kubernetes核心组件

1.kubelet

kubelet运行于集群的所有节点上,包括master的节点。
kubelet用于处理master节点下发到本节点的任务,管理本节点上的pod以及pod中的容器。
每个kubelet会在APIServer上注册本节点的信息,并定期上报本节点的资源使用情况。
kubelet先于集群而存在于每个节点上的。
kubelet作为集群节点的后台守护进程,在节点启动时,由节点上的操作系统init进程(systemd)拉起。
分别是下面两个文件:

root@VM-16-6-ubuntu:~# ls /lib/systemd/system/kubelet.service 
/lib/systemd/system/kubelet.service
root@VM-16-6-ubuntu:~# ls /etc/systemd/system/kubelet.service.d/10-kubeadm.conf 
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf

kubelet主要参数配置:

root@VM-16-6-ubuntu:~# cat /etc/systemd/system/kubelet.service.d/10-kubeadm.conf 
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=true"
Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain=cluster.local"
Environment="KUBELET_AUTHZ_ARGS=--authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt"
Environment="KUBELET_CADVISOR_ARGS=--cadvisor-port=0"
Environment="KUBELET_CERTIFICATE_ARGS=--rotate-certificates=true --cert-dir=/var/lib/kubelet/pki"
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_AUTHZ_ARGS $KUBELET_CADVISOR_ARGS $KUBELET_CERTIFICATE_ARGS $KUBELET_EXTRA_ARGS

bootstrap-kubeconfig用于在kubeconfig文件不存在的情况下,像APIServer获取client端的证书文件。
获取的证书文件将存储在cert-dir指定的目录下。同时数据也将写入一份到kubeconfig指定的目录里面。

pod-manifest-path是静态pod的manifest的存放路径。kubelet将启动这些pod,并维持这些pod处于运行状态。

KUBELET_NETWORK_ARGS是与节点上cni网络插件相关的配置。kubelet通过这个配置,来调用cni相关程序,配置容器中的相关网络。

KUBELET_DNS_ARGS是集群DNS相关的配置。

cadvisor-port默认值是4194,当配置为0的时候,表示不在节点上开始cadvisor服务。
cadvisor是一个分析容器资源使用率和性能特性的代理工具,默认情况下会在每个节点上安装Agent。
通过暴露cadvisor-port来提供服务。

多数情况下,不需要修改启动文件的参数。修改之后执行:
  systemctl daemon-reload & systemctl restart kubelet

 

2.kube-apiserver

kube-apiserver是整个集群调用的入口,通过APIServer暴露的API实现对整个集群的对象和状态管理。
kubeadm引导建立的kubernetes集群的APIServer是以静态pod的形式运行的,由kubelet启动。
APIServer是一个庞大的单体程序。可以查看APIServer的配置yaml:

apiVersion: v1
kind: Pod
metadata:
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ""
  creationTimestamp: null
  labels:
    component: kube-apiserver
spec:
  containers:
  - command:
    - kube-apiserver
    - --insecure-port=0  #APIServer非安全服务端口,默认不开启
    - --requestheader-username-headers=X-Remote-User
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key #APIServer以client端身份访问kubelet所使用的私钥文件
    - --secure-port=6443
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --service-cluster-ip-range=10.96.0.0/12  #设置无类别预见地址的分配范围.不能与pod地址有交集
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt  #APIServer以client端身份访问kubelet使用的数字公钥证书.
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --allow-privileged=true  #是否允许启动特权容器
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --requestheader-allowed-names=front-proxy-client
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --enable-bootstrap-token-auth=true  #允许secret对象进行集群初始化
    - --requestheader-group-headers=X-Remote-Group
    - --advertise-address=148.70.251.10
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt  #APIserver公钥证书文件
    - --authorization-mode=Node,RBAC  #设置用户授权模式列表
    - --etcd-servers=https://127.0.0.1:2379  #服务地址
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt  #ca证书
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    image: k8s.gcr.io/kube-apiserver-amd64:v1.10.2
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 148.70.251.10
        path: /healthz
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    name: kube-apiserver
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
status: {}

kubelet监听/etc/kubernetes/manifests目录变化,自动重启配置发生变化的apiserver pod.

 

3.etcd

etcd用于存储整个集群的对象和状态.
kubeadm引导启动的集群默认只启动一个etcd节点和APIServer,etcd也是由kubelet启动的static pod.
如果要修改etcd的启动参数,直接修改etcd.yaml.保存之后kubelet会重启etcd的静态pod.
apiserver与etcd之间采用基于TLS的安全通信.
etcd挂载master节点本地路径/var/lib/etcd用于运行时的数据存储.

root@VM-16-6-ubuntu:~# tree /var/lib/etcd
/var/lib/etcd
└── member
    ├── snap
    │   ├── 0000000000000002-0000000000033465.snap
    │   ├── 0000000000000002-0000000000035b76.snap
    │   ├── 0000000000000002-0000000000038287.snap
    │   ├── 0000000000000002-000000000003a998.snap
    │   ├── 0000000000000002-000000000003d0a9.snap
    │   └── db
    └── wal
        ├── 0000000000000000-0000000000000000.wal
        ├── 0000000000000001-000000000000deb3.wal
        ├── 0000000000000002-000000000001b87f.wal
        ├── 0000000000000003-0000000000029249.wal
        ├── 0000000000000004-0000000000036c13.wal
        └── 0.tmp

如果需要做数据迁移和备份,只需要对这个目录进行操作就可以了.

