Molo emva kwemini, ndifuna ukwabelana nani ngamava am ekusetheni nasekusebenziseni inkonzo ye-AWS EKS (Elastic Kubernetes Service) kwizikhongozeli zeWindows, okanye endaweni yoko malunga nokungenzeki kokuyisebenzisa, kunye nebug efunyenwe kwisingxobo senkqubo ye-AWS, kwabo abanomdla kule nkonzo yezikhongozeli zeWindows, nceda phantsi kwekati.
Ndiyazi ukuba izikhongozeli zeWindows ayisosihloko esidumileyo, kwaye bambalwa abantu abazisebenzisayo, kodwa ndigqibe kwelokuba ndilibhale eli nqaku, kuba bekukho amanqaku ambalwa kuHabré kwi-kubernetes kunye neWindows kwaye kusekho abantu abanjalo.
Ukuqala
Yonke yaqala xa kwagqitywa ukufuduka iinkonzo kwinkampani yethu kubernetes, eyi-70% yeWindows kunye ne-30% yeLinux. Ngenxa yale njongo, inkonzo yelifu ye-AWS EKS yayithathwa njengenye yeendlela ezinokuthi zikhethwe. Ukuza kuthi ga nge-8 ka-Okthobha ka-2019, i-AWS EKS yeWindows yayikuMbonakalo kaWonke-wonke, ndiqale ngayo, inguqulelo endala ye-1.11 ye-kubernetes yayisetyenziswa apho, kodwa ndaye ndagqiba kwelokuba ndiyijonge kwaye ndibone ukuba le nkonzo yelifu yayikweliphi na inqanaba, nokuba yayisebenza. kukho konke, njengoko kwavela, akukho, kwakukho i-bug kunye nokongezwa kokususa iipod, ngelixa abadala bayeka ukuphendula nge-ip yangaphakathi ukusuka kwi-subnet efanayo kunye ne-node yomsebenzi weefestile.
Ke ngoko, kuye kwagqitywa ekubeni sikuyeke ukusetyenziswa kwe-AWS EKS ngokuthanda iqela lethu kwi-kubernetes kwi-EC2 enye, kuphela kuya kufuneka sichaze konke ukulinganisa kunye ne-HA ngokwethu nge-CloudFormation.
Inkxaso ye-Amazon EKS yeWindows Container ngoku Ifumaneka ngokubanzi
nguMartin Beeby | nge-08 OCT 2019
Ngaphambi kokuba ndibe nexesha lokongeza ithemplate kwi-CloudFormation yeqela lam, ndibone ezi ndaba
Ewe kunjalo, ndibeke wonke umsebenzi wam ecaleni kwaye ndaqala ukufunda into abayenzela i-GA, kunye nendlela yonke into etshintshile ngayo ngokuHlolwa koLuntu. Ewe, i-AWS, yenziwe kakuhle, ihlaziywe imifanekiso yeefestile i-node yabasebenzi kwinguqulo ye-1.14, kunye neqela ngokwalo, inguqulo ye-1.14 kwi-EKS, ngoku ixhasa ii-node zefestile. Iprojekthi ngokujongwa kwangaphambili koLuntu ku Bayigqumile kwaye bathi ngoku sebenzisa amaxwebhu asemthethweni apha:
Ukudibanisa iqela le-EKS kwi-VPC yangoku kunye ne-subnets
Kuyo yonke imithombo, kwikhonkco elingasentla kwisibhengezo kunye nakumaxwebhu, kwacetywa ukuba kusetyenziswe iqela ngokusebenzisa usetyenziso lwe-eksctl lobunikazi okanye nge-CloudFormation + kubectl emva, kusetyenziswa kuphela ii-subnets zikawonkewonke e-Amazon, kunye nokudala yahlula iVPC yeqela elitsha.
Olu khetho alufanelekanga kwabaninzi; okokuqala, iVPC eyahlukileyo ithetha iindleko ezongezelelweyo ngeendleko zayo + ukujonga i-traffic kwiVPC yakho yangoku. Yintoni ekufuneka abo sele beneziseko esele zilungiselelwe kwi-AWS kunye neeakhawunti zabo ezininzi ze-AWS, i-VPC, ii-subnets, iitafile zendlela, isango lokuhamba njalo njalo? Ngokuqinisekileyo, awufuni ukuphula okanye ukwenza kwakhona konke oku, kwaye kufuneka udibanise iqela elitsha le-EKS kwisiseko sothungelwano lwangoku, usebenzisa iVPC ekhoyo kwaye, ngokuhlukana, kuninzi udale i-subnets entsha yeqela.
