Kubernetes 1.14: overview of the main new features


The next Kubernetes release, 1.14, takes place tonight. Following the tradition that has developed on our blog, we cover the key changes in the new version of this wonderful Open Source product.

The information used to prepare this material was taken from the Kubernetes enhancements tracking tables, CHANGELOG-1.14 and the related issues, pull requests and Kubernetes Enhancement Proposals (KEP).

Let's start with an important introduction from SIG cluster-lifecycle: dynamic failover Kubernetes clusters (or, more precisely, self-hosted HA deployments) can now be created using the familiar (in the context of single-node clusters) kubeadm commands (init and join). In short, for this:

  • the certificates used by the cluster are moved into secrets;
  • to make it possible to run the etcd cluster inside the K8s cluster (i.e. to remove the external dependency that existed until now), etcd-operator is used;
  • the recommended settings for an external load balancer that provides a fault-tolerant configuration are documented (in the future it is planned to eliminate this dependency, but not at this stage).

Architecture of a Kubernetes HA cluster created with kubeadm

Implementation details can be found in the design proposal. This feature was long awaited: the alpha version was expected back in K8s 1.9, but it has appeared only now.

API

The apply command and, generally speaking, declarative object management have moved from kubectl to the apiserver. The developers themselves briefly explain their decision by saying that kubectl apply is a fundamental part of working with configuration in Kubernetes, yet it is "full of bugs and hard to fix", and therefore this functionality needs to be brought back to normal and moved to the control plane. Simple and clear examples of the problems that exist today:


Details of the implementation are in the KEP. Current readiness is alpha (promotion to beta is planned for the next Kubernetes release).

Available in alpha is the ability to use an OpenAPI v3 schema to create and publish OpenAPI documentation for CustomResources (CR), which is used to validate (on the server side) user-defined K8s resources (CustomResourceDefinition, CRD). Publishing OpenAPI for CRDs allows clients (e.g. kubectl) to perform validation on their side (within kubectl create and kubectl apply) and to produce documentation from the schema (kubectl explain). Details are in the KEP.

Pre-existing logs are now opened with the O_APPEND flag (rather than O_TRUNC) to avoid losing logs in some situations and to make it convenient to truncate logs with external rotation utilities.
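
What the flag changes across a restart and an in-place truncation by a rotation tool, as an added Go example that is not from the original article or from the Kubernetes code base (the file name and record strings are constructed):

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// logAcrossRestartAndRotation simulates a component restart followed by an
// external in-place truncation of the live log. It returns the file contents
// right after the open and after the post-rotation write.
func logAcrossRestartAndRotation(flags int) (afterOpen, afterRotate string, err error) {
	dir, err := os.MkdirTemp("", "logdemo")
	if err != nil {
		return "", "", err
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "component.log") // constructed name
	// A log left behind by the previous run of the component.
	if err = os.WriteFile(path, []byte("old-run\n"), 0o600); err != nil {
		return "", "", err
	}
	f, err := os.OpenFile(path, os.O_WRONLY|flags, 0o600)
	if err != nil {
		return "", "", err
	}
	defer f.Close()
	b, _ := os.ReadFile(path)
	afterOpen = string(b) // empty if the open itself discarded the old log
	if _, err = f.WriteString("new-run-record\n"); err != nil {
		return "", "", err
	}
	// The rotation tool has copied the file away and now truncates it in place.
	if err = os.Truncate(path, 0); err != nil {
		return "", "", err
	}
	// O_APPEND writes at the new end of file; otherwise the descriptor keeps
	// its old offset and the gap before it reads back as NUL bytes.
	if _, err = f.WriteString("after-rotate\n"); err != nil {
		return "", "", err
	}
	b, err = os.ReadFile(path)
	return afterOpen, string(b), err
}

func main() {
	for _, flags := range []int{os.O_APPEND, os.O_TRUNC} {
		open, rot, err := logAcrossRestartAndRotation(flags)
		fmt.Printf("flags=%#x afterOpen=%q afterRotate=%q err=%v\n", flags, open, rot, err)
	}
}
```

With O_TRUNC the previous run's log is gone as soon as the file is opened, and the truncated file regrows to its old size with a NUL-filled hole in front of the next record.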

Also in the context of the Kubernetes API, it is worth noting that a runtime_handler field has been added to PodSandbox and PodSandboxStatus to record information about the RuntimeClass in the pod (read more about it in the text on the Kubernetes 1.12 release, where this class appeared as an alpha version), and that Admission Webhooks gained the ability to declare which versions of AdmissionReview they support. Finally, the scope of Admission Webhooks rules can now be limited to namespaces and to the cluster scope.

Storage

PersistentLocalVolumes, which had beta status since the K8s 1.10 release, has been declared stable (GA): this feature gate can no longer be disabled and will be removed in Kubernetes 1.17.

The ability to use environment variables from the so-called Downward API (for example, the pod name) in the names of directories mounted as subPath has been developed further, in the form of a new field, subPathExpr, which is now used to determine the desired directory name. The feature first appeared in Kubernetes 1.11, but in 1.14 it remained in alpha status.

As in the previous Kubernetes release, many significant changes are introduced for the actively developing CSI (Container Storage Interface):

CSI

Support for resizing CSI volumes has become available (as part of an alpha version). To use it, you need to enable the feature gate called ExpandCSIVolumes, and the specific CSI driver must support this operation.

Another CSI feature in alpha is the ability to refer directly (i.e. without using PV/PVC) to CSI volumes within the pod specification. This removes the restriction on using CSI exclusively as remote data storage, opening the door for them to the world of local ephemeral volumes. To use it (example from the documentation), the CSIInlineVolume feature gate must be enabled.

There has also been progress in the Kubernetes "internals" related to CSI, which are not so visible to end users (system administrators) ... Currently, developers are forced to support two versions of each storage plugin: one the "old way", inside the K8s codebase (in-tree), and the second as part of the new CSI (read more about it, for example, here). This causes understandable inconvenience that needs to be addressed as CSI itself stabilizes. It is not possible to simply deprecate the API of the internal (in-tree) plugins because of the relevant Kubernetes policy.

All this has led to an alpha version of the process for migrating the code of internal plugins, implemented as in-tree, to CSI plugins. Thanks to it, developers' concerns will be reduced to supporting one version of their plugins, while compatibility with the old APIs will remain and they can be declared deprecated in the usual way. It is expected that by the next Kubernetes release (1.15) all cloud provider plugins will be migrated, the implementation will receive beta status and will be enabled in K8s installations by default. For details, see the design proposal. This migration also resulted in dropping the volume limits defined by specific cloud providers (AWS, Azure, GCE, Cinder).

In addition, support for block devices with CSI (CSIBlockVolume) has been moved to beta.

Nodes/Kubelet

An alpha version of a new endpoint in Kubelet has been introduced, designed to return metrics on primary resources. Generally speaking, whereas previously Kubelet obtained container usage statistics from cAdvisor, this data now comes from the container runtime via CRI (Container Runtime Interface), but compatibility with older versions of Docker is also preserved. Previously, the statistics collected in Kubelet were served through the REST API, but now the endpoint located at /metrics/resource/v1alpha1 is used. The developers' long-term strategy is to minimize the set of metrics provided by Kubelet. By the way, these metrics themselves are now called not "core metrics" but "resource metrics", and are described as "first-class resources, such as cpu, and memory".

A very interesting nuance: despite the clear performance advantage of a gRPC endpoint compared with the various cases of using the Prometheus format (see the result of one of the benchmarks below), the authors preferred the Prometheus text format because of the clear leadership of this monitoring system in the community.

"gRPC is not compatible with the major monitoring pipelines. The endpoint will only be useful for delivering metrics to Metrics Server or to monitoring components that integrate directly with it. The performance of the Prometheus text format when using caching in Metrics Server is good enough for us to prefer Prometheus over gRPC given the widespread adoption of Prometheus in the community. Once the OpenMetrics format becomes more stable, we will be able to approach gRPC performance with a proto-based format."

One of the comparative performance tests of the gRPC and Prometheus formats in the new Kubelet metrics endpoint. More graphs and other details can be found in the KEP.

Among other changes:

  • Kubelet now tries (once) to stop containers in an unknown state before restart and delete operations.
  • When using PodPresets, the same information is now added to the init container as to a regular container.
  • kubelet started using usageNanoCores from the CRI stats provider, and network statistics have been added for nodes and containers on Windows.
  • Information about the operating system and architecture is now recorded in the kubernetes.io/os and kubernetes.io/arch labels of Node objects (moved from beta to GA).
  • The ability to specify a particular system user group for containers in a pod (RunAsGroup, which appeared in K8s 1.11) has advanced to beta (enabled by default).
  • du and find, used in cAdvisor, have been replaced with Go implementations.

CLI

In cli-runtime and kubectl, a -k flag has been added for integration with kustomize (by the way, its development is now carried out in a separate repository), i.e. to process additional YAML files from special kustomization directories (for details on using them, see the KEP):

An example of simple usage of a kustomization file (more complex use of kustomize is possible within overlays)

In addition:

  • A new kubectl create cronjob command has been added, whose name speaks for itself.
  • In kubectl logs, you can now combine the -f flag (--follow for streaming logs) and -l (--selector for a label query).
  • kubectl has been taught to copy files selected with a wildcard.
  • The --all flag has been added to the kubectl wait command to select all resources in the namespace of the specified resource type.

Other

The following features have received stable (GA) status:

Other changes introduced in Kubernetes 1.14:

  • The default RBAC policy no longer allows access to the discovery and access-review APIs for unauthenticated users.
  • Official CoreDNS support is ensured for Linux only, so when using kubeadm to deploy it (CoreDNS) in a cluster, the nodes must run only on Linux (nodeSelectors are used for this restriction).
  • The default CoreDNS configuration now uses the forward plugin instead of proxy. Also, a readinessProbe has been added to CoreDNS, which prevents load balancing onto inappropriate (not ready to serve) pods.
  • In kubeadm, in the init or upload-certs phases, it has become possible to upload the certificates required to join a new control-plane to the kubeadm-certs secret (the --experimental-upload-certs flag is used).
  • An alpha version of support for gMSA (Group Managed Service Account) has appeared for Windows installations: special accounts in Active Directory that can also be used by containers.
  • For GCE, mTLS encryption between etcd and kube-apiserver has been enabled.
  • Updates to used/dependent software: Go 1.12.1, CSI 1.1, CoreDNS 1.3.1, Docker 18.09 support in kubeadm, and the minimum supported Docker API version is now 1.26.


Source: www.habr.com
