Kubernetes in Depth, Explained Simply

- Kubernetes Docker

Kubernetes Core Concepts

1. Basic concepts

2. Core components

3. Resource objects

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  type: ClusterIP
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: game-config
data:
  game.properties: |
    enemy.types=aliens,monsters
    player.maximum-lives=5
---
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm
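The `data` values of the Secret above are base64 text, not ciphertext: anyone who can read the object (kubectl get, an etcd backup, a CI log that dumps the manifest) can recover the plaintext. The following added example, which is not part of the original page, reproduces the Secret's `data` map as a Python dict and decodes it, rejecting malformed values so that a broken manifest fails loudly rather than silently producing garbage.

```python
import base64
import binascii

# The page's mysecret `data` map, copied into a dict (constructed; not parsed from YAML).
SECRET_DATA = {
    "username": "YWRtaW4=",
    "password": "MWYyZDFlMmU2N2Rm",
}


def decode_secret_data(data: dict) -> dict:
    """Decode a Secret's `data` map the way the API server does.

    Values are standard base64 (RFC 4648) and are reversed here with the
    standard library alone, which is the point: base64 is an encoding, so a
    Secret protects nothing by itself. Encryption at rest and RBAC on the
    Secret resource are what limit who can read it.
    """
    decoded = {}
    for key, value in data.items():
        try:
            # validate=True rejects characters outside the base64 alphabet
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"{key}: value is not valid base64 ({exc})") from exc
        decoded[key] = raw.decode("utf-8", errors="replace")
    return decoded


if __name__ == "__main__":
    for k, v in decode_secret_data(SECRET_DATA).items():
        print(f"{k}={v}")
```

Running the script prints `username=admin` and `password=1f2d1e2e67df`, i.e. the documented sample values. Because the `data` map is what ends up in etcd, treat read access to Secrets (and to etcd snapshots) as equivalent to holding the plaintext.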

Network Model

1. Pod networking

2. Service networking

3. DNS service

Storage Management

1. Volume

apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      path: /data
      type: Directory

2. PersistentVolume (PV) and PersistentVolumeClaim (PVC)

apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv0001
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: /mnt/data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: myclaim
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi

Scheduling Policies

1. Node selector (nodeSelector)

spec:
  nodeSelector:
    disktype: ssd

2. Affinity and anti-affinity (affinity/anti-affinity)

affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/e2e-az-name
          operator: In
          values:
          - e2e-az1
          - e2e-az2

3. Taints and tolerations (taint/toleration)

tolerations:
- key: "key1"
  operator: "Equal"
  value: "value1"
  effect: "NoSchedule"

Security Mechanisms

1. Authentication

2. Authorization

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
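RBAC rules are additive: a request is permitted if any rule of any bound Role or ClusterRole grants the verb on the resource in the API group, and `*` in a list matches everything. The following added example, which is not the project's own code, models that evaluation for the `pod-reader` Role above (reproduced as a Python list) and flags wildcard rules for least-privilege review. It covers `apiGroups`, `resources` and `verbs` only; `resourceNames` and `nonResourceURLs` are out of scope and treated as absent.

```python
# Rules of the page's pod-reader Role, copied into Python (constructed from the YAML).
POD_READER_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
]

# A hypothetical over-broad rule of the kind an audit should surface.
CLUSTER_ADMIN_LIKE_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]

RULE_FIELDS = ("apiGroups", "resources", "verbs")


def _field_matches(allowed: list, wanted: str) -> bool:
    """A rule list matches when it contains the exact value or the '*' wildcard.

    The core API group is spelled "" in Role rules, so a request for a Pod
    passes api_group="" here, as in the Role above.
    """
    return "*" in allowed or wanted in allowed


def is_allowed(rules: list, api_group: str, resource: str, verb: str) -> bool:
    """True if any rule grants the (group, resource, verb) triple.

    Rules are ORed together; within a rule, all three fields must match.
    Subresources such as "pods/log" are distinct resource strings and are
    not implied by "pods", which this function reproduces.
    """
    return any(
        _field_matches(rule.get("apiGroups", []), api_group)
        and _field_matches(rule.get("resources", []), resource)
        and _field_matches(rule.get("verbs", []), verb)
        for rule in rules
    )


def wildcard_rules(rules: list) -> list:
    """Indexes of rules using '*' in any field; each is a candidate for tightening."""
    return [
        i for i, rule in enumerate(rules)
        if any("*" in rule.get(field, []) for field in RULE_FIELDS)
    ]


if __name__ == "__main__":
    print("pod-reader get pods:", is_allowed(POD_READER_RULES, "", "pods", "get"))
    print("pod-reader delete pods:", is_allowed(POD_READER_RULES, "", "pods", "delete"))
    print("pod-reader get pods/log:", is_allowed(POD_READER_RULES, "", "pods/log", "get"))
    print("wildcard rules in admin-like role:", wildcard_rules(CLUSTER_ADMIN_LIKE_RULES))
```

Note that a Role only defines permissions; nothing is granted until a RoleBinding ties it to a user, group or ServiceAccount, and a Role in namespace `default` cannot reach objects in other namespaces.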

3. Network Policy

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978
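The ingress section of the policy above is a single rule whose `from` list holds three separate peers (an `ipBlock` with an `except`, a `namespaceSelector`, and a `podSelector`), so a source matches if it satisfies any one of them, and the connection must additionally hit TCP/6379. A `podSelector` listed on its own only covers pods in the policy's own namespace. The following added example, which is not part of the original page, reproduces that ingress rule as a Python dict and evaluates whether a given source would be admitted to the `role: db` pods; it supports `matchLabels` only (no `matchExpressions`) and takes the source IP and labels as plain inputs, which is an assumption about how the caller describes a peer.

```python
import ipaddress

# The page's test-network-policy ingress rule, copied into Python (constructed from the YAML).
POLICY = {
    "namespace": "default",
    "ingress": [
        {
            "from": [
                {"ipBlock": {"cidr": "172.17.0.0/16", "except": ["172.17.1.0/24"]}},
                {"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
                {"podSelector": {"matchLabels": {"role": "frontend"}}},
            ],
            "ports": [{"protocol": "TCP", "port": 6379}],
        }
    ],
}


def _labels_match(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every key must be present with the same value.
    An empty selector matches everything, as in the API."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peer: dict, src: dict, policy_ns: str) -> bool:
    """One entry of a `from` list. Keys in one entry are ANDed; entries are ORed by the caller."""
    if "ipBlock" in peer:
        block = peer["ipBlock"]
        ip = ipaddress.ip_address(src["ip"])
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        # `except` carves holes out of the cidr
        return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is not None and not _labels_match(ns_sel, src["ns_labels"]):
        return False
    if pod_sel is not None:
        # podSelector without namespaceSelector is scoped to the policy's namespace
        if ns_sel is None and src["namespace"] != policy_ns:
            return False
        if not _labels_match(pod_sel, src["pod_labels"]):
            return False
    return True


def _port_matches(ports, protocol: str, port: int) -> bool:
    if not ports:  # omitted `ports` means every port
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)


def ingress_allowed(policy: dict, src: dict, protocol: str, port: int) -> bool:
    """True if any ingress rule admits the source on the given protocol/port.

    Because the policy selects the db pods and lists Ingress in policyTypes,
    anything this returns False for is dropped, including traffic from pods
    in the same namespace that carry no matching label.
    """
    for rule in policy["ingress"]:
        peers = rule.get("from", [])
        peer_ok = not peers or any(_peer_matches(p, src, policy["namespace"]) for p in peers)
        if peer_ok and _port_matches(rule.get("ports"), protocol, port):
            return True
    return False


# Constructed sample sources used below and in the checks.
FRONTEND_POD = {"ip": "10.244.1.7", "namespace": "default",
                "pod_labels": {"role": "frontend"}, "ns_labels": {}}
FOREIGN_FRONTEND = {"ip": "10.244.2.9", "namespace": "other",
                    "pod_labels": {"role": "frontend"}, "ns_labels": {}}
MYPROJECT_POD = {"ip": "10.244.3.4", "namespace": "other",
                 "pod_labels": {}, "ns_labels": {"project": "myproject"}}
EXTERNAL_OK = {"ip": "172.17.2.5", "namespace": "", "pod_labels": {}, "ns_labels": {}}
EXTERNAL_EXCEPTED = {"ip": "172.17.1.5", "namespace": "", "pod_labels": {}, "ns_labels": {}}

if __name__ == "__main__":
    for name, src in [("frontend", FRONTEND_POD), ("foreign frontend", FOREIGN_FRONTEND),
                      ("myproject ns", MYPROJECT_POD), ("172.17.2.5", EXTERNAL_OK),
                      ("172.17.1.5", EXTERNAL_EXCEPTED)]:
        print(f"{name:18} TCP/6379 -> {ingress_allowed(POLICY, src, 'TCP', 6379)}")
```

The foreign-namespace frontend pod is rejected even though its labels match, which is the behaviour people most often misread in this policy; the namespace-selected peer admits any pod in a `project: myproject` namespace regardless of its own labels.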

Monitoring and Logging

1. Metrics Server

2. Prometheus and Grafana

apiVersion: monitoring.coreos.com/v1
kind: Prometheus
metadata:
  name: prometheus
spec:
  serviceAccountName: prometheus
  serviceMonitorSelector:
    matchLabels:
      team: frontend
  resources:
    requests:
      memory: 400Mi

3. Kubernetes Dashboard

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0/aio/deploy/recommended.yaml

Kubernetes Architecture

1. Master node

+-------------------+
|    API Server     |
+-------------------+
|    Scheduler      |
+-------------------+
| Controller Manager|
+-------------------+
|      etcd         |
+-------------------+

2. Worker node

+-------------------+
|     Kubelet       |
+-------------------+
|   Kube Proxy      |
+-------------------+
| Container Runtime |
+-------------------+

3. Overall architecture

+-------------------+     +-------------------+
|      Master       | <-> |       Node        |
+-------------------+     +-------------------+
      ^                         ^
      |                         |
      v                         v
+-------------------+     +-------------------+
|      etcd         |     |      Pods         |
+-------------------+     +-------------------+

Frequently Asked Questions

1. What are the core components of Kubernetes?

2. What is the difference between a Pod and a container?

3. How do you make Kubernetes highly available?

4. What does the Kubernetes network model look like?

5. How do you implement autoscaling in Kubernetes?

6. How do you manage configuration in Kubernetes?

7. What scheduling policies does Kubernetes offer?

8. How do you implement persistent storage in Kubernetes?

9. How do you monitor a Kubernetes cluster?

10. How do you perform a rolling update in Kubernetes?