Kwimeko yam, le ndlela ikhethiwe, ndasebenzisa i-VPC ekhoyo, ndongeza kuphela i-2 subnets yoluntu kunye ne-2 subnets yangasese yeqela elitsha, ngokuqinisekileyo, yonke imigaqo ithathelwe ingqalelo ngokuhambelana namaxwebhu. .
Kwakukho nomqathango omnye: akukho ndawo zabasebenzi kwii-subnets zikawonkewonke zisebenzisa i-EIP.
eksctl vs CloudFormation
Ndiza kwenza ugcino ngoko nangoko ukuba ndizame zombini iindlela zokusebenzisa iqela, kuzo zombini iimeko umfanekiso wawufana.
Ndiza kubonisa umzekelo kuphela usebenzisa i-eksctl kuba ikhowudi apha izakuba mfutshane. Ukusebenzisa i-eksctl, sebenzisa i-cluster ngamanyathelo ama-3:
1. Senza i-cluster ngokwayo + i-Linux worker node, eya kuthi kamva ibambe izikhongozeli zenkqubo kunye nomlawuli ofanayo we-vpc-fated.
eksctl create cluster
--name yyy
--region www
--version 1.14
--vpc-private-subnets=subnet-xxxxx,subnet-xxxxx
--vpc-public-subnets=subnet-xxxxx,subnet-xxxxx
--asg-access
--nodegroup-name linux-workers
--node-type t3.small
--node-volume-size 20
--ssh-public-key wwwwwwww
--nodes 1
--nodes-min 1
--nodes-max 2
--node-ami auto
--node-private-networkingUkuze kusiwe kwi VPC esele ikhona, khankanya nje i id ye subnets zakho, kwaye eksctl iyakumisela iVPC ngokwayo.
Ukuqinisekisa ukuba iindawo zakho zabasebenzi zisasazwa kuphela kwi-subnet yangasese, kufuneka ucacise --i-node-yabucala-networking ye-nodegroup.
2. Sifaka i-vpc-controller kwi-cluster yethu, eya kuthi emva koko iqhubekise i-nodes yethu yabasebenzi, ibala inani leedilesi ze-IP zamahhala, kunye nenani le-ENIs kumzekelo, ukongeza nokususa.
eksctl utils install-vpc-controllers --name yyy --approve3.Emva kokuba izikhongozeli zakho zenkqubo zisungulwe ngempumelelo kwinode yakho yabasebenzi beLinux, kubandakanya nomlawuli we-vpc, okuseleyo kukudala elinye iqela elineefestile zabasebenzi.
eksctl create nodegroup
--region www
--cluster yyy
--version 1.14
--name windows-workers
--node-type t3.small
--ssh-public-key wwwwwwwwww
--nodes 1
--nodes-min 1
--nodes-max 2
--node-ami-family WindowsServer2019CoreContainer
--node-ami ami-0573336fc96252d05
--node-private-networkingEmva kokuba i-node yakho iqhagamshelwe ngempumelelo kwiqela lakho kwaye yonke into ibonakala ilungile, ikwimeko eLungileyo, kodwa hayi.
Impazamo kwi-vpc-controller
Ukuba sizama ukuqhuba iipod kwi-node yabasebenzi windows, siya kufumana impazamo:
NetworkPlugin cni failed to teardown pod "windows-server-iis-7dcfc7c79b-4z4v7_default" network: failed to parse Kubernetes args: pod does not have label vpc.amazonaws.com/PrivateIPv4Address]Ukuba sijonga nzulu, sibona ukuba umzekelo wethu kwi-AWS ujongeka ngolu hlobo:
Kwaye kuya kuba njalo:
Kule nto kucacile ukuba i-vpc-controller ayizange izalise inxalenye yayo ngesizathu esithile kwaye ayikwazi ukongeza iidilesi ze-IP ezintsha kumzekelo ukwenzela ukuba iipods zikwazi ukuzisebenzisa.
Makhe sijonge iilogi ze-vpc-controller pod kwaye yile nto siyibonayo:
kubectl log -n kube-inkqubo
I1011 06:32:03.910140 1 watcher.go:178] Node watcher processing node ip-10-xxx.ap-xxx.compute.internal.
I1011 06:32:03.910162 1 manager.go:109] Node manager adding node ip-10-xxx.ap-xxx.compute.internal with instanceID i-088xxxxx.
I1011 06:32:03.915238 1 watcher.go:238] Node watcher processing update on node ip-10-xxx.ap-xxx.compute.internal.
