The book "Kubernetes for DevOps"

Hello, Habr readers! Kubernetes is one of the key components of the modern cloud ecosystem. This technology provides reliability, scalability and resilience for container orchestration. John Arundel and Justin Domingus describe the Kubernetes ecosystem and present proven solutions to everyday problems. Step by step, you will build your own cloud-native application and create the infrastructure to support it, set up a development environment and a continuous deployment pipeline that will serve you as you work on your next applications.

• Start with containers and Kubernetes from the ground up: no special experience is needed to learn the subject.
• Run your own cluster or choose a managed Kubernetes service from Amazon, Google and others.
• Optimize clusters for cost, performance, resilience, capacity and scalability. Learn the best tools for developing, testing and deploying your applications.
• Apply current industry practices to ensure security and control.
• Adopt DevOps principles in your company so that development teams can work flexibly, quickly and efficiently.

Who is the book for?

The book is best suited for staff of operations departments responsible for servers, applications and services, and for developers involved in building new cloud services or migrating existing applications to Kubernetes and the cloud. Don't worry, you don't need to know how to work with Kubernetes or containers; we will teach you everything.

Experienced Kubernetes users will also find much of value, with in-depth coverage of topics such as RBAC, continuous deployment, secrets management and observability. We hope the pages of the book contain something interesting for you, regardless of your skills and experience.

What questions does the book answer?

While planning and writing the book, we discussed cloud technology and Kubernetes with hundreds of people, talking to industry leaders and experts as well as complete novices. Below is a selection of the questions they wanted to see answered in this publication.

  • "I'm interested in why you should spend time on this technology. What problems will it help me and my team solve?"
  • "Kubernetes seems interesting, but it has a high barrier to entry. Setting up a simple example is not hard, but ongoing management and debugging is daunting. We would like solid advice on how people manage Kubernetes clusters in the real world and what problems we might encounter."
  • "Opinionated advice would help. The Kubernetes ecosystem gives new teams too many options to choose from. When there are many ways to do the same thing, how do you know which one is best? How do you choose?"

And perhaps the most important question of all:

  • "How do I use Kubernetes without bringing my company down?"

Excerpt. Configuration and Secret objects

The ability to separate the logic of a Kubernetes application from its configuration (that is, from any values or settings that may change over time) is very useful. Configuration values usually include environment-specific settings, addresses of third-party services, and credentials.

Of course, all of this could be placed directly in the code, but that approach is not flexible. For example, changing a configuration value would require rebuilding and redeploying your code. A much better solution is to separate the configuration from the code and read it from a file or from environment variables.

Kubernetes provides several ways to manage configuration. First, you can pass values to the application through environment variables specified in the pod specification (see "Environment Variables" on page 192). Second, configuration data can be stored directly in Kubernetes using ConfigMap and Secret objects.

In this chapter we examine these objects in detail and look at some practical ways to manage configuration and sensitive data using the demo application.

Updating pods when the configuration changes

Suppose you have a Deployment in your cluster and you want to change some values in its ConfigMap. If you use a Helm chart (see "Helm: A Package Manager for Kubernetes" on page 102), you can detect the configuration change automatically and reload your pods with one neat trick. Add the following annotation to your Deployment specification:

checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}

The Deployment template now contains a checksum of the configuration parameters: if the parameters change, the checksum is updated. When you run helm upgrade, Helm will detect that the Deployment specification has changed and will restart all the pods.

Sensitive data in Kubernetes

We already know that the ConfigMap object provides a flexible mechanism for storing and accessing configuration data in a cluster. However, most applications also have sensitive, confidential data such as passwords or API keys. This data could also be stored in a ConfigMap, but that solution is not ideal.

Instead, Kubernetes provides a special object type designed to store sensitive data: the Secret. Next, let's look at an example of how this object can be used in our demo application.

To start, look at the Kubernetes manifest for the Secret object (see hello-secret-env/k8s/secret.yaml):
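To make the checksum/config trick concrete, here is an added shell example (not from the book or the demo repository) that reproduces the mechanism outside Helm: it hashes a constructed ConfigMap manifest with SHA-256, as Helm's sha256sum template function does, and shows that any change to the configuration yields a different annotation value and therefore a changed pod template. The ConfigMap contents and the greeting key are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the book: reproduce the checksum/config mechanism
# outside Helm. Helm renders configmap.yaml, hashes it with sha256sum and
# writes the digest into the pod template; a new digest means a new pod
# template, which is what makes the Deployment roll out new pods.

# Hex SHA-256 of stdin; uses sha256sum (coreutils) or shasum (macOS).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
        cut -d' ' -f1
}

# Constructed ConfigMap manifest (stands in for the rendered configmap.yaml).
# $1 is the value of the assumed "greeting" key.
render_configmap() {
    printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: demo-config\n'
    printf 'data:\n  greeting: %s\n' "$1"
}

# What `include ... configmap.yaml | sha256sum` evaluates to for that config.
config_checksum() {
    render_configmap "$1" | sha256_hex
}

# The annotation line as it would appear in the rendered pod template.
checksum_annotation() {
    printf 'checksum/config: %s\n' "$(config_checksum "$1")"
}

# Succeeds when moving from config value $1 to $2 changes the pod template,
# i.e. when `helm upgrade` would restart the pods.
would_roll_out() {
    [ "$(config_checksum "$1")" != "$(config_checksum "$2")" ]
}

# Stand-alone demonstration: two different greetings, two different digests.
checksum_annotation "Hello, world"
checksum_annotation "Hello, Kubernetes"
```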

apiVersion: v1
kind: Secret
metadata:
    name: demo-secret
stringData:
    magicWord: xyzzy

In this example, the secret key magicWord has the value xyzzy (en.wikipedia.org/wiki/Xyzzy_(computing)). The word xyzzy is surprisingly useful in the computing world. As with a ConfigMap, you can store several keys and values in a Secret object. Here, for simplicity, we use only one key-value pair.

Using Secrets as environment variables

Like a ConfigMap, a Secret object can be made available in a container as environment variables or as a file on its disk. In the following example, we set an environment variable to a value taken from the Secret:

spec:
  containers:
    - name: demo
      image: cloudnatived/demo:hello-secret-env
      ports:
        - containerPort: 8888
      env:
        - name: GREETING
          valueFrom:
            secretKeyRef:
              name: demo-secret
              key: magicWord

Run the following command in the demo repository to apply the manifests:

kubectl apply -f hello-secret-env/k8s/
deployment.extensions "demo" configured
secret "demo-secret" created

As before, forward a port to the Deployment to see the result in your browser:

kubectl port-forward deploy/demo 9999:8888
Forwarding from 127.0.0.1:9999 -> 8888
Forwarding from [::1]:9999 -> 8888

When you open the address localhost:9999/ you should see the following:

The magic word is "xyzzy"

Writing Secrets to files

In this example we will mount the contents of the Secret in the container as a file. The code is in the hello-secret-file folder of the demo repository.

To mount the Secret as a file, we will use the following Deployment:

spec:
  containers:
    - name: demo
      image: cloudnatived/demo:hello-secret-file
      ports:
        - containerPort: 8888
      volumeMounts:
        - name: demo-secret-volume
          mountPath: "/secrets/"
          readOnly: true
  volumes:
    - name: demo-secret-volume
      secret:
        secretName: demo-secret

As in the subsection "Creating configuration files from ConfigMap objects" on p. 240, we create a volume (in this case demo-secret-volume) and mount it into the container in the volumeMounts section of the specification. The mountPath field is /secrets, so Kubernetes will create one file in that folder for each key/value pair defined in the Secret object.

In our example we defined only one key-value pair, called magicWord, so the manifest will create a single read-only file, /secrets/magicWord, containing the sensitive data inside the container.

If you apply this manifest in the same way as in the previous example, you should get the same result:

The magic word is "xyzzy"

Reading Secrets

In the previous section we used kubectl describe to show the contents of a ConfigMap. Can the same be done with a Secret?

kubectl describe secret/demo-secret
Name:         demo-secret
Namespace:    default
Labels:       <none>
Annotations:
Type:         Opaque

Data
====
magicWord:  5 bytes

Note that the data itself is not shown. Secret objects in Kubernetes are of type Opaque, which means their contents are not displayed in kubectl describe output, log entries or the terminal, so sensitive data cannot be revealed by accident.

To see the encoded YAML version of the data, use the kubectl get command:

kubectl get secret/demo-secret -o yaml
apiVersion: v1
data:
   magicWord: eHl6enk=
kind: Secret
metadata:
...
type: Opaque

base64

What is eHl6enk=, and why does it differ from our original value? It is in fact the Secret's value, represented in base64 encoding. Base64 is a scheme for encoding arbitrary binary data as a string of printable characters.

Because sensitive data may be binary and not printable (as is the case with TLS encryption keys), Secret objects are always stored in base64 form.

The text eHl6enk= is the base64-encoded form of our secret word xyzzy. You can verify this by running the base64 --decode command in the terminal:

echo "eHl6enk=" | base64 --decode
xyzzy

So while Kubernetes protects you from accidentally printing sensitive data to the terminal or to log files, anyone with read permission on Secret objects in a particular namespace can retrieve the base64 data and then decode it.

If you need to base64-encode some text (for example, to place it in a Secret), use the base64 command without arguments:

echo xyzzy | base64
eHl6enkK
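As an added shell example (not from the book), here is how a practitioner handles the base64 form of Secret data in practice: it encodes a value without the trailing newline that echo adds (which is why echo xyzzy | base64 above yields eHl6enkK rather than eHl6enk=), extracts a key from a constructed copy of the kubectl get secret -o yaml output shown earlier and decodes it, and checks an encoded value for that stray newline. The YAML text is a constructed sample and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: handling Secret values in base64.
# Constructed copy of the `kubectl get secret/demo-secret -o yaml` output.
SECRET_YAML='apiVersion: v1
data:
  magicWord: eHl6enk=
kind: Secret
metadata:
  name: demo-secret
  namespace: default
type: Opaque'

# Encode a value for a Secret's data field. printf '%s' emits no trailing
# newline; `echo xyzzy | base64` encodes "xyzzy\n" and gives eHl6enkK,
# which would put a newline into the Secret and break password comparisons.
encode_secret_value() {
    printf '%s' "$1" | base64
}

# Decode one key from the data section; fails if the key is absent.
# Anyone allowed to `kubectl get secret` can do exactly this, so RBAC on
# Secret objects is what protects the value, not the encoding.
decode_secret_key() {
    encoded=$(printf '%s\n' "$SECRET_YAML" | awk -v k="$1:" '$1 == k { print $2 }')
    [ -n "$encoded" ] || return 1
    printf '%s' "$encoded" | base64 --decode
}

# Succeeds (exit 0) when an encoded value decodes to something ending in a
# newline, the usual symptom of a Secret built with echo instead of printf.
has_trailing_newline() {
    last=$(printf '%s' "$1" | base64 --decode | tail -c 1 | od -An -tx1 | tr -d ' ')
    [ "$last" = "0a" ]
}

# Stand-alone demonstration.
printf '%s\n' "$(encode_secret_value xyzzy)"    # eHl6enk=
printf '%s\n' "$(decode_secret_key magicWord)"  # xyzzy
has_trailing_newline eHl6enkK && echo "eHl6enkK decodes to a value ending in a newline"
```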

Access to Secrets

Who can read and modify Secret objects? This is determined by RBAC, the access control mechanism (we discuss it in detail in the subsection "Introduction to Role-Based Access Control" on page 258). If you run a cluster that has no RBAC or where it is not enabled, all your secrets are available to every user and every container (we explain later that you should not run a production cluster without RBAC).

Encrypting secrets at rest

What about those who have access to the etcd database where Kubernetes stores all its data? Can they read sensitive data without having permission to read Secret objects through the API?

Since version 1.7, Kubernetes supports encryption of secrets at rest. This means that sensitive data is stored encrypted on disk in etcd, and those with direct access to the database cannot read it. To decrypt it, you need a key that only the Kubernetes API server has. In a properly configured cluster, encryption at rest should be enabled.

You can check whether encryption at rest is enabled in your cluster like this:

kubectl describe pod -n kube-system -l component=kube-apiserver |grep encryption
        --experimental-encryption-provider-config=...

If you do not see the experimental-encryption-provider-config flag, encryption at rest is not enabled. When using Google Kubernetes Engine or other managed Kubernetes services, your data is encrypted using a different mechanism, so the flag will not be present. Check with your Kubernetes provider to find out whether the contents of etcd are encrypted.

Keeping Secrets

There are some Kubernetes resources that should never be removed from the cluster, such as particularly important Secret objects. You can protect a resource from deletion using an annotation provided by the Helm package manager:

kind: Secret
metadata:
    annotations:
        "helm.sh/resource-policy": keep

Secrets management strategies

In the example from the previous section, sensitive data was protected from unauthorized access as soon as it was stored in the cluster. But in the manifest files it was stored as plain text.

Never put sensitive data in files under version control. How, then, can you manage and store this data securely before applying it to the Kubernetes cluster?

You can choose any tool or strategy for managing sensitive data in your applications, but you still need to answer at least the following questions.

  • Where should sensitive data be stored so that it is highly available?
  • How do you make sensitive data available to your running applications?
  • What should happen to your applications when you change or rotate sensitive data?

About the authors

John Arundel is a consultant with 30 years of experience in the computer industry. He has written several books and works with many companies from different countries, advising them on cloud and Kubernetes matters. In his free time he enjoys surfing, is an accomplished pistol shooter, and plays the piano as an amateur. He lives in a fairytale cottage in Cornwall, England.

Justin Domingus is a systems administration engineer working in a DevOps environment with Kubernetes and cloud technology. He enjoys spending time outdoors, drinking coffee, crabbing, and sitting at the computer. He lives in Seattle, Washington, with a wonderful cat and an amazing wife and best friend, Adrienne.

» More information about the book is available on the publisher's website
» Table of contents
» Excerpt

25% discount for Habr readers with the coupon code: Kubernetes

After paying for the paper version of the book, the e-book will be sent by e-mail.

source: www.habr.com
