https://andygol-k8s.netlify.app/zh-cn/Recent content in 生产级别的容器编排系统 on KubernetesHugozh-cnhttps://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/api-service-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/api-service-v1/<!-- api_metadata: apiVersion: "apiregistration.k8s.io/v1" import: "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1" kind: "APIService" content_type: "api_reference" description: "APIService represents a server for a particular GroupVersion." title: "APIService" weight: 1 auto_generated: true --> <p><code>apiVersion: apiregistration.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/kube-aggregator/pkg/apis/apiregistration/v1&quot;</code></p> <h2 id="APIService">APIService</h2> <!-- APIService represents a server for a particular GroupVersion. Name must be "version.group". --> <p>APIService 是用来表示一个特定的 GroupVersion 的服务器。名称必须为 &quot;version.group&quot;。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: apiregistration.k8s.io/v1</p> </li> <li> <p><strong>kind</strong>: APIService</p> </li> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p> <!-- Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <p>标准的对象元数据。更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</a></p> </li> <li> <p><strong>spec</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/api-service-v1/#APIServiceSpec">APIServiceSpec</a>)</p> <!-- Spec contains information for locating and communicating with a server --> <p>spec 包含用于定位和与服务器通信的信息</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/babylon/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/babylon/<h2>Challenge</h2> <p>A large number of Babylon's products leverage machine learning and artificial intelligence, and in 2019, there wasn't enough computing power in-house to run a particular experiment. The company was also growing (from 100 to 1,600 in three years) and planning expansion into other countries.</p> <h2>Solution</h2> <p>Babylon had migrated its user-facing applications to a Kubernetes platform in 2018, so the infrastructure team turned to Kubeflow, a toolkit for machine learning on Kubernetes. "We tried to create a Kubernetes core server, we deployed Kubeflow, and we orchestrated the whole experiment, which ended up being a really good success," says AI Infrastructure Lead Jérémie Vallée. The team began building a self-service AI training platform on top of Kubernetes.</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/config-map-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/config-map-v1/<!-- api_metadata: apiVersion: "v1" import: "k8s.io/api/core/v1" kind: "ConfigMap" content_type: "api_reference" description: "ConfigMap holds configuration data for pods to consume." title: "ConfigMap" weight: 1 --> <p><code>apiVersion: v1</code></p> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <h2 id="ConfigMap">ConfigMap</h2> <!-- ConfigMap holds configuration data for pods to consume. --> <p>ConfigMap 包含供 Pod 使用的配置数据。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: v1</p> </li> <li> <p><strong>kind</strong>: ConfigMap</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p> <p>标准的对象元数据。 更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</a></p> </li> </ul> <!-- - **binaryData** (map[string][]byte) BinaryData contains the binary data. Each key must consist of alphanumeric characters, '-', '_' or '.'. BinaryData can contain byte sequences that are not in the UTF-8 range. The keys stored in BinaryData must not overlap with the ones in the Data field, this is enforced during validation process. Using this field will require 1.10+ apiserver and kubelet. --> <ul> <li> <p><strong>binaryData</strong> (map[string][]byte)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/extend-resources/custom-resource-definition-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/extend-resources/custom-resource-definition-v1/<!-- api_metadata: apiVersion: "apiextensions.k8s.io/v1" import: "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" kind: "CustomResourceDefinition" content_type: "api_reference" description: "CustomResourceDefinition represents a resource that should be exposed on the API server." title: "CustomResourceDefinition" weight: 1 auto_generated: true --> <p><code>apiVersion: apiextensions.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1&quot;</code></p> <h2 id="CustomResourceDefinition">CustomResourceDefinition</h2> <!-- CustomResourceDefinition represents a resource that should be exposed on the API server. Its name MUST be in the format \<.spec.name>.\<.spec.group>. --> <p>CustomResourceDefinition 表示应在 API 服务器上公开的资源。其名称必须采用 <code>&lt;.spec.name&gt;.&lt;.spec.group&gt;</code> 格式。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>：apiextensions.k8s.io/v1</p> </li> <li> <p><strong>kind</strong>：CustomResourceDefinition</p> </li> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p> <!-- Standard object's metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <p>标准的对象元数据，更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</a></p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/delete-options/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/delete-options/<!-- api_metadata: apiVersion: "" import: "k8s.io/apimachinery/pkg/apis/meta/v1" kind: "DeleteOptions" content_type: "api_reference" description: "DeleteOptions may be provided when deleting an API object." title: "DeleteOptions" weight: 1 auto_generated: true --> <p><code>import &quot;k8s.io/apimachinery/pkg/apis/meta/v1&quot;</code></p> <!-- DeleteOptions may be provided when deleting an API object. --> <p>删除 API 对象时可以提供 DeleteOptions。</p> <hr> <!-- - **apiVersion** (string) APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources --> <ul> <li> <p><strong>apiVersion</strong> (string)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/flow-schema-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/flow-schema-v1/<!-- api_metadata: apiVersion: "flowcontrol.apiserver.k8s.io/v1" import: "k8s.io/api/flowcontrol/v1" kind: "FlowSchema" content_type: "api_reference" description: "FlowSchema defines the schema of a group of flows." title: "FlowSchema" weight: 1 auto_generated: true --> <p><code>apiVersion: flowcontrol.apiserver.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/flowcontrol/v1&quot;</code></p> <h2 id="FlowSchema">FlowSchema</h2> <!-- FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a "flow distinguisher". --> <p>FlowSchema 定义一组流的模式。请注意，一个流由属性类似的一组入站 API 请求组成， 用一对字符串进行标识：FlowSchema 的名称和一个 “流区分项”。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/introduction/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/introduction/<!-- title: "Introduction to kubectl" content_type: concept weight: 1 --> <!-- kubectl is the Kubernetes cli version of a swiss army knife, and can do many things. While this Book is focused on using kubectl to declaratively manage applications in Kubernetes, it also covers other kubectl functions. --> <p>kubectl 是 Kubernetes CLI 版本的瑞士军刀，可以胜任多种多样的任务。</p> <p>本文主要介绍如何使用 kubectl 在 Kubernetes 中声明式管理应用，本文还涵盖了一些其他的 kubectl 功能。</p> <!-- ## Command Families Most kubectl commands typically fall into one of a few categories: --> <h2 id="command-families">命令分类</h2> <p>大多数 kubectl 命令通常可以分为以下几类：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/local-subject-access-review-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/local-subject-access-review-v1/<!-- api_metadata: apiVersion: "authorization.k8s.io/v1" import: "k8s.io/api/authorization/v1" kind: "LocalSubjectAccessReview" content_type: "api_reference" description: "LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace." title: "LocalSubjectAccessReview" weight: 1 --> <p><code>apiVersion: authorization.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/authorization/v1&quot;</code></p> <h2 id="LocalSubjectAccessReview">LocalSubjectAccessReview</h2> <!-- LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking. <hr> - **apiVersion**: authorization.k8s.io/v1 - **kind**: LocalSubjectAccessReview - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <p>LocalSubjectAccessReview 检查用户或组是否可以在给定的命名空间内执行某操作。 划分命名空间范围的资源简化了命名空间范围的策略设置，例如权限检查。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/pod-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/pod-v1/<!-- api_metadata: apiVersion: "v1" import: "k8s.io/api/core/v1" kind: "Pod" content_type: "api_reference" description: "Pod is a collection of containers that can run on a host." title: "Pod" weight: 1 auto_generated: true --> <p><code>apiVersion: v1</code></p> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <h2 id="Pod">Pod</h2> <!-- Pod is a collection of containers that can run on a host. This resource is created by clients and scheduled onto hosts. --> <p>Pod 是可以在主机上运行的容器的集合。此资源由客户端创建并调度到主机上。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: v1</p> </li> <li> <p><strong>kind</strong>: Pod</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/service-resources/service-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/service-resources/service-v1/<!-- api_metadata: apiVersion: "v1" import: "k8s.io/api/core/v1" kind: "Service" content_type: "api_reference" description: "Service is a named abstraction of software service (for example, mysql) consisting of local port (for example 3306) that the proxy listens on, and the selector that determines which pods will answer requests sent through the proxy." title: "Service" weight: 1 auto_generated: true --> <p><code>apiVersion: v1</code></p> <p><code>import &quot;k8s.io/api/core/v1”</code></p> <h2 id="Service">Service</h2> <!-- Service is a named abstraction of software service (for example, mysql) consisting of local port (for example 3306) that the proxy listens on, and the selector that determines which pods will answer requests sent through the proxy. --> <p>Service 是软件服务（例如 mysql）的命名抽象，包含代理要侦听的本地端口（例如 3306）和一个选择算符， 选择算符用来确定哪些 Pod 将响应通过代理发送的请求。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authentication-resources/service-account-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authentication-resources/service-account-v1/<!-- api_metadata: apiVersion: "v1" import: "k8s.io/api/core/v1" kind: "ServiceAccount" content_type: "api_reference" description: "ServiceAccount binds together: * a name, understood by users, and perhaps by peripheral systems, for an identity * a principal that can be authenticated and authorized * a set of secrets." title: "ServiceAccount" weight: 1 auto_generated: true --> <p><code>apiVersion: v1</code></p> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <h2 id="ServiceAccount">ServiceAccount</h2> <!-- ServiceAccount binds together: * a name, understood by users, and perhaps by peripheral systems, for an identity * a principal that can be authenticated and authorized * a set of secrets --> <p>ServiceAccount 将以下内容绑定在一起：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/binding-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/binding-v1/<!-- api_metadata: apiVersion: "v1" import: "k8s.io/api/core/v1" kind: "Binding" content_type: "api_reference" description: "Binding ties one object to another; for example, a pod is bound to a node by a scheduler." title: "Binding" weight: 2 auto_generated: true --> <p><code>apiVersion: v1</code></p> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <h2 id="Binding">Binding</h2> <!-- Binding ties one object to another; for example, a pod is bound to a node by a scheduler. --> <p>Binding 将一个对象与另一个对象绑定在一起；例如，调度程序将一个 Pod 绑定到一个节点。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: v1</p> </li> <li> <p><strong>kind</strong>: Binding</p> </li> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/booz-allen/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/booz-allen/<h2>Challenge</h2> <p>In 2017, Booz Allen Hamilton's Strategic Innovation Group worked with the federal government to relaunch the decade-old recreation.gov website, which provides information and real-time booking for more than 100,000 campsites and facilities on federal lands across the country. The infrastructure needed to be agile, reliable, and scalable—as well as repeatable for the other federal agencies that are among Booz Allen Hamilton's customers.</p> <h2>Solution</h2> <p>"The only way that we thought we could be successful with this problem across all the different agencies is to create a microservice architecture and containers, so that we could be very dynamic and very agile to any given agency for whatever requirements that they may have," says Booz Allen Hamilton Senior Lead Technologist Martin Folkoff. To meet those requirements, Folkoff's team looked to Kubernetes for orchestration.</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/bose/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/bose/<!-- title: Bose Case Study linkTitle: Bose case_study_styles: true cid: caseStudies logo: bose_featured_logo.png featured: false weight: 2 quote: > The CNCF Landscape quickly explains what's going on in all the different areas from storage to cloud providers to automation and so forth. This is our shopping cart to build a cloud infrastructure. We can go choose from the different aisles. new_case_study_styles: true heading_background: /images/case-studies/bose/banner1.jpg heading_title_logo: /images/bose_logo.png subheading: > Bose: Supporting Rapid Development for Millions of IoT Products With Kubernetes case_study_details: - Company: Bose Corporation - Location: Framingham, Massachusetts - Industry: Consumer Electronics --> <h2><!--Challenge-->挑战</h2> <p> <!-- A household name in high-quality audio equipment, <a href="https://www.bose.com/en_us/index.html">Bose</a> has offered connected products for more than five years, and as that demand grew, the infrastructure had to change to support it. "We needed to provide a mechanism for developers to rapidly prototype and deploy services all the way to production pretty fast," says Lead Cloud Engineer Josh West. In 2016, the company decided to start building a platform from scratch. The primary goal: "To be one to two steps ahead of the different product groups so that we are never scrambling to catch up with their scale," says Cloud Architecture Manager Dylan O'Mahony. --> 作为一家以高品质音频设备闻名的公司，[Bose](https://www.bose.com/en_us/index.html) 已经提供了超过五年的联网产品，随着这一需求的增长，基础设施不得不改变以支持它。 “我们需要为开发者提供一种机制，能够快速原型化并部署服务一直到生产环境”，首席云工程师 Josh West 说道。 2016年，公司决定开始从头构建一个平台。其主要目标是：“要领先于各个产品组一到两步，这样我们就永远不会匆忙追赶他们的规模”， 云架构经理 Dylan O'Mahony 说道。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/component-status-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/component-status-v1/<!-- api_metadata: apiVersion: "v1" import: "k8s.io/api/core/v1" kind: "ComponentStatus" content_type: "api_reference" description: "ComponentStatus (and ComponentStatusList) holds the cluster validation info." title: "ComponentStatus" weight: 2 auto_generated: true --> <p><code>apiVersion: v1</code></p> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <h2 id="ComponentStatus">ComponentStatus</h2> <!-- ComponentStatus (and ComponentStatusList) holds the cluster validation info. Deprecated: This API is deprecated in v1.19+ --> <p>ComponentStatus（和 ComponentStatusList）保存集群检验信息。 已废弃：该 API 在 v1.19 及更高版本中废弃。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: v1</p> </li> <li> <p><strong>kind</strong>: ComponentStatus</p> </li> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p> <!-- Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <p>标准的对象元数据。更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</a></p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/extend-resources/device-class-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/extend-resources/device-class-v1/<!-- api_metadata: apiVersion: "resource.k8s.io/v1" import: "k8s.io/api/resource/v1" kind: "DeviceClass" content_type: "api_reference" description: "DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors." title: "DeviceClass" weight: 2 auto_generated: true --> <p><code>apiVersion: resource.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/resource/v1&quot;</code></p> <h2 id="DeviceClass">DeviceClass</h2> <!-- DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped. This is an alpha type and requires enabling the DynamicResourceAllocation feature gate. --> <p>DeviceClass 是由供应商或管理员提供的资源，包含设备配置和选择算符。 它可以在申领的设备请求中被引用，以应用预设值。作用域为集群范围。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/service-resources/endpoints-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/service-resources/endpoints-v1/<!-- api_metadata: apiVersion: "v1" import: "k8s.io/api/core/v1" kind: "Endpoints" content_type: "api_reference" description: "Endpoints is a collection of endpoints that implement the actual service." title: "Endpoints" weight: 2 auto_generated: true --> <p><code>apiVersion: v1</code></p> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <h2 id="Endpoints">Endpoints</h2> <!-- Endpoints is a collection of endpoints that implement the actual service. Example: --> <p>Endpoints 是实现实际 Service 的端点的集合。举例：</p> <pre tabindex="0"><code>Name: &#34;mysvc&#34;, Subsets: [ { Addresses: [{&#34;ip&#34;: &#34;10.10.1.1&#34;}, {&#34;ip&#34;: &#34;10.10.2.2&#34;}], Ports: [{&#34;name&#34;: &#34;a&#34;, &#34;port&#34;: 8675}, {&#34;name&#34;: &#34;b&#34;, &#34;port&#34;: 309}] }, { Addresses: [{&#34;ip&#34;: &#34;10.10.3.3&#34;}], Ports: [{&#34;name&#34;: &#34;a&#34;, &#34;port&#34;: 93}, {&#34;name&#34;: &#34;b&#34;, &#34;port&#34;: 76}] }, ] </code></pre><hr> <!-- Endpoints is a legacy API and does not contain information about all Service features. Use discoveryv1.EndpointSlice for complete information about Service endpoints. Deprecated: This API is deprecated in v1.33+. Use discoveryv1.EndpointSlice. --> <p>Endpoints 是遗留 API，不包含所有 Service 特性的信息。使用 <code>discoveryv1.EndpointSlice</code> 获取关于 Service 端点的完整信息。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/label-selector/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/label-selector/<!-- api_metadata: apiVersion: "" import: "k8s.io/apimachinery/pkg/apis/meta/v1" kind: "LabelSelector" content_type: "api_reference" description: "A label selector is a label query over a set of resources." title: "LabelSelector" weight: 2 auto_generated: true --> <p><code>import &quot;k8s.io/apimachinery/pkg/apis/meta/v1&quot;</code></p> <!-- A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. --> <p>标签选择算符是对一组资源的标签查询。 <code>matchLabels</code> 和 <code>matchExpressions</code> 的结果按逻辑与的关系组合。 一个 <code>empty</code> 标签选择算符匹配所有对象。一个 <code>null</code> 标签选择算符不匹配任何对象。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/limit-range-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/limit-range-v1/<!-- api_metadata: apiVersion: "v1" import: "k8s.io/api/core/v1" kind: "LimitRange" content_type: "api_reference" description: "LimitRange sets resource usage limits for each kind of resource in a Namespace." title: "LimitRange" weight: 2 auto_generated: true --> <p><code>apiVersion: v1</code></p> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <h2 id="LimitRange">LimitRange</h2> <!-- LimitRange sets resource usage limits for each kind of resource in a Namespace. --> <p>LimitRange 设置名字空间中每个资源类别的资源用量限制。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: v1</p> </li> <li> <p><strong>kind</strong>: LimitRange</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - **spec** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/limit-range-v1/#LimitRangeSpec">LimitRangeSpec</a>) Spec defines the limits enforced. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1/<!-- api_metadata: apiVersion: "v1" import: "k8s.io/api/core/v1" kind: "Secret" content_type: "api_reference" description: "Secret holds secret data of a certain type." title: "Secret" weight: 2 --> <p><code>apiVersion: v1</code></p> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <h2 id="Secret">Secret</h2> <!-- Secret holds secret data of a certain type. The total bytes of the values in the Data field must be less than MaxSecretSize bytes. --> <p>Secret 包含某些类别的秘密数据。 data 字段值的总字节必须小于 MaxSecretSize 字节。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: v1</p> </li> <li> <p><strong>kind</strong>: Secret</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - **data** (map[string][]byte) Data contains the secret data. Each key must consist of alphanumeric characters, '-', '_' or '.'. The serialized form of the secret data is a base64 encoded string, representing the arbitrary (possibly non-string) data value here. Described in https://tools.ietf.org/html/rfc4648#section-4 --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/self-subject-access-review-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/self-subject-access-review-v1/<!-- api_metadata: apiVersion: "authorization.k8s.io/v1" import: "k8s.io/api/authorization/v1" kind: "SelfSubjectAccessReview" content_type: "api_reference" description: "SelfSubjectAccessReview checks whether or the current user can perform an action." title: "SelfSubjectAccessReview" weight: 2 --> <p><code>apiVersion: authorization.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/authorization/v1&quot;</code></p> <h2 id="SelfSubjectAccessReview">SelfSubjectAccessReview</h2> <!-- SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a spec.namespace means "in all namespaces". Self is a special case, because users should always be able to check whether they can perform an action --> <p>SelfSubjectAccessReview 检查当前用户是否可以执行某操作。 不填写 <code>spec.namespace</code> 表示“在所有命名空间中”。 Self 是一个特殊情况，因为用户应始终能够检查自己是否可以执行某操作。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authentication-resources/token-request-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authentication-resources/token-request-v1/<!-- api_metadata: apiVersion: "authentication.k8s.io/v1" import: "k8s.io/api/authentication/v1" kind: "TokenRequest" content_type: "api_reference" description: "TokenRequest requests a token for a given service account." title: "TokenRequest" weight: 2 auto_generated: true --> <p><code>apiVersion: authentication.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/authentication/v1&quot;</code></p> <h2 id="TokenRequest">TokenRequest</h2> <!-- TokenRequest requests a token for a given service account. --> <p>TokenRequest 为给定的服务账号请求一个令牌。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: authentication.k8s.io/v1</p> </li> <li> <p><strong>kind</strong>: TokenRequest</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - **spec** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authentication-resources/token-request-v1/#TokenRequestSpec">TokenRequestSpec</a>), required Spec holds information about the request being evaluated - **status** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authentication-resources/token-request-v1/#TokenRequestStatus">TokenRequestStatus</a>) Status is filled in by the server and indicates whether the token can be authenticated. --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/booking-com/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/booking-com/<h2>Challenge</h2> <p>In 2016, Booking.com migrated to an OpenShift platform, which gave product developers faster access to infrastructure. But because Kubernetes was abstracted away from the developers, the infrastructure team became a "knowledge bottleneck" when challenges arose. Trying to scale that support wasn't sustainable.</p> <h2>Solution</h2> <p>After a year operating OpenShift, the platform team decided to build its own vanilla Kubernetes platform—and ask developers to learn some Kubernetes in order to use it. "This is not a magical platform," says Ben Tyler, Principal Developer, B Platform Track. "We're not claiming that you can just use it with your eyes closed. Developers need to do some learning, and we're going to do everything we can to make sure they have access to that knowledge."</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-driver-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-driver-v1/<!-- api_metadata: apiVersion: "storage.k8s.io/v1" import: "k8s.io/api/storage/v1" kind: "CSIDriver" content_type: "api_reference" description: "CSIDriver captures information about a Container Storage Interface (CSI) volume driver deployed on the cluster." title: "CSIDriver" weight: 3 --> <p><code>apiVersion: storage.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/storage/v1&quot;</code></p> <h2 id="CSIDriver">CSIDriver</h2> <!-- CSIDriver captures information about a Container Storage Interface (CSI) volume driver deployed on the cluster. Kubernetes attach detach controller uses this object to determine whether attach is required. Kubelet uses this object to determine whether pod information needs to be passed on mount. CSIDriver objects are non-namespaced. --> <p>CSIDriver 抓取集群上部署的容器存储接口（CSI）卷驱动有关的信息。 Kubernetes 挂接/解除挂接控制器使用此对象来决定是否需要挂接。 kubelet 使用此对象决定挂载时是否需要传递 Pod 信息。 CSIDriver 对象未划分命名空间。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/service-resources/endpoint-slice-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/service-resources/endpoint-slice-v1/<!-- api_metadata: apiVersion: "discovery.k8s.io/v1" import: "k8s.io/api/discovery/v1" kind: "EndpointSlice" content_type: "api_reference" description: "EndpointSlice represents a set of service endpoints." title: "EndpointSlice" weight: 3 --> <p><code>apiVersion: discovery.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/discovery/v1&quot;</code></p> <h2 id="EndpointSlice">EndpointSlice</h2> <!-- EndpointSlice represents a set of service endpoints. Most EndpointSlices are created by the EndpointSlice controller to represent the Pods selected by Service objects. For a given service there may be multiple EndpointSlice objects which must be joined to produce the full set of endpoints; you can find all of the slices for a given service by listing EndpointSlices in the service's namespace whose `kubernetes.io/service-name` label contains the service's name. --> <p>EndpointSlice 表示一组服务端点。大多数 EndpointSlice 由 EndpointSlice 控制器创建，用于表示被 Service 对象选中的 Pod。对于一个给定的服务，可能存在多个 EndpointSlice 对象，这些对象必须被组合在一起以产生完整的端点集合； 你可以通过在服务的命名空间中列出 <code>kubernetes.io/service-name</code> 标签包含 Service 名称的 EndpointSlices 来找到给定 Service 的所有 slices。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/event-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/event-v1/<!-- api_metadata: apiVersion: "events.k8s.io/v1" import: "k8s.io/api/events/v1" kind: "Event" content_type: "api_reference" description: "Event is a report of an event somewhere in the cluster." title: "Event" weight: 3 auto_generated: true --> <p><code>apiVersion: events.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/events/v1&quot;</code></p> <h2 id="Event">Event</h2> <!-- Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system. Events have a limited retention time and triggers and messages may evolve with time. Event consumers should not rely on the timing of an event with a given Reason reflecting a consistent underlying trigger, or the continued existence of events with that Reason. Events should be treated as informative, best-effort, supplemental data. --> <p>Event 是集群中某个事件的报告。它一般表示系统的某些状态变化。 Event 的保留时间有限，触发器和消息可能会随着时间的推移而演变。 事件消费者不应假定给定原因的事件的时间所反映的是一致的下层触发因素，或具有该原因的事件的持续存在。 Events 应被视为通知性质的、尽最大努力而提供的补充数据。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/list-meta/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/list-meta/<!-- api_metadata: apiVersion: "" import: "k8s.io/apimachinery/pkg/apis/meta/v1" kind: "ListMeta" content_type: "api_reference" description: "ListMeta describes metadata that synthetic resources must have, including lists and various status objects." title: "ListMeta" weight: 3 auto_generated: true --> <p><code>import &quot;k8s.io/apimachinery/pkg/apis/meta/v1&quot;</code></p> <!-- ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}. --> <p><code>ListMeta</code> 描述了合成资源必须具有的元数据，包括列表和各种状态对象。 一个资源仅能有 <code>{ObjectMeta, ListMeta}</code> 中的一个。</p> <hr> <!-- - **continue** (string) continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message. --> <ul> <li> <p><strong>continue</strong> (string)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/extend-resources/mutating-webhook-configuration-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/extend-resources/mutating-webhook-configuration-v1/<!-- api_metadata: apiVersion: "admissionregistration.k8s.io/v1" import: "k8s.io/api/admissionregistration/v1" kind: "MutatingWebhookConfiguration" content_type: "api_reference" description: "MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it." title: "MutatingWebhookConfiguration" weight: 3 --> <p><code>apiVersion: admissionregistration.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/admissionregistration/v1&quot;</code></p> <h2 id="MutatingWebhookConfiguration">MutatingWebhookConfiguration</h2> <!-- MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object. --> <p>MutatingWebhookConfiguration 描述准入 Webhook 的配置，该 Webhook 可接受或拒绝对象请求，并且可能变更对象。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>：admissionregistration.k8s.io/v1</p> </li> <li> <p><strong>kind</strong>：MutatingWebhookConfiguration</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/pod-template-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/pod-template-v1/<!-- api_metadata: apiVersion: "v1" import: "k8s.io/api/core/v1" kind: "PodTemplate" content_type: "api_reference" description: "PodTemplate describes a template for creating copies of a predefined pod." title: "PodTemplate" weight: 3 auto_generated: true --> <p><code>apiVersion: v1</code></p> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <h2 id="PodTemplate">PodTemplate</h2> <!-- PodTemplate describes a template for creating copies of a predefined pod. --> <p>PodTemplate 描述一种模板，用来为预定义的 Pod 生成副本。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: v1</p> </li> <li> <p><strong>kind</strong>: PodTemplate</p> </li> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p> <!-- Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <p>标准的对象元数据。更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</a></p> </li> <li> <p><strong>template</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/pod-template-v1/#PodTemplateSpec">PodTemplateSpec</a>)</p> <!-- Template defines the pods that will be created from this pod template. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status --> <p>template 定义将基于此 Pod 模板所创建的 Pod。 <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status</a></p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/resource-quota-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/resource-quota-v1/<!-- api_metadata: apiVersion: "v1" import: "k8s.io/api/core/v1" kind: "ResourceQuota" content_type: "api_reference" description: "ResourceQuota sets aggregate quota restrictions enforced per namespace." title: "ResourceQuota" weight: 3 auto_generated: true --> <p><code>apiVersion: v1</code></p> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <h2 id="ResourceQuota">ResourceQuota</h2> <!-- ResourceQuota sets aggregate quota restrictions enforced per namespace --> <p>ResourceQuota 设置每个命名空间强制执行的聚合配额限制。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: v1</p> </li> <li> <p><strong>kind</strong>: ResourceQuota</p> </li> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p> <!-- Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <p>标准的对象元数据。 更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</a></p> </li> <li> <p><strong>spec</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/resource-quota-v1/#ResourceQuotaSpec">ResourceQuotaSpec</a>)</p> <!-- Spec defines the desired quota. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status --> <p><code>spec</code> 定义所需的配额。 <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status</a></p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/self-subject-rules-review-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/self-subject-rules-review-v1/<!-- api_metadata: apiVersion: "authorization.k8s.io/v1" import: "k8s.io/api/authorization/v1" kind: "SelfSubjectRulesReview" content_type: "api_reference" description: "SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace." title: "SelfSubjectRulesReview" weight: 3 --> <p><code>apiVersion: authorization.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/authorization/v1&quot;</code></p> <h2 id="SelfSubjectRulesReview">SelfSubjectRulesReview</h2> <!-- SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server. --> <p>SelfSubjectRulesReview 枚举当前用户可以在某命名空间内执行的操作集合。 返回的操作列表可能不完整，具体取决于服务器的鉴权模式以及评估过程中遇到的任何错误。 SelfSubjectRulesReview 应由 UI 用于显示/隐藏操作，或让最终用户尽快理解自己的权限。 SelfSubjectRulesReview 不得被外部系统使用以驱动鉴权决策， 因为这会引起混淆代理人（Confused deputy）、缓存有效期/吊销（Cache lifetime/revocation）和正确性问题。 SubjectAccessReview 和 LocalAccessReview 是遵从 API 服务器所做鉴权决策的正确方式。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authentication-resources/token-review-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authentication-resources/token-review-v1/<!-- api_metadata: apiVersion: "authentication.k8s.io/v1" import: "k8s.io/api/authentication/v1" kind: "TokenReview" content_type: "api_reference" description: "TokenReview attempts to authenticate a token to a known user." title: "TokenReview" weight: 3 auto_generated: true --> <p><code>apiVersion: authentication.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/authentication/v1&quot;</code></p> <!-- ## TokenReview {#TokenReview} TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be cached by the webhook token authenticator plugin in the kube-apiserver. --> <h2 id="TokenReview">TokenReview</h2> <p>TokenReview 尝试通过验证令牌来确认已知用户。 注意：TokenReview 请求可能会被 kube-apiserver 中的 Webhook 令牌验证器插件缓存。</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/appdirect/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/appdirect/<div class="banner1" style="background-image: url('/images/case-studies/appdirect/banner1.jpg')"> <h1> CASE STUDY:<img src="https://andygol-k8s.netlify.app/images/appdirect_logo.png" class="header_logo" style="margin-bottom:-2%"><br> <div class="subhead" style="margin-top:1%;font-size:0.5em">AppDirect: How AppDirect Supported the 10x Growth of Its Engineering Staff with Kubernetes </div></h1> </div> <div class="details"> Company &nbsp;<b>AppDirect</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location &nbsp;<b>San Francisco, California </b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Industry &nbsp;<b>Software</b> </div> <hr> <section class="section1"> <div class="cols"> <div class="col1" style="width:100%""> <h2>Challenge</h2> <a href="https://www.appdirect.com/">AppDirect</a> provides an end-to-end commerce platform for cloud-based products and services. When Director of Software Development Pierre-Alexandre Lacerte began working there in 2014, the company had a monolith application deployed on a "tomcat infrastructure, and the whole release process was complex for what it should be," he says. "There were a lot of manual steps involved, with one engineer building a feature, then another team picking up the change. So you had bottlenecks in the pipeline to ship a feature to production." At the same time, the engineering team was growing, and the company realized it needed a better infrastructure to both support that growth and increase velocity. <br><br> <h2>Solution</h2> "My idea was: Let’s create an environment where teams can deploy their services faster, and they will say, ‘Okay, I don’t want to build in the monolith anymore. I want to build a service,’" says Lacerte. They considered and prototyped several different technologies before deciding to adopt <a href="https://kubernetes.io/">Kubernetes</a> in early 2016. Lacerte’s team has also integrated <a href="https://prometheus.io/">Prometheus</a> monitoring into the platform; tracing is next. Today, AppDirect has more than 50 microservices in production and 15 Kubernetes clusters deployed on <a href="https://aws.amazon.com/">AWS</a> and on premise around the world. <br><br> <h2>Impact</h2> The Kubernetes platform has helped support the engineering team’s 10x growth over the past few years. Coupled with the fact that they were continually adding new features, Lacerte says, "I think our velocity would have slowed down a lot if we didn’t have this new infrastructure." Moving to Kubernetes and services has meant that deployments have become much faster due to less dependency on custom-made, brittle shell scripts with SCP commands. Time to deploy a new version has shrunk from 4 hours to a few minutes. Additionally, the company invested a lot of effort to make things self-service for developers. "Onboarding a new service doesn’t require <a href="https://www.atlassian.com/software/jira">Jira</a> tickets or meeting with three different teams," says Lacerte. Today, the company sees 1,600 deployments per week, compared to 1-30 before. The company also achieved cost savings by moving its marketplace and billing monoliths to Kubernetes from legacy EC2 hosts as well as by leveraging autoscaling, as traffic is higher during business hours. </div> </div> </section> <div class="banner2"> <div class="banner2text"> "It was an immense engineering culture shift, but the benefits are undeniable in terms of scale and speed." <br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>- Alexandre Gervais, Staff Software Developer, AppDirect</span> </div> </div> <section class="section2"> <div class="fullcol"> <h2>With its end-to-end commerce platform for cloud-based products and services, <a href="https://www.appdirect.com/">AppDirect</a> has been helping organizations such as Comcast and GoDaddy simplify the digital supply chain since 2009. </h2> <br> When Director of Software Development Pierre-Alexandre Lacerte started working there in 2014, the company had a monolith application deployed on a "tomcat infrastructure, and the whole release process was complex for what it should be," he says. "There were a lot of manual steps involved, with one engineer building a feature then creating a pull request, and a QA or another engineer validating the feature. Then it gets merged and someone else will take care of the deployment. So we had bottlenecks in the pipeline to ship a feature to production." <br><br> At the same time, the engineering team of 40 was growing, and the company wanted to add an increasing number of features to its products. As a member of the platform team, Lacerte began hearing from multiple teams that wanted to deploy applications using different frameworks and languages, from <a href="https://nodejs.org/">Node.js</a> to <a href="https://spring.io/projects/spring-boot">Spring Boot Java</a>. He soon realized that in order to both support growth and increase velocity, the company needed a better infrastructure, and a system in which teams are autonomous, can do their own deploys, and be responsible for their services in production. </div> </section> <div class="banner3" style="background-image: url('/images/case-studies/appdirect/banner3.jpg')"> <div class="banner3text"> "We made the right decisions at the right time. Kubernetes and the cloud native technologies are now seen as the de facto ecosystem. We know where to focus our efforts in order to tackle the new wave of challenges we face as we scale out. The community is so active and vibrant, which is a great complement to our awesome internal team."<br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>- Alexandre Gervais, Staff Software Developer, AppDirect </span> </div> </div> <section class="section3"> <div class="fullcol"> From the beginning, Lacerte says, "My idea was: Let’s create an environment where teams can deploy their services faster, and they will say, ‘Okay, I don’t want to build in the monolith anymore. I want to build a service.’" (Lacerte left the company in 2019.)<br><br> Working with the operations team, Lacerte’s group got more control and access to the company’s <a href="https://aws.amazon.com/">AWS infrastructure</a>, and started prototyping several orchestration technologies. "Back then, Kubernetes was a little underground, unknown," he says. "But we looked at the community, the number of pull requests, the velocity on GitHub, and we saw it was getting traction. And we found that it was much easier for us to manage than the other technologies." They spun up the first few services on Kubernetes using <a href="https://www.chef.io/">Chef</a> and <a href="https://www.terraform.io/">Terraform</a> provisioning, and as more services were added, more automation was, too. "We have clusters around the world—in Korea, in Australia, in Germany, and in the U.S.," says Lacerte. "Automation is critical for us." They’re now largely using <a href="https://github.com/kubernetes/kops">Kops</a>, and are looking at managed Kubernetes offerings from several cloud providers.<br><br> Today, though the monolith still exists, there are fewer and fewer commits and features. All teams are deploying on the new infrastructure, and services are the norm. AppDirect now has more than 50 microservices in production and 15 Kubernetes clusters deployed on AWS and on premise around the world.<br><br> Lacerte’s strategy ultimately worked because of the very real impact the Kubernetes platform has had to deployment time. Due to less dependency on custom-made, brittle shell scripts with SCP commands, time to deploy a new version has shrunk from 4 hours to a few minutes. Additionally, the company invested a lot of effort to make things self-service for developers. "Onboarding a new service doesn’t require <a href="https://www.atlassian.com/software/jira">Jira</a> tickets or meeting with three different teams," says Lacerte. Today, the company sees 1,600 deployments per week, compared to 1-30 before. </div> </section> <div class="banner4" style="background-image: url('/images/case-studies/appdirect/banner4.jpg');width:100%;"> <div class="banner4text"> "I think our velocity would have slowed down a lot if we didn’t have this new infrastructure."<br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>- Pierre-Alexandre Lacerte, Director of Software Development, AppDirect</span> </div> </div> <section class="section5" style="padding:0px !important"> <div class="fullcol"> Additionally, the Kubernetes platform has helped support the engineering team’s 10x growth over the past few years. "Ownership, a core value of AppDirect, reflects in our ability to ship services independently of our monolith code base," says Staff Software Developer Alexandre Gervais, who worked with Lacerte on the initiative. "Small teams now own critical parts of our business domain model, and they operate in their decoupled domain of expertise, with limited knowledge of the entire codebase. This reduces and isolates some of the complexity." Coupled with the fact that they were continually adding new features, Lacerte says, "I think our velocity would have slowed down a lot if we didn’t have this new infrastructure." The company also achieved cost savings by moving its marketplace and billing monoliths to Kubernetes from legacy EC2 hosts as well as by leveraging autoscaling, as traffic is higher during business hours.<br><br> AppDirect’s cloud native stack also includes <a href="https://grpc.io/">gRPC</a> and <a href="https://www.fluentd.org/">Fluentd</a>, and the team is currently working on setting up <a href="https://opencensus.io/">OpenCensus</a>. The platform already has <a href="https://prometheus.io/">Prometheus</a> integrated, so "when teams deploy their service, they have their notifications, alerts and configurations," says Lacerte. "For example, in the test environment, I want to get a message on Slack, and in production, I want a <a href="https://slack.com/">Slack</a> message and I also want to get paged. We have integration with pager duty. Teams have more ownership on their services." </div> <div class="banner5" > <div class="banner5text"> "We moved from a culture limited to ‘pushing code in a branch’ to exciting new responsibilities outside of the code base: deployment of features and configurations; monitoring of application and business metrics; and on-call support in case of outages. It was an immense engineering culture shift, but the benefits are undeniable in terms of scale and speed."<br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>- Pierre-Alexandre Lacerte, Director of Software Development, AppDirect</span></div> </div> <div class="fullcol"> That of course also means more responsibility. "We asked engineers to expand their horizons," says Gervais. "We moved from a culture limited to ‘pushing code in a branch’ to exciting new responsibilities outside of the code base: deployment of features and configurations; monitoring of application and business metrics; and on-call support in case of outages. It was an immense engineering culture shift, but the benefits are undeniable in terms of scale and speed." <br><br> As the engineering ranks continue to grow, the platform team has a new challenge, of making sure that the Kubernetes platform is accessible and easily utilized by everyone. "How can we make sure that when we add more people to our team that they are efficient, productive, and know how to ramp up on the platform?" Lacerte says. So we have the evangelists, the documentation, some project examples. We do demos, we have AMA sessions. We’re trying different strategies to get everyone’s attention."<br><br> Three and a half years into their Kubernetes journey, Gervais feels AppDirect "made the right decisions at the right time," he says. "Kubernetes and the cloud native technologies are now seen as the de facto ecosystem. We know where to focus our efforts in order to tackle the new wave of challenges we face as we scale out. The community is so active and vibrant, which is a great complement to our awesome internal team. Going forward, our focus will really be geared towards benefiting from the ecosystem by providing added business value in our day-to-day operations." </div> </section>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authentication-resources/certificate-signing-request-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authentication-resources/certificate-signing-request-v1/<!-- api_metadata: apiVersion: "certificates.k8s.io/v1" import: "k8s.io/api/certificates/v1" kind: "CertificateSigningRequest" content_type: "api_reference" description: "CertificateSigningRequest objects provide a mechanism to obtain x509 certificates by submitting a certificate signing request, and having it asynchronously approved and issued." title: "CertificateSigningRequest" weight: 4 auto_generated: true --> <p><code>apiVersion: certificates.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/certificates/v1&quot;</code></p> <!-- ## CertificateSigningRequest {#CertificateSigningRequest} --> <h2 id="CertificateSigningRequest">证书签名请求 CertificateSigningRequest</h2> <!-- CertificateSigningRequest objects provide a mechanism to obtain x509 certificates by submitting a certificate signing request, and having it asynchronously approved and issued. Kubelets use this API to obtain: 1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName). 2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName). --> <p>CertificateSigningRequest 对象提供了一种通过提交证书签名请求并异步批准和颁发 x509 证书的机制。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-node-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-node-v1/<!-- api_metadata: apiVersion: "storage.k8s.io/v1" import: "k8s.io/api/storage/v1" kind: "CSINode" content_type: "api_reference" description: "CSINode holds information about all CSI drivers installed on a node." title: "CSINode" weight: 4 --> <p><code>apiVersion: storage.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/storage/v1&quot;</code></p> <h2 id="CSINode">CSINode</h2> <!-- CSINode holds information about all CSI drivers installed on a node. CSI drivers do not need to create the CSINode object directly. As long as they use the node-driver-registrar sidecar container, the kubelet will automatically populate the CSINode object for the CSI driver as part of kubelet plugin registration. CSINode has the same name as a node. If the object is missing, it means either there are no CSI Drivers available on the node, or the Kubelet version is low enough that it doesn't create this object. CSINode has an OwnerReference that points to the corresponding node object. --> <p>CSINode 包含节点上安装的所有 CSI 驱动有关的信息。CSI 驱动不需要直接创建 CSINode 对象。 只要这些驱动使用 node-driver-registrar 边车容器，kubelet 就会自动为 CSI 驱动填充 CSINode 对象， 作为 kubelet 插件注册操作的一部分。CSINode 的名称与节点名称相同。 如果不存在此对象，则说明该节点上没有可用的 CSI 驱动或 Kubelet 版本太低无法创建该对象。 CSINode 包含指向相应节点对象的 OwnerReference。</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/denso/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/denso/<h2>Challenge</h2> <p>DENSO Corporation is one of the biggest automotive components suppliers in the world. With the advent of connected cars, the company launched a Digital Innovation Department to expand into software, working on vehicle edge and vehicle cloud products. But there were several technical challenges to creating an integrated vehicle edge/cloud platform: "the amount of computing resources, the occasional lack of mobile signal, and an enormous number of distributed vehicles," says R&D Product Manager Seiichi Koizumi.</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/service-resources/ingress-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/service-resources/ingress-v1/<!-- api_metadata: apiVersion: "networking.k8s.io/v1" import: "k8s.io/api/networking/v1" kind: "Ingress" content_type: "api_reference" description: "Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend." title: "Ingress" weight: 4 auto_generated: true --> <p><code>apiVersion: networking.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/networking/v1&quot;</code></p> <!-- ## Ingress {#Ingress} Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc. --> <h2 id="Ingress">Ingress</h2> <p>Ingress 是允许入站连接到达后端定义的端点的规则集合。 Ingress 可以配置为向服务提供外部可访问的 URL、负载均衡流量、终止 SSL、提供基于名称的虚拟主机等。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/ip-address-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/ip-address-v1/<!-- api_metadata: apiVersion: "networking.k8s.io/v1" import: "k8s.io/api/networking/v1" kind: "IPAddress" content_type: "api_reference" description: "IPAddress represents a single IP of a single IP Family." title: "IPAddress" weight: 4 auto_generated: true --> <p><code>apiVersion: networking.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/networking/v1&quot;</code></p> <h2 id="IPAddress">IPAddress</h2> <!-- IPAddress represents a single IP of a single IP Family. The object is designed to be used by APIs that operate on IP addresses. The object is used by the Service core API for allocation of IP addresses. An IP address can be represented in different formats, to guarantee the uniqueness of the IP, the name of the object is the IP address in canonical format, four decimal digits separated by dots suppressing leading zeros for IPv4 and the representation defined by RFC 5952 for IPv6. Valid: 192.168.1.5 or 2001:db8::1 or 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1 Invalid: 10.01.2.3 or 2001:db8:0:0:0::1 --> <p>IPAddress 表示单个 IP 族的单个 IP。此对象旨在供操作 IP 地址的 API 使用。 此对象由 Service 核心 API 用于分配 IP 地址。 IP 地址可以用不同的格式表示，为了保证 IP 地址的唯一性，此对象的名称是格式规范的 IP 地址。 IPv4 地址由点分隔的四个十进制数字组成，前导零可省略；IPv6 地址按照 RFC 5952 的定义来表示。 有效值：192.168.1.5、2001:db8::1 或 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1。 无效值：10.01.2.3 或 2001:db8:0:0:0::1。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/local-object-reference/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/local-object-reference/<!-- api_metadata: apiVersion: "" import: "k8s.io/api/core/v1" kind: "LocalObjectReference" content_type: "api_reference" description: "LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace." title: "LocalObjectReference" weight: 4 auto_generated: true --> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <!-- LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. --> <p>LocalObjectReference 包含足够的信息，可以让你在同一命名空间（namespace）内找到引用的对象。</p> <hr> <!-- - **name** (string) Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names --> <ul> <li> <p><strong>name</strong> (string)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/network-policy-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/network-policy-v1/<!-- api_metadata: apiVersion: "networking.k8s.io/v1" import: "k8s.io/api/networking/v1" kind: "NetworkPolicy" content_type: "api_reference" description: "NetworkPolicy describes what network traffic is allowed for a set of Pods." title: "NetworkPolicy" weight: 4 auto_generated: true --> <p><code>apiVersion: networking.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/networking/v1&quot;</code></p> <h2 id="NetworkPolicy">NetworkPolicy</h2> <!-- NetworkPolicy describes what network traffic is allowed for a set of Pods --> <p>NetworkPolicy 描述针对一组 Pod 所允许的网络流量。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: networking.k8s.io/v1</p> </li> <li> <p><strong>kind</strong>: NetworkPolicy</p> </li> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p> <!-- Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <p>标准的对象元数据。更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</a></p> </li> <li> <p><strong>spec</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/network-policy-v1/#NetworkPolicySpec">NetworkPolicySpec</a>)</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/ocado/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/ocado/<h2>Challenge</h2> <p>The world's largest online-only grocery retailer, <a href="http://www.ocadogroup.com/">Ocado</a> developed the Ocado Smart Platform to manage its own operations, from websites to warehouses, and is now licensing the technology to other retailers such as <a href="http://fortune.com/2018/05/17/ocado-kroger-warehouse-automation-amazon-walmart/">Kroger</a>. To set up the first warehouses for the platform, Ocado shifted from virtual machines and <a href="https://puppet.com/">Puppet</a> infrastructure to <a href="https://www.docker.com/">Docker</a> containers, using CoreOS's <a href="https://github.com/coreos/fleet">fleet</a> scheduler to provision all the services on its <a href="https://www.openstack.org/">OpenStack</a>-based private cloud on bare metal. As the Smart Platform grew and "fleet was going end-of-life," says Platform Engineer Mike Bryant, "we started looking for a more complete platform, with all of these disparate infrastructure services being brought together in one unified API."</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/replica-set-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/replica-set-v1/<!-- api_metadata: apiVersion: "apps/v1" import: "k8s.io/api/apps/v1" kind: "ReplicaSet" content_type: "api_reference" description: "ReplicaSet ensures that a specified number of pod replicas are running at any given time." title: "ReplicaSet" weight: 4 auto_generated: true --> <p><code>apiVersion: apps/v1</code></p> <p><code>import &quot;k8s.io/api/apps/v1&quot;</code></p> <h2 id="ReplicaSet">ReplicaSet</h2> <!-- ReplicaSet ensures that a specified number of pod replicas are running at any given time. --> <p>ReplicaSet 确保在任何给定的时刻都在运行指定数量的 Pod 副本。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: apps/v1</p> </li> <li> <p><strong>kind</strong>: ReplicaSet</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) If the Labels of a ReplicaSet are empty, they are defaulted to be the same as the Pod(s) that the ReplicaSet manages. Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - **spec** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/replica-set-v1/#ReplicaSetSpec">ReplicaSetSpec</a>) Spec defines the specification of the desired behavior of the ReplicaSet. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/replication-controller-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/replication-controller-v1/<!-- api_metadata: apiVersion: "v1" import: "k8s.io/api/core/v1" kind: "ReplicationController" content_type: "api_reference" description: "ReplicationController represents the configuration of a replication controller." title: "ReplicationController" weight: 4 auto_generated: true --> <p><code>apiVersion: v1</code></p> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <h2 id="ReplicationController">ReplicationController</h2> <!-- ReplicationController represents the configuration of a replication controller. --> <p>ReplicationController 表示一个副本控制器的配置。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: v1</p> </li> <li> <p><strong>kind</strong>: ReplicationController</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) If the Labels of a ReplicationController are empty, they are defaulted to be the same as the Pod(s) that the replication controller manages. Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - **spec** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/replication-controller-v1/#ReplicationControllerSpec">ReplicationControllerSpec</a>) Spec defines the specification of the desired behavior of the replication controller. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/subject-access-review-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/subject-access-review-v1/<!-- api_metadata: apiVersion: "authorization.k8s.io/v1" import: "k8s.io/api/authorization/v1" kind: "SubjectAccessReview" content_type: "api_reference" description: "SubjectAccessReview checks whether or not a user or group can perform an action." title: "SubjectAccessReview" weight: 4 --> <p><code>apiVersion: authorization.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/authorization/v1&quot;</code></p> <h2 id="SubjectAccessReview">SubjectAccessReview</h2> <!-- SubjectAccessReview checks whether or not a user or group can perform an action. --> <p>SubjectAccessReview 检查用户或组是否可以执行某操作。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: authorization.k8s.io/v1</p> </li> <li> <p><strong>kind</strong>: SubjectAccessReview</p> </li> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p> <!-- Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <p>标准的列表元数据。更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</a></p> </li> </ul> <!-- - **spec** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/subject-access-review-v1/#SubjectAccessReviewSpec">SubjectAccessReviewSpec</a>), required Spec holds information about the request being evaluated - **status** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/subject-access-review-v1/#SubjectAccessReviewStatus">SubjectAccessReviewStatus</a>) Status is filled in by the server and indicates whether the request is allowed or not --> <ul> <li> <p><strong>spec</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/subject-access-review-v1/#SubjectAccessReviewSpec">SubjectAccessReviewSpec</a>)，必需</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/<!-- api_metadata: apiVersion: "admissionregistration.k8s.io/v1" import: "k8s.io/api/admissionregistration/v1" kind: "ValidatingWebhookConfiguration" content_type: "api_reference" description: "ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it." title: "ValidatingWebhookConfiguration" weight: 4 --> <p><code>apiVersion: admissionregistration.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/admissionregistration/v1&quot;</code></p> <h2 id="validatingWebhookConfiguration">ValidatingWebhookConfiguration</h2> <!-- ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it. --> <p>ValidatingWebhookConfiguration 描述准入 Webhook 的配置，此 Webhook 可在不更改对象的情况下接受或拒绝对象请求。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: admissionregistration.k8s.io/v1</p> </li> <li> <p><strong>kind</strong>: ValidatingWebhookConfiguration</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/<!-- api_metadata: apiVersion: "rbac.authorization.k8s.io/v1" import: "k8s.io/api/rbac/v1" kind: "ClusterRole" content_type: "api_reference" description: "ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding." title: "ClusterRole" weight: 5 auto_generated: true --> <p><code>apiVersion: rbac.authorization.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/rbac/v1&quot;</code></p> <!-- ## ClusterRole {#ClusterRole} ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding. <hr> --> <h2 id="ClusterRole">ClusterRole</h2> <p>ClusterRole 是一个集群级别的 PolicyRule 逻辑分组， 可以被 RoleBinding 或 ClusterRoleBinding 作为一个单元引用。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authentication-resources/cluster-trust-bundle-v1beta1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authentication-resources/cluster-trust-bundle-v1beta1/<!-- api_metadata: apiVersion: "certificates.k8s.io/v1beta1" import: "k8s.io/api/certificates/v1beta1" kind: "ClusterTrustBundle" content_type: "api_reference" description: "ClusterTrustBundle is a cluster-scoped container for X." title: "ClusterTrustBundle v1beta1" weight: 5 auto_generated: true --> <p><code>apiVersion: certificates.k8s.io/v1beta1</code></p> <p><code>import &quot;k8s.io/api/certificates/v1beta1&quot;</code></p> <h2 id="ClusterTrustBundle">ClusterTrustBundle</h2> <!-- ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates). ClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to. --> <p>ClusterTrustBundle 是一个集群范围的容器，用于存放 X.509 信任锚（根证书）。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/csi-storage-capacity-v1/<!-- api_metadata: apiVersion: "storage.k8s.io/v1" import: "k8s.io/api/storage/v1" kind: "CSIStorageCapacity" content_type: "api_reference" description: "CSIStorageCapacity stores the result of one CSI GetCapacity call." title: "CSIStorageCapacity" weight: 5 --> <p><code>apiVersion: storage.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/storage/v1&quot;</code></p> <h2 id="CSIStorageCapacity">CSIStorageCapacity</h2> <!-- CSIStorageCapacity stores the result of one CSI GetCapacity call. For a given StorageClass, this describes the available capacity in a particular topology segment. This can be used when considering where to instantiate new PersistentVolumes. For example this can express things like: - StorageClass "standard" has "1234 GiB" available in "topology.kubernetes.io/zone=us-east1" - StorageClass "localssd" has "10 GiB" available in "kubernetes.io/hostname=knode-abc123" The following three cases all imply that no capacity is available for a certain combination: - no object exists with suitable topology and storage class name - such an object exists, but the capacity is unset - such an object exists, but the capacity is zero --> <p>CSIStorageCapacity 存储一个 CSI GetCapacity 调用的结果。 对于给定的 StorageClass，此结构描述了特定拓扑段中可用的容量。 当考虑在哪里实例化新的 PersistentVolume 时可以使用此项。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/service-resources/ingress-class-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/service-resources/ingress-class-v1/<!-- api_metadata: apiVersion: "networking.k8s.io/v1" import: "k8s.io/api/networking/v1" kind: "IngressClass" content_type: "api_reference" description: "IngressClass represents the class of the Ingress, referenced by the Ingress Spec." title: "IngressClass" weight: 5 auto_generated: true --> <p><code>apiVersion: networking.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/networking/v1&quot;</code></p> <!-- ## IngressClass {#IngressClass} IngressClass represents the class of the Ingress, referenced by the Ingress Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be used to indicate that an IngressClass should be considered default. When a single IngressClass resource has this annotation set to true, new Ingress resources without a class specified will be assigned this default class. --> <h2 id="IngressClass">IngressClass</h2> <p>IngressClass 代表 Ingress 的类，被 Ingress 的规约引用。 <code>ingressclass.kubernetes.io/is-default-class</code> 注解可以用来标明一个 IngressClass 应该被视为默认的 Ingress 类。 当某个 IngressClass 资源将此注解设置为 true 时， 没有指定类的新 Ingress 资源将被分配到此默认类。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/lease-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/lease-v1/<!-- api_metadata: apiVersion: "coordination.k8s.io/v1" import: "k8s.io/api/coordination/v1" kind: "Lease" content_type: "api_reference" description: "Lease defines a lease concept." title: "Lease" weight: 5 auto_generated: true --> <p><code>apiVersion: coordination.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/coordination/v1&quot;</code></p> <h2 id="Lease">Lease</h2> <!-- Lease defines a lease concept. --> <p>Lease 定义了租约的概念。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: coordination.k8s.io/v1</p> </li> <li> <p><strong>kind</strong>: Lease</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - **spec** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/lease-v1/#LeaseSpec">LeaseSpec</a>) spec contains the specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p> <p>更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</a></p> </li> <li> <p><strong>spec</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/lease-v1/#LeaseSpec">LeaseSpec</a>)</p> <p>spec 包含 Lease 的规约。更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status</a></p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/node-selector-requirement/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/node-selector-requirement/<!--- api_metadata: apiVersion: "" import: "k8s.io/api/core/v1" kind: "NodeSelectorRequirement" content_type: "api_reference" description: "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values." title: "NodeSelectorRequirement" weight: 5 auto_generated: true --> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <!-- A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. --> <p>节点选择算符需求是一个选择算符，其中包含值集、主键以及一个将键和值集关联起来的操作符。</p> <hr> <!-- - **key** (string), required The label key that the selector applies to. - **operator** (string), required Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. --> <ul> <li> <p><strong>key</strong> (string)，必需</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/<!-- api_metadata: apiVersion: "policy/v1" import: "k8s.io/api/policy/v1" kind: "PodDisruptionBudget" content_type: "api_reference" description: "PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods." title: "PodDisruptionBudget" weight: 5 auto_generated: true --> <p><code>apiVersion: policy/v1</code></p> <p><code>import &quot;k8s.io/api/policy/v1&quot;</code></p> <h2 id="PodDisruptionBudget">PodDisruptionBudget</h2> <!-- PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods --> <p>PodDisruptionBudget 是一个对象，用于定义可能对一组 Pod 造成的最大干扰。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: policy/v1</p> </li> <li> <p><strong>kind</strong>: PodDisruptionBudget</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/<!-- approvers: - chenopis - abiogenesis-now title: Glossary layout: glossary noedit: true body_class: glossary default_active_tag: fundamental weight: 5 card: name: reference weight: 10 title: Glossary -->https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-daemon/create-daemon-set/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-daemon/create-daemon-set/<!-- title: Building a Basic DaemonSet content_type: task weight: 5 --> <!-- overview --> <!-- This page demonstrates how to build a basic <a class='glossary-tooltip' title='确保 Pod 的副本在集群中的一组节点上运行。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/daemonset/' target='_blank' aria-label='DaemonSet'>DaemonSet</a> that runs a Pod on every node in a Kubernetes cluster. It covers a simple use case of mounting a file from the host, logging its contents using an [init container](/docs/concepts/workloads/pods/init-containers/), and utilizing a pause container. --> <p>本页演示如何构建一个基本的 <a class='glossary-tooltip' title='确保 Pod 的副本在集群中的一组节点上运行。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/daemonset/' target='_blank' aria-label='DaemonSet'>DaemonSet</a>， 用其在 Kubernetes 集群中的每个节点上运行 Pod。 这个简单的使用场景包含了从主机挂载一个文件，使用 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/init-containers/">Init 容器</a>记录文件的内容， 以及使用 <code>pause</code> 容器。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/hello-minikube/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/hello-minikube/<!-- title: Hello Minikube content_type: tutorial weight: 5 card: name: tutorials weight: 10 --> <!-- overview --> <!-- This tutorial shows you how to run a sample app on Kubernetes using minikube. The tutorial provides a container image that uses NGINX to echo back all the requests. --> <p>本教程向你展示如何使用 Minikube 在 Kubernetes 上运行一个应用示例。 教程提供了容器镜像，使用 NGINX 来对所有请求做出回应。</p> <h2 id="教程目标">教程目标</h2> <!-- * Deploy a sample application to minikube. * Run the app. * View application logs. --> <ul> <li>将一个示例应用部署到 Minikube。</li> <li>运行应用程序。</li> <li>查看应用日志。</li> </ul> <h2 id="准备开始">准备开始</h2> <!-- This tutorial assumes that you have already set up `minikube`. See __Step 1__ in [minikube start](https://minikube.sigs.k8s.io/docs/start/) for installation instructions. --> <p>本教程假设你已经安装了 <code>minikube</code>。 有关安装说明，请参阅 <a href="https://minikube.sigs.k8s.io/docs/start/">minikube start</a> 的<strong>步骤 1</strong>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1/<!-- api_metadata: apiVersion: "rbac.authorization.k8s.io/v1" import: "k8s.io/api/rbac/v1" kind: "ClusterRoleBinding" content_type: "api_reference" description: "ClusterRoleBinding references a ClusterRole, but not contain it." title: "ClusterRoleBinding" weight: 6 auto_generated: true --> <p><code>apiVersion: rbac.authorization.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/rbac/v1&quot;</code></p> <!-- ## ClusterRoleBinding {#ClusterRoleBinding} ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject. --> <h2 id="ClusterRoleBinding">ClusterRoleBinding</h2> <p>ClusterRoleBinding 引用 ClusterRole，但不包含它。 它可以引用全局命名空间中的 ClusterRole，并通过 Subject 添加主体信息。</p> <!-- <hr> - **apiVersion**: rbac.authorization.k8s.io/v1 - **kind**: ClusterRoleBinding - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object's metadata. --> <hr> <ul> <li> <p><strong>apiVersion</strong>: rbac.authorization.k8s.io/v1</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/deployment-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/deployment-v1/<!-- api_metadata: apiVersion: "apps/v1" import: "k8s.io/api/apps/v1" kind: "Deployment" content_type: "api_reference" description: "Deployment enables declarative updates for Pods and ReplicaSets." title: "Deployment" weight: 6 auto_generated: true --> <p><code>apiVersion: apps/v1</code></p> <p><code>import &quot;k8s.io/api/apps/v1&quot;</code></p> <h2 id="Deployment">Deployment</h2> <!-- Deployment enables declarative updates for Pods and ReplicaSets. --> <p>Deployment 使得 Pod 和 ReplicaSet 能够进行声明式更新。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: apps/v1</p> </li> <li> <p><strong>kind</strong>: Deployment</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - **spec** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/deployment-v1/#DeploymentSpec">DeploymentSpec</a>) Specification of the desired behavior of the Deployment. - **status** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/deployment-v1/#DeploymentStatus">DeploymentStatus</a>) Most recently observed status of the Deployment. --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/lease-candidate-v1beta1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/lease-candidate-v1beta1/<!-- api_metadata: apiVersion: "coordination.k8s.io/v1beta1" import: "k8s.io/api/coordination/v1beta1" kind: "LeaseCandidate" content_type: "api_reference" description: "LeaseCandidate defines a candidate for a Lease object." title: "LeaseCandidate v1beta1" weight: 6 auto_generated: true --> <p><code>apiVersion: coordination.k8s.io/v1beta1</code></p> <p><code>import &quot;k8s.io/api/coordination/v1beta1&quot;</code></p> <h2 id="LeaseCandidate">LeaseCandidate</h2> <!-- LeaseCandidate defines a candidate for a Lease object. Candidates are created such that coordinated leader election will pick the best leader from the list of candidates. --> <p>LeaseCandidate 定义一个 Lease 对象的候选者。 通过创建候选者，协同式领导者选举能够从候选者列表中选出最佳的领导者。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: coordination.k8s.io/v1beta1</p> </li> <li> <p><strong>kind</strong>: LeaseCandidate</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - **spec** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/lease-candidate-v1beta1/#LeaseCandidateSpec">LeaseCandidateSpec</a>) spec contains the specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-field-selector/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-field-selector/<!-- api_metadata: apiVersion: "" import: "k8s.io/api/core/v1" kind: "ObjectFieldSelector" content_type: "api_reference" description: "ObjectFieldSelector selects an APIVersioned field of an object." title: "ObjectFieldSelector" weight: 6 auto_generated: true --> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <!-- ObjectFieldSelector selects an APIVersioned field of an object. --> <p>ObjectFieldSelector 选择对象的 APIVersioned 字段。</p> <hr> <!-- - **fieldPath** (string), required Path of the field to select in the specified API version. - **apiVersion** (string) Version of the schema the FieldPath is written in terms of, defaults to "v1". --> <ul> <li> <p><strong>fieldPath</strong> (string)，必需</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/<!-- api_metadata: apiVersion: "v1" import: "k8s.io/api/core/v1" kind: "PersistentVolumeClaim" content_type: "api_reference" description: "PersistentVolumeClaim is a user's request for and claim to a persistent volume." title: "PersistentVolumeClaim" weight: 6 --> <p><code>apiVersion: v1</code></p> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <h2 id="PersistentVolumeClaim">PersistentVolumeClaim</h2> <!-- PersistentVolumeClaim is a user's request for and claim to a persistent volume --> <p>PersistentVolumeClaim 是用户针对一个持久卷的请求和申领。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: v1</p> </li> <li> <p><strong>kind</strong>: PersistentVolumeClaim</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - **spec** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/#PersistentVolumeClaimSpec">PersistentVolumeClaimSpec</a>) spec defines the desired characteristics of a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/priority-level-configuration-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/priority-level-configuration-v1/<!-- api_metadata: apiVersion: "flowcontrol.apiserver.k8s.io/v1" import: "k8s.io/api/flowcontrol/v1" kind: "PriorityLevelConfiguration" content_type: "api_reference" description: "PriorityLevelConfiguration represents the configuration of a priority level." title: "PriorityLevelConfiguration" weight: 6 auto_generated: true --> <p><code>apiVersion: flowcontrol.apiserver.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/flowcontrol/v1&quot;</code></p> <h2 id="PriorityLevelConfiguration">PriorityLevelConfiguration</h2> <!-- PriorityLevelConfiguration represents the configuration of a priority level. --> <p>PriorityLevelConfiguration 表示一个优先级的配置。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: flowcontrol.apiserver.k8s.io/v1</p> </li> <li> <p><strong>kind</strong>: PriorityLevelConfiguration</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) `metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - **spec** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/priority-level-configuration-v1/#PriorityLevelConfigurationSpec">PriorityLevelConfigurationSpec</a>) `spec` is the specification of the desired behavior of a "request-priority". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authentication-resources/self-subject-review-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authentication-resources/self-subject-review-v1/<!-- api_metadata: apiVersion: "authentication.k8s.io/v1" import: "k8s.io/api/authentication/v1" kind: "SelfSubjectReview" content_type: "api_reference" description: "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request." title: "SelfSubjectReview" weight: 6 auto_generated: true --> <p><code>apiVersion: authentication.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/authentication/v1&quot;</code></p> <h2 id="SelfSubjectReview">SelfSubjectReview</h2> <!-- SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase. --> <p>SelfSubjectReview 包含 kube-apiserver 所拥有的与发出此请求的用户有关的用户信息。 使用伪装时，用户将收到被伪装用户的用户信息。 如果使用伪装或请求头部进行身份验证，则所有额外的键都将被忽略大小写并以小写形式返回结果。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/namespace-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/namespace-v1/<!-- api_metadata: apiVersion: "v1" import: "k8s.io/api/core/v1" kind: "Namespace" content_type: "api_reference" description: "Namespace provides a scope for Names." title: "Namespace" weight: 7 auto_generated: true --> <p><code>apiVersion: v1</code></p> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <h2 id="Namespace">Namespace</h2> <!-- Namespace provides a scope for Names. Use of multiple namespaces is optional. --> <p>Namespace 为名字提供作用域。使用多个命名空间是可选的。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: v1</p> </li> <li> <p><strong>kind</strong>: Namespace</p> </li> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p> <!-- Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <p>标准的对象元数据。更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</a></p> </li> <li> <p><strong>spec</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/namespace-v1/#NamespaceSpec">NamespaceSpec</a>)</p> <!-- Spec defines the behavior of the Namespace. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status --> <p><code>spec</code> 定义了 Namespace 的行为。更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status</a></p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/<!-- api_metadata: apiVersion: "" import: "k8s.io/apimachinery/pkg/apis/meta/v1" kind: "ObjectMeta" content_type: "api_reference" description: "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create." title: "ObjectMeta" weight: 7 auto_generated: true --> <p><code>import &quot;k8s.io/apimachinery/pkg/apis/meta/v1&quot;</code></p> <!-- ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create. --> <p>ObjectMeta 是所有持久化资源必须具有的元数据，其中包括用户必须创建的所有对象。</p> <hr> <ul> <li> <p><strong>name</strong> (string)</p> <!-- Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names --> <p>name 在命名空间内必须是唯一的。创建资源时需要，尽管某些资源可能允许客户端请求自动地生成适当的名称。 名称主要用于创建幂等性和配置定义。无法更新。更多信息： <a href="https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/names#names">https://kubernetes.io/zh-cn/docs/concepts/overview/working-with-objects/names#names</a></p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-v1/<!-- api_metadata: apiVersion: "v1" import: "k8s.io/api/core/v1" kind: "PersistentVolume" content_type: "api_reference" description: "PersistentVolume (PV) is a storage resource provisioned by an administrator." title: "PersistentVolume" weight: 7 auto_generated: true --> <p><code>apiVersion: v1</code></p> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <h2 id="PersistentVolume">PersistentVolume</h2> <!-- PersistentVolume (PV) is a storage resource provisioned by an administrator. It is analogous to a node. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes --> <p>PersistentVolume (PV) 是管理员制备的一个存储资源。它类似于一个节点。更多信息： <a href="https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes">https://kubernetes.io/zh-cn/docs/concepts/storage/persistent-volumes</a></p> <hr> <ul> <li> <p><strong>apiVersion</strong>: v1</p> </li> <li> <p><strong>kind</strong>: PersistentVolume</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - **spec** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-v1/#PersistentVolumeSpec">PersistentVolumeSpec</a>) spec defines a specification of a persistent volume owned by the cluster. Provisioned by an administrator. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-v1/<!-- api_metadata: apiVersion: "rbac.authorization.k8s.io/v1" import: "k8s.io/api/rbac/v1" kind: "Role" content_type: "api_reference" description: "Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding." title: "Role" weight: 7 auto_generated: true --> <p><code>apiVersion: rbac.authorization.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/rbac/v1&quot;</code></p> <h2 id="Role">Role</h2> <!-- Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding. --> <p>Role 是一个按命名空间划分的 PolicyRule 逻辑分组，可以被 RoleBinding 作为一个单元引用。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: rbac.authorization.k8s.io/v1</p> </li> <li> <p><strong>kind</strong>: Role</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/stateful-set-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/stateful-set-v1/<!-- api_metadata: apiVersion: "apps/v1" import: "k8s.io/api/apps/v1" kind: "StatefulSet" content_type: "api_reference" description: "StatefulSet represents a set of pods with consistent identities." title: "StatefulSet" weight: 7 auto_generated: true --> <p><code>apiVersion: apps/v1</code></p> <p><code>import &quot;k8s.io/api/apps/v1&quot;</code></p> <h2 id="StatefulSet">StatefulSet</h2> <!-- StatefulSet represents a set of pods with consistent identities. Identities are defined as: - Network: A single stable DNS and hostname. - Storage: As many VolumeClaims as requested. The StatefulSet guarantees that a given network identity will always map to the same storage identity. --> <p>StatefulSet 表示一组具有一致身份的 Pod。身份定义为：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/validating-admission-policy-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/validating-admission-policy-v1/<!-- api_metadata: apiVersion: "admissionregistration.k8s.io/v1" import: "k8s.io/api/admissionregistration/v1" kind: "ValidatingAdmissionPolicy" content_type: "api_reference" description: "ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it." title: "ValidatingAdmissionPolicy" weight: 7 auto_generated: true --> <p><code>apiVersion: admissionregistration.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/admissionregistration/v1&quot;</code></p> <h2 id="ValidatingAdmissionPolicy">ValidatingAdmissionPolicy</h2> <!-- ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it. --> <p>ValidatingAdmissionPolicy 描述了一种准入验证策略的定义， 这种策略用于接受或拒绝一个对象，而不对其进行修改。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: admissionregistration.k8s.io/v1</p> </li> <li> <p><strong>kind</strong>: ValidatingAdmissionPolicy</p> </li> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/controller-revision-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/controller-revision-v1/<!-- api_metadata: apiVersion: "apps/v1" import: "k8s.io/api/apps/v1" kind: "ControllerRevision" content_type: "api_reference" description: "ControllerRevision implements an immutable snapshot of state data." title: "ControllerRevision" weight: 8 auto_generated: true --> <p><code>apiVersion: apps/v1</code></p> <p><code>import &quot;k8s.io/api/apps/v1&quot;</code></p> <!-- ## ControllerRevision {#ControllerRevision --> <h2 id="ControllerRevision">ControllerRevision</h2> <!-- ControllerRevision implements an immutable snapshot of state data. Clients are responsible for serializing and deserializing the objects that contain their internal state. Once a ControllerRevision has been successfully created, it can not be updated. The API Server will fail validation of all requests that attempt to mutate the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However, it may be subject to name and representation changes in future releases, and clients should not depend on its stability. It is primarily for internal use by controllers. --> <p>ControllerRevision 实现了状态数据的不可变快照。 客户端负责序列化和反序列化对象，包含对象内部状态。 成功创建 ControllerRevision 后，将无法对其进行更新。 API 服务器将无法成功验证所有尝试改变 data 字段的请求。 但是，可以删除 ControllerRevisions。 请注意，由于 DaemonSet 和 StatefulSet 控制器都使用它来进行更新和回滚，所以这个对象是 Beta 版。 但是，它可能会在未来版本中更改名称和表示形式，客户不应依赖其稳定性。 它主要供控制器内部使用。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/node-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/node-v1/<!-- api_metadata: apiVersion: "v1" import: "k8s.io/api/core/v1" kind: "Node" content_type: "api_reference" description: "Node is a worker node in Kubernetes." title: "Node" weight: 8 auto_generated: true --> <p><code>apiVersion: v1</code></p> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <h2 id="Node">Node</h2> <!-- Node is a worker node in Kubernetes. Each node will have a unique identifier in the cache (i.e. in etcd). --> <p>Node 是 Kubernetes 中的工作节点。 每个节点在缓存中（即在 etcd 中）都有一个唯一的标识符。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: v1</p> </li> <li> <p><strong>kind</strong>: Node</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-reference/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-reference/<!-- api_metadata: apiVersion: "" import: "k8s.io/api/core/v1" kind: "ObjectReference" content_type: "api_reference" description: "ObjectReference contains enough information to let you inspect or modify the referred object." title: "ObjectReference" weight: 8 auto_generated: true --> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <!-- ObjectReference contains enough information to let you inspect or modify the referred object. --> <p>ObjectReference 包含足够的信息，允许你检查或修改引用的对象。</p> <hr> <!-- - **apiVersion** (string) API version of the referent. - **fieldPath** (string) If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. --> <ul> <li> <p><strong>apiVersion</strong> (string)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-binding-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/authorization-resources/role-binding-v1/<!-- api_metadata: apiVersion: "rbac.authorization.k8s.io/v1" import: "k8s.io/api/rbac/v1" kind: "RoleBinding" content_type: "api_reference" description: "RoleBinding references a role, but does not contain it." title: "RoleBinding" weight: 8 auto_generated: true --> <p><code>apiVersion: rbac.authorization.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/rbac/v1&quot;</code></p> <h2 id="RoleBinding">RoleBinding</h2> <!-- RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace. --> <p>RoleBinding 引用一个角色，但不包含它。 RoleBinding 可以引用相同命名空间中的 Role 或全局命名空间中的 ClusterRole。 RoleBinding 通过 Subjects 和所在的命名空间信息添加主体信息。 处于给定命名空间中的 RoleBinding 仅在该命名空间中有效。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/storage-class-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/storage-class-v1/<!-- api_metadata: apiVersion: "storage.k8s.io/v1" import: "k8s.io/api/storage/v1" kind: "StorageClass" content_type: "api_reference" description: "StorageClass describes the parameters for a class of storage for which PersistentVolumes can be dynamically provisioned." title: "StorageClass" weight: 8 auto_generated: true --> <p><code>apiVersion: storage.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/storage/v1&quot;</code></p> <h2 id="StorageClass">StorageClass</h2> <!-- StorageClass describes the parameters for a class of storage for which PersistentVolumes can be dynamically provisioned. StorageClasses are non-namespaced; the name of the storage class according to etcd is in ObjectMeta.Name. --> <p>StorageClass 为可以动态制备 PersistentVolume 的存储类描述参数。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/validating-admission-policy-binding-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/validating-admission-policy-binding-v1/<!-- The file is auto-generated from the Go source code of the component using a generic [generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how to generate the reference documentation, please read [Contributing to the reference documentation](/docs/contribute/generate-ref-docs/). To update the reference content, please follow the [Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/) guide. You can file document formatting bugs against the [reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project. To zh-cn localizaation team: We need to have a plan to localize this page. --> <p><code>apiVersion: admissionregistration.k8s.io/v1</code></p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/<!-- api_metadata: apiVersion: "apps/v1" import: "k8s.io/api/apps/v1" kind: "DaemonSet" content_type: "api_reference" description: "DaemonSet represents the configuration of a daemon set." title: "DaemonSet" weight: 9 auto_generated: true --> <p><code>apiVersion: apps/v1</code></p> <p><code>import &quot;k8s.io/api/apps/v1&quot;</code></p> <!-- ## DaemonSet {#DaemonSet} DaemonSet represents the configuration of a daemon set. --> <h2 id="DaemonSet">DaemonSet</h2> <p>DaemonSet 表示守护进程集的配置。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: apps/v1</p> </li> <li> <p><strong>kind</strong>: DaemonSet</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p> <p>标准的对象元数据。更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</a></p> </li> </ul> <!-- - **spec** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec">DaemonSetSpec</a>) The desired behavior of this daemon set. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status --> <ul> <li> <p><strong>spec</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec">DaemonSetSpec</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/patch/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/patch/<!-- api_metadata: apiVersion: "" import: "k8s.io/apimachinery/pkg/apis/meta/v1" kind: "Patch" content_type: "api_reference" description: "Patch is provided to give a concrete name and type to the Kubernetes PATCH request body." title: "Patch" weight: 9 auto_generated: true --> <p><code>import &quot;k8s.io/apimachinery/pkg/apis/meta/v1&quot;</code></p> <!-- Patch is provided to give a concrete name and type to the Kubernetes PATCH request body. --> <p>提供 Patch 是为了给 Kubernetes PATCH 请求正文提供一个具体的名称和类型。</p> <hr>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/runtime-class-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/runtime-class-v1/<!-- api_metadata: apiVersion: "node.k8s.io/v1" import: "k8s.io/api/node/v1" kind: "RuntimeClass" content_type: "api_reference" description: "RuntimeClass defines a class of container runtime supported in the cluster." title: "RuntimeClass" weight: 9 auto_generated: true --> <p><code>apiVersion: node.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/node/v1&quot;</code></p> <h2 id="RuntimeClass">RuntimeClass</h2> <!-- RuntimeClass defines a class of container runtime supported in the cluster. The RuntimeClass is used to determine which container runtime is used to run all containers in a pod. RuntimeClasses are manually defined by a user or cluster provisioner, and referenced in the PodSpec. The Kubelet is responsible for resolving the RuntimeClassName reference before running the pod. For more details, see https://kubernetes.io/docs/concepts/containers/runtime-class/ --> <p>RuntimeClass 定义集群中支持的容器运行时类。 RuntimeClass 用于确定哪个容器运行时用于运行某 Pod 中的所有容器。 RuntimeClass 由用户或集群制备程序手动定义，并在 PodSpec 中引用。 kubelet 负责在运行 Pod 之前解析 RuntimeClassName 引用。 有关更多详细信息，请参阅 <a href="https://kubernetes.io/zh-cn/docs/concepts/containers/runtime-class/">https://kubernetes.io/zh-cn/docs/concepts/containers/runtime-class/</a></p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/storage-version-migration-v1alpha1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/storage-version-migration-v1alpha1/<!-- api_metadata: apiVersion: "storagemigration.k8s.io/v1alpha1" import: "k8s.io/api/storagemigration/v1alpha1" kind: "StorageVersionMigration" content_type: "api_reference" description: "StorageVersionMigration represents a migration of stored data to the latest storage version." title: "StorageVersionMigration v1alpha1" weight: 9 auto_generated: true --> <p><code>apiVersion: storagemigration.k8s.io/v1alpha1</code></p> <p><code>import &quot;k8s.io/api/storagemigration/v1alpha1&quot;</code></p> <h2 id="StorageVersionMigration">StorageVersionMigration</h2> <!-- StorageVersionMigration represents a migration of stored data to the latest storage version. --> <p>StorageVersionMigration 表示存储的数据向最新存储版本的一次迁移。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: storagemigration.k8s.io/v1alpha1</p> </li> <li> <p><strong>kind</strong>: StorageVersionMigration</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - **spec** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/storage-version-migration-v1alpha1/#StorageVersionMigrationSpec">StorageVersionMigrationSpec</a>) Specification of the migration. --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/deployment/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/deployment/<!-- reviewers: - janetkuo title: Deployments api_metadata: - apiVersion: "apps/v1" kind: "Deployment" feature: title: Automated rollouts and rollbacks description: > Kubernetes progressively rolls out changes to your application or its configuration, while monitoring application health to ensure it doesn't kill all your instances at the same time. If something goes wrong, Kubernetes will rollback the change for you. Take advantage of a growing ecosystem of deployment solutions. description: >- A Deployment manages a set of Pods to run an application workload, usually one that doesn't maintain state. content_type: concept weight: 10 hide_summary: true # Listed separately in section index --> <!-- overview --> <!-- A _Deployment_ provides declarative updates for <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pods'>Pods</a> and <a class='glossary-tooltip' title='ReplicaSet 确保一次运行指定数量的 Pod 副本。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/replicaset/' target='_blank' aria-label='ReplicaSets'>ReplicaSets</a>. --> <p>一个 Deployment 为 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 和 <a class='glossary-tooltip' title='ReplicaSet 确保一次运行指定数量的 Pod 副本。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/replicaset/' target='_blank' aria-label='ReplicaSet'>ReplicaSet</a> 提供声明式的更新能力。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/job-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/job-v1/<!-- api_metadata: apiVersion: "batch/v1" import: "k8s.io/api/batch/v1" kind: "Job" content_type: "api_reference" description: "Job represents the configuration of a single job." title: "Job" weight: 10 auto_generated: true --> <p><code>apiVersion: batch/v1</code></p> <p><code>import &quot;k8s.io/api/batch/v1&quot;</code></p> <h2 id="Job">Job</h2> <!-- Job represents the configuration of a single job. --> <p>Job 表示单个任务的配置。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: batch/v1</p> </li> <li> <p><strong>kind</strong>: Job</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p> <p>标准的对象元数据。更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</a></p> </li> </ul> <!-- - **spec** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/job-v1/#JobSpec">JobSpec</a>) Specification of the desired behavior of a job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status --> <ul> <li> <p><strong>spec</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/job-v1/#JobSpec">JobSpec</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/troubleshoot-kubectl/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/troubleshoot-kubectl/<!-- title: "Troubleshooting kubectl" content_type: task weight: 10 --> <!-- overview --> <!-- This documentation is about investigating and diagnosing <a class='glossary-tooltip' title='kubectl 是用来和 Kubernetes 集群进行通信的命令行工具。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/' target='_blank' aria-label='kubectl'>kubectl</a> related issues. If you encounter issues accessing `kubectl` or connecting to your cluster, this document outlines various common scenarios and potential solutions to help identify and address the likely cause. --> <p>本文讲述研判和诊断 <a class='glossary-tooltip' title='kubectl 是用来和 Kubernetes 集群进行通信的命令行工具。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/' target='_blank' aria-label='kubectl'>kubectl</a> 相关的问题。 如果你在访问 <code>kubectl</code> 或连接到集群时遇到问题，本文概述了各种常见的情况和可能的解决方案， 以帮助确定和解决可能的原因。</p> <!-- body --> <h2 id="准备开始">准备开始</h2> <!-- * You need to have a Kubernetes cluster. * You also need to have `kubectl` installed - see [install tools](/docs/tasks/tools/#kubectl) --> <ul> <li>你需要有一个 Kubernetes 集群。</li> <li>你还需要安装好 <code>kubectl</code>，参见<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tools/#kubectl">安装工具</a>。</li> </ul> <!-- ## Verify kubectl setup Make sure you have installed and configured `kubectl` correctly on your local machine. Check the `kubectl` version to ensure it is up-to-date and compatible with your cluster. Check kubectl version: --> <h2 id="verify-kubectl-setup">验证 kubectl 设置</h2> <p>确保你已在本机上正确安装和配置了 <code>kubectl</code>。 检查 <code>kubectl</code> 版本以确保其是最新的，并与你的集群兼容。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/quick-reference/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/quick-reference/<!-- title: kubectl Quick Reference reviewers: - erictune - krousey - clove content_type: concept weight: 10 # highlight it card: name: tasks weight: 10 --> <!-- overview --> <!-- This page contains a list of commonly used `kubectl` commands and flags. --> <p>本页列举常用的 <code>kubectl</code> 命令和参数。</p> <div class="alert alert-info" role="note"><h4 class="alert-heading">说明：</h4><!-- These instructions are for Kubernetes v1.35. To check the version, use the `kubectl version` command. --> <p>这些指令适用于 Kubernetes v1.35。要检查版本，请使用 <code>kubectl version</code> 命令。</p></div> <!-- body --> <!-- ## Kubectl autocomplete ### BASH --> <h2 id="kubectl-autocomplete">kubectl 自动补全</h2> <h3 id="bash">BASH</h3> <!-- ```bash source <(kubectl completion bash) # set up autocomplete in bash into the current shell, bash-completion package should be installed first. echo "source <(kubectl completion bash)" >> ~/.bashrc # add autocomplete permanently to your bash shell. ``` You can also use a shorthand alias for `kubectl` that also works with completion: --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#a2f">source</span> &lt;<span style="color:#666">(</span>kubectl completion bash<span style="color:#666">)</span> <span style="color:#080;font-style:italic"># 在 bash 中设置当前 shell 的自动补全，要先安装 bash-completion 包</span> </span></span><span style="display:flex;"><span><span style="color:#a2f">echo</span> <span style="color:#b44">&#34;source &lt;(kubectl completion bash)&#34;</span> &gt;&gt; ~/.bashrc <span style="color:#080;font-style:italic"># 在你的 bash shell 中永久地添加自动补全</span> </span></span></code></pre></div><p>你还可以在补全时为 <code>kubectl</code> 使用一个速记别名：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/kubelet-checkpoint-api/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/kubelet-checkpoint-api/<div class="feature-state-notice feature-beta" title="特性门控： ContainerCheckpoint"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.30 [beta]</code>（默认启用）</div> <!-- Checkpointing a container is the functionality to create a stateful copy of a running container. Once you have a stateful copy of a container, you could move it to a different computer for debugging or similar purposes. If you move the checkpointed container data to a computer that's able to restore it, that restored container continues to run at exactly the same point it was checkpointed. You can also inspect the saved data, provided that you have suitable tools for doing so. --> <p>为容器生成检查点这个功能可以为一个正在运行的容器创建有状态的拷贝。 一旦容器有一个有状态的拷贝，你就可以将其移动到其他计算机进行调试或类似用途。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/kube-scheduler/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/kube-scheduler/<!-- title: Kubernetes Scheduler content_type: concept weight: 10 --> <!-- overview --> <!-- In Kubernetes, _scheduling_ refers to making sure that <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pods'>Pods</a> are matched to <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='Nodes'>Nodes</a> so that <a class='glossary-tooltip' title='一个在集群中每个节点上运行的代理。它保证容器都运行在 Pod 中。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet' target='_blank' aria-label='Kubelet'>Kubelet</a> can run them. --> <p>在 Kubernetes 中，<strong>调度</strong>是指将 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 放置到合适的<a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='节点'>节点</a>上，以便对应节点上的 <a class='glossary-tooltip' title='一个在集群中每个节点上运行的代理。它保证容器都运行在 Pod 中。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet' target='_blank' aria-label='Kubelet'>Kubelet</a> 能够运行这些 Pod。</p> <!-- body --> <!-- ## Scheduling overview {#scheduling} --> <h2 id="scheduling">调度概览</h2> <!-- A scheduler watches for newly created Pods that have no Node assigned. For every Pod that the scheduler discovers, the scheduler becomes responsible for finding the best Node for that Pod to run on. The scheduler reaches this placement decision taking into account the scheduling principles described below. --> <p>调度器通过 Kubernetes 的监测（Watch）机制来发现集群中新创建且尚未被调度到节点上的 Pod。 调度器会将所发现的每一个未调度的 Pod 调度到一个合适的节点上来运行。 调度器会依据下文的调度原则来做出调度选择。</p>https://andygol-k8s.netlify.app/zh-cn/docs/home/supported-doc-versions/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/home/supported-doc-versions/<!-- title: Available Documentation Versions content_type: custom layout: supported-versions weight: 10 --> <!-- overview --> <!-- This website contains documentation for the current version of Kubernetes and the four previous versions of Kubernetes. The availability of documentation for a Kubernetes version is separate from whether that release is currently supported. Read [Support period](/releases/patch-releases/#support-period) to learn about which versions of Kubernetes are officially supported, and for how long. --> <p>本网站包含当前版本和之前四个版本的 Kubernetes 文档。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/issues-security/issues/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/issues-security/issues/<!-- title: Kubernetes Issue Tracker weight: 10 aliases: [/cve/,/cves/] --> <!-- To report a security issue, please follow the [Kubernetes security disclosure process](/docs/reference/issues-security/security/#report-a-vulnerability). --> <p>要报告安全问题，请遵循 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/issues-security/security/#report-a-vulnerability">Kubernetes 安全问题公开流程</a>。</p> <!-- Work on Kubernetes code and public issues are tracked using [GitHub Issues](https://github.com/kubernetes/kubernetes/issues/). --> <p>使用 <a href="https://github.com/kubernetes/kubernetes/issues/">GitHub Issues</a> 跟踪 Kubernetes 编码工作和公开问题。</p> <!-- * Official [list of known CVEs](/docs/reference/issues-security/official-cve-feed/) (security vulnerabilities) that have been announced by the [Security Response Committee](https://github.com/kubernetes/committee-security-response) * [CVE-related GitHub issues](https://github.com/kubernetes/kubernetes/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Aarea%2Fsecurity+in%3Atitle+CVE) --> <ul> <li><a href="https://github.com/kubernetes/committee-security-response">安全响应委员会（Security Response Committee，SRC）</a>已公布的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/issues-security/official-cve-feed/">已知 CVE 官方列表</a></li> <li><a href="https://github.com/kubernetes/kubernetes/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Aarea%2Fsecurity+in%3Atitle+CVE">CVE 相关问题</a></li> </ul> <!-- Security-related announcements are sent to the [kubernetes-security-announce@googlegroups.com](https://groups.google.com/forum/#!forum/kubernetes-security-announce) mailing list. --> <p>与安全性相关的公告将发送到 <a href="https://groups.google.com/forum/#!forum/kubernetes-security-announce">kubernetes-security-announce@googlegroups.com</a> 邮件列表。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/components/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/components/<!-- reviewers: - lavalamp title: Kubernetes Components content_type: concept description: > An overview of the key components that make up a Kubernetes cluster. weight: 10 card: title: Components of a cluster name: concepts weight: 20 --> <!-- overview --> <!-- 本页面概述了组成 Kubernetes 集群的基本组件。 {{ < figure src="https://andygol-k8s.netlify.app/images/docs/components-of-kubernetes.svg" alt="Components of Kubernetes" caption="The components of a Kubernetes cluster" class="diagram-large" clicktozoom="true" >}} --> <p>本文档概述了一个正常运行的 Kubernetes 集群所需的各种组件。</p> <figure class="diagram-large clickable-zoom"> <img src="https://andygol-k8s.netlify.app/zh-cn/docs/images/components-of-kubernetes.svg" alt="Kubernetes 的组件"/> <figcaption> <p>Kubernetes 集群的组件</p> </figcaption> </figure> <!-- body --> <!-- ## Core Components A Kubernetes cluster consists of a control plane and one or more worker nodes. Here's a brief overview of the main components: --> <h2 id="core-components">核心组件</h2> <p>Kubernetes 集群由控制平面和一个或多个工作节点组成。以下是主要组件的简要概述：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/kernel-version-requirements/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/kernel-version-requirements/<!-- content_type: "reference" title: Linux Kernel Version Requirements weight: 10 --> <div class="alert alert-secondary callout third-party-content" role="note"><strong>说明：</strong>&puncsp;本部分链接到提供 Kubernetes 所需功能的第三方项目。Kubernetes 项目作者不负责这些项目。此页面遵循<a href="https://github.com/cncf/foundation/blob/main/policies-guidance/website-guidelines.md" target="_blank">CNCF 网站指南</a>，按字母顺序列出项目。要将项目添加到此列表中，请在提交更改之前阅读<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/content-guide/#third-party-content">内容指南</a>。</div> <!-- Many features rely on specific kernel functionalities and have minimum kernel version requirements. However, relying solely on kernel version numbers may not be sufficient for certain operating system distributions, as maintainers for distributions such as RHEL, Ubuntu and SUSE often backport selected features to older kernel releases (retaining the older kernel version). --> <p>许多特性依赖于特定的内核功能，并且有最低的内核版本要求。 然而，单纯依赖内核版本号可能不足以满足某些操作系统发行版， 因为像 RHEL、Ubuntu 和 SUSE 等发行版的维护者们通常会将选定的特性反向移植到较旧的内核版本（保留较旧的内核版本）。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/quantity/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/quantity/<!-- api_metadata: apiVersion: "" import: "k8s.io/apimachinery/pkg/api/resource" kind: "Quantity" content_type: "api_reference" description: "Quantity is a fixed-point representation of a number." title: "Quantity" weight: 10 auto_generated: true --> <p><code>import &quot;k8s.io/apimachinery/pkg/api/resource&quot;</code></p> <!-- Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors. The serialization format is: --> <p>数量（Quantity）是数字的定点表示。 除了 String() 和 AsInt64() 的访问接口之外， 它以 JSON 和 YAML 形式提供方便的打包和解包方法。</p> <p>序列化格式如下：</p> <!-- ``` \<quantity> ::= \<signedNumber>\<suffix> (Note that \<suffix> may be empty, from the "" case in \<decimalSI>.) \<digit> ::= 0 | 1 | ... | 9 \<digits> ::= \<digit> | \<digit>\<digits> \<number> ::= \<digits> | \<digits>.\<digits> | \<digits>. | .\<digits> \<sign> ::= "+" | "-" \<signedNumber> ::= \<number> | \<sign>\<number> \<suffix> ::= \<binarySI> | \<decimalExponent> | \<decimalSI> \<binarySI> ::= Ki | Mi | Gi | Ti | Pi | Ei (International System of units; See: http://physics.nist.gov/cuu/Units/binary.html) \<decimalSI> ::= m | "" | k | M | G | T | P | E (Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.) \<decimalExponent> ::= "e" \<signedNumber> | "E" \<signedNumber> ``` --> <pre tabindex="0"><code>&lt;quantity&gt; ::= &lt;signedNumber&gt;&lt;suffix&gt; （注意 &lt;suffix&gt; 可能为空，例如 &lt;decimalSI&gt; 的 &#34;&#34; 情形。） &lt;digit&gt; ::= 0 | 1 | ... | 9 &lt;digits&gt; ::= &lt;digit&gt; | &lt;digit&gt;&lt;digits&gt; &lt;number&gt; ::= &lt;digits&gt; | &lt;digits&gt;.&lt;digits&gt; | &lt;digits&gt;. | .&lt;digits&gt; &lt;sign&gt; ::= &#34;+&#34; | &#34;-&#34; &lt;signedNumber&gt; ::= &lt;number&gt; | &lt;sign&gt;&lt;number&gt; &lt;suffix&gt; ::= &lt;binarySI&gt; | &lt;decimalExponent&gt; | &lt;decimalSI&gt; &lt;binarySI&gt; ::= Ki | Mi | Gi | Ti | Pi | Ei （国际单位制度；查阅： http://physics.nist.gov/cuu/Units/binary.html） &lt;decimalSI&gt; ::= m | &#34;&#34; | k | M | G | T | P | E （注意，1024 = 1ki 但 1000 = 1k；我没有选择大写。） &lt;decimalExponent&gt; ::= &#34;e&#34; &lt;signedNumber&gt; | &#34;E&#34; &lt;signedNumber&gt; </code></pre><!-- No matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities. When a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized. --> <p>无论使用三种指数形式中哪一种，没有数量可以表示大于 2⁶³-1 的数，也不可能超过 3 个小数位。 更大或更精确的数字将被截断或向上取整（例如：0.1m 将向上取整为 1m）。 如果将来我们需要更大或更小的数量，可能会扩展。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/generate-ref-docs/quickstart/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/generate-ref-docs/quickstart/<!-- title: Reference Documentation Quickstart linkTitle: Quickstart content_type: task weight: 10 hide_summary: true --> <!-- overview --> <!-- This page shows how to use the `update-imported-docs.py` script to generate the Kubernetes reference documentation. The script automates the build setup and generates the reference documentation for a release. --> <p>本页讨论如何使用 <code>update-imported-docs.py</code> 脚本来生成 Kubernetes 参考文档。 此脚本将构建的配置过程自动化，并为某个发行版本生成参考文档。</p> <h2 id="准备开始">准备开始</h2> <!-- ### Requirements: - You need a machine that is running Linux or macOS. - You need to have these tools installed: - [Python](https://www.python.org/downloads/) v3.7.x+ - [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) - [Golang](https://go.dev/dl/) version 1.13+ - [Pip](https://pypi.org/project/pip/) used to install PyYAML - [PyYAML](https://pyyaml.org/) v5.1.2 - [make](https://www.gnu.org/software/make/) - [gcc compiler/linker](https://gcc.gnu.org/) - [Docker](https://docs.docker.com/engine/installation/) (Required only for `kubectl` command reference) --> <h3 id="requirements">需求</h3> <ul> <li> <p>你需要一台 Linux 或 macOS 机器。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/networking/service-protocols/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/networking/service-protocols/<!-- title: Protocols for Services content_type: reference weight: 10 --> <!-- overview --> <!-- If you configure a <a class='glossary-tooltip' title='将运行在一组 Pods 上的应用程序公开为网络服务的抽象方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/' target='_blank' aria-label='Service'>Service</a>, you can select from any network protocol that Kubernetes supports. Kubernetes supports the following protocols with Services: - [`SCTP`](#protocol-sctp) - [`TCP`](#protocol-tcp) _(the default)_ - [`UDP`](#protocol-udp) --> <p>如果你配置 <a class='glossary-tooltip' title='将运行在一组 Pods 上的应用程序公开为网络服务的抽象方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/' target='_blank' aria-label='Service'>Service</a>， 你可以从 Kubernetes 支持的任何网络协议中选择一个协议。</p> <p>Kubernetes 支持以下协议用于 Service：</p> <ul> <li><a href="#protocol-sctp"><code>SCTP</code></a></li> <li><a href="#protocol-tcp"><code>TCP</code></a> <strong>（默认值）</strong></li> <li><a href="#protocol-udp"><code>UDP</code></a></li> </ul> <!-- When you define a Service, you can also specify the [application protocol](/docs/concepts/services-networking/service/#application-protocol) that it uses. This document details some special cases, all of them typically using TCP as a transport protocol: - [HTTP](#protocol-http-special) and [HTTPS](#protocol-http-special) - [PROXY protocol](#protocol-proxy-special) - [TLS](#protocol-tls-special) termination at the load balancer --> <p>当你定义 Service 时， 你还可以指定其使用的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/#application-protocol">应用协议</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/service-cidr-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/service-cidr-v1/<!-- api_metadata: apiVersion: "networking.k8s.io/v1" import: "k8s.io/api/networking/v1" kind: "ServiceCIDR" content_type: "api_reference" description: "ServiceCIDR defines a range of IP addresses using CIDR format (e." title: "ServiceCIDR" weight: 10 auto_generated: true --> <p><code>apiVersion: networking.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/networking/v1&quot;</code></p> <h2 id="ServiceCIDR">ServiceCIDR</h2> <!-- ServiceCIDR defines a range of IP addresses using CIDR format (e.g. 192.168.0.0/24 or 2001:db2::/64). This range is used to allocate ClusterIPs to Service objects. --> <p>ServiceCIDR 使用 CIDR 格式定义 IP 地址的范围（例如 192.168.0.0/24 或 2001:db2::/64）。 此范围用于向 Service 对象分配 ClusterIP。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/stateful-application/basic-stateful-set/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/stateful-application/basic-stateful-set/<!-- reviewers: - enisoc - erictune - foxish - janetkuo - kow3ns - smarterclayton title: StatefulSet Basics content_type: tutorial weight: 10 --> <!-- overview --> <!-- This tutorial provides an introduction to managing applications with <a class='glossary-tooltip' title='StatefulSet 用来管理某 Pod 集合的部署和扩缩，并为这些 Pod 提供持久存储和持久标识符。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/' target='_blank' aria-label='StatefulSets'>StatefulSets</a>. It demonstrates how to create, delete, scale, and update the Pods of StatefulSets. --> <p>本教程介绍了如何使用 <a class='glossary-tooltip' title='StatefulSet 用来管理某 Pod 集合的部署和扩缩，并为这些 Pod 提供持久存储和持久标识符。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/' target='_blank' aria-label='StatefulSet'>StatefulSet</a> 来管理应用。 演示了如何创建、删除、扩容/缩容和更新 StatefulSet 的 Pod。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/volume/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/volume/<!-- api_metadata: apiVersion: "" import: "k8s.io/api/core/v1" kind: "Volume" content_type: "api_reference" description: "Volume represents a named volume in a pod that may be accessed by any container in the pod." title: "Volume" weight: 10 auto_generated: true --> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <h2 id="Volume">Volume</h2> <!-- Volume represents a named volume in a pod that may be accessed by any container in the pod. --> <p>Volume 表示 Pod 中一个有名字的卷，可以由 Pod 中的任意容器进行访问。</p> <hr> <!-- - **name** (string), required name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names --> <ul> <li> <p><strong>name</strong> (string)，必需</p>https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm/<!-- title: Installing kubeadm content_type: task weight: 10 card: name: setup weight: 20 title: Install the kubeadm setup tool --> <!-- overview --> <!-- <img src="https://andygol-k8s.netlify.app/images/kubeadm-stacked-color.png" align="right" width="150px"></img> This page shows how to install the `kubeadm` toolbox. For information on how to create a cluster with kubeadm once you have performed this installation process, see the [Creating a cluster with kubeadm](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/) page. --> <p><img src="https://andygol-k8s.netlify.app/images/kubeadm-stacked-color.png" align="right" width="150px"></img> 本页面显示如何安装 <code>kubeadm</code> 工具箱。 有关在执行此安装过程后如何使用 kubeadm 创建集群的信息， 请参见<a href="https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/">使用 kubeadm 创建集群</a>。</p> <div class="version-list"> <p> 此 installation guide 适用于 Kubernetes v1.35。如果你想使用其他 Kubernetes 版本，请参考以下页面： </p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/web-ui-dashboard/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/web-ui-dashboard/<!-- reviewers: - floreks - maciaszczykm - shu-mutou - mikedanese title: Deploy and Access the Kubernetes Dashboard description: >- Deploy the web UI (Kubernetes Dashboard) and access it. content_type: concept weight: 10 card: name: tasks weight: 30 title: Use the Web UI Dashboard --> <!-- overview --> <!-- Dashboard is a web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized application, and manage the cluster resources. You can use Dashboard to get an overview of applications running on your cluster, as well as for creating or modifying individual Kubernetes resources (such as Deployments, Jobs, DaemonSets, etc). For example, you can scale a Deployment, initiate a rolling update, restart a pod or deploy new applications using a deploy wizard. Dashboard also provides information on the state of Kubernetes resources in your cluster and on any errors that may have occurred. --> <p>Dashboard 是基于网页的 Kubernetes 用户界面。 你可以使用 Dashboard 将容器应用部署到 Kubernetes 集群中，也可以对容器应用排错，还能管理集群资源。 你可以使用 Dashboard 获取运行在集群中的应用的概览信息，也可以创建或者修改 Kubernetes 资源 （如 Deployment、Job、DaemonSet 等等）。 例如，你可以对 Deployment 实现弹性伸缩、发起滚动升级、重启 Pod 或者使用向导创建新的应用。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/kubernetes-basics/explore/explore-intro/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/kubernetes-basics/explore/explore-intro/<!-- title: Viewing Pods and Nodes weight: 10 --> <h2 id="教程目标">教程目标</h2> <!-- * Learn about Kubernetes Pods. * Learn about Kubernetes Nodes. * Troubleshoot deployed applications. --> <ul> <li>了解 Kubernetes Pod。</li> <li>了解 Kubernetes 节点。</li> <li>对已部署的应用进行故障排查。</li> </ul> <!-- ## Kubernetes Pods --> <h2 id="kubernetes-pod">Kubernetes Pod</h2> <div class="alert alert-primary" role="alert"> <!-- _A Pod is a group of one or more application containers (such as Docker) and includes shared storage (volumes), IP address and information about how to run them._ --> <p><strong>Pod 是一个或多个应用容器（例如 Docker）的组合，并且包含共享的存储（卷）、IP 地址和有关如何运行它们的信息。</strong></p>https://andygol-k8s.netlify.app/zh-cn/docs/setup/best-practices/cluster-large/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/setup/best-practices/cluster-large/<!-- reviewers: - davidopp - lavalamp title: Considerations for large clusters weight: 10 --> <!-- A cluster is a set of <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='nodes'>nodes</a> (physical or virtual machines) running Kubernetes agents, managed by the <a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='control plane'>control plane</a>. Kubernetes v1.35 supports clusters with up to 5,000 nodes. More specifically, Kubernetes is designed to accommodate configurations that meet *all* of the following criteria: --> <p>集群包含多个运行着 Kubernetes 代理程序、 由<a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='控制平面'>控制平面</a>管理的一组<a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='节点'>节点</a>（物理机或虚拟机）。 Kubernetes v1.35 单个集群支持的最大节点数为 5,000。 更具体地说，Kubernetes 设计为满足以下<strong>所有</strong>标准的配置：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-application/debug-pods/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-application/debug-pods/<!-- reviewers: - mikedanese - thockin title: Debug Pods content_type: task weight: 10 --> <!-- overview --> <!-- This guide is to help users debug applications that are deployed into Kubernetes and not behaving correctly. This is *not* a guide for people who want to debug their cluster. For that you should check out [this guide](/docs/tasks/debug/debug-cluster). --> <p>本指南帮助用户调试那些部署到 Kubernetes 上后没有正常运行的应用。 本指南 <strong>并非</strong> 指导用户如何调试集群。 如果想调试集群的话，请参阅<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster">这里</a>。</p> <!-- body --> <!-- ## Diagnosing the problem The first step in troubleshooting is triage. What is the problem? Is it your Pods, your Replication Controller or your Service? * [Debugging Pods](#debugging-pods) * [Debugging Replication Controllers](#debugging-replication-controllers) * [Debugging Services](#debugging-services) --> <h2 id="diagnosing-the-problem">诊断问题</h2> <p>故障排查的第一步是先给问题分类。问题是什么？是关于 Pod、Replication Controller 还是 Service？</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/<!-- title: Custom Resources reviewers: - enisoc - deads2k api_metadata: - apiVersion: "apiextensions.k8s.io/v1" kind: "CustomResourceDefinition" content_type: concept weight: 10 --> <!-- overview --> <!-- *Custom resources* are extensions of the Kubernetes API. This page discusses when to add a custom resource to your Kubernetes cluster and when to use a standalone service. It describes the two methods for adding custom resources and how to choose between them. --> <p><strong>定制资源（Custom Resource）</strong> 是对 Kubernetes API 的扩展。 本页讨论何时向 Kubernetes 集群添加定制资源，何时使用独立的服务。 本页描述添加定制资源的两种方法以及怎样在二者之间做出抉择。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-daemon/update-daemon-set/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-daemon/update-daemon-set/<!-- reviewers: - janetkuo title: Perform a Rolling Update on a DaemonSet content_type: task --> <!-- overview --> <!-- This page shows how to perform a rolling update on a DaemonSet. --> <p>本文介绍了如何对 DaemonSet 执行滚动更新。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/new-content/open-a-pr/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/new-content/open-a-pr/<!-- title: Opening a pull request content_type: concept weight: 10 card: name: contribute weight: 40 --> <!-- overview --> <div class="alert alert-info" role="note"><h4 class="alert-heading">说明：</h4><!-- **Code developers**: If you are documenting a new feature for an upcoming Kubernetes release, see [Document a new feature](/docs/contribute/new-content/new-features/). --> <p><strong>代码开发者们</strong>：如果你在为下一个 Kubernetes 发行版本中的某功能特性撰写文档， 请参考<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/new-content/new-features/">为发行版本撰写功能特性文档</a>。</p></div> <!-- To contribute new content pages or improve existing content pages, open a pull request (PR). Make sure you follow all the requirements in the [Before you begin](/docs/contribute/new-content/) section. --> <p>要贡献新的内容页面或者改进已有内容页面，请发起拉取请求（PR）。 请确保你满足了<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/new-content/">开始之前</a>一节中所列举的所有要求。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/<!-- reviewers: - bprashanth title: Service api_metadata: - apiVersion: "v1" kind: "Service" feature: title: Service discovery and load balancing description: > No need to modify your application to use an unfamiliar service discovery mechanism. Kubernetes gives Pods their own IP addresses and a single DNS name for a set of Pods, and can load-balance across them. description: >- Expose an application running in your cluster behind a single outward-facing endpoint, even when the workload is split across multiple backends. content_type: concept weight: 10 --> <!-- overview --> <p>Kubernetes 中 Service 是 将运行在一个或一组 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 上的网络应用程序公开为网络服务的方法。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/stateless-application/expose-external-ip-address/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/stateless-application/expose-external-ip-address/<!-- title: Exposing an External IP Address to Access an Application in a Cluster content_type: tutorial weight: 10 --> <!-- overview --> <!-- This page shows how to create a Kubernetes Service object that exposes an external IP address. --> <p>此页面显示如何创建公开外部 IP 地址的 Kubernetes 服务对象。</p> <h2 id="准备开始">准备开始</h2> <!-- * Install [kubectl](/docs/tasks/tools/). * Use a cloud provider like Google Kubernetes Engine or Amazon Web Services to create a Kubernetes cluster. This tutorial creates an [external load balancer](/docs/tasks/access-application-cluster/create-external-load-balancer/), which requires a cloud provider. * Configure `kubectl` to communicate with your Kubernetes API server. For instructions, see the documentation for your cloud provider. --> <ul> <li>安装 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tools/">kubectl</a>。</li> <li>使用 Google Kubernetes Engine 或 Amazon Web Services 等云供应商创建 Kubernetes 集群。 本教程创建了一个<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/create-external-load-balancer/">外部负载均衡器</a>， 需要云供应商。</li> <li>配置 <code>kubectl</code> 与 Kubernetes API 服务器通信。有关说明，请参阅云供应商文档。</li> </ul> <h2 id="教程目标">教程目标</h2> <!-- * Run five instances of a Hello World application. * Create a Service object that exposes an external IP address. * Use the Service object to access the running application. --> <ul> <li>运行 Hello World 应用的五个实例。</li> <li>创建一个公开外部 IP 地址的 Service 对象。</li> <li>使用 Service 对象访问正在运行的应用。</li> </ul> <!-- lessoncontent --> <!-- ## Creating a service for an application running in five pods --> <h2 id="creating-a-service-for-an-app-running-in-five-pods">为在五个 Pod 中运行的应用创建服务</h2> <!-- 1. Run a Hello World application in your cluster: --> <ol> <li> <p>在集群中运行 Hello World 应用：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/change-runtime-containerd/<!-- title: "Changing the Container Runtime on a Node from Docker Engine to containerd" weight: 10 content_type: task --> <!-- This task outlines the steps needed to update your container runtime to containerd from Docker. It is applicable for cluster operators running Kubernetes 1.23 or earlier. This also covers an example scenario for migrating from dockershim to containerd. Alternative container runtimes can be picked from this [page](/docs/setup/production-environment/container-runtimes/). --> <p>本任务给出将容器运行时从 Docker 改为 containerd 所需的步骤。 此任务适用于运行 1.23 或更早版本 Kubernetes 的集群操作人员。 同时，此任务也涉及从 dockershim 迁移到 containerd 的示例场景。 有关其他备选的容器运行时，可查阅 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/container-runtimes/">此页面</a>进行拣选。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/participate/roles-and-responsibilities/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/participate/roles-and-responsibilities/<!-- overview --> <!-- Anyone can contribute to Kubernetes. As your contributions to SIG Docs grow, you can apply for different levels of membership in the community. These roles allow you to take on more responsibility within the community. Each role requires more time and commitment. The roles are: - Anyone: regular contributors to the Kubernetes documentation - Members: can assign and triage issues and provide non-binding review on pull requests - Reviewers: can lead reviews on documentation pull requests and can vouch for a change's quality - Approvers: can lead reviews on documentation and merge changes --> <p>任何人都可以为 Kubernetes 作出贡献。随着你对 SIG Docs 的贡献增多，你可以申请 社区内不同级别的成员资格。 这些角色使得你可以在社区中承担更多的责任。 每个角色都需要更多的时间和投入。具体包括：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/<!-- reviewers: - caesarxuchao - dchen1107 title: Nodes api_metadata: - apiVersion: "v1" kind: "Node" content_type: concept weight: 10 --> <!-- overview --> <!-- Kubernetes runs your <a class='glossary-tooltip' title='工作负载是在 Kubernetes 上运行的应用程序。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/' target='_blank' aria-label='workload'>workload</a> by placing containers into Pods to run on _Nodes_. A node may be a virtual or physical machine, depending on the cluster. Each node is managed by the <a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='control plane'>control plane</a> and contains the services necessary to run <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pods'>Pods</a>. Typically you have several nodes in a cluster; in a learning or resource-limited environment, you might have only one node. The [components](/docs/concepts/architecture/#node-components) on a node include the <a class='glossary-tooltip' title='一个在集群中每个节点上运行的代理。它保证容器都运行在 Pod 中。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet' target='_blank' aria-label='kubelet'>kubelet</a>, a <a class='glossary-tooltip' title='容器运行时是负责运行容器的软件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/container-runtimes' target='_blank' aria-label='container runtime'>container runtime</a>, and the <a class='glossary-tooltip' title='kube-proxy 是集群中每个节点上运行的网络代理。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kube-proxy/' target='_blank' aria-label='kube-proxy'>kube-proxy</a>. --> <p>Kubernetes 通过将容器放入在节点（Node）上运行的 Pod 中来执行你的<a class='glossary-tooltip' title='工作负载是在 Kubernetes 上运行的应用程序。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/' target='_blank' aria-label='工作负载'>工作负载</a>。 节点可以是一个虚拟机或者物理机器，取决于所在的集群配置。 每个节点包含运行 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 所需的服务； 这些节点由<a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='控制面'>控制面</a>负责管理。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/node-shutdown/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/node-shutdown/<!-- title: Node Shutdowns content_type: concept weight: 10 --> <!-- overview --> <!-- In a Kubernetes cluster, a <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='node'>node</a> can be shut down in a planned graceful way or unexpectedly because of reasons such as a power outage or something else external. A node shutdown could lead to workload failure if the node is not drained before the shutdown. A node shutdown can be either **graceful** or **non-graceful**. --> <p>在 Kubernetes 集群中，<a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='节点'>节点</a>可以按计划的体面方式关闭， 也可能因断电或其他某些外部原因被意外关闭。如果节点在关闭之前未被排空，则节点关闭可能会导致工作负载失败。 节点可以<strong>体面关闭</strong>或<strong>非体面关闭</strong>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/containers/images/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/containers/images/<!-- reviewers: - erictune - thockin title: Images content_type: concept weight: 10 hide_summary: true # Listed separately in section index --> <!-- overview --> <!-- A container image represents binary data that encapsulates an application and all its software dependencies. Container images are executable software bundles that can run standalone and that make very well-defined assumptions about their runtime environment. You typically create a container image of your application and push it to a registry before referring to it in a <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a>. This page provides an outline of the container image concept. --> <p>容器镜像（Image）所承载的是封装了应用程序及其所有软件依赖的二进制数据。 容器镜像是可执行的软件包，可以单独运行；该软件包对所处的运行时环境具有明确定义的运行时环境假定。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes/<!-- reviewers: - jsafrane - saad-ali - thockin - msau42 title: Volumes api_metadata: - apiVersion: "" kind: "Volume" content_type: concept weight: 10 --> <!-- overview --> <!-- Kubernetes _volumes_ provide a way for containers in a <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='pod'>pod</a> to access and share data via the filesystem. There are different kinds of volume that you can use for different purposes, such as: --> <p>Kubernetes <strong>卷</strong>为 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 中的容器提供了一种通过文件系统访问和共享数据的方式。存在不同类别的卷，你可以将其用于各种用途，例如：</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/content-guide/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/content-guide/<!-- title: Documentation Content Guide linktitle: Content guide content_type: concept weight: 10 --> <!-- overview --> <!-- This page contains guidelines for Kubernetes documentation. If you have questions about what's allowed, join the #sig-docs channel in [Kubernetes Slack](https://slack.k8s.io/) and ask! You can register for Kubernetes Slack at https://slack.k8s.io/. For information on creating new content for the Kubernetes docs, follow the [style guide](/docs/contribute/style/style-guide). --> <p>本页包含 Kubernetes 文档的一些指南。</p> <p>如果你不清楚哪些事情是可以做的，请加入到 <a href="https://slack.k8s.io/">Kubernetes Slack</a> 的 <code>#sig-docs</code> 频道提问！ 你可以在 <a href="https://slack.k8s.io">https://slack.k8s.io</a> 注册到 Kubernetes Slack。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubernetes/configure-aggregation-layer/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubernetes/configure-aggregation-layer/<!-- title: Configure the Aggregation Layer reviewers: - lavalamp - cheftako - chenopis content_type: task weight: 10 --> <!-- overview --> <!-- Configuring the [aggregation layer](/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/) allows the Kubernetes apiserver to be extended with additional APIs, which are not part of the core Kubernetes APIs. --> <p>配置<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/">聚合层</a>可以允许 Kubernetes apiserver 使用其它 API 扩展，这些 API 不是核心 Kubernetes API 的一部分。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/review/reviewing-prs/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/review/reviewing-prs/<!-- title: Reviewing pull requests content_type: concept main_menu: true weight: 10 --> <!-- overview --> <!-- Anyone can review a documentation pull request. Visit the [pull requests](https://github.com/kubernetes/website/pulls) section in the Kubernetes website repository to see open pull requests. Reviewing documentation pull requests is a great way to introduce yourself to the Kubernetes community. It helps you learn the code base and build trust with other contributors. Before reviewing, it's a good idea to: - Read the [content guide](/docs/contribute/style/content-guide/) and [style guide](/docs/contribute/style/style-guide/) so you can leave informed comments. - Understand the different [roles and responsibilities](/docs/contribute/participate/roles-and-responsibilities/) in the Kubernetes documentation community. --> <p>任何人均可评审文档的拉取请求。 访问 Kubernetes 网站仓库的 <a href="https://github.com/kubernetes/website/pulls">pull requests</a> 部分， 可以查看所有待处理的拉取请求（PR）。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/labels-annotations-taints/audit-annotations/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/labels-annotations-taints/audit-annotations/<!-- title: "Audit Annotations" weight: 10 --> <!-- overview --> <!-- This page serves as a reference for the audit annotations of the kubernetes.io namespace. These annotations apply to `Event` object from API group `audit.k8s.io`. --> <p>本页面作为 kubernetes.io 名字空间的审计注解的参考。这些注解适用于 API 组 <code>audit.k8s.io</code> 中的 <code>Event</code> 对象。</p> <div class="alert alert-info" role="note"><h4 class="alert-heading">说明：</h4><!-- The following annotations are not used within the Kubernetes API. When you [enable auditing](/docs/tasks/debug/debug-cluster/audit/) in your cluster, audit event data is written using `Event` from API group `audit.k8s.io`. The annotations apply to audit events. Audit events are different from objects in the [Event API](/docs/reference/kubernetes-api/cluster-resources/event-v1/) (API group `events.k8s.io`). --> <p>Kubernetes API 中不使用以下注解。当你在集群中<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/audit/">启用审计</a>时， 审计事件数据将使用 API 组 <code>audit.k8s.io</code> 中的 <code>Event</code> 写入。此注解适用于审计事件。 审计事件不同于 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/event-v1/">Event API</a> （API 组 <code>events.k8s.io</code>）中的对象。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/network-policy-provider/antrea-network-policy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/network-policy-provider/antrea-network-policy/<!-- --- title: Use Antrea for NetworkPolicy content_type: task weight: 10 --- --> <!-- overview --> <!-- This page shows how to install and use Antrea CNI plugin on Kubernetes. For background on Project Antrea, read the [Introduction to Antrea](https://antrea.io/docs/). --> <p>本页展示了如何在 kubernetes 中安装和使用 Antrea CNI 插件。 要了解 Antrea 项目的背景，请阅读 <a href="https://antrea.io/docs/">Antrea 介绍</a>。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster. Follow the [kubeadm getting started guide](/docs/reference/setup-tools/kubeadm/) to bootstrap one. --> <p>你需要拥有一个 kuernetes 集群。 遵循 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/">kubeadm 入门指南</a>自行创建一个。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/job/automated-tasks-with-cron-jobs/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/job/automated-tasks-with-cron-jobs/<!-- title: Running Automated Tasks with a CronJob min-kubernetes-server-version: v1.21 reviewers: - chenopis content_type: task weight: 10 --> <!-- overview --> <!-- This page shows how to run automated tasks using Kubernetes <a class='glossary-tooltip' title='周期调度的任务（作业）。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/cron-jobs/' target='_blank' aria-label='CronJob'>CronJob</a> object. --> <p>本页演示如何使用 Kubernetes <a class='glossary-tooltip' title='周期调度的任务（作业）。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/cron-jobs/' target='_blank' aria-label='CronJob'>CronJob</a> 对象运行自动化任务。</p> <h2 id="准备开始">准备开始</h2> <ul> <li><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/<!-- overview --> <!-- This page shows how to run an application using a Kubernetes Deployment object. --> <p>本文介绍如何通过 Kubernetes Deployment 对象去运行一个应用。</p> <h2 id="教程目标">教程目标</h2> <!-- - Create an nginx deployment. - Use kubectl to list information about the deployment. - Update the deployment. --> <ul> <li>创建一个 nginx Deployment。</li> <li>使用 kubectl 列举该 Deployment 的相关信息。</li> <li>更新该 Deployment。</li> </ul> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/kubernetes-basics/deploy-app/deploy-intro/<!-- title: Using kubectl to Create a Deployment weight: 10 --> <h2 id="教程目标">教程目标</h2> <!-- * Learn about application Deployments. * Deploy your first app on Kubernetes with kubectl. --> <ul> <li>学习应用的部署。</li> <li>使用 kubectl 在 Kubernetes 上部署第一个应用。</li> </ul> <!-- ## Kubernetes Deployments --> <h2 id="kubernetes-deployment">Kubernetes Deployment</h2> <div class="alert alert-primary" role="alert"> <!-- _A Deployment is responsible for creating and updating instances of your application._ --> <p><strong>Deployment 负责创建和更新应用的实例</strong></p> </div> <div class="alert alert-info" role="note"><h4 class="alert-heading">说明：</h4><!-- This tutorial uses a container that requires the AMD64 architecture. If you are using minikube on a computer with a different CPU architecture, you could try using minikube with a driver that can emulate AMD64. For example, the Docker Desktop driver can do this. --> <p>本教程使用了一个需要 AMD64 架构的容器。如果你在使用 Minikube 的计算机上使用了不同的 CPU 架构，可以尝试使用能够模拟 AMD64 的 Minikube 驱动程序。例如，Docker Desktop 驱动程序可以实现这一点。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kubectl/<!-- title: Managing Secrets using kubectl content_type: task weight: 10 description: Creating Secret objects using kubectl command line. --> <!-- overview --> <!-- This page shows you how to create, edit, manage, and delete Kubernetes <a class='glossary-tooltip' title='Secret 用于存储敏感信息，如密码、 OAuth 令牌和 SSH 密钥。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/secret/' target='_blank' aria-label='Secrets'>Secrets</a> using the `kubectl` command-line tool. --> <p>本页向你展示如何使用 <code>kubectl</code> 命令行工具来创建、编辑、管理和删除。 Kubernetes <a class='glossary-tooltip' title='Secret 用于存储敏感信息，如密码、 OAuth 令牌和 SSH 密钥。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/secret/' target='_blank' aria-label='Secrets'>Secrets</a></p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/kubernetes-basics/create-cluster/cluster-intro/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/kubernetes-basics/create-cluster/cluster-intro/<!-- title: Using Minikube to Create a Cluster weight: 10 --> <h2 id="教程目标">教程目标</h2> <!-- * Learn what a Kubernetes cluster is. * Learn what Minikube is. * Start a Kubernetes cluster on your computer. --> <ul> <li>了解 Kubernetes 集群。</li> <li>了解 Minikube。</li> <li>在你的电脑上启动一个 Kubernetes 集群。</li> </ul> <!-- ## Kubernetes Clusters --> <h2 id="kubernetes-集群">Kubernetes 集群</h2> <div class="alert alert-primary" role="alert"> <!-- _Kubernetes is a production-grade, open-source platform that orchestrates the placement (scheduling) and execution of application containers within and across computer clusters._ --> <p><strong>Kubernetes 是一个生产级别的开源平台， 可编排在计算机集群内和跨计算机集群的应用容器的部署（调度）和执行。</strong></p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/kubernetes-basics/expose/expose-intro/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/kubernetes-basics/expose/expose-intro/<!-- title: Using a Service to Expose Your App weight: 10 --> <h2 id="教程目标">教程目标</h2> <!-- * Learn about a Service in Kubernetes. * Understand how labels and selectors relate to a Service. * Expose an application outside a Kubernetes cluster. --> <ul> <li>了解 Kubernetes 中的 Service</li> <li>了解标签（Label）和选择算符（Selector）如何与 Service 关联</li> <li>用 Service 向 Kubernetes 集群外公开应用</li> </ul> <!-- ## Overview of Kubernetes Services Kubernetes [Pods](/docs/concepts/workloads/pods/) are mortal. Pods have a [lifecycle](/docs/concepts/workloads/pods/pod-lifecycle/). When a worker node dies, the Pods running on the Node are also lost. A [Replicaset](/docs/concepts/workloads/controllers/replicaset/) might then dynamically drive the cluster back to the desired state via the creation of new Pods to keep your application running. As another example, consider an image-processing backend with 3 replicas. Those replicas are exchangeable; the front-end system should not care about backend replicas or even if a Pod is lost and recreated. That said, each Pod in a Kubernetes cluster has a unique IP address, even Pods on the same Node, so there needs to be a way of automatically reconciling changes among Pods so that your applications continue to function. --> <h2 id="overview-of-kubernetes-services">Kubernetes Service 概述</h2> <p>Kubernetes <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/">Pod</a> 是有生命期的。 Pod 拥有<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/">生命周期</a>。 当一个工作节点停止工作后，在节点上运行的 Pod 也会消亡。 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/replicaset/">ReplicaSet</a> 会自动地通过创建新的 Pod 驱动集群回到期望状态，以保证应用正常运行。 换一个例子，考虑一个具有 3 个副本的用作图像处理的后端程序。 这些副本是彼此可替换的。前端系统不应该关心后端副本，即使某个 Pod 丢失或被重新创建。 此外，Kubernetes 集群中的每个 Pod 都有一个唯一的 IP 地址，即使是在同一个 Node 上的 Pod 也是如此， 因此需要一种方法来自动协调 Pod 集合中的变化，以便应用保持运行。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-kubernetes-objects/declarative-config/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-kubernetes-objects/declarative-config/<!-- title: Declarative Management of Kubernetes Objects Using Configuration Files content_type: task weight: 10 --> <!-- overview --> <!-- Kubernetes objects can be created, updated, and deleted by storing multiple object configuration files in a directory and using `kubectl apply` to recursively create and update those objects as needed. This method retains writes made to live objects without merging the changes back into the object configuration files. `kubectl diff` also gives you a preview of what changes `apply` will make. --> <p>你可以通过在一个目录中存储多个对象配置文件、并使用 <code>kubectl apply</code> 来递归地创建和更新对象来创建、更新和删除 Kubernetes 对象。 这种方法会保留对现有对象已作出的修改，而不会将这些更改写回到对象配置文件中。 <code>kubectl diff</code> 也会给你呈现 <code>apply</code> 将作出的变更的预览。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/feature-gates/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/feature-gates/<!-- title: Feature Gates weight: 10 content_type: concept card: name: reference weight: 60 --> <!-- overview --> <!-- This page contains an overview of the various feature gates an administrator can specify on different Kubernetes components. See [feature stages](#feature-stages) for an explanation of the stages for a feature. --> <p>本页详述了管理员可以在不同的 Kubernetes 组件上指定的各种特性门控。</p> <p>关于特性各个阶段的说明，请参见<a href="#feature-stages">特性阶段</a>。</p> <!-- body --> <!-- ## Overview Feature gates are a set of key=value pairs that describe Kubernetes features. You can turn these features on or off using the `--feature-gates` command line flag on each Kubernetes component. --> <h2 id="overview">概述</h2> <p>特性门控是描述 Kubernetes 特性的一组键值对。你可以在 Kubernetes 的各个组件中使用 <code>--feature-gates</code> 标志来启用或禁用这些特性。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/adding-linux-nodes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/adding-linux-nodes/<!-- title: Adding Linux worker nodes content_type: task weight: 10 --> <!-- overview --> <!-- This page explains how to add Linux worker nodes to a kubeadm cluster. --> <p>本页介绍如何将 Linux 工作节点添加到 kubeadm 集群。</p> <h2 id="准备开始">准备开始</h2> <!-- * Each joining worker node has installed the required components from [Installing kubeadm](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/), such as, kubeadm, the kubelet and a <a class='glossary-tooltip' title='容器运行时是负责运行容器的软件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/container-runtimes' target='_blank' aria-label='container runtime'>container runtime</a>. * A running kubeadm cluster created by `kubeadm init` and following the steps in the document [Creating a cluster with kubeadm](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/). * You need superuser access to the node. --> <ul> <li>每个要加入的工作节点都已安装 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/install-kubeadm/">安装 kubeadm</a> 中所需的组件，例如 kubeadm、kubelet 和 <a class='glossary-tooltip' title='容器运行时是负责运行容器的软件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/container-runtimes' target='_blank' aria-label='容器运行时'>容器运行时</a>。</li> <li>一个正在运行的、由 <code>kubeadm init</code> 命令所创建的 kubeadm 集群，且该集群的创建遵循 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/">使用 kubeadm 创建集群</a> 文档中所给的步骤。</li> <li>你需要对节点拥有超级用户权限。</li> </ul> <!-- steps --> <!-- ## Adding Linux worker nodes To add new Linux worker nodes to your cluster do the following for each machine: 1. Connect to the machine by using SSH or another method. 1. Run the command that was output by `kubeadm init`. For example: ### Additional information for kubeadm join --> <h2 id="additional-information-for-kubeadm-join">添加 Linux 工作节点</h2> <p>要将新的 Linux 工作节点添加到集群中，请对每台机器执行以下步骤：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/<!-- reviewers: - dcbw - freehan - thockin title: Network Plugins content_type: concept weight: 10 --> <!-- overview --> <!-- Kubernetes (version 1.3 through to the latest 1.35, and likely onwards) lets you use [Container Network Interface](https://github.com/containernetworking/cni) (CNI) plugins for cluster networking. You must use a CNI plugin that is compatible with your cluster and that suits your needs. Different plugins are available (both open- and closed- source) in the wider Kubernetes ecosystem. --> <p>Kubernetes（1.3 版本至最新 1.35，并可能包括未来版本） 允许你使用<a href="https://github.com/containernetworking/cni">容器网络接口</a>（CNI） 插件来完成集群联网。 你必须使用和你的集群相兼容并且满足你的需求的 CNI 插件。 在更广泛的 Kubernetes 生态系统中你可以使用不同的插件（开源和闭源）。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/node-overprovisioning/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/node-overprovisioning/<!-- title: Overprovision Node Capacity For A Cluster content_type: task weight: 10 --> <!-- overview --> <!-- This page guides you through configuring <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='Node'>Node</a> overprovisioning in your Kubernetes cluster. Node overprovisioning is a strategy that proactively reserves a portion of your cluster's compute resources. This reservation helps reduce the time required to schedule new pods during scaling events, enhancing your cluster's responsiveness to sudden spikes in traffic or workload demands. By maintaining some unused capacity, you ensure that resources are immediately available when new pods are created, preventing them from entering a pending state while the cluster scales up. --> <p>本页指导你在 Kubernetes 集群中配置<a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='节点'>节点</a>超配。 节点超配是一种主动预留部分集群计算资源的策略。这种预留有助于减少在扩缩容事件期间调度新 Pod 所需的时间， 从而增强集群对突发流量或突发工作负载需求的响应能力。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/<!-- title: Configure Default Memory Requests and Limits for a Namespace content_type: task weight: 10 description: >- Define a default memory resource limit for a namespace, so that every new Pod in that namespace has a memory resource limit configured. --> <!-- overview --> <!-- This page shows how to configure default memory requests and limits for a <a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='namespace'>namespace</a>. A Kubernetes cluster can be divided into namespaces. Once you have a namespace that has a default memory [limit](/docs/concepts/configuration/manage-resources-containers/#requests-and-limits), and you then try to create a Pod with a container that does not specify its own memory limit, then the <a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='control plane'>control plane</a> assigns the default memory limit to that container. Kubernetes assigns a default memory request under certain conditions that are explained later in this topic. --> <p>本章介绍如何为<a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='命名空间'>命名空间</a>配置默认的内存请求和限制。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/assign-memory-resource/<!-- title: Assign Memory Resources to Containers and Pods content_type: task weight: 10 --> <!-- overview --> <!-- This page shows how to assign a memory *request* and a memory *limit* to a Container. A Container is guaranteed to have as much memory as it requests, but is not allowed to use more memory than its limit. --> <p>此页面展示如何将内存<strong>请求</strong>（request）和内存<strong>限制</strong>（limit）分配给一个容器。 我们保障容器拥有它请求数量的内存，但不允许使用超过限制数量的内存。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/inject-data-application/define-command-argument-container/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/inject-data-application/define-command-argument-container/<!-- title: Define a Command and Arguments for a Container content_type: task weight: 10 --> <!-- overview --> <!-- This page shows how to define commands and arguments when you run a container in a <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a>. --> <p>本页将展示如何为 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 中容器设置启动时要执行的命令及其参数。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/policy/limit-range/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/policy/limit-range/<!-- reviewers: - nelvadas title: Limit Ranges api_metadata: - apiVersion: "v1" kind: "LimitRange" content_type: concept weight: 10 --> <!-- overview --> <!-- By default, containers run with unbounded [compute resources](/docs/concepts/configuration/manage-resources-containers/) on a Kubernetes cluster. Using Kubernetes [resource quotas](/docs/concepts/policy/resource-quotas/), administrators (also termed _cluster operators_) can restrict consumption and creation of cluster resources (such as CPU time, memory, and persistent storage) within a specified <a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='namespace'>namespace</a>. Within a namespace, a <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> can consume as much CPU and memory as is allowed by the ResourceQuotas that apply to that namespace. As a cluster operator, or as a namespace-level administrator, you might also be concerned about making sure that a single object cannot monopolize all available resources within a namespace. A LimitRange is a policy to constrain the resource allocations (limits and requests) that you can specify for each applicable object kind (such as Pod or <a class='glossary-tooltip' title='声明在持久卷中定义的存储资源，以便可以将其挂载为容器中的卷。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims' target='_blank' aria-label='PersistentVolumeClaim'>PersistentVolumeClaim</a>) in a namespace. --> <p>默认情况下， Kubernetes 集群上的容器运行使用的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/manage-resources-containers/">计算资源</a>没有限制。 使用 Kubernetes <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/policy/resource-quotas/">资源配额</a>， 管理员（也称为<strong>集群操作者</strong>）可以在一个指定的<a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='命名空间'>命名空间</a>内限制集群资源的使用与创建。 在命名空间中，一个 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 最多能够使用命名空间的资源配额所定义的 CPU 和内存用量。 作为集群操作者或命名空间级的管理员，你可能也会担心如何确保一个 Pod 不会垄断命名空间内所有可用的资源。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/cluster-management/kubelet-standalone/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/cluster-management/kubelet-standalone/<!-- title: Running Kubelet in Standalone Mode content_type: tutorial weight: 10 --> <!-- overview --> <!-- This tutorial shows you how to run a standalone kubelet instance. You may have different motivations for running a standalone kubelet. This tutorial is aimed at introducing you to Kubernetes, even if you don't have much experience with it. You can follow this tutorial and learn about node setup, basic (static) Pods, and how Kubernetes manages containers. --> <p>本教程将向你展示如何运行一个独立的 kubelet 实例。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/authentication/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/authentication/<!-- reviewers: - erictune - lavalamp - deads2k - liggitt title: Authenticating content_type: concept weight: 10 --> <!-- overview --> <!-- This page provides an overview of authentication in Kubernetes, with a focus on authentication to the [Kubernetes API](/docs/concepts/overview/kubernetes-api/). --> <p>本页提供 Kubernetes 中身份认证有关的概述，重点介绍与 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/kubernetes-api/">Kubernetes API</a> 有关的身份认证。</p> <!-- body --> <!-- ## Users in Kubernetes All Kubernetes clusters have two categories of users: service accounts managed by Kubernetes, and normal users. It is assumed that a cluster-independent service manages normal users in the following ways: - an administrator distributing private keys - a user store like Keystone or Google Accounts - a file with a list of usernames and passwords In this regard, _Kubernetes does not have objects which represent normal user accounts._ Normal users cannot be added to a cluster through an API call. --> <h2 id="users-in-kubernetes">Kubernetes 中的用户</h2> <p>所有 Kubernetes 集群都有两类用户：由 Kubernetes 管理的服务账号和普通用户。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/cloud-native-security/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/cloud-native-security/<!-- --- title: "Cloud Native Security and Kubernetes" linkTitle: "Cloud Native Security" weight: 10 # The section index lists this explicitly hide_summary: true description: > Concepts for keeping your cloud native workload secure. --- --> <!-- Kubernetes is based on a cloud native architecture and draws on advice from the <a class='glossary-tooltip' title='云原生计算基金会（Cloud Native Computing Foundation）' data-toggle='tooltip' data-placement='top' href='https://cncf.io/' target='_blank' aria-label='CNCF'>CNCF</a> about good practices for cloud native information security. --> <p>Kubernetes 基于云原生架构，并借鉴了 <a class='glossary-tooltip' title='云原生计算基金会（Cloud Native Computing Foundation）' data-toggle='tooltip' data-placement='top' href='https://cncf.io/' target='_blank' aria-label='CNCF'>CNCF</a> 有关云原生信息安全良好实践的建议。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/kubernetes-basics/scale/scale-intro/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/kubernetes-basics/scale/scale-intro/<!-- title: Running Multiple Instances of Your App weight: 10 --> <h2 id="教程目标">教程目标</h2> <!-- * Scale an existing app manually using kubectl. --> <ul> <li>使用 kubectl 手动扩缩现有的应用</li> </ul> <!-- ## Scaling an application --> <h2 id="扩缩应用">扩缩应用</h2> <div class="alert alert-primary" role="alert"> <!-- _You can create from the start a Deployment with multiple instances using the --replicas parameter for the kubectl create deployment command._ --> <p><strong>通过在使用 <code>kubectl create deployment</code> 命令时设置 <code>--replicas</code> 参数， 你可以在启动 Deployment 时创建多个实例。</strong></p> </div> <!-- Previously we created a [Deployment](/docs/concepts/workloads/controllers/deployment/), and then exposed it publicly via a [Service](/docs/concepts/services-networking/service/). The Deployment created only one Pod for running our application. When traffic increases, we will need to scale the application to keep up with user demand. If you haven't worked through the earlier sections, start from [Using minikube to create a cluster](/docs/tutorials/kubernetes-basics/create-cluster/cluster-intro/). _Scaling_ is accomplished by changing the number of replicas in a Deployment. --> <p>之前我们创建了一个 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/deployment/">Deployment</a>， 然后通过 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/">Service</a> 让其可以公开访问。 Deployment 仅创建了一个 Pod 用于运行这个应用。当流量增加时，我们需要扩容应用满足用户需求。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tools/install-kubectl-linux/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tools/install-kubectl-linux/<!-- reviewers: - mikedanese title: Install and Set Up kubectl on Linux content_type: task weight: 10 --> <h2 id="准备开始">准备开始</h2> <!-- You must use a kubectl version that is within one minor version difference of your cluster. For example, a v1.35 client can communicate with v1.34, v1.35, and v1.36 control planes. Using the latest compatible version of kubectl helps avoid unforeseen issues. --> <p>kubectl 版本和集群版本之间的差异必须在一个小版本号内。 例如：v1.35 版本的客户端能与 v1.34、 v1.35 和 v1.36 版本的控制面通信。 用最新兼容版的 kubectl 有助于避免不可预见的问题。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tools/install-kubectl-macos/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tools/install-kubectl-macos/<!-- reviewers: - mikedanese title: Install and Set Up kubectl on macOS content_type: task weight: 10 --> <h2 id="准备开始">准备开始</h2> <!-- You must use a kubectl version that is within one minor version difference of your cluster. For example, a v1.35 client can communicate with v1.34, v1.35, and v1.36 control planes. Using the latest compatible version of kubectl helps avoid unforeseen issues. --> <p>kubectl 版本和集群之间的差异必须在一个小版本号之内。 例如：v1.35 版本的客户端能与 v1.34、 v1.35 和 v1.36 版本的控制面通信。 用最新兼容版本的 kubectl 有助于避免不可预见的问题。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tools/install-kubectl-windows/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tools/install-kubectl-windows/<!-- reviewers: - mikedanese title: Install and Set Up kubectl on Windows content_type: task weight: 10 --> <h2 id="准备开始">准备开始</h2> <!-- You must use a kubectl version that is within one minor version difference of your cluster. For example, a v1.35 client can communicate with v1.34, v1.35, and v1.36 control planes. Using the latest compatible version of kubectl helps avoid unforeseen issues. --> <p>kubectl 版本和集群版本之间的差异必须在一个小版本号内。 例如：v1.35 版本的客户端能与 v1.34、 v1.35 和 v1.36 版本的控制面通信。 用最新兼容版的 kubectl 有助于避免不可预见的问题。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/security/cluster-level-pss/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/security/cluster-level-pss/<!-- title: Apply Pod Security Standards at the Cluster Level content_type: tutorial weight: 10 --> <div class="alert alert-primary" role="alert"><div class="h4 alert-heading" role="heading">Note</div> <!-- This tutorial applies only for new clusters. --> <p>本教程仅适用于新集群。</p> </div> <!-- Pod Security is an admission controller that carries out checks against the Kubernetes [Pod Security Standards](/docs/concepts/security/pod-security-standards/) when new pods are created. It is a feature GA'ed in v1.25. This tutorial shows you how to enforce the `baseline` Pod Security Standard at the cluster level which applies a standard configuration to all namespaces in a cluster. To apply Pod Security Standards to specific namespaces, refer to [Apply Pod Security Standards at the namespace level](/docs/tutorials/security/ns-level-pss). If you are running a version of Kubernetes other than v1.35, check the documentation for that version. --> <p>Pod 安全是一个准入控制器，当新的 Pod 被创建时，它会根据 Kubernetes <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-standards/">Pod 安全标准</a> 进行检查。这是在 v1.25 中达到正式发布（GA）的功能。 本教程将向你展示如何在集群级别实施 <code>baseline</code> Pod 安全标准， 该标准将标准配置应用于集群中的所有名字空间。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/assign-resources/set-up-dra-cluster/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/assign-resources/set-up-dra-cluster/<!-- title: "Set Up DRA in a Cluster" content_type: task min-kubernetes-server-version: v1.34 weight: 10 --> <div class="feature-state-notice feature-stable" title="特性门控： DynamicResourceAllocation"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.35 [stable]</code>（默认启用）</div> <!-- overview --> <!-- This page shows you how to configure _dynamic resource allocation (DRA)_ in a Kubernetes cluster by enabling API groups and configuring classes of devices. These instructions are for cluster administrators. --> <p>本文介绍如何在 Kubernetes 集群中通过启用 API 组并配置设备类别来设置<strong>动态资源分配（DRA）</strong>。 这些指示说明适用于集群管理员。</p> <!-- body --> <!-- ## About DRA {#about-dra} --> <h2 id="about-dra">关于 DRA</h2> <!-- title: Dynamic Resource Allocation id: dra date: 2025-05-13 full_link: /docs/concepts/scheduling-eviction/dynamic-resource-allocation/ short_description: > A Kubernetes feature for requesting and sharing resources, like hardware accelerators, among Pods. aka: - DRA tags: - extension --> <!-- A Kubernetes feature that lets you request and share resources among Pods. These resources are often attached <a class='glossary-tooltip' title='直接或间接挂接到集群节点上的所有资源，例如 GPU 或电路板。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-device' target='_blank' aria-label='devices'>devices</a> like hardware accelerators. --> <p>Kubernetes 提供的一项特性，允许你在多个 Pod 之间请求和共享资源。<br> 这些资源通常是挂接的<a class='glossary-tooltip' title='直接或间接挂接到集群节点上的所有资源，例如 GPU 或电路板。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-device' target='_blank' aria-label='设备'>设备</a>，例如硬件加速器。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/kubernetes-basics/update/update-intro/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/kubernetes-basics/update/update-intro/<!-- title: Performing a Rolling Update weight: 10 --> <h2 id="教程目标">教程目标</h2> <!-- Perform a rolling update using kubectl. --> <p>使用 kubectl 执行滚动更新。</p> <!-- ## Updating an application --> <h2 id="更新应用">更新应用</h2> <div class="alert alert-primary" role="alert"> <!-- _Rolling updates allow Deployments' update to take place with zero downtime by incrementally updating Pods instances with new ones._ --> <p><strong>滚动更新通过增量式更新 Pod 实例并替换为新的实例，允许在 Deployment 更新过程中实现零停机。</strong></p> </div> <!-- Users expect applications to be available all the time, and developers are expected to deploy new versions of them several times a day. In Kubernetes this is done with rolling updates. A **rolling update** allows a Deployment update to take place with zero downtime. It does this by incrementally replacing the current Pods with new ones. The new Pods are scheduled on Nodes with available resources, and Kubernetes waits for those new Pods to start before removing the old Pods. --> <p>用户希望应用程序始终可用，而开发人员则需要每天多次部署它们的新版本。 在 Kubernetes 中，这些是通过滚动更新（Rolling Update）完成的。 <strong>滚动更新</strong>允许通过使用新的实例逐步更新 Pod 实例，实现零停机的 Deployment 更新。 新的 Pod 将被调度到具有可用资源的节点上。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/cron-job-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/cron-job-v1/<!-- api_metadata: apiVersion: "batch/v1" import: "k8s.io/api/batch/v1" kind: "CronJob" content_type: "api_reference" description: "CronJob represents the configuration of a single cron job." title: "CronJob" weight: 11 auto_generated: true --> <p><code>apiVersion: batch/v1</code></p> <p><code>import &quot;k8s.io/api/batch/v1&quot;</code></p> <h2 id="CronJob">CronJob</h2> <!-- CronJob represents the configuration of a single cron job. --> <p>CronJob 代表单个定时作业（Cron Job）的配置。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: batch/v1</p> </li> <li> <p><strong>kind</strong>: CronJob</p> </li> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p> <!-- Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <p>标准的对象元数据。更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</a></p> </li> <li> <p><strong>spec</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/cron-job-v1/#CronJobSpec">CronJobSpec</a>)</p> <!-- Specification of the desired behavior of a cron job, including the schedule. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status --> <p>定时作业的预期行为的规约，包括排期表（Schedule）。更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status</a></p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/resource-field-selector/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/resource-field-selector/<!-- api_metadata: apiVersion: "" import: "k8s.io/api/core/v1" kind: "ResourceFieldSelector" content_type: "api_reference" description: "ResourceFieldSelector represents container resources (cpu, memory) and their output format." title: "ResourceFieldSelector" weight: 11 auto_generated: true --> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <!-- ResourceFieldSelector represents container resources (cpu, memory) and their output format --> <p>ResourceFieldSelector 表示容器资源（CPU，内存）及其输出格式。</p> <hr> <ul> <li> <p><strong>resource</strong> (string)，必需</p> <!-- Required: resource to select --> <p>必需：选择的资源。</p> </li> <li> <p><strong>containerName</strong> (string)</p> <!-- Container name: required for volumes, optional for env vars --> <p>容器名称：对卷必需，对环境变量可选。</p> </li> <li> <p><strong>divisor</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/quantity/#Quantity">Quantity</a>)</p> <!-- Specifies the output format of the exposed resources, defaults to "1" --> <p>指定所公开的资源的输出格式，默认值为 “1”。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/volume-attachment-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/volume-attachment-v1/<!-- api_metadata: apiVersion: "storage.k8s.io/v1" import: "k8s.io/api/storage/v1" kind: "VolumeAttachment" content_type: "api_reference" description: "VolumeAttachment captures the intent to attach or detach the specified volume to/from the specified node." title: "VolumeAttachment" weight: 11 --> <p><code>apiVersion: storage.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/storage/v1&quot;</code></p> <h2 id="VolumeAttachment">VolumeAttachment</h2> <!-- VolumeAttachment captures the intent to attach or detach the specified volume to/from the specified node. VolumeAttachment objects are non-namespaced. --> <p>VolumeAttachment 抓取将指定卷挂接到指定节点或从指定节点解除挂接指定卷的意图。</p> <p>VolumeAttachment 对象未划分命名空间。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: storage.k8s.io/v1</p> </li> <li> <p><strong>kind</strong>: VolumeAttachment</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - **spec** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/volume-attachment-v1/#VolumeAttachmentSpec">VolumeAttachmentSpec</a>), required spec represents specification of the desired attach/detach volume behavior. Populated by the Kubernetes system. --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-parameters/common-parameters/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-parameters/common-parameters/<!-- api_metadata: apiVersion: "" import: "" kind: "Common Parameters" content_type: "api_reference" description: "" title: "Common Parameters" weight: 11 auto_generated: true --> <h2 id="allowWatchBookmarks">allowWatchBookmarks</h2> <!-- allowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. --> <p>allowWatchBookmarks 字段请求类型为 BOOKMARK 的监视事件。 没有实现书签的服务器可能会忽略这个标志，并根据服务器的判断发送书签。 客户端不应该假设书签会在任何特定的时间间隔返回，也不应该假设服务器会在会话期间发送任何书签事件。 如果当前请求不是 watch 请求，则忽略该字段。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/adding-windows-nodes/<!-- title: Adding Windows worker nodes content_type: task weight: 11 --> <!-- overview --> <div class="feature-state-notice feature-beta"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.18 [beta]</code> </div> <!-- This page explains how to add Windows worker nodes to a kubeadm cluster. --> <p>本页介绍如何将 Linux 工作节点添加到 kubeadm 集群。</p> <h2 id="准备开始">准备开始</h2> <!-- * A running [Windows Server 2022](https://www.microsoft.com/cloud-platform/windows-server-pricing) (or higher) instance with administrative access. * A running kubeadm cluster created by `kubeadm init` and following the steps in the document [Creating a cluster with kubeadm](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/). --> <ul> <li>一个正在运行的 <a href="https://www.microsoft.com/cloud-platform/windows-server-pricing">Windows Server 2022</a> （或更高版本）实例，且具备管理权限。</li> <li>一个正在运行的、由 <code>kubeadm init</code> 命令创建的集群，且集群的创建遵循 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/">使用 kubeadm 创建集群</a> 文档中所给的步骤。</li> </ul> <!-- steps --> <!-- ## Adding Windows worker nodes --> <h2 id="adding-windows-worker-nodes">添加 Windows 工作节点</h2> <div class="alert alert-info" role="note"><h4 class="alert-heading">说明：</h4><!-- To facilitate the addition of Windows worker nodes to a cluster, PowerShell scripts from the repository https://sigs.k8s.io/sig-windows-tools are used. --> <p>为了方便将 Windows 工作节点添加到集群，下面会用到代码仓库 <a href="https://sigs.k8s.io/sig-windows-tools">https://sigs.k8s.io/sig-windows-tools</a> 里的 PowerShell 脚本。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v1/<!-- api_metadata: apiVersion: "autoscaling/v1" import: "k8s.io/api/autoscaling/v1" kind: "HorizontalPodAutoscaler" content_type: "api_reference" description: "configuration of a horizontal pod autoscaler." title: "HorizontalPodAutoscaler" weight: 12 auto_generated: true --> <p><code>apiVersion: autoscaling/v1</code></p> <p><code>import &quot;k8s.io/api/autoscaling/v1&quot;</code></p> <!-- ## HorizontalPodAutoscaler {#HorizontalPodAutoscaler} configuration of a horizontal pod autoscaler. --> <h2 id="HorizontalPodAutoscaler">HorizontalPodAutoscaler</h2> <p>水平 Pod 自动缩放器的配置。</p> <hr> <!-- - **apiVersion**: autoscaling/v1 - **kind**: HorizontalPodAutoscaler --> <ul> <li> <p><strong>apiVersion</strong>: autoscaling/v1</p> </li> <li> <p><strong>kind</strong>: HorizontalPodAutoscaler</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p> <p>标准的对象元数据。 更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</a></p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/status/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/status/<!-- api_metadata: apiVersion: "" import: "k8s.io/apimachinery/pkg/apis/meta/v1" kind: "Status" content_type: "api_reference" description: "Status is a return value for calls that don't return other objects." title: "Status" weight: 12 auto_generated: true --> <p><code>import &quot;k8s.io/apimachinery/pkg/apis/meta/v1&quot;</code></p> <!-- Status is a return value for calls that don't return other objects. --> <p>状态（Status）是不返回其他对象的调用的返回值。</p> <hr> <ul> <li> <p><strong>apiVersion</strong> (string)</p> <!-- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources --> <p><code>apiVersion</code> 定义对象表示的版本化模式。 服务器应将已识别的模式转换为最新的内部值，并可能拒绝无法识别的值。 更多信息： <a href="https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources">https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources</a></p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/volume-attributes-class-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/config-and-storage-resources/volume-attributes-class-v1/<!-- api_metadata: apiVersion: "storage.k8s.io/v1" import: "k8s.io/api/storage/v1" kind: "VolumeAttributesClass" content_type: "api_reference" description: "VolumeAttributesClass represents a specification of mutable volume attributes defined by the CSI driver." title: "VolumeAttributesClass" weight: 12 auto_generated: true --> <p><code>apiVersion: storage.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/storage/v1&quot;</code></p> <h2 id="VolumeAttributesClass">VolumeAttributesClass</h2> <!-- VolumeAttributesClass represents a specification of mutable volume attributes defined by the CSI driver. The class can be specified during dynamic provisioning of PersistentVolumeClaims, and changed in the PersistentVolumeClaim spec after provisioning. --> <p>VolumeAttributesClass 表示由 CSI 驱动所定义的可变更卷属性的规约。 此类可以在动态制备 PersistentVolumeClaim 期间被指定， 并且可以在制备之后在 PersistentVolumeClaim 规约中更改。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/horizontal-pod-autoscaler-v2/<!-- api_metadata: apiVersion: "autoscaling/v2" import: "k8s.io/api/autoscaling/v2" kind: "HorizontalPodAutoscaler" content_type: "api_reference" description: "HorizontalPodAutoscaler is the configuration for a horizontal pod autoscaler, which automatically manages the replica count of any resource implementing the scale subresource based on the metrics specified." title: "HorizontalPodAutoscaler" weight: 13 auto_generated: true --> <p><code>apiVersion: autoscaling/v2</code></p> <p><code>import &quot;k8s.io/api/autoscaling/v2&quot;</code></p> <h2 id="HorizontalPodAutoscaler">HorizontalPodAutoscaler</h2> <!-- HorizontalPodAutoscaler is the configuration for a horizontal pod autoscaler, which automatically manages the replica count of any resource implementing the scale subresource based on the metrics specified. --> <p>HorizontalPodAutoscaler 是水平 Pod 自动扩缩器的配置， 它根据指定的指标自动管理实现 scale 子资源的任何资源的副本数。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/typed-local-object-reference/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/typed-local-object-reference/<!-- api_metadata: apiVersion: "" import: "k8s.io/api/core/v1" kind: "TypedLocalObjectReference" content_type: "api_reference" description: "TypedLocalObjectReference contains enough information to let you locate the typed referenced object inside the same namespace." title: "TypedLocalObjectReference" weight: 13 auto_generated: true --> <p><code>import &quot;k8s.io/api/core/v1&quot;</code></p> <!-- TypedLocalObjectReference contains enough information to let you locate the typed referenced object inside the same namespace. --> <p>TypedLocalObjectReference 包含足够的信息，可以让你在同一个名称空间中定位特定类型的引用对象。</p> <hr> <!-- - **kind** (string), required Kind is the type of resource being referenced - **name** (string), required Name is the name of resource being referenced - **apiGroup** (string) APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required. --> <ul> <li> <p><strong>kind</strong> (string)，必需</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/priority-class-v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/priority-class-v1/<!-- api_metadata: apiVersion: "scheduling.k8s.io/v1" import: "k8s.io/api/scheduling/v1" kind: "PriorityClass" content_type: "api_reference" description: "PriorityClass defines mapping from a priority class name to the priority integer value." title: "PriorityClass" weight: 14 auto_generated: true --> <p><code>apiVersion: scheduling.k8s.io/v1</code></p> <p><code>import &quot;k8s.io/api/scheduling/v1&quot;</code></p> <h2 id="PriorityClass">PriorityClass</h2> <!-- PriorityClass defines mapping from a priority class name to the priority integer value. The value can be any valid integer. --> <p>PriorityClass 定义了从优先级类名到优先级数值的映射。 该值可以是任何有效的整数。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: scheduling.k8s.io/v1</p> </li> <li> <p><strong>kind</strong>: PriorityClass</p> </li> </ul> <!-- - **metadata** (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>) Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata --> <ul> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/device-taint-rule-v1alpha3/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/device-taint-rule-v1alpha3/<!-- api_metadata: apiVersion: "resource.k8s.io/v1alpha3" import: "k8s.io/api/resource/v1alpha3" kind: "DeviceTaintRule" content_type: "api_reference" description: "DeviceTaintRule adds one taint to all devices which match the selector." title: "DeviceTaintRule v1alpha3" weight: 15 auto_generated: true --> <p><code>apiVersion: resource.k8s.io/v1alpha3</code></p> <p><code>import &quot;k8s.io/api/resource/v1alpha3&quot;</code></p> <h2 id="DeviceTaintRule">DeviceTaintRule</h2> <!-- DeviceTaintRule adds one taint to all devices which match the selector. This has the same effect as if the taint was specified directly in the ResourceSlice by the DRA driver. --> <p>DeviceTaintRule 添加一个污点到与选择算符匹配的所有设备上。 这与通过 DRA 驱动直接在 ResourceSlice 中指定污点具有同样的效果。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/node-autoscaling/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/node-autoscaling/<!-- reviewers: - gjtempleton - jonathan-innis - maciekpytel title: Node Autoscaling linkTitle: Node Autoscaling description: >- Automatically provision and consolidate the Nodes in your cluster to adapt to demand and optimize cost. content_type: concept weight: 15 --> <!-- In order to run workloads in your cluster, you need <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='Nodes'>Nodes</a>. Nodes in your cluster can be _autoscaled_ - dynamically [_provisioned_](#provisioning), or [_consolidated_](#consolidation) to provide needed capacity while optimizing cost. Autoscaling is performed by Node [_autoscalers_](#autoscalers). --> <p>为了在集群中运行负载，你需要 <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='Node'>Node</a>。 集群中的 Node 可以被<strong>自动扩缩容</strong>： 通过动态<a href="#provisioning"><strong>制备</strong></a>或<a href="#consolidation"><strong>整合</strong></a>的方式提供所需的容量并优化成本。 自动扩缩容操作是由 Node <a href="#autoscalers"><strong>Autoscaler</strong></a> 执行的。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-standards/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-standards/<!-- reviewers: - tallclair title: Pod Security Standards description: > A detailed look at the different policy levels defined in the Pod Security Standards. content_type: concept weight: 15 --> <!-- overview --> <!-- The Pod Security Standards define three different _policies_ to broadly cover the security spectrum. These policies are _cumulative_ and range from highly-permissive to highly-restrictive. This guide outlines the requirements of each policy. --> <p>Pod 安全性标准定义了三种不同的<strong>策略（Policy）</strong>，以广泛覆盖安全应用场景。 这些策略是<strong>叠加式的（Cumulative）</strong>，安全级别从高度宽松至高度受限。 本指南概述了每个策略的要求。</p> <!-- | Profile | Description | | ------ | ----------- | | <strong style="white-space: nowrap">Privileged</strong> | Unrestricted policy, providing the widest possible level of permissions. This policy allows for known privilege escalations. | | <strong style="white-space: nowrap">Baseline</strong> | Minimally restrictive policy which prevents known privilege escalations. Allows the default (minimally specified) Pod configuration. | | <strong style="white-space: nowrap">Restricted</strong> | Heavily restricted policy, following current Pod hardening best practices. | --> <table> <thead> <tr> <th>Profile</th> <th>描述</th> </tr> </thead> <tbody> <tr> <td><strong style="white-space: nowrap">Privileged</strong></td> <td>不受限制的策略，提供最大可能范围的权限许可。此策略允许已知的特权提升。</td> </tr> <tr> <td><strong style="white-space: nowrap">Baseline</strong></td> <td>限制性最弱的策略，禁止已知的特权提升。允许使用默认的（规定最少）Pod 配置。</td> </tr> <tr> <td><strong style="white-space: nowrap">Restricted</strong></td> <td>限制性非常强的策略，遵循当前的保护 Pod 的最佳实践。</td> </tr> </tbody> </table> <!-- body --> <!-- ## Profile Details --> <h2 id="profile-details">Profile 细节</h2> <h3 id="privileged">Privileged</h3> <!-- **The _Privileged_ policy is purposely-open, and entirely unrestricted.** This type of policy is typically aimed at system- and infrastructure-level workloads managed by privileged, trusted users. The Privileged policy is defined by an absence of restrictions. If you define a Pod where the Privileged security policy applies, the Pod you define is able to bypass typical container isolation mechanisms. For example, you can define a Pod that has access to the node's host network. --> <p><strong><em>Privileged</em> 策略是有目的地开放且完全无限制的策略。</strong> 此类策略通常针对由特权较高、受信任的用户所管理的系统级或基础设施级负载。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubernetes/setup-extension-api-server/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubernetes/setup-extension-api-server/<!-- title: Setup an extension API server reviewers: - lavalamp - cheftako - chenopis content_type: task weight: 15 --> <!-- overview --> <!-- Setting up an extension API server to work the aggregation layer allows the Kubernetes apiserver to be extended with additional APIs, which are not part of the core Kubernetes APIs. --> <p>安装扩展的 API 服务器来使用聚合层以让 Kubernetes API 服务器使用 其它 API 进行扩展， 这些 API 不是核心 Kubernetes API 的一部分。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/feature-gates-removed/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/feature-gates-removed/<!-- title: Feature Gates (removed) weight: 15 content_type: concept --> <!-- overview --> <!-- This page contains list of feature gates that have been removed. The information on this page is for reference. A removed feature gate is different from a GA'ed or deprecated one in that a removed one is no longer recognized as a valid feature gate. However, a GA'ed or a deprecated feature gate is still recognized by the corresponding Kubernetes components although they are unable to cause any behavior differences in a cluster. --> <p>本页包含了已移除的特性门控的列表。本页的信息仅供参考。 已移除的特性门控不同于正式发布（GA）或废弃的特性门控，因为已移除的特性门控将不再被视为有效的特性门控。 然而，正式发布或废弃的特性门控仍然能被对应的 Kubernetes 组件识别，这些特性门控在集群中不会造成任何行为差异。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/resource-usage-monitoring/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/resource-usage-monitoring/<!-- reviewers: - mikedanese content_type: concept title: Tools for Monitoring Resources weight: 15 --> <!-- overview --> <!-- To scale an application and provide a reliable service, you need to understand how the application behaves when it is deployed. You can examine application performance in a Kubernetes cluster by examining the containers, [pods](/docs/concepts/workloads/pods/), [services](/docs/concepts/services-networking/service/), and the characteristics of the overall cluster. Kubernetes provides detailed information about an application's resource usage at each of these levels. This information allows you to evaluate your application's performance and where bottlenecks can be removed to improve overall performance. --> <p>要扩展应用程序并提供可靠的服务，你需要了解应用程序在部署时的行为。 你可以通过检测容器、<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods">Pod</a>、 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/">Service</a> 和整个集群的特征来检查 Kubernetes 集群中应用程序的性能。 Kubernetes 在每个级别上提供有关应用程序资源使用情况的详细信息。 此信息使你可以评估应用程序的性能，以及在何处可以消除瓶颈以提高整体性能。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/resource-metrics-pipeline/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/resource-metrics-pipeline/<!-- reviewers: - fgrzadkowski - piosz title: Resource metrics pipeline content_type: concept weight: 15 --> <!-- overview --> <!-- For Kubernetes, the _Metrics API_ offers a basic set of metrics to support automatic scaling and similar use cases. This API makes information available about resource usage for node and pod, including metrics for CPU and memory. If you deploy the Metrics API into your cluster, clients of the Kubernetes API can then query for this information, and you can use Kubernetes' access control mechanisms to manage permissions to do so. --> <p>对于 Kubernetes，<strong>Metrics API</strong> 提供了一组基本的指标，以支持自动伸缩和类似的用例。 该 API 提供有关节点和 Pod 的资源使用情况的信息， 包括 CPU 和内存的指标。如果将 Metrics API 部署到集群中， 那么 Kubernetes API 的客户端就可以查询这些信息，并且可以使用 Kubernetes 的访问控制机制来管理权限。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/resource-claim-v1beta2/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/resource-claim-v1beta2/<!-- api_metadata: apiVersion: "resource.k8s.io/v1beta2" import: "k8s.io/api/resource/v1beta2" kind: "ResourceClaim" content_type: "api_reference" description: "ResourceClaim describes a request for access to resources in the cluster, for use by workloads." title: "ResourceClaim v1beta2" weight: 16 auto_generated: true --> <p><code>apiVersion: resource.k8s.io/v1beta2</code></p> <p><code>import &quot;k8s.io/api/resource/v1beta2&quot;</code></p> <h2 id="ResourceClaim">ResourceClaim</h2> <!-- ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated. This is an alpha type and requires enabling the DynamicResourceAllocation feature gate. --> <p>ResourceClaim 描述对集群中供工作负载使用的资源的访问请求。 例如，如果某个工作负载需要具有特定属性的加速器设备，这就是表达该请求的方式。 状态部分跟踪此申领是否已被满足，以及具体分配了哪些资源。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/resource-claim-template-v1beta2/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/resource-claim-template-v1beta2/<!-- api_metadata: apiVersion: "resource.k8s.io/v1beta2" import: "k8s.io/api/resource/v1beta2" kind: "ResourceClaimTemplate" content_type: "api_reference" description: "ResourceClaimTemplate is used to produce ResourceClaim objects." title: "ResourceClaimTemplate v1beta2" weight: 17 auto_generated: true --> <p><code>apiVersion: resource.k8s.io/v1beta2</code></p> <p><code>import &quot;k8s.io/api/resource/v1beta2&quot;</code></p> <h2 id="ResourceClaimTemplate">ResourceClaimTemplate</h2> <!-- ResourceClaimTemplate is used to produce ResourceClaim objects. This is an alpha type and requires enabling the DynamicResourceAllocation feature gate. --> <p>ResourceClaimTemplate 用于生成 ResourceClaim 对象。</p> <p>这是一个 Alpha 类型的特性，需要启用 DynamicResourceAllocation 特性门控。