The book "Kubernetes for DevOps"

Hello, Habr readers! Kubernetes is a key element of today's cloud ecosystem. This technology provides reliability, scalability and resilience for container virtualization. John Arundel and Justin Domingus talk about the Kubernetes ecosystem and share solutions to everyday problems. Step by step, you will build your own cloud-native application and create the infrastructure to support it, and set up a continuous development and delivery environment that will serve you well when you work on your next application.

  • Get started with containers and Kubernetes from the ground up: no prior knowledge is needed to learn the material.
  • Run your own cluster or choose a managed Kubernetes service from Amazon, Google and others.
  • Use Kubernetes to manage the container lifecycle and resource usage.
  • Optimize clusters for cost, performance, resilience, capacity and scalability.
  • Learn the best tools for developing, testing and deploying your applications.
  • Apply current industry practices for security and observability.
  • Apply DevOps principles across your organization so that development teams can work more simply, faster and more effectively.

Who is the book for?

The book is most useful for systems administrators responsible for servers, applications and services, as well as for developers involved in building new cloud services or migrating existing applications to Kubernetes and the cloud. Don't worry, you don't need to know how to work with Kubernetes or containers: we'll explain everything.

Readers already experienced with Kubernetes will also find plenty of value, with in-depth coverage of topics such as RBAC, continuous delivery, secret management and observability. We hope the pages of this book will hold something interesting for you, regardless of your skills and experience.

What questions does the book answer?

While planning and writing the book, we talked about cloud technology and Kubernetes with hundreds of people, from industry leaders and experts to recent graduates. Here are the questions they wanted to see answered in this publication.

  • "I want to understand why I should spend time on this technology. What problems will it help me and my team solve?"
  • "Kubernetes looks interesting, but it has a pretty steep learning curve. Putting together a simple demo is not hard, but further administration and debugging are daunting. We need sound advice on how people manage Kubernetes clusters in the real world and what problems we'll run into."
  • "Practical recommendations would help. The Kubernetes ecosystem offers too many alternatives for new teams to choose from. When there are several ways to do the same thing, how do you know which is best? How do you choose?"

And perhaps the most important question of all:

  • "How can I use Kubernetes without disrupting my company?"

Excerpt. Configuration and Secret objects

The ability to separate the logic of a Kubernetes application from its configuration (that is, from any values or settings that may change over time) is very important. Configuration values usually include environment-specific settings, DNS addresses of third-party services, and authentication credentials.

Of course, all of this could be put directly into the code, but that approach is not flexible enough. For example, changing a configuration value would require you to rebuild and redeploy your code. A much better solution is to separate the configuration from the code and read it from a file or from environment variables.

Kubernetes offers several ways to manage configuration. First, you can pass values to the application through environment variables specified in the pod wrapper specification (see "Environment Variables" on page 192). Second, configuration data can be stored directly in Kubernetes using ConfigMap and Secret objects.

In this chapter, we examine these objects in detail and look at some practical techniques for managing configuration and sensitive data, using the demo application.

Updating pods on configuration changes

Suppose you have a deployment in your cluster and you want to change some values in its ConfigMap. If you are using a Helm chart (see "Helm: the Package Manager for Kubernetes" on page 102), you can detect the change and reload your pods automatically with a neat trick. Add the following annotation to your deployment specification:

checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}

The deployment template now contains a checksum of the configuration parameters: if they change, the checksum changes too. When you run helm upgrade, Helm will detect that the deployment specification has changed and will restart all the pods.
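The same mechanism without Helm, as an added example that is not from the book: the script below hashes a ConfigMap manifest, puts the digest into the pod template's annotations, and reports whether a changed ConfigMap would produce a different pod template (and therefore a rollout). The ConfigMap contents, the Deployment skeleton and the image tag `cloudnatived/demo:hello-config-env` are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the book): reproduce the checksum/config trick without
# Helm. A hash of the ConfigMap manifest goes into the pod template annotations;
# any change to the ConfigMap changes the hash, the pod template, and so
# triggers a rolling restart of the Deployment's pods.

# config_checksum FILE: hex sha256 digest of the ConfigMap manifest.
config_checksum() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# render_deployment FILE: minimal Deployment whose pod template carries the
# checksum annotation. Name and image tag are hypothetical.
render_deployment() {
    sum=$(config_checksum "$1")
    cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
spec:
  selector:
    matchLabels:
      app: demo
  template:
    metadata:
      labels:
        app: demo
      annotations:
        checksum/config: ${sum}
    spec:
      containers:
        - name: demo
          image: cloudnatived/demo:hello-config-env
          envFrom:
            - configMapRef:
                name: demo-config
EOF
}

# template_changed OLD_FILE NEW_FILE: exit 0 when the two ConfigMaps would give
# different pod templates, i.e. when applying the new one causes a rollout.
template_changed() {
    [ "$(config_checksum "$1")" != "$(config_checksum "$2")" ]
}

# write_configmap FILE GREETING: constructed ConfigMap for the demo run.
write_configmap() {
    cat > "$1" <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: demo-config
data:
  greeting: $2
EOF
}

# --- demo run with two versions of the constructed ConfigMap ---------------
demo_dir=$(mktemp -d)
write_configmap "$demo_dir/v1.yaml" "Hello"
write_configmap "$demo_dir/v2.yaml" "Bonjour"
render_deployment "$demo_dir/v1.yaml" | grep 'checksum/config'
if template_changed "$demo_dir/v1.yaml" "$demo_dir/v2.yaml"; then
    echo "ConfigMap changed: pod template differs, pods will be restarted"
fi
rm -rf "$demo_dir"
```

The rendered manifest can be fed straight to `kubectl apply -f -`; because only the annotation differs between the two renderings, Kubernetes sees a new pod template and performs the same rolling update that Helm triggers on `helm upgrade`.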

Sensitive data in Kubernetes

We already know that ConfigMap objects provide a flexible mechanism for storing and accessing configuration data in the cluster. However, most applications have data that is confidential and sensitive, such as passwords or API keys. It could also be stored in a ConfigMap, but that solution is far from ideal.

Instead, Kubernetes has a special type of object designed to store sensitive data: the Secret. Next, let's look at an example of how this object can be used in our demo application.

To begin, look at the Kubernetes manifest for the Secret object (see hello-secret-env/k8s/secret.yaml):

apiVersion: v1
kind: Secret
metadata:
    name: demo-secret
stringData:
    magicWord: xyzzy

In this example, the magicWord key has the value xyzzy (en.wikipedia.org/wiki/Xyzzy_(computing)). The word xyzzy is often credited with magical powers in the world of computing. Just like a ConfigMap, a Secret object can hold multiple keys and values. Here, for simplicity, we use only one key-value pair.

Using Secret objects as environment variables

Like a ConfigMap, a Secret object can be made available inside a container as environment variables or as files on its disk. In the following example, we give an environment variable its value from the Secret:

spec:
  containers:
    - name: demo
      image: cloudnatived/demo:hello-secret-env
      ports:
        - containerPort: 8888
      env:
        - name: GREETING
          valueFrom:
            secretKeyRef:
              name: demo-secret
              key: magicWord

Run the following command in the demo repository to apply the manifests:

kubectl apply -f hello-secret-env/k8s/
deployment.extensions "demo" configured
secret "demo-secret" created

As before, forward a local port to the deployment to see the result in your browser:

kubectl port-forward deploy/demo 9999:8888
Forwarding from 127.0.0.1:9999 -> 8888
Forwarding from [::1]:9999 -> 8888

When you open the address localhost:9999/ you should see the following:

The magic word is "xyzzy"

Writing Secret objects to files

In this example, we pass the Secret object to the container as a file. The code is in the hello-secret-file folder of the demo repository.

To mount the Secret as a file, we use the following deployment specification:

spec:
  containers:
    - name: demo
      image: cloudnatived/demo:hello-secret-file
      ports:
        - containerPort: 8888
      volumeMounts:
        - name: demo-secret-volume
          mountPath: "/secrets/"
          readOnly: true
  volumes:
    - name: demo-secret-volume
      secret:
        secretName: demo-secret

As in "Creating configuration files from ConfigMap objects" on page 240, we create a volume (here demo-secret-volume) and mount it into the container in the volumeMounts section of the specification. The mountPath field is /secrets, so Kubernetes will create a file in this directory for each key/value pair defined in the Secret object.

In our example, we defined only one key-value pair called magicWord, so the result will be a single read-only file /secrets/magicWord containing the sensitive data inside the container.

If you apply this manifest just as in the previous example, you should get the same result:

The magic word is "xyzzy"

Reading Secret objects

In the previous section, we used the kubectl describe command to view the contents of a ConfigMap. How about doing the same with a Secret?

kubectl describe secret/demo-secret
Name:          demo-secret

Namespace:      default
Labels:             <none>
Annotations:
Type:               Opaque

Data
====
magicWord: 5   bytes

Note that the data itself is not shown. Secret objects in Kubernetes are of type Opaque, which means their contents do not appear in kubectl describe output, log messages, or the terminal, so the sensitive data cannot be exposed by accident.

To view the YAML version of the sensitive data, use the kubectl get command:

kubectl get secret/demo-secret -o yaml
apiVersion: v1
data:
   magicWord: eHl6enk=
kind: Secret
metadata:
...
type: Opaque

base64

What is eHl6enk=, which looks nothing like our original value? This is in fact the Secret's data, represented in base64 encoding. Base64 is a scheme for encoding arbitrary binary data as a string of characters.

Because sensitive data may be binary and non-printable (as is the case with TLS encryption keys), Secret objects are always stored in base64 form.

The text eHl6enk= is the base64-encoded version of our secret word xyzzy. You can verify this by running the base64 --decode command in the terminal:

echo "eHl6enk=" | base64 --decode
xyzzy

So, although Kubernetes protects you from accidentally printing sensitive data to the terminal or to log files, if you have read permission on Secret objects in a given namespace, that data can be base64-decoded and read.

If you need to base64-encode some text (for example, to put it in a Secret), use the base64 command without arguments:

echo xyzzy | base64
eHl6enkK
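Note the trailing K: `echo` appends a newline, so `eHl6enkK` encodes "xyzzy\n", not "xyzzy", and a Secret built this way would hand the application a value with a stray newline. The following script, an added example that is not from the book or the demo repository, encodes values the way the API server stores them (with `printf '%s'`, no newline), renders a Secret manifest using `data:` instead of `stringData:`, and decodes a key back out of such a manifest without kubectl. The manifest text is constructed here; the only page value is magicWord/xyzzy.

```shell
#!/bin/sh
# Added example (not from the book): base64 handling for Secret manifests,
# including the trailing-newline pitfall of 'echo value | base64'.

# b64 STRING: base64 of exactly the given bytes (no newline added, no wrapping).
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# b64_decode STRING: inverse of b64.
b64_decode() {
    printf '%s' "$1" | base64 --decode
}

# encode_with_echo STRING: what 'echo value | base64' produces. The newline
# that echo appends becomes part of the secret, so the encoding differs.
encode_with_echo() {
    echo "$1" | base64 | tr -d '\n'
}

# render_secret NAME KEY VALUE: Secret manifest using the data: field (base64),
# the form 'kubectl get secret -o yaml' returns, rather than stringData:.
render_secret() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  $2: $(b64 "$3")
EOF
}

# secret_value MANIFEST_TEXT KEY: extract and decode one key from a manifest
# produced by render_secret (or returned by kubectl get -o yaml).
secret_value() {
    encoded=$(printf '%s\n' "$1" | sed -n "s/^  $2: //p")
    b64_decode "$encoded"
}

# --- demo run with the page's key/value pair -------------------------------
manifest=$(render_secret demo-secret magicWord xyzzy)
printf '%s\n' "$manifest"
echo "decoded value : $(secret_value "$manifest" magicWord)"
echo "printf encode : $(b64 xyzzy)"
echo "echo encode   : $(encode_with_echo xyzzy)   (newline included)"
```

On a live cluster the equivalent of `secret_value` is `kubectl get secret demo-secret -o jsonpath='{.data.magicWord}' | base64 --decode`; either way the decoding step is only a transport detail, not protection, which is why access to Secrets is governed by RBAC rather than by the encoding.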

Access to Secret objects

Who can read and modify Secret objects? This is determined by RBAC, an access control mechanism (we discuss it in detail in "Introduction to Role-Based Access Control" on page 258). If you are running a cluster that does not have RBAC, or has not enabled it, all your Secret objects are available to every user and container (we'll explain later that you should never run a production cluster without RBAC).

Encryption at rest

What about people who have access to the etcd database in which Kubernetes stores all its data? Can they read the sensitive data without having permission to read Secret objects through the API?

Since version 1.7, Kubernetes has supported encryption at rest. This means that the sensitive data in etcd is stored on disk in encrypted form and cannot be read even by those with direct access to the database. To decrypt it, you need a key that only the Kubernetes API server has. In a properly configured cluster, encryption at rest should be enabled.

You can check whether encryption at rest is working in your cluster like this:

kubectl describe pod -n kube-system -l component=kube-apiserver | grep encryption
        --experimental-encryption-provider-config=...

If you don't see the --experimental-encryption-provider-config flag, encryption at rest is not enabled. When using Google Kubernetes Engine or another managed Kubernetes service, your data is encrypted using a different mechanism, so the flag will not be present. Check with your Kubernetes provider to find out whether etcd contents are encrypted.
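The check above turned into a script, as an added example that is not from the book: it looks for the provider-config flag in a `kubectl describe` output, then writes a minimal EncryptionConfiguration file with a fresh AES-CBC key and verifies the provider order. The pod descriptions in the block are constructed; `--encryption-provider-config` is the current spelling of the kube-apiserver flag (the `--experimental-` form on the page is the older one), and `apiserver.config.k8s.io/v1` / `EncryptionConfiguration` is the real API for that file.

```shell
#!/bin/sh
# Added example (not from the book): detect whether an encryption provider
# config is set on kube-apiserver, and generate a minimal EncryptionConfiguration.

# encryption_at_rest_enabled TEXT: TEXT is the output of
# 'kubectl describe pod -n kube-system -l component=kube-apiserver'.
# Returns 0 when either spelling of the provider-config flag is present.
encryption_at_rest_enabled() {
    printf '%s\n' "$1" | grep -Eq -- '--(experimental-)?encryption-provider-config='
}

# gen_encryption_config FILE: EncryptionConfiguration that encrypts Secrets with
# a random 32-byte AES-CBC key. 'identity' (plaintext) is listed last so that
# Secrets written before encryption was enabled can still be read; they are
# stored encrypted only once re-saved, e.g.
#   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
gen_encryption_config() {
    key=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
    cat > "$1" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${key}
      - identity: {}
EOF
}

# first_provider_encrypts FILE: returns 0 unless the first provider is
# 'identity', which would silently keep writing new Secrets in plaintext.
first_provider_encrypts() {
    first=$(sed -n '/providers:/,$p' "$1" | grep -E '^ *- [a-z]+:' | head -n 1)
    case "$first" in
        *identity:*) return 1 ;;
        *) return 0 ;;
    esac
}

# key_bytes FILE: byte length of the decoded first key (32 for AES-256-CBC).
key_bytes() {
    sed -n 's/^ *secret: //p' "$1" | head -n 1 | base64 --decode | wc -c | tr -d ' '
}

# --- demo run with constructed describe output -----------------------------
sample_on='Containers:
  kube-apiserver:
    Command:
      kube-apiserver
      --experimental-encryption-provider-config=/etc/kubernetes/encryption.yaml
      --etcd-servers=https://127.0.0.1:2379'
sample_off='Containers:
  kube-apiserver:
    Command:
      kube-apiserver
      --etcd-servers=https://127.0.0.1:2379'

for s in "$sample_on" "$sample_off"; do
    if encryption_at_rest_enabled "$s"; then
        echo "encryption at rest: enabled"
    else
        echo "encryption at rest: NOT enabled"
    fi
done

cfg=$(mktemp)
gen_encryption_config "$cfg"
first_provider_encrypts "$cfg" && echo "first provider encrypts (key: $(key_bytes "$cfg") bytes)"
rm -f "$cfg"
```

On a real cluster the generated file is placed on the control-plane node and referenced from the apiserver flag; the script only produces and sanity-checks it. The provider-order check matters because the first provider is the one used for writes, and the others are tried only for reads.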

Keeping Secrets

There are some Kubernetes resources that should never be deleted from the cluster, such as highly sensitive Secret objects. You can protect a resource from deletion with an annotation from the Helm package manager:

kind: Secret
metadata:
    annotations:
        "helm.sh/resource-policy": keep

Secret Object Management Strategies

In the example from the previous section, the sensitive data was protected from unauthorized access as soon as it was stored in the cluster. But in the manifest files it was stored in plain text.

You should never put sensitive data in files that are under version control. How, then, can you manage and store this data before applying it to your Kubernetes cluster?

You can choose any tool or strategy for handling sensitive data in your application, but you will still need to answer at least the following questions.

  • Where should the sensitive data be stored so that it is easy to access?
  • How do you make the sensitive data available to your running applications?
  • What should happen to your applications when you change or rotate the sensitive data?

About the authors

John Arundel is a consultant with 30 years of experience in the computer industry. He has written several books and works with many companies from different countries, advising them on cloud-native infrastructure and Kubernetes. In his spare time he enjoys surfing, is a good pistol shooter, and plays the piano as a hobby. He lives in a fairytale cottage in Cornwall, England.

Justin Domingus is an operations engineer working in DevOps environments with Kubernetes and cloud technologies. He enjoys spending time outdoors, drinking coffee, crabbing, and sitting at the computer. He lives in Seattle, Washington, with a wonderful cat and an even more wonderful wife and best friend, Adrienne.

» More information about the book is available on the publisher's website
» Table of contents
» Excerpt

For Khabrozhiteley, a 25% discount with the coupon code Kubernetes

When you pay for the paper version of the book, an electronic copy will be sent by e-mail.

Source: www.hab.com
