Sawubona, ngifuna ukwabelana nawe ngolwazi lwami lokusetha nokusebenzisa isevisi ye-AWS EKS (Elastic Kubernetes Service) yeziqukathi zeWindows, noma kunalokho mayelana nokungenzeki kokuyisebenzisa, kanye nesiphazamisi esitholakala esitsheni sesistimu ye-AWS, kulabo abanentshisekelo kule sevisi yeziqukathi ze-Windows, sicela ngaphansi kwekati.
Ngiyazi ukuthi iziqukathi zeWindows azisona isihloko esidumile, futhi bambalwa abantu abazisebenzisayo, kodwa ngisanqume ukubhala lesi sihloko, njengoba bekunendatshana embalwa ku-Habré kubernetes neWindows futhi kusekhona abantu abanjalo.
Начало
Konke kwaqala lapho kunqunywa ukuthi kuthuthelwe izinsizakalo enkampanini yethu kubernetes, okungu-70% weWindows kanye no-30% we-Linux. Ngale njongo, isevisi yefu ye-AWS EKS ithathwe njengenye yezinketho ezingenzeka. Kuze kube ngumhla ziyisi-8 kuMfumfu wezi-2019, i-AWS EKS Windows yayikukubuka kuqala Komphakathi, ngaqala ngayo, kwasetshenziswa inguqulo endala engu-1.11 ye-kubernetes, kodwa nginqume ukuyihlola noma kunjalo futhi ngibone ukuthi le sevisi yefu yayikusiphi isigaba, ukuthi yayisebenza yini. nhlobo, njengoba kwavela, cha, kwakukhona iphutha ngokungezwa kokukhipha ama-pods, kuyilapho abadala beyeka ukuphendula nge-ip yangaphakathi kusuka ku-subnet efanayo ne-node yesisebenzi samafasitela.
Ngakho-ke, kunqunywe ukuthi kuyekwe ukusetshenziswa kwe-AWS EKS ukuze sivune iqoqo lethu kubernetes ku-EC2 efanayo, kuphela kuzodingeka sichaze konke ukulinganisa kanye ne-HA ngokwethu nge-CloudFormation.
I-Amazon EKS Windows Container Support manje Iyatholakala Ngokujwayelekile
nguMartin Beeby | ngomhlaka 08 OCT 2019
Ngaphambi kokuthi ngibe nesikhathi sokwengeza ithempulethi ku-CloudFormation yeqoqo lami, ngizibonile lezi zindaba
Yebo, ngabeka wonke umsebenzi wami eceleni futhi ngaqala ukufunda ukuthi benzeni ku-GA, nokuthi konke kwashintsha kanjani ngokubuka kuqala komphakathi. Yebo, i-AWS, yenziwe kahle, ibuyekeze izithombe ze-Windows worker node to version 1.14, kanye neqoqo ngokwalo, inguqulo 1.14 ku-EKS, manje isekela ama-node windows. Project by Public Preview at Bakumbozile bathi manje sebenzisa imibhalo esemthethweni lapha:
Ukuhlanganisa iqoqo le-EKS ku-VPC yamanje nama-subnets
Kuyo yonke imithombo, kusixhumanisi esingenhla esimemezelweni kanye nasemibhalweni, kuhlongozwe ukuthi kusetshenziswe iqoqo ngokusebenzisa i-eksctl utility noma nge-CloudFormation + kubectl ngemuva, kusetshenziswa kuphela ama-subnets ase-Amazon, kanye nokudala hlukanisa i-VPC ukuze uthole iqoqo elisha.
Le nketho ayibafanele abaningi; okokuqala, i-VPC ehlukile isho izindleko ezengeziwe zezindleko zayo + nokubuka ithrafikhi ku-VPC yakho yamanje. Yini okufanele yenziwe yilabo asebevele benengqalasizinda esenziwe ngomumo ku-AWS enama-akhawunti abo e-Multiple AWS, i-VPC, ama-subnets, amatafula emizila, isango lezokuthutha nokunye? Yiqiniso, awufuni ukuphula noma ukwenza kabusha konke lokhu, futhi udinga ukuhlanganisa iqoqo elisha le-EKS kwingqalasizinda yenethiwekhi yamanje, usebenzisa i-VPC ekhona futhi, ngokuhlukana, ngokuvamile udale ama-subnets amasha eqoqo.
