k8s Basic Objects Explained
Kubernetes Basic Object Concepts Explained
1. Pod
1.1 Core Concepts
A Pod is the smallest deployable unit in Kubernetes; it represents a process running in the cluster.
Key characteristics:
- A Pod contains one or more tightly coupled containers
- They share a network namespace (the same IP address)
- They share storage volumes
- They share a lifecycle (created and scheduled together)
1.2 Pod Definition in Detail
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-app-pod
  namespace: default
  labels:
    app: my-app
    environment: production
  annotations:
    kubernetes.io/change-cause: "Deploy version 1.2.3"
spec:
  # Restart policy
  restartPolicy: Always
  # Container definitions
  containers:
  - name: web-server
    image: nginx:1.21
    imagePullPolicy: IfNotPresent
    # Port configuration
    ports:
    - name: http
      containerPort: 80
      protocol: TCP
    # Environment variables
    env:
    - name: ENVIRONMENT
      value: "production"
    - name: DATABASE_URL
      valueFrom:
        secretKeyRef:
          name: db-secret
          key: url
    # Resource limits
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
    # Health checks
    livenessProbe:
      httpGet:
        path: /health
        port: 80
      initialDelaySeconds: 30
      periodSeconds: 10
    readinessProbe:
      httpGet:
        path: /ready
        port: 80
      initialDelaySeconds: 5
      periodSeconds: 5
  # Init containers
  initContainers:
  - name: init-db
    image: busybox:1.28
    command: ['sh', '-c', 'until nslookup db-service; do echo waiting for db; sleep 2; done']
  # Volumes
  volumes:
  - name: shared-data
    emptyDir: {}
```
1.3 Multi-Container Pod Patterns
Sidecar pattern
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: web-with-logger
spec:
  containers:
  - name: web-app
    image: my-web-app:1.0
    ports:
    - containerPort: 8080
    volumeMounts:
    - name: log-volume
      mountPath: /var/log/app
  - name: log-collector
    image: fluentd:latest
    volumeMounts:
    - name: log-volume
      mountPath: /var/log/app
    - name: config-volume
      mountPath: /etc/fluentd
  volumes:
  - name: log-volume
    emptyDir: {}
  - name: config-volume
    configMap:
      name: fluentd-config
```
Ambassador pattern
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-proxy
spec:
  containers:
  - name: main-app
    image: my-app:1.0
    env:
    - name: DATABASE_URL
      value: "localhost:5432"  # reached through the ambassador proxy
  - name: db-ambassador
    image: envoyproxy/envoy:latest
    # handles database connections and load balancing
```
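The Pod specs in 1.2 and 1.3 differ in ways that matter operationally: the first pins its image tags, sets requests and limits and declares probes, while the sidecar Pod uses `fluentd:latest` and sets no resources at all. As an added example (not code from the original article), the following Python audit checks a Pod manifest for exactly those points; it assumes the manifest has already been loaded as a dict, for instance from `kubectl get pod -o json`, and the sample Pod is constructed to mirror the sidecar Pod above.

```python
def image_is_pinned(image: str) -> bool:
    """True when the image reference carries a digest or a tag other than 'latest'."""
    if "@" in image:                      # repo@sha256:... is immutable
        return True
    last = image.rsplit("/", 1)[-1]       # drop registry/path, which may contain ':port'
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag not in ("", "latest")

def audit_pod(pod: dict) -> list[str]:
    """Return one finding per weak spot; an empty list means every check passed."""
    findings = []
    spec = pod.get("spec", {})
    inits, mains = spec.get("initContainers", []), spec.get("containers", [])
    for c in inits + mains:
        name = c.get("name", "?")
        if not image_is_pinned(c.get("image", "")):
            findings.append(f"{name}: image {c.get('image')!r} is not pinned to a version")
        for kind in ("requests", "limits"):
            if not c.get("resources", {}).get(kind):   # unbounded containers can starve neighbours
                findings.append(f"{name}: no resource {kind}")
    for c in mains:   # init containers run to completion, so probes apply only to app containers
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"{c.get('name', '?')}: missing {probe}")
    for v in spec.get("volumes", []):
        if "hostPath" in v:   # a hostPath volume gives the Pod a window onto the node's filesystem
            findings.append(f"volume {v.get('name')}: hostPath mount exposes the node filesystem")
    return findings

# Constructed sample that mirrors the sidecar Pod above.
SIDECAR_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-with-logger"},
    "spec": {
        "containers": [
            {"name": "web-app", "image": "my-web-app:1.0",
             "ports": [{"containerPort": 8080}],
             "volumeMounts": [{"name": "log-volume", "mountPath": "/var/log/app"}]},
            {"name": "log-collector", "image": "fluentd:latest",
             "volumeMounts": [{"name": "log-volume", "mountPath": "/var/log/app"},
                              {"name": "config-volume", "mountPath": "/etc/fluentd"}]},
        ],
        "volumes": [{"name": "log-volume", "emptyDir": {}},
                    {"name": "config-volume", "configMap": {"name": "fluentd-config"}}],
    },
}

if __name__ == "__main__":
    for finding in audit_pod(SIDECAR_POD):
        print(finding)
```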
2. Service
2.1 Service Types and Uses
ClusterIP (default)
```yaml
apiVersion: v1
kind: Service
metadata:
  name: backend-service
spec:
  type: ClusterIP
  selector:
    app: backend
  ports:
  - name: http
    port: 80
    targetPort: 8080
  - name: metrics
    port: 9090
    targetPort: 9090
```
NodePort
```yaml
apiVersion: v1
kind: Service
metadata:
  name: frontend-service
spec:
  type: NodePort
  selector:
    app: frontend
  ports:
  - port: 80
    targetPort: 3000
    nodePort: 30080  # range: 30000-32767
```
LoadBalancer
```yaml
apiVersion: v1
kind: Service
metadata:
  name: external-service
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec:
  type: LoadBalancer
  selector:
    app: external
  ports:
  - port: 443
    targetPort: 8443
  externalTrafficPolicy: Local
```
ExternalName
```yaml
apiVersion: v1
kind: Service
metadata:
  name: external-database
spec:
  type: ExternalName
  externalName: database.example.com
```
2.2 Headless Service
Used when Pods must be addressed directly (for example by a StatefulSet):
```yaml
apiVersion: v1
kind: Service
metadata:
  name: stateful-service
spec:
  clusterIP: None  # Headless Service
  selector:
    app: database
  ports:
  - port: 27017
    targetPort: 27017
```
3. Volume
3.1 Volume Types in Detail
emptyDir
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: nginx
    name: test-container
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  volumes:
  - name: cache-volume
    emptyDir:
      sizeLimit: 500Mi  # optional: cap the size
```
hostPath
```yaml
volumes:
- name: host-path-volume
  hostPath:
    path: /data
    type: Directory  # type: Directory, File, Socket, etc.
```
configMap
```yaml
volumes:
- name: config-volume
  configMap:
    name: app-config
    items:
    - key: "game.properties"
      path: "game.properties"
    - key: "ui.properties"
      path: "ui.properties"
```
secret
```yaml
volumes:
- name: secret-volume
  secret:
    secretName: app-secret
    items:
    - key: username
      path: my-group/my-username
```
3.2 PersistentVolume (PV) & PersistentVolumeClaim (PVC)
PersistentVolume
```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-volume
  labels:
    type: local
spec:
  capacity:
    storage: 10Gi
  accessModes:
  - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: slow
  hostPath:
    path: "/mnt/data"
```
PersistentVolumeClaim
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pv-claim
spec:
  storageClassName: slow
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi
```
Using a PVC in a Pod
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pv-pod
spec:
  containers:
  - name: pv-container
    image: nginx
    volumeMounts:
    - mountPath: "/usr/share/nginx/html"
      name: pv-storage
  volumes:
  - name: pv-storage
    persistentVolumeClaim:
      claimName: pv-claim
```
4. Namespace
4.1 Namespace Management
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    name: production
    environment: prod
```
4.2 Resource Quotas
```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources
  namespace: production
spec:
  hard:
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi
    pods: "10"
    services: "5"
```
4.3 Namespace Defaults
```yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: mem-limit-range
  namespace: production
spec:
  limits:
  - default:
      memory: 512Mi
    defaultRequest:
      memory: 256Mi
    type: Container
```
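The ResourceQuota and LimitRange above act together at admission time: the LimitRange fills in requests and limits a container omits, and the quota then decides whether the Pod fits. As an added example (not code from the original article), the following Python model carries the two manifests through that sequence; the quantity parser, the assumption that the namespace is otherwise empty, and the sample container (which sets only CPU, so the memory defaults kick in) are mine, and the quota check raises when a Pod leaves a quota-tracked resource unset, which is what the quota admission plugin does.

```python
from fractions import Fraction

# Quantity suffixes: decimal (k, M, G), binary (Ki, Mi, Gi, Ti) and millicores (m).
SUFFIXES = {"": 1, "m": Fraction(1, 1000), "k": 10**3, "M": 10**6, "G": 10**9,
            "Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "Ti": 1024**4}

def parse_quantity(q) -> Fraction:
    """Parse '500m', '1', '256Mi' or '1Gi' into an exact count of base units."""
    q = str(q)
    number = q.rstrip("kMGTim")
    return Fraction(number) * SUFFIXES[q[len(number):]]

def apply_limit_range(container: dict, limit_range: dict) -> dict:
    """Fill in omitted requests/limits the way the LimitRanger admission plugin does."""
    res = {k: dict(container.get("resources", {}).get(k, {})) for k in ("requests", "limits")}
    for item in limit_range["spec"]["limits"]:
        if item.get("type") == "Container":
            for name, q in item.get("default", {}).items():
                res["limits"].setdefault(name, q)
            for name, q in item.get("defaultRequest", {}).items():
                res["requests"].setdefault(name, q)
    for name, q in res["limits"].items():
        res["requests"].setdefault(name, q)  # Kubernetes sets request = limit when only a limit is given
    return {**container, "resources": res}

def pods_admitted(containers: list, quota: dict) -> int:
    """How many identical Pods the quota admits; assumes the namespace is otherwise empty."""
    usage = {"pods": Fraction(1)}
    for c in containers:
        for kind in ("requests", "limits"):
            for name, q in c["resources"][kind].items():
                usage[f"{kind}.{name}"] = usage.get(f"{kind}.{name}", 0) + parse_quantity(q)
    fits = []
    for key, hard in quota["spec"]["hard"].items():
        if key != "pods" and not key.startswith(("requests.", "limits.")):
            continue  # services, configmaps, ... are not consumed by a Pod
        if key not in usage:  # the quota plugin rejects a Pod that leaves a tracked resource unset
            raise ValueError(f"Pod sets no {key}, which the quota constrains")
        fits.append(parse_quantity(hard) // usage[key])
    return int(min(fits, default=0))

# Constructed copies of the LimitRange and ResourceQuota manifests above.
LIMIT_RANGE = {"spec": {"limits": [{"type": "Container", "default": {"memory": "512Mi"},
                                    "defaultRequest": {"memory": "256Mi"}}]}}
QUOTA = {"spec": {"hard": {"requests.cpu": "1", "requests.memory": "1Gi", "limits.cpu": "2",
                           "limits.memory": "2Gi", "pods": "10", "services": "5"}}}
# Constructed container that sets only CPU, so the LimitRange supplies the memory values.
WEB = apply_limit_range({"name": "web", "image": "nginx:1.21", "resources":
                         {"requests": {"cpu": "250m"}, "limits": {"cpu": "500m"}}}, LIMIT_RANGE)
```

With these two manifests every tracked resource allows exactly four copies of the sample Pod, well below the `pods: "10"` ceiling, and a container that sets no CPU at all is rejected outright even though the LimitRange gave it memory values.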
5. Deployment
5.1 Basic Deployment
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.21
        ports:
        - containerPort: 80
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"
```
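The Deployment controller converts the percentage values in `rollingUpdate` into whole Pods: `maxSurge` rounds up, `maxUnavailable` rounds down, and if both come out as zero `maxUnavailable` is forced to 1 so the rollout can progress. As an added example (not code from the original article), the following Python computes those bounds for the 3-replica Deployment above and traces an idealized rollout; the trace assumes each new Pod becomes Ready before the next step, which the real controller verifies rather than assumes.

```python
import math

def resolve_int_or_percent(value, replicas: int, round_up: bool) -> int:
    """Resolve an IntOrString such as '25%' or 1 against the replica count."""
    if isinstance(value, str) and value.endswith("%"):
        exact = int(value[:-1]) * replicas / 100
        return math.ceil(exact) if round_up else math.floor(exact)
    return int(value)

def rollout_bounds(replicas: int, max_surge="25%", max_unavailable="25%") -> dict:
    """Absolute values the controller works with: surge rounds up, unavailable rounds down."""
    surge = resolve_int_or_percent(max_surge, replicas, round_up=True)
    unavailable = resolve_int_or_percent(max_unavailable, replicas, round_up=False)
    if surge == 0 and unavailable == 0:
        unavailable = 1  # otherwise no old Pod could ever be removed
    return {"maxSurge": surge, "maxUnavailable": unavailable,
            "minAvailable": replicas - unavailable, "maxPods": replicas + surge}

def simulate_rollout(replicas: int, max_surge="25%", max_unavailable="25%") -> list:
    """Idealized (old, new) Ready-pod counts after each step. Assumes every new Pod is
    Ready before the next step; the real controller waits for readiness instead."""
    b = rollout_bounds(replicas, max_surge, max_unavailable)
    old, new, steps = replicas, 0, []
    while new < replicas or old > 0:
        new = min(replicas, new + b["maxPods"] - (old + new))  # use the surge headroom
        old = min(old, max(0, b["minAvailable"] - new))        # retire old Pods, keep minAvailable
        steps.append((old, new))
    return steps

if __name__ == "__main__":
    print(rollout_bounds(3))          # the 3-replica nginx Deployment above
    for step in simulate_rollout(3):
        print(step)
```

For three replicas at 25%/25% the rollout may briefly run four Pods but never fewer than three Ready ones, so a replica count this small turns the strategy into a pure surge rollout.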
5.2 Deployment Strategies
Blue-green deployment
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-blue
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
      version: blue
  template:
    metadata:
      labels:
        app: nginx
        version: blue
    # ... container definition
```
Canary release
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-canary
spec:
  replicas: 1  # a small number of replicas for testing
  selector:
    matchLabels:
      app: nginx
      version: canary
  template:
    metadata:
      labels:
        app: nginx
        version: canary
    # ... container definition
```
6. StatefulSet
6.1 Deploying Stateful Applications
```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mysql
spec:
  serviceName: "mysql"
  replicas: 3
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - name: mysql
        image: mysql:8.0
        env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-secret
              key: password
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: mysql-data
          mountPath: /var/lib/mysql
  volumeClaimTemplates:
  - metadata:
      name: mysql-data
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "fast-ssd"
      resources:
        requests:
          storage: 20Gi
```
6.2 StatefulSet Characteristics
- Stable, unique network identifiers
- Stable, persistent storage
- Ordered, graceful deployment and scaling
- Ordered, automated rolling updates
7. DaemonSet
7.1 Daemon Deployment
```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd-logging
  labels:
    app: fluentd
spec:
  selector:
    matchLabels:
      name: fluentd
  template:
    metadata:
      labels:
        name: fluentd
    spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      containers:
      - name: fluentd
        image: fluent/fluentd:v1.7-debian-1
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 200Mi
        volumeMounts:
        - name: varlog
          mountPath: /var/log
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
      terminationGracePeriodSeconds: 30
      volumes:
      - name: varlog
        hostPath:
          path: /var/log
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
```
8. Job & CronJob
8.1 Job
```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: pi-calculation
spec:
  completions: 5   # total number of completions required
  parallelism: 2   # number of Pods run in parallel
  backoffLimit: 4  # number of retries
  template:
    spec:
      containers:
      - name: pi
        image: perl:5.34
        command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"]
      restartPolicy: Never
```
8.2 CronJob
```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: database-backup
spec:
  schedule: "0 2 * * *"  # every day at 02:00
  startingDeadlineSeconds: 200
  concurrencyPolicy: Forbid  # no concurrent runs
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: backup
            image: postgres:13
            command:
            - /bin/sh
            - -c
            - pg_dump -h $DB_HOST -U $DB_USER $DB_NAME > /backup/backup.sql
            env:
            - name: DB_HOST
              value: "postgresql-service"
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: db-secret
                  key: username
            - name: DB_NAME
              value: "myapp"
            volumeMounts:
            - name: backup-volume
              mountPath: /backup
          restartPolicy: OnFailure
          volumes:
          - name: backup-volume
            persistentVolumeClaim:
              claimName: backup-pvc
```
9. ConfigMap & Secret
9.1 ConfigMap
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  # simple properties
  game.properties: |
    enemies=aliens
    lives=3
    enemies.cheat=true
    enemies.cheat.level=noGoodRotten
  # UI configuration
  ui.properties: |
    color.good=purple
    color.bad=yellow
    allow.textmode=true
```
9.2 Secret
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: app-secret
type: Opaque
data:
  # note: these values are base64-encoded
  username: YWRtaW4=      # admin
  password: cGFzc3dvcmQ=  # password
stringData:
  # no base64 encoding needed
  api-url: "https://api.example.com"
```
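The `data` field is base64-encoded for transport, not encrypted: anyone permitted to read the object recovers the plaintext, and `stringData` is folded into `data` on write, winning over a duplicate key. As an added example (not code from the original article), the following Python resolves the plaintext view of the Secret above; the sample manifest is a constructed copy of it.

```python
import base64

def secret_values(secret: dict) -> dict:
    """Plaintext a reader of the Secret obtains: decode `data`, then overlay `stringData`,
    which the API server merges into `data` and which wins on duplicate keys."""
    values = {k: base64.b64decode(v, validate=True) for k, v in secret.get("data", {}).items()}
    for k, v in secret.get("stringData", {}).items():
        values[k] = v.encode()
    return values

# Constructed copy of the Secret manifest above.
APP_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "metadata": {"name": "app-secret"}, "type": "Opaque",
    "data": {"username": "YWRtaW4=", "password": "cGFzc3dvcmQ="},
    "stringData": {"api-url": "https://api.example.com"},
}

if __name__ == "__main__":
    for key, value in secret_values(APP_SECRET).items():
        print(key, value.decode())
```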
10. Ingress
10.1 Basic Ingress
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: hello-world.info
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
```
10.2 TLS Configuration
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
spec:
  tls:
  - hosts:
    - https-example.foo.com
    secretName: testsecret-tls
  rules:
  - host: https-example.foo.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service1
            port:
              number: 80
```
Object Relationship Summary
```text
Namespace
├── Pod
│   ├── Container
│   ├── Volume (emptyDir, hostPath)
│   └── ConfigMap/Secret (as environment variables or files)
├── Service → Pod (via selector)
├── Deployment → ReplicaSet → Pod
├── StatefulSet → Pod (ordered, persistent storage)
├── DaemonSet → Pod (one per node)
├── Job/CronJob → Pod (one-off / scheduled tasks)
├── PersistentVolumeClaim → PersistentVolume
└── Ingress → Service
```
These basic objects form the foundation of application deployment on Kubernetes. Understanding how they relate to one another and what each is for is essential to using Kubernetes effectively.