Kubernetes 1.19的功能探究

Kubernetes 1.19的功能探究

Kubernetes 1.19是2020年的第二个版本，也是迄今为止最长的发布周期，总共持续了20周。它包括34个增强：10个增强正在向稳定方向移动，15个在beta中增强，9个在alpha中增强。

《 Kubernetes行为准则》要求我们彼此都要优秀，尽管我们的世界动荡不安，但我们从社区中看到的只有伟大和谦卑。

下面我们来看看常用或显著的新功能和变化。

01seccomp GA

Seccomp即secure computing mode,在2.6.12版本linux内核中引入,它可以用来对进程的特权进行沙箱处理，从而限制了它可以从用户空间向内核进行的调用。

Seccomp在Kubernetes 1.3版本中作为Alpha功能引入,在安全性上有很大的提升，且Seccomp可以更加精细化控制系统调用。使用PodSecurityPolicy上的注释将Seccomp配置文件应用于所需的Pod。如apiVersion: policy/v1beta1kind: PodSecurityPolicymetadata: name: restricted annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'在1.19版中，Seccomp功能GA，将新的seccompProfile字段添加到pod和容器的securityContext对象中。pods/security/seccomp/profiles/fine-grained.json { "defaultAction": "SCMP_ACT_ERRNO", "architectures": [ "SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32" ], "syscalls": [ { "names": [ "accept4", "epoll_wait", "pselect6", "futex", "madvise", "epoll_ctl", "getsockname", "setsockopt", "vfork", "mmap", "read", "write", "close", "arch_prctl", "sched_getaffinity", "munmap", "brk", "rt_sigaction", "rt_sigprocmask", "sigaltstack", "gettid", "clone", "bind", "socket", "openat", "readlinkat", "exit_group", "epoll_create1", "listen", "rt_sigreturn", "sched_yield", "clock_gettime", "connect", "dup2", "epoll_pwait", "execve", "exit", "fcntl", "getpid", "getuid", "ioctl", "mprotect", "nanosleep", "open", "poll", "recvfrom", "sendto", "set_tid_address", "setitimer", "writev" ], "action": "SCMP_ACT_ALLOW" } ]}--- apiVersion: v1kind: Podmetadata: name: fine-pod labels: app: fine-podspec: securityContext: seccompProfile: type: Localhost localhostProfile: profiles/fine-grained.json containers: - name: test-container image: hashicorp/http-echo:0.2.3 args: - "-text=just made some syscalls!" securityContext: allowPrivilegeEscalation: falseUnconfined: 如果没有其他选择，Seccomp不会应用于容器进程（默认设置）RuntimeDefault: 使用默认的容器运行时配置文件Localhost: 指定自定义profile文件。当type为该值时，此时必须指定localhostProfile02Ingress GA在Kubernetes中,集群的入口除了LoadBalancer,NodePort外,还有1.1版中作为Beta API引入的Ingress,它可以给service提供集群外部访问的URL、负载均衡、SSL termination 、HTTP/HTTPS路由等,流量路由由Ingress资源上定义的规则控制。在1.19版中，Ingress逐渐普及。v1beta1 API移除,v1 API取而代之apiVersion: networking.k8s.io/v1kind: Ingressmetadata: name: ingress-wildcard-hostspec: rules: - host: "foo.bar.com" http: paths: - pathType: Prefix path: "/bar" backend: service: name: service1 port: number: 80入口中的每个路径都必须具有相应的路径类型,pathType字段不再具有默认值，必须指定。支持三种路径类型：ImplementationSpecific：使用此路径类型，匹配取决于IngressClass。可以将其视为单独的athType，也可以将其视为Prefix或Exact路径类型。Exact：与网址路径完全匹配且区分大小写。Prefix：根据URL前缀 进行匹配。匹配区分大小写，并且在逐个路径的基础上进行匹配。03Node debuggingEphemeralContainers(临时容器)可以在Pod中临时运行的一种容器类型,当容器崩溃或容器映像不包含调试程序（如没有外壳），对于交互式故障排除很有用。可以使用 kubectl alpha debug 命令将临时容器添加到正在运行的Pod中要启用临时容器功能，需要在kube-apiserver加入以下配置并重启--feature-gates=EphemeralContainers=true使用没有外壳容器映像测试[root@k8s-master01 ~]# kubectl run ephemeral-demo --image=docker.io/prodan/pause:3.2 --restart=Neverpod/ephemeral-demo created[root@k8s-master01 ~]# kubectl exec -it ephemeral-demo -- shERRO[0000] exec failed: container_linux.go:370: starting container process caused: exec: "sh": executable file not found in $PATH command terminated with exit code 1[root@k8s-master01 ~]# kubectl alpha debug -it ephemeral-demo --image=docker.io/library/busybox:1.28 --target=ephemeral-demo Defaulting debug container name to debugger-qq2lz.If you don't see a command prompt, try pressing enter./ #04Scheduler Configuration调度程序配置,可以通过编写配置文件并将其路径作为命令行参数来自定义kube调度程序的行为,在Kubernetes 1.19版本中升级为beta功能,v1alpha1已弃用。配置示例apiVersion: kubescheduler.config.k8s.io/v1beta1kind: KubeSchedulerConfigurationclientConnection: burst: 200 kubeconfig: "/etc/kubernetes/kube-scheduler.kubeconfig" qps: 100enableProfiling: truehealthzBindAddress: 127.0.0.1:10251leaderElection: leaderElect: truemetricsBindAddress: 127.0.0.1:10251beta的API已弃用以下参数 bindTimeoutSecondshardPodAffinitySymmetricWeightenableContentionProfiling05一些显著的弃用1.Hyperkube是Kubernetes组件的多合一二进制文件，现已弃用，以后的Kubernetes项目将不会构建。2.kube-apiserver下列参数已弃用 --audit-dynamic-configuration \#动态审计配置 --feature-gates=DynamicAuditing=true \#用于实验性质的特性开关组06一些API的变化apiextensions.k8s.io/v1beta1弃用,apiextensions.k8s.io/v1取代autoscaling/v2beta1弃用,autoscaling/v2beta2取代storage.k8s.io/v1beta1弃用,storage.k8s.io/v1取代07Kubelet TLS证书轮换GAKubelet在首次启动时,向kube-apiserver提交请求加入集群,kube-apiserver通过请求后会生成证书,有效期默认一年。V1.8版本开始支持证书轮换，当证书过期时，可以自动生成新的密钥，并从 Kubernetes API 申请新的证书。在V1.19版本中已经GA,集群可管理性将得到提升。开启证书轮换# Step 1): Config kube-controller-managerkube-controller-manager --experimental-cluster-signing-duration=87600h \ --feature-gates=RotateKubeletClientCertificate=true \ ...# Step 2): Config RBAC# Refer https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#approval# Step 3): Config Kubeletkubelet --feature-gates=RotateKubeletClientCertificate=true \ --cert-dir=/var/lib/kubelet/pki \ --rotate-certificates \ --rotate-server-certificates \