layout: post
title: "Kubernetes 知识图谱"
subtitle: ""
excerpt: ""
author: "Huabing Zhao"
date: 2020-02-22
description: "Kubernetes 相关知识汇总"
image: "https://upload.wikimedia.org/wikipedia/commons/thumb/2/2d/%E0%B8%AA%E0%B8%B1%E0%B8%99%E0%B9%80%E0%B8%82%E0%B8%B2%E0%B8%8A%E0%B9%89%E0%B8%B2%E0%B8%87%E0%B9%80%E0%B8%9C%E0%B8%B7%E0%B8%AD%E0%B8%81.jpg/2560px-%E0%B8%AA%E0%B8%B1%E0%B8%99%E0%B9%80%E0%B8%82%E0%B8%B2%E0%B8%8A%E0%B9%89%E0%B8%B2%E0%B8%87%E0%B9%80%E0%B8%9C%E0%B8%B7%E0%B8%AD%E0%B8%81.jpg"
published: true
tags:
- Kubernetes
- Knowledge Graph
categories: [ Tech ]
showtoc: false
Mind Map
- Kubernetes
- 基本理念
- 自动化部署,缩扩容和管理容器应用
- 预期状态管理(Desired State Management)
- Kubernetes API 对象(声明预期状态)
- Kubernetes Control Plane(确保集群当前状态匹配预期状态)
- Kubernetes Master
- kube-apiserver(API Server)
- - 对外提供各种对象的CRUD REST接口
- 对外提供Watch机制,通知对象变化
- 将对象存储到Etcd中
- kube-controller-manager(守护进程)
- - 功能:通过apiserver监视集群的状态,并做出相应更改,以使得集群的当前状态向预期状态靠拢
- controllers
- replication controller
- endpoints controller
- namespace controller
- serviceaccounts controller
- ......
- kube-scheduler(调度器)
- - 功能:将Pod调度到合适的工作节点上运行
- 调度的考虑因素
- 资源需求
- 服务治理要求
- 硬件/软件/策略限制
- 亲和以及反亲和要求
- 数据局域性
- 负载间的干扰
- ......
- Work Node
- Kubelet(节点代理)
- - 接受通过各种机制(主要是通过apiserver)提供的一组PodSpec
- 确保PodSpec中描述的容器处于运行状态且运行状况良好
- Kube-proxy(节点网络代理)
- - 在节点上提供Kubernetes API中定义Service
- 设置Service对应的IPtables规则
- 进行流量转发(userspace模式)
- 部署模式
- Single node
- Single head node,multiple workers
- API Server,Scheduler,and Controller Manager run on a single node
- Single etcd,HA heade nodes,multiple workers
- Multiple API Server instances fronted by a load balancer
- Multiple Scheduler and Controller Manager instances with leader election
- Single etcd node
- HA etcd,HA head nodes,multiple workers
- Multiple API Server instances fronted by a load balancer
- Multiple Scheduler and Controller Manager instances with leader election
- Etcd cluster run on nodes seperate from the Kubernetes head nodes
- Kubernetes Federation
- 商业模式
- 云服务用户:避免使用单一云提供商导致的厂商锁定,避免技术和成本风险
- 云服务厂商:使用Kubernetes来打破AWS的先入垄断地位,抢夺市场份额
- Workload
- Pod
- Workload resources(Controllers)
- Deployment & RelicaSet
- Deployment is used to deploy stateless appliations.
- ReplicaSet ensured a specified numbers of pod replicas are running at a given time.
- Deployment is used to rollout/update/rollback ReplicaSet.
- ReplicaSet is not supposed to be used directly, it should be managed by Deployments.
- StatefulSet
- StatefulSet is used to deploy stateful applications.
- SetatefSet require a Headless Service to provide network identity for the pods.
- DaemonSet
- DaemonSet ensures that all(or some) Nodes run a copy of a Pod.
- Use cases: cluster storage daemon, logs collection daemon, node monitoring daemon.
- Job & CronJob
- Job runs pods until a specified number of them have been succcessfully executed.
- CronJob runs a job periodically on a given schedule.
