash
-    $ kubectl apply -f service.yaml
-    NAME                       READY   STATUS    RESTARTS   AGE
-    pod/web-5dcb957ccc-c4fjh   1/1     Running   0          2m42s
-    
-    NAME                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
-    service/kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP   8d
-    service/web          ClusterIP   10.101.97.233   <none>        80/TCP    12s
-    ```
-5. 访问
-
-      可以看到 `service/web` 此时是对集群内使用的, 输入如下命令: 
-    ```html
-    $ curl 10.101.97.233`
-    <!DOCTYPE html>
-    <html>
-    <head>
-    <title>Welcome to nginx!</title>
-    <style>
-        body {
-            width: 35em;
-            margin: 0 auto;
-            font-family: Tahoma, Verdana, Arial, sans-serif;
-        }
-    </style>
-    </head>
-    <body>
-    <h1>Welcome to nginx!</h1>
-    <p>If you see this page, the nginx web server is successfully installed and
-    working. Further configuration is required.</p>
-    
-    <p>For online documentation and support please refer to
-    <a href="http:/nginx.org/">nginx.org</a>.<br/>
-    Commercial support is available at
-    <a href="http:/nginx.com/">nginx.com</a>.</p>
-    
-    <p><em>Thank you for using nginx.</em></p>
-    </body>
-    </html>
-    ```
-
-## Service 为 NodePort
-1. 修改 service.yaml 文件
-    ```yaml
-    apiVersion: v1
-    kind: Service
-    metadata:
-      creationTimestamp: null
-      labels:
-        app: web
-      name: web
-    spec:
-      type: NodePort
-      ports:
-      - port: 80
-        protocol: TCP
-        targetPort: 80
-      selector:
-        app: web
-    status:
-      loadBalancer: {}
-    ```
-2. 重新部署
-    ```bash
-    $ kubectl apply -f service.yaml
-      
-    $ kubectl get pod,svc
-    NAME                       READY   STATUS    RESTARTS   AGE
-    pod/web-5dcb957ccc-c4fjh   1/1     Running   0          6m26s
-    
-    NAME                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
-    service/kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP        8d
-    service/web          NodePort    10.101.97.233   <none>        80:32283/TCP   3m56s
-    ```
 
-3. 访问
 
-    此时, 可以看见 `service/web` 是对外暴露了 32283 端口的, 在浏览器中输入: <Master IP>:<PORT>, 可以看见 Nginx 页面.
-    
-## Service 为 LoadBalancer
-1. 修改 service.yaml 文件
-    ```yaml
-    apiVersion: v1
-    kind: Service
-    metadata:
-      creationTimestamp: null
-      labels:
-        app: web
-      name: web
-    spec:
-      type: LoadBalancer
-      ports:
-      - port: 80
-        protocol: TCP
-        targetPort: 80
-      selector:
-        app: web
-    status:
-      loadBalancer: {}
-    ```
-   
-2. 重新部署
-    ```bash
-    $ kubectl apply -f service.yaml
-      
-    $ kubectl get pod,svc
-    NAME                       READY   STATUS    RESTARTS   AGE
-    pod/web-5dcb957ccc-c4fjh   1/1     Running   0          6m26s
-    
-    NAME                 TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
-    service/kubernetes   ClusterIP      10.96.0.1       <none>        443/TCP        8d
-    service/web          LoadBalancer   10.101.97.233   <pending>     80:32283/TCP   7m4s
-    ```
\ No newline at end of file
+
diff --git a/note/Kubernetes/k8s-pod.md b/note/Kubernetes/k8s-pod.md
index 1aa9ffb..5a3e60a 100644
--- a/note/Kubernetes/k8s-pod.md
+++ b/note/Kubernetes/k8s-pod.md
@@ -240,18 +240,22 @@ spec:
 这个yaml中, 在容器启动后, 执行 echo 输出了一句话, 在容器被杀死之前, 指定 nginx 的退出命令, 然后杀死容器, 实现了容器的 "优雅退出"
 
 # 八、Pod 健康检查(探针)
-Kubernetes 中, 有 3 种 探针, 实现了对 Pod 的健康检查
 
