403 lines
17 KiB
Markdown
403 lines
17 KiB
Markdown
---
|
||
content_type: "reference"
|
||
title: kubelet 所使用的本地文件和路径
|
||
weight: 42
|
||
---
|
||
<!--
|
||
content_type: "reference"
|
||
title: Local Files And Paths Used By The Kubelet
|
||
weight: 42
|
||
-->
|
||
|
||
<!--
|
||
The {{< glossary_tooltip text="kubelet" term_id="kubelet" >}} is mostly a stateless
|
||
process running on a Kubernetes {{< glossary_tooltip text="node" term_id="node" >}}.
|
||
This document outlines files that kubelet reads and writes.
|
||
-->
|
||
{{< glossary_tooltip text="kubelet" term_id="kubelet" >}} 是一个运行在 Kubernetes
|
||
{{< glossary_tooltip text="节点" term_id="node" >}}上的无状态进程。本文简要介绍了 kubelet 读写的文件。
|
||
|
||
{{< note >}}
|
||
|
||
<!--
|
||
This document is for informational purpose and not describing any guaranteed behaviors or APIs.
|
||
It lists resources used by the kubelet, which is an implementation detail and a subject to change at any release.
|
||
-->
|
||
本文仅供参考,而非描述保证会发生的行为或 API。
|
||
本文档列举 kubelet 所使用的资源。所给的信息属于实现细节,可能会在后续版本中发生变更。
|
||
|
||
{{< /note >}}
|
||
|
||
<!--
|
||
The kubelet typically uses the {{< glossary_tooltip text="control plane" term_id="control-plane" >}} as
|
||
the source of truth on what needs to run on the Node, and the
|
||
{{<glossary_tooltip text="container runtime" term_id="container-runtime">}} to retrieve
|
||
the current state of containers. So long as you provide a _kubeconfig_ (API client configuration)
|
||
to the kubelet, the kubelet does connect to your control plane; otherwise the node operates in
|
||
_standalone mode_.
|
||
-->
|
||
kubelet 通常使用{{< glossary_tooltip text="控制面" term_id="control-plane" >}}作为需要在 Node
|
||
上运行的事物的真实来源,并使用{{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}获取容器的当前状态。
|
||
只要你向 kubelet 提供 **kubeconfig**(API 客户端配置),kubelet 就会连接到你的控制面;
|
||
否则,节点将以**独立(Standalone)**模式运行。
|
||
|
||
<!--
|
||
On Linux nodes, the kubelet also relies on reading cgroups and various system files to collect metrics.
|
||
|
||
On Windows nodes, the kubelet collects metrics via a different mechanism that does not rely on
|
||
paths.
|
||
|
||
There are also a few other files that are used by the kubelet as well,
|
||
as kubelet communicates using local Unix-domain sockets. Some are sockets that the
|
||
kubelet listens on, and for other sockets the kubelet discovers them and then connects
|
||
as a client.
|
||
-->
|
||
在 Linux 节点上,kubelet 还需要读取 cgroups 和各种系统文件来收集指标。
|
||
|
||
在 Windows 节点上,kubelet 不依赖于路径,而是通过其他机制来收集指标。
|
||
|
||
kubelet 所使用的还有其他文件,包括其使用本地 Unix 域套接字进行通信的文件。
|
||
有些文件是 kubelet 要监听的套接字,而其他套接字则是 kubelet 先发现后作为客户端连接的。
|
||
|
||
{{< note >}}
|
||
|
||
<!--
|
||
This page lists paths as Linux paths, which map to the Windows paths by adding a root disk
|
||
`C:\` in place of `/` (unless specified otherwise).
|
||
For example, `/var/lib/kubelet/device-plugins` maps to `C:\var\lib\kubelet\device-plugins`.
|
||
-->
|
||
本页列举的路径为 Linux 路径,若要映射到 Windows,你可以添加根磁盘 `C:\` 替换 `/`(除非另行指定)。
|
||
例如,`/var/lib/kubelet/device-plugins` 映射到 `C:\var\lib\kubelet\device-plugins`。
|
||
|
||
{{< /note >}}
|
||
|
||
<!--
|
||
## Configuration
|
||
|
||
### Kubelet configuration files
|
||
|
||
The path to the kubelet configuration file can be configured
|
||
using the command line argument `--config`. The kubelet also supports
|
||
[drop-in configuration files](/docs/tasks/administer-cluster/kubelet-config-file/#kubelet-conf-d)
|
||
to enhance configuration.
|
||
-->
|
||
## 配置 {#configuration}
|
||
|
||
### kubelet 配置文件 {#kubelet-configuration-files}
|
||
|
||
你可以使用命令行参数 `--config` 指定 kubelet 配置文件的路径。kubelet
|
||
还支持[插件(Drop-in)配置文件](/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/#kubelet-conf-d)来增强配置。
|
||
|
||
<!--
|
||
### Certificates
|
||
|
||
Certificates and private keys are typically located at `/var/lib/kubelet/pki`,
|
||
but can be configured using the `--cert-dir` kubelet command line argument.
|
||
Names of certificate files are also configurable.
|
||
-->
|
||
### 证书 {#certificates}
|
||
|
||
证书和私钥通常位于 `/var/lib/kubelet/pki`,但你可以使用 `--cert-dir` kubelet 命令行参数进行配置。
|
||
证书文件的名称也是可以配置的。
|
||
|
||
<!--
|
||
### Manifests
|
||
|
||
Manifests for static pods are typically located in `/etc/kubernetes/manifests`.
