# 资源调度策略
– 节点选择器（Node Selector）：根据节点标签选择节点
– 节点亲和性（Node Affinity）：更灵活的节点选择规则
– Pod亲和性（Pod Affinity）：将相关Pod调度到同一节点或同一拓扑域
– Pod反亲和性（Pod Anti-Affinity）：将相关Pod调度到不同节点或不同拓扑域
– 污点（Taints）：节点对Pod的排斥规则
– 容忍度（Tolerations）：Pod对节点污点的容忍程度
– 优先级（Priority）：Pod的调度优先级
– 抢占（Preemption）：高优先级Pod抢占低优先级Pod的资源

# 调度算法
– 过滤（Filtering）：筛选出满足Pod资源需求的节点
– 打分（Scoring）：对筛选出的节点进行打分，选择得分最高的节点
– 绑定（Binding）：将Pod绑定到选中的节点上

# 调度器扩展
– 自定义调度器：根据特定需求开发自定义调度器
– 调度器插件：扩展默认调度器的功能
– 多调度器：在同一集群中使用多个调度器

# 资源调度规划
– 应用分类：根据应用的特性和需求进行分类
– 节点分组：根据节点的特性和能力进行分组
– 调度策略：为不同类型的应用制定不同的调度策略
– 资源预留：为系统组件和关键应用预留资源
– 负载均衡：确保Pod在集群中均匀分布

# 应用分类
– 核心应用：需要高可靠性和性能的应用
– 非核心应用：对可靠性和性能要求较低的应用
– 批处理任务：需要大量计算资源的任务
– 实时应用：对延迟敏感的应用

# 节点分组
– 高性能节点：用于运行核心应用和实时应用
– 标准节点：用于运行普通应用
– 低性能节点：用于运行非核心应用和批处理任务
– 专用节点：用于运行特定类型的应用

# 多租户隔离方案
– 命名空间隔离：为每个租户创建独立的命名空间
– 资源隔离：为每个租户设置资源配额和限制范围
– 网络隔离：为每个租户配置网络策略，限制网络访问
– 存储隔离：为每个租户配置独立的存储资源
– 权限隔离：为每个租户配置独立的RBAC权限

# 租户类型
– 生产租户：运行生产环境应用的租户
– 测试租户：运行测试环境应用的租户
– 开发租户：运行开发环境应用的租户
– 演示租户：运行演示环境应用的租户

# 隔离级别
– 软隔离：共享集群资源，通过资源配额限制
– 硬隔离：使用物理隔离或虚拟机隔离
– 混合隔离：结合软隔离和硬隔离的优点

# 权限管理策略
– 最小权限原则：只授予用户必要的权限
– 基于角色的访问控制（RBAC）：使用角色和角色绑定管理权限
– 命名空间级权限：为每个租户配置命名空间级别的权限
– 集群级权限：为管理员配置集群级别的权限
– 服务账户：为应用配置服务账户，限制应用的权限

# 角色类型
– 集群角色（ClusterRole）：集群级别的角色
– 命名空间角色（Role）：命名空间级别的角色
– 集群角色绑定（ClusterRoleBinding）：集群级别的角色绑定
– 命名空间角色绑定（RoleBinding）：命名空间级别的角色绑定

# 权限管理工具
– kubectl：命令行工具管理权限
– Kubernetes Dashboard：图形化工具管理权限
– 第三方工具：如Keycloak、OpenID Connect等

# 配置节点亲和性
$ kubectl apply -f – << EOF apiVersion: v1 kind: Pod metadata: name: nginx namespace: default spec: containers: - name: nginx image: nginx resources: requests: cpu: "100m" memory: "256Mi" limits: cpu: "500m" memory: "512Mi" ports: - containerPort: 80 affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: node-type operator: In values: - high-performance preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 preference: matchExpressions: - key: zone operator: In values: - zone1 EOF # 查看Pod调度情况 $ kubectl get pod nginx -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES nginx 1/1 Running 0 5m 10.244.1.2 worker1

