标签：mat   cluster   组件   ranch   local   nes   节点   ret   ack   

Introduction to Kubernetes

Welcome

Chapter 1. From Monolith to Microservices

Chapter 2. Container Orchestration

Chapter 3. Kubernetes

Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.

Kubernetes由google创建，后捐给CNCF，功能包含：

• 容器调度
• 自我修复
• 水平扩展
• 服务发现和负载均衡
• 自动部署和回滚
• 机密和配置管理
• 存储编排
• 批处理

The Cloud Native Computing Foundation (CNCF) is one of the projects hosted by the Linux Foundation. CNCF aims to accelerate the adoption of containers, microservices, and cloud-native applications.

Chapter 4. Kubernetes Architecture

• One or more master nodes
• One or more worker nodes
• Distributed key-value store, such as etcd.

Networking Challenges

• Container-to-container communication inside Pods
• Pod-to-Pod communication on the same node and across cluster nodes
• Pod-to-Service communication within the same namespace and across cluster namespaces
• External-to-Service communication for clients to access applications in a cluster.

Chapter 4. Kubernetes Architecture

Chapter 5. Installing Kubernetes

Chapter 6. Minikube - A Local Single-Node Kubernetes Cluster

Chapter 7. Accessing Minikube

Chapter 8. Kubernetes Building Blocks

Label Selectors

• Equality-Based Selectors
• Set-Based Selectors

ReplicationControllers vs ReplicaSets

ReplicationControllers已经不推荐使用, ReplicaSets support both equality- and set-based selectors, whereas ReplicationControllers only support equality-based Selectors. Currently, this is the only difference.

ReplicaSets 可以用于控制pod，但是功能有限，推荐使用Deployments，它自动创建 ReplicaSet，用于控制pod。

Deployments

DeploymentController是master node的组件之一，用来确定现状和需求是否一致，并且提供滚动更新和回滚的功能。在滚动更新时，DeploymentController会创建一个新的ReplicaSet B。

• kubectl rollout history deploy [deploy-name] [--revision=n]，显示部署历史
• kubectl set image deployment [deploy-name] [container-name]=[image-name]，更新image

Namespaces

可以给不同的团队建立不同的Namespaces来控制资源。

k8s集群建立以后，默认有4个ns：

• kube-system：包含由k8s系统创建的对象
• kube-public：可以被任何人查看其中的内容
• kube-node-lease：which holds node lease objects used for node heartbeat data.
• default：包含由管理员或开发人员创建的对象

可以给ns分配Resource Quotas

Chapter 9. Authentication, Authorization, Admission Control

Authentication

k8s包含2种用户：Normal Users（集群外管理，User/Client Certificates等）和Service Accounts（集群中管理），当然，也支持匿名访问和模拟用户访问

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies

Chapter 10. Services

Service在逻辑上对Pod进行了分组并定义了访问Pod的策略，避免直接访问pod带来的一系列问题。

Services can expose single Pods, ReplicaSets, Deployments, DaemonSets, and StatefulSets.

kind: Service
apiVersion: v1
metadata:
  name: frontend-svc
spec:
  selector:
    app: frontend
  ports:
  - protocol: TCP
    port: 80
    targetPort: 5000 # 如果没有指定，则默认同 port

service会根据满足条件的pod自动创建和管理 endpoint（eg. 10.0.1.3:5000）

kube-proxy

所有工作节点都运行一个名为kube-proxy的守护进程，该守护进程监视主节点上的API server以了解服务和端点的添加和删除。

Service Discovery

两种：

• Environment Variables：需要注意service启动顺序
• DNS(推荐的方式)：my-svc.my-namespace.svc.cluster.local，同一个ns下，可以直接用service名称访问，不同ns下可以再加上ns访问，如 redis-master.my-ns

