UPavel Selivanov, umakhi wezisombululo zaseSouthbridge kunye notitshala we-Slurm, wanika intetho kwi-DevOpsConf 2019. Le ntetho iyinxalenye yesinye sezihloko zekhosi enzulu kwi-Kubernetes "Slurm Mega".
kwenzeka eMoscow ngoNovemba 18-20.
— eMoscow, ngoNovemba 22-24.
Ihlala ikhona.
Ngezantsi kokusikwa ngumbhalo wengxelo.
Molo emva kwemini, oogxa nabo bavelana nabo. Namhlanje ndiza kuthetha ngokhuseleko.
Ndiyabona ukuba baninzi oonogada eholweni namhlanje. Ndicela uxolo kuwe kwangaphambili ukuba ndisebenzisa imiqathango evela kwihlabathi lokhuseleko hayi kanye njengoko kuqhelekile kuwe.
Kwenzekile ukuba malunga neenyanga ezintandathu ezidlulileyo ndadibana neqela elinye likawonke-wonke leKubernetes. Uluntu luthetha ukuba kukho inani le-nth lezithuba zamagama; kwezi zithuba zamagama kukho abasebenzisi abekelwe bucala kwindawo yabo yamagama. Bonke aba basebenzisi bakwiinkampani ezahlukeneyo. Ewe, kwakucingelwa ukuba eli qela kufuneka lisetyenziswe njenge-CDN. Oko kukuthi, bakunika iqela, bakunika umsebenzisi apho, uya apho kwindawo yakho yamagama, uhambise imida yakho.
Inkampani yam yangaphambili yazama ukuthengisa inkonzo enjalo. Kwaye ndacelwa ukuba ndikhuphe iqela ukuze ndibone ukuba esi sisombululo sasifanelekile okanye akunjalo.
Ndifike kweli qela. Ndinikwe amalungelo alinganiselweyo, indawo yamagama elinganiselweyo. Abafana balapho babeluqonda ukhuseleko. Bafunda malunga neRole-based access control (RBAC) eKubernetes - kwaye bayijija ukuze ndingakwazi ukusungula iipods ngokwahlukileyo kwi-deployments. Andikhumbuli ingxaki endandizama ukuyisombulula ngokusungula ipod ngaphandle kokuthunyelwa, kodwa ngokwenene ndandifuna ukusungula ipod nje. Ngethamsanqa, ndaye ndagqiba ekubeni ndibone ukuba ngawaphi amalungelo endinawo kwiqela, into endinokuyenza, endingakwaziyo ukuyenza, kwaye yintoni abayenzileyo apho. Kwangaxeshanye, ndiza kukuxelela into abayilungiselele ngokungalunganga kwi-RBAC.
Kwenzekile ukuba kwimizuzu emibini ndifumane umlawuli kwiqela labo, ndajonga kuzo zonke iindawo ezingabamelwane, ndabona iinkampani esele zithengile le nkonzo zaza zasetyenziswa. Ndandingakwazi ukuzinqanda ukuba ndiye phambi komntu kwaye ndibeke izithuko kwiphepha eliphambili.
Ndiza kukuxelela ngemizekelo ukuba ndenze njani oku kunye nendlela yokuzikhusela kule nto.
Kodwa kuqala, mandizazise. Igama lam ndinguPavel Selivanov. Ndingumakhi eSouthbridge. Ndiyayiqonda iKubernetes, iDevOps kunye nazo zonke iintlobo zezinto ezintle. Iinjineli zaseSouthbridge kunye nam siyakha yonke le nto, kwaye ndiyabonisana.
Ukongeza kwimisebenzi yethu ephambili, kutshanje siphehlelele iiprojekthi ezibizwa ngokuba yiSlurms. Sizama ukuzisa isakhono sethu sokusebenza noKubernetes kancinci ebantwini, ukufundisa abanye abantu ukuba basebenze nee-K8s.
Ndiza kuthetha ngantoni namhlanje? Isihloko sengxelo sicacile - malunga nokhuseleko lweqela le-Kubernetes. Kodwa ndifuna ukuthetha ngoko nangoko ukuba esi sihloko sikhulu kakhulu - kwaye ngoko ke ndifuna ukucacisa ngokukhawuleza into endingayi kuthetha ngayo. Andiyi kuthetha malunga nemigaqo ye-hackneyed esele isetyenziswe ngokuphindwe kalikhulu kwi-Intanethi. Zonke iintlobo ze-RBAC kunye nezatifikethi.
