Book "Kubernetes for DevOps"

Hello, Habr residents! Kubernetes is one of the key elements of the modern ecosystem. This technology provides reliability, scalability and resilience for container virtualization. John Arundel and Justin Domingus talk about the Kubernetes ecosystem and present proven solutions to everyday problems. Step by step, you will build your own cloud-native application and create the infrastructure to support it, set up a development environment and a continuous deployment pipeline that will help you as you work on your next applications.

  • Start with containers and Kubernetes from the basics: no special experience is required to learn the topic.
  • Run your own clusters or choose a managed Kubernetes service from Amazon, Google, and so on.
  • Use Kubernetes to manage container lifecycles and resource usage.
  • Optimize clusters for cost, performance, resilience, capacity and scalability.
  • Learn the best tools for developing, testing, and deploying your applications.
  • Apply current industry practices to ensure security and control.
  • Apply DevOps principles throughout your company so that development teams can work more easily, quickly, and efficiently.

Who is the book for?

This book is most relevant to staff of administration departments who are responsible for servers, applications and services, as well as to developers involved in building cloud services or migrating existing applications to Kubernetes and the cloud. Don't worry, you do not need to know how to work with Kubernetes or containers: we will teach you everything.

Experienced Kubernetes users will also find a lot of value, with in-depth coverage of topics such as RBAC, continuous deployment, data management, and observability. We hope that the pages of the book will have something interesting for you, regardless of your skills and experience.

What questions does the book answer?

While planning and writing the book, we discussed cloud technology and Kubernetes with hundreds of people, talking to industry leaders and experts as well as complete beginners. Below are selected questions that they would like to see answered in this book.

  • "I want to know why you should spend time on this technology. What problems will it help me and my team solve?"
  • "Kubernetes seems interesting, but it has a high barrier to entry. Preparing a simple example is not difficult, but ongoing administration and debugging are daunting. We would like to get reliable advice on how people manage Kubernetes clusters in the real world and what problems we are likely to run into."
  • "Advice would be helpful. The Kubernetes ecosystem gives new teams too many options to choose from. When there are several ways to do the same thing, how do you know which one is best? How do you make a choice?"

And perhaps the most important of all the questions:

  • "How can I use Kubernetes without disrupting my company?"

Excerpt. Configuration and Secret objects

The ability to separate the logic of a Kubernetes application from its configuration (that is, from any values or settings that may change over time) is very useful. Configuration values typically include environment-specific settings, DNS addresses of third-party services, and authentication credentials.

Of course, all of this can be put directly in the code, but that approach is not flexible enough. For example, changing a configuration value would then require you to rebuild and redeploy your code. A better solution is to separate the configuration from the code and read it from a file or from environment variables.

Kubernetes provides several ways to manage configuration. First, you can pass values to the application through environment variables specified in the pod specification (see "Environment Variables" on page 192). Second, configuration data can be stored directly in Kubernetes using ConfigMap and Secret objects.

In this chapter, we examine these objects in detail and look at some practical approaches to managing configuration and sensitive data, using a demo application.

Updating pods when the configuration changes

Imagine you have a deployment in your cluster and you want to change some values in its ConfigMap. If you use a Helm chart (see "Helm: Package Manager for Kubernetes" on page 102), you can detect a configuration change automatically and reload your pods with one neat trick. Add the following annotation to your deployment specification:

checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}

The deployment template now contains a checksum of the configuration settings: when a setting is changed, the sum is updated. If you run helm upgrade, Helm will detect that the specification has changed and will restart all the pods.

Sensitive data in Kubernetes

We already know that the ConfigMap object provides a flexible mechanism for storing and accessing configuration data in the cluster. However, most applications have information that is secret and sensitive, such as passwords or API keys. It could also be stored in a ConfigMap, but this solution is not ideal.

Instead, Kubernetes provides a special type of object designed for storing sensitive data: Secret. Next, let's look at an example of how this object can be used in our demo application.

To begin, take a look at the Kubernetes manifest for the Secret object (see hello-secret-env/k8s/secret.yaml):

apiVersion: v1
kind: Secret
metadata:
    name: demo-secret
stringData:
    magicWord: xyzzy

In this example, the secret key magicWord has the value xyzzy (en.wikipedia.org/wiki/Xyzzy_(computing)). The word xyzzy is generally very useful in the world of computers. As with a ConfigMap, you can store many keys and values in a Secret object. Here, for simplicity, we use only one key-value pair.

Using Secret objects as environment variables

Like a ConfigMap, a Secret object can be made available in the container as an environment variable or as a file on its disk. In the following example, we assign an environment variable the value from the Secret:

spec:
  containers:
    - name: demo
      image: cloudnatived/demo:hello-secret-env
      ports:
        - containerPort: 8888
      env:
        - name: GREETING
          valueFrom:
            # secretKeyRef must be nested under valueFrom
            secretKeyRef:
              name: demo-secret
              key: magicWord

Run the following command in the demo repository to apply the manifests:

kubectl apply -f hello-secret-env/k8s/
deployment.extensions "demo" configured
secret "demo-secret" created

As before, forward a local port to the deployment to see the result in your browser:

kubectl port-forward deploy/demo 9999:8888
Forwarding from 127.0.0.1:9999 -> 8888
Forwarding from [::1]:9999 -> 8888

When you open localhost:9999/ you should see the following:

The magic word is "xyzzy"

Writing Secret objects to files

In this example, we attach the Secret object to the container as a file. The code is in the hello-secret-file folder of the demo repository.

To attach the Secret as a file, we use the following deployment:

spec:
  containers:
    - name: demo
      image: cloudnatived/demo:hello-secret-file
      ports:
        - containerPort: 8888
      volumeMounts:
        - name: demo-secret-volume
          mountPath: "/secrets/"
          readOnly: true
  # volumes is a sibling of containers in the pod spec
  volumes:
    - name: demo-secret-volume
      secret:
        secretName: demo-secret

As in the section "Creating configuration files from ConfigMap objects" on p. 240, we create a volume (in this case demo-secret-volume) and mount it into the container in the volumeMounts section of the specification. The mountPath field is /secrets, so Kubernetes will create one file in this folder for each key/value pair defined in the Secret object.

In our example, we defined only one key-value pair, named magicWord, so the manifest will create a single read-only file /secrets/magicWord containing the sensitive data in the container.

If you apply this manifest in the same way as in the previous example, you should get the same result:

The magic word is "xyzzy"

Reading Secret objects

In the previous section, we used the kubectl describe command to display the contents of a ConfigMap. Can the same be done with a Secret?

kubectl describe secret/demo-secret
Name:          demo-secret

Namespace:      default
Labels:             <none>
Annotations:
Type:               Opaque

Data
====
magicWord: 5   bytes

Note that the data itself is not displayed. Secret objects in Kubernetes are of type Opaque, which means that their contents are not shown in kubectl describe output, in log entries, or in the terminal, making it impossible to disclose sensitive information by accident.

To view the encoded YAML version of the sensitive data, use the kubectl get command:

kubectl get secret/demo-secret -o yaml
apiVersion: v1
data:
   magicWord: eHl6enk=
kind: Secret
metadata:
...
type: Opaque

base64

What is eHl6enk=, which looks completely different from our original value? It is in fact the Secret object, represented in base64 encoding. Base64 is a scheme for encoding arbitrary binary data as a string of characters.

Because sensitive information may be binary and not printable (as is the case with a TLS encryption key), Secret objects are always stored in base64 format.

The text eHl6enk= is the base64-encoded version of our secret word xyzzy. You can verify this by running the base64 --decode command in a terminal:

echo "eHl6enk=" | base64 --decode
xyzzy

So, while Kubernetes protects you from accidentally printing sensitive data in the terminal or in log files, if you have read permissions on Secret objects in a given namespace, the data can be obtained in base64 form and then decoded.

If you need to base64-encode some text (for example, to put it in a Secret), use the base64 command with no arguments:

echo xyzzy | base64
eHl6enkK
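
The two encoded values above differ because echo appends a newline: eHl6enkK encodes "xyzzy" followed by a newline byte, while eHl6enk= encodes the word alone. The shell functions below are an added example, not code from the book; their names and the sample data are constructed here. They encode a value without the newline and flag base64 values that decode to data ending in one.

```bash
#!/usr/bin/env bash
# Added example (not from the book): keep stray newlines out of Secret values.

# Encode exactly the bytes of $1; printf '%s' appends no newline.
b64_exact() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Exit 0 when the base64 value $1 decodes to data ending in a newline (0x0a).
ends_with_newline() {
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ]
}

# Read "key: base64value" lines (the data: section of a Secret) on stdin and
# print every key whose decoded value ends with a newline.
audit_secret_data() {
  while IFS=': ' read -r key value; do
    if [ -n "$key" ] && [ -n "$value" ] && ends_with_newline "$value"; then
      printf '%s\n' "$key"
    fi
  done
}

# Constructed sample: magicWord is the value stored in the cluster on this
# page; magicWordEcho is the output of `echo xyzzy | base64`.
SAMPLE_DATA='magicWord: eHl6enk=
magicWordEcho: eHl6enkK'

b64_exact xyzzy; echo                              # eHl6enk=
printf '%s\n' "$SAMPLE_DATA" | audit_secret_data   # magicWordEcho
```

An application that compares the secret byte for byte, such as a password or API key check, will reject the value that carries the extra newline.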

Access to Secret objects

Who can read and edit Secrets? This is determined by RBAC, an access control mechanism (we discuss it in detail in the section "Introduction to Role-Based Access Control" on page 258). If you are running a cluster that has no RBAC or does not have it enabled, all of your Secret objects are available to any users and containers (we will explain later that you should not have any production clusters without RBAC).

Passive data encryption

What about those who have access to the etcd database, where Kubernetes stores all of its information? Can they read sensitive data without having permission to read Secret objects through the API?

Since version 1.7, Kubernetes has supported passive data encryption (encryption at rest). This means that sensitive information inside etcd is stored encrypted on disk and cannot be read even by those who have direct access to the database. To decrypt it, you need a key that only the Kubernetes API server has. In a properly configured cluster, passive encryption should be enabled.

You can check whether passive encryption is working in your cluster this way:

kubectl describe pod -n kube-system -l component=kube-apiserver |grep encryption
        --experimental-encryption-provider-config=...

If you do not see the experimental-encryption-provider-config flag, passive encryption is not enabled. When you use Google Kubernetes Engine or other managed Kubernetes services, your data is encrypted using a different mechanism, so the flag will not be present. Check with your Kubernetes vendor to find out whether the etcd contents are encrypted.
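
The same check as a reusable function, as an added example that is not from the book. It also accepts --encryption-provider-config, the name the flag has in later Kubernetes releases that dropped the "experimental-" prefix; the function name, the sample flag listings and the file path are constructed here.

```bash
#!/usr/bin/env bash
# Added example (not from the book): classify kube-apiserver flags on stdin.

# Prints "configured <path>" when an encryption provider config flag is set,
# otherwise "not-configured". Matches the flag name shown above and the later
# name without the "experimental-" prefix.
encryption_flag_status() {
  path=$(sed -n -E \
    's/^[[:space:]]*--(experimental-)?encryption-provider-config=(.*)$/\2/p' |
    head -n 1)
  if [ -n "$path" ]; then
    printf 'configured %s\n' "$path"
  else
    printf 'not-configured\n'
  fi
}

# Constructed flag listings; the file path is a placeholder.
FLAGS_OLD='      --authorization-mode=Node,RBAC
      --experimental-encryption-provider-config=/path/to/encryption.yaml'
FLAGS_NEW='      --encryption-provider-config=/path/to/encryption.yaml'
FLAGS_NONE='      --authorization-mode=Node,RBAC'

for sample in "$FLAGS_OLD" "$FLAGS_NEW" "$FLAGS_NONE"; do
  printf '%s\n' "$sample" | encryption_flag_status
done
```

Pipe the output of the kubectl describe pod command above into encryption_flag_status to use it on a cluster. The flag only shows that a provider file is set; whether Secrets are actually encrypted depends on the providers listed in that file.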

Keeping sensitive data

There are some Kubernetes resources that should never be removed from the cluster, such as particularly important Secret objects. You can protect a resource from deletion using an annotation provided by the Helm manager:

kind: Secret
metadata:
    annotations:
        "helm.sh/resource-policy": keep

Secret Object Management Strategies

In the example from the previous section, the sensitive data was protected from unauthorized access as soon as it was stored in the cluster. But in the manifest files it was stored as plain text.

You should not put sensitive information in files that are under version control. How can you securely manage and store this information before applying it to your Kubernetes cluster?

You can choose any tools or strategies for handling sensitive data in your applications, but you will still need to answer at least the following questions.

  • Where should sensitive data be stored so that it is highly available?
  • How do you make sensitive data available to your running applications?
  • What should happen to your applications when you replace or update sensitive data?
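
One way to enforce the rule about version control before a commit, as an added example that is not from the book: a shell function that lists manifest files defining a Secret with inline values. The function names and the sample tree are constructed here; the sample Secret is the demo-secret manifest shown earlier.

```bash
#!/usr/bin/env bash
# Added example (not from the book): find Secret manifests with inline values.

# Print every *.yaml / *.yml file under directory $1 that holds a document of
# kind Secret with a top-level stringData: or data: section.
find_inline_secrets() {
  find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort |
  while IFS= read -r file; do
    if awk '
      /^---/                { kind = ""; has_values = 0 }   # next YAML document
      /^kind:/              { kind = $2 }
      /^(stringData|data):/ { has_values = 1 }
      kind == "Secret" && has_values { found = 1 }
      END { exit (found ? 0 : 1) }
    ' "$file"; then
      printf '%s\n' "$file"
    fi
  done
}

# Constructed sample tree: the page's Secret manifest plus a Deployment stub.
make_sample_repo() {
  dir=$(mktemp -d)
  mkdir -p "$dir/k8s"
  cat > "$dir/k8s/secret.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
    name: demo-secret
stringData:
    magicWord: xyzzy
EOF
  cat > "$dir/k8s/deployment.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
    name: demo
EOF
  printf '%s\n' "$dir"
}

repo=$(make_sample_repo)
find_inline_secrets "$repo"   # prints <tmpdir>/k8s/secret.yaml
rm -rf "$repo"
```

Values under data: are flagged as well, because base64 is an encoding and not encryption.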

About the authors

John Arundel is an expert with 30 years of experience in the computer industry. He has written several books and works with many companies from different countries, advising them on cloud-native infrastructure and Kubernetes. In his spare time, he enjoys surfing, is a good pistol shooter, and plays the piano as an amateur. He lives in a fairytale cottage in Cornwall, England.

Justin Domingus is a systems administration engineer working in a DevOps environment with Kubernetes and cloud technologies. He enjoys spending time outdoors, drinking coffee, crabbing, and sitting at the computer. He lives in Seattle, Washington, with a wonderful cat and an even more wonderful wife and best friend, Adrienne.


Source: www.habr.com
