Deployment
Deployment
部署(Deployment)是k8s中常用的资源之一,部署是无状态的,为一般性项目应用的主体,我们可以像声明docker-compose.yaml文件一样去定义容器的属性。
内容介绍:
Deployment为Pod和Replica Set提供声明式更新
注意:Deployment是通过replicaset来管理pod的,您不该手动管理由 Deployment 创建的 Replica Set,否则您就篡越了 Deployment controller 的职责
作用:
- 定义一组pod的期望数量,controller会维护pod数量与期望的数量一致
- 配置pod的发布方式,controller会安装给定的策略更新pod,保证更新过程中不可用的pod维持在限定数量范围内
- 如果发布有问题,支持回滚
原理:
在k8s集群架构中,有个kube-controller-manager的组件,这个组件是一系列控制器集合,其中每一个控制器都以独有的方式负责某种编排功能,Deployment正式这些控制器的一种,在具体实现中,实际状态往往来自于k8s集群本身,如:
- kubelet 通过心跳汇报的容器状态和节点状态
- 监控系统中保存的应用监控数据
- 控制器主动收集它的应用监控数据
期望状态一般来自用户提交的yaml文件,这些信息中都保存在etcd中
Deployment控制器实现
- Deployment Controller从Etcd中获取到所有携带 “app:nginx” 标签的Pod,然后统计它们的数量,这就是实际状态
-
Deployment对象的replicas的值就是期望状态;
-
Deployment Controller将两个状态做比较,然后根据比较结果,确定是创建Pod,还是删除已有Pod
滚动更新:
Deployment滚动更新的实现,依赖的是k8s中的replicaset,因为depolyment控制器实际操控的,就是replicas对象,而不是pod对象
黑色箭头表示被管理,绿色箭头表示请求转发
pod被replicaset管理,replicas控制pod的数量,replicaset被deployment管理。
Deployment控制pod应用的升级,回滚,当然也能控制pod的数量。service提供一个统一的固定入口,负责将前端的请求转发给pod。
ReplicaSet:
Replicaset负责通过控制器模式,保证系统中的pod的个数永远等于指定的个数,也正是Deployment只允许容器的restartPolicy=Always的主要原因,只有容器保证的了自己的始终是running状态的前提下,Replicaset调整pod的个数才有意义。
Deployment:
Deployment同样通过控制模拟器,操作Replicaset的个数和属性,进而实现水平扩展和收缩以及滚动更新,对于水平扩容和收缩的实现,Deployment Controller只需要修改replicas的值即可,用户执行这个操作的指令:
kubectl scale deployment nginx-deployment --replicas=4
k8资源管理的方式
k8s有两种方式管理对象:
- 命令式:通过kubectl指令直接操作对象
- 声明式:通过定义资源yaml来操作对象
两者背后最终都是请求k8s-apiserver实现交互的,相比命令式,声明式更具有完整性,灵活性,可维护性和扩展性。
YAML基础
YAML是一个json的超集,意味着任何有效json文件也都是一个有效的yaml文件。
k8s上只需要掌握yaml的两种结构类型:lists maps
list 用 - 来定义每一项,map则是一个key:value的键值对来表示
K8S上的yaml语法规则
大小写敏感
使用缩进表示层级关系
缩进时不允许使用Tal键,只允许使用空格
缩进的空格数目不重要,只要相同层级的元素左侧对齐即可
"#"表示注释,从这个字符一直到行尾,都会被解析器忽略
"---"" 为可选的分隔符
定义一个yaml文件
文件内容:
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 3
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.12.2
ports:
- containerPort: 80
# 在一个yaml文件中通过 --- 分割多个资源对象
注意:在部署中指定适当的选择器和Pod模板标签(上面是app: nginx)不要将标签labels或者选择器selectors与其他控制器(包括其他Deployment和StatefulSet)重叠,k8s不会阻止重叠,如果多个控制前具有重叠的选择器,这些控制器可能会发生冲突并发生意外行为。
Deployment常用命令:
#创建Deployment
#基于yaml文件创建Deployment资源
kubectl create -f nginx.yaml
kubectl apply -f nginx.yaml
#升级Deployment
#一种的是命令行模式:
kubectl run nginx-dep1 --image=nginx:1.8 --replicas=1
#一种是使用kubectl,推荐使用这种方式,防止其他有人更改之前的文件
kubectl edit deployment deploy的名字
#yaml文件的方式来升级,这种升级必须有良好的集群维护制度,只能通过yaml升级,才会不覆盖之前配置,从而引发事故
#看历史Deployment:
kubectl rollout history deployment nginx-deployment
#查看更新状态也称之为查看历史
kubectl rollout history deployment nginx-deployment
#回滚
kubectl rollout history deployment nginx-deployment --to-revision=2
#扩容
kubectl scale deployment nginx-deployment --replicas=5
#缩容
kubectl scale --current-replicas=5 --replicas=3 deployment nginx-deployment
# 暂停更新
kubectl rollout pause deployment/nginx-depolyment
#恢复更新
kubectl rollout resume deployment/nginx-depolyment
这些都是不建议使用命令行执行,最好使用kubectl edit .... 来执行
更新Deployment注意事项:
在默认的情况下,revision保留10个旧的Replicaset 其余的将在后台进行垃圾回收,可以在.spec.revisionHistoryLimit设置Replicaset的个数,当设置为0的时候
不保留历史记录。
更新策略:
.spec.strategy.type==Recreate,表示重建,先删掉旧的Pod再创建新的Pod;
.spec.strategy.type==RollingUpdate,表示滚动更新,可以指定maxUnavailable和maxSurge
