U-Pavel Selivanov, umakhi wezixazululo ze-Southbridge kanye nothisha we-Slurm, wenze isethulo ku-DevOpsConf 2019. Le nkulumo iyingxenye yesinye sezihloko zesifundo esijulile se-Kubernetes "Slurm Mega".
kwenzeka eMoscow ngoNovemba 18-20.
- Moscow, Novemba 22-24.
itholakala njalo.
Ngezansi kokusikiwe kunombhalo wombiko.
Sanibonani ntambama, ozakwethu nalabo abazwelana nabo. Namuhla ngizokhuluma ngezokuphepha.
Ngiyabona ukuthi baningi onogada ehholo namuhla. Ngiyaxolisa kuwe kusenesikhathi uma ngisebenzisa imigomo evela emhlabeni wezokuvikela hhayi ngendlela oyijwayele.
Kwenzeka ukuthi cishe ezinyangeni eziyisithupha ezedlule ngathola iqoqo elilodwa lomphakathi le-Kubernetes. Okusesidlangalaleni kusho ukuthi kunenombolo engu-nth yezikhala zamagama; kulezi zindawo zamagama kukhona abasebenzisi abahlukanisiwe endaweni yabo yamagama. Bonke laba basebenzisi bangabezinkampani ezahlukene. Nokho, kwakucatshangwa ukuthi leli qoqo kufanele lisetshenziswe njenge-CDN. Okusho ukuthi, bakunikeza iqoqo, bakunikeza umsebenzisi lapho, uya lapho endaweni yakho yamagama, sebenzisa ama-fronts akho.
Inkampani yami yangaphambilini yazama ukuthengisa insiza enjalo. Futhi ngacelwa ukuba ngihlohle iqoqo ukuze ngibone ukuthi lesi sixazululo sasifanelekile noma cha.
Ngifike kuleli qoqo. Nganikezwa amalungelo alinganiselwe, indawo yamagama elinganiselwe. Izinsizwa ezazilapho zaziqonda ukuthi kuyini ukuphepha. Bafunde mayelana nokulawulwa kokufinyelela okusekelwe ku-Role-based (RBAC) ku-Kubernetes - futhi bayisonta ukuze ngingakwazi ukwethula ama-pods ngokuhlukene nokusetshenziswa. Angikhumbuli inkinga engangizama ukuyixazulula ngokwethula i-pod ngaphandle kokuthunyelwa, kodwa ngangifuna ngempela ukwethula i-pod nje. Ngenhlanhla, nginqume ukubona ukuthi yimaphi amalungelo enginawo kuqoqo, yini engingayenza, yini engingakwazi ukuyenza, kanye nokuthi yini abayiphambanisile lapho. Ngesikhathi esifanayo, ngizokutshela ukuthi yini abayilungise ngokungalungile ku-RBAC.
Kwenzeka ukuthi emizuzwini emibili ngithole u-admin eqenjini labo, ngibheke zonke izikhala zamagama ezingomakhelwane, ngabona izindawo zokukhiqiza ezisebenzayo zezinkampani esezithenge kakade le nsizakalo futhi zisetshenzisiwe. Ngangingakwazi ukuzivimba ukuthi ngiye phambi komuntu futhi ngibeke inhlamba ekhasini eliyinhloko.
Ngizokutshela ngezibonelo ukuthi ngenze kanjani lokhu nokuthi ungazivikela kanjani kulokhu.
Kodwa okokuqala, ake ngizethule. Igama lami nginguPavel Selivanov. Ngiyi-architect e-Southbridge. Ngiyawaqonda ama-Kubernetes, ama-DevOps nazo zonke izinhlobo zezinto zikanokusho. Mina nonjiniyela baseSouthbridge sakha konke lokhu, futhi ngiyabonisana.
Ukwengeza emisebenzini yethu eyinhloko, sisanda kwethula amaphrojekthi abizwa ngokuthi ama-Slurms. Sizama ukuletha ikhono lethu lokusebenza noKubernetes kancane kubantu abaningi, ukufundisa abanye abantu ukuthi nabo basebenze nama-K8.
Ngizokhuluma ngani namuhla? Isihloko sombiko sisobala - mayelana nokuphepha kweqoqo le-Kubernetes. Kodwa ngifuna ukusho ngokushesha ukuthi lesi sihloko sikhulu kakhulu - ngakho-ke ngifuna ukucacisa ngokushesha lokho engingeke ngikhulume ngakho. Ngeke ngikhulume ngamatemu e-hackneyed asevele asetshenziswa izikhathi eziyikhulu ku-inthanethi. Zonke izinhlobo ze-RBAC nezitifiketi.
