From f7436a55e1bcbafb66a43df2d206dfed2c8db6b4 Mon Sep 17 00:00:00 2001
From: lauk001 <liukuo@kylinos.cn>
Date: Thu, 29 Sep 2022 09:17:21 +0800
Subject: [PATCH] Submit documents about containerized deployment of Kubernetes
 in NestOS

---
 .../k1.PNG"                                   | Bin 0 -> 20190 bytes
 .../k2.PNG"                                   | Bin 0 -> 5785 bytes
 ...\226\351\203\250\347\275\262kubernetes.md" | 723 ++++++++++++++++++
 3 files changed, 723 insertions(+)
 create mode 100644 "docs/graph/K8S\345\256\271\345\231\250\345\214\226\351\203\250\347\275\262/k1.PNG"
 create mode 100644 "docs/graph/K8S\345\256\271\345\231\250\345\214\226\351\203\250\347\275\262/k2.PNG"
 create mode 100644 "docs/use_sample/Kubernetes/\345\237\272\344\272\216NestOS\345\256\271\345\231\250\345\214\226\351\203\250\347\275\262kubernetes.md"
diff --git "a/docs/graph/K8S\345\256\271\345\231\250\345\214\226\351\203\250\347\275\262/k1.PNG" "b/docs/graph/K8S\345\256\271\345\231\250\345\214\226\351\203\250\347\275\262/k1.PNG"
new file mode 100644
index 0000000000000000000000000000000000000000..41433cf000eca88945739d8b83613b81c5b8e532
GIT binary patch
literal 20190
zcmbrlcT`i~{w*2{pwdKCK)|R-QAz|9L`p;yR1mOHqy(uV9TY@TR78*#IwB=1O{I5`
z5|9!)Qj~6Jp(7-akiK8=d(Q8kbMJlcpSQ+<?2MhU_gZ_c{h6ORKXbh`H8$WsaO?mG
z1meGO{puYMXpcPS_{%<S&VPB_r$d~NU4C~Au7C=AC6+i}_PXfa(glG^(7eotT%7Ow
zy{}vPfj|PyJAb=yUY{L7AY;E9S9R|_vt3Kq{-X-@#QDV(-1SPAxdu{qt?JzssePr;
z&b_AUT<Lb$ONlwbRUwHxUV1kYJ`=m2*)kP%o@L-4oxXkg+U?DG6m1a0-ZHD1{9X0>
z4)UHSdV2*u%<z#((d{u~R}Dd}SqqH9M8wPSSu%ST4c*P?@R9q|w+$}BF>(@jae6m3
zbY4w<dprKnx8Y41QU%QjJhaQ*tO2*iZos>$eoR!Hp&+l~gW|wyaU^l_y1I(Gtbt{r
zFRAC|jGV6o=ck-&yyzMj&0kI1=d*htcG@3Rhbej%Lc1pZH6}m$bY{Yw@l)W#t<n9$
zl6ugtsh%r!uOLrSn{>VttQa@CL~gX17ptz!1VTE+)11oeM+4S-I&;|S!byac)WmTH
zo=xoAhOvoN+t{xJ&aFTe!AI2Or*BJExbLcWY)`!XU92dlYwwVezD5Uu|7M-l9B|y&
zAN~DthrI`u5l<G1gZ>`r&zTFvbjnKVV2i(aP*06(oc_#wG-NnwdgdMb;YPu&S5A1Z
zj(+<KfYq)f!gy*T3K(ZVfo(tnpse52*tx6ObaPKQ1mzuf{Vjf_)qI*jBX!nIi1H=W
zp6&+sT~FPw7)aS)X=oAQI0T(FDb1cMFI?{xN=+1(hQ{+jE(M$ua=rpEsc~3&A)FpP
zT;&J%2{0<-(Nl&xxq0F`n4fj&Ic2s~D+NNHUEQ9-A~eTk@~?sO#pBeM8@qaeTnDLu
zb_Kwj(E83%MWPdo?$Cda+9t!2cxyse#rqidwjT!n8I!U3VL@`lN&%nYirnO3G<Z%}
zk|xrF*JYEjz&a}#3y@h0SYVTd0qT*AondV#jN~WW=q|To$Zvj(6!vR404ao95d@46
zUJ#ojZe27VkuXiw5hHbcuAO0j9rqSbJzZ-uk;4vjzX$bjzUUJaDI0PPxc#d<Wd^wG
zoA~EIO-uJmGoU?!GK5~u!9Ru@;gAmwDa4ccJPndR3P!zcgN)b4Dw0K(R&=Pw2hp)$
zliF*6v_CNqu#F@^H)bLH4N9IKKp3)}I6;((im%@z$+&c0gQsJTmt@EoW9wOvD&FN`
zn@Bg<A)5jFfPEt<rU(nbvU$+2b{4aEsa@HOaKpz^h0%)6R^@BlRl7c14FSOMM=>$4
zfl$XG{OF^om+Jcp<f|0GvIb9#Brz|IPPJBBG@PA|xJMUT#D2smv(7GDjbom=u}1kh
z;KTd1IY9paV<VAS2~9*4yHCTD6sgSzlTg<g*Rt4GSd~acR=^X8>$28|4viKbk`rNO
zM3&|C5&IS1#FT8(-c5n7Lu;`Boh_(!U?*a@x6xA*KROoORYIRpF-kpxF~Z?$27HEf
zV6J5Js|0jJ_H)<S%i@wHyL?T>l|Ih<KT0F>&g+~EPfa&6*3eNdbT9MG^`ky6cGru>
zuVNl8%0^*N53cWKI9VV+HF|K_Xr}tqKEUiB<?&LP75V<GSq}&>|4Dl%gSj$f(gn>Y
z3MTT_8$2gpctDAYth`%#4{7OA#uiBk_3Ne$hNzza;DEG{y3FzIeHPzRXVy!nZlB}y
z+D^PT&_z0JytZs+EWqP1!nGsXU!k!N+jq0m(aPR>&^ZLxccb*WXE~AQJxiTX>W=F!
z!_=iFst%a<uIY;N#%hu9%-=W2qW7*)e54Q)EF0y4;Yoy0bbP-U#+2Ox%|bXL3MPhb
zm~6kwLF|#ltYvON4cRZGVG$=;if8&#v{5`$+xK#!jHcF6_xpCjYNLwUNWM|(zGN-<
zhS4`Y!^fg2aMQ`(n)2|56?sEP3x7iIO|8)7E_~vsbJ-PA>s%dt9$5|~A;XNYuNmE{
z6&mTP_E<TSAIaZRrb@-W(Zaq7CiQh~>H@*+Smx~#bgeyf8GrQ)FygYEo*0eL)~?;^
zn3KnuCka;o-r9x@+<s(r3!NY~Jd!jbf~~qUf!JAsjhEa@Es5xrAKWkE4;eGB&ZwIG
ziG`h>nLGVcF)lgs?AtrN3$Nb@r;Vs#9TnSV3Mmn#mitpypo_+n`9o`)yxS_45^Jzw
z!RCPXS;*X$5mg*g3f-jaCi6OOKx8yS*Z-H7+Miwe%-}JPG1-wS=KK3!SBke_$!G@l
za{FkS;8|pMp$(<zJK#>!&Ve7}XAx$T*~4-so5}8$?bt``2cN}-fsuDX(>j_0obJBJ
zhF4pTro?!A5^vn`J}>Ym!u+!P*Po;dv8jQa(;!fAud}pm&0JnQ?55+qx0D!cW_cxF
zzH4gaFgtY4--cSEL|a-V^$sN2mF?cSo)`yCKrdGA=*(wB-_-0M$=|t%9rr(<oI`>A
zob!L%3%yr8JE+QOQ!zuSN7yO{p*UN3X9coD2d-1Db$r<cqw=)xOQ@eipe`jysI_bJ
z&t?g6GxI)6q~j|>t>Pr?11)e+h!$-WgED9A0yQ4_G6O4N^WhAn*xa_hYf^LQQ@NLv
zbhdS_VO7$}qb%;Y7+4&tMGuU%#4pLB77FP7Gq&tvbvJ6?8+z58_+y}*4&~EF-t@0_
zM1FfQ?<~!`51ub{BJae~@}Q6Z5AVp}{lLu{x8}r%O8NHwbW&@}sRdLE{*&CwX3K}o
z&A071agvbERK)%kkCy$eodMoy%%Cwr5J>5!7|=;}Ij`eCTNGBm6@ZL3@y#I@GK1VA
z$(AQjR{5XGbPR^*;mFON&T4pV@d!%o7gic`*$bGWLl3BK4mz_LdYlK_w|)20DX@Ip
zr09vWq5NcU+SIq%)jIb2N5^5YlDmaNeZlvU`5C4PCYqNsev7?g){b&+UKoA|C?&g`
z(|JIws%_}-Ymh`2kS#yRmSs@rS|5`v=_x1iN){w5%ESX83BJ36mAL|(C}#mPw58qe
zQxi2cZH&BW7D=o0JdHoU?pm7tTEKS5^<LELD8#31CbD?edYxXanJy2<f04pmNHL-b
z7$>0Acc$aonOQI_FuLTPyt!Bymc%4UyoyhQW|&l&<uqVlmFVz}b@;k4cULrg!oXSJ
zWG|7MG#5r+8)qhj7uUenK<HHH<{($Ox_t8ir-j3sP5JDIv|m-RvbBR{{u%bNOEUY?
z!Cf81c%PdN#F{6@YOc>o{2IXtQA?{&(E2$*`YI0yWS$j{f`p^(*TmkU^@!?BNpuHw
zZDYk28T-d@>z9kJs^y<3*v6=Hh-iYBh#3*XPxk7NeN=_AV}W00u**uP#+wBGqzM7l
za_K!csVF1UYsE%y^BCi@tsSmi^l2clR8y?^%~<Y@*jKT67;#S2Z;*#g^BpN8Xo_aD
z1FFCvkoD_R?3!x1+3Cx0iD;~lj?7F|?&m7;R=UC?>9R>8?-0F{zBcCOIW|UG`+k5O
zUslRir0wnLx!KmVg#vw}n{VDN`Ixc>9{z~6+#e3tS$elGX*G-XM)#tFUP{Mhj9ltU
z3!7&-fUsiS;R8Q~k8PiWhOsy=)q#7&BFw65cNA8MV%A~Xzn)RtZI5_c9yiLSr(w*0
zV(KkV9{YRGyCpe0_bi~uM`r<her%%@p{>p#%4+f_4;HJ$m!0WMczUc;!r1?esCI{U
z)sW7uqiUXhDv6>bA={&L&5Y(MMF{yqv3)+id}q8z6xsYOeQyJa$+HFQ*8Fre`CoK}
zAMut!i0JZ_&CHJJiv^P@$DP}&c*iU>DMcgyv+Pg-?m*Gz-2vBp2O2I!SzTWFVwR)%
zeKWoj1tgWxY|4SG!CKI*U2=&XeZMb^nOKlQ9Q;r&*%@0r*~ftGHO_P=X9+`X_{wKy
zO_@i?jstNe9AsK7?Av`IrJ@ZIz0#r9)M51tDvkRDzt>>17>Q~}h27ej@#v~mzelX~
zsBFMnq07WI^Sj7kx_}MqMwL*HfO+Qczd?)>ry6%PI`3c)r+Hs5w%m#LoF;MTZx+0B
z7@GAve}X#rVr<xe+lSmG64q#W9VX~!;a^w3j%O!6pf2QCP%sN%9)pI@;?T<vePjTd
zBOH|WM)DUJ)TqRXp-=Qzt3wN>G5Dr|L9VS4=9np3IEs-;eCgx4?bJaUpksSS9e!M4
z)I#(<w6I>=d2~6CCzu3-!>|u~a9pX0N0(*ikztu*LhPl{F{q-pq&1o}h$iIT(q<19
z5f<*Ss=rU}yHTh5FnYWyb-1XnYHlTIbNxyRhMVOL&x9|d+_o@Lz_tD3$Fb8>Q1wfn
z_5`Sx($n7(>7k$KPnK=zP))<NJ~H{~55y%4PO2l*V?AKq<78dHs(%Rky%b$muk(`g
zJRZQmiNZquc0-KPH_q^9Om)7?&i%PX{Ro$2dhL#NZ!+-Q4)x_Ki0zhl43O*g8ONd?
zb__!V*K)a(+@rrbQk#iUrS|Z&Vbm8q(WlU$yea;Wz9Em!nI1ywUBE8Ee<4ar*4mG?
