Kubernetes 生产环境实战：从集群规划到故障恢复完整指南

# 很多人这样规划资源  
Master节点：2C4G × 3  
Worker节点：4C8G × 5

# 基于业务负载的科学规划  
Master节点：4C8G × 3 (奇数个，避免脑裂)  
Worker节点：8C16G × N (根据业务峰值 × 1.5倍规划)  
ETCD独立部署：2C4G × 3 (SSD存储必备)

apiVersion: operator.tigera.io/v1  
kind: Installation  
metadata:  
 name: default  
spec:  
 calicoNetwork:  
 ipPools:  
 - blockSize: 26  
 cidr: 10.244.0.0/16  
 encapsulation: VXLAN  
 natOutgoing: Enabled  
 nodeMetricsPort: 9091

#!/bin/bash  
# K8s集群自动化部署脚本 v2.0  
set -e  
  
# 环境检查  
check_requirements() {  
 echo "🔍 检查系统环境..."  
   
 # 检查操作系统  
 if [[ ! -f /etc/redhat-release ]] && [[ ! -f /etc/debian_version ]]; then  
 echo "❌ 仅支持 CentOS/RHEL 或 Ubuntu 系统"  
 exit 1  
 fi  
   
 # 检查内存  
 total_mem=$(free -m | awk 'NR==2{printf "%.0f", $2}')  
 if [[ $total_mem -lt 2048 ]]; then  
 echo "⚠️ 警告：内存小于2GB，可能影响集群稳定性"  
 fi  
   
 echo "✅ 环境检查通过"  
}  
  
# 系统初始化  
init_system() {  
 echo "🛠️ 初始化系统配置..."  
   
 # 关闭防火墙和SELinux  
 systemctl disable --now firewalld  
 setenforce 0  
 sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config  
   
 # 关闭swap  
 swapoff -a  
 sed -i '/ swap / s/^\(.\*\)$/#\1/g' /etc/fstab  
   
 # 加载内核模块  
 cat <<EOF | tee /etc/modules-load.d/k8s.conf  
br_netfilter  
overlay  
EOF  
   
 modprobe br_netfilter  
 modprobe overlay  
   
 # 配置内核参数  
 cat <<EOF | tee /etc/sysctl.d/k8s.conf  
net.bridge.bridge-nf-call-iptables = 1  
net.bridge.bridge-nf-call-ip6tables = 1  
net.ipv4.ip_forward = 1  
EOF  
   
 sysctl --system  
 echo "✅ 系统初始化完成"  
}  
  
# 安装容器运行时  
install_containerd() {  
 echo "📦 安装 containerd..."  
   
 # 安装依赖  
 yum install -y yum-utils device-mapper-persistent-data lvm2  
   
 # 添加Docker仓库  
 yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo  
   
 # 安装containerd  
 yum install -y containerd.io  
   
 # 配置containerd  
 mkdir -p /etc/containerd  
 containerd config default | tee /etc/containerd/config.toml  
   
 # 使用systemd cgroup driver  
 sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml  
   
 # 配置镜像加速器  
 sed -i 's|registry.k8s.io|registry.aliyuncs.com/google_containers|g' /etc/containerd/config.toml  
   
 systemctl enable --now containerd  
 echo "✅ containerd 安装完成"  
}  
  
# 安装kubeadm、kubelet、kubectl  
install_kubernetes() {  
 echo "🎯 安装 Kubernetes 组件..."  
   
 cat <<EOF | tee /etc/yum.repos.d/kubernetes.repo  
[kubernetes]  
name=Kubernetes  
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/  
enabled=1  
gpgcheck=1  
repo_gpgcheck=1  
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg  
EOF  
   
 yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes  
 systemctl enable --now kubelet  
   
 echo "✅ Kubernetes 组件安装完成"  
}  
  
# 主节点调用  
main() {  
 check_requirements  
 init_system  
 install_containerd  
 install_kubernetes  
   
 echo "🎉 集群基础环境准备完成！"  
 echo "📋 接下来执行："  
 echo " Master节点: kubeadm init --config=kubeadm-config.yaml"  
 echo " Worker节点: kubeadm join <master-ip>:6443 --token <token>"  
}  
  
main "$@"

