02-Introduction to Kubernetes.md

Introduction to Kubernetes

Welcome

Chapter 1. From Monolith to Microservices

Chapter 2. Container Orchestration

Chapter 3. Kubernetes

Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.

Kubernetes was created by Google and later donated to the CNCF. Its features include:

  • Container scheduling
  • Self-healing
  • Horizontal scaling
  • Service discovery and load balancing
  • Automated rollouts and rollbacks
  • Secret and configuration management
  • Storage orchestration
  • Batch execution

The Cloud Native Computing Foundation (CNCF) is one of the projects hosted by the Linux Foundation. CNCF aims to accelerate the adoption of containers, microservices, and cloud-native applications.

Chapter 4. Kubernetes Architecture

  • One or more master nodes
  • One or more worker nodes
  • Distributed key-value store, such as etcd.

Networking Challenges

  • Container-to-container communication inside Pods
  • Pod-to-Pod communication on the same node and across cluster nodes
  • Pod-to-Service communication within the same namespace and across cluster namespaces
  • External-to-Service communication for clients to access applications in a cluster.

Chapter 5. Installing Kubernetes

Chapter 6. Minikube - A Local Single-Node Kubernetes Cluster

Chapter 7. Accessing Minikube

Chapter 8. Kubernetes Building Blocks

Label Selectors

  • Equality-Based Selectors
  • Set-Based Selectors

ReplicationControllers vs ReplicaSets

ReplicationControllers are no longer recommended. ReplicaSets support both equality- and set-based selectors, whereas ReplicationControllers only support equality-based selectors. Currently, this is the only difference.

ReplicaSets can be used to control Pods, but their functionality is limited, so Deployments are recommended instead. A Deployment automatically creates a ReplicaSet, which in turn controls the Pods.

Deployments

The DeploymentController is one of the master node components. It checks whether the current state matches the desired state, and it provides rolling updates and rollbacks. During a rolling update, the DeploymentController creates a new ReplicaSet B.

  • kubectl rollout history deploy [deploy-name] [--revision=n]: show the rollout history of a Deployment
  • kubectl set image deployment [deploy-name] [container-name]=[image-name]: update the container image

Namespaces

Separate Namespaces can be created for different teams to partition resources.

After a cluster is created, there are four Namespaces by default:

  • kube-system: contains objects created by the Kubernetes system
  • kube-public: its contents are readable by anyone
  • kube-node-lease: holds node lease objects used for node heartbeat data
  • default: contains objects created by administrators or developers

Resource Quotas can be assigned to Namespaces.

Chapter 9. Authentication, Authorization, Admission Control

Authentication

Kubernetes has two kinds of users: Normal Users (managed outside the cluster, e.g. via User/Client Certificates) and Service Accounts (managed inside the cluster). Anonymous requests and user impersonation are also supported.

https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies

Chapter 10. Services

A Service logically groups Pods and defines a policy for accessing them, avoiding the problems that come with accessing Pods directly.

Services can expose single Pods, ReplicaSets, Deployments, DaemonSets, and StatefulSets.

kind: Service
apiVersion: v1
metadata:
  name: frontend-svc
spec:
  selector:
    app: frontend
  ports:
  - protocol: TCP
    port: 80
    targetPort: 5000 # defaults to the value of port if not specified

The Service automatically creates and manages endpoints (e.g. 10.0.1.3:5000) for the Pods that match its selector.
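
To make the selector mechanics from the Label Selectors section and the endpoint behaviour described here concrete, the following is an added Python example (not code from the course or from these notes). It models both equality-based selectors (the only kind a Service's spec.selector or a ReplicationController accepts) and set-based selectors (in, notin, exists), then derives the endpoint list a Service would publish; only Pods that pass their readiness probe are included. Pod names, IPs and labels are constructed sample data.

```python
"""Label-selector matching and Service endpoint derivation (added example).

Not from the course notes: a pure-Python model of how a Service's selector
picks Pods and how the resulting endpoint list is built. All Pods, IPs and
labels are constructed sample data.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    ip: str
    labels: dict = field(default_factory=dict)
    ready: bool = True  # outcome of the Pod's readiness probe


def _split_terms(selector: str):
    """Split 'a=b,env in (prod, qa)' on commas outside parentheses."""
    terms, depth, current = [], 0, ""
    for ch in selector:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            terms.append(current.strip())
            current = ""
        else:
            current += ch
    if current.strip():
        terms.append(current.strip())
    return terms


_SET_TERM = re.compile(r"^(\S+)\s+(in|notin)\s+\((.*)\)$")


def matches(selector: str, labels: dict) -> bool:
    """Evaluate a kubectl-style label selector against a label map.

    Equality-based: key=value, key==value, key!=value
    Set-based:      key in (v1,v2), key notin (v1,v2), key (exists), !key
    All comma-separated terms must hold (logical AND); "" matches everything.
    """
    for term in _split_terms(selector):
        m = _SET_TERM.match(term)
        if m:
            key, op, values = m.group(1), m.group(2), {v.strip() for v in m.group(3).split(",")}
            if op == "in" and labels.get(key) not in values:
                return False
            if op == "notin" and key in labels and labels[key] in values:
                return False
        elif "!=" in term:
            key, value = (s.strip() for s in term.split("!=", 1))
            if labels.get(key) == value:
                return False
        elif "=" in term:
            key, value = (s.strip() for s in term.replace("==", "=").split("=", 1))
            if labels.get(key) != value:
                return False
        elif term.startswith("!"):
            if term[1:].strip() in labels:
                return False
        elif term not in labels:
            return False
    return True


def endpoints(selector, pods, target_port: int):
    """Endpoint addresses a Service would publish for `selector`.

    `selector` may be a label map (what Service.spec.selector takes: equality
    only) or a selector string (set-based terms, as ReplicaSets allow). Only
    Pods that match AND are Ready are included, mirroring the Endpoints object.
    """
    if isinstance(selector, dict):
        selector = ",".join(f"{k}={v}" for k, v in selector.items())
    if not selector:
        return []  # a Service without a selector gets no automatic endpoints
    return sorted(f"{p.ip}:{target_port}" for p in pods
                  if p.ready and matches(selector, p.labels))


# Constructed sample Pods (names, IPs and labels are made up for this example).
SAMPLE_PODS = [
    Pod("frontend-1", "10.0.1.3", {"app": "frontend", "env": "prod"}),
    Pod("frontend-2", "10.0.1.4", {"app": "frontend", "env": "prod"}, ready=False),
    Pod("frontend-qa", "10.0.2.7", {"app": "frontend", "env": "qa"}),
    Pod("db-1", "10.0.3.9", {"app": "db", "env": "prod"}),
]

if __name__ == "__main__":
    # The frontend-svc manifest above selects app=frontend; frontend-2 is not
    # Ready, so it never appears in the endpoint list.
    print(endpoints({"app": "frontend"}, SAMPLE_PODS, 5000))
    # A set-based selector, which ReplicaSets accept and ReplicationControllers do not.
    print(endpoints("app=frontend,env in (prod, staging)", SAMPLE_PODS, 5000))
```

The second call shows why the selector difference between ReplicaSets and ReplicationControllers matters: `env in (prod, staging)` cannot be expressed as a plain key=value map.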

kube-proxy

Every worker node runs a daemon called kube-proxy, which watches the API server on the master node for the addition and removal of Services and endpoints.

Service Discovery

There are two methods:

  • Environment Variables: note that the Service must exist before the Pods that use it are started (start order matters)
  • DNS (the recommended method): my-svc.my-namespace.svc.cluster.local; within the same namespace a Service can be reached by its name alone, and from another namespace by appending the namespace, e.g. redis-master.my-ns

ServiceType: ClusterIP and NodePort

  • ClusterIP: the default; reachable only from inside the cluster
  • NodePort: opens a random port in the 30000-32767 range on the worker nodes for access from outside the cluster

ServiceType: LoadBalancer

  • Automatically creates a ClusterIP and a NodePort, and routes traffic to the NodePort
  • The port the Service opens is static and identical on every node

ServiceType: ExternalIP

ServiceType: ExternalName

Provides CNAME functionality: the Service can be reached as my-database.example.com and, from within the same namespace, simply as my-database.

Chapter 11. Deploying a Stand-Alone Application

  • kubectl get pods -L [column-names,]
  • kubectl get pods -l [label=value]
  • kubectl expose deployment webserver --name=web-service --type=NodePort

Liveness and Readiness Probes

  • Liveness Probe: checks whether the Pod is still alive; if it fails, a new Pod is started and the old one is removed
  • Readiness Probe: checks whether the Pod is ready, so that it can be added to the endpoints and receive requests

Probes can be defined in one of three ways:

  • Liveness command
  • Liveness HTTP request
  • TCP Liveness Probe.
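
As an added example (not from the course notes), the following Python models how the kubelet turns a stream of probe results into actions. It assumes the Kubernetes default thresholds (failureThreshold=3, successThreshold=1): three consecutive liveness failures restart the container, while readiness failures only remove the Pod from the Service endpoints, and a restarted container must pass readiness again before it receives traffic. The probe result sequences are constructed.

```python
"""Liveness vs readiness probe semantics, modelled in plain Python (added example).

Not from the course notes: a minimal model of what the kubelet does with probe
results. Thresholds follow the Kubernetes defaults (failureThreshold=3,
successThreshold=1); the result sequences used are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class ProbeState:
    """Tracks consecutive results for one probe, like the kubelet's prober."""
    failure_threshold: int = 3
    success_threshold: int = 1
    consecutive_failures: int = 0
    consecutive_successes: int = 0
    healthy: bool = True  # liveness starts as OK; readiness starts as not Ready

    def record(self, ok: bool) -> bool:
        """Feed one probe result and return the probe's current verdict."""
        if ok:
            self.consecutive_successes += 1
            self.consecutive_failures = 0
            if self.consecutive_successes >= self.success_threshold:
                self.healthy = True
        else:
            self.consecutive_failures += 1
            self.consecutive_successes = 0
            if self.consecutive_failures >= self.failure_threshold:
                self.healthy = False
        return self.healthy


def simulate(liveness_results, readiness_results):
    """Run both probes over the same time steps.

    Returns (restarts, serving): how many times the liveness probe caused a
    container restart, and a per-step list saying whether the Pod was part of
    the Service endpoints (i.e. Ready) at that step.
    """
    liveness = ProbeState()
    readiness = ProbeState(healthy=False)  # not Ready until the first success
    restarts = 0
    serving = []
    for live_ok, ready_ok in zip(liveness_results, readiness_results):
        if not liveness.record(live_ok):
            restarts += 1
            liveness = ProbeState()                 # restarted container: counters reset
            readiness = ProbeState(healthy=False)   # and it must prove readiness again
            serving.append(False)
            continue
        serving.append(readiness.record(ready_ok))
    return restarts, serving


if __name__ == "__main__":
    # Constructed scenario 1: the app hangs for three checks, then recovers.
    print(simulate([True] * 3 + [False] * 3 + [True] * 2,
                   [False, True, True, True, False, False, False, True]))
    # Constructed scenario 2: the app is alive but temporarily cannot serve;
    # it leaves the endpoints for one step and is never restarted.
    print(simulate([True] * 5, [True, False, False, False, True]))
```

Scenario 2 is the case the two probes are designed to separate: a readiness failure alone never restarts anything, it only stops traffic until the Pod recovers.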

Chapter 12. Kubernetes Volume Management

  • emptyDir
    • An empty Volume is created for the Pod as soon as it is scheduled on the worker node. The Volume's life is tightly coupled with the Pod. If the Pod is terminated, the content of emptyDir is deleted forever.
  • hostPath
    • With the hostPath Volume Type, we can share a directory from the host to the Pod. If the Pod is terminated, the content of the Volume is still available on the host.
  • gcePersistentDisk
    • With the gcePersistentDisk Volume Type, we can mount a Google Compute Engine (GCE) persistent disk into a Pod.
  • awsElasticBlockStore
    • With the awsElasticBlockStore Volume Type, we can mount an AWS EBS Volume into a Pod.
  • azureDisk
    • With azureDisk we can mount a Microsoft Azure Data Disk into a Pod.
  • azureFile
    • With azureFile we can mount a Microsoft Azure File Volume into a Pod.
  • cephfs
    • With cephfs, an existing CephFS volume can be mounted into a Pod. When a Pod terminates, the volume is unmounted and the contents of the volume are preserved.
  • nfs
    • With nfs, we can mount an NFS share into a Pod.
  • iscsi
    • With iscsi, we can mount an iSCSI share into a Pod.
  • secret
    • With the secret Volume Type, we can pass sensitive information, such as passwords, to Pods. We will take a look at an example in a later chapter.
  • configMap
    • With configMap objects, we can provide configuration data, or shell commands and arguments into a Pod.
  • persistentVolumeClaim
    • We can attach a PersistentVolume to a Pod using a persistentVolumeClaim. We will cover this in our next section.

PersistentVolume (PV) and PersistentVolumeClaim (PVC)

Container Storage Interface (CSI)

Chapter 13. ConfigMaps and Secrets

ConfigMaps

There are two ways to create a ConfigMap:

  • From literal values: kubectl create configmap my-config --from-literal=key1=value1 --from-literal=key2=value2

    configmap/my-config created

  • From a manifest file:

apiVersion: v1
kind: ConfigMap
metadata:
  name: customer1
data:
  key1: value1
  key2: value2

Use ConfigMaps Inside Pods

Use envFrom to load all keys of a ConfigMap as environment variables, env to load specific keys as environment variables, or mount the ConfigMap as a volume.

...
  containers:
  - name: myapp-full-container
    image: myapp
    envFrom:
    - configMapRef:
        name: full-config-map
...

...
  containers:
  - name: myapp-specific-container
    image: myapp
    env:
    - name: SPECIFIC_ENV_VAR1
      valueFrom:
        configMapKeyRef:
          name: config-map-1
          key: SPECIFIC_DATA
    - name: SPECIFIC_ENV_VAR2
      valueFrom:
        configMapKeyRef:
          name: config-map-2
          key: SPECIFIC_INFO
...

...
  containers:
  - name: myapp-vol-container
    image: myapp
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
  - name: config-volume
    configMap:
      name: vol-config-map
...

Secrets

Use Secrets to avoid putting passwords and other confidential information in YAML files. Note, however, that Secrets are stored in plain text in etcd, so users' access to etcd must be restricted.

Creating a Secret:

  • From a literal value: kubectl create secret generic my-password --from-literal=password=mysqlpassword
  • From a file:

$ echo mysqlpassword | base64
bXlzcWxwYXNzd29yZAo=
# Note: echo without -n appends a newline, so this value decodes to "mysqlpassword\n".

$ echo -n 'bXlzcWxwYXNzd29yZAo=' > password.txt

# Now we can create the Secret from the password.txt file:
# (--from-file stores the file's bytes verbatim and kubectl base64-encodes them itself,
#  so the file should hold the raw password; the base64 string belongs in a manifest's data: field, shown next.)
$ kubectl create secret generic my-file-password --from-file=password.txt
secret/my-file-password created

Or define it in a manifest using data (base64-encoded) or stringData (plain text):

apiVersion: v1
kind: Secret
metadata:
  name: my-password
type: Opaque
data:
  password: bXlzcWxwYXNzd29yZAo=

apiVersion: v1
kind: Secret
metadata:
  name: my-password
type: Opaque
stringData:
  password: mysqlpassword
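
An added Python example (not from the course notes) that decodes the two manifests above and makes the pitfall in the echo | base64 step visible: the data: value decodes to "mysqlpassword\n" because echo appended a newline, whereas the stringData: form yields exactly mysqlpassword. The manifests are reproduced inline as dicts; the helper names are this example's own.

```python
"""Checking Secret values for the trailing-newline pitfall (added example).

Not from the course notes: decodes the base64 value produced above by
`echo mysqlpassword | base64` and compares it with the stringData form.
The two manifests are reproduced inline as Python dicts.
"""
import base64

SECRET_FROM_DATA = {  # mirrors the `data:` manifest above
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "my-password"},
    "data": {"password": "bXlzcWxwYXNzd29yZAo="},
}

SECRET_FROM_STRINGDATA = {  # mirrors the `stringData:` manifest above
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "my-password"},
    "stringData": {"password": "mysqlpassword"},
}


def decoded_values(secret: dict) -> dict:
    """Return each key with the bytes a Pod would see in the env var or file.

    `data` holds base64; `stringData` holds plain strings that the API server
    base64-encodes on write. If both carry the same key, stringData wins.
    """
    out = {k: base64.b64decode(v, validate=True) for k, v in secret.get("data", {}).items()}
    for k, v in secret.get("stringData", {}).items():
        out[k] = v.encode()
    return out


def trailing_newline_keys(secret: dict) -> list:
    """Keys whose value ends in a newline, the usual result of `echo` without -n."""
    return sorted(k for k, v in decoded_values(secret).items() if v.endswith(b"\n"))


def encode_literal(value: str) -> str:
    """The value to put under `data:` for exactly `value`, with no newline added."""
    return base64.b64encode(value.encode()).decode()


if __name__ == "__main__":
    print(decoded_values(SECRET_FROM_DATA))         # {'password': b'mysqlpassword\n'}
    print(trailing_newline_keys(SECRET_FROM_DATA))  # ['password']
    print(decoded_values(SECRET_FROM_STRINGDATA))   # {'password': b'mysqlpassword'}
    print(encode_literal("mysqlpassword"))          # bXlzcWxwYXNzd29yZA==
```

A database client handed the data: version will send a password ending in a newline and fail to authenticate, which is a common and hard-to-spot cause of "wrong password" errors after a Secret rollout; base64 encoding is reversible and offers no confidentiality, which is why the text above insists on restricting etcd access.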

Use Secrets Inside Pods

# Using Secrets as Environment Variables
....
spec:
  containers:
  - image: wordpress:4.7.3-apache
    name: wordpress
    env:
    - name: WORDPRESS_DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: my-password
          key: password
....

# Using Secrets as Files from a Pod
....
spec:
  containers:
  - image: wordpress:4.7.3-apache
    name: wordpress
    volumeMounts:
    - name: secret-volume
      mountPath: "/etc/secret-data"
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: my-password
....

Chapter 14. Ingress

An Ingress is a collection of rules that allow inbound connections to reach the cluster Services.

Ingress configures a Layer 7 HTTP/HTTPS load balancer for Services and provides the following:

  • TLS (Transport Layer Security)
  • Name-based virtual hosting
  • Fanout routing
  • Loadbalancing
  • Custom rules.

Ingress Controller

An Ingress Controller is an application watching the Master Node's API server for changes in the Ingress resources and updates the Layer 7 Load Balancer accordingly.
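
As an added example (not from the course notes), this Python function models how an Ingress Controller chooses a backend Service from a request's Host header and path, covering name-based virtual hosting (including a single-label wildcard host), fanout by path prefix, exact paths and a default backend. The hosts, paths and Service names are constructed.

```python
"""Ingress rule matching: name-based virtual hosting and fanout (added example).

Not from the course notes: a minimal model of how an Ingress Controller maps a
request's Host header and path to a backend Service. Hosts, paths and Service
names below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    host: str          # "" means the rule applies to any host
    path: str
    path_type: str     # "Exact" or "Prefix"
    service: str
    port: int


def _path_matches(rule: Rule, path: str) -> bool:
    if rule.path_type == "Exact":
        return path == rule.path
    # Prefix matching is element-wise on "/"-separated segments:
    # /foo matches /foo and /foo/bar, but not /foobar.
    prefix = rule.path.rstrip("/") or "/"
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def _host_matches(rule: Rule, host: str) -> bool:
    if rule.host == "":
        return True
    if rule.host.startswith("*."):  # a wildcard covers exactly one DNS label
        suffix = rule.host[1:]
        return host.endswith(suffix) and host.count(".") == rule.host.count(".")
    return host == rule.host


def route(rules, host: str, path: str, default_backend=None):
    """Pick the (service, port) backend for a request.

    Rules for the request's host beat host-less rules; among those, the longest
    matching path wins, and an Exact path beats a Prefix path of equal length.
    Falls back to the default backend (None here), which is what the controller
    answers 404 from.
    """
    host = host.split(":")[0].lower()  # drop any port; Host is case-insensitive
    best, best_key = None, None
    for r in rules:
        if not _host_matches(r, host) or not _path_matches(r, path):
            continue
        key = (r.host != "", len(r.path.rstrip("/")), r.path_type == "Exact")
        if best_key is None or key > best_key:
            best, best_key = r, key
    if best is None:
        return default_backend
    return (best.service, best.port)


# Constructed sample rules: one virtual host with fanout, one wildcard host,
# and a catch-all rule without a host.
SAMPLE_RULES = [
    Rule("shop.example.com", "/", "Prefix", "shop-frontend", 80),
    Rule("shop.example.com", "/api", "Prefix", "shop-api", 8080),
    Rule("shop.example.com", "/healthz", "Exact", "health-svc", 9000),
    Rule("*.blog.example.com", "/", "Prefix", "blog", 80),
    Rule("", "/", "Prefix", "catch-all", 80),
]

if __name__ == "__main__":
    print(route(SAMPLE_RULES, "shop.example.com", "/api/v1/items"))   # ('shop-api', 8080)
    print(route(SAMPLE_RULES, "shop.example.com", "/apiary"))         # ('shop-frontend', 80)
    print(route(SAMPLE_RULES, "SHOP.example.com:443", "/healthz"))    # ('health-svc', 9000)
    print(route(SAMPLE_RULES, "dev.blog.example.com", "/posts"))      # ('blog', 80)
    print(route(SAMPLE_RULES, "a.b.blog.example.com", "/"))           # ('catch-all', 80)
```

The "/apiary" case is the one worth remembering when reviewing Ingress rules: Prefix matching is per path segment, so a rule for /api does not accidentally capture /apiary, and a wildcard host matches only one label, so a deeper subdomain falls through to the catch-all.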

Chapter 15. Advanced Topics

Annotations

Unlike Labels, annotations are not used to identify and select objects. Annotations can be used to:

  • Store build/release IDs, PR numbers, git branch, etc.
  • Phone/pager numbers of people responsible, or directory entries specifying where such information can be found
  • Pointers to logging, monitoring, analytics, audit repositories, debugging tools, etc.
  • Etc.

Jobs and CronJobs

Quota Management

We can set the following types of quotas per Namespace:

  • Compute Resource Quota
    • We can limit the total sum of compute resources (CPU, memory, etc.) that can be requested in a given Namespace.
  • Storage Resource Quota
    • We can limit the total sum of storage resources (PersistentVolumeClaims, requests.storage, etc.) that can be requested.
  • Object Count Quota
    • We can restrict the number of objects of a given type (pods, ConfigMaps, PersistentVolumeClaims, ReplicationControllers, Services, Secrets, etc.).
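
The following added Python example (not from the course notes) models the check the ResourceQuota admission controller performs before a Pod is created in a Namespace that carries a quota; it also illustrates the Resource Quotas mentioned under Namespaces. It parses quantity strings such as 500m and 2Gi exactly, sums the Pod's container requests and limits, rejects Pods that omit a compute request the quota constrains, and refuses the Pod when used plus requested would exceed the hard limit. Quota, usage and Pod figures are constructed sample data.

```python
"""ResourceQuota admission check: does a new Pod fit the Namespace quota? (added example)

Not from the course notes: a Python model of the check the ResourceQuota
admission controller performs. Quantities are parsed exactly with Fractions.
The quota, usage and Pod figures below are constructed sample data.
"""
import re
from fractions import Fraction

# Decimal and binary SI suffixes accepted in Kubernetes resource quantities.
_SUFFIX = {
    "": Fraction(1), "m": Fraction(1, 1000),
    "k": Fraction(10 ** 3), "M": Fraction(10 ** 6), "G": Fraction(10 ** 9), "T": Fraction(10 ** 12),
    "Ki": Fraction(2 ** 10), "Mi": Fraction(2 ** 20), "Gi": Fraction(2 ** 30), "Ti": Fraction(2 ** 40),
}
_QTY = re.compile(r"^(\d+(?:\.\d+)?)([A-Za-z]*)$")

# Quota keys that, when present in `hard`, force every Pod to declare them.
_COMPUTE = {"requests.cpu", "requests.memory", "limits.cpu", "limits.memory"}
_ALIASES = {"cpu": "requests.cpu", "memory": "requests.memory"}


def parse_quantity(q) -> Fraction:
    """'500m' -> 1/2, '2Gi' -> 2147483648, '0.1' -> 1/10. Exact, no float rounding."""
    m = _QTY.match(str(q).strip())
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"bad quantity: {q!r}")
    return Fraction(m.group(1)) * _SUFFIX[m.group(2)]


def pod_usage(pod: dict) -> dict:
    """Total what admitting `pod` would add to the Namespace's quota usage."""
    totals = {"pods": Fraction(1)}
    for c in pod.get("spec", {}).get("containers", []):
        for kind in ("requests", "limits"):
            for res, val in c.get("resources", {}).get(kind, {}).items():
                key = f"{kind}.{res}"
                totals[key] = totals.get(key, Fraction(0)) + parse_quantity(val)
    return totals


def admit(hard: dict, used: dict, pod: dict):
    """Return (admitted, violations) for creating `pod` in the Namespace.

    For every resource the quota constrains: the Pod must declare it if it is a
    compute resource, and used + requested must not exceed the hard limit.
    Resources absent from `hard` are unconstrained, as with a real ResourceQuota.
    """
    wanted = pod_usage(pod)
    violations = []
    for raw_res, limit in hard.items():
        res = _ALIASES.get(raw_res, raw_res)
        if res not in wanted:
            if res in _COMPUTE:
                violations.append(f"{raw_res}: pod must specify {res} when the quota constrains it")
            continue
        projected = parse_quantity(used.get(raw_res, "0")) + wanted[res]
        if projected > parse_quantity(limit):
            violations.append(f"{raw_res}: used {used.get(raw_res, '0')} + requested "
                              f"{float(wanted[res])} exceeds hard {limit}")
    return (not violations, violations)


# Constructed sample quota (hard limits), current Namespace usage, and Pods.
QUOTA_HARD = {"pods": "10", "requests.cpu": "4", "requests.memory": "8Gi", "count/secrets": "20"}
USED = {"pods": "9", "requests.cpu": "3500m", "requests.memory": "7Gi"}
POD_OK = {"spec": {"containers": [
    {"name": "app", "resources": {"requests": {"cpu": "250m", "memory": "512Mi"}}}]}}
POD_TOO_BIG = {"spec": {"containers": [
    {"name": "app", "resources": {"requests": {"cpu": "250m", "memory": "1Gi"}}},
    {"name": "sidecar", "resources": {"requests": {"cpu": "500m", "memory": "256Mi"}}}]}}
POD_NO_REQUESTS = {"spec": {"containers": [{"name": "app"}]}}

if __name__ == "__main__":
    for name, pod in [("ok", POD_OK), ("too-big", POD_TOO_BIG), ("no-requests", POD_NO_REQUESTS)]:
        admitted, why = admit(QUOTA_HARD, USED, pod)
        print(name, "admitted" if admitted else "rejected", why)
```

POD_NO_REQUESTS is the case that surprises people: a Namespace with a compute quota refuses Pods that do not state their requests at all, which is one reason to pair quotas with LimitRange defaults.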

Autoscaling

  • Horizontal Pod Autoscaler (HPA)
    • HPA is an algorithm based controller API resource which automatically adjusts the number of replicas in a ReplicaSet, Deployment or Replication Controller based on CPU utilization.
  • Vertical Pod Autoscaler (VPA)
    • VPA automatically sets Container resource requirements (CPU and memory) in a Pod and dynamically adjusts them in runtime, based on historical utilization data, current resource availability and real-time events.
  • Cluster Autoscaler
    • Cluster Autoscaler automatically re-sizes the Kubernetes cluster when there are insufficient resources available for new Pods expecting to be scheduled or when there are underutilized nodes in the cluster.
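
An added Python example (not from the course notes) of the HPA's replica calculation: desiredReplicas = ceil(currentReplicas × currentMetric / targetMetric), skipped when the ratio lies within the controller's default 10 % tolerance and clamped to minReplicas/maxReplicas. Utilisation is measured against the Pods' CPU requests. All figures are constructed.

```python
"""The Horizontal Pod Autoscaler's replica computation (added example).

Not from the course notes: the formula the HPA controller applies for a
utilisation-based metric, with the default 10 % tolerance and min/max bounds.
Input figures are constructed sample data.
"""
import math


def desired_replicas(current_replicas: int, current_utilization: float,
                     target_utilization: float, min_replicas: int = 1,
                     max_replicas: int = 10, tolerance: float = 0.1) -> int:
    """desiredReplicas = ceil(currentReplicas * currentMetric / targetMetric).

    No scaling happens while the ratio is within `tolerance` of 1.0 (this
    avoids flapping); the result is always clamped to [min_replicas, max_replicas].
    """
    ratio = current_utilization / target_utilization
    if abs(ratio - 1.0) <= tolerance:
        desired = current_replicas  # inside the tolerance band: leave it alone
    else:
        desired = math.ceil(current_replicas * ratio)
    return max(min_replicas, min(max_replicas, desired))


def pod_utilization(cpu_used_millicores, cpu_requests_millicores) -> float:
    """Average utilisation as a percentage of the Pods' CPU *requests*, which is
    what the HPA compares against targetCPUUtilizationPercentage. Pods without
    a CPU request cannot be autoscaled on utilisation for exactly this reason.
    """
    return 100.0 * sum(cpu_used_millicores) / sum(cpu_requests_millicores)


if __name__ == "__main__":
    # Constructed: three Pods requesting 500m each and using 300m, 350m, 250m.
    util = pod_utilization([300, 350, 250], [500, 500, 500])   # 60.0 %
    print(util, desired_replicas(3, util, 50.0))              # 60.0 4
    print(desired_replicas(3, 90.0, 50.0))                    # 6: 3 * 1.8 = 5.4, rounded up
    print(desired_replicas(3, 52.0, 50.0))                    # 3: within the 10 % tolerance
    print(desired_replicas(6, 20.0, 50.0, min_replicas=2))    # 3: scale-in, still above min
    print(desired_replicas(4, 100.0, 50.0, max_replicas=6))   # 6: capped at maxReplicas
```

Scale-in in the real controller is additionally delayed by a stabilization window, so the last two calls show the target the controller converges to, not what happens on the next tick.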

DaemonSets

A DaemonSet is a specific type of Pod that runs on all nodes at all times.

Newer versions also support running the Pods only on selected nodes using nodeSelectors and node affinity rules. DaemonSets also support rolling updates and rollbacks.

StatefulSets

Network Policies

Monitoring and Logging

  • Metrics Server
  • Prometheus

Chapter 16. Kubernetes Community

Final Exam

Original article: https://www.cnblogs.com/windchen/p/12697076.html

Date: 2024-11-13 05:44:18
