Azure Kubernetes Service

Azure Kubernetes Service (AKS) simplifies deploying a managed Kubernetes cluster in Azure by offloading the operational overhead to Azure. As a hosted Kubernetes service, Azure handles critical tasks such as health monitoring and maintenance. Because the Kubernetes masters (the control plane) are managed by Azure, you only manage and maintain the agent nodes. AKS itself is therefore free: you pay for the agent nodes in your clusters, not for the masters.

You can create an AKS cluster using the Azure CLI, the Azure portal, or a template-driven deployment.

When you deploy an AKS cluster, the Kubernetes master and all nodes are deployed and configured for you. Advanced networking, Azure Active Directory (Azure AD) integration, monitoring, and other features can be configured during the deployment process.

For more information on Kubernetes basics, see Kubernetes core concepts for AKS.

Note

AKS also supports Windows Server containers.

Access, security, and monitoring

For improved security and management, AKS lets you:

  • Integrate with Azure AD and use Kubernetes role-based access control (Kubernetes RBAC).
  • Monitor the health of your cluster and resources.

Identity and security management

Kubernetes RBAC

To limit access to cluster resources, AKS supports Kubernetes RBAC, which controls access and permissions to Kubernetes resources and namespaces.

Azure AD

You can configure an AKS cluster to integrate with Azure AD. With Azure AD integration, you can set up Kubernetes access based on existing identity and group membership: your existing Azure AD users and groups get an integrated sign-on experience and access to AKS resources.
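The two sections above describe Kubernetes RBAC and Azure AD integration separately; in practice they meet in a RoleBinding whose subject is an Azure AD group. The following is an added example, not code from the AKS documentation: it builds a namespace-scoped Role and a RoleBinding for one Azure AD group and then lints the result for the usual least-privilege mistakes. It relies on the fact that an Azure AD-integrated AKS cluster presents a group's object ID as the Kubernetes group name. The group object ID, namespace and role names are hypothetical, and the manifests are emitted as JSON, which `kubectl apply -f` accepts.

```python
"""Build namespace-scoped RBAC for an Azure AD group and lint it for least privilege.

Added example, not code from the AKS documentation. With Azure AD integration,
an Azure AD group's object ID is the group name Kubernetes sees, so a RoleBinding
subject of kind "Group" with that ID grants access to the group's members.
"""
import json

# Constructed sample group object ID (hypothetical, not a real tenant's).
DEV_GROUP_OID = "11111111-2222-3333-4444-555555555555"


def namespace_role(namespace, name, rules):
    """Namespace-scoped Role; rules are (apiGroups, resources, verbs) tuples."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": name, "namespace": namespace},
        "rules": [
            {"apiGroups": list(api_groups), "resources": list(resources), "verbs": list(verbs)}
            for api_groups, resources, verbs in rules
        ],
    }


def aad_group_binding(namespace, name, role_name, group_object_id):
    """RoleBinding that maps an Azure AD group (by object ID) to a namespace Role."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "subjects": [{"kind": "Group", "name": group_object_id,
                      "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "Role", "name": role_name,
                    "apiGroup": "rbac.authorization.k8s.io"},
    }


def lint_rbac(manifests):
    """Return least-privilege findings for a list of RBAC manifests.

    Flags wildcard apiGroups/resources/verbs in any rule, any binding to the
    built-in cluster-admin ClusterRole, and any subject in system:masters
    (members of that group bypass RBAC entirely).
    """
    findings = []
    for m in manifests:
        kind, name = m.get("kind"), m.get("metadata", {}).get("name")
        for rule in m.get("rules", []):
            for field in ("apiGroups", "resources", "verbs"):
                if "*" in rule.get(field, []):
                    findings.append(f"{kind}/{name}: wildcard in {field}")
        ref = m.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin":
            findings.append(f"{kind}/{name}: binds cluster-admin")
        for s in m.get("subjects", []):
            if s.get("kind") == "Group" and s.get("name") == "system:masters":
                findings.append(f"{kind}/{name}: subject system:masters bypasses RBAC")
    return findings


def dev_namespace_rbac(namespace, group_object_id):
    """Read plus deploy access in one namespace for one Azure AD group (hypothetical policy)."""
    role = namespace_role(namespace, "dev-deployer", [
        ([""], ["pods", "pods/log", "services", "configmaps"], ["get", "list", "watch"]),
        (["apps"], ["deployments"], ["get", "list", "watch", "create", "update", "patch"]),
    ])
    binding = aad_group_binding(namespace, "dev-deployer-binding", "dev-deployer", group_object_id)
    return [role, binding]


if __name__ == "__main__":
    manifests = dev_namespace_rbac("dev", DEV_GROUP_OID)
    assert lint_rbac(manifests) == []
    # A v1 List lets one `kubectl apply -f -` create both objects.
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": manifests}, indent=2))
```

Note that the Role deliberately omits `secrets` and any wildcard: a group that needs to read secrets in one namespace should get a separate, explicit rule, and nothing in a namespace Role should ever reference `system:masters` or `cluster-admin`, which is what `lint_rbac` enforces before the manifests reach the cluster.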

For more information on identity, see Access and identity options for AKS.

To secure your AKS clusters, see Integrate Azure Active Directory with AKS.

Integrated logging and monitoring

Azure Monitor for containers collects memory and processor performance metrics from containers, nodes, and controllers within your AKS cluster and deployed applications. You can review both container logs and the Kubernetes master logs, which are:

  • Stored in an Azure Log Analytics workspace.
  • Available through the Azure portal, Azure CLI, or a REST endpoint.
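Having the master logs in a workspace is only useful if something looks at them. The following is an added example, not code from the AKS documentation: detection logic that runs over kube-apiserver audit events and flags interactive pod access, secret reads outside the control plane, and cluster-wide RBAC changes. It assumes the events have been exported as JSON lines (AKS exposes them as the `kube-audit` diagnostic log category); the events, user names and group ID below are constructed for the example, and the `system:kube-` allowlist is a hypothetical starting point to tune per cluster.

```python
"""Detection logic over Kubernetes audit events from an AKS control plane.

Added example, not code from the AKS documentation. Assumes kube-apiserver
audit events (AKS: the `kube-audit` diagnostic category) are available as
JSON lines; the events below are constructed in the audit.k8s.io/v1 Event shape.
"""
import json


def _event(audit_id, verb, uri, user, groups, object_ref, code, stage="ResponseComplete"):
    """Build one constructed audit event carrying the fields the rules inspect."""
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
            "stage": stage, "verb": verb, "requestURI": uri,
            "user": {"username": user, "groups": groups},
            "objectRef": object_ref, "responseStatus": {"code": code}}


AAD_DEV_GROUP = "11111111-2222-3333-4444-555555555555"  # hypothetical Azure AD group object ID

SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    # exec into a production pod by an Azure AD user; the same request is logged at two stages
    _event("a1", "create", "/api/v1/namespaces/prod/pods/web-0/exec?command=sh",
           "alice@contoso.example", [AAD_DEV_GROUP],
           {"resource": "pods", "namespace": "prod", "name": "web-0", "subresource": "exec"},
           None, stage="RequestReceived"),
    _event("a1", "create", "/api/v1/namespaces/prod/pods/web-0/exec?command=sh",
           "alice@contoso.example", [AAD_DEV_GROUP],
           {"resource": "pods", "namespace": "prod", "name": "web-0", "subresource": "exec"}, 101),
    # a CI service account listing secrets across every namespace
    _event("a2", "list", "/api/v1/secrets", "system:serviceaccount:ci:builder",
           ["system:serviceaccounts"], {"resource": "secrets"}, 200),
    # a user granting cluster-wide privileges
    _event("a3", "create", "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings",
           "bob@contoso.example", [], {"resource": "clusterrolebindings", "name": "bob-admin"}, 201),
    # ordinary pod read: no finding
    _event("a4", "get", "/api/v1/namespaces/prod/pods/web-0", "alice@contoso.example",
           [AAD_DEV_GROUP], {"resource": "pods", "namespace": "prod", "name": "web-0"}, 200),
    # control-plane component reading secrets as part of normal operation: allowlisted
    _event("a5", "list", "/api/v1/namespaces/kube-system/secrets",
           "system:kube-controller-manager", [], {"resource": "secrets", "namespace": "kube-system"}, 200),
])

CONTROL_PLANE_PREFIX = "system:kube-"  # hypothetical allowlist; tune per cluster


def detect(event):
    """Return a finding for one audit event, or None if it is benign."""
    if event.get("stage") != "ResponseComplete":
        return None  # a request is logged at several stages; count it once
    ref = event.get("objectRef") or {}
    user = event.get("user", {}).get("username", "")
    verb, resource, sub = event.get("verb"), ref.get("resource"), ref.get("subresource")
    if resource == "pods" and sub in ("exec", "attach", "portforward"):
        return f"interactive pod access: {user} {verb} pods/{sub} on {ref.get('namespace')}/{ref.get('name')}"
    if resource == "secrets" and verb in ("get", "list", "watch") \
            and not user.startswith(CONTROL_PLANE_PREFIX):
        return f"secret read: {user} {verb} secrets in {ref.get('namespace') or 'ALL NAMESPACES'}"
    if resource in ("clusterroles", "clusterrolebindings") \
            and verb in ("create", "update", "patch", "delete"):
        return f"cluster-wide RBAC change: {user} {verb} {resource}/{ref.get('name')}"
    return None


def scan(audit_jsonl):
    """Run detect() over every JSON line and collect the findings in order."""
    return [f for line in audit_jsonl.splitlines() if line.strip()
            for f in [detect(json.loads(line))] if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_LOG):
        print(finding)
```

The `stage` check matters: the API server emits one event per stage for the same `auditID`, so a rule that does not filter on `ResponseComplete` double-counts every request. The same three rules translate directly into a scheduled query against the workspace once the events are there.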

For more information, see Monitor Azure Kubernetes Service container health.

Clusters and nodes

AKS nodes run on Azure virtual machines (VMs). With AKS nodes, you can connect storage to nodes and pods, upgrade cluster components, and use GPUs. AKS supports Kubernetes clusters that run multiple node pools to support mixed operating systems and Windows Server containers.

For more information about Kubernetes cluster, node, and node pool capabilities, see Kubernetes core concepts for AKS.

Cluster node and pod scaling

As demand for resources changes, the number of cluster nodes or pods that run your services scales up or down automatically. You can configure both the horizontal pod autoscaler and the cluster autoscaler so the cluster adjusts to demand and runs only the resources it needs.

For more information, see Scale an Azure Kubernetes Service (AKS) cluster.

Cluster node upgrades

AKS offers multiple Kubernetes versions. As new versions become available in AKS, you can upgrade your cluster using the Azure portal or the Azure CLI. During the upgrade, nodes are carefully cordoned and drained to minimize disruption to running applications.
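How much disruption a drain causes depends on the PodDisruptionBudgets (PDBs) your workloads declare: eviction honours them, so a Deployment without one can lose every replica at once, while a PDB that permits zero disruptions blocks the drain and stalls the upgrade. The following is an added example, not code from the AKS documentation: a pre-upgrade check that, given Deployments and PDBs in the shape `kubectl get -o json` returns, reports how a node drain would affect each workload. The namespace, workload names and replica counts are constructed for the example.

```python
"""Pre-upgrade drain check: is each workload protected by a PodDisruptionBudget?

Added example, not code from the AKS documentation. The objects below are
constructed in the shape `kubectl get deployments,pdb -o json` returns.
"""
import math


def _deployment(namespace, name, replicas, app):
    """Constructed Deployment carrying only the fields the check reads."""
    return {"kind": "Deployment", "metadata": {"namespace": namespace, "name": name},
            "spec": {"replicas": replicas,
                     "template": {"metadata": {"labels": {"app": app}}}}}


def _pdb(namespace, name, app, **spec):
    """Constructed PodDisruptionBudget selecting pods by their app label."""
    return {"kind": "PodDisruptionBudget", "metadata": {"namespace": namespace, "name": name},
            "spec": {"selector": {"matchLabels": {"app": app}}, **spec}}


SAMPLE_DEPLOYMENTS = [
    _deployment("prod", "web", 4, "web"),
    _deployment("prod", "api", 3, "api"),
    _deployment("prod", "cache", 2, "cache"),
    _deployment("prod", "worker", 1, "worker"),
]
SAMPLE_PDBS = [
    _pdb("prod", "web-pdb", "web", maxUnavailable="25%"),
    _pdb("prod", "cache-pdb", "cache", minAvailable=2),  # equals the replica count: nothing may be evicted
]


def allowed_disruptions(replicas, pdb_spec):
    """Pods one PDB lets a drain evict concurrently.

    Kubernetes rounds a percentage minAvailable up and a percentage
    maxUnavailable down; absolute values are used as given.
    """
    if "minAvailable" in pdb_spec:
        v = pdb_spec["minAvailable"]
        min_available = math.ceil(replicas * int(v.rstrip("%")) / 100) if isinstance(v, str) else v
        return max(replicas - min_available, 0)
    v = pdb_spec["maxUnavailable"]
    return math.floor(replicas * int(v.rstrip("%")) / 100) if isinstance(v, str) else v


def _matches(selector, labels):
    """True when every matchLabels entry of the selector is present in the pod labels."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def drain_readiness(deployments, pdbs):
    """Map "namespace/name" to a verdict on how a node drain will affect the workload."""
    report = {}
    for d in deployments:
        ns, name = d["metadata"]["namespace"], d["metadata"]["name"]
        replicas = d["spec"].get("replicas", 1)
        labels = d["spec"]["template"]["metadata"]["labels"]
        budgets = [allowed_disruptions(replicas, p["spec"]) for p in pdbs
                   if p["metadata"]["namespace"] == ns and _matches(p["spec"]["selector"], labels)]
        if replicas < 2:
            verdict = "single replica: any drain interrupts it"
        elif not budgets:
            verdict = f"no PDB: all {replicas} replicas may be evicted together"
        elif min(budgets) == 0:
            verdict = "PDB permits 0 disruptions: drain blocks and the upgrade stalls"
        else:
            verdict = f"ok: at most {min(budgets)} of {replicas} replicas evicted at once"
        report[f"{ns}/{name}"] = verdict
    return report


if __name__ == "__main__":
    for workload, verdict in drain_readiness(SAMPLE_DEPLOYMENTS, SAMPLE_PDBS).items():
        print(f"{workload}: {verdict}")
```

Run this against the real cluster output before starting an upgrade: the "no PDB" and "0 disruptions" verdicts are the two that turn a routine node upgrade into either an outage or a stuck operation.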

To learn more about lifecycle versions, see Supported Kubernetes versions in AKS. For steps on how to upgrade, see Upgrade an Azure Kubernetes Service (AKS) cluster.

GPU-enabled nodes

AKS supports the creation of GPU-enabled node pools. Azure currently provides VMs with single or multiple GPUs. GPU-enabled VMs are designed for compute-intensive, graphics-intensive, and visualization workloads.

For more information, see Using GPUs on AKS.

Storage volume support

To support application workloads, you can mount static or dynamic storage volumes for persistent data. Depending on how many pods are expected to share a volume, you can use storage backed by either:

  • Azure Disks for single-pod access, or
  • Azure Files for concurrent access by multiple pods.

For more information, see Storage options for applications in AKS.

Get started with dynamic persistent volumes using Azure Disks or Azure Files.

Virtual networks and ingress

An AKS cluster can be deployed into an existing virtual network. In this configuration, every pod in the cluster is assigned an IP address in the virtual network and can communicate directly with:

  • Other pods in the cluster.
  • Other nodes in the virtual network.

Pods can also connect to other services in a peered virtual network and to on-premises networks over ExpressRoute or site-to-site (S2S) VPN connections. Because pod IPs are routable within the virtual network, restrict traffic between pods and to the rest of the network with Kubernetes network policies rather than relying on the cluster boundary.

For more information, see Network concepts for applications in AKS.

Development tooling integration

Kubernetes has a rich ecosystem of development and management tools that work seamlessly with AKS. These tools include Helm and the Kubernetes extension for Visual Studio Code.

Docker image support and private container registry

AKS supports the Docker image format. For private storage of your Docker images, you can integrate AKS with Azure Container Registry (ACR); the integration grants the cluster's kubelet identity pull permission on the registry, so nodes pull images without a stored registry password.

To create a private image store, see Azure Container Registry.

Kubernetes certification

AKS has been CNCF-certified as Kubernetes conformant.

Regulatory compliance

AKS is compliant with SOC, ISO, PCI DSS, and HIPAA. For more information, see Overview of Azure compliance.

Next steps

Learn more about deploying and managing AKS with the Azure CLI Quickstart.