02 INTRODUCTION TO KUBERNETES
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.
Kubernetes was created by Google and later donated to the CNCF. Its features include:
- Container scheduling
- Self-healing
- Horizontal scaling
- Service discovery and load balancing
- Automated rollouts and rollbacks
- Secret and configuration management
- Storage orchestration
- Batch execution
The Cloud Native Computing Foundation (CNCF) is one of the projects hosted by the Linux Foundation. CNCF aims to accelerate the adoption of containers, microservices, and cloud-native applications.
- One or more master nodes
- One or more worker nodes
- Distributed key-value store, such as etcd.
- Container-to-container communication inside Pods
- Pod-to-Pod communication on the same node and across cluster nodes
- Pod-to-Service communication within the same namespace and across cluster namespaces
- External-to-Service communication for clients to access applications in a cluster.
- Equality-Based Selectors
- Set-Based Selectors
ReplicationControllers are no longer recommended. ReplicaSets support both equality- and set-based selectors, whereas ReplicationControllers only support equality-based selectors. Currently, this is the only difference.
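The two selector families behave differently, and the difference matters for which Pods a controller (or a Service) ends up owning: an equality-only selector on a common label such as app=frontend also captures unrelated Pods that happen to carry that label. The following is an added example, not code from these notes, implementing the matching rules for both families over constructed Pod labels; the Pods and selectors are made up for illustration.

```python
# Added example (not from the notes): label selector matching for the two
# selector families. Pod labels and selectors below are constructed inputs.

def match_equality(labels, match_labels):
    """Equality-based selector: every key must be present with exactly this value.
    This is the only form a ReplicationController (or a Service) understands."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def match_expression(labels, expr):
    """One set-based requirement of the form {key, operator, values}."""
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        # A Pod without the label also satisfies NotIn (its value is "not in" the set).
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator {op!r}")


def match_selector(labels, selector):
    """ReplicaSet/Deployment selector: matchLabels AND every matchExpressions entry."""
    return match_equality(labels, selector.get("matchLabels", {})) and all(
        match_expression(labels, e) for e in selector.get("matchExpressions", [])
    )


def select_pods(pods, selector):
    """Names of the Pods a controller with this selector would claim."""
    return [p["name"] for p in pods if match_selector(p["labels"], selector)]


# Constructed sample Pods.
PODS = [
    {"name": "web-1", "labels": {"app": "frontend", "env": "prod", "tier": "web"}},
    {"name": "web-2", "labels": {"app": "frontend", "env": "staging", "tier": "web"}},
    {"name": "db-1", "labels": {"app": "backend", "env": "prod"}},
    {"name": "job-1", "labels": {"app": "frontend"}},  # a one-off job that reused the label
]

# Equality-only selector, the most a ReplicationController can express.
RC_SELECTOR = {"matchLabels": {"app": "frontend"}}

# Set-based selector as accepted by a ReplicaSet: narrows the match to the
# Pods that also carry an env from a known set and a tier label at all.
RS_SELECTOR = {
    "matchLabels": {"app": "frontend"},
    "matchExpressions": [
        {"key": "env", "operator": "In", "values": ["prod", "staging"]},
        {"key": "tier", "operator": "Exists"},
    ],
}

if __name__ == "__main__":
    print(select_pods(PODS, RC_SELECTOR))  # ['web-1', 'web-2', 'job-1']
    print(select_pods(PODS, RS_SELECTOR))  # ['web-1', 'web-2']
```

The equality-only selector claims job-1 as well, which a ReplicaSet would then count (and possibly delete) as one of its replicas; the set-based form excludes it without having to add a new label to every Pod.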
ReplicaSets can be used to control Pods, but their functionality is limited; Deployments are recommended instead. A Deployment automatically creates a ReplicaSet, which controls the Pods.
The DeploymentController is one of the master node components. It checks whether the current state matches the desired state and provides rolling updates and rollbacks. During a rolling update, the DeploymentController creates a new ReplicaSet B.
- kubectl rollout history deploy [deploy-name] [--revision=n]: show the rollout history
- kubectl set image deployment [deploy-name] [container-name]=[image-name]: update the image
Separate Namespaces can be created for different teams in order to control resources.
After a k8s cluster is created, it has 4 namespaces by default:
- kube-system: contains objects created by the k8s system
- kube-public: its contents can be viewed by anyone
- kube-node-lease: holds node lease objects used for node heartbeat data
- default: contains objects created by administrators or developers
Resource Quotas can be assigned to a namespace.
k8s has 2 kinds of users: Normal Users (managed outside the cluster, e.g. via User/Client Certificates) and Service Accounts (managed inside the cluster). Anonymous access and user impersonation are also supported.
https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies
A Service logically groups Pods and defines a policy for accessing them, avoiding the problems that come with accessing Pods directly.
Services can expose single Pods, ReplicaSets, Deployments, DaemonSets, and StatefulSets.
kind: Service
apiVersion: v1
metadata:
  name: frontend-svc
spec:
  selector:
    app: frontend
  ports:
  - protocol: TCP
    port: 80
    targetPort: 5000 # defaults to the value of port if not specified
The Service automatically creates and manages endpoints (e.g. 10.0.1.3:5000) for the Pods that match its selector.
Every worker node runs a daemon called kube-proxy, which watches the API server on the master node for the addition and removal of Services and endpoints.
Two ways:
- Environment Variables: pay attention to the Service start-up order
- DNS (the recommended way): my-svc.my-namespace.svc.cluster.local. Within the same namespace a Service can be reached by its name alone; from another namespace, append the namespace, e.g. redis-master.my-ns
- ClusterIP: the default; reachable only from inside the cluster
- NodePort: opens a randomly chosen port in the 30000-32767 range on the worker nodes so that the Service can be reached from outside the cluster
- A ClusterIP and a NodePort are created automatically, and traffic is routed to the NodePort
- The port the Service opens is static and the same on every node
Provides CNAME functionality; the Service can be accessed as e.g. my-database.example.com, and within the same namespace also simply as my-database.
- kubectl get pods -L [column-names,]
- kubectl get pods -l [label=value]
- kubectl expose deployment webserver --name=web-service --type=NodePort
- Liveness Probe: checks whether the Pod is still alive; if not, a new Pod is started and the old one is removed
- Readiness Probe: checks whether the Pod is ready, so that it can be added to the endpoints and receive requests
It can be defined in the following 3 ways:
- Liveness command
- Liveness HTTP request
- TCP Liveness Probe.
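To tie the Service, endpoint, DNS, NodePort and readiness points above together, here is an added example (not code from these notes) that models how a Service's selector and port list become endpoints, how a Pod with a failing readiness probe stays out of them, which DNS names the Service answers to, and the NodePort range check. The Service manifest and Pods are constructed inputs modelled on the frontend-svc example; the helper names are hypothetical.

```python
# Added example (not from the notes): Service -> endpoints, readiness gating,
# Service DNS names and the NodePort range check, on constructed inputs.
from ipaddress import ip_address

# Default --service-node-port-range is 30000-32767 (range() excludes its stop value).
NODEPORT_RANGE = range(30000, 32768)

SERVICE = {  # constructed, modelled on frontend-svc above
    "metadata": {"name": "frontend-svc", "namespace": "default"},
    "spec": {
        "type": "NodePort",
        "selector": {"app": "frontend"},
        "ports": [
            {"protocol": "TCP", "port": 80, "targetPort": 5000, "nodePort": 30080},
            {"protocol": "TCP", "port": 9090, "nodePort": 30090},  # no targetPort: defaults to 9090
        ],
    },
}

PODS = [  # constructed
    {"name": "frontend-1", "ip": "10.0.1.3", "labels": {"app": "frontend"}, "ready": True},
    {"name": "frontend-2", "ip": "10.0.1.4", "labels": {"app": "frontend"}, "ready": False},  # readiness probe failing
    {"name": "backend-1", "ip": "10.0.2.9", "labels": {"app": "backend"}, "ready": True},
]


def selects(pod, selector):
    """Service selectors are equality-based only."""
    return all(pod["labels"].get(k) == v for k, v in selector.items())


def endpoints(service, pods):
    """ip:targetPort for every selected Pod whose readiness probe passes.
    targetPort defaults to port when not set."""
    spec = service["spec"]
    eps = []
    for pod in pods:
        if not selects(pod, spec["selector"]) or not pod["ready"]:
            continue  # unselected or not Ready: kube-proxy programs no endpoint for it
        for port in spec["ports"]:
            target = port.get("targetPort", port["port"])
            eps.append(f"{ip_address(pod['ip'])}:{target}")  # ip_address validates the address
    return eps


def dns_names(service):
    """Names that resolve to the Service's ClusterIP. The bare name works only from
    the Service's own namespace; the namespace-qualified forms work from anywhere."""
    name, ns = service["metadata"]["name"], service["metadata"]["namespace"]
    return [name, f"{name}.{ns}", f"{name}.{ns}.svc", f"{name}.{ns}.svc.cluster.local"]


def node_port_errors(service):
    """A NodePort Service may only use ports inside the configured range. Every node
    opens the same static port, so this range is what a host firewall has to cover."""
    spec = service["spec"]
    if spec.get("type") != "NodePort":
        return []
    return [f"nodePort {p['nodePort']} outside {NODEPORT_RANGE.start}-{NODEPORT_RANGE.stop - 1}"
            for p in spec["ports"] if "nodePort" in p and p["nodePort"] not in NODEPORT_RANGE]


if __name__ == "__main__":
    print(endpoints(SERVICE, PODS))    # ['10.0.1.3:5000', '10.0.1.3:9090']
    print(dns_names(SERVICE))
    print(node_port_errors(SERVICE))   # []
```

frontend-2 is selected but not Ready, so it receives no traffic until its readiness probe passes; backend-1 is never considered because the selector does not match it.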
- emptyDir
- An empty Volume is created for the Pod as soon as it is scheduled on the worker node. The Volume's life is tightly coupled with the Pod. If the Pod is terminated, the content of emptyDir is deleted forever.
- hostPath
- With the hostPath Volume Type, we can share a directory from the host to the Pod. If the Pod is terminated, the content of the Volume is still available on the host.
- gcePersistentDisk
- With the gcePersistentDisk Volume Type, we can mount a Google Compute Engine (GCE) persistent disk into a Pod.
- awsElasticBlockStore
- With the awsElasticBlockStore Volume Type, we can mount an AWS EBS Volume into a Pod.
- azureDisk
- With azureDisk we can mount a Microsoft Azure Data Disk into a Pod.
- azureFile
- With azureFile we can mount a Microsoft Azure File Volume into a Pod.
- cephfs
- With cephfs, an existing CephFS volume can be mounted into a Pod. When a Pod terminates, the volume is unmounted and the contents of the volume are preserved.
- nfs
- With nfs, we can mount an NFS share into a Pod.
- iscsi
- With iscsi, we can mount an iSCSI share into a Pod.
- secret
- With the secret Volume Type, we can pass sensitive information, such as passwords, to Pods. We will take a look at an example in a later chapter.
- configMap
- With configMap objects, we can provide configuration data, or shell commands and arguments into a Pod.
- persistentVolumeClaim
- We can attach a PersistentVolume to a Pod using a persistentVolumeClaim. We will cover this in our next section.
Two ways to create a ConfigMap:
- kubectl create configmap my-config --from-literal=key1=value1 --from-literal=key2=value2
  configmap/my-config created
apiVersion: v1
kind: ConfigMap
metadata:
  name: customer1
data:
  key1: value1
  key2: value2
Use envFrom to load the whole ConfigMap into environment variables, env to load specific keys into environment variables, or mount the ConfigMap as a volume.
...
containers:
- name: myapp-full-container
  image: myapp
  envFrom:
  - configMapRef:
      name: full-config-map
...
...
containers:
- name: myapp-specific-container
  image: myapp
  env:
  - name: SPECIFIC_ENV_VAR1
    valueFrom:
      configMapKeyRef:
        name: config-map-1
        key: SPECIFIC_DATA
  - name: SPECIFIC_ENV_VAR2
    valueFrom:
      configMapKeyRef:
        name: config-map-2
        key: SPECIFIC_INFO
...
...
containers:
- name: myapp-vol-container
  image: myapp
  volumeMounts:
  - name: config-volume
    mountPath: /etc/config
volumes:
- name: config-volume
  configMap:
    name: vol-config-map
...
Use Secrets to avoid putting passwords and other confidential information into YAML files. Note, however, that Secrets are stored in etcd in plain text, so users' access to etcd must be restricted.
Creating a Secret:
- kubectl create secret generic my-password --from-literal=password=mysqlpassword
$ echo mysqlpassword | base64
bXlzcWxwYXNzd29yZAo=
$ echo -n 'bXlzcWxwYXNzd29yZAo=' > password.txt
# Now we can create the Secret from the password.txt file:
$ kubectl create secret generic my-file-password --from-file=password.txt
secret/my-file-password created
Creating a Secret via data or stringData:
apiVersion: v1
kind: Secret
metadata:
  name: my-password
type: Opaque
data:
  password: bXlzcWxwYXNzd29yZAo=
apiVersion: v1
kind: Secret
metadata:
  name: my-password
type: Opaque
stringData:
  password: mysqlpassword
# Using Secrets as Environment Variables
....
spec:
  containers:
  - image: wordpress:4.7.3-apache
    name: wordpress
    env:
    - name: WORDPRESS_DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: my-password
          key: password
....
# Using Secrets as Files from a Pod
....
spec:
  containers:
  - image: wordpress:4.7.3-apache
    name: wordpress
    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/secret-data"
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: my-password
....
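The ConfigMap and Secret manifests above share one consumption mechanism (envFrom, env/valueFrom, or a volume mount), and the Secret section shows the same password first produced with `echo ... | base64` and then given as stringData. The following added example, which is not code from these notes, resolves constructed ConfigMap/Secret objects and a constructed Pod spec into the environment and files the container would see, and decodes `data` versus `stringData`. It shows a detail the notes' terminal session hides: `echo` without `-n` appended a newline before encoding, so the decoded password is "mysqlpassword\n". The helper names are hypothetical.

```python
# Added example (not from the notes): what a container receives from a ConfigMap
# or Secret via envFrom, env/valueFrom or a volume mount, and decoding of Secret
# `data` (base64) versus `stringData` (plain). All objects are constructed,
# modelled on the manifests in these notes.
import base64

CONFIGMAP = {"kind": "ConfigMap", "metadata": {"name": "full-config-map"},
             "data": {"key1": "value1", "key2": "value2"}}

# Value taken from the `echo mysqlpassword | base64` session above: `echo`
# without -n appended a newline before encoding, and that newline survives.
SECRET_B64 = {"kind": "Secret", "metadata": {"name": "my-password"}, "type": "Opaque",
              "data": {"password": "bXlzcWxwYXNzd29yZAo="}}
SECRET_STR = {"kind": "Secret", "metadata": {"name": "my-password"}, "type": "Opaque",
              "stringData": {"password": "mysqlpassword"}}


def secret_values(secret):
    """Plain key/value view of a Secret. `data` holds base64 text; `stringData` is
    already plain and wins when the same key appears in both."""
    values = {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}
    values.update(secret.get("stringData", {}))
    return values


def newline_terminated_keys(secret):
    """Keys whose value ends in a newline: the classic `echo` without -n mistake,
    which makes the application see a password with a trailing newline."""
    return [k for k, v in secret_values(secret).items() if v.endswith("\n")]


def resolve_env(container, objects):
    """Environment from envFrom (all keys) and env/valueFrom (one key each).
    `objects` maps (kind, name) -> plain key/value dict."""
    env = {}
    for src in container.get("envFrom", []):
        if "configMapRef" in src:
            env.update(objects[("ConfigMap", src["configMapRef"]["name"])])
        elif "secretRef" in src:
            env.update(objects[("Secret", src["secretRef"]["name"])])
    for var in container.get("env", []):
        if "value" in var:
            env[var["name"]] = var["value"]
            continue
        ref = var["valueFrom"]
        if "configMapKeyRef" in ref:
            r = ref["configMapKeyRef"]
            env[var["name"]] = objects[("ConfigMap", r["name"])][r["key"]]
        elif "secretKeyRef" in ref:
            r = ref["secretKeyRef"]
            env[var["name"]] = objects[("Secret", r["name"])][r["key"]]
    return env


def resolve_volume_files(pod_spec, container, objects):
    """Files under each mountPath: one file per key of the mounted ConfigMap/Secret."""
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    files = {}
    for mount in container.get("volumeMounts", []):
        vol = volumes[mount["name"]]
        if "configMap" in vol:
            src = objects[("ConfigMap", vol["configMap"]["name"])]
        elif "secret" in vol:
            src = objects[("Secret", vol["secret"]["secretName"])]
        else:
            continue  # other volume types carry no keys
        for key, value in src.items():
            files[f"{mount['mountPath'].rstrip('/')}/{key}"] = value
    return files


POD_SPEC = {  # constructed: combines the envFrom, secretKeyRef and secret-volume patterns above
    "containers": [{
        "name": "wordpress", "image": "wordpress:4.7.3-apache",
        "envFrom": [{"configMapRef": {"name": "full-config-map"}}],
        "env": [{"name": "WORDPRESS_DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "my-password", "key": "password"}}}],
        "volumeMounts": [{"name": "secret-volume", "mountPath": "/etc/secret-data", "readOnly": True}],
    }],
    "volumes": [{"name": "secret-volume", "secret": {"secretName": "my-password"}}],
}
OBJECTS = {("ConfigMap", "full-config-map"): CONFIGMAP["data"],
           ("Secret", "my-password"): secret_values(SECRET_B64)}

if __name__ == "__main__":
    c = POD_SPEC["containers"][0]
    print(resolve_env(c, OBJECTS))
    print(resolve_volume_files(POD_SPEC, c, OBJECTS))
    print(newline_terminated_keys(SECRET_B64))  # ['password']
```

Two related caveats: base64 is an encoding, not encryption, so anyone who can read the Secret object or etcd can recover the value exactly as this code does; and `kubectl create secret ... --from-file` base64-encodes the file contents itself, so a file that already holds the base64 string is encoded a second time, and decoding `data` once then yields the base64 text rather than the password.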
An Ingress is a collection of rules that allow inbound connections to reach the cluster Services.
Ingress configures a Layer 7 HTTP/HTTPS load balancer for Services and provides the following:
- TLS (Transport Layer Security)
- Name-based virtual hosting
- Fanout routing
- Load balancing
- Custom rules.
An Ingress Controller is an application watching the Master Node's API server for changes in the Ingress resources and updating the Layer 7 Load Balancer accordingly.
Unlike Labels, annotations are not used to identify and select objects. Annotations can be used to:
- Store build/release IDs, PR numbers, git branch, etc.
- Phone/pager numbers of people responsible, or directory entries specifying where such information can be found
- Pointers to logging, monitoring, analytics, audit repositories, debugging tools, etc.
- Etc.
We can set the following types of quotas per Namespace:
- Compute Resource Quota
- We can limit the total sum of compute resources (CPU, memory, etc.) that can be requested in a given Namespace.
- Storage Resource Quota
- We can limit the total sum of storage resources (PersistentVolumeClaims, requests.storage, etc.) that can be requested.
- Object Count Quota
- We can restrict the number of objects of a given type (pods, ConfigMaps, PersistentVolumeClaims, ReplicationControllers, Services, Secrets, etc.).
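The quota types listed above are enforced at admission time: a Pod is rejected when its requests, added to the namespace's current usage, would exceed a hard limit, and once a quota constrains a resource every container has to request it explicitly. The following added example (not code from these notes) models that check for compute requests and the Pod count over a constructed ResourceQuota, constructed current usage and constructed Pods; parse_cpu, parse_memory and admit are hypothetical helpers.

```python
# Added example (not from the notes): evaluating a Namespace ResourceQuota the
# way the quota admission check does for compute requests and the Pod count.
# The quota, the current usage and the incoming Pods are constructed inputs.
import re

_MEM_SUFFIX = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9,
               "Ki": 1024, "Mi": 1024**2, "Gi": 1024**3}


def parse_cpu(q):
    """CPU quantity -> millicores: '500m' -> 500, '2' -> 2000, '0.5' -> 500."""
    q = str(q)
    return int(q[:-1]) if q.endswith("m") else int(round(float(q) * 1000))


def parse_memory(q):
    """Memory quantity -> bytes: '128Mi' -> 134217728, '1G' -> 1000000000, '512' -> 512."""
    m = re.fullmatch(r"(\d+)(Ki|Mi|Gi|k|M|G)?", str(q))
    if not m:
        raise ValueError(f"unsupported memory quantity {q!r}")
    return int(m.group(1)) * _MEM_SUFFIX[m.group(2) or ""]


def admit(pod, quota, used):
    """Quota fields the Pod would violate if admitted into a namespace whose
    current usage (status.used) is `used`; [] means the Pod is admitted."""
    hard = quota["spec"]["hard"]
    cpu = mem = 0
    for c in pod["spec"]["containers"]:
        req = c.get("resources", {}).get("requests", {})
        # Once a quota constrains a resource, every container must request it explicitly.
        if "requests.cpu" in hard and "cpu" not in req:
            return [f"requests.cpu: container {c['name']} sets no cpu request"]
        if "requests.memory" in hard and "memory" not in req:
            return [f"requests.memory: container {c['name']} sets no memory request"]
        cpu += parse_cpu(req.get("cpu", "0"))
        mem += parse_memory(req.get("memory", "0"))
    violations = []
    if "requests.cpu" in hard and parse_cpu(used.get("requests.cpu", "0")) + cpu > parse_cpu(hard["requests.cpu"]):
        violations.append("requests.cpu")
    if "requests.memory" in hard and parse_memory(used.get("requests.memory", "0")) + mem > parse_memory(hard["requests.memory"]):
        violations.append("requests.memory")
    if "pods" in hard and int(used.get("pods", "0")) + 1 > int(hard["pods"]):
        violations.append("pods")
    return violations


QUOTA = {  # constructed
    "kind": "ResourceQuota", "metadata": {"name": "team-a-quota", "namespace": "team-a"},
    "spec": {"hard": {"requests.cpu": "2", "requests.memory": "1Gi", "pods": "4"}},
}
USED = {"requests.cpu": "1500m", "requests.memory": "768Mi", "pods": "3"}  # constructed status.used


def make_pod(name, cpu=None, memory=None):
    """Single-container Pod with the given requests (constructed)."""
    req = {k: v for k, v in (("cpu", cpu), ("memory", memory)) if v is not None}
    return {"kind": "Pod", "metadata": {"name": name},
            "spec": {"containers": [{"name": "app", "image": "myapp", "resources": {"requests": req}}]}}


SMALL_POD = make_pod("small", "250m", "128Mi")   # fits: 1750m of 2000m, 896Mi of 1Gi, 4th of 4 Pods
BIG_POD = make_pod("big", "1", "512Mi")          # exceeds both compute limits
NO_REQUEST_POD = make_pod("unbounded")           # rejected: quota requires explicit requests

if __name__ == "__main__":
    print(admit(SMALL_POD, QUOTA, USED))        # []
    print(admit(BIG_POD, QUOTA, USED))          # ['requests.cpu', 'requests.memory']
    print(admit(NO_REQUEST_POD, QUOTA, USED))   # ['requests.cpu: container app sets no cpu request']
```

The "no request" rejection is the part teams most often trip over after a quota is introduced: Pods that previously scheduled fine are refused until their manifests (or a LimitRange supplying defaults) give every container a request for each quota-constrained resource.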
- Horizontal Pod Autoscaler (HPA)
- HPA is an algorithm-based controller API resource which automatically adjusts the number of replicas in a ReplicaSet, Deployment or Replication Controller based on CPU utilization.
- Vertical Pod Autoscaler (VPA)
- VPA automatically sets Container resource requirements (CPU and memory) in a Pod and dynamically adjusts them in runtime, based on historical utilization data, current resource availability and real-time events.
- Cluster Autoscaler
- Cluster Autoscaler automatically re-sizes the Kubernetes cluster when there are insufficient resources available for new Pods expecting to be scheduled or when there are underutilized nodes in the cluster.
DaemonSets: a specific type of Pod running on all nodes at all times.
Newer versions also support running the Pods only on selected nodes via nodeSelectors and node affinity rules. DaemonSets also support rolling updates and rollbacks.
- Metrics Server
- Prometheus