zkZb9QLhLazg?Azo`djl%=6SlVuP8|Wtf?P<4D4GK(p;qqKI!fWzpJ3>HlNnIH(qnd
zwAc9eZw<PYH`1jraeHZfbv!~(>sJ9-29}^0%k?Ijsf#i(HwJX<gJwcy)pHYys-Iux
z?anm+(|db0EzCTGS-tER$sRqf$g<qaIz9>&iGp@Q5ck;U(&Pnk(nD=SI^&@@>L<Vb
z51#mH@-M;$GqbEbmx>_xQu%-}W-`^{pp#*FVR4O5c#n^0z&HxdSexsK^Fjt@R4Yhe
zLNsBnP>R=b?uiwAS7DTPlyW&f4G()c_as2L4y?YgFSAoElifc>Jgnlvb{UmT>e8@n
ztun4@?%TB<bPc9QCP<vb&%S1UW@ip$$Q~oN9@T_COeNL*T(!Al>uv#GXzeypVBD^$
zXy77^(D;|B>B^5Vu&i23AAv66`m>Pe5<Qouumo|**OF)n!%M1~0cQoH)saqbqHd9-
z9sKOK+ULGVoJ;lgXMHm^HfLW!l|%)a3nov`Nd>ilZ2nBFpRWO*d9l$#nSDzT=;=N3
zy!ZkmnSPg<*)`4bo2CZC@4j#Xwia;o=x9{ii+5a0Rt|7QmK9|^VVu6wp?(o+wYTPY
z7N*+nYbx<Xa>bN+Ny`=(?`bW^dL`B7*`a;{x?)ZbeT+51so(4Zj97CCtlE+@3pum8
zP)n?WA?HzDL!*R~`19#JS>>9e$>0t{hw@cnW~LZEpTu_!wTC>5w>`d&!EIrVTK5&b
zd|s2ap_>bqhYI;t%m;qjBA&3K2RSok@|i8A7_;BuP#9YBA#!UL>x98))mRcWHCt~4
zmzK@mKX+E<&iuj7tEq%@));<+-jVnDA(8!o2-;=D8>fLbuMP;~C=R>e9u7bHo_#^n
z+#5#FFazGO6<(nv$DtyT_yiLPx3OH=<|(QIL%qvjjFW@B!ziX%e{9e+gZLkpk9Dk5
z7}dz6?BCE&By_}wM8ow+o5~cRdZg7)8XWDFkOcG$pa-BB@wQ8?M#l}^2hncf+3a<S
z^~j+l?4TD8qNUH0npyqB>eVZ$ey;LSG=3<U04`(YE_UVjJ=Gt_zZYC9iYn2~U>qFK
zv7b<ZP6N3b9Sct!^Tz@l4iMcgH=J}H^~ym+5euRRQ9sa{Z6(%=-i<ogn+|1HI)iBG
zu!@))PWoA@e2IQB^6hCIn#_B)<pv&Fu0+z>VRI!(U){TD!}%uVX(Ms4Xq2E!JgaJI
zZ>Qo$I5RfZKh4u^{K<+dVE`&2$*83(tn0Gwy1`2C=>+DFqGvW^`zcT{gG)+Jg+Ff%
zTe^RVVl&gepgiCw^`8inZ`XfbGjR+M%%?jubpK?<k24B?OVYgI(a}gLYjaH<1Lzp>
z9>&oQJVh$KMGvB%-t-H_Jv)^zdyOZ07b{=|obde*X}L(gY86|qrPq)Dy5`jrN(pdS
zZ0UOubht_)Spq8>&}lNGj6}ywV`*?77oAU)eWqY%<j>4xOuh&HqE3N3?|eHX+M&$8
zzHEliQkGs>8gZ!<P5`CL+_gN)=%yDg{W2$<pTkd%S~S?6nDw>28lvz%`n;z3qi>>1
z*aa|m=yqSoY}H&c?!7O?QFI9F1US>e*b0)j&M&wKXLE+?tg_UVr{P97xyAk*FO9if
zxMWk&8agYU?UekGRZbUd&=o(ZH2b>UL;q{f$kjr;*Qb%Q0|O@dx$N6t+U}3s-n`a@
zT1aq_qpPm)0PmGiRkL>)@(yx~9;f4wE!70)5d2A_te)?xD@CKoCKqCDGRA_E>Wa4=
zm620RR<WSGeTqD|$rWUF$J1!t=&twK46!HVC9elsOgvdNxUk2<cq8*rA8yKCZ*8;Y
zu8qp)OJa3tTKy_g=wFbn6HA@z%WEs{{myhv;fE?XY--=?bJnOix0@uH0oiiVzWd<L
zh&1IwM?)FvP(&MqC3`B^GHVv2SbMc?%WD*C<GE5K1&(raM^;U<MWEcj28syK5GD~m
zik609wHCEU<tHr9ux1B|QKT=((#<XQB=yW~UnfUY^7*&)Dg&LWn=GVYWyqh@-){(M
zXI+P(3S;o@=s+NCKDY{X9F<7VB#7OV5c}L$d4_e@3+1L$g&N0x*Su6fyw2KJe}25n
zy=!C*5`k~Z@zIf|l&t0^R?XY{O^DAhA}^htVOTSm2RRf$>3Pbh>u)`E?WtTYf#N!H
z<2GWv3md9GzZ5pZl>Nvyv~p_X3G8i~KUC>n*TlCfwx~E|jrdF{;AC1sQlAN*i3YnH
zdFbIn&g!xTi=A%bM7Zm%s__z~bPT(N3ERm05|x2E8}Y2|16z?3BNSO=f_OT{qmy{1
zp=TimUmj;IqInj3!U*_SVn}mMBM*Bk&?0@~blJV(o5Y(2oFKvd6}Yf<m*H6ptoEN8
zw$%_IVJ;$n58b0r9;4uYpssXVdI-3PlF@v)PdCk=8He|9&v==^+SK#vvLbc$$gGJl
zQjKOn0Y&{G7o+OQp?SmKmBmp*=tr3;m<^3PYIz8IS7zm=a2L{v=}r)F5B+_q=14kK
zXIKY%wcfJkAVd2&CozJCB`L5)uPYeq%M+pJ(~8$)AAw^`)&g$U0!kvk^Qn0v46VPv
zYcKLLE4I|sVOl)?CcaQKfbsRa(V+%4&PuXLxxc!w?rB#Ra9pXz(g!X2dK~qDqt3nH
zzg#LHU_yJh9Epo*+Vz5kj5UOE?`SQYb`i1%GSau#{FiYQs^%xGq!>o8tzX|BrxiV(
z8okdsFD7D%0)b>W{4`xi)3){34pE)=t%VpSCI14R#<+ntRPD+JUI~xD1YTpy52m@7
zea9DKbikIVW5Z{8Knl`G<ge&hy7?L03iv>kQrpPPY?n#HT>U=U(wHD}S~Bf8Ezr5n
zPnBCuUa{D+=8dGmMNUq-N}8KGx{zBIPhC#GF95Q*PTk$Vc|%-4UjH#HJ8dVuS()iU
z3t}E0#{q4o7GAH|2Qes~0OBhYR3^WlfY#q5=~otq{2*_L3<t@_*PH$ZZWlYj{1#yv
zo)7_|MHTY;pHJ@l<8D_DCqNh1mpW-*Z@7E0(NYNGGqBjO&7yCV&Pk2%bYbGx4`6dd
zbU$=FGaDKqmt6kw9rbt~A`ZiBN{%m*hn}ryhuWMww8n*bw~8O`o6wZ{wSH+T01UDa
z4u|~l+>L88i{xvsP*(nTLJ|;N{#0+dF&wW)tS@6n779*MvC;}bNM#G`CU@c6?aBH1
z^K%Cn^Jp9=;h4U$HS^XsQ3UtZ?rLY${^PQ3@FO=)8?rmE7=aK|q9!@t9ZlNiTh{vp
zGWfcZ9V=IcpZb0yiO?fF;HnRwkYcs%Unm9qVMY`W7U{$@A8M6Md>pNL_0$sMK!K2R
zsRqeYutDxuYsp<+6-9|%t!L#SYnuD2rdNiVIx6r(eIHOVb?`NLKQj%`l<F2${b7%G
z9(&iB;cMX-__S=4&pGI$w)K}(osWy_&1Bs+;8w}jp2AzjK(PBClH)?&cS<1~&m?|6
zuP%>tF*o{p&y!24$h|^K#-YcTx3KR`rk&Jy%wd)JrpF(2npIqP0zD#P7VoEaO^5du
z@IGC>x`-r^htfkGjbORC(&Q!tM$<&TyMMet*0+zW0PrR7`n=^V4(j2IymV35HvUYu
z(6sVx_<OlO%*QKlhJue^d#Fmcx2m2YM&4zCeS{(z&{Xh?K5vTPO0A|o^2G4s9C!;g
zojj7y>0wq~GM;wdJS0m+%C}T7vCB@R{Z)v`NDk?f_TyRF^ALZknWgJhp?&33j=y9d
z>}vTRxUL@5NW1DrGSDA$RXUpf{6Wo@paG6;#=76>gnxOPwwK*`eJ#j_b?!;@66SSK
zf<nBTtp><$|4pW0<V64KPpF)Pd`R~W(!!+K{++7a!x;29{zW~5hoORlw)(i6<p-Eq
zSW0!6Wv~8DjCi`|JQQCf6H(Hazy976ao<>vJ((Uwkl%tOZk{^p*#9JJwC2iS>vcdI
zI9JT<b4O)O9NPxz_VPgHM@JM`bLC87@gpEgj<Ec(O*NNni_KeKeL8r9x2ld{l9M<%
zXjP}<erpm%9=TL~F1)Xj36sD%J5B8%oKCFesLI77eeiGeE%jSEKozkU)YP{Mo#YK=
zuPY7dU^IV92Pd@!Jky|c1~||4(?gD*wxQY7BhnSe+!xcs=2dHLQIy1{2L>!QFY64u
z|Jt(pDOt^joRz1(B3#BCj9pQx6zQ78E3)3P#WI=-S1&x^y!kvC3u9xm3)PZ?V`RaI
zN?T_feAUnaGMje<%QM4xUCM@6>%diQ>Fn8On-#mQ!C>*3V`yBXK8GFuOcZ{T@a}lx
zw8#cw`24HVuA-OO-vo?5Qz<?Qm_t=UbLwAfP#$_s)gMf`mF(--r!$SzYDwVlqmOCK
zmW_njzExQvf6vasjKOt0?Vg#A^n%Quh}g-7ZC99agKZQl1x0VYPB*MM(NktpFB+<%
zJ5aw9tHLmSGznql8xgm~ILT#mNoCwmv}~(riA*^u*qM1ed_B;zlFj#1gov4Sb7PJ3
z)#y}!H@VESyG>rN-vEvvBYMIsIk-?=&k_HoQcsjz6szw!2%0)*{jBWOcpfKaH-rV6
zbFB(Mf5}59VLBSSK^G;GC-SK{ER}NX&)1!(e&UYK8_ii|M-FASrYr9V)ST8BDE6!g
zDO1faaC5_GqhYlGH39||U#i+>A@!_xP4RH3yL;cu_@Cn}B#TQh^$6(KLghJsg#uvZ
z#4u>erO`Q?OV(oF>y=`?(z8%t94<3TJBztHl7dBGbUeDryrX5L;Z$sjPGYMX?;JIV
zoJT4}(MAbj)463^fG*?cNdAkiY3P)SiuzX3o#<icVNaWc65Y43Mi54c{qzk<IOb)~
zO<s4i-BsIbl^e_W<oNr^5*ypBV8LYQ&86uqEoR$I=Y@@@?+#zSLduAXGR-(D3Iwd@
z`O$KX3g{o<)xa*Dk^Fr6)3g){*0m%QUVMqWQK?0Pp2Z(pp-;Va<2ZPJ2r5eW)-Gap
zar%L(t+fQ8X?^lIH)}dC8{2Gw+<o&e3+BmvcllAOP)g)$63O7?=2fTB;fqxB`rN!>
z2vO`xPW{Cehe^6I+d}4g$0x6%GpHZ<!Nkq`@guejoa}HekQr<YwqcbCjJ|=WCy7Xt
zovz@kz&~XX3{vq)Ip(aA#|asw!K$KGiwzg7b4^~W`4^0hSOpV%nyOb?Z;4-oQhlKs
zi;MV{N2qqJ6>DMBG_LLQl7S|7qh}1bwsyakIY0KELvtkEATvB!b=E;4*Wod<s#8)&
zpH98Ab>SW!_wkZWhhOC@Cy|w1vA6(lkGgfWP2mM>(8B+TDcKzhK!bS)8e4i$*jh^C
z>%Mqxu~gv&1I=eD3b44*LfCM}QYUN?QW*=g!5@_ck4kYb`YvR26phFle})UIc|r?V
z1JImGOMnfBp?>HnzC!7=*x&d1RgJc@YVB1(ClpnBO^XZwyk}t&pYdx@=9<WZH+$Zf
zr+-8VXR>wyf5?!&cq1GFSnD|kGSF=iN*qh}+aacr$>*`O?^lmy9>H4&9>?3)y;~0G
zR6We%A3~#o0_WRsAr|yq!!je-6ihV<v5CtZ;JgCqHp*Y_)EtSdEB#4&7pc~zSgj)-
z{VK{`?@s$Wp1hZIzOJk&d>o9T7>(*1Jxt3d-302@^666al4Ze>+z>bDPykNuq3O}Q
z@@ijvVtS1L1H~s(QedhdG45yx1dN+^Iyz+`ivWq=VWeldItq;L%*XgGuS^shRor?n
z^y#^u9qO|01$JHBy_z~!C-`o&_cQA1GozDAfpX@bGmPZgPLu6gQGSS+9l{|_bamsf
zj7yCyOpjor%SA@nq&V#cNsx}+=vpVBaoHu7Ckge;-lCg_{u`7`{{f{N9Z_Dn4W((a
zuWx#*tOyr?>^mShY-m{r`$D;|D>(F1S$i7MV4iAlG1m(djj~w70h>V=`GB5<Tup=D
z0XaHe>$ScCr?uy=Zf4O$bu|jFSFtYxT$aAjPcS#+k@MpsYcfD3-Gp#@&-gpE`P0`x
z#gl!Fe~K}c^TzLRlehef*t*j+ImaY(lnrfz2^9Z}CN}<N1tU^sF*6rA!ltHte!hyU
z<Q@OpvZ;|P+=~hBNlyP8cDcEqe?Ul#e(qsGQ5~yd=6-O+$b`d75p*avI6iE@rq?kG
