k8s實踐6:從解決報錯開始入門RBAC

原創 am2012 2019-03-19 12:50

1.
在k8s集羣使用過程中,總是遇到各種rbac的權限問題.
記錄了幾個報錯,見下:

報錯1:

"message": "pods is forbidden: User \"kubernetes\" cannot list resource \"pods\" in API group \"\" at the cluster scope"

"message": "pservices is forbidden: User \"kubernetes\" cannot list resource \"pservices\" in API group \"\" at the cluster scope",

報錯2:

[root@k8s-master2 ~]# curl https://192.168.32.127:8443/logs  --cacert /etc/kubernetes/cert/ca.pem --cert /etc/kubernetes/cert/kubernetes.pem --key /etc/kubernetes/cert/kubernetes-key.pem
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"kubernetes\" cannot get path \"/logs\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403
curl https://192.168.32.127:8443/metrics --cacert /etc/kubernetes/cert/ca.pem --cert /etc/kubernetes/cert/kubernetes.pem --key /etc/kubernetes/cert/kubernetes-key.pem
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"kubernetes\" cannot get path \"/metrics\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403

深入學習瞭解rbac的各種基礎知識,相當必要.

2.
從分析報錯開始

報錯1:

"message": "pods is forbidden: User \"kubernetes\" cannot list resource \"pods\" in API group \"\" at the cluster scope"

先看這條報錯的命令記錄:

[root@k8s-master1 ~]# curl https://192.168.32.127:8443/api/v1/pods --cacert /etc/kubernetes/cert/ca.pem --cert /etc/kubernetes/cert/kubernetes.pem --key /etc/kubernetes/cert/kubernetes-key.pem
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "pods is forbidden: User \"kubernetes\" cannot list resource \"pods\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403

這條報錯的意思是什麼呢?
字面上理解,用戶kubernetes在api Group裏沒有權限,無法獲取資源pod列表.
從解決這個報錯開始我們的入門學習.

3.
User kubernetes是從哪冒出來的呢?
這個用戶是我們部署apiserver時,生成的api訪問etcd的用戶.
檢索用戶kubernetes的權限和綁定的羣組,見下:

[root@k8s-master1 ~]# kubectl describe clusterrolebindings |grep -B 9 "User  kubernetes "
Name:         discover-base-url
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"discover-base-url","namespace":""},"roleR...
Role:
  Kind:  ClusterRole
  Name:  discover_base_url
Subjects:
  Kind  Name        Namespace
  ----  ----        ---------
  User  kubernetes 
--
Name:         kube-apiserver
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"kube-apiserver","namespace":""},"roleRef"...
Role:
  Kind:  ClusterRole
  Name:  kube-apiserver
Subjects:
  Kind  Name        Namespace
  ----  ----        ---------
  User  kubernetes 

權限:

[root@k8s-master1 ~]# kubectl describe clusterroles discover_base_url
Name:         discover_base_url
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{"rbac.authorization.kubernetes.io/autoupdate":"true"},"lab...
              rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
             [/]                []              [get]
[root@k8s-master1 ~]#

##注意這條權限是上篇apiserver裏面新增的權限.

[root@k8s-master1 ~]# kubectl describe clusterroles kube-apiserver
Name:         kube-apiserver
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"kube-apiserver","namespace":""},"rules":[{"apiGr...
PolicyRule:
  Resources      Non-Resource URLs  Resource Names  Verbs
  ---------      -----------------  --------------  -----
  nodes/metrics  []                 []              [get create]
  nodes/proxy    []                 []              [get create]
[root@k8s-master1 ~]#

##一個用的是Resources
##一個用的是Non-Resource

4.
引出問題1:
Non-Resouce是什麼?
google了好久,也只是看到隻言片語.以下是我自己的理解:
回頭看上篇檢索apiserver時顯示的信息:

