11 - Operations Tooling
Kubernetes kubectl, Helm and Kustomize: the Toolchain Explained
Learning objectives
After working through this module you will be able to:
- Use advanced kubectl techniques
- Apply Helm package-management best practices
- Manage configuration with Kustomize
- Work with the K9s and Lens visual tools
- Aggregate logs with stern
- Manage policy with OPA Gatekeeper and Kyverno
1. Advanced kubectl Usage
1.1 Output Formatting
JSONPath queries
# IP of every Pod
kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.podIP}{"\n"}{end}'
# Allocatable resources per node
kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.allocatable.cpu}{"\t"}{.status.allocatable.memory}{"\n"}{end}'
# Inventory of every image in use. Images are emitted space-separated, so split them onto one line each
# before sort | uniq; otherwise Pods with several containers are never de-duplicated. Add
# .items[*].spec.initContainers[*].image if init-container images matter to the inventory.
kubectl get pods -A -o jsonpath='{.items[*].spec.containers[*].image}' | tr -s '[[:space:]]' '\n' | sort | uniq -c
# ClusterIP of every Service
kubectl get svc -A -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.clusterIP}{"\n"}{end}'
# Filter expression: every Pod whose phase is not Running
kubectl get pods -A -o jsonpath='{range .items[?(@.status.phase!="Running")]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.status.phase}{"\n"}{end}'
Custom columns
# Custom column layout
kubectl get pods -A -o custom-columns=\
NAME:.metadata.name,\
NAMESPACE:.metadata.namespace,\
STATUS:.status.phase,\
NODE:.spec.nodeName,\
IP:.status.podIP
# Requests and limits per Pod. A <none> in CPU_LIM or MEM_LIM means the container has no limit at all,
# which is worth hunting for: such containers can starve their neighbours on the node.
kubectl get pods -A -o custom-columns=\
NAME:.metadata.name,\
CPU_REQ:.spec.containers[*].resources.requests.cpu,\
MEM_REQ:.spec.containers[*].resources.requests.memory,\
CPU_LIM:.spec.containers[*].resources.limits.cpu,\
MEM_LIM:.spec.containers[*].resources.limits.memory
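The three queries above (non-Running Pods, image inventory, containers without limits) are the ones an operator ends up re-running most often, and jsonpath gets awkward once the logic spans several fields. The script below is an added example, not code from the original page: it reproduces those queries over a PodList in the exact shape `kubectl get pods -A -o json` returns, so it can be driven with `kubectl get pods -A -o json | python3 pod_inventory.py`. Unlike the `.spec.containers[*]` queries it also walks init and ephemeral containers. The PodList embedded in it is constructed sample data.

```python
"""Offline counterpart of the jsonpath / custom-columns queries above.

Reads a PodList in the shape `kubectl get pods -A -o json` emits, so it can be
driven with `kubectl get pods -A -o json | python3 pod_inventory.py`; without
stdin it runs on the constructed sample below.
"""
import json
import sys

# Constructed sample data in the shape of `kubectl get pods -A -o json`.
SAMPLE_PODLIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "web-7d9f", "namespace": "production"},
            "spec": {
                "nodeName": "node-1",
                "initContainers": [{"name": "init", "image": "busybox:1.36"}],
                "containers": [{
                    "name": "web",
                    "image": "myregistry.com/web:v1.4.2",
                    "resources": {
                        "requests": {"cpu": "100m", "memory": "128Mi"},
                        "limits": {"cpu": "500m", "memory": "256Mi"},
                    },
                }],
            },
            "status": {"phase": "Running", "podIP": "10.0.1.7"},
        },
        {
            "metadata": {"name": "worker-1a2b", "namespace": "production"},
            "spec": {
                "nodeName": "node-2",
                "containers": [
                    {"name": "worker", "image": "myregistry.com/worker:latest",
                     "resources": {}},
                    {"name": "sidecar", "image": "busybox:1.36",
                     "resources": {"limits": {"cpu": "50m"}}},
                ],
            },
            "status": {"phase": "Pending"},
        },
        {
            "metadata": {"name": "cleanup-x1", "namespace": "batch"},
            "spec": {
                "nodeName": "node-1",
                "containers": [{
                    "name": "cleanup", "image": "busybox:1.36",
                    "resources": {"limits": {"cpu": "10m", "memory": "16Mi"}},
                }],
            },
            "status": {"phase": "Succeeded", "podIP": "10.0.2.9"},
        },
    ],
})


def load_podlist(text):
    """Items of a PodList document; a single Pod document is wrapped in a list."""
    doc = json.loads(text)
    return doc.get("items", [doc])


def all_containers(pod):
    """Yield (field, container) for init, regular and ephemeral containers.
    The jsonpath queries above only look at .spec.containers[*]."""
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field, []):
            yield field, container


def not_running(items):
    """(namespace, name, phase) for each Pod whose phase is not Running,
    the same selection as the ?(@.status.phase!="Running") filter."""
    result = []
    for pod in items:
        phase = pod.get("status", {}).get("phase", "Unknown")
        if phase != "Running":
            result.append((pod["metadata"]["namespace"], pod["metadata"]["name"], phase))
    return result


def image_inventory(items):
    """Sorted, de-duplicated list of every image referenced by any container."""
    return sorted({c["image"] for pod in items for _, c in all_containers(pod)})


def missing_limits(items):
    """(namespace, pod, container) for containers without a CPU or memory limit,
    i.e. what the CPU_LIM / MEM_LIM custom columns render as <none>."""
    result = []
    for pod in items:
        for field, c in all_containers(pod):
            if field == "ephemeralContainers":
                continue  # ephemeral containers are not allowed to declare resources
            limits = c.get("resources", {}).get("limits", {})
            if "cpu" not in limits or "memory" not in limits:
                result.append((pod["metadata"]["namespace"], pod["metadata"]["name"], c["name"]))
    return result


def main():
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    items = load_podlist(text if text.strip() else SAMPLE_PODLIST)
    print("Pods not Running:")
    for ns, name, phase in not_running(items):
        print("  %s\t%s\t%s" % (ns, name, phase))
    print("Images in use:")
    for image in image_inventory(items):
        print("  " + image)
    print("Containers without full limits:")
    for ns, name, container in missing_limits(items):
        print("  %s\t%s\t%s" % (ns, name, container))


if __name__ == "__main__":
    main()
```

Because it reads the same JSON the API server returns, the script needs nothing beyond `get` on pods, which is the minimum a read-only audit identity should hold.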
1.2 kubectl wait and Conditional Waiting
# Wait until a Deployment reports Available
kubectl wait --for=condition=available deployment/web --timeout=90s
# Wait until a Pod is Ready
kubectl wait --for=condition=ready pod/web-pod --timeout=60s
# Wait until a Pod has been deleted
kubectl wait --for=delete pod/web-pod --timeout=60s
# Wait until every Pod in a namespace is Ready
kubectl wait --for=condition=ready pod --all -n production --timeout=300s
# Using it in a script: roll back automatically when the rollout never becomes available.
# Note that right after `apply` the Available condition may still be true from the previous
# revision; `kubectl rollout status` is what actually tracks the new revision to completion.
#!/bin/bash
set -euo pipefail
kubectl apply -f deployment.yaml
if kubectl wait --for=condition=available deployment/web --timeout=300s; then
  echo "Deployment is ready"
  kubectl rollout status deployment/web --timeout=300s
else
  echo "Deployment failed to become ready, rolling back" >&2
  kubectl rollout undo deployment/web
  exit 1
fi
1.3 kubectl Plugins
Installing krew (the kubectl plugin manager)
# Install krew with the upstream one-liner. It downloads the release tarball for your OS and
# architecture from GitHub; in a controlled environment pin a release version instead of "latest".
(
  set -x; cd "$(mktemp -d)" &&
  OS="$(uname | tr '[:upper:]' '[:lower:]')" &&
  ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" &&
  KREW="krew-${OS}_${ARCH}" &&
  curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/${KREW}.tar.gz" &&
  tar zxvf "${KREW}.tar.gz" &&
  ./"${KREW}" install krew
)
# Add krew to PATH (put this in your shell profile)
export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
Commonly used plugins
# Plugins come from the community krew index. krew checks each archive against the sha256 in the
# plugin's index manifest, but the code is only as trustworthy as its author: review a plugin
# before installing it on a workstation that holds production credentials.
# kubectl tree: show the ownership tree of a resource
kubectl krew install tree
kubectl tree deployment web
# kubectl ctx / ns: switch context and namespace quickly
kubectl krew install ctx ns
kubectl ctx            # list contexts
kubectl ctx production # switch to the production context
kubectl ns production  # switch to the production namespace
# kubectl whoami: show the identity the API server sees for your current credentials
kubectl krew install whoami
kubectl whoami
# kubectl df-pv: PersistentVolume usage
kubectl krew install df-pv
kubectl df-pv
# kubectl node-shell: a root shell on a node. It schedules a privileged, hostPID Pod on the node
# and enters the host's namespaces, so it needs RBAC permission to create such Pods, is blocked
# by Pod Security Admission "baseline", and amounts to root on the host. Treat every use as a
# privileged, audited action.
kubectl krew install node-shell
kubectl node-shell <node-name>
1.4 kubectl Aliases and Functions
# Add to ~/.bashrc or ~/.zshrc
# Basic aliases
alias k='kubectl'
alias kg='kubectl get'
alias kd='kubectl describe'
alias kdel='kubectl delete'
alias kl='kubectl logs'
alias kex='kubectl exec -it'
alias kaf='kubectl apply -f'
# Longer aliases
alias kgpo='kubectl get pods'
alias kgpoa='kubectl get pods --all-namespaces'
alias kgpon='kubectl get pods -o name'
alias kgpow='kubectl get pods -o wide'
alias kgsvc='kubectl get svc'
alias kging='kubectl get ingress'
# Functions (arguments are quoted so names containing shell metacharacters cannot be re-parsed)
klog() {
  kubectl logs -f "$1" -n "${2:-default}"
}
kexec() {
  kubectl exec -it "$1" -n "${2:-default}" -- "${3:-sh}"
}
# Throw-away troubleshooting Pod; --rm deletes it when the shell exits
kdebug() {
  kubectl run "debug-$RANDOM" --rm -it --restart=Never --image=nicolaka/netshoot -- bash
}
# Dump a resource as YAML
kget() {
  kubectl get "$1" -n "${2:-default}" -o yaml
}
# Resource usage (requires metrics-server). `kubectl top nodes` does not take -A, so handle it separately.
ktop() {
  if [ "${1:-pods}" = "nodes" ]; then
    kubectl top nodes --sort-by="${2:-cpu}"
  else
    kubectl top pods -A --sort-by="${2:-cpu}"
  fi
}
2. Helm Package Management
2.1 Helm Basics
Installing Helm
# Install Helm 3. The project's convenience script pipes straight into bash, so you execute whatever the
# server returns. For anything beyond a throw-away machine, download the release tarball and compare it
# with the .sha256sum file published next to it before unpacking.
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
# Verify the installation
helm version
# Add repositories. The old "stable" repository was archived in November 2020 and receives no updates;
# it is listed here only because you will still meet it in older docs. Prefer a chart's own repository or an OCI registry.
helm repo add stable https://charts.helm.sh/stable
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
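The pipe-to-shell installers on this page (Helm above, k9s via webinstall.dev in section 4) run whatever the server returns, and the krew one-liner unpacks a tarball it never checks. The script below is an added example, not the Helm, krew or k9s projects' own installer: it downloads a release archive together with the checksum list the project publishes, verifies the SHA-256 before anything is unpacked, and deletes the file on mismatch. The URLs passed on the command line are placeholders for the real release assets; the checksum-list format it assumes is the `<hex>  <filename>` layout written by `sha256sum` (also accepting a file that holds the bare digest), which is what Helm's `.sha256sum` files and most GitHub releases use.

```python
"""Download a release artifact and verify its SHA-256 before it is installed.

Added example; it is not the install script of any project named on this page.
"""
import hashlib
import hmac
import os
import sys
import urllib.request

CHUNK = 1 << 16


def sha256_bytes(data):
    """Hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Stream the file so a large archive never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksums(text, filename):
    """Digest listed for `filename` in sha256sum-style output, or a bare-digest file."""
    lines = [line.split() for line in text.splitlines() if line.strip()]
    if len(lines) == 1 and len(lines[0]) == 1:  # file holding only the digest
        return lines[0][0].lower()
    for parts in lines:
        # sha256sum prints "<hex>  name" (text) or "<hex> *name" (binary mode)
        if len(parts) >= 2 and parts[-1].lstrip("*") == filename:
            return parts[0].lower()
    raise KeyError("no checksum published for %s" % filename)


def digests_match(actual_hex, expected_hex):
    """Constant-time comparison; rejects anything that is not a SHA-256 hex digest."""
    if len(actual_hex) != 64 or len(expected_hex) != 64:
        return False
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def download(url, dest):
    with urllib.request.urlopen(url, timeout=60) as resp, open(dest, "wb") as out:
        for block in iter(lambda: resp.read(CHUNK), b""):
            out.write(block)


def fetch_verified(artifact_url, checksums_url, dest_dir):
    """Download artifact and checksum list; return the path only if the digest matches."""
    filename = artifact_url.rsplit("/", 1)[-1]
    dest = os.path.join(dest_dir, filename)
    download(artifact_url, dest)
    with urllib.request.urlopen(checksums_url, timeout=60) as resp:
        expected = parse_checksums(resp.read().decode("utf-8", "replace"), filename)
    if not digests_match(sha256_file(dest), expected):
        os.remove(dest)  # never leave an unverified binary on disk
        raise RuntimeError("checksum mismatch for %s" % filename)
    return dest


if __name__ == "__main__":
    # Placeholder usage: fetch_release.py <artifact-url> <checksums-url>
    if len(sys.argv) != 3:
        sys.exit("usage: %s <artifact-url> <checksums-url>" % sys.argv[0])
    print(fetch_verified(sys.argv[1], sys.argv[2], os.getcwd()))
```

The checksum list is fetched over TLS from the same origin as the artifact, so this protects against a corrupted or substituted download, not against a compromised release pipeline; for that, verify the project's signature (cosign or GPG) on the checksum list as well.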
Basic operations
# Search for a chart
helm search repo nginx
# Install a chart. Pin --version in automation so an upgrade never silently pulls a new chart major.
helm install my-nginx bitnami/nginx
# List releases
helm list
helm list -A
# Upgrade a release
helm upgrade my-nginx bitnami/nginx
# Roll a release back to a revision
helm rollback my-nginx 1
# Uninstall a release
helm uninstall my-nginx
2.2 Creating a Helm Chart
Chart layout
mychart/
├── Chart.yaml        # chart metadata
├── values.yaml       # default configuration values
├── charts/           # dependency charts
├── templates/        # template files
│   ├── deployment.yaml
│   ├── service.yaml
│   ├── ingress.yaml
│   ├── _helpers.tpl  # helper templates
│   └── NOTES.txt     # text shown after install
└── .helmignore       # files excluded from the package
Chart.yaml
apiVersion: v2
name: myapp
description: A Helm chart for my application
type: application
version: 1.0.0
appVersion: "1.0"
keywords:
  - web
  - application
maintainers:
  - name: Your Name
    email: your.email@example.com
dependencies:
  - name: postgresql
    version: "12.x.x"
    repository: https://charts.bitnami.com/bitnami
    condition: postgresql.enabled
values.yaml
# Default values
replicaCount: 3
image:
  repository: nginx
  pullPolicy: IfNotPresent
  tag: "1.21.0"
service:
  type: ClusterIP
  port: 80
ingress:
  enabled: false
  className: "nginx"
  annotations: {}
  hosts:
    - host: myapp.example.com
      paths:
        - path: /
          pathType: Prefix
  tls: []
resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi
autoscaling:
  enabled: false
  minReplicas: 2
  maxReplicas: 10
  targetCPUUtilizationPercentage: 80
postgresql:
  enabled: true
  auth:
    username: myapp
    # Never commit a real password here: values.yaml lives in git and is stored in plain text in the
    # release Secret. Create the credential Secret out of band and point the subchart at it with
    # postgresql.auth.existingSecret; the placeholder below only documents the key.
    password: mypassword
    database: myappdb
deployment.yaml template
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "myapp.fullname" . }}
  labels:
    {{- include "myapp.labels" . | nindent 4 }}
spec:
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "myapp.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "myapp.selectorLabels" . | nindent 8 }}
    spec:
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /
              port: http
          readinessProbe:
            httpGet:
              path: /
              port: http
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
_helpers.tpl
{{/*
Expand the name of the chart.
*/}}
{{- define "myapp.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
*/}}
{{- define "myapp.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create the chart name and version as used by the chart label
(referenced by "myapp.labels" below; without this define the chart fails to render).
*/}}
{{- define "myapp.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "myapp.labels" -}}
helm.sh/chart: {{ include "myapp.chart" . }}
{{ include "myapp.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "myapp.selectorLabels" -}}
app.kubernetes.io/name: {{ include "myapp.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
2.3 Advanced Helm Features
Custom values
# Use a custom values file
helm install myapp ./mychart -f custom-values.yaml
# Override individual values on the command line
helm install myapp ./mychart --set replicaCount=5
# Several values files; later files take precedence over earlier ones
helm install myapp ./mychart -f values.yaml -f production-values.yaml
# Render the manifests locally without installing (review this output, or run it through a policy check, before install)
helm template myapp ./mychart -f custom-values.yaml
Helm hooks
# pre-install hook. Hook resources are not tracked as part of the release; the delete policy below
# removes the previous hook object before a new one is created so re-installs do not collide.
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ include "myapp.fullname" . }}-pre-install
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": before-hook-creation
spec:
  template:
    spec:
      containers:
        - name: pre-install
          image: busybox
          command: ['sh', '-c', 'echo Pre-install tasks']
      restartPolicy: Never
3. Configuration Management with Kustomize
3.1 Kustomize Basics
Directory layout
kustomize/
├── base/
│   ├── kustomization.yaml
│   ├── deployment.yaml
│   ├── service.yaml
│   └── configmap.yaml
├── overlays/
│   ├── development/
│   │   ├── kustomization.yaml
│   │   ├── replica-patch.yaml
│   │   └── config-patch.yaml
│   ├── staging/
│   │   ├── kustomization.yaml
│   │   └── replica-patch.yaml
│   └── production/
│       ├── kustomization.yaml
│       ├── replica-patch.yaml
│       └── resource-patch.yaml
3.2 Base Configuration
base/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - deployment.yaml
  - service.yaml
  - configmap.yaml
# commonLabels is also written into selectors (Deployment.spec.selector, Service.spec.selector), and a
# Deployment's selector is immutable once created, so changing these labels later forces a recreate.
# Newer kustomize offers `labels:` with includeSelectors: false when you only want metadata labels.
commonLabels:
  app: myapp
  managed-by: kustomize
commonAnnotations:
  version: "1.0"
images:
  - name: myapp
    newName: myregistry.com/myapp
    newTag: v1.0.0
base/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: myapp:latest
          ports:
            - containerPort: 8080
          envFrom:
            - configMapRef:
                name: myapp-config
3.3 Overlay Configuration
overlays/production/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# `bases:` and `patchesStrategicMerge:` are deprecated since kustomize 5 (still accepted with a warning);
# `resources:` and `patches:` are the current equivalents.
resources:
  - ../../base
namespace: production
replicas:
  - name: myapp
    count: 5
images:
  # The base has already rewritten the image name to myregistry.com/myapp, and the image transformer
  # matches on the full name, so the overlay must reference the rewritten name or its newTag is ignored.
  - name: myregistry.com/myapp
    newTag: v1.0.0-production
patches:
  # replica-patch.yaml from the layout above is unnecessary here because `replicas:` already sets the count
  - path: resource-patch.yaml
configMapGenerator:
  - name: myapp-config
    behavior: merge
    literals:
      - ENV=production
      - LOG_LEVEL=info
overlays/production/resource-patch.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  template:
    spec:
      containers:
        - name: myapp
          resources:
            requests:
              cpu: 500m
              memory: 512Mi
            limits:
              cpu: 1000m
              memory: 1Gi
3.4 Using Kustomize
# Render the generated YAML
kubectl kustomize overlays/production
# Show what would change in the cluster before applying
kubectl diff -k overlays/production
# Apply the configuration
kubectl apply -k overlays/production
# Delete the configuration
kubectl delete -k overlays/production
# Build with the standalone kustomize binary (usually newer than the copy embedded in kubectl)
kustomize build overlays/production | kubectl apply -f -
4. Visual Management Tools
4.1 K9s
Installation and usage
# Install K9s with Homebrew
brew install derailed/k9s/k9s
# Or with the webinstall.dev script. This pipes a remote script into bash; on a machine that holds
# cluster credentials, download the release binary and check its published checksum instead.
curl -sS https://webinstall.dev/k9s | bash
# Start K9s
k9s
# Common key bindings
# :pods   - view Pods
# :svc    - view Services
# :deploy - view Deployments
# :nodes  - view Nodes
# /       - filter
# l       - logs
# d       - describe
# e       - edit
# ctrl+d  - delete
# ?       - help
K9s configuration
# ~/.config/k9s/config.yaml (older releases used ~/.k9s/config.yml; `k9s info` prints the paths in use)
k9s:
  liveViewAutoRefresh: false
  screenDumpDir: /tmp/k9s-screen-dumps
  refreshRate: 2
  maxConnRetry: 5
  readOnly: false          # set to true for production contexts: disables edit, delete and shell actions
  noExitOnCtrlC: false
  skipLatestRevCheck: false
  disablePodCounting: false
  ui:
    enableMouse: false
    headless: false
    logoless: false
    crumbsless: false
    reactive: false
    noIcons: false
  shellPod:
    image: busybox:1.35.0   # image used for node shells; pin it, since it runs with node-level access
    namespace: default
    limits:
      cpu: 100m
      memory: 100Mi
  imageScans:
    enable: false
    exclusions:
      namespaces: []
      labels: {}
4.2 Lens
Installation
# macOS
brew install --cask lens
# Or download from the project site
# https://k8slens.dev/
Lens features
- Multi-cluster management
- Resource visualisation
- Log viewing
- Shell access into Pods
- Helm chart management
- Prometheus integration
5. Log Aggregation with stern
5.1 Installing stern
# With Homebrew
brew install stern
# Or download the release binary
curl -LO https://github.com/stern/stern/releases/download/v1.26.0/stern_1.26.0_linux_amd64.tar.gz
tar xvzf stern_1.26.0_linux_amd64.tar.gz
sudo mv stern /usr/local/bin/
5.2 Using stern
# Logs of every Pod in a namespace (the pod query is a regular expression; "." matches everything)
stern . -n production
# Regular expression on Pod names
stern "web-.*" -n production
# Restrict to containers matching a regular expression
stern web -c "web|sidecar"
# Only lines newer than a relative duration (--since takes a duration such as 15m or 2h, not an absolute timestamp)
stern web --since 15m
# Write to a file (disable colour so ANSI escape codes do not end up in the file)
stern web -n production --color never > app.log
# Force colour output
stern web --color always
# Include timestamps
stern web -t
# -e/--exclude drops log lines matching a regex; -E/--exclude-pod drops Pods matching a regex
stern web --exclude "GET /healthz"
stern web --exclude-pod "web-canary.*"
# Across all namespaces
stern web -A
6. Policy Management Tools
6.1 OPA Gatekeeper
Installing Gatekeeper
# Install Gatekeeper (pin the release branch; review the manifest, it creates cluster-wide admission webhooks)
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.14/deploy/gatekeeper.yaml
# Verify the installation
kubectl get pods -n gatekeeper-system
ConstraintTemplate example
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        # Schema for spec.parameters of the Constraint
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("you must provide labels: %v", [missing])
        }
Constraint example
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: require-app-label
spec:
  # The default enforcementAction is deny. Roll a new constraint out with enforcementAction: dryrun
  # (or warn) first and read the violations the audit controller records in the constraint's status
  # before switching to deny, so existing workloads do not break on their next update.
  match:
    kinds:
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
    namespaces:
      - production
  parameters:
    labels:
      - app
      - environment
      - owner
6.2 Kyverno
Installing Kyverno
# Install Kyverno (pinned release; the manifest creates cluster-wide admission webhooks, review it first)
kubectl create -f https://github.com/kyverno/kyverno/releases/download/v1.11.0/install.yaml
# Verify the installation
kubectl get pods -n kyverno
ClusterPolicy example
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  # Enforce blocks the request; Audit only records a PolicyReport. Capitalised values are the current
  # spelling (since Kyverno 1.9); the lowercase form still works but is deprecated.
  validationFailureAction: Enforce
  rules:
    - name: check-for-labels
      match:
        any:
          - resources:
              kinds:
                - Deployment
              namespaces:
                - production
      validate:
        message: "Labels 'app' and 'environment' are required."
        pattern:
          metadata:
            labels:
              app: "?*"
              environment: "?*"
Image verification policy
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image
spec:
  validationFailureAction: Enforce
  rules:
    - name: verify-signature
      # Kyverno auto-generates the matching rule for Pod controllers, so matching Pod also covers
      # Deployments, StatefulSets, Jobs and so on.
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Only images matching imageReferences are verified; an image from any other registry passes this
        # rule untouched. Pair it with a policy that restricts which registries may be used at all.
        # On success Kyverno also rewrites the image reference to its digest by default.
        - imageReferences:
            - "myregistry.com/*"
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      ...
                      -----END PUBLIC KEY-----
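Both Gatekeeper and Kyverno decide at admission time, which is late for a CI pipeline that already has the rendered manifests from `helm template` or `kubectl kustomize` in hand. The script below is an added example, not part of the original page and not Gatekeeper's or Kyverno's own code: it re-implements two of the rules above so they can be evaluated offline before anything reaches the API server. The first is the K8sRequiredLabels constraint with its parameters (Deployments in the production namespace must carry app, environment and owner, using the same set arithmetic as the Rego). The second reproduces the scope of the verifyImages rule (`myregistry.com/*`, applied to Pods and to the pod templates of controllers); signature verification needs the registry and the public key, so as a stated stand-in the gate requires those images to be pinned by digest, and a real pipeline would call `cosign verify` or leave that to Kyverno. Objects are plain dicts, which is what a YAML parser gives you for rendered manifests; the objects embedded below are constructed sample data, and the third one is there to show the gap noted above: a Deployment outside the matched namespace pulling from another registry passes both rules.

```python
"""Pre-admission policy gate over rendered manifests (CI stage).

Added example, not code from Gatekeeper, Kyverno or the original page.
Reads a JSON array or List on stdin; without stdin it evaluates SAMPLE_OBJECTS.
"""
import fnmatch
import json
import re
import sys
from dataclasses import dataclass

# Parameters lifted from the Constraint and ClusterPolicy above.
REQUIRED_LABELS = ("app", "environment", "owner")   # spec.parameters.labels
LABEL_RULE_KINDS = {("apps", "Deployment")}          # match.kinds
LABEL_RULE_NAMESPACES = {"production"}               # match.namespaces
GOVERNED_IMAGES = ("myregistry.com/*",)              # verifyImages.imageReferences
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed sample objects, as produced by YAML-parsing rendered manifests.
SAMPLE_OBJECTS = [
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web", "namespace": "production",
                  "labels": {"app": "web", "environment": "production", "owner": "team-web"}},
     "spec": {"template": {"spec": {"containers": [
         {"name": "web", "image": "myregistry.com/web@sha256:" + "a" * 64}]}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "worker", "namespace": "production", "labels": {"app": "worker"}},
     "spec": {"template": {"spec": {"containers": [
         {"name": "worker", "image": "myregistry.com/worker:latest"}]}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "nginx", "namespace": "staging"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "nginx", "image": "docker.io/library/nginx:1.25"}]}}}},
]


@dataclass(frozen=True)
class Violation:
    rule: str
    kind: str
    namespace: str
    name: str
    message: str


def _meta(obj):
    m = obj.get("metadata", {})
    return m.get("namespace", "default"), m.get("name", "<unnamed>"), m.get("labels") or {}


def _api_group(obj):
    api = obj.get("apiVersion", "")
    return api.split("/")[0] if "/" in api else ""   # "v1" is the core (empty) group


def _pod_spec(obj):
    """Pod spec of a Pod or of a workload embedding a pod template, mirroring
    Kyverno's auto-generated rules for controllers."""
    kind, spec = obj.get("kind"), obj.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec")
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"):
        return spec.get("template", {}).get("spec")
    return None


def required_labels(obj):
    """Same set arithmetic as the Rego: missing := required - provided."""
    ns, name, labels = _meta(obj)
    if (_api_group(obj), obj.get("kind")) not in LABEL_RULE_KINDS or ns not in LABEL_RULE_NAMESPACES:
        return []
    missing = sorted(set(REQUIRED_LABELS) - set(labels))
    if not missing:
        return []
    return [Violation("require-app-label", obj["kind"], ns, name,
                      "you must provide labels: %s" % ", ".join(missing))]


def governed(image):
    """True if the image falls under an imageReferences pattern ('*' spans '/')."""
    return any(fnmatch.fnmatchcase(image, pattern) for pattern in GOVERNED_IMAGES)


def verify_images(obj):
    """Stand-in for signature verification: governed images must be digest-pinned."""
    ns, name, _ = _meta(obj)
    pod = _pod_spec(obj)
    if pod is None:
        return []
    out = []
    for field in ("initContainers", "containers"):
        for c in pod.get(field, []):
            image = c.get("image", "")
            if governed(image) and not DIGEST_RE.search(image):
                out.append(Violation("verify-image", obj["kind"], ns, name,
                                     "image %s must be pinned by digest" % image))
    return out


RULES = (required_labels, verify_images)


def evaluate(objects):
    return [v for obj in objects for rule in RULES for v in rule(obj)]


def main():
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    if text.strip():
        doc = json.loads(text)
        objects = doc if isinstance(doc, list) else doc.get("items", [doc])
    else:
        objects = SAMPLE_OBJECTS
    violations = evaluate(objects)
    for v in violations:
        print("%s: %s %s/%s: %s" % (v.rule, v.kind, v.namespace, v.name, v.message))
    sys.exit(1 if violations else 0)


if __name__ == "__main__":
    main()
```

The gate exits non-zero on any violation so it can sit between `kubectl kustomize overlays/production` and `kubectl apply`; it complements the in-cluster policy rather than replacing it, because only the admission webhook sees objects created by controllers or by hand.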
7. Command Cheat Sheet
Helm commands
# Basic operations
helm install <release> <chart>
helm upgrade <release> <chart>
helm rollback <release> <revision>
helm uninstall <release>
# Queries
helm list
helm status <release>
helm history <release>
# Chart management
helm create <chart-name>
helm package <chart-dir>
helm lint <chart-dir>
helm template <chart-dir>
Kustomize commands
# Build
kubectl kustomize <dir>
kustomize build <dir>
# Apply
kubectl apply -k <dir>
kubectl delete -k <dir>
# Show the difference against the cluster
kubectl diff -k <dir>
Visual tool commands
# K9s
k9s
k9s -n production
k9s --context prod-cluster
k9s --readonly          # no edit/delete/shell actions for this session
# Lens
# operated through the graphical interface
# stern
stern <pod-query>
stern <pod-query> -n <namespace>
stern <pod-query> --since 15m
8. Core Interview Questions
Q1: What is the difference between Helm and Kustomize?
Key points:
- Helm: templating, a package manager, dependency management
- Kustomize: overlay-based configuration management, no templates
- Helm suits complex applications and release versioning (history, rollback)
- Kustomize suits multi-environment configuration
- The two can be combined, for example by using `helm template` output as a Kustomize base
Q2: How do you query complex data with kubectl jsonpath?
Key points:
- Use range ... end to iterate over arrays
- Use filter expressions such as ?(@.field=="value")
- Access nested fields with dot notation
- Index arrays with [*] or [0]
- Use {"\t"} and {"\n"} to format the output
Q3: How do you choose between Gatekeeper and Kyverno?
Key points:
- Gatekeeper: built on OPA, policies written in Rego, more flexible
- Kyverno: policies written in YAML, easier to pick up
- Gatekeeper suits complex policies
- Kyverno suits common policies and quick adoption (and adds mutation, generation and image verification)
- Choose according to the team's skills and requirements
Q4: What are the best practices for a Helm chart?
Key points:
- Define shared templates in _helpers.tpl
- Ship sensible default values
- Support the configuration options users need
- Document every value
- Version the chart (and pin chart versions when installing)
- Test the chart (helm lint, helm template, helm test)
Q5: How do you debug a Kustomize configuration?
Key points:
- Run kubectl kustomize <dir> to inspect the generated YAML
- Run kubectl diff -k <dir> to see what would change in the cluster
- Check the base and overlay configuration
- Validate the patch format (the patch target's kind, name and namespace must match the resource)
- Build with kustomize build on its own
9. Best Practices
Tool selection
kubectl
- Configure aliases and functions
- Use kubectl plugins
- Master jsonpath and custom-columns
- Use the wait command
Package management
- Complex applications: Helm
- Multi-environment configuration: Kustomize
- The two can be combined
- Integrate with GitOps
Visual tools
- Command line: K9s
- Graphical interface: Lens
- Log aggregation: stern
- Choose according to the situation
Policy management
- Security policy: OPA Gatekeeper
- General-purpose policy: Kyverno
- Integrate policy checks into CI/CD
- Review policies regularly
Efficiency
Commands
- Configure shell aliases
- Use shell completion
- Script recurring tasks
- Use the helper tools above
Configuration management
- Keep every configuration under version control
- Separate environments
- Automate deployment
- Document the process
Collaboration
- Standardise the toolchain
- Share best practices
- Code review
- Knowledge sharing
10. Summary
Having worked through this module you have covered:
- Advanced kubectl usage and techniques
- Helm package-management best practices
- Configuration management with Kustomize
- The K9s and Lens visual tools
- Log aggregation with stern
- Policy management with OPA Gatekeeper and Kyverno
- Best practices for the operations toolchain
Next step: continue with 12 - Production Checklist, which covers the Kubernetes go-live checklist and best practices.