ServiceType: ClusterIP and NodePort

• ClusterIP：默认，仅能在集群内访问
• NodePort：在工作节点的30000-32767端口随机开放一个以供集群外部访问

ServiceType: LoadBalancer

• 自动创建 ClusterIP 和 NodePort，然后路由向 NodePort
• service在每个node开放的端口是静态且相同的

ServiceType: ExternalIP

ServiceType: ExternalName

提供 CNAME 功能，可以像这样访问服务：my-database.example.com，当在同一个ns下时，也可以通过 my-database 访问

Chapter 11. Deploying a Stand-Alone Application

• kubectl get pods -L [colume-names,]
• kubectl get pods -l [label=value]
• kubectl expose deployment webserver --name=web-service --type=NodePort

Liveness and Readiness Probes

• Liveness Probe：确认pod是否还活着，否则会启动新的pod并移除旧的
• Readiness Probe：确认pod是否已经准备好，进而可以加入endpoint处理请求

可以通过如下3种方式定义:

• Liveness command
• Liveness HTTP request
• TCP Liveness Probe.

Chapter 12. Kubernetes Volume Management

• emptyDir
  • An empty Volume is created for the Pod as soon as it is scheduled on the worker node. The Volume‘s life is tightly coupled with the Pod. If the Pod is terminated, the content of emptyDir is deleted forever.
• hostPath
  • With the hostPath Volume Type, we can share a directory from the host to the Pod. If the Pod is terminated, the content of the Volume is still available on the host.
• gcePersistentDisk
  • With the gcePersistentDisk Volume Type, we can mount a Google Compute Engine (GCE) persistent disk into a Pod.
• awsElasticBlockStore
  • With the awsElasticBlockStore Volume Type, we can mount an AWS EBS Volume into a Pod.
• azureDisk
  • With azureDisk we can mount a Microsoft Azure Data Disk into a Pod.
• azureFile
  • With azureFile we can mount a Microsoft Azure File Volume into a Pod.
• cephfs
  • With cephfs, an existing CephFS volume can be mounted into a Pod. When a Pod terminates, the volume is unmounted and the contents of the volume are preserved.
• nfs
  • With nfs, we can mount an NFS share into a Pod.
• iscsi
  • With iscsi, we can mount an iSCSI share into a Pod.
• secret
  • With the secret Volume Type, we can pass sensitive information, such as passwords, to Pods. We will take a look at an example in a later chapter.
• configMap
  • With configMap objects, we can provide configuration data, or shell commands and arguments into a Pod.
• persistentVolumeClaim
  • We can attach a PersistentVolume to a Pod using a persistentVolumeClaim. We will cover this in our next section.

PersistentVolume (PV) && PersistentVolumeClaim (PVC)

Container Storage Interface (CSI)

csi

Chapter 13. ConfigMaps and Secrets

ConfigMaps

创建ConfigMap的两种方式：

• kubectl create configmap my-config --from-literal=key1=value1 --from-literal=key2=value2
  configmap/my-config created

apiVersion: v1
kind: ConfigMap
metadata:
  name: customer1
data:
  key1: value1
  key2: value2

Use ConfigMaps Inside Pods

使用 envFrom 来加载所有的配置到环境变量，或者使用 env 来加载特定 key 到环境变量，或者使用 configMap 挂载到 volume 使用

...
  containers:
  - name: myapp-full-container
    image: myapp
    envFrom:
    - configMapRef:
      name: full-config-map
...

...
  containers:
  - name: myapp-specific-container
    image: myapp
    env:
    - name: SPECIFIC_ENV_VAR1
      valueFrom:
        configMapKeyRef:
          name: config-map-1
          key: SPECIFIC_DATA
    - name: SPECIFIC_ENV_VAR2
      valueFrom:
        configMapKeyRef:
          name: config-map-2
          key: SPECIFIC_INFO
...

...
  containers:
  - name: myapp-vol-container
    image: myapp
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
  - name: config-volume
    configMap:
      name: vol-config-map
...

