Kubernetes 1.14: bayyani na manyan sabbin abubuwa

Wannan daren zai faru saki na gaba na Kubernetes - 1.14. Bisa ga al'adar da ta samo asali don shafin yanar gizon mu, muna magana ne game da manyan canje-canje a cikin sabon sigar wannan samfurin Buɗe Tushen.

An samo bayanan da aka yi amfani da su don shirya wannan kayan Kubernetes kayan haɓɓaka aikin bin tebur, CHANJI-1.14 da batutuwa masu alaƙa, buƙatun ja, Kubernetes Haɓaka Shawarwari (KEP).

Bari mu fara da muhimmin gabatarwa daga SIG cluster-lifecycle: dynamic failover gungu Kubernetes (ko don zama madaidaici, jigilar HA mai ɗaukar nauyi) yanzu za a iya halitta ta yin amfani da saba (a cikin mahallin gungu na kumburi guda ɗaya) umarni kubeadm (init и join). A takaice, ga wannan:

• takaddun shaida da gungun ke amfani da su ana canja su zuwa ga sirri;
• don yuwuwar yin amfani da gungu na etcd a cikin gungu na K8s (watau kawar da dogaro na waje a baya) etcd-mai aiki;
• Rubuce-rubucen saitunan da aka ba da shawarar don ma'aunin nauyi na waje wanda ke ba da tsari mai jure rashin kuskure (a nan gaba an shirya shi don kawar da wannan dogaro, amma ba a wannan matakin ba).

Gine-gine na gungu na Kubernetes HA wanda aka ƙirƙira tare da kubeadm

Ana iya samun cikakkun bayanai game da aiwatarwa a ciki zane tsari. Wannan fasalin da gaske an daɗe ana jira: sigar alpha ana tsammanin dawowa cikin K8s 1.9, amma kawai ya bayyana yanzu.

API

tawagar apply kuma gabaɗaya magana sarrafa abu na shela wuce daga kubectl a cikin apiserver. Masu haɓakawa da kansu sun yi bayani a taƙaice yanke shawararsu ta hanyar cewa kubectl apply - wani muhimmin ɓangare na aiki tare da jeri a Kubernetes, duk da haka, "yana cike da kwari kuma yana da wuya a gyarawa," sabili da haka wannan aikin yana buƙatar dawo da shi zuwa al'ada kuma a canza shi zuwa jirgin sama mai sarrafawa. Misalai masu sauƙi da bayyanannu na matsalolin da ke wanzu a yau:

Cikakken bayani game da aiwatarwa yana cikin CAP. Shirye-shiryen na yanzu shine alpha (an shirya gabatarwa zuwa beta don sakin Kubernetes na gaba).

Ya samuwa a cikin sigar alpha damar amfani da tsarin OpenAPI v3 don ƙirƙira da buga takaddun Buɗaɗɗen API don Abubuwan Abubuwan Custom (CR) da aka yi amfani da shi don inganta (bangaren uwar garken) K8s albarkatun da aka ayyana (CustomResourceDefinition, CRD). Buga OpenAPI don CRD yana ba abokan ciniki damar (misali. kubectl) yi inganci a gefen ku (cikin kubectl create и kubectl applyda kuma bayar da takardu bisa ga tsarin (kubectl explain). Cikakkun bayanai - a CAP.

Ginshigin da aka rigaya yanzu suna budewa da tuta O_APPEND (amma ba O_TRUNC) don guje wa asarar gungumen azaba a wasu yanayi kuma don dacewa da yanke katako tare da kayan aiki na waje don juyawa.

Hakanan a cikin mahallin Kubernetes API, ana iya lura cewa a cikin PodSandbox и PodSandboxStatus kara da cewa filin runtime_handler don yin rikodin bayanai game da RuntimeClass a cikin kwasfa (karanta ƙarin game da shi a cikin rubutu game da Kubernetes 1.12 saki, inda wannan ajin ya bayyana azaman sigar alpha), kuma a cikin Admission Webhooks aiwatar ikon sanin ko wane iri ne AdmissionReview suna goyon baya. A ƙarshe, dokokin shiga Webhooks suna yanzu za a iya iyakance iyakar amfani da su ta wuraren sunaye da tsarin gungu.

Kaji

PersistentLocalVolumes, wanda ke da matsayin beta tun lokacin da aka saki K8s 1.10, sanar barga (GA): wannan ƙofar fasalin ba ta daina aiki kuma za a cire shi a cikin Kubernetes 1.17.

Dama ta amfani da masu canjin yanayi da ake kira API ɗin ƙasa (misali, sunan kwas ɗin) don sunayen kundayen adireshi da aka ɗora a matsayin subPath, an haɓaka - ta hanyar sabon filin subPathExpr, wanda yanzu ake amfani dashi don tantance sunan directory da ake so. Siffar ta fara bayyana a cikin Kubernetes 1.11, amma don 1.14 ya kasance a matsayin sigar alpha.