apiVersion: kubeadm.k8s.io/v1beta3  
kind: InitConfiguration  
localAPIEndpoint:  
 advertiseAddress: 192.168.1.10  
 bindPort: 6443  
---  
apiVersion: kubeadm.k8s.io/v1beta3  
kind: ClusterConfiguration  
kubernetesVersion: v1.28.2  
controlPlaneEndpoint: "k8s-api.example.com:6443"  
networking:  
 serviceSubnet: "10.96.0.0/16"  
 podSubnet: "10.244.0.0/16"  
 dnsDomain: "cluster.local"  
etcd:  
 external:  
 endpoints:  
 - https://192.168.1.11:2379  
 - https://192.168.1.12:2379  
 - https://192.168.1.13:2379  
 caFile: /etc/kubernetes/pki/etcd/ca.crt  
 certFile: /etc/kubernetes/pki/etcd/server.crt  
 keyFile: /etc/kubernetes/pki/etcd/server.key  
apiServer:  
 certSANs:  
 - "k8s-api.example.com"  
 - "192.168.1.10"  
 - "192.168.1.20"  
 - "192.168.1.30"  
 extraArgs:  
 audit-log-maxage: "30"  
 audit-log-maxbackup: "10"  
 audit-log-maxsize: "100"  
 audit-log-path: "/var/log/audit.log"  
---  
apiVersion: kubelet.config.k8s.io/v1beta1  
kind: KubeletConfiguration  
cgroupDriver: systemd  
maxPods: 110

# prometheus-values.yaml  
prometheus:  
 prometheusSpec:  
 retention: 30d  
 resources:  
 requests:  
 memory: 2Gi  
 cpu: 1000m  
 limits:  
 memory: 8Gi  
 cpu: 2000m  
 storageSpec:  
 volumeClaimTemplate:  
 spec:  
 storageClassName: fast-ssd  
 accessModes: ["ReadWriteOnce"]  
 resources:  
 requests:  
 storage: 100Gi  
 additionalScrapeConfigs:  
 - job_name: 'kubernetes-nodes'  
 kubernetes_sd_configs:  
 - role: node  
 relabel_configs:  
 - source_labels: [__address__]  
 regex: '(.*):10250'  
 replacement: '${1}:9100'  
 target_label: __address__  
   
grafana:  
 persistence:  
 enabled: true  
 size: 20Gi  
 storageClassName: fast-ssd  
 plugins:  
 - grafana-piechart-panel  
 - grafana-kubernetes-app  
 dashboardProviders:  
 dashboardproviders.yaml:  
 apiVersion: 1  
 providers:  
 - name: 'default'  
 orgId: 1  
 folder: ''  
 type: file  
 disableDeletion: false  
 updateIntervalSeconds: 10  
 options:  
 path: /var/lib/grafana/dashboards

# critical-alerts.yaml  
groups:  
- name: kubernetes-critical  
 rules:  
 - alert: KubernetesNodeNotReady  
 expr: kube_node_status_condition{condition="Ready",status="true"} == 0  
 for: 5m  
 labels:  
 severity: critical  
 annotations:  
 summary: "Node {{ $labels.node }} is not ready"  
 description: "Node {{ $labels.node }} has been not ready for more than 5 minutes."  
   
 - alert: KubernetesPodCrashLooping  
 expr: rate(kube_pod_container_status_restarts_total[15m]) > 0  
 for: 5m  
 labels:  
 severity: warning  
 annotations:  
 summary: "Pod {{ $labels.pod }} is crash looping"  
 description: "Pod {{ $labels.pod }} in namespace {{ $labels.namespace }} is restarting frequently."  
   
 - alert: KubernetesMemoryPressure  
 expr: kube_node_status_condition{condition="MemoryPressure",status="true"} == 1  
 for: 2m  
 labels:  
 severity: critical  
 annotations:  
 summary: "Node {{ $labels.node }} has memory pressure"  
 description: "Node {{ $labels.node }} is under memory pressure."  
   
 - alert: EtcdClusterDown  
 expr: up{job="etcd"} == 0  
 for: 1m  
 labels:  
 severity: critical  
 annotations:  
 summary: "Etcd cluster is down"  
 description: "Etcd cluster has been down for more than 1 minute."