Ngizokhuluma ngalokho okungizwisa ubuhlungu mina nozakwethu ngokuvikeleka eqenjini le-Kubernetes. Sibona lezi zinkinga kokubili phakathi kwabahlinzeki abahlinzeka ngamaqoqo e-Kubernetes naphakathi kwamaklayenti eza kithi. Futhi ngisho nakumakhasimende eza kithi evela kwezinye izinkampani ezibonisana nomqondisi. Okusho ukuthi, izinga lenhlekelele empeleni likhulu kakhulu.
Kukhona amaphuzu amathathu engizokhuluma ngawo namuhla:
- Amalungelo omsebenzisi vs amalungelo e-pod. Amalungelo omsebenzisi namalungelo e-pod akuyona into efanayo.
- Ukuqoqa ulwazi mayelana neqoqo. Ngizobonisa ukuthi ungakwazi ukuqoqa lonke ulwazi oludingayo kuqoqo ngaphandle kokuba namalungelo akhethekile kuleli qoqo.
- I-DoS ihlasela iqoqo. Uma singakwazi ukuqoqa ulwazi, sizokwazi ukubeka iqoqo kunoma iyiphi indlela. Ngizokhuluma ngokuhlaselwa kwe-DoS ezintweni zokulawula iqoqo.
Okunye okujwayelekile engizokubalula yilokho engikuhlole ngakho konke lokhu, engingakusho ngokuqinisekile ukuthi konke kuyasebenza.
Sithatha njengesisekelo ukufakwa kweqoqo le-Kubernetes kusetshenziswa i-Kubespray. Uma noma ubani engazi, lena empeleni isethi yezindima ze-Ansible. Siyisebenzisa njalo emsebenzini wethu. Okuhle ukuthi ungakwazi ukuyigingqa noma yikuphi - ungayigingqa ezingxenyeni zensimbi noma efwini ndawana thize. Indlela yokufaka eyodwa isebenza ngokomthetho kukho konke.
Kuleli qoqo ngizoba ne-Kubernetes v1.14.5. Iqoqo lonke le-Cube, esizolicabangela, lihlukaniswe laba yizikhala zamagama, indawo yamagama ngayinye ingeyeqembu elihlukile, futhi amalungu aleli thimba ayakwazi ukufinyelela endaweni yamagama ngayinye. Abakwazi ukuya ezindaweni zamagama ezehlukene, kwezabo kuphela. Kodwa kune-akhawunti ethile yomqondisi enamalungelo alo lonke iqoqo.
Ngethembisa ukuthi into yokuqala esizoyenza ukuthola amalungelo okuphatha e-cluster. Sidinga i-pod elungiselelwe ngokukhethekile ezophula iqoqo le-Kubernetes. Okufanele sikwenze ukukusebenzisa kwiqoqo le-Kubernetes.
kubectl apply -f pod.yamlLe pod izofika komunye wabaphathi beqoqo le-Kubernetes. Futhi ngemva kwalokhu iqoqo lizosibuyisela ngenjabulo ifayela elibizwa ngokuthi admin.conf. Ku-Cube, leli fayela ligcina zonke izitifiketi zomlawuli, futhi ngesikhathi esifanayo lilungiselela i-API yeqoqo. Lokhu kulula kangakanani ukuthola ukufinyelela komqondisi, ngicabanga, ama-98% wamaqoqo e-Kubernetes.
Ngiyaphinda, le pod yenziwe unjiniyela oyedwa kuqoqo lakho okwaziyo ukusebenzisa iziphakamiso zakhe endaweni eyodwa encane yamagama, konke kucishwe yi-RBAC. Wayengenawo amalungelo. Kodwa nokho isitifiketi sabuyiswa.
Futhi manje mayelana ne-pod elungiselelwe ngokukhethekile. Siyiqhuba kunoma yisiphi isithombe. Ake sithathe i-debian:jessie njengesibonelo.
Sinale nto:
tolerations:
- effect: NoSchedule
operator: Exists
nodeSelector:
node-role.kubernetes.io/master: "" Kuyini ukubekezelelana? Izingcweti eqoqweni le-Kubernetes ngokuvamile zimakwa ngokuthile okubizwa ngokuthi i-taint. Futhi ingqikithi yalokhu "ukutheleleka" ukuthi ithi ama-pods awakwazi ukwabelwa ama-master nodes. Kodwa akekho ohluphayo ukukhombisa kunoma iyiphi i-pod ukuthi ibekezelela "ukutheleleka". Isigaba Sokubekezelela sithi nje uma enye i-node ine-NoSchedule, khona-ke i-node yethu iyakubekezelela ukutheleleka okunjalo - futhi azikho izinkinga.