z=UX~!?@nNa55|f+2iCPsxOXq3S{gRrRah!B1PSH3vzxR@*(yu<Es=4(7;fCPw-<yc
zwB9uGlVxz?W9w^agZ7DOfMFMB`J|8wsO1-)0(APW!nZSJihu~NL_na<j#H?URgt&i
zmSv^y&49DLU`j{U#v%!Op^r&$K4Y`Tn7;JoI9<b8&APO-FlYVa1+Yckfkgbz@!`==
zJxTRtpU~+X0#t!v7@$g{N2{WSpSlMh9Xx^dFI>@d!!vF@b&={cm^fbJIf^H1#(WcC
zkfS&#NJWy^we+guu>jOIYkV1>ZYX{&SNw6a$FZ)O>9P4D=?d1t7l`SauQ(YE@L2f@
z_^9G>7aW{<(*Zca4(L*?E;^;dHv~HjHgDVp<HTnWHOLoTGY)#z4iQX8I|S=~chAkI
zgx4pfzwz(a+uv%V({?CftuXD4A2o$>Z+N=sGu^<n8h-P)ehmJzv3X14rnRZu9uego
z3TEQ3`EMwE*SS{ok{oxn3;Ejxu2GRmHSkgvt1wCRg%hY;69H!gJ1!!6I=f=f=q=$c
zjU}@Nvw4xMHtvqE_%)0=<O(zkPj_>bWTlF(3DN?vr~ql@%IUGeqi)zRbQgbP)xL(5
zllEapXH_^MO+O;}p_VIqP(uajM$_f6EL2|I)hz-Y{1q}ITm&hbnLXA{{z4SxWGCs&
ztMsA`D|fT<p3acQH4aw+;rG66?O619!_k?izNa2RRq#}qb2Ml;*Jj~?5lN)G#-t)8
zz_Pez@6?F3Z`sW8CZDQdZ}Y!`bu3AFo}~N;)YxCW<zUCT7N@<~RM~jNGV&IeNSI2Q
zLRfwU%n<Ka219r2$W>W90E4_Adag5AZ>m9!f-iawjAZQbGV|PKkVWdEI14|b#SnJB
zEuwSk$HdXL=xj1da_$(2$v2W;KDC$srMIO2NPc@CSRHf2zoB#Cu>ZUl9w$#PM4k*X
z>%|J4`W<!C<7hi^d)b`e1dz%ag_=#&NAsU)jDd@bI~9|D@z@zMd93w+?PKL7%#sB|
ztVEnvZ_kLF`!MpxL<BgmN88`NgV$>EFFDe()id&XSL%^ui7>p(8Pwsy<_>Qve@u6;
z&W()SVL;GLwJU)S?3noatV>uuyPtxDX4cMlK=Oy?r{YoNLl2~wIj6U0HOPYcHA<wA
zBgWM+-h#6_pu>>MT&$D5ECC1FemPFMwZt<qGk<M7vfWW8!SB$>Zw)2JF&^M6?FsoC
z^L8C&<{<j%iYCn=<%D!ZLw(L)3Axw&mVFS0Sv{SbKsxi**&N8%tDNqN3PC-rGg@R&
zGU-`fu;XfbLr@dh{H0*+@>MtGqs-AF%Ri5a_m^GF^%Viges+wz*DrOB)H7isaET87
zWRBln@7kM5c*tC%+EoZP{*FO^+d<8U8tYGOZ^X!G{UZ>UHk^eqZiwoYs0okUD*3qR
z_PHTa8PkH3E?%|QK0%@i6h>`NIwNP80qacSyC>@MN*`zcgNU`S*-D%5urO2jlqgn3
zSSCnCO|}>9zu{=naJtL}TNpo>i2VU`pH1z<Ytq_}D_>65+%`hC>iAqCq!#-yT-TD>
z$`w8I?F9xsnBpqL+&p<S?|E4pV(<7_f9Jp~cm;wN8^eZ~(q=BRJb`I1><<-*A6aXB
zEWvYT_^$rnht)cRSzVNsnuj|h47>Qro>qJxc#%Min}@(gt~->^SiJ*!IOF4_^x~hf
z=XI364+vJPHL-h`Es5)?(Bp~o&aLaK;WrXH3+(0+3zBe-<(8gJ<WcX#?vCPdSK72J
z_=j99WIUKj%u+8OW>9ZVyGx=ueZAu0PjEl_KB`ei(VD@LVfFV1ms(`ECNc_FyPu8#
z4(Hx_gp?}OP*7EfY$G%M<!yT3bd(%AV7a*z-TDXt3D6XBOGu@lE!OrFt81B;2ZGNn
zq~8X@s-G>*#^qLT+T_=NF&+xO0EEu&$z1Hq-|714B^*w@O28X%+1#@s*2{L^)<?!M
zgV_+~p;XQ|LK3z~no#Z0;#aZvm4a<f@E(;gbqwr3UO|KtrEXfA!7QWSMynSdO6#Uy
zm49JD>LRXByO*N)3#`X*9~Tu=T$r&MY@yzz@!VOk8G{Hgj|()THfc+}x39<D#Z+zE
z)M&;XkN*@n0FV42VV-4$`T)FI{nHbMOkRWt%`qR9mFhD<tNeYL-;;%<*yDL9Q~NqT
zR97ChaN<4wFX$AEvAI_#p(Du}>@)w!q2D|2970%)*2|0h|HH%&&xg9E;}eBaQ&XcX
zS?G}}+#{BBYT|`49y_l~B{7I^sxI2;bc5_;=0XeQ7Sapb13Lo0Gb@|ubLPK6(2_$A
zG7=L^9L*~EjOm*DwP-sU=F&eJrUFO9bj+sECcY?%m7i~D?&^5^=zphpqnh&c5wR}h
z14a#MOLpZQV*Hs6PVJF0Kk3oJw}vuGJ^o&R+9!C+TI@;^3n6z#aBD@JB|;~%=2!t_
zXrskWzrV4bbM&j-(E@$<wbf{%j;#!TR`aLU+0}PwnCmLI1z<bteMcNo_W!^hpjIEo
zqa?h-w!{3O!DxOTeh5i;3H#j(H`7tEQyO(`KYZ=xll?r+kf|=5#SZ&pWqlJsE=3(G
zzNaJYCDrbAFIRr1Gf+t`;bnwq5wzo7T1S5@aIn{`YeBZ{o+pYwzuvNBZ2{4id{;9Z
zwRJT9HlzFu&O92{h)5>IL=FxY*YVM)*P$iMYqNL%UocNl`3@elIqIApEm+}h##tsI
zCg)hpurSe2t<`*)?AZPpCsC6Jcy3Z~enTW+7Wj6tiwwO7Yf-m_Ipc8IrhqHrvDO;_
zrO0wrEav)uk;BHObHW;+Uj9Q7@%`g`yFda>A?ot%$AX33yS-0vYOm(pYy_NILU^J+
zhIeY3KlH-EucId%#f<POnl3y53f<iy0kSji#J#J)neGA^%nYDk{;OWw+ttWRQEf^b
z#5?q=Vhvfm94wsDJiRUcCmgh~hciD(!9AVIHIpUp_7op6To9RGQ2Adv;D$WU_Y1fx
zigO578w^!k$~dDlo%}$JjEOaYwe@A%EA!YP+7^=8_dDZzO+<#_*3raJl<F02k@JnY
z5hzL8CZ8WZWd@(I!g})ZK9VDKx|X<>27-P`fU7FToTcIE(zon@?Ij)E`u9k$^>IZk
zeHqm(y=cX{UGlkEHqmAzbk|6T#^#FsW?7`$N%oZ6gV_<HxV2aS@e0%b0WEXVMh^Ad
z*YohEY_iFIprq3zlB1P|6Q&aQ8}=2eSn?BCV1yOrLNvR#<R7NjRDHYhYLY_0oFF~u
zn=gG^Xq+*J<A=7!K_YJqNWyA_PD*Zae@~1r>ZaW;_<+elouSAV87Y19J!cPoaQQj(
zY|R(oq6LpusIBp@VfjV5L_%sky;G4^TRXNiu5n*wZ{u`|GInn4-9;jEZl`2P#I<7W
zjqdQ2ShtzdGONsLg2_iaI~(3CGvJNGm>Q&_^J!%8$_%2aCeWMhHYdx)Q5+KqF7=xO
zlldE`pA)YZbw)VcKX*#HWpAV~v?2U-0-;EuWp58pG*MplVX3Tx-^}(S9+Ni&LzQvz
z$|VgO8ZWC=O(FC_{7Ke>S*f5l5bO`Lj1r6p4X!7^UJu^C%hqL7h!zV1Go-CN(hy3t
z2nccje5fyyyj1jRE&wXkk~Z9+#yj~m!h%2J>-_!&7qMY#?+b~{BbXiT=Af1KZ|>GN
zvpzv~J5x5JUM<nY7Ay^%I5&i~gUX`H?TsvZ{hW2#<x)L8;rP)b@n;jQn%d>96w#fJ
zldQZEY7$)Hqi?celm*T9kj0X2h-0O(t5y<Tn&V@9%K^RAeBT1r(Ik|{v*1R8j|wg%
zRID5pVX_(@<y8!5&<nPPOLXI4?!Mm;6;Jp;7H^cXUjuD?ztfiNqtIO$Go9`wl$=Yq
z1y8coXEFCPK5~$!sO6V4L;RdPGPrAc6-?p@i1d?;#mE330A8#+K{n9S>TYrwAUFr%
z$ttn@xT}Ff)W%9UwZ1t=@Y#hE<}qBnML)jOJwlH?YoH2=Da~3rWeZ(9@#9szCFT*=
zK|`bldzXt<`bpNIN#Yrt)PtJxqD%*@9IOlbYE35fM=!SSuD-|CnhP1s_8eU>UWnnl
zi?|Zqw~C<-p(Mil^s|_;Hvu6}gV<f5;@$PMBQqA8;j(_;X_hS)0?EUPRzz3Vz&D?;
z_y1E%R75>N#|1ERER7NGXkELOuw~yn&&KDRblNVo&KLhcqiJ3^6Nzv}3_n@P^F2oD
z^RDy|9r6l*M_sMC@40w!Ru~wF=6X+YdpH(~!`*mOeBTA0$3SPg1b^$6=3D-m7~22>
zVfs^GdOl09H_MJC*PXkLaw~bz)|X8X3ukxJpEBL6uv|}pH7b8$=s)DEi%Fb~y4keK
zbT#M}S+%@D`|!W1jO5+}@{#_}(M=sUcWP*pNu~8^@ShJT+Sb?~!CCUyJQvOJB)+BL
zW8jW@vZg#UVAbvG%9`1vr4ajqGr*mL_-=m)mq*>sVbAVUk$WlzgLVpUW!p9pIF`m;
zpzaUa*qmo~l5eGXBOeo$H0Nh;AFF*2mLnVdC0E7*L;tK;uC`hA>Qg#uEo9Um2fJy>
z{2c5t!Vvq@PPhM3tdF~L3@oW!uCxnLA67|jc3%pEkKEk<=q%>Y>|dP`@Vt{Nx}z~V
z_{ta<AO}b7#jR9w@EWsSl6b~zh%79YQYA`+WSD+Iyh0eYLmxvEcQF#yT-XH(MaxhD
zC!yXckjM&JiyJqz$?+xcZ)3(O>l0cw@80rcKD)yQZWk=2pAtwVNPmJ11Ez=)qz_YR
zhC#95gg$Xs6qYTEFCz(?ABUUA%xBy;R_Mg|bDTKV`zCBT>}TUvL(szm3OQ9`yFn7K
zc)iS+Kac-&;z+qXW6EN~p^7xPMMy`08mFu0oLiynYrFOZ><}(cj2yT*J!6^&BoY6A
z)Rd~4wh6hb0YUinD*U&zl|!7x;k_Suj=g6i)2__-0<r^%U34>C<87;%jOBZ&X2{yZ
zuHfU4r1BaIcoT=bpia(3&c0w3_Jkp5<E)v%K5}lZNn_5Y*WBPo;%4bP-pdXXP>z(C
zF@&9{+wzg_1+#nhk*$CHl@sR{f)^T8Td`3ph>Um4P_@(Kz+o#a2Tfk~gxj+HCVp30
zA)n6VEG6}RiRQmug>NnQqJFz|;01eq5b-^zf@Z!ljCdjCIrYrJKvx@hY&SF=-+4~t
za)$&^{SKA5snQLG-*S`CWWSJ~RkGb!7Yw;j$LwEIDrZ9jJ<u!IE*_)<OGRDYxI}Bp
zNF!wT#TTvX386cBqEl&Or!{E@UrPUlFVr1;S$+BszBD{OG|m`6uctL4B|a2@uPtw{
zd#tVu$M-jo>^l0^%J?9UL!WU;`ljSymq%Vv6s=*BjI(T*?Wkm}%HWADJb66>@%GjN
zCNmeN)TJJjjjU#c);?Gr7c1qZo^+;$Mi#skW{9A3V>D8s58w%x!U!tdVJ$rh0mZ+s
zSdI>xA~1qf`eEKj1+?Gm`H?MPZySz!sGi%4iXvBhVB6#(;g;p>_3Hs;-{Tis|C(X$
zbF452h4&d-KTDQPSlU6F=Knw%62}W81O4yX)Q~`hP$)+e&262ImD%@GaIFT*L&yA(
z$@G9(Aw7emv;D%JEVN+o<9rHk_{LJmG`wJx6LzcQ=)=rfH+(-EnvUYw7!-lNDgP&8
zpkh{L^brl&ts-CBJMeh}<3Z5^PB^TMH1W|fA#3hL9`0oqqEtQvHlE)d4xRGd%Ye4e
zEA{y_oONICWUROuL)sn@L(qyAK)_%7O0DmQk~-DV*BlY?bG~y8*RV_T?c!LE>j%U(
z?Jk&N9;TENtw>!Bt;EW*g6`?H+;e%T{atsW`%Blun4KE0;C?fV)K{$}O05Ou=?3@9
zE{AiGyy~-r3oLBN7FfBk5alupUd60@p0)anKaCxkd%}3UBnoPVp2aF?d_>jM%*=-8
zR;$R*2ImWN<idbFj;@BWguUhOp{U!LF?S_5k3#cNe?*IZo`T+D>jEOk(Fd^2iOQ=H
z5V*S?OZ!Ar&w(>jgaG8v=v!x1PsuV&1Nol3Qm}XyVobOeG}N})ihkxT#?{pscIx1x
zrVftzWOtY}RswiYR$!d4-cG5#D-OS4n4vm`dZQ+`|8b@({vnMQ({YfH?VeWwS&2|?