E1011 06:32:08.200423 1 manager.go:126] Node manager failed to get resource vpc.amazonaws.com/CIDRBlock pool on node ip-10-xxx.ap-xxx.compute.internal: failed to find the route table for subnet subnet-0xxxx
E1011 06:32:08.201211 1 watcher.go:183] Node watcher failed to add node ip-10-xxx.ap-xxx.compute.internal: failed to find the route table for subnet subnet-0xxx
I1011 06:32:08.201229 1 watcher.go:259] Node watcher adding key ip-10-xxx.ap-xxx.compute.internal (0): failed to find the route table for subnet subnet-0xxxx
I1011 06:32:08.201302 1 manager.go:173] Node manager updating node ip-10-xxx.ap-xxx.compute.internal.
E1011 06:32:08.201313 1 watcher.go:242] Node watcher failed to update node ip-10-xxx.ap-xxx.compute.internal: node manager: failed to find node ip-10-xxx.ap-xxx.compute.internal.Ukukhangela kuGoogle akuzange kukhokelele kuyo nantoni na, kuba ngokucacileyo akukho mntu wayeyibambile i-bug okwangoku, okanye engakhange athumele umba kuyo, kuye kwafuneka ndicinge ngokukhetha mna kuqala. Into yokuqala eyafika engqondweni kukuba mhlawumbi i-vpc-controller ayikwazi ukusombulula ip-10-xxx.ap-xxx.compute.internal kwaye ifike kuyo kwaye ngenxa yoko iimpazamo zenzeka.
Ewe, ngokwenene, sisebenzisa iiseva ze-DNS zesiko kwi-VPC kwaye, ngokomgaqo, asizisebenzisi i-Amazon, ngoko ke ukuthunyelwa akuzange kulungiselelwe le domain ap-xxx.compute.internal. Ndivavanye olu khetho, kwaye aluzange luzise iziphumo, mhlawumbi uvavanyo aluzange luhlambuluke, kwaye ngoko ke, ngokuqhubekayo, xa ndinxibelelana nenkxaso yobugcisa, ndanikezela kwingcamango yabo.
Ekubeni bekungekho naziphi na iingcamango, onke amaqela okhuseleko adalwe yi-eksctl ngokwayo, ngoko kwakungekho mathandabuzo malunga nokusebenza kwabo, iitafile zendlela zazichanekile, i-nat, i-dns, ukufikelela kwi-Intanethi kunye neendawo zabasebenzi zazikhona.
Ngaphezu koko, ukuba uhambisa i-node yomsebenzi kwi-subnet yoluntu ngaphandle kokusebenzisa i-node-private-networking, le node yahlaziywa ngokukhawuleza ngumlawuli we-vpc kwaye yonke into yasebenza njengewotshi.
Kwakukho iinketho ezimbini:
- Yinike kwaye ulinde de umntu achaze le bug kwi-AWS kwaye ayilungise, kwaye emva koko ungasebenzisa ngokukhuselekileyo i-AWS EKS Windows, kuba ikhutshwe nje kwi-GA (iintsuku ezi-8 zidlulile ngexesha lokubhala eli nqaku), abaninzi baya kuthi mhlawumbi landela indlela efanayo nam .
- Bhala kwi-AWS Inkxaso kwaye ubaxelele undoqo wengxaki kunye neqela lonke leenkuni ezivela kuyo yonke indawo kwaye ubonise ukuba inkonzo yabo ayisebenzi xa usebenzisa i-VPC yakho kunye ne-subnets, akusiyo into yokuba sinenkxaso yoShishino, kufuneka usebenzise. nokuba kube kanye :)
Unxibelelwano neenjineli ze-AWS
Emva kokuba ndenze itikiti kwi-portal, ngempazamo ndakhetha ukundiphendula nge-Web-imeyile okanye iziko lenkxaso, ngolu khetho banokukuphendula emva kweentsuku ezimbalwa konke konke, ngaphandle kokuba itikiti lam linoBungqongqo-Inkqubo yonakele kwakuthetha impendulo ngaphakathi <iiyure ze-12, kwaye ekubeni isicwangciso senkxaso yoShishino sinenkxaso ye-24/7, ndathemba okulungileyo, kodwa kwavela njengesiqhelo.
Itikiti lam lishiywe linganikezelwanga ukusuka ngoLwesihlanu kude kube ngoMvulo, emva koko ndagqiba ekubeni ndibabhalele kwakhona kwaye ndakhetha ukhetho lwempendulo yeNgxoxo. Emva kokulinda ixesha elifutshane, uHarshad Madhav wonyulwa ukuba andibone, kwaye emva koko waqala...
