Kubernetes architecture that novices must know
2022-06-29 22:17:00 【Docker Chinese community】

Control plane components
ETCD
etcd is a fast, distributed, consistent key-value store that Kubernetes uses as the backing store for persisting object data (pods, replication controllers, secrets, services and so on). In fact, etcd is the only place where Kubernetes stores cluster state and metadata. The only component that talks to etcd directly is the Kubernetes API Server; every other component reads and writes etcd data indirectly, through the API Server.
etcd also implements a watch feature: an event-based interface for observing key changes asynchronously. As soon as a key changes, its watchers are notified. The API Server relies heavily on this to learn about changes and to drive the current state recorded in etcd toward the desired state.
Should the number of etcd instances be odd?
In an HA environment you usually run 3, 5 or 7 etcd instances, but why? Because etcd is a distributed data store you can scale it horizontally, but you also need the data in every instance to stay consistent, so the members have to agree on the state. etcd uses the RAFT consensus algorithm [1] for this purpose.
The algorithm requires a majority (a quorum) of the cluster before it can move to the next state. If you run only 2 etcd instances and either one fails, the etcd cluster cannot transition to a new state because there is no majority; with 3 instances, one instance can fail and a majority is still available.
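The quorum rule above, worked through for cluster sizes 1 to 7 as an added example (this is not code from the original article or from etcd). The cluster sizes and the sets of healthy member ids are constructed for illustration; the one fact the code relies on is that Raft commits only when a strict majority of configured members is reachable. It also shows the point the text implies but does not state: an even member count adds no fault tolerance over the odd count just below it.

```python
# Added example: Raft majority arithmetic behind the "odd number of etcd members" advice.


def quorum(members: int) -> int:
    """Smallest number of members that forms a strict majority of the cluster."""
    return members // 2 + 1


def tolerated_failures(members: int) -> int:
    """How many members may be down while the cluster can still commit writes."""
    return members - quorum(members)


def can_commit(members: int, healthy: set) -> bool:
    """True if the healthy members (by id) still form a quorum.

    `healthy` is a constructed set of member ids such as {"m1", "m2"}.
    """
    return len(healthy) >= quorum(members)


def fault_tolerance_table(max_members: int = 7):
    """(members, quorum, tolerated failures) for every cluster size up to max_members."""
    return [(n, quorum(n), tolerated_failures(n)) for n in range(1, max_members + 1)]


if __name__ == "__main__":
    print("members  quorum  tolerated failures")
    for n, q, f in fault_tolerance_table():
        print(f"{n:7d}  {q:6d}  {f:18d}")
    # Two members: losing one stalls the cluster. Three members: one may fail.
    print("2 members, 1 healthy:", can_commit(2, {"m1"}))
    print("3 members, 2 healthy:", can_commit(3, {"m1", "m2"}))
```

Reading the table, 4 members tolerate one failure, exactly like 3, and 6 tolerate two, exactly like 5, so the extra even member only adds a node that must agree without buying any extra resilience.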
API Server
The API Server is the only Kubernetes component that interacts with etcd directly. All other Kubernetes components, and clients such as kubectl, must go through the API Server to work with cluster state. The API Server provides the following functions:
- A consistent way of storing objects in etcd.
- Validation of those objects, so that clients cannot store misconfigured objects, which could happen if they wrote to the etcd data store directly.
- A RESTful API to create, update, modify or delete resources.
- Optimistic concurrency locking, so that under concurrent updates a change to an object is never silently overwritten by another client.
- Authentication and authorization of client requests. It uses plugins to extract the client's user name, user ID and group membership, and decides whether the authenticated user may perform the requested operation on the requested resource. If the request tries to create, modify or delete a resource, admission control [2] runs as well. Examples: AlwaysPullImages, DefaultStorageClass, ResourceQuota, etc.
- A watch mechanism for clients (similar to etcd's) to observe changes. This lets the scheduler, the Controller Manager and other components interact with the API Server in a loosely coupled way.
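The validation, admission, optimistic concurrency and watch functions listed above, modelled in a small in-memory API Server as an added example (not code from the original article or from Kubernetes). The object shapes, the `AlwaysPullImages`-style mutation and the two-client lost-update scenario are constructed for illustration; the real API Server reports a stale `resourceVersion` as HTTP 409 Conflict and a validation failure as HTTP 422, which the two exception classes stand in for.

```python
# Added example: a toy API Server that rejects stale writes instead of letting them overwrite.
import copy
import itertools


class Conflict(Exception):
    """A write carried a stale resourceVersion (the real API answers HTTP 409)."""


class Invalid(Exception):
    """Validation rejected the object (the real API answers HTTP 422)."""


def validate(obj):
    """Stand-in for API validation: a Pod needs at least one container with an image."""
    if obj["kind"] == "Pod":
        containers = obj.get("spec", {}).get("containers", [])
        if not containers or any(not c.get("image") for c in containers):
            raise Invalid("Pod must declare at least one container with an image")


def admit_always_pull_images(obj):
    """Mutating admission in the spirit of AlwaysPullImages: force imagePullPolicy=Always."""
    if obj["kind"] == "Pod":
        for c in obj.get("spec", {}).get("containers", []):
            c["imagePullPolicy"] = "Always"


class ToyApiServer:
    """In-memory stand-in for the API Server; self._store plays the role of etcd."""

    def __init__(self):
        self._store = {}
        self._versions = itertools.count(1)
        self._watchers = []

    @staticmethod
    def _key(obj):
        return f'{obj["kind"]}/{obj["metadata"]["name"]}'

    def watch(self, callback):
        """Register a watcher; it is called with (event, object) on every committed change."""
        self._watchers.append(callback)

    def _commit(self, event, obj):
        obj["metadata"]["resourceVersion"] = str(next(self._versions))
        self._store[self._key(obj)] = copy.deepcopy(obj)
        for cb in self._watchers:
            cb(event, copy.deepcopy(obj))
        return copy.deepcopy(obj)

    def create(self, obj):
        obj = copy.deepcopy(obj)
        if self._key(obj) in self._store:
            raise Conflict(f"{self._key(obj)} already exists")
        admit_always_pull_images(obj)
        validate(obj)
        return self._commit("ADDED", obj)

    def get(self, kind, name):
        return copy.deepcopy(self._store[f"{kind}/{name}"])

    def update(self, obj):
        obj = copy.deepcopy(obj)
        current = self._store[self._key(obj)]
        # Optimistic concurrency: the client must send back the version it read.
        if obj["metadata"].get("resourceVersion") != current["metadata"]["resourceVersion"]:
            raise Conflict("resourceVersion is stale: re-read the object and retry")
        admit_always_pull_images(obj)
        validate(obj)
        return self._commit("MODIFIED", obj)


def lost_update_demo():
    """Two clients edit the same Pod from the same snapshot; only the first write lands."""
    api = ToyApiServer()
    events = []
    api.watch(lambda ev, o: events.append((ev, o["metadata"]["resourceVersion"])))
    api.create({"kind": "Pod", "metadata": {"name": "web"},
                "spec": {"containers": [{"name": "app", "image": "nginx:1.25"}]}})
    snapshot_a = api.get("Pod", "web")
    snapshot_b = api.get("Pod", "web")          # same resourceVersion as snapshot_a
    snapshot_a["spec"]["containers"][0]["image"] = "nginx:1.26"
    api.update(snapshot_a)                      # succeeds and bumps resourceVersion
    snapshot_b["metadata"]["labels"] = {"tier": "frontend"}
    try:
        api.update(snapshot_b)                  # stale version: rejected, nothing lost
        b_rejected = False
    except Conflict:
        b_rejected = True
        fresh = api.get("Pod", "web")           # re-read, then re-apply the change
        fresh["metadata"]["labels"] = {"tier": "frontend"}
        api.update(fresh)
    final = api.get("Pod", "web")
    return b_rejected, final["spec"]["containers"][0]["image"], final["metadata"]["labels"], events
```

Without the version check, client B's write would have put the image back to `nginx:1.25`; with it, B is forced to re-read and both changes survive, and each committed write also fans out to the registered watcher, which is the same path the controllers and the scheduler rely on.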
Controller Manager
In Kubernetes, a controller is a control loop that watches the state of the cluster and then makes or requests changes where needed. Each controller tries to move the current cluster state closer to the desired state. A controller tracks at least one Kubernetes resource type, and those objects carry a spec field that represents the desired state.
Controller examples:
- Replication Manager (the controller for ReplicationController resources)
- ReplicaSet, DaemonSet and Job controllers
- Deployment controller
- StatefulSet controller
- Node controller
- Service controller
- Endpoints controller
- Namespace controller
- PersistentVolume controller
Controllers use the watch mechanism to receive change notifications. They watch the API Server for changes to resources and act on each change, whether it is the creation of a new object or the update or deletion of an existing one. Most of the time these actions consist of creating other resources or updating the watched resource itself. Using watches does not guarantee that a controller will never miss an event, however, so controllers also perform a periodic relist to make sure nothing is missed.
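A ReplicaSet-style control loop, written here as an added example (not code from the original article or from Kubernetes), showing the watch-driven reconcile and the periodic relist that catches a missed event. The `Cluster` object stands in for the API Server's view of the world, and the pod names and event sequence are constructed for the demonstration.

```python
# Added example: a reconcile loop that converges owned pods on spec.replicas.
import itertools
from dataclasses import dataclass, field


@dataclass
class Cluster:
    """Minimal stand-in for the cluster state held by the API Server."""
    replicasets: dict = field(default_factory=dict)   # ReplicaSet name -> desired replicas
    pods: dict = field(default_factory=dict)          # Pod name -> owning ReplicaSet name
    seq: itertools.count = field(default_factory=lambda: itertools.count(1))

    def create_pod(self, owner):
        name = f"{owner}-{next(self.seq)}"
        self.pods[name] = owner
        return name

    def delete_pod(self, name):
        del self.pods[name]

    def owned_pods(self, owner):
        return sorted(n for n, o in self.pods.items() if o == owner)


class ReplicaSetController:
    """Control loop: observe the pods owned by a ReplicaSet and converge on its desired count."""

    def __init__(self, cluster):
        self.cluster = cluster
        self.actions = []          # audit trail of what the loop did

    def reconcile(self, rs_name):
        desired = self.cluster.replicasets.get(rs_name)
        owned = self.cluster.owned_pods(rs_name)
        if desired is None:
            # Owner is gone: remove its pods (what cascading deletion does for real).
            for name in owned:
                self.cluster.delete_pod(name)
                self.actions.append(("delete", name))
            return
        for _ in range(desired - len(owned)):          # too few: create
            self.actions.append(("create", self.cluster.create_pod(rs_name)))
        for name in owned[desired:]:                    # too many: delete the surplus
            self.cluster.delete_pod(name)
            self.actions.append(("delete", name))

    def on_event(self, event, kind, name, owner=None):
        """Watch handler: any event about a ReplicaSet or one of its pods re-queues the owner."""
        self.reconcile(owner if kind == "Pod" else name)

    def relist(self):
        """Periodic resync: reconcile everything, catching changes whose events were missed."""
        owners = set(self.cluster.replicasets) | set(self.cluster.pods.values())
        for rs_name in sorted(owners):
            self.reconcile(rs_name)


def control_loop_demo():
    cluster = Cluster()
    ctl = ReplicaSetController(cluster)
    cluster.replicasets["web"] = 3
    ctl.on_event("ADDED", "ReplicaSet", "web")
    after_create = cluster.owned_pods("web")               # web-1, web-2, web-3
    # A pod dies and the watch delivers the DELETED event: it is replaced at once.
    cluster.delete_pod("web-2")
    ctl.on_event("DELETED", "Pod", "web-2", owner="web")
    after_event = cluster.owned_pods("web")                # web-1, web-3, web-4
    # A pod dies but the event is lost (e.g. during a watch reconnect) ...
    cluster.delete_pod("web-1")
    before_relist = len(cluster.owned_pods("web"))         # still 2, nobody noticed
    ctl.relist()                                           # ... until the periodic relist
    after_relist = cluster.owned_pods("web")               # web-3, web-4, web-5
    # Scale down: the surplus pods are removed.
    cluster.replicasets["web"] = 1
    ctl.on_event("MODIFIED", "ReplicaSet", "web")
    after_scale_down = cluster.owned_pods("web")           # web-3
    # Delete the ReplicaSet: its last pod is cleaned up on the next pass.
    del cluster.replicasets["web"]
    ctl.relist()
    return (after_create, after_event, before_relist, after_relist,
            after_scale_down, cluster.owned_pods("web"))
```

The loop is level-triggered: `reconcile` never cares which event woke it, it only compares observed with desired, which is why the same function serves the watch path, the relist path and the cascading cleanup.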
The Controller Manager also performs lifecycle functions, such as namespace creation and lifecycle, event garbage collection, terminated-pod garbage collection, cascading-deletion garbage collection [3], node garbage collection and so on.
Scheduler
The scheduler is a control plane process that assigns pods to nodes. It watches for newly created pods that have no node assigned, and for each such pod the scheduler is responsible for finding the best node to run it on.
A node that satisfies a pod's scheduling requirements is called a feasible node. If no suitable node exists, the pod stays unscheduled until the scheduler can place it. Once feasible nodes are found, the scheduler runs a set of functions to score them and picks the node with the highest score. It then tells the API Server which node was selected; this step is called binding.
Node selection happens in two steps:
- Filter the list of all nodes down to the nodes the pod can acceptably be scheduled on (for example, the PodFitsResources filter checks whether a candidate node has enough free resources to satisfy the pod's resource requests).
- Score the nodes left over from step 1 and rank them to pick the best one. If several nodes share the highest score, a round-robin choice among them spreads pods evenly across the nodes.
Factors considered in the scheduling decision include:
- The pod's requests for hardware/software resources.
- Whether the node is reporting memory or disk pressure.
- Whether the node's labels match the node selector in the pod specification.
- If the pod asks to bind a specific host port, whether that port is already in use on the node.
- Whether the pod tolerates the node's taints.
- Whether the pod specifies node affinity or anti-affinity rules.
- And so on.
The scheduler does not instruct the selected node to run the pod. All it does is update the pod definition through the API Server. The API Server then notifies the kubelet, via the watch mechanism, that the pod has been scheduled. When the kubelet on the target node sees that the pod has been scheduled to its node, it creates and runs the pod's containers.
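The filter-then-score procedure and the factors listed above, implemented as an added example (not code from the original article or from the Kubernetes scheduler). The node capacities, labels, taints and the three pods are constructed; the `least_allocated_score` function is a simplified version of the "prefer the least loaded node" idea, and the round-robin tie-break and the resource bookkeeping that stands in for binding are assumptions of this example rather than the scheduler's actual code.

```python
# Added example: a toy scheduler with filters (predicates) and a scoring step.
import itertools
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    cpu_m: int                      # allocatable CPU in millicores
    mem_mi: int                     # allocatable memory in MiB
    labels: dict = field(default_factory=dict)
    taints: set = field(default_factory=set)        # taint keys; effect NoSchedule assumed
    memory_pressure: bool = False
    used_host_ports: set = field(default_factory=set)
    cpu_used: int = 0
    mem_used: int = 0


@dataclass
class Pod:
    name: str
    cpu_m: int                      # requests.cpu
    mem_mi: int                     # requests.memory
    node_selector: dict = field(default_factory=dict)
    tolerations: set = field(default_factory=set)
    host_port: Optional[int] = None


# Filters: every one must pass for a node to be feasible for the pod.
def pod_fits_resources(pod, node):
    return (node.cpu_m - node.cpu_used >= pod.cpu_m
            and node.mem_mi - node.mem_used >= pod.mem_mi)


def no_memory_pressure(pod, node):
    return not node.memory_pressure


def matches_node_selector(pod, node):
    return all(node.labels.get(k) == v for k, v in pod.node_selector.items())


def host_port_free(pod, node):
    return pod.host_port is None or pod.host_port not in node.used_host_ports


def tolerates_taints(pod, node):
    return node.taints <= pod.tolerations


FILTERS = [pod_fits_resources, no_memory_pressure, matches_node_selector,
           host_port_free, tolerates_taints]


def filter_nodes(pod, nodes):
    """Step 1: keep the feasible nodes and record why each other node was rejected."""
    feasible, rejected = [], {}
    for node in nodes:
        failed = [f.__name__ for f in FILTERS if not f(pod, node)]
        if failed:
            rejected[node.name] = failed
        else:
            feasible.append(node)
    return feasible, rejected


def least_allocated_score(pod, node):
    """Step 2: prefer nodes that stay least loaded after placing the pod (0..100)."""
    cpu_free = (node.cpu_m - node.cpu_used - pod.cpu_m) / node.cpu_m
    mem_free = (node.mem_mi - node.mem_used - pod.mem_mi) / node.mem_mi
    return int(100 * (cpu_free + mem_free) / 2)


class Scheduler:
    def __init__(self):
        self._round_robin = itertools.count()

    def schedule(self, pod, nodes):
        """Return (chosen node name or None, rejection reasons); binding updates node usage."""
        feasible, rejected = filter_nodes(pod, nodes)
        if not feasible:
            return None, rejected                       # pod stays Pending
        scored = [(least_allocated_score(pod, n), n) for n in feasible]
        best = max(s for s, _ in scored)
        winners = [n for s, n in scored if s == best]
        chosen = winners[next(self._round_robin) % len(winners)]   # spread ties evenly
        # Binding: the real scheduler writes spec.nodeName through the API Server;
        # here we only account for the pod's requests on the chosen node.
        chosen.cpu_used += pod.cpu_m
        chosen.mem_used += pod.mem_mi
        if pod.host_port is not None:
            chosen.used_host_ports.add(pod.host_port)
        return chosen.name, rejected


def scheduling_demo():
    nodes = [   # constructed cluster
        Node("node-a", cpu_m=4000, mem_mi=8192, labels={"zone": "a"}),
        Node("node-b", cpu_m=4000, mem_mi=8192, labels={"zone": "b"}, taints={"gpu"}),
        Node("node-c", cpu_m=2000, mem_mi=4096, labels={"zone": "a"}, memory_pressure=True),
    ]
    sched = Scheduler()
    web, _ = sched.schedule(Pod("web", cpu_m=1000, mem_mi=1024), nodes)
    train, _ = sched.schedule(Pod("train", cpu_m=1000, mem_mi=1024, tolerations={"gpu"}), nodes)
    stuck, why = sched.schedule(Pod("stuck", cpu_m=500, mem_mi=256, node_selector={"zone": "c"}), nodes)
    return web, train, stuck, why
```

The second pod lands on node-b even though node-a also fits, because node-a already carries the first pod and scores lower; the third pod is left unscheduled and the returned reasons say which filter rejected each node, which is the information you would otherwise read from the pod's scheduling events.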
Worker node components
Kubelet
The kubelet is the agent that runs on every node in the cluster and is responsible for everything that runs on a worker node. It makes sure that containers are running in a Pod.
The main functions of the kubelet service are:
- Registering the node it runs on by creating a Node resource in the API Server.
- Continuously watching the API Server for Pods scheduled to its node.
- Starting the pod's containers with the configured container runtime.
- Continuously monitoring running containers and their status, and reporting events and resource consumption to the API Server.
- Running container liveness probes, restarting a container when its probe fails, terminating containers when their Pod is deleted from the API Server, and notifying the server that the Pod has terminated.
kube-proxy
kube-proxy runs on every node and makes sure that one pod can talk to another pod, one node to another node, one container to another container, and so on. It watches the API Server for changes to Service and pod definitions so that the whole network configuration stays up to date. When a Service is backed by several pods, the proxy load-balances between them.
kube-proxy got its name because it was an actual proxy server that accepted connections and proxied them to Pods. The current implementation instead uses iptables or ipvs rules to redirect packets to a randomly selected backend Pod, rather than passing them through a real proxy process.
When a Service is created, a virtual IP address is assigned to it immediately. The API Server notifies the kube-proxy agents running on the worker nodes that a new Service has been created. Each kube-proxy makes the Service addressable by installing iptables rules that intercept every packet sent to the Service's IP/port pair and rewrite the destination address to one of the pods backing the Service. It watches the API Server for changes to Services and their Endpoints objects.
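The iptables rules kube-proxy installs for one Service, rendered as an added example (not code from the original article or from kube-proxy). The Service and the three backend endpoints are constructed; the chain layout (KUBE-SERVICES, then a per-service KUBE-SVC chain whose `-m statistic --mode random` rules pick a backend, then a per-endpoint KUBE-SEP chain that does the DNAT) follows the pattern the iptables mode uses, while the short hash used for chain names here is a simplification of kube-proxy's own naming. The second function walks the probability chain for many packets to confirm that the 1/n, 1/(n-1), ... 1 sequence distributes traffic evenly.

```python
# Added example: kube-proxy-style nat rules for a ClusterIP Service, plus a check of the
# per-rule probabilities that make the random backend choice uniform.
import hashlib
import random
from collections import Counter
from dataclasses import dataclass


@dataclass
class Service:
    namespace: str
    name: str
    port_name: str
    cluster_ip: str
    port: int
    protocol: str = "tcp"


def chain_suffix(*parts):
    """Short stable chain id; real kube-proxy derives its chain names differently."""
    return hashlib.sha256("/".join(parts).encode()).hexdigest()[:8].upper()


def render_iptables_rules(svc, endpoints):
    """Render nat-table rules: KUBE-SERVICES -> KUBE-SVC-<id> (random pick) -> KUBE-SEP-<id> (DNAT)."""
    key = f"{svc.namespace}/{svc.name}:{svc.port_name}"
    svc_chain = f"KUBE-SVC-{chain_suffix(key)}"
    rules = [
        f'-A KUBE-SERVICES -d {svc.cluster_ip}/32 -p {svc.protocol} '
        f'-m comment --comment "{key} cluster IP" -m {svc.protocol} --dport {svc.port} -j {svc_chain}'
    ]
    n = len(endpoints)
    sep_chains = [f"KUBE-SEP-{chain_suffix(key, ep)}" for ep in endpoints]
    for i, sep in enumerate(sep_chains):
        # Rule i fires with probability 1/(n-i); the last rule takes whatever is left,
        # so every endpoint ends up equally likely overall.
        if i < n - 1:
            rules.append(f"-A {svc_chain} -m statistic --mode random "
                         f"--probability {1 / (n - i):.11f} -j {sep}")
        else:
            rules.append(f"-A {svc_chain} -j {sep}")
    for sep, ep in zip(sep_chains, endpoints):
        rules.append(f"-A {sep} -p {svc.protocol} -m {svc.protocol} -j DNAT --to-destination {ep}")
    return rules


def simulate_selection(endpoints, draws=30000, seed=7):
    """Walk the probability chain for many packets; return the share of traffic per endpoint."""
    rng = random.Random(seed)
    n = len(endpoints)
    hits = Counter()
    for _ in range(draws):
        for i, ep in enumerate(endpoints):
            if i == n - 1 or rng.random() < 1 / (n - i):
                hits[ep] += 1
                break
    return {ep: hits[ep] / draws for ep in endpoints}


# Constructed sample Service and Endpoints (pod IP:port pairs).
WEB = Service("default", "web", "http", cluster_ip="10.96.0.10", port=80)
WEB_ENDPOINTS = ["10.244.1.5:8080", "10.244.2.7:8080", "10.244.3.9:8080"]

if __name__ == "__main__":
    print("\n".join(render_iptables_rules(WEB, WEB_ENDPOINTS)))
    print(simulate_selection(WEB_ENDPOINTS))
```

Because matching stops at the first rule that fires, a naive 1/3, 1/3, 1/3 sequence would starve the last backend (it would only see about 30% of traffic); the decreasing denominators are what make the chain fair, and the simulation shows each endpoint receiving close to a third.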
Container runtime
A container runtime that focuses on running containers and setting up their namespaces and cgroups is called a low-level container runtime; one that focuses on image formats, unpacking, managing and sharing images, and offering an API that meets developers' needs is called a high-level container runtime (a container engine).
The container runtime is responsible for:
- Pulling the container image from an image registry if it is not available locally.
- Extracting the image onto a copy-on-write filesystem, where all the container's layers are overlaid on each other to form one merged filesystem.
- Preparing the container's mount points.
- Applying metadata from the container image, for example overriding CMD and ENTRYPOINT with user input and setting up SECCOMP rules, so that the container runs as expected.
- Asking the kernel to isolate the container in some way, for example its processes, network and filesystem.
- Asking the kernel to apply resource limits, such as CPU or memory limits.
- Issuing the system calls (syscalls) to the kernel that start the container.
- Making sure SELinux/AppArmor is set up correctly.
Reference material
[1] RAFT consensus algorithm: https://www.geeksforgeeks.org/raft-consensus-algorithm/
[2] Access control (admission controllers): https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
[3] Cascading-deletion garbage collection: https://kubernetes.io/docs/concepts/architecture/garbage-collection/
Disclaimer: the content of this article comes from the Internet and is for reference only. It is reprinted solely for learning and exchange; if it inadvertently infringes your legitimate rights and interests, please contact the Docker Chinese community!

