一通百通，一文實現靈活的K8S基礎架構

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Kubernetes是當前最爲流行的開源容器編排平臺，成爲衆多企業構建基礎架構的首選。在本文中，我們將探討針對你的用例構建基礎設施的最佳方式，以及你可能要根據各種限制條件做出的各種決定。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"架構設計"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"你的架構應該在很大程度上圍繞你的用例來設計，因此在設計過程中你需要非常仔細以確保該基礎架構能夠支撐你的用例，在必要的時候也可以尋求外部專業團隊的幫助。在架構設計的開始保證方向正確十分重要，但是這並不意味着不會發生錯誤，而且隨着每天都有新的技術或研究橫空出世，你可以看到變革已經成爲常態，並且你的架構設計思維有可能過時。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這就是爲什麼我強烈建議你採用Architect for Chang的原則，讓你的架構成爲一個模塊化的架構以便在未來有需要的時候你可以靈活地在內部進行改變。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"讓我們看看在考慮client-server模型的情況下如何實現系統架構的目標。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"切入點：DNS"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在任何典型的基礎架構中（無論是否是雲原生架構），一個消息請求必須先由DNS服務器解析，並返回服務器的IP地址。設置你的DNS應該基於你所需要的可用性。如果你需要更高的可用性，你可能想要將你的服務器分佈到多個區域或者雲提供程序上，具體的實現要基於你想要達到的可用性等級。"}]},{"type":"heading","attrs":{"align":null,"level":3},"content":[{"type":"text","text":"內容分發網絡（CDN）"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在某些情況下，你可能需要儘可能地以最小的延遲爲用戶提供服務，同時減少服務器的負載。這就是內容分發網絡（CDN）發揮重要作用的地方。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Client是否經常從服務器上請求一組靜態資產？你是否希望提高向用戶交付內容的速度，同時減少服務器的負載？在這種情況下，採用邊緣的CDN爲一組靜態資產提供服務，實際上可能有助於降低用戶的延遲和服務器的負載。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"你所有的內容都是動態的嗎？你是否可以在一定程度上爲用戶提供延遲的內容，以減少複雜性？或者你的應用程序接收很低的流量嗎？在這種情況下，使用CDN可能沒有太大的意義，你可以將所有的流量直接發送到全局負載均衡器。但要注意的是，擁有CDN也確實有分配流量的優勢，這在你的服務器受到DDOS攻擊時是很有幫助的。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"CDN提供程序包括Cloudfare CDN、Fastly、Akamai CDN、Stackpath，此外你的雲提供商也有可能會提供CDN服務，比如谷歌雲平臺的Cloud CDN、AWS的CloudFront、微軟Azure的Azure CDN等。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/a4\/a4399545731fa6cd1ea47ab60132a6cb.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Load Balancer"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果有一個請求不能被你的CDN服務，這個請求下一步會傳送到你的負載均衡器上。而這些可以是區域性的IP，也可以是全局性的Anycast IP。在某些情況下，你也可以使用負載均衡器來管理內部流量。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"除了路由和代理流量到合適的後端服務，負載均衡還能夠承擔SSL終止、與CDN集成，甚至管理網絡流量的某些方面等職責。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"雖然存在硬件負載均衡器，但軟件負載均衡器提供了強大的靈活性、減少了成本開支以及彈性伸縮性。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"與CDN類似，你的雲提供程序應該也能夠爲你提供一個負載均衡器（如GCP的GLB、AWS的ELB、Azure的ALB等），但更有趣的是你可以直接從Kubernetes中調配這些負載均衡器。例如，在GKE中創建一個Ingress也會在後端爲你創建一個GLB來接收流量，其他功能如CDN、SSL重定向等也可以通過配置你的ingress來設置，訪問以下鏈接查看詳情："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"underline"}],"text":"https:\/\/cloud.google.com\/kubernetes-engine\/docs\/how-to\/ingress-features"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"雖然一開始總是從小開始，但是負載均衡器可以讓你逐步擴展至具有以下規模的架構："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/4d\/4d4ff4d1dc91548dda2517277b528ae0.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"網絡及安全架構"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下一件需要關注的事情是網絡。如果你想要提高安全性，你可能需要一個私有集羣。在那裏，你可以調節入站和出站流量，在NATs後面屏蔽IP地址，在多個VPC上隔離多個子網的網絡等。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如何設置網絡通常取決於你所追求的靈活性程度以及如何實現它。設置正確的網絡就是要儘可能地減少攻擊面，同時還能保持正常的運轉。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通過設置正確的網絡來保護你的基礎設施通常還涉及到使用正確規則和限制條件設置的防火牆，以便限制來自各後端服務的流量的進出，包括入站和出站。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在很多情況下，可以通過設置堡壘主機並通過隧道進行集羣中的所有操作來保護這些私有集羣，因爲你需要向公共網絡公開的就是堡壘（又稱Jump host），通常是在與集羣相同的網絡中設置。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一些雲提供商在實現零信任安全的方法上也提供了定製化的解決方案。例如，GCP爲其用戶提供身份意識代理（IAP），可用於代替典型的VPN實現。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"所有都處理好之後，下一步是根據你的用例在集羣本身內設置網絡。