- Storage
- Volume
- purpose
- Persist data across the life span of a Pod
- Data won't lost when a container is restarted
- Share data between containers running together in a Pod
- Volume can be mounted to mutiple containers inside a Pod
- type
- configMap
- emptyDir
- hostPath
- local
- persistentVolumeClaim
- Policies
- ResourceQuota
- purpose
- Limit the aggregated resource consumption of a Namespace
- Scope
- Namespaced: ResourceQuota is enforced in a Namespace scope, different Namespaces have different Resouce limit
- Type
- Compute Resource Quota
- CPU (limits.cpu requests.cpu)
- Memory (limits.memory requets.memory)
- Storage Resource Quota
- Persistent Storage (storage)
- Ephemeral Storage (ephermal-storage)
- Object Count Quota
- Limit of total number of Namespaced resources (count/services)
- Request and Limit
- Request: Resources that are guaranteed to get
- Limit: The maximum amount of resources that one can get
- Network
- Linux Network Virtualization
- Network Namespace
- Veth Pair
- Linux bridge
- Distance Vector Protocol
- Link-State Protocol
- Service
- Cluster IP
- Provides access in the cluster internally
- The ClusterIP range is defined in API server startup option
-service-cluster-ip-range
- Service port is defined in the Service Manifest
- NodePort
- Provides access at the node level
- The NodePort range is defined in API server startup option
--service-node-port-range
- LoadBalancer
- Provides an external IP to allow access from outside of the cluster
- ExternalName
- An alias to an external service
- DNS redirection
- Headless
- Define a Headless service: specify "None" in for the cluster IP(.spec.clusterIP)
- No cluster IP allocated to Headless services
- No load balancing and proxying for Headless service
- Kube dns returns the IP of the pods backing the service
- Kube Proxy
- Provides a proxy server or appliction-level gateway between localhost and the K8s API server
- Handles locating the apiserver and authenticating (uses cluster configuration and user credential in .kube/config)
- Can send requests to API server (for example: get the list of services in default namespace
localhost:proxy-port/api/v1/namespaces/default/services)
- Can send requests to services via url
localhost:proxy-port/api/v1/namespaces/namespace_name/services/service_name[:port_name]/proxy/[application url]
- Kubectl port-forward
- Forward local ports to a pod
- kebectl port-forward deployment/mydeployment localport:port
- kebectl port-forward service/myservice localport:port
- kebectl port-forward pod/mypod localport:port
- Ingress
- DNS
- Service
- Normal Service
- A/AAA record which resolves name to the Cluster IP
- - Name:
my-svc.my-namespace.svc.cluster-domain.example
- Example: kubernetes.default.svc.cluster.local. 30 IN A 172.20.252.11
- SRV record for each named service port
- - Name:
_my-port-name._my-port-protocol.my-svc.my-namespace.svc.cluster-domain.example
- Example: _https._tcp.kubernetes.default.svc.cluster.local. 5 IN SRV 0 100 443 kubernetes.default.svc.cluster.local.
- A PTR record which resolves Cluster IP to domain name
- - Example
1.252.20.172.in-addr.arpa. 5 IN PTR kubernetes.default.svc.cluster.local.
- Headless Service
- A/AAA record which resolves to the set of IPs of the pods selected by the service
- N*M SRV records (N pods, M named ports in service)
- A PTR record which resolves pod IP to domain name of each pod
- ExternalName
- A CNAME pointing to the domain name of the external service
- Pod
- A/AAA record which resolves name to the pod IP
- General name
- Name:
pod-ip-address.my-namespace.pod.cluster-domain.example
- Example:
172-20-0-57.default.pod.cluster.local. 3 IN A 172.20.0.57
- Pod created by Deployment or DaemonSet exposed by a Service
- pod-ip-address.deployment-name.my-namespace.svc.cluster-domain.example
- CoreDNS
- Plugins
- errors: Erros are logged to stdout
- prometheus: Metrics of CoreDNS are available at
http://localhost:9153/metrics in Prometheus format
- kubernetes: CoreDNS will reply to DNS queries based on IP of the services and pods of Kubernetes.
- 腾讯云
- API Gateway+Service Mesh
- Kubernetes CNI插件
- Scheduling
- Algorithm: Predicate find a set of available nodes -> Priority select the best suitable node
- Predicates: find available nodes through some conditions: check memory, cpu, disk, etc.
- Priorities: select a node to run the scheduled pod: select the node with the least amount of pods by default
- Policy: specify a number of predicates and priorities
- Run a customscheduler
- Policy:
--policy-config-file
- Name:
--scheduler-name
- Pod Specification: hits for pod scheduling
- NodeName: assign pods to the named node
- NodeSelector: assign pods to a group of nodes with particular labels
- Affinity and anti-affinity:
- Node
- Node affinity: has the same ability to constrain pods to particular nodes, but is more expressive and powerful
- Node anti-affinity: use
NotIn and DoesNotExist to achieve node anti-affinity
- Inter-Pod
- Inter-Pod affinity: co-locate some pods in the same nodes
- Inter-Pod anti-affinity: distribute some pods in different nodes
- taints and tolerations
- allow a node to repel a set of pods
- allow pods to be scheduled onto nodes with matching taints
- SchedulerName: choose a specific scheduler to schedule a pod
- Security
- Background Knowledge
- User Type
- Service Account
- Managed by Kubernetes
- Represent workloads in the cluster
- Bound to a specific namespace
- Normal User
- Managed out side of Kubernetes
- Authenticated with a valid certicated signed by the cluster's CA
- Authentication
- Authorization
- RBAC
- Namespace Scope
- Role
- RoleBinding (Associate users retrived from authentication process to Roles)
- Cluster Scope
- ClusterRole
- CluseterRoleBinding (Associate users retrived from authentication process to ClusteRoles)
- Helm: package management tool for K8s applications
- Chart: package all k8s manifests as a single tarball
- Chart.yaml: this files contains metadata about this Chart: name, version, keywords
- templeates: this directorey contains the resource manifests that makes up this application
- deployment
- services
- secretes
- ...
- values.yaml: this files contains keys and values that are used to generate the release. These values are replaced in the resource manifests using the Go template syntax
- Repository: HTTP servers that contains charts
- Helm commands
- helm search hub redis: find redis chart and its repository in helm hub
- helm sarch repo redis: find redis chart in repositories
- helm install redis bitnami/redis: install redis chart
- Extending the Kubernetes API
- Custom Resource
- CRD: Define custom resources
- Custom Resources/Ojbects: Declare the desired spec of a custom resource
- Custom Controllers: watch-loop to make sure the actual state meet the declared spec
- Aggregated API Server
- Deploy an extension API server
- Register APIService objects
- Group: API groups this extension API server hosts
- Version: API version this extension API server hosts
- kube-apiserver proxies client requests to the extension API server