 

4.controller-manager

负责集群内Node,Pod副本,服务的endpoint,命名空间,Service Account,资源配额管理等.

controller通过APIServer监控资源的状态,一旦状态发生变化,controller就会改变这个状态,使其恢复正常.
和APIServer一样,controller-manager由kubelet启动的static pod.
如果要修改controller-manager的启动参数,直接修改kube-controller-manager.yaml文件.

下面是controller-manager的启动参数配置:

apiVersion: v1
kind: Pod
metadata:
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ""
  creationTimestamp: null
  labels:
    component: kube-controller-manager
    tier: control-plane
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-controller-manager
    - --leader-elect=true  #执行主业务逻辑前是否进行leader选举.
    - --controllers=*,bootstrapsigner,tokencleaner
    - --kubeconfig=/etc/kubernetes/controller-manager.conf
    - --service-account-private-key-file=/etc/kubernetes/pki/sa.key
    - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt  #证书文件
    - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key  #签发集群范围内的其它证书
    - --address=127.0.0.1
    - --root-ca-file=/etc/kubernetes/pki/ca.crt  #ca.crt会包含在service acount的对象参数中.
    - --use-service-account-credentials=true
    image: k8s.gcr.io/kube-controller-manager-amd64:v1.10.2
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10252
        scheme: HTTP
      initialDelaySeconds: 15
      timeoutSeconds: 15
    name: kube-controller-manager
    resources:
      requests:
        cpu: 200m
    volumeMounts:
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/kubernetes/controller-manager.conf
      name: kubeconfig
      readOnly: true
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/kubernetes/controller-manager.conf
      type: FileOrCreate
    name: kubeconfig
status: {}

 

5.kube-scheduler

按照特定的调度算法和策略,将待调度pod绑定集群中某个适合的Node,并写入绑定信息.
由kubelet启动的static pod.
scheduler的配置参数:

apiVersion: v1
kind: Pod
metadata:
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ""
  creationTimestamp: null
  labels:
    component: kube-scheduler
    tier: control-plane
  name: kube-scheduler
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-scheduler
    - --address=127.0.0.1  #服务地址,不对外提供服务
    - --leader-elect=true  #在主业务逻辑循环前,是否进行选主
    - --kubeconfig=/etc/kubernetes/scheduler.conf  #启动文件
    image: k8s.gcr.io/kube-scheduler-amd64:v1.10.2
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10251
        scheme: HTTP
      initialDelaySeconds: 15
      timeoutSeconds: 15
    name: kube-scheduler
    resources:
      requests:
        cpu: 100m
    volumeMounts:
    - mountPath: /etc/kubernetes/scheduler.conf
      name: kubeconfig
      readOnly: true
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/scheduler.conf
      type: FileOrCreate
    name: kubeconfig
status: {}

 

6.kube-proxy

service在创建的时候会分配一个虚拟的服务IP,对service访问会按照一定策略分发到后面的pod.
service并没有实体,让service起作用的是运行在kubernetes集群节点上的kube-proxy组件.

由于proxy的存在,在client调用的service时,调用者无需关心后端pod的数量,负载均衡和故障恢复.
kube-proxy由daemonset控制器在各个节点上启动唯一实例.
kube-proxy不是静态pod,它的配置放在kube-proxy配置里面.
我们可以查看kube-proxy的配置:

root@VM-16-6-ubuntu:~# kubectl exec kube-proxy-gnrc7 -n kube-system -- cat /var/lib/kube-proxy/config.conf
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
clientConnection:
  acceptContentTypes: ""
  burst: 10
  contentType: application/vnd.kubernetes.protobuf
  kubeconfig: /var/lib/kube-proxy/kubeconfig.conf
  qps: 5
clusterCIDR: ""
configSyncPeriod: 15m0s
conntrack:
  max: null
  maxPerCore: 32768
  min: 131072
  tcpCloseWaitTimeout: 1h0m0s
  tcpEstablishedTimeout: 24h0m0s
enableProfiling: false
healthzBindAddress: 0.0.0.0:10256
hostnameOverride: ""
iptables:
  masqueradeAll: false
  masqueradeBit: 14
  minSyncPeriod: 0s
  syncPeriod: 30s
ipvs:
  minSyncPeriod: 0s
  scheduler: ""
  syncPeriod: 30s
kind: KubeProxyConfiguration
metricsBindAddress: 127.0.0.1:10249
mode: ""
nodePortAddresses: null
oomScoreAdj: -999
portRange: ""
resourceContainer: /kube-proxy

最重要的配置就是mode,kube-proxy支持三种mode.分别是:user-spece,iptables,ipvs.
如果配置文件的pod为空,那么将选择当前最好的mode(iptables),如果内核不支持将改为user-spece模式.

 

posted @ 2020-04-03 16:53  明王不动心  阅读(598)  评论(0编辑  收藏  举报