Kubernetes Tutorial
Kubernetes (K8s for short) is the container orchestration system open-sourced by Google; it automates the deployment, scaling and management of containerized applications.
I. Core Concepts
- Cluster: a set of nodes (physical or virtual machines)
- Node: a worker machine in the cluster; nodes are either Master nodes or Worker nodes
- Pod: the smallest deployable unit in Kubernetes, containing one or more containers
- Service: defines the access policy for a set of Pods
- Volume: persistent storage
- Namespace: a virtual cluster used to isolate resources
II. Kubernetes Architecture
Master components
- API Server: the single entry point to the cluster
- Scheduler: assigns Pods to nodes
- Controller Manager: keeps the cluster in its desired state
- etcd: distributed key-value store that holds the cluster state
Node components
- Kubelet: communicates with the Master and manages the Pods on its node
- Kube-proxy: implements the network proxy behind Services
- Container Runtime: the container runtime (e.g. Docker)
III. Installing Kubernetes
1. Minikube (local development environment)
# Install minikube
curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
sudo install minikube-linux-amd64 /usr/local/bin/minikube
# Start the cluster
minikube start
# Verify the installation
kubectl get nodes
2. kubeadm (production environment)
# Run on every node
sudo apt-get update && sudo apt-get install -y apt-transport-https curl
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update
sudo apt-get install -y kubelet kubeadm kubectl
sudo apt-mark hold kubelet kubeadm kubectl
# Run on the Master node
sudo kubeadm init --pod-network-cidr=10.244.0.0/16
# Run on each Worker node (use the join command printed by kubeadm init)
kubeadm join <master-ip>:<master-port> --token <token> --discovery-token-ca-cert-hash <hash>
# Install the network plugin (on the Master node)
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
IV. Basic kubectl Commands
Cluster management
kubectl cluster-info                  # show cluster info
kubectl get nodes                     # list nodes
kubectl describe node <node>          # show node details
Resource management
kubectl get pods [-n namespace]           # list Pods
kubectl get deployments                   # list Deployments
kubectl get services                      # list Services
kubectl get all                           # list all resources
kubectl describe pod <pod-name>           # show Pod details
kubectl logs <pod-name> [-c container]    # show Pod logs
kubectl exec -it <pod-name> -- /bin/bash  # open a shell inside the Pod
Creating / deleting resources
kubectl apply -f file.yaml                      # create or update resources
kubectl delete -f file.yaml                     # delete resources
kubectl create deployment nginx --image=nginx   # quickly create a Deployment
V. Core Kubernetes Resources
1. Pod
# pod-example.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod
  labels:
    app: nginx
spec:
  containers:
  - name: nginx-container
    image: nginx:1.14.2
    ports:
    - containerPort: 80
2. Deployment
# deployment-example.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
3. Service
# service-example.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  type: NodePort  # can also be ClusterIP or LoadBalancer
VI. Intermediate Kubernetes Concepts
1. ConfigMap & Secret
# configmap-example.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  APP_COLOR: blue
  APP_MODE: prod
# secret-example.yaml
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
type: Opaque
data:
  DB_Password: cGFzc3dvcmQ=  # base64-encoded, not encrypted
2. Volume
# volume-example.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: data-volume
      mountPath: /usr/share/nginx/html
  volumes:
  - name: data-volume
    hostPath:
      path: /data
      type: Directory
3. StatefulSet (stateful applications)
# statefulset-example.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  serviceName: "nginx"
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: [ "ReadWriteOnce" ]
      resources:
        requests:
          storage: 1Gi
VII. Kubernetes Networking
1. Service types
- ClusterIP: the default type; an IP reachable only inside the cluster
- NodePort: exposes the Service on a static port of every node's IP
- LoadBalancer: uses the cloud provider's load balancer
- ExternalName: maps the Service to an external name by returning a CNAME record
2. Ingress
# ingress-example.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-service
            port:
              number: 80
VIII. Kubernetes Operations
1. Autoscaling
# Create an HPA
kubectl autoscale deployment nginx-deployment --cpu-percent=50 --min=1 --max=10
# Inspect the HPA
kubectl get hpa
2. Rolling updates
kubectl set image deployment/nginx-deployment nginx=nginx:1.16.1
kubectl rollout status deployment/nginx-deployment
kubectl rollout history deployment/nginx-deployment
kubectl rollout undo deployment/nginx-deployment
3. Resource limits
# resources-example.yaml
apiVersion: v1
kind: Pod
metadata:
  name: limited-pod
spec:
  containers:
  - name: nginx
    image: nginx
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
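A small pre-deployment check over the Secret, hostPath Volume and resource-limit manifests from sections VI and VIII, added here as an example and not part of the original tutorial. The manifests are transcribed into Python dicts (constructed input) so it runs without a cluster or PyYAML; lint_pod and decode_secret are hypothetical helper names.

```python
import base64

# The page's manifests as Python dicts (constructed input, mirrors the YAML above).
VOLUME_POD = {
    "kind": "Pod", "metadata": {"name": "nginx-pod"},
    "spec": {
        "containers": [{"name": "nginx", "image": "nginx",
                        "volumeMounts": [{"name": "data-volume",
                                          "mountPath": "/usr/share/nginx/html"}]}],
        "volumes": [{"name": "data-volume",
                     "hostPath": {"path": "/data", "type": "Directory"}}],
    },
}
LIMITED_POD = {
    "kind": "Pod", "metadata": {"name": "limited-pod"},
    "spec": {"containers": [{"name": "nginx", "image": "nginx",
                             "resources": {"requests": {"memory": "64Mi", "cpu": "250m"},
                                           "limits": {"memory": "128Mi", "cpu": "500m"}}}]},
}
APP_SECRET = {"kind": "Secret", "metadata": {"name": "app-secret"},
              "type": "Opaque", "data": {"DB_Password": "cGFzc3dvcmQ="}}


def lint_pod(manifest):
    """Return a list of findings for one Pod manifest (empty list means clean)."""
    findings = []
    spec = manifest.get("spec", {})
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            # hostPath hands the container a slice of the node's filesystem
            findings.append(f"{name}: volume {vol['name']} uses hostPath "
                            f"{vol['hostPath'].get('path')}")
    for c in spec.get("containers", []):
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]          # ignore a registry host:port prefix
        tag = last.split(":", 1)[1] if ":" in last else ""
        if tag in ("", "latest"):
            findings.append(f"{name}/{c['name']}: image '{image}' has no pinned tag")
        if not c.get("resources", {}).get("limits"):
            # no limits: a runaway container can starve the node
            findings.append(f"{name}/{c['name']}: no resources.limits set")
    return findings


def decode_secret(manifest):
    """Secret .data values are only base64-encoded: anyone who can read the object reads the value."""
    return {k: base64.b64decode(v).decode() for k, v in manifest.get("data", {}).items()}
```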
IX. Kubernetes Security
1. RBAC (role-based access control)
# rbac-example.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
2. Network Policies
# network-policy-example.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
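The NetworkPolicy above, applied to a few pod-to-pod flows by a simplified evaluator; this is an added example, not code from the tutorial or from any CNI plugin. It models one namespace, podSelector peers only (no namespaceSelector or ipBlock), and policies that list policyTypes explicitly; selects, rule_allows and traffic_allowed are hypothetical names.

```python
# The page's NetworkPolicy as a Python dict (constructed input).
TEST_POLICY = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "test-network-policy"},
    "spec": {
        "podSelector": {"matchLabels": {"role": "db"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "frontend"}}}],
                     "ports": [{"protocol": "TCP", "port": 6379}]}],
        "egress": [{"to": [{"podSelector": {"matchLabels": {"role": "frontend"}}}],
                    "ports": [{"protocol": "TCP", "port": 6379}]}],
    },
}


def selects(selector, labels):
    """An empty selector matches every pod; otherwise every matchLabels pair must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def rule_allows(rule, peer_labels, protocol, port, peer_key):
    """One ingress/egress rule: no peers means any peer, no ports means any port."""
    peers = rule.get(peer_key, [])
    peer_ok = not peers or any(selects(p["podSelector"], peer_labels)
                               for p in peers if "podSelector" in p)
    ports = rule.get("ports", [])
    port_ok = not ports or any(p.get("protocol", "TCP") == protocol and p.get("port") == port
                               for p in ports)
    return peer_ok and port_ok


def traffic_allowed(policies, src_labels, dst_labels, protocol, port):
    """A flow is allowed only if the source's egress AND the destination's ingress allow it.
    A pod selected by no policy of a given type is unrestricted in that direction (the
    Kubernetes default); once selected, only explicitly listed rules are allowed."""
    def direction(labels, peer_labels, ptype, rules_key, peer_key):
        applicable = [p["spec"] for p in policies
                      if ptype in p["spec"].get("policyTypes", [])
                      and selects(p["spec"]["podSelector"], labels)]
        if not applicable:
            return True
        return any(rule_allows(r, peer_labels, protocol, port, peer_key)
                   for spec in applicable for r in spec.get(rules_key, []))
    return (direction(src_labels, dst_labels, "Egress", "egress", "to")
            and direction(dst_labels, src_labels, "Ingress", "ingress", "from"))
```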
X. Monitoring and Logging
1. Monitoring options
- Metrics Server: cluster resource metrics
- Prometheus: open-source monitoring system
- Grafana: visualization of monitoring data
2. Logging options
- EFK Stack: Elasticsearch + Fluentd + Kibana
- Loki: Grafana's lightweight log aggregation system
XI. Troubleshooting Common Problems
- Pod stuck in Pending
  kubectl describe pod <pod-name>
  kubectl get events --sort-by=.metadata.creationTimestamp
- Pod crashing or failing to start
  kubectl logs <pod-name> --previous
  kubectl describe pod <pod-name>
- Node NotReady
  journalctl -u kubelet -n 50 --no-pager
- Insufficient resources
  kubectl describe nodes
  kubectl top nodes
  kubectl top pods
XII. Further Learning
- Helm: the Kubernetes package manager
- Operator pattern: custom controllers
- Service Mesh: Istio/Linkerd
- GitOps: ArgoCD/Flux
- Multi-cluster management: Kubefed
Kubernetes is a powerful container orchestration system; the learning curve is steep but well worth it. Start hands-on with Minikube and work your way through the individual concepts and components step by step.