Holes in a Kubernetes cluster. Talk and transcript from DevOpsConf

Pavel Selivanov, solutions architect at Southbridge and Slurm instructor, gave a talk at DevOpsConf 2019. This talk is part of one of the topics of the in-depth Kubernetes course "Slurm Mega".

Slurm Basic: an introduction to Kubernetes takes place in Moscow on November 18-20.
Slurm Mega: a look under the hood of Kubernetes, Moscow, November 22-24.
Slurm Online: both Kubernetes courses are always available.

Below the cut is the transcript of the talk.

Good afternoon, colleagues and those who sympathize with them. Today I'm going to talk about security.

I see that there are many security people in the room today. I apologize in advance if I use terms from the security world not quite the way you are used to.

It so happened that a couple of months ago I came across a public Kubernetes cluster. Public means that there is some nth number of namespaces; in these namespaces there are users isolated in their own namespace. All these users belong to different companies. Well, it was assumed that this cluster would be used as a CDN. That is, they give you a cluster, they give you a user in it, you go into your namespace and deploy your frontends.

My previous company tried to sell such a service. And I was asked to poke around the cluster to see whether this solution was suitable or not.

I came to this cluster. I was given limited rights, a limited namespace. The guys there understood what security is. They had read about Role-Based Access Control (RBAC) in Kubernetes, and they had twisted it so that I couldn't launch pods separately from deployments. I don't remember the problem I was trying to solve by launching a pod without a deployment, but I really wanted to launch just a pod. Out of curiosity, I decided to see what rights I had in the cluster, what I could do, what I couldn't, and what they had done there. At the same time, I'll tell you what they configured incorrectly in RBAC.

It so happened that within two minutes I got admin on their cluster, looked at all the neighboring namespaces, and saw the running production frontends of companies that had already bought the service and deployed. I could barely restrain myself from going to someone's frontend and putting some swear word on the main page.

I'll show you with examples how I did this and how to protect yourself from it.

But first, let me introduce myself. My name is Pavel Selivanov. I'm an architect at Southbridge. I understand Kubernetes, DevOps and all sorts of fancy things. The Southbridge engineers and I are building all of this, and I do consulting.

In addition to our main activity, we recently launched projects called Slurms. We're trying to bring our ability to work with Kubernetes a bit closer to the masses, to teach other people to work with K8s too.

What will I talk about today? The topic of the talk is obvious: the security of a Kubernetes cluster. But I want to say right away that this topic is very big, and therefore I want to clarify right away what I will not talk about. I won't talk about the hackneyed things that have already been chewed over hundreds of times on the Internet. All sorts of RBAC and certificates.

I'll talk about what hurts me and my colleagues about security in a Kubernetes cluster. We see these problems both with providers who provide Kubernetes clusters and with the clients who come to us. And even with clients who come to us from other admin consulting companies. That is, the scale of the tragedy is actually very large.

There are literally three points I'll talk about today:

  1. User rights vs pod rights. User rights and pod rights are not the same thing.
  2. Collecting information about the cluster. I'll show that you can collect all the information you need from a cluster without having any special rights in that cluster.
  3. DoS attack on the cluster. If we can't collect information, we can at least put the cluster out of action. I'll talk about DoS attacks on the cluster's control plane components.

Another general thing I'll mention is what I tested all this on, so that I can say for sure that it all works.

We take as a basis the installation of a Kubernetes cluster using Kubespray. If anyone doesn't know, this is actually a set of roles for Ansible. We use it constantly in our work. The good thing is that you can roll it out anywhere: you can roll it onto bare metal or into a cloud somewhere. One installation method works, in principle, for everything.

In this cluster I'll have Kubernetes v1.14.5. The entire Cube cluster that we'll consider is divided into namespaces, each namespace belongs to a separate team, and the members of this team have access to their namespace. They can't go to other namespaces, only to their own. But there is some admin account that has rights to the whole cluster.


I promised that the first thing we'd do is get admin rights to the cluster. We need a specially prepared pod that will break the Kubernetes cluster. All we need to do is apply it to the Kubernetes cluster.

kubectl apply -f pod.yaml

This pod will land on one of the masters of the Kubernetes cluster. And after that the cluster will happily return to us a file called admin.conf. In Cube, this file stores all the admin certificates and at the same time configures the cluster API. This is how easy it is to get admin access to, I think, 98% of Kubernetes clusters.

I repeat, this pod was made by an ordinary developer in your cluster who has access to deploy his proposals into one small namespace; he is completely clamped down by RBAC. He had no rights. But nevertheless the certificate was returned.

And now about the specially prepared pod. We run it on any image. Let's take debian:jessie as an example.

We have this:

tolerations:
- effect: NoSchedule
  operator: Exists
nodeSelector:
  node-role.kubernetes.io/master: ""

What are tolerations? Masters in a Kubernetes cluster are usually marked with something called a taint. And the essence of this "infection" is that it says pods cannot be scheduled onto the master nodes. But nothing prevents you from declaring in any pod that it is tolerant of the "infection". The tolerations section simply says that if some node has NoSchedule, then our pod is tolerant of this infection, and there are no problems.

Also, we say that our pod is not only tolerant, but also specifically wants to land on the master. Because the masters have the tastiest thing we need: all the certificates. Therefore we say nodeSelector, and we have a standard label on the masters, which lets you select from all the nodes in the cluster exactly those nodes that are masters.

With these two sections it will definitely land on the master. And it will be allowed to live there.

But just landing on the master is not enough for us. This alone gives us nothing. So next we have these two things:

hostNetwork: true 
hostPID: true 

We specify that the pod we launch will live in the kernel namespaces of the host, in the network namespace and in the PID namespace. Once the pod is launched on the master, it will be able to see all the real, live interfaces of this node, listen to all the traffic and see the PIDs of all the processes.

Then it's a matter of small details. Take etcd and read whatever you want.

The most interesting thing is a Kubernetes feature that is simply there by default.

volumeMounts:
- mountPath: /host
  name: host
volumes:
- hostPath:
    path: /
    type: Directory
  name: host

And its essence is that we can say in the pod we launch, even without any rights to this cluster, that we want to create a volume of type hostPath. This means taking a path from the host on which we are launched and using it as a volume. And then we call it by the name host. We mount this entire hostPath inside the pod. In this example, into the /host directory.

I'll repeat once more. We told the pod to land on the master, to get hostNetwork and hostPID there, and to mount the entire root of the master inside this pod.

You understand that in Debian we have bash running, and this bash runs as root. That is, we just got root on the master without having any rights in the Kubernetes cluster.

Then the whole task is to go to the subdirectory /host/etc/kubernetes/pki, if I'm not mistaken, pick up all the master certificates of the cluster and, accordingly, become the cluster admin.

If you look at it this way, these are some of the most dangerous rights in pods, regardless of what rights the user has.

If I have the right to run a pod in some namespace of the cluster, then this pod has these rights by default. I can run privileged pods, and that is generally all the rights there are, practically root on the node.

My favorite is the Root user. And Kubernetes has this Run As Non-Root option. This is a kind of protection from a hacker. Do you know what the "Moldavian virus" is? If you're suddenly a hacker and you come to my Kubernetes cluster, then we, poor admins, ask: "Please indicate in the pods with which you're going to hack my cluster that they run as non-root. Otherwise it will turn out that you run the process in your pod as root, and it will be very easy for you to hack me. Please protect yourself from yourself."

A host path volume is, in my opinion, the fastest way to get the desired result from a Kubernetes cluster.

But what to do with all this?

The thought that should come to any normal admin who encounters Kubernetes is: "Yeah, I told you, Kubernetes doesn't work. It's full of holes. And the whole Cube is bullshit." Actually, there is such a thing as documentation, and if you look there, there's a section called Pod Security Policy.

This is a yaml object that we can create in the Kubernetes cluster, and it controls the security aspects specifically in the description of pods. That is, in fact, it controls the right to use hostNetwork, hostPID and certain volume types that are in the pods at startup. With the help of Pod Security Policy, all of this can be described.

The most interesting thing about Pod Security Policy is that in a Kubernetes cluster all the installers not only don't describe PSP in any way, it's simply disabled by default. Pod Security Policy is enabled via an admission plugin.

Okay, let's apply Pod Security Policy to the cluster; let's say we have some service pods in a namespace that only admins have access to. Let's say that everywhere else pods have limited rights. Because developers most likely don't need to run privileged pods in your cluster.

And everything seems fine with us. And our Kubernetes cluster can no longer be hacked in two minutes.

There is a problem. Most likely, if you have a Kubernetes cluster, then monitoring is installed on your cluster. I'd even go so far as to predict that if your cluster has monitoring, it's called Prometheus.

What I'm about to tell you is valid both for the Prometheus operator and for Prometheus delivered in its pure form. The thing is that if I can't get admin in the cluster so quickly, it means I have to look further. And I can search with the help of your monitoring.

Probably everyone has read the same articles on Habr, and monitoring lives in the monitoring namespace. The Helm chart is called roughly the same for everyone. I'm guessing that if you do helm install stable/prometheus, you'll end up with roughly the same names. And most likely I won't even have to guess the DNS name in your cluster. Because it's standard.


Next we have some dev namespace in which you can launch some pod. And then from this pod it's very easy to do something like this:

$ curl http://prometheus-kube-state-metrics.monitoring 

prometheus-kube-state-metrics is one of the Prometheus exporters that collects metrics from the Kubernetes API itself. There's a lot of data there: what's running in your cluster, what it is, what problems you have with it.

As a simple example:

kube_pod_container_info{namespace="kube-system",pod="kube-apiserver-k8s-1",container="kube-apiserver",image="gcr.io/google-containers/kube-apiserver:v1.14.5",image_id="docker-pullable://gcr.io/google-containers/kube-apiserver@sha256:e29561119a52adad9edc72bfe0e7fcab308501313b09bf99df4a9638ee634989",container_id="docker://7cbe7b1fea33f811fdd8f7e0e079191110268f2853397d7daf08e72c22d3cf8b"} 1

By making a simple curl request from an unprivileged pod, you can get the following information. If you don't know which version of Kubernetes you're running, it will easily tell you.

And the most interesting thing is that in addition to accessing kube-state-metrics, you can just as easily access Prometheus itself directly. You can collect metrics from there. You can even build metrics from there. Even theoretically, you can build such a query against Prometheus from the cluster that it will simply turn it off. And your monitoring will stop working from the cluster altogether.

And here the question arises whether any external monitoring monitors your monitoring. I've just gained the opportunity to operate in a Kubernetes cluster without any consequences for myself. You won't even know that I'm operating there, because there's no monitoring anymore.

Just like with PSP, it feels like the problem is that all these fancy technologies, Kubernetes, Prometheus, simply don't work and are full of holes. Not really.

There is such a thing as Network Policy.

If you're a normal admin, you most likely know about Network Policy that it's just another yaml, of which there are already plenty in the cluster. And some Network Policies are definitely not needed. And even if you've read what Network Policy is, that it's the yaml firewall of Kubernetes, that it lets you restrict access between namespaces and between pods, then you've definitely decided that a firewall in yaml format in Kubernetes is built on the following abstractions... No. This is definitely not needed.

Even if you haven't told your security specialists that with your Kubernetes you can build a very simple and easy firewall, and a very granular one at that. If they don't know this yet and aren't pestering you with "Well, give it to me, give it to me...", then in any case you need Network Policy to block access to some service locations that can be pulled from your cluster without any authorization.

As in the example I gave, you can pull kube-state-metrics from any namespace in the Kubernetes cluster without having the rights to do so. Network policies close access from all other namespaces to the monitoring namespace, and that's it: no access, no problems. In all the charts that exist, both the standard Prometheus and the Prometheus that is in the operator, there's simply an option in the helm values to enable network policies for them. You just need to turn it on and they'll work.
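The monitoring lockdown described here, as an added example that is not from the talk or from the Prometheus charts. The namespace name monitoring follows the talk; the team: ops label on an admin namespace that is still allowed in is assumed.

```yaml
# Added example: close the monitoring namespace to every other namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-ingress-from-other-namespaces
  namespace: monitoring
spec:
  # Empty podSelector: every pod in monitoring, so kube-state-metrics and
  # Prometheus itself are both covered.
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Pods in the same namespace: Prometheus keeps scraping its exporters.
    - podSelector: {}
    # Assumed exception: the admins' namespace, labelled team: ops, may still
    # open Grafana / the Prometheus UI. Drop this block if no such namespace exists.
    - namespaceSelector:
        matchLabels:
          team: ops
```

The policy takes effect only with a CNI plugin that enforces NetworkPolicy (Calico, for instance); with plain flannel it is accepted by the API but enforces nothing. Once it is enforced, the curl above from a pod in a dev namespace simply times out.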

There's one problem here. Being a normal bearded admin, you most likely decided that network policies aren't needed. And after reading all sorts of articles on resources like Habr, you decided that flannel, especially in host-gateway mode, is the best thing you can choose.

What to do?

You can try to redeploy the network solution you have in your Kubernetes cluster, try to replace it with something more functional. With the same Calico, for example. But I want to say right away that the task of changing the network solution in a working Kubernetes cluster is quite non-trivial. I've solved it twice (both times, however, theoretically), and we even showed how to do it at Slurms. For our students we showed how to change the network solution in a Kubernetes cluster. In principle, you can try to ensure that there's no downtime of the production cluster. But you probably won't succeed.

And the problem is actually solved very simply. There are certificates in the cluster, and you know that your certificate will expire in a year. Well, and usually the normal solution for certificates in the cluster is this: why worry, we'll raise a new cluster nearby, let the old one rot, and redeploy everything. True, while it rots we'll have to sit there for a day, but here's a new cluster.

When you raise a new cluster, put in Calico instead of flannel at the same time.

What if your certificate is issued for a hundred years and you're not going to redeploy the cluster? There is such a thing as Kube-RBAC-Proxy. This is a very cool development, it lets you embed it as a sidecar container into any pod in the Kubernetes cluster. And it actually adds authorization to this pod through Kubernetes' own RBAC.

There's one problem. Previously, this Kube-RBAC-Proxy solution was built into the Prometheus operator. But then it disappeared. Modern versions now rely on you having network policies and close access with them. And so the chart will have to be rewritten a bit. In fact, if you go to this repository, there are examples of how to use it as a sidecar, and the charts will have to be rewritten minimally.

There's one more small problem. Prometheus isn't the only one that hands out its metrics to anyone. All of our Kubernetes cluster components can also return their own metrics.

But as I've already said, if you can't get into the cluster and collect information, then you can at least do some harm.

So I'll show two ways a Kubernetes cluster can be damaged.

You'll laugh when I tell you this, but these are two real-life cases.

Method one. Resources.

Let's launch another special pod. It will have a section like this.

resources:
  requests:
    cpu: 4
    memory: 4Gi

As you know, a request is the amount of CPU and memory that is reserved on the host for a specific pod with requests. If we have a four-core host in the Kubernetes cluster, and four pods with a request of one CPU each arrive there, it means that no more pods with requests will be able to land on this host.

If I launch such a pod, then I'll run the command:

$ kubectl scale special-pod --replicas=...

Then nobody else will be able to deploy to the Kubernetes cluster. Because all the nodes will run out of requests. And so I'll stop your Kubernetes cluster. If I do this in the evening, I can stop deployments for quite a long time.

If we look at the Kubernetes documentation again, we'll see this thing called Limit Range. It sets resources for cluster objects. You can write a Limit Range object in yaml, apply it to some namespace, and then in this namespace you can say that you have default, maximum and minimum resources for pods.

With the help of such a thing, we can restrict users in specific product namespaces of the cluster from specifying all sorts of nasty things on their pods. But unfortunately, even if you tell the user that they can't launch pods with requests for more than one CPU, there's such a wonderful scale command, or they can do the scaling through the dashboard.

And this is where method two comes from. We launch 11,000,000,000 pods. That's eleven billion. Not because I came up with such a number, but because I saw it myself.

A real story. Late in the evening I was about to leave the office. I see a group of developers sitting in the corner, frantically doing something with their laptops. I go up to the guys and ask: "What happened to you?"

A little earlier, around nine in the evening, one developer was getting ready to go home. And decided: "I'll scale my application down to one now." Pressed one, but the Internet slowed down a bit. Pressed one again, pressed one, and hit Enter. Poked at everything he could. Then the Internet came to life, and everything started scaling to this number.

True, this story didn't happen on Kubernetes; at that time it was Nomad. It ended with the fact that after an hour of our attempts to stop Nomad from persistently trying to scale, Nomad replied that it would not stop scaling and would not do anything else. "I'm tired, I'm leaving." And curled up.

Naturally, I tried to do the same on Kubernetes. Kubernetes wasn't happy with eleven billion pods, it said: "I can't. Exceeds internal caps." But 1,000,000,000 pods it could do.

In response to one billion, the Cube didn't withdraw into itself. It really started scaling. The further the process went, the more time it took to create new pods. But still the process continued. The only problem is that if I can launch pods without limits in my namespace, then even without requests and limits I can launch so many pods with some workload that with the help of this workload the nodes start filling up in memory and in CPU. When I launch that many pods, the information about them has to go into the storage, that is, etcd. And when too much information arrives there, the storage starts returning too slowly, and Kubernetes starts getting dull.

And one more problem... As you know, the control plane of Kubernetes is not one central thing, but several components. In particular, there's the controller manager, the scheduler, and so on. All these guys will start doing unnecessary, stupid work at the same time, which over time will take more and more time. The controller manager will create new pods. The scheduler will try to find a node for them. You'll most likely run out of free nodes in your cluster quite soon. The Kubernetes cluster will start working slower and slower.

But I decided to go further. As you know, in Kubernetes there's such a thing as a service. Well, by default in your clusters, most likely, services work via iptables.

If you launch, for example, one billion pods and then use a script to force Kubernetes to create new services:

for i in {1..1111111}; do
    kubectl expose deployment test --port 80 \
        --overrides="{\"apiVersion\": \"v1\", \"metadata\": {\"name\": \"nginx$i\"}}"
done

On all nodes of the cluster, more and more new iptables rules will be generated approximately simultaneously. Moreover, a thousand iptables rules will be generated for each service.

I checked this whole thing on several thousand services, up to ten thousand. And the problem is that already at this threshold it's quite problematic to ssh to a node. Because packets that have to go through so many chains start to feel not very well.

And this, too, is solved with the help of Kubernetes. There is such an object as Resource Quota. It sets the amount of available resources and objects for a namespace in the cluster. We can create such a yaml object in each namespace of the Kubernetes cluster. Using this object, we can say that we have a certain amount of requests and limits allocated to this namespace, and then we can say that in this namespace it's possible to create 10 services and 10 pods. And a single developer can at least choke himself in the evening. Kubernetes will tell him: "You can't scale your pods to that amount, because the resources exceed the quota." That's it, problem solved. Documentation here.

One problematic point arises here. You can feel how difficult it becomes to create a namespace in Kubernetes. To create it, we need to take a bunch of things into account.

Resource Quota + Limit Range + RBAC
• Create a namespace
• Create a limitrange inside it
• Create a resourcequota inside it
• Create a service account for CI
• Create a rolebinding for CI and the users
• Optionally launch the necessary service pods
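The checklist above written out as one set of manifests for a single team namespace. This is an added example, not the talk's operator or its production files; the namespace name team-a, the service account ci and every number except the talk's 10 pods and 10 services are assumed.

```yaml
# Added example: one team namespace with the guard rails the talk lists.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a                  # assumed name
---
# LimitRange: per-container defaults and ceilings. A pod that asks for the
# talk's "cpu: 4" request is rejected because max.cpu is 1. The defaults also
# fill in requests for pods that specify none, so the quota below always applies.
apiVersion: v1
kind: LimitRange
metadata:
  name: team-a-limits
  namespace: team-a
spec:
  limits:
  - type: Container
    default:                    # applied to containers with no limits
      cpu: 500m
      memory: 512Mi
    defaultRequest:             # applied to containers with no requests
      cpu: 100m
      memory: 128Mi
    max:
      cpu: "1"
      memory: 1Gi
    min:
      cpu: 50m
      memory: 64Mi
---
# ResourceQuota: namespace-wide ceilings. "kubectl scale" stops at the 11th
# pod, and the "kubectl expose" loop above stops at the 11th service.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    pods: "10"
    services: "10"
    requests.cpu: "4"
    requests.memory: 4Gi
    limits.cpu: "8"
    limits.memory: 8Gi
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci                      # assumed name
  namespace: team-a
---
# Role scoped to the namespace: CI may manage deployments and read pods here,
# and nothing cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ci-deployer
  namespace: team-a
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "create", "update", "patch"]
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ci-deployer
subjects:
- kind: ServiceAccount
  name: ci
  namespace: team-a
```

Pods created beyond the quota fail with an "exceeded quota" event on the ReplicaSet, which is the message the talk paraphrases.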

Therefore, I'd like to take this opportunity to share my own development. There's such a thing as the Operator SDK. It's a way of writing operators for a Kubernetes cluster. You can write operators using Ansible.

At first it was written as an Ansible role, and then I found out that there's the Operator SDK and rewrote the Ansible role into an operator. This operator lets you create an object in the Kubernetes cluster called a team. Inside a team, it lets you describe the environment for this team in yaml. And inside the team's environment, it lets us describe that we allocate this much in resources.

It makes this whole process a little easier.

And in conclusion. What to do with all this?
First. Pod Security Policy is good. And even though none of the Kubernetes installers use it to this day, you still need to use it in your cluster.

Network Policy is not just another unnecessary thing. It's something that's really needed in the cluster.

LimitRange/ResourceQuota: it's time to use them. We started using them a long time ago, and for a long time I was sure that everyone uses them. It turned out that this is rare.

In addition to what I said during the talk, there are undocumented features that allow you to attack the cluster. A large analysis of Kubernetes vulnerabilities was published recently.

Some things there are very sad and painful. For example, under certain conditions, kubelets in a Kubernetes cluster can give out the contents of the warlocks directory to an unauthorized user.

Here are instructions on how to reproduce everything I told you about. There are files with production examples of what ResourceQuota and Pod Security Policy look like. And you can touch all of this yourself.

Thank you all.

Source: www.hab.com