[root@k8s-master1 ~]# curl https://192.168.32.127:8443/ --cacert /etc/kubernetes/cert/ca.pem --cert /etc/kubernetes/cert/kubernetes.pem --key /etc/kubernetes/cert/kubernetes-key.pem
{
  "paths": [
    "/api",
    "/api/v1",
    "/apis",
    "/apis/",
    "/apis/admissionregistration.k8s.io",
    "/apis/admissionregistration.k8s.io/v1beta1",
    "/apis/apiextensions.k8s.io",
    "/apis/apiextensions.k8s.io/v1beta1",
    "/apis/apiregistration.k8s.io",
    "/apis/apiregistration.k8s.io/v1",
    "/apis/apiregistration.k8s.io/v1beta1",
    "/apis/apps",
    "/apis/apps/v1",
    "/apis/apps/v1beta1",
    "/apis/apps/v1beta2",
    "/apis/authentication.k8s.io",
    "/apis/authentication.k8s.io/v1",
    "/apis/authentication.k8s.io/v1beta1",
    "/apis/authorization.k8s.io",
    "/apis/authorization.k8s.io/v1",
    "/apis/authorization.k8s.io/v1beta1",
    "/apis/autoscaling",
    "/apis/autoscaling/v1",
    "/apis/autoscaling/v2beta1",
    "/apis/autoscaling/v2beta2",
    "/apis/batch",
    "/apis/batch/v1",
    "/apis/batch/v1beta1",
    "/apis/certificates.k8s.io",
    "/apis/certificates.k8s.io/v1beta1",
    "/apis/coordination.k8s.io",
    "/apis/coordination.k8s.io/v1beta1",
    "/apis/events.k8s.io",
    "/apis/events.k8s.io/v1beta1",
    "/apis/extensions",
    "/apis/extensions/v1beta1",
    "/apis/networking.k8s.io",
    "/apis/networking.k8s.io/v1",
    "/apis/policy",
    "/apis/policy/v1beta1",
    "/apis/rbac.authorization.k8s.io",
    "/apis/rbac.authorization.k8s.io/v1",
    "/apis/rbac.authorization.k8s.io/v1beta1",
    "/apis/scheduling.k8s.io",
    "/apis/scheduling.k8s.io/v1beta1",
    "/apis/storage.k8s.io",
    "/apis/storage.k8s.io/v1",
    "/apis/storage.k8s.io/v1beta1",
    "/healthz",
    "/healthz/autoregister-completion",
    "/healthz/etcd",
    "/healthz/log",
    "/healthz/ping",
    "/healthz/poststarthook/apiservice-openapi-controller",
    "/healthz/poststarthook/apiservice-registration-controller",
    "/healthz/poststarthook/apiservice-status-available-controller",
    "/healthz/poststarthook/bootstrap-controller",
    "/healthz/poststarthook/ca-registration",
    "/healthz/poststarthook/generic-apiserver-start-informers",
    "/healthz/poststarthook/kube-apiserver-autoregistration",
    "/healthz/poststarthook/rbac/bootstrap-roles",
    "/healthz/poststarthook/scheduling/bootstrap-system-priority-classes",
    "/healthz/poststarthook/start-apiextensions-controllers",
    "/healthz/poststarthook/start-apiextensions-informers",
    "/healthz/poststarthook/start-kube-aggregator-informers",
    "/healthz/poststarthook/start-kube-apiserver-admission-initializer",
    "/healthz/poststarthook/start-kube-apiserver-informers",
    "/logs",
    "/metrics",
    "/openapi/v2",
    "/swagger-2.0.0.json",
    "/swagger-2.0.0.pb-v1",
    "/swagger-2.0.0.pb-v1.gz",
    "/swagger-ui/",
    "/swagger.json",
    "/swaggerapi",
    "/version"
  ]
}[root@k8s-master1 ~]# 

從healthz開始的都是Non-resouce,是不是呢?修改clusterroles,測試見下:

[root@k8s-master1 roles]# cat clusterroles1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: discover_base_url
rules:
- nonResourceURLs:
#  - /
  - /healthz/*
  verbs:
  - get
[root@k8s-master1 roles]#
[root@k8s-master1 roles]# kubectl apply -f clusterroles1.yaml
clusterrole.rbac.authorization.k8s.io "discover_base_url" configured
[root@k8s-master1 roles]# kubectl apply -f clusterrolebindings1.yaml
clusterrolebinding.rbac.authorization.k8s.io "discover-base-url" configured
[root@k8s-master1 roles]#

[root@k8s-master1 roles]# kubectl describe clusterroles discover_base_url
Name:         discover_base_url
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{"rbac.authorization.kubernetes.io/autoupdate":"true"},"lab...
              rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
             [/healthz/*]       []              [get]

