Kubernetes 知识图谱-赵化冰的博客

Mind Map

Kubernetes
- 基本理念
  - 自动化部署，缩扩容和管理容器应用
  - 预期状态管理(Desired State Management)
    - Kubernetes API 对象（声明预期状态）
    - Kubernetes Control Plane（确保集群当前状态匹配预期状态）
      - Kubernetes Master
        
        kube-apiserver（API Server）
        
        对外提供各种对象的CRUD REST接口
        
        对外提供Watch机制，通知对象变化
        
        将对象存储到Etcd中
        
        kube-controller-manager（守护进程）
        
        功能：通过apiserver监视集群的状态，并做出相应更改，以使得集群的当前状态向预期状态靠拢
        
        controllers
        
        replication controller
        
        endpoints controller
        
        namespace controller
        
        serviceaccounts controller
        
        ……
        
        kube-scheduler（调度器）
        
        功能：将Pod调度到合适的工作节点上运行
        
        调度的考虑因素
        
        资源需求
        
        服务治理要求
        
        硬件/软件/策略限制
        
        亲和以及反亲和要求
        
        数据局域性
        
        负载间的干扰
        
        ……
      - Work Node
        
        Kubelet（节点代理）
        
        接受通过各种机制（主要是通过apiserver）提供的一组PodSpec
        
        确保PodSpec中描述的容器处于运行状态且运行状况良好
        
        Kube-proxy（节点网络代理）
        
        在节点上提供Kubernetes API中定义Service
        
        设置Service对应的IPtables规则
        
        进行流量转发（userspace模式）
- 部署模式
  - Single node
  - Single head node，multiple workers
    - API Server，Scheduler，and Controller Manager run on a single node
  - Single etcd，HA heade nodes，multiple workers
    - Multiple API Server instances fronted by a load balancer
    - Multiple Scheduler and Controller Manager instances with leader election
    - Single etcd node
  - HA etcd，HA head nodes，multiple workers
    - Multiple API Server instances fronted by a load balancer
    - Multiple Scheduler and Controller Manager instances with leader election
    - Etcd cluster run on nodes seperate from the Kubernetes head nodes
  - Kubernetes Federation
- 商业模式
  - 云服务用户：避免使用单一云提供商导致的厂商锁定，避免技术和成本风险
  - 云服务厂商：使用Kubernetes来打破AWS的先入垄断地位，抢夺市场份额
- Workload
  - Pod
    - Smalleset deployable computing unit
    - Consist of one or more containers
    - All containers in a pod share storage, network namespacem and cgroup
  - Workload resources(Controllers)
    - Deployment & RelicaSet
      - Deployment is used to deploy stateless appliations.
      - ReplicaSet ensured a specified numbers of pod replicas are running at a given time.
      - Deployment is used to rollout/update/rollback ReplicaSet.
      - ReplicaSet is not supposed to be used directly, it should be managed by Deployments.
    - StatefulSet
      - StatefulSet is used to deploy stateful applications.
      - SetatefSet require a Headless Service to provide network identity for the pods.
    - DaemonSet
      - DaemonSet ensures that all(or some) Nodes run a copy of a Pod.
      - Use cases: cluster storage daemon, logs collection daemon, node monitoring daemon.
    - Job & CronJob
      - Job runs pods until a specified number of them have been succcessfully executed.
      - CronJob runs a job periodically on a given schedule.
- Storage
  - Volume
    - purpose
      - Persist data across the life span of a Pod
        
        Data won’t lost when a container is restarted
      - Share data between containers running together in a Pod
        
        Volume can be mounted to mutiple containers inside a Pod
    - type
      - configMap
      - emptyDir
      - hostPath
      - local
      - persistentVolumeClaim
- Network
  - Linux Network Virtualization
    - Linux tun/tap
  - Network Namespace
  - Veth Pair
  - Linux bridge
  - Vlan
  - Vxlan
    - Vxlan原理
    - Linux 上实现 vxlan 网络
  - Routing Protocol
    - Distance Vector Protocol
      - BGP
    - Link-State Protocol
      - OSPF
  - K8s Network
    - Service - Cluster IP - Headless - NodePort - LoadBalancer
      - Ingress
        
        K8s Ingress
        
        Istio Ingress Gateway
    - 腾讯云
      - Global Router
      - VPC-CNI
    - API Gateway+Service Mesh
    - Kubernetes CNI插件
      - Calico
- Security
  - Background Knowledge
    - Certificate and PKI
    - Kubernetes 中使用到的证书
  - User Type
    - Service Account
      - Managed by Kubernetes
      - Represent workloads in the cluster
      - Bound to a specific namespace
    - Normal User
      - Managed out side of Kubernetes
      - Authenticated with a valid certicated signed by the cluster’s CA
        
        User name: Certificate subject Common Name field
        
        Group: Certificate subject Organization field
  - Authentication
    - Service account tokens for service accounts
    - Client certifications for normal users
    - Certifications for control plane components communication
    - Bootstrap Token for clusters and nodes bootstrapping
  - Authorization
    - RBAC
      - Namespace Scope
        
        Role
        
        RoleBinding (Associate users retrived from authentication process to Roles)
      - Cluster Scope
        
        ClusterRole
        
        CluseterRoleBinding (Associate users retrived from authentication process to ClusteRoles)

Kubernetes 知识图谱

FEATURED TAGS

FRIENDS