Abantu abaningi bacabanga ukuthi kwanele ukudlulisela isicelo ku-Kubernetes (kungaba usebenzisa i-Helm noma ngesandla) - futhi kuyoba nenjabulo. Kodwa akuyona yonke into elula kangaka.
Ithimba ihumushe indatshana kanjiniyela we-DevOps uJulian Gindy. Ukutshela ukuthi yiziphi izingibe inkampani yakhe ebhekane nazo ngesikhathi sokufuduka ukuze unganyatheli erekeni elifanayo.
Isinyathelo sokuqala: Setha izicelo ze-Pod kanye nemikhawulo
Ake siqale ngokusetha indawo ehlanzekile lapho ama-pods ethu azosebenza khona. I-Kubernetes inhle ekuhleleni i-pod kanye nokuhluleka. Kodwa kwavela ukuthi umhleli ngezinye izikhathi akakwazi ukubeka i-pod uma kunzima ukulinganisa ukuthi zingaki izinsiza ezidinga ukusebenza ngempumelelo. Yilapho izicelo zezinsiza nemikhawulo zivela khona. Kunezinkulumo mpikiswano eziningi mayelana nendlela engcono kakhulu yokubeka izicelo nemikhawulo. Ngezinye izikhathi kubonakala sengathi lokhu kuwubuciko ngempela kunesayensi. Nansi indlela yethu.
Izicelo ze-Pod inani eliyinhloko elisetshenziswa umhleli ukubeka kahle i-pod.
Из : Isinyathelo sokuhlunga sichaza isethi yamanodi lapho iPod ingahlelwa khona. Isibonelo, isihlungi se-PodFitsResources siyahlola ukuze sibone ukuthi inodi inazo yini izisetshenziswa ezanele zokwanelisa izicelo ezithile zensiza ezivela kuphod.
Sisebenzisa izicelo zohlelo lokusebenza ngendlela yokuthi sikwazi ukulinganisa ukuthi zingaki izinsiza Empeleni Uhlelo lokusebenza luyidinga ukuze lusebenze kahle. Ngale ndlela umhleli angabeka amanodi ngokweqiniso. Ekuqaleni, besifuna ukuhlela kakhulu izicelo ukuze siqinisekise izinsiza ezanele ze-Pod ngayinye, kodwa saqaphela ukuthi isikhathi sokuhlela sikhuphuke kakhulu, futhi amanye ama-Pods ayengahlelwanga ngokugcwele, njengokungathi azikho izicelo zensiza kuzo.
Kulokhu, umhleli wayevame "ukumpintsha" ama-pods futhi angakwazi ukuwahlela kabusha ngenxa yokuthi indiza yokulawula yayingazi ukuthi zingakanani izinsiza ezizodingeka isicelo, okuyingxenye eyinhloko ye-algorithm yokuhlela.
Imikhawulo ye-Pod umkhawulo ocacile we-pod. Imele inani eliphezulu lezinsiza iqoqo elizokwabela isiqukathi.
Futhi, kusukela : Uma isiqukathi sinomkhawulo wenkumbulo ongu-4 GiB, i-kubelet (nesikhathi sokusebenza kwesiqukathi) kuzokuphoqelela. Isikhathi sokusebenza sivimbela isiqukathi ukuthi singasebenzisi ngaphezu komkhawulo wensiza oshiwo. Isibonelo, uma inqubo esitsheni izama ukusebenzisa ngaphezu kwenani elivunyelwe lememori, i-kernel yesistimu inqamula inqubo ngephutha elithi "out of memory" (OOM).
Isiqukathi singahlala sisebenzisa izinsiza eziningi kunalokho okushiwo isicelo, kodwa asikwazi ukusebenzisa okungaphezu komkhawulo. Leli nani linzima ukulibeka ngendlela efanele, kodwa libaluleke kakhulu.
Ngokufanelekile, sifuna ukuthi izidingo zensiza ze-pod zishintshe phakathi nomjikelezo wempilo wenqubo ngaphandle kokuphazamisa ezinye izinqubo ohlelweni - lena inhloso yokubeka imikhawulo.
Ngeshwa, angikwazi ukunikeza imiyalelo eqondile yokuthi yimaphi amanani okufanele abekwe, kodwa thina ngokwethu sinamathela kule mithetho elandelayo:
- Sisebenzisa ithuluzi lokuhlola umthwalo, silingisa ileveli eyisisekelo yethrafikhi futhi sibheke ukusetshenziswa kwezinsiza ze-pod (inkumbulo nephrosesa).
- Setha izicelo ze-pod kunani eliphansi ngokungafanele (elinomkhawulo wensiza cishe izikhathi ezi-5 zevelu yezicelo) futhi uqaphele. Uma izicelo zisezingeni eliphansi kakhulu, inqubo ayikwazi ukuqala, ngokuvamile ibangela amaphutha e-cryptic Go runtime.