</p> <hr> <ul> <li> <p><strong>apiVersion</strong>: resource.k8s.io/v1beta2</p> </li> <li> <p><strong>kind</strong>: ResourceClaimTemplate</p> </li> <li> <p><strong>metadata</strong> (<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/common-definitions/object-meta/#ObjectMeta">ObjectMeta</a>)</p> <!-- Standard object metadata --> <p>标准的对象元数据。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/resource-slice-v1beta1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/resource-slice-v1beta1/<!-- api_metadata: apiVersion: "resource.k8s.io/v1beta1" import: "k8s.io/api/resource/v1beta1" kind: "ResourceSlice" content_type: "api_reference" description: "ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver." title: "ResourceSlice v1beta1" weight: 17 auto_generated: true --> <!-- The file is auto-generated from the Go source code of the component using a generic [generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how to generate the reference documentation, please read [Contributing to the reference documentation](/docs/contribute/generate-ref-docs/). To update the reference content, please follow the [Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/) guide. You can file document formatting bugs against the [reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project. --> <p><code>apiVersion: resource.k8s.io/v1beta1</code></p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/resource-slice-v1alpha3/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/workload-resources/resource-slice-v1alpha3/<!-- api_metadata: apiVersion: "resource.k8s.io/v1alpha3" import: "k8s.io/api/resource/v1alpha3" kind: "ResourceSlice" content_type: "api_reference" description: "ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver." title: "ResourceSlice v1alpha3" weight: 18 auto_generated: true --> <p><code>apiVersion: resource.k8s.io/v1alpha3</code></p> <p><code>import &quot;k8s.io/api/resource/v1alpha3&quot;</code></p> <!-- ## ResourceSlice {#ResourceSlice} ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver. At the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple \<driver name>, \<pool name>, \<device name>. --> <h2 id="ResourceSlice">ResourceSlice</h2> <p>ResourceSlice 表示一个或多个资源，这些资源位于同一个驱动所管理的、彼此相似的资源构成的资源池。 一个池可以包含多个 ResourceSlice，一个池包含多少个 ResourceSlice 由驱动确定。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/configmap/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/configmap/<!-- title: ConfigMaps api_metadata: - apiVersion: "v1" kind: "ConfigMap" content_type: concept weight: 20 --> <!-- overview --> <!-- title: ConfigMap id: configmap full_link: /docs/concepts/configuration/configmap/ short_description: > An API object used to store non-confidential data in key-value pairs. Can be consumed as environment variables, command-line arguments, or configuration files in a volume. aka: tags: - core-object --> <!-- An API object used to store non-confidential data in key-value pairs. <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pods'>Pods</a> can consume ConfigMaps as environment variables, command-line arguments, or as configuration files in a <a class='glossary-tooltip' title='包含可被 Pod 中容器访问的数据的目录。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes/' target='_blank' aria-label='volume'>volume</a>. --> <p>ConfigMap 是一种 API 对象，用来将非机密性的数据保存到键值对中。使用时， <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 可以将其用作环境变量、命令行参数或者存储卷中的配置文件。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/participate/issue-wrangler/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/participate/issue-wrangler/<!-- title: Issue Wranglers content_type: concept weight: 20 --> <!-- overview --> <!-- Alongside the [PR Wrangler](/docs/contribute/participate/pr-wranglers),formal approvers, and reviewers, members of SIG Docs take week long shifts [triaging and categorising issues](/docs/contribute/review/for-approvers/#triage-and-categorize-issues) for the repository. --> <p>除了承担 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/participate/pr-wranglers">PR 管理者</a>的职责外， SIG Docs 正式的批准人（Approver）、评审人（Reviewer）和成员（Member） 按周轮流<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/review/for-approvers/#triage-and-categorize-issues">归类仓库的 Issue</a>。</p> <!-- body --> <!-- ## Duties Each day in a week-long shift the Issue Wrangler will be responsible for: - Triaging and tagging incoming issues daily. See [Triage and categorize issues](/docs/contribute/review/for-approvers/#triage-and-categorize-issues) for guidelines on how SIG Docs uses metadata. - Keeping an eye on stale & rotten issues within the kubernetes/website repository. - Maintenance of the [Issues board](https://github.com/orgs/kubernetes/projects/72/views/1). --> <h2 id="duties">职责</h2> <p>在为期一周的轮值期内，Issue 管理者每天负责：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/<!-- overview --> <!-- This command initializes a Kubernetes control plane node. --> <p>此命令初始化一个 Kubernetes 控制平面节点。</p> <!-- body --> <!-- ### Synopsis --> <h3 id="概要">概要</h3> <!-- Run this command in order to set up the Kubernetes control plane --> <p>运行此命令来搭建 Kubernetes 控制平面节点。</p> <!-- The "init" command executes the following phases: --> <p>&quot;init&quot; 命令执行以下阶段：</p> <!-- ``` preflight Run pre-flight checks certs Certificate generation /ca Generate the self-signed Kubernetes CA to provision identities for other Kubernetes components /apiserver Generate the certificate for serving the Kubernetes API /apiserver-kubelet-client Generate the certificate for the API server to connect to kubelet /front-proxy-ca Generate the self-signed CA to provision identities for front proxy /front-proxy-client Generate the certificate for the front proxy client /etcd-ca Generate the self-signed CA to provision identities for etcd /etcd-server Generate the certificate for serving etcd /etcd-peer Generate the certificate for etcd nodes to communicate with each other /etcd-healthcheck-client Generate the certificate for liveness probes to healthcheck etcd /apiserver-etcd-client Generate the certificate the apiserver uses to access etcd /sa Generate a private key for signing service account tokens along with its public key kubeconfig Generate all kubeconfig files necessary to establish the control plane and the admin kubeconfig file /admin Generate a kubeconfig file for the admin to use and for kubeadm itself /super-admin Generate a kubeconfig file for the super-admin /kubelet Generate a kubeconfig file for the kubelet to use *only* for cluster bootstrapping purposes /controller-manager Generate a kubeconfig file for the controller manager to use /scheduler Generate a kubeconfig file for the scheduler to use etcd Generate static Pod manifest file for local etcd /local Generate the static Pod manifest file for a local, single-node local etcd instance control-plane Generate all static Pod manifest files necessary to establish the control plane /apiserver Generates the kube-apiserver static Pod manifest /controller-manager Generates the kube-controller-manager static Pod manifest /scheduler Generates the kube-scheduler static Pod manifest kubelet-start Write kubelet settings and (re)start the kubelet wait-control-plane Wait for the control plane to start upload-config Upload the kubeadm and kubelet configuration to a ConfigMap /kubeadm Upload the kubeadm ClusterConfiguration to a ConfigMap /kubelet Upload the kubelet component config to a ConfigMap upload-certs Upload certificates to kubeadm-certs mark-control-plane Mark a node as a control-plane bootstrap-token Generates bootstrap tokens used to join a node to a cluster kubelet-finalize Updates settings relevant to the kubelet after TLS bootstrap addon Install required addons for passing conformance tests /coredns Install the CoreDNS addon to a Kubernetes cluster /kube-proxy Install the kube-proxy addon to a Kubernetes cluster show-join-command Show the join command for control-plane and worker node ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>preflight 预检 </span></span><span style="display:flex;"><span>certs 生成证书 </span></span><span style="display:flex;"><span> /ca 生成自签名根 CA 用于配置其他 kubernetes 组件 </span></span><span style="display:flex;"><span> /apiserver 生成 apiserver 的证书 </span></span><span style="display:flex;"><span> /apiserver-kubelet-client 生成 apiserver 连接到 kubelet 的证书 </span></span><span style="display:flex;"><span> /front-proxy-ca 生成前端代理自签名 CA（扩展apiserver） </span></span><span style="display:flex;"><span> /front-proxy-client 生成前端代理客户端的证书（扩展 apiserver） </span></span><span style="display:flex;"><span> /etcd-ca 生成 etcd 自签名 CA </span></span><span style="display:flex;"><span> /etcd-server 生成 etcd 服务器证书 </span></span><span style="display:flex;"><span> /etcd-peer 生成 etcd 节点相互通信的证书 </span></span><span style="display:flex;"><span> /etcd-healthcheck-client 生成 etcd 健康检查的证书 </span></span><span style="display:flex;"><span> /apiserver-etcd-client 生成 apiserver 访问 etcd 的证书 </span></span><span style="display:flex;"><span> /sa 生成用于签署服务帐户令牌的私钥和公钥 </span></span><span style="display:flex;"><span>kubeconfig 生成建立控制平面和管理所需的所有 kubeconfig 文件 </span></span><span style="display:flex;"><span> /admin 生成一个 kubeconfig 文件供管理员使用以及供 kubeadm 本身使用 </span></span><span style="display:flex;"><span> /super-admin 为超级管理员生成 kubeconfig 文件 </span></span><span style="display:flex;"><span> /kubelet 为 kubelet 生成一个 kubeconfig 文件，*仅*用于集群引导 </span></span><span style="display:flex;"><span> /controller-manager 生成 kubeconfig 文件供控制器管理器使用 </span></span><span style="display:flex;"><span> /scheduler 生成 kubeconfig 文件供调度程序使用 </span></span><span style="display:flex;"><span>etcd 为本地 etcd 生成静态 Pod 清单文件 </span></span><span style="display:flex;"><span> /local 为本地单节点本地 etcd 实例生成静态 Pod 清单文件 </span></span><span style="display:flex;"><span>control-plane 生成建立控制平面所需的所有静态 Pod 清单文件 </span></span><span style="display:flex;"><span> /apiserver 生成 kube-apiserver 静态 Pod 清单 </span></span><span style="display:flex;"><span> /controller-manager 生成 kube-controller-manager 静态 Pod 清单 </span></span><span style="display:flex;"><span> /scheduler 生成 kube-scheduler 静态 Pod 清单 </span></span><span style="display:flex;"><span>kubelet-start 写入 kubelet 设置并启动（或重启）kubelet </span></span><span style="display:flex;"><span>wait-control-plane 等待控制平面启动 </span></span><span style="display:flex;"><span>upload-config 将 kubeadm 和 kubelet 配置上传到 ConfigMap </span></span><span style="display:flex;"><span> /kubeadm 将 kubeadm 集群配置上传到 ConfigMap </span></span><span style="display:flex;"><span> /kubelet 将 kubelet 组件配置上传到 ConfigMap </span></span><span style="display:flex;"><span>upload-certs 将证书上传到 kubeadm-certs </span></span><span style="display:flex;"><span>mark-control-plane 将节点标记为控制面 </span></span><span style="display:flex;"><span>bootstrap-token 生成用于将节点加入集群的引导令牌 </span></span><span style="display:flex;"><span>kubelet-finalize 在 TLS 引导后更新与 kubelet 相关的设置 </span></span><span style="display:flex;"><span>addon 安装用于通过一致性测试所需的插件 </span></span><span style="display:flex;"><span> /coredns 将 CoreDNS 插件安装到 Kubernetes 集群 </span></span><span style="display:flex;"><span> /kube-proxy 将 kube-proxy 插件安装到 Kubernetes 集群 </span></span><span style="display:flex;"><span>show-join-command 显示控制平面和工作节点的加入命令 </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubeadm init <span style="color:#666">[</span>flags<span style="color:#666">]</span> </span></span></code></pre></div><!-- ### Options --> <h3 id="选项">选项</h3> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--apiserver-advertise-address string</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- The IP address the API Server will advertise it's listening on. If not set the default network interface will be used. --> API 服务器所公布的其正在监听的 IP 地址。如果未设置，则使用默认网络接口。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/kubectl-cmds/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/kubectl-cmds/<!-- title: kubectl Commands weight: 20 --> <!-- [kubectl Command Reference](/docs/reference/kubectl/generated/kubectl/) --> <p><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl/">kubectl 命令参考</a></p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet/<h2 id="简介">简介</h2> <!-- The kubelet is the primary "node agent" that runs on each node. It can register the node with the apiserver using one of: the hostname; a flag to override the hostname; or specific logic for a cloud provider. --> <p>kubelet 是在每个节点上运行的主要 “节点代理”。它可以使用以下方式之一向 API 服务器注册：</p> <ul> <li>主机名（hostname）；</li> <li>覆盖主机名的参数；</li> <li>特定于某云驱动的逻辑。</li> </ul> <!-- The kubelet works in terms of a PodSpec. A PodSpec is a YAML or JSON object that describes a pod. The kubelet takes a set of PodSpecs that are provided through various mechanisms (primarily through the apiserver) and ensures that the containers described in those PodSpecs are running and healthy. The kubelet doesn't manage containers which were not created by Kubernetes. --> <p>kubelet 是基于 PodSpec 来工作的。每个 PodSpec 是一个描述 Pod 的 YAML 或 JSON 对象。 kubelet 接受通过各种机制（主要是通过 apiserver）提供的一组 PodSpec，并确保这些 PodSpec 中描述的容器处于运行状态且运行状况良好。 kubelet 不管理不是由 Kubernetes 创建的容器。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/api-concepts/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/api-concepts/<!-- title: Kubernetes API Concepts reviewers: - smarterclayton - lavalamp - liggitt content_type: concept weight: 20 --> <!-- overview --> <!-- The Kubernetes API is a resource-based (RESTful) programmatic interface provided via HTTP. It supports retrieving, creating, updating, and deleting primary resources via the standard HTTP verbs (POST, PUT, PATCH, DELETE, GET). For some resources, the API includes additional subresources that allow fine-grained authorization (such as separate views for Pod details and log retrievals), and can accept and serve those resources in different representations for convenience or efficiency. --> <p>Kubernetes API 是通过 HTTP 提供的基于资源 (RESTful) 的编程接口。 它支持通过标准 HTTP 动词（POST、PUT、PATCH、DELETE、GET）检索、创建、更新和删除主要资源。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/<!-- title: Kubernetes API Aggregation Layer reviewers: - lavalamp - cheftako - chenopis content_type: concept weight: 20 --> <!-- overview --> <!-- The aggregation layer allows Kubernetes to be extended with additional APIs, beyond what is offered by the core Kubernetes APIs. The additional APIs can either be ready-made solutions such as a [metrics server](https://github.com/kubernetes-sigs/metrics-server), or APIs that you develop yourself. --> <p>使用聚合层（Aggregation Layer），用户可以通过附加的 API 扩展 Kubernetes， 而不局限于 Kubernetes 核心 API 提供的功能。 这里的附加 API 可以是现成的解决方案，比如 <a href="https://github.com/kubernetes-sigs/metrics-server">metrics server</a>， 或者你自己开发的 API。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/issues-security/security/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/issues-security/security/<!-- title: Kubernetes Security and Disclosure Information aliases: [/security/] reviewers: - eparis - erictune - philips - jessfraz content_type: concept weight: 20 --> <!-- overview --> <!-- This page describes Kubernetes security and disclosure information. --> <p>本页面介绍 Kubernetes 安全和信息披露相关的内容。</p> <!-- body --> <!-- ## Security Announcements --> <h2 id="security-announcements">安全公告</h2> <!-- Join the [kubernetes-security-announce](https://groups.google.com/forum/#!forum/kubernetes-security-announce) group for emails about security and major API announcements. --> <p>加入 <a href="https://groups.google.com/forum/#!forum/kubernetes-security-announce">kubernetes-security-announce</a> 组，以获取关于安全性和主要 API 公告的电子邮件。</p> <!-- ## Report a Vulnerability --> <h2 id="report-a-vulnerability">报告一个漏洞</h2> <!-- We're extremely grateful for security researchers and users that report vulnerabilities to the Kubernetes Open Source Community. All reports are thoroughly investigated by a set of community volunteers. --> <p>我们非常感谢向 Kubernetes 开源社区报告漏洞的安全研究人员和用户。 所有的报告都由社区志愿者进行彻底调查。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/object-management/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/object-management/<!-- overview --> <!-- The `kubectl` command-line tool supports several different ways to create and manage Kubernetes <a class='glossary-tooltip' title='Kubernetes 系统中的实体，代表了集群的部分状态。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/#kubernetes-objects' target='_blank' aria-label='objects'>objects</a>. This document provides an overview of the different approaches. Read the [Kubectl book](https://kubectl.docs.kubernetes.io) for details of managing objects by Kubectl. --> <p><code>kubectl</code> 命令行工具支持多种不同的方式来创建和管理 Kubernetes <a class='glossary-tooltip' title='Kubernetes 系统中的实体，代表了集群的部分状态。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/#kubernetes-objects' target='_blank' aria-label='对象'>对象</a>。 本文档概述了不同的方法。 阅读 <a href="https://kubectl.docs.kubernetes.io/zh/">Kubectl book</a> 来了解 kubectl 管理对象的详细信息。</p> <!-- body --> <!-- ## Management techniques --> <h2 id="管理技巧">管理技巧</h2> <div class="alert alert-danger" role="note"><h4 class="alert-heading">警告：</h4><!-- A Kubernetes object should be managed using only one technique. Mixing and matching techniques for the same object results in undefined behavior. --> <p>应该只使用一种技术来管理 Kubernetes 对象。混合和匹配技术作用在同一对象上将导致未定义行为。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-admission/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-admission/<!-- reviewers: - tallclair - liggitt title: Pod Security Admission description: > An overview of the Pod Security Admission Controller, which can enforce the Pod Security Standards. content_type: concept weight: 20 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.25 [stable]</code> </div> <!-- The Kubernetes [Pod Security Standards](/docs/concepts/security/pod-security-standards/) define different isolation levels for Pods. These standards let you define how you want to restrict the behavior of pods in a clear, consistent fashion. --> <p>Kubernetes <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-standards/">Pod 安全性标准（Security Standard）</a> 为 Pod 定义不同的隔离级别。这些标准能够让你以一种清晰、一致的方式定义如何限制 Pod 行为。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/participate/pr-wranglers/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/participate/pr-wranglers/<!-- title: PR wranglers content_type: concept weight: 20 --> <!-- overview --> <!-- SIG Docs [approvers](/docs/contribute/participate/roles-and-responsibilities/#approvers) take week-long shifts [managing pull requests](https://github.com/kubernetes/website/wiki/PR-Wranglers) for the repository. This section covers the duties of a PR wrangler. For more information on giving good reviews, see [Reviewing changes](/docs/contribute/review/). --> <p>SIG Docs 的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/participate/roles-and-responsibilities/#approvers">批准人（Approver）</a> 们每周轮流负责<a href="https://github.com/kubernetes/website/wiki/PR-Wranglers">管理仓库的 PR</a>。</p> <p>本节介绍 PR 管理者的职责。关于如何提供较好的评审意见， 可参阅<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/review/">评审变更</a>。</p> <!-- body --> <!-- ## Duties Each day in a week-long shift as PR Wrangler: - Review [open pull requests](https://github.com/kubernetes/website/pulls) for quality and adherence to the [Style](/docs/contribute/style/style-guide/) and [Content](/docs/contribute/style/content-guide/) guides. - Start with the smallest PRs (`size/XS`) first, and end with the largest (`size/XXL`). Review as many PRs as you can. --> <h2 id="duties">职责</h2> <p>在为期一周的轮值期内，PR 管理者要：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/replicaset/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/replicaset/<!-- # NOTE TO LOCALIZATION TEAMS # # If updating front matter for your localization because there is still # a "feature" key in this page, then you also need to update # content/??/docs/concepts/architecture/self-healing.md (which is where # it moved to) reviewers: - Kashomon - bprashanth - madhusudancs title: ReplicaSet api_metadata: - apiVersion: "apps/v1" kind: "ReplicaSet" content_type: concept description: >- A ReplicaSet's purpose is to maintain a stable set of replica Pods running at any given time. Usually, you define a Deployment and let that Deployment manage ReplicaSets automatically. weight: 20 hide_summary: true # Listed separately in section index --> <!-- overview --> <!-- A ReplicaSet's purpose is to maintain a stable set of replica Pods running at any given time. As such, it is often used to guarantee the availability of a specified number of identical Pods. --> <p>ReplicaSet 的目的是维护一组在任何时候都处于运行状态的 Pod 副本的稳定集合。 因此，它通常用来保证给定数量的、完全相同的 Pod 的可用性。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/<!-- reviewers: - jsafrane - saad-ali - thockin - msau42 - xing-yang title: Persistent Volumes api_metadata: - apiVersion: "v1" kind: "PersistentVolume" - apiVersion: "v1" kind: "PersistentVolumeClaim" feature: title: Storage orchestration description: > Automatically mount the storage system of your choice, whether from local storage, a public cloud provider, or a network storage system such as iSCSI or NFS. content_type: concept weight: 20 --> <!-- overview --> <!-- This document describes _persistent volumes_ in Kubernetes. Familiarity with [volumes](/docs/concepts/storage/volumes/), [StorageClasses](/docs/concepts/storage/storage-classes/) and [VolumeAttributesClasses](/docs/concepts/storage/volume-attributes-classes/) is suggested. --> <p>本文描述 Kubernetes 中的<strong>持久卷（Persistent Volumes）</strong>。 建议先熟悉<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes/">卷（Volume）</a>、 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/storage-classes/">存储类（StorageClass）</a>和 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volume-attributes-classes/">卷属性类（VolumeAttributesClass）</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/scheduling/config/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/scheduling/config/<!-- title: Scheduler Configuration content_type: concept weight: 20 --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.25 [stable]</code> </div> <!-- You can customize the behavior of the `kube-scheduler` by writing a configuration file and passing its path as a command line argument. --> <p>你可以通过编写配置文件，并将其路径传给 <code>kube-scheduler</code> 的命令行参数，定制 <code>kube-scheduler</code> 的行为。</p> <!-- overview --> <!-- body --> <!-- A scheduling Profile allows you to configure the different stages of scheduling in the <a class='glossary-tooltip' title='控制平面组件，负责监视新创建的、未指定运行节点的 Pod，选择节点让 Pod 在上面运行。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kube-scheduler/' target='_blank' aria-label='kube-scheduler'>kube-scheduler</a>. Each stage is exposed in an extension point. Plugins provide scheduling behaviors by implementing one or more of these extension points. --> <p>调度模板（Profile）允许你配置 <a class='glossary-tooltip' title='控制平面组件，负责监视新创建的、未指定运行节点的 Pod，选择节点让 Pod 在上面运行。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kube-scheduler/' target='_blank' aria-label='kube-scheduler'>kube-scheduler</a> 中的不同调度阶段。每个阶段都暴露于某个扩展点中。插件通过实现一个或多个扩展点来提供调度行为。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-application/debug-service/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-application/debug-service/<!-- reviewers: - thockin - bowei content_type: task title: Debug Services weight: 20 --> <!-- overview --> <!-- An issue that comes up rather frequently for new installations of Kubernetes is that a Service is not working properly. You've run your Pods through a Deployment (or other workload controller) and created a Service, but you get no response when you try to access it. This document will hopefully help you to figure out what's going wrong. --> <p>对于新安装的 Kubernetes，经常出现的问题是 Service 无法正常运行。你已经通过 Deployment（或其他工作负载控制器）运行了 Pod，并创建 Service ， 但是当你尝试访问它时，没有任何响应。此文档有望对你有所帮助并找出问题所在。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/inject-data-application/define-interdependent-environment-variables/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/inject-data-application/define-interdependent-environment-variables/<!-- title: Define Dependent Environment Variables --> <!-- overview --> <!-- This page shows how to define dependent environment variables for a container in a Kubernetes Pod. --> <p>本页展示了如何为 Kubernetes Pod 中的容器定义相互依赖的环境变量。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-daemon/rollback-daemon-set/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-daemon/rollback-daemon-set/<!-- reviewers: - janetkuo title: Perform a Rollback on a DaemonSet content_type: task weight: 20 min-kubernetes-server-version: 1.7 --> <!-- overview --> <!-- This page shows how to perform a rollback on a <a class='glossary-tooltip' title='确保 Pod 的副本在集群中的一组节点上运行。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/daemonset/' target='_blank' aria-label='DaemonSet'>DaemonSet</a>. --> <p>本文展示了如何对 <a class='glossary-tooltip' title='确保 Pod 的副本在集群中的一组节点上运行。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/daemonset/' target='_blank' aria-label='DaemonSet'>DaemonSet</a> 执行回滚。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/troubleshooting-kubeadm/<!-- title: Troubleshooting kubeadm content_type: concept weight: 20 --> <!-- overview --> <!-- As with any program, you might run into an error installing or running kubeadm. This page lists some common failure scenarios and have provided steps that can help you understand and fix the problem. If your problem is not listed below, please follow the following steps: - If you think your problem is a bug with kubeadm: - Go to [github.com/kubernetes/kubeadm](https://github.com/kubernetes/kubeadm/issues) and search for existing issues. - If no issue exists, please [open one](https://github.com/kubernetes/kubeadm/issues/new) and follow the issue template. - If you are unsure about how kubeadm works, you can ask on [Slack](https://slack.k8s.io/) in `#kubeadm`, or open a question on [StackOverflow](https://stackoverflow.com/questions/tagged/kubernetes). Please include relevant tags like `#kubernetes` and `#kubeadm` so folks can help you. --> <p>与任何程序一样，你可能会在安装或者运行 kubeadm 时遇到错误。 本文列举了一些常见的故障场景，并提供可帮助你理解和解决这些问题的步骤。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/access-cluster/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/access-cluster/<!-- title: Accessing Clusters weight: 20 content_type: concept --> <!-- overview --> <!-- This topic discusses multiple ways to interact with clusters. --> <p>本文阐述多种与集群交互的方法。</p> <nav id="TableOfContents"> <ul> <li><a href="#accessing-for-the-first-time-with-kubectl">使用 kubectl 完成集群的第一次访问</a></li> <li><a href="#directly-accessing-the-rest-api">直接访问 REST API</a> <ul> <li><a href="#using-kubectl-proxy">使用 kubectl proxy</a></li> <li><a href="#without-kubectl-proxy">不使用 kubectl proxy</a></li> </ul> </li> <li><a href="#programmatic-access-to-the-api">以编程方式访问 API</a> <ul> <li><a href="#go-client">Go 客户端</a></li> <li><a href="#python-client">Python 客户端</a></li> <li><a href="#other-languages">其它语言</a></li> <li><a href="#accessing-the-api-from-a-pod">从 Pod 中访问 API</a></li> </ul> </li> <li><a href="#accessing-services-running-on-the-cluster">访问集群上运行的服务</a></li> <li><a href="#requesting-redirects">请求重定向</a></li> <li><a href="#so-many-proxies">多种代理</a></li> </ul> </nav> <!-- body --> <!-- ## Accessing for the first time with kubectl When accessing the Kubernetes API for the first time, we suggest using the Kubernetes CLI, `kubectl`. To access a cluster, you need to know the location of the cluster and have credentials to access it. Typically, this is automatically set-up when you work through a [Getting started guide](/docs/setup/), or someone else set up the cluster and provided you with credentials and a location. Check the location and credentials that kubectl knows about with this command: --> <h2 id="accessing-for-the-first-time-with-kubectl">使用 kubectl 完成集群的第一次访问</h2> <p>当你第一次访问 Kubernetes API 的时候，我们建议你使用 Kubernetes CLI 工具 <code>kubectl</code>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/instrumentation/slis/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/instrumentation/slis/<!-- reviewers: - logicalhan title: Kubernetes Component SLI Metrics linkTitle: Service Level Indicator Metrics content_type: reference weight: 20 description: >- High-level indicators for measuring the reliability and performance of Kubernetes components. --> <!-- overview --> <div class="feature-state-notice feature-stable" title="特性门控： ComponentSLIs"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.32 [stable]</code>（默认启用）</div> <!-- By default, Kubernetes 1.35 publishes Service Level Indicator (SLI) metrics for each Kubernetes component binary. This metric endpoint is exposed on the serving HTTPS port of each component, at the path `/metrics/slis`. The `ComponentSLIs` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) defaults to enabled for each Kubernetes component as of v1.27. --> <p>默认情况下，Kubernetes 1.35 会为每个 Kubernetes 组件的二进制文件发布服务等级指标（SLI）。 此指标端点被暴露在每个组件提供 HTTPS 服务的端口上，路径为 <code>/metrics/slis</code>。 从 v1.27 版本开始，对每个 Kubernetes 组件而言， <code>ComponentSLIs</code> <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/feature-gates/">特性门控</a>都是默认启用的。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/topics-on-dockershim-and-cri-compatible-runtimes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/topics-on-dockershim-and-cri-compatible-runtimes/<!-- title: Articles on dockershim Removal and on Using CRI-compatible Runtimes content_type: reference weight: 20 --> <!-- overview --> <!-- This is a list of articles and other pages that are either about the Kubernetes' deprecation and removal of _dockershim_, or about using CRI-compatible container runtimes, in connection with that removal. --> <p>这是关于 Kubernetes 弃用和移除 <strong>dockershim</strong> 或使用兼容 CRI 的容器运行时相关的文章和其他页面的列表。</p> <!-- body --> <!-- ## Kubernetes project * Kubernetes blog: [Dockershim Removal FAQ](/blog/2020/12/02/dockershim-faq/) (originally published 2020/12/02) * Kubernetes blog: [Updated: Dockershim Removal FAQ](/blog/2022/02/17/dockershim-faq/) (updated published 2022/02/17) * Kubernetes blog: [Kubernetes is Moving on From Dockershim: Commitments and Next Steps](/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim/) (published 2022/01/07) * Kubernetes blog: [Dockershim removal is coming. Are you ready?](/blog/2021/11/12/are-you-ready-for-dockershim-removal/) (published 2021/11/12) * Kubernetes documentation: [Migrating from dockershim](/docs/tasks/administer-cluster/migrating-from-dockershim/) * Kubernetes documentation: [Container Runtimes](/docs/setup/production-environment/container-runtimes/) * Kubernetes enhancement proposal: [KEP-2221: Removing dockershim from kubelet](https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/2221-remove-dockershim/README.md) * Kubernetes enhancement proposal issue: [Removing dockershim from kubelet](https://github.com/kubernetes/enhancements/issues/2221) (_k/enhancements#2221_) --> <h2 id="kubernetes-project">Kubernetes 项目</h2> <ul> <li> <p>Kubernetes 博客：<a href="https://andygol-k8s.netlify.app/zh-cn/blog/2020/12/02/dockershim-faq/">Dockershim 移除常见问题解答</a>（最初发表于 2020/12/02）</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/<!-- reviewers: - davidopp - dom4ha - kevin-wangzefeng - macsko - sanposhiho title: Assigning Pods to Nodes content_type: concept weight: 20 --> <!-- overview --> <!-- You can constrain a <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> so that it is _restricted_ to run on particular <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='node(s)'>node(s)</a>, or to _prefer_ to run on particular nodes. There are several ways to do this and the recommended approaches all use [label selectors](/docs/concepts/overview/working-with-objects/labels/) to facilitate the selection. Often, you do not need to set any such constraints; the <a class='glossary-tooltip' title='控制平面组件，负责监视新创建的、未指定运行节点的 Pod，选择节点让 Pod 在上面运行。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kube-scheduler/' target='_blank' aria-label='scheduler'>scheduler</a> will automatically do a reasonable placement (for example, spreading your Pods across nodes so as not place Pods on a node with insufficient free resources). However, there are some circumstances where you may want to control which node the Pod deploys to, for example, to ensure that a Pod ends up on a node with an SSD attached to it, or to co-locate Pods from two different services that communicate a lot into the same availability zone. --> <p>你可以约束一个 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 以便<strong>限制</strong>其只能在特定的<a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='节点'>节点</a>上运行， 或优先在特定的节点上运行。有几种方法可以实现这点， 推荐的方法都是用<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/labels/">标签选择算符</a>来进行选择。 通常这样的约束不是必须的，因为调度器将自动进行合理的放置（比如，将 Pod 分散到节点上， 而不是将 Pod 放置在可用资源不足的节点上等等）。但在某些情况下，你可能需要进一步控制 Pod 被部署到哪个节点。例如，确保 Pod 最终落在连接了 SSD 的机器上， 或者将来自两个不同的服务且有大量通信的 Pod 被放置在同一个可用区。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/monitor-node-health/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/monitor-node-health/<!-- title: Monitor Node Health content_type: task reviewers: - Random-Liu - dchen1107 weight: 20 --> <!-- overview --> <!-- *Node Problem Detector* is a daemon for monitoring and reporting about a node's health. You can run Node Problem Detector as a `DaemonSet` or as a standalone daemon. Node Problem Detector collects information about node problems from various daemons and reports these conditions to the API server as Node [Condition](/docs/concepts/architecture/nodes/#condition)s or as [Event](/docs/reference/kubernetes-api/cluster-resources/event-v1)s. To learn how to install and use Node Problem Detector, see [Node Problem Detector project documentation](https://github.com/kubernetes/node-problem-detector). --> <p><strong>节点问题检测器（Node Problem Detector）</strong> 是一个守护程序，用于监视和报告节点的健康状况。 你可以将节点问题探测器以 <code>DaemonSet</code> 或独立守护程序运行。 节点问题检测器从各种守护进程收集节点问题，并以节点 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/#condition">Condition</a> 和 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/event-v1">Event</a> 的形式报告给 API 服务器。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/control-plane-node-communication/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/control-plane-node-communication/<!-- reviewers: - dchen1107 - liggitt title: Communication between Nodes and the Control Plane content_type: concept weight: 20 aliases: - master-node-communication --> <!-- overview --> <!-- This document catalogs the communication paths between the <a class='glossary-tooltip' title='提供 Kubernetes API 服务的控制面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/#kube-apiserver' target='_blank' aria-label='API server'>API server</a> and the Kubernetes <a class='glossary-tooltip' title='一组工作机器，称为节点，会运行容器化应用程序。每个集群至少有一个工作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-cluster' target='_blank' aria-label='cluster'>cluster</a>. The intent is to allow users to customize their installation to harden the network configuration such that the cluster can be run on an untrusted network (or on fully public IPs on a cloud provider). --> <p>本文列举控制面节点（确切地说是 <a class='glossary-tooltip' title='提供 Kubernetes API 服务的控制面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/#kube-apiserver' target='_blank' aria-label='API 服务器'>API 服务器</a>）和 Kubernetes <a class='glossary-tooltip' title='一组工作机器，称为节点，会运行容器化应用程序。每个集群至少有一个工作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-cluster' target='_blank' aria-label='集群'>集群</a>之间的通信路径。 目的是为了让用户能够自定义他们的安装，以实现对网络配置的加固， 使得集群能够在不可信的网络上（或者在一个云服务商完全公开的 IP 上）运行。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubernetes/configure-multiple-schedulers/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubernetes/configure-multiple-schedulers/<!-- reviewers: - davidopp - madhusudancs title: Configure Multiple Schedulers content_type: task weight: 20 --> <!-- overview --> <!-- Kubernetes ships with a default scheduler that is described [here](/docs/reference/command-line-tools-reference/kube-scheduler/). If the default scheduler does not suit your needs you can implement your own scheduler. Moreover, you can even run multiple schedulers simultaneously alongside the default scheduler and instruct Kubernetes what scheduler to use for each of your pods. Let's learn how to run multiple schedulers in Kubernetes with an example. --> <p>Kubernetes 自带了一个默认调度器，其详细描述请查阅 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kube-scheduler/">这里</a>。 如果默认调度器不适合你的需求，你可以实现自己的调度器。 而且，你甚至可以和默认调度器一起同时运行多个调度器，并告诉 Kubernetes 为每个 Pod 使用哪个调度器。 让我们通过一个例子讲述如何在 Kubernetes 中运行多个调度器。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/review/for-approvers/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/review/for-approvers/<!-- title: Reviewing for approvers and reviewers linktitle: For approvers and reviewers slug: for-approvers content_type: concept weight: 20 --> <!-- overview --> <!-- SIG Docs [Reviewers](/docs/contribute/participate/#reviewers) and [Approvers](/docs/contribute/participate/#approvers) do a few extra things when reviewing a change. Every week a specific docs approver volunteers to triage and review pull requests. This person is the "PR Wrangler" for the week. See the [PR Wrangler scheduler](https://github.com/kubernetes/website/wiki/PR-Wranglers) for more information. To become a PR Wrangler, attend the weekly SIG Docs meeting and volunteer. Even if you are not on the schedule for the current week, you can still review pull requests (PRs) that are not already under active review. In addition to the rotation, a bot assigns reviewers and approvers for the PR based on the owners for the affected files. --> <p>SIG Docs <a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/participate/#reviewers">评阅人（Reviewers）</a> 和<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/participate/#approvers">批准人（Approvers）</a> 在对变更进行评审时需要做一些额外的事情。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/containers/container-environment/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/containers/container-environment/<!-- reviewers: - mikedanese - thockin title: Container Environment content_type: concept weight: 20 --> <!-- overview --> <!-- This page describes the resources available to Containers in the Container environment. --> <p>本页描述了在容器环境里容器可用的资源。</p> <!-- body --> <!-- ## Container environment The Kubernetes Container environment provides several important resources to Containers: * A filesystem, which is a combination of an [image](/docs/concepts/containers/images/) and one or more [volumes](/docs/concepts/storage/volumes/). * Information about the Container itself. * Information about other objects in the cluster. --> <h2 id="container-environment">容器环境</h2> <p>Kubernetes 的容器环境给容器提供了几个重要的资源：</p>https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/container-runtimes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/container-runtimes/<!-- reviewers: - vincepri - bart0sh title: Container Runtimes content_type: concept weight: 20 --> <!-- overview --> <div class="alert alert-secondary callout note" role="note"> <strong>说明：</strong> 自 1.24 版起，Dockershim 已从 Kubernetes 项目中移除。阅读 <a href="https://andygol-k8s.netlify.app/zh-cn/dockershim">Dockershim 移除的常见问题</a>了解更多详情。 </div> <!-- You need to install a <a class='glossary-tooltip' title='容器运行时是负责运行容器的软件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/container-runtimes' target='_blank' aria-label='container runtime'>container runtime</a> into each node in the cluster so that Pods can run there. This page outlines what is involved and describes related tasks for setting up nodes. --> <p>你需要在集群内每个节点上安装一个 <a class='glossary-tooltip' title='容器运行时是负责运行容器的软件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/container-runtimes' target='_blank' aria-label='容器运行时'>容器运行时</a> 以使 Pod 可以运行在上面。本文概述了所涉及的内容并描述了与节点设置相关的任务。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/<!-- title: Device Plugins description: > Device plugins let you configure your cluster with support for devices or resources that require vendor-specific setup, such as GPUs, NICs, FPGAs, or non-volatile main memory. content_type: concept weight: 20 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.26 [stable]</code> </div> <!-- Kubernetes provides a device plugin framework that you can use to advertise system hardware resources to the <a class='glossary-tooltip' title='一个在集群中每个节点上运行的代理。它保证容器都运行在 Pod 中。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet' target='_blank' aria-label='Kubelet'>Kubelet</a>. Instead of customizing the code for Kubernetes itself, vendors can implement a device plugin that you deploy either manually or as a <a class='glossary-tooltip' title='确保 Pod 的副本在集群中的一组节点上运行。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/daemonset/' target='_blank' aria-label='DaemonSet'>DaemonSet</a>. The targeted devices include GPUs, high-performance NICs, FPGAs, InfiniBand adapters, and other similar computing resources that may require vendor specific initialization and setup. --> <p>Kubernetes 提供了一个设备插件框架，你可以用它来将系统硬件资源发布到 <a class='glossary-tooltip' title='一个在集群中每个节点上运行的代理。它保证容器都运行在 Pod 中。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet' target='_blank' aria-label='Kubelet'>Kubelet</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/declarative-validation/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/declarative-validation/<!-- title: Declarative API Validation reviewers: - aaron-prindle - yongruilin - jpbetz - thockin content_type: concept weight: 20 --> <div class="feature-state-notice feature-beta"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.33 [beta]</code> </div> <!-- Kubernetes 1.35 includes optional _declarative validation_ for APIs. When enabled, the Kubernetes API server can use this mechanism rather than the legacy approach that relies on hand-written Go code (`validation.go` files) to ensure that requests against the API are valid. Kubernetes developers, and people [extending the Kubernetes API](/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/), can define validation rules directly alongside the API type definitions (`types.go` files). Code authors define pecial comment tags (e.g., `+k8s:minimum=0`). A code generator (`validation-gen`) then uses these tags to produce optimized Go code for API validation. --> <p>Kubernetes 1.35 包含可选用于 API的<strong>声明式验证</strong>特性。 当启用时，Kubernetes API 服务器可以使用此机制而不是依赖手写的 Go 代码（<code>validation.go</code> 文件）来确保针对 API 的请求是有效的。 Kubernetes 开发者和<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/">扩展 Kubernetes API</a> 的人员可以直接在 API 类型定义（<code>types.go</code> 文件）旁边定义验证规则。 代码作者定义特殊的注释标签（例如，<code>+k8s:minimum=0</code>）。 然后，一个代码生成器（<code>validation-gen</code>）会使用这些标签来生成用于 API 验证的优化 Go 代码。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/network-policy-provider/calico-network-policy/<!-- reviewers: - caseydavenport title: Use Calico for NetworkPolicy content_type: task weight: 20 --> <!-- overview --> <!-- This page shows a couple of quick ways to create a Calico cluster on Kubernetes. --> <p>本页展示了几种在 Kubernetes 上快速创建 Calico 集群的方法。</p> <h2 id="准备开始">准备开始</h2> <!-- Decide whether you want to deploy a [cloud](#creating-a-calico-cluster-with-google-kubernetes-engine-gke) or [local](#creating-a-local-calico-cluster-with-kubeadm) cluster. --> <p>确定你想部署一个<a href="#gke-cluster">云版本</a>还是<a href="#local-cluster">本地版本</a>的集群。</p> <!-- steps --> <!-- ## Creating a Calico cluster with Google Kubernetes Engine (GKE) **Prerequisite**: [gcloud](https://cloud.google.com/sdk/docs/quickstarts). --> <h2 id="gke-cluster">在 Google Kubernetes Engine (GKE) 上创建一个 Calico 集群</h2> <p><strong>先决条件</strong>：<a href="https://cloud.google.com/sdk/docs/quickstarts">gcloud</a></p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/<!-- title: Extend the Kubernetes API with CustomResourceDefinitions reviewers: - deads2k - jpbetz - liggitt - roycaihw - sttts content_type: task min-kubernetes-server-version: 1.16 weight: 20 --> <!-- overview --> <!-- This page shows how to install a [custom resource](/docs/concepts/extend-kubernetes/api-extension/custom-resources/) into the Kubernetes API by creating a [CustomResourceDefinition](/docs/reference/generated/kubernetes-api/v1.35/#customresourcedefinition-v1-apiextensions-k8s-io). --> <p>本页展示如何使用 <a href="https://andygol-k8s.netlify.app/docs/reference/generated/kubernetes-api/v1.35/#customresourcedefinition-v1-apiextensions-k8s-io">CustomResourceDefinition</a> 将<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/">定制资源（Custom Resource）</a> 安装到 Kubernetes API 上。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/assign-resources/allocate-devices-dra/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/assign-resources/allocate-devices-dra/<!-- title: Allocate Devices to Workloads with DRA content_type: task min-kubernetes-server-version: v1.34 weight: 20 --> <div class="feature-state-notice feature-stable" title="特性门控： DynamicResourceAllocation"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.35 [stable]</code>（默认启用）</div> <!-- overview --> <!-- This page shows you how to allocate devices to your Pods by using _dynamic resource allocation (DRA)_. These instructions are for workload operators. Before reading this page, familiarize yourself with how DRA works and with DRA terminology like <a class='glossary-tooltip' title='描述工作负载所需的资源，例如设备。ResourceClaim 可以针对某些 DeviceClass 请求设备。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/dynamic-resource-allocation/#resourceclaims-templates' target='_blank' aria-label='ResourceClaims'>ResourceClaims</a> and <a class='glossary-tooltip' title='定义一个模板，Kubernetes 据此创建 ResourceClaim。此模板用于为每个 Pod 提供对一些独立、相似的资源的访问权限。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/dynamic-resource-allocation/#resourceclaims-templates' target='_blank' aria-label='ResourceClaimTemplates'>ResourceClaimTemplates</a>. For more information, see [Dynamic Resource Allocation (DRA)](/docs/concepts/scheduling-eviction/dynamic-resource-allocation/). --> <p>本文介绍如何使用<strong>动态资源分配（DRA）</strong> 为 Pod 分配设备。 这些指示说明面向工作负载运维人员。在阅读本文之前，请先了解 DRA 的工作原理以及相关术语，例如 <a class='glossary-tooltip' title='描述工作负载所需的资源，例如设备。ResourceClaim 可以针对某些 DeviceClass 请求设备。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/dynamic-resource-allocation/#resourceclaims-templates' target='_blank' aria-label='ResourceClaim'>ResourceClaim</a> 和 <a class='glossary-tooltip' title='定义一个模板，Kubernetes 据此创建 ResourceClaim。此模板用于为每个 Pod 提供对一些独立、相似的资源的访问权限。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/dynamic-resource-allocation/#resourceclaims-templates' target='_blank' aria-label='ResourceClaimTemplate'>ResourceClaimTemplate</a>。 更多信息参阅<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/dynamic-resource-allocation/">动态资源分配（DRA）</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-kubernetes-objects/kustomization/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-kubernetes-objects/kustomization/<!-- title: Declarative Management of Kubernetes Objects Using Kustomize content_type: task weight: 20 --> <!-- overview --> <!-- [Kustomize](https://github.com/kubernetes-sigs/kustomize) is a standalone tool to customize Kubernetes objects through a [kustomization file](https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#kustomization). --> <p><a href="https://github.com/kubernetes-sigs/kustomize">Kustomize</a> 是一个独立的工具，用来通过 <a href="https://kubectl.docs.kubernetes.io/references/kustomize/glossary/#kustomization">kustomization 文件</a> 定制 Kubernetes 对象。</p> <!-- Since 1.14, kubectl also supports the management of Kubernetes objects using a kustomization file. To view resources found in a directory containing a kustomization file, run the following command: --> <p>从 1.14 版本开始，<code>kubectl</code> 也开始支持使用 kustomization 文件来管理 Kubernetes 对象。 要查看包含 kustomization 文件的目录中的资源，执行下面的命令：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/services/connect-applications-service/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/services/connect-applications-service/<!-- reviewers: - caesarxuchao - lavalamp - thockin title: Connecting Applications with Services content_type: tutorial weight: 20 --> <!-- overview --> <!-- ## The Kubernetes model for connecting containers Now that you have a continuously running, replicated application you can expose it on a network. Kubernetes assumes that pods can communicate with other pods, regardless of which host they land on. Kubernetes gives every pod its own cluster-private IP address, so you do not need to explicitly create links between pods or map container ports to host ports. This means that containers within a Pod can all reach each other's ports on localhost, and all pods in a cluster can see each other without NAT. The rest of this document elaborates on how you can run reliable services on such a networking model. This tutorial uses a simple nginx web server to demonstrate the concept. --> <h2 id="the-kubernetes-model-for-connecting-containers">Kubernetes 连接容器的模型</h2> <p>既然有了一个持续运行、可复制的应用，我们就能够将它暴露到网络上。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/job/coarse-parallel-processing-work-queue/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/job/coarse-parallel-processing-work-queue/<!-- title: Coarse Parallel Processing Using a Work Queue content_type: task weight: 20 --> <!-- overview --> <!-- In this example, you will run a Kubernetes Job with multiple parallel worker processes. In this example, as each pod is created, it picks up one unit of work from a task queue, completes it, deletes it from the queue, and exits. Here is an overview of the steps in this example: 1. **Start a message queue service.** In this example, you use RabbitMQ, but you could use another one. In practice you would set up a message queue service once and reuse it for many jobs. 1. **Create a queue, and fill it with messages.** Each message represents one task to be done. In this example, a message is an integer that we will do a lengthy computation on. 1. **Start a Job that works on tasks from the queue**. The Job starts several pods. Each pod takes one task from the message queue, processes it, and exits. --> <p>本例中，你将会运行包含多个并行工作进程的 Kubernetes Job。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configmap-secret/managing-secret-using-config-file/<!-- title: Managing Secrets using Configuration File content_type: task weight: 20 description: Creating Secret objects using resource configuration file. --> <!-- overview --> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/<!-- reviewers: - jbeda title: Authenticating with Bootstrap Tokens content_type: concept weight: 20 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.18 [stable]</code> </div> <!-- Bootstrap tokens are a simple bearer token that is meant to be used when creating new clusters or joining new nodes to an existing cluster. It was built to support [kubeadm](/docs/reference/setup-tools/kubeadm/), but can be used in other contexts for users that wish to start clusters without `kubeadm`. It is also built to work, via RBAC policy, with the [kubelet TLS Bootstrapping](/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/) system. --> <p>启动引导令牌是一种简单的持有者令牌（Bearer Token），这种令牌是在新建集群 或者在现有集群中添加新节点时使用的。 它被设计成能够支持 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/"><code>kubeadm</code></a>， 但是也可以被用在其他的案例中以便用户在不使用 <code>kubeadm</code> 的情况下启动集群。 它也被设计成可以通过 RBAC 策略，结合 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/">kubelet TLS 启动引导</a> 系统进行工作。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/stateless-application/guestbook/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/stateless-application/guestbook/<!-- title: "Example: Deploying PHP Guestbook application with Redis" reviewers: - ahmetb - jimangel content_type: tutorial weight: 20 card: name: tutorials weight: 30 title: "Stateless Example: PHP Guestbook with Redis" min-kubernetes-server-version: v1.14 source: https://cloud.google.com/kubernetes-engine/docs/tutorials/guestbook --> <!-- overview --> <!-- This tutorial shows you how to build and deploy a simple _(not production ready)_, multi-tier web application using Kubernetes and [Docker](https://www.docker.com/). This example consists of the following components: --> <p>本教程向你展示如何使用 Kubernetes 和 <a href="https://www.docker.com/">Docker</a> 构建和部署一个简单的 <strong>(非面向生产的)</strong> 多层 Web 应用。本例由以下组件组成：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/stateful-application/mysql-wordpress-persistent-volume/<!-- title: "Example: Deploying WordPress and MySQL with Persistent Volumes" reviewers: - ahmetb content_type: tutorial weight: 20 card: name: tutorials weight: 40 title: "Stateful Example: Wordpress with Persistent Volumes" --> <!-- overview --> <!-- This tutorial shows you how to deploy a WordPress site and a MySQL database using Minikube. Both applications use PersistentVolumes and PersistentVolumeClaims to store data. --> <p>本示例描述了如何通过 Minikube 在 Kubernetes 上安装 WordPress 和 MySQL。 这两个应用都使用 PersistentVolumes 和 PersistentVolumeClaims 保存数据。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/suggesting-improvements/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/suggesting-improvements/<!-- title: Suggesting content improvements content_type: concept weight: 20 card: name: contribute weight: 15 anchors: - anchor: "#opening-an-issue" title: Suggest content improvements --> <!-- overview --> <!-- If you notice an issue with Kubernetes documentation or have an idea for new content, then open an issue. All you need is a [GitHub account](https://github.com/join) and a web browser. In most cases, new work on Kubernetes documentation begins with an issue in GitHub. Kubernetes contributors then review, categorize and tag issues as needed. Next, you or another member of the Kubernetes community open a pull request with changes to resolve the issue. --> <p>如果你发现 Kubernetes 文档中存在问题或者你有一个关于新内容的想法， 可以考虑提出一个问题（issue）。你只需要具有 <a href="https://github.com/join">GitHub 账号</a>和 Web 浏览器就可以完成这件事。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/configuration/updating-configuration-via-a-configmap/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/configuration/updating-configuration-via-a-configmap/<!-- title: Updating Configuration via a ConfigMap content_type: tutorial weight: 20 --> <!-- overview --> <!-- This page provides a step-by-step example of updating configuration within a Pod via a ConfigMap and builds upon the [Configure a Pod to Use a ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/) task. At the end of this tutorial, you will understand how to change the configuration for a running application. This tutorial uses the `alpine` and `nginx` images as examples. --> <p>本页提供了通过 ConfigMap 更新 Pod 中配置信息的分步示例， 本教程的前置任务是<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/">配置 Pod 以使用 ConfigMap</a>。 在本教程结束时，你将了解如何变更运行中应用的配置。 本教程以 <code>alpine</code> 和 <code>nginx</code> 镜像为例。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/new-content/new-features/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/new-content/new-features/<!-- title: Documenting a feature for a release linktitle: Documenting for a release content_type: concept main_menu: true weight: 20 card: name: contribute weight: 45 title: Documenting a feature for a release --> <!-- overview --> <!-- Each major Kubernetes release introduces new features that require documentation. New releases also bring updates to existing features and documentation (such as upgrading a feature from alpha to beta). Generally, the SIG responsible for a feature submits draft documentation of the feature as a pull request to the appropriate development branch of the `kubernetes/website` repository, and someone on the SIG Docs team provides editorial feedback or edits the draft directly. This section covers the branching conventions and process used during a release by both groups. --> <p>Kubernetes 的每个主要版本发布都会包含一些需要文档说明的新功能。 新的发行版本也会更新已有的功能特性和文档（例如将某功能特性从 Alpha 升级为 Beta）。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-default-namespace/<!-- title: Configure Default CPU Requests and Limits for a Namespace content_type: task weight: 20 --> <!-- overview --> <!-- This page shows how to configure default CPU requests and limits for a <a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='namespace'>namespace</a>. A Kubernetes cluster can be divided into namespaces. If you create a Pod within a namespace that has a default CPU [limit](/docs/concepts/configuration/manage-resources-containers/#requests-and-limits), and any container in that Pod does not specify its own CPU limit, then the <a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='control plane'>control plane</a> assigns the default CPU limit to that container. Kubernetes assigns a default CPU [request](/docs/concepts/configuration/manage-resources-containers/#requests-and-limits), but only under certain conditions that are explained later in this page. --> <p>本章介绍如何为<a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='命名空间'>命名空间</a>配置默认的 CPU 请求和限制。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/assign-cpu-resource/<!-- title: Assign CPU Resources to Containers and Pods content_type: task weight: 20 --> <!-- overview --> <!-- This page shows how to assign a CPU *request* and a CPU *limit* to a container. Containers cannot use more CPU than the configured limit. Provided the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests. --> <p>本页面展示如何为容器设置 CPU <strong>request（请求）</strong> 和 CPU <strong>limit（限制）</strong>。 容器使用的 CPU 不能超过所配置的限制。 如果系统有空闲的 CPU 时间，则可以保证给容器分配其所请求数量的 CPU 资源。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/inject-data-application/define-environment-variable-container/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/inject-data-application/define-environment-variable-container/<!-- title: Define Environment Variables for a Container content_type: task weight: 20 --> <!-- overview --> <!-- This page shows how to define environment variables for a container in a Kubernetes Pod. --> <p>本页将展示如何为 Kubernetes Pod 下的容器设置环境变量。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/generate-ref-docs/contribute-upstream/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/generate-ref-docs/contribute-upstream/<!-- title: Contributing to the Upstream Kubernetes Code content_type: task weight: 20 --> <!-- overview --> <!-- This page shows how to contribute to the upstream kubernetes/kubernetes project to fix bugs found in the Kubernetes API documentation or the `kube-*` components such as `kube-apiserver`, `kube-controller-manager`, etc. --> <p>此页面描述如何为上游 <code>kubernetes/kubernetes</code> 项目做出贡献，如修复 Kubernetes API 文档或 Kubernetes 组件（例如 <code>kubeadm</code>、<code>kube-apiserver</code>、<code>kube-controller-manager</code> 等） 中发现的错误。</p> <!-- If you instead want to regenerate the reference documentation for the Kubernetes API or the `kube-*` components from the upstream code, see the following instructions: - [Generating Reference Documentation for the Kubernetes API](/docs/contribute/generate-ref-docs/kubernetes-api/) - [Generating Reference Documentation for the Kubernetes Components and Tools](/docs/contribute/generate-ref-docs/kubernetes-components/) --> <p>如果你仅想从上游代码重新生成 Kubernetes API 或 <code>kube-*</code> 组件的参考文档。请参考以下说明：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/run-single-instance-stateful-application/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/run-single-instance-stateful-application/<!-- overview --> <!-- This page shows you how to run a single-instance stateful application in Kubernetes using a PersistentVolume and a Deployment. The application is MySQL. --> <p>本文介绍在 Kubernetes 中如何使用 PersistentVolume 和 Deployment 运行一个单实例有状态应用。 该示例应用是 MySQL。</p> <h2 id="教程目标">教程目标</h2> <!-- * Create a PersistentVolume referencing a disk in your environment. * Create a MySQL Deployment. * Expose MySQL to other pods in the cluster at a known DNS name. --> <ul> <li>在你的环境中创建一个引用磁盘的 PersistentVolume。</li> <li>创建一个 MySQL Deployment。</li> <li>在集群内以一个已知的 DNS 名称将 MySQL 暴露给其他 Pod。</li> </ul> <h2 id="准备开始">准备开始</h2> <ul> <li><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/setup/best-practices/multiple-zones/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/setup/best-practices/multiple-zones/<!-- reviewers: - jlowdermilk - justinsb - quinton-hoole title: Running in multiple zones weight: 20 content_type: concept --> <!-- overview --> <!-- This page describes running a cluster across multiple zones. --> <p>本页描述如何跨多个区（Zone）运行集群。</p> <!-- body --> <!-- ## Background Kubernetes is designed so that a single Kubernetes cluster can run across multiple failure zones, typically where these zones fit within a logical grouping called a _region_. Major cloud providers define a region as a set of failure zones (also called _availability zones_) that provide a consistent set of features: within a region, each zone offers the same APIs and services. Typical cloud architectures aim to minimize the chance that a failure in one zone also impairs services in another zone. --> <h2 id="background">背景</h2> <p>Kubernetes 从设计上允许同一个 Kubernetes 集群跨多个失效区来运行， 通常这些区位于某个称作 <strong>区域（Region）</strong> 逻辑分组中。 主要的云提供商都将区域定义为一组失效区的集合（也称作 <strong>可用区（Availability Zones</strong>））， 能够提供一组一致的功能特性：每个区域内，各个可用区提供相同的 API 和服务。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/security/ns-level-pss/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/security/ns-level-pss/<!-- title: Apply Pod Security Standards at the Namespace Level content_type: tutorial weight: 20 --> <div class="alert alert-primary" role="alert"><div class="h4 alert-heading" role="heading">Note</div> <!-- This tutorial applies only for new clusters. --> <p>本教程仅适用于新集群。</p> </div> <!-- Pod Security Admission is an admission controller that applies [Pod Security Standards](/docs/concepts/security/pod-security-standards/) when pods are created. It is a feature GA'ed in v1.25. In this tutorial, you will enforce the `baseline` Pod Security Standard, one namespace at a time. You can also apply Pod Security Standards to multiple namespaces at once at the cluster level. For instructions, refer to [Apply Pod Security Standards at the cluster level](/docs/tutorials/security/cluster-level-pss/). --> <p>Pod Security Admission 是一个准入控制器，在创建 Pod 时应用 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-standards/">Pod 安全标准</a>。 这是在 v1.25 中达到正式发布（GA）的功能。 在本教程中，你将应用 <code>baseline</code> Pod 安全标准，每次一个名字空间。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/certificates/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/certificates/<!-- title: Certificates content_type: concept weight: 20 --> <!-- overview --> <!-- To learn how to generate certificates for your cluster, see [Certificates](/docs/tasks/administer-cluster/certificates/). --> <p>要了解如何为集群生成证书，参阅<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/certificates/">证书</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/policy/resource-quotas/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/policy/resource-quotas/<!-- reviewers: - derekwaynecarr title: Resource Quotas api_metadata: - apiVersion: "v1" kind: "ResourceQuota" content_type: concept weight: 20 --> <!-- overview --> <!-- When several users or teams share a cluster with a fixed number of nodes, there is a concern that one team could use more than its fair share of resources. _Resource quotas_ are a tool for administrators to address this concern. --> <p>当多个用户或团队共享具有固定节点数目的集群时，人们会担心有人使用超过其基于公平原则所分配到的资源量。</p> <p><strong>资源配额</strong>是帮助管理员解决这一问题的工具。</p> <!-- A resource quota, defined by a ResourceQuota object, provides constraints that limit aggregate resource consumption per <a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='namespace'>namespace</a>. A ResourceQuota can also limit the [quantity of objects that can be created in a namespace](#quota-on-object-count) by API kind, as well as the total amount of <a class='glossary-tooltip' title='数量确定的可供使用的基础设施（CPU、内存等）。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-infrastructure-resource' target='_blank' aria-label='infrastructure resources'>infrastructure resources</a> that may be consumed by API objects found in that namespace. --> <p>资源配额，由 ResourceQuota 对象定义， 提供了限制每个<a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='命名空间'>命名空间</a>的资源总消耗的约束。 资源配额还可以限制在命名空间中可以创建的<a href="#quota-on-object-count">对象数量</a>（按 API 类型计算）， 以及该命名空间中存在的 API 对象可能消耗的<a class='glossary-tooltip' title='数量确定的可供使用的基础设施（CPU、内存等）。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-infrastructure-resource' target='_blank' aria-label='基础设施资源'>基础设施资源</a>的总量。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/projected-volumes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/projected-volumes/<!-- reviewers: - marosset - jsturtevant - zshihang title: Projected Volumes content_type: concept weight: 21 # just after persistent volumes --> <!-- overview --> <!-- This document describes _projected volumes_ in Kubernetes. Familiarity with [volumes](/docs/concepts/storage/volumes/) is suggested. --> <p>本文档描述 Kubernetes 中的<strong>投射卷（Projected Volume）</strong>。 建议先熟悉<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes/">卷</a>概念。</p> <!-- body --> <!-- ## Introduction A `projected` volume maps several existing volume sources into the same directory. Currently, the following types of volume sources can be projected: * [`secret`](/docs/concepts/storage/volumes/#secret) * [`downwardAPI`](/docs/concepts/storage/volumes/#downwardapi) * [`configMap`](/docs/concepts/storage/volumes/#configmap) * [`serviceAccountToken`](#serviceaccounttoken) * [`clusterTrustBundle`](#clustertrustbundle) * [`podCertificate`](#podcertificate) --> <h2 id="introduction">介绍</h2> <p>一个 <code>projected</code> 卷可以将若干现有的卷源映射到同一个目录之上。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/issues-security/official-cve-feed/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/issues-security/official-cve-feed/<!-- title: Official CVE Feed linkTitle: CVE feed weight: 25 outputs: - json - html - rss layout: cve-feed --> <div class="feature-state-notice feature-beta"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.27 [beta]</code> </div> <!-- This is a community maintained list of official CVEs announced by the Kubernetes Security Response Committee. See [Kubernetes Security and Disclosure Information](/docs/reference/issues-security/security/) for more details. The Kubernetes project publishes a programmatically accessible feed of published security issues in [JSON feed](/docs/reference/issues-security/official-cve-feed/index.json) and [RSS feed](/docs/reference/issues-security/official-cve-feed/feed.xml) formats. You can access it by executing the following commands: --> <p>这是由 Kubernetes 安全响应委员会（Security Response Committee, SRC）公布的经社区维护的官方 CVE 列表。 更多细节请参阅 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/issues-security/security/">Kubernetes 安全和信息披露</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/server-side-apply/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/server-side-apply/<!-- title: Server-Side Apply reviewers: - smarterclayton - apelisse - lavalamp - liggitt content_type: concept weight: 25 --> <!-- overview --> <div class="feature-state-notice feature-stable" title="特性门控： ServerSideApply"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.22 [stable]</code>（默认启用）</div> <!-- Kubernetes supports multiple appliers collaborating to manage the fields of a single [object](/docs/concepts/overview/working-with-objects/). Server-Side Apply provides an optional mechanism for your cluster's control plane to track changes to an object's fields. At the level of a specific resource, Server-Side Apply records and tracks information about control over the fields of that object. --> <p>Kubernetes 支持多个应用程序协作管理一个<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/">对象</a>的字段。 服务器端应用为集群的控制平面提供了一种可选机制，用于跟踪对对象字段的更改。 在特定资源级别，服务器端应用记录并跟踪有关控制该对象字段的信息。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/service-accounts/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/service-accounts/<!-- title: Service Accounts description: > Learn about ServiceAccount objects in Kubernetes. api_metadata: - apiVersion: "v1" kind: "ServiceAccount" content_type: concept weight: 25 --> <!-- overview --> <!-- This page introduces the ServiceAccount object in Kubernetes, providing information about how service accounts work, use cases, limitations, alternatives, and links to resources for additional guidance. --> <p>本页介绍 Kubernetes 中的 ServiceAccount 对象， 讲述服务账号的工作原理、使用场景、限制、替代方案，还提供了一些资源链接方便查阅更多指导信息。</p> <!-- body --> <!-- ## What are service accounts? {#what-are-service-accounts} --> <h2 id="what-are-service-accounts">什么是服务账号？</h2> <!-- A service account is a type of non-human account that, in Kubernetes, provides a distinct identity in a Kubernetes cluster. Application Pods, system components, and entities inside and outside the cluster can use a specific ServiceAccount's credentials to identify as that ServiceAccount. This identity is useful in various situations, including authenticating to the API server or implementing identity-based security policies. --> <p>服务账号是在 Kubernetes 中一种用于非人类用户的账号，在 Kubernetes 集群中提供不同的身份标识。 应用 Pod、系统组件以及集群内外的实体可以使用特定 ServiceAccount 的凭据来将自己标识为该 ServiceAccount。 这种身份可用于许多场景，包括向 API 服务器进行身份认证或实现基于身份的安全策略。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/<!-- title: Versions in CustomResourceDefinitions reviewers: - sttts - liggitt content_type: task weight: 30 min-kubernetes-server-version: v1.16 --> <!-- overview --> <!-- This page explains how to add versioning information to [CustomResourceDefinitions](/docs/reference/kubernetes-api/extend-resources/custom-resource-definition-v1/), to indicate the stability level of your CustomResourceDefinitions or advance your API to a new version with conversion between API representations. It also describes how to upgrade an object from one version to another. --> <p>本页介绍如何添加版本信息到 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/extend-resources/custom-resource-definition-v1/">CustomResourceDefinitions</a>。 目的是标明 CustomResourceDefinitions 的稳定级别或者服务于 API 升级。 API 升级时需要在不同 API 表示形式之间进行转换。 本页还描述如何将对象从一个版本升级到另一个版本。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/ingress/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/ingress/<!-- reviewers: - robscott - rikatz title: Ingress api_metadata: - apiVersion: "networking.k8s.io/v1" kind: "Ingress" - apiVersion: "networking.k8s.io/v1" kind: "IngressClass" content_type: concept description: >- Make your HTTP (or HTTPS) network service available using a protocol-aware configuration mechanism, that understands web concepts like URIs, hostnames, paths, and more. The Ingress concept lets you map traffic to different backends based on rules you define via the Kubernetes API. weight: 30 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.19 [stable]</code> </div> <!-- title: Ingress id: ingress date: 2018-04-12 full_link: /docs/concepts/services-networking/ingress/ short_description: > An API object that manages external access to the services in a cluster, typically HTTP. aka: tags: - networking - architecture - extension --> <!-- An API object that manages external access to the services in a cluster, typically HTTP. --> <p>Ingress 是对集群中服务的外部访问进行管理的 API 对象，典型的访问方式是 HTTP。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver/<h2 id="简介">简介</h2> <!-- The Kubernetes API server validates and configures data for the api objects which include pods, services, replicationcontrollers, and others. The API Server services REST operations and provides the frontend to the cluster's shared state through which all other components interact. --> <p>Kubernetes API 服务器验证并配置 API 对象的数据， 这些对象包括 pods、services、replicationcontrollers 等。 API 服务器为 REST 操作提供服务，并为集群的共享状态提供前端， 所有其他组件都通过该前端进行交互。</p> <pre tabindex="0"><code>kube-apiserver [flags] </code></pre><h2 id="options">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--admission-control strings</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- Admission is divided into two phases. In the first phase, only mutating admission plugins run. In the second phase, only validating admission plugins run. The names in the below list may represent a validating plugin, a mutating plugin, or both. The order of plugins in which they are passed to this flag does not matter. Comma-delimited list of: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, ClusterTrustBundleAttest, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyServiceExternalIPs, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionPolicy, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeDeclaredFeatureValidator, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PodNodeSelector, PodSecurity, PodTolerationRestriction, PodTopologyLabels, Priority, ResourceQuota, RuntimeClass, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionPolicy, ValidatingAdmissionWebhook. (DEPRECATED: Use --enable-admission-plugins or --disable-admission-plugins instead. Will be removed in a future version.) --> 准入过程分为两个阶段。第一阶段仅运行变更型准入插件。第二阶段仅运行验证型准入插件。 以下列表中的名称可能代表验证型插件、变更型插件或两者兼有。 传递给此标志的插件顺序无关紧要。以逗号分隔的列表： AlwaysAdmit、AlwaysDeny、AlwaysPullImages、CertificateApproval、 CertificateSigning、CertificateSubjectRestriction、 ClusterTrustBundleAttest、DefaultIngressClass、DefaultStorageClass、 DefaultTolerationSeconds、DenyServiceExternalIPs、EventRateLimit、 ExtendedResourceToleration、ImagePolicyWebhook、LimitPodHardAntiAffinityTopology、 LimitRanger、MutatingAdmissionPolicy、MutatingAdmissionWebhook、NamespaceAutoProvision、 NamespaceExists、NamespaceLifecycle、NodeDeclaredFeatureValidator、NodeRestriction、 OwnerReferencesPermissionEnforcement、PersistentVolumeClaimResize、PodNodeSelector、 PodSecurity、PodTolerationRestriction、PodTopologyLabels、Priority、ResourceQuota、 RuntimeClass、ServiceAccount、StorageObjectInUseProtection TaintNodesByCondition、 ValidatingAdmissionPolicy、ValidatingAdmissionWebhook。 （已弃用：请改用 <code>--enable-admission-plugins</code> 或 <code>--disable-admission-plugins</code>。将在未来版本中移除。） </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kube-controller-manager/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kube-controller-manager/<h2 id="简介">简介</h2> <!-- The Kubernetes controller manager is a daemon that embeds the core control loops shipped with Kubernetes. In applications of robotics and automation, a control loop is a non-terminating loop that regulates the state of the system. In Kubernetes, a controller is a control loop that watches the shared state of the cluster through the apiserver and makes changes attempting to move the current state towards the desired state. Examples of controllers that ship with Kubernetes today are the replication controller, endpoints controller, namespace controller, and serviceaccounts controller. --> <p>Kubernetes 控制器管理器是一个守护进程，内嵌随 Kubernetes 一起发布的核心控制回路。 在机器人和自动化的应用中，控制回路是一个永不休止的循环，用于调节系统状态。 在 Kubernetes 中，每个控制器是一个控制回路，通过 API 服务器监视集群的共享状态， 并尝试进行更改以将当前状态转为期望状态。 目前，Kubernetes 自带的控制器例子包括副本控制器、节点控制器、命名空间控制器和服务账号控制器等。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kube-proxy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kube-proxy/<!-- title: kube-proxy content_type: tool-reference weight: 30 --> <h2 id="简介">简介</h2> <!-- The Kubernetes network proxy runs on each node. This reflects services as defined in the Kubernetes API on each node and can do simple TCP, UDP, and SCTP stream forwarding or round robin TCP, UDP, and SCTP forwarding across a set of backends. Service cluster IPs and ports are currently found through Docker-links-compatible environment variables specifying ports opened by the service proxy. There is an optional addon that provides cluster DNS for these cluster IPs. The user must create a service with the apiserver API to configure the proxy. --> <p>Kubernetes 网络代理在每个节点上运行。网络代理反映了每个节点上 Kubernetes API 中定义的服务，并且可以执行简单的 TCP、UDP 和 SCTP 流转发，或者在一组后端进行 循环 TCP、UDP 和 SCTP 转发。 当前可通过 Docker-links-compatible 环境变量找到服务集群 IP 和端口， 这些环境变量指定了服务代理打开的端口。 有一个可选的插件，可以为这些集群 IP 提供集群 DNS。 用户必须使用 apiserver API 创建服务才能配置代理。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kube-scheduler/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kube-scheduler/<!-- title: kube-scheduler content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- The Kubernetes scheduler is a control plane process which assigns Pods to Nodes. The scheduler determines which Nodes are valid placements for each Pod in the scheduling queue according to constraints and available resources. The scheduler then ranks each valid Node and binds the Pod to a suitable Node. Multiple different schedulers may be used within a cluster; kube-scheduler is the reference implementation. See [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/) for more information about scheduling and the kube-scheduler component. --> <p>Kubernetes 调度器是一个控制面进程，负责将 Pods 指派到节点上。 调度器基于约束和可用资源为调度队列中每个 Pod 确定其可合法放置的节点。 调度器之后对所有合法的节点进行排序，将 Pod 绑定到一个合适的节点。 在同一个集群中可以使用多个不同的调度器；kube-scheduler 是其参考实现。 参阅<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/">调度</a>以获得关于调度和 kube-scheduler 组件的更多信息。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/<!-- reviewers: - luxas - jbeda title: kubeadm join content_type: concept weight: 30 --> <!-- overview --> <!-- This command initializes a new Kubernetes node and joins it to the cluster. --> <p>此命令用来初始化新的 Kubernetes 节点并将其加入集群。</p> <!-- body --> <!-- Run this on any machine you wish to join an existing cluster --> <p>在你希望加入现有集群的任何机器上运行它。</p> <!-- ### Synopsis --> <h3 id="概要">概要</h3> <!-- When joining a kubeadm initialized cluster, we need to establish bidirectional trust. This is split into discovery (having the Node trust the Kubernetes Control Plane) and TLS bootstrap (having the Kubernetes Control Plane trust the Node). --> <p>当节点加入 kubeadm 初始化的集群时，我们需要建立双向信任。 这个过程可以分解为发现（让待加入节点信任 Kubernetes 控制平面节点）和 TLS 引导（让 Kubernetes 控制平面节点信任待加入节点）两个部分。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl/<!-- title: kubectl content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- kubectl controls the Kubernetes cluster manager. Find more information at: https://kubernetes.io/docs/reference/kubectl/ --> <p>kubectl 用于控制 Kubernetes 集群管理器。</p> <p>参阅更多细节： <a href="https://kubernetes.io/zh-cn/docs/reference/kubectl/">https://kubernetes.io/zh-cn/docs/reference/kubectl/</a></p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl <span style="color:#666">[</span>flags<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--as string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- Username to impersonate for the operation. User could be a regular user or a service account in a namespace. --> 操作所用的伪装用户名。用户可以是常规用户或命名空间中的服务账号。 </p> </td> </tr> <tr> <td colspan="2">--as-group strings</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- Group to impersonate for the operation, this flag can be repeated to specify multiple groups. --> 操作所用的伪装用户组，此标志可以被重复设置以指定多个组。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/kubectl/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/kubectl/<!-- title: kubectl content_type: tool-reference weight: 30 --> <h2 id="简介">简介</h2> <!-- kubectl controls the Kubernetes cluster manager. --> <p>kubectl 管理控制 Kubernetes 集群。</p> <!-- Find more information in [Command line tool](/docs/reference/kubectl/) (`kubectl`). --> <p>更多信息请查阅<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/">命令行工具</a>（<code>kubectl</code>）。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl <span style="color:#666">[</span>flags<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--add-dir-header</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- If true, adds the file directory to the header of the log messages --> 设置为 true 表示添加文件目录到日志信息头中。 </td> </tr> <tr> <td colspan="2">--alsologtostderr</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- log to standard error as well as files --> 表示将日志输出到文件的同时输出到 stderr。 </td> </tr> <tr> <td colspan="2">--as string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- Username to impersonate for the operation --> 以指定用户的身份执行操作。 </td> </tr> <tr> <td colspan="2">--as-group stringArray</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- Group to impersonate for the operation, this flag can be repeated to specify multiple groups. --> 模拟指定的组来执行操作，可以使用这个标志来指定多个组。 </td> </tr> <tr> <td colspan="2">--azure-container-registry-config string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- Path to the file containing Azure container registry configuration information. --> 包含 Azure 容器仓库配置信息的文件的路径。 </td> </tr> <tr> <td colspan="2">--cache-dir string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!-- Default: -->默认值："$HOME/.kube/cache"</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- Default cache directory --> 默认缓存目录。 </td> </tr> <tr> <td colspan="2">--certificate-authority string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- Path to a cert file for the certificate authority --> 指向证书机构的 cert 文件路径。 </td> </tr> <tr> <td colspan="2">--client-certificate string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- Path to a client certificate file for TLS --> TLS 使用的客户端证书路径。 </td> </tr> <tr> <td colspan="2">--client-key string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- Path to a client key file for TLS --> TLS 使用的客户端密钥文件路径。 </td> </tr> <tr> <td colspan="2">--cloud-provider-gce-l7lb-src-cidrs cidrs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!-- Default: -->默认值：130.211.0.0/22,35.191.0.0/16</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!--CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks--> 在 GCE 防火墙中开放的 CIDR，用来进行 L7 LB 流量代理和健康检查。 </td> </tr> <tr> <td colspan="2">--cloud-provider-gce-lb-src-cidrs cidrs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!-- Default: -->默认值：130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks --> 在 GCE 防火墙中开放的 CIDR，用来进行 L4 LB 流量代理和健康检查。 </td> </tr> <tr> <td colspan="2">--cluster string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- The name of the kubeconfig cluster to use --> 要使用的 kubeconfig 集群的名称。 </td> </tr> <tr> <td colspan="2">--context string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- The name of the kubeconfig context to use --> 要使用的 kubeconfig 上下文的名称。 </td> </tr> <tr> <td colspan="2">--default-not-ready-toleration-seconds int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!-- Default: -->默认值：300</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. --> 表示 `notReady` 状态的容忍度秒数：默认情况下，`NoExecute` 被添加到尚未具有此容忍度的每个 Pod 中。 </td> </tr> <tr> <td colspan="2">--default-unreachable-toleration-seconds int&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!-- Default: -->默认值：300</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. --> 表示 `unreachable` 状态的容忍度秒数：默认情况下，`NoExecute` 被添加到尚未具有此容忍度的每个 Pod 中。 </td> </tr> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- help for kubectl --> kubectl 操作的帮助命令 </td> </tr> <tr> <td colspan="2">--insecure-skip-tls-verify</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure --> 设置为 true，则表示不会检查服务器证书的有效性。这样会导致你的 HTTPS 连接不安全。 </td> </tr> <tr> <td colspan="2">--kubeconfig string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- Path to the kubeconfig file to use for CLI requests. --> CLI 请求使用的 kubeconfig 配置文件的路径。 </td> </tr> <tr> <td colspan="2">--log-backtrace-at traceLocation&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!-- Default: -->默认值：0</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- when logging hits line file:N, emit a stack trace --> 当日志机制运行到指定文件的指定行（file:N）时，打印调用堆栈信息 </td> </tr> <tr> <td colspan="2">--log-dir string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- If non-empty, write log files in this directory --> 如果不为空，则将日志文件写入此目录 </td> </tr> <tr> <td colspan="2">--log-file string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- If non-empty, use this log file --> 如果不为空，则将使用此日志文件 </td> </tr> <tr> <td colspan="2">--log-file-max-size uint&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!-- Default: -->默认值：1800</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. --> 定义日志文件的最大尺寸。单位为兆字节。如果值设置为 0，则表示日志文件大小不受限制。 </td> </tr> <tr> <td colspan="2">--log-flush-frequency duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值：5s</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- Maximum number of seconds between log flushes --> 两次日志刷新操作之间的最长时间（秒） </td> </tr> <tr> <td colspan="2">--logtostderr&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!-- Default: -->默认值：true</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- log to standard error instead of files --> 日志输出到 stderr 而不是文件中 </td> </tr> <tr> <td colspan="2">--match-server-version</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- Require server version to match client version --> 要求客户端版本和服务端版本相匹配 </td> </tr> <tr> <td colspan="2">-n, --namespace string</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- If present, the namespace scope for this CLI request --> 如果存在，CLI 请求将使用此命名空间 </td> <tr> <td colspan="2">--one-output</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- If true, only write logs to their native severity level (vs also writing to each lower severity level) --> 如果为 true，则只将日志写入初始严重级别（而不是同时写入所有较低的严重级别）。 </td> </tr> </tr> <tr> <td colspan="2">--password string</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- Password for basic authentication to the API server --> API 服务器进行基本身份验证的密码 </td> </tr> <tr> <td colspan="2">--profile string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!-- Default: -->默认值："none"</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) --> 要记录的性能指标的名称。可取（none|cpu|heap|goroutine|threadcreate|block|mutex）其中之一。 </td> </tr> <tr> <td colspan="2">--profile-output string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!-- Default: -->默认值："profile.pprof"</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- Name of the file to write the profile to --> 用于转储所记录的性能信息的文件名。 </td> </tr> <tr> <td colspan="2">--request-timeout string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!-- Default: -->默认值："0"</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. --> 放弃单个服务器请求之前的等待时间，非零值需要包含相应时间单位（例如：1s、2m、3h）。 零值则表示不做超时要求。 </td> </tr> <tr> <td colspan="2">-s, --server string</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- The address and port of the Kubernetes API server --> Kubernetes API 服务器的地址和端口。 </td> </tr> <tr> <td colspan="2">--skip-headers</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- If true, avoid header prefixes in the log messages --> 设置为 true 则表示跳过在日志消息中出现 header 前缀信息。 </td> </tr> <tr> <td colspan="2">--skip-log-headers</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- If true, avoid headers when opening log files --> 设置为 true 则表示在打开日志文件时跳过 header 信息。 </td> </tr> <tr> <td colspan="2">--stderrthreshold severity&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!-- Default: -->默认值：2</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- logs at or above this threshold go to stderr --> 等于或高于此阈值的日志将输出到标准错误输出（stderr） </td> </tr> <tr> <td colspan="2">--token string</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- Bearer token for authentication to the API server --> 用于对 API 服务器进行身份认证的持有者令牌 </td> </tr> <tr> <td colspan="2">--user string</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- The name of the kubeconfig user to use --> 指定使用 kubeconfig 配置文件中的用户名 </td> </tr> <tr> <td colspan="2">--username string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <!-- Username for basic authentication to the API server --> 用于 API 服务器的基本身份验证的用户名 </td> </tr> <tr> <td colspan="2">-v, --v Level</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- number for the log level verbosity --> 指定输出日志的日志详细级别 </td> </tr> <tr> <td colspan="2">--version version[=true]</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- Print version information and quit --> 打印 kubectl 版本信息并退出 </td> </tr> <tr> <td colspan="2">--vmodule moduleSpec</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- comma-separated list of pattern=N settings for file-filtered logging --> 以逗号分隔的 pattern=N 设置列表，用于过滤文件的日志记录 </td> </tr> </tbody> </table> <h2 id="环境变量">环境变量</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">KUBECONFIG</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- Path to the kubectl configuration ("kubeconfig") file. Default: "$HOME/.kube/config" --> kubectl 的配置 ("kubeconfig") 文件的路径。默认值："$HOME/.kube/config" </td> </tr> <tr> <td colspan="2">KUBECTL_EXPLAIN_OPENAPIV3</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- Toggles whether calls to `kubectl explain` use the new OpenAPIv3 data source available. OpenAPIV3 is enabled by default since Kubernetes 1.24. --> 切换对 <code>kubectl explain</code> 的调用是否使用可用的新 OpenAPIv3 数据源。 OpenAPIV3 自 Kubernetes 1.24 起默认被启用。 </td> </tr> <tr> <td colspan="2">KUBECTL_ENABLE_CMD_SHADOW</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- When set to true, external plugins can be used as subcommands for builtin commands if subcommand does not exist. In alpha stage, this feature can only be used for create command(e.g. kubectl create networkpolicy). --> 当设置为 true 时，如果子命令不存在，外部插件可以用作内置命令的子命令。 此功能处于 alpha 阶段，只能用于 create 命令（例如 <code>kubectl create networkpolicy</code>）。 </td> </tr> <tr> <td colspan="2">KUBECTL_PORT_FORWARD_WEBSOCKETS</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- When set to true, the kubectl port-forward command will attempt to stream using the websockets protocol. If the upgrade to websockets fails, the commands will fallback to use the current SPDY protocol. --> 当设置为 true 时，<code>kubectl port-forward</code> 命令将尝试使用 WebSocket 协议进行流式传输。 如果升级到 WebSocket 失败，命令将回退到使用当前的 SPDY 协议。 </td> </tr> <tr> <td colspan="2">KUBECTL_REMOTE_COMMAND_WEBSOCKETS</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- When set to true, the kubectl exec, cp, and attach commands will attempt to stream using the websockets protocol. If the upgrade to websockets fails, the commands will fallback to use the current SPDY protocol. --> 当设置为 true 时，kubectl exec、cp 和 attach 命令将尝试使用 WebSocket 协议进行流式传输。 如果升级到 WebSocket 失败，这些命令将回退为使用当前的 SPDY 协议。 </td> </tr> <tr> <td colspan="2">KUBECTL_KUBERC</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- When set to true, kuberc file is taken into account to define user specific preferences. --> 当设置为 true 时，kuberc 文件会被纳入考虑，用于定义用户特定偏好设置。 </td> </tr> <tr> <td colspan="2">KUBECTL_KYAML</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <!-- When set to true, kubectl is capable of producing Kubernetes-specific dialect of YAML output format. --> 当设置为 true 时，kubectl 可以生成 Kubernetes 特定的 YAML 输出格式。 </td> </tr> </tbody> </table> <h2 id="另请参见">另请参见</h2> <!-- * [kubectl annotate](/docs/reference/kubectl/generated/kubectl_annotate/) - Update the annotations on a resource * [kubectl api-resources](/docs/reference/kubectl/generated/kubectl_api-resources/) - Print the supported API resources on the server * [kubectl api-versions](/docs/reference/kubectl/generated/kubectl_api-versions/) - Print the supported API versions on the server, in the form of "group/version" * [kubectl apply](/docs/reference/kubectl/generated/kubectl_apply/) - Apply a configuration to a resource by filename or stdin * [kubectl attach](/docs/reference/kubectl/generated/kubectl_attach/) - Attach to a running container --> <ul> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_annotate/">kubectl annotate</a> - 更新资源所关联的注解</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_api-resources/">kubectl api-resources</a> - 打印服务器上所支持的 API 资源</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_api-versions/">kubectl api-versions</a> - 以“组/版本”的格式输出服务端所支持的 API 版本</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_apply/">kubectl apply</a> - 基于文件名或标准输入，将新的配置应用到资源上</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_attach/">kubectl attach</a> - 挂接到一个正在运行的容器</li> </ul> <!-- * [kubectl auth](/docs/reference/kubectl/generated/kubectl_auth/) - Inspect authorization * [kubectl autoscale](/docs/reference/kubectl/generated/kubectl_autoscale/) - Auto-scale a Deployment, ReplicaSet, or ReplicationController * [kubectl certificate](/docs/reference/kubectl/generated/kubectl_certificate/) - Modify certificate resources. * [kubectl cluster-info](/docs/reference/kubectl/generated/kubectl_cluster-info/) - Display cluster info * [kubectl completion](/docs/reference/kubectl/generated/kubectl_completion/) - Output shell completion code for the specified shell (bash or zsh) * [kubectl config](/docs/reference/kubectl/generated/kubectl_config/) - Modify kubeconfig files --> <ul> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_auth/">kubectl auth</a> - 检查授权信息</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_autoscale/">kubectl autoscale</a> - 对一个资源对象 （Deployment、ReplicaSet 或 ReplicationController）进行自动扩缩</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_certificate/">kubectl certificate</a> - 修改证书资源</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_cluster-info/">kubectl cluster-info</a> - 显示集群信息</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_completion/">kubectl completion</a> - 根据已经给出的 Shell（bash 或 zsh）， 输出 Shell 补全后的代码</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/">kubectl config</a> - 修改 kubeconfig 配置文件</li> </ul> <!-- * [kubectl cordon](/docs/reference/kubectl/generated/kubectl_cordon/) - Mark node as unschedulable * [kubectl cp](/docs/reference/kubectl/generated/kubectl_cp/) - Copy files and directories to and from containers. * [kubectl create](/docs/reference/kubectl/generated/kubectl_create/) - Create a resource from a file or from stdin. * [kubectl debug](/docs/reference/kubectl/generated/kubectl_debug/) - Create debugging sessions for troubleshooting workloads and nodes * [kubectl delete](/docs/reference/kubectl/generated/kubectl_delete/) - Delete resources by filenames, stdin, resources and names, or by resources and label selector --> <ul> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_cordon/">kubectl cordon</a> - 标记节点为不可调度的</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_cp/">kubectl cp</a> - 将文件和目录拷入/拷出容器</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/">kubectl create</a> - 通过文件或标准输入来创建资源</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_debug/">kubectl debug</a> - 创建用于排查工作负载和节点故障的调试会话</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_delete/">kubectl delete</a> - 通过文件名、标准输入、资源和名字删除资源， 或者通过资源和标签选择算符来删除资源</li> </ul> <!-- * [kubectl describe](/docs/reference/kubectl/generated/kubectl_describe/) - Show details of a specific resource or group of resources * [kubectl diff](/docs/reference/kubectl/generated/kubectl_diff/) - Diff live version against would-be applied version * [kubectl drain](/docs/reference/kubectl/generated/kubectl_drain/) - Drain node in preparation for maintenance * [kubectl edit](/docs/reference/kubectl/generated/kubectl_edit/) - Edit a resource on the server * [kubectl events](/docs/reference/kubectl/generated/kubectl_events/) - List events * [kubectl exec](/docs/reference/kubectl/generated/kubectl_exec/) - Execute a command in a container * [kubectl explain](/docs/reference/kubectl/generated/kubectl_explain/) - Documentation of resources * [kubectl expose](/docs/reference/kubectl/generated/kubectl_expose/) - Take a replication controller, service, deployment or pod and expose it as a new Kubernetes Service --> <ul> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_describe/">kubectl describe</a> - 显示某个资源或某组资源的详细信息</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_diff/">kubectl diff</a> - 显示目前版本与将要应用的版本之间的差异</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_drain/">kubectl drain</a> - 腾空节点，准备维护</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_edit/">kubectl edit</a> - 修改服务器上的某资源</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_events/">kubectl events</a> - 列举事件</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_exec/">kubectl exec</a> - 在容器中执行相关命令</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_explain/">kubectl explain</a> - 显示资源文档说明</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_expose/">kubectl expose</a> - 给定副本控制器、服务、Deployment 或 Pod， 将其暴露为新的 kubernetes Service</li> </ul> <!-- * [kubectl get](/docs/reference/kubectl/generated/kubectl_get/) - Display one or many resources * [kubectl kustomize](/docs/reference/kubectl/generated/kubectl_kustomize/) - Build a kustomization target from a directory or a remote url. * [kubectl label](/docs/reference/kubectl/generated/kubectl_label/) - Update the labels on a resource * [kubectl logs](/docs/reference/kubectl/generated/kubectl_logs/) - Print the logs for a container in a pod * [kubectl options](/docs/reference/kubectl/generated/kubectl_options/) - Print the list of flags inherited by all commands * [kubectl patch](/docs/reference/kubectl/generated/kubectl_patch/) - Update field(s) of a resource --> <ul> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_get/">kubectl get</a> - 显示一个或者多个资源信息</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_kustomize/">kubectl kustomize</a> - 从目录或远程 URL 中构建 kustomization</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_label/">kubectl label</a> - 更新资源的标签</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_logs/">kubectl logs</a> - 输出 Pod 中某容器的日志</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_options/">kubectl options</a> - 打印所有命令都支持的共有参数列表</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_patch/">kubectl patch</a> - 更新某资源中的字段</li> </ul> <!-- * [kubectl plugin](/docs/reference/kubectl/generated/kubectl_plugin/) - Provides utilities for interacting with plugins. * [kubectl port-forward](/docs/reference/kubectl/generated/kubectl_port-forward/) - Forward one or more local ports to a pod * [kubectl proxy](/docs/reference/kubectl/generated/kubectl_proxy/) - Run a proxy to the Kubernetes API server * [kubectl replace](/docs/reference/kubectl/generated/kubectl_replace/) - Replace a resource by filename or stdin * [kubectl rollout](/docs/reference/kubectl/generated/kubectl_rollout/) - Manage the rollout of a resource * [kubectl run](/docs/reference/kubectl/generated/kubectl_run/) - Run a particular image on the cluster --> <ul> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_plugin/">kubectl plugin</a> - 运行命令行插件</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_port-forward/">kubectl port-forward</a> - 将一个或者多个本地端口转发到 Pod</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_proxy/">kubectl proxy</a> - 运行一个 kubernetes API 服务器代理</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_replace/">kubectl replace</a> - 基于文件名或标准输入替换资源</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_rollout/">kubectl rollout</a> - 管理资源的上线</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_run/">kubectl run</a> - 在集群中使用指定镜像启动容器</li> </ul> <!-- * [kubectl scale](/docs/reference/kubectl/generated/kubectl_scale/) - Set a new size for a Deployment, ReplicaSet or Replication Controller * [kubectl set](/docs/reference/kubectl/generated/kubectl_set/) - Set specific features on objects * [kubectl taint](/docs/reference/kubectl/generated/kubectl_taint/) - Update the taints on one or more nodes * [kubectl top](/docs/reference/kubectl/generated/kubectl_top/) - Display Resource (CPU/Memory/Storage) usage. * [kubectl uncordon](/docs/reference/kubectl/generated/kubectl_uncordon/) - Mark node as schedulable * [kubectl version](/docs/reference/kubectl/generated/kubectl_version/) - Print the client and server version information * [kubectl wait](/docs/reference/kubectl/generated/kubectl_wait/) - Experimental: Wait for a specific condition on one or many resources. --> <ul> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_scale/">kubectl scale</a> - 为一个 Deployment、ReplicaSet 或 ReplicationController 设置一个新的规模值</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_set/">kubectl set</a> - 为对象设置功能特性</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_taint/">kubectl taint</a> - 在一个或者多个节点上更新污点配置</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_top/">kubectl top</a> - 显示资源（CPU/内存/存储）使用率</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_uncordon/">kubectl uncordon</a> - 标记节点为可调度的</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_version/">kubectl version</a> - 打印客户端和服务器的版本信息</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_wait/">kubectl wait</a> - 实验级特性：等待一个或多个资源达到某种状态</li> </ul>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_apply/kubectl_apply_edit-last-applied/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_apply/kubectl_apply_edit-last-applied/<!-- title: kubectl apply edit-last-applied content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Edit the latest last-applied-configuration annotations of resources from the default editor. The edit-last-applied command allows you to directly edit any API resource you can retrieve via the command-line tools. It will open the editor defined by your KUBE_EDITOR, or EDITOR environment variables, or fall back to 'vi' for Linux or 'notepad' for Windows. You can edit multiple objects, although changes are applied one at a time. The command accepts file names as well as command-line arguments, although the files you point to must be previously saved versions of resources. The default format is YAML. To edit in JSON, specify "-o json". The flag --windows-line-endings can be used to force Windows line endings, otherwise the default for your operating system will be used. In the event an error occurs while updating, a temporary file will be created on disk that contains your unapplied changes. The most common error when updating a resource is another editor changing the resource on the server. When this occurs, you will have to apply your changes to the newer version of the resource, or update your temporary saved copy to include the latest resource version. --> <p>使用默认编辑器编辑资源的最新的 last-applied-configuration 注解。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_apply/kubectl_apply_set-last-applied/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_apply/kubectl_apply_set-last-applied/<!-- title: kubectl apply set-last-applied content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Set the latest last-applied-configuration annotations by setting it to match the contents of a file. This results in the last-applied-configuration being updated as though 'kubectl apply -f&lt;file&gt; ' was run, without updating any other parts of the object. --> <p>设置 last-applied-configuration 注解使之与某文件内容相匹配。 这会导致 last-applied-configuration 被更新，就像运行了 <code>kubectl apply -f &lt;file&gt;</code> 一样， 但是不会更新对象的任何其他部分。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl apply set-last-applied -f FILENAME </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Set the last-applied-configuration of a resource to match the contents of a file kubectl apply set-last-applied -f deploy.yaml # Execute set-last-applied against each configuration file in a directory kubectl apply set-last-applied -f path/ # Set the last-applied-configuration of a resource to match the contents of a file; will create the annotation if it does not already exist kubectl apply set-last-applied -f deploy.yaml --create-annotation=true ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 设置资源的 last-applied-configuration，使之与某文件内容相同</span> </span></span><span style="display:flex;"><span>kubectl apply set-last-applied -f deploy.yaml </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 针对目录中的每一个配置文件执行 set-last-applied 操作</span> </span></span><span style="display:flex;"><span>kubectl apply set-last-applied -f path/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 设置资源的 last-applied-configuration 注解，使之与某文件内容匹配；如果该注解尚不存在，则会被创建。</span> </span></span><span style="display:flex;"><span>kubectl apply set-last-applied -f deploy.yaml --create-annotation<span style="color:#666">=</span><span style="color:#a2f">true</span> </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_apply/kubectl_apply_view-last-applied/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_apply/kubectl_apply_view-last-applied/<!-- title: kubectl apply view-last-applied content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- View the latest last-applied-configuration annotations by type/name or file. The default output will be printed to stdout in YAML format. You can use the -o option to change the output format. --> <p>根据所给类别/名称或文件来查看最新的 last-applied-configuration 注解。</p> <p>默认输出将以 YAML 格式打印到标准输出。你可以使用 -o 选项来更改输出格式。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl apply view-last-applied <span style="color:#666">(</span>TYPE <span style="color:#666">[</span>NAME | -l label<span style="color:#666">]</span> | TYPE/NAME | -f FILENAME<span style="color:#666">)</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # View the last-applied-configuration annotations by type/name in YAML kubectl apply view-last-applied deployment/nginx # View the last-applied-configuration annotations by file in JSON kubectl apply view-last-applied -f deploy.yaml -o json ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 根据所给类别/名称以 YAML 格式查看 last-applied-configuration 注解</span> </span></span><span style="display:flex;"><span>kubectl apply view-last-applied deployment/nginx </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 根据所给文件以 JSON 格式查看 last-applied-configuration 注解</span> </span></span><span style="display:flex;"><span>kubectl apply view-last-applied -f deploy.yaml -o json </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--all</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- Select all resources in the namespace of the specified resource types --> 选择指定资源类型的命名空间中的所有资源。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_auth/kubectl_auth_can-i/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_auth/kubectl_auth_can-i/<!-- title: kubectl auth can-i content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Check whether an action is allowed. VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc. TYPE is a Kubernetes resource. Shortcuts and groups will be resolved. NONRESOURCEURL is a partial URL that starts with "/". NAME is the name of a particular Kubernetes resource. This command pairs nicely with impersonation. See --as global flag. --> <p>检查某个操作是否被允许。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_auth/kubectl_auth_reconcile/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_auth/kubectl_auth_reconcile/<!-- title: kubectl auth reconcile content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Reconciles rules for RBAC role, role binding, cluster role, and cluster role binding objects. Missing objects are created, and the containing namespace is created for namespaced objects, if required. Existing roles are updated to include the permissions in the input objects, and remove extra permissions if --remove-extra-permissions is specified. Existing bindings are updated to include the subjects in the input objects, and remove extra subjects if --remove-extra-subjects is specified. This is preferred to 'apply' for RBAC resources so that semantically-aware merging of rules and subjects is done. --> <p>调和 RBAC 角色、角色绑定、集群角色和集群角色绑定对象的规则。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_auth/kubectl_auth_whoami/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_auth/kubectl_auth_whoami/<!-- title: kubectl auth whoami content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Experimental: Check who you are and your attributes (groups, extra). This command is helpful to get yourself aware of the current user attributes, especially when dynamic authentication, e.g., token webhook, auth proxy, or OIDC provider, is enabled in the Kubernetes cluster. --> <p>实验性功能：检查你的身份和属性（如所属的组、额外信息等）。</p> <ul> <li>此命令有助于让你了解当前用户属性，尤其是在 Kubernetes 集群中启用动态身份验证（例如令牌 Webhook、身份认证代理或 OIDC 提供程序）时。</li> </ul> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl auth whoami </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Get your subject attributes kubectl auth whoami # Get your subject attributes in JSON format kubectl auth whoami -o json ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 获取你的主体属性</span> </span></span><span style="display:flex;"><span>kubectl auth whoami </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 以 JSON 格式获取主体属性</span> </span></span><span style="display:flex;"><span>kubectl auth whoami -o json </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_certificate/kubectl_certificate_approve/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_certificate/kubectl_certificate_approve/<!-- title: kubectl certificate approve content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Approve a certificate signing request. kubectl certificate approve allows a cluster admin to approve a certificate signing request (CSR). This action tells a certificate signing controller to issue a certificate to the requester with the attributes requested in the CSR. SECURITY NOTICE: Depending on the requested attributes, the issued certificate can potentially grant a requester access to cluster resources or to authenticate as a requested identity. Before approving a CSR, ensure you understand what the signed certificate can do. --> <p>批准证书签名请求。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_certificate/kubectl_certificate_deny/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_certificate/kubectl_certificate_deny/<!-- title: kubectl certificate deny content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Deny a certificate signing request. kubectl certificate deny allows a cluster admin to deny a certificate signing request (CSR). This action tells a certificate signing controller to not to issue a certificate to the requester. --> <p>拒绝证书签名请求。</p> <p><code>kubectl certificate deny</code> 允许集群管理员拒绝证书签名请求 (CSR)。 此操作通知证书签名控制器不向请求者颁发证书。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl certificate deny <span style="color:#666">(</span>-f FILENAME | NAME<span style="color:#666">)</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Deny CSR 'csr-sqgzp' kubectl certificate deny csr-sqgzp ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 拒绝 CSR &#39;csr-sqgzp&#39;</span> </span></span><span style="display:flex;"><span>kubectl certificate deny csr-sqgzp </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_cluster-info/kubectl_cluster-info_dump/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_cluster-info/kubectl_cluster-info_dump/<!-- title: kubectl cluster-info dump content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Dump cluster information out suitable for debugging and diagnosing cluster problems. By default, dumps everything to stdout. You can optionally specify a directory with --output-directory. If you specify a directory, Kubernetes will build a set of files in that directory. By default, only dumps things in the current namespace and 'kube-system' namespace, but you can switch to a different namespace with the --namespaces flag, or specify --all-namespaces to dump all namespaces. The command also dumps the logs of all of the pods in the cluster; these logs are dumped into different directories based on namespace and pod name. --> <p>转储集群信息，适合于调试和诊断集群问题。默认情况下，将所有内容转储到 <code>stdout</code>。你可以使用 <code>--output-directory</code> 指定目录。如果指定目录，Kubernetes 将在该目录中构建一组文件。 默认情况下，仅转储当前命名空间和 &quot;kube-system&quot; 命名空间中的内容，但你也可以使用 <code>--namespaces</code> 标志切换到其他命名空间，或指定 <code>--all-namespaces</code> 以转储所有命名空间。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_current-context/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_current-context/<!-- title: kubectl config current-context content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Display the current-context. --> <p>显示当前上下文。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl config current-context <span style="color:#666">[</span>flags<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- # Display the current-context --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 显示当前上下文</span> </span></span><span style="display:flex;"><span>kubectl config current-context </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- help for current-context --> 关于 current-context 的帮助信息。 </p> </td> </tr> </tbody> </table> <h2 id="继承于父命令的选项">继承于父命令的选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--as string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- Username to impersonate for the operation. User could be a regular user or a service account in a namespace. --> 操作所用的伪装用户名。用户可以是常规用户或命名空间中的服务账号。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_delete-cluster/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_delete-cluster/<!-- title: kubectl config delete-cluster content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Delete the specified cluster from the kubeconfig. --> <p>从 kubeconfig 中删除指定的集群。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl config delete-cluster NAME </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- # Delete the minikube cluster --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 删除 minikube 集群</span> </span></span><span style="display:flex;"><span>kubectl config delete-cluster minikube </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- help for delete-cluster --> 关于 delete-cluster 的帮助信息。 </p> </td> </tr> </tbody> </table> <h2 id="继承于父命令的选项">继承于父命令的选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--as string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- Username to impersonate for the operation. User could be a regular user or a service account in a namespace. --> 操作所用的伪装用户名。用户可以是常规用户或命名空间中的服务账号。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_delete-context/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_delete-context/<!-- title: kubectl config delete-context content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Delete the specified context from the kubeconfig. --> <p>从 kubeconfig 中删除指定的上下文。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl config delete-context NAME </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- # Delete the context for the minikube cluster --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 删除 minikube 集群的上下文</span> </span></span><span style="display:flex;"><span>kubectl config delete-context minikube </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- help for delete-context --> 关于 delete-context 的帮助信息。 </p> </td> </tr> </tbody> </table> <h2 id="继承于父命令的选项">继承于父命令的选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--as string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- Username to impersonate for the operation. User could be a regular user or a service account in a namespace. --> 操作所用的伪装用户名。用户可以是常规用户或命名空间中的服务账号。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_delete-user/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_delete-user/<!-- title: kubectl config delete-user content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Delete the specified user from the kubeconfig. --> <p>从 kubeconfig 中删除指定用户。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl config delete-user NAME </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Delete the minikube user kubectl config delete-user minikube ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 删除 minikube 用户</span> </span></span><span style="display:flex;"><span>kubectl config delete-user minikube </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- help for delete-user --> 关于 delete-user 的帮助信息。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_get-clusters/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_get-clusters/<h2 id="简介">简介</h2> <!-- Display clusters defined in the kubeconfig. --> <p>显示 kubeconfig 中定义的集群。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl config get-clusters <span style="color:#666">[</span>flags<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # List the clusters that kubectl knows about kubectl config get-clusters ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 列出 kubectl 所知悉的集群</span> </span></span><span style="display:flex;"><span>kubectl config get-clusters </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- help for get-clusters --> 关于 get-clusters 的帮助信息。 </p> </td> </tr> </tbody> </table> <h2 id="继承于父命令的选项">继承于父命令的选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--as string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- Username to impersonate for the operation. User could be a regular user or a service account in a namespace. --> 操作所用的伪装用户名。用户可以是常规用户或命名空间中的服务账号。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_get-contexts/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_get-contexts/<!-- title: kubectl config get-contexts content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Display one or many contexts from the kubeconfig file. --> <p>显示 kubeconfig 文件中的一个或多个上下文。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl config get-contexts <span style="color:#666">[(</span>-o|--output<span style="color:#666">=)</span>name<span style="color:#666">)]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- # List all the contexts in your kubeconfig file # Describe one context in your kubeconfig file --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 列出 kubeconfig 文件中的所有上下文</span> </span></span><span style="display:flex;"><span>kubectl config get-contexts </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 描述 kubeconfig 文件中指定上下文的详细信息</span> </span></span><span style="display:flex;"><span>kubectl config get-contexts my-context </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- help for get-contexts --> 关于 get-contexts 的帮助信息。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_get-users/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_get-users/<!-- title: kubectl config get-users content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Display users defined in the kubeconfig. --> <p>显示 kubeconfig 中定义的用户。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl config get-users <span style="color:#666">[</span>flags<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- # List the users that kubectl knows about --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 列出 kubectl 知悉的用户</span> </span></span><span style="display:flex;"><span>kubectl config get-users </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- help for get-users --> 关于 get-users 的帮助信息。 </p> </td> </tr> </tbody> </table> <h2 id="继承于父命令的选项">继承于父命令的选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--as string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- Username to impersonate for the operation. User could be a regular user or a service account in a namespace. --> 操作所用的伪装用户名。用户可以是常规用户或命名空间中的服务账号。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_rename-context/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_rename-context/<!-- title: kubectl config rename-context content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Renames a context from the kubeconfig file. CONTEXT_NAME is the context name that you want to change. NEW_NAME is the new name you want to set. Note: If the context being renamed is the 'current-context', this field will also be updated. --> <p>重命名 kubeconfig 文件中的上下文。</p> <ul> <li>CONTEXT_NAME 是要更改的上下文名称。</li> <li>NEW_NAME 是要设置的新名称。</li> </ul> <p>注意：如果重命名的上下文是“当前上下文”，则该字段也将被更新。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl config rename-context CONTEXT_NAME NEW_NAME </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- # Rename the context 'old-name' to 'new-name' in your kubeconfig file --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 将 kubeconfig 文件中上下文 &#34;old-name&#34; 重命名为 &#34;new-name&#34;</span> </span></span><span style="display:flex;"><span>kubectl config rename-context old-name new-name </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- help for rename-context --> 关于 rename-context 的帮助信息。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_set/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_set/<!-- title: kubectl config set content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Set an individual value in a kubeconfig file. PROPERTY_NAME is a dot delimited name where each token represents either an attribute name or a map key. Map keys may not contain dots. PROPERTY_VALUE is the new value you want to set. Binary fields such as 'certificate-authority-data' expect a base64 encoded string unless the --set-raw-bytes flag is used. Specifying an attribute name that already exists will merge new fields on top of existing values. --> <p>设置 kubeconfig 文件中的单个值。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_set-cluster/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_set-cluster/<!-- title: kubectl config set-cluster content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Set a cluster entry in kubeconfig. Specifying a name that already exists will merge new fields on top of existing values for those fields. --> <p>设置 kubeconfig 中的集群条目。</p> <ul> <li>指定已存在的属性名称将把新字段值与现有值合并。</li> </ul> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl config set-cluster NAME <span style="color:#666">[</span>--server<span style="color:#666">=</span>server<span style="color:#666">]</span> <span style="color:#666">[</span>--certificate-authority<span style="color:#666">=</span>path/to/certificate/authority<span style="color:#666">]</span> <span style="color:#666">[</span>--insecure-skip-tls-verify<span style="color:#666">=</span>true<span style="color:#666">]</span> <span style="color:#666">[</span>--tls-server-name<span style="color:#666">=</span>example.com<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Set only the server field on the e2e cluster entry without touching other values kubectl config set-cluster e2e --server=https://1.2.3.4 # Embed certificate authority data for the e2e cluster entry kubectl config set-cluster e2e --embed-certs --certificate-authority=~/.kube/e2e/kubernetes.ca.crt # Disable cert checking for the e2e cluster entry kubectl config set-cluster e2e --insecure-skip-tls-verify=true # Set the custom TLS server name to use for validation for the e2e cluster entry kubectl config set-cluster e2e --tls-server-name=my-cluster-name # Set the proxy URL for the e2e cluster entry kubectl config set-cluster e2e --proxy-url=https://1.2.3.4 ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 仅设置 e2e 集群条目上的 server 字段，不触及其他值</span> </span></span><span style="display:flex;"><span>kubectl config set-cluster e2e --server<span style="color:#666">=</span>https://1.2.3.4 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 在 e2e 集群条目中嵌入证书颁发机构的数据</span> </span></span><span style="display:flex;"><span>kubectl config set-cluster e2e --embed-certs --certificate-authority<span style="color:#666">=</span>~/.kube/e2e/kubernetes.ca.crt </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 禁用 e2e 集群条目中的证书检查</span> </span></span><span style="display:flex;"><span>kubectl config set-cluster e2e --insecure-skip-tls-verify<span style="color:#666">=</span><span style="color:#a2f">true</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 设置用于验证 e2e 集群条目的自定义 TLS 服务器名称</span> </span></span><span style="display:flex;"><span>kubectl config set-cluster e2e --tls-server-name<span style="color:#666">=</span>my-cluster-name </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 设置 e2e 集群条目的代理 URL</span> </span></span><span style="display:flex;"><span>kubectl config set-cluster e2e --proxy-url<span style="color:#666">=</span>https://1.2.3.4 </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--certificate-authority string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- Path to certificate-authority file for the cluster entry in kubeconfig --> kubeconfig 中集群条目的证书颁发机构文件的路径。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_set-context/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_set-context/<!-- title: kubectl config set-context content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Set a context entry in kubeconfig. Specifying a name that already exists will merge new fields on top of existing values for those fields. --> <p>在 kubeconfig 中设置上下文条目。</p> <ul> <li>指定已存在的属性名称将把新字段值与现有值合并。</li> </ul> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl config set-context <span style="color:#666">[</span>NAME | --current<span style="color:#666">]</span> <span style="color:#666">[</span>--cluster<span style="color:#666">=</span>cluster_nickname<span style="color:#666">]</span> <span style="color:#666">[</span>--user<span style="color:#666">=</span>user_nickname<span style="color:#666">]</span> <span style="color:#666">[</span>--namespace<span style="color:#666">=</span>namespace<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- # Set the user field on the gce context entry without touching other values --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 在 gce 上下文条目上设置用户字段，而不影响其他值</span> </span></span><span style="display:flex;"><span>kubectl config set-context gce --user<span style="color:#666">=</span>cluster-admin </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--cluster string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- cluster for the context entry in kubeconfig --> kubeconfig 中上下文条目的集群。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_set-credentials/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_set-credentials/<!-- title: kubectl config set-credentials content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Set a user entry in kubeconfig. Specifying a name that already exists will merge new fields on top of existing values. Client-certificate flags: --client-certificate=certfile --client-key=keyfile Bearer token flags: --token=bearer_token Basic auth flags: --username=basic_user --password=basic_password Bearer token and basic auth are mutually exclusive. --> <p>在 kubeconfig 中设置用户条目。</p> <ul> <li>指定已存在的属性名称将把新字段值与现有值合并。 <ul> <li>客户端证书标志：--client-certificate=certfile --client-key=keyfile</li> <li>持有者令牌标志：--token=bearer_token</li> <li>基本身份验证标志：--username=basic_user --password=basic_password</li> </ul> </li> <li>持有者令牌和基本身份验证是互斥的（不可同时使用）。</li> </ul> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl config set-credentials NAME <span style="color:#666">[</span>--client-certificate<span style="color:#666">=</span>path/to/certfile<span style="color:#666">]</span> <span style="color:#666">[</span>--client-key<span style="color:#666">=</span>path/to/keyfile<span style="color:#666">]</span> <span style="color:#666">[</span>--token<span style="color:#666">=</span>bearer_token<span style="color:#666">]</span> <span style="color:#666">[</span>--username<span style="color:#666">=</span>basic_user<span style="color:#666">]</span> <span style="color:#666">[</span>--password<span style="color:#666">=</span>basic_password<span style="color:#666">]</span> <span style="color:#666">[</span>--auth-provider<span style="color:#666">=</span>provider_name<span style="color:#666">]</span> <span style="color:#666">[</span>--auth-provider-arg<span style="color:#666">=</span><span style="color:#b8860b">key</span><span style="color:#666">=</span>value<span style="color:#666">]</span> <span style="color:#666">[</span>--exec-command<span style="color:#666">=</span>exec_command<span style="color:#666">]</span> <span style="color:#666">[</span>--exec-api-version<span style="color:#666">=</span>exec_api_version<span style="color:#666">]</span> <span style="color:#666">[</span>--exec-arg<span style="color:#666">=</span>arg<span style="color:#666">]</span> <span style="color:#666">[</span>--exec-env<span style="color:#666">=</span><span style="color:#b8860b">key</span><span style="color:#666">=</span>value<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Set only the "client-key" field on the "cluster-admin" # entry, without touching other values kubectl config set-credentials cluster-admin --client-key=~/.kube/admin.key # Set basic auth for the "cluster-admin" entry kubectl config set-credentials cluster-admin --username=admin --password=uXFGweU9l35qcif # Embed client certificate data in the "cluster-admin" entry kubectl config set-credentials cluster-admin --client-certificate=~/.kube/admin.crt --embed-certs=true # Enable the Google Compute Platform auth provider for the "cluster-admin" entry kubectl config set-credentials cluster-admin --auth-provider=gcp # Enable the OpenID Connect auth provider for the "cluster-admin" entry with additional arguments kubectl config set-credentials cluster-admin --auth-provider=oidc --auth-provider-arg=client-id=foo --auth-provider-arg=client-secret=bar # Remove the "client-secret" config value for the OpenID Connect auth provider for the "cluster-admin" entry kubectl config set-credentials cluster-admin --auth-provider=oidc --auth-provider-arg=client-secret- # Enable new exec auth plugin for the "cluster-admin" entry kubectl config set-credentials cluster-admin --exec-command=/path/to/the/executable --exec-api-version=client.authentication.k8s.io/v1beta1 # Enable new exec auth plugin for the "cluster-admin" entry with interactive mode kubectl config set-credentials cluster-admin --exec-command=/path/to/the/executable --exec-api-version=client.authentication.k8s.io/v1beta1 --exec-interactive-mode=Never # Define new exec auth plugin arguments for the "cluster-admin" entry kubectl config set-credentials cluster-admin --exec-arg=arg1 --exec-arg=arg2 # Create or update exec auth plugin environment variables for the "cluster-admin" entry kubectl config set-credentials cluster-admin --exec-env=key1=val1 --exec-env=key2=val2 # Remove exec auth plugin environment variables for the "cluster-admin" entry kubectl config set-credentials cluster-admin --exec-env=var-to-remove- ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 仅设置 &#34;cluster-admin&#34; 条目上的 &#34;client-key&#34; 字段，不触及其他值</span> </span></span><span style="display:flex;"><span>kubectl config set-credentials cluster-admin --client-key<span style="color:#666">=</span>~/.kube/admin.key </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 为 &#34;cluster-admin&#34; 条目设置基本身份验证</span> </span></span><span style="display:flex;"><span>kubectl config set-credentials cluster-admin --username<span style="color:#666">=</span>admin --password<span style="color:#666">=</span>uXFGweU9l35qcif </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 在 &#34;cluster-admin&#34; 条目中嵌入客户端证书数据</span> </span></span><span style="display:flex;"><span>kubectl config set-credentials cluster-admin --client-certificate<span style="color:#666">=</span>~/.kube/admin.crt --embed-certs<span style="color:#666">=</span><span style="color:#a2f">true</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 为 &#34;cluster-admin&#34; 条目启用 Google Compute Platform 身份认证提供程序</span> </span></span><span style="display:flex;"><span>kubectl config set-credentials cluster-admin --auth-provider<span style="color:#666">=</span>gcp </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 使用附加参数为 &#34;cluster-admin&#34; 条目启用 OpenID Connect 身份认证提供程序</span> </span></span><span style="display:flex;"><span>kubectl config set-credentials cluster-admin --auth-provider<span style="color:#666">=</span>oidc --auth-provider-arg<span style="color:#666">=</span>client-id<span style="color:#666">=</span>foo --auth-provider-arg<span style="color:#666">=</span>client-secret<span style="color:#666">=</span>bar </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 删除 &#34;cluster-admin&#34; 条目的 OpenID Connect 身份验证提供程序的 &#34;client-secret&#34; 配置值</span> </span></span><span style="display:flex;"><span>kubectl config set-credentials cluster-admin --auth-provider<span style="color:#666">=</span>oidc --auth-provider-arg<span style="color:#666">=</span>client-secret- </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 为 &#34;cluster-admin&#34; 条目启用新的 exec 认证插件</span> </span></span><span style="display:flex;"><span>kubectl config set-credentials cluster-admin --exec-command<span style="color:#666">=</span>/path/to/the/executable --exec-api-version<span style="color:#666">=</span>client.authentication.k8s.io/v1beta1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 为 &#34;cluster-admin&#34; 条目启用新的、带交互模式的 exec 认证插件</span> </span></span><span style="display:flex;"><span>kubectl config set-credentials cluster-admin --exec-command<span style="color:#666">=</span>/path/to/the/executable --exec-api-version<span style="color:#666">=</span>client.authentication.k8s.io/v1beta1 --exec-interactive-mode<span style="color:#666">=</span>Never </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 为 &#34;cluster-admin&#34; 条目定义新的 exec 认证插件参数</span> </span></span><span style="display:flex;"><span>kubectl config set-credentials cluster-admin --exec-arg<span style="color:#666">=</span>arg1 --exec-arg<span style="color:#666">=</span>arg2 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 为 &#34;cluster-admin&#34; 条目创建或更新 exec 认证插件环境变量</span> </span></span><span style="display:flex;"><span>kubectl config set-credentials cluster-admin --exec-env<span style="color:#666">=</span><span style="color:#b8860b">key1</span><span style="color:#666">=</span>val1 --exec-env<span style="color:#666">=</span><span style="color:#b8860b">key2</span><span style="color:#666">=</span>val2 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 删除 &#34;cluster-admin&#34; 条目的 exec 认证插件环境变量</span> </span></span><span style="display:flex;"><span>kubectl config set-credentials cluster-admin --exec-env<span style="color:#666">=</span>var-to-remove- </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--auth-provider string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- Auth provider for the user entry in kubeconfig --> kubeconfig 中用户条目的身份验证提供程序。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_unset/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_unset/<!-- title: kubectl config unset content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Unset an individual value in a kubeconfig file. PROPERTY_NAME is a dot delimited name where each token represents either an attribute name or a map key. Map keys may not contain dots. --> <p>去除 kubeconfig 文件中的某个值的设置。</p> <ul> <li>PROPERTY_NAME 是一个以点分隔的名称，其中每个元素代表一个属性名称或一个键名。键名不得包含点。</li> </ul> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl config <span style="color:#a2f">unset</span> PROPERTY_NAME </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- # Unset the current-context # Unset namespace in foo context --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 去除 current-context 设置</span> </span></span><span style="display:flex;"><span>kubectl config <span style="color:#a2f">unset</span> current-context </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 去掉 foo 上下文中的 namespace 设置</span> </span></span><span style="display:flex;"><span>kubectl config <span style="color:#a2f">unset</span> contexts.foo.namespace </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- help for unset --> 关于 unset 的帮助信息。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_use-context/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_use-context/<!-- title: kubectl config use-context content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Set the current-context in a kubeconfig file. --> <p>在 kubeconfig 文件中设置当前上下文。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl config use-context CONTEXT_NAME </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- # Use the context for the minikube cluster --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 使用 minikube 集群的上下文</span> </span></span><span style="display:flex;"><span>kubectl config use-context minikube </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- help for use-context --> 关于 use-context 的帮助信息。 </p> </td> </tr> </tbody> </table> <h2 id="继承于父命令的选项">继承于父命令的选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--as string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- Username to impersonate for the operation. User could be a regular user or a service account in a namespace. --> 操作所用的伪装用户名。用户可以是常规用户或命名空间中的服务账号。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_view/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_config/kubectl_config_view/<!-- title: kubectl config view content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Display merged kubeconfig settings or a specified kubeconfig file. You can use --output jsonpath={...} to extract specific values using a jsonpath expression. --> <p>显示合并的 kubeconfig 配置或指定的 kubeconfig 文件。</p> <ul> <li>你可以使用 <code>--output jsonpath={...}</code> 通过 jsonpath 表达式提取特定值。</li> </ul> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl config view <span style="color:#666">[</span>flags<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- # Show merged kubeconfig settings # Show merged kubeconfig settings, raw certificate data, and exposed secrets # Get the password for the e2e user --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 显示合并的 kubeconfig 设置</span> </span></span><span style="display:flex;"><span>kubectl config view </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 显示合并的 kubeconfig 设置、原始证书数据和公开的密钥</span> </span></span><span style="display:flex;"><span>kubectl config view --raw </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 获取 e2e 用户的密码</span> </span></span><span style="display:flex;"><span>kubectl config view -o <span style="color:#b8860b">jsonpath</span><span style="color:#666">=</span><span style="color:#b44">&#39;{.users[?(@.name == &#34;e2e&#34;)].user.password}&#39;</span> </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: true-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_clusterrole/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_clusterrole/<!-- title: kubectl create clusterrole content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a cluster role. --> <p>创建一个集群角色。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create clusterrole NAME --verb<span style="color:#666">=</span>verb --resource<span style="color:#666">=</span>resource.group <span style="color:#666">[</span>--resource-name<span style="color:#666">=</span>resourcename<span style="color:#666">]</span> <span style="color:#666">[</span>--dry-run<span style="color:#666">=</span>server|client|none<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Create a cluster role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods # Create a cluster role named "pod-reader" with ResourceName specified kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod # Create a cluster role named "foo" with API Group specified kubectl create clusterrole foo --verb=get,list,watch --resource=rs.apps # Create a cluster role named "foo" with SubResource specified kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods/status # Create a cluster role name "foo" with NonResourceURL specified kubectl create clusterrole "foo" --verb=get --non-resource-url=https://andygol-k8s.netlify.app/logs/* # Create a cluster role name "monitoring" with AggregationRule specified kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true" ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span> <span style="color:#080;font-style:italic"># 创建一个名为 &#34;pod-reader&#34; 的集群角色，允许用户对 Pod 执行 &#34;get&#34;、&#34;watch&#34; 和 &#34;list&#34; 操作</span> </span></span><span style="display:flex;"><span> kubectl create clusterrole pod-reader --verb<span style="color:#666">=</span>get,list,watch --resource<span style="color:#666">=</span>pods </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#080;font-style:italic"># 创建一个名为 &#34;pod-reader&#34; 的集群角色，并指定 ResourceName</span> </span></span><span style="display:flex;"><span> kubectl create clusterrole pod-reader --verb<span style="color:#666">=</span>get --resource<span style="color:#666">=</span>pods --resource-name<span style="color:#666">=</span>readablepod --resource-name<span style="color:#666">=</span>anotherpod </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#080;font-style:italic"># 创建一个名为 &#34;foo&#34; 的集群角色，并指定 API 组</span> </span></span><span style="display:flex;"><span> kubectl create clusterrole foo --verb<span style="color:#666">=</span>get,list,watch --resource<span style="color:#666">=</span>rs.apps </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#080;font-style:italic"># 创建一个名为 &#34;foo&#34; 的集群角色，并指定 SubResource</span> </span></span><span style="display:flex;"><span> kubectl create clusterrole foo --verb<span style="color:#666">=</span>get,list,watch --resource<span style="color:#666">=</span>pods,pods/status </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#080;font-style:italic"># 创建一个名为 &#34;foo&#34; 的集群角色，并指定 NonResourceURL</span> </span></span><span style="display:flex;"><span> kubectl create clusterrole <span style="color:#b44">&#34;foo&#34;</span> --verb<span style="color:#666">=</span>get --non-resource-url<span style="color:#666">=</span>/logs/* </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#080;font-style:italic"># 创建一个名为 &#34;monitoring&#34; 的集群角色，并指定 AggregationRule</span> </span></span><span style="display:flex;"><span> kubectl create clusterrole monitoring --aggregation-rule<span style="color:#666">=</span><span style="color:#b44">&#34;rbac.example.com/aggregate-to-monitoring=true&#34;</span> </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--aggregation-rule &lt;<!--comma-separated 'key=value' pairs-->英文逗号分隔的 'key=value' 对&gt;</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- An aggregation label selector for combining ClusterRoles. --> 用于组合 ClusterRole 的聚合标签选择算符。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_clusterrolebinding/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_clusterrolebinding/<!-- title: kubectl create clusterrolebinding content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a cluster role binding for a particular cluster role. --> <p>为特定的集群角色创建一个集群角色绑定。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create clusterrolebinding NAME --clusterrole<span style="color:#666">=</span>NAME <span style="color:#666">[</span>--user<span style="color:#666">=</span>username<span style="color:#666">]</span> <span style="color:#666">[</span>--group<span style="color:#666">=</span>groupname<span style="color:#666">]</span> <span style="color:#666">[</span>--serviceaccount<span style="color:#666">=</span>namespace:serviceaccountname<span style="color:#666">]</span> <span style="color:#666">[</span>--dry-run<span style="color:#666">=</span>server|client|none<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Create a cluster role binding for user1, user2, and group1 using the cluster-admin cluster role kubectl create clusterrolebinding cluster-admin --clusterrole=cluster-admin --user=user1 --user=user2 --group=group1 ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 使用 cluster-admin 集群角色为 user1、user2 和 group1 创建一个集群角色绑定</span> </span></span><span style="display:flex;"><span>kubectl create clusterrolebinding cluster-admin --clusterrole<span style="color:#666">=</span>cluster-admin --user<span style="color:#666">=</span>user1 --user<span style="color:#666">=</span>user2 --group<span style="color:#666">=</span>group1 </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_configmap/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_configmap/<!-- title: kubectl create configmap content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a config map based on a file, directory, or specified literal value. A single config map may package one or more key/value pairs. When creating a config map based on a file, the key will default to the basename of the file, and the value will default to the file content. If the basename is an invalid key, you may specify an alternate key. When creating a config map based on a directory, each file whose basename is a valid key in the directory will be packaged into the config map. Any directory entries except regular files are ignored (e.g. subdirectories, symlinks, devices, pipes, etc). --> <p>基于文件、目录或指定的文字值创建 ConfigMap。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_cronjob/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_cronjob/<!-- title: kubectl create cronjob content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a cron job with the specified name. ``` kubectl create cronjob NAME --image=image --schedule='0/5 * * * ?' -- [COMMAND] [args...] [flags] ``` --> <p>创建具有指定名称的 CronJob。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create cronjob NAME --image<span style="color:#666">=</span>image --schedule<span style="color:#666">=</span><span style="color:#b44">&#39;0/5 * * * ?&#39;</span> -- <span style="color:#666">[</span>COMMAND<span style="color:#666">]</span> <span style="color:#666">[</span>args...<span style="color:#666">]</span> <span style="color:#666">[</span>flags<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Create a cron job kubectl create cronjob my-job --image=busybox --schedule="*/1 * * * *" # Create a cron job with a command kubectl create cronjob my-job --image=busybox --schedule="*/1 * * * *" -- date ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建 CronJob</span> </span></span><span style="display:flex;"><span>kubectl create cronjob my-job --image<span style="color:#666">=</span>busybox --schedule<span style="color:#666">=</span><span style="color:#b44">&#34;*/1 * * * *&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建带有命令的 CronJob</span> </span></span><span style="display:flex;"><span>kubectl create cronjob my-job --image<span style="color:#666">=</span>busybox --schedule<span style="color:#666">=</span><span style="color:#b44">&#34;*/1 * * * *&#34;</span> -- date </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_deployment/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_deployment/<!-- title: kubectl create deployment content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a deployment with the specified name. --> <p>创建指定名称的 Deployment。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create deployment NAME --image<span style="color:#666">=</span>image -- <span style="color:#666">[</span>COMMAND<span style="color:#666">]</span> <span style="color:#666">[</span>args...<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Create a deployment named my-dep that runs the busybox image kubectl create deployment my-dep --image=busybox # Create a deployment with a command kubectl create deployment my-dep --image=busybox -- date # Create a deployment named my-dep that runs the nginx image with 3 replicas kubectl create deployment my-dep --image=nginx --replicas=3 # Create a deployment named my-dep that runs the busybox image and expose port 5701 kubectl create deployment my-dep --image=busybox --port=5701 # Create a deployment named my-dep that runs multiple containers kubectl create deployment my-dep --image=busybox:latest --image=ubuntu:latest --image=nginx ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个名为 my-dep 的 Deployment，它将运行 busybox 镜像</span> </span></span><span style="display:flex;"><span>kubectl create deployment my-dep --image<span style="color:#666">=</span>busybox </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个带有命令的 Deployment</span> </span></span><span style="display:flex;"><span>kubectl create deployment my-dep --image<span style="color:#666">=</span>busybox -- date </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个名为 my-dep 的 Deployment，它将运行 nginx 镜像并有 3 个副本</span> </span></span><span style="display:flex;"><span>kubectl create deployment my-dep --image<span style="color:#666">=</span>nginx --replicas<span style="color:#666">=</span><span style="color:#666">3</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个名为 my-dep 的 Deployment，它将运行 busybox 镜像并公开端口 5701</span> </span></span><span style="display:flex;"><span>kubectl create deployment my-dep --image<span style="color:#666">=</span>busybox --port<span style="color:#666">=</span><span style="color:#666">5701</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个名为 my-dep 的 Deployment，它将运行多个容器</span> </span></span><span style="display:flex;"><span>kubectl create deployment my-dep --image<span style="color:#666">=</span>busybox:latest --image<span style="color:#666">=</span>ubuntu:latest --image<span style="color:#666">=</span>nginx </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_ingress/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_ingress/<!-- title: kubectl create ingress content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create an ingress with the specified name. --> <p>创建指定名称的 Ingress。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create ingress NAME --rule<span style="color:#666">=</span>host/path<span style="color:#666">=</span>service:port<span style="color:#666">[</span>,tls<span style="color:#666">[=</span>secret<span style="color:#666">]]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- # Create a single ingress called 'simple' that directs requests to foo.com/bar to svc # svc1:8080 with a TLS secret "my-cert" kubectl create ingress simple --rule="foo.com/bar=svc1:8080,tls=my-cert" # Create a catch all ingress of "/path" pointing to service svc:port and Ingress Class as "otheringress" kubectl create ingress catch-all --class=otheringress --rule="/path=svc:port" # Create an ingress with two annotations: ingress.annotation1 and ingress.annotations2 kubectl create ingress annotated --class=default --rule="foo.com/bar=svc:port" \ --annotation ingress.annotation1=foo \ --annotation ingress.annotation2=bla # Create an ingress with the same host and multiple paths kubectl create ingress multipath --class=default \ --rule="foo.com/=svc:port" \ --rule="foo.com/admin/=svcadmin:portadmin" # Create an ingress with multiple hosts and the pathType as Prefix kubectl create ingress ingress1 --class=default \ --rule="foo.com/path*=svc:8080" \ --rule="bar.com/admin*=svc2:http" # Create an ingress with TLS enabled using the default ingress certificate and different path types kubectl create ingress ingtls --class=default \ --rule="foo.com/=svc:https,tls" \ --rule="foo.com/path/subpath*=othersvc:8080" # Create an ingress with TLS enabled using a specific secret and pathType as Prefix kubectl create ingress ingsecret --class=default \ --rule="foo.com/*=svc:8080,tls=secret1" # Create an ingress with a default backend kubectl create ingress ingdefault --class=default \ --default-backend=defaultsvc:http \ --rule="foo.com/*=svc:8080,tls=secret1" --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个名为 &#39;simple&#39; 的 Ingress，使用 TLS 类别 Secret &#34;my-cert&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 将针对 foo.com/bar 的请求重定向到 svc1:8080</span> </span></span><span style="display:flex;"><span>kubectl create ingress simple --rule<span style="color:#666">=</span><span style="color:#b44">&#34;foo.com/bar=svc1:8080,tls=my-cert&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个 Ingress，获取指向服务 svc:port 的所有 &#34;/path&#34; 请求，并将 Ingress Class 设置为 &#34;otheringress&#34;</span> </span></span><span style="display:flex;"><span>kubectl create ingress catch-all --class<span style="color:#666">=</span>otheringress --rule<span style="color:#666">=</span><span style="color:#b44">&#34;/path=svc:port&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建含两个注解 ingress.annotation1 和 ingress.annotation2 的 Ingress</span> </span></span><span style="display:flex;"><span>kubectl create ingress annotated --class<span style="color:#666">=</span>default --rule<span style="color:#666">=</span><span style="color:#b44">&#34;foo.com/bar=svc:port&#34;</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --annotation ingress.annotation1<span style="color:#666">=</span>foo <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --annotation ingress.annotation2<span style="color:#666">=</span>bla </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建具有相同主机和多个路径的 Ingress</span> </span></span><span style="display:flex;"><span>kubectl create ingress multipath --class<span style="color:#666">=</span>default <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --rule<span style="color:#666">=</span><span style="color:#b44">&#34;foo.com/=svc:port&#34;</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --rule<span style="color:#666">=</span><span style="color:#b44">&#34;foo.com/admin/=svcadmin:portadmin&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建具有多个主机且 pathType 为 Prefix 的 Ingress</span> </span></span><span style="display:flex;"><span>kubectl create ingress ingress1 --class<span style="color:#666">=</span>default <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --rule<span style="color:#666">=</span><span style="color:#b44">&#34;foo.com/path*=svc:8080&#34;</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --rule<span style="color:#666">=</span><span style="color:#b44">&#34;bar.com/admin*=svc2:http&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建使用默认 Ingress 证书来启用 TLS 且具备不同路径类型的 Ingress</span> </span></span><span style="display:flex;"><span>kubectl create ingress ingtls --class<span style="color:#666">=</span>default <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --rule<span style="color:#666">=</span><span style="color:#b44">&#34;foo.com/=svc:https,tls&#34;</span> <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --rule<span style="color:#666">=</span><span style="color:#b44">&#34;foo.com/path/subpath*=othersvc:8080&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建使用特定密钥来启用 TLS 且 pathType 为 Prefix 的 Ingress</span> </span></span><span style="display:flex;"><span>kubectl create ingress ingsecret --class<span style="color:#666">=</span>default <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --rule<span style="color:#666">=</span><span style="color:#b44">&#34;foo.com/*=svc:8080,tls=secret1&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建具有默认后端的 Ingress</span> </span></span><span style="display:flex;"><span>kubectl create ingress ingdefault --class<span style="color:#666">=</span>default <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --default-backend<span style="color:#666">=</span>defaultsvc:http <span style="color:#b62;font-weight:bold">\ </span></span></span><span style="display:flex;"><span> --rule<span style="color:#666">=</span><span style="color:#b44">&#34;foo.com/*=svc:8080,tls=secret1&#34;</span> </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_job/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_job/<!-- title: kubectl create job content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a job with the specified name. --> <p>创建指定名称的 Job。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create job NAME --image<span style="color:#666">=</span>image <span style="color:#666">[</span>--from<span style="color:#666">=</span>cronjob/name<span style="color:#666">]</span> -- <span style="color:#666">[</span>COMMAND<span style="color:#666">]</span> <span style="color:#666">[</span>args...<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Create a job kubectl create job my-job --image=busybox # Create a job with a command kubectl create job my-job --image=busybox -- date # Create a job from a cron job named "a-cronjob" kubectl create job test-job --from=cronjob/a-cronjob ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个 Job</span> </span></span><span style="display:flex;"><span>kubectl create job my-job --image<span style="color:#666">=</span>busybox </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建带一条命令的 Job</span> </span></span><span style="display:flex;"><span>kubectl create job my-job --image<span style="color:#666">=</span>busybox -- date </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 从名为 &#34;a-cronjob&#34; 的定时任务创建一个 Job</span> </span></span><span style="display:flex;"><span>kubectl create job test-job --from<span style="color:#666">=</span>cronjob/a-cronjob </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_namespace/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_namespace/<!-- title: kubectl create namespace content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a namespace with the specified name. --> <p>用指定的名称创建命名空间。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create namespace NAME <span style="color:#666">[</span>--dry-run<span style="color:#666">=</span>server|client|none<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Create a new namespace named my-namespace kubectl create namespace my-namespace ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 新建一个名为 my-namespace 的命名空间</span> </span></span><span style="display:flex;"><span>kubectl create namespace my-namespace </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_poddisruptionbudget/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_poddisruptionbudget/<!-- title: kubectl create poddisruptionbudget content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a pod disruption budget with the specified name, selector, and desired minimum available pods. ``` kubectl create poddisruptionbudget NAME --selector=SELECTOR --min-available=N [--dry-run=server|client|none] ``` --> <p>创建具有指定名称、选择算符和预期最少可用 Pod 个数的 Pod 干扰预算。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create poddisruptionbudget NAME --selector<span style="color:#666">=</span>SELECTOR --min-available<span style="color:#666">=</span>N <span style="color:#666">[</span>--dry-run<span style="color:#666">=</span>server|client|none<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Create a pod disruption budget named my-pdb that will select all pods with the app=rails label # and require at least one of them being available at any point in time kubectl create poddisruptionbudget my-pdb --selector=app=rails --min-available=1 # Create a pod disruption budget named my-pdb that will select all pods with the app=nginx label # and require at least half of the pods selected to be available at any point in time kubectl create pdb my-pdb --selector=app=nginx --min-available=50% ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个名为 my-pdb 的 Pod 干扰预算，它将选择所有带有 app=rails 标签的 Pod</span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 并要求至少有一个 Pod 在任何时候都是可用的</span> </span></span><span style="display:flex;"><span>kubectl create poddisruptionbudget my-pdb --selector<span style="color:#666">=</span><span style="color:#b8860b">app</span><span style="color:#666">=</span>rails --min-available<span style="color:#666">=</span><span style="color:#666">1</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个名为 my-pdb 的 Pod 干扰预算，它将选择所有带有 app=nginx 标签的 Pod</span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 并要求在任何时候所选 Pod 中至少有一半是可用的</span> </span></span><span style="display:flex;"><span>kubectl create pdb my-pdb --selector<span style="color:#666">=</span><span style="color:#b8860b">app</span><span style="color:#666">=</span>nginx --min-available<span style="color:#666">=</span>50% </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_priorityclass/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_priorityclass/<!-- title: kubectl create priorityclass content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a priority class with the specified name, value, globalDefault and description. --> <p>创建带有指定名称、取值、globalDefault 设置及描述的优先级类对象。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create priorityclass NAME --value<span style="color:#666">=</span>VALUE --global-default<span style="color:#666">=</span>BOOL <span style="color:#666">[</span>--dry-run<span style="color:#666">=</span>server|client|none<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Create a priority class named high-priority kubectl create priorityclass high-priority --value=1000 --description="high priority" # Create a priority class named default-priority that is considered as the global default priority kubectl create priorityclass default-priority --value=1000 --global-default=true --description="default priority" # Create a priority class named high-priority that cannot preempt pods with lower priority kubectl create priorityclass high-priority --value=1000 --description="high priority" --preemption-policy="Never" ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个名为 high-priority 的优先级类</span> </span></span><span style="display:flex;"><span>kubectl create priorityclass high-priority --value<span style="color:#666">=</span><span style="color:#666">1000</span> --description<span style="color:#666">=</span><span style="color:#b44">&#34;high priority&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个名为 default-priority 的优先级类，并将其视为全局默认优先级</span> </span></span><span style="display:flex;"><span>kubectl create priorityclass default-priority --value<span style="color:#666">=</span><span style="color:#666">1000</span> --global-default<span style="color:#666">=</span><span style="color:#a2f">true</span> --description<span style="color:#666">=</span><span style="color:#b44">&#34;default priority&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个名为 high-priority 的优先级类，它不能抢占低优先级的 Pod</span> </span></span><span style="display:flex;"><span>kubectl create priorityclass high-priority --value<span style="color:#666">=</span><span style="color:#666">1000</span> --description<span style="color:#666">=</span><span style="color:#b44">&#34;high priority&#34;</span> --preemption-policy<span style="color:#666">=</span><span style="color:#b44">&#34;Never&#34;</span> </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_quota/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_quota/<!-- title: kubectl create quota content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a resource quota with the specified name, hard limits, and optional scopes. --> <p>创建具有指定名称、硬性限制和可选范围的资源配额。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create quota NAME <span style="color:#666">[</span>--hard<span style="color:#666">=</span><span style="color:#b8860b">key1</span><span style="color:#666">=</span>value1,key2<span style="color:#666">=</span>value2<span style="color:#666">]</span> <span style="color:#666">[</span>--scopes<span style="color:#666">=</span>Scope1,Scope2<span style="color:#666">]</span> <span style="color:#666">[</span>--dry-run<span style="color:#666">=</span>server|client|none<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Create a new resource quota named my-quota kubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,services=3,replicationcontrollers=2,resourcequotas=1,secrets=5,persistentvolumeclaims=10 # Create a new resource quota named best-effort kubectl create quota best-effort --hard=pods=100 --scopes=BestEffort ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 新建一个名为 my-quota 的资源配额</span> </span></span><span style="display:flex;"><span>kubectl create quota my-quota --hard<span style="color:#666">=</span><span style="color:#b8860b">cpu</span><span style="color:#666">=</span>1,memory<span style="color:#666">=</span>1G,pods<span style="color:#666">=</span>2,services<span style="color:#666">=</span>3,replicationcontrollers<span style="color:#666">=</span>2,resourcequotas<span style="color:#666">=</span>1,secrets<span style="color:#666">=</span>5,persistentvolumeclaims<span style="color:#666">=</span><span style="color:#666">10</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 新建一个名为 best-effort 的资源配额</span> </span></span><span style="display:flex;"><span>kubectl create quota best-effort --hard<span style="color:#666">=</span><span style="color:#b8860b">pods</span><span style="color:#666">=</span><span style="color:#666">100</span> --scopes<span style="color:#666">=</span>BestEffort </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_role/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_role/<!-- title: kubectl create role content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a role with single rule. ``` kubectl create role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run=server|client|none] ``` --> <p>创建单一规则的角色。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create role NAME --verb<span style="color:#666">=</span>verb --resource<span style="color:#666">=</span>resource.group/subresource <span style="color:#666">[</span>--resource-name<span style="color:#666">=</span>resourcename<span style="color:#666">]</span> <span style="color:#666">[</span>--dry-run<span style="color:#666">=</span>server|client|none<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Create a role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods # Create a role named "pod-reader" with ResourceName specified kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod # Create a role named "foo" with API Group specified kubectl create role foo --verb=get,list,watch --resource=rs.apps # Create a role named "foo" with SubResource specified kubectl create role foo --verb=get,list,watch --resource=pods,pods/status ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个名为 &#34;pod-reader&#34; 的角色，允许用户对 Pod 执行 &#34;get&#34;、&#34;watch&#34; 和 &#34;list&#34; 操作</span> </span></span><span style="display:flex;"><span>kubectl create role pod-reader --verb<span style="color:#666">=</span>get --verb<span style="color:#666">=</span>list --verb<span style="color:#666">=</span>watch --resource<span style="color:#666">=</span>pods </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个名为 &#34;pod-reader&#34; 的角色，并指定资源名称</span> </span></span><span style="display:flex;"><span>kubectl create role pod-reader --verb<span style="color:#666">=</span>get --resource<span style="color:#666">=</span>pods --resource-name<span style="color:#666">=</span>readablepod --resource-name<span style="color:#666">=</span>anotherpod </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个名为 &#34;foo&#34; 的角色，并指定 API 组</span> </span></span><span style="display:flex;"><span>kubectl create role foo --verb<span style="color:#666">=</span>get,list,watch --resource<span style="color:#666">=</span>rs.apps </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个名为 &#34;foo&#34; 的角色，并指定子资源</span> </span></span><span style="display:flex;"><span>kubectl create role foo --verb<span style="color:#666">=</span>get,list,watch --resource<span style="color:#666">=</span>pods,pods/status </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_rolebinding/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_rolebinding/<!-- title: kubectl create rolebinding content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a role binding for a particular role or cluster role. --> <p>为特定角色或集群角色创建角色绑定。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create rolebinding NAME --clusterrole<span style="color:#666">=</span>NAME|--role<span style="color:#666">=</span>NAME <span style="color:#666">[</span>--user<span style="color:#666">=</span>用户名<span style="color:#666">]</span> <span style="color:#666">[</span>--group<span style="color:#666">=</span>组名<span style="color:#666">]</span> <span style="color:#666">[</span>--serviceaccount<span style="color:#666">=</span>命名空间:服务账户名<span style="color:#666">]</span> <span style="color:#666">[</span>--dry-run<span style="color:#666">=</span>server|client|none<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Create a role binding for user1, user2, and group1 using the admin cluster role kubectl create rolebinding admin --clusterrole=admin --user=user1 --user=user2 --group=group1 # Create a role binding for service account monitoring:sa-dev using the admin role kubectl create rolebinding admin-binding --role=admin --serviceaccount=monitoring:sa-dev ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 使用 admin 集群角色为 user1、user2 和 group1 创建角色绑定</span> </span></span><span style="display:flex;"><span>kubectl create rolebinding admin --clusterrole<span style="color:#666">=</span>admin --user<span style="color:#666">=</span>user1 --user<span style="color:#666">=</span>user2 --group<span style="color:#666">=</span>group1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 使用 admin 角色为服务账户 monitoring:sa-dev 创建角色绑定</span> </span></span><span style="display:flex;"><span>kubectl create rolebinding admin-binding --role<span style="color:#666">=</span>admin --serviceaccount<span style="color:#666">=</span>monitoring:sa-dev </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret/<!-- title: kubectl create secret content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a secret with specified type. A docker-registry type secret is for accessing a container registry. A generic type secret indicate an Opaque secret type. A tls type secret holds TLS certificate and its associated key. --> <p>创建指定类型的 Secret：</p> <ul> <li> <p>docker-registry 类型 Secret 用于访问容器镜像仓库。</p> </li> <li> <p>generic 类型 Secret 表示不透明 Secret 类型。</p> </li> <li> <p>tls 类型 Secret 包含 TLS 证书及其关联密钥。</p> </li> </ul> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create secret <span style="color:#666">(</span>docker-registry | generic | tls<span style="color:#666">)</span> </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- help for secret --> secret 操作的帮助命令。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret_docker-registry/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret_docker-registry/<!-- title: kubectl create secret docker-registry content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a new secret for use with Docker registries. Dockercfg secrets are used to authenticate against Docker registries. When using the Docker command line to push images, you can authenticate to a given registry by running: '$ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --password=DOCKER_PASSWORD --email=DOCKER_EMAIL'. --> <p>新建一个 Docker 仓库所用的 Secret。</p> <p>Dockercfg Secret 用于向 Docker 仓库进行身份认证。</p> <p>当使用 Docker 命令行推送镜像时，你可以通过运行以下命令向给定的仓库进行身份认证：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret_generic/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret_generic/<!-- title: kubectl create secret generic content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a secret based on a file, directory, or specified literal value. A single secret may package one or more key/value pairs. --> <p>基于文件、目录或指定的文字值创建 Secret。</p> <p>单个 Secret 可以包含一个或多个键值对。</p> <!-- When creating a secret based on a file, the key will default to the basename of the file, and the value will default to the file content. If the basename is an invalid key or you wish to chose your own, you may specify an alternate key. When creating a secret based on a directory, each file whose basename is a valid key in the directory will be packaged into the secret. Any directory entries except regular files are ignored (e.g. subdirectories, symlinks, devices, pipes, etc). --> <p>当基于文件创建 Secret 时，键将默认为文件的基本名称，值将默认为文件内容。 如果基本名称是无效的键，或者你希望选择自己的键，你可以指定一个替代键。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret_tls/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_secret_tls/<!-- title: kubectl create secret tls content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a TLS secret from the given public/private key pair. The public/private key pair must exist beforehand. The public key certificate must be .PEM encoded and match the given private key. --> <p>使用给定的公钥/私钥对创建 TLS Secret。</p> <p>事先公钥/私钥对必须存在。公钥证书必须是以 .PEM 编码的，并且与给定的私钥匹配。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create secret tls NAME --cert<span style="color:#666">=</span>path/to/cert/file --key<span style="color:#666">=</span>path/to/key/file <span style="color:#666">[</span>--dry-run<span style="color:#666">=</span>server|client|none<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Create a new TLS secret named tls-secret with the given key pair kubectl create secret tls tls-secret --cert=path/to/tls.crt --key=path/to/tls.key ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 使用给定的密钥对新建一个名为 tls-secret 的 TLS Secret</span> </span></span><span style="display:flex;"><span>kubectl create secret tls tls-secret --cert<span style="color:#666">=</span>path/to/tls.crt --key<span style="color:#666">=</span>path/to/tls.key </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_service/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_service/<!-- title: kubectl create service content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a service using a specified subcommand. --> <p>使用指定的子命令创建 Service。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create service <span style="color:#666">[</span>flags<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- help for service --> service 操作的帮助命令。 </p></td> </tr> </tbody> </table> <h2 id="继承于父命令的选项">继承于父命令的选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--as string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- Username to impersonate for the operation. User could be a regular user or a service account in a namespace. --> 操作所用的伪装用户名。用户可以是常规用户或命名空间中的服务账号。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_service_clusterip/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_service_clusterip/<!-- title: kubectl create service clusterip content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a ClusterIP service with the specified name. --> <p>创建指定名称的 ClusterIP Service。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create service clusterip NAME <span style="color:#666">[</span>--tcp<span style="color:#666">=</span>&lt;port&gt;:&lt;targetPort&gt;<span style="color:#666">]</span> <span style="color:#666">[</span>--dry-run<span style="color:#666">=</span>server|client|none<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Create a new ClusterIP service named my-cs kubectl create service clusterip my-cs --tcp=5678:8080 # Create a new ClusterIP service named my-cs (in headless mode) kubectl create service clusterip my-cs --clusterip="None" ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 新建一个名为 my-cs 的 ClusterIP Service</span> </span></span><span style="display:flex;"><span>kubectl create service clusterip my-cs --tcp<span style="color:#666">=</span>5678:8080 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 新建一个名为 my-cs 的 ClusterIP Service（无头模式）</span> </span></span><span style="display:flex;"><span>kubectl create service clusterip my-cs --clusterip<span style="color:#666">=</span><span style="color:#b44">&#34;None&#34;</span> </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_service_externalname/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_service_externalname/<!-- title: kubectl create service externalname content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create an ExternalName service with the specified name. ExternalName service references to an external DNS address instead of only pods, which will allow application authors to reference services that exist off platform, on other clusters, or locally. --> <p>创建指定名称的 ExternalName Service。</p> <p>ExternalName Service 引用外部 DNS 地址，而不仅仅是 Pod， 这类 Service 允许应用作者引用平台外、其他集群或本地存在的服务。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create service externalname NAME --external-name external.name <span style="color:#666">[</span>--dry-run<span style="color:#666">=</span>server|client|none<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Create a new ExternalName service named my-ns kubectl create service externalname my-ns --external-name bar.com ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 新建一个名为 my-ns 的 ExternalName Service</span> </span></span><span style="display:flex;"><span>kubectl create service externalname my-ns --external-name bar.com </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_service_loadbalancer/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_service_loadbalancer/<!-- title: kubectl create service loadbalancer content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a LoadBalancer service with the specified name. --> <p>创建指定名称的 LoadBalancer 类型 Service。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create service loadbalancer NAME <span style="color:#666">[</span>--tcp<span style="color:#666">=</span>port:targetPort<span style="color:#666">]</span> <span style="color:#666">[</span>--dry-run<span style="color:#666">=</span>server|client|none<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Create a new LoadBalancer service named my-lbs kubectl create service loadbalancer my-lbs --tcp=5678:8080 ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 新建名为 my-lbs 的 LoadBalancer 类型 Service</span> </span></span><span style="display:flex;"><span>kubectl create service loadbalancer my-lbs --tcp<span style="color:#666">=</span>5678:8080 </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_service_nodeport/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_service_nodeport/<!-- title: kubectl create service nodeport content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a NodePort service with the specified name. --> <p>创建一个指定名称的 NodePort 类型 Service。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create service nodeport NAME <span style="color:#666">[</span>--tcp<span style="color:#666">=</span>port:targetPort<span style="color:#666">]</span> <span style="color:#666">[</span>--dry-run<span style="color:#666">=</span>server|client|none<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- # Create a new NodePort service named my-ns --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 新建一个名为 my-ns 的 NodePort 类型 Service</span> </span></span><span style="display:flex;"><span>kubectl create service nodeport my-ns --tcp<span style="color:#666">=</span>5678:8080 </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_serviceaccount/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_serviceaccount/<!-- title: kubectl create serviceaccount content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Create a service account with the specified name. --> <p>创建指定名称的服务账号。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create serviceaccount NAME <span style="color:#666">[</span>--dry-run<span style="color:#666">=</span>server|client|none<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Create a new service account named my-service-account kubectl create serviceaccount my-service-account ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 创建一个名为 my-service-account 的服务帐号</span> </span></span><span style="display:flex;"><span>kubectl create serviceaccount my-service-account </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_token/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_create/kubectl_create_token/<!-- title: kubectl create token content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Request a service account token. --> <p>请求一个服务账号令牌。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl create token SERVICE_ACCOUNT_NAME </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Request a token to authenticate to the kube-apiserver as the service account "myapp" in the current namespace kubectl create token myapp # Request a token for a service account in a custom namespace kubectl create token myapp --namespace myns # Request a token with a custom expiration kubectl create token myapp --duration 10m # Request a token with a custom audience kubectl create token myapp --audience https://example.com # Request a token bound to an instance of a Secret object kubectl create token myapp --bound-object-kind Secret --bound-object-name mysecret # Request a token bound to an instance of a Secret object with a specific UID kubectl create token myapp --bound-object-kind Secret --bound-object-name mysecret --bound-object-uid 0d4691ed-659b-4935-a832-355f77ee47cc ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 请求一个令牌，以当前命名空间中的服务账号 &#34;myapp&#34; 向 kube-apiserver 进行身份认证</span> </span></span><span style="display:flex;"><span>kubectl create token myapp </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 为特定命名空间中的服务账号请求一个令牌</span> </span></span><span style="display:flex;"><span>kubectl create token myapp --namespace myns </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 请求一个含自定义过期时间的令牌</span> </span></span><span style="display:flex;"><span>kubectl create token myapp --duration 10m </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 请求一个包含特定受众的令牌</span> </span></span><span style="display:flex;"><span>kubectl create token myapp --audience https://example.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 请求一个绑定到 Secret 对象实例的令牌</span> </span></span><span style="display:flex;"><span>kubectl create token myapp --bound-object-kind Secret --bound-object-name mysecret </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 请求一个绑定到特定 UID 的 Secret 对象实例的令牌</span> </span></span><span style="display:flex;"><span>kubectl create token myapp --bound-object-kind Secret --bound-object-name mysecret --bound-object-uid 0d4691ed-659b-4935-a832-355f77ee47cc </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_plugin/kubectl_plugin_list/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_plugin/kubectl_plugin_list/<!-- title: kubectl plugin list content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- List all available plugin files on a user's PATH. Available plugin files are those that are: - executable - anywhere on the user's PATH - begin with "kubectl-" --> <p>列出用户 PATH 中所有可用的插件文件。</p> <p>可用的插件文件需符合以下条件：</p> <ul> <li>可执行文件</li> <li>位于用户的 PATH 中某处</li> <li>以 &quot;kubectl-&quot; 开头</li> </ul> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl plugin list <span style="color:#666">[</span>flags<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- # List all available plugins # List only binary names of available plugins without paths --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 列出所有可用的插件</span> </span></span><span style="display:flex;"><span>kubectl plugin list </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 仅列出可用插件的二进制名称，不包含路径</span> </span></span><span style="display:flex;"><span>kubectl plugin list --name-only </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- help for list --> list 命令的帮助信息。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_rollout/kubectl_rollout_history/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_rollout/kubectl_rollout_history/<!-- title: kubectl rollout history content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- View previous rollout revisions and configurations. --> <p>查看以前上线的修订版本和配置。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl rollout <span style="color:#a2f">history</span> <span style="color:#666">(</span>TYPE NAME | TYPE/NAME<span style="color:#666">)</span> <span style="color:#666">[</span>flags<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # View the rollout history of a deployment kubectl rollout history deployment/abc # View the details of daemonset revision 3 kubectl rollout history daemonset/abc --revision=3 ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 查看 Deployment 的上线历史记录</span> </span></span><span style="display:flex;"><span>kubectl rollout <span style="color:#a2f">history</span> deployment/abc </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 查看 DaemonSet 修订版本 3 的详细信息</span> </span></span><span style="display:flex;"><span>kubectl rollout <span style="color:#a2f">history</span> daemonset/abc --revision<span style="color:#666">=</span><span style="color:#666">3</span> </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: true-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_rollout/kubectl_rollout_pause/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_rollout/kubectl_rollout_pause/<!