Kubernetes 1.14: overview of the main new features


Tonight the next Kubernetes release, 1.14, will take place. Following the tradition established on our blog, we talk about the key changes in the new version of this wonderful Open Source product.

The information used to prepare this material was taken from the Kubernetes enhancements tracking table, CHANGELOG-1.14 and the related issues, pull requests, and Kubernetes Enhancement Proposals (KEP).

Let's start with an important introduction from SIG cluster-lifecycle: dynamic failover Kubernetes clusters (or, more precisely, self-hosted HA deployments) can now be created using the familiar (in the context of single-node clusters) kubeadm commands (init and join). In short, for this:

  • the certificates used by the cluster are moved to secrets;
  • to use an etcd cluster inside the K8s cluster (i.e. to remove the previously existing external dependency), the etcd-operator is used;
  • the recommended settings for an external load balancer that provides a fault-tolerant configuration are documented (in the future it is planned to remove this dependency, but not at this stage).

Architecture of a Kubernetes HA cluster built with kubeadm

Implementation details can be found in the design proposal. This feature has been truly long-awaited: the alpha version was expected back in K8s 1.9, but it has only appeared now.

API

The apply command and declarative object management in general have been moved from kubectl to the apiserver. The developers themselves briefly explain their decision by saying that kubectl apply is a fundamental part of working with configurations in Kubernetes, yet it "is full of bugs and hard to fix", so this functionality needs to be brought back to normal and moved to the control plane. Simple and clear examples of the problems that exist today:


Details about the implementation are in the KEP. The current readiness is alpha (promotion to beta is planned for the next Kubernetes release).

Available in alpha is the ability to use the OpenAPI v3 schema to create and publish OpenAPI documentation for CustomResources (CR), which is used to validate (server-side) user-defined K8s resources (CustomResourceDefinition, CRD). Publishing OpenAPI for CRDs allows clients (e.g. kubectl) to perform validation on their side (within kubectl create and kubectl apply) and to output documentation according to the schema (kubectl explain). Details are in the KEP.

Pre-existing logs are now opened with the O_APPEND flag (rather than O_TRUNC) to avoid losing logs in some situations and to make it convenient to truncate logs with external utilities for rotation.
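Added example (not from the original article and not kubelet code): a Go program that reopens an existing log with each flag and then truncates it in place, as an external rotation tool would. The file name and sample records are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Constructed sample records (not real kubelet output).
const oldLog, rec1, rec2 = "kept from before restart\n", "first after reopen\n", "second\n"

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func size(path string) int64 {
	st, err := os.Stat(path)
	check(err)
	return st.Size()
}

// reopenAndRotate reopens an existing log with the given flag, writes rec1,
// truncates the file in place, then writes rec2 through the same descriptor.
// It returns the size right after the reopen and after the last write.
func reopenAndRotate(flag int) (afterOpen, afterRotate int64) {
	dir, err := os.MkdirTemp("", "logdemo")
	check(err)
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "0.log") // hypothetical file name
	check(os.WriteFile(path, []byte(oldLog), 0o600))
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|flag, 0o600)
	check(err)
	defer f.Close()
	afterOpen = size(path) // 0 with O_TRUNC: the earlier content is gone

	_, err = f.WriteString(rec1)
	check(err)
	check(os.Truncate(path, 0)) // rotation tool empties the file in place
	_, err = f.WriteString(rec2) // the writer still holds its old descriptor
	check(err)
	return afterOpen, size(path)
}

func main() {
	fmt.Println(reopenAndRotate(os.O_TRUNC))  // second size includes a NUL-filled hole
	fmt.Println(reopenAndRotate(os.O_APPEND)) // old content kept, clean restart after truncation
}
```

Without O_APPEND the writer keeps its old offset after the truncation, so the rotated file starts with a run of NUL bytes, which is worth knowing when a log shipper or forensic parser reads it.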

Also in the context of the Kubernetes API, it can be noted that a runtime_handler field has been added to PodSandbox and PodSandboxStatus to record information about the RuntimeClass of the pod (read more about it in the article on the Kubernetes 1.12 release, where this class appeared as an alpha), and Admission Webhooks gained the ability to specify which versions of AdmissionReview they support. Finally, the scope of Admission Webhooks rules can now be limited to namespaces and to cluster scope.

Storage

PersistentLocalVolumes, which had beta status since the release of K8s 1.10, has been declared stable (GA): this feature gate can no longer be disabled and will be removed in Kubernetes 1.17.

The ability to use environment variables from the so-called Downward API (for example, the pod name) for the names of directories mounted as subPath has been developed further, in the form of a new subPathExpr field, which is now used to determine the desired directory name. The feature first appeared in Kubernetes 1.11, but in 1.14 it remained in alpha status.

As in the previous Kubernetes release, many significant changes are introduced for the actively developing CSI (Container Storage Interface):

CSI

Support for resizing CSI volumes has become available (as an alpha). To use it, you need to enable the feature gate called ExpandCSIVolumes, and the specific CSI driver must support this operation.

Another CSI feature in alpha is the ability to refer directly (i.e. without using PV/PVC) to CSI volumes within the pod specification. This removes the restriction on using CSI exclusively as remote data storage, opening the door for it into the world of local ephemeral volumes. To use it (example from the documentation), the CSIInlineVolume feature gate must be enabled.

There has also been progress in the Kubernetes "internals" related to CSI, which are less visible to end users (system administrators)... Currently, developers are forced to maintain two versions of each storage plugin: one "the old way", inside the K8s codebase (in-tree), and the second as part of the new CSI (read more about it, for example, here). This causes understandable inconvenience that needs to be addressed as CSI itself stabilizes. It is not possible to simply deprecate the API of the internal (in-tree) plugins because of the relevant Kubernetes policy.

All this led to the alpha version of a process for migrating the internal plugin code, implemented as in-tree, to CSI plugins. Thanks to it, the developers' burden will be reduced to maintaining a single version of their plugins, while compatibility with the old APIs will remain and they can be declared deprecated in the usual way. It is expected that by the next Kubernetes release (1.15) all cloud provider plugins will be migrated, the implementation will receive beta status and will be enabled in K8s installations by default. For details, see the design proposal. This migration also resulted in dropping the volume limits defined by specific cloud providers (AWS, Azure, GCE, Cinder).

In addition, support for block devices with CSI (CSIBlockVolume) has been moved to beta.

Nodes/Kubelet

An alpha version of a new endpoint in Kubelet has been introduced, designed to return metrics for the core resources. Generally speaking, whereas Kubelet previously obtained container usage statistics from cAdvisor, this data now comes from the container runtime via CRI (Container Runtime Interface), while compatibility with older versions of Docker is also preserved. Previously, the statistics collected in Kubelet were served via the REST API, but now an endpoint located at /metrics/resource/v1alpha1 is used. The developers' long-term strategy is to minimize the set of metrics provided by Kubelet. By the way, these metrics themselves are now called not "core metrics" but "resource metrics", and are described as "first-class resources, such as cpu and memory".

A very interesting nuance: despite the clear performance advantage of a gRPC endpoint compared with various cases of using the Prometheus format (see the result of one of the benchmarks below), the authors preferred the Prometheus text format because of the clear leadership of this monitoring system in the community.

"gRPC is not compatible with major monitoring pipelines. The endpoint will only be useful for delivering metrics to Metrics Server or to monitoring components that integrate with it directly. The performance of the Prometheus text format when using caching in Metrics Server is good enough for us to prefer Prometheus over gRPC given the widespread adoption of Prometheus in the community. Once the OpenMetrics format becomes more stable, we will be able to approach gRPC performance with a proto-based format."

One of the comparative performance tests of using the gRPC and Prometheus formats in the new Kubelet endpoint for metrics. More graphs and other details can be found in the KEP.

Among other changes:

  • Kubelet now tries (once) to stop containers in an unknown state before restart and delete operations.
  • When using PodPresets, the same information is now added to the init container as to a regular container.
  • kubelet started using usageNanoCores from the CRI stats provider, and network statistics were added for nodes and containers on Windows.
  • Operating system and architecture information is now recorded in the kubernetes.io/os and kubernetes.io/arch labels of Node objects (moved from beta to GA).
  • The ability to specify a particular system user group for containers in a pod (RunAsGroup, which appeared in K8s 1.11) has advanced to beta (enabled by default).
  • du and find, used in cAdvisor, have been replaced with Go implementations.

CLI

In cli-runtime and kubectl, the -k flag was added for integration with kustomize (by the way, its development is now carried out in a separate repository), i.e. for processing additional YAML files from special kustomization directories (for details on using them, see the KEP):

An example of simple usage of a kustomization file (a more complex application of kustomize is possible within overlays)

In addition:

  • A new kubectl create cronjob command has been added, whose name speaks for itself.
  • In kubectl logs you can now combine the -f flag (--follow, for streaming logs) and the -l flag (--selector, for a label query).
  • kubectl has learned to copy files selected by wildcard.
  • The --all flag has been added to the kubectl wait command to select all resources in the namespace of the specified resource type.

Other

The following features have reached stable status (GA):

Other changes introduced in Kubernetes 1.14:

  • The default RBAC policy no longer grants access to the discovery and access-review APIs to unauthenticated users.
  • Official CoreDNS support is provided for Linux only, so when using kubeadm to deploy it (CoreDNS) in a cluster, the nodes must run only on Linux (nodeSelectors are used for this restriction).
  • The default CoreDNS configuration now uses the forward plugin instead of proxy. Also, a readinessProbe has been added to CoreDNS, which prevents load balancing to the corresponding pods (those not ready to serve).
  • In kubeadm, in the init or upload-certs phases, it has become possible to upload the certificates required to join a new control plane to the kubeadm-certs secret (use the --experimental-upload-certs flag).
  • An alpha version of gMSA (Group Managed Service Account) support has appeared for Windows installations: special accounts in Active Directory that can also be used by containers.
  • For GCE, mTLS encryption between etcd and kube-apiserver has been enabled.
  • Updates to used/dependent software: Go 1.12.1, CSI 1.1, CoreDNS 1.3.1, Docker 18.09 support in kubeadm, and the minimum supported Docker API version is now 1.26.


Source: www.habr.com
