kubernetes核心組件詳解
1. 節點Pod管家:kubelet
kubelet運行在集羣的所有節點上
- 每個節點上的kubelet由操作系統init進程(如;systemd)啓動,在ubuntu 16.04 +有兩個,init進程與文件分別是
root@K8S-Master:/# ls /lib/systemd/system/kubelet.service
/lib/systemd/system/kubelet.service
root@K8S-Master:/# ls /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
kubelet的主要參數配置在/etc/systemd/system/kubelet.service.d/10-kubeadm.conf中
root@K8S-Master:/# cat /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
# Note: This dropin only works with kubeadm and kubelet v1.11+
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
# This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
EnvironmentFile=-/etc/default/kubelet
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
- 啓動參數配置:/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
- 配置修改與生效:systemctl daemon -reload & systemctl restart kubelet
2. 集羣管理入口:kube-apiserver
- 由kubelet啓動的static pod
- APIServer的pod spec:/etc/kubernetes/manifests/kube-apiserver.yaml
# cat /etc/kubernetes/manifests/kube-apiserver.yaml
...
spec:
containers:
- command:
- kube-apiserver
- --authorization-mode=Node,RBAC
- --advertise-address=172.28.65.239
- --allow-privileged=true
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --enable-admission-plugins=NodeRestriction
- --enable-bootstrap-token-auth=true
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
- --etcd-servers=https://127.0.0.1:2379
- --insecure-port=0
- --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
- --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
- --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
- --requestheader-allowed-names=front-proxy-client
- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
- --requestheader-extra-headers-prefix=X-Remote-Extra-
- --requestheader-group-headers=X-Remote-Group
- --requestheader-username-headers=X-Remote-User
- --secure-port=6443
- --service-account-key-file=/etc/kubernetes/pki/sa.pub
- --service-cluster-ip-range=10.96.0.0/12
- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
image: k8s.gcr.io/kube-apiserver:v1.13.2
imagePullPolicy: IfNotPresent
...
- insecure-port是api-server的非安全服務端口,默認使用http協議訪問,默認值爲0,即不開啓
- service-account-key-file是server-account的公鑰文件,用於驗證客戶端請求中的service-account中的token串的,若沒有設置,則apiserver會使用tls-private-key-file來驗證token串
- kubelet-client-key設置的是apiserver以client端身份,訪問kubernetes所使用的私鑰文件
- admission-control設置的是一組准入策略的攔截器
- service-cluster-ip-range設置的是抽象的kubernetes-servers的無類別遇見路由地址分配範圍,不能與pod的範圍有交集
- kubelet-client-certificate設置的是apiserver以client端身份訪問kubernetes的數字公鑰證書
- allow-privileged,配置是否允許啓動特權容器
- client-ca-file,是用於對client請求進行證書校驗的ca公鑰證書
- tls-cert-file,是apiserver的公鑰證書
- tls-private-key-file,是apiserver的私鑰證書
- secure-port是apiserver的端口
- advertise-address是apiserver的地址
- authorization-mode=Node是設置用戶授權模式列表
- etcd_*則是用來配置apiserver與etcd之前的相關文件
- kubelet監聽/etc/kubernetes/manifests目錄變化,自動重啓配置發生變化的apiserver pod
3. 配置中心:etcd
- 位置在/etc/kubernetes/manifests下的etcd.yaml
- 由kubelet啓動的static pod
- apiserver與etcd之間採用基於TLS的安全通信
- etcd掛載master節點本地路徑/var/lib/etcd用於運行時數據存儲
要是做etcd的數據遷移,需要關注這個目錄/var/lib/etcd
4. 管理控制中心:kube-controller-manager
- 負責集羣內Node、Pod副本、服務的endpoit、命名空間、Service Account、資源配額等管理
- 由kubelet啓動的static pod
- 文件是在/etc/kubernetes/manifests中的kube-controller-manager.yaml,修改方式就修改這個文件,然後會自動重啓生效
5. 調度器:kube-scheduler
Scheduler:單純地調度Pod
- 按照特定的調度算法和策略,將待調度的Pod綁定到集羣中某個合適的Node,並寫入綁定信息
- 由kubelet啓動static pod
- 位置在/etc/kubernetes/manifests中的kube-scheduler.yaml
6. 服務抽象實現:kube-proxy
kube-proxy運行在kubernetes集羣的每一個節點上
- kube-proxy由daemonset控制器在各個節點上啓動唯一實例
- 配置參數:/var/lib/kube-proxy/config.cong(pod內)
- 查看kube-proxy的podID,這裏是:kube-proxy-lspg2
root@K8S-Master:~# kubectl exec kube-proxy-lspg2 -n kube-system -- cat /var/lib/kube-proxy/config.conf
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
clientConnection:
acceptContentTypes: ""
burst: 10
contentType: application/vnd.kubernetes.protobuf
kubeconfig: /var/lib/kube-proxy/kubeconfig.conf
qps: 5
clusterCIDR: 192.168.0.0/16
configSyncPeriod: 15m0s
conntrack:
max: null
maxPerCore: 32768
min: 131072
tcpCloseWaitTimeout: 1h0m0s
tcpEstablishedTimeout: 24h0m0s
enableProfiling: false
healthzBindAddress: 0.0.0.0:10256
hostnameOverride: ""
iptables:
masqueradeAll: false
masqueradeBit: 14
minSyncPeriod: 0s
syncPeriod: 30s
ipvs:
excludeCIDRs: null
minSyncPeriod: 0s
scheduler: ""
syncPeriod: 30s
kind: KubeProxyConfiguration
metricsBindAddress: 127.0.0.1:10249
mode: ""
nodePortAddresses: null
oomScoreAdj: -999
portRange: ""
resourceContainer: /kube-proxy
mode爲空,則爲選擇目前最好的mode,目前是iptables
- Proxy mode:iptables
7. 集羣管理工具:kubectl
kubectl是目前管理k8s集羣的最強利器,主要命令類型如下:
- 集羣訪問配置:kubectl config
- 集羣控制:kubectl create/apply/delete/label/edit/expose/scale
- 集羣查看和問題調試:kubectl get/describe/logs/exec/attach
舉些栗子
- 集羣訪問配置命令
kubectl config view
kubectl config set-cluster k8s1 --server=hhhps://1.2.3.4
kubectl config get-clusters
kubectl config delete-cluster k8s1
- 集羣控制命令
# 創建pod
kubectl create -f xxx.yaml
#打標籤
kubectl lable pods/<pod-name> <pod-lable>
#查詢標籤
kubectl get pods --show-lables | grep <%pod-name%>
#編輯pod的配置yaml文件
kubeclt edit deployment/<pod-name>
# 將pod副本數升到3
kubectl scale --replicas=3 deployment/<%pod-name%>
# create、update pod,推薦使用
kubectl apply -f xxx.yaml
# 刪除deployment
kubectl delete -f xxx.yaml
- 集羣查看和問題調試
# 查看pod
kubectl get pods <參數>
# 查看pod運行的信息
kubectl describe pods/<pod-name>
# 查看log日誌
kubectl logs -f pods/<pod-name>
# 訪問容器內部,例如查看容器內/xxx/xxx/xxx.conf的內容
kubectl exec <pod-name> -- cat /xxx/xxx/xxx.conf
# 掛在到容器中
kubectl attach <pod-name>