Secrets

使用Secrets，避免将密码等机密信息放到yaml文件中。但是请注意，Secrets是以明文的形式存储在etcd中，所以需要限制user对etcd的访问权限。

创建Secrets：

• kubectl create secret generic my-password --from-literal=password=mysqlpassword

$ echo mysqlpassword | base64
 bXlzcWxwYXNzd29yZAo=

$ echo -n ‘bXlzcWxwYXNzd29yZAo=‘ > password.txt

# Now we can create the Secret from the password.txt file:
$ kubectl create secret generic my-file-password --from-file=password.txt
  secret/my-file-password created

通过 data 或 stringData 创建：

apiVersion: v1
kind: Secret
metadata:
  name: my-password
type: Opaque
data:
  password: bXlzcWxwYXNzd29yZAo=

apiVersion: v1
kind: Secret
metadata:
  name: my-password
type: Opaque
stringData:
  password: mysqlpassword

Use Secrets Inside Pods

# Using Secrets as Environment Variables
....
spec:
  containers:
  - image: wordpress:4.7.3-apache
    name: wordpress
    env:
    - name: WORDPRESS_DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: my-password
          key: password
....

# Using Secrets as Files from a Pod
....
spec:
  containers:
  - image: wordpress:4.7.3-apache
    name: wordpress
    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/secret-data"
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: my-password
....

Chapter 14. Ingress

An Ingress is a collection of rules that allow inbound connections to reach the cluster Services.

Ingress configures a Layer 7 HTTP/HTTPS load balancer for Services and provides the following:

• TLS (Transport Layer Security)
• Name-based virtual hosting
• Fanout routing
• Loadbalancing
• Custom rules.

Ingress Controller

An Ingress Controller is an application watching the Master Node‘s API server for changes in the Ingress resources and updates the Layer 7 Load Balancer accordingly

Chapter 15. Advanced Topics

Annotations

Unlike Labels, annotations are not used to identify and select objects. Annotations can be used to:

• Store build/release IDs, PR numbers, git branch, etc.
• Phone/pager numbers of people responsible, or directory entries specifying where such information can be found
• Pointers to logging, monitoring, analytics, audit repositories, debugging tools, etc.
• Etc.

Jobs and CronJobs

Quota Management

We can set the following types of quotas per Namespace:

• Compute Resource Quota
  • We can limit the total sum of compute resources (CPU, memory, etc.) that can be requested in a given Namespace.
• Storage Resource Quota
  • We can limit the total sum of storage resources (PersistentVolumeClaims, requests.storage, etc.) that can be requested.
• Object Count Quota
  • We can restrict the number of objects of a given type (pods, ConfigMaps, PersistentVolumeClaims, ReplicationControllers, Services, Secrets, etc.).

Autoscaling

• Horizontal Pod Autoscaler (HPA)
  • HPA is an algorithm based controller API resource which automatically adjusts the number of replicas in a ReplicaSet, Deployment or Replication Controller based on CPU utilization.
• Vertical Pod Autoscaler (VPA)
  • VPA automatically sets Container resource requirements (CPU and memory) in a Pod and dynamically adjusts them in runtime, based on historical utilization data, current resource availability and real-time events.
• Cluster Autoscaler
  • Cluster Autoscaler automatically re-sizes the Kubernetes cluster when there are insufficient resources available for new Pods expecting to be scheduled or when there are underutilized nodes in the cluster.

DaemonSets

a specific type of Pod running on all nodes at all times.

新功能也支持用nodeSelectors and node affinity rules在指定的node上跑pod. 另外 DaemonSets 也支持 rolling updates and rollbacks.

StatefulSets

statefulset

Network Policies

Monitoring and Logging

• Metrics Server
• Prometheus

Chapter 16. Kubernetes Community

Final Exam

02-Introduction to Kubernetes.md

标签：mat   cluster   组件   ranch   local   nes   节点   ret   ack   

原文地址：https://www.cnblogs.com/windchen/p/12697076.html