Molweni nonke! Igama lam ngu-Oleg Sidorenkov, ndisebenza kwi-DomClick njengentloko yeqela leziseko. Sisebenzise i-Kubik kwimveliso iminyaka engaphezu kwemithathu, kwaye ngeli xesha siye safumana amaxesha amaninzi anomdla kunye nayo. Namhlanje ndiza kukuxelela ukuba, ngendlela efanelekileyo, unokucudisa ukusebenza ngakumbi kwi-vanilla Kubernetes yeqela lakho. Ulungele ukuhamba!
Nonke niyazi kakuhle ukuba i-Kubernetes yinkqubo yomthombo ovulekileyo ovulekileyo we-orchestration yesikhongozeli; kuhle, okanye i-5 yokubini esebenza ngomlingo ngokulawula umjikelo wobomi bemicroservices zakho kwindawo yomncedisi. Ukongeza, sisixhobo esibhetyebhetye esinokuthi sidityaniswe njengeLego ukwenza ngokwezifiso ubuninzi bemisebenzi eyahlukeneyo.
Kwaye yonke into ibonakala ilungile: phosa iiseva kwiqela njengeenkuni kwibhokisi yomlilo, kwaye awuyi kuyazi nayiphi na intlungu. Kodwa ukuba ukwimekobume, uya kucinga oku: βNdinokuwugcina njani umlilo uvutha ndize ndilisindise ihlathi?β Ngamanye amazwi, indlela yokufumana iindlela zokuphucula iziseko zophuhliso kunye nokunciphisa iindleko.
1. Beka iliso kwiqela kunye nezixhobo zokusebenza
Enye yezona ndlela zixhaphakileyo, kodwa iindlela ezisebenzayo kukungeniswa kwezicelo/imida. Yahlula izicelo ngezithuba zamagama, kunye nezithuba zamagama ngamaqela ophuhliso. Ngaphambi kokuthunyelwa, seta amaxabiso esicelo okusetyenziswa kwexesha leprosesa, inkumbulo kunye nokugcinwa kwe-ephemeral.
resources:
requests:
memory: 2Gi
cpu: 250m
limits:
memory: 4Gi
cpu: 500mNgokusebenzisa amava, sifikelele kwisigqibo: akufanele unyuse izicelo ezivela kwimida ngokuphindwe kabini. Umthamo weqela ubalwa ngokusekelwe kwizicelo, kwaye ukuba unika izicelo umehluko kwizibonelelo, umzekelo, amaxesha angama-5-10, ngoko cinga ukuba kuya kwenzeka ntoni kwi-node yakho xa izaliswe ngeepods kwaye ngokukhawuleza ifumana umthwalo. Akukho nto ilungileyo. Ubuncinci, ukubetha, kwaye ubuninzi, uya kuthi ndlela-ntle kumsebenzi kwaye ufumane umthwalo we-cyclic kwiindawo ezisele emva kokuba iipods ziqala ukuhamba.
Ukongeza, ngoncedo limitranges Ekuqaleni, unokuseta amaxabiso esixhobo kwisikhongozeli - ubuncinci, ubuninzi kunye nokungagqibekanga:
β ~ kubectl describe limitranges --namespace ops
Name: limit-range
Namespace: ops
Type Resource Min Max Default Request Default Limit Max Limit/Request Ratio
---- -------- --- --- --------------- ------------- -----------------------
Container cpu 50m 10 100m 100m 2
Container ephemeral-storage 12Mi 8Gi 128Mi 4Gi -
Container memory 64Mi 40Gi 128Mi 128Mi 2Ungalibali ukunciphisa izibonelelo zeendawo zamagama ukuze iqela elinye lingakwazi ukuthatha zonke izixhobo zeqela:
β ~ kubectl describe resourcequotas --namespace ops
Name: resource-quota
Namespace: ops
Resource Used Hard
-------- ---- ----
limits.cpu 77250m 80
limits.memory 124814367488 150Gi
pods 31 45
requests.cpu 53850m 80
requests.memory 75613234944 150Gi
services 26 50
services.loadbalancers 0 0
services.nodeports 0 0Njengoko kunokubonwa kwinkcazo resourcequotas, ukuba iqela le-ops lifuna ukubeka iipods eziya kutya enye i-10 cpu, umcwangcisi akayi kuvumela oku kwaye uzakuphosa impazamo:
Error creating: pods "nginx-proxy-9967d8d78-nh4fs" is forbidden: exceeded quota: resource-quota, requested: limits.cpu=5,requests.cpu=5, used: limits.cpu=77250m,requests.cpu=53850m, limited: limits.cpu=10,requests.cpu=10Ukusombulula ingxaki enjalo, ungabhala isixhobo, umzekelo, njengaye , ikwazi ukugcina kwaye ibophelele imeko yezixhobo zomyalelo.