# developer-rbac.yaml  
apiVersion: v1  
kind: Namespace  
metadata:  
 name: development  
---  
apiVersion: v1  
kind: ServiceAccount  
metadata:  
 namespace: development  
 name: developer  
---  
apiVersion: rbac.authorization.k8s.io/v1  
kind: Role  
metadata:  
 namespace: development  
 name: developer-role  
rules:  
- apiGroups: [""]  
 resources: ["pods", "services", "configmaps", "secrets"]  
 verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]  
- apiGroups: ["apps"]  
 resources: ["deployments", "replicasets"]  
 verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]  
---  
apiVersion: rbac.authorization.k8s.io/v1  
kind: RoleBinding  
metadata:  
 name: developer-binding  
 namespace: development  
subjects:  
- kind: ServiceAccount  
 name: developer  
 namespace: development  
roleRef:  
 kind: Role  
 name: developer-role  
 apiGroup: rbac.authorization.k8s.io

# pod-security-policy.yaml  
apiVersion: policy/v1beta1  
kind: PodSecurityPolicy  
metadata:  
 name: restricted-psp  
spec:  
 privileged: false  
 allowPrivilegeEscalation: false  
 requiredDropCapabilities:  
 - ALL  
 volumes:  
 - 'configMap'  
 - 'emptyDir'  
 - 'projected'  
 - 'secret'  
 - 'downwardAPI'  
 - 'persistentVolumeClaim'  
 runAsUser:  
 rule: 'MustRunAsNonRoot'  
 seLinux:  
 rule: 'RunAsAny'  
 fsGroup:  
 rule: 'RunAsAny'

#!/bin/bash  
# k8s-health-check.sh - 集群健康检查脚本  
  
echo "🏥 开始Kubernetes集群健康检查..."  
  
# 1. 检查节点状态  
echo "📋 1. 检查节点状态"  
kubectl get nodes -o wide  
echo ""  
  
# 2. 检查系统Pod状态  
echo "📋 2. 检查系统Pod状态"  
kubectl get pods -n kube-system  
echo ""  
  
# 3. 检查存储类  
echo "📋 3. 检查存储类"  
kubectl get storageclass  
echo ""  
  
# 4. 检查网络插件  
echo "📋 4. 检查网络插件状态"  
kubectl get pods -n kube-system | grep -E "(calico|flannel|weave|cilium)"  
echo ""  
  
# 5. 检查API服务器连通性  
echo "📋 5. 检查API服务器"  
kubectl cluster-info  
echo ""  
  
# 6. 检查etcd状态  
echo "📋 6. 检查etcd集群状态"  
kubectl get pods -n kube-system | grep etcd  
echo ""  
  
# 7. 检查资源使用情况  
echo "📋 7. 检查资源使用情况"  
kubectl top nodes  
echo ""  
  
# 8. 检查事件  
echo "📋 8. 最近的集群事件"  
kubectl get events --sort-by=.metadata.creationTimestamp | tail -10  
echo ""  
  
echo "✅ 健康检查完成！"

#!/bin/bash  
# etcd-backup.sh - etcd自动备份脚本  
  
BACKUP_DIR="/opt/etcd-backup"  
DATE=$(date +%Y%m%d-%H%M%S)  
BACKUP_NAME="etcd-backup-${DATE}.db"  
  
# 创建备份目录  
mkdir -p ${BACKUP_DIR}  
  
# 执行备份  
ETCDCTL_API=3 etcdctl snapshot save ${BACKUP_DIR}/\${BACKUP_NAME} \
 --endpoints=https://127.0.0.1:2379 \  
 --cacert=/etc/kubernetes/pki/etcd/ca.crt \  
 --cert=/etc/kubernetes/pki/etcd/server.crt \  
 --key=/etc/kubernetes/pki/etcd/server.key  
  
# 验证备份  
ETCDCTL_API=3 etcdctl snapshot status \${BACKUP_DIR}/\${BACKUP_NAME} \  
 --endpoints=https://127.0.0.1:2379 \  
 --cacert=/etc/kubernetes/pki/etcd/ca.crt \  
 --cert=/etc/kubernetes/pki/etcd/server.crt \  
 --key=/etc/kubernetes/pki/etcd/server.key  
  
if [ $? -eq 0 ]; then  
 echo "✅ etcd备份成功: ${BACKUP_NAME}"  
   
 # 清理7天前的备份  
 find ${BACKUP_DIR} -name "etcd-backup-*.db" -mtime +7 -delete  
   
 # 上传到云存储（可选）  
 # aws s3 cp ${BACKUP_DIR}/${BACKUP_NAME} s3://your-backup-bucket/etcd/  
else  
 echo "❌ etcd备份失败"  
 exit 1  
fi