Ngaphezu kwalokho, sithi i-under yethu ayigcini nje ngokubekezelela, kodwa futhi ifuna ukukhomba ngokuqondile umphathi. Ngoba amakhosi anento emnandi kakhulu esiyidingayo - zonke izitifiketi. Ngakho-ke, sithi i-nodeSelector - futhi sinelebula evamile ku-masters, ekuvumela ukuthi ukhethe kuwo wonke ama-node ku-cluster lawo maphuzu angompetha.
Ngalezi zigaba ezimbili nakanjani uzofika enkosini. Futhi uyovunyelwa ukuba ahlale lapho.
Kodwa ukuza nje enkosini akuseneli. Lokhu ngeke kusinikeze lutho. Ngakho ngokulandelayo sinalezi zinto ezimbili:
hostNetwork: true
hostPID: true Sicacisa ukuthi i-pod yethu, esiyethula, izohlala endaweni yegama le-kernel, endaweni yamagama yenethiwekhi, kanye nendawo yamagama ye-PID. Uma i-pod yethulwe ku-master, izokwazi ukubona zonke izindawo zangempela, ezibukhoma zale node, ilalele yonke ithrafikhi futhi ibone i-PID yazo zonke izinqubo.
Bese kuba yindaba yezinto ezincane. Thatha etcd futhi ufunde okufunayo.
Into ethakazelisa kakhulu yilesi sici se-Kubernetes, esikhona ngokuzenzakalelayo.
volumeMounts:
- mountPath: /host
name: host
volumes:
- hostPath:
path: /
type: Directory
name: host Futhi ingqikithi yayo ukuthi singasho ku-pod esiyethula, ngisho nangaphandle kwamalungelo kuleli qoqo, ukuthi sifuna ukudala ivolumu yohlobo lwe-hostPath. Lokhu kusho ukuthatha indlela kumsingathi esizoyethula - futhi siyithathe njengevolumu. Bese sikubiza ngegama: umsingathi. Sifaka yonke le-hostPath ngaphakathi kwe-pod. Kulesi sibonelo, ku-directory ye-host.
Ngizophinda futhi. Sitshele i-pod ukuthi ize ku-master, ithole i-hostNetwork kanye ne-hostPID lapho - bese ufaka yonke impande yenkosi ngaphakathi kwale pod.
Uyaqonda ukuthi ku-Debian sine-bash esebenzayo, futhi le bash isebenza ngaphansi kwempande. Okusho ukuthi, sisanda kuthola izimpande ku-master, ngaphandle kokuba namalungelo kuqoqo le-Kubernetes.
Khona-ke wonke umsebenzi ukuya kusiqondisi esingaphansi / umsingathi / njll / kubernetes/pki, uma ngenza iphutha, thatha zonke izitifiketi eziyinhloko zeqoqo lapho futhi, ngokufanele, ube umlawuli weqoqo.
Uma ukubheka ngale ndlela, lawa amanye amalungelo ayingozi kakhulu kuma-pods - kungakhathaliseki ukuthi yimaphi amalungelo umsebenzisi anawo:
Uma nginamalungelo okusebenzisa i-pod endaweni ethile yegama leqoqo, khona-ke le pod inalawa malungelo ngokuzenzakalelayo. Ngingasebenzisa ama-pods akhethekile, futhi lawa ngokujwayelekile wonke amalungelo, ngokuyimpande ku-node.
Engikuthandayo umsebenzisi we-Root. Futhi i-Kubernetes inale nketho ethi Run As Non-Root. Lolu wuhlobo lokuvikela ku-hacker. Uyazi ukuthi liyini “igciwane laseMoldavian”? Uma ngokuzumayo ungumgebengu we-inthanethi futhi ufika eqenjini lami le-Kubernetes, khona-ke thina, abaphathi abampofu, siyabuza: “Ngicela ukhombise kuma-pods akho ozogebenga ngawo iqoqo lami, ugijime njengengeyona impande. Uma kungenjalo, kuzokwenzeka ukuthi uqhube inqubo ku-pod yakho ngaphansi kwempande, futhi kuzoba lula kakhulu ukuthi ungigebenge. Ngicela uzivikele kuwe."
Ivolumu yendlela yosokhaya, ngokubona kwami, iyindlela eshesha kakhulu yokuthola umphumela oyifunayo kuqoqo le-Kubernetes.
Kodwa kuthiwani ngakho konke lokhu?