Ndiza kuthetha ngentlungu yam kunye nabalingane bam malunga nokhuseleko kwiqela leKubernetes. Sizibona ezi ngxaki zombini phakathi kwababoneleli ababonelela ngamaqela eKubernetes naphakathi kwabathengi abeza kuthi. Kwaye nakubathengi abeza kuthi bevela kwezinye iinkampani zolawulo lokubonisana. Oko kukuthi, umlinganiselo wentlekele ngokwenene mkhulu kakhulu.
Kukho amanqaku amathathu endiya kuthetha ngawo namhlanje:
- Amalungelo abasebenzisi vs amalungelo pod. Amalungelo omsebenzisi kunye namalungelo e-pod awayonto inye.
- Ukuqokelela ulwazi malunga neqela. Ndiya kubonisa ukuba ungaqokelela lonke ulwazi oludingayo kwiqela ngaphandle kokuba namalungelo akhethekileyo kweli qela.
- Ukuhlaselwa kweDoS kwiqela. Ukuba asikwazi ukuqokelela ulwazi, siya kukwazi ukubeka i-cluster kuyo nayiphi na imeko. Ndiza kuthetha ngokuhlaselwa kwe-DoS kwizinto zokulawula i-cluster.
Enye into eqhelekileyo endiza kuyikhankanya yile nto ndiyivavanye kuyo yonke le nto, apho ndingatsho ngokuqinisekileyo ukuba yonke into iyasebenza.
Sithatha njengesiseko ukufakwa kweqela le-Kubernetes usebenzisa i-Kubespray. Ukuba nabani na akazi, le yisethi yeendima ze-Ansible. Siyisebenzisa rhoqo emsebenzini wethu. Into entle kukuba ungayiqengqeleka naphi na-ungayiqengqela kwiziqwenga zentsimbi okanye efini kwindawo ethile. Enye indlela yokufakela isebenza ngokomgaqo kuyo yonke into.
Kweli qela ndiya kuba Kubernetes v1.14.5. Iqela lonke leCube, esiza kuliqwalasela, lahlulwe ngokwezithuba zamagama, indawo nganye yamagama yeyeqela elahlukileyo, kwaye amalungu eli qela anokufikelela kwindawo nganye yamagama. Abanakuya kwiindawo zamagama ezahlukeneyo, kuphela kwezabo. Kodwa kukho iakhawunti ethile yolawulo enamalungelo kwiqela lonke.
Ndithembise ukuba into yokuqala esiya kuyenza kukufumana amalungelo olawulo kwiqela. Sidinga i-pod elungiselelwe ngokukodwa eya kuphula i-Kubernetes cluster. Ekuphela kwento ekufuneka siyenzile kukuyisebenzisa kwiqela leKubernetes.
kubectl apply -f pod.yamlLe pod iya kufika kwenye yeenkosi zeqela leKubernetes. Kwaye emva koku iqela liya kubuyela kuthi ngovuyo ifayile ebizwa ngokuba admin.conf. KwiCube, le fayile igcina zonke izatifikethi zomlawuli, kwaye kwangaxeshanye iqwalasele i-API yeqela. Yile ndlela ekulula ngayo ukufumana ukufikelela kulawulo, ndiyacinga, i-98% yamaqela e-Kubernetes.
Ndiyaphinda, le pod yenziwe ngumphuhlisi omnye kwiqela lakho onokufikelela ekufakeni izindululo zakhe kwindawo enye encinci yegama, yonke icinezelwe yi-RBAC. Wayengenamalungelo. Kodwa nangona kunjalo isiqinisekiso sabuyiswa.
Kwaye ngoku malunga ne-pod elungiselelwe ngokukodwa. Siyiqhuba kuwo nawuphi na umfanekiso. Masithathe idebian:jessie njengomzekelo.
Sinayo le nto:
tolerations:
- effect: NoSchedule
operator: Exists
nodeSelector:
node-role.kubernetes.io/master: "" Yintoni ukunyamezelana? IiMasters kwiqela leKubernetes zihlala ziphawulwa ngento ebizwa ngokuba yi-taint. Kwaye ingundoqo yolu "sulelo" kukuba ithi i-pods ayinakunikwa iinqununu eziphambili. Kodwa akukho mntu ukhathazayo ukubonisa kuyo nayiphi na i-pod ukuba iyanyamezela "usulelo". Icandelo loNyamezelo litsho nje ukuba enye i-node ine-NoSchedule, ngoko i-node yethu iyanyamezela kwintsholongwane enjalo - kwaye akukho ngxaki.
