一. 簡介:
kubernetes是一個開源的容器管理工具,是基於GO語言開實現的,輕量級和便攜式的應用,可以把kubernetes cluster在linux主機上部署、管理和擴容docker容器的應用在多個主機上。
二. 架構:
1. kubernetes由以下組件組成:
- kubernetes master
- kubernetes nodes
- etcd
- kubernetes network
2. 組件是通過網絡連接的,如下圖所示:
3. 上面的圖可以匯總如下信息:
- kubernetes master: 通過HTTP或者HTTPS連接etcd去存儲數據。
- kubernetes nodes: 通過HTTP或者HTTPS連接kubernetes master去獲取命令和報告狀態。
- kubernetes network: 通過L2,L3或overlay和容器之間建立連接。
(1) kubernetes master:
kubernetes主要有以下幾個功能:
- 認證和授權
- RESTful API entry point
- 對kubernetes nodes容器部署的調度
- 擴容和復制容器
- 讀取配置去創建群集
下圖顯示了master daemon 是如何工作實現上述功能的:
API server (kube-apiserver)
API server提供基於HTTP或者HTTPS的RESTful API,它是kubernetes 組件中心,比如kubectl, the scheduler, the replication controller, 和etcd 數據存儲,及運行在kubernetes nodes上的kubelet 和kube-proxy.
Scheduler (kube-scheduler)
調度器幫助選擇哪個容器運行在哪個節點上,針對派送和綁定容器到節點,它只是使用一個簡單的算法定義優先級。
比如:
- CPU
- 內存
- 多少容器運行
Controller manager( kube-controller-manager)
該控制管理執行群集的操作。比如:
- 管理kubernetes nodes
- 創建和更新kubernetes內部信息
- 嘗試改變當前的狀態到滿意的狀態。
Command-line interface (kubectl)
安裝完kubernetes master后,你可以使用kubernetes 命令行接口,kuberctl,去管理kubernetes群集,比如使用kubectl get cs返回每個組件的狀態,kubectl get nodes返回kubernetes節點的列表。
//see the Component Statuses # kubectl get cs NAME STATUS MESSAGE ERROR controller-manager Healthy ok nil scheduler Healthy ok nil etcd-0 Healthy {"health": "true"} nil //see the nodes # kubectl get nodes NAME LABELS STATUS AGE kub-node1 kubernetes.io/hostname=kub-node1 Ready 26d kub-node2 kubernetes.io/hostname=kub-node2 Ready 26d
(2) kubernetes節點
kubernetes node在kubernetes群集中是slave node, 它是由kubernetes master控制的,使用docker支行應用。
下圖描述了節點中的任務和角色:
從上圖可以看出該了該節點有兩個守護進程,kubelet和kube-proxy。
kubelet在kubernetes節點中是主要的進程,它負責和kubernetes master通信,完成以下操作。
- 周期性的訪問 API controller去檢查和報告
- 執行容器的操作
- 支行HTTP服務器提供簡單的APIs.
proxy(kube-proxy)
proxy處理網絡代理和每個容器的負載均衡,它通過改變linux iptables rules來控制在容器上的TCP和UDP包。
在配置完kube-proxy守護進程后,它配置Iptables規則,可以使用iptables –t nat –L 或者iptables –t nat –S 去檢查nat 表的規則,如下所示:
//the result will be vary and dynamically changed by kube-proxy
# sudo iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-N FLANNEL
-N KUBE-NODEPORT-CONTAINER
-N KUBE-NODEPORT-HOST
-N KUBE-PORTALS-CONTAINER
-N KUBE-PORTALS-HOST
-A PREROUTING -m comment --comment "handle ClusterIPs; NOTE: this must be before the NodePort rules" -j KUBE-PORTALS-CONTAINER
-A PREROUTING -m addrtype --dst-type LOCAL -m comment --comment "handle service NodePorts; NOTE: this must be the last rule in the chain" -j KUBE-NODEPORT-CONTAINER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m comment --comment "handle ClusterIPs; NOTE: this must be before the NodePort rules" -j KUBE-PORTALS-HOST
-A OUTPUT -m addrtype --dst-type LOCAL -m comment --comment "handle service NodePorts; NOTE: this must be the last rule in the chain" -j KUBE-NODEPORT-HOST
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 192.168.90.0/24 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/16 -j FLANNEL
-A FLANNEL -d 192.168.0.0/16 -j ACCEPT
-A FLANNEL ! -d 224.0.0.0/4 -j MASQUERADE
(3) etcd
etcd是分布式的鍵值數據存儲,可以通過RESTful API去執行CRUD的操作,kubernetes使用etcd作為主要數據存儲。
可以通過curl命令去獲取:
//example: etcd server is localhost and default port is 4001
# curl -L http://127.0.0.1:4001/v2/keys/registry
{"action":"get","node":{"key":"/registry","dir":true,"nodes":[{"key":"/registry/namespaces","dir":true,"modifiedIndex":6,"createdIndex":6},{"key":"/registry/pods","dir":true,"modifiedIndex":187,"createdIndex":187},{"key":"/registry/clusterroles","dir":true,"modifiedIndex":196,"createdIndex":196},{"key":"/registry/replicasets","dir":true,"modifiedIndex":178,"createdIndex":178},{"key":"/registry/limitranges","dir":true,"modifiedIndex":202,"createdIndex":202},{"key":"/registry/storageclasses","dir":true,"modifiedIndex":215,"createdIndex":215},{"key":"/registry/apiregistration.k8s.io","dir":true,"modifiedIndex":7,"createdIndex":7},{"key":"/registry/serviceaccounts","dir":true,"modifiedIndex":70,"createdIndex":70},{"key":"/registry/secrets","dir":true,"modifiedIndex":71,"createdIndex":71},{"key":"/registry/deployments","dir":true,"modifiedIndex":177,"createdIndex":177},{"key":"/registry/services","dir":true,"modifiedIndex":13,"createdIndex":13},{"key":"/registry/configmaps","dir":true,"modifiedIndex":52,"createdIndex":52},{"key":"/registry/ranges","dir":true,"modifiedIndex":4,"createdIndex":4},{"key":"/registry/minions","dir":true,"modifiedIndex":58,"createdIndex":58},{"key":"/registry/clusterrolebindings","dir":true,"modifiedIndex":171,"createdIndex":171}],"modifiedIndex":4,"createdIndex":4}}
(4) kubernetes network:
容器如果在單一的節點之間進行通信 ,可以使用Docker network或者Docker compose去發現彼此。假如在多個節點之間進行通信,Kubernetes使用overlay network或者 container network interface(CNI) 去完成多個容器間的通信 。