GH GambleHub

Kubernetes: clusters and Helm charts

1) Cluster architecture - top-down view

Control plane: 'kube-apiserver', 'etcd', 'kube-scheduler', 'kube-controller-manager' (partly hidden in managed clouds).
Worker: 'kubelet', CRI runtime (containerd/CRI-O), CNI plugin, kube-proxy/eBPF proxy.
In-cluster networking: Pod-to-Pod, Service VIP/ClusterIP, DNS via CoreDNS.
Storage: CSI drivers, dynamic provisioning PVC → PV (StorageClass).
Failure domains: node/AZ/region. Spread replicas across zones (TopologySpreadConstraints/anti-affinity).

Typical roles

Platform team: creates/updates clusters, CNI/CSI/Ingress, policies and GitOps.
Product teams: deploy charts/releases, follow the security policies and resource constraints.

2) Cluster lifecycle

Creation: kOps, kubeadm, Rancher, EKS/AKS/GKE. Enable OIDC authentication and audit logging right away.
Upgrades: minor versions in sequence (control plane → nodes), controlled by maxUnavailable, tested in staging first.
Add-ons (all via Helm/GitOps): CNI (Calico/Cilium), CSI driver, Ingress controller (NGINX/Gateway API/Contour/Traefik), Metrics Server, Cluster Autoscaler, Node-Local DNS, logging/metrics/tracing.
Backups: etcd snapshots (if self-managed), Velero for namespaces/PVCs.

3) Networking, services and ingress

CNI: Calico (NetworkPolicy), Cilium (eBPF/service-mesh features).
Service: 'ClusterIP', 'NodePort', 'LoadBalancer' (L4 cloud load balancer), 'ExternalName'.
Ingress/Gateway API: L7 routing, TLS, rate limiting/WAF at the perimeter.
NetworkPolicy: deny-all plus explicit allow by namespace/label.
Headless Service ('clusterIP: None') for StatefulSets and service discovery.

4) Storage (CSI) and state

StorageClass: 'reclaimPolicy', 'volumeBindingMode' ('WaitForFirstConsumer' for better placement).
StatefulSet: stable names/volumes ('volumeClaimTemplates'), 'podManagementPolicy: Parallel'.
ReadWriteMany: use shared filesystems (EFS/Filestore) with care - evaluate the latency.
Snapshots: 'VolumeSnapshotClass' + cron backups.

5) Multi-tenancy and policies

Namespaces per product/environment.
RBAC: 'Role'/'RoleBinding' instead of 'ClusterRole' wherever possible.
PSA (Pod Security Admission): 'baseline'/'restricted' (replaces PSP).
ResourceQuota / LimitRange: ceilings for CPU/memory/PVC/LoadBalancer.
OPA Gatekeeper/Kyverno: admission policies (for example, no ':latest', mandatory 'resources', mandatory 'readOnlyRootFilesystem').
ImagePolicy/webhooks: verification of image signatures (cosign/policy-controller).
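The three admission rules named above (no ':latest', mandatory 'resources', mandatory 'readOnlyRootFilesystem') written out as one Kyverno ClusterPolicy. This is an added example, not a policy from the page or from the Kyverno project; the policy name and messages are constructed.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: workload-baseline              # constructed policy name
spec:
  validationFailureAction: Enforce     # reject at admission; start with Audit when rolling out
  background: true                     # also report existing resources that violate the rules
  rules:
    # 1. A mutable ':latest' tag defeats reproducible rollbacks and signature verification.
    - name: disallow-latest-tag
      match:
        any:
          - resources:
              kinds: [Pod]             # Kyverno auto-generates the same rule for Deployments etc.
      validate:
        message: "Image tags must be pinned; ':latest' is not allowed."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
    # 2. Missing requests/limits lets one tenant starve the node (pairs with ResourceQuota/LimitRange).
    - name: require-resources
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "CPU/memory requests and a memory limit are required."
        pattern:
          spec:
            containers:
              - resources:
                  requests: { cpu: "?*", memory: "?*" }
                  limits: { memory: "?*" }
    # 3. A read-only root filesystem prevents writes into the container image at runtime.
    - name: require-readonly-rootfs
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "securityContext.readOnlyRootFilesystem must be true."
        pattern:
          spec:
            containers:
              - securityContext:
                  readOnlyRootFilesystem: true
```

Apply it with 'validationFailureAction: Audit' first and review the PolicyReport objects before switching to Enforce, otherwise existing releases will stop being admitted on their next rollout.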

6) Observability and operations

Metrics: Prometheus stack, kube-state-metrics, node exporters.
Logs: Fluent Bit/Vector → object storage/ES/OpenSearch, log rotation on the nodes.
Tracing: OpenTelemetry Collector.
SLO dashboards: RED model on ingress and key services.
Autoscaling: HPA (by application metrics), VPA for recommendations, Cluster Autoscaler for nodes.

7) Sample manifests (cheat sheet)

Deployment:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata: { name: api, labels: { app: api } }
spec:
  replicas: 3
  strategy: { type: RollingUpdate, rollingUpdate: { maxUnavailable: 0, maxSurge: 1 } }
  selector: { matchLabels: { app: api } }
  template:
    metadata:
      labels: { app: api }
    spec:
      serviceAccountName: api-sa
      securityContext: { runAsNonRoot: true, fsGroup: 2000 }
      containers:
        - name: api
          image: registry.example.com/api:1.2.3
          ports: [{ containerPort: 8080 }]
          resources: { requests: { cpu: "200m", memory: "256Mi" }, limits: { cpu: "1", memory: "512Mi" } }
          readinessProbe: { httpGet: { path: /healthz, port: 8080 }, periodSeconds: 5 }
          livenessProbe: { httpGet: { path: /livez, port: 8080 }, initialDelaySeconds: 20 }
```
StatefulSet (fragment):
```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata: { name: db }
spec:
  serviceName: db
  replicas: 3
  podManagementPolicy: Parallel
  selector: { matchLabels: { app: db } }
  template:
    metadata: { labels: { app: db } }
    spec:
      containers:
        - name: db
          image: postgres:16-alpine
          volumeMounts: [{ name: data, mountPath: /var/lib/postgresql/data }]
  volumeClaimTemplates:
    - metadata: { name: data }
      spec:
        accessModes: ["ReadWriteOnce"]
        resources: { requests: { storage: 100Gi } }
        storageClassName: fast-ssd
```
PDB (PodDisruptionBudget):
```yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata: { name: api-pdb }
spec:
  minAvailable: 2
  selector: { matchLabels: { app: api } }
```
Ingress (NGINX, abridged):
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
  annotations:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "30"
spec:
  tls: [{ hosts: ["api.example.com"], secretName: api-tls }]
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend: { service: { name: api, port: { number: 80 } } }
```

8) Helm v3 - basics and structure

Chart = templates + values + metadata.

```
mychart/
  Chart.yaml          # name, version (semver), type (application/library), dependencies
  values.yaml         # default values
  values.schema.json  # (recommended) validation of values
  templates/          # *.yaml Go templates (Deployment, Service, Ingress, …)
  templates/tests/    # helm tests (smoke)
  charts/             # local dependencies (or OCI dependencies)
```
Chart.yaml (example):
```yaml
apiVersion: v2
name: api
description: API service
type: application
version: 1.4.0        # chart version (semver)
appVersion: "1.2.3"   # application version
dependencies:
  - name: redis
    version: 17.x.x
    repository: "oci://registry.example.com/charts"
```

9) Helm templates - practices

Helpers in '_helpers.tpl' for names/labels/annotations.
Set 'resources', 'securityContext' and 'readiness/liveness' probes everywhere.
Standardized label scheme ('app.kubernetes.io/').
Make features optional via 'values' (ingress/hpa/pdb/servicemonitor).
Enable 'values.schema.json' - it stops invalid configurations before they are rendered.
For sensitive data - Secrets from external operators (External Secrets, SOPS), never stored in values.

Example '_helpers.tpl' (fragment):
```gotmpl
{{- define "api.fullname" -}}
{{- printf "%s-%s" .Chart.Name .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
```
Deployment.tpl (fragment):
```gotmpl
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "api.fullname" . }}
  labels: {{- include "api.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicaCount }}
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels: {{- include "api.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels: {{- include "api.selectorLabels" . | nindent 8 }}
    spec:
      serviceAccountName: {{ include "api.serviceAccountName" . }}
      securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: IfNotPresent
          ports: [{ containerPort: {{ .Values.service.port }} }]
          resources: {{- toYaml .Values.resources | nindent 10 }}
          envFrom:
            - secretRef: { name: {{ .Values.secretsRef }} }
```

10) Dependencies, repositories and OCI

Helm v3 supports OCI registries: 'oci://registry/org/charts'.
Pin dependency versions ('^1.2.0', '~1.2') and run 'helm dependency build'.
Sign charts (.prov) and keep the artifacts in the CI artifact repository.
Library charts: shared templates for reuse (ingress/servicemonitor).

11) Hooks, CRDs and operation ordering

Hooks: `pre-install`, `post-install`, `pre-upgrade`, `post-upgrade`, `test`. Add deletion policies ('before-hook-creation', 'hook-succeeded').
CRDs: put them in 'crds/' (installed before the templates); avoid "in-flight" CRD updates - run the migration as a separate step.
DB migrations/initialization - a Job hook with idempotency and a timeout.
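A migration Job hook that follows the points above (hook phase and weight, deletion policy, idempotent tool, hard timeout), as an added example rather than chart code from the page. The 'migrate up' entrypoint, the 'api-db' Secret and the resource figures are assumptions; the image and service account are the ones used in the section 7 samples.

```yaml
# templates/migrate-job.yaml (shown with literal values; in a real chart they come from .Values)
apiVersion: batch/v1
kind: Job
metadata:
  name: api-migrate
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-weight: "-5"                 # runs before other hooks in the same phase
    # Delete the previous Job before creating a new one, and delete it again on success;
    # a failed Job is kept (no hook-failed policy) so its logs can be inspected.
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
spec:
  backoffLimit: 2                 # retry a crashed migration at most twice
  activeDeadlineSeconds: 600      # hard timeout: a stuck migration fails the release instead of hanging
  template:
    spec:
      restartPolicy: Never
      serviceAccountName: api-sa
      securityContext:
        runAsNonRoot: true
        seccompProfile: { type: RuntimeDefault }
      containers:
        - name: migrate
          image: registry.example.com/api:1.2.3
          # Hypothetical entrypoint: the migration tool must be idempotent, because a retry
          # or a rollback followed by a new upgrade will run it again against the same schema.
          args: ["migrate", "up"]
          envFrom:
            - secretRef: { name: api-db }     # DB credentials from a Secret, never from values
          resources:
            requests: { cpu: "100m", memory: "128Mi" }
            limits: { cpu: "500m", memory: "256Mi" }
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: { drop: ["ALL"] }
```

If the hook fails, Helm marks the upgrade as failed and leaves the previous release in place; the kept Job is what the on-call engineer reads before deciding between fixing forward and 'helm rollback'.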

12) Chart testing and CI

'helm lint' + schema validation.
helm-unittest (unit), chart-testing (ct) - install/upgrade on kind/minikube in CI.
Template snapshot tests ('helm template' → compare against a golden output).
Smoke tests with 'helm test' (spins up a check 'Pod').

13) GitOps (Argo CD/Flux)

The source of truth is the repository. A chart is stored as a HelmRelease/HelmChart (Flux) or an Application (Argo).
Sync policies: prune/self-heal, auto-sync with statuses and health checks.
Version promotion: tag bots/semver ranges, PR flow.
Split the repo into apps (charts) and env (overrides/values).
Secret management: SOPS (age/KMS), External Secrets.

14) Security: the required minimum

PSA restricted: no privileged containers, no hostPath, restricted capabilities, read-only rootfs.
ImagePolicy: only signed/trusted images.
NetworkPolicy: "locked down by default".
RBAC: a per-app service account, 'Role'/'RoleBinding' inside the namespace.
Admission control: Gatekeeper/Kyverno rules (resources/limits, labels, no latest).
Secrets: SOPS/External Secrets; not in values or plain Git.

15) Anti-patterns

':latest' in charts and images; no 'values.schema.json'.
One giant "does everything" chart instead of modules.
CRDs in 'templates/' → chaos during upgrades.
Hard-coded names/ports/namespaces in templates.
Missing resources/limits and probes → latency drift and instability.
No PDB → zero downtime during drains/upgrades is impossible.
Secrets in Git; manifests without policies.

16) Onboarding checklist (0-45 days)

Days 0-10

Start a base chart skeleton with '_helpers.tpl', labels, probes, resources, optional PDB/Ingress.
Enable PSA restricted, NetworkPolicy deny-all, ResourceQuota/LimitRange.
Set up GitOps (Argo/Flux), a private registry, signing of images/charts.

Days 11-25

Split the chart into modules/dependencies, add 'values.schema.json', tests ('helm lint', unit, ct).
Wire up observability (ServiceMonitor/PodMonitor), log agents, OTel.
Introduce the upgrade process: staging → canary → prod, hook migrations with rollback.

Days 26-45

Automate dependency updates (bots/semver ranges + PR).
Add Gatekeeper/Kyverno policies and their checks to CI.
Cluster upgrade runbook, DR procedures (Velero/etcd snapshot).

17) Maturity metrics

100% of applications delivered via Helm/GitOps, with no manual "kubectl apply".
All charts have 'values.schema.json', tests, signatures and pinned dependency versions.
PSA restricted/NetworkPolicy in every namespace.
PDB and HPA on all critical services.
Secure secrets (SOPS/External Secrets), a "no latest" policy, image signing.
Cluster and chart upgrades run without downtime (canary/blue-green), restore tests are performed regularly.

18) Conclusion

A strong Kubernetes foundation = a reliable cluster architecture + strict policies + production-grade Helm charts managed through GitOps. Standardize templates, harden the PSA/NetworkPolicy/RBAC perimeter, validate values and automate tests, signing and promotion. Then upgrades and releases become predictable, and the platform stays stable and convenient for product teams.