Kamar yadda yake tare da sakin Kubernetes na baya, ana gabatar da manyan canje-canje masu yawa don haɓaka CSI (Ingantacciyar Ma'ajiya ta Kwantena):

CSI

Ya zama samuwa (a matsayin ɓangare na sigar alpha) goyon baya Resizing don kundin CSI. Don amfani da shi kuna buƙatar kunna fasalin ƙofar da ake kira ExpandCSIVolumes, da kuma samun tallafi don wannan aiki a cikin takamaiman direban CSI.

Wani fasali na CSI a cikin sigar alpha - damar koma kai tsaye (watau ba tare da amfani da PV/PVC ba) zuwa kundin CSI a cikin ƙayyadaddun kwafsa. Wannan yana cire ƙuntatawa akan amfani da CSI azaman keɓantaccen ma'ajin bayanan nesa, bude musu kofofin duniya kundin ephemeral na gida. Don amfani (misali daga takardun) dole ne a kunna CSIInlineVolume kofar fasalin.

Har ila yau, an sami ci gaba a cikin "internals" na Kubernetes da ke da alaƙa da CSI, waɗanda ba a bayyane ba ga masu amfani da ƙarshen (masu gudanar da tsarin) ... A halin yanzu, an tilasta masu haɓakawa su goyi bayan nau'i biyu na kowane kayan aikin ajiya: daya - "a cikin tsohuwar hanya", a cikin K8s codebase (in-itace), da na biyu - a matsayin wani ɓangare na sabuwar CSI. (karanta ƙarin game da shi, misali, a a nan). Wannan yana haifar da rashin jin daɗi da za a iya fahimta waɗanda ke buƙatar magance kamar yadda CSI kanta ta daidaita. Ba zai yiwu kawai a soke API na plugins na ciki (cikin itace) ba saboda manufofin Kubernetes masu dacewa.

Duk wannan ya haifar da gaskiyar cewa sigar alfa ta kai tsarin ƙaura na ciki plugin code, An aiwatar da shi azaman itace, a cikin CSI plugins, godiya ga abin da damuwa na masu haɓakawa za a rage su don tallafawa nau'in nau'in plugins ɗin su, kuma dacewa tare da tsoffin APIs za su kasance kuma ana iya bayyana su a cikin yanayin da aka saba. Ana sa ran cewa ta hanyar sakin Kubernetes na gaba (1.15) za a yi ƙaura duk plugins masu samar da girgije, aiwatarwa zai karɓi matsayin beta kuma za a kunna shi a cikin shigarwar K8s ta tsohuwa. Don cikakkun bayanai, duba zane tsari. Wannan hijira kuma ta haifar da hakan ƙi daga iyakar girman da aka ayyana ta takamaiman masu samar da girgije (AWS, Azure, GCE, Cinder).

Bugu da ƙari, tallafi don toshe na'urori tare da CSI (CSIBlockVolume) canja wuri zuwa beta version.

Nodes/Kubelet

An gabatar da sigar Alpha sabon karshen a Kubelet, wanda aka tsara don dawo da ma'auni akan mahimman albarkatu. Gabaɗaya magana, idan a baya Kubelet ya karɓi ƙididdiga akan amfani da kwantena daga cAdvisor, yanzu wannan bayanan sun fito ne daga yanayin lokacin lokacin kwantena ta hanyar CRI (Container Runtime Interface), amma ana kiyaye dacewa don aiki tare da tsofaffin nau'ikan Docker. A baya can, an aiko da kididdigar da aka tattara a Kubelet ta hanyar REST API, amma yanzu wurin ƙarshe yana a /metrics/resource/v1alpha1. Dabarar dogon lokaci na masu haɓakawa shine shine don rage girman saitin awo wanda Kubelet ya bayar. Af, waɗannan ma'auni da kansu yanzu suna waya ba "ma'auni na asali", amma "ma'aunin albarkatu", kuma an bayyana su a matsayin "albarkatun aji na farko, irin su cpu, da ƙwaƙwalwar ajiya".

Nuance mai ban sha'awa mai ban sha'awa: duk da fa'idar aikin aiki na ƙarshen gRPC idan aka kwatanta da lokuta daban-daban na amfani da tsarin Prometheus (duba sakamakon daya daga cikin alamomin da ke ƙasa), marubuta sun fi son tsarin rubutu na Prometheus saboda jagorancin jagorancin wannan tsarin kulawa a cikin al'umma.

“gRPC bai dace da manyan bututun sa ido ba. Ƙarshen Ƙarshen zai zama da amfani kawai don isar da awo zuwa Sabar Ma'auni ko abubuwan sa ido waɗanda ke haɗa kai tsaye da shi. Ayyukan tsarin rubutu na Prometheus lokacin amfani da caching a cikin Metrics Server mai kyau isa a gare mu mu fifita Prometheus akan gRPC da aka ba da taruwar Prometheus a cikin al'umma. Da zarar tsarin OpenMetrics ya zama mafi kwanciyar hankali, za mu iya kusanci aikin gRPC tare da tsarin tushen tsari."