Ngapha koko, sithi i-under yethu ayinyamezeli kuphela, kodwa ikwafuna ukujolisa ngqo kwinkosi. Ngenxa yokuba iinkosi zineyona nto imnandi kakhulu esiyifunayo - zonke iziqinisekiso. Ke ngoko, sithi nodeSelector - kwaye sineleyibhile esemgangathweni kwiinkosi, ezikuvumela ukuba ukhethe kuzo zonke iindawo ezikwiqela ngokuchanekileyo ezo nodi ziyinkosi.
Ngala macandelo mabini ngokuqinisekileyo uya kuza enkosini. Yaye uya kuvunyelwa ukuba ahlale khona.
Kodwa ukuza nje enkosini akwanelanga. Oku akuyi kusinika nto. Ngoko ngokulandelayo sinezi zinto zimbini:
hostNetwork: true
hostPID: true Sicacisa ukuba i-pod yethu, esiyisungulayo, iya kuhlala kwi-kernel namespace, kwi-network namespace, nakwindawo yegama le-PID. Emva kokuba i-pod iqaliswe kwi-master, iya kukwazi ukubona zonke iinyani, i-interfaces ephilayo yale node, imamele zonke izithuthi kwaye ubone i-PID yazo zonke iinkqubo.
Emva koko ngumcimbi wezinto ezincinci. Thatha etcd kwaye ufunde into oyifunayo.
Eyona nto inomdla kakhulu yile Kubernetes, ekhoyo ngokuzenzekelayo.
volumeMounts:
- mountPath: /host
name: host
volumes:
- hostPath:
path: /
type: Directory
name: host Kwaye undoqo wayo kukuba sinokuthi kwi-pod esiyisungulayo, nangaphandle kwamalungelo kweli qela, ukuba sifuna ukwenza umthamo wohlobo lwe-hostPath. Oku kuthetha ukuthatha umendo ovela kumamkeli esiya kuthi siwuphehlelele - kwaye siwuthathe njengomthamo. Kwaye ke siyibiza ngegama: umamkeli. Sifaka yonke le hostPath ngaphakathi kwepod. Kulo mzekelo, kwi/host directory.
Ndizakuyiphinda kwakhona. Sixelele i-pod ukuba ize kwinkosi, ifumane i-hostNetwork kunye ne-hostPID apho - kwaye ifake yonke ingcambu yenkosi ngaphakathi kule pod.
Uyaqonda ukuba kwi-Debian sine-bash esebenzayo, kwaye le bash isebenza phantsi kweengcambu. Oko kukuthi, sifumene ingcambu kwi-master, ngaphandle kokuba nawo nawaphi na amalungelo kwiqela le-Kubernetes.
Emva koko wonke umsebenzi kukuya kwi-sub directory / host / etc / kubernetes / pki, ukuba andiphosisi, thatha zonke izatifikethi eziphambili zeqela apho kwaye, ngokufanelekileyo, ube ngumlawuli weqela.
Ukuba ujonga ngale ndlela, la ngamanye awona malungelo ayingozi kwi-pods - nokuba athini amalungelo umsebenzisi:
Ukuba ndinamalungelo okuqhuba iphod kwindawo ethile yegama leqela, ngoko le pod inala malungelo ngokungagqibekanga. Ndiyakwazi ukubaleka iipods ezikhethekileyo, kwaye la ngokubanzi ngamalungelo onke, ngokwenyani ingcambu kwindawo.
Eyona nto ndiyithandayo ngumsebenzisi weRoot. Kwaye i-Kubernetes inolu khetho lwe-Baleka njenge-Non-Root. Olu luhlobo lokukhusela kwi-hacker. Ngaba uyazi ukuba yintoni intsholongwane yaseMoldavian? Ukuba ngequbuliso ungumqweqwedisi kwaye uze kwiqela lam leKubernetes, ke thina, balawuli abahluphekayo, siyabuza: “Nceda ubonise kwiipods zakho oza kugqekeza ngazo iqela lam, ubaleke njengengeyongcambu. Kungenjalo, kuya kwenzeka ukuba uqhube inkqubo kwi pod yakho phantsi kweengcambu, kwaye kuya kuba lula kakhulu ukuba hack me. Nceda uzikhusele kuwe.
Umthamo wendlela yomamkeli, ngokoluvo lwam, yeyona ndlela ikhawulezayo yokufumana iziphumo ezifunwayo kwiqela leKubernetes.
Kodwa ukwenza ntoni ngayo yonke le nto?
Ingcinga ekufuneka ize kuye nawuphi na umlawuli oqhelekileyo odibana noKubernetes uthi: “Ewe, ndikuxelele, uKubernetes akasebenzi. Kukho imingxuma kuyo. Kwaye yonke iCube yibullshit. " Enyanisweni, kukho into efana namaxwebhu, kwaye ukuba ujonga apho, kukho icandelo .