Ngiyaqaphela ukuthi imikhawulo ephezulu yezinsiza yenza ukuhlela kube nzima kakhulu ngoba i-pod idinga indawo eqondiwe enezinsiza ezanele ezitholakalayo.
Cabanga ngesimo lapho uneseva yewebhu engasindi enomkhawulo wensiza ephezulu kakhulu, njengo-4 GB wememori. Le nqubo cishe izodinga ukulinganiswa ngokuvundlile, futhi i-pod entsha ngayinye izodinga ukuthi ihlelwe endaweni enenkumbulo okungenani engu-4 GB etholakalayo. Uma ingekho i-node enjalo ekhona, iqoqo kufanele lethule i-node entsha ukucubungula le pod, okungase kuthathe isikhathi. Kubalulekile ukuzuza umehluko omncane phakathi kwezicelo zensiza kanye nemikhawulo ukuze uqinisekise ukukala okusheshayo nokushelelayo.
Isinyathelo Sesibili: Setha Izivivinyo Zokuphila Nokulungela
Lesi ngesinye isihloko esicashile esivame ukuxoxwa ngaso emphakathini wakwaKubernetes. Kubalulekile ukuqonda kahle izivivinyo ze-Liveness and Readiness njengoba zinikeza indlela yokusebenza okuzinzile kwesofthiwe futhi zinciphisa isikhathi sokuphumula. Nokho, zingaba nomthelela omubi ekusebenzeni kohlelo lwakho lokusebenza uma zingalungiselelwe kahle. Ngezansi isifinyezo salokho omabili amasampuli ayini.
Ukuphila ikhombisa uma isiqukathi siyasebenza. Uma ihluleka, i-kubelet ibulala isiqukathi futhi inqubomgomo yokuqalisa kabusha inikwe amandla kuso. Uma isiqukathi singahlomile nge-Liveness Probe, isimo esimisiwe sizoba yimpumelelo - njengoba kushiwo ku .
Ama-Liveness probe kufanele ashibhile, okungukuthi angadli izinsiza eziningi, ngoba asebenza njalo futhi kufanele azise u-Kubernetes ukuthi uhlelo lokusebenza luyasebenza.
Uma usetha inketho yokusebenzisa umzuzwana ngamunye, lokhu kuzongeza isicelo esingu-1 ngomzuzwana, ngakho-ke qaphela ukuthi izinsiza ezengeziwe zizodingeka ukucubungula le thrafikhi.
Enkampanini yethu, ukuhlolwa kwe-Liveness kuhlola izingxenye eziyinhloko zohlelo lokusebenza, ngisho noma idatha (isibonelo, evela kusizindalwazi esikude noma inqolobane) ingatholakali ngokugcwele.
Senze indawo yokugcina "yezempilo" ezinhlelweni zokusebenza evele ibuyisele ikhodi yokuphendula engu-200. Lesi yinkomba yokuthi inqubo iyasebenza futhi iyakwazi ukuphatha izicelo (kodwa hhayi ithrafikhi okwamanje).
Zama Ukulungela ikhombisa ukuthi isiqukathi sikulungele yini ukunikeza izicelo. Uma i-probe yokulungela ihluleka, isilawuli sephoyinti lokugcina sisusa ikheli le-IP le-pod ezindaweni zokugcina zazo zonke izinsiza ezifana ne-pod. Lokhu kushiwo futhi emibhalweni ye-Kubernetes.
I-probe yokulungela idla izinsiza ezengeziwe, njengoba kufanele ishaye i-backend ngendlela ebonisa ukuthi isicelo sikulungele ukwamukela izicelo.
Kunenkulumompikiswano enkulu emphakathini mayelana nokuthi ungayifinyelela yini isizindalwazi ngokuqondile. Uma sicabangela i-overhead (ukuhlola kuvame, kodwa kungalawuleka), sinqume ukuthi kwezinye izinhlelo zokusebenza, ukulungela ukunikeza ithrafikhi kubalwa kuphela ngemva kokuhlola ukuthi amarekhodi abuyiswa kusizindalwazi. Izilingo zokulungela eziklanywe kahle ziqinisekise amazinga aphezulu okutholakala futhi zaqeda isikhathi sokuphumula phakathi nokuthunyelwa.