-- title: kubectl rollout pause content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Mark the provided resource as paused. Paused resources will not be reconciled by a controller. Use "kubectl rollout resume" to resume a paused resource. Currently only deployments support being paused. --> <p>将所提供的资源标记为已暂停。</p> <p>控制器不会调和已暂停的资源。使用 <code>kubectl rollout resume</code> 可恢复已暂停的资源， 目前只有 Deployment 支持暂停。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl rollout pause RESOURCE </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Mark the nginx deployment as paused # Any current state of the deployment will continue its function; new updates # to the deployment will not have an effect as long as the deployment is paused kubectl rollout pause deployment/nginx ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 将 nginx Deployment 标记为暂停</span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># Deployment 的任何当前状态都将继续发挥作用；</span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 只要 Deployment 处于暂停状态，对 Deployment 的更新就不会产生影响</span> </span></span><span style="display:flex;"><span>kubectl rollout pause deployment/nginx </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: true-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_rollout/kubectl_rollout_restart/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_rollout/kubectl_rollout_restart/<!-- title: kubectl rollout restart content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Restart a resource. Resource rollout will be restarted. --> <p>重启资源。</p> <ul> <li>资源将重新开始上线。</li> </ul> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl rollout restart RESOURCE </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Restart all deployments in the test-namespace namespace kubectl rollout restart deployment -n test-namespace # Restart a deployment kubectl rollout restart deployment/nginx # Restart a daemon set kubectl rollout restart daemonset/abc # Restart deployments with the app=nginx label kubectl rollout restart deployment --selector=app=nginx ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 重启 test-namespace 命名空间下的所有 Deployment</span> </span></span><span style="display:flex;"><span>kubectl rollout restart deployment -n test-namespace </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 重启 Deployment</span> </span></span><span style="display:flex;"><span>kubectl rollout restart deployment/nginx </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 重启 DaemonSet</span> </span></span><span style="display:flex;"><span>kubectl rollout restart daemonset/abc </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 重启带有标签 app=nginx 的 Deployment</span> </span></span><span style="display:flex;"><span>kubectl rollout restart deployment --selector<span style="color:#666">=</span><span style="color:#b8860b">app</span><span style="color:#666">=</span>nginx </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: true-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_rollout/kubectl_rollout_resume/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_rollout/kubectl_rollout_resume/<!-- title: kubectl rollout resume content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Resume a paused resource. Paused resources will not be reconciled by a controller. By resuming a resource, we allow it to be reconciled again. Currently only deployments support being resumed. --> <p>恢复暂停的资源。</p> <ul> <li>控制器不会调和已暂停的资源。通过恢复资源，我们可以让控制器再次调和它， 目前只有 Deployment 支持恢复。</li> </ul> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl rollout resume RESOURCE </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Resume an already paused deployment kubectl rollout resume deployment/nginx ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 恢复已暂停的 Deployment</span> </span></span><span style="display:flex;"><span>kubectl rollout resume deployment/nginx </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: true-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_rollout/kubectl_rollout_status/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_rollout/kubectl_rollout_status/<!-- title: kubectl rollout status content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Show the status of the rollout. By default 'rollout status' will watch the status of the latest rollout until it's done. If you don't want to wait for the rollout to finish then you can use --watch=false. Note that if a new rollout starts in-between, then 'rollout status' will continue watching the latest revision. If you want to pin to a specific revision and abort if it is rolled over by another revision, use --revision=N where N is the revision you need to watch for. --> <p>显示上线的状态。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_rollout/kubectl_rollout_undo/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_rollout/kubectl_rollout_undo/<!-- title: kubectl rollout undo content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Roll back to a previous rollout. --> <p>回滚到之前上线的版本。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl rollout undo <span style="color:#666">(</span>TYPE NAME | TYPE/NAME<span style="color:#666">)</span> <span style="color:#666">[</span>flags<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Roll back to the previous deployment kubectl rollout undo deployment/abc # Roll back to daemonset revision 3 kubectl rollout undo daemonset/abc --to-revision=3 # Roll back to the previous deployment with dry-run kubectl rollout undo --dry-run=server deployment/abc ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 回滚到上一个 Deployment 的上一次部署状态</span> </span></span><span style="display:flex;"><span>kubectl rollout undo deployment/abc </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 回滚到 DaemonSet 的修订版本 3</span> </span></span><span style="display:flex;"><span>kubectl rollout undo daemonset/abc --to-revision<span style="color:#666">=</span><span style="color:#666">3</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 试运行回滚到 Deployment 的上一次部署状态</span> </span></span><span style="display:flex;"><span>kubectl rollout undo --dry-run<span style="color:#666">=</span>server deployment/abc </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--allow-missing-template-keys&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default: true-->默认值：true</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. --> 如果为 true，在模板中字段或映射键缺失时忽略模板中的错误。 仅适用于 golang 和 jsonpath 输出格式。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_set/kubectl_set_env/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_set/kubectl_set_env/<!-- title: kubectl set env content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Update environment variables on a pod template. List environment variable definitions in one or more pods, pod templates. Add, update, or remove container environment variable definitions in one or more pod templates (within replication controllers or deployment configurations). View or modify the environment variable definitions on all containers in the specified pods or pod templates, or just those that match a wildcard. --> <p>更新 Pod 模板中的环境变量。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_set/kubectl_set_image/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_set/kubectl_set_image/<!-- title: kubectl set image content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Update existing container image(s) of resources. Possible resources include (case insensitive): pod (po), replicationcontroller (rc), deployment (deploy), daemonset (ds), statefulset (sts), cronjob (cj), replicaset (rs) --> <p>更新资源的现有容器镜像。</p> <p>可能的资源包括（不区分大小写）：</p> <pre tabindex="0"><code>pod (po), replicationcontroller (rc), deployment (deploy), daemonset (ds), statefulset (sts), cronjob (cj), replicaset (rs) </code></pre><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl <span style="color:#a2f">set</span> image <span style="color:#666">(</span>-f FILENAME | TYPE NAME<span style="color:#666">)</span> <span style="color:#b8860b">CONTAINER_NAME_1</span><span style="color:#666">=</span>CONTAINER_IMAGE_1 ... <span style="color:#b8860b">CONTAINER_NAME_N</span><span style="color:#666">=</span>CONTAINER_IMAGE_N </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Set a deployment's nginx container image to 'nginx:1.9.1', and its busybox container image to 'busybox' kubectl set image deployment/nginx busybox=busybox nginx=nginx:1.9.1 # Update all deployments' and rc's nginx container's image to 'nginx:1.9.1' kubectl set image deployments,rc nginx=nginx:1.9.1 --all # Update image of all containers of daemonset abc to 'nginx:1.9.1' kubectl set image daemonset abc *=nginx:1.9.1 # Print result (in yaml format) of updating nginx container image from local file, without hitting the server kubectl set image -f path/to/file.yaml nginx=nginx:1.9.1 --local -o yaml ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 将 Deployment 的 nginx 容器镜像设置为 “nginx:1.9.1”，并将其 busybox 容器镜像设置为 “busybox”</span> </span></span><span style="display:flex;"><span>kubectl <span style="color:#a2f">set</span> image deployment/nginx <span style="color:#b8860b">busybox</span><span style="color:#666">=</span>busybox <span style="color:#b8860b">nginx</span><span style="color:#666">=</span>nginx:1.9.1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 更新所有 Deployment 和副本控制器的 nginx 容器镜像为 “nginx:1.9.1”</span> </span></span><span style="display:flex;"><span>kubectl <span style="color:#a2f">set</span> image deployments,rc <span style="color:#b8860b">nginx</span><span style="color:#666">=</span>nginx:1.9.1 --all </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 更新 DaemonSet abc 的所有容器镜像为 &#34;nginx:1.9.1&#34;</span> </span></span><span style="display:flex;"><span>kubectl <span style="color:#a2f">set</span> image daemonset abc *<span style="color:#666">=</span>nginx:1.9.1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 使用本地文件更新 nginx 容器镜像，并以 YAML 格式打印结果，但不向服务器发出请求</span> </span></span><span style="display:flex;"><span>kubectl <span style="color:#a2f">set</span> image -f path/to/file.yaml <span style="color:#b8860b">nginx</span><span style="color:#666">=</span>nginx:1.9.1 --local -o yaml </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--all</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- Select all resources, in the namespace of the specified resource types --> 在指定资源类型的命名空间中，选择所有资源。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_set/kubectl_set_resources/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_set/kubectl_set_resources/<!-- title: kubectl set resources content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Specify compute resource requirements (CPU, memory) for any resource that defines a pod template. If a pod is successfully scheduled, it is guaranteed the amount of resource requested, but may burst up to its specified limits. For each compute resource, if a limit is specified and a request is omitted, the request will default to the limit. Possible resources include (case insensitive): Use "kubectl api-resources" for a complete list of supported resources.. --> <p>为定义 Pod 模板的任一资源指定计算资源要求（CPU、内存）。 如果 Pod 被成功调度，将保证获得所请求的资源量，但可以在某一瞬间达到其指定的限制值。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_set/kubectl_set_selector/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_set/kubectl_set_selector/<!-- title: kubectl set selector content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Set the selector on a resource. Note that the new selector will overwrite the old selector if the resource had one prior to the invocation of 'set selector'. A selector must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 63 characters. If --resource-version is specified, then updates will use this resource version, otherwise the existing resource-version will be used. Note: currently selectors can only be set on Service objects. --> <p>为某个资源设置选择算符。请注意， 如果资源在 <code>set selector</code> 调用之前已有选择算符，则新的选择算符将覆盖旧的选择算符。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_set/kubectl_set_serviceaccount/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_set/kubectl_set_serviceaccount/<!-- title: kubectl set serviceaccount content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Update the service account of pod template resources. Possible resources (case insensitive) can be: replicationcontroller (rc), deployment (deploy), daemonset (ds), job, replicaset (rs), statefulset --> <p>更新 Pod 模板资源的服务账号。</p> <p>可能的资源（不区分大小写）可以是：</p> <pre tabindex="0"><code>replicationcontroller (rc), deployment (deploy), daemonset (ds), job, replicaset (rs), statefulset </code></pre><div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl <span style="color:#a2f">set</span> serviceaccount <span style="color:#666">(</span>-f FILENAME | TYPE NAME<span style="color:#666">)</span> SERVICE_ACCOUNT </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Set deployment nginx-deployment's service account to serviceaccount1 kubectl set serviceaccount deployment nginx-deployment serviceaccount1 # Print the result (in YAML format) of updated nginx deployment with the service account from local file, without hitting the API server kubectl set sa -f nginx-deployment.yaml serviceaccount1 --local --dry-run=client -o yaml ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 将名为 nginx-deployment 的 Deployment 的服务账号设置为 serviceaccount1</span> </span></span><span style="display:flex;"><span>kubectl <span style="color:#a2f">set</span> serviceaccount deployment nginx-deployment serviceaccount1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 打印使用本地文件中服务账号更新 nginx Deployment 后的结果（以 YAML 格式），不向 API 服务器发送请求</span> </span></span><span style="display:flex;"><span>kubectl <span style="color:#a2f">set</span> sa -f nginx-deployment.yaml serviceaccount1 --local --dry-run<span style="color:#666">=</span>client -o yaml </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--all</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- Select all resources, in the namespace of the specified resource types --> 在指定资源类型的命名空间中，选择所有资源。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_set/kubectl_set_subject/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_set/kubectl_set_subject/<!-- title: kubectl set subject content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Update the user, group, or service account in a role binding or cluster role binding. --> <p>更新角色绑定或集群角色绑定中的用户、组或服务账号。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl <span style="color:#a2f">set</span> subject <span style="color:#666">(</span>-f FILENAME | TYPE NAME<span style="color:#666">)</span> <span style="color:#666">[</span>--user<span style="color:#666">=</span>username<span style="color:#666">]</span> <span style="color:#666">[</span>--group<span style="color:#666">=</span>groupname<span style="color:#666">]</span> <span style="color:#666">[</span>--serviceaccount<span style="color:#666">=</span>namespace:serviceaccountname<span style="color:#666">]</span> <span style="color:#666">[</span>--dry-run<span style="color:#666">=</span>server|client|none<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Update a cluster role binding for serviceaccount1 kubectl set subject clusterrolebinding admin --serviceaccount=namespace:serviceaccount1 # Update a role binding for user1, user2, and group1 kubectl set subject rolebinding admin --user=user1 --user=user2 --group=group1 # Print the result (in YAML format) of updating rolebinding subjects from a local, without hitting the server kubectl create rolebinding admin --role=admin --user=admin -o yaml --dry-run=client | kubectl set subject --local -f - --user=foo -o yaml ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 更新 serviceaccount1 的集群角色绑定</span> </span></span><span style="display:flex;"><span>kubectl <span style="color:#a2f">set</span> subject clusterrolebinding admin --serviceaccount<span style="color:#666">=</span>namespace:serviceaccount1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 更新 user1、user2 和 group1 的角色绑定</span> </span></span><span style="display:flex;"><span>kubectl <span style="color:#a2f">set</span> subject rolebinding admin --user<span style="color:#666">=</span>user1 --user<span style="color:#666">=</span>user2 --group<span style="color:#666">=</span>group1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 打印从本地更新角色绑定主体的结果（以 YAML 格式），但不向服务器发送请求</span> </span></span><span style="display:flex;"><span>kubectl create rolebinding admin --role<span style="color:#666">=</span>admin --user<span style="color:#666">=</span>admin -o yaml --dry-run<span style="color:#666">=</span>client | kubectl <span style="color:#a2f">set</span> subject --local -f - --user<span style="color:#666">=</span>foo -o yaml </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--all</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"><p> <!-- Select all resources, in the namespace of the specified resource types --> 在指定资源类型的命名空间中，选择所有资源。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_top/kubectl_top_node/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_top/kubectl_top_node/<!-- title: kubectl top node content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Display resource (CPU/memory) usage of nodes. The top-node command allows you to see the resource consumption of nodes. --> <p>显示节点的资源（CPU/内存）使用情况。</p> <p>top-node 命令可以让你查看节点的资源消耗情况。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl top node <span style="color:#666">[</span>NAME | -l label<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Show metrics for all nodes kubectl top node # Show metrics for a given node kubectl top node NODE_NAME ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 显示所有节点的指标</span> </span></span><span style="display:flex;"><span>kubectl top node </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 显示某个指定节点的指标</span> </span></span><span style="display:flex;"><span>kubectl top node NODE_NAME </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- help for node --> node 操作的帮助命令。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_top/kubectl_top_pod/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/generated/kubectl_top/kubectl_top_pod/<!-- title: kubectl top pod content_type: tool-reference weight: 30 auto_generated: true --> <h2 id="简介">简介</h2> <!-- Display resource (CPU/memory) usage of pods. The 'top pod' command allows you to see the resource consumption of pods. Due to the metrics pipeline delay, they may be unavailable for a few minutes since pod creation. --> <p>显示 Pod 的资源（CPU/内存）使用情况。</p> <p><code>top pod</code> 命令允许你查看 Pod 的资源消耗情况。</p> <p>由于指标管道的延迟，Pod 创建后的几分钟内可能无法获取资源消耗数据。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubectl top pod <span style="color:#666">[</span>NAME | -l label<span style="color:#666">]</span> </span></span></code></pre></div><h2 id="示例">示例</h2> <!-- ``` # Show metrics for all pods in the default namespace kubectl top pod # Show metrics for all pods in the given namespace kubectl top pod --namespace=NAMESPACE # Show metrics for a given pod and its containers kubectl top pod POD_NAME --containers # Show metrics for the pods defined by label name=myLabel kubectl top pod -l name=myLabel ``` --> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 显示 default 命名空间中所有 Pod 的指标</span> </span></span><span style="display:flex;"><span>kubectl top pod </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 显示指定命名空间中所有 Pod 的指标</span> </span></span><span style="display:flex;"><span>kubectl top pod --namespace<span style="color:#666">=</span>NAMESPACE </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 显示指定 Pod 及其容器的指标</span> </span></span><span style="display:flex;"><span>kubectl top pod POD_NAME --containers </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#080;font-style:italic"># 显示由标签 name=myLabel 所定义的 Pod 的指标</span> </span></span><span style="display:flex;"><span>kubectl top pod -l <span style="color:#b8860b">name</span><span style="color:#666">=</span>myLabel </span></span></code></pre></div><h2 id="选项">选项</h2> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-A, --all-namespaces</td> </tr> <tr> <td></td> <td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- If present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with --namespace. --> 如果存在，则列举所有命名空间中请求的对象。 即使使用 <code>--namespace</code> 指定，当前上下文中的命名空间也会被忽略。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/operator/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/operator/<!-- title: Operator pattern content_type: concept weight: 30 --> <!-- overview --> <!-- Operators are software extensions to Kubernetes that make use of [custom resources](/docs/concepts/extend-kubernetes/api-extension/custom-resources/) to manage applications and their components. Operators follow Kubernetes principles, notably the [control loop](/docs/concepts/architecture/controller). --> <p>Operator 是 Kubernetes 的扩展软件， 它利用<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/">定制资源</a>管理应用及其组件。 Operator 遵循 Kubernetes 的理念，特别是在<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/controller">控制器</a>方面。</p> <!-- body --> <!-- ## Motivation The _operator pattern_ aims to capture the key aim of a human operator who is managing a service or set of services. Human operators who look after specific applications and services have deep knowledge of how the system ought to behave, how to deploy it, and how to react if there are problems. People who run workloads on Kubernetes often like to use automation to take care of repeatable tasks. The operator pattern captures how you can write code to automate a task beyond what Kubernetes itself provides. --> <h2 id="motivation">初衷</h2> <p><strong>Operator 模式</strong>旨在记述（正在管理一个或一组服务的）运维人员的关键目标。 这些运维人员负责一些特定的应用和 Service，他们需要清楚地知道系统应该如何运行、如何部署以及出现问题时如何处理。</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/pinterest/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/pinterest/<h2>Challenge</h2> <p>After eight years in existence, Pinterest had grown into 1,000 microservices and multiple layers of infrastructure and diverse set-up tools and platforms. In 2016 the company launched a roadmap towards a new compute platform, led by the vision of creating the fastest path from an idea to production, without making engineers worry about the underlying infrastructure.</p> <h2>Solution</h2> <p>The first phase involved moving services to Docker containers. Once these services went into production in early 2017, the team began looking at orchestration to help create efficiencies and manage them in a decentralized way. After an evaluation of various solutions, Pinterest went with Kubernetes.</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-policy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-policy/<!-- title: Pod Security Policies content_type: concept weight: 30 --> <!-- overview --> <div class="alert alert-warning" role="alert"><div class="h4 alert-heading" role="heading">被移除的特性</div> <!-- PodSecurityPolicy was [deprecated](/blog/2021/04/08/kubernetes-1-21-release-announcement/#podsecuritypolicy-deprecation) in Kubernetes v1.21, and removed from Kubernetes in v1.25. --> <p>PodSecurityPolicy 在 Kubernetes v1.21 中<a href="https://andygol-k8s.netlify.app/blog/2021/04/08/kubernetes-1-21-release-announcement/#podsecuritypolicy-deprecation">被弃用</a>， 在 Kubernetes v1.25 中被移除。</p> </div> <!-- Instead of using PodSecurityPolicy, you can enforce similar restrictions on Pods using either or both: --> <p>作为替代，你可以使用下面任一方式执行类似的限制，或者同时使用下面这两种方式。</p> <!-- - [Pod Security Admission](/docs/concepts/security/pod-security-admission/) - a 3rd party admission plugin, that you deploy and configure yourself --> <ul> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-admission/">Pod 安全准入</a></li> <li>自行部署并配置第三方准入插件</li> </ul> <!-- For a migration guide, see [Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller](/docs/tasks/configure-pod-container/migrate-from-psp/). For more information on the removal of this API, see [PodSecurityPolicy Deprecation: Past, Present, and Future](/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/). --> <p>有关如何迁移， 参阅<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp/">从 PodSecurityPolicy 迁移到内置的 PodSecurity 准入控制器</a>。 有关移除此 API 的更多信息，参阅 <a href="https://andygol-k8s.netlify.app/zh-cn/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/">弃用 PodSecurityPolicy：过去、现在、未来</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/<!-- title: Pod Lifecycle content_type: concept weight: 30 math: true --> <!-- overview --> <!-- This page describes the lifecycle of a Pod. Pods follow a defined lifecycle, starting in the `Pending` [phase](#pod-phase), moving through `Running` if at least one of its primary containers starts OK, and then through either the `Succeeded` or `Failed` phases depending on whether any container in the Pod terminated in failure. --> <p>本页面讲述 Pod 的生命周期。 Pod 遵循预定义的生命周期，起始于 <code>Pending</code> <a href="#pod-phase">阶段</a>， 如果至少其中有一个主要容器正常启动，则进入 <code>Running</code>，之后取决于 Pod 中是否有容器以失败状态结束而进入 <code>Succeeded</code> 或者 <code>Failed</code> 阶段。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/pod-overhead/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/pod-overhead/<!-- --- reviewers: - dchen1107 - egernst - tallclair title: Pod Overhead content_type: concept weight: 30 --- --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.24 [stable]</code> </div> <!-- When you run a Pod on a Node, the Pod itself takes an amount of system resources. These resources are additional to the resources needed to run the container(s) inside the Pod. In Kubernetes, _Pod Overhead_ is a way to account for the resources consumed by the Pod infrastructure on top of the container requests & limits. --> <p>在节点上运行 Pod 时，Pod 本身占用大量系统资源。这些是运行 Pod 内容器所需资源之外的资源。 在 Kubernetes 中，<em>POD 开销</em> 是一种方法，用于计算 Pod 基础设施在容器请求和限制之上消耗的资源。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/secret/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/secret/<!-- reviewers: - mikedanese title: Secrets api_metadata: - apiVersion: "v1" kind: "Secret" content_type: concept feature: title: Secret and configuration management description: > Deploy and update Secrets and application configuration without rebuilding your image and without exposing Secrets in your stack configuration. weight: 30 --> <!-- overview --> <!-- A Secret is an object that contains a small amount of sensitive data such as a password, a token, or a key. Such information might otherwise be put in a <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> specification or in a <a class='glossary-tooltip' title='镜像（Image）是保存的容器实例，它打包了应用运行所需的一组软件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-image' target='_blank' aria-label='container image'>container image</a>. Using a Secret means that you don't need to include confidential data in your application code. --> <p>Secret 是一种包含少量敏感信息例如密码、令牌或密钥的对象。 这样的信息可能会被放在 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 规约中或者镜像中。 使用 Secret 意味着你不需要在应用程序代码中包含机密数据。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/<!-- reviewers: - enisoc - erictune - foxish - janetkuo - kow3ns - smarterclayton title: StatefulSets api_metadata: - apiVersion: "apps/v1" kind: "StatefulSet" content_type: concept description: >- A StatefulSet runs a group of Pods, and maintains a sticky identity for each of those Pods. This is useful for managing applications that need persistent storage or a stable, unique network identity. weight: 30 hide_summary: true # Listed separately in section index --> <!-- overview --> <!-- StatefulSet is the workload API object used to manage stateful applications. --> <p>StatefulSet 是用来管理有状态应用的工作负载 API 对象。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/new-content/case-studies/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/new-content/case-studies/<!-- title: Submitting case studies linktitle: Case studies slug: case-studies content_type: concept weight: 30 --> <!-- overview --> <!-- Case studies highlight how organizations are using Kubernetes to solve real-world problems. The Kubernetes marketing team and members of the <a class='glossary-tooltip' title='云原生计算基金会（Cloud Native Computing Foundation）' data-toggle='tooltip' data-placement='top' href='https://cncf.io/' target='_blank' aria-label='CNCF'>CNCF</a> collaborate with you on all case studies. Case studies require extensive review before they're approved. --> <p>案例分析用来概述组织如何使用 Kubernetes 解决现实世界的问题。 Kubernetes 市场化团队和 <a class='glossary-tooltip' title='云原生计算基金会（Cloud Native Computing Foundation）' data-toggle='tooltip' data-placement='top' href='https://cncf.io/' target='_blank' aria-label='CNCF'>CNCF</a> 成员会与你一起工作， 撰写所有的案例分析。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use/<!-- title: Find Out What Container Runtime is Used on a Node content_type: task reviewers: - SergeyKanzhelev weight: 30 --> <!-- overview --> <!-- This page outlines steps to find out what [container runtime](/docs/setup/production-environment/container-runtimes/) the nodes in your cluster use. --> <p>本页面描述查明集群中节点所使用的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/container-runtimes/">容器运行时</a> 的步骤。</p> <!-- Depending on the way you run your cluster, the container runtime for the nodes may have been pre-configured or you need to configure it. If you're using a managed Kubernetes service, there might be vendor-specific ways to check what container runtime is configured for the nodes. The method described on this page should work whenever the execution of `kubectl` is allowed. --> <p>取决于你运行集群的方式，节点所使用的容器运行时可能是事先配置好的， 也可能需要你来配置。如果你在使用托管的 Kubernetes 服务， 可能存在特定于厂商的方法来检查节点上配置的容器运行时。 本页描述的方法应该在能够执行 <code>kubectl</code> 的场合下都可以工作。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/job/job-with-pod-to-pod-communication/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/job/job-with-pod-to-pod-communication/<!-- title: Job with Pod-to-Pod Communication content_type: task min-kubernetes-server-version: v1.21 weight: 30 --> <!-- overview --> <!-- In this example, you will run a Job in [Indexed completion mode](/blog/2021/04/19/introducing-indexed-jobs/) configured such that the pods created by the Job can communicate with each other using pod hostnames rather than pod IP addresses. Pods within a Job might need to communicate among themselves. The user workload running in each pod could query the Kubernetes API server to learn the IPs of the other Pods, but it's much simpler to rely on Kubernetes' built-in DNS resolution. --> <p>在此例中，你将以<a href="https://andygol-k8s.netlify.app/blog/2021/04/19/introducing-indexed-jobs/">索引完成模式</a>运行一个 Job， 并通过配置使得该 Job 所创建的各 Pod 之间可以使用 Pod 主机名而不是 Pod IP 地址进行通信。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/scheduling/policies/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/scheduling/policies/<!-- title: Scheduling Policies content_type: concept sitemap: priority: 0.2 # Scheduling priorities are deprecated weight: 30 --> <!-- overview --> <!-- In Kubernetes versions before v1.23, a scheduling policy can be used to specify the *predicates* and *priorities* process. For example, you can set a scheduling policy by running `kube-scheduler --policy-config-file <filename>` or `kube-scheduler --policy-configmap <ConfigMap>`. This scheduling policy is not supported since Kubernetes v1.23. Associated flags `policy-config-file`, `policy-configmap`, `policy-configmap-namespace` and `use-legacy-policy-config` are also not supported. Instead, use the [Scheduler Configuration](/docs/reference/scheduling/config/) to achieve similar behavior. --> <p>在 Kubernetes v1.23 版本之前，可以使用调度策略来指定 <strong>predicates</strong> 和 <strong>priorities</strong> 进程。 例如，可以通过运行 <code>kube-scheduler --policy-config-file &lt;filename&gt;</code> 或者 <code>kube-scheduler --policy-configmap &lt;ConfigMap&gt;</code> 设置调度策略。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-application/debug-statefulset/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-application/debug-statefulset/<!-- reviewers: - bprashanth - enisoc - erictune - foxish - janetkuo - kow3ns - smarterclayton title: Debug a StatefulSet content_type: task weight: 30 --> <!-- overview --> <!-- This task shows you how to debug a StatefulSet. --> <p>此任务展示如何调试 StatefulSet。</p> <h2 id="准备开始">准备开始</h2> <!-- * You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. * You should have a StatefulSet running that you want to investigate. --> <ul> <li>你需要有一个 Kubernetes 集群，已配置好的 kubectl 命令行工具与你的集群进行通信。</li> <li>你应该有一个运行中的 StatefulSet，以便用于调试。</li> </ul> <!-- steps --> <!-- ## Debugging a StatefulSet In order to list all the pods which belong to a StatefulSet, which have a label `app.kubernetes.io/name=MyApp` set on them, you can use the following: --> <h2 id="debugging-a-statefulset">调试 StatefulSet</h2> <p>StatefulSet 在创建 Pod 时为其设置了 <code>app.kubernetes.io/name=MyApp</code> 标签，列出仅属于某 StatefulSet 的所有 Pod 时，可以使用以下命令：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/resize-container-resources/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/resize-container-resources/<!-- title: Resize CPU and Memory Resources assigned to Containers content_type: task weight: 30 min-kubernetes-server-version: 1.33 --> <!-- overview --> <div class="feature-state-notice feature-stable" title="特性门控： InPlacePodVerticalScaling"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.35 [stable]</code>（默认启用）</div> <!-- This page explains how to change the CPU and memory resource requests and limits assigned to a container *without recreating the Pod*. --> <p>本页面说明了如何在<strong>不重新创建 Pod</strong> 的情况下，更改分配给容器的 CPU 和内存资源请求与限制。</p> <!-- Traditionally, changing a Pod's resource requirements necessitated deleting the existing Pod and creating a replacement, often managed by a [workload controller](/docs/concepts/workloads/controllers/). In-place Pod Resize allows changing the CPU/memory allocation of container(s) within a running Pod while potentially avoiding application disruption. The process for resizing Pod resources is covered in [Resize CPU and Memory Resources assigned to Pods](/docs/tasks/configure-pod-container/resize-pod-resources). --> <p>传统上，更改 Pod 的资源需求需要删除现有 Pod 并创建一个替代 Pod， 这通常由<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/">工作负载控制器</a>管理。 而就地 Pod 调整功能允许在运行中的 Pod 内变更容器的 CPU 和内存分配，从而可能避免干扰应用。 Pod 资源调整的流程详见：<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/resize-pod-resources">调整分配给 Pod 的 CPU 与内存资源</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/names/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/names/<!-- reviewers: - mikedanese - thockin title: Object Names and IDs content_type: concept weight: 30 --> <!-- overview --> <!-- Each <a class='glossary-tooltip' title='Kubernetes 系统中的实体，代表了集群的部分状态。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/#kubernetes-objects' target='_blank' aria-label='object'>object</a> in your cluster has a [_Name_](#names) that is unique for that type of resource. Every Kubernetes object also has a [_UID_](#uids) that is unique across your whole cluster. For example, you can only have one Pod named `myapp-1234` within the same [namespace](/docs/concepts/overview/working-with-objects/namespaces/), but you can have one Pod and one Deployment that are each named `myapp-1234`. --> <p>集群中的每一个<a class='glossary-tooltip' title='Kubernetes 系统中的实体，代表了集群的部分状态。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/#kubernetes-objects' target='_blank' aria-label='对象'>对象</a>都有一个<a href="#names"><strong>名称</strong></a>来标识在同类资源中的唯一性。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/assign-pod-level-resources/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/assign-pod-level-resources/<!-- title: Assign Pod-level CPU and memory resources content_type: task weight: 30 min-kubernetes-server-version: 1.34 --> <!-- overview --> <div class="feature-state-notice feature-beta" title="特性门控： PodLevelResources"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.34 [beta]</code>（默认启用）</div> <!-- This page shows how to specify CPU and memory resources for a Pod at pod-level in addition to container-level resource specifications. A Kubernetes node allocates resources to a pod based on the pod's resource requests. These requests can be defined at the pod level or individually for containers within the pod. When both are present, the pod-level requests take precedence. --> <p>本页介绍除了容器级别的资源规约外，如何在 Pod 级别指定 CPU 和内存资源。 Kubernetes 节点基于 Pod 的资源请求分配资源。 这些请求可以在 Pod 级别定义，也可以逐个为 Pod 内的容器定义。 当两种级别的请求都存在时，Pod 级别的请求优先。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/blog/article-submission/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/blog/article-submission/<!-- title: Submitting articles to Kubernetes blogs slug: article-submission content_type: concept weight: 30 --> <!-- overview --> <!-- There are two official Kubernetes blogs, and the CNCF has its own blog where you can cover Kubernetes too. For the [main Kubernetes blog](/docs/contribute/blog/), we (the Kubernetes project) like to publish articles with different perspectives and special focuses, that have a link to Kubernetes. With only a few special case exceptions, we only publish content that hasn't been submitted or published anywhere else. --> <p>Kubernetes 有两个官方博客，CNCF 也有自己的博客频道，你也可以在 CNCF 博客频道上发布与 Kubernetes 相关的内容。对于 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/blog/">Kubernetes 主博客</a>， 我们（Kubernetes 项目组）希望发布与 Kubernetes 有关联的具有不同视角和独特关注点的文章。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/authorization/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/authorization/<!-- reviewers: - erictune - lavalamp - deads2k - liggitt title: Authorization content_type: concept weight: 30 description: > Details of Kubernetes authorization mechanisms and supported authorization modes. --> <!-- overview --> <!-- Kubernetes authorization takes place following [authentication](/docs/reference/access-authn-authz/authentication/). Usually, a client making a request must be authenticated (logged in) before its request can be allowed; however, Kubernetes also allows anonymous requests in some circumstances. For an overview of how authorization fits into the wider context of API access control, read [Controlling Access to the Kubernetes API](/docs/concepts/security/controlling-access/). --> <p>Kubernetes 鉴权在<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/authentication/">身份认证</a>之后进行。 通常，发出请求的客户端必须经过身份验证（登录）才能允许其请求； 但是，Kubernetes 在某些情况下也允许匿名请求。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-daemon/pods-some-nodes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-daemon/pods-some-nodes/<!-- title: Running Pods on Only Some Nodes content_type: task weight: 30 --> <!-- overview --> <!-- This page demonstrates how can you run <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pods'>Pods</a> on only some <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='Nodes'>Nodes</a> as part of a <a class='glossary-tooltip' title='确保 Pod 的副本在集群中的一组节点上运行。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/daemonset/' target='_blank' aria-label='DaemonSet'>DaemonSet</a> --> <p>本页演示了你如何能够仅在某些<a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='节点'>节点</a>上作为 <a class='glossary-tooltip' title='确保 Pod 的副本在集群中的一组节点上运行。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/daemonset/' target='_blank' aria-label='DaemonSet'>DaemonSet</a> 的一部分运行<a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a>。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/client-libraries/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/client-libraries/<!-- title: Client Libraries reviewers: - ahmetb content_type: concept weight: 30 --> <!-- overview --> <!-- This page contains an overview of the client libraries for using the Kubernetes API from various programming languages. --> <p>本页面概要介绍了基于各种编程语言使用 Kubernetes API 的客户端库。</p> <!-- body --> <!-- To write applications using the [Kubernetes REST API](/docs/reference/using-api/), you do not need to implement the API calls and request/response types yourself. You can use a client library for the programming language you are using. --> <p>在使用 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/">Kubernetes REST API</a> 编写应用程序时， 你并不需要自己实现 API 调用和 “请求/响应” 类型。 你可以根据自己的编程语言需要选择使用合适的客户端库。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/controller/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/controller/<!-- title: Controllers content_type: concept weight: 30 --> <!-- overview --> <!-- In robotics and automation, a _control loop_ is a non-terminating loop that regulates the state of a system. Here is one example of a control loop: a thermostat in a room. When you set the temperature, that's telling the thermostat about your *desired state*. The actual room temperature is the *current state*. The thermostat acts to bring the current state closer to the desired state, by turning equipment on or off. --> <p>在机器人技术和自动化领域，控制回路（Control Loop）是一个非终止回路，用于调节系统状态。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/ephemeral-volumes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/ephemeral-volumes/<!-- reviewers: - jsafrane - saad-ali - msau42 - xing-yang - pohly title: Ephemeral Volumes content_type: concept weight: 30 --> <!-- overview --> <!-- This document describes _ephemeral volumes_ in Kubernetes. Familiarity with [volumes](/docs/concepts/storage/volumes/) is suggested, in particular PersistentVolumeClaim and PersistentVolume. --> <p>本文档描述 Kubernetes 中的 <strong>临时卷（Ephemeral Volume）</strong>。 建议先了解<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes/">卷</a>，特别是 PersistentVolumeClaim 和 PersistentVolume。</p> <!-- body --> <!-- Some applications need additional storage but don't care whether that data is stored persistently across restarts. For example, caching services are often limited by memory size and can move infrequently used data into storage that is slower than memory with little impact on overall performance. --> <p>有些应用程序需要额外的存储，但并不关心数据在重启后是否仍然可用。 例如，缓存服务经常受限于内存大小，而且可以将不常用的数据转移到比内存慢的存储中，对总体性能的影响并不大。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/configure-access-multiple-clusters/<!-- title: Configure Access to Multiple Clusters content_type: task weight: 30 card: name: tasks weight: 25 title: Configure access to clusters --> <!-- overview --> <!-- This page shows how to configure access to multiple clusters by using configuration files. After your clusters, users, and contexts are defined in one or more configuration files, you can quickly switch between clusters by using the `kubectl config use-context` command. --> <p>本文展示如何使用配置文件来配置对多个集群的访问。 在将集群、用户和上下文定义在一个或多个配置文件中之后，用户可以使用 <code>kubectl config use-context</code> 命令快速地在集群之间进行切换。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-constraint-namespace/<!-- title: Configure Minimum and Maximum Memory Constraints for a Namespace content_type: task weight: 30 --> <!-- overview --> <!-- This page shows how to set minimum and maximum values for memory used by containers running in a <a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='namespace'>namespace</a>. You specify minimum and maximum memory values in a [LimitRange](/docs/reference/kubernetes-api/policy-resources/limit-range-v1/) object. If a Pod does not meet the constraints imposed by the LimitRange, it cannot be created in the namespace. --> <p>本页介绍如何设置在<a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='名字空间'>名字空间</a> 中运行的容器所使用的内存的最小值和最大值。你可以在 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/limit-range-v1/">LimitRange</a> 对象中指定最小和最大内存值。如果 Pod 不满足 LimitRange 施加的约束， 则无法在名字空间中创建它。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-application/determine-reason-pod-failure/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-application/determine-reason-pod-failure/<!-- title: Determine the Reason for Pod Failure content_type: task weight: 30 --> <!-- overview --> <!-- This page shows how to write and read a Container termination message. --> <p>本文介绍如何编写和读取容器的终止消息。</p> <!-- Termination messages provide a way for containers to write information about fatal events to a location where it can be easily retrieved and surfaced by tools like dashboards and monitoring software. In most cases, information that you put in a termination message should also be written to the general [Kubernetes logs](/docs/concepts/cluster-administration/logging/). --> <p>终止消息为容器提供了一种方法，可以将有关致命事件的信息写入某个位置， 在该位置可以通过仪表板和监控软件等工具轻松检索和显示致命事件。 在大多数情况下，你放入终止消息中的信息也应该写入 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/logging/">常规 Kubernetes 日志</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/containers/runtime-class/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/containers/runtime-class/<!-- reviewers: - tallclair - dchen1107 title: Runtime Class content_type: concept weight: 30 hide_summary: true # Listed separately in section index --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.20 [stable]</code> </div> <!-- This page describes the RuntimeClass resource and runtime selection mechanism. RuntimeClass is a feature for selecting the container runtime configuration. The container runtime configuration is used to run a Pod's containers. --> <p>本页面描述了 RuntimeClass 资源和运行时的选择机制。</p> <p>RuntimeClass 是一个用于选择容器运行时配置的特性，容器运行时配置用于运行 Pod 中的容器。</p> <!-- body --> <!-- ## Motivation You can set a different RuntimeClass between different Pods to provide a balance of performance versus security. For example, if part of your workload deserves a high level of information security assurance, you might choose to schedule those Pods so that they run in a container runtime that uses hardware virtualization. You'd then benefit from the extra isolation of the alternative runtime, at the expense of some additional overhead. --> <h2 id="motivation">动机</h2> <p>你可以在不同的 Pod 设置不同的 RuntimeClass，以提供性能与安全性之间的平衡。 例如，如果你的部分工作负载需要高级别的信息安全保证，你可以决定在调度这些 Pod 时尽量使它们在使用硬件虚拟化的容器运行时中运行。 这样，你将从这些不同运行时所提供的额外隔离中获益，代价是一些额外的开销。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/<!-- reviewers: - sig-cluster-lifecycle title: Upgrading kubeadm clusters content_type: task weight: 30 --> <!-- overview --> <!-- This page explains how to upgrade a Kubernetes cluster created with kubeadm from version 1.34.x to version 1.35.x, and from version 1.35.x to 1.35.y (where `y > x`). Skipping MINOR versions when upgrading is unsupported. For more details, please visit [Version Skew Policy](/releases/version-skew-policy/). --> <p>本页介绍如何将 <code>kubeadm</code> 创建的 Kubernetes 集群从 1.34.x 版本升级到 1.35.x 版本以及从 1.35.x 升级到 1.35.y（其中 <code>y &gt; x</code>）。略过次版本号的升级是不被支持的。 更多详情请访问<a href="https://andygol-k8s.netlify.app/zh-cn/releases/version-skew-policy/">版本偏差策略</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/security/apparmor/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/security/apparmor/<!-- reviewers: - stclair title: Restrict a Container's Access to Resources with AppArmor content_type: tutorial weight: 30 --> <!-- overview --> <div class="feature-state-notice feature-stable" title="特性门控： AppArmor"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.31 [stable]</code>（默认启用）</div> <!-- This page shows you how to load AppArmor profiles on your nodes and enforce those profiles in Pods. To learn more about how Kubernetes can confine Pods using AppArmor, see [Linux kernel security constraints for Pods and containers](/docs/concepts/security/linux-kernel-security-constraints/#apparmor). --> <p>本页面向你展示如何在节点上加载 AppArmor 配置文件并在 Pod 中强制应用这些配置文件。 要了解有关 Kubernetes 如何使用 AppArmor 限制 Pod 的更多信息，请参阅 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/linux-kernel-security-constraints/#apparmor">Pod 和容器的 Linux 内核安全约束</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy/<!-- reviewers: - danwent - aanm title: Use Cilium for NetworkPolicy content_type: task weight: 30 --> <!-- overview --> <!-- This page shows how to use Cilium for NetworkPolicy. For background on Cilium, read the [Introduction to Cilium](https://docs.cilium.io/en/stable/overview/intro). --> <p>本页展示如何使用 Cilium 提供 NetworkPolicy。</p> <p>关于 Cilium 的背景知识，请阅读 <a href="https://docs.cilium.io/en/stable/overview/intro">Cilium 介绍</a>。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/configuration/configure-redis-using-configmap/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/configuration/configure-redis-using-configmap/<!-- reviewers: - eparis - pmorie title: Configuring Redis using a ConfigMap content_type: tutorial weight: 30 --> <!-- overview --> <!-- This page provides a real world example of how to configure Redis using a ConfigMap and builds upon the [Configure a Pod to Use a ConfigMap](/docs/tasks/configure-pod-container/configure-pod-configmap/) task. --> <p>这篇文档基于<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/">配置 Pod 以使用 ConfigMap</a> 这个任务，提供了一个使用 ConfigMap 来配置 Redis 的真实案例。</p> <h2 id="教程目标">教程目标</h2> <!-- * Create a ConfigMap with Redis configuration values * Create a Redis Pod that mounts and uses the created ConfigMap * Verify that the configuration was correctly applied. --> <ul> <li>使用 Redis 配置的值创建一个 ConfigMap</li> <li>创建一个 Redis Pod，挂载并使用创建的 ConfigMap</li> <li>验证配置已经被正确应用</li> </ul> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/crictl/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/crictl/<!-- reviewers: - Random-Liu - feiskyer - mrunalp title: Debugging Kubernetes nodes with crictl content_type: task weight: 30 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.11 [stable]</code> </div> <!-- `crictl` is a command-line interface for CRI-compatible container runtimes. You can use it to inspect and debug container runtimes and applications on a Kubernetes node. `crictl` and its source are hosted in the [cri-tools](https://github.com/kubernetes-sigs/cri-tools) repository. --> <p><code>crictl</code> 是 CRI 兼容的容器运行时命令行接口。 你可以使用它来检查和调试 Kubernetes 节点上的容器运行时和应用程序。 <code>crictl</code> 和它的源代码在 <a href="https://github.com/kubernetes-sigs/cri-tools">cri-tools</a> 代码库。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/inject-data-application/define-environment-variable-via-file/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/inject-data-application/define-environment-variable-via-file/<!-- title: Define Environment Variable Values Using An Init Container content_type: task min-kubernetes-server-version: v1.34 weight: 30 --> <!-- overview --> <div class="feature-state-notice feature-beta" title="特性门控： EnvFiles"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.35 [beta]</code>（默认启用）</div> <!-- This page show how to configure environment variables for containers in a Pod via file. --> <p>本页展示如何通过文件为 Pod 中的容器配置环境变量。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/<!-- reviewers: - sig-cluster-lifecycle title: Creating a cluster with kubeadm content_type: task weight: 30 --> <!-- overview --> <!-- <img src="https://andygol-k8s.netlify.app/images/kubeadm-stacked-color.png" align="right" width="150px"></img> Using `kubeadm`, you can create a minimum viable Kubernetes cluster that conforms to best practices. In fact, you can use `kubeadm` to set up a cluster that will pass the [Kubernetes Conformance tests](/blog/2017/10/software-conformance-certification/). `kubeadm` also supports other cluster lifecycle functions, such as [bootstrap tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) and cluster upgrades. --> <p><img src="https://andygol-k8s.netlify.app/images/kubeadm-stacked-color.png" align="right" width="150px"></img> 使用 <code>kubeadm</code>，你能创建一个符合最佳实践的最小化 Kubernetes 集群。 事实上，你可以使用 <code>kubeadm</code> 配置一个通过 <a href="https://andygol-k8s.netlify.app/blog/2017/10/software-conformance-certification/">Kubernetes 一致性测试</a>的集群。 <code>kubeadm</code> 还支持其他集群生命周期功能， 例如<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/">启动引导令牌</a>和集群升级。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kustomize/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configmap-secret/managing-secret-using-kustomize/<!-- title: Managing Secrets using Kustomize content_type: task weight: 30 description: Creating Secret objects using kustomization.yaml file. --> <!-- overview --> <!-- `kubectl` supports using the [Kustomize object management tool](/docs/tasks/manage-kubernetes-objects/kustomization/) to manage Secrets and ConfigMaps. You create a *resource generator* using Kustomize, which generates a Secret that you can apply to the API server using `kubectl`. --> <p><code>kubectl</code> 支持使用 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-kubernetes-objects/kustomization/">Kustomize 对象管理工具</a>来管理 Secret 和 ConfigMap。你可以使用 Kustomize 创建<strong>资源生成器（Resource Generator）</strong>， 该生成器会生成一个 Secret，让你能够通过 <code>kubectl</code> 应用到 API 服务器。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/job/fine-parallel-processing-work-queue/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/job/fine-parallel-processing-work-queue/<!-- title: Fine Parallel Processing Using a Work Queue content_type: task weight: 30 --> <!-- overview --> <!-- In this example, you will run a Kubernetes Job that runs multiple parallel tasks as worker processes, each running as a separate Pod. --> <p>在此示例中，你将运行一个 Kubernetes Job，该 Job 将多个并行任务作为工作进程运行， 每个任务在单独的 Pod 中运行。</p> <!-- In this example, as each pod is created, it picks up one unit of work from a task queue, processes it, and repeats until the end of the queue is reached. Here is an overview of the steps in this example: --> <p>在这个例子中，当每个 Pod 被创建时，它会从一个任务队列中获取一个工作单元，处理它，然后重复，直到到达队列的尾部。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/job/indexed-parallel-processing-static/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/job/indexed-parallel-processing-static/<!-- title: Indexed Job for Parallel Processing with Static Work Assignment content_type: task min-kubernetes-server-version: v1.21 weight: 30 --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.24 [stable]</code> </div> <!-- overview --> <!-- In this example, you will run a Kubernetes Job that uses multiple parallel worker processes. Each worker is a different container running in its own Pod. The Pods have an _index number_ that the control plane sets automatically, which allows each Pod to identify which part of the overall task to work on. --> <p>在此示例中，你将运行一个使用多个并行工作进程的 Kubernetes Job。 每个 worker 都是在自己的 Pod 中运行的不同容器。 Pod 具有控制平面自动设置的<strong>索引编号（index number）</strong>， 这些编号使得每个 Pod 能识别出要处理整个任务的哪个部分。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-command/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-command/<!-- title: Managing Kubernetes Objects Using Imperative Commands content_type: task weight: 30 --> <!-- overview --> <!-- Kubernetes objects can quickly be created, updated, and deleted directly using imperative commands built into the `kubectl` command-line tool. This document explains how those commands are organized and how to use them to manage live objects. --> <p>使用构建在 <code>kubectl</code> 命令行工具中的指令式命令可以直接快速创建、更新和删除 Kubernetes 对象。本文档解释这些命令的组织方式以及如何使用它们来管理活跃对象。</p> <h2 id="准备开始">准备开始</h2> <!-- Install [`kubectl`](/docs/tasks/tools/). --> <p>安装<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tools/"><code>kubectl</code></a>。</p> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/stateful-application/cassandra/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/stateful-application/cassandra/<!-- title: "Example: Deploying Cassandra with a StatefulSet" reviewers: - ahmetb content_type: tutorial weight: 30 --> <!-- overview --> <!-- This tutorial shows you how to run [Apache Cassandra](https://cassandra.apache.org/) on Kubernetes. Cassandra, a database, needs persistent storage to provide data durability (application _state_). In this example, a custom Cassandra seed provider lets the database discover new Cassandra instances as they join the Cassandra cluster. --> <p>本教程描述了如何在 Kubernetes 上运行 <a href="https://cassandra.apache.org/">Apache Cassandra</a>。 数据库 Cassandra 需要永久性存储提供数据持久性（应用<strong>状态</strong>）。 在此示例中，自定义 Cassandra seed provider 使数据库在接入 Cassandra 集群时能够发现新的 Cassandra 实例。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/certificates/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/certificates/<!-- title: Generate Certificates Manually content_type: task weight: 30 --> <!-- overview --> <!-- When using client certificate authentication, you can generate certificates manually through [`easyrsa`](https://github.com/OpenVPN/easy-rsa), [`openssl`](https://github.com/openssl/openssl) or [`cfssl`](https://github.com/cloudflare/cfssl). --> <p>在使用客户端证书认证的场景下，你可以通过 <a href="https://github.com/OpenVPN/easy-rsa"><code>easyrsa</code></a>、 <a href="https://github.com/openssl/openssl"><code>openssl</code></a> 或 <a href="https://github.com/cloudflare/cfssl"><code>cfssl</code></a> 等工具以手工方式生成证书。</p> <!-- body --> <h3 id="easyrsa">easyrsa</h3> <!-- **easyrsa** can manually generate certificates for your cluster. --> <p><strong>easyrsa</strong> 支持以手工方式为你的集群生成证书。</p> <!-- 1. Download, unpack, and initialize the patched version of `easyrsa3`. --> <ol> <li> <p>下载、解压、初始化打过补丁的 <code>easyrsa3</code>。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>curl -LO https://dl.k8s.io/easy-rsa/easy-rsa.tar.gz </span></span><span style="display:flex;"><span>tar xzf easy-rsa.tar.gz </span></span><span style="display:flex;"><span><span style="color:#a2f">cd</span> easy-rsa-master/easyrsa3 </span></span><span style="display:flex;"><span>./easyrsa init-pki </span></span></code></pre></div></li> </ol> <!-- 1. Generate a new certificate authority (CA). `--batch` sets automatic mode; `--req-cn` specifies the Common Name (CN) for the CA's new root certificate. --> <ol start="2"> <li> <p>生成新的证书颁发机构（CA）。参数 <code>--batch</code> 用于设置自动模式； 参数 <code>--req-cn</code> 用于设置新的根证书的通用名称（CN）。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/inject-data-application/environment-variable-expose-pod-information/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/inject-data-application/environment-variable-expose-pod-information/<!-- title: Expose Pod Information to Containers Through Environment Variables content_type: task weight: 30 --> <!-- overview --> <!-- This page shows how a Pod can use environment variables to expose information about itself to containers running in the Pod, using the _downward API_. You can use environment variables to expose Pod fields, container fields, or both. --> <p>此页面展示 Pod 如何使用 <strong>downward API</strong> 通过环境变量把自身的信息呈现给 Pod 中运行的容器。 你可以使用环境变量来呈现 Pod 的字段、容器字段或两者。</p> <!-- In Kubernetes, there are two ways to expose Pod and container fields to a running container: * _Environment variables_, as explained in this task * [Volume files](/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/) Together, these two ways of exposing Pod and container fields are called the downward API. As Services are the primary mode of communication between containerized applications managed by Kubernetes, it is helpful to be able to discover them at runtime. Read more about accessing Services [here](/docs/tutorials/services/connect-applications-service/#accessing-the-service). --> <p>在 Kubernetes 中有两种方式可以将 Pod 和容器字段呈现给运行中的容器：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-gmsa/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-gmsa/<!-- title: Configure GMSA for Windows Pods and containers content_type: task weight: 30 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.18 [stable]</code> </div> <!-- This page shows how to configure [Group Managed Service Accounts](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview) (GMSA) for Pods and containers that will run on Windows nodes. Group Managed Service Accounts are a specific type of Active Directory account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators across multiple servers. --> <p>本页展示如何为将运行在 Windows 节点上的 Pod 和容器配置 <a href="https://docs.microsoft.com/zh-cn/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview">组管理的服务账号（Group Managed Service Accounts，GMSA）</a>。 组管理的服务账号是活动目录（Active Directory）的一种特殊类型， 提供自动化的密码管理、简化的服务主体名称（Service Principal Name，SPN） 管理以及跨多个服务器将管理操作委派给其他管理员等能力。</p>https://andygol-k8s.netlify.app/zh-cn/docs/setup/best-practices/node-conformance/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/setup/best-practices/node-conformance/<!-- reviewers: - Random-Liu title: Validate node setup weight: 30 --> <nav id="TableOfContents"> <ul> <li><a href="#node-conformance-test">节点一致性测试</a></li> <li><a href="#node-prerequisite">节点的前提条件</a></li> <li><a href="#running-node-conformance-test">运行节点一致性测试</a></li> <li><a href="#running-node-conformance-test-for-other-architectures">针对其他硬件体系结构运行节点一致性测试</a></li> <li><a href="#running-selected-test">运行特定的测试</a></li> <li><a href="#caveats">注意事项</a></li> </ul> </nav> <!-- ## Node Conformance Test --> <h2 id="node-conformance-test">节点一致性测试</h2> <!-- *Node conformance test* is a containerized test framework that provides a system verification and functionality test for a node. The test validates whether the node meets the minimum requirements for Kubernetes; a node that passes the test is qualified to join a Kubernetes cluster. --> <p><strong>节点一致性测试</strong>是一个容器化的测试框架，提供了针对节点的系统验证和功能测试。 测试验证节点是否满足 Kubernetes 的最低要求；通过测试的节点有资格加入 Kubernetes 集群。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/run-replicated-stateful-application/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/run-replicated-stateful-application/<!-- reviewers: - enisoc - erictune - foxish - janetkuo - kow3ns - smarterclayton title: Run a Replicated Stateful Application content_type: tutorial weight: 30 --> <!-- overview --> <!-- This page shows how to run a replicated stateful application using a <a class='glossary-tooltip' title='StatefulSet 用来管理某 Pod 集合的部署和扩缩，并为这些 Pod 提供持久存储和持久标识符。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/' target='_blank' aria-label='StatefulSet'>StatefulSet</a>. This application is a replicated MySQL database. The example topology has a single primary server and multiple replicas, using asynchronous row-based replication. --> <p>本页展示如何使用 <a class='glossary-tooltip' title='StatefulSet 用来管理某 Pod 集合的部署和扩缩，并为这些 Pod 提供持久存储和持久标识符。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/' target='_blank' aria-label='StatefulSet'>StatefulSet</a> 控制器运行一个有状态的应用程序。此例是多副本的 MySQL 数据库。 示例应用的拓扑结构有一个主服务器和多个副本，使用异步的基于行（Row-Based） 的数据复制。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/leases/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/leases/<!-- title: Leases api_metadata: - apiVersion: "coordination.k8s.io/v1" kind: "Lease" content_type: concept weight: 30 --> <!-- overview --> <!-- Distributed systems often have a need for _leases_, which provide a mechanism to lock shared resources and coordinate activity between members of a set. In Kubernetes, the lease concept is represented by [Lease](/docs/reference/kubernetes-api/cluster-resources/lease-v1/) objects in the `coordination.k8s.io` <a class='glossary-tooltip' title='Kubernetes API 中的一组相关路径。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/kubernetes-api/#api-groups-and-versioning' target='_blank' aria-label='API Group'>API Group</a>, which are used for system-critical capabilities such as node heartbeats and component-level leader election. --> <p>分布式系统通常需要<strong>租约（Lease）</strong>；租约提供了一种机制来锁定共享资源并协调集合成员之间的活动。 在 Kubernetes 中，租约概念表示为 <code>coordination.k8s.io</code> <a class='glossary-tooltip' title='Kubernetes API 中的一组相关路径。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/kubernetes-api/#api-groups-and-versioning' target='_blank' aria-label='API 组'>API 组</a>中的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/lease-v1/">Lease</a> 对象， 常用于类似节点心跳和组件级领导者选举等系统核心能力。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/rbac/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/rbac/<!-- reviewers: - erictune - deads2k - liggitt title: Using RBAC Authorization content_type: concept aliases: [/rbac/] weight: 33 --> <!-- overview --> <!-- Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your organization. --> <p>基于角色（Role）的访问控制（RBAC）是一种基于组织中用户的角色来调节控制对计算机或网络资源的访问的方法。</p> <!-- body --> <!-- RBAC authorization uses the `rbac.authorization.k8s.io` <a class='glossary-tooltip' title='Kubernetes API 中的一组相关路径。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/kubernetes-api/#api-groups-and-versioning' target='_blank' aria-label='API group'>API group</a> to drive authorization decisions, allowing you to dynamically configure policies through the Kubernetes API. --> <p>RBAC 鉴权机制使用 <code>rbac.authorization.k8s.io</code> <a class='glossary-tooltip' title='Kubernetes API 中的一组相关路径。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/kubernetes-api/#api-groups-and-versioning' target='_blank' aria-label='API 组'>API 组</a>来驱动鉴权决定， 允许你通过 Kubernetes API 动态配置策略。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/node/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/node/<!-- reviewers: - timstclair - deads2k - liggitt title: Using Node Authorization content_type: concept weight: 34 --> <!-- overview --> <!-- Node authorization is a special-purpose authorization mode that specifically authorizes API requests made by kubelets. --> <p>节点鉴权是一种特殊用途的鉴权模式，专门对 kubelet 发出的 API 请求进行授权。</p> <!-- body --> <!-- ## Overview --> <h2 id="overview">概述</h2> <!-- The Node authorizer allows a kubelet to perform API operations. This includes: --> <p>节点鉴权器允许 kubelet 执行 API 操作。包括：</p> <!-- Read operations: --> <p>读取操作：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/cel/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/cel/<!-- title: Common Expression Language in Kubernetes reviewers: - jpbetz - cici37 content_type: concept weight: 35 min-kubernetes-server-version: 1.25 --> <!-- overview --> <!-- The [Common Expression Language (CEL)](https://github.com/google/cel-go) is used in the Kubernetes API to declare validation rules, policy rules, and other constraints or conditions. CEL expressions are evaluated directly in the <a class='glossary-tooltip' title='提供 Kubernetes API 服务的控制面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/#kube-apiserver' target='_blank' aria-label='API server'>API server</a>, making CEL a convenient alternative to out-of-process mechanisms, such as webhooks, for many extensibility use cases. Your CEL expressions continue to execute so long as the control plane's API server component remains available. --> <p><a href="https://github.com/google/cel-go">通用表达式语言 (Common Expression Language, CEL)</a> 用于声明 Kubernetes API 的验证规则、策略规则和其他限制或条件。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/configuration/provision-swap-memory/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/configuration/provision-swap-memory/<!-- reviewers: - lmktfy title: Configuring swap memory on Kubernetes nodes content_type: tutorial weight: 35 min-kubernetes-server-version: "1.33" --> <!-- overview --> <!-- This page provides an example of how to provision and configure swap memory on a Kubernetes node using kubeadm. --> <p>本文演示了如何使用 kubeadm 在 Kubernetes 节点上制备和启用交换内存。</p> <!-- lessoncontent --> <h2 id="教程目标">教程目标</h2> <!-- * Provision swap memory on a Kubernetes node using kubeadm. * Learn to configure both encrypted and unencrypted swap. * Learn to enable swap on boot. --> <ul> <li>使用 kubeadm 在 Kubernetes 节点上制备交换内存。</li> <li>学习配置加密和未加密的交换内存。</li> <li>学习如何在系统启动时启用交换内存。</li> </ul> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/webhook/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/webhook/<!-- reviewers: - erictune - lavalamp - deads2k - liggitt title: Webhook Mode content_type: concept weight: 36 --> <!-- overview --> <!-- A WebHook is an HTTP callback: an HTTP POST that occurs when something happens; a simple event-notification via HTTP POST. A web application implementing WebHooks will POST a message to a URL when certain things happen. --> <p>Webhook 是一种 HTTP 回调：某些条件下触发的 HTTP POST 请求；通过 HTTP POST 发送的简单事件通知。一个基于 web 应用实现的 Webhook 会在特定事件发生时把消息发送给特定的 URL。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/abac/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/abac/<!-- reviewers: - erictune - lavalamp - deads2k - liggitt title: Using ABAC Authorization content_type: concept weight: 39 --> <!-- overview --> <!-- Attribute-based access control (ABAC) defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. --> <p>基于属性的访问控制（Attribute-based access control，ABAC）定义了访问控制范例， ABAC 通过使用将属性组合在一起的策略来向用户授予访问权限。</p> <!-- body --> <!-- ## Policy File Format To enable `ABAC` mode, specify `--authorization-policy-file=SOME_FILENAME` and `--authorization-mode=ABAC` on startup. The file format is [one JSON object per line](https://jsonlines.org/). There should be no enclosing list or map, only one map per line. Each line is a "policy object", where each such object is a map with the following properties: --> <h2 id="policy-file-format">策略文件格式</h2> <p>要启用 <code>ABAC</code> 模式，可以在启动时指定 <code>--authorization-policy-file=SOME_FILENAME</code> 和 <code>--authorization-mode=ABAC</code>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/daemonset/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/daemonset/<!-- reviewers: - enisoc - erictune - foxish - janetkuo - kow3ns title: DaemonSet api_metadata: - apiVersion: "apps/v1" kind: "DaemonSet" description: >- A DaemonSet defines Pods that provide node-local facilities. These might be fundamental to the operation of your cluster, such as a networking helper tool, or be part of an add-on. content_type: concept weight: 40 hide_summary: true # Listed separately in section index ---> <!-- overview --> <!-- A _DaemonSet_ ensures that all (or some) Nodes run a copy of a Pod. As nodes are added to the cluster, Pods are added to them. As nodes are removed from the cluster, those Pods are garbage collected. Deleting a DaemonSet will clean up the Pods it created. ---> <p><strong>DaemonSet</strong> 确保全部（或者某些）节点上运行一个 Pod 的副本。 当有节点加入集群时， 也会为他们新增一个 Pod 。 当有节点从集群移除时，这些 Pod 也会被回收。删除 DaemonSet 将会删除它创建的所有 Pod。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/init-containers/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/init-containers/<!--- reviewers: - erictune title: Init Containers content_type: concept weight: 40 --> <!-- overview --> <!-- This page provides an overview of init containers: specialized containers that run before app containers in a <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a>. Init containers can contain utilities or setup scripts not present in an app image. --> <p>本页提供了 Init 容器的概览。Init 容器是一种特殊容器，在 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 内的应用容器启动之前运行。Init 容器可以包括一些应用镜像中不存在的实用工具和安装脚本。</p> <!-- You can specify init containers in the Pod specification alongside the `containers` array (which describes app containers). --> <p>你可以在 Pod 的规约中与用来描述应用容器的 <code>containers</code> 数组平行的位置指定 Init 容器。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/jsonpath/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/jsonpath/<!-- title: JSONPath Support content_type: concept weight: 40 math: true --> <!-- overview --> <!-- The <a class='glossary-tooltip' title='kubectl 是用来和 Kubernetes 集群进行通信的命令行工具。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/' target='_blank' aria-label='kubectl'>kubectl</a> tool supports JSONPath templates as an output format. --> <p><a class='glossary-tooltip' title='kubectl 是用来和 Kubernetes 集群进行通信的命令行工具。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/' target='_blank' aria-label='kubectl'>kubectl</a> 工具支持 JSONPath 模板作为输出格式。</p> <!-- body --> <!-- A _JSONPath template_ is composed of JSONPath expressions enclosed by curly braces: `{` and `}`. Kubectl uses JSONPath expressions to filter on specific fields in the JSON object and format the output. In addition to the original JSONPath template syntax, the following functions and syntax are valid: --> <p><strong>JSONPath 模板</strong>由大括号 <code>{</code> 和 <code>}</code> 包起来的 JSONPath 表达式组成。 kubectl 使用 JSONPath 表达式来过滤 JSON 对象中的特定字段并格式化输出。 除了原始的 JSONPath 模板语法，以下函数和语法也是有效的:</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/<!-- reviewers: - luxas - jbeda title: kubeadm upgrade content_type: concept weight: 40 --> <!-- overview --> <!-- `kubeadm upgrade` is a user-friendly command that wraps complex upgrading logic behind one command, with support for both planning an upgrade and actually performing it. --> <p><code>kubeadm upgrade</code> 是一个对用户友好的命令，它将复杂的升级逻辑包装在一条命令后面，支持升级的规划和实际执行。</p> <!-- body --> <!-- ## kubeadm upgrade guidance --> <h2 id="kubeadm-upgrade-guidance">kubeadm upgrade 指南</h2> <!-- The steps for performing an upgrade using kubeadm are outlined in [this document](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/). For older versions of kubeadm, please refer to older documentation sets of the Kubernetes website. --> <p><a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/">本文档</a>概述使用 kubeadm 执行升级的步骤。与 kubeadm 旧版本相关的文档，请参阅 Kubernetes 网站的旧版文档。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-upgrade-phase/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-upgrade-phase/<!-- ## kubeadm upgrade apply phase {#cmd-apply-phase} Using the phases of `kubeadm upgrade apply`, you can choose to execute the separate steps of the initial upgrade of a control plane node. --> <h2 id="cmd-apply-phase">kubeadm upgrade apply 阶段</h2> <p>使用 <code>kubeadm upgrade apply</code> 的各个阶段， 你可以选择执行控制平面节点初始升级的单独步骤。</p> <ul class="nav nav-tabs" id="tab-apply-phase" role="tablist"><li class="nav-item"><a data-toggle="tab" class="nav-link active" href="#tab-apply-phase-0" role="tab" aria-controls="tab-apply-phase-0" aria-selected="true">phase</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#tab-apply-phase-1" role="tab" aria-controls="tab-apply-phase-1">preflight</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#tab-apply-phase-2" role="tab" aria-controls="tab-apply-phase-2">control-plane</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#tab-apply-phase-3" role="tab" aria-controls="tab-apply-phase-3">upload-config</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#tab-apply-phase-4" role="tab" aria-controls="tab-apply-phase-4">kubelet-config</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#tab-apply-phase-5" role="tab" aria-controls="tab-apply-phase-5">bootstrap-token</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#tab-apply-phase-6" role="tab" aria-controls="tab-apply-phase-6">addon</a></li> <li class="nav-item"><a data-toggle="tab" class="nav-link" href="#tab-apply-phase-7" role="tab" aria-controls="tab-apply-phase-7">post-upgrade</a></li></ul> <div class="tab-content" id="tab-apply-phase"><div id="tab-apply-phase-0" class="tab-pane show active" role="tabpanel" aria-labelledby="tab-apply-phase-0"> <p><!-- ### Synopsis --> <h3 id="概要">概要</h3> <!-- Use this command to invoke single phase of the "apply" workflow --> <p>使用此命令来调用 &quot;apply&quot; 工作流的单个阶段。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/kubernetes-api/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/kubernetes-api/<!-- reviewers: - chenopis title: The Kubernetes API content_type: concept weight: 40 description: > The Kubernetes API lets you query and manipulate the state of objects in Kubernetes. The core of Kubernetes' control plane is the API server and the HTTP API that it exposes. Users, the different parts of your cluster, and external components all communicate with one another through the API server. card: name: concepts weight: 30 --> <!-- overview --> <!-- The core of Kubernetes' <a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='control plane'>control plane</a> is the <a class='glossary-tooltip' title='提供 Kubernetes API 服务的控制面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/#kube-apiserver' target='_blank' aria-label='API server'>API server</a>. The API server exposes an HTTP API that lets end users, different parts of your cluster, and external components communicate with one another. The Kubernetes API lets you query and manipulate the state of API objects in Kubernetes (for example: Pods, Namespaces, ConfigMaps, and Events). --> <p>Kubernetes <a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='控制面'>控制面</a>的核心是 <a class='glossary-tooltip' title='提供 Kubernetes API 服务的控制面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/#kube-apiserver' target='_blank' aria-label='API 服务器'>API 服务器</a>。 API 服务器负责提供 HTTP API，以供用户、集群中的不同部分和集群外部组件相互通信。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/deprecation-policy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/deprecation-policy/<!-- reviewers: - bgrant0607 - lavalamp - thockin title: Kubernetes Deprecation Policy content_type: concept weight: 40 --> <!-- overview --> <!-- This document details the deprecation policy for various facets of the system. --> <p>本文档详细解释系统中各个层面的弃用策略（Deprecation Policy）。</p> <!-- body --> <!-- Kubernetes is a large system with many components and many contributors. As with any such software, the feature set naturally evolves over time, and sometimes a feature may need to be removed. This could include an API, a flag, or even an entire feature. To avoid breaking existing users, Kubernetes follows a deprecation policy for aspects of the system that are slated to be removed. --> <p>Kubernetes 是一个组件众多、贡献者人数众多的大系统。 就像很多类似的软件，所提供的功能特性集合会随着时间推移而自然发生变化， 而且有时候某个功能特性可能需要被移除。被移除的可能是一个 API、 一个参数标志或者甚至某整个功能特性。为了避免影响到现有用户， Kubernetes 对于其中渐次移除的各个方面规定了一种弃用策略并遵从此策略。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/linux-security/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/linux-security/<!-- reviewers: - lmktfy title: Security For Linux Nodes content_type: concept weight: 40 --> <!-- overview --> <!-- This page describes security considerations and best practices specific to the Linux operating system. --> <p>本篇介绍特定于 Linux 操作系统的安全注意事项和最佳实践。</p> <!-- body --> <!-- ## Protection for Secret data on nodes --> <h2 id="protection-for-secret-data-on-nodes">保护节点上的 Secret 数据</h2> <!-- On Linux nodes, memory-backed volumes (such as [`secret`](/docs/concepts/configuration/secret/) volume mounts, or [`emptyDir`](/docs/concepts/storage/volumes/#emptydir) with `medium: Memory`) are implemented with a `tmpfs` filesystem. --> <p>在 Linux 节点上，由内存支持的卷（例如 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/secret/"><code>secret</code></a> 卷挂载，或带有 <code>medium: Memory</code> 的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes/#emptydir"><code>emptyDir</code></a>） 使用 <code>tmpfs</code> 文件系统实现。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/pod-scheduling-readiness/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/pod-scheduling-readiness/<!-- title: Pod Scheduling Readiness content_type: concept weight: 40 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.30 [stable]</code> </div> <!-- Pods were considered ready for scheduling once created. Kubernetes scheduler does its due diligence to find nodes to place all pending Pods. However, in a real-world case, some Pods may stay in a "miss-essential-resources" state for a long period. These Pods actually churn the scheduler (and downstream integrators like Cluster AutoScaler) in an unnecessary manner. By specifying/removing a Pod's `.spec.schedulingGates`, you can control when a Pod is ready to be considered for scheduling. --> <p>Pod 一旦创建就被认为准备好进行调度。 Kubernetes 调度程序尽职尽责地寻找节点来放置所有待处理的 Pod。 然而，在实际环境中，会有一些 Pod 可能会长时间处于&quot;缺少必要资源&quot;状态。 这些 Pod 实际上以一种不必要的方式扰乱了调度器（以及 Cluster AutoScaler 这类下游的集成方）。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/topology-spread-constraints/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/topology-spread-constraints/<!-- title: Pod Topology Spread Constraints content_type: concept weight: 40 --> <!-- overview --> <!-- You can use _topology spread constraints_ to control how <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pods'>Pods</a> are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains. This can help to achieve high availability as well as efficient resource utilization. You can set [cluster-level constraints](#cluster-level-default-constraints) as a default, or configure topology spread constraints for individual workloads. --> <p>你可以使用 <strong>拓扑分布约束（Topology Spread Constraints）</strong> 来控制 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 在集群内故障域之间的分布， 例如区域（Region）、可用区（Zone）、节点和其他用户自定义拓扑域。 这样做有助于实现高可用并提升资源利用率。</p>https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/turnkey-solutions/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/turnkey-solutions/<!-- --- title: Turnkey Cloud Solutions content_type: concept weight: 40 --- --> <!-- overview --> <!-- This page provides a list of Kubernetes certified solution providers. From each provider page, you can learn how to install and setup production ready clusters. --> <p>本页列示 Kubernetes 认证解决方案供应商。 在每一个供应商分页，你可以学习如何安装和设置生产就绪的集群。</p> <!-- body --> <script> function updateLandscapeSource(button,shouldUpdateFragment) { console.log({button: button,shouldUpdateFragment: shouldUpdateFragment}); try { if(shouldUpdateFragment) { window.location.hash = "#iframe-landscape-"+button.id; } else { var landscapeElements = document.querySelectorAll("#landscape"); let categories=button.dataset.landscapeTypes; let link = `https://landscape.cncf.io/embed/embed.html?key=${encodeURIComponent(categories)}&headers=false&style=shadowed&size=md&bg-color=%23d95e00&fg-color=%23ffffff&iframe-resizer=true` landscapeElements[0].src = link; } } catch(err) { console.log({message: "error handling Landscape switch", error: err}) } } document.addEventListener("DOMContentLoaded", function () { let hashChangeHandler = () => { if (window.location.hash) { let selectedTriggerElements = document.querySelectorAll(".landscape-trigger"+window.location.hash); if (selectedTriggerElements.length == 1) { landscapeSource = selectedTriggerElements[0]; console.log("Updating Landscape source based on fragment:", window .location .hash .substring(1)); updateLandscapeSource(landscapeSource,false); } } } var landscapeTriggerElements = document.querySelectorAll(".landscape-trigger"); landscapeTriggerElements.forEach(element => { element.onclick = function() { updateLandscapeSource(element,true); }; }); var landscapeDefaultElements = document.querySelectorAll(".landscape-trigger.landscape-default"); if (landscapeDefaultElements.length == 1) { let defaultLandscapeSource = landscapeDefaultElements[0]; updateLandscapeSource(defaultLandscapeSource,false); } window.addEventListener("hashchange", hashChangeHandler, false); hashChangeHandler(); }); </script><div id="frameHolder"> <iframe id="iframe-landscape" src="https://landscape.cncf.io/embed/embed.html?key=platform--certified-kubernetes-hosted&headers=false&style=shadowed&size=md&bg-color=%233371e3&fg-color=%23ffffff&iframe-resizer=true" style="width: 1px; min-width: 100%; min-height: 100px; border: 0;"></iframe> <script> iFrameResize({ }, '#iframe-landscape'); </script> </div>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/windows-security/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/windows-security/<!-- reviewers: - jayunit100 - jsturtevant - marosset - perithompson title: Security For Windows Nodes content_type: concept weight: 75 --> <!-- overview --> <!-- This page describes security considerations and best practices specific to the Windows operating system. --> <p>本篇介绍特定于 Windows 操作系统的安全注意事项和最佳实践。</p> <!-- body --> <!-- ## Protection for Secret data on nodes --> <h2 id="protection-for-secret-data-on-nodes">保护节点上的 Secret 数据</h2> <!-- On Windows, data from Secrets are written out in clear text onto the node's local storage (as compared to using tmpfs / in-memory filesystems on Linux). As a cluster operator, you should take both of the following additional measures: --> <p>在 Windows 上，来自 Secret 的数据以明文形式写入节点的本地存储 （与在 Linux 上使用 tmpfs / 内存中文件系统不同）。 作为集群操作员，你应该采取以下两项额外措施：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/labels/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/labels/<!-- reviewers: - mikedanese title: Labels and Selectors content_type: concept weight: 40 --> <!-- overview --> <!-- _Labels_ are key/value pairs that are attached to <a class='glossary-tooltip' title='Kubernetes 系统中的实体，代表了集群的部分状态。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/#kubernetes-objects' target='_blank' aria-label='objects'>objects</a> such as pods. Labels are intended to be used to specify identifying attributes of objects that are meaningful and relevant to users, but do not directly imply semantics to the core system. Labels can be used to organize and to select subsets of objects. Labels can be attached to objects at creation time and subsequently added and modified at any time. Each object can have a set of key/value labels defined. Each Key must be unique for a given object. --> <p><strong>标签（Labels）</strong> 是附加到 Kubernetes <a class='glossary-tooltip' title='Kubernetes 系统中的实体，代表了集群的部分状态。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/#kubernetes-objects' target='_blank' aria-label='对象'>对象</a>（比如 Pod）上的键值对。 标签旨在用于指定对用户有意义且相关的对象的标识属性，但不直接对核心系统有语义含义。 标签可以用于组织和选择对象的子集。标签可以在创建时附加到对象，随后可以随时添加和修改。 每个对象都可以定义一组键/值标签。每个键对于给定对象必须是唯一的。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/blog/guidelines/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/blog/guidelines/<!-- title: Blog guidelines content_type: concept weight: 40 --> <!-- overview --> <!-- These guidelines cover the main Kubernetes blog and the Kubernetes contributor blog. All blog content must also adhere to the overall policy in the [content guide](/docs/contribute/style/content-guide/). --> <p>这些指南涵盖了 Kubernetes 主博客和 Kubernetes 贡献者博客。</p> <p>所有博客内容还必须遵循<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/content-guide/">内容指南</a>中的总体政策。</p> <h1 id="准备开始">准备开始</h1> <!-- Make sure you are familiar with the introduction sections of [contributing to Kubernetes blogs](/docs/contribute/blog/), not just to learn about the two official blogs and the differences between them, but also to get an overview of the process. --> <p>确保你熟悉<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/blog/">为 Kubernetes 博客贡献内容</a>的介绍部分， 不仅是为了了解两个官方博客及其之间的区别，也是为了对整个过程有一个概览。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/storage-classes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/storage-classes/<!-- reviewers: - jsafrane - saad-ali - thockin - msau42 title: Storage Classes api_metadata: - apiVersion: "storage.k8s.io/v1" kind: "StorageClass" content_type: concept weight: 40 --> <!-- overview --> <!-- This document describes the concept of a StorageClass in Kubernetes. Familiarity with [volumes](/docs/concepts/storage/volumes/) and [persistent volumes](/docs/concepts/storage/persistent-volumes) is suggested. --> <p>本文描述了 Kubernetes 中 StorageClass 的概念。 建议先熟悉<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes/">卷</a>和<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes">持久卷</a>的概念。</p> <!-- A StorageClass provides a way for administrators to describe the _classes_ of storage they offer. Different classes might map to quality-of-service levels, or to backup policies, or to arbitrary policies determined by the cluster administrators. Kubernetes itself is unopinionated about what classes represent. The Kubernetes concept of a storage class is similar to “profiles” in some other storage system designs. --> <p>StorageClass 为管理员提供了描述存储<strong>类</strong>的方法。 不同的类型可能会映射到不同的服务质量等级或备份策略，或是由集群管理员制定的任意策略。 Kubernetes 本身并不清楚各种类代表的什么。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/liveness-readiness-startup-probes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/liveness-readiness-startup-probes/<!-- title: Liveness, Readiness, and Startup Probes content_type: concept weight: 40 --> <!-- overview --> <!-- Kubernetes has various types of probes: - [Liveness probe](#liveness-probe) - [Readiness probe](#readiness-probe) - [Startup probe](#startup-probe) --> <p>Kubernetes 提供了多种探针：</p> <ul> <li><a href="#liveness-probe">存活探针</a></li> <li><a href="#readiness-probe">就绪探针</a></li> <li><a href="#startup-probe">启动探针</a></li> </ul> <!-- body --> <!-- ## Liveness probe Liveness probes determine when to restart a container. For example, liveness probes could catch a deadlock when an application is running, but unable to make progress. --> <h2 id="liveness-probe">存活探针</h2> <p>存活探针决定何时重启容器。 例如，当应用在运行但无法取得进展时，存活探针可以捕获这类死锁。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-application/debug-init-containers/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-application/debug-init-containers/<!-- reviewers: - bprashanth - enisoc - erictune - foxish - janetkuo - kow3ns - smarterclayton title: Debug Init Containers content_type: task weight: 40 --> <!-- overview --> <!-- This page shows how to investigate problems related to the execution of Init Containers. The example command lines below refer to the Pod as `<pod-name>` and the Init Containers as `<init-container-1>` and `<init-container-2>`. --> <p>此页显示如何核查与 Init 容器执行相关的问题。 下面的示例命令行将 Pod 称为 <code>&lt;pod-name&gt;</code>，而 Init 容器称为 <code>&lt;init-container-1&gt;</code> 和 <code>&lt;init-container-2&gt;</code>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/management/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/management/<!-- title: Managing Workloads content_type: concept reviewers: - janetkuo weight: 40 --> <!-- overview --> <!-- You've deployed your application and exposed it via a Service. Now what? Kubernetes provides a number of tools to help you manage your application deployment, including scaling and updating. --> <p>你已经部署了你的应用并且通过 Service 将其暴露出来。现在要做什么？ Kubernetes 提供了一系列的工具帮助你管理应用的部署，包括扩缩和更新。</p> <!-- body --> <!-- ## Organizing resource configurations --> <h2 id="组织资源配置">组织资源配置</h2> <!-- Many applications require multiple resources to be created, such as a Deployment along with a Service. Management of multiple resources can be simplified by grouping them together in the same file (separated by `---` in YAML). For example: --> <p>一些应用需要创建多个资源，例如 Deployment 和 Service。 将多个资源归入同一个文件（在 YAML 中使用 <code>---</code> 分隔）可以简化对多个资源的管理。例如：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/policy/pid-limiting/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/policy/pid-limiting/<!-- reviewers: - derekwaynecarr title: Process ID Limits And Reservations content_type: concept weight: 40 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.20 [stable]</code> </div> <!-- Kubernetes allow you to limit the number of process IDs (PIDs) that a <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> can use. You can also reserve a number of allocatable PIDs for each <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='node'>node</a> for use by the operating system and daemons (rather than by Pods). --> <p>Kubernetes 允许你限制一个 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 中可以使用的进程 ID（PID）数目。 你也可以为每个<a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='节点'>节点</a>预留一定数量的可分配的 PID， 供操作系统和守护进程（而非 Pod）使用。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volume-attributes-classes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volume-attributes-classes/<!-- reviewers: - msau42 - xing-yang title: Volume Attributes Classes content_type: concept weight: 40 --> <!-- overview --> <div class="feature-state-notice feature-stable" title="特性门控： VolumeAttributesClass"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.34 [stable]</code>（默认启用）</div> <!-- This page assumes that you are familiar with [StorageClasses](/docs/concepts/storage/storage-classes/), [volumes](/docs/concepts/storage/volumes/) and [PersistentVolumes](/docs/concepts/storage/persistent-volumes/) in Kubernetes. --> <p>本页假设你已经熟悉 Kubernetes 中的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/storage-classes/">StorageClass</a>、 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes/">Volume</a> 和 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/">PersistentVolume</a>。</p> <!-- body --> <!-- A VolumeAttributesClass provides a way for administrators to describe the mutable "classes" of storage they offer. Different classes might map to different quality-of-service levels. Kubernetes itself is un-opinionated about what these classes represent. This feature is generally available (GA) as of version 1.34, and users have the option to disable it. --> <p>卷属性类（VolumeAttributesClass）为管理员提供了一种描述可变更的存储“类”的方法。 不同的类可以映射到不同的服务质量级别。Kubernetes 本身不关注这些类代表什么。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/troubleshooting-cni-plugin-related-errors/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/troubleshooting-cni-plugin-related-errors/<!-- title: Troubleshooting CNI plugin-related errors content_type: task reviewers: - mikebrow - divya-mohan0209 weight: 40 --> <!-- overview --> <!-- To avoid CNI plugin-related errors, verify that you are using or upgrading to a container runtime that has been tested to work correctly with your version of Kubernetes. --> <p>为了避免 CNI 插件相关的错误，需要验证你正在使用或升级到的容器运行时经过测试能够在你的 Kubernetes 版本上正常工作。</p> <!-- ## About the "Incompatible CNI versions" and "Failed to destroy network for sandbox" errors --> <h2 id="about-the-incompatible-cni-versions-and-failed-to-destroy-network-for-sandbox-errors">关于 &quot;Incompatible CNI versions&quot; 和 &quot;Failed to destroy network for sandbox&quot; 错误</h2> <!-- Service issues exist for pod CNI network setup and tear down in containerd v1.6.0-v1.6.3 when the CNI plugins have not been upgraded and/or the CNI config version is not declared in the CNI config files. The containerd team reports, "these issues are resolved in containerd v1.6.4." With containerd v1.6.0-v1.6.3, if you do not upgrade the CNI plugins and/or declare the CNI config version, you might encounter the following "Incompatible CNI versions" or "Failed to destroy network for sandbox" error conditions. --> <p>在 containerd v1.6.0 到 v1.6.3 中，当配置或清除 Pod CNI 网络时，如果 CNI 插件没有升级和/或 CNI 配置文件中没有声明 CNI 配置版本，会出现服务问题。containerd 团队报告说： “这些问题在 containerd v1.6.4 中得到了解决。”</p>https://andygol-k8s.netlify.app/zh-cn/docs/setup/best-practices/enforcing-pod-security-standards/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/setup/best-practices/enforcing-pod-security-standards/<!-- reviewers: - tallclair - liggitt title: Enforcing Pod Security Standards weight: 40 --> <!-- overview --> <!-- This page provides an overview of best practices when it comes to enforcing [Pod Security Standards](/docs/concepts/security/pod-security-standards). --> <p>本页提供实施 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-standards">Pod 安全标准（Pod Security Standards）</a> 时的一些最佳实践。</p> <!-- body --> <!-- ## Using the built-in Pod Security Admission Controller --> <h2 id="使用内置的-pod-安全性准入控制器">使用内置的 Pod 安全性准入控制器</h2> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.25 [stable]</code> </div> <!-- The [Pod Security Admission Controller](/docs/reference/access-authn-authz/admission-controllers/#podsecurity) intends to replace the deprecated PodSecurityPolicies. --> <p><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/admission-controllers/#podsecurity">Pod 安全性准入控制器</a> 尝试替换已被废弃的 PodSecurityPolicies。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/containers/container-lifecycle-hooks/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/containers/container-lifecycle-hooks/<!-- reviewers: - mikedanese - thockin title: Container Lifecycle Hooks content_type: concept weight: 40 --> <!-- overview --> <!-- This page describes how kubelet managed Containers can use the Container lifecycle hook framework to run code triggered by events during their management lifecycle. --> <p>这个页面描述了 kubelet 管理的容器如何使用容器生命周期回调框架， 藉由其管理生命周期中的事件触发，运行指定代码。</p> <!-- body --> <!-- ## Overview Analogous to many programming language frameworks that have component lifecycle hooks, such as Angular, Kubernetes provides Containers with lifecycle hooks. The hooks enable Containers to be aware of events in their management lifecycle and run code implemented in a handler when the corresponding lifecycle hook is executed. --> <h2 id="overview">概述</h2> <p>类似于许多具有生命周期回调组件的编程语言框架，例如 Angular、Kubernetes 为容器提供了生命周期回调。 回调使容器能够了解其管理生命周期中的事件，并在执行相应的生命周期回调时运行在处理程序中实现的代码。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/upgrading-linux-nodes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/upgrading-linux-nodes/<!-- title: Upgrading Linux nodes content_type: task weight: 40 --> <!-- overview --> <!-- This page explains how to upgrade a Linux Worker Nodes created with kubeadm. --> <p>本页讲述了如何升级用 kubeadm 创建的 Linux 工作节点。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have shell access to all the nodes, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. --> <p>你必须有 Shell 能访问所有节点，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubernetes/http-proxy-access-api/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubernetes/http-proxy-access-api/<!-- --- title: Use an HTTP Proxy to Access the Kubernetes API content_type: task weight: 40 --- --> <!-- overview --> <!-- This page shows how to use an HTTP proxy to access the Kubernetes API. --> <p>本文说明如何使用 HTTP 代理访问 Kubernetes API。</p> <h2 id="准备开始">准备开始</h2> <ul> <li><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/network-policy-provider/kube-router-network-policy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/network-policy-provider/kube-router-network-policy/<!-- reviewers: - murali-reddy title: Use Kube-router for NetworkPolicy content_type: task weight: 40 --> <!-- overview --> <!-- This page shows how to use [Kube-router](https://github.com/cloudnativelabs/kube-router) for NetworkPolicy. --> <p>本页展示如何使用 <a href="https://github.com/cloudnativelabs/kube-router">Kube-router</a> 提供 NetworkPolicy。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster running. If you do not already have a cluster, you can create one by using any of the cluster installers like Kops, Bootkube, Kubeadm etc. --> <p>你需要拥有一个运行中的 Kubernetes 集群。如果你还没有集群，可以使用任意的集群 安装程序如 Kops、Bootkube、Kubeadm 等创建一个。</p>https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/control-plane-flags/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/control-plane-flags/<!-- reviewers: - sig-cluster-lifecycle title: Customizing components with the kubeadm API content_type: concept weight: 40 --> <!-- overview --> <!-- This page covers how to customize the components that kubeadm deploys. For control plane components you can use flags in the `ClusterConfiguration` structure or patches per-node. For the kubelet and kube-proxy you can use `KubeletConfiguration` and `KubeProxyConfiguration`, accordingly. All of these options are possible via the kubeadm configuration API. For more details on each field in the configuration you can navigate to our [API reference pages](/docs/reference/config-api/kubeadm-config.v1beta4/). --> <p>本页面介绍了如何自定义 kubeadm 部署的组件。 你可以使用 <code>ClusterConfiguration</code> 结构中定义的参数，或者在每个节点上应用补丁来定制控制平面组件。 你可以使用 <code>KubeletConfiguration</code> 和 <code>KubeProxyConfiguration</code> 结构分别定制 kubelet 和 kube-proxy 组件。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/security/seccomp/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/security/seccomp/<!-- reviewers: - hasheddan - pjbgf - saschagrunert title: Restrict a Container's Syscalls with seccomp content_type: tutorial weight: 40 min-kubernetes-server-version: v1.22 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.19 [stable]</code> </div> <!-- Seccomp stands for secure computing mode and has been a feature of the Linux kernel since version 2.6.12. It can be used to sandbox the privileges of a process, restricting the calls it is able to make from userspace into the kernel. Kubernetes lets you automatically apply seccomp profiles loaded onto a <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='node'>node</a> to your Pods and containers. Identifying the privileges required for your workloads can be difficult. In this tutorial, you will go through how to load seccomp profiles into a local Kubernetes cluster, how to apply them to a Pod, and how you can begin to craft profiles that give only the necessary privileges to your container processes. --> <p>Seccomp 代表安全计算（Secure Computing）模式，自 2.6.12 版本以来，一直是 Linux 内核的一个特性。 它可以用来沙箱化进程的权限，限制进程从用户态到内核态的调用。 Kubernetes 能使你自动将加载到<a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='节点'>节点</a>上的 seccomp 配置文件应用到你的 Pod 和容器。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/configuration/pod-sidecar-containers/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/configuration/pod-sidecar-containers/<!-- title: Adopting Sidecar Containers content_type: tutorial weight: 40 min-kubernetes-server-version: 1.29 --> <!-- overview --> <!-- This section is relevant for people adopting a new built-in [sidecar containers](/docs/concepts/workloads/pods/sidecar-containers/) feature for their workloads. Sidecar container is not a new concept as posted in the [blog post](/blog/2015/06/the-distributed-system-toolkit-patterns/). Kubernetes allows running multiple containers in a Pod to implement this concept. However, running a sidecar container as a regular container has a lot of limitations being fixed with the new built-in sidecar containers support. --> <p>本文适用于使用新的内置<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/sidecar-containers/">边车容器</a>特性的用户。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/port-forward-access-application-cluster/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/port-forward-access-application-cluster/<!-- title: Use Port Forwarding to Access Applications in a Cluster content_type: task weight: 40 min-kubernetes-server-version: v1.10 --> <!-- overview --> <!-- This page shows how to use `kubectl port-forward` to connect to a MongoDB server running in a Kubernetes cluster. This type of connection can be useful for database debugging. --> <p>本文展示如何使用 <code>kubectl port-forward</code> 连接到在 Kubernetes 集群中运行的 MongoDB 服务。 这种类型的连接对数据库调试很有用。</p> <h2 id="准备开始">准备开始</h2> <ul> <li><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-config/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-kubernetes-objects/imperative-config/<!-- title: Imperative Management of Kubernetes Objects Using Configuration Files content_type: task weight: 40 --> <!-- overview --> <!-- Kubernetes objects can be created, updated, and deleted by using the `kubectl` command-line tool along with an object configuration file written in YAML or JSON. This document explains how to define and manage objects using configuration files. --> <p>可以使用 <code>kubectl</code> 命令行工具以及用 YAML 或 JSON 编写的对象配置文件来创建、更新和删除 Kubernetes 对象。 本文档说明了如何使用配置文件定义和管理对象。</p> <h2 id="准备开始">准备开始</h2> <!-- Install [`kubectl`](/docs/tasks/tools/). --> <p>安装 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tools/"><code>kubectl</code></a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/services/source-ip/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/services/source-ip/<!-- title: Using Source IP content_type: tutorial min-kubernetes-server-version: v1.5 weight: 40 --> <!-- overview --> <!-- Applications running in a Kubernetes cluster find and communicate with each other, and the outside world, through the Service abstraction. This document explains what happens to the source IP of packets sent to different types of Services, and how you can toggle this behavior according to your needs. --> <p>运行在 Kubernetes 集群中的应用程序通过 Service 抽象发现彼此并相互通信，它们也用 Service 与外部世界通信。 本文解释了发送到不同类型 Service 的数据包的源 IP 会发生什么情况，以及如何根据需要切换此行为。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/inject-data-application/downward-api-volume-expose-pod-information/<!-- title: Expose Pod Information to Containers Through Files content_type: task weight: 40 --> <!-- overview --> <!-- This page shows how a Pod can use a [`downwardAPI` volume](/docs/concepts/storage/volumes/#downwardapi), to expose information about itself to containers running in the Pod. A `downwardAPI` volume can expose Pod fields and container fields. --> <p>此页面描述 Pod 如何使用 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes/#downwardapi"><code>downwardAPI</code> 卷</a> 把自己的信息呈现给 Pod 中运行的容器。 <code>downwardAPI</code> 卷可以呈现 Pod 和容器的字段。</p> <!-- In Kubernetes, there are two ways to expose Pod and container fields to a running container: * [Environment variables](/docs/tasks/inject-data-application/environment-variable-expose-pod-information/) * Volume files, as explained in this task Together, these two ways of exposing Pod and container fields are called the _downward API_. --> <p>在 Kubernetes 中，有两种方式可以将 Pod 和容器字段呈现给运行中的容器：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/manage-resources-containers/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/manage-resources-containers/<!-- title: Resource Management for Pods and Containers content_type: concept weight: 40 feature: title: Automatic bin packing description: > Automatically places containers based on their resource requirements and other constraints, while not sacrificing availability. Mix critical and best-effort workloads in order to drive up utilization and save even more resources. --> <!-- overview --> <!-- When you specify a <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a>, you can optionally specify how much of each resource a <a class='glossary-tooltip' title='容器是可移植、可执行的轻量级的镜像，镜像中包含软件及其相关依赖。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/containers/' target='_blank' aria-label='container'>container</a> needs. The most common resources to specify are CPU and memory (RAM); there are others. --> <p>当你定义 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 时可以选择性地为每个<a class='glossary-tooltip' title='容器是可移植、可执行的轻量级的镜像，镜像中包含软件及其相关依赖。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/containers/' target='_blank' aria-label='容器'>容器</a>设定所需要的资源数量。 最常见的可设定资源是 CPU 和内存（RAM）大小；此外还有其他类型的资源。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-runasusername/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-runasusername/<!-- title: Configure RunAsUserName for Windows pods and containers content_type: task weight: 40 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.18 [stable]</code> </div> <!-- This page shows how to use the `runAsUserName` setting for Pods and containers that will run on Windows nodes. This is roughly equivalent of the Linux-specific `runAsUser` setting, allowing you to run applications in a container as a different username than the default. --> <p>本页展示如何为运行为在 Windows 节点上运行的 Pod 和容器配置 <code>RunAsUserName</code>。 大致相当于 Linux 上的 <code>runAsUser</code>，允许在容器中以与默认值不同的用户名运行应用。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/manage-resources/cpu-constraint-namespace/<!-- title: Configure Minimum and Maximum CPU Constraints for a Namespace content_type: task weight: 40 description: >- Define a range of valid CPU resource limits for a namespace, so that every new Pod in that namespace falls within the range you configure. --> <!-- overview --> <!-- This page shows how to set minimum and maximum values for the CPU resources used by containers and Pods in a <a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='namespace'>namespace</a>. You specify minimum and maximum CPU values in a [LimitRange](/docs/reference/kubernetes-api/policy-resources/limit-range-v1/) object. If a Pod does not meet the constraints imposed by the LimitRange, it cannot be created in the namespace. --> <p>本页介绍如何为<a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='命名空间'>命名空间</a>中的容器和 Pod 设置其所使用的 CPU 资源的最小和最大值。你可以通过 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/limit-range-v1/">LimitRange</a> 对象声明 CPU 的最小和最大值. 如果 Pod 不能满足 LimitRange 的限制，就无法在该命名空间中被创建。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/style-guide/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/style-guide/<!-- title: Documentation Style Guide linktitle: Style guide content_type: concept weight: 40 math: true --> <!-- overview --> <!-- This page gives writing style guidelines for the Kubernetes documentation. These are guidelines, not rules. Use your best judgment, and feel free to propose changes to this document in a pull request. For additional information on creating new content for the Kubernetes documentation, read the [Documentation Content Guide](/docs/contribute/style/content-guide/). Changes to the style guide are made by SIG Docs as a group. To propose a change or addition, [add it to the agenda](https://bit.ly/sig-docs-agenda) for an upcoming SIG Docs meeting, and attend the meeting to participate in the discussion. --> <p>本页讨论 Kubernetes 文档的样式指南。 这些仅仅是指南而不是规则。 你可以自行决定，且欢迎使用 PR 来为此文档提供修改意见。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/node-labels/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/node-labels/<!-- content_type: "reference" title: Node Labels Populated By The Kubelet weight: 40 --> <!-- Kubernetes <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='nodes'>nodes</a> come pre-populated with a standard set of <a class='glossary-tooltip' title='用来为对象设置可标识的属性标记；这些标记对用户而言是有意义且重要的。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/labels/' target='_blank' aria-label='labels'>labels</a>. You can also set your own labels on nodes, either through the kubelet configuration or using the Kubernetes API. --> <p>Kubernetes <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='节点'>节点</a>预先填充了一组标准 <a class='glossary-tooltip' title='用来为对象设置可标识的属性标记；这些标记对用户而言是有意义且重要的。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/labels/' target='_blank' aria-label='标签'>标签</a>。</p> <p>你还可以通过 kubelet 配置或使用 Kubernetes API 在节点上设置自己的标签。</p> <!-- ## Preset labels The preset labels that Kubernetes sets on nodes are: --> <h2 id="preset-labels">预设标签</h2> <p>Kubernetes 在节点上设置的预设标签有：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/cloud-controller/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/cloud-controller/<!-- title: Cloud Controller Manager content_type: concept weight: 40 --> <!-- overview --> <div class="feature-state-notice feature-beta"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.11 [beta]</code> </div> <!-- Cloud infrastructure technologies let you run Kubernetes on public, private, and hybrid clouds. Kubernetes believes in automated, API-driven infrastructure without tight coupling between components. --> <p>使用云基础设施技术，你可以在公有云、私有云或者混合云环境中运行 Kubernetes。 Kubernetes 的信条是基于自动化的、API 驱动的基础设施，同时避免组件间紧密耦合。</p> <!-- title: Cloud Controller Manager id: cloud-controller-manager full_link: /docs/concepts/architecture/cloud-controller/ short_description: > Control plane component that integrates Kubernetes with third-party cloud providers. aka: tags: - architecture - operation --> <!-- A Kubernetes <a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='control plane'>control plane</a> component that embeds cloud-specific control logic. The cloud controller manager lets you link your cluster into your cloud provider's API, and separates out the components that interact with that cloud platform from components that only interact with your cluster. --> <p><p>组件 cloud-controller-manager 是指云控制器管理器， 一个 Kubernetes <a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='控制平面'>控制平面</a>组件， 嵌入了特定于云平台的控制逻辑。 云控制器管理器（Cloud Controller Manager）允许将你的集群连接到云提供商的 API 之上， 并将与该云平台交互的组件同与你的集群交互的组件分离开来。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/stateful-application/zookeeper/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/stateful-application/zookeeper/<!-- reviewers: - bprashanth - enisoc - erictune - foxish - janetkuo - kow3ns - smarterclayton title: Running ZooKeeper, A Distributed System Coordinator content_type: tutorial weight: 40 --> <!-- overview --> <!-- This tutorial demonstrates running [Apache Zookeeper](https://zookeeper.apache.org) on Kubernetes using [StatefulSets](/docs/concepts/workloads/controllers/statefulset/), [PodDisruptionBudgets](/docs/concepts/workloads/pods/disruptions/#pod-disruption-budget), and [PodAntiAffinity](/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). --> <p>本教程展示了在 Kubernetes 上使用 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/">StatefulSet</a>、 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/disruptions/#pod-disruption-budget">PodDisruptionBudget</a> 和 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity">PodAntiAffinity</a> 特性运行 <a href="https://zookeeper.apache.org">Apache Zookeeper</a>。</p> <h2 id="准备开始">准备开始</h2> <!-- Before starting this tutorial, you should be familiar with the following Kubernetes concepts. --> <p>在开始本教程前，你应该熟悉以下 Kubernetes 概念。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/admission-controllers/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/admission-controllers/<!-- reviewers: - lavalamp - davidopp - derekwaynecarr - erictune - janetkuo - thockin title: Admission Control in Kubernetes linkTitle: Admission Control content_type: concept weight: 40 --> <!-- overview --> <!-- This page provides an overview of _admission controllers_. --> <p>此页面提供<strong>准入控制器（Admission Controller）</strong> 的概述。</p> <!-- An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the resource, but after the request is authenticated and authorized. Several important features of Kubernetes require an admission controller to be enabled in order to properly support the feature. As a result, a Kubernetes API server that is not properly configured with the right set of admission controllers is an incomplete server that will not support all the features you expect. --> <p>准入控制器是一段代码，它会在请求通过认证和鉴权之后、对象被持久化之前拦截到达 API 服务器的请求。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/upgrading-windows-nodes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/upgrading-windows-nodes/<!-- title: Upgrading Windows nodes min-kubernetes-server-version: 1.17 content_type: task weight: 41 --> <!-- overview --> <div class="feature-state-notice feature-beta"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.18 [beta]</code> </div> <!-- This page explains how to upgrade a Windows node created with kubeadm. --> <p>本页解释如何升级用 kubeadm 创建的 Windows 节点。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have shell access to all the nodes, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. --> <p>你必须有 Shell 能访问所有节点，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/kubelet-files/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/kubelet-files/<!-- content_type: "reference" title: Local Files And Paths Used By The Kubelet weight: 42 --> <!-- The <a class='glossary-tooltip' title='一个在集群中每个节点上运行的代理。它保证容器都运行在 Pod 中。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet' target='_blank' aria-label='kubelet'>kubelet</a> is mostly a stateless process running on a Kubernetes <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='node'>node</a>. This document outlines files that kubelet reads and writes. --> <p><a class='glossary-tooltip' title='一个在集群中每个节点上运行的代理。它保证容器都运行在 Pod 中。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet' target='_blank' aria-label='kubelet'>kubelet</a> 是一个运行在 Kubernetes <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='节点'>节点</a>上的无状态进程。本文简要介绍了 kubelet 读写的文件。</p> <div class="alert alert-info" role="note"><h4 class="alert-heading">说明：</h4><!-- This document is for informational purpose and not describing any guaranteed behaviors or APIs. It lists resources used by the kubelet, which is an implementation detail and a subject to change at any release. --> <p>本文仅供参考，而非描述保证会发生的行为或 API。 本文档列举 kubelet 所使用的资源。所给的信息属于实现细节，可能会在后续版本中发生变更。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubernetes/socks5-proxy-access-api/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubernetes/socks5-proxy-access-api/<!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.24 [stable]</code> </div> <!-- This page shows how to use a SOCKS5 proxy to access the API of a remote Kubernetes cluster. This is useful when the cluster you want to access does not expose its API directly on the public internet. --> <p>本文展示了如何使用 SOCKS5 代理访问远程 Kubernetes 集群的 API。 当你要访问的集群不直接在公共 Internet 上公开其 API 时，这很有用。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/extensible-admission-controllers/<!-- reviewers: - smarterclayton - lavalamp - caesarxuchao - deads2k - liggitt - jpbetz title: Dynamic Admission Control content_type: concept weight: 45 --> <!-- overview --> <!-- In addition to [compiled-in admission plugins](/docs/reference/access-authn-authz/admission-controllers/), admission plugins can be developed as extensions and run as webhooks configured at runtime. This page describes how to build, configure, use, and monitor admission webhooks. --> <p>除了<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/admission-controllers/">内置的 admission 插件</a>， 准入插件可以作为扩展独立开发，并以运行时所配置的 Webhook 的形式运行。 此页面描述了如何构建、配置、使用和监视准入 Webhook。</p> <!-- body --> <!-- ## What are admission webhooks? --> <h2 id="what-are-admission-webhooks">什么是准入 Webhook？</h2> <!-- Admission webhooks are HTTP callbacks that receive admission requests and do something with them. You can define two types of admission webhooks, [validating admission webhook](/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) and [mutating admission webhook](/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook). Mutating admission webhooks are invoked first, and can modify objects sent to the API server to enforce custom defaults. --> <p>准入 Webhook 是一种用于接收准入请求并对其进行处理的 HTTP 回调机制。 可以定义两种类型的准入 Webhook， 即<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook">验证性质的准入 Webhook</a> 和<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/admission-controllers/#mutatingadmissionwebhook">变更性质的准入 Webhook</a>。 变更性质的准入 Webhook 会先被调用。它们可以修改发送到 API 服务器的对象以执行自定义的设置默认值操作。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/<!-- reviewers: - derekwaynecarr - mikedanese - thockin title: Namespaces api_metadata: - apiVersion: "v1" kind: "Namespace" content_type: concept weight: 45 --> <!-- overview --> <!-- In Kubernetes, _namespaces_ provide a mechanism for isolating groups of resources within a single cluster. Names of resources need to be unique within a namespace, but not across namespaces. Namespace-based scoping is applicable only for namespaced <a class='glossary-tooltip' title='Kubernetes 系统中的实体，代表了集群的部分状态。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/#kubernetes-objects' target='_blank' aria-label='objects'>objects</a> _(e.g. Deployments, Services, etc)_ and not for cluster-wide objects _(e.g. StorageClass, Nodes, PersistentVolumes, etc.)_. --> <p>在 Kubernetes 中，<strong>名字空间（Namespace）</strong> 提供一种机制，将同一集群中的资源划分为相互隔离的组。 同一名字空间内的资源名称要唯一，但跨名字空间时没有这个要求。 名字空间作用域仅针对带有名字空间的<a class='glossary-tooltip' title='Kubernetes 系统中的实体，代表了集群的部分状态。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/#kubernetes-objects' target='_blank' aria-label='对象'>对象</a>， （例如 Deployment、Service 等），这种作用域对集群范围的对象 （例如 StorageClass、Node、PersistentVolume 等）不适用。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/deprecation-guide/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/deprecation-guide/<!-- reviewers: - liggitt - lavalamp - thockin - smarterclayton title: "Deprecated API Migration Guide" weight: 45 content_type: reference --> <!-- overview --> <!-- As the Kubernetes API evolves, APIs are periodically reorganized or upgraded. When APIs evolve, the old API is deprecated and eventually removed. This page contains information you need to know when migrating from deprecated API versions to newer and more stable API versions. --> <p>随着 Kubernetes API 的演化，API 会周期性地被重组或升级。 当 API 演化时，老的 API 会被弃用并被最终删除。 本页面包含你在将已弃用 API 版本迁移到新的更稳定的 API 版本时需要了解的知识。</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/adform/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/adform/<div class="banner1 desktop" style="background-image: url('/images/case-studies/adform/banner1.jpg')"> <h1> CASE STUDY:<img src="https://andygol-k8s.netlify.app/images/adform_logo.png" style="width:15%;margin-bottom:0%" class="header_logo"><br> <div class="subhead">Improving Performance and Morale with Cloud Native </div></h1> </div> <div class="details"> Company &nbsp;<b>AdForm</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location &nbsp;<b>Copenhagen, Denmark</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Industry &nbsp;<b>Adtech</b> </div> <hr> <section class="section1"> <div class="cols"> <div class="col1"> <h2>Challenge</h2> <a href="https://site.adform.com/">Adform’s</a> mission is to provide a secure and transparent full stack of advertising technology to enable digital ads across devices. The company has a large infrastructure: <a href="https://www.openstack.org/">OpenStack</a>-based private clouds running on 1,100 physical servers in 7 data centers around the world, 3 of which were opened in the past year. With the company’s growth, the infrastructure team felt that "our private cloud was not really flexible enough," says IT System Engineer Edgaras Apšega. "The biggest pain point is that our developers need to maintain their virtual machines, so rolling out technology and new software takes time. We were really struggling with our releases, and we didn’t have self-healing infrastructure." <br> <h2>Solution</h2> The team, which had already been using <a href="https://prometheus.io/">Prometheus</a> for monitoring, embraced <a href="https://kubernetes.io/">Kubernetes</a> and cloud native practices in 2017. "To start our Kubernetes journey, we had to adapt all our software, so we had to choose newer frameworks," says Apšega. "We also adopted the microservices way, so observability is much better because you can inspect the bug or the services separately." </div> <div class="col2"> <h2>Impact</h2> "Kubernetes helps our business a lot because our features are coming to market faster," says Apšega. The release process went from several hours to several minutes. Autoscaling has been at least 6 times faster than the semi-manual VM bootstrapping and application deployment required before. The team estimates that the company has experienced cost savings of 4-5x due to less hardware and fewer man hours needed to set up the hardware and virtual machines, metrics, and logging. Utilization of the hardware resources has been reduced as well, with containers notching 2-3 times more efficiency over virtual machines. "The deployments are very easy because developers just push the code and it automatically appears on Kubernetes," says Apšega. Prometheus has also had a positive impact: "It provides high availability for metrics and alerting. We monitor everything starting from hardware to applications. Having all the metrics in <a href="https://grafana.com/">Grafana</a> dashboards provides great insight on your systems." </div> </div> </section> <div class="banner2"> <div class="banner2text"> "Kubernetes enabled the self-healing and immutable infrastructure. We can do faster releases, so our developers are really happy. They can ship our features faster than before, and that makes our clients happier."<span style="font-size:14px;letter-spacing:0.12em;padding-top:20px;text-transform:uppercase;line-height:14px"><br><br>— Edgaras Apšega, IT Systems Engineer, Adform</span> </div> </div> <section class="section2"> <div class="fullcol"> <h2>Adform made <a href="https://www.wsj.com/articles/fake-ad-operation-used-to-steal-from-publishers-is-uncovered-1511290981">headlines</a> last year when it detected the HyphBot ad fraud network that was costing some businesses hundreds of thousands of dollars a day.</h2>With its mission to provide a secure and transparent full stack of advertising technology to enable an open internet, Adform published a <a href="https://site.adform.com/media/85132/hyphbot_whitepaper_.pdf">white paper</a> revealing what it did—and others could too—to limit customers’ exposure to the scam. <br><br> In that same spirit, Adform is sharing its cloud native journey. "When you see that everyone shares their best practices, it inspires you to contribute back to the project," says IT Systems Engineer Edgaras Apšega.<br><br> The company has a large infrastructure: <a href="https://www.openstack.org/">OpenStack</a>-based private clouds running on 1,100 physical servers in their own seven data centers around the world, three of which were opened in the past year. With the company’s growth, the infrastructure team felt that "our private cloud was not really flexible enough," says Apšega. "The biggest pain point is that our developers need to maintain their virtual machines, so rolling out technology and new software really takes time. We were really struggling with our releases, and we didn’t have self-healing infrastructure." </div> </section> <div class="banner3" style="background-image: url('/images/case-studies/adform/banner3.jpg')"> <div class="banner3text"> "The fact that Cloud Native Computing Foundation incubated Kubernetes was a really big point for us because it was vendor neutral. And we can see that a community really gathers around it. Everyone shares their experiences, their knowledge, and the fact that it’s open source, you can contribute."<span style="font-size:14px;letter-spacing:0.12em;padding-top:20px;text-transform:uppercase;line-height:14px"><br><br>— Edgaras Apšega, IT Systems Engineer, Adform</span> </div> </div> <section class="section3"> <div class="fullcol"> The team, which had already been using Prometheus for monitoring, embraced Kubernetes, microservices, and cloud native practices. "The fact that Cloud Native Computing Foundation incubated Kubernetes was a really big point for us because it was vendor neutral," says Apšega. "And we can see that a community really gathers around it."<br><br> A proof of concept project was started, with a Kubernetes cluster running on bare metal in the data center. When developers saw how quickly containers could be spun up compared to the virtual machine process, "they wanted to ship their containers in production right away, and we were still doing proof of concept," says IT Systems Engineer Andrius Cibulskis. Of course, a lot of work still had to be done. "First of all, we had to learn Kubernetes, see all of the moving parts, how they glue together," says Apšega. "Second of all, the whole CI/CD part had to be redone, and our DevOps team had to invest more man hours to implement it. And third is that developers had to rewrite the code, and they’re still doing it." <br><br> The first production cluster was launched in the spring of 2018, and is now up to 20 physical machines dedicated for pods throughout three data centers, with plans for separate clusters in the other four data centers. The user-facing Adform application platform, data distribution platform, and back ends are now all running on Kubernetes. "Many APIs for critical applications are being developed for Kubernetes," says Apšega. "Teams are rewriting their applications to .NET core, because it supports containers, and preparing to move to Kubernetes. And new applications, by default, go in containers." </div> </section> <div class="banner4" style="background-image: url('/images/case-studies/adform/banner4.jpg')"> <div class="banner4text"> "Releases are really nice for them, because they just push their code to Git and that’s it. They don’t have to worry about their virtual machines anymore." <span style="font-size:14px;letter-spacing:0.12em;padding-top:20px;text-transform:uppercase;line-height:14px"><br><br>— Andrius Cibulskis, IT Systems Engineer, Adform</span> </div> </div> <section class="section5"> <div class="fullcol"> This big push has been driven by the real impact that these new practices have had. "Kubernetes helps our business a lot because our features are coming to market faster," says Apšega. "The deployments are very easy because developers just push the code and it automatically appears on Kubernetes." The release process went from several hours to several minutes. Autoscaling is at least six times faster than the semi-manual VM bootstrapping and application deployment required before. <br><br> The team estimates that the company has experienced cost savings of 4-5x due to less hardware and fewer man hours needed to set up the hardware and virtual machines, metrics, and logging. Utilization of the hardware resources has been reduced as well, with containers notching two to three times more efficiency over virtual machines. <br><br> Prometheus has also had a positive impact: "It provides high availability for metrics and alerting," says Apšega. "We monitor everything starting from hardware to applications. Having all the metrics in Grafana dashboards provides great insight on our systems." </div> <div class="banner5"> <div class="banner5text"> "I think that our company just started our cloud native journey. It seems like a huge road ahead, but we’re really happy that we joined it." <span style="font-size:14px;letter-spacing:0.12em;padding-top:20px;text-transform:uppercase;line-height:14px"><br><br>— Edgaras Apšega, IT Systems Engineer, Adform</span> </div> </div> <div class="fullcol"> All of these benefits have trickled down to individual team members, whose working lives have been changed for the better. "They used to have to get up at night to re-start some services, and now Kubernetes handles all of that," says Apšega. Adds Cibulskis: "Releases are really nice for them, because they just push their code to Git and that’s it. They don’t have to worry about their virtual machines anymore." Even the security teams have been impacted. "Security teams are always not happy," says Apšega, "and now they’re happy because they can easily inspect the containers." The company plans to remain in the data centers for now, "mostly because we want to keep all the data, to not share it in any way," says Cibulskis, "and it’s cheaper at our scale." But, Apšega says, the possibility of using a hybrid cloud for computing is intriguing: "One of the projects we’re interested in is the <a href="https://github.com/virtual-kubelet/virtual-kubelet">Virtual Kubelet</a> that lets you spin up the working nodes on different clouds to do some computing." <br><br> Apšega, Cibulskis and their colleagues are keeping tabs on how the cloud native ecosystem develops, and are excited to contribute where they can. "I think that our company just started our cloud native journey," says Apšega. "It seems like a huge road ahead, but we’re really happy that we joined it." </div> </section>https://andygol-k8s.netlify.app/zh-cn/case-studies/ygrene/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/ygrene/<!-- title: Ygrene Case Study linkTitle: Ygrene case_study_styles: true cid: caseStudies logo: ygrene_featured_logo.png featured: true weight: 48 quote: > We had to change some practices and code, and the way things were built, but we were able to get our main systems onto Kubernetes in a month or so, and then into production within two months. That's very fast for a finance company. new_case_study_styles: true heading_background: /images/case-studies/ygrene/banner1.jpg heading_title_logo: /images/ygrene_logo.png subheading: > Ygrene: Using Cloud Native to Bring Security and Scalability to the Finance Industry case_study_details: - Company: Ygrene - Location: Petaluma, Calif. - Industry: Clean energy financing --> <!-- <h2>Challenges</h2> --> <h2>挑战</h2> <!-- <p>A PACE (Property Assessed Clean Energy) financing company, Ygrene has funded more than $1 billion in loans since 2010. In order to approve and process those loans, "We have lots of data sources that are being aggregated, and we also have lots of systems that need to churn on that data," says Ygrene Development Manager Austin Adams. The company was utilizing massive servers, and "we just reached the limit of being able to scale them vertically. We had a really unstable system that became overwhelmed with requests just for doing background data processing in real time. The performance the users saw was very poor. We needed a solution that wouldn't require us to make huge refactors to the code base." As a finance company, Ygrene also needed to ensure that they were shipping their applications securely.</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/slingtv/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/slingtv/<h2>Challenge</h2> <p>Launched by DISH Network in 2015, Sling TV experienced great customer growth from the beginning. After just a year, "we were going through some growing pains of some of the legacy systems and trying to find the right architecture to enable our future," says Brad Linder, Sling TV's Cloud Native & Big Data Evangelist. The company has particular challenges: "We take live TV and distribute it over the internet out to a user's device that we do not control," says Linder. "In a lot of ways, we are working in the Wild West: The internet is what it is going to be, and if a customer's service does not work for whatever reason, they do not care why. They just want things to work. Those are the variables of the equation that we have to try to solve. We really have to try to enable optionality and good customer experience at web scale."</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/instrumentation/cri-pod-container-metrics/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/instrumentation/cri-pod-container-metrics/<!-- title: CRI Pod & Container Metrics content_type: reference weight: 50 description: >- Collection of Pod & Container metrics via the CRI. --> <!-- overview --> <div class="feature-state-notice feature-alpha"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.23 [alpha]</code> </div> <!-- The [kubelet](/docs/reference/command-line-tools-reference/kubelet/) collects pod and container metrics via [cAdvisor](https://github.com/google/cadvisor). As an alpha feature, Kubernetes lets you configure the collection of pod and container metrics via the <a class='glossary-tooltip' title='在 kubelet 和本地容器运行时之间通讯的协议' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/cri' target='_blank' aria-label='Container Runtime Interface'>Container Runtime Interface</a> (CRI). You must enable the `PodAndContainerStatsFromCRI` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) and use a compatible CRI implementation (containerd >= 1.6.0, CRI-O >= 1.23.0) to use the CRI based collection mechanism. --> <p><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet/">kubelet</a> 通过 <a href="https://github.com/google/cadvisor">cAdvisor</a> 收集 Pod 和容器指标。作为一个 Alpha 特性， Kubernetes 允许你通过<a class='glossary-tooltip' title='在 kubelet 和本地容器运行时之间通讯的协议' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/cri' target='_blank' aria-label='容器运行时接口'>容器运行时接口</a>（CRI） 配置收集 Pod 和容器指标。要使用基于 CRI 的收集机制，你必须启用 <code>PodAndContainerStatsFromCRI</code> <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/feature-gates/">特性门控</a> 并使用兼容的 CRI 实现（containerd &gt;= 1.6.0, CRI-O &gt;= 1.23.0）。</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/ing/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/ing/<h2>Challenge</h2> <p>After undergoing an agile transformation, <a href="https://www.ing.com/">ING</a> realized it needed a standardized platform to support the work their developers were doing. "Our DevOps teams got empowered to be autonomous," says Infrastructure Architect Thijs Ebbers. "It has benefits; you get all kinds of ideas. But a lot of teams are going to devise the same wheel. Teams started tinkering with <a href="https://www.docker.com/">Docker</a>, Docker Swarm, <a href="https://kubernetes.io/">Kubernetes</a>, <a href="https://mesosphere.com/">Mesos</a>. Well, it's not really useful for a company to have one hundred wheels, instead of one good wheel.</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/ingress-controllers/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/ingress-controllers/<!-- title: Ingress Controllers description: >- In order for an [Ingress](/docs/concepts/services-networking/ingress/) to work in your cluster, there must be an _ingress controller_ running. You need to select at least one ingress controller and make sure it is set up in your cluster. This page lists common ingress controllers that you can deploy. content_type: concept weight: 50 --> <div class="alert alert-info" role="note"><h4 class="alert-heading">说明：</h4><!-- The Kubernetes project recommends using [Gateway](https://gateway-api.sigs.k8s.io/) instead of [Ingress](/docs/concepts/services-networking/ingress/). The Ingress API has been frozen. --> <p>Kubernetes 项目推荐使用 <a href="https://gateway-api.sigs.k8s.io/">Gateway</a> 而不是 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/ingress/">Ingress</a>。 Ingress API 已经被冻结。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/job/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/job/<!-- reviewers: - erictune - mimowo - soltysh title: Jobs content_type: concept description: >- Jobs represent one-off tasks that run to completion and then stop. feature: title: Batch execution description: > In addition to services, Kubernetes can manage your batch and CI workloads, replacing containers that fail, if desired. weight: 50 hide_summary: true # Listed separately in section index --> <!-- overview --> <!-- A Job creates one or more Pods and will continue to retry execution of the Pods until a specified number of them successfully terminate. As pods successfully complete, the Job tracks the successful completions. When a specified number of successful completions is reached, the task (ie, Job) is complete. Deleting a Job will clean up the Pods it created. Suspending a Job will delete its active Pods until the Job is resumed again. --> <p>Job 会创建一个或者多个 Pod，并将继续重试 Pod 的执行，直到指定数量的 Pod 成功终止。 随着 Pod 成功结束，Job 跟踪记录成功完成的 Pod 个数。 当数量达到指定的成功个数阈值时，任务（即 Job）结束。 删除 Job 的操作会清除所创建的全部 Pod。 挂起 Job 的操作会删除 Job 的所有活跃 Pod，直到 Job 被再次恢复执行。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-config/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-config/<!-- reviewers: - luxas - jbeda title: kubeadm config content_type: concept weight: 50 --> <!-- overview --> <!-- During `kubeadm init`, kubeadm uploads the `ClusterConfiguration` object to your cluster in a ConfigMap called `kubeadm-config` in the `kube-system` namespace. This configuration is then read during `kubeadm join`, `kubeadm reset` and `kubeadm upgrade`. --> <p>在 <code>kubeadm init</code> 执行期间，kubeadm 将 <code>ClusterConfiguration</code> 对象上传 到你的集群的 <code>kube-system</code> 名字空间下名为 <code>kubeadm-config</code> 的 ConfigMap 对象中。 然后在 <code>kubeadm join</code>、<code>kubeadm reset</code> 和 <code>kubeadm upgrade</code> 执行期间读取此配置。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/kubelet-config-directory-merging/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/kubelet-config-directory-merging/<!-- content_type: "reference" title: Kubelet Configuration Directory Merging weight: 50 --> <!-- When using the kubelet's `--config-dir` flag to specify a drop-in directory for configuration, there is some specific behavior on how different types are merged. Here are some examples of how different data types behave during configuration merging: --> <p>当使用 kubelet 的 <code>--config-dir</code> 标志来指定存放配置的目录时，不同类型的配置会有一些特定的行为。</p> <p>以下是在配置合并过程中不同数据类型的一些行为示例：</p> <!-- ### Structure Fields There are two types of structure fields in a YAML structure: singular (or a scalar type) and embedded (structures that contain scalar types). The configuration merging process handles the overriding of singular and embedded struct fields to create a resulting kubelet configuration. --> <h3 id="structure-fields">结构字段</h3> <p>在 YAML 结构中有两种结构字段：独立（标量类型）和嵌入式（此结构包含标量类型）。 配置合并过程将处理独立构造字段和嵌入式构造字段的重载，以创建最终的 kubelet 配置。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/device-plugin-api-versions/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/device-plugin-api-versions/<!-- content_type: "reference" title: Kubelet Device Manager API Versions weight: 50 --> <!-- This page provides details of version compatibility between the Kubernetes [device plugin API](https://github.com/kubernetes/kubelet/tree/master/pkg/apis/deviceplugin), and different versions of Kubernetes itself. --> <p>本页详述了 Kubernetes <a href="https://github.com/kubernetes/kubelet/tree/master/pkg/apis/deviceplugin">设备插件 API</a> 与不同版本的 Kubernetes 本身之间的版本兼容性。</p> <!-- ## Compatibility matrix --> <h2 id="compatibility-matrix">兼容性矩阵</h2> <table> <thead> <tr> <th></th> <th><code>v1alpha1</code></th> <th><code>v1beta1</code></th> </tr> </thead> <tbody> <tr> <td>Kubernetes 1.21</td> <td>-</td> <td>✓</td> </tr> <tr> <td>Kubernetes 1.22</td> <td>-</td> <td>✓</td> </tr> <tr> <td>Kubernetes 1.23</td> <td>-</td> <td>✓</td> </tr> <tr> <td>Kubernetes 1.24</td> <td>-</td> <td>✓</td> </tr> <tr> <td>Kubernetes 1.25</td> <td>-</td> <td>✓</td> </tr> <tr> <td>Kubernetes 1.26</td> <td>-</td> <td>✓</td> </tr> </tbody> </table> <!-- Key: * `✓` Exactly the same features / API objects in both device plugin API and the Kubernetes version. --> <p>简要说明：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/controlling-access/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/controlling-access/<!-- reviewers: - erictune - lavalamp title: Controlling Access to the Kubernetes API content_type: concept weight: 50 --> <!-- overview --> <!-- This page provides an overview of controlling access to the Kubernetes API. --> <p>本页面概述了对 Kubernetes API 的访问控制。</p> <!-- body --> <!-- Users access the [Kubernetes API](/docs/concepts/overview/kubernetes-api/) using `kubectl`, client libraries, or by making REST requests. Both human users and [Kubernetes service accounts](/docs/tasks/configure-pod-container/configure-service-account/) can be authorized for API access. When a request reaches the API, it goes through several stages, illustrated in the following diagram: --> <p>用户使用 <code>kubectl</code>、客户端库或构造 REST 请求来访问 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/kubernetes-api/">Kubernetes API</a>。 人类用户和 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-service-account/">Kubernetes 服务账号</a>都可以被鉴权访问 API。 当请求到达 API 时，它会经历多个阶段，如下图所示：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/health-checks/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/health-checks/<!-- title: Kubernetes API health endpoints reviewers: - logicalhan content_type: concept weight: 50 --> <!-- overview --> <!-- The Kubernetes <a class='glossary-tooltip' title='提供 Kubernetes API 服务的控制面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/#kube-apiserver' target='_blank' aria-label='API server'>API server</a> provides API endpoints to indicate the current status of the API server. This page describes these API endpoints and explains how you can use them. --> <p>Kubernetes <a class='glossary-tooltip' title='提供 Kubernetes API 服务的控制面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/#kube-apiserver' target='_blank' aria-label='API 服务器'>API 服务器</a> 提供 API 端点以指示 API 服务器的当前状态。 本文描述了这些 API 端点，并说明如何使用。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/self-healing/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/self-healing/<!-- title: Kubernetes Self-Healing content_type: concept weight: 50 feature: title: Self-healing anchor: Automated recovery from damage description: > Kubernetes restarts containers that crash, replaces entire Pods where needed, reattaches storage in response to wider failures, and can integrate with node autoscalers to self-heal even at the node level. --> <!-- overview --> <!-- Kubernetes is designed with self-healing capabilities that help maintain the health and availability of workloads. It automatically replaces failed containers, reschedules workloads when nodes become unavailable, and ensures that the desired state of the system is maintained. --> <p>Kubernetes 旨在通过自我修复能力来维护工作负载的健康和可用性。<br> 它能够自动替换失败的容器，在节点不可用时重新调度工作负载， 并确保系统的期望状态得以维持。</p>https://andygol-k8s.netlify.app/zh-cn/docs/setup/best-practices/certificates/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/setup/best-practices/certificates/<!-- title: PKI certificates and requirements reviewers: - sig-cluster-lifecycle content_type: concept weight: 50 --> <!-- overview --> <!-- Kubernetes requires PKI certificates for authentication over TLS. If you install Kubernetes with [kubeadm](/docs/reference/setup-tools/kubeadm/), the certificates that your cluster requires are automatically generated. You can also generate your own certificates -- for example, to keep your private keys more secure by not storing them on the API server. This page explains the certificates that your cluster requires. --> <p>Kubernetes 需要 PKI 证书才能进行基于 TLS 的身份验证。如果你是使用 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/">kubeadm</a> 安装的 Kubernetes， 则会自动生成集群所需的证书。 你也可以自己生成证书 --- 例如，不将私钥存储在 API 服务器上， 可以让私钥更加安全。此页面说明了集群必需的证书。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/localization/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/localization/<!-- title: Localizing Kubernetes documentation content_type: concept approvers: - remyleone - rlenferink weight: 50 card: name: contribute weight: 50 title: Localizing the docs --> <!-- overview --> <!-- This page shows you how to [localize](https://blog.mozilla.org/l10n/2011/12/14/i18n-vs-l10n-whats-the-diff/) the docs for a different language. --> <p>此页面描述如何为其他语言的文档提供 <a href="https://blog.mozilla.org/l10n/2011/12/14/i18n-vs-l10n-whats-the-diff/">本地化</a>版本。</p> <!-- body --> <!-- ## Contribute to an existing localization You can help add or improve the content of an existing localization. In [Kubernetes Slack](https://slack.k8s.io/), you can find a channel for each localization. There is also a general [SIG Docs Localizations Slack channel](https://kubernetes.slack.com/messages/sig-docs-localizations) where you can say hello. --> <h2 id="contribute-to-an-existing-localization">为现有的本地化做出贡献</h2> <p>你可以帮助添加或改进现有本地化的内容。在 <a href="https://slack.k8s.io/">Kubernetes Slack</a> 中，你能找到每个本地化的频道。还有一个通用的 <a href="https://kubernetes.slack.com/messages/sig-docs-localizations">SIG Docs Localizations Slack 频道</a>， 你可以在这里打个招呼。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/sidecar-containers/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/sidecar-containers/<!-- title: Sidecar Containers content_type: concept weight: 50 --> <!-- overview --> <div class="feature-state-notice feature-stable" title="特性门控： SidecarContainers"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.33 [stable]</code>（默认启用）</div> <!-- Sidecar containers are the secondary containers that run along with the main application container within the same <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a>. These containers are used to enhance or to extend the functionality of the primary _app container_ by providing additional services, or functionality such as logging, monitoring, security, or data synchronization, without directly altering the primary application code. --> <p>边车容器是与<strong>主应用容器</strong>在同一个 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 中运行的辅助容器。 这些容器通过提供额外的服务或功能（如日志记录、监控、安全性或数据同步）来增强或扩展主应用容器的功能， 而无需直接修改主应用代码。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/blog/article-mirroring/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/blog/article-mirroring/<!-- title: Blog article mirroring slug: article-mirroring content_type: concept weight: 50 --> <!-- overview --> <!-- There are two official Kubernetes blogs, and the CNCF has its own blog where you can cover Kubernetes too. For the main Kubernetes blog, we (the Kubernetes project) like to publish articles with different perspectives and special focuses, that have a link to Kubernetes. Some articles appear on both blogs: there is a primary version of the article, and a _mirror article_ on the other blog. This page describes the criteria for mirroring, the motivation for mirroring, and explains what you should do to ensure that an article publishes to both blogs. --> <p>官方有两个 Kubernetes 博客，CNCF 也有自己的博客，你也可以在其中了解 Kubernetes。<br> 对于主要的 Kubernetes 博客，我们（Kubernetes 项目）喜欢发表具有不同视角和特别焦点的文章， 这些文章与 Kubernetes 有一定的关联。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/create-hostprocess-pod/<!-- title: Create a Windows HostProcess Pod content_type: task weight: 50 min-kubernetes-server-version: 1.23 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.26 [stable]</code> </div> <!-- Windows HostProcess containers enable you to run containerized workloads on a Windows host. These containers operate as normal processes but have access to the host network namespace, storage, and devices when given the appropriate user privileges. HostProcess containers can be used to deploy network plugins, storage configurations, device plugins, kube-proxy, and other components to Windows nodes without the need for dedicated proxies or the direct installation of host services. --> <p>Windows HostProcess 容器让你能够在 Windows 主机上运行容器化负载。 这类容器以普通的进程形式运行，但能够在具有合适用户特权的情况下， 访问主机网络名字空间、存储和设备。HostProcess 容器可用来在 Windows 节点上部署网络插件、存储配置、设备插件、kube-proxy 以及其他组件， 同时不需要配置专用的代理或者直接安装主机服务。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/dynamic-provisioning/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/dynamic-provisioning/<!-- reviewers: - saad-ali - jsafrane - thockin - msau42 title: Dynamic Volume Provisioning content_type: concept weight: 50 --> <!-- overview --> <!-- Dynamic volume provisioning allows storage volumes to be created on-demand. Without dynamic provisioning, cluster administrators have to manually make calls to their cloud or storage provider to create new storage volumes, and then create [`PersistentVolume` objects](/docs/concepts/storage/persistent-volumes/) to represent them in Kubernetes. The dynamic provisioning feature eliminates the need for cluster administrators to pre-provision storage. Instead, it automatically provisions storage when users create [`PersistentVolumeClaim` objects](/docs/concepts/storage/persistent-volumes/). --> <p>动态卷制备允许按需创建存储卷。 如果没有动态制备，集群管理员必须手动地联系他们的云或存储提供商来创建新的存储卷， 然后在 Kubernetes 集群创建 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/"><code>PersistentVolume</code> 对象</a>来表示这些卷。 动态制备功能消除了集群管理员预先配置存储的需要。相反，它在用户创建 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/"><code>PersistentVolumeClaim</code> 对象</a>时自动制备存储。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/networking/ports-and-protocols/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/networking/ports-and-protocols/<!-- title: Ports and Protocols content_type: reference weight: 50 --> <!-- When running Kubernetes in an environment with strict network boundaries, such as on-premises datacenter with physical network firewalls or Virtual Networks in Public Cloud, it is useful to be aware of the ports and protocols used by Kubernetes components --> <p>当你在一个有严格网络边界的环境里运行 Kubernetes，例如拥有物理网络防火墙或者拥有公有云中虚拟网络的自有数据中心， 了解 Kubernetes 组件使用了哪些端口和协议是非常有用的。</p> <!-- ## Control plane | Protocol | Direction | Port Range | Purpose | Used By | |----------|-----------|------------|-------------------------|---------------------------| | TCP | Inbound | 6443 | Kubernetes API server | All | | TCP | Inbound | 2379-2380 | etcd server client API | kube-apiserver, etcd | | TCP | Inbound | 10250 | Kubelet API | Self, Control plane | | TCP | Inbound | 10259 | kube-scheduler | Self | | TCP | Inbound | 10257 | kube-controller-manager | Self | Although etcd ports are included in control plane section, you can also host your own etcd cluster externally or on custom ports. --> <h2 id="control-plane">控制面</h2> <table> <thead> <tr> <th>协议</th> <th>方向</th> <th>端口范围</th> <th>目的</th> <th>使用者</th> </tr> </thead> <tbody> <tr> <td>TCP</td> <td>入站</td> <td>6443</td> <td>Kubernetes API 服务器</td> <td>所有</td> </tr> <tr> <td>TCP</td> <td>入站</td> <td>2379-2380</td> <td>etcd 服务器客户端 API</td> <td>kube-apiserver、etcd</td> </tr> <tr> <td>TCP</td> <td>入站</td> <td>10250</td> <td>kubelet API</td> <td>自身、控制面</td> </tr> <tr> <td>TCP</td> <td>入站</td> <td>10259</td> <td>kube-scheduler</td> <td>自身</td> </tr> <tr> <td>TCP</td> <td>入站</td> <td>10257</td> <td>kube-controller-manager</td> <td>自身</td> </tr> </tbody> </table> <p>尽管 etcd 的端口也列举在控制面的部分，但你也可以在外部自己托管 etcd 集群或者自定义端口。</p>https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/ha-topology/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/ha-topology/<!-- reviewers: - sig-cluster-lifecycle title: Options for Highly Available Topology content_type: concept weight: 50 --> <!-- overview --> <!-- This page explains the two options for configuring the topology of your highly available (HA) Kubernetes clusters. --> <p>本页面介绍了配置高可用（HA）Kubernetes 集群拓扑的两个选项。</p> <!-- You can set up an HA cluster: --> <p>你可以设置 HA 集群：</p> <!-- - With stacked control plane nodes, where etcd nodes are colocated with control plane nodes - With external etcd nodes, where etcd runs on separate nodes from the control plane --> <ul> <li>使用堆叠（stacked）控制平面节点，其中 etcd 节点与控制平面节点共存</li> <li>使用外部 etcd 节点，其中 etcd 在与控制平面不同的节点上运行</li> </ul> <!-- You should carefully consider the advantages and disadvantages of each topology before setting up an HA cluster. --> <p>在设置 HA 集群之前，你应该仔细考虑每种拓扑的优缺点。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/cgroups/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/cgroups/<!-- title: About cgroup v2 content_type: concept weight: 50 --> <!-- overview --> <!-- On Linux, <a class='glossary-tooltip' title='一组具有可选资源隔离、审计和限制的 Linux 进程。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-cgroup' target='_blank' aria-label='control groups'>control groups</a> constrain resources that are allocated to processes. The <a class='glossary-tooltip' title='一个在集群中每个节点上运行的代理。它保证容器都运行在 Pod 中。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet' target='_blank' aria-label='kubelet'>kubelet</a> and the underlying container runtime need to interface with cgroups to enforce [resource management for pods and containers](/docs/concepts/configuration/manage-resources-containers/) which includes cpu/memory requests and limits for containerized workloads. There are two versions of cgroups in Linux: cgroup v1 and cgroup v2. cgroup v2 is the new generation of the `cgroup` API. --> <p>在 Linux 上，<a class='glossary-tooltip' title='一组具有可选资源隔离、审计和限制的 Linux 进程。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-cgroup' target='_blank' aria-label='控制组'>控制组</a>约束分配给进程的资源。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/service-accounts-admin/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/service-accounts-admin/<!-- reviewers: - liggitt - enj title: Managing Service Accounts content_type: concept weight: 50 --> <!-- overview --> <!-- A _ServiceAccount_ provides an identity for processes that run in a Pod. A process inside a Pod can use the identity of its associated service account to authenticate to the cluster's API server. --> <p><strong>ServiceAccount</strong> 为 Pod 中运行的进程提供了一个身份。</p> <p>Pod 内的进程可以使用其关联服务账号的身份，向集群的 API 服务器进行身份认证。</p> <!-- For an introduction to service accounts, read [configure service accounts](/docs/tasks/configure-pod-container/configure-service-account/). This task guide explains some of the concepts behind ServiceAccounts. The guide also explains how to obtain or revoke tokens that represent ServiceAccounts, and how to (optionally) bind a ServiceAccount's validity to the lifetime of an API object. --> <p>有关服务账号的介绍， 请参阅<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-service-account/">配置服务账号</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/networking/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/networking/<!-- reviewers: - thockin title: Cluster Networking content_type: concept weight: 50 --> <!-- overview --> <!-- Networking is a central part of Kubernetes, but it can be challenging to understand exactly how it is expected to work. There are 4 distinct networking problems to address: 1. Highly-coupled container-to-container communications: this is solved by <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pods'>Pods</a> and `localhost` communications. 2. Pod-to-Pod communications: this is the primary focus of this document. 3. Pod-to-Service communications: this is covered by [Services](/docs/concepts/services-networking/service/). 4. External-to-Service communications: this is also covered by Services. --> <p>集群网络系统是 Kubernetes 的核心部分，但是想要准确理解它的工作原理可是个不小的挑战。 下面列出的是网络系统的的四个主要问题：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/<!-- title: Check whether dockershim removal affects you content_type: task reviewers: - SergeyKanzhelev weight: 50 --> <!-- overview --> <!-- The `dockershim` component of Kubernetes allows the use of Docker as a Kubernetes's <a class='glossary-tooltip' title='容器运行时是负责运行容器的软件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/container-runtimes' target='_blank' aria-label='container runtime'>container runtime</a>. Kubernetes' built-in `dockershim` component was removed in release v1.24. --> <p>Kubernetes 的 <code>dockershim</code> 组件使得你可以把 Docker 用作 Kubernetes 的 <a class='glossary-tooltip' title='容器运行时是负责运行容器的软件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/container-runtimes' target='_blank' aria-label='容器运行时'>容器运行时</a>。 在 Kubernetes v1.24 版本中，内建组件 <code>dockershim</code> 被移除。</p> <!-- This page explains how your cluster could be using Docker as a container runtime, provides details on the role that `dockershim` plays when in use, and shows steps you can take to check whether any workloads could be affected by `dockershim` removal. --> <p>本页讲解你的集群把 Docker 用作容器运行时的运作机制， 并提供使用 <code>dockershim</code> 时，它所扮演角色的详细信息， 继而展示了一组操作，可用来检查移除 <code>dockershim</code> 对你的工作负载是否有影响。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/instrumentation/node-metrics/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/instrumentation/node-metrics/<!-- title: Node metrics data content_type: reference weight: 50 description: >- Mechanisms for accessing metrics at node, volume, pod and container level, as seen by the kubelet. --> <!-- The [kubelet](/docs/reference/command-line-tools-reference/kubelet/) gathers metric statistics at the node, volume, pod and container level, and emits this information in the [Summary API](/docs/reference/config-api/kubelet-stats.v1alpha1/). --> <p><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet/">kubelet</a> 在节点、卷、Pod 和容器级别收集统计信息， 并在 <a href="zh-cn/docs/reference/config-api/kubelet-stats.v1alpha1/">Summary API</a> 中输出这些信息。</p> <!-- You can send a proxied request to the stats summary API via the Kubernetes API server. Here is an example of a Summary API request for a node named `minikube`: --> <p>你可以通过 Kubernetes API 服务器将代理的请求发送到 stats Summary API。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/policy/node-resource-managers/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/policy/node-resource-managers/<!-- reviewers: - derekwaynecarr - klueska title: Node Resource Managers content_type: concept weight: 50 --> <!-- overview --> <!-- In order to support latency-critical and high-throughput workloads, Kubernetes offers a suite of Resource Managers. The managers aim to co-ordinate and optimise the alignment of node's resources for pods configured with a specific requirement for CPUs, devices, and memory (hugepages) resources. --> <p>Kubernetes 提供了一组资源管理器，用于支持延迟敏感的、高吞吐量的工作负载。 资源管理器的目标是协调和优化节点资源，以支持对 CPU、设备和内存（巨页）等资源有特殊需求的 Pod。</p> <!-- body --> <!-- ## Hardware topology alignment policies --> <h2 id="hardware-topology-alignment-policies">硬件拓扑对齐策略</h2> <!-- _Topology Manager_ is a kubelet component that aims to coordinate the set of components that are responsible for these optimizations. The overall resource management process is governed using the policy you specify. To learn more, read [Control Topology Management Policies on a Node](/docs/tasks/administer-cluster/topology-manager/). --> <p>**拓扑管理器（Topology Manager）**是一个 kubelet 组件，旨在协调负责这些优化的组件集。 整体资源管理过程通过你指定的策略进行管理。 要了解更多信息，请阅读<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/topology-manager/">控制节点上的拓扑管理策略</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/scale-stateful-set/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/scale-stateful-set/<!-- reviewers: - bprashanth - enisoc - erictune - foxish - janetkuo - kow3ns - smarterclayton title: Scale a StatefulSet content_type: task weight: 50 --> <!-- overview --> <!-- This task shows how to scale a StatefulSet. Scaling a StatefulSet refers to increasing or decreasing the number of replicas. --> <p>本文介绍如何扩缩 StatefulSet。StatefulSet 的扩缩指的是增加或者减少副本个数。</p> <h2 id="准备开始">准备开始</h2> <!-- - StatefulSets are only available in Kubernetes version 1.5 or later. To check your version of Kubernetes, run `kubectl version`. - Not all stateful applications scale nicely. If you are unsure about whether to scale your StatefulSets, see [StatefulSet concepts](/docs/concepts/workloads/controllers/statefulset/) or [StatefulSet tutorial](/docs/tutorials/stateful-application/basic-stateful-set/) for further information. - You should perform scaling only when you are confident that your stateful application cluster is completely healthy. --> <ul> <li> <p>StatefulSets 仅适用于 Kubernetes 1.5 及以上版本。 要查看你的 Kubernetes 版本，运行 <code>kubectl version</code>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver/<!-- title: Configuring a cgroup driver content_type: task weight: 50 --> <!-- overview --> <!-- This page explains how to configure the kubelet's cgroup driver to match the container runtime cgroup driver for kubeadm clusters. --> <p>本页阐述如何配置 kubelet 的 cgroup 驱动以匹配 kubeadm 集群中的容器运行时的 cgroup 驱动。</p> <h2 id="准备开始">准备开始</h2> <!-- You should be familiar with the Kubernetes [container runtime requirements](/docs/setup/production-environment/container-runtimes). --> <p>你应该熟悉 Kubernetes 的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/container-runtimes">容器运行时需求</a>。</p> <!-- steps --> <!-- ## Configuring the container runtime cgroup driver --> <h2 id="configuring-the-container-runtime-cgroup-driver">配置容器运行时 cgroup 驱动</h2> <!-- The [Container runtimes](/docs/setup/production-environment/container-runtimes) page explains that the `systemd` driver is recommended for kubeadm based setups instead of the kubelet's [default](/docs/reference/config-api/kubelet-config.v1beta1) `cgroupfs` driver, because kubeadm manages the kubelet as a [systemd service](/docs/setup/production-environment/tools/kubeadm/kubelet-integration). --> <p><a href="https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/container-runtimes">容器运行时</a>页面提到， 由于 kubeadm 把 kubelet 视为一个 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/kubelet-integration">系统服务</a>来管理， 所以对基于 kubeadm 的安装， 我们推荐使用 <code>systemd</code> 驱动， 不推荐 kubelet <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kubelet-config.v1beta1">默认</a>的 <code>cgroupfs</code> 驱动。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/<!-- title: Update API Objects in Place Using kubectl patch description: Use kubectl patch to update Kubernetes API objects in place. Do a strategic merge patch or a JSON merge patch. content_type: task weight: 50 --> <!-- overview --> <!-- This task shows how to use `kubectl patch` to update an API object in place. The exercises in this task demonstrate a strategic merge patch and a JSON merge patch. --> <p>这个任务展示如何使用 <code>kubectl patch</code> 就地更新 API 对象。 这个任务中的练习演示了一个策略性合并 patch 和一个 JSON 合并 patch。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/network-policy-provider/romana-network-policy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/network-policy-provider/romana-network-policy/<!-- reviewers: - chrismarino title: Romana for NetworkPolicy content_type: task weight: 50 --> <!-- overview --> <!-- This page shows how to use Romana for NetworkPolicy. --> <p>本页展示如何使用 Romana 作为 NetworkPolicy。</p> <h2 id="准备开始">准备开始</h2> <!-- Complete steps 1, 2, and 3 of the [kubeadm getting started guide](/docs/reference/setup-tools/kubeadm/). --> <p>完成 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/">kubeadm 入门指南</a>中的 1、2、3 步。</p> <!-- steps --> <!-- ## Installing Romana with kubeadm Follow the [containerized installation guide](https://github.com/romana/romana/tree/master/containerize) for kubeadm. ## Applying network policies To apply network policies use one of the following: * [Romana network policies](https://github.com/romana/romana/wiki/Romana-policies). * [Example of Romana network policy](https://github.com/romana/core/blob/master/doc/policy.md). * The NetworkPolicy API. --> <h2 id="使用-kubeadm-安装-romana">使用 kubeadm 安装 Romana</h2> <p>按照<a href="https://github.com/romana/romana/tree/master/containerize">容器化安装指南</a>， 使用 kubeadm 安装。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/inject-data-application/distribute-credentials-secure/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/inject-data-application/distribute-credentials-secure/<!-- title: Distribute Credentials Securely Using Secrets content_type: task weight: 50 min-kubernetes-server-version: v1.6 --> <!-- overview --> <!-- This page shows how to securely inject sensitive data, such as passwords and encryption keys, into Pods. --> <p>本文展示如何安全地将敏感数据（如密码和加密密钥）注入到 Pod 中。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/job/parallel-processing-expansion/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/job/parallel-processing-expansion/<!-- title: Parallel Processing using Expansions content_type: task min-kubernetes-server-version: v1.8 weight: 50 --> <!-- overview --> <!-- This task demonstrates running multiple <a class='glossary-tooltip' title='Job 是需要运行完成的确定性的或批量的任务。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/job/' target='_blank' aria-label='Jobs'>Jobs</a> based on a common template. You can use this approach to process batches of work in parallel. For this example there are only three items: _apple_, _banana_, and _cherry_. The sample Jobs process each item by printing a string then pausing. See [using Jobs in real workloads](#using-jobs-in-real-workloads) to learn about how this pattern fits more realistic use cases. --> <p>本任务展示基于一个公共的模板运行多个<a class='glossary-tooltip' title='Job 是需要运行完成的确定性的或批量的任务。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/job/' target='_blank' aria-label='Jobs'>Jobs</a>。 你可以用这种方法来并行执行批处理任务。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/docker-cli-to-kubectl/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/docker-cli-to-kubectl/<!-- title: kubectl for Docker Users content_type: concept reviewers: - brendandburns - thockin weight: 50 --> <!-- overview --> <!-- You can use the Kubernetes command line tool `kubectl` to interact with the API Server. Using kubectl is straightforward if you are familiar with the Docker command line tool. However, there are a few differences between the Docker commands and the kubectl commands. The following sections show a Docker sub-command and describe the equivalent `kubectl` command. --> <p>你可以使用 Kubernetes 命令行工具 <code>kubectl</code> 与 API 服务器进行交互。如果你熟悉 Docker 命令行工具， 则使用 kubectl 非常简单。但是，Docker 命令和 kubectl 命令之间有一些区别。以下显示了 Docker 子命令， 并描述了等效的 <code>kubectl</code> 命令。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/generate-ref-docs/kubernetes-api/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/generate-ref-docs/kubernetes-api/<!-- title: Generating Reference Documentation for the Kubernetes API content_type: task weight: 50 --> <!-- overview --> <!-- This page shows how to update the Kubernetes API reference documentation. The Kubernetes API reference documentation is built from the [Kubernetes OpenAPI spec](https://github.com/kubernetes/kubernetes/blob/master/api/openapi-spec/swagger.json) using the [kubernetes-sigs/reference-docs](https://github.com/kubernetes-sigs/reference-docs) generation code. If you find bugs in the generated documentation, you need to [fix them upstream](/docs/contribute/generate-ref-docs/contribute-upstream/). If you need only to regenerate the reference documentation from the [OpenAPI](https://github.com/OAI/OpenAPI-Specification) spec, continue reading this page. --> <p>本页面显示了如何更新 Kubernetes API 参考文档。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/<!-- title: Configure Memory and CPU Quotas for a Namespace content_type: task weight: 50 description: >- Define overall memory and CPU resource limits for a namespace. --> <!-- overview --> <!-- This page shows how to set quotas for the total amount memory and CPU that can be used by all Pods running in a <a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='namespace'>namespace</a>. You specify quotas in a [ResourceQuota](/docs/reference/kubernetes-api/policy-resources/resource-quota-v1/) object. --> <p>本文介绍如何为<a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='命名空间'>命名空间</a>下运行的所有 Pod 设置总的内存和 CPU 配额。你可以通过使用 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/resource-quota-v1/">ResourceQuota</a> 对象设置配额.</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/taint-and-toleration/<!-- reviewers: - davidopp - kevin-wangzefeng - bsalamat title: Taints and Tolerations content_type: concept weight: 50 --> <!-- overview --> <!-- [_Node affinity_](/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) is a property of <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pods'>Pods</a> that *attracts* them to a set of <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='nodes'>nodes</a> (either as a preference or a hard requirement). _Taints_ are the opposite -- they allow a node to repel a set of pods. --> <p><a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity">节点亲和性</a> 是 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 的一种属性，它使 Pod 被吸引到一类特定的<a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='节点'>节点</a> （这可能出于一种偏好，也可能是硬性要求）。 <strong>污点（Taint）</strong> 则相反——它使节点能够排斥一类特定的 Pod。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/networking/virtual-ips/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/networking/virtual-ips/<!-- title: Virtual IPs and Service Proxies content_type: reference weight: 50 --> <!-- overview --> <!-- Every <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='node'>node</a> in a Kubernetes <a class='glossary-tooltip' title='一组工作机器，称为节点，会运行容器化应用程序。每个集群至少有一个工作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-cluster' target='_blank' aria-label='cluster'>cluster</a> runs a [kube-proxy](/docs/reference/command-line-tools-reference/kube-proxy/) (unless you have deployed your own alternative component in place of `kube-proxy`). --> <p>Kubernetes <a class='glossary-tooltip' title='一组工作机器，称为节点，会运行容器化应用程序。每个集群至少有一个工作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-cluster' target='_blank' aria-label='集群'>集群</a>中的每个 <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='节点'>节点</a>会运行一个 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kube-proxy/">kube-proxy</a> （除非你已经部署了自己的替换组件来替代 <code>kube-proxy</code>）。</p> <!-- The `kube-proxy` component is responsible for implementing a _virtual IP_ mechanism for <a class='glossary-tooltip' title='将运行在一组 Pods 上的应用程序公开为网络服务的抽象方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/' target='_blank' aria-label='Services'>Services</a> of `type` other than [`ExternalName`](/docs/concepts/services-networking/service/#externalname). --> <p><code>kube-proxy</code> 组件负责除 <code>type</code> 为 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/#externalname"><code>ExternalName</code></a> 以外的 <a class='glossary-tooltip' title='将运行在一组 Pods 上的应用程序公开为网络服务的抽象方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/' target='_blank' aria-label='Service'>Service</a> 实现<strong>虚拟 IP</strong> 机制。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/autoscaling/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/autoscaling/<!-- title: Autoscaling Workloads description: >- With autoscaling, you can automatically update your workloads in one way or another. This allows your cluster to react to changes in resource demand more elastically and efficiently. content_type: concept weight: 50 --> <!-- overview --> <!-- In Kubernetes, you can _scale_ a workload depending on the current demand of resources. This allows your cluster to react to changes in resource demand more elastically and efficiently. When you scale a workload, you can either increase or decrease the number of replicas managed by the workload, or adjust the resources available to the replicas in-place. The first approach is referred to as _horizontal scaling_, while the second is referred to as _vertical scaling_. There are manual and automatic ways to scale your workloads, depending on your use case. --> <p>在 Kubernetes 中，你可以根据当前的资源需求<strong>扩缩</strong>工作负载。 这让你的集群可以更灵活、更高效地面对资源需求的变化。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/gateway/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/gateway/<!-- title: Gateway API content_type: concept description: >- Gateway API is a family of API kinds that provide dynamic infrastructure provisioning and advanced traffic routing. weight: 55 --> <!-- overview --> <!-- Make network services available by using an extensible, role-oriented, protocol-aware configuration mechanism. [Gateway API](https://gateway-api.sigs.k8s.io/) is an <a class='glossary-tooltip' title='扩展 Kubernetes 功能的资源。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/addons/' target='_blank' aria-label='add-on'>add-on</a> containing API [kinds](https://gateway-api.sigs.k8s.io/references/spec/) that provide dynamic infrastructure provisioning and advanced traffic routing. --> <p><a href="https://gateway-api.sigs.k8s.io/">Gateway API</a> 通过使用可扩展的、角色导向的、 协议感知的配置机制来提供网络服务。它是一个<a class='glossary-tooltip' title='扩展 Kubernetes 功能的资源。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/addons/' target='_blank' aria-label='附加组件'>附加组件</a>， 包含可提供动态基础设施配置和高级流量路由的 API <a href="https://gateway-api.sigs.k8s.io/references/spec/">类别</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/observability/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/observability/<!-- title: Observability reviewers: weight: 55 content_type: concept description: > Understand how to gain end-to-end visibility of a Kubernetes cluster through the collection of metrics, logs, and traces. no_list: true card: name: setup weight: 60 anchors: - anchor: "#metrics" title: Metrics - anchor: "#logs" title: Logs - anchor: "#traces" title: Traces --> <!-- overview --> <!-- In Kubernetes, observability is the process of collecting and analyzing metrics, logs, and traces—often referred to as the three pillars of observability—in order to obtain a better understanding of the internal state, performance, and health of the cluster. --> <p>在 Kubernetes 中，可观测性是通过收集和分析指标、日志和链路（通常被称为可观测性的三大支柱）， 以便更好地了解集群的内部状态、性能和健康情况的过程。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/admission-webhooks-good-practices/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/admission-webhooks-good-practices/<!-- title: Admission Webhook Good Practices description: > Recommendations for designing and deploying admission webhooks in Kubernetes. content_type: concept weight: 60 --> <!-- overview --> <!-- This page provides good practices and considerations when designing _admission webhooks_ in Kubernetes. This information is intended for cluster operators who run admission webhook servers or third-party applications that modify or validate your API requests. Before reading this page, ensure that you're familiar with the following concepts: * [Admission controllers](/docs/reference/access-authn-authz/admission-controllers/) * [Admission webhooks](/docs/reference/access-authn-authz/extensible-admission-controllers/#what-are-admission-webhooks) --> <p>本页面提供了在 Kubernetes 中设计 <strong>Admission Webhook</strong> 时的良好实践和注意事项。 此信息适用于运行准入 Webhook 服务器或第三方应用程序的集群操作员， 这些程序用于修改或验证你的 API 请求。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/endpoint-slices/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/endpoint-slices/<!-- reviewers: - freehan title: EndpointSlices api_metadata: - apiVersion: "discovery.k8s.io/v1" kind: "EndpointSlice" content_type: concept weight: 60 description: >- The EndpointSlice API is the mechanism that Kubernetes uses to let your Service scale to handle large numbers of backends, and allows the cluster to update its list of healthy backends efficiently. --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.21 [stable]</code> </div> EndpointSlices 跟踪后端端点的 IP 地址。 EndpointSlices 通常与某个 <a class='glossary-tooltip' title='将运行在一组 Pods 上的应用程序公开为网络服务的抽象方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/' target='_blank' aria-label='Service'>Service</a> 关联， 后端端点通常表示 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a>。 <!-- body --> <!-- ## EndpointSlice API {#endpointslice-resource} In Kubernetes, an EndpointSlice contains references to a set of network endpoints. The control plane automatically creates EndpointSlices for any Kubernetes Service that has a <a class='glossary-tooltip' title='选择算符允许用户通过标签对一组资源对象进行筛选过滤。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/labels/' target='_blank' aria-label='selector'>selector</a> specified. These EndpointSlices include references to all the Pods that match the Service selector. EndpointSlices group network endpoints together by unique combinations of IP family, protocol, port number, and Service name. The name of a EndpointSlice object must be a valid [DNS subdomain name](/docs/concepts/overview/working-with-objects/names#dns-subdomain-names). As an example, here's a sample EndpointSlice object, that's owned by the `example` Kubernetes Service. --> <h2 id="endpointslice-resource">EndpointSlice API</h2> <p>在 Kubernetes 中，<code>EndpointSlice</code> 包含对一组网络端点的引用。 控制面会自动为设置了<a class='glossary-tooltip' title='选择算符允许用户通过标签对一组资源对象进行筛选过滤。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/labels/' target='_blank' aria-label='选择算符'>选择算符</a>的 Kubernetes Service 创建 EndpointSlice。 这些 EndpointSlice 将包含对与 Service 选择算符匹配的所有 Pod 的引用。 EndpointSlice 通过唯一的 IP 地址簇、协议、端口号和 Service 名称将网络端点组织在一起。 EndpointSlice 的名称必须是合法的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/names#dns-subdomain-names">DNS 子域名</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset/<!-- reviewers: - luxas - jbeda title: kubeadm reset content_type: concept weight: 60 --> <!-- overview --> <!-- Performs a best effort revert of changes made by `kubeadm init` or `kubeadm join`. --> <p>该命令尽力还原由 <code>kubeadm init</code> 或 <code>kubeadm join</code> 所做的更改。</p> <!-- body --> <!-- ### Synopsis --> <h3 id="概要">概要</h3> <!-- Performs a best effort revert of changes made to this host by 'kubeadm init' or 'kubeadm join' --> <p>尽最大努力还原通过 'kubeadm init' 或者 'kubeadm join' 操作对主机所作的更改。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/conventions/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/conventions/<!-- title: kubectl Usage Conventions reviewers: - janetkuo content_type: concept weight: 60 --> <!-- overview --> <!-- Recommended usage conventions for `kubectl`. --> <p><code>kubectl</code> 的推荐用法约定。</p> <!-- body --> <!-- ## Using `kubectl` in Reusable Scripts --> <h2 id="using-kubectl-in-reusable-scripts">在可重用脚本中使用 <code>kubectl</code></h2> <!-- For a stable output in a script: --> <p>对于脚本中的稳定输出：</p> <!-- * Request one of the machine-oriented output forms, such as `-o name`, `-o json`, `-o yaml`, `-o go-template`, or `-o jsonpath`. * Fully-qualify the version. For example, `jobs.v1.batch/myjob`. This will ensure that kubectl does not use its default version that can change over time. * Don't rely on context, preferences, or other implicit states. --> <ul> <li>请求一个面向机器的输出格式，例如 <code>-o name</code>、<code>-o json</code>、<code>-o yaml</code>、<code>-o go template</code> 或 <code>-o jsonpath</code>。</li> <li>完全限定版本。例如 <code>jobs.v1.batch/myjob</code>。这将确保 kubectl 不会使用其默认版本，该版本会随着时间的推移而更改。</li> <li>不要依赖上下文、首选项或其他隐式状态。</li> </ul> <!-- ## Subresources --> <h2 id="subresources">子资源</h2> <!-- * You can use the `--subresource` argument for kubectl subcommands such as `get`, `patch`, `edit`, `apply` and `replace` to fetch and update subresources for all resources that support them. In Kubernetes version 1.35, only the `status`, `scale` and `resize` subresources are supported. * For `kubectl edit`, the `scale` subresource is not supported. If you use `--subresource` with `kubectl edit` and specify `scale` as the subresource, the command will error out. * The API contract against a subresource is identical to a full resource. While updating the `status` subresource to a new value, keep in mind that the subresource could be potentially reconciled by a controller to a different value. --> <ul> <li>你可以将 <code>--subresource</code> 参数用于 kubectl 命令，例如 <code>get</code>、<code>patch</code>、<code>edit</code>、<code>apply</code> 和 <code>replace</code> 来获取和更新所有支持子资源的资源的子资源。Kubernetes 1.35 版本中， 仅支持 <code>status</code>, <code>scale</code> 和 <code>resize</code> 子资源。 <ul> <li>对于 <code>kubectl edit</code>，不支持 <code>scale</code> 子资源。如果将 <code>--subresource</code> 与 <code>kubectl edit</code> 一起使用， 并指定 <code>scale</code> 作为子资源，则命令将会报错。</li> </ul> </li> <li>针对子资源的 API 协定与完整资源相同。在更新 <code>status</code> 子资源为一个新值时，请记住， 子资源可能是潜在的由控制器调和为不同的值。</li> </ul> <!-- ## Best Practices --> <h2 id="best-practices">最佳实践</h2> <h3 id="kubectl-run"><code>kubectl run</code></h3> <!-- For `kubectl run` to satisfy infrastructure as code: --> <p>若希望 <code>kubectl run</code> 满足基础设施即代码的要求：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/instrumentation/zpages/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/instrumentation/zpages/<!-- title: Kubernetes z-pages content_type: reference weight: 60 reviewers: - dashpole description: >- Provides runtime diagnostics for Kubernetes components, offering insights into component runtime status and configuration flags. --> <!-- overview --> <div class="feature-state-notice feature-alpha"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.32 [alpha]</code> </div> <!-- Kubernetes core components can expose a suite of _z-endpoints_ to make it easier for users to debug their cluster and its components. These endpoints are strictly to be used for human inspection to gain real time debugging information of a component binary. Avoid automated scraping of data returned by these endpoints; in Kubernetes 1.35 these are an **alpha** feature and the response format may change in future releases. --> <p>Kubernetes 的核心组件可以暴露一系列 <strong>z-endpoints</strong>，以便用户更轻松地调试他们的集群及其组件。 这些端点仅用于人工检查，以获取组件二进制文件的实时调试信息。请不要自动抓取这些端点返回的数据； 在 Kubernetes 1.35 中，这些是 <strong>Alpha</strong> 特性，响应格式可能会在未来版本中发生变化。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/autoscaling/horizontal-pod-autoscale/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/autoscaling/horizontal-pod-autoscale/<!-- reviewers: - adrianmoisey - omerap12 title: Horizontal Pod Autoscaling feature: title: Horizontal scaling description: > Scale your application up and down with a simple command, with a UI, or automatically based on CPU usage. content_type: concept weight: 60 math: true --> <!-- overview --> <!-- In Kubernetes, a _HorizontalPodAutoscaler_ automatically updates a workload resource (such as a <a class='glossary-tooltip' title='管理集群上的多副本应用。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/deployment/' target='_blank' aria-label='Deployment'>Deployment</a> or <a class='glossary-tooltip' title='StatefulSet 用来管理某 Pod 集合的部署和扩缩，并为这些 Pod 提供持久存储和持久标识符。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/' target='_blank' aria-label='StatefulSet'>StatefulSet</a>), with the aim of automatically scaling capacity to match demand. --> <p>在 Kubernetes 中，<strong>HorizontalPodAutoscaler</strong> 自动更新工作负载资源 （例如 <a class='glossary-tooltip' title='管理集群上的多副本应用。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/deployment/' target='_blank' aria-label='Deployment'>Deployment</a> 或者 <a class='glossary-tooltip' title='StatefulSet 用来管理某 Pod 集合的部署和扩缩，并为这些 Pod 提供持久存储和持久标识符。