An shirya fassarar labarin a jajibirin fara karatun .
Idan kuna karanta wannan, tabbas kun ji wani abu game da Kubernetes (kuma idan ba haka ba, ta yaya kuka ƙare anan?) Amma menene ainihin Kubernetes? Wannan ? Ko ? Menene ma'anar wannan?
A gaskiya ban tabbata 100% ba. Amma ina tsammanin yana da ban sha'awa don tono cikin abubuwan ciki kuma ku ga ainihin abin da ke faruwa a Kubernetes a ƙarƙashin yawancin yadudduka na abstractions. Don haka kawai don jin daɗi, bari mu kalli yadda ƙaramin “Kubernetes cluster” yake a zahiri. (Wannan zai fi sauƙi fiye da .)
Ina tsammanin kuna da ainihin ilimin Kubernetes, Linux, da kwantena. Duk abin da muke magana game da shi a nan don dalilai ne na bincike/ilimi kawai, kar a saka ko ɗaya cikin samarwa!
Siffar
Kubernetes ya ƙunshi abubuwa da yawa. Bisa lafazin , tsarin gine-gine yayi kama da haka:
Akwai aƙalla sassa takwas da aka nuna anan, amma za mu yi watsi da yawancin su. Ina so in bayyana cewa mafi ƙarancin abin da za a iya kiran shi da kyau Kubernetes ya ƙunshi manyan abubuwa uku:
- cubelet
- kube-apiserver (wanda ya dogara da etcd - bayanan sa)
- kwantena runtime (Docker a cikin wannan yanayin)
Bari mu ga abin da takaddun ke faɗi game da kowannensu (., .). Da farko cubelet:
Wakili mai gudana akan kowane kumburi a cikin tari. Yana tabbatar da cewa kwantena suna gudana a cikin kwasfa.
Sauti mai sauƙi isa. Me game da kwantena runtimes (kwantena runtime)?
Lokacin aikin kwantena shiri ne da aka ƙera don gudanar da kwantena.
Mai ba da labari sosai. Amma idan kun saba da Docker, to yakamata ku sami cikakkiyar masaniyar abin da yake yi. (Bayani dalla-dalla game da rabuwar alhakin tsakanin lokacin aikin kwantena da kubelet hakika suna da dabara sosai kuma ba zan shiga cikin su anan ba.)
И API ɗin uwar garken?
API ɗin uwar garken shine bangaren kula da Kubernetes wanda ke fallasa Kubernetes API. Sabar API ita ce gefen abokin ciniki na kwamitin kula da Kubernetes
Duk wanda ya taɓa yin wani abu tare da Kubernetes dole ne ya yi hulɗa tare da API ko dai kai tsaye ko ta hanyar kubectl. Wannan ita ce zuciyar abin da ke sa Kubernetes Kubernetes - kwakwalwar da ke juya tsaunukan YAML duk mun sani da ƙauna (?) zuwa kayan aikin aiki. Da alama a bayyane yake cewa API ɗin ya kamata ya kasance a cikin ƙaramin tsari na mu.
Sharuɗɗa
- Linux kama-da-wane ko na'ura ta zahiri tare da samun tushen tushen (Ina amfani da Ubuntu 18.04 akan injin kama-da-wane).
- Kuma duka!
M shigarwa
Muna buƙatar shigar da Docker akan injin da za mu yi amfani da shi. (Ba zan yi cikakken bayani game da yadda Docker da kwantena ke aiki ba; idan kuna sha'awar, akwai ). Bari mu kawai shigar da shi da apt:
$ sudo apt install docker.io
$ sudo systemctl start docker
Bayan haka, muna buƙatar samun Kubernetes binaries. A zahiri, don ƙaddamar da farkon “gungu” ɗinmu kawai muke buƙata kubelet, tunda don gudanar da sauran abubuwan haɗin uwar garken za mu iya amfani da su kubelet. Don yin hulɗa tare da gunkin mu bayan yana gudana, za mu kuma yi amfani da shi kubectl.
$ curl -L https://dl.k8s.io/v1.18.5/kubernetes-server-linux-amd64.tar.gz > server.tar.gz
$ tar xzvf server.tar.gz
$ cp kubernetes/server/bin/kubelet .
