Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS) manages a hosted Kubernetes environment, making it easy to deploy and manage containerized applications in Azure. The AKS environment enables features such as automatic updates, self-healing and easy scaling. The Kubernetes cluster master is managed by Azure free of charge. The user manages the agent nodes in the cluster and pays only for the VMs the nodes run on.
Kubernetes cluster architecture
A Kubernetes cluster is divided into two components:
- Control plane: provides the core Kubernetes services and the orchestration of application workloads.
- Nodes: run the application workloads.
Nodes and node pools
Kubernetes nodes are needed to run applications and supporting services. An AKS cluster has at least one node, an Azure virtual machine (VM) that runs the Kubernetes node components and the container runtime.
- Node pools
Nodes with the same configuration are grouped into node pools. A Kubernetes cluster contains at least one node pool. The initial number of nodes and their size are defined when the AKS cluster is created, which creates the default node pool. This default node pool in AKS contains the underlying VMs that run the agent nodes.
Two types of node pools can be created on an AKS-hosted Kubernetes cluster:
- System node pools
- User node pools
System node pools
System node pools host the critical system pods that make up the control plane of the cluster. System node pools allow only Linux as the node OS and run only Linux-based workloads. Nodes in a system node pool are reserved for system workloads and are normally not used to run custom workloads. Every AKS cluster must contain at least one system node pool with at least one node, and the underlying VM size must be defined for its nodes.
User node pools
User node pools carry the user's workloads, and the user can specify Windows or Linux as the node operating system. The underlying VM size of the nodes can also be defined so that specific workloads can be run.
Automatic routing
By default, a Kubernetes cluster blocks all external traffic.
Enabling **HTTP application routing** removes this complexity. With this add-on, applications on the cluster can easily be reached through an automatically deployed ingress controller.
LAB
This lab comes from the Azure Learn module: Deploy a containerized application on Azure Kubernetes Service
Topology
Steps
- Create variables for the configuration values that are reused throughout the lab
```shell
izhao_yiyi@Azure:~$ RESOURCE_GROUP=etaon.top
izhao_yiyi@Azure:~$ CLUSTER_NAME=aks-contoso-$RANDOM
```
- Create the AKS cluster with the az aks create command
```shell
izhao_yiyi@Azure:~$ az aks create \
    --resource-group $RESOURCE_GROUP \
    --name $CLUSTER_NAME \
    --node-count 2 \
    --enable-addons http_application_routing \
    --generate-ssh-keys \
    --node-vm-size Standard_B2s \
    --network-plugin azure
```
- The --enable-addons http_application_routing parameter enables HTTP application routing, which can be seen in the 'Networking' settings section of the Azure portal:
- The --network-plugin azure parameter sets the CNI type to Azure CNI.
The CNI of AKS defaults to kubenet; when Azure CNI is chosen, it creates its own virtual network by default:
The command used above did not specify any network IP address ranges, so the IP address ranges shown above are used.
Command output
```json
{
  "aadProfile": null,
  "addonProfiles": {
    "httpApplicationRouting": {
      "config": {
        "HTTPApplicationRoutingZoneName": "bdfb20a8625f417b9c17.eastasia.aksapp.io"
      },
      "enabled": true,
      "identity": {
        "clientId": "c3c858eb-cc6e-4e27-9070-9691a6efec8e",
        "objectId": "b6cecf34-23bc-4fd9-b70a-affa5f2f4afc",
        "resourceId": "/subscriptions/14adb214-7b29-422a-ac8a-df2af1e51201/resourcegroups/MC_etaon.top_aks-contoso-31096_eastasia/providers/Microsoft.ManagedIdentity/userAssignedIdentities/httpapplicationrouting-aks-contoso-31096"
      }
    }
  },
  "agentPoolProfiles": [
    {
      "availabilityZones": null,
      "count": 2,
      "creationData": null,
      "enableAutoScaling": false,
      "enableEncryptionAtHost": false,
      "enableFips": false,
      "enableNodePublicIp": false,
      "enableUltraSsd": false,
      "gpuInstanceProfile": null,
      "kubeletConfig": null,
      "kubeletDiskType": "OS",
      "linuxOsConfig": null,
      "maxCount": null,
      "maxPods": 30,
      "minCount": null,
      "mode": "System",
      "name": "nodepool1",
      "nodeImageVersion": "AKSUbuntu-1804gen2containerd-2021.11.06",
      "nodeLabels": null,
      "nodePublicIpPrefixId": null,
      "nodeTaints": null,
      "orchestratorVersion": "1.20.9",
      "osDiskSizeGb": 128,
      "osDiskType": "Managed",
      "osSku": "Ubuntu",
      "osType": "Linux",
      "podSubnetId": null,
      "powerState": {
        "code": "Running"
      },
      "provisioningState": "Succeeded",
      "proximityPlacementGroupId": null,
      "scaleDownMode": null,
      "scaleSetEvictionPolicy": null,
      "scaleSetPriority": null,
      "spotMaxPrice": null,
      "tags": null,
      "type": "VirtualMachineScaleSets",
      "upgradeSettings": null,
      "vmSize": "Standard_B2s",
      "vnetSubnetId": null,
      "workloadRuntime": "OCIContainer"
    }
  ],
  "apiServerAccessProfile": null,
  "autoScalerProfile": null,
  "autoUpgradeProfile": null,
  "azurePortalFqdn": "aks-contos-etaontop-14adb2-ae5fb642.portal.hcp.eastasia.azmk8s.io",
  "disableLocalAccounts": false,
  "diskEncryptionSetId": null,
  "dnsPrefix": "aks-contos-etaontop-14adb2",
  "enablePodSecurityPolicy": false,
  "enableRbac": true,
  "extendedLocation": null,
  "fqdn": "aks-contos-etaontop-14adb2-ae5fb642.hcp.eastasia.azmk8s.io",
  "fqdnSubdomain": null,
  "httpProxyConfig": null,
  "id": "/subscriptions/14adb214-7b29-422a-ac8a-df2af1e51201/resourcegroups/etaon.top/providers/Microsoft.ContainerService/managedClusters/aks-contoso-31096",
  "identity": {
    "principalId": "03016c69-734e-46a4-a7fd-dcb437f6961a",
    "tenantId": "7446b7c5-bb59-4186-a8df-513c195bc49f",
    "type": "SystemAssigned",
    "userAssignedIdentities": null
  },
  "identityProfile": {
    "kubeletidentity": {
      "clientId": "5ed42363-69bc-47b7-ad16-3a262e98a362",
      "objectId": "0bf0c11a-2f25-4ade-b4f5-df5beab61343",
      "resourceId": "/subscriptions/14adb214-7b29-422a-ac8a-df2af1e51201/resourcegroups/MC_etaon.top_aks-contoso-31096_eastasia/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks-contoso-31096-agentpool"
    }
  },
  "kubernetesVersion": "1.20.9",
  "linuxProfile": {
    "adminUsername": "azureuser",
    "ssh": {
      "publicKeys": [
        {
          "keyData": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOA+F/qE7BKbdDnRyBc3yNMiLHwZbq+Y2Mec+z50i37SiyGq3PjLkqFBVIknKi4y5O7mWbo2AeDZOkNnKJMiax6nQvSTxnAy5Ijp4RqfUQjmKpi1bo+XC1FPq+Pe7HLJaNBDZA3SsY+cdIpLt4kJfsxdV9ndTCHp5ygrTAhaoCqXwoh+pvJgFN9u0K0Axoc7UE21V2yTSLoCLMcArY8qIWWtTl8xErxG9CLsBUnejWMzh67IO6Ieo+QZgirDvfYXJrkc+BU4dveCA3RjqiHNCOE6tMUR+FC7DXFSwswldJaW/JxnCSPIue20DS9zvM4F5nklibLVfhcQCq6DjTUTs1"
        }
      ]
    }
  },
  "location": "eastasia",
  "maxAgentPools": 100,
  "name": "aks-contoso-31096",
  "networkProfile": {
    "dnsServiceIp": "10.0.0.10",
    "dockerBridgeCidr": "172.17.0.1/16",
    "ipFamilies": [
      "IPv4"
    ],
    "loadBalancerProfile": {
      "allocatedOutboundPorts": null,
      "effectiveOutboundIPs": [
        {
          "id": "/subscriptions/14adb214-7b29-422a-ac8a-df2af1e51201/resourceGroups/MC_etaon.top_aks-contoso-31096_eastasia/providers/Microsoft.Network/publicIPAddresses/a69e46df-32c3-4acb-9a4a-ab01531711c4",
          "resourceGroup": "MC_etaon.top_aks-contoso-31096_eastasia"
        }
      ],
      "enableMultipleStandardLoadBalancers": null,
      "idleTimeoutInMinutes": null,
      "managedOutboundIPs": {
        "count": 1,
        "countIpv6": null
      },
      "outboundIPs": null,
      "outboundIpPrefixes": null
    },
    "loadBalancerSku": "Standard",
    "natGatewayProfile": null,
    "networkMode": null,
    "networkPlugin": "azure",
    "networkPolicy": null,
    "outboundType": "loadBalancer",
    "podCidr": null,
    "podCidrs": null,
    "serviceCidr": "10.0.0.0/16",
    "serviceCidrs": [
      "10.0.0.0/16"
    ]
  },
  "nodeResourceGroup": "MC_etaon.top_aks-contoso-31096_eastasia",
  "podIdentityProfile": null,
  "powerState": {
    "code": "Running"
  },
  "privateFqdn": null,
  "privateLinkResources": null,
  "provisioningState": "Succeeded",
  "publicNetworkAccess": null,
  "resourceGroup": "etaon.top",
  "securityProfile": null,
  "servicePrincipalProfile": {
    "clientId": "msi",
    "secret": null
  },
  "sku": {
    "name": "Basic",
    "tier": "Free"
  },
  "tags": null,
  "type": "Microsoft.ContainerService/ManagedClusters",
  "windowsProfile": {
    "adminPassword": null,
    "adminUsername": "azureuser",
    "enableCsiProxy": true,
    "gmsaProfile": null,
    "licenseType": null
  }
}
```
The same can also be seen in the portal.
- Run the following command to connect kubectl to the Kubernetes cluster
The exact command can be viewed by clicking 'Connect' in the portal:
```shell
izhao_yiyi@Azure:~$ az aks get-credentials --resource-group etaon.top --name aks-contoso-31096
The behavior of this command has been altered by the following extension: aks-preview
Merged "aks-contoso-31096" as current context in /home/izhao_yiyi/.kube/config
izhao_yiyi@Azure:~$ kubectl get node
NAME                                STATUS   ROLES   AGE   VERSION
aks-nodepool1-00921554-vmss000000   Ready    agent   54m   v1.20.9
aks-nodepool1-00921554-vmss000001   Ready    agent   54m   v1.20.9
```
- Create the contoso-website application
```yaml
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: contoso-website
spec:
  selector: # Define the wrapping strategy
    matchLabels: # Match all pods with the defined labels
      app: contoso-website # Labels follow the `name: value` template
  template: # This is the template of the pod inside the deployment
    metadata:
      labels:
        app: contoso-website
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      containers:
        - image: mcr.microsoft.com/mslearn/samples/contoso-website
          name: contoso-website
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 250m
              memory: 256Mi
          ports:
            - containerPort: 80
              name: http
```
Apply the YAML file and check the result
```shell
izhao_yiyi@Azure:~/contoso-website$ kubectl apply -f deployment.yaml
deployment.apps/contoso-website created
izhao_yiyi@Azure:~/contoso-website$ kubectl get deployment
NAME              READY   UP-TO-DATE   AVAILABLE   AGE
contoso-website   0/1     1            0           17s
izhao_yiyi@Azure:~/contoso-website$ kubectl get po -w
NAME                             READY   STATUS              RESTARTS   AGE
contoso-website-97988f7c-7dgfz   0/1     ContainerCreating   0          25s
contoso-website-97988f7c-7dgfz   1/1     Running             0          35s
^Cizhao_yiyi@Azure:~/contoso-website$ kubectl get deployment
NAME              READY   UP-TO-DATE   AVAILABLE   AGE
contoso-website   1/1     1            1           41s
```
The same can be seen in the portal.
- Expose a Service (ClusterIP) for contoso-website
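The deployment above runs the container with the Kubernetes defaults: all capabilities the runtime grants, privilege escalation allowed, no seccomp filter, and the pod's service account token mounted into the container. The manifest below is an added example, not the learning module's own manifest: it keeps the image, labels, resources and port exactly as above and only adds a pod-level and container-level securityContext, a readiness probe and automountServiceAccountToken: false. Two assumptions are made: the contoso-website image binds port 80 as root (so NET_BIND_SERVICE is added back after dropping everything else) and the site never calls the Kubernetes API. runAsNonRoot and readOnlyRootFilesystem are deliberately left out, because whether this image tolerates them is not known from the page.

```yaml
# deployment-hardened.yaml (added example, not the module's manifest)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: contoso-website
spec:
  selector:
    matchLabels:
      app: contoso-website
  template:
    metadata:
      labels:
        app: contoso-website
    spec:
      nodeSelector:
        kubernetes.io/os: linux
        # Once the cluster has a user node pool, also select on the AKS node
        # label "kubernetes.azure.com/mode: user" to keep custom workloads off
        # the system pool (this lab only has the default System pool).
      # Assumption: the website never talks to the Kubernetes API, so the
      # service account token is not mounted into the container.
      automountServiceAccountToken: false
      securityContext:
        seccompProfile:
          type: RuntimeDefault # use the container runtime's default seccomp filter
      containers:
        - image: mcr.microsoft.com/mslearn/samples/contoso-website
          name: contoso-website
          securityContext:
            allowPrivilegeEscalation: false # no setuid/setcap gain inside the container
            privileged: false
            capabilities:
              drop: ["ALL"]
              add: ["NET_BIND_SERVICE"] # assumption: the server binds port 80 and needs this
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 250m
              memory: 256Mi
          ports:
            - containerPort: 80
              name: http
          readinessProbe: # only receive traffic once the site actually answers on /
            httpGet:
              path: /
              port: http
```

Apply it with kubectl apply -f deployment-hardened.yaml and confirm the settings landed with kubectl get pod -l app=contoso-website -o jsonpath='{.items[0].spec.containers[0].securityContext}'. If the pod ends up in CrashLoopBackOff after this change, the image needs something that was dropped; kubectl logs on the pod shows which operation failed, and the capability can be added back one at a time rather than reverting to the defaults.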
```yaml
# service.yaml
apiVersion: v1
kind: Service
metadata:
  name: contoso-website
spec:
  type: ClusterIP
  selector:
    app: contoso-website
  ports:
    - port: 80 # SERVICE exposed port
      name: http # SERVICE port name
      protocol: TCP # The protocol the SERVICE will listen to
      targetPort: http # Port to forward to in the POD
```
```shell
izhao_yiyi@Azure:~/contoso-website$ kubectl apply -f service.yaml
service/contoso-website created
izhao_yiyi@Azure:~/contoso-website$ kubectl get svc
NAME              TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE
contoso-website   ClusterIP   10.0.88.220   <none>        80/TCP    7s
```
- In Cloud Shell, query the Azure DNS zone list (the learning module's az network dns zone list step); the command below reads the zone name that the HTTP application routing add-on created
```shell
izhao_yiyi@Azure:~/contoso-website$ az aks show \
    -g $RESOURCE_GROUP \
    -n $CLUSTER_NAME \
    -o tsv \
    --query addonProfiles.httpApplicationRouting.config.HTTPApplicationRoutingZoneName
The behavior of this command has been altered by the following extension: aks-preview
bdfb20a8625f417b9c17.eastasia.aksapp.io
```
- Write the ingress YAML and deploy it
```yaml
# ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: contoso-website
  annotations:
    kubernetes.io/ingress.class: addon-http-application-routing
spec:
  rules:
    - host: contoso.bdfb20a8625f417b9c17.eastasia.aksapp.io
      http:
        paths:
          - backend: # How the ingress will handle the requests
              service:
                name: contoso-website # Which service the request will be forwarded to
                port:
                  name: http # Which port in that service
            path: / # Which path is this rule referring to
            pathType: Prefix # See more at https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
```
- The metadata section of the YAML file carries an annotations entry; this is what tells the cluster to use the HTTP application routing add-on for this ingress. The key is set to kubernetes.io/ingress.class and the value to addon-http-application-routing.
- The rule specifies the backend service for the host.
```shell
izhao_yiyi@Azure:~/contoso-website$ kubectl apply -f ingress.yaml
ingress.networking.k8s.io/contoso-website created
izhao_yiyi@Azure:~/contoso-website$ kubectl get ingress
NAME              CLASS    HOSTS                                             ADDRESS          PORTS   AGE
contoso-website   <none>   contoso.bdfb20a8625f417b9c17.eastasia.aksapp.io   20.187.250.168   80      9s
izhao_yiyi@Azure:~/contoso-website$ kubectl describe ingress contoso-website
Name:             contoso-website
Namespace:        default
Address:          20.187.250.168
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host                                             Path  Backends
  ----                                             ----  --------
  contoso.bdfb20a8625f417b9c17.eastasia.aksapp.io
                                                   /     contoso-website:http (10.240.0.54:80)
Annotations:                                       kubernetes.io/ingress.class: addon-http-application-routing
Events:                                            <none>
```
The service attached as the backend can be seen here.
From the portal
Access the website: contoso.bdfb20a8625f417b9c17.eastasp.aksapp.io
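The kubectl describe ingress output above shows that the ClusterIP service resolves straight to the pod (10.240.0.54:80). Under Azure CNI every pod has a VNet address, and Kubernetes allows all pod-to-pod traffic by default, so any other workload in the cluster can reach the website pod directly instead of going through the ingress controller. The NetworkPolicy below is an added example, not part of the learning module: it admits inbound traffic to the contoso-website pods only from the add-on's ingress controller in kube-system. Two caveats apply. First, the az aks create output above shows "networkPolicy": null, so on this cluster the object is accepted by the API server but not enforced; enforcement needs a cluster created with --network-policy azure (or calico). Second, the ingress controller pod label app: addon-http-application-routing-nginx-ingress and the namespace label kubernetes.io/metadata.name are assumptions to confirm with kubectl; the namespace label is set automatically from Kubernetes 1.21 on, and this cluster runs 1.20.9, so kube-system would have to be labelled by hand there.

```yaml
# contoso-website-netpol.yaml (added example, not the module's manifest)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: contoso-website-from-ingress-only
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: contoso-website # the pods created by deployment.yaml
  policyTypes:
    - Ingress # only inbound traffic is restricted; egress is left untouched
  ingress:
    - from:
        # namespaceSelector and podSelector in the same entry are ANDed:
        # the source must be a pod with this label inside kube-system.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system # assumption: label present (automatic from Kubernetes 1.21)
          podSelector:
            matchLabels:
              app: addon-http-application-routing-nginx-ingress # assumption: check with kubectl get pods -n kube-system --show-labels
      ports:
        - protocol: TCP
          port: 80 # the containerPort named http in deployment.yaml
```

Before relying on it, check that the cluster actually enforces policies with az aks show -g $RESOURCE_GROUP -n $CLUSTER_NAME --query networkProfile.networkPolicy; a null answer means the policy is stored but does nothing. Once enforcement is in place, the public hostname keeps working while a throwaway pod in the default namespace can no longer open port 80 on the ClusterIP 10.0.88.220, which is the expected result.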