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/' target='_blank' aria-label='StatefulSet'>StatefulSet</a>）， 目的是容量自动扩缩以满足需求。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/migrating-telemetry-and-security-agents/<!-- title: Migrating telemetry and security agents from dockershim content_type: task reviewers: - SergeyKanzhelev weight: 60 --> <!-- overview --> <div class="alert alert-secondary callout third-party-content" role="note"><strong>说明：</strong>&puncsp;本部分链接到提供 Kubernetes 所需功能的第三方项目。Kubernetes 项目作者不负责这些项目。此页面遵循<a href="https://github.com/cncf/foundation/blob/main/policies-guidance/website-guidelines.md" target="_blank">CNCF 网站指南</a>，按字母顺序列出项目。要将项目添加到此列表中，请在提交更改之前阅读<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/content-guide/#third-party-content">内容指南</a>。</div> <!-- Kubernetes' support for direct integration with Docker Engine is deprecated and has been removed. Most apps do not have a direct dependency on runtime hosting containers. However, there are still a lot of telemetry and monitoring agents that have a dependency on Docker to collect containers metadata, logs, and metrics. This document aggregates information on how to detect these dependencies as well as links on how to migrate these agents to use generic tools or alternative runtimes. --> <p>Kubernetes 对与 Docker Engine 直接集成的支持已被弃用且已经被删除。 大多数应用程序不直接依赖于托管容器的运行时。但是，仍然有大量的遥测和监控代理依赖 Docker 来收集容器元数据、日志和指标。 本文汇总了一些如何探查这些依赖的信息以及如何迁移这些代理去使用通用工具或其他容器运行时的参考链接。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/scheduling-framework/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/scheduling-framework/<!-- reviewers: - ahg-g title: Scheduling Framework content_type: concept weight: 60 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.19 [stable]</code> </div> <!-- The _scheduling framework_ is a pluggable architecture for the Kubernetes scheduler. It consists of a set of "plugin" APIs that are compiled directly into the scheduler. These APIs allow most scheduling features to be implemented as plugins, while keeping the scheduling "core" lightweight and maintainable. Refer to the [design proposal of the scheduling framework][kep] for more technical information on the design of the framework. --> <p><strong>调度框架</strong>是面向 Kubernetes 调度器的一种插件架构， 它由一组直接编译到调度程序中的“插件” API 组成。 这些 API 允许大多数调度功能以插件的形式实现，同时使调度“核心”保持简单且可维护。 请参考<a href="https://github.com/kubernetes/enhancements/blob/master/keps/sig-scheduling/624-scheduling-framework/README.md">调度框架的设计提案</a> 获取框架设计的更多技术信息。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/blog/release-comms/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/blog/release-comms/<!-- title: Post-release communications content_type: concept weight: 60 --> <!-- overview --> <!-- The Kubernetes _Release Comms_ team (part of [SIG Release](https://github.com/kubernetes/community/tree/master/sig-release)) looks after release announcements, which go onto the [main project blog](/docs/contribute/blog/#main-blog). After each release, the Release Comms team take over the main blog for a period and publish a series of additional articles to explain or announce changes related to that release. These additional articles are termed _post-release comms_. --> <p>Kubernetes 的<strong>发布沟通（Release Comms）</strong> 团队（隶属于 <a href="https://github.com/kubernetes/community/tree/master/sig-release">SIG Release</a>） 负责管理发布相关的公告，这些公告会发布在<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/blog/#main-blog">主项目博客</a>上。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/rbac-good-practices/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/rbac-good-practices/<!-- reviewers: title: Role Based Access Control Good Practices description: > Principles and practices for good RBAC design for cluster operators. content_type: concept weight: 60 --> <!-- overview --> <!-- Kubernetes <a class='glossary-tooltip' title='管理授权决策，允许管理员通过 Kubernetes API 动态配置访问策略。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/rbac/' target='_blank' aria-label='RBAC'>RBAC</a> is a key security control to ensure that cluster users and workloads have only the access to resources required to execute their roles. It is important to ensure that, when designing permissions for cluster users, the cluster administrator understands the areas where privilge escalation could occur, to reduce the risk of excessive access leading to security incidents. The good practices laid out here should be read in conjunction with the general [RBAC documentation](/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update). --> <p>Kubernetes <a class='glossary-tooltip' title='管理授权决策，允许管理员通过 Kubernetes API 动态配置访问策略。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/rbac/' target='_blank' aria-label='RBAC'>RBAC</a> 是一项重要的安全控制措施，用于保证集群用户和工作负载只能访问履行自身角色所需的资源。 在为集群用户设计权限时，请务必确保集群管理员知道可能发生特权提级的地方， 降低因过多权限而导致安全事件的风险。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/dra/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/dra/<!-- title: Good practices for Dynamic Resource Allocation as a Cluster Admin content_type: concept weight: 60 --> <!-- overview --> <!-- This page describes good practices when configuring a Kubernetes cluster utilizing Dynamic Resource Allocation (DRA). These instructions are for cluster administrators. --> <p>本文介绍在利用动态资源分配（DRA）配置 Kubernetes 集群时的良好实践。这些指示说明适用于集群管理员。</p> <!-- body --> <!-- ## Separate permissions to DRA related APIs DRA is orchestrated through a number of different APIs. Use authorization tools (like RBAC, or another solution) to control access to the right APIs depending on the persona of your user. In general, DeviceClasses and ResourceSlices should be restricted to admins and the DRA drivers. Cluster operators that will be deploying Pods with claims will need access to ResourceClaim and ResourceClaimTemplate APIs; both of these APIs are namespace scoped. --> <h2 id="separate-permissions-to-dra-related-apis">分离 DRA 相关 API 的权限</h2> <p>DRA 是通过多个不同的 API 进行编排的。使用鉴权工具（如 RBAC 或其他方案）根据用户的角色来控制对相关 API 的访问权限。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volume-snapshots/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volume-snapshots/<!-- reviewers: - saad-ali - thockin - msau42 - jingxu97 - xing-yang - yuxiangqian title: Volume Snapshots content_type: concept weight: 60 --> <!-- overview --> <!-- In Kubernetes, a _VolumeSnapshot_ represents a snapshot of a volume on a storage system. This document assumes that you are already familiar with Kubernetes [persistent volumes](/docs/concepts/storage/persistent-volumes/). --> <p>在 Kubernetes 中，<strong>卷快照</strong> 是一个存储系统上卷的快照，本文假设你已经熟悉了 Kubernetes 的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/">持久卷</a>。</p> <!-- body --> <!-- ## Introduction --> <h2 id="introduction">介绍</h2> <!-- Similar to how API resources `PersistentVolume` and `PersistentVolumeClaim` are used to provision volumes for users and administrators, `VolumeSnapshotContent` and `VolumeSnapshot` API resources are provided to create volume snapshots for users and administrators. --> <p>与 <code>PersistentVolume</code> 和 <code>PersistentVolumeClaim</code> 这两个 API 资源用于给用户和管理员制备卷类似， <code>VolumeSnapshotContent</code> 和 <code>VolumeSnapshot</code> 这两个 API 资源用于给用户和管理员创建卷快照。</p>https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/high-availability/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/high-availability/<!-- reviewers: - sig-cluster-lifecycle title: Creating Highly Available Clusters with kubeadm content_type: task weight: 60 --> <!-- overview --> <!-- This page explains two different approaches to setting up a highly available Kubernetes cluster using kubeadm: - With stacked control plane nodes. This approach requires less infrastructure. The etcd members and control plane nodes are co-located. - With an external etcd cluster. This approach requires more infrastructure. The control plane nodes and etcd members are separated. --> <p>本文讲述了使用 kubeadm 设置一个高可用的 Kubernetes 集群的两种不同方式：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/ephemeral-containers/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/ephemeral-containers/<!-- reviewers: - verb - yujuhong title: Ephemeral Containers content_type: concept weight: 60 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.25 [stable]</code> </div> <!-- This page provides an overview of ephemeral containers: a special type of container that runs temporarily in an existing <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> to accomplish user-initiated actions such as troubleshooting. You use ephemeral containers to inspect services rather than to build applications. --> <p>本页面概述了临时容器：一种特殊的容器，该容器在现有 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 中临时运行，以便完成用户发起的操作，例如故障排查。 你会使用临时容器来检查服务，而不是用它来构建应用程序。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/quality-service-pod/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/quality-service-pod/<!-- title: Configure Quality of Service for Pods content_type: task weight: 60 --> <!-- overview --> <!-- This page shows how to configure Pods so that they will be assigned particular <a class='glossary-tooltip' title='QoS 类（Quality of Service Class）为 Kubernetes 提供了一种将集群中的 Pod 分为几个类并做出有关调度和驱逐决策的方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/pod-qos/' target='_blank' aria-label='Quality of Service (QoS) classes'>Quality of Service (QoS) classes</a>. Kubernetes uses QoS classes to make decisions about evicting Pods when Node resources are exceeded. --> <p>本页介绍怎样配置 Pod 以让其归属于特定的 <a class='glossary-tooltip' title='QoS 类（Quality of Service Class）为 Kubernetes 提供了一种将集群中的 Pod 分为几个类并做出有关调度和驱逐决策的方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/pod-qos/' target='_blank' aria-label='服务质量类（Quality of Service class，QoS class）'>服务质量类（Quality of Service class，QoS class）</a>. Kubernetes 在 Node 资源不足时使用 QoS 类来就驱逐 Pod 作出决定。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-pod-namespace/<!-- title: Configure a Pod Quota for a Namespace content_type: task weight: 60 description: >- Restrict how many Pods you can create within a namespace. --> <!-- overview --> <!-- This page shows how to set a quota for the total number of Pods that can run in a <a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='Namespace'>Namespace</a>. You specify quotas in a [ResourceQuota](/docs/reference/kubernetes-api/policy-resources/resource-quota-v1/) object. --> <p>本文主要介绍如何在<a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='命名空间'>命名空间</a>中设置可运行 Pod 总数的配额。 你可以通过使用 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/policy-resources/resource-quota-v1/">ResourceQuota</a> 对象来配置配额。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/configure-feature-gates/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/configure-feature-gates/<!-- title: Enable Or Disable Feature Gates content_type: task weight: 60 --> <!-- overview --> <!-- This page shows how to enable or disable feature gates to control specific Kubernetes features in your cluster. Enabling feature gates allows you to test and use Alpha or Beta features before they become generally available. --> <p>本页介绍如何启用或禁用特性门控（feature gates）， 以便在你的集群中控制特定的 Kubernetes 特性。 启用特性门控可以让你在特性正式发布（GA）之前，测试并使用 Alpha 或 Beta 特性。</p> <div class="alert alert-info" role="note"><h4 class="alert-heading">说明：</h4><!-- For some stable (GA) gates, you can also disable them, usually for one minor release after GA; however if you do that, your cluster may not be conformant as Kubernetes. --> <p>对于某些稳定（GA）的特性门控，你也可以禁用它们，通常只允许在 GA 之后的一个次要版本中这样做； 但如果你这样做，你的集群可能不再符合 Kubernetes 一致性（conformance）要求。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/logging/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/logging/<!-- reviewers: - piosz - x13n title: Logging Architecture content_type: concept weight: 60 --> <!-- overview --> <!-- Application logs can help you understand what is happening inside your application. The logs are particularly useful for debugging problems and monitoring cluster activity. Most modern applications have some kind of logging mechanism. Likewise, container engines are designed to support logging. The easiest and most adopted logging method for containerized applications is writing to standard output and standard error streams. --> <p>应用日志可以让你了解应用内部的运行状况。日志对调试问题和监控集群活动非常有用。 大部分现代化应用都有某种日志记录机制。同样地，容器引擎也被设计成支持日志记录。 针对容器化应用，最简单且最广泛采用的日志记录方式就是写入标准输出和标准错误流。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/containers/cri/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/containers/cri/<!-- title: Container Runtime Interface (CRI) content_type: concept weight: 60 --> <!-- overview --> <!-- The CRI is a plugin interface which enables the kubelet to use a wide variety of container runtimes, without having a need to recompile the cluster components. You need a working <a class='glossary-tooltip' title='容器运行时是负责运行容器的软件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/container-runtimes' target='_blank' aria-label='container runtime'>container runtime</a> on each Node in your cluster, so that the <a class='glossary-tooltip' title='一个在集群中每个节点上运行的代理。它保证容器都运行在 Pod 中。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet' target='_blank' aria-label='kubelet'>kubelet</a> can launch <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pods'>Pods</a> and their containers. --> <p>CRI 是一个插件接口，它使 kubelet 能够使用各种容器运行时，无需重新编译集群组件。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/delete-stateful-set/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/delete-stateful-set/<!-- reviewers: - bprashanth - erictune - foxish - janetkuo - smarterclayton title: Delete a StatefulSet content_type: task weight: 60 --> <!-- overview --> <!-- This task shows you how to delete a <a class='glossary-tooltip' title='StatefulSet 用来管理某 Pod 集合的部署和扩缩，并为这些 Pod 提供持久存储和持久标识符。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/' target='_blank' aria-label='StatefulSet'>StatefulSet</a>. --> <p>本任务展示如何删除 <a class='glossary-tooltip' title='StatefulSet 用来管理某 Pod 集合的部署和扩缩，并为这些 Pod 提供持久存储和持久标识符。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/' target='_blank' aria-label='StatefulSet'>StatefulSet</a>。</p> <h2 id="准备开始">准备开始</h2> <!-- - This task assumes you have an application running on your cluster represented by a StatefulSet. --> <ul> <li>本任务假设在你的集群上已经运行了由 StatefulSet 创建的应用。</li> </ul> <!-- steps --> <!-- ## Deleting a StatefulSet You can delete a StatefulSet in the same way you delete other resources in Kubernetes: use the `kubectl delete` command, and specify the StatefulSet either by file or by name. --> <h2 id="deleting-a-statefulset">删除 StatefulSet</h2> <p>你可以像删除 Kubernetes 中的其他资源一样删除 StatefulSet： 使用 <code>kubectl delete</code> 命令，并按文件或者名字指定 StatefulSet。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/network/customize-hosts-file-for-pods/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/network/customize-hosts-file-for-pods/<!-- reviewers: - rickypai - thockin title: Adding entries to Pod /etc/hosts with HostAliases content_type: task weight: 60 min-kubernetes-server-version: 1.7 --> <!-- overview --> <!-- Adding entries to a Pod's `/etc/hosts` file provides Pod-level override of hostname resolution when DNS and other options are not applicable. You can add these custom entries with the HostAliases field in PodSpec. The Kubernetes project recommends modifying DNS configuration using the `hostAliases` field (part of the `.spec` for a Pod), and not by using an init container or other means to edit `/etc/hosts` directly. Change made in other ways may be overwritten by the kubelet during Pod creation or restart. --> <p>当 DNS 配置以及其它选项不合理的时候，通过向 Pod 的 <code>/etc/hosts</code> 文件中添加条目， 可以在 Pod 级别覆盖对主机名的解析。你可以通过 PodSpec 的 HostAliases 字段来添加这些自定义条目。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/organize-cluster-access-kubeconfig/<!-- title: Organizing Cluster Access Using kubeconfig Files content_type: concept weight: 60 --> <!-- overview --> <!-- Use kubeconfig files to organize information about clusters, users, namespaces, and authentication mechanisms. The `kubectl` command-line tool uses kubeconfig files to find the information it needs to choose a cluster and communicate with the API server of a cluster. --> <p>使用 kubeconfig 文件来组织有关集群、用户、命名空间和身份认证机制的信息。 <code>kubectl</code> 命令行工具使用 kubeconfig 文件来查找选择集群所需的信息，并与集群的 API 服务器进行通信。</p> <div class="alert alert-info" role="note"><h4 class="alert-heading">说明：</h4><!-- A file that is used to configure access to clusters is called a *kubeconfig file*. This is a generic way of referring to configuration files. It does not mean that there is a file named `kubeconfig`. --> <p>用于配置集群访问的文件称为 <strong>kubeconfig 文件</strong>。 这是引用到配置文件的通用方法，并不意味着有一个名为 <code>kubeconfig</code> 的文件。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/access-cluster-api/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/access-cluster-api/<!-- title: Access Clusters Using the Kubernetes API content_type: task weight: 60 --> <!-- overview --> <!-- This page shows how to access clusters using the Kubernetes API. --> <p>本页展示了如何使用 Kubernetes API 访问集群。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/job/pod-failure-policy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/job/pod-failure-policy/<!-- title: Handling retriable and non-retriable pod failures with Pod failure policy content_type: task min-kubernetes-server-version: v1.25 weight: 60 --> <div class="feature-state-notice feature-stable" title="特性门控： JobPodFailurePolicy"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.31 [stable]</code>（默认启用）</div> <!-- overview --> <!-- This document shows you how to use the [Pod failure policy](/docs/concepts/workloads/controllers/job#pod-failure-policy), in combination with the default [Pod backoff failure policy](/docs/concepts/workloads/controllers/job#pod-backoff-failure-policy), to improve the control over the handling of container- or Pod-level failure within a <a class='glossary-tooltip' title='Job 是需要运行完成的确定性的或批量的任务。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/job/' target='_blank' aria-label='Job'>Job</a>. --> <p>本文向你展示如何结合默认的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/job#pod-backoff-failure-policy">Pod 回退失效策略</a>来使用 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/job#pod-failure-policy">Pod 失效策略</a>， 以改善 <a class='glossary-tooltip' title='Job 是需要运行完成的确定性的或批量的任务。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/job/' target='_blank' aria-label='Job'>Job</a> 内处理容器级别或 Pod 级别的失效。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/network-policy-provider/weave-network-policy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/network-policy-provider/weave-network-policy/<!-- reviewers: - bboreham title: Weave Net for NetworkPolicy content_type: task weight: 60 --> <!-- overview --> <!-- This page shows how to use Weave Net for NetworkPolicy. --> <p>本页展示如何使用 Weave Net 提供 NetworkPolicy。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster. Follow the [kubeadm getting started guide](/docs/reference/setup-tools/kubeadm/) to bootstrap one. --> <p>你需要拥有一个 Kubernetes 集群。按照 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/">kubeadm 入门指南</a> 来启动一个。</p> <!-- steps --> <!-- ## Install the Weave Net addon Follow the [Integrating Kubernetes via the Addon](https://github.com/weaveworks/weave/blob/master/site/kubernetes/kube-addon.md#-installation) guide. The Weave Net addon for Kubernetes comes with a [Network Policy Controller](https://github.com/weaveworks/weave/blob/master/site/kubernetes/kube-addon.md#network-policy) that automatically monitors Kubernetes for any NetworkPolicy annotations on all namespaces and configures `iptables` rules to allow or block traffic as directed by the policies. --> <h2 id="install-the-weave-net-addon">安装 Weave Net 插件</h2> <p>按照<a href="https://github.com/weaveworks/weave/blob/master/site/kubernetes/kube-addon.md#-installation">通过插件集成 Kubernetes</a> 指南执行安装。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-kubernetes-objects/storage-version-migration/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-kubernetes-objects/storage-version-migration/<!-- title: Migrate Kubernetes Objects Using Storage Version Migration reviewers: - deads2k - jpbetz - enj - nilekhc content_type: task min-kubernetes-server-version: v1.30 weight: 60 --> <!-- overview --> <div class="feature-state-notice feature-beta" title="特性门控： StorageVersionMigrator"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.35 [beta]</code>（默认禁用）</div> <!-- Kubernetes relies on API data being actively re-written, to support some maintenance activities related to at rest storage. Two prominent examples are the versioned schema of stored resources (that is, the preferred storage schema changing from v1 to v2 for a given resource) and encryption at rest (that is, rewriting stale data based on a change in how the data should be encrypted). --> <p>Kubernetes 依赖主动重写的 API 数据来支持与静态存储相关的一些维护活动。 两个著名的例子是已存储资源的版本化模式（即针对给定资源的首选存储模式从 v1 更改为 v2） 和静态加密（即基于数据加密方式的变化来重写过时的数据）。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/service-access-application-cluster/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/service-access-application-cluster/<!-- title: Use a Service to Access an Application in a Cluster content_type: tutorial weight: 60 --> <!-- overview --> <!-- This page shows how to create a Kubernetes Service object that external clients can use to access an application running in a cluster. The Service provides load balancing for an application that has two running instances. --> <p>本文展示如何创建一个 Kubernetes 服务对象，能让外部客户端访问在集群中运行的应用。 该服务为一个应用的两个运行实例提供负载均衡。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/services/pods-and-endpoint-termination-flow/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/services/pods-and-endpoint-termination-flow/<!-- title: Explore Termination Behavior for Pods And Their Endpoints content_type: tutorial weight: 60 --> <!-- overview --> <!-- Once you connected your Application with Service following steps like those outlined in [Connecting Applications with Services](/docs/tutorials/services/connect-applications-service/), you have a continuously running, replicated application, that is exposed on a network. This tutorial helps you look at the termination flow for Pods and to explore ways to implement graceful connection draining. --> <p>一旦你参照<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/services/connect-applications-service/">使用 Service 连接到应用</a>中概述的那些步骤使用 Service 连接到了你的应用，你就有了一个持续运行的多副本应用暴露在了网络上。 本教程帮助你了解 Pod 的终止流程，探索实现连接排空的几种方式。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/diagram-guide/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/diagram-guide/<!-- title: Diagram Guide linktitle: Diagram guide content_type: concept weight: 60 --> <!--Overview--> <!-- This guide shows you how to create, edit and share diagrams using the Mermaid JavaScript library. Mermaid.js allows you to generate diagrams using a simple markdown-like syntax inside Markdown files. You can also use Mermaid to generate `.svg` or `.png` image files that you can add to your documentation. The target audience for this guide is anybody wishing to learn about Mermaid and/or how to create and add diagrams to Kubernetes documentation. Figure 1 outlines the topics covered in this section. --> <p>本指南为你展示如何创建、编辑和分享基于 Mermaid JavaScript 库的图表。 Mermaid.js 允许你使用简单的、类似于 Markdown 的语法来在 Markdown 文件中生成图表。 你也可以使用 Mermaid 来创建 <code>.svg</code> 或 <code>.png</code> 图片文件，将其添加到你的文档中。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/<!-- reviewers: - liggitt - mikedanese - munnerz - enj title: Certificates and Certificate Signing Requests api_metadata: - apiVersion: "certificates.k8s.io/v1" kind: "CertificateSigningRequest" override_link_text: "CSR v1" - apiVersion: "certificates.k8s.io/v1alpha1" kind: "ClusterTrustBundle" content_type: concept weight: 60 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.19 [stable]</code> </div> <!-- Kubernetes certificate and trust bundle APIs enable automation of [X.509](https://www.itu.int/rec/T-REC-X.509) credential provisioning by providing a programmatic interface for clients of the Kubernetes API to request and obtain X.509 <a class='glossary-tooltip' title='证书是个安全加密文件，用来确认对 Kubernetes 集群访问的合法性。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tls/managing-tls-in-a-cluster/' target='_blank' aria-label='certificates'>certificates</a> from a Certificate Authority (CA). There is also experimental (alpha) support for distributing [trust bundles](#cluster-trust-bundles). --> <p>Kubernetes 证书和信任包（trust bundle）API 可以通过为 Kubernetes API 的客户端提供编程接口， 实现 <a href="https://www.itu.int/rec/T-REC-X.509">X.509</a> 凭据的自动化制备， 从而请求并获取证书颁发机构（CA）发布的 X.509 <a class='glossary-tooltip' title='证书是个安全加密文件，用来确认对 Kubernetes 集群访问的合法性。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tls/managing-tls-in-a-cluster/' target='_blank' aria-label='证书'>证书</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/annotations/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/annotations/<!-- title: Annotations content_type: concept weight: 60 --> <!-- overview --> <!-- You can use Kubernetes annotations to attach arbitrary non-identifying metadata to <a class='glossary-tooltip' title='Kubernetes 系统中的实体，代表了集群的部分状态。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/#kubernetes-objects' target='_blank' aria-label='objects'>objects</a>. Clients such as tools and libraries can retrieve this metadata. --> <p>你可以使用 Kubernetes 注解为<a class='glossary-tooltip' title='Kubernetes 系统中的实体，代表了集群的部分状态。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/#kubernetes-objects' target='_blank' aria-label='对象'>对象</a>附加任意的非标识的元数据。 客户端程序（例如工具和库）能够获取这些元数据信息。</p> <!-- body --> <!-- ## Attaching metadata to objects You can use either labels or annotations to attach metadata to Kubernetes objects. Labels can be used to select objects and to find collections of objects that satisfy certain conditions. In contrast, annotations are not used to identify and select objects. The metadata in an annotation can be small or large, structured or unstructured, and can include characters not permitted by labels. It is possible to use labels as well as annotations in the metadata of the same object. Annotations, like labels, are key/value maps: --> <h2 id="为对象附加元数据">为对象附加元数据</h2> <p>你可以使用标签或注解将元数据附加到 Kubernetes 对象。 标签可以用来选择对象和查找满足某些条件的对象集合。 相反，注解不用于标识和选择对象。 注解中的元数据，可以很小，也可以很大，可以是结构化的，也可以是非结构化的，能够包含标签不允许的字符。 可以在同一对象的元数据中同时使用标签和注解。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volume-snapshot-classes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volume-snapshot-classes/<!-- overview --> <!-- This document describes the concept of VolumeSnapshotClass in Kubernetes. Familiarity with [volume snapshots](/docs/concepts/storage/volume-snapshots/) and [storage classes](/docs/concepts/storage/storage-classes) is suggested. --> <p>本文档描述了 Kubernetes 中 VolumeSnapshotClass 的概念。建议熟悉 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volume-snapshots/">卷快照（Volume Snapshots）</a>和 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/storage-classes">存储类（Storage Class）</a>。</p> <!-- body --> <!-- ## Introduction Just like StorageClass provides a way for administrators to describe the "classes" of storage they offer when provisioning a volume, VolumeSnapshotClass provides a way to describe the "classes" of storage when provisioning a volume snapshot. --> <h2 id="introduction">介绍</h2> <p>就像 StorageClass 为管理员提供了一种在配置卷时描述存储“类”的方法， VolumeSnapshotClass 提供了一种在配置卷快照时描述存储“类”的方法。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/windows/intro/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/windows/intro/<!-- reviewers: - jayunit100 - jsturtevant - marosset - perithompson title: Windows containers in Kubernetes content_type: concept weight: 65 --> <!-- overview --> <!-- Windows applications constitute a large portion of the services and applications that run in many organizations. [Windows containers](https://aka.ms/windowscontainers) provide a way to encapsulate processes and package dependencies, making it easier to use DevOps practices and follow cloud native patterns for Windows applications. Organizations with investments in Windows-based applications and Linux-based applications don't have to look for separate orchestrators to manage their workloads, leading to increased operational efficiencies across their deployments, regardless of operating system. --> <p>在许多组织中，所运行的很大一部分服务和应用是 Windows 应用。 <a href="https://aka.ms/windowscontainers">Windows 容器</a>提供了一种封装进程和包依赖项的方式， 从而简化了 DevOps 实践，令 Windows 应用同样遵从云原生模式。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/dynamic-resource-allocation/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/dynamic-resource-allocation/<!-- reviewers: - klueska - pohly title: Dynamic Resource Allocation content_type: concept weight: 65 api_metadata: - apiVersion: "resource.k8s.io/v1alpha3" kind: "DeviceTaintRule" - apiVersion: "resource.k8s.io/v1beta1" kind: "ResourceClaim" - apiVersion: "resource.k8s.io/v1beta1" kind: "ResourceClaimTemplate" - apiVersion: "resource.k8s.io/v1beta1" kind: "DeviceClass" - apiVersion: "resource.k8s.io/v1beta1" kind: "ResourceSlice" - apiVersion: "resource.k8s.io/v1beta2" kind: "ResourceClaim" - apiVersion: "resource.k8s.io/v1beta2" kind: "ResourceClaimTemplate" - apiVersion: "resource.k8s.io/v1beta2" kind: "DeviceClass" - apiVersion: "resource.k8s.io/v1beta2" kind: "ResourceSlice" --> <!-- overview --> <div class="feature-state-notice feature-stable" title="特性门控： DynamicResourceAllocation"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.35 [stable]</code>（默认启用）</div> <!-- This page describes _dynamic resource allocation (DRA)_ in Kubernetes. --> <p>本页描述 Kubernetes 中的 <strong>动态资源分配（DRA）</strong>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volume-pvc-datasource/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volume-pvc-datasource/<!-- reviewers: - jsafrane - saad-ali - thockin - msau42 title: CSI Volume Cloning content_type: concept weight: 60 --> <!-- overview --> <!-- This document describes the concept of cloning existing CSI Volumes in Kubernetes. Familiarity with [Volumes](/docs/concepts/storage/volumes) is suggested. --> <p>本文档介绍 Kubernetes 中克隆现有 CSI 卷的概念。阅读前建议先熟悉 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes">卷</a>。</p> <!-- body --> <!-- ## Introduction The <a class='glossary-tooltip' title='容器存储接口 （CSI）定义了存储系统暴露给容器的标准接口。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes/#csi' target='_blank' aria-label='CSI'>CSI</a> Volume Cloning feature adds support for specifying existing <a class='glossary-tooltip' title='声明在持久卷中定义的存储资源，以便可以将其挂载为容器中的卷。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims' target='_blank' aria-label='PVC'>PVC</a>s in the `dataSource` field to indicate a user would like to clone a <a class='glossary-tooltip' title='包含可被 Pod 中容器访问的数据的目录。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes/' target='_blank' aria-label='卷（Volume）'>卷（Volume）</a>. --> <h2 id="介绍">介绍</h2> <p><a class='glossary-tooltip' title='容器存储接口 （CSI）定义了存储系统暴露给容器的标准接口。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes/#csi' target='_blank' aria-label='CSI'>CSI</a> 卷克隆功能增加了通过在 <code>dataSource</code> 字段中指定存在的 <a class='glossary-tooltip' title='声明在持久卷中定义的存储资源，以便可以将其挂载为容器中的卷。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims' target='_blank' aria-label='PVC'>PVC</a>， 来表示用户想要克隆的 <a class='glossary-tooltip' title='包含可被 Pod 中容器访问的数据的目录。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes/' target='_blank' aria-label='卷（Volume）'>卷（Volume）</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-token/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-token/<!-- reviewers: - luxas - jbeda title: kubeadm token content_type: concept weight: 70 --> <!-- overview --> <!-- Bootstrap tokens are used for establishing bidirectional trust between a node joining the cluster and a control-plane node, as described in [authenticating with bootstrap tokens](/docs/reference/access-authn-authz/bootstrap-tokens/). --> <p>如<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/bootstrap-tokens/">使用引导令牌进行身份验证</a>所述， 引导令牌用于在即将加入集群的节点和控制平面节点间建立双向认证。</p> <!-- `kubeadm init` creates an initial token with a 24-hour TTL. The following commands allow you to manage such a token and also to create and manage new ones. --> <p><code>kubeadm init</code> 创建了一个有效期为 24 小时的令牌，下面的命令允许你管理令牌，也可以创建和管理新的令牌。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/kuberc/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/kuberc/<!-- title: Kubectl user preferences (kuberc) content_type: concept weight: 70 --> <div class="feature-state-notice feature-beta"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes 1.34 [beta]</code> </div> <!-- A Kubernetes `kuberc` configuration file allows you to define preferences for <a class='glossary-tooltip' title='kubectl 是用来和 Kubernetes 集群进行通信的命令行工具。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/' target='_blank' aria-label='kubectl'>kubectl</a>, such as default options and command aliases. Unlike the kubeconfig file, a `kuberc` configuration file does **not** contain cluster details, usernames or passwords. --> <p>Kubernetes <code>kuberc</code> 配置文件允许你定义 <a class='glossary-tooltip' title='kubectl 是用来和 Kubernetes 集群进行通信的命令行工具。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/' target='_blank' aria-label='kubectl'>kubectl</a> 的偏好设置，例如默认选项和命令别名。 与 kubeconfig 文件不同，<code>kuberc</code> 配置文件<strong>不</strong>包含集群详情、用户名或密码。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/secrets-good-practices/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/secrets-good-practices/<!-- title: Good practices for Kubernetes Secrets description: > Principles and practices for good Secret management for cluster administrators and application developers. content_type: concept weight: 70 --> <!-- overview --> <!-- --- title: Secret id: secret date: 2018-04-12 full_link: /docs/concepts/configuration/secret/ short_description: > Stores sensitive information, such as passwords, OAuth tokens, and ssh keys. aka: tags: - core-object - security --- --> <!-- Stores sensitive information, such as passwords, OAuth tokens, and SSH keys. --> <p><p>在 Kubernetes 中，Secret 是这样一个对象： secret 用于存储敏感信息，如密码、OAuth 令牌和 SSH 密钥。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/compatibility-version/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/compatibility-version/<!-- title: Compatibility Version For Kubernetes Control Plane Components reviewers: - jpbetz - siyuanfoundation content_type: concept weight: 70 --> <!-- overview --> <!-- Since release v1.32, we introduced configurable version compatibility and emulation options to Kubernetes control plane components to make upgrades safer by providing more control and increasing the granularity of steps available to cluster administrators. --> <p>自 v1.32 版本发布以来，我们为 Kubernetes 控制平面组件引入了可配置的版本兼容性和仿真选项， 为集群管理员提供更多控制选项并增加可用的细粒度步骤来让升级更加安全。</p> <!-- body --> <!-- ## Emulated Version The emulation option is set by the `--emulated-version` flag of control plane components. It allows the component to emulate the behavior (APIs, features, ...) of an earlier version of Kubernetes. --> <h2 id="emulated-version">仿真版本</h2> <p>仿真选项通过控制平面组件的 <code>--emulated-version</code> 参数来设置。 此选项允许控制平面组件仿真 Kubernetes 早期版本的行为（API、特性等）。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/system-metrics/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/system-metrics/<!-- title: Metrics For Kubernetes System Components reviewers: - brancz - logicalhan - RainbowMango content_type: concept weight: 70 --> <!-- overview --> <!-- System component metrics can give a better look into what is happening inside them. Metrics are particularly useful for building dashboards and alerts. Kubernetes components emit metrics in [Prometheus format](https://prometheus.io/docs/instrumenting/exposition_formats/). This format is structured plain text, designed so that people and machines can both read it. --> <p>通过系统组件指标可以更好地了解系统组个内部发生的情况。系统组件指标对于构建仪表板和告警特别有用。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/gang-scheduling/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/gang-scheduling/<!-- title: Gang Scheduling content_type: concept weight: 70 --> <!-- overview --> <div class="feature-state-notice feature-alpha" title="特性门控： GangScheduling"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.35 [alpha]</code>（默认禁用）</div> <!-- Gang scheduling ensures that a group of Pods are scheduled on an "all-or-nothing" basis. If the cluster cannot accommodate the entire group (or a defined minimum number of Pods), none of the Pods are bound to a node. This feature depends on the [Workload API](/docs/concepts/workloads/workload-api/). Ensure the [`GenericWorkload`](/docs/reference/command-line-tools-reference/feature-gates/#GenericWorkload) feature gate and the `scheduling.k8s.io/v1alpha1` <a class='glossary-tooltip' title='Kubernetes API 中的一组相关路径。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/kubernetes-api/#api-groups-and-versioning' target='_blank' aria-label='API group'>API group</a> are enabled in the cluster. --> <p>编组调度（Gang Scheduling）确保一组 Pod 以 <strong>全有或全无（all-or-nothing）</strong> 的方式进行调度。 如果集群无法容纳整个组（或某确定的最小 Pod 数量），则不会将任何 Pod 绑定到节点上。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/scheduler-perf-tuning/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/scheduler-perf-tuning/<!-- --- reviewers: - bsalamat title: Scheduler Performance Tuning content_type: concept weight: 70 --- --> <!-- overview --> <div class="feature-state-notice feature-beta"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.14 [beta]</code> </div> <!-- [kube-scheduler](/docs/concepts/scheduling-eviction/kube-scheduler/#kube-scheduler) is the Kubernetes default scheduler. It is responsible for placement of Pods on Nodes in a cluster. --> <p>作为 kubernetes 集群的默认调度器， <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/kube-scheduler/#kube-scheduler">kube-scheduler</a> 主要负责将 Pod 调度到集群的 Node 上。</p> <!-- Nodes in a cluster that meet the scheduling requirements of a Pod are called _feasible_ Nodes for the Pod. The scheduler finds feasible Nodes for a Pod and then runs a set of functions to score the feasible Nodes, picking a Node with the highest score among the feasible ones to run the Pod. The scheduler then notifies the API server about this decision in a process called _Binding_. --> <p>在一个集群中，满足一个 Pod 调度请求的所有 Node 称之为<strong>可调度</strong> Node。 调度器先在集群中找到一个 Pod 的可调度 Node，然后根据一系列函数对这些可调度 Node 打分， 之后选出其中得分最高的 Node 来运行 Pod。 最后，调度器将这个调度决定告知 kube-apiserver，这个过程叫做<strong>绑定（Binding）</strong>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/disruptions/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/disruptions/<!-- reviewers: - erictune - foxish - davidopp title: Disruptions content_type: concept weight: 70 --> <!-- overview --> <!-- This guide is for application owners who want to build highly available applications, and thus need to understand what types of disruptions can happen to Pods. --> <p>本指南针对的是希望构建高可用性应用的应用所有者，他们有必要了解可能发生在 Pod 上的干扰类型。</p> <!-- It is also for cluster administrators who want to perform automated cluster actions, like upgrading and autoscaling clusters. --> <p>文档同样适用于想要执行自动化集群操作（例如升级和自动扩展集群）的集群管理员。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/garbage-collection/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/garbage-collection/<!-- title: Garbage Collection content_type: concept weight: 70 --> <!-- overview --> <!-- 垃圾收集（Garbage Collection）是 Kubernetes 用于清理集群资源的各种机制的统称。 This allows the clean up of resources like the following: --> <p>垃圾收集（Garbage Collection）是 Kubernetes 用于清理集群资源的各种机制的统称。 垃圾收集允许系统清理如下资源：</p> <!-- * [Terminated pods](/docs/concepts/workloads/pods/pod-lifecycle/#pod-garbage-collection) * [Completed Jobs](/docs/concepts/workloads/controllers/ttlafterfinished/) * [Objects without owner references](#owners-dependents) * [Unused containers and container images](#containers-images) * [Dynamically provisioned PersistentVolumes with a StorageClass reclaim policy of Delete](/docs/concepts/storage/persistent-volumes/#delete) * [Stale or expired CertificateSigningRequests (CSRs)](/docs/reference/access-authn-authz/certificate-signing-requests/#request-signing-process) * <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='Nodes'>Nodes</a> deleted in the following scenarios: * On a cloud when the cluster uses a [cloud controller manager](/docs/concepts/architecture/cloud-controller/) * On-premises when the cluster uses an addon similar to a cloud controller manager * [Node Lease objects](/docs/concepts/architecture/nodes/#heartbeats) --> <ul> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-garbage-collection">终止的 Pod</a></li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/ttlafterfinished/">已完成的 Job</a></li> <li><a href="#owners-dependents">不再存在属主引用的对象</a></li> <li><a href="#containers-images">未使用的容器和容器镜像</a></li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/#delete">动态制备的、StorageClass 回收策略为 Delete 的 PV 卷</a></li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/certificate-signing-requests/#request-signing-process">阻滞或者过期的 CertificateSigningRequest (CSR)</a></li> <li>在以下情形中删除了的<a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='节点'>节点</a>对象： <ul> <li>当集群使用<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/cloud-controller/">云控制器管理器</a>运行于云端时；</li> <li>当集群使用类似于云控制器管理器的插件运行在本地环境中时。</li> </ul> </li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/#heartbeats">节点租约对象</a></li> </ul> <!-- ## Owners and dependents {#owners-dependents} Many objects in Kubernetes link to each other through [*owner references*](/docs/concepts/overview/working-with-objects/owners-dependents/). Owner references tell the control plane which objects are dependent on others. Kubernetes uses owner references to give the control plane, and other API clients, the opportunity to clean up related resources before deleting an object. In most cases, Kubernetes manages owner references automatically. --> <h2 id="owners-dependents">属主与依赖</h2> <p>Kubernetes 中很多对象通过<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/owners-dependents/"><strong>属主引用</strong></a> 链接到彼此。属主引用（Owner Reference）可以告诉控制面哪些对象依赖于其他对象。 Kubernetes 使用属主引用来为控制面以及其他 API 客户端在删除某对象时提供一个清理关联资源的机会。 在大多数场合，Kubernetes 都是自动管理属主引用的。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/force-delete-stateful-set-pod/<!-- reviewers: - bprashanth - erictune - foxish - smarterclayton title: Force Delete StatefulSet Pods content_type: task weight: 70 --> <!-- overview --> <!-- This page shows how to delete Pods which are part of a <a class='glossary-tooltip' title='StatefulSet 用来管理某 Pod 集合的部署和扩缩，并为这些 Pod 提供持久存储和持久标识符。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/' target='_blank' aria-label='stateful set'>stateful set</a>, and explains the considerations to keep in mind when doing so. --> <p>本文介绍如何删除 <a class='glossary-tooltip' title='StatefulSet 用来管理某 Pod 集合的部署和扩缩，并为这些 Pod 提供持久存储和持久标识符。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/' target='_blank' aria-label='StatefulSet'>StatefulSet</a> 管理的 Pod，并解释这样操作时需要记住的一些注意事项。</p> <h2 id="准备开始">准备开始</h2> <!-- - This is a fairly advanced task and has the potential to violate some of the properties inherent to StatefulSet. - Before proceeding, make yourself familiar with the considerations enumerated below. --> <ul> <li>这是一项相当高级的任务，并且可能会违反 StatefulSet 固有的某些属性。</li> <li>请先熟悉下面列举的注意事项再开始操作。</li> </ul> <!-- steps --> <!-- ## StatefulSet considerations In normal operation of a StatefulSet, there is **never** a need to force delete a StatefulSet Pod. The [StatefulSet controller](/docs/concepts/workloads/controllers/statefulset/) is responsible for creating, scaling and deleting members of the StatefulSet. It tries to ensure that the specified number of Pods from ordinal 0 through N-1 are alive and ready. StatefulSet ensures that, at any time, there is at most one Pod with a given identity running in a cluster. This is referred to as *at most one* semantics provided by a StatefulSet. --> <h2 id="statefulset-considerations">StatefulSet 注意事项</h2> <p>在正常操作 StatefulSet 时，<strong>永远不</strong>需要强制删除 StatefulSet 管理的 Pod。 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/">StatefulSet 控制器</a>负责创建、 扩缩和删除 StatefulSet 管理的 Pod。此控制器尽力确保指定数量的从序数 0 到 N-1 的 Pod 处于活跃状态并准备就绪。StatefulSet 确保在任何时候，集群中最多只有一个具有给定标识的 Pod。 这就是所谓的由 StatefulSet 提供的<strong>最多一个（At Most One）</strong> Pod 的语义。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubernetes/setup-konnectivity/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubernetes/setup-konnectivity/<!-- overview --> <!-- The Konnectivity service provides a TCP level proxy for the control plane to cluster communication. --> <p>Konnectivity 服务为控制平面提供集群通信的 TCP 级别代理。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/). --> <p>你需要有一个 Kubernetes 集群，并且 kubectl 命令可以与集群通信。 建议在至少有两个不充当控制平面主机的节点的集群上运行本教程。 如果你还没有集群，可以使用 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">minikube</a> 创建一个集群。</p>https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm/<!-- reviewers: - sig-cluster-lifecycle title: Set up a High Availability etcd Cluster with kubeadm content_type: task weight: 70 --> <!-- overview --> <!-- By default, kubeadm runs a local etcd instance on each control plane node. It is also possible to treat the etcd cluster as external and provision etcd instances on separate hosts. The differences between the two approaches are covered in the [Options for Highly Available topology](/docs/setup/production-environment/tools/kubeadm/ha-topology) page. --> <p>默认情况下，kubeadm 在每个控制平面节点上运行一个本地 etcd 实例。也可以使用外部的 etcd 集群，并在不同的主机上提供 etcd 实例。 这两种方法的区别在<a href="https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/ha-topology">高可用拓扑的选项</a>页面中阐述。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/connecting-frontend-backend/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/connecting-frontend-backend/<!-- title: Connect a Frontend to a Backend Using Services content_type: tutorial weight: 70 --> <!-- overview --> <!-- This task shows how to create a _frontend_ and a _backend_ microservice. The backend microservice is a hello greeter. The frontend exposes the backend using nginx and a Kubernetes <a class='glossary-tooltip' title='将运行在一组 Pods 上的应用程序公开为网络服务的抽象方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/' target='_blank' aria-label='服务（Service）'>服务（Service）</a> object. --> <p>本任务会描述如何创建前端（Frontend）微服务和后端（Backend）微服务。后端微服务是一个 hello 欢迎程序。 前端通过 nginx 和一个 Kubernetes <a class='glossary-tooltip' title='将运行在一组 Pods 上的应用程序公开为网络服务的抽象方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/' target='_blank' aria-label='服务'>服务</a> 暴露后端所提供的服务。</p> <h2 id="教程目标">教程目标</h2> <!-- * Create and run a sample `hello` backend microservice using a <a class='glossary-tooltip' title='管理集群上的多副本应用。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/deployment/' target='_blank' aria-label='Deployment'>Deployment</a> object. * Use a Service object to send traffic to the backend microservice's multiple replicas. * Create and run a `nginx` frontend microservice, also using a Deployment object. * Configure the frontend microservice to send traffic to the backend microservice. * Use a Service object of `type=LoadBalancer` to expose the frontend microservice outside the cluster. --> <ul> <li>使用部署对象（Deployment object）创建并运行一个 <code>hello</code> 后端微服务</li> <li>使用一个 Service 对象将请求流量发送到后端微服务的多个副本</li> <li>同样使用一个 Deployment 对象创建并运行一个 <code>nginx</code> 前端微服务</li> <li>配置前端微服务将请求流量发送到后端微服务</li> <li>使用 <code>type=LoadBalancer</code> 的 Service 对象将前端微服务暴露到集群外部</li> </ul> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/network-policies/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/network-policies/<!-- reviewers: - thockin - caseydavenport - danwinship title: Network Policies content_type: concept api_metadata: - apiVersion: "networking.k8s.io/v1" kind: "NetworkPolicy" weight: 70 description: >- If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), NetworkPolicies allow you to specify rules for traffic flow within your cluster, and also between Pods and the outside world. Your cluster must use a network plugin that supports NetworkPolicy enforcement. --> <!-- overview --> <!-- If you want to control traffic flow at the IP address or port level for TCP, UDP, and SCTP protocols, then you might consider using Kubernetes NetworkPolicies for particular applications in your cluster. NetworkPolicies are an application-centric construct which allow you to specify how a <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='pod'>pod</a> is allowed to communicate with various network "entities" (we use the word "entity" here to avoid overloading the more common terms such as "endpoints" and "services", which have specific Kubernetes connotations) over the network. NetworkPolicies apply to a connection with a pod on one or both ends, and are not relevant to other connections. --> <p>如果你希望针对 TCP、UDP 和 SCTP 协议在 IP 地址或端口层面控制网络流量， 则你可以考虑为集群中特定应用使用 Kubernetes 网络策略（NetworkPolicy）。 NetworkPolicy 是一种以应用为中心的结构，允许你设置如何允许 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 与网络上的各类网络“实体” （我们这里使用实体以避免过度使用诸如“端点”和“服务”这类常用术语， 这些术语在 Kubernetes 中有特定含义）通信。 NetworkPolicy 适用于一端或两端与 Pod 的连接，与其他连接无关。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/extended-resource-node/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/extended-resource-node/<!-- title: Advertise Extended Resources for a Node content_type: task weight: 70 --> <!-- overview --> <!-- This page shows how to specify extended resources for a Node. Extended resources allow cluster administrators to advertise node-level resources that would otherwise be unknown to Kubernetes. --> <p>本文展示了如何为节点指定扩展资源（Extended Resource）。 扩展资源允许集群管理员发布节点级别的资源，这些资源在不进行发布的情况下无法被 Kubernetes 感知。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/extended-resource/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/extended-resource/<!-- title: Assign Extended Resources to a Container content_type: task weight: 70 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.35 [stable]</code> </div> <!-- This page shows how to assign extended resources to a Container. --> <p>本文介绍如何为容器指定扩展资源。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/ttlafterfinished/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/ttlafterfinished/<!-- reviewers: - janetkuo title: Automatic Cleanup for Finished Jobs content_type: concept weight: 70 description: >- A time-to-live mechanism to clean up old Jobs that have finished execution. --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.23 [stable]</code> </div> <!-- When your Job has finished, it's useful to keep that Job in the API (and not immediately delete the Job) so that you can tell whether the Job succeeded or failed. Kubernetes' TTL-after-finished <a class='glossary-tooltip' title='控制器通过 API 服务器监控集群的公共状态，并致力于将当前状态转变为期望的状态。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/controller/' target='_blank' aria-label='controller'>controller</a> provides a TTL (time to live) mechanism to limit the lifetime of Job objects that have finished execution. --> <p>当你的 Job 已结束时，将 Job 保留在 API 中（而不是立即删除 Job）很有用， 这样你就可以判断 Job 是成功还是失败。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/write-new-topic/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/write-new-topic/<!-- title: Writing a new topic content_type: task weight: 70 --> <!-- overview --> <!-- This page shows how to create a new topic for the Kubernetes docs. --> <p>本页面展示如何为 Kubernetes 文档库创建新主题。</p> <h2 id="准备开始">准备开始</h2> <!-- Create a fork of the Kubernetes documentation repository as described in [Open a PR](/docs/contribute/new-content/open-a-pr/). --> <p>如<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/new-content/open-a-pr/">发起 PR</a>中所述，创建 Kubernetes 文档库的派生副本。</p> <!-- steps --> <!-- ## Choosing a page type As you prepare to write a new topic, think about the page type that would fit your content the best: --> <h2 id="选择页面类型">选择页面类型</h2> <p>当你准备编写一个新的主题时，考虑一下最适合你的内容的页面类型：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/field-selectors/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/field-selectors/<!-- title: Field Selectors content_type: concept weight: 70 --> <!-- _Field selectors_ let you [select Kubernetes resources](/docs/concepts/overview/working-with-objects/kubernetes-objects) based on the value of one or more resource fields. Here are some examples of field selector queries: _Field selectors_ let you select Kubernetes <a class='glossary-tooltip' title='Kubernetes 系统中的实体，代表了集群的部分状态。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/#kubernetes-objects' target='_blank' aria-label='objects'>objects</a> based on the value of one or more resource fields. Here are some examples of field selector queries: --> <p>“字段选择算符（Field selectors）”允许你根据一个或多个资源字段的值筛选 Kubernetes <a class='glossary-tooltip' title='Kubernetes 系统中的实体，代表了集群的部分状态。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/#kubernetes-objects' target='_blank' aria-label='对象'>对象</a>。 下面是一些使用字段选择算符查询的例子：</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/blog/writing-buddy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/blog/writing-buddy/<!-- title: Helping as a blog writing buddy slug: writing-buddy content_type: concept weight: 70 --> <!-- overview --> <!-- There are two official Kubernetes blogs, and the CNCF has its own blog where you can cover Kubernetes too. Read [contributing to Kubernetes blogs](/docs/contribute/blog/) to learn about these two blogs. When people contribute to either blog as an author, the Kubernetes project pairs up authors as _writing buddies_. This page explains how to fulfil the buddy role. You should make sure that you have at least read an outline of [article submission](/docs/contribute/blog/submission/) before you read on within this page. --> <p>Kubernetes 有两个官方博客，同时 CNCF 也有自己的博客，你也可以在其中撰写与 Kubernetes 相关的内容。<br> 阅读<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/blog/">为 Kubernetes 博客贡献内容</a>以了解这两个博客的详细信息。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/kube-state-metrics/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/kube-state-metrics/<!-- title: Metrics for Kubernetes Object States content_type: concept weight: 75 description: >- kube-state-metrics, an add-on agent to generate and expose cluster-level metrics. --> <!-- The state of Kubernetes objects in the Kubernetes API can be exposed as metrics. An add-on agent called [kube-state-metrics](https://github.com/kubernetes/kube-state-metrics) can connect to the Kubernetes API server and expose a HTTP endpoint with metrics generated from the state of individual objects in the cluster. It exposes various information about the state of objects like labels and annotations, startup and termination times, status or the phase the object currently is in. For example, containers running in pods create a `kube_pod_container_info` metric. This includes the name of the container, the name of the pod it is part of, the <a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='namespace'>namespace</a> the pod is running in, the name of the container image, the ID of the image, the image name from the spec of the container, the ID of the running container and the ID of the pod as labels. --> <p>Kubernetes API 中 Kubernetes 对象的状态可以被公开为指标。 一个名为 <a href="https://github.com/kubernetes/kube-state-metrics">kube-state-metrics</a> 的插件代理可以连接到 Kubernetes API 服务器并公开一个 HTTP 端点，提供集群中各个对象的状态所生成的指标。 此代理公开了关于对象状态的各种信息，如标签和注解、启动和终止时间、对象当前所处的状态或阶段。 例如，针对运行在 Pod 中的容器会创建一个 <code>kube_pod_container_info</code> 指标。 其中包括容器的名称、所属的 Pod 的名称、Pod 所在的<a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='命名空间'>命名空间</a>、 容器镜像的名称、镜像的 ID、容器规约中的镜像名称、运行中容器的 ID 和用作标签的 Pod ID。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/windows-resource-management/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/windows-resource-management/<!-- reviewers: - jayunit100 - jsturtevant - marosset - perithompson title: Resource Management for Windows nodes content_type: concept weight: 75 --> <!-- overview This page outlines the differences in how resources are managed between Linux and Windows. --> <p>本页概述了 Linux 和 Windows 在资源管理方式上的区别。</p> <!-- body --> <!-- On Linux nodes, <a class='glossary-tooltip' title='一组具有可选资源隔离、审计和限制的 Linux 进程。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-cgroup' target='_blank' aria-label='cgroups'>cgroups</a> are used as a pod boundary for resource control. Containers are created within that boundary for network, process and file system isolation. The Linux cgroup APIs can be used to gather CPU, I/O, and memory use statistics. In contrast, Windows uses a [_job object_](https://docs.microsoft.com/windows/win32/procthread/job-objects) per container with a system namespace filter to contain all processes in a container and provide logical isolation from the host. (Job objects are a Windows process isolation mechanism and are different from what Kubernetes refers to as a <a class='glossary-tooltip' title='Job 是需要运行完成的确定性的或批量的任务。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/job/' target='_blank' aria-label='Job'>Job</a>). There is no way to run a Windows container without the namespace filtering in place. This means that system privileges cannot be asserted in the context of the host, and thus privileged containers are not available on Windows. Containers cannot assume an identity from the host because the Security Account Manager (SAM) is separate. --> <p>在 Linux 节点上，<a class='glossary-tooltip' title='一组具有可选资源隔离、审计和限制的 Linux 进程。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-cgroup' target='_blank' aria-label='cgroup'>cgroup</a> 用作资源控制的 Pod 边界。 在这个边界内创建容器以便于隔离网络、进程和文件系统。 Linux cgroup API 可用于收集 CPU、I/O 和内存使用统计数据。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/windows/user-guide/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/windows/user-guide/<!-- reviewers: - jayunit100 - jsturtevant - marosset title: Guide for Running Windows Containers in Kubernetes content_type: tutorial weight: 75 --> <!-- overview --> <!-- This page provides a walkthrough for some steps you can follow to run Windows containers using Kubernetes. The page also highlights some Windows specific functionality within Kubernetes. It is important to note that creating and deploying services and workloads on Kubernetes behaves in much the same way for Linux and Windows containers. The [kubectl commands](/docs/reference/kubectl/) to interface with the cluster are identical. The examples in this page are provided to jumpstart your experience with Windows containers. --> <p>本文提供了一些参考演示步骤，方便你使用 Kubernetes 运行 Windows 容器。 本文还重点介绍了 Kubernetes 中专为 Windows 设计的一些特有功能。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/cron-jobs/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/cron-jobs/<!-- reviewers: - erictune - soltysh - janetkuo title: CronJob api_metadata: - apiVersion: "batch/v1" kind: "CronJob" content_type: concept description: >- A CronJob starts one-time Jobs on a repeating schedule. weight: 80 hide_summary: true # Listed separately in section index --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.21 [stable]</code> </div> <!-- A _CronJob_ creates <a class='glossary-tooltip' title='Job 是需要运行完成的确定性的或批量的任务。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/job/' target='_blank' aria-label='Jobs'>Jobs</a> on a repeating schedule. CronJob is meant for performing regular scheduled actions such as backups, report generation, and so on. One CronJob object is like one line of a _crontab_ (cron table) file on a Unix system. It runs a Job periodically on a given schedule, written in [Cron](https://en.wikipedia.org/wiki/Cron) format. --> <p><strong>CronJob</strong> 创建基于时隔重复调度的 <a class='glossary-tooltip' title='Job 是需要运行完成的确定性的或批量的任务。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/job/' target='_blank' aria-label='Job'>Job</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/finalizers/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/finalizers/<!-- overview --> <!-- title: Finalizer id: finalizer date: 2021-07-07 full_link: /zh-cn/docs/concepts/overview/working-with-objects/finalizers/ short_description: > A namespaced key that tells Kubernetes to wait until specific conditions are met before it fully deletes an object marked for deletion. aka: tags: - fundamental - operation --> <!-- Finalizers are namespaced keys that tell Kubernetes to wait until specific conditions are met before it fully deletes <a class='glossary-tooltip' title='Kubernetes 实体，表示 Kubernetes API 服务器上的端点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/api-concepts/#standard-api-terminology' target='_blank' aria-label='resources'>resources</a> that are marked for deletion. Finalizers alert <a class='glossary-tooltip' title='控制器通过 API 服务器监控集群的公共状态，并致力于将当前状态转变为期望的状态。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/controller/' target='_blank' aria-label='controllers'>controllers</a> to clean up resources the deleted object owned. --> <p>Finalizer 是带有命名空间的键，告诉 Kubernetes 等到特定的条件被满足后， 再完全删除被标记为删除的<a class='glossary-tooltip' title='Kubernetes 实体，表示 Kubernetes API 服务器上的端点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/api-concepts/#standard-api-terminology' target='_blank' aria-label='资源'>资源</a>。 Finalizer 提醒<a class='glossary-tooltip' title='控制器通过 API 服务器监控集群的公共状态，并致力于将当前状态转变为期望的状态。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/controller/' target='_blank' aria-label='控制器'>控制器</a>清理被删除的对象拥有的资源。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-version/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-version/<!-- reviewers: - luxas - jbeda title: kubeadm version content_type: concept weight: 80 --> <!-- overview --> <!-- This command prints the version of kubeadm. --> <p>此命令用来输出 kubeadm 的版本。</p> <!-- body --> <!-- ### Synopsis --> <h3 id="概要">概要</h3> <!-- Print the version of kubeadm --> <p>打印 kubeadm 的版本。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubeadm version <span style="color:#666">[</span>flags<span style="color:#666">]</span> </span></span></code></pre></div><!-- ### Options --> <h3 id="选项">选项</h3> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- help for version --> version 操作的帮助命令。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/systemd-watchdog/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/systemd-watchdog/<!-- content_type: "reference" title: Kubelet Systemd Watchdog weight: 80 math: true # for a division by 2 --> <div class="feature-state-notice feature-beta" title="特性门控： SystemdWatchdog"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.32 [beta]</code>（默认启用）</div> <!-- On Linux nodes, Kubernetes 1.35 supports integrating with [systemd](https://systemd.io/) to allow the operating system supervisor to recover a failed kubelet. This integration is not enabled by default. It can be used as an alternative to periodically requesting the kubelet's `/healthz` endpoint for health checks. If the kubelet does not respond to the watchdog within the timeout period, the watchdog will kill the kubelet. --> <p>在 Linux 节点上，Kubernetes 1.35 支持与 <a href="https://systemd.io/">systemd</a> 集成，以允许操作系统监视程序恢复失败的 kubelet。 这种集成默认并未被启用。它可以作为一个替代方案，通过定期请求 kubelet 的 <code>/healthz</code> 端点进行健康检查。 如果 kubelet 在设定的超时时限内未对看门狗做出响应，看门狗将杀死 kubelet。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/seccomp/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/seccomp/<!-- content_type: reference title: Seccomp and Kubernetes weight: 80 --> <!-- overview --> <!-- Seccomp stands for secure computing mode and has been a feature of the Linux kernel since version 2.6.12. It can be used to sandbox the privileges of a process, restricting the calls it is able to make from userspace into the kernel. Kubernetes lets you automatically apply seccomp profiles loaded onto a <a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='node'>node</a> to your Pods and containers. --> <p>Seccomp 表示安全计算（Secure Computing）模式，自 2.6.12 版本以来，一直是 Linux 内核的一个特性。 它可以用来沙箱化进程的权限，限制进程从用户态到内核态的调用。 Kubernetes 能使你自动将加载到<a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='节点'>节点</a>上的 seccomp 配置文件应用到你的 Pod 和容器。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/dns-pod-service/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/dns-pod-service/<!-- reviewers: - jbelamaric - bowei - thockin title: DNS for Services and Pods content_type: concept weight: 80 description: >- Your workload can discover Services within your cluster using DNS; this page explains how that works. --> <!-- overview --> <!-- Kubernetes creates DNS records for Services and Pods. You can contact Services with consistent DNS names instead of IP addresses. --> <p>Kubernetes 为 Service 和 Pod 创建 DNS 记录。 你可以使用稳定的 DNS 名称而非 IP 地址访问 Service。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/create-external-load-balancer/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/create-external-load-balancer/<!-- title: Create an External Load Balancer content_type: task weight: 80 --> <!-- overview --> <!-- This page shows how to create an external load balancer. --> <p>本文展示如何创建一个外部负载均衡器。</p> <!-- When creating a <a class='glossary-tooltip' title='将运行在一组 Pods 上的应用程序公开为网络服务的抽象方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/' target='_blank' aria-label='Service'>Service</a>, you have the option of automatically creating a cloud load balancer. This provides an externally-accessible IP address that sends traffic to the correct port on your cluster nodes, _provided your cluster runs in a supported environment and is configured with the correct cloud load balancer provider package_. --> <p>创建<a class='glossary-tooltip' title='将运行在一组 Pods 上的应用程序公开为网络服务的抽象方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/' target='_blank' aria-label='服务'>服务</a>时，你可以选择自动创建云网络负载均衡器。 负载均衡器提供外部可访问的 IP 地址，可将流量发送到集群节点上的正确端口上 （<strong>假设集群在支持的环境中运行，并配置了正确的云负载均衡器驱动包</strong>）。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/storage-capacity/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/storage-capacity/<!-- reviewers: - jsafrane - saad-ali - msau42 - xing-yang - pohly title: Storage Capacity content_type: concept weight: 80 --> <!-- overview --> <!-- Storage capacity is limited and may vary depending on the node on which a pod runs: network-attached storage might not be accessible by all nodes, or storage is local to a node to begin with. --> <p>存储容量是有限的，并且会因为运行 Pod 的节点不同而变化： 网络存储可能并非所有节点都能够访问，或者对于某个节点存储是本地的。</p> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.24 [stable]</code> </div> <!-- This page describes how Kubernetes keeps track of storage capacity and how the scheduler uses that information to [schedule Pods](/docs/concepts/scheduling-eviction/) onto nodes that have access to enough storage capacity for the remaining missing volumes. Without storage capacity tracking, the scheduler may choose a node that doesn't have enough capacity to provision a volume and multiple scheduling retries will be needed. --> <p>本页面描述了 Kubernetes 如何跟踪存储容量以及调度程序如何为了余下的尚未挂载的卷使用该信息将 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/">Pod 调度</a>到能够访问到足够存储容量的节点上。 如果没有跟踪存储容量，调度程序可能会选择一个没有足够容量来提供卷的节点，并且需要多次调度重试。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/multi-tenancy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/multi-tenancy/<!-- title: Multi-tenancy content_type: concept weight: 80 --> <!-- This page provides an overview of available configuration options and best practices for cluster multi-tenancy. --> <p>此页面概述了集群多租户的可用配置选项和最佳实践。</p> <!-- Sharing clusters saves costs and simplifies administration. However, sharing clusters also presents challenges such as security, fairness, and managing _noisy neighbors_. --> <p>共享集群可以节省成本并简化管理。 然而，共享集群也带来了诸如安全性、公平性和管理<strong>嘈杂邻居</strong>等挑战。</p> <!-- Clusters can be shared in many ways. In some cases, different applications may run in the same cluster. In other cases, multiple instances of the same application may run in the same cluster, one for each end user. All these types of sharing are frequently described using the umbrella term _multi-tenancy_. --> <p>集群可以通过多种方式共享。在某些情况下，不同的应用可能会在同一个集群中运行。 在其他情况下，同一应用的多个实例可能在同一个集群中运行，每个实例对应一个最终用户。 所有这些类型的共享经常使用一个总括术语 <strong>多租户（Multi-Tenancy）</strong> 来表述。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/node-status/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/node-status/<!-- content_type: reference title: Node Status weight: 80 --> <!-- overview --> <!-- The status of a [node](/docs/concepts/architecture/nodes/) in Kubernetes is a critical aspect of managing a Kubernetes cluster. In this article, we'll cover the basics of monitoring and maintaining node status to ensure a healthy and stable cluster. --> <p>在 Kubernetes 中，<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/">节点</a>的状态是管理 Kubernetes 集群的一个关键方面。在本文中，我们将简要介绍如何监控和维护节点状态以确保集群的健康和稳定。</p> <!-- ## Node status fields A Node's status contains the following information: * [Addresses](#addresses) * [Conditions](#condition) * [Capacity and Allocatable](#capacity) * [Info](#info) * [Declared Features](#declaredfeatures) --> <h2 id="node-status-fields">节点状态字段</h2> <p>一个节点的状态包含以下信息:</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-volume-storage/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-volume-storage/<!-- title: Configure a Pod to Use a Volume for Storage content_type: task weight: 50 --> <!-- overview --> <!-- This page shows how to configure a Pod to use a Volume for storage. A Container's file system lives only as long as the Container does. So when a Container terminates and restarts, filesystem changes are lost. For more consistent storage that is independent of the Container, you can use a [Volume](/docs/concepts/storage/volumes/). This is especially important for stateful applications, such as key-value stores (such as Redis) and databases. --> <p>此页面展示了如何配置 Pod 以使用卷进行存储。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tls/certificate-issue-client-csr/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tls/certificate-issue-client-csr/<!-- title: Issue a Certificate for a Kubernetes API Client Using A CertificateSigningRequest api_metadata: - apiVersion: "certificates.k8s.io/v1" kind: "CertificateSigningRequest" override_link_text: "CSR v1" weight: 80 # Docs maintenance note # # If there is a future page /docs/tasks/tls/certificate-issue-client-manually/ then this page # should link there, and the new page should link back to this one. --> <!-- overview --> <!-- Kubernetes lets you use a public key infrastructure (PKI) to authenticate to your cluster as a client. A few steps are required in order to get a normal user to be able to authenticate and invoke an API. First, this user must have an [X.509](https://www.itu.int/rec/T-REC-X.509) certificate issued by an authority that your Kubernetes cluster trusts. The client must then present that certificate to the Kubernetes API. --> <p>Kubernetes 允许你使用公钥基础设施 (PKI) 对你的集群进行身份认证，这类似于对客户端进行身份认证。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/<!-- reviewers: - sig-cluster-lifecycle title: Certificate Management with kubeadm content_type: task weight: 80 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.15 [stable]</code> </div> <!-- Client certificates generated by [kubeadm](/docs/reference/setup-tools/kubeadm/) expire after 1 year. This page explains how to manage certificate renewals with kubeadm. It also covers other tasks related to kubeadm certificate management. --> <p>由 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/">kubeadm</a> 生成的客户端证书在 1 年后到期。 本页说明如何使用 kubeadm 管理证书续订，同时也涵盖其他与 kubeadm 证书管理相关的说明。</p> <!-- The Kubernetes project recommends upgrading to the latest patch releases promptly, and to ensure that you are running a supported minor release of Kubernetes. Following this recommendation helps you to stay secure. --> <p>Kubernetes 项目建议及时升级到最新的补丁版本，并确保你正在运行受支持的 Kubernetes 次要版本。 遵循这一建议有助于你确保安全。</p>https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/kubelet-integration/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/kubelet-integration/<!-- reviewers: - sig-cluster-lifecycle title: Configuring each kubelet in your cluster using kubeadm content_type: concept weight: 80 --> <!-- overview --> <div class="alert alert-secondary callout note" role="note"> <strong>说明：</strong> 自 1.24 版起，Dockershim 已从 Kubernetes 项目中移除。阅读 <a href="https://andygol-k8s.netlify.app/zh-cn/dockershim">Dockershim 移除的常见问题</a>了解更多详情。 </div> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.11 [stable]</code> </div> <!-- The lifecycle of the kubeadm CLI tool is decoupled from the [kubelet](/docs/reference/command-line-tools-reference/kubelet), which is a daemon that runs on each node within the Kubernetes cluster. The kubeadm CLI tool is executed by the user when Kubernetes is initialized or upgraded, whereas the kubelet is always running in the background. Since the kubelet is a daemon, it needs to be maintained by some kind of an init system or service manager. When the kubelet is installed using DEBs or RPMs, systemd is configured to manage the kubelet. You can use a different service manager instead, but you need to configure it manually. Some kubelet configuration details need to be the same across all kubelets involved in the cluster, while other configuration aspects need to be set on a per-kubelet basis to accommodate the different characteristics of a given machine (such as OS, storage, and networking). You can manage the configuration of your kubelets manually, but kubeadm now provides a `KubeletConfiguration` API type for [managing your kubelet configurations centrally](#configure-kubelets-using-kubeadm). --> <p>kubeadm CLI 工具的生命周期与 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet">kubelet</a> 解耦；kubelet 是一个守护程序，在 Kubernetes 集群中的每个节点上运行。 当 Kubernetes 初始化或升级时，kubeadm CLI 工具由用户执行，而 kubelet 始终在后台运行。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/system-logs/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/system-logs/<!-- reviewers: - dims - 44past4 title: System Logs content_type: concept weight: 80 --> <!-- overview --> <!-- System component logs record events happening in cluster, which can be very useful for debugging. You can configure log verbosity to see more or less detail. Logs can be as coarse-grained as showing errors within a component, or as fine-grained as showing step-by-step traces of events (like HTTP access logs, pod state changes, controller actions, or scheduler decisions). --> <p>系统组件的日志记录集群中发生的事件，这对于调试非常有用。 你可以配置日志的精细度，以展示更多或更少的细节。 日志可以是粗粒度的，如只显示组件内的错误， 也可以是细粒度的，如显示事件的每一个跟踪步骤（比如 HTTP 访问日志、pod 状态更新、控制器动作或调度器决策）。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/page-content-types/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/page-content-types/<!-- title: Page content types content_type: concept weight: 80 card: name: contribute weight: 30 --> <!-- overview --> <!-- The Kubernetes documentation follows several types of page content: - Concept - Task - Tutorial - Reference --> <p>Kubernetes 文档包含以下几种页面内容类型：</p> <ul> <li>概念（Concept）</li> <li>任务（Task）</li> <li>教程（Tutorial）</li> <li>参考（Reference）</li> </ul> <!-- body --> <!-- ## Content sections Each page content type contains a number of sections defined by Markdown comments and HTML headings. You can add content headings to your page with the `heading` shortcode. The comments and headings help maintain the structure of the page content types. Examples of Markdown comments defining page content sections: --> <h2 id="content-sections">内容章节</h2> <p>每种页面内容类型都有一些使用 Markdown 注释和 HTML 标题定义的章节。 你可以使用 <code>heading</code> 短代码将内容标题添加到你的页面中。 注释和标题有助于维护对应页面内容类型的结构组织。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/resource-bin-packing/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/resource-bin-packing/<!-- reviewers: - bsalamat - k82cn - ahg-g title: Resource Bin Packing content_type: concept weight: 80 --> <!-- overview --> <!-- In the [scheduling-plugin](/docs/reference/scheduling/config/#scheduling-plugins) `NodeResourcesFit` of kube-scheduler, there are two scoring strategies that support the bin packing of resources: `MostAllocated` and `RequestedToCapacityRatio`. --> <p>在 kube-scheduler 的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/scheduling/config/#scheduling-plugins">调度插件</a> <code>NodeResourcesFit</code> 中存在两种支持资源装箱（bin packing）的策略：<code>MostAllocated</code> 和 <code>RequestedToCapacityRatio</code>。</p> <!-- body --> <!-- ## Enabling bin packing using MostAllocated strategy The `MostAllocated` strategy scores the nodes based on the utilization of resources, favoring the ones with higher allocation. For each resource type, you can set a weight to modify its influence in the node score. To set the `MostAllocated` strategy for the `NodeResourcesFit` plugin, use a [scheduler configuration](/docs/reference/scheduling/config) similar to the following: --> <h2 id="enabling-bin-packing-using-mostallocated-strategy">使用 MostAllocated 策略启用资源装箱</h2> <p><code>MostAllocated</code> 策略基于资源的利用率来为节点计分，优选分配比率较高的节点。 针对每种资源类型，你可以设置一个权重值以改变其对节点得分的影响。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/dns-horizontal-autoscaling/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/dns-horizontal-autoscaling/<!-- title: Autoscale the DNS Service in a Cluster content_type: task weight: 80 --> <!-- overview --> <!-- This page shows how to enable and configure autoscaling of the DNS service in your Kubernetes cluster. --> <p>本页展示了如何在你的 Kubernetes 集群中启用和配置 DNS 服务的自动扩缩功能。</p> <h2 id="准备开始">准备开始</h2> <ul> <li><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/pod-qos/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/pod-qos/<!-- title: Pod Quality of Service Classes content_type: concept weight: 85 --> <!-- overview --> <!-- This page introduces _Quality of Service (QoS) classes_ in Kubernetes, and explains how Kubernetes assigns a QoS class to each Pod as a consequence of the resource constraints that you specify for the containers in that Pod. Kubernetes relies on this classification to make decisions about which Pods to evict when there are not enough available resources on a Node. --> <p>本页介绍 Kubernetes 中的 <strong>服务质量（Quality of Service，QoS）</strong> 类， 阐述 Kubernetes 如何根据为 Pod 中的容器指定的资源约束为每个 Pod 设置 QoS 类。 Kubernetes 依赖这种分类来决定当 Node 上没有足够可用资源时要驱逐哪些 Pod。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/pod-hostname/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/pod-hostname/<!-- title: Pod Hostname content_type: concept weight: 85 --> <!-- overview --> <!-- This page explains how to set a Pod's hostname, potential side effects after configuration, and the underlying mechanics. --> <p>本文讲述如何设置 Pod 的主机名、配置主机名后的潜在副作用以及底层机制。</p> <!-- body --> <!-- ## Default Pod hostname When a Pod is created, its hostname (as observed from within the Pod) is derived from the Pod's metadata.name value. Both the hostname and its corresponding fully qualified domain name (FQDN) are set to the metadata.name value (from the Pod's perspective) --> <h2 id="default-pod-hostname">默认 Pod 主机名</h2> <p>当 Pod 被创建时，其主机名（从 Pod 内部观察）来源于 Pod 的 <code>metadata.name</code> 值。 主机名和其对应的完全限定域名（FQDN）都会被设置为 <code>metadata.name</code> 值（从 Pod 的角度）。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/dual-stack/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/dual-stack/<!-- title: IPv4/IPv6 dual-stack description: >- Kubernetes lets you configure single-stack IPv4 networking, single-stack IPv6 networking, or dual stack networking with both network families active. This page explains how. feature: title: IPv4/IPv6 dual-stack description: > Allocation of IPv4 and IPv6 addresses to Pods and Services content_type: concept reviewers: - lachie83 - khenidak - aramase - bridgetkromhout weight: 90 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.23 [stable]</code> </div> <!-- IPv4/IPv6 dual-stack networking enables the allocation of both IPv4 and IPv6 addresses to <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pods'>Pods</a> and <a class='glossary-tooltip' title='将运行在一组 Pods 上的应用程序公开为网络服务的抽象方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/' target='_blank' aria-label='Services'>Services</a>. --> <p>IPv4/IPv6 双协议栈网络能够将 IPv4 和 IPv6 地址分配给 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 和 <a class='glossary-tooltip' title='将运行在一组 Pods 上的应用程序公开为网络服务的抽象方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/' target='_blank' aria-label='Service'>Service</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-alpha/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-alpha/<!-- title: kubeadm alpha content_type: concept weight: 90 --> <div class="alert alert-caution" role="note"><h4 class="alert-heading">注意：</h4><!-- `kubeadm alpha` provides a preview of a set of features made available for gathering feedback from the community. Please try it out and give us feedback! --> <p><code>kubeadm alpha</code> 提供了一组可用于收集社区反馈的预览性质功能。 请试用这些功能并给我们提供反馈！</p></div> <!-- Currently there are no experimental commands under `kubeadm alpha`. --> <p>目前在 <code>kubeadm alpha</code> 之下没有试验性质的命令。</p> <h2 id="接下来">接下来</h2> <!-- * [kubeadm init](/docs/reference/setup-tools/kubeadm/kubeadm-init/) to bootstrap a Kubernetes control-plane node * [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) to connect a node to the cluster * [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made to this host by `kubeadm init` or `kubeadm join` --> <ul> <li>用来启动引导 Kubernetes 控制平面节点的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/">kubeadm init</a> 命令</li> <li>用来将节点连接到集群的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/">kubeadm join</a> 命令</li> <li>用来还原 <code>kubeadm init</code> 或 <code>kubeadm join</code> 操作对主机所做的任何更改的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset/">kubeadm reset</a> 命令</li> </ul>https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-certs/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-certs/<!-- `kubeadm certs` provides utilities for managing certificates. For more details on how these commands can be used, see [Certificate Management with kubeadm](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/). --> <p><code>kubeadm certs</code> 提供管理证书的工具。关于如何使用这些命令的细节， 可参见<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/">使用 kubeadm 管理证书</a>。</p> <h2 id="cmd-certs">kubeadm certs</h2> <!-- A collection of operations for operating Kubernetes certificates. --> <p>用来操作 Kubernetes 证书的一组命令。</p> <ul class="nav nav-tabs" id="tab-certs" role="tablist"><li class="nav-item"><a data-toggle="tab" class="nav-link active" href="#tab-certs-0" role="tab" aria-controls="tab-certs-0" aria-selected="true">概览</a></li> </ul> <div class="tab-content" id="tab-certs"><div id="tab-certs-0" class="tab-pane show active" role="tabpanel" aria-labelledby="tab-certs-0"> <p><!-- ### Synopsis --> <h3 id="概要">概要</h3> <!-- Commands related to handling Kubernetes certificates --> <p>处理 Kubernetes 证书相关的命令。</p> <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-shell" data-lang="shell"><span style="display:flex;"><span>kubeadm certs <span style="color:#666">[</span>flags<span style="color:#666">]</span> </span></span></code></pre></div><!-- ### Options --> <h3 id="选项">选项</h3> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- help for certs --> certs 操作的帮助命令。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/<!-- title: kubeadm init phase weight: 90 content_type: concept --> <!-- `kubeadm init phase` enables you to invoke atomic steps of the bootstrap process. Hence, you can let kubeadm do some of the work and you can fill in the gaps if you wish to apply customization. --> <p><code>kubeadm init phase</code> 能确保调用引导过程的原子步骤。 因此，如果希望自定义应用，则可以让 kubeadm 做一些工作，然后填补空白。</p> <!-- `kubeadm init phase` is consistent with the [kubeadm init workflow](/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-workflow), and behind the scene both use the same code. --> <p><code>kubeadm init phase</code> 与 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-workflow">kubeadm init 工作流</a> 一致，后台都使用相同的代码。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join-phase/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join-phase/<!-- title: kubeadm join phase weight: 90 content_type: concept --> <!-- `kubeadm join phase` enables you to invoke atomic steps of the join process. Hence, you can let kubeadm do some of the work and you can fill in the gaps if you wish to apply customization. --> <p><code>kubeadm join phase</code> 使你能够调用 <code>join</code> 过程的基本原子步骤。 因此，如果希望执行自定义操作，可以让 kubeadm 做一些工作，然后由用户来补足剩余操作。</p> <!-- `kubeadm join phase` is consistent with the [kubeadm join workflow](/docs/reference/setup-tools/kubeadm/kubeadm-join/#join-workflow), and behind the scene both use the same code. --> <p><code>kubeadm join phase</code> 与 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-join/#join-workflow">kubeadm join 工作流程</a>一致， 后台都使用相同的代码。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig/<!-- `kubeadm kubeconfig` provides utilities for managing kubeconfig files. For examples on how to use `kubeadm kubeconfig user` see [Generating kubeconfig files for additional users](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs#kubeconfig-additional-users). --> <p><code>kubeadm kubeconfig</code> 提供用来管理 kubeconfig 文件的工具。</p> <p>如果希望查看如何使用 <code>kubeadm kubeconfig user</code> 的示例， 请参阅<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs#kubeconfig-additional-users">为其他用户生成 kubeconfig 文件</a>。</p> <h2 id="cmd-kubeconfig">kubeadm kubeconfig</h2> <ul class="nav nav-tabs" id="tab-kubeconfig" role="tablist"><li class="nav-item"><a data-toggle="tab" class="nav-link active" href="#tab-kubeconfig-0" role="tab" aria-controls="tab-kubeconfig-0" aria-selected="true">概述</a></li> </ul> <div class="tab-content" id="tab-kubeconfig"><div id="tab-kubeconfig-0" class="tab-pane show active" role="tabpanel" aria-labelledby="tab-kubeconfig-0"> <p><!-- ### Synopsis Kubeconfig file utilities. ### Options --> <h3 id="概要">概要</h3> <p>kubeconfig 文件工具。</p> <h3 id="选项">选项</h3> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">-h, --help</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- help for kubeconfig --> kubeconfig 操作的帮助命令。 <p> </td> </tr> </tbody> </table> <!-- ### Options inherited from parent commands --> <h3 id="从父命令继承的选项">从父命令继承的选项</h3> <table style="width: 100%; table-layout: fixed;"> <colgroup> <col span="1" style="width: 10px;" /> <col span="1" /> </colgroup> <tbody> <tr> <td colspan="2">--rootfs string</td> </tr> <tr> <td></td><td style="line-height: 130%; word-wrap: break-word;"> <p> <!-- The path to the 'real' host root filesystem. This will cause kubeadm to chroot into the provided path. --> 到“真实”主机根文件系统的路径。设置此标志将导致 kubeadm 切换到所提供的路径。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset-phase/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset-phase/<!-- title: kubeadm reset phase weight: 90 content_type: concept --> <!-- `kubeadm reset phase` enables you to invoke atomic steps of the node reset process. Hence, you can let kubeadm do some of the work and you can fill in the gaps if you wish to apply customization. --> <p><code>kubeadm reset phase</code> 使你能够调用 <code>reset</code> 过程的基本原子步骤。 因此，如果希望执行自定义操作，你可以让 kubeadm 做一些工作，然后由用户来补足剩余操作。</p> <!-- `kubeadm reset phase` is consistent with the [kubeadm reset workflow](/docs/reference/setup-tools/kubeadm/kubeadm-reset/#reset-workflow), and behind the scene both use the same code. --> <p><code>kubeadm reset phase</code> 与 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-reset/#reset-workflow">kubeadm reset 工作流程</a>一致， 后台都使用相同的代码。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/api-server-bypass-risks/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/api-server-bypass-risks/<!-- title: Kubernetes API Server Bypass Risks description: > Security architecture information relating to the API server and other components content_type: concept weight: 90 --> <!-- overview --> <!-- The Kubernetes API server is the main point of entry to a cluster for external parties (users and services) interacting with it. --> <p>Kubernetes API 服务器是外部（用户和服务）与集群交互的主要入口。</p> <!-- As part of this role, the API server has several key built-in security controls, such as audit logging and <a class='glossary-tooltip' title='在对象持久化之前拦截 Kubernetes API 服务器请求的一段代码。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/admission-controllers/' target='_blank' aria-label='admission controllers'>admission controllers</a>. However, there are ways to modify the configuration or content of the cluster that bypass these controls. --> <p>API 服务器作为交互的主要入口，还提供了几种关键的内置安全控制， 例如审计日志和<a class='glossary-tooltip' title='在对象持久化之前拦截 Kubernetes API 服务器请求的一段代码。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/admission-controllers/' target='_blank' aria-label='准入控制器'>准入控制器</a>。 但有一些方式可以绕过这些安全控制从而修改集群的配置或内容。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/pod-priority-preemption/<!-- title: Pod Priority and Preemption content_type: concept weight: 90 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.14 [stable]</code> </div> <!-- [Pods](/docs/concepts/workloads/pods/) can have _priority_. Priority indicates the importance of a Pod relative to other Pods. If a Pod cannot be scheduled, the scheduler tries to preempt (evict) lower priority Pods to make scheduling of the pending Pod possible. --> <p><a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/">Pod</a> 可以有<strong>优先级</strong>。 优先级表示一个 Pod 相对于其他 Pod 的重要性。 如果一个 Pod 无法被调度，调度程序会尝试抢占（驱逐）较低优先级的 Pod， 以使悬决 Pod 可以被调度。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/replicationcontroller/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/replicationcontroller/<!-- reviewers: - bprashanth - janetkuo title: ReplicationController api_metadata: - apiVersion: "v1" kind: "ReplicationController" content_type: concept weight: 90 description: >- Legacy API for managing workloads that can scale horizontally. Superseded by the Deployment and ReplicaSet APIs. --> <!-- overview --> <div class="alert alert-info" role="note"><h4 class="alert-heading">说明：</h4><!-- A [`Deployment`](/docs/concepts/workloads/controllers/deployment/) that configures a [`ReplicaSet`](/docs/concepts/workloads/controllers/replicaset/) is now the recommended way to set up replication. --> <p>现在推荐使用配置 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/replicaset/"><code>ReplicaSet</code></a> 的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/deployment/"><code>Deployment</code></a> 来建立副本管理机制。</p></div> <!-- A _ReplicationController_ ensures that a specified number of pod replicas are running at any one time. In other words, a ReplicationController makes sure that a pod or a homogeneous set of pods is always up and available. --> <p><strong>ReplicationController</strong> 确保在任何时候都有特定数量的 Pod 副本处于运行状态。 换句话说，ReplicationController 确保一个 Pod 或一组同类的 Pod 总是可用的。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/switch-to-evented-pleg/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/switch-to-evented-pleg/<!-- title: Switching from Polling to CRI Event-based Updates to Container Status min-kubernetes-server-version: 1.26 content_type: task weight: 90 --> <div class="feature-state-notice feature-alpha" title="特性门控： EventedPLEG"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.26 [alpha]</code>（默认禁用）</div> <!-- overview --> <!-- This page shows how to migrate nodes to use event based updates for container status. The event-based implementation reduces node resource consumption by the kubelet, compared to the legacy approach that relies on polling. You may know this feature as _evented Pod lifecycle event generator (PLEG)_. That's the name used internally within the Kubernetes project for a key implementation detail. The polling based approach is referred to as _generic PLEG_. --> <p>本页展示了如何迁移节点以使用基于事件的更新来获取容器状态。 与依赖轮询的传统方法相比，基于事件的实现可以减少 kubelet 对节点资源的消耗。 你可以将这个特性称为<strong>事件驱动的 Pod 生命周期事件生成器 (PLEG)</strong>。 这是在 Kubernetes 项目内部针对关键实现细节所用的名称。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/change-default-storage-class/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/change-default-storage-class/<!-- overview --> <!-- This page shows how to change the default Storage Class that is used to provision volumes for PersistentVolumeClaims that have no special requirements. --> <p>本文展示了如何改变默认的 Storage Class，它用于为没有特殊需求的 PersistentVolumeClaims 配置 volumes。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/hardening-guide/scheduler/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/hardening-guide/scheduler/<!-- title: "Hardening Guide - Scheduler Configuration" description: > Information about how to make the Kubernetes scheduler more secure. content_type: concept weight: 90 --> <!-- overview --> <!-- The Kubernetes <a class='glossary-tooltip' title='控制平面组件，负责监视新创建的、未指定运行节点的 Pod，选择节点让 Pod 在上面运行。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kube-scheduler/' target='_blank' aria-label='scheduler'>scheduler</a> is one of the critical components of the <a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='control plane'>control plane</a>. This document covers how to improve the security posture of the Scheduler. A misconfigured scheduler can have security implications. Such a scheduler can target specific nodes and evict the workloads or applications that are sharing the node and its resources. This can aid an attacker with a [Yo-Yo attack](https://arxiv.org/abs/2105.00542): an attack on a vulnerable autoscaler. --> <p>Kubernetes <a class='glossary-tooltip' title='控制平面组件，负责监视新创建的、未指定运行节点的 Pod，选择节点让 Pod 在上面运行。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kube-scheduler/' target='_blank' aria-label='调度器'>调度器</a>是<a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='控制平面'>控制平面</a>的关键组件之一。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/hardening-guide/authentication-mechanisms/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/hardening-guide/authentication-mechanisms/<!-- --- title: Hardening Guide - Authentication Mechanisms description: > Information on authentication options in Kubernetes and their security properties. content_type: concept weight: 90 --- --> <!-- overview --> <!-- Selecting the appropriate authentication mechanism(s) is a crucial aspect of securing your cluster. Kubernetes provides several built-in mechanisms, each with its own strengths and weaknesses that should be carefully considered when choosing the best authentication mechanism for your cluster. --> <p>选择合适的身份认证机制是确保集群安全的一个重要方面。 Kubernetes 提供了多种内置机制， 当为你的集群选择最好的身份认证机制时需要谨慎考虑每种机制的优缺点。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/change-pv-access-mode-readwriteoncepod/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/change-pv-access-mode-readwriteoncepod/<!-- title: Change the Access Mode of a PersistentVolume to ReadWriteOncePod content_type: task weight: 90 min-kubernetes-server-version: v1.22 --> <!-- overview --> <!-- This page shows how to change the access mode on an existing PersistentVolume to use `ReadWriteOncePod`. --> <p>本文演示了如何将现有 PersistentVolume 的访问模式更改为使用 <code>ReadWriteOncePod</code>。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/content-organization/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/content-organization/<!-- title: Content organization content_type: concept weight: 90 --> <!-- overview --> <!-- This site uses Hugo. In Hugo, [content organization](https://gohugo.io/content-management/organization/) is a core concept. --> <p>本网站使用了 Hugo。在 Hugo 中，<a href="https://gohugo.io/content-management/organization/">内容组织</a>是一个核心概念。</p> <!-- body --> <!-- **Hugo Tip:** Start Hugo with `hugo server -navigateToChanged` for content edit-sessions. --> <div class="alert alert-info" role="note"><h4 class="alert-heading">说明：</h4><strong>Hugo 提示：</strong> 用 <code>hugo server --navigateToChanged</code> 命令启动 Hugo 以进行内容编辑会话。</div> <!-- ## Page Lists ### Page Order The documentation side menu, the documentation page browser etc. are listed using Hugo's default sort order, which sorts by weight (from 1), date (newest first), and finally by the link title. Given that, if you want to move a page or a section up, set a weight in the page's front matter: --> <h2 id="页面列表">页面列表</h2> <h3 id="页面顺序">页面顺序</h3> <p>文档侧方菜单、文档页面浏览器等以 Hugo 的默认排序顺序列出。Hugo 会按照权重（从 1 开始）、 日期（最新的排最前面）排序，最后按链接标题排序。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-persistent-volume-storage/<!-- title: Configure a Pod to Use a PersistentVolume for Storage content_type: task weight: 90 --> <!-- overview --> <!-- This page shows you how to configure a Pod to use a <a class='glossary-tooltip' title='声明在持久卷中定义的存储资源，以便可以将其挂载为容器中的卷。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims' target='_blank' aria-label='PersistentVolumeClaim'>PersistentVolumeClaim</a> for storage. Here is a summary of the process: 1. You, as cluster administrator, create a PersistentVolume backed by physical storage. You do not associate the volume with any Pod. 1. You, now taking the role of a developer / cluster user, create a PersistentVolumeClaim that is automatically bound to a suitable PersistentVolume. 1. You create a Pod that uses the above PersistentVolumeClaim for storage. --> <p>本文将向你介绍如何配置 Pod 使用 <a class='glossary-tooltip' title='声明在持久卷中定义的存储资源，以便可以将其挂载为容器中的卷。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims' target='_blank' aria-label='PersistentVolumeClaim'>PersistentVolumeClaim</a> 作为存储。 以下是该过程的总结：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/owners-dependents/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/owners-dependents/<!-- title: Owners and Dependents content_type: concept weight: 60 --> <!-- overview --> <!-- In Kubernetes, some <a class='glossary-tooltip' title='Kubernetes 系统中的实体，代表了集群的部分状态。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/#kubernetes-objects' target='_blank' aria-label='objects'>objects</a> are *owners* of other objects. For example, a <a class='glossary-tooltip' title='ReplicaSet 确保一次运行指定数量的 Pod 副本。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/replicaset/' target='_blank' aria-label='ReplicaSet'>ReplicaSet</a> is the owner of a set of Pods. These owned objects are *dependents* of their owner. --> <p>在 Kubernetes 中，一些<a class='glossary-tooltip' title='Kubernetes 系统中的实体，代表了集群的部分状态。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/#kubernetes-objects' target='_blank' aria-label='对象'>对象</a>是其他对象的“属主（Owner）”。 例如，<a class='glossary-tooltip' title='ReplicaSet 确保一次运行指定数量的 Pod 副本。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/replicaset/' target='_blank' aria-label='ReplicaSet'>ReplicaSet</a> 是一组 Pod 的属主。 具有属主的对象是属主的“附属（Dependent）”。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/storage-limits/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/storage-limits/<!-- reviewers: - jsafrane - saad-ali - thockin - msau42 title: Node-specific Volume Limits content_type: concept weight: 90 --> <!-- overview --> <!-- This page describes the maximum number of volumes that can be attached to a Node for various cloud providers. --> <p>此页面描述了各个云供应商可挂接至一个节点的最大卷数。</p> <!-- Cloud providers like Google, Amazon, and Microsoft typically have a limit on how many volumes can be attached to a Node. It is important for Kubernetes to respect those limits. Otherwise, Pods scheduled on a Node could get stuck waiting for volumes to attach. --> <p>谷歌、亚马逊和微软等云供应商通常对可以挂接到节点的卷数量进行限制。 Kubernetes 需要尊重这些限制。否则，在节点上调度的 Pod 可能会卡住去等待卷的挂接。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/generate-ref-docs/kubectl/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/generate-ref-docs/kubectl/<!-- title: Generating Reference Documentation for kubectl Commands content_type: task weight: 90 --> <!-- overview --> <!-- This page shows how to generate the `kubectl` command reference. --> <p>本页面描述了如何生成 <code>kubectl</code> 命令参考。</p> <!-- This topic shows how to generate reference documentation for [kubectl commands](/docs/reference/generated/kubectl/kubectl-commands) like [kubectl apply](/docs/reference/generated/kubectl/kubectl-commands#apply) and [kubectl taint](/docs/reference/generated/kubectl/kubectl-commands#taint). This topic does not show how to generate the [kubectl](/docs/reference/generated/kubectl/kubectl/) options reference page. For instructions on how to generate the kubectl options reference page, see [Generating Reference Pages for Kubernetes Components and Tools](/docs/home/contribute/generated-reference/kubernetes-components/). --> <div class="alert alert-info" role="note"><h4 class="alert-heading">说明：</h4>本主题描述了如何为 <a href="https://andygol-k8s.netlify.app/docs/reference/generated/kubectl/kubectl-commands">kubectl 命令</a> 生成参考文档，如 <a href="https://andygol-k8s.netlify.app/docs/reference/generated/kubectl/kubectl-commands#apply">kubectl apply</a> 和 <a href="https://andygol-k8s.netlify.app/docs/reference/generated/kubectl/kubectl-commands#taint">kubectl taint</a>。 本主题没有讨论如何生成 <a href="https://andygol-k8s.netlify.app/docs/reference/generated/kubectl/kubectl-commands/">kubectl</a> 组件选项的参考页面。 相关说明请参见<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/generate-ref-docs/kubernetes-components/">为 Kubernetes 组件和工具生成参考页面</a>。</div> <h2 id="准备开始">准备开始</h2> <!-- ### Requirements: - You need a machine that is running Linux or macOS. - You need to have these tools installed: - [Python](https://www.python.org/downloads/) v3.7.x+ - [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) - [Golang](https://go.dev/dl/) version 1.13+ - [Pip](https://pypi.org/project/pip/) used to install PyYAML - [PyYAML](https://pyyaml.org/) v5.1.2 - [make](https://www.gnu.org/software/make/) - [gcc compiler/linker](https://gcc.gnu.org/) - [Docker](https://docs.docker.com/engine/installation/) (Required only for `kubectl` command reference) --> <h3 id="requirements">需求</h3> <ul> <li> <p>你需要一台 Linux 或 macOS 机器。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-reconfigure/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-reconfigure/<!-- reviewers: - sig-cluster-lifecycle title: Reconfiguring a kubeadm cluster content_type: task weight: 90 --> <!-- overview --> <!-- kubeadm does not support automated ways of reconfiguring components that were deployed on managed nodes. One way of automating this would be by using a custom [operator](/docs/concepts/extend-kubernetes/operator/). --> <p>kubeadm 不支持自动重新配置部署在托管节点上的组件的方式。 一种自动化的方法是使用自定义的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/operator/">operator</a>。</p> <!-- To modify the components configuration you must manually edit associated cluster objects and files on disk. This guide shows the correct sequence of steps that need to be performed to achieve kubeadm cluster reconfiguration. --> <p>要修改组件配置，你必须手动编辑磁盘上关联的集群对象和文件。 本指南展示了实现 kubeadm 集群重新配置所需执行的正确步骤顺序。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/system-traces/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/system-traces/<!-- title: Traces For Kubernetes System Components reviewers: - logicalhan - lilic content_type: concept weight: 90 --> <!-- overview --> <div class="feature-state-notice feature-beta"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.27 [beta]</code> </div> <!-- System component traces record the latency of and relationships between operations in the cluster. --> <p>系统组件追踪功能记录各个集群操作的时延信息和这些操作之间的关系。</p> <!-- Kubernetes components emit traces using the [OpenTelemetry Protocol](https://opentelemetry.io/docs/specs/otlp/) with the gRPC exporter and can be collected and routed to tracing backends using an [OpenTelemetry Collector](https://github.com/open-telemetry/opentelemetry-collector#-opentelemetry-collector). --> <p>Kubernetes 组件基于 gRPC 导出器的 <a href="https://opentelemetry.io/docs/specs/otlp/">OpenTelemetry 协议</a> 发送追踪信息，并用 <a href="https://github.com/open-telemetry/opentelemetry-collector#-opentelemetry-collector">OpenTelemetry Collector</a> 收集追踪信息，再将其转交给追踪系统的后台。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/psp-to-pod-security-standards/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/psp-to-pod-security-standards/<!-- reviewers: - tallclair - liggitt title: Mapping PodSecurityPolicies to Pod Security Standards content_type: concept weight: 95 --> <!-- overview --> <!-- The tables below enumerate the configuration parameters on `PodSecurityPolicy` objects, whether the field mutates and/or validates pods, and how the configuration values map to the [Pod Security Standards](/docs/concepts/security/pod-security-standards/). --> <p>下面的表格列举了 <code>PodSecurityPolicy</code> 对象上的配置参数，这些字段是否会变更或检查 Pod 配置，以及这些配置值如何映射到 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-standards/">Pod 安全性标准（Pod Security Standards）</a> 之上。</p> <!-- For each applicable parameter, the allowed values for the [Baseline](/docs/concepts/security/pod-security-standards/#baseline) and [Restricted](/docs/concepts/security/pod-security-standards/#restricted) profiles are listed. Anything outside the allowed values for those profiles would fall under the [Privileged](/docs/concepts/security/pod-security-standards/#privileged) profile. "No opinion" means all values are allowed under all Pod Security Standards. --> <p>对于每个可应用的参数，表格中给出了 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-standards/#baseline">Baseline</a> 和 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-standards/#restricted">Restricted</a> 配置下可接受的取值。 对这两种配置而言不可接受的取值均归入 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-standards/#privileged">Privileged</a> 配置下。“无意见”意味着对所有 Pod 安全性标准而言所有取值都可接受。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/<!-- reviewers: - fgrzadkowski - jszczepkowski - justinsb - directxman12 title: Horizontal Pod Autoscaler Walkthrough content_type: task weight: 100 min-kubernetes-server-version: 1.23 --> <!-- overview --> <!-- A [HorizontalPodAutoscaler](/docs/concepts/workloads/autoscaling/horizontal-pod-autoscale/) (HPA for short) automatically updates a workload resource (such as a <a class='glossary-tooltip' title='管理集群上的多副本应用。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/deployment/' target='_blank' aria-label='Deployment'>Deployment</a> or <a class='glossary-tooltip' title='StatefulSet 用来管理某 Pod 集合的部署和扩缩，并为这些 Pod 提供持久存储和持久标识符。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/' target='_blank' aria-label='StatefulSet'>StatefulSet</a>), with the aim of automatically scaling the workload to match demand. --> <p><a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/autoscaling/horizontal-pod-autoscale/">HorizontalPodAutoscaler</a>（简称 HPA ） 自动更新工作负载资源（例如 <a class='glossary-tooltip' title='管理集群上的多副本应用。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/deployment/' target='_blank' aria-label='Deployment'>Deployment</a> 或者 <a class='glossary-tooltip' title='StatefulSet 用来管理某 Pod 集合的部署和扩缩，并为这些 Pod 提供持久存储和持久标识符。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/' target='_blank' aria-label='StatefulSet'>StatefulSet</a>）， 目的是自动扩缩工作负载以满足需求。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/proxies/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/proxies/<!-- title: Proxies in Kubernetes content_type: concept weight: 90 --> <!-- overview --> <!-- This page explains proxies used with Kubernetes. --> <p>本文讲述了 Kubernetes 中所使用的代理。</p> <!-- body --> <!-- ## Proxies There are several different proxies you may encounter when using Kubernetes: --> <h2 id="proxies">代理</h2> <p>用户在使用 Kubernetes 的过程中可能遇到几种不同的代理（proxy）：</p> <!-- 1. The [kubectl proxy](/docs/tasks/access-application-cluster/access-cluster/#directly-accessing-the-rest-api): - runs on a user's desktop or in a pod - proxies from a localhost address to the Kubernetes apiserver - client to proxy uses HTTP - proxy to apiserver uses HTTPS - locates apiserver - adds authentication headers --> <ol> <li> <p><a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/access-cluster/#directly-accessing-the-rest-api">kubectl proxy</a>：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/security-checklist/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/security-checklist/<!-- title: Security Checklist description: > Baseline checklist for ensuring security in Kubernetes clusters. content_type: concept weight: 100 --> <!-- overview --> <!-- This checklist aims at providing a basic list of guidance with links to more comprehensive documentation on each topic. It does not claim to be exhaustive and is meant to evolve. On how to read and use this document: - The order of topics does not reflect an order of priority. - Some checklist items are detailed in the paragraph below the list of each section. --> <p>本清单旨在提供一个基本的指导列表，其中包含链接，指向各个主题的更为全面的文档。 此清单不求详尽无遗，是预计会不断演化的。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/change-pv-reclaim-policy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/change-pv-reclaim-policy/<!-- overview --> <!-- This page shows how to change the reclaim policy of a Kubernetes PersistentVolume. --> <p>本文展示了如何更改 Kubernetes PersistentVolume 的回收策略。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/node-pressure-eviction/<!-- title: Node-pressure Eviction content_type: concept weight: 100 --> <p>节点压力驱逐是 <a class='glossary-tooltip' title='一个在集群中每个节点上运行的代理。它保证容器都运行在 Pod 中。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet' target='_blank' aria-label='kubelet'>kubelet</a> 主动终止 Pod 以回收节点上资源的过程。</br></p> <!-- The <a class='glossary-tooltip' title='一个在集群中每个节点上运行的代理。它保证容器都运行在 Pod 中。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet' target='_blank' aria-label='kubelet'>kubelet</a> monitors resources like memory, disk space, and filesystem inodes on your cluster's nodes. When one or more of these resources reach specific consumption levels, the kubelet can proactively fail one or more pods on the node to reclaim resources and prevent starvation. --> <p><a class='glossary-tooltip' title='一个在集群中每个节点上运行的代理。它保证容器都运行在 Pod 中。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet' target='_blank' aria-label='kubelet'>kubelet</a> 监控集群节点的内存、磁盘空间和文件系统的 inode 等资源。 当这些资源中的一个或者多个达到特定的消耗水平， kubelet 可以主动地使节点上一个或者多个 Pod 失效，以回收资源防止饥饿。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/advanced/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/advanced/<!-- title: Advanced contributing slug: advanced content_type: concept weight: 100 --> <!-- overview --> <!-- This page assumes that you understand how to [contribute to new content](/docs/contribute/new-content/) and [review others' work](/docs/contribute/review/reviewing-prs/), and are ready to learn about more ways to contribute. You need to use the Git command line client and other tools for some of these tasks. --> <p>如果你已经了解如何<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/new-content/">贡献新内容</a>和 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/review/reviewing-prs/">评阅他人工作</a>，并准备了解更多贡献的途径， 请阅读此文。你需要使用 Git 命令行工具和其他工具做这些工作。</p> <!-- body --> <!-- ## Propose improvements SIG Docs [members](/docs/contribute/participate/roles-and-responsibilities/#members) can propose improvements. --> <h2 id="propose-improvements">提出改进建议</h2> <p>SIG Docs 的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/participate/roles-and-responsibilities/#members">成员</a>可以提出改进建议。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volume-health-monitoring/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volume-health-monitoring/<!-- reviewers: - jsafrane - saad-ali - msau42 - xing-yang title: Volume Health Monitoring content_type: concept weight: 100 --> <!-- overview --> <div class="feature-state-notice feature-alpha"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.21 [alpha]</code> </div> <!-- <a class='glossary-tooltip' title='容器存储接口 （CSI）定义了存储系统暴露给容器的标准接口。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes/#csi' target='_blank' aria-label='CSI'>CSI</a> volume health monitoring allows CSI Drivers to detect abnormal volume conditions from the underlying storage systems and report them as events on <a class='glossary-tooltip' title='声明在持久卷中定义的存储资源，以便可以将其挂载为容器中的卷。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims' target='_blank' aria-label='PVCs'>PVCs</a> or <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pods'>Pods</a>. --> <p><a class='glossary-tooltip' title='容器存储接口 （CSI）定义了存储系统暴露给容器的标准接口。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes/#csi' target='_blank' aria-label='CSI'>CSI</a> 卷健康监测支持 CSI 驱动从底层的存储系统着手， 探测异常的卷状态，并以事件的形式上报到 <a class='glossary-tooltip' title='声明在持久卷中定义的存储资源，以便可以将其挂载为容器中的卷。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims' target='_blank' aria-label='PVC'>PVC</a> 或 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a>.</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/list-all-running-container-images/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/list-all-running-container-images/<!-- title: List All Container Images Running in a Cluster content_type: task weight: 100 --> <!-- overview --> <!-- This page shows how to use kubectl to list all of the Container images for Pods running in a cluster. --> <p>本文展示如何使用 kubectl 来列出集群中所有运行 Pod 的容器的镜像</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-projected-volume-storage/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-projected-volume-storage/<!-- reviewers: - jpeeler - pmorie title: Configure a Pod to Use a Projected Volume for Storage content_type: task weight: 100 --> <!-- overview --> <!-- This page shows how to use a [`projected`](/docs/concepts/storage/volumes/#projected) Volume to mount several existing volume sources into the same directory. Currently, `secret`, `configMap`, `downwardAPI`, and `serviceAccountToken` volumes can be projected. --> <p>本文介绍怎样通过 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volumes/#projected"><code>projected</code></a> 卷将现有的多个卷资源挂载到相同的目录。 当前，<code>secret</code>、<code>configMap</code>、<code>downwardAPI</code> 和 <code>serviceAccountToken</code> 卷可以被投射。</p> <!-- `serviceAccountToken` is not a volume type. --> <div class="alert alert-info" role="note"><h4 class="alert-heading">说明：</h4><code>serviceAccountToken</code> 不是一种卷类型。</div> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/implementation-details/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/implementation-details/<!-- reviewers: - luxas - jbeda title: Implementation details content_type: concept weight: 100 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.10 [stable]</code> </div> <!-- `kubeadm init` and `kubeadm join` together provide a nice user experience for creating a bare Kubernetes cluster from scratch, that aligns with the best-practices. However, it might not be obvious _how_ kubeadm does that. --> <p><code>kubeadm init</code> 和 <code>kubeadm join</code> 结合在一起为从头开始创建最基本的 Kubernetes 集群提供了良好的用户体验，这与最佳实践一致。 但是，kubeadm <strong>如何</strong>做到这一点可能并不明显。</p> <!-- This document provides additional details on what happens under the hood, with the aim of sharing knowledge on the best practices for a Kubernetes cluster. --> <p>本文档提供了更多幕后的详细信息，旨在分享有关 Kubernetes 集群最佳实践的知识。</p>https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/dual-stack-support/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/tools/kubeadm/dual-stack-support/<!-- title: Dual-stack support with kubeadm content_type: task weight: 100 min-kubernetes-server-version: 1.21 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.23 [stable]</code> </div> <!-- Your Kubernetes cluster includes [dual-stack](/docs/concepts/services-networking/dual-stack/) networking, which means that cluster networking lets you use either address family. In a cluster, the control plane can assign both an IPv4 address and an IPv6 address to a single <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> or a <a class='glossary-tooltip' title='将运行在一组 Pods 上的应用程序公开为网络服务的抽象方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/' target='_blank' aria-label='Service'>Service</a>. --> <p>你的集群包含<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/dual-stack/">双协议栈</a>组网支持， 这意味着集群网络允许你在两种地址族间任选其一。在集群中，控制面可以为同一个 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 或者 <a class='glossary-tooltip' title='将运行在一组 Pods 上的应用程序公开为网络服务的抽象方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/' target='_blank' aria-label='Service'>Service</a> 同时赋予 IPv4 和 IPv6 地址。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/topology-aware-routing/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/topology-aware-routing/<!-- reviewers: - robscott title: Topology Aware Routing content_type: concept weight: 100 description: >- _Topology Aware Routing_ provides a mechanism to help keep network traffic within the zone where it originated. Preferring same-zone traffic between Pods in your cluster can help with reliability, performance (network latency and throughput), or cost. --> <!-- overview --> <div class="feature-state-notice feature-beta"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.23 [beta]</code> </div> <div class="alert alert-info" role="note"><h4 class="alert-heading">说明：</h4><!-- Prior to Kubernetes 1.27, this feature was known as _Topology Aware Hints_. --> <p>在 Kubernetes 1.27 之前，此特性称为<strong>拓扑感知提示（Topology Aware Hint）</strong>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/common-labels/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/common-labels/<!-- --- title: Recommended Labels content_type: concept weight: 100 --- --> <!-- overview --> <!-- You can visualize and manage Kubernetes objects with more tools than kubectl and the dashboard. A common set of labels allows tools to work interoperably, describing objects in a common manner that all tools can understand. --> <p>除了 kubectl 和 dashboard 之外，你还可以使用其他工具来可视化和管理 Kubernetes 对象。 一组通用的标签可以让多个工具之间相互操作，用所有工具都能理解的通用方式描述对象。</p> <!-- In addition to supporting tooling, the recommended labels describe applications in a way that can be queried. --> <p>除了支持工具外，推荐的标签还以一种可以查询的方式描述了应用程序。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/generate-ref-docs/metrics-reference/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/generate-ref-docs/metrics-reference/<!-- title: Generating reference documentation for metrics content_type: task weight: 100 --> <!-- overview --> <!-- This page demonstrates the generation of metrics reference documentation. --> <p>本页演示如何生成指标参考文档。</p> <h2 id="准备开始">准备开始</h2> <!-- ### Requirements: - You need a machine that is running Linux or macOS. - You need to have these tools installed: - [Python](https://www.python.org/downloads/) v3.7.x+ - [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) - [Golang](https://go.dev/dl/) version 1.13+ - [Pip](https://pypi.org/project/pip/) used to install PyYAML - [PyYAML](https://pyyaml.org/) v5.1.2 - [make](https://www.gnu.org/software/make/) - [gcc compiler/linker](https://gcc.gnu.org/) - [Docker](https://docs.docker.com/engine/installation/) (Required only for `kubectl` command reference) --> <h3 id="requirements">需求</h3> <ul> <li> <p>你需要一台 Linux 或 macOS 机器。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/linux-kernel-security-constraints/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/linux-kernel-security-constraints/<!-- title: Linux kernel security constraints for Pods and containers description: > Overview of Linux kernel security modules and constraints that you can use to harden your Pods and containers. content_type: concept weight: 100 --> <!-- overview --> <!-- This page describes some of the security features that are built into the Linux kernel that you can use in your Kubernetes workloads. To learn how to apply these features to your Pods and containers, refer to [Configure a SecurityContext for a Pod or Container](/docs/tasks/configure-pod-container/security-context/). You should already be familiar with Linux and with the basics of Kubernetes workloads. --> <p>本页描述了一些 Linux 内核中内置的、你可以在 Kubernetes 工作负载中使用的安全特性。 要了解如何将这些特性应用到你的 Pod 和容器， 请参阅<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/security-context/">为 Pod 或容器配置 SecurityContext</a>。 你须熟悉 Linux 和 Kubernetes 工作负载的基础知识。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/api-eviction/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/api-eviction/<!-- title: API-initiated Eviction content_type: concept weight: 110 --> <p>API 发起的驱逐是一个先调用 <a href="https://andygol-k8s.netlify.app/docs/reference/generated/kubernetes-api/v1.35/#create-eviction-pod-v1-core">Eviction API</a> 创建 <code>Eviction</code> 对象，再由该对象体面地中止 Pod 的过程。 </br></p> <!-- You can request eviction by calling the Eviction API directly, or programmatically using a client of the <a class='glossary-tooltip' title='提供 Kubernetes API 服务的控制面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/#kube-apiserver' target='_blank' aria-label='API server'>API server</a>, like the `kubectl drain` command. This creates an `Eviction` object, which causes the API server to terminate the Pod. API-initiated evictions respect your configured [`PodDisruptionBudgets`](/docs/tasks/run-application/configure-pdb/) and [`terminationGracePeriodSeconds`](/docs/concepts/workloads/pods/pod-lifecycle#pod-termination). Using the API to create an Eviction object for a Pod is like performing a policy-controlled [`DELETE` operation](/docs/reference/kubernetes-api/workload-resources/pod-v1/#delete-delete-a-pod) on the Pod. --> <p>你可以通过直接调用 Eviction API 发起驱逐，也可以通过编程的方式使用 <a class='glossary-tooltip' title='提供 Kubernetes API 服务的控制面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/#kube-apiserver' target='_blank' aria-label='API 服务器'>API 服务器</a>的客户端来发起驱逐， 比如 <code>kubectl drain</code> 命令。 此操作创建一个 <code>Eviction</code> 对象，该对象再驱动 API 服务器终止选定的 Pod。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/flow-control/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/flow-control/<!-- title: API Priority and Fairness content_type: concept min-kubernetes-server-version: v1.18 weight: 110 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.29 [stable]</code> </div> <!-- Controlling the behavior of the Kubernetes API server in an overload situation is a key task for cluster administrators. The <a class='glossary-tooltip' title='提供 Kubernetes API 服务的控制面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/#kube-apiserver' target='_blank' aria-label='kube-apiserver'>kube-apiserver</a> has some controls available (i.e. the `--max-requests-inflight` and `--max-mutating-requests-inflight` command-line flags) to limit the amount of outstanding work that will be accepted, preventing a flood of inbound requests from overloading and potentially crashing the API server, but these flags are not enough to ensure that the most important requests get through in a period of high traffic. --> <p>对于集群管理员来说，控制 Kubernetes API 服务器在过载情况下的行为是一项关键任务。 <a class='glossary-tooltip' title='提供 Kubernetes API 服务的控制面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/#kube-apiserver' target='_blank' aria-label='kube-apiserver'>kube-apiserver</a> 有一些控件（例如：命令行标志 <code>--max-requests-inflight</code> 和 <code>--max-mutating-requests-inflight</code>）， 可以限制将要接受的未处理的请求，从而防止过量请求入站，潜在导致 API 服务器崩溃。 但是这些标志不足以保证在高流量期间，最重要的请求仍能被服务器接受。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/kubelet-authn-authz/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/kubelet-authn-authz/<!-- reviewers: - liggitt title: Kubelet authentication/authorization weight: 110 --> <!-- ## Overview --> <h2 id="overview">概述</h2> <!-- A kubelet's HTTPS endpoint exposes APIs which give access to data of varying sensitivity, and allow you to perform operations with varying levels of power on the node and within containers. --> <p>kubelet 的 HTTPS 端点公开了一些 API，这些 API 可以访问敏感度不同的数据， 并允许你在节点上和容器内以不同级别的权限执行操作。</p> <!-- This document describes how to authenticate and authorize access to the kubelet's HTTPS endpoint. --> <p>本文档介绍了如何对 kubelet 的 HTTPS 端点的访问进行认证和鉴权。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/running-cloud-controller/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/running-cloud-controller/<!-- reviewers: - luxas - thockin - wlan0 title: Kubernetes Cloud Controller Manager content_type: concept weight: 110 --> <!-- overview --> <div class="feature-state-notice feature-beta"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.11 [beta]</code> </div> <!-- Since cloud providers develop and release at a different pace compared to the Kubernetes project, abstracting the provider-specific code to the `<a class='glossary-tooltip' title='将 Kubernetes 与第三方云提供商进行集成的控制平面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/cloud-controller/' target='_blank' aria-label='cloud-controller-manager'>cloud-controller-manager</a>` binary allows cloud vendors to evolve independently from the core Kubernetes code. --> <p>由于云驱动的开发和发布的步调与 Kubernetes 项目不同，将服务提供商专用代码抽象到 <code><a class='glossary-tooltip' title='将 Kubernetes 与第三方云提供商进行集成的控制平面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/cloud-controller/' target='_blank' aria-label='cloud-controller-manager'>cloud-controller-manager</a></code> 二进制中有助于云服务厂商在 Kubernetes 核心代码之外独立进行开发。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/swap-behavior/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/node/swap-behavior/<!-- content_type: "reference" title: Linux Node Swap Behaviors weight: 110 --> <!-- To allow Kubernetes workloads to use swap, on a Linux node, you must disable the kubelet's default behavior of failing when swap is detected, and specify memory-swap behavior as `LimitedSwap`: --> <p>要允许 Kubernetes 工作负载在 Linux 节点上使用交换分区， 你必须禁用 kubelet 在检测到交换分区时失败的默认行为， 并指定内存交换行为为 <code>LimitedSwap</code>：</p> <!-- The available choices for swap behavior are: --> <p>可用的交换行为选项有：</p> <!-- `NoSwap` : (default) Workloads running as Pods on this node do not and cannot use swap. However, processes outside of Kubernetes' scope, such as system daemons (including the kubelet itself!) **can** utilize swap. This behavior is beneficial for protecting the node from system-level memory spikes, but it does not safeguard the workloads themselves from such spikes. --> <dl> <dt><code>NoSwap</code></dt> <dd>（默认）在此节点上作为 Pod 运行的工作负载不会也不能使用交换分区。 然而，系统守护进程（包括 kubelet 本身！）等这类 Kubernetes 范围之外的进程<strong>可以</strong>利用交换分区。 这种行为有助于保护节点免受系统级别的内存峰值影响， 但这不能保护工作负载本身不受此类峰值的影响。</dd> </dl> <!-- `LimitedSwap` : Kubernetes workloads can utilize swap memory. The amount of swap available to a Pod is determined automatically. To learn more, read [swap memory management](/docs/concepts/cluster-administration/swap-memory-management/). --> <dl> <dt><code>LimitedSwap</code></dt> <dd>Kubernetes 工作负载可以使用交换内存，Pod 可用的交换量是自动确定的。</dd> </dl> <p>要了解更多，请阅读<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/swap-memory-management/">交换内存管理</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/windows-storage/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/windows-storage/<!-- reviewers: - jingxu97 - mauriciopoppe - jayunit100 - jsturtevant - marosset - aravindhp title: Windows Storage content_type: concept --> <!-- overview --> <!-- This page provides an storage overview specific to the Windows operating system. --> <p>此页面提供特定于 Windows 操作系统的存储概述。</p> <!-- body --> <!-- ## Persistent storage {#storage} Windows has a layered filesystem driver to mount container layers and create a copy filesystem based on NTFS. All file paths in the container are resolved only within the context of that container. --> <h2 id="storage">持久存储</h2> <p>Windows 有一个分层文件系统驱动程序用来挂载容器层和创建基于 NTFS 的文件系统拷贝。 容器中的所有文件路径仅在该容器的上下文中解析。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/windows-networking/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/windows-networking/<!-- reviewers: - aravindhp - jayunit100 - jsturtevant - marosset title: Networking on Windows content_type: concept weight: 110 --> <!-- overview --> <!-- Kubernetes supports running nodes on either Linux or Windows. You can mix both kinds of node within a single cluster. This page provides an overview to networking specific to the Windows operating system. --> <p>Kubernetes 支持运行 Linux 或 Windows 节点。 你可以在统一集群内混布这两种节点。 本页提供了特定于 Windows 操作系统的网络概述。</p> <!-- body --> <!-- ## Container networking on Windows {#networking} Networking for Windows containers is exposed through [CNI plugins](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/). Windows containers function similarly to virtual machines in regards to networking. Each container has a virtual network adapter (vNIC) which is connected to a Hyper-V virtual switch (vSwitch). The Host Networking Service (HNS) and the Host Compute Service (HCS) work together to create containers and attach container vNICs to networks. HCS is responsible for the management of containers whereas HNS is responsible for the management of networking resources such as: * Virtual networks (including creation of vSwitches) * Endpoints / vNICs * Namespaces * Policies including packet encapsulations, load-balancing rules, ACLs, and NAT rules. --> <h2 id="networking">Windows 容器网络</h2> <p>Windows 容器网络通过 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/">CNI 插件</a>暴露。 Windows 容器网络的工作方式与虚拟机类似。 每个容器都有一个连接到 Hyper-V 虚拟交换机（vSwitch）的虚拟网络适配器（vNIC）。 主机网络服务（Host Networking Service，HNS）和主机计算服务（Host Compute Service，HCS） 协同创建容器并将容器 vNIC 挂接到网络。 HCS 负责管理容器，而 HNS 负责管理以下网络资源：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/security-context/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/security-context/<!-- reviewers: - erictune - mikedanese - thockin title: Configure a Security Context for a Pod or Container content_type: task weight: 110 --> <!-- overview --> <!-- A security context defines privilege and access control settings for a Pod or Container. Security context settings include, but are not limited to: * Discretionary Access Control: Permission to access an object, like a file, is based on [user ID (UID) and group ID (GID)](https://wiki.archlinux.org/index.php/users_and_groups). * [Security Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux): Objects are assigned security labels. * Running as privileged or unprivileged. * [Linux Capabilities](https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/): Give a process some privileges, but not all the privileges of the root user. --> <p>安全上下文（Security Context）定义 Pod 或 Container 的特权与访问控制设置。 安全上下文包括但不限于：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/configure-pdb/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/configure-pdb/<!-- title: Specifying a Disruption Budget for your Application content_type: task weight: 110 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.21 [stable]</code> </div> <!-- This page shows how to limit the number of concurrent disruptions that your application experiences, allowing for higher availability while permitting the cluster administrator to manage the clusters nodes. --> <p>本文展示如何限制应用程序的并发干扰数量，在允许集群管理员管理集群节点的同时保证高可用。</p> <h2 id="准备开始">准备开始</h2> 你的 Kubernetes 服务器版本必须不低于版本 v1.21. <p>要获知版本信息，请输入 <code>kubectl version</code>.</p> <!-- - You are the owner of an application running on a Kubernetes cluster that requires high availability. - You should know how to deploy [Replicated Stateless Applications](/docs/tasks/run-application/run-stateless-application-deployment/) and/or [Replicated Stateful Applications](/docs/tasks/run-application/run-replicated-stateful-application/). - You should have read about [Pod Disruptions](/docs/concepts/workloads/pods/disruptions/). - You should confirm with your cluster owner or service provider that they respect Pod Disruption Budgets. --> <ul> <li>你是 Kubernetes 集群中某应用的所有者，该应用有高可用要求。</li> <li>你应了解如何部署<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/run-stateless-application-deployment/">无状态应用</a> 和/或<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/run-replicated-stateful-application/">有状态应用</a>。</li> <li>你应当已经阅读过关于 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/disruptions/">Pod 干扰</a>的文档。</li> <li>用户应当与集群所有者或服务提供者确认其遵从 Pod 干扰预算（Pod Disruption Budgets）的规则。</li> </ul> <!-- steps --> <!-- ## Protecting an Application with a PodDisruptionBudget 1. Identify what application you want to protect with a PodDisruptionBudget (PDB). 1. Think about how your application reacts to disruptions. 1. Create a PDB definition as a YAML file. 1. Create the PDB object from the YAML file. --> <h2 id="protecting-app-with-pdb">用 PodDisruptionBudget 来保护应用</h2> <ol> <li>确定想要使用 PodDisruptionBudget（PDB）来保护的应用。</li> <li>考虑应用对干扰的反应。</li> <li>以 YAML 文件形式定义 PDB。</li> <li>通过 YAML 文件创建 PDB 对象。</li> </ol> <!-- discussion --> <!-- ## Identify an Application to Protect The most common use case when you want to protect an application specified by one of the built-in Kubernetes controllers: --> <h2 id="identify-app-to-protect">确定要保护的应用</h2> <p>用户想要保护通过内置的 Kubernetes 控制器指定的应用，这是最常见的使用场景：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/application-security-checklist/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/application-security-checklist/<!-- title: Application Security Checklist description: > Baseline guidelines around ensuring application security on Kubernetes, aimed at application developers content_type: concept weight: 110 --> <!-- overview --> <!-- This checklist aims to provide basic guidelines on securing applications running in Kubernetes from a developer's perspective. This list is not meant to be exhaustive and is intended to evolve over time. --> <p>本检查清单旨在为开发者提供在 Kubernetes 上安全地运行应用的基本指南。 此列表并不打算详尽无遗，会随着时间的推移而不断演变。</p> <!-- The following is taken from the existing checklist created for Kubernetes admins. https://kubernetes.io/docs/concepts/security/security-checklist/ --> <!-- On how to read and use this document: - The order of topics does not reflect an order of priority. - Some checklist items are detailed in the paragraph below the list of each section. - This checklist assumes that a `developer` is a Kubernetes cluster user who interacts with namespaced scope objects. --> <p>关于如何阅读和使用本文档：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/cluster-ip-allocation/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/cluster-ip-allocation/<!-- reviewers: - sftim - thockin title: Service ClusterIP allocation content_type: concept weight: 120 --> <!-- overview --> <!-- In Kubernetes, [Services](/docs/concepts/services-networking/service/) are an abstract way to expose an application running on a set of Pods. Services can have a cluster-scoped virtual IP address (using a Service of `type: ClusterIP`). Clients can connect using that virtual IP address, and Kubernetes then load-balances traffic to that Service across the different backing Pods. --> <p>在 Kubernetes 中，<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/">Service</a> 是一种抽象的方式， 用于公开在一组 Pod 上运行的应用。 Service 可以具有集群作用域的虚拟 IP 地址（使用 <code>type: ClusterIP</code> 的 Service）。 客户端可以使用该虚拟 IP 地址进行连接，Kubernetes 通过不同的后台 Pod 对该 Service 的流量进行负载均衡。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/<!-- reviewers: - mikedanese - liggitt - smarterclayton - awly title: TLS bootstrapping content_type: concept weight: 120 --> <!-- overview --> <!-- In a Kubernetes cluster, the components on the worker nodes - kubelet and kube-proxy - need to communicate with Kubernetes control plane components, specifically kube-apiserver. In order to ensure that communication is kept private, not interfered with, and ensure that each component of the cluster is talking to another trusted component, we strongly recommend using client TLS certificates on nodes. --> <p>在一个 Kubernetes 集群中，工作节点上的组件（kubelet 和 kube-proxy）需要与 Kubernetes 控制平面组件通信，尤其是 kube-apiserver。 为了确保通信本身是私密的、不被干扰，并且确保集群的每个组件都在与另一个可信的组件通信， 我们强烈建议使用节点上的客户端 TLS 证书。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/addons/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/addons/<!-- title: Installing Addons content_type: concept weight: 120 --> <!-- overview --> <div class="alert alert-secondary callout third-party-content" role="note"><strong>说明：</strong>&puncsp;本部分链接到提供 Kubernetes 所需功能的第三方项目。Kubernetes 项目作者不负责这些项目。此页面遵循<a href="https://github.com/cncf/foundation/blob/main/policies-guidance/website-guidelines.md" target="_blank">CNCF 网站指南</a>，按字母顺序列出项目。要将项目添加到此列表中，请在提交更改之前阅读<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/content-guide/#third-party-content">内容指南</a>。</div> <!-- Add-ons extend the functionality of Kubernetes. This page lists some of the available add-ons and links to their respective installation instructions. The list does not try to be exhaustive. --> <p>Add-on 扩展了 Kubernetes 的功能。</p> <p>本文列举了一些可用的 add-on 以及到它们各自安装说明的链接。该列表并不试图详尽无遗。</p> <!-- body --> <!-- ## Networking and Network Policy * [ACI](https://www.github.com/noironetworks/aci-containers) provides integrated container networking and network security with Cisco ACI. * [Antrea](https://antrea.io/) operates at Layer 3/4 to provide networking and security services for Kubernetes, leveraging Open vSwitch as the networking data plane. Antrea is a [CNCF project at the Sandbox level](https://www.cncf.io/projects/antrea/). * [Calico](https://www.tigera.io/project-calico/) is a networking and network policy provider. Calico supports a flexible set of networking options so you can choose the most efficient option for your situation, including non-overlay and overlay networks, with or without BGP. Calico uses the same engine to enforce network policy for hosts, pods, and (if using Istio & Envoy) applications at the service mesh layer. * [Canal](https://projectcalico.docs.tigera.io/getting-started/kubernetes/flannel/flannel) unites Flannel and Calico, providing networking and network policy. * [Cilium](https://github.com/cilium/cilium) is a networking, observability, and security solution with an eBPF-based data plane. Cilium provides a simple flat Layer 3 network with the ability to span multiple clusters in either a native routing or overlay/encapsulation mode, and can enforce network policies on L3-L7 using an identity-based security model that is decoupled from network addressing. Cilium can act as a replacement for kube-proxy; it also offers additional, opt-in observability and security features. Cilium is a [CNCF project at the Graduated level](https://www.cncf.io/projects/cilium/). --> <h2 id="networking-and-network-policy">联网和网络策略</h2> <ul> <li><a href="https://www.github.com/noironetworks/aci-containers">ACI</a> 通过 Cisco ACI 提供集成的容器网络和安全网络。</li> <li><a href="https://antrea.io/">Antrea</a> 在第 3/4 层执行操作，为 Kubernetes 提供网络连接和安全服务。Antrea 利用 Open vSwitch 作为网络的数据面。 Antrea 是一个<a href="https://www.cncf.io/projects/antrea/">沙箱级的 CNCF 项目</a>。</li> <li><a href="https://www.tigera.io/project-calico/">Calico</a> 是一个联网和网络策略供应商。 Calico 支持一套灵活的网络选项，因此你可以根据自己的情况选择最有效的选项，包括非覆盖和覆盖网络，带或不带 BGP。 Calico 使用相同的引擎为主机、Pod 和（如果使用 Istio 和 Envoy）应用程序在服务网格层执行网络策略。</li> <li><a href="https://projectcalico.docs.tigera.io/getting-started/kubernetes/flannel/flannel">Canal</a> 结合 Flannel 和 Calico，提供联网和网络策略。</li> <li><a href="https://github.com/cilium/cilium">Cilium</a> 是一种网络、可观察性和安全解决方案，具有基于 eBPF 的数据平面。 Cilium 提供了简单的 3 层扁平网络， 能够以原生路由（routing）和覆盖/封装（overlay/encapsulation）模式跨越多个集群， 并且可以使用与网络寻址分离的基于身份的安全模型在 L3 至 L7 上实施网络策略。 Cilium 可以作为 kube-proxy 的替代品；它还提供额外的、可选的可观察性和安全功能。 Cilium 是一个<a href="https://www.cncf.io/projects/cilium/">毕业级别的 CNCF 项目</a>。</li> </ul> <!-- * [CNI-Genie](https://github.com/cni-genie/CNI-Genie) enables Kubernetes to seamlessly connect to a choice of CNI plugins, such as Calico, Canal, Flannel, or Weave. CNI-Genie is a [CNCF project at the Sandbox level](https://www.cncf.io/projects/cni-genie/). * [Contiv](https://contivpp.io/) provides configurable networking (native L3 using BGP, overlay using vxlan, classic L2, and Cisco-SDN/ACI) for various use cases and a rich policy framework. Contiv project is fully [open sourced](https://github.com/contiv). The [installer](https://github.com/contiv/install) provides both kubeadm and non-kubeadm based installation options. * [Contrail](https://www.juniper.net/us/en/products-services/sdn/contrail/contrail-networking/), based on [Tungsten Fabric](https://tungsten.io), is an open source, multi-cloud network virtualization and policy management platform. Contrail and Tungsten Fabric are integrated with orchestration systems such as Kubernetes, OpenShift, OpenStack and Mesos, and provide isolation modes for virtual machines, containers/pods and bare metal workloads. --> <ul> <li><a href="https://github.com/cni-genie/CNI-Genie">CNI-Genie</a> 使 Kubernetes 无缝连接到 Calico、Canal、Flannel 或 Weave 等其中一种 CNI 插件。 CNI-Genie 是一个<a href="https://www.cncf.io/projects/cni-genie/">沙箱级的 CNCF 项目</a>。</li> <li><a href="https://contivpp.io/">Contiv</a> 为各种用例和丰富的策略框架提供可配置的网络 （带 BGP 的原生 L3、带 vxlan 的覆盖、标准 L2 和 Cisco-SDN/ACI）。 Contiv 项目完全<a href="https://github.com/contiv">开源</a>。 其<a href="https://github.com/contiv/install">安装程序</a> 提供了基于 kubeadm 和非 kubeadm 的安装选项。</li> <li><a href="https://www.juniper.net/us/en/products-services/sdn/contrail/contrail-networking/">Contrail</a> 基于 <a href="https://tungsten.io">Tungsten Fabric</a>，是一个开源的多云网络虚拟化和策略管理平台。 Contrail 和 Tungsten Fabric 与业务流程系统（例如 Kubernetes、OpenShift、OpenStack 和 Mesos）集成在一起， 为虚拟机、容器或 Pod 以及裸机工作负载提供了隔离模式。</li> </ul> <!-- * [Flannel](https://github.com/flannel-io/flannel#deploying-flannel-manually) is an overlay network provider that can be used with Kubernetes. * [Gateway API](/docs/concepts/services-networking/gateway/) is an open source project managed by the [SIG Network](https://github.com/kubernetes/community/tree/master/sig-network) community and provides an expressive, extensible, and role-oriented API for modeling service networking. * [Knitter](https://github.com/ZTE/Knitter/) is a plugin to support multiple network interfaces in a Kubernetes pod. * [Multus](https://github.com/k8snetworkplumbingwg/multus-cni) is a Multi plugin for multiple network support in Kubernetes to support all CNI plugins (e.g. Calico, Cilium, Contiv, Flannel), in addition to SRIOV, DPDK, OVS-DPDK and VPP based workloads in Kubernetes. --> <ul> <li><a href="https://github.com/flannel-io/flannel#deploying-flannel-manually">Flannel</a> 是一个可以用于 Kubernetes 的 overlay 网络提供者。</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/gateway/">Gateway API</a> 是一个由 <a href="https://github.com/kubernetes/community/tree/master/sig-network">SIG Network</a> 社区管理的开源项目， 为服务网络建模提供一种富有表达力、可扩展和面向角色的 API。</li> <li><a href="https://github.com/ZTE/Knitter/">Knitter</a> 是在一个 Kubernetes Pod 中支持多个网络接口的插件。</li> <li><a href="https://github.com/k8snetworkplumbingwg/multus-cni">Multus</a> 是一个多插件， 可在 Kubernetes 中提供多种网络支持，以支持所有 CNI 插件（例如 Calico、Cilium、Contiv、Flannel）， 而且包含了在 Kubernetes 中基于 SRIOV、DPDK、OVS-DPDK 和 VPP 的工作负载。</li> </ul> <!-- * [OVN-Kubernetes](https://github.com/ovn-org/ovn-kubernetes/) is a networking provider for Kubernetes based on [OVN (Open Virtual Network)](https://github.com/ovn-org/ovn/), a virtual networking implementation that came out of the Open vSwitch (OVS) project. OVN-Kubernetes provides an overlay based networking implementation for Kubernetes, including an OVS based implementation of load balancing and network policy. * [Nodus](https://github.com/akraino-edge-stack/icn-nodus) is an OVN based CNI controller plugin to provide cloud native based Service function chaining(SFC). --> <ul> <li><a href="https://github.com/ovn-org/ovn-kubernetes/">OVN-Kubernetes</a> 是一个 Kubernetes 网络驱动， 基于 <a href="https://github.com/ovn-org/ovn/">OVN（Open Virtual Network）</a>实现，是从 Open vSwitch (OVS) 项目衍生出来的虚拟网络实现。OVN-Kubernetes 为 Kubernetes 提供基于覆盖网络的网络实现， 包括一个基于 OVS 实现的负载均衡器和网络策略。</li> <li><a href="https://github.com/akraino-edge-stack/icn-nodus">Nodus</a> 是一个基于 OVN 的 CNI 控制器插件， 提供基于云原生的服务功能链 (SFC)。</li> </ul> <!-- * [NSX-T](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html) Container Plug-in (NCP) provides integration between VMware NSX-T and container orchestrators such as Kubernetes, as well as integration between NSX-T and container-based CaaS/PaaS platforms such as Pivotal Container Service (PKS) and OpenShift. * [Nuage](https://github.com/nuagenetworks/nuage-kubernetes/blob/v5.1.1-1/docs/kubernetes-1-installation.rst) is an SDN platform that provides policy-based networking between Kubernetes Pods and non-Kubernetes environments with visibility and security monitoring. * [Romana](https://github.com/romana) is a Layer 3 networking solution for pod networks that also supports the [NetworkPolicy](/docs/concepts/services-networking/network-policies/) API. * [Spiderpool](https://github.com/spidernet-io/spiderpool) is an underlay and RDMA networking solution for Kubernetes. Spiderpool is supported on bare metal, virtual machines, and public cloud environments. * [Terway](https://github.com/AliyunContainerService/terway/) is a suite of CNI plugins based on AlibabaCloud's VPC and ECS network products. It provides native VPC networking and network policies in AlibabaCloud environments. * [Weave Net](https://github.com/rajch/weave#using-weave-on-kubernetes) provides networking and network policy, will carry on working on both sides of a network partition, and does not require an external database. --> <ul> <li><a href="https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html">NSX-T</a> 容器插件（NCP） 提供了 VMware NSX-T 与容器协调器（例如 Kubernetes）之间的集成，以及 NSX-T 与基于容器的 CaaS / PaaS 平台（例如关键容器服务（PKS）和 OpenShift）之间的集成。</li> <li><a href="https://github.com/nuagenetworks/nuage-kubernetes/blob/v5.1.1-1/docs/kubernetes-1-installation.rst">Nuage</a> 是一个 SDN 平台，可在 Kubernetes Pods 和非 Kubernetes 环境之间提供基于策略的联网，并具有可视化和安全监控。</li> <li><a href="https://github.com/romana">Romana</a> 是一个 Pod 网络的第三层解决方案，并支持 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/network-policies/">NetworkPolicy</a> API。</li> <li><a href="https://github.com/spidernet-io/spiderpool">Spiderpool</a> 为 Kubernetes 提供了下层网络和 RDMA 高速网络解决方案，兼容裸金属、虚拟机和公有云等运行环境。</li> <li><a href="https://github.com/AliyunContainerService/terway/">Terway</a> 是一套基于阿里云 VPC 和 ECS 网络产品的 CNI 插件，能够在阿里云环境中提供原生的 VPC 网络和网络策略支持。</li> <li><a href="https://github.com/rajch/weave#using-weave-on-kubernetes">Weave Net</a> 提供在网络分组两端参与工作的联网和网络策略，并且不需要额外的数据库。</li> </ul> <!-- ## Service Discovery * [CoreDNS](https://coredns.io) is a flexible, extensible DNS server which can be [installed](https://github.com/coredns/helm) as the in-cluster DNS for pods. --> <h2 id="service-discovery">服务发现</h2> <ul> <li><a href="https://coredns.io">CoreDNS</a> 是一种灵活的，可扩展的 DNS 服务器，可以 <a href="https://github.com/coredns/helm">安装</a>为集群内的 Pod 提供 DNS 服务。</li> </ul> <!-- ## Visualization &amp; Control * [Dashboard](https://github.com/kubernetes/dashboard#kubernetes-dashboard) is a dashboard web interface for Kubernetes. * [Headlamp](https://headlamp.dev/) is an extensible Kub deployed in-cluster or used as a desktop application. --> <h2 id="visualization-and-control">可视化管理</h2> <ul> <li><a href="https://github.com/kubernetes/dashboard#kubernetes-dashboard">Dashboard</a> 是一个 Kubernetes 的 Web 控制台界面。</li> <li><a href="https://headlamp.dev/">Headlamp</a> 是一个<strong>可扩展的 Kubernetes 用户界面（UI）</strong>， 既可以<strong>以集群内方式部署</strong>，也可以<strong>作为桌面应用程序使用</strong>。</li> </ul> <!-- ## Infrastructure * [KubeVirt](https://kubevirt.io/user-guide/#/installation/installation) is an add-on to run virtual machines on Kubernetes. Usually run on bare-metal clusters. * The [node problem detector](https://github.com/kubernetes/node-problem-detector) runs on Linux nodes and reports system issues as either [Events](/docs/reference/kubernetes-api/cluster-resources/event-v1/) or [Node conditions](/docs/concepts/architecture/nodes/#condition). --> <h2 id="infrastructure">基础设施</h2> <ul> <li><a href="https://kubevirt.io/user-guide/#/installation/installation">KubeVirt</a> 是可以让 Kubernetes 运行虚拟机的 add-on。通常运行在裸机集群上。</li> <li><a href="https://github.com/kubernetes/node-problem-detector">节点问题检测器</a> 在 Linux 节点上运行， 并将系统问题报告为<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/event-v1/">事件</a> 或<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/#condition">节点状况</a>。</li> </ul> <!-- ## Instrumentation * [kube-state-metrics](/docs/concepts/cluster-administration/kube-state-metrics) --> <h2 id="instrumentation">插桩</h2> <ul> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/kube-state-metrics">kube-state-metrics</a></li> </ul> <!-- ## Legacy Add-ons There are several other add-ons documented in the deprecated [cluster/addons](https://git.k8s.io/kubernetes/cluster/addons) directory. Well-maintained ones should be linked to here. PRs welcome! --> <h2 id="legacy-addons">遗留 Add-on</h2> <p>还有一些其它 add-on 归档在已废弃的 <a href="https://git.k8s.io/kubernetes/cluster/addons">cluster/addons</a> 路径中。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/analytics/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/analytics/<!-- title: Viewing Site Analytics content_type: concept weight: 120 card: name: contribute weight: 100 --> <!-- overview --> <!-- This page contains information about the kubernetes.io analytics dashboard. --> <p>此页面包含有关 kubernetes.io 分析仪表板的信息。</p> <!-- body --> <!-- [View the dashboard](https://lookerstudio.google.com/u/0/reporting/fe615dc5-59b0-4db5-8504-ef9eacb663a9/page/4VDGB/). This dashboard is built using [Google Looker Studio](https://lookerstudio.google.com/overview) and shows information collected on kubernetes.io using Google Analytics 4 since August 2022. --> <p><a href="https://lookerstudio.google.com/u/0/reporting/fe615dc5-59b0-4db5-8504-ef9eacb663a9/page/4VDGB/">查看仪表板</a>。</p> <p>此仪表板使用 <a href="https://lookerstudio.google.com/overview">Google Looker Studio</a> 构建，并显示自 2022 年 8 月以来使用 Google Analytics 4 在 kubernetes.io 上收集的信息。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/access-api-from-pod/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/access-api-from-pod/<!-- title: Accessing the Kubernetes API from a Pod content_type: task weight: 120 --> <!-- overview --> <!-- This guide demonstrates how to access the Kubernetes API from within a pod. --> <p>本指南演示了如何从 Pod 中访问 Kubernetes API。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/hugo-shortcodes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/hugo-shortcodes/<!-- title: Custom Hugo Shortcodes content_type: concept weight: 120 --> <!-- overview --> <!-- This page explains the custom Hugo shortcodes that can be used in Kubernetes Markdown documentation. --> <p>本页面将介绍 Hugo 自定义短代码，可以用于 Kubernetes Markdown 文档书写。</p> <!-- Read more about shortcodes in the [Hugo documentation](https://gohugo.io/content-management/shortcodes). --> <p>关于短代码的更多信息可参见 <a href="https://gohugo.io/content-management/shortcodes">Hugo 文档</a>。</p> <!-- body --> <!-- ## Feature state In a Markdown page (`.md` file) on this site, you can add a shortcode to display version and state of the documented feature. --> <h2 id="feature-state">功能状态</h2> <p>在本站的 Markdown 页面（<code>.md</code> 文件）中，你可以加入短代码来展示所描述的功能特性的版本和状态。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service-traffic-policy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service-traffic-policy/<!-- --- reviewers: - maplain title: Service Internal Traffic Policy content_type: concept weight: 120 description: >- If two Pods in your cluster want to communicate, and both Pods are actually running on the same node, _Service Internal Traffic Policy_ to keep network traffic within that node. Avoiding a round trip via the cluster network can help with reliability, performance (network latency and throughput), or cost. --- --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.26 [stable]</code> </div> <!-- _Service Internal Traffic Policy_ enables internal traffic restrictions to only route internal traffic to endpoints within the node the traffic originated from. The "internal" traffic here refers to traffic originated from Pods in the current cluster. This can help to reduce costs and improve performance. --> <p><strong>服务内部流量策略</strong>开启了内部流量限制，将内部流量只路由到发起方所处节点内的服务端点。 这里的”内部“流量指当前集群中的 Pod 所发起的流量。 这种机制有助于节省开销，提升效率。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubelet-credential-provider/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubelet-credential-provider/<!-- title: Configure a kubelet image credential provider reviewers: - liggitt - cheftako content_type: task min-kubernetes-server-version: v1.26 weight: 120 --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.26 [stable]</code> </div> <!-- overview --> <!-- Starting from Kubernetes v1.20, the kubelet can dynamically retrieve credentials for a container image registry using exec plugins. The kubelet and the exec plugin communicate through stdio (stdin, stdout, and stderr) using Kubernetes versioned APIs. These plugins allow the kubelet to request credentials for a container registry dynamically as opposed to storing static credentials on disk. For example, the plugin may talk to a local metadata server to retrieve short-lived credentials for an image that is being pulled by the kubelet. --> <p>从 Kubernetes v1.20 开始，kubelet 可以使用 exec 插件动态获得针对某容器镜像库的凭据。 kubelet 使用 Kubernetes 版本化 API 通过标准输入输出（标准输入、标准输出和标准错误）和 exec 插件通信。这些插件允许 kubelet 动态请求容器仓库的凭据，而不是将静态凭据存储在磁盘上。 例如，插件可能会与本地元数据服务器通信，以获得 kubelet 正在拉取的镜像的短期凭据。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/communicate-containers-same-pod-shared-volume/<!-- title: Communicate Between Containers in the Same Pod Using a Shared Volume content_type: task weight: 120 --> <!-- overview --> <!-- This page shows how to use a Volume to communicate between two Containers running in the same Pod. See also how to allow processes to communicate by [sharing process namespace](/docs/tasks/configure-pod-container/share-process-namespace/) between containers. --> <p>本文旨在说明如何让一个 Pod 内的两个容器使用一个卷（Volume）进行通信。 参阅如何让两个进程跨容器通过 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/share-process-namespace/">共享进程名字空间</a>。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/generate-ref-docs/kubernetes-components/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/generate-ref-docs/kubernetes-components/<!-- title: Generating Reference Pages for Kubernetes Components and Tools content_type: task weight: 120 --> <!-- overview --> <!-- This page shows how to build the Kubernetes component and tool reference pages. --> <p>本页面描述如何构造 Kubernetes 组件和工具的参考文档。</p> <h2 id="准备开始">准备开始</h2> <!-- Start with the [Prerequisites section](/docs/contribute/generate-ref-docs/quickstart/#before-you-begin) in the Reference Documentation Quickstart guide. --> <p>阅读参考文档快速入门指南中的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/generate-ref-docs/quickstart/#before-you-begin">准备工作</a>节。</p> <!-- steps --> <!-- Follow the [Reference Documentation Quickstart](/docs/contribute/generate-ref-docs/quickstart/) to generate the Kubernetes component and tool reference pages. --> <p>按照<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/generate-ref-docs/quickstart/">参考文档快速入门</a> 指引，生成 Kubernetes 组件和工具的参考文档。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-service-account/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-service-account/<!-- reviewers: - enj - liggitt - thockin title: Configure Service Accounts for Pods content_type: task weight: 120 --> <!-- overview --> <!-- Kubernetes offers two distinct ways for clients that run within your cluster, or that otherwise have a relationship to your cluster's <a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='control plane'>control plane</a> to authenticate to the <a class='glossary-tooltip' title='提供 Kubernetes API 服务的控制面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/#kube-apiserver' target='_blank' aria-label='API server'>API server</a>. --> <p>Kubernetes 提供两种完全不同的方式来为客户端提供支持，这些客户端可能运行在你的集群中， 也可能与你的集群的<a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='控制面'>控制面</a>相关， 需要向 <a class='glossary-tooltip' title='提供 Kubernetes API 服务的控制面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/#kube-apiserver' target='_blank' aria-label='API 服务器'>API 服务器</a>完成身份认证。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/pull-image-private-registry/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/pull-image-private-registry/<!-- title: Pull an Image from a Private Registry content_type: task weight: 130 --> <!-- overview --> <!-- This page shows how to create a Pod that uses a <a class='glossary-tooltip' title='Secret 用于存储敏感信息，如密码、 OAuth 令牌和 SSH 密钥。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/secret/' target='_blank' aria-label='Secret'>Secret</a> to pull an image from a private container image registry or repository. There are many private registries in use. This task uses [Docker Hub](https://www.docker.com/products/docker-hub) as an example registry. --> <p>本文介绍如何使用 <a class='glossary-tooltip' title='Secret 用于存储敏感信息，如密码、 OAuth 令牌和 SSH 密钥。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/secret/' target='_blank' aria-label='Secret'>Secret</a> 从私有的镜像仓库或代码仓库拉取镜像来创建 Pod。 有很多私有镜像仓库正在使用中。这个任务使用的镜像仓库是 <a href="https://www.docker.com/products/docker-hub">Docker Hub</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/debug-cluster/flow-control/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/debug-cluster/flow-control/<!-- title: Flow control weight: 130 --> <!-- overview --> <!-- API Priority and Fairness controls the behavior of the Kubernetes API server in an overload situation. You can find more information about it in the [API Priority and Fairness](/docs/concepts/cluster-administration/flow-control/) documentation. --> <p>API 优先级和公平性控制着 Kubernetes API 服务器在负载过高的情况下的行为。你可以在 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/flow-control/">API 优先级和公平性</a>文档中找到更多信息。</p> <!-- body --> <!-- ## Diagnostics Every HTTP response from an API server with the priority and fairness feature enabled has two extra headers: `X-Kubernetes-PF-FlowSchema-UID` and `X-Kubernetes-PF-PriorityLevel-UID`, noting the flow schema that matched the request and the priority level to which it was assigned, respectively. The API objects' names are not included in these headers (to avoid revealing details in case the requesting user does not have permission to view them). When debugging, you can use a command such as: --> <h2 id="diagnostics">问题诊断</h2> <p>对于启用了 APF 的 API 服务器，每个 HTTP 响应都有两个额外的 HTTP 头： <code>X-Kubernetes-PF-FlowSchema-UID</code> 和 <code>X-Kubernetes-PF-PriorityLevel-UID</code>， 给出与请求匹配的 FlowSchema 和已分配的优先级级别。 如果请求用户没有查看这些对象的权限，则这些 HTTP 头中将不包含 API 对象的名称， 因此在调试时，你可以使用类似如下的命令：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/quota-api-object/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/quota-api-object/<!-- title: Configure Quotas for API Objects content_type: task weight: 130 --> <!-- overview --> <!-- This page shows how to configure quotas for API objects, including PersistentVolumeClaims and Services. A quota restricts the number of objects, of a particular type, that can be created in a namespace. You specify quotas in a [ResourceQuota](/docs/reference/generated/kubernetes-api/v1.35/#resourcequota-v1-core) object. --> <p>本文讨论如何为 API 对象配置配额，包括 PersistentVolumeClaim 和 Service。 配额限制了可以在命名空间中创建的特定类型对象的数量。 你可以在 <a href="https://andygol-k8s.netlify.app/docs/reference/generated/kubernetes-api/v1.35/#resourcequota-v1-core">ResourceQuota</a> 对象中指定配额。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/configure-dns-cluster/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/configure-dns-cluster/<!-- --- title: Configure DNS for a Cluster weight: 130 content_type: concept --- --> <!-- overview --> <!-- Kubernetes offers a DNS cluster addon, which most of the supported environments enable by default. In Kubernetes version 1.11 and later, CoreDNS is recommended and is installed by default with kubeadm. --> <p>Kubernetes 提供 DNS 集群插件，大多数支持的环境默认情况下都会启用。 在 Kubernetes 1.11 及其以后版本中，推荐使用 CoreDNS， kubeadm 默认会安装 CoreDNS。</p> <!-- body --> <!-- For more information on how to configure CoreDNS for a Kubernetes cluster, see the [Customizing DNS Service](/docs/tasks/administer-cluster/dns-custom-nameservers/). --> <p>要了解关于如何为 Kubernetes 集群配置 CoreDNS 的更多信息，参阅 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/dns-custom-nameservers/">定制 DNS 服务</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/access-cluster-services/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/access-application-cluster/access-cluster-services/<!-- title: Access Services Running on Clusters content_type: task weight: 140 --> <!-- overview --> <!-- This page shows how to connect to services running on the Kubernetes cluster. --> <p>本文展示了如何连接 Kubernetes 集群上运行的服务。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/cpu-management-policies/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/cpu-management-policies/<!-- title: Control CPU Management Policies on the Node reviewers: - sjenning - ConnorDoyle - balajismaniam content_type: task min-kubernetes-server-version: v1.26 weight: 140 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.26 [stable]</code> </div> <!-- Kubernetes keeps many aspects of how pods execute on nodes abstracted from the user. This is by design.  However, some workloads require stronger guarantees in terms of latency and/or performance in order to operate acceptably. The kubelet provides methods to enable more complex workload placement policies while keeping the abstraction free from explicit placement directives. --> <p>按照设计，Kubernetes 对 Pod 执行相关的很多方面进行了抽象，使得用户不必关心。 然而，为了正常运行，有些工作负载要求在延迟和/或性能方面有更强的保证。 为此，kubelet 提供方法来实现更复杂的负载放置策略，同时保持抽象，避免显式的放置指令。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/<!-- title: Configure Liveness, Readiness and Startup Probes content_type: task weight: 140 --> <!-- overview --> <!-- This page shows how to configure liveness, readiness and startup probes for containers. For more information about probes, see [Liveness, Readiness and Startup Probes](/docs/concepts/configuration/liveness-readiness-startup-probes) The [kubelet](/docs/reference/command-line-tools-reference/kubelet/) uses liveness probes to know when to restart a container. For example, liveness probes could catch a deadlock, where an application is running, but unable to make progress. Restarting a container in such a state can help to make the application more available despite bugs. --> <p>这篇文章介绍如何给容器配置存活（Liveness）、就绪（Readiness）和启动（Startup）探针。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/change-package-repository/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubeadm/change-package-repository/<!-- title: Changing The Kubernetes Package Repository content_type: task weight: 150 --> <!-- overview --> <!-- This page explains how to enable a package repository for the desired Kubernetes minor release upon upgrading a cluster. This is only needed for users of the community-owned package repositories hosted at `pkgs.k8s.io`. Unlike the legacy package repositories, the community-owned package repositories are structured in a way that there's a dedicated package repository for each Kubernetes minor version. --> <p>本页介绍了如何在升级集群时启用包含 Kubernetes 次要版本的软件包仓库。 这仅适用于使用托管在 <code>pkgs.k8s.io</code> 上社区自治软件包仓库的用户。 启用新的 Kubernetes 小版本的软件包仓库。与传统的软件包仓库不同， 社区自治的软件包仓库所采用的结构为每个 Kubernetes 小版本都有一个专门的软件包仓库。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes/<!-- title: Assign Pods to Nodes content_type: task weight: 150 --> <!-- overview --> <!-- This page shows how to assign a Kubernetes Pod to a particular node in a Kubernetes cluster. --> <p>此页面显示如何将 Kubernetes Pod 指派给 Kubernetes 集群中的特定节点。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/topology-manager/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/topology-manager/<!-- title: Control Topology Management Policies on a node reviewers: - ConnorDoyle - klueska - lmdaly - nolancon - bg-chun content_type: task min-kubernetes-server-version: v1.18 weight: 150 --> <!-- overview --> <div class="feature-state-notice feature-beta"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.27 [beta]</code> </div> <!-- An increasing number of systems leverage a combination of CPUs and hardware accelerators to support latency-critical execution and high-throughput parallel computation. These include workloads in fields such as telecommunications, scientific computing, machine learning, financial services and data analytics. Such hybrid systems comprise a high performance environment. --> <p>越来越多的系统利用 CPU 和硬件加速器的组合来支持要求低延迟的任务和高吞吐量的并行计算。 这类负载包括电信、科学计算、机器学习、金融服务和数据分析等。 此类混合系统需要有高性能环境支持。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/user-namespaces/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/user-namespaces/<!-- title: User Namespaces reviewers: content_type: concept weight: 160 min-kubernetes-server-version: v1.25 --> <!-- overview --> <div class="feature-state-notice feature-beta"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.30 [beta]</code> </div> <!-- This page explains how user namespaces are used in Kubernetes pods. A user namespace isolates the user running inside the container from the one in the host. A process running as root in a container can run as a different (non-root) user in the host; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace. --> <p>本页解释了在 Kubernetes Pod 中如何使用用户命名空间。 用户命名空间将容器内运行的用户与主机中的用户隔离开来。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/<!-- title: Assign Pods to Nodes using Node Affinity min-kubernetes-server-version: v1.10 content_type: task weight: 160 --> <!-- overview --> <!-- This page shows how to assign a Kubernetes Pod to a particular node using Node Affinity in a Kubernetes cluster. --> <p>本页展示在 Kubernetes 集群中，如何使用节点亲和性把 Kubernetes Pod 分配到特定节点。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/dns-custom-nameservers/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/dns-custom-nameservers/<!-- reviewers: - bowei - zihongz title: Customizing DNS Service content_type: task min-kubernetes-server-version: v1.12 weight: 160 --> <!-- overview --> <!-- This page explains how to configure your DNS <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod(s)'>Pod(s)</a> and customize the DNS resolution process in your cluster. --> <p>本页说明如何配置 DNS <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a>，以及定制集群中 DNS 解析过程。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/downward-api/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/downward-api/<!-- title: Downward API content_type: concept weight: 170 description: > There are two ways to expose Pod and container fields to a running container: environment variables, and as files that are populated by a special volume type. Together, these two ways of exposing Pod and container fields are called the downward API. --> <!-- overview --> <!-- It is sometimes useful for a container to have information about itself, without being overly coupled to Kubernetes. The _downward API_ allows containers to consume information about themselves or the cluster without using the Kubernetes client or API server. --> <p>对于容器来说，在不与 Kubernetes 过度耦合的情况下，拥有关于自身的信息有时是很有用的。 <strong>Downward API</strong> 允许容器在不使用 Kubernetes 客户端或 API 服务器的情况下获得自己或集群的信息。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/dns-debugging-resolution/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/dns-debugging-resolution/<!-- reviewers: - bowei - zihongz title: Debugging DNS Resolution content_type: task min-kubernetes-server-version: v1.6 weight: 170 --> <!-- overview --> <!-- This page provides hints on diagnosing DNS problems. --> <p>这篇文章提供了一些关于 DNS 问题诊断的方法。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-pod-initialization/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-pod-initialization/<!-- title: Configure Pod Initialization content_type: task weight: 170 --> <!-- overview --> <!-- This page shows how to use an Init Container to initialize a Pod before an application Container runs. --> <p>本文介绍在应用容器运行前，怎样利用 Init 容器初始化 Pod。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/declare-network-policy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/declare-network-policy/<!-- reviewers: - caseydavenport - danwinship title: Declare Network Policy min-kubernetes-server-version: v1.8 content_type: task weight: 180 --> <!-- overview --> <!-- This document helps you get started using the Kubernetes [NetworkPolicy API](/docs/concepts/services-networking/network-policies/) to declare network policies that govern how pods communicate with each other. --> <p>本文可以帮助你开始使用 Kubernetes 的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/network-policies/">NetworkPolicy API</a> 声明网络策略去管理 Pod 之间的通信</p> <div class="alert alert-secondary callout third-party-content" role="note"><strong>说明：</strong>&puncsp;本部分链接到提供 Kubernetes 所需功能的第三方项目。Kubernetes 项目作者不负责这些项目。此页面遵循<a href="https://github.com/cncf/foundation/blob/main/policies-guidance/website-guidelines.md" target="_blank">CNCF 网站指南</a>，按字母顺序列出项目。要将项目添加到此列表中，请在提交更改之前阅读<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/content-guide/#third-party-content">内容指南</a>。</div> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/<!-- title: Attach Handlers to Container Lifecycle Events content_type: task weight: 180 --> <!-- overview --> <!-- This page shows how to attach handlers to Container lifecycle events. Kubernetes supports the postStart and preStop events. Kubernetes sends the postStart event immediately after a Container is started, and it sends the preStop event immediately before the Container is terminated. A Container may specify one handler per event. --> <p>这个页面将演示如何为容器的生命周期事件挂接处理函数。Kubernetes 支持 postStart 和 preStop 事件。 当一个容器启动后，Kubernetes 将立即发送 postStart 事件；在容器被终结之前， Kubernetes 将发送一个 preStop 事件。容器可以为每个事件指定一个处理程序。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/developing-cloud-controller-manager/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/developing-cloud-controller-manager/<!-- reviewers: - luxas - thockin - wlan0 title: Developing Cloud Controller Manager content_type: concept weight: 190 --> <!-- overview --> <div class="feature-state-notice feature-beta"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.11 [beta]</code> </div> <!-- title: Cloud Controller Manager id: cloud-controller-manager full_link: /docs/concepts/architecture/cloud-controller/ short_description: > Control plane component that integrates Kubernetes with third-party cloud providers. aka: tags: - architecture - operation --> <!-- A Kubernetes <a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='control plane'>control plane</a> component that embeds cloud-specific control logic. The cloud controller manager lets you link your cluster into your cloud provider's API, and separates out the components that interact with that cloud platform from components that only interact with your cluster. --> <p>一个 Kubernetes <a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='控制平面'>控制平面</a>组件， 嵌入了特定于云平台的控制逻辑。 云控制器管理器（Cloud Controller Manager）允许将你的集群连接到云提供商的 API 之上， 并将与该云平台交互的组件同与你的集群交互的组件分离开来。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-pod-configmap/<!-- title: Configure a Pod to Use a ConfigMap content_type: task weight: 190 card: name: tasks weight: 50 --> <!-- overview --> <!-- Many applications rely on configuration which is used during either application initialization or runtime. Most times, there is a requirement to adjust values assigned to configuration parameters. ConfigMaps are a Kubernetes mechanism that let you inject configuration data into application <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='pods'>pods</a>. --> <p>很多应用在其初始化或运行期间要依赖一些配置信息。 大多数时候，存在要调整配置参数所设置的数值的需求。 ConfigMap 是 Kubernetes 的一种机制，可让你将配置数据注入到应用的 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 内部。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/enable-disable-api/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/enable-disable-api/<!-- --- title: Enable Or Disable A Kubernetes API content_type: task weight: 200 --- --> <!-- overview --> <!-- This page shows how to enable or disable an API version from your cluster's <a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='control plane'>control plane</a>. --> <p>本页展示怎么用集群的 <a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='控制平面'>控制平面</a>. 启用/禁用 API 版本。</p> <!-- steps --> <!-- Specific API versions can be turned on or off by passing `--runtime-config=api/<version>` as a command line argument to the API server. The values for this argument are a comma-separated list of API versions. Later values override earlier values. The `runtime-config` command line argument also supports 2 special keys: --> <p>通过 API 服务器的命令行参数 <code>--runtime-config=api/&lt;version&gt;</code> ， 可以开启/关闭某个指定的 API 版本。 此参数的值是一个逗号分隔的 API 版本列表。 此列表中，后面的值可以覆盖前面的值。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/coordinated-leader-election/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/coordinated-leader-election/<!-- reviewers: - jpbetz title: Coordinated Leader Election content_type: concept weight: 200 --> <!-- overview --> <div class="feature-state-notice feature-beta" title="特性门控： CoordinatedLeaderElection"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.33 [beta]</code>（默认禁用）</div> <!-- Kubernetes 1.35 includes a beta feature that allows <a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='control plane'>control plane</a> components to deterministically select a leader via _coordinated leader election_. This is useful to satisfy Kubernetes version skew constraints during cluster upgrades. Currently, the only builtin selection strategy is `OldestEmulationVersion`, preferring the leader with the lowest emulation version, followed by binary version, followed by creation timestamp. --> <p>Kubernetes 1.35 包含一个 Beta 特性， 允许<a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='控制平面'>控制平面</a>组件通过<strong>协调领导者选举</strong>确定性地选择一个领导者。 这对于在集群升级期间满足 Kubernetes 版本偏差约束非常有用。 目前，唯一内置的选择策略是 <code>OldestEmulationVersion</code>， 此策略会优先选择最低仿真版本作为领导者，其次按二进制版本选择领导者，最后会按创建时间戳选择领导者。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/share-process-namespace/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/share-process-namespace/<!-- --- title: Share Process Namespace between Containers in a Pod reviewers: - verb - yujuhong - dchen1107 content_type: task weight: 200 --- --> <!-- overview --> <!-- This page shows how to configure process namespace sharing for a pod. When process namespace sharing is enabled, processes in a container are visible to all other containers in the same pod. --> <p>此页面展示如何为 Pod 配置进程命名空间共享。 当启用进程命名空间共享时，容器中的进程对同一 Pod 中的所有其他容器都是可见的。</p> <!-- You can use this feature to configure cooperating containers, such as a log handler sidecar container, or to troubleshoot container images that don't include debugging utilities like a shell. --> <p>你可以使用此功能来配置协作容器，比如日志处理 sidecar 容器， 或者对那些不包含诸如 shell 等调试实用工具的镜像进行故障排查。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/image-volumes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/image-volumes/<!-- title: Use an Image Volume With a Pod reviewers: content_type: task weight: 210 min-kubernetes-server-version: v1.31 --> <!-- overview --> <div class="feature-state-notice feature-beta" title="特性门控： ImageVolume"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.35 [beta]</code>（默认启用）</div> <!-- This page shows how to configure a pod using image volumes. This allows you to mount content from OCI registries inside containers. --> <p>本页展示了如何使用镜像卷配置 Pod。此特性允许你在容器内挂载来自 OCI 镜像仓库的内容。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/encrypt-data/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/encrypt-data/<!-- title: Encrypting Confidential Data at Rest reviewers: - aramase - enj content_type: task weight: 210 --> <!-- overview --> <!-- All of the APIs in Kubernetes that let you write persistent API resource data support at-rest encryption. For example, you can enable at-rest encryption for <a class='glossary-tooltip' title='Secret 用于存储敏感信息，如密码、 OAuth 令牌和 SSH 密钥。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/secret/' target='_blank' aria-label='Secrets'>Secrets</a>. This at-rest encryption is additional to any system-level encryption for the etcd cluster or for the filesystem(s) on hosts where you are running the kube-apiserver. This page shows how to enable and configure encryption of API data at rest. --> <p>Kubernetes 中允许允许用户编辑的持久 API 资源数据的所有 API 都支持静态加密。 例如，你可以启用静态加密 <a class='glossary-tooltip' title='Secret 用于存储敏感信息，如密码、 OAuth 令牌和 SSH 密钥。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/secret/' target='_blank' aria-label='Secret'>Secret</a>。 此静态加密是对 etcd 集群或运行 kube-apiserver 的主机上的文件系统的任何系统级加密的补充。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/user-namespaces/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/user-namespaces/<!-- title: Use a User Namespace With a Pod reviewers: content_type: task weight: 210 min-kubernetes-server-version: v1.25 --> <!-- overview --> <div class="feature-state-notice feature-beta" title="特性门控： UserNamespacesSupport"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.33 [beta]</code>（默认启用）</div> <!-- This page shows how to configure a user namespace for pods. This allows you to isolate the user running inside the container from the one in the host. --> <p>本页展示如何为 Pod 配置 user 名字空间。可以将容器内的用户与主机上的用户隔离开来。</p> <!-- A process running as root in a container can run as a different (non-root) user in the host; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace. --> <p>在容器中以 root 用户运行的进程可以以不同的（非 root）用户在宿主机上运行；换句话说， 进程在 user 名字空间内部拥有执行操作的全部特权，但在 user 名字空间外部并没有执行操作的特权。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/decrypt-data/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/decrypt-data/<!-- title: Decrypt Confidential Data that is Already Encrypted at Rest content_type: task weight: 215 --> <!-- overview --> <!-- All of the APIs in Kubernetes that let you write persistent API resource data support at-rest encryption. For example, you can enable at-rest encryption for <a class='glossary-tooltip' title='Secret 用于存储敏感信息，如密码、 OAuth 令牌和 SSH 密钥。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/secret/' target='_blank' aria-label='Secrets'>Secrets</a>. This at-rest encryption is additional to any system-level encryption for the etcd cluster or for the filesystem(s) on hosts where you are running the kube-apiserver. --> <p>Kubernetes 中允许允许你写入持久性 API 资源数据的所有 API 都支持静态加密。 例如，你可以为 <a class='glossary-tooltip' title='Secret 用于存储敏感信息，如密码、 OAuth 令牌和 SSH 密钥。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/secret/' target='_blank' aria-label='Secret'>Secret</a> 启用静态加密。 此静态加密是对 etcd 集群或运行 kube-apiserver 的主机上的文件系统的所有系统级加密的补充。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/static-pod/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/static-pod/<!-- reviewers: - jsafrane title: Create static Pods weight: 220 content_type: task --> <!-- overview --> <!-- *Static Pods* are managed directly by the kubelet daemon on a specific node, without the <a class='glossary-tooltip' title='提供 Kubernetes API 服务的控制面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/#kube-apiserver' target='_blank' aria-label='API server'>API server</a> observing them. Unlike Pods that are managed by the control plane (for example, a <a class='glossary-tooltip' title='管理集群上的多副本应用。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/deployment/' target='_blank' aria-label='Deployment'>Deployment</a>); instead, the kubelet watches each static Pod (and restarts it if it fails). --> <p><strong>静态 Pod</strong> 在指定的节点上由 kubelet 守护进程直接管理，不需要 <a class='glossary-tooltip' title='提供 Kubernetes API 服务的控制面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/#kube-apiserver' target='_blank' aria-label='API 服务器'>API 服务器</a>监管。 与由控制面管理的 Pod（例如，<a class='glossary-tooltip' title='管理集群上的多副本应用。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/deployment/' target='_blank' aria-label='Deployment'>Deployment</a>） 不同；kubelet 监视每个静态 Pod（在它失败之后重新启动）。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/<!-- title: Guaranteed Scheduling For Critical Add-On Pods content_type: concept weight: 220 --> <!-- overview --> <!-- Kubernetes core components such as the API server, scheduler, and controller-manager run on a control plane node. However, add-ons must run on a regular cluster node. Some of these add-ons are critical to a fully functional cluster, such as metrics-server, DNS, and UI. A cluster may stop working properly if a critical add-on is evicted (either manually or as a side effect of another operation like upgrade) and becomes pending (for example when the cluster is highly utilized and either there are other pending pods that schedule into the space vacated by the evicted critical add-on pod or the amount of resources available on the node changed for some other reason). --> <p>Kubernetes 核心组件（如 API 服务器、调度器、控制器管理器）在控制平面节点上运行。 但是插件必须在常规集群节点上运行。 其中一些插件对于功能完备的集群至关重要，例如 Heapster、DNS 和 UI。 如果关键插件被逐出（手动或作为升级等其他操作的副作用）或者变成挂起状态，集群可能会停止正常工作。 关键插件进入挂起状态的例子有：集群利用率过高；被逐出的关键插件 Pod 释放了空间，但该空间被之前悬决的 Pod 占用；由于其它原因导致节点上可用资源的总量发生变化。</p>https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/mixed-version-proxy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/mixed-version-proxy/<!-- reviewers: - jpbetz title: Mixed Version Proxy content_type: concept weight: 220 --> <!-- overview --> <div class="feature-state-notice feature-alpha" title="特性门控： UnknownVersionInteroperabilityProxy"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.28 [alpha]</code>（默认禁用）</div> <!-- Kubernetes 1.35 includes an alpha feature that lets an <a class='glossary-tooltip' title='提供 Kubernetes API 服务的控制面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/#kube-apiserver' target='_blank' aria-label='API Server'>API Server</a> proxy resource requests to other _peer_ API servers. It also lets clients get a holistic view of resources served across the entire cluster through discovery. This is useful when there are multiple API servers running different versions of Kubernetes in one cluster (for example, during a long-lived rollout to a new release of Kubernetes). --> <p>Kubernetes 1.35 包含了一个 Alpha 特性，可以让 <a class='glossary-tooltip' title='提供 Kubernetes API 服务的控制面组件。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/#kube-apiserver' target='_blank' aria-label='API 服务器'>API 服务器</a>代理指向其他<strong>对等</strong> API 服务器的资源请求。 它还允许客户通过发现功能全面了解整个集群提供的资源。 当一个集群中运行着多个 API 服务器，且各服务器的 Kubernetes 版本不同时 （例如在上线 Kubernetes 新版本的时间跨度较长时），这一特性非常有用。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/ip-masq-agent/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/ip-masq-agent/<!-- title: IP Masquerade Agent User Guide content_type: task weight: 230 --> <!-- overview --> <!-- This page shows how to configure and enable the `ip-masq-agent`. --> <p>此页面展示如何配置和启用 <code>ip-masq-agent</code>。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/translate-compose-kubernetes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/translate-compose-kubernetes/<!-- reviewers: - cdrage title: Translate a Docker Compose File to Kubernetes Resources content_type: task weight: 230 --> <!-- overview --> <!-- What's Kompose? It's a conversion tool for all things compose (namely Docker Compose) to container orchestrators (Kubernetes or OpenShift). --> <p>Kompose 是什么？它是一个转换工具，可将 Compose （即 Docker Compose）所组装的所有内容转换成容器编排器（Kubernetes 或 OpenShift）可识别的形式。</p> <!-- More information can be found on the Kompose website at [https://kompose.io/](https://kompose.io/). --> <p>更多信息请参考 Kompose 官网 <a href="https://kompose.io/">https://kompose.io/</a>。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/enforce-standards-admission-controller/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/enforce-standards-admission-controller/<!