2. Khetha owona gcino lwefayile
Apha ndingathanda ukuchukumisa isihloko semithamo eqhubekayo kunye ne-disk subsystem ye-Kubernetes worker nodes. Ndiyathemba ukuba akukho mntu usebenzisa "Cube" kwi-HDD kwimveliso, kodwa ngamanye amaxesha i-SSD eqhelekileyo ayisekho ngokwaneleyo. Sidibene nengxaki apho iilog bezibulala idiski ngenxa yemisebenzi ye-I/O, kwaye akukho zisombululo zininzi:
-
Sebenzisa ii-SSD ezisebenza kakhulu okanye utshintshele kwi-NVMe (ukuba ulawula i-hardware yakho).
-
Nciphisa inqanaba lokugawulwa kwemithi.
-
Yenza "i-smart" yokulinganisa iipod ezidlwengula idiski (
podAntiAffinity).
Ikhusi elingasentla libonisa okwenzekayo phantsi kwe nginx-ingress-controller kwidiski xa ukufikelela_logs ukuloga kwenziwe (~12 amawaka logs/sec). Le meko, ngokuqinisekileyo, inokukhokelela ekuthotyweni kwazo zonke izicelo kule node.
Ngokuphathelele i-PV, yeha, andizange ndizame yonke into Imiqulu Ezingisayo. Sebenzisa olona khetho lufanelekileyo olukufanelayo. Ngokomlando, kuye kwenzeka kwilizwe lethu ukuba inxalenye encinci yeenkonzo ifuna umthamo we-RWX, kwaye ixesha elidlulileyo baqala ukusebenzisa i-NFS yokugcina lo msebenzi. Ixabiso eliphantsi kwaye ... ngokwaneleyo. Ewe kunjalo, mna naye satya i-shit - usikelelwe, kodwa sifunde ukuyicoca, kwaye intloko yam ayisabuhlungu. Kwaye ukuba kunokwenzeka, yiya kwindawo yokugcina into ye-S3.
3. Qokelela imifanekiso ephuculweyo
Kungcono ukusebenzisa imifanekiso elungiselelwe isikhongozeli ukuze uKubernetes akwazi ukuyilanda ngokukhawuleza kwaye ayenze ngokufanelekileyo.
Ukulungiswa kuthetha ukuba imifanekiso:
-
ziqulathe isicelo esinye okanye yenza umsebenzi omnye kuphela;
-
incinci ngobukhulu, kuba imifanekiso emikhulu idluliselwa ngokubi ngakumbi kwinethiwekhi;
-
ube neziphelo zempilo kunye nokulungela ezivumela uKubernetes ukuba athathe inyathelo xa kwenzeka ixesha lokuphumla;
-
sebenzisa iisistim zokusebenza ezisebenzisekayo (ezifana neAlpine okanye iCoreOS), ezixhathisa ngakumbi kwiimpazamo zoqwalaselo;
-
sebenzisa ulwakhiwo lwezigaba ezininzi ukuze ukwazi ukubeka kuphela izicelo ezihlanganisiweyo hayi imithombo ekhaphayo.
Zininzi izixhobo kunye neenkonzo ezikuvumela ukuba ujonge kwaye ulungise imifanekiso ngokubhabha. Kubalulekile ukuzigcina zisexesheni kwaye zivavanyelwe ukhuseleko. Ngenxa yoko ufumana:
-
Umthwalo wenethiwekhi ocuthiweyo kwiqela lonke.
-
Ukunciphisa ixesha lokuqalisa isikhongozeli.
-
Ubungakanani obuncinci berejista yakho yonke yeDocker.
