Kubernetes Core Components
Kubernetes Core Components Explained
Overview
As a container orchestration platform, Kubernetes provides a rich set of resource types for managing different kinds of workloads and configuration. This article walks through the function, purpose, use cases and best practices of each core component.
Workload Management Components
1. Pod - The Smallest Deployable Unit
Functions and Characteristics
- Definition: the smallest deployable and manageable unit of computing in Kubernetes
- Composition: one or more tightly coupled containers that share storage and network
- Lifecycle: an ephemeral resource that can be created, destroyed and recreated
Core Features
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: web-pod
  labels:
    app: web
    version: v1
spec:
  containers:
  - name: web-container
    image: nginx:1.20
    ports:
    - containerPort: 80
    resources:
      requests:
        memory: "256Mi"
        cpu: "250m"
      limits:
        memory: "512Mi"
        cpu: "500m"
    env:
    - name: ENV
      value: "production"
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  - name: sidecar-container
    image: busybox
    command: ['sh', '-c', 'while true; do echo "sidecar running"; sleep 30; done']
  volumes:
  - name: config-volume
    configMap:
      name: app-config
  restartPolicy: Always
  nodeSelector:
    disktype: ssd
```
Use Cases
- Ad hoc tasks: jobs that run once
- Debugging and testing: quickly verifying an image or configuration
- Tightly coupled applications: multi-container applications that must share a filesystem or network
2. Deployment - Stateless Application Management
Functions and Characteristics
- Rolling updates: zero-downtime application updates
- Rollback: quickly revert to a previous revision
- Scaling: adjust the replica count dynamically
- Self-healing: failed Pods are replaced automatically
Configuration Example
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-deployment
  labels:
    app: web
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: nginx:1.20
        ports:
        - containerPort: 80
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1           # max extra Pods that may be created during an update
      maxUnavailable: 1     # max Pods that may be unavailable during an update
  revisionHistoryLimit: 10  # number of old revisions to keep
```
Commands
```bash
# Create and manage a Deployment
kubectl create deployment web --image=nginx:1.20
kubectl scale deployment web --replicas=5
kubectl set image deployment/web web=nginx:1.21
kubectl rollout status deployment/web
kubectl rollout undo deployment/web --to-revision=2
```
Use Cases
- Web services: stateless web applications
- API services: RESTful API backends
- Microservices: cloud-native microservice architectures
3. ReplicaSet - Replica Controller
Functions and Characteristics
- Replica management: keeps the specified number of Pod replicas running at all times
- Selector matching: manages Pods through label selectors
- Automatic repair: replaces Pods that fail or are deleted
Configuration Example
```yaml
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  name: web-replicaset
  labels:
    app: web
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
    matchExpressions:
    - key: environment
      operator: In
      values: ["production", "staging"]
  template:
    metadata:
      labels:
        app: web
        environment: production
    spec:
      containers:
      - name: web
        image: nginx:1.20
        ports:
        - containerPort: 80
```
Use Cases
- Low-level control: usually managed automatically by a Deployment
- Special requirements: scenarios that need precise control over replica behaviour
- Debugging and analysis: understanding how Kubernetes works
4. DaemonSet - Daemon Management
Functions and Characteristics
- Node coverage: ensures one Pod replica runs on every node
- Automatic scheduling: deployed automatically when a new node joins
- System-level services: suited to running system daemons
Configuration Example
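Both the Deployment and the ReplicaSet above depend on `spec.selector` matching the Pod template labels; the API server rejects the object otherwise. The following is an added example (not code from the original article) that evaluates a selector, including `matchExpressions`, against a template, using plain dicts in place of YAML:

```python
# Added example: evaluate a workload selector against Pod template labels.
# Manifests are constructed dicts that mirror the ReplicaSet example above.

def match_labels(selector: dict, labels: dict) -> bool:
    """True if `labels` satisfy matchLabels and every matchExpressions entry."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values, present = expr.get("values", []), expr["key"] in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def validate_selector(manifest: dict) -> list:
    """Problems found; an empty list means the template satisfies the selector."""
    spec = manifest["spec"]
    labels = spec["template"]["metadata"].get("labels", {})
    if not spec.get("selector"):
        return ["spec.selector is required for apps/v1 workloads"]
    if not match_labels(spec["selector"], labels):
        return ["spec.template labels do not match spec.selector"]
    return []


# Constructed manifest mirroring the ReplicaSet shown above.
REPLICASET = {
    "kind": "ReplicaSet",
    "spec": {
        "selector": {
            "matchLabels": {"app": "web"},
            "matchExpressions": [
                {"key": "environment", "operator": "In",
                 "values": ["production", "staging"]},
            ],
        },
        "template": {"metadata": {"labels": {"app": "web",
                                             "environment": "production"}}},
    },
}

if __name__ == "__main__":
    print(validate_selector(REPLICASET))  # []
```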
```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: logging-daemon
  labels:
    app: logging
spec:
  selector:
    matchLabels:
      app: logging
  template:
    metadata:
      labels:
        app: logging
    spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      containers:
      - name: fluentd
        image: fluentd:v1.14
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 200Mi
        volumeMounts:
        - name: varlog
          mountPath: /var/log
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
      volumes:
      - name: varlog
        hostPath:
          path: /var/log
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
```
Use Cases
- Log collection: log agents such as Fluentd and Filebeat
- Monitoring agents: Node Exporter, Datadog Agent
- Network plugins: CNI networking components
- Storage plugins: CSI storage drivers
5. StatefulSet - Stateful Application Management
Functions and Characteristics
- Stable identity: each Pod has a stable network identity and persistent storage
- Ordered deployment: Pods are created and deleted in order
- Persistent storage: PVCs are created and managed automatically
Configuration Example
```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mysql-statefulset
spec:
  serviceName: mysql-service
  replicas: 3
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - name: mysql
        image: mysql:8.0
        env:
        - name: MYSQL_ROOT_PASSWORD
          value: "password"
        ports:
        - containerPort: 3306
        volumeMounts:
        - name: mysql-storage
          mountPath: /var/lib/mysql
  volumeClaimTemplates:
  - metadata:
      name: mysql-storage
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi
---
apiVersion: v1
kind: Service
metadata:
  name: mysql-service
spec:
  clusterIP: None # Headless Service
  selector:
    app: mysql
  ports:
  - port: 3306
    targetPort: 3306
```
Use Cases
- Databases: MySQL, PostgreSQL, MongoDB
- Message queues: Kafka, RabbitMQ
- Distributed storage: Elasticsearch, Cassandra
- Stateful caches: Redis Cluster
Configuration Management Components
6. ConfigMap - Configuration Data Management
Functions and Characteristics
- Configuration separation: keeps configuration out of the container image
- Multiple injection methods: environment variables, files and command-line arguments
- Dynamic updates: configuration changes can propagate to Pods dynamically
Configuration Example
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  # key/value configuration
  database_url: "postgresql://localhost:5432/myapp"
  redis_url: "redis://localhost:6379"
  log_level: "info"
  # file-style configuration
  app.properties: |
    server.port=8080
    spring.datasource.url=jdbc:postgresql://localhost:5432/myapp
    spring.redis.host=localhost
    spring.redis.port=6379
    logging.level.root=INFO
  nginx.conf: |
    server {
      listen 80;
      server_name example.com;
      location / {
        proxy_pass http://backend:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
      }
    }
```
Usage
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
  - name: app
    image: myapp:latest
    # Method 1: a single environment variable
    env:
    - name: DATABASE_URL
      valueFrom:
        configMapKeyRef:
          name: app-config
          key: database_url
    # Method 2: all keys as environment variables
    envFrom:
    - configMapRef:
        name: app-config
    # Method 3: mounted as files
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
  - name: config-volume
    configMap:
      name: app-config
```
Use Cases
- Application configuration: database connections, API keys, feature flags
- Configuration files: server configuration for Nginx, Apache and the like
- Script files: initialization scripts, health-check scripts
7. Secret - Sensitive Data Management
Functions and Characteristics
- Encrypted storage: sensitive data is stored encrypted in etcd
- Access control: fine-grained RBAC-based access control
- Automatic encoding: Base64 encoding/decoding is handled automatically
Types and Examples
```yaml
# Generic (Opaque) Secret
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
type: Opaque
data:
  username: YWRtaW4=      # admin (base64-encoded)
  password: cGFzc3dvcmQ=  # password (base64-encoded)
  api-key: eHh4eHh4eHg=   # xxxxxxxx (base64-encoded)
---
# Docker image pull credentials
apiVersion: v1
kind: Secret
metadata:
  name: docker-registry-secret
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: eyJhdXRocyI6eyJyZWdpc3RyeS5leGFtcGxlLmNvbSI6eyJ1c2VybmFtZSI6InVzZXIiLCJwYXNzd29yZCI6InBhc3MiLCJhdXRoIjoiZFhObGNqcHdZWE56In19fQ==
---
# TLS certificate
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: kubernetes.io/tls
data:
  tls.crt: LS0tLS1CRUdJTi... # certificate content
  tls.key: LS0tLS1CRUdJTi... # private key content
---
# SSH key
apiVersion: v1
kind: Secret
metadata:
  name: ssh-secret
type: kubernetes.io/ssh-auth
data:
  ssh-privatekey: LS0tLS1CRUdJTi... # SSH private key
```
Usage
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  containers:
  - name: app
    image: myapp:latest
    env:
    - name: DB_USERNAME
      valueFrom:
        secretKeyRef:
          name: app-secrets
          key: username
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: app-secrets
          key: password
    volumeMounts:
    - name: tls-certs
      mountPath: /etc/tls
      readOnly: true
  volumes:
  - name: tls-certs
    secret:
      secretName: tls-secret
  imagePullSecrets:
  - name: docker-registry-secret
```
Use Cases
- Authentication credentials: database passwords, API keys
- TLS certificates: certificates for HTTPS services
- Image pulls: credentials for private image registries
- SSH keys: keys for accessing Git repositories
Networking and Service Discovery Components
8. Service - Service Abstraction and Load Balancing
Functions and Characteristics
- Service discovery: provides a stable network endpoint for Pods
- Load balancing: distributes traffic across multiple Pods
- Multiple types: ClusterIP, NodePort and LoadBalancer
Service Types in Detail
ClusterIP (default type)
```yaml
apiVersion: v1
kind: Service
metadata:
  name: web-service
spec:
  type: ClusterIP
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
  sessionAffinity: ClientIP # session stickiness
```
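The Secret types above all carry base64 text in `data`, and a hand-built `.dockerconfigjson` additionally has to keep its `auth` field consistent with `username`/`password`. The following is an added example (not code from the original article) that builds a Secret from plaintext values and audits the kinds shown above using only the standard library; the manifests are constructed dicts, with the registry Secret's data copied verbatim from the article:

```python
# Added example: build and audit Secret manifests with the standard library.
# base64 is an encoding, not encryption: anyone who can read the object reads
# the value. Manifests here are constructed dicts.
import base64
import json


def encode_secret(name: str, secret_type: str, values: dict) -> dict:
    """Produce a Secret manifest from plaintext values, as kubectl does."""
    data = {k: base64.b64encode(v.encode()).decode() for k, v in values.items()}
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": secret_type, "data": data}


def audit_secret(secret: dict) -> list:
    """Findings for data that the API server rejects or that misbehaves at use."""
    findings, decoded = [], {}
    for key, value in secret.get("data", {}).items():
        try:
            decoded[key] = base64.b64decode(value, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            findings.append(f"{key}: not valid base64 (the API server rejects this)")
    if secret.get("type") == "kubernetes.io/dockerconfigjson":
        raw = decoded.get(".dockerconfigjson")
        if raw is None:
            findings.append("dockerconfigjson Secret lacks the .dockerconfigjson key")
        else:  # the auth field must equal base64("username:password")
            for registry, creds in json.loads(raw).get("auths", {}).items():
                pair = f"{creds.get('username')}:{creds.get('password')}".encode()
                if creds.get("auth") != base64.b64encode(pair).decode():
                    findings.append(f"{registry}: auth does not match username:password")
    if secret.get("type") == "kubernetes.io/tls":
        if not {"tls.crt", "tls.key"} <= set(decoded):
            findings.append("tls Secret must carry both tls.crt and tls.key")
    return findings


# Constructed: the docker-registry-secret from the article, data copied verbatim.
REGISTRY_SECRET = {
    "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
    "data": {".dockerconfigjson": "eyJhdXRocyI6eyJyZWdpc3RyeS5leGFtcGxlLmNvbSI6"
                                  "eyJ1c2VybmFtZSI6InVzZXIiLCJwYXNzd29yZCI6InBhc3Mi"
                                  "LCJhdXRoIjoiZFhObGNqcHdZWE56In19fQ=="},
}

if __name__ == "__main__":
    print(audit_secret(REGISTRY_SECRET))  # []
```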
NodePort
```yaml
apiVersion: v1
kind: Service
metadata:
  name: web-nodeport
spec:
  type: NodePort
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
    nodePort: 30080 # optional; allocated automatically if omitted
```
LoadBalancer
```yaml
apiVersion: v1
kind: Service
metadata:
  name: web-loadbalancer
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
  loadBalancerSourceRanges:
  - 10.0.0.0/8
```
Headless Service
```yaml
apiVersion: v1
kind: Service
metadata:
  name: mysql-headless
spec:
  clusterIP: None # Headless Service
  selector:
    app: mysql
  ports:
  - port: 3306
    targetPort: 3306
```
Use Cases
- Microservice communication: internal service-to-service traffic
- Load balancing: traffic distribution and failover
- Service discovery: dynamic discovery of backend instances
- External access: exposing services outside the cluster
9. Ingress - HTTP/HTTPS Routing
Functions and Characteristics
- HTTP routing: host- and path-based routing
- TLS termination: HTTPS certificate management and termination
- Load balancing: application-layer load balancing
- Extensibility: multiple Ingress controllers are supported
Configuration Example
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rate-limit-connection: "10"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - api.example.com
    - web.example.com
    secretName: tls-secret
  rules:
  - host: web.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
  - host: api.example.com
    http:
      paths:
      - path: /v1
        pathType: Prefix
        backend:
          service:
            name: api-v1-service
            port:
              number: 8080
      - path: /v2
        pathType: Prefix
        backend:
          service:
            name: api-v2-service
            port:
              number: 8080
```
Advanced Configuration
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: advanced-ingress
  annotations:
    # rate limiting
    nginx.ingress.kubernetes.io/rate-limit: "100"
    nginx.ingress.kubernetes.io/rate-limit-burst: "200"
    # authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # CORS
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://example.com"
    # proxy settings
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    # caching
    nginx.ingress.kubernetes.io/server-snippet: |
      location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        expires 1y;
        add_header Cache-Control "public, no-transform";
      }
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-service
            port:
              number: 80
```
Use Cases
- API gateway: a unified API entry point and router
- Multi-domain management: many domains served by one cluster
- Blue/green deployment: traffic switching and canary releases
- SSL termination: centralized TLS certificate management
10. Endpoints & EndpointSlice - Service Endpoint Management
Endpoints
```yaml
apiVersion: v1
kind: Endpoints
metadata:
  name: web-service
subsets:
- addresses:
  - ip: 10.244.1.10
    nodeName: node1
  - ip: 10.244.2.15
    nodeName: node2
  ports:
  - port: 8080
    protocol: TCP
```
EndpointSlice (recommended on newer versions)
```yaml
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
  name: web-service-abc123
  labels:
    kubernetes.io/service-name: web-service
addressType: IPv4
endpoints:
- addresses:
  - "10.244.1.10"
  conditions:
    ready: true
    serving: true
    terminating: false
  nodeName: node1
  zone: us-west-1a
- addresses:
  - "10.244.2.15"
  conditions:
    ready: true
    serving: true
    terminating: false
  nodeName: node2
  zone: us-west-1b
ports:
- name: http
  port: 8080
  protocol: TCP
```
Use Cases
- Service discovery: kube-proxy uses endpoint information to configure load balancing
- Health checks: marking unhealthy endpoints
- Network debugging: troubleshooting service connectivity problems
- Monitoring integration: integration with service meshes and monitoring systems
OpenShift-Specific Components
11. Route - OpenShift Routing
Functions and Characteristics
- OpenShift-specific: the routing component of Red Hat OpenShift
- HAProxy integration: HAProxy-based load balancing
- Automatic DNS: hostnames and DNS records are generated automatically
Configuration Example
```yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: web-route
  annotations:
    haproxy.router.openshift.io/rate-limit-connections: "true"
    haproxy.router.openshift.io/rate-limit-connections.concurrent-tcp: "100"
spec:
  host: web.apps.cluster.example.com
  to:
    kind: Service
    name: web-service
    weight: 100
  port:
    targetPort: 8080
  tls:
    termination: edge
    certificate: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      ...
      -----END PRIVATE KEY-----
    insecureEdgeTerminationPolicy: Redirect
  wildcardPolicy: None
```
Use Cases
- OpenShift environments: a routing solution that takes the place of Ingress
- Enterprise features: richer enterprise-grade routing capabilities
- Multi-tenancy: project-level route isolation
12. ImageStream - OpenShift Image Stream Management
Functions and Characteristics
- Image version management: tracks multiple versions of an image
- Automatic triggers: deployments are triggered when an image is updated
- Image security: integrates with image security scanning
Configuration Example
```yaml
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: my-app
spec:
  lookupPolicy:
    local: true
  tags:
  - name: latest
    from:
      kind: DockerImage
      name: registry.example.com/myorg/my-app:latest
    importPolicy:
      scheduled: true
      insecure: false
    referencePolicy:
      type: Local
  - name: v1.0
    from:
      kind: DockerImage
      name: registry.example.com/myorg/my-app:v1.0.0
  - name: dev
    from:
      kind: ImageStreamTag
      name: my-app:latest
```
Use Cases
- CI/CD integration: integration with the OpenShift build system
- Image management: unified image version management
- Security scanning: automated image security checks
Component Relationships and Collaboration Patterns
1. Typical Application Deployment Architecture
```mermaid
graph TB
    User[User] --> Ingress[Ingress Controller]
    Ingress --> Service[Service]
    Service --> Pod1[Pod 1]
    Service --> Pod2[Pod 2]
    Service --> Pod3[Pod 3]
    Deployment[Deployment] --> ReplicaSet[ReplicaSet]
    ReplicaSet --> Pod1
    ReplicaSet --> Pod2
    ReplicaSet --> Pod3
    ConfigMap[ConfigMap] --> Pod1
    ConfigMap --> Pod2
    ConfigMap --> Pod3
    Secret[Secret] --> Pod1
    Secret --> Pod2
    Secret --> Pod3
    Service --> Endpoints[Endpoints/EndpointSlice]
    Endpoints --> Pod1
    Endpoints --> Pod2
    Endpoints --> Pod3
```
2. Stateful Application Architecture
```mermaid
graph TB
    Client[Client] --> HeadlessService[Headless Service]
    HeadlessService --> StatefulSet[StatefulSet]
    StatefulSet --> Pod1[Pod-0]
    StatefulSet --> Pod2[Pod-1]
    StatefulSet --> Pod3[Pod-2]
    Pod1 --> PVC1[PVC-0]
    Pod2 --> PVC2[PVC-1]
    Pod3 --> PVC3[PVC-2]
    PVC1 --> PV1[PV-0]
    PVC2 --> PV2[PV-1]
    PVC3 --> PV3[PV-2]
```
3. Configuration Management Pattern
```mermaid
graph LR
    ConfigMap[ConfigMap] --> |environment variables| Pod[Pod]
    ConfigMap --> |file mounts| Pod
    Secret[Secret] --> |sensitive environment variables| Pod
    Secret --> |certificate files| Pod
    Secret --> |image pull credentials| Pod
```
Best Practices and Recommendations
1. Workload Selection Guide
| Scenario | Recommended Components | Rationale |
|---|---|---|
| Stateless web application | Deployment + Service + Ingress | easy to scale and roll out updates |
| Database | StatefulSet + Headless Service | needs stable identity and persistent storage |
| System daemon | DaemonSet | one instance must run on every node |
| Batch job | Job/CronJob | one-off or scheduled tasks |
| Debugging and testing | Pod | quick verification and debugging |
2. Configuration Management Best Practices
Layered Configuration Strategy
```yaml
# Base configuration - ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-base-config
data:
  log_level: "info"
  server_timeout: "30s"
---
# Environment-specific configuration - ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-prod-config
data:
  database_pool_size: "20"
  cache_size: "1000"
---
# Sensitive configuration - Secret
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
type: Opaque
data:
  database_password: cGFzc3dvcmQ=
  api_key: eHh4eHh4eHg=
```
Configuration Injection Pattern
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-deployment
spec:
  selector:            # required in apps/v1; must match the template labels
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: app
        image: myapp:latest
        envFrom:
        - configMapRef:
            name: app-base-config
        - configMapRef:
            name: app-prod-config
        env:
        - name: DATABASE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: app-secrets
              key: database_password
        volumeMounts:
        - name: config-files
          mountPath: /etc/config
      volumes:
      - name: config-files
        projected:
          sources:
          - configMap:
              name: app-base-config
          - secret:
              name: app-secrets
```
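When several `envFrom` sources and explicit `env` entries name the same key, the container sees only one value: `envFrom` sources apply in order with the last one winning, and `env` entries override `envFrom`. The following is an added example (not code from the original article) that resolves the effective environment for the container in the injection pattern above; the ConfigMaps and Secret are constructed dicts, and `app-prod-config` deliberately repeats `log_level` so the precedence is visible:

```python
# Added example: compute the environment a container actually receives from the
# layered ConfigMaps and Secret above. envFrom sources apply in order (a later
# source wins for a duplicate key); explicit env entries override envFrom.
import base64

# Constructed copies of the objects; app-prod-config deliberately repeats log_level.
OBJECTS = {
    ("ConfigMap", "app-base-config"): {"log_level": "info", "server_timeout": "30s"},
    ("ConfigMap", "app-prod-config"): {"database_pool_size": "20", "cache_size": "1000",
                                       "log_level": "warn"},
    ("Secret", "app-secrets"): {"database_password": "cGFzc3dvcmQ=",
                                "api_key": "eHh4eHh4eHg="},
}

def lookup(kind: str, name: str) -> dict:
    """Return an object's data; Secret values are base64-decoded as the kubelet does."""
    data = OBJECTS[(kind, name)]
    if kind == "Secret":
        return {k: base64.b64decode(v).decode() for k, v in data.items()}
    return dict(data)

def resolve_env(container: dict) -> dict:
    env = {}
    for source in container.get("envFrom", []):   # in order, last source wins
        if "configMapRef" in source:
            env.update(lookup("ConfigMap", source["configMapRef"]["name"]))
        elif "secretRef" in source:
            env.update(lookup("Secret", source["secretRef"]["name"]))
    for entry in container.get("env", []):        # explicit env overrides envFrom
        if "value" in entry:
            env[entry["name"]] = entry["value"]
            continue
        ref = entry["valueFrom"]
        if "configMapKeyRef" in ref:
            kind, key = "ConfigMap", "configMapKeyRef"
        else:
            kind, key = "Secret", "secretKeyRef"
        env[entry["name"]] = lookup(kind, ref[key]["name"])[ref[key]["key"]]
    return env

# The container from the injection pattern above, plus one explicit log_level.
CONTAINER = {
    "envFrom": [{"configMapRef": {"name": "app-base-config"}},
                {"configMapRef": {"name": "app-prod-config"}}],
    "env": [{"name": "DATABASE_PASSWORD", "valueFrom": {"secretKeyRef": {
                "name": "app-secrets", "key": "database_password"}}},
            {"name": "log_level", "value": "debug"}],
}
```

Calling `resolve_env(CONTAINER)` yields `log_level` as `debug` (the explicit `env` entry wins over both ConfigMaps) and `DATABASE_PASSWORD` decoded from the Secret.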
3. Network Access Patterns
Internal Service Communication
```yaml
# Backend service
apiVersion: v1
kind: Service
metadata:
  name: backend-service
spec:
  type: ClusterIP
  selector:
    app: backend
  ports:
  - port: 8080
    targetPort: 8080
```
External Access
```yaml
# Option 1: LoadBalancer (cloud environments)
apiVersion: v1
kind: Service
metadata:
  name: web-loadbalancer
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
---
# Option 2: NodePort (local environments)
apiVersion: v1
kind: Service
metadata:
  name: web-nodeport
spec:
  type: NodePort
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
    nodePort: 30080
---
# Option 3: Ingress (recommended)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
spec:
  rules:
  - host: web.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
```
4. Security Considerations
RBAC Configuration
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-serviceaccount
  namespace: production
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-role
  namespace: production
rules:
- apiGroups: [""]
  resources: ["pods", "configmaps", "secrets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-rolebinding
  namespace: production
subjects:
- kind: ServiceAccount
  name: app-serviceaccount
  namespace: production
roleRef:
  kind: Role
  name: app-role
  apiGroup: rbac.authorization.k8s.io
```
Network Policy
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-netpol
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: frontend
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: backend
    ports:
    - protocol: TCP
      port: 5432
```
Monitoring and Troubleshooting
1. Common Diagnostic Commands
```bash
# Pods
kubectl get pods -o wide
kubectl describe pod <pod-name>
kubectl logs <pod-name> -c <container-name>
kubectl exec -it <pod-name> -- /bin/bash
# Services
kubectl get svc
kubectl describe svc <service-name>
kubectl get endpoints <service-name>
# Configuration
kubectl get configmap <cm-name> -o yaml
kubectl get secret <secret-name> -o yaml
# Networking
kubectl get ingress
kubectl describe ingress <ingress-name>
kubectl get networkpolicy
# Workloads
kubectl get deployment <deploy-name> -o yaml
kubectl rollout status deployment/<deploy-name>
kubectl rollout history deployment/<deploy-name>
```
2. Troubleshooting Common Problems
Pod fails to start
```bash
# Check the Pod status
kubectl get pods
kubectl describe pod <pod-name>
# Common causes:
# 1. Image pull failure - ImagePullBackOff
# 2. Insufficient resources - Pending
# 3. Configuration error - CrashLoopBackOff
# 4. Storage problem - volume mount failure
```
Service access problems
```bash
# Check the Service and its endpoints
kubectl get svc <service-name>
kubectl get endpoints <service-name>
kubectl describe svc <service-name>
# Network connectivity test
kubectl run debug --image=busybox -it --rm -- /bin/sh
# Inside the debug pod, test the connection
nslookup <service-name>
wget -O- <service-name>:<port>
```
Summary
Each Kubernetes component has its own responsibility, and together they form a complete container orchestration ecosystem:
Core Design Principles
- Declarative configuration: the desired state is described in YAML
- Controller pattern: actual state is continuously observed and reconciled with the desired state
- Label selectors: flexible association and management of resources
- Layered abstraction: successive layers of abstraction from Pod up to Service
- Extensibility: functionality is extended through CRDs and the Operator pattern
Component Collaboration
- Workload layer: Pod → ReplicaSet → Deployment/StatefulSet/DaemonSet
- Network layer: Service → Endpoints → Ingress/Route
- Configuration layer: ConfigMap/Secret → environment variables/file mounts
- Storage layer: PV → PVC → container mount points
Understanding what these components do and how they work together is the key to mastering Kubernetes; choosing and configuring them well lets you build highly available, scalable and maintainable cloud-native application systems.
This article is from cnblogs (博客园), by MadLongTom; when reposting, please cite the original link: https://www.cnblogs.com/madtom/p/19048861