• kubernetes核心组件


    1.kubelet

    kubelet运行于集群的所有节点上,包括master的节点。
    kubelet用于处理master节点下发到本节点的任务,管理本节点上的pod以及pod中的容器。
    每个kubelet会在APIServer上注册本节点的信息,并定期上报本节点的资源使用情况。
    kubelet先于集群而存在于每个节点上的。
    kubelet作为集群节点的后台守护进程,在节点启动时,由节点上的操作系统init进程(systemd)拉起。
    分别是下面两个文件:

    root@VM-16-6-ubuntu:~# ls /lib/systemd/system/kubelet.service 
    /lib/systemd/system/kubelet.service
    root@VM-16-6-ubuntu:~# ls /etc/systemd/system/kubelet.service.d/10-kubeadm.conf 
    /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

    kubelet主要参数配置:

    root@VM-16-6-ubuntu:~# cat /etc/systemd/system/kubelet.service.d/10-kubeadm.conf 
    [Service]
    Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
    Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=true"
    Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
    Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain=cluster.local"
    Environment="KUBELET_AUTHZ_ARGS=--authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt"
    Environment="KUBELET_CADVISOR_ARGS=--cadvisor-port=0"
    Environment="KUBELET_CERTIFICATE_ARGS=--rotate-certificates=true --cert-dir=/var/lib/kubelet/pki"
    ExecStart=
    ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_AUTHZ_ARGS $KUBELET_CADVISOR_ARGS $KUBELET_CERTIFICATE_ARGS $KUBELET_EXTRA_ARGS

    bootstrap-kubeconfig用于在kubeconfig文件不存在的情况下,像APIServer获取client端的证书文件。
    获取的证书文件将存储在cert-dir指定的目录下。同时数据也将写入一份到kubeconfig指定的目录里面。

    pod-manifest-path是静态pod的manifest的存放路径。kubelet将启动这些pod,并维持这些pod处于运行状态。

    KUBELET_NETWORK_ARGS是与节点上cni网络插件相关的配置。kubelet通过这个配置,来调用cni相关程序,配置容器中的相关网络。

    KUBELET_DNS_ARGS是集群DNS相关的配置。

    cadvisor-port默认值是4194,当配置为0的时候,表示不在节点上开始cadvisor服务。
    cadvisor是一个分析容器资源使用率和性能特性的代理工具,默认情况下会在每个节点上安装Agent。
    通过暴露cadvisor-port来提供服务。

    多数情况下,不需要修改启动文件的参数。修改之后执行:
      systemctl daemon-reload & systemctl restart kubelet

    2.kube-apiserver

    kube-apiserver是整个集群调用的入口,通过APIServer暴露的API实现对整个集群的对象和状态管理。
    kubeadm引导建立的kubernetes集群的APIServer是以静态pod的形式运行的,由kubelet启动。
    APIServer是一个庞大的单体程序。可以查看APIServer的配置yaml:

    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
      creationTimestamp: null
      labels:
        component: kube-apiserver
    spec:
      containers:
      - command:
        - kube-apiserver
        - --insecure-port=0  #APIServer非安全服务端口,默认不开启
        - --requestheader-username-headers=X-Remote-User
        - --client-ca-file=/etc/kubernetes/pki/ca.crt
        - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key #APIServer以client端身份访问kubelet所使用的私钥文件
        - --secure-port=6443
        - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
        - --requestheader-extra-headers-prefix=X-Remote-Extra-
        - --service-cluster-ip-range=10.96.0.0/12  #设置无类别预见地址的分配范围.不能与pod地址有交集
        - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt  #APIServer以client端身份访问kubelet使用的数字公钥证书.
        - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
        - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
        - --allow-privileged=true  #是否允许启动特权容器
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
        - --requestheader-allowed-names=front-proxy-client
        - --service-account-key-file=/etc/kubernetes/pki/sa.pub
        - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
        - --enable-bootstrap-token-auth=true  #允许secret对象进行集群初始化
        - --requestheader-group-headers=X-Remote-Group
        - --advertise-address=148.70.251.10
        - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt  #APIserver公钥证书文件
        - --authorization-mode=Node,RBAC  #设置用户授权模式列表
        - --etcd-servers=https://127.0.0.1:2379  #服务地址
        - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt  #ca证书
        - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
        - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
        image: k8s.gcr.io/kube-apiserver-amd64:v1.10.2
        livenessProbe:
          failureThreshold: 8
          httpGet:
            host: 148.70.251.10
            path: /healthz
            port: 6443
            scheme: HTTPS
          initialDelaySeconds: 15
          timeoutSeconds: 15
        name: kube-apiserver
        resources:
          requests:
            cpu: 250m
        volumeMounts:
        - mountPath: /etc/kubernetes/pki
          name: k8s-certs
          readOnly: true
        - mountPath: /etc/ssl/certs
          name: ca-certs
          readOnly: true
      hostNetwork: true
      volumes:
      - hostPath:
          path: /etc/kubernetes/pki
          type: DirectoryOrCreate
        name: k8s-certs
      - hostPath:
          path: /etc/ssl/certs
          type: DirectoryOrCreate
        name: ca-certs
    status: {}

