The book "Kubernetes for DevOps"

Hello, Habr residents! Kubernetes is one of the key elements of the modern cloud ecosystem. This technology provides reliability, scalability and resilience based on virtualization. John Arundel and Justin Domingus talk about the Kubernetes ecosystem and introduce proven solutions to everyday problems. Step by step, you will build your own cloud application and create the infrastructure to support it, and set up a development environment and a continuous deployment pipeline that will help you as you work on your next applications.

  • Get started with containers and Kubernetes from the basics: no special knowledge is required to learn the topic.
  • Build your own clusters or choose a managed Kubernetes service from Amazon, Google, and others.
  • Tune clusters for cost, performance, resilience, capacity and scalability.
  • Learn the best tools for developing, testing, and deploying your applications.
  • Apply current industry practices to ensure security and control.
  • Adopt DevOps principles across your whole company so that development teams can act flexibly, quickly and efficiently.

Who is this book for?

This book is most relevant for staff in administration departments who are responsible for servers, applications and services, and for developers who are building new cloud services or migrating existing applications to Kubernetes and the cloud. Don't worry, you don't need to know how to work with Kubernetes or containers: we will teach you everything.

Experienced Kubernetes users will also find much of value, with in-depth coverage of topics such as RBAC, continuous deployment, sensitive data management, and observability. We hope that the pages of this book will hold something interesting for you, regardless of your skills and experience.

What questions does this book answer?

While planning and writing this book, we discussed cloud technology and Kubernetes with hundreds of people, speaking with industry leaders and experts as well as experienced practitioners. Below are selected questions that they wanted to see answered in this book.

  • "I'm interested in why you should spend time on this technology. What problems will it help me and my team solve?"
  • "Kubernetes looks interesting, but it has a high barrier to entry. Preparing a simple example is not hard, but further administration and debugging are daunting. We would like reliable advice on how people run Kubernetes clusters in the real world and what problems we are likely to run into."
  • "Opinionated advice would be helpful. The Kubernetes ecosystem gives new teams too many options to choose from. When there are several ways to do the same thing, how do you know which is best? How do you choose?"

And perhaps the most important question of all:

  • "How can I use Kubernetes without disrupting my company?"

Excerpt. Configuration and Secret Objects

The ability to separate the logic of a Kubernetes application from its configuration (that is, from any values or settings that may change over time) is very useful. Configuration values typically include environment-specific settings, DNS addresses of third-party services, and authentication credentials.

Of course, all of this could be put directly in the code, but that approach is not flexible enough. For example, changing a configuration value would then require you to build and deploy your code again. A much better solution is to separate the configuration from the code and read it from a file or from environment variables.

Kubernetes provides several ways to manage configuration. First, you can pass values to the application through environment variables specified in the pod specification (see "Environment Variables" on page 192). Second, configuration data can be stored directly in Kubernetes using ConfigMap and Secret objects.

In this chapter, we explore these objects in detail and look at some practical approaches to managing configuration and sensitive data, using a demo application.

Updating pods when the configuration changes

Imagine that you have a deployment in your cluster and you want to change some values in its ConfigMap. If you use a Helm chart (see "Helm: Package Manager for Kubernetes" on page 102), you can automatically detect the configuration change and restart your pods with one neat trick. Add the following annotation to your deployment specification:

checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}

The deployment template now contains a checksum of the configuration parameters: if the parameters change, the checksum is updated. When you run helm upgrade, Helm will see that the deployment specification has changed and restart all the pods.

Sensitive data in Kubernetes

We already know that the ConfigMap object provides a flexible way to store and access configuration data in the cluster. However, most applications have some data that is secret and sensitive, such as passwords or API keys. It could also be stored in a ConfigMap, but that solution is not ideal.

Instead, Kubernetes provides a special type of object designed for storing sensitive data: the Secret. Next, let's look at an example of how this object can be used in our demo application.

To begin, take a look at the Kubernetes manifest for the Secret (see hello-secret-env/k8s/secret.yaml):

apiVersion: v1
kind: Secret
metadata:
    name: demo-secret
stringData:
    magicWord: xyzzy

In this example, the secret key magicWord has the value xyzzy (en.wikipedia.org/wiki/Xyzzy_(computing)). The word xyzzy is a very useful one in the computing world. As with a ConfigMap, you can store multiple keys and values in a Secret. Here, for simplicity, we use only one key/value pair.

Using Secret Objects as Environment Variables

Like a ConfigMap, a Secret object can be made available in a container as environment variables or as a file on its disk. In the following example, we set an environment variable to the value from the Secret:

spec:
  containers:
    - name: demo
      image: cloudnatived/demo:hello-secret-env
      ports:
        - containerPort: 8888
      env:
        # GREETING takes its value from the magicWord key of demo-secret
        - name: GREETING
          valueFrom:
            secretKeyRef:
              name: demo-secret
              key: magicWord

Run the following command in the demo repository to apply the manifests:

kubectl apply -f hello-secret-env/k8s/
deployment.extensions "demo" configured
secret "demo-secret" created

As before, forward a local port to see the result in your browser:

kubectl port-forward deploy/demo 9999:8888
Forwarding from 127.0.0.1:9999 -> 8888
Forwarding from [::1]:9999 -> 8888

Opening the address localhost:9999/, you should see the following:

The magic word is "xyzzy"

Writing Secret Objects to Files

In this example, we will attach the Secret to the container as a file. The code is in the hello-secret-file folder of the demo repository.

To attach the Secret as a file, we will use the following:

spec:
  containers:
    - name: demo
      image: cloudnatived/demo:hello-secret-file
      ports:
        - containerPort: 8888
      volumeMounts:
        # Mount the Secret volume read-only at /secrets/
        - name: demo-secret-volume
          mountPath: "/secrets/"
          readOnly: true
  volumes:
    - name: demo-secret-volume
      secret:
        secretName: demo-secret

As in "Creating config files from ConfigMap objects" on p. 240, we create a volume (in this case demo-secret-volume) and mount it into the container in the volumeMounts section of the specification. The mountPath field is /secrets, so Kubernetes will create one file in this directory for each key/value pair defined in the Secret.

In our example, we defined only one key/value pair, named magicWord, so the manifest will create a single file, /secrets/magicWord, containing the sensitive data in the container.

If you apply this manifest in the same way as in the previous example, you should get the same result:

The magic word is "xyzzy"

Reading Secret Objects

In the previous section, we used the kubectl describe command to display the contents of a ConfigMap. Can the same be done with a Secret?

kubectl describe secret/demo-secret
Name:         demo-secret
Namespace:    default
Labels:       <none>
Annotations:
Type:         Opaque

Data
====
magicWord:  5 bytes

Note that the data itself is not displayed. Secret objects in Kubernetes are of type Opaque, which means that their contents are not shown in kubectl describe output, in log entries, or in the terminal, making it impossible to reveal sensitive information by accident.

To see the encoded YAML version of the sensitive data, use the kubectl get command:

kubectl get secret/demo-secret -o yaml
apiVersion: v1
data:
   magicWord: eHl6enk=
kind: Secret
metadata:
...
type: Opaque

base64

What is eHl6enk=, which looks completely different from our original value? It is in fact the Secret, represented in base64 encoding. Base64 is a scheme for encoding arbitrary binary data as a string of characters.

Because sensitive data may be binary and not printable (as is the case with a TLS encryption key, for example), Secret objects are always stored in base64 format.

The text eHl6enk= is the base64-encoded version of our secret word xyzzy. You can verify this by running the base64 --decode command in a terminal:

echo "eHl6enk=" | base64 --decode
xyzzy

So, although Kubernetes protects you from accidentally printing sensitive data to the terminal or to log files, if you have read permission on Secret objects in a particular namespace, the data can be retrieved in base64 form and decoded afterwards.

If you need to base64-encode some text (for example, to put it in a Secret), use the base64 command with no arguments:

echo xyzzy | base64
eHl6enkK

Access to Secret Objects

Who can read and edit Secret objects? This is determined by RBAC, the access control mechanism (we will discuss it in detail in "Introduction to Role-Based Access Control" on page 258). If you are running a cluster that lacks RBAC or has it disabled, all your Secret objects are available to any users and containers (we will explain later that you should not have any production clusters without RBAC).

Encryption at rest

What about those who have access to the etcd database, where Kubernetes stores all of its information? Can they read sensitive data without having permission to read Secret objects through the API?

Since version 1.7, Kubernetes has supported encryption at rest. This means that sensitive data inside etcd is stored encrypted on disk and cannot be read even by those who have direct access to the database. To decrypt it, you need a key that only the Kubernetes API server has. In a properly configured cluster, encryption at rest should be enabled.

You can check whether encryption at rest is working in your cluster as follows:

kubectl describe pod -n kube-system -l component=kube-apiserver |grep encryption
        --experimental-encryption-provider-config=...

If you don't see the experimental-encryption-provider-config flag, encryption at rest is not enabled. When you use Google Kubernetes Engine or other managed Kubernetes services, your data is encrypted using a different mechanism, so the flag will be absent. Check with your Kubernetes provider to find out whether the contents of etcd are encrypted.

Keeping Secrets

There are some Kubernetes resources that should never be removed from the cluster, such as especially important Secret objects. You can protect a resource from deletion using an annotation provided by the Helm manager:

kind: Secret
metadata:
    annotations:
        "helm.sh/resource-policy": keep

Strategies for Managing Secret Objects

In the example from the previous section, the sensitive data was protected from unauthorized access as soon as it was stored in the cluster. But in the manifest files it was stored as plain text.

Never put sensitive data in files that are under version control. How can you manage and store this information before applying it to your Kubernetes cluster?

You can choose any tools or strategies for handling sensitive data in your applications, but you will still need to answer the following questions.

  • Where should sensitive data be stored so that it is highly available?
  • How do you make sensitive data available to your running applications?
  • What should happen to your applications when you replace or change sensitive data?
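
A check for the rule above that can run before a commit, as an added example that is not from the book: it reads multi-document YAML on stdin and reports every key a Secret manifest defines inline under stringData or data (base64 is an encoding, so both count). The function names and the sample manifests are constructed, and the parser assumes the flat manifest layout used in this chapter.

```sh
# Added example: the function names and the sample input are constructed here.

# Print "<name>/<key> (<field>)" for every key that a Secret manifest defines
# inline under stringData: or data:. Only handles this chapter's flat layout.
find_inline_secret_values() {
    awk '
        function flush(   i) {
            if (kind == "Secret")
                for (i = 1; i <= n; i++) print name "/" keys[i]
            kind = ""; name = ""; n = 0; section = ""
        }
        /^---/                { flush(); next }
        /^kind:/              { kind = $2 }
        /^(stringData|data):/ { section = $1; sub(/:$/, "", section); next }
        /^metadata:/          { section = "metadata"; next }
        /^[^ \t#]/            { section = "" }
        section == "metadata" && $1 == "name:" && name == "" { name = $2 }
        (section == "stringData" || section == "data") && /^[ \t]+[^ \t#]/ {
            key = $1; sub(/:$/, "", key)
            keys[++n] = key " (" section ")"
        }
        END { flush() }
    '
}

# Return non-zero when stdin contains inline Secret values (pre-commit use).
check_no_inline_secrets() {
    findings=$(find_inline_secret_values)
    if [ -n "$findings" ]; then
        printf 'inline Secret values found:\n%s\n' "$findings" >&2
        return 1
    fi
}

# Constructed sample: a ConfigMap (ignored) and the demo Secret from above.
SAMPLE_MANIFESTS='apiVersion: v1
kind: ConfigMap
metadata:
    name: demo-config
data:
    greeting: Hola
---
apiVersion: v1
kind: Secret
metadata:
    name: demo-secret
stringData:
    magicWord: xyzzy'
printf '%s\n' "$SAMPLE_MANIFESTS" | find_inline_secret_values
```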

About the authors

John Arundel is a consultant with 30 years of experience in the computer industry. He has written several books and works with many companies from different countries, advising them on cloud infrastructure and Kubernetes. In his spare time he enjoys surfing, likes shooting, and plays the piano as an amateur. He lives in a small cottage in Cornwall, England.

Justin Domingus is a systems administration engineer who works in DevOps environments with Kubernetes and cloud technologies. He enjoys spending time outdoors, drinking coffee, crabbing, and sitting at the computer. He lives in Seattle, Washington, with a wonderful cat and an equally wonderful wife and best friend, Adrienne.

» More information about the book can be found on the publisher's website
» Table of contents
» Excerpt

For Habr residents, a 25% discount with the coupon: Kubernetes

Upon payment for the paper version of the book, an e-book will be sent by email.

Source: www.habr.com
