Kubernetes 1.14: overview of the main innovations


Tonight the next Kubernetes release, 1.14, will take place. In keeping with the tradition that has developed on our blog, we are talking about the key changes in the new version of this wonderful Open Source product.

The information used to prepare this material is taken from the Kubernetes enhancements tracking table, CHANGELOG-1.14 and the related issues, pull requests and Kubernetes Enhancement Proposals (KEP).

Let's start with an important introduction from SIG cluster-lifecycle: failover Kubernetes clusters (more precisely, self-hosted HA deployments) can now be created using the familiar (in the context of single-node clusters) kubeadm commands (init and join). In short, for this:

  • certificates used by the cluster are moved to secrets;
  • to make it possible to use an etcd cluster inside the K8s cluster (i.e. to get rid of the previously existing external dependency), etcd-operator is used;
  • the recommended settings for an external load balancer that provides a fault-tolerant configuration are documented (in the future it is planned to eliminate this dependency, but not at this stage).

Architecture of a Kubernetes HA cluster created with kubeadm

Details of the implementation can be found in the design proposal. This feature was long awaited: the alpha version was expected back in K8s 1.9, but it has only appeared now.

API

The apply command and declarative object management in general have moved from kubectl into the apiserver. The developers themselves briefly explain their decision by saying that kubectl apply is a fundamental part of working with configuration in Kubernetes, yet it is "full of bugs and hard to fix", and therefore this functionality needs to be brought back to normal and moved to the control plane. Simple and clear examples of the problems that exist today:


Details of the implementation are in the KEP. Current readiness is alpha (promotion to beta is planned for the next Kubernetes release).

Available in alpha is the ability to use the OpenAPI v3 schema to generate and publish OpenAPI documentation for CustomResources (CR), which is used to validate (server-side) user-defined K8s resources (CustomResourceDefinition, CRD). Publishing OpenAPI for CRDs allows clients (e.g. kubectl) to perform validation on their side (within kubectl create and kubectl apply) and to output documentation according to the schema (kubectl explain). Details are in the KEP.

Pre-existing logs are now opened with the O_APPEND flag (rather than O_TRUNC) to avoid losing logs in some situations and to make it convenient to truncate logs with external rotation utilities.
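The difference between the two flags, as an added Go example that is not taken from the Kubernetes code base: it replays a restart and an in-place truncation by an external rotation tool against a temporary file. The file names and log lines are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func size(f *os.File) int64 {
	st, err := f.Stat()
	check(err)
	return st.Size()
}

// logSizes reopens an existing log with openFlag (os.O_APPEND or os.O_TRUNC)
// and returns the file size after the restart and after an external rotation.
func logSizes(dir string, openFlag int) (restart, rotate int64) {
	path := filepath.Join(dir, fmt.Sprintf("app-%d.log", openFlag))
	// Constructed sample: 10 bytes logged before the process restarts.
	check(os.WriteFile(path, []byte("first run\n"), 0o640))
	// Restart: the existing log is reopened with the flag under test.
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|openFlag, 0o640)
	check(err)
	defer f.Close()
	_, err = f.WriteString("second run\n") // 11 bytes
	check(err)
	restart = size(f)
	// An external rotation utility truncates the live file in place.
	check(os.Truncate(path, 0))
	_, err = f.WriteString("after rotate\n") // 13 bytes
	check(err)
	return restart, size(f)
}

func main() {
	dir, err := os.MkdirTemp("", "k8s-log-demo")
	check(err)
	defer os.RemoveAll(dir)
	a1, a2 := logSizes(dir, os.O_APPEND)
	t1, t2 := logSizes(dir, os.O_TRUNC)
	fmt.Printf("O_APPEND: restart=%d rotate=%d\n", a1, a2)
	fmt.Printf("O_TRUNC:  restart=%d rotate=%d\n", t1, t2)
}
```

With O_TRUNC the first run's entries are gone after the restart, and the write after rotation lands at the old offset, leaving a run of NUL bytes at the start of the file. With O_APPEND the earlier entries survive the restart and the post-rotation write starts at the new end of file.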

Also in the context of the Kubernetes API, it can be noted that a runtime_handler field has been added to PodSandbox and PodSandboxStatus to record information about the RuntimeClass in the pod (read more about it in the text about the Kubernetes 1.12 release, where this class appeared as an alpha version), and Admission Webhooks gained the ability to specify which versions of AdmissionReview they support. Finally, the rules of Admission Webhooks can now be limited in the extent of their application to namespaces and cluster scope.

Storage

PersistentLocalVolumes, which had beta status since the K8s 1.10 release, has been declared stable (GA): this feature gate can no longer be disabled and will be removed in Kubernetes 1.17.

The ability to use environment variables from the so-called Downward API (for example, the pod name) for the names of directories mounted as subPath has been developed further, in the form of a new field, subPathExpr, which is now used to determine the desired directory name. The feature originally appeared in Kubernetes 1.11, but for 1.14 it remains in alpha status.

As in previous Kubernetes releases, many significant changes are being introduced for the actively developing CSI (Container Storage Interface):

CSI

Support for resizing CSI volumes has become available (as part of the alpha version). To use it you will need to enable the feature gate called ExpandCSIVolumes, and the specific CSI driver must support this operation.

Another CSI feature in alpha is the ability to refer directly (i.e. without using PV/PVC) to CSI volumes within the pod specification. This removes the restriction on using CSI exclusively as remote data storage, opening the door for it into the world of local ephemeral volumes. To use it (example from the documentation), the CSIInlineVolume feature gate must be enabled.

There has also been progress in the Kubernetes "internals" related to CSI, which are not so visible to end users (system administrators)... At present, developers are forced to support two versions of each storage plugin: one "the old way", inside the K8s codebase (in-tree), and the second as part of the new CSI (read more about it, for example, here). This causes understandable inconvenience that needs to be addressed as CSI itself stabilizes. It is not possible to simply deprecate the API of the internal (in-tree) plugins because of the relevant Kubernetes policy.

All this led to the alpha version of the process of migrating the internal plugin code, implemented in-tree, to CSI plugins. Thanks to it, developers' worries will be reduced to supporting one version of their plugins, while compatibility with the old APIs will remain and they can be declared deprecated in the usual way. It is expected that by the next Kubernetes release (1.15) all cloud provider plugins will be migrated, the implementation will receive beta status and will be activated in K8s installations by default. For details, see the design proposal. This migration also resulted in dropping the volume limits defined by specific cloud providers (AWS, Azure, GCE, Cinder).

In addition, support for block devices with CSI (CSIBlockVolume) has been moved to beta.

Nodes/Kubelet

The alpha version of a new endpoint in Kubelet has been introduced, designed to return metrics for the main resources. Generally speaking, whereas Kubelet previously received container usage statistics from cAdvisor, this data now comes from the container runtime via CRI (Container Runtime Interface), although compatibility with older versions of Docker is also preserved. Previously, statistics collected in Kubelet were served through a REST API; now the endpoint is located at /metrics/resource/v1alpha1. The developers' long-term strategy is to minimize the set of metrics provided by Kubelet. By the way, these metrics themselves are now called not "core metrics" but "resource metrics", and are described as "first-class resources, such as cpu, and memory".

A very interesting nuance: despite the clear performance advantage of a gRPC endpoint compared with the various cases of using the Prometheus format (see the result of one of the benchmarks below), the authors preferred the Prometheus text format because of the clear leadership of this monitoring system in the community.

"gRPC is not compatible with the major monitoring pipelines. The endpoint will only be useful for delivering metrics to Metrics Server or to monitoring components that integrate directly with it. The performance of the Prometheus text format when using caching in Metrics Server is good enough for us to prefer Prometheus over gRPC given the widespread adoption of Prometheus in the community. Once the OpenMetrics format becomes more stable, we will be able to approach gRPC performance with a proto-based format."

One of the comparative performance tests of the gRPC and Prometheus formats in the new Kubelet metrics endpoint. More graphs and other details can be found in the KEP.

Among other changes:

  • Kubelet now tries (once) to stop containers in an unknown state before restart and delete operations.
  • When using PodPresets, the same information is now added to the init container as to a regular container.
  • kubelet has started using usageNanoCores from the CRI stats provider, and network statistics have been added for nodes and containers on Windows.
  • Operating system and architecture information is now recorded in the kubernetes.io/os and kubernetes.io/arch labels of Node objects (moved from beta to GA).
  • The ability to specify a particular system user group for containers in a pod (RunAsGroup, which appeared in K8s 1.11) has advanced to beta (enabled by default).
  • du and find, used in cAdvisor, have been replaced with Go implementations.

CLI

A -k flag has been added to cli-runtime and kubectl for integration with kustomize (by the way, its development is now carried out in a separate repository), i.e. to process additional YAML files from special kustomization directories (for details on using them, see the KEP):

Example of simple use of a kustomization file (a more complex application of kustomize is possible within overlays)

In addition:

  • A new command, kubectl create cronjob, has been added; its name speaks for itself.
  • In kubectl logs you can now combine the flags -f (--follow, for streaming logs) and -l (--selector, for a label query).
  • kubectl has been taught to copy files selected by wildcard.
  • The --all flag has been added to the kubectl wait command to select all resources of the specified resource type in the namespace.

Other

The following features have received stable (GA) status:

Other changes introduced in Kubernetes 1.14:

  • The default RBAC policy no longer allows API access to discovery and access-review for unauthenticated users.
  • Official CoreDNS support is provided for Linux only, so when kubeadm is used to deploy it (CoreDNS) in a cluster, the nodes must run only on Linux (nodeSelectors are used for this restriction).
  • The default CoreDNS configuration now uses the forward plugin instead of proxy. Also, a readinessProbe has been added to CoreDNS, which prevents load balancing onto inappropriate (not ready to serve) pods.
  • In kubeadm, in the init or upload-certs phases, it has become possible to upload the certificates required to join a new control-plane to the kubeadm-certs secret (the --experimental-upload-certs flag is used).
  • An alpha version of gMSA (Group Managed Service Account) support has appeared for Windows installations: special accounts in Active Directory that can also be used by containers.
  • For GCE, mTLS encryption between etcd and kube-apiserver has been activated.
  • Updates to used/dependent software: Go 1.12.1, CSI 1.1, CoreDNS 1.3.1, Docker 18.09 support in kubeadm, and the minimum supported Docker API version is now 1.26.


Source: www.habr.com