Endabeni yami, le ndlela ikhethiwe, ngasebenzisa i-VPC ekhona, ngengeza ama-subnets omphakathi angu-2 kuphela kanye nama-subnets angasese angu-2 weqoqo elisha, yiqiniso, yonke imithetho yacatshangelwa ngokuvumelana nemibhalo. .
Bekukhona nombandela owodwa: awekho amanodi ezisebenzi kuma-subnet asebenzisa i-EIP.
eksctl vs CloudFormation
Ngizokwenza ukubhuka ngokushesha ukuthi ngizame zombili izindlela zokuthumela iqoqo, kuzo zombili izimo isithombe sasifana.
Ngizobonisa isibonelo kuphela ngisebenzisa i-eksctl njengoba ikhodi lapha izoba mfishane. Usebenzisa i-eksctl, sebenzisa iqoqo ngezinyathelo ezi-3:
1. Sakha iqoqo ngokwalo + inodi yesisebenzi se-Linux, kamuva esizosingatha iziqukathi zesistimu kanye naso isilawuli se-vpc esinezinkinga ezifanayo.
eksctl create cluster
--name yyy
--region www
--version 1.14
--vpc-private-subnets=subnet-xxxxx,subnet-xxxxx
--vpc-public-subnets=subnet-xxxxx,subnet-xxxxx
--asg-access
--nodegroup-name linux-workers
--node-type t3.small
--node-volume-size 20
--ssh-public-key wwwwwwww
--nodes 1
--nodes-min 1
--nodes-max 2
--node-ami auto
--node-private-networkingUkuze usebenzise ku-VPC ekhona, vele ucacise i-id yama-subnets akho, futhi i-eksctl izonquma i-VPC ngokwayo.
Ukuqinisekisa ukuthi amanodi wakho wabasebenzi asetshenziswa kuphela ku-subnet yangasese, udinga ukucacisa --node-private-networking ye-nodegroup.
2. Sifaka isilawuli se-vpc kuqoqo lethu, elizobe selicubungula ama-node ethu ezisebenzi, sibala inani lamakheli e-IP amahhala, kanye nenani lama-ENIs ngaleso sikhathi, ukuwangeza nokuwasusa.
eksctl utils install-vpc-controllers --name yyy --approve3.Ngemva kokuthi iziqukathi zakho zesistimu yethulwe ngempumelelo ku-node yakho yesisebenzi se-Linux, okuhlanganisa isilawuli se-vpc, okusele nje ukudala elinye i-nodegroup elinabasebenzi bewindi.
eksctl create nodegroup
--region www
--cluster yyy
--version 1.14
--name windows-workers
--node-type t3.small
--ssh-public-key wwwwwwwwww
--nodes 1
--nodes-min 1
--nodes-max 2
--node-ami-family WindowsServer2019CoreContainer
--node-ami ami-0573336fc96252d05
--node-private-networkingNgemva kokuthi inodi yakho ixhumeke ngempumelelo kuqoqo lakho futhi yonke into ibonakala ihamba kahle, isesimweni sokulungela, kodwa cha.
Iphutha kusilawuli se-vpc
Uma sizama ukusebenzisa ama-pods ku-node yesisebenzi se-Windows, sizothola iphutha:
NetworkPlugin cni failed to teardown pod "windows-server-iis-7dcfc7c79b-4z4v7_default" network: failed to parse Kubernetes args: pod does not have label vpc.amazonaws.com/PrivateIPv4Address]Uma sibheka ngokujulile, sibona ukuthi isibonelo sethu ku-AWS sibukeka kanje:
Futhi kufanele kube kanje:
Kulokhu kuyacaca ukuthi isilawuli se-vpc asizange sifeze ingxenye yaso ngesizathu esithile futhi asikwazanga ukwengeza amakheli e-IP amasha esibonelweni ukuze ama-pods awasebenzise.
Ake sibheke izingodo ze-vpc-controller pod futhi nakhu esikubonayo:
kubectl log -n kube-system
I1011 06:32:03.910140 1 watcher.go:178] Node watcher processing node ip-10-xxx.ap-xxx.compute.internal.
I1011 06:32:03.910162 1 manager.go:109] Node manager adding node ip-10-xxx.ap-xxx.compute.internal with instanceID i-088xxxxx.
I1011 06:32:03.915238 1 watcher.go:238] Node watcher processing update on node ip-10-xxx.ap-xxx.compute.internal.
