Kubernetes: A Complete Guide to the Cloud-Native Container Orchestration Platform
An in-depth look at Kubernetes core concepts, architecture and production practice, covering the key technology of the cloud-native era.
🌐 GitHub: kubernetes/kubernetes
⭐ Stars: 122,374
💻 Language: Go
📅 Updated: 2026-05-21
What is Kubernetes?
Kubernetes (K8s) is an open-source container orchestration platform, originally developed by Google and donated to the CNCF. It automates application deployment, scaling and management, and is the core infrastructure of cloud-native technology.
Core value
- Automated deployment: declarative configuration, automated application rollout
- Elastic scaling: scale out and in automatically based on load
- Service discovery: built-in service discovery and load balancing
- Rolling updates: zero-downtime rolling upgrades of applications
- Self-healing: automatically restarts failed containers and replaces nodes
Core architecture
Control plane components
1. kube-apiserver
The API server is the front end of the Kubernetes control plane; every request goes through it.
```bash
# Start the API server
kube-apiserver --enable-admission-plugins=NodeRestriction \
  --service-cluster-ip-range=10.0.0.0/24
```
2. etcd
A distributed key-value store that holds all cluster state.
```bash
# etcd backup. When etcd enforces client certificate authentication (the kubeadm
# default), a client certificate and key are also required; the paths below are
# the kubeadm defaults, adjust them for your cluster.
etcdctl snapshot save backup.db \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key
```
3. kube-scheduler
Schedules Pods, assigning each Pod to a suitable node.
4. kube-controller-manager
Runs the controller processes that maintain cluster state.
Worker node components
1. kubelet
The node agent; it makes sure containers are running in Pods.
```bash
# kubelet configuration
kubelet --config=/var/lib/kubelet/config.yaml \
  --kubeconfig=/etc/kubernetes/kubelet.conf
```
2. kube-proxy
Maintains network rules on nodes and implements the Service abstraction.
```bash
# kube-proxy mode
kube-proxy --proxy-mode=ipvs \
  --cluster-cidr=10.244.0.0/16
```
3. Container runtime
The software that runs the containers (Docker, containerd, CRI-O).
Core concepts in detail
Pod
A Pod is the smallest deployable unit in Kubernetes and contains one or more containers.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: nginx:1.21
    ports:
    - containerPort: 80
    resources:
      requests:
        memory: "128Mi"
        cpu: "250m"
      limits:
        memory: "256Mi"
        cpu: "500m"
```
Deployment
Manages Pod replicas and the update strategy.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.21
        ports:
        - containerPort: 80
```
Service
Provides a stable access point for a set of Pods.
```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
  - port: 80
    targetPort: 80
  type: LoadBalancer
```
ConfigMap and Secret
Configuration management and storage of sensitive data. Note that the values under a Secret's `data` field are base64-encoded, not encrypted (the values below decode to `admin` and `password123`); anyone who can read the Secret object can read them.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  database_url: "postgres://localhost:5432/db"
  cache_size: "1000"
---
apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
data:
  username: YWRtaW4=
  password: cGFzc3dvcmQxMjM=
```
Production best practices
Resource management
1. Resource requests and limits
```yaml
resources:
  requests:
    memory: "256Mi"
    cpu: "250m"
  limits:
    memory: "512Mi"
    cpu: "500m"
```
2. LimitRange
```yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: mem-limit-range
spec:
  limits:
  - default:
      memory: 512Mi
    defaultRequest:
      memory: 256Mi
    type: Container
```
3. ResourceQuota
```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-quota
spec:
  hard:
    requests.cpu: "10"
    requests.memory: 20Gi
    limits.cpu: "20"
    limits.memory: 40Gi
```
Health checks
Probe configuration
```yaml
livenessProbe:
  httpGet:
    path: /health
    port: 8080
  initialDelaySeconds: 30
  periodSeconds: 10
readinessProbe:
  httpGet:
    path: /ready
    port: 8080
  initialDelaySeconds: 5
  periodSeconds: 5
startupProbe:
  httpGet:
    path: /health
    port: 8080
  failureThreshold: 30
  periodSeconds: 10
```
Security configuration
1. Pod Security Standards
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
  containers:
  - name: app
    image: myapp:latest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
```
2. Network Policy
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-network-policy
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
```
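An added example, not code from the article or from any CNI plugin: a simplified evaluator of the NetworkPolicy semantics, run against the article's `api-network-policy` transcribed as a dict. It shows that a pod selected by no policy accepts everything, that the frontend-to-api rule admits only TCP 8080, and that because the policy lists `Egress` in `policyTypes` without any `egress` rules, all egress from `app: api` pods (DNS included) is denied. Function names are assumptions; `namespaceSelector` and `ipBlock` peers are not modelled.

```python
# Added example, not from the article: a simplified NetworkPolicy evaluator run
# against the article's api-network-policy (transcribed as a dict). Modelled:
# podSelector, policyTypes, from/to podSelector peers and ports. Not modelled:
# namespaceSelector, ipBlock, endPort. Hypothetical helper code.
API_POLICY = {
    "metadata": {"name": "api-network-policy"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "api"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
            "ports": [{"protocol": "TCP", "port": 8080}],
        }],
        # no "egress" key: Egress is in policyTypes, so every egress flow is denied
    },
}

def _matches(selector, labels):
    """An empty selector matches every pod; otherwise all matchLabels must agree."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _rule_allows(rule, peer_labels, port, proto):
    """A rule with no peers admits any peer; a rule with no ports admits any port."""
    peers = rule.get("from", rule.get("to"))
    ports = rule.get("ports")
    peer_ok = peers is None or any(
        _matches(p.get("podSelector", {}), peer_labels) for p in peers)
    port_ok = ports is None or any(
        p.get("port") == port and p.get("protocol", "TCP") == proto for p in ports)
    return peer_ok and port_ok

def allowed(policies, direction, pod_labels, peer_labels, port, proto="TCP"):
    """direction is 'ingress' (into the pod) or 'egress' (out of the pod).
    A pod selected by no policy of that type is non-isolated and accepts all
    traffic; otherwise only traffic admitted by some selecting policy passes."""
    kind = direction.capitalize()
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        # policyTypes defaults to Ingress, plus Egress when egress rules are present
        types = spec.get("policyTypes", ["Ingress"] + (["Egress"] if "egress" in spec else []))
        if kind not in types or not _matches(spec["podSelector"], pod_labels):
            continue
        isolated = True
        if any(_rule_allows(r, peer_labels, port, proto) for r in spec.get(direction, [])):
            return True
    return not isolated
```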
3. RBAC configuration
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
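An added example, not code from the article or from the Kubernetes authorizer: a simplified evaluator of namespaced RBAC, run against the article's `pod-reader` Role and `read-pods` RoleBinding. It assumes both objects live in the `default` namespace (the manifests above do not set one) and shows why `jane` can `get` pods there but not `delete` them, read secrets, or read pods in another namespace. Function names are assumptions; ClusterRoles, `resourceNames`, subresources and aggregation are not modelled.

```python
# Added example, not from the article: a simplified evaluator for namespaced
# RBAC, run against the article's pod-reader Role and read-pods RoleBinding
# (transcribed as dicts). Assumed: both objects live in the "default"
# namespace, which the article's manifests leave unspecified. ClusterRoles,
# resourceNames, subresources and aggregation are not modelled.
ROLES = [{
    "kind": "Role", "metadata": {"name": "pod-reader", "namespace": "default"},
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "list", "watch"]}],
}]
BINDINGS = [{
    "kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "default"},
    "subjects": [{"kind": "User", "name": "jane",
                  "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "pod-reader",
                "apiGroup": "rbac.authorization.k8s.io"},
}]

def _rule_matches(rule, verb, api_group, resource):
    """A rule matches when verb, API group and resource are each listed or '*'."""
    return all(
        "*" in listed or wanted in listed
        for listed, wanted in ((rule["verbs"], verb),
                               (rule["apiGroups"], api_group),
                               (rule["resources"], resource)))

def _binds_subject(binding, user, groups):
    """True when the binding names the user directly or one of the user's groups."""
    return any((s["kind"] == "User" and s["name"] == user)
               or (s["kind"] == "Group" and s["name"] in groups)
               for s in binding.get("subjects", []))

def is_allowed(roles, bindings, user, verb, resource, namespace,
               api_group="", groups=()):
    """RBAC is deny-by-default and purely additive: a single matching rule,
    reached through a RoleBinding in the request's namespace, is enough."""
    by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        if b["metadata"]["namespace"] != namespace or b["roleRef"]["kind"] != "Role":
            continue
        if not _binds_subject(b, user, groups):
            continue
        role = by_key.get((namespace, b["roleRef"]["name"]))
        if role and any(_rule_matches(r, verb, api_group, resource)
                        for r in role["rules"]):
            return True
    return False
```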
Monitoring and logging
Prometheus integration
```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: app-monitor
spec:
  selector:
    matchLabels:
      app: myapp
  endpoints:
  - port: metrics
    interval: 30s
```
Log collection
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluent-bit-config
data:
  fluent-bit.conf: |
    [INPUT]
        Name   tail
        Path   /var/log/containers/*.log
        Parser docker
        Tag    kube.*
    [OUTPUT]
        Name   es
        Match  *
        Host   elasticsearch
        Port   9200
```
Advanced features
Autoscaling
HPA (Horizontal Pod Autoscaler)
```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: php-apache
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: php-apache
  minReplicas: 1
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 50
```
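An added example, not code from the article or from the HPA controller: the replica calculation the controller applies, worked through for the `php-apache` autoscaler above (1 to 10 replicas, 50% target CPU utilisation), including the default 10% tolerance band and the min/max clamp. The replica counts and utilisation readings are constructed inputs, and the fixed-demand model in `converge` is a simplification used only to show how the count settles.

```python
# Added example, not from the article: the replica computation the HPA
# controller applies, run against the article's php-apache autoscaler
# (minReplicas 1, maxReplicas 10, target 50% average CPU utilisation).
# The replica counts and utilisation readings are constructed sample inputs.
import math

PHP_APACHE_HPA = {"minReplicas": 1, "maxReplicas": 10, "averageUtilization": 50}
TOLERANCE = 0.1  # kube-controller-manager default --horizontal-pod-autoscaler-tolerance

def desired_replicas(hpa, current_replicas, observed_utilization):
    """desiredReplicas = ceil(currentReplicas * observed / target), skipped when
    the ratio is inside the tolerance band, then clamped to [min, max]."""
    ratio = observed_utilization / hpa["averageUtilization"]
    if abs(ratio - 1.0) <= TOLERANCE:
        desired = current_replicas  # close enough to target: no action
    else:
        desired = math.ceil(current_replicas * ratio)
    return max(hpa["minReplicas"], min(hpa["maxReplicas"], desired))

def converge(hpa, replicas, total_demand):
    """Constructed model: total CPU demand (in percent-of-request units) is
    fixed, so per-pod utilisation is total_demand / replicas. Returns the
    replica count chosen at each reconcile until the value stops changing."""
    history = []
    while True:
        chosen = desired_replicas(hpa, replicas, total_demand / replicas)
        history.append(chosen)
        if chosen == replicas:
            return history
        replicas = chosen

if __name__ == "__main__":
    print(converge(PHP_APACHE_HPA, 3, 300))  # 3 pods at 100% -> 6 pods at 50%
```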
VPA (Vertical Pod Autoscaler)
```yaml
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: my-app-vpa
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: my-app
  updatePolicy:
    updateMode: "Auto"
```
Persistent storage
PVC configuration
```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql-pvc
spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: fast-ssd
  resources:
    requests:
      storage: 10Gi
```
Ingress routing
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 80
  tls:
  - hosts:
    - api.example.com
    secretName: api-tls
```
Troubleshooting
Common commands
```bash
# Show Pod status
kubectl get pods -o wide
# Show Pod details
kubectl describe pod <pod-name>
# Follow logs
kubectl logs <pod-name> -f --tail=100
# Open a shell in a container
kubectl exec -it <pod-name> -- /bin/bash
# List events
kubectl get events --sort-by='.lastTimestamp'
# Show resource usage
kubectl top nodes
kubectl top pods
```
Common problems
1. ImagePullBackOff
```bash
# Check the image name and the image pull secret
kubectl describe pod <pod-name>
kubectl create secret docker-registry regcred \
  --docker-server=<registry> \
  --docker-username=<user> \
  --docker-password=<password>
```
2. CrashLoopBackOff
```bash
# Inspect the logs of the previous container instance and the events
kubectl logs <pod-name> --previous
kubectl describe pod <pod-name>
```
3. Pending
```bash
# Compare the Pod's resource requests with the resources available on the nodes
kubectl describe pod <pod-name>
kubectl describe nodes
```
Comparison with alternatives
| Feature | Kubernetes | Docker Swarm | Nomad |
|---|---|---|---|
| Learning curve | Steep | Simple | Moderate |
| Feature completeness | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐ |
| Ecosystem richness | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐ |
| Community activity | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐ |
Summary
As key infrastructure of the cloud-native era, Kubernetes provides powerful container orchestration. Mastering its core concepts and best practices is essential for building scalable, highly available modern applications.
Recommended resources
Project information
- GitHub: https://github.com/kubernetes/kubernetes
- Stars: 122,374
- Primary language: Go
- License: Apache 2.0
- Collected: 2026-05-21 08:16:36
This article is based on GitHub Trending data and is intended to share technical knowledge and serve as a learning reference.