##具有Non-Resources /healthz的get權限

[root@k8s-master1 roles]# curl https://192.168.32.127:8443/logs --cacert /etc/kubernetes/cert/ca.pem --cert /etc/kubernetes/cert/kubernetes.pem --key /etc/kubernetes/cert/kubernetes-key.pem
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"kubernetes\" cannot get path \"/logs\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403
}[root@k8s-master1 roles]#
[root@k8s-master1 roles]# curl https://192.168.32.127:8443/metrics --cacert /etc/kubernetes/cert/ca.pem --cert /etc/kubernetes/cert/kubernetes.pem --key /etc/kubernetes/cert/kubernetes-key.pem
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "forbidden: User \"kubernetes\" cannot get path \"/metrics\"",
  "reason": "Forbidden",
  "details": {

  },
  "code": 403
}[root@k8s-master1 roles]#

可以看到除了healthz執行成功,其他全部失敗.
修改clusterroles,再測試,見下:

[root@k8s-master1 roles]# kubectl describe clusterroles discover_base_url
Name:         discover_base_url
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{"rbac.authorization.kubernetes.io/autoupdate":"true"},"lab...
              rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
             [/healthz/*]       []              [get]
             [/logs]            []              [get]
             [/metrics]         []              [get]
             [/version]         []              [get]
[root@k8s-master1 roles]#

再執行上面報錯的命令,全部正常.
可見,Non-Resourece包含了/healthz/*,/logs,/metrics等等.

5.
引出問題2:
Resource的權限配置?

先來條執行報錯的命令:

[root@k8s-master1 roles]#curl https://192.168.32.127:8443/api/v1/nodes/proxy  --cacert /etc/kubernetes/cert/ca.pem --cert /etc/kubernetes/cert/kubernetes.pem --key /etc/kubernetes/cert/kubernetes-key.pem
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "nodes \"proxy\" is forbidden: User \"kubernetes\" cannot get resource \"nodes\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "name": "proxy",
    "kind": "nodes"
  },
  "code": 403
}[root@k8s-master1 roles]#

好奇怪,根據我們上面檢索的權限,見下:

--
Name:         kube-apiserver
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"kube-apiserver","namespace":""},"roleRef"...
Role:
  Kind:  ClusterRole
  Name:  kube-apiserver
Subjects:
  Kind  Name        Namespace
  ----  ----        ---------
  User  kubernetes  
Name:         kube-apiserver
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"kube-apiserver","namespace":""},"rules":[{"apiGr...
PolicyRule:
  Resources      Non-Resource URLs  Resource Names  Verbs
  ---------      -----------------  --------------  -----
  nodes/metrics  []                 []              [get create]
  nodes/proxy    []                 []              [get create]
[root@k8s-master1 ~]#

按道理是應該可以正常檢索得到的.爲什麼報錯呢?先不管,添加權限測試下看看,見下:

獲取kube-apiserver這個clusterroles權限的描述,見下:

 [root@k8s-master1 roles]# kubectl get clusterroles kube-apiserver -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"kube-apiserver","namespace":""},"rules":[{"apiGroups":[""],"resources":["nodes/proxy","nodes/metrics"],"verbs":["get","create"]}]}
  creationTimestamp: 2019-02-28T06:51:53Z
  name: kube-apiserver
  resourceVersion: "35075"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/kube-apiserver
  uid: 5519ea8d-3b25-11e9-95a3-000c29383c89
rules:
- apiGroups:
  - ""
  resources:
  - nodes/proxy
  - nodes/metrics
  verbs:
  - get
  - create
[root@k8s-master1 roles]#

修改:

[root@k8s-master1 roles]# cat clusterroles2.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kube-apiserver
rules:
- apiGroups: [""]
  resources: ["nodes", "nodes/proxy","nodes/metrics"]
  verbs: ["get", "list","create"]
[root@k8s-master1 roles]#
[root@k8s-master1 roles]# kubectl apply -f clusterroles2.yaml
clusterrole.rbac.authorization.k8s.io "kube-apiserver" configured
[root@k8s-master1 roles]# kubectl get clusterroles kube-apiserver -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"name":"kube-apiserver","namespace":""},"rules":[{"apiGroups":[""],"resources":["nodes","nodes/proxy","nodes/metrics"],"verbs":["get","list","create"]}]}
  creationTimestamp: 2019-02-28T06:51:53Z
  name: kube-apiserver
  resourceVersion: "476880"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/kube-apiserver
  uid: 5519ea8d-3b25-11e9-95a3-000c29383c89
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - nodes/proxy
  - nodes/metrics
  verbs:
  - get
  - list
  - create