E1011 06:32:08.200423 1 manager.go:126] Node manager failed to get resource vpc.amazonaws.com/CIDRBlock pool on node ip-10-xxx.ap-xxx.compute.internal: failed to find the route table for subnet subnet-0xxxx
E1011 06:32:08.201211 1 watcher.go:183] Node watcher failed to add node ip-10-xxx.ap-xxx.compute.internal: failed to find the route table for subnet subnet-0xxx
I1011 06:32:08.201229 1 watcher.go:259] Node watcher adding key ip-10-xxx.ap-xxx.compute.internal (0): failed to find the route table for subnet subnet-0xxxx
I1011 06:32:08.201302 1 manager.go:173] Node manager updating node ip-10-xxx.ap-xxx.compute.internal.
E1011 06:32:08.201313 1 watcher.go:242] Node watcher failed to update node ip-10-xxx.ap-xxx.compute.internal: node manager: failed to find node ip-10-xxx.ap-xxx.compute.internal.Ukusesha ku-Google akuzange kuholele kunoma yini, njengoba ngokusobala akekho owayebambe isiphazamisi esinjalo, noma ongakathumeli inkinga kuso, bekufanele ngicabange ngezinketho mina kuqala. Into yokuqala efike engqondweni ukuthi mhlawumbe isilawuli se-vpc asikwazi ukuxazulula ip-10-xxx.ap-xxx.compute.internal futhi sifinyelele kuso ngakho-ke amaphutha enzeka.
Yebo, ngempela, sisebenzisa amaseva e-DNS angokwezifiso ku-VPC futhi, ngokomthetho, asiwasebenzisi ama-Amazon, ngakho-ke nokudlulisela akuzange kulungiselelwe lesi sizinda se-ap-xxx.compute.internal. Ngayihlola le nketho, futhi ayizange ilethe imiphumela, mhlawumbe ukuhlolwa kwakungahlanzekile, ngakho-ke, ngokuqhubekayo, lapho ngikhuluma nokusekelwa kwezobuchwepheshe, nganqotshwa umbono wabo.
Njengoba yayingekho ngempela imibono, wonke amaqembu okuvikela adalwe yi-eksctl ngokwayo, ngakho-ke kwakungekho ukungabaza mayelana nokusebenza kwabo, amatafula omzila nawo ayelungile, i-nat, i-dns, ukufinyelela kwe-inthanethi ngamanodi omsebenzi nawo ayekhona.
Ngaphezu kwalokho, uma uthumela i-node yesisebenzi ku-subnet yomphakathi ngaphandle kokusebenzisa i-node-private-networking, le nodi yabuyekezwa ngokushesha isilawuli se-vpc futhi yonke into yasebenza njengewashi.
Kwakukhona izinketho ezimbili:
- Yiyeke bese ulinda kuze kube yilapho othile echaza lesi siphazamisi ku-AWS futhi asilungise, bese ungasebenzisa ngokuphepha i-AWS EKS Windows, ngoba isanda kukhishwa ku-GA (izinsuku eziyi-8 sezidlulile ngesikhathi sokubhala lesi sihloko), cishe abaningi bazophuma. landela indlela efana neyami .
- Bhala ku-AWS Support futhi ubatshele umnyombo wenkinga ngenqwaba yezingodo ezivela yonke indawo futhi ubabonise ukuthi insizakalo yabo ayisebenzi lapho usebenzisa i-VPC yakho nama-subnets, akulona ize ukuthi sibe nokusekelwa kweBhizinisi, kufanele usebenzise. okungenani kanye :)
Ukuxhumana nonjiniyela be-AWS
Ngemva kokudala ithikithi kuphothali, ngephutha ngakhetha ukungiphendula nge-Web - i-imeyili noma isikhungo sokusekela, ngale nketho bangakwazi ukukuphendula ngemva kwezinsuku ezimbalwa, naphezu kweqiniso lokuthi ithikithi lami lalinobunzima - Isistimu ekhubazekile, okuyinto kwakusho impendulo kungakapheli amahora angu-12, futhi njengoba uhlelo lokusekelwa kweBhizinisi lunokusekelwa okungu-24/7, nginethemba lokungcono kakhulu, kodwa kwaba njalo.
Ithikithi lami lishiywe linganikezwanga kusukela ngoLwesihlanu kuze kube uMsombuluko, ngabe senginquma ukubabhalela futhi ngakhetha inketho yokuphendula i-Chat. Ngemva kokulinda isikhashana, uHarshad Madhav waqokwa ukuthi azongibona, kwase kuqala...
