Kubernetes 网络与存储

Souloss

公告

欢迎来到我的博客！这是一条示例公告

Learn More

标签

Souloss

公告

欢迎来到我的博客！这是一条示例公告

Learn More

标签

Souloss

公告

欢迎来到我的博客！这是一条示例公告

Learn More

标签

224 字

1 分钟

Kubernetes 网络与存储

2024-07-24

面试

/

Kubernetes

/

网络

/

存储

一、Kubernetes 网络模型#

1.1 网络原则#

graph LR A["Pod 1"] -->|同一 Node| B["Pod 2"] A -->|跨 Node| C["Pod 3"] style A fill:#87CEEB style B fill:#87CEEB style C fill:#90EE90

原则	说明
Pod 间通信	所有 Pod 可以直接通信，无需 NAT
Node 与 Pod	Node 可以与所有 Pod 通信，无需 NAT
Pod 自身 IP	每个 Pod 有独立的 IP，不依赖端口映射

1.2 CNI 网络插件#

1
# CNI: Container Network Interface
2
# 常见 CNI 插件
3

4
# 1. Calico - 网络策略优先
5
# 2. Flannel - 简单 overlay 网络
6
# 3. Cilium - eBPF 驱动
7
# 4. Weave Net - 自动加密

二、Service#

2.1 Service 类型#

1
# ClusterIP - 内部访问（默认）
2
apiVersion: v1
3
kind: Service
4
metadata:
5
  name: nginx-clusterip
6
spec:
7
  type: ClusterIP
8
  selector:
9
    app: nginx
10
  ports:
11
    - port: 80 # Service 端口
12
      targetPort: 80 # Pod 端口
13
      protocol: TCP
14

15
---
16

17
apiVersion: v1
18
kind: Service
19
metadata:
20
  name: nginx-nodeport
21
spec:
22
  type: NodePort
23
  selector:
24
    app: nginx
25
  ports:
26
    - port: 80
27
      targetPort: 80
28
      nodePort: 30080 # 30000-32767
29

30
---
31

32
apiVersion: v1
33
kind: Service
34
metadata:
35
  name: nginx-lb
36
spec:
37
  type: LoadBalancer
38
  selector:
39
    app: nginx
40
  ports:
41
    - port: 80
42
      targetPort: 80

2.2 Headless Service#

1
# Headless Service - 无负载均衡
2
apiVersion: v1
3
kind: Service
4
metadata:
5
  name: nginx-headless
6
spec:
7
  clusterIP: None # 关键设置
8
  selector:
9
    app: nginx
10
  ports:
11
    - port: 80
12

13
# DNS 行为
14
# 普通 Service: my-svc.namespace.svc.cluster.local -> ClusterIP
15
# Headless: pod-name.my-svc.namespace.svc.cluster.local -> Pod IP

2.3 Service 发现#

1
# 环境变量方式（自动注入）
2
# 格式: {SVCNAME}_SERVICE_HOST, {SVCNAME}_SERVICE_PORT
3
NGINX_SERVICE_HOST=10.0.0.100
4
NGINX_SERVICE_PORT=80
5

6
# DNS 方式
7
# 格式: <service-name>.<namespace>.svc.cluster.local
8
nginx.default.svc.cluster.local

2.4 kube-proxy 模式#

1
# iptables 模式（默认）
2
# 规则匹配，性能随规则增加下降
3

4
# IPVS 模式（大规模推荐）
5
# 支持负载均衡算法：rr, wrr, lc, wlc, sh, dh
6

7
# 查看模式
8
kubectl get configmap kube-proxy -n kube-system -o yaml

三、Ingress#

3.1 Ingress 配置#

1
apiVersion: networking.k8s.io/v1
2
kind: Ingress
3
metadata:
4
  name: app-ingress
5
  annotations:
6
    nginx.ingress.kubernetes.io/rewrite-target: /
7
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
8
spec:
9
  ingressClassName: nginx
10
  tls:
11
    - hosts:
12
        - app.example.com
13
      secretName: app-tls
14
  rules:
15
    - host: app.example.com
16
      http:
17
        paths:
18
          - path: /api
19
            pathType: Prefix
20
            backend:
21
              service:
22
                name: api-service
23
                port:
24
                  number: 8080
25
          - path: /static
26
            pathType: Prefix
27
            backend:
28
              service:
29
                name: static-service
30
                port:
31
                  number: 80

3.2 IngressClass#

1
apiVersion: networking.k8s.io/v1
2
kind: IngressClass
3
metadata:
4
  name: nginx
5
  annotations:
6
    ingressclass.kubernetes.io/is-default-class: "true"
7
spec:
8
  controller: k8s.io/ingress-nginx

四、NetworkPolicy#

4.1 默认拒绝#

1
# 默认拒绝所有入站流量
2
apiVersion: networking.k8s.io/v1
3
kind: NetworkPolicy
4
metadata:
5
  name: default-deny-ingress
6
spec:
7
  podSelector: {}
8
  policyTypes:
9
    - Ingress

4.2 允许特定流量#

1
# 允许前端访问后端
2
apiVersion: networking.k8s.io/v1
3
kind: NetworkPolicy
4
metadata:
5
  name: allow-frontend-to-backend
6
spec:
7
  podSelector:
8
    matchLabels:
9
      app: backend
10
  policyTypes:
11
    - Ingress
12
  ingress:
13
    - from:
14
        - podSelector:
15
            matchLabels:
16
              app: frontend
17
      ports:
18
        - protocol: TCP
19
          port: 8080
20