Umcabango okufanele ufike kunoma yimuphi umlawuli ojwayelekile ohlangana noKubernetes uthi: “Yebo, ngikutshelile, uKubernetes akasebenzi. Kunemigodi kuwo. Futhi yonke iCube iyinkunzi.” Eqinisweni, kukhona into efana nemibhalo, futhi uma ubheka lapho, kunesigaba .
Lena into ye-yaml - singayidala kuqoqo le-Kubernetes - elilawula izici zokuphepha ngokuqondile encazelweni yama-pods. Okusho ukuthi, empeleni, ilawula amalungelo okusebenzisa noma iyiphi i-hostNetwork, i-hostPID, izinhlobo ezithile zevolumu ezikuma-pods ekuqaleni. Ngosizo lwe-Pod Security Policy, konke lokhu kungachazwa.
Into ethakazelisa kakhulu ngeNqubomgomo Yezokuphepha ye-Pod ukuthi kuqoqo le-Kubernetes, bonke abafaki be-PSP abachazwanga nganoma iyiphi indlela, bamane bakhutshazwe ngokuzenzakalelayo. Inqubomgomo Yokuphepha Ye-Pod inikwe amandla kusetshenziswa i-plugin yokungena.
Kulungile, ake sikhiphe Inqubomgomo Yokuphepha Ye-Pod kuqoqo, ake sithi sinama-pods wesevisi endaweni yamagama, lapho abalawuli kuphela abanokufinyelela. Ake sithi, kuzo zonke ezinye izimo, ama-pods anamalungelo alinganiselwe. Ngoba cishe abathuthukisi abadingi ukusebenzisa ama-pods akhethekile kuqoqo lakho.
Futhi konke kubonakala kuhamba kahle ngathi. Futhi iqoqo lethu le-Kubernetes alikwazi ukugetshengwa emizuzwini emibili.
Kunenkinga. Ngokunokwenzeka, uma uneqoqo le-Kubernetes, khona-ke ukuqapha kufakwa kuqoqo lakho. Ngingahamba ngize ngibikezele ukuthi uma iqoqo lakho linokuqapha, lizobizwa nge-Prometheus.
Engizokutshela khona kuzosebenza kukho kokubili u-opharetha we-Prometheus kanye ne-Prometheus elethwa ngendlela ehlanzekile. Umbuzo uwukuthi uma ngingakwazi ukuthola umlawuli kuqoqo ngokushesha okungaka, lokhu kusho ukuthi ngidinga ukubheka okwengeziwe. Futhi ngingakwazi ukusesha ngosizo lokuqapha kwakho.
Mhlawumbe wonke umuntu ufunde izindatshana ezifanayo ku-Habré, futhi ukuqapha kutholakala endaweni yamagama yokuqapha. Ishadi le-Helm libizwa cishe ngokufana kuwo wonke umuntu. Ngicabanga ukuthi uma wenza i-helm install stable/prometheus, uzogcina usunamagama cishe afanayo. Futhi cishe ngeke ngize ngiqagele igama le-DNS kuqoqo lakho. Ngoba isezingeni.
Okulandelayo sine-dev ns ethile, lapho ungasebenzisa khona i-pod ethile. Futhi-ke kusukela kule pod kulula kakhulu ukwenza into enjengale:
$ curl http://prometheus-kube-state-metrics.monitoring I-prometheus-kube-state-metrics ingomunye wabathumeli be-Prometheus abaqoqa amamethrikhi ku-Kubernetes API uqobo. Kukhona idatha eningi lapho, yini esebenza kuqoqo lakho, ukuthi iyini, yiziphi izinkinga onazo ngayo.
Njengesibonelo esilula:
kube_pod_container_info{namespace=“kube-system”,pod=”kube-apiserver-k8s- 1″,container=”kube-apiserver”,image=
"gcr.io/google-containers/kube-apiserver:v1.14.5"
,image_id=»docker-pullable://gcr.io/google-containers/kube- apiserver@sha256:e29561119a52adad9edc72bfe0e7fcab308501313b09bf99df4a96 38ee634989″,container_id=»docker://7cbe7b1fea33f811fdd8f7e0e079191110268f2 853397d7daf08e72c22d3cf8b»} 1
Ngokwenza isicelo esilula se-curl kusuka ku-pod engenamalungelo, ungathola imininingwane elandelayo. Uma ungazi ukuthi iyiphi inguqulo ye-Kubernetes oyisebenzisayo, izokutshela kalula.