Le yinto ye-yaml - sinokuyidala kwiqela le-Kubernetes - elilawula imiba yokhuseleko ngokukodwa kwinkcazo yeepods. Oko kukuthi, enyanisweni, ilawula amalungelo okusebenzisa nayiphi na i-hostNetwork, i-hostPID, iindidi ezithile zevolumu ezikwiipods ekuqaleni. Ngoncedo loMgaqo-nkqubo woKhuseleko lwePod, konke oku kunokuchazwa.
Eyona nto inomdla ngoMgaqo-nkqubo woKhuseleko lwePod kukuba kwiqela le-Kubernetes, zonke ii-installers ze-PSP azichazwanga nje nangayiphi na indlela, zikhutshaziwe nje ngokungagqibekanga. UMgaqo-nkqubo woKhuseleko wePod uvulelwe kusetyenziswa iplagi yokungena.
Kulungile, masibeke uMgaqo-nkqubo woKhuseleko lwePod kwiqela, masithi sineenkonzo ezithile zeepods kwindawo yegama, apho kuphela abalawuli abanokufikelela khona. Masithi, kuzo zonke ezinye iimeko, iipods zinamalungelo alinganiselwe. Kuba kusenokwenzeka ukuba abaphuhlisi akufuneki baqhube iipod zamalungelo kwiqela lakho.
Kwaye yonke into ibonakala ilungile ngathi. Kwaye iqela lethu leKubernetes alinakuqhekezwa kwimizuzu emibini.
Kukho ingxaki. Okunokwenzeka, ukuba uneqela le-Kubernetes, ke ukubeka iliso kufakwe kwiqela lakho. Ndingade ndihambe ndide ndiqikelele ukuba ukuba iqela lakho linokubeka iliso, liya kubizwa ngokuba yiPrometheus.
Into endiza kukuxelela yona iya kusebenza kubo bobabini umqhubi wePrometheus kunye nePrometheus eziswe ngendlela ecocekileyo. Umbuzo kukuba ukuba andinakukwazi ukufumana umlawuli kwiqela ngokukhawuleza, ngoko oku kuthetha ukuba kufuneka ndijonge ngakumbi. Kwaye ndiyakwazi ukukhangela ngoncedo lokujonga kwakho.
Mhlawumbi wonke umntu ufunde amanqaku afanayo kwi-Habré, kwaye uhlolo lubekwe kwindawo yokubeka iliso. Itshathi yeHelm ibizwa ngokulinganayo kuye wonke umntu. Ndicinga ukuba ukuba wenza i-helm yokufaka i-stable/prometheus, uya kugqiba ngamagama afanayo. Kwaye kusenokwenzeka ukuba andizukuphinda ndiqashele igama le-DNS kwiqela lakho. Kuba isemgangathweni.
Okulandelayo sine-dev ns ethile, apho unokuqhuba khona i-pod ethile. Kwaye ke kule pod kulula kakhulu ukwenza into enje:
$ curl http://prometheus-kube-state-metrics.monitoring I-prometheus-kube-state-metrics yenye yabathengisi be-Prometheus abaqokelela iimetrics kwi-Kubernetes API ngokwayo. Kukho idatha eninzi apho, yintoni esebenzayo kwiqela lakho, yintoni na, zeziphi iingxaki onazo ngayo.
Njengomzekelo olula:
kube_pod_container_info{namespace=“kube-system”,pod=”kube-apiserver-k8s- 1″,container=”kube-apiserver”,image=
"gcr.io/google-containers/kube-apiserver:v1.14.5"
,image_id=»docker-pullable://gcr.io/google-containers/kube- apiserver@sha256:e29561119a52adad9edc72bfe0e7fcab308501313b09bf99df4a96 38ee634989″,container_id=»docker://7cbe7b1fea33f811fdd8f7e0e079191110268f2 853397d7daf08e72c22d3cf8b»} 1
Ngokwenza isicelo esilula se-curl kwi-pod engafanelekanga, unokufumana ulwazi olulandelayo. Ukuba awuyazi ukuba yeyiphi inguqulelo ye-Kubernetes oyisebenzisayo, iya kukuxelela ngokulula.
