[k8s]k8s架构图解

k8s架构图解

启动参数及证书梳理

master端必须要装flannel

注: flannel网络能确保各节点间 Pod 网段实现互通
master 节点与 node 节点上的 Pods 通过 Pod 网络通信，所以需要在 master 节点上部署 Flannel 网络。

外部访问集群的方式:

• 1,ingress
• 2,通过apiserver 这种方式结合kube-proxy kubectl proxy --address='10.64.3.7' --port=8086 --accept-hosts='^*$'
  可以做一些内部url的一些限制.

浏览器访问 URL：http://10.64.3.7:8086/ui 自动跳转到：http://10.64.3.7:8086/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/#/workload?namespace=default

如果不做kubectl proxy 则意味着外界访问api没任何限制,加上后可以做一些限制.

kubectl proxy -h
...
Options:
      --accept-hosts='^localhost$,^127.0.0.1$,^[::1]$': Regular expression for hosts that the proxy should accept.
      --accept-paths='^.*': Regular expression for paths that the proxy should accept.
      --address='127.0.0.1': The IP address on which to serve on.
      --api-prefix='/': Prefix to serve the proxied API under.
      --disable-filter=false: If true, disable request filtering in the proxy. This is dangerous, and can leave you
vulnerable to XSRF attacks, when used with an accessible port.
  -p, --port=8001: The port on which to run the proxy. Set to 0 to pick a random port.
      --reject-methods='POST,PUT,PATCH': Regular expression for HTTP methods that the proxy should reject.
      --reject-paths='^/api/.*/pods/.*/exec,^/api/.*/pods/.*/attach': Regular expression for paths that the proxy should
reject.
  -u, --unix-socket='': Unix socket on which to run the proxy.
  -w, --www='': Also serve static files from the given directory under the specified prefix.
  -P, --www-prefix='/static/': Prefix to serve static files under, if static file directory is specified.

Usage:
  kubectl proxy [--port=PORT] [--www=static-dir] [--www-prefix=prefix] [--api-prefix=prefix] [options]

我认为 kubectl proxy --address='10.64.3.7' --port=8086 --accept-hosts='^*$' 不止可以加访问acl一个功能,还修改了监听地址.不然外界也访问不到.

[root@master]# kubectl clusterinfo
Command "clusterinfo" is deprecated, use "cluster-info" instead
Kubernetes master is running at http://localhost:8080
Heapster is running at http://localhost:8080/api/v1/namespaces/kube-system/services/heapster/proxy
KubeDNS is running at http://localhost:8080/api/v1/namespaces/kube-system/services/kube-dns/proxy
kubernetes-dashboard is running at http://localhost:8080/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy

traefix工作过程图解

ci流程