Futhi into ejabulisa kakhulu ukuthi ngaphezu kokufinyelela i-kube-state-metrics, ungafinyelela kalula ku-Prometheus uqobo. Ungaqoqa amamethrikhi kusukela lapho. Ungakwazi ngisho nokwakha amamethrikhi ukusuka lapho. Ngisho ngokwethiyori, ungakha umbuzo onjalo kusuka kuqoqo ku-Prometheus, elizomane liwuvale. Futhi ukuqapha kwakho kuzoyeka ukusebenza kusukela kuqoqo ngokuphelele.
Futhi lapha umbuzo uphakama ukuthi ingabe kukhona ukugada kwangaphandle okuqapha ukuqapha kwakho. Ngisanda kuthola ithuba lokusebenza kuqoqo le-Kubernetes ngaphandle kwemiphumela kimina. Ngeke wazi nokuthi ngisebenza lapho, ngoba akusekho ukugadwa.
Njengakwi-PSP, kuzwakala sengathi inkinga ukuthi bonke lobu buchwepheshe obuphambili - i-Kubernetes, i-Prometheus - abusebenzi nje futhi bugcwele izimbobo. Akunjalo Empeleni.
Kukhona into enjalo - .
Uma ungumqondisi ojwayelekile, kungenzeka ukuthi uyazi ngeNqubomgomo Yenethiwekhi ukuthi lena enye i-yaml, eseziningi kakade kuqoqo. Futhi ezinye Izinqubomgomo Zenethiwekhi azidingeki. Futhi noma ufunda ukuthi iyini i-Network Policy, ukuthi iyi-yaml firewall ye-Kubernetes, ikuvumela ukuthi ukhawulele amalungelo okufinyelela phakathi kwezikhala zamagama, phakathi kwama-pods, lapho-ke ngokuqinisekile unqume ukuthi i-firewall ngefomethi ye-yaml ku-Kubernetes isekelwe ekunqanyulweni okulandelayo. ... Cha, cha. Lokhu akudingekile neze.
Ngisho noma ungabatshelanga ochwepheshe bakho bezokuphepha ukuthi usebenzisa i-Kubernetes yakho ungakha i-firewall elula kakhulu futhi elula, kanye ne-granular kakhulu lapho. Uma bengakwazi lokhu okwamanje futhi bengakukhathazi: “Hhayi-ke, nginike, nginike...” Khona-ke kunoma yikuphi, udinga Inqubomgomo Yenethiwekhi ukuze uvimbele ukufinyelela kwezinye izindawo zesevisi ezingadonswa kuqoqo lakho. ngaphandle kokugunyazwa.
Njengasesibonelweni engisinikezile, ungadonsa amamethrikhi e-kube state kunoma iyiphi indawo yegama kuqoqo le-Kubernetes ngaphandle kokuba namalungelo okwenza kanjalo. Izinqubomgomo zenethiwekhi zivaliwe ukufinyelela kusuka kuzo zonke ezinye izikhala zamagama kuya endaweni yamagama yokuqapha futhi yilokho kuphela: akukho ukufinyelela, akunazinkinga. Kuwo wonke amashadi akhona, kokubili i-Prometheus ejwayelekile kanye ne-Prometheus eku-opharetha, kukhona inketho kumanani we-helm ukuvele unike amandla izinqubomgomo zenethiwekhi kubo. Udinga nje ukuyivula futhi izosebenza.
Kukhona inkinga eyodwa ngempela lapha. Njengoba ungumphathi ojwayelekile onentshebe, kungenzeka ukuthi unqume ukuthi izinqubomgomo zenethiwekhi azidingeki. Futhi ngemva kokufunda zonke izinhlobo zezihloko ezinsizeni ezifana noHabr, unqume ukuthi iflanela, ikakhulukazi ngemodi yesango lokusingatha, iyona nto engcono kakhulu ongayikhetha.
Yini okufanele ngiyenze?
Ungazama ukuphinda usebenzise isixazululo senethiwekhi onaso kuqoqo lakho le-Kubernetes, zama ukusishintsha ngokunye ukusebenza okwengeziwe. Ukuze Calico efanayo, isibonelo. Kodwa ngifuna ukusho zisuka nje ukuthi umsebenzi wokushintsha isixazululo senethiwekhi ku-Kubernetes working cluster awuyona into encane. Ngiyixazulule kabili (zombili izikhathi, nokho, ngokwethiyori), kodwa saze sabonisa ukuthi sikwenza kanjani kwa-Slurms. Kubafundi bethu, sibonise ukuthi singashintsha kanjani isixazululo senethiwekhi kuqoqo le-Kubernetes. Empeleni, ungazama ukwenza isiqiniseko sokuthi asikho isikhathi sokuphumula kuqoqo lokukhiqiza. Kodwa cishe ngeke uphumelele.
