Building an enterprise-class platform on Kubernetes: the tools you need are all here!

Kubernetes has become the recognized de facto standard for container orchestration, and it is found almost everywhere. Practitioners who never had to understand this technology are now going through a painful adjustment: software development, testing and infrastructure all fall within its scope.

 

Before you can build a production-ready Kubernetes platform you must be ready to migrate applications out of their legacy environments, and that is far from easy. You need an etcd database, kube-controller-manager, kube-scheduler, certificates, CoreDNS and so on. It also takes time and resources to research and settle on the right combination of components, plus a reliable, adaptable testing method so that you can roll out changes or enhancements quickly.

 

Beyond building the environment and the management processes, strategic and tactical planning is also extremely important for the company. Few companies adopt containers purely to satisfy infrastructure needs. Your container environment design and technology stack will more likely need to support both old and new forms of computing, while avoiding duplicated assets, resources and cost. (An example technology stack and design are shown in the figures below.)

Figure 1: Container technology stack

Figure 2: Container environment design

 

Management and automation

 

Rancher is an open-source, enterprise-class Kubernetes management platform that delivers Kubernetes-as-a-Service to enterprise users. Its clean, intuitive interface and workflow go a long way toward solving the long-standing problems of the Kubernetes native UI: poor usability and a steep learning curve. With Rancher you are spared the pain of creating Kubernetes clusters by hand and can set up a cluster automatically with one click. It also provides the feature set a K8s cluster needs, including configuration, access control, global DNS, backup and disaster recovery, monitoring, logging and cluster upgrades. Ansible can be used to provision CentOS VMs as K8s nodes.
 

Logs and monitoring

 

Rancher ships with a built-in Fluentd deployment that can be used to build an EFK (Elasticsearch, Fluentd, Kibana) stack. Each cluster can be configured to have Fluentd push its logs to an Elasticsearch instance.

 

Kibana is an open-source visualization platform that makes it very easy to view and search the logs stored in Elasticsearch.

 
Elasticsearch Github repo:

https://github.com/helm/charts/tree/master/stable/elasticsearch

 

Prometheus is a good solution for collecting monitoring metrics: the Prometheus server stores the time-series data, Alertmanager manages alerts, node-exporter exports metrics from the nodes, and kube-state-metrics generates metrics for all K8s objects.
 

Prometheus Github repo:

https://github.com/helm/charts/tree/master/stable/prometheus

 

Prometheus itself offers only a basic expression browser rather than a dashboarding UI, so Grafana, a data visualization tool, is needed. It connects to the Prometheus server and provides the charts and dashboards used for monitoring.
 

Grafana Github repo:

https://github.com/helm/charts/tree/master/stable/grafana
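The components listed above only pay off once alerts are actually defined on their metrics. The following is an added example, not taken from the original post or from the Prometheus chart, of a Prometheus rule file and a minimal Alertmanager configuration that tie the pieces together: a kube-state-metrics rule for crash-looping pods, a node-exporter rule for a nearly full root disk, and a rule on Prometheus's own `up` metric that fires when a scrape target such as kube-state-metrics disappears. The alert names, thresholds, severity labels and webhook URLs are assumptions chosen for illustration.

```yaml
# Added example (not from the original post): prometheus rules file, e.g. k8s-platform.rules.yml
groups:
- name: k8s-platform.rules
  rules:
  # kube-state-metrics: a container that restarted more than 3 times in 15 minutes
  - alert: KubePodCrashLooping
    expr: increase(kube_pod_container_status_restarts_total[15m]) > 3
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "Pod {{ $labels.namespace }}/{{ $labels.pod }} is restarting repeatedly"
  # node-exporter: root filesystem below 10% free for 10 minutes
  - alert: NodeRootDiskAlmostFull
    expr: (node_filesystem_avail_bytes{mountpoint="/"} / node_filesystem_size_bytes{mountpoint="/"}) < 0.10
    for: 10m
    labels:
      severity: critical
    annotations:
      summary: "Root filesystem on {{ $labels.instance }} is almost full"
  # Prometheus itself: any scrape target (node-exporter, kube-state-metrics, ...) gone for 5 minutes
  - alert: ScrapeTargetDown
    expr: up == 0
    for: 5m
    labels:
      severity: critical
    annotations:
      summary: "Target {{ $labels.job }}/{{ $labels.instance }} is not being scraped"
---
# Added example: alertmanager.yml routing critical alerts to a pager and the rest to chat.
# The receiver URLs are placeholders (assumption), not real endpoints.
route:
  receiver: chat
  group_by: ['alertname', 'namespace']
  routes:
  - matchers:
    - severity="critical"
    receiver: pager
receivers:
- name: chat
  webhook_configs:
  - url: https://chat.example.internal/hook      # placeholder
- name: pager
  webhook_configs:
  - url: https://pager.example.internal/hook     # placeholder
```

Load the rules file through the Prometheus server's `rule_files` setting and point `alerting.alertmanagers` at the Alertmanager service; `promtool check rules k8s-platform.rules.yml` validates the rule syntax before it is shipped.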
 


Persistent storage

 

Everything in Kubernetes is dynamic and stateless, which runs counter to the principles of traditional storage. Choosing a viable persistent storage solution is therefore one of the hard problems you will face. There are many popular solutions on the market, such as Ceph, Rook, StarageIO and Portworx.

 

Among these, Portworx offers data mobility, high availability, independence from the underlying infrastructure, and dynamic encryption of persistent volumes. On the worker nodes we recommend attaching a separate disk (vmdk) and building the Portworx storage pool from it. Portworx ships with a smart scheduler called Stork, which places pods on the nodes that hold their volumes; that lets you save on licensing cost by installing Portworx on only a few of the worker nodes.

 

You can deploy Portworx with this Helm chart:

https://github.com/portworx/helm/tree/master/charts/portworx
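To make the encryption and Stork points concrete, here is an added example that is not from the original post or from Portworx's own documentation: a StorageClass that asks Portworx for three replicas and an encrypted volume, a PersistentVolumeClaim that uses it, and a Deployment that hands pod placement to Stork. The object names, image and mount path are illustrative assumptions; the StorageClass parameter names (repl, secure, fs) are the ones Portworx documents for the in-tree provisioner, and should be checked against the Portworx version you deploy.

```yaml
# Added example (not from the original post): Portworx StorageClass with encryption,
# a claim against it, and a pod scheduled by Stork. Names are illustrative.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: px-encrypted
provisioner: kubernetes.io/portworx-volume
parameters:
  repl: "3"        # keep three replicas across Portworx nodes
  secure: "true"   # encrypt the volume with the cluster-wide Portworx secret
  fs: ext4
reclaimPolicy: Delete
allowVolumeExpansion: true
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data
spec:
  storageClassName: px-encrypted
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 10Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ledger
spec:
  replicas: 1
  selector:
    matchLabels: {app: ledger}
  template:
    metadata:
      labels: {app: ledger}
    spec:
      schedulerName: stork      # let Stork place the pod on a node that holds a replica of its volume
      containers:
      - name: ledger
        image: registry.example.internal/ledger:1.0   # placeholder image (assumption)
        volumeMounts:
        - name: data
          mountPath: /var/lib/ledger
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: app-data
```

After `kubectl apply -f` on this file, `kubectl get pvc app-data` should show the claim Bound, and the ledger pod should land on one of the Portworx nodes rather than on an arbitrary worker.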
 

Container security

 

Container security is continually evolving. Because pods are so dynamic, visibility into and control over every process and every communication inside the containers becomes critical. NeuVector provides continuous runtime protection for hosts and pods, and protects containers from security vulnerabilities by scanning the Kubernetes cluster, nodes, pods and container images. An added benefit is that it can run the Docker and Kubernetes (CIS) benchmarks against the cluster. It can also act as a network firewall by learning the normal behavior of a pod or service and dynamically creating security policies from it. When a service is in "protect mode", any unauthorized process or network connection for that pod or service is blocked.

 

You can deploy NeuVector with this Helm chart:

https://github.com/neuvector/neuvector-helm
 

Load balancing

 

Once applications are deployed in a K8s cluster there are several options for exposing them outside the cluster. A further consideration arises if you are migrating applications from traditional infrastructure into containers and want to keep the ability to roll back, or want services that have already been migrated into the K8s cluster to remain reachable from the traditional environment.

 

Avi Networks provides a software-defined load balancer with a control plane and a service (data) plane. It delivers load balancing, traffic management, elastic scaling and end-to-end automation for K8s services. In a K8s cloud, Avi deploys its Service Engines as pods; they handle north-south traffic (the traffic between clients and servers) and load balancing for K8s services.

 
Whenever an Ingress is created in the K8s cloud, Avi, configured with a DNS server and an IPAM pool, automatically creates a virtual service: it allocates an IP address from IPAM, creates a DNS entry and configures the backend pod pool. Avi can also attach various HTTP policies and network security policies through annotations on the Ingress.
 

CI/CD tools

 

Because everything, together with its dependencies, is packaged into containers, Kubernetes makes continuous deployment a reality; it can also schedule workloads onto specific worker nodes. A rolling update strategy lets continuous deployment run with zero downtime.
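Zero-downtime rolling updates only happen when the Deployment is configured for them; the defaults allow a ready pod to be removed before its replacement is serving. The following is an added example that is not from the original post: a Deployment whose rolling update never reduces the number of ready pods, gates traffic on a readiness probe, drains before shutdown, and is pinned to specific worker nodes, plus a PodDisruptionBudget so that node maintenance respects the same floor. The image, health-check path and node label are illustrative assumptions.

```yaml
# Added example (not from the original post): a Deployment configured for a
# zero-downtime rolling update. Image, probe path and node label are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
spec:
  replicas: 3
  selector:
    matchLabels: {app: frontend}
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0   # never remove a ready pod before its replacement is ready
      maxSurge: 1         # bring up one new pod at a time
  template:
    metadata:
      labels: {app: frontend}
    spec:
      nodeSelector:
        node-role.example.internal/web: "true"   # pin to specific worker nodes (label is illustrative)
      terminationGracePeriodSeconds: 30
      containers:
      - name: frontend
        image: registry.example.internal/frontend:1.4.2   # placeholder; CI pushes immutable tags here
        ports:
        - containerPort: 8080
        readinessProbe:          # a pod receives traffic only once this passes
          httpGet: {path: /healthz, port: 8080}
          periodSeconds: 5
          failureThreshold: 3
        lifecycle:
          preStop:               # give the load balancer time to stop sending traffic before SIGTERM
            exec: {command: ["sleep", "5"]}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: frontend
spec:
  minAvailable: 2                # voluntary disruptions (drains, upgrades) keep at least 2 pods up
  selector:
    matchLabels: {app: frontend}
```

Roll a new image with `kubectl set image deployment/frontend frontend=<new tag>` and watch `kubectl rollout status deployment/frontend`; if the readiness probe of the new version never passes, the rollout stalls with the old pods still serving, and `kubectl rollout undo` returns to the previous ReplicaSet. `policy/v1` for PodDisruptionBudget requires Kubernetes 1.21 or later; older clusters use `policy/v1beta1`.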

 

Jenkins is a very good tool for continuous integration and image builds; it integrates with GitLab, Nexus, JFrog Artifactory, SonarQube, NeuVector, Fortify, Helm and Rancher to form a complete CI/CD pipeline.

 

Helm packages an entire application stack into a chart, including the required pods, services, secrets, ingresses and persistent storage. Helm also keeps deployments consistent across different environments. (As shown below.)

Figure 3: Container pipeline
 

All in all, there are many ways to help build a Kubernetes platform, and deploying applications to a K8s cluster is easier than ever. I hope this has given you a better understanding of the areas to pay attention to, and of which tools or platforms can make a K8s cluster a reality in the enterprise.

Origin blog.51cto.com/12462495/2436692