Copyright notice: this article is the blogger's original work and may not be reproduced without the blogger's permission. https://blog.csdn.net/huangjun0210/article/details/86692108
Kubernetes core components explained
1. The Pod steward on each node: kubelet
kubelet runs on every node in the cluster
- The kubelet on each node is started by the operating system's init process (e.g. systemd). On Ubuntu 16.04+ there are two files involved, the systemd unit and its drop-in:
root@K8S-Master:/# ls /lib/systemd/system/kubelet.service
/lib/systemd/system/kubelet.service
root@K8S-Master:/# ls /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
The kubelet's main parameters are configured in /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
root@K8S-Master:/# cat /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
# Note: This dropin only works with kubeadm and kubelet v1.11+
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
# This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
EnvironmentFile=-/etc/default/kubelet
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
- Startup parameter configuration: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
- Changing the configuration and making it take effect: systemctl daemon-reload && systemctl restart kubelet
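The drop-in above layers the kubelet's flags from several places (two Environment= lines, two optional EnvironmentFile= entries, and an ExecStart= that is first cleared and then redefined). The script below is an added example, not code from the original post: it resolves that layering the way systemd does and returns the effective kubelet argv, so you can see which file actually contributed a given flag. The drop-in text is a constructed copy of the 10-kubeadm.conf shown above, and FILES is a constructed stand-in for what is on disk (the kubeadm-flags.env content and the --v=2 used in the test are assumed values).

```python
"""Resolve the effective kubelet command line from a kubeadm-style systemd
drop-in. Added example, not code from the original post: DROPIN is a
constructed copy of the 10-kubeadm.conf shown above and FILES is a
constructed stand-in for the environment files on disk."""
import shlex

# Constructed copy of /etc/systemd/system/kubelet.service.d/10-kubeadm.conf.
DROPIN = """\
# Note: This dropin only works with kubeadm and kubelet v1.11+
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
EnvironmentFile=-/etc/default/kubelet
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
"""

# Constructed stand-in for the filesystem (assumed contents). /etc/default/kubelet
# is deliberately absent: the leading "-" in "EnvironmentFile=-" tells systemd
# to skip a missing file instead of failing the unit.
FILES = {
    "/var/lib/kubelet/kubeadm-flags.env":
        'KUBELET_KUBEADM_ARGS="--cgroup-driver=systemd --network-plugin=cni"\n',
}


def parse_assignments(text):
    """Parse KEY=VALUE assignments (values may be double-quoted) from either
    the value of an Environment= line or the body of an EnvironmentFile."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for assignment in shlex.split(line):
            if "=" in assignment:
                key, value = assignment.split("=", 1)
                env[key] = value
    return env


def resolve_exec_start(dropin, files):
    """Walk the [Service] section top to bottom the way systemd does:
    Environment= and EnvironmentFile= accumulate into one map (a later
    assignment to the same name wins), an empty ExecStart= discards any
    ExecStart seen so far, and each $VAR word in the final ExecStart is
    replaced by that variable's whitespace-separated words (an unset
    variable expands to nothing). Returns the argv list."""
    env, exec_start = {}, None
    for raw in dropin.splitlines():
        line = raw.strip()
        if not line or line[0] in "#[":
            continue
        key, _, value = line.partition("=")
        if key == "Environment":
            env.update(parse_assignments(value))
        elif key == "EnvironmentFile":
            optional = value.startswith("-")
            path = value.lstrip("-")
            if path in files:
                env.update(parse_assignments(files[path]))
            elif not optional:
                raise FileNotFoundError(path)
        elif key == "ExecStart":
            exec_start = value or None
    if exec_start is None:
        raise ValueError("no ExecStart left after reset")
    argv = []
    for word in exec_start.split():
        if word.startswith("$"):
            argv.extend(env.get(word[1:], "").split())
        else:
            argv.append(word)
    return argv


def flag_map(argv):
    """Turn the '--name=value' words of an argv into a dict for lookups."""
    flags = {}
    for word in argv[1:]:
        name, _, value = word.lstrip("-").partition("=")
        flags[name] = value
    return flags


if __name__ == "__main__":
    argv = resolve_exec_start(DROPIN, FILES)
    print(" ".join(argv))
    print(flag_map(argv))
```

Because later files win, anything placed in /etc/default/kubelet (KUBELET_EXTRA_ARGS) overrides nothing but is appended last, which is why the drop-in comment calls it the override "of last resort"; check that file when a kubelet runs with a flag you did not expect.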
2. Cluster management entry point: kube-apiserver
- A static pod started by the kubelet
- The apiserver's pod spec: /etc/kubernetes/manifests/kube-apiserver.yaml
# cat /etc/kubernetes/manifests/kube-apiserver.yaml
...
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --advertise-address=172.28.65.239
    - --allow-privileged=true
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    image: k8s.gcr.io/kube-apiserver:v1.13.2
    imagePullPolicy: IfNotPresent
...
- insecure-port is the apiserver's insecure service port, reached over plain HTTP; its default value is 0, i.e. it is not opened
- service-account-key-file is the service account public key file, used to verify the service account token carried in a client request; if it is not set, the apiserver verifies tokens with tls-private-key-file instead
- kubelet-client-key is the private key the apiserver uses when it acts as a client and connects to the kubelet
- admission-control (enable-admission-plugins in this manifest) sets the chain of admission policy interceptors
- service-cluster-ip-range sets the CIDR range from which the virtual IPs of kubernetes Services are allocated; it must not overlap with the Pod range
- kubelet-client-certificate is the public key certificate the apiserver presents when it acts as a client and connects to the kubelet
- allow-privileged configures whether privileged containers may be started
- client-ca-file is the CA certificate used to verify the client certificates presented in requests
- tls-cert-file is the apiserver's public key certificate
- tls-private-key-file is the apiserver's private key
- secure-port is the apiserver's (TLS) port
- advertise-address is the apiserver's address
- authorization-mode (Node,RBAC here) sets the ordered list of authorization modes
- the etcd-* flags configure the files used for the connection between the apiserver and etcd
- The kubelet watches the /etc/kubernetes/manifests directory for changes and automatically restarts the apiserver pod whenever its manifest changes
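Because the flag list above decides who may talk to the API and how, it is worth reading it back as data rather than by eye. The script below is an added example, not code from the original post or from kubeadm: it extracts the `- --flag=value` entries from the manifest and runs a handful of checks that follow directly from the explanations above (insecure-port closed, Node and RBAC authorizers present and AlwaysAllow absent, NodeRestriction admission enabled, the TLS and kubelet-client files set, etcd reached over https with client certificates, and the Service CIDR not overlapping the Pod CIDR). The manifest excerpt is a constructed copy of the one shown above, the pod CIDR is taken from the clusterCIDR in the kube-proxy config later on the page, and the severity labels are this example's own.

```python
"""Audit the command-line flags of a kube-apiserver static-pod manifest.
Added example, not code from the original post or from kubeadm: MANIFEST is
a constructed copy of the excerpt shown above, and the checks are this
example's reading of the flags the post explains."""
import ipaddress
import re

MANIFEST = """\
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --advertise-address=172.28.65.239
    - --allow-privileged=true
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --secure-port=6443
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    image: k8s.gcr.io/kube-apiserver:v1.13.2
"""

# Pod CIDR, taken from the clusterCIDR in the kube-proxy config on this page.
POD_CIDR = "192.168.0.0/16"

FLAG_RE = re.compile(r"^\s*-\s+--([A-Za-z0-9-]+)(?:=(.*))?\s*$")


def parse_flags(manifest):
    """Collect the '- --name=value' entries of the command list into a dict.
    A flag given without '=value' is the boolean form and is stored as 'true'."""
    flags = {}
    for line in manifest.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = "true" if m.group(2) is None else m.group(2).strip()
    return flags


def audit(flags, pod_cidr=POD_CIDR):
    """Return 'WARN: ...' / 'INFO: ...' strings; an empty list means clean."""
    findings = []
    if flags.get("insecure-port", "0") != "0":
        findings.append("WARN: insecure-port is open; the plain-HTTP port bypasses authentication")
    # apiserver's built-in default for authorization-mode is AlwaysAllow.
    modes = set(flags.get("authorization-mode", "AlwaysAllow").split(","))
    if "AlwaysAllow" in modes:
        findings.append("WARN: authorization-mode contains AlwaysAllow")
    if "RBAC" not in modes:
        findings.append("WARN: RBAC is not among the authorization modes")
    if "Node" not in modes:
        findings.append("WARN: Node authorizer missing; kubelet access is not scoped to its own node")
    plugins = set(flags.get("enable-admission-plugins", "").split(","))
    if "NodeRestriction" not in plugins:
        findings.append("WARN: NodeRestriction admission plugin not enabled")
    for name in ("client-ca-file", "tls-cert-file", "tls-private-key-file",
                 "kubelet-client-certificate", "kubelet-client-key"):
        if name not in flags:
            findings.append(f"WARN: {name} not set")
    servers = flags.get("etcd-servers", "").split(",")
    if not all(s.startswith("https://") for s in servers) or any(
            n not in flags for n in ("etcd-cafile", "etcd-certfile", "etcd-keyfile")):
        findings.append("WARN: apiserver-to-etcd link is not fully TLS-authenticated")
    if "service-account-key-file" not in flags:
        findings.append("INFO: service-account-key-file unset; tokens are checked with tls-private-key-file")
    if flags.get("allow-privileged") == "true":
        findings.append("INFO: privileged containers allowed; limit their use through admission control")
    if "service-cluster-ip-range" in flags:
        svc = ipaddress.ip_network(flags["service-cluster-ip-range"], strict=False)
        if svc.overlaps(ipaddress.ip_network(pod_cidr, strict=False)):
            findings.append("WARN: service-cluster-ip-range overlaps the pod CIDR")
    return findings


if __name__ == "__main__":
    for line in audit(parse_flags(MANIFEST)) or ["clean"]:
        print(line)
```

Run against the manifest on this page the only output is the INFO line about allow-privileged=true, which is expected for a kubeadm control plane; the WARN lines appear as soon as someone opens the insecure port or loosens the authorizer list.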
3. Configuration store: etcd
- Located at etcd.yaml under /etc/kubernetes/manifests
- A static pod started by the kubelet
- Communication between the apiserver and etcd is secured with TLS
- etcd mounts the master node's local path /var/lib/etcd for its runtime data
If you need to migrate etcd's data, this is the directory to look after: /var/lib/etcd
4. Management control center: kube-controller-manager
- Responsible for managing Nodes, Pod replicas, Service endpoints, namespaces, Service Accounts, resource quotas and so on across the cluster
- A static pod started by the kubelet
- The file is kube-controller-manager.yaml in /etc/kubernetes/manifests; to change its configuration, edit that file and the pod is restarted automatically so the change takes effect
5. Scheduler: kube-scheduler
Scheduler: it does nothing but schedule Pods
- Following a specific scheduling algorithm and policy, it binds each pending Pod to a suitable Node in the cluster and writes the binding
- A static pod started by the kubelet
- Located at kube-scheduler.yaml in /etc/kubernetes/manifests
6. Service abstraction implementation: kube-proxy
kube-proxy runs on every node of the kubernetes cluster
- kube-proxy is started as a single instance on each node by a DaemonSet controller
- Configuration parameters: /var/lib/kube-proxy/config.conf (inside the pod)
- Look up the kube-proxy pod ID; here it is kube-proxy-lspg2
root@K8S-Master:~# kubectl exec kube-proxy-lspg2 -n kube-system -- cat /var/lib/kube-proxy/config.conf
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
clientConnection:
  acceptContentTypes: ""
  burst: 10
  contentType: application/vnd.kubernetes.protobuf
  kubeconfig: /var/lib/kube-proxy/kubeconfig.conf
  qps: 5
clusterCIDR: 192.168.0.0/16
configSyncPeriod: 15m0s
conntrack:
  max: null
  maxPerCore: 32768
  min: 131072
  tcpCloseWaitTimeout: 1h0m0s
  tcpEstablishedTimeout: 24h0m0s
enableProfiling: false
healthzBindAddress: 0.0.0.0:10256
hostnameOverride: ""
iptables:
  masqueradeAll: false
  masqueradeBit: 14
  minSyncPeriod: 0s
  syncPeriod: 30s
ipvs:
  excludeCIDRs: null
  minSyncPeriod: 0s
  scheduler: ""
  syncPeriod: 30s
kind: KubeProxyConfiguration
metricsBindAddress: 127.0.0.1:10249
mode: ""
nodePortAddresses: null
oomScoreAdj: -999
portRange: ""
resourceContainer: /kube-proxy
If mode is empty, the best mode currently available is chosen, which at present is iptables
- Proxy mode: iptables
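Several values in that dump are derived rather than literal: an empty mode resolves to iptables (as stated above), and conntrack.max is null, so the table size kube-proxy asks the kernel for is computed from maxPerCore and min. The script below is an added example, not code from the original post or from kube-proxy: it reads the dump with a small purpose-built parser and reports the effective proxy mode, the effective conntrack maximum for a given CPU count, and which of kube-proxy's HTTP endpoints (healthz, metrics) are bound beyond loopback. The config text is an abridged, constructed copy of the dump shown above; the conntrack rule (an explicit max wins, otherwise maxPerCore times the CPU count, never below min) is this example's restatement of how kube-proxy sizes the conntrack table.

```python
"""Derive kube-proxy's effective settings from its config.conf dump.
Added example, not code from the original post or from kube-proxy: CONFIG is
an abridged, constructed copy of the dump shown above (the ipvs block and a
few scalar keys are omitted); the conntrack rule is this example's
restatement of kube-proxy's conntrack sizing."""

CONFIG = """\
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
clientConnection:
  burst: 10
  kubeconfig: /var/lib/kube-proxy/kubeconfig.conf
  qps: 5
clusterCIDR: 192.168.0.0/16
configSyncPeriod: 15m0s
conntrack:
  max: null
  maxPerCore: 32768
  min: 131072
  tcpCloseWaitTimeout: 1h0m0s
  tcpEstablishedTimeout: 24h0m0s
enableProfiling: false
healthzBindAddress: 0.0.0.0:10256
hostnameOverride: ""
iptables:
  masqueradeAll: false
  masqueradeBit: 14
  minSyncPeriod: 0s
  syncPeriod: 30s
kind: KubeProxyConfiguration
metricsBindAddress: 127.0.0.1:10249
mode: ""
oomScoreAdj: -999
"""


def scalar(text):
    """Decode the scalar forms in the dump: null, booleans, quoted strings,
    integers; anything else (durations, paths, addresses) stays a string."""
    if text == "null":
        return None
    if text in ("true", "false"):
        return text == "true"
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1]
    try:
        return int(text)
    except ValueError:
        return text


def parse_config(text):
    """Read the two-level layout of the dump: top-level 'key: value' lines and
    'key:' headers followed by indented children. Purpose-built for this
    shape, not a general YAML parser."""
    root, section = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if raw.startswith(" "):
            section[key] = scalar(value)
        elif value == "":
            root[key] = section = {}
        else:
            root[key] = scalar(value)
            section = None
    return root


def effective_mode(cfg):
    """An empty mode means 'pick the best available', which is iptables here."""
    return cfg["mode"] or "iptables"


def effective_conntrack_max(cfg, cpus):
    """nf_conntrack table size kube-proxy requests on a node with `cpus`
    cores: an explicit max wins; otherwise maxPerCore * cpus, floored at min."""
    ct = cfg["conntrack"]
    if ct.get("max"):
        return ct["max"]
    return max(ct["maxPerCore"] * cpus, ct.get("min") or 0)


def exposed_listeners(cfg):
    """True for each HTTP endpoint bound to something other than loopback.
    healthz is meant for node-level checks; metrics normally stays local."""
    report = {}
    for key in ("healthzBindAddress", "metricsBindAddress"):
        host = cfg[key].rsplit(":", 1)[0]
        report[key] = host not in ("127.0.0.1", "localhost", "::1")
    return report


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print("mode:", effective_mode(cfg))
    print("conntrack max on 4 CPUs:", effective_conntrack_max(cfg, 4))
    print("listeners reachable off-host:", exposed_listeners(cfg))
```

On a small node the min of 131072 dominates (2 CPUs would give only 65536 from maxPerCore), while on an 8-CPU node the per-core product, 262144, is what gets written to nf_conntrack_max; knowing which branch applies explains why conntrack settings differ between nodes running the same config.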
7. Cluster management tool: kubectl
kubectl is currently the most powerful tool for managing a k8s cluster; its main command categories are:
- Cluster access configuration: kubectl config
- Cluster control: kubectl create/apply/delete/label/edit/expose/scale
- Cluster inspection and debugging: kubectl get/describe/logs/exec/attach
Some examples
- Cluster access configuration commands
kubectl config view
kubectl config set-cluster k8s1 --server=https://1.2.3.4
kubectl config get-clusters
kubectl config delete-cluster k8s1
- Cluster control commands
# create a pod
kubectl create -f xxx.yaml
# add a label
kubectl label pods/<pod-name> <pod-label>
# query labels
kubectl get pods --show-labels | grep <%pod-name%>
# edit the pod's configuration yaml
kubectl edit deployment/<pod-name>
# scale the pod's replicas up to 3
kubectl scale --replicas=3 deployment/<%pod-name%>
# create or update pods; recommended
kubectl apply -f xxx.yaml
# delete the deployment
kubectl delete -f xxx.yaml
- Cluster inspection and debugging
# list pods
kubectl get pods <options>
# show a pod's runtime details
kubectl describe pods/<pod-name>
# follow the logs
kubectl logs -f pods/<pod-name>
# run a command inside the container, e.g. print the contents of /xxx/xxx/xxx.conf
kubectl exec <pod-name> -- cat /xxx/xxx/xxx.conf
# attach to the container
kubectl attach <pod-name>