4. Sebenzisa i-DNS cache
Ukuba sithetha ngemithwalo ephezulu, ke ubomi buhle ngaphandle kokulungisa inkqubo yeDNS yeqela. Kudala, abaphuhlisi beKubernetes baxhasa isisombululo sabo se-kube-dns. Kwakhona kwaphunyezwa apha, kodwa le software ayizange ilungiswe ngokukodwa kwaye ayizange ivelise ukusebenza okufunekayo, nangona yayibonakala ingumsebenzi olula. Emva koko kwavela i-coredns, esayitshintshela kuyo kwaye singenalusizi; kamva yaba yinkonzo ye-DNS engagqibekanga kwii-K8s. Ngexesha elithile, sikhule saya kwi-40 lamawaka e-rps kwinkqubo ye-DNS, kwaye esi sisombululo siye sanganelanga. Kodwa, ngethamsanqa, i-Nodelocaldns yaphuma, i-aka node cache yendawo, aka .
Kutheni sisebenzisa oku? Kukho i-bug kwi-Linux kernel ethi, xa iifowuni ezininzi ngokudibana kwe-NAT nge-UDP, zikhokelela kwimeko yogqatso lwamangenelo kwiitafile ze-contrack, kwaye inxalenye yetrafikhi nge-NAT ilahleka (uhambo ngalunye ngeNkonzo yi-NAT). I-Nodelocaldns isombulula le ngxaki ngokususa i-NAT kunye nokuphucula uxhulumaniso kwi-TCP ukuya phezulu kwe-DNS, kunye ne-caching yendawo yemibuzo ye-DNS ephezulu (kuquka i-cache emfutshane ye-5-yesibini engalunganga).
5. Ukulinganisa iipods ngokuthe tye kwaye ngokuthe nkqo ngokuzenzekelayo
Ngaba ungatsho ngokuzithemba ukuba zonke ii-microservices zakho zilungele ukunyuka kabini ukuya kathathu komthwalo? Indlela yokwaba ngokufanelekileyo izixhobo kwizicelo zakho? Ukugcina iipod ezimbalwa ezisebenza ngaphaya komthwalo womsebenzi kunokuba yimfuneko, kodwa ukuzigcina ngasemva kuqhuba umngcipheko wexesha lokuphumla ukusuka ekunyukeni ngequbuliso kwi-traffic ukuya kwinkonzo. Iinkonzo ezifana ΠΈ .
VPA ikuvumela ukuba unyuse ngokuzenzekelayo izicelo/imida yezikhongozeli zakho kwipod ngokuxhomekeke kusetyenziso lokwenyani. Inokuba luncedo njani? Ukuba unee-pods ezingenakulinganiswa ngokuthe tye ngesizathu esithile (esingathembekanga ngokupheleleyo), ngoko ungazama ukunika utshintsho kwimithombo yayo kwi-VPA. Uphawu lwayo yinkqubo yengcebiso esekwe kwimbali kunye nedatha yangoku evela kwi-metric-server, ke ukuba awufuni kuzitshintsha ngokuzenzekelayo izicelo / imida, unokujonga ngokulula izixhobo ezicetyiswayo kwizikhongozeli zakho kwaye ukwandise useto ukugcina i-CPU kunye inkumbulo kwiqela.
Umfanekiso uthathwe https://levelup.gitconnected.com/kubernetes-autoscaling-101-cluster-autoscaler-horizontal-pod-autoscaler-and-vertical-pod-2a441d9ad231
Umcwangcisi eKubernetes uhlala esekelwe kwizicelo. Naliphi na ixabiso olibekayo apho, umcwangcisi uya kukhangela indawo efanelekileyo esekelwe kuyo. Amaxabiso emida ayafuneka ukuze i-cubelet iqonde ukuba ithini ukuginya okanye ukuyibulala ipod. Kwaye ekubeni ipharamitha ebalulekileyo kuphela lixabiso lezicelo, iVPA iya kusebenza nayo. Nanini na xa usikala isicelo ngokuthe nkqo, uchaza ukuba kufuneka zibe yintoni na izicelo. Kuya kwenzeka ntoni kwimida ngoko? Le parameter nayo iyakulinganiswa ngokomlinganiselo.