.spec.strategy.rollingUpdate.maxUnavailable,指定在回滚更新时最大不可用的Pod数量,
可选字段,默认为25%,可以设置为数字或百分比,如果maxSurge为0,则该值不能
为0
.spec.strategy.rollingUpdate.maxSurge可以超过期望值的最大Pod数,可选字段,默认为
25%,可以设置成数字或百分比,如果maxUnavailable为0,则该值不能为0。
Deployment yaml常见字段解析
apiVersion: v1 #必填,版本号,例如v1
kind: Depolyment #必填
metadata: #必填,元数据
name: string #必填,Pod名称
namespace: string #必填,Pod所属的命名空间
labels: #自定义标签
- name: string #自定义标签名字<key: value>
annotations: #自定义注释列表
- name: string
spec: #必填,部署的详细定义
selector:
matchLabels:
name: string #必填,通过此标签匹配对应pod<key: value>
replicas: number #必填,副本数量
template: #必填,应用容器模版定义
metadata:
labels:
name: string #必填,遇上面matchLabels的标签相同
spec:
containers: #必填,定义容器列表
- name: string #必填,容器名称
image: string #必填,容器的镜像名称
imagePullPolicy: [Always | Never | IfNotPresent] #获取镜像的策略 Alawys表示下载镜像 IfnotPresent表示优先使用本地镜像,否则下载镜像,Nerver表示仅使用本地镜像
command: [string] #容器的启动命令列表,如不指定,使用打包时使用的启动命令
args: [string] #容器的启动命令参数列表
workingDir: string #选填,容器的工作目录
env: #容器运行前需设置的环境变量列表
- name: string #环境变量名称
value: string #环境变量的值
ports: #需要暴露的端口库号列表
- name: string #选填,端口号名称
containerPort: int #容器需要监听的端口号
hostPort: int #选填,容器所在主机需要监听的端口号,默认与Container相同
protocol: string #选填,端口协议,支持TCP和UDP,默认TCP
resources: #资源限制和请求的设置
limits: #资源限制的设置
cpu: string #Cpu的限制,单位为core数,将用于docker run --cpu-shares参数
memory: string #内存限制,单位可以为Mib/Gib,将用于docker run --memory参数
requests: #资源请求的设置
cpu: string #Cpu请求,容器启动的初始可用数量
memory: string #内存清楚,容器启动的初始可用数量
volumeMounts: #挂载到容器内部的存储卷配置
- name: string #引用pod定义的共享存储卷的名称,需用volumes[]部分定义的的卷名
mountPath: string #存储卷在容器内mount的绝对路径,应少于512字符
readOnly: boolean #是否为只读模式
livenessProbe: #对Pod内个容器健康检查的设置,当探测无响应几次后将自动重启该容器,检查方法有exec、httpGet和tcpSocket,对一个容器只需设置其中一种方法即可
exec: #对Pod容器内检查方式设置为exec方式
command: [string] #exec方式需要制定的命令或脚本
httpGet: #对Pod内个容器健康检查方法设置为HttpGet,需要制定Path、port
path: string
port: number
host: string
scheme: string
HttpHeaders:
- name: string
value: string
tcpSocket: #对Pod内个容器健康检查方式设置为tcpSocket方式
port: number
initialDelaySeconds: 0 #容器启动完成后首次探测的时间,单位为秒
timeoutSeconds: 0 #对容器健康检查探测等待响应的超时时间,单位秒,默认1秒
periodSeconds: 0 #对容器监控检查的定期探测时间设置,单位秒,默认10秒一次
successThreshold: 0
failureThreshold: 0
securityContext:
privileged:false
#Pod的重启策略,Always表示一旦不管以何种方式终止运行,kubelet都将重启,OnFailure表示只有Pod以非0退出码退出才重启,Nerver表示不再重启该Pod
restartPolicy: [Always | Never | OnFailure]
nodeSelector: obeject #设置NodeSelector表示将该Pod调度到包含这个label的node上,以key:value的格式指定
imagePullSecrets: #Pull镜像时使用的secret名称,以key:secretkey格式指定
- name: string
hostNetwork:false #是否使用主机网络模式,默认为false,如果设置为true,表示使用宿主机网络
volumes: #在该pod上定义共享存储卷列表
- name: string #共享存储卷名称 (volumes类型有很多种)
emptyDir: {} #类型为emtyDir的存储卷,与Pod同生命周期的一个临时目录。为空值
hostPath: string #类型为hostPath的存储卷,表示挂载Pod所在宿主机的目录
path: string #Pod所在宿主机的目录,将被用于同期中mount的目录
- name: string #共享存储卷名称
secret: #类型为secret的存储卷,挂载集群与定义的secre对象到容器内部
scretname: string
items:
- key: string #选择secrets定义的某个key
path: string #文件内容路径
- name: string #共享存储卷名称
configMap: #类型为configMap的存储卷,挂载预定义的configMap对象到容器内部
name: string
items:
- key: string #选择configmap定义的某个key
path: string #文件内容路径
- name: string #共享存储卷名称
persistentVolumeClaim:
claimName: string #类型为PVC的持久化存储卷
更多描述:
/**
* Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer.