Kwaye eyona nto inomdla kakhulu kukuba ukongeza ekufikeleleni kube-state-metrics, unokufikelela ngokulula kwiPrometheus ngokwayo ngqo. Ungaqokelela iimetriki ukusuka apho. Unokwakha iimethrikhi ukusuka apho. Nokuba ithiyori, unokwakha umbuzo onjalo kwiqela lePrometheus, eliya kuthi licime. Kwaye ukubeka esweni kwakho kuya kuyeka ukusebenza kwiqela ngokupheleleyo.
Kwaye apha umbuzo uvela ukuba ngaba kukho nawuphi na ukubekwa esweni kwangaphandle ukubeka iliso kwakho. Ndisandula ukufumana ithuba lokusebenza kwiqela le-Kubernetes ngaphandle kweziphumo kum. Awuzukwazi nokuba ndisebenza apho, kuba akusekho kubeka iliso.
Kanye njenge-PSP, kuvakala ngathi ingxaki kukuba zonke ezi teknoloji zintle - Kubernetes, Prometheus - azisebenzi kwaye zigcwele imingxunya. Hayi ncma.
Kukho into enjalo- .
Ukuba ungumlawuli oqhelekileyo, ngoko kusenokwenzeka ukuba uyazi malunga nePolisi yeNethiwekhi ukuba le yenye yaml, esele ininzi kuyo kwiqela. Kwaye ezinye iiPolisi zeNethiwekhi ngokuqinisekileyo azifuneki. Kwaye nokuba ufunda ukuba yintoni iPolisi yeNethiwekhi, ukuba yi-yaml firewall ye-Kubernetes, ikuvumela ukuba unciphise amalungelo okufikelela phakathi kweendawo zamagama, phakathi kwee-pods, ngoko ngokuqinisekileyo ugqibe ekubeni i-firewall kwifomathi ye-yaml kwi-Kubernetes isekelwe kwi-abstractions elandelayo. ... Hayi hayi . Oku akuyomfuneko ngokuqinisekileyo.
Nokuba awukhange uxelele iingcali zakho zokhuseleko ukuba usebenzisa i-Kubernetes yakho unokwakha i-firewall elula kakhulu kwaye elula, kunye negranular kakhulu apho. Ukuba abakayazi le nto kwaye abakukhathazi: "Kulungile, ndinike, ndinike..." Emva koko, kuyo nayiphi na imeko, udinga iPolisi yeNethiwekhi ukuvala ukufikelela kwezinye iindawo zenkonzo ezinokutsalwa kwiqela lakho. ngaphandle kwalo naluphi na ugunyaziso.
Njengoko kumzekelo endiwunikileyo, ungatsala i-kube state metrics nakweyiphi na indawo yegama kwiqela leKubernetes ngaphandle kokuba namalungelo okwenza njalo. Imigaqo-nkqubo yothungelwano ivalile ukufikelela kuzo zonke ezinye iindawo zamagama kwindawo yokubeka iliso kwaye yiyo: akukho ukufikelela, akukho ngxaki. Kuzo zonke iitshathi ezikhoyo, zombini umgangatho wePrometheus kunye nePrometheus ekumsebenzisi, kukho nje ukhetho kumaxabiso e-helm ukwenza ngokulula iinkqubo zenethiwekhi kubo. Kufuneka nje uyivule kwaye ziya kusebenza.
Inye ngenene ingxaki apha. Ukuba ngumlawuli oqhelekileyo weentshebe, mhlawumbi ugqibe ekubeni imigaqo-nkqubo yenethiwekhi ayifuneki. Kwaye emva kokufunda zonke iintlobo zamanqaku kwizixhobo ezifana neHabr, ugqibe kwelokuba iflaneli, ngakumbi ngemowudi yesango lomkhosi, yeyona nto ilungileyo onokuyikhetha.
Yintoni endiyenzayo?
Ungazama ukuphinda usebenzise isisombululo sothungelwano onaso kwiqela lakho le-Kubernetes, zama ukusibuyisela ngento esebenza ngakumbi. KwiCalico efanayo, umzekelo. Kodwa ndifuna ukuthetha kwangoko ukuba umsebenzi wokutshintsha isisombululo sothungelwano kwiqela elisebenzayo leKubernetes awuyonto encinci. Ndizisombulule kabini (zombini izihlandlo, nangona kunjalo, ngokwethiyori), kodwa sade sabonisa indlela yokwenza kwi-Slurms. Kubafundi bethu, sibonise indlela yokutshintsha isisombululo senethiwekhi kwiqela leKubernetes. Ngokomgaqo, unokuzama ukuqinisekisa ukuba akukho xesha lokuphumla kwiqela lemveliso. Kodwa mhlawumbi akuyi kuphumelela.