再執行前面報錯的命令:

[root@k8s-master1 roles]# curl https://192.168.32.127:8443/api/v1/nodes/k8s-master1 --cacert /etc/kubernetes/cert/ca.pem --cert /etc/kubernetes/cert/kubernetes.pem --key /etc/kubernetes/cert/kubernetes-key.pem
{
  "kind": "Node",
  "apiVersion": "v1",
  "metadata": {
    "name": "k8s-master1",
    "selfLink": "/api/v1/nodes/k8s-master1",
    "uid": "46a353d3-3b07-11e9-95a3-000c29383c89",
    "resourceVersion": "477158",
    "creationTimestamp": "2019-02-28T03:16:44Z",
    "labels": {
      "beta.kubernetes.io/arch": "amd64",
      "beta.kubernetes.io/os": "linux",
      "kubernetes.io/hostname": "k8s-master1"
    },
    "annotations": {
      "node.alpha.kubernetes.io/ttl": "0",
      "volumes.kubernetes.io/controller-managed-attach-detach": "true"
    }
  },
  "spec": {

  },
  "status": {
    "capacity": {
      "cpu": "1",
      "ephemeral-storage": "17394Mi",
      "hugepages-1Gi": "0",
      "hugepages-2Mi": "0",
      "memory": "1867264Ki",
      "pods": "110"
    },
    "allocatable": {
      "cpu": "1",
      "ephemeral-storage": "16415037823",
      "hugepages-1Gi": "0",
      "hugepages-2Mi": "0",
      "memory": "1764864Ki",
      "pods": "110"
    },
    "conditions": [
      {
        "type": "OutOfDisk",
        "status": "False",
        "lastHeartbeatTime": "2019-03-18T06:36:47Z",
        "lastTransitionTime": "2019-03-13T08:07:21Z",
        "reason": "KubeletHasSufficientDisk",
        "message": "kubelet has sufficient disk space available"
      },
      {
        "type": "MemoryPressure",
        "status": "False",
        "lastHeartbeatTime": "2019-03-18T06:36:47Z",
        "lastTransitionTime": "2019-03-13T08:07:21Z",
        "reason": "KubeletHasSufficientMemory",
        "message": "kubelet has sufficient memory available"
      },
      {
        "type": "DiskPressure",
        "status": "False",
        "lastHeartbeatTime": "2019-03-18T06:36:47Z",
        "lastTransitionTime": "2019-03-13T08:07:21Z",
        "reason": "KubeletHasNoDiskPressure",
        "message": "kubelet has no disk pressure"
      },
      {
        "type": "PIDPressure",
        "status": "False",
        "lastHeartbeatTime": "2019-03-18T06:36:47Z",
        "lastTransitionTime": "2019-02-28T03:16:45Z",
        "reason": "KubeletHasSufficientPID",
        "message": "kubelet has sufficient PID available"
      },
      {
        "type": "Ready",
        "status": "True",
        "lastHeartbeatTime": "2019-03-18T06:36:47Z",
        "lastTransitionTime": "2019-03-13T08:07:31Z",
        "reason": "KubeletReady",
        "message": "kubelet is posting ready status"
      }
    ],
    "addresses": [
      {
        "type": "InternalIP",
        "address": "192.168.32.128"
      },
      {
        "type": "Hostname",
        "address": "k8s-master1"
      }
    ],
    "daemonEndpoints": {
      "kubeletEndpoint": {
        "Port": 10250
      }
    },
    "nodeInfo": {
      "machineID": "d1471d605c074c43bf44cd5581364aea",
      "systemUUID": "84F64D56-0428-2BBD-7F9E-26CE9C1D7023",
      "bootID": "c49804b6-0645-49d3-902f-e66b74fed805",
      "kernelVersion": "3.10.0-514.el7.x86_64",
      "osImage": "CentOS Linux 7 (Core)",
      "containerRuntimeVersion": "docker://17.3.1",
      "kubeletVersion": "v1.12.3",
      "kubeProxyVersion": "v1.12.3",
      "operatingSystem": "linux",
      "architecture": "amd64"
    },
    "images": [
      {
        "names": [
          "registry.access.redhat.com/rhel7/pod-infrastructure@sha256:92d43c37297da3ab187fc2b9e9ebfb243c1110d446c783ae1b989088495db931",
          "registry.access.redhat.com/rhel7/pod-infrastructure:latest"
        ],
        "sizeBytes": 208612920
      },
      {
        "names": [
          "tutum/dnsutils@sha256:d2244ad47219529f1003bd1513f5c99e71655353a3a63624ea9cb19f8393d5fe",
          "tutum/dnsutils:latest"
        ],
        "sizeBytes": 199896828
      },
      {
        "names": [
          "httpd@sha256:5e7992fcdaa214d5e88c4dfde274befe60d5d5b232717862856012bf5ce31086"
        ],
        "sizeBytes": 131692150
      },
      {
        "names": [
          "httpd@sha256:20ead958907f15b638177071afea60faa61d2b6747c216027b8679b5fa58794b",
          "httpd@sha256:e76e7e1d4d853249e9460577d335154877452937c303ba5abde69785e65723f2",
          "httpd:latest"
        ],
        "sizeBytes": 131679770
      }
    ]
  }
}[root@k8s-master1 roles]#