zqgYY+8=z4%N`puM@*Ca9f)$FjVo#QNJ#r|cEi5jYcY;$^V4#c7*+TOVFF>U^b7ODY
z`IivE{!c>WM#~I3{B1=&ih2d{Ze{&nuq47d=_K;Bw4>Vd#r(qhP?iiOg={leP}J$#
z4s9M)o8F+z((A%_ZMv6X_FZ?z1Fj-<a$`Q87%Qt>xwNKEYiSrOxjYD1wO78jk<s25
zxkOR4K(IBQ(+j#tnoe=C4UOvqMD)kNr&oZlZPF0F0sMpf*iF<9W<tx5+Q9glm+mBr
z^M0><q`G$jtwfc+V)e6;k}&5YK-0cqM=wnLejujl%d`2xpSf695)E4raNOcy`C!n$
z<-*E@HNsq8Vd?txze-`+<D+VsF$`~tA1fYC44>s;nS0z2zm4c>sAS%(mF}%%Rz%V3
z?vHsXKf*8fhW{wa#wZm68K`lJ<T6$?*YOJy!P@cTKj%v8a$e+Sih2O==JjmUe69ck
z^KSm#eYtG<ry;On-&8|*ppGdt0-Ozp*=ccN)Q%*Go!8+$`n%~E$y~a@lo9a@ko;GP
zjQid3)+rJAze;2poD!MYMQPJ7%-isSOf*yf!Z!Za&BJ<;!x%@S-nqqguS-_$4pPRC
zu(9mfxvvKu-a3@8xpfpNygGu6?GJ7{wx%vx0!f!bxwI}>Y+YCe&Nk_21AoTM&v=o6
zex{!VoxpYK7dVhFdcOlVXH$!Y!9C+unAU>4C5wY&$1GqR9E*PUZyW=wX2S8TW1<eN
zU~i8s7K@$;?|T5V3EZ&Jtz?T6o%-omDY7%+$`oaJfB#W&j$dIvto9t&uaEx=%l;gy
zGB@G43qUW*UQwTN7}0H-E1A@L9yH~>BLaefnQ^!3Jl{*jBYQxgkw}vAK(9j^=!Ks5
z60UIv;y7)AQvqe9Om$Kl8j-0pDDx9_X*r7>XL-cShJall*=b4x-m6-E_l^wM`SS&<
zAvjxh(FdGFhl(!v18a^xOH`B%%8*7BU1?Y@C)BDXQ%nFkJ9>-GMXen@5b`?BN1_<x
z;>NIi{w@4?Ut1Wk=_MX!qUnN(*5Xa2Z@1^(pIuN!{lwvLMW{ql7TpiIuyAWj@Gstd
z_>T2ZMj(^sMLhPEZ_<l_MIX<4N=?HI#*(R3!WvBupdUzM!Z#)Ya*P<Z4-t1c!e9t*
zr>q3e>VjA$ehpEJ@Fuqp3_gC&G;QcQ=f}(eLW_VbuI~Win@L*HQOsl3H^GD!u4oaR
z2OFfKv-*-G^e5XBX5G%cR7ehXVEq+}L$ZQR;m>_n-x51o^Jp+d54J+{*|lw^YJzkS
z1KUUY`4iz7P&tbSA5fbCUpU^->@cQ2_GfM-^%ci1*f(VoP9}ux@dHJ0oTnV42G$8S
zyST3KFVATt*vZhb?N2*+Yx@adYh9{xI~$DGc*$C(6M8YLKYv0xARclu4G@m8G=(){
z@GKH?DVc+i*(75?=oUK8vnCsA*dR~{YX;<+&Y=>%X2bFtr1oAnH*UDzkN|5MLo#mx
z<}-RV8<1}*HTQs)9AZcRAS9W?((XWe8~!~0>gCd|lx*Kdb#lLzW`WYmxH8`jwPzkA
zjL`?s_;g>M6~%-^1pm*fnZbY*pjOM4-G7=R`7hzZOtgXWRYQevO!tA6h#Dl%@<`={
z-vOzW;-x0Wf1pnpd4*n@JDlwVOshYS6kYbs_s*3k2mQ5t6*R<HiM5NDe-qne<;8>N
z4BMtcXt5o4HBS6Dkai1R2m3x_gwTgz)|Wfwc`X@EfNsMXPzj4kD{0`+iHjf0PWZb;
znuuYcu>Q=fyBx<D1ST@<g$Jl2+2Avmee6W&;y=8qbdtM>T&#}PxzyPrCdT{QBMMX$
z{6OI+@Qd>>`ithPRCFA@HNWv;UtT~KG5qfYUSTC74K`E38aEuunYeI>*$&ruNgrjJ
za-Kp7{Aw_6%^}iO>C9LFeF>NQHVLUoiQ;Vg$!q?)V(7+-KJPHDzn7)`8Acg=tg6<f
zW3&eSGjWk^s`Jyv6I1`l(~Q|$=-qkmw~yIJ_X_LOM`aRkR?0{nq6Hlf+C|fclLh}n
zo2*-Nm-josI6^KUS(4s5d}Y1M;0vA|+>&!mLYI3jeGXnVFCQmEM}f~sY0H`m4PKGh
zSwO%RRHLPIRJmAnV*4`uQOP|ZljWDL$dvDZ9If$$DM|vn+o<yO$!VsjUJ+&;@vymb
zHqgZ(h-UDTohoDs`3T;t6005PsS>8v#(kf$;|_feA7GXlAzApl@Tp6Ch;9O9tLlRd
z)@D&YdTH!n<b<+q#Oo;M(Od#ld}roI@_(FwAs5WosM#t~17dGF>kp}_xR4H{cScY?
zM=eBvA5N(pNJ<nUyuR}v7SYC0Guh67dmIVbFsV}(eSvWseoAGGEjxQ1m+iSbk^MZP
z{{u2)A_bUSlBjCjH@_HggH;rX8F!<i!uSW%u=VS3t~`q$4B|sQR;Zd<gb62;%4Wt6
zu=jJg<h09T6qIU7K*b3!7j0<%C6es2fBQcpg6?g`BPT_l6Z<nOAvj1|!GbJ5kfk=j
zJ8{@04_9nmBZPgfz)`M7lDo>4JzFJc{ES6*SsUHoh`yeGQSWHH{q@mnl9mm=JCJ_Q
zCE~xR=B<l$tZHO`!+qP1;aJ#lx6aY{rbXzdj+2~uT<jaT%`;jQ6GVb~rpC)nN0e>3
z4XKm2qlls3CcH+Y)f#dNE)hSr-eHO4AIC^&vwk@#oh&H)tt^GGN$I7AGUs2@^ZtQ(
zGp5CZzx*D?2&iSPQJ-bbn6{bzaK}fQkeJGVJ1$gkCU?beiLTPzP+xk>^vPK#(el0+
zL=bNG=2{teo|lrJWqsy%O3u_hE!D;4K|JwSJgNJGn`)9Uv-kVvN6jFvioONor&gU5
zUs9n~>g!B0ulDtCq}t~n>!Zs&^iOV2uNquU(c$dNC{F(2cj;FN=Gc$DlWbvI^qPF`
zny(cKLHqWOEixAE`-QT;H2m4*5#23Gcm<96x<WsMkgYu(^hVyqo~g$f?g2XZzY>Gx
z1#2}u_2f)#cE|6hqb>W%xikm=ZbsMPB9}IiJgs2HS?043NHu5zwOo-I-AH1Ov7O2x
zWT~xBRk@6Xwb-J`G)NZp@){%@)1Tv30Qp#VL1g^-gaF=UNXUZ{Tvs?zjwV2nY>&!@
zwJ?rs)~OJ6YtL3yjD_oY(?Icaa<$C&_r9*!g~ac^OPgcvD6F;PG4<EX)7>-4vSRV7
z8kb0^y+_AK!h}am^1!kt3SK&XXUO70&ojmrM@=l}R4%a$Umw3e&MDlpEJ;sAH?RZ1
z1;+N)c)|LHj!0KUQH8rEvKd&Cph-Sg=k6bV1UI$(ipsA0$?>HoFPqbWb_Z{xY1QO5
zQLI|1ig7-avb5vaJde9Nk;fe0iBkXQtN3se@tHYZ1aB$z{1ro4GsYe0rzkCskQ?6_
z&z6gBuRYQ7iFzZyq=Byh@0kWJRE>}$2$xz>#E9TaE@fm7gJn+1ad9$ZF9`nj*Y^XB
zT(q%}GsObAktY9R+zfrXbdO`$nJE(3f_d)+<qJUl6ACM7d3M)-H=3L%ihSkZn@GL-
ze=}}Q%Uk{VCCc&f6z?H8TrU{k;1G0=gP30a)$NG?i<zeZQjFg|VRH*|Y-ZFP1fm}Q
z>*tx^+VS%c9ycOkdmsb5H<~B@bj1;Ns*w5j|5b&AT-(Vy@W~qxiU(;I&rSQeT%HvZ
z%{?HBH1hY)=*0iAY#Numg?g~!A%T$Z*a=B;KoaaA&&o+CI5NPq?Vlp!bJ}oCy;qf#
zEyA5s0)79-mG7r=;>OeX!;MTlb+0<e;AC&VtjEQCi!X>oUt?DA?ZOE7!w_Mm(-Y0r
zf}mDjQ(YAG@zVN~l5H4Xhf|>xUwoH(B-cW~Sb5iAoTY#rF@<Gn%l>Sa;jYAZzXw>J
z-)g?d@#1LyhZm<kuJxZ?DSu0fFgh_kbKL7QqVgnW^OIkgxv1V**&u)VcGKmFsP-rJ
z3<EIAb5-;9B4p6(X{6(Ij~MH$h#S8jG%R(xTlFrbed7Za%bXXSoZJh}Ev>OV<=|$o
z&&q6?J>%GGk3I?{kO@k|cC^f=W;M;Y>tJXEN1W{vwQa)}JRHp>r|7P-rI*Rt&9wDs
z+U(0EPqSx->YsfwC$yHF6^-?E*d16~+jyd=jw;Wq+_d%5f!S&FZna}1?ILunDgGfX
zuKPdsjTF`6y`M1n%fYfw8uq(y75z%47Y6I$q58zx!eC=W-Kt4EOex8ja-L$19js>7
z#QyRDHJW+5FSSOQMTS|B1+R<ApFt8slFzp_k*~E?i3;Y@)Bk6WN5&<#XLvRzvwp<_
zJNhN_XuytC1`sso(L6aj+c;|N?_~SRiv~L75tJIYI{!b+G(Dryp3pLc{!*rS4h6j0
z&3n7%$B|2NB4x^BZ?89K5PgjnqS{S7s{Tk2Yd)@Z<XR*panzvkMn6j{sol=j=a<1k
z$M1$29)IBWRaW?DK16Rt?<$A$qE53tuMeQB_qF~ni%f3Mmfk$L1G)%&hm=^ldYWAi
zgkU%G;*`I1ho!CR5mZLFO6{6<T}u*KyDe^Vvlp%j&&xmmY2V%l|7DW7MvHz7%|nFR
zm$jQB&{&m^6%N!;0!je?rqZ%wOu<Q&Ah;$2tEpf2-Hczp3tnxuHgOXM6)S7?S#1`I
zfKS!ac|sf#V=Qf1PYGsls~t%3`pMzv>+Gh6ZlZ~gMCy^1^dn|wDee4cYCp%{YU3C;
zv8Ycn@&93dsZU>9q^OR&RHJ9oY%T9&_RY?1+kRD%`PIKH&~Kvusot$toa9F7hz_AM
zd(m!q0L4x}$=TP<DeNtji^*z|(KjzB1x|;uf6XKx!O#D*jX|6k;J3`~!o6-vybZ4;
z06Q)mj>Wqyj`X&>GwDD1>Po-?>(r98siKow|2Gfkv;QdYNv0RXFv2KhW5c_@onFCO
zqQ<VbZ03@d(mJ7Ulnc`?jc*Pkmwg_QOw<mP%BFlzKk`toun#Qhy><u61p3-IVM!t*
zZ){9>{<DVc_`hwO92blEut+xhQ6TsB{g&aEbQZN%y8*cP``~(Qz*J-6M#;%}lLUjk
zs3(L0R0ux0HQvp^)9kCfEZ-Sr?E@_k@2(=(y-vxnpqo!6+2O^gmN#AC*5ONZ4(#{=
zlUbE~)-BIiH`=sD*V?gFWs;M~C<?13N-n~b+r)bmWs8S!-*HChKBD17+nlAhzCd2x
zYvav|$F!Xx_r*ldaS|5s{Wgwh+lvVMl08#FuWQmz&Rh@kS*x}mf~wTz+%KgQvo1K>
zAv%^Lo(?ELgb+3C&}GJmBq48ReZHNX_t&K2#6AT#`A?h5&pq}^bNJbF?0&1rU7+0E
z9K*_GCfC%)U#y@^g>N=p>~<zxX1{Db^y2?%<lMudTK71v_Q}a5Dk&;y@5<y*a&Mv;
zB)XlX(p3f%5o27!7PE$ITgj~pdSaSt5=R{5erZ-G<hC<}FoS8#W^!v>X2#stUc*zT
zv(G;JIqUCtJ?nYav)21QpYP=t5d8SI>EmVS${eca826=Tn9A$Y8ioEk+@Q#<j0SJ^