Salungisa iphutha ngayo ku-inthanethi amahora angu-3 ngokulandelana, sidlulisela izingodo, sisebenzisa iqoqo elifanayo elabhorethri ye-AWS ukulingisa inkinga, sakha kabusha iqoqo engxenyeni yami, njalo njalo, into kuphela esize kuyo ukuthi kusukela izingodo kwakusobala ukuthi i-resol yayingasebenzi amagama esizinda sangaphakathi se-AWS, engibhale ngawo ngenhla, futhi u-Harshad Madhav wangicela ukuthi ngidale ukudlulisa, kusolakala ukuthi sisebenzisa i-DNS yangokwezifiso futhi lokhu kungaba inkinga.
Ukudlulisela phambili
ap-xxx.compute.internal -> 10.x.x.2 (VPC CIDRBlock)
amazonaws.com -> 10.x.x.2 (VPC CIDRBlock)Yilokho okwenziwayo, usuku lwase luphelile. U-Harshad Madhav wabhala emuva ukuze akuhlole futhi kufanele kusebenze, kodwa cha, isinqumo asizange sisize ngalutho.
Kwabe sekuba nokuxhumana nabanye onjiniyela abangu-2, omunye wavele waphuma engxoxweni, ngokusobala wayesaba icala eliyinkimbinkimbi, owesibili wachitha usuku lwami futhi emjikelezweni ogcwele wokulungisa iphutha, ukuthumela izingodo, ukudala amaqoqo nhlangothi zombili, agcine esho kahle nje, kuyangisebenzela, nakhu ngikhona ngenza konke ngesinyathelo ngesinyathelo kumadokhumenti asemthethweni nawe futhi uzophumelela.
Ngamcela ngesizotha ukuthi ahambe futhi abele omunye umuntu ithikithi lami uma ungazi ukuthi uzoyibheka kuphi inkinga.
Ukugcina
Ngosuku lwesithathu, unjiniyela omusha u-Arun B. wabelwa kimi, futhi kusukela ekuqaleni kokuxhumana naye kwacaca ngokushesha ukuthi kwakungebona onjiniyela abangu-3 bangaphambili. Wafunda wonke umlando futhi ngokushesha wacela ukuqoqa izingodo esebenzisa iskripthi sakhe ku-ps1, esasiku-github yakhe. Lokhu kwaphinde kwalandelwa yizo zonke iziphindaphindo zokudala amaqoqo, ukukhipha imiphumela yomyalo, ukuqoqa izingodo, kodwa u-Arun B. wayehamba ngendlela efanele ehlulela ngemibuzo engibuzwe yona.
Sifike nini ezingeni lokunika amandla -stderrthreshold=debug kusilawuli sabo se-vpc, futhi kwenzekani ngokulandelayo? Yebo ayisebenzi) i-pod imane nje ingaqali ngale nketho, kuphela -stderrthreshold=info isebenza.
Siqedile lapha futhi u-Arun B. uthe uzozama ukukhiqiza kabusha izinyathelo zami ukuze athole iphutha elifanayo. Ngosuku olulandelayo ngithola impendulo evela ku-Arun B. akazange alilahle leli cala, kodwa wathatha ikhodi yokubuyekeza yesilawuli sabo se-vpc futhi wathola indawo lapho ekhona nokuthi kungani kungasebenzi:
Ngakho-ke, uma usebenzisa ithebula lomzila oyinhloko ku-VPC yakho, khona-ke ngokuzenzakalelayo alinakho ukuzihlanganisa nama-subnets adingekayo, adingeka kakhulu kumlawuli we-vpc, esimweni se-subnet yomphakathi, inetafula lomzila wangokwezifiso. enenhlanganiso.
Ngokungeza mathupha izinhlangano zetafula lomzila oyinhloko nama-subnet adingekayo, nokudala kabusha i-nodegroup, yonke into isebenza kahle.
Ngithemba ukuthi u-Arun B. uzobika ngempela lesi siphazamisi kubathuthukisi be-EKS futhi sizobona inguqulo entsha yesilawuli se-vpc lapho konke kuzosebenza ngaphandle kwebhokisi. Okwamanje inguqulo yakamuva ithi: 602401143452.dkr.ecr.ap-southeast-1.amazonaws.com/eks/vpc-resource-controller:0.2.1
unale nkinga.
Siyabonga kuwo wonke umuntu ofunde kwaze kwaba sekupheleni, hlola yonke into ozoyisebenzisa ekukhiqizeni ngaphambi kokuyisebenzisa.
Source: www.habr.com