    kubelet监听/etc/kubernetes/manifests目录变化,自动重启配置发生变化的apiserver pod.

    3.etcd

    etcd用于存储整个集群的对象和状态.
    kubeadm引导启动的集群默认只启动一个etcd节点和APIServer,etcd也是由kubelet启动的static pod.
    如果要修改etcd的启动参数,直接修改etcd.yaml.保存之后kubelet会重启etcd的静态pod.
    apiserver与etcd之间采用基于TLS的安全通信.
    etcd挂载master节点本地路径/var/lib/etcd用于运行时的数据存储.

    root@VM-16-6-ubuntu:~# tree /var/lib/etcd
    /var/lib/etcd
    └── member
        ├── snap
        │   ├── 0000000000000002-0000000000033465.snap
        │   ├── 0000000000000002-0000000000035b76.snap
        │   ├── 0000000000000002-0000000000038287.snap
        │   ├── 0000000000000002-000000000003a998.snap
        │   ├── 0000000000000002-000000000003d0a9.snap
        │   └── db
        └── wal
            ├── 0000000000000000-0000000000000000.wal
            ├── 0000000000000001-000000000000deb3.wal
            ├── 0000000000000002-000000000001b87f.wal
            ├── 0000000000000003-0000000000029249.wal
            ├── 0000000000000004-0000000000036c13.wal
            └── 0.tmp

    如果需要做数据迁移和备份,只需要对这个目录进行操作就可以了.

    4.controller-manager

    负责集群内Node,Pod副本,服务的endpoint,命名空间,Service Account,资源配额管理等.

    controller通过APIServer监控资源的状态,一旦状态发生变化,controller就会改变这个状态,使其恢复正常.
    和APIServer一样,controller-manager由kubelet启动的static pod.
    如果要修改controller-manager的启动参数,直接修改kube-controller-manager.yaml文件.

    下面是controller-manager的启动参数配置:

    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
      creationTimestamp: null
      labels:
        component: kube-controller-manager
        tier: control-plane
      name: kube-controller-manager
      namespace: kube-system
    spec:
      containers:
      - command:
        - kube-controller-manager
        - --leader-elect=true  #执行主业务逻辑前是否进行leader选举.
        - --controllers=*,bootstrapsigner,tokencleaner
        - --kubeconfig=/etc/kubernetes/controller-manager.conf
        - --service-account-private-key-file=/etc/kubernetes/pki/sa.key
        - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt  #证书文件
        - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key  #签发集群范围内的其它证书
        - --address=127.0.0.1
        - --root-ca-file=/etc/kubernetes/pki/ca.crt  #ca.crt会包含在service acount的对象参数中.
        - --use-service-account-credentials=true
        image: k8s.gcr.io/kube-controller-manager-amd64:v1.10.2
        livenessProbe:
          failureThreshold: 8
          httpGet:
            host: 127.0.0.1
            path: /healthz
            port: 10252
            scheme: HTTP
          initialDelaySeconds: 15
          timeoutSeconds: 15
        name: kube-controller-manager
        resources:
          requests:
            cpu: 200m
        volumeMounts:
        - mountPath: /etc/kubernetes/pki
          name: k8s-certs
          readOnly: true
        - mountPath: /etc/ssl/certs
          name: ca-certs
          readOnly: true
        - mountPath: /etc/kubernetes/controller-manager.conf
          name: kubeconfig
          readOnly: true
      hostNetwork: true
      volumes:
      - hostPath:
          path: /etc/kubernetes/pki
          type: DirectoryOrCreate
        name: k8s-certs
      - hostPath:
          path: /etc/ssl/certs
          type: DirectoryOrCreate
        name: ca-certs
      - hostPath:
          path: /etc/kubernetes/controller-manager.conf
          type: FileOrCreate
        name: kubeconfig
    status: {}