# 配置节点污点
$ kubectl taint nodes worker2 node-type=special:NoSchedule

# 配置Pod容忍度
$ kubectl apply -f – << EOF apiVersion: v1 kind: Pod metadata: name: special-pod namespace: default spec: containers: - name: nginx image: nginx resources: requests: cpu: "100m" memory: "256Mi" limits: cpu: "500m" memory: "512Mi" ports: - containerPort: 80 tolerations: - key: "node-type" operator: "Equal" value: "special" effect: "NoSchedule" EOF # 查看Pod调度情况 $ kubectl get pod special-pod -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES special-pod 1/1 Running 0 5m 10.244.2.2 worker2

# 配置Pod亲和性
$ kubectl apply -f – << EOF apiVersion: v1 kind: Pod metadata: name: web-server namespace: default labels: app: web tier: frontend spec: containers: - name: nginx image: nginx resources: requests: cpu: "100m" memory: "256Mi" limits: cpu: "500m" memory: "512Mi" ports: - containerPort: 80 EOF $ kubectl apply -f - << EOF apiVersion: v1 kind: Pod metadata: name: cache-server namespace: default labels: app: cache tier: backend spec: containers: - name: redis image: redis resources: requests: cpu: "100m" memory: "256Mi" limits: cpu: "500m" memory: "512Mi" ports: - containerPort: 6379 affinity: podAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: app operator: In values: - web topologyKey: kubernetes.io/hostname EOF # 查看Pod调度情况 $ kubectl get pod -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES web-server 1/1 Running 0 10m 10.244.1.2 worker1
cache-server 1/1 Running 0 5m 10.244.1.3 worker1

# 配置Pod反亲和性
$ kubectl apply -f – << EOF apiVersion: apps/v1 kind: Deployment metadata: name: nginx namespace: default spec: replicas: 3 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx resources: requests: cpu: "100m" memory: "256Mi" limits: cpu: "500m" memory: "512Mi" ports: - containerPort: 80 affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: app operator: In values: - nginx topologyKey: kubernetes.io/hostname EOF # 查看Pod调度情况 $ kubectl get pod -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES nginx-6799fc88d8-2q4x2 1/1 Running 0 5m 10.244.1.学习交流加群风哥微信: itpux-com4 worker1
nginx-6799fc88d8-5b678 1/1 Running 0 5m 10.244.2.3 worker2
nginx-6799fc88d8-7c89d 1/1 Running 0 5m 10.244.3.2 worker3

# 创建租户命名空间
$ kubectl create namespace tenant1
$ kubectl create namespace tenant2

# 配置租户资源配额
$ kubectl apply -f – << EOF apiVersion: v1 kind: ResourceQuota metadata: name: tenant1-quota namespace: tenant1 spec: hard: requests.cpu: "2" requests.memory: "4Gi" limits.cpu: "4" limits.memory: "8Gi" pods: "10" services: "5" EOF $ kubectl apply -f - << EOF apiVersion: v1 kind: ResourceQuota metadata: name: tenant2-quota namespace: tenant2 spec: hard: requests.cpu: "1" requests.memory: "2Gi" limits.cpu: "2" limits.memory: "4Gi" pods: "5" services: "3" EOF # 配置租户网络策略 $ kubectl apply -f - << EOF apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: tenant1-network-policy namespace: tenant1 spec: podSelector: matchLabels: {} policyTypes: - Ingress - Egress ingress: - from: - podSelector: matchLabels: {} egress: - to: - podSelector: matchLabels: {} EOF # 配置租户RBAC权限 $ kubectl create role tenant1-reader --namespace=tenant1 --verb=get,list,watch --resource=pods,services,configmaps $ kubectl create rolebinding tenant1-reader-binding --namespace=tenant1 --role=tenant1-reader --user=tenant1 $ kubectl create role tenant2-reader --namespace=tenant2 --verb=get,list,watch --resource=pods,services,configmaps $ kubectl create rolebinding tenant2-reader-binding --namespace=tenant2 --role=tenant2-reader --user=tenant2 # 查看租户配置 $ kubectl get resourcequota --namespace=tenant1 NAME AGE REQUEST LIMIT tenant1-quota 5m requests.cpu: 0/2, requests.memory: 0/4Gi limits.cpu: 0/4, limits.memory: 0/8Gi $ kubectl get networkpolicy --namespace=tenant1 NAME AGE POD-SELECTOR AGE tenant1-network-policy 5m 5m