$ cp kubernetes/server/bin/kubectl .
$ ./kubelet --version
Kubernetes v1.18.5
Me zai faru idan muka gudu kawai kubelet?
$ ./kubelet
F0609 04:03:29.105194 4583 server.go:254] mkdir /var/lib/kubelet: permission denied
kubelet dole ne a gudu a matsayin tushen. Yana da ma'ana sosai, tun da yake yana buƙatar sarrafa duka kumburi. Bari mu kalli sigoginsa:
$ ./kubelet -h
<слишком много строк, чтобы разместить здесь>
$ ./kubelet -h | wc -l
284Kai, da yawa zažužžukan! Sa'ar al'amarin shine, muna buƙatar kawai kamar biyu daga cikinsu. Ga ɗaya daga cikin sigogin da muke sha'awar:
--pod-manifest-path stringHanyar zuwa kundin adireshi mai ƙunshe da fayiloli don madaidaitan kwasfan fayiloli, ko hanyar zuwa fayil ɗin da ke kwatanta kwasfan fayiloli. Fayilolin da ke farawa da dige-dige ana watsi da su. (DEPRECATED: Dole ne a saita wannan zaɓi a cikin fayil ɗin sanyi da aka wuce zuwa Kubelet ta zaɓi --config. Don ƙarin bayani, duba .)
Wannan zaɓi yana ba mu damar gudu - kwas ɗin da ba a sarrafa su ta Kubernetes API. Ba a cika yin amfani da kwas ɗin tsaye ba, amma sun dace sosai don haɓaka gungu da sauri, kuma wannan shine ainihin abin da muke buƙata. Za mu yi watsi da wannan babban gargaɗin (sake, kar a gudanar da wannan a cikin samarwa!) Mu ga ko za mu iya samun kwaf ɗin yana gudana.
Da farko za mu ƙirƙiri kundin adireshi don madaidaitan kwas ɗin da gudu kubelet:
$ mkdir pods
$ sudo ./kubelet --pod-manifest-path=podsSa'an nan, a cikin wani m / tmux taga / komai, za mu ƙirƙiri wani kwafsa bayyananne:
$ cat <<EOF > pods/hello.yaml
apiVersion: v1
kind: Pod
metadata:
name: hello
spec:
containers:
- image: busybox
name: hello
command: ["echo", "hello world!"]
EOF
kubelet ya fara rubuta wasu gargadi kuma da alama babu abin da ke faruwa. Amma wannan ba gaskiya ba ne! Bari mu dubi Docker:
$ sudo docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8c8a35e26663 busybox "echo 'hello world!'" 36 seconds ago Exited (0) 36 seconds ago k8s_hello_hello-mink8s_default_ab61ef0307c6e0dee2ab05dc1ff94812_4
68f670c3c85f k8s.gcr.io/pause:3.2 "/pause" 2 minutes ago Up 2 minutes k8s_POD_hello-mink8s_default_ab61ef0307c6e0dee2ab05dc1ff94812_0
$ sudo docker logs k8s_hello_hello-mink8s_default_ab61ef0307c6e0dee2ab05dc1ff94812_4
hello world!
kubelet Na karanta bayanan kwas ɗin kuma na ba Docker umarnin ƙaddamar da kwantena biyu bisa ga ƙayyadaddun mu. (Idan kuna mamakin akwati "dakata", hack Kubernetes ne - duba .) Kubelet zai kaddamar da kwantena busybox tare da ƙayyadadden umarnin kuma zai sake kunna shi har abada har sai an share kwas ɗin tsaye.
Ka taya kan ka murna. Mun zo da ɗaya daga cikin mafi ruɗar hanyoyi don fitar da rubutu zuwa tasha!
