K8s from Scratch | Application Orchestration and Management in K8s

Author | Zhang, senior technical expert at Alibaba

First, resource metadata

1. Kubernetes resource objects

As we know, a Kubernetes resource object consists of two parts, Spec and Status. The Spec part describes the desired state, and the Status part describes the observed state.

Today we introduce another part of a K8s resource object: the metadata section. It includes Labels, which are tags used to identify resources; Annotations, which are used to describe resources; and OwnerReference, which describes the relationship between multiple resources. This metadata plays a very important role in how K8s operates.

2. Labels

The first, and most important, piece of metadata is the resource label. A label is identifying metadata in Key: Value form; the accompanying figure shows a few common labels.

The first three labels are attached to Pod objects and identify, respectively, the application's environment, its release maturity, and its version. As the application label example shows, a label name can include a domain-name prefix that describes the system or tool doing the labeling. The last label is attached to a Node object, and it additionally carries the version identifier string beta in front of the domain name.

Labels are mainly used to filter and group resources. You can use a SQL-like select query to find the relevant resources by label.



3. Selector

The most common type of Selector is the equality-based Selector. Let's look at a simple example:

Assume the system has four Pods, each carrying a label for its tier and a label for its environment. With the label Tie: front we match the Pods in the left-hand column. An equality-based Selector can also contain multiple equality conditions, and the conditions are combined with a logical "AND".

In the example above, the Selector Tie = front, Env = dev selects all Pods with Tie = front and Env = dev, which is the Pod at the top left of the figure. The other type of Selector is the set-based Selector; in the example, the Selector selects all Pods whose environment is test or gray.

Besides the in set operation there is also the notin set operation: for example, tie notin (front,back) selects all Pods whose tie is neither front nor back. You can also filter on whether a label exists at all: for example, the Selector release selects all Pods that carry a release label. Equality-based and set-based Selectors can also be joined with ",", which likewise expresses a logical "AND".
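The four selector forms described above (k=v, in, notin and a bare key, joined by ",") can be evaluated with a small matcher. This is an added example, not code from the original article or from Kubernetes itself; `matches`, `termRe` and the `nginx1`/`nginx2` label sets are hypothetical names with constructed values, and the grammar is a simplification of the real one.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// One selector term: a key, then optionally "=value", "in (...)" or "notin (...)",
// then the "," that ANDs it with the next term, or the end of the selector.
var termRe = regexp.MustCompile(
	`^\s*([\w./-]+)(?:\s*=\s*([\w.-]+)|\s+(in|notin)\s*\(([^()]*)\))?\s*(,|$)`)

// Constructed sample: label sets for two Pods named nginx1 and nginx2.
var (
	nginx1 = map[string]string{"env": "test"}
	nginx2 = map[string]string{"env": "dev", "tie": "front"}
)

// matches reports whether labels satisfy every term of selector (logical AND).
// The whole selector is parsed even after a term fails, so syntax errors surface.
func matches(selector string, labels map[string]string) (bool, error) {
	ok := true
	for rest := selector; ; {
		m := termRe.FindStringSubmatch(rest)
		if m == nil {
			return false, fmt.Errorf("bad selector near %q", rest)
		}
		key, op, list := m[1], m[3], m[4]
		if m[2] != "" {
			op, list = "in", m[2] // k=v is "in" with a single value
		}
		val, has := labels[key]
		in := false
		for _, v := range strings.Split(list, ",") {
			in = in || (has && strings.TrimSpace(v) == val)
		}
		switch op {
		case "": // bare key: the label only has to exist
			ok = ok && has
		case "in":
			ok = ok && in
		case "notin": // also true for a Pod that lacks the key
			ok = ok && !in
		}
		if rest = rest[len(m[0]):]; m[5] == "" {
			return ok, nil
		}
	}
}

func main() {
	for _, s := range []string{"env=test", "env=dev,tie=front", "env in (dev,test)", "tie notin (front,back)", "tie"} {
		m1, _ := matches(s, nginx1)
		m2, err := matches(s, nginx2)
		fmt.Printf("%-24s nginx1=%v nginx2=%v err=%v\n", s, m1, m2, err)
	}
}
```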


4. Annotations

Another important kind of metadata is annotations. They are generally used by systems or tools to store non-identifying information about a resource, and can be used to extend the description of a resource's spec/status. Here are a few examples of annotations:

The first example stores the certificate ID of an Alibaba Cloud load balancer; we can see that annotations, like labels, can have a domain-name prefix, and can also contain version information. The second annotation stores configuration for the nginx access layer; we can see that annotations can include special characters such as ",", which cannot appear in labels. The third annotation is commonly seen on resources after a kubectl apply command: its value is structured data, in fact a JSON string, recording the JSON description of the resource from the last kubectl operation.


5. OwnerReference

The last piece of metadata is called OwnerReference. The owner generally refers to a collection-type resource; for collections of Pods, for example, there are ReplicaSet and StatefulSet, which will be covered later in the course.

The controller of a collection-type resource creates the resources that belong to it. For example, when the ReplicaSet controller creates a Pod, the OwnerReference of the created Pod points to the ReplicaSet that created it. OwnerReference lets users easily find the object that created a resource, and it can also be used to implement cascading deletion.

Second, hands-on demonstration

Here we use the kubectl command to connect to a K8s cluster already created in ACK, and then show how to view and modify the metadata of K8s objects, mainly a Pod's labels and annotations and the corresponding OwnerReference.

First we look at the current cluster configuration:

1. List the Pods; there are currently none;

  • kubectl get pods

2. Then create the Pods from the Pod YAML files prepared in advance;

  • kubectl apply -f pod1.yaml
  • kubectl apply -f pod2.yaml

3. Now look at the labels on the Pods. With the --show-labels option we can see that both Pods carry a deployment-environment label and a tier label;

  • kubectl get pods --show-labels

4. We can also view the detailed resource information another way. First look at the nginx1 Pod, using -o yaml for output; we can see that the Pod's metadata includes a labels field containing two labels;

  • kubectl get pods nginx1 -o yaml | less

5. Now, how do we modify an existing label on a Pod? Let's change its deployment environment from development to test: specify the Pod name and set the env label to the value test, and see whether it succeeds. An error is reported here; it says that this label already has a value;

  • kubectl label pods nginx1 env=test

6. To overwrite it, we have to add the extra --overwrite option. After adding it, the labeling succeeds;

  • kubectl label pods nginx1 env=test --overwrite

7. Let's look at the labels currently set in the cluster; we can see that nginx1 now indeed carries the deployment-environment label test;

  • kubectl get pods --show-labels

8. To remove a label from a Pod, use the same labeling operation, but without an equals sign after the label name. Give only the label name, followed not by an equals sign but by a minus sign, which indicates that this k:v label is to be removed;

  • kubectl label pods nginx1 tie-

9. We can see that the label was removed successfully;

  • kubectl get pods --show-labels


10. Looking at the label values now, we can see that the nginx1 Pod indeed lacks the tie=front label. Now that the Pods have labels, how do we match them with a label Selector? A label Selector is specified with the -l option. First try filtering with an equality-based Selector: we select the Pods whose deployment environment equals test, and one Pod is returned;

  • kubectl get pods --show-labels -l env=test

11. When several equality conditions are specified, they are in an "AND" relationship. If we additionally require env equal to dev, we in fact get no Pod at all;

  • kubectl get pods --show-labels -l env=test,env=dev

12. If we then specify env=dev together with tie=front, we match the second Pod, nginx2;

  • kubectl get pods --show-labels -l env=dev,tie=front

13. We can also try filtering with a set-based label Selector. This time we want to match all Pods whose deployment environment is test or dev, so we put the Selector in quotation marks and list the set of deployment environments in parentheses. Both of the Pods we created are returned;

  • kubectl get pods --show-labels -l 'env in (dev,test)'

14. Next, let's add an annotation to a Pod. The operation is the same as labeling, except that the label command becomes the annotate command; the resource type and name are specified the same way. What follows is not a label k:v but an annotation k:v. Here we can specify an arbitrary string; spaces and commas, for example, are fine;

  • kubectl annotate pods nginx1 my-annotate='my annotate,ok'

15. Then let's look at the Pod's metadata; in the annotations inside the Pod metadata we can see the my-annotate annotation;

  • kubectl get pods nginx1 -o yaml | less

We can also see here that, on kubectl apply, the kubectl tool added an annotation of its own, which is again a JSON string.


16. Next we show where a Pod's OwnerReference comes from. The earlier Pods were created directly as Pod resources; this time we create Pods a different way, by creating a ReplicaSet object. First create the ReplicaSet object, then take a closer look at it;

  • kubectl apply -f rs.yaml
  • kubectl get replicasets nginx-replicasets -o yaml | less


17. Looking at this ReplicaSet's spec, it says two Pods will be created, and its selector matches on the label whose deployment environment is the production environment, product. Now let's look at the Pods in the cluster;

  • kubectl get pods


18. We find two more Pods. Looking closely at them, a Pod created by the ReplicaSet has one distinguishing feature: it carries an OwnerReference, which points to an object of type replicasets named nginx-replicasets;

  • kubectl get pods nginx-replicasets-rhd68 -o yaml | less


Third, the controller pattern

1. The control loop

The core concept of the controller pattern is the control loop. A control loop comprises three logical components: the controller, the system being controlled, and a sensor that can observe the system.

Of course, these components are logical. The outside world controls a resource by modifying its spec; the controller compares the resource's spec with its status and computes a diff; the diff is then used to decide which control operation to perform on the system; the control operation makes the system produce new output, which the sensor reports in the form of the resource's status. Each controller component runs independently, continuously driving the system toward the final state that the spec describes.


2. Sensor

The logical sensor in the control loop mainly consists of three components: Reflector, Informer and Indexer.

The Reflector obtains resource data by List and Watch against the K8s server. List performs a full update of the system's resources when the Controller restarts or the Watch is interrupted; Watch performs incremental resource updates between successive Lists. After obtaining new resource data, the Reflector puts into the Delta queue a Delta record containing the resource object itself and the type of the event. The Delta queue guarantees that there is only one record for a given object in the queue, which avoids duplicate records when the Reflector re-Lists and re-Watches.

The Informer component continuously pops delta records from the Delta queue and hands the resource object to the Indexer, which records the resource in a cache. By default the cache is indexed by the resource's namespace, and it can be shared by the Controller Manager or by multiple Controllers. After that, the Informer hands the event to the event's callback function.


The controller component of the control loop mainly consists of event handler functions and workers. The event handlers watch for add, update and delete events on the relevant resources and decide, according to the controller's logic, whether an event needs handling. For an event that needs handling, the namespace and name of the associated resource are put into a work queue, to be processed later by a worker from the worker pool. The work queue deduplicates the stored objects, to avoid multiple Workers handling the same resource.

When processing a resource object, a Worker generally needs to use the resource's name to fetch the latest resource data again, which it uses to create or update resource objects or to call other external services. If the Worker's processing fails, it normally puts the resource name back into the work queue so that it can be retried later.

3. An example of the control loop: scaling out

Here is a simple example to explain how the control loop works.

ReplicaSet is a resource that describes the scaling behavior of a stateless application. The ReplicaSet controller watches ReplicaSet resources to keep the application at the desired number of replicas, and a ReplicaSet matches its associated Pods through a selector. Consider the scenario in which the replicas of ReplicaSet rsA is changed from 2 to 3.


First, the Reflector watches for changes to two kinds of resources, ReplicaSet and Pod; why it also watches Pod changes is explained later. After it discovers that the ReplicaSet has changed, it inserts into the delta queue a record whose object is rsA and whose type is update.

The Informer, on the one hand, updates the cache with the new ReplicaSet, indexed by the Namespace nsA. On the other hand, it calls the Update callback; the ReplicaSet controller sees that the ReplicaSet has changed and puts the string nsA/rsA into the work queue. A Worker behind the work queue takes the key nsA/rsA from the queue and fetches the latest ReplicaSet data from the cache.

By comparing the values in the ReplicaSet's spec and status, the Worker finds that this ReplicaSet needs to scale out, so the ReplicaSet Worker creates a Pod whose OwnerReference points to ReplicaSet rsA.



Then the Reflector Watches the Pod add event and puts an additional delta record of type Add into the delta queue. On the one hand, the new Pod record is stored in the cache through the Indexer; on the other hand, the Add callback of the ReplicaSet controller is called. The Add callback finds the corresponding ReplicaSet by checking the Pod's ownerReferences, and puts the string that includes the ReplicaSet's namespace into the work queue.

After the ReplicaSet Worker obtains the new work item, it fetches the new ReplicaSet record from the cache and gets all the Pods the ReplicaSet created. Because the ReplicaSet's status is not up to date, that is, its count of created Pods is not up to date, the ReplicaSet now updates its status so that spec and status agree.
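The scale-out walk-through above, replayed as a minimal in-memory control loop: a deduplicating work queue of namespace/name keys, a Worker that re-reads the object and diffs spec against what exists, and a created Pod whose owner reference re-queues its ReplicaSet. This is an added example, not code from the original article or from Kubernetes; all type and function names (`Controller`, `enqueue`, `reconcile`, `ScaleOut`) and the Pod names are hypothetical, and the Reflector/Informer stages are collapsed into direct `enqueue` calls.

```go
package main

import "fmt"

type ReplicaSet struct{ Spec, Status int } // desired vs. observed replicas
type Pod struct{ Name, Owner string }      // Owner stands in for ownerReferences

// Controller holds the Indexer's cache and the work queue of "namespace/name" keys.
type Controller struct {
	rs     map[string]*ReplicaSet // cache, keyed by "namespace/name"
	pods   map[string][]Pod       // cache of Pods, indexed by owner key
	queue  []string
	queued map[string]bool // dedup: a key sits in the queue at most once
	Log    []string        // actions taken, in order
}

// enqueue is what the Update and Add callbacks do with the owner's key.
func (c *Controller) enqueue(key string) {
	if !c.queued[key] {
		c.queued[key] = true
		c.queue = append(c.queue, key)
	}
}

// reconcile is one Worker pass: re-read the latest object by key, diff, act once.
func (c *Controller) reconcile(key string) {
	rs, owned := c.rs[key], len(c.pods[key])
	switch {
	case rs == nil: // deleted since it was queued: nothing to do
	case owned < rs.Spec: // scale out; the new Pod points back at its ReplicaSet
		p := Pod{Name: fmt.Sprintf("pod-%d", owned), Owner: key}
		c.pods[key] = append(c.pods[key], p)
		c.Log = append(c.Log, "create "+p.Name)
		c.enqueue(p.Owner) // Pod Add callback: owner found via the reference
	case rs.Status != owned: // Pods match spec, only status is stale
		rs.Status = owned
		c.Log = append(c.Log, "update status")
	}
}

// ScaleOut replays the scenario above: the ReplicaSet goes from 2 to 3 replicas.
func ScaleOut(key string) *Controller {
	c := &Controller{queued: map[string]bool{}, rs: map[string]*ReplicaSet{key: {2, 2}},
		pods: map[string][]Pod{key: {{"pod-0", key}, {"pod-1", key}}}}
	c.rs[key].Spec = 3     // external change to spec.replicas
	c.enqueue(key)         // Update callback
	c.enqueue(key)         // duplicate event, absorbed by the queue
	for len(c.queue) > 0 { // a single Worker draining the queue
		k := c.queue[0]
		c.queue = c.queue[1:]
		delete(c.queued, k)
		c.reconcile(k)
	}
	return c
}

func main() {
	fmt.Println(ScaleOut("nsA/rsA").Log)
}
```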


Fourth, controller pattern summary

1. Two API design approaches

The controller pattern Kubernetes uses depends on a declarative API. The other common type of API is the imperative API. Why does Kubernetes use a declarative API, rather than an imperative API, to design the whole controller?

First, compare how the two kinds of API differ in interaction. In everyday life, a common imperative interaction is the way parents communicate with their children: because children lack a sense of the goal and cannot understand their parents' expectations, parents often use commands to tell them explicit actions, such as eat or sleep. In a container orchestration system, an imperative API works by sending the system explicit operations to perform.

A common declarative interaction is the way a boss communicates with employees. A boss generally does not give employees very explicit decisions; in fact the boss may not understand the operational matter as well as the employees do. So the boss sets quantifiable business goals and lets employees use their own initiative. For example, the boss may require that a product's market share reach 80% without specifying the operational details of how to achieve it.

Similarly, in a container orchestration system, we can declare that the number of replicas of an application instance be kept at three, without explicitly scaling out Pods or deleting existing Pods to keep the replica count at three.


2. Problems with imperative APIs

Having understood the difference between the two kinds of interactive API, we can analyze the problems of the imperative API.

  • The biggest problem with an imperative API is error handling;

In large-scale distributed systems, errors are ubiquitous. Once an issued command gets no response, the caller can only try to recover by retrying repeatedly, but blind retries may cause bigger problems.

Suppose the original command has in fact already been executed in the background; the retry then executes the command's operation one extra time. To avoid the problems of retrying, a system often has to record the commands to be executed before executing them, and redo the pending commands in scenarios such as a restart; during execution it also has to consider complex logic such as the ordering of multiple commands and which command overrides which.

  • In fact, many imperative systems also build a background inspection system to correct data inconsistencies caused by command timeouts, retries and similar scenarios;

However, because the inspection logic differs from the everyday operational logic, it often has insufficient test coverage and insufficiently strict error handling, and carries considerable operational risk; as a result, many inspection systems are triggered manually.

  • Finally, an imperative API is also very prone to problems when handling concurrent access from multiple parties;

If several parties issue concurrent operation requests against one resource and one of the operations fails, it has to be retried. Which operation finally takes effect is then hard to determine and cannot be guaranteed. Many imperative systems lock the system before operating on it, to make the behavior that finally takes effect predictable, but locking reduces the efficiency of the whole system.

  • In contrast, a system with a declarative API naturally records the system's current state and final state.

No additional operation data is needed. Moreover, because state is idempotent, an operation can be repeated at any time. In the way a declarative system runs, normal operation is itself an inspection of resource state, so no separate inspection system has to be developed, and the system's operational logic is tested and hardened in daily operation, so the stability of the whole operation can be guaranteed.

Finally, because the final state of a resource is explicit, multiple changes to the state can be merged. Concurrent access from multiple parties can be supported without locking.


3. Controller pattern summary

Finally, we summarize:

1. The controller pattern used by Kubernetes is driven by a declarative API. More precisely, it is driven by modifications to Kubernetes resource objects;
2. Behind each Kubernetes resource are the controllers that care about that resource. These controllers asynchronously drive the system toward the configured final state;
3. These controllers operate autonomously, which makes automated and unattended operation of the system possible;
4. Because Kubernetes controllers and resources can both be custom-defined, the controller pattern is easy to extend. For stateful applications in particular, we often automate operations and maintenance by means of custom resources and controllers. This is the operator scenario that will be introduced later.



Summary of this article

Here we briefly summarize the main content of this article:

  • The metadata section of a Kubernetes resource object includes Labels, which are tags used to identify resources; Annotations, which are used to describe resources; and OwnerReference, which describes the relationship between multiple resources. This metadata plays a very important role in how K8s operates;
  • The core concept of the controller pattern is the control loop;
  • There are two API design approaches, declarative APIs and imperative APIs; the controller pattern used by Kubernetes is driven by a declarative API.


Origin www.cnblogs.com/alisystemsoftware/p/11555895.html