# 案例：企业级资源调度
# 环境：5节点K8s集群
# 目标：配置资源调度策略，优化Pod调度

# 1. 给节点打标签
$ kubectl label nodes worker1 node-type=high-performance zone=zone1
$ kubectl label nodes worker2 node-type=high-performance zone=zone2
$ kubectl label nodes worker3 node-type=standard zone=zone1
$ kubectl label nodes worker4 node-type=standard zone=zone2
$ kubectl label nodes worker5 node-type=low-cost zone=zone3

# 2. 配置核心应用调度
$ kubectl apply -f – << EOF apiVersion: apps/v1 kind: Deployment metadata: name: core-app namespace: default spec: replicas: 2 selector: matchLabels: app: core template: metadata: labels: app: core spec: containers: - name: core-app image: nginx resources: requests: cpu: "1" memory: "2Gi" limits: cpu: "2" memory: "4Gi" ports: - containerPort: 80 affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: node-type operator: In values: - high-performance preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 preference: matchExpressions: - key: zone operator: In values: - zone1 EOF # 3. 配置普通应用调度 $ kubectl apply -f - << EOF apiVersion: apps/v1 kind: Deployment metadata: name: standard-app namespace: default spec: replicas: 3 selector: matchLabels: app: standard template: metadata: labels: app: standard spec: containers: - name: standard-app image: nginx resources: requests: cpu: "500m" memory: "1Gi" limits: cpu: "1" memory: "2Gi" ports: - containerPort: 80 affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: node-type operator: In values: - standard EOF # 4. 配置批处理任务调度 $ kubectl apply -f - << EOF apiVersion: batch/v1 kind: Job metadata: name: batch-job namespace: default spec: template: spec: containers: - name: batch-job image: busybox command: ["sh", "-c", "echo 'Hello, World!' && sleep 3600"] resources: requests: cpu: "2" memory: "4Gi" limits: cpu: "4" memory: "8Gi" affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: node-type operator: In values: - low-cost restartPolicy: Never backoffLimit: 1 EOF # 5. 查看Pod调度情况 $ kubectl get pod -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES core-app-54d4d5c678-2q4x2 1/1 Running 0 10m 10.244.1.2 worker1
core-app-54d4d5c678-5b678 1/1 Running 0 10m 10.244.2.2 worker2
standard-app-6799fc88d8-2q4x2 1/1 Running 0 5m 10.244.3.2 worker3
standard-app-6799fc88d8-5b678 1/1 Running 0 5m 10.244.4.2 worker4
standard-app-6799fc88d8-7c89d 1/1 Running 0 5m 10.244.3.3 worker3
batch-job-54d4d5c678-2q4x2 1/1 Running 0 2m 10.244.5.2 worker5

# 案例：企业级多租户管理
# 环境：10节点K8s集群
# 目标：配置多租户隔离，管理多个租户

# 1. 创建租户命名空间
$ kubectl create namespace tenant-production
$ kubectl create namespace tenant-staging
$ kubectl create namespace tenant-development