Kwaye ingxaki eneneni isonjululwe ngokulula kakhulu. Kukho izatifikethi kwiqela, kwaye uyazi ukuba izatifikethi zakho ziya kuphelelwa ngonyaka. Ewe, kwaye ngokuqhelekileyo isisombululo esiqhelekileyo kunye nezatifikethi kwiqela - kutheni sinexhala, siya kuphakamisa iqela elitsha elikufutshane, sivumele elidala libole, kwaye siphinde sisebenzise yonke into. Enyanisweni, xa ibolile, kuya kufuneka sihlale usuku, kodwa nali iqela elitsha.
Xa uphakamisa iqela elitsha, kwangaxeshanye faka iCalico endaweni yeflaneli.
Yintoni omawuyenze ukuba izatifikethi zakho zikhutshwe ikhulu leminyaka kwaye awuzukuphinda usasaze iqela? Kukho into efana neKube-RBAC-Proxy. Olu luphuhliso olupholileyo kakhulu, lukuvumela ukuba uzibethelele njengesitya semoto esecaleni kuyo nayiphi na i-pod kwiqela le-Kubernetes. Kwaye yongeza ugunyaziso kule pod nge-RBAC ye-Kubernetes ngokwayo.
Kukho ingxaki enye. Ngaphambili, esi sisombululo se-Kube-RBAC-Proxy sakhiwe kwi-Prometheus yomsebenzisi. Kodwa emva koko wayengekho. Ngoku iinguqulelo zanamhlanje zixhomekeke kwinto yokuba unomgaqo-nkqubo wenethiwekhi kwaye uvale usebenzisa wona. Ke ngoko kuya kufuneka siyibhale kancinci itshathi. Enyanisweni, ukuba uya ku , kukho imizekelo yendlela yokusebenzisa oku njengee-sidecars, kwaye iitshathi kuya kufuneka zibhalwe ngokutsha kancinci.
Kukho enye ingxaki encinci ngakumbi. IPrometheus ayinguye yedwa onikezela ngeemetrics zakhe kuye nabani na. Onke amacandelo ethu eqela le-Kubernetes ayakwazi ukubuyisela iimethrikhi zawo.
Kodwa njengoko besenditshilo, ukuba awukwazi ukufikelela kwiqela kwaye uqokelele ulwazi, ngoko unokwenza ingozi.
Ngoko ke ndiza kubonisa ngokukhawuleza iindlela ezimbini ukuba i-Kubernetes iqoqo inokonakala njani.
Uza kuhleka xa ndikuxelela oku, ezi zimbini zokwenyani iimeko.
Indlela yokuqala. Ukuncipha kobutyebi.
Masiqalise enye ipod ekhethekileyo. Iyakuba necandelo elinje.
resources:
requests:
cpu: 4
memory: 4Gi Njengoko usazi, izicelo sisixa se-CPU kunye nememori egcinwe kumamkeli kwiipod ezithile ezinezicelo. Ukuba sinomgcini-zine-core host kwi-cluster ye-Kubernetes, kunye neepods ezine ze-CPU zifika apho kunye nezicelo, kuthetha ukuba akusekho iipods ezinezicelo eziya kukwazi ukuza kulo mkhosi.
Ukuba ndiqhuba i-pod enjalo, ke ndiya kuqhuba umyalelo:
$ kubectl scale special-pod --replicas=...Ke akukho mntu wumbi uya kukwazi ukuhambisa kwiqela leKubernetes. Kuba zonke iinodi ziya kuphelelwa zizicelo. Kwaye ke ndiya kulimisa iqela lakho leKubernetes. Ukuba ndikwenza oku ngokuhlwa, ndingamisa ukuthunyelwa ixesha elide.
Ukuba sijonga kwakhona kuxwebhu lweKubernetes, siya kuyibona le nto ibizwa ngokuba yiLimit Range. Ibeka izibonelelo zezinto zeqela. Ungabhala into yeLimi Range kwi-yaml, uyifake kwiindawo ezithile zamagama-kwaye ke kwesi sithuba samagama ungatsho ukuba unokungagqibekanga, ubuninzi kunye nobuncinci bemithombo yeepods.
Ngoncedo lwento enjalo, sinokunciphisa abasebenzisi kwiindawo ezithile zemveliso zamaqela ekukwazini ukubonisa zonke iintlobo zezinto ezimbi kwiipods zabo. Kodwa ngelishwa, nokuba uxelele umsebenzisi ukuba abanakusungula iipod ngezicelo ze-CPU enye, kukho umyalelo omangalisayo wesikali, okanye banokwenza isikali kwideshibhodi.