-- title: Enforce Pod Security Standards by Configuring the Built-in Admission Controller reviewers: - tallclair - liggitt content_type: task weight: 240 --> <!-- Kubernetes provides a built-in [admission controller](/docs/reference/access-authn-authz/admission-controllers/#podsecurity) to enforce the [Pod Security Standards](/docs/concepts/security/pod-security-standards). You can configure this admission controller to set cluster-wide defaults and [exemptions](/docs/concepts/security/pod-security-admission/#exemptions). --> <p>Kubernetes 提供一种内置的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/admission-controllers/#podsecurity">准入控制器</a> 用来强制实施 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-standards">Pod 安全性标准</a>。 你可以配置此准入控制器来设置集群范围的默认值和<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-admission/#exemptions">豁免选项</a>。</p> <h2 id="准备开始">准备开始</h2> <!-- Following an alpha release in Kubernetes v1.22, Pod Security Admission became available by default in Kubernetes v1.23, as a beta. From version 1.25 onwards, Pod Security Admission is generally available. --> <p>Pod 安全性准入（Pod Security Admission）在 Kubernetes v1.22 作为 Alpha 特性发布， 在 Kubernetes v1.23 中作为 Beta 特性默认可用。从 1.25 版本起， 此特性进阶至正式发布（Generally Available）。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/limit-storage-consumption/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/limit-storage-consumption/<!-- title: Limit Storage Consumption content_type: task weight: 240 --> <!-- overview --> <!-- This example demonstrates how to limit the amount of storage consumed in a namespace --> <p>此示例演示如何限制一个名字空间中的存储使用量。</p> <!-- The following resources are used in the demonstration: [ResourceQuota](/docs/concepts/policy/resource-quotas/), [LimitRange](/docs/tasks/administer-cluster/memory-default-namespace/), and [PersistentVolumeClaim](/docs/concepts/storage/persistent-volumes/). --> <p>演示中用到了以下资源：<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/policy/resource-quotas/">ResourceQuota</a>、 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/manage-resources/memory-default-namespace/">LimitRange</a> 和 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/">PersistentVolumeClaim</a>。</p> <h2 id="准备开始">准备开始</h2> <ul> <li><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/controller-manager-leader-migration/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/controller-manager-leader-migration/<!-- reviewers: - jpbetz - cheftako title: Migrate Replicated Control Plane To Use Cloud Controller Manager linkTitle: "Migrate Replicated Control Plane To Use Cloud Controller Manager" content_type: task weight: 250 --> <!-- overview --> <!-- title: Cloud Controller Manager id: cloud-controller-manager full_link: /docs/concepts/architecture/cloud-controller/ short_description: > Control plane component that integrates Kubernetes with third-party cloud providers. aka: tags: - architecture - operation --> <!-- A Kubernetes <a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='control plane'>control plane</a> component that embeds cloud-specific control logic. The cloud controller manager lets you link your cluster into your cloud provider's API, and separates out the components that interact with that cloud platform from components that only interact with your cluster. --> <p>一个 Kubernetes <a class='glossary-tooltip' title='控制平面是指容器编排层，它暴露 API 和接口来定义、部署容器和管理容器的生命周期。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/glossary/?all=true#term-control-plane' target='_blank' aria-label='控制平面'>控制平面</a>组件， 嵌入了特定于云平台的控制逻辑。 云控制器管理器（Cloud Controller Manager）允许将你的集群连接到云提供商的 API 之上， 并将与该云平台交互的组件同与你的集群交互的组件分离开来。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/<!-- title: Enforce Pod Security Standards with Namespace Labels reviewers: - tallclair - liggitt content_type: task weight: 250 --> <!-- Namespaces can be labeled to enforce the [Pod Security Standards](/docs/concepts/security/pod-security-standards). The three policies [privileged](/docs/concepts/security/pod-security-standards/#privileged), [baseline](/docs/concepts/security/pod-security-standards/#baseline) and [restricted](/docs/concepts/security/pod-security-standards/#restricted) broadly cover the security spectrum and are implemented by the [Pod Security](/docs/concepts/security/pod-security-admission/) <a class='glossary-tooltip' title='在对象持久化之前拦截 Kubernetes API 服务器请求的一段代码。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/admission-controllers/' target='_blank' aria-label='admission controller'>admission controller</a>. --> <p>名字空间可以打上标签以强制执行 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-standards">Pod 安全性标准</a>。 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-standards/#privileged">特权（privileged）</a>、 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-standards/#baseline">基线（baseline）</a>和 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-standards/#restricted">受限（restricted）</a> 这三种策略涵盖了广泛安全范围，并由 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/security/pod-security-admission/">Pod 安全</a><a class='glossary-tooltip' title='在对象持久化之前拦截 Kubernetes API 服务器请求的一段代码。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/admission-controllers/' target='_blank' aria-label='准入控制器'>准入控制器</a>实现。</p> <h2 id="准备开始">准备开始</h2> <!-- Pod Security Admission was available by default in Kubernetes v1.23, as a beta. From version 1.25 onwards, Pod Security Admission is generally available. --> <p>Pod 安全性准入（Pod Security Admission）在 Kubernetes v1.23 中作为 Beta 特性默认可用。 从 1.25 版本起，此特性进阶至正式发布（Generally Available）。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/migrate-from-psp/<!-- title: Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller reviewers: - tallclair - liggitt content_type: task min-kubernetes-server-version: v1.22 weight: 260 --> <!-- overview --> <!-- This page describes the process of migrating from PodSecurityPolicies to the built-in PodSecurity admission controller. This can be done effectively using a combination of dry-run and `audit` and `warn` modes, although this becomes harder if mutating PSPs are used. --> <p>本页面描述从 PodSecurityPolicy 迁移到内置的 PodSecurity 准入控制器的过程。 这一迁移过程可以通过综合使用试运行、<code>audit</code> 和 <code>warn</code> 模式等来实现， 尽管在使用了变更式 PSP 时会变得有些困难。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/cluster-management/namespaces-walkthrough/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tutorials/cluster-management/namespaces-walkthrough/<!-- reviewers: - derekwaynecarr - janetkuo title: Namespaces Walkthrough content_type: task weight: 260 --> <!-- overview --> <!-- Kubernetes <a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='namespaces'>namespaces</a> help different projects, teams, or customers to share a Kubernetes cluster. --> <p>Kubernetes <a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='名字空间'>名字空间</a>有助于不同的项目、团队或客户去共享 Kubernetes 集群。</p> <!-- It does this by providing the following: 1. A scope for [Names](/docs/concepts/overview/working-with-objects/names/). 2. A mechanism to attach authorization and policy to a subsection of the cluster. --> <p>名字空间通过以下方式实现这点：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/configure-upgrade-etcd/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/configure-upgrade-etcd/<!-- reviewers: - mml - wojtek-t - jpbetz title: Operating etcd clusters for Kubernetes content_type: task weight: 270 --> <!-- overview --> <!-- title: etcd id: etcd date: 2018-04-12 full_link: /docs/tasks/administer-cluster/configure-upgrade-etcd/ short_description: > Consistent and highly-available key value store used as backing store of Kubernetes for all cluster data. aka: tags: - architecture - storage --> <!-- Consistent and highly-available key value store used as backing store of Kubernetes for all cluster data. --> <p><p>etcd 是 一致且高可用的键值存储，用作 Kubernetes 所有集群数据的后台数据库。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/reserve-compute-resources/<!-- reviewers: - vishh - derekwaynecarr - dashpole title: Reserve Compute Resources for System Daemons content_type: task weight: 290 --> <!-- overview --> <!-- Kubernetes nodes can be scheduled to `Capacity`. Pods can consume all the available capacity on a node by default. This is an issue because nodes typically run quite a few system daemons that power the OS and Kubernetes itself. Unless resources are set aside for these system daemons, pods and system daemons compete for resources and lead to resource starvation issues on the node. The `kubelet` exposes a feature named 'Node Allocatable' that helps to reserve compute resources for system daemons. Kubernetes recommends cluster administrators to configure 'Node Allocatable' based on their workload density on each node. --> <p>Kubernetes 的节点可以按照 <code>Capacity</code> 调度。默认情况下 pod 能够使用节点全部可用容量。 这是个问题，因为节点自己通常运行了不少驱动 OS 和 Kubernetes 的系统守护进程。 除非为这些系统守护进程留出资源，否则它们将与 Pod 争夺资源并导致节点资源短缺问题。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubelet-in-userns/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubelet-in-userns/<!-- title: Running Kubernetes Node Components as a Non-root User content_type: task min-kubernetes-server-version: 1.22 weight: 300 --> <!-- overview --> <div class="feature-state-notice feature-alpha"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.22 [alpha]</code> </div> <!-- This document describes how to run Kubernetes Node components such as kubelet, CRI, OCI, and CNI without root privileges, by using a <a class='glossary-tooltip' title='一种为非特权用户模拟超级用户特权的 Linux 内核功能特性。' data-toggle='tooltip' data-placement='top' href='https://man7.org/linux/man-pages/man7/user_namespaces.7.html' target='_blank' aria-label='user namespace'>user namespace</a>. This technique is also known as _rootless mode_. <div class="alert alert-info" role="note"><h4 class="alert-heading">说明：</h4><p>This document describes how to run Kubernetes Node components (and hence pods) as a non-root user.</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/safely-drain-node/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/safely-drain-node/<!-- reviewers: - davidopp - mml - foxish - kow3ns title: Safely Drain a Node content_type: task weight: 310 --> <!-- overview --> <!-- This page shows how to safely drain a node, respecting the PodDisruptionBudget you have defined. --> <p>本页展示了如何在确保 PodDisruptionBudget 的前提下， 安全地清空一个<a class='glossary-tooltip' title='Kubernetes 中的工作机器称作节点。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/' target='_blank' aria-label='节点'>节点</a>。</p> <h2 id="准备开始">准备开始</h2> <!-- This task assumes that you have met the following prerequisites: 1. You do not require your applications to be highly available during the node drain, or 1. You have read about the [PodDisruptionBudget](/docs/concepts/workloads/pods/disruptions/) concept, and have [configured PodDisruptionBudgets](/docs/tasks/run-application/configure-pdb/) for applications that need them. --> <p>此任务假定你已经满足了以下先决条件：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/securing-a-cluster/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/securing-a-cluster/<!-- reviewers: - smarterclayton - liggitt - enj title: Securing a Cluster content_type: task weight: 320 --> <!-- overview --> <!-- This document covers topics related to protecting a cluster from accidental or malicious access and provides recommendations on overall security. --> <p>本文档涉及与保护集群免受意外或恶意访问有关的主题，并对总体安全性提出建议。</p> <h2 id="准备开始">准备开始</h2> <ul> <li><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/<!-- reviewers: - mtaufen - dawnchen title: Set Kubelet Parameters Via A Configuration File content_type: task weight: 330 ---> <h2 id="准备开始">准备开始</h2> <!-- Some steps in this page use the `jq` tool. If you don't have `jq`, you can install it via your operating system's software sources, or fetch it from [https://jqlang.github.io/jq/](https://jqlang.github.io/jq/). Some steps also involve installing `curl`, which can be installed via your operating system's software sources. --> <p>此页面中的某些步骤使用 <code>jq</code> 工具。如果你没有 <code>jq</code>，你可以通过操作系统的软件源安装它，或者从 <a href="https://jqlang.github.io/jq/">https://jqlang.github.io/jq/</a> 中获取它。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/namespaces/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/namespaces/<!-- reviewers: - derekwaynecarr - janetkuo title: Share a Cluster with Namespaces content_type: task weight: 340 --> <!-- overview --> <!-- This page shows how to view, work in, and delete <a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='namespaces'>namespaces</a>. The page also shows how to use Kubernetes namespaces to subdivide your cluster. --> <p>本页展示如何查看、使用和删除<a class='glossary-tooltip' title='名字空间是 Kubernetes 用来支持隔离单个集群中的资源组的一种抽象。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/working-with-objects/namespaces/' target='_blank' aria-label='名字空间'>名字空间</a>。 本页同时展示如何使用 Kubernetes 名字空间来划分集群。</p> <h2 id="准备开始">准备开始</h2> <!-- * Have an [existing Kubernetes cluster](/docs/setup/). * You have a basic understanding of Kubernetes <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pods'>Pods</a>, <a class='glossary-tooltip' title='将运行在一组 Pods 上的应用程序公开为网络服务的抽象方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/' target='_blank' aria-label='Services'>Services</a>, and <a class='glossary-tooltip' title='管理集群上的多副本应用。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/deployment/' target='_blank' aria-label='Deployments'>Deployments</a>. --> <ul> <li>你已拥有一个<a href="https://andygol-k8s.netlify.app/zh-cn/docs/setup/">配置好的 Kubernetes 集群</a>。</li> <li>你已对 Kubernetes 的 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a>、 <a class='glossary-tooltip' title='将运行在一组 Pods 上的应用程序公开为网络服务的抽象方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/' target='_blank' aria-label='Service'>Service</a> 和 <a class='glossary-tooltip' title='管理集群上的多副本应用。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/deployment/' target='_blank' aria-label='Deployment'>Deployment</a> 有基本理解。</li> </ul> <!-- steps --> <!-- ## Viewing namespaces --> <h2 id="查看名字空间">查看名字空间</h2> <!-- List the current namespaces in a cluster using: --> <p>列出集群中现有的名字空间：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/cluster-upgrade/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/cluster-upgrade/<!-- title: Upgrade A Cluster content_type: task weight: 350 --> <!-- overview --> <!-- This page provides an overview of the steps you should follow to upgrade a Kubernetes cluster. The Kubernetes project recommends upgrading to the latest patch releases promptly, and to ensure that you are running a supported minor release of Kubernetes. Following this recommendation helps you to stay secure. The way that you upgrade a cluster depends on how you initially deployed it and on any subsequent changes. At a high level, the steps you perform are: --> <p>本页概述升级 Kubernetes 集群的步骤。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/use-cascading-deletion/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/use-cascading-deletion/<!-- title: Use Cascading Deletion in a Cluster content_type: task weight: 360 --> <!--overview--> <!-- This page shows you how to specify the type of [cascading deletion](/docs/concepts/architecture/garbage-collection/#cascading-deletion) to use in your cluster during <a class='glossary-tooltip' title='Kubernetes 用于清理集群资源的各种机制的统称。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/garbage-collection/' target='_blank' aria-label='garbage collection'>garbage collection</a>. --> <p>本页面向你展示如何设置在你的集群执行<a class='glossary-tooltip' title='Kubernetes 用于清理集群资源的各种机制的统称。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/garbage-collection/' target='_blank' aria-label='垃圾收集'>垃圾收集</a> 时要使用的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/garbage-collection/#cascading-deletion">级联删除</a> 类型。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kms-provider/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/kms-provider/<!-- reviewers: - aramase - enj title: Using a KMS provider for data encryption content_type: task weight: 370 --> <!-- overview --> <!-- This page shows how to configure a Key Management Service (KMS) provider and plugin to enable secret data encryption. In Kubernetes 1.35 there are two versions of KMS at-rest encryption. You should use KMS v2 if feasible because KMS v1 is deprecated (since Kubernetes v1.28) and disabled by default (since Kubernetes v1.29). KMS v2 offers significantly better performance characteristics than KMS v1. --> <p>本页展示了如何配置密钥管理服务（Key Management Service，KMS）驱动和插件以启用 Secret 数据加密。 在 Kubernetes 1.35 中，存在两个版本的 KMS 静态加密方式。 如果可行的话，建议使用 KMS v2，因为（自 Kubernetes v1.28 起）KMS v1 已经被弃用并 （自 Kubernetes v1.29 起）默认被禁用。 KMS v2 提供了比 KMS v1 明显更好的性能特征。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/coredns/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/coredns/<!-- reviewers: - johnbelamaric title: Using CoreDNS for Service Discovery min-kubernetes-server-version: v1.9 content_type: task weight: 380 --> <!-- overview --> <!-- This page describes the CoreDNS upgrade process and how to install CoreDNS instead of kube-dns. --> <p>此页面介绍了 CoreDNS 升级过程以及如何安装 CoreDNS 而不是 kube-dns。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/nodelocaldns/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/nodelocaldns/<!-- reviewers: - bowei - zihongz - sftim title: Using NodeLocal DNSCache in Kubernetes Clusters content_type: task weight: 390 --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.18 [stable]</code> </div> <!-- This page provides an overview of NodeLocal DNSCache feature in Kubernetes. --> <p>本页概述了 Kubernetes 中的 NodeLocal DNSCache 功能。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/sysctl-cluster/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/sysctl-cluster/<!-- title: Using sysctls in a Kubernetes Cluster reviewers: - sttts content_type: task weight: 400 ---> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.21 [stable]</code> </div> <!-- This document describes how to configure and use kernel parameters within a Kubernetes cluster using the <a class='glossary-tooltip' title='用于获取和设置 Unix 内核参数的接口' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/sysctl-cluster/' target='_blank' aria-label='sysctl'>sysctl</a> interface. --> <p>本文档介绍如何通过 <a class='glossary-tooltip' title='用于获取和设置 Unix 内核参数的接口' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/sysctl-cluster/' target='_blank' aria-label='sysctl'>sysctl</a> 接口在 Kubernetes 集群中配置和使用内核参数。</p> <div class="alert alert-info" role="note"><h4 class="alert-heading">说明：</h4><!-- Starting from Kubernetes version 1.23, the kubelet supports the use of either `/` or `.` as separators for sysctl names. Starting from Kubernetes version 1.25, setting Sysctls for a Pod supports setting sysctls with slashes. For example, you can represent the same sysctl name as `kernel.shm_rmid_forced` using a period as the separator, or as `kernel/shm_rmid_forced` using a slash as a separator. For more sysctl parameter conversion method details, please refer to the page [sysctl.d(5)](https://man7.org/linux/man-pages/man5/sysctl.d.5.html) from the Linux man-pages project. --> <p>从 Kubernetes 1.23 版本开始，kubelet 支持使用 <code>/</code> 或 <code>.</code> 作为 sysctl 参数的分隔符。 从 Kubernetes 1.25 版本开始，支持为 Pod 设置 sysctl 时使用设置名字带有斜线的 sysctl。 例如，你可以使用点或者斜线作为分隔符表示相同的 sysctl 参数，以点作为分隔符表示为： <code>kernel.shm_rmid_forced</code>， 或者以斜线作为分隔符表示为：<code>kernel/shm_rmid_forced</code>。 更多 sysctl 参数转换方法详情请参考 Linux man-pages <a href="https://man7.org/linux/man-pages/man5/sysctl.d.5.html">sysctl.d(5)</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/memory-manager/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/memory-manager/<!-- title: Utilizing the NUMA-aware Memory Manager reviewers: - klueska - derekwaynecarr content_type: task min-kubernetes-server-version: v1.32 weight: 410 --> <!-- overview --> <div class="feature-state-notice feature-stable" title="特性门控： MemoryManager"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.32 [stable]</code>（默认启用）</div> <!-- The Kubernetes *Memory Manager* enables the feature of guaranteed memory (and hugepages) allocation for pods in the `Guaranteed` <a class='glossary-tooltip' title='QoS 类（Quality of Service Class）为 Kubernetes 提供了一种将集群中的 Pod 分为几个类并做出有关调度和驱逐决策的方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/pod-qos/' target='_blank' aria-label='QoS class'>QoS class</a>. The Memory Manager employs hint generation protocol to yield the most suitable NUMA affinity for a pod. The Memory Manager feeds the central manager (*Topology Manager*) with these affinity hints. Based on both the hints and Topology Manager policy, the pod is rejected or admitted to the node. --> <p>Kubernetes 内存管理器（Memory Manager）为 <code>Guaranteed</code> <a class='glossary-tooltip' title='QoS 类（Quality of Service Class）为 Kubernetes 提供了一种将集群中的 Pod 分为几个类并做出有关调度和驱逐决策的方法。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/pod-qos/' target='_blank' aria-label='QoS 类'>QoS 类</a> 的 Pods 提供可保证的内存（及大页面）分配能力。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/verify-signed-artifacts/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/verify-signed-artifacts/<!-- title: Verify Signed Container Images content_type: task min-kubernetes-server-version: v1.24 weight: 420 --> <!-- overview --> <div class="feature-state-notice feature-alpha"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.24 [alpha]</code> </div> <h2 id="准备开始">准备开始</h2> <!-- You will need to have the following tools installed: - `cosign` ([install guide](https://docs.sigstore.dev/cosign/system_config/installation/)) - `curl` (often provided by your operating system) - `jq` ([download jq](https://jqlang.github.io/jq/download/)) --> <p>你需要安装以下工具：</p> <ul> <li><code>cosign</code>（<a href="https://docs.sigstore.dev/cosign/system_config/installation/">安装指南</a>)</li> <li><code>curl</code>（通常由你的操作系统提供）</li> <li><code>jq</code>（<a href="https://jqlang.github.io/jq/download/">下载 jq</a>）</li> </ul> <!-- ## Verifying binary signatures The Kubernetes release process signs all binary artifacts (tarballs, SPDX files, standalone binaries) by using cosign's keyless signing. To verify a particular binary, retrieve it together with its signature and certificate: --> <h2 id="verifying-binary-signatures">验证二进制签名</h2> <p>Kubernetes 发布过程使用 cosign 的无密钥签名对所有二进制工件（压缩包、 SPDX 文件、 独立的二进制文件）签名。要验证一个特定的二进制文件， 获取组件时要包含其签名和证书：</p>https://andygol-k8s.netlify.app/zh-cn/blog/2026/01/22/headlamp-in-2025-project-highlights/Thu, 22 Jan 2026 10:00:00 +0800https://andygol-k8s.netlify.app/zh-cn/blog/2026/01/22/headlamp-in-2025-project-highlights/<!-- title: "Headlamp in 2025: Project Highlights" date: 2026-01-22T10:00:00+08:00 slug: headlamp-in-2025-project-highlights author: > Evangelos Skopelitis (Microsoft) --> <!-- _This announcement is a recap from a post originally [published](https://headlamp.dev/blog/2025/11/13/headlamp-in-2025) on the Headlamp blog._ --> <p><strong>本公告是对最初在 Headlamp 博客上<a href="https://headlamp.dev/blog/2025/11/13/headlamp-in-2025">发布</a>的帖子的回顾。</strong></p> <!-- [Headlamp](https://headlamp.dev/) has come a long way in 2025. The project has continued to grow – reaching more teams across platforms, powering new workflows and integrations through plugins, and seeing increased collaboration from the broader community. --> <p><a href="https://headlamp.dev/">Headlamp</a> 在 2025 年取得了长足的发展。该项目持续成长，覆盖了更多平台和团队； 通过插件机制支持了新的工作流和集成方式；同时也看到了来自更广泛社区的协作不断增强。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2026/01/08/kubernetes-v1-35-watch-based-route-reconciliation-in-ccm/Thu, 08 Jan 2026 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2026/01/08/kubernetes-v1-35-watch-based-route-reconciliation-in-ccm/<!-- --- layout: blog title: "Kubernetes v1.35: Watch Based Route Reconciliation in the Cloud Controller Manager" date: 2026-01-08T10:30:00-08:00 slug: kubernetes-v1-35-watch-based-route-reconciliation-in-ccm author: > [Lukas Metzner](https://github.com/lukasmetzner) (Hetzner) --- --> <!-- Up to and including Kubernetes v1.34, the route controller in Cloud Controller Manager (CCM) implementations built using the [k8s.io/cloud-provider](https://github.com/kubernetes/cloud-provider) library reconciles routes at a fixed interval. This causes unnecessary API requests to the cloud provider when there are no changes to routes. Other controllers implemented through the same library already use watch-based mechanisms, leveraging informers to avoid unnecessary API calls. A new feature gate is being introduced in v1.35 to allow changing the behavior of the route controller to use watch-based informers. --> <p>在 Kubernetes v1.34 及更早版本中，使用 <a href="https://github.com/kubernetes/cloud-provider">k8s.io/cloud-provider</a> 库构建的云控制器管理器（CCM）实现中的路由控制器会以固定的时间间隔进行路由协调。 这会导致在路由没有变化的情况下，向云提供商发出不必要的 API 请求。 其他使用同一库实现的控制器已经使用基于监听的机制， 利用 informer 来避免不必要的 API 调用。 v1.35 版本引入了一个新的特性门控，允许更改路由控制器的行为， 使其使用基于监听的 informer。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2026/01/05/kubernetes-v1-35-restart-all-containers/Mon, 05 Jan 2026 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2026/01/05/kubernetes-v1-35-restart-all-containers/<!-- layout: blog title: "Kubernetes v1.35: New level of efficiency with in-place Pod restart" date: 2026-01-05T10:30:00-08:00 slug: kubernetes-v1-35-restart-all-containers author: > [Yuan Wang](https://github.com/yuanwang04) [Giuseppe Tinti Tomio](https://github.com/GiuseppeTT) [Sergey Kanzhelev](https://github.com/SergeyKanzhelev) translator: > [Xin Li](https://github.com/my-git9) --> <!-- The release of Kubernetes 1.35 introduces a powerful new feature that provides a much-requested capability: the ability to trigger a full, in-place restart of the Pod. This feature, *Restart All Containers* (alpha in 1.35), allows for an efficient way to reset a Pod's state compared to resource-intensive approach of deleting and recreating the entire Pod. This feature is especially useful for AI/ML workloads allowing application developers to concentrate on their core training logic while offloading complex failure-handling and recovery mechanisms to sidecars and declarative Kubernetes configuration. With `RestartAllContainers` and other planned enhancements, Kubernetes continues to add building blocks for creating the most flexible, robust, and efficient platforms for AI/ML workloads. This new functionality is available by enabling the `RestartAllContainersOnContainerExits` feature gate. This alpha feature extends the [*Container Restart Rules* feature](/docs/concepts/workloads/pods/pod-lifecycle/#container-restart-rules), which graduated to beta in Kubernetes 1.35. --> <p>Kubernetes 1.35 版本引入了一项强大的新特性，满足了用户对 Pod 就地重启的迫切需求。 这项名为“重启所有容器”（Restart All Containers，1.35 版本为 Alpha 版）的特性， 相比于资源用量较高的删除并重建整个 Pod 的方式，能够更高效地重置 Pod 的状态。 该特性对于 AI/ML 工作负载尤为实用，使应用程序开发人员能够专注于核心训练逻辑， 同时将复杂的故障处理和恢复机制交给边车容器和声明式 Kubernetes 配置来处理。 凭借 <code>RestartAllContainers</code> 和其他计划中的增强特性， Kubernetes 将继续构建更灵活、更健壮、更高效的 AI/ML 工作负载平台。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2026/01/05/kubernetes-v1-35-numeric-toleration-operators/Mon, 05 Jan 2026 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2026/01/05/kubernetes-v1-35-numeric-toleration-operators/<!-- layout: blog title: "Kubernetes v1.35: Extended Toleration Operators to Support Numeric Comparisons (Alpha)" date: 2026-01-05T10:30:00-08:00 slug: kubernetes-v1-35-numeric-toleration-operators author: > Heba Elayoty (Microsoft) --> <!-- Many production Kubernetes clusters blend on-demand (higher-SLA) and spot/preemptible (lower-SLA) nodes to optimize costs while maintaining reliability for critical workloads. Platform teams need a safe default that keeps most workloads away from risky capacity, while allowing specific workloads to opt-in with explicit thresholds like "I can tolerate nodes with failure probability up to 5%". --> <p>许多生产级 Kubernetes 集群会混合使用按需（on-demand，高 SLA）节点与 spot/可抢占（preemptible，低 SLA）节点， 以在保证关键工作负载可靠性的同时优化成本。平台团队需要一个“安全默认值”，让大多数工作负载远离风险容量， 同时又允许特定工作负载用明确阈值显式选择接受（opt-in），例如“我可以容忍失败概率最高 5% 的节点”。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/12/18/kubernetes-v1-35-job-managedby-for-jobs-goes-ga/Thu, 18 Dec 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/12/18/kubernetes-v1-35-job-managedby-for-jobs-goes-ga/<!-- layout: blog title: "Kubernetes v1.35: Job Managed By Goes GA" date: 2025-12-18T10:30:00-08:00 slug: kubernetes-v1-35-job-managedby-for-jobs-goes-ga author: > [Dejan Zele Pejchev](https://github.com/dejanzele) (G-Research), [Michał Woźniak](https://github.com/mimowo) (Google) --> <!-- In Kubernetes v1.35, the ability to specify an external Job controller (through `.spec.managedBy`) graduates to General Availability. --> <p>在 Kubernetes v1.35 中，通过 <code>.spec.managedBy</code> 指定外部 Job 控制器的能力升级为正式可用（GA）。</p> <!-- This feature allows external controllers to take full responsibility for Job reconciliation, unlocking powerful scheduling patterns like multi-cluster dispatching with [MultiKueue](https://kueue.sigs.k8s.io/docs/concepts/multikueue/). --> <p>该特性允许外部控制器对 Job 的调谐（reconciliation）承担完全责任，从而解锁更强大的调度模式， 例如借助 <a href="https://kueue.sigs.k8s.io/docs/concepts/multikueue/">MultiKueue</a> 进行跨多集群派发。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/12/17/kubernetes-v1-35-release/Wed, 17 Dec 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/12/17/kubernetes-v1-35-release/<!-- layout: blog title: "Kubernetes v1.35: Timbernetes (The World Tree Release)" date: 2025-12-17T10:30:00-08:00 evergreen: true slug: kubernetes-v1-35-release author: > [Kubernetes v1.35 Release Team](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.35/release-team.md) --> <!-- **Editors**: Aakanksha Bhende, Arujjwal Negi, Chad M. Crowell, Graziano Casto, Swathi Rao --> <p><strong>编辑</strong>：Aakanksha Bhende、Arujjwal Negi、Chad M. Crowell、Graziano Casto、Swathi Rao</p> <!-- Similar to previous releases, the release of Kubernetes v1.35 introduces new stable, beta, and alpha features. The consistent delivery of high-quality releases underscores the strength of our development cycle and the vibrant support from our community. --> <p>与之前版本类似，Kubernetes v1.35 的发布引入了新的稳定（GA）、Beta 和 Alpha 特性。 持续交付高质量版本，体现了我们开发周期的韧性，也离不开社区的热情支持。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/11/26/kubernetes-v1-35-sneak-peek/Wed, 26 Nov 2025 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2025/11/26/kubernetes-v1-35-sneak-peek/<!-- layout: blog title: 'Kubernetes v1.35 Sneak Peek' date: 2025-11-26 slug: kubernetes-v1-35-sneak-peek author: > Aakanksha Bhende, Arujjwal Negi, Chad M. Crowell, Graziano Casto, Swathi Rao --> <!-- As the release of Kubernetes v1.35 approaches, the Kubernetes project continues to evolve. Features may be deprecated, removed, or replaced to improve the project's overall health. This blog post outlines planned changes for the v1.35 release that the release team believes you should be aware of to ensure the continued smooth operation of your Kubernetes cluster(s), and to keep you up to date with the latest developments. The information below is based on the current status of the v1.35 release and is subject to change before the final release date. --> <p>随着 Kubernetes v1.35 发布的临近，Kubernetes 项目持续演进。 为了改善项目的整体健康状况，某些功能可能会被弃用、移除或替换。 本博客文章概述了 v1.35 版本的计划变更， 发布团队认为你应该了解这些变更，以确保 Kubernetes 集群的持续平稳运行， 并让你了解最新进展。 以下信息基于 v1.35 版本的当前状态，在最终发布日期之前可能会发生变化。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/11/25/configuration-good-practices/Tue, 25 Nov 2025 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2025/11/25/configuration-good-practices/<!-- layout: blog title: "Kubernetes Configuration Good Practices" date: 2025-11-25T00:00:00+00:00 slug: configuration-good-practices evergreen: true author: Kirti Goyal --> <!-- Configuration is one of those things in Kubernetes that seems small until it's not. Configuration is at the heart of every Kubernetes workload. A missing quote, a wrong API version or a misplaced YAML indent can ruin your entire deploy. --> <p>配置是 Kubernetes 中看似微不足道，实则关键的事情之一。 配置是每个 Kubernetes 工作负载的核心。 一个缺失的引号、错误的 API 版本或错位的 YAML 缩进都可能毁掉你的整个部署。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/11/11/ingress-nginx-retirement/Tue, 11 Nov 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/11/11/ingress-nginx-retirement/<!-- layout: blog title: "Ingress NGINX Retirement: What You Need to Know" slug: ingress-nginx-retirement canonicalUrl: https://www.kubernetes.dev/blog/2025/11/12/ingress-nginx-retirement date: 2025-11-11T10:30:00-08:00 author: > Tabitha Sable (Kubernetes SRC) --> <!-- To prioritize the safety and security of the ecosystem, Kubernetes SIG Network and the Security Response Committee are announcing the upcoming retirement of [Ingress NGINX](https://github.com/kubernetes/ingress-nginx/). Best-effort maintenance will continue until March 2026. Afterward, there will be no further releases, no bugfixes, and no updates to resolve any security vulnerabilities that may be discovered. **Existing deployments of Ingress NGINX will continue to function and installation artifacts will remain available.** We recommend migrating to one of the many alternatives. Consider [migrating to Gateway API](https://gateway-api.sigs.k8s.io/guides/), the modern replacement for Ingress. If you must continue using Ingress, many alternative Ingress controllers are [listed in the Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/). Continue reading for further information about the history and current state of Ingress NGINX, as well as next steps. --> <p>为了优先考虑生态系统的安全，Kubernetes SIG Network 和安全响应委员会宣布 <a href="https://github.com/kubernetes/ingress-nginx/">Ingress NGINX</a> 即将退役， 并将尽力将其维护期持续到 2026 年 3 月。 之后，将不再有进一步的版本发布、错误修复和更新来解决可能发现的任何安全漏洞。 <strong>现有的 Ingress NGINX Deployment 将继续运行，并且安装工件仍将可用。</strong></p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/11/09/steering-committee-results-2025/Sun, 09 Nov 2025 15:10:00 -0500https://andygol-k8s.netlify.app/zh-cn/blog/2025/11/09/steering-committee-results-2025/<!-- layout: blog title: "Announcing the 2025 Steering Committee Election Results" slug: steering-committee-results-2025 canonicalUrl: https://www.kubernetes.dev/blog/2025/11/09/steering-committee-results-2025 date: 2025-11-09T15:10:00-05:00 author: > Arujjwal Negi --> <!-- The [2025 Steering Committee Election](https://github.com/kubernetes/community/tree/master/elections/steering/2025) is now complete. The Kubernetes Steering Committee consists of 7 seats, 4 of which were up for election in 2025. Incoming committee members serve a term of 2 years, and all members are elected by the Kubernetes Community. The Steering Committee oversees the governance of the entire Kubernetes project. With that great power comes great responsibility. You can learn more about the steering committee’s role in their [charter](https://github.com/kubernetes/steering/blob/master/charter.md). Thank you to everyone who voted in the election; your participation helps support the community’s continued health and success. --> <p><a href="https://github.com/kubernetes/community/tree/master/elections/steering/2025">2025 指导委员会选举</a>现已结束。 Kubernetes 指导委员会由 7 个席位组成，其中 4 个席位在 2025 年进行了选举。 新当选的委员会成员将任职 2 年，所有成员均由 Kubernetes 社区选举产生。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/10/20/seven-kubernetes-pitfalls-and-how-to-avoid/Mon, 20 Oct 2025 08:30:00 -0700https://andygol-k8s.netlify.app/zh-cn/blog/2025/10/20/seven-kubernetes-pitfalls-and-how-to-avoid/<!-- layout: blog title: "7 Common Kubernetes Pitfalls (and How I Learned to Avoid Them)" date: 2025-10-20T08:30:00-07:00 slug: seven-kubernetes-pitfalls-and-how-to-avoid author: > Abdelkoddous Lhajouji --> <!-- It's no secret that Kubernetes can be both powerful and frustrating at times. When I first started dabbling with container orchestration, I made more than my fair share of mistakes enough to compile a whole list of pitfalls. In this post, I want to walk through seven big gotchas I've encountered (or seen others run into) and share some tips on how to avoid them. Whether you're just kicking the tires on Kubernetes or already managing production clusters, I hope these insights help you steer clear of a little extra stress. --> <p>Kubernetes 功能强大，但有时也会令人沮丧，这已不是什么秘密。 当我刚开始接触容器编排时，我犯了不少错误，足以列出一整张误区清单。 在这篇文章中，我想分享我遇到的（或看到其他人遇到的）七个常见误区， 以及如何避免它们的建议。 无论你只是刚开始尝试 Kubernetes，还是已经在管理生产集群， 我希望这些见解能帮助你避免一些额外的麻烦。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/09/19/kubernetes-v1-34-recover-expansion-failure/Fri, 19 Sep 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/09/19/kubernetes-v1-34-recover-expansion-failure/<!-- layout: blog title: "Kubernetes v1.34: Recovery From Volume Expansion Failure (GA)" date: 2025-09-19T10:30:00-08:00 slug: kubernetes-v1-34-recover-expansion-failure author: > [Hemant Kumar](https://github.com/gnufied) (Red Hat) --> <!-- Have you ever made a typo when expanding your persistent volumes in Kubernetes? Meant to specify `2TB` but specified `20TiB`? This seemingly innocuous problem was kinda hard to fix - and took the project almost 5 years to fix. [Automated recovery from storage expansion](/docs/concepts/storage/persistent-volumes/#recovering-from-failure-when-expanding-volumes) has been around for a while in beta; however, with the v1.34 release, we have graduated this to **general availability**. --> <p>你是否曾经在扩展 Kubernetes 中的持久卷时犯过拼写错误？本来想指定 <code>2TB</code> 却写成了 <code>20TiB</code>？ 这个看似无害的问题实际上很难修复——项目花了将近 5 年时间才解决。 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/#recovering-from-failure-when-expanding-volumes">存储扩展的自动恢复</a> 此特性在一段时间内一直处于 Beta 状态；不过，随着 v1.34 版本的发布，我们已经将其提升到<strong>正式发布</strong>状态。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/09/16/kubernetes-v1-34-volume-group-snapshot-beta-2/Tue, 16 Sep 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/09/16/kubernetes-v1-34-volume-group-snapshot-beta-2/<!-- layout: blog title: "Kubernetes v1.34: Moving Volume Group Snapshots to v1beta2" date: 2025-09-16T10:30:00-08:00 slug: kubernetes-v1-34-volume-group-snapshot-beta-2 author: > Xing Yang (VMware by Broadcom) --> <!-- Volume group snapshots were [introduced](/blog/2023/05/08/kubernetes-1-27-volume-group-snapshot-alpha/) as an Alpha feature with the Kubernetes 1.27 release and moved to [Beta](/blog/2024/12/18/kubernetes-1-32-volume-group-snapshot-beta/) in the Kubernetes 1.32 release. The recent release of Kubernetes v1.34 moved that support to a second beta. The support for volume group snapshots relies on a set of [extension APIs for group snapshots](https://kubernetes-csi.github.io/docs/group-snapshot-restore-feature.html#volume-group-snapshot-apis). These APIs allow users to take crash consistent snapshots for a set of volumes. Behind the scenes, Kubernetes uses a label selector to group multiple PersistentVolumeClaims for snapshotting. A key aim is to allow you restore that set of snapshots to new volumes and recover your workload based on a crash consistent recovery point. This new feature is only supported for [CSI](https://kubernetes-csi.github.io/docs/) volume drivers. --> <p>卷组快照在 Kubernetes 1.27 版本中作为 Alpha 特性被引入， 并在 Kubernetes 1.32 版本中移至 <a href="https://andygol-k8s.netlify.app/zh-cn/blog/2024/12/18/kubernetes-1-32-volume-group-snapshot-beta/">Beta</a> 阶段。 Kubernetes v1.34 的最近一次发布将该支持移至第二个 Beta 阶段。 对卷组快照的支持依赖于一组<a href="https://kubernetes-csi.github.io/docs/group-snapshot-restore-feature.html#volume-group-snapshot-apis">用于组快照的扩展 API</a>。 这些 API 允许用户为一组卷获取崩溃一致性快照。在后台，Kubernetes 根据标签选择器对多个 PersistentVolumeClaim 分组，并进行快照操作。关键目标是允许你将这组快照恢复到新卷上， 并基于崩溃一致性恢复点恢复工作负载。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/09/11/kubernetes-v1-34-mutable-csi-node-allocatable-count/Thu, 11 Sep 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/09/11/kubernetes-v1-34-mutable-csi-node-allocatable-count/<!-- layout: blog title: "Kubernetes v1.34: Mutable CSI Node Allocatable Graduates to Beta" date: 2025-09-11T10:30:00-08:00 slug: kubernetes-v1-34-mutable-csi-node-allocatable-count author: Eddie Torres (Amazon Web Services) --> <!-- The [functionality for CSI drivers to update information about attachable volume count on the nodes](https://kep.k8s.io/4876), first introduced as Alpha in Kubernetes v1.33, has graduated to **Beta** in the Kubernetes v1.34 release! This marks a significant milestone in enhancing the accuracy of stateful pod scheduling by reducing failures due to outdated attachable volume capacity information. --> <p><a href="https://kep.k8s.io/4876">CSI 驱动更新节点上可挂接卷数量信息的这一功能</a>在 Kubernetes v1.33 中首次以 Alpha 引入，如今在 Kubernetes v1.34 中进阶为 <strong>Beta</strong>！ 这是提升有状态 Pod 调度准确性的重要里程碑，可减少因可挂接卷容量信息过时所导致的调度失败问题。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/09/10/kubernetes-v1-34-env-files/Wed, 10 Sep 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/09/10/kubernetes-v1-34-env-files/<!-- layout: blog title: "Kubernetes v1.34: Use An Init Container To Define App Environment Variables" date: 2025-09-10T10:30:00-08:00 draft: true slug: kubernetes-v1-34-env-files author: > HirazawaUi --> <!-- Kubernetes typically uses ConfigMaps and Secrets to set environment variables, which introduces additional API calls and complexity, For example, you need to separately manage the Pods of your workloads and their configurations, while ensuring orderly updates for both the configurations and the workload Pods. Alternatively, you might be using a vendor-supplied container that requires environment variables (such as a license key or a one-time token), but you don’t want to hard-code them or mount volumes just to get the job done. --> <p>Kubernetes 通常使用 ConfigMap 和 Secret 来设置环境变量， 这会引入额外的 API 调用和复杂性。例如，你需要分别管理工作负载的 Pod 和它们的配置， 同时还要确保配置和工作负载 Pod 的有序更新。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/09/04/kubernetes-v1-34-introducing-psi-metrics-beta/Thu, 04 Sep 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/09/04/kubernetes-v1-34-introducing-psi-metrics-beta/<!-- layout: blog title: "PSI Metrics for Kubernetes Graduates to Beta" date: 2025-09-04T10:30:00-08:00 slug: kubernetes-v1-34-introducing-psi-metrics-beta author: "Haowei Cai (Google)" --> <!-- As Kubernetes clusters grow in size and complexity, understanding the health and performance of individual nodes becomes increasingly critical. We are excited to announce that as of Kubernetes v1.34, **Pressure Stall Information (PSI) Metrics** has graduated to Beta. --> <p>随着 Kubernetes 集群规模和复杂性的增长，了解各个节点的健康状况和性能变得越来越关键。 我们很高兴地宣布，从 Kubernetes v1.34 开始，<strong>压力停滞信息 (PSI) 指标</strong>已升级到 Beta 版本。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/08/07/introducing-headlamp-ai-assistant/Thu, 07 Aug 2025 20:00:00 +0100https://andygol-k8s.netlify.app/zh-cn/blog/2025/08/07/introducing-headlamp-ai-assistant/<!-- layout: blog title: "Introducing Headlamp AI Assistant" date: 2025-08-07T20:00:00+01:00 slug: introducing-headlamp-ai-assistant author: > Joaquim Rocha (Microsoft) canonicalUrl: "https://headlamp.dev/blog/2025/08/07/introducing-the-headlamp-ai-assistant" --> <!-- _This announcement originally [appeared](https://headlamp.dev/blog/2025/08/07/introducing-the-headlamp-ai-assistant) on the Headlamp blog._ To simplify Kubernetes management and troubleshooting, we're thrilled to introduce [Headlamp AI Assistant](https://github.com/headlamp-k8s/plugins/tree/main/ai-assistant#readme): a powerful new plugin for Headlamp that helps you understand and operate your Kubernetes clusters and applications with greater clarity and ease. --> <p><strong>本文是 <a href="https://headlamp.dev/blog/2025/08/07/introducing-the-headlamp-ai-assistant">Headlamp AI 助手介绍</a>这篇博客的中文译稿。</strong></p> <p>为了简化 Kubernetes 的管理和故障排除，我们非常高兴地推出 <a href="https://github.com/headlamp-k8s/plugins/tree/main/ai-assistant#readme">Headlamp AI 助手</a>： 这是 Headlamp 的一个强大的新插件，可以帮助你更清晰、更轻松地理解和操作你的 Kubernetes 集群和应用程序。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/07/28/kubernetes-v1-34-sneak-peek/Mon, 28 Jul 2025 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2025/07/28/kubernetes-v1-34-sneak-peek/<!-- layout: blog title: 'Kubernetes v1.34 Sneak Peek' date: 2025-07-28 slug: kubernetes-v1-34-sneak-peek author: > Agustina Barbetta, Alejandro Josue Leon Bellido, Graziano Casto, Melony Qin, Dipesh Rawat --> <!-- Kubernetes v1.34 is coming at the end of August 2025. This release will not include any removal or deprecation, but it is packed with an impressive number of enhancements. Here are some of the features we are most excited about in this cycle! Please note that this information reflects the current state of v1.34 development and may change before release. --> <p>Kubernetes v1.34 将于 2025 年 8 月底发布。 本次发版不会移除或弃用任何特性，但包含了数量惊人的增强特性。 以下列出一些本次发版最令人兴奋的特性！</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/06/25/image-compatibility-in-cloud-native-environments/Wed, 25 Jun 2025 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2025/06/25/image-compatibility-in-cloud-native-environments/<!-- layout: blog title: "Image Compatibility In Cloud Native Environments" date: 2025-06-25 draft: false slug: image-compatibility-in-cloud-native-environments author: > Chaoyi Huang (Huawei), Marcin Franczyk (Huawei), Vanessa Sochat (Lawrence Livermore National Laboratory) --> <!-- In industries where systems must run very reliably and meet strict performance criteria such as telecommunication, high-performance or AI computing, containerized applications often need specific operating system configuration or hardware presence. It is common practice to require the use of specific versions of the kernel, its configuration, device drivers, or system components. Despite the existence of the [Open Container Initiative (OCI)](https://opencontainers.org/), a governing community to define standards and specifications for container images, there has been a gap in expression of such compatibility requirements. The need to address this issue has led to different proposals and, ultimately, an implementation in Kubernetes' [Node Feature Discovery (NFD)](https://kubernetes-sigs.github.io/node-feature-discovery/stable/get-started/index.html). --> <p>在电信、高性能或 AI 计算等必须高度可靠且满足严格性能标准的行业中，容器化应用通常需要特定的操作系统配置或硬件支持。 通常的做法是要求使用特定版本的内核、其配置、设备驱动程序或系统组件。 尽管存在<a href="https://opencontainers.org/">开放容器倡议 (OCI)</a> 这样一个定义容器镜像标准和规范的治理社区， 但在表达这种兼容性需求方面仍存在空白。为了解决这一问题，业界提出了多个提案，并最终在 Kubernetes 的<a href="https://kubernetes-sigs.github.io/node-feature-discovery/stable/get-started/index.html">节点特性发现 (NFD)</a> 项目中实现了相关功能。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/06/16/changes-to-kubernetes-slack/Mon, 16 Jun 2025 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2025/06/16/changes-to-kubernetes-slack/<!-- layout: blog title: "Changes to Kubernetes Slack" date: 2025-06-16 canonicalUrl: https://www.kubernetes.dev/blog/2025/06/16/changes-to-kubernetes-slack-2025/ slug: changes-to-kubernetes-slack Author: > [Josh Berkus](https://github.com/jberkus) --> <!-- **UPDATE**: We've received notice from Salesforce that our Slack workspace **WILL NOT BE DOWNGRADED** on June 20th. Stand by for more details, but for now, there is no urgency to back up private channels or direct messages. --> <p><strong>更新</strong>：我们已收到 Salesforce 的通知，我们的 Slack 工作区在 6 月 20 日<strong>不会被降级</strong>。 请等待更多细节更新，目前<strong>无需紧急备份</strong>私有频道或私信。</p> <!-- ~Kubernetes Slack will lose its special status and will be changing into a standard free Slack on June 20, 2025~~. Sometime later this year, our community may move to a new platform. If you are responsible for a channel or private channel, or a member of a User Group, you will need to take some actions as soon as you can. --> <p><del>Kubernetes Slack 将在 6 月 20 日失去原有的专属支持，并转变为标准免费版 Slack</del>~。 今年晚些时候，我们的社区可能会迁移到新平台。 如果你是频道或私有频道的负责人，又或是用户组的成员，你需要尽快采取一些行动。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/06/10/enhancing-kubernetes-event-management-custom-aggregation/Tue, 10 Jun 2025 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2025/06/10/enhancing-kubernetes-event-management-custom-aggregation/<!-- layout: blog title: "Enhancing Kubernetes Event Management with Custom Aggregation" date: 2025-06-10 draft: false slug: enhancing-kubernetes-event-management-custom-aggregation Author: > [Rez Moss](https://github.com/rezmoss) --> <!-- Kubernetes [Events](/docs/reference/kubernetes-api/cluster-resources/event-v1/) provide crucial insights into cluster operations, but as clusters grow, managing and analyzing these events becomes increasingly challenging. This blog post explores how to build custom event aggregation systems that help engineering teams better understand cluster behavior and troubleshoot issues more effectively. --> <p>Kubernetes <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubernetes-api/cluster-resources/event-v1/">Event</a> 提供了集群操作的关键洞察信息，但随着集群的增长，管理和分析这些 Event 变得越来越具有挑战性。 这篇博客文章探讨了如何构建自定义 Event 聚合系统，以帮助工程团队更好地理解集群行为并更有效地解决问题。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/06/05/introducing-gateway-api-inference-extension/Thu, 05 Jun 2025 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2025/06/05/introducing-gateway-api-inference-extension/<!-- layout: blog title: "Introducing Gateway API Inference Extension" date: 2025-06-05 slug: introducing-gateway-api-inference-extension draft: false author: > Daneyon Hansen (Solo.io), Kaushik Mitra (Google), Jiaxin Shan (Bytedance), Kellen Swain (Google) --> <!-- Modern generative AI and large language model (LLM) services create unique traffic-routing challenges on Kubernetes. Unlike typical short-lived, stateless web requests, LLM inference sessions are often long-running, resource-intensive, and partially stateful. For example, a single GPU-backed model server may keep multiple inference sessions active and maintain in-memory token caches. Traditional load balancers focused on HTTP path or round-robin lack the specialized capabilities needed for these workloads. They also don’t account for model identity or request criticality (e.g., interactive chat vs. batch jobs). Organizations often patch together ad-hoc solutions, but a standardized approach is missing. --> <p>现代生成式 AI 和大语言模型（LLM）服务在 Kubernetes 上带来独特的流量路由挑战。 与典型的短生命期的无状态 Web 请求不同，LLM 推理会话通常是长时间运行的、资源密集型的，并且具有一定的状态性。 例如，单个由 GPU 支撑的模型服务器可能会保持多个推理会话处于活跃状态，并保留内存中的令牌缓存。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/06/03/start-sidecar-first/Tue, 03 Jun 2025 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2025/06/03/start-sidecar-first/<!-- layout: blog title: "Start Sidecar First: How To Avoid Snags" date: 2025-06-03 draft: false slug: start-sidecar-first author: Agata Skorupka (The Scale Factory) --> <!-- From the [Kubernetes Multicontainer Pods: An Overview blog post](/blog/2025/04/22/multi-container-pods-overview/) you know what their job is, what are the main architectural patterns, and how they are implemented in Kubernetes. The main thing I’ll cover in this article is how to ensure that your sidecar containers start before the main app. It’s more complicated than you might think! --> <p>从 <a href="https://andygol-k8s.netlify.app/zh-cn/blog/2025/04/22/multi-container-pods-overview/">&quot;Kubernetes 多容器 Pod：概述&quot;博客</a>中， 你了解了 Pod 的工作方式，Pod 的主要架构模式，以及 Pod 在 Kubernetes 中是如何实现的。 本文主要介绍的是如何确保你的边车容器在主应用之前启动。这比你想象的要复杂得多！</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/06/02/gateway-api-v1-3/Mon, 02 Jun 2025 09:00:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/06/02/gateway-api-v1-3/<!-- layout: blog title: "Gateway API v1.3.0: Advancements in Request Mirroring, CORS, Gateway Merging, and Retry Budgets" date: 2025-06-02T09:00:00-08:00 draft: false slug: gateway-api-v1-3 author: > [Candace Holman](https://github.com/candita) (Red Hat) --> <p><img src="https://andygol-k8s.netlify.app/zh-cn/blog/2025/06/02/gateway-api-v1-3/gateway-api-logo.svg" alt="Gateway API logo"></p> <!-- Join us in the Kubernetes SIG Network community in celebrating the general availability of [Gateway API](https://gateway-api.sigs.k8s.io/) v1.3.0! We are also pleased to announce that there are already a number of conformant implementations to try, made possible by postponing this blog announcement. Version 1.3.0 of the API was released about a month ago on April 24, 2025. --> <p>加入 Kubernetes SIG Network 社区，共同庆祝 <a href="https://gateway-api.sigs.k8s.io/">Gateway API</a> v1.3.0 正式发布！ 我们很高兴地宣布，通过推迟这篇博客的发布，现在已经有了多个符合规范的实现可供试用。 API 1.3.0 版本已于 2025 年 4 月 24 日发布。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/16/kubernetes-v1-33-in-place-pod-resize-beta/Fri, 16 May 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/16/kubernetes-v1-33-in-place-pod-resize-beta/<!-- layout: blog title: "Kubernetes v1.33: In-Place Pod Resize Graduated to Beta" slug: kubernetes-v1-33-in-place-pod-resize-beta date: 2025-05-16T10:30:00-08:00 author: "Tim Allclair (Google)" --> <!-- On behalf of the Kubernetes project, I am excited to announce that the **in-place Pod resize** feature (also known as In-Place Pod Vertical Scaling), first introduced as alpha in Kubernetes v1.27, has graduated to **Beta** and will be enabled by default in the Kubernetes v1.33 release! This marks a significant milestone in making resource management for Kubernetes workloads more flexible and less disruptive. --> <p>代表 Kubernetes 项目，我很高兴地宣布，<strong>原地 Pod 调整大小</strong>特性（也称为原地 Pod 垂直缩放）， 在 Kubernetes v1.27 中首次引入为 Alpha 版本，现在已升级为 <strong>Beta</strong> 版本， 并将在 Kubernetes v1.33 发行版中默认启用！ 这标志着 Kubernetes 工作负载的资源管理变得更加灵活和不那么具有干扰性的一个重要里程碑。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/15/kubernetes-1-33-jobs-success-policy-goes-ga/Thu, 15 May 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/15/kubernetes-1-33-jobs-success-policy-goes-ga/<!-- layout: blog title: "Kubernetes 1.33: Job's SuccessPolicy Goes GA" date: 2025-05-15T10:30:00-08:00 slug: kubernetes-1-33-jobs-success-policy-goes-ga authors: > [Yuki Iwai](https://github.com/tenzen-y) (CyberAgent, Inc) --> <!-- On behalf of the Kubernetes project, I'm pleased to announce that Job _success policy_ has graduated to General Availability (GA) as part of the v1.33 release. --> <p>我代表 Kubernetes 项目组，很高兴地宣布在 v1.33 版本中，Job 的<strong>成功策略</strong>已进阶至 GA（正式发布）。</p> <!-- ## About Job's Success Policy In batch workloads, you might want to use leader-follower patterns like [MPI](https://en.wikipedia.org/wiki/Message_Passing_Interface), in which the leader controls the execution, including the followers' lifecycle. --> <h2 id="about-jobs-success-policy">关于 Job 的成功策略</h2> <p>在批处理工作负载中，你可能希望使用类似 <a href="https://zh.wikipedia.org/zh-cn/%E8%A8%8A%E6%81%AF%E5%82%B3%E9%81%9E%E4%BB%8B%E9%9D%A2">MPI（消息传递接口）</a> 的领导者跟随者（leader-follower）模式，其中领导者控制执行过程，包括跟随者的生命周期。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/14/kubernetes-v1-33-updates-to-container-lifecycle/Wed, 14 May 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/14/kubernetes-v1-33-updates-to-container-lifecycle/<!-- layout: blog title: "Kubernetes v1.33: Updates to Container Lifecycle" date: 2025-05-14T10:30:00-08:00 slug: kubernetes-v1-33-updates-to-container-lifecycle author: > Sreeram Venkitesh (DigitalOcean) --> <!-- Kubernetes v1.33 introduces a few updates to the lifecycle of containers. The Sleep action for container lifecycle hooks now supports a zero sleep duration (feature enabled by default). There is also alpha support for customizing the stop signal sent to containers when they are being terminated. --> <p>Kubernetes v1.33 引入了对容器生命周期的一些更新。 容器生命周期回调的 Sleep 动作现在支持零睡眠时长（特性默认启用）。 同时还为定制发送给终止中的容器的停止信号提供了 Alpha 级别支持。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/13/kubernetes-v1-33-jobs-backoff-limit-per-index-goes-ga/Tue, 13 May 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/13/kubernetes-v1-33-jobs-backoff-limit-per-index-goes-ga/<!-- layout: blog title: "Kubernetes v1.33: Job's Backoff Limit Per Index Goes GA" date: 2025-05-13T10:30:00-08:00 slug: kubernetes-v1-33-jobs-backoff-limit-per-index-goes-ga author: > [Michał Woźniak](https://github.com/mimowo) (Google) --> <!-- In Kubernetes v1.33, the _Backoff Limit Per Index_ feature reaches general availability (GA). This blog describes the Backoff Limit Per Index feature and its benefits. --> <p>在 Kubernetes v1.33 中，<strong>逐索引的回退限制</strong>特性进阶至 GA（正式发布）。本文介绍此特性及其优势。</p> <!-- ## About backoff limit per index When you run workloads on Kubernetes, you must consider scenarios where Pod failures can affect the completion of your workloads. Ideally, your workload should tolerate transient failures and continue running. To achieve failure tolerance in a Kubernetes Job, you can set the `spec.backoffLimit` field. This field specifies the total number of tolerated failures. --> <h2 id="about-backoff-limit-per-index">关于逐索引的回退限制</h2> <p>当你在 Kubernetes 上运行工作负载时，必须考虑 Pod 失效可能影响工作负载完成的场景。 理想情况下，你的工作负载应该能够容忍短暂的失效并继续运行。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/12/kubernetes-v1-33-ensure-secret-pulled-images-alpha/Mon, 12 May 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/12/kubernetes-v1-33-ensure-secret-pulled-images-alpha/<!-- layout: blog title: "Kubernetes v1.33: Image Pull Policy the way you always thought it worked!" date: 2025-05-12T10:30:00-08:00 slug: kubernetes-v1-33-ensure-secret-pulled-images-alpha author: > [Ben Petersen](https://github.com/benjaminapetersen) (Microsoft), [Stanislav Láznička](https://github.com/stlaz) (Microsoft) --> <!-- ## Image Pull Policy the way you always thought it worked! Some things in Kubernetes are surprising, and the way `imagePullPolicy` behaves might be one of them. Given Kubernetes is all about running pods, it may be peculiar to learn that there has been a caveat to restricting pod access to authenticated images for over 10 years in the form of [issue 18787](https://github.com/kubernetes/kubernetes/issues/18787)! It is an exciting release when you can resolve a ten-year-old issue. --> <h2 id="镜像拉取策略终于按你的预期工作了">镜像拉取策略终于按你的预期工作了！</h2> <p>Kubernetes 中有些东西让人感到奇怪，<code>imagePullPolicy</code> 的行为就是其中之一。 Kubernetes 作为一个专注于运行 Pod 的平台，居然在限制 Pod 访问经认证的镜像方面，存在一个长达十余年的问题， 详见 <a href="https://github.com/kubernetes/kubernetes/issues/18787">Issue 18787</a>！ v1.33 解决了这个十年前的老问题，这真是一个有纪念意义的版本。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/09/kubernetes-v1-33-streaming-list-responses/Fri, 09 May 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/09/kubernetes-v1-33-streaming-list-responses/<!-- layout: blog title: "Kubernetes v1.33: Streaming List responses" date: 2025-05-09T10:30:00-08:00 slug: kubernetes-v1-33-streaming-list-responses author: > Marek Siarkowicz (Google), Wei Fu (Microsoft) --> <!-- Managing Kubernetes cluster stability becomes increasingly critical as your infrastructure grows. One of the most challenging aspects of operating large-scale clusters has been handling List requests that fetch substantial datasets - a common operation that could unexpectedly impact your cluster's stability. Today, the Kubernetes community is excited to announce a significant architectural improvement: streaming encoding for List responses. --> <p>随着基础设施的增长，管理 Kubernetes 集群的稳定性变得愈发重要。 在大规模集群的运维中，最具挑战性的操作之一就是处理获取大量数据集的 List 请求。 List 请求是一种常见的操作，却可能意外影响集群的稳定性。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/08/kubernetes-v1-33-volume-populators-ga/Thu, 08 May 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/08/kubernetes-v1-33-volume-populators-ga/<!-- layout: blog title: "Kubernetes 1.33: Volume Populators Graduate to GA" date: 2025-05-08T10:30:00-08:00 slug: kubernetes-v1-33-volume-populators-ga author: > Danna Wang (Google) Sunny Song (Google) --> <!-- Kubernetes _volume populators_ are now generally available (GA)! The `AnyVolumeDataSource` feature gate is treated as always enabled for Kubernetes v1.33, which means that users can specify any appropriate [custom resource](/docs/concepts/extend-kubernetes/api-extension/custom-resources/#custom-resources) as the data source of a PersistentVolumeClaim (PVC). An example of how to use dataSourceRef in PVC: --> <p>Kubernetes 的<strong>卷填充器</strong>现已进阶至 GA（正式发布）！ <code>AnyVolumeDataSource</code> 特性门控在 Kubernetes v1.33 中设为始终启用， 这意味着用户可以将任何合适的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/api-extension/custom-resources/#custom-resources">自定义资源</a>作为 PersistentVolumeClaim（PVC）的数据源。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/05/kubernetes-v1-33-prevent-persistentvolume-leaks-when-deleting-out-of-order-graduate-to-ga/Mon, 05 May 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/05/kubernetes-v1-33-prevent-persistentvolume-leaks-when-deleting-out-of-order-graduate-to-ga/<!-- layout: blog title: 'Kubernetes v1.33: Prevent PersistentVolume Leaks When Deleting out of Order graduates to GA' date: 2025-05-05T10:30:00-08:00 slug: kubernetes-v1-33-prevent-persistentvolume-leaks-when-deleting-out-of-order-graduate-to-ga author: > Deepak Kinni (Broadcom) --> <!-- I am thrilled to announce that the feature to prevent [PersistentVolume](/docs/concepts/storage/persistent-volumes/) (or PVs for short) leaks when deleting out of order has graduated to General Availability (GA) in Kubernetes v1.33! This improvement, initially introduced as a beta feature in Kubernetes v1.31, ensures that your storage resources are properly reclaimed, preventing unwanted leaks. --> <p>我很高兴地宣布，当无序删除时防止 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/">PersistentVolume</a>（简称 PV） 泄漏的特性已经在 Kubernetes v1.33 中进阶为正式版（GA）！这项改进最初在 Kubernetes v1.31 中作为 Beta 特性引入， 确保你的存储资源能够被正确回收，防止不必要的泄漏。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/02/kubernetes-1-33-mutable-csi-node-allocatable-count/Fri, 02 May 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/05/02/kubernetes-1-33-mutable-csi-node-allocatable-count/<!-- layout: blog title: "Kubernetes v1.33: Mutable CSI Node Allocatable Count" date: 2025-05-02T10:30:00-08:00 slug: kubernetes-1-33-mutable-csi-node-allocatable-count author: Eddie Torres (Amazon Web Services) --> <!-- Scheduling stateful applications reliably depends heavily on accurate information about resource availability on nodes. Kubernetes v1.33 introduces an alpha feature called *mutable CSI node allocatable count*, allowing Container Storage Interface (CSI) drivers to dynamically update the reported maximum number of volumes that a node can handle. This capability significantly enhances the accuracy of pod scheduling decisions and reduces scheduling failures caused by outdated volume capacity information. --> <p>可靠调度有状态应用极度依赖于节点上资源可用性的准确信息。<br> Kubernetes v1.33 引入一个名为<strong>可变的 CSI 节点可分配计数</strong>的 Alpha 特性，允许 CSI（容器存储接口）驱动动态更新节点可以处理的最大卷数量。<br> 这一能力显著提升 Pod 调度决策的准确性，并减少因卷容量信息过时而导致的调度失败。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/04/30/kubernetes-v1-33-storage-capacity-scoring-feature/Wed, 30 Apr 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/04/30/kubernetes-v1-33-storage-capacity-scoring-feature/<!-- layout: blog title: "Kubernetes v1.33: Storage Capacity Scoring of Nodes for Dynamic Provisioning (alpha)" date: 2025-04-30T10:30:00-08:00 slug: kubernetes-v1-33-storage-capacity-scoring-feature author: > Yuma Ogami (Cybozu) --> <!-- Kubernetes v1.33 introduces a new alpha feature called `StorageCapacityScoring`. This feature adds a scoring method for pod scheduling with [the topology-aware volume provisioning](/blog/2018/10/11/topology-aware-volume-provisioning-in-kubernetes/). This feature eases to schedule pods on nodes with either the most or least available storage capacity. --> <p>Kubernetes v1.33 引入了一个名为 <code>StorageCapacityScoring</code> 的新 Alpha 级别<strong>特性</strong>。 此<strong>特性</strong>添加了一种为 Pod 调度评分的方法， 并与<a href="https://andygol-k8s.netlify.app/blog/2018/10/11/topology-aware-volume-provisioning-in-kubernetes/">拓扑感知卷制备</a>相关。 此<strong>特性</strong>可以轻松地选择在具有最多或最少可用存储容量的节点上调度 Pod。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/04/29/kubernetes-v1-33-image-volume-beta/Tue, 29 Apr 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/04/29/kubernetes-v1-33-image-volume-beta/<!-- layout: blog title: "Kubernetes v1.33: Image Volumes graduate to beta!" date: 2025-04-29T10:30:00-08:00 slug: kubernetes-v1-33-image-volume-beta author: Sascha Grunert (Red Hat) --> <!-- [Image Volumes](/blog/2024/08/16/kubernetes-1-31-image-volume-source) were introduced as an Alpha feature with the Kubernetes v1.31 release as part of [KEP-4639](https://github.com/kubernetes/enhancements/issues/4639). In Kubernetes v1.33, this feature graduates to **beta**. --> <p><a href="https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/16/kubernetes-1-31-image-volume-source">镜像卷</a>作为 Alpha 特性首次引入 Kubernetes v1.31 版本，并作为 <a href="https://github.com/kubernetes/enhancements/issues/4639">KEP-4639</a> 的一部分发布。在 Kubernetes v1.33 中，此特性进阶至 <strong>Beta</strong>。</p> <!-- Please note that the feature is still _disabled_ by default, because not all [container runtimes](/docs/setup/production-environment/container-runtimes) have full support for it. [CRI-O](https://cri-o.io) supports the initial feature since version v1.31 and will add support for Image Volumes as beta in v1.33. [containerd merged](https://github.com/containerd/containerd/pull/10579) support for the alpha feature which will be part of the v2.1.0 release and is working on beta support as part of [PR #11578](https://github.com/containerd/containerd/pull/11578). --> <p>请注意，此特性目前仍默认<strong>禁用</strong>， 因为并非所有的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/container-runtimes">容器运行时</a>都完全支持此特性。 <a href="https://cri-o.io">CRI-O</a> 自 v1.31 起就支持此初始特性，并将在 v1.33 中添加对镜像卷的 Beta 支持。 <a href="https://github.com/containerd/containerd/pull/10579">containerd 已合并</a>对 Alpha 特性的支持， 此特性将包含在 containerd v2.1.0 版本中，并正通过 <a href="https://github.com/containerd/containerd/pull/11578">PR #11578</a> 实现对 Beta 的支持。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/04/28/kubernetes-v1-33-hpa-configurable-tolerance/Mon, 28 Apr 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/04/28/kubernetes-v1-33-hpa-configurable-tolerance/<!-- layout: blog title: "Kubernetes v1.33: HorizontalPodAutoscaler Configurable Tolerance" slug: kubernetes-v1-33-hpa-configurable-tolerance math: true # for formulae date: 2025-04-28T10:30:00-08:00 author: "Jean-Marc François (Google)" --> <!-- This post describes _configurable tolerance for horizontal Pod autoscaling_, a new alpha feature first available in Kubernetes 1.33. --> <p>这篇文章描述了<strong>水平 Pod 自动扩缩的可配置容差</strong>， 这是在 Kubernetes 1.33 中首次出现的一个新的 Alpha 特性。</p> <!-- ## What is it? [Horizontal Pod Autoscaling](/docs/tasks/run-application/horizontal-pod-autoscale/) is a well-known Kubernetes feature that allows your workload to automatically resize by adding or removing replicas based on resource utilization. --> <h2 id="它是什么">它是什么？</h2> <p><a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale/">水平 Pod 自动扩缩</a> 是 Kubernetes 中一个众所周知的特性，它允许你的工作负载根据资源利用率自动增减副本数量。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/04/22/multi-container-pods-overview/Tue, 22 Apr 2025 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2025/04/22/multi-container-pods-overview/<!-- layout: blog title: "Kubernetes Multicontainer Pods: An Overview" date: 2025-04-22 draft: false slug: multi-container-pods-overview author: Agata Skorupka (The Scale Factory) --> <!-- As cloud-native architectures continue to evolve, Kubernetes has become the go-to platform for deploying complex, distributed systems. One of the most powerful yet nuanced design patterns in this ecosystem is the sidecar pattern—a technique that allows developers to extend application functionality without diving deep into source code. --> <p>随着云原生架构的不断演进，Kubernetes 已成为部署复杂分布式系统的首选平台。 在这个生态系统中，最强大却又微妙的设计模式之一是边车（Sidecar） 模式 —— 一种允许开发者扩展应用功能而不深入源代码的技术。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/04/07/introducing-kube-scheduler-simulator/Mon, 07 Apr 2025 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2025/04/07/introducing-kube-scheduler-simulator/<!-- layout: blog title: "Introducing kube-scheduler-simulator" date: 2025-04-07 draft: false slug: introducing-kube-scheduler-simulator author: Kensei Nakada (Tetrate) --> <!-- The Kubernetes Scheduler is a crucial control plane component that determines which node a Pod will run on. Thus, anyone utilizing Kubernetes relies on a scheduler. [kube-scheduler-simulator](https://github.com/kubernetes-sigs/kube-scheduler-simulator) is a _simulator_ for the Kubernetes scheduler, that started as a [Google Summer of Code 2021](https://summerofcode.withgoogle.com/) project developed by me (Kensei Nakada) and later received a lot of contributions. This tool allows users to closely examine the scheduler’s behavior and decisions. --> <p>Kubernetes 调度器（Scheduler）是一个关键的控制平面组件，负责决定 Pod 将运行在哪个节点上。<br> 因此，任何使用 Kubernetes 的人都依赖于调度器。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/03/26/kubernetes-v1-33-upcoming-changes/Wed, 26 Mar 2025 10:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/03/26/kubernetes-v1-33-upcoming-changes/<!-- layout: blog title: 'Kubernetes v1.33 sneak peek' date: 2025-03-26T10:30:00-08:00 slug: kubernetes-v1-33-upcoming-changes author: > Agustina Barbetta, Aakanksha Bhende, Udi Hofesh, Ryota Sawada, Sneha Yadav --> <!-- As the release of Kubernetes v1.33 approaches, the Kubernetes project continues to evolve. Features may be deprecated, removed, or replaced to improve the overall health of the project. This blog post outlines some planned changes for the v1.33 release, which the release team believes you should be aware of to ensure the continued smooth operation of your Kubernetes environment and to keep you up-to-date with the latest developments. The information below is based on the current status of the v1.33 release and is subject to change before the final release date. --> <p>随着 Kubernetes v1.33 版本的发布临近，Kubernetes 项目仍在不断发展。 为了提升项目的整体健康状况，某些特性可能会被弃用、移除或替换。 这篇博客文章概述了 v1.33 版本的一些计划变更，发布团队认为你有必要了解这些内容， 以确保 Kubernetes 环境的持续平稳运行，并让你掌握最新的发展动态。 以下信息基于 v1.33 版本的当前状态，在最终发布日期之前可能会有所变化。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/03/24/ingress-nginx-cve-2025-1974/Mon, 24 Mar 2025 12:00:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2025/03/24/ingress-nginx-cve-2025-1974/<!-- layout: blog title: "Ingress-nginx CVE-2025-1974: What You Need to Know" date: 2025-03-24T12:00:00-08:00 slug: ingress-nginx-CVE-2025-1974 author: > Tabitha Sable (Kubernetes Security Response Committee) --> <!-- Today, the ingress-nginx maintainers have [released patches for a batch of critical vulnerabilities](https://github.com/kubernetes/ingress-nginx/releases) that could make it easy for attackers to take over your Kubernetes cluster. If you are among the over 40% of Kubernetes administrators using [ingress-nginx](https://github.com/kubernetes/ingress-nginx/), you should take action immediately to protect your users and data. --> <p>今天，ingress-nginx 项目的维护者们<a href="https://github.com/kubernetes/ingress-nginx/releases">发布了一批关键漏洞的修复补丁</a>， 这些漏洞可能让攻击者轻易接管你的 Kubernetes 集群。目前有 40% 以上的 Kubernetes 管理员正在使用 <a href="https://github.com/kubernetes/ingress-nginx/">ingress-nginx</a>， 如果你是其中之一，请立即采取行动，保护你的用户和数据。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/03/23/introducing-jobset/Sun, 23 Mar 2025 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2025/03/23/introducing-jobset/<!-- layout: blog title: "Introducing JobSet" date: 2025-03-23 slug: introducing-jobset **Authors**: Daniel Vega-Myhre (Google), Abdullah Gharaibeh (Google), Kevin Hannon (Red Hat) --> <!-- In this article, we introduce [JobSet](https://jobset.sigs.k8s.io/), an open source API for representing distributed jobs. The goal of JobSet is to provide a unified API for distributed ML training and HPC workloads on Kubernetes. --> <p>在本文中，我们介绍 <a href="https://jobset.sigs.k8s.io/">JobSet</a>，这是一个用于表示分布式任务的开源 API。 JobSet 的目标是为 Kubernetes 上的分布式机器学习训练和高性能计算（HPC）工作负载提供统一的 API。</p> <!-- ## Why JobSet? The Kubernetes community’s recent enhancements to the batch ecosystem on Kubernetes has attracted ML engineers who have found it to be a natural fit for the requirements of running distributed training workloads. Large ML models (particularly LLMs) which cannot fit into the memory of the GPU or TPU chips on a single host are often distributed across tens of thousands of accelerator chips, which in turn may span thousands of hosts. --> <h2 id="why-jobset">为什么需要 JobSet？</h2> <p>Kubernetes 社区近期对 Kubernetes 批处理生态系统的增强，吸引了许多机器学习工程师， 他们发现这非常符合运行分布式训练工作负载的需求。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/03/12/sig-apps-spotlight-2025/Wed, 12 Mar 2025 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2025/03/12/sig-apps-spotlight-2025/<!-- layout: blog title: "Spotlight on SIG Apps" slug: sig-apps-spotlight-2025 canonicalUrl: https://www.kubernetes.dev/blog/2025/03/12/sig-apps-spotlight-2025 date: 2025-03-12 author: "Sandipan Panda (DevZero)" --> <!-- In our ongoing SIG Spotlight series, we dive into the heart of the Kubernetes project by talking to the leaders of its various Special Interest Groups (SIGs). This time, we focus on **[SIG Apps](https://github.com/kubernetes/community/tree/master/sig-apps#apps-special-interest-group)**, the group responsible for everything related to developing, deploying, and operating applications on Kubernetes. [Sandipan Panda](https://www.linkedin.com/in/sandipanpanda) ([DevZero](https://www.devzero.io/)) had the opportunity to interview [Maciej Szulik](https://github.com/soltysh) ([Defense Unicorns](https://defenseunicorns.com/)) and [Janet Kuo](https://github.com/janetkuo) ([Google](https://about.google/)), the chairs and tech leads of SIG Apps. They shared their experiences, challenges, and visions for the future of application management within the Kubernetes ecosystem. --> <p>在我们正在进行的 SIG 聚焦系列中，我们通过与 Kubernetes 项目各个特别兴趣小组（SIG）的领导者对话， 深入探讨 Kubernetes 项目的核心。这一次，我们聚焦于 <strong><a href="https://github.com/kubernetes/community/tree/master/sig-apps#apps-special-interest-group">SIG Apps</a></strong>， 这个小组负责 Kubernetes 上与应用程序开发、部署和操作相关的所有内容。 <a href="https://www.linkedin.com/in/sandipanpanda">Sandipan Panda</a>（[DevZero](<a href="https://www.devzero.io/">https://www.devzero.io/</a>）） 有机会采访了 SIG Apps 的主席和技术负责人 <a href="https://github.com/soltysh">Maciej Szulik</a>（<a href="https://defenseunicorns.com/">Defense Unicorns</a>） 以及 <a href="https://github.com/janetkuo">Janet Kuo</a>（<a href="https://about.google/">Google</a>）。 他们分享了在 Kubernetes 生态系统中关于应用管理的经验、挑战以及未来愿景。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/02/28/nftables-kube-proxy/Fri, 28 Feb 2025 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2025/02/28/nftables-kube-proxy/<!-- layout: blog title: "NFTables mode for kube-proxy" date: 2025-02-28 slug: nftables-kube-proxy author: > Dan Winship (Red Hat) --> <!-- A new nftables mode for kube-proxy was introduced as an alpha feature in Kubernetes 1.29. Currently in beta, it is expected to be GA as of 1.33. The new mode fixes long-standing performance problems with the iptables mode and all users running on systems with reasonably-recent kernels are encouraged to try it out. (For compatibility reasons, even once nftables becomes GA, iptables will still be the _default_.) --> <p>Kubernetes 1.29 引入了一种新的 Alpha 特性：kube-proxy 的 nftables 模式。 目前该模式处于 Beta 阶段，并预计将在 1.33 版本中达到一般可用（GA）状态。 新模式解决了 iptables 模式长期存在的性能问题，建议所有运行在较新内核版本系统上的用户尝试使用。 出于兼容性原因，即使 nftables 成为 GA 功能，iptables 仍将是<strong>默认</strong>模式。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/02/14/cloud-controller-manager-chicken-egg-problem/Fri, 14 Feb 2025 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2025/02/14/cloud-controller-manager-chicken-egg-problem/<!-- layout: blog title: "The Cloud Controller Manager Chicken and Egg Problem" date: 2025-02-14 slug: cloud-controller-manager-chicken-egg-problem author: > Antonio Ojea, Michael McCune --> <!-- Kubernetes 1.31 [completed the largest migration in Kubernetes history][migration-blog], removing the in-tree cloud provider. While the component migration is now done, this leaves some additional complexity for users and installer projects (for example, kOps or Cluster API) . We will go over those additional steps and failure points and make recommendations for cluster owners. This migration was complex and some logic had to be extracted from the core components, building four new subsystems. --> <p>Kubernetes 1.31<br> <a href="https://andygol-k8s.netlify.app/zh-cn/blog/2024/05/20/completing-cloud-provider-migration/">完成了 Kubernetes 历史上最大的迁移</a>，移除了树内云驱动（in-tree cloud provider）。 虽然组件迁移已经完成，但这为用户和安装项目（例如 kOps 或 Cluster API）带来了一些额外的复杂性。 我们将回顾这些额外的步骤和可能的故障点，并为集群所有者提供改进建议。<br> 此次迁移非常复杂，必须从核心组件中提取部分逻辑，构建四个新的子系统。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2025/01/21/sig-architecture-enhancements/Tue, 21 Jan 2025 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2025/01/21/sig-architecture-enhancements/<!-- layout: blog title: "Spotlight on SIG Architecture: Enhancements" slug: sig-architecture-enhancements canonicalUrl: https://www.kubernetes.dev/blog/2025/01/21/sig-architecture-enhancements date: 2025-01-21 author: "Frederico Muñoz (SAS Institute)" --> <!-- _This is the fourth interview of a SIG Architecture Spotlight series that will cover the different subprojects, and we will be covering [SIG Architecture: Enhancements](https://github.com/kubernetes/community/blob/master/sig-architecture/README.md#enhancements)._ In this SIG Architecture spotlight we talked with [Kirsten Garrison](https://github.com/kikisdeliveryservice), lead of the Enhancements subproject. --> <p><strong>这是 SIG Architecture 聚光灯系列的第四次采访，我们将介绍 <a href="https://github.com/kubernetes/community/blob/master/sig-architecture/README.md#enhancements">SIG Architecture: Enhancements</a>。</strong></p> <p>在本次 SIG Architecture 专题采访中，我们访谈了 Enhancements 子项目的负责人 <a href="https://github.com/kikisdeliveryservice">Kirsten Garrison</a>。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/12/17/kube-apiserver-api-streaming/Tue, 17 Dec 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/12/17/kube-apiserver-api-streaming/<!-- layout: blog title: 'Enhancing Kubernetes API Server Efficiency with API Streaming' date: 2024-12-17 slug: kube-apiserver-api-streaming author: > Stefan Schimanski (Upbound), Wojciech Tyczynski (Google), Lukasz Szaszkiewicz (Red Hat) --> <!-- Managing Kubernetes clusters efficiently is critical, especially as their size is growing. A significant challenge with large clusters is the memory overhead caused by **list** requests. --> <p>高效管理 Kubernetes 集群至关重要，特别是在集群规模不断增长的情况下更是如此。 大型集群面临的一个重大挑战是 <strong>list</strong> 请求所造成的内存开销。</p> <!-- In the existing implementation, the kube-apiserver processes **list** requests by assembling the entire response in-memory before transmitting any data to the client. But what if the response body is substantial, say hundreds of megabytes? Additionally, imagine a scenario where multiple **list** requests flood in simultaneously, perhaps after a brief network outage. While [API Priority and Fairness](/docs/concepts/cluster-administration/flow-control) has proven to reasonably protect kube-apiserver from CPU overload, its impact is visibly smaller for memory protection. This can be explained by the differing nature of resource consumption by a single API request - the CPU usage at any given time is capped by a constant, whereas memory, being uncompressible, can grow proportionally with the number of processed objects and is unbounded. This situation poses a genuine risk, potentially overwhelming and crashing any kube-apiserver within seconds due to out-of-memory (OOM) conditions. To better visualize the issue, let's consider the below graph. --> <p>在现有的实现中，kube-apiserver 在处理 <strong>list</strong> 请求时，先在内存中组装整个响应，再将所有数据传输给客户端。 但如果响应体非常庞大，比如数百兆字节呢？另外再想象这样一种场景，有多个 <strong>list</strong> 请求同时涌入，可能是在短暂的网络中断后涌入。 虽然 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/cluster-administration/flow-control">API 优先级和公平性</a>已经证明可以合理地保护 kube-apiserver 免受 CPU 过载，但其对内存保护的影响却明显较弱。这可以解释为各个 API 请求的资源消耗性质有所不同。 在任何给定时间，CPU 使用量都会受到某个常量的限制，而内存由于不可压缩，会随着处理对象数量的增加而成比例增长，且没有上限。 这种情况会带来真正的风险，kube-apiserver 可能会在几秒钟内因内存不足（OOM）状况而淹没和崩溃。 为了更直观地查验这个问题，我们看看下面的图表。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/12/16/cpumanager-strict-cpu-reservation/Mon, 16 Dec 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/12/16/cpumanager-strict-cpu-reservation/<!-- layout: blog title: 'Kubernetes v1.32 Adds A New CPU Manager Static Policy Option For Strict CPU Reservation' date: 2024-12-16 slug: cpumanager-strict-cpu-reservation author: > [Jing Zhang](https://github.com/jingczhang) (Nokia) --> <!-- In Kubernetes v1.32, after years of community discussion, we are excited to introduce a `strict-cpu-reservation` option for the [CPU Manager static policy](/docs/tasks/administer-cluster/cpu-management-policies/#static-policy-options). This feature is currently in alpha, with the associated policy hidden by default. You can only use the policy if you explicitly enable the alpha behavior in your cluster. --> <p>在 Kubernetes v1.32 中，经过社区多年的讨论，我们很高兴地引入了 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/cpu-management-policies/#static-policy-options">CPU Manager 静态策略</a>的 <code>strict-cpu-reservation</code> 选项。此特性当前处于 Alpha 阶段，默认情况下关联的策略是隐藏的。 只有在你的集群中明确启用了此 Alpha 行为后，才能使用此策略。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/12/13/memory-manager-goes-ga/Fri, 13 Dec 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/12/13/memory-manager-goes-ga/<!-- layout: blog title: "Kubernetes v1.32: Memory Manager Goes GA" date: 2024-12-13 slug: memory-manager-goes-ga author: > [Talor Itzhak](https://github.com/Tal-or) (Red Hat) --> <!-- With Kubernetes 1.32, the memory manager has officially graduated to General Availability (GA), marking a significant milestone in the journey toward efficient and predictable memory allocation for containerized applications. Since Kubernetes v1.22, where it graduated to beta, the memory manager has proved itself reliable, stable and a good complementary feature for the [CPU Manager](/docs/tasks/administer-cluster/cpu-management-policies/). --> <p>随着 Kubernetes 1.32 的发布，内存管理器已进阶至正式发布（GA）， 这标志着在为容器化应用实现高效和可预测的内存分配的旅程中迈出了重要的一步。 内存管理器自 Kubernetes v1.22 进阶至 Beta 后，其可靠性、稳定性已得到证实， 是 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/cpu-management-policies/">CPU 管理器</a>的一个良好补充特性。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/12/12/scheduler-queueinghint/Thu, 12 Dec 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/12/12/scheduler-queueinghint/<!-- layout: blog title: "Kubernetes v1.32: QueueingHint Brings a New Possibility to Optimize Pod Scheduling" date: 2024-12-12 slug: scheduler-queueinghint Author: > [Kensei Nakada](https://github.com/sanposhiho) (Tetrate.io) --> <!-- The Kubernetes [scheduler](/docs/concepts/scheduling-eviction/kube-scheduler/) is the core component that selects the nodes on which new Pods run. The scheduler processes these new Pods **one by one**. Therefore, the larger your clusters, the more important the throughput of the scheduler becomes. Over the years, Kubernetes SIG Scheduling has improved the throughput of the scheduler in multiple enhancements. This blog post describes a major improvement to the scheduler in Kubernetes v1.32: a [scheduling context element](/docs/concepts/scheduling-eviction/scheduling-framework/#extension-points) named _QueueingHint_. This page provides background knowledge of the scheduler and explains how QueueingHint improves scheduling throughput. --> <p>Kubernetes <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/kube-scheduler/">调度器</a>是为新 Pod 选择运行节点的核心组件，调度器会<strong>逐一</strong>处理这些新 Pod。 因此，集群规模越大，调度器的吞吐量就越重要。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/11/08/kubernetes-1-32-upcoming-changes/Fri, 08 Nov 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/11/08/kubernetes-1-32-upcoming-changes/<!-- layout: blog title: 'Kubernetes v1.32 sneak peek' date: 2024-11-08 slug: kubernetes-1-32-upcoming-changes author: > Matteo Bianchi, Edith Puclla, William Rizzo, Ryota Sawada, Rashan Smith --> <!-- As we get closer to the release date for Kubernetes v1.32, the project develops and matures. Features may be deprecated, removed, or replaced with better ones for the project's overall health. This blog outlines some of the planned changes for the Kubernetes v1.32 release, that the release team feels you should be aware of, for the continued maintenance of your Kubernetes environment and keeping up to date with the latest changes. Information listed below is based on the current status of the v1.32 release and may change before the actual release date. --> <p>随着 Kubernetes v1.32 发布日期的临近，Kubernetes 项目继续发展和成熟。 在这个过程中，某些特性可能会被弃用、移除或被更好的特性取代，以确保项目的整体健康与发展。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/10/28/k8s-upstream-training-japan-spotlight/Mon, 28 Oct 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/10/28/k8s-upstream-training-japan-spotlight/<!-- layout: blog title: "Spotlight on Kubernetes Upstream Training in Japan" slug: k8s-upstream-training-japan-spotlight date: 2024-10-28 canonicalUrl: https://www.k8s.dev/blog/2024/10/28/k8s-upstream-training-japan-spotlight/ author: > [Junya Okabe](https://github.com/Okabe-Junya) (University of Tsukuba) / Organizing team of Kubernetes Upstream Training in Japan --> <!-- We are organizers of [Kubernetes Upstream Training in Japan](https://github.com/kubernetes-sigs/contributor-playground/tree/master/japan). Our team is composed of members who actively contribute to Kubernetes, including individuals who hold roles such as member, reviewer, approver, and chair. --> <p>我们是<a href="https://github.com/kubernetes-sigs/contributor-playground/tree/master/japan">日本 Kubernetes 上游培训</a>的组织者。 我们的团队由积极向 Kubernetes 做贡献的成员组成，他们在社区中担任了 Member、Reviewer、Approver 和 Chair 等角色。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/10/02/steering-committee-results-2024/Wed, 02 Oct 2024 15:10:00 -0500https://andygol-k8s.netlify.app/zh-cn/blog/2024/10/02/steering-committee-results-2024/<!-- layout: blog title: "Announcing the 2024 Steering Committee Election Results" slug: steering-committee-results-2024 canonicalUrl: https://www.kubernetes.dev/blog/2024/10/02/steering-committee-results-2024 date: 2024-10-02T15:10:00-05:00 author: > Bridget Kromhout --> <!-- The [2024 Steering Committee Election](https://github.com/kubernetes/community/tree/master/elections/steering/2024) is now complete. The Kubernetes Steering Committee consists of 7 seats, 3 of which were up for election in 2024. Incoming committee members serve a term of 2 years, and all members are elected by the Kubernetes Community. This community body is significant since it oversees the governance of the entire Kubernetes project. With that great power comes great responsibility. You can learn more about the steering committee’s role in their [charter](https://github.com/kubernetes/steering/blob/master/charter.md). Thank you to everyone who voted in the election; your participation helps support the community’s continued health and success. --> <p><a href="https://github.com/kubernetes/community/tree/master/elections/steering/2024">2024 年指导委员会选举</a>现已完成。 Kubernetes 指导委员会由 7 个席位组成，其中 3 个席位于 2024 年进行选举。 新任委员会成员的任期为 2 年，所有成员均由 Kubernetes 社区选举产生。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/09/24/sig-scheduling-spotlight-2024/Tue, 24 Sep 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/09/24/sig-scheduling-spotlight-2024/<!-- layout: blog title: "Spotlight on SIG Scheduling" slug: sig-scheduling-spotlight-2024 canonicalUrl: https://www.kubernetes.dev/blog/2024/09/24/sig-scheduling-spotlight-2024 date: 2024-09-24 author: "Arvind Parekh" --> <!-- In this SIG Scheduling spotlight we talked with [Kensei Nakada](https://github.com/sanposhiho/), an approver in SIG Scheduling. ## Introductions **Arvind:** **Hello, thank you for the opportunity to learn more about SIG Scheduling! Would you like to introduce yourself and tell us a bit about your role, and how you got involved with Kubernetes?** --> <p>在本次 SIG Scheduling 的访谈中，我们与 <a href="https://github.com/sanposhiho/">Kensei Nakada</a> 进行了交流，他是 SIG Scheduling 的一名 Approver。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/23/kubernetes-1-31-kubeadm-v1beta4/Fri, 23 Aug 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/23/kubernetes-1-31-kubeadm-v1beta4/<!-- layout: blog title: 'Kubernetes v1.31: kubeadm v1beta4' date: 2024-08-23 slug: kubernetes-1-31-kubeadm-v1beta4 author: > Paco Xu (DaoCloud) --> <!-- As part of the Kubernetes v1.31 release, [`kubeadm`](/docs/reference/setup-tools/kubeadm/) is adopting a new ([v1beta4](/docs/reference/config-api/kubeadm-config.v1beta4/)) version of its configuration file format. Configuration in the previous v1beta3 format is now formally deprecated, which means it's supported but you should migrate to v1beta4 and stop using the deprecated format. Support for v1beta3 configuration will be removed after a minimum of 3 Kubernetes minor releases. --> <p>作为 Kubernetes v1.31 发布的一部分，<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/"><code>kubeadm</code></a> 采用了全新版本（<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kubeadm-config.v1beta4/">v1beta4</a>）的配置文件格式。 之前 v1beta3 格式的配置现已正式弃用，这意味着尽管之前的格式仍然受支持，但你应迁移到 v1beta4 并停止使用已弃用的格式。 对 v1beta3 配置的支持将在至少 3 次 Kubernetes 次要版本发布后被移除。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/22/kubernetes-1-31-custom-profiling-kubectl-debug/Thu, 22 Aug 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/22/kubernetes-1-31-custom-profiling-kubectl-debug/<!-- layout: blog title: "Kubernetes 1.31: Custom Profiling in Kubectl Debug Graduates to Beta" date: 2024-08-22 slug: kubernetes-1-31-custom-profiling-kubectl-debug author: > Arda Güçlü (Red Hat) --> <!-- There are many ways of troubleshooting the pods and nodes in the cluster. However, `kubectl debug` is one of the easiest, highly used and most prominent ones. It provides a set of static profiles and each profile serves for a different kind of role. For instance, from the network administrator's point of view, debugging the node should be as easy as this: --> <p>有很多方法可以对集群中的 Pod 和节点进行故障排查，而 <code>kubectl debug</code> 是最简单、使用最广泛、最突出的方法之一。 它提供了一组静态配置，每个配置适用于不同类型的角色。 例如，从网络管理员的视角来看，调试节点应该像这样简单：</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/22/fine-grained-supplementalgroups-control/Thu, 22 Aug 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/22/fine-grained-supplementalgroups-control/<!-- layout: blog title: 'Kubernetes 1.31: Fine-grained SupplementalGroups control' date: 2024-08-22 slug: fine-grained-supplementalgroups-control author: > Shingo Omura (Woven By Toyota) --> <!-- This blog discusses a new feature in Kubernetes 1.31 to improve the handling of supplementary groups in containers within Pods. --> <p>本博客讨论了 Kubernetes 1.31 中的一项新特性，目的是改善处理 Pod 中容器内的附加组。</p> <!-- ## Motivation: Implicit group memberships defined in `/etc/group` in the container image Although this behavior may not be popular with many Kubernetes cluster users/admins, kubernetes, by default, _merges_ group information from the Pod with information defined in `/etc/group` in the container image. Let's see an example, below Pod specifies `runAsUser=1000`, `runAsGroup=3000` and `supplementalGroups=4000` in the Pod's security context. --> <h2 id="动机-容器镜像中-etc-group-中定义的隐式组成员关系">动机：容器镜像中 <code>/etc/group</code> 中定义的隐式组成员关系</h2> <p>尽管这种行为可能并不受许多 Kubernetes 集群用户/管理员的欢迎， 但 Kubernetes 默认情况下会将 Pod 中的组信息与容器镜像中 <code>/etc/group</code> 中定义的信息进行<strong>合并</strong>。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/22/cpumanager-static-policy-distributed-cpu-across-cores/Thu, 22 Aug 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/22/cpumanager-static-policy-distributed-cpu-across-cores/<!-- layout: blog title: 'Kubernetes v1.31: New Kubernetes CPUManager Static Policy: Distribute CPUs Across Cores' date: 2024-08-22 slug: cpumanager-static-policy-distributed-cpu-across-cores author: > [Jiaxin Shan](https://github.com/Jeffwan) (Bytedance) --> <!-- In Kubernetes v1.31, we are excited to introduce a significant enhancement to CPU management capabilities: the `distribute-cpus-across-cores` option for the [CPUManager static policy](/docs/tasks/administer-cluster/cpu-management-policies/#static-policy-options). This feature is currently in alpha and hidden by default, marking a strategic shift aimed at optimizing CPU utilization and improving system performance across multi-core processors. --> <p>在 Kubernetes v1.31 中，我们很高兴引入了对 CPU 管理能力的重大增强：针对 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/cpu-management-policies/#static-policy-options">CPUManager 静态策略</a>的 <code>distribute-cpus-across-cores</code> 选项。此特性目前处于 Alpha 阶段， 默认被隐藏，标志着旨在优化 CPU 利用率和改善多核处理器系统性能的战略转变。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/21/cri-cgroup-driver-lookup-now-beta/Wed, 21 Aug 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/21/cri-cgroup-driver-lookup-now-beta/<!-- layout: blog title: "Kubernetes 1.31: Autoconfiguration For Node Cgroup Driver (beta)" date: 2024-08-21 slug: cri-cgroup-driver-lookup-now-beta author: > Peter Hunt (Red Hat) --> <!-- Historically, configuring the correct cgroup driver has been a pain point for users running new Kubernetes clusters. On Linux systems, there are two different cgroup drivers: `cgroupfs` and `systemd`. In the past, both the [kubelet](/docs/reference/command-line-tools-reference/kubelet/) and CRI implementation (like CRI-O or containerd) needed to be configured to use the same cgroup driver, or else the kubelet would exit with an error. This was a source of headaches for many cluster admins. However, there is light at the end of the tunnel! --> <p>一直以来，为新运行的 Kubernetes 集群配置正确的 cgroup 驱动程序是用户的一个痛点。 在 Linux 系统中，存在两种不同的 cgroup 驱动程序：<code>cgroupfs</code> 和 <code>systemd</code>。 过去，<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/command-line-tools-reference/kubelet/">kubelet</a> 和 CRI 实现（如 CRI-O 或 containerd）需要配置为使用相同的 cgroup 驱动程序， 否则 kubelet 会报错并退出。 这让许多集群管理员头疼不已。不过，现在曙光乍现！</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/20/websockets-transition/Tue, 20 Aug 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/20/websockets-transition/<!-- layout: blog title: 'Kubernetes 1.31: Streaming Transitions from SPDY to WebSockets' date: 2024-08-20 slug: websockets-transition author: > [Sean Sullivan](https://github.com/seans3) (Google) [Shannon Kularathna](https://github.com/shannonxtreme) (Google) --> <!-- In Kubernetes 1.31, by default kubectl now uses the WebSocket protocol instead of SPDY for streaming. This post describes what these changes mean for you and why these streaming APIs matter. --> <p>在 Kubernetes 1.31 中，kubectl 现在默认使用 WebSocket 协议而不是 SPDY 进行流式传输。</p> <p>这篇文章介绍了这些变化对你意味着什么以及这些流式传输 API 的重要性。</p> <!-- ## Streaming APIs in Kubernetes In Kubernetes, specific endpoints that are exposed as an HTTP or RESTful interface are upgraded to streaming connections, which require a streaming protocol. Unlike HTTP, which is a request-response protocol, a streaming protocol provides a persistent connection that's bi-directional, low-latency, and lets you interact in real-time. Streaming protocols support reading and writing data between your client and the server, in both directions, over the same connection. This type of connection is useful, for example, when you create a shell in a running container from your local workstation and run commands in the container. --> <h2 id="kubernetes-中的流式-api">Kubernetes 中的流式 API</h2> <p>在 Kubernetes 中，某些以 HTTP 或 RESTful 接口公开的某些端点会被升级为流式连接，因而需要使用流式协议。 与 HTTP 这种请求-响应协议不同，流式协议提供了一种持久的双向连接，具有低延迟的特点，并允许实时交互。 流式协议支持在客户端与服务器之间通过同一个连接进行双向的数据读写。 这种类型的连接非常有用，例如，当你从本地工作站在某个运行中的容器内创建 shell 并在该容器中运行命令时。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/19/kubernetes-1-31-pod-failure-policy-for-jobs-goes-ga/Mon, 19 Aug 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/19/kubernetes-1-31-pod-failure-policy-for-jobs-goes-ga/<!-- layout: blog title: "Kubernetes 1.31: Pod Failure Policy for Jobs Goes GA" date: 2024-08-19 slug: kubernetes-1-31-pod-failure-policy-for-jobs-goes-ga author: > [Michał Woźniak](https://github.com/mimowo) (Google), [Shannon Kularathna](https://github.com/shannonxtreme) (Google) --> <!-- This post describes _Pod failure policy_, which graduates to stable in Kubernetes 1.31, and how to use it in your Jobs. --> <p>这篇博文阐述在 Kubernetes 1.31 中进阶至 Stable 的 <strong>Pod 失效策略</strong>，还介绍如何在你的 Job 中使用此策略。</p> <!-- ## About Pod failure policy When you run workloads on Kubernetes, Pods might fail for a variety of reasons. Ideally, workloads like Jobs should be able to ignore transient, retriable failures and continue running to completion. --> <h2 id="关于-pod-失效策略">关于 Pod 失效策略</h2> <p>当你在 Kubernetes 上运行工作负载时，Pod 可能因各种原因而失效。 理想情况下，像 Job 这样的工作负载应该能够忽略瞬时的、可重试的失效，并继续运行直到完成。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/16/matchlabelkeys-podaffinity/Fri, 16 Aug 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/16/matchlabelkeys-podaffinity/<!-- layout: blog title: 'Kubernetes 1.31: MatchLabelKeys in PodAffinity graduates to beta' date: 2024-08-16 slug: matchlabelkeys-podaffinity author: > Kensei Nakada (Tetrate) --> <!-- Kubernetes 1.29 introduced new fields `matchLabelKeys` and `mismatchLabelKeys` in `podAffinity` and `podAntiAffinity`. In Kubernetes 1.31, this feature moves to beta and the corresponding feature gate (`MatchLabelKeysInPodAffinity`) gets enabled by default. --> <p>Kubernetes 1.29 在 <code>podAffinity</code> 和 <code>podAntiAffinity</code> 中引入了新的字段 <code>matchLabelKeys</code> 和 <code>mismatchLabelKeys</code>。</p> <p>在 Kubernetes 1.31 中，此特性进阶至 Beta，并且相应的特性门控（<code>MatchLabelKeysInPodAffinity</code>）默认启用。</p> <!-- ## `matchLabelKeys` - Enhanced scheduling for versatile rolling updates During a workload's (e.g., Deployment) rolling update, a cluster may have Pods from multiple versions at the same time. However, the scheduler cannot distinguish between old and new versions based on the `labelSelector` specified in `podAffinity` or `podAntiAffinity`. As a result, it will co-locate or disperse Pods regardless of their versions. --> <h2 id="matchlabelkeys-为多样化滚动更新增强了调度"><code>matchLabelKeys</code> - 为多样化滚动更新增强了调度</h2> <p>在工作负载（例如 Deployment）的滚动更新期间，集群中可能同时存在多个版本的 Pod。<br> 然而，调度器无法基于 <code>podAffinity</code> 或 <code>podAntiAffinity</code> 中指定的 <code>labelSelector</code> 区分新旧版本。 结果，调度器将并置或分散调度 Pod，不会考虑这些 Pod 的版本。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/16/kubernetes-1-31-prevent-persistentvolume-leaks-when-deleting-out-of-order/Fri, 16 Aug 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/16/kubernetes-1-31-prevent-persistentvolume-leaks-when-deleting-out-of-order/<!-- layout: blog title: 'Kubernetes 1.31: Prevent PersistentVolume Leaks When Deleting out of Order' date: 2024-08-16 slug: kubernetes-1-31-prevent-persistentvolume-leaks-when-deleting-out-of-order author: > Deepak Kinni (Broadcom) --> <!-- [PersistentVolume](/docs/concepts/storage/persistent-volumes/) (or PVs for short) are associated with [Reclaim Policy](/docs/concepts/storage/persistent-volumes/#reclaim-policy). The reclaim policy is used to determine the actions that need to be taken by the storage backend on deletion of the PVC Bound to a PV. When the reclaim policy is `Delete`, the expectation is that the storage backend releases the storage resource allocated for the PV. In essence, the reclaim policy needs to be honored on PV deletion. With the recent Kubernetes v1.31 release, a beta feature lets you configure your cluster to behave that way and honor the configured reclaim policy. --> <p><a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/">PersistentVolume</a>（简称 PV） 具有与之关联的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/#reclaim-policy">回收策略</a>。 回收策略用于确定在删除绑定到 PV 的 PVC 时存储后端需要采取的操作。当回收策略为 <code>Delete</code> 时， 期望存储后端释放为 PV 所分配的存储资源。实际上，在 PV 被删除时就需要执行此回收策略。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/16/kubernetes-1-31-image-volume-source/Fri, 16 Aug 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/16/kubernetes-1-31-image-volume-source/<!-- layout: blog title: "Kubernetes 1.31: Read Only Volumes Based On OCI Artifacts (alpha)" date: 2024-08-16 slug: kubernetes-1-31-image-volume-source author: Sascha Grunert --> <!-- The Kubernetes community is moving towards fulfilling more Artificial Intelligence (AI) and Machine Learning (ML) use cases in the future. While the project has been designed to fulfill microservice architectures in the past, it’s now time to listen to the end users and introduce features which have a stronger focus on AI/ML. --> <p>Kubernetes 社区正朝着在未来满足更多人工智能（AI）和机器学习（ML）使用场景的方向发展。 虽然此项目在过去设计为满足微服务架构，但现在是时候听听最终用户的声音并引入更侧重于 AI/ML 的特性了。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/15/kubernetes-1-31-volume-attributes-class/Thu, 15 Aug 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/15/kubernetes-1-31-volume-attributes-class/<!-- layout: blog title: "Kubernetes 1.31: VolumeAttributesClass for Volume Modification Beta" date: 2024-08-15 slug: kubernetes-1-31-volume-attributes-class author: > Sunny Song (Google) Matthew Cary (Google) --> <!-- Volumes in Kubernetes have been described by two attributes: their storage class, and their capacity. The storage class is an immutable property of the volume, while the capacity can be changed dynamically with [volume resize](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#expanding-persistent-volumes-claims). This complicates vertical scaling of workloads with volumes. While cloud providers and storage vendors often offer volumes which allow specifying IO quality of service (Performance) parameters like IOPS or throughput and tuning them as workloads operate, Kubernetes has no API which allows changing them. --> <p>在 Kubernetes 中，卷由两个属性描述：存储类和容量。存储类是卷的不可变属性， 而容量可以通过<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/#expanding-persistent-volumes-claims">卷调整大小</a>进行动态变更。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/15/consistent-read-from-cache-beta/Thu, 15 Aug 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/15/consistent-read-from-cache-beta/<!-- layout: blog title: 'Kubernetes v1.31: Accelerating Cluster Performance with Consistent Reads from Cache' date: 2024-08-15 slug: consistent-read-from-cache-beta author: > Marek Siarkowicz (Google) -> <!-- Kubernetes is renowned for its robust orchestration of containerized applications, but as clusters grow, the demands on the control plane can become a bottleneck. A key challenge has been ensuring strongly consistent reads from the etcd datastore, requiring resource-intensive quorum reads. --> <p>Kubernetes 以其强大的容器化应用编排能力而闻名，但随着集群规模扩大， 对控制平面的需求可能成为性能瓶颈。其中一个主要挑战是确保从 etcd 数据存储进行强一致性读，这通常需要资源密集型仲裁读取操作。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/14/kubernetes-1-31-moving-cgroup-v1-support-maintenance-mode/Wed, 14 Aug 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/14/kubernetes-1-31-moving-cgroup-v1-support-maintenance-mode/<!-- layout: blog title: "Kubernetes 1.31: Moving cgroup v1 Support into Maintenance Mode" date: 2024-08-14 slug: kubernetes-1-31-moving-cgroup-v1-support-maintenance-mode author: Harshal Patil --> <!-- As Kubernetes continues to evolve and adapt to the changing landscape of container orchestration, the community has decided to move cgroup v1 support into [maintenance mode](#what-does-maintenance-mode-mean) in v1.31. This shift aligns with the broader industry's move towards cgroup v2, offering improved functionalities: including scalability and a more consistent interface. Before we dive into the consequences for Kubernetes, let's take a step back to understand what cgroups are and their significance in Linux. --> <p>随着 Kubernetes 不断发展，为了适应容器编排全景图的变化，社区决定在 v1.31 中将对 cgroup v1 的支持转为<a href="#what-does-maintenance-mode-mean">维护模式</a>。 这一转变与行业更广泛地向 cgroup v2 的迁移保持一致，后者的功能更强， 包括可扩展性和更加一致的接口。在我们深入探讨对 Kubernetes 的影响之前， 先回顾一下 cgroup 的概念及其在 Linux 中的重要意义。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/14/last-phase-transition-time-ga/Wed, 14 Aug 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/14/last-phase-transition-time-ga/<!-- layout: blog title: "Kubernetes v1.31: PersistentVolume Last Phase Transition Time Moves to GA" date: 2024-08-14 slug: last-phase-transition-time-ga author: > Roman Bednář (Red Hat) --> <!-- Announcing the graduation to General Availability (GA) of the PersistentVolume `lastTransitionTime` status field, in Kubernetes v1.31! The Kubernetes SIG Storage team is excited to announce that the "PersistentVolumeLastPhaseTransitionTime" feature, introduced as an alpha in Kubernetes v1.28, has now reached GA status and is officially part of the Kubernetes v1.31 release. This enhancement helps Kubernetes users understand when a [PersistentVolume](/docs/concepts/storage/persistent-volumes/) transitions between different phases, allowing for more efficient and informed resource management. --> <p>现在宣布 PersistentVolume 的 <code>lastTransitionTime</code> 状态字段在 Kubernetes v1.31 版本进阶至正式发布（GA）！</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/13/kubernetes-v1-31-release/Tue, 13 Aug 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/13/kubernetes-v1-31-release/<!-- --- layout: blog title: 'Kubernetes v1.31: Elli' date: 2024-08-13 slug: kubernetes-v1-31-release author: > [Kubernetes v1.31 Release Team](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.31/release-team.md) --- --> <!-- **Editors:** Matteo Bianchi, Yigit Demirbas, Abigail McCarthy, Edith Puclla, Rashan Smith Announcing the release of Kubernetes v1.31: Elli! Similar to previous releases, the release of Kubernetes v1.31 introduces new stable, beta, and alpha features. The consistent delivery of high-quality releases underscores the strength of our development cycle and the vibrant support from our community. This release consists of 45 enhancements. Of those enhancements, 11 have graduated to Stable, 22 are entering Beta, and 12 have graduated to Alpha. --> <p><strong>编辑:</strong> Matteo Bianchi, Yigit Demirbas, Abigail McCarthy, Edith Puclla, Rashan Smith</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/12/feature-gates-in-client-go/Mon, 12 Aug 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/12/feature-gates-in-client-go/<!-- layout: blog title: 'Introducing Feature Gates to Client-Go: Enhancing Flexibility and Control' date: 2024-08-12 slug: feature-gates-in-client-go author: > Ben Luddy (Red Hat), Lukasz Szaszkiewicz (Red Hat) --> <!-- Kubernetes components use on-off switches called _feature gates_ to manage the risk of adding a new feature. The feature gate mechanism is what enables incremental graduation of a feature through the stages Alpha, Beta, and GA. --> <p>Kubernetes 组件使用称为“特性门控（Feature Gates）”的开关来管理添加新特性的风险， 特性门控机制使特性能够通过 Alpha、Beta 和 GA 阶段逐步升级。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/07/sig-api-machinery-spotlight-2024/Wed, 07 Aug 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/08/07/sig-api-machinery-spotlight-2024/<!-- layout: blog title: "Spotlight on SIG API Machinery" slug: sig-api-machinery-spotlight-2024 canonicalUrl: https://www.kubernetes.dev/blog/2024/08/07/sig-api-machinery-spotlight-2024 date: 2024-08-07 author: "Frederico Muñoz (SAS Institute)" --> <!-- We recently talked with [Federico Bongiovanni](https://github.com/fedebongio) (Google) and [David Eads](https://github.com/deads2k) (Red Hat), Chairs of SIG API Machinery, to know a bit more about this Kubernetes Special Interest Group. --> <p>我们最近与 SIG API Machinery 的主席 <a href="https://github.com/fedebongio">Federico Bongiovanni</a>（Google）和 <a href="https://github.com/deads2k">David Eads</a>（Red Hat）进行了访谈， 了解一些有关这个 Kubernetes 特别兴趣小组的信息。</p> <!-- ## Introductions **Frederico (FSM): Hello, and thank your for your time. To start with, could you tell us about yourselves and how you got involved in Kubernetes?** --> <h2 id="introductions">介绍</h2> <p><strong>Frederico (FSM)：你好，感谢你抽时间参与访谈。首先，你能做个自我介绍以及你是如何参与到 Kubernetes 的？</strong></p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/07/19/kubernetes-1-31-upcoming-changes/Fri, 19 Jul 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/07/19/kubernetes-1-31-upcoming-changes/<!-- layout: blog title: 'Kubernetes Removals and Major Changes In v1.31' date: 2024-07-19 slug: kubernetes-1-31-upcoming-changes author: > Abigail McCarthy, Edith Puclla, Matteo Bianchi, Rashan Smith, Yigit Demirbas --> <!-- As Kubernetes develops and matures, features may be deprecated, removed, or replaced with better ones for the project's overall health. This article outlines some planned changes for the Kubernetes v1.31 release that the release team feels you should be aware of for the continued maintenance of your Kubernetes environment. The information listed below is based on the current status of the v1.31 release. It may change before the actual release date. --> <p>随着 Kubernetes 的发展和成熟，为了项目的整体健康，某些特性可能会被弃用、删除或替换为更好的特性。 本文阐述了 Kubernetes v1.31 版本的一些更改计划，发行团队认为你应当了解这些更改， 以便持续维护 Kubernetes 环境。 下面列出的信息基于 v1.31 版本的当前状态；这些状态可能会在实际发布日期之前发生变化。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/06/06/10-years-of-kubernetes/Thu, 06 Jun 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/06/06/10-years-of-kubernetes/<!-- layout: blog title: "10 Years of Kubernetes" date: 2024-06-06 slug: 10-years-of-kubernetes author: > [Bob Killen](https://github.com/mrbobbytables) (CNCF), [Chris Short](https://github.com/chris-short) (AWS), [Frederico Muñoz](https://github.com/fsmunoz) (SAS), [Kaslin Fields](https://github.com/kaslin) (Google), [Tim Bannister](https://github.com/sftim) (The Scale Factory), and every contributor across the globe --> <!--  Ten (10) years ago, on June 6th, 2014, the [first commit](https://github.com/kubernetes/kubernetes/commit/2c4b3a562ce34cddc3f8218a2c4d11c7310e6d56) of Kubernetes was pushed to GitHub. That first commit with 250 files and 47,501 lines of go, bash and markdown kicked off the project we have today. Who could have predicted that 10 years later, Kubernetes would grow to become one of the largest Open Source projects to date with over [88,000 contributors](https://k8s.devstats.cncf.io/d/24/overall-project-statistics?orgId=1) from more than [8,000 companies](https://www.cncf.io/reports/kubernetes-project-journey-report/), across 44 countries. --> <p><img src="https://andygol-k8s.netlify.app/zh-cn/blog/2024/06/06/10-years-of-kubernetes/kcseu2024.jpg" alt="KCSEU 2024 团体照片"></p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/05/20/completing-cloud-provider-migration/Mon, 20 May 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/05/20/completing-cloud-provider-migration/<!-- layout: blog title: 'Completing the largest migration in Kubernetes history' date: 2024-05-20 slug: completing-cloud-provider-migration author: > Andrew Sy Kim (Google), Michelle Au (Google), Walter Fender (Google), Michael McCune (Red Hat) --> <!-- Since as early as Kubernetes v1.7, the Kubernetes project has pursued the ambitious goal of removing built-in cloud provider integrations ([KEP-2395](https://github.com/kubernetes/enhancements/blob/master/keps/sig-cloud-provider/2395-removing-in-tree-cloud-providers/README.md)). While these integrations were instrumental in Kubernetes' early development and growth, their removal was driven by two key factors: the growing complexity of maintaining native support for every cloud provider across millions of lines of Go code, and the desire to establish Kubernetes as a truly vendor-neutral platform. --> <p>早自 Kubernetes v1.7 起，Kubernetes 项目就开始追求取消集成内置云驱动 （<a href="https://github.com/kubernetes/enhancements/blob/master/keps/sig-cloud-provider/2395-removing-in-tree-cloud-providers/README.md">KEP-2395</a>）。 虽然这些集成对于 Kubernetes 的早期发展和增长发挥了重要作用，但它们的移除是由两个关键因素驱动的： 为各云启动维护数百万行 Go 代码的原生支持所带来的日趋增长的复杂度，以及将 Kubernetes 打造为真正的供应商中立平台的愿景。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/05/09/gateway-api-v1-1/Thu, 09 May 2024 09:00:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2024/05/09/gateway-api-v1-1/<!-- layout: blog title: "Gateway API v1.1: Service mesh, GRPCRoute, and a whole lot more" date: 2024-05-09T09:00:00-08:00 slug: gateway-api-v1-1 author: > [Richard Belleville](https://github.com/gnossen) (Google), [Frank Budinsky](https://github.com/frankbu) (IBM), [Arko Dasgupta](https://github.com/arkodg) (Tetrate), [Flynn](https://github.com/kflynn) (Buoyant), [Candace Holman](https://github.com/candita) (Red Hat), [John Howard](https://github.com/howardjohn) (Solo.io), [Christine Kim](https://github.com/xtineskim) (Isovalent), [Mattia Lavacca](https://github.com/mlavacca) (Kong), [Keith Mattix](https://github.com/keithmattix) (Microsoft), [Mike Morris](https://github.com/mikemorris) (Microsoft), [Rob Scott](https://github.com/robscott) (Google), [Grant Spence](https://github.com/gcs278) (Red Hat), [Shane Utt](https://github.com/shaneutt) (Kong), [Gina Yeh](https://github.com/ginayeh) (Google), and other review and release note contributors --> <p><img src="https://andygol-k8s.netlify.app/zh-cn/blog/2024/05/09/gateway-api-v1-1/gateway-api-logo.svg" alt="Gateway API logo"></p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/04/30/prevent-unauthorized-volume-mode-conversion-ga/Tue, 30 Apr 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/04/30/prevent-unauthorized-volume-mode-conversion-ga/<!-- layout: blog title: "Kubernetes 1.30: Preventing unauthorized volume mode conversion moves to GA" date: 2024-04-30 slug: prevent-unauthorized-volume-mode-conversion-ga author: > Raunak Pradip Shah (Mirantis) --> <p><strong>作者:</strong> Raunak Pradip Shah (Mirantis)</p> <p><strong>译者:</strong> Xin Li (DaoCloud)</p> <!-- With the release of Kubernetes 1.30, the feature to prevent the modification of the volume mode of a [PersistentVolumeClaim](/docs/concepts/storage/persistent-volumes/) that was created from an existing VolumeSnapshot in a Kubernetes cluster, has moved to GA! --> <p>随着 Kubernetes 1.30 的发布，防止修改从 Kubernetes 集群中现有 VolumeSnapshot 创建的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/">PersistentVolumeClaim</a> 的卷模式的特性已被升级至 GA！</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/04/25/structured-authentication-moves-to-beta/Thu, 25 Apr 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/04/25/structured-authentication-moves-to-beta/<!-- layout: blog title: "Kubernetes 1.30: Structured Authentication Configuration Moves to Beta" date: 2024-04-25 slug: structured-authentication-moves-to-beta author: > [Anish Ramasekar](https://github.com/aramase) (Microsoft) --> <!-- With Kubernetes 1.30, we (SIG Auth) are moving Structured Authentication Configuration to beta. Today's article is about _authentication_: finding out who's performing a task, and checking that they are who they say they are. Check back in tomorrow to find about what's new in Kubernetes v1.30 around _authorization_ (deciding what someone can and can't access). --> <p>在 Kubernetes 1.30 中，我们（SIG Auth）将结构化身份认证配置（Structured Authentication Configuration）进阶至 Beta。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/04/24/validating-admission-policy-ga/Wed, 24 Apr 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/04/24/validating-admission-policy-ga/<!-- layout: blog title: "Kubernetes 1.30: Validating Admission Policy Is Generally Available" slug: validating-admission-policy-ga date: 2024-04-24 author: > Jiahui Feng (Google) --> <!-- On behalf of the Kubernetes project, I am excited to announce that ValidatingAdmissionPolicy has reached **general availability** as part of Kubernetes 1.30 release. If you have not yet read about this new declarative alternative to validating admission webhooks, it may be interesting to read our [previous post](/blog/2022/12/20/validating-admission-policies-alpha/) about the new feature. If you have already heard about ValidatingAdmissionPolicies and you are eager to try them out, there is no better time to do it than now. Let's have a taste of a ValidatingAdmissionPolicy, by replacing a simple webhook. --> <p>我代表 Kubernetes 项目组成员，很高兴地宣布 ValidatingAdmissionPolicy 已经作为 Kubernetes 1.30 发布的一部分<strong>正式发布</strong>。 如果你还不了解这个全新的声明式验证准入 Webhook 的替代方案， 请参阅有关这个新特性的<a href="https://andygol-k8s.netlify.app/blog/2022/12/20/validating-admission-policies-alpha/">上一篇博文</a>。 如果你已经对 ValidatingAdmissionPolicy 有所了解并且想要尝试一下，那么现在是最好的时机。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/04/23/recursive-read-only-mounts/Tue, 23 Apr 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/04/23/recursive-read-only-mounts/<p><strong>作者:</strong> Akihiro Suda (NTT)</p> <p><strong>译者:</strong> Xin Li (DaoCloud)</p> <!-- layout: blog title: 'Kubernetes 1.30: Read-only volume mounts can be finally literally read-only' date: 2024-04-23 slug: recursive-read-only-mounts author: > Akihiro Suda (NTT) --> <!-- Read-only volume mounts have been a feature of Kubernetes since the beginning. Surprisingly, read-only mounts are not completely read-only under certain conditions on Linux. As of the v1.30 release, they can be made completely read-only, with alpha support for _recursive read-only mounts_. --> <p>只读卷挂载从一开始就是 Kubernetes 的一个特性。 令人惊讶的是，在 Linux 上的某些条件下，只读挂载并不是完全只读的。 从 v1.30 版本开始，这类卷挂载可以被处理为完全只读；v1.30 为<strong>递归只读挂载</strong>提供 Alpha 支持。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/04/22/userns-beta/Mon, 22 Apr 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/04/22/userns-beta/<!-- layout: blog title: "Kubernetes 1.30: Beta Support For Pods With User Namespaces" date: 2024-04-22 slug: userns-beta author: > Rodrigo Campos Catelin (Microsoft), Giuseppe Scrivano (Red Hat), Sascha Grunert (Red Hat) --> <!-- Linux provides different namespaces to isolate processes from each other. For example, a typical Kubernetes pod runs within a network namespace to isolate the network identity and a PID namespace to isolate the processes. One Linux namespace that was left behind is the [user namespace](https://man7.org/linux/man-pages/man7/user_namespaces.7.html). This namespace allows us to isolate the user and group identifiers (UIDs and GIDs) we use inside the container from the ones on the host. --> <p>Linux 提供了不同的命名空间来将进程彼此隔离。 例如，一个典型的 Kubernetes Pod 运行在一个网络命名空间中可以隔离网络身份，运行在一个 PID 命名空间中可以隔离进程。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/04/11/sig-architecture-code-spotlight-2024/Thu, 11 Apr 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/04/11/sig-architecture-code-spotlight-2024/<!-- layout: blog title: "Spotlight on SIG Architecture: Code Organization" slug: sig-architecture-code-spotlight-2024 canonicalUrl: https://www.kubernetes.dev/blog/2024/04/11/sig-architecture-code-spotlight-2024 date: 2024-04-11 author: > Frederico Muñoz (SAS Institute) --> <p><strong>作者:</strong> Frederico Muñoz (SAS Institute)</p> <p><strong>译者:</strong> Xin Li (DaoCloud)</p> <!-- _This is the third interview of a SIG Architecture Spotlight series that will cover the different subprojects. We will cover [SIG Architecture: Code Organization](https://github.com/kubernetes/community/blob/e44c2c9d0d3023e7111d8b01ac93d54c8624ee91/sig-architecture/README.md#code-organization)._ In this SIG Architecture spotlight I talked with [Madhav Jivrajani](https://github.com/MadhavJivrajani) (VMware), a member of the Code Organization subproject. --> <p><strong>这是 SIG Architecture Spotlight 系列的第三次采访，该系列将涵盖不同的子项目。 我们将介绍 <a href="https://github.com/kubernetes/community/blob/e44c2c9d0d3023e7111d8b01ac93d54c8624ee91/sig-architecture/README.md#code-organization">SIG Architecture：代码组织</a>。</strong></p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/04/03/intro-windows-ops-readiness/Wed, 03 Apr 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/04/03/intro-windows-ops-readiness/<!-- layout: blog title: "Introducing the Windows Operational Readiness Specification" date: 2024-04-03 slug: intro-windows-ops-readiness author: > Jay Vyas (Tesla), Amim Knabben (Broadcom), Tatenda Zifudzi (AWS) --> <!-- Since Windows support [graduated to stable](/blog/2019/03/25/kubernetes-1-14-release-announcement/) with Kubernetes 1.14 in 2019, the capability to run Windows workloads has been much appreciated by the end user community. The level of and availability of Windows workload support has consistently been a major differentiator for Kubernetes distributions used by large enterprises. However, with more Windows workloads being migrated to Kubernetes and new Windows features being continuously released, it became challenging to test Windows worker nodes in an effective and standardized way. --> <p>自从 2019 年 Kubernetes 1.14 将对 Windows 的支持<a href="https://andygol-k8s.netlify.app/zh-cn/blog/2019/03/25/kubernetes-1-14-release-announcement/">升级为稳定版</a>以来， 能够运行 Windows 工作负载的能力一直深受最终用户社区的认可。对于大型企业来说， 对 Windows 工作负载支持的水平和可用性一直是各大企业选择 Kubernetes 发行版的重要差异化因素。 然而，随着越来越多的 Windows 工作负载迁移到 Kubernetes，以及新的 Windows 特性不断发布， 要高效且标准化地测试 Windows 工作节点变得越来越具有挑战性。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/03/12/kubernetes-1-30-upcoming-changes/Tue, 12 Mar 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/03/12/kubernetes-1-30-upcoming-changes/<!-- layout: blog title: 'A Peek at Kubernetes v1.30' date: 2024-03-12 slug: kubernetes-1-30-upcoming-changes --> <!-- **Authors:** Amit Dsouza, Frederick Kautz, Kristin Martin, Abigail McCarthy, Natali Vlatko --> <p><strong>作者:</strong> Amit Dsouza, Frederick Kautz, Kristin Martin, Abigail McCarthy, Natali Vlatko</p> <p><strong>译者:</strong> Paco Xu (DaoCloud)</p> <!-- ## A quick look: exciting changes in Kubernetes v1.30 It's a new year and a new Kubernetes release. We're halfway through the release cycle and have quite a few interesting and exciting enhancements coming in v1.30. From brand new features in alpha, to established features graduating to stable, to long-awaited improvements, this release has something for everyone to pay attention to! To tide you over until the official release, here's a sneak peek of the enhancements we're most excited about in this cycle! --> <h2 id="快速预览-kubernetes-v1-30-中令人兴奋的变化">快速预览：Kubernetes v1.30 中令人兴奋的变化</h2> <p>新年新版本，v1.30 发布周期已过半，我们将迎来一系列有趣且令人兴奋的增强功能。 从全新的 alpha 特性，到已有的特性升级为稳定版，再到期待已久的改进，这个版本对每个人都有值得关注的内容！</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/02/22/k8s-book-club/Thu, 22 Feb 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/02/22/k8s-book-club/<!-- layout: blog title: "A look into the Kubernetes Book Club" slug: k8s-book-club date: 2024-02-22 canonicalUrl: https://www.k8s.dev/blog/2024/02/22/k8s-book-club/ author: > Frederico Muñoz (SAS Institute) --> <!-- Learning Kubernetes and the entire ecosystem of technologies around it is not without its challenges. In this interview, we will talk with [Carlos Santana (AWS)](https://www.linkedin.com/in/csantanapr/) to learn a bit more about how he created the [Kubernetes Book Club](https://community.cncf.io/kubernetes-virtual-book-club/), how it works, and how anyone can join in to take advantage of a community-based learning experience. --> <p>学习 Kubernetes 及其整个生态的技术并非易事。在本次采访中，我们的访谈对象是 <a href="https://www.linkedin.com/in/csantanapr/">Carlos Santana (AWS)</a>， 了解他是如何创办 <a href="https://community.cncf.io/kubernetes-virtual-book-club/">Kubernetes 读书会（Book Club）</a>的， 整个读书会是如何运作的，以及大家如何加入其中，进而更好地利用社区学习体验。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2024/01/23/kubernetes-separate-image-filesystem/Tue, 23 Jan 2024 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2024/01/23/kubernetes-separate-image-filesystem/<!-- layout: blog title: 'Image Filesystem: Configuring Kubernetes to store containers on a separate filesystem' date: 2024-01-23 slug: kubernetes-separate-image-filesystem --> <!-- **Author:** Kevin Hannon (Red Hat) --> <p><strong>作者:</strong> Kevin Hannon (Red Hat)</p> <p><strong>译者:</strong> <a href="https://github.com/windsonsea">Michael Yao</a></p> <!-- A common issue in running/operating Kubernetes clusters is running out of disk space. When the node is provisioned, you should aim to have a good amount of storage space for your container images and running containers. The [container runtime](/docs/setup/production-environment/container-runtimes/) usually writes to `/var`. This can be located as a separate partition or on the root filesystem. CRI-O, by default, writes its containers and images to `/var/lib/containers`, while containerd writes its containers and images to `/var/lib/containerd`. --> <p>磁盘空间不足是运行或操作 Kubernetes 集群时的一个常见问题。 在制备节点时，你应该为容器镜像和正在运行的容器留足够的存储空间。 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/setup/production-environment/container-runtimes/">容器运行时</a>通常会向 <code>/var</code> 目录写入数据。 此目录可以位于单独的分区或根文件系统上。CRI-O 默认将其容器和镜像写入 <code>/var/lib/containers</code>， 而 containerd 将其容器和镜像写入 <code>/var/lib/containerd</code>。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/12/20/contextual-logging-in-kubernetes-1-29/Wed, 20 Dec 2023 09:30:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2023/12/20/contextual-logging-in-kubernetes-1-29/<!-- layout: blog title: "Contextual logging in Kubernetes 1.29: Better troubleshooting and enhanced logging" slug: contextual-logging-in-kubernetes-1-29 date: 2023-12-20T09:30:00-08:00 canonicalUrl: https://www.kubernetes.dev/blog/2023/12/20/contextual-logging/ --> <!-- **Authors**: [Mengjiao Liu](https://github.com/mengjiao-liu/) (DaoCloud), [Patrick Ohly](https://github.com/pohly) (Intel) --> <p><strong>作者</strong>：<a href="https://github.com/mengjiao-liu/">Mengjiao Liu</a> (DaoCloud), <a href="https://github.com/pohly">Patrick Ohly</a> (Intel)</p> <p><strong>译者</strong>：<a href="https://github.com/mengjiao-liu/">Mengjiao Liu</a> (DaoCloud)</p> <!-- On behalf of the [Structured Logging Working Group](https://github.com/kubernetes/community/blob/master/wg-structured-logging/README.md) and [SIG Instrumentation](https://github.com/kubernetes/community/tree/master/sig-instrumentation#readme), we are pleased to announce that the contextual logging feature introduced in Kubernetes v1.24 has now been successfully migrated to two components (kube-scheduler and kube-controller-manager) as well as some directories. This feature aims to provide more useful logs for better troubleshooting of Kubernetes and to empower developers to enhance Kubernetes. --> <p>代表<a href="https://github.com/kubernetes/community/blob/master/wg-structed-logging/README.md">结构化日志工作组</a>和 <a href="https://github.com/kubernetes/community/tree/master/sig-instrumentation#readme">SIG Instrumentation</a>， 我们很高兴地宣布在 Kubernetes v1.24 中引入的上下文日志记录功能现已成功迁移了两个组件（kube-scheduler 和 kube-controller-manager） 以及一些目录。该功能旨在为 Kubernetes 提供更多有用的日志以更好地进行故障排除，并帮助开发人员增强 Kubernetes。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/12/19/kubernetes-1-29-taint-eviction-controller/Tue, 19 Dec 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/12/19/kubernetes-1-29-taint-eviction-controller/<!-- layout: blog title: "Kubernetes 1.29: Decoupling taint-manager from node-lifecycle-controller" date: 2023-12-19 slug: kubernetes-1-29-taint-eviction-controller --> <!-- **Authors:** Yuan Chen (Apple), Andrea Tosatto (Apple) --> <p><strong>作者:</strong> Yuan Chen (Apple), Andrea Tosatto (Apple)</p> <p><strong>译者:</strong> Allen Zhang</p> <!-- This blog discusses a new feature in Kubernetes 1.29 to improve the handling of taint-based pod eviction. --> <p>这篇博客讨论在 Kubernetes 1.29 中基于污点的 Pod 驱逐处理的新特性。</p> <!-- ## Background --> <h2 id="背景">背景</h2> <!-- In Kubernetes 1.29, an improvement has been introduced to enhance the taint-based pod eviction handling on nodes. This blog discusses the changes made to node-lifecycle-controller to separate its responsibilities and improve overall code maintainability. --> <p>在 Kubernetes 1.29 中引入了一项改进，以加强节点上基于污点的 Pod 驱逐处理。 本文将讨论对节点生命周期控制器（node-lifecycle-controller）所做的更改，以分离职责并提高代码的整体可维护性。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/12/19/pod-ready-to-start-containers-condition-now-in-beta/Tue, 19 Dec 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/12/19/pod-ready-to-start-containers-condition-now-in-beta/<!-- layout: blog title: "Kubernetes 1.29: PodReadyToStartContainers Condition Moves to Beta" date: 2023-12-19 slug: pod-ready-to-start-containers-condition-now-in-beta --> <!-- **Authors**: Zefeng Chen (independent), Kevin Hannon (Red Hat) --> <p><strong>作者</strong>：Zefeng Chen (independent), Kevin Hannon (Red Hat)</p> <p><strong>译者</strong>：<a href="https://github.com/windsonsea">Michael Yao</a></p> <!-- With the recent release of Kubernetes 1.29, the `PodReadyToStartContainers` [condition](/docs/concepts/workloads/pods/pod-lifecycle/#pod-conditions) is available by default. The kubelet manages the value for that condition throughout a Pod's lifecycle, in the status field of a Pod. The kubelet will use the `PodReadyToStartContainers` condition to accurately surface the initialization state of a Pod, from the perspective of Pod sandbox creation and network configuration by a container runtime. --> <p>随着最近发布的 Kubernetes 1.29，<code>PodReadyToStartContainers</code> <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/pod-lifecycle/#pod-conditions">状况</a>默认可用。 kubelet 在 Pod 的整个生命周期中管理该状况的值，将其存储在 Pod 的状态字段中。 kubelet 将通过容器运行时从 Pod 沙箱创建和网络配置的角度使用 <code>PodReadyToStartContainers</code> 状况准确地展示 Pod 的初始化状态，</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/12/18/kubernetes-1-29-feature-loadbalancer-ip-mode-alpha/Mon, 18 Dec 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/12/18/kubernetes-1-29-feature-loadbalancer-ip-mode-alpha/<!-- layout: blog title: "Kubernetes 1.29: New (alpha) Feature, Load Balancer IP Mode for Services" date: 2023-12-18 slug: kubernetes-1-29-feature-loadbalancer-ip-mode-alpha --> <!-- **Author:** [Aohan Yang](https://github.com/RyanAoh) --> <p><strong>作者：</strong> <a href="https://github.com/RyanAoh">Aohan Yang</a></p> <p><strong>译者：</strong> Allen Zhang</p> <!-- This blog introduces a new alpha feature in Kubernetes 1.29. It provides a configurable approach to define how Service implementations, exemplified in this blog by kube-proxy, handle traffic from pods to the Service, within the cluster. --> <p>本文介绍 Kubernetes 1.29 中一个新的 Alpha 特性。 此特性提供了一种可配置的方式用于定义 Service 的实现方式，本文中以 kube-proxy 为例介绍如何处理集群内从 Pod 到 Service 的流量。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/12/15/kubernetes-1-29-volume-attributes-class/Fri, 15 Dec 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/12/15/kubernetes-1-29-volume-attributes-class/<!-- layout: blog title: "Kubernetes 1.29: VolumeAttributesClass for Volume Modification" date: 2023-12-15 slug: kubernetes-1-29-volume-attributes-class --> <p><strong>译者</strong>：<a href="https://github.com/carlory">Baofa Fan</a> (DaoCloud)</p> <!-- The v1.29 release of Kubernetes introduced an alpha feature to support modifying a volume by changing the `volumeAttributesClassName` that was specified for a PersistentVolumeClaim (PVC). With the feature enabled, Kubernetes can handle updates of volume attributes other than capacity. Allowing volume attributes to be changed without managing it through different provider's APIs directly simplifies the current flow. You can read about VolumeAttributesClass usage details in the Kubernetes documentation or you can read on to learn about why the Kubernetes project is supporting this feature. --> <p>Kubernetes v1.29 版本引入了一个 Alpha 功能，支持通过变更 PersistentVolumeClaim（PVC）的 <code>volumeAttributesClassName</code> 字段来修改卷。启用该功能后，Kubernetes 可以处理除容量以外的卷属性的更新。 允许更改卷属性，而无需通过不同提供商的 API 对其进行管理，这直接简化了当前流程。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/11/24/sig-testing-spotlight-2023/Fri, 24 Nov 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/11/24/sig-testing-spotlight-2023/<!-- layout: blog title: "Spotlight on SIG Testing" slug: sig-testing-spotlight-2023 date: 2023-11-24 canonicalUrl: https://www.kubernetes.dev/blog/2023/11/24/sig-testing-spotlight-2023/ --> <p><strong>作者:</strong> Sandipan Panda</p> <p><strong>译者:</strong> <a href="https://github.com/windsonsea">Michael Yao</a></p> <!-- Welcome to another edition of the _SIG spotlight_ blog series, where we highlight the incredible work being done by various Special Interest Groups (SIGs) within the Kubernetes project. In this edition, we turn our attention to [SIG Testing](https://github.com/kubernetes/community/tree/master/sig-testing#readme), a group interested in effective testing of Kubernetes and automating away project toil. SIG Testing focus on creating and running tools and infrastructure that make it easier for the community to write and run tests, and to contribute, analyze and act upon test results. --> <p>欢迎阅读又一期的 “SIG 聚光灯” 系列博客，这些博客重点介绍 Kubernetes 项目中各个特别兴趣小组（SIG）所从事的令人赞叹的工作。这篇博客将聚焦 <a href="https://github.com/kubernetes/community/tree/master/sig-testing#readme">SIG Testing</a>， 这是一个致力于有效测试 Kubernetes，让此项目的繁琐工作实现自动化的兴趣小组。 SIG Testing 专注于创建和运行工具和基础设施，使社区更容易编写和运行测试，并对测试结果做贡献、分析和处理。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/11/16/kubernetes-1-29-upcoming-changes/Thu, 16 Nov 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/11/16/kubernetes-1-29-upcoming-changes/<!-- layout: blog title: 'Kubernetes Removals, Deprecations, and Major Changes in Kubernetes 1.29' date: 2023-11-16 slug: kubernetes-1-29-upcoming-changes --> <!-- **Authors:** Carol Valencia, Kristin Martin, Abigail McCarthy, James Quigley, Hosam Kamel --> <p><strong>作者:</strong> Carol Valencia, Kristin Martin, Abigail McCarthy, James Quigley, Hosam Kamel</p> <p><strong>译者:</strong> <a href="https://github.com/windsonsea">Michael Yao</a> (DaoCloud)</p> <!-- As with every release, Kubernetes v1.29 will introduce feature deprecations and removals. Our continued ability to produce high-quality releases is a testament to our robust development cycle and healthy community. The following are some of the deprecations and removals coming in the Kubernetes 1.29 release. --> <p>和其他每次发布一样，Kubernetes v1.29 将弃用和移除一些特性。 一贯以来生成高质量发布版本的能力是开发周期稳健和社区健康的证明。 下文列举即将发布的 Kubernetes 1.29 中的一些弃用和移除事项。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/11/07/introducing-sig-etcd/Tue, 07 Nov 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/11/07/introducing-sig-etcd/<!-- layout: blog title: "Introducing SIG etcd" slug: introducing-sig-etcd date: 2023-11-07 canonicalUrl: https://etcd.io/blog/2023/introducing-sig-etcd/ --> <!-- **Authors**: Han Kang (Google), Marek Siarkowicz (Google), Frederico Muñoz (SAS Institute) --> <p><strong>作者</strong>：Han Kang (Google), Marek Siarkowicz (Google), Frederico Muñoz (SAS Institute)</p> <p><strong>译者</strong>：Xin Li (Daocloud)</p> <!-- Special Interest Groups (SIGs) are a fundamental part of the Kubernetes project, with a substantial share of the community activity happening within them. When the need arises, [new SIGs can be created](https://github.com/kubernetes/community/blob/master/sig-wg-lifecycle.md), and that was precisely what happened recently. --> <p>特殊兴趣小组（SIG）是 Kubernetes 项目的基本组成部分，很大一部分的 Kubernetes 社区活动都在其中进行。 当有需要时，可以创建<a href="https://github.com/kubernetes/community/blob/master/sig-wg-lifecycle.md">新的 SIG</a>， 而这正是最近发生的事情。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/10/31/gateway-api-ga/Tue, 31 Oct 2023 10:00:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2023/10/31/gateway-api-ga/<!-- layout: blog title: "Gateway API v1.0: GA Release" date: 2023-10-31T10:00:00-08:00 slug: gateway-api-ga --> <!-- **Authors:** Shane Utt (Kong), Nick Young (Isovalent), Rob Scott (Google) --> <p><strong>作者：</strong> Shane Utt (Kong), Nick Young (Isovalent), Rob Scott (Google)</p> <p><strong>译者：</strong> Xin Li (Daocloud)</p> <!-- On behalf of Kubernetes SIG Network, we are pleased to announce the v1.0 release of [Gateway API](https://gateway-api.sigs.k8s.io/)! This release marks a huge milestone for this project. Several key APIs are graduating to GA (generally available), while other significant features have been added to the Experimental channel. --> <p>我们代表 Kubernetes SIG Network 很高兴地宣布 <a href="https://gateway-api.sigs.k8s.io/">Gateway API</a> v1.0 版本发布！此版本是该项目的一个重要里程碑。几个关键的 API 正在逐步进入 GA（正式发布）阶段， 同时其他重要特性已添加到实验（Experimental）通道中。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/10/23/persistent-volume-last-phase-transition-time/Mon, 23 Oct 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/10/23/persistent-volume-last-phase-transition-time/<!-- layout: blog title: PersistentVolume Last Phase Transition Time in Kubernetes date: 2023-10-23 slug: persistent-volume-last-phase-transition-time --> <!-- **Author:** Roman Bednář (Red Hat) --> <p><strong>作者：</strong> Roman Bednář (Red Hat)</p> <p><strong>译者：</strong> Xin Li (DaoCloud)</p> <!-- In the recent Kubernetes v1.28 release, we (SIG Storage) introduced a new alpha feature that aims to improve PersistentVolume (PV) storage management and help cluster administrators gain better insights into the lifecycle of PVs. With the addition of the `lastPhaseTransitionTime` field into the status of a PV, cluster administrators are now able to track the last time a PV transitioned to a different [phase](/docs/concepts/storage/persistent-volumes/#phase), allowing for more efficient and informed resource management. --> <p>在最近的 Kubernetes v1.28 版本中，我们（SIG Storage）引入了一项新的 Alpha 级别特性， 旨在改进 PersistentVolume（PV）存储管理并帮助集群管理员更好地了解 PV 的生命周期。 通过将 <code>lastPhaseTransitionTime</code> 字段添加到 PV 的状态中，集群管理员现在可以跟踪 PV 上次转换到不同<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/#phase">阶段</a>的时间， 从而实现更高效、更明智的资源管理。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/10/20/kcs-shanghai/Fri, 20 Oct 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/10/20/kcs-shanghai/<!-- layout: blog title: "A Quick Recap of 2023 China Kubernetes Contributor Summit" slug: kcs-shanghai date: 2023-10-20 canonicalUrl: https://www.kubernetes.dev/blog/2023/10/20/kcs-shanghai/ --> <!-- **Author:** Paco Xu and Michael Yao (DaoCloud) On September 26, 2023, the first day of [KubeCon + CloudNativeCon + Open Source Summit China 2023](https://www.lfasiallc.com/kubecon-cloudnativecon-open-source-summit-china/), nearly 50 contributors gathered in Shanghai for the Kubernetes Contributor Summit. --> <p><strong>作者：</strong> Paco Xu 和 Michael Yao (DaoCloud)</p> <p>2023 年 9 月 26 日，即 <a href="https://www.lfasiallc.com/kubecon-cloudnativecon-open-source-summit-china/">KubeCon + CloudNativeCon + Open Source Summit China 2023</a> 第一天，近 50 位社区贡献者济济一堂，在上海聚首 Kubernetes 贡献者峰会。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/10/10/cri-o-community-package-infrastructure/Tue, 10 Oct 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/10/10/cri-o-community-package-infrastructure/<!-- layout: blog title: "CRI-O is moving towards pkgs.k8s.io" date: 2023-10-10 slug: cri-o-community-package-infrastructure --> <p><strong>作者</strong>：Sascha Grunert</p> <!-- **Author:** Sascha Grunert --> <p><strong>译者</strong>：Wilson Wu (DaoCloud)</p> <!-- The Kubernetes community [recently announced](/blog/2023/08/31/legacy-package-repository-deprecation/) that their legacy package repositories are frozen, and now they moved to [introduced community-owned package repositories](/blog/2023/08/15/pkgs-k8s-io-introduction) powered by the [OpenBuildService (OBS)](https://build.opensuse.org/project/subprojects/isv:kubernetes). CRI-O has a long history of utilizing [OBS for their package builds](https://github.com/cri-o/cri-o/blob/e292f17/install.md#install-packaged-versions-of-cri-o), but all of the packaging efforts have been done manually so far. --> <p>Kubernetes 社区<a href="https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/31/legacy-package-repository-deprecation/">最近宣布</a>旧的软件包仓库已被冻结， 现在这些软件包将被迁移到由 <a href="https://build.opensuse.org/project/subprojects/isv:kubernetes">OpenBuildService（OBS）</a> 提供支持的<a href="https://andygol-k8s.netlify.app/blog/2023/08/15/pkgs-k8s-io-introduction">社区自治软件包仓库</a>中。 很久以来，CRI-O 一直在利用 <a href="https://github.com/cri-o/cri-o/blob/e292f17/install.md#install-packaged-versions-of-cri-o">OBS 进行软件包构建</a>， 但到目前为止，所有打包工作都是手动完成的。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/10/05/sig-architecture-conformance-spotlight-2023/Thu, 05 Oct 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/10/05/sig-architecture-conformance-spotlight-2023/<!-- layout: blog title: "Spotlight on SIG Architecture: Conformance" slug: sig-architecture-conformance-spotlight-2023 date: 2023-10-05 canonicalUrl: https://www.k8s.dev/blog/2023/10/05/sig-architecture-conformance-spotlight-2023/ --> <!-- **Author**: Frederico Muñoz (SAS Institute) --> <p><strong>作者</strong>：Frederico Muñoz (SAS Institute)</p> <p><strong>译者</strong>：<a href="https://github.com/windsonsea">Michael Yao</a> (DaoCloud)</p> <!-- _This is the first interview of a SIG Architecture Spotlight series that will cover the different subprojects. We start with the SIG Architecture: Conformance subproject_ In this [SIG Architecture](https://github.com/kubernetes/community/blob/master/sig-architecture/README.md) spotlight, we talked with [Riaan Kleinhans](https://github.com/Riaankl) (ii.nz), Lead for the [Conformance sub-project](https://github.com/kubernetes/community/blob/master/sig-architecture/README.md#conformance-definition-1). --> <p><strong>这是 SIG Architecture 焦点访谈系列的首次采访，这一系列访谈将涵盖多个子项目。 我们从 SIG Architecture：Conformance 子项目开始。</strong></p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/10/02/steering-committee-results-2023/Mon, 02 Oct 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/10/02/steering-committee-results-2023/<!-- layout: blog title: "Announcing the 2023 Steering Committee Election Results" date: 2023-10-02 slug: steering-committee-results-2023 --> <!-- **Author**: Kaslin Fields --> <p><strong>作者</strong>：Kaslin Fields</p> <p><strong>译者</strong>：Xin Li(DaoCloud)</p> <!-- The [2023 Steering Committee Election](https://github.com/kubernetes/community/tree/master/events/elections/2023) is now complete. The Kubernetes Steering Committee consists of 7 seats, 4 of which were up for election in 2023. Incoming committee members serve a term of 2 years, and all members are elected by the Kubernetes Community. --> <p><a href="https://github.com/kubernetes/community/tree/master/events/elections/2023">2023 年指导委员会选举</a>现已完成。 Kubernetes 指导委员会由 7 个席位组成，其中 4 个席位于 2023 年进行选举。 新任委员会成员的任期为 2 年，所有成员均由 Kubernetes 社区选举产生。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/09/26/happy-7th-birthday-kubeadm/Tue, 26 Sep 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/09/26/happy-7th-birthday-kubeadm/<!-- layout: blog title: 'Happy 7th Birthday kubeadm!' date: 2023-09-26 slug: happy-7th-birthday-kubeadm --> <!-- **Author:** Fabrizio Pandini (VMware) --> <p><strong>作者:</strong> Fabrizio Pandini (VMware)</p> <p><strong>译者:</strong> <a href="https://github.com/windsonsea">Michael Yao</a> (DaoCloud)</p> <!-- What a journey so far! Starting from the initial blog post [“How we made Kubernetes insanely easy to install”](/blog/2016/09/how-we-made-kubernetes-easy-to-install/) in September 2016, followed by an exciting growth that lead to general availability / [“Production-Ready Kubernetes Cluster Creation with kubeadm”](/blog/2018/12/04/production-ready-kubernetes-cluster-creation-with-kubeadm/) two years later. And later on a continuous, steady and reliable flow of small improvements that is still going on as of today. --> <p>回首向来萧瑟处，七年光阴风雨路！</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/09/25/kubeadm-use-etcd-learner-mode/Mon, 25 Sep 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/09/25/kubeadm-use-etcd-learner-mode/<!-- layout: blog title: 'kubeadm: Use etcd Learner to Join a Control Plane Node Safely' date: 2023-09-25 slug: kubeadm-use-etcd-learner-mode --> <!-- **Author:** Paco Xu (DaoCloud) --> <p><strong>作者:</strong> Paco Xu (DaoCloud)</p> <p><strong>译者:</strong> <a href="https://github.com/windsonsea">Michael Yao</a> (DaoCloud)</p> <!-- The [`kubeadm`](/docs/reference/setup-tools/kubeadm/) tool now supports etcd learner mode, which allows you to enhance the resilience and stability of your Kubernetes clusters by leveraging the [learner mode](https://etcd.io/docs/v3.4/learning/design-learner/#appendix-learner-implementation-in-v34) feature introduced in etcd version 3.4. This guide will walk you through using etcd learner mode with kubeadm. By default, kubeadm runs a local etcd instance on each control plane node. --> <p><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/setup-tools/kubeadm/"><code>kubeadm</code></a> 工具现在支持 etcd learner 模式， 借助 etcd 3.4 版本引入的 <a href="https://etcd.io/docs/v3.4/learning/design-learner/#appendix-learner-implementation-in-v34">learner 模式</a>特性， 可以提高 Kubernetes 集群的弹性和稳定性。本文将介绍如何在 kubeadm 中使用 etcd learner 模式。 默认情况下，kubeadm 在每个控制平面节点上运行一个本地 etcd 实例。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/09/13/userns-alpha/Wed, 13 Sep 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/09/13/userns-alpha/<!-- layout: blog title: "User Namespaces: Now Supports Running Stateful Pods in Alpha!" date: 2023-09-13 slug: userns-alpha --> <!-- **Authors:** Rodrigo Campos Catelin (Microsoft), Giuseppe Scrivano (Red Hat), Sascha Grunert (Red Hat) --> <p><strong>作者：</strong> Rodrigo Campos Catelin (Microsoft), Giuseppe Scrivano (Red Hat), Sascha Grunert (Red Hat)</p> <p><strong>译者：</strong> Xin Li (DaoCloud)</p> <!-- Kubernetes v1.25 introduced support for user namespaces for only stateless pods. Kubernetes 1.28 lifted that restriction, after some design changes were done in 1.27. --> <p>Kubernetes v1.25 引入用户命名空间（User Namespace）特性，仅支持无状态（Stateless）Pod。 Kubernetes 1.28 在 1.27 的基础上中进行了一些改进后，取消了这一限制。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/09/12/local-k8s-development-tools/Tue, 12 Sep 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/09/12/local-k8s-development-tools/<!-- layout: blog title: 'Comparing Local Kubernetes Development Tools: Telepresence, Gefyra, and mirrord' date: 2023-09-12 slug: local-k8s-development-tools --> <!-- **Author:** Eyal Bukchin (MetalBear) --> <p><strong>作者:</strong> Eyal Bukchin (MetalBear)</p> <p><strong>译者:</strong> <a href="https://github.com/windsonsea">Michael Yao</a> (DaoCloud)</p> <!-- The Kubernetes development cycle is an evolving landscape with a myriad of tools seeking to streamline the process. Each tool has its unique approach, and the choice often comes down to individual project requirements, the team's expertise, and the preferred workflow. --> <p>Kubernetes 的开发周期是一个不断演化的领域，有许多工具在寻求简化这个过程。 每个工具都有其独特的方法，具体选择通常取决于各个项目的要求、团队的专业知识以及所偏好的工作流。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/31/legacy-package-repository-deprecation/Thu, 31 Aug 2023 15:30:00 -0700https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/31/legacy-package-repository-deprecation/<!-- layout: blog title: "Kubernetes Legacy Package Repositories Will Be Frozen On September 13, 2023" date: 2023-08-31T15:30:00-07:00 slug: legacy-package-repository-deprecation evergreen: true author: > Bob Killen (Google), Chris Short (AWS), Jeremy Rickard (Microsoft), Marko Mudrinić (Kubermatic), Tim Bannister (The Scale Factory) --> <!-- On August 15, 2023, the Kubernetes project announced the general availability of the community-owned package repositories for Debian and RPM packages available at `pkgs.k8s.io`. The new package repositories are replacement for the legacy Google-hosted package repositories: `apt.kubernetes.io` and `yum.kubernetes.io`. The [announcement blog post for `pkgs.k8s.io`](/blog/2023/08/15/pkgs-k8s-io-introduction/) highlighted that we will stop publishing packages to the legacy repositories in the future. --> <p>2023 年 8 月 15 日，Kubernetes 项目宣布社区拥有的 Debian 和 RPM 软件包仓库在 <code>pkgs.k8s.io</code> 上正式提供。新的软件包仓库将取代旧的由 Google 托管的软件包仓库：<code>apt.kubernetes.io</code> 和 <code>yum.kubernetes.io</code>。 <a href="https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/15/pkgs-k8s-io-introduction/"><code>pkgs.k8s.io</code> 的公告博客文章</a>强调我们未来将停止将软件包发布到旧仓库。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/29/gateway-api-v0-8/Tue, 29 Aug 2023 10:00:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/29/gateway-api-v0-8/<!-- layout: blog title: "Gateway API v0.8.0: Introducing Service Mesh Support" date: 2023-08-29T10:00:00-08:00 slug: gateway-api-v0-8 --> <!-- ***Authors:*** Flynn (Buoyant), John Howard (Google), Keith Mattix (Microsoft), Michael Beaumont (Kong), Mike Morris (independent), Rob Scott (Google) --> <p><strong>作者：</strong> Flynn (Buoyant), John Howard (Google), Keith Mattix (Microsoft), Michael Beaumont (Kong), Mike Morris (independent), Rob Scott (Google)</p> <p><strong>译者：</strong> Xin Li (Daocloud)</p> <!-- We are thrilled to announce the v0.8.0 release of Gateway API! With this release, Gateway API support for service mesh has reached [Experimental status][status]. We look forward to your feedback! We're especially delighted to announce that Kuma 2.3+, Linkerd 2.14+, and Istio 1.16+ are all fully-conformant implementations of Gateway API service mesh support. --> <p>我们很高兴地宣布 Gateway API 的 v0.8.0 版本发布了！ 通过此版本，Gateway API 对服务网格的支持已达到<a href="https://gateway-api.sigs.k8s.io/geps/overview/#status">实验性（Experimental）状态</a>。 我们期待你的反馈！</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/28/kubernetes-1-28-feature-mixed-version-proxy-alpha/Mon, 28 Aug 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/28/kubernetes-1-28-feature-mixed-version-proxy-alpha/<!-- layout: blog title: "Kubernetes 1.28: A New (alpha) Mechanism For Safer Cluster Upgrades" date: 2023-08-28 slug: kubernetes-1-28-feature-mixed-version-proxy-alpha --> <!-- **Author:** Richa Banker (Google) --> <p><strong>作者：</strong> Richa Banker (Google)</p> <p><strong>译者：</strong> Xin Li (DaoCloud)</p> <!-- This blog describes the _mixed version proxy_, a new alpha feature in Kubernetes 1.28. The mixed version proxy enables an HTTP request for a resource to be served by the correct API server in cases where there are multiple API servers at varied versions in a cluster. For example, this is useful during a cluster upgrade, or when you're rolling out the runtime configuration of the cluster's control plane. --> <p>本博客介绍了<strong>混合版本代理（Mixed Version Proxy）</strong>，这是 Kubernetes 1.28 中的一个新的 Alpha 级别特性。当集群中存在多个不同版本的 API 服务器时，混合版本代理使对资源的 HTTP 请求能够被正确的 API 服务器处理。例如，在集群升级期间或当发布集群控制平面的运行时配置时此特性非常有用。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/25/native-sidecar-containers/Fri, 25 Aug 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/25/native-sidecar-containers/<!-- layout: blog title: "Kubernetes v1.28: Introducing native sidecar containers" date: 2023-08-25 slug: native-sidecar-containers --> <p><strong>作者</strong>：Todd Neal (AWS), Matthias Bertschy (ARMO), Sergey Kanzhelev (Google), Gunju Kim (NAVER), Shannon Kularathna (Google)</p> <!-- ***Authors:*** Todd Neal (AWS), Matthias Bertschy (ARMO), Sergey Kanzhelev (Google), Gunju Kim (NAVER), Shannon Kularathna (Google) --> <!-- This post explains how to use the new sidecar feature, which enables restartable init containers and is available in alpha in Kubernetes 1.28. We want your feedback so that we can graduate this feature as soon as possible. --> <p>本文介绍了如何使用新的边车（Sidecar）功能，该功能支持可重新启动的 Init 容器， 并且在 Kubernetes 1.28 以 Alpha 版本发布。我们希望得到你的反馈，以便我们尽快完成此功能。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/24/swap-linux-beta/Thu, 24 Aug 2023 10:00:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/24/swap-linux-beta/<!-- layout: blog title: "Kubernetes 1.28: Beta support for using swap on Linux" date: 2023-08-24T10:00:00-08:00 slug: swap-linux-beta --> <!-- **Author:** Itamar Holder (Red Hat) --> <p><strong>作者</strong>：Itamar Holder (Red Hat)</p> <p><strong>译者</strong>：Wilson Wu (DaoCloud)</p> <!-- The 1.22 release [introduced Alpha support](/blog/2021/08/09/run-nodes-with-swap-alpha/) for configuring swap memory usage for Kubernetes workloads running on Linux on a per-node basis. Now, in release 1.28, support for swap on Linux nodes has graduated to Beta, along with many new improvements. --> <p>Kubernetes 1.22 版本为交换内存<a href="https://andygol-k8s.netlify.app/blog/2021/08/09/run-nodes-with-swap-alpha/">引入了一项 Alpha 支持</a>， 用于为在 Linux 节点上运行的 Kubernetes 工作负载逐个节点地配置交换内存使用。 现在，在 1.28 版中，对 Linux 节点上的交换内存的支持已升级为 Beta 版，并有许多新的改进。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/23/kubelet-podresources-api-ga/Wed, 23 Aug 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/23/kubelet-podresources-api-ga/<!-- layout: blog title: 'Kubernetes 1.28: Node podresources API Graduates to GA' date: 2023-08-23 slug: kubelet-podresources-api-GA --> <!-- **Author:** Francesco Romani (Red Hat) --> <p><strong>作者</strong>：Francesco Romani (Red Hat)</p> <p><strong>译者</strong>：Wilson Wu (DaoCloud)</p> <!-- The podresources API is an API served by the kubelet locally on the node, which exposes the compute resources exclusively allocated to containers. With the release of Kubernetes 1.28, that API is now Generally Available. --> <p>podresources API 是由 kubelet 提供的节点本地 API，它用于公开专门分配给容器的计算资源。 随着 Kubernetes 1.28 的发布，该 API 现已正式发布。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/21/kubernetes-1-28-jobapi-update/Mon, 21 Aug 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/21/kubernetes-1-28-jobapi-update/<!-- layout: blog title: "Kubernetes 1.28: Improved failure handling for Jobs" date: 2023-08-21 slug: kubernetes-1-28-jobapi-update --> <!-- **Authors:** Kevin Hannon (G-Research), Michał Woźniak (Google) --> <p><strong>作者：</strong> Kevin Hannon (G-Research), Michał Woźniak (Google)</p> <p><strong>译者：</strong> Xin Li (Daocloud)</p> <!-- This blog discusses two new features in Kubernetes 1.28 to improve Jobs for batch users: [Pod replacement policy](/docs/concepts/workloads/controllers/job/#pod-replacement-policy) and [Backoff limit per index](/docs/concepts/workloads/controllers/job/#backoff-limit-per-index). --> <p>本博客讨论 Kubernetes 1.28 中的两个新特性，用于为批处理用户改进 Job： <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/job/#pod-replacement-policy">Pod 更换策略</a> 和<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/job/#backoff-limit-per-index">基于索引的回退限制</a>。</p> <!-- These features continue the effort started by the [Pod failure policy](/docs/concepts/workloads/controllers/job/#pod-failure-policy) to improve the handling of Pod failures in a Job. --> <p>这些特性延续了 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/job/#pod-failure-policy">Pod 失效策略</a> 为开端的工作，用来改进对 Job 中 Pod 失效的处理。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/18/retroactive-default-storage-class-ga/Fri, 18 Aug 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/18/retroactive-default-storage-class-ga/<!-- layout: blog title: "Kubernetes v1.28: Retroactive Default StorageClass move to GA" date: 2023-08-18 slug: retroactive-default-storage-class-ga --> <!-- **Author:** Roman Bednář (Red Hat) --> <p><strong>作者:</strong> Roman Bednář (Red Hat)</p> <p><strong>译者:</strong> <a href="https://github.com/windsonsea">Michael Yao</a> (DaoCloud)</p> <!-- Announcing graduation to General Availability (GA) - Retroactive Default StorageClass Assignment in Kubernetes v1.28! --> <p>可追溯的默认 StorageClass 赋值（Retroactive Default StorageClass Assignment）在 Kubernetes v1.28 中宣布进阶至正式发布（GA）！</p> <!-- Kubernetes SIG Storage team is thrilled to announce that the "Retroactive Default StorageClass Assignment" feature, introduced as an alpha in Kubernetes v1.25, has now graduated to GA and is officially part of the Kubernetes v1.28 release. This enhancement brings a significant improvement to how default [StorageClasses](/docs/concepts/storage/storage-classes/) are assigned to PersistentVolumeClaims (PVCs). --> <p>Kubernetes SIG Storage 团队非常高兴地宣布，在 Kubernetes v1.25 中作为 Alpha 特性引入的 “可追溯默认 StorageClass 赋值” 现已进阶至 GA， 并正式成为 Kubernetes v1.28 发行版的一部分。 这项增强特性极大地改进了默认的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/storage-classes/">StorageClasses</a> 为 PersistentVolumeClaim (PVC) 赋值的方式。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/16/kubernetes-1-28-non-graceful-node-shutdown-ga/Wed, 16 Aug 2023 10:00:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/16/kubernetes-1-28-non-graceful-node-shutdown-ga/<!-- layout: blog title: "Kubernetes 1.28: Non-Graceful Node Shutdown Moves to GA" date: 2023-08-16T10:00:00-08:00 slug: kubernetes-1-28-non-graceful-node-shutdown-GA --> <!-- **Authors:** Xing Yang (VMware) and Ashutosh Kumar (Elastic) --> <p><strong>作者：</strong> Xing Yang (VMware) 和 Ashutosh Kumar (Elastic)</p> <p><strong>译者：</strong> Xin Li (Daocloud)</p> <!-- The Kubernetes Non-Graceful Node Shutdown feature is now GA in Kubernetes v1.28. It was introduced as [alpha](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/2268-non-graceful-shutdown) in Kubernetes v1.24, and promoted to [beta](https://kubernetes.io/blog/2022/12/16/kubernetes-1-26-non-graceful-node-shutdown-beta/) in Kubernetes v1.26. This feature allows stateful workloads to restart on a different node if the original node is shutdown unexpectedly or ends up in a non-recoverable state such as the hardware failure or unresponsive OS. --> <p>Kubernetes 节点非体面关闭特性现已在 Kubernetes v1.28 中正式发布。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/15/pkgs-k8s-io-introduction/Tue, 15 Aug 2023 20:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/08/15/pkgs-k8s-io-introduction/<!-- layout: blog title: "pkgs.k8s.io: Introducing Kubernetes Community-Owned Package Repositories" date: 2023-08-15T20:00:00+0000 slug: pkgs-k8s-io-introduction author: > Marko Mudrinić (Kubermatic) --> <!-- On behalf of Kubernetes SIG Release, I am very excited to introduce the Kubernetes community-owned software repositories for Debian and RPM packages: `pkgs.k8s.io`! The new package repositories are replacement for the Google-hosted package repositories (`apt.kubernetes.io` and `yum.kubernetes.io`) that we've been using since Kubernetes v1.5. --> <p>我很高兴代表 Kubernetes SIG Release 介绍 Kubernetes 社区自有的 Debian 和 RPM 软件仓库：<code>pkgs.k8s.io</code>！ 这些全新的仓库取代了我们自 Kubernetes v1.5 以来一直使用的托管在 Google 的仓库（<code>apt.kubernetes.io</code> 和 <code>yum.kubernetes.io</code>）。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/07/20/sig-cli-spotlight-2023/Thu, 20 Jul 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/07/20/sig-cli-spotlight-2023/<!-- layout: blog title: "Spotlight on SIG CLI" date: 2023-07-20 slug: sig-cli-spotlight-2023 canonicalUrl: https://www.kubernetes.dev/blog/2023/07/13/sig-cli-spotlight-2023/ --> <!-- **Author**: Arpit Agrawal --> <p><strong>作者</strong>：Arpit Agrawal</p> <p><strong>译者</strong>：Xin Li (Daocloud)</p> <!-- In the world of Kubernetes, managing containerized applications at scale requires powerful and efficient tools. The command-line interface (CLI) is an integral part of any developer or operator’s toolkit, offering a convenient and flexible way to interact with a Kubernetes cluster. --> <p>在 Kubernetes 的世界中，大规模管理容器化应用程序需要强大而高效的工具。 命令行界面（CLI）是任何开发人员或操作人员工具包不可或缺的一部分， 其提供了一种方便灵活的方式与 Kubernetes 集群交互。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/07/06/confidential-kubernetes/Thu, 06 Jul 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/07/06/confidential-kubernetes/<!-- layout: blog title: "Confidential Kubernetes: Use Confidential Virtual Machines and Enclaves to improve your cluster security" date: 2023-07-06 slug: "confidential-kubernetes" --> <!-- **Authors:** Fabian Kammel (Edgeless Systems), Mikko Ylinen (Intel), Tobin Feldman-Fitzthum (IBM) --> <p><strong>作者</strong>：Fabian Kammel (Edgeless Systems), Mikko Ylinen (Intel), Tobin Feldman-Fitzthum (IBM)</p> <p><strong>译者</strong>：<a href="https://github.com/asa3311">顾欣</a></p> <!-- In this blog post, we will introduce the concept of Confidential Computing (CC) to improve any computing environment's security and privacy properties. Further, we will show how the Cloud-Native ecosystem, particularly Kubernetes, can benefit from the new compute paradigm. Confidential Computing is a concept that has been introduced previously in the cloud-native world. The [Confidential Computing Consortium](https://confidentialcomputing.io/) (CCC) is a project community in the Linux Foundation that already worked on [Defining and Enabling Confidential Computing](https://confidentialcomputing.io/wp-content/uploads/sites/85/2019/12/CCC_Overview.pdf). In the [Whitepaper](https://confidentialcomputing.io/wp-content/uploads/sites/85/2023/01/CCC-A-Technical-Analysis-of-Confidential-Computing-v1.3_Updated_November_2022.pdf), they provide a great motivation for the use of Confidential Computing: > Data exists in three states: in transit, at rest, and in use. …Protecting sensitive data > in all of its states is more critical than ever. Cryptography is now commonly deployed > to provide both data confidentiality (stopping unauthorized viewing) and data integrity > (preventing or detecting unauthorized changes). While techniques to protect data in transit > and at rest are now commonly deployed, the third state - protecting data in use - is the new frontier. Confidential Computing aims to primarily solve the problem of **protecting data in use** by introducing a hardware-enforced Trusted Execution Environment (TEE). --> <p>在这篇博客文章中，我们将介绍机密计算（Confidential Computing，简称 CC）的概念， 以增强任何计算环境的安全和隐私属性。此外，我们将展示云原生生态系统， 特别是 Kubernetes，如何从新的计算范式中受益。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/06/29/container-image-signature-verification/Thu, 29 Jun 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/06/29/container-image-signature-verification/<!-- layout: blog title: "Verifying Container Image Signatures Within CRI Runtimes" date: 2023-06-29 slug: container-image-signature-verification --> <!-- **Author**: Sascha Grunert --> <p><strong>作者:</strong> Sascha Grunert</p> <p><strong>译者:</strong> <a href="https://github.com/windsonsea">Michael Yao</a> (DaoCloud)</p> <!-- The Kubernetes community has been signing their container image-based artifacts since release v1.24. While the graduation of the [corresponding enhancement][kep] from `alpha` to `beta` in v1.26 introduced signatures for the binary artifacts, other projects followed the approach by providing image signatures for their releases, too. This means that they either create the signatures within their own CI/CD pipelines, for example by using GitHub actions, or rely on the Kubernetes [image promotion][promo] process to automatically sign the images by proposing pull requests to the [k/k8s.io][k8s.io] repository. A requirement for using this process is that the project is part of the `kubernetes` or `kubernetes-sigs` GitHub organization, so that they can utilize the community infrastructure for pushing images into staging buckets. --> <p>Kubernetes 社区自 v1.24 版本开始对基于容器镜像的工件进行签名。在 v1.26 中， <a href="https://github.com/kubernetes/enhancements/issues/3031">相应的增强特性</a>从 <code>alpha</code> 进阶至 <code>beta</code>，引入了针对二进制工件的签名。 其他项目也采用了类似的方法，为其发布版本提供镜像签名。这意味着这些项目要么使用 GitHub actions 在自己的 CI/CD 流程中创建签名，要么依赖于 Kubernetes 的<a href="https://github.com/kubernetes-sigs/promo-tools/blob/e2b96dd/docs/image-promotion.md">镜像推广</a>流程， 通过向 <a href="https://github.com/kubernetes/k8s.io/tree/4b95cc2/k8s.gcr.io">k/k8s.io</a> 仓库提交 PR 来自动签名镜像。 使用此流程的前提要求是项目必须属于 <code>kubernetes</code> 或 <code>kubernetes-sigs</code> GitHub 组织， 这样能够利用社区基础设施将镜像推送到暂存桶中。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/06/09/dl-adopt-cdn/Fri, 09 Jun 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/06/09/dl-adopt-cdn/<!-- layout: blog title: "dl.k8s.io to adopt a Content Delivery Network" date: 2023-06-09 slug: dl-adopt-cdn --> <!-- **Authors**: Arnaud Meukam (VMware), Hannah Aubry (Fast Forward), Frederico Muñoz (SAS Institute) --> <p><strong>作者</strong>：Arnaud Meukam (VMware), Hannah Aubry (Fast Forward), Frederico Muñoz (SAS Institute)</p> <p><strong>译者</strong>：<a href="https://github.com/my-git9">Xin Li</a> (Daocloud)</p> <!-- We're happy to announce that dl.k8s.io, home of the official Kubernetes binaries, will soon be powered by [Fastly](https://www.fastly.com). Fastly is known for its high-performance content delivery network (CDN) designed to deliver content quickly and reliably around the world. With its powerful network, Fastly will help us deliver official Kubernetes binaries to users faster and more reliably than ever before. --> <p>我们很高兴地宣布，官方 Kubernetes 二进制文件的主页 dl.k8s.io 很快将由 <a href="https://www.fastly.com">Fastly</a> 提供支持。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/24/oci-security-profiles/Wed, 24 May 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/24/oci-security-profiles/<!-- layout: blog title: "Using OCI artifacts to distribute security profiles for seccomp, SELinux and AppArmor" date: 2023-05-24 slug: oci-security-profiles --> <!-- **Author**: Sascha Grunert --> <p><strong>作者</strong>: Sascha Grunert</p> <p><strong>译者</strong>: <a href="https://github.com/windsonsea">Michael Yao</a> (DaoCloud)</p> <!-- The [Security Profiles Operator (SPO)][spo] makes managing seccomp, SELinux and AppArmor profiles within Kubernetes easier than ever. It allows cluster administrators to define the profiles in a predefined custom resource YAML, which then gets distributed by the SPO into the whole cluster. Modification and removal of the security profiles are managed by the operator in the same way, but that’s a small subset of its capabilities. --> <p><a href="https://github.com/kubernetes-sigs/security-profiles-operator">Security Profiles Operator (SPO)</a> 使得在 Kubernetes 中管理 seccomp、SELinux 和 AppArmor 配置文件变得更加容易。 它允许集群管理员在预定义的自定义资源 YAML 中定义配置文件，然后由 SPO 分发到整个集群中。 安全配置文件的修改和移除也由 Operator 以同样的方式进行管理，但这只是其能力的一小部分。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/18/seccomp-profiles-edge/Thu, 18 May 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/18/seccomp-profiles-edge/<!-- layout: blog title: "Having fun with seccomp profiles on the edge" date: 2023-05-18 slug: seccomp-profiles-edge --> <!-- **Author**: Sascha Grunert --> <p><strong>作者</strong>: Sascha Grunert</p> <p><strong>译者</strong>: <a href="https://github.com/windsonsea">Michael Yao</a> (DaoCloud)</p> <!-- The [Security Profiles Operator (SPO)][spo] is a feature-rich [operator][operator] for Kubernetes to make managing seccomp, SELinux and AppArmor profiles easier than ever. Recording those profiles from scratch is one of the key features of this operator, which usually involves the integration into large CI/CD systems. Being able to test the recording capabilities of the operator in edge cases is one of the recent development efforts of the SPO and makes it excitingly easy to play around with seccomp profiles. --> <p>[Security Profiles Operator (SPO)][spo] 是一个功能丰富的 Kubernetes [operator][operator]， 相比以往可以简化 seccomp、SELinux 和 AppArmor 配置文件的管理。 从头开始记录这些配置文件是该 Operator 的关键特性之一，这通常涉及与大型 CI/CD 系统集成。 在边缘场景中测试 Operator 的记录能力是 SPO 的最新开发工作之一， 非常有助于轻松玩转 seccomp 配置文件。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/16/kms-v2-moves-to-beta/Tue, 16 May 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/16/kms-v2-moves-to-beta/<!-- layout: blog title: "Kubernetes 1.27: KMS V2 Moves to Beta" date: 2023-05-16 slug: kms-v2-moves-to-beta --> <!-- **Authors:** Anish Ramasekar, Mo Khan, and Rita Zhang (Microsoft) --> <p><strong>作者：</strong> Anish Ramasekar, Mo Khan, and Rita Zhang (Microsoft)</p> <p><strong>译者：</strong> Xin Li (DaoCloud)</p> <!-- With Kubernetes 1.27, we (SIG Auth) are moving Key Management Service (KMS) v2 API to beta. --> <p>在 Kubernetes 1.27 中，我们（SIG Auth）将密钥管理服务（KMS）v2 API 带入 Beta 阶段。</p> <!-- ## What is KMS? One of the first things to consider when securing a Kubernetes cluster is encrypting etcd data at rest. KMS provides an interface for a provider to utilize a key stored in an external key service to perform this encryption. --> <h2 id="kms-是什么">KMS 是什么？</h2> <p>保护 Kubernetes 集群时首先要考虑的事情之一是加密静态的 etcd 数据。 KMS 为供应商提供了一个接口，以便利用存储在外部密钥服务中的密钥来执行此加密。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/15/speed-up-pod-startup/Mon, 15 May 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/15/speed-up-pod-startup/<!-- layout: blog title: "Kubernetes 1.27: updates on speeding up Pod startup" date: 2023-05-15T00:00:00+0000 slug: speed-up-pod-startup --> <!-- **Authors**: Paco Xu (DaoCloud), Sergey Kanzhelev (Google), Ruiwen Zhao (Google) --> <p><strong>作者</strong>：Paco Xu (DaoCloud), Sergey Kanzhelev (Google), Ruiwen Zhao (Google) <strong>译者</strong>：Michael Yao (DaoCloud)</p> <!-- How can Pod start-up be accelerated on nodes in large clusters? This is a common issue that cluster administrators may face. This blog post focuses on methods to speed up pod start-up from the kubelet side. It does not involve the creation time of pods by controller-manager through kube-apiserver, nor does it include scheduling time for pods or webhooks executed on it. --> <p>如何在大型集群中加快节点上的 Pod 启动？这是集群管理员可能面临的常见问题。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/12/in-place-pod-resize-alpha/Fri, 12 May 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/12/in-place-pod-resize-alpha/<!-- layout: blog title: "Kubernetes 1.27: In-place Resource Resize for Kubernetes Pods (alpha)" date: 2023-05-12 slug: in-place-pod-resize-alpha --> <p><strong>作者:</strong> Vinay Kulkarni (Kubescaler Labs)</p> <!-- **Author:** [Vinay Kulkarni](https://github.com/vinaykul) (Kubescaler Labs) --> <p><strong>译者</strong>：<a href="https://github.com/pacoxu">Paco Xu</a> (Daocloud)</p> <!-- If you have deployed Kubernetes pods with CPU and/or memory resources specified, you may have noticed that changing the resource values involves restarting the pod. This has been a disruptive operation for running workloads... until now. --> <p>如果你部署的 Pod 设置了 CPU 或内存资源，你就可能已经注意到更改资源值会导致 Pod 重新启动。 以前，这对于运行的负载来说是一个破坏性的操作。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/11/nodeport-dynamic-and-static-allocation/Thu, 11 May 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/11/nodeport-dynamic-and-static-allocation/<!-- layout: blog title: "Kubernetes 1.27: Avoid Collisions Assigning Ports to NodePort Services" date: 2023-05-11 slug: nodeport-dynamic-and-static-allocation --> <!-- **Author:** Xu Zhenglun (Alibaba) --> <p><strong>作者:</strong> Xu Zhenglun (Alibaba)</p> <p><strong>译者:</strong> <a href="https://github.com/windsonsea">Michael Yao</a> (DaoCloud)</p> <!-- In Kubernetes, a Service can be used to provide a unified traffic endpoint for applications running on a set of Pods. Clients can use the virtual IP address (or _VIP_) provided by the Service for access, and Kubernetes provides load balancing for traffic accessing different back-end Pods, but a ClusterIP type of Service is limited to providing access to nodes within the cluster, while traffic from outside the cluster cannot be routed. One way to solve this problem is to use a `type: NodePort` Service, which sets up a mapping to a specific port of all nodes in the cluster, thus redirecting traffic from the outside to the inside of the cluster. --> <p>在 Kubernetes 中，对于以一组 Pod 运行的应用，Service 可以为其提供统一的流量端点。 客户端可以使用 Service 提供的虚拟 IP 地址（或 <strong>VIP</strong>）进行访问， Kubernetes 为访问不同的后端 Pod 的流量提供负载均衡能力， 但 ClusterIP 类型的 Service 仅限于供集群内的节点来访问， 而来自集群外的流量无法被路由。解决这个难题的一种方式是使用 <code>type: NodePort</code> Service， 这种服务会在集群所有节点上为特定端口建立映射关系，从而将来自集群外的流量重定向到集群内。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/09/introducing-kubectl-applyset-pruning/Tue, 09 May 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/09/introducing-kubectl-applyset-pruning/<!-- layout: blog title: "Kubernetes 1.27: Safer, More Performant Pruning in kubectl apply" date: 2023-05-09 slug: introducing-kubectl-applyset-pruning --> <!-- **Authors:** Katrina Verey (independent) and Justin Santa Barbara (Google) --> <p><strong>作者:</strong> Katrina Verey（独立个人）和 Justin Santa Barbara (Google)</p> <p><strong>译者:</strong> <a href="https://github.com/windsonsea">Michael Yao</a> (DaoCloud)</p> <!-- Declarative configuration management with the `kubectl apply` command is the gold standard approach to creating or modifying Kubernetes resources. However, one challenge it presents is the deletion of resources that are no longer needed. In Kubernetes version 1.5, the `--prune` flag was introduced to address this issue, allowing kubectl apply to automatically clean up previously applied resources removed from the current configuration. --> <p>通过 <code>kubectl apply</code> 命令执行声明式配置管理是创建或修改 Kubernetes 资源的黄金标准方法。 但这种方法也带来了一个挑战，那就是删除不再需要的资源。 在 Kubernetes 1.5 版本中，引入了 <code>--prune</code> 标志来解决此问题， 允许 <code>kubectl apply</code> 自动清理从当前配置中删除的先前应用的资源。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/08/kubernetes-1-27-volume-group-snapshot-alpha/Mon, 08 May 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/08/kubernetes-1-27-volume-group-snapshot-alpha/<!-- layout: blog title: "Kubernetes 1.27: Introducing An API For Volume Group Snapshots" date: 2023-05-08 slug: kubernetes-1-27-volume-group-snapshot-alpha --> <p><strong>Author:</strong> Xing Yang (VMware)</p> <p><strong>译者</strong>: <a href="https://github.com/asa3311">顾欣</a></p> <!-- Volume group snapshot is introduced as an Alpha feature in Kubernetes v1.27. This feature introduces a Kubernetes API that allows users to take crash consistent snapshots for multiple volumes together. It uses a label selector to group multiple `PersistentVolumeClaims` for snapshotting. This new feature is only supported for [CSI](https://kubernetes-csi.github.io/docs/) volume drivers. --> <p>磁盘卷组快照在 Kubernetes v1.27 中作为 Alpha 特性被引入。 此特性引入了一个 Kubernetes API，允许用户对多个卷进行快照，以保证在发生故障时数据的一致性。 它使用标签选择器来将多个 <code>PersistentVolumeClaims</code> （持久卷申领）分组以进行快照。 这个新特性仅支持 CSI 卷驱动器。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/05/qos-memory-resources/Fri, 05 May 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/05/qos-memory-resources/<!-- layout: blog title: 'Kubernetes 1.27: Quality-of-Service for Memory Resources (alpha)' date: 2023-05-05 slug: qos-memory-resources --> <!-- **Authors:** Dixita Narang (Google) --> <p><strong>作者</strong>：Dixita Narang (Google)</p> <p><strong>译者</strong>：Wilson Wu (DaoCloud)</p> <!-- Kubernetes v1.27, released in April 2023, introduced changes to Memory QoS (alpha) to improve memory management capabilites in Linux nodes. --> <p>Kubernetes v1.27 于 2023 年 4 月发布，引入了对内存 QoS（Alpha）的更改，用于提高 Linux 节点中的内存管理功能。</p> <!-- Support for Memory QoS was initially added in Kubernetes v1.22, and later some [limitations](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2570-memory-qos#reasons-for-changing-the-formula-of-memoryhigh-calculation-in-alpha-v127) around the formula for calculating `memory.high` were identified. These limitations are addressed in Kubernetes v1.27. --> <p>对内存 QoS 的支持最初是在 Kubernetes v1.22 中添加的，后来发现了关于计算 <code>memory.high</code> 公式的一些<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2570-memory-qos#reasons-for-changing-the-formula-of-memoryhigh-calculation-in-alpha-v127">不足</a>。 这些不足在 Kubernetes v1.27 中得到解决。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/04/kubernetes-1-27-statefulset-pvc-auto-deletion-beta/Thu, 04 May 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/04/kubernetes-1-27-statefulset-pvc-auto-deletion-beta/<!-- layout: blog title: 'Kubernetes 1.27: StatefulSet PVC Auto-Deletion (beta)' date: 2023-05-04 slug: kubernetes-1-27-statefulset-pvc-auto-deletion-beta --> <!-- **Author:** Matthew Cary (Google) --> <p><strong>作者</strong>：Matthew Cary (Google)</p> <p><strong>译者</strong>：顾欣 (ICBC)</p> <!-- Kubernetes v1.27 graduated to beta a new policy mechanism for [`StatefulSets`](/docs/concepts/workloads/controllers/statefulset/) that controls the lifetime of their [`PersistentVolumeClaims`](/docs/concepts/storage/persistent-volumes/) (PVCs). The new PVC retention policy lets users specify if the PVCs generated from the `StatefulSet` spec template should be automatically deleted or retrained when the `StatefulSet` is deleted or replicas in the `StatefulSet` are scaled down. --> <p>Kubernetes v1.27 将一种新的策略机制升级到 Beta 阶段，这一策略用于控制 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/"><code>StatefulSets</code></a> 的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/"><code>PersistentVolumeClaims</code></a>（PVCs）的生命周期。 这种新的 PVC 保留策略允许用户指定当删除 <code>StatefulSet</code> 或者缩减 <code>StatefulSet</code> 中的副本时， 是自动删除还是保留从 <code>StatefulSet</code> 规约模板生成的 PVC。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/02/hpa-container-resource-metric/Tue, 02 May 2023 12:00:00 +0800https://andygol-k8s.netlify.app/zh-cn/blog/2023/05/02/hpa-container-resource-metric/<!-- layout: blog title: "Kubernetes 1.27: HorizontalPodAutoscaler ContainerResource type metric moves to beta" date: 2023-05-02T12:00:00+0800 slug: hpa-container-resource-metric --> <!-- **Author:** [Kensei Nakada](https://github.com/sanposhiho) (Mercari) --> <p><strong>作者:</strong> <a href="https://github.com/sanposhiho">Kensei Nakada</a> (Mercari)</p> <p><strong>译者:</strong> <a href="https://github.com/windsonsea">Michael Yao</a> (DaoCloud)</p> <!-- Kubernetes 1.20 introduced the [`ContainerResource` type metric](/docs/tasks/run-application/horizontal-pod-autoscale/#container-resource-metrics) in HorizontalPodAutoscaler (HPA). In Kubernetes 1.27, this feature moves to beta and the corresponding feature gate (`HPAContainerMetrics`) gets enabled by default. --> <p>Kubernetes 1.20 在 HorizontalPodAutoscaler (HPA) 中引入了 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/run-application/horizontal-pod-autoscale/#container-resource-metrics"><code>ContainerResource</code> 类型指标</a>。</p> <p>在 Kubernetes 1.27 中，此特性进阶至 Beta，相应的特性门控 (<code>HPAContainerMetrics</code>) 默认被启用。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/04/28/statefulset-start-ordinal/Fri, 28 Apr 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/04/28/statefulset-start-ordinal/<!-- layout: blog title: "Kubernetes 1.27: StatefulSet Start Ordinal Simplifies Migration" date: 2023-04-28 slug: statefulset-start-ordinal --> <!-- **Author**: Peter Schuurman (Google) --> <p><strong>作者：</strong> Peter Schuurman (Google)</p> <p><strong>译者：</strong> Xin Li (DaoCloud)</p> <!-- Kubernetes v1.26 introduced a new, alpha-level feature for [StatefulSets](/docs/concepts/workloads/controllers/statefulset/) that controls the ordinal numbering of Pod replicas. As of Kubernetes v1.27, this feature is now beta. Ordinals can start from arbitrary non-negative numbers. This blog post will discuss how this feature can be used. --> <p>Kubernetes v1.26 为 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/">StatefulSet</a> 引入了一个新的 Alpha 级别特性，可以控制 Pod 副本的序号。 从 Kubernetes v1.27 开始，此特性进级到 Beta 阶段。序数可以从任意非负数开始， 这篇博文将讨论如何使用此功能。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/04/25/k8s-cve-feed-beta/Tue, 25 Apr 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/04/25/k8s-cve-feed-beta/<!-- layout: blog title: Updates to the Auto-refreshing Official CVE Feed date: 2023-04-25 slug: k8s-cve-feed-beta --> <p><strong>作者</strong>：Cailyn Edwards (Shopify), Mahé Tardy (Isovalent), Pushkar Joglekar</p> <!-- **Authors**: Cailyn Edwards (Shopify), Mahé Tardy (Isovalent), Pushkar Joglekar --> <p><strong>译者</strong>：Wilson Wu (DaoCloud)</p> <!-- Since launching the [Auto-refreshing Official CVE feed](/docs/reference/issues-security/official-cve-feed/) as an alpha feature in the 1.25 release, we have made significant improvements and updates. We are excited to announce the release of the beta version of the feed. This blog post will outline the feedback received, the changes made, and talk about how you can help as we prepare to make this a stable feature in a future Kubernetes Release. --> <p>自从在 1.25 版本中将<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/issues-security/official-cve-feed/">官方自动刷新 CVE 订阅源</a>作为 Alpha 功能启用以来，我们已经做了一些重大改进和更新。我们很高兴宣布该订阅源的 Beta 版现已发布。这篇博文将列举收到的反馈、所做的更改， 还讨论了在未来 Kubernetes 版本中准备使其进阶成为一个稳定功能时你可以如何提供帮助。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/04/24/openapi-v3-field-validation-ga/Mon, 24 Apr 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/04/24/openapi-v3-field-validation-ga/<!-- layout: blog title: "Kubernetes 1.27: Server Side Field Validation and OpenAPI V3 move to GA" date: 2023-04-24 slug: openapi-v3-field-validation-ga --> <!-- **Author**: Jeffrey Ying (Google), Antoine Pelisse (Google) --> <p><strong>作者</strong>：Jeffrey Ying (Google), Antoine Pelisse (Google)</p> <p><strong>译者</strong>：Michael Yao (DaoCloud)</p> <!-- Before Kubernetes v1.8 (!), typos, mis-indentations or minor errors in YAMLs could have catastrophic consequences (e.g. a typo like forgetting the trailing s in `replica: 1000` could cause an outage, because the value would be ignored and missing, forcing a reset of replicas back to 1). This was solved back then by fetching the OpenAPI v2 in kubectl and using it to verify that fields were correct and present before applying. Unfortunately, at that time, Custom Resource Definitions didn’t exist, and the code was written under that assumption. When CRDs were later introduced, the lack of flexibility in the validation code forced some hard decisions in the way CRDs exposed their schema, leaving us in a cycle of bad validation causing bad OpenAPI and vice-versa. With the new OpenAPI v3 and Server Field Validation being GA in 1.27, we’ve now solved both of these problems. --> <p>在 Kubernetes v1.8 之前，YAML 文件中的拼写错误、缩进错误或其他小错误可能会产生灾难性后果 （例如像在 <code>replica: 1000</code> 中忘记了结尾的字母 “s”，可能会导致宕机。 因为该值会被忽略并且丢失，并强制将副本重置回 1）。当时解决这个问题的办法是： 在 kubectl 中获取 OpenAPI v2 并在应用之前使用 OpenAPI v2 来校验字段是否正确且存在。 不过当时没有自定义资源定义 (CRD)，相关代码是在当时那样的假设下编写的。 之后引入了 CRD，发现校验代码缺乏灵活性，迫使 CRD 在公开其模式定义时做出了一些艰难的决策， 使得我们进入了不良校验造成不良 OpenAPI，不良 OpenAPI 无法校验的循环。 随着新的 OpenAPI v3 和服务器端字段校验在 1.27 中进阶至 GA，我们现在已经解决了这两个问题。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/04/21/node-log-query-alpha/Fri, 21 Apr 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/04/21/node-log-query-alpha/<!-- layout: blog title: "Kubernetes 1.27: Query Node Logs Using The Kubelet API" date: 2023-04-21 slug: node-log-query-alpha --> <!-- **Author:** Aravindh Puthiyaparambil (Red Hat) --> <p><strong>作者：</strong> Aravindh Puthiyaparambil (Red Hat)</p> <p><strong>译者：</strong> Xin Li (DaoCloud)</p> <!-- Kubernetes 1.27 introduced a new feature called _Node log query_ that allows viewing logs of services running on the node. --> <p>Kubernetes 1.27 引入了一个名为<strong>节点日志查询</strong>的新功能， 可以查看节点上运行的服务的日志。</p> <!-- ## What problem does it solve? Cluster administrators face issues when debugging malfunctioning services running on the node. They usually have to SSH or RDP into the node to view the logs of the service to debug the issue. The _Node log query_ feature helps with this scenario by allowing the cluster administrator to view the logs using _kubectl_. This is especially useful with Windows nodes where you run into the issue of the node going to the ready state but containers not coming up due to CNI misconfigurations and other issues that are not easily identifiable by looking at the Pod status. --> <h2 id="它解决了什么问题">它解决了什么问题？</h2> <p>集群管理员在调试节点上运行的表现不正常的服务时会遇到问题。 他们通常必须通过 SSH 或 RDP 进入节点以查看服务日志以调试问题。 <strong>节点日志查询</strong>功能通过允许集群管理员使用 <strong>kubectl</strong> 查看日志的方式来帮助解决这种情况。这对于 Windows 节点特别有用， 在 Windows 节点中，你会遇到节点进入就绪状态但由于 CNI 错误配置和其他不易通过查看 Pod 状态来辨别的问题而导致容器无法启动的情况。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/04/20/read-write-once-pod-access-mode-beta/Thu, 20 Apr 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/04/20/read-write-once-pod-access-mode-beta/<!-- layout: blog title: "Kubernetes 1.27: Single Pod Access Mode for PersistentVolumes Graduates to Beta" date: 2023-04-20 slug: read-write-once-pod-access-mode-beta --> <!-- **Author:** Chris Henzie (Google) --> <p><strong>作者</strong>：Chris Henzie (Google)</p> <p><strong>译者</strong>：顾欣 (ICBC)</p> <!-- With the release of Kubernetes v1.27 the ReadWriteOncePod feature has graduated to beta. In this blog post, we'll take a closer look at this feature, what it does, and how it has evolved in the beta release. --> <p>随着 Kubernetes v1.27 的发布，ReadWriteOncePod 功能已经升级为 Beta 版。 