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這牽涉到以下任務："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"設置集羣內的服務發現（可由CoreDNS處理）"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果需要的話，設置一個服務網格（如LinkerD、Istio、Consul等）"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"設置Ingress controller和API網關（例如：Nginx、Ambassador、Kong、Gloo等）"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"設置使用CNI的網絡插件，方便集羣內的聯網"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"設置網絡策略，調節服務間的通信，並根據需要使用各種服務類型暴露服務"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"使用GRPC、Thrift或HTTP等協議和工具，設置不同服務之間的服務間通信"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"設置A\/B測試，如果你使用像Istio或Linkerd這樣的服務網格，實現起來可以更容易"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果你想看一些示例實現，我建議你看看這個repo（"},{"type":"text","marks":[{"type":"underline"}],"text":"https:\/\/github.com\/terraform-google-modules\/cloud-foundation-fabric"},{"type":"text","text":"），它可以幫助用戶在GCP中設置所有這些不同的網絡模型，包括通過VPN的hub和spoke、用於內部的DNS和Google Private Access、支持GKE的共享VPC等等，所有這些都使用Terraform。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"而云計算中網絡的有趣之處在於，它不侷限於你所在地區的雲服務商，而是可以根據需要跨越多個地區的多個服務商。這就是Kubefed或Crossplane這樣的項目可以提供幫助的地方。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果你想探索更多關於設置VPC、子網和整體網絡時的一些最佳實踐，我建議你訪問下方網頁，同樣的概念也適用於你加入的任何雲提供商："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"underline"}],"text":"https:\/\/cloud.google.com\/solutions\/best-practices-vpc-design"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Kubernetes"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果你使用的是GKE、EKS、AKS這樣的託管集羣，Kubernetes是自動管理的，從而降低了用戶操作的複雜程度。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果你自己管理Kubernetes，你需要處理很多事情，比如，備份和加密etcd存儲，在集羣中的各個節點之間建立網絡，定期爲你的節點打上最新版本的操作系統補丁，管理集羣升級以與上游的Kubernetes版本保持一致。基於此，只有當你擁有一個專門的團隊來維護這些事情的時候，才建議這樣做。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Site Reliability Engineering (SRE)"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當你維護一個複雜的基礎設施時，擁有合適的可觀察性堆棧是非常重要的，這樣你就可以在用戶注意到錯誤之前就檢測到錯誤以及預測可能的變化，進而識別異常，並有餘力深入鑽研問題到底在哪裏。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"現在，這就需要你有代理，將指標暴露爲特定的工具或應用來收集分析（可以遵循pull或push機制）。而如果你使用的是帶有sidecars的服務網格，它們往往會自帶指標，而不需要自定義配置。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在任意場景下，都可以使用Prometheus這樣的工具作爲時序數據庫，爲你收集所有的指標，以及藉助類似於OpenTelemetry的工具，使用內置的exporter從應用程序和各種工具中公開指標。藉助Alertmanager之類的工具可以向多個渠道發送通知和告警， Grafana將提供可視化儀表板，給用戶提供整個基礎設施的完整可見性。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"綜上，這就是Prometheus的可觀察性的解決方案："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/d5\/d5826924d2599baf7aa4e2cd6df27475.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"來源：https:\/\/prometheus.io\/docs\/introduction\/overview\/"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"擁有這樣複雜的系統，還需要使用日誌聚合系統，這樣所有的日誌就可以流到一個地方，便於調試。大部分企業傾向於使用ELK或EFK堆棧，Logstash或FluentD根據你的限制條件爲你做日誌聚合和過濾。但日誌領域也有新的玩家，比如Loki和Promtail。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下圖說明了類似FluentD的日誌聚合系統如何簡化你的架構："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/99\/992b439ccf94ecc965b6a220ab6c6e1e.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"來源：https:\/\/www.fluentd.org\/architecture"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但是，如果要追蹤跨越多個微服務和工具的請求呢？這是分佈式跟蹤開始發揮作用的地方，特別是考慮到微服務的複雜性。像Zipkin和Jaeger這樣的工具一直是這個領域的先驅，最近進入這個領域的新興工具是Tempo。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"雖然日誌聚合會給出各種來源的信息，但它不一定能給出請求的上下文，這纔是做跟蹤真正有幫助的地方。但是請記住，在你的堆棧中添加跟蹤會給你的請求增加很大的開銷，因爲上下文必須和請求一起在服務之間傳播。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下圖是一個典型的分佈式跟蹤架構："}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/44\/44f65b4d9c1c6e4d561b8857663b99d2.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"來源：https:\/\/www.jaegertracing.io\/docs\/1.21\/architecture\/"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但是，網站的可靠性並不僅僅止於監控、可視化和告警。你必須準備好處理系統任何部分的任何故障，並定期進行備份和故障切換，這樣至少可以將數據損失的程度降到最低。你可以藉助類似Velero的工具實現。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Velero通過利用你使用的相同Kubernetes架構，幫助你維護集羣中各種組件的定期備份，包括你的工作負載、存儲等。Velero的架構如下："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/fd\/fd61bab66934ebf8282e4035d59f1080.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"正如你所觀察到的，有一個備份controller，它定期對對象進行備份，根據你設置的計劃將它們推送到特定的目的地，其頻率是基於你設置的計劃。這可以用於故障轉移和遷移，因爲幾乎所有的對象都有備份。