zG)3nS7mMYXr!mPjG3vTX!4|t^Iyy_-`mtWU-V?1gsLafI!N9ADd<O?+OsXVCp>_4^
z>X!7_#RN;;4@y#{{zCVZ#Z{;%^#GIoyDCgzdUZDY3*DHnDeN;#rJlhhOA5v_xpa3r
zT1JUYyA5{7)M1)`UW~K|lG)X@vdVPsRk)}g0Sb8`0{_Ocl5y!K(KSD5{get;Nw}OX
ze?knOc_tqn%S|&1k<Z|r@;S@3<+v)I|CLnq{bN@-d@rc0FOE;=h?9uElkK;rq1IY(
z?HtE^jB0Kfh{-aVLH3<%fMs0PjX9O(kZ=j^dnUp@z!Dk6W#HasXm(RslU9aGV$fwl
zh1)xZDZ(toB~-_;6S9_Hm%CNxACSA!wBEx1ahR0tEqCi^-$R_SEVADTppjP1!s!u_
zwD_bIJdfgtWIv?t(>g5Y9*A)Zvy!xY4nzPpDa6y!LJe98Au8}bVg|qR(&bg=u;;2P
zJ6uYw*Qq}yaEOAOp-e&w1uP3(su}D7e&3j!)+f7XbTiTn85=g;+6e|ygk6posnWI+
z0*YrQ@B=;SR-Bxais@0dxA)omxEdxWH!0}ezy4B`nk-V5z4pOan#Y>#4z#li=x#Nh
zX2@@tMi2HnFgwyOz1B2sK$rK2_(CHJBXPbti42>FO1fatS4v$F#TH{4A-xAMsYao&
zcPh9%Y$Nv(@q%E-`XZC$QlMWznfol><Jv4Qnx!(zhtdh577#0Bwz^kT+k>*{8Y-+_
zHV<2jHXRdfhgG`l`)6B9pP9)r-hIK<Y#3L^8b|MJqFj6Zi|03InP}Pgf!&_yK2)pL
zh6ht^2h#DXcJ9pfd%fJ2tc=9jQ8xDz;wfoE37`Glne~qNcyX94V(MrxbP^o}kDOpW
z{e+pv%bO;gRbzXIorzF1TOl<@_E0t8*(uAE80dO@<-Im7@mZvaAuyLfwr~mnYUXTF
zO(NS~u3~T8luvF-Gm{hb+MO+a97HKkj^2Gr$Rh*NM}Ff~Smw@bZKe&cPm=*$h}vIi
zXD+}yb~59|;Zd3MZe5VEWY0rrWnIR6_zKC?!LYKC$cThf&tYg+g-=KNA2l4Gn}s%}
zE25@VB%IH2JUW-q>Mio^cQH!y;~<@Q*yK`Y9bz|CLu1B$OT5?0L5<JRuVKA1<aS87
ztnNKz2f1HSlNpEz>5*oUe<%<KG|^Ur;@Q53%r$VNgRsNOg28-bYpv_J2^(KP@YgpD
z+7ATC4M&~}qm#()SGH1VUYRmqdRBXZY0%B?#j;{RMM;-2%xDeG@5gdCGL;3Qwf`26
zF|c?{^2*O4)ol$k`08bPJkk4KP<lq<FN2}f`ZRcIi+`&>pL-(4j6wnXfp+S@77(Q2
z;Yg~(DdTels7kC!RC{$<PRI)zTyBugww55Or+4v;M$`NR;lVaZ>VGaBS5`ZpN00ZV
zJgEYH>=BF#o2vQJXDo7$)Ai(sAD&E@8lMenT-fr8-|&*`=JCddu2bcmD*c&oTJm<E
z^pSy9GlD#L?kbt|2`n2?zVJ;eG1)b<2~|c7sO7sMSBb9dWf<fP1A{;p*mxIiqWXgy
ziN&(mh(}mQ^jn?iLz2Bi+S7iamOj%$qS`=aXZx>ATdU*me<}_Ts}-W4B?x7mEDlQL
ztpKu8iR$lOz#k`kV0)#@KX|8n&7)3=m_bAv)NuaZ`=;wG7}o46TjDQh#_W7NzllF^
z5p67aSB@_Z)LKV6qN_aJU2f9LinP%3FUtex&6p^O*OC@JLh@HVPB({m*2rS04)E=)
z&}~-%5G+wA>D3K7CoHdamrpcu;Kac8&0nIcWh9)rY7NZ~+!-bzWxVllp#1}IrWV$3
z26M?jp<U`iuTCaTPEdW!6l(Ml+bed^rDt+CNCSIRP#_D)hrDy{=8E}ziY?AY9P$6@
z(eH#*ZI<4{1X+cw-48S2{OKUxWr4=nhRH@^4$a=9W6G(H*_9tO-za*;4{zi42PJaN
zC;VW`)m)a>19?lP62D;QeH$y_`@b2Qe1*<a%QM;#9DRF$Qd@z&oa3tfd&zpY7g#H^
zFwF(FInav4H8CCtYR<JC%`_fw+ZxVjWrg_c`T<v`siT}0=J^opYC?(_OzI&vfbD{#
zGTc6Bb0!cKca!hDB_69v{tlhY(!Y@0wzrfxn^Sz5&pvFLzX4q&#ARgNq`E@~_y?sN
z;i<;FzlY2vP*;e=rgr~@nH_Bk%;YDOe1NwcGirCW-*hLgoh=R4^KdjIrw_fPxkD_g
zBvDBZD%ur)X160(upK_uORSaz?hK*+#^e19hsrfu@&q=yL&U5_<2FvNmI|+WeWb;R
z^6|k8mNM5}JxUrcv-?xjgzwnuigKb~KelqSRzG(`%{Lj?_rryaTnn4~bCi*w2DV^$
z9Qgtkz2Pgi*Dvsl^z2#>8b{K4(}kqB<v-@4-5?`YQ5Sy2Crr{}nfXNUP7M;-7OJ>W
zDL80fb_NNv_B5)-AOtL0jm99*=zTBGKiPg3pj%3=4W8e_D^rK&&gU}Jp=I&Ymv5HG
z+`$y8MfhI&C{w%yc%oYA8{Zwa1(eKPkF%2N%#NI9_g<^9haC;p<eKqZV>lsncc|CO
zs6saQSJe^aRO^Ux!&b0heYjBi=6NOSb|7bFz+UcXiPB!2uoG-4=gEm_^3jfq>_nX6
P0f!GBcl@V==Z)V0U@*N;

literal 0
HcmV?d00001

diff --git "a/docs/graph/K8S\345\256\271\345\231\250\345\214\226\351\203\250\347\275\262/k2.PNG" "b/docs/graph/K8S\345\256\271\345\231\250\345\214\226\351\203\250\347\275\262/k2.PNG"
new file mode 100644
index 0000000000000000000000000000000000000000..f3e13444ba32ef027c8b1cc305ec68b336d4c05f
GIT binary patch
literal 5785
zcmai&cTf|`x5pC*O%W8h6aj-$6#)eWLP-LM1VKQ>3rGnlRip?CA|*5hq=X_xDG@=6
z(gdkuf)^wdrI%1c?>z*PK$4gHd-MKzGjHC`?4I4(KhEs#?B{&XiL)>>I(6dg2><|a
z${2CuE&#wL#hTyX=46cx{z*YB1N6UZqz|a*kyvFdKyG@s^#Fjc=#$4z9IQ2uFT%zj
z0N`u=w*&D$CC&hVu(I(DJ<Asko4ML`^O}6GgU{y%5IkZeFO~SaO7nSwdp!S2lKbMU
zJ|jEC_n7}&xJrZ+CE2AjbsHSA>=1u}CsGRVgGnLv!oVyC06=gg2=uT09`*lNHF>GQ
z{VV~hS&VBFbPKnQUVrDzDQi1Md~oDT_Cd$ruVWu1Gbr?<z?o1#i8tMwyGLQ6rhkh8
zX0Anp7WNua(y&Btw7CC|9Ji;^z%lgdUW1*2URBrMS9L4;54@dY(&5^7m{7>O9EqmM
zg#{kOoPwVOP(}(60=fVUs_}nRJdo_vWCyMf))8pFmny{8hX~Jaxjst29XG<0Yh?sm
zp8-jo^Ef%>T9xQaeJM71hranRW7sRjxj81t)!uSlu_rZrf9Y_Fr=#eg{&WTh4>zEA
zISwR~Bd5{*cb}hcMM5M(XDwatlenX%@6&-Zy=xR=D{w=h`7+=wDX{S?G}2(%IZ+^S
z!bKVL{6(<d$H%oQrGyK;{@hwQEt7v_IzM=VB@a#<|DaBpB%M{M!HKj~O96p1`@C{e
z*yFAwOb#_S>4v|X4Elph6<8rKY1pS1!4oN2rRm-zRmhfrb2Y2}6n<}H)M!Q!^3CS8
z_NKPzWL6&xskP(AKlcKGyu*27jY{!f9^1fu0lQuZwcKBK{{zlk1UBgy=#c^!iP+rx
zdL`mImf$k+RE@Qk?jGh~U5c8G?vd}}W7E6s7GXbn{GG=FZJAAW9lF<WPjPO~!KvP(
z>Z_6Msl9pzj62lFHyS@B5??VSb(wnVyJg31pUI~Hgai(r*Z@<~g#)9${Ddeauu{DA
zkV9isE><>bGEezabhx?KORi=11Z`E<<)U%l&ReNd+VhR5bK=A1JSVhk)*A|}=teg8
zBHNg0t)^~1IW=V34vy=nay6!7-!=j5@f-6Op+QB>cqZV9So==(aBtWZ7jQ`XYkWuM
z>mmge%&*Q!>sNW9`|aCZB82*Ul$F`$uMgdsg3DCCYfGa}oe+c^G8x(9Lkx?}3%MT2
zSfItze}!JAex})9W_JD02?FN~Tx<aA>G58#dH38y0_^^Ydj**9g%7pE%}QTJx9xpx
z{phts(duZCYX7zOmzmDp6}Jz}H(~Ajo*RP3dnfTz8()g%fhQU-mqD%Tq+s=DHk@Mf
zLOZDO2#5iFdGmXIFwdyR>PV`8to%ZE*RMJ^8c`n=-)&Xq188wAGl##Hcu`>It>&C1
zcp5A<-|s)ZHNGr;0rkFCr-_ezR~6nFk9aIG)UK4fRP1<PhHpCV7f3GcUXpo&q6vH@
z_OQputNIj#;my2Z2=h38Z;De~QYmngSK6a~kv{sMwc05f$#l~lup{17#$CAsyMDBi
zh$^vL(H;2gb0?eF;jaC@cCTA2n~bY#mWFK(+9LtsQxLpZa+S|IZ>%S=HlJ24kyWeI
zG8!)ec`%kCI+_!{LxJq@6uTwDEH-hMtbDezTuAc0T8jz$_noXOtI=`$Pj}ra5lE3k
z86mD@4m3OL5!f%xIrK~Om$Zy64qf`SCv}Pa%nMX@UFzfgeQg=y$p!w)4n#ospBH*;
zs`8vY=Xo7km6Xk`lk!sdqSorRfU|UaWGCe6<?l~9Wws2+i^1k~#&87o#X@<d6Z!x-
z$e*&B>5IO6FPj9FCW$Qa&{TUZeaG0QxLrdDi)t=lyU}ja4QA9qinH1hUJ`;H*T^S>
zkDg4k4`d<DJsrlK_f~gT{XTvJSB$1rMt&(?GA$Eicy(G0Z{MYsGV{qC077o2j1<EX
z!tp#{Xyf-QHBrUG4(+kA{KBTL^DaV3{RB+zY3*`?Ix$wET{TW#qTxwOS~}l|DZJ}|
zT4cEjH#({(x9*6YFC{_<K^eb^9kL3p5rXxR7Jqrg>tOT(Mtsz_fHyay#>;!mlkH&~
zX=_?9X)4|LO{CO9Sp}CM%ym?GBC{HYJ<h8L5gwV0e?C`ld_<!CAxkeTH`*yM|NBe+
z1TFlDmWsqL_r#gD(<CN^VG$RA06;kX3=cx*pP7PacCF$#=R)b(XK!m(xKB4H=GTC`
z7|G$y!dRK}VD?eBZ~$QDR5T0vJB=$QLI<)I002Rdg<Do5Nd7OI3!9YO4Y9Y@&9I)1
zJ$vre;DiBv<Eu{Kyc0nqLoqK11AHOyoV_x5=$g)(mFaw`CBsx=iF+@q9-GZPE*h9K
zbUQ^=FRtp<?zD%x+J>5b3ryRLrQ`gMXW}h(iNJ%wrGhTEL*gvYE&9sykU-PG5NSq!