-- startupProbe 探针: 判断容器是否启动(start)
-- LivenessProbe 探针: 判断容器是否存活(running), 如果探针探测失败, 则标识容器也是失败
-- ReadinessProbe 探针: 用于判断容器是否启动完成(ready)
+Kubernetes 中, 有 3 种 探针, 实现了对 Pod 的健康检查：
+
+- 启动探针(startupProbe 探针): 判断容器是否启动(start)， 控制容器在启动后再进行就绪、存活检查。**启动探针为一次性的**。
+- 就绪探针(livenessProbe 探针): 判断容器是否准备好接受请求流量, 在未准备好时, 会从 Service 的负载均衡器中剔除，在就绪探针失败时，会重启容器。
+- 存活探针(readinessProbe 探针): 用于判断容器是否启动完成(ready)，如果捕捉到死锁，会重启容器。
+
+**以上三种探针, 在探测失败后, 都会重启容器。**
 
 Probe 支持三种检查方式:
 - httpGet: 发送 Http 请求, 返回 200-400 范围状态码为成功
 - exec: 执行 Shell 命令返回状态码是 0 为成功
 - tcpSocket: 发起 TCP Socket 建立成功
 
-httpGet 的方式:
+## 8.1 httpGet 的方式:
+
 ```yaml
 $ vim livenessProbe-httpGet.yaml
 apiVersion: v1
@@ -281,7 +285,8 @@ spec:
   restartPolicy: Always
 ```
 
-exec 的方式:
+## 8.2 exec 的方式:
+
 ```yaml
 $ vim livenessProbe-exec.yaml
 apiVersion: v1
@@ -315,7 +320,8 @@ spec:
   restartPolicy: Always
 ```
 
-tcpSocket 的方式:
+## 8.3 tcpSocket 的方式:
+
 ```yaml
 $ vim livenessProbe-tcp.yaml
 apiVersion: v1
@@ -373,6 +379,26 @@ spec:
 在这个例子中, nginx-container 和 debian-container 都声明挂载了 shared-data 这个 volume, 而 shared-data 是 hostPath 类型, 所以, 它对应宿主机上的目录就是 /data, 而这个目录, 就同时被绑定进了这两个容器中, 这样的话 nginx-container 容器就可以从 /usr/share/nginx/html 目录中读取到 debian-container 生成的 index.html 文件了
 
 
+
+对于 HTTP 或者 TCP 存活检测可以使用命名的 [ContainerPort](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#containerport-v1-core)
+
+```bash
+ports:
+- name: liveness-port
+  containerPort: 8080
+  hostPort: 8080
+
+livenessProbe:
+  httpGet:
+    path: /healthz
+    port: liveness-port
+```
+
+
+
+
+
+
 # 九、Pod 的镜像拉取策略
 ```yaml
 $ vim pod-imagePollPolicy.yaml
diff --git a/note/Kubernetes/volume.md b/note/Kubernetes/volume.md
index a939406..39f8642 100644
--- a/note/Kubernetes/volume.md
+++ b/note/Kubernetes/volume.md
@@ -653,4 +653,386 @@ mysql> show variables like '%max_connections%';
 | mysqlx_max_connections | 100   |
 +------------------------+-------+
 2 rows in set (0.00 sec)
-```
\ No newline at end of file
+```
+
+
+# 五、NFS
+[centos7 nfs安装部署](../../note/软件部署/centos/nfs.md)
+
+## 5.1 使用 nfs 挂载
+```bash
+vim nginx-nfs.yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+  namespace: storage
+  labels:
+    app: nginx
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx
+        resources:
+          requests:
+            cpu: 100m
+            memory: 100Mi
+          limits:
+            cpu: 100m
+            memory: 100Mi
+        ports:
+        - containerPort:  80
+          name: nginx
+        volumeMounts:
+        - name: nfs-volume
+          mountPath: /usr/share/nginx/html/
+      volumes:
+        - name: nfs-volume
+          nfs:
+            server: 192.168.156.60
+            path: /app/nfs
+      restartPolicy: Always
+ 
+ kubectl apply -f nginx-nfs.yaml
+ 
+ # 在 /app/nfs 目录下创建 index.html 文件
+ echo "hello nfs volume" > index.html
+ 
+ 
+ # 访问 nginx 
+ kubectl get pod -n storage -o wide
+ pod/nginx-5d59d8d7fd-v744j      1/1     Running            0          3m44s   10.244.2.11   flink03   <none>           <none>
+
+curl 10.244.2.11
+hello nfs volume
+```
+
+
+# 六、PV、PVC
+[官方 PV、PVC 实战](https://kubernetes.io/zh/docs/tasks/configure-pod-container/configure-persistent-volume-storage/)
+
+[PV、PVC 的官方文档](https://kubernetes.io/zh/docs/concepts/storage/persistent-volumes/#access-modes)
+
+## 6.1 持久卷（PersistentVolume ）
+
+- 持久卷（PersistentVolume，PV）是集群中的一块存储，可以由管理员事先供应，或者 使用[存储类（Storage Class）](https://kubernetes.io/zh/docs/concepts/storage/storage-classes/)来动态供应。
+- 持久卷是集群资源，就像节点也是集群资源一样。PV 持久卷和普通的 Volume 一样，也是使用 卷插件来实现的，只是它们拥有独立于使用他们的Pod的生命周期。
