Kubernetes 知识图谱

Mind Map

• Kubernetes
  • 基本理念
    • 自动化部署，缩扩容和管理容器应用
    • 预期状态管理(Desired State Management)
      • Kubernetes API 对象（声明预期状态）
      • Kubernetes Control Plane（确保集群当前状态匹配预期状态）
        • Kubernetes Master
          • kube-apiserver（API Server）
            • 对外提供各种对象的CRUD REST接口
            • 对外提供Watch机制，通知对象变化
            • 将对象存储到Etcd中
          • kube-controller-manager（守护进程）
            • 功能：通过apiserver监视集群的状态，并做出相应更改，以使得集群的当前状态向预期状态靠拢
            • controllers
              • replication controller
              • endpoints controller
              • namespace controller
              • serviceaccounts controller
              • ……
          • kube-scheduler（调度器）
            • 功能：将Pod调度到合适的工作节点上运行
            • 调度的考虑因素
              • 资源需求
              • 服务治理要求
              • 硬件/软件/策略限制
              • 亲和以及反亲和要求
              • 数据局域性
              • 负载间的干扰
              • ……
        • Work Node
          • Kubelet（节点代理）
            • 接受通过各种机制（主要是通过apiserver）提供的一组PodSpec
            • 确保PodSpec中描述的容器处于运行状态且运行状况良好
          • Kube-proxy（节点网络代理）
            • 在节点上提供Kubernetes API中定义Service
            • 设置Service对应的IPtables规则
            • 进行流量转发（userspace模式）
  • 部署模式
    • Single node
    • Single head node，multiple workers
      • API Server，Scheduler，and Controller Manager run on a single node
    • Single etcd，HA heade nodes，multiple workers
      • Multiple API Server instances fronted by a load balancer
      • Multiple Scheduler and Controller Manager instances with leader election
      • Single etcd node
    • HA etcd，HA head nodes，multiple workers
      • Multiple API Server instances fronted by a load balancer
      • Multiple Scheduler and Controller Manager instances with leader election
      • Etcd cluster run on nodes seperate from the Kubernetes head nodes
    • Kubernetes Federation
  • 商业模式
    • 云服务用户：避免使用单一云提供商导致的厂商锁定，避免技术和成本风险
    • 云服务厂商：使用Kubernetes来打破AWS的先入垄断地位，抢夺市场份额
  • Workload
    • Pod
      • Smalleset deployable computing unit
      • Consist of one or more containers
      • All containers in a pod share storage, network namespacem and cgroup
    • Workload resources(Controllers)
      • Deployment & RelicaSet
        • Deployment is used to deploy stateless appliations.
        • ReplicaSet ensured a specified numbers of pod replicas are running at a given time.
        • Deployment is used to rollout/update/rollback ReplicaSet.
        • ReplicaSet is not supposed to be used directly, it should be managed by Deployments.
      • StatefulSet
        • StatefulSet is used to deploy stateful applications.
        • SetatefSet require a Headless Service to provide network identity for the pods.
      • DaemonSet
        • DaemonSet ensures that all(or some) Nodes run a copy of a Pod.
        • Use cases: cluster storage daemon, logs collection daemon, node monitoring daemon.
      • Job & CronJob
        • Job runs pods until a specified number of them have been succcessfully executed.
        • CronJob runs a job periodically on a given schedule.
  • Storage
    • Volume
      • purpose
        • Persist data across the life span of a Pod
          • Data won’t lost when a container is restarted
        • Share data between containers running together in a Pod
          • Volume can be mounted to mutiple containers inside a Pod
      • type
        • configMap
        • emptyDir
        • hostPath
        • local
        • persistentVolumeClaim
  • Policies
    • ResourceQuota
      • purpose
        • Limit the aggregated resource consumption of a Namespace
      • Scope
        • Namespaced: ResourceQuota is enforced in a Namespace scope, different Namespaces have different Resouce limit
      • Type
        • Compute Resource Quota
          • CPU (limits.cpu requests.cpu)
          • Memory (limits.memory requets.memory)
        • Storage Resource Quota
          • Persistent Storage (storage)
          • Ephemeral Storage (ephermal-storage)
        • Object Count Quota
          • Limit of total number of Namespaced resources (count/services)
      • Request and Limit
        • Request: Resources that are guaranteed to get
        • Limit: The maximum amount of resources that one can get
  • Network
    • Linux Network Virtualization
      • Linux tun/tap
    • Network Namespace
    • Veth Pair
    • Linux bridge
    • Vlan
    • Vxlan
      • Vxlan原理
      • Linux 上实现 vxlan 网络
    • Routing Protocol
      • Distance Vector Protocol
        • BGP
      • Link-State Protocol
        • OSPF
    • K8s Network
      • Service - Cluster IP - Headless - NodePort - LoadBalancer
        • Ingress
          • K8s Ingress
          • Istio Ingress Gateway
      • 腾讯云
        • Global Router
        • VPC-CNI
      • API Gateway+Service Mesh
      • Kubernetes CNI插件
        • Calico
  • Security
    • Background Knowledge
      • Certificate and PKI
      • Kubernetes 中使用到的证书
    • User Type
      • Service Account
        • Managed by Kubernetes
        • Represent workloads in the cluster
        • Bound to a specific namespace
      • Normal User
        • Managed out side of Kubernetes
        • Authenticated with a valid certicated signed by the cluster’s CA
          • User name: Certificate subject Common Name field
          • Group: Certificate subject Organization field
    • Authentication
      • Service account tokens for service accounts
      • Client certifications for normal users
      • Certifications for control plane components communication
      • Bootstrap Token for clusters and nodes bootstrapping
    • Authorization
      • RBAC
        • Namespace Scope
          • Role
          • RoleBinding (Associate users retrived from authentication process to Roles)
        • Cluster Scope
          • ClusterRole
          • CluseterRoleBinding (Associate users retrived from authentication process to ClusteRoles)

• ← Previous Post
• Next Post →