zV_4L5jXE#!0ZApF85RPSzX<G%jK1D-CFPfM6YX1W`nkHN;ZKoDw|Nk)dQpkH=2;6!
z!jI&inVgd$c6I7Zwi@hJW)PdIGEvT*N_bbo0nSa&#B0B`guV^`w!!=}&xMR?r;&ZK
z<-`*wKGAchQD4Ywv7Skc?ZnD;@XgUm*_h&0q#cuems%JNipG`abCz?8M%_H)tRH$<
z8d#qz-^RSj<_CBQyxVsR{+Xn5r8|MzE0D~w=cR8Bb?d!3AUTR32Q5so97WP-*EekU
zfQ*Sm`*t-*(KIDtZ~53t3Ajqh>_e$QG3jr^?W|M$`o;i1_U^X3-*zqQ#d-J*6yo=W
zgb5;;e3IB_MVD2jf^vD0M5>5RdidpJAHi=SA<=^PwJ>qMo8Ie?4;6G=(DBU4K5N{U
z%|lShRaZu_1~v~R>VQiJ6)qzmGMklpvh!L6S&_W;X4eT3G26c}DnBUdd!RPt#Cs3t
z$r*Bkp#kX(xwqIhk^Y$n;mP3Wm6dAy5Rz>{D1JHb-K%H4n0n?2wM_ZBJoo_D6*e{g
zR-JZ+VcS->f%^EbFUQv-+g+f-zcA(r2)Mg}MAliyTXK^=pAh!2V~o61zJvteJ?xfH
zHAu?B1pc0NW$WT6%MftYwLP!MYV+;zSIxRyPU$AX6U?4@F0i>j{r!Pr>RbL@V(0S8
z?m_z~iJzmEY`dGS%e-*3%zR{en-t`|2a-`(4d~|Th>-1NdlfkhGED8a>iQ{OD(b5Q
z^ytBj`-HOTZ#1@?I2uaQm%Q4pbq6{aaWd~KQy0$<%{yQ{%n`d_azl~wOD}S})mtk8
zp17^nJ6}e3Rcx36AyBnTz&NpUV(w=h4fVbzeFp2X`JGmPPj`%&dN4X-$Id6po&G@;
z8CoZmwpN8UEu4HB5t8kgXz1n7m*esbmo9CS9o`&#Jkz>biQN9O8aNr_wKph`{DBK=
zC`G#SW7lTUZ(@gbKg^(SUuDG3WtTcB#Dm}!4dBe!POC8bYf%fBe;_n+Biw5SGV?0)
z88WDC&{XOrNu_Rrhx=#zwRM=XdT&WccAqFwM>yb;)2t`eo=vqoFP6`}g+bH`+Zp4n
zAg*4TX4j9P1)NfcI^x`Za=cU%^GvAB$2FJ-(`nKAb(;sB`=dK5hD_{suQ5C!@m~f2
zZ2vD|NQ%M5nN4M}x16Q4m-06nudNh*pOd7yHj<xAK{Yj%p^no()un)AX)J{o@@mwJ
zCH64o>>O<U)Sz}|$fqD!6N=G7xtbB)*FwT8n2Xx|#+N$03Q2eacB(md=Oo&E^GDWH
z!*b&zYFF<coT!YHZ1y-f0_1F4mxudPN&#zB4!}TjG`cE@(ToZ}&&o{=I}9s#VO~Zz
z$`TRB5IJ_9SX5F_m^wsfRD$U5E9|fYS76WGyF7$L$SGU<C{VRkKl1rl){!2L%=7Je
z(IjApEE(uVVB9)7%f{1D_hbcD=k|`-IlW8*lAt&lQ@H;Xro$}87&aE)k%KK{7S~-=
z|E&^KGiQLV3!zi|?cT6{5b2X%k+CAz!T}4w8thNb&~S~sNi`a<h|31I-XKb;@elT9
zMmAugH_Ea*1WMxM?$oI`faV<~lXb3nXOOp`Izp!+y7xe4>#UHhy*@KB_WY`N(qL*O
zgptIUYS6s+e6cY8iz)opQQXNj&G;K=BpRKIFogAB5x4=)VO!awgVAc0qJET2SAP8=
zH~B@+$DH^HpD`nISkg4jb7mY?!z4s;FyvSKN2WTCC9@Pz{u7>bfAXt@2!|kJ6X^6v
zJPa>u0=M>MlvU*cimSerAjEPKWjQ!G3LXE6Pf^8M)W@&EluaSVB7RB7rH_y?xnG|F
zqUhognsaI$;}p>?gSGHjv2QLjlbJ!BEvg?9`{$Q<Z8(_IlnI&@d2H-nD1`A)@7mIw
zq$bsPdd0H1`#vE}7h4F{U=FAg7=Cok_m8{@BK;e%hhwwcdW`Fv8k>*curUhnk>}hv
z>?@Oyj%8jPS!+3#6o-M!*;n3S!)R~mE>%p~P-x(eONU!|_v2&8xr@MEqtn+HNgo&e
zRCRtN&&_@0{i8EHY;eg!!AvVT()4E(-Aa;s^pNlJghn>}5eAWp)XZ~5UYGQVPW#oH
zZ6rB+DiN8I&Oc-ozhKQ*cD26N4}z@<Yog724LAC9UeScz!nY=L;R@-7G%*R}sf(E<
zfoGXt6)zik^8HY*p3!^^=8`klOt>odlD2w}<OPNBG3s42?RlxGbaWeL{*1usyT7L}
z4;AI*oSzwcyakHe>}~cGi+G+mNP}|e<>#E?(l;vHvp?c%1T@hFYmMXPM-#M8Uqlr)
z!AHd@4~H5S?|f7Qi=j-I2J<5E1)sVD9XnN46MddBhIJO2Td?ovMeR^2pEfJM@>^A`
zb<uR4k3LQfQqcCR6ik0m{ekv1edg^kZQAOLaw~cNu6C<t^m!Ix<#AkXN~*OMWxxj$
zY$3X}TkfZvZS|kluseP7e<&kYmOt~DdB5>yf|=+Je5|gRB78T&R*wDnyS!j#{l3pi
z`+H2opG(1tuaAHDL0;eCYMJ=_(!29Y39<eClex8W56q$`!N>|`hqCmZU%EYpbwAW$
zJTiY!{TO$8rH2TKJxG=<;xKt~)lGpKt5Xg$!4A}|?JmC%(#YQfEq2WU&$_|qpq8*u
zND4s?c%C}<?p?B;@)k1j-dww>pnCo6M9$$wd7HU)qo7Evy4J6HQ4{cE+u&nKx}Z&H
zL5O!uo#1n>opU+IGTWrXa8cUuybpnx6?&g${%xZoBF*#mk>rtRpZNsiLVuX0ZFOkB
za($36^DFpr%vJRwb!-Gxo5RdC>`mcy{!?^cv5CYiH}eMhq9T45WGAB}H-wc23)n(^
zQ2i`5B!AqJtsrn(P0&@g+AoJ)YRJBCtT?CiNxyy?r?*yebttyf)QsZJ+%qFj0tm57
zs#p^!t~*=4)}^7a#uBw4AaqY{U*wUNrAn_3eslM5AMDjWDzE$3;<<W@gR_Shx^|bV
zyQzzQs}}8&&!!j|gv>RhKD|BYl3?r!J;v6(E2f|5MWMW_#r2Fi=p_2_y7V!AWS@@a
zf2gG(aB|~_0Fun|J0#yL-`+1+|4cqVlBlRQI(nA+a(B65#`cP%M$fayJKc^PS*`j>
zlxGqAA$+!62P7H3N;V#D0uSaFW^rgHbM_h!H^!x)K%2l10J966u7WTI;$dX>^e7F#
zkD!H8{4o#^^KX*PY618L9x}V;;_bU&&^|u^@PS<*S=JP};7{|^V`BqoiW?nngGEv8
z0;j|3taV=7LW^Ep5$0-1!Dr1CShxi}lxk_>CJEzXdUx4(?$2ZgF4EkDX;r_Owv63o
zbVQHNHj#vXLcQs6ol(KK>E0Q*g!lc<6RR;p9b0tlGs5QkIsx{3TVm*A*6tTb-!}{R
zrgtFp+6K^#4vBV+<GffmI2&7w9yfM<mE805cJpZ44my-cb@-i~xeH+!Sjb4N+Mf3q
z=mM@DLY}F$2v?xi%<F!toa{<?Eq~SZh0Yn8p|Xs$ykS0b&(NA?s8<a|tC+WR9p1NK
zZj}MIzxTn3iDqza&yeTz)6PSUjOTv+11JyJQ$5M&DGeGn?M6^0ZI?pEV9?trW+4uZ
zk9xOqh^+3Z$D>gws_NV*jtC|`9CM^^r_*$-7{C5rhI|GZT>w=+U=ujTF-0$eb&mjD
z(1HMqE})Nh<u=UfS4?diWnl8)0W)viEr^A8ES7;b%?Q_Y!~aBXE(m2rrmC-e2p2Nd
z%t~qHeg3_HK{^P%siAm<5wIx1I~-Zv<-(Sl?nzZ*FF*Ga*A5Rfl$XjmKS*)e@mY)M
zzL-y0=-t)UPhEVHLVPWTUl-thC*)fVk7J`JJ)ifnVvHW*(QyaN<q3Z><XsBcm<T<8
zA-9^eG^%CA#tx7T)5S+|`52JKM;NdQ6Nf?9WM`({rVO*6j8U9#eSA#$g!{s^VnsQu
z#_^Wp3`O^p-XQVPvQpc02~^(Ccbv`lgWkh^G`;(uHkO`j1tcYj$NRy@&LGTDoF@C-
zC58fm8Q+-Vvol-Rw`Wt69{yI2ppYr&d##V@q}{Br=;+y_dABbiUUXi+>ErPog~}la
zfL$|K9_A=_`r*_Xs7+q}CrXINv>R28vOWWLfam$X2-*NS{y<ey>pnAtojU3j!X(kj
z;V)t`#9S}@%kT}*Vzj_ey9pEzP62MnE>>^1xYHBJoK4zYqKkKu6t`Dn;`GKZfd??w
z5@s=%oPwku@pSa!0~^Z`S4J|9OjN`W@Rpm-K${BWS8rQ4_)_g}9M=ddOHbmrl@2i*
zu2)+>{{B6|-b?!fxt`kqd!89=w-?Nc)shnbq4jX3@yN=hK5pyyZri=LWKx37faiL+
z5b1mxkfHk#Y-ai^(xwnq`{$B2+aHrFiJ*royogHdrQQ}<(VYi>%SxHL(MRdag1fVZ
zZM)a-wg2GwWx*-Mp&w+4s&sJToSbFgiHrC6`1>^31rGCR2AG<P{@d_K(?Sa(@}1s;
z#bH{s|B8&i11w2CA+X@yv+s}o#Eg%Om|xj>)>T)4{11Ko!z;DIAI-2sIfBpmYea}P
zayjdT&P@<u=U~j;!`LddpSMe9Jl>)X7=KeVR#C5ri`O?tJnq2Cd>(9nMHewG$;9+<
z%GX){W1|8Dyi3|SGQFdV2N*4X7y3z+2JsXe#ohgE%^fD*Y59Xo_N_eC{qop7QEW54
z@yQsYLsn+#RQ!tAZ;oxeTJKX^7={U9aI*8X_1(MTf&8Zg1LGhW=*qIU)a(EYtZ^H}
zg)!4rR5>V`v0Ug>f!xKNVm4laHYd!qp2A&QA}W$|8PDujZH@NvWhs>+xTKR<4)%a~
z(_&5_K+0{sB`mLP_CBljr#)LksmVFZDzH{5u^xDdVxqzrD!9+bO1;-3K%kIoO!_wS
zz4dbzBA@i;gqsdNy0xG!`F>9Bf$uH#YMA0`@_+A{Bj6O84s0thcv6%~=<C;Gs|FAL
zjfq<N-Vn7pMX{GSNK+LgZ>ObocIJ00l@%I19A?!5s;;A;41TArgD*nZ4B>w{Y;0(D
Kqe9;?^1lFQ$A%>U

literal 0
HcmV?d00001

diff --git "a/docs/use_sample/Kubernetes/\345\237\272\344\272\216NestOS\345\256\271\345\231\250\345\214\226\351\203\250\347\275\262kubernetes.md" "b/docs/use_sample/Kubernetes/\345\237\272\344\272\216NestOS\345\256\271\345\231\250\345\214\226\351\203\250\347\275\262kubernetes.md"
new file mode 100644
index 0000000..83c6a22
--- /dev/null
+++ "b/docs/use_sample/Kubernetes/\345\237\272\344\272\216NestOS\345\256\271\345\231\250\345\214\226\351\203\250\347\275\262kubernetes.md"
@@ -0,0 +1,723 @@
+# 	基于NestOS容器化部署Kubernetes
+
+​		
+
+## 整体方案
+
+Kubernetes（k8s）是为容器服务而生的一个可移植容器的编排管理工具。本指南旨在提供NestOS快速容器化部署k8s的解决方案。该方案以虚拟化平台创建多个NestOS节点作为部署k8s的验证环境，并通过编写Ignition文件的方式，提前将k8s所需的环境配置到一个yaml文件中。在安装NestOS操作系统的同时，即可完成对k8s所需资源的部署并创建节点。裸金属环境也可以参考本文并结合NestOS裸金属安装文档完成k8s部署。
+
+- 版本信息：
+
+  - NestOS镜像版本：22.09
+
+  - k8s版本：v1.23.10
+
+  - isulad版本：2.0.16
+
+- 安装要求
+  - 每台机器2GB或更多的RAM
+  - CPU2核心及以上
+  - 集群中所有机器之间网络互通
+  - 节点之中不可以有重复的主机名
+  - 可以访问外网，需要拉取镜像
+  - 禁止swap分区
+  - 关闭selinux
+- 部署内容
+  - NestOS镜像以集成isulad和kubeadm、kubelet、kubectl等二进制文件
+  - 部署k8s Master节点
+  - 部署容器网络插件
+  - 部署k8s Node节点，将节点加入k8s集群中
+
+## K8S节点配置
+
+NestOS通过Ignition文件机制实现节点批量配置。本章节简要介绍Ignition文件的生成方法，并提供容器化部署k8s时的Ignition配置示例。NestOS节点系统配置内容如下：
+
+| 配置项       | 用途                                   |
+| ------------ | -------------------------------------- |
+| passwd       | 配置节点登录用户和访问鉴权等相关信息   |
+| hostname     | 配置节点的hostname                     |
+| 时区         | 配置节点的默认时区                     |
+| 内核参数     | k8s部署环境需要开启部分内核参数        |
+| 关闭selinux  | k8s部署环境需要关闭selinux             |
+| 设置时间同步 | k8s部署环境通过chronyd服务同步集群时间 |
+
+### 生成登录密码
+
+使用密码登录方式访问NestOS实例，可使用下述命令生成${PASSWORD_HASH} 供点火文件配置使用：
+
+```
+openssl passwd -1 -salt yoursalt
+```
+
+### 生成ssh密钥对
+
+采用ssh公钥方式访问NestOS实例，可通过下述命令生成ssh密钥对：
+
+```
+ssh-keygen -N '' -f /root/.ssh/id_rsa
+```
+
+查看公钥文件id_rsa.pub，获取ssh公钥信息后供Ignition文件配置使用：
+
+```
+cat /root/.ssh/id_rsa.pub
+```
+
+### 编写butane配置文件
+
+本配置文件示例中，下列字段均需根据实际部署情况自行配置。部分字段上文提供了生成方法：
+
+- ${PASSWORD_HASH}：指定节点的登录密码
+- ${SSH-RSA}：配置节点的公钥信息
+- ${MASTER_NAME}：配置主节点的hostname
+- ${MASTER_IP}：配置主节点的IP
+- ${MASTER_SEGMENT}：配置主节点的网段
+- ${NODE_NAME}：配置node节点的hostname
+- ${NODE_IP}：配置node节点的IP
+- ${GATEWAY}：配置节点网关
+- ${service-cidr}：指定service分配的ip段
+- ${pod-network-cidr}：指定pod分配的ip段
+- ${image-repository}：指定镜像仓库地址，例：https://registry.cn-hangzhou.aliyuncs.com
+- ${token}：加入集群的token信息，通过master节点获取
+
+master节点butane配置文件示例：
+
+```yaml
+variant: fcos
+version: 1.1.0
+##passwd相关配置
+passwd:
+  users:
+    - name: root
+      ##登录密码
+      password_hash: "${PASSWORD_HASH}"
+      "groups": [
+          "adm",
+          "sudo",
+          "systemd-journal",
+          "wheel"
+        ]
+      ##ssh公钥信息
+      ssh_authorized_keys:
+        - "${SSH-RSA}"
+storage:
+  directories:
+  - path: /etc/systemd/system/kubelet.service.d
+    overwrite: true
+  files:
+    - path: /etc/hostname
+      mode: 0644
+      contents:
+        inline: ${MASTER_NAME}
+    - path: /etc/hosts
+      mode: 0644
+      overwrite: true
+      contents:
+        inline: |
+          127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
+          ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
+          ${MASTER_IP} ${MASTER_NAME}
+          ${NODE_IP} ${NODE_NAME}
+    - path: /etc/NetworkManager/system-connections/ens2.nmconnection
+      mode: 0600
+      overwrite: true
+      contents:
+        inline: |
+          [connection]
+          id=ens2
+          type=ethernet
+          interface-name=ens2
+          [ipv4]
+          address1=${MASTER_IP}/24,${GATEWAY}
+          dns=8.8.8.8
+          dns-search=
+          method=manual
+    - path: /etc/sysctl.d/kubernetes.conf
+      mode: 0644
+      overwrite: true
+      contents:
+        inline: |
+          net.bridge.bridge-nf-call-iptables=1
+          net.bridge.bridge-nf-call-ip6tables=1
+          net.ipv4.ip_forward=1
+    - path: /etc/isulad/daemon.json
+      mode: 0644
+      overwrite: true
+      contents:
+        inline: |
+          {
+              "exec-opts": ["native.cgroupdriver=systemd"],
+              "group": "isula",
+              "default-runtime": "lcr",
+              "graph": "/var/lib/isulad",
+              "state": "/var/run/isulad",
+              "engine": "lcr",