Kaddamar da dai sauransu
Babban burinmu shine gudanar da Kubernetes API, amma don yin hakan muna buƙatar fara gudu . Bari mu fara ƙaramin gungu na etcd ta hanyar sanya saitunan sa a cikin kundin adireshi (misali, pods/etcd.yaml):
apiVersion: v1
kind: Pod
metadata:
name: etcd
namespace: kube-system
spec:
containers:
- name: etcd
command:
- etcd
- --data-dir=/var/lib/etcd
image: k8s.gcr.io/etcd:3.4.3-0
volumeMounts:
- mountPath: /var/lib/etcd
name: etcd-data
hostNetwork: true
volumes:
- hostPath:
path: /var/lib/etcd
type: DirectoryOrCreate
name: etcd-dataIdan kun taɓa yin aiki tare da Kubernetes, waɗannan fayilolin YAML yakamata ku saba da ku. Akwai maki biyu kacal da ya kamata a lura da su anan:
Mun dora babban fayil ɗin mai masaukin baki /var/lib/etcd a cikin kwasfa don adana bayanan etcd bayan sake kunnawa (idan ba a yi haka ba, za a goge jihar tari duk lokacin da aka sake kunna kwaf ɗin, wanda ba zai yi kyau ba don ko da ƙaramin shigar Kubernetes).
Mun shigar hostNetwork: true. Wannan saitin, ba abin mamaki ba, yana daidaitawa da dai sauransu don amfani da cibiyar sadarwar mai masaukin baki maimakon cibiyar sadarwa ta ciki (wannan zai sauƙaƙa wa uwar garken API don nemo gungu da sauransu).
Duba mai sauƙi yana nuna cewa da gaske etcd yana gudana akan localhost kuma yana adana bayanai zuwa diski:
$ curl localhost:2379/version
{"etcdserver":"3.4.3","etcdcluster":"3.4.0"}
$ sudo tree /var/lib/etcd/
/var/lib/etcd/
└── member
├── snap
│ └── db
└── wal
├── 0.tmp
└── 0000000000000000-0000000000000000.walFara uwar garken API
Gudanar da uwar garken API na Kubernetes ya fi sauƙi. Iyakar abin da ake buƙatar wucewa shine --etcd-servers, yayi abin da kuke tsammani:
apiVersion: v1
kind: Pod
metadata:
name: kube-apiserver
namespace: kube-system
spec:
containers:
- name: kube-apiserver
command:
- kube-apiserver
- --etcd-servers=http://127.0.0.1:2379
image: k8s.gcr.io/kube-apiserver:v1.18.5
hostNetwork: true
Sanya wannan fayil ɗin YAML a cikin kundin adireshi pods, kuma uwar garken API zata fara. Dubawa da curl yana nuna cewa Kubernetes API yana sauraron tashar jiragen ruwa 8080 tare da buɗewa gabaɗaya - ba a buƙatar tabbaci!
$ curl localhost:8080/healthz
ok
$ curl localhost:8080/api/v1/pods
{
"kind": "PodList",
"apiVersion": "v1",
"metadata": {
"selfLink": "/api/v1/pods",
"resourceVersion": "59"
},
"items": []
}(Har ila yau, kada ku gudanar da wannan a cikin samarwa! Na ɗan yi mamakin cewa saitunan tsoho ba su da tsaro. Amma ina tsammanin wannan shine don sauƙaƙe ci gaba da gwaji.)
Kuma, abin mamaki mai daɗi, kubectl yana aiki daga cikin akwatin ba tare da ƙarin saitunan ba!
$ ./kubectl version
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.5", GitCommit:"e6503f8d8f769ace2f338794c914a96fc335df0f", GitTreeState:"clean", BuildDate:"2020-06-26T03:47:41Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.5", GitCommit:"e6503f8d8f769ace2f338794c914a96fc335df0f", GitTreeState:"clean", BuildDate:"2020-06-26T03:39:24Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
$ ./kubectl get pod
No resources found in default namespace.matsala
Amma idan ka zurfafa zurfafa, da alama wani abu yana faruwa ba daidai ba:
$ ./kubectl get pod -n kube-system
No resources found in kube-system namespace.Matsalolin da muka kirkira sun tafi! A zahiri, ba a gano kumburin kubelet ɗinmu kwata-kwata:
$ ./kubectl get nodes
No resources found in default namespace.Akwai matsala? Idan kun tuna 'yan sakin layi da suka gabata, mun fara kubelet tare da saiti mai sauƙi na sigogin layin umarni, don haka kubelet bai san yadda ake tuntuɓar uwar garken API ba kuma ya sanar da shi halinsa. Bayan nazarin takardun, mun sami tutar da ta dace:
--kubeconfig string
Hanyar zuwa fayil kubeconfig, wanda ke ƙayyade yadda ake haɗawa da uwar garken API. samuwa --kubeconfig yana ba da damar yanayin uwar garken API, a'a --kubeconfig yana ba da damar yanayin layi.