Uma unquma ukubuza kusizindalwazi ukuze uhlole ukulungela kwesicelo sakho, qiniseka ukuthi ishibhile ngangokunokwenzeka. Ake siphendule lo mbuzo:
SELECT small_item FROM table LIMIT 1Nasi isibonelo sendlela esiwamisa ngayo la manani amabili ku-Kubernetes:
livenessProbe:
httpGet:
path: /api/liveness
port: http
readinessProbe:
httpGet:
path: /api/readiness
port: http periodSeconds: 2
Ungangeza ezinye izinketho zokumisa ezengeziwe:
initialDelaySeconds- zingaki imizuzwana ezodlula phakathi kokwethulwa kwesitsha kanye nokuqala kokwethulwa kwama-probes.periodSeconds— isikhawu sokulinda phakathi kokugijima kwesampula.timeoutSeconds- inani lamasekhondi ngemva kwalokho iphodi ithathwa njengephuthumayo. Isikhathi sokuvala esijwayelekile.failureThresholdinombolo yokuhluleka kokuhlolwa ngaphambi kokuba isignali yokuqalisa kabusha ithunyelwe ku-pod.successThresholdinombolo yezilingo eziyimpumelelo ngaphambi kokuba i-pod ishintshele esimweni esilungile (ngemuva kokwehluleka lapho i-pod iqala noma ilulama).
Isinyathelo Sesithathu: Ukusetha Izinqubomgomo Zenethiwekhi Ezizenzakalelayo Ze-Pod
I-Kubernetes inesimo senethiwekhi "esicaba", ngokuzenzakalelayo wonke ama-pods axhumana ngokuqondile. Kwezinye izimo lokhu akufiseleki.
Inkinga yezokuphepha engaba khona ukuthi umhlaseli angasebenzisa uhlelo lokusebenza olulodwa olusengozini ukuthumela ithrafikhi kuwo wonke ama-pods akunethiwekhi. Njengasezindaweni eziningi zokuvikeleka, isimiso sokungabi nalungelo elincane siyasebenza lapha. Ngokufanelekile, izinqubomgomo zenethiwekhi kufanele zisho ngokucacile ukuthi yikuphi ukuxhumana phakathi kwama-pods okuvunyelwe nokuthi yikuphi okungavumelekile.
Isibonelo, okulandelayo inqubomgomo elula enqabela yonke ithrafikhi engenayo yendawo ethile yamagama:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
spec:
podSelector: {}
policyTypes:
- Ingress
Ukubonakala kwalokhu kulungiselelwa:
(https://miro.medium.com/max/875/1*-eiVw43azgzYzyN1th7cZg.gif)
Imininingwane eminingi .
Isinyathelo Sesine: Ukuziphatha Ngokwezifiso Okunamahhuku neziqukathi ze-Init
Enye yezinhloso zethu ezinkulu bekuwukuhlinzeka ngokuphakela e-Kubernetes ngaphandle kwesikhathi sokuphumula konjiniyela. Lokhu kunzima ngoba kunezinketho eziningi zokuvala izinhlelo zokusebenza nokukhulula izinsiza ezisetshenzisiwe.
Kwavela ubunzima obukhethekile . Siqaphele ukuthi lapho sisebenzisa lawa ma-Pods ngokulandelana, ukuxhumana okusebenzayo kuye kwaphazamiseka ngaphambi kokuqeda ngempumelelo.
Ngemuva kocwaningo olunzulu ku-inthanethi, kuvele ukuthi uKubernetes akalindi ukuthi ukuxhumana kwe-Nginx kuphele amandla ngaphambi kokuvala i-pod. Ngosizo lwe-pre-stop hook, sisebenzise lokhu okulandelayo futhi saqeda ngokuphelele isikhathi sokuphumula:
lifecycle:
preStop:
exec:
command: ["/usr/local/bin/nginx-killer.sh"]
Kodwa nginx-killer.sh:
#!/bin/bash
sleep 3
PID=$(cat /run/nginx.pid)
nginx -s quit
while [ -d /proc/$PID ]; do
echo "Waiting while shutting down nginx..."
sleep 10
done
Enye i-paradigm ewusizo kakhulu ukusetshenziswa kweziqukathi ze-init ukuphatha ukwethulwa kwezinhlelo ezithile zokusebenza. Lokhu kuwusizo ikakhulukazi uma unenqubo yokuthutha yesizindalwazi esigxile kakhulu okufanele siqaliswe ngaphambi kokuthi isicelo siqale. Ungaphinda ucacise umkhawulo ophezulu wensiza wale nqubo ngaphandle kokusetha umkhawulo onjalo wohlelo lokusebenza oluyinhloko.
Olunye uhlelo oluvamile ukufinyelela izimfihlo ku-container ye-init, enikeza lezi ziqinisekiso kumojula eyinhloko, okuvimbela ukufinyelela okungagunyaziwe kwezimfihlo kusuka kumojula yesicelo esiyinhloko ngokwayo.
Njengokujwayelekile, isicaphuna esivela kumadokhumenti: iziqukathi ze-init zisebenzisa ngokuphephile ikhodi yomsebenzisi noma izinsiza ezingafaka engozini ukuvikeleka kwesithombe sesiqukathi sohlelo lokusebenza. Ngokugcina amathuluzi angadingekile ehlukene, ukhawulela indawo yokuhlasela yesithombe sesiqukathi sohlelo lokusebenza.