+              "log-level": "ERROR",
+              "pidfile": "/var/run/isulad.pid",
+              "log-opts": {
+                  "log-file-mode": "0600",
+                  "log-path": "/var/lib/isulad",
+                  "max-file": "1",
+                  "max-size": "30KB"
+              },
+              "log-driver": "stdout",
+              "container-log": {
+                  "driver": "json-file"
+              },
+              "hook-spec": "/etc/default/isulad/hooks/default.json",
+              "start-timeout": "2m",
+              "storage-driver": "overlay2",
+              "storage-opts": [
+                  "overlay2.override_kernel_check=true"
+              ],
+              "registry-mirrors": [
+                  "docker.io"
+              ],
+              "insecure-registries": [
+                  "${image-repository}"
+              ],
+              "pod-sandbox-image": "k8s.gcr.io/pause:3.6",
+              "native.umask": "secure",
+              "network-plugin": "cni",
+              "cni-bin-dir": "/opt/cni/bin",
+              "cni-conf-dir": "/etc/cni/net.d",
+              "image-layer-check": false,
+              "use-decrypted-key": true,
+              "insecure-skip-verify-enforce": false,
+              "cri-runtimes": {
+                  "kata": "io.containerd.kata.v2"
+              }
+          }
+    - path: /root/pull_images.sh
+      mode: 0644
+      overwrite: true
+      contents:
+        inline: |
+          #!/bin/sh
+          KUBE_VERSION=v1.23.10
+          KUBE_PAUSE_VERSION=3.6
+          ETCD_VERSION=3.5.1-0
+          DNS_VERSION=v1.8.6
+          CALICO_VERSION=v3.19.4
+          username=${image-repository}
+          images=(
+                  kube-proxy:${KUBE_VERSION}
+                  kube-scheduler:${KUBE_VERSION}
+                  kube-controller-manager:${KUBE_VERSION}
+                  kube-apiserver:${KUBE_VERSION}
+                  pause:${KUBE_PAUSE_VERSION}
+                  etcd:${ETCD_VERSION}
+          )
+          for image in ${images[@]}
+          do
+              isula pull ${username}/${image}
+              isula tag ${username}/${image} k8s.gcr.io/${image}
+              isula rmi ${username}/${image}
+          done
+          isula pull ${username}/coredns:${DNS_VERSION}
+          isula tag ${username}/coredns:${DNS_VERSION} k8s.gcr.io/coredns/coredns:${DNS_VERSION}
+          isula rmi ${username}/coredns:${DNS_VERSION}
+          isula pull calico/node:${CALICO_VERSION}
+          isula pull calico/cni:${CALICO_VERSION}
+          isula pull calico/kube-controllers:${CALICO_VERSION}
+          isula pull calico/pod2daemon-flexvol:${CALICO_VERSION}
+          touch /var/log/pull-images.stamp
+    - path: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
+      mode: 0644
+      contents:
+        inline: |
+          # Note: This dropin only works with kubeadm and kubelet v1.11+
+          [Service]
+          Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
+          Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
+          # This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
+          EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
+          # This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
+          # the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
+          EnvironmentFile=-/etc/sysconfig/kubelet
+          ExecStart=
+          ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
+    - path: /root/init-config.yaml
+      mode: 0644
+      contents:
+        inline: |
+          apiVersion: kubeadm.k8s.io/v1beta2
+          kind: InitConfiguration
+          nodeRegistration:
+            criSocket: /var/run/isulad.sock
+            name: k8s-master01
+            kubeletExtraArgs:
+              volume-plugin-dir: "/opt/libexec/kubernetes/kubelet-plugins/volume/exec/"
+          ---
+          apiVersion: kubeadm.k8s.io/v1beta2
+          kind: ClusterConfiguration
+          controllerManager:
+            extraArgs:
+              flex-volume-plugin-dir: "/opt/libexec/kubernetes/kubelet-plugins/volume/exec/"
+          kubernetesVersion: v1.23.10
+          imageRepository: k8s.gcr.io
+          controlPlaneEndpoint: "${MASTER_IP}:6443"
+          networking:
+            serviceSubnet: "${service-cidr}"
+            podSubnet: "${pod-network-cidr}"
+            dnsDomain: "cluster.local"
+          dns:
+            type: CoreDNS
+            imageRepository: k8s.gcr.io/coredns
+            imageTag: v1.8.6
+  links:
+    - path: /etc/localtime
+      target: ../usr/share/zoneinfo/Asia/Shanghai
+
+systemd:
+  units:
+    - name: kubelet.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=kubelet: The Kubernetes Node Agent
+        Documentation=https://kubernetes.io/docs/
+        Wants=network-online.target
+        After=network-online.target
+
+        [Service]
+        ExecStart=/usr/bin/kubelet
+        Restart=always
+        StartLimitInterval=0
+        RestartSec=10
+
+        [Install]
+        WantedBy=multi-user.target
+
+    - name: set-kernel-para.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=set kernel para for Kubernetes
+        ConditionPathExists=!/var/log/set-kernel-para.stamp
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=modprobe br_netfilter
+        ExecStart=sysctl -p /etc/sysctl.d/kubernetes.conf
+        ExecStart=/bin/touch /var/log/set-kernel-para.stamp
+
+        [Install]
+        WantedBy=multi-user.target
+
+    - name: pull-images.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=pull images for kubernetes
+        ConditionPathExists=!/var/log/pull-images.stamp
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=systemctl start isulad
+        ExecStart=systemctl enable isulad
+        ExecStart=sh /root/pull_images.sh
+
+        [Install]
+        WantedBy=multi-user.target
+
+    - name: disable-selinux.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=disable selinux for kubernetes
+        ConditionPathExists=!/var/log/disable-selinux.stamp
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=bash -c "sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config"
+        ExecStart=setenforce 0
+        ExecStart=/bin/touch /var/log/disable-selinux.stamp
+
+        [Install]
+        WantedBy=multi-user.target
+
+    - name: set-time-sync.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=set time sync for kubernetes
+        ConditionPathExists=!/var/log/set-time-sync.stamp
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=bash -c "sed -i '3aserver ntp1.aliyun.com iburst' /etc/chrony.conf"
+        ExecStart=bash -c "sed -i '24aallow ${MASTER_SEGMENT}' /etc/chrony.conf"
+        ExecStart=bash -c "sed -i '26alocal stratum 10' /etc/chrony.conf"
+        ExecStart=systemctl restart chronyd.service
+        ExecStart=/bin/touch /var/log/set-time-sync.stamp
+
+        [Install]
+        WantedBy=multi-user.target
+
+    - name: init-cluster.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=init kubernetes cluster
+        Requires=set-kernel-para.service pull-images.service disable-selinux.service set-time-sync.service
+        After=set-kernel-para.service pull-images.service disable-selinux.service set-time-sync.service
+        ConditionPathExists=/var/log/set-kernel-para.stamp
+        ConditionPathExists=/var/log/set-time-sync.stamp
+        ConditionPathExists=/var/log/disable-selinux.stamp
+        ConditionPathExists=/var/log/pull-images.stamp
+        ConditionPathExists=!/var/log/init-k8s-cluster.stamp
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=kubeadm init --config=/root/init-config.yaml --upload-certs
+        ExecStart=/bin/touch /var/log/init-k8s-cluster.stamp
+
+        [Install]
+        WantedBy=multi-user.target
+
+
+    - name: install-cni-plugin.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=install cni network plugin for kubernetes
+        Requires=init-cluster.service
+        After=init-cluster.service
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=bash -c "curl https://docs.projectcalico.org/v3.19/manifests/calico.yaml -o /root/calico.yaml"
+        ExecStart=/bin/sleep 6
+        ExecStart=bash -c "sed -i 's#usr/libexec/#opt/libexec/#g' /root/calico.yaml"
+        ExecStart=kubectl apply -f /root/calico.yaml --kubeconfig=/etc/kubernetes/admin.conf
+
+        [Install]
+        WantedBy=multi-user.target
+
+```
+
+Node节点butane配置文件示例：
+
+```yaml
+variant: fcos
+version: 1.1.0
+passwd:
+  users:
+    - name: root
+      password_hash: "${PASSWORD_HASH}"
+      "groups": [
+          "adm",
+          "sudo",
+          "systemd-journal",
+          "wheel"
+        ]
+      ssh_authorized_keys:
+        - "${SSH-RSA}"
+storage:
+  directories:
+  - path: /etc/systemd/system/kubelet.service.d
+    overwrite: true
+  files:
+    - path: /etc/hostname
+      mode: 0644
+      contents:
+        inline: ${NODE_NAME}
+    - path: /etc/hosts
+      mode: 0644
+      overwrite: true
+      contents:
+        inline: |
+          127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
+          ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
+          ${MASTER_IP} ${MASTER_NAME}	