# 2. 配置租户资源配额
$ kubectl apply -f – << EOF apiVersion: v1 kind: ResourceQuota metadata: name: production-quota namespace: tenant-production spec: hard: requests.cpu: "8" requests.memory: "16Gi" limits.cpu: "16" limits.memory: "32Gi" pods: "20" services: "10" EOF $ kubectl apply -f - << EOF apiVersion: v1 kind: ResourceQuota metadata: name: staging-quota namespace: tenant-staging spec: hard: requests.cpu: "4" requests.memory: "8Gi" limits.cpu: "8" limits.memory: "16Gi" pods: "10" services: "5" EOF $ kubectl apply -f - << EOF apiVersion: v1 kind: ResourceQuota metadata: name: development-quota namespace: tenant-development spec: hard: requests.cpu: "2" requests.memory: "4Gi" limits.cpu: "4" limits.memory: "8Gi" pods: "5" services: "3" EOF # 3. 配置租户网络策略 $ kubectl apply -f - << EOF apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: production-network-policy namespace: tenant-production spec: podSelector: matchLabels: {} policyTypes: - Ingress - Egress ingress: - from: - podSelector: matchLabels: {} egress: - to: - podSelector: matchLabels: {} EOF # 4. 配置租户RBAC权限 $ kubectl create role production-admin --namespace=tenant-production --verb=* --resource=* $ kubectl create rolebinding production-admin-binding --namespace=tenant-production --role=production-admin --user=admin $ kubectl create role staging-admin --namespace=tenant-staging --verb=* --resource=* $ kubectl create rolebinding staging-admin-binding --namespace=tenant-staging --role=staging-admin --user=staging-admin $ kubectl create role development-admin --namespace=tenant-development --verb=* --resource=* $ kubectl create rolebinding development-admin-binding --namespace=tenant-development --role=development-admin --user=dev-admin # 5. 部署租户应用 $ kubectl apply -f - << EOF apiVersion: apps/v1 kind: Deployment metadata: name: production-app namespace: tenant-production spec: replicas: 5 selector: matchLabels: app: production template: metadata: labels: app: production spec: containers: - name: production-app image: nginx resources: requests: cpu: "1" memory: "2Gi" limits: cpu: "2" memory: "4Gi" ports: - containerPort: 80 EOF # 6. 查看租户配置 $ kubectl get resourcequota --namespace=tenant-production NAME AGE REQUEST LIMIT production-quota 10m requests.cpu: 5/8, requests.memory: 10Gi/16Gi limits.cpu: 10/16, limits.memory: 20Gi/32Gi $ kubectl get pods --namespace=tenant-production NAME READY STATUS RESTARTS AGE production-app-54d4d5c678-2q4x2 1/1 Running 0 5m production-app-54d4d5c678-5b678 1/1 Running 0 5m production-app-54d4d5c678-7c89d 1/1 Running 0 5m production-app-54d4d5c678-8x8x8 1/1 Running 0 5m production-app-54d4d5c678-9y9y9 1/1 Running 0 5m

# 案例：企业级权限管理
# 环境：5节点K8s集群
# 目标：配置RBAC权限，管理用户访问

# 1. 创建角色
$ kubectl create clusterrole cluster-admin –verb=* –resource=*
$ kubectl create clusterrole cluster-reader –verb=get,list,watch –resource=*

$ kubectl create role namespace-admin –verb=* –resource=*
$ kubectl create role namespace-reader –verb=get,list,watch –resource=pods,services,configmaps

# 2. 创建用户
$ kubectl config set-credentials admin –username=admin –password=admin123
$ kubectl config set-credentials developer –username=developer –password=developer123
$ kubectl config set-credentials viewer –username=viewer –password=viewer123

# 3. 创建角色绑定
$ kubectl create clusterrolebinding admin-binding –clusterrole=cluster-admin –user=admin
$ kubectl create clusterrolebinding viewer-binding –clusterrole=cluster-reader –user=viewer

$ kubectl create namespace dev
$ kubectl create rolebinding developer-binding –namespace=dev –role=namespace-admin –user=developer

# 4. 测试权限
# 以admin身份访问
$ kubectl –user=admin get nodes
NAME STATUS ROLES AGE VERSION
master1 Ready control-plane 30d v1.27.0
worker1 Ready 30d v1.27.0
worker2 Ready 30d v1.27.0
worker3 Ready 30d v1.27.0
worker4 Ready 30d v1.27.0

# 以developer身份访问
$ kubectl –user=developer –namespace=dev get pods
No resources found in dev namespace

# 以viewer身份访问
$ kubectl –user=viewer get pods
No resources found in default namespace

# 测试权限边界
$ kubectl –user=developer get nodes
Error from server (Forbidden): nodes is forbidden: User “developer” cannot list resource “nodes” in API group “” at the cluster scope

# 常见问题与解决方案

## 1. Pod调度失败
– 原因：节点资源不足、调度策略冲突、节点污点
– 解决方案：增加节点资源、调整调度策略、配置容忍度

## 2. 资源利用率低
– 原因：Pod分布不均、资源配置不合理
– 解决方案：优化调度策略、调整资源配置、使用自动扩缩容

## 3. 租户间资源竞争
– 原因：资源配额设置不合理、Pod优先级设置不当
– 解决方案：调整资源配额、设置Pod优先级、使用资源预留

## 4. 权限管理复杂
– 原因：角色和角色绑定过多、权限设置不当
– 解决方案：使用命名空间隔离、简化角色设计、定期审计权限

## 5. 网络隔离不生效
– 原因：网络插件不支持网络策略、网络策略配置错误
– 解决方案：使用支持网络策略的网络插件、检查网络策略配置