*/
"activeDeadlineSeconds"?: number;
/**
* If specified, the pod's scheduling constraints
*/
"affinity"?: IIoK8sApiCoreV1Affinity;
/**
* AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.
*/
"automountServiceAccountToken"?: boolean;
/**
* List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated.
*/
"containers": Array<IIoK8sApiCoreV1Container>;
/**
* Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy.
*/
"dnsConfig"?: IIoK8sApiCoreV1PodDNSConfig;
/**
* Set DNS policy for the pod. Defaults to "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'.
*/
"dnsPolicy"?: string;
/**
* EnableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. Optional: Defaults to true.
*/
"enableServiceLinks"?: boolean;
/**
* List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. This field is alpha-level and is only honored by servers that enable the EphemeralContainers feature.
*/
"ephemeralContainers"?: Array<IIoK8sApiCoreV1EphemeralContainer>;
/**
* HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts file if specified. This is only valid for non-hostNetwork pods.
*/
"hostAliases"?: Array<IIoK8sApiCoreV1HostAlias>;
/**
* Use the host's ipc namespace. Optional: Default to false.
*/
"hostIPC"?: boolean;
/**
* Host networking requested for this pod. Use the host's network namespace. If this option is set, the ports that will be used must be specified. Default to false.
*/
"hostNetwork"?: boolean;
/**
* Use the host's pid namespace. Optional: Default to false.
*/
"hostPID"?: boolean;
/**
* Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined value.
*/
"hostname"?: string;
/**
* ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
*/
"imagePullSecrets"?: Array<IIoK8sApiCoreV1LocalObjectReference>;
/**
* List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
*/
"initContainers"?: Array<IIoK8sApiCoreV1Container>;
/**
* NodeName is a request to schedule this pod onto a specific node. If it is non-empty, the scheduler simply schedules this pod onto that node, assuming that it fits resource requirements.
*/
"nodeName"?: string;
/**
* NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
*/
"nodeSelector"?: {
[key: string]: string;
};
/**
* Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have the overhead already set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/20190226-pod-overhead.md This field is alpha-level as of Kubernetes v1.16, and is only honored by servers that enable the PodOverhead feature.
*/
"overhead"?: {
[key: string]: IIoK8sApimachineryPkgApiResourceQuantity;
};
/**
* PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset. This field is alpha-level and is only honored by servers that enable the NonPreemptingPriority feature.
*/
"preemptionPolicy"?: string;
/**
* The priority value. Various system components use this field to find the priority of the pod. When Priority Admission Controller is enabled, it prevents users from setting this field. The admission controller populates this field from PriorityClassName. The higher the value, the higher the priority.
*/
"priority"?: number;
/**
* If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default.
*/
"priorityClassName"?: string;
/**
* If specified, all readiness gates will be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True"
*/
"readinessGates"?: Array<IIoK8sApiCoreV1PodReadinessGate>;
/**
* Restart policy for all containers within the pod. One of Always, OnFailure, Never. Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy
*/
"restartPolicy"?: string;
/**
* RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler.
*/
"runtimeClassName"?: string;
/**
* If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler.
*/
"schedulerName"?: string;
/**
* SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field.
*/
"securityContext"?: IIoK8sApiCoreV1PodSecurityContext;
/**
* DeprecatedServiceAccount is a depreciated alias for ServiceAccountName. Deprecated: Use serviceAccountName instead.
*/
"serviceAccount"?: string;
/**
* ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
*/
"serviceAccountName"?: string;
/**
* Share a single process namespace between all of the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. Optional: Default to false.
*/
"shareProcessNamespace"?: boolean;
/**
* If specified, the fully qualified Pod hostname will be "<hostname>.<subdomain>.<pod namespace>.svc.<cluster domain>". If not specified, the pod will not have a domainname at all.
*/
"subdomain"?: string;
/**
* Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds.
*/
"terminationGracePeriodSeconds"?: number;
/**
* If specified, the pod's tolerations.
*/
"tolerations"?: Array<IIoK8sApiCoreV1Toleration>;
/**
* TopologySpreadConstraints describes how a group of pods ought to spread across topology domains. Scheduler will schedule pods in a way which abides by the constraints. This field is only honored by clusters that enable the EvenPodsSpread feature. All topologySpreadConstraints are ANDed.
*/
"topologySpreadConstraints"?: Array<IIoK8sApiCoreV1TopologySpreadConstraint>;
/**
* List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes
*/
"volumes"?: Array<IIoK8sApiCoreV1Volume>;