+- 此 API 对象中记述了存储的实现细节，无论其背后是 NFS、iSCSI 还是特定于云平台的存储系统。
+
+### 6.1.1 示例
+```bash
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pv-0001
+  namespace: storage
+spec:
+  capacity:
+    storage: 5Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Recycle
+  storageClassName: slow
+  nfs:
+    path: /app/nfs
+    server: 192.168.156/60
+```
+参数说明:
+1. capacity.storage: [该 PV 的容量](https://kubernetes.io/zh/docs/concepts/storage/persistent-volumes/#capacity)
+2. volumeMode: [卷模式, 默认为 Filesystem](https://kubernetes.io/zh/docs/concepts/storage/persistent-volumes/#volume-mode)
+3. accessModes: [访问模式](https://kubernetes.io/zh/docs/concepts/storage/persistent-volumes/#access-modes)
+    - ReadWriteOnce: 可以被一个节点以只读的方式挂载;
+    - ReadOnlyMany: 可以被多个节点以只读的方式挂载;
+    - ReadWriteMany: 可以被多个节点以读写的方式挂载;
+    - ReadWriteOncePod: 卷可以被单个 Pod 以只读的方式挂载。如果需要集群中只有一个 Pod 可以读写该 PVC, 就需要用此访问模式.
+4. persistentVolumeReclaimPolicy: [回收策略](https://kubernetes.io/zh/docs/concepts/storage/persistent-volumes/#reclaim-policy)
+5. storageClassName: [用于和 PVC 匹配](https://kubernetes.io/zh/docs/concepts/storage/persistent-volumes/#class)
+
+
+## 6.2 持久卷申请（PersistentVolumeClaim，PVC）
+
+- 表达的是用户对存储的请求
+- 概念上与 Pod 类似。 Pod 会耗用节点资源，而 PVC 申领会耗用 PV 资源。
+- Pod 可以请求特定数量的资源（CPU 和内存）；同样 PVC 申领也可以请求特定的大小和访问模式 （例如，可以要求 PV 卷能够以 ReadWriteOnce、ReadOnlyMany 或 ReadWriteMany 模式之一来挂载，参见[访问模式](https://kubernetes.io/zh/docs/concepts/storage/persistent-volumes/#access-modes)）。
+
+### 6.2.1 示例
+```bash
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: myclaim
+  namespace: storage
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 8Gi
+  storageClassName: slow
+```
+
+## 6.3 PV、PVC 实操
+使用 PV、PVC、ConfigMap 部署一个单机版的 MySQL
+```bash
+# 1. 创建 my.cnf 文件并 create 为 configmap
+cat >> my.cnf << EOF
+[mysql]
+default-character-set=utf8
+
+[client]
+default-character-set=utf8
+
+[mysqld]
+# 字符集
+default-character-set=utf8
+init_connect='SET NAMES utf8'
+# 最大连接数
+max_connections=1000
+# binlog
+log-bin=mysql-bin
+binlog-format=ROW
+# 忽略大小写
+lower_case_table_names=2
+EOF
+
+kubectl create configmap mysql-config --from-file=my.cnf -n storage
+
+# 2. 创建 PV
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pv-mysql-1
+  namespace: storage
+spec:
+  capacity:
+    storage: 50Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Recycle
+  storageClassName: my-nfs
+  nfs:
+    path: /app/nfs
+    server: 192.168.156/60
+    
+# 3. 创建 PVC
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pvc-mysql-1
+  namespace: storage
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 50Gi
+  storageClassName: my-nfs
+
+# 4. 创建 deploy 
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mysql-pv
+  namespace: storage
+  labels:
+    app: mysql-pv
+spec:
+  selector:
+    matchLabels:
+      app: mysql-pv
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app:  mysql-pv
+    spec:
+      containers:
+      - name: mysql-pv
+        image: mysql:8
+        env:
+        - name: MYSQL_ROOT_PASSWORD
+          value: "123456"
+        ports:
+        - containerPort:  80
+          name: mysql-pv
+        volumeMounts:
+        - name: mysql-storage
+          mountPath: /var/lib/mysql
+        - name: my-config
+          mountPath: /etc/mysql/conf.d
+        - name: time-zone
+          mountPath: /etc/localtime
+      volumes:
+        - name: mysql-storage
+          persistentVolumeClaim:
+            claimName: pvc-mysql-1
+        - name: my-config
+          configMap: 
+            name: mysql-config