Duk wannan lokacin, ba tare da saninsa ba, muna gudanar da kubelet a cikin "yanayin layi." (Idan mun kasance masu motsa jiki, za mu iya tunanin kubelet na tsaye a matsayin "Kubernetes mafi ƙarancin aiki", amma hakan zai zama mai ban sha'awa). Don yin aikin daidaitawar "ainihin", muna buƙatar wuce fayil ɗin kubeconfig zuwa kubelet don ya san yadda ake magana da sabar API. An yi sa'a yana da sauƙi (tun da ba mu da wani tabbaci ko takaddun shaida):
apiVersion: v1
kind: Config
clusters:
- cluster:
server: http://127.0.0.1:8080
name: mink8s
contexts:
- context:
cluster: mink8s
name: mink8s
current-context: mink8s
Ajiye wannan azaman kubeconfig.yaml, kashe tsari kubelet kuma zata sake farawa tare da ma'auni masu mahimmanci:
$ sudo ./kubelet --pod-manifest-path=pods --kubeconfig=kubeconfig.yaml(Af, idan kun yi ƙoƙarin samun damar API ta hanyar curl lokacin da kubelet ba ya gudana, za ku ga cewa har yanzu yana gudana! Kubelet ba "iyaye" ba ne na kwas ɗinsa kamar Docker, ya fi kama da" sarrafawa. daemon." Kwantena da kubelet ke sarrafawa za su ci gaba da gudana har sai kubelet ya dakatar da su.)
A cikin 'yan mintuna kaɗan kubectl ya kamata ya nuna mana kwasfa da nodes kamar yadda muke tsammani:
$ ./kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
default hello-mink8s 0/1 CrashLoopBackOff 261 21h
kube-system etcd-mink8s 1/1 Running 0 21h
kube-system kube-apiserver-mink8s 1/1 Running 0 21h
$ ./kubectl get nodes -owide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
mink8s Ready <none> 21h v1.18.5 10.70.10.228 <none> Ubuntu 18.04.4 LTS 4.15.0-109-generic docker://19.3.6Da gaske mu taya kanmu murna a wannan karon (Na san na riga na taya kanmu murna) - muna da ƙaramin “gungu” Kubernetes wanda ke gudana tare da cikakken aiki API!
Mun kaddamar a karkashin
Yanzu bari mu ga abin da API ke iyawa. Bari mu fara da nginx pod:
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- image: nginx
name: nginxAnan mun sami kuskure mai ban sha'awa:
$ ./kubectl apply -f nginx.yaml
Error from server (Forbidden): error when creating "nginx.yaml": pods "nginx" is
forbidden: error looking up service account default/default: serviceaccount
"default" not found
$ ./kubectl get serviceaccounts
No resources found in default namespace.Anan mun ga yadda yanayin Kubernetes ya gaza cikawa - ba mu da asusu don ayyuka. Bari mu sake gwadawa ta hanyar ƙirƙirar asusun sabis da hannu mu ga abin da zai faru:
$ cat <<EOS | ./kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: default
EOS
serviceaccount/default created
$ ./kubectl apply -f nginx.yaml
Error from server (ServerTimeout): error when creating "nginx.yaml": No API
token found for service account "default", retry after the token is
automatically created and added to the service accountKo da lokacin da muka ƙirƙiri asusun sabis da hannu, ba a samar da alamar tabbatarwa ba. Yayin da muke ci gaba da gwaji tare da ƙaramin “gungu” ɗinmu, za mu ga cewa yawancin abubuwa masu amfani waɗanda yawanci ke faruwa kai tsaye za su ɓace. Sabar Kubernetes API ɗin ba ta da ƙaranci, tare da yawancin ɗagawa mai nauyi da daidaitawa ta atomatik da ke faruwa a cikin masu sarrafawa daban-daban da ayyukan baya waɗanda ba su gudana ba tukuna.