Umzekelo, nantsi imimiselo yepod eqhelekileyo:
resources:
requests:
memory: 250Mi
cpu: 200m
limits:
memory: 500Mi
cpu: 350mInjini yokucebisa imisela ukuba isicelo sakho sifuna i-300m CPU kunye ne-500Mi ukuze isebenze ngokufanelekileyo. Uya kufumana ezi setingi zilandelayo:
resources:
requests:
memory: 500Mi
cpu: 300m
limits:
memory: 1000Mi
cpu: 525mNjengoko kukhankanyiwe ngasentla, oku kukulinganisa ngokulinganayo okusekwe kwizicelo/kwimida yomlinganiselo kumboniso:
-
CPU: 200m β 300m: umlinganiselo 1:1.75;
-
Imemori: 250Mi β 500Mi: umlinganiselo 1:2.
Ngokuphathelele HPA, ngoko indlela yokusebenza ibonakala ngokucacileyo. Iimetriki ezifana ne-CPU kunye nememori zivaliwe, kwaye ukuba i-avareji yazo zonke ii-replicas idlula umqobo, isicelo silinganiswa nge-+1 sub de ixabiso liwela ngaphantsi komqobo okanye de kufike inani eliphezulu le-replicas.
Umfanekiso uthathwe https://levelup.gitconnected.com/kubernetes-autoscaling-101-cluster-autoscaler-horizontal-pod-autoscaler-and-vertical-pod-2a441d9ad231
Ukongeza kwiimethrikhi eziqhelekileyo ezifana ne-CPU kunye nememori, unokuseta imida kwiimetrikhi zakho zesiko kwi-Prometheus kwaye usebenze nazo ukuba ucinga ukuba lolona phawu luchanekileyo lwexesha lokulinganisa isicelo sakho. Nje ukuba isicelo sizinzile ngaphantsi komqobo we-metric ochaziweyo, i-HPA iya kuqalisa ukukala i-pods ukuya kutsho kwinani elincinane leekopi okanye de umthwalo udibane nomda ochaziweyo.
6. Musa ukulibala malunga Node Affinity kunye Pod Affinity
Ayizizo zonke ii-nodes ezisebenza kwi-hardware efanayo, kwaye ayizizo zonke iipods ezifuna ukuqhuba usetyenziso olunzima. I-Kubernetes ikuvumela ukuba usete ubungcali beendawo kunye neepods usebenzisa Node Affinity ΠΈ Pod Affinity.
Ukuba unama-nodes afanelekileyo kwimisebenzi enzima kakhulu, ngoko ke ekusebenzeni okuphezulu kungcono ukubopha izicelo kwiindawo ezihambelanayo. Ukwenza oku sebenzisa nodeSelector ngeleyibhile ye-node.
Masithi uneendawo ezimbini: enye ene CPUType=HIGHFREQ kunye nenani elikhulu cores fast, enye nge MemoryType=HIGHMEMORY inkumbulo ngakumbi kunye nokusebenza ngokukhawuleza. Eyona ndlela ilula kukwabela usasazo kwindawo ethile HIGHFREQngokongeza kwicandelo spec lo mkhethi:
β¦
nodeSelector:
CPUType: HIGHFREQIndlela ebiza kakhulu kwaye ecacileyo yokwenza oku kukusebenzisa nodeAffinity ebaleni affinity razdela spec. Kukho iinketho ezimbini:
-
requiredDuringSchedulingIgnoredDuringExecution: isicwangciso esinzima (umcwangcisi uya kuhambisa iipods kuphela kwiindawo ezithile (kwaye akukho nanye indawo)); -
preferredDuringSchedulingIgnoredDuringExecution: isicwangciso esithambileyo (umcwangcisi uya kuzama ukuhambisa kwiindawo ezithile, kwaye ukuba oko kuyasilela, iya kuzama ukuhambisa kwindawo elandelayo ekhoyo).
Ungakhankanya i-syntax ethile yokulawula iilebhile ze-node, njenge In, NotIn, Exists, DoesNotExist, Gt okanye Lt. Nangona kunjalo, khumbula ukuba iindlela ezintsonkothileyo kuluhlu olude lweelebhile ziya kucothisa ukwenziwa kwezigqibo kwiimeko ezinzima. Ngamanye amazwi, yigcine ilula.
