  • 02-Introduction to Kubernetes.md

    Introduction to Kubernetes

    Welcome

    Chapter 1. From Monolith to Microservices

    Chapter 2. Container Orchestration

    Chapter 3. Kubernetes

    Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.

    Kubernetes was created by Google and later donated to the CNCF. Its features include:

    • Container scheduling
    • Self-healing
    • Horizontal scaling
    • Service discovery and load balancing
    • Automated deployments and rollbacks
    • Secret and configuration management
    • Storage orchestration
    • Batch execution

    The Cloud Native Computing Foundation (CNCF) is one of the projects hosted by the Linux Foundation. CNCF aims to accelerate the adoption of containers, microservices, and cloud-native applications.

    Chapter 4. Kubernetes Architecture

    • One or more master nodes
    • One or more worker nodes
    • Distributed key-value store, such as etcd.

    Networking Challenges

    • Container-to-container communication inside Pods
    • Pod-to-Pod communication on the same node and across cluster nodes
    • Pod-to-Service communication within the same namespace and across cluster namespaces
    • External-to-Service communication for clients to access applications in a cluster.

    Chapter 5. Installing Kubernetes

    Chapter 6. Minikube - A Local Single-Node Kubernetes Cluster

    Chapter 7. Accessing Minikube

    Chapter 8. Kubernetes Building Blocks

    Label Selectors

    • Equality-Based Selectors
    • Set-Based Selectors

    ReplicationControllers vs ReplicaSets

    ReplicationControllers are no longer recommended. ReplicaSets support both equality- and set-based selectors, whereas ReplicationControllers only support equality-based selectors. Currently, this is the only difference.

    ReplicaSets can be used to control Pods, but their capabilities are limited; Deployments are recommended instead, since a Deployment automatically creates the ReplicaSet that controls the Pods.

    Deployments

    The DeploymentController is one of the master node components. It checks whether the current state matches the desired state and provides rolling updates and rollbacks. During a rolling update, the DeploymentController creates a new ReplicaSet B.

    • kubectl rollout history deploy [deploy-name] [--revision=n]: show the rollout history
    • kubectl set image deployment [deploy-name] [container-name]=[image-name]: update the image
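    A small model of what the notes describe: the controller moving Pods from ReplicaSet A onto a new ReplicaSet B, the revision list behind kubectl rollout history, and an undo that reuses the old ReplicaSet. This is an added example, not course code; image names and replica counts are constructed, and it simplifies the real rollout to one Pod at a time (the real controller also honours maxSurge/maxUnavailable).

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ReplicaSet:
    revision: int
    image: str
    replicas: int = 0


@dataclass
class Deployment:
    image: str      # Pod template, reduced to the container image
    desired: int    # spec.replicas
    replicasets: List[ReplicaSet] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Creating the Deployment creates ReplicaSet A (revision 1) at full scale.
        self.replicasets.append(ReplicaSet(1, self.image, self.desired))

    def rollout_history(self) -> List[Tuple[int, str]]:
        return sorted((rs.revision, rs.image) for rs in self.replicasets)  # oldest first

    def _reconcile(self, new: ReplicaSet) -> List[Tuple[int, int]]:
        """Move Pods one at a time onto `new` until current == desired; returns (old, new) per step."""
        old = [rs for rs in self.replicasets if rs is not new and rs.replicas > 0]
        steps = []
        while new.replicas < self.desired:
            new.replicas += 1
            donor = next(rs for rs in old if rs.replicas > 0)
            donor.replicas -= 1
            steps.append((sum(rs.replicas for rs in old), new.replicas))
        return steps

    def set_image(self, image: str) -> List[Tuple[int, int]]:
        """kubectl set image: a changed template creates ReplicaSet B and rolls onto it."""
        if image == self.image:
            return []  # template unchanged, nothing to roll
        self.image = image
        new = ReplicaSet(self.rollout_history()[-1][0] + 1, image)
        self.replicasets.append(new)
        return self._reconcile(new)

    def rollout_undo(self, to_revision: Optional[int] = None) -> List[Tuple[int, int]]:
        """kubectl rollout undo: the old ReplicaSet is reused and gets a fresh revision number."""
        history = self.rollout_history()
        target_rev = history[-2][0] if to_revision is None else to_revision
        target = next(rs for rs in self.replicasets if rs.revision == target_rev)
        target.revision = history[-1][0] + 1
        self.image = target.image
        return self._reconcile(target)
```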

    Namespaces

    Separate Namespaces can be created for different teams to control resources.

    After a k8s cluster is created, there are 4 namespaces by default:

    • kube-system: contains objects created by the k8s system
    • kube-public: its contents can be viewed by anyone
    • kube-node-lease: holds node lease objects used for node heartbeat data
    • default: contains objects created by administrators or developers

    Resource Quotas can be assigned to a namespace.

    Chapter 9. Authentication, Authorization, Admission Control

    Authentication

    k8s has 2 kinds of users: Normal Users (managed outside the cluster, e.g. via User/Client Certificates) and Service Accounts (managed inside the cluster). Anonymous access and user impersonation are also supported.

    https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies

    Chapter 10. Services

    A Service logically groups Pods and defines a policy for accessing them, avoiding the series of problems that come with accessing Pods directly.

    Services can expose single Pods, ReplicaSets, Deployments, DaemonSets, and StatefulSets.

    kind: Service
    apiVersion: v1
    metadata:
      name: frontend-svc
    spec:
      selector:
        app: frontend
      ports:
      - protocol: TCP
        port: 80
        targetPort: 5000 # defaults to the same value as port if not specified

    The Service automatically creates and manages an endpoint (e.g. 10.0.1.3:5000) for each Pod that satisfies the selector.
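    Added example (not from the course): the equality- and set-based selector rules from Chapter 8, evaluated the way Kubernetes evaluates them, and the endpoints the frontend-svc Service above would get. The Pods, their IPs and the set-based RS_SELECTOR are constructed sample data; a Service's spec.selector is the equality form only, while a ReplicaSet or Deployment may use both.

```python
from typing import Dict, List

# Constructed sample Pods (names, labels and IPs are made up; 10.0.1.3 echoes the notes).
PODS = [
    {"name": "frontend-1", "labels": {"app": "frontend", "env": "prod"}, "ip": "10.0.1.3"},
    {"name": "frontend-2", "labels": {"app": "frontend", "env": "dev"}, "ip": "10.0.2.7"},
    {"name": "backend-1", "labels": {"app": "backend", "env": "prod"}, "ip": "10.0.1.9"},
    {"name": "canary-1", "labels": {"app": "frontend", "env": "prod", "canary": "true"}, "ip": "10.0.3.2"},
]
# The frontend-svc Service from the notes, as a dict.
FRONTEND_SVC = {
    "kind": "Service", "apiVersion": "v1", "metadata": {"name": "frontend-svc"},
    "spec": {"selector": {"app": "frontend"},
             "ports": [{"protocol": "TCP", "port": 80, "targetPort": 5000}]},
}
# A set-based selector as a ReplicaSet/Deployment could use it (constructed).
RS_SELECTOR = {
    "matchLabels": {"app": "frontend"},
    "matchExpressions": [
        {"key": "env", "operator": "In", "values": ["prod"]},
        {"key": "canary", "operator": "DoesNotExist"},
    ],
}

def match_expression(labels: Dict[str, str], expr: Dict) -> bool:
    """Evaluate one set-based requirement (a matchExpressions entry)."""
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    if op == "In":
        return labels.get(key) in values          # missing key never matches
    if op == "NotIn":
        return labels.get(key) not in values      # missing key does match
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator {op!r}")

def selector_matches(selector: Dict, labels: Dict[str, str]) -> bool:
    """All matchLabels (equality) AND all matchExpressions (set-based) must hold."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    return all(match_expression(labels, e) for e in selector.get("matchExpressions", []))

def service_endpoints(service: Dict, pods: List[Dict]) -> List[str]:
    """ip:targetPort for every Pod matching spec.selector; targetPort falls back to port."""
    port = service["spec"]["ports"][0]
    target = port.get("targetPort", port["port"])
    selector = {"matchLabels": service["spec"]["selector"]}  # Services are equality-only
    return [f'{p["ip"]}:{target}' for p in pods if selector_matches(selector, p["labels"])]
```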

    kube-proxy

    Every worker node runs a daemon called kube-proxy, which watches the API server on the master node for the addition and removal of Services and endpoints.

    Service Discovery

    Two methods:

    • Environment Variables: the Service start-up order matters
    • DNS (the recommended way): my-svc.my-namespace.svc.cluster.local; within the same namespace a Service can be reached by its name alone, and from another namespace by appending the namespace, e.g. redis-master.my-ns

    ServiceType: ClusterIP and NodePort

    • ClusterIP: the default; reachable only from inside the cluster
    • NodePort: opens a random port in the 30000-32767 range on the worker nodes for access from outside the cluster

    ServiceType: LoadBalancer

    • Automatically creates a ClusterIP and a NodePort, then routes traffic to the NodePort
    • The port the Service opens on each node is static and the same on every node

    ServiceType: ExternalIP

    ServiceType: ExternalName

    Provides CNAME functionality, so the Service can be reached as my-database.example.com; within the same namespace it can also be reached as my-database.

    Chapter 11. Deploying a Stand-Alone Application

    • kubectl get pods -L [column-names,]
    • kubectl get pods -l [label=value]
    • kubectl expose deployment webserver --name=web-service --type=NodePort

    Liveness and Readiness Probes

    • Liveness Probe: checks whether the Pod is still alive; if not, a new Pod is started and the old one removed
    • Readiness Probe: checks whether the Pod is ready, after which it can be added to the endpoints and handle requests

    They can be defined in the following 3 ways:

    • Liveness command
    • Liveness HTTP request
    • TCP Liveness Probe.

    Chapter 12. Kubernetes Volume Management

    • emptyDir
      • An empty Volume is created for the Pod as soon as it is scheduled on the worker node. The Volume's life is tightly coupled with the Pod. If the Pod is terminated, the content of emptyDir is deleted forever.
    • hostPath
      • With the hostPath Volume Type, we can share a directory from the host to the Pod. If the Pod is terminated, the content of the Volume is still available on the host.
    • gcePersistentDisk
      • With the gcePersistentDisk Volume Type, we can mount a Google Compute Engine (GCE) persistent disk into a Pod.
    • awsElasticBlockStore
      • With the awsElasticBlockStore Volume Type, we can mount an AWS EBS Volume into a Pod.
    • azureDisk
      • With azureDisk we can mount a Microsoft Azure Data Disk into a Pod.
    • azureFile
      • With azureFile we can mount a Microsoft Azure File Volume into a Pod.
    • cephfs
      • With cephfs, an existing CephFS volume can be mounted into a Pod. When a Pod terminates, the volume is unmounted and the contents of the volume are preserved.
    • nfs
      • With nfs, we can mount an NFS share into a Pod.
    • iscsi
      • With iscsi, we can mount an iSCSI share into a Pod.
    • secret
      • With the secret Volume Type, we can pass sensitive information, such as passwords, to Pods. We will take a look at an example in a later chapter.
    • configMap
      • With configMap objects, we can provide configuration data, or shell commands and arguments into a Pod.
    • persistentVolumeClaim
      • We can attach a PersistentVolume to a Pod using a persistentVolumeClaim. We will cover this in our next section.

    PersistentVolume (PV) and PersistentVolumeClaim (PVC)

    Container Storage Interface (CSI)

    csi

    Chapter 13. ConfigMaps and Secrets

    ConfigMaps

    Two ways to create a ConfigMap:

    • From literal values:
      kubectl create configmap my-config --from-literal=key1=value1 --from-literal=key2=value2
      configmap/my-config created
    • From a manifest:
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: customer1
      data:
        key1: value1
        key2: value2

    Use ConfigMaps Inside Pods

    Use envFrom to load the whole ConfigMap into environment variables, env to load specific keys into environment variables, or mount the configMap as a volume:

    ...
      containers:
      - name: myapp-full-container
        image: myapp
        envFrom:
        - configMapRef:
          name: full-config-map
    ...
    
    ...
      containers:
      - name: myapp-specific-container
        image: myapp
        env:
        - name: SPECIFIC_ENV_VAR1
          valueFrom:
            configMapKeyRef:
              name: config-map-1
              key: SPECIFIC_DATA
        - name: SPECIFIC_ENV_VAR2
          valueFrom:
            configMapKeyRef:
              name: config-map-2
              key: SPECIFIC_INFO
    ...
    
    ...
      containers:
      - name: myapp-vol-container
        image: myapp
        volumeMounts:
        - name: config-volume
          mountPath: /etc/config
      volumes:
      - name: config-volume
        configMap:
          name: vol-config-map
    ...
    

    Secrets

    Use Secrets to avoid putting passwords and other confidential information in YAML files. Note, however, that Secrets are stored in etcd in plain text (not encrypted), so user access to etcd must be restricted.

    Create a Secret:

    • From a literal value:
      kubectl create secret generic my-password --from-literal=password=mysqlpassword
    • From a file:
      $ echo mysqlpassword | base64
      bXlzcWxwYXNzd29yZAo=

      $ echo -n 'bXlzcWxwYXNzd29yZAo=' > password.txt

      # Now we can create the Secret from the password.txt file:
      $ kubectl create secret generic my-file-password --from-file=password.txt
      secret/my-file-password created

    Create from a manifest, via data (which takes the base64 value) or stringData (which takes the plain value):

    apiVersion: v1
    kind: Secret
    metadata:
      name: my-password
    type: Opaque
    data:
      password: bXlzcWxwYXNzd29yZAo=

    apiVersion: v1
    kind: Secret
    metadata:
      name: my-password
    type: Opaque
    stringData:
      password: mysqlpassword

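    The base64 value in the notes was produced by `echo mysqlpassword | base64`, and `echo` appends a newline, so what the Secret actually stores is "mysqlpassword\n"; base64 is also a reversible encoding rather than encryption, which is why the etcd access restriction above matters. Added example, not course code: it decodes the notes' value to show the trailing newline, encodes byte-exactly, builds an Opaque Secret manifest from plain values and lints a manifest's data map (the manifest dicts and NOTES_VALUE are taken from the notes, the lint rules are this example's own).

```python
import base64
from typing import Dict

# Value copied from the notes above (output of `echo mysqlpassword | base64`).
NOTES_VALUE = "bXlzcWxwYXNzd29yZAo="

def decode_secret_value(encoded: str) -> str:
    """Reverse what is stored under .data: plain base64, no key involved."""
    return base64.b64decode(encoded).decode()

def encode_secret_value(plain: str) -> str:
    """Encode exactly the bytes given (what `printf '%s' ... | base64` or `echo -n` produce)."""
    return base64.b64encode(plain.encode()).decode()

def has_trailing_newline(encoded: str) -> bool:
    """Detect the `echo` pitfall: a stored value whose last byte is a newline."""
    return base64.b64decode(encoded).endswith(b"\n")

def build_secret_manifest(name: str, values: Dict[str, str]) -> Dict:
    """Build an Opaque Secret whose .data map is encoded byte-for-byte from plain values."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {k: encode_secret_value(v) for k, v in values.items()},
    }

def lint_secret_manifest(manifest: Dict) -> Dict[str, str]:
    """Return {key: problem} for .data entries that are not valid base64 (a plain value
    that belongs under stringData) or that carry a trailing newline. Empty dict means clean."""
    problems = {}
    for key, value in manifest.get("data", {}).items():
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems[key] = "not valid base64 (plain values belong under stringData)"
            continue
        if raw.endswith(b"\n"):
            problems[key] = "trailing newline (value was piped through echo without -n)"
    return problems
```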

    Use Secrets Inside Pods

    # Using Secrets as Environment Variables
    ....
    spec:
      containers:
      - image: wordpress:4.7.3-apache
        name: wordpress
        env:
        - name: WORDPRESS_DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: my-password
              key: password
    ....
    
    # Using Secrets as Files from a Pod
    ....
    spec:
      containers:
      - image: wordpress:4.7.3-apache
        name: wordpress
        volumeMounts:
        - name: secret-volume
          mountPath: "/etc/secret-data"
          readOnly: true
      volumes:
      - name: secret-volume
        secret:
          secretName: my-password
    ....
    

    Chapter 14. Ingress

    An Ingress is a collection of rules that allow inbound connections to reach the cluster Services.

    Ingress configures a Layer 7 HTTP/HTTPS load balancer for Services and provides the following:

    • TLS (Transport Layer Security)
    • Name-based virtual hosting
    • Fanout routing
    • Load balancing
    • Custom rules.

    Ingress Controller

    An Ingress Controller is an application that watches the Master Node's API server for changes in the Ingress resources and updates the Layer 7 Load Balancer accordingly.

    Chapter 15. Advanced Topics

    Annotations

    Unlike Labels, annotations are not used to identify and select objects. Annotations can be used to:

    • Store build/release IDs, PR numbers, git branch, etc.
    • Phone/pager numbers of people responsible, or directory entries specifying where such information can be found
    • Pointers to logging, monitoring, analytics, audit repositories, debugging tools, etc.
    • Etc.

    Jobs and CronJobs

    Quota Management

    We can set the following types of quotas per Namespace:

    • Compute Resource Quota
      • We can limit the total sum of compute resources (CPU, memory, etc.) that can be requested in a given Namespace.
    • Storage Resource Quota
      • We can limit the total sum of storage resources (PersistentVolumeClaims, requests.storage, etc.) that can be requested.
    • Object Count Quota
      • We can restrict the number of objects of a given type (pods, ConfigMaps, PersistentVolumeClaims, ReplicationControllers, Services, Secrets, etc.).

    Autoscaling

    • Horizontal Pod Autoscaler (HPA)
      • HPA is an algorithm-based controller API resource which automatically adjusts the number of replicas in a ReplicaSet, Deployment or Replication Controller based on CPU utilization.
    • Vertical Pod Autoscaler (VPA)
      • VPA automatically sets Container resource requirements (CPU and memory) in a Pod and dynamically adjusts them in runtime, based on historical utilization data, current resource availability and real-time events.
    • Cluster Autoscaler
      • Cluster Autoscaler automatically re-sizes the Kubernetes cluster when there are insufficient resources available for new Pods expecting to be scheduled or when there are underutilized nodes in the cluster.

    DaemonSets

    A specific type of Pod that runs on all nodes at all times.

    Newer versions also support running the Pods only on selected nodes via nodeSelectors and node affinity rules. DaemonSets also support rolling updates and rollbacks.

    StatefulSets

    statefulset

    Network Policies

    Monitoring and Logging

    • Metrics Server
    • Prometheus

    Chapter 16. Kubernetes Community

    Final Exam

  • Original article: https://www.cnblogs.com/windchen/p/12697076.html