Patching the holes in a Kubernetes cluster. Talk and transcript from DevOpsConf

Pavel Selivanov, Southbridge solutions architect and Slurm instructor, gave a talk at DevOpsConf 2019. The talk is part of one of the topics of the in-depth Kubernetes course "Slurm Mega".

Slurm Basic: An Introduction to Kubernetes takes place in Moscow on November 18-20.
Slurm Mega: looking under the hood of Kubernetes. Moscow, November 22-24.
Slurm Online: both Kubernetes courses are always available.

Below the cut is the transcript of the talk.

Good afternoon, colleagues and those who sympathize with them. Today I am going to talk about security.

I can see there are a lot of security people in the room today. I apologize in advance if I use terms from the security world not quite the way you are used to.

About six months ago a public Kubernetes cluster fell into my hands. Public means there is some number n of namespaces; in those namespaces there are users, each isolated in their own namespace. All these users belong to different companies. The cluster was supposed to be used as a CDN. That is, you are given a company, you are given a user, you go into your namespace and deploy your frontends.

My previous company tried to sell this service. And I was asked to poke at the cluster to see whether this solution was suitable or not.

I came into this cluster. I was given limited rights and a limited namespace. The people there understood what security was. They had read about Role-based access control (RBAC) in Kubernetes, and they had tightened it so that I could not launch pods separately from deployments. I don't remember what problem I was trying to solve by launching a pod without a deployment, but I really wanted to launch just a pod. On a whim, I decided to look at what rights I had in the cluster, what I could and could not do, and what they had locked down there. At the same time, I'll tell you what they misconfigured in RBAC.

It so happened that within two minutes I had admin in their cluster, had looked into all the neighbouring namespaces, and saw there the running production frontends of companies that had already bought the service and deployed. I could barely stop myself from going to someone's frontend and putting some profanity on the main page.

I'll show you with examples how I did it and how to protect yourself from it.

But first, let me introduce myself. My name is Pavel Selivanov. I am an architect at Southbridge. I understand Kubernetes, DevOps and all sorts of fashionable things. The Southbridge engineers and I build all of this, and I consult.

Besides our main work, we recently launched projects called Slurms. We are trying to bring our ability to work with Kubernetes to the masses a little, to teach other people to work with k8s too.

What will I talk about today? The topic of the talk is obvious: the security of a Kubernetes cluster. But I want to say right away that this topic is very big, so I want to make clear what I will definitely not talk about. I won't talk about the hackneyed terms that have been chewed over a hundred times on the Internet. All those RBACs and certificates.

I'll talk about what has been painful for me and my colleagues regarding security in a Kubernetes cluster. We see these problems both with providers who offer Kubernetes clusters and with the clients who come to us. And even with clients who come to us from other consulting and administration companies. So the scale of the tragedy is actually very large.

Just three points that I will talk about today:

  1. User rights vs pod rights. User rights and pod rights are not the same thing.
  2. Gathering information about the cluster. I'll show that you can collect all the information you need from a cluster without having any special rights in that cluster.
  3. DoS attack on the cluster. If we can't collect information, we can still take the cluster down in any case. I'll talk about DoS attacks on the cluster's control plane.

One more general thing I'll mention: what I tested all of this on, so that I can say for certain that it works.

We take as a basis a Kubernetes cluster installed with Kubespray. If anyone doesn't know, it is essentially a set of roles for Ansible. We use it constantly in our work. The nice thing is that you can roll it out anywhere: onto bare metal or into some cloud. One installation method works for basically everything.

In this cluster I'll have Kubernetes v1.14.5. The whole Kube cluster we'll be looking at is divided into namespaces; each namespace belongs to a separate team, and the members of that team have access to their own namespace. They can't go into other namespaces, only their own. But there is a certain admin account that has rights to the whole cluster.


I promised that the first thing we would do is get admin rights to the cluster. We need a specially prepared pod that will break the Kubernetes cluster. All we have to do is apply it to the Kubernetes cluster.

kubectl apply -f pod.yaml

This pod will land on one of the masters of the Kubernetes cluster. And after that the cluster will happily return to us a file called admin.conf. In Kube, this file stores all the admin certificates and at the same time configures access to the cluster API. That is how easy it is to get admin access to, I think, 98% of Kubernetes clusters.

I repeat: this pod was made by a developer in your cluster who has access to deploy his applications into one small namespace, fully locked down by RBAC. He had no rights at all. And yet the certificate came back.

Now about the specially prepared pod. We run it on any image. Let's take debian:jessie as an example.

We have this thing:

tolerations:
- effect: NoSchedule
  operator: Exists
nodeSelector:
  node-role.kubernetes.io/master: ""

What is a toleration? Masters in a Kubernetes cluster are usually marked with a thing called a taint. And the point of this "infection" is that it says pods cannot be scheduled onto master nodes. But nothing stops you from stating in any pod that it is tolerant of the "infection". The Toleration section says exactly that: if some node has NoSchedule on it, our pod is tolerant of that taint, and there is no problem.

Next, we say that our pod is not just tolerant, it also wants to land specifically on a master. Because the tastiest thing we need, all the certificates, lives on the masters. So we specify a nodeSelector, and there is a standard label on the masters that lets you pick, out of all the nodes in the cluster, exactly those nodes that are masters.

With these two sections it will definitely land on a master. And it will be allowed to live there.

But just landing on a master is not enough for us. It gives us nothing by itself. So next we have these two things:

hostNetwork: true
hostPID: true

We specify that the pod we launch will live in the host's kernel namespaces: the host network namespace and the host PID namespace. As soon as the pod starts on the master, it can see the real, live interfaces of that node, listen to all its traffic and see the PIDs of all its processes.

After that, the rest is trivial. You take etcd and read whatever you want.

The most interesting thing is this Kubernetes feature, which is there by default.

volumeMounts:
- mountPath: /host
  name: host
volumes:
- hostPath:
    path: /
    type: Directory
  name: host

Its point is that in the pod we launch, even without any rights in the cluster, we can say that we want to create a volume of type hostPath. That means taking a path from the host we start on and using it as a volume. Then we give it the name host. We mount this whole hostPath inside the pod. In this example, into the /host directory.

Once again: we told the pod to land on a master, get hostNetwork and hostPID there, and mount the master's entire root filesystem inside the pod.

You understand that on Debian we have bash running, and that bash runs as root. So we have just got root on the master without having any rights in the Kubernetes cluster.

Then all that is left is to go into the subdirectory /host/etc/kubernetes/pki, if I'm not mistaken, take all the cluster's master certificates from there and, accordingly, become the cluster admin.

Looked at this way, these are some of the most dangerous permissions a pod can have, regardless of what rights the user has.

If I have the right to launch a pod in some namespace of the cluster, then that pod has these permissions by default. I can run privileged pods, and that is essentially all the rights there are, practically root on the node.

My favourite is Root user. Kubernetes has this option, Run As Non-Root. It is a kind of protection from the hacker. Do you know what the "Moldovan virus" is? If you happen to be a hacker and you have come into my Kubernetes cluster, then we, the poor administrators, ask you: "Please specify run as non-root in the pods you are going to use to break my cluster. Otherwise you will run the process in your pod as root and it will be very easy for you to hack me. Please protect yourself from yourself."

The host path volume is, in my opinion, the fastest way to get the desired result from a Kubernetes cluster.

But what do we do with all this?

The thought that should occur to any normal admin who encounters Kubernetes: "Yes, I told you, Kubernetes doesn't work. It has holes. And the whole Kube is nonsense." In fact, there is such a thing as documentation, and if you look there, there is a section on Pod Security Policy.

It is a yaml object, which we can create in the Kubernetes cluster, that controls the security aspects of pod definitions. That is, it effectively controls the right to use things like hostNetwork, hostPID and certain volume types that pods have at startup. With Pod Security Policy, all of this can be described.

The most interesting thing about Pod Security Policy is that in a Kubernetes cluster none of the installers even describe PSP; it is simply disabled by default. Pod Security Policy is enabled through an admission plugin.

OK, let's deploy Pod Security Policy in the cluster and say that we have some service pods in a namespace that only admins have access to. Let's say that in all other cases pods have limited rights. Because most likely developers do not need to run privileged pods in your cluster.

And it seems everything is fine for us. Our Kubernetes cluster can no longer be broken into in two minutes.

There is a problem. Most likely, if you have a Kubernetes cluster, you have monitoring installed in it. I'll even venture to guess that if your cluster has monitoring, it is called Prometheus.

What I am about to tell you applies both to the Prometheus operator and to Prometheus installed in its plain form. The point is that if I can't get admin in the cluster that quickly, I need to look further. And I can look with the help of your monitoring.

Everyone has probably read the same articles on Habr, and monitoring lives in the monitoring namespace. The Helm chart is called roughly the same for everyone. I assume that if you do helm install stable/prometheus, you'll end up with roughly the same names. And most likely I won't even have to guess the DNS name in your cluster. Because it is standard.


Next we have some dev ns, in which you can run a pod. And from this pod it is very easy to do something like this:

$ curl http://prometheus-kube-state-metrics.monitoring 

prometheus-kube-state-metrics is one of the Prometheus exporters; it collects metrics from the Kubernetes API itself. There is a lot of data there: what is running in your cluster, what it is, what problems you have with it.

A simple example:

kube_pod_container_info{namespace="kube-system",pod="kube-apiserver-k8s-1",container="kube-apiserver",image="gcr.io/google-containers/kube-apiserver:v1.14.5",image_id="docker-pullable://gcr.io/google-containers/kube-apiserver@sha256:e29561119a52adad9edc72bfe0e7fcab308501313b09bf99df4a9638ee634989",container_id="docker://7cbe7b1fea33f811fdd8f7e0e079191110268f2853397d7daf08e72c22d3cf8b"} 1

By making a simple curl request from an unprivileged pod, you can get this kind of information. If you don't know which version of Kubernetes you are running, it will happily tell you.

And the most interesting thing is that besides querying kube-state-metrics, you can just as easily query Prometheus itself directly. You can collect metrics from there. You can even build metrics from there. Theoretically, you can even construct a query from inside the cluster to Prometheus that simply switches it off. And your monitoring from the cluster stops working entirely.

And then the question arises whether some external monitoring is watching your monitoring. I have just gained the ability to act in a Kubernetes cluster without any consequences for myself. You won't even know I am operating there, because there is no monitoring any more.

Just as with PSP, it feels as though the problem is that all these fashionable technologies, Kubernetes and Prometheus, simply don't work and are full of holes. Not quite.

There is such a thing as Network Policy.

If you are a normal admin, you probably know about Network Policy that it is yet another yaml, of which there are already far too many in the cluster. And some Network Policies are definitely not needed. And even if you have read what Network Policy is, that it is the yaml firewall of Kubernetes, that it lets you restrict access between namespaces and between pods, then you have surely decided that a firewall in yaml format in Kubernetes on yet more abstractions... No, no. Definitely not needed.

Even if your security people have not been told that with your Kubernetes you can build a firewall very easily and simply, and a very granular one at that. If they don't know this yet and aren't bugging you: "Come on, give it to me, give it to me..." Then in any case you need Network Policy to block access to certain service locations that can be pulled out of your cluster without any authorization.

As in the example I gave, you can pull kube state metrics from any namespace in the Kubernetes cluster without having any rights to do so. Network policies close off access from all other namespaces to the monitoring namespace, and that's it: no access, no problem. In all the charts that exist, both the standard Prometheus and the Prometheus in the operator, there is simply an option in the helm values to enable network policies for them. You just need to turn it on and they will work.
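As an added example (not from the talk), a NetworkPolicy for the monitoring namespace that closes off the curl from the dev namespace shown above; it assumes a CNI that enforces NetworkPolicy, and the ingress-nginx namespace label used in the second rule is an assumption about how the ingress controller's namespace is labelled:

```yaml
# Added example, not the talk's own manifest. Only takes effect with a CNI
# that enforces NetworkPolicy (Calico, for instance); flannel ignores it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: monitoring-ingress-restricted
  namespace: monitoring
spec:
  podSelector: {}                    # applies to every pod in the namespace
  policyTypes:
  - Ingress                          # egress (scraping kubelets, apiserver) stays open
  ingress:
  # Rule 1: pods inside "monitoring" may still talk to each other,
  # so Prometheus keeps scraping kube-state-metrics and node-exporter.
  - from:
    - podSelector: {}
  # Rule 2 (assumption): the Prometheus UI stays reachable only through the
  # ingress controller, whose namespace is assumed to carry name=ingress-nginx.
  - from:
    - namespaceSelector:
        matchLabels:
          name: ingress-nginx
    ports:
    - protocol: TCP
      port: 9090
```

Any pod in another namespace, such as the dev namespace from the example, now gets no route to prometheus-kube-state-metrics.monitoring at all; a `curl` from there times out instead of returning the metrics.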

There is one real problem here. Being a normal bearded admin, you most likely decided that network policies are not needed. And after reading all sorts of articles on resources like Habr, you decided that flannel, especially in host-gateway mode, is the best thing you could choose.

What to do?

You can try to redeploy the network solution you have in your Kubernetes cluster, try to replace it with something more functional. With Calico, for example. But I'll say right away that the task of changing the network solution in a working Kubernetes cluster is far from trivial. I have solved it twice (both times, admittedly, in theory), but we have even shown how to do it at Slurms. For our students, we showed how to change the network solution in a Kubernetes cluster. In principle, you can try to make sure there is no downtime on the production cluster. But you probably won't succeed.

And the problem is actually solved very simply. There are certificates in the cluster, and you know that your certificates will expire in a year. Well, the usual solution for certificates in a cluster is: why bother, we'll bring up a new cluster next to it, let the old one expire, and redeploy everything. True, when it expires we'll have to sit there for a day, but here's your new cluster.

When you bring up the new cluster, install Calico instead of flannel while you are at it.

What do you do if your certificates are issued for a hundred years and you are not going to redeploy the cluster? There is such a thing as Kube-RBAC-Proxy. It is a very cool development; it can be embedded as a sidecar container in any pod in the Kubernetes cluster. And it effectively adds authorization to that pod via Kubernetes' own RBAC.

There is one problem. Previously, this Kube-RBAC-Proxy solution was built into the Prometheus operator. But then it was removed. Modern versions rely on you having network policies and closing things off with them. So the chart will have to be rewritten a bit. In fact, if you go to that repository, there are examples of how to use it as a sidecar, and the charts will need a minimal rewrite.

There is one more small problem. It is not only Prometheus that hands out its metrics to anyone. All the components of a Kubernetes cluster can also return their own metrics.

But as I said, if you can't get into the cluster and gather information, you can at least do harm.

So I'll quickly show two ways a Kubernetes cluster can be damaged.

You'll laugh when I tell you this, but these are two real-life cases.

Method one. Resource exhaustion.

We launch another special pod. It will have a section like this.

resources:
  requests:
    cpu: 4
    memory: 4Gi

As you know, requests are the amount of CPU and memory that is reserved on the host for specific pods that declare requests. If we have a four-core host in the Kubernetes cluster, and pods whose requests add up to four CPUs arrive there, then no more pods with requests can land on that host.

If I launch such a pod and then run the command:

$ kubectl scale special-pod --replicas=...

Then nobody else will be able to deploy into the Kubernetes cluster. Because all the nodes will run out of requests. And that is how I stop your Kubernetes cluster. If I do this in the evening, I can stop deployments for quite a long time.

If we look at the Kubernetes documentation again, we'll see this thing called Limit Range. It configures resources for cluster objects. You can write a Limit Range object in yaml, apply it to certain namespaces, and then in that namespace say what the default, maximum and minimum resources for pods are.

With this we can stop users in the teams' product namespaces from specifying all sorts of nasty things in their pods. But unfortunately, even if you tell the user that they can't launch pods with requests for more than one CPU, there is the wonderful scale command, or they can scale through the dashboard.

And from there comes method number two. We launch eleven billion pods. Not because I invented that number, but because I saw it myself.

A true story. Late in the evening I was about to leave the office. I see a group of developers sitting in a corner, frantically doing something on their laptops. I go up to the guys and ask: "What happened to you?"

A little earlier, around nine in the evening, one of the developers was getting ready to go home. And he decided: "I'll scale my application down to one." He pressed one, but the Internet was lagging a bit. He pressed one again, pressed one again, hit Enter. He poked everything he could. Then the Internet came back to life, and it started scaling up to that number.

Admittedly, this story did not happen on Kubernetes; at that time it was Nomad. It ended with Nomad, after an hour of our attempts to stop it from persistently trying to scale, replying that it would not stop scaling and would not do anything else either. "I'm tired, I'm leaving." And it curled up into a ball.

Naturally, I tried to do the same thing on Kubernetes. Kubernetes was not happy with eleven billion pods; it said: "I can't. That exceeds internal caps." But one billion pods it could handle.

In response to one billion, Kube did not withdraw into itself. It really did start scaling. The further the process went, the more time it took to create each new pod. But the process still went on. The only problem is that if I can launch pods without restriction in my namespace, then even without requests and limits I can launch so many pods with some tasks in them that those tasks make the nodes fall over on memory and CPU. When I launch that many pods, the information about them has to go into the store, that is, etcd. And when too much information arrives there, the store starts returning data too slowly, and Kubernetes starts to lag.

And another problem... As you know, the Kubernetes control plane is not one central thing but several components. In particular, there is the controller manager, the scheduler, and so on. All these guys will simultaneously start doing unnecessary, stupid work that takes more and more time as it goes on. The controller manager will create new pods. The scheduler will try to find a node for them. You will most likely run out of free nodes in your cluster soon. The Kubernetes cluster will start working slower and slower.

But I decided to go even further. As you know, there is a thing in Kubernetes called a service. Well, by default in your clusters, a service most likely works through iptables.

If you launch one billion pods, for example, and then use a script to make Kubernetes create new services:

for i in {1..1111111}; do
    kubectl expose deployment test --port 80 \
        --overrides="{\"apiVersion\": \"v1\", \"metadata\": {\"name\": \"nginx$i\"}}"
done

On all nodes of the cluster, new iptables rules will be generated at roughly the same time. Moreover, one billion iptables rules will be generated for each service.

I tested this whole thing on a few thousand services, up to ten thousand. And the problem is that already at this threshold, doing ssh to a node is quite problematic. Because packets passing through that many chains start to feel not so good.

And this too is solved with the help of Kubernetes. There is the Resource quota object. It sets the amount of resources and the number of objects available to a namespace in the cluster. We can create a yaml object in each namespace of the Kubernetes cluster. Using this object we can say that a certain amount of requests and limits is allocated to this namespace, and then we can say that in this namespace 10 services and 10 pods can be created. And a lone developer can press away all evening. Kubernetes will tell him: "You can't scale your pods to that number, because it exceeds the resource quota." That's it, problem solved. The documentation is here.

One problem comes out of this. You can feel how much more complicated creating a namespace in Kubernetes becomes. To create one, we need to take care of a whole bunch of things.

Resource quota + Limit Range + RBAC
• Create a namespace
• Create a limitrange inside it
• Create a resourcequota inside it
• Create a service account for CI
• Create a rolebinding for CI and for the users
• Optionally launch the needed service pods
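As an added example (not from the talk, and not the operator described below), here is the per-team namespace bundle the checklist describes, carrying the talk's numbers: at most one CPU per container, and 10 pods and 10 services per namespace, which also bounds both the scale command from method one and the service-creation loop from method two. The names team-a, ci and team-a-developers are placeholders; edit is the built-in ClusterRole.

```yaml
# Added example, not the talk's own manifests. Placeholder names: team-a, ci,
# team-a-developers. Apply with kubectl apply -f (all documents in one file).
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
apiVersion: v1
kind: LimitRange
metadata:
  name: team-a-limits
  namespace: team-a
spec:
  limits:
  - type: Container
    max:                           # "requests for more than one CPU" are rejected
      cpu: "1"
      memory: 1Gi
    defaultRequest:                # filled in when the pod spec sets no requests
      cpu: 100m
      memory: 128Mi
    default:                       # filled in when the pod spec sets no limits
      cpu: 500m
      memory: 512Mi
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    pods: "10"                     # pod creations past the 10th fail with "exceeded quota"
    services: "10"                 # the expose loop stops after 10 services
    requests.cpu: "4"              # total reservable CPU for the namespace
    requests.memory: 4Gi
    limits.cpu: "8"
    limits.memory: 8Gi
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci
  namespace: team-a
---
# CI and the team's developers get the built-in "edit" ClusterRole, but only
# inside this namespace, so they cannot look into neighbouring namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-edit
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- kind: ServiceAccount
  name: ci
  namespace: team-a
- kind: Group                      # assumption: developers authenticate as members of this group
  apiGroup: rbac.authorization.k8s.io
  name: team-a-developers
```

Once a quota names requests.cpu or requests.memory, every pod in the namespace must declare requests, which is why the LimitRange defaults above are not optional: without them a pod spec that sets nothing is rejected instead of admitted with defaults. The "edit" role still lets a user write hostPath or hostPID into a pod spec; keeping that out is the job of the Pod Security Policy from earlier, not of RBAC.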

So I'd like to take this opportunity to share my own work. There is a thing called Operator SDK. It is a way to write operators for a Kubernetes cluster. You can write them using Ansible.

At first we had it written in Ansible; then I saw there was an Operator SDK and rewrote the Ansible role as an operator. This operator lets you create an object in the Kubernetes cluster called a team. Inside a team, you can describe the environment for that team in yaml. And inside the team's environment, we can describe how many resources we allocate.

It makes this whole complicated process a bit easier.

And in conclusion. What to do with all this?
First. Pod Security Policy is good. And even though none of the Kubernetes installers use it to this day, you still need to use it in your clusters.

Network Policy is not some unnecessary feature. It is something a cluster really needs.

LimitRange/ResourceQuota: it is time to use them. We started using them long ago, and for a long time I was sure everyone used them. It turned out to be a rarity.

Besides what I covered during the talk, there are undocumented features that let you attack the cluster. A large analysis of Kubernetes vulnerabilities was published recently.

Some things are so sad and painful. For example, under certain conditions, kubelets in a Kubernetes cluster can hand out the contents of the warlocks directory, to an unauthorized user at that.

Here are instructions on how to reproduce everything I told you about. There are files with production examples of what a ResourceQuota and a Pod Security Policy look like. And you can try all of it out.

Thanks, everyone.

Source: www.habr.com