Njengoko kukhankanyiwe ngasentla, i-Kubernetes ikuvumela ukuba usete ubudlelwane beepods zangoku. Oko kukuthi, unokuqinisekisa ukuba ii-pods ezithile zisebenza kunye nezinye ii-pods kwindawo yokufumaneka efanayo (efanelekileyo kumafu) okanye iindawo zokuhlala.
Π podAffinity amasimi affinity razdela spec iindawo ezifanayo ziyafumaneka njengoko kwimeko nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution ΠΈ preferredDuringSchedulingIgnoredDuringExecution. Umahluko kuphela kukuba matchExpressions izakubophelela iipods kwindawo esele iqhuba ipod enaloo lebhile.
I-Kubernetes ikwabonelela ngentsimi podAntiAffinity, leyo, ngokuchaseneyo, ayibopheleli i-pod kwi-node kunye neepods ezithile.
Malunga namabinzana nodeAffinity Ingcebiso efanayo inokunikwa: zama ukugcina imithetho elula kunye nengqiqo, ungazami ukulayisha ngokugqithiseleyo inkcazo ye-pod kunye nesethi yemithetho enzima. Kulula kakhulu ukwenza umgaqo ongayi kuhambelana neemeko zeqela, ukudala umthwalo ongeyomfuneko kumcwangcisi kunye nokunciphisa ukusebenza ngokubanzi.
7. IiTaints & Tolerances
Kukho enye indlela yokulawula umcwangcisi. Ukuba uneqela elikhulu elinamakhulu ama-nodes kunye namawaka e-microservices, ngoko kunzima kakhulu ukuba ungavumeli iipods ezithile ukuba zibanjwe kwiindawo ezithile.
Indlela yokungcola-imithetho evimbelayo-inceda kule nto. Umzekelo, kwiimeko ezithile unokuthintela iinodi ezithile ekusebenziseni iipod. Ukufaka i-taint kwindawo ethile kufuneka usebenzise ukhetho taint kwi kubectl. Chaza isitshixo kunye nexabiso kwaye emva koko ucofe njenge NoSchedule okanye NoExecute:
$ kubectl taint nodes node10 node-role.kubernetes.io/ingress=true:NoScheduleKuyafaneleka ukuba uqaphele ukuba indlela ye-taint ixhasa iziphumo ezintathu eziphambili: NoSchedule, NoExecute ΠΈ PreferNoSchedule.
-
NoSchedulekuthetha ukuba okwangoku akusayi kubakho lungeniso luhambelanayo kwiinkcukacha zepodtolerations, ayizukwazi ukubekwa kwindawo (kulo mzekelonode10). -
PreferNoSchedule- inguqulelo eyenziwe lulaNoSchedule. Kulo mzekelo, umcwangcisi uya kuzama ukungaziniki iipod ezingenalo ungeno oluhambelanayotolerationsnge node nganye, kodwa oku ayisosithintelo esinzima. Ukuba akukho zixhobo kwiqela, ke iipods ziya kuqalisa ukuthunyelwa kule node. -
NoExecute- esi siphumo sibangela ukukhutshwa ngokukhawuleza kweepods ezingenalo ukungena okuhambelanayotolerations.
Okubangela umdla kukuba, le ndlela yokuziphatha inokurhoxiswa kusetyenziswa indlela yokunyamezela. Oku kulungele xa kukho i-node "engavumelekanga" kwaye kufuneka ubeke kuphela iinkonzo zeziseko ezingundoqo kuyo. Yenziwa njani? Vumela kuphela ezo pods apho kukho ukunyamezela okufanelekileyo.
Nantsi indlela inkcazo yepod enokuthi ijongeke ngayo:
spec:
tolerations:
- key: "node-role.kubernetes.io/ingress"
operator: "Equal"
value: "true"
effect: "NoSchedule"Oku akuthethi ukuba i-redeploy elandelayo iya kuwela kule node ethile, oku akusiyo i-Node Affinity mechanism kunye nodeSelector. Kodwa ngokudibanisa izinto ezininzi, unokufezekisa useto lomcwangcisi obhetyebhetye.
8. Cwangcisa iPod Deployment Priority
Ngenxa yokuba uneepods ezinikezelwe kwiinodi akuthethi ukuba zonke iipods kufuneka ziphathwe ngokubaluleka okufanayo. Umzekelo, unokufuna ukubeka ezinye iipod phambi kwabanye.