Sayilungisa ngayo i-intanethi ngeeyure ze-3 ngokulandelelana, sihambisa iingodo, sihambisa iqela elifanayo kwilabhoratri ye-AWS ukulinganisa ingxaki, ukudala kwakhona iqela kum, njalo njalo, into kuphela esize kuyo kukuba iinkuni kwacaca ukuba i-resol ayisebenzi i-AWS amagama e-domain yangaphakathi, endibhale ngayo ngasentla, kwaye u-Harshad Madhav wandicela ukuba ndidale ukuhanjiswa, kuthiwa sisebenzisa i-DNS yesiko kwaye oku kunokuba yingxaki.
Ukuhambisa phambili
ap-xxx.compute.internal -> 10.x.x.2 (VPC CIDRBlock)
amazonaws.com -> 10.x.x.2 (VPC CIDRBlock)Nantso into eyenziwayo, usuku luphelile. UHarshad Madhav ubhale kwakhona ukuba ayijonge kwaye kufanele isebenze, kodwa hayi, isisombululo asizange sincede kwaphela.
Kwaye kwabakho unxibelelwano kunye neenjineli ezi-2 ezingakumbi, omnye wayeka engxoxweni, ngokucacileyo wayesoyika imeko entsonkothileyo, owesibini wachitha usuku lwam kwakhona kumjikelo opheleleyo wokulungisa iimpazamo, ukuthumela izingodo, ukudala amaqela kumacala omabini, Ukugqiba wathetha kakuhle, iyasebenza kum, apha ndilapha ndenza yonke into inyathelo ngenyathelo kuxwebhu olusemthethweni kwaye wena kwaye uya kuphumelela.
Ndamcela ngokuzithoba ukuba ahambe kwaye abele omnye umntu kwitikiti lam ukuba awuyazi ukuba ungayijonga phi ingxaki.
Gqibela
Ngosuku lwesithathu, injineli entsha u-Arun B. wabelwa kum, kwaye ukususela ekuqaleni kokunxibelelana naye kwacaca ngokukhawuleza ukuba le yayingeyiyo iinjineli ezi-3 zangaphambili. Wafunda yonke imbali kwaye wacela ngokukhawuleza ukuba aqokelele iingodo usebenzisa iskripthi sakhe kwi-ps1, eyayikwi-github yakhe. Oku kwalandelwa kwakhona ngazo zonke ii-iterations zokudala amaqela, iziphumo zomyalelo okhuphayo, ukuqokelela izingodo, kodwa u-Arun B. wayehamba ngendlela efanelekileyo egweba ngemibuzo endibuzwe yona.
Sifike nini kwinqanaba lokuvumela -stderrthreshold=debug kwi-vpc-controller yabo, kwaye kwenzeka ntoni emva koko? ngokuqinisekileyo ayisebenzi) i-pod ayiqalisi ngolu khetho, kuphela -stderrthreshold=info iyasebenza.
Sigqibile apha kwaye u-Arun B. uthe uya kuzama ukuvelisa amanyathelo am ukuze afumane impazamo efanayo. Ngosuku olulandelayo ndifumana impendulo evela ku-Arun B. akazange alilahle eli tyala, kodwa wathabatha ikhowudi yokuhlaziya i-vpc-controller yabo kwaye wafumana indawo apho kwaye kutheni ingasebenzi:
Ngaloo ndlela, ukuba usebenzisa itafile yendlela engundoqo kwiVPC yakho, ngoko ngokungagqibekanga ayinanxulumano kunye neendawo ezincinci eziyimfuneko, eziyimfuneko kakhulu kumlawuli we-vpc, kwimeko ye-subnet yoluntu, inetafile yendlela yesiko. leyo inombutho.
Ngokongeza ngesandla imibutho yetafile yendlela ephambili kunye nee-subnets eziyimfuneko, kunye nokudala kwakhona i-nodegroup, yonke into isebenza ngokugqibeleleyo.
Ndiyathemba ukuba uArun B. uya kuyixela ngokwenene le bug kubaphuhlisi be-EKS kwaye siza kubona inguqulelo entsha ye-vpc-controller apho yonke into iya kusebenza ngaphandle kwebhokisi. Okwangoku inguqulelo yamva nje yile: 602401143452.dkr.ecr.ap-southeast-1.amazonaws.com/eks/vpc-resource-controller:0.2.1
unale ngxaki.
Ndiyabulela kuye wonke umntu ofunde de kube sekupheleni, vavanya yonke into oza kuyisebenzisa kwimveliso ngaphambi kokuphunyezwa.
umthombo: www.habr.com