    5.kube-scheduler

    按照特定的调度算法和策略,将待调度pod绑定集群中某个适合的Node,并写入绑定信息.
    由kubelet启动的static pod.
    scheduler的配置参数:

    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ""
      creationTimestamp: null
      labels:
        component: kube-scheduler
        tier: control-plane
      name: kube-scheduler
      namespace: kube-system
    spec:
      containers:
      - command:
        - kube-scheduler
        - --address=127.0.0.1  #服务地址,不对外提供服务
        - --leader-elect=true  #在主业务逻辑循环前,是否进行选主
        - --kubeconfig=/etc/kubernetes/scheduler.conf  #启动文件
        image: k8s.gcr.io/kube-scheduler-amd64:v1.10.2
        livenessProbe:
          failureThreshold: 8
          httpGet:
            host: 127.0.0.1
            path: /healthz
            port: 10251
            scheme: HTTP
          initialDelaySeconds: 15
          timeoutSeconds: 15
        name: kube-scheduler
        resources:
          requests:
            cpu: 100m
        volumeMounts:
        - mountPath: /etc/kubernetes/scheduler.conf
          name: kubeconfig
          readOnly: true
      hostNetwork: true
      volumes:
      - hostPath:
          path: /etc/kubernetes/scheduler.conf
          type: FileOrCreate
        name: kubeconfig
    status: {}

    6.kube-proxy

    service在创建的时候会分配一个虚拟的服务IP,对service访问会按照一定策略分发到后面的pod.
    service并没有实体,让service起作用的是运行在kubernetes集群节点上的kube-proxy组件.

    由于proxy的存在,在client调用的service时,调用者无需关心后端pod的数量,负载均衡和故障恢复.
    kube-proxy由daemonset控制器在各个节点上启动唯一实例.
    kube-proxy不是静态pod,它的配置放在kube-proxy配置里面.
    我们可以查看kube-proxy的配置:

    root@VM-16-6-ubuntu:~# kubectl exec kube-proxy-gnrc7 -n kube-system -- cat /var/lib/kube-proxy/config.conf
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    bindAddress: 0.0.0.0
    clientConnection:
      acceptContentTypes: ""
      burst: 10
      contentType: application/vnd.kubernetes.protobuf
      kubeconfig: /var/lib/kube-proxy/kubeconfig.conf
      qps: 5
    clusterCIDR: ""
    configSyncPeriod: 15m0s
    conntrack:
      max: null
      maxPerCore: 32768
      min: 131072
      tcpCloseWaitTimeout: 1h0m0s
      tcpEstablishedTimeout: 24h0m0s
    enableProfiling: false
    healthzBindAddress: 0.0.0.0:10256
    hostnameOverride: ""
    iptables:
      masqueradeAll: false
      masqueradeBit: 14
      minSyncPeriod: 0s
      syncPeriod: 30s
    ipvs:
      minSyncPeriod: 0s
      scheduler: ""
      syncPeriod: 30s
    kind: KubeProxyConfiguration
    metricsBindAddress: 127.0.0.1:10249
    mode: ""
    nodePortAddresses: null
    oomScoreAdj: -999
    portRange: ""
    resourceContainer: /kube-proxy

    最重要的配置就是mode,kube-proxy支持三种mode.分别是:user-spece,iptables,ipvs.
    如果配置文件的pod为空,那么将选择当前最好的mode(iptables),如果内核不支持将改为user-spece模式.

  • 相关阅读:
    在阿里云申请Symantec免费SSL证书操作流程
    http改造成https的实践案例
    Extjs Window用法详解 3 打印具体应用,是否关掉打印预览的界面
    【Unity_UWP】Unity 工程发布win10 UWP 时的本地文件读取 (下篇)
    【Unity_UWP】Unity 工程发布win10 UWP 时的本地文件读取 (上篇)
    打开文件或者uri的方式--------进程启动文件和启动者启动文件
    C# 各版本新特性
    iOS: 音效和音乐的播放,封装的工具类
    iOS: xcode打包上传iTunes失败,iTunes Store operation failed,this action can not complete .try again
    iOS: 详细的正则表达式
  • 原文地址:https://www.cnblogs.com/yangmingxianshen/p/12627446.html
Copyright © 2020-2023  润新知