Futhi inkinga empeleni ixazululwe kalula kakhulu. Kunezitifiketi ku-cluster, futhi uyazi ukuthi izitifiketi zakho zizophelelwa yisikhathi ngonyaka. Yebo, futhi ngokuvamile isixazululo esivamile esinezitifiketi kuqoqo - kungani sikhathazeka, sizophakamisa iqoqo elisha eduze, siyeke elidala libole, futhi sikhiphe kabusha yonke into. Yiqiniso, lapho kubola, kuzodingeka sihlale usuku, kodwa nali iqoqo elisha.
Uma uphakamisa iqoqo elisha, ngesikhathi esifanayo faka i-Calico esikhundleni seflaneli.
Yini okufanele uyenze uma izitifiketi zakho zikhishwa iminyaka eyikhulu futhi ngeke uphinde ukhiphe iqoqo? Kukhona into efana ne-Kube-RBAC-Proxy. Lokhu ukuthuthuka okuhle kakhulu, kukuvumela ukuthi uzishumeke njengesiqukathi se-sidecar kunoma iyiphi i-pod kuqoqo le-Kubernetes. Futhi empeleni yengeza ukugunyazwa kule pod nge-RBAC ye-Kubernetes uqobo.
Kukhona inkinga eyodwa. Ngaphambilini, lesi sixazululo se-Kube-RBAC-Proxy sakhiwe ku-Prometheus yomsebenzisi. Kodwa wabe esehambile. Manje izinguqulo zesimanje zincike ekutheni unenqubomgomo yenethiwekhi futhi uyivale usebenzisa yona. Ngakho-ke kuzodingeka sibhale kabusha ishadi kancane. Eqinisweni, uma uya ku , kunezibonelo zendlela yokusebenzisa lokhu njengama-sidecars, futhi amashadi kuzodingeka abhalwe kabusha kancane.
Kukhona enye futhi inkinga encane. U-Prometheus akuyena yedwa onikeza amamethrikhi ayo kunoma ubani. Zonke izingxenye zethu zeqoqo le-Kubernetes nazo ziyakwazi ukubuyisela ama-metric azo.
Kodwa njengoba ngike ngasho, uma ungakwazi ukufinyelela iqoqo futhi uqoqe ulwazi, khona-ke ungenza okungenani ukulimala okuthile.
Ngakho-ke ngizokhombisa ngokushesha izindlela ezimbili ukuthi iqoqo le-Kubernetes lingonakaliswa kanjani.
Uzohleka uma ngikutshela lokhu, lawa amacala amabili angempela.
Indlela yokuqala. Ukuqedwa kwensiza.
Ake sethule enye iphodi ekhethekile. Izoba nesigaba esinjengalesi.
resources:
requests:
cpu: 4
memory: 4Gi Njengoba nazi, izicelo inani le-CPU nenkumbulo egcinwe kumsingathi ngamaphodi athile anezicelo. Uma sinosokhaya oyisisekelo esine kuqoqo le-Kubernetes, futhi ama-CPU pod amane afika lapho nezicelo, kusho ukuthi awasekho ama-pods anezicelo azokwazi ukuza kulo msingathi.
Uma ngisebenzisa i-pod enjalo, ngizosebenzisa umyalo:
$ kubectl scale special-pod --replicas=...Ngemuva kwalokho akekho omunye ozokwazi ukuphakela iqoqo le-Kubernetes. Ngoba wonke ama-node azophelelwa izicelo. Futhi ngaleyo ndlela ngizomisa iqoqo lakho le-Kubernetes. Uma ngenza lokhu kusihlwa, ngingakwazi ukumisa ukuthunyelwa isikhathi eside.
Uma sibheka futhi imibhalo ye-Kubernetes, sizobona le nto ebizwa ngokuthi i-Limit Range. Isetha izinsiza zezinto zeqoqo. Ungabhala into ethi Limit Range ku-yaml, uyisebenzise ezindaweni ezithile zamagama - bese kule ndawo yamagama ungasho ukuthi unezinsiza ezizenzakalelayo, eziphezulu nezincane zama-pods.
Ngosizo lwento enjalo, singakhawulela abasebenzisi ezindaweni ezithile zamagama zomkhiqizo wamaqembu ekhonweni lokubonisa zonke izinhlobo zezinto ezimbi kuma-pods abo. Kodwa ngeshwa, ngisho noma utshela umsebenzisi ukuthi ngeke akwazi ukwethula ama-pods anezicelo ze-CPU engaphezu kweyodwa, kunomyalo wesilinganiso omangalisayo, noma angenza isikali kudeshibhodi.