+        - name: time-zone
+          hostPath: 
+            path: /etc/localtime
+      restartPolicy: Always
+
+```
+
+## 6.4 存储类（Storage Class）
+
+- 尽管 PersistentVolumeClaim 允许用户消耗抽象的存储资源，常见的情况是针对不同的 问题用户需要的是具有不同属性（如，性能）的 PersistentVolume 卷。
+- 集群管理员需要能够提供不同性质的 PersistentVolume，并且这些 PV 卷之间的差别不 仅限于卷大小和访问模式，同时又不能将卷是如何实现的这些细节暴露给用户。
+- 为了满足这类需求，就有了 *存储类（StorageClass）* 资源。
+
+[官方部署文档](https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner)
+
+### 6.4.1 部署
+```bash
+# 创建存储类
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: managed-nfs-storage
+# provisioner: 指定供应商的名字
+provisioner: k8s-sigs.io/nfs-subdir-external-provisioner # or choose another name, must match deployment's env PROVISIONER_NAME'
+parameters:
+  archiveOnDelete: "false"
+  
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nfs-client-provisioner
+  labels:
+    app: nfs-client-provisioner
+  # replace with namespace where provisioner is deployed
+  namespace: default
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: nfs-client-provisioner
+  template:
+    metadata:
+      labels:
+        app: nfs-client-provisioner
+    spec:
+      serviceAccountName: nfs-client-provisioner
+      containers:
+        - name: nfs-client-provisioner
+          image: k8s.gcr.io/sig-storage/nfs-subdir-external-provisioner:v4.0.2
+          volumeMounts:
+            - name: nfs-client-root
+              mountPath: /persistentvolumes
+          env:
+            - name: PROVISIONER_NAME
+              value: k8s-sigs.io/nfs-subdir-external-provisioner
+            # 改成自己的 NFS 地址
+            - name: NFS_SERVER
+              value: 192.168.156.60
+            - name: NFS_PATH
+              value: /app/nfs
+      volumes:
+        - name: nfs-client-root
+          nfs:
+            server: 192.168.156.60
+            path: /app/nfs
+            
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nfs-client-provisioner
+  # replace with namespace where provisioner is deployed
+  namespace: default
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: nfs-client-provisioner-runner
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "update", "patch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: run-nfs-client-provisioner
+subjects:
+  - kind: ServiceAccount
+    name: nfs-client-provisioner
+    # replace with namespace where provisioner is deployed
+    namespace: default
+roleRef:
+  kind: ClusterRole
+  name: nfs-client-provisioner-runner
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: leader-locking-nfs-client-provisioner
+  # replace with namespace where provisioner is deployed
+  namespace: default
+rules:
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: leader-locking-nfs-client-provisioner
+  # replace with namespace where provisioner is deployed
+  namespace: default
+subjects:
+  - kind: ServiceAccount
+    name: nfs-client-provisioner
+    # replace with namespace where provisioner is deployed
+    namespace: default
+roleRef:
+  kind: Role
+  name: leader-locking-nfs-client-provisioner
+  apiGroup: rbac.authorization.k8s.io
+```
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git "a/note/Kubernetes/\344\275\277\347\224\250kubeadm\351\203\250\347\275\262k8s\351\233\206\347\276\244.md" "b/note/Kubernetes/\344\275\277\347\224\250kubeadm\351\203\250\347\275\262k8s\351\233\206\347\276\244.md"
index 598e7d5..0d4dbe0 100644
--- "a/note/Kubernetes/\344\275\277\347\224\250kubeadm\351\203\250\347\275\262k8s\351\233\206\347\276\244.md"
