Best practices for application developers to manage resources in Azure Kubernetes Service (AKS)

As you develop and run applications in Azure Kubernetes Service (AKS), there are a few key areas to consider. How you manage your application deployments can negatively impact the end-user experience of services that you provide. To help you succeed, keep in mind some best practices you can follow as you develop and run applications in AKS.

This best practices article focuses on how to run your cluster and workloads from an application developer perspective. For information about administrative best practices, see Cluster operator best practices for isolation and resource management in Azure Kubernetes Service (AKS). In this article, you learn:

  • What are pod resource requests and limits
  • Ways to develop and deploy applications with Visual Studio Code
  • How to use the kube-advisor tool to check for issues with deployments

Define pod resource requests and limits

Best practice guidance - Set pod requests and limits on all pods in your YAML manifests. If the AKS cluster uses resource quotas, your deployment may be rejected if you don't define these values.

A primary way to manage the compute resources within an AKS cluster is to use pod requests and limits. These requests and limits let the Kubernetes scheduler know what compute resources a pod should be assigned.

  • Pod CPU/Memory requests define a set amount of CPU and memory that the pod needs on a regular basis.
    • When the Kubernetes scheduler tries to place a pod on a node, the pod requests are used to determine which node has sufficient resources available for scheduling.
    • Not setting a pod request will default it to the limit defined.
    • It is very important to monitor the performance of your application to adjust these requests. If insufficient requests are made, your application may receive degraded performance due to overscheduling a node. If requests are overestimated, your application may have increased difficulty getting scheduled.
  • Pod CPU/Memory limits are the maximum amount of CPU and memory that a pod can use. Memory limits help define which pods should be killed in the event of node instability due to insufficient resources. Without proper limits set, pods will be killed until resource pressure is lifted. A pod may or may not be able to exceed the CPU limit for a period of time, but the pod will not be killed for exceeding the CPU limit.
    • Pod limits help define when a pod has lost control of resource consumption. When a limit is exceeded, the pod is prioritized for killing to maintain node health and minimize impact to pods sharing the node.
    • Not setting a pod limit defaults it to the highest available value on a given node.
    • Don't set a pod limit higher than your nodes can support. Each AKS node reserves a set amount of CPU and memory for the core Kubernetes components. Your application may try to consume too many resources on the node for other pods to successfully run.
    • Again, it is very important to monitor the performance of your application at different times during the day or week. Determine when the peak demand is, and align the pod limits to the resources required to meet the application's max needs.

In your pod specifications, it's best practice and very important to define these requests and limits based on the above information. If you don't include these values, the Kubernetes scheduler cannot take into account the resources your applications require to aid in scheduling decisions.

If the scheduler places a pod on a node with insufficient resources, application performance will be degraded. It is highly recommended for cluster administrators to set resource quotas on a namespace that requires you to set resource requests and limits. For more information, see resource quotas on AKS clusters.

When you define a CPU request or limit, the value is measured in CPU units.

  • 1.0 CPU equates to one underlying virtual CPU core on the node.
  • The same measurement is used for GPUs.
  • You can define fractions measured in millicores. For example, 100m is 0.1 of an underlying vCPU core.

In the following basic example for a single NGINX pod, the pod requests 100m of CPU time, and 128Mi of memory. The resource limits for the pod are set to 250m CPU and 256Mi memory:

kind: Pod
apiVersion: v1
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: dockerhub.azk8s.cn/library/nginx:1.15.5
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 250m
        memory: 256Mi

For more information about resource measurements and assignments, see Managing compute resources for containers.

Develop and debug applications against an AKS cluster

Best practice guidance - Development teams should deploy and debug against an AKS cluster using Dev Spaces. This development model makes sure that role-based access controls, network, or storage needs are implemented before the app is deployed to production.

With Azure Dev Spaces, you develop, debug, and test applications directly against an AKS cluster. Developers within a team work together to build and test throughout the application lifecycle. You can continue to use existing tools such as Visual Studio or Visual Studio Code. An extension is installed for Dev Spaces that gives an option to run and debug the application in an AKS cluster.

This integrated development and test process with Dev Spaces reduces the need for local test environments, such as minikube. Instead, you develop and test against an AKS cluster. This cluster can be secured and isolated as noted in the previous section on the use of namespaces to logically isolate a cluster. When your apps are ready to deploy to production, you can confidently deploy as your development was all done against a real AKS cluster.

Azure Dev Spaces is intended for use with applications that run on Linux pods and nodes.

Use the Visual Studio Code extension for Kubernetes

Best practice guidance - Install and use the VS Code extension for Kubernetes when you write YAML manifests. You can also use the extension for an integrated deployment solution, which may help application owners that infrequently interact with the AKS cluster.

The Visual Studio Code extension for Kubernetes helps you develop and deploy applications to AKS. The extension provides IntelliSense for Kubernetes resources, and Helm charts and templates. You can also browse, deploy, and edit Kubernetes resources from within VS Code. The extension also provides an IntelliSense check for resource requests or limits being set in the pod specifications:

Figure: Warning in the VS Code extension for Kubernetes about a missing memory limit

Regularly check for application issues with kube-advisor

Best practice guidance - Regularly run the latest version of the kube-advisor open source tool to detect issues in your cluster. If you apply resource quotas on an existing AKS cluster, run kube-advisor first to find pods that don't have resource requests and limits defined.

The kube-advisor tool is an associated AKS open source project that scans a Kubernetes cluster and reports on issues that it finds. One useful check is to identify pods that don't have resource requests and limits in place.

The kube-advisor tool can report on resource requests and limits missing in PodSpecs for Windows applications as well as Linux applications, but the kube-advisor tool itself must be scheduled on a Linux pod. You can schedule a pod to run on a node pool with a specific OS using a node selector in the pod's configuration.

In an AKS cluster that hosts many development teams and applications, it can be hard to track pods without these resource requests and limits set. As a best practice, regularly run kube-advisor on your AKS clusters.
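The missing-requests-and-limits check described in this section, as an added example (not kube-advisor's code and not part of the original article): it audits PodList JSON, the shape that `kubectl get pods -o json` returns, and applies the CPU-unit rules from the requests and limits section to flag a request larger than its limit. The sample pods and all function names are constructed for illustration.

```python
import json

# Binary and decimal suffixes Kubernetes accepts for memory quantities.
_MEM = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
        "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

def cpu_millicores(q):
    """'100m' -> 100, '0.5' -> 500, 1 -> 1000 (1.0 CPU is one vCPU core)."""
    q = str(q)
    return int(q[:-1]) if q.endswith("m") else round(float(q) * 1000)

def memory_bytes(q):
    """'128Mi' -> 134217728; a value without a suffix is already bytes."""
    q = str(q)
    for suffix in sorted(_MEM, key=len, reverse=True):  # try 'Mi' before 'M'
        if q.endswith(suffix):
            return round(float(q[:-len(suffix)]) * _MEM[suffix])
    return int(float(q))

def audit(pod_list):
    """Return (namespace, pod, container, problem) tuples for a PodList dict."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        ns, name = meta.get("namespace", "default"), meta.get("name", "?")
        for c in pod.get("spec", {}).get("containers", []):
            res = c.get("resources") or {}
            req, lim = res.get("requests") or {}, res.get("limits") or {}
            for key, parse in (("cpu", cpu_millicores), ("memory", memory_bytes)):
                for field, values in (("request", req), ("limit", lim)):
                    if key not in values:
                        findings.append((ns, name, c["name"], f"no {key} {field}"))
                if key in req and key in lim and parse(req[key]) > parse(lim[key]):
                    findings.append((ns, name, c["name"], f"{key} request exceeds limit"))
    return findings

# Constructed sample data; the first pod mirrors the NGINX example on this page.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "mypod", "namespace": "web"}, "spec": {"containers": [
  {"name": "mypod", "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                                  "limits": {"cpu": "250m", "memory": "256Mi"}}}]}},
 {"metadata": {"name": "batch", "namespace": "jobs"}, "spec": {"containers": [
  {"name": "worker", "resources": {"requests": {"cpu": "0.5"}, "limits": {"cpu": "250m"}}},
  {"name": "sidecar", "resources": {}}]}}
]}""")

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Running a check like this before a namespace gets a resource quota shows which deployments the quota would reject.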

Next steps

This best practices article focused on how to run your cluster and workloads from a cluster operator perspective. For information about administrative best practices, see Cluster operator best practices for isolation and resource management in Azure Kubernetes Service (AKS).

To implement some of these best practices, see the following articles: