Knative Serving Installation



Knative and Kubernetes version compatibility

Deploying Serving

Example reference

# 1. Install the CRDs
kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.7.0/serving-crds.yaml

# 2. Install the Serving core components
curl -Lfs -o serving-core.yaml https://github.com/knative/serving/releases/download/knative-v1.7.0/serving-core.yaml

# The upstream gcr.io images are blocked from here, so point them at the mirror
sed 's#gcr.io/knative-releases/knative.dev/serving/cmd/webhook#gcrioknative/serving-webhook#g' -i *.yaml
sed 's#gcr.io/knative-releases/knative.dev/serving/cmd/activator#gcrioknative/serving-activator#g' -i *.yaml
sed 's#gcr.io/knative-releases/knative.dev/serving/cmd/domain-mapping-webhook#gcrioknative/serving-domain-mapping-webhook#g' -i *.yaml
sed 's#gcr.io/knative-releases/knative.dev/serving/cmd/domain-mapping#gcrioknative/serving-domain-mapping#g' -i *.yaml
sed 's#gcr.io/knative-releases/knative.dev/serving/cmd/controller#gcrioknative/serving-controller#g' -i *.yaml
sed 's#gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler#gcrioknative/serving-autoscaler#g' -i *.yaml
sed 's#gcr.io/knative-releases/knative.dev/serving/cmd/queue#gcrioknative/serving-queue#g' -i *.yaml

# Replace the image version (the @sha256 digest becomes the v1.7.0 tag)
sed "s#@sha256:.*#:v1.7.0#g" -i serving-core.yaml

# Limit the cluster size for the test environment
sed 's#maxReplicas: 20#maxReplicas: 1#g' -i serving-core.yaml
sed 's#maxReplicas: 5#maxReplicas: 1#g' -i serving-core.yaml

# Install
kubectl apply -f serving-core.yaml

Notes:

Serving install log


Deploying the networking layer

Istio

# 0. Preparation
curl -Lfs -o istio.yaml https://github.com/knative/net-istio/releases/download/knative-v1.7.0/istio.yaml

# Some APIs are incompatible depending on the Kubernetes version; bumping the API version in the manifest is enough.
# Check the served version with: kubectl api-resources | grep PodDisruptionBudget
sed 's#policy/v1beta1#policy/v1#g' -i istio.yaml
sed 's#maxReplicas: 10#maxReplicas: 2#g' -i istio.yaml
sed 's#minReplicas: 3#minReplicas: 1#g' -i istio.yaml

# 1. Install the CRDs
kubectl apply -l knative.dev/crd-install=true -f istio.yaml

# 2. Install Istio
kubectl apply -f istio.yaml

# 3. Install the Knative Istio controller
curl -LfS -o net-istio.yaml https://github.com/knative/net-istio/releases/download/knative-v1.7.0/net-istio.yaml

sed 's#gcr.io/knative-releases/knative.dev/net-istio/cmd/controller#gcrioknative/net-istio-controller#g' -i *.yaml
sed 's#gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook#gcrioknative/net-istio-webhook#g' -i *.yaml

# Replace the image version (the @sha256 digest becomes the v1.7.0 tag)
sed "s#@sha256:.*#:v1.7.0#g" -i net-istio.yaml

kubectl apply -f net-istio.yaml

# 4. Check the istio ingressgateway service
root@k8s-master:~/knative# kubectl --namespace istio-system get service istio-ingressgateway
NAME                   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                                      AGE
istio-ingressgateway   NodePort   10.96.242.187   <none>        15021:30455/TCP,80:30999/TCP,443:32324/TCP   36h
  • net-istio install log
  • After the steps above, check the resources; they should look like this:
root@k8s-master:~/knative# kubectl -n knative-serving get pod
NAME                                     READY   STATUS    RESTARTS   AGE
activator-84cbcd7bd-njnpt                1/1     Running   0          51m
autoscaler-75965477fd-vd5rf              1/1     Running   0          51m
controller-76dd96d457-mw6rz              1/1     Running   0          51m
domain-mapping-ccdcfcd89-d6v9v           1/1     Running   0          51m
domainmapping-webhook-79f6f4f9d6-xgxzq   1/1     Running   0          51m
net-istio-controller-6899897874-nkfss    1/1     Running   0          5m11s
net-istio-webhook-7679886d7-97dbh        1/1     Running   0          5m11s
webhook-5448865f65-km9ps                 1/1     Running   0          40m
root@k8s-master:~/knative# kubectl -n istio-system get pod
NAME                                    READY   STATUS    RESTARTS   AGE
istio-egressgateway-579dc4df64-dtwms    1/1     Running   0          36h
istio-ingressgateway-6849fc894d-759lj   1/1     Running   0          28m
istio-ingressgateway-6849fc894d-c95np   1/1     Running   0          28m
istio-ingressgateway-6849fc894d-rfpzx   1/1     Running   0          28m
istiod-9c5b49645-2jp49                  1/1     Running   0          28m
istiod-9c5b49645-vjghz                  0/1     Pending   0          27m
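The mirror rewrite above replaces every @sha256 digest with a mutable tag, so the manifests you apply are no longer pinned to a specific image. As an added example (not code from the original post or from Knative), the following reproduces the combined effect of those sed lines in Python and audits which image references are still digest-pinned afterwards; the manifest excerpt and its digests are constructed placeholders, not the real release files.

```python
import re

def _digest(n):
    # Constructed placeholder digest (64 hex chars), not a real Knative image digest.
    return "@sha256:" + f"{n:064x}"

# Constructed excerpt in the shape of serving-core.yaml / net-istio.yaml image references.
SAMPLE_MANIFEST = "\n".join([
    "        image: gcr.io/knative-releases/knative.dev/serving/cmd/activator" + _digest(1),
    "        image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller" + _digest(2),
    "  queue-sidecar-image: gcr.io/knative-releases/knative.dev/serving/cmd/queue" + _digest(3),
]) + "\n"

IMAGE_RE = re.compile(r"^([ \t]*(?:image|queue-sidecar-image):[ \t]*)(\S+)", re.M)
UPSTREAM_RE = re.compile(r"^gcr\.io/knative-releases/knative\.dev/(serving|net-istio)/cmd/([\w-]+)$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def mirror_images(manifest, mirror="gcrioknative", tag="v1.7.0"):
    """Combined effect of the sed lines above: point upstream gcr.io references at the mirror
    (<component>/cmd/<name> -> <mirror>/<component>-<name>) and swap the digest for a tag."""
    def rewrite(m):
        path = re.sub(r"@sha256:.*$", "", m.group(2))
        up = UPSTREAM_RE.match(path)
        if not up:
            return m.group(0)  # leave images we have no mirror mapping for untouched
        return f"{m.group(1)}{mirror}/{up.group(1)}-{up.group(2)}:{tag}"
    return IMAGE_RE.sub(rewrite, manifest)

def audit_pinning(manifest):
    """Map every image reference to True if pinned by digest, False if only by a mutable tag."""
    return {m.group(2): bool(DIGEST_RE.search(m.group(2))) for m in IMAGE_RE.finditer(manifest)}

def unpinned_images(manifest):
    """Image references that would need re-pinning to the mirror's digest before production use."""
    return sorted(ref for ref, pinned in audit_pinning(manifest).items() if not pinned)
```

Running unpinned_images on the rewritten manifest lists every mirrored image, which is the list to re-pin (with the mirror's own digests) once the test cluster is promoted.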

Simulating a request to the gateway

# For the headers, see https://github.com/knative/serving/blob/v0.46.5/pkg/activator/activator.go#L30

# Get the pod IP with: kubectl -n kourier-system get pod -o wide
curl -H "Knative-Serving-Revision: xxx-00001" -H "Knative-Serving-Namespace: xxx" ip:8012

Related configuration

config-deployment

apiVersion: v1
kind: ConfigMap
metadata:
  name: config-deployment
  namespace: knative-serving
  labels:
    serving.knative.dev/release: devel
  annotations:
    knative.dev/example-checksum: "fa67b403"
data:
  # This is the Go import path for the binary that is containerized
  # and substituted here.
  queue-sidecar-image: ko://knative.dev/serving/cmd/queue
  # List of repositories for which tag to digest resolving should be skipped
  registries-skipping-tag-resolving: "kind.local,ko.local,dev.local"
  # digest-resolution-timeout is the maximum time allowed for an image's
  # digests to be resolved.
  digest-resolution-timeout: "10s"
  # progress-deadline is the duration we wait for the deployment to
  # be ready before considering it failed.
  progress-deadline: "600s"
  # queue-sidecar-cpu-request is the requests.cpu to set for the queue proxy sidecar container.
  # If omitted, a default value (currently "25m"), is used.
  queue-sidecar-cpu-request: "25m"
  # queue-sidecar-cpu-limit is the limits.cpu to set for the queue proxy sidecar container.
  # If omitted, no value is specified and the system default is used.
  queue-sidecar-cpu-limit: "1000m"
  # queue-sidecar-memory-request is the requests.memory to set for the queue proxy container.
  # If omitted, no value is specified and the system default is used.
  queue-sidecar-memory-request: "400Mi"
  # queue-sidecar-memory-limit is the limits.memory to set for the queue proxy container.
  # If omitted, no value is specified and the system default is used.
  queue-sidecar-memory-limit: "800Mi"
  # queue-sidecar-ephemeral-storage-request is the requests.ephemeral-storage to
  # set for the queue proxy sidecar container.
  # If omitted, no value is specified and the system default is used.
  queue-sidecar-ephemeral-storage-request: "512Mi"
  # queue-sidecar-ephemeral-storage-limit is the limits.ephemeral-storage to set
  # for the queue proxy sidecar container.
  # If omitted, no value is specified and the system default is used.
  queue-sidecar-ephemeral-storage-limit: "1024Mi"

FAQ

Knative may default this to secure in a future release

  • Error log
Warning: Kubernetes default value is insecure, Knative may default this to secure in a future release: spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation, spec.template.spec.containers[0].securityContext.capabilities, spec.template.spec.containers[0].securityContext.runAsNonRoot, spec.template.spec.containers[0].securityContext.seccompProfile

The best way to resolve this warning is to set these securityContext fields explicitly in your Knative Service YAML so that they follow the safer settings instead of the Kubernetes defaults.

The following configuration is a suggested starting point that clears all four warnings:

apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: your-knative-service
spec:
  template:
    spec:
      containers:
      - image: your-image-name # replace with your container image
        # ... other container settings
        securityContext:
          allowPrivilegeEscalation: false # forbid privilege escalation
          capabilities:
            drop: # drop every Linux capability that is not needed
            - ALL
            # add back only the capabilities the app really needs, for example:
            # add:
            # - NET_BIND_SERVICE # if the app must bind to a port below 1024
          runAsNonRoot: true # run as a non-root user
          # if the image runs as root by default, also set runAsUser to a non-zero UID
          # runAsUser: 1000 # e.g. run as UID 1000
          seccompProfile: # use the RuntimeDefault seccomp profile
            type: RuntimeDefault
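As an added example (not from the original post or from Knative), here is a small pre-deploy lint that applies the same four checks the webhook warning lists to a Knative Service already loaded into a Python dict (for instance via PyYAML or kubectl get -o json) and reports findings in the webhook's own field-path notation. The sample Services and the image name example.invalid/app:1 are constructed placeholders.

```python
import copy

# The four fields the Knative warning names, each with the condition it must satisfy.
def _caps_ok(caps):
    return isinstance(caps, dict) and "ALL" in (caps.get("drop") or [])

def _seccomp_ok(profile):
    return isinstance(profile, dict) and profile.get("type") in ("RuntimeDefault", "Localhost")

CHECKS = {
    "allowPrivilegeEscalation": lambda v: v is False,
    "capabilities": _caps_ok,
    "runAsNonRoot": lambda v: v is True,
    "seccompProfile": _seccomp_ok,
}

def lint_container(container, path):
    """Return the field paths (in the webhook's notation) that are missing or insecure."""
    sc = container.get("securityContext") or {}
    return [f"{path}.securityContext.{field}" for field, ok in CHECKS.items() if not ok(sc.get(field))]

def lint_service(service):
    """Lint every user container of a Knative Service dict; an empty list means no warnings."""
    containers = service["spec"]["template"]["spec"].get("containers", [])
    findings = []
    for i, c in enumerate(containers):
        findings += lint_container(c, f"spec.template.spec.containers[{i}]")
    return findings

def with_security_context(service, security_context):
    """Return a deep copy of the Service with the given securityContext on container 0."""
    out = copy.deepcopy(service)
    out["spec"]["template"]["spec"]["containers"][0]["securityContext"] = security_context
    return out

# Constructed Service that relies on the insecure Kubernetes defaults (no securityContext at all).
INSECURE = {
    "apiVersion": "serving.knative.dev/v1", "kind": "Service",
    "metadata": {"name": "demo"},
    "spec": {"template": {"spec": {"containers": [
        {"image": "example.invalid/app:1"},  # placeholder image name
    ]}}},
}

# The hardened securityContext from the FAQ above, applied to the same Service.
HARDENED_SC = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}
HARDENED = with_security_context(INSECURE, HARDENED_SC)
```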

hostPath support

Revision (rev) deployment failed

Use the command kubectl describe rev xxx to find the cause.
