Kubernetes in Practice: A Complete Guide from Cluster Setup to Application Deployment
1. Building a Kubernetes Cluster in Practice

1.1 Environment Preparation and Tool Selection

Building a Kubernetes cluster needs thorough preparation. I suggest starting with the hardware: every node needs at least 2 CPU cores, 4 GB of memory and 20 GB of disk, and for production I recommend doubling that. On the network side, make sure the nodes can reach each other, disable swap (`swapoff -a`) and set correct hostnames.

When choosing a toolchain, beginners can start with Minikube to get a feel for a single-node environment:

```shell
minikube start --driver=docker --kubernetes-version=v1.23.0
```

For production I recommend kubeadm, which gives you flexible customisation. While helping a client deploy recently I found that version 1.24 needs extra CRI runtime configuration, a pitfall beginners often hit.

1.2 Building a Cluster with kubeadm

In real deployments I am in the habit of running the basic configuration on every node first:

```shell
# Kernel modules that must be loaded at boot
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF

# Load the modules right now
sudo modprobe overlay
sudo modprobe br_netfilter
```

Then install the three components, kubeadm/kubelet/kubectl, paying attention to version matching. Last week, deploying on AWS, I hit a case where incompatible versions crashed the API Server. To initialise the control plane I have used this command template many times:

```shell
kubeadm init \
  --pod-network-cidr=10.244.0.0/16 \
  --apiserver-advertise-address=192.168.1.100 \
  --kubernetes-version=stable-1.23
```

Remember to save the join command printed at the end; a client once accidentally deleted the terminal history and had to re-initialise the cluster.

1.3 Network Plugin and Joining Nodes

Flannel is the CNI plugin I use most often, and it is simple to deploy:

```shell
kubectl apply -f https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml
```

In Azure environments, however, I switch to Azure CNI to avoid network policy conflicts. When joining worker nodes, a common problem is that the join credentials have expired; you can regenerate the join command with `kubeadm token create --print-join-command`. Last year I handled a 200-node cluster; for bulk joins I recommend running them in parallel with Ansible.

2. Application Deployment and Management
2.1 Writing an Efficient Deployment

This is the Nginx deployment template I use regularly; it includes a health check and resource limits:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deploy
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.21-alpine
        ports:
        - containerPort: 80
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 256Mi
        livenessProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 30
          periodSeconds: 10
```

2.2 Exposing Services and Configuring Ingress

NodePort is fine for test environments:

```shell
kubectl expose deploy nginx-deploy --type=NodePort --port=80
```

In production always use an Ingress. This is the classic Nginx Ingress configuration:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: demo.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-deploy
            port:
              number: 80
```

2.3 Configuration and Secret Management

ConfigMaps and Secrets should be managed separately. These are the best practices I have settled on:

```shell
# Create the general (non-sensitive) configuration
kubectl create configmap app-config \
  --from-file=application.properties \
  --from-literal=log_level=INFO

# Handle credentials separately; the value is single-quoted so the shell
# does not treat "!" as history expansion
kubectl create secret generic db-creds \
  --from-literal=username=admin \
  --from-literal=password='S3cret!'
```

When mounting these into a Pod as volumes, remember to set appropriate file permissions.

3. Storage and State Management

3.1 Persistent Volumes in Practice

Dynamic storage provisioning greatly simplifies the work. First create a StorageClass:

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: fast-ssd
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp3
  fsType: ext4
```

Then request storage through a PVC:

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql-pvc
spec:
  storageClassName: fast-ssd
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
```

3.2 StatefulSets for Stateful Applications

When deploying MySQL, a StatefulSet is a must. The key configuration is:

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mysql
spec:
  serviceName: mysql
  replicas: 1
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - name: mysql
        image: mysql:5.7
        volumeMounts:
        - name: data
          mountPath: /var/lib/mysql
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: [ ReadWriteOnce ]
      storageClassName: fast-ssd
      resources:
        requests:
          storage: 20Gi
```

4. Operations and Monitoring
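To show what "appropriate file permissions" in section 2.3 look like in practice, here is an added example (not from the original post) of a Pod that consumes the `app-config` ConfigMap and the `db-creds` Secret created above; the Pod name `app-demo` and the mount paths are assumptions for this example.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-demo                     # assumed name for this example
spec:
  containers:
  - name: app
    image: nginx:1.21-alpine
    env:
    # Non-sensitive settings come from the ConfigMap and may live in the environment
    - name: LOG_LEVEL
      valueFrom:
        configMapKeyRef:
          name: app-config
          key: log_level
    volumeMounts:
    - name: config
      mountPath: /etc/app            # application.properties appears here
      readOnly: true
    # Credentials are mounted as files rather than exported as environment
    # variables, so they do not show up in `kubectl describe pod` output or in
    # the environment inherited by child processes
    - name: creds
      mountPath: /etc/db-creds
      readOnly: true
  volumes:
  - name: config
    configMap:
      name: app-config
  - name: creds
    secret:
      secretName: db-creds
      # Without defaultMode the secret files are created 0644, i.e. readable by
      # every user inside the container. 0400 limits them to the owner, which is
      # root (kubelet writes the files as root, and this container runs as root).
      # If the container runs as a non-root user, also set
      # spec.securityContext.fsGroup so kubelet makes the files group-readable
      # by that group; otherwise the process cannot open them at all.
      defaultMode: 0400
```

Check the result with `kubectl exec app-demo -- ls -lL /etc/db-creds`, which should list `password` and `username` with mode `-r--------`.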
4.1 Monitoring with Prometheus

After installing the Prometheus Operator, define the monitoring target:

```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: nginx-monitor
spec:
  selector:
    matchLabels:
      app: nginx
  endpoints:
  - port: web
    interval: 30s
```

4.2 Log Collection

The key points of the Fluentd configuration in the EFK stack:

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd
spec:
  # selector, template labels and the hostPath volumes are required for the
  # manifest to be accepted by the API server
  selector:
    matchLabels:
      app: fluentd
  template:
    metadata:
      labels:
        app: fluentd
    spec:
      containers:
      - name: fluentd
        image: fluent/fluentd-kubernetes-daemonset:v1.12
        env:
        - name: FLUENT_ELASTICSEARCH_HOST
          value: elasticsearch
        - name: FLUENT_ELASTICSEARCH_PORT
          value: "9200"          # env values must be strings
        volumeMounts:
        - name: varlog
          mountPath: /var/log
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
      volumes:
      - name: varlog
        hostPath:
          path: /var/log
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
```

4.3 Autoscaling in Practice

An example HPA configuration:

```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: nginx-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: nginx-deploy
  minReplicas: 2
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 50
```

In a recent project we combined this with custom metrics to implement QPS-based autoscaling, which reduced service response time by 40%. Remember to set a reasonable cooldown (`--horizontal-pod-autoscaler-downscale-stabilization`) to avoid frequent flapping.