Structure

A Deployment owns multiple ReplicaSets, and each ReplicaSet owns one or more Pods.

A Deployment controls multiple ReplicaSets mainly to support rollback: each time the Deployment is updated, Kubernetes creates a new ReplicaSet and keeps the old one, so the Deployment can later be rolled back to a previous state if needed.

deploy.spec

Label selector: selector

spec:
  selector:
    matchLabels:
      xx: yy

Pod replica count: replicas

spec:
  replicas: 1

Rolling update: strategy

spec:
  minReadySeconds: 10
  revisionHistoryLimit: 5
  paused: false
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1

minReadySeconds
How long a newly created pod must be up during a rolling update before the old pod is killed.
Default 0: the old pod is killed as soon as the new container is up.

revisionHistoryLimit
Maximum number of old revisions (ReplicaSets) to retain.
Default 10.

paused
Whether the rollout is paused.

type
Recreate: recreate all pods.
RollingUpdate: the default.

rollingUpdate
Only takes effect when type: RollingUpdate is set above.

maxSurge
Maximum number of extra pods created during the upgrade.
Example: with maxSurge=1 and replicas=5, Kubernetes starts one new Pod before deleting one old Pod, so there are at most 5+1 Pods during the whole upgrade.
If maxUnavailable is 0, maxSurge cannot be 0.

maxUnavailable
Maximum number of old pods killed (unavailable) during the upgrade.
If maxSurge is 0, maxUnavailable cannot be 0.
Example: with maxUnavailable=1, at most 1 Pod is unable to serve traffic at any point during the upgrade.

HPA (HorizontalPodAutoscaler)

metrics-server v0.4.2

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    k8s-app: metrics-server
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: system:aggregated-metrics-reader
rules:
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    k8s-app: metrics-server
  name: system:metrics-server
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - nodes/stats
  - namespaces
  - configmaps
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server-auth-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server:system:auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: system:metrics-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:metrics-server
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
spec:
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    k8s-app: metrics-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
  strategy:
    rollingUpdate:
      maxUnavailable: 0
  template:
    metadata:
      labels:
        k8s-app: metrics-server
    spec:
      containers:
      - args:
        - --cert-dir=/tmp
        # Skips verification of the kubelet serving certificates; only needed when
        # kubelets do not have certificates the metrics-server can verify.
        - --kubelet-insecure-tls
        - --secure-port=4443
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
        - --kubelet-use-node-status-port
        image: k8s.gcr.io/metrics-server/metrics-server:v0.4.2
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /livez
            port: https
            scheme: HTTPS
          periodSeconds: 10
        name: metrics-server
        ports:
        - containerPort: 4443
          name: https
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /readyz
            port: https
            scheme: HTTPS
          periodSeconds: 10
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - mountPath: /tmp
          name: tmp-dir
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: system-cluster-critical
      serviceAccountName: metrics-server
      volumes:
      - emptyDir: {}
        name: tmp-dir
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  labels:
    k8s-app: metrics-server
  name: v1beta1.metrics.k8s.io
spec:
  group: metrics.k8s.io
  groupPriorityMinimum: 100
  # The apiserver does not verify the metrics-server's serving certificate;
  # set to false and supply caBundle once the server has a verifiable certificate.
  insecureSkipTLSVerify: true
  service:
    name: metrics-server
    namespace: kube-system
  version: v1beta1
  versionPriority: 100

Example

apiVersion: apps/v1
kind: Deployment
metadata:
  name: c7-dep
  namespace: default
spec:
  selector:
    matchLabels:
      app: c7-dep
  replicas: 3
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: c7-dep
    spec:
      containers:
      - image: centos:7.4
        name: c7-dep-centos7
        command:
        - /bin/sh
        - -c
        - sleep 6000
        resources:
          limits:
            cpu: 1200m
          requests:
            cpu: 1000m
---
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: c7-hpa
spec:
  maxReplicas: 40
  minReplicas: 2
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: c7-dep
  targetCPUUtilizationPercentage: 70

Conclusions from the example

The Deployment must set CPU resource limits: requests.cpu takes precedence, and if it is not set, limits.cpu is used.
CPU utilization is measured as a percentage of that total.
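A worked example added here (not from the original notes) of how the HPA above turns the c7-dep pods' CPU usage into a replica count: utilization is measured against requests.cpu (falling back to limits.cpu), then scaled by the standard ceil(current * utilization / target) rule with the default 10% tolerance and clamped to minReplicas/maxReplicas. The pod usage figures are constructed sample values and the function names are mine.

```python
import math


def parse_millicores(quantity):
    """Parse a Kubernetes CPU quantity ("1000m", "1.2", "2") into millicores."""
    q = str(quantity)
    if q.endswith("m"):
        return int(q[:-1])
    return int(round(float(q) * 1000))


def effective_request_millicores(requests_cpu=None, limits_cpu=None):
    """requests.cpu wins; with only limits.cpu set, Kubernetes defaults the request
    to the limit. With neither set, the HPA cannot compute CPU utilization."""
    if requests_cpu is not None:
        return parse_millicores(requests_cpu)
    if limits_cpu is not None:
        return parse_millicores(limits_cpu)
    raise ValueError("no cpu request or limit: HPA cannot compute utilization")


def cpu_utilization_percent(pod_usage_millicores, request_millicores):
    """Average CPU usage across the pods as a percentage of the per-pod request."""
    avg = sum(pod_usage_millicores) / len(pod_usage_millicores)
    return avg / request_millicores * 100


def desired_replicas(current, utilization, target, min_replicas, max_replicas,
                     tolerance=0.1):
    """HPA rule: ceil(current * utilization / target), skipped when the ratio is
    within the tolerance band, then clamped to [min_replicas, max_replicas]."""
    ratio = utilization / target
    if abs(ratio - 1.0) <= tolerance:
        return current
    return max(min_replicas, min(max_replicas, math.ceil(current * ratio)))


if __name__ == "__main__":
    # c7-dep: requests.cpu=1000m, limits.cpu=1200m, 3 replicas; c7-hpa: 2..40, target 70%.
    request = effective_request_millicores("1000m", "1200m")
    usage = [900, 950, 850]  # constructed sample: millicores used by each of the 3 pods
    util = cpu_utilization_percent(usage, request)  # 90%
    print("desired replicas:", desired_replicas(3, util, 70, 2, 40))  # 4
```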

kube-controller-manager parameters

--horizontal-pod-autoscaler-sync-period
The HPA controller polls every 30s by default, querying the Pod resource usage of the specified resource (RC or Deployment) and comparing it with the values and metrics set when the HPA was created; this is how autoscaling is implemented.

--horizontal-pod-autoscaler-downscale-stabilization
Sets a duration the HPA must wait after the current operation completes before it can perform another scaling operation. Defaults to 5 minutes, i.e. by default it waits 5 minutes before scaling down again.