整個node的數據都讀取出來了.

6.
接上面問題的思考,先對比下,修改前和修改後權限的對比,見下:
修改前:

rules:
- apiGroups:
  - ""
  resources:
  - nodes/proxy
  - nodes/metrics
  verbs:
  - get
  - create

修改後:

 rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - nodes/proxy
  - nodes/metrics
  verbs:
  - get
  - list
  - create

修改的就是resources加上了nodes這個資源.其他pods,svc之類的權限,參考這個權限修改就能夠實現訪問.
我的理解是:只有具有了訪問這個資源的權限之後,才能夠訪問它的子資源.
 

7.
遺留問題

還遇到個報錯,見下:

[root@k8s-master1 roles]#curl https://192.168.32.127:8443/api/v1/nodes/proxy  --cacert /etc/kubernetes/cert/ca.pem --cert /etc/kubernetes/cert/kubernetes.pem --key /etc/kubernetes/cert/kubernetes-key.pem
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "nodes \"proxy\" not found",
  "reason": "NotFound",
  "details": {
    "name": "proxy",
    "kind": "nodes"
  },
  "code": 404
}[root@k8s-master1 roles]#

這是子資源沒有生成的問題.後面再來測試.

發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

KubeKey v3.1 發佈:快速自定義離線安裝包

日前,KubeKey v3.1 正式發佈。該版本主要對離線場景部署、離線包製作以及向 Kubernetes v1.24+ 升級進行了優化。 KubeKey 簡介 KubeKey 是 KubeSphere 社區開源的一款高效集羣部署工具,運

原創 2024-05-17 23:16:50

通過HPA+CronHPA組合應對業務複雜彈性伸縮場景

本文分享自華爲雲社區《通過HPA+CronHPA組合應對業務複雜彈性伸縮場景》,作者:雲容器大未來。 背景 在k8s集羣中,容器水平自動伸縮(HPA),可以根據容器資源的使用量,在設置好的副本範圍內,自動擴縮容工作負載副本數(repli

原創 2024-05-17 10:59:32

容器內存可觀測性新視角:WorkingSet 與 PageCache 監控

作者:行疾、嘗君、佑禕、六滔 容器工作內存 WorkingSet 概念介紹 在 Kubernetes 場景,容器內存實時使用量統計(Pod Memory),由 WorkingSet 工作內存(縮寫 WSS)來表示。 WorkingSet 這

原創 2024-05-16 21:13:38

歡迎報名 Apache Seata (incubating) 開源之夏

作者:Seata 社區 Part 1:歡迎大家報名 Apache Seata (incubating) 開源之夏 2024 課題 開源之夏 2024 學生報名期爲 4 月 30 日 - 6 月 3 日,歡迎報名 Apache Seata(i

原創 2024-05-16 21:13:37

Zabbix參加KCD,爲什麼選擇Zabbix監控K8s?