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"存儲"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"有許多不同的存儲程序和文件系統可用，這在雲提供程序之間可能存在很大的不同。這就需要像容器存儲接口（CSI）這樣的標準，該標準可以幫助大部分volume的外置插件，從而使其易於維護和發展而不會成爲核心瓶頸。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下圖是CSI架構，通常可以支持各種volume插件："}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/45\/457ac2c9977fef08f1a5abb12d06b00d.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"來源：https:\/\/kubernetes.io\/blog\/2018\/08\/02\/dynamically-expand-volume-with-csi-and-kubernetes\/"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"分佈式存儲帶來的集羣、擴展等各種問題怎麼辦？"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這時Ceph這樣的文件系統已經證明了自己的能力，不過考慮到Ceph並不是以Kubernetes爲中心構建的，部署和管理起來存在一些難度，此時可以考慮Rook這樣的項目。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"雖然Rook沒有和Ceph耦合，也支持其他文件系統，比如EdgeFS、NFS等，但Rook與Ceph CSI就像是天作之合。Rook與Ceph的架構如下："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/1f\/1f3c24b331ce356338d092bf65ed965b.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"來源：https:\/\/rook.io\/docs\/rook\/v1.5\/ceph-storage.html"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如你所見，Rook承擔了Kubernetes集羣中的Ceph安裝、配置和管理的功能。根據用戶的喜好，自動分配下面的存儲。這一切的發生，都不會讓應用暴露在任何複雜的情況下。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"鏡像倉庫"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"鏡像倉庫爲你提供了一個用戶界面，你可以在這裏管理各種用戶賬戶、推送\/拉取鏡像、管理配額、通過webhook獲得事件通知、進行漏洞掃描、簽署推送的鏡像，還可以處理鏡像或在多個鏡像倉庫中複製鏡像等操作。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果你使用的是雲提供商，他們很有可能已經提供了鏡像倉庫作爲一項服務（例如GCR、ECR、ACR等），這就消除了很多複雜性。如果你的雲提供商沒有提供，你也可以選擇第三方的鏡像倉庫，比如Docker Hub、Quay等。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但如果你想託管自己的鏡像倉庫呢？"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果你想在企業內部部署鏡像倉庫，想對其本身有更多的控制權，或者想降低漏洞掃描等操作的相關成本，那麼可能需要進行託管。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果是這種情況，那麼選擇像Harbor這樣的私有鏡像倉庫會對你有所幫助。Harbor架構如下："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/2f\/2fe16906fc7475e90c788914b094f5a2.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"來源：https:\/\/goharbor.io\/docs\/1.10\/install-config\/harbor-ha-helm\/"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Harbor是一個符合OCI的鏡像倉庫，由各種開源組件組成，包括Docker鏡像倉庫V2、Harbor UI、Clair和Notary。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"CI\/CD架構"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Kubernetes可以在任何規模下託管所有的工作負載，但這也需要一個標準的方式來部署應用程序，並採用精簡的CI\/CD工作流程。下圖爲典型的CI\/CD流水線："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/3e\/3e44cf1b1f1878a270be00896b04e30f.png","alt":"圖片","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一些第三方服務如Travis CI、Circle CI、Gitlab CI或Github Actions都包含了自己的CI運行器。你只需定義你要構建的流水線中的步驟。這通常包括：構建鏡像，掃描鏡像以查找可能的漏洞，運行測試並將其推送到鏡像倉庫，在某些情況下還需要提供一個預覽環境以進行審批。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"現在，雖然如果你管理自己的CI運行器，步驟通常保持不變，但你需要將它們配置爲在集羣內部或外部設置，並具有適當的權限，以便將資產推送到鏡像倉庫。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"總結"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們已經介紹了基於Kubernetes的雲原生基礎設施的架構。正如我們上面所看到的，各種工具解決了基礎設施的不同問題。它們就像樂高積木一樣，每一個都專注於當前的一個特定問題，爲你抽象掉了很多複雜的東西。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這使得用戶可以以漸進的方式逐漸上手Kubernetes。並且你可以根據你的用例，只使用整個堆棧中你需要的工具。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"作者簡介"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"VIGNESH T.V.，Timecampus CEO、CTO及創始人。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"原文："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"https:\/\/thenewstack.io\/a-deep-dive-into-architecting-a-kubernetes-infrastructure\/"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"本文轉載自：RancherLabs（ID：RancherLabs）"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"原文鏈接："},{"type":"link","attrs":{"href":"https:\/\/mp.weixin.qq.com\/s\/Q1S9LXjpmFZu8kitxMKDhg","title":"xxx","type":null},"content":[{"type":"text","text":"一通百通，一文實現靈活的K8S基礎架"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}