Kubernetes 与 GitOps 最佳实践
Kubernetes 与 GitOps 最佳实践
一、前言
哥们,别整那些花里胡哨的。GitOps 是现代 Kubernetes 运维的重要趋势,今天直接上硬货,教你如何在 Kubernetes 中实现 GitOps 工作流。
二、GitOps 核心概念
| 概念 | 描述 | 优势 |
|---|---|---|
| 声明式配置 | 所有配置以声明式方式定义 | 一致性强 |
| 版本控制 | 配置存储在 Git 仓库中 | 可追溯性 |
| 自动同步 | 自动将配置应用到集群 | 减少人工干预 |
| 回滚机制 | 基于 Git 历史进行回滚 | 安全可靠 |
三、实战配置
1. Argo CD 安装
# 安装 Argo CD kubectl create namespace argocd kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml # 访问 Argo CD UI kubectl port-forward -n argocd svc/argocd-server 8080:443 # 访问 https://localhost:8080 # 获取默认密码 kubectl get secret argocd-initial-admin-secret -n argocd -o jsonpath="{.data.password}" | base64 -d2. 应用配置
apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: app namespace: argocd spec: project: default source: repoURL: https://github.com/susu/k8s-manifests.git targetRevision: HEAD path: app destination: server: https://kubernetes.default.svc namespace: default syncPolicy: automated: prune: true selfHeal: true syncOptions: - Validate=false - CreateNamespace=true3. 多环境配置
apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: app-dev namespace: argocd spec: project: default source: repoURL: https://github.com/susu/k8s-manifests.git targetRevision: dev path: app/overlays/dev destination: server: https://kubernetes.default.svc namespace: dev syncPolicy: automated: prune: true selfHeal: true --- apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: app-prod namespace: argocd spec: project: default source: repoURL: https://github.com/susu/k8s-manifests.git targetRevision: main path: app/overlays/prod destination: server: https://kubernetes.default.svc namespace: prod syncPolicy: automated: prune: true selfHeal: true4. Kustomize 配置
# kustomization.yaml apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../../base patches: - patch.yaml # patch.yaml apiVersion: apps/v1 kind: Deployment metadata: name: app spec: replicas: 3 template: spec: containers: - name: app resources: requests: cpu: "200m" memory: "256Mi" limits: cpu: "500m" memory: "512Mi"四、GitOps 优化
1. CI/CD 集成
# .github/workflows/gitops.yml name: GitOps Pipeline on: push: branches: [ main, dev ] pull_request: branches: [ main, dev ] jobs: validate: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Install kubectl run: | curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" chmod +x kubectl sudo mv kubectl /usr/local/bin/ - name: Validate manifests run: kubectl apply --dry-run=server -f app/ deploy: needs: validate runs-on: ubuntu-latest if: github.event_name == 'push' steps: - uses: actions/checkout@v3 - name: Sync with Argo CD run: | kubectl port-forward -n argocd svc/argocd-server 8080:443 & sleep 5 argocd login localhost:8080 --username admin --password ${{ secrets.ARGOCD_PASSWORD }} --insecure argocd app sync app-${{ github.ref_name }}2. 监控与告警
apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: argocd-metrics namespace: monitoring spec: selector: matchLabels: app.kubernetes.io/name: argocd-server endpoints: - port: metrics interval: 15s --- apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: name: argocd-alerts namespace: monitoring spec: groups: - name: argocd rules: - alert: ArgoCDSyncFailed expr: argocd_app_sync_status{status="Failed"} == 1 for: 5m labels: severity: critical annotations: summary: Argo CD sync failed description: Application {{ $labels.app }} sync failed - alert: ArgoCDSyncOutOfSync expr: argocd_app_sync_status{status="OutOfSync"} == 1 for: 10m labels: severity: warning annotations: summary: Argo CD sync out of sync description: Application {{ $labels.app }} is out of sync3. 安全配置
apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: name: production namespace: argocd spec: description: Production applications sourceRepos: - https://github.com/susu/k8s-manifests.git destinations: - namespace: prod server: https://kubernetes.default.svc clusterResourceWhitelist: - group: "" kind: Namespace - group: apps kind: Deployment - group: apps kind: StatefulSet - group: v1 kind: Service roles: - name: developer description: Developer role policies: - p, proj:production:developer, applications, sync, production/*, allow - p, proj:production:developer, applications, get, production/*, allow groups: - developers五、常见问题
1. 同步失败
解决方案:
- 检查 Git 仓库配置
- 验证集群权限
- 查看 Argo CD 日志
2. 配置冲突
解决方案:
- 解决 Git 冲突
- 检查配置语法
- 验证依赖关系
3. 权限问题
解决方案:
- 配置正确的 RBAC 权限
- 检查 Argo CD 服务账户
- 验证 Git 仓库访问权限
六、最佳实践总结
- 版本控制:将所有配置存储在 Git 仓库中
- 声明式配置:使用 YAML 定义所有资源
- 自动同步:配置 Argo CD 自动同步
- 多环境管理:使用 Kustomize 管理多环境配置
- 监控告警:配置 Argo CD 同步状态监控
- 安全管理:实施最小权限原则
七、总结
GitOps 是现代 Kubernetes 运维的重要趋势。按照本文的最佳实践,你可以构建一个高效、可靠的 GitOps 工作流,炸了!