Docker Tutorial
Chapter 1: Kubernetes Fundamentals
Learning objectives
- Understand the core concepts and architecture of Kubernetes
- Master the basic terminology and components of Kubernetes
- Learn the basic principles of container orchestration
- Become familiar with the design philosophy of Kubernetes
What is Kubernetes
Kubernetes (K8s for short) is an open-source container orchestration platform for automating the deployment, scaling and management of containerized applications.
History
- 2014: Google open-sources the Kubernetes project
- 2015: The CNCF (Cloud Native Computing Foundation) is founded, with Kubernetes as its first project
- 2017: Kubernetes 1.8 is released and the ecosystem matures
- Today: the de facto standard for container orchestration
Core features of Kubernetes
1. Self-healing
# Example: automatic Pod restart
apiVersion: v1
kind: Pod
metadata:
  name: self-healing-pod
spec:
  restartPolicy: Always  # restart the container automatically when it fails
  containers:
  - name: app
    image: nginx:1.25
    livenessProbe:  # health check
      httpGet:
        path: /
        port: 80
      initialDelaySeconds: 30
      periodSeconds: 10
2. Auto-scaling
# Horizontal Pod Autoscaler
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: webapp-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: webapp
  minReplicas: 2
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70
3. Declarative API
# Declare the desired state; Kubernetes makes it happen
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 3  # desired number of replicas
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.25
        ports:
        - containerPort: 80
4. Controller pattern
Controllers continuously watch the cluster state and make sure the actual state matches the desired state.
graph LR
    A[Desired state] --> B[Controller]
    C[Actual state] --> B
    B --> D[Reconciling action]
    D --> C
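As an added example (not code from the original tutorial), a simulated replica controller in Go that runs the loop in the diagram: Reconcile compares desired and actual state and emits the actions that close the gap, and RunUntilConverged repeats it until a pass needs no action. The Pod names, the in-memory map standing in for the API server and the function names are assumptions of this example.

```go
package main

import "fmt"

type Action struct{ Op, Pod string } // one reconciling step: Op is "create" or "delete"

// Reconcile is a single pass of the control loop: compare the desired replica
// count with the Pods that actually exist (a constructed in-memory map here)
// and return the actions that close the gap, nil when the two already agree.
func Reconcile(name string, desired int, actual map[string]bool) []Action {
	var acts []Action
	// Too few Pods: create new ones, skipping names that are still in use.
	for j, need := 0, desired-len(actual); need > 0; j++ {
		if pod := fmt.Sprintf("%s-%d", name, j); !actual[pod] {
			acts = append(acts, Action{"create", pod})
			need--
		}
	}
	// Too many Pods: delete the surplus (which ones is arbitrary, as in a real controller).
	for pod := range actual {
		if len(actual)-len(acts) <= desired {
			break
		}
		acts = append(acts, Action{"delete", pod})
	}
	return acts
}

// RunUntilConverged keeps reconciling until a pass yields no actions, applying
// each pass's actions to the simulated cluster (standing in for the API server).
func RunUntilConverged(name string, desired int, actual map[string]bool) int {
	for passes := 1; ; passes++ {
		acts := Reconcile(name, desired, actual)
		if len(acts) == 0 {
			return passes
		}
		for _, a := range acts {
			if a.Op == "create" {
				actual[a.Pod] = true
			} else {
				delete(actual, a.Pod)
			}
		}
	}
}

func main() {
	actual := map[string]bool{"nginx-0": true, "nginx-2": true} // nginx-1 died: actual drifted from desired 3
	fmt.Println("passes:", RunUntilConverged("nginx", 3, actual), "pods:", len(actual))
}
```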
Core concepts and terminology
1. Pod
A Pod is the smallest deployable unit in Kubernetes and contains one or more containers.
apiVersion: v1
kind: Pod
metadata:
  name: multi-container-pod
  labels:
    app: webapp
spec:
  containers:
  - name: web
    image: nginx:1.25
    ports:
    - containerPort: 80
  - name: sidecar
    image: busybox
    command: ['sh', '-c', 'while true; do echo "sidecar running"; sleep 30; done']
Pod characteristics:
- Containers share network and storage
- Containers in the same Pod communicate over localhost
- Containers in a Pod share a lifecycle
2. Service
A Service provides a stable network entry point for a set of Pods.
apiVersion: v1
kind: Service
metadata:
  name: webapp-service
spec:
  selector:
    app: webapp
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
  type: ClusterIP  # reachable only from inside the cluster
Service types:
- ClusterIP: access from inside the cluster (default)
- NodePort: access through a port on every node
- LoadBalancer: access through a cloud load balancer
- ExternalName: a DNS CNAME record
3. Deployment
A Deployment manages the rollout and updates of Pods.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp-deployment
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
    spec:
      containers:
      - name: webapp
        image: webapp:v1.0
        ports:
        - containerPort: 8080
4. StatefulSet
A StatefulSet manages stateful applications and provides stable network identities and persistent storage.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mysql
spec:
  serviceName: mysql
  replicas: 3
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - name: mysql
        image: mysql:8.0
        env:
        - name: MYSQL_ROOT_PASSWORD
          value: "password"  # demo value only; in practice reference a Secret via valueFrom.secretKeyRef
        volumeMounts:
        - name: data
          mountPath: /var/lib/mysql
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi
5. DaemonSet
A DaemonSet ensures that one copy of a Pod runs on every node.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-exporter
spec:
  selector:
    matchLabels:
      app: node-exporter
  template:
    metadata:
      labels:
        app: node-exporter
    spec:
      hostNetwork: true
      containers:
      - name: node-exporter
        image: prom/node-exporter:latest
        ports:
        - containerPort: 9100
6. Job and CronJob
# Job: a one-off task
apiVersion: batch/v1
kind: Job
metadata:
  name: data-migration
spec:
  template:
    spec:
      containers:
      - name: migration
        image: migration-tool:latest
        command: ["./migrate.sh"]
      restartPolicy: Never
  backoffLimit: 4
---
# CronJob: a scheduled task
apiVersion: batch/v1
kind: CronJob
metadata:
  name: backup-job
spec:
  schedule: "0 2 * * *"  # every day at 02:00
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: backup
            image: backup-tool:latest
            command: ["./backup.sh"]
          restartPolicy: OnFailure
Namespaces and labels
Namespace
A Namespace provides resource isolation and multi-tenancy support.
apiVersion: v1
kind: Namespace
metadata:
  name: development
  labels:
    env: dev
    team: backend
# Create a namespace
kubectl create namespace production
# Create a resource in a given namespace
kubectl apply -f deployment.yaml -n production
# List namespaces
kubectl get namespaces
Label and Selector
A Label is a key/value pair used to identify and select resources.
apiVersion: v1
kind: Pod
metadata:
  name: webapp-pod
  labels:
    app: webapp
    version: v1.0
    environment: production
    tier: frontend
spec:
  containers:
  - name: webapp
    image: webapp:v1.0
# Using a label selector
apiVersion: v1
kind: Service
metadata:
  name: webapp-service
spec:
  selector:
    app: webapp
    tier: frontend
  ports:
  - port: 80
    targetPort: 8080
Annotation
Annotations store non-identifying metadata.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
  annotations:
    deployment.kubernetes.io/revision: "1"
    kubernetes.io/change-cause: "Initial deployment"
    contact: "team@example.com"
    description: "Web application frontend"
spec:
  # ...
Cluster architecture and components
Control plane components
1. kube-apiserver
The API server is the front end of the Kubernetes control plane and handles all REST requests.
# Example API server configuration
kube-apiserver \
  --advertise-address=192.168.1.100 \
  --allow-privileged=true \
  --authorization-mode=Node,RBAC \
  --client-ca-file=/etc/kubernetes/pki/ca.crt \
  --enable-admission-plugins=NodeRestriction \
  --etcd-servers=https://127.0.0.1:2379 \
  --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt \
  --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key \
  --secure-port=6443
2. etcd
A distributed key-value store that holds all of the cluster's data.
# etcd cluster configuration
etcd \
  --name=master-1 \
  --data-dir=/var/lib/etcd \
  --listen-client-urls=https://192.168.1.100:2379 \
  --advertise-client-urls=https://192.168.1.100:2379 \
  --listen-peer-urls=https://192.168.1.100:2380 \
  --initial-advertise-peer-urls=https://192.168.1.100:2380 \
  --cert-file=/etc/kubernetes/pki/etcd/server.crt \
  --key-file=/etc/kubernetes/pki/etcd/server.key \
  --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
3. kube-scheduler
The scheduler assigns Pods to suitable nodes.
# Scheduler configuration
apiVersion: kubescheduler.config.k8s.io/v1beta3
kind: KubeSchedulerConfiguration
profiles:
- schedulerName: default-scheduler
  plugins:
    score:
      enabled:
      - name: NodeResourcesFit
      - name: NodeAffinity
      - name: PodTopologySpread
4. kube-controller-manager
The controller manager runs the various controllers.
# Controller manager configuration
kube-controller-manager \
  --bind-address=127.0.0.1 \
  --cluster-cidr=10.244.0.0/16 \
  --cluster-name=kubernetes \
  --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt \
  --cluster-signing-key-file=/etc/kubernetes/pki/ca.key \
  --kubeconfig=/etc/kubernetes/controller-manager.conf \
  --leader-elect=true \
  --service-cluster-ip-range=10.96.0.0/12
Node components
1. kubelet
The node agent that manages Pods and containers.
# kubelet configuration
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: 0.0.0.0
port: 10250
readOnlyPort: 10255  # unauthenticated read-only API; set to 0 to disable it on production nodes
cgroupDriver: systemd
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
failSwapOn: false
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
2. kube-proxy
The network proxy that implements the network rules for Services.
# kube-proxy configuration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
bindAddress: 0.0.0.0
clientConnection:
  kubeconfig: /var/lib/kube-proxy/kubeconfig.conf
clusterCIDR: 10.244.0.0/16
mode: iptables
3. Container runtime
Several container runtimes are supported:
# containerd configuration
[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "k8s.gcr.io/pause:3.7"
  [plugins."io.containerd.grpc.v1.cri".containerd]
    snapshotter = "overlayfs"
    default_runtime_name = "runc"
    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
      runtime_type = "io.containerd.runc.v2"
Images and pull policies
Image pull policy
apiVersion: v1
kind: Pod
metadata:
  name: image-policy-demo
spec:
  containers:
  - name: app
    image: nginx:1.25
    imagePullPolicy: IfNotPresent  # pull policy
Pull policy types:
- Always: always pull the latest image
- IfNotPresent: pull only when the image is not present locally (default)
- Never: never pull; only use a local image
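An added example, not from the original page, that reproduces how the API server fills in imagePullPolicy when a manifest leaves it out: the IfNotPresent default above holds for tagged images, while an untagged or :latest reference defaults to Always and a digest-pinned one to IfNotPresent. Written in Go; the function names and the image references (including the placeholder digest) are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// imageTag returns the tag of an image reference and whether it is pinned by digest
// (name@sha256:...). The registry host may carry ":port", so only the last path segment is inspected.
func imageTag(image string) (tag string, digest bool) {
	if strings.Contains(image, "@") {
		return "", true
	}
	last := image
	if i := strings.LastIndex(image, "/"); i >= 0 {
		last = image[i+1:]
	}
	if i := strings.LastIndex(last, ":"); i >= 0 {
		return last[i+1:], false
	}
	return "", false
}

// EffectivePullPolicy reproduces the API-server defaulting rule: an explicit
// policy is kept; otherwise an untagged or ":latest" reference defaults to
// Always and any other tag (or a digest) defaults to IfNotPresent.
func EffectivePullPolicy(image, explicit string) string {
	if explicit != "" {
		return explicit
	}
	tag, digest := imageTag(image)
	if !digest && (tag == "" || tag == "latest") {
		return "Always"
	}
	return "IfNotPresent"
}

// Mutable reports whether the reference can change content between pulls (any
// tag can be re-pointed); only a digest pins exactly what runs.
func Mutable(image string) bool {
	_, digest := imageTag(image)
	return !digest
}

func main() {
	for _, img := range []string{"nginx:1.25", "nginx", "localhost:5000/app:latest",
		"prom/node-exporter:latest", "private-registry.com/app@sha256:0000"} { // constructed refs
		fmt.Printf("%-40s policy=%-12s mutable=%v\n", img, EffectivePullPolicy(img, ""), Mutable(img))
	}
}
```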
Private image registries
# Create the Secret
apiVersion: v1
kind: Secret
metadata:
  name: regcred
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <base64-encoded-docker-config>
---
# Use the Secret
apiVersion: v1
kind: Pod
metadata:
  name: private-image-pod
spec:
  containers:
  - name: app
    image: private-registry.com/app:v1.0
  imagePullSecrets:
  - name: regcred
Resource management
Resource requests and limits
apiVersion: v1
kind: Pod
metadata:
  name: resource-demo
spec:
  containers:
  - name: app
    image: nginx:1.25
    resources:
      requests:  # resources requested
        memory: "64Mi"
        cpu: "250m"
      limits:  # resource limits
        memory: "128Mi"
        cpu: "500m"
Quality of Service classes
- Guaranteed: requests = limits
- Burstable: requests < limits
- BestEffort: no requests or limits
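An added Go example (not part of the original chapter) that derives the QoS class from a Pod's containers using the rules behind the three bullets above, including two details the list leaves out: a container that sets only limits gets matching requests by API-server defaulting and so ends up Guaranteed, and every container must qualify or the Pod is Burstable. The Resources type and the string comparison of quantities are assumptions of this example.

```go
package main

import "fmt"

// Resources holds one container's requests and limits keyed by resource name.
// Quantities are compared as strings in this example; the real implementation
// parses them, so "0.5" and "500m" are equal there but not here.
type Resources struct {
	Requests map[string]string
	Limits   map[string]string
}

// QOSClass derives a Pod's QoS class from all of its containers (init containers
// included). Only cpu and memory count. BestEffort when neither is set anywhere,
// Guaranteed when every container has cpu and memory limits equal to its
// requests (a missing request defaults to the limit, as the API server does),
// Burstable for everything in between.
func QOSClass(containers []Resources) string {
	anySet, guaranteed := false, true
	for _, c := range containers {
		for _, res := range []string{"cpu", "memory"} {
			lim, hasLim := c.Limits[res]
			req, hasReq := c.Requests[res]
			if hasLim && !hasReq { // API-server defaulting: request := limit
				req = lim
			}
			if hasLim || hasReq {
				anySet = true
			}
			if !hasLim || req != lim {
				guaranteed = false
			}
		}
	}
	if !anySet {
		return "BestEffort"
	}
	if guaranteed {
		return "Guaranteed"
	}
	return "Burstable"
}

func main() {
	// The resource-demo Pod from this chapter: requests below limits -> Burstable.
	demo := Resources{Requests: map[string]string{"memory": "64Mi", "cpu": "250m"},
		Limits: map[string]string{"memory": "128Mi", "cpu": "500m"}}
	fmt.Println(QOSClass([]Resources{demo}))
}
```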
Summary
This chapter covered:
- Kubernetes overview: the core features of the container orchestration platform
- Core concepts: Pod, Service, Deployment and the other basic objects
- Cluster architecture: the roles of the control plane and node components
- Resource management: namespaces, labels and resource quotas
- Image management: pull policies and private registry configuration
These fundamentals lay a solid foundation for the deeper study of Kubernetes that follows.