Checking for Kubernetes best practices in your cluster

There are several best practices that you should follow on your Kubernetes deployments to ensure the best performance and resilience for your applications. You can use the kube-advisor tool to look for deployments that aren't following those suggestions.

About kube-advisor

The kube-advisor tool is a single container designed to be run on your cluster. It queries the Kubernetes API server for information about your deployments and returns a set of suggested improvements.

The kube-advisor tool can report on resource requests and limits missing in PodSpecs for Windows applications as well as Linux applications, but the kube-advisor tool itself must be scheduled on a Linux pod. You can schedule a pod to run on a node pool with a specific OS using a node selector in the pod's configuration.

Note

The kube-advisor tool is supported by Azure on a best-effort basis. Issues and suggestions should be filed on GitHub.

Running kube-advisor

To run the tool on a cluster that is configured for Kubernetes role-based access control (Kubernetes RBAC), use the following commands. The first command creates a Kubernetes service account. The second command runs the tool in a pod using that service account and configures the pod for deletion after it exits.

kubectl apply -f https://raw.githubusercontent.com/Azure/kube-advisor/master/sa.yaml

kubectl run --rm -i -t kubeadvisor --image=mcr.microsoft.com/aks/kubeadvisor --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"serviceAccountName\": \"kube-advisor\" } }" --namespace default

If you aren't using Kubernetes RBAC, you can run the command as follows:

kubectl run --rm -i -t kubeadvisor --image=mcr.microsoft.com/aks/kubeadvisor --restart=Never

Within a few seconds, you should see a table describing potential improvements to your deployments.

(Screenshot: kube-advisor output)

Checks performed

The tool validates several Kubernetes best practices, each with its own suggested remediation.

Resource requests and limits

Kubernetes supports defining resource requests and limits on pod specifications. The request defines the minimum CPU and memory required to run the container. The limit defines the maximum CPU and memory that should be allowed.

By default, no requests or limits are set on pod specifications. This can lead to nodes being overscheduled and containers being starved. The kube-advisor tool highlights pods without requests and limits set.
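The check described above, applied offline to a pod list in the shape that `kubectl get pods --all-namespaces -o json` returns, as an added example that is not kube-advisor's own code; the pod list, the pod names and the function names are constructed for this example.

```python
"""Report containers that lack an explicit CPU/memory request or limit.

Added example, not kube-advisor's own code. It applies the same rule the
tool enforces to a PodList document (the JSON shape produced by
`kubectl get pods --all-namespaces -o json`). SAMPLE_POD_LIST is constructed.
"""
import json

RESOURCE_KINDS = ("requests", "limits")
RESOURCE_NAMES = ("cpu", "memory")


def missing_resources(container):
    """Return e.g. ['requests.cpu', 'limits.memory'] for one container spec.

    The check is deliberately strict: a field counts as missing unless it is
    set explicitly, even though Kubernetes copies a limit into the request
    when only the limit is given."""
    resources = container.get("resources") or {}
    missing = []
    for kind in RESOURCE_KINDS:
        values = resources.get(kind) or {}
        for name in RESOURCE_NAMES:
            if name not in values:
                missing.append(f"{kind}.{name}")
    return missing


def check_pod_list(pod_list):
    """Return (namespace, pod, container, missing) for every container, init
    containers included, that lacks any CPU/memory request or limit."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for container in spec.get("initContainers", []) + spec.get("containers", []):
            missing = missing_resources(container)
            if missing:
                findings.append((meta.get("namespace", "default"), meta["name"],
                                 container["name"], missing))
    return findings


# Constructed sample: web-0 is fully specified, worker-0 is not.
SAMPLE_POD_LIST = json.loads("""
{"kind": "PodList", "items": [
  {"metadata": {"namespace": "default", "name": "web-0"},
   "spec": {"containers": [{"name": "web", "resources": {
      "requests": {"cpu": "100m", "memory": "128Mi"},
      "limits": {"cpu": "500m", "memory": "256Mi"}}}]}},
  {"metadata": {"namespace": "default", "name": "worker-0"},
   "spec": {"containers": [{"name": "worker", "resources": {"limits": {"cpu": "1"}}},
                           {"name": "sidecar"}]}}]}
""")

if __name__ == "__main__":
    for ns, pod, container, missing in check_pod_list(SAMPLE_POD_LIST):
        print(f"{ns}/{pod} container {container}: missing {', '.join(missing)}")
```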

Cleaning up

If your cluster has Kubernetes RBAC enabled, you can clean up the ClusterRoleBinding after you've run the tool using the following command:

kubectl delete -f https://raw.githubusercontent.com/Azure/kube-advisor/master/sa.yaml

If you are running the tool against a cluster that is not Kubernetes RBAC-enabled, no cleanup is required.

Next steps