Kwaye kulapho indlela inombolo yesibini ivela khona. Siphehlelela 11 pods. Ziibhiliyoni ezilishumi elinanye. Oku akubangelwa kukuba ndize nenombolo enjalo, kodwa ngenxa yokuba ndiyibonile.
Ibali lokwenyani. Latshona ilanga ndabe sendizophuma eofisini. Ndibona iqela labaphuhlisi behleli ekoneni, bexakekile besenza into ngeelaptop zabo. Ndiya kubafana ndibuze: "Kwenzeke ntoni kuwe?"
Ngaphambilana, malunga nentsimbi yethoba ngokuhlwa, omnye wabaphuhlisi wayelungiselela ukugoduka. Ndaye ndagqiba kwelokuba: “Ngoku ndiza kuthoba isicelo sam siye kwesinye.” Ndicinezele enye, kodwa i-Intanethi yehla kancinci. Waphinda wacofa enye, wacofa enye, wacofa u-Enter. Ndazama ngayo yonke into endiyenzayo. Emva koko i-Intanethi yaphila - kwaye yonke into yaqala ukuhla ukuya kweli nani.
Enyanisweni, eli bali alizange lenzeke kwi-Kubernetes; ngelo xesha yayinguNomad. Iphelile into yokuba emva kweyure yokuzama ukunqanda uNomad kwiinzame eziqhubekayo zokunyuka, uNomad waphendula ukuba akayi kuyeka ukukala kwaye akayi kwenza enye into. "Ndidiniwe, ndiyahamba." Uye wazisonga.
Ngokwemvelo, ndizamile ukwenza okufanayo kwi-Kubernetes. U-Kubernetes wayengonwabanga ziipods ezilishumi elinanye zeebhiliyoni, wathi: “Andikwazi. Igqithise koonogada bomlomo bangaphakathi." Kodwa i-1 pods yayinokubakho.
Ukuphendula kwibhiliyoni enye, iCube ayizange irhoxe kuyo. Waqala ngokwenene ukukala. Okukhona inkqubo iqhubela phambili, kokukhona kwamthatha ixesha elininzi ukwenza iipod ezintsha. Kodwa nangoko inkqubo yaqhubeka. Ingxaki kuphela kukuba ukuba ndinokuqalisa ii-pods ngokungenamkhawulo kwindawo yam yegama, ngoko ngaphandle kwezicelo kunye nemida ndiyakwazi ukuqalisa iipod ezininzi ngemisebenzi ethile ukuba ngoncedo lwale misebenzi iinodi ziya kuqala ukudibanisa kwimemori, kwi-CPU. Xa ndiqalisa iipods ezininzi, ulwazi oluvela kubo kufuneka lungene kwindawo yokugcina, oko kukuthi, njl. Kwaye xa ulwazi oluninzi lufika apho, indawo yokugcina iqala ukubuya kancinci kakhulu- kwaye uKubernetes uqala ukuba buthuntu.
Kwaye enye ingxaki ... Njengoko uyazi, izinto zokulawula i-Kubernetes azikho into enye ephakathi, kodwa amacandelo amaninzi. Ngokukodwa, kukho umphathi womlawuli, umcwangcisi, njalo njalo. Bonke aba bafana baya kuqala ukwenza umsebenzi ongeyomfuneko, obudenge ngexesha elifanayo, eliya kuthi ekuhambeni kwexesha liqale ukuthatha ixesha elingakumbi. Umphathi womlawuli uya kudala iipod ezintsha. Umcwangcisi uya kuzama ukufumana indawo entsha kubo. Uya kuphelelwa ziindawo ezintsha kwiqela lakho kungekudala. Iqela leKubernetes liya kuqalisa ukusebenza kancinci kwaye kancinci.
Kodwa ndagqiba ekubeni ndigqithele ngakumbi. Njengoko uyazi, eKubernetes kukho into ebizwa ngokuba yinkonzo. Ewe, ngokungagqibekanga kumaqela akho, kunokwenzeka ukuba, inkonzo isebenza usebenzisa iitafile ze-IP.
Ukuba usebenzisa ibhiliyoni yeepods, umzekelo, kwaye usebenzise iskripthi ukunyanzela uKubernetis ukwenza iinkonzo ezintsha:
for i in {1..1111111}; do
kubectl expose deployment test --port 80
--overrides="{"apiVersion": "v1",
"metadata": {"name": "nginx$i"}}";
done Kuzo zonke ii-nodes ze-cluster, imithetho emininzi ye-iptables emitsha iya kuveliswa malunga nexesha elinye. Ngaphezu koko, imithetho eyibhiliyoni yee-iptables iya kuveliswa kwinkonzo nganye.