在这篇博客文章中，我们将更详细地介绍这个功能，作用以及在 Beta 版本中的发展。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/04/18/kubernetes-1-27-efficient-selinux-relabeling-beta/Tue, 18 Apr 2023 10:00:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2023/04/18/kubernetes-1-27-efficient-selinux-relabeling-beta/<!-- layout: blog title: "Kubernetes 1.27: Efficient SELinux volume relabeling (Beta)" date: 2023-04-18T10:00:00-08:00 slug: kubernetes-1-27-efficient-selinux-relabeling-beta --> <p><strong>作者</strong>：Jan Šafránek (Red Hat)</p> <!-- **Author:** Jan Šafránek (Red Hat) --> <p><strong>译者</strong>：Wilson Wu (DaoCloud)</p> <!-- ## The problem --> <h2 id="the-problem">问题</h2> <!-- On Linux with Security-Enhanced Linux (SELinux) enabled, it's traditionally the container runtime that applies SELinux labels to a Pod and all its volumes. Kubernetes only passes the SELinux label from a Pod's `securityContext` fields to the container runtime. --> <p>在启用了 Security-Enhancled Linux（SELinux）系统上，传统做法是让容器运行时负责为 Pod 及所有卷应用 SELinux 标签。 Kubernetes 仅将 SELinux 标签从 Pod 的 <code>securityContext</code> 字段传递给容器运行时。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/04/17/fine-grained-pod-topology-spread-features-beta/Mon, 17 Apr 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/04/17/fine-grained-pod-topology-spread-features-beta/<!-- layout: blog title: "Kubernetes 1.27: More fine-grained pod topology spread policies reached beta" date: 2023-04-17 slug: fine-grained-pod-topology-spread-features-beta --> <!-- **Authors:** [Alex Wang](https://github.com/denkensk) (Shopee), [Kante Yin](https://github.com/kerthcet) (DaoCloud), [Kensei Nakada](https://github.com/sanposhiho) (Mercari) --> <p><strong>作者:</strong> <a href="https://github.com/denkensk">Alex Wang</a> (Shopee), <a href="https://github.com/kerthcet">Kante Yin</a> (DaoCloud), <a href="https://github.com/sanposhiho">Kensei Nakada</a> (Mercari)</p> <p><strong>译者:</strong> <a href="https://github.com/windsonsea">Michael Yao</a> (DaoCloud)</p> <!-- In Kubernetes v1.19, [Pod topology spread constraints](/docs/concepts/scheduling-eviction/topology-spread-constraints/) went to general availability (GA). As time passed, we - SIG Scheduling - received feedback from users, and, as a result, we're actively working on improving the Topology Spread feature via three KEPs. All of these features have reached beta in Kubernetes v1.27 and are enabled by default. This blog post introduces each feature and the use case behind each of them. --> <p>在 Kubernetes v1.19 中， <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/scheduling-eviction/topology-spread-constraints/">Pod 拓扑分布约束</a>进阶至正式发布 (GA)。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/04/06/keeping-kubernetes-secure-with-updated-go-versions/Thu, 06 Apr 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/04/06/keeping-kubernetes-secure-with-updated-go-versions/<!-- layout: blog title: "Keeping Kubernetes Secure with Updated Go Versions" date: 2023-04-06 slug: keeping-kubernetes-secure-with-updated-go-versions --> <!-- **Author**: [Jordan Liggitt](https://github.com/liggitt) (Google) --> <p><strong>作者</strong>：<a href="https://github.com/liggitt">Jordan Liggitt</a> (Google)</p> <p><strong>译者</strong>：顾欣 (ICBC)</p> <h3 id="the-problem">问题</h3> <!-- Since v1.19 (released in 2020), the Kubernetes project provides 12-14 months of patch releases for each minor version. This enables users to qualify and adopt Kubernetes versions in an annual upgrade cycle and receive security fixes for a year. --> <p>从 2020 年发布的 v1.19 版本以来，Kubernetes 项目为每个次要版本提供 12-14 个月的补丁维护期。 这使得用户可以按照年度升级周期来评估和选用 Kubernetes 版本，并持续一年获得安全修复。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/03/30/kubescape-validating-admission-policy-library/Thu, 30 Mar 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/03/30/kubescape-validating-admission-policy-library/<!-- layout: blog title: "Kubernetes Validating Admission Policies: A Practical Example" date: 2023-03-30T00:00:00+0000 slug: kubescape-validating-admission-policy-library --> <!-- **Authors**: Craig Box (ARMO), Ben Hirschberg (ARMO) --> <p><strong>作者</strong>：Craig Box (ARMO), Ben Hirschberg (ARMO)</p> <p><strong>译者</strong>：Xiaoyang Zhang (Huawei)</p> <!-- Admission control is an important part of the Kubernetes control plane, with several internal features depending on the ability to approve or change an API object as it is submitted to the server. It is also useful for an administrator to be able to define business logic, or policies, regarding what objects can be admitted into a cluster. To better support that use case, [Kubernetes introduced external admission control in v1.7](/blog/2017/06/kubernetes-1-7-security-hardening-stateful-application-extensibility-updates/). --> <p>准入控制是 Kubernetes 控制平面的重要组成部分，在向服务器提交请求时，可根据批准或更改 API 对象的能力来实现多项内部功能。 对于管理员来说，定义有关哪些对象可以进入集群的业务逻辑或策略是很有用的。为了更好地支持该场景， <a href="https://andygol-k8s.netlify.app/blog/2017/06/kubernetes-1-7-security-hardening-stateful-application-extensibility-updates/">Kubernetes 在 v1.7 中引入了外部准入控制</a>。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/03/17/upcoming-changes-in-kubernetes-v1-27/Fri, 17 Mar 2023 14:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/03/17/upcoming-changes-in-kubernetes-v1-27/<!-- layout: blog title: "Kubernetes Removals and Major Changes In v1.27" date: 2023-03-17T14:00:00+0000 slug: upcoming-changes-in-kubernetes-v1-27 --> <!-- **Author**: Harshita Sao --> <p><strong>作者</strong>：Harshita Sao</p> <p><strong>译者</strong>：Michael Yao (DaoCloud)</p> <!-- As Kubernetes develops and matures, features may be deprecated, removed, or replaced with better ones for the project's overall health. Based on the information available at this point in the v1.27 release process, which is still ongoing and can introduce additional changes, this article identifies and describes some of the planned changes for the Kubernetes v1.27 release. --> <p>随着 Kubernetes 发展和成熟，为了此项目的整体健康，某些特性可能会被弃用、移除或替换为优化过的特性。 基于目前在 v1.27 发布流程中获得的信息，本文将列举并描述一些计划在 Kubernetes v1.27 发布中的变更， 发布工作目前仍在进行中，可能会引入更多变更。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/03/10/image-registry-redirect/Fri, 10 Mar 2023 17:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/03/10/image-registry-redirect/<!-- layout: blog title: "k8s.gcr.io Redirect to registry.k8s.io - What You Need to Know" date: 2023-03-10T17:00:00.000Z slug: image-registry-redirect --> <!-- **Authors**: Bob Killen (Google), Davanum Srinivas (AWS), Chris Short (AWS), Frederico Muñoz (SAS Institute), Tim Bannister (The Scale Factory), Ricky Sadowski (AWS), Grace Nguyen (Expo), Mahamed Ali (Rackspace Technology), Mars Toktonaliev (independent), Laura Santamaria (Dell), Kat Cosgrove (Dell) --> <p><strong>作者</strong>：Bob Killen (Google)、Davanum Srinivas (AWS)、Chris Short (AWS)、Frederico Muñoz (SAS Institute)、Tim Bannister (The Scale Factory)、Ricky Sadowski (AWS)、Grace Nguyen (Expo)、Mahamed Ali (Rackspace Technology)、Mars Toktonaliev（独立个人）、Laura Santamaria (Dell)、Kat Cosgrove (Dell)</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/03/10/forensic-container-analysis/Fri, 10 Mar 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/03/10/forensic-container-analysis/<!-- layout: blog title: "Forensic container analysis" date: 2023-03-10 slug: forensic-container-analysis --> <p><strong>作者：</strong><a href="https://github.com/adrianreber">Adrian Reber</a> (Red Hat)</p> <!-- **Authors:** Adrian Reber (Red Hat) --> <p><strong>译者：</strong><a href="https://github.com/pacoxu">Paco Xu</a> (DaoCloud)</p> <!-- In my previous article, [Forensic container checkpointing in Kubernetes][forensic-blog], I introduced checkpointing in Kubernetes and how it has to be setup and how it can be used. The name of the feature is Forensic container checkpointing, but I did not go into any details how to do the actual analysis of the checkpoint created by Kubernetes. In this article I want to provide details how the checkpoint can be analyzed. --> <p>我之前在 <a href="https://kubernetes.io/zh-cn/blog/2022/12/05/forensic-container-checkpointing-alpha/">Kubernetes 中的取证容器检查点</a> 一文中，介绍了检查点以及如何创建和使用它。 该特性的名称是取证容器检查点，但我没有详细介绍如何对 Kubernetes 创建的检查点进行实际分析。 在本文中，我想提供如何分析检查点的详细信息。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/03/01/introducing-kwok/Wed, 01 Mar 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/03/01/introducing-kwok/<!-- layout: blog title: "Introducing KWOK: Kubernetes WithOut Kubelet" date: 2023-03-01 slug: introducing-kwok canonicalUrl: https://kubernetes.dev/blog/2023/03/01/introducing-kwok/ --> <!-- **Author:** Shiming Zhang (DaoCloud), Wei Huang (Apple), Yibo Zhuang (Apple) --> <p><strong>作者:</strong> Shiming Zhang (DaoCloud), Wei Huang (Apple), Yibo Zhuang (Apple)</p> <p><strong>译者:</strong> Michael Yao (DaoCloud)</p> <img style="float: right; display: inline-block; margin-left: 2em; max-width: 15em;" src="https://andygol-k8s.netlify.app/blog/2023/03/01/introducing-kwok/kwok.svg" alt="KWOK logo" /> <!-- Have you ever wondered how to set up a cluster of thousands of nodes just in seconds, how to simulate real nodes with a low resource footprint, and how to test your Kubernetes controller at scale without spending much on infrastructure? If you answered "yes" to any of these questions, then you might be interested in KWOK, a toolkit that enables you to create a cluster of thousands of nodes in seconds. --> <p>你是否曾想过在几秒钟内搭建一个由数千个节点构成的集群，如何用少量资源模拟真实的节点， 如何不耗费太多基础设施就能大规模地测试你的 Kubernetes 控制器？</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/02/14/kubernetes-katacoda-tutorials-stop-from-2023-03-31/Tue, 14 Feb 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/02/14/kubernetes-katacoda-tutorials-stop-from-2023-03-31/<!-- layout: blog title: "Free Katacoda Kubernetes Tutorials Are Shutting Down" date: 2023-02-14 slug: kubernetes-katacoda-tutorials-stop-from-2023-03-31 evergreen: true --> <!-- **Author**: Natali Vlatko, SIG Docs Co-Chair for Kubernetes --> <p><strong>作者</strong>：Natali Vlatko，Kubernetes SIG Docs 联合主席</p> <p><strong>译者</strong>：Michael Yao (DaoCloud)</p> <!-- [Katacoda](https://katacoda.com/kubernetes), the popular learning platform from O’Reilly that has been helping people learn all about Java, Docker, Kubernetes, Python, Go, C++, and more, [shut down for public use in June 2022](https://www.oreilly.com/online-learning/leveraging-katacoda-technology.html). However, tutorials specifically for Kubernetes, linked from the Kubernetes website for our project’s users and contributors, remained available and active after this change. Unfortunately, this will no longer be the case, and Katacoda tutorials for learning Kubernetes will cease working after March 31st, 2023. --> <p><a href="https://katacoda.com/kubernetes">Katacoda</a> 是 O’Reilly 开设的热门学习平台， 帮助人们学习 Java、Docker、Kubernetes、Python、Go、C++ 和其他更多内容， 这个学习平台于 <a href="https://www.oreilly.com/online-learning/leveraging-katacoda-technology.html">2022 年 6 月停止对公众开放</a>。 但是，从 Kubernetes 网站为相关项目用户和贡献者关联的 Kubernetes 专门教程在那次变更后仍然可用并处于活跃状态。 遗憾的是，接下来情况将发生变化，Katacoda 上有关学习 Kubernetes 的教程将在 2023 年 3 月 31 日之后彻底关闭。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/02/06/k8s-gcr-io-freeze-announcement/Mon, 06 Feb 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/02/06/k8s-gcr-io-freeze-announcement/<!-- layout: blog title: "k8s.gcr.io Image Registry Will Be Frozen From the 3rd of April 2023" date: 2023-02-06 slug: k8s-gcr-io-freeze-announcement --> <!-- **Authors**: Mahamed Ali (Rackspace Technology) --> <p><strong>作者</strong>：Mahamed Ali (Rackspace Technology)</p> <p><strong>译者</strong>：Michael Yao (Daocloud)</p> <!-- The Kubernetes project runs a community-owned image registry called `registry.k8s.io` to host its container images. On the 3rd of April 2023, the old registry `k8s.gcr.io` will be frozen and no further images for Kubernetes and related subprojects will be pushed to the old registry. This registry `registry.k8s.io` replaced the old one and has been generally available for several months. We have published a [blog post](/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/) about its benefits to the community and the Kubernetes project. This post also announced that future versions of Kubernetes will not be available in the old registry. Now that time has come. --> <p>Kubernetes 项目运行一个名为 <code>registry.k8s.io</code>、由社区管理的镜像仓库来托管其容器镜像。 2023 年 4 月 3 日，旧仓库 <code>k8s.gcr.io</code> 将被冻结，Kubernetes 及其相关子项目的镜像将不再推送到这个旧仓库。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/02/03/sig-instrumentation-spotlight-2023/Fri, 03 Feb 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/02/03/sig-instrumentation-spotlight-2023/<!-- layout: blog title: "Spotlight on SIG Instrumentation" slug: sig-instrumentation-spotlight-2023 date: 2023-02-03 canonicalUrl: https://www.kubernetes.dev/blog/2023/02/03/sig-instrumentation-spotlight-2023/ --> <!-- **Author:** Imran Noor Mohamed (Delivery Hero) --> <p><strong>作者</strong>: Imran Noor Mohamed (Delivery Hero)</p> <p><strong>译者</strong>: <a href="https://github.com/kevin1689-cloud">Kevin Yang</a></p> <!-- Observability requires the right data at the right time for the right consumer (human or piece of software) to make the right decision. In the context of Kubernetes, having best practices for cluster observability across all Kubernetes components is crucial. --> <p>可观测性需要在合适的时间提供合适的数据，以便合适的消费者（人员或软件）做出正确的决策。 在 Kubernetes 的环境中，拥有跨所有 Kubernetes 组件的集群可观测性最佳实践是至关重要的。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/01/20/security-behavior-analysis/Fri, 20 Jan 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/01/20/security-behavior-analysis/<!-- layout: blog title: Consider All Microservices Vulnerable — And Monitor Their Behavior date: 2023-01-20 slug: security-behavior-analysis --> <!-- **Author:** David Hadas (IBM Research Labs) --> <p><strong>作者</strong>：David Hadas (IBM Research Labs)</p> <p><strong>译者</strong>：Wilson Wu (DaoCloud)</p> <!-- _This post warns Devops from a false sense of security. Following security best practices when developing and configuring microservices do not result in non-vulnerable microservices. The post shows that although all deployed microservices are vulnerable, there is much that can be done to ensure microservices are not exploited. It explains how analyzing the behavior of clients and services from a security standpoint, named here **"Security-Behavior Analytics"**, can protect the deployed vulnerable microservices. It points to [Guard](http://knative.dev/security-guard), an open source project offering security-behavior monitoring and control of Kubernetes microservices presumed vulnerable._ --> <p><em>本文对 DevOps 产生的错误安全意识做出提醒。开发和配置微服务时遵循安全最佳实践并不能让微服务不易被攻击。 本文说明，即使所有已部署的微服务都容易被攻击，但仍然可以采取很多措施来确保微服务不被利用。 本文解释了如何从安全角度对客户端和服务的行为进行分析，此处称为 <strong>“安全行为分析”</strong> ， 可以对已部署的易被攻击的微服务进行保护。本文会引用 <a href="http://knative.dev/security-guard">Guard</a>， 一个开源项目，对假定易被攻击的 Kubernetes 微服务的安全行为提供监测与控制。</em></p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/01/12/protect-mission-critical-pods-priorityclass/Thu, 12 Jan 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/01/12/protect-mission-critical-pods-priorityclass/<!-- layout: blog title: "Protect Your Mission-Critical Pods From Eviction With PriorityClass" date: 2023-01-12 slug: protect-mission-critical-pods-priorityclass description: "Pod priority and preemption help to make sure that mission-critical pods are up in the event of a resource crunch by deciding order of scheduling and eviction." --> <p><strong>作者</strong>：Sunny Bhambhani (InfraCloud Technologies)</p> <!-- **Author:** Sunny Bhambhani (InfraCloud Technologies) --> <p><strong>译者</strong>：Wilson Wu (DaoCloud)</p> <!-- Kubernetes has been widely adopted, and many organizations use it as their de-facto orchestration engine for running workloads that need to be created and deleted frequently. --> <p>Kubernetes 已被广泛使用，许多组织将其用作事实上的编排引擎，用于运行需要频繁被创建和删除的工作负载。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/Fri, 06 Jan 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/<!-- layout: blog title: "Kubernetes 1.26: Eviction policy for unhealthy pods guarded by PodDisruptionBudgets" date: 2023-01-06 slug: "unhealthy-pod-eviction-policy-for-pdbs" --> <!-- **Authors:** Filip Křepinský (Red Hat), Morten Torkildsen (Google), Ravi Gudimetla (Apple) --> <p><strong>作者：</strong> Filip Křepinský (Red Hat), Morten Torkildsen (Google), Ravi Gudimetla (Apple)</p> <p><strong>译者：</strong> Michael Yao (DaoCloud)</p> <!-- Ensuring the disruptions to your applications do not affect its availability isn't a simple task. Last month's release of Kubernetes v1.26 lets you specify an _unhealthy pod eviction policy_ for [PodDisruptionBudgets](/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets) (PDBs) to help you maintain that availability during node management operations. In this article, we will dive deeper into what modifications were introduced for PDBs to give application owners greater flexibility in managing disruptions. --> <p>确保对应用的干扰不影响其可用性不是一个简单的任务。 上个月发布的 Kubernetes v1.26 允许针对 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets">PodDisruptionBudget</a> (PDB) 指定<strong>不健康 Pod 驱逐策略</strong>，这有助于在节点执行管理操作期间保持可用性。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/01/05/retroactive-default-storage-class/Thu, 05 Jan 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/01/05/retroactive-default-storage-class/<!-- layout: blog title: "Kubernetes v1.26: Retroactive Default StorageClass" date: 2023-01-05 slug: retroactive-default-storage-class --> <!-- **Author:** Roman Bednář (Red Hat) --> <p><strong>作者：</strong> Roman Bednář (Red Hat)</p> <p><strong>译者：</strong> Michael Yao (DaoCloud)</p> <!-- The v1.25 release of Kubernetes introduced an alpha feature to change how a default StorageClass was assigned to a PersistentVolumeClaim (PVC). With the feature enabled, you no longer need to create a default StorageClass first and PVC second to assign the class. Additionally, any PVCs without a StorageClass assigned can be updated later. This feature was graduated to beta in Kubernetes v1.26. --> <p>Kubernetes v1.25 引入了一个 Alpha 特性来更改默认 StorageClass 被分配到 PersistentVolumeClaim (PVC) 的方式。 启用此特性后，你不再需要先创建默认 StorageClass，再创建 PVC 来分配类。 此外，任何未分配 StorageClass 的 PVC 都可以在后续被更新。此特性在 Kubernetes v1.26 中已进阶至 Beta。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2023/01/02/cross-namespace-data-sources-alpha/Mon, 02 Jan 2023 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2023/01/02/cross-namespace-data-sources-alpha/<!-- layout: blog title: "Kubernetes v1.26: Alpha support for cross-namespace storage data sources" date: 2023-01-02 slug: cross-namespace-data-sources-alpha --> <!-- **Author:** Takafumi Takahashi (Hitachi Vantara) --> <p><strong>作者：</strong> Takafumi Takahashi (Hitachi Vantara)</p> <p><strong>译者：</strong> Michael Yao (DaoCloud)</p> <!-- Kubernetes v1.26, released last month, introduced an alpha feature that lets you specify a data source for a PersistentVolumeClaim, even where the source data belong to a different namespace. With the new feature enabled, you specify a namespace in the `dataSourceRef` field of a new PersistentVolumeClaim. Once Kubernetes checks that access is OK, the new PersistentVolume can populate its data from the storage source specified in that other namespace. Before Kubernetes v1.26, provided your cluster had the `AnyVolumeDataSource` feature enabled, you could already provision new volumes from a data source in the **same** namespace. However, that only worked for the data source in the same namespace, therefore users couldn't provision a PersistentVolume with a claim in one namespace from a data source in other namespace. To solve this problem, Kubernetes v1.26 added a new alpha `namespace` field to `dataSourceRef` field in PersistentVolumeClaim the API. --> <p>上个月发布的 Kubernetes v1.26 引入了一个 Alpha 特性，允许你在源数据属于不同的名字空间时为 PersistentVolumeClaim 指定数据源。启用这个新特性后，你在新 PersistentVolumeClaim 的 <code>dataSourceRef</code> 字段中指定名字空间。一旦 Kubernetes 发现访问权限正常，新的 PersistentVolume 就可以从其他名字空间中指定的存储源填充其数据。在 Kubernetes v1.26 之前，如果集群已启用了 <code>AnyVolumeDataSource</code> 特性，你可能已经从<strong>相同的</strong>名字空间中的数据源制备新卷。 但这仅适用于同一名字空间中的数据源，因此用户无法基于一个名字空间中的数据源使用另一个名字空间中的声明来制备 PersistentVolume。为了解决这个问题，Kubernetes v1.26 在 PersistentVolumeClaim API 的 <code>dataSourceRef</code> 字段中添加了一个新的 Alpha <code>namespace</code> 字段。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/30/advancements-in-kubernetes-traffic-engineering/Fri, 30 Dec 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/30/advancements-in-kubernetes-traffic-engineering/<!-- layout: blog title: "Kubernetes v1.26: Advancements in Kubernetes Traffic Engineering" date: 2022-12-30 slug: advancements-in-kubernetes-traffic-engineering --> <p><strong>作者</strong>：Andrew Sy Kim (Google)</p> <!-- **Authors:** Andrew Sy Kim (Google) --> <p><strong>译者</strong>：Wilson Wu (DaoCloud)</p> <!-- Kubernetes v1.26 includes significant advancements in network traffic engineering with the graduation of two features (Service internal traffic policy support, and EndpointSlice terminating conditions) to GA, and a third feature (Proxy terminating endpoints) to beta. The combination of these enhancements aims to address short-comings in traffic engineering that people face today, and unlock new capabilities for the future. --> <p>Kubernetes v1.26 在网络流量工程方面取得了重大进展， 两项功能（服务内部流量策略支持和 EndpointSlice 终止状况）升级为正式发布版本， 第三项功能（代理终止端点）升级为 Beta。这些增强功能的结合旨在解决人们目前所面临的流量工程短板，并在未来解锁新的功能。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/27/cpumanager-ga/Tue, 27 Dec 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/27/cpumanager-ga/<!-- layout: blog title: 'Kubernetes v1.26: CPUManager goes GA' date: 2022-12-27 slug: cpumanager-ga --> <!-- **Author:** Francesco Romani (Red Hat) --> <p><strong>作者：</strong> Francesco Romani (Red Hat)</p> <p><strong>译者：</strong> Michael Yao (DaoCloud)</p> <!-- The CPU Manager is a part of the kubelet, the Kubernetes node agent, which enables the user to allocate exclusive CPUs to containers. Since Kubernetes v1.10, where it [graduated to Beta](/blog/2018/07/24/feature-highlight-cpu-manager/), the CPU Manager proved itself reliable and fulfilled its role of allocating exclusive CPUs to containers, so adoption has steadily grown making it a staple component of performance-critical and low-latency setups. Over time, most changes were about bugfixes or internal refactoring, with the following noteworthy user-visible changes: --> <p>CPU 管理器是 kubelet 的一部分；kubelet 是 Kubernetes 的节点代理，能够让用户给容器分配独占 CPU。 CPU 管理器自从 Kubernetes v1.10 <a href="https://andygol-k8s.netlify.app/blog/2018/07/24/feature-highlight-cpu-manager/">进阶至 Beta</a>， 已证明了它本身的可靠性，能够充分胜任将独占 CPU 分配给容器，因此采用率稳步增长， 使其成为性能关键型和低延迟场景的基本组件。随着时间的推移，大多数变更均与错误修复或内部重构有关， 以下列出了几个值得关注、用户可见的变更：</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/26/pod-scheduling-readiness-alpha/Mon, 26 Dec 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/26/pod-scheduling-readiness-alpha/<!-- layout: blog title: "Kubernetes 1.26: Pod Scheduling Readiness" date: 2022-12-26 slug: pod-scheduling-readiness-alpha --> <!-- **Author:** Wei Huang (Apple), Abdullah Gharaibeh (Google) --> <p><strong>作者：</strong> Wei Huang (Apple), Abdullah Gharaibeh (Google)</p> <p><strong>译者：</strong> XiaoYang Zhang (HuaWei)</p> <!-- Kubernetes 1.26 introduced a new Pod feature: _scheduling gates_. In Kubernetes, scheduling gates are keys that tell the scheduler when a Pod is ready to be considered for scheduling. --> <p>Kubernetes 1.26 引入了一个新的 Pod 特性：<strong>调度门控</strong>。 在 Kubernetes 中，调度门控是通知调度器何时可以考虑 Pod 调度的关键。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/23/kubernetes-12-06-fsgroup-on-mount/Fri, 23 Dec 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/23/kubernetes-12-06-fsgroup-on-mount/<!-- layout: blog title: "Kubernetes 1.26: Support for Passing Pod fsGroup to CSI Drivers At Mount Time" date: 2022-12-23 slug: kubernetes-12-06-fsgroup-on-mount --> <!-- **Authors:** Fabio Bertinatto (Red Hat), Hemant Kumar (Red Hat) --> <p><strong>作者：</strong> Fabio Bertinatto (Red Hat), Hemant Kumar (Red Hat)</p> <p><strong>译者：</strong> Xin Li (DaoCloud)</p> <!-- Delegation of `fsGroup` to CSI drivers was first introduced as alpha in Kubernetes 1.22, and graduated to beta in Kubernetes 1.25. For Kubernetes 1.26, we are happy to announce that this feature has graduated to General Availability (GA). In this release, if you specify a `fsGroup` in the [security context](/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod), for a (Linux) Pod, all processes in the pod's containers are part of the additional group that you specified. --> <p>将 <code>fsGroup</code> 委托给 CSI 驱动程序管理首先在 Kubernetes 1.22 中作为 Alpha 特性引入， 并在 Kubernetes 1.25 中进阶至 Beta 状态。 对于 Kubernetes 1.26，我们很高兴地宣布此特性已进阶至正式发布（GA）状态。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/19/devicemanager-ga/Mon, 19 Dec 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/19/devicemanager-ga/<!-- layout: blog title: 'Kubernetes 1.26: Device Manager graduates to GA' date: 2022-12-19 slug: devicemanager-ga --> <!-- **Author:** Swati Sehgal (Red Hat) --> <p><strong>作者</strong>： Swati Sehgal (Red Hat)</p> <p><strong>译者</strong>： Jin Li (UOS)</p> <!-- The Device Plugin framework was introduced in the Kubernetes v1.8 release as a vendor independent framework to enable discovery, advertisement and allocation of external devices without modifying core Kubernetes. The feature graduated to Beta in v1.10. With the recent release of Kubernetes v1.26, Device Manager is now generally available (GA). --> <p>设备插件框架是在 Kubernetes v1.8 版本中引入的，它是一个与供应商无关的框架， 旨在实现对外部设备的发现、公布和分配，而无需修改核心 Kubernetes。 该功能在 v1.10 版本中升级为 Beta 版本。随着 Kubernetes v1.26 的最新发布， 设备管理器现已正式发布（GA）。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/16/kubernetes-1-26-non-graceful-node-shutdown-beta/Fri, 16 Dec 2022 10:00:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/16/kubernetes-1-26-non-graceful-node-shutdown-beta/<!-- layout: blog title: "Kubernetes 1.26: Non-Graceful Node Shutdown Moves to Beta" date: 2022-12-16T10:00:00-08:00 slug: kubernetes-1-26-non-graceful-node-shutdown-beta --> <!-- **Author:** Xing Yang (VMware), Ashutosh Kumar (VMware) Kubernetes v1.24 [introduced](https://kubernetes.io/blog/2022/05/20/kubernetes-1-24-non-graceful-node-shutdown-alpha/) an alpha quality implementation of improvements for handling a [non-graceful node shutdown](/docs/concepts/architecture/nodes/#non-graceful-node-shutdown). In Kubernetes v1.26, this feature moves to beta. This feature allows stateful workloads to failover to a different node after the original node is shut down or in a non-recoverable state, such as the hardware failure or broken OS. --> <p><strong>作者：</strong> Xing Yang (VMware), Ashutosh Kumar (VMware)</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/15/dynamic-resource-allocation/Thu, 15 Dec 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/15/dynamic-resource-allocation/<!-- layout: blog title: "Kubernetes 1.26: Alpha API For Dynamic Resource Allocation" date: 2022-12-15 slug: dynamic-resource-allocation --> <!-- **Authors:** Patrick Ohly (Intel), Kevin Klues (NVIDIA) --> <p><strong>作者:</strong> Patrick Ohly (Intel)、Kevin Klues (NVIDIA)</p> <p><strong>译者：</strong> 空桐</p> <!-- Dynamic resource allocation is a new API for requesting resources. It is a generalization of the persistent volumes API for generic resources, making it possible to: - access the same resource instance in different pods and containers, - attach arbitrary constraints to a resource request to get the exact resource you are looking for, - initialize a resource according to parameters provided by the user. --> <p>动态资源分配是一个用于请求资源的新 API。 它是对为通用资源所提供的持久卷 API 的泛化。它可以：</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/12/kubernetes-release-artifact-signing/Mon, 12 Dec 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/12/kubernetes-release-artifact-signing/<!-- layout: blog title: "Kubernetes 1.26: We're now signing our binary release artifacts!" date: 2022-12-12 slug: kubernetes-release-artifact-signing --> <!-- **Author:** Sascha Grunert --> <p><strong>作者：</strong> Sascha Grunert</p> <p><strong>译者：</strong> XiaoYang Zhang (HUAWEI)</p> <!-- The Kubernetes Special Interest Group (SIG) Release is proud to announce that we are digitally signing all release artifacts, and that this aspect of Kubernetes has now reached _beta_. --> <p>Kubernetes 特别兴趣小组 SIG Release 自豪地宣布，我们正在对所有发布工件进行数字签名，并且 Kubernetes 在这一方面现已达到 <strong>Beta</strong>。</p> <!-- Signing artifacts provides end users a chance to verify the integrity of the downloaded resource. It allows to mitigate man-in-the-middle attacks directly on the client side and therefore ensures the trustfulness of the remote serving the artifacts. The overall goal of out past work was to define the used tooling for signing all Kubernetes related artifacts as well as providing a standard signing process for related projects (for example for those in [kubernetes-sigs][k-sigs]). --> <p>签名工件为终端用户提供了验证下载资源完整性的机会。 它可以直接在客户端减轻中间人攻击，从而确保远程服务工件的可信度。 过去工作的总体目标是定义用于对所有 Kubernetes 相关工件进行签名的工具， 以及为相关项目（例如 <a href="https://github.com/kubernetes-sigs">kubernetes-sigs</a> 中的项目）提供标准签名流程。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/05/forensic-container-checkpointing-alpha/Mon, 05 Dec 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/12/05/forensic-container-checkpointing-alpha/<p><strong>作者:</strong> <a href="https://github.com/adrianreber">Adrian Reber</a> (Red Hat)</p> <!-- **Authors:** Adrian Reber (Red Hat) --> <!-- Forensic container checkpointing is based on [Checkpoint/Restore In Userspace](https://criu.org/) (CRIU) and allows the creation of stateful copies of a running container without the container knowing that it is being checkpointed. The copy of the container can be analyzed and restored in a sandbox environment multiple times without the original container being aware of it. Forensic container checkpointing was introduced as an alpha feature in Kubernetes v1.25. --> <p>取证容器检查点（Forensic container checkpointing）基于 <a href="https://criu.org/">CRIU</a>（Checkpoint/Restore In Userspace ，用户空间的检查点/恢复）， 并允许创建正在运行的容器的有状态副本，而容器不知道它正在被检查。容器的副本，可以在沙箱环境中被多次分析和恢复，而原始容器并不知道。 取证容器检查点是作为一个 alpha 特性在 Kubernetes v1.25 中引入的。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/11/18/upcoming-changes-in-kubernetes-1-26/Fri, 18 Nov 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/11/18/upcoming-changes-in-kubernetes-1-26/<!-- layout: blog title: "Kubernetes Removals, Deprecations, and Major Changes in 1.26" date: 2022-11-18 slug: upcoming-changes-in-kubernetes-1-26 --> <!-- **Author**: Frederico Muñoz (SAS) --> <p><strong>作者</strong> ：Frederico Muñoz (SAS)</p> <!-- Change is an integral part of the Kubernetes life-cycle: as Kubernetes grows and matures, features may be deprecated, removed, or replaced with improvements for the health of the project. For Kubernetes v1.26 there are several planned: this article identifies and describes some of them, based on the information available at this mid-cycle point in the v1.26 release process, which is still ongoing and can introduce additional changes. --> <p>变化是 Kubernetes 生命周期不可分割的一部分：随着 Kubernetes 成长和日趋成熟， 为了此项目的健康发展，某些功能特性可能会被弃用、移除或替换为优化过的功能特性。 Kubernetes v1.26 也做了若干规划：根据 v1.26 发布流程中期获得的信息， 本文将列举并描述其中一些变更，这些变更目前仍在进行中，可能会引入更多变更。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/10/04/introducing-kueue/Tue, 04 Oct 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/10/04/introducing-kueue/<!-- layout: blog title: "Introducing Kueue" date: 2022-10-04 slug: introducing-kueue --> <!-- **Authors:** Abdullah Gharaibeh (Google), Aldo Culquicondor (Google) --> <p><strong>作者：</strong> Abdullah Gharaibeh（谷歌），Aldo Culquicondor（谷歌）</p> <!-- Whether on-premises or in the cloud, clusters face real constraints for resource usage, quota, and cost management reasons. Regardless of the autoscalling capabilities, clusters have finite capacity. As a result, users want an easy way to fairly and efficiently share resources. --> <p>无论是在本地还是在云端，集群都面临着资源使用、配额和成本管理方面的实际限制。 无论自动扩缩容能力如何，集群的容量都是有限的。 因此，用户需要一种简单的方法来公平有效地共享资源。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/10/03/userns-alpha/Mon, 03 Oct 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/10/03/userns-alpha/<!-- layout: blog title: "Kubernetes 1.25: alpha support for running Pods with user namespaces" date: 2022-10-03 slug: userns-alpha --> <!-- **Authors:** Rodrigo Campos (Microsoft), Giuseppe Scrivano (Red Hat) --> <p><strong>作者:</strong> Rodrigo Campos（Microsoft）、Giuseppe Scrivano（Red Hat）</p> <!-- Kubernetes v1.25 introduces the support for user namespaces. --> <p>Kubernetes v1.25 引入了对用户名字空间的支持。</p> <!-- This is a major improvement for running secure workloads in Kubernetes. Each pod will have access only to a limited subset of the available UIDs and GIDs on the system, thus adding a new security layer to protect from other pods running on the same system. --> <p>这是在 Kubernetes 中运行安全工作负载的一项重大改进。 每个 Pod 只能访问系统上可用 UID 和 GID 的有限子集， 因此添加了一个新的安全层来保护 Pod 免受运行在同一系统上的其他 Pod 的影响。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/09/15/app-rollout-features-reach-stable/Thu, 15 Sep 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/09/15/app-rollout-features-reach-stable/<!-- layout: blog title: "Kubernetes 1.25: Two Features for Apps Rollouts Graduate to Stable" date: 2022-09-15 slug: "app-rollout-features-reach-stable" --> <!-- **Authors:** Ravi Gudimetla (Apple), Filip Křepinský (Red Hat), Maciej Szulik (Red Hat) --> <p><strong>作者：</strong> Ravi Gudimetla (Apple)、Filip Křepinský (Red Hat)、Maciej Szulik (Red Hat)</p> <!-- This blog describes the two features namely `minReadySeconds` for StatefulSets and `maxSurge` for DaemonSets that SIG Apps is happy to graduate to stable in Kubernetes 1.25. Specifying `minReadySeconds` slows down a rollout of a StatefulSet, when using a `RollingUpdate` value in `.spec.updateStrategy` field, by waiting for each pod for a desired time. This time can be used for initializing the pod (e.g. warming up the cache) or as a delay before acknowledging the pod. --> <p>这篇博客描述了两个特性，即用于 StatefulSet 的 <code>minReadySeconds</code> 以及用于 DaemonSet 的 <code>maxSurge</code>， SIG Apps 很高兴宣布这两个特性在 Kubernetes 1.25 进入稳定阶段。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/09/14/pod-has-network-condition/Wed, 14 Sep 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/09/14/pod-has-network-condition/<!-- layout: blog title: 'Kubernetes 1.25: PodHasNetwork Condition for Pods' date: 2022-09-14 slug: pod-has-network-condition author: > Deep Debroy (Apple) --> <!-- Kubernetes 1.25 introduces Alpha support for a new kubelet-managed pod condition in the status field of a pod: `PodHasNetwork`. The kubelet, for a worker node, will use the `PodHasNetwork` condition to accurately surface the initialization state of a pod from the perspective of pod sandbox creation and network configuration by a container runtime (typically in coordination with CNI plugins). The kubelet starts to pull container images and start individual containers (including init containers) after the status of the `PodHasNetwork` condition is set to `"True"`. Metrics collection services that report latency of pod initialization from a cluster infrastructural perspective (i.e. agnostic of per container characteristics like image size or payload) can utilize the `PodHasNetwork` condition to accurately generate Service Level Indicators (SLIs). Certain operators or controllers that manage underlying pods may utilize the `PodHasNetwork` condition to optimize the set of actions performed when pods repeatedly fail to come up. --> <p>Kubernetes 1.25 引入了对 kubelet 所管理的新的 Pod 状况 <code>PodHasNetwork</code> 的 Alpha 支持， 该状况位于 Pod 的 status 字段中 。对于工作节点，kubelet 将使用 <code>PodHasNetwork</code> 状况从容器运行时 （通常与 CNI 插件协作）创建 Pod 沙箱和网络配置的角度准确地了解 Pod 的初始化状态。 在 <code>PodHasNetwork</code> 状况的 status 设置为 <code>&quot;True&quot;</code> 后，kubelet 开始拉取容器镜像并启动独立的容器 （包括 Init 容器）。从集群基础设施的角度报告 Pod 初始化延迟的指标采集服务 （无需知道每个容器的镜像大小或有效负载等特征）就可以利用 <code>PodHasNetwork</code> 状况来准确生成服务水平指标（Service Level Indicator，SLI）。 某些管理底层 Pod 的 Operator 或控制器可以利用 <code>PodHasNetwork</code> 状况来优化 Pod 反复出现失败时要执行的操作。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/09/12/k8s-cve-feed-alpha/Mon, 12 Sep 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/09/12/k8s-cve-feed-alpha/<!-- layout: blog title: Announcing the Auto-refreshing Official Kubernetes CVE Feed date: 2022-09-12 slug: k8s-cve-feed-alpha --> <!-- **Author**: Pushkar Joglekar (VMware) A long-standing request from the Kubernetes community has been to have a programmatic way for end users to keep track of Kubernetes security issues (also called "CVEs", after the database that tracks public security issues across different products and vendors). Accompanying the release of Kubernetes v1.25, we are excited to announce availability of such a [feed](/docs/reference/issues-security/official-cve-feed/) as an `alpha` feature. This blog will cover the background and scope of this new service. --> <p><strong>作者</strong>：Pushkar Joglekar (VMware)</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/09/07/iptables-chains-not-api/Wed, 07 Sep 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/09/07/iptables-chains-not-api/<!-- layout: blog title: "Kubernetes’s IPTables Chains Are Not API" date: 2022-09-07 slug: iptables-chains-not-api --> <!-- **Author:** Dan Winship (Red Hat) --> <p><strong>作者：</strong> Dan Winship (Red Hat)</p> <p><strong>译者：</strong> Xin Li (DaoCloud)</p> <!-- Some Kubernetes components (such as kubelet and kube-proxy) create iptables chains and rules as part of their operation. These chains were never intended to be part of any Kubernetes API/ABI guarantees, but some external components nonetheless make use of some of them (in particular, using `KUBE-MARK-MASQ` to mark packets as needing to be masqueraded). --> <p>一些 Kubernetes 组件（例如 kubelet 和 kube-proxy）在执行操作时，会创建特定的 iptables 链和规则。 这些链从未被计划使其成为任何 Kubernetes API/ABI 保证的一部分， 但一些外部组件仍然使用其中的一些链（特别是使用 <code>KUBE-MARK-MASQ</code> 将数据包标记为需要伪装）。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/09/02/cosi-kubernetes-object-storage-management/Fri, 02 Sep 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/09/02/cosi-kubernetes-object-storage-management/<!-- layout: blog title: "Introducing COSI: Object Storage Management using Kubernetes APIs" date: 2022-09-02 slug: cosi-kubernetes-object-storage-management --> <!-- **Authors:** Sidhartha Mani ([Minio, Inc](https://min.io)) --> <p><strong>作者：</strong> Sidhartha Mani (<a href="https://min.io">Minio, Inc</a>)</p> <!-- This article introduces the Container Object Storage Interface (COSI), a standard for provisioning and consuming object storage in Kubernetes. It is an alpha feature in Kubernetes v1.25. File and block storage are treated as first class citizens in the Kubernetes ecosystem via [Container Storage Interface](https://kubernetes.io/blog/2019/01/15/container-storage-interface-ga/) (CSI). Workloads using CSI volumes enjoy the benefits of portability across vendors and across Kubernetes clusters without the need to change application manifests. An equivalent standard does not exist for Object storage. Object storage has been rising in popularity in recent years as an alternative form of storage to filesystems and block devices. Object storage paradigm promotes disaggregation of compute and storage. This is done by making data available over the network, rather than locally. Disaggregated architectures allow compute workloads to be stateless, which consequently makes them easier to manage, scale and automate. --> <p>本文介绍了容器对象存储接口 (COSI)，它是在 Kubernetes 中制备和使用对象存储的一个标准。 它是 Kubernetes v1.25 中的一个 Alpha 功能。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/31/cgroupv2-ga-1-25/Wed, 31 Aug 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/31/cgroupv2-ga-1-25/<!-- layout: blog title: "Kubernetes 1.25: cgroup v2 graduates to GA" date: 2022-08-31 slug: cgroupv2-ga-1-25 --> <!-- **Authors:**: David Porter (Google), Mrunal Patel (Red Hat) --> <p><strong>作者</strong>: David Porter (Google), Mrunal Patel (Red Hat)</p> <!-- Kubernetes 1.25 brings cgroup v2 to GA (general availability), letting the [kubelet](/docs/concepts/overview/components/#kubelet) use the latest container resource management capabilities. --> <p>Kubernetes 1.25 将 cgroup v2 正式发布（GA）， 让 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/overview/components/#kubelet">kubelet</a> 使用最新的容器资源管理能力。</p> <!-- ## What are cgroups? --> <h2 id="什么是-cgroup">什么是 cgroup？</h2> <!-- Effective [resource management](/docs/concepts/configuration/manage-resources-containers/) is a critical aspect of Kubernetes. This involves managing the finite resources in your nodes, such as CPU, memory, and storage. *cgroups* are a Linux kernel capability that establish resource management functionality like limiting CPU usage or setting memory limits for running processes. --> <p>有效的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/configuration/manage-resources-containers/">资源管理</a>是 Kubernetes 的一个关键方面。 这涉及管理节点中的有限资源，例如 CPU、内存和存储。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/29/csi-inline-volumes-ga/Mon, 29 Aug 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/29/csi-inline-volumes-ga/<!-- layout: blog title: "Kubernetes 1.25: CSI Inline Volumes have graduated to GA" date: 2022-08-29 slug: csi-inline-volumes-ga --> <!-- **Author:** Jonathan Dobson (Red Hat) --> <p><strong>作者：</strong> Jonathan Dobson (Red Hat)</p> <!-- CSI Inline Volumes were introduced as an alpha feature in Kubernetes 1.15 and have been beta since 1.16. We are happy to announce that this feature has graduated to General Availability (GA) status in Kubernetes 1.25. CSI Inline Volumes are similar to other ephemeral volume types, such as `configMap`, `downwardAPI` and `secret`. The important difference is that the storage is provided by a CSI driver, which allows the use of ephemeral storage provided by third-party vendors. The volume is defined as part of the pod spec and follows the lifecycle of the pod, meaning the volume is created once the pod is scheduled and destroyed when the pod is destroyed. --> <p>CSI 内联存储卷是在 Kubernetes 1.15 中作为 Alpha 功能推出的，并从 1.16 开始成为 Beta 版本。 我们很高兴地宣布，这项功能在 Kubernetes 1.25 版本中正式发布（GA）。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/23/podsecuritypolicy-the-historical-context/Tue, 23 Aug 2022 15:00:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/23/podsecuritypolicy-the-historical-context/<!-- layout: blog title: "PodSecurityPolicy: The Historical Context" date: 2022-08-23T15:00:00-0800 slug: podsecuritypolicy-the-historical-context evergreen: true --> <!-- **Author:** Mahé Tardy (Quarkslab) --> <p><strong>作者：</strong> Mahé Tardy (Quarkslab)</p> <!-- The PodSecurityPolicy (PSP) admission controller has been removed, as of Kubernetes v1.25. Its deprecation was announced and detailed in the blog post [PodSecurityPolicy Deprecation: Past, Present, and Future](/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/), published for the Kubernetes v1.21 release. --> <p>从 Kubernetes v1.25 开始，PodSecurityPolicy (PSP) 准入控制器已被移除。 在为 Kubernetes v1.21 发布的博文 <a href="https://andygol-k8s.netlify.app/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/">PodSecurityPolicy 弃用：过去、现在和未来</a> 中，已经宣布并详细说明了它的弃用情况。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/23/kubernetes-v1-25-release/Tue, 23 Aug 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/23/kubernetes-v1-25-release/<!-- layout: blog title: "Kubernetes v1.25: Combiner" date: 2022-08-23 slug: kubernetes-v1-25-release --> <!-- **Authors**: [Kubernetes 1.25 Release Team](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.25/release-team.md) --> <p><strong>作者</strong>: <a href="https://github.com/kubernetes/sig-release/blob/master/releases/release-1.25/release-team.md">Kubernetes 1.25 发布团队</a></p> <!-- Announcing the release of Kubernetes v1.25! --> <p>宣布 Kubernetes v1.25 的发版！</p> <!-- This release includes a total of 40 enhancements. Fifteen of those enhancements are entering Alpha, ten are graduating to Beta, and thirteen are graduating to Stable. We also have two features being deprecated or removed. --> <p>这个版本总共包括 40 项增强功能。 其中 15 项增强功能进入 Alpha，10 项进入 Beta，13 项进入 Stable。 我们也废弃/移除了两个功能。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/22/sig-storage-spotlight/Mon, 22 Aug 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/22/sig-storage-spotlight/<!-- layout: blog title: "Spotlight on SIG Storage" slug: sig-storage-spotlight date: 2022-08-22 canonicalUrl: https://www.kubernetes.dev/blog/2022/08/22/sig-storage-spotlight-2022/ --> <!-- **Author**: Frederico Muñoz (SAS) --> <p><strong>作者</strong>：Frederico Muñoz (SAS)</p> <!-- Since the very beginning of Kubernetes, the topic of persistent data and how to address the requirement of stateful applications has been an important topic. Support for stateless deployments was natural, present from the start, and garnered attention, becoming very well-known. Work on better support for stateful applications was also present from early on, with each release increasing the scope of what could be run on Kubernetes. --> <p>自 Kubernetes 诞生之初，持久数据以及如何解决有状态应用程序的需求一直是一个重要的话题。 对无状态部署的支持是很自然的、从一开始就存在的，并引起了人们的关注，变得众所周知。 从早期开始，我们也致力于更好地支持有状态应用程序，每个版本都增加了可以在 Kubernetes 上运行的范围。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/15/meet-our-contributors-china-ep-03/Mon, 15 Aug 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/15/meet-our-contributors-china-ep-03/<!-- layout: blog title: "Meet Our Contributors - APAC (China region)" date: 2022-08-15 slug: meet-our-contributors-china-ep-03 canonicalUrl: https://www.kubernetes.dev/blog/2022/08/15/meet-our-contributors-chn-ep-03/ --> <!-- **Authors & Interviewers:** [Avinesh Tripathi](https://github.com/AvineshTripathi), [Debabrata Panigrahi](https://github.com/Debanitrkl), [Jayesh Srivastava](https://github.com/jayesh-srivastava), [Priyanka Saggu](https://github.com/Priyankasaggu11929/), [Purneswar Prasad](https://github.com/PurneswarPrasad), [Vedant Kakde](https://github.com/vedant-kakde) --> <p><strong>作者和受访者：</strong> <a href="https://github.com/AvineshTripathi">Avinesh Tripathi</a>、 <a href="https://github.com/Debanitrkl">Debabrata Panigrahi</a>、 <a href="https://github.com/jayesh-srivastava">Jayesh Srivastava</a>、 <a href="https://github.com/Priyankasaggu11929/">Priyanka Saggu</a>、 <a href="https://github.com/PurneswarPrasad">Purneswar Prasad</a>、 <a href="https://github.com/vedant-kakde">Vedant Kakde</a></p> <hr> <!-- Hello, everyone 👋 Welcome back to the third edition of the "Meet Our Contributors" blog post series for APAC. This post features four outstanding contributors from China, who have played diverse leadership and community roles in the upstream Kubernetes project. So, without further ado, let's get straight to the article. --> <p>大家好 👋</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/11/enhancing-kubernetes-one-kep-at-a-time/Thu, 11 Aug 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/11/enhancing-kubernetes-one-kep-at-a-time/<!-- layout: blog title: "Enhancing Kubernetes one KEP at a Time" date: 2022-08-11 slug: enhancing-kubernetes-one-kep-at-a-time canonicalUrl: https://www.k8s.dev/blog/2022/08/11/enhancing-kubernetes-one-kep-at-a-time/ --> <!-- **Author:** Ryler Hockenbury (Mastercard) --> <p><strong>作者：</strong> Ryler Hockenbury（Mastercard）</p> <!-- Did you know that Kubernetes v1.24 has [46 enhancements](https://kubernetes.io/blog/2022/05/03/kubernetes-1-24-release-announcement/)? That's a lot of new functionality packed into a 4-month release cycle. The Kubernetes release team coordinates the logistics of the release, from remediating test flakes to publishing updated docs. It's a ton of work, but they always deliver. The release team comprises around 30 people across six subteams - Bug Triage, CI Signal, Enhancements, Release Notes, Communications, and Docs.  Each of these subteams manages a component of the release. This post will focus on the role of the enhancements subteam and how you can get involved. --> <p>你是否知道 Kubernetes v1.24 有 <a href="https://kubernetes.io/zh-cn/blog/2022/05/03/kubernetes-1-24-release-announcement/">46 个增强特性</a>？ 在为期 4 个月的发布周期内包含了大量新特性。 Kubernetes 发布团队协调发布的后勤工作，从修复测试问题到发布更新的文档。他们需要完成成吨的工作，但发布团队总是能按期交付。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/04/upcoming-changes-in-kubernetes-1-25/Thu, 04 Aug 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/04/upcoming-changes-in-kubernetes-1-25/<!-- layout: blog title: "Kubernetes Removals and Major Changes In 1.25" date: 2022-08-04 slug: upcoming-changes-in-kubernetes-1-25 --> <!-- **Authors**: Kat Cosgrove, Frederico Muñoz, Debabrata Panigrahi --> <p><strong>作者</strong>：Kat Cosgrove、Frederico Muñoz、Debabrata Panigrahi</p> <!-- As Kubernetes grows and matures, features may be deprecated, removed, or replaced with improvements for the health of the project. Kubernetes v1.25 includes several major changes and one major removal. --> <p>随着 Kubernetes 成长和日趋成熟，为了此项目的健康发展，某些功能特性可能会被弃用、移除或替换为优化过的功能特性。 Kubernetes v1.25 包括几个主要变更和一个主要移除。</p> <!-- ## The Kubernetes API Removal and Deprecation process The Kubernetes project has a well-documented [deprecation policy](/docs/reference/using-api/deprecation-policy/) for features. This policy states that stable APIs may only be deprecated when a newer, stable version of that same API is available and that APIs have a minimum lifetime for each stability level. A deprecated API is one that has been marked for removal in a future Kubernetes release; it will continue to function until removal (at least one year from the deprecation), but usage will result in a warning being displayed. Removed APIs are no longer available in the current version, at which point you must migrate to using the replacement. --> <h2 id="the-kubernetes-api-removal-and-deprecation-process">Kubernetes API 移除和弃用流程</h2> <p>Kubernetes 项目对功能特性有一个文档完备的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/deprecation-policy/">弃用策略</a>。 该策略规定，只有当较新的、稳定的相同 API 可用时，原有的稳定 API 才可能被弃用，每个稳定级别的 API 都有一个最短的生命周期。 弃用的 API 指的是已标记为将在后续发行某个 Kubernetes 版本时移除的 API； 移除之前该 API 将继续发挥作用（从弃用起至少一年时间），但使用时会显示一条警告。 移除的 API 将在当前版本中不再可用，此时你必须迁移以使用替换的 API。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/02/sig-docs-spotlight-2022/Tue, 02 Aug 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/02/sig-docs-spotlight-2022/<!-- layout: blog title: "Spotlight on SIG Docs" date: 2022-08-02 slug: sig-docs-spotlight-2022 canonicalUrl: https://kubernetes.dev/blog/2022/08/02/sig-docs-spotlight-2022/ --> <!-- **Author:** Purneswar Prasad --> <p><strong>作者：</strong> Purneswar Prasad</p> <!-- ## Introduction The official documentation is the go-to source for any open source project. For Kubernetes, it's an ever-evolving Special Interest Group (SIG) with people constantly putting in their efforts to make details about the project easier to consume for new contributors and users. SIG Docs publishes the official documentation on [kubernetes.io](https://kubernetes.io) which includes, but is not limited to, documentation of the core APIs, core architectural details, and CLI tools shipped with the Kubernetes release. To learn more about the work of SIG Docs and its future ahead in shaping the community, I have summarised my conversation with the co-chairs, [Divya Mohan](https://twitter.com/Divya_Mohan02) (DM), [Rey Lejano](https://twitter.com/reylejano) (RL) and Natali Vlatko (NV), who ran through the SIG's goals and how fellow contributors can help. --> <h2 id="简介">简介</h2> <p>官方文档是所有开源项目的首选资料源。对于 Kubernetes，它是一个持续演进的特别兴趣小组 (SIG)， 人们持续不断努力制作详实的项目资料，让新贡献者和用户更容易取用这些文档。 SIG Docs 在 <a href="https://kubernetes.io">kubernetes.io</a> 上发布官方文档， 包括但不限于 Kubernetes 版本发布时附带的核心 API 文档、核心架构细节和 CLI 工具文档。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/07/13/gateway-api-graduates-to-beta/Wed, 13 Jul 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/07/13/gateway-api-graduates-to-beta/<!-- layout: blog title: Kubernetes Gateway API Graduates to Beta date: 2022-07-13 slug: gateway-api-graduates-to-beta canonicalUrl: https://gateway-api.sigs.k8s.io/blog/2022/graduating-to-beta/ --> <!-- **Authors:** Shane Utt (Kong), Rob Scott (Google), Nick Young (VMware), Jeff Apple (HashiCorp) --> <p><strong>作者：</strong> Shane Utt (Kong)、Rob Scott (Google)、Nick Young (VMware)、Jeff Apple (HashiCorp)</p> <p><strong>译者：</strong> Michael Yao (DaoCloud)</p> <!-- We are excited to announce the v0.5.0 release of Gateway API. For the first time, several of our most important Gateway API resources are graduating to beta. Additionally, we are starting a new initiative to explore how Gateway API can be used for mesh and introducing new experimental concepts such as URL rewrites. We'll cover all of this and more below. --> <p>我们很高兴地宣布 Gateway API 的 v0.5.0 版本发布。 我们最重要的几个 Gateway API 资源首次进入 Beta 阶段。 此外，我们正在启动一项新的倡议，探索如何将 Gateway API 用于网格，还引入了 URL 重写等新的实验性概念。 下文涵盖了这部分内容和更多说明。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/06/01/annual-report-summary-2021/Wed, 01 Jun 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/06/01/annual-report-summary-2021/<!-- layout: blog title: "Annual Report Summary 2021" date: 2022-06-01 slug: annual-report-summary-2021 --> <!-- **Author:** Paris Pittman (Steering Committee) --> <p><strong>作者：</strong> Paris Pittman（指导委员会）</p> <!-- Last year, we published our first [Annual Report Summary](/blog/2021/06/28/announcing-kubernetes-community-group-annual-reports/) for 2020 and it's already time for our second edition! [2021 Annual Report Summary](https://www.cncf.io/reports/kubernetes-annual-report-2021/) --> <p>去年，我们发布了第一期 <a href="https://andygol-k8s.netlify.app/blog/2021/06/28/announcing-kubernetes-community-group-annual-reports/">2020 年度总结报告</a>， 现在已经是时候发布第二期了！</p> <p><a href="https://www.cncf.io/reports/kubernetes-annual-report-2021/">2021 年度总结报告</a></p> <!-- This summary reflects the work that has been done in 2021 and the initiatives on deck for the rest of 2022. Please forward to organizations and indidviduals participating in upstream activities, planning cloud native strategies, and/or those looking to help out. To find a specific community group's complete report, go to the [kubernetes/community repo](https://github.com/kubernetes/community) under the groups folder. Example: [sig-api-machinery/annual-report-2021.md](https://github.com/kubernetes/community/blob/master/sig-api-machinery/annual-report-2021.md) --> <p>这份总结反映了 2021 年已完成的工作以及 2022 下半年置于台面上的倡议。 请将这份总结转发给正参与上游活动、计划云原生战略和寻求帮助的那些组织和个人。 若要查阅特定社区小组的完整报告，请访问 <a href="https://github.com/kubernetes/community">kubernetes/community 仓库</a>查找各小组的文件夹。例如： <a href="https://github.com/kubernetes/community/blob/master/sig-api-machinery/annual-report-2021.md">sig-api-machinery/annual-report-2021.md</a></p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/27/maxunavailable-for-statefulset/Fri, 27 May 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/27/maxunavailable-for-statefulset/<!-- layout: blog title: 'Kubernetes 1.24: Maximum Unavailable Replicas for StatefulSet' date: 2022-05-27 slug: maxunavailable-for-statefulset **Author:** Mayank Kumar (Salesforce) --> <p><strong>作者：</strong> Mayank Kumar (Salesforce)</p> <p><strong>译者：</strong> Xiaoyang Zhang（Huawei）</p> <!-- Kubernetes [StatefulSets](/docs/concepts/workloads/controllers/statefulset/), since their introduction in 1.5 and becoming stable in 1.9, have been widely used to run stateful applications. They provide stable pod identity, persistent per pod storage and ordered graceful deployment, scaling and rolling updates. You can think of StatefulSet as the atomic building block for running complex stateful applications. As the use of Kubernetes has grown, so has the number of scenarios requiring StatefulSets. Many of these scenarios, require faster rolling updates than the currently supported one-pod-at-a-time updates, in the case where you're using the `OrderedReady` Pod management policy for a StatefulSet. --> <p>Kubernetes <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/">StatefulSet</a>， 自 1.5 版本中引入并在 1.9 版本中变得稳定以来，已被广泛用于运行有状态应用。它提供固定的 Pod 身份标识、 每个 Pod 的持久存储以及 Pod 的有序部署、扩缩容和滚动更新功能。你可以将 StatefulSet 视为运行复杂有状态应用程序的原子构建块。随着 Kubernetes 的使用增多，需要 StatefulSet 的场景也越来越多。 当 StatefulSet 的 Pod 管理策略为 <code>OrderedReady</code> 时，其中许多场景需要比当前所支持的一次一个 Pod 的更新更快的滚动更新。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/25/contextual-logging/Wed, 25 May 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/25/contextual-logging/<!-- layout: blog title: "Contextual Logging in Kubernetes 1.24" date: 2022-05-25 slug: contextual-logging canonicalUrl: https://kubernetes.dev/blog/2022/05/25/contextual-logging/ --> <!-- **Authors:** Patrick Ohly (Intel) --> <p><strong>作者:</strong> Patrick Ohly (Intel)</p> <!-- The [Structured Logging Working Group](https://github.com/kubernetes/community/blob/master/wg-structured-logging/README.md) has added new capabilities to the logging infrastructure in Kubernetes 1.24. This blog post explains how developers can take advantage of those to make log output more useful and how they can get involved with improving Kubernetes. --> <p><a href="https://github.com/kubernetes/community/blob/master/wg-structured-logging/README.md">结构化日志工作组</a> 在 Kubernetes 1.24 中为日志基础设施添加了新功能。这篇博文解释了开发者如何利用这些功能使日志输出更有用， 以及他们如何参与改进 Kubernetes。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/23/service-ip-dynamic-and-static-allocation/Mon, 23 May 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/23/service-ip-dynamic-and-static-allocation/<!-- layout: blog title: "Kubernetes 1.24: Avoid Collisions Assigning IP Addresses to Services" date: 2022-05-23 slug: service-ip-dynamic-and-static-allocation --> <!-- **Author:** Antonio Ojea (Red Hat) --> <p><strong>作者：</strong> Antonio Ojea (Red Hat)</p> <!-- In Kubernetes, [Services](/docs/concepts/services-networking/service/) are an abstract way to expose an application running on a set of Pods. Services can have a cluster-scoped virtual IP address (using a Service of `type: ClusterIP`). Clients can connect using that virtual IP address, and Kubernetes then load-balances traffic to that Service across the different backing Pods. --> <p>在 Kubernetes 中，<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/service/">Services</a> 是一种抽象，用来暴露运行在一组 Pod 上的应用。 Service 可以有一个集群范围的虚拟 IP 地址（使用 <code>type: ClusterIP</code> 的 Service）。 客户端可以使用该虚拟 IP 地址进行连接， Kubernetes 为对该 Service 的访问流量提供负载均衡，以访问不同的后端 Pod。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/20/kubernetes-1-24-non-graceful-node-shutdown-alpha/Fri, 20 May 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/20/kubernetes-1-24-non-graceful-node-shutdown-alpha/<!-- layout: blog title: "Kubernetes 1.24: Introducing Non-Graceful Node Shutdown Alpha" date: 2022-05-20 slug: kubernetes-1-24-non-graceful-node-shutdown-alpha --> <!-- **Authors** Xing Yang and Yassine Tijani (VMware) --> <p><strong>作者</strong>：Xing Yang 和 Yassine Tijani (VMware)</p> <!-- Kubernetes v1.24 introduces alpha support for [Non-Graceful Node Shutdown](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/2268-non-graceful-shutdown). This feature allows stateful workloads to failover to a different node after the original node is shutdown or in a non-recoverable state such as hardware failure or broken OS. --> <p>Kubernetes v1.24 引入了对<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/2268-non-graceful-shutdown">节点非体面关闭</a> （Non-Graceful Node Shutdown）的 Alpha 支持。 此特性允许有状态工作负载在原节点关闭或处于不可恢复状态（如硬件故障或操作系统损坏）后，故障转移到不同的节点。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/18/prevent-unauthorised-volume-mode-conversion-alpha/Wed, 18 May 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/18/prevent-unauthorised-volume-mode-conversion-alpha/<!-- layout: blog title: 'Kubernetes 1.24: Prevent unauthorised volume mode conversion' date: 2022-05-18 slug: prevent-unauthorised-volume-mode-conversion-alpha --> <!-- **Author:** Raunak Pradip Shah (Mirantis) --> <p><strong>作者：</strong> Raunak Pradip Shah (Mirantis)</p> <!-- Kubernetes v1.24 introduces a new alpha-level feature that prevents unauthorised users from modifying the volume mode of a [`PersistentVolumeClaim`](/docs/concepts/storage/persistent-volumes/) created from an existing [`VolumeSnapshot`](/docs/concepts/storage/volume-snapshots/) in the Kubernetes cluster. --> <p>Kubernetes v1.24 引入了一个新的 alpha 级特性，可以防止未经授权的用户修改基于 Kubernetes 集群中已有的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/volume-snapshots/"><code>VolumeSnapshot</code></a> 创建的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/"><code>PersistentVolumeClaim</code></a> 的卷模式。</p> <!-- ### The problem --> <h3 id="问题">问题</h3> <!-- The [Volume Mode](/docs/concepts/storage/persistent-volumes/#volume-mode) determines whether a volume is formatted into a filesystem or presented as a raw block device. --> <p><a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/#volume-mode">卷模式</a>确定卷是格式化为文件系统还是显示为原始块设备。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/16/volume-populators-beta/Mon, 16 May 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/16/volume-populators-beta/<!-- layout: blog title: "Kubernetes 1.24: Volume Populators Graduate to Beta" date: 2022-05-16 slug: volume-populators-beta --> <!-- **Author:** Ben Swartzlander (NetApp) --> <p><strong>作者：</strong> Ben Swartzlander (NetApp)</p> <!-- The volume populators feature is now two releases old and entering beta! The `AnyVolumeDataSource` feature gate defaults to enabled in Kubernetes v1.24, which means that users can specify any custom resource as the data source of a PVC. --> <p>卷填充器功能现在已经经历两个发行版本并进入 Beta 阶段！ 在 Kubernetes v1.24 中 <code>AnyVolumeDataSource</code> 特性门控默认被启用。 这意味着用户可以指定任何自定义资源作为 PVC 的数据源。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/13/grpc-probes-now-in-beta/Fri, 13 May 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/13/grpc-probes-now-in-beta/<!-- layout: blog title: "Kubernetes 1.24: gRPC container probes in beta" date: 2022-05-13 slug: grpc-probes-now-in-beta --> <!-- **Author**: Sergey Kanzhelev (Google) --> <p><strong>作者</strong>：Sergey Kanzhelev (Google)</p> <p><strong>译者</strong>：Xiaoyang Zhang（Huawei）</p> <!-- With Kubernetes 1.24 the gRPC probes functionality entered beta and is available by default. Now you can configure startup, liveness, and readiness probes for your gRPC app without exposing any HTTP endpoint, nor do you need an executable. Kubernetes can natively connect to your workload via gRPC and query its status. --> <p>在 Kubernetes 1.24 中，gRPC 探针（probe）功能进入了 beta 阶段，默认情况下可用。 现在，你可以为 gRPC 应用程序配置启动、活跃和就绪探测，而无需公开任何 HTTP 端点， 也不需要可执行文件。Kubernetes 可以通过 gRPC 直接连接到你的工作负载并查询其状态。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/06/storage-capacity-ga/Fri, 06 May 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/06/storage-capacity-ga/<!-- layout: blog title: "Storage Capacity Tracking reaches GA in Kubernetes 1.24" date: 2022-05-06 slug: storage-capacity-ga --> <!-- **Authors:** Patrick Ohly (Intel) --> <p><strong>作者:</strong> Patrick Ohly（Intel）</p> <!-- The v1.24 release of Kubernetes brings [storage capacity](/docs/concepts/storage/storage-capacity/) tracking as a generally available feature. --> <p>在 Kubernetes v1.24 版本中，<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/storage-capacity/">存储容量</a>跟踪已经成为一项正式发布的功能。</p> <!-- ## Problems we have solved --> <h2 id="已经解决的问题">已经解决的问题</h2> <!-- As explained in more detail in the [previous blog post about this feature](/blog/2021/04/14/local-storage-features-go-beta/), storage capacity tracking allows a CSI driver to publish information about remaining capacity. The kube-scheduler then uses that information to pick suitable nodes for a Pod when that Pod has volumes that still need to be provisioned. --> <p>如<a href="https://andygol-k8s.netlify.app/blog/2021/04/14/local-storage-features-go-beta/">上一篇关于此功能的博文</a>中所详细介绍的， 存储容量跟踪允许 CSI 驱动程序发布有关剩余容量的信息。当 Pod 仍然有需要配置的卷时， kube-scheduler 使用该信息为 Pod 选择合适的节点。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/05/volume-expansion-ga/Thu, 05 May 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/05/volume-expansion-ga/<!-- --- layout: blog title: "Kubernetes 1.24: Volume Expansion Now A Stable Feature" date: 2022-05-05 slug: volume-expansion-ga --- --> <!-- **Author:** Hemant Kumar (Red Hat) Volume expansion was introduced as a alpha feature in Kubernetes 1.8 and it went beta in 1.11 and with Kubernetes 1.24 we are excited to announce general availability(GA) of volume expansion. This feature allows Kubernetes users to simply edit their `PersistentVolumeClaim` objects and specify new size in PVC Spec and Kubernetes will automatically expand the volume using storage backend and also expand the underlying file system in-use by the Pod without requiring any downtime at all if possible. --> <p><strong>作者：</strong> Hemant Kumar (Red Hat)</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/03/dockershim-historical-context/Tue, 03 May 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/03/dockershim-historical-context/<!-- layout: blog title: "Dockershim: The Historical Context" date: 2022-05-03 slug: dockershim-historical-context --> <!-- **Author:** Kat Cosgrove Dockershim has been removed as of Kubernetes v1.24, and this is a positive move for the project. However, context is important for fully understanding something, be it socially or in software development, and this deserves a more in-depth review. Alongside the dockershim removal in Kubernetes v1.24, we’ve seen some confusion (sometimes at a panic level) and dissatisfaction with this decision in the community, largely due to a lack of context around this removal. The decision to deprecate and eventually remove dockershim from Kubernetes was not made quickly or lightly. Still, it’s been in the works for so long that many of today’s users are newer than that decision, and certainly newer than the choices that led to the dockershim being necessary in the first place. So what is the dockershim, and why is it going away? --> <p><strong>作者：</strong> Kat Cosgrove</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/03/kubernetes-1-24-release-announcement/Tue, 03 May 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/05/03/kubernetes-1-24-release-announcement/<!-- layout: blog title: "Kubernetes 1.24: Stargazer" date: 2022-05-03 slug: kubernetes-1-24-release-announcement --> <!-- **Authors**: [Kubernetes 1.24 Release Team](https://git.k8s.io/sig-release/releases/release-1.24/release-team.md) We are excited to announce the release of Kubernetes 1.24, the first release of 2022! This release consists of 46 enhancements: fourteen enhancements have graduated to stable, fifteen enhancements are moving to beta, and thirteen enhancements are entering alpha. Also, two features have been deprecated, and two features have been removed. --> <p><strong>作者</strong>: <a href="https://git.k8s.io/sig-release/releases/release-1.24/release-team.md">Kubernetes 1.24 发布团队</a></p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/04/29/frontiers-fsgroups-and-frogs-kubernetes-1.23-%E5%8F%91%E5%B8%83%E9%87%87%E8%AE%BF/Fri, 29 Apr 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/04/29/frontiers-fsgroups-and-frogs-kubernetes-1.23-%E5%8F%91%E5%B8%83%E9%87%87%E8%AE%BF/<!-- layout: blog title: "Frontiers, fsGroups and frogs: the Kubernetes 1.23 release interview" date: 2022-04-29 --> <!-- **Author**: Craig Box (Google) --> <p><strong>作者</strong>: Craig Box (Google)</p> <!-- One of the highlights of hosting the weekly [Kubernetes Podcast from Google](https://kubernetespodcast.com/) is talking to the release managers for each new Kubernetes version. The release team is constantly refreshing. Many working their way from small documentation fixes, step up to shadow roles, and then eventually lead a release. --> <p>举办每周一次的<a href="https://kubernetespodcast.com/">来自 Google 的 Kubernetes 播客</a> 的亮点之一是与每个新 Kubernetes 版本的发布经理交谈。发布团队不断刷新。许多人从小型文档修复开始，逐步晋升为影子角色，然后最终领导发布。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/04/28/ingress-nginx-1-2-0/Thu, 28 Apr 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/04/28/ingress-nginx-1-2-0/<!-- layout: blog title: 'Increasing the security bar in Ingress-NGINX v1.2.0' date: 2022-04-28 slug: ingress-nginx-1-2-0 --> <!-- **Authors:** Ricardo Katz (VMware), James Strong (Chainguard) --> <p><strong>作者：</strong> Ricardo Katz (VMware), James Strong (Chainguard)</p> <!-- The [Ingress](/docs/concepts/services-networking/ingress/) may be one of the most targeted components of Kubernetes. An Ingress typically defines an HTTP reverse proxy, exposed to the Internet, containing multiple websites, and with some privileged access to Kubernetes API (such as to read Secrets relating to TLS certificates and their private keys). --> <p><a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/ingress/">Ingress</a> 可能是 Kubernetes 最容易受攻击的组件之一。 Ingress 通常定义一个 HTTP 反向代理，暴露在互联网上，包含多个网站，并具有对 Kubernetes API 的一些特权访问（例如读取与 TLS 证书及其私钥相关的 Secret）。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/04/07/upcoming-changes-in-kubernetes-1-24/Thu, 07 Apr 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/04/07/upcoming-changes-in-kubernetes-1-24/<!-- layout: blog title: "Kubernetes Removals and Deprecations In 1.24" date: 2022-04-07 slug: upcoming-changes-in-kubernetes-1-24 --> <!-- **Author**: Mickey Boxell (Oracle) As Kubernetes evolves, features and APIs are regularly revisited and removed. New features may offer an alternative or improved approach to solving existing problems, motivating the team to remove the old approach. --> <p><strong>作者</strong>：Mickey Boxell (Oracle)</p> <p>随着 Kubernetes 的发展，一些特性和 API 会被定期重检和移除。 新特性可能会提供替代或改进的方法，来解决现有的问题，从而激励团队移除旧的方法。</p> <!-- We want to make sure you are aware of the changes coming in the Kubernetes 1.24 release. The release will **deprecate** several (beta) APIs in favor of stable versions of the same APIs. The major change coming in the Kubernetes 1.24 release is the [removal of Dockershim](https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2221-remove-dockershim). This is discussed below and will be explored in more depth at release time. For an early look at the changes coming in Kubernetes 1.24, take a look at the in-progress [CHANGELOG](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md). --> <p>我们希望确保你了解 Kubernetes 1.24 版本的变化。该版本将 <strong>弃用</strong> 一些（测试版/beta）API， 转而支持相同 API 的稳定版本。Kubernetes 1.24 版本的主要变化是<a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2221-remove-dockershim">移除 Dockershim</a>。 这将在下面讨论，并将在发布时更深入地探讨。 要提前了解 Kubernetes 1.24 中的更改，请查看正在更新中的 <a href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md">CHANGELOG</a>。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/03/31/ready-for-dockershim-removal/Thu, 31 Mar 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/03/31/ready-for-dockershim-removal/<!-- layout: blog title: "Is Your Cluster Ready for v1.24?" date: 2022-03-31 slug: ready-for-dockershim-removal --> <!-- **Author:** Kat Cosgrove --> <p><strong>作者:</strong> Kat Cosgrove</p> <!-- Way back in December of 2020, Kubernetes announced the [deprecation of Dockershim](/blog/2020/12/02/dont-panic-kubernetes-and-docker/). In Kubernetes, dockershim is a software shim that allows you to use the entire Docker engine as your container runtime within Kubernetes. In the upcoming v1.24 release, we are removing Dockershim - the delay between deprecation and removal in line with the [project’s policy](https://kubernetes.io/docs/reference/using-api/deprecation-policy/) of supporting features for at least one year after deprecation. If you are a cluster operator, this guide includes the practical realities of what you need to know going into this release. Also, what do you need to do to ensure your cluster doesn’t fall over! --> <p>早在 2020 年 12 月，Kubernetes 就宣布<a href="https://andygol-k8s.netlify.app/zh-cn/blog/2020/12/02/dont-panic-kubernetes-and-docker/">弃用 Dockershim</a>。 在 Kubernetes 中，dockershim 是一个软件 shim， 它允许你将整个 Docker 引擎用作 Kubernetes 中的容器运行时。 在即将发布的 v1.24 版本中，我们将移除 Dockershim - 在宣布弃用之后到彻底移除这段时间内，我们至少预留了一年的时间继续支持此功能， 这符合相关的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/using-api/deprecation-policy/">项目策略</a>。 如果你是集群操作员，则该指南包含你在此版本中需要了解的实际情况。 另外还包括你需要做些什么来确保你的集群不会崩溃！</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/03/16/meet-our-contributors-au-nz-ep-02/Wed, 16 Mar 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/03/16/meet-our-contributors-au-nz-ep-02/<!-- layout: blog title: "Meet Our Contributors - APAC (Aus-NZ region)" date: 2022-03-16 slug: meet-our-contributors-au-nz-ep-02 canonicalUrl: https://www.kubernetes.dev/blog/2022/03/14/meet-our-contributors-au-nz-ep-02/ --> <!-- **Authors & Interviewers:** [Anubhav Vardhan](https://github.com/anubha-v-ardhan), [Atharva Shinde](https://github.com/Atharva-Shinde), [Avinesh Tripathi](https://github.com/AvineshTripathi), [Brad McCoy](https://github.com/bradmccoydev), [Debabrata Panigrahi](https://github.com/Debanitrkl), [Jayesh Srivastava](https://github.com/jayesh-srivastava), [Kunal Verma](https://github.com/verma-kunal), [Pranshu Srivastava](https://github.com/PranshuSrivastava), [Priyanka Saggu](github.com/Priyankasaggu11929/), [Purneswar Prasad](https://github.com/PurneswarPrasad), [Vedant Kakde](https://github.com/vedant-kakde) --> <p><strong>作者和采访者：</strong> <a href="https://github.com/anubha-v-ardhan">Anubhav Vardhan</a>、 <a href="https://github.com/Atharva-Shinde">Atharva Shinde</a>、 <a href="https://github.com/AvineshTripathi">Avinesh Tripathi</a>、 <a href="https://github.com/bradmccoydev">Brad McCoy</a>、 <a href="https://github.com/Debanitrkl">Debabrata Panigrahi</a>、 <a href="https://github.com/jayesh-srivastava">Jayesh Srivastava</a>、 <a href="https://github.com/verma-kunal">Kunal Verma</a>、 <a href="https://github.com/PranshuSrivastava">Pranshu Srivastava</a>、 <a href="github.com/Priyankasaggu11929/">Priyanka Saggu</a>、 <a href="https://github.com/PurneswarPrasad">Purneswar Prasad</a>、 <a href="https://github.com/vedant-kakde">Vedant Kakde</a></p> <hr> <!-- Good day, everyone 👋 --> <p>大家好👋</p> <!-- Welcome back to the second episode of the "Meet Our Contributors" blog post series for APAC. --> <p>欢迎来到亚太地区的”认识我们的贡献者”博文系列第二期。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/02/17/dockershim-faq/Thu, 17 Feb 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/02/17/dockershim-faq/<!-- layout: blog title: "Updated: Dockershim Removal FAQ" linkTitle: "Dockershim Removal FAQ" date: 2022-02-17 slug: dockershim-faq aliases: [ '/dockershim' ] --> <!-- **This supersedes the original [Dockershim Deprecation FAQ](/blog/2020/12/02/dockershim-faq/) article, published in late 2020. The article includes updates from the v1.24 release of Kubernetes.** --> <p><strong>本文是针对 2020 年末发布的<a href="https://andygol-k8s.netlify.app/zh-cn/blog/2020/12/02/dockershim-faq/">弃用 Dockershim 的常见问题</a>的博客更新。 本文包括 Kubernetes v1.24 版本的更新。</strong></p> <hr> <!-- This document goes over some frequently asked questions regarding the removal of _dockershim_ from Kubernetes. The removal was originally [announced](/blog/2020/12/08/kubernetes-1-20-release-announcement/) as a part of the Kubernetes v1.20 release. The Kubernetes [v1.24 release](/releases/#release-v1-24) actually removed the dockershim from Kubernetes. --> <p>本文介绍了一些关于从 Kubernetes 中移除 <em>dockershim</em> 的常见问题。 该移除最初是作为 Kubernetes v1.20 版本的一部分<a href="https://andygol-k8s.netlify.app/zh-cn/blog/2020/12/08/kubernetes-1-20-release-announcement/">宣布</a>的。 Kubernetes 在 <a href="https://andygol-k8s.netlify.app/zh-cn/releases/#release-v1-24">v1.24 版</a>移除了 dockershim。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/02/16/sig-node-ci-subproject-celebrates/Wed, 16 Feb 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/02/16/sig-node-ci-subproject-celebrates/<!-- --- layout: blog title: 'SIG Node CI Subproject Celebrates Two Years of Test Improvements' date: 2022-02-16 slug: sig-node-ci-subproject-celebrates canonicalUrl: https://www.kubernetes.dev/blog/2022/02/16/sig-node-ci-subproject-celebrates-two-years-of-test-improvements/ url: /zh-cn/blog/2022/02/sig-node-ci-subproject-celebrates --- --> <p><strong>作者：</strong> Sergey Kanzhelev (Google), Elana Hashman (Red Hat)</p> <!--**Authors:** Sergey Kanzhelev (Google), Elana Hashman (Red Hat)--> <!--Ensuring the reliability of SIG Node upstream code is a continuous effort that takes a lot of behind-the-scenes effort from many contributors. There are frequent releases of Kubernetes, base operating systems, container runtimes, and test infrastructure that result in a complex matrix that requires attention and steady investment to "keep the lights on." In May 2020, the Kubernetes node special interest group ("SIG Node") organized a new subproject for continuous integration (CI) for node-related code and tests. Since its inauguration, the SIG Node CI subproject has run a weekly meeting, and even the full hour is often not enough to complete triage of all bugs, test-related PRs and issues, and discuss all related ongoing work within the subgroup.--> <p>保证 SIG 节点上游代码的可靠性是一项持续的工作，需要许多贡献者在幕后付出大量努力。 Kubernetes、基础操作系统、容器运行时和测试基础架构的频繁发布，导致了一个复杂的矩阵， 需要关注和稳定的投资来“保持灯火通明”。2020 年 5 月，Kubernetes Node 特殊兴趣小组 （“SIG Node”）为节点相关代码和测试组织了一个新的持续集成（CI）子项目。自成立以来，SIG Node CI 子项目每周举行一次会议，即使一整个小时通常也不足以完成对所有缺陷、测试相关的 PR 和问题的分类， 并讨论组内所有相关的正在进行的工作。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/02/07/sig-multicluster-spotlight-2022/Mon, 07 Feb 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/02/07/sig-multicluster-spotlight-2022/<!-- layout: blog title: "Spotlight on SIG Multicluster" date: 2022-02-07 slug: sig-multicluster-spotlight-2022 canonicalUrl: https://www.kubernetes.dev/blog/2022/02/04/sig-multicluster-spotlight-2022/ --> <!-- **Authors:** Dewan Ahmed (Aiven) and Chris Short (AWS) --> <p><strong>作者：</strong> Dewan Ahmed (Aiven) 和 Chris Short (AWS)</p> <!-- ## Introduction [SIG Multicluster](https://github.com/kubernetes/community/tree/master/sig-multicluster) is the SIG focused on how Kubernetes concepts are expanded and used beyond the cluster boundary. Historically, Kubernetes resources only interacted within that boundary - KRU or Kubernetes Resource Universe (not an actual Kubernetes concept). Kubernetes clusters, even now, don't really know anything about themselves or, about other clusters. Absence of cluster identifiers is a case in point. With the growing adoption of multicloud and multicluster deployments, the work SIG Multicluster doing is gaining a lot of attention. In this blog, [Jeremy Olmsted-Thompson, Google](https://twitter.com/jeremyot) and [Chris Short, AWS](https://twitter.com/ChrisShort) discuss the interesting problems SIG Multicluster is solving and how you can get involved. Their initials **JOT** and **CS** will be used for brevity. --> <h2 id="简介">简介</h2> <p><a href="https://github.com/kubernetes/community/tree/master/sig-multicluster">SIG Multicluster</a> 是专注于如何拓展 Kubernetes 的概念并将其用于集群边界之外的 SIG。 以往 Kubernetes 资源仅在 Kubernetes Resource Universe (KRU) 这个边界内进行交互，其中 KRU 不是一个实际的 Kubernetes 概念。 即使是现在，Kubernetes 集群对自身或其他集群并不真正了解。集群标识符的缺失就是一个例子。 随着多云和多集群部署日益普及，SIG Multicluster 所做的工作越来越受到关注。 在这篇博客中，<a href="https://twitter.com/jeremyot">来自 Google 的 Jeremy Olmsted-Thompson</a> 和 <a href="https://twitter.com/ChrisShort">来自 AWS 的 Chris Short</a> 讨论了 SIG Multicluster 正在解决的一些有趣的问题和以及大家如何参与其中。 为简洁起见，下文将使用他们两位的首字母 <strong>JOT</strong> 和 <strong>CS</strong>。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/01/19/secure-your-admission-controllers-and-webhooks/Wed, 19 Jan 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/01/19/secure-your-admission-controllers-and-webhooks/<!-- layout: blog title: "Securing Admission Controllers" date: 2022-01-19 slug: secure-your-admission-controllers-and-webhooks --> <!-- **Author:** Rory McCune (Aqua Security) --> <p><strong>作者:</strong> Rory McCune (Aqua Security)</p> <!-- [Admission control](/docs/reference/access-authn-authz/admission-controllers/) is a key part of Kubernetes security, alongside authentication and authorization. Webhook admission controllers are extensively used to help improve the security of Kubernetes clusters in a variety of ways including restricting the privileges of workloads and ensuring that images deployed to the cluster meet organization’s security requirements. --> <p><a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/admission-controllers/">准入控制</a>和认证、授权都是 Kubernetes 安全性的关键部分。 Webhook 准入控制器被广泛用于以多种方式帮助提高 Kubernetes 集群的安全性， 包括限制工作负载权限和确保部署到集群的镜像满足组织安全要求。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/01/10/meet-our-contributors-india-ep-01/Mon, 10 Jan 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/01/10/meet-our-contributors-india-ep-01/<!-- layout: blog title: "Meet Our Contributors - APAC (India region)" date: 2022-01-10 slug: meet-our-contributors-india-ep-01 canonicalUrl: https://www.kubernetes.dev/blog/2022/01/10/meet-our-contributors-india-ep-01/ --> <!-- **Authors & Interviewers:** [Anubhav Vardhan](https://github.com/anubha-v-ardhan), [Atharva Shinde](https://github.com/Atharva-Shinde), [Avinesh Tripathi](https://github.com/AvineshTripathi), [Debabrata Panigrahi](https://github.com/Debanitrkl), [Kunal Verma](https://github.com/verma-kunal), [Pranshu Srivastava](https://github.com/PranshuSrivastava), [Pritish Samal](https://github.com/CIPHERTron), [Purneswar Prasad](https://github.com/PurneswarPrasad), [Vedant Kakde](https://github.com/vedant-kakde) --> <p><strong>作者和采访者：</strong> <a href="https://github.com/anubha-v-ardhan">Anubhav Vardhan</a>、 <a href="https://github.com/Atharva-Shinde">Atharva Shinde</a>、 <a href="https://github.com/AvineshTripathi">Avinesh Tripathi</a>、 <a href="https://github.com/Debanitrkl">Debabrata Panigrahi</a>、 <a href="https://github.com/verma-kunal">Kunal Verma</a>、 <a href="https://github.com/PranshuSrivastava">Pranshu Srivastava</a>、 <a href="https://github.com/CIPHERTron">Pritish Samal</a>、 <a href="https://github.com/PurneswarPrasad">Purneswar Prasad</a>、 <a href="https://github.com/vedant-kakde">Vedant Kakde</a></p> <!-- **Editor:** [Priyanka Saggu](https://psaggu.com) --> <p><strong>编辑：</strong> <a href="https://psaggu.com">Priyanka Saggu</a></p> <hr> <!-- Good day, everyone 👋 --> <p>大家好 👋</p> <!-- Welcome to the first episode of the APAC edition of the "Meet Our Contributors" blog post series. --> <p>欢迎来到亚太地区的“认识我们的贡献者”博文系列第一期。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim/Fri, 07 Jan 2022 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2022/01/07/kubernetes-is-moving-on-from-dockershim/<!-- layout: blog title: "Kubernetes is Moving on From Dockershim: Commitments and Next Steps" date: 2022-01-07 slug: kubernetes-is-moving-on-from-dockershim --> <!-- **Authors:** Sergey Kanzhelev (Google), Jim Angel (Google), Davanum Srinivas (VMware), Shannon Kularathna (Google), Chris Short (AWS), Dawn Chen (Google) --> <p><strong>作者：</strong> Sergey Kanzhelev (Google), Jim Angel (Google), Davanum Srinivas (VMware), Shannon Kularathna (Google), Chris Short (AWS), Dawn Chen (Google)</p> <!-- Kubernetes is removing dockershim in the upcoming v1.24 release. We're excited to reaffirm our community values by supporting open source container runtimes, enabling a smaller kubelet, and increasing engineering velocity for teams using Kubernetes. If you [use Docker Engine as a container runtime](/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use/) for your Kubernetes cluster, get ready to migrate in 1.24! To check if you're affected, refer to [Check whether dockershim removal affects you](/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/). --> <p>Kubernetes 将在即将发布的 1.24 版本中移除 dockershim。我们很高兴能够通过支持开源容器运行时、支持更小的 kubelet 以及为使用 Kubernetes 的团队提高工程速度来重申我们的社区价值。 如果你<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/find-out-runtime-you-use/">使用 Docker Engine 作为 Kubernetes 集群的容器运行时</a>， 请准备好在 1.24 中迁移！要检查你是否受到影响， 请参考<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/">检查移除 Dockershim 对你的影响</a>。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2021/12/17/security-profiles-operator/Fri, 17 Dec 2021 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2021/12/17/security-profiles-operator/<!-- layout: blog title: "What's new in Security Profiles Operator v0.4.0" date: 2021-12-17 slug: security-profiles-operator --> <!-- **Authors:** Jakub Hrozek, Juan Antonio Osorio, Paulo Gomes, Sascha Grunert --> <p><strong>作者:</strong> Jakub Hrozek, Juan Antonio Osorio, Paulo Gomes, Sascha Grunert</p> <hr> <!-- The [Security Profiles Operator (SPO)](https://sigs.k8s.io/security-profiles-operator) is an out-of-tree Kubernetes enhancement to make the management of [seccomp](https://en.wikipedia.org/wiki/Seccomp), [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) and [AppArmor](https://en.wikipedia.org/wiki/AppArmor) profiles easier and more convenient. We're happy to announce that we recently [released v0.4.0](https://github.com/kubernetes-sigs/security-profiles-operator/releases/tag/v0.4.0) of the operator, which contains a ton of new features, fixes and usability improvements. --> <p><a href="https://sigs.k8s.io/security-profiles-operator">Security Profiles Operator (SPO)</a> 是一种树外 Kubernetes 增强功能，用于更方便、更便捷地管理 <a href="https://en.wikipedia.org/wiki/Seccomp">seccomp</a>、 <a href="https://zh.wikipedia.org/wiki/%E5%AE%89%E5%85%A8%E5%A2%9E%E5%BC%BA%E5%BC%8FLinux">SELinux</a> 和 <a href="https://zh.wikipedia.org/wiki/AppArmor">AppArmor</a> 配置文件。 我们很高兴地宣布，我们最近<a href="https://github.com/kubernetes-sigs/security-profiles-operator/releases/tag/v0.4.0">发布了 v0.4.0</a> 的 Operator，其中包含了大量的新功能、缺陷修复和可用性改进。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2021/12/16/kubernetes-1-23-statefulset-pvc-auto-deletion/Thu, 16 Dec 2021 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2021/12/16/kubernetes-1-23-statefulset-pvc-auto-deletion/<!-- layout: blog title: 'Kubernetes 1.23: StatefulSet PVC Auto-Deletion (alpha)' date: 2021-12-16 slug: kubernetes-1-23-statefulset-pvc-auto-deletion --> <!-- **Author:** Matthew Cary (Google) --> <p><strong>作者:</strong> Matthew Cary (谷歌)</p> <!-- Kubernetes v1.23 introduced a new, alpha-level policy for [StatefulSets](/docs/concepts/workloads/controllers/statefulset/) that controls the lifetime of [PersistentVolumeClaims](/docs/concepts/storage/persistent-volumes/) (PVCs) generated from the StatefulSet spec template for cases when they should be deleted automatically when the StatefulSet is deleted or pods in the StatefulSet are scaled down. --> <p>Kubernetes v1.23 为 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/controllers/statefulset/">StatefulSets</a> 引入了一个新的 alpha 级策略，用来控制由 StatefulSet 规约模板生成的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/storage/persistent-volumes/">PersistentVolumeClaims</a> (PVCs) 的生命周期， 用于当删除 StatefulSet 或减少 StatefulSet 中的 Pods 数量时 PVCs 应该被自动删除的场景。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2021/12/10/storage-in-tree-to-csi-migration-status-update/Fri, 10 Dec 2021 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2021/12/10/storage-in-tree-to-csi-migration-status-update/<!--- layout: blog title: "Kubernetes 1.23: Kubernetes In-Tree to CSI Volume Migration Status Update" date: 2021-12-10 slug: storage-in-tree-to-csi-migration-status-update --> <!--- **Author:** Jiawei Wang (Google) --> <p><strong>作者</strong>: Jiawei Wang（谷歌）</p> <!--- The Kubernetes in-tree storage plugin to [Container Storage Interface (CSI)](/blog/2019/01/15/container-storage-interface-ga/) migration infrastructure has already been [beta](/blog/2019/12/09/kubernetes-1-17-feature-csi-migration-beta/) since v1.17. CSI migration was introduced as alpha in Kubernetes v1.14. --> <p>自 Kubernetes v1.14 引入容器存储接口（<a href="https://andygol-k8s.netlify.app/blog/2019/01/15/container-storage-interface-ga/">Container Storage Interface, CSI</a>）的工作达到 alpha 阶段后，自 v1.17 起，Kubernetes 树内存储插件（in-tree storage plugin）向 CSI 的迁移基础设施已步入 <a href="https://andygol-k8s.netlify.app/blog/2019/12/09/kubernetes-1-17-feature-csi-migration-beta/">beta 阶段</a>。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2021/12/08/dual-stack-networking-ga/Wed, 08 Dec 2021 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2021/12/08/dual-stack-networking-ga/<!-- layout: blog title: 'Kubernetes 1.23: Dual-stack IPv4/IPv6 Networking Reaches GA' date: 2021-12-08 slug: dual-stack-networking-ga --> <!-- **Author:** Bridget Kromhout (Microsoft) --> <p><strong>作者:</strong> Bridget Kromhout (微软)</p> <!-- "When will Kubernetes have IPv6?" This question has been asked with increasing frequency ever since alpha support for IPv6 was first added in k8s v1.9. While Kubernetes has supported IPv6-only clusters since v1.18, migration from IPv4 to IPv6 was not yet possible at that point. At long last, [dual-stack IPv4/IPv6 networking](https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/563-dual-stack/) has reached general availability (GA) in Kubernetes v1.23. What does dual-stack networking mean for you? Let’s take a look… --> <p>“Kubernetes 何时支持 IPv6？” 自从 k8s v1.9 版本中首次添加对 IPv6 的 alpha 支持以来，这个问题的讨论越来越频繁。 虽然 Kubernetes 从 v1.18 版本开始就支持纯 IPv6 集群，但当时还无法支持 IPv4 迁移到 IPv6。 <a href="https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/563-dual-stack/">IPv4/IPv6 双协议栈网络</a> 在 Kubernetes v1.23 版本中进入正式发布（GA）阶段。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2021/11/08/steering-committee-results-2021/Mon, 08 Nov 2021 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2021/11/08/steering-committee-results-2021/<!-- layout: blog title: "Announcing the 2021 Steering Committee Election Results" date: 2021-11-08 slug: steering-committee-results-2021 --> <!-- **Author**: Kaslin Fields --> <p><strong>作者</strong>：Kaslin Fields</p> <!-- The [2021 Steering Committee Election](https://github.com/kubernetes/community/tree/master/events/elections/2021) is now complete. The Kubernetes Steering Committee consists of 7 seats, 4 of which were up for election in 2021. Incoming committee members serve a term of 2 years, and all members are elected by the Kubernetes Community. --> <p><a href="https://github.com/kubernetes/community/tree/master/events/elections/2021">2021 年指导委员会选举</a>现已完成。 Kubernetes 指导委员会由 7 个席位组成，其中 4 个席位将在 2021 年进行选举。 新任委员会成员任期 2 年，所有成员均由 Kubernetes 社区选举产生。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2021/09/27/sig-node-spotlight-2021/Mon, 27 Sep 2021 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2021/09/27/sig-node-spotlight-2021/<!-- --- layout: blog title: "Spotlight on SIG Node" date: 2021-09-27 slug: sig-node-spotlight-2021 --- --> <p><strong>Author:</strong> Dewan Ahmed, Red Hat</p> <!-- **Author:** Dewan Ahmed, Red Hat --> <!-- ## Introduction In Kubernetes, a _Node_ is a representation of a single machine in your cluster. [SIG Node](https://github.com/kubernetes/community/tree/master/sig-node) owns that very important Node component and supports various subprojects such as Kubelet, Container Runtime Interface (CRI) and more to support how the pods and host resources interact. In this blog, we have summarized our conversation with [Elana Hashman (EH)](https://twitter.com/ehashdn) & [Sergey Kanzhelev (SK)](https://twitter.com/SergeyKanzhelev), who walk us through the various aspects of being a part of the SIG and share some insights about how others can get involved. --> <h2 id="介绍">介绍</h2> <p>在 Kubernetes 中，一个 <em>Node</em> 是你集群中的某台机器。 <a href="https://github.com/kubernetes/community/tree/master/sig-node">SIG Node</a> 负责这一非常重要的 Node 组件并支持各种子项目， 如 Kubelet, Container Runtime Interface (CRI) 以及其他支持 Pod 和主机资源间交互的子项目。 在这篇文章中，我们总结了和 <a href="https://twitter.com/ehashdn">Elana Hashman (EH)</a> &amp; <a href="https://twitter.com/SergeyKanzhelev">Sergey Kanzhelev (SK)</a> 的对话，是他们带领我们了解作为此 SIG 一份子的各个方面，并分享一些关于其他人如何参与的见解。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2021/07/26/update-with-ingress-nginx/Mon, 26 Jul 2021 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2021/07/26/update-with-ingress-nginx/<!-- layout: blog title: 'Updating NGINX-Ingress to use the stable Ingress API' date: 2021-07-26 slug: update-with-ingress-nginx --> <!-- **Authors:** James Strong, Ricardo Katz --> <p><strong>作者：</strong> James Strong, Ricardo Katz</p> <!-- With all Kubernetes APIs, there is a process to creating, maintaining, and ultimately deprecating them once they become GA. The networking.k8s.io API group is no different. The upcoming Kubernetes 1.22 release will remove several deprecated APIs that are relevant to networking: --> <p>对于所有 Kubernetes API，一旦它们被正式发布（GA），就有一个创建、维护和最终弃用它们的过程。 networking.k8s.io API 组也不例外。 即将发布的 Kubernetes 1.22 版本将移除几个与网络相关的已弃用 API：</p>https://andygol-k8s.netlify.app/zh-cn/blog/2021/07/15/sig-usability-spotlight-2021/Thu, 15 Jul 2021 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2021/07/15/sig-usability-spotlight-2021/<!-- layout: blog title: "Spotlight on SIG Usability" date: 2021-07-15 slug: sig-usability-spotlight-2021 author: > Kunal Kushwaha (Civo) --> <div class="alert alert-info" role="note"><h4 class="alert-heading">说明：</h4><!-- SIG Usability, which is featured in this Spotlight blog, has been deprecated and is no longer active. As a result, the links and information provided in this blog post may no longer be valid or relevant. Should there be renewed interest and increased participation in the future, the SIG may be revived. However, as of August 2023 the SIG is inactive per the Kubernetes community policy. The Kubernetes project encourages you to explore other [SIGs](https://github.com/kubernetes/community/blob/master/sig-list.md#special-interest-groups) and resources available on the Kubernetes website to stay up-to-date with the latest developments and enhancements in Kubernetes. --> <p>本篇聚焦博客提到的 SIG Usability 已被弃用并且不再活跃。因此， 本文中提供的链接和信息可能已失效或不再适用。 如果未来社区对该小组重新产生兴趣并有更多成员参与， 它有可能会被重新启用。但根据 Kubernetes 社区的政策， 截至 2023 年 8 月，该 SIG 已处于非活跃状态。 Kubernetes 项目鼓励你去探索其他 <a href="https://github.com/kubernetes/community/blob/master/sig-list.md#special-interest-groups">SIG</a> 以及 Kubernetes 官网提供的各类资源，以便及时了解 Kubernetes 的最新进展和功能增强。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2021/04/16/volume-health-monitoring-alpha-update/Fri, 16 Apr 2021 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2021/04/16/volume-health-monitoring-alpha-update/<!-- layout: blog title: "Volume Health Monitoring Alpha Update" date: 2021-04-16 slug: volume-health-monitoring-alpha-update --> <!-- **Author:** Xing Yang (VMware) --> <p><strong>作者：</strong> Xing Yang (VMware)</p> <!-- The CSI Volume Health Monitoring feature, originally introduced in 1.19 has undergone a large update for the 1.21 release. --> <p>最初在 1.19 中引入的 CSI 卷健康监控功能在 1.21 版本中进行了大规模更新。</p> <!-- ## Why add Volume Health Monitoring to Kubernetes? --> <h2 id="为什么要向-kubernetes-添加卷健康监控">为什么要向 Kubernetes 添加卷健康监控？</h2> <!-- Without Volume Health Monitoring, Kubernetes has no knowledge of the state of the underlying volumes of a storage system after a PVC is provisioned and used by a Pod. Many things could happen to the underlying storage system after a volume is provisioned in Kubernetes. For example, the volume could be deleted by accident outside of Kubernetes, the disk that the volume resides on could fail, it could be out of capacity, the disk may be degraded which affects its performance, and so on. Even when the volume is mounted on a pod and used by an application, there could be problems later on such as read/write I/O errors, file system corruption, accidental unmounting of the volume outside of Kubernetes, etc. It is very hard to debug and detect root causes when something happened like this. --> <p>如果没有卷健康监控，在 PVC 被 Pod 配置和使用后，Kubernetes 将不知道存储系统的底层卷的状态。 在 Kubernetes 中配置卷后，底层存储系统可能会发生很多事情。 例如，卷可能在 Kubernetes 之外被意外删除、卷所在的磁盘可能发生故障、容量不足、磁盘可能被降级而影响其性能等等。 即使卷被挂载到 Pod 上并被应用程序使用，以后也可能会出现诸如读/写 I/O 错误、文件系统损坏、在 Kubernetes 之外被意外卸载卷等问题。 当发生这样的事情时，调试和检测根本原因是非常困难的。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/Tue, 06 Apr 2021 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/<!-- title: "PodSecurityPolicy Deprecation: Past, Present, and Future" --> <!-- **Author:** Tabitha Sable (Kubernetes SIG Security) --> <p>作者：Tabitha Sable（Kubernetes SIG Security）</p> <div class="pageinfo pageinfo-primary"> <!-- **Update:** *With the release of Kubernetes v1.25, PodSecurityPolicy has been removed.* --> <p><strong>更新：随着 Kubernetes v1.25 的发布，PodSecurityPolicy 已被删除。</strong></p> <!-- *You can read more information about the removal of PodSecurityPolicy in the [Kubernetes 1.25 release notes](/blog/2022/08/23/kubernetes-v1-25-release/#pod-security-changes).* --> <p><strong>你可以在 <a href="https://andygol-k8s.netlify.app/zh-cn/blog/2022/08/23/kubernetes-v1-25-release/#pod-security-changes">Kubernetes 1.25 发布说明</a> 中阅读有关删除 PodSecurityPolicy 的更多信息。</strong></p> </div> <!-- PodSecurityPolicy (PSP) is being deprecated in Kubernetes 1.21, to be released later this week. This starts the countdown to its removal, but doesn’t change anything else. PodSecurityPolicy will continue to be fully functional for several more releases before being removed completely. In the meantime, we are developing a replacement for PSP that covers key use cases more easily and sustainably. --> <p>PodSecurityPolicy (PSP) 在 Kubernetes 1.21 中被弃用。<!--to be released later this week这句感觉没必要翻译，非漏译--> PSP 日后会被移除，但目前不会改变任何其他内容。在移除之前，PSP 将继续在后续多个版本中完全正常运行。 与此同时，我们正在开发 PSP 的替代品，希望可以更轻松、更可持续地覆盖关键用例。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2020/12/21/writing-crl-scheduler/Mon, 21 Dec 2020 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2020/12/21/writing-crl-scheduler/<!-- --- layout: blog title: "A Custom Kubernetes Scheduler to Orchestrate Highly Available Applications" date: 2020-12-21 slug: writing-crl-scheduler --- --> <p><strong>作者</strong>: Chris Seto (Cockroach Labs)</p> <!-- **Author**: Chris Seto (Cockroach Labs) --> <!-- As long as you're willing to follow the rules, deploying on Kubernetes and air travel can be quite pleasant. More often than not, things will "just work". However, if one is interested in travelling with an alligator that must remain alive or scaling a database that must remain available, the situation is likely to become a bit more complicated. It may even be easier to build one's own plane or database for that matter. Travelling with reptiles aside, scaling a highly available stateful system is no trivial task. --> <p>只要你愿意遵守规则，那么在 Kubernetes 上的部署和探索可以是相当愉快的。更多时候，事情会 &quot;顺利进行&quot;。 然而，如果一个人对与必须保持存活的鳄鱼一起旅行或者是对必须保持可用的数据库进行扩展有兴趣， 情况可能会变得更复杂一点。 相较于这个问题，建立自己的飞机或数据库甚至还可能更容易一些。撇开与鳄鱼的旅行不谈，扩展一个高可用的有状态系统也不是一件小事。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2020/12/18/kubernetes-1.20-pod-impersonation-short-lived-volumes-in-csi/Fri, 18 Dec 2020 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2020/12/18/kubernetes-1.20-pod-impersonation-short-lived-volumes-in-csi/<!-- layout: blog title: 'Kubernetes 1.20: Pod Impersonation and Short-lived Volumes in CSI Drivers' date: 2020-12-18 slug: kubernetes-1.20-pod-impersonation-short-lived-volumes-in-csi --> <!-- **Author**: Shihang Zhang (Google) --> <p><strong>作者</strong>: Shihang Zhang（谷歌）</p> <!-- Typically when a [CSI](https://github.com/container-storage-interface/spec/blob/baa71a34651e5ee6cb983b39c03097d7aa384278/spec.md) driver mounts credentials such as secrets and certificates, it has to authenticate against storage providers to access the credentials. However, the access to those credentials are controlled on the basis of the pods' identities rather than the CSI driver's identity. CSI drivers, therefore, need some way to retrieve pod's service account token. --> <p>通常，当 <a href="https://github.com/container-storage-interface/spec/blob/baa71a34651e5ee6cb983b39c03097d7aa384278/spec.md">CSI</a> 驱动程序挂载 诸如 Secret 和证书之类的凭据时，它必须通过存储提供者的身份认证才能访问这些凭据。 然而，对这些凭据的访问是根据 Pod 的身份而不是 CSI 驱动程序的身份来控制的。 因此，CSI 驱动程序需要某种方法来取得 Pod 的服务帐户令牌。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2020/12/08/kubernetes-1-20-release-announcement/Tue, 08 Dec 2020 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2020/12/08/kubernetes-1-20-release-announcement/<!-- --- layout: blog title: 'Kubernetes 1.20: The Raddest Release' date: 2020-12-08 slug: kubernetes-1-20-release-announcement evergreen: true --- --> <p><strong>作者:</strong> <a href="https://github.com/kubernetes/sig-release/blob/master/releases/release-1.20/release_team.md">Kubernetes 1.20 发布团队</a></p> <!-- **Authors:** [Kubernetes 1.20 Release Team](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.20/release_team.md) --> <p>我们很高兴地宣布 Kubernetes 1.20 的发布，这是我们 2020 年的第三个也是最后一个版本！此版本包含 42 项增强功能：11 项增强功能已升级到稳定版，15 项增强功能正在进入测试版，16 项增强功能正在进入 Alpha 版。</p> <!-- We’re pleased to announce the release of Kubernetes 1.20, our third and final release of 2020! This release consists of 42 enhancements: 11 enhancements have graduated to stable, 15 enhancements are moving to beta, and 16 enhancements are entering alpha. --> <p>1.20 发布周期在上一个延长的发布周期之后恢复到 11 周的正常节奏。这是一段时间以来功能最密集的版本之一：Kubernetes 创新周期仍呈上升趋势。此版本具有更多的 Alpha 而非稳定的增强功能，表明云原生生态系统仍有许多需要探索的地方。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2020/12/02/dont-panic-kubernetes-and-docker/Wed, 02 Dec 2020 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2020/12/02/dont-panic-kubernetes-and-docker/<!-- layout: blog title: "Don't Panic: Kubernetes and Docker" date: 2020-12-02 slug: dont-panic-kubernetes-and-docker evergreen: true --> <p><strong>作者：</strong> Jorge Castro, Duffie Cooley, Kat Cosgrove, Justin Garrison, Noah Kantrowitz, Bob Killen, Rey Lejano, Dan “POP” Papandrea, Jeffrey Sica, Davanum “Dims” Srinivas</p> <!-- **Update:** _Kubernetes support for Docker via `dockershim` is now removed. For more information, read the [removal FAQ](/dockershim). You can also discuss the deprecation via a dedicated [GitHub issue](https://github.com/kubernetes/kubernetes/issues/106917)._ --> <p><strong>更新</strong>：Kubernetes 通过 <code>dockershim</code> 对 Docker 的支持现已移除。 有关更多信息，请阅读<a href="https://andygol-k8s.netlify.app/zh-cn/dockershim">移除 FAQ</a>。 你还可以通过专门的 <a href="https://github.com/kubernetes/kubernetes/issues/106917">GitHub issue</a> 讨论弃用。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2020/12/02/dockershim-faq/Wed, 02 Dec 2020 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2020/12/02/dockershim-faq/<!-- layout: blog title: "Dockershim Deprecation FAQ" date: 2020-12-02 slug: dockershim-faq --> <!-- _**Update**: There is a [newer version](/blog/2022/02/17/dockershim-faq/) of this article available._ --> <p><em><strong>更新</strong>：本文有<a href="https://andygol-k8s.netlify.app/zh-cn/blog/2022/02/17/dockershim-faq/">较新版本</a>。</em></p> <!-- This document goes over some frequently asked questions regarding the Dockershim deprecation announced as a part of the Kubernetes v1.20 release. For more detail on the deprecation of Docker as a container runtime for Kubernetes kubelets, and what that means, check out the blog post [Don't Panic: Kubernetes and Docker](/blog/2020/12/02/dont-panic-kubernetes-and-docker/). Also, you can read [check whether Dockershim removal affects you](/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/) to check whether it does. --> <p>本文回顾了自 Kubernetes v1.20 版宣布弃用 Dockershim 以来所引发的一些常见问题。 关于 Kubernetes kubelets 从容器运行时的角度弃用 Docker 的细节以及这些细节背后的含义，请参考博文 <a href="https://andygol-k8s.netlify.app/blog/2020/12/02/dont-panic-kubernetes-and-docker/">别慌: Kubernetes 和 Docker</a>。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2020/10/01/%E4%B8%BA%E5%BC%80%E5%8F%91%E6%8C%87%E5%8D%97%E5%81%9A%E8%B4%A1%E7%8C%AE/Thu, 01 Oct 2020 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2020/10/01/%E4%B8%BA%E5%BC%80%E5%8F%91%E6%8C%87%E5%8D%97%E5%81%9A%E8%B4%A1%E7%8C%AE/<!-- --- title: "Contributing to the Development Guide" linkTitle: "Contributing to the Development Guide" Author: Erik L. Arneson Description: "A new contributor describes the experience of writing and submitting changes to the Kubernetes Development Guide." date: 2020-10-01 canonicalUrl: https://www.kubernetes.dev/blog/2020/09/28/contributing-to-the-development-guide/ resources: - src: "jorge-castro-code-of-conduct.jpg" title: "Jorge Castro announcing the Kubernetes Code of Conduct during a weekly SIG ContribEx meeting." --- --> <!-- When most people think of contributing to an open source project, I suspect they probably think of contributing code changes, new features, and bug fixes. As a software engineer and a long-time open source user and contributor, that's certainly what I thought. Although I have written a good quantity of documentation in different workflows, the massive size of the Kubernetes community was a new kind of "client." I just didn't know what to expect when Google asked my compatriots and me at [Lion's Way](https://lionswaycontent.com/) to make much-needed updates to the Kubernetes Development Guide. *This article originally appeared on the [Kubernetes Contributor Community blog](https://www.kubernetes.dev/blog/2020/09/28/contributing-to-the-development-guide/).* --> <p>当大多数人想到为一个开源项目做贡献时，我猜想他们可能想到的是贡献代码修改、新功能和错误修复。作为一个软件工程师和一个长期的开源用户和贡献者，这也正是我的想法。 虽然我已经在不同的工作流中写了不少文档，但规模庞大的 Kubernetes 社区是一种新型 &quot;客户&quot;。我只是不知道当 Google 要求我和 <a href="https://lionswaycontent.com/">Lion's Way</a> 的同胞们对 Kubernetes 开发指南进行必要更新时会发生什么。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2020/09/04/kubernetes-1-19-introducing-structured-logs/Fri, 04 Sep 2020 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2020/09/04/kubernetes-1-19-introducing-structured-logs/<!-- layout: blog title: 'Introducing Structured Logs' date: 2020-09-04 slug: kubernetes-1-19-Introducing-Structured-Logs --> <!-- **Authors:** Marek Siarkowicz (Google), Nathan Beach (Google) --> <p><strong>作者：</strong> Marek Siarkowicz（谷歌），Nathan Beach（谷歌）</p> <!-- Logs are an essential aspect of observability and a critical tool for debugging. But Kubernetes logs have traditionally been unstructured strings, making any automated parsing difficult and any downstream processing, analysis, or querying challenging to do reliably. --> <p>日志是可观察性的一个重要方面，也是调试的重要工具。 但是Kubernetes日志传统上是非结构化的字符串，因此很难进行自动解析，以及任何可靠的后续处理、分析或查询。</p> <!-- In Kubernetes 1.19, we are adding support for structured logs, which natively support (key, value) pairs and object references. We have also updated many logging calls such that over 99% of logging volume in a typical deployment are now migrated to the structured format. --> <p>在Kubernetes 1.19中，我们添加结构化日志的支持，该日志本身支持（键，值）对和对象引用。 我们还更新了许多日志记录调用，以便现在将典型部署中超过99％的日志记录量迁移为结构化格式。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2020/09/03/warnings/Thu, 03 Sep 2020 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2020/09/03/warnings/<!-- layout: blog title: "Warning: Helpful Warnings Ahead" date: 2020-09-03 slug: warnings evergreen: true --> <!-- **Author**: [Jordan Liggitt](https://github.com/liggitt) (Google) --> <p><strong>作者</strong>: <a href="https://github.com/liggitt">Jordan Liggitt</a> (Google)</p> <!-- As Kubernetes maintainers, we're always looking for ways to improve usability while preserving compatibility. As we develop features, triage bugs, and answer support questions, we accumulate information that would be helpful for Kubernetes users to know. In the past, sharing that information was limited to out-of-band methods like release notes, announcement emails, documentation, and blog posts. Unless someone knew to seek out that information and managed to find it, they would not benefit from it. --> <p>作为 Kubernetes 维护者，我们一直在寻找在保持兼容性的同时提高可用性的方法。 在开发功能、分类 Bug、和回答支持问题的过程中，我们积累了有助于 Kubernetes 用户了解的信息。 过去，共享这些信息仅限于发布说明、公告电子邮件、文档和博客文章等带外方法。 除非有人知道需要寻找这些信息并成功找到它们，否则他们不会从中受益。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2020/06/better-docs-ux-with-docsy/Mon, 15 Jun 2020 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2020/06/better-docs-ux-with-docsy/<!-- layout: blog title: A Better Docs UX With Docsy date: 2020-06-15 slug: better-docs-ux-with-docsy url: /blog/2020/06/better-docs-ux-with-docsy --> <!-- **Author:** Zach Corleissen, Cloud Native Computing Foundation --> <p><strong>作者：</strong> Zach Corleissen，Cloud Native Computing Foundation</p> <!-- *Editor's note: Zach is one of the chairs for the Kubernetes documentation special interest group (SIG Docs).* --> <p><strong>编者注：Zach 是 Kubernetes 文档特别兴趣小组（SIG Docs）的主席之一。</strong></p> <!-- I'm pleased to announce that the [Kubernetes website](https://kubernetes.io) now features the [Docsy Hugo theme](https://docsy.dev). --> <p>我很高兴地宣布 <a href="https://kubernetes.io">Kubernetes 网站</a>现在采用了 <a href="https://docsy.dev">Docsy Hugo 主题</a>。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2020/03/25/kubernetes-1-18-release-announcement/Wed, 25 Mar 2020 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2020/03/25/kubernetes-1-18-release-announcement/<!-- **Authors:** [Kubernetes 1.18 Release Team](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.18/release_team.md) --> <p><strong>作者:</strong> <a href="https://github.com/kubernetes/sig-release/blob/master/releases/release-1.18/release_team.md">Kubernetes 1.18 发布团队</a></p> <!-- We're pleased to announce the delivery of Kubernetes 1.18, our first release of 2020! Kubernetes 1.18 consists of 38 enhancements: 15 enhancements are moving to stable, 11 enhancements in beta, and 12 enhancements in alpha. --> <p>我们很高兴宣布 Kubernetes 1.18 版本的交付，这是我们 2020 年的第一版！Kubernetes 1.18 包含 38 个增强功能：15 项增强功能已转为稳定版，11 项增强功能处于 beta 阶段，12 项增强功能处于 alpha 阶段。</p> <!-- Kubernetes 1.18 is a "fit and finish" release. Significant work has gone into improving beta and stable features to ensure users have a better experience. An equal effort has gone into adding new developments and exciting new features that promise to enhance the user experience even more. --> <p>Kubernetes 1.18 是一个近乎 “完美” 的版本。为了改善 beta 和稳定的特性，已进行了大量工作， 以确保用户获得更好的体验。我们在增强现有功能的同时也增加了令人兴奋的新特性，这些有望进一步增强用户体验。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2020/01/15/kubernetes-on-mips/Wed, 15 Jan 2020 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2020/01/15/kubernetes-on-mips/<!-- layout: blog title: "Kubernetes on MIPS" date: 2020-01-15 slug: Kubernetes-on-MIPS --> <!-- **Authors:** TimYin Shi, Dominic Yin, Wang Zhan, Jessica Jiang, Will Cai, Jeffrey Gao, Simon Sun (Inspur) --> <p><strong>作者:</strong> 石光银，尹东超，展望，江燕，蔡卫卫，高传集，孙思清（浪潮）</p> <!-- ## Background --> <h2 id="背景">背景</h2> <!-- [MIPS](https://en.wikipedia.org/wiki/MIPS_architecture) (Microprocessor without Interlocked Pipelined Stages) is a reduced instruction set computer (RISC) instruction set architecture (ISA), appeared in 1981 and developed by MIPS Technologies. Now MIPS architecture is widely used in many electronic products. --> <p><a href="https://zh.wikipedia.org/wiki/MIPS%E6%9E%B6%E6%A7%8B">MIPS</a> (Microprocessor without Interlocked Pipelined Stages) 是一种采取精简指令集（RISC）的处理器架构 (ISA)，出现于 1981 年，由 MIPS 科技公司开发。如今 MIPS 架构被广泛应用于许多电子产品上。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2019/12/09/kubernetes-1-17-release-announcement/Mon, 09 Dec 2019 13:00:00 -0800https://andygol-k8s.netlify.app/zh-cn/blog/2019/12/09/kubernetes-1-17-release-announcement/<!-- --- layout: blog title: "Kubernetes 1.17: Stability" date: 2019-12-09T13:00:00-08:00 slug: kubernetes-1-17-release-announcement evergreen: true --- --> <p><strong>作者:</strong> <a href="https://github.com/kubernetes/sig-release/blob/master/releases/release-1.17/release_team.md">Kubernetes 1.17发布团队</a></p> <!-- **Authors:** [Kubernetes 1.17 Release Team](https://github.com/kubernetes/sig-release/blob/master/releases/release-1.17/release_team.md) --> <p>我们高兴的宣布Kubernetes 1.17版本的交付，它是我们2019年的第四个也是最后一个发布版本。Kubernetes v1.17包含22个增强功能：有14个增强已经逐步稳定(stable)，4个增强功能已经进入公开测试版(beta)，4个增强功能刚刚进入内部测试版(alpha)。</p> <!-- We’re pleased to announce the delivery of Kubernetes 1.17, our fourth and final release of 2019! Kubernetes v1.17 consists of 22 enhancements: 14 enhancements have graduated to stable, 4 enhancements are moving to beta, and 4 enhancements are entering alpha. --> <h2 id="主要的主题">主要的主题</h2> <!-- ## Major Themes --> <h3 id="云服务提供商标签基本可用">云服务提供商标签基本可用</h3> <!-- ### Cloud Provider Labels reach General Availability --> <p>作为公开测试版特性添加到 v1.2 ，v1.17 中可以看到云提供商标签达到基本可用。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2019/11/26/develop-a-kubernetes-controller-in-java/Tue, 26 Nov 2019 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2019/11/26/develop-a-kubernetes-controller-in-java/<!-- --- layout: blog title: "Develop a Kubernetes controller in Java" date: 2019-11-26 slug: Develop-A-Kubernetes-Controller-in-Java --- --> <!-- **Authors:** Min Kim (Ant Financial), Tony Ado (Ant Financial) --> <p><strong>作者:</strong> Min Kim (蚂蚁金服), Tony Ado (蚂蚁金服)</p> <!-- The official [Kubernetes Java SDK](https://github.com/kubernetes-client/java) project recently released their latest work on providing the Java Kubernetes developers a handy Kubernetes controller-builder SDK which is helpful for easily developing advanced workloads or systems. --> <p><a href="https://github.com/kubernetes-client/java">Kubernetes Java SDK</a> 官方项目最近发布了他们的最新工作，为 Java Kubernetes 开发人员提供一个便捷的 Kubernetes 控制器-构建器 SDK，它有助于轻松开发高级工作负载或系统。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2019/11/26/running-kubernetes-locally-on-linux-with-microk8s/Tue, 26 Nov 2019 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2019/11/26/running-kubernetes-locally-on-linux-with-microk8s/<!-- title: 'Running Kubernetes locally on Linux with Microk8s' date: 2019-11-26 --> <!-- **Authors**: [Ihor Dvoretskyi](https://twitter.com/idvoretskyi), Developer Advocate, Cloud Native Computing Foundation; [Carmine Rimi](https://twitter.com/carminerimi) --> <p><strong>作者</strong>: <a href="https://twitter.com/idvoretskyi">Ihor Dvoretskyi</a>，开发支持者，云原生计算基金会；<a href="https://twitter.com/carminerimi">Carmine Rimi</a></p> <!-- This article, the second in a [series](/blog/2019/03/28/running-kubernetes-locally-on-linux-with-minikube-now-with-kubernetes-1.14-support/) about local deployment options on Linux, and covers [MicroK8s](https://microk8s.io/). Microk8s is the click-and-run solution for deploying a Kubernetes cluster locally, originally developed by Canonical, the publisher of Ubuntu. --> <p>本文是关于 Linux 上的本地部署选项<a href="https://twitter.com/idvoretskyi">系列</a>的第二篇，涵盖了 <a href="https://microk8s.io/">MicroK8s</a>。Microk8s 是本地部署 Kubernetes 集群的 'click-and-run' 方案，最初由 Ubuntu 的发布者 Canonical 开发。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2019/10/29/kubernetes-documentation-end-user-survey/Tue, 29 Oct 2019 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2019/10/29/kubernetes-documentation-end-user-survey/<!-- --- layout: blog title: "Kubernetes Documentation Survey" date: 2019-10-29 slug: kubernetes-documentation-end-user-survey --- --> <p><strong>Author:</strong> <a href="https://www.linkedin.com/in/aimee-ukasick/">Aimee Ukasick</a> and SIG Docs</p> <!-- In September, SIG Docs conducted its first survey about the [Kubernetes documentation](https://kubernetes.io/docs/). We'd like to thank the CNCF's Kim McMahon for helping us create the survey and access the results. --> <p>9月，SIG Docs 进行了第一次关于 <a href="https://kubernetes.io/docs/">Kubernetes 文档</a>的用户调研。我们要感谢 CNCF 的 Kim McMahon 帮助我们创建调查并获取结果。</p> <!-- # Key takeaways --> <h1 id="主要收获">主要收获</h1> <!-- Respondents would like more example code, more detailed content, and more diagrams in the Concepts, Tasks, and Reference sections. --> <p>受访者希望能在概念、任务和参考部分得到更多示例代码、更详细的内容和更多图表。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2019/10/10/contributor-summit-san-diego-schedule/Thu, 10 Oct 2019 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2019/10/10/contributor-summit-san-diego-schedule/<!-- layout: blog title: "Contributor Summit San Diego Schedule Announced!" date: 2019-10-10 slug: contributor-summit-san-diego-schedule --> <!-- **Authors:** Josh Berkus (Red Hat), Paris Pittman (Google), Jonas Rosland (VMware) --> <p><strong>作者：</strong> Josh Berkus (Red Hat), Paris Pittman (Google), Jonas Rosland (VMware)</p> <!-- There are many great sessions planned for the Contributor Summit, spread across five rooms of current contributor content in addition to the new contributor workshops. Since this is an upstream contributor summit and we don't often meet, being a globally distributed team, most of these sessions are discussions or hands-on labs, not just presentations. We want folks to learn and have a good time meeting their OSS teammates. --> <p>除了新贡献者研讨会之外，贡献者峰会还安排了许多精彩的会议，这些会议分布在当前五个贡献者内容的会议室中。由于这是一个上游贡献者峰会，并且我们不经常见面，所以作为一个全球分布的团队，这些会议大多是讨论或动手实践，而不仅仅是演示。我们希望大家互相学习，并于他们的开源代码队友玩的开心。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2019/10/03/2019-steering-committee-election-results/Thu, 03 Oct 2019 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2019/10/03/2019-steering-committee-election-results/<!-- --- layout: blog title: "2019 Steering Committee Election Results" date: 2019-10-03 slug: 2019-steering-committee-election-results --- --> <!-- **Authors**: Bob Killen (University of Michigan), Jorge Castro (VMware), Brian Grant (Google), and Ihor Dvoretskyi (CNCF) --> <p><strong>作者</strong>：Bob Killen (University of Michigan), Jorge Castro (VMware), Brian Grant (Google), and Ihor Dvoretskyi (CNCF)</p> <!-- The [2019 Steering Committee Election] is a landmark milestone for the Kubernetes project. The initial bootstrap committee is graduating to emeritus and the committee has now shrunk to its final allocation of seven seats. All members of the Steering Committee are now fully elected by the Kubernetes Community. --> <p><a href="https://git.k8s.io/community/events/elections/2021">2019 指导委员会选举</a> 是 Kubernetes 项目的重要里程碑。最初的自助委员会正逐步退休，现在该委员会已缩减到最后分配的 7 个席位。指导委员会的所有成员现在都由 Kubernetes 社区选举产生。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2019/09/24/san-diego-contributor-summit/Tue, 24 Sep 2019 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2019/09/24/san-diego-contributor-summit/<!-- --- layout: blog title: "Contributor Summit San Diego Registration Open!" date: 2019-09-24 slug: san-diego-contributor-summit --- ---> <!-- **Authors:** Paris Pittman (Google), Jeffrey Sica (Red Hat), Jonas Rosland (VMware) ---> <p><strong>作者：</strong> Paris Pittman (Google), Jeffrey Sica (Red Hat), Jonas Rosland (VMware)</p> <!-- [Contributor Summit San Diego 2019 Event Page] In record time, we’ve hit capacity for the *new contributor workshop* session of the event! ---> <p><a href="https://events.linuxfoundation.org/events/kubernetes-contributor-summit-north-america-2019/">2019 San Diego 贡献者峰会活动页面</a> 在创纪录的时间内，<em>新贡献者研讨会</em> 活动已满员！</p>https://andygol-k8s.netlify.app/zh-cn/blog/2019/08/29/the-machines-can-do-the-work-a-story-of-kubernetes-testing-ci-and-automating-the-contributor-experience/Thu, 29 Aug 2019 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2019/08/29/the-machines-can-do-the-work-a-story-of-kubernetes-testing-ci-and-automating-the-contributor-experience/<!-- layout: blog title: 'The Machines Can Do the Work, a Story of Kubernetes Testing, CI, and Automating the Contributor Experience' date: 2018-08-29 --> <!-- **Author**: Aaron Crickenberger (Google) and Benjamin Elder (Google) --> <p><strong>作者</strong>：Aaron Crickenberger（谷歌）和 Benjamin Elder（谷歌）</p> <!-- _“Large projects have a lot of less exciting, yet, hard work. We value time spent automating repetitive work more highly than toil. Where that work cannot be automated, it is our culture to recognize and reward all types of contributions. However, heroism is not sustainable.”_ - [Kubernetes Community Values](https://git.k8s.io/community/values.md#automation-over-process) --> <p><em>”大型项目有很多不那么令人兴奋，但却很辛苦的工作。比起辛苦工作，我们更重视把时间花在自动化重复性工作上，如果这项工作无法实现自动化，我们的文化就是承认并奖励所有类型的贡献。然而，英雄主义是不可持续的。“</em> - <a href="https://git.k8s.io/community/values.md#automation-over-process">Kubernetes Community Values</a></p>https://andygol-k8s.netlify.app/zh-cn/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/Tue, 06 Aug 2019 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2019/08/06/opa-gatekeeper-policy-and-governance-for-kubernetes/<!-- --- layout: blog title: "OPA Gatekeeper: Policy and Governance for Kubernetes" date: 2019-08-06 slug: OPA-Gatekeeper-Policy-and-Governance-for-Kubernetes --- ---> <!-- **Authors:** Rita Zhang (Microsoft), Max Smythe (Google), Craig Hooper (Commonwealth Bank AU), Tim Hinrichs (Styra), Lachie Evenson (Microsoft), Torin Sandall (Styra) ---> <p><strong>作者：</strong> Rita Zhang (Microsoft), Max Smythe (Google), Craig Hooper (Commonwealth Bank AU), Tim Hinrichs (Styra), Lachie Evenson (Microsoft), Torin Sandall (Styra)</p> <!-- The [Open Policy Agent Gatekeeper](https://github.com/open-policy-agent/gatekeeper) project can be leveraged to help enforce policies and strengthen governance in your Kubernetes environment. In this post, we will walk through the goals, history, and current state of the project. ---> <p>可以从项目 <a href="https://github.com/open-policy-agent/gatekeeper">Open Policy Agent Gatekeeper</a> 中获得帮助，在 Kubernetes 环境下实施策略并加强治理。在本文中，我们将逐步介绍该项目的目标，历史和当前状态。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2019/06/11/join-us-at-the-contributor-summit-in-shanghai/Tue, 11 Jun 2019 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2019/06/11/join-us-at-the-contributor-summit-in-shanghai/<!-- --- layout: blog title: 'Join us at the Contributor Summit in Shanghai' date: 2019-06-11 --- --> <p><strong>Author</strong>: Josh Berkus (Red Hat)</p> <!--  --> <p></p> <!-- For the second year, we will have [a Contributor Summit event](https://www.lfasiallc.com/events/contributors-summit-china-2019/) the day before [KubeCon China](https://events.linuxfoundation.cn/events/kubecon-cloudnativecon-china-2019/) in Shanghai. If you already contribute to Kubernetes or would like to contribute, please consider attending and [register](https://www.lfasiallc.com/events/contributors-summit-china-2019/register/). The Summit will be held June 24th, at the Shanghai Expo Center (the same location where KubeCon will take place), and will include a Current Contributor Day as well as the New Contributor Workshop and the Documentation Sprints. --> <p>连续第二年，我们将在 <a href="https://events.linuxfoundation.cn/events/kubecon-cloudnativecon-china-2019/">KubeCon China</a> 之前举行一天的 <a href="https://www.lfasiallc.com/events/contributors-summit-china-2019/">贡献者峰会</a>。 不管您是否已经是一名 Kubernetes 贡献者，还是想要加入社区队伍，贡献一份力量，都请考虑<a href="https://www.lfasiallc.com/events/contributors-summit-china-2019/register/">注册</a>参加这次活动。 这次峰会将于六月 24 号，在上海世博中心（和 KubeCon 的举办地点相同）举行， 一天的活动将包含“现有贡献者活动”，以及“新贡献者工作坊”和“文档小组活动”。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2019/05/14/expanding-our-contributor-workshops/Tue, 14 May 2019 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2019/05/14/expanding-our-contributor-workshops/<!-- --- layout: blog title: "Expanding our Contributor Workshops" date: 2019-05-14 slug: expanding-our-contributor-workshops --- --> <!-- **Authors:** Guinevere Saenger (GitHub) and Paris Pittman (Google) --> <p><strong>作者:</strong> Guinevere Saenger (GitHub) 和 Paris Pittman (Google)（谷歌）</p> <!-- **tl;dr** - learn about the contributor community with us and land your first PR! We have spots available in [Barcelona][eu] (registration **closes** on Wednesday May 15, so grab your spot!) and the upcoming [Shanghai][cn] Summit. --> <p><strong>tl;dr</strong> - 与我们一起了解贡献者社区，并获得你的第一份 PR ! 我们在[巴塞罗那][欧洲]有空位（登记 在5月15号周三<strong>结束</strong>，所以抓住这次机会！）并且在[上海][中国]有即将到来的峰会。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2019/04/26/how-you-can-help-localize-kubernetes-docs/Fri, 26 Apr 2019 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2019/04/26/how-you-can-help-localize-kubernetes-docs/<!-- layout: blog title: 'How You Can Help Localize Kubernetes Docs' date: 2019-04-26 --> <!-- **Author: Zach Corleissen (Linux Foundation)** Last year we optimized the Kubernetes website for [hosting multilingual content](/blog/2018/11/08/kubernetes-docs-updates-international-edition/). Contributors responded by adding multiple new localizations: as of April 2019, Kubernetes docs are partially available in nine different languages, with six added in 2019 alone. You can see a list of available languages in the language selector at the top of each page. By _partially available_, I mean that localizations are ongoing projects. They range from mostly complete ([Chinese docs for 1.12](https://v1-12.docs.kubernetes.io/zh/)) to brand new (1.14 docs in [Portuguese](https://kubernetes.io/pt/)). If you're interested in helping an existing localization, read on! --> <p><strong>作者: Zach Corleissen（Linux 基金会）</strong></p>https://andygol-k8s.netlify.app/zh-cn/blog/2019/04/24/%E4%BD%BF%E7%94%A8-kubernetes-%E8%AE%BE%E5%A4%87%E6%8F%92%E4%BB%B6%E5%92%8C-runtimeclass-%E5%9C%A8-ingress-%E6%8E%A7%E5%88%B6%E5%99%A8%E4%B8%AD%E5%AE%9E%E7%8E%B0%E7%A1%AC%E4%BB%B6%E5%8A%A0%E9%80%9F-ssl/tls-%E7%BB%88%E6%AD%A2/Wed, 24 Apr 2019 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2019/04/24/%E4%BD%BF%E7%94%A8-kubernetes-%E8%AE%BE%E5%A4%87%E6%8F%92%E4%BB%B6%E5%92%8C-runtimeclass-%E5%9C%A8-ingress-%E6%8E%A7%E5%88%B6%E5%99%A8%E4%B8%AD%E5%AE%9E%E7%8E%B0%E7%A1%AC%E4%BB%B6%E5%8A%A0%E9%80%9F-ssl/tls-%E7%BB%88%E6%AD%A2/<!-- layout: blog title: 'Hardware Accelerated SSL/TLS Termination in Ingress Controllers using Kubernetes Device Plugins and RuntimeClass' date: 2019-04-24 --> <!-- **Authors:** Mikko Ylinen (Intel) --> <p><strong>作者：</strong> Mikko Ylinen (Intel)</p> <p><strong>译者：</strong> <a href="https://github.com/pegasas">pegasas</a></p> <!-- ## Abstract --> <h2 id="摘要">摘要</h2> <!-- A Kubernetes Ingress is a way to connect cluster services to the world outside the cluster. In order to correctly route the traffic to service backends, the cluster needs an Ingress controller. The Ingress controller is responsible for setting the right destinations to backends based on the Ingress API objects’ information. The actual traffic is routed through a proxy server that is responsible for tasks such as load balancing and SSL/TLS (later “SSL” refers to both SSL or TLS ) termination. The SSL termination is a CPU heavy operation due to the crypto operations involved. To offload some of the CPU intensive work away from the CPU, OpenSSL based proxy servers can take the benefit of OpenSSL Engine API and dedicated crypto hardware. This frees CPU cycles for other things and improves the overall throughput of the proxy server. --> <p>Kubernetes Ingress 是在集群服务与集群外部世界建立连接的一种方法。为了正确地将流量路由到服务后端，集群需要一个 Ingress 控制器。Ingress 控制器负责根据 Ingress API 对象的信息设置目标到正确的后端。实际流量通过代理服务器路由， 代理服务器负责诸如负载均衡和 SSL/TLS （稍后的“SSL”指 SSL 或 TLS）终止等任务。由于涉及加密操作，SSL 终止是一个 CPU 密集型操作。为了从 CPU 中分载一些 CPU 密集型工作，基于 OpenSSL 的代理服务器可以利用 OpenSSL Engine API 和专用加密硬件的优势。 这将为其他事情释放 CPU 周期，并提高代理服务器的总体吞吐量。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2019/04/15/process-id-limiting-for-stability-improvements-in-kubernetes-1.14/Mon, 15 Apr 2019 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2019/04/15/process-id-limiting-for-stability-improvements-in-kubernetes-1.14/<!-- title: 'Process ID Limiting for Stability Improvements in Kubernetes 1.14' date: 2019-04-15 --> <!-- **Author: Derek Carr** Have you ever seen someone take more than their fair share of the cookies? The one person who reaches in and grabs a half dozen fresh baked chocolate chip chunk morsels and skitters off like Cookie Monster exclaiming “Om nom nom nom.” In some rare workloads, a similar occurrence was taking place inside Kubernetes clusters. With each Pod and Node, there comes a finite number of possible process IDs (PIDs) for all applications to share. While it is rare for any one process or pod to reach in and grab all the PIDs, some users were experiencing resource starvation due to this type of behavior. So in Kubernetes 1.14, we introduced an enhancement to mitigate the risk of a single pod monopolizing all of the PIDs available. --> <p><strong>作者: Derek Carr</strong></p>https://andygol-k8s.netlify.app/zh-cn/blog/2019/03/07/raw-block-volume-support-to-beta/Thu, 07 Mar 2019 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2019/03/07/raw-block-volume-support-to-beta/<!-- title: Raw Block Volume support to Beta date: 2019-03-07 ---> <!-- **Authors:** Ben Swartzlander (NetApp), Saad Ali (Google) Kubernetes v1.13 moves raw block volume support to beta. This feature allows persistent volumes to be exposed inside containers as a block device instead of as a mounted file system. ---> <p><strong>作者：</strong> Ben Swartzlander (NetApp), Saad Ali (Google)</p> <p>Kubernetes v1.13 中对原生数据块卷（Raw Block Volume）的支持进入 Beta 阶段。此功能允许将持久卷作为块设备而不是作为已挂载的文件系统暴露在容器内部。</p> <!-- ## What are block devices? Block devices enable random access to data in fixed-size blocks. Hard drives, SSDs, and CD-ROMs drives are all examples of block devices. Typically persistent storage is implemented in a layered maner with a file system (like ext4) on top of a block device (like a spinning disk or SSD). Applications then read and write files instead of operating on blocks. The operating systems take care of reading and writing files, using the specified filesystem, to the underlying device as blocks. It's worth noting that while whole disks are block devices, so are disk partitions, and so are LUNs from a storage area network (SAN) device. ---> <h2 id="什么是块设备">什么是块设备？</h2> <p>块设备允许对固定大小的块中的数据进行随机访问。硬盘驱动器、SSD 和 CD-ROM 驱动器都是块设备的例子。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/12/05/new-contributor-workshop-shanghai/Wed, 05 Dec 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/12/05/new-contributor-workshop-shanghai/<!-- layout: blog title: 'New Contributor Workshop Shanghai' date: 2018-12-05 --> <!-- **Authors**: Josh Berkus (Red Hat), Yang Li (The Plant), Puja Abbassi (Giant Swarm), XiangPeng Zhao (ZTE) --> <p><strong>作者</strong>: Josh Berkus (红帽), Yang Li (The Plant), Puja Abbassi (Giant Swarm), XiangPeng Zhao (中兴通讯)</p> <!-- <figure> <img src="https://andygol-k8s.netlify.app/images/blog/2018-12-05-new-contributor-shanghai/attendees.png" alt="KubeCon Shanghai New Contributor Summit attendees. Photo by Jerry Zhang"/> <figcaption> <p>KubeCon Shanghai New Contributor Summit attendees. Photo by Jerry Zhang</p> </figcaption> </figure> --> <figure> <img src="https://andygol-k8s.netlify.app/images/blog/2018-12-05-new-contributor-shanghai/attendees.png" alt="KubeCon 上海站新贡献者峰会与会者，摄影：Jerry Zhang"/> <figcaption> <p>KubeCon 上海站新贡献者峰会与会者，摄影：Jerry Zhang</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/11/08/kubernetes-docs-updates-international-edition/Thu, 08 Nov 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/11/08/kubernetes-docs-updates-international-edition/<!-- layout: blog title: 'Kubernetes Docs Updates, International Edition' date: 2018-11-08 --> <!-- **Author**: Zach Corleissen (Linux Foundation) --> <p><strong>作者</strong>：Zach Corleissen （Linux 基金会）</p> <!-- As a co-chair of SIG Docs, I'm excited to share that Kubernetes docs have a fully mature workflow for localization (l10n). --> <p>作为文档特别兴趣小组（SIG Docs）的联合主席，我很高兴能与大家分享 Kubernetes 文档在本地化（l10n）方面所拥有的一个完全成熟的工作流。</p> <!-- ## Abbreviations galore --> <h2 id="丰富的缩写">丰富的缩写</h2> <!-- L10n is an abbreviation for _localization_. --> <p>L10n 是 <em>localization</em> 的缩写。</p> <!-- I18n is an abbreviation for _internationalization_. --> <p>I18n 是 <em>internationalization</em> 的缩写。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/10/16/kubernetes-2018-north-american-contributor-summit/Tue, 16 Oct 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/10/16/kubernetes-2018-north-american-contributor-summit/<!-- layout: "Blog" title: "Kubernetes 2018 North American Contributor Summit" date: 2018-10-16 --> <!-- **Authors:** --> <p><strong>作者：</strong></p> <!-- [Bob Killen][bob] (University of Michigan) [Sahdev Zala][sahdev] (IBM), [Ihor Dvoretskyi][ihor] (CNCF) --> <p><a href="https://twitter.com/mrbobbytables">Bob Killen</a>（密歇根大学） <a href="https://twitter.com/sp_zala">Sahdev Zala</a>（IBM）， <a href="https://twitter.com/idvoretskyi">Ihor Dvoretskyi</a>（CNCF）</p> <!-- The 2018 North American Kubernetes Contributor Summit to be hosted right before [KubeCon + CloudNativeCon][kubecon] Seattle is shaping up to be the largest yet. --> <p>2018 年北美 Kubernetes 贡献者峰会将在西雅图 <a href="https://events.linuxfoundation.org/events/kubecon-cloudnativecon-north-america-2018/">KubeCon + CloudNativeCon</a> 会议之前举办，这将是迄今为止规模最大的一次盛会。</p> <!-- It is an event that brings together new and current contributors alike to connect and share face-to-face; and serves as an opportunity for existing contributors to help shape the future of community development. For new community members, it offers a welcoming space to learn, explore and put the contributor workflow to practice. --> <p>这是一个将新老贡献者聚集在一起，面对面交流和分享的活动；并为现有的贡献者提供一个机会，帮助塑造社区发展的未来。它为新的社区成员提供了一个学习、探索和实践贡献工作流程的良好空间。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/10/15/2018-steering-committee-election-results/Mon, 15 Oct 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/10/15/2018-steering-committee-election-results/<!-- layout: blog title: '2018 Steering Committee Election Results' date: 2018-10-15 --> <!-- **Authors**: Jorge Castro (Heptio), Ihor Dvoretskyi (CNCF), Paris Pittman (Google) --> <p><strong>作者</strong>: Jorge Castro (Heptio), Ihor Dvoretskyi (CNCF), Paris Pittman (Google)</p> <!-- ## Results --> <h2 id="结果">结果</h2> <!-- The [Kubernetes Steering Committee Election](https://kubernetes.io/blog/2018/09/06/2018-steering-committee-election-cycle-kicks-off/) is now complete and the following candidates came ahead to secure two year terms that start immediately: --> <p><a href="https://kubernetes.io/blog/2018/09/06/2018-steering-committee-election-cycle-kicks-off/">Kubernetes 督导委员会选举</a>现已完成，以下候选人获得了立即开始的两年任期：</p> <ul> <li>Aaron Crickenberger, Google, <a href="https://github.com/spiffxp">@spiffxp</a></li> <li>Davanum Srinivas, Huawei, <a href="https://github.com/dims">@dims</a></li> <li>Tim St. Clair, Heptio, <a href="https://github.com/timothysc">@timothysc</a></li> </ul> <!-- ## Big Thanks! --> <h2 id="十分感谢">十分感谢！</h2> <!-- * Steering Committee Member Emeritus [Quinton Hoole](https://github.com/quinton-hoole) for his service to the community over the past year. We look forward to * The candidates that came forward to run for election. May we always have a strong set of people who want to push community forward like yours in every election. * All 307 voters who cast a ballot. * And last but not least...Cornell University for hosting [CIVS](https://civs.cs.cornell.edu/)! --> <ul> <li>督导委员会荣誉退休成员 <a href="https://github.com/quinton-hoole">Quinton Hoole</a>，表扬他在过去一年为社区所作的贡献。我们期待着</li> <li>参加竞选的候选人。愿我们永远拥有一群强大的人，他们希望在每一次选举中都能像你们一样推动社区向前发展。</li> <li>共计 307 名选民参与投票。</li> <li>本次选举由康奈尔大学主办 <a href="https://civs.cs.cornell.edu/">CIVS</a>！</li> </ul> <!-- ## Get Involved with the Steering Committee --> <h2 id="加入督导委员会">加入督导委员会</h2> <!-- You can follow along to Steering Committee [backlog items](https://git.k8s.io/steering/backlog.md) and weigh in by filing an issue or creating a PR against their [repo](https://github.com/kubernetes/steering). They meet bi-weekly on [Wednesdays at 8pm UTC](https://github.com/kubernetes/steering) and regularly attend Meet Our Contributors. --> <p>你可以关注督导委员会的<a href="https://git.k8s.io/steering/backlog.md">任务清单</a>，并通过向他们的<a href="https://github.com/kubernetes/steering">代码仓库</a>提交 issue 或 PR 的方式来参与。他们也会在<a href="https://github.com/kubernetes/steering">UTC 时间每周三晚 8 点</a>举行会议，并定期与我们的贡献者见面。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/10/11/topology-aware-volume-provisioning-in-kubernetes/Thu, 11 Oct 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/10/11/topology-aware-volume-provisioning-in-kubernetes/<!-- layout: blog title: 'Topology-Aware Volume Provisioning in Kubernetes' date: 2018-10-11 --> <!-- **Author**: Michelle Au (Google) --> <p><strong>作者</strong>: Michelle Au（谷歌）</p> <!-- The multi-zone cluster experience with persistent volumes is improving in Kubernetes 1.12 with the topology-aware dynamic provisioning beta feature. This feature allows Kubernetes to make intelligent decisions when dynamically provisioning volumes by getting scheduler input on the best place to provision a volume for a pod. In multi-zone clusters, this means that volumes will get provisioned in an appropriate zone that can run your pod, allowing you to easily deploy and scale your stateful workloads across failure domains to provide high availability and fault tolerance. --> <p>通过提供拓扑感知动态卷供应功能，具有持久卷的多区域集群体验在 Kubernetes 1.12 中得到了改进。此功能使得 Kubernetes 在动态供应卷时能做出明智的决策，方法是从调度器获得为 Pod 提供数据卷的最佳位置。在多区域集群环境，这意味着数据卷能够在满足你的 Pod 运行需要的合适的区域被供应，从而允许你跨故障域轻松部署和扩展有状态工作负载，从而提供高可用性和容错能力。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/10/10/kubernetes-v1.12-introducing-runtimeclass/Wed, 10 Oct 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/10/10/kubernetes-v1.12-introducing-runtimeclass/<!-- layout: blog title: 'Kubernetes v1.12: Introducing RuntimeClass' date: 2018-10-10 --> <!-- **Author**: Tim Allclair (Google) --> <p><strong>作者</strong>: Tim Allclair (Google)</p> <!-- Kubernetes originally launched with support for Docker containers running native applications on a Linux host. Starting with [rkt](https://kubernetes.io/blog/2016/07/rktnetes-brings-rkt-container-engine-to-kubernetes/) in Kubernetes 1.3 more runtimes were coming, which lead to the development of the [Container Runtime Interface](https://kubernetes.io/blog/2016/12/container-runtime-interface-cri-in-kubernetes/) (CRI). Since then, the set of alternative runtimes has only expanded: projects like [Kata Containers](https://katacontainers.io/) and [gVisor](https://github.com/google/gvisor) were announced for stronger workload isolation, and Kubernetes' Windows support has been [steadily progressing](https://kubernetes.io/blog/2018/01/kubernetes-v19-beta-windows-support/). --> <p>Kubernetes 最初是为了支持在 Linux 主机上运行本机应用程序的 Docker 容器而创建的。 从 Kubernetes 1.3 中的 <a href="https://kubernetes.io/blog/2016/07/rktnetes-brings-rkt-container-engine-to-kubernetes/">rkt</a> 开始，更多的运行时间开始涌现， 这导致了<a href="https://kubernetes.io/blog/2016/12/container-runtime-interface-cri-in-kubernetes/">容器运行时接口（Container Runtime Interface）</a>（CRI）的开发。 从那时起，备用运行时集合越来越大： 为了加强工作负载隔离，<a href="https://katacontainers.io/">Kata Containers</a> 和 <a href="https://github.com/google/gvisor">gVisor</a> 等项目被发起， 并且 Kubernetes 对 Windows 的支持正在<a href="https://kubernetes.io/blog/2018/01/kubernetes-v19-beta-windows-support/">稳步发展</a>。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/10/03/kubedirector-the-easy-way-to-run-complex-stateful-applications-on-kubernetes/Wed, 03 Oct 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/10/03/kubedirector-the-easy-way-to-run-complex-stateful-applications-on-kubernetes/<!-- layout: blog title: 'KubeDirector: The easy way to run complex stateful applications on Kubernetes' date: 2018-10-03 --> <!-- **Author**: Thomas Phelan (BlueData) --> <p><strong>作者</strong>：Thomas Phelan（BlueData）</p> <!-- KubeDirector is an open source project designed to make it easy to run complex stateful scale-out application clusters on Kubernetes. KubeDirector is built using the custom resource definition (CRD) framework and leverages the native Kubernetes API extensions and design philosophy. This enables transparent integration with Kubernetes user/resource management as well as existing clients and tools. --> <p>KubeDirector 是一个开源项目，旨在简化在 Kubernetes 上运行复杂的有状态扩展应用程序集群。KubeDirector 使用自定义资源定义（CRD） 框架构建，并利用了本地 Kubernetes API 扩展和设计哲学。这支持与 Kubernetes 用户/资源 管理以及现有客户端和工具的透明集成。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/10/01/health-checking-grpc-servers-on-kubernetes/Mon, 01 Oct 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/10/01/health-checking-grpc-servers-on-kubernetes/<!-- layout: blog title: 'Health checking gRPC servers on Kubernetes' date: 2018-10-01 ---> <!-- **Author**: [Ahmet Alp Balkan](https://twitter.com/ahmetb) (Google) ---> <p><strong>作者</strong>： <a href="https://twitter.com/ahmetb">Ahmet Alp Balkan</a> (Google)</p> <!-- **Update (December 2021):** _Kubernetes now has built-in gRPC health probes starting in v1.23. To learn more, see [Configure Liveness, Readiness and Startup Probes](/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-grpc-liveness-probe). This article was originally written about an external tool to achieve the same task._ --> <p><strong>更新（2021 年 12 月）：</strong> “Kubernetes 从 v1.23 开始具有内置 gRPC 健康探测。 了解更多信息，请参阅<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-grpc-liveness-probe">配置存活探针、就绪探针和启动探针</a>。 本文最初是为有关实现相同任务的外部工具所写。”</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/08/02/dynamically-expand-volume-with-csi-and-kubernetes/Thu, 02 Aug 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/08/02/dynamically-expand-volume-with-csi-and-kubernetes/<!-- layout: blog title: 'Dynamically Expand Volume with CSI and Kubernetes' date: 2018-08-02 --> <!-- **Author**: Orain Xiong (Co-Founder, WoquTech) --> <p><strong>作者</strong>：Orain Xiong（联合创始人, WoquTech）</p> <!-- _There is a very powerful storage subsystem within Kubernetes itself, covering a fairly broad spectrum of use cases. Whereas, when planning to build a product-grade relational database platform with Kubernetes, we face a big challenge: coming up with storage. This article describes how to extend latest Container Storage Interface 0.2.0 and integrate with Kubernetes, and demonstrates the essential facet of dynamically expanding volume capacity._ --> <p><em>Kubernetes 本身有一个非常强大的存储子系统，涵盖了相当广泛的用例。而当我们计划使用 Kubernetes 构建产品级关系型数据库平台时，我们面临一个巨大的挑战：提供存储。本文介绍了如何扩展最新的 Container Storage Interface 0.2.0 和与 Kubernetes 集成，并演示了卷动态扩容的基本方面。</em></p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/07/12/resize-pv-using-k8s/Thu, 12 Jul 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/07/12/resize-pv-using-k8s/<!-- layout: blog title: 'Resizing Persistent Volumes using Kubernetes' date: 2018-07-12 --> <!-- **Author**: Hemant Kumar (Red Hat) --> <p><strong>作者</strong>: Hemant Kumar (Red Hat)</p> <!-- **Editor’s note: this post is part of a [series of in-depth articles](https://kubernetes.io/blog/2018/06/27/kubernetes-1.11-release-announcement/) on what’s new in Kubernetes 1.11** In Kubernetes v1.11 the persistent volume expansion feature is being promoted to beta. This feature allows users to easily resize an existing volume by editing the `PersistentVolumeClaim` (PVC) object. Users no longer have to manually interact with the storage backend or delete and recreate PV and PVC objects to increase the size of a volume. Shrinking persistent volumes is not supported. Volume expansion was introduced in v1.8 as an Alpha feature, and versions prior to v1.11 required enabling the feature gate, `ExpandPersistentVolumes`, as well as the admission controller, `PersistentVolumeClaimResize` (which prevents expansion of PVCs whose underlying storage provider does not support resizing). In Kubernetes v1.11+, both the feature gate and admission controller are enabled by default. Although the feature is enabled by default, a cluster admin must opt-in to allow users to resize their volumes. Kubernetes v1.11 ships with volume expansion support for the following in-tree volume plugins: AWS-EBS, GCE-PD, Azure Disk, Azure File, Glusterfs, Cinder, Portworx, and Ceph RBD. Once the admin has determined that volume expansion is supported for the underlying provider, they can make the feature available to users by setting the `allowVolumeExpansion` field to `true` in their `StorageClass` object(s). Only PVCs created from that `StorageClass` will be allowed to trigger volume expansion. --> <p><strong>编者注：这篇博客是<a href="https://kubernetes.io/blog/2018/06/27/kubernetes-1.11-release-announcement/">深度文章系列</a>的一部分，这个系列介绍了 Kubernetes 1.11 中的新增特性</strong></p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/07/11/dynamic-kubelet-configuration/Wed, 11 Jul 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/07/11/dynamic-kubelet-configuration/<!-- layout: blog title: 'Dynamic Kubelet Configuration' date: 2018-07-11 --> <!-- **Author**: Michael Taufen (Google) --> <p><strong>作者</strong>: Michael Taufen (Google)</p> <!-- **Editor’s note: The feature has been removed in the version 1.24 after deprecation in 1.22.** --> <p><strong>编者注：在 1.22 版本弃用后，该功能已在 1.24 版本中删除。</strong></p> <!-- **Editor’s note: this post is part of a [series of in-depth articles](https://kubernetes.io/blog/2018/06/27/kubernetes-1.11-release-announcement/) on what’s new in Kubernetes 1.11** --> <p><strong>编者注：这篇文章是<a href="https://kubernetes.io/blog/2018/06/27/kubernetes-1.11-release-announcement/">一系列深度文章</a> 的一部分，这个系列介绍了 Kubernetes 1.11 中的新增功能</strong></p> <!-- ## Why Dynamic Kubelet Configuration? --> <h2 id="为什么要进行动态-kubelet-配置">为什么要进行动态 Kubelet 配置？</h2> <!-- Kubernetes provides API-centric tooling that significantly improves workflows for managing applications and infrastructure. Most Kubernetes installations, however, run the Kubelet as a native process on each host, outside the scope of standard Kubernetes APIs. --> <p>Kubernetes 提供了以 API 为中心的工具，可显着改善用于管理应用程序和基础架构的工作流程。 但是，在大多数的 Kubernetes 安装中，kubelet 在每个主机上作为本机进程运行，因此 未被标准 Kubernetes API 覆盖。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/07/10/coredns-ga-for-kubernetes-cluster-dns/Tue, 10 Jul 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/07/10/coredns-ga-for-kubernetes-cluster-dns/<!-- layout: blog title: "CoreDNS GA for Kubernetes Cluster DNS" date: 2018-07-10 ---> <!-- **Author**: John Belamaric (Infoblox) **Editor’s note: this post is part of a [series of in-depth articles](https://kubernetes.io/blog/2018/06/27/kubernetes-1.11-release-announcement/) on what’s new in Kubernetes 1.11** ---> <p><strong>作者</strong>：John Belamaric (Infoblox)</p> <p>**编者注：这篇文章是 <a href="https://kubernetes.io/blog/2018/06/27/kubernetes-1.11-release-announcement/">系列深度文章</a> 中的一篇，介绍了 Kubernetes 1.11 新增的功能</p> <!-- ## Introduction In Kubernetes 1.11, [CoreDNS](https://coredns.io) has reached General Availability (GA) for DNS-based service discovery, as an alternative to the kube-dns addon. This means that CoreDNS will be offered as an option in upcoming versions of the various installation tools. In fact, the kubeadm team chose to make it the default option starting with Kubernetes 1.11. ---> <h2 id="介绍">介绍</h2> <p>在 Kubernetes 1.11 中，<a href="https://coredns.io">CoreDNS</a> 已经达到基于 DNS 服务发现的 General Availability (GA)，可以替代 kube-dns 插件。这意味着 CoreDNS 会作为即将发布的安装工具的选项之一上线。实际上，从 Kubernetes 1.11 开始，kubeadm 团队选择将它设为默认选项。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/07/09/ipvs-based-in-cluster-load-balancing-deep-dive/Mon, 09 Jul 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/07/09/ipvs-based-in-cluster-load-balancing-deep-dive/<!-- layout: blog title: 'IPVS-Based In-Cluster Load Balancing Deep Dive' date: 2018-07-09 --> <!-- Author: Jun Du(Huawei), Haibin Xie(Huawei), Wei Liang(Huawei) Editor’s note: this post is part of a series of in-depth articles on what’s new in Kubernetes 1.11 --> <p>作者: Jun Du(华为), Haibin Xie(华为), Wei Liang(华为)</p> <p>注意: 这篇文章出自 系列深度文章 介绍 Kubernetes 1.11 的新特性</p> <!-- Introduction Per the Kubernetes 1.11 release blog post , we announced that IPVS-Based In-Cluster Service Load Balancing graduates to General Availability. In this blog, we will take you through a deep dive of the feature. --> <p>介绍</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/06/28/airflow-on-kubernetes-part-1-a-different-kind-of-operator/Thu, 28 Jun 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/06/28/airflow-on-kubernetes-part-1-a-different-kind-of-operator/<!-- layout: blog title: 'Airflow on Kubernetes (Part 1): A Different Kind of Operator' date: 2018-06-28 --> <!-- Author: Daniel Imberman (Bloomberg LP) --> <p>作者: Daniel Imberman (Bloomberg LP)</p> <!-- ## Introduction As part of Bloomberg's [continued commitment to developing the Kubernetes ecosystem](https://www.techatbloomberg.com/blog/bloomberg-awarded-first-cncf-end-user-award-contributions-kubernetes/), we are excited to announce the Kubernetes Airflow Operator; a mechanism for [Apache Airflow](https://airflow.apache.org/), a popular workflow orchestration framework to natively launch arbitrary Kubernetes Pods using the Kubernetes API. --> <h2 id="介绍">介绍</h2> <p>作为 Bloomberg <a href="https://www.techatbloomberg.com/blog/bloomberg-awarded-first-cncf-end-user-award-contributions-kubernetes/">持续致力于开发 Kubernetes 生态系统</a>的一部分， 我们很高兴能够宣布 Kubernetes Airflow Operator 的发布; <a href="https://airflow.apache.org/">Apache Airflow</a>的一种机制，一种流行的工作流程编排框架， 使用 Kubernetes API 可以在本机启动任意的 Kubernetes Pod。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/06/07/dynamic-ingress-in-kubernetes/Thu, 07 Jun 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/06/07/dynamic-ingress-in-kubernetes/<!-- title: Dynamic Ingress in Kubernetes date: 2018-06-07 Author: Richard Li (Datawire) --> <!-- Kubernetes makes it easy to deploy applications that consist of many microservices, but one of the key challenges with this type of architecture is dynamically routing ingress traffic to each of these services. One approach is Ambassador, a Kubernetes-native open source API Gateway built on the Envoy Proxy. Ambassador is designed for dynamic environment where services may come and go frequently. Ambassador is configured using Kubernetes annotations. Annotations are used to configure specific mappings from a given Kubernetes service to a particular URL. A mapping can include a number of annotations for configuring a route. Examples include rate limiting, protocol, cross-origin request sharing, traffic shadowing, and routing rules. --> <p>Kubernetes 可以轻松部署由许多微服务组成的应用程序，但这种架构的关键挑战之一是动态地将流量路由到这些服务中的每一个。 一种方法是使用 <a href="https://www.getambassador.io">Ambassador</a>， 一个基于 <a href="https://www.envoyproxy.io">Envoy Proxy</a> 构建的 Kubernetes 原生开源 API 网关。 Ambassador 专为动态环境而设计，这类环境中的服务可能被频繁添加或删除。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/06/06/4-years-of-k8s/Wed, 06 Jun 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/06/06/4-years-of-k8s/<!-- layout: blog title: 4 Years of K8s date: 2018-06-06 --> <!-- **Author**: Joe Beda (CTO and Founder, Heptio) On June 6, 2014 I checked in the [first commit](https://github.com/kubernetes/kubernetes/commit/2c4b3a562ce34cddc3f8218a2c4d11c7310e6d56) of what would become the public repository for Kubernetes. Many would assume that is where the story starts. It is the beginning of history, right? But that really doesn’t tell the whole story. --> <p><strong>作者</strong>：Joe Beda（Heptio 首席技术官兼创始人）</p> <p>2014 年 6 月 6 日，我检查了 Kubernetes 公共代码库的<a href="https://github.com/kubernetes/kubernetes/commit/2c4b3a562ce34cddc3f8218a2c4d11c7310e6d56">第一次 commit</a> 。许多人会认为这是故事开始的地方。这难道不是一切开始的地方吗？但这的确不能把整个过程说清楚。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/05/30/say-hello-to-discuss-kubernetes/Wed, 30 May 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/05/30/say-hello-to-discuss-kubernetes/<!-- layout: blog title: Say Hello to Discuss Kubernetes date: 2018-05-30 --> <!-- Author: Jorge Castro (Heptio) --> <p>作者: Jorge Castro (Heptio)</p> <!-- Communication is key when it comes to engaging a community of over 35,000 people in a global and remote environment. Keeping track of everything in the Kubernetes community can be an overwhelming task. On one hand we have our official resources, like Stack Overflow, GitHub, and the mailing lists, and on the other we have more ephemeral resources like Slack, where you can hop in, chat with someone, and then go on your merry way. --> <p>就一个超过 35,000 人的全球性社区而言，参与其中时沟通是非常关键的。 跟踪 Kubernetes 社区中的所有内容可能是一项艰巨的任务。 一方面，我们有官方资源，如 Stack Overflow，GitHub 和邮件列表，另一方面，我们有更多瞬时性的资源，如 Slack，你可以加入进去、与某人聊天然后各走各路。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/05/01/developing-on-kubernetes/Tue, 01 May 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/05/01/developing-on-kubernetes/<!-- --- title: Developing on Kubernetes date: 2018-05-01 slug: developing-on-kubernetes --- --> <!-- **Authors**: [Michael Hausenblas](https://twitter.com/mhausenblas) (Red Hat), [Ilya Dmitrichenko](https://twitter.com/errordeveloper) (Weaveworks) --> <p><strong>作者</strong>： <a href="https://twitter.com/mhausenblas">Michael Hausenblas</a> (Red Hat), <a href="https://twitter.com/errordeveloper">Ilya Dmitrichenko</a> (Weaveworks)</p> <!-- How do you develop a Kubernetes app? That is, how do you write and test an app that is supposed to run on Kubernetes? This article focuses on the challenges, tools and methods you might want to be aware of to successfully write Kubernetes apps alone or in a team setting. --> <p>您将如何开发一个 Kubernetes 应用？也就是说，您如何编写并测试一个要在 Kubernetes 上运行的应用程序？本文将重点介绍在独自开发或者团队协作中，您可能希望了解到的为了成功编写 Kubernetes 应用程序而需面临的挑战，工具和方法。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/04/25/open-source-charts-2017/Wed, 25 Apr 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/04/25/open-source-charts-2017/<!-- --- title: Kubernetes Community - Top of the Open Source Charts in 2017 date: 2018-04-25 slug: open-source-charts-2017 --- ---> <!-- 2017 was a huge year for Kubernetes, and GitHub’s latest [Octoverse report](https://octoverse.github.com) illustrates just how much attention this project has been getting. Kubernetes, an [open source platform for running application containers](/docs/concepts/overview/what-is-kubernetes/), provides a consistent interface that enables developers and ops teams to automate the deployment, management, and scaling of a wide variety of applications on just about any infrastructure. ---> <p>对于 Kubernetes 来说，2017 年是丰收的一年，GitHub的最新 <a href="https://octoverse.github.com">Octoverse 报告</a> 说明了该项目获得了多少关注。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/03/15/principles-of-container-app-design/Thu, 15 Mar 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/03/15/principles-of-container-app-design/<!-- title: "Principles of Container-based Application Design" date: 2018-03-15 slug: principles-of-container-app-design url: /blog/2018/03/Principles-Of-Container-App-Design --> <!-- It's possible nowadays to put almost any application in a container and run it. Creating cloud-native applications, however—containerized applications that are automated and orchestrated effectively by a cloud-native platform such as Kubernetes—requires additional effort. Cloud-native applications anticipate failure; they run and scale reliably even when their infrastructure experiences outages. To offer such capabilities, cloud-native platforms like Kubernetes impose a set of contracts and constraints on applications. These contracts ensure that applications they run conform to certain constraints and allow the platform to automate application management. --> <p>如今，可以将几乎所有应用程序放入容器中并运行它。 但是，创建云原生应用程序（由 Kubernetes 等云原生平台自动有效地编排的容器化应用程序）需要付出额外的努力。 云原生应用程序会预期失败； 它们可以可靠的运行和扩展，即使基础架构出现故障。 为了提供这样的功能，像 Kubernetes 这样的云原生平台对应用程序施加了一系列约定和约束。 这些合同确保运行的应用程序符合某些约束条件，并允许平台自动执行应用程序管理。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2018/01/09/kubernetes-v19-beta-windows-support/Tue, 09 Jan 2018 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2018/01/09/kubernetes-v19-beta-windows-support/<!-- title: Kubernetes v1.9 releases beta support for Windows Server Containers date: 2018-01-09 slug: kubernetes-v19-beta-windows-support url: /blog/2018/01/Kubernetes-V19-Beta-Windows-Support ---> <!-- With the release of Kubernetes v1.9, our mission of ensuring Kubernetes works well everywhere and for everyone takes a great step forward. We’ve advanced support for Windows Server to beta along with continued feature and functional advancements on both the Kubernetes and Windows platforms. SIG-Windows has been working since March of 2016 to open the door for many Windows-specific applications and workloads to run on Kubernetes, significantly expanding the implementation scenarios and the enterprise reach of Kubernetes. ---> <p>随着 Kubernetes v1.9 的发布，我们确保所有人在任何地方都能正常运行 Kubernetes 的使命前进了一大步。我们的 Beta 版本对 Windows Server 的支持进行了升级，并且在 Kubernetes 和 Windows 平台上都提供了持续的功能改进。为了在 Kubernetes 上运行许多特定于 Windows 的应用程序和工作负载，SIG-Windows 自2016年3月以来一直在努力，大大扩展了 Kubernetes 的实现场景和企业适用范围。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2017/11/17/autoscaling-in-kubernetes/Fri, 17 Nov 2017 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2017/11/17/autoscaling-in-kubernetes/<!-- title: " Autoscaling in Kubernetes " date: 2017-11-17 slug: autoscaling-in-kubernetes url: /blog/2017/11/Autoscaling-In-Kubernetes --> <!-- Kubernetes allows developers to automatically adjust cluster sizes and the number of pod replicas based on current traffic and load. These adjustments reduce the amount of unused nodes, saving money and resources. In this talk, Marcin Wielgus of Google walks you through the current state of pod and node autoscaling in Kubernetes: .how it works, and how to use it, including best practices for deployments in production applications. --> <p>Kubernetes 允许开发人员根据当前的流量和负载自动调整集群大小和 pod 副本的数量。这些调整减少了未使用节点的数量，节省了资金和资源。 在这次演讲中，谷歌的 Marcin Wielgus 将带领您了解 Kubernetes 中 pod 和 node 自动调焦的当前状态：它是如何工作的，以及如何使用它，包括在生产应用程序中部署的最佳实践。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2017/10/24/five-days-of-kubernetes-18/Tue, 24 Oct 2017 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2017/10/24/five-days-of-kubernetes-18/<!-- title: " Five Days of Kubernetes 1.8 " date: 2017-10-24 slug: five-days-of-kubernetes-18 url: /blog/2017/10/Five-Days-Of-Kubernetes-18 --> <!-- Kubernetes 1.8 is live, made possible by hundreds of contributors pushing thousands of commits in this latest releases. --> <p>Kubernetes 1.8 已经推出，数百名贡献者在这个最新版本中推出了成千上万的提交。</p> <!-- The community has tallied more than 66,000 commits in the main repo and continues rapid growth outside of the main repo, which signals growing maturity and stability for the project. The community has logged more than 120,000 commits across all repos and 17,839 commits across all repos for v1.7.0 to v1.8.0 alone. --> <p>社区已经有超过 66,000 个提交在主仓库，并在主仓库之外继续快速增长，这标志着该项目日益成熟和稳定。仅 v1.7.0 到 v1.8.0，社区就记录了所有仓库的超过 120,000 次提交和 17839 次提交。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2017/10/05/kubernetes-community-steering-committee-election-results/Thu, 05 Oct 2017 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2017/10/05/kubernetes-community-steering-committee-election-results/<!-- title: " Kubernetes Community Steering Committee Election Results " date: 2017-10-05 slug: kubernetes-community-steering-committee-election-results url: /blog/2017/10/Kubernetes-Community-Steering-Committee-Election-Results --> <!-- Beginning with the announcement of Kubernetes 1.0 at OSCON in 2015, there has been a concerted effort to share the power and burden of leadership across the Kubernetes community. --> <p>自 2015 年 OSCON 发布 Kubernetes 1.0 以来，大家一直在共同努力，在 Kubernetes 社区中共同分享领导力和责任。</p> <!-- With the work of the Bootstrap Governance Committee, consisting of Brandon Philips, Brendan Burns, Brian Grant, Clayton Coleman, Joe Beda, Sarah Novotny and Tim Hockin - a cross section of long-time leaders representing 5 different companies with major investments of talent and effort in the Kubernetes Ecosystem - we wrote an initial [Steering Committee Charter](https://github.com/kubernetes/steering/blob/master/charter.md) and launched a community wide election to seat a Kubernetes Steering Committee. --> <p>在 Brandon Philips、Brendan Burns、Brian Grant、Clayton Coleman、Joe Beda、Sarah Novotny 和 Tim Hockin 组成的自举治理委员会的工作下 - 代表 5 家不同公司的长期领导者，他们对 Kubernetes 生态系统进行了大量的人才投资和努力 - 编写了初始的<a href="https://github.com/kubernetes/steering/blob/master/charter.md">指导委员会章程</a>，并发起了一次社区选举，以选举 Kubernetes 指导委员会成员。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/08/29/stateful-applications-using-kubernetes-datera/Mon, 29 Aug 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/08/29/stateful-applications-using-kubernetes-datera/<!-- title: " Scaling Stateful Applications using Kubernetes Pet Sets and FlexVolumes with Datera Elastic Data Fabric " date: 2016-08-29 slug: stateful-applications-using-kubernetes-datera url: /blog/2016/08/Stateful-Applications-Using-Kubernetes-Datera ---> <!-- _Editor’s note: today’s guest post is by Shailesh Mittal, Software Architect and Ashok Rajagopalan, Sr Director Product at Datera Inc, talking about Stateful Application provisioning with Kubernetes on Datera Elastic Data Fabric._ ---> <p><em>编者注：今天的邀请帖子来自 Datera 公司的软件架构师 Shailesh Mittal 和高级产品总监 Ashok Rajagopalan，介绍在 Datera Elastic Data Fabric 上用 Kubernetes 配置状态应用程序。</em></p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/08/16/sig-apps-running-apps-in-kubernetes/Tue, 16 Aug 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/08/16/sig-apps-running-apps-in-kubernetes/<!-- title: " SIG Apps: build apps for and operate them in Kubernetes " date: 2016-08-16 slug: sig-apps-running-apps-in-kubernetes canonicalUrl: https://kubernetes.io/blog/2016/08/sig-apps-running-apps-in-kubernetes/ url: /blog/2016/08/Sig-Apps-Running-Apps-In-Kubernetes --> <!-- _Editor’s note: This post is by the Kubernetes SIG-Apps team sharing how they focus on the developer and devops experience of running applications in Kubernetes._ Kubernetes is an incredible manager for containerized applications. Because of this, [numerous](https://kubernetes.io/blog/2016/02/sharethis-kubernetes-in-production) [companies](https://blog.box.com/blog/kubernetes-box-microservices-maximum-velocity/) [have](http://techblog.yahoo.co.jp/infrastructure/os_n_k8s/) [started](http://www.nextplatform.com/2015/11/12/inside-ebays-shift-to-kubernetes-and-containers-atop-openstack/) to run their applications in Kubernetes. Kubernetes Special Interest Groups ([SIGs](https://github.com/kubernetes/community/blob/master/README.md#special-interest-groups-sig)) have been around to support the community of developers and operators since around the 1.0 release. People organized around networking, storage, scaling and other operational areas. As Kubernetes took off, so did the need for tools, best practices, and discussions around building and operating cloud native applications. To fill that need the Kubernetes [SIG Apps](https://github.com/kubernetes/community/tree/master/sig-apps) came into existence. SIG Apps is a place where companies and individuals can: --> <p><strong>编者注</strong>：这篇文章由 Kubernetes SIG-Apps 团队撰写，分享他们如何关注在 Kubernetes 中运行应用的开发者和 devops 经验。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/07/21/oh-the-places-you-will-go/Thu, 21 Jul 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/07/21/oh-the-places-you-will-go/<!-- title: " Happy Birthday Kubernetes. Oh, the places you’ll go! " date: 2016-07-21 slug: oh-the-places-you-will-go url: /blog/2016/07/Oh-The-Places-You-Will-Go --> <!-- _Editor’s note, Today’s guest post is from an independent Kubernetes contributor, Justin Santa Barbara, sharing his reflection on growth of the project from inception to its future._ **Dear K8s,** _It’s hard to believe you’re only one - you’ve grown up so fast. On the occasion of your first birthday, I thought I would write a little note about why I was so excited when you were born, why I feel fortunate to be part of the group that is raising you, and why I’m eager to watch you continue to grow up!_ --> <p><em>编者按，今天的嘉宾帖子来自一位独立的 kubernetes 撰稿人 Justin Santa Barbara，分享了他对项目从一开始到未来发展的思考。</em></p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/07/18/bringing-end-to-end-kubernetes-testing-to-azure-2/Mon, 18 Jul 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/07/18/bringing-end-to-end-kubernetes-testing-to-azure-2/<!-- title: " Bringing End-to-End Kubernetes Testing to Azure (Part 2) " date: 2016-07-18 slug: bringing-end-to-end-kubernetes-testing-to-azure-2 url: /blog/2016/07/Bringing-End-To-End-Kubernetes-Testing-To-Azure-2 --> <!-- _Editor’s Note: Today’s guest post is Part II from a [series](https://kubernetes.io/blog/2016/06/bringing-end-to-end-testing-to-azure) by Travis Newhouse, Chief Architect at AppFormix, writing about their contributions to Kubernetes._ --> <p><em>作者标注：今天的邀请帖子是 Travis Newhouse 的 <a href="https://kubernetes.io/blog/2016/06/bringing-end-to-end-testing-to-azure">系列</a> 中的第二部分，他是 AppFormix 的首席架构师，这篇文章介绍了他们对 Kubernetes 的贡献。</em></p> <!-- Historically, Kubernetes testing has been hosted by Google, running e2e tests on [Google Compute Engine](https://cloud.google.com/compute/) (GCE) and [Google Container Engine](https://cloud.google.com/container-engine/) (GKE). In fact, the gating checks for the submit-queue are a subset of tests executed on these test platforms. Federated testing aims to expand test coverage by enabling organizations to host test jobs for a variety of platforms and contribute test results to benefit the Kubernetes project. Members of the Kubernetes test team at Google and SIG-Testing have created a [Kubernetes test history dashboard](http://storage.googleapis.com/kubernetes-test-history/static/index.html) that publishes the results from all federated test jobs (including those hosted by Google). In this blog post, we describe extending the e2e test jobs for Azure, and show how to contribute a federated test to the Kubernetes project. --> <p>历史上，Kubernetes 测试一直由谷歌托管，在 <a href="https://cloud.google.com/compute/">谷歌计算引擎</a> (GCE) 和 <a href="https://cloud.google.com/container-engine/">谷歌容器引擎</a> (GKE) 上运行端到端测试。实际上，提交队列的选通检查是在这些测试平台上执行测试的子集。联合测试旨在通过使组织托管各种平台的测试作业并贡献测试结果，从而让 Kubernetes 项目受益来扩大测试范围。谷歌和 SIG-Testing 的 Kubernetes 测试小组成员已经创建了一个 <a href="http://storage.googleapis.com/kubernetes-test-history/static/index.html">Kubernetes 测试历史记录仪表板</a>，可以发布所有联合测试作业（包括谷歌托管的作业）的全部结果。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/07/15/dashboard-web-interface-for-kubernetes/Fri, 15 Jul 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/07/15/dashboard-web-interface-for-kubernetes/<!-- title: " Dashboard - Full Featured Web Interface for Kubernetes " date: 2016-07-15 slug: dashboard-web-interface-for-kubernetes url: /blog/2016/07/Dashboard-Web-Interface-For-Kubernetes --> <!-- _Editor’s note: this post is part of a [series of in-depth articles](https://kubernetes.io/blog/2016/07/five-days-of-kubernetes-1-3) on what's new in Kubernetes 1.3_ [Kubernetes Dashboard](http://github.com/kubernetes/dashboard) is a project that aims to bring a general purpose monitoring and operational web interface to the Kubernetes world.&nbsp;Three months ago we [released](https://kubernetes.io/blog/2016/04/building-awesome-user-interfaces-for-kubernetes) the first production ready version, and since then the dashboard has made massive improvements. In a single UI, you’re able to perform majority of possible interactions with your Kubernetes clusters without ever leaving your browser. This blog post breaks down new features introduced in the latest release and outlines the roadmap for the future.&nbsp; --> <p><em>编者按：这篇文章是<a href="https://kubernetes.io/blog/2016/07/five-days-of-kubernetes-1-3">一系列深入的文章</a> 中关于Kubernetes 1.3的新内容的一部分</em> <a href="http://github.com/kubernetes/dashboard">Kubernetes Dashboard</a>是一个旨在为 Kubernetes 世界带来通用监控和操作 Web 界面的项目。三个月前，我们<a href="https://kubernetes.io/blog/2016/04/building-awesome-user-interfaces-for-kubernetes">发布</a>第一个面向生产的版本，从那时起 dashboard 已经做了大量的改进。在一个 UI 中，您可以在不离开浏览器的情况下，与 Kubernetes 集群执行大多数可能的交互。这篇博客文章分解了最新版本中引入的新功能，并概述了未来的路线图。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/07/14/citrix-netscaler-and-kubernetes/Thu, 14 Jul 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/07/14/citrix-netscaler-and-kubernetes/<!-- title: " Citrix + Kubernetes = A Home Run " date: 2016-07-14 slug: citrix-netscaler-and-kubernetes url: /blog/2016/07/Citrix-Netscaler-And-Kubernetes --> <!-- _Editor’s note: today’s guest post is by Mikko Disini, a Director of Product Management at Citrix Systems, sharing their collaboration experience on a Kubernetes integration.&nbsp;_ --> <p>编者按：今天的客座文章来自 Citrix Systems 的产品管理总监 Mikko Disini，他分享了他们在 Kubernetes 集成上的合作经验。 _</p> <!-- Technical collaboration is like sports. If you work together as a team, you can go down the homestretch and pull through for a win. That’s our experience with the Google Cloud Platform team. --> <p>技术合作就像体育运动。如果你能像一个团队一样合作，你就能在最后关头取得胜利。这就是我们对谷歌云平台团队的经验。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/07/13/stateful-applications-in-containers-kubernetes/Wed, 13 Jul 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/07/13/stateful-applications-in-containers-kubernetes/<!-- title: " Stateful Applications in Containers!? Kubernetes 1.3 Says “Yes!” " date: 2016-07-13 slug: stateful-applications-in-containers-kubernetes url: /blog/2016/07/stateful-applications-in-containers-kubernetes --> <!-- _Editor's note: today’s guest post is from Mark Balch, VP of Products at Diamanti, who’ll share more about the contributions they’ve made to Kubernetes._ --> <p><em>编者注： 今天的来宾帖子来自 Diamanti 产品副总裁 Mark Balch，他将分享有关他们对 Kubernetes 所做的贡献的更多信息。</em></p> <!-- Congratulations to the Kubernetes community on another [value-packed release](https://kubernetes.io/blog/2016/07/kubernetes-1-3-bridging-cloud-native-and-enterprise-workloads/). A focus on stateful applications and federated clusters are two reasons why I’m so excited about 1.3. Kubernetes support for stateful apps such as Cassandra, Kafka, and MongoDB is critical. Important services rely on databases, key value stores, message queues, and more. Additionally, relying on one data center or container cluster simply won’t work as apps grow to serve millions of users around the world. Cluster federation allows users to deploy apps across multiple clusters and data centers for scale and resiliency. --> <p>祝贺 Kubernetes 社区发布了另一个<a href="https://kubernetes.io/blog/2016/07/kubernetes-1-3-bridging-cloud-native-and-enterprise-workloads/">有价值的版本</a>。 专注于有状态应用程序和联邦集群是我对 1.3 如此兴奋的两个原因。 Kubernetes 对有状态应用程序（例如 Cassandra、Kafka 和 MongoDB）的支持至关重要。 重要服务依赖于数据库、键值存储、消息队列等。 此外，随着应用程序的发展为全球数百万用户提供服务，仅依靠一个数据中心或容器集群将无法正常工作。 联邦集群允许用户跨多个集群和数据中心部署应用程序，以实现规模和弹性。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/05/03/coreosfest2016-kubernetes-community/Tue, 03 May 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/05/03/coreosfest2016-kubernetes-community/<!-- title: " CoreOS Fest 2016: CoreOS and Kubernetes Community meet in Berlin (& San Francisco) " date: 2016-05-03 slug: coreosfest2016-kubernetes-community url: /blog/2016/05/Coreosfest2016-Kubernetes-Community --> <!-- [CoreOS Fest 2016](https://coreos.com/fest/) will bring together the container and open source distributed systems community, including many thought leaders in the Kubernetes space. It is the second annual CoreOS community conference, held for the first time in Berlin on May 9th and 10th. CoreOS believes Kubernetes is the container orchestration component to deliver GIFEE (Google’s Infrastructure for Everyone Else). --> <p><a href="https://coreos.com/fest/">CoreOS Fest 2016</a> 将汇集容器和开源分布式系统社区，其中包括 Kubernetes 领域的许多思想领袖。 这是第二次年度 CoreOS 社区会议，于5月9日至10日在柏林首次举行。 CoreOS 相信 Kubernetes 是提供 GIFEE（适用于所有人的 Google 的基础架构）服务的合适的容器编排组件。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/04/19/sig-clusterops-promote-operability-and-interoperability-of-k8s-clusters/Tue, 19 Apr 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/04/19/sig-clusterops-promote-operability-and-interoperability-of-k8s-clusters/<!-- title: " SIG-ClusterOps: Promote operability and interoperability of Kubernetes clusters " date: 2016-04-19 slug: sig-clusterops-promote-operability-and-interoperability-of-k8s-clusters url: /blog/2016/04/Sig-Clusterops-Promote-Operability-And-Interoperability-Of-K8S-Clusters --> <!-- _Editor’s note: This week we’re featuring [Kubernetes Special Interest Groups](https://github.com/kubernetes/kubernetes/wiki/Special-Interest-Groups-(SIGs)); Today’s post is by the SIG-ClusterOps team whose mission is to promote operability and interoperability of Kubernetes clusters -- to listen, help & escalate._ --> <p><em>编者注： 本周我们将推出 <a href="https://github.com/kubernetes/kubernetes/wiki/Special-Interest-Groups-(SIGs)">Kubernetes 特殊兴趣小组</a>；今天的帖子由 SIG-ClusterOps 团队负责，其任务是促进 Kubernetes 集群的可操作性和互操作性 -- 倾听，帮助和升级。</em></p> <!-- We think Kubernetes is an awesome way to run applications at scale! Unfortunately, there's a bootstrapping problem: we need good ways to build secure & reliable scale environments around Kubernetes. While some parts of the platform administration leverage the platform (cool!), there are fundamental operational topics that need to be addressed and questions (like upgrade and conformance) that need to be answered. --> <p>我们认为 Kubernetes 是大规模运行应用程序的绝佳方法！ 不幸的是，存在一个引导问题：我们需要良好的方法来围绕 Kubernetes 构建安全可靠的扩展环境。 虽然平台管理的某些部分利用了平台（很酷！），这有一些基本的操作主题需要解决，还有一些问题（例如升级和一致性）需要回答。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/04/18/kubernetes-network-policy-apis/Mon, 18 Apr 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/04/18/kubernetes-network-policy-apis/<!-- title: " SIG-Networking: Kubernetes Network Policy APIs Coming in 1.3 " date: 2016-04-18 slug: kubernetes-network-policy-apis url: /blog/2016/04/Kubernetes-Network-Policy-APIs --> <!-- _Editor’s note: This week we’re featuring [Kubernetes Special Interest Groups](https://github.com/kubernetes/kubernetes/wiki/Special-Interest-Groups-(SIGs)); Today’s post is by the Network-SIG team describing network policy APIs coming in 1.3 - policies for security, isolation and multi-tenancy._ --> <p><em>编者注：本周我们将推出 <a href="https://github.com/kubernetes/kubernetes/wiki/Special-Interest-Groups-(SIGs)">Kubernetes 特殊兴趣小组</a>、 Network-SIG 小组今天的帖子描述了 1.3 版中的网络策略 API-安全，隔离和多租户策略。</em></p> <!-- The [Kubernetes network SIG](https://kubernetes.slack.com/messages/sig-network/) has been meeting regularly since late last year to work on bringing network policy to Kubernetes and we’re starting to see the results of this effort. --> <p>自去年下半年以来，<a href="https://kubernetes.slack.com/messages/sig-network/">Kubernetes SIG-Networking</a> 一直在定期开会，致力于将网络策略引入 Kubernetes，我们开始看到这个努力的结果。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/04/08/adding-support-for-kubernetes-in-rancher/Fri, 08 Apr 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/04/08/adding-support-for-kubernetes-in-rancher/<!-- title: " Adding Support for Kubernetes in Rancher " date: 2016-04-08 slug: adding-support-for-kubernetes-in-rancher url: /blog/2016/04/Adding-Support-For-Kubernetes-In-Rancher --> <!-- _Today’s guest post is written by Darren Shepherd, Chief Architect at Rancher Labs, an open-source software platform for managing containers._ --> <p><em>今天的来宾帖子由 Rancher Labs（用于管理容器的开源软件平台）的首席架构师 Darren Shepherd 撰写。</em></p> <!-- Over the last year, we’ve seen a tremendous increase in the number of companies looking to leverage containers in their software development and IT organizations. To achieve this, organizations have been looking at how to build a centralized container management capability that will make it simple for users to get access to containers, while centralizing visibility and control with the IT organization. In 2014 we started the open-source Rancher project to address this by building a management platform for containers. --> <p>在过去的一年中，我们看到希望在其软件开发和IT组织中利用容器的公司数量激增。 为了实现这一目标，组织一直在研究如何构建集中式的容器管理功能，该功能将使用户可以轻松访问容器，同时集中管理IT组织的可见性和控制力。 2014年，我们启动了开源 Rancher 项目，通过构建容器管理平台来解决此问题。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/02/24/kubecon-eu-2016-kubernetes-community-in/Wed, 24 Feb 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/02/24/kubecon-eu-2016-kubernetes-community-in/<!-- title: " KubeCon EU 2016: Kubernetes Community in London " date: 2016-02-24 slug: kubecon-eu-2016-kubernetes-community-in url: /blog/2016/02/Kubecon-Eu-2016-Kubernetes-Community-In --> <!-- KubeCon EU 2016 is the inaugural [European Kubernetes](http://kubernetes.io/) community conference that follows on the American launch in November 2015. KubeCon is fully dedicated to education and community engagement for[Kubernetes](http://kubernetes.io/) enthusiasts, production users and the surrounding ecosystem. --> <p>KubeCon EU 2016 是首届<a href="http://kubernetes.io/">欧洲 Kubernetes</a> 社区会议，紧随 2015 年 11 月召开的北美会议。KubeCon 致力于为 <a href="http://kubernetes.io/">Kubernetes</a> 爱好者、产品用户和周围的生态系统提供教育和社区参与。</p> <!-- Come join us in London and hang out with hundreds from the Kubernetes community and experience a wide variety of deep technical expert talks and use cases. --> <p>快来加入我们在伦敦，与 Kubernetes 社区的数百人一起出去，体验各种深入的技术专家讲座和用例。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/02/23/kubernetes-community-meeting-notes_23/Tue, 23 Feb 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/02/23/kubernetes-community-meeting-notes_23/<!-- --- title: " Kubernetes Community Meeting Notes - 20160218 " date: 2016-02-23 slug: kubernetes-community-meeting-notes_23 url: /blog/2016/02/Kubernetes-community-meeting-notes-20160128 --- --> <!-- ##### February 18th - kmachine demo, clusterops SIG formed, new k8s.io website preview, 1.2 update and planning 1.3 The Kubernetes contributing community meets most Thursdays at 10:00PT to discuss the project's status via videoconference. Here are the notes from the latest meeting. --> <h5 id="2月18号-kmachine-演示-sig-clusterops-成立-新的-k8s-io-网站预览-1-2-版本更新和-1-3-版本计划">2月18号 - kmachine 演示、SIG clusterops 成立、新的 k8s.io 网站预览、1.2 版本更新和 1.3 版本计划</h5> <p>Kubernetes 贡献社区会议大多在星期四的 10:00 召开，通过视频会议讨论项目现有情况。这里是最近一次会议的笔记。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/02/09/kubernetes-community-meeting-notes/Tue, 09 Feb 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/02/09/kubernetes-community-meeting-notes/<!-- title: " Kubernetes community meeting notes - 20160204 " date: 2016-02-09 slug: kubernetes-community-meeting-notes url: /blog/2016/02/Kubernetes-Community-Meeting-Notes --> <!-- #### February 4th - rkt demo (congratulations on the 1.0, CoreOS!), eBay puts k8s on Openstack and considers Openstack on k8s, SIGs, and flaky test surge makes progress. --> <h4 id="2-月-4-日-rkt-演示-祝贺-1-0-版本-coreos-ebay-将-k8s-放在-openstack-上并认为-openstack-在-k8s-sig-和片状测试激增方面取得了进展">2 月 4 日 - rkt 演示（祝贺 1.0 版本，CoreOS！），eBay 将 k8s 放在 Openstack 上并认为 Openstack 在 k8s，SIG 和片状测试激增方面取得了进展。</h4> <!-- The Kubernetes contributing community meets most Thursdays at 10:00PT to discuss the project's status via a videoconference. Here are the notes from the latest meeting. --> <p>Kubernetes 贡献社区在每周四 10:00 PT 开会,通过视频会议讨论项目状态。以下是最近一次会议的笔记。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/02/01/state-of-container-world-january-2016/Mon, 01 Feb 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/02/01/state-of-container-world-january-2016/<!-- title: " State of the Container World, January 2016 " date: 2016-02-01 slug: state-of-container-world-january-2016 url: /blog/2016/02/State-Of-Container-World-January-2016 --> <!-- At the start of the new year, we sent out a survey to gauge the state of the container world. We’re ready to send the [February edition](https://docs.google.com/forms/d/13yxxBqb5igUhwrrnDExLzZPjREiCnSs-AH-y4SSZ-5c/viewform), but before we do, let’s take a look at the January data from the 119 responses (thank you for participating!). --> <p>新年伊始，我们进行了一项调查，以评估容器世界的现状。 我们已经准备好发送<a href="https://docs.google.com/forms/d/13yxxBqb5igUhwrrnDExLzZPjREiCnSs-AH-y4SSZ-5c/viewform"> 2 月版</a>但在此之前，让我们从 119 条回复中看一下 1 月的数据（感谢您的参与！）。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/01/28/kubernetes-community-meeting-notes/Thu, 28 Jan 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/01/28/kubernetes-community-meeting-notes/<!-- --- title: " Kubernetes Community Meeting Notes - 20160114 " date: 2016-01-28 slug: kubernetes-community-meeting-notes url: /zh/blog/2016/01/Kubernetes-Community-Meeting-Notes --- --> <!-- ##### January 14 - RackN demo, testing woes, and KubeCon EU CFP. --- Note taker: Joe Beda --- --> <h5 id="1-月-14-日-rackn-演示-测试问题和-kubecon-eu-cfp">1 月 14 日 - RackN 演示、测试问题和 KubeCon EU CFP。</h5> <hr> <h2 id="记录者-joe-beda">记录者：Joe Beda</h2> <!-- * Demonstration: Automated Deploy on Metal, AWS and others w/ Digital Rebar, Rob Hirschfeld and Greg Althaus from RackN * Greg Althaus. CTO. Digital Rebar is the product. Bare metal provisioning tool. * Detect hardware, bring it up, configure raid, OS and get workload deployed. * Been working on Kubernetes workload. * Seeing trend to start in cloud and then move back to bare metal. * New provider model to use provisioning system on both cloud and bare metal. * UI, REST API, CLI * Demo: Packet -- bare metal as a service * 4 nodes running grouped into a "deployment" * Functional roles/operations selected per node. * Decomposed the kubernetes bring up into units that can be ordered and synchronized. Dependency tree -- things like wait for etcd to be up before starting k8s master. * Using the Ansible playbook under the covers. * Demo brings up 5 more nodes -- packet will build those nodes * Pulled out basic parameters from the ansible playbook. Things like the network config, dns set up, etc. * Hierarchy of roles pulls in other components -- making a node a master brings in a bunch of other roles that are necessary for that. * Has all of this combined into a command line tool with a simple config file. * Forward: extending across multiple clouds for test deployments. Also looking to create split/replicated across bare metal and cloud. * Q: secrets? A: using ansible playbooks. Builds own certs and then distributes them. Wants to abstract them out and push that stuff upstream. * Q: Do you support bringing up from real bare metal with PXE boot? A: yes -- will discover bare metal systems and install OS, install ssh keys, build networking, etc. --> <ul> <li> <p>演示：在 Metal，AWS 和其他平台上使用 Digital Rebar 自动化部署，来自 RackN 的 Rob Hirschfeld 和 Greg Althaus。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/01/14/why-kubernetes-doesnt-use-libnetwork/Thu, 14 Jan 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/01/14/why-kubernetes-doesnt-use-libnetwork/<!-- title: " Why Kubernetes doesn’t use libnetwork " date: 2016-01-14 slug: why-kubernetes-doesnt-use-libnetwork url: /blog/2016/01/Why-Kubernetes-Doesnt-Use-Libnetwork --> <!-- Kubernetes has had a very basic form of network plugins since before version 1.0 was released — around the same time as Docker's [libnetwork](https://github.com/docker/libnetwork) and Container Network Model ([CNM](https://github.com/docker/libnetwork/blob/master/docs/design.md)) was introduced. Unlike libnetwork, the Kubernetes plugin system still retains its "alpha" designation. Now that Docker's network plugin support is released and supported, an obvious question we get is why Kubernetes has not adopted it yet. After all, vendors will almost certainly be writing plugins for Docker — we would all be better off using the same drivers, right? --> <p>在 1.0 版本发布之前，Kubernetes 已经有了一个非常基础的网络插件形式-大约在引入 Docker’s <a href="https://github.com/docker/libnetwork">libnetwork</a> 和 Container Network Model (<a href="https://github.com/docker/libnetwork/blob/master/docs/design.md">CNM</a>) 的时候。与 libnetwork 不同，Kubernetes 插件系统仍然保留它的 'alpha' 名称。现在 Docker 的网络插件支持已经发布并得到支持，我们发现一个明显的问题是 Kubernetes 尚未采用它。毕竟，供应商几乎肯定会为 Docker 编写插件-我们最好还是用相同的驱动程序，对吧？</p>https://andygol-k8s.netlify.app/zh-cn/blog/2016/01/11/simple-leader-election-with-kubernetes/Mon, 11 Jan 2016 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2016/01/11/simple-leader-election-with-kubernetes/<!-- title: " Simple leader election with Kubernetes and Docker " date: 2016-01-11 slug: simple-leader-election-with-kubernetes --> <!