Za mu iya magance wannan matsala ta hanyar saita zaɓi automountServiceAccountToken don asusun sabis (tunda ba za mu yi amfani da shi ba):
$ cat <<EOS | ./kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: default
automountServiceAccountToken: false
EOS
serviceaccount/default configured
$ ./kubectl apply -f nginx.yaml
pod/nginx created
$ ./kubectl get pods
NAME READY STATUS RESTARTS AGE
nginx 0/1 Pending 0 13mA ƙarshe, kwas ɗin ya bayyana! Amma a gaskiya ba za a fara ba saboda ba mu da shi (mai tsarawa) wani muhimmin bangaren Kubernetes ne. Bugu da ƙari, mun ga cewa Kubernetes API yana da mamaki "bebe" - lokacin da kuka ƙirƙiri Pod a cikin API, yana yin rajistar shi, amma ba ya ƙoƙarin gano abin da kumburi zai kunna shi.
A gaskiya ma, ba kwa buƙatar mai tsarawa don gudanar da kwasfa. Za ka iya ƙara kumburi da hannu zuwa bayyani a cikin siga nodeName:
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- image: nginx
name: nginx
nodeName: mink8s
(Maye gurbin mink8s zuwa sunan node.) Bayan sharewa da amfani, mun ga cewa nginx ya fara kuma yana sauraron adireshin IP na ciki:
$ ./kubectl delete pod nginx
pod "nginx" deleted
$ ./kubectl apply -f nginx.yaml
pod/nginx created
$ ./kubectl get pods -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx 1/1 Running 0 30s 172.17.0.2 mink8s <none> <none>
$ curl -s 172.17.0.2 | head -4
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>Don tabbatar da cewa hanyar sadarwa tsakanin kwas ɗin tana aiki daidai, za mu iya tafiyar da curl daga wani kwafsa:
$ cat <<EOS | ./kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
name: curl
spec:
containers:
- image: curlimages/curl
name: curl
command: ["curl", "172.17.0.2"]
nodeName: mink8s
EOS
pod/curl created
$ ./kubectl logs curl | head -6
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>Yana da ban sha'awa sosai don tono cikin wannan mahallin don ganin abin da ke aiki da abin da ba ya aiki. Na gano cewa ConfigMap da Asiri suna aiki kamar yadda aka zata, amma Sabis da Aiwatarwa ba sa.
Nasara!
Wannan sakon yana da tsawo, don haka zan bayyana nasara kuma in ce wannan tsari ne mai dacewa wanda za a iya kira "Kubernetes" don taƙaitawa: binary hudu, sigogi biyar na umarni da kuma "kawai" 45 Lines na YAML (ba. da yawa ta ma'auni Kubernetes) kuma muna da abubuwa kaɗan da ke aiki:
- Ana sarrafa kwas ɗin ta amfani da Kubernetes API na yau da kullun (tare da ƴan hacks)
- Kuna iya loda ku sarrafa hotunan gandun jama'a
- Pods suna raye kuma suna sake farawa ta atomatik
- Sadarwar tsakanin kwas ɗin da ke cikin kumburi ɗaya yana aiki sosai
- ConfigMap, Asirin da aikin hawan ajiya mai sauƙi kamar yadda aka zata
Amma yawancin abin da ke sa Kubernetes da gaske yana da amfani har yanzu yana ɓacewa, kamar:
- Jadawalin Pod
- Tabbatarwa / izini
- Nodes masu yawa
- Cibiyar sadarwa na ayyuka
- DNS na ciki mai tari
- Masu kula da asusun sabis, turawa, haɗin kai tare da masu samar da girgije da mafi yawan sauran kyawawan abubuwan da Kubernetes ke kawowa.
To me muka samu a zahiri? API ɗin Kubernetes, yana gudana da kansa, da gaske kawai dandamali ne don kwantena sarrafa kansa. Ba ya yin yawa - aiki ne don masu sarrafawa da masu aiki daban-daban ta amfani da API - amma yana ba da daidaiton yanayi don sarrafa kansa.
Kara karantawa:
source: www.habr.com