21
---
22

23
apiVersion: networking.k8s.io/v1
24
kind: NetworkPolicy
25
metadata:
26
  name: allow-dns
27
spec:
28
  podSelector: {}
29
  policyTypes:
30
    - Egress
31
  egress:
32
    - to:
33
        - namespaceSelector: {}
34
      ports:
35
        - protocol: UDP
36
          port: 53

五、存储卷#

5.1 卷类型对比#

类型	说明	生命周期
emptyDir	临时存储	与 Pod 相同
hostPath	节点文件系统	持久
persistentVolumeClaim	持久存储	独立于 Pod
configMap	配置数据	可独立更新
secret	敏感数据	安全存储
nfs	网络文件系统	持久

5.2 emptyDir#

1
apiVersion: v1
2
kind: Pod
3
metadata:
4
  name: test
5
spec:
6
  containers:
7
    - name: test
8
      image: alpine
9
      volumeMounts:
10
        - name: cache
11
          mountPath: /tmp
12
  volumes:
13
    - name: cache
14
      emptyDir:
15
        sizeLimit: 100Mi
16
        medium: Memory # 内存存储

5.3 hostPath#

1
apiVersion: v1
2
kind: Pod
3
metadata:
4
  name: test
5
spec:
6
  containers:
7
    - name: test
8
      image: alpine
9
      volumeMounts:
10
        - name: data
11
          mountPath: /data
12
  volumes:
13
    - name: data
14
      hostPath:
15
        path: /var/local/data
16
        type: DirectoryOrCreate # 不存在则创建

5.4 NFS#

1
apiVersion: v1
2
kind: Pod
3
metadata:
4
  name: nfs-pod
5
spec:
6
  containers:
7
    - name: app
8
      image: alpine
9
      volumeMounts:
10
        - name: nfs-volume
11
          mountPath: /mnt/nfs
12
  volumes:
13
    - name: nfs-volume
14
      nfs:
15
        server: nfs-server.example.com
16
        path: /share

六、持久化存储#

6.1 PV 与 PVC#

1
# PersistentVolume (PV) - 管理员创建
2
apiVersion: v1
3
kind: PersistentVolume
4
metadata:
5
  name: pv-1
6
spec:
7
  capacity:
8
    storage: 10Gi
9
  accessModes:
10
    - ReadWriteOnce # 单节点读写
11
    # - ReadOnlyMany   # 多节点只读
12
    # - ReadWriteMany  # 多节点读写
13
  storageClassName: standard
14
  persistentVolumeReclaimPolicy: Retain # Retain/Delete/Recycle
15
  nfs:
16
    server: nfs-server
17
    path: /data/pv-1
18

19
---
20

21
apiVersion: v1
22
kind: PersistentVolumeClaim
23
metadata:
24
  name: pvc-1
25
spec:
26
  accessModes:
27
    - ReadWriteOnce
28
  resources:
29
    requests:
30
      storage: 5Gi
31
  storageClassName: standard

6.2 StorageClass#

1
apiVersion: storage.k8s.io/v1
2
kind: StorageClass
3
metadata:
4
  name: fast-ssd
5
provisioner: pd.csi.storage.gke.io # GCP
6
parameters:
7
  type: pd-ssd
8
  filesystem: xfs
9
reclaimPolicy: Retain
10
volumeBindingMode: WaitForFirstConsumer # 延迟绑定
11
allowVolumeExpansion: true

6.3 动态存储#

1
# 使用 StorageClass 自动创建 PV
2
apiVersion: v1
3
kind: PersistentVolumeClaim
4
metadata:
5
  name: dynamic-pvc
6
spec:
7
  storageClassName: fast-ssd
8
  accessModes:
9
    - ReadWriteOnce
10
  resources:
11
    requests:
12
      storage: 20Gi

七、ConfigMap 与 Secret#

7.1 ConfigMap#

1
apiVersion: v1
2
kind: ConfigMap
3
metadata:
4
  name: app-config
5
data:
6
  config.json: |
7
    {
8
      "database": {
9
        "host": "db-service",
10
        "port": 5432
11
      }
12
    }
13
  log-level: "info"
14

15
---
16

17
apiVersion: v1
18
kind: Pod
19
metadata:
20
  name: app
21
spec:
22
  containers:
23
    - name: app
24
      image: app:latest
25
      envFrom:
26
        - configMapRef:
27
            name: app-config
28
      env:
29
        - name: DB_PASSWORD
30
          valueFrom:
31
            configMapKeyRef:
32
              name: app-config
33
              key: log-level

7.2 Secret#

1
apiVersion: v1
2
kind: Secret
3
metadata:
4
  name: app-secrets
5
type: Opaque
6
data:
7
  # echo -n "password" | base64
8
  db-password: cGFzc3dvcmQ=
9
stringData:
10
  # 自动 Base64 编码
11
  api-key: "my-secret-key"
12

13
---
14

15
apiVersion: v1
16
kind: Pod
17
metadata:
18
  name: app
19
spec:
20
  containers:
21
    - name: app
22
      image: app:latest
23
      env:
24
        - name: DB_PASSWORD
25
          valueFrom:
26
            secretKeyRef:
27
              name: app-secrets
28
              key: db-password
29
      volumeMounts:
30
        - name: secrets
31
          mountPath: /etc/secrets
32
  volumes:
33
    - name: secrets
34
      secret:
35
        secretName: app-secrets