Ɗaya daga cikin kwatancen gwaje-gwajen aiki na amfani da tsarin gRPC da Prometheus a cikin sabon ƙarshen Kubelet don ma'auni. Ana iya samun ƙarin jadawali da sauran cikakkun bayanai a ciki CAP.

Daga cikin wasu canje-canje:

• Kubelet yanzu (lokaci daya) kokarin tsayawa kwantena a cikin yanayin da ba a sani ba kafin sake farawa da share ayyukan.
• Lokacin amfani PodPresets yanzu zuwa kwandon init an kara wannan bayanin kamar na kwantena na yau da kullun.
• kubelet ya fara amfani usageNanoCores daga mai ba da kididdigar CRI, da kuma ga nodes da kwantena a cikin Windows kara da cewa kididdigar cibiyar sadarwa.
• Ana yin rikodin tsarin aiki da bayanan gine-gine a cikin lakabi kubernetes.io/os и kubernetes.io/arch Abubuwan node (an canza su daga beta zuwa GA).
• Ikon tantance takamaiman rukunin masu amfani da tsarin don kwantena a cikin kwafsa (RunAsGroup, ya bayyana a ciki K8s 1.11) ci gaba kafin beta (an kunna ta tsohuwa).
• du kuma sami amfani a cAdvisor, maye gurbinsu kan Go aiwatarwa.

CLI

A cikin cli-runtime da kubectl ya kara da cewa -k tuta don haɗin kai tare da siffanta (ta hanyar, ci gabanta yanzu ana aiwatar da shi a cikin ma'ajin daban), watau. don aiwatar da ƙarin fayilolin YAML daga kundayen adireshi na musamman (don cikakkun bayanai kan amfani da su, duba CAP):

Misalin sauƙin amfani da fayil keɓancewa (wani ƙarin hadaddun aikace-aikacen kustomize yana yiwuwa a ciki overlays)

Bugu da kari:

• Kara sabuwar kungiya kubectl create cronjob, wanda sunansa yayi magana don kansa.
• В kubectl logs yanzu zaka iya a hada tutoci -f (--follow don streaming logs) da -l (--selector don tambayar lakabin).
• kubectl koyar kwafi fayilolin da aka zaɓa ta katin daji.
• Zuwa ga tawagar kubectl wait ya kara da cewa tuta --all don zaɓar duk albarkatu a cikin sararin sunan takamaiman nau'in albarkatu.

Sauran

Abubuwan iyawa masu zuwa sun sami karɓuwa (GA) matsayi:

• ReadinessGate, wanda aka yi amfani da shi a cikin ƙayyadaddun kwas ɗin don ayyana ƙarin yanayin da aka yi la'akari da shi a cikin shirye-shiryen kwaf ɗin;
• Taimako ga manyan shafuka (kofar fasalin da ake kira HugePages);
• CustomPodDNS;
• API ɗin PriorityClass Mahimmancin Pod & Preemption.

Sauran canje-canje da aka gabatar a cikin Kubernetes 1.14:

• Tsohuwar manufar RBAC ba ta ba da damar samun damar API ba discovery и access-review masu amfani ba tare da tantancewa ba (wanda ba a tabbatar ba).
• Taimakon CoreDNS na hukuma tabbatar kawai don Linux, don haka lokacin amfani da kubeadm don tura shi (CoreDNS) a cikin wani rukuni, ya kamata nodes ɗin su gudana ne kawai Linux (ana amfani da nodeSelectors don wannan ƙuntatawa).
• Tsarin CoreDNS na asali shine yanzu amfani gaba plugin maimakon wakili. Hakanan, a cikin CoreDNS kara da cewa readinessProbe, wanda ke hana ma'aunin nauyi akan dacewa (ba a shirye don sabis ba) kwafs.
• A cikin kubeadm, akan matakai init ko upload-certs, ya zama mai yiwuwa ɗora takaddun takaddun da ake buƙata don haɗa sabon jirgin sama mai sarrafawa zuwa sirrin kubeadm-certs (amfani da tuta --experimental-upload-certs).
• domin Windows- An bayyana sigar alpha ta shigarwa. tallafi gMSA (Asusun Gudanar da Sabis na Ƙungiyar) - asusu na musamman a cikin Active Directory waɗanda kuma kwantena za a iya amfani da su.
• Za G.C.E. kunnawa mTLS boye-boye tsakanin etcd da kube-apiserver.
• Sabuntawa a cikin software da aka yi amfani da su / dogaro: Go 1.12.1, CSI 1.1, CoreDNS 1.3.1, Docker 18.09 goyon baya a cikin kubeadm, kuma mafi ƙarancin tallafin Docker API version yanzu shine 1.26.

PS

Karanta kuma a kan shafinmu:

• «Kubernetes 1.13: bayyani na manyan sabbin abubuwa";
• «Kubernetes 1.12: bayyani na manyan sabbin abubuwa";
• «Kubernetes 1.11: bayyani na manyan sabbin abubuwa";
• «Kubernetes 1.10: bayyani na manyan sabbin abubuwa".

source: www.habr.com