+          ${NODE_IP} ${NODE_NAME}
+    - path: /etc/NetworkManager/system-connections/ens2.nmconnection
+      mode: 0600
+      overwrite: true
+      contents:
+        inline: |
+          [connection]
+          id=ens2
+          type=ethernet
+          interface-name=ens2
+          [ipv4]
+          address1=${NODE_IP}/24,${GATEWAY}
+          dns=8.8.8.8;
+          dns-search=
+          method=manual
+    - path: /etc/sysctl.d/kubernetes.conf
+      mode: 0644
+      overwrite: true
+      contents:
+        inline: |
+          net.bridge.bridge-nf-call-iptables=1
+          net.bridge.bridge-nf-call-ip6tables=1
+          net.ipv4.ip_forward=1
+    - path: /etc/isulad/daemon.json
+      mode: 0644
+      overwrite: true
+      contents:
+        inline: |
+          {
+              "exec-opts": ["native.cgroupdriver=systemd"],
+              "group": "isula",
+              "default-runtime": "lcr",
+              "graph": "/var/lib/isulad",
+              "state": "/var/run/isulad",
+              "engine": "lcr",
+              "log-level": "ERROR",
+              "pidfile": "/var/run/isulad.pid",
+              "log-opts": {
+                  "log-file-mode": "0600",
+                  "log-path": "/var/lib/isulad",
+                  "max-file": "1",
+                  "max-size": "30KB"
+              },
+              "log-driver": "stdout",
+              "container-log": {
+                  "driver": "json-file"
+              },
+              "hook-spec": "/etc/default/isulad/hooks/default.json",
+              "start-timeout": "2m",
+              "storage-driver": "overlay2",
+              "storage-opts": [
+                  "overlay2.override_kernel_check=true"
+              ],
+              "registry-mirrors": [
+                  "docker.io"
+              ],
+              "insecure-registries": [
+                  "${image-repository}"
+              ],
+              "pod-sandbox-image": "k8s.gcr.io/pause:3.6",
+              "native.umask": "secure",
+              "network-plugin": "cni",
+              "cni-bin-dir": "/opt/cni/bin",
+              "cni-conf-dir": "/etc/cni/net.d",
+              "image-layer-check": false,
+              "use-decrypted-key": true,
+              "insecure-skip-verify-enforce": false,
+              "cri-runtimes": {
+                  "kata": "io.containerd.kata.v2"
+              }
+          }
+    - path: /root/pull_images.sh
+      mode: 0644
+      overwrite: true
+      contents:
+        inline: |
+          #!/bin/sh
+          KUBE_VERSION=v1.23.10
+          KUBE_PAUSE_VERSION=3.6
+          ETCD_VERSION=3.5.1-0
+          DNS_VERSION=v1.8.6
+          CALICO_VERSION=v3.19.4
+          username=${image-repository}
+          images=(
+                  kube-proxy:${KUBE_VERSION}
+                  kube-scheduler:${KUBE_VERSION}
+                  kube-controller-manager:${KUBE_VERSION}
+                  kube-apiserver:${KUBE_VERSION}
+                  pause:${KUBE_PAUSE_VERSION}
+                  etcd:${ETCD_VERSION}
+          )
+          for image in ${images[@]}
+          do
+              isula pull ${username}/${image}
+              isula tag ${username}/${image} k8s.gcr.io/${image}
+              isula rmi ${username}/${image}
+          done
+          isula pull ${username}/coredns:${DNS_VERSION}
+          isula tag ${username}/coredns:${DNS_VERSION} k8s.gcr.io/coredns/coredns:${DNS_VERSION}
+          isula rmi ${username}/coredns:${DNS_VERSION}
+          touch /var/log/pull-images.stamp
+    - path: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
+      mode: 0644
+      contents:
+        inline: |
+          # Note: This dropin only works with kubeadm and kubelet v1.11+
+          [Service]
+          Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
+          Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
+          # This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
+          EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
+          # This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
+          # the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
+          EnvironmentFile=-/etc/sysconfig/kubelet
+          ExecStart=
+          ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
+    - path: /root/join-config.yaml
+      mode: 0644
+      contents:
+        inline: |
+          apiVersion: kubeadm.k8s.io/v1beta3
+          caCertPath: /etc/kubernetes/pki/ca.crt
+          discovery:
+            bootstrapToken:
+              apiServerEndpoint: ${MASTER_IP}:6443
+              token: ${token}
+              unsafeSkipCAVerification: true
+            timeout: 5m0s
+            tlsBootstrapToken: ${token}
+          kind: JoinConfiguration
+          nodeRegistration:
+            criSocket: /var/run/isulad.sock
+            imagePullPolicy: IfNotPresent
+            name: ${NODE_NAME}
+            taints: null
+  links:
+    - path: /etc/localtime
+      target: ../usr/share/zoneinfo/Asia/Shanghai
+
+systemd:
+  units:
+    - name: kubelet.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=kubelet: The Kubernetes Node Agent
+        Documentation=https://kubernetes.io/docs/
+        Wants=network-online.target
+        After=network-online.target
+
+        [Service]
+        ExecStart=/usr/bin/kubelet
+        Restart=always
+        StartLimitInterval=0
+        RestartSec=10
+
+        [Install]
+        WantedBy=multi-user.target
+
+    - name: set-kernel-para.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=set kernel para for kubernetes
+        ConditionPathExists=!/var/log/set-kernel-para.stamp
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=modprobe br_netfilter
+        ExecStart=sysctl -p /etc/sysctl.d/kubernetes.conf
+        ExecStart=/bin/touch /var/log/set-kernel-para.stamp
+
+        [Install]
+        WantedBy=multi-user.target
+
+    - name: pull-images.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=pull images for kubernetes
+        ConditionPathExists=!/var/log/pull-images.stamp
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=systemctl start isulad
+        ExecStart=systemctl enable isulad
+        ExecStart=sh /root/pull_images.sh
+
+        [Install]
+        WantedBy=multi-user.target
+
+    - name: disable-selinux.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=disable selinux for kubernetes
+        ConditionPathExists=!/var/log/disable-selinux.stamp
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=bash -c "sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config"
+        ExecStart=setenforce 0
+        ExecStart=/bin/touch /var/log/disable-selinux.stamp
+
+        [Install]
+        WantedBy=multi-user.target
+
+    - name: set-time-sync.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=set time sync for kubernetes
+        ConditionPathExists=!/var/log/set-time-sync.stamp
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=bash -c "sed -i '3aserver ${MASTER_IP}' /etc/chrony.conf"
+        ExecStart=systemctl restart chronyd.service
+        ExecStart=/bin/touch /var/log/set-time-sync.stamp
+
+        [Install]
+        WantedBy=multi-user.target
+
+    - name: join-cluster.service
+      enabled: true
+      contents: |
+        [Unit]
+        Description=node join kubernetes cluster
+        Requires=set-kernel-para.service pull-images.service disable-selinux.service set-time-sync.service
+        After=set-kernel-para.service pull-images.service disable-selinux.service set-time-sync.service
+        ConditionPathExists=/var/log/set-kernel-para.stamp
+        ConditionPathExists=/var/log/set-time-sync.stamp
+        ConditionPathExists=/var/log/disable-selinux.stamp
+        ConditionPathExists=/var/log/pull-images.stamp
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
+        ExecStart=kubeadm join --config=/root/join-config.yaml
+
+        [Install]
+        WantedBy=multi-user.target
+
+```
+
+### 生成Ignition文件
+
+为了方便使用者读、写，Ignition文件增加了一步转换过程。将Butane配置文件（yaml格式）转换成Ignition文件（json格式），并使用生成的Ignition文件引导新的NestOS镜像。Butane配置转换成Ignition配置命令：
+
+```
+podman run --interactive --rm quay.io/coreos/butane:release --pretty --strict < your_config.bu > transpiled_config.ign
+```
+
+
+
+## K8S集群搭建
+
+利用上一节配置的Ignition文件，执行下述命令创建k8s集群的Master节点，其中 vcpus、ram 和 disk 参数可自行调整，详情可参考 virt-install 手册。
+
+```
+virt-install --name=${NAME} --vcpus=4 --ram=8192 --import --network=bridge=virbr0 --graphics=none --qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=${IGNITION_FILE_PATH}" --disk=size=40,backing_store=${NESTOS_RELEASE_QCOW2_PATH} --network=bridge=virbr1 --disk=size=40
+```
+
+Master节点系统安装成功后，系统后台会起一系列环境配置服务，其中set-kernel-para.service会配置内核参数，pull-images.service会拉取集群所需的镜像，disable-selinux.service会关闭selinux，set-time-sync.service服务会设置时间同步，init-cluster.service会初始化集群，之后install-cni-plugin.service会安装cni网络插件。整个集群部署过程中由于要拉取镜像，所以需要等待几分钟。
+
+通过kubectl get pods -A命令可以查看是否所有pod状态都为running：
+
+![](/docs/graph/K8S容器化部署/k1.PNG)
+
+在Master节点上通过下面命令查看token：
+
+```
+kubeadm token list
+```
+
+将查询到的token信息添加到Node节点的ignition文件中，并利用该ignition文件创建Node节点。Node节点创建完成后，在Master节点上通过执行kubectl get nodes命令，可以查看Node节点是否加入到了集群中。
+
+![](/docs/graph/K8S容器化部署/k2.PNG)
+
+至此，k8s部署成功
-- 
Gitee