Futhi kulapho indlela inombolo yesibili ivela khona. Sethula 11 pods. Lezo zigidigidi eziyishumi nanye. Lokhu akungenxa yokuthi ngiqhamuke nenombolo enjalo, kodwa ngizibonele.
Indaba yangempela. Sekuhlwile ngase ngiphuma ehhovisi. Ngibona iqembu lonjiniyela lihlezi ekhoneni, lenza okuthile ngamakhompyutha aphathekayo. Ngiya kubafana futhi ngibuze: "Kwenzekeni kuwe?"
Ngaphambidlana, cishe ngehora lesishiyagalolunye ebusuku, omunye wonjiniyela wayelungiselela ukuya ekhaya. Futhi nganquma: “Manje ngizokwehlisela isicelo sami sibe kwesisodwa.” Ngacindezela eyodwa, kodwa i-inthanethi yehla kancane. Aphinde acofe leli, acofe leli, acofe u-Enter. Ngangizama ngakho konke engangingakwenza. Khona-ke i-intanethi yaphila - futhi yonke into yaqala ukwehla kule nombolo.
Yiqiniso, le ndaba ayizange yenzeke ku-Kubernetes; ngaleso sikhathi kwakunguNomad. Kugcine ngokuthi ngemuva kwehora sizama ukuvimba uNomad ezama ukukala, uNomad waphendula ngokuthi ngeke ayeke ukukala futhi akukho okunye azokwenza. "Ngikhathele ngiyahamba." Futhi wagoqa.
Ngokwemvelo, ngazama ukwenza okufanayo ku-Kubernetes. U-Kubernetes akazange ajabule ngama-pods ayizigidi eziyizinkulungwane eziyishumi nanye, uthe: “Angikwazi. Idlula onogada bomlomo bangaphakathi." Kepha ama-pods ayi-1 angakwazi.
Ephendula isigidigidi, iCube ayizange ihoxe kuyona. Waqala ngempela ukukala. Lapho inqubo iqhubeka, kwamthatha isikhathi esiningi ukwakha ama-pods amasha. Kodwa nokho inqubo yaqhubeka. Inkinga kuphela ukuthi uma ngikwazi ukwethula ama-pods ngokungenamkhawulo endaweni yami yegama, khona-ke noma ngaphandle kwezicelo nemingcele ngingakwazi ukwethula ama-pods amaningi ngemisebenzi ethile kangangokuthi ngosizo lwale misebenzi ama-node azoqala ukuhlanganisa enkumbulweni, ku-CPU. Lapho ngethula ama-pods amaningi, ulwazi oluvela kubo kufanele lungene kwisitoreji, okungukuthi, njll. Futhi lapho ulwazi oluningi lufika lapho, isitoreji siqala ukubuya kancane kakhulu - futhi i-Kubernetes iqala ukuba buthuntu.
Futhi enye inkinga ... Njengoba wazi, izakhi zokulawula i-Kubernetes aziyona into eyodwa ephakathi, kodwa izingxenye eziningana. Ikakhulukazi, kukhona umphathi wesilawuli, umhleli, njalonjalo. Bonke laba bafana bazoqala ukwenza umsebenzi ongadingekile, oyisiphukuphuku ngesikhathi esifanayo, okuzothi ngokuhamba kwesikhathi kuqale ukuthatha isikhathi esiningi. Umphathi wesilawuli uzodala ama-pod amasha. Umhleli uzozama ukubatholela indawo entsha. Cishe uzophelelwa ama-node amasha kuqoqo lakho maduze. Iqoqo le-Kubernetes lizoqala ukusebenza kancane futhi kancane.
Kodwa nganquma ukuqhubeka nakakhulu. Njengoba wazi, ku-Kubernetes kukhona into ebizwa ngokuthi isevisi. Yebo, ngokuzenzakalelayo kumaqoqo akho, cishe, isevisi isebenza kusetshenziswa amathebula e-IP.
Uma usebenzisa ama-pod ayizigidi eziyinkulungwane, isibonelo, bese usebenzisa iskripthi ukuphoqa i-Kubernetis ukuthi idale amasevisi amasha:
for i in {1..1111111}; do
kubectl expose deployment test --port 80
--overrides="{"apiVersion": "v1",
"metadata": {"name": "nginx$i"}}";
done Kuwo wonke ama-node e-cluster, imithetho eminingi ye-iptables emisha izokwenziwa cishe kanyekanye. Ngaphezu kwalokho, kuzokwenziwa imithetho ye-iptables eyibhiliyoni kusevisi ngayinye.