-- #### Overview Kubernetes simplifies the deployment and operational management of services running on clusters. However, it also simplifies the development of these services. In this post we'll see how you can use Kubernetes to easily perform leader election in your distributed application. Distributed applications usually replicate the tasks of a service for reliability and scalability, but often it is necessary to designate one of the replicas as the leader who is responsible for coordination among all of the replicas. --> <h4 id="概述">概述</h4> <p>Kubernetes 简化了集群上运行的服务的部署和操作管理。但是，它也简化了这些服务的发展。在本文中，我们将看到如何使用 Kubernetes 在分布式应用程序中轻松地执行 leader election。分布式应用程序通常为了可靠性和可伸缩性而复制服务的任务，但通常需要指定其中一个副本作为负责所有副本之间协调的负责人。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2015/12/17/managing-kubernetes-pods-services-and-replication-controllers-with-puppet/Thu, 17 Dec 2015 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2015/12/17/managing-kubernetes-pods-services-and-replication-controllers-with-puppet/<!-- title: " Managing Kubernetes Pods, Services and Replication Controllers with Puppet " date: 2015-12-17 slug: managing-kubernetes-pods-services-and-replication-controllers-with-puppet url: /blog/2015/12/Managing-Kubernetes-Pods-Services-And-Replication-Controllers-With-Puppet --> <!-- _Today’s guest post is written by Gareth Rushgrove, Senior Software Engineer at Puppet Labs, a leader in IT automation. Gareth tells us about a new Puppet module that helps manage resources in Kubernetes.&nbsp;_ People familiar with [Puppet](https://github.com/puppetlabs/puppet)&nbsp;might have used it for managing files, packages and users on host computers. But Puppet is first and foremost a configuration management tool, and config management is a much broader discipline than just managing host-level resources. A good definition of configuration management is that it aims to solve four related problems: identification, control, status accounting and verification and audit. These problems exist in the operation of any complex system, and with the new [Puppet Kubernetes module](https://forge.puppetlabs.com/garethr/kubernetes)&nbsp;we’re starting to look at how we can solve those problems for Kubernetes. --> <p><em>今天的嘉宾帖子是由 IT 自动化领域的领导者 Puppet Labs 的高级软件工程师 Gareth Rushgrove 撰写的。Gareth告诉我们一个新的 Puppet 模块，它帮助管理 Kubernetes 中的资源。</em></p>https://andygol-k8s.netlify.app/zh-cn/blog/2015/11/09/kubernetes-1-1-performance-upgrades-improved-tooling-and-a-growing-community/Mon, 09 Nov 2015 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2015/11/09/kubernetes-1-1-performance-upgrades-improved-tooling-and-a-growing-community/<!-- title: " Kubernetes 1.1 Performance upgrades, improved tooling and a growing community " date: 2015-11-09 slug: kubernetes-1-1-performance-upgrades-improved-tooling-and-a-growing-community url: /blog/2015/11/Kubernetes-1-1-Performance-Upgrades-Improved-Tooling-And-A-Growing-Community --> <!-- Since the Kubernetes 1.0 release in July, we’ve seen tremendous adoption by companies building distributed systems to manage their container clusters. We’re also been humbled by the rapid growth of the community who help make Kubernetes better everyday. We have seen commercial offerings such as Tectonic by CoreOS and RedHat Atomic Host emerge to deliver deployment and support of Kubernetes. And a growing ecosystem has added Kubernetes support including tool vendors such as Sysdig and Project Calico. --> <p>自从 Kubernetes 1.0 在七月发布以来，我们已经看到大量公司采用建立分布式系统来管理其容器集群。 我们也对帮助 Kubernetes 社区变得更好，迅速发展的人感到钦佩。 我们已经看到诸如 CoreOS 的 Tectonic 和 RedHat Atomic Host 之类的商业产品应运而生，用以提供 Kubernetes 的部署和支持。 一个不断发展的生态系统增加了 Kubernetes 的支持，包括 Sysdig 和 Project Calico 等工具供应商。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2015/08/04/weekly-kubernetes-community-hangout/Tue, 04 Aug 2015 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2015/08/04/weekly-kubernetes-community-hangout/<!-- title: " Weekly Kubernetes Community Hangout Notes - July 31 2015 " date: 2015-08-04 slug: weekly-kubernetes-community-hangout url: /blog/2015/08/Weekly-Kubernetes-Community-Hangout --> <!-- Every week the Kubernetes contributing community meet virtually over Google Hangouts. We want anyone who's interested to know what's discussed in this forum. Here are the notes from today's meeting: --> <p>每周，Kubernetes 贡献社区都会通过Google 环聊虚拟开会。我们希望任何有兴趣的人都知道本论坛讨论的内容。</p> <p>这是今天会议的笔记：</p> <!-- * Private Registry Demo - Muhammed * Run docker-registry as an RC/Pod/Service * Run a proxy on every node * Access as localhost:5000 * Discussion: * Should we back it by GCS or S3 when possible? * Run real registry backed by $object_store on each node * DNS instead of localhost? * disassemble image strings? * more like DNS policy? --> <ul> <li> <p>私有镜像仓库演示 - Muhammed</p>https://andygol-k8s.netlify.app/zh-cn/blog/2015/07/08/announcing-first-kubernetes-enterprise/Wed, 08 Jul 2015 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2015/07/08/announcing-first-kubernetes-enterprise/<!-- title: " Announcing the First Kubernetes Enterprise Training Course " date: 2015-07-08 slug: announcing-first-kubernetes-enterprise url: /blog/2015/07/Announcing-First-Kubernetes-Enterprise --> <!-- At Google we rely on Linux application containers to run our core infrastructure. Everything from Search to Gmail runs in containers. &nbsp;In fact, we like containers so much that even our Google Compute Engine VMs run in containers! &nbsp;Because containers are critical to our business, we have been working with the community on many of the basic container technologies (from cgroups to Docker’s LibContainer) and even decided to build the next generation of Google’s container scheduling technology, Kubernetes, in the open. --> <p>在谷歌，我们依赖 Linux 容器应用程序去运行我们的核心基础架构。所有服务，从搜索引擎到Gmail服务，都运行在容器中。事实上，我们非常喜欢容器，甚至我们的谷歌云计算引擎虚拟机也运行在容器上！由于容器对于我们的业务至关重要，我们已经与社区合作开发许多基本的容器技术（从 cgroups 到 Docker 的 LibContainer）,甚至决定去构建谷歌的下一代开源容器调度技术，Kubernetes。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2015/06/26/slides-cluster-management-with/Fri, 26 Jun 2015 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2015/06/26/slides-cluster-management-with/<!-- title: " Slides: Cluster Management with Kubernetes, talk given at the University of Edinburgh " date: 2015-06-26 slug: slides-cluster-management-with url: /blog/2015/06/Slides-Cluster-Management-With --> <!-- On Friday 5 June 2015 I gave a talk called [Cluster Management with Kubernetes](https://docs.google.com/presentation/d/1H4ywDb4vAJeg8KEjpYfhNqFSig0Q8e_X5I36kM9S6q0/pub?start=false&loop=false&delayms=3000) to a general audience at the University of Edinburgh. The talk includes an example of a music store system with a Kibana front end UI and an Elasticsearch based back end which helps to make concrete concepts like pods, replication controllers and services. [Cluster Management with Kubernetes](https://docs.google.com/presentation/d/1H4ywDb4vAJeg8KEjpYfhNqFSig0Q8e_X5I36kM9S6q0/pub?start=false&loop=false&delayms=3000). --> <p>2015年6月5日星期五，我在爱丁堡大学给普通听众做了一个演讲，题目是<a href="https://docs.google.com/presentation/d/1H4ywDb4vAJeg8KEjpYfhNqFSig0Q8e_X5I36kM9S6q0/pub?start=false&loop=false&delayms=3000">使用 Kubernetes 进行集群管理</a>。这次演讲包括一个带有 Kibana 前端 UI 的音乐存储系统的例子，以及一个基于 Elasticsearch 的后端，该后端有助于生成具体的概念，如 pods、复制控制器和服务。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2015/05/19/kubernetes-on-openstack/Tue, 19 May 2015 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2015/05/19/kubernetes-on-openstack/<!-- title: " Kubernetes on OpenStack " date: 2015-05-19 slug: kubernetes-on-openstack url: /blog/2015/05/Kubernetes-On-Openstack --> <p><a href="https://3.bp.blogspot.com/-EOrCHChZJZE/VVZzq43g6CI/AAAAAAAAF-E/JUilRHk369E/s1600/Untitled%2Bdrawing.jpg"><img src="https://3.bp.blogspot.com/-EOrCHChZJZE/VVZzq43g6CI/AAAAAAAAF-E/JUilRHk369E/s400/Untitled%2Bdrawing.jpg" alt=""></a></p> <!-- Today, the [OpenStack foundation](https://www.openstack.org/foundation/) made it even easier for you deploy and manage clusters of Docker containers on OpenStack clouds by including Kubernetes in its [Community App Catalog](http://apps.openstack.org/). &nbsp;At a keynote today at the OpenStack Summit in Vancouver, Mark Collier, COO of the OpenStack Foundation, and Craig Peters, &nbsp;[Mirantis](https://www.mirantis.com/) product line manager, demonstrated the Community App Catalog workflow by launching a Kubernetes cluster in a matter of seconds by leveraging the compute, storage, networking and identity systems already present in an OpenStack cloud. --> <p>今天，<a href="https://www.openstack.org/foundation/">OpenStack 基金会</a>通过在其<a href="http://apps.openstack.org/">社区应用程序目录</a>中包含 Kubernetes，使您更容易在 OpenStack 云上部署和管理 Docker 容器集群。 今天在温哥华 OpenStack 峰会上的主题演讲中，OpenStack 基金会的首席运营官：Mark Collier 和 <a href="https://www.mirantis.com/">Mirantis</a> 产品线经理 Craig Peters 通过利用 OpenStack 云中已经存在的计算、存储、网络和标识系统，在几秒钟内启动了 Kubernetes 集群，展示了社区应用程序目录的工作流。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2015/05/11/weekly-kubernetes-community-hangout/Mon, 11 May 2015 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2015/05/11/weekly-kubernetes-community-hangout/<!-- title: " Weekly Kubernetes Community Hangout Notes - May 1 2015 " date: 2015-05-11 slug: weekly-kubernetes-community-hangout url: /blog/2015/05/Weekly-Kubernetes-Community-Hangout --> <!-- Every week the Kubernetes contributing community meet virtually over Google Hangouts. We want anyone who's interested to know what's discussed in this forum. --> <p>每个星期，Kubernetes 贡献者社区几乎都会在谷歌 Hangouts 上聚会。我们希望任何对此感兴趣的人都能了解这个论坛的讨论内容。</p> <!-- * Simple rolling update - Brendan * Rolling update = nice example of why RCs and Pods are good. * ...pause… (Brendan needs demo recovery tips from Kelsey) * Rolling update has recovery: Cancel update and restart, update continues from where it stopped. * New controller gets name of old controller, so appearance is pure update. * Can also name versions in update (won't do rename at the end). --> <ul> <li> <p>简单的滚动更新 - Brendan</p>https://andygol-k8s.netlify.app/zh-cn/blog/2015/05/04/appc-support-for-kubernetes-through-rkt/Mon, 04 May 2015 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2015/05/04/appc-support-for-kubernetes-through-rkt/<!-- title: " AppC Support for Kubernetes through RKT " date: 2015-05-04 slug: appc-support-for-kubernetes-through-rkt url: /blog/2015/05/Appc-Support-For-Kubernetes-Through-Rkt --> <!-- We very recently accepted a pull request to the Kubernetes project to add appc support for the Kubernetes community. &nbsp;Appc is a new open container specification that was initiated by CoreOS, and is supported through CoreOS rkt container runtime. --> <p>我们最近接受了对 Kubernetes 项目的拉取请求，以增加对 Kubernetes 社区的应用程序支持。  AppC 是由 CoreOS 发起的新的开放容器规范，并通过 CoreOS rkt 容器运行时受到支持。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2015/04/30/weekly-kubernetes-community-hangout_29/Thu, 30 Apr 2015 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2015/04/30/weekly-kubernetes-community-hangout_29/<!-- --- title: " Weekly Kubernetes Community Hangout Notes - April 24 2015 " date: 2015-04-30 slug: weekly-kubernetes-community-hangout_29 url: /zh/blog/2015/04/Weekly-Kubernetes-Community-Hangout_29 --- --> <!-- Every week the Kubernetes contributing community meet virtually over Google Hangouts. We want anyone who's interested to know what's discussed in this forum. --> <p>每个星期，Kubernetes 贡献者社区几乎都会在谷歌 Hangouts 上聚会。我们希望任何对此感兴趣的人都能了解这个论坛的讨论内容。</p> <!-- Agenda: * Flocker and Kubernetes integration demo --> <p>日程安排：</p> <ul> <li>Flocker 和 Kubernetes 集成演示</li> </ul> <!-- Notes: * flocker and kubernetes integration demo * * Flocker Q/A * Does the file still exists on node1 after migration? * Brendan: Any plan this to make it a volume? So we don't need powerstrip? * Luke: Need to figure out interest to decide if we want to make it a first-class persistent disk provider in kube. * Brendan: Removing need for powerstrip would make it simple to use. Totally go for it. * Tim: Should take no more than 45 minutes to add it to kubernetes:) --> <p>笔记：</p>https://andygol-k8s.netlify.app/zh-cn/blog/2015/04/23/borg-predecessor-to-kubernetes/Thu, 23 Apr 2015 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2015/04/23/borg-predecessor-to-kubernetes/<!-- title: " Borg: The Predecessor to Kubernetes " date: 2015-04-23 slug: borg-predecessor-to-kubernetes url: /blog/2015/04/Borg-Predecessor-To-Kubernetes --> <!-- Google has been running containerized workloads in production for more than a decade. Whether it's service jobs like web front-ends and stateful servers, infrastructure systems like [Bigtable](http://research.google.com/archive/bigtable.html) and [Spanner](http://research.google.com/archive/spanner.html), or batch frameworks like [MapReduce](http://research.google.com/archive/mapreduce.html) and [Millwheel](http://research.google.com/pubs/pub41378.html), virtually everything at Google runs as a container. Today, we took the wraps off of Borg, Google’s long-rumored internal container-oriented cluster-management system, publishing details at the academic computer systems conference [Eurosys](http://eurosys2015.labri.fr/). You can find the paper [here](https://research.google.com/pubs/pub43438.html). --> <p>十多年来，谷歌一直在生产中运行容器化工作负载。 无论是像网络前端和有状态服务器之类的工作，像 <a href="http://research.google.com/archive/bigtable.html">Bigtable</a> 和 <a href="http://research.google.com/archive/spanner.html">Spanner</a>一样的基础架构系统，或是像 <a href="http://research.google.com/archive/mapreduce.html">MapReduce</a> 和 <a href="http://research.google.com/pubs/pub41378.html">Millwheel</a>一样的批处理框架， Google 的几乎一切都是以容器的方式运行的。今天，我们揭开了 Borg 的面纱，Google 传闻已久的面向容器的内部集群管理系统，并在学术计算机系统会议 <a href="http://eurosys2015.labri.fr/">Eurosys</a> 上发布了详细信息。你可以在 <a href="https://research.google.com/pubs/pub43438.html">此处</a> 找到论文。</p>https://andygol-k8s.netlify.app/zh-cn/blog/2015/04/17/weekly-kubernetes-community-hangout_17/Fri, 17 Apr 2015 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2015/04/17/weekly-kubernetes-community-hangout_17/<!-- --- title: " Weekly Kubernetes Community Hangout Notes - April 17 2015 " date: 2015-04-17 slug: weekly-kubernetes-community-hangout_17 url: /zh/blog/2015/04/Weekly-Kubernetes-Community-Hangout_17 --- --> <!-- Every week the Kubernetes contributing community meet virtually over Google Hangouts. We want anyone who's interested to know what's discussed in this forum. --> <p>每个星期，Kubernetes 贡献者社区几乎都会在谷歌 Hangouts 上聚会。我们希望任何对此感兴趣的人都能了解这个论坛的讨论内容。</p> <!-- Agenda * Mesos Integration * High Availability (HA) * Adding performance and profiling details to e2e to track regressions * Versioned clients --> <p>议程</p>https://andygol-k8s.netlify.app/zh-cn/blog/2015/04/16/kubernetes-release-0150/Thu, 16 Apr 2015 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2015/04/16/kubernetes-release-0150/<!-- Release Notes: --> <p>Release 说明：</p> <!-- * Enables v1beta3 API and sets it to the default API version ([#6098][1]) * Added multi-port Services ([#6182][2]) * New Getting Started Guides * Multi-node local startup guide ([#6505][3]) * Mesos on Google Cloud Platform ([#5442][4]) * Ansible Setup instructions ([#6237][5]) * Added a controller framework ([#5270][6], [#5473][7]) * The Kubelet now listens on a secure HTTPS port ([#6380][8]) * Made kubectl errors more user-friendly ([#6338][9]) * The apiserver now supports client cert authentication ([#6190][10]) * The apiserver now limits the number of concurrent requests it processes ([#6207][11]) * Added rate limiting to pod deleting ([#6355][12]) * Implement Balanced Resource Allocation algorithm as a PriorityFunction in scheduler package ([#6150][13]) * Enabled log collection from master ([#6396][14]) * Added an api endpoint to pull logs from Pods ([#6497][15]) * Added latency metrics to scheduler ([#6368][16]) * Added latency metrics to REST client ([#6409][17]) --> <ul> <li>启用 1beta3 API 并将其设置为默认 API 版本 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6098" title="在 master 中默认启用 v1beta3 api 版本">#6098</a>)</li> <li>增加了多端口服务(<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6182" title="实现多端口服务">#6182</a>) <ul> <li>新入门指南</li> <li>多节点本地启动指南 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6505" title="Docker 多节点">#6505</a>)</li> <li>Google 云平台上的 Mesos (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/5442" title="谷歌云平台上 Mesos 入门指南">#5442</a>)</li> <li>Ansible 安装说明 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6237" title="示例 ansible 设置仓库">#6237</a>)</li> </ul> </li> <li>添加了一个控制器框架 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/5270" title="控制器框架">#5270</a>, <a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/5473" title="添加 DeltaFIFO（控制器框架块）">#5473</a>)</li> <li>Kubelet 现在监听一个安全的 HTTPS 端口 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6380" title="将 kubelet 配置为使用 HTTPS (获得 2)">#6380</a>)</li> <li>使 kubectl 错误更加友好 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6338" title="返回用于配置验证的类型化错误，并简化错误">#6338</a>)</li> <li>apiserver 现在支持客户端 cert 身份验证 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6190" title="添加客户端证书认证">#6190</a>)</li> <li>apiserver 现在限制了它处理的并发请求的数量 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6207" title="为服务器处理的正在运行的请求数量添加一个限制。">#6207</a>)</li> <li>添加速度限制删除 pod (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6355" title="添加速度限制删除 pod">#6355</a>)</li> <li>将平衡资源分配算法作为优先级函数实现在调度程序包中 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6150" title="将均衡资源分配算法作为优先级函数实现在调度程序包中。">#6150</a>)</li> <li>从主服务器启用日志收集功能 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6396" title="启用主服务器收集日志。">#6396</a>)</li> <li>添加了一个 api 端口来从 Pod 中提取日志 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6497" title="pod 子日志资源">#6497</a>)</li> <li>为调度程序添加了延迟指标 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6368" title="将基本延迟指标添加到调度程序。">#6368</a>)</li> <li>为 REST 客户端添加了延迟指标 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6409" title="向 REST 客户端添加延迟指标">#6409</a>)</li> </ul> <!-- * etcd now runs in a pod on the master ([#6221][18]) * nginx now runs in a container on the master ([#6334][19]) * Began creating Docker images for master components ([#6326][20]) * Updated GCE provider to work with gcloud 0.9.54 ([#6270][21]) * Updated AWS provider to fix Region vs Zone semantics ([#6011][22]) * Record event when image GC fails ([#6091][23]) * Add a QPS limiter to the kubernetes client ([#6203][24]) * Decrease the time it takes to run make release ([#6196][25]) * New volume support * Added iscsi volume plugin ([#5506][26]) * Added glusterfs volume plugin ([#6174][27]) * AWS EBS volume support ([#5138][28]) * Updated to heapster version to v0.10.0 ([#6331][29]) * Updated to etcd 2.0.9 ([#6544][30]) * Updated to Kibana to v1.2 ([#6426][31]) * Bug Fixes * Kube-proxy now updates iptables rules if a service's public IPs change ([#6123][32]) * Retry kube-addons creation if the initial creation fails ([#6200][33]) * Make kube-proxy more resiliant to running out of file descriptors ([#6727][34]) --> <ul> <li>etcd 现在在 master 上的一个 pod 中运行 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6221" title="在 pod 中运行 etcd 2.0.5">#6221</a>)</li> <li>nginx 现在在 master上的容器中运行 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6334" title="添加一个 nginx docker 镜像用于主程序。">#6334</a>)</li> <li>开始为主组件构建 Docker 镜像 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6326" title="为主组件创建 Docker 镜像">#6326</a>)</li> <li>更新了 GCE 程序以使用 gcloud 0.9.54 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6270" title="gcloud 0.9.54 的更新">#6270</a>)</li> <li>更新了 AWS 程序来修复区域与区域语义 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6011" title="修复 AWS 区域 与 zone">#6011</a>)</li> <li>记录镜像 GC 失败时的事件 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6091" title="记录镜像 GC 失败时的事件。">#6091</a>)</li> <li>为 kubernetes 客户端添加 QPS 限制器 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6203" title="向 kubernetes 客户端添加 QPS 限制器。">#6203</a>)</li> <li>减少运行 make release 所需的时间 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6196" title="在 `make release` 的构建和打包阶段并行化架构">#6196</a>)</li> <li>新卷的支持 <ul> <li>添加 iscsi 卷插件 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/5506" title="添加 iscsi 卷插件">#5506</a>)</li> <li>添加 glusterfs 卷插件 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6174" title="实现 glusterfs 卷插件">#6174</a>)</li> <li>AWS EBS 卷支持 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/5138" title="AWS EBS 卷支持">#5138</a>)</li> </ul> </li> <li>更新到 heapster 版本到 v0.10.0 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6331" title="将 heapster 版本更新到 v0.10.0">#6331</a>)</li> <li>更新到 etcd 2.0.9 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6544" title="构建 etcd 镜像(版本 2.0.9)，并将 kubernetes 集群升级到新版本">#6544</a>)</li> <li>更新到 Kibana 到 v1.2 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6426" title="更新 Kibana 到 v1.2，它对 Elasticsearch 的位置进行了参数化">#6426</a>)</li> <li>漏洞修复 <ul> <li>如果服务的公共 IP 发生变化，Kube-proxy现在会更新iptables规则 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6123" title="修复了 kube-proxy 中的一个错误，如果一个服务的公共 ip 发生变化，它不会更新 iptables 规则">#6123</a>)</li> <li>如果初始创建失败，则重试 kube-addons 创建 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6200" title="如果 kube-addons 创建失败，请重试 kube-addons 创建。">#6200</a>)</li> <li>使 kube-proxy 对耗尽文件描述符更具弹性 (<a href="https://github.com/GoogleCloudPlatform/kubernetes/pull/6727" title="pkg/proxy: fd 用完后引起恐慌">#6727</a>)</li> </ul> </li> </ul> <!-- To download, please visit https://github.com/GoogleCloudPlatform/kubernetes/releases/tag/v0.15.0 --> <p>要下载，请访问 <a href="https://github.com/GoogleCloudPlatform/kubernetes/releases/tag/v0.15.0">https://github.com/GoogleCloudPlatform/kubernetes/releases/tag/v0.15.0</a></p>https://andygol-k8s.netlify.app/zh-cn/blog/2015/04/04/weekly-kubernetes-community-hangout/Sat, 04 Apr 2015 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2015/04/04/weekly-kubernetes-community-hangout/<!-- title: " Weekly Kubernetes Community Hangout Notes - April 3 2015 " date: 2015-04-04 slug: weekly-kubernetes-community-hangout url: /blog/2015/04/Weekly-Kubernetes-Community-Hangout --> <!-- # Kubernetes: Weekly Kubernetes Community Hangout Notes --> <h1 id="kubernetes-每周-kubernetes-社区聚会笔记">Kubernetes: 每周 Kubernetes 社区聚会笔记</h1> <!-- Every week the Kubernetes contributing community meet virtually over Google Hangouts. We want anyone who's interested to know what's discussed in this forum. --> <p>每周，Kubernetes 贡献社区几乎都会通过 Google Hangouts 开会。 我们希望任何有兴趣的人都知道本论坛讨论的内容。</p> <!-- Agenda: --> <p>议程：</p> <!-- * Quinton - Cluster federation * Satnam - Performance benchmarking update --> <ul> <li>Quinton - 集群联邦</li> <li>Satnam - 性能基准测试更新</li> </ul> <!-- *Notes from meeting:* --> <p><em>会议记录：</em></p>https://andygol-k8s.netlify.app/zh-cn/blog/2015/03/28/weekly-kubernetes-community-hangout/Sat, 28 Mar 2015 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2015/03/28/weekly-kubernetes-community-hangout/<!-- title: " Weekly Kubernetes Community Hangout Notes - March 27 2015 " date: 2015-03-28 slug: weekly-kubernetes-community-hangout url: /blog/2015/03/Weekly-Kubernetes-Community-Hangout --> <!-- Every week the Kubernetes contributing community meet virtually over Google Hangouts. We want anyone who's interested to know what's discussed in this forum. --> <p>每个星期，Kubernetes 贡献者社区几乎都会在谷歌 Hangouts 上聚会。我们希望任何对此感兴趣的人都能了解这个论坛的讨论内容。</p> <!-- Agenda: --> <p>日程安排：</p> <!-- \- Andy - demo remote execution and port forwarding \- Quinton - Cluster federation - Postponed \- Clayton - UI code sharing and collaboration around Kubernetes --> <p>- Andy - 演示远程执行和端口转发</p>https://andygol-k8s.netlify.app/zh-cn/blog/2015/03/23/kubernetes-gathering-videos/Mon, 23 Mar 2015 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2015/03/23/kubernetes-gathering-videos/<!-- title: " Kubernetes Gathering Videos " date: 2015-03-23 slug: kubernetes-gathering-videos url: /blog/2015/03/Kubernetes-Gathering-Videos --> <!-- If you missed the Kubernetes Gathering in SF last month, fear not! Here are the videos from the evening presentations organized into a playlist on YouTube [](https://www.youtube.com/playlist?list=PL69nYSiGNLP2FBVvSLHpJE8_6hRHW8Kxe) --> <p>如果你错过了上个月在旧金山举行的 Kubernetes 大会，不要害怕!以下是在 YouTube 上组织成播放列表的晚间演示文稿中的视频。</p> <p><a href="https://www.youtube.com/playlist?list=PL69nYSiGNLP2FBVvSLHpJE8_6hRHW8Kxe"><img src="https://img.youtube.com/vi/q8lGZCKktYo/0.jpg" alt="Kubernetes Gathering"></a></p>https://andygol-k8s.netlify.app/zh-cn/blog/2015/03/20/welcome-to-kubernetes-blog/Fri, 20 Mar 2015 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/blog/2015/03/20/welcome-to-kubernetes-blog/<!-- title: Welcome to the Kubernetes Blog! date: 2015-03-20 slug: welcome-to-kubernetes-blog url: /blog/2015/03/Welcome-To-Kubernetes-Blog --> <!-- Welcome to the new Kubernetes Blog. Follow this blog to learn about the Kubernetes Open Source project. We plan to post release notes, how-to articles, events, and maybe even some off topic fun here from time to time. --> <p>欢迎来到新的 Kubernetes 博客。关注此博客，了解 Kubernetes 开源项目。我们计划时不时的发布发布说明，操作方法文章，活动，甚至一些非常有趣的话题。</p> <!-- If you are using Kubernetes or contributing to the project and would like to do a guest post, [please let me know](mailto:kitm@google.com). --> <p>如果您正在使用 Kubernetes 或为该项目做出贡献并想要发帖子，<a href="mailto:kitm@google.com">请告诉我</a>。</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/amadeus/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/amadeus/<div class="banner1"> <h1> CASE STUDY:<img src="https://andygol-k8s.netlify.app/images/amadeus_logo.png" class="header_logo"><br> <div class="subhead">Another Technical Evolution for a 30-Year-Old Company </div></h1> </div> <div class="details"> Company &nbsp;<b>Amadeus IT Group</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location &nbsp;<b>Madrid, Spain</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Industry &nbsp;<b>Travel Technology</b> </div> <hr> <section class="section1"> <div class="cols"> <div class="col1"> <h2>Challenge</h2> In the past few years, Amadeus, which provides IT solutions to the travel industry around the world, found itself in need of a new platform for the 5,000 services supported by its service-oriented architecture. The 30-year-old company operates its own data center in Germany, and there were growing demands internally and externally for solutions that needed to be geographically dispersed. And more generally, "we had objectives of being even more highly available," says Eric Mountain, Senior Expert, Distributed Systems at Amadeus. Among the company’s goals: to increase automation in managing its infrastructure, optimize the distribution of workloads, use data center resources more efficiently, and adopt new technologies more easily. </div> <div class="col2"> <h2>Solution</h2> Mountain has been overseeing the company’s migration to <a href="https://kubernetes.io/">Kubernetes</a>, using <a href="https://www.openshift.org/">OpenShift</a> Container Platform, <a href="https://www.redhat.com/en">Red Hat</a>’s enterprise container platform. <br><br> <h2>Impact</h2> One of the first projects the team deployed in Kubernetes was the Amadeus Airline Cloud Availability solution, which helps manage ever-increasing flight-search volume. "It’s now handling in production several thousand transactions per second, and it’s deployed in multiple data centers throughout the world," says Mountain. "It’s not a migration of an existing workload; it’s a whole new workload that we couldn’t have done otherwise. [This platform] gives us access to market opportunities that we didn’t have before." </div> </div> </section> <div class="banner2"> <div class="banner2text"> "We want multi-data center capabilities, and we want them for our mainstream system as well. We didn’t think that we could achieve them with our existing system. We need new automation, things that Kubernetes and OpenShift bring."<br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>- Eric Mountain, Senior Expert, Distributed Systems at Amadeus IT Group</span> </div> </div> <section class="section2"> <div class="fullcol"> <h2>In his two decades at Amadeus, Eric Mountain has been the migrations guy. </h2> Back in the day, he worked on the company’s move from Unix to Linux, and now he’s overseeing the journey to cloud native. "Technology just keeps changing, and we embrace it," he says. "We are celebrating our 30 years this year, and we continue evolving and innovating to stay cost-efficient and enhance everyone’s travel experience, without interrupting workflows for the customers who depend on our technology."<br><br> That was the challenge that Amadeus—which provides IT solutions to the travel industry around the world, from flight searches to hotel bookings to customer feedback—faced in 2014. The technology team realized it was in need of a new platform for the 5,000 services supported by its service-oriented architecture.<br><br> The tipping point occurred when they began receiving many requests, internally and externally, for solutions that needed to be geographically outside the company’s main data center in Germany. "Some requests were for running our applications on customer premises," Mountain says. "There were also new services we were looking to offer that required response time to the order of a few hundred milliseconds, which we couldn’t achieve with transatlantic traffic. Or at least, not without eating into a considerable portion of the time available to our applications for them to process individual queries."<br><br> More generally, the company was interested in leveling up on high availability, increasing automation in managing infrastructure, optimizing the distribution of workloads and using data center resources more efficiently. "We have thousands and thousands of servers," says Mountain. "These servers are assigned roles, so even if the setup is highly automated, the machine still has a given role. It’s wasteful on many levels. For instance, an application doesn’t necessarily use the machine very optimally. Virtualization can help a bit, but it’s not a silver bullet. If that machine breaks, you still want to repair it because it has that role and you can’t simply say, ‘Well, I’ll bring in another machine and give it that role.’ It’s not fast. It’s not efficient. So we wanted the next level of automation."<br><br> </div> </section> <div class="banner3"> <div class="banner3text"> "We hope that if we build on what others have built, what we do might actually be upstream-able. As Kubernetes and OpenShift progress, we see that we are indeed able to remove some of the additional layers we implemented to compensate for gaps we perceived earlier." </div> </div> <section class="section3"> <div class="fullcol"> While mainly a C++ and Java shop, Amadeus also wanted to be able to adopt new technologies more easily. Some of its developers had started using languages like <a href="https://www.python.org/">Python</a> and databases like <a href="https://www.couchbase.com/">Couchbase</a>, but Mountain wanted still more options, he says, "in order to better adapt our technical solutions to the products we offer, and open up entirely new possibilities to our developers." Working with recent technologies and cool new things would also make it easier to attract new talent. <br><br> All of those needs led Mountain and his team on a search for a new platform. "We did a set of studies and proofs of concept over a fairly short period, and we considered many technologies," he says. "In the end, we were left with three choices: build everything on premise, build on top of <a href="https://kubernetes.io/">Kubernetes</a> whatever happens to be missing from our point of view, or go with <a href="https://www.openshift.com/">OpenShift</a> and build whatever remains there." <br><br> The team decided against building everything themselves—though they’d done that sort of thing in the past—because "people were already inventing things that looked good," says Mountain. <br><br> Ultimately, they went with OpenShift Container Platform, <a href="https://www.redhat.com/en">Red Hat</a>’s Kubernetes-based enterprise offering, instead of building on top of Kubernetes because "there was a lot of synergy between what we wanted and the way Red Hat was anticipating going with OpenShift," says Mountain. "They were clearly developing Kubernetes, and developing certain things ahead of time in OpenShift, which were important to us, such as more security." <br><br> The hope was that those particular features would eventually be built into Kubernetes, and, in the case of security, Mountain feels that has happened. "We realize that there’s always a certain amount of automation that we will probably have to develop ourselves to compensate for certain gaps," says Mountain. "The less we do that, the better for us. We hope that if we build on what others have built, what we do might actually be upstream-able. As Kubernetes and OpenShift progress, we see that we are indeed able to remove some of the additional layers we implemented to compensate for gaps we perceived earlier." </div> </section> <div class="banner4"> <div class="banner4text"> "It’s not a migration of an existing workload; it’s a whole new workload that we couldn’t have done otherwise. [This platform] gives us access to market opportunities that we didn’t have before." </div> </div> <section class="section4"> <div class="fullcol"> The first project the team tackled was one that they knew had to run outside the data center in Germany. Because of the project’s needs, "We couldn’t rely only on the built-in Kubernetes service discovery; we had to layer on top of that an extra service discovery level that allows us to load balance at the operation level within our system," says Mountain. They also built a stream dedicated to monitoring, which at the time wasn’t offered in the Kubernetes or OpenShift ecosystem. Now that <a href="https://www.prometheus.io/">Prometheus</a> and other products are available, Mountain says the company will likely re-evaluate their monitoring system: "We obviously always like to leverage what Kubernetes and OpenShift can offer." <br><br> The second project ended up going into production first: the Amadeus Airline Cloud Availability solution, which helps manage ever-increasing flight-search volume and was deployed in public cloud. Launched in early 2016, it is "now handling in production several thousand transactions per second, and it’s deployed in multiple data centers throughout the world," says Mountain. "It’s not a migration of an existing workload; it’s a whole new workload that we couldn’t have done otherwise. [This platform] gives us access to market opportunities that we didn’t have before." <br><br> Having been through this kind of technical evolution more than once, Mountain has advice on how to handle the cultural changes. "That’s one aspect that we can tackle progressively," he says. "We have to go on supplying our customers with new features on our pre-existing products, and we have to keep existing products working. So we can’t simply do absolutely everything from one day to the next. And we mustn’t sell it that way." <br><br> The first order of business, then, is to pick one or two applications to demonstrate that the technology works. Rather than choosing a high-impact, high-risk project, Mountain’s team selected a smaller application that was representative of all the company’s other applications in its complexity: "We just made sure we picked something that’s complex enough, and we showed that it can be done." </div> </section> <div class="banner5"> <div class="banner5text"> "The bottom line is we want these multi-data center capabilities, and we want them as well for our mainstream system," he says. "And we don’t think that we can implement them with our previous system. We need the new automation, homogeneity, and scale that Kubernetes and OpenShift bring." </div> </div> <section class="section5"> <div class="fullcol"> Next comes convincing people. "On the operations side and on the R&D side, there will be people who say quite rightly, ‘There is a system, and it works, so why change?’" Mountain says. "The only thing that really convinces people is showing them the value." For Amadeus, people realized that the Airline Cloud Availability product could not have been made available on the public cloud with the company’s existing system. The question then became, he says, "Do we go into a full-blown migration? Is that something that is justified?" <br><br> "The bottom line is we want these multi-data center capabilities, and we want them as well for our mainstream system," he says. "And we don’t think that we can implement them with our previous system. We need the new automation, homogeneity, and scale that Kubernetes and OpenShift bring." <br><br> So how do you get everyone on board? "Make sure you have good links between your R&D and your operations," he says. "Also make sure you’re going to talk early on to the investors and stakeholders. Figure out what it is that they will be expecting from you, that will convince them or not, that this is the right way for your company." <br><br> His other advice is simply to make the technology available for people to try it. "Kubernetes and OpenShift Origin are open source software, so there’s no complicated license key for the evaluation period and you’re not limited to 30 days," he points out. "Just go and get it running." Along with that, he adds, "You’ve got to be prepared to rethink how you do things. Of course making your applications as cloud native as possible is how you’ll reap the most benefits: 12 factors, CI/CD, which is continuous integration, continuous delivery, but also continuous deployment." <br><br> And while they explore that aspect of the technology, Mountain and his team will likely be practicing what he preaches to others taking the cloud native journey. "See what happens when you break it, because it’s important to understand the limits of the system," he says. Or rather, he notes, the advantages of it. "Breaking things on Kube is actually one of the nice things about it—it recovers. It’s the only real way that you’ll see that you might be able to do things." </div> </section>https://andygol-k8s.netlify.app/zh-cn/case-studies/ancestry/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/ancestry/<div class="banner1"> <h1> CASE STUDY:<img src="https://andygol-k8s.netlify.app/images/ancestry_logo.png" width="22%" style="margin-bottom:-12px;margin-left:3px;"><br> <div class="subhead">Digging Into the Past With New Technology</div></h1> </div> <div class="details"> Company &nbsp;<b>Ancestry</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location &nbsp;<b>Lehi, Utah</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Industry &nbsp;<b>Internet Company, Online Services</b> </div> <hr> <section class="section1"> <div class="cols"> <div class="col1"> <h2>Challenge</h2> Ancestry, the global leader in family history and consumer genomics, uses sophisticated engineering and technology to help everyone, everywhere discover the story of what led to them. The company has spent more than 30 years innovating and building products and technologies that at their core, result in real and emotional human responses. <a href="https://www.ancestry.com">Ancestry</a> currently serves more than 2.6 million paying subscribers, holds 20 billion historical records, 90 million family trees and more than four million people are in its AncestryDNA network, making it the largest consumer genomics DNA network in the world. The company's popular website, <a href="https://www.ancestry.com">ancestry.com</a>, has been working with big data long before the term was popularized. The site was built on hundreds of services, technologies and a traditional deployment methodology. "It's worked well for us in the past," says Paul MacKay, software engineer and architect at Ancestry, "but had become quite cumbersome in its processing and is time-consuming. As a primarily online service, we are constantly looking for ways to accelerate to be more agile in delivering our solutions and our&nbsp;products." <br> </div> <div class="col2"> <h2>Solution</h2> The company is transitioning to cloud native infrastructure, using <a href="https://www.docker.com">Docker</a> containerization, <a href="https://kubernetes.io">Kubernetes</a> orchestration and <a href="https://prometheus.io">Prometheus</a> for cluster monitoring.<br> <br> <h2>Impact</h2> "Every single product, every decision we make at Ancestry, focuses on delighting our customers with intimate, sometimes life-changing discoveries about themselves and their families," says MacKay. "As the company continues to grow, the increased productivity gains from using Kubernetes has helped Ancestry make customer discoveries faster. With the move to Dockerization for example, instead of taking between 20 to 50 minutes to deploy a new piece of code, we can now deploy in under a minute for much of our code. We’ve truly experienced significant time savings in addition to the various features and benefits from cloud native and Kubernetes-type technologies." </div> </div> </section> <div class="banner2"> <div class="banner2text"> "At a certain point, you have to step back if you're going to push a new technology and get key thought leaders with engineers within the organization to become your champions for new technology adoption. At training sessions, the development teams were always the ones that were saying, 'Kubernetes saved our time tremendously; it's an enabler. It really is incredible.'"<br><br><span style="font-size:16px">- PAUL MACKAY, SOFTWARE ENGINEER AND ARCHITECT AT ANCESTRY</span> </div> </div> <section class="section2"> <div class="fullcol"> <h2>It started with a Shaky Leaf.</h2> Since its introduction a decade ago, the Shaky Leaf icon has become one of Ancestry's signature features, which signals to users that there's a helpful hint you can use to find out more about your family tree.<br><br> So when the company decided to begin moving its infrastructure to cloud native technology, the first service that was launched on <a href="https://kubernetes.io">Kubernetes</a>, the open source platform for managing application containers across clusters of hosts, was this hint system. Think of it as Amazon's recommended products, but instead of recommending products the company recommends records, stories, or familial connections. "It was a very important part of the site," says Ancestry software engineer and architect Paul MacKay, "but also small enough for a pilot project that we knew we could handle in a very appropriate, secure way."<br><br> And when it went live smoothly in early 2016, "our deployment time for this service literally was cut down from 50 minutes to 2 or 5 minutes," MacKay adds. "The development team was just thrilled because we're focused on supplying a great experience for our customers. And that means features, it means stability, it means all those things that we need for a first-in-class type operation."<br><br> The stability of that Shaky Leaf was a signal for MacKay and his team that their decision to embrace cloud native technologies was the right one for the company. With a private data center, Ancestry built its website (which launched in 1996) on hundreds of services and technologies and a traditional deployment methodology. "It worked well for us in the past, but the sum of the legacy systems became quite cumbersome in its processing and was time-consuming," says MacKay. "We were looking for other ways to accelerate, to be more agile in delivering our solutions and our products." </div> </section> <div class="banner3"> <div class="banner3text"> "And when it [Kubernetes] went live smoothly in early 2016, 'our deployment time for this service literally was cut down from 50 minutes to 2 or 5 minutes,' MacKay adds. 'The development team was just thrilled because we're focused on supplying a great experience for our customers. And that means features, it means stability, it means all those things that we need for a first-in-class type operation.'" </div> </div> <section class="section3"> <div class="fullcol"> That need led them in 2015 to explore containerization. Ancestry engineers had already been using technology like <a href="https://www.java.com/en/">Java</a> and <a href="https://www.python.org">Python</a> on Linux, so part of the decision was about making the infrastructure more Linux-friendly. They quickly decided that they wanted to go with Docker for containerization, "but it always comes down to the orchestration part of it to make it really work," says MacKay.<br><br> His team looked at orchestration platforms offered by <a href="https://docs.docker.com/compose/">Docker Compose</a>, <a href="https://mesos.apache.org">Mesos</a> and <a href="https://www.openstack.org/software/">OpenStack</a>, and even started to prototype some homegrown solutions. And then they started hearing rumblings of the imminent release of Kubernetes v1.0. "At the forefront, we were looking at the secret store, so we didn't have to manage that all ourselves, the config maps, the methodology of seamless deployment strategy," he says. "We found that how Kubernetes had done their resources, their types, their labels and just their interface was so much further advanced than the other things we had seen. It was a feature fit."<br><br> <div class="quote"> Plus, MacKay says, "I just believed in the confidence that comes with the history that Google has with containerization. So we started out right on the leading edge of it. And we haven't looked back since."</div><br> Which is not to say that adopting a new technology hasn't come with some challenges. "Change is hard," says MacKay. "Not because the technology is hard or that the technology is not good. It's just that people like to do things like they had done [before]. You have the early adopters and you have those who are coming in later. It was a learning experience on both sides."<br><br> Figuring out the best deployment operations for Ancestry was a big part of the work it took to adopt cloud native infrastructure. "We want to make sure the process is easy and also controlled in the manner that allows us the highest degree of security that we demand and our customers demand," says MacKay. "With Kubernetes and other products, there are some good solutions, but a little bit of glue is needed to bring it into corporate processes and governances. It's like having a set of gloves that are generic, but when you really do want to grab something you have to make it so it's customized to you. That's what we had to do."<br><br> Their best practices include allowing their developers to deploy into development stage and production, but then controlling the aspects that need governance and auditing, such as secrets. They found that having one namespace per service is useful for achieving that containment of secrets and config maps. And for their needs, having one container per pod makes it easier to manage and to have a smaller unit of deployment. <br><br> </div> </section> <div class="banner4"> <div class="banner4text"> "The success of Ancestry's first deployment of the hint system on Kubernetes helped create momentum for greater adoption of the technology." </div> </div> <section class="section4"> <div class="fullcol"> With that process established, the time spent on deployment was cut down to under a minute for some services. "As programmers, we have what's called REPL: read, evaluate, print, and loop, but with Kubernetes, we have CDEL: compile, deploy, execute, and loop," says MacKay. "It's a very quick loop back and a great benefit to understand that when our services are deployed in production, they're the same as what we tested in the pre-production environments. The approach of cloud native for Ancestry provides us a better ability to scale and to accommodate the business needs as work loads occur."<br><br> The success of Ancestry's first deployment of the hint system on Kubernetes helped create momentum for greater adoption of the technology. "Engineers like to code, they like to do features, they don't like to sit around waiting for things to be deployed and worrying about scaling up and out and down," says MacKay. "After a while the engineers became our champions. At training sessions, the development teams were always the ones saying, 'Kubernetes saved our time tremendously; it's an enabler; it really is incredible.' Over time, we were able to convince our management that this was a transition that the industry is making and that we needed to be a part of it."<br><br> A year later, Ancestry has transitioned a good number of applications to Kubernetes. "We have many different services that make up the rich environment that [the website] has from both the DNA side and the family history side," says MacKay. "We have front-end stacks, back-end stacks and back-end processing type stacks that are in the cluster."<br><br> The company continues to weigh which services it will move forward to Kubernetes, which ones will be kept as is, and which will be replaced in the future and thus don't have to be moved over. MacKay estimates that the company is "approaching halfway on those features that are going forward. We don't have to do a lot of convincing anymore. It's more of an issue of timing with getting product management and engineering staff the knowledge and information that they need." </div> </section> <div class="banner5"> <div class="banner5text"> "... 'I believe in Kubernetes. I believe in containerization. I think if we can get there and establish ourselves in that world, we will be further along and far better off being agile and all the things we talk about, and it'll&nbsp;go&nbsp;forward.'" </div> </div> <section class="section5"> <div class="fullcol"> Looking ahead, MacKay sees Ancestry maximizing the benefits of Kubernetes in 2017. "We're very close to having everything that should be or could be in a Linux-friendly world in Kubernetes by the end of the year," he says, adding that he's looking forward to features such as federation and horizontal pod autoscaling that are currently in the works. "Kubernetes has been very wonderful for us and we continue to ride the wave."<br><br> That wave, he points out, has everything to do with the vibrant Kubernetes community, which has grown by leaps and bounds since Ancestry joined it as an early adopter. "This is just a very rough way of judging it, but on Slack in June 2015, there were maybe 500 on there," MacKay says. "The last time I looked there were maybe 8,500 just on the Slack channel. There are so many major companies and different kinds of companies involved now. It's the variety of contributors, the number of contributors, the incredibly competent and friendly community."<br><br> As much as he and his team at Ancestry have benefited from what he calls "the goodness and the technical abilities of many" in the community, they've also contributed information about best practices, logged bug issues and participated in the open source conversation. And they've been active in attending <a href="https://www.meetup.com/Utah-Kubernetes-Meetup/">meetups</a> to help educate and give back to the local tech community in Utah. Says MacKay: "We're trying to give back as far as our experience goes, rather than just code." <br><br>When he meets with companies considering adopting cloud native infrastructure, the best advice he has to give from Ancestry's Kubernetes journey is this: "Start small, but with hard problems," he says. And "you need a patron who understands the vision of containerization, to help you tackle the political as well as other technical roadblocks that can occur when change is needed."<br><br> With the changes that MacKay's team has led over the past year and a half, cloud native will be part of Ancestry's technological genealogy for years to come. MacKay has been such a champion of the technology that he says people have jokingly accused him of having a Kubernetes tattoo.<br><br> "I really don't," he says with a laugh. "But I'm passionate. I'm not exclusive to any technology; I use whatever I need that's out there that makes us great. If it's something else, I'll use it. But right now I believe in Kubernetes. I believe in containerization. I think if we can get there and establish ourselves in that world, we will be further along and far better off being agile and all the things we talk about, and it'll go forward."<br><br> He pauses. "So, yeah, I guess you can say I'm an evangelist for Kubernetes," he says. "But I'm not getting a tattoo!" </div> </section>https://andygol-k8s.netlify.app/zh-cn/case-studies/ant-financial/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/ant-financial/<!-- title: Ant Financial Case Study linkTitle: ant-financial case_study_styles: true cid: caseStudies featured: false new_case_study_styles: true heading_background: /images/case-studies/antfinancial/banner1.jpg heading_title_logo: /images/antfinancial_logo.png subheading: > Ant Financial's Hypergrowth Strategy Using Kubernetes case_study_details: - Company: Ant Financial - Location: Hangzhou, China - Industry: Financial Services --> <!-- <h2>Challenge</h2> <p>Officially founded in October 2014, <a href="https://www.antfin.com/index.htm?locale=en_us">Ant Financial</a> originated from <a href="https://global.alipay.com/">Alipay</a>, the world's largest online payment platform that launched in 2004. The company also offers numerous other services leveraging technology innovation. With the volume of transactions Alipay handles for its 900+ million users worldwide (through its local and global partners)—256,000 transactions per second at the peak of Double 11 Singles Day 2017, and total gross merchandise value of $31 billion for Singles Day 2018—not to mention that of its other services, Ant Financial faces "data processing challenge in a whole new way," says Haojie Hang, who is responsible for Product Management for the Storage and Compute Group. "We see three major problems of operating at that scale: how to provide real-time compute, storage, and processing capability, for instance to make real-time recommendations for fraud detection; how to provide intelligence on top of this data, because there's too much data and then we're not getting enough insight; and how to apply security in the application level, in the middleware level, the system level, even the chip level." In order to provide reliable and consistent services to its customers, Ant Financial embraced containers in early 2014, and soon needed an orchestration solution for the tens-of-thousands-of-node clusters in its data centers.</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/blablacar/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/blablacar/<div class="banner1"> <h1> CASE STUDY:<img src="https://andygol-k8s.netlify.app/images/blablacar_logo.png" class="header_logo"><br /> <div class="subhead">Turning to Containerization to Support Millions of Rideshares</div></h1> </div> <div class="details"> Company &nbsp;<b>BlaBlaCar</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location &nbsp;<b>Paris, France</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Industry &nbsp;<b>Ridesharing Company</b> </div> <hr /> <section class="section1"> <div class="cols"> <div class="col1"> <h2>Challenge</h2> The world’s largest long-distance carpooling community, <a href="https://www.blablacar.com/">BlaBlaCar</a>, connects 40 million members across 22 countries. The company has been experiencing exponential growth since 2012 and needed its infrastructure to keep up. "When you’re thinking about doubling the number of servers, you start thinking, ‘What should I do to be more efficient?’" says Simon Lallemand, Infrastructure Engineer at BlaBlaCar. "The answer is not to hire more and more people just to deal with the servers and installation." The team knew they had to scale the platform, but wanted to stay on their own bare metal servers. <br /> <br /> <h2>Solution</h2> Opting not to shift to cloud virtualization or use a private cloud on their own servers, the BlaBlaCar team became early adopters of containerization, using the CoreOs runtime <a href="https://coreos.com/rkt">rkt</a>, initially deployed using <a href="https://coreos.com/fleet/docs/latest/launching-containers-fleet.html">fleet</a> cluster manager. Last year, the company switched to <a href="https://kubernetes.io/">Kubernetes</a> orchestration, and now also uses <a href="https://prometheus.io/">Prometheus</a> for monitoring. </div> <div class="col2"> <h2>Impact</h2> "Before using containers, it would take sometimes a day, sometimes two, just to create a new service," says Lallemand. "With all the tooling that we made around the containers, copying a new service now is a matter of minutes. It’s really a huge gain. We are better at capacity planning in our data center because we have fewer constraints due to this abstraction between the services and the hardware we run on. For the developers, it also means they can focus only on the features that they’re developing, and not on the infrastructure." </div> </div> </section> <div class="banner2"> <div class="banner2text"> "When you’re switching to this cloud-native model and running everything in containers, you have to make sure that at any moment you can reboot without any downtime and without losing traffic. [With Kubernetes] our infrastructure is much more resilient and we have better availability than before."<br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br />- Simon Lallemand, Infrastructure Engineer at BlaBlaCar</span> </div> </div> <section class="section2"> <div class="fullcol"> <h2>For the 40 million users of <a href="https://www.blablacar.com/">BlaBlaCar</a>, it’s easy to find strangers headed in the same direction to share rides and costs. You can even choose how much "bla bla" chatter you want from a long-distance ride mate.</h2> Behind the scenes, though, the infrastructure was falling woefully behind the rider community’s exponential growth. Founded in 2006, the company hit its current stride around 2012. "Our infrastructure was very traditional," says Infrastructure Engineer Simon Lallemand, who began working at the company in 2014. "In the beginning, it was a bit chaotic because we had to [grow] fast. But then comes the time when you have to design things to make it manageable."<br /><br /> By 2015, the company had about 50 bare metal servers. The team was using a <a href="https://www.mysql.com/">MySQL</a> database and <a href="http://php.net/">PHP</a>, but, Lallemand says, "it was a very static way." They also utilized the configuration management system, <a href="https://www.chef.io/chef/">Chef</a>, but had little automation in its process. "When you’re thinking about doubling the number of servers, you start thinking, ‘What should I do to be more efficient?’" says Lallemand. "The answer is not to hire more and more people just to deal with the servers and installation."<br /><br /> Instead, BlaBlaCar began its cloud-native journey but wasn’t sure which route to take. "We could either decide to go into cloud virtualization or even use a private cloud on our own servers," says Lallemand. "But going into the cloud meant we had to make a lot of changes in our application work, and we were just not ready to make the switch from on premise to the cloud." They wanted to keep the great performance they got on bare metal, so they didn’t want to go to virtualization on premise.<br /><br /> The solution: containerization. This was early 2015 and containers were still relatively new. "It was a bold move at the time," says Lallemand. "We decided that the next servers that we would buy in the new data center would all be the same model, so we could outsource the maintenance of the servers. And we decided to go with containers and with <a href="https://coreos.com/">CoreOS</a> Container Linux as an abstraction for this hardware. It seemed future-proof to go with containers because we could see what companies were already doing with containers." </div> </section> <div class="banner3"> <div class="banner3text"> "With all the tooling that we made around the containers, copying a new service is a matter of minutes. It’s a huge gain. For the developers, it means they can focus only on the features that they’re developing and not on the infrastructure or the hour they would test their code, or the hour that it would get deployed." </div> </div> <section class="section3"> <div class="fullcol"> Next, they needed to choose a runtime for the containers, but "there were very few deployments in production at that time," says Lallemand. They experimented with <a href="https://www.docker.com/">Docker</a> but decided to go with <a href="https://coreos.com/rkt">rkt</a>. Lallemand explains that for BlaBlaCar, it was "much simpler to integrate things that are on rkt." At the time, the project was still pre-v1.0, so "we could speak with the developers of rkt and give them feedback. It was an advantage." Plus, he notes, rkt was very stable, even at this early stage.<br /><br /> Once those decisions were made that summer, the company came up with a plan for implementation. First, they formed a task force to create a workflow that would be tested by three of the 10 members on Lallemand’s team. But they took care to run regular workshops with all 10 members to make sure everyone was on board. "When you’re focused on your product sometimes you forget if it’s really user friendly, whether other people can manage to create containers too," Lallemand says. "So we did a lot of iterations to find a good workflow."<br /><br /> After establishing the workflow, Lallemand says with a smile that "we had this strange idea that we should try the most difficult thing first. Because if it works, it will work for everything." So the first project the team decided to containerize was the database. "Nobody did that at the time, and there were really no existing tools for what we wanted to do, including building container images," he says. So the team created their own tools, such as <a href="https://github.com/blablacar/dgr">dgr</a>, which builds container images so that the whole team has a common framework to build on the same images with the same standards. They also revamped the service-discovery tools <a href="https://github.com/airbnb/nerve">Nerve</a> and <a href="http://airbnb.io/projects/synapse/">Synapse</a>; their versions, <a href="https://github.com/blablacar/go-nerve">Go-Nerve</a> and <a href="https://github.com/blablacar/go-synapse">Go-Synapse</a>, were written in Go and built to be more efficient and include new features. All of these tools were open-sourced.<br /><br /> At the same time, the company was working to migrate its entire platform to containers with a deadline set for Christmas 2015. With all the work being done in parallel, BlaBlaCar was able to get about 80 percent of its production into containers by its deadline with live traffic running on containers during December. (It’s now at 100 percent.) "It’s a really busy time for traffic," says Lallemand. "We knew that by using those new servers with containers, it would help us handle the traffic."<br /><br /> In the middle of that peak season for carpooling, everything worked well. "The biggest impact that we had was for the deployment of new services," says Lallemand. "Before using containers, we had to first deploy a new server and create configurations with Chef. It would take sometimes a day, sometimes two, just to create a new service. And with all the tooling that we made around the containers, copying a new service is a matter of minutes. So it’s really a huge gain. For the developers, it means they can focus only on the features that they’re developing and not on the infrastructure or the hour they would test their code, or the hour that it would get deployed." </div> </section> <div class="banner4"> <div class="banner4text"> "We realized that there was a really strong community around it [Kubernetes], which meant we would not have to maintain a lot of tools of our own," says Lallemand. "It was better if we could contribute to some bigger project like Kubernetes." </div> </div> <section class="section4"> <div class="fullcol"> In order to meet their self-imposed deadline, one of the decisions they made was to not do any "orchestration magic" for containers in the first production alignment. Instead, they used the basic <a href="https://coreos.com/fleet/docs/latest/launching-containers-fleet.html">fleet</a> tool from CoreOS to deploy their containers. (They did build a tool called <a href="https://github.com/blablacar/ggn">GGN</a>, which they’ve open-sourced, to make it more manageable for their system engineers to use.)<br /><br /> Still, the team knew that they’d want more orchestration. "Our tool was doing a pretty good job, but at some point you want to give more autonomy to the developer team," Lallemand says. "We also realized that we don’t want to be the single point of contact for developers when they want to launch new services." By the summer of 2016, they found their answer in <a href="http://kubernetes.io/">Kubernetes</a>, which had just begun supporting rkt implementation.<br /><br /> After discussing their needs with their contacts at CoreOS and Google, they were convinced that Kubernetes would work for BlaBlaCar. "We realized that there was a really strong community around it, which meant we would not have to maintain a lot of tools of our own," says Lallemand. "It was better if we could contribute to some bigger project like Kubernetes." They also started using <a href="https://prometheus.io/">Prometheus</a>, as they were looking for "service-oriented monitoring that could be updated nightly." Production on Kubernetes began in December 2016. "We like to do crazy stuff around Christmas," he adds with a laugh.<br /><br /> BlaBlaCar now has about 3,000 pods, with 1200 of them running on Kubernetes. Lallemand leads a "foundations team" of 25 members who take care of the networks, databases and systems for about 100 developers. There have been some challenges getting to this point. "The rkt implementation is still not 100 percent finished," Lallemand points out. "It’s really good, but there are some features still missing. We have questions about how we do things with stateful services, like databases. We know how we will be migrating some of the services; some of the others are a bit more complicated to deal with. But the Kubernetes community is making a lot of progress on that part."<br /><br /> The team is particularly happy that they’re now able to plan capacity better in the company’s data center. "We have fewer constraints since we have this abstraction between the services and the hardware we run on," says Lallemand. "If we lose a server because there’s a hardware problem on it, we just move the containers onto another server. It’s much more efficient. We do that by just changing a line in the configuration file. And with Kubernetes, it should be automatic, so we would have nothing to do." </div> </section> <div class="banner5"> <div class="banner5text"> "If we lose a server because there’s a hardware problem on it, we just move the containers onto another server. It’s much more efficient. We do that by just changing a line in the configuration file. With Kubernetes, it should be automatic, so we would have nothing to do." </div> </div> <section class="section5"> <div class="fullcol"> And these advances ultimately trickle down to BlaBlaCar’s users. "We have improved availability overall on our website," says Lallemand. "When you’re switching to this cloud-native model with running everything in containers, you have to make sure that you can at any moment reboot a server or a data container without any downtime, without losing traffic. So now our infrastructure is much more resilient and we have better availability than before."<br /><br /> Within BlaBlaCar’s technology department, the cloud-native journey has created some profound changes. Lallemand thinks that the regular meetings during the conception stage and the training sessions during implementation helped. "After that everybody took part in the migration process," he says. "Then we split the organization into different ‘tribes’—teams that gather developers, product managers, data analysts, all the different jobs, to work on a specific part of the product. Before, they were organized by function. The idea is to give all these tribes access to the infrastructure directly in a self-service way without having to ask. These people are really autonomous. They have responsibility of that part of the product, and they can make decisions faster." <br /><br /> This DevOps transformation turned out to be a positive one for the company’s staffers. "The team was very excited about the DevOps transformation because it was new, and we were working to make things more reliable, more future-proof," says Lallemand. "We like doing things that very few people are doing, other than the internet giants." <br /><br /> With these changes already making an impact, BlaBlaCar is looking to split up more and more of its application into services. "I don’t say microservices because they’re not so micro," Lallemand says. "If we can split the responsibilities between the development teams, it would be easier to manage and more reliable, because we can easily add and remove services if one fails. You can handle it easily, instead of adding a big monolith that we still have." <br /><br /> When Lallemand speaks to other European companies curious about what BlaBlaCar has done with its infrastructure, he tells them to come along for the ride. "I tell them that it’s such a pleasure to deal with the infrastructure that we have today compared to what we had before," he says. "They just need to keep in mind their real motive, whether it’s flexibility in development or reliability or so on, and then go step by step towards reaching those objectives. That’s what we’ve done. It’s important not to do technology for the sake of technology. Do it for a purpose. Our focus was on helping the developers." </div> </section>https://andygol-k8s.netlify.app/zh-cn/case-studies/blackrock/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/blackrock/<div class="banner1"> <h1> CASE STUDY: <img src="https://andygol-k8s.netlify.app/images/blackrock_logo.png" class="header_logo"><br> <div class="subhead">Rolling Out Kubernetes in Production in 100 Days</div> </h1> </div> <div class="details"> Company &nbsp;<b>BlackRock</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location &nbsp;<b>New York, NY</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Industry &nbsp;<b>Financial Services</b> </div> <hr> <section class="section1"> <div class="cols"> <div class="col1"> <h2>Challenge</h2> The world’s largest asset manager, <a href="https://www.blackrock.com/investing">BlackRock</a> operates a very controlled static deployment scheme, which has allowed for scalability over the years. But in their data science division, there was a need for more dynamic access to resources. "We want to be able to give every investor access to data science, meaning <a href="https://www.python.org">Python</a> notebooks, or even something much more advanced, like a MapReduce engine based on <a href="https://spark.apache.org">Spark</a>," says Michael Francis, a Managing Director in BlackRock’s Product Group, which runs the company’s investment management platform. "Managing complex Python installations on users’ desktops is really hard because everyone ends up with slightly different environments. We have existing environments that do these things, but we needed to make it real, expansive and scalable. Being able to spin that up on demand, tear it down, make that much more dynamic, became a critical thought process for us. It’s not so much that we had to solve our main core production problem, it’s how do we extend that? How do we evolve?" </div> <div class="col2"> <h2>Solution</h2> Drawing from what they learned during a pilot done last year using <a href="https://www.docker.com">Docker</a> environments, Francis put together a cross-sectional team of 20 to build an investor research web app using <a href="https://kubernetes.io">Kubernetes</a> with the goal of getting it into production within one quarter. <br><br> <h2>Impact</h2> "Our goal was: How do you give people tools rapidly without having to install them on their desktop?" says Francis. And the team hit the goal within 100 days. Francis is pleased with the results and says, "We’re going to use this infrastructure for lots of other application workloads as time goes on. It’s not just data science; it’s this style of application that needs the dynamism. But I think we’re 6-12 months away from making a [large scale] decision. We need to gain experience of running the system in production, we need to understand failure modes and how best to manage operational issues. What’s interesting is that just having this technology there is changing the way our developers are starting to think about their future development." </div> </div> </section> <div class="banner2"> <div class="banner2text"> "My message to other enterprises like us is you can actually integrate Kubernetes into an existing, well-orchestrated machinery. You don’t have to throw out everything you do. And using Kubernetes made a complex problem significantly easier."<br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>- Michael Francis, Managing Director, BlackRock</span> </div> </div> <section class="section2"> <div class="fullcol"> One of the management objectives for BlackRock’s Product Group employees in 2017 was to "build cool stuff." Led by Managing Director Michael Francis, a cross-sectional group of 20 did just that: They rolled out a full production Kubernetes environment and released a new investor research web app on it. In 100 days.<br><br> For a company that’s the world’s largest asset manager, "just equipment procurement can take 100 days sometimes, let alone from inception to delivery," says Karl Wieman, a Senior System Administrator. "It was an aggressive schedule. But it moved the dial." In fact, the project achieved two goals: It solved a business problem (creating the needed web app) as well as provided real-world, in-production experience with Kubernetes, a cloud-native technology that the company was eager to explore. "It’s not so much that we had to solve our main core production problem, it’s how do we extend that? How do we evolve?" says Francis. The ultimate success of this project, beyond delivering the app, lies in the fact that "we’ve managed to integrate a radically new thought process into a controlled infrastructure that we didn’t want to change."<br><br> After all, in its three decades of existence, BlackRock has "a very well-established environment for managing our compute resources," says Francis. "We manage large cluster processes on machines, so we do a lot of orchestration and management for our main production processes in a way that’s very cloudish in concept. We’re able to manage them in a very controlled, static deployment scheme, and that has given us a huge amount of scalability."<br><br> Though that works well for the core production, the company has found that some data science workloads require more dynamic access to resources. "It’s a very bursty process," says Francis, who is head of data for the company’s Aladdin investment management platform division.<br><br> Aladdin, which connects the people, information and technology needed for money management in real time, is used internally and is also sold as a platform to other asset managers and insurance companies. "We want to be able to give every investor access to data science, meaning <a href="https://www.python.org">Python</a> notebooks, or even something much more advanced, like a MapReduce engine based on <a href="https://spark.apache.org">Spark</a>," says Francis. But "managing complex Python installations on users’ desktops is really hard because everyone ends up with slightly different environments. Docker allows us to flatten that environment." </div> </section> <div class="banner3"> <div class="banner3text"> "We manage large cluster processes on machines, so we do a lot of orchestration and management for our main production processes in a way that’s very cloudish in concept. We’re able to manage them in a very controlled, static deployment scheme, and that has given us a huge amount of scalability." </div> </div> <section class="section3"> <div class="fullcol"> Still, challenges remain. "If you have a shared cluster, you get this storming herd problem where everyone wants to do the same thing at the same time," says Francis. "You could put limits on it, but you’d have to build an infrastructure to define limits for our processes, and the Python notebooks weren’t really designed for that. We have existing environments that do these things, but we needed to make it real, expansive, and scalable. Being able to spin that up on demand, tear it down, and make that much more dynamic, became a critical thought process for us."<br><br> Made up of managers from technology, infrastructure, production operations, development and information security, Francis’s team was able to look at the problem holistically and come up with a solution that made sense for BlackRock. "Our initial straw man was that we were going to build everything using <a href="https://www.ansible.com">Ansible</a> and run it all using some completely different distributed environment," says Francis. "That would have been absolutely the wrong thing to do. Had we gone off on our own as the dev team and developed this solution, it would have been a very different product. And it would have been very expensive. We would not have gone down the route of running under our existing orchestration system. Because we don’t understand it. These guys [in operations and infrastructure] understand it. Having the multidisciplinary team allowed us to get to the right solutions and that actually meant we didn’t build anywhere near the amount we thought we were going to end up building."<br><br> In search of a solution in which they could manage usage on a user-by-user level, Francis’s team gravitated to Red Hat’s <a href="https://www.openshift.com">OpenShift</a> Kubernetes offering. The company had already experimented with other cloud-native environments, but the team liked that Kubernetes was open source, and "we felt the winds were blowing in the direction of Kubernetes long term," says Francis. "Typically we make technology choices that we believe are going to be here in 5-10 years’ time, in some form. And right now, in this space, Kubernetes feels like the one that’s going to be there." Adds Uri Morris, Vice President of Production Operations: "When you see that the non-Google committers to Kubernetes overtook the Google committers, that’s an indicator of the momentum."<br><br> Once that decision was made, the major challenge was figuring out how to make Kubernetes work within BlackRock’s existing framework. "It’s about understanding how we can operate, manage and support a platform like this, in addition to tacking it onto our existing technology platform," says Project Manager Michael Maskallis. "All the controls we have in place, the change management process, the software development lifecycle, onboarding processes we go through—how can we do all these things?"<br><br> The first (anticipated) speed bump was working around issues behind BlackRock’s corporate firewalls. "One of our challenges is there are no firewalls in most open source software," says Francis. "So almost all install scripts fail in some bizarre way, and pulling down packages doesn’t necessarily work." The team ran into these types of problems using <a href="https://andygol-k8s.netlify.app/docs/getting-started-guides/minikube/">Minikube</a> and did a few small pushes back to the open source project. </div> </section> <div class="banner4"> <div class="banner4text"> "Typically we make technology choices that we believe are going to be here in 5-10 years’ time, in some form. And right now, in this space, Kubernetes feels like the one that’s going to be there." </div> </div> <section class="section4"> <div class="fullcol"> There were also questions about service discovery. "You can think of Aladdin as a cloud of services with APIs between them that allows us to build applications rapidly," says Francis. "It’s all on a proprietary message bus, which gives us all sorts of advantages but at the same time, how does that play in a third party [platform]?"<br><br> Another issue they had to navigate was that in BlackRock’s existing system, the messaging protocol has different instances in the different development, test and production environments. While Kubernetes enables a more DevOps-style model, it didn’t make sense for BlackRock. "I think what we are very proud of is that the ability for us to push into production is still incredibly rapid in this [new] infrastructure, but we have the control points in place, and we didn’t have to disrupt everything," says Francis. "A lot of the cost of this development was thinking how best to leverage our internal tools. So it was less costly than we actually thought it was going to be."<br><br> The project leveraged tools associated with the messaging bus, for example. "The way that the Kubernetes cluster will talk to our internal messaging platform is through a gateway program, and this gateway program already has built-in checks and throttles," says Morris. "We can use them to control and potentially throttle the requests coming in from Kubernetes’s very elastic infrastructure to the production infrastructure. We’ll continue to go in that direction. It enables us to scale as we need to from the operational perspective."<br><br> The solution also had to be complementary with BlackRock’s centralized operational support team structure. "The core infrastructure components of Kubernetes are hooked into our existing orchestration framework, which means that anyone in our support team has both control and visibility to the cluster using the existing operational tools," Morris explains. "That means that I don’t need to hire more people."<br><br> With those points established, the team created a procedure for the project: "We rolled this out first to a development environment, then moved on to a testing environment and then eventually to two production environments, in that sequential order," says Maskallis. "That drove a lot of our learning curve. We have all these moving parts, the software components on the infrastructure side, the software components with Kubernetes directly, the interconnectivity with the rest of the environment that we operate here at BlackRock, and how we connect all these pieces. If we came across issues, we fixed them, and then moved on to the different environments to replicate that until we eventually ended up in our production environment where this particular cluster is supposed to live."<br><br> The team had weekly one-hour working sessions with all the members (who are located around the world) participating, and smaller breakout or deep-dive meetings focusing on specific technical details. Possible solutions would be reported back to the group and debated the following week. "I think what made it a successful experiment was people had to work to learn, and they shared their experiences with others," says Vice President and Software Developer Fouad Semaan. Then, Francis says, "We gave our engineers the space to do what they’re good at. This hasn’t been top-down." </div> </section> <div class="banner5"> <div class="banner5text"> "The core infrastructure components of Kubernetes are hooked into our existing orchestration framework, which means that anyone in our support team has both control and visibility to the cluster using the existing operational tools. That means that I don’t need to hire more people." </div> </div> <section class="section5"> <div class="fullcol"> They were led by one key axiom: To stay focused and avoid scope creep. This meant that they wouldn’t use features that weren’t in the core of Kubernetes and Docker. But if there was a real need, they’d build the features themselves. Luckily, Francis says, "Because of the rapidity of the development, a lot of things we thought we would have to build ourselves have been rolled into the core product. [The package manager<a href="https://helm.sh"> Helm</a> is one example]. People have similar problems."<br><br> By the end of the 100 days, the app was up and running for internal BlackRock users. The initial capacity of 30 users was hit within hours, and quickly increased to 150. "People were immediately all over it," says Francis. In the next phase of this project, they are planning to scale up the cluster to have more capacity.<br><br> Even more importantly, they now have in-production experience with Kubernetes that they can continue to build on—and a complete framework for rolling out new applications. "We’re going to use this infrastructure for lots of other application workloads as time goes on. It’s not just data science; it’s this style of application that needs the dynamism," says Francis. "Is it the right place to move our core production processes onto? It might be. We’re not at a point where we can say yes or no, but we felt that having real production experience with something like Kubernetes at some form and scale would allow us to understand that. I think we’re 6-12 months away from making a [large scale] decision. We need to gain experience of running the system in production, we need to understand failure modes and how best to manage operational issues."<br><br> For other big companies considering a project like this, Francis says commitment and dedication are key: "We got the signoff from [senior management] from day one, with the commitment that we were able to get the right people. If I had to isolate what makes something complex like this succeed, I would say senior hands-on people who can actually drive it make a huge difference." With that in place, he adds, "My message to other enterprises like us is you can actually integrate Kubernetes into an existing, well-orchestrated machinery. You don’t have to throw out everything you do. And using Kubernetes made a complex problem significantly easier." </div> </section>https://andygol-k8s.netlify.app/zh-cn/case-studies/box/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/box/<div class="banner1"> <h1>CASE STUDY: <img src="https://andygol-k8s.netlify.app/images/box_logo.png" width="10%" style="margin-bottom:-6px"><br> <div class="subhead">An Early Adopter Envisions a New Cloud Platform</div> </h1> </div> <div class="details"> Company &nbsp;<b>Box</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location &nbsp;<b>Redwood City, California</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Industry &nbsp;<b>Technology</b> </div> <hr> <section class="section1"> <div class="cols"> <div class="col1"> <h2>Challenge</h2> Founded in 2005, the enterprise content management company allows its more than 50 million users to manage content in the cloud. <a href="https://www.box.com/home">Box</a> was built primarily with bare metal inside the company’s own data centers, with a monolithic PHP code base. As the company was expanding globally, it needed to focus on "how we run our workload across many different cloud infrastructures from bare metal to public cloud," says Sam Ghods, Cofounder and Services Architect of Box. "It’s been a huge challenge because of different clouds, especially bare metal, have very different interfaces." <br> </div> <div class="col2"> <h2>Solution</h2> Over the past couple of years, Box has been decomposing its infrastructure into microservices, and became an early adopter of, as well as contributor to, <a href="http://kubernetes.io/">Kubernetes</a> container orchestration. Kubernetes, Ghods says, has allowed Box’s developers to "target a universal set of concepts that are portable across all clouds."<br><br> <h2>Impact</h2> "Before Kubernetes," Ghods says, "our infrastructure was so antiquated it was taking us more than six months to deploy a new microservice. Today, a new microservice takes less than five days to deploy. And we’re working on getting it to an hour." </div> </div> </section> <div class="banner2"> <div class="banner2text"> "We looked at a lot of different options, but Kubernetes really stood out....the fact that on day one it was designed to run on bare metal just as well as Google Cloud meant that we could actually migrate to it inside of our data centers, and then use those same tools and concepts to run across public cloud providers as&nbsp;well."<br><br><span style="font-size:15px;letter-spacing:0.08em">- SAM GHOUDS, CO-FOUNDER AND SERVICES ARCHITECT OF BOX</span> </div> </div> <section class="section2"> <div class="fullcol"> <h2>In the summer of 2014, Box was feeling the pain of a decade’s worth of hardware and software infrastructure that wasn’t keeping up with the company’s needs.</h2> A platform that allows its more than 50 million users (including governments and big businesses like <a href="https://www.ge.com/">General Electric</a>) to manage and share content in the cloud, Box was originally a <a href="http://php.net/">PHP</a> monolith of millions of lines of code built exclusively with bare metal inside of its own data centers. It had already begun to slowly chip away at the monolith, decomposing it into microservices. And "as we’ve been expanding into regions around the globe, and as the public cloud wars have been heating up, we’ve been focusing a lot more on figuring out how we run our workload across many different environments and many different cloud infrastructure providers," says Box Cofounder and Services Architect Sam Ghods. "It’s been a huge challenge thus far because of all these different providers, especially bare metal, have very different interfaces and ways in which you work with them."<br><br> Box’s cloud native journey accelerated that June, when Ghods attended <a href="https://www.docker.com/events/dockercon">DockerCon</a>. The company had come to the realization that it could no longer run its applications only off bare metal, and was researching containerizing with Docker, virtualizing with OpenStack, and supporting public cloud.<br><br> At that conference, Google announced the release of its Kubernetes container management system, and Ghods was won over. "We looked at a lot of different options, but Kubernetes really stood out, especially because of the incredibly strong team of <a href="https://research.google/pubs/large-scale-cluster-management-at-google-with-borg/">Borg</a> veterans and the vision of having a completely infrastructure-agnostic way of being able to run cloud software," he says, referencing Google’s internal container orchestrator Borg. "The fact that on day one it was designed to run on bare metal just as well as <a href="https://cloud.google.com/">Google Cloud</a> meant that we could actually migrate to it inside of our data centers, and then use those same tools and concepts to run across public cloud providers as well."<br><br> Another plus: Ghods liked that <a href="https://kubernetes.io/">Kubernetes</a> has a universal set of API objects like pod, service, replica set and deployment object, which created a consistent surface to build tooling against. "Even PaaS layers like <a href="https://www.openshift.com/">OpenShift</a> or <a href="http://deis.io/">Deis</a> that build on top of Kubernetes still treat those objects as first-class principles," he says. "We were excited about having these abstractions shared across the entire ecosystem, which would result in a lot more momentum than we saw in other potential solutions."<br><br> Box deployed Kubernetes in a cluster in a production data center just six months later. Kubernetes was then still pre-beta, on version 0.11. They started small: The very first thing Ghods’s team ran on Kubernetes was a Box API checker that confirms Box is up. "That was just to write and deploy some software to get the whole pipeline functioning," he says. Next came some daemons that process jobs, which was "nice and safe because if they experienced any interruptions, we wouldn’t fail synchronous incoming requests from customers." </div> </section> <div class="banner3"> <div class="banner3text"> "As we’ve been expanding into regions around the globe, and as the public cloud wars have been heating up, we’ve been focusing a lot more on figuring out how we [can have Kubernetes help] run our workload across many different environments and many different cloud infrastructure providers." </div> </div> <section class="section3"> <div class="fullcol"> The first live service, which the team could route to and ask for information, was launched a few months later. At that point, Ghods says, "We were comfortable with the stability of the Kubernetes cluster. We started to port some services over, then we would increase the cluster size and port a few more, and that’s ended up to about 100 servers in each data center that are dedicated purely to Kubernetes. And that’s going to be expanding a lot over the next 12 months, probably too many hundreds if not thousands."<br><br> While observing teams who began to use Kubernetes for their microservices, "we immediately saw an uptick in the number of microservices being released," Ghods&nbsp;notes. "There was clearly a pent-up demand for a better way of building software through microservices, and the increase in agility helped our developers be more productive and make better architectural choices." <br><br><div class="quote">"There was clearly a pent-up demand for a better way of building software through microservices, and the increase in agility helped our developers be more productive and make better architectural choices."</div><br> Ghods reflects that as early adopters, Box had a different journey from what companies experience now. "We were definitely lock step with waiting for certain things to stabilize or features to get released," he says. "In the early days we were doing a lot of contributions [to components such as kubectl apply] and waiting for Kubernetes to release each of them, and then we’d upgrade, contribute more, and go back and forth several times. The entire project took about 18 months from our first real deployment on Kubernetes to having general availability. If we did that exact same thing today, it would probably be no more than six."<br><br> In any case, Box didn’t have to make too many modifications to Kubernetes for it to work for the company. "The vast majority of the work our team has done to implement Kubernetes at Box has been making it work inside of our existing (and often legacy) infrastructure," says Ghods, "such as upgrading our base operating system from RHEL6 to RHEL7 or integrating it into <a href="https://www.nagios.org/">Nagios</a>, our monitoring infrastructure. But overall Kubernetes has been remarkably flexible with fitting into many of our constraints, and we’ve been running it very successfully on our bare metal infrastructure."<br><br> Perhaps the bigger challenge for Box was a cultural one. "Kubernetes, and cloud native in general, represents a pretty big paradigm shift, and it’s not very incremental," Ghods says. "We’re essentially making this pitch that Kubernetes is going to solve everything because it does things the right way and everything is just suddenly better. But it’s important to keep in mind that it’s not nearly as proven as many other solutions out there. You can’t say how long this or that company took to do it because there just aren’t that many yet. Our team had to really fight for resources because our project was a bit of a moonshot." </div> </section> <div class="banner4"> <div class="banner4text"> "The vast majority of the work our team has done to implement Kubernetes at Box has been making it work inside of our existing [and often legacy] infrastructure....overall Kubernetes has been remarkably flexible with fitting into many of our constraints, and we’ve been running it very successfully on our bare metal infrastructure." </div> </div> <section class="section4"> <div class="fullcol"> Having learned from experience, Ghods offers these two pieces of advice for companies going through similar challenges: <h2>1. Deliver early and often.</h2> Service discovery was a huge problem for Box, and the team had to decide whether to build an interim solution or wait for Kubernetes to natively satisfy Box’s unique requirements. After much debate, "we just started focusing on delivering something that works, and then dealing with potentially migrating to a more native solution later," Ghods says. "The above-all-else target for the team should always be to serve real production use cases on the infrastructure, no matter how trivial. This helps keep the momentum going both for the team itself and for the organizational perception of the project." </br></br> <h2>2. Keep an open mind about what your company has to abstract away from developers and what it&nbsp;doesn’t.</h2> Early on, the team built an abstraction on top of Docker files to help ensure that images had the right security updates. This turned out to be superfluous work, since container images are considered immutable and you can easily scan them post-build to ensure they do not contain vulnerabilities. Because managing infrastructure through containerization is such a discontinuous leap, it’s better to start by interacting directly with the native tools and learning their unique advantages and caveats. An abstraction should be built only after a practical need for it arises.</br></br> In the end, the impact has been powerful. "Before Kubernetes," Ghods says, "our infrastructure was so antiquated it was taking us more than six months to deploy a new microservice. Now a new microservice takes less than five days to deploy. And we’re working on getting it to an hour. Granted, much of that six months was due to how broken our systems were, but bare metal is intrinsically a difficult platform to support unless you have a system like Kubernetes to help manage&nbsp;it."</br></br> By Ghods’s estimate, Box is still several years away from his goal of being a 90-plus percent Kubernetes shop. "We’re very far along on having a mission-critical, stable Kubernetes deployment that provides a lot of value," he says. "Right now about five percent of all of our compute runs on Kubernetes, and I think in the next six months we’ll likely be between 20 to 50 percent. We’re working hard on enabling all stateless service use cases, and shift our focus to stateful services after&nbsp;that." </div> </section> <div class="banner5"> <div class="banner5text"> "Ghods predicts that Kubernetes has the opportunity to be the new cloud platform. '...because it’s a never-before-seen level of automation and intelligence surrounding infrastructure that is portable and agnostic to every way you can run your infrastructure.'" </div> </div> <section class="section5"> <div class="fullcol"> In fact, that’s what he envisions across the industry: Ghods predicts that Kubernetes has the opportunity to be the new cloud platform. Kubernetes provides an API consistent across different cloud platforms including bare metal, and "I don’t think people have seen the full potential of what’s possible when you can program against one single interface," he says. "The same way <a href="https://aws.amazon.com/">AWS</a> changed infrastructure so that you don’t have to think about servers or cabinets or networking equipment anymore, Kubernetes enables you to focus exclusively on the containers that you’re running, which is pretty exciting. That’s the vision."</br></br> Ghods points to projects that are already in development or recently released for Kubernetes as a cloud platform: cluster federation, the Dashboard UI, and <a href="https://coreos.com/">CoreOS</a>’s etcd operator. "I honestly believe it’s the most exciting thing I’ve seen in cloud infrastructure," he says, "because it’s a never-before-seen level of automation and intelligence surrounding infrastructure that is portable and agnostic to every way you can run your infrastructure."</br></br> Box, with its early decision to use bare metal, embarked on its Kubernetes journey out of necessity. But Ghods says that even if companies don’t have to be agnostic about cloud providers today, Kubernetes may soon become the industry standard, as more and more tooling and extensions are built around the API.</br></br> "The same way it doesn’t make sense to deviate from Linux because it’s such a standard," Ghods says, "I think Kubernetes is going down the same path. It is still early days—the documentation still needs work and the user experience for writing and publishing specs to the Kubernetes clusters is still rough. When you’re on the cutting edge you can expect to bleed a little. But the bottom line is, this is where the industry is going. Three to five years from now it’s really going to be shocking if you run your infrastructure any other way." </div> </section>https://andygol-k8s.netlify.app/zh-cn/case-studies/capital-one/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/capital-one/<div class="banner1 desktop" style="background-image: url('/images/case-studies/capitalone/banner1.jpg')"> <h1> CASE STUDY:<img src="https://andygol-k8s.netlify.app/images/capitalone-logo.png" style="margin-bottom:-2%" class="header_logo"><br> <div class="subhead">Supporting Fast Decisioning Applications with Kubernetes </div></h1> </div> <div class="details"> Company &nbsp;<b>Capital One</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location &nbsp;<b>McLean, Virginia</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Industry &nbsp;<b>Retail banking</b> </div> <hr> <section class="section1"> <div class="cols"> <div class="col1"> <h2>Challenge</h2> The team set out to build a provisioning platform for <a href="https://www.capitalone.com/">Capital One</a> applications deployed on AWS that use streaming, big-data decisioning, and machine learning. One of these applications handles millions of transactions a day; some deal with critical functions like fraud detection and credit decisioning. The key considerations: resilience and speed—as well as full rehydration of the cluster from base AMIs. <br> <h2>Solution</h2> The decision to run <a href="https://kubernetes.io/">Kubernetes</a> "is very strategic for us," says John Swift, Senior Director Software Engineering. "We use Kubernetes as a substrate or an operating system, if you will. There’s a degree of affinity in our product development." </div> <div class="col2"> <h2>Impact</h2> "Kubernetes is a significant productivity multiplier," says Lead Software Engineer Keith Gasser, adding that to run the platform without Kubernetes would "easily see our costs triple, quadruple what they are now for the amount of pure AWS expense." Time to market has been improved as well: "Now, a team can come to us and we can have them up and running with a basic decisioning app in a fortnight, which before would have taken a whole quarter, if not longer." Deployments increased by several orders of magnitude. Plus, the rehydration/cluster-rebuild process, which took a significant part of a day to do manually, now takes a couple hours with Kubernetes automation and declarative configuration. </div> </div> </section> <div class="banner2"> <div class="banner2text"> <iframe width="560" height="315" src="https://www.youtube.com/embed/UHVW01ksg-s" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe><br><br> "With the scalability, the management, the coordination, Kubernetes really empowers us and gives us more time back than we had before." <span style="font-size:16px;text-transform:uppercase">— Jamil Jadallah, Scrum Master</span> </div> </div> </div> <section class="section2"> <div class="fullcol"> <h2></h2> As a top 10 U.S. retail bank, Capital One has applications that handle millions of transactions a day. Big-data decisioning—for fraud detection, credit approvals and beyond—is core to the business. To support the teams that build applications with those functions for the bank, the cloud team led by Senior Director Software Engineering John Swift embraced Kubernetes for its provisioning platform. "Kubernetes and its entire ecosystem are very strategic for us," says Swift. "We use Kubernetes as a substrate or an operating system, if you will. There’s a degree of affinity in our product development."<br><br> Almost two years ago, the team embarked on this journey by first working with Docker. Then came Kubernetes. "We wanted to put streaming services into Kubernetes as one feature of the workloads for fast decisioning, and to be able to do batch alongside it," says Lead Software Engineer Keith Gasser. "Once the data is streamed and batched, there are so many tool sets in <a href="https://flink.apache.org/">Flink</a> that we use for decisioning. We want to provide the tools in the same ecosystem, in a consistent way, rather than have a large custom snowflake ecosystem where every tool needs its own custom deployment. Kubernetes gives us the ability to bring all of these together, so the richness of the open source and even the license community dealing with big data can be corralled." </div> </section> <div class="banner3" style="background-image: url('/images/case-studies/capitalone/banner3.jpg')"> <div class="banner3text"> "We want to provide the tools in the same ecosystem, in a consistent way, rather than have a large custom snowflake ecosystem where every tool needs its own custom deployment. Kubernetes gives us the ability to bring all of these together, so the richness of the open source and even the license community dealing with big data can be corralled." </div> </div> <section class="section3"> <div class="fullcol"> In this first year, the impact has already been great. "Time to market is really huge for us," says Gasser. "Especially with fraud, you have to be very nimble in the way you respond to threats in the marketplace—being able to add and push new rules, detect new patterns of behavior, detect anomalies in account and transaction flows." With Kubernetes, "a team can come to us and we can have them up and running with a basic decisioning app in a fortnight, which before would have taken a whole quarter, if not longer. Kubernetes is a manifold productivity multiplier."<br><br> Teams now have the tools to be autonomous in their deployments, and as a result, deployments have increased by two orders of magnitude. "And that was with just seven dedicated resources, without needing a whole group sitting there watching everything," says Scrum Master Jamil Jadallah. "That’s a huge cost savings. With the scalability, the management, the coordination, Kubernetes really empowers us and gives us more time back than we had before." </div> </section> <div class="banner4" style="background-image: url('/images/case-studies/capitalone/banner4.jpg')"> <div class="banner4text"> With Kubernetes, "a team can come to us and we can have them up and running with a basic decisioning app in a fortnight, which before would have taken a whole quarter, if not longer. Kubernetes is a manifold productivity multiplier." </div> </div> <section class="section5" style="padding:0px !important"> <div class="fullcol"> Kubernetes has also been a great time-saver for Capital One’s required period "rehydration" of clusters from base AMIs. To minimize the attack vulnerability profile for applications in the cloud, "Our entire clusters get rebuilt from scratch periodically, with new fresh instances and virtual server images that are patched with the latest and greatest security patches," says Gasser. This process used to take the better part of a day, and personnel, to do manually. It’s now a quick Kubernetes job.<br><br> Savings extend to both capital and operating expenses. "It takes very little to get into Kubernetes because it’s all open source," Gasser points out. "We went the DIY route for building our cluster, and we definitely like the flexibility of being able to embrace the latest from the community immediately without waiting for a downstream company to do it. There’s capex related to those licenses that we don’t have to pay for. Moreover, there’s capex savings for us from some of the proprietary software that we get to sunset in our particular domain. So that goes onto our ledger in a positive way as well." (Some of those open source technologies include Prometheus, Fluentd, gRPC, Istio, CNI, and Envoy.) </div> <div class="banner5"> <div class="banner5text"> "If we had to do all of this without Kubernetes, on underlying cloud services, I could easily see our costs triple, quadruple what they are now for the amount of pure AWS expense. That doesn’t account for personnel to deploy and maintain all the additional infrastructure." </div> </div> <div class="fullcol"> And on the opex side, Gasser says, the savings are high. "We run dozens of services, we have scores of pods, many daemon sets, and since we’re data-driven, we take advantage of EBS-backed volume claims for all of our stateful services. If we had to do all of this without Kubernetes, on underlying cloud services, I could easily see our costs triple, quadruple what they are now for the amount of pure AWS expense. That doesn’t account for personnel to deploy and maintain all the additional infrastructure."<br><br> The team is confident that the benefits will continue to multiply—without a steep learning curve for the engineers being exposed to the new technology. "As we onboard additional tenants in this ecosystem, I think the need for folks to understand Kubernetes may not necessarily go up. In fact, I think it goes down, and that’s good," says Gasser. "Because that really demonstrates the scalability of the technology. You start to reap the benefits, and they can concentrate on all the features they need to build for great decisioning in the business— fraud decisions, credit decisions—and not have to worry about, ‘Is my AWS server broken? Is my pod not running?’" </div> </section>https://andygol-k8s.netlify.app/zh-cn/case-studies/cern/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/cern/<div class="banner1" style="background-image: url('/images/case-studies/cern/banner1.jpg')"> <h1> CASE STUDY: CERN<br> <div class="subhead" style="margin-top:1%">CERN: Processing Petabytes of Data More Efficiently with Kubernetes </div></h1> </div> <div class="details"> Company &nbsp;<b>CERN</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location &nbsp;<b>Geneva, Switzerland </b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Industry &nbsp;<b>Particle physics research</b> </div> <hr> <section class="section1"> <div class="cols"> <div class="col1" style="width:100%""> <h2>Challenge</h2> At CERN, the European Organization for Nuclear Research, physicists conduct experiments to learn about fundamental science. In its particle accelerators, "we accelerate protons to very high energy, close to the speed of light, and we make the two beams of protons collide," says CERN Software Engineer Ricardo Rocha. "The end result is a lot of data that we have to process." CERN currently stores 330 petabytes of data in its data centers, and an upgrade of its accelerators expected in the next few years will drive that number up by 10x. Additionally, the organization experiences extreme peaks in its workloads during periods prior to big conferences, and needs its infrastructure to scale to those peaks. "We want to have a more hybrid infrastructure, where we have our on premise infrastructure but can make use of public clouds temporarily when these peaks come up," says Rocha. "We’ve been looking to new technologies that can help improve our efficiency in our infrastructure so that we can dedicate more of our resources to the actual processing of the data." <br><br> <h2>Solution</h2> CERN’s technology team embraced containerization and cloud native practices, choosing Kubernetes for orchestration, Helm for deployment, Prometheus for monitoring, and CoreDNS for DNS resolution inside the clusters. Kubernetes federation has allowed the organization to run some production workloads both on premise and in public clouds. <br><br> <h2>Impact</h2> "Kubernetes gives us the full automation of the application," says Rocha. "It comes with built-in monitoring and logging for all the applications and the workloads that deploy in Kubernetes. This is a massive simplification of our current deployments." The time to deploy a new cluster for a complex distributed storage system has gone from more than 3 hours to less than 15 minutes. Adding new nodes to a cluster used to take more than an hour; now it takes less than 2 minutes. The time it takes to autoscale replicas for system components has decreased from more than an hour to less than 2 minutes. Initially, virtualization gave 20% overhead, but with tuning this was reduced to ~5%. Moving to Kubernetes on bare metal would get this to 0%. Not having to host virtual machines is expected to also get 10% of memory capacity back. </div> </div> </section> <div class="banner2"> <div class="banner2text"> "Kubernetes is something we can relate to very much because it’s naturally distributed. What it gives us is a uniform API across heterogeneous resources to define our workloads. This is something we struggled with a lot in the past when we want to expand our resources outside our infrastructure." <br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>- Ricardo Rocha, Software Engineer, CERN</span> </div> </div> <section class="section2"> <div class="fullcol"> <h2>With a mission of researching fundamental science, and a stable of extremely large machines, the European Organization for Nuclear Research (CERN) operates at what can only be described as hyperscale. </h2> Experiments are conducted in particle accelerators, the biggest of which is 27 kilometers in circumference. "We accelerate protons to very high energy, to close to the speed of light, and we make the two beams of protons collide in well-defined places," says CERN Software Engineer Ricardo Rocha. "We build experiments around these places where we do the collisions. The end result is a lot of data that we have to process."<br><br> And he does mean a lot: CERN currently stores and processes 330 petabytes of data—gathered from 4,300 projects and 3,300 users—using 10,000 hypervisors and 320,000 cores in its data centers. <br><br> Over the years, the CERN technology department has built a large computing infrastructure, based on OpenStack private clouds, to help the organization’s physicists analyze and treat all this data. The organization experiences extreme peaks in its workloads. "Very often, just before conferences, physicists want to do an enormous amount of extra analysis to publish their papers, and we have to scale to these peaks, which means overcommitting resources in some cases," says Rocha. "We want to have a more hybrid infrastructure, where we have our on premise infrastructure but can make use of public clouds temporarily when these peaks come up."<br><br> Additionally, few years ago, CERN announced that it would be doing a big upgrade of its accelerators, which will mean a ten-fold increase in the amount of data that can be collected. "So we’ve been looking to new technologies that can help improve our efficiency in our infrastructure, so that we can dedicate more of our resources to the actual processing of the data," says Rocha. </div> </section> <div class="banner3" style="background-image: url('/images/case-studies/cern/banner3.jpg')"> <div class="banner3text"> "Before, the tendency was always: ‘I need this, I get a couple of developers, and I implement it.’ Right now it’s ‘I need this, I’m sure other people also need this, so I’ll go and ask around.’ The CNCF is a good source because there’s a very large catalog of applications available. It’s very hard right now to justify developing a new product in-house. There is really no real reason to keep doing that. It’s much easier for us to try it out, and if we see it’s a good solution, we try to reach out to the community and start working with that community." <br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>- Ricardo Rocha, Software Engineer, CERN</span> </div> </div> <section class="section3"> <div class="fullcol"> Rocha’s team started looking at Kubernetes and containerization in the second half of 2015. "We’ve been using distributed infrastructures for decades now," says Rocha. "Kubernetes is something we can relate to very much because it’s naturally distributed. What it gives us is a uniform API across heterogeneous resources to define our workloads. This is something we struggled with a lot in the past when we want to expand our resources outside our infrastructure."<br><br> The team created a prototype system for users to deploy their own Kubernetes cluster in CERN’s infrastructure, and spent six months validating the use cases and making sure that Kubernetes integrated with CERN’s internal systems. The main use case is batch workloads, which represent more than 80% of resource usage at CERN. (One single project that does most of the physics data processing and analysis alone consumes 250,000 cores.) "This is something where the investment in simplification of the deployment, logging, and monitoring pays off very quickly," says Rocha. Other use cases include Spark-based data analysis and machine learning to improve physics analysis. "The fact that most of these technologies integrate very well with Kubernetes makes our lives easier," he adds.<br><br> The system went into production in October 2016, also using Helm for deployment, Prometheus for monitoring, and CoreDNS for DNS resolution within the cluster. "One thing that Kubernetes gives us is the full automation of the application," says Rocha. "So it comes with built-in monitoring and logging for all the applications and the workloads that deploy in Kubernetes. This is a massive simplification of our current deployments." The time to deploy a new cluster for a complex distributed storage system has gone from more than 3 hours to less than 15 minutes.<br><br> Adding new nodes to a cluster used to take more than an hour; now it takes less than 2 minutes. The time it takes to autoscale replicas for system components has decreased from more than an hour to less than 2 minutes. </div> </section> <div class="banner4" style="background-image: url('/images/case-studies/cern/banner4.jpg')"> <div class="banner4text"> "With Kubernetes, there’s a well-established technology and a big community that we can contribute to. It allows us to do our physics analysis without having to focus so much on the lower level software. This is just exciting. We are looking forward to keep contributing to the community and collaborating with everyone."<br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>- Ricardo Rocha, Software Engineer, CERN</span> </div> </div> <section class="section5" style="padding:0px !important"> <div class="fullcol"> Rocha points out that the metric used in the particle accelerators may be events per second, but in reality "it’s how fast and how much of the data we can process that actually counts." And efficiency has certainly been improved with Kubernetes. Initially, virtualization gave 20% overhead, but with tuning this was reduced to ~5%. Moving to Kubernetes on bare metal would get this to 0%. Not having to host virtual machines is expected to also get 10% of memory capacity back.<br><br> Kubernetes federation, which CERN has been using for a portion of its production workloads since February 2018, has allowed the organization to adopt a hybrid cloud strategy. And it was remarkably simple to do. "We had a summer intern working on federation," says Rocha. "For many years, I’ve been developing distributed computing software, which took like a decade and a lot of effort from a lot of people to stabilize and make sure it works. And for our intern, in a couple of days he was able to demo to me and my team that we had a cluster at CERN and a few clusters outside in public clouds that were federated together and that we could submit workloads to. This was shocking for us. It really shows the power of using this kind of well-established technologies." <br><br> With such results, adoption of Kubernetes has made rapid gains at CERN, and the team is eager to give back to the community. "If we look back into the ’90s and early 2000s, there were not a lot of companies focusing on systems that have to scale to this kind of size, storing petabytes of data, analyzing petabytes of data," says Rocha. "The fact that Kubernetes is supported by such a wide community and different backgrounds, it motivates us to contribute back." </div> <div class="banner5" > <div class="banner5text"> This means that the physicist can build his or her analysis and publish it in a repository, share it with colleagues, and in 10 years redo the same analysis with new data. If we looked back even 10 years, this was just a dream."<br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>- Ricardo Rocha, Software Engineer, CERN</span></div> </div> <div class="fullcol"> These new technologies aren’t just enabling infrastructure improvements. CERN also uses the Kubernetes-based <a href="https://github.com/recast-hep">Reana/Recast</a> platform for reusable analysis, which is "the ability to define physics analysis as a set of workflows that are fully containerized in one single entry point," says Rocha. "This means that the physicist can build his or her analysis and publish it in a repository, share it with colleagues, and in 10 years redo the same analysis with new data. If we looked back even 10 years, this was just a dream."<br><br> All of these things have changed the culture at CERN considerably. A decade ago, "The tendency was always: ‘I need this, I get a couple of developers, and I implement it,’" says Rocha. "Right now it’s ‘I need this, I’m sure other people also need this, so I’ll go and ask around.’ The CNCF is a good source because there’s a very large catalog of applications available. It’s very hard right now to justify developing a new product in-house. There is really no real reason to keep doing that. It’s much easier for us to try it out, and if we see it’s a good solution, we try to reach out to the community and start working with that community." </div> </section>https://andygol-k8s.netlify.app/zh-cn/case-studies/chinaunicom/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/chinaunicom/<!-- title: China Unicom Case Study linkTitle: chinaunicom case_study_styles: true cid: caseStudies featured: false new_case_study_styles: true heading_background: /images/case-studies/chinaunicom/banner1.jpg heading_title_logo: /images/chinaunicom_logo.png subheading: > China Unicom: How China Unicom Leveraged Kubernetes to Boost Efficiency and Lower IT Costs case_study_details: - Company: China Unicom - Location: Beijing, China - Industry: Telecom --> <!-- <h2>Challenge</h2> <p>China Unicom is one of the top three telecom operators in China, and to serve its 300 million users, the company runs several data centers with thousands of servers in each, using <a href="https://www.docker.com/">Docker</a> containerization and <a href="https://www.vmware.com/">VMWare</a> and <a href="https://www.openstack.org/">OpenStack</a> infrastructure since 2016. Unfortunately, "the resource utilization rate was relatively low," says Chengyu Zhang, Group Leader of Platform Technology R&D, "and we didn't have a cloud platform to accommodate our hundreds of applications." Formerly an entirely state-owned company, China Unicom has in recent years taken private investment from BAT (Baidu, Alibaba, Tencent) and JD.com, and is now focusing on internal development using open source technology, rather than commercial products. As such, Zhang's China Unicom Lab team began looking for open source orchestration for its cloud infrastructure.</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/city-of-montreal/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/city-of-montreal/<div class="banner1" style="background-image: url('/images/case-studies/montreal/banner1.jpg')"> <h1> CASE STUDY:<img src="https://andygol-k8s.netlify.app/images/montreal_logo.png" class="header_logo" style="width:20%;margin-bottom:-1.2%"><br> <div class="subhead" style="margin-top:1%">City of Montréal - How the City of Montréal Is Modernizing Its 30-Year-Old, Siloed&nbsp;Architecture&nbsp;with&nbsp;Kubernetes </div></h1> </div> <div class="details"> Company &nbsp;<b>City of Montréal</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location &nbsp;<b>Montréal, Québec, Canada</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Industry &nbsp;<b>Government</b> </div> <hr> <section class="section1"> <div class="cols"> <div class="col1" style="width:100%""> <h2>Challenge</h2> Like many governments, Montréal has a number of legacy systems, and “we have systems that are older than some developers working here,” says the city’s CTO, Jean-Martin Thibault. “We have mainframes, all flavors of Windows, various flavors of Linux, old and new Oracle systems, Sun servers, all kinds of databases. Like all big corporations, some of the most important systems, like Budget and Human Resources, were developed on mainframes in-house over the past 30 years.” There are over 1,000 applications in all, and most of them were running on different ecosystems. In 2015, a new management team decided to break down those silos, and invest in IT in order to move toward a more integrated governance for the city. They needed to figure out how to modernize the architecture. <h2>Solution</h2> The first step was containerization. The team started with a small Docker farm with four or five servers, with Rancher for providing access to the Docker containers and their logs and Jenkins to deploy. “We based our effort on the new trends; we understood the benefits of immutability and deployments without downtime and such things,” says Solutions Architect Marc Khouzam. They soon realized they needed orchestration as well, and opted for Kubernetes. Says Enterprise Architect Morgan Martinet: “Kubernetes offered concepts on how you would describe an architecture for any kind of application, and based on those concepts, deploy what’s required to run the infrastructure. It was becoming a de facto standard.” <br> <h2>Impact</h2> The time to market has improved drastically, from many months to a few weeks. Deployments went from months to hours. “In the past, you would have to ask for virtual machines, and that alone could take weeks, easily,” says Thibault. “Now you don’t even have to ask for anything. You just create your project and it gets deployed.” Kubernetes has also improved the efficiency of how the city uses its compute resources: “Before, the 200 application components we currently run on Kubernetes would have required hundreds of virtual machines, and now, if we’re talking about a single environment of production, we are able to run them on 8 machines, counting the masters of Kubernetes,” says Martinet. And it’s all done with a small team of just 5 people operating the Kubernetes clusters. </div> </div> </section> <div class="banner2"> <div class="banner2text"> "We realized the limitations of having a non-orchestrated Docker environment. Kubernetes came to the rescue, bringing in all these features that make it a lot easier to manage and give a lot more benefits to the users." <br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>- JEAN-MARTIN THIBAULT, CTO, CITY OF MONTRÉAL</span> </div> </div> <section class="section2"> <div class="fullcol"> <h2>The second biggest municipality in Canada, Montréal has a large number of legacy systems keeping the government running. And while they don’t quite date back to the city’s founding in 1642, “we have systems that are older than some developers working here,” jokes the city’s CTO, Jean-Martin Thibault.</h2> “We have mainframes, all flavors of Windows, various flavors of Linux, old and new Oracle systems, Sun servers, all kinds of databases. Some of the most important systems, like Budget and Human Resources, were developed on mainframes in-house over the past 30 years.” <br><br> In recent years, that fact became a big pain point. There are over 1,000 applications in all, running on almost as many different ecosystems. In 2015, a new city management team decided to break down those silos, and invest in IT in order to move toward a more integrated governance. “The organization was siloed, so as a result the architecture was siloed,” says Thibault. “Once we got integrated into one IT team, we decided to redo an overall enterprise architecture.” <br><br> The first step to modernize the architecture was containerization. “We based our effort on the new trends; we understood the benefits of immutability and deployments without downtime and such things,” says Solutions Architect Marc Khouzam. The team started with a small Docker farm with four or five servers, with Rancher for providing access to the Docker containers and their logs and Jenkins for deployment. </div> </section> <div class="banner3" style="background-image: url('/images/case-studies/montreal/banner3.jpg')"> <div class="banner3text"> "Getting a project running in Kubernetes is entirely dependent on how long you need to program the actual software. It’s no longer dependent on deployment. Deployment is so fast that it’s negligible."<br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>- MARC KHOUZAM, SOLUTIONS ARCHITECT, CITY OF MONTRÉAL</span> </div> </div> <section class="section3"> <div class="fullcol"> But this Docker farm setup had some limitations, including the lack of self-healing and dynamic scaling based on traffic, and the effort required to optimize server resources and scale to multiple instances of the same container. The team soon realized they needed orchestration as well. “Kubernetes came to the rescue,” says Thibault, “bringing in all these features that make it a lot easier to manage and give a lot more benefits to the users.” <br><br> The team had evaluated several orchestration solutions, but Kubernetes stood out because it addressed all of the pain points. (They were also inspired by Yahoo! Japan’s use case, which the team members felt came close to their vision.) “Kubernetes offered concepts on how you would describe an architecture for any kind of application, and based on those concepts, deploy what’s required to run the infrastructure,” says Enterprise Architect Morgan Martinet. “It was becoming a de facto standard. It also promised portability across cloud providers. The choice of Kubernetes now gives us many options such as running clusters in-house or in any IaaS provider, or even using Kubernetes-as-a-service in any of the major cloud providers.” <br><br> Another important factor in the decision was vendor neutrality. “As a government entity, it is essential for us to be neutral in our selection of products and providers,” says Thibault. “The independence of the Cloud Native Computing Foundation from any company provides this.” </div> </section> <div class="banner4" style="background-image: url('/images/case-studies/montreal/banner4.jpg')"> <div class="banner4text"> "Kubernetes has been great. It’s been stable, and it provides us with elasticity, resilience, and robustness. While re-architecting for Kubernetes, we also benefited from the monitoring and logging aspects, with centralized logging, Prometheus logging, and Grafana dashboards. We have enhanced visibility of what’s being deployed." <br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>- MORGAN MARTINET, ENTERPRISE ARCHITECT, CITY OF MONTRÉAL</span> </div> </div> <section class="section5" style="padding:0px !important"> <div class="fullcol"> The Kubernetes implementation began with the deployment of a small cluster using an internal Ansible playbook, which was soon replaced by the Kismatic distribution. Given the complexity they saw in operating a Kubernetes platform, they decided to provide development groups with an automated CI/CD solution based on Helm. “An integrated CI/CD solution on Kubernetes standardized how the various development teams designed and deployed their solutions, but allowed them to remain independent,” says Khouzam. <br><br> During the re-architecting process, the team also added Prometheus for monitoring and alerting, Fluentd for logging, and Grafana for visualization. “We have enhanced visibility of what’s being deployed,” says Martinet. Adds Khouzam: “The big benefit is we can track anything, even things that don’t run inside the Kubernetes cluster. It’s our way to unify our monitoring effort.” <br><br> All together, the cloud native solution has had a positive impact on velocity as well as administrative overhead. With standardization, code generation, automatic deployments into Kubernetes, and standardized monitoring through Prometheus, the time to market has improved drastically, from many months to a few weeks. Deployments went from months and weeks of planning down to hours. “In the past, you would have to ask for virtual machines, and that alone could take weeks to properly provision,” says Thibault. Plus, for dedicated systems, experts often had to be brought in to install them with their own recipes, which could take weeks and months. <br><br> Now, says Khouzam, “we can deploy pretty much any application that’s been Dockerized without any help from anybody. Getting a project running in Kubernetes is entirely dependent on how long you need to program the actual software. It’s no longer dependent on deployment. Deployment is so fast that it’s negligible.” </div> <div class="banner5" > <div class="banner5text"> "We’re working with the market when possible, to put pressure on our vendors to support Kubernetes, because it’s a much easier solution to manage"<br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>- MORGAN MARTINET, ENTERPRISE ARCHITECT, CITY OF MONTRÉAL</span></div> </div> <div class="fullcol"> Kubernetes has also improved the efficiency of how the city uses its compute resources: “Before, the 200 application components we currently run in Kubernetes would have required hundreds of virtual machines, and now, if we’re talking about a single environment of production, we are able to run them on 8 machines, counting the masters of Kubernetes,” says Martinet. And it’s all done with a small team of just five people operating the Kubernetes clusters. Adds Martinet: “It’s a dramatic improvement no matter what you measure.” <br><br> So it should come as no surprise that the team’s strategy going forward is to target Kubernetes as much as they can. “If something can’t run inside Kubernetes, we’ll wait for it,” says Thibault. That means they haven’t moved any of the city’s Windows systems onto Kubernetes, though it’s something they would like to do. “We’re working with the market when possible, to put pressure on our vendors to support Kubernetes, because it’s a much easier solution to manage,” says Martinet. <br><br> Thibault sees a near future where 60% of the city’s workloads are running on a Kubernetes platform—basically any and all of the use cases that they can get to work there. “It’s so much more efficient than the way we used to do things,” he says. “There’s no looking back.” </div> </section>https://andygol-k8s.netlify.app/zh-cn/case-studies/crowdfire/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/crowdfire/<div class="banner1"> <h1> CASE STUDY:<img src="https://andygol-k8s.netlify.app/images/crowdfire_logo.png" class="header_logo"><br> <div class="subhead">How to Keep Iterating a Fast-Growing App With a Cloud-Native Approach</div></h1> </div> <div class="details"> Company &nbsp;<b>Crowdfire</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location &nbsp;<b>Mumbai, India</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Industry &nbsp;<b>Social Media Software</b> </div> <hr> <section class="section1"> <div class="cols"> <div class="col1"> <h2>Challenge</h2> <a href="https://www.crowdfireapp.com/">Crowdfire</a> helps content creators create their content anywhere on the Internet and publish it everywhere else in the right format. Since its launch in 2010, it has grown to 16 million users. The product began as a monolith app running on <a href="https://cloud.google.com/appengine/">Google App Engine</a>, and in 2015, the company began a transformation to microservices running on Amazon Web Services <a href="https://aws.amazon.com/elasticbeanstalk/">Elastic Beanstalk</a>. "It was okay for our use cases initially, but as the number of services, development teams and scale increased, the deploy times, self-healing capabilities and resource utilization started to become problems for us," says Software Engineer Amanpreet Singh, who leads the infrastructure team for Crowdfire.<br> <h2>Solution</h2> "We realized that we needed a more cloud-native approach to deal with these issues," says Singh. The team decided to implement a custom setup of Kubernetes based on <a href="https://www.terraform.io/">Terraform</a> and <a href="https://www.ansible.com/">Ansible</a>. <br> </div> <div class="col2"> <h2>Impact</h2> "Kubernetes has helped us reduce the deployment time from 15 minutes to less than a minute," says Singh. "Due to Kubernetes’s self-healing nature, the operations team doesn’t need to do any manual intervention in case of a node or pod failure." Plus, he says, "Dev-Prod parity has improved since developers can experiment with options in dev/staging clusters, and when it’s finalized, they just commit the config changes in the respective code repositories. These changes automatically get replicated on the production cluster via CI/CD pipelines." </div> </div> </section> <div class="banner2"> <div class="banner2text"> "In the 15 months that we’ve been using Kubernetes, it has been amazing for us. It enabled us to iterate quickly, increase development speed, and continuously deliver new features and bug fixes to our users, while keeping our operational costs and infrastructure management overhead under control."<br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>- Amanpreet Singh, Software Engineer at Crowdfire</span> </div> </div> <section class="section2"> <div class="fullcol"> <h2>"If you build it, they will come."</h2> For most content creators, only half of that movie quote may ring true. Sure, platforms like Wordpress, YouTube and Shopify have made it simple for almost anyone to start publishing new content online, but attracting an audience isn’t as easy. Crowdfire "helps users publish their content to all possible places where their audience exists," says Amanpreet Singh, a Software Engineer at the company based in Mumbai, India. Crowdfire has gained more than 16 million users—from bloggers and artists to makers and small businesses—since its launch in 2010.<br><br> With that kind of growth—and a high demand from users for new features and continuous improvements—the Crowdfire team struggled to keep up behind the scenes. In 2015, they moved their monolith Java application to Amazon Web Services <a href="https://aws.amazon.com/elasticbeanstalk/">Elastic Beanstalk</a> and started breaking it down into microservices.<br><br> It was a good first step, but the team soon realized they needed to go further down the cloud-native path, which would lead them to Kubernetes. "It was okay for our use cases initially, but as the number of services and development teams increased and we scaled further, deploy times, self-healing capabilities and resource utilization started to become problematic," says Singh, who leads the infrastructure team at Crowdfire. "We realized that we needed a more cloud-native approach to deal with these issues."<br><br> As he looked around for solutions, Singh had a checklist of what Crowdfire needed. "We wanted to keep some things separate so they could be shipped independent of other things; this would help remove blockers and let different teams work at their own pace," he says. "We also make a lot of data-driven decisions, so shipping a feature and its iterations quickly was a must."<br><br> Kubernetes checked all the boxes and then some. "One of the best things was the built-in service discovery," he says. "When you have a bunch of microservices that need to call each other, having internal DNS readily available and service IPs and ports automatically set as environment variables help a lot." Plus, he adds, "Kubernetes’s opinionated approach made it easier to get started." </div> </section> <div class="banner3"> <div class="banner3text"> "We realized that we needed a more cloud-native approach to deal with these issues," says Singh. The team decided to implement a custom setup of Kubernetes based on Terraform and Ansible." </div> </div> <section class="section3"> <div class="fullcol"> There was another compelling business reason for the cloud-native approach. "In today’s world of ever-changing business requirements, using cloud native technology provides a variety of options to choose from—even the ability to run services in a hybrid cloud environment," says Singh. "Businesses can keep services in a region closest to the users, and thus benefit from high-availability and resiliency."<br><br> So in February 2016, Singh set up a test Kubernetes cluster using the kube-up scripts provided. "I explored the features and was able to deploy an application pretty easily," he says. "However, it seemed like a black box since I didn’t understand the components completely, and had no idea what the kube-up script did under the hood. So when it broke, it was hard to find the issue and fix it." <br><br> To get a better understanding, Singh dove into the internals of Kubernetes, reading the docs and even some of the code. And he looked to the Kubernetes community for more insight. "I used to stay up a little late every night (a lot of users were active only when it’s night here in India) and would try to answer questions on the Kubernetes community Slack from users who were getting started," he says. "I would also follow other conversations closely. I must admit I was able to avoid a lot of issues in our setup because I knew others had faced the same issues."<br><br> Based on the knowledge he gained, Singh decided to implement a custom setup of Kubernetes based on <a href="https://www.terraform.io/">Terraform</a> and <a href="https://www.ansible.com/">Ansible</a>. "I wrote Terraform to launch Kubernetes master and nodes (Auto Scaling Groups) and an Ansible playbook to install the required components," he says. (The company recently switched to using prebaked <a href="http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html">AMIs</a> to make the node bringup faster, and is planning to change its networking layer.) <br><br> </div> </section> <div class="banner4"> <div class="banner4text"> "Kubernetes helped us reduce the deployment time from 15 minutes to less than a minute. Due to Kubernetes’s self-healing nature, the operations team doesn’t need to do any manual intervention in case of a node or pod failure." </div> </div> <section class="section4"> <div class="fullcol"> First, the team migrated a few staging services from Elastic Beanstalk to the new Kubernetes staging cluster, and then set up a production cluster a month later to deploy some services. The results were convincing. "By the end of March 2016, we established that all the new services must be deployed on Kubernetes," says Singh. "Kubernetes helped us reduce the deployment time from 15 minutes to less than a minute. Due to Kubernetes’s self-healing nature, the operations team doesn’t need to do any manual intervention in case of a node or pod failure." On top of that, he says, "Dev-Prod parity has improved since developers can experiment with options in dev/staging clusters, and when it’s finalized, they just commit the config changes in the respective code repositories. These changes automatically get replicated on the production cluster via CI/CD pipelines. This brings more visibility into the changes being made, and keeping an audit trail."<br><br> Over the next six months, the team worked on migrating all the services from Elastic Beanstalk to Kubernetes, except for the few that were deprecated and would soon be terminated anyway. The services were moved one at a time, and their performance was monitored for two to three days each. Today, "We’re completely migrated and we run all new services on Kubernetes," says Singh. <br><br> The impact has been considerable: With Kubernetes, the company has experienced a 90% cost savings on Elastic Load Balancer, which is now only used for their public, user-facing services. Their EC2 operating expenses have been decreased by as much as 50%.<br><br> All 30 engineers at Crowdfire were onboarded at once. "I gave an internal talk where I shared the basic components and demoed the usage of kubectl," says Singh. "Everyone was excited and happy about using Kubernetes. Developers have more control and visibility into their applications running in production now. Most of all, they’re happy with the low deploy times and self-healing services." <br><br> And they’re much more productive, too. "Where we used to do about 5 deployments per day," says Singh, "now we’re doing 30+ production and 50+ staging deployments almost every day." </div> </section> <div class="banner5"> <div class="banner5text"> The impact has been considerable: With Kubernetes, the company has experienced a 90% cost savings on Elastic Load Balancer, which is now only used for their public, user-facing services. Their EC2 operating expenses have been decreased by as much as 50%. </div> </div> <section class="section5"> <div class="fullcol"> Singh notes that almost all of the engineers interact with the staging cluster on a daily basis, and that has created a cultural change at Crowdfire. "Developers are more aware of the cloud infrastructure now," he says. "They’ve started following cloud best practices like better health checks, structured logs to stdout [standard output], and config via files or environment variables."<br><br> With Crowdfire’s commitment to Kubernetes, Singh is looking to expand the company’s cloud-native stack. The team already uses <a href="https://prometheus.io/">Prometheus</a> for monitoring, and he says he is evaluating <a href="https://linkerd.io/">Linkerd</a> and <a href="https://envoyproxy.github.io/">Envoy Proxy</a> as a way to "get more metrics about request latencies and failures, and handle them better." Other CNCF projects, including <a href="http://opentracing.io/">OpenTracing</a> and <a href="https://grpc.io/">gRPC</a> are also on his radar.<br><br> Singh has found that the cloud-native community is growing in India, too, particularly in Bangalore. "A lot of startups and new companies are starting to run their infrastructure on Kubernetes," he says. <br><br> And when people ask him about Crowdfire’s experience, he has this advice to offer: "Kubernetes is a great piece of technology, but it might not be right for you, especially if you have just one or two services or your app isn’t easy to run in a containerized environment," he says. "Assess your situation and the value that Kubernetes provides before going all in. If you do decide to use Kubernetes, make sure you understand the components that run under the hood and what role they play in smoothly running the cluster. Another thing to consider is if your apps are ‘Kubernetes-ready,’ meaning if they have proper health checks and handle termination signals to shut down gracefully."<br><br> And if your company fits that profile, go for it. Crowdfire clearly did—and is now reaping the benefits. "In the 15 months that we’ve been using Kubernetes, it has been amazing for us," says Singh. "It enabled us to iterate quickly, increase development speed and continuously deliver new features and bug fixes to our users, while keeping our operational costs and infrastructure management overhead under control." </div> </section>https://andygol-k8s.netlify.app/zh-cn/case-studies/daocloud/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/daocloud/<!-- title: DaoCloud Case Study linkTitle: DaoCloud case_study_styles: true cid: caseStudies logo: daocloud_featured_logo.svg css: /css/style_daocloud.css new_case_study_styles: true heading_background: /images/case-studies/daocloud/banner1.jpg heading_title_logo: /images/daocloud-light.svg subheading: > Seek Global Optimal Solutions for Digital World case_study_details: - Company: DaoCloud - Location: Shanghai, China - Industry: Cloud Native --> <!-- <h2>Challenges</h2> --> <h2>挑战</h2> <!-- <p><a href="https://www.daocloud.io/en/">DaoCloud</a>, founded in 2014, is an innovation leader in the field of cloud native. It boasts independent intellectual property rights of core technologies for crafting an open cloud platform to empower the digital transformation of enterprises.</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/apiserver-eventratelimit.v1alpha1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/apiserver-eventratelimit.v1alpha1/<!-- ## Resource Types --> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#eventratelimit-admission-k8s-io-v1alpha1-Configuration">Configuration</a></li> </ul> <h2 id="eventratelimit-admission-k8s-io-v1alpha1-Configuration"><code>Configuration</code></h2> <p> <!-- Configuration provides configuration for the EventRateLimit admission controller. --> Configuration 为 EventRateLimit 准入控制器提供配置数据。 </p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>apiVersion</code><br/>string</td><td><code>eventratelimit.admission.k8s.io/v1alpha1</code></td></tr> <tr><td><code>kind</code><br/>string</td><td><code>Configuration</code></td></tr> <tr><td><code>limits</code> <B><!--[Required]-->[必需]</B><br/> <a href="#eventratelimit-admission-k8s-io-v1alpha1-Limit"><code>[]Limit</code></a> </td> <td> <p> <!-- limits are the limits to place on event queries received. Limits can be placed on events received server-wide, per namespace, per user, and per source+object. At least one limit is required. --> <code>limits</code> 是为所接收到的事件查询设置的限制。可以针对服务器端接收到的事件设置限制， 按逐个名字空间、逐个用户、或逐个来源+对象组合的方式均可以。 至少需要设置一种限制。 </p> </td> </tr> </tbody> </table> <h2 id="eventratelimit-admission-k8s-io-v1alpha1-Limit"><code>Limit</code></h2> <!-- **Appears in:** --> <p><strong>出现在：</strong></p>https://andygol-k8s.netlify.app/zh-cn/case-studies/golfnow/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/golfnow/<div class="banner1"> <h1>CASE STUDY: <img src="https://andygol-k8s.netlify.app/images/golfnow_logo.png" width="20%" style="margin-bottom:-6px"><br> <div class="subhead">Saving Time and Money with Cloud Native Infrastructure</div> </h1> </div> <div class="details"> Company&nbsp;<b>GolfNow</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location&nbsp;<b>Orlando, Florida</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Industry&nbsp;<b>Golf Industry Technology and Services Provider</b> </div> <hr> <section class="section1"> <div class="cols"> <div class="col1"> <h2>Challenge</h2> A member of the <a href="http://www.nbcunicareers.com/our-businesses/nbc-sports-group">NBC Sports Group</a>, <a href="https://www.golfnow.com/">GolfNow</a> is the golf industry’s technology and services leader, managing 10 different products, as well as the largest e-commerce tee time marketplace in the world. As its business began expanding rapidly and globally, GolfNow’s monolithic application became problematic. "We kept growing our infrastructure vertically rather than horizontally, and the cost of doing business became problematic," says Sheriff Mohamed, GolfNow’s Director, Architecture. "We wanted the ability to more easily expand globally." <br> </div> <div class="col2"> <h2>Solution</h2> Turning to microservices and containerization, GolfNow began moving its applications and databases from third-party services to its own clusters running on <a href="https://www.docker.com/">Docker</a> and <a href="https://kubernetes.io/">Kubernetes.</a><br><br> <h2>Impact</h2> The results were immediate. While maintaining the same capacity—and beyond, during peak periods—GolfNow saw its infrastructure costs for the first application virtually cut in half. </div> </div> </section> <div class="banner2"> <div class="banner2text"> "With our growth we obviously needed to expand our infrastructure, and we kept growing vertically rather than horizontally. We were basically wasting money and doubling the cost of our infrastructure."<br><br><span style="font-size:15px;letter-spacing:0.08em">- SHERIFF MOHAMED, DIRECTOR, ARCHITECTURE AT GOLFNOW</span> </div> </div> <section class="section2"> <div class="fullcol"> <h2>It’s not every day that you can say you’ve slashed an operating expense by half.</h2> But Sheriff Mohamed and Josh Chandler did just that when they helped lead their company, <a href="https://www.golfnow.com/">GolfNow</a>, on a journey from a monolithic to a containerized, cloud native infrastructure managed by Kubernetes. <br> <br> A top-performing business within the NBC Sports Group, GolfNow is a technology and services company with the largest tee time marketplace in the world. GolfNow serves 5 million active golfers across 10 different products. In recent years, the business had grown so fast that the infrastructure supporting their giant monolithic application (written in C#.NET and backed by SQL Server database management system) could not keep up. "With our growth we obviously needed to expand our infrastructure, and we kept growing vertically rather than horizontally," says Sheriff, GolfNow’s Director, Architecture. "Our costs were growing exponentially. And on top of that, we had to build a Disaster Recovery (DR) environment, which then meant we’d have to copy exactly what we had in our original data center to another data center that was just the standby. We were basically wasting money and doubling the cost of our infrastructure." <br> <br> In moving just the first of GolfNow’s important applications—a booking engine for golf courses and B2B marketing platform—from third-party services to their own Kubernetes environment, "our bill went down drastically," says Sheriff. <br> <br> The path to those stellar results began in late 2014. In order to support GolfNow’s global growth, the team decided that the company needed to have multiple data centers and the ability to quickly and easily re-route traffic as needed. "From there we knew that we needed to go in a direction of breaking things apart, microservices, and containerization," says Sheriff. "At the time we were trying to get away from <a href="https://www.microsoft.com/net">C#.NET</a> and <a href="https://www.microsoft.com/en-cy/sql-server/sql-server-2016">SQL Server</a> since it didn’t run very well on Linux, where everything container was running smoothly." <br> <br> To that end, the team shifted to working with <a href="https://nodejs.org/">Node.js</a>, the open-source, cross-platform JavaScript runtime environment for developing tools and applications, and <a href="https://www.mongodb.com/">MongoDB</a>, the open-source database program. At the time, <a href="https://www.docker.com/">Docker</a>, the platform for deploying applications in containers, was still new. But once the team began experimenting with it, Sheriff says, "we realized that was the way we wanted to go, especially since that’s the way the industry is heading." </div> </section> <div class="banner3"> <div class="banner3text"> "The team migrated the rest of the application into their Kubernetes cluster. And the impact was immediate: On top of cutting monthly costs by a large percentage, says Sheriff, 'Running at the same capacity and during our peak time, we were able to horizontally grow. Since we were using our VMs more efficiently with containers, we didn’t have to pay extra money at all.'" </div> </div> <section class="section3"> <div class="fullcol"> GolfNow’s dev team ran an "internal, low-key" proof of concept and were won over. "We really liked how easy it was to be able to pass containers around to each other and have them up and running in no time, exactly the way it was running on my machine," says Sheriff. "Because that is always the biggest gripe that Ops has with developers, right? ‘It worked on my machine!’ But then we started getting to the point of, ‘How do we make sure that these things stay up and running?’" <br><br> That led the team on a quest to find the right orchestration system for the company’s needs. Sheriff says the first few options they tried were either too heavy or "didn’t feel quite right." In late summer 2015, they discovered the just-released <a href="https://kubernetes.io/">Kubernetes</a>, which Sheriff immediately liked for its ease of use. "We did another proof of concept," he says, "and Kubernetes won because of the fact that the community backing was there, built on top of what Google had already done." <br><br> But before they could go with Kubernetes, <a href="http://www.nbc.com/">NBC</a>, GolfNow’s parent company, also asked them to comparison shop with another company. Sheriff and his team liked the competing company’s platform user interface, but didn’t like that its platform would not allow containers to run natively on Docker. With no clear decision in sight, Sheriff’s VP at GolfNow, Steve McElwee, set up a three-month trial during which a GolfNow team (consisting of Sheriff and Josh, who’s now Lead Architect, Open Platforms) would build out a Kubernetes environment, and a large NBC team would build out one with the other company’s platform. <br><br> "We spun up the cluster and we tried to get everything to run the way we wanted it to run," Sheriff says. "The biggest thing that we took away from it is that not only did we want our applications to run within Kubernetes and Docker, we also wanted our databases to run there. We literally wanted our entire infrastructure to run within Kubernetes." <br><br> At the time there was nothing in the community to help them get Kafka and MongoDB clusters running within a Kubernetes and Docker environment, so Sheriff and Josh figured it out on their own, taking a full month to get it right. "Everything started rolling from there," Sheriff says. "We were able to get all our applications connected, and we finished our side of the proof of concept a month in advance. My VP was like, ‘Alright, it’s over. Kubernetes wins.’" <br><br> The next step, beginning in January 2016, was getting everything working in production. The team focused first on one application that was already written in Node.js and MongoDB. A booking engine for golf courses and B2B marketing platform, the application was already going in the microservice direction but wasn’t quite finished yet. At the time, it was running in <a href="https://devcenter.heroku.com/articles/mongohq">Heroku Compose</a> and other third-party services—resulting in a large monthly bill. </div> </section> <div class="banner4"> <div class="banner4text"> "'The time I spent actually moving the applications was under 30 seconds! We can move data centers in just incredible amounts of time. If you haven’t come from the Kubernetes world you wouldn’t believe me.' Sheriff puts it in these terms: 'Before Kubernetes I wasn’t sleeping at night, literally. I was woken up all the time, because things were down. After Kubernetes, I’ve been sleeping at night.'" </div> </div> <section class="section4"> <div class="fullcol"> "The goal was to take all of that out and put it within this new platform we’ve created with Kubernetes on <a href="https://cloud.google.com/compute/">Google Compute Engine (GCE)</a>," says Sheriff. "So we ended up building piece by piece, in parallel, what was out in Heroku and Compose, in our Kubernetes cluster. Then, literally, just switched configs in the background. So in Heroku we had the app running hitting a Compose database. We’d take the config, change it and make it hit the database that was running in our cluster." <br><br> Using this procedure, they were able to migrate piecemeal, without any downtime. The first migration was done during off hours, but to test the limits, the team migrated the second database in the middle of the day, when lots of users were running the application. "We did it," Sheriff says, "and again it was successful. Nobody noticed." <br><br> After three weeks of monitoring to make sure everything was running stable, the team migrated the rest of the application into their Kubernetes cluster. And the impact was immediate: On top of cutting monthly costs by a large percentage, says Sheriff, "Running at the same capacity and during our peak time, we were able to horizontally grow. Since we were using our VMs more efficiently with containers, we didn’t have to pay extra money at all." <br><br> Not only were they saving money, but they were also saving time. "I had a meeting this morning about migrating some applications from one cluster to another," says Josh. "I spent about 2 hours explaining the process. The time I spent actually moving the applications was under 30 seconds! We can move data centers in just incredible amounts of time. If you haven’t come from the Kubernetes world you wouldn’t believe me." Sheriff puts it in these terms: "Before Kubernetes I wasn’t sleeping at night, literally. I was woken up all the time, because things were down. After Kubernetes, I’ve been sleeping at night." <br><br> A small percentage of the applications on GolfNow have been migrated over to the Kubernetes environment. "Our Core Team is rewriting a lot of the .NET applications into <a href="https://www.microsoft.com/net/core">.NET Core</a> [which is compatible with Linux and Docker] so that we can run them within containers," says Sheriff. <br><br> Looking ahead, Sheriff and his team want to spend 2017 continuing to build a whole platform around Kubernetes with <a href="https://github.com/drone/drone">Drone</a>, an open-source continuous delivery platform, to make it more developer-centric. "Now they’re able to manage configuration, they’re able to manage their deployments and things like that, making all these subteams that are now creating all these microservices, be self sufficient," he says. "So it can pull us away from applications and allow us to just make sure the cluster is running and healthy, and then actually migrate that over to our Ops team." </div> </section> <div class="banner5"> <div class="banner5text"> "Having gone from complete newbies to production-ready in three months, the GolfNow team is eager to encourage other companies to follow their lead. 'This is The Six Million Dollar Man of the cloud right now,' adds Josh. 'Just try it out, watch it happen. I feel like the proof is in the pudding when you look at these kinds of application stacks. They’re faster, they’re more resilient.'" </div> </div> <section class="section5"> <div class="fullcol"> And long-term, Sheriff has an even bigger goal for getting more people into the Kubernetes fold. "We’re actually trying to make this platform generic enough so that any of our sister companies can use it if they wish," he says. "Most definitely I think it can be used as a model. I think the way we migrated into it, the way we built it out, are all ways that I think other companies can learn from, and should not be afraid of." <br><br> The GolfNow team is also giving back to the Kubernetes community by open-sourcing a bot framework that Josh built. "We noticed that the dashboard user interface is actually moving a lot faster than when we started," says Sheriff. "However we realized what we needed was something that’s more of a bot that really helps us administer Kubernetes as a whole through Slack." Josh explains: "With the Kubernetes-Slack integration, you can essentially hook into a cluster and the issue commands and edit configurations. We’ve tried to simplify the security configuration as much as possible. We hope this will be our major thank you to Kubernetes, for everything you’ve given us." <br><br> Having gone from complete newbies to production-ready in three months, the GolfNow team is eager to encourage other companies to follow their lead. The lessons they’ve learned: "You’ve got to have buy-in from your boss," says Sheriff. "Another big deal is having two to three people dedicated to this type of endeavor. You can’t have people who are half in, half out." And if you don’t have buy-in from the get go, proving it out will get you there. <br><br> "This is The Six Million Dollar Man of the cloud right now," adds Josh. "Just try it out, watch it happen. I feel like the proof is in the pudding when you look at these kinds of application stacks. They’re faster, they’re more resilient." </div> </section>https://andygol-k8s.netlify.app/zh-cn/case-studies/haufegroup/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/haufegroup/<div class="banner1"> <h1> CASE STUDY:<img src="https://andygol-k8s.netlify.app/images/haufegroup_logo.png" class="header_logo"><br> <div class="subhead">Paving the Way for Cloud Native for Midsize Companies</div></h1> </div> <div class="details"> Company &nbsp;<b>Haufe Group</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location &nbsp;<b>Freiburg, Germany</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Industry &nbsp;<b>Media and Software</b> </div> <hr> <section class="section1"> <div class="cols"> <div class="col1"> <h2>Challenge</h2> Founded in 1930 as a traditional publisher, Haufe Group has grown into a media and software company with 95 percent of its sales from digital products. Over the years, the company has gone from having "hardware in the basement" to outsourcing its infrastructure operations and IT. More recently, the development of new products, from Internet portals for tax experts to personnel training software, has created demands for increased speed, reliability and scalability. "We need to be able to move faster," says Solution Architect Martin Danielsson. "Adapting workloads is something that we really want to be able to do." <br> <br> <h2>Solution</h2> Haufe Group began its cloud-native journey when <a href="https://azure.microsoft.com/">Microsoft Azure</a> became available in Europe; the company needed cloud deployments for its desktop apps with bandwidth-heavy download services. "After that, it has been different projects trying out different things," says Danielsson. Two years ago, Holger Reinhardt joined Haufe Group as CTO and rapidly re-oriented the traditional host provider-based approach toward a cloud and API-first strategy. </div> <div class="col2"> A core part of this strategy was a strong mandate to embrace infrastructure-as-code across the entire software deployment lifecycle via Docker. The company is now getting ready to go live with two services in production using <a href="https://kubernetes.io/">Kubernetes</a> orchestration on <a href="https://azure.microsoft.com/">Microsoft Azure</a> and <a href="https://aws.amazon.com/">Amazon Web Services</a>. The team is also working on breaking up one of their core Java Enterprise desktop products into microservices to allow for better evolvability and dynamic scaling in the cloud. <br> <br> <h2>Impact</h2> With the ability to adapt workloads, Danielsson says, teams "will be able to scale down to around half the capacity at night, saving 30 percent of the hardware cost." Plus, shorter release times have had a major impact. "Before, we had to announce at least a week in advance when we wanted to do a release because there was a huge checklist of things that you had to do," he says. "By going cloud native, we have the infrastructure in place to be able to automate all of these things. Now we can get a new release done in half an hour instead of days." </div> </div> </section> <div class="banner2"> <div class="banner2text"> "Over the next couple of years, people won’t even think that much about it when they want to run containers. Kubernetes is going to be the go-to solution."<br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>- Martin Danielsson, Solution Architect, Haufe Group</span> </div> </div> <section class="section2"> <div class="fullcol"> <h2>More than 80 years ago, Haufe Group was founded as a traditional publishing company, printing books and commentary on paper.</h2> By the 1990s, though, the company’s leaders recognized that the future was digital, and to their credit, were able to transform Haufe Group into a media and software business that now gets 95 percent of its sales from digital products. "Among the German companies doing this, we were one of the early adopters," says Martin Danielsson, Solution Architect for Haufe Group.<br><br> And now they’re leading the way for midsize companies embracing cloud-native technology like Kubernetes. "The really big companies like Ticketmaster and Google get it right, and the startups get it right because they’re faster," says Danielsson. "We’re in this big lump of companies in the middle with a lot of legacy, a lot of structure, a lot of culture that does not easily fit the cloud technologies. We’re just 1,500 people, but we have hundreds of customer-facing applications. So we’re doing things that will be relevant for many companies of our size or even smaller."<br><br> Many of those legacy challenges stemmed from simply following the technology trends of the times. "We used to do full DevOps," he says. In the 1990s and 2000s, "that meant that you had your hardware in the basement. And then 10 years ago, the hype of the moment was to outsource application operations, outsource everything, and strip down your IT department to take away the distraction of all these hardware things. That’s not our area of expertise. We didn’t want to be an infrastructure provider. And now comes the backlash of that."<br><br> Haufe Group began feeling the pain as they were developing more new products, from Internet portals for tax experts to personnel training software, that have created demands for increased speed, reliability and scalability. "Right now, we have this break in workflows, where we go from writing concepts to developing, handing it over to production and then handing that over to your host provider," he says. "And then when things go bad we have no clue what went wrong. We definitely want to take back control, and we want to move a lot faster. Adapting workloads is something that we really want to be able to do."<br><br> Those needs led them to explore cloud-native technology. Their first foray into the cloud was doing deployments in <a href="https://azure.microsoft.com/">Microsoft Azure</a>, once it became available in Europe, for desktop products that had built-in download services. Hosting expenses for such bandwidth-heavy services were too high, so the company turned to the cloud. "After that, it has been different projects trying out different things," says Danielsson. </div> </section> <div class="banner3"> <div class="banner3text"> "We have been doing containers for the last two years, and we really got the hang of how they work," says Danielsson. "But it was always for development and test, never in production, because we didn’t fully understand how that would work. And to me, Kubernetes was definitely the technology that solved that." </div> </div> <section class="section3"> <div class="fullcol"> Two years ago, Holger Reinhardt joined Haufe Group as CTO and rapidly re-oriented the traditional host provider-based approach toward a cloud and API-first strategy. A core part of this strategy was a strong mandate to embrace infrastructure-as-code across the entire software deployment lifecycle via Docker. Some experiments went further than others; German regulations about sensitive data proved to be a road block in moving some workloads to Azure and Amazon Web Services. "Due to our history, Germany is really strict with things like personally identifiable data," Danielsson says.<br><br> These experiments took on new life with the arrival of the Azure Sovereign Cloud for Germany (an Azure clone run by the German T-Systems provider). With the availability of Azure.de—which conforms to Germany’s privacy regulations—teams started to seriously consider deploying production loads in Docker into the cloud. "We have been doing containers for the last two years, and we really got the hang of how they work," says Danielsson. "But it was always for development and test, never in production, because we didn’t fully understand how that would work. And to me, Kubernetes was definitely the technology that solved that."<br><br> In parallel, Danielsson had built an API management system with the aim of supporting CI/CD scenarios, aspects of which were missing in off-the-shelf API management products. With a foundation based on <a href="https://getkong.org/">Mashape’s Kong</a> gateway, it is open-sourced as <a href="http://wicked.haufe.io/">wicked.haufe.io</a>. He put wicked.haufe.io to use with his product team.<br><br> Otherwise, Danielsson says his philosophy was "don’t try to reinvent the wheel all the time. Go for what’s there and 99 percent of the time it will be enough. And if you think you really need something custom or additional, think perhaps once or twice again. One of the things that I find so amazing with this cloud-native framework is that everything ties in."<br><br> Currently, Haufe Group is working on two projects using Kubernetes in production. One is a new mobile application for researching legislation and tax laws. "We needed a way to take out functionality from a legacy core and put an application on top of that with an API gateway—a lot of moving parts that screams containers," says Danielsson. So the team moved the build pipeline away from "deploying to some old, huge machine that you could deploy anything to" and onto a Kubernetes cluster where there would be automatic CI/CD "with feature branches and all these things that were a bit tedious in the past." </div> </section> <div class="banner4"> <div class="banner4text"> "Before, we had to announce at least a week in advance when we wanted to do a release because there was a huge checklist of things that you had to do," says Danielsson. "By going cloud native, we have the infrastructure in place to be able to automate all of these things. Now we can get a new release done in half an hour instead of days." </div> </div> <section class="section4"> <div class="fullcol"> It was a proof of concept effort, and the proof was in the pudding. "Everyone was really impressed at what we accomplished in a week," says Danielsson. "We did these kinds of integrations just to make sure that we got a handle on how Kubernetes works. If you can create optimism and buzz around something, it’s half won. And if the developers and project managers know this is working, you’re more or less done." Adds Reinhardt: "You need to create some very visible, quick wins in order to overcome the status quo."<br><br> The impact on the speed of deployment was clear: "Before, we had to announce at least a week in advance when we wanted to do a release because there was a huge checklist of things that you had to do," says Danielsson. "By going cloud native, we have the infrastructure in place to be able to automate all of these things. Now we can get a new release done in half an hour instead of days." <br><br> The potential impact on cost was another bonus. "Hosting applications is quite expensive, so moving to the cloud is something that we really want to be able to do," says Danielsson. With the ability to adapt workloads, teams "will be able to scale down to around half the capacity at night, saving 30 percent of the hardware cost." <br><br> Just as importantly, Danielsson says, there’s added flexibility: "When we try to move or rework applications that are really crucial, it’s often tricky to validate whether the path we want to take is going to work out well. In order to validate that, we would need to reproduce the environment and really do testing, and that’s prohibitively expensive and simply not doable with traditional host providers. Cloud native gives us the ability to do risky changes and validate them in a cost-effective way."<br><br> As word of the two successful test projects spread throughout the company, interest in Kubernetes has grown. "We want to be able to support our developers in running Kubernetes clusters but we’re not there yet, so we allow them to do it as long as they’re aware that they are on their own," says Danielsson. "So that’s why we are also looking at things like [the managed Kubernetes platform] <a href="https://coreos.com/tectonic/">CoreOS Tectonic</a>, <a href="https://azure.microsoft.com/en-us/services/container-service/">Azure Container Service</a>, <a href="https://aws.amazon.com/ecs/">ECS</a>, etc. These kinds of services will be a lot more relevant to midsize companies that want to leverage cloud native but don’t have the IT departments or the structure around that."<br><br> In the next year and a half, Danielsson says the company will be working on moving one of their legacy desktop products, a web app for researching legislation and tax laws originally built in Java Enterprise, onto cloud-native technology. "We’re doing a microservice split out right now so that we can independently deploy the different parts," he says. The main website, which provides free content for customers, is also moving to cloud native. </div> </section> <div class="banner5"> <div class="banner5text"> "the execution of a strategy requires alignment of culture, structure and technology. Only if those three dimensions are aligned can you successfully execute a transformation into microservices and cloud-native architectures. And it is only then that the Cloud will pay the dividends in much faster speeds in product innovation and much lower operational costs." </div> </div> <section class="section5"> <div class="fullcol"> But with these goals, Danielsson believes there are bigger cultural challenges that need to be constantly addressed. The move to new technology, not to mention a shift toward DevOps, means a lot of change for employees. "The roles were rather fixed in the past," he says. "You had developers, you had project leads, you had testers. And now you get into these really, really important things like test automation. Testers aren’t actually doing click testing anymore, and they have to write automated testing. And if you really want to go full-blown CI/CD, all these little pieces have to work together so that you get the confidence to do a check in, and know this check in is going to land in production, because if I messed up, some test is going to break. This is a really powerful thing because whatever you do, whenever you merge something into the trunk or to the master, this is going live. And that’s where you either get the people or they run away screaming." Danielsson understands that it may take some people much longer to get used to the new ways.<br><br> "Culture is nothing that you can force on people," he says. "You have to live it for yourself. You have to evangelize. You have to show the advantages time and time again: This is how you can do it, this is what you get from it." To that end, his team has scheduled daylong workshops for the staff, bringing in outside experts to talk about everything from API to Devops to cloud. <br><br> For every person who runs away screaming, many others get drawn in. "Get that foot in the door and make them really interested in this stuff," says Danielsson. "Usually it catches on. We have people you never would have expected chanting, ‘Docker Docker Docker’ now. It’s cool to see them realize that there is a world outside of their Python libraries. It’s awesome to see them really work with Kubernetes."<br><br> Ultimately, Reinhardt says, "the execution of a strategy requires alignment of culture, structure and technology. Only if those three dimensions are aligned can you successfully execute a transformation into microservices and cloud-native architectures. And it is only then that the Cloud will pay the dividends in much faster speeds in product innovation and much lower operational costs." </div> </section>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/imagepolicy.v1alpha1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/imagepolicy.v1alpha1/<!-- ## Resource Types --> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#imagepolicy-k8s-io-v1alpha1-ImageReview">ImageReview</a></li> </ul> <h2 id="imagepolicy-k8s-io-v1alpha1-ImageReview"><code>ImageReview</code></h2> <p> <!-- ImageReview checks if the set of images in a pod are allowed. --> <code>ImageReview<code> 检查某个 Pod 中是否可以使用某些镜像。 </p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>apiVersion</code><br/>string</td><td><code>imagepolicy.k8s.io/v1alpha1</code></td></tr> <tr><td><code>kind</code><br/>string</td><td><code>ImageReview</code></td></tr> <tr><td><code>metadata</code><br/> <a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#objectmeta-v1-meta"><code>meta/v1.ObjectMeta</code></a> </td> <td> <p> <!-- Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</p> --> 标准的对象元数据。更多信息：https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata </p> <!-- Refer to the Kubernetes API documentation for the fields of the <code>metadata</code> field. --> <p>参阅 Kubernetes API 文档了解 <code>metadata</code> 字段的内容。</p> </td> </tr> <tr><td><code>spec</code> <B><!--Required-->[必需]</B><br/> <a href="#imagepolicy-k8s-io-v1alpha1-ImageReviewSpec"><code>ImageReviewSpec</code></a> </td> <td> <p> <!-- Spec holds information about the pod being evaluated --> <code>spec</code> 中包含与被评估的 Pod 相关的信息。 </p>https://andygol-k8s.netlify.app/zh-cn/case-studies/jd-com/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/jd-com/<h2>Challenge</h2> <p>With more than 300 million active users and total 2017 revenue of more than $55 billion, <a href="https://corporate.JD.com/home">JD.com</a> is China's largest retailer, and its operations are the epitome of hyperscale. For example, there are more than a trillion images in JD.com's product databases—with 100 million being added daily—and this enormous amount of data needs to be instantly accessible. In 2014, JD.com moved its applications to containers running on bare metal machines using OpenStack and Docker to "speed up the delivery of our computing resources and make the operations much simpler," says Haifeng Liu, JD.com's Chief Architect. But by the end of 2015, with tens of thousands of nodes running in multiple data centers, "we encountered a lot of problems because our platform was not strong enough, and we suffered from bottlenecks and scalability issues," says Liu. "We needed infrastructure for the next five years of development, now."