15-Architecture-Cloud Controller Manager

concepts/architecture/cloud-controller/

Concepts Underlying the Cloud Controller Manager

The concept of the cloud controller manager (CCM), not to be confused with the binary, was originally created to allow cloud-specific vendor code and the Kubernetes core to evolve independently of each other. The cloud controller manager runs alongside other master components such as the Kubernetes controller manager, the API server, and the scheduler. It can also be started as a Kubernetes addon, in which case it runs on top of Kubernetes.

The cloud controller manager's design is based on a plugin mechanism that allows new cloud providers to integrate with Kubernetes easily using plugins. There are plans to onboard new cloud providers on Kubernetes and to migrate existing cloud providers from the old model to the new CCM model.

This document discusses the concepts behind the cloud controller manager and gives details about its associated functions.

Here is the architecture of a Kubernetes cluster without the cloud controller manager:

Pre CCM Kube Arch

Design

In the preceding diagram, Kubernetes and the cloud provider are integrated through several different components:

  • Kubelet
  • Kubernetes controller manager
  • Kubernetes API server

The CCM consolidates all of the cloud-dependent logic from the preceding three components to create a single point of integration with the cloud. The new architecture with the CCM looks like this:

CCM Kube Arch

Components of the CCM

The CCM breaks away some of the functionality of the Kubernetes controller manager (KCM) and runs it as a separate process. Specifically, it breaks away those controllers in the KCM that are cloud dependent. The KCM has the following cloud-dependent controller loops:

  • Node controller
  • Volume controller
  • Route controller
  • Service controller

In version 1.9, the CCM runs the following controllers from the preceding list:

  • Node controller
  • Route controller
  • Service controller

Note: The Volume controller was deliberately chosen to not be a part of the CCM. Due to the complexity involved and due to the existing efforts to abstract away vendor-specific volume logic, it was decided that the volume controller will not be moved to the CCM.

The original plan to support volumes using the CCM was to use Flex volumes to support pluggable volumes. However, a competing effort known as CSI is being planned to replace Flex.

Considering these dynamics, we decided to have an intermediate stopgap measure until CSI becomes ready.

Functions of the CCM

The CCM inherits its functions from components of Kubernetes that are dependent on a cloud provider. This section is structured based on those components.

1. Kubernetes controller manager

The majority of the CCM's functions are derived from the KCM. As mentioned in the previous section, the CCM runs the following control loops:

  • Node controller
  • Route controller
  • Service controller

Node controller

The Node controller is responsible for initializing a node by obtaining information about the nodes running in the cluster from the cloud provider. The node controller performs the following functions:

  1. Initialize a node with cloud-specific zone/region labels.
  2. Initialize a node with cloud-specific instance details, for example, type and size.
  3. Obtain the node's network addresses and hostname.
  4. In case a node becomes unresponsive, check the cloud to see if the node has been deleted from the cloud. If the node has been deleted from the cloud, delete the Kubernetes Node object.

Route controller

The Route controller is responsible for configuring routes in the cloud appropriately so that containers on different nodes in the Kubernetes cluster can communicate with each other. The route controller is only applicable for Google Compute Engine clusters.

Service Controller

The Service controller is responsible for listening to service create, update, and delete events. Based on the current state of the services in Kubernetes, it configures cloud load balancers (such as ELB, Google LB, or Oracle Cloud Infrastructure LB) to reflect the state of the services in Kubernetes. Additionally, it ensures that service backends for cloud load balancers are up to date.

2. Kubelet

The node controller contains the cloud-dependent functionality of the kubelet. Prior to the introduction of the CCM, the kubelet was responsible for initializing a node with cloud-specific details such as IP addresses, region/zone labels, and instance type information. The introduction of the CCM has moved this initialization operation from the kubelet into the CCM.

In this new model, the kubelet initializes a node without cloud-specific information. However, it adds a taint to the newly created node that makes the node unschedulable until the CCM initializes the node with the cloud-specific information. It then removes this taint.

Plugin mechanism

The cloud controller manager uses Go interfaces to allow implementations from any cloud to be plugged in. Specifically, it uses the CloudProvider interface defined here.

The implementation of the four shared controllers highlighted above, and some scaffolding along with the shared cloudprovider interface, will stay in the Kubernetes core. Implementations specific to cloud providers will be built outside of the core and implement interfaces defined in the core.

For more information about developing plugins, see Developing Cloud Controller Manager.

Authorization

This section breaks down the access required on various API objects by the CCM to perform its operations.

Node Controller

The Node controller only works with Node objects. It requires full access to get, list, create, update, patch, watch, and delete Node objects.

v1/Node:

  • Get
  • List
  • Create
  • Update
  • Patch
  • Watch
  • Delete

Route controller

The route controller listens to Node object creation and configures routes appropriately. It requires Get access to Node objects.

v1/Node:

  • Get

Service controller

The service controller listens to Service object create, update, and delete events and then configures endpoints for those Services appropriately.

To access Services, it requires list and watch access. To update Services, it requires patch and update access.

To set up endpoints for the Services, it requires access to create, list, get, watch, and update.

v1/Service:

  • List
  • Get
  • Watch
  • Patch
  • Update

Others

The implementation of the core of the CCM requires access to create events, and to ensure secure operation, it requires access to create ServiceAccounts.

v1/Event:

  • Create
  • Patch
  • Update

v1/ServiceAccount:

  • Create

The RBAC ClusterRole for the CCM looks like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloud-controller-manager
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - create
  - get
  - list
  - watch
  - update
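A least-privilege check of that ClusterRole, added here as an example and not code from the Kubernetes project: it compares the verbs a role grants per core-group resource against the access the sections above document, flagging wildcard grants (the `nodes: '*'` rule), grants the text never mentions (the `persistentvolumes` rule), and documented verbs the role omits. The input shape is the dict that `kubectl get clusterrole cloud-controller-manager -o json` would return; the sample below is constructed from the page's YAML, and `DOCUMENTED` is assembled from the v1/Node, v1/Service, v1/Event, v1/ServiceAccount and endpoints lists above (nodes/status is taken from the YAML since the prose does not list it).

```python
# Least-privilege audit of a CCM ClusterRole (added example, not project code).
from typing import Dict, List, Set

# Access documented on this page, per core-group ("") resource.
DOCUMENTED: Dict[str, Set[str]] = {
    "events": {"create", "patch", "update"},
    "nodes": {"get", "list", "create", "update", "patch", "watch", "delete"},
    "nodes/status": {"patch"},          # assumption: taken from the YAML, not the prose
    "services": {"list", "get", "watch", "patch", "update"},
    "serviceaccounts": {"create"},
    "endpoints": {"create", "get", "list", "watch", "update"},
}

SAMPLE_ROLE = {  # constructed from the ClusterRole shown on the page
    "kind": "ClusterRole",
    "metadata": {"name": "cloud-controller-manager"},
    "rules": [
        {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch", "update"]},
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["nodes/status"], "verbs": ["patch"]},
        {"apiGroups": [""], "resources": ["services"], "verbs": ["list", "patch", "update", "watch"]},
        {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["create"]},
        {"apiGroups": [""], "resources": ["persistentvolumes"], "verbs": ["get", "list", "update", "watch"]},
        {"apiGroups": [""], "resources": ["endpoints"], "verbs": ["create", "get", "list", "watch", "update"]},
    ],
}

def granted_verbs(role: dict) -> Dict[str, Set[str]]:
    """Flatten the rules into {resource: verbs} for the core API group."""
    out: Dict[str, Set[str]] = {}
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        if "" not in groups and "*" not in groups:
            continue
        for res in rule.get("resources", []):
            out.setdefault(res, set()).update(rule.get("verbs", []))
    return out

def audit(role: dict, documented: Dict[str, Set[str]] = DOCUMENTED) -> Dict[str, List[str]]:
    """Return wildcard grants, over-privilege ('extra'), and documented verbs not granted."""
    findings: Dict[str, List[str]] = {"wildcard": [], "extra": [], "missing": []}
    for res, verbs in sorted(granted_verbs(role).items()):
        if "*" in verbs:               # '*' also covers verbs added in future API versions
            findings["wildcard"].append(res)
            continue
        need = documented.get(res)
        if need is None:               # resource the page's access breakdown never mentions
            findings["extra"].append(f"{res}: resource not documented")
            continue
        findings["extra"] += [f"{res}: {v}" for v in sorted(verbs - need)]
        findings["missing"] += [f"{res}: {v}" for v in sorted(need - verbs)]
    return findings
```

Replacing the `nodes` wildcard with the seven verbs the Node controller section lists keeps the role from silently absorbing new verbs, and the `services: get` gap reflects the mismatch between the v1/Service list and the YAML above.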

Vendor Implementations

The following cloud providers have implemented CCMs:

Cluster Administration

Complete instructions for configuring and running the CCM are provided here.
