Holes in a Kubernetes cluster. Talk and transcript from DevOpsConf

Pavel Selivanov, Southbridge solutions architect and Slurm instructor, gave a talk at DevOpsConf 2019. This talk is part of one of the topics of the in-depth Kubernetes course "Slurm Mega".

Slurm Basic: an introduction to Kubernetes takes place in Moscow on November 18-20.
Slurm Mega: a look under the hood of Kubernetes - Moscow, November 22-24.
Slurm Online: all Kubernetes courses are available at any time.

Below the cut is the transcript of the talk.

Good afternoon, colleagues and those who sympathize with them. Today I'm going to talk about security.

I see that there are a lot of security people in the hall today. I apologize to you in advance if I use terms from the security world not quite the way you usually do.

It so happened that about six months ago I ran into a public Kubernetes cluster. Public means that there are n namespaces, and in those namespaces there are users, each isolated inside their own namespace. All of these users belong to different companies. Well, it was assumed that this cluster would be used as a CDN. That is, they give you the cluster, they give you a user in it, you go to your namespace and deploy your frontends.

My previous company tried to sell a service like this. And I was asked to poke at the cluster to see whether this solution was fit for purpose or not.

I came to this cluster. I was given limited rights and a limited namespace. The guys there understood what security is. They had read about Role-based access control (RBAC) in Kubernetes - and had twisted it so that I couldn't launch pods separately from deployments. I don't remember what problem I was trying to solve by launching a pod without a deployment, but I really wanted to launch just a pod. For luck, I decided to see what rights I had in the cluster, what I could do, what I couldn't, and what they had broken there. Along the way I'll tell you what they configured incorrectly in RBAC.

It turned out that within two minutes I had obtained admin to their cluster, looked into all the neighbouring namespaces, and saw there the running production frontends of companies that had already bought the service and deployed. I barely stopped myself from going to somebody's frontend and putting a swear word on the main page.

I'll tell you with examples how I did this and how to protect yourself from it.

But first let me introduce myself. My name is Pavel Selivanov. I'm an architect at Southbridge. I deal with Kubernetes, DevOps and all sorts of cool things. The Southbridge engineers and I build all of this, and I do consulting.

Besides our main activities, we recently launched projects called Slurms. We're trying to bring our ability to work with Kubernetes a little closer to the masses, to teach other people to work with K8s too.

What am I going to talk about today? The topic of the talk is obvious - the security of a Kubernetes cluster. But I want to say right away that this topic is very large - and so I want to make clear straight away what I won't be talking about. I'm not going to talk about the hackneyed terms that have already been used a hundred times on the Internet. All sorts of RBAC and certificates.

I'm going to talk about what hurts me and my colleagues about security in a Kubernetes cluster. We see these problems both among the providers who offer Kubernetes clusters and among the clients who come to us. And even among clients who come to us from other admin consulting companies. That is, the scale of the tragedy is actually very large.

There are literally three points I'm going to talk about today:

  1. User rights vs pod rights. User rights and pod rights are not the same thing.
  2. Collecting information about the cluster. I'll show that you can collect all the information you need from the cluster without having any special rights in that cluster.
  3. DoS attacks on the cluster. If we can't collect information, we'll at least be able to knock the cluster over. I'll talk about DoS attacks on the cluster's control-plane components.

One more general thing I'll mention: I tested all of this live, so I can say that all of it works.

We take as a basis a Kubernetes cluster installed using Kubespray. If anyone doesn't know it, it's just a set of Ansible roles. We use it all the time in our work. The good thing is that you can roll it out anywhere - onto bare metal or into a cloud somewhere. One installation method works, in principle, for everything.

In this cluster I'll have Kubernetes v1.14.5. The whole Cube cluster we're going to consider is divided into namespaces, every namespace belongs to a separate team, and the members of that team have access to their own namespace. They can't go into other namespaces, only into their own. But there is one admin account with rights to the whole cluster.


I promised that the first thing we'd do is get admin rights to the cluster. We need a specially prepared pod that breaks the Kubernetes cluster. All we have to do is apply it to the Kubernetes cluster.

kubectl apply -f pod.yaml

This pod will land on one of the masters of the Kubernetes cluster. And after that the cluster will happily hand us back a file called admin.conf. In the Cube, this file stores all the admin certificates and at the same time configures access to the cluster API. This is how easy it is, I think, to get admin access to 98% of Kubernetes clusters.

I repeat: this pod was made by a single developer in your cluster who is allowed to deploy his applications into one small namespace, everything clamped down by RBAC. He had no rights. But nevertheless the certificate was handed back.

And now about the specially prepared pod. We run it from any image. Let's take debian:jessie as an example.

We have this thing in it:

tolerations:
-   effect: NoSchedule 
    operator: Exists 
nodeSelector: 
    node-role.kubernetes.io/master: "" 

What are tolerations? The masters in a Kubernetes cluster are usually marked with a thing called a taint. And the essence of this "infection" is that it says pods cannot be assigned to master nodes. But nobody stops you from stating in any pod that it tolerates that "infection". The tolerations section simply says that if some node has NoSchedule, then our pod is tolerant of such an infection - and there are no problems.

Further, we say that our pod is not only tolerant but also wants to land on the master specifically. Because the masters have the tastiest thing we need - all the certificates. So we set nodeSelector - and there's a standard label on the masters which lets you pick, out of all the nodes in the cluster, exactly the nodes that are masters.

With these two sections the pod will definitely land on a master. And it'll be allowed to live there.

But merely landing on a master isn't enough for us. That gives us nothing. So we have these two things:

hostNetwork: true 
hostPID: true 

We specify that the pod we launch will live in the host's namespaces: the network namespace and the PID namespace. Once the pod has started on the master, it can see all the real, live interfaces of that node, listen to all the traffic and see the PIDs of all the processes.

After that it's a matter of small details. Take etcd and read whatever you like.

The most interesting thing is this Kubernetes feature, which is there by default.

volumeMounts:
- mountPath: /host 
  name: host 
volumes:
- hostPath: 
    path: / 
    type: Directory 
  name: host 

And its meaning is that we can state in the pod we launch, even without rights in this cluster, that we want to create a volume of type hostPath. That means taking a path from the host we are launching on - and taking it as a volume. And then we call it name: host. We mount this whole hostPath inside the pod. In this example, at the /host directory.

I'll repeat it once more. We told the pod to land on a master, take the hostNetwork and hostPID there - and mount the master's entire root inside this pod.

You understand that in Debian we have bash running, and this bash runs as root. That is, we've just obtained root on the master, without having any rights in the Kubernetes cluster.

After that the whole task is to go into the subdirectory /host/etc/kubernetes/pki, if I'm not mistaken, take all the cluster's certificates from there and, accordingly, become the cluster admin.

If you look at it this way, these are some of the dangerous privileges in pods - regardless of what rights the user has:

If I have the right to launch a pod in some namespace of the cluster, then that pod has these privileges by default. I can run privileged pods, and that is generally all the privileges there are, practically root on the node.

My favourite is the Root user. Kubernetes has this Run As Non-Root option. This is a kind of protection against a hacker. Do you know what the "Moldovan virus" is? If you suddenly turn out to be a hacker and have come to my Kubernetes cluster, then we, poor admins, ask you: "Please, in the pods with which you're going to hack my cluster, state that they run as non-root. Otherwise it'll turn out that you're running the process in your pod as root, and it'll be very easy for you to hack me. Please protect yourself from yourself."

A host path volume, in my view, is the fastest way to get the desired result from a Kubernetes cluster.

But what should be done about all this?

The thought that should occur to any normal admin who runs into Kubernetes is this: "Yeah, I told you, Kubernetes doesn't work. It's full of holes. And the whole Cube is bullshit." In fact, there is such a thing as documentation, and if you look there, there's a section called Pod Security Policy.

This is a yaml object - we can create it in the Kubernetes cluster - that controls the security-related settings in pod descriptions. That is, in effect it controls the right to use hostNetwork, hostPID and certain volume types that appear in pods at startup. With Pod Security Policy all of this can be described.

The most interesting thing about Pod Security Policy is that in the Kubernetes installers, PSPs are not merely left undescribed in any way, they're simply disabled by default. Pod Security Policy is enabled via an admission plugin.

OK, let's deploy Pod Security Policy to the cluster; say we have some service pods in a namespace that only admins have access to. Say that in all other cases pods have limited rights. Because most likely the developers don't need to run privileged pods in your cluster.

And everything seems fine with us. And our Kubernetes cluster can't be hacked in two minutes.

There's a problem. Most likely, if you have a Kubernetes cluster, then monitoring is installed on it. I'd even go so far as to predict that if your cluster has monitoring, it's called Prometheus.

What I'm about to tell you applies both to the Prometheus operator and to Prometheus delivered in its pure form. The question is that if I can't get admin on the cluster so quickly, then I need to look around more. And I can search with the help of your monitoring.

Probably everyone has read the same articles on Habr, and monitoring sits in the monitoring namespace. The Helm chart is called the same thing for everyone. My guess is that if you do helm install stable/prometheus, you'll end up with roughly the same names. And most likely I won't even have to guess the DNS name in your cluster. Because it's the standard one.


Next we have some dev namespace, in which you can run some pod. And from that pod it's very easy to do something like this:

$ curl http://prometheus-kube-state-metrics.monitoring 

prometheus-kube-state-metrics is one of the Prometheus exporters; it collects metrics from the Kubernetes API itself. There's a lot of data there: what's running in your cluster, what it is, what problems you have with it.

As a simple example:

kube_pod_container_info{namespace="kube-system",pod="kube-apiserver-k8s-1",container="kube-apiserver",image="gcr.io/google-containers/kube-apiserver:v1.14.5",image_id="docker-pullable://gcr.io/google-containers/kube-apiserver@sha256:e29561119a52adad9edc72bfe0e7fcab308501313b09bf99df4a9638ee634989",container_id="docker://7cbe7b1fea33f811fdd8f7e0e079191110268f2853397d7daf08e72c22d3cf8b"} 1

By making a trivial curl request from an unprivileged pod, you can get the following information. If you don't know which version of Kubernetes you're running, it'll happily tell you.

And the most interesting thing is that besides getting at kube-state-metrics, you can just as easily reach Prometheus itself directly. You can collect metrics from it. You can even build metrics from there. Even in theory, you can build such a query against the cluster in Prometheus that it simply switches Prometheus off. And your monitoring stops working from the cluster altogether.

And here the question arises of whether any external monitoring is watching your monitoring. I've just gained the ability to operate in a Kubernetes cluster without any consequences for myself. You won't even know I'm working there, since there's no monitoring any more.

Just as with PSP, it looks as though the problem is that all these fancy technologies - Kubernetes, Prometheus - just don't work and are full of holes. Not really.

There's such a thing as Network Policy.

If you're a normal admin, then most likely what you know about Network Policy is that it's just another yaml, of which there are already plenty in the cluster. And some Network Policies aren't needed. And even if you've read what Network Policy is, that it's the yaml firewall of Kubernetes, that it lets you restrict access between namespaces and between pods, then you surely decided that a firewall in yaml format in Kubernetes is built on the following abstractions ... No, no. That's definitely not needed.

Even if you haven't told your security specialists that with your Kubernetes you can build a very easy and simple firewall, and a very granular one at that. If they don't know this yet and aren't pestering you: "Well, give it to me, give it to me ..." Then in any case you need Network Policy to block access to some service locations that can be pulled out of your cluster without any authorization.

As in the example I gave, you can pull kube state metrics from any namespace in the Kubernetes cluster without having the rights to do so. Network policies have closed access from all the other namespaces to the monitoring namespace and that's it: no access, no problems. In all the charts that exist, both the standard Prometheus and the Prometheus that comes with the operator, there's simply an option in the helm values to just enable network policies for them. You only need to turn it on and they'll work.
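As an added example (not from the talk and not the Helm charts' own templates), here is what "close the monitoring namespace to all other namespaces" looks like written by hand. The namespace name monitoring follows the talk; the dev namespace and the label name=ingress-nginx on the ingress controller's namespace are assumptions (on v1.14 namespaces carry no automatic name label, so you label the namespace yourself).

```yaml
# Added example: default-deny ingress for "monitoring", then two exceptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: monitoring
spec:
  podSelector: {}           # selects every pod in the namespace ...
  policyTypes:
  - Ingress                 # ... and with no ingress rules, nothing is let in
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-monitoring-internal
  namespace: monitoring
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  # Prometheus may still scrape kube-state-metrics and the other exporters:
  # they all live in the same namespace.
  - from:
    - podSelector: {}
  # The Prometheus UI stays reachable, but only through the ingress controller.
  - from:
    - namespaceSelector:
        matchLabels:
          name: ingress-nginx   # assumed label on the ingress controller's namespace
    ports:
    - protocol: TCP
      port: 9090
```

Policies are additive, so the rule-less deny policy and the allow policy combine into "deny everything except these two sources". Egress from the monitoring namespace is untouched, so Prometheus keeps scraping application pods elsewhere. To verify the effect, repeat the talk's request from the dev namespace: `kubectl -n dev run probe --rm -it --restart=Never --image=curlimages/curl -- curl -m 5 http://prometheus-kube-state-metrics.monitoring/metrics` should now time out (curl exit code 28) where before it returned the metrics. If it still succeeds, the CNI is not enforcing policies at all, which is the flannel situation the talk goes on to describe.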

There's exactly one problem here. Being a normal bearded admin, you most likely decided that network policies aren't needed. And after reading all sorts of articles on resources like Habr, you decided that flannel, especially in host-gateway mode, is the best thing you could choose.

What should you do?

You can try to redeploy the network solution you have in the Kubernetes cluster, try to replace it with something more functional. The same Calico, for example. But I want to say right away that the task of changing the network solution in a working Kubernetes cluster is far from trivial. I solved it twice (both times, admittedly, in theory), but we've even shown how to do it at Slurms. For our students we showed how to change the network solution in a Kubernetes cluster. In principle, you can try to make sure there's no downtime on the production cluster. But you might not succeed.

And the problem is actually solved very simply. There are certificates in the cluster, and you know that your certificates will expire in a year. Well, and usually the normal solution with certificates in the cluster is: why bother, we'll bring up a new cluster next to it, let the old one rot, and redeploy everything. True, when it rots we'll have to sit for a day, but here's a new cluster.

When you bring up the new cluster, put Calico in instead of flannel at the same time.

What should you do if your certificates are issued for a hundred years and you're not going to redeploy the cluster? There's such a thing as Kube-RBAC-Proxy. It's a very cool development that lets you embed it as a sidecar container in any pod in the Kubernetes cluster. And it adds authorization to that pod through Kubernetes' own RBAC.

There's one problem. Previously this Kube-RBAC-Proxy solution was built into the Prometheus operator. But then it was removed. Current versions rely on you having network policies and closing things off with them. And so the chart will have to be rewritten a bit. In fact, if you go to this repository, there are examples of how to use it as a sidecar, and the charts will have to be rewritten a little.
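An added example of the sidecar approach, written by me rather than taken from the talk or from the kube-rbac-proxy repository: kube-state-metrics bound to loopback, with kube-rbac-proxy in front of it, so that a caller needs a service-account token that RBAC allows to GET /metrics. Assumed: the namespace monitoring, a Prometheus ServiceAccount named prometheus, VERSION placeholders for the image tags, and that the kube-state-metrics ServiceAccount keeps the read-only ClusterRole the chart already gives it.

```yaml
# Added example: kube-state-metrics behind a kube-rbac-proxy sidecar.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kube-state-metrics
  namespace: monitoring
spec:
  replicas: 1
  selector:
    matchLabels: {app: kube-state-metrics}
  template:
    metadata:
      labels: {app: kube-state-metrics}
    spec:
      serviceAccountName: kube-state-metrics
      containers:
      - name: kube-state-metrics
        image: quay.io/coreos/kube-state-metrics:VERSION   # placeholder tag
        args:
        - --host=127.0.0.1      # loopback only: reachable solely through the proxy
        - --port=8080
      - name: kube-rbac-proxy
        image: quay.io/brancz/kube-rbac-proxy:VERSION       # placeholder tag
        args:
        - --secure-listen-address=0.0.0.0:8443
        - --upstream=http://127.0.0.1:8080/
        - --logtostderr=true
        ports:
        - name: https
          containerPort: 8443
        securityContext:
          runAsUser: 65534
          runAsNonRoot: true
---
apiVersion: v1
kind: Service
metadata:
  name: prometheus-kube-state-metrics   # same DNS name the talk's curl used
  namespace: monitoring
spec:
  selector: {app: kube-state-metrics}
  ports:
  - name: https
    port: 8443                 # plain 8080 is no longer exposed at all
    targetPort: https
---
# The proxy must be able to ask the API server "whose token is this"
# (TokenReview) and "may this subject GET /metrics" (SubjectAccessReview).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-rbac-proxy
rules:
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
  resources: ["subjectaccessreviews"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-rbac-proxy-kube-state-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-rbac-proxy
subjects:
- kind: ServiceAccount
  name: kube-state-metrics
  namespace: monitoring
---
# Only subjects bound to this role get metrics; a random pod in "dev" is not.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-reader
rules:
- nonResourceURLs: ["/metrics"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus-metrics-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metrics-reader
subjects:
- kind: ServiceAccount
  name: prometheus      # assumed name of the Prometheus ServiceAccount
  namespace: monitoring
```

This is the part of "rewriting the chart a little" that the talk mentions: the Prometheus scrape job for this target has to switch to `scheme: https`, present its own token with `bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token`, and either trust the proxy's self-signed certificate (`tls_config: {insecure_skip_verify: true}`) or give the proxy a real one via `--tls-cert-file` and `--tls-private-key-file`. With this in place the talk's anonymous curl gets 401, and a pod whose service account is not bound to metrics-reader gets 403, whichever CNI the cluster runs, which is why it suits a cluster stuck on flannel.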

There's one more small problem. Prometheus isn't the only thing that gives its metrics to anyone who asks. All the components of our Kubernetes cluster can also return their metrics.

But as I said, if you can't get into the cluster and collect information, then you can at least do damage.

So I'll quickly show two ways a Kubernetes cluster can be ruined.

You'll laugh when I tell you this, but these are two real-life cases.

Method one. Resource depletion.

Let's launch another special pod. It'll have a section like this.

resources: 
    requests: 
        cpu: 4 
        memory: 4Gi 

As you know, requests are the amount of CPU and memory that is reserved on the host for the specific pods that declare requests. If we have a four-core host in the Kubernetes cluster, and pods whose requests add up to four CPUs arrive on it, that means no more pods with requests will be able to land on that host.

If I launch such a pod, then I run the command:

$ kubectl scale special-pod --replicas=...

Then nobody else will be able to deploy to the Kubernetes cluster. Because all the nodes will run out of requests. And so I'll stop your Kubernetes cluster. If I do this in the evening, I can stop deployments for quite a long time.

If we look at the Kubernetes documentation again, we'll see this thing called Limit Range. It sets the resources for cluster objects. You can write a Limit Range object in yaml and apply it to certain namespaces - and then in that namespace you can say that you have default, maximum and minimum resources for pods.

With the help of such a thing we can restrict the users in specific product-team namespaces in their ability to specify all sorts of nasty things on their pods. But unfortunately, even if you tell the user that they can't run pods with requests of more than one CPU, there's the wonderful scale command, or they can scale through the dashboard.

And this is where method number two comes from. We launch 11 billion pods. That's eleven billion. This isn't because I came up with such a number, but because I saw it myself.

A real story. Late in the evening I was about to leave the office. I see a group of developers sitting in the corner, frantically doing something on their laptops. I go over to the guys and ask: "What happened to you?"

A little earlier, around nine in the evening, one of the developers had been getting ready to go home. And he thought: "I'll scale my application down to one." He pressed one, but the Internet lagged a little. He pressed one again, pressed one again and pressed Enter. He did everything he could. Then the Internet came back to life - and everything started scaling to this number.

True, this story didn't happen on Kubernetes; at the time it was Nomad. It ended with the fact that after an hour of our attempts to stop Nomad from its persistent attempts to scale, Nomad replied that it would not stop scaling and would do nothing else. "I'm tired, I'm leaving." And it curled up.

Naturally, I tried to do the same on Kubernetes. Kubernetes wasn't happy with eleven billion pods; it said: "I can't. That exceeds the internal caps." But 1 billion pods it could.

In response to a billion, the Cube didn't withdraw into itself. It really did start scaling. The further the process went, the more time it took to create new pods. But the process went on all the same. The only problem is that if I can launch pods in my namespace without limit, then even without requests and limits I can launch so many pods with some tasks that, with the help of those tasks, the nodes start to pile up in memory and CPU. When I launch that many pods, the information from them has to go into storage, i.e. etcd. And when too much information arrives there, storage starts responding more and more slowly - and Kubernetes starts to go dumb.

And one more problem... As you know, the Kubernetes control plane isn't a single central thing, but several components. In particular, there's the controller manager, the scheduler, and so on. All these guys will start doing useless, stupid work at the same time, which over time takes longer and longer. The controller manager will create new pods. The scheduler will try to find a new node for them. You'll most likely run out of new nodes in your cluster fairly soon. The Kubernetes cluster will start working slower and slower.

But I decided to go further. As you know, in Kubernetes there's such a thing as a service. Well, by default in your clusters, as a rule, a service works using iptables.

If you run a billion pods, for example, and then use a script to force Kubernetes to create new services:

for i in {1..1111111}; do
    kubectl expose deployment test --port 80 \
        --overrides="{\"apiVersion\": \"v1\", \"metadata\": {\"name\": \"nginx$i\"}}"
done

On all the cluster's nodes, more and more new iptables rules will be generated, nearly identical ones. Moreover, a billion iptables rules will be generated for every service.

I tested this at several thousand, up to ten thousand. And the problem is that already at this threshold it's quite problematic to ssh to a node. Because packets passing through so many chains start to feel not very well.

And this, too, is all solved with the help of Kubernetes. There's such a thing as a Resource quota object. It sets the amount of resources and the number of objects available to a namespace in the cluster. We can create such a yaml object in every namespace of the Kubernetes cluster. Using this object, we can say that this namespace has a certain amount of requests and limits allocated, and then we can say that in this namespace it's possible to create 10 services and 10 pods. And a single developer can at least go and strangle himself in the evening. Kubernetes will tell him: "You can't scale your pods to that number, because the resources exceed the quota." That's it, problem solved. The documentation is here.

Another problem arises at this point. You can feel how hard it has become to create a namespace in Kubernetes. To create one, we have to take a pile of things into account.

Resource quota + Limit Range + RBAC
• Create the namespace
• Create a limitrange inside it
• Create a resourcequota inside it
• Create a serviceaccount for CI
• Create rolebindings for CI and the users
• Optionally launch the required service pods
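As an added example (not from the talk and not the author's production files), the list above as a single manifest that can be applied in one go, which also serves as the concrete form of the Limit Range and Resource quota objects discussed in the two methods above. The namespace team-dev, the service account ci, the group team-dev and every number except the talk's 10 pods / 10 services are my assumptions.

```yaml
# Added example: one team namespace with LimitRange, ResourceQuota and RBAC.
apiVersion: v1
kind: Namespace
metadata:
  name: team-dev
---
# Defaults and ceilings per container. The defaults matter: a quota on
# requests.cpu makes the API server reject any pod that declares no
# requests.cpu, so without defaultRequest plain pods would stop working.
apiVersion: v1
kind: LimitRange
metadata:
  name: limits
  namespace: team-dev
spec:
  limits:
  - type: Container
    defaultRequest:
      cpu: 100m
      memory: 128Mi
    default:
      cpu: 500m
      memory: 512Mi
    max:
      cpu: "1"            # no single container may ask for more than one CPU
      memory: 2Gi
    min:
      cpu: 10m
      memory: 16Mi
---
# The namespace-wide ceiling. This is what stops an over-enthusiastic
# "scale --replicas=..." and the services loop, whatever the per-pod numbers.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: quota
  namespace: team-dev
spec:
  hard:
    pods: "10"            # the talk's example numbers
    services: "10"
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci
  namespace: team-dev
---
# Namespaced rights only: the built-in "edit" ClusterRole, bound with a
# RoleBinding, applies inside team-dev and nowhere else.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-dev-edit
  namespace: team-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- kind: ServiceAccount
  name: ci
  namespace: team-dev
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: team-dev          # assumed group name from the cluster's authenticator
```

After `kubectl apply -f` the current usage is visible with `kubectl -n team-dev describe resourcequota quota`. A `kubectl -n team-dev scale deployment test --replicas=1111111` is still accepted, because it only edits the Deployment object, but the ReplicaSet controller's pod creations beyond the tenth fail with "exceeded quota" events (`kubectl -n team-dev get events`), and the pod count stays at 10. Quota is per namespace, so it does nothing against a subject who can create namespaces; that right belongs with the one admin account from the cluster description.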

So I'd like to take this opportunity to share what I've been working on. There's such a thing as the operator SDK. It's a way for a Kubernetes cluster to have its own operators written for it. You can write operators using Ansible.

At first it was written in Ansible, and then I saw that there was an operator SDK and rewrote the Ansible role into an operator. This operator lets you create an object in the Kubernetes cluster called a team. Inside the team object, it lets you describe the team's environment in yaml. And within that environment it lets us state how many resources we're allocating.

A small thing that makes this whole complex structure simpler.

And in conclusion. What to do about all this?
First. Pod Security Policy is good. And despite the fact that none of the Kubernetes installers use them to this day, you still need to use them in your clusters.

Network Policy is not just another unneeded thing. This is what's needed most in the cluster.

LimitRange/ResourceQuota - it's time to use them. We started using them a long time ago, and for a long time I was sure that everybody was using them. It turned out that this is rare.

Beyond what I said during the talk, there are undocumented things that let you attack a cluster. A detailed audit of Kubernetes vulnerabilities was published recently.

Some things are sad and painful. For example, under certain conditions, the kubelets in a Kubernetes cluster can hand over the contents of the warlocks directory to an unauthorized user.

Here are instructions on how to reproduce everything I told you about. There are files with production examples of what ResourceQuota and Pod Security Policy look like. And you can try all of this yourself.

Thanks, everyone.

Source: www.habr.com