Ngiyihlole yonke le nto ezinkulungwaneni ezimbalwa, kuze kufike eshumini. Futhi inkinga ukuthi kakade kulo mngcele kuyinkinga impela ukwenza i-ssh ku-node. Ngoba amaphakethe, ehamba ngamaketanga amaningi, aqala ukuzizwa engemnandi kakhulu.
Futhi lokhu, nakho, konke kuxazululwa ngosizo lwe-Kubernetes. Kukhona into enjalo yesabelo seNsiza. Isetha inombolo yezinsiza ezitholakalayo nezinto zendawo yamagama kuqoqo. Singakha into ye-yaml endaweni yamagama ngayinye yeqoqo le-Kubernetes. Ukusebenzisa le nto, singasho ukuthi sinenani elithile lezicelo nemikhawulo eyabelwe lesi sikhala samagama, bese singasho ukuthi kule ndawo yegama kungenzeka ukudala izinsizakalo ezingu-10 nama-pods angu-10. Futhi umthuthukisi oyedwa angakwazi okungenani ukuziminyanisa kusihlwa. U-Kubernetes uzomtshela ukuthi: “Awukwazi ukukala ama-pods akho kuleso nani, ngoba insiza ingaphezu kwesilinganiso.” Yilokho kuphela, inkinga ixazululiwe. .
Kuvela iphuzu elilodwa eliyinkinga kulokhu. Uzwa ukuthi sekunzima kangakanani ukudala indawo yamagama ku-Kubernetes. Ukuze siyidale, kudingeka sicabangele izinto eziningi.
Isabelo sensiza + Ububanzi Bomkhawulo + RBAC
• Dala indawo yamagama
• Dala ibanga elilinganiselwe ngaphakathi
• Dala i-resourcequota yangaphakathi
• Dala i-akhawunti yesevisi ye-CI
• Dala ukubophezela kwe-CI nabasebenzisi
• Ngokuzithandela yethula ama-pods esevisi adingekayo
Ngakho-ke, ngithanda ukuthatha leli thuba ukwabelana ngentuthuko yami. Kukhona into enjalo ebizwa ngokuthi i-opharetha ye-SDK. Lena indlela yokuthi iqoqo le-Kubernetes libhalele ama-opharetha walo. Ungabhala izitatimende usebenzisa i-Ansible.
Ekuqaleni yayibhalwe nge-Ansible, ngase ngabona ukuthi kukhona u-opharetha we-SDK ngase ngibhala kabusha indima ethi Ansible ibe ngu-opharetha. Lesi sitatimende sikuvumela ukuthi udale into eqoqweni le-Kubernetes ebizwa ngokuthi umyalo. Ngaphakathi komyalo, ikuvumela ukuthi uchaze indawo yalo myalo nge-yaml. Futhi ngaphakathi kwendawo yeqembu, kusivumela ukuthi sichaze ukuthi sabela izinsiza eziningi kangaka.
Omncane .
Futhi ekugcineni. Kwenziwani ngakho konke lokhu?
Okokuqala. Inqubomgomo Yokuphepha Ye-Pod yinhle. Futhi naphezu kweqiniso lokuthi abekho abafaki be-Kubernetes abazisebenzisayo kuze kube yilolu suku, usadinga ukuzisebenzisa kumaqoqo akho.
Inqubomgomo Yenethiwekhi ayisona nje esinye isici esingadingekile. Yilokhu okudingeka ngempela kuqoqo.
LimitRange/ResourceQuota - yisikhathi sokuyisebenzisa. Saqala ukusebenzisa lokhu kudala, futhi isikhathi eside ngangiqiniseka ukuthi wonke umuntu uyayisebenzisa. Kuvele ukuthi lokhu akuvamile.
Ngaphezu kwalokho engikushilo phakathi nombiko, kunezici ezingabhaliwe ezikuvumela ukuthi uhlasele iqoqo. Ikhishwe muva nje .
Ezinye izinto ziyadabukisa futhi ziyalimaza. Isibonelo, ngaphansi kwezimo ezithile, ama-cubelets kuqoqo le-Kubernetes anganikeza okuqukethwe kohlu lwemibhalo lwe-warlocks kumsebenzisi ongagunyaziwe.
Kunemiyalelo yokuthi ungakhiqiza kanjani kabusha yonke into engikutshele yona. Kunamafayela anezibonelo zokukhiqiza zokuthi i-ResourceQuota ne-Pod Security Policy ibukeka kanjani. Futhi ungakuthinta konke lokhu.
Siyabonga kubo bonke.
Source: www.habr.com