</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/apiserver-admission.v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/apiserver-admission.v1/<!-- title: kube-apiserver Admission (v1) content_type: tool-reference package: admission.k8s.io/v1 auto_generated: true --> <!-- ## Resource Types --> <h2 id="资源类型">资源类型</h2> <ul> <li><a href="#admission-k8s-io-v1-AdmissionReview">AdmissionReview</a></li> </ul> <h2 id="admission-k8s-io-v1-AdmissionReview"><code>AdmissionReview</code></h2> <p> <!-- AdmissionReview describes an admission review request/response. --> <code>AdmissionReview</code> 描述准入评审请求/响应。 </p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>apiVersion</code><br/>string</td><td><code>admission.k8s.io/v1</code></td></tr> <tr><td><code>kind</code><br/>string</td><td><code>AdmissionReview</code></td></tr> <tr><td><code>request</code><br/> <a href="#admission-k8s-io-v1-AdmissionRequest"><code>AdmissionRequest</code></a> </td> <td> <p> <!-- request describes the attributes for the admission request. --> <code>request</code> 描述准入请求的属性。 </p> </td> </tr> <tr><td><code>response</code><br/> <a href="#admission-k8s-io-v1-AdmissionResponse"><code>AdmissionResponse</code></a> </td> <td> <p> <!-- response describes the attributes for the admission response. --> <code>response</code> 描述准入响应的属性。 </p> </td> </tr> </tbody> </table> <h2 id="admission-k8s-io-v1-AdmissionRequest"><code>AdmissionRequest</code></h2> <!-- **Appears in:** --> <p><strong>出现在：</strong></p> <ul> <li><a href="#admission-k8s-io-v1-AdmissionReview">AdmissionReview</a></li> </ul> <p> <!-- AdmissionRequest describes the admission.Attributes for the admission request. --> <code>AdmissionRequest</code> 描述准入请求的 admission.Attributes。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/apiserver-audit.v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/apiserver-audit.v1/<!--- title: kube-apiserver Audit Configuration (v1) content_type: tool-reference package: audit.k8s.io/v1 auto_generated: true --> <!-- ## Resource Types --> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#audit-k8s-io-v1-Event">Event</a></li> <li><a href="#audit-k8s-io-v1-EventList">EventList</a></li> <li><a href="#audit-k8s-io-v1-Policy">Policy</a></li> <li><a href="#audit-k8s-io-v1-PolicyList">PolicyList</a></li> </ul> <h2 id="audit-k8s-io-v1-Event"><code>Event</code></h2> <!-- **Appears in:** --> <p><strong>出现在：</strong></p> <ul> <li><a href="#audit-k8s-io-v1-EventList">EventList</a></li> </ul> <p> <!-- Event captures all the information that can be included in an API audit log. --> Event 结构包含可出现在 API 审计日志中的所有信息。 </p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>apiVersion</code><br/>string</td><td><code>audit.k8s.io/v1</code></td></tr> <tr><td><code>kind</code><br/>string</td><td><code>Event</code></td></tr> <tr><td><code>level</code> <B><!--[Required]-->[必需]</B><br/> <a href="#audit-k8s-io-v1-Level"><code>Level</code></a> </td> <td> <p> <!-- AuditLevel at which event was generated --> 生成事件所对应的审计级别。 </p> </td> </tr> <tr><td><code>auditID</code> <B><!--[Required]-->[必需]</B><br/> <a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/types#UID"><code>k8s.io/apimachinery/pkg/types.UID</code></a> </td> <td> <p> <!-- Unique audit ID, generated for each request. --> 为每个请求所生成的唯一审计 ID。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/apiserver-config.v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/apiserver-config.v1/<!-- title: kube-apiserver Configuration (v1) content_type: tool-reference package: apiserver.config.k8s.io/v1 auto_generated: true --> <p> <!-- Package v1 is the v1 version of the API. --> v1 包中包含 API 的 v1 版本。 </p> <!-- ## Resource Types --> <h2 id="资源类型">资源类型</h2> <ul> <li><a href="#apiserver-config-k8s-io-v1-AdmissionConfiguration">AdmissionConfiguration</a></li> <li><a href="#apiserver-config-k8s-io-v1-AuthorizationConfiguration">AuthorizationConfiguration</a></li> <li><a href="#apiserver-config-k8s-io-v1-EncryptionConfiguration">EncryptionConfiguration</a></li> </ul> <h2 id="apiserver-config-k8s-io-v1-AdmissionConfiguration"><code>AdmissionConfiguration</code></h2> <p> <!-- AdmissionConfiguration provides versioned configuration for admission controllers. --> AdmissionConfiguration 为准入控制器提供版本化的配置。 </p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>apiVersion</code><br/>string</td><td><code>apiserver.config.k8s.io/v1</code></td></tr> <tr><td><code>kind</code><br/>string</td><td><code>AdmissionConfiguration</code></td></tr> <tr><td><code>plugins</code><br/> <a href="#apiserver-config-k8s-io-v1-AdmissionPluginConfiguration"><code>[]AdmissionPluginConfiguration</code></a> </td> <td> <p> <!-- Plugins allows specifying a configuration per admission control plugin. --> <code>plugins</code> 字段允许为每个准入控制插件设置配置选项。 </p> </td> </tr> </tbody> </table> <h2 id="apiserver-config-k8s-io-v1-AuthorizationConfiguration"><code>AuthorizationConfiguration</code></h2> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>apiVersion</code><br/>string</td><td><code>apiserver.config.k8s.io/v1</code></td></tr> <tr><td><code>kind</code><br/>string</td><td><code>AuthorizationConfiguration</code></td></tr> <tr><td><code>authorizers</code> <B><!--[Required]-->[必需]</B><br/> <a href="#apiserver-config-k8s-io-v1-AuthorizerConfiguration"><code>[]AuthorizerConfiguration</code></a> </td> <td> <p> <!-- Authorizers is an ordered list of authorizers to authorize requests against. This is similar to the --authorization-modes kube-apiserver flag Must be at least one. --> <code>authorizers</code> 是用于针对请求进行鉴权的鉴权组件的有序列表。 这类似于 <code>--authorization-modes</code> kube-apiserver 标志。 必须至少包含一个元素。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/apiserver-config.v1alpha1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/apiserver-config.v1alpha1/<!-- title: kube-apiserver Configuration (v1alpha1) content_type: tool-reference package: apiserver.k8s.io/v1alpha1 auto_generated: true --> <p> <!-- Package v1alpha1 is the v1alpha1 version of the API. --> 包 v1alpha1 包含 API 的 v1alpha1 版本。 </p> <!-- ## Resource Types --> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#apiserver-k8s-io-v1alpha1-AdmissionConfiguration">AdmissionConfiguration</a></li> <li><a href="#apiserver-k8s-io-v1alpha1-AuthenticationConfiguration">AuthenticationConfiguration</a></li> <li><a href="#apiserver-k8s-io-v1alpha1-AuthorizationConfiguration">AuthorizationConfiguration</a></li> <li><a href="#apiserver-k8s-io-v1alpha1-EgressSelectorConfiguration">EgressSelectorConfiguration</a></li> <li><a href="#apiserver-k8s-io-v1alpha1-TracingConfiguration">TracingConfiguration</a></li> </ul> <h2 id="TracingConfiguration"><code>TracingConfiguration</code></h2> <!-- **Appears in:** --> <p><strong>出现在：</strong></p> <ul> <li> <p><a href="#kubelet-config-k8s-io-v1beta1-KubeletConfiguration">KubeletConfiguration</a></p> </li> <li> <p><a href="#apiserver-k8s-io-v1alpha1-TracingConfiguration">TracingConfiguration</a></p> </li> </ul> <p> <!-- TracingConfiguration provides versioned configuration for OpenTelemetry tracing clients. --> TracingConfiguration 为 OpenTelemetry 跟踪客户端提供了不同版本的配置。 </p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>endpoint</code><br/> <code>string</code> </td> <td> <p> <!-- Endpoint of the collector this component will report traces to. The connection is insecure, and does not currently support TLS. Recommended is unset, and endpoint is the otlp grpc default, localhost:4317. --> 采集器的端点，此组件将向其报告跟踪信息。 连接不安全，目前不支持 TLS。 推荐不设置，端点为 otlp grpc 默认值 localhost:4317。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/apiserver-config.v1beta1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/apiserver-config.v1beta1/<!-- title: kube-apiserver Configuration (v1beta1) content_type: tool-reference package: apiserver.k8s.io/v1beta1 auto_generated: true --> <p> <!-- Package v1beta1 is the v1beta1 version of the API.</p> --> v1beta1 包是 v1beta1 版本的 API。 </p> <!-- ## Resource Types --> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#apiserver-k8s-io-v1beta1-AuthenticationConfiguration">AuthenticationConfiguration</a></li> <li><a href="#apiserver-k8s-io-v1beta1-AuthorizationConfiguration">AuthorizationConfiguration</a></li> <li><a href="#apiserver-k8s-io-v1beta1-EgressSelectorConfiguration">EgressSelectorConfiguration</a></li> <li><a href="#apiserver-k8s-io-v1beta1-TracingConfiguration">TracingConfiguration</a></li> </ul> <h2 id="TracingConfiguration"><code>TracingConfiguration</code></h2> <!-- **Appears in:** --> <p><strong>出现在：</strong></p> <ul> <li> <p><a href="#kubelet-config-k8s-io-v1beta1-KubeletConfiguration">KubeletConfiguration</a></p> </li> <li> <p><a href="#apiserver-k8s-io-v1alpha1-TracingConfiguration">TracingConfiguration</a></p> </li> <li> <p><a href="#apiserver-k8s-io-v1beta1-TracingConfiguration">TracingConfiguration</a></p> </li> </ul> <p> <!-- TracingConfiguration provides versioned configuration for OpenTelemetry tracing clients. --> TracingConfiguration 为 OpenTelemetry 跟踪客户端提供版本化的配置。 </p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>endpoint</code><br/> <code>string</code> </td> <td> <p> <!-- Endpoint of the collector this component will report traces to. The connection is insecure, and does not currently support TLS. Recommended is unset, and endpoint is the otlp grpc default, localhost:4317. --> 采集器的端点，此组件将向其报告跟踪信息。 连接不安全，目前不支持 TLS。 推荐不设置，端点为 otlp grpc 默认值 localhost:4317。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kube-controller-manager-config.v1alpha1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kube-controller-manager-config.v1alpha1/<!-- ## Resource Types --> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#cloudcontrollermanager-config-k8s-io-v1alpha1-CloudControllerManagerConfiguration">CloudControllerManagerConfiguration</a></li> <li><a href="#controllermanager-config-k8s-io-v1alpha1-LeaderMigrationConfiguration">LeaderMigrationConfiguration</a></li> <li><a href="#kubecontrollermanager-config-k8s-io-v1alpha1-KubeControllerManagerConfiguration">KubeControllerManagerConfiguration</a></li> </ul> <h2 id="ClientConnectionConfiguration"><code>ClientConnectionConfiguration</code></h2> <!-- **Appears in:** --> <p><strong>出现在：</strong></p> <ul> <li> <p><a href="#kubescheduler-config-k8s-io-v1-KubeSchedulerConfiguration">KubeSchedulerConfiguration</a></p> </li> <li> <p><a href="#controllermanager-config-k8s-io-v1alpha1-GenericControllerManagerConfiguration">GenericControllerManagerConfiguration</a></p> </li> </ul> <p> <!-- ClientConnectionConfiguration contains details for constructing a client. --> ClientConnectionConfiguration 包含构建客户端的详细信息。 </p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>kubeconfig</code> <B><!--[Required]-->[必需]</B><br/> <code>string</code> </td> <td> <p> <!-- kubeconfig is the path to a KubeConfig file. --> kubeconfig 是指向 KubeConfig 文件的路径。 </p> </td> </tr> <tr><td><code>acceptContentTypes</code> <B><!--[Required]-->[必需]</B><br/> <code>string</code> </td> <td> <p> <!-- acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the default value of 'application/json'. This field will control all connections to the server used by a particular client. --> acceptContentTypes 定义了客户端在连接服务器时发送的 Accept 请求头， 覆盖默认值 application/json。此字段将控制特定客户端与服务器之间的所有连接。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kube-proxy-config.v1alpha1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kube-proxy-config.v1alpha1/<!-- title: kube-proxy Configuration (v1alpha1) content_type: tool-reference package: kubeproxy.config.k8s.io/v1alpha1 auto_generated: true --> <!-- ## Resource Types --> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration">KubeProxyConfiguration</a></li> </ul> <h2 id="FormatOptions"><code>FormatOptions</code></h2> <!-- **Appears in:** --> <p><strong>出现在：</strong></p> <ul> <li><a href="#LoggingConfiguration">LoggingConfiguration</a></li> </ul> <p> <!-- FormatOptions contains options for the different logging formats. --> `FormatOptions` 包含不同日志格式的选项。 </p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>text</code> <B><!--[Required]-->[必需]</B><br/> <a href="#TextOptions"><code>TextOptions</code></a> </td> <td> <p> <!-- [Alpha] Text contains options for logging format &quot;text&quot;. Only available when the LoggingAlphaOptions feature gate is enabled. --> [Alpha] text 包含日志格式 &quot;text&quot; 的选项。 仅在启用了 `LoggingAlphaOptions` 特性门控时可用。 </p> </td> </tr> <tr><td><code>json</code> <B><!--[Required]-->[必需]</B><br/> <a href="#JSONOptions"><code>JSONOptions</code></a> </td> <td> <p> <!-- [Alpha] JSON contains options for logging format &quot;json&quot;. Only available when the LoggingAlphaOptions feature gate is enabled. --> [Alpha] JSON 包含日志格式 &quot;json&quot; 的选项。 仅在启用了 `LoggingAlphaOptions` 特性门控时可用。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kube-scheduler-config.v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kube-scheduler-config.v1/<!-- title: kube-scheduler Configuration (v1) content_type: tool-reference package: kubescheduler.config.k8s.io/v1 auto_generated: true --> <!-- ## Resource Types --> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#kubescheduler-config-k8s-io-v1-DefaultPreemptionArgs">DefaultPreemptionArgs</a></li> <li><a href="#kubescheduler-config-k8s-io-v1-DynamicResourcesArgs">DynamicResourcesArgs</a></li> <li><a href="#kubescheduler-config-k8s-io-v1-InterPodAffinityArgs">InterPodAffinityArgs</a></li> <li><a href="#kubescheduler-config-k8s-io-v1-KubeSchedulerConfiguration">KubeSchedulerConfiguration</a></li> <li><a href="#kubescheduler-config-k8s-io-v1-NodeAffinityArgs">NodeAffinityArgs</a></li> <li><a href="#kubescheduler-config-k8s-io-v1-NodeResourcesBalancedAllocationArgs">NodeResourcesBalancedAllocationArgs</a></li> <li><a href="#kubescheduler-config-k8s-io-v1-NodeResourcesFitArgs">NodeResourcesFitArgs</a></li> <li><a href="#kubescheduler-config-k8s-io-v1-PodTopologySpreadArgs">PodTopologySpreadArgs</a></li> <li><a href="#kubescheduler-config-k8s-io-v1-VolumeBindingArgs">VolumeBindingArgs</a></li> </ul> <h2 id="ClientConnectionConfiguration"><code>ClientConnectionConfiguration</code></h2> <!-- **Appears in:** --> <p><strong>出现在：</strong></p> <ul> <li><a href="#kubescheduler-config-k8s-io-v1-KubeSchedulerConfiguration">KubeSchedulerConfiguration</a></li> </ul> <!-- ClientConnectionConfiguration contains details for constructing a client. --> <p>ClientConnectionConfiguration 中包含用来构造客户端所需的细节。</p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>kubeconfig</code> <B><!--[Required]-->[必需]</B><br/> <code>string</code> </td> <td> <!-- kubeconfig is the path to a KubeConfig file. --> <p><code>kubeconfig</code> 字段为指向 KubeConfig 文件的路径。</p> </td> </tr> <tr><td><code>acceptContentTypes</code> <B><!--[Required]-->[必需]</B><br/> <code>string</code> </td> <td> <p> <!-- acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the default value of 'application/json'. This field will control all connections to the server used by a particular client. --> <code>acceptContentTypes</code> 定义的是客户端与服务器建立连接时要发送的 Accept 头部， 这里的设置值会覆盖默认值 "application/json"。此字段会影响某特定客户端与服务器的所有连接。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kubeadm-config.v1beta4/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kubeadm-config.v1beta4/<!-- title: kubeadm Configuration (v1beta4) content_type: tool-reference package: kubeadm.k8s.io/v1beta4 auto_generated: true --> <!-- <h2>Overview</h2> <p>Package v1beta4 defines the v1beta4 version of the kubeadm configuration file format. This version improves on the v1beta3 format by fixing some minor issues and adding a few new fields.</p> <p>A list of changes since v1beta3:</p> --> <h2>概述</h2> <p>v1beta4 包定义 v1beta4 版本的 kubeadm 配置文件格式。 此版本改进了 v1beta3 的格式，修复了一些小问题并添加了一些新的字段。</p> <p>从 v1beta3 版本以来的变更列表：</p> <!-- <ul> <li>TODO https://github.com/kubernetes/kubeadm/issues/2890</li> <li>Support custom environment variables in control plane components under <code>ClusterConfiguration</code>. Use <code>APIServer.ExtraEnvs</code>, <code>ControllerManager.ExtraEnvs</code>, <code>Scheduler.ExtraEnvs</code>, <code>Etcd.Local.ExtraEnvs</code>.</li> <li>The <code>ResetConfiguration</code> API type is now supported in v1beta4. Users are able to reset a node by passing a <code>--config</code> file to <code>kubeadm reset</code>.</li> </ul> --> <ul> <li>TODO https://github.com/kubernetes/kubeadm/issues/2890</li> <li>使用 <code>APIServer.ExtraEnvs</code>、<code>ControllerManager.ExtraEnvs</code>、 <code>Scheduler.ExtraEnvs</code>、<code>Etcd.Local.ExtraEnvs</code>。 支持在 <code>ClusterConfiguration</code> 下控制平面组件中的定制环境变量。</li> <li><code>ResetConfiguration</code> API 类型在 v1beta4 中已得到支持。 用户可以为 <code>kubeadm reset</code> 指定 <code>--config</code> 文件来重置节点。</li> </ul> <!-- <h1>Migration from old kubeadm config versions</h1> <ul> <li>kubeadm v1.15.x and newer can be used to migrate from v1beta1 to v1beta2.</li> <li>kubeadm v1.22.x and newer no longer support v1beta1 and older APIs, but can be used to migrate v1beta2 to v1beta3.</li> <li>kubeadm v1.27.x and newer no longer support v1beta2 and older APIs.</li> <li>TODO: https://github.com/kubernetes/kubeadm/issues/2890 add version that can be used to convert to v1beta4</li> </ul> --> <h1>kubeadm 配置版本迁移</h1> <ul> <li>kubeadm v1.15.x 及更高版本可用于从 v1beta1 迁移到 v1beta2。</li> <li>kubeadm v1.22.x 及更高版本不再支持 v1beta1 和更早的 API，但可用于从 v1beta2 迁移到 v1beta3。</li> <li>kubeadm v1.27.x 及更高版本不再支持 v1beta2 和更早的 API。</li> <li>TODO: https://github.com/kubernetes/kubeadm/issues/2890 添加可用于转换到 v1beta4 的版本</li> </ul> <!-- <h2>Basics</h2> <p>The preferred way to configure kubeadm is to pass an YAML configuration file with the `--config“ option. Some of the configuration options defined in the kubeadm config file are also available as command line flags, but only the most common/simple use case are supported with this approach.</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kubeadm-config.v1beta3/<!-- title: kubeadm Configuration (v1beta3) content_type: tool-reference package: kubeadm.k8s.io/v1beta3 auto_generated: true --> <!-- <h2>Overview</h2> <p>Package v1beta3 defines the v1beta3 version of the kubeadm configuration file format. This version improves on the v1beta2 format by fixing some minor issues and adding a few new fields.</p> <p>A list of changes since v1beta2:</p> --> <h2>概述</h2> <p>v1beta3 包定义 v1beta3 版本的 kubeadm 配置文件格式。 此版本改进了 v1beta2 的格式，修复了一些小问题并添加了一些新的字段。</p> <p>从 v1beta2 版本以来的变更列表：</p> <!-- <ul> <li>The deprecated &quot;ClusterConfiguration.useHyperKubeImage&quot; field has been removed. Kubeadm no longer supports the hyperkube image.</li> <li>The &quot;ClusterConfiguration.dns.Type&quot; field has been removed since CoreDNS is the only supported DNS server type by kubeadm.</li> <li>Include &quot;datapolicy&quot; tags on the fields that hold secrets. This would result in the field values to be omitted when API structures are printed with klog.</li> <li>Add &quot;InitConfiguration.skipPhases&quot;, &quot;JoinConfiguration.skipPhases&quot; to allow skipping a list of phases during kubeadm init/join command execution.</li> --> <ul> <li>已弃用的字段 &quot;ClusterConfiguration.useHyperKubeImage&quot; 现在被移除。 kubeadm 不再支持 hyperkube 镜像。</li> <li>&quot;ClusterConfiguration.dns.type&quot; 字段已经被移除，因为 CoreDNS 是 kubeadm 所支持的唯一 DNS 服务器类型。</li> <li>保存 Secret 信息的字段现在包含了 &quot;datapolicy&quot; 标记（tag）。 这一标记会导致 API 结构通过 klog 打印输出时，会忽略这些字段的值。</li> <li>添加了 &quot;InitConfiguration.skipPhases&quot;、&quot;JoinConfiguration.skipPhases&quot;， 以允许在执行 <code>kubeadm init/join</code> 命令时略过某些阶段。</li> <!-- <li>Add &quot;InitConfiguration.nodeRegistration.imagePullPolicy&quot; and &quot;JoinConfiguration.nodeRegistration.imagePullPolicy&quot; to allow specifying the images pull policy during kubeadm &quot;init&quot; and &quot;join&quot;. The value must be one of &quot;Always&quot;, &quot;Never&quot; or &quot;IfNotPresent&quot;. &quot;IfNotPresent&quot; is the default, which has been the existing behavior prior to this addition.</li> <li>Add &quot;InitConfiguration.patches.directory&quot;, &quot;JoinConfiguration.patches.directory&quot; to allow the user to configure a directory from which to take patches for components deployed by kubeadm.</li> <li>Move the BootstrapToken* API and related utilities out of the &quot;kubeadm&quot; API group to a new group &quot;bootstraptoken&quot;. The kubeadm API version v1beta3 no longer contains the BootstrapToken* structures.</li> --> <li>添加了 &quot;InitConfiguration.nodeRegistration.imagePullPolicy&quot; 和 &quot;JoinConfiguration.nodeRegistration.imagePullPolicy&quot; 以允许在 <code>kubeadm init</code> 和 <code>kubeadm join</code> 期间指定镜像拉取策略。 这两个字段的值必须是 &quot;Always&quot;、&quot;Never&quot; 或 &quot;IfNotPresent&quot 之一。 默认值是 &quot;IfNotPresent&quot;，也是添加此字段之前的默认行为。</li> <li>添加了 &quot;InitConfiguration.patches.directory&quot; 和 &quot;JoinConfiguration.patches.directory&quot; 以允许用户配置一个目录， kubeadm 将从该目录中提取组件的补丁包。</li> <li>BootstrapToken* API 和相关的工具被从 &quot;kubeadm&quot; API 组中移出， 放到一个新的 &quot;bootstraptoken&quot; 组中。kubeadm API 版本 v1beta3 不再包含 BootstrapToken* 结构。</li> </ul> <!-- <p>Migration from old kubeadm config versions</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kubeconfig.v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kubeconfig.v1/<!-- title: kubeconfig (v1) content_type: tool-reference package: v1 auto_generated: true --> <!-- ## Resource Types --> <h2 id="资源类型">资源类型</h2> <ul> <li><a href="#Config">Config</a></li> </ul> <h2 id="Config"><code>Config</code></h2> <!-- Config holds the information needed to build connect to remote kubernetes clusters as a given user --> <p>Config 保存以给定用户身份构建连接到远程 Kubernetes 集群所需的信息 </p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>apiVersion</code><br/>string</td><td><code>/v1</code></td></tr> <tr><td><code>kind</code><br/>string</td><td><code>Config</code></td></tr> <tr><td><code>kind</code><br/> <code>string</code> </td> <td> <p> <!-- Legacy field from pkg/api/types.go TypeMeta.TODO(jlowdermilk): remove this after eliminating downstream dependencies. --> 来自 pkg/api/types.go TypeMeta 的遗留字段。 </p> </td> </tr> <tr><td><code>apiVersion</code><br/> <code>string</code> </td> <td> <p> <!-- Legacy field from pkg/api/types.go TypeMeta. TODO(jlowdermilk): remove this after eliminating downstream dependencies. --> 来自 pkg/api/types.go TypeMeta 的遗留字段。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kubelet-credentialprovider.v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kubelet-credentialprovider.v1/<!-- title: Kubelet CredentialProvider (v1) content_type: tool-reference package: credentialprovider.kubelet.k8s.io/v1 auto_generated: true --> <!-- ## Resource Types --> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#credentialprovider-kubelet-k8s-io-v1-CredentialProviderRequest">CredentialProviderRequest</a></li> <li><a href="#credentialprovider-kubelet-k8s-io-v1-CredentialProviderResponse">CredentialProviderResponse</a></li> </ul> <h2 id="credentialprovider-kubelet-k8s-io-v1-CredentialProviderRequest"><code>CredentialProviderRequest</code></h2> <p> <!-- CredentialProviderRequest includes the image that the kubelet requires authentication for. Kubelet will pass this request object to the plugin via stdin. In general, plugins should prefer responding with the same apiVersion they were sent. --> <code>CredentialProviderRequest</code> 包含 kubelet 需要通过身份验证才能访问的镜像。 kubelet 将此请求对象通过 stdin 传递到插件。 通常，插件应优先使用所收到的 <code>apiVersion</code> 作出响应。 </p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>apiVersion</code><br/>string</td><td><code>credentialprovider.kubelet.k8s.io/v1</code></td></tr> <tr><td><code>kind</code><br/>string</td><td><code>CredentialProviderRequest</code></td></tr> <tr><td><code>image</code> <B><!--[Required]-->[必需]</B><br/> <code>string</code> </td> <td> <p> <!-- image is the container image that is being pulled as part of the credential provider plugin request. Plugins may optionally parse the image to extract any information required to fetch credentials. --> <code>image</code> 是作为凭据提供程序插件请求的一部分所拉取的容器镜像。 这些插件可以选择解析镜像以提取获取凭据所需的任何信息。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kubelet-config.v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kubelet-config.v1/<!-- title: Kubelet Configuration (v1) content_type: tool-reference package: kubelet.config.k8s.io/v1 auto_generated: true --> <!-- ## Resource Types --> <h2 id="资源类型">资源类型</h2> <ul> <li><a href="#kubelet-config-k8s-io-v1-CredentialProviderConfig">CredentialProviderConfig</a></li> </ul> <h2 id="kubelet-config-k8s-io-v1-CredentialProviderConfig"><code>CredentialProviderConfig</code></h2> <!-- CredentialProviderConfig is the configuration containing information about each exec credential provider. Kubelet reads this configuration from disk and enables each provider as specified by the CredentialProvider type. --> <p>CredentialProviderConfig 包含有关每个 exec 凭据提供程序的配置信息。 kubelet 从磁盘上读取这些配置信息，并根据 CredentialProvider 类型启用各个提供程序。</p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>apiVersion</code><br/>string</td><td><code>kubelet.config.k8s.io/v1</code></td></tr> <tr><td><code>kind</code><br/>string</td><td><code>CredentialProviderConfig</code></td></tr> <tr><td><code>providers</code> <B><!--[Required]-->[必需]</B><br/> <a href="#kubelet-config-k8s-io-v1-CredentialProvider"><code>[]CredentialProvider</code></a> </td> <td> <p> <!-- providers is a list of credential provider plugins that will be enabled by the kubelet. Multiple providers may match against a single image, in which case credentials from all providers will be returned to the kubelet. If multiple providers are called for a single image, the results are combined. If providers return overlapping auth keys, the value from the provider earlier in this list is attempted first. --> <code>providers</code> 是一组凭据提供程序插件，这些插件会被 kubelet 启用。 多个提供程序可以匹配到同一镜像上，这时，来自所有提供程序的凭据信息都会返回给 kubelet。 如果针对同一镜像调用了多个提供程序，则结果会被组合起来。如果提供程序返回的认证主键有重复， 列表中先出现的提供程序所返回的值将被首先尝试。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kubelet-config.v1alpha1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kubelet-config.v1alpha1/<!-- title: Kubelet Configuration (v1alpha1) content_type: tool-reference package: kubelet.config.k8s.io/v1alpha1 auto_generated: true --> <!-- ## Resource Types --> <h2 id="资源类型">资源类型</h2> <ul> <li><a href="#kubelet-config-k8s-io-v1alpha1-CredentialProviderConfig">CredentialProviderConfig</a></li> </ul> <h2 id="kubelet-config-k8s-io-v1alpha1-CredentialProviderConfig"><code>CredentialProviderConfig</code></h2> <!-- CredentialProviderConfig is the configuration containing information about each exec credential provider. Kubelet reads this configuration from disk and enables each provider as specified by the CredentialProvider type. --> <p>CredentialProviderConfig 包含有关每个 exec 凭据提供者的配置信息。 kubelet 从磁盘上读取这些配置信息，并根据 CredentialProvider 类型启用各个提供者。</p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>apiVersion</code><br/>string</td><td><code>kubelet.config.k8s.io/v1alpha1</code></td></tr> <tr><td><code>kind</code><br/>string</td><td><code>CredentialProviderConfig</code></td></tr> <tr><td><code>providers</code> <B><!--[Required]-->[必需]</B><br/> <a href="#kubelet-config-k8s-io-v1alpha1-CredentialProvider"><code>[]CredentialProvider</code></a> </td> <td> <!-- providers is a list of credential provider plugins that will be enabled by the kubelet. Multiple providers may match against a single image, in which case credentials from all providers will be returned to the kubelet. If multiple providers are called for a single image, the results are combined. If providers return overlapping auth keys, the value from the provider earlier in this list is attempted first. --> <code>providers</code> 是一组凭据提供者插件，这些插件会被 kubelet 启用。 多个提供者可以匹配到同一镜像上，这时，来自所有提供者的凭据信息都会返回给 kubelet。 如果针对同一镜像调用了多个提供者，则结果会被组合起来。如果提供者返回的认证主键有重复， 列表中先出现的提供者所返回的值将第一个被尝试使用。 </td> </tr> </tbody> </table> <h2 id="kubelet-config-k8s-io-v1alpha1-ImagePullIntent"><code>ImagePullIntent</code></h2> <p> <!-- ImagePullIntent is a record of the kubelet attempting to pull an image. --> <code>ImagePullIntent</code> 是 kubelet 尝试拉取镜像的记录。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/<!-- title: Kubelet Configuration (v1beta1) content_type: tool-reference package: kubelet.config.k8s.io/v1beta1 auto_generated: true --> <!-- ## Resource Types --> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#kubelet-config-k8s-io-v1beta1-CredentialProviderConfig">CredentialProviderConfig</a></li> <li><a href="#kubelet-config-k8s-io-v1beta1-KubeletConfiguration">KubeletConfiguration</a></li> <li><a href="#kubelet-config-k8s-io-v1beta1-SerializedNodeConfigSource">SerializedNodeConfigSource</a></li> </ul> <h2 id="FormatOptions"><code>FormatOptions</code></h2> <!-- **Appears in:** --> <p><strong>出现在：</strong></p> <ul> <li><a href="#LoggingConfiguration">LoggingConfiguration</a></li> </ul> <p> <!-- FormatOptions contains options for the different logging formats. --> FormatOptions 包含为不同日志格式提供的选项。 </p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr> <td> <code>text</code> <B><!-- [Required] -->[必需]</B><br/> <a href="#TextOptions"><code>TextOptions</code></a> </td> <td> <!-- <p>[Alpha] Text contains options for logging format &quot;text&quot;. Only available when the LoggingAlphaOptions feature gate is enabled.</p> --> <p>[Alpha] 文本包含用于记录 &quot;text&quot; 格式的选项。 仅当 LoggingAlphaOptions 特性门控被启用时可用。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kuberc.v1alpha1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kuberc.v1alpha1/<!-- title: kuberc (v1alpha1) content_type: tool-reference package: kubectl.config.k8s.io/v1alpha1 auto_generated: true --> <!-- ## Resource Types --> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#kubectl-config-k8s-io-v1alpha1-Preference">Preference</a></li> </ul> <h2 id="kubectl-config-k8s-io-v1alpha1-Preference"><code>Preference</code></h2> <p> <!-- Preference stores elements of KubeRC configuration file --> <code>Preference</code> 存储 KubeRC 配置文件的元素 </p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>apiVersion</code><br/>string</td><td><code>kubectl.config.k8s.io/v1alpha1</code></td></tr> <tr><td><code>kind</code><br/>string</td><td><code>Preference</code></td></tr> <tr><td><code>overrides</code> <B><!--[Required]-->[必需]</B><br/> <a href="#kubectl-config-k8s-io-v1alpha1-CommandOverride"><code>[]CommandOverride</code></a> </td> <td> <p> <!-- overrides allows changing default flag values of commands. This is especially useful, when user doesn't want to explicitly set flags each time. --> <code>overrides</code> 允许更改命令的默认标志值。 这对于用户不想每次明确设置标志时特别有用。 </p> </td> </tr> <tr><td><code>aliases</code> <B><!--[Required]-->[必需]</B><br/> <a href="#kubectl-config-k8s-io-v1alpha1-AliasOverride"><code>[]AliasOverride</code></a> </td> <td> <p> <!-- aliases allow defining command aliases for existing kubectl commands, with optional default flag values. If the alias name collides with a built-in command, built-in command always takes precedence. Flag overrides defined in the overrides section do NOT apply to aliases for the same command. kubectl [ALIAS NAME] [USER_FLAGS] [USER_EXPLICIT_ARGS] expands to kubectl [COMMAND] # built-in command alias points to [KUBERC_PREPEND_ARGS] [USER_FLAGS] [KUBERC_FLAGS] # rest of the flags that are not passed by user in [USER_FLAGS] [USER_EXPLICIT_ARGS] [KUBERC_APPEND_ARGS] e.g. --> <code>aliases</code> 允许为现有的 kubectl 命令定义命令别名，并可选择设置默认标志值。 如果别名与内置命令冲突，内置命令始终优先。 在 <code>overrides</code> 部分定义的标志覆盖不适用于同一命令的别名。 <code>kubectl [ALIAS NAME] [USER_FLAGS] [USER_EXPLICIT_ARGS]</code> 展开为： <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl <span style="color:#666">[</span>COMMAND<span style="color:#666">]</span> <span style="color:#080;font-style:italic"># 别名指向的内置命令</span> </span></span><span style="display:flex;"><span> <span style="color:#666">[</span>KUBERC_PREPEND_ARGS<span style="color:#666">]</span> </span></span><span style="display:flex;"><span> <span style="color:#666">[</span>USER_FLAGS<span style="color:#666">]</span> </span></span><span style="display:flex;"><span> <span style="color:#666">[</span>KUBERC_FLAGS<span style="color:#666">]</span> <span style="color:#080;font-style:italic"># 其余未由用户在 [用户标志] 中传递的标志</span> </span></span><span style="display:flex;"><span> <span style="color:#666">[</span>USER_EXPLICIT_ARGS<span style="color:#666">]</span> </span></span><span style="display:flex;"><span> <span style="color:#666">[</span>KUBERC_APPEND_ARGS<span style="color:#666">]</span> </span></span></code></pre></div><p>例如：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kuberc.v1beta1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/kuberc.v1beta1/<!-- title: kuberc (v1beta1) content_type: tool-reference package: kubectl.config.k8s.io/v1beta1 auto_generated: true --> <!-- ## Resource Types --> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#kubectl-config-k8s-io-v1beta1-Preference">Preference</a></li> </ul> <h2 id="kubectl-config-k8s-io-v1beta1-Preference"><code>Preference</code></h2> <p> <!-- Preference stores elements of KubeRC configuration file --> <code>Preference</code> 存储 KubeRC 配置文件的元素。 </p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>apiVersion</code><br/>string</td><td><code>kubectl.config.k8s.io/v1beta1</code></td></tr> <tr><td><code>kind</code><br/>string</td><td><code>Preference</code></td></tr> <tr><td><code>defaults</code> <B><!--[Required]-->[必需]</B><br/> <a href="#kubectl-config-k8s-io-v1beta1-CommandDefaults"><code>[]CommandDefaults</code></a> </td> <td> <p> <!-- defaults allow changing default option values of commands. This is especially useful, when user doesn't want to explicitly set options each time. --> <code>defaults</code> 允许更改命令的默认选项值。 这对于用户不想每次明确设置选项时特别有用。 </p> </td> </tr> <tr><td><code>aliases</code> <B><!--[Required]-->[必需]</B><br/> <a href="#kubectl-config-k8s-io-v1beta1-AliasOverride"><code>[]AliasOverride</code></a> </td> <td> <p> <!-- aliases allow defining command aliases for existing kubectl commands, with optional default option values. If the alias name collides with a built-in command, built-in command always takes precedence. Option overrides defined in the defaults section do NOT apply to aliases for the same command. kubectl [ALIAS NAME] [USER_OPTIONS] [USER_EXPLICIT_ARGS] expands to kubectl [COMMAND] # built-in command alias points to [KUBERC_PREPEND_ARGS] [USER_OPTIONS] [KUBERC_OPTIONS] # rest of the options that are not passed by user in [USER_OPTIONS] [USER_EXPLICIT_ARGS] [KUBERC_APPEND_ARGS] e.g. --> <code>aliases</code> 允许为现有的 kubectl 命令定义命令别名，并可选择设置默认选项值。 如果别名与内置命令冲突，内置命令始终优先。 在 <code>defaults</code> 部分定义的选项 <code>overrides</code> 不适用于同一命令的别名。 <code>kubectl [ALIAS NAME] [USER_OPTIONS] [USER_EXPLICIT_ARGS]</code> 展开为： <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>kubectl <span style="color:#666">[</span>COMMAND<span style="color:#666">]</span> <span style="color:#080;font-style:italic"># 别名指向的内置命令</span> </span></span><span style="display:flex;"><span> <span style="color:#666">[</span>KUBERC_PREPEND_ARGS<span style="color:#666">]</span> </span></span><span style="display:flex;"><span> <span style="color:#666">[</span>USER_OPTIONS<span style="color:#666">]</span> </span></span><span style="display:flex;"><span> <span style="color:#666">[</span>KUBERC_OPTIONS<span style="color:#666">]</span> <span style="color:#080;font-style:italic"># 其余未由用户在 [用户选项] 中传递的选项</span> </span></span><span style="display:flex;"><span> <span style="color:#666">[</span>USER_EXPLICIT_ARGS<span style="color:#666">]</span> </span></span><span style="display:flex;"><span> <span style="color:#666">[</span>KUBERC_APPEND_ARGS<span style="color:#666">]</span> </span></span></code></pre></div><p>例如：</p>https://andygol-k8s.netlify.app/zh-cn/releases/release/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/releases/release/<!-- title: Kubernetes Release Cycle type: docs auto_generated: true --> <!-- THIS CONTENT IS AUTO-GENERATED via https://github.com/kubernetes/website/blob/main/scripts/releng/update-release-info.sh --> <div class="pageinfo pageinfo-light"> <!-- This content is auto-generated and links may not function. The source of the document is located [here](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-release/release.md). --> <p>此内容原文是自动生成的，链接可能无法正常访问。 文档的来源在<a href="https://github.com/kubernetes/community/blob/master/contributors/devel/sig-release/release.md">这里</a>。</p> </div> <!-- Localization note: omit the pageinfo block when localizing --> <!-- ## Targeting enhancements, Issues and PRs to Release Milestones This document is focused on Kubernetes developers and contributors who need to create an enhancement, issue, or pull request which targets a specific release milestone. --> <h2 id="targeting-enhancements-issues-and-prs-to-release-milestones">针对发布里程碑的特性增强、Issue 和 PR</h2> <p>本文档重点是面向于那些需要创建针对特定发布里程碑的特性增强、问题或拉取请求的 Kubernetes 开发人员和贡献者。</p>https://andygol-k8s.netlify.app/zh-cn/community/code-of-conduct/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/community/code-of-conduct/<!-- title: Kubernetes Community Code of Conduct body_class: code-of-conduct cid: code-of-conduct --> <!-- _Kubernetes follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md). The text of the CNCF CoC is replicated below, as of [commit 71412bb02](https://github.com/cncf/foundation/blob/71412bb029090d42ecbeadb39374a337bfb48a9c/code-of-conduct.md)._ --> <p><strong>Kubernetes 遵循 <a href="https://github.com/cncf/foundation/blob/main/code-of-conduct.md">CNCF 行为准则</a>。 有关 CNCF 行为准则的文本，请参阅 <a href="https://github.com/cncf/foundation/blob/71412bb029090d42ecbeadb39374a337bfb48a9c/code-of-conduct.md">commit 71412bb02</a>。</strong></p> <div id="cncf-code-of-conduct"> <!-- Do not edit this file directly. Get the latest from https://github.com/cncf/foundation/blob/master/code-of-conduct-languages/zh.md --> <!-- ## CNCF Community Code of Conduct v1.3 ### Community Code of Conduct --> <h2 id="cncf-community-code-of-conduct-v13">云原生计算基金会（CNCF）社区行为准则 1.3 版本</h2> <h3 id="community-code-of-conduct">社区行为准则</h3> <!-- As contributors, maintainers, and participants in the CNCF community, and in the interest of fostering an open and welcoming community, we pledge to respect all people who participate or contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, attending conferences or events, or engaging in other community or project activities. We are committed to making participation in the CNCF community a harassment-free experience for everyone, regardless of age, body size, caste, disability, ethnicity, level of experience, family status, gender, gender identity and expression, marital status, military or veteran status, nationality, personal appearance, race, religion, sexual orientation, socieconomic status, tribe, or any other dimension of diversity. --> <p>作为 CNCF 社区的贡献者、维护者和参与者，我们努力建设一个开放和受欢迎的社区，我们承诺尊重所有上报 Issue、发布功能需求、更新文档、提交 PR 或补丁、参加会议活动以及其他社区和项目活动的贡献者和参与者。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/external-api/external-metrics.v1beta1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/external-api/external-metrics.v1beta1/<!-- title: Kubernetes External Metrics (v1beta1) content_type: tool-reference package: external.metrics.k8s.io/v1beta1 auto_generated: true --> <p> <!-- Package v1beta1 is the v1beta1 version of the external metrics API. --> v1beta1 包是 v1beta1 版本的外部指标 API。 </p> <!-- ## Resource Types --> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#external-metrics-k8s-io-v1beta1-ExternalMetricValue">ExternalMetricValue</a></li> <li><a href="#external-metrics-k8s-io-v1beta1-ExternalMetricValueList">ExternalMetricValueList</a></li> </ul> <h2 id="external-metrics-k8s-io-v1beta1-ExternalMetricValue"><code>ExternalMetricValue</code></h2> <!-- **Appears in:** --> <p><strong>出现在：</strong></p> <ul> <li><a href="#external-metrics-k8s-io-v1beta1-ExternalMetricValueList">ExternalMetricValueList</a></li> </ul> <p> <!-- ExternalMetricValue is a metric value for external metric A single metric value is identified by metric name and a set of string labels. For one metric there can be multiple values with different sets of labels. --> ExternalMetricValue 是外部指标的一个度量值。 单个度量值由指标名称和一组字符串标签标识。 对于一个指标，可以有多个具有不同标签集的值。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/external-api/metrics.v1beta1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/external-api/metrics.v1beta1/<!-- title: Kubernetes Metrics (v1beta1) content_type: tool-reference package: metrics.k8s.io/v1beta1 auto_generated: true --> <!-- <p>Package v1beta1 is the v1beta1 version of the metrics API.</p> --> <p>v1beta1 包是 v1beta1 版本的指标 API。</p> <!-- ## Resource Types --> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#metrics-k8s-io-v1beta1-NodeMetrics">NodeMetrics</a></li> <li><a href="#metrics-k8s-io-v1beta1-NodeMetricsList">NodeMetricsList</a></li> <li><a href="#metrics-k8s-io-v1beta1-PodMetrics">PodMetrics</a></li> <li><a href="#metrics-k8s-io-v1beta1-PodMetricsList">PodMetricsList</a></li> </ul> <h2 id="metrics-k8s-io-v1beta1-NodeMetrics"><code>NodeMetrics</code></h2> <!-- **Appears in:** --> <p><strong>出现在：</strong></p> <ul> <li><a href="#metrics-k8s-io-v1beta1-NodeMetricsList">NodeMetricsList</a></li> </ul> <!-- <p>NodeMetrics sets resource usage metrics of a node.</p> --> <p>NodeMetrics 设置节点的资源用量指标。</p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>apiVersion</code><br/>string</td><td><code>metrics.k8s.io/v1beta1</code></td></tr> <tr><td><code>kind</code><br/>string</td><td><code>NodeMetrics</code></td></tr> <tr><td><code>metadata</code><br/> <a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#objectmeta-v1-meta"><code>meta/v1.ObjectMeta</code></a> </td> <td> <!-- <p>Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</p> Refer to the Kubernetes API documentation for the fields of the <code>metadata</code> field. --> <p>标准的对象元数据。更多信息： https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/external-api/custom-metrics.v1beta2/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/external-api/custom-metrics.v1beta2/<!-- title: Kubernetes Custom Metrics (v1beta2) content_type: tool-reference package: custom.metrics.k8s.io/v1beta2 auto_generated: true --> <!-- <p>Package v1beta2 is the v1beta2 version of the custom_metrics API.</p> --> <p>v1beta2 包是 v1beta2 版本的 custom_metrics API。</p> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#custom-metrics-k8s-io-v1beta2-MetricListOptions">MetricListOptions</a></li> <li><a href="#custom-metrics-k8s-io-v1beta2-MetricValue">MetricValue</a></li> <li><a href="#custom-metrics-k8s-io-v1beta2-MetricValueList">MetricValueList</a></li> </ul> <h2 id="custom-metrics-k8s-io-v1beta2-MetricListOptions"><code>MetricListOptions</code></h2> <p> <!-- <p>MetricListOptions is used to select metrics by their label selectors</p> --> <p>MetricListOptions 用于按其标签选择算符来选择指标。</p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>apiVersion</code><br/>string</td><td><code>custom.metrics.k8s.io/v1beta2</code></td></tr> <tr><td><code>kind</code><br/>string</td><td><code>MetricListOptions</code></td></tr> <tr><td><code>labelSelector</code><br/> <code>string</code> </td> <td> <!-- <p>A selector to restrict the list of returned objects by their labels. Defaults to everything.</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/naic/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/naic/<h2>Challenge</h2> <p>The <a href="http://www.naic.org/">National Association of Insurance Commissioners (NAIC)</a>, the U.S. standard-setting and regulatory support organization, was looking for a way to deliver new services faster to provide more value for members and staff. It also needed greater agility to improve productivity internally.</p> <h2>Solution</h2> <p>Beginning in 2016, they started using <a href="https://www.cncf.io/">Cloud Native Computing Foundation (CNCF)</a> tools such as <a href="https://prometheus.io/">Prometheus</a>. NAIC began hosting internal systems and development systems on <a href="https://kubernetes.io/">Kubernetes</a> at the beginning of 2018, as part of a broad move toward the public cloud. "Our culture and technology transition is a strategy embraced by our top leaders," says Dan Barker, Chief Enterprise Architect. "It has already proven successful by allowing us to accelerate our value pipeline by more than double while decreasing our costs by more than half. We are also seeing customer satisfaction increase as we add more and more applications to these new technologies."</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/nav/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/nav/<h2>Challenge</h2> <p>Founded in 2012, <a href="https://www.nav.com/">Nav</a> provides small business owners with access to their business credit scores from all three major commercial credit bureaus—Equifax, Experian and Dun & Bradstreet—and financing options that best fit their needs. Five years in, the startup was growing rapidly, and "our cloud environments were getting very large, and our usage of those environments was extremely low, like under 1%," says Director of Engineering Travis Jeppson. "We wanted our usage of cloud environments to be more tightly coupled with what we actually needed, so we started looking at containerization and orchestration to help us be able to run workloads that were distinct from one another but could share a similar resource pool."</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/netease/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/netease/<!-- title: NetEase Case Study linkTitle: NetEase case_study_styles: true cid: caseStudies logo: netease_featured_logo.png featured: false new_case_study_styles: true heading_background: /images/case-studies/netease/banner1.jpg heading_title_logo: /images/netease_logo.png subheading: > How NetEase Leverages Kubernetes to Support Internet Business Worldwide case_study_details: - Company: NetEase - Location: Hangzhou, China - Industry: Internet technology --> <!-- <h2>Challenge</h2> --> <h2>挑战</h2> <!-- <p>Its gaming business is one of the largest in the world, but that's not all that <a href="https://netease-na.com/">NetEase</a> provides to Chinese consumers. The company also operates e-commerce, advertising, music streaming, online education, and email platforms; the last of which serves almost a billion users with free email services through sites like <a href="https://www.163.com/">163.com</a>. In 2015, the NetEase Cloud team providing the infrastructure for all of these systems realized that their R&D process was slowing down developers. "Our users needed to prepare all of the infrastructure by themselves," says Feng Changjian, Architect for NetEase Cloud and Container Service. "We were eager to provide the infrastructure and tools for our users automatically via serverless container service."</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/newyorktimes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/newyorktimes/<h2>Challenge</h2> <p>When the company decided a few years ago to move out of its data centers, its first deployments on the public cloud were smaller, less critical applications managed on virtual machines. "We started building more and more tools, and at some point we realized that we were doing a disservice by treating Amazon as another data center," says Deep Kapadia, Executive Director, Engineering at The New York Times. Kapadia was tapped to lead a Delivery Engineering Team that would "design for the abstractions that cloud providers offer us."</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/nokia/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/nokia/<h2>Challenge</h2> <p><a href="https://www.nokia.com/en_int">Nokia</a>'s core business is building telecom networks end-to-end; its main products are related to the infrastructure, such as antennas, switching equipment, and routing equipment. "As telecom vendors, we have to deliver our software to several telecom operators and put the software into their infrastructure, and each of the operators have a bit different infrastructure," says Gergely Csatari, Senior Open Source Engineer. "There are operators who are running on bare metal. There are operators who are running on virtual machines. There are operators who are running on <a href="https://cloud.vmware.com/">VMware Cloud</a> and <a href="https://www.openstack.org/">OpenStack</a> Cloud. We want to run the same product on all of these different infrastructures without changing the product itself."</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/northwestern-mutual/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/northwestern-mutual/<h2>Challenge</h2> <p>In the spring of 2015, Northwestern Mutual acquired a fintech startup, LearnVest, and decided to take "Northwestern Mutual's leading products and services and meld it with LearnVest's digital experience and innovative financial planning platform," says Brad Williams, Director of Engineering for Client Experience, Northwestern Mutual. The company's existing infrastructure had been optimized for batch workflows hosted on on-prem networks; deployments were very traditional, focused on following a process instead of providing deployment agility. "We had to build a platform that was elastically scalable, but also much more responsive, so we could quickly get data to the client website so our end-customers have the experience they expect," says Williams.</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/openai/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/openai/<!-- title: OpenAI Case Study case_study_styles: true cid: caseStudies new_case_study_styles: true heading_background: /images/case-studies/openAI/banner1.jpg heading_title_logo: /images/openAI_logo.png subheading: > Launching and Scaling Up Experiments, Made Simple case_study_details: - Company: OpenAI - Location: San Francisco, California - Industry: Artificial Intelligence Research --> <!-- <h2>Challenge</h2> <p>An artificial intelligence research lab, OpenAI needed infrastructure for deep learning that would allow experiments to be run either in the cloud or in its own data center, and to easily scale. Portability, speed, and cost were the main drivers.</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/peardeck/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/peardeck/<h2>Challenge</h2> <p>The three-year-old startup provides a web app for teachers to interact with their students in the classroom. The JavaScript app was built on Google's web app development platform <a href="https://firebase.google.com/">Firebase</a>, using <a href="https://www.heroku.com/">Heroku</a>. As the user base steadily grew, so did the development team. "We outgrew Heroku when we started wanting to have multiple services, and the deploying story got pretty horrendous. We were frustrated that we couldn't have the developers quickly stage a version," says CEO Riley Eynon-Lynch. "Tracing and monitoring became basically impossible." On top of that, many of Pear Deck's customers are behind government firewalls and connect through Firebase, not Pear Deck's servers, making troubleshooting even more difficult.</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/pearson/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/pearson/<h2>Challenge</h2> <p>A global education company serving 75 million learners, Pearson set a goal to more than double that number, to 200 million, by 2025. A key part of this growth is in digital learning experiences, and Pearson was having difficulty in scaling and adapting to its growing online audience. They needed an infrastructure platform that would be able to scale quickly and deliver products to market faster.</p> <h2>Solution</h2> <p>"To transform our infrastructure, we had to think beyond simply enabling automated provisioning," says Chris Jackson, Director for Cloud Platforms & SRE at Pearson. "We realized we had to build a platform that would allow Pearson developers to build, manage and deploy applications in a completely different way." The team chose Docker container technology and Kubernetes orchestration "because of its flexibility, ease of management and the way it would improve our engineers' productivity."</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/pingcap/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/pingcap/<h2>Challenge</h2> <p>PingCAP is the company leading the development of the popular open source NewSQL database <a href="https://github.com/pingcap/tidb">TiDB</a>, which is MySQL-compatible, can handle hybrid transactional and analytical processing (HTAP) workloads, and has a cloud native architectural design. "Having a hybrid multi-cloud product is an important part of our global go-to-market strategy," says Kevin Xu, General Manager of Global Strategy and Operations. In order to achieve that, the team had to address two challenges: "how to deploy, run, and manage a distributed stateful application, such as a distributed database like TiDB, in a containerized world," Xu says, and "how to deliver an easy-to-use, consistent, and reliable experience for our customers when they use TiDB in the cloud, any cloud, whether that's one cloud provider or a combination of different cloud environments." Knowing that using a distributed system isn't easy, they began looking for the right orchestration layer to help reduce some of that complexity for end users.</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/nerdalize/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/nerdalize/<h2>Challenge</h2> <p>Nerdalize offers affordable cloud hosting for customers—and free heat and hot water for people who sign up to house the heating devices that contain the company's servers. The savings Nerdalize realizes by not running data centers are passed on to its customers. When the team began using Docker to make its software more portable, it realized it also needed a container orchestration solution. "As a cloud provider, we have internal services for hosting our backends and billing our customers, but we also need to offer our compute to our end users," says Digital Product Engineer Ad van der Veer. "Since we have these heating devices spread across the Netherlands, we need some way of tying that all together."</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/prowise/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/prowise/<h2>Challenge</h2> <p>A Dutch company that produces educational devices and software used around the world, <a href="https://www.prowise.com/en/">Prowise</a> had an infrastructure based on Linux services with multiple availability zones in Europe, Australia, and the U.S. "We've grown a lot in the past couple of years, and we started to encounter problems with versioning and flexible scaling," says Senior DevOps Engineer Victor van den Bosch, "not only scaling in demands, but also in being able to deploy multiple products which all have their own versions, their own development teams, and their own problems that they're trying to solve. To be able to put that all on the same platform without much resistance is what we were looking for. We wanted to future proof our infrastructure, and also solve some of the problems that are associated with just running a normal Linux service."</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/slamtec/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/slamtec/<h2>Challenge</h2> <p>Founded in 2013, SLAMTEC provides service robot autonomous localization and navigation solutions. The company's strength lies in its R&D team's ability to quickly introduce, and continually iterate on, its core products. In the past few years, the company, which had a legacy infrastructure based on Alibaba Cloud and VMware vSphere, began looking to build its own stable and reliable container cloud platform to host its Internet of Things applications. "Our needs for the cloud platform included high availability, scalability and security; multi-granularity monitoring alarm capability; friendliness to containers and microservices; and perfect CI/CD support," says Benniu Ji, Director of Cloud Computing Business Division.</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/sos/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/sos/<h2>Challenge</h2> <p>For the past six decades, SOS International has been providing reliable medical and travel assistance in the Nordic region. In recent years, the company's business strategy has required increasingly intense development in the digital space, but when it came to its IT systems, "SOS has a very fragmented legacy," with three traditional monoliths (Java, .NET, and IBM's AS/400) and a waterfall approach, says Martin Ahrentsen, Head of Enterprise Architecture. "We have been forced to institute both new technology and new ways of working, so we could be more efficient with a shorter time to market. It was a much more agile approach, and we needed to have a platform that can help us deliver that to the business."</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/spotify/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/spotify/<h2>Challenge</h2> <p>Launched in 2008, the audio-streaming platform has grown to over 200 million monthly active users across the world. "Our goal is to empower creators and enable a really immersive listening experience for all of the consumers that we have today—and hopefully the consumers we'll have in the future," says Jai Chakrabarti, Director of Engineering, Infrastructure and Operations. An early adopter of microservices and Docker, Spotify had containerized microservices running across its fleet of VMs with a homegrown container orchestration system called <a href="https://github.com/spotify/helios">Helios</a>. By late 2017, it became clear that "having a small team working on the features was just not as efficient as adopting something that was supported by a much bigger community," he says.</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/squarespace/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/squarespace/<!-- --- title: Squarespace Case Study case_study_styles: true cid: caseStudies css: /css/style_case_studies.css --- --> <!-- <div class="banner1 desktop" style="background-image: url('/images/case-studies/squarespace/banner1.jpg')"> <h1> CASE STUDY:<img src="https://andygol-k8s.netlify.app/images/squarespace_logo.png" class="header_logo"><br> <div class="subhead">Squarespace: Gaining Productivity and Resilience with Kubernetes</div> </h1> </div> --> <div class="banner1 desktop" style="background-image: url('/images/case-studies/squarespace/banner1.jpg')"> <h1> 案例分析：<img src="https://andygol-k8s.netlify.app/images/squarespace_logo.png" class="header_logo"><br> <div class="subhead">Squarespace: 借力 Kubernetes 提升效率和可靠性</div> </h1> </div> <!-- <div class="details"> Company &nbsp;<b>Squarespace</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location &nbsp;<b>New York, N.Y.</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Industry &nbsp;<b>Software as a Service, Website-Building Platform</b> </div> --> <div class="details"> 公司名 &nbsp;<b>Squarespace</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;地址 &nbsp;<b>纽约市，纽约州</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;行业 &nbsp;<b>软件服务，网站构建平台</b> </div> <hr> <section class="section1"> <div class="cols"> <div class="col1"> <!-- <h2>Challenge</h2> Moving from a monolith to microservices in 2014 "solved a problem on the development side, but it pushed that problem to the infrastructure team," says Kevin Lynch, Staff Engineer on the Site Reliability team at Squarespace. "The infrastructure deployment process on our 5,000 VM hosts was slowing everyone down." --> <h2>挑战</h2> 自从 2014 年，我们从 monolith 架构移植到微服务架构， “虽然解决了开发端的问题，但却带来了架构组的问题”，Squarespace 网站可靠性组的主任工程师 Kevin Lynch 说道。 “5000 个 VM 主机上的部署过程，让每个人都举步维艰。” <br> <!-- <h2>Solution</h2> The team experimented with container orchestration platforms, and found that Kubernetes "answered all the questions that we had," says Lynch. The company began running Kubernetes in its data centers in&nbsp;2016. --> <h2>解决方案</h2> 网站可靠性组开始尝试使用不同的容器编排平台，然后发现 Kubernetes “解决了我们所有的既有问题”，Lynch 说道。于是整个公司在 2016 年开始在自己的数据中心中运行 Kubernetes 集群。 </div> <div class="col2"> <!-- <h2>Impact</h2> Since Squarespace moved to Kubernetes, in conjunction with modernizing its networking stack, deployment time has been reduced by almost 85%. Before, their VM deployment would take half an hour; now, says Lynch, "someone can generate a templated application, deploy it within five minutes, and have actual instances containerized, running in our staging environment at that point." Because of that, "productivity time is the big cost saver," he adds. "When we started the Kubernetes project, we had probably a dozen microservices. Today there are twice that in the pipeline being actively worked on." Resilience has also been improved with Kubernetes: "If a node goes down, it’s rescheduled immediately and there’s no performance&nbsp;impact." --> <h2>影响</h2> 自从 Squarespace 开始全面使用 Kubernetes，伴随着网络技术栈的革新，部署时间大幅减少85%。 以前，他们的 VM 部署需要耗费半个小时；现在，Lynch 提到，“一个人可以生成一个模板应用，在五分钟内部署，并将实例容器化，并在模拟环境下运行。”正因为如此，“开发效率节省了大量的成本。” 他又补充道，“当我们开始用 Kubernetes 时，我们可能只有十几个微服务。而现在的任务栏里面已经有两倍多的微服务正在进行中。” Kubernetes 也同样提升了可靠性：“如果一个节点宕掉，马上会重新调度一个新的节点，没有任何性能上的影响。” </div> </div> </section> <div class="banner2"> <div class="banner2text"> <iframe width="560" height="315" src="https://www.youtube.com/embed/feQkzJkW-SA" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe> <br><br>“一旦你验证了 Kubernetes 可以解决一个问题，每个人都会立即着手解决其它的问题，无需你的布道。” <br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>— Kevin Lynch，Squarespace 网站可靠性组的主任工程师</span> </div> </div> <section class="section2"> <div class="fullcol"> <!-- <h2>Since it was started in a dorm room in 2003, Squarespace has made it simple for millions of people to create their own websites.</h2> --> <h2>从 2003 年宿舍起步， Squarespace 已经为数百万人提供了网站构建服务。</h2> <!-- Behind the scenes, though, the company’s monolithic Java application was making things not so simple for its developers to keep improving the platform. So in 2014, the company decided to "go down the microservices path," says Kevin Lynch, staff engineer on Squarespace’s Site Reliability team. "But we were always deploying our applications in vCenter VMware VMs [in our own data centers]. Microservices solved a problem on the development side, but it pushed that problem to the Infrastructure team. The infrastructure deployment process on our 5,000 VM hosts was slowing everyone down."<br><br> --> 但在幕后，公司的单体应用却让开发人员在平台创新上举步维艰。所以在 2014 年，公司决定”走微服务之路”，Kevin Lynch 提到，Squarespace 网站稳定性组的主任工程师。 “但是我们还是一直在自己的 vCenter VMware 虚拟机[我们自己的数据中心]上部署应用。微服务解决了开发端的问题，但是让问题转变到了基础架构组这一边。我们在5000个虚拟机主机上的部署流程让每个人的开发效率都提高不起来。” <!-- After experimenting with another container orchestration platform and "breaking it in very painful ways," Lynch says, the team began experimenting with Kubernetes in mid-2016 and found that it "answered all the questions that we had." Deploying it in the data center rather than the public cloud was their biggest challenge, and at the time, not a lot of other companies were doing that. "We had to figure out how to deploy this in our infrastructure for ourselves, and we had to integrate it with our other applications," says Lynch.<br><br> --> 在尝试过另外一个容器编排平台，“非常痛苦地拆解它”，Lynch 说道，我们组开始在 2016 年年中尝试 Kubernetes，发现它“能解决我们所有的问题”。 将 Kubernetes 部署在数据中心，而非公有云上是我们最大的挑战，但在当时，并没有很多其它的公司会这么做。 “我们必须要自己摸索出如何在自己的基础架构中部署它，我们也必须要将其和我们其它的应用做集成，”Lynch补充道。<br><br> <!-- At the same time, Squarespace’s Network Engineering team was modernizing its networking stack, switching from a traditional layer-two network to a layer-three spine-and-leaf network. "It mapped beautifully with what we wanted to do with Kubernetes," says Lynch. "It gives us the ability to have our servers communicate directly with the top-of-rack switches. We use Calico for <a href="https://github.com/containernetworking/cnihttps://github.com/containernetworking/cni">CNI networking for Kubernetes</a>, so we can announce all these individual Kubernetes pod IP addresses and have them integrate seamlessly with our other services that are still provisioned in the VMs." --> 与此同时，Squarespace 的网络工程组也正在革新它们的网络技术栈，从传统的 L2 网络转变为 L3 脊叶网络架构。 “” Lynch 说道，“它给了我们服务器直接通过架顶交换机通信的能力。我们使用 Calico 作为 <a href="https://github.com/containernetworking/cnihttps://github.com/containernetworking/cni">Kubernetes 的 CNI 网络插件</a>”， 因而，我们可以为每个 Kubernetes pod 分配 IP 地址，并将它们和其它仍在虚拟机中创建的服务无缝衔接。 </div> </section> <div class="banner3" style="background-image: url('/images/case-studies/squarespace/banner3.jpg')"> <!-- <div class="banner3text"> After experimenting with another container orchestration platform and "breaking it in very painful ways," Lynch says, the team began experimenting with Kubernetes in mid-2016 and found that it "answered all the questions that we had." </div> --> <div class="banner3text"> 在尝试过另外一个容器编排平台，“非常痛苦地拆解它”，Lynch 说道，我们组开始在 2016 年年中尝试 Kubernetes，发现它“能解决我们所有的问题”。 </div> </div> <section class="section3"> <div class="fullcol"> <!-- Within a couple months, they had a stable cluster for their internal use, and began rolling out Kubernetes for production. They also added Zipkin and CNCF projects <a href="https://prometheus.io/">Prometheus</a> and <a href="https://www.fluentd.org/">fluentd</a> to their cloud native stack. "We switched to Kubernetes, a new world, and we revamped all our other tooling as well," says Lynch. "It allowed us to streamline our process, so we can now easily create an entire microservice project from templates, generate the code and deployment pipeline for that, generate the Docker file, and then immediately just ship a workable, deployable project to Kubernetes." Deployments across Dev/QA/Stage/Prod were also "simplified drastically," Lynch adds. "Now there is little configuration variation." --> 几个月的时间，它们就有了一个稳定的集群供内部使用，并开始在生产环境下使用 Kubernetes。 他们同时还在自己的云原生技术栈中用到了 Zipkin 和 CNCF 项目 <a href="https://prometheus.io/">Prometheus</a> and <a href="https://www.fluentd.org/">fluentd</a> 。 “我们换到 Kubernetes，就像进入了一个新世界，我们也同时改进了其它的工具，” Lynch 说道。“它让我们简化了流程，因而，我们才能更加方便地从模板中创建整个微服务项目，生成代码和部署管道，生成 Docker 文件， 并迅速地将可用的、可部署的项目发布到 Kubernetes 集群上。”在 Dev/QA/Stage/Prod 不同环境间的部署也变得 “异常的简单，” Lynch 补充道。 “现在，环境间的配置差异变得很小。” <br><br> <!-- And the whole process takes only five minutes, an almost 85% reduction in time compared to their VM deployment. "From end to end that probably took half an hour, and that’s not accounting for the fact that an infrastructure engineer would be responsible for doing that, so there’s some business delay in there as well." --> 而且整个部署过程只需要五分钟，和虚拟机部署相比，几乎节约了 85% 的时间。 “从端到端可能要半个小时，这还没有考虑可能需要基础架构工程师来做这方面的工作，因而，也还有一些业务上的延时。” <br><br> <!-- With faster deployments, "productivity time is the big cost saver," says Lynch. "We had a team that was implementing a new file storage service, and they just started integrating that with our storage back end without our involvement"—which wouldn’t have been possible before Kubernetes. He adds: "When we started the Kubernetes project, we had probably a dozen microservices. Today there are twice that in the pipeline being actively worked on." --> 部署变快之后，“开发效率节省了大量的成本，” Lynch 提到，“我们有个组想要实现新的文件存储服务，他们就径直和我们的存储后来做了集成，而不需要我们的参与”，这在采用 Kubernetes 之前是不可想象的。 他又补充道：“在我们开始 Kubernetes 项目时，我们可能只有十几个微服务。而现在的任务栏里面已经有两倍多的微服务正在进行中。” </div> </section> <div class="banner4" style="background-image: url('/images/case-studies/squarespace/banner4.jpg')"> <div class="banner4text"> <!-- "We switched to Kubernetes, a new world....It allowed us to streamline our process, so we can now easily create an entire microservice project from templates," Lynch says. And the whole process takes only five minutes, an almost 85% reduction in time compared to their VM deployment. --> “我们换到 Kubernetes，就像进入了一个新世界....它让我们简化了流程，因而，我们才能更加方便地从模板中创建整个微服务项目，” Lynch 说道。整个部署过程只需要五分钟，和虚拟机部署相比，几乎节约了 85% 的时间。 </div> </div> <section class="section5" style="padding:0px !important"> <div class="fullcol"> <!-- There’s also been a positive impact on the application’s resilience. "When we’re deploying VMs, we have to build tooling to ensure that a service is spread across racks appropriately and can withstand failure," he says. "Kubernetes just does it. If a node goes down, it’s rescheduled immediately and there’s no performance impact." --> 同样在应用程序的可靠性方面也有积极的影响。“当我们在部署虚拟机时，我们需要工具来保障服务散布在机架间，可以承受失败，”他说道，“Kubernetes 正好可以做到这一点。如果节点宕掉，可以马上重新调度，没有性能影响。” <br><br> <!-- Another big benefit is autoscaling. "It wasn’t really possible with the way we’ve been using VMware," says Lynch, "but now we can just add the appropriate autoscaling features via Kubernetes directly, and boom, it’s scaling up as demand increases. And it worked out of the box." --> 另一个很大的好处就是扩缩容。“按照我们使用 VMware 的方式，扩缩容好像不可能实现，”Lynch 说道，“但现在，我们可以直接通过 Kubernetes 加入合适的扩缩容功能，然后，随着需求的增加而扩容。开箱即用！” <br><br> <!-- For others starting out with Kubernetes, Lynch says his best advice is to "fail fast": "Once you’ve planned things out, just execute. Kubernetes has been really great for trying something out quickly and seeing if it works or not." --> 针对刚开始使用 Kubernetes 的人，Lynch 说他最后的建议就是“快速失败”：“一旦计划后，马上执行。Kubernetes 真的是非常适合快速实验，看看是否可行。” </div> <div class="banner5"> <div class="banner5text"> <!-- "When we’re deploying VMs, we have to build tooling to ensure that a service is spread across racks appropriately and can withstand failure," he says. "Kubernetes just does it. If a node goes down, it’s rescheduled immediately and there’s no performance impact." --> “当我们在部署虚拟机时，我们需要工具来保障服务散布在机架间，可以承受失败，”他说道，“Kubernetes 正好可以做到这一点。如果节点宕掉，可以马上重新调度，没有性能影响。” </div> </div> <div class="fullcol"> <!-- Lynch and his team are planning to open source some of the tools they’ve developed to extend Kubernetes and use it as an API itself. The first tool injects dependent applications as containers in a pod. "When you ship an application, usually it comes along with a whole bunch of dependent applications that need to be shipped with that, for example, fluentd for logging," he explains. With this tool, the developer doesn’t need to worry about the configurations. --> Lynch 和他的小组正准备开源一些他们的工具，这些工具用来延展 Kubernetes，将其作为 API 使用。 第一个工具在 pod 将依赖应用作为容器注入。 “当你在发布应用时，常常需要一系列的依赖应用，例如，日志用的 fluentd，” 他解释道。 有了这个工具，开发人员就不需要担心配置了。 <br><br> <!-- Going forward, all new services at Squarespace are going into Kubernetes, and the end goal is to convert everything it can. About a quarter of existing services have been migrated. "Our monolithic application is going to be the last one, just because it’s so big and complex," says Lynch. "But now I’m seeing other services get moved over, like the file storage service. Someone just did it and it worked—painlessly. So I believe if we tackle it, it’s probably going to be a lot easier than we fear. Maybe I should just take my own advice and fail fast!" --> 自此之后，Squarespace 所有新的微服务都将直接部署到 Kubernetes 上，而最终的目标是要扩大到所有的服务上。 现在已经有四分之一的服务已经移植完。“我的单体应用将是最后一个被移植的，仅仅是以为它太大、太复杂，”Lynch 说道。 “但现在我已经看到其它的服务已经被移植到 Kubernetes 上，例如文件存储服务。有人解决了，而且并不复杂。 所以我坚信如果我们着手解决它，很可能回避我们所担心的要轻松许多。也许我应该接受自己的建议，“快速失败”！” </div> </section>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/apiserver-webhookadmission.v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/apiserver-webhookadmission.v1/<!-- title: WebhookAdmission Configuration (v1) content_type: tool-reference package: apiserver.config.k8s.io/v1 auto_generated: true --> <p> <!-- Package v1 is the v1 version of the API. --> 此 API 的版本是 v1。 </p> <!-- ## Resource Types --> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#apiserver-config-k8s-io-v1-WebhookAdmission">WebhookAdmission</a></li> </ul> <h2 id="apiserver-config-k8s-io-v1-WebhookAdmission"><code>WebhookAdmission</code></h2> <p> <!-- WebhookAdmission provides configuration for the webhook admission controller. --> WebhookAdmission 为 Webhook 准入控制器提供配置信息。 </p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>apiVersion</code><br/>string</td><td><code>apiserver.config.k8s.io/v1</code></td></tr> <tr><td><code>kind</code><br/>string</td><td><code>WebhookAdmission</code></td></tr> <tr><td><code>kubeConfigFile</code> <B><!--[Required]-->[必需]</B><br/> <code>string</code> </td> <td> <p> <!-- KubeConfigFile is the path to the kubeconfig file. --> 字段 kubeConfigFile 包含指向 kubeconfig 文件的路径。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/windows/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/windows/<!-- reviewers: - aravindhp - jayunit100 - jsturtevant - marosset title: Windows debugging tips content_type: concept --> <!-- overview --> <!-- body --> <!-- ## Node-level troubleshooting {#troubleshooting-node} 1. My Pods are stuck at "Container Creating" or restarting over and over Ensure that your pause image is compatible with your Windows OS version. See [Pause container](/docs/concepts/windows/intro/#pause-container) to see the latest / recommended pause image and/or get more information. --> <h2 id="troubleshooting-node">工作节点级别排障</h2> <ol> <li> <p>我的 Pod 都卡在 “Container Creating” 或者不断重启</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/yahoo-japan/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/yahoo-japan/https://andygol-k8s.netlify.app/zh-cn/case-studies/adidas/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/adidas/<!-- title: adidas Case Study linkTitle: adidas case_study_styles: true cid: caseStudies featured: false new_case_study_styles: true heading_background: /images/case-studies/adidas/banner1.png heading_title_text: adidas use_gradient_overlay: true subheading: > Staying True to Its Culture, adidas Got 40% of Its Most Impactful Systems Running on Kubernetes in a Year case_study_details: - Company: adidas - Location: Herzogenaurach, Germany - Industry: Fashion --> <!-- <h2>Challenge</h2> <p>In recent years, the adidas team was happy with its software choices from a technology perspective—but accessing all of the tools was a problem. For instance, "just to get a developer VM, you had to send a request form, give the purpose, give the title of the project, who's responsible, give the internal cost center a call so that they can do recharges," says Daniel Eichten, Senior Director of Platform Engineering. "The best case is you got your machine in half an hour. Worst case is half a week or sometimes even a week."</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/buffer/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/buffer/<!-- <div class="banner1"> <h1>CASE STUDY: <img src="https://andygol-k8s.netlify.app/images/buffer.png" width="18%" style="margin-bottom:-5px;margin-left:10px;"><br> <div class="subhead">Making Deployments Easy for a Small, Distributed Team</div> </h1> </div> --> <div class="banner1"> <h1>案例研究: <img src="https://andygol-k8s.netlify.app/images/buffer.png" width="18%" style="margin-bottom:-5px;margin-left:10px;"><br> <div class="subhead">使小型分布式团队轻松部署</div> </h1> </div> <!-- <div class="details"> Company&nbsp;<b>Buffer</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location &nbsp;<b>Around the World</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Industry &nbsp;<b>Social Media Technology</b> </div> --> <div class="details"> 公司&nbsp;<b>Buffer</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;位置 &nbsp;<b>全球</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;行业 &nbsp;<b>社交媒体技术公司</b> </div> <hr> <section class="section1"> <div class="cols"> <div class="col1"> <!-- <h2>Challenge</h2> With a small but fully distributed team of 80 working across almost a dozen time zones, Buffer—which offers social media management to agencies and marketers—was looking to solve its "classic monolithic code base problem," says Architect Dan Farrelly. "We wanted to have the kind of liquid infrastructure where a developer could create an app and deploy it and scale it horizontally as&nbsp;necessary." --> <h2>挑战</h2> Buffer 拥有一支80人的分布式团队，他们遍布全球近十几个时区。这样一个为代理商和营销人员提供社交媒体管理的公司，希望解决其“典型的单一庞大编码基数问题”，架构师 Dan Farrelly 这样说。“我们希望拥有一种流动性的基础架构，开发人员可以创建一个应用程序，可以根据需要部署并横向扩展它”。 </div> <div class="col2"> <!-- <h2>Solution</h2> Embracing containerization, Buffer moved its infrastructure from Amazon Web Services’ Elastic Beanstalk to Docker on AWS, orchestrated with&nbsp;Kubernetes. --> <h2>解决方案</h2> 拥抱容器化，Buffer 将其基础设施从 AWS 上的 Elastic Beanstalk 迁移到由 Kubernetes 负责编排的 Docker 上。 <br> <br> <!-- <h2>Impact</h2> The new system "leveled up our ability with deployment and rolling out new changes," says Farrelly. "Building something on your computer and knowing that it’s going to work has shortened things up a lot. Our feedback cycles are a lot faster now&nbsp;too." --> <h2>影响</h2> Farrelly 说，新系统“提高了我们将新变化进行部署和上线的能力”。“在自己的计算机上构建一些东西，并且知道它是可用的，这已经让事情简单了很多；而且我们的反馈周期现在也快了很多。” </div> </div> </section> <div class="banner2"> <div class="banner2text"> <!-- "It’s amazing that we can use the Kubernetes solution off the shelf with our team. And it just keeps getting better. Before we even know that we need something, it’s there in the next release or it’s coming in the next few months."<br><br><span style="font-size:16px;letter-spacing:2px;">- DAN FARRELLY, BUFFER ARCHITECT</span> --> “我们的团队能够直接使用既有的 Kubernetes 解决方案，这太棒了，而且它还在不断改进中。在意识到我们需要某些功能之前，它就出现在下一个版本中，或者在未来几个月内出现。<br><br><span style="font-size:16px;letter-spacing:2px;">- DAN FARRELLY, BUFFER ARCHITECT</span> </div> </div> <section class="section2"> <div class="fullcol"> <!-- <h2>Dan Farrelly uses a carpentry analogy to explain the problem his company, <a href="https://buffer.com">Buffer</a>, began having as its team of developers grew over the past few years.</h2> --> <h2>Dan Farrelly 用木工类比来解释他的公司<a href="https://buffer.com"> Buffer </a>，随着过去几年的发展，公司开始有这个问题。</h2> <!-- "If you’re building a table by yourself, it’s fine," the company’s architect says. "If you bring in a second person to work on the table, maybe that person can start sanding the legs while you’re sanding the top. But when you bring a third or fourth person in, someone should probably work on a different table." Needing to work on more and more different tables led Buffer on a path toward microservices and containerization made possible by Kubernetes. --> “如果你自己做一张桌子，这很好！”公司的架构师说。“如果你请另一个人一起来做这个桌子，也许这个人可以在你抛光桌面时开始对腿进行抛光。但是，当你把第三个或第四个人带进来时，有人也许应该在另外一张桌子上工作。”需要处理越来越多不同的桌子，使 Buffer 走上了 Kubernetes 实现微服务和容器化的道路。 <br><br> <!-- Since around 2012, Buffer had already been using <a href="https://aws.amazon.com/elasticbeanstalk/">Elastic Beanstalk</a>, the orchestration service for deploying infrastructure offered by <a href="https://aws.amazon.com">Amazon Web Services</a>. "We were deploying a single monolithic <a href="http://php.net/manual/en/intro-whatis.php">PHP</a> application, and it was the same application across five or six environments," says Farrelly. "We were very much a product-driven company. --> 自2012年左右以来，Buffer 开始使用<a href="https://aws.amazon.com/elasticbeanstalk/"> Elastic Beanstalk </a>,这是<a href="https://aws.amazon.com">亚马逊网络服务</a>提供的网络基础设施编排服务。“我们部署了一个单一的<a href="http://php.net/manual/en/intro-whatis.php">PHP</a>应用程序,它是在五六个环境中相同的应用程序，”Farrelly 说。“我们在很大程度上是一家产品驱动型的公司。” <!-- It was all about shipping new features quickly and getting things out the door, and if something was not broken, we didn’t spend too much time on it. If things were getting a little bit slow, we’d maybe use a faster server or just scale up one instance, and it would be good enough. We’d move on." --> 这一切都是为了尽快给应用推出新功能并进行交付，如果能够正常运行，我们就不会花太多时间在上面。如果产品变得有点慢，我们可能会使用更快的服务器或只是增加一个实例，这些就已经足够了。然后继续前进。 <br><br> <!-- But things came to a head in 2016. With the growing number of committers on staff, Farrelly and Buffer’s then-CTO, Sunil Sadasivan, decided it was time to re-architect and rethink their infrastructure. "It was a classic monolithic code base problem," says Farrelly.<br><br>Some of the company’s team was already successfully using <a href="https://www.docker.com">Docker</a> in their development environment, but the only application running on Docker in production was a marketing website that didn’t see real user traffic. They wanted to go further with Docker, and the next step was looking at options for&nbsp;orchestration. --> 但事情在2016年就到了头。随着应用提交修改的数量不断增加，Farrelly 和 Buffer 当时的首席技术官 Sunil Sadasivan 决定,是重新思考和构建其基础架构的时候了。“这是一个典型的单一庞大编码基数问题，”Farrelly说。公司的一些团队已经在开发环境中成功使用<a href="https://www.docker.com">Docker</a>，但在生产环境中，运行在 Docker 上的唯一应用程序是一个看不到真实用户流量的营销网站。他们希望在使用 Docker 上更进一步,下一步是寻找业务流程的选项。 </div> </section> <div class="banner3"> <div class="banner3text"> <!-- And all the things Kubernetes did well suited Buffer’s needs. "We wanted to have the kind of liquid infrastructure where a developer could create an app and deploy it and scale it horizontally as necessary," says Farrelly. "We quickly used some scripts to set up a couple of test clusters, we built some small proof-of-concept applications in containers, and we deployed things within an hour. We had very little experience in running containers in production. It was amazing how quickly we could get a handle on it&nbsp;[Kubernetes]." --> Kubernetes 所做的所有事情都很好地适应了 Buffer 的需求。Farrelly 说：“我们希望拥有一种流动基础架构，开发人员可以创建一个应用程序，并在必要时部署并进行水平扩展。”“我们很快就使用一些脚本来设置几个测试集群，在容器中构建了一些小的概念性验证应用程序，并在一小时内部署了这些内容。我们在生产中运行容器方面经验很少。令人惊奇的是，我们能很快地用 Kubernetes 来处理。” </div> </div> <section class="section3"> <div class="fullcol"> <!-- First they considered <a href="https://mesosphere.com">Mesosphere</a>, <a href="https://dcos.io">DC/OS</a> and <a href="https://aws.amazon.com/ecs/">Amazon Elastic Container Service</a> (which their data systems team was already using for some data pipeline jobs). While they were impressed by these offerings, they ultimately went with Kubernetes. --> 首先，他们考虑了<a href="https://mesosphere.com">Mesosphere</a>、<a href="https://dcos.io">DC/OS</a>和<a href="https://aws.amazon.com/ecs/">Amazon Elastic Container Service</a>(他们的数据系统团队已经将其用于某些数据管道作业)。虽然他们对这些产品印象深刻，但他们最终还是与 Kubernetes 合作。 <!-- "We run on AWS still, so spinning up, creating services and creating load balancers on demand for us without having to configure them manually was a great way for our team to get into this," says Farrelly. "We didn’t need to figure out how to configure this or that, especially coming from a former Elastic Beanstalk environment that gave us an automatically-configured load balancer. I really liked Kubernetes’ controls of the command line. It just took care of ports. It was a lot more flexible. Kubernetes was designed for doing what it does, so it does it very well." --> Farrelly 说：“我们的应用仍在 AWS 上运行，但是我们的团队通过 Kubernetes 无需手动配置即可创建服务并按需创建负载均衡器，这是使用 Kubernetes 的最佳入门体验。”“我们不需要考虑如何配置这个或那个,特别是相较于以前的 Elastic Beanstalk 环境，它为我们提供了一个自动配置的负载均衡器。我真的很喜欢 Kubernetes 对命令行的控制，只需要对端口进行配置，这样更加灵活。Kubernetes 是为做它所做的事情而设计的,所以它做得非常好。” <br><br> <!-- And all the things Kubernetes did well suited Buffer’s needs. "We wanted to have the kind of liquid infrastructure where a developer could create an app and deploy it and scale it horizontally as necessary," says Farrelly. "We quickly used some scripts to set up a couple of test clusters, we built some small proof-of-concept applications in containers, and we deployed things within an hour. We had very little experience in running containers in production. It was amazing how quickly we could get a handle on it [Kubernetes]." --> Kubernetes 所做的所有事情都很好地适应了 Buffer 的需求。Farrelly 说：“我们希望拥有一种流动基础架构，开发人员可以创建一个应用程序，并在必要时部署并进行水平扩展。”“我们很快就使用一些脚本来设置几个测试集群，在容器中构建了一些小的概念性验证应用程序，并在一小时内部署了这些内容。我们在生产中运行容器方面经验很少。令人惊奇的是,我们能很快地用 Kubernetes 来处理。” <br><br> <!-- Above all, it provided a powerful solution for one of the company’s most distinguishing characteristics: their remote team that’s spread across a dozen different time zones. "The people with deep knowledge of our infrastructure live in time zones different from our peak traffic time zones, and most of our product engineers live in other places," says Farrelly. "So we really wanted something where anybody could get a grasp of the system early on and utilize it, and not have to worry that the deploy engineer is asleep. Otherwise people would sit around for 12 to 24 hours for something. It’s been really cool to see people moving much faster." --> 最重要的是，它为公司最显著的特征之一提供了强大的解决方案：他们的远程团队分布在十几个不同的时区。Farrelly 说：“对我们的基础设施有深入了解的人生活在不同于我们相对集中的时区，而我们的大部分产品工程师都住在其他地方。”“因此，我们确实希望有人能够尽早掌握这套系统并利用好它，而不必担心部署工程师正在睡觉。否则，人们会为了一些东西必须得等待12到24小时左右。看到人们前进得更快，这真的很酷。” <br><br> <!-- With a relatively small engineering team—just 25 people, and only a handful working on infrastructure, with the majority front-end developers—Buffer needed "something robust for them to deploy whatever they wanted," says Farrelly. Before, "it was only a couple of people who knew how to set up everything in the old way. With this system, it was easy to review documentation and get something out extremely quickly. It lowers the bar for us to get everything in production. We don't have the big team to build all these tools or manage the infrastructure like other larger companies&nbsp;might." --> Farrelly 说，Buffer 拥有相对较小的工程团队，只有 25 人，只有少数人从事基础设施工作，大多数前端开发人员都需要“一些强大的配置能力，以便部署任何他们想要的内容。”以前，“只有几个人知道如何用旧的方式设置一切。有了这个系统，审查文档变得很容易，并且能很快地看到效果。它降低了我们获取在开发环境中所需要一切的门槛。因为我们团队的人数不足以来构建所有这些工具或像其他大公司那样管理基础架构。” </div> </section> <div class="banner4"> <div class="banner4text"> <!-- "In our old way of working, the feedback loop was a lot longer, and it was delicate because if you deployed something, the risk was high to potentially break something else," Farrelly says. "With the kind of deploys that we built around Kubernetes, we were able to detect bugs and fix them, and get them deployed super fast. The second someone is fixing [a bug], it’s out the&nbsp;door." --> Farrelly 说：“在我们以往的工作方式中，反馈循环流程要长得多，而且很微妙，因为如果你部署了某些东西，就存在破坏其他东西的风险。”“我们通过围绕 Kubernetes 构建的部署类型，能够及时检测 Bug 并修复它们，并使其部署得超快。这一秒正在修复漏洞，不一会就上线运行了。” </div> </div> <section class="section4"> <div class="fullcol"> <!-- To help with this, Buffer developers wrote a deploy bot that wraps the Kubernetes deploy process and can be used by every team. "Before, our data analysts would update, say, a <a href="https://www.python.org">Python</a> analysis script and have to wait for the lead on that team to click the button and deploy it," Farrelly explains. "Now our data analysts can make a change, enter a <a href="https://slack.com">Slack</a> command, ‘/deploy,’ and it goes out instantly. They don’t need to wait on these slow turnaround times. They don’t even know where it’s running; it doesn’t matter." --> 为了帮助解决这一问题，Buffer 开发人员编写了一个部署机器人，该机器人包装了 Kubernetes 部署过程，并且每个团队都可以使用。”“以前,我们的数据分析师会更新<a href="https://www.python.org"> Python </a>分析脚本，并且必须等待该团队的主管单击该按钮并部署它，”Farrelly 解释道。“现在，我们的数据分析师可以进行更改，输入<a href="https://slack.com"> Slack </a>命令，‘/deploy’,它会立即进行部署。他们不需要等待这些缓慢的周转时间，他们甚至不知道它在哪里运行。这些都不重要了。 <br><br> <!-- One of the first applications the team built from scratch using Kubernetes was a new image resizing service. As a social media management tool that allows marketing teams to collaborate on posts and send updates across multiple social media profiles and networks, Buffer has to be able to resize photographs as needed to meet the varying limitations of size and format posed by different social networks. "We always had these hacked together solutions," says Farrelly. --> 团队使用 Kubernetes 从头开始构建的第一个应用程序是一种新的图像大小调整服务。作为一种社交媒体管理工具，它允许营销团队通过发帖进行协作，并通过多个社交媒体配置文件和网络发送更新，Buffer 必须能够根据需要调整照片的大小，以满足不同的社交网络。Farrelly 说：“我们一直有这些拼凑在一起的解决方案。” <br><br> <!-- To create this new service, one of the senior product engineers was assigned to learn Docker and Kubernetes, then build the service, test it, deploy it and monitor it—which he was able to do relatively quickly. "In our old way of working, the feedback loop was a lot longer, and it was delicate because if you deployed something, the risk was high to potentially break something else," Farrelly says. "With the kind of deploys that we built around Kubernetes, we were able to detect bugs and fix them, and get them deployed super fast. The second someone is fixing [a bug], it’s out the door." --> 为了创建这项新服务，一位高级产品工程师被指派学习 Docker 和 Kubernetes，然后构建服务、测试、部署和监视服务，他能够相对快速地完成该服务。Farrelly说：“在我们以往的工作方式中，反馈循环流程要长得多，而且很微妙，因为如果你部署了某些东西，就存在破坏其他东西的风险。”“我们通过围绕 Kubernetes 构建的部署类型，能够及时检测 Bug 并修复它们，并使其部署得超快。这一秒正在修复漏洞,不一会就上线运行了。” <br><br> <!-- Plus, unlike with their old system, they could scale things horizontally with one command. "As we rolled it out," Farrelly says, "we could anticipate and just click a button. This allowed us to deal with the demand that our users were placing on the system and easily scale it to handle it." --> 此外，与旧系统不同，他们只需一个命令就可以水平缩放内容。“当我们推出它,”Farrelly说，“我们可以预测，只需点击一个按钮。这使我们能够处理用户对系统的需求,并轻松扩展以处理它。” <br><br> <!-- Another thing they weren’t able to do before was a canary deploy. This new capability "made us so much more confident in deploying big changes," says Farrelly. "Before, it took a lot of testing, which is still good, but it was also a lot of ‘fingers crossed.’ And this is something that gets run 800,000 times a day, the core of our business. If it doesn’t work, our business doesn’t work. In a Kubernetes world, I can do a canary deploy to test it for 1 percent and I can shut it down very quickly if it isn’t working. This has leveled up our ability to deploy and roll out new changes quickly while reducing&nbsp;risk." --> 他们以前不能做的另外一件事是金丝雀部署。Farrelly说，这种新功能“使我们在部署重大变革方面更加自信。”“以前，虽然进行很多测试但仍表现不错，但它也存在很多‘手指交叉’。这是每天运行 800000 次的东西，这是我们业务的核心。如果它不工作，我们的业务也无法运行。在 Kubernetes 世界中，我可以执行金丝雀部署以测试 1%，如果它不工作，我可以很快将其关闭。这使我们在快速部署和推出新更改的同时降低风险的能力得到了提高。” </div> </section> <div class="banner5"> <div class="banner5text"> <!-- "If you want to run containers in production, with nearly the power that Google uses internally, this [Kubernetes] is a great way to do that," Farrelly says. "We’re a relatively small team that’s actually running Kubernetes, and we’ve never run anything like it before. So it’s more approachable than you might think. That’s the one big thing that I tell people who are experimenting with it. Pick a couple of things, roll it out, kick the tires on this for a couple of months and see how much it can handle. You start learning a lot this&nbsp;way." --> Farrelly 说：“如果你想在生产中运行容器，拥有像谷歌内部使用的那种效果，那么 Kubernetes 就是一个很好的方法。”“我们是一个相对较小的团，实际上运行 Kubernetes，我们之前从来没来做过这样的事情。因此，它比你想象的更容易上手，这正是我想要告诉正在尝试使用它的人们的一件很重要的事。挑几个应用,把它们准备好,在机器上运行几个月,看看它能处理的怎么样。通过这种方式你可以学到很多东西。” </div> </div> <section class="section5"> <div class="fullcol"> <!-- By October 2016, 54 percent of Buffer’s traffic was going through their Kubernetes cluster. "There’s a lot of our legacy functionality that still runs alright, and those parts might move to Kubernetes or stay in our old setup forever," says Farrelly. But the company made the commitment at that time that going forward, "all new development, all new features, will be running on Kubernetes." --> 到 2016 年 10 月，Buffer 54% 的流量都通过其 Kubernetes 集群。Farrelly 说：“我们很多传统功能仍然运行正常，这些部分可能会转移到 Kubernetes 或永远留在我们的旧设置中。”但该公司当时承诺，“所有新的开发，所有新功能,将在Kubernetes上运行。” <br><br> <!-- The plan for 2017 is to move all the legacy applications to a new Kubernetes cluster, and run everything they’ve pulled out of their old infrastructure, plus the new services they’re developing in Kubernetes, on another cluster. "I want to bring all the benefits that we’ve seen on our early services to everyone on the team," says Farrelly. --> 2017年计划是将所有旧应用程序迁移到新的 Kubernetes 集群，并运行他们从旧基础架构中撤出的所有内容，以及他们正在另一个 Kubernetes 集群上开发的新服务。Farrelly 说：“我想为团队中的每个人带来我们早期服务的所有好处。” <br><br> <h2> <!-- For Buffer’s engineers, it’s an exciting process. "Every time we’re deploying a new service, we need to figure out: OK, what’s the architecture? How do these services communicate? What’s the best way to build this service?" Farrelly says. "And then we use the different features that Kubernetes has to glue all the pieces together. It’s enabling us to experiment as we’re learning how to design a service-oriented architecture. Before, we just wouldn’t have been able to do it. This is actually giving us a blank white board so we can do whatever we want on it." --> 对于 Buffer 的工程师来说，这是一个令人兴奋的过程。“每次部署新服务时，我们都需要弄清楚:好的，体系结构是什么？这些服务如何沟通？构建此服务的最佳方式是什么？”Farrelly说。“然后，我们使用 Kubernetes 的特性将所有部分聚合到一起。在学习如何设计面向服务的体系结构时，它使我们能够进行试验。以前，我们只是不能做到这一点。这实际上给了我们一个空白的白板，所以我们可以做任何我们想要的。” </h2> <!-- Part of that blank slate is the flexibility that Kubernetes offers should the time come when Buffer may want or need to change its cloud. "It’s cloud agnostic so maybe one day we could switch to Google or somewhere else," Farrelly says. "We’re very deep in Amazon but it’s nice to know we could move away if we need to." --> 部分空白是 Kubernetes 提供的灵活性，如果某一天 Buffer 可能想要或需要改变他的云服务。“这是与云无关的，所以也许有一天我们可以切换到谷歌或其他地方，”Farrelly 说。“我们非常依赖亚马逊的基础服务，但很高兴知道，如果我们需要的话，我们可以搬走。” <br><br> <!-- At this point, the team at Buffer can’t imagine running their infrastructure any other way—and they’re happy to spread the word. "If you want to run containers in production, with nearly the power that Google uses internally, this [Kubernetes] is a great way to do that," Farrelly says. "We’re a relatively small team that’s actually running Kubernetes, and we’ve never run anything like it before. So it’s more approachable than you might think. That’s the one big thing that I tell people who are experimenting with it. Pick a couple of things, roll it out, kick the tires on this for a couple of months and see how much it can handle. You start learning a lot this&nbsp;way." --> 此时，Buffer 团队无法想象以任何其他方式运行其基础结构，他们很乐意传播这一信息。Farrelly 说：“如果你想在生产中运行容器，拥有像谷歌内部使用的那种效果，那么 Kubernetes 就是一个很好的方法。”“我们是一个相对较小的团队，实际上运行 Kubernetes，我们之前从来没来做过这样的事情。因此，它比你想象的更容易上手，这正是我想要告诉正在尝试使用它的人们的一件很重要的事。挑几个应用，把它们准备好，在机器上运行几个月，看看它能处理的怎么样。通过这种方式你可以学到很多东西。” <br><br> </div> </section>https://andygol-k8s.netlify.app/zh-cn/case-studies/ibm/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/ibm/<!-- <div class="banner1" style="background-image: url('/images/CaseStudy_ibm_banner1.jpg')"> <h1> CASE STUDY:<img src="https://andygol-k8s.netlify.app/images/ibm_logo.png" class="header_logo" style="width:10%"><br> <div class="subhead">Building an Image Trust Service on Kubernetes with Notary and TUF</div></h1> </div> --> <div class="banner1"> <h1> 案例研究：<img src="https://andygol-k8s.netlify.app/images/ibm_logo.png" width="18%" style="margin-bottom:-5px;margin-left:10px;"><br> <div class="subhead">在 Kubernetes 上使用 Notary 和 TUF 建立镜像信任服务</div></h1> </div> <div class="details"> 公司 &nbsp;<b>IBM</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;位置 &nbsp;<b>阿蒙克， 纽约</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;行业 &nbsp;<b>云计算</b> </div> <hr> <section class="section1"> <div class="cols"> <div class="col1"> <h2>挑战</h2> <!-- <a href="https://www.ibm.com/cloud/">IBM Cloud</a> offers public, private, and hybrid cloud functionality across a diverse set of runtimes from its OpenWhisk-based function as a service (FaaS) offering, managed <a href="https://kubernetes.io">Kubernetes</a> and containers, to <a href="https://www.cloudfoundry.org">Cloud Foundry</a> platform as a service (PaaS). These runtimes are combined with the power of the company’s enterprise technologies, such as MQ and DB2, its modern artificial intelligence (AI) Watson, and data analytics services. Users of IBM Cloud can exploit capabilities from more than 170 different cloud native services in its catalog, including capabilities such as IBM’s Weather Company API and data services. In the later part of 2017, the IBM Cloud Container Registry team wanted to build out an image trust service. --> <a href="https://www.ibm.com/cloud/">IBM Cloud</a> 提供公共、私有和混合云功能，包括基于 OpenWhisk 的服务 （FaaS）、托管于 <a href="https://kubernetes.io">Kubernetes</a> 和容器，以及 <a href="https://www.cloudfoundry.org">Cloud Foundry</a> 服务 （PaaS） 的各种运行时。这些运行时与公司企业技术（如 MQ 和 DB2、其现代人工智能 （AI） Watson 和数据分析服务）的强大功能相结合。IBM Cloud 用户可以使用其目录中 170 多个不同云原生服务的功能，包括 IBM 的气象公司 API 和数据服务等功能。在 2017 年后期，IBM 云容器托管团队希望构建镜像信任服务。<br><br> <h2>解决方案</h2> <!-- The work on this new service culminated with its public availability in the IBM Cloud in February 2018. The image trust service, called Portieris, is fully based on the <a href="https://www.cncf.io">Cloud Native Computing Foundation (CNCF)</a> open source project <a href="https://github.com/theupdateframework/notary">Notary</a>, according to Michael Hough, a software developer with the IBM Cloud Container Registry team. Portieris is a Kubernetes admission controller for enforcing content trust. Users can create image security policies for each Kubernetes namespace, or at the cluster level, and enforce different levels of trust for different images. Portieris is a key part of IBM’s trust story, since it makes it possible for users to consume the company’s Notary offering from within their IKS clusters. The offering is that Notary server runs in IBM’s cloud, and then Portieris runs inside the IKS cluster. This enables users to be able to have their IKS cluster verify that the image they're loading containers from contains exactly what they expect it to, and Portieris is what allows an IKS cluster to apply that verification. --> 2018 年 2 月，这项新服务在 IBM 云中公开发布。IBM 云容器托管团队的软件开发者 Michael Hough 说，名为 Portieris 的镜像信任服务完全基于 <a href="https://www.cncf.io">Cloud Native Computing Foundation (CNCF)</a> 的开源项目 <a href="https://github.com/theupdateframework/notary">Notary</a>。Portieris 是 Kubernetes 的准入控制器，用于强制执行适当的信任等级。用户可以为每个 Kubernetes 命名空间或在集群级别创建镜像安全策略，并为不同的镜像强制实施不同级别的信任。Portieris 是 IBM 信任内容的关键部分，因为它使用户能够从 IKS 集群中使用公司的 Notary。产品是 Notary 服务器在 IBM 的云中运行，然后 Portieris 在 IKS 集群内运行。这使用户能够让 IKS 集群验证他们加载容器的镜像是否包含他们期望的内容，而 Portieris 是允许 IKS 集群应用该验证的原因。 </div> <div class="col2"> <h2>影响</h2> <!-- IBM's intention in offering a managed Kubernetes container service and image registry is to provide a fully secure end-to-end platform for its enterprise customers. "Image signing is one key part of that offering, and our container registry team saw Notary as the de facto way to implement that capability in the current Docker and container ecosystem," Hough says. The company had not been offering image signing before, and Notary is the tool it used to implement that capability. "We had a multi-tenant Docker Registry with private image hosting," Hough says. "The Docker Registry uses hashes to ensure that image content is correct, and data is encrypted both in flight and at rest. But it does not provide any guarantees of who pushed an image. We used Notary to enable users to sign images in their private registry namespaces if they so choose." --> IBM 打算提供基于 Kubernetes 的容器服务和镜像托管服务，目的是为其企业客户提供完全安全的端到端平台。Hough 说：“镜像签名是该产品的关键部分之一，我们的容器托管团队将 Notary 视为在当前 Docker 和容器生态系统中实现该功能的实际方式。”该公司以前没有提供镜像签名，Notary 是它用来实现该功能的工具。“我们有一个多租户 Docker 托管服务，具有私有镜像托管功能，” Hough 说。“ Docker 托管使用哈希值来确保镜像内容正确，并且数据在传输和静态时都进行了加密。但它没有提供任何保证谁推镜像。我们使用 Notary 来允许用户在其专用仓库命名空间中签名镜像（如果他们愿意的话）。” </div> </div> </section> <div class="banner2"> <div class="banner2text"> <!-- "We see CNCF as a safe haven for cloud native open source, providing stability, longevity, and expected maintenance for member projects—no matter the originating vendor or project."<br style="height:25px"><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br>- Michael Hough, a software developer with the IBM Container Registry team</span> --> “我们将 CNCF 视为云原生开源的安全避难所，为成员项目（无论是原始供应商还是项目）提供稳定性、使用寿命和预期维护。”<br><br><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;">- Michael Hough, IBM 容器托管团队软件开发人员</span> </div> </div> <section class="section2"> <div class="fullcol"> <!-- <h2>Docker had already created the Notary project as an implementation of <a href="https://github.com/theupdateframework/specification" style="text-decoration:underline">The Update Framework (TUF)</a>, and this implementation of TUF provided the capabilities for Docker Content Trust.</h2> "After contribution to CNCF of both TUF and Notary, we perceived that it was becoming the de facto standard for image signing in the container ecosystem", says Michael Hough, a software developer with the IBM Cloud Container Registry team. --> <h2>Docker 已经创建了 Notary 项目作为 <a href="https://github.com/theupdateframework/specification" style="text-decoration:underline">The Update Framework (TUF)</a> 的实现，TUF 的此实现为 Docker 内容信任提供了功能。</h2> IBM 云容器托管团队的软件开发者 Michael Hough 说：“在 TUF 和 Notary 对 CNCF 做出了贡献后，我们发现它正在成为容器生态系统中镜像签名的实际标准。”<br><br> <!-- The key reason for selecting Notary was that it was already compatible with the existing authentication stack IBM’s container registry was using. So was the design of TUF, which does not require the registry team to have to enter the business of key management. Both of these were "attractive design decisions that confirmed our choice of Notary," he says. --> 选择 Notary 的关键原因是它已经与 IBM 的容器托管正在使用的现有身份验证技术兼容。TUF 的设计也是如此，它不要求托管团队必须涉足密钥管理业务。他说，这两项都是“有吸引力的设计决定，证实了我们对 Notary 的选择是正确的。”<br><br> <!-- The introduction of Notary to implement image signing capability in IBM Cloud encourages increased security across IBM's cloud platform, "where we expect it will include both the signing of official IBM images as well as expected use by security-conscious enterprise customers," Hough says. "When combined with security policy implementations, we expect an increased use of deployment policies in CI/CD pipelines that allow for fine-grained control of service deployment based on image signers." --> 在 IBM Cloud 中引入 Notary 功能以实现镜像签名，可提高 IBM 云平台的安全性，“我们预计这将包括签署 IBM 官方镜像以及预期的有安全需求的企业客户，” Hough 说。与安全策略实现结合使用时，我们预计 CI/CD 管道中会更多地使用部署策略，以便根据镜像签名者对服务部署进行精细控制。 <!-- The availability of image signing "is a huge benefit to security-conscious customers who require this level of image provenance and security," Hough says. "With our IBM Cloud Kubernetes as-a-service offering and the admission controller we have made available, it allows both IBM services as well as customers of the IBM public cloud to use security policies to control service deployment." --> Hough 说，镜像签名的可用性“对于需要这种级别镜像来源和安全性的客户来说，是一个巨大的好处。”“借助我们的 IBM 云上的 Kubernetes 以及我们提供的许可控制器，它允许 IBM 服务以及 IBM 公共云的客户使用安全策略来控制服务部署。” </div> </section> <div class="banner3"> <div class="banner3text"> <!-- "Image signing is one key part of our Kubernetes container service offering, and our container registry team saw Notary as the de facto way to implement that capability in the current Docker and container ecosystem"<span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br><br>- Michael Hough, a software developer with the IBM Cloud Container Registry team</span> --> 镜像签名是我们 Kubernetes 容器服务的关键部分之一，我们的容器托管团队将 Notary 视为在当前 Docker 和容器生态系统中实现该功能的实际方式。<br><br><span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;">- Michael Hough, IBM 容器托管团队软件开发人员</span> </div> </div> <section class="section3"> <div class="fullcol"> <!-- Now that the Notary-implemented service is generally available in IBM’s public cloud as a component of its existing IBM Cloud Container Registry, it is deployed as a highly available service across five IBM Cloud regions. This high-availability deployment has three instances across two zones in each of the five regions, load balanced with failover support. "We have also deployed it with end-to-end TLS support through to our back-end IBM Cloudant persistence storage service," Hough says. --> 现在，Notary 通常作为现有 IBM 云容器托管的一个组件在 IBM 的公共云中提供服务，因此它被部署为五个 IBM 云区域中的高可用服务。此高可用性部署在五个区域中的每个区域中各有三个实例，实现负载均衡与故障转移。Hough 说：“我们还将其部署到后端 IBM Cloudant 持久性存储服务，并随端到端 TLS 支持一起部署。”<br><br> <!-- The IBM team has created and open sourced a Kubernetes admission controller called Portieris, which uses Notary signing information combined with customer-defined security policies to control image deployment into their cluster. "We are hoping to drive adoption of Portieris through its use of our Notary offering," Hough says. --> IBM 团队创建并开源了名为 Portieris 的 Kubernetes 准入控制器，该控制器使用 Notary 签名信息与客户定义的安全策略相结合，以控制将镜像部署到集群中。“我们希望通过使用我们的 Notary 服务来推动 Portieris 的使用，” Hough 说。<br><br> <!-- IBM has been a key player in the creation and support of open source foundations, including CNCF. Todd Moore, IBM's vice president of Open Technology, is the current CNCF governing board chair and a number of IBMers are active across many of the CNCF member projects. --> IBM 在创建和支持开源基础（包括 CNCF）方面一直占据主导地位。IBM 开放技术副总裁 Todd Moore 是现任 CNCF 董事会主席，许多 IBM 员工活跃于 CNCF 成员项目中。 </div> </section> <div class="banner4"> <div class="banner4text"> <!-- "There are new projects addressing these challenges, including within CNCF. We will definitely be following these advancements with interest. We found the Notary community to be an active and friendly community open to changes, such as our addition of a CouchDB backend for persistent storage." <span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;"><br><br>- Michael Hough, a software developer with the IBM Cloud Container Registry team</span> --> “有新项目应对这些挑战，包括在 CNCF 内。我们一定会饶有兴趣地关注这些进步。我们发现 Notary 社区是一个积极友好的社区，对变化持开放态度，例如我们为持久存储添加的 CouchDB 后端。”<br><br> <span style="font-size:14px;letter-spacing:2px;text-transform:uppercase;margin-top:5% !important;">- Michael Hough, IBM 容器托管团队软件开发人员</span> </div> </div> <section class="section4"> <div class="fullcol"> <!-- The company has used other CNCF projects <a href="https://containerd.io">containerd</a>, <a href="https://www.envoyproxy.io">Envoy</a>, <a href="https://prometheus.io">Prometheus</a>, <a href="https://grpc.io">gRPC</a>, and <a href="https://github.com/containernetworking">CNI</a>, and is looking into <a href="https://github.com/spiffe">SPIFFE</a> and <a href="https://github.com/spiffe/spire">SPIRE</a> as well for potential future use. --> 该公司已经使用的 CNCF 项目有 <a href="https://containerd.io">containerd</a>，<a href="https://www.envoyproxy.io">Envoy</a>，<a href="https://prometheus.io">Prometheus</a>，<a href="https://grpc.io">gRPC</a>，<a href="https://github.com/containernetworking">CNI</a>，而且正在探索 <a href="https://github.com/spiffe">SPIFFE</a> 和 <a href="https://github.com/spiffe/spire">SPIRE</a> 在未来的潜在可用性。<br><br> <!-- What advice does Hough have for other companies that are looking to deploy Notary or a cloud native infrastructure? --> 对于希望部署 Notary 或云原生基础架构的其他公司，Hough 有何建议？<br><br> <!-- "While this is true for many areas of cloud native infrastructure software, we found that a high-availability, multi-region deployment of Notary requires a solid implementation to handle certificate management and rotation," he says. "There are new projects addressing these challenges, including within CNCF. We will definitely be following these advancements with interest. We found the Notary community to be an active and friendly community open to changes, such as our addition of a CouchDB backend for persistent storage." --> “虽然对于云原生基础结构软件的许多领域也是如此，但我们发现，高可用性、多区域的 Notary 部署需要扎实的实现来处理证书管理和轮换，”他说。“有新项目应对这些挑战，包括在 CNCF 内。我们一定会饶有兴趣地关注这些进步。我们发现 Notary 社区是一个积极友好的社区，对变化持开放态度，例如我们为持久存储添加的 CouchDB 后端。” </div> </section>https://andygol-k8s.netlify.app/zh-cn/case-studies/nordstrom/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/nordstrom/<!-- <h2>Challenge</h2> --> <h2>挑战</h2> <!-- <p>Nordstrom wanted to increase the efficiency and speed of its technology operations, which includes the Nordstrom.com e-commerce site. At the same time, Nordstrom Technology was looking for ways to tighten its technology operational costs.</p> --> <p>Nordstrom 希望提高其技术运营的效率和速度，其中包括 Nordstrom.com 电子商务网站。与此同时，Nordstrom 技术公司正在寻找压缩技术运营成本的方法。</p> <!-- <h2>Solution</h2> --> <h2>解决方案</h2> <!-- <p>After embracing a DevOps transformation and launching a continuous integration/continuous deployment (CI/CD) project four years ago, the company reduced its deployment time from three months to 30 minutes. But they wanted to go even faster across environments, so they began their cloud native journey, adopting Docker containers orchestrated with <a href="http://kubernetes.io/">Kubernetes</a>.</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/wikimedia/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/wikimedia/<!-- title: Wikimedia Case Study case_study_styles: true cid: caseStudies new_case_study_styles: true heading_title_text: Wikimedia use_gradient_overlay: true subheading: > Using Kubernetes to Build Tools to Improve the World's Wikis case_study_details: - Company: Wikimedia - Location: San Francisco, CA --> <!-- <p>The non-profit Wikimedia Foundation operates some of the largest collaboratively edited reference projects in the world, including Wikipedia. To help users maintain and use wikis, it runs Wikimedia Tool Labs, a hosting environment for community developers working on tools and bots to help editors and other volunteers do their work, including reducing vandalism. The community around Wikimedia Tool Labs began forming nearly 10 years ago.</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/wink/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/wink/<div class="banner1"> <!-- <h1>CASE STUDY: <img src="https://andygol-k8s.netlify.app/images/wink_logo.png" width="13%" style="margin-bottom:-4px"><br> <div class="subhead">Cloud-Native Infrastructure Keeps Your Smart Home Connected</div> </h1> --> <h1>案例研究： <img src="https://andygol-k8s.netlify.app/images/wink_logo.png" width="13%" style="margin-bottom:-4px"><br> <div class="subhead">云原生基础设施让你的智能家居互联</div> </h1> </div> <!-- <div class="details"> Company &nbsp;<b>Wink</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location &nbsp;<b>New York, N.Y.</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Industry &nbsp;<b>Internet of Things Platform</b> </div> --> <div class="details"> 公司 &nbsp;<b>Wink</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;位置 &nbsp;<b>纽约，纽约州</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;行业 &nbsp;<b>物联网平台</b> </div> <hr> <section class="section1"> <div class="cols"> <div class="col1"> <h2>挑战</h2> <!-- Building a low-latency, highly reliable infrastructure to serve communications between millions of connected smart-home devices and the company’s consumer hubs and mobile app, with an emphasis on horizontal scalability, the ability to encrypt everything quickly and connections that could be easily brought back up if anything went wrong. --> 构建低延迟、高度可靠的基础设施，为数百万互联智能家居设备、公司消费者中心、移动应用之间的通信提供服务，强调水平可扩展性，能够快速加密所有内容和强健的连接。 <br><br> <h2>解决方案</h2> <!-- Across-the-board use of a Kubernetes-Docker-CoreOS Container Linux stack.<br><br> --> 全面使用 Kubernetes-Docker-CoreOS 容器的 Linux 系统。<br><br> </div> <div class="col2"> <h2>影响</h2> <!-- "Two of the biggest American retailers [Home Depot and Walmart] are carrying and promoting the brand and the hardware,” Wink Head of Engineering Kit Klein says proudly – though he adds that "it really comes with a lot of pressure. It’s not a retail situation where you have a lot of tech enthusiasts. These are everyday people who want something that works and have no tolerance for technical excuses.” And that’s further testament to how much faith Klein has in the infrastructure that the Wink team has built. With 80 percent of Wink’s workload running on a unified stack of Kubernetes-Docker-CoreOS, the company has put itself in a position to continually innovate and improve its products and services. Committing to this technology, says Klein, "makes building on top of the infrastructure relatively&nbsp;easy.” --> “美国最大的两家零售商 [Home Depot 和 Walmart] 正在使用和推广 Wink 品牌和硬件，” Wink 工程主管 Kit Klein 自豪地说，不过他补充道，“这确实带来了很大的压力。这不是普通的零售商客户像技术狂热者一样追求前沿技术。这些人每天都在想要一些行之有效的东西，并且不会容忍技术方面的借口。”这进一步证明了 Klein 对 Wink 团队所构建的基础设施有多大的信心。由于 Wink 80% 的工作量在 Kubernetes-Docker-CoreOS 的统一堆栈上运行，公司已使自己能够不断创新和改进其产品和服务。克莱因说，致力于这项技术“使得在基础设施之上的建设相对容易。” </div> </div> </section> <div class="banner2"> <div class="banner2text"> <!-- "It’s not proprietary, it’s totally open, it’s really portable. You can run all the workloads across different cloud providers. You can easily run a hybrid AWS or even bring in your own data center. That’s the benefit of having everything unified on one open source Kubernetes-Docker-CoreOS Container Linux stack. There are massive security benefits if you only have one Linux distro/machine image to validate. The benefits are enormous because you save money, and you save time.”<br><br><span style="font-size:15px;letter-spacing:0.08em">- KIT KLEIN, HEAD OF ENGINEERING, WINK</span> --> “它不是专有的，它是完全开放的，它非常可移植。你可以跨不同的云提供商运行所有工作负载。你可以轻松地运行混合形式的 AWS，甚至引入你自己的数据中心。这就是在一个开源 Kubernetes-Docker-CoreOS 容器 Linux 系统上统一所有内容的好处。如果你只有一个 Linux 发行版/计算机映像进行验证，则具有巨大的安全优势。好处是巨大的，因为即省钱又省时间。<br><br><span style="font-size:15px;letter-spacing:0.08em">- KIT KLEIN, WINK 工程主管</span> </div> </div> <section class="section2"> <div class="fullcol"> <!-- <h2>How many people does it take to turn on a light bulb?</h2> --> <h2>打开一个灯泡需要多少人？</h2> <!-- Kit Klein whips out his phone to demonstrate. With a few swipes, the head of engineering at Wink pulls up the smart-home app created by the New York City-based company and taps the light button. "Honestly when you’re holding the phone and you’re hitting the light,” he says, "by the time you feel the pressure of your finger on the screen, it’s on. It takes as long as the signal to travel to your brain.”<br><br> --> Kit Klein 拿出他的手机进行演示。只需轻扫几下，Wink 的工程主管打开由一家纽约公司开发的智能家居应用程序，然后轻触灯光按钮。“老实说，当你拿着手机，意味着你控制着灯光，”他说，“当你感觉到你的手指在屏幕上的压力，灯就打开了。开灯就和触觉反馈到你的大脑一样快。”<br><br> <!-- Sure, it takes just one finger and less than 200 milliseconds to turn on the light – or lock a door or change a thermostat. But what allows Wink to help consumers manage their connected smart-home products with such speed and ease is a sophisticated, cloud native infrastructure that Klein and his team built and continue to develop using a unified stack of CoreOS, the open-source operating system designed for clustered deployments, and Kubernetes, an open-source platform for automating deployment, scaling, and operations of application containers across clusters of hosts, providing container-centric infrastructure. "When you have a big, complex network of interdependent microservices that need to be able to discover each other, and need to be horizontally scalable and tolerant to failure, that’s what this is really optimized for,” says Klein. "A lot of people end up relying on proprietary services [offered by some big cloud providers] to do some of this stuff, but what you get by adopting CoreOS/Kubernetes is portability, to not be locked in to anyone. You can really make your own fate.”<br><br> --> 当然，只需一根手指，不到 200 毫秒即可打开灯，或锁上门或更换恒温器。但是，让 Wink 能够帮助消费者以如此快速和轻松的速度管理其互联智能家居产品的是一个复杂的云原生基础架构，Klein 和他的团队使用开源的 CoreOS 统一系统构建并继续开发专为集群部署设计的操作系统和 Kubernetes，Kubernetes 是一个开源平台，用于跨主机集群自动部署、扩展和操作应用程序容器，提供以容器为中心的基础结构。Klein 说：“当你拥有一个庞大而复杂的相互依赖的微服务网络，需要能够发现彼此，并且需要水平可伸缩和对故障的容忍度时，这就是真正优化的原因。”“很多人最终依靠一些大型云提供商提供的专有服务来执行某些操作，但通过采用 CoreOS/Kubernetes 获得的是可移植性，而不是依赖于固定的某人。你真的可以决定自己的命运。“”<br><br> <!-- Indeed, Wink did. The company’s mission statement is to make the connected home accessible – that is, user-friendly for non-technical owners, affordable and perhaps most importantly, reliable. "If you can’t trust that when you hit the switch, you know a light is going to go on, or if you’re remote and you’re checking on your house and that information isn’t accurate, then the convenience of the system is lost,” says Klein. "So that’s where the infrastructure comes in.”<br><br> --> 事实上，Wink 做到了。公司的使命是使家庭互联无障碍，即对非技术业主来说，用户友好，价格合理，也许最重要的是，可靠。Klein 说：“如果你不相信，当你点击开关时就可以打开一盏灯，或者你在远处使用手机检查你的房子，但是反馈信息不准确，那么系统的便利性就会丧失。”这就是基础架构的用处。<br><br> <!-- Wink was incubated within Quirky, a company that developed crowd-sourced inventions. The Wink app was first introduced in 2013, and at the time, it controlled only a few consumer products such as the PivotPower Strip that Quirky produced in collaboration with GE. As smart-home products proliferated, Wink was launched in 2014 in Home Depot stores nationwide. Its first project: a hub that could integrate with smart products from about a dozen brands like Honeywell and Chamberlain. The biggest challenge would be to build the infrastructure to serve all those communications between the hub and the products, with a focus on maximizing reliability and minimizing latency.<br><br> --> Wink 是在 Quirky 公司孵化的，该公司开发众包产品。Wink 应用程序于 2013 年首次推出，当时，它只控制了少数消费类产品，如 Quirky 与 GE 合作生产的 PivotPower Strip。随着智能家居产品的激增，Wink 于 2014 年在全国的 Home Depot 商店推出。其第一个项目：可以与 Honeywell 和 Chamberlain 等十几个品牌的智能产品集成的平台。最大的挑战是构建基础设施，为信息中心和产品之间的所有这些通信提供服务，重点是最大限度地提高可靠性和最小化延迟。<br><br> <!-- "When we originally started out, we were moving very fast trying to get the first product to market, the minimum viable product,” says Klein. "Lots of times you go down a path and end up having to backtrack and try different things. But in this particular case, we did a lot of the work up front, which led to us making a really sound decision to deploy it on CoreOS Container Linux. And that was very early in the life of it.” --> Klein 说：“当我们最初推出时，我们正以非常快的速度尝试将第一个产品推向市场，即最低可行产品。”“很多时候，你走一条路，最终不得不回头尝试不同的东西。但是在这个特殊的情况下，我们预先做了许多工作，这导致我们作出了一个真正明智的决定，将其部署到使用 CoreOS 容器的 Linux 上。而且是在项目伊始时就这么做了。” </div> </section> <div class="banner3"> <div class="banner3text"> <!-- "...what you get by adopting CoreOS/Kubernetes is portability, to not be locked in to anyone. You can really make your own fate.” --> “...通过 CoreOS/Kubernetes 带来的可移植性，你可以不依赖于任何人。你真的可以决定自己的命运。” </div> </div> <section class="section3"> <div class="fullcol"> <!-- Concern number one: Wink’s products need to connect to consumer devices in people’s homes, behind a firewall. "You don’t have an end point like a URL, and you don’t even know what ports are open behind that firewall,” Klein explains. "So you essentially need to have this thing wake up and talk to your system and then open real-time, bidirectional communication between the cloud and the device. And it’s really, really important that it’s persistent because you want to decrease as much as possible the overhead of sending a message – you never know when someone is going to turn on the lights.”<br><br> --> 关注第一：Wink 的产品需要连接到人们家中在防火墙后面的消费设备。Klein 解释道：“由于没有 URL 这样的端点，你甚至不需要知道防火墙后面打开了哪些端口。”“因此，你基本上需要唤醒这些设备，然后与你的系统通信，然后在云和设备之间打开实时、双向通信。持续的连接真的非常重要，因为你希望尽可能减少发送消息的开销，你永远不知道什么时候有人会开灯。”<br><br> <!-- With the earliest version of the Wink Hub, when you decided to turn your lights on or off, the request would be sent to the cloud and then executed. Subsequent updates to Wink’s software enabled local control, cutting latency down to about 10 milliseconds for many devices. But with the need for cloud-enabled integrations of an ever-growing ecosystem of smart home products, low-latency internet connectivity is still a critical consideration. --> 使用 Wink Hub 的最早版本，当你决定打开或关闭灯光时，请求将发送到云，然后执行。Wink 软件的后续更新启用了本地控制，将许多设备的延迟缩短到大约 10 毫秒。但是，由于需要云支持的智能家居产品生态系统的集成，低延迟互联网连接仍然是一个关键的考虑因素。 <br><br> <!-- <h2>"You essentially need to have this thing wake up and talk to your system and then open real-time, bidirectional communication between the cloud and the device. And it’s really, really important that it’s persistent...you never know when someone is going to turn on the&nbsp;lights.”</h2> --> <h2>“你基本上需要唤醒此设备，然后与你的系统通信，然后在云和设备之间打开实时、双向通信。持续的连接真的非常重要，你永远不知道什么时候有人会开灯。”</h2> <!-- In addition, Wink had other requirements: horizontal scalability, the ability to encrypt everything quickly, connections that could be easily brought back up if something went wrong. "Looking at this whole structure we started, we decided to make a secure socket-based service,” says Klein. "We’ve always used, I would say, some sort of clustering technology to deploy our services and so the decision we came to was, this thing is going to be containerized, running on Docker.”<br><br> --> 此外，Wink 还有其他要求：水平可扩展性、快速加密所有内容的能力、在出现问题时可以轻松恢复的连接。Klein 说：“从一开始的整个结构来看，我们决定提供基于套接字的安全服务。”“我们总是使用某种集群技术来部署我们的服务，因此我们决定，这东西将被容器化，在 Docker 上运行。”<br><br> <!-- At the time – just over two years ago – Docker wasn’t yet widely used, but as Klein points out, "it was certainly understood by the people who were on the frontier of technology. We started looking at potential technologies that existed. One of the limiting factors was that we needed to deploy multi-port non-http/https services. It wasn’t really appropriate for some of the early cluster technology. We liked the project a lot and we ended up using it on other stuff for a while, but initially it was too targeted toward http workloads.”<br><br> --> 当时，就在两年多前，Docker 还没有被广泛使用，但是正如 Klein 指出的，“技术前沿的人们当然理解它。我们开始研究现有的潜在技术。限制因素之一是我们需要部署多端口非 http/https 服务。它并不真正适合某些早期的集群技术。我们非常喜欢这个项目，最后在其它东西上使用了一段时间，但最初它过于针对 http 工作负载。”<br><br> <!-- Once Wink’s backend engineering team decided on a Dockerized workload, they had to make decisions about the OS and the container orchestration platform. "Obviously you can’t just start the containers and hope everything goes well,” Klein says with a laugh. "You need to have a system that is helpful [in order] to manage where the workloads are being distributed out to. And when the container inevitably dies or something like that, to restart it, you have a load balancer. All sorts of housekeeping work is needed to have a robust infrastructure.” --> Wink 的后端工程团队决定使用 Docker 化的工作负载后，就不得不就操作系统和容器编排平台做出决定。Klein 笑着说：“很明显，你不能只是启动容器，希望一切顺利。”“你需要有一个有用的系统，以便管理工作负载的分发位置。当容器不可避免地死亡或类似的东西，重新启动它，你得有一个负载平衡器。要拥有强大的基础设施，需要进行各种内部事务管理工作。” </div> </section> <div class="banner4"> <div class="banner4text"> <!-- "Obviously you can’t just start the containers and hope everything goes well,” Klein says with a laugh. "You need to have a system that is helpful [in order] to manage where the workloads are being distributed out to. And when the container inevitably dies or something like that, to restart it, you have a load balancer. All sorts of housekeeping work is needed to have a robust infrastructure.” --> Klein 笑着说：“很明显，你不能只是启动容器，希望一切顺利。”“你需要有一个有用的系统，以便管理工作负载的分发位置。当容器不可避免地死亡或类似的东西，重新启动它，你得有一个负载平衡器。要拥有强大的基础设施，需要进行各种内部事务管理工作。” </div> </div> <section class="section4"> <div class="fullcol"> <!-- Wink considered building directly on a general purpose Linux distro like Ubuntu (which would have required installing tools to run a containerized workload) and cluster management systems like Mesos (which was targeted toward enterprises with larger teams/workloads), but ultimately set their sights on CoreOS Container Linux. "A container-optimized Linux distribution system was exactly what we needed,” he says. "We didn’t have to futz around with trying to take something like a Linux distro and install everything. It’s got a built-in container orchestration system, which is Fleet, and an easy-to-use API. It’s not as feature-rich as some of the heavier solutions, but we realized that, at that moment, it was exactly what we needed.”<br><br> --> Wink 考虑直接在通用 Linux 发行版（需要安装工具来运行容器化工作负载）和集群管理系统如 Mesos（面向拥有较大团队的企业）的基础上构建，但最终将目光投向了使用 CoreOS 容器的 Linux。“一个容器优化的Linux分发系统正是我们需要的，”他说。“我们不必为了尝试采用 Linux 发行版之类的东西来安装所有内容而四处奔波。它有一个内置的容器编排系统，Fleet ，和一个易于使用的 API。它不像一些较重的解决方案那样具有丰富的功能，但我们意识到，在那一刻，这正是我们需要的。”<br><br> <!-- Wink’s hub (along with a revamped app) was introduced in July 2014 with a short-term deployment, and within the first month, they had moved the service to the Dockerized CoreOS deployment. Since then, they’ve moved almost every other piece of their infrastructure – from third-party cloud-to-cloud integrations to their customer service and payment portals – onto CoreOS Container Linux clusters. <br><br> --> Wink 的核心（以及经过改进的应用程序）于 2014 年 7 月推出，并进行了短期部署，并在第一个月内将服务转移到 Docker 化的 CoreOS 上部署。自那时以来，他们几乎将基础设施的其他所有部分（从第三方云到云的集成迁移到其客户服务和支付门户）迁移到使用 CoreOS 容器的 Linux 集群上。<br><br> <!-- Using this setup did require some customization. "Fleet is really nice as a basic container orchestration system, but it doesn’t take care of routing, sharing configurations, secrets, et cetera, among instances of a service,” Klein says. "All of those layers of functionality can be implemented, of course, but if you don’t want to spend a lot of time writing unit files manually – which of course nobody does – you need to create a tool to automate some of that, which we did.”<br><br> --> 使用此设置确实需要一些额外的配置。Klein 说：“ Fleet 作为一个基本的容器编排系统确实很好，但它不负责服务实例之间的路由、配置共享、加密等。当然，所有这些功能层都可以实现，但如果你不想花费大量时间手动编写单元文件（当然没有人这样做），则需要创建一个工具来自动执行其中一些文件，我们做到了。”<br><br> <!-- Wink quickly embraced the Kubernetes container cluster manager when it was launched in 2015 and integrated with CoreOS core technology, and as promised, it ended up providing the features Wink wanted and had planned to build. "If not for Kubernetes, we likely would have taken the logic and library we implemented for the automation tool that we created, and would have used it in a higher level abstraction and tool that could be used by non-DevOps engineers from the command line to create and manage clusters,” Klein says. "But Kubernetes made that totally unnecessary – and is written and maintained by people with a lot more experience in cluster management than us, so all the better.” Now, an estimated 80 percent of Wink’s workload is run on Kubernetes on top of CoreOS Container Linux. --> Wink 在 2015 年推出并集成了 CoreOS 核心技术时，很快接受了 Kubernetes 容器集群管理器，正如所承诺的那样，它最终提供了 Wink 想要的功能，并计划构建这些功能。“如果不是 Kubernetes，我们很可能采用我们为所创建的自动化工具实现的逻辑和库，并将它用于更高级别的抽象和工具，这些抽象和工具可供命令行中的非 DevOps 工程师使用，以创建和管理集群，” Klein 说。“但 Kubernetes 完全没有必要这样做，并且由比我们在集群管理方面有经验更丰富的人编写和维护，因此更好。现在，估计 Wink 80% 的工作负载是在使用 CoreOS 容器的 Linux 之上的 Kubernetes 上运行。” </div> </section> <div class="banner5"> <div class="banner5text"> <!-- "Stay close to the development. Understand why decisions are being made. If you understand the intent behind the project, from the technological intent to a certain philosophical intent, then it helps you understand how to build your system in harmony with those systems as opposed to trying to work against it.” --> “同发展保持同步。了解决策原因。如果你了解项目背后的意图，从技术意图到某种哲学意图，那么它可以帮助你了解如何与这些系统和谐地构建系统，而不是试图与之对抗。” </div> </div> <section class="section5"> <div class="fullcol"> <!-- Wink’s reasons for going all in are clear: "It’s not proprietary, it’s totally open, it’s really portable,” Klein says. "You can run all the workloads across different cloud providers. You can easily run a hybrid AWS or even bring in your own data center. That’s the benefit of having everything unified on one Kubernetes-Docker-CoreOS Container Linux stack. There are massive security benefits if you only have one Linux distro to try to validate. The benefits are enormous because you save money, you save time.”<br><br> --> Wink 的去向理由很明确：“它不是专有的，它是完全开放的，它真的很便携，” Klein 说，“它很可移植。你可以跨不同的云提供商运行所有工作负载。你可以轻松地运行混合 AWS，甚至引入你自己的数据中心。这就是在一个使用 Kubernetes-Docker-CoreOS 容器的 Linux 系统上统一所有内容的好处。如果你只有一个 Linux 发行版来尝试验证，则具有巨大的安全优势。好处是巨大的，因为既省钱又省时间。” <!-- Klein concedes that there are tradeoffs in every technology decision. "Cutting-edge technology is going to be scary for some people,” he says. "In order to take advantage of this, you really have to keep up with the technology. You can’t treat it like it’s a black box. Stay close to the development. Understand why decisions are being made. If you understand the intent behind the project, from the technological intent to a certain philosophical intent, then it helps you understand how to build your system in harmony with those systems as opposed to trying to work against it.”<br><br> --> Klein 承认，每个技术决策都有权衡。他表示：“对一些人来说，尖端技术将非常可怕。”“为了利用这一优势，你确实必须跟上技术。你不能把它当作一个黑盒子。同发展保持同步。了解决策原因。如果你了解项目背后的意图，从技术意图到某种哲学意图，那么它可以帮助你了解如何与这些系统和谐地构建系统，而不是试图与之对抗。” <!-- Wink, which was acquired by Flex in 2015, now controls 2.3 million connected devices in households all over the country. What’s next for the company? A new version of the hub - Wink Hub 2 - hit shelves last November – and is being offered for the first time at Walmart stores in addition to Home Depot. "Two of the biggest American retailers are carrying and promoting the brand and the hardware,” Klein says proudly – though he adds that "it really comes with a lot of pressure. It’s not a retail situation where you have a lot of tech enthusiasts. These are everyday people who want something that works and have no tolerance for technical excuses.” And that’s further testament to how much faith Klein has in the infrastructure that the Wink team has have built.<br><br> --> Wink 于 2015 年被 Flex 收购，目前控制着全国 230 万台联网设备。公司下一步怎么办？去年11月，一款新版的 “Wink Hub 2”上架，除 Home Depot 外，Walmart 商店还首次上市。Klein 自豪地说：“美国最大的两家零售商都正在使用和推广 Wink 品牌和硬件，”不过他补充道，“这确实带来了很大的压力。这不是普通的零售商客户像技术狂热者一样追求前沿技术。这些人每天都在想要一些行之有效的东西，并且不会容忍技术方面的借口。这进一步证明了 Klein 对 Wink 团队所构建的基础设施有多大的信心。” <!-- Wink’s engineering team has grown exponentially since its early days, and behind the scenes, Klein is most excited about the machine learning Wink is using. "We built [a system of] containerized small sections of the data pipeline that feed each other and can have multiple outputs,” he says. "It’s like data pipelines as microservices.” Again, Klein points to having a unified stack running on CoreOS Container Linux and Kubernetes as the primary driver for the innovations to come. "You’re not reinventing the wheel every time,” he says. "You can just get down to work.” --> Wink 的工程团队从早期起就呈指数级增长，在幕后，Klein 对 Wink 使用的机器学习感到非常兴奋。“我们构建了一个数据管道的容器化小段系统，这些部分对整个团队都是有益的，并且可以有多个输出，”他说。“这就像数据管道作为微服务。”同样，Klein 指出，在使用 CoreOS 容器的 Linux 和 Kubernetes 上运行统一的系统是未来的创新的主要驱动力。“你不是每次都在重新发明轮子，”他说。“你可以专注于业务进行开发。” </div> </section>https://andygol-k8s.netlify.app/zh-cn/case-studies/workiva/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/workiva/<div class="banner1"> <!-- <h1> CASE STUDY:<img src="https://andygol-k8s.netlify.app/images/workiva_logo.png" style="margin-bottom:0%" class="header_logo"><br> <div class="subhead">Using OpenTracing to Help Pinpoint the Bottlenecks </div></h1> --> <h1> 案例研究：<img src="https://andygol-k8s.netlify.app/images/workiva_logo.png" style="margin-bottom:0%" class="header_logo"><br> <div class="subhead">使用 OpenTracing 帮助查找瓶颈 </div></h1> </div> <!-- <div class="details"> Company &nbsp;<b>Workiva</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location &nbsp;<b>Ames, Iowa</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Industry &nbsp;<b>Enterprise Software</b> </div> --> <div class="details"> 公司 &nbsp;<b>Workiva</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Location &nbsp;<b>艾姆斯，爱荷华州</b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;行业 &nbsp;<b>企业软件</b> </div> <hr> <section class="section1"> <div class="cols"> <div class="col1"> <h2>挑战</h2> <!-- <a href="https://www.workiva.com/">Workiva</a> offers a cloud-based platform for managing and reporting business data. This SaaS product, Wdesk, is used by more than 70 percent of the Fortune 500 companies. As the company made the shift from a monolith to a more distributed, microservice-based system, "We had a number of people working on this, all on different teams, so we needed to identify what the issues were and where the bottlenecks were," says Senior Software Architect MacLeod Broad. With back-end code running on Google App Engine, Google Compute Engine, as well as Amazon Web Services, Workiva needed a tracing system that was agnostic of platform. While preparing one of the company’s first products utilizing AWS, which involved a "sync and link" feature that linked data from spreadsheets built in the new application with documents created in the old application on Workiva’s existing system, Broad’s team found an ideal use case for tracing: There were circular dependencies, and optimizations often turned out to be micro-optimizations that didn’t impact overall speed. --> <a href="https://www.workiva.com/">Workiva</a>提供了一个基于云的平台，用于管理和报告业务数据。此 SaaS 产品 Wdesk 被 70% 以上的财富 500 强企业使用。随着公司从单体系统向更分散的基于微服务的系统转变，“我们有许多人在研究这个问题，他们都在不同的团队中，所以我们需要确定问题是什么，瓶颈在哪里，”高级软件架构师 MacLeod Broad 说。随着后端代码在 Google App Engine，Google Compute Engine，以及 Amazon Web Services 上运行，Workiva 需要一个还未被开发的跟踪系统。在准备公司首批使用 AWS 的产品时，Broad 的团队将新应用程序中构建的电子表格数据与 Workiva 现有系统上的旧应用程序中创建的文档相关联，该功能涉及“同步和链接”功能，从而发现了一个理想的跟踪用例：存在循环依赖关系，而优化通常证明是不影响整体速度的微优化。 <br> </div> <div class="col2"> <h2>解决方案</h2> <!-- Broad’s team introduced the platform-agnostic distributed tracing system OpenTracing to help them pinpoint the bottlenecks. --> Broad 的团队推出了与平台无关的分布式跟踪系统 OpenTracing，帮助他们找出瓶颈。 <br> <h2>影响</h2> <!-- Now used throughout the company, OpenTracing produced immediate results. Software Engineer Michael Davis reports: "Tracing has given us immediate, actionable insight into how to improve our service. Through a combination of seeing where each call spends its time, as well as which calls are most often used, we were able to reduce our average response time by 95 percent (from 600ms to 30ms) in a single fix." --> 现在在整个公司使用，OpenTracing 产生了立竿见影的效果。软件工程师 Michael Davis 报告说：“跟踪让我们能够立即了解如何改进我们的服务。通过查看每个调用的花费时间以及最常使用哪些调用的组合，我们能够在单个修复中将平均响应时间减少 95%（从 600ms 到 30ms）。” </div> </div> </section> <div class="banner2"> <div class="banner2text"> <!-- "With OpenTracing, my team was able to look at a trace and make optimization suggestions to another team without ever looking at their code." <span style="font-size:14px;letter-spacing:0.12em;padding-top:20px;text-transform:uppercase"><br>— MacLeod Broad, Senior Software Architect at Workiva</span> --> 使用 OpenTracing，我的团队能够查看跟踪，并针对其他团队提出优化建议，而无需查看他们的代码。<span style="font-size:14px;letter-spacing:0.12em;padding-top:20px;text-transform:uppercase"><br>— MacLeod Broad, Workiva 高级软件架构师</span> </div> </div> <section class="section2"> <div class="fullcol"> <!-- <h2>Last fall, MacLeod Broad’s platform team at Workiva was prepping one of the company’s first products utilizing <a href="https://aws.amazon.com/">Amazon Web Services</a> when they ran into a roadblock.</h2> --> <h2>去年秋天，MacLeod Broad 在 Workiva 的平台团队在准备该公司的首批产品之一，当遇到障碍时就使用 <a href="https://aws.amazon.com/">Amazon Web Services</a> 。</h2> <!-- Early on, Workiva’s backend had run mostly on <a href="https://cloud.google.com/appengine/">Google App Engine</a>. But things changed along the way as Workiva’s SaaS offering, <a href="https://www.workiva.com/wdesk">Wdesk</a>, a cloud-based platform for managing and reporting business data, grew its customer base to more than 70 percent of the Fortune 500 companies. "As customer needs grew and the product offering expanded, we started to leverage a wider offering of services such as Amazon Web Services as well as other Google Cloud Platform services, creating a multi-vendor environment."<br><br> --> 早期，Workiva 的后端主要运行在<a href="https://cloud.google.com/appengine/">Google App Engine</a>上。但随着 Workiva 的 SaaS 产品，<a href="https://www.workiva.com/wdesk">Wdesk</a>，一种基于云的管理和报告业务数据平台，将客户群增长到财富 500 强公司的 70% 以上，情况发生了变化。“随着客户需求的增长和产品供应的扩大，我们开始利用更广泛的服务，如 Amazon Web Services 以及其他 Google Cloud Platform 服务，从而创建一个多供应商环境。” <!-- With this new product, there was a "sync and link" feature by which data "went through a whole host of services starting with the new spreadsheet system [<a href="https://aws.amazon.com/rds/aurora/">Amazon Aurora</a>] into what we called our linking system, and then pushed through http to our existing system, and then a number of calculations would go on, and the results would be transmitted back into the new system," says Broad. "We were trying to optimize that for speed. We thought we had made this great optimization and then it would turn out to be a micro optimization, which didn’t really affect the overall speed of things." <br><br> --> 有了这个新产品，具备“同步和链接”功能，通过它，数据“经历了一大堆服务，从新的电子表格系统[<a href="https://aws.amazon.com/rds/aurora/">Amazon Aurora</a>]到我们所谓的链接系统，然后通过 http 推送到我们现有的系统，然后进行一些计算，结果将传回新系统，”Broad 说。“我们当时进行优化是为了速度。我们认为做了这种极好的优化，然后它会变成一个微观优化，这并没有真正影响系统的整体速度。”<br><br> <!-- The challenges faced by Broad’s team may sound familiar to other companies that have also made the shift from monoliths to more distributed, microservice-based systems. "We had a number of people working on this, all on different teams, so it was difficult to get our head around what the issues were and where the bottlenecks were," says Broad.<br><br> --> Broad 团队面临的挑战听起来可能为其他公司所熟悉，这些公司也从单体系统转向更分散的基于微服务的系统。Broad 说：“我们有许多人从事这方面的工作，他们都在不同的团队中，因此很难了解问题是什么以及瓶颈在哪里。”<br><br> <!-- "Each service team was going through different iterations of their architecture and it was very hard to follow what was actually going on in each teams’ system," he adds. "We had circular dependencies where we’d have three or four different service teams unsure of where the issues really were, requiring a lot of back and forth communication. So we wasted a lot of time saying, ‘What part of this is slow? Which part of this is sometimes slow depending on the use case? Which part is degrading over time? Which part of this process is asynchronous so it doesn’t really matter if it’s long-running or not? What are we doing that’s redundant, and which part of this is buggy?’" --> “每个服务团队都经历着不同的架构迭代，很难了解每个团队系统中的实际内容，”他补充道。“我们有循环依赖关系，其中有三个或四个不同的服务团队不确定问题的真正位置，需要大量的来回沟通。因此，我们浪费了很多时间说，‘这个哪一部分比较慢？根据应用场景的不同，哪一部分有时很慢？随着时间推移，哪一部分会逐渐变慢？这个进程的哪一部分是异步的，因此，它是否长时间运行并不重要？我们在做的哪些是多余的，其中哪一部分是错误？’” </div> </section> <div class="banner3"> <div class="banner3text"> <!-- "A tracing system can at a glance explain an architecture, narrow down a performance bottleneck and zero in on it, and generally just help direct an investigation at a high level. Being able to do that at a glance is much faster than at a meeting or with three days of debugging, and it’s a lot faster than never figuring out the problem and just moving on."<span style="font-size:14px;letter-spacing:0.12em;padding-top:20px;text-transform:uppercase"><br>— MACLEOD BROAD, SENIOR SOFTWARE ARCHITECT AT WORKIVA</span> --> “跟踪系统可以一目了然地解释体系结构，缩小性能瓶颈并归零，通常只是帮助指导高级别的调查。一眼就能做到这一点，比在会议或三天的调试中要快得多，而且比从来不找出问题得过且过要快得多。”<span style="font-size:14px;letter-spacing:0.12em;padding-top:20px;text-transform:uppercase"><br>— MACLEOD BROAD, WORKIVA 高级软件架构师</span> </div> </div> <section class="section3"> <div class="fullcol"> <!-- Simply put, it was an ideal use case for tracing. "A tracing system can at a glance explain an architecture, narrow down a performance bottleneck and zero in on it, and generally just help direct an investigation at a high level," says Broad. "Being able to do that at a glance is much faster than at a meeting or with three days of debugging, and it’s a lot faster than never figuring out the problem and just moving on."<br><br> --> 简而言之，它是跟踪的理想用例。Broad 说：“跟踪系统可以一目了然地解释体系结构，缩小性能瓶颈并归零，通常只是帮助在高级别指导调查。”“一眼就能做到这一点，比在会议或三天的调试中要快得多，而且比从不找出问题得过且过要快得多。”<br><br> <!-- With Workiva’s back-end code running on <a href="https://cloud.google.com/compute/">Google Compute Engine</a> as well as App Engine and AWS, Broad knew that he needed a tracing system that was platform agnostic. "We were looking at different tracing solutions," he says, "and we decided that because it seemed to be a very evolving market, we didn’t want to get stuck with one vendor. So OpenTracing seemed like the cleanest way to avoid vendor lock-in on what backend we actually had to use."<br><br> --> Workiva 的后端代码在 <a href="https://cloud.google.com/compute/">Google Compute Engine</a> 、App Engine 和 AWS 上运行，Broad 知道他需要一个与平台无关的跟踪系统。“我们正在研究不同的追踪解决方案，”他说，“我们决定，由于市场似乎是一个不断发展的市场，我们不想被一个供应商卡住。因此，OpenTracing 似乎是避免供应商限制我们实际使用的后端的最简捷方法。”<br><br> <!-- Once they introduced OpenTracing into this first use case, Broad says, "The trace made it super obvious where the bottlenecks were." Even though everyone had assumed it was Workiva’s existing code that was slowing things down, that wasn’t exactly the case. "It looked like the existing code was slow only because it was reaching out to our next-generation services, and they were taking a very long time to service all those requests," says Broad. "On the waterfall graph you can see the exact same work being done on every request when it was calling back in. So every service request would look the exact same for every response being paged out. And then it was just a no-brainer of, ‘Why is it doing all this work again?’"<br><br> --> Broad 说，一旦他们将 OpenTrace 引入到第一个用例中，“跟踪使得瓶颈所在位置变得非常明显。”尽管每个人都认为是 Workiva 的现有代码减缓了速度，但事实并非如此。Broad 说：“看起来现有代码速度很慢，只是因为它能够达到我们下一代服务的水平，而且它们需要很长时间才能处理所有这些请求。”“在瀑布图上，你可以看到每个请求在得到响应时所做的完全相同的工作。因此，对于被分页的每个响应，每个服务请求看起来都完全相同。然后，就不用费神去思考‘为什么它再次做所有这些工作？’”<br><br> <!-- Using the insight OpenTracing gave them, "My team was able to look at a trace and make optimization suggestions to another team without ever looking at their code," says Broad. "The way we named our traces gave us insight whether it’s doing a SQL call or it’s making an RPC. And so it was really easy to say, ‘OK, we know that it’s going to page through all these requests. Do the work once and stuff it in cache.’ And we were done basically. All those calls became sub-second calls immediately."<br><br> --> 使用 OpenTrace 的跟踪功能，“我的团队能够查看跟踪，并针对另一个团队提出优化建议，而无需查看他们的代码，”Broad 说。“我们命名跟踪的方式可以说明请求是执行 SQL 调用还是创建 RPC。因此，可以非常简单地说，‘好吧，我们知道它能处理所有这些请求。处理一次缓存一次。’我们基本上完成了。所有这些调用立即变成了亚秒级的调用。”<br><br> </div> </section> <div class="banner4"> <div class="banner4text"> <!-- "We were looking at different tracing solutions and we decided that because it seemed to be a very evolving market, we didn’t want to get stuck with one vendor. So OpenTracing seemed like the cleanest way to avoid vendor lock-in on what backend we actually had to&nbsp;use." <span style="font-size:14px;letter-spacing:0.12em;padding-top:20px;text-transform:uppercase"><br>— MACLEOD BROAD, SENIOR SOFTWARE ARCHITECT AT WORKIVA</span> --> “我们正在研究不同的跟踪解决方案，我们决定使用 OpenTracing，由于市场似乎是一个不断发展的市场，我们不想被一个供应商卡住。因此，OpenTracing 似乎是避免供应商限制我们实际使用的后端的最简捷方法。”<span style="font-size:14px;letter-spacing:0.12em;padding-top:20px;text-transform:uppercase"><br>— MACLEOD BROAD, WORKIVA 高级软件架构师</span> </div> </div> <section class="section4"> <div class="fullcol"> <!-- After the success of the first use case, everyone involved in the trial went back and fully instrumented their products. Tracing was added to a few more use cases. "We wanted to get through the initial implementation pains early without bringing the whole department along for the ride," says Broad. "Now, a lot of teams add it when they’re starting up a new service. We’re really pushing adoption now more than we were before." <br><br> --> 在第一个用例成功后，参与尝试的每个人都回去重新编排了他们的产品。跟踪功能已添加到几个更多的用例中。Broad 说：“我们希望尽早度过最初的实施难关，而不会让整个部门一起渡过难关。”“现在，许多团队在启动新服务时添加它。我们现在确实比以前更将推动采用。”<br><br> <!-- Some teams were won over quickly. "Tracing has given us immediate, actionable insight into how to improve our [Workspaces] service," says Software Engineer Michael Davis. "Through a combination of seeing where each call spends its time, as well as which calls are most often used, we were able to reduce our average response time by 95 percent (from 600ms to 30ms) in a single fix." <br><br> --> 一些团队很快就赢了。软件工程师 Michael Davis 说：“跟踪让我们能够立即了解如何改进我们的（工作空间）服务。通过查看每个调用的花费时间以及最常使用哪些调用的组合，我们能够在单个修复中将平均响应时间减少 95%（从 600ms 到 30ms）”。<br><br> <!-- Most of Workiva’s major products are now traced using OpenTracing, with data pushed into <a href="https://cloud.google.com/stackdriver/">Google StackDriver</a>. Even the products that aren’t fully traced have some components and libraries that are. <br><br> --> Workiva 的大部分主要产品现在都使用 OpenTracing 进行跟踪，将数据推送到 <a href="https://cloud.google.com/stackdriver/">Google StackDriver</a>。即使未完全使用跟踪功能的产品，也具有一些组件和库。<br><br> <!-- Broad points out that because some of the engineers were working on App Engine and already had experience with the platform’s Appstats library for profiling performance, it didn’t take much to get them used to using OpenTracing. But others were a little more reluctant. "The biggest hindrance to adoption I think has been the concern about how much latency is introducing tracing [and StackDriver] going to cost," he says. "People are also very concerned about adding middleware to whatever they’re working on. Questions about passing the context around and how that’s done were common. A lot of our Go developers were fine with it, because they were already doing that in one form or another. Our Java developers were not super keen on doing that because they’d used other systems that didn’t require that."<br><br> --> Broad 指出，由于一些工程师正在使用 App Engine，并且已经拥有平台的 Appstats 库分析性能的经验，因此他们不需要花太多时间才能习惯使用 OpenTracing。但其他人则有点不情愿。“我认为，使用 OpenTracing 的最大障碍是担心引入跟踪和 StackDriver 的成本会是多少，”他说。“人们也非常关心将中间件添加到他们正在处理的任何内容中。有关传递上下文以及如何完成这些工作的问题很常见。我们的许多 Go 开发人员对此都很好，因为他们已经以这样或那样的形式这样做了。我们的 Java 开发人员并不热衷于这样做，因为他们使用了其他不需要该功能的系统。”<br><br> <!-- But the benefits clearly outweighed the concerns, and today, Workiva’s official policy is to use tracing." --> 但好处显然超过了人们的担忧，而今天，Workiva 的官方政策是使用追踪。 <!-- In fact, Broad believes that tracing naturally fits in with Workiva’s existing logging and metrics systems. "This was the way we presented it internally, and also the way we designed our use," he says. "Our traces are logged in the exact same mechanism as our app metric and logging data, and they get pushed the exact same way. So we treat all that data exactly the same when it’s being created and when it’s being recorded. We have one internal library that we use for logging, telemetry, analytics and tracing." --> 事实上，Broad 认为跟踪天然符合 Workiva 现有的日志记录和指标系统。“这是我们在内部展示的方式，也是我们设计使用方式的方式，”他说。“我们的跟踪记录在与我们的应用指标和日志记录数据完全相同的机制中，并且它们被推送的方式完全相同。因此，在创建和记录所有数据时，我们对待这些数据完全一样。我们有一个内部库，用于日志记录、遥测、分析和跟踪。” </div> </section> <div class="banner5"> <div class="banner5text"> <!-- "Tracing has given us immediate, actionable insight into how to improve our [Workspaces] service. Through a combination of seeing where each call spends its time, as well as which calls are most often used, we were able to reduce our average response time by 95 percent (from 600ms to 30ms) in&nbsp;a&nbsp;single&nbsp;fix." <span style="font-size:14px;letter-spacing:0.12em;padding-top:20px;text-transform:uppercase"><br>— Michael Davis, Software Engineer, Workiva </span> --> “跟踪让我们能够立即、可操作地洞察如何改进我们的（工作空间）服务。通过查看每个调用花费的时间以及最常使用哪些调用的组合，我们能够在单个修复中将平均响应时间减少 95%（从 600ms 到 30ms）。”<span style="font-size:14px;letter-spacing:0.12em;padding-top:20px;text-transform:uppercase"><br>— Michael Davis, 软件工程师, Workiva </span> </div> </div> <section class="section5"> <div class="fullcol"> <!-- For Workiva, OpenTracing has become an essential tool for zeroing in on optimizations and determining what’s actually a micro-optimization by observing usage patterns. "On some projects we often assume what the customer is doing, and we optimize for these crazy scale cases that we hit 1 percent of the time," says Broad. "It’s been really helpful to be able to say, ‘OK, we’re adding 100 milliseconds on every request that does X, and we only need to add that 100 milliseconds if it’s the worst of the worst case, which only happens one out of a thousand requests or one out of a million requests."<br><br> --> 对于 Workiva，OpenTracing 已成为一种重要工具，通过观察使用模式来聚焦最佳优化和确定什么是微观优化。Broad 说：“在某些项目中，我们经常假设客户正在做什么，我们针对这些疯狂的测试案例进行优化，这些案例的 1% 是同用户实际非常相符的。”“这样是非常有益的，‘好吧，我们在每个执行 X 的请求上添加 100 毫秒，如果最坏的情况，我们也只需要添加 100 毫秒，这仅发生在千分之一的请求或一百万个请求中的一个。’”<br><br> <!-- Unlike many other companies, Workiva also traces the client side. "For us, the user experience is important—it doesn’t matter if the RPC takes 100 milliseconds if it still takes 5 seconds to do the rendering to show it in the browser," says Broad. "So for us, those client times are important. We trace it to see what parts of loading take a long time. We’re in the middle of working on a definition of what is ‘loaded.’ Is it when you have it, or when it’s rendered, or when you can interact with it? Those are things we’re planning to use tracing for to keep an eye on and to better understand."<br><br> --> 与许多其他公司不同，Workiva 还跟踪客户端。Broad 说：“对我们来说，用户体验很重要，如果 RPC 执行后还需要 5 秒才能在浏览器中显示，则 RPC 执行需要 100 毫秒就不重要了。”“因此，对于我们而言，这些客户端响应时间非常重要。我们跟踪它，看看加载的哪些部分需要很长时间。我们正在研究什么是“加载”的定义。是当你访问到它，还是当它被渲染时，或者当你可以与它交互时？我们计划使用跟踪来关注和更好地了解这些内容。”<br><br> <!-- That also requires adjusting for differences in external and internal clocks. "Before time correcting, it was horrible; our traces were more misleading than anything," says Broad. "So we decided that we would return a timestamp on the response headers, and then have the client reorient its time based on that—not change its internal clock but just calculate the offset on the response time to when the client got it. And if you end up in an impossible situation where a client RPC spans 210 milliseconds but the time on the response time is outside of that window, then we have to reorient that."<br><br> --> 这还需要根据外部和内部时钟的差异进行调整。“在时间纠正之前，这是非常恐怖的；我们的跟踪比什么都更具有误导性，” Broad 说。“因此，我们决定在响应标头上返回一个时间戳，然后让客户端根据该时间调整其时间，而不是更改其内部时钟，而只需计算客户端收到时响应时间的偏移量。如果最终出现一种不可能的情况，客户端的 RPC 调用持续了 210 毫秒但响应返回时间并不在这个范围内，那就必须得重新调用请求。”<br><br> <!-- Broad is excited about the impact OpenTracing has already had on the company, and is also looking ahead to what else the technology can enable. One possibility is using tracing to update documentation in real time. "Keeping documentation up to date with reality is a big challenge," he says. "Say, we just ran a trace simulation or we just ran a smoke test on this new deploy, and the architecture doesn’t match the documentation. We can find whose responsibility it is and let them know and have them update it. That’s one of the places I’d like to get in the future with tracing." --> Broad 对 OpenTracing 对公司产生的影响感到兴奋，并且也在展望该技术还能实现什么。一种可能性是使用跟踪实时更新文档。他表示：“使文档与现实保持同步是一项重大挑战。”“例如，我们刚刚运行了跟踪模拟，或者我们刚刚在此新部署上运行了烟雾测试，但是结果显示架构与文档不匹配。我们可以找到是谁的责任，并通知他们进行更新。这是我希望在未来通过追踪获得的功能之一。” </div> </section>https://andygol-k8s.netlify.app/zh-cn/case-studies/zalando/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/zalando/<!-- title: Zalando Case Study case_study_styles: true cid: caseStudies new_case_study_styles: true heading_background: /images/case-studies/zalando/banner1.jpg heading_title_logo: /images/zalando_logo.png subheading: > Europe's Leading Online Fashion Platform Gets Radical with Cloud Native case_study_details: - Company: Zalando - Location: Berlin, Germany - Industry: Online Fashion --> <!-- <h2>Challenge</h2> --> <h2>挑战</h2> <!-- <p>Zalando, Europe's leading online fashion platform, has experienced exponential growth since it was founded in 2008. In 2015, with plans to further expand its original e-commerce site to include new services and products, Zalando embarked on a <a href="https://jobs.zalando.com/tech/blog/radical-agility-study-notes/">radical transformation</a> resulting in autonomous self-organizing teams. This change requires an infrastructure that could scale with the growth of the engineering organization. Zalando's technology department began rewriting its applications to be cloud-ready and started moving its infrastructure from on-premise data centers to the cloud. While orchestration wasn't immediately considered, as teams migrated to <a href="https://aws.amazon.com/">Amazon Web Services</a> (AWS): "We saw the pain teams were having with infrastructure and Cloud Formation on AWS," says Henning Jacobs, Head of Developer Productivity. "There's still too much operational overhead for the teams and compliance. " To provide better support, cluster management was brought into play.</p>https://andygol-k8s.netlify.app/zh-cn/releases/version-skew-policy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/releases/version-skew-policy/<!-- reviewers: - sig-api-machinery - sig-architecture - sig-cli - sig-cluster-lifecycle - sig-node - sig-release title: Version Skew Policy type: docs description: > The maximum version skew supported between various Kubernetes components. --> <!-- overview --> <!-- This document describes the maximum version skew supported between various Kubernetes components. Specific cluster deployment tools may place additional restrictions on version skew. --> <p>本文档描述了 Kubernetes 各个组件之间所支持的最大版本偏差。 特定的集群部署工具可能会对版本偏差添加额外的限制。</p> <!-- body --> <!-- ## Supported versions Kubernetes versions are expressed as **x.y.z**, where **x** is the major version, **y** is the minor version, and **z** is the patch version, following [Semantic Versioning](https://semver.org/) terminology. For more information, see [Kubernetes Release Versioning](https://git.k8s.io/sig-release/release-engineering/versioning.md#kubernetes-release-versioning). The Kubernetes project maintains release branches for the most recent three minor releases (1.35, 1.34, 1.33). Kubernetes 1.19 and newer receive [approximately 1 year of patch support](/releases/patch-releases/#support-period). Kubernetes 1.18 and older received approximately 9 months of patch support. --> <h2 id="supported-versions">支持的版本</h2> <p>Kubernetes 版本以 <strong>x.y.z</strong> 表示，其中 <strong>x</strong> 是主要版本， <strong>y</strong> 是次要版本，<strong>z</strong> 是补丁版本，遵循<a href="https://semver.org/">语义版本控制</a>术语。 更多信息请参见 <a href="https://git.k8s.io/sig-release/release-engineering/versioning.md#kubernetes-release-versioning">Kubernetes 版本发布控制</a>。</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/mutating-admission-policy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/mutating-admission-policy/<!-- reviewers: - deads2k - sttts - cici37 title: Mutating Admission Policy content_type: concept --> <!-- overview --> <div class="feature-state-notice feature-beta"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.34 [beta]</code> </div> <!-- due to feature gate history, use manual version specification here --> <!-- This page provides an overview of _MutatingAdmissionPolicies_. --> <p>本页概要介绍 <strong>MutatingAdmissionPolicy（变更性准入策略）</strong>。</p> <!-- MutatingAdmissionPolicies allow you to change what happens when someone writes a change to the Kubernetes API. If you want to use declarative policies just to prevent a particular kind of change to resources (for example: protecting platform namespaces from deletion), [ValidatingAdmissionPolicy](/docs/reference/access-authn-authz/validating-admission-policy/) is a simpler and more effective alternative. To use the feature, enable the `MutatingAdmissionPolicy` feature gate (which is off by default) and set `--runtime-config=admissionregistration.k8s.io/v1beta1=true` on the kube-apiserver. --> <p>MutatingAdmissionPolicies 允许你在有人向 Kubernetes API 写入变更时修改发生的操作。 如果你只想使用声明式策略来阻止对资源的某种更改（例如：保护平台命名空间不被删除）， <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/validating-admission-policy/">ValidatingAdmissionPolicy</a> 是更简单且更有效的替代方案。</p>https://andygol-k8s.netlify.app/zh-cn/releases/patch-releases/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/releases/patch-releases/<!-- title: Patch Releases type: docs --> <!-- Schedule and team contact information for Kubernetes patch releases. For general information about Kubernetes release cycle, see the [release process description]. --> <p>Kubernetes 补丁版本的发布时间表和团队联系信息。</p> <p>有关 Kubernetes 发布周期的常规信息，请参阅<a href="https://andygol-k8s.netlify.app/zh-cn/releases/release">发布流程说明</a>。</p> <!-- ## Cadence Our typical patch release cadence is monthly. It is commonly a bit faster (1 to 2 weeks) for the earliest patch releases after a 1.X minor release. Critical bug fixes may cause a more immediate release outside of the normal cadence. We also aim to not make releases during major holiday periods. --> <h2 id="cadence">节奏</h2> <p>我们的补丁发布节奏通常是每月一次。 在 1.X 次要版本之后，最早的补丁版本通常要快一些（提前 1 到 2 周）。 严重错误修复可能会导致超出正常节奏而更快速的发布。 我们尽量避免在重要的节假日期间发布。</p>https://andygol-k8s.netlify.app/zh-cn/docs/test/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/test/<!-- title: Docs smoke test page main_menu: false --> <!-- This page serves two purposes: - Demonstrate how the Kubernetes documentation uses Markdown - Provide a "smoke test" document we can use to test HTML, CSS, and template changes that affect the overall documentation. --> <p>本页面服务于两个目的：</p> <ul> <li>展示 Kubernetes 中文版文档中应如何使用 Markdown</li> <li>提供一个测试用文档，用来测试可能影响所有文档的 HTML、CSS 和模板变更</li> </ul> <!-- ## Heading levels The above heading is an H2. The page title renders as an H1. The following sections show H3 - H6. --> <h2 id="heading-levels">标题级别</h2> <p>上面的标题是 H2 级别。页面标题（Title）会渲染为 H1。以下各节分别展示 H3-H6 的渲染结果。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-gpus/scheduling-gpus/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-gpus/scheduling-gpus/<!-- reviewers: - vishh content_type: concept title: Schedule GPUs description: Configure and schedule GPUs for use as a resource by nodes in a cluster. --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.26 [stable]</code> </div> <!-- Kubernetes includes **stable** support for managing AMD and NVIDIA GPUs (graphical processing units) across different nodes in your cluster, using <a class='glossary-tooltip' title='一种软件扩展，可以使 Pod 访问由特定厂商初始化或者安装的设备。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/' target='_blank' aria-label='device plugins'>device plugins</a>. This page describes how users can consume GPUs, and outlines some of the limitations in the implementation. --> <p>Kubernetes 支持使用<a class='glossary-tooltip' title='一种软件扩展，可以使 Pod 访问由特定厂商初始化或者安装的设备。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/' target='_blank' aria-label='设备插件'>设备插件</a>来跨集群中的不同节点管理 AMD 和 NVIDIA GPU（图形处理单元），目前处于<strong>稳定</strong>状态。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-application/debug-running-pod/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-application/debug-running-pod/<!-- reviewers: - verb - soltysh title: Debug Running Pods content_type: task --> <!-- overview --> <!-- This page explains how to debug Pods running (or crashing) on a Node. --> <p>本页解释如何在节点上调试运行中（或崩溃）的 Pod。</p> <h2 id="准备开始">准备开始</h2> <!-- * Your <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> should already be scheduled and running. If your Pod is not yet running, start with [Debugging Pods](/docs/tasks/debug/debug-application/). * For some of the advanced debugging steps you need to know on which Node the Pod is running and have shell access to run commands on that Node. You don't need that access to run the standard debug steps that use `kubectl`. --> <ul> <li> <p>你的 <a class='glossary-tooltip' title='Pod 表示你的集群上一组正在运行的容器。' data-toggle='tooltip' data-placement='top' href='https://andygol-k8s.netlify.app/zh-cn/docs/concepts/workloads/pods/' target='_blank' aria-label='Pod'>Pod</a> 应该已经被调度并正在运行中， 如果你的 Pod 还没有运行，请参阅<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-application/">调试 Pod</a>。</p>https://andygol-k8s.netlify.app/zh-cn/releases/release-managers/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/releases/release-managers/<!-- title: Release Managers type: docs --> <!-- "Release Managers" is an umbrella term that encompasses the set of Kubernetes contributors responsible for maintaining release branches and creating releases by using the tools SIG Release provides. The responsibilities of each role are described below. --> <p>“发布管理员（Release Managers）” 是一个总称，通过使用 SIG Release 提供的工具， 负责维护发布分支、标记发行版本以及创建发行版本的贡献者。</p> <p>每个角色的职责如下所述。</p> <!-- - [Contact](#contact) - [Security Embargo Policy](#security-embargo-policy) - [Handbooks](#handbooks) - [Release Managers](#release-managers) - [Becoming a Release Manager](#becoming-a-release-manager) - [Release Manager Associates](#release-manager-associates) - [Becoming a Release Manager Associate](#becoming-a-release-manager-associate) - [SIG Release Leads](#sig-release-leads) - [Chairs](#chairs) - [Technical Leads](#technical-leads) --> <ul> <li><a href="#contact">联系方式</a> <ul> <li><a href="#security-embargo-policy">安全禁运政策</a></li> </ul> </li> <li><a href="#handbooks">手册</a></li> <li><a href="#release-managers">发布管理员</a> <ul> <li><a href="#becoming-a-release-manager">成为发布管理员</a></li> </ul> </li> <li><a href="#release-manager-associates">发布管理员助理</a> <ul> <li><a href="#becoming-a-release-manager-associate">成为发布管理员助理</a></li> </ul> </li> <li><a href="#sig-release-leads">SIG 发布负责人</a> <ul> <li><a href="#chairs">首席</a></li> <li><a href="#technical-leads">技术负责人</a></li> </ul> </li> </ul> <!-- ## Contact | Mailing List | Slack | Visibility | Usage | Membership | | --- | --- | --- | --- | --- | | [release-managers@kubernetes.io](mailto:release-managers@kubernetes.io) | [#release-management](https://kubernetes.slack.com/messages/CJH2GBF7Y) (channel) / @release-managers (user group) | Public | Public discussion for Release Managers | All Release Managers (including Associates, and SIG Chairs) | | [release-managers-private@kubernetes.io](mailto:release-managers-private@kubernetes.io) | N/A | Private | Private discussion for privileged Release Managers | Release Managers, SIG Release leadership | | [security-release-team@kubernetes.io](mailto:security-release-team@kubernetes.io) | [#security-release-team](https://kubernetes.slack.com/archives/G0162T1RYHG) (channel) / @security-rel-team (user group) | Private | Security release coordination with the Security Response Committee | [security-discuss-private@kubernetes.io](mailto:security-discuss-private@kubernetes.io), [release-managers-private@kubernetes.io](mailto:release-managers-private@kubernetes.io) | --> <h2 id="contact">联系方式</h2> <table> <thead> <tr> <th>邮件列表</th> <th>Slack</th> <th>可见范围</th> <th>用法</th> <th>会员资格</th> </tr> </thead> <tbody> <tr> <td><a href="mailto:release-managers@kubernetes.io">release-managers@kubernetes.io</a></td> <td><a href="https://kubernetes.slack.com/messages/CJH2GBF7Y">#release-management</a>（频道）/@release-managers（用户组）</td> <td>公共</td> <td>发布管理员公开讨论</td> <td>所有发布管理员（包括助理和 SIG 主席）</td> </tr> <tr> <td><a href="mailto:release-managers-private@kubernetes.io">release-managers-private@kubernetes.io</a></td> <td>不适用</td> <td>私人</td> <td>拥有特权的发布管理员私人讨论</td> <td>发布管理员，SIG Release 负责人</td> </tr> <tr> <td><a href="mailto:security-release-team@kubernetes.io">security-release-team@kubernetes.io</a></td> <td><a href="https://kubernetes.slack.com/archives/G0162T1RYHG">#security-release-team</a>（频道）/@security-rel-team（用户组）</td> <td>私人</td> <td>与安全响应委员会协调安全发布</td> <td><a href="mailto:security-discuss-private@kubernetes.io">security-discuss-private@kubernetes.io</a>, <a href="mailto:release-managers-private@kubernetes.io">release-managers-private@kubernetes.io</a></td> </tr> </tbody> </table> <!-- ### Security Embargo Policy Some information about releases is subject to embargo and we have defined policy about how those embargoes are set. Please refer to the [Security Embargo Policy](https://github.com/kubernetes/committee-security-response/blob/main/private-distributors-list.md#embargo-policy) for more information. --> <h3 id="security-embargo-policy">安全禁运政策</h3> <p>发布的相关信息受到禁运，我们已经定义了有关如何设置这些禁运的政策。 更多信息请参考<a href="https://github.com/kubernetes/committee-security-response/blob/main/private-distributors-list.md#embargo-policy">安全禁运政策</a>。</p>https://andygol-k8s.netlify.app/zh-cn/releases/notes/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/releases/notes/<!-- linktitle: Release Notes title: Notes type: docs description: > Kubernetes release notes. sitemap: priority: 0.5 --> <!-- Release notes can be found by reading the [Changelog](https://github.com/kubernetes/kubernetes/tree/master/CHANGELOG) that matches your Kubernetes version. View the changelog for 1.35 on [GitHub](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.35.md). Alternately, release notes can be searched and filtered online at: [relnotes.k8s.io](https://relnotes.k8s.io). View filtered release notes for 1.35 on [relnotes.k8s.io](https://relnotes.k8s.io/?releaseVersions=1.35.0). --> <p>可以通过阅读与你的 Kubernetes 版本对应的 <a href="https://github.com/kubernetes/kubernetes/tree/master/CHANGELOG">Changelog</a> 找到发行版本说明。 在 <a href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.35.md">GitHub</a> 上查看 1.35 的变更日志。</p> <p>或者，可以在以下位置在线搜索和筛选发行版本说明：<a href="https://relnotes.k8s.io">relnotes.k8s.io</a>。 在 <a href="https://relnotes.k8s.io/?releaseVersions=1.35.0">relnotes.k8s.io</a> 上查看 1.35 的筛选后的版本说明。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tls/managing-tls-in-a-cluster/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tls/managing-tls-in-a-cluster/<!-- title: Manage TLS Certificates in a Cluster content_type: task reviewers: - mikedanese - beacham - liggit --> <!-- overview --> <!-- Kubernetes provides a `certificates.k8s.io` API, which lets you provision TLS certificates signed by a Certificate Authority (CA) that you control. These CA and certificates can be used by your workloads to establish trust. `certificates.k8s.io` API uses a protocol that is similar to the [ACME draft](https://github.com/ietf-wg-acme/acme/). --> <p>Kubernetes 提供 <code>certificates.k8s.io</code> API，可让你配置由你控制的证书颁发机构（CA） 签名的 TLS 证书。 你的工作负载可以使用这些 CA 和证书来建立信任。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-hugepages/scheduling-hugepages/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/manage-hugepages/scheduling-hugepages/<!-- reviewers: - derekwaynecarr title: Manage HugePages content_type: task description: Configure and manage huge pages as a schedulable resource in a cluster. ---> <!-- overview --> <div class="feature-state-notice feature-stable" title="特性门控： HugePages"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.14 [stable]</code>（默认启用）</div> <!-- Kubernetes supports the allocation and consumption of pre-allocated huge pages by applications in a Pod. This page describes how users can consume huge pages. ---> <p>Kubernetes 支持在 Pod 应用中使用预先分配的巨页。本文描述了用户如何使用巨页，以及当前的限制。</p> <h2 id="准备开始">准备开始</h2> <!-- Kubernetes nodes must [pre-allocate huge pages](https://www.kernel.org/doc/html/latest/admin-guide/mm/hugetlbpage.html) in order for the node to report its huge page capacity. A node can pre-allocate huge pages for multiple sizes, for instance, the following line in `/etc/default/grub` allocates `2*1GiB` of 1 GiB and `512*2 MiB` of 2 MiB pages: ---> <p>为了使节点能够上报巨页容量，Kubernetes 节点必须<a href="https://www.kernel.org/doc/html/latest/admin-guide/mm/hugetlbpage.html">预先分配巨页</a>。</p>https://andygol-k8s.netlify.app/zh-cn/case-studies/huawei/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/case-studies/huawei/<!-- title: Huawei Case Study case_study_styles: true cid: caseStudies new_case_study_styles: true heading_background: /images/case-studies/huawei/banner1.jpg heading_title_logo: /images/huawei_logo.png subheading: > Embracing Cloud Native as a User – and a Vendor case_study_details: - Company: Huawei - Location: Shenzhen, China - Industry: Telecommunications Equipment --> <!-- <h2>Challenge</h2> --> <h2>挑战</h2> <p> <!-- A multinational company that's the largest telecommunications equipment manufacturer in the world, Huawei has more than 180,000 employees. In order to support its fast business development around the globe, <a href="https://www.huawei.com/">Huawei</a> has eight data centers for its internal I.T. department, which have been running 800+ applications in 100K+ VMs to serve these 180,000 users. With the rapid increase of new applications, the cost and efficiency of management and deployment of VM-based apps all became critical challenges for business agility. "It's very much a distributed system so we found that managing all of the tasks in a more consistent way is always a challenge," says Peixin Hou, the company's Chief Software Architect and Community Director for Open Source. "We wanted to move into a more agile and decent practice." --> 华为作为一个跨国企业，是世界上最大的电信设备制造商，拥有超过 18 万名员工。 为了支持华为在全球的快速业务发展，<a href="https://www.huawei.com/">华为</a>内部 IT 部门有 8 个数据中心， 这些数据中心在 10 万多台虚拟机上运行了 800 多个应用程序，为内部 18 万用户提供服务。 随着新应用程序的快速增长，基于虚拟机的应用程序管理和部署的成本和效率都成为业务敏捷性的关键挑战。 该公司首席软件架构师、开源社区总监侯培新表示： “这是一个超大的分布式系统，因此我们发现，以更一致的方式管理所有任务始终是一个挑战。 我们希望进入一种更敏捷、更得体的实践”。 </p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-application/get-shell-running-container/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-application/get-shell-running-container/<!-- overview --> <!-- This page shows how to use `kubectl exec` to get a shell to a running container. --> <p>本文介绍怎样使用 <code>kubectl exec</code> 命令获取正在运行容器的 Shell。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/client-authentication.v1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/client-authentication.v1/<!-- title: Client Authentication (v1) content_type: tool-reference package: client.authentication.k8s.io/v1 auto_generated: true --> <!-- ## Resource Types --> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#client-authentication-k8s-io-v1-ExecCredential">ExecCredential</a></li> </ul> <h2 id="client-authentication-k8s-io-v1-ExecCredential"><code>ExecCredential</code></h2> <!-- ExecCredential is used by exec-based plugins to communicate credentials to HTTP transports. --> <p>ExecCredential 由基于 exec 的插件使用，与 HTTP 传输组件沟通凭据信息。</p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>apiVersion</code><br/>string</td><td><code>client.authentication.k8s.io/v1</code></td></tr> <tr><td><code>kind</code><br/>string</td><td><code>ExecCredential</code></td></tr> <tr><td><code>spec</code> <B><!--[Required]-->[必需]</B><br/> <a href="#client-authentication-k8s-io-v1-ExecCredentialSpec"><code>ExecCredentialSpec</code></a> </td> <td> <!-- Spec holds information passed to the plugin by the transport. --> 字段 spec 包含由 HTTP 传输组件传递给插件的信息。 </td> </tr> <tr><td><code>status</code><br/> <a href="#client-authentication-k8s-io-v1-ExecCredentialStatus"><code>ExecCredentialStatus</code></a> </td> <td> <!-- Status is filled in by the plugin and holds the credentials that the transport should use to contact the API. --> 字段 status 由插件填充，包含传输组件与 API 服务器连接时需要提供的凭据。 </td> </tr> </tbody> </table> <h2 id="client-authentication-k8s-io-v1-Cluster"><code>Cluster</code></h2> <!-- **Appears in:** --> <p><strong>出现在：</strong></p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/client-authentication.v1beta1/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/config-api/client-authentication.v1beta1/<!-- title: Client Authentication (v1beta1) content_type: tool-reference package: client.authentication.k8s.io/v1beta1 auto_generated: true --> <!-- ## Resource Types --> <h2 id="resource-types">资源类型</h2> <ul> <li><a href="#client-authentication-k8s-io-v1beta1-ExecCredential">ExecCredential</a></li> </ul> <h2 id="client-authentication-k8s-io-v1beta1-ExecCredential"><code>ExecCredential</code></h2> <!-- ExecCredential is used by exec-based plugins to communicate credentials to HTTP transports. --> <p>ExecCredential 由基于 exec 的插件使用，与 HTTP 传输组件沟通凭据信息。</p> <table class="table"> <thead><tr><th width="30%"><!--Field-->字段</th><th><!--Description-->描述</th></tr></thead> <tbody> <tr><td><code>apiVersion</code><br/>string</td><td><code>client.authentication.k8s.io/v1beta1</code></td></tr> <tr><td><code>kind</code><br/>string</td><td><code>ExecCredential</code></td></tr> <tr> <td><code>spec</code> <B><!--[Required]-->[必需]</B><br/> <a href="#client-authentication-k8s-io-v1beta1-ExecCredentialSpec"><code>ExecCredentialSpec</code></a> </td> <td> <!-- Spec holds information passed to the plugin by the transport. --> <p>字段 <code>spec</code> 包含由 HTTP 传输组件传递给插件的信息。</p> </td> </tr> <tr> <td><code>status</code><br/> <a href="#client-authentication-k8s-io-v1beta1-ExecCredentialStatus"><code>ExecCredentialStatus</code></a> </td> <td> <!-- Status is filled in by the plugin and holds the credentials that the transport should use to contact the API. --> <p>字段 <code>status</code> 由插件填充，包含传输组件与 API 服务器连接时需要提供的凭据。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/network/extend-service-ip-ranges/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/network/extend-service-ip-ranges/<!-- reviewers: - thockin - dwinship min-kubernetes-server-version: v1.29 title: Extend Service IP Ranges content_type: task --> <!-- overview --> <div class="feature-state-notice feature-stable" title="特性门控： MultiCIDRServiceAllocator"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.33 [stable]</code>（默认启用）</div> <!-- This document shares how to extend the existing Service IP range assigned to a cluster. --> <p>本文将介绍如何扩展分配给集群的现有 Service IP 范围。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/audit/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/audit/<!-- reviewers: - soltysh - sttts content_type: concept title: Auditing --> <!-- overview --> <!-- Kubernetes _auditing_ provides a security-relevant, chronological set of records documenting the sequence of actions in a cluster. The cluster audits the activities generated by users, by applications that use the Kubernetes API, and by the control plane itself. Auditing allows cluster administrators to answer the following questions: --> <p>Kubernetes <strong>审计（Auditing）</strong> 功能提供了与安全相关的、按时间顺序排列的记录集， 记录每个用户、使用 Kubernetes API 的应用以及控制面自身引发的活动。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/local-debugging/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/local-debugging/<!-- title: Developing and debugging services locally using telepresence content_type: task --> <!-- overview --> <div class="alert alert-secondary callout third-party-content" role="note"><strong>说明：</strong>&puncsp;本部分链接到提供 Kubernetes 所需功能的第三方项目。Kubernetes 项目作者不负责这些项目。此页面遵循<a href="https://github.com/cncf/foundation/blob/main/policies-guidance/website-guidelines.md" target="_blank">CNCF 网站指南</a>，按字母顺序列出项目。要将项目添加到此列表中，请在提交更改之前阅读<a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/style/content-guide/#third-party-content">内容指南</a>。</div> <!-- Kubernetes applications usually consist of multiple, separate services, each running in its own container. Developing and debugging these services on a remote Kubernetes cluster can be cumbersome, requiring you to [get a shell on a running container](/docs/tasks/debug/debug-application/get-shell-running-container/) in order to run debugging tools. --> <p>Kubernetes 应用程序通常由多个独立的服务组成，每个服务都在自己的容器中运行。 在远端的 Kubernetes 集群上开发和调试这些服务可能很麻烦， 需要<a href="https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-application/get-shell-running-container/">在运行的容器上打开 Shell</a>， 以运行调试工具。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tls/manual-rotation-of-ca-certificates/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tls/manual-rotation-of-ca-certificates/<!-- title: Manual Rotation of CA Certificates content_type: task --> <!-- overview --> <!-- This page shows how to manually rotate the certificate authority (CA) certificates. --> <p>本页展示如何手动轮换证书机构（CA）证书。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/search/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/search/<!-- layout: search title: Search Results -->https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tls/certificate-rotation/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/tls/certificate-rotation/<!-- reviewers: - jcbsmpsn - mikedanese title: Configure Certificate Rotation for the Kubelet content_type: task --> <!-- overview --> <!-- This page shows how to enable and configure certificate rotation for the kubelet. --> <p>本文展示如何在 kubelet 中启用并配置证书轮换。</p> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.19 [stable]</code> </div> <h2 id="准备开始">准备开始</h2> <!-- * Kubernetes version 1.8.0 or later is required --> <ul> <li>要求 Kubernetes 1.8.0 或更高的版本</li> </ul> <!-- steps --> <!-- ## Overview The kubelet uses certificates for authenticating to the Kubernetes API. By default, these certificates are issued with one year expiration so that they do not need to be renewed too frequently. --> <h2 id="概述">概述</h2> <p>Kubelet 使用证书进行 Kubernetes API 的认证。 默认情况下，这些证书的签发期限为一年，所以不需要太频繁地进行更新。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/docs/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/docs/<!-- content_type: concept title: Contribute to Kubernetes Documentation weight: 09 card: name: contribute weight: 11 title: Contribute to documentation --> <!-- This website is maintained by [Kubernetes SIG Docs](/docs/contribute/#get-involved-with-sig-docs). The Kubernetes project welcomes help from all contributors, new or experienced! Kubernetes documentation contributors: - Improve existing content - Create new content - Translate the documentation - Manage and publish the documentation parts of the Kubernetes release cycle The blog team, part of SIG Docs, helps manage the official blogs. Read [contributing to Kubernetes blogs](/docs/contribute/blog/) to learn more. --> <p>本网站由 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/contribute/#get-involved-with-SIG-Docs">Kubernetes SIG Docs</a>（文档特别兴趣小组）维护。 Kubernetes 项目欢迎所有贡献者（无论是新手还是经验丰富的贡献者）提供帮助！</p>https://andygol-k8s.netlify.app/zh-cn/releases/download/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/releases/download/<!-- title: Download Kubernetes type: docs --> <!-- Kubernetes ships binaries for each component as well as a standard set of client applications to bootstrap or interact with a cluster. Components like the API server are capable of running within container images inside of a cluster. Those components are also shipped in container images as part of the official release process. All binaries as well as container images are available for multiple operating systems as well as hardware architectures. --> <p>Kubernetes 为每个组件提供二进制文件以及一组标准的客户端应用来引导集群或与集群交互。 像 API 服务器这样的组件能够在集群内的容器镜像中运行。 这些组件作为官方发布过程的一部分，也以容器镜像的形式提供。 所有二进制文件和容器镜像都可用于多种操作系统和硬件架构。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/network/validate-dual-stack/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/network/validate-dual-stack/<!-- reviewers: - lachie83 - khenidak - bridgetkromhout min-kubernetes-server-version: v1.23 title: Validate IPv4/IPv6 dual-stack content_type: task --> <!-- overview --> <!-- This document shares how to validate IPv4/IPv6 dual-stack enabled Kubernetes clusters. --> <p>本文分享了如何验证 IPv4/IPv6 双协议栈的 Kubernetes 集群。</p> <h2 id="准备开始">准备开始</h2> <!-- * Provider support for dual-stack networking (Cloud provider or otherwise must be able to provide Kubernetes nodes with routable IPv4/IPv6 network interfaces) * A [network plugin](/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) that supports dual-stack networking. * [Dual-stack enabled](/docs/concepts/services-networking/dual-stack/) cluster --> <ul> <li>驱动程序对双协议栈网络的支持 (云驱动或其他方式必须能够为 Kubernetes 节点提供可路由的 IPv4/IPv6 网络接口)</li> <li>一个能够支持<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/dual-stack/">双协议栈</a>网络的 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/">网络插件</a>。</li> <li><a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/services-networking/dual-stack/">启用双协议栈</a>集群</li> </ul> 你的 Kubernetes 服务器版本必须不低于版本 v1.23. <p>要获知版本信息，请输入 <code>kubectl version</code>.</p>https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/validating-admission-policy/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/reference/access-authn-authz/validating-admission-policy/<!-- reviewers: - liggitt - jpbetz - cici37 title: Validating Admission Policy content_type: concept --> <!-- overview --> <div class="feature-state-notice feature-stable"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.30 [stable]</code> </div> <!-- This page provides an overview of Validating Admission Policy. --> <p>本页面提供验证准入策略（Validating Admission Policy）的概述。</p> <!-- body --> <!-- ## What is Validating Admission Policy? Validating admission policies offer a declarative, in-process alternative to validating admission webhooks. Validating admission policies use the Common Expression Language (CEL) to declare the validation rules of a policy. Validation admission policies are highly configurable, enabling policy authors to define policies that can be parameterized and scoped to resources as needed by cluster administrators. --> <h2 id="what-is-validating-admission-policy">什么是验证准入策略？</h2> <p>验证准入策略提供一种声明式的、进程内的替代方案来验证准入 Webhook。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/kubectl-node-debug/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/debug/debug-cluster/kubectl-node-debug/<!-- title: Debugging Kubernetes Nodes With Kubectl content_type: task min-kubernetes-server-version: 1.20 --> <!-- overview --> <!-- This page shows how to debug a [node](/docs/concepts/architecture/nodes/) running on the Kubernetes cluster using `kubectl debug` command. --> <p>本页演示如何使用 <code>kubectl debug</code> 命令调试在 Kubernetes 集群上运行的<a href="https://andygol-k8s.netlify.app/zh-cn/docs/concepts/architecture/nodes/">节点</a>。</p> <h2 id="准备开始">准备开始</h2> <p><!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubectl/kubectl-plugins/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/extend-kubectl/kubectl-plugins/<!-- title: Extend kubectl with plugins reviewers: - juanvallejo - soltysh description: Extend kubectl by creating and installing kubectl plugins. content_type: task --> <!-- overview --> <!-- This guide demonstrates how to install and write extensions for [kubectl](/docs/reference/kubectl/kubectl/). By thinking of core `kubectl` commands as essential building blocks for interacting with a Kubernetes cluster, a cluster administrator can think of plugins as a means of utilizing these building blocks to create more complex behavior. Plugins extend `kubectl` with new sub-commands, allowing for new and custom features not included in the main distribution of `kubectl`. --> <p>本指南演示了如何为 <a href="https://andygol-k8s.netlify.app/zh-cn/docs/reference/kubectl/kubectl/">kubectl</a> 安装和编写扩展。 通过将核心 <code>kubectl</code> 命令看作与 Kubernetes 集群交互的基本构建块， 集群管理员可以将插件视为一种利用这些构建块创建更复杂行为的方法。 插件用新的子命令扩展了 <code>kubectl</code>，允许新的和自定义的特性不包括在 <code>kubectl</code> 的主要发行版中。</p>https://andygol-k8s.netlify.app/zh-cn/docs/contribute/localization_zh/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/contribute/localization_zh/<!-- overview --> <p>本节详述文档中文本地化过程中须注意的事项。 这里列举的内容包含了<strong>中文本地化小组</strong>早期给出的指导性建议和后续实践过程中积累的经验。 在阅读、贡献、评阅中文本地化文档的过程中，如果对本文的指南有任何改进建议， 都请直接提出 PR。我们欢迎任何形式的补充和更正！</p> <!-- body --> <h2 id="general">一般规定</h2> <p>本节列举一些译文中常见问题和约定。</p> <h3 id="commented-en-text">英文原文的保留</h3> <p>为便于译文审查和变更追踪，所有中文本地化 Markdown 文件中都应使用 HTML 注释 <code>&lt;!--</code> 和 <code>--&gt;</code> 将英文原文逐段注释起来，后跟对应中文译文。例如：</p> <pre tabindex="0"><code>&lt;!-- This is English text ... --&gt; 中文译文对应 ... </code></pre><p>不建议采用下面的方式注释英文段落，除非英文段落非常非常短：</p> <pre tabindex="0"><code>&lt;!-- This is English text ... --&gt; 中文译文对应 ... </code></pre><p>无论英文原文或者中文译文中，都不要保留过多的、不必要的空白行。</p> <h4 id="paras">段落划分</h4> <p>请避免大段大段地注释和翻译。一般而言，每段翻译可对应两三个自然段。 段落过长会导致译文很难评阅。但也不必每个段落都单独翻译。例如：</p> <pre tabindex="0"><code>&lt;!-- ## Overview ### Concept First paragraph, not very long. --&gt; ## 概述 {#overview} ### 概念 {#concept} 第一段落，不太长。 </code></pre><p>以下风格是不必要的：</p> <pre tabindex="0"><code>&lt;!-- ## Overview --&gt; ## 概述 {#overview} &lt;!-- ### Concept --&gt; ### 概念 {#concept} &lt;!-- First paragraph, not very long. --&gt; 第一段落，不太长。 </code></pre><h4 id="list">编号列表的处理</h4> <p>编号列表需要编号的连续性，处理不好的话可能导致输出结果错误。 由于有些列表可能很长，一次性等将整个列表注释掉再翻译也不现实。 推荐采用下面的方式。</p>https://andygol-k8s.netlify.app/zh-cn/docs/tasks/network/reconfigure-default-service-ip-ranges/Mon, 01 Jan 0001 00:00:00 +0000https://andygol-k8s.netlify.app/zh-cn/docs/tasks/network/reconfigure-default-service-ip-ranges/<!-- reviewers: - thockin - dwinship min-kubernetes-server-version: v1.33 title: Kubernetes Default ServiceCIDR Reconfiguration content_type: task --> <!-- overview --> <div class="feature-state-notice feature-stable" title="特性门控： MultiCIDRServiceAllocator"> <span class="feature-state-name">特性状态：</span> <code>Kubernetes v1.33 [stable]</code>（默认启用）</div> <!-- This document shares how to reconfigure the default Service IP range(s) assigned to a cluster. --> <p>本文介绍如何重新配置集群中分配的默认 Service IP 范围。</p> <h2 id="准备开始">准备开始</h2> <!-- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using [minikube](https://minikube.sigs.k8s.io/docs/tutorials/multi_node/) or you can use one of these Kubernetes playgrounds: --> <p>你必须拥有一个 Kubernetes 的集群，且必须配置 kubectl 命令行工具让其与你的集群通信。 建议运行本教程的集群至少有两个节点，且这两个节点不能作为控制平面主机。 如果你还没有集群，你可以通过 <a href="https://minikube.sigs.k8s.io/docs/tutorials/multi_node/">Minikube</a> 构建一个你自己的集群，或者你可以使用下面的 Kubernetes 练习环境之一：</p>