
IT Tutorial FG372 - Container Orchestration Management

Contents

1. Overview of Container Orchestration

Container orchestration is the automated deployment, management, scaling and networking of containers. As container technology has spread, orchestration has become the key technology for managing containerized applications.

The main functions of container orchestration include:

  • Automatic deployment and scaling of containers
  • Container health checks and self-healing
  • Management of network communication between containers
  • Management and allocation of storage resources
  • Configuration management and secret management
  • Service discovery and load balancing

The mainstream container orchestration platforms include:

  • Kubernetes
  • Docker Swarm
  • Mesos + Marathon


2. Kubernetes Basics

2.1 Kubernetes Architecture

Kubernetes uses a master/worker architecture; its main components are:

  • Master node: the control plane, responsible for cluster management
  • Worker node: the node that runs containers
  • Pod: the smallest deployable unit, containing one or more containers
  • Service: defines how Pods are accessed
  • Controller: manages the lifecycle of Pods

2.2 Installing Kubernetes

# Install Kubernetes with kubeadm
# Install Docker
$ apt-get update
$ apt-get install -y docker.io

# Install kubeadm, kubelet and kubectl
$ apt-get update && apt-get install -y apt-transport-https curl
$ curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
$ cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb https://apt.kubernetes.io/ kubernetes-xenial main
EOF
$ apt-get update
$ apt-get install -y kubelet kubeadm kubectl
$ apt-mark hold kubelet kubeadm kubectl

# Initialize the master node
$ kubeadm init --pod-network-cidr=10.244.0.0/16

# Configure kubectl
$ mkdir -p $HOME/.kube
$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ sudo chown $(id -u):$(id -g) $HOME/.kube/config

# Install the network plugin
$ kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

# Check cluster status
$ kubectl cluster-info
Kubernetes master is running at https://192.168.1.100:6443
KubeDNS is running at https://192.168.1.100:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

$ kubectl get nodes
NAME     STATUS   ROLES    AGE   VERSION
master   Ready    master   10m   v1.23.0

2.3 Node Management

# Join worker nodes
$ kubeadm join 192.168.1.100:6443 --token abcdef.1234567890abcdef \
    --discovery-token-ca-cert-hash sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef

# Check node status
$ kubectl get nodes
NAME      STATUS   ROLES    AGE   VERSION
master    Ready    master   15m   v1.23.0
worker1   Ready    <none>   5m    v1.23.0
worker2   Ready    <none>   3m    v1.23.0

# Label node roles
$ kubectl label node worker1 node-role.kubernetes.io/worker=worker
$ kubectl label node worker2 node-role.kubernetes.io/worker=worker

# Show node details
$ kubectl describe node worker1

Fengge's tip: the installation and configuration of a Kubernetes cluster must be adjusted to the specific environment; a highly available configuration is recommended for production.

3. Application Deployment Management

3.1 The Deployment Resource

A Deployment is the Kubernetes resource object for managing stateless applications; it provides declarative deployment management.

3.2 Creating a Deployment

# Create the Deployment configuration file
$ cat deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.19.10
        ports:
        - containerPort: 80
        resources:
          requests:
            cpu: "100m"
            memory: "128Mi"
          limits:
            cpu: "500m"
            memory: "512Mi"

# Apply the Deployment
$ kubectl apply -f deployment.yaml

# Check Deployment status
$ kubectl get deployment
NAME               READY   UP-TO-DATE   AVAILABLE   AGE
nginx-deployment   3/3     3            3           5m

# Check Pod status
$ kubectl get pods
NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-76d6c9b8c4-5b2x7   1/1     Running   0          5m
nginx-deployment-76d6c9b8c4-7k8z9   1/1     Running   0          5m
nginx-deployment-76d6c9b8c4-9q4t2   1/1     Running   0          5m

3.3 Rolling Updates

# Update the Deployment image
$ kubectl set image deployment/nginx-deployment nginx=nginx:1.20.0

# Watch the rollout status
$ kubectl rollout status deployment/nginx-deployment
Waiting for deployment "nginx-deployment" rollout to finish: 1 out of 3 new replicas have been updated...
Waiting for deployment "nginx-deployment" rollout to finish: 2 out of 3 new replicas have been updated...
Waiting for deployment "nginx-deployment" rollout to finish: 3 out of 3 new replicas have been updated...
deployment "nginx-deployment" successfully rolled out

# Roll back the update
$ kubectl rollout undo deployment/nginx-deployment

# View the revision history
$ kubectl rollout history deployment/nginx-deployment


4. Service and Network Management

4.1 The Service Resource

A Service is the Kubernetes resource object for exposing an application; it provides a stable access endpoint.

4.2 Creating a Service

# Create the Service configuration file
$ cat service.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
  - port: 80
    targetPort: 80
  type: ClusterIP

# Apply the Service
$ kubectl apply -f service.yaml

# Check Service status
$ kubectl get service
NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
nginx-service   ClusterIP   10.96.123.45   <none>        80/TCP    2m

# Test access to the Service
$ kubectl run -it --rm --image=busybox:1.32.0 busybox -- wget -qO- http://nginx-service

Welcome to nginx!

4.3 Network Policies

# Create the network policy configuration file
$ cat network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nginx-network-policy
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 80

# Apply the network policy
$ kubectl apply -f network-policy.yaml

# View network policies
$ kubectl get networkpolicy
NAME                   POD-SELECTOR   AGE
nginx-network-policy   app=nginx      1m
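As an added example (not code from the tutorial), the following Python evaluates the nginx-network-policy above under the ingress semantics of NetworkPolicy: once a policy selects the app=nginx Pods, only app=frontend Pods may connect on TCP/80, so the busybox test Pod from 4.2 (labelled run=busybox by kubectl run) is blocked. It assumes the manifests parsed into dicts and a CNI plugin that enforces NetworkPolicy (flannel on its own does not); only podSelector peers are modelled.

```python
# Added example, not from the tutorial: evaluates a connection against the
# ingress semantics of Kubernetes NetworkPolicy.  Manifests are given as the
# dicts a YAML parser would produce; only podSelector peers are modelled
# (namespaceSelector and ipBlock peers are left out for brevity).


def selector_matches(selector, labels):
    """matchLabels must all be present; an empty selector matches every Pod."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def ingress_allowed(policies, src_labels, dst_labels, port, protocol="TCP"):
    """True if a Pod labelled src_labels may reach a Pod labelled dst_labels.
    A Pod selected by no policy is non-isolated (everything is allowed);
    once any policy selects it, some rule of some policy must match."""
    selecting = [p for p in policies
                 if selector_matches(p["spec"]["podSelector"], dst_labels)]
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from", [])      # no 'from'  -> any source
            ports = rule.get("ports", [])     # no 'ports' -> any port
            peer_ok = not peers or any(
                "podSelector" in peer
                and selector_matches(peer["podSelector"], src_labels)
                for peer in peers)
            port_ok = not ports or any(
                p.get("protocol", "TCP") == protocol and p.get("port") == port
                for p in ports)
            if peer_ok and port_ok:
                return True
    return False


# The tutorial's nginx-network-policy, constructed inline
NGINX_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "nginx-network-policy"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "nginx"}},
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
            "ports": [{"protocol": "TCP", "port": 80}],
        }],
    },
}

if __name__ == "__main__":
    nginx = {"app": "nginx"}
    for src in ({"app": "frontend"}, {"run": "busybox"}):
        print(src, "->", ingress_allowed([NGINX_POLICY], src, nginx, 80))
```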


5. Storage Management

5.1 Storage Types

Kubernetes supports several storage types, including:

  • EmptyDir: temporary storage
  • HostPath: a path on the host
  • PersistentVolume (PV): persistent volume
  • PersistentVolumeClaim (PVC): persistent volume claim

5.2 Persistent Volume Management

# Create the PersistentVolume configuration file
$ cat pv.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-volume
spec:
  capacity:
    storage: 10Gi
  accessModes:
  - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  hostPath:
    path: /mnt/data

# Apply the PersistentVolume
$ kubectl apply -f pv.yaml

# Create the PersistentVolumeClaim configuration file
$ cat pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pv-claim
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi

# Apply the PersistentVolumeClaim
$ kubectl apply -f pvc.yaml

# Check PV and PVC status
$ kubectl get pv
NAME        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM              STORAGECLASS   REASON   AGE
pv-volume   10Gi       RWO            Retain           Bound    default/pv-claim                           2m

$ kubectl get pvc
NAME       STATUS   VOLUME      CAPACITY   ACCESS MODES   STORAGECLASS   AGE
pv-claim   Bound    pv-volume   10Gi       RWO                           1m

5.3 Using Storage in a Pod

# Create the configuration file for a Pod that uses the PVC
$ cat pod-with-pvc.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-with-pvc
spec:
  containers:
  - name: nginx
    image: nginx:1.19.10
    ports:
    - containerPort: 80
    volumeMounts:
    - name: nginx-storage
      mountPath: /usr/share/nginx/html
  volumes:
  - name: nginx-storage
    persistentVolumeClaim:
      claimName: pv-claim

# Apply the Pod configuration
$ kubectl apply -f pod-with-pvc.yaml

# Check Pod status
$ kubectl get pod nginx-with-pvc
NAME             READY   STATUS    RESTARTS   AGE
nginx-with-pvc   1/1     Running   0          1m


6. Configuration Management

6.1 ConfigMap

A ConfigMap stores configuration data; it can be created from files, from literal values or from environment variables.

6.2 Creating and Using a ConfigMap

# Create a ConfigMap from literal values
$ kubectl create configmap app-config --from-literal=database.url=mysql://fgedudb:3306/app --from-literal=api.key=secret123

# Create a ConfigMap from a file
$ echo "database.url=mysql://fgedudb:3306/app" > config.properties
$ echo "api.key=secret123" >> config.properties
$ kubectl create configmap app-config-file --from-file=config.properties

# View ConfigMaps
$ kubectl get configmap
NAME              DATA   AGE
app-config        2      1m
app-config-file   1      30s

# Use the ConfigMap in a Pod
$ cat pod-with-configmap.yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-config
spec:
  containers:
  - name: app
    image: busybox:1.32.0
    command: ["sh", "-c", "echo $DATABASE_URL && cat /config/config.properties"]
    env:
    - name: DATABASE_URL
      valueFrom:
        configMapKeyRef:
          name: app-config
          key: database.url
    volumeMounts:
    - name: config-volume
      mountPath: /config
  volumes:
  - name: config-volume
    configMap:
      name: app-config-file

# Apply the Pod configuration
$ kubectl apply -f pod-with-configmap.yaml

# View the Pod output
$ kubectl logs app-with-config
mysql://fgedudb:3306/app
database.url=mysql://fgedudb:3306/app
api.key=secret123

6.3 Secret

A Secret stores sensitive data such as passwords and API keys.

6.4 Creating and Using a Secret

# Create a Secret from literal values
$ kubectl create secret generic app-secret --from-literal=password=secretpassword --from-literal=api.key=secret123456

# Create a Secret from files (-n: no trailing newline in the stored value;
# key=file names the Secret key so the Pod below can read /secret/api.key)
$ echo -n "secretpassword" > password.txt
$ echo -n "secret123456" > api.key.txt
$ kubectl create secret generic app-secret-file --from-file=password=password.txt --from-file=api.key=api.key.txt

# View Secrets
$ kubectl get secret
NAME              TYPE     DATA   AGE
app-secret        Opaque   2      1m
app-secret-file   Opaque   2      30s

# Use the Secret in a Pod
$ cat pod-with-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-secret
spec:
  containers:
  - name: app
    image: busybox:1.32.0
    command: ["sh", "-c", "echo $PASSWORD && cat /secret/api.key"]
    env:
    - name: PASSWORD
      valueFrom:
        secretKeyRef:
          name: app-secret
          key: password
    volumeMounts:
    - name: secret-volume
      mountPath: /secret
      readOnly: true
  volumes:
  - name: secret-volume
    secret:
      secretName: app-secret-file

# Apply the Pod configuration
$ kubectl apply -f pod-with-secret.yaml

# View the Pod output
$ kubectl logs app-with-secret
secretpassword
secret123456
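As an added example (not code from the tutorial) covering both 6.2 and 6.4, the following Python builds the Secret object that kubectl create secret generic --from-literal submits, shows that its data is only base64-encoded rather than encrypted, and flags ConfigMap keys whose names look like credentials, such as the api.key that app-config holds in 6.2. The regular expression and the inline manifests are constructed for this example.

```python
# Added example, not from the tutorial: builds the Secret object that
# `kubectl create secret generic --from-literal` submits, shows that its data
# is only base64-encoded (anyone allowed to `get` the Secret can reverse it),
# and flags ConfigMap keys whose names suggest credentials, such as the api.key
# the tutorial stores in app-config.  All inputs are constructed inline.
import base64
import re

CREDENTIAL_KEY = re.compile(
    r"(password|passwd|secret|token|api[._-]?key|private[._-]?key)", re.I)


def secret_manifest(name, literals):
    """Opaque Secret with every value base64-encoded, as kubectl does."""
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": name},
        "data": {k: base64.b64encode(v.encode()).decode()
                 for k, v in literals.items()},
    }


def decode_secret(secret):
    """What `kubectl get secret -o yaml` plus `base64 -d` reveals."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


def configmap_credential_keys(configmap):
    """Keys that look like credentials; these belong in a Secret, with RBAC
    limiting who may read it (see 7.3)."""
    return sorted(k for k in configmap.get("data", {})
                  if CREDENTIAL_KEY.search(k))


APP_CONFIG = {  # the tutorial's app-config ConfigMap
    "apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "app-config"},
    "data": {"database.url": "mysql://fgedudb:3306/app", "api.key": "secret123"},
}

if __name__ == "__main__":
    s = secret_manifest("app-secret",
                        {"password": "secretpassword", "api.key": "secret123456"})
    print(s["data"]["password"], "->", decode_secret(s)["password"])
    print("credential-looking ConfigMap keys:", configmap_credential_keys(APP_CONFIG))
```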

author:www.itpux.com

7. Security Management

7.1 Security Context

A security context sets the security attributes of a Pod and its containers, such as the user it runs as and its privileges.

7.2 Configuring a Security Context

# Create the configuration file for a Pod with a security context
$ cat pod-security-context.yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
  containers:
  - name: app
    image: busybox:1.32.0
    command: ["sh", "-c", "sleep 3600"]
    securityContext:
      runAsUser: 1001
      allowPrivilegeEscalation: false
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]
        drop: ["ALL"]

# Apply the Pod configuration
$ kubectl apply -f pod-security-context.yaml

# Check Pod status
$ kubectl get pod secure-pod
NAME         READY   STATUS    RESTARTS   AGE
secure-pod   1/1     Running   0          1m

# Verify the security context
$ kubectl exec secure-pod -- id
uid=1001 gid=1001 groups=2000
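As an added example (not code from the tutorial), the following Python resolves the effective securityContext of each container the way the kubelet does, with a container-level field overriding the same Pod-level field (which is why id reports uid=1001 rather than 1000 above), and then lists what a security review of secure-pod would question: the two added capabilities and the writable root filesystem. The Pod is the tutorial's manifest as a dict; the field list and check names are this example's own.

```python
# Added example, not from the tutorial: resolves each container's effective
# securityContext the way the kubelet does (a container-level field overrides
# the same Pod-level field) and lists the settings a security review would
# question.  The Pod is the tutorial's secure-pod, constructed inline.

# Pod-level fields that also apply per container unless overridden there
POD_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot", "seccompProfile")

SECURE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "secure-pod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 2000},
        "containers": [{
            "name": "app", "image": "busybox:1.32.0",
            "command": ["sh", "-c", "sleep 3600"],
            "securityContext": {
                "runAsUser": 1001, "allowPrivilegeEscalation": False,
                "capabilities": {"add": ["NET_ADMIN", "SYS_TIME"], "drop": ["ALL"]},
            },
        }],
    },
}


def effective_contexts(pod):
    """Map container name -> merged securityContext."""
    pod_ctx = {k: v for k, v in pod["spec"].get("securityContext", {}).items()
               if k in POD_FIELDS}
    return {c["name"]: {**pod_ctx, **c.get("securityContext", {})}
            for c in pod["spec"]["containers"]}


def review_findings(pod):
    """Each finding is 'container: issue'; an empty list means nothing to flag."""
    out = []
    for name, ctx in effective_contexts(pod).items():
        uid = ctx.get("runAsUser")
        if uid == 0 or (uid is None and not ctx.get("runAsNonRoot")):
            out.append(f"{name}: may run as root")
        if ctx.get("privileged"):
            out.append(f"{name}: privileged container")
        if ctx.get("allowPrivilegeEscalation", True):
            out.append(f"{name}: allowPrivilegeEscalation is not false")
        caps = ctx.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            out.append(f"{name}: capabilities.drop lacks ALL")
        for cap in caps.get("add", []):   # each added cap needs a justification
            out.append(f"{name}: adds capability {cap}")
        if not ctx.get("readOnlyRootFilesystem"):
            out.append(f"{name}: root filesystem is writable")
    return out
```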

7.3 RBAC Permission Management

# Create a ServiceAccount
$ kubectl create serviceaccount app-service-account

# Create a Role
$ cat role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: app-role
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]

# Apply the Role
$ kubectl apply -f role.yaml

# Create a RoleBinding
$ cat rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-role-binding
subjects:
- kind: ServiceAccount
  name: app-service-account
  namespace: default
roleRef:
  kind: Role
  name: app-role
  apiGroup: rbac.authorization.k8s.io

# Apply the RoleBinding
$ kubectl apply -f rolebinding.yaml

# View the Role and RoleBinding
$ kubectl get role
NAME       CREATED AT
app-role   2026-04-03T10:00:00Z

$ kubectl get rolebinding
NAME               ROLE            AGE
app-role-binding   Role/app-role   1m
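As an added example (not code from the tutorial), the following Python answers "would app-role permit this request?" using the matching the RBAC authorizer applies (apiGroups, resources and verbs, with "*" as a wildcard and "" for the core API group), including the subresource rule that makes get on pods insufficient for pods/log or pods/exec, and flags rules that grant more than least privilege intends. The Role is the tutorial's manifest as a dict; the finding texts are this example's own.

```python
# Added example, not from the tutorial: answers "would this Role permit this
# request?" with the matching the RBAC authorizer uses (apiGroups, resources
# and verbs, "*" as wildcard, "" for the core API group), and flags rules that
# overreach.  The Role is the tutorial's app-role, constructed inline.

APP_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "app-role"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "services"],
               "verbs": ["get", "list", "watch"]}],
}


def _match(allowed, wanted):
    return "*" in allowed or wanted in allowed


def rule_allows(rule, verb, api_group, resource):
    """Subresources are matched on the full "pods/exec" string, so a rule on
    "pods" grants neither exec nor log access."""
    return (_match(rule.get("apiGroups", []), api_group)
            and _match(rule.get("resources", []), resource)
            and _match(rule.get("verbs", []), verb))


def role_allows(role, verb, api_group, resource):
    """RBAC is allow-only: the request passes if any rule matches."""
    return any(rule_allows(r, verb, api_group, resource) for r in role["rules"])


def role_findings(role):
    """Rules that exceed what section 10.5 (least privilege) intends."""
    out = []
    for i, r in enumerate(role["rules"]):
        res, verbs = set(r.get("resources", [])), set(r.get("verbs", []))
        if "*" in res or "*" in verbs or "*" in r.get("apiGroups", []):
            out.append(f"rule {i}: wildcard grant")
        if res & {"secrets", "*"} and verbs & {"get", "list", "watch", "*"}:
            out.append(f"rule {i}: can read Secrets")
        if res & {"pods", "pods/exec", "*"} and verbs & {"create", "*"}:
            out.append(f"rule {i}: can create Pods or exec into them")
    return out
```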

8. Monitoring and Logging

8.1 Resource Monitoring

# View Pod resource usage
$ kubectl top pod
NAME                                CPU(cores)   MEMORY(bytes)
nginx-deployment-76d6c9b8c4-5b2x7   1m           20Mi
nginx-deployment-76d6c9b8c4-7k8z9   1m           21Mi
nginx-deployment-76d6c9b8c4-9q4t2   1m           20Mi

# View node resource usage
$ kubectl top node
NAME      CPU(cores)   CPU%   MEMORY(bytes)   MEMORY%
master    100m         5%     1000Mi          25%
worker1   50m          2%     800Mi           20%
worker2   60m          3%     900Mi           22%

8.2 Log Management

# View Pod logs
$ kubectl logs nginx-deployment-76d6c9b8c4-5b2x7
10.244.1.1 - - [03/Apr/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0"
10.244.1.1 - - [03/Apr/2026:10:01:00 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0"

# Stream logs
$ kubectl logs -f nginx-deployment-76d6c9b8c4-5b2x7

# View the logs of one container in a multi-container Pod
$ kubectl logs nginx-deployment-76d6c9b8c4-5b2x7 -c nginx

8.3 Cluster Monitoring

# Install Metrics Server
$ kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml

# Install Prometheus and Grafana
$ helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
$ helm repo update
$ helm install prometheus prometheus-community/kube-prometheus-stack

# View the Prometheus and Grafana Services
$ kubectl get service
NAME                TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)    AGE
prometheus-server   ClusterIP   10.96.78.90   <none>        9090/TCP   5m
grafana             ClusterIP   10.96.45.67   <none>        3000/TCP   5m

9. Autoscaling

9.1 Horizontal Pod Autoscaler (HPA)

The HPA automatically adjusts the number of Pods based on CPU utilization or other metrics.

9.2 Configuring an HPA

# Create the HPA configuration file
$ cat hpa.yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deployment
  minReplicas: 3
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 50
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: 70

# Apply the HPA
$ kubectl apply -f hpa.yaml

# Check HPA status
$ kubectl get hpa
NAME        REFERENCE                     TARGETS            MINPODS   MAXPODS   REPLICAS   AGE
nginx-hpa   Deployment/nginx-deployment   10%/50%, 20%/70%   3         10        3          2m

# Generate load (the while loop runs inside the load-generator shell)
$ kubectl run -i --tty load-generator --image=busybox -- /bin/sh
/ # while true; do wget -q -O- http://nginx-service; done

# Watch the HPA scale out
$ kubectl get hpa
NAME        REFERENCE                     TARGETS            MINPODS   MAXPODS   REPLICAS   AGE
nginx-hpa   Deployment/nginx-deployment   80%/50%, 60%/70%   3         10        6          5m

9.3 Cluster Autoscaling

The Cluster Autoscaler automatically adjusts the number of nodes based on the cluster's resource demand.
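As an added example (not code from the tutorial), the following Python reproduces the replica calculation the HPA controller applies to nginx-hpa: per metric, desired = ceil(current * observed / target), skipped when the ratio lies within the controller's default 10% tolerance; the largest proposal wins and is clamped to [minReplicas, maxReplicas]. The observed utilizations are constructed inputs and the scale-down stabilization window is not modelled.

```python
# Added example, not from the tutorial: reproduces the replica calculation
# the HPA controller applies to the tutorial's nginx-hpa.  Per metric,
# desired = ceil(current * observed / target), skipped when the ratio is
# within the controller's 10% tolerance; the largest proposal wins and is
# clamped to [minReplicas, maxReplicas].  The scale-down stabilization window
# is not modelled.  Observed utilizations are constructed inputs.
import math

TOLERANCE = 0.1  # kube-controller-manager default

NGINX_HPA = {  # spec section of the tutorial's hpa.yaml
    "minReplicas": 3, "maxReplicas": 10,
    "metrics": [
        {"type": "Resource", "resource": {"name": "cpu", "target": {
            "type": "Utilization", "averageUtilization": 50}}},
        {"type": "Resource", "resource": {"name": "memory", "target": {
            "type": "Utilization", "averageUtilization": 70}}},
    ],
}


def proposal_for_metric(current, observed, target):
    """Replica count one metric asks for; unchanged inside the tolerance band."""
    ratio = observed / target
    if abs(ratio - 1.0) <= TOLERANCE:
        return current
    return math.ceil(current * ratio)


def desired_replicas(hpa, current, observed):
    """observed maps metric name -> average utilization (%) over the Pods,
    i.e. the left-hand numbers in the TARGETS column of `kubectl get hpa`."""
    proposals = [
        proposal_for_metric(current, observed[m["resource"]["name"]],
                            m["resource"]["target"]["averageUtilization"])
        for m in hpa["metrics"] if m["type"] == "Resource"]
    desired = max(proposals)
    return max(hpa["minReplicas"], min(hpa["maxReplicas"], desired))


if __name__ == "__main__":
    # idle, as in the first `kubectl get hpa` above: 10%/50%, 20%/70%
    print(desired_replicas(NGINX_HPA, 3, {"cpu": 10, "memory": 20}))  # 3
    # under load: 80%/50%, 60%/70% observed while 3 replicas are running
    print(desired_replicas(NGINX_HPA, 3, {"cpu": 80, "memory": 60}))  # 5
```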

10. Best Practices

10.1 Deployment Best Practices

  • Use a Deployment to manage stateless applications
  • Use a StatefulSet to manage stateful applications
  • Use a DaemonSet to deploy node-level services
  • Use a CronJob to run scheduled tasks

10.2 Configuration Best Practices

  • Use ConfigMaps to manage configuration
  • Use Secrets to manage sensitive data
  • Inject configuration through environment variables
  • Mount configuration files through Volumes

10.3 Network Best Practices

  • Use Services to expose applications
  • Use Ingress to manage external access
  • Use NetworkPolicy to control network access
  • Use DNS for service discovery

10.4 Storage Best Practices

  • Use PersistentVolumeClaims to manage storage
  • Choose an appropriate storage type
  • Configure storage resource limits
  • Back up data regularly

10.5 Security Best Practices

  • Apply the principle of least privilege
  • Configure security contexts
  • Use RBAC to manage permissions
  • Update images and components regularly

Recommendations for Production

  • Use a highly available Kubernetes cluster
  • Implement a complete monitoring and alerting system
  • Build a CI/CD pipeline for automated deployment
  • Prepare a disaster recovery plan
  • Conduct regular security audits

This article was compiled and published by Fengge Tutorials for learning and testing purposes only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
