Patching holes in a Kubernetes cluster. Talk and transcript from DevOpsConf

Pavel Selivanov, Southbridge solutions architect and Slurm instructor, gave a talk at DevOpsConf 2019. The talk is part of the material of the advanced Kubernetes course "Slurm Mega".

Slurm Basic: an introduction to Kubernetes, Moscow, November 18-20.
Slurm Mega: a look under the hood of Kubernetes, Moscow, November 22-24.
Slurm Online: all Kubernetes courses, available at any time.

Below is the transcript of the talk.

Good afternoon, attendees and sympathisers. Today I'll be talking about security.

I can see there are a lot of security people in the hall today. I apologise in advance if I use terms from the security world differently from how you're used to.

It so happened that about six months ago I came across a public Kubernetes cluster. Public means there are some number of namespaces, and in those namespaces there are users isolated in their own namespace. All these users belong to different companies. The cluster was supposed to be used as a CDN. That is, you're given a cluster, you're given a user in it, you go to your namespace and deploy your frontends.

My previous company tried to sell such a service. And I was asked to poke at the cluster to see whether this solution was suitable or not.

I came to this cluster. I was given limited rights and a limited namespace. The guys there understood what security was. They had read about Role-based access control (RBAC) in Kubernetes, and had twisted it so that I couldn't launch pods separately from deployments. I don't remember the problem I was trying to solve by launching a pod without a deployment, but I really wanted to launch just a pod. Out of interest, I decided to see what rights I had in the cluster, what I could do, what I couldn't, and what they had messed up there. At the same time, I'll tell you what they configured incorrectly in RBAC.

It turned out that within two minutes I had admin on their cluster, looked into all the neighbouring namespaces, and saw the running production frontends of companies that had already bought the service and deployed. I barely restrained myself from going to someone's frontend and putting a swear word on the main page.

I'll tell you with examples how I did it and how to protect yourself from it.

But first, let me introduce myself. My name is Pavel Selivanov. I'm an architect at Southbridge. I understand Kubernetes, DevOps and all sorts of fancy things. The Southbridge engineers and I build all this, and I do consulting.

Besides our main activity, we recently launched projects called Slurms. We're trying to bring our skill in working with Kubernetes to the masses a little, to teach other people to work with K8s too.

What will I talk about today? The topic of the talk is obvious: the security of a Kubernetes cluster. But I want to say right away that this topic is very big, so I want to state up front what I won't be talking about. I won't talk about the hackneyed things that have already been covered a hundred times on the Internet. All sorts of RBAC and certificates.

I'll talk about what hurts me and my colleagues about security in a Kubernetes cluster. We see these problems both among providers who offer Kubernetes clusters and among the clients who come to us. And even among clients who come to us from other consulting companies. That is, the scale of the tragedy is very large indeed.

There are three points I'll talk about today:

  1. User rights versus pod rights. User rights and pod rights are not the same thing.
  2. Collecting information about the cluster. I'll show you that you can gather all the information you need from a cluster without having any special rights in it.
  3. A DoS attack on the cluster. If we can't gather information, we can at least bring the cluster down in any case. I'll talk about DoS attacks on the cluster's control elements.

Another thing I'll mention is what I tested all this on, so that I can say for certain that it all works.

We take as a basis a Kubernetes cluster installed with Kubespray. If anyone doesn't know, this is a set of Ansible roles. We use it constantly in our work. The nice thing is that you can roll it out anywhere: on bare metal or in a cloud somewhere. One universal method works for all cases.

In this cluster I'll have Kubernetes v1.14.5. The whole cluster we'll be discussing is divided into namespaces, each namespace belongs to a separate team, and the members of that team have access to their namespace. They can't go into other namespaces, only their own. But there is an admin account that has rights to the whole cluster.


I promised that the first thing we'd do is get admin rights to the cluster. We need a specially prepared pod that will break the Kubernetes cluster. All we have to do is apply it to the Kubernetes cluster.

kubectl apply -f pod.yaml

This pod will land on one of the masters of the Kubernetes cluster. And after that the cluster will happily hand us back a file called admin.conf. In Kubernetes this file stores all the admin certificates and at the same time configures access to the cluster API. That's how easy it is to get admin access to, I think, 98% of Kubernetes clusters.

I repeat, this pod was made by a developer in your cluster who only has access to deploy his work into one small namespace, all of it clamped down by RBAC. He had no rights. But the certificate was returned nonetheless.

And now about the specially prepared pod. We run it on any image. Let's take debian:jessie as an example.

It contains this:

tolerations:
- effect: NoSchedule
  operator: Exists
nodeSelector:
  node-role.kubernetes.io/master: ""

What is a toleration? Masters in a Kubernetes cluster are usually marked with a thing called a taint. And the point of this "infection" is that pods can't be scheduled on master nodes. But nothing stops you from stating in any pod that it tolerates the "infection". The tolerations section simply says that if some node has NoSchedule, then our pod tolerates such a taint, and there's no problem.

Further, we say that our pod not only tolerates the taint, but also wants to land specifically on a master. Because the masters have the tastiest thing we need: all the certificates. So we specify a nodeSelector, and there's a standard label on masters that lets you select, out of all the nodes in the cluster, exactly the ones that are masters.

With these two sections it will definitely arrive on a master. And it will be allowed to live there.

But just getting onto a master isn't enough for us. That gives us nothing by itself. So next we have these two things:

hostNetwork: true
hostPID: true

We specify that the pod we launch will live in the host's kernel namespaces: the network namespace and the PID namespace. Once the pod is launched on the master, it can see all the real, live interfaces of that node, listen to all traffic and see the PIDs of all processes.

Then it's just a matter of detail. Take etcd and read whatever you want.

The most interesting thing is this Kubernetes feature, which is available there by default.

volumeMounts:
- mountPath: /host
  name: host
volumes:
- hostPath:
    path: /
    type: Directory
  name: host

And what it means is that we can say, in the pod we launch, even without rights to the cluster, that we want to create a volume of type hostPath. That means taking a path from the host on which we'll be launched and using it as a volume. Then we give it a name: host. We mount this whole hostPath inside the pod. In this example, at the /host directory.

I'll repeat. We told the pod to land on a master, get hostNetwork and hostPID there, and mount the entire root filesystem of the master inside this pod.

You understand that in Debian we have bash running, and this bash runs as root. That is, we've just got root on the master, without having any rights in the Kubernetes cluster.

Then the whole task is to go to the subdirectory /host/etc/kubernetes/pki, if I'm not mistaken, pick up all the cluster's master certificates there and, accordingly, become cluster admin.

If you look at it this way, these are some of the most dangerous settings in pods, regardless of what rights the user has (they were listed on the slide).

If I have the right to run a pod in some namespace of the cluster, then that pod has these rights by default. I can run privileged pods, and that's essentially all rights, practically root on the node.

My favourite is the root user. Kubernetes has this Run As Non-Root option. It's a sort of protection from the attacker. Do you know what the "Moldovan virus" is? If you're suddenly an attacker and you come to my Kubernetes cluster, then we, poor admins, ask you: "Please indicate in the pods with which you'll break my cluster that they run as non-root. Otherwise it'll turn out that you run the process in your pod as root, and it'll be very easy for you to break me. Please protect yourself from yourself."

A hostPath volume, in my opinion, is the fastest way to get the desired result from a Kubernetes cluster.

But what do we do about all this?

The thought that should occur to any normal admin who encounters Kubernetes is: "Yes, I told you, Kubernetes doesn't work. It's full of holes. And the whole Kube is rubbish." In fact, there's such a thing as documentation, and if you look there, there's a section on Pod Security Policy.

This is a yaml object, which we can create in the Kubernetes cluster, that controls the security aspects specifically in the description of pods. That is, it controls the right to use hostNetwork, hostPID, certain volume types and so on that pods have at startup. With Pod Security Policy all of this can be described.

The most interesting thing about Pod Security Policy is that in a Kubernetes cluster, not only do the installers not describe any PSPs, they are simply disabled by default. Pod Security Policy is enabled with an admission plugin.

Okay, let's deploy Pod Security Policy into the cluster; let's say we have some service pods in a namespace that only admins have access to. Let's say that in all other cases pods have limited rights. Because most likely developers don't need to run privileged pods in your cluster.

And everything seems fine with us. And our Kubernetes cluster can no longer be hacked in two minutes.

There's a problem. Most likely, if you have a Kubernetes cluster, then monitoring is installed in it. I'd even go so far as to predict that if your cluster has monitoring, it's called Prometheus.

What I'm about to tell you applies both to the Prometheus operator and to Prometheus deployed in its plain form. The point is that if I can't get admin in the cluster so quickly, then I need to search more. And I can search with the help of your monitoring.

Probably everyone reads the same articles on Habr, and the monitoring lives in the monitoring namespace. The helm chart is called roughly the same for everyone. I'd guess that if you do helm install stable/prometheus, you'll end up with about the same names. And most likely I won't even have to guess the DNS name in your cluster. Because it's standard.


Then we have some dev namespace in which we can run a particular pod. And from that pod it's very easy to do something like this:

$ curl http://prometheus-kube-state-metrics.monitoring

prometheus-kube-state-metrics is one of the Prometheus exporters; it collects metrics from the Kubernetes API itself. There's a lot of data there: what's running in your cluster, what it is, and what problems you have with it.

A simple example:

kube_pod_container_info{namespace="kube-system",pod="kube-apiserver-k8s-1",container="kube-apiserver",image="gcr.io/google-containers/kube-apiserver:v1.14.5",image_id="docker-pullable://gcr.io/google-containers/kube-apiserver@sha256:e29561119a52adad9edc72bfe0e7fcab308501313b09bf99df4a9638ee634989",container_id="docker://7cbe7b1fea33f811fdd8f7e0e079191110268f2853397d7daf08e72c22d3cf8b"} 1

By making a simple curl request from an unprivileged pod, you can get this information. If you don't know what version of Kubernetes you're running, it will readily tell you.

And the most interesting thing is that in addition to reaching kube-state-metrics, you can just reach Prometheus itself directly. You can collect metrics from there. You can even build metrics from there. Even, theoretically, you can build a query against Prometheus from inside the cluster that will simply knock it over. And your monitoring will stop working for the whole cluster.

And here the question arises of whether your monitoring is itself monitored by anything. I've just got the opportunity to act in the Kubernetes cluster without any consequences for myself. You won't even know I'm working there, since there's no monitoring any more.

As with PSP, it seems the problem is that all these fancy technologies, Kubernetes, Prometheus, just don't work and are full of holes. Not really.

There's such a thing as Network Policy.

If you're a normal admin, then you most likely know about Network Policy that it's just another yaml, of which there are already plenty in the cluster. And some Network Policies are definitely not needed. And even if you've read what Network Policy is, that it's a yaml firewall for Kubernetes that lets you restrict access between namespaces and between pods, then you surely decided that a firewall in yaml format in Kubernetes rests on the following abstractions... No, no. That is definitely not needed.

Even if you haven't told your security specialists that with your Kubernetes you can build a very easy and simple, and yet very granular, firewall. Even if they don't know about it yet and don't pester you with "Well, give it to us, give it to us...", then in any case you need Network Policy to block access to the service areas that can be pulled out of your cluster without any authorization.

As in the example I gave, you can pull kube-state-metrics from any namespace in the Kubernetes cluster without having any rights to do so. Network policies close access from all other namespaces to the monitoring namespace and that's it: no access, no problems. In all the charts that exist, both the standard Prometheus and the Prometheus in the operator, there's simply an option in the helm values to enable network policies for them. You just need to turn it on and they'll work.
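What such a policy looks like when written by hand, as an added example rather than the chart's own manifest: ingress to every pod in the monitoring namespace is allowed only from pods in that same namespace (Prometheus scraping its own exporters) and from a namespace labelled name=ingress, which is an assumption about where the cluster's ingress controller runs.

```yaml
# Added example, not from the talk. Assumes the ingress controller's
# namespace carries the label name=ingress; adjust to your cluster.
# Enforcement needs a CNI that implements NetworkPolicy (Calico does;
# flannel alone does not, which is the point made further on).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: monitoring-ingress-only-local
  namespace: monitoring
spec:
  podSelector: {}          # empty selector: applies to every pod in the namespace
  policyTypes:
    - Ingress              # egress (Prometheus scraping nodes, API) is untouched
  ingress:
    - from:
        # A podSelector without a namespaceSelector matches pods in the
        # policy's own namespace only, so kube-state-metrics stays reachable
        # for Prometheus but not for a curl from a dev namespace.
        - podSelector: {}
        # Let the ingress controller (Grafana / Prometheus UI) through.
        - namespaceSelector:
            matchLabels:
              name: ingress
```

A quick check after applying it is to repeat the curl from the dev pod: with a policy-enforcing CNI it now times out instead of returning metrics.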

There's really only one problem here. Being a normal bearded admin, you most likely decided that network policies aren't needed. And having read all sorts of articles on resources like Habr, you decided that flannel, especially in host-gateway mode, is the best thing you could choose.

What to do?

You can try to redeploy the network solution you have in your Kubernetes cluster, try to replace it with something more functional. With the same Calico, for example. But I want to say right away that the task of changing the network solution in a working Kubernetes cluster is quite non-trivial. I've solved it twice (both times, however, in theory), and we even showed how to do it at Slurms. We showed our students how to change the network solution in a Kubernetes cluster. In principle, you can try to make sure there's no downtime on the production cluster. But you probably won't succeed.

And in fact the problem is solved very simply. There are certificates in the cluster, and you know that your certificates expire in a year. Well, the usual solution for certificates in a cluster is: why bother, we'll bring up a new cluster next to it, let the old one rot, and redeploy everything. True, when it rots we'll have to sit for a day, but here's a new cluster.

So, when you bring up the new cluster, put Calico in instead of flannel at the same time.

What do you do if your certificates are issued for a hundred years and you're not going to redeploy the cluster? There's such a thing as Kube-RBAC-Proxy. It's a very cool piece of work; it lets you embed it as a sidecar container in any pod in the Kubernetes cluster. And it adds authorization to that pod through Kubernetes' own RBAC.

There's one problem. Previously this Kube-RBAC-Proxy solution was built into the operator's Prometheus. But then it was removed. Now the modern versions rely on you having a network policy and closing access with it. And so we'll have to rewrite the chart a bit. In fact, if you go to that repository, there are examples of how to use it as sidecars, and the charts will have to be rewritten only minimally.

There's one more small problem. Prometheus isn't the only one handing out its metrics to anyone. All the components of our Kubernetes cluster are also capable of returning their metrics.

But as I said, if you can't get into the cluster and collect information, you can at least do some damage.

So I'll quickly show two ways a Kubernetes cluster can be broken.

You'll laugh when I tell you this, but these are two real-life cases.

Method one. Resource exhaustion.

Let's launch another special pod. It will have a section like this.

resources:
  requests:
    cpu: 4
    memory: 4Gi

As you know, requests is the amount of CPU and memory reserved on the host for the pods that specify requests. If we have a four-core host in the Kubernetes cluster, and a pod with a request for four CPUs lands there, then no other pod with requests can land on that host.

If I run such a pod and then run the command:

$ kubectl scale special-pod --replicas=...

Then nobody else will be able to deploy to the Kubernetes cluster. Because all the nodes will run out of requestable capacity. And so I'll stop your Kubernetes cluster. If I do this in the evening, I can stop deployments for a fairly long time.

If we look at the Kubernetes documentation again, we'll see this thing called Limit Range. It sets resource constraints for cluster objects. You can write a Limit Range object in yaml, apply it to some namespace, and then in that namespace you can say what the default, maximum and minimum resources for pods are.

With the help of such a thing we can limit users in certain product namespaces so that they can't specify all sorts of nasty things on their pods. But unfortunately, even if you tell the user that they can't launch pods with CPU requests greater than one, there's the wonderful scale command, or they can scale through the dashboard.

And here's where method number two comes from. We launch eleven billion pods. I didn't come up with that number myself; I saw it with my own eyes.

A real story. Late in the evening I was about to leave the office. I see a group of developers sitting in a corner, frantically doing something on their laptops. I go up to the guys and ask: "What happened to you?"

A bit earlier that evening, one of the developers was getting ready to go home. And he decided: "I'll scale my application down to one now." He pressed 1, but the Internet lagged a bit. He pressed 1 again, pressed it again, and hit Enter. He poked everything he could. Then the Internet came back to life, and everything started scaling to that number.

True, this story didn't happen on Kubernetes; at the time it was Nomad. It ended with us, after an hour of trying to stop Nomad from its persistent attempts to scale, getting Nomad's reply that it would not stop scaling and would do nothing else. "I'm tired, I'm leaving." And it curled up and died.

Naturally, I tried to do the same on Kubernetes. Kubernetes wasn't happy with eleven billion; it said: "I can't. Exceeds internal guards." But 1,000,000,000 pods it could.

In response to one billion, Kube didn't withdraw into itself. It really did start scaling. The further the process went, the more time it took to create new pods. But the process continued nonetheless. The only problem is that if I can launch pods without limit in my namespace, then even without requests and limits I can launch so many pods with some workload that the nodes start filling up in memory and CPU. When I launch that many pods, the information about them has to go into the storage, that is, etcd. And when too much information arrives there, the storage starts responding too slowly, and Kubernetes starts to get sluggish.

And one more problem... As you know, the Kubernetes control plane isn't one central thing but several components. In particular, there's the controller manager, the scheduler, and so on. All these guys start doing unnecessary, stupid work at the same time, which over time takes more and more time. The controller manager will create new pods. The scheduler will try to find a node for them. You'll probably run out of free nodes in your cluster soon. The Kubernetes cluster will work slower and slower.

But I decided to go even further. As you know, in Kubernetes there's a thing called a service. Well, by default in your clusters, most likely, services work using iptables.

If you launch a billion pods, for example, and then use a script to force Kubernetes to create new services:

for i in {1..1111111}; do
    kubectl expose deployment test --port 80 \
        --overrides="{\"apiVersion\": \"v1\", \"metadata\": {\"name\": \"nginx$i\"}}"
done

On all nodes of the cluster, more and more new iptables rules will be generated at about the same time. Moreover, a billion iptables rules will be generated for each service.

I tested this whole thing on several thousand, up to ten thousand. And the problem is that already at that threshold it's quite problematic to ssh to a node. Because packets passing through that many chains start to feel not very well.

And this, too, is all solved with the help of Kubernetes. There's an object called Resource quota. It sets the amount of available resources and the number of objects for a namespace in the cluster. We can create such a yaml object in each namespace of the Kubernetes cluster. With this object we can say that we have a certain amount of requests and limits allocated to this namespace, and then we can say that in this namespace it's possible to create 10 services and 10 pods. And a single developer can at least choke himself in the evening. Kubernetes will tell him: "You can't scale your pods to that number, because the resource exceeds the quota." That's it, problem solved. Documentation here.

One problematic point arises here. You can feel how difficult it becomes to create a namespace in Kubernetes. To do it, we have to take into account a whole bunch of things.

Resource quota + Limit Range + RBAC
• Create a namespace
• Create a limitrange inside it
• Create a resourcequota inside it
• Create a service account for CI
• Create rolebindings for CI and users
• Optionally launch the necessary service pods
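The first three items of that checklist as manifests, added here as an example (not the talk's own production files): a hypothetical dev namespace with a LimitRange that stops a single pod from requesting four CPUs and fills in defaults for containers that set nothing, and a ResourceQuota that caps the namespace's total requests and its object counts, so both the scale-to-a-billion and the service-creation loop above are refused by the API server.

```yaml
# Added example, not from the talk. Namespace name and numbers are
# assumptions; size them to your nodes.
apiVersion: v1
kind: Namespace
metadata:
  name: dev
---
# Per-container bounds. A ResourceQuota with compute limits refuses
# any pod that omits requests/limits, so the defaults here are what
# keep ordinary deployments admissible.
apiVersion: v1
kind: LimitRange
metadata:
  name: dev-limits
  namespace: dev
spec:
  limits:
    - type: Container
      default:             # used as limits when the container sets none
        cpu: 500m
        memory: 512Mi
      defaultRequest:      # used as requests when the container sets none
        cpu: 100m
        memory: 128Mi
      max:                 # "cpu: 4" from the resource-exhaustion pod fails here
        cpu: "1"
        memory: 2Gi
      min:
        cpu: 10m
        memory: 16Mi
---
# Namespace-wide totals. Object counts are what stop the DoS cases:
# the replica controller gets "exceeded quota" for pod 51, and
# kubectl expose fails for service 11.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: dev-quota
  namespace: dev
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
    pods: "50"
    services: "10"
    configmaps: "20"
    secrets: "20"
    persistentvolumeclaims: "5"
```

kubectl describe quota -n dev shows current usage against each hard value, which is the quickest way to see a namespace creeping towards its ceiling before anyone notices failed rollouts.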

So I'd like to take this opportunity to share my work. There's such a thing as the Operator SDK. It's a way to write operators for a Kubernetes cluster. You can write operators using Ansible.

At first it was written in Ansible, then I saw there was an Operator SDK and rewrote the Ansible role into an operator. This operator lets you create an object in the Kubernetes cluster called a team. Inside the team, it lets you describe the environment of this team in yaml. And inside the team environment, it lets us describe how many resources we're allocating.

A little thing that makes this whole complex process easier.

And in conclusion. What do we do with all this?
First. Pod Security Policy is good. And even though none of the Kubernetes installers use it to this day, you still need to use it in your clusters.

Network Policy isn't just another unnecessary feature. It's what's really needed in the cluster.

LimitRange/ResourceQuota: it's time to use them. We started using them a long time ago, and for a long time I was sure everyone did. It turned out it's rare.

Besides what I mentioned in the talk, there are undocumented features that let you attack the cluster. A large analysis of Kubernetes vulnerabilities was published recently.

Some things are so sad and painful. For example, under certain conditions, kubelets in a Kubernetes cluster can give the contents of the warlocks directory to an unauthorized user.

Here are instructions on how to reproduce everything I've told you. There are files with production examples of what ResourceQuota and Pod Security Policy look like. And you can try all of it yourself.

Thanks, everyone.

Source: www.habr.com
