Book "Kubernetes for DevOps"

Hello, Habr readers! Kubernetes is one of the key elements of the modern cloud ecosystem. This technology provides reliability, scalability and resilience for containerised workloads. John Arundel and Justin Domingus talk about the Kubernetes ecosystem and present proven solutions to everyday problems. Step by step, you will build your own cloud-native application and create the infrastructure to support it, set up a development environment and a continuous deployment pipeline that will serve you as you work on your next applications.

• Start with containers and Kubernetes from the basics: no special prior knowledge is needed to learn the subject.
• Set up your own clusters or choose a managed Kubernetes service from Amazon, Google, etc.
• Use Kubernetes to manage the container lifecycle and resource usage.
• Optimise clusters for cost, performance, resilience, capacity and scalability.
• Learn the best tools for developing, testing and deploying your applications.
• Apply current industry practices to ensure security and control.
• Apply DevOps principles across your whole company so that development teams can work flexibly, quickly and efficiently.

Who is the book for?

The book is best suited to operations staff responsible for servers, applications and services, and to developers involved in building new cloud services or migrating existing applications to Kubernetes and the cloud. Don't worry, you don't need to know how to work with Kubernetes or containers - we'll teach you everything.

Experienced Kubernetes users will also find a great deal of value, with in-depth coverage of topics such as RBAC, continuous deployment, management of sensitive data, and observability. We hope the pages of the book will hold something interesting for you, whatever your skills and experience.

What questions does this book answer?

While planning and writing the book, we discussed cloud technology and Kubernetes with hundreds of people, talking with industry leaders and experts as well as complete beginners. Below is a selection of the questions they wanted this publication to answer.

  • "I'm interested in why I should spend time on this technology. What problems will it help me and my team solve?"
  • "Kubernetes looks interesting, but it has a high barrier to entry. Setting up a simple example isn't hard, but ongoing administration and debugging are daunting. We'd like reliable advice on how people run Kubernetes clusters in the real world and what problems we're likely to face."
  • "Comparative advice would help. The Kubernetes ecosystem gives new teams far too many options to choose from. When there are several ways to do the same thing, how do you know which is best? How do you make a choice?"

And perhaps the most important question of all:

  • "How can I adopt Kubernetes without disrupting my company?"

Excerpt. Configuration and secrets

The ability to separate an application's logic in Kubernetes from its configuration (that is, from any values or settings that may change over time) is very useful. Configuration values typically include environment-specific settings, DNS addresses of external services, and authentication credentials.

Of course, all of this could be placed directly in the code, but that approach isn't flexible enough. For example, changing a configuration value would require rebuilding and redeploying your code. A better solution is to separate the configuration from the code and read it from a file or from environment variables.

Kubernetes provides several different ways to manage configuration. First, you can pass values to the application via environment variables specified in the pod's container spec (see "Environment Variables" on page 192). Second, configuration data can be stored directly in Kubernetes using ConfigMap and Secret objects.

In this chapter we examine these objects in detail and look at some practical ways of managing configuration and sensitive data, using the demo application.

Updating pods when the configuration changes

Imagine that you have a deployment in your cluster and you want to change some values in its ConfigMap. If you use a Helm chart (see "Helm: the Kubernetes package manager" on page 102), you can detect configuration changes automatically and reload your pods with one neat trick. Add the following annotation to your deployment specification:

checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}

The deployment template now contains a checksum of the configuration parameters: if the parameters change, the checksum will be updated too. When you run helm upgrade, Helm will see that the deployment spec has changed and will restart all the pods.
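The mechanism above, reproduced outside Helm as an added example (not code from the book or the demo repository): the same sha256 checksum is computed over a rendered ConfigMap and compared with the annotation in a rendered Deployment, which shows that the annotation must live in the pod template's metadata for a changed ConfigMap to roll the pods. All file contents and names below are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the book: reproduce the checksum that Helm's
# sha256sum pipeline writes into the pod template and check whether a
# rendered Deployment is in sync with its ConfigMap.

# Same value Helm computes from the rendered configmap.yaml.
config_checksum() {
    sha256sum < "$1" | cut -d' ' -f1
}

# Read the checksum/config annotation back out of a rendered Deployment.
deployment_checksum() {
    sed -n 's/^ *checksum\/config: *//p' "$1" | head -n 1
}

# Exit 0 when the annotation matches the ConfigMap (no rollout pending).
checksum_up_to_date() {
    [ "$(deployment_checksum "$2")" = "$(config_checksum "$1")" ]
}

# Write a minimal Deployment whose *pod template* carries the annotation.
# Putting it under the Deployment's own metadata.annotations would leave the
# pod template unchanged, so no pods would be restarted.
render_deployment() {
    cat > "$2" <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo
spec:
  template:
    metadata:
      annotations:
        checksum/config: $(config_checksum "$1")
EOF
}

# Constructed sample files: a rendered ConfigMap and the Deployment using it.
WORK=$(mktemp -d)
printf 'data:\n  greeting: Hello\n' > "$WORK/configmap.yaml"
render_deployment "$WORK/configmap.yaml" "$WORK/deployment.yaml"
# An edited ConfigMap no longer matches the annotation, so `helm upgrade`
# would render a new pod template and roll the pods.
printf 'data:\n  greeting: Goodbye\n' > "$WORK/configmap-v2.yaml"
```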

Sensitive data in Kubernetes

We already know that the ConfigMap object provides a flexible way to store and access configuration data in the cluster. However, most applications also have sensitive or confidential information such as passwords or API keys. This could be stored in a ConfigMap as well, but that solution is far from ideal.

Instead, Kubernetes provides a special object type designed for storing sensitive data: the Secret. Next, let's look at an example of how this object can be used in our demo application.

To start, look at the Kubernetes manifest for the Secret object (see hello-secret-env/k8s/secret.yaml):

apiVersion: v1
kind: Secret
metadata:
    name: demo-secret
stringData:
    magicWord: xyzzy

In this example, the secret key magicWord has the value xyzzy (en.wikipedia.org/wiki/Xyzzy_(computing)). The word xyzzy is generally very useful in the computing world. As with a ConfigMap, you can store several keys and values in a Secret object. Here, for simplicity, we use only one key-value pair.

Using Secrets as environment variables

Like a ConfigMap, a Secret object can be made available to a container either as an environment variable or as a file on its disk. In the following example, we assign an environment variable a value taken from the Secret:

spec:
  containers:
    - name: demo
      image: cloudnatived/demo:hello-secret-env
      ports:
        - containerPort: 8888
      env:
        - name: GREETING
          valueFrom:
            secretKeyRef:
              name: demo-secret
              key: magicWord

Run the following command in the demo directory to apply the manifest:

kubectl apply -f hello-secret-env/k8s/
deployment.extensions "demo" configured
secret "demo-secret" created

As before, forward a local port to the deployment to see the result in your browser:

kubectl port-forward deploy/demo 9999:8888
Forwarding from 127.0.0.1:9999 -> 8888
Forwarding from [::1]:9999 -> 8888

When you open localhost:9999/ you should see the following:

The magic word is "xyzzy"

Writing Secrets to files

In this example, we mount the Secret object into the container as a file. The code is in the hello-secret-file folder of the demo repository.

To mount the Secret as a file, we use the following:

spec:
  containers:
    - name: demo
      image: cloudnatived/demo:hello-secret-file
      ports:
        - containerPort: 8888
      volumeMounts:
        - name: demo-secret-volume
          mountPath: "/secrets/"
          readOnly: true
  volumes:
    - name: demo-secret-volume
      secret:
        secretName: demo-secret

As in the section "Creating configuration files from ConfigMap objects" on page 240, we create a volume (here demo-secret-volume) and mount it into the container in the volumeMounts section of the spec. The mountPath field is /secrets/, so Kubernetes will create one file in that folder for each key/value pair defined in the Secret object.

In our example we defined only one key-value pair, named magicWord, so the manifest will create a read-only file /secrets/magicWord containing the sensitive data inside the container.

If you apply this manifest in the same way as in the previous example, you should get the same result:

The magic word is "xyzzy"

Reading Secrets

In the previous section we used the kubectl describe command to display the contents of a ConfigMap. Can the same be done with a Secret?

kubectl describe secret/demo-secret
Name:         demo-secret
Namespace:    default
Labels:       <none>
Annotations:
Type:         Opaque

Data
====
magicWord:  5 bytes

Note that the data itself is not shown. Secrets in Kubernetes are of type Opaque, which means their contents are not displayed in kubectl describe output, in log entries, or in the terminal, making it harder to expose sensitive information by accident.

To view the YAML version with the encoded sensitive data, use the kubectl get command:

kubectl get secret/demo-secret -o yaml
apiVersion: v1
data:
   magicWord: eHl6enk=
kind: Secret
metadata:
...
type: Opaque

base64

What is eHl6enk=, which looks nothing like our original value? It is in fact the secret itself, represented in base64 encoding. Base64 is a scheme for encoding arbitrary binary data as a string of characters.

Because sensitive data may be binary and non-printable (as is the case with TLS encryption keys), Secret objects are always stored in base64 format.

The text eHl6enk= is the base64-encoded version of our secret word xyzzy. You can verify this with the base64 --decode command in the terminal:

echo "eHl6enk=" | base64 --decode
xyzzy

So, while Kubernetes protects you from accidentally printing sensitive data to the terminal or to log files, anyone who has read permission on the Secrets in a given namespace can base64-decode that data and then read it.

If you need to base64-encode some text (for example, to put it into a Secret), use the base64 command without arguments:

echo xyzzy | base64
eHl6enkK
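The encoding and decoding steps above, as an added example that is not part of the book: it shows why `echo xyzzy | base64` yields eHl6enkK while the cluster holds eHl6enk= (echo appends a newline), how to detect such a stray newline in a stored value, and how a reader with access to `kubectl get secret -o yaml` output recovers the plain text. The YAML below is a constructed sample of that output, not captured from a cluster.

```shell
#!/bin/sh
# Added example, not from the book: encode and decode Secret values the way
# Kubernetes stores them in the `data:` field.

# Encode a value with no trailing newline, matching the `data:` entry that
# `stringData: magicWord: xyzzy` produces (printf, unlike echo, adds nothing).
encode_secret_value() {
    printf '%s' "$1" | base64
}

# Decode a `data:` value back to plain text (-d is --decode on GNU coreutils).
decode_secret_value() {
    printf '%s' "$1" | base64 -d
}

# Exit 0 if the decoded value ends in a newline: the usual sign that it was
# produced with `echo` rather than `echo -n` or printf, so the application
# would see "xyzzy\n" instead of "xyzzy".
has_trailing_newline() {
    last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# Constructed sample of `kubectl get secret/demo-secret -o yaml` output.
SAMPLE_SECRET_YAML='apiVersion: v1
data:
  magicWord: eHl6enk=
kind: Secret
metadata:
  name: demo-secret
type: Opaque'

# Pull one key out of the data: block and decode it. Anyone with read access
# to the Secret can do exactly this, which is why RBAC on Secrets matters
# even though `kubectl describe` hides the value.
secret_value_from_yaml() {
    printf '%s\n' "$1" | sed -n "s/^  $2: //p" | base64 -d
}
```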

Accessing Secrets

Who can read and edit Secrets? That is determined by RBAC, the access-control mechanism (we discuss it in detail in the section "Introduction to Role-Based Access Control" on page 258). If you are using a cluster without RBAC, or with RBAC disabled, all your Secrets are available to every user and every container (later we explain why you should never run production clusters without RBAC).

Encryption of data at rest

What about those who have access to the etcd database in which Kubernetes stores all its information? Can they read sensitive data without permission to read Secrets through the API?

Since version 1.7, Kubernetes has supported encryption of data at rest. This means that sensitive information inside etcd is stored encrypted on disk and cannot be read even by those with direct access to the database. To decrypt it, you need a key that only the Kubernetes API server has. In a properly configured cluster, encryption at rest should be enabled.

You can check whether encryption at rest is active in your cluster like this:

kubectl describe pod -n kube-system -l component=kube-apiserver | grep encryption
        --experimental-encryption-provider-config=...

If you don't see the experimental-encryption-provider-config flag, encryption at rest is not enabled. If you use Google Kubernetes Engine or another managed Kubernetes service, your data is encrypted by a different mechanism, so the flag will not be present. Check with your Kubernetes provider to find out whether the contents of etcd are encrypted.

Keeping Secrets

Some Kubernetes resources should never be removed from the cluster, such as highly sensitive Secrets. You can protect a resource from deletion with an annotation provided by the Helm package manager:

kind: Secret
metadata:
    annotations:
        "helm.sh/resource-policy": keep

Strategies for managing Secrets

In the example from the previous section, the sensitive data is protected from unauthorised access as soon as it is stored in the cluster. But in the manifest files it is kept as plain text.

You should never put secret information into files under version control. So how do you manage and store this information securely before applying it to your Kubernetes cluster?

You can choose any tools or techniques for managing sensitive data in your applications, but you will still need to answer at least the following questions:

  • Where should sensitive data be stored so that it is highly available?
  • How do you make sensitive data available to your running applications?
  • What should happen to your applications when you change or edit sensitive data?

About the authors

John Arundel is a consultant with 30 years of experience in the computer industry. He has written several books and works with many companies in different countries, advising on cloud-native infrastructure and Kubernetes. In his spare time he enjoys surfing, is a keen rifle shooter, and plays the piano like a beginner. He lives in a fairytale house in Cornwall, England.

Justin Domingus is a systems administration engineer working in DevOps with Kubernetes and cloud technologies. He enjoys spending time outdoors, drinking coffee, crabbing, and sitting at the computer. He lives in Seattle, Washington, with a wonderful cat and his even more wonderful wife and best friend, Adrienne.

» More information about the book can be found on the publisher's website
» Table of contents
» Excerpt

A 25% discount for Habr readers with the coupon code - Kubernetes

After payment for the paper version of the book, the e-book will be sent by e-mail.

Source: www.habr.com