Isinyathelo Sesihlanu: Ukucushwa Kwe-Kernel
Ekugcineni, ake sikhulume ngendlela ethuthuke kakhulu.
I-Kubernetes iyinkundla evumelana nezimo ngokwedlulele ekuvumela ukuthi usebenzise imithwalo yemisebenzi noma ngabe ubona kufanelekile. Sinenani lezinhlelo zokusebenza ezisebenza kahle kakhulu ezidinga izinsiza kakhulu. Ngemva kokwenza ukuhlola okubanzi komthwalo, sithole ukuthi enye yezinhlelo zokusebenza ibinobunzima bokuhambisana nomthwalo wethrafikhi olindelwe lapho izilungiselelo ezizenzakalelayo ze-Kubernetes zisebenza.
Kodwa-ke, i-Kubernetes ikuvumela ukuthi usebenzise isitsha esinenhlanhla esishintsha kuphela amapharamitha e-kernel ye-pod ethile. Nakhu esikusebenzisile ukushintsha inombolo enkulu yokuxhumana okuvuliwe:
initContainers:
- name: sysctl
image: alpine:3.10
securityContext:
privileged: true
command: ['sh', '-c', "sysctl -w net.core.somaxconn=32768"]
Lena indlela ethuthuke kakhulu ngokuvamile engadingeki. Kodwa uma uhlelo lwakho lokusebenza ludonsa kanzima ukubhekana nomthwalo osindayo, ungazama ukulungisa ezinye zalezi zilungiselelo. Ulwazi olwengeziwe mayelana nale nqubo nokusetha amanani ahlukene - njengenjwayelo .
Ekuphethweni
Nakuba i-Kubernetes ingase ibonakale njengesixazululo esingaphandle kwebhokisi, kunezinyathelo ezimbalwa ezibalulekile okufanele zithathwe ukuze kugcinwe izinhlelo zokusebenza zisebenza kahle.
Kukho konke ukuthuthela e-Kubernetes, kubalulekile ukulandela "umjikelezo wokuhlola umthwalo": sebenzisa uhlelo lokusebenza, luhlole ngaphansi komthwalo, bheka ama-metrics nokuziphatha kokukala, lungisa ukulungiselelwa ngokusekelwe kule datha, bese uphinda lo mjikelezo futhi.
Bheka okwenzekayo mayelana nethrafikhi elindelekile futhi uzame ukweqa ukuze ubone ukuthi yiziphi izingxenye eziphuka kuqala. Ngale ndlela yokuphindaphinda, izincomo ezimbalwa kuphela ezisohlwini ezinganele ukuze kuzuzwe impumelelo. Noma kungase kudingeke ukwenza ngezifiso okujulile.
Hlala uzibuza le mibuzo:
- Zingaki izinsiza ezisetshenziswa izinhlelo zokusebenza futhi leli nani lizoshintsha kanjani?
- Yiziphi izidingo zangempela zokukala? Uhlelo lokusebenza luzosingatha ithrafikhi engakanani ngokwesilinganiso? Kuthiwani ngethrafikhi ephezulu?
- Isevisi izodinga kangaki ukuba ikhule? Ama-pod amasha adinga ukuvuka futhi asebenze ngokushesha kangakanani ukuze amukele ithrafikhi?
- Ama-pods avalwa kahle kangakanani? Ingabe kuyadingeka nhlobo? Kungenzeka yini ukufeza ukuthunyelwa ngaphandle kwesikhathi sokuphumula?
- Ungazinciphisa kanjani izingozi zokuphepha futhi ukhawule umonakalo kunoma yimaphi ama-pods asengozini? Ingabe kukhona izinsiza ezinezimvume noma ukufinyelela ezingakudingi?
I-Kubernetes inikeza inkundla emangalisayo ekuvumela ukuthi usebenzise imikhuba engcono kakhulu ukuze usebenzise izinkulungwane zezinsizakalo kuqoqo. Nokho, zonke izinhlelo zokusebenza zihlukile. Ngezinye izikhathi ukuqaliswa kudinga umsebenzi omningi kancane.
Ngenhlanhla, i-Kubernetes inikeza izilungiselelo ezidingekayo ukuze kuzuzwe yonke imigomo yezobuchwepheshe. Ngokusebenzisa inhlanganisela yezicelo zensiza kanye nemikhawulo, ama-Liveness and Readiness probes, iziqukathi ze-init, izinqubomgomo zenethiwekhi, nokushuna kwe-kernel yangokwezifiso, ungafinyelela ukusebenza okuphezulu kanye nokubekezelela amaphutha kanye nokuqina okusheshayo.
Okunye ongakufunda:
- .
- .
- .
Source: www.habr.com