
Kubernetes: clusters and Helm charts


1) Cluster architecture: the view from above

Control plane: `kube-apiserver`, `etcd`, `kube-scheduler`, `kube-controller-manager` (partly hidden in managed cloud offerings).
Worker nodes: `kubelet`, a CRI runtime (containerd/CRI-O), a CNI plugin, kube-proxy or an eBPF proxy.
In-cluster networking: Pod-to-Pod, Service VIP/ClusterIP, DNS via CoreDNS.
Storage: CSI drivers, dynamic provisioning of PVC → PV (StorageClass).
Failure domains: node/AZ/region. Spread replicas across zones (TopologySpreadConstraints/anti-affinity).

Typical roles

Platform team: creates/updates the cluster, CNI/CSI/Ingress, policies and GitOps.
Product teams: own their charts/releases and follow the security policies and resource budgets.

2) Cluster lifecycle

kOps, kubeadm, Rancher, EKS/AKS/GKE. Enable OIDC authentication and audit logging from day one.
Upgrades: one minor version at a time (control plane → nodes), controlled maxUnavailable, staging tests first.
Add-ons (all via Helm/GitOps): CNI (Calico/Cilium), CSI driver, Ingress controller (NGINX/Gateway API/Contour/Traefik), Metrics Server, Cluster Autoscaler, Node-Local DNS, logging/metrics/tracing.
Backups: etcd snapshots (if self-managed), Velero for namespaces/PVCs.

3) Networking, Services and Ingress

CNI: Calico (NetworkPolicy), Cilium (eBPF/service-mesh features).
Service: `ClusterIP`, `NodePort`, `LoadBalancer` (cloud L4 balancer), `ExternalName`.
Ingress/Gateway API: L7 routing, TLS, rate limiting/WAF at the perimeter.
NetworkPolicy: default deny-all per namespace/label plus explicit allow rules.
Headless Service (`clusterIP: None`) for StatefulSets and service discovery.

4) Storage (CSI) and state

StorageClass: `reclaimPolicy`, `volumeBindingMode` (`WaitForFirstConsumer` for better placement).
StatefulSet: stable names/volumes (`volumeClaimTemplates`), `podManagementPolicy: Parallel`.
ReadWriteMany: use distributed file systems (EFS/Filestore) with care and evaluate them before adopting.
Snapshots: `VolumeSnapshotClass` + cron backups.

5) Multi-tenancy and policies

Namespaces per product/environment.
RBAC: minimal roles, separate service accounts, `Role`/`RoleBinding` instead of `ClusterRole` wherever possible.
PSA (Pod Security Admission): `baseline`/`restricted` modes (the replacement for PSP).
ResourceQuota / LimitRange: ceilings for CPU/memory/PVC/LoadBalancer.
OPA Gatekeeper/Kyverno: admission policies (e.g. no `:latest`, required `resources`, `readOnlyRootFilesystem`).
ImagePolicy/webhooks: image signature verification (cosign/policy-controller).

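A per-namespace guardrail set that puts the PSA, quota and RBAC points of this section together, as an added example (not taken from the article). Namespace `shop`, the `api-sa` service account used by the section 7 Deployment, and an OIDC group `shop-team` are assumed; the quota figures are illustrative.

```yaml
# Namespace with Pod Security Admission: enforce restricted, and warn/audit at the same level
apiVersion: v1
kind: Namespace
metadata:
  name: shop
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# Hard ceilings for the whole namespace (illustrative numbers)
apiVersion: v1
kind: ResourceQuota
metadata:
  name: shop-quota
  namespace: shop
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
    persistentvolumeclaims: "10"
    requests.storage: 500Gi
    services.loadbalancers: "1"     # one cloud L4 balancer per product namespace
---
# Per-container defaults and bounds; a quota on requests/limits rejects pods that set none,
# so the defaults here keep such pods admissible while still bounded
apiVersion: v1
kind: LimitRange
metadata:
  name: shop-limits
  namespace: shop
spec:
  limits:
    - type: Container
      default:          { cpu: 500m, memory: 512Mi }   # applied as limits when unset
      defaultRequest:   { cpu: 100m, memory: 128Mi }   # applied as requests when unset
      max:              { cpu: "2",  memory: 4Gi }
---
# Dedicated service account for the app; no API-server token mounted unless the app needs one
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api-sa
  namespace: shop
automountServiceAccountToken: false
---
# Namespaced Role for the product team: manage workloads, read pods and logs, nothing cluster-wide
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: shop
rules:
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: shop-team-deployer
  namespace: shop
subjects:
  - kind: Group
    name: shop-team                 # group claim from the OIDC provider (assumed)
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
```

One caveat worth checking before switching `enforce` to `restricted`: the section 7 Deployment sets only `runAsNonRoot` and `fsGroup`. The restricted profile also requires `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]` and `seccompProfile.type: RuntimeDefault` on each container, so start with `warn`/`audit`, read the warnings, fix the charts, then enforce.
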
6) Observability and operations

Metrics: Prometheus stack, kube-state-metrics, node-exporter.
Logs: Fluent Bit/Vector → object storage/ES/OpenSearch, log rotation on nodes.
Traces: OpenTelemetry Collector.
SLO dashboards: RED model on ingress and core services.
Autoscaling: HPA (on application metrics), VPA for pod right-sizing, Cluster Autoscaler for node pools.

7) Manifest patterns (cheat sheet)

Deployment

```yaml
apiVersion: apps/v1
kind: Deployment
metadata: { name: api, labels: { app: api } }
spec:
  replicas: 3
  strategy: { type: RollingUpdate, rollingUpdate: { maxUnavailable: 0, maxSurge: 1 } }
  selector: { matchLabels: { app: api } }
  template:
    metadata:
      labels: { app: api }
    spec:
      serviceAccountName: api-sa
      securityContext: { runAsNonRoot: true, fsGroup: 2000 }
      containers:
        - name: api
          image: registry.example.com/api:1.2.3
          ports: [{ containerPort: 8080 }]
          resources: { requests: { cpu: "200m", memory: "256Mi" }, limits: { cpu: "1", memory: "512Mi" } }
          readinessProbe: { httpGet: { path: /healthz, port: 8080 }, periodSeconds: 5 }
          livenessProbe: { httpGet: { path: /livez, port: 8080 }, initialDelaySeconds: 20 }
```

StatefulSet (fragment):

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata: { name: db }
spec:
  serviceName: db
  replicas: 3
  podManagementPolicy: Parallel
  selector: { matchLabels: { app: db } }
  template:
    metadata: { labels: { app: db } }
    spec:
      containers:
        - name: db
          image: postgres:16-alpine
          volumeMounts: [{ name: data, mountPath: /var/lib/postgresql/data }]
  volumeClaimTemplates:
    - metadata: { name: data }
      spec:
        accessModes: ["ReadWriteOnce"]
        resources: { requests: { storage: 100Gi } }
        storageClassName: fast-ssd
```

PDB (PodDisruptionBudget):

```yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata: { name: api-pdb }
spec:
  minAvailable: 2
  selector: { matchLabels: { app: api } }
```

Ingress (NGINX, abbreviated):

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
  annotations:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "30"
spec:
  ingressClassName: nginx   # select the NGINX controller explicitly
  tls: [{ hosts: ["api.example.com"], secretName: api-tls }]
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend: { service: { name: api, port: { number: 80 } } }
```

8) Helm v3: basics and structure

Chart = templates + values + metadata.

mychart/
  Chart.yaml          # name, version (semver), type (application/library), dependencies
  values.yaml         # default values
  values.schema.json  # (recommended) values validation
  templates/          # *.yaml Go templates (Deployment, Service, Ingress, …)
  templates/tests/    # helm tests (smoke)
  charts/             # local dependencies (or OCI dependencies)

Chart.yaml (example):

```yaml
apiVersion: v2
name: api
description: API service
type: application
version: 1.4.0        # chart version (semver)
appVersion: "1.2.3"   # application version
dependencies:
  - name: redis
    version: 17.x.x
    repository: "oci://registry.example.com/charts"
```

9) Helm templates: practice

Use helpers from `_helpers.tpl` for names/labels/annotations.
`resources`, `securityContext` and readiness/liveness probes everywhere.
Standardized labels (`app.kubernetes.io/`).
Make features optional via `values` (ingress/hpa/pdb/servicemonitor).
Enable `values.schema.json` to stop invalid settings early.
For sensitive data use Secrets from external operators (External Secrets, SOPS); never store them in values.

Example `_helpers.tpl` (fragment):

```gotmpl
{{- define "api.fullname" -}}
{{- printf "%s-%s" .Chart.Name .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
```

Deployment template (fragment; `api.labels`, `api.selectorLabels` and `api.serviceAccountName` are further helpers from `_helpers.tpl`):

```gotmpl
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "api.fullname" . }}
  labels: {{- include "api.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicaCount }}
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels: {{- include "api.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels: {{- include "api.selectorLabels" . | nindent 8 }}
    spec:
      serviceAccountName: {{ include "api.serviceAccountName" . }}
      securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
      - name: {{ .Chart.Name }}
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
        imagePullPolicy: IfNotPresent
        ports: [{ containerPort: {{ .Values.service.port }} }]
        resources: {{- toYaml .Values.resources | nindent 10 }}
        envFrom:
          - secretRef: { name: {{ .Values.secretsRef }} }
```

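Two of the points above, standardized `app.kubernetes.io/` labels from helpers and a feature made optional through values, shown as an added example (not part of the original chart). It reuses the `api.fullname` helper from the fragment above and assumes a `pdb` block in `values.yaml` as sketched in the comments.

```yaml
# templates/_helpers.tpl: label helpers the Deployment fragment above includes by name
{{- define "api.labels" -}}
helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" }}
app.kubernetes.io/name: {{ .Chart.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}

{{- define "api.selectorLabels" -}}
app.kubernetes.io/name: {{ .Chart.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}

# templates/pdb.yaml: rendered only when values enable it
# values.yaml (assumed):
#   pdb:
#     enabled: true
#     minAvailable: 2        # or maxUnavailable: 1
{{- if .Values.pdb.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: {{ include "api.fullname" . }}
  labels: {{- include "api.labels" . | nindent 4 }}
spec:
  {{- if .Values.pdb.minAvailable }}
  minAvailable: {{ .Values.pdb.minAvailable }}
  {{- else }}
  maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }}
  {{- end }}
  selector:
    # must match the Deployment's pod labels exactly, otherwise the budget protects nothing
    matchLabels: {{- include "api.selectorLabels" . | nindent 6 }}
{{- end }}
```

Keep `selectorLabels` to the two stable keys only: `helm.sh/chart` and `app.kubernetes.io/version` change on every release, and a selector that includes them would make the Deployment's selector (which is immutable) fail on the next upgrade.
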
10) Dependencies, repositories and OCI

Helm v3 supports OCI registries: `oci://registry/org/charts`.
Pin dependency versions (`^1.2.0`, `~1.2`) and run `helm dependency build`.
Sign charts (`.prov`) and keep the artefacts in the CI artefact repository.
Library charts: shared templates for reuse (ingress/servicemonitor).

11) Hooks, CRDs and operation order

Hooks: `pre-install`, `post-install`, `pre-upgrade`, `post-upgrade`, `test`. Add delete policies (`before-hook-creation`, `hook-succeeded`).
CRDs: put them in `crds/` (installed before the templates); avoid upgrading CRDs through the chart, migrate them separately.
DB migrations/seeding: idempotent Job hooks with a timeout.

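A migration Job hook that applies the hook, delete-policy and timeout advice above, as an added example (not from the article). It reuses the `api.fullname`/`api.labels`/`api.serviceAccountName` helpers and the `image`, `podSecurityContext`, `resources` and `secretsRef` values from section 9; the `/app/migrate up` command and its `--lock-timeout` flag are an assumed CLI of the application image.

```yaml
# templates/hooks/db-migrate.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ include "api.fullname" . }}-migrate
  labels: {{- include "api.labels" . | nindent 4 }}
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-weight: "0"
    # before-hook-creation: delete the previous Job before creating a new one (names collide otherwise)
    # hook-succeeded: clean up after success; a failed Job is kept so its logs can be read
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
spec:
  backoffLimit: 2                # retry twice, then the Job and therefore the release fail
  activeDeadlineSeconds: 600     # hard timeout: a hung migration must not block the upgrade indefinitely
  ttlSecondsAfterFinished: 3600  # failed Jobs are garbage-collected after an hour
  template:
    metadata:
      labels:
        # deliberately NOT the app's selector labels: a Service selecting app pods
        # would otherwise route live traffic to the migration pod
        app.kubernetes.io/component: migrate
    spec:
      restartPolicy: Never
      serviceAccountName: {{ include "api.serviceAccountName" . }}
      securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: migrate
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          # the migration tool must be idempotent: running "up" against an already-migrated
          # schema is a no-op, so a retried or re-run hook cannot corrupt state
          command: ["/app/migrate", "up", "--lock-timeout=60s"]   # assumed CLI
          envFrom:
            - secretRef: { name: {{ .Values.secretsRef }} }
          resources: {{- toYaml .Values.resources | nindent 12 }}
```

Helm waits for a hook Job to complete before continuing; if it fails, `helm upgrade --atomic` rolls the release back to the previous revision, which is the rollback path the day 11-25 checklist item refers to. The migration itself must tolerate that: schema changes should be backward compatible with the previous application version so that a rolled-back release still runs.
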
12) Chart tests and CI

`helm lint` + schema validation.
helm-unittest (unit tests), chart-testing (ct): build/install on kind/minikube in CI.
Template snapshot tests (`helm template` → compare with a golden file).
Smoke tests with `helm test` (spins up a `Pod` with checks).

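A CI pipeline that chains the checks from this section with the OCI push and signing from section 10, as an added example (a GitHub Actions workflow written for this article, not the project's own). It assumes the chart lives at `charts/api`, a chart-testing config `ct.yaml`, a `charts/api/ci/` directory holding the values files and golden rendering used for the snapshot test, and pushes to a GHCR path derived from the repository owner.

```yaml
name: chart-ci
on:
  pull_request:
    paths: ["charts/**"]
  push:
    branches: [main]
    paths: ["charts/**"]

permissions:
  contents: read
  packages: write
  id-token: write          # OIDC token for keyless cosign signing

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }           # ct diffs against the target branch
      - uses: azure/setup-helm@v4
      - name: Lint (also validates values against values.schema.json)
        run: |
          helm dependency build charts/api
          helm lint --strict charts/api
          helm lint --strict charts/api -f charts/api/ci/prod-values.yaml
      - name: Unit tests (helm-unittest plugin)
        run: |
          helm plugin install https://github.com/helm-unittest/helm-unittest.git
          helm unittest charts/api
      - name: Snapshot test (rendered templates vs golden file)
        run: |
          helm template api charts/api -f charts/api/ci/prod-values.yaml > /tmp/rendered.yaml
          diff -u charts/api/ci/golden/prod.yaml /tmp/rendered.yaml
      - uses: helm/kind-action@v1
      - uses: helm/chart-testing-action@v2
      - name: Install on kind and run helm tests
        run: ct install --config ct.yaml --target-branch main   # ct runs `helm test` after install

  publish:
    needs: test
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: azure/setup-helm@v4
      - uses: sigstore/cosign-installer@v3
      - name: Package and push to the OCI registry
        env:
          REGISTRY: ghcr.io/${{ github.repository_owner }}/charts   # assumed destination
        run: |
          helm dependency build charts/api
          helm package charts/api -d dist
          echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u "${{ github.actor }}" --password-stdin
          helm push dist/api-*.tgz "oci://$REGISTRY"
      - name: Sign the pushed chart (keyless; the signature is recorded in the Rekor log)
        run: |
          VERSION=$(helm show chart charts/api | sed -n 's/^version: //p')
          cosign sign --yes "ghcr.io/${{ github.repository_owner }}/charts/api:$VERSION"
```

The split into `test` and `publish` is deliberate: nothing reaches the registry from a pull request, and the signing step runs only on `main` with the workflow's own OIDC identity, so the signature later verified by the GitOps controller or the admission policy attests to this pipeline, not to a developer's laptop.
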
13) GitOps (Argo CD/Flux)

The repository is the source of truth. The chart is declared as a HelmRelease/HelmChart (Flux) or an Application (Argo CD).
Sync policy: auto-sync with prune/self-heal, status and health checks.
Version promotion: update bots/semver ranges, PR flow.
Split the repo into apps (charts) and env (overrides/values).
Secret management: SOPS (age/KMS), External Secrets.

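The Flux variant of the points above, as an added example (not from the article): an OCI HelmRepository plus a HelmRelease with a semver range, signature verification, and automatic remediation. It assumes Flux 2.3 or newer (the `v2`/`v1` API versions), the OCI registry from section 8, a `registry-creds` Secret provisioned by External Secrets, and a `ConfigMap` holding the environment overrides from the env repo.

```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: charts
  namespace: flux-system
spec:
  type: oci
  interval: 10m
  url: oci://registry.example.com/charts
  secretRef:
    name: registry-creds      # created by External Secrets, never committed to Git
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: api
  namespace: shop
spec:
  interval: 5m
  timeout: 10m                # covers hook Jobs such as the migration in section 11
  chart:
    spec:
      chart: api
      version: "1.4.x"        # patch releases promote automatically; minor/major bumps go through a PR
      sourceRef:
        kind: HelmRepository
        name: charts
        namespace: flux-system
      verify:
        provider: cosign      # only chart versions with a valid signature are reconciled
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
      remediateLastFailure: true   # roll back to the last successful revision automatically
  valuesFrom:
    - kind: ConfigMap
      name: api-values-prod        # environment overrides live in the env repo
  values:
    replicaCount: 3
```

Flux prunes and self-heals by construction (a manual `kubectl edit` is reverted on the next reconcile), which is the behaviour the maturity metric "no manual `kubectl apply`" in section 17 depends on; Argo CD needs `syncPolicy.automated.prune` and `selfHeal` set explicitly to match.
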
14) Security: the minimum required

PSA restricted: no privileged containers, no hostPath, limited capabilities, read-only root filesystem.
ImagePolicy: only signed/trusted images.
NetworkPolicy: locked down by default.
RBAC: a service account per app, `Role`/`RoleBinding` in the namespace.
Admission control: Gatekeeper/Kyverno rules (resources/limits, labels, no latest).
Secrets: SOPS/External Secrets; not in values or plain Git.

15) Anti-patterns

`:latest` in charts and images; no `values.schema.json`.
One big "for everyone" chart instead of modules.
CRDs in `templates/` → they get updated together with the templates, chaos on upgrade.
Hard-coded names/ports/namespaces in templates.
Missing resources/limits and probes → latency drift and instability.
No PDB → zero-downtime drains/upgrades become impossible.
Unencrypted secrets in Git; manifests without policy checks.

16) Rollout checklist (days 0-45)

Days 0-10

Start the base chart skeleton with `_helpers.tpl`, labels, probes, resources, optional PDB/Ingress.
Enable PSA restricted, NetworkPolicy deny-all, ResourceQuota/LimitRange.
Set up GitOps (Argo/Flux), a private registry, image/chart signing.

Days 11-25

Split the chart into modules/dependencies, add `values.schema.json` and tests (`helm lint`, unit, ct).
Observability (ServiceMonitor/PodMonitor), log agents, OTel.
Introduce the upgrade process: staging → canary → prod, hook-based migrations with rollback.

Days 26-45

Automate dependency updates (bots/semver ranges + PRs).
Add Gatekeeper/Kyverno policies and policy checks to CI.
Document cluster runbooks and DR procedures (Velero/etcd snapshots).

17) Maturity metrics

100% of applications via Helm/GitOps, no manual `kubectl apply`.
All charts have `values.schema.json`, tests, signatures and pinned dependency versions.
PSA restricted/NetworkPolicy present in all namespaces.
PDB and HPA on all critical services.
Secure secrets (SOPS/External Secrets), a "no latest" policy, image signing.
Cluster and chart upgrades run without downtime (canary/blue-green); restore tests run regularly.

18) Conclusion

A strong Kubernetes foundation = a reliable cluster architecture + strict policies + production-grade Helm charts managed by GitOps. Standardize templates, protect the environment with PSA/NetworkPolicy/RBAC, validate values, and automate tests, signing and promotion. Then upgrades and releases become predictable, and the platform stays stable and convenient for product teams.