# 1. 停止所有Master节点的etcd和api-server  
systemctl stop etcd kubelet  
  
# 2. 移除旧的etcd数据  
mv /var/lib/etcd /var/lib/etcd.backup  
  
# 3. 从备份恢复  
ETCDCTL_API=3 etcdctl snapshot restore /opt/etcd-backup/etcd-backup-latest.db \  
 --data-dir=/var/lib/etcd \  
 --name=master1 \  
 --initial-cluster=master1=https://192.168.1.10:2380 \  
 --initial-cluster-token=etcd-cluster-1 \  
 --initial-advertise-peer-urls=https://192.168.1.10:2380  
  
# 4. 修复权限  
chown -R etcd:etcd /var/lib/etcd  
  
# 5. 重启服务  
systemctl start etcd kubelet

# kube-apiserver优化参数  
apiVersion: v1  
kind: Pod  
metadata:  
 name: kube-apiserver  
 namespace: kube-system  
spec:  
 containers:  
 - command:  
 - kube-apiserver  
 - --advertise-address=192.168.1.10  
 - --max-requests-inflight=2000  
 - --max-mutating-requests-inflight=1000  
 - --default-watch-cache-size=500  
 - --watch-cache-sizes=nodes#1000,pods#5000  
 - --enable-admission-plugins=NodeRestriction,LimitRanger,ResourceQuota  
 - --audit-log-maxage=30  
 - --audit-log-maxbackup=10  
 - --audit-log-maxsize=100  
 - --request-timeout=300s  
 - --storage-backend=etcd3  
 - --etcd-compaction-interval=5m

# kubelet-config.yaml  
apiVersion: kubelet.config.k8s.io/v1beta1  
kind: KubeletConfiguration  
maxPods: 110  
podsPerCore: 10  
enableControllerAttachDetach: true  
hairpinMode: promiscuous-bridge  
serializeImagePulls: false  
registryPullQPS: 10  
registryBurst: 20  
eventRecordQPS: 50  
eventBurst: 100  
kubeAPIQPS: 50  
kubeAPIBurst: 100  
systemReserved:  
 cpu: 500m  
 memory: 1Gi  
 ephemeral-storage: 2Gi  
kubeReserved:  
 cpu: 500m  
 memory: 1Gi  
 ephemeral-storage: 1Gi  
evictionHard:  
 memory.available: "200Mi"  
 nodefs.available: "10%"  
 imagefs.available: "15%"

# calico-config.yaml  
apiVersion: v1  
kind: ConfigMap  
metadata:  
 name: calico-config  
 namespace: kube-system  
data:  
 calico_backend: "bird"  
 cluster_type: "k8s,bgp"  
 felix_ipinipmtu: "1440"  
 felix_vxlanmtu: "1410"  
 felix_wireguardmtu: "1420"  
 felix_bpfenabled: "true"  
 felix_bpflogfilters: "all"  
 felix_prometheusmetricsenabled: "true"  
 felix_prometheusmetricsport: "9091"  
 felix_iptablesbackend: "nft"  
 felix_chaininsertmode: "insert"

# 1. 紧急扩容HPA配置  
apiVersion: autoscaling/v2  
kind: HorizontalPodAutoscaler  
metadata:  
 name: web-app-hpa  
spec:  
 scaleTargetRef:  
 apiVersion: apps/v1  
 kind: Deployment  
 name: web-app  
 minReplicas: 10  
 maxReplicas: 100  
 metrics:  
 - type: Resource  
 resource:  
 name: cpu  
 target:  
 type: Utilization  
 averageUtilization: 50  
 - type: Resource  
 resource:  
 name: memory  
 target:  
 type: Utilization  
 averageUtilization: 70  
 behavior:  
 scaleUp:  
 stabilizationWindowSeconds: 60  
 policies:  
 - type: Percent  
 value: 100  
 periodSeconds: 60  
 scaleDown:  
 stabilizationWindowSeconds: 300  
 policies:  
 - type: Percent  
 value: 10  
 periodSeconds: 60

# 1. 紧急评估数据损坏程度  
etcdctl endpoint health --cluster  
  
# 2. 从备份快速恢复  
./etcd-restore.sh backup-20231201-030000.db  
  
# 3. 验证集群状态  
kubectl get nodes  
kubectl get pods --all-namespaces  
  
# 4. 重建丢失的配置  
kubectl apply -f critical-workloads/