I-Kubernetes inikezela ngeendlela ezahlukeneyo zokucwangcisa iPod Priority and Preemption. Useto luqulathe amacandelo amaninzi: into PriorityClass kunye neenkcazo zentsimi priorityClassName kwiinkcukacha zepod. Makhe sijonge umzekelo:
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: high-priority
value: 99999
globalDefault: false
description: "This priority class should be used for very important pods only"Siyadala PriorityClass, yinike igama, inkcazo kunye nexabiso. Ephezulu value, kokukhona eyona nto iphambili iphezulu. Ixabiso linokuba yiyo nayiphi na i-32-bit integer ngaphantsi okanye ilingane ne-1. Ukufuduswa kuya kwenzeka kuphela ukuba i-pod-priority pod ayinayo indawo yokujika, ngoko ke ezinye iipod ezivela kwi-node ethile ziya kukhutshwa. Ukuba lomatshini uqinile kakhulu kuwe, ungadibanisa ukhetho preemptionPolicy: Never, kwaye ke akuyi kubakho preemption, i-pod iyakuma kuqala kumgca kwaye ilinde umcwangcisi ukuba afumane izixhobo zamahhala kuyo.
Emva koko, sakha ipod apho sibonisa khona igama priorityClassName:
apiVersion: v1
kind: Pod
metadata:
name: static-web
labels:
role: myrole
spec:
containers:
- name: web
image: nginx
ports:
- name: web
containerPort: 80
protocol: TCP
priorityClassName: high-priority
Unokwenza iiklasi ezininzi eziphambili njengoko uthanda, nangona kucetyiswa ukuba ungaqhubeki nale nto (yithi, zinciphise kwindawo ephantsi, ephakathi kunye nephezulu).
Ngaloo ndlela, ukuba kuyimfuneko, unokwandisa ukusebenza kakuhle kokuthunyelwa kweenkonzo ezibalulekileyo ezifana ne-nginx-ingress-controller, coredns, njl.
9. Ukwandisa iklasta ye-ETCD
I-ETCD inokubizwa ngokuba yingqondo yeqela lonke. Kubaluleke kakhulu ukugcina ukusebenza kwale database kwinqanaba eliphezulu, ekubeni isantya sokusebenza kwiCube sixhomekeke kuyo. Umgangatho ofanelekileyo, kwaye kwangaxeshanye, isisombululo esihle siya kuba kukugcina iqela le-ETCD kwii-master nodes ukuze ube nokulibaziseka okuncinci kwi-kube-apiserver. Ukuba awukwazi ukwenza oku, ke beka i-ETCD ngokusondeleyo, kunye ne-bandwidth elungileyo phakathi kwabathathi-nxaxheba. Kwakhona qaphela ukuba zingaphi ii-nodes ezivela kwi-ETCD ezinokuwa ngaphandle kokulimala kwiqela
Gcina ukhumbule ukuba ukunyusa ngokugqithisileyo inani lamalungu kwi-cluster kunokunyusa ukunyamezela kweempazamo kwindleko yokusebenza, yonke into kufuneka ibe yimodareyitha.
Ukuba sithetha ngokuseta inkonzo, kukho iingcebiso ezimbalwa:
-
Yiba nehardware elungileyo, esekwe kubungakanani beqela (unokufunda ).
-
Tweak iiparamitha ezimbalwa ukuba uthe wasasaza iqela phakathi kweqela le DCs okanye umsebenzi womnatha wakho kunye neediski zishiya okuninzi okufunwayo (unokufunda ).
isiphelo
Eli nqaku lichaza iingongoma iqela lethu elizama ukuzithobela. Oku akuyonkcazo yenyathelo ngenyathelo lezenzo, kodwa iinketho ezinokuba luncedo ekulungiseleleni umphezulu weqela. Kucacile ukuba iqela ngalinye lihlukile ngendlela yalo, kwaye izisombululo zoqwalaselo zinokwahluka kakhulu, ngoko kuya kuba nomdla ukufumana ingxelo yakho malunga nendlela obeka iliso ngayo iqoqo lakho leKubernetes kunye nendlela ophucula ngayo ukusebenza kwayo. Yabelana ngamava akho kumazwana, kuya kuba mnandi ukwazi.
umthombo: www.habr.com