Kubernetes Knowledge Map

Posted by "Huabing Zhao" on Saturday, February 22, 2020

Mind Map

  • Kubernetes
    • Core Concepts
      • Automates the deployment, scaling, and management of containerized applications
      • Desired State Management
        • Kubernetes API objects (declare the desired state)
        • Kubernetes Control Plane (drives the current state of the cluster to match the desired state)
          • Kubernetes Master
            • kube-apiserver (API Server)
              • Exposes REST endpoints for CRUD operations on every object type
              • Exposes a watch mechanism that notifies clients when objects change
              • Persists objects in etcd
            • kube-controller-manager (daemon)
              • Function: watches the cluster state through the apiserver and makes the changes needed to move the current state toward the desired state
              • controllers
                • replication controller
                • endpoints controller
                • namespace controller
                • serviceaccounts controller
                • ……
            • kube-scheduler (scheduler)
              • Function: assigns each Pod to a suitable worker node
              • Factors considered when scheduling
                • Resource requirements
                • Quality-of-service requirements
                • Hardware/software/policy constraints
                • Affinity and anti-affinity specifications
                • Data locality
                • Inter-workload interference
                • ……
          • Worker Node
            • kubelet (node agent)
              • Takes a set of PodSpecs provided through various mechanisms (primarily the apiserver)
              • Ensures the containers described in those PodSpecs are running and healthy
            • kube-proxy (node network proxy)
              • Implements, on each node, the Service abstraction defined in the Kubernetes API
              • Programs iptables rules for each Service (iptables mode)
              • Forwards traffic itself (userspace mode)
    • Deployment Patterns
      • Single node
      • Single head node, multiple workers
        • API Server, Scheduler, and Controller Manager run on a single node
      • Single etcd, HA head nodes, multiple workers
        • Multiple API Server instances fronted by a load balancer
        • Multiple Scheduler and Controller Manager instances with leader election
        • Single etcd node
      • HA etcd, HA head nodes, multiple workers
        • Multiple API Server instances fronted by a load balancer
        • Multiple Scheduler and Controller Manager instances with leader election
        • Etcd cluster runs on nodes separate from the Kubernetes head nodes
      • Kubernetes Federation
    • Business Model
      • Cloud users: avoid the vendor lock-in that comes with depending on a single cloud provider, and the technical and cost risks it brings
      • Cloud vendors: use Kubernetes to break AWS's first-mover dominance and win market share
    • Workload
      • Pod
      • Workload resources(Controllers)
        • Deployment & ReplicaSet
          • Deployment is used to deploy stateless applications.
          • ReplicaSet ensures that a specified number of pod replicas are running at any given time.
          • Deployment is used to roll out, update, and roll back ReplicaSets.
          • ReplicaSet is not supposed to be used directly; it should be managed by a Deployment.
        • StatefulSet
          • StatefulSet is used to deploy stateful applications.
          • StatefulSet requires a Headless Service to provide a stable network identity for its pods.
        • DaemonSet
          • DaemonSet ensures that all(or some) Nodes run a copy of a Pod.
          • Use cases: cluster storage daemon, logs collection daemon, node monitoring daemon.
        • Job & CronJob
          • Job runs pods until a specified number of them have completed successfully.
          • CronJob runs a job periodically on a given schedule.
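To make the Workload items above concrete, here is an added example (not part of the original post) that declares the desired state for a stateless Deployment and for a StatefulSet together with the headless Service it requires. The namespace, names, labels, and images (demo, web, kv, kv-headless, nginx, redis) are hypothetical choices for illustration.

```yaml
# Added example, not from the original post. Namespace "demo" and all
# names, labels, and images are hypothetical.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: demo
spec:
  replicas: 3                  # desired state: the ReplicaSet it owns keeps 3 Pods running
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web
          image: nginx:1.25
          ports:
            - containerPort: 80
---
# Headless Service: clusterIP: None means no virtual IP is allocated.
# DNS instead returns one record per Pod, so each StatefulSet Pod gets a
# stable name of the form kv-<ordinal>.kv-headless.demo.svc.cluster.local.
apiVersion: v1
kind: Service
metadata:
  name: kv-headless
  namespace: demo
spec:
  clusterIP: None
  selector:
    app: kv
  ports:
    - port: 6379
      name: kv
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: kv
  namespace: demo
spec:
  serviceName: kv-headless     # must name the headless Service above
  replicas: 3                  # Pods are created in order: kv-0, kv-1, kv-2
  selector:
    matchLabels:
      app: kv
  template:
    metadata:
      labels:
        app: kv
    spec:
      containers:
        - name: kv
          image: redis:7
          ports:
            - containerPort: 6379
              name: kv
          volumeMounts:
            - name: data
              mountPath: /data
  volumeClaimTemplates:        # one PersistentVolumeClaim per Pod (data-kv-0, data-kv-1, ...)
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi
```

Apply with `kubectl apply -f` and watch the control plane converge: the Deployment creates a ReplicaSet that keeps three web Pods running, while the StatefulSet creates kv-0, kv-1 and kv-2 in order, each with its own PersistentVolumeClaim and a stable DNS name through the headless Service. `kubectl rollout undo deployment/web -n demo` rolls the Deployment back to the previous ReplicaSet, which is what a Deployment adds over managing a ReplicaSet directly.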
    • Storage
      • Volume
        • purpose
          • Persist data for the lifetime of a Pod
            • Data is not lost when a container in the Pod restarts
          • Share data between containers running together in a Pod
            • A volume can be mounted into multiple containers of the same Pod
        • type
          • configMap
          • emptyDir
          • hostPath
          • local
          • persistentVolumeClaim
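An added example (not from the original post) of the two purposes listed above: an emptyDir shared between an application container and a log-shipping sidecar, and a persistentVolumeClaim for data that must outlive the Pod. The names and images (demo, app-with-sidecar, app-data, busybox) are hypothetical.

```yaml
# Added example, not from the original post. Names and images are hypothetical.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data
  namespace: demo
spec:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: app-with-sidecar
  namespace: demo
spec:
  containers:
    - name: app
      image: busybox:1.36
      # Writes a line every 5 seconds into the shared emptyDir.
      command: ["sh", "-c", "while true; do date >> /var/log/app/app.log; sleep 5; done"]
      volumeMounts:
        - name: logs
          mountPath: /var/log/app
        - name: data
          mountPath: /data
    - name: log-shipper
      image: busybox:1.36
      # Waits for the file to appear, then follows it. Sees the same bytes
      # the app wrote because both containers mount the same volume.
      command: ["sh", "-c", "while [ ! -f /logs/app.log ]; do sleep 1; done; tail -f /logs/app.log"]
      volumeMounts:
        - name: logs
          mountPath: /logs
          readOnly: true       # the sidecar only needs to read
  volumes:
    - name: logs
      emptyDir: {}             # lives as long as the Pod; survives container restarts
    - name: data
      persistentVolumeClaim:
        claimName: app-data    # survives the Pod itself
  # hostPath is deliberately absent: mounting a node path gives the container
  # access to the node's filesystem, which is why the Restricted Pod Security
  # Standard forbids it. Prefer emptyDir, PVCs, or configMap volumes.
```

If the app container crashes and is restarted by the kubelet, the lines already in app.log are still there, because the emptyDir belongs to the Pod, not the container. Delete the Pod and the emptyDir is gone, but the PersistentVolumeClaim and its data remain for the next Pod that references app-data.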
    • Policies
      • ResourceQuota
        • purpose
          • Limit the aggregated resource consumption of a Namespace
        • Scope
          • Namespaced: a ResourceQuota is enforced within one Namespace; different Namespaces can have different resource limits
        • Type
          • Compute Resource Quota
            • CPU (limits.cpu requests.cpu)
            • Memory (limits.memory requests.memory)
          • Storage Resource Quota
            • Persistent Storage (storage)
            • Ephemeral Storage (ephemeral-storage)
          • Object Count Quota
            • Limit of total number of Namespaced resources (count/services)
        • Request and Limit
          • Request: the amount of a resource the container is guaranteed to get (used by the scheduler to place the Pod)
          • Limit: the maximum amount of a resource the container may use
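An added example (not part of the original post) of a ResourceQuota covering all three quota types listed above, a LimitRange that supplies default requests and limits, and a Pod whose requests and limits fit inside the quota. The namespace and names (team-a, team-a-quota, team-a-defaults) are hypothetical.

```yaml
# Added example, not from the original post. Namespace and names are hypothetical.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    # Compute resource quota: sums of requests/limits over all Pods in the namespace
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    # Storage resource quota
    requests.storage: 50Gi              # total capacity requested by all PVCs
    persistentvolumeclaims: "10"
    requests.ephemeral-storage: 20Gi
    # Object count quota
    count/services: "5"
    services.loadbalancers: "0"         # nobody in this namespace can expose a cloud LB
    pods: "20"
---
# Once the quota restricts requests.cpu/requests.memory, the apiserver rejects
# any Pod in the namespace that omits those requests. A LimitRange fills them
# in so such Pods are admitted with sane defaults instead of being refused.
apiVersion: v1
kind: LimitRange
metadata:
  name: team-a-defaults
  namespace: team-a
spec:
  limits:
    - type: Container
      default:                # applied as limits when the container sets none
        cpu: 500m
        memory: 256Mi
      defaultRequest:         # applied as requests when the container sets none
        cpu: 100m
        memory: 128Mi
---
apiVersion: v1
kind: Pod
metadata:
  name: quota-ok
  namespace: team-a
spec:
  containers:
    - name: app
      image: nginx:1.25
      resources:
        requests:             # guaranteed; counted against requests.cpu/memory
          cpu: 250m
          memory: 128Mi
        limits:               # ceiling; counted against limits.cpu/memory
          cpu: 500m
          memory: 256Mi
```

`kubectl describe resourcequota team-a-quota -n team-a` shows "Used" next to "Hard" for every entry, which is the quickest way to see what a namespace has left. A container that exceeds its memory limit is OOM-killed; one that exceeds its CPU limit is throttled, not killed.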
    • Network
    • Security
      • Background Knowledge
      • User Type
        • Service Account
          • Managed by Kubernetes
          • Represent workloads in the cluster
          • Bound to a specific namespace
        • Normal User
          • Managed outside of Kubernetes
          • Authenticated with, for example, a valid client certificate signed by the cluster's CA (bearer tokens and OIDC are other options)
      • Authentication
      • Authorization
        • RBAC
          • Namespace Scope
            • Role
            • RoleBinding (associates users retrieved from the authentication process with Roles)
          • Cluster Scope
            • ClusterRole
            • ClusterRoleBinding (associates users retrieved from the authentication process with ClusterRoles)
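An added example (not from the original post) that ties the two user types to RBAC: a namespaced Role bound to a ServiceAccount, and a ClusterRole bound to a normal user identified by the CN of a client certificate. Names (demo, log-reader, pod-log-reader, node-viewer, alice) are hypothetical.

```yaml
# Added example, not from the original post. All names are hypothetical.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: log-reader
  namespace: demo
---
# Namespace scope: a Role can only name resources inside its own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-log-reader
  namespace: demo
rules:
  - apiGroups: [""]                    # "" is the core API group
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]    # read-only; no create/delete/exec
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: log-reader-binding
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: log-reader
    namespace: demo                    # authenticates as system:serviceaccount:demo:log-reader
roleRef:
  kind: Role
  name: pod-log-reader
  apiGroup: rbac.authorization.k8s.io
---
# Cluster scope: Nodes are not namespaced, so only a ClusterRole can grant them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-viewer
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: alice-node-viewer
subjects:
  - kind: User
    name: alice                        # the CN of alice's client certificate, as the authenticator reports it
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: node-viewer
  apiGroup: rbac.authorization.k8s.io
```

Check the result before trusting it: `kubectl auth can-i list pods --as=system:serviceaccount:demo:log-reader -n demo` should answer yes and `kubectl auth can-i delete pods --as=system:serviceaccount:demo:log-reader -n demo` should answer no. A ClusterRole can also be referenced from a RoleBinding, which grants its rules only inside that RoleBinding's namespace; this is the usual way to reuse a cluster-wide definition without handing out cluster-wide access. A Pod that never talks to the API should run with automountServiceAccountToken: false, so that a compromised container holds no credential at all.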