+++ "b/note/Kubernetes/\344\275\277\347\224\250kubeadm\351\203\250\347\275\262k8s\351\233\206\347\276\244.md"
@@ -431,3 +431,4 @@ $ kubectl get pod,svc
 
 
 
+https://blog.csdn.net/a749227859/article/details/118732605
\ No newline at end of file
diff --git "a/note/Kubernetes/\345\270\270\347\224\250\346\234\215\345\212\241\351\203\250\347\275\262.md" "b/note/Kubernetes/\345\270\270\347\224\250\346\234\215\345\212\241\351\203\250\347\275\262.md"
new file mode 100644
index 0000000..15977db
--- /dev/null
+++ "b/note/Kubernetes/\345\270\270\347\224\250\346\234\215\345\212\241\351\203\250\347\275\262.md"
@@ -0,0 +1,133 @@
+
+
+
+
+
+---
+# 一、单机 MySQL8
+```bash
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: mysql8-pv
+  namespace: database
+spec:
+  capacity:
+    storage: 50Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+    - ReadWriteMany
+  storageClassName: nfs-client 
+  persistentVolumeReclaimPolicy: Retain
+  nfs:
+    path: /app/nfs/
+    server: 192.168.1.122
+    
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mysql8-pvc
+  namespace: database
+spec:
+  accessModes:
+    - ReadWriteOnce
+    - ReadWriteMany
+  storageClassName: nfs-client 
+  resources:
+    requests:
+      storage: 50Gi
+
+--- 
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: mysql8-config
+  namespace: database
+data:
+  my.cnf: |-
+    [mysql]
+    default-character-set=utf8
+
+    [client]
+    default-character-set=utf8
+
+    [mysqld]
+    # 字符集
+    character_set_server=utf8
+    init_connect='SET NAMES utf8'
+    # 最大连接数
+    max_connections=1000
+    # binlog
+    log-bin=mysql-bin
+    binlog-format=ROW
+    # 忽略大小写
+    lower_case_table_names=2
+
+---
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mysql8
+  namespace: database
+spec:
+  selector:
+    matchLabels:
+      app: mysql8
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: mysql8
+    spec:
+      containers:
+      - image: mysql:8
+        name: mysql8
+        volumeMounts:
+        - name: time-zone
+          mountPath: /etc/localtime
+        - name: mysql8-persistent-storage
+          mountPath: /var/lib/mysql
+        - name: config
+          mountPath: /etc/mysql/conf.d
+        env:
+        - name: MYSQL_ROOT_PASSWORD
+          value: "123456"  # change: Ioubuy123
+        ports:
+        - containerPort: 3306
+          name: mysql8
+      volumes:
+        - name: mysql8-persistent-storage
+          persistentVolumeClaim:
+            claimName: mysql8-pvc
+        - name: time-zone
+          hostPath: 
+            path: /etc/localtime
+        - name: config
+          configMap:
+            name: mysql8-config
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mysql8-svc
+  namespace: database
+spec:
+  selector:
+    app: mysql8
+  type: NodePort
+  ports:
+  - name: mysql8-svc
+    protocol: TCP
+    port: 3306
+    targetPort: 3306
+    nodePort: 31236
+
+```
+
+
diff --git "a/note/MySQL/MySQL-\345\270\270\347\224\250\351\205\215\347\275\256.md" "b/note/MySQL/MySQL-\345\270\270\347\224\250\351\205\215\347\275\256.md"
index 7fbd02a..4c54a6f 100644
--- "a/note/MySQL/MySQL-\345\270\270\347\224\250\351\205\215\347\275\256.md"
+++ "b/note/MySQL/MySQL-\345\270\270\347\224\250\351\205\215\347\275\256.md"
@@ -69,4 +69,18 @@ show variables like '%max_connections%';
 
 # 查看当前连接数
 show status like 'Threads%';
-```
\ No newline at end of file
+```
+
+
+
+# 四、修改密码
+
+```mysql
+SET PASSWORD FOR 'root'@'localhost'= "Kino123.";
+```
+
+# 五、强制修改密码
+
+```bash
+```
+