雲原生熱潮席捲全球 KCD上海站2024圓滿落幕 累計600+參會者報名 300+開發者齊聚上海燃動現場 臺上共同探討雲原生技術的最新進展 Zabbix參與其中 分享Zabbix對K8S的監控支持!

Zabbix中國 2024-05-15 22:35:23

網絡現代化 通向雲原生應用的高速公路

關注我們牛年牛氣沖天 “夜上海夜上海,你是個不夜城……”,歌曲中描繪的老上海十里洋場,用“摩登”(Modern)這個詞來形容最恰當不過。摩登,意味着時髦、潮流和趨勢。 投入數字化轉型的洪流中,企業打造現代化應用的需求和願望越來越迫切,而

osc_5rzx0ke2 2024-05-14 00:46:31

雲原生週刊:Kubernetes Grafana 看板更新 | 2024.5.13

開源項目推薦 Chart Testing Chart Testing 是用於測試 Helm 圖表的工具。它旨在用於對拉取請求進行 lint 和測試。它會自動檢測針對目標分支更改的圖表。 Clusterpedia Clusterpedia 是

原創 2024-05-13 23:19:18

KubeKey 部署 K8s v1.28.8 實戰

在某些生產環境下,我們僅需要一個原生的 K8s 集羣,無需部署 KubeSphere 這樣的圖形化管理控制檯。在我們已有的技術棧裏,已經習慣了利用 KubeKey 部署 KubeSphere 和 K8s 集羣。今天,我將爲大家實戰演示如何在

原創 2024-05-11 23:51:54

KubeSphere 社區雙週報|2024.04.26-05.09

KubeSphere 社區雙週報主要整理展示新增的貢獻者名單和證書、新增的講師證書以及兩週內提交過 commit 的貢獻者,並對近期重要的 PR 進行解析,同時還包含了線上/線下活動和佈道推廣等一系列社區動態。 本次雙週報涵蓋時間爲:202

原創 2024-05-11 23:51:52

帶你熟悉CCE集羣增強型CPU管理策略enhanced-static

本文分享自華爲雲社區《華爲雲CCE集羣增強型CPU管理策略enhanced-static》,作者: 可以交個朋友。 背景 開源Kubernetes默認提供的CPU管理策略有none和static兩種: none: 不開啓CPU管理策略,

原創 2024-05-11 11:30:50

雲原生週刊:Terraform 1.8 發佈 | 2024.5.6

開源項目推薦 xlskubectl 用於控制 Kubernetes 集羣的電子表格。xlskubectl 將 Google Spreadsheet 與 Kubernetes 集成。你可以通過用於跟蹤費用的同一電子表格來管理集羣。 git-

原創 2024-05-06 22:46:37

ACK One x OpenKruiseGame 全球遊戲服多地域一致性交付最佳實踐

作者:劉秋陽、蔡靖 前言 在當今全球一體化的經濟環境下,數字娛樂產業正日益成爲文化和商業交流的有力代表。在此背景下大量遊戲廠商嘗試遊戲出海並取得了令人矚目的成績,許多遊戲以全球同服架構吸引着世界各地廣泛的玩家羣體。遊戲全球化部署不僅擴大了單

原創 2024-04-30 21:12:18

雲原生週刊:K8s 中的服務和網絡 | 2024.4.29

開源項目推薦 k8s-image-swapper k8s-image-swapper 是 Kubernetes 的一個變更 Webhook,它將鏡像下載到自己的鏡像倉庫,並將鏡像指向該新位置。它是 docker pull-through p

原創 2024-04-30 10:48:10

華爲云云原生FinOps解決方案,釋放雲原生最大價值

華爲云云原生FinOps通過可視化的成本洞察和成本優化,幫助用戶精細用雲以提升單位成本的資源利用率,實現降本增效目標 企業上雲現狀:上雲趨勢持續加深,但云上開支存在顯著浪費 根據Flexer 2024年最新的一項調查顯示,當前有超過7

原創 2024-04-29 22:33:46

Sealos 雲主機正式上線,便宜,便宜,便宜!

我們基於 Sealos 雲開發的能力,僅用三天時間就上線 Sealos 的雲主機能力,現在不太懂容器的同學也可以在 Sealos 上開心的使用虛擬機了,本文先說 Sealos 雲主機的優勢,再聊聊我們是怎麼這麼快實現上線的,以及爲什麼我們要

原創 2024-04-26 21:14:40