Ndiyiqwalasele yonke lento kumawaka aliqela, ukuya kwishumi. Kwaye ingxaki kukuba sele ikulo mgubasi kuyingxaki ukwenza ssh kwindawo. Ngenxa yokuba iipakethi, ezihamba ngamatyathanga amaninzi, ziqala ukuziva zingekho mnandi kakhulu.
Kwaye oku, nako, konke kusonjululwe ngoncedo lweKubernetes. Kukho into enjalo yesabelo seResource. Icwangcisa inani lezibonelelo ezikhoyo kunye nezinto zesithuba samagama kwiqela. Singenza into ye-yaml kwindawo nganye yegama leqela leKubernetes. Ukusebenzisa le nto, sinokuthi sinenani elithile lezicelo kunye nemida eyabelwe le ndawo yamagama, kwaye ke sinokuthi kule ndawo yegama kunokwenzeka ukwenza iinkonzo ezili-10 kunye neepod ezili-10. Kwaye umphuhlisi omnye unokuziminxa ngokuhlwa. U-Kubernetes uya kumxelela: "Awunakukwazi ukulinganisa iipods zakho ukuya kweso sixa, kuba ubutyebi bungaphezulu kwesabelo." Yiyo loo nto, ingxaki isonjululwe. .
Ingongoma enye eyingxaki ivela kulo mba. Uziva ukuba kunzima kangakanani ukwenza indawo yamagama eKubernetes. Ukuyidala, kufuneka sithathele ingqalelo izinto ezininzi.
Umthamo wezibonelelo + Uluhlu lweMida + RBAC
• Yenza isithuba samagama
• Yenza umda ngaphakathi
• Yenza i-resourcequota yangaphakathi
• Yenza i-akhawunti yenkonzo ye-CI
• Yenza ukubamba iqhaza kwi-CI kunye nabasebenzisi
• Ngokuzithandela uqalise iipodi zenkonzo eziyimfuneko
Ngoko ke, ndingathanda ukuthatha eli thuba ukwabelana ngophuhliso lwam. Kukho into ebizwa ngokuba ngumqhubi we-SDK. Le yindlela yokuba iqela leKubernetes libhale abaqhubi kulo. Ungabhala iingxelo usebenzisa i-Ansible.
Ekuqaleni kwabhalwa kwi-Ansible, emva koko ndabona ukuba kukho umqhubi we-SDK kwaye wayibhala kwakhona indima ye-Ansible ibe ngumqhubi. Le ngxelo ikuvumela ukuba wenze into kwiqela le-Kubernetes ebizwa ngokuba ngumyalelo. Ngaphakathi komyalelo, ikuvumela ukuba uchaze imeko-bume yalo myalelo kwi-yaml. Kwaye ngaphakathi kwendawo yeqela, kusivumela ukuba sichaze ukuba sabe izixhobo ezininzi kangaka.
Omncinci .
Kwaye ekugqibeleni. Kwenzeke ntoni ngayo yonke lento?
Ekuqaleni. UMgaqo-nkqubo woKhuseleko lwePod ulungile. Kwaye ngaphandle kwento yokuba akukho namnye wabafaki be-Kubernetes abayisebenzisayo ukuza kuthi ga namhlanje, kusafuneka uyisebenzise kumaqela akho.
UMgaqo-nkqubo weNethiwekhi awuyonto nje enye engeyomfuneko. Le yeyona nto ifunekayo kwiqela.
LimitRange/ResourceQuota - lixesha lokuyisebenzisa. Saqala ukusebenzisa le nto kwakudala, kwaye ixesha elide ndandiqinisekile ukuba wonke umntu uyayisebenzisa. Kwavela ukuba oku kunqabile.
Ukongeza kwinto endiyikhankanyileyo ngexesha lengxelo, kukho izinto ezingabhalwanga ezikuvumela ukuba uhlasele iqela. Ikhutshwe kutshanje .
Ezinye izinto zibuhlungu kwaye zibuhlungu. Ngokomzekelo, phantsi kweemeko ezithile, i-cubelets kwi-cluster ye-Kubernetes inokunika imixholo ye-warlocks directory kumsebenzisi ongagunyaziswanga.
Kukho imiyalelo yendlela yokuvelisa kwakhona yonke into endikuxelele yona. Kukho iifayile ezinemizekelo yemveliso yendlela iResourceQuota kunye nePod Security Policy ibonakala ngayo. Kwaye ungayichukumisa yonke le nto.
Enkosi kubo bonke.
umthombo: www.habr.com