|
||
Location can be configured using the `staticPodPath` kubelet configuration option.
|
||
-->
|
||
### 清单 {#manifests}
|
||
|
||
静态 Pod 的清单通常位于 `/etc/kubernetes/manifests`。
|
||
你可以使用 `staticPodPath` kubelet 配置选项进行配置。
|
||
|
||
<!--
|
||
### Systemd unit settings
|
||
|
||
When kubelet is running as a systemd unit, some kubelet configuration may be declared
|
||
in systemd unit settings file. Typically it includes:
|
||
|
||
- command line arguments to [run kubelet](/docs/reference/command-line-tools-reference/kubelet/)
|
||
- environment variables, used by kubelet or [configuring golang runtime](https://pkg.go.dev/runtime#hdr-Environment_Variables)
|
||
-->
|
||
### systemd 单元设置 {#systemd-unit-settings}
|
||
|
||
当 kubelet 作为 systemd 单元运行时,一些 kubelet 配置可以在 systemd 单元设置文件中声明。
|
||
这些配置通常包括:
|
||
|
||
- [运行 kubelet 的命令行参数](/zh-cn/docs/reference/command-line-tools-reference/kubelet/)
|
||
- kubelet 所使用的环境变量或[配置 Golang 运行时](https://pkg.go.dev/runtime#hdr-Environment_Variables)
|
||
|
||
<!--
|
||
## State
|
||
|
||
### Checkpoint files for resource managers {#resource-managers-state}
|
||
|
||
All resource managers keep the mapping of Pods to allocated resources in state files.
|
||
State files are located in the kubelet's base directory, also termed the _root directory_
|
||
(but not the same as `/`, the node root directory). You can configure the base directory
|
||
for the kubelet
|
||
using the kubelet command line argument `--root-dir`.
|
||
-->
|
||
## 状态 {#state}
|
||
|
||
### 资源管理器的检查点文件 {#resource-managers-state}
|
||
|
||
所有资源管理器将 Pod 与已分配资源之间的映射保存在状态文件中。
|
||
状态文件位于 kubelet 的基础目录,也称为**根目录**(但与节点根目录 `/` 不同)之下。
|
||
你可以使用 kubelet 命令行参数 `--root-dir` 来配置 kubelet 的基础目录。
|
||
|
||
<!--
|
||
Names of files:
|
||
|
||
- `memory_manager_state` for the [Memory Manager](/docs/tasks/administer-cluster/memory-manager/)
|
||
- `cpu_manager_state` for the [CPU Manager](/docs/tasks/administer-cluster/cpu-management-policies/)
|
||
- `dra_manager_state` for [DRA](/docs/concepts/scheduling-eviction/dynamic-resource-allocation/)
|
||
-->
|
||
文件名称:
|
||
|
||
- `memory_manager_state` 对应[内存管理器](/zh-cn/docs/tasks/administer-cluster/memory-manager/)
|
||
- `cpu_manager_state` 对应 [CPU 管理器](/zh-cn/docs/tasks/administer-cluster/cpu-management-policies/)
|
||
- `dra_manager_state` 对应 [DRA](/zh-cn/docs/concepts/scheduling-eviction/dynamic-resource-allocation/)
|
||
|
||
<!--
|
||
### Checkpoint file for device manager {#device-manager-state}
|
||
|
||
Device manager creates checkpoints in the same directory with socket files: `/var/lib/kubelet/device-plugins/`.
|
||
The name of a checkpoint file is `kubelet_internal_checkpoint` for
|
||
[Device Manager](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#device-plugin-integration-with-the-topology-manager)
|
||
|
||
### Pod resource checkpoints
|
||
-->
|
||
### 设备管理器的检查点文件 {#device-manager-state}
|
||
|
||
设备管理器在与套接字文件相同的目录(`/var/lib/kubelet/device-plugins/`)中创建检查点。
|
||
对于[设备管理器](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#device-plugin-integration-with-the-topology-manager),
|
||
检查点文件的名称为 `kubelet_internal_checkpoint`。
|
||
|
||
### Pod 状态检查点 {#pod-resource-checkpoints}
|
||
|
||
{{< feature-state feature_gate_name="InPlacePodVerticalScaling" >}}
|
||
|
||
<!--
|
||
If a node has enabled the `InPlacePodVerticalScaling`[feature gate](/docs/reference/command-line-tools-reference/feature-gates/),
|
||
the kubelet stores a local record of _allocated_ and _actuated_ Pod resources.
|
||
See [Resize CPU and Memory Resources assigned to Containers](/docs/tasks/configure-pod-container/resize-container-resources/)
|
||
for more details on how these records are used.
|
||
-->
|
||
如果某个节点已启用了 `InPlacePodVerticalScaling`
|
||
[特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/),
|
||
则 kubelet 存储有关 Pod 资源**已分配**和**已应用**状态的本地记录。
|
||
有关如何使用这些记录的更多细节,
|
||
请参阅[调整分配给容器的 CPU 和内存资源](/zh-cn/docs/tasks/configure-pod-container/resize-container-resources/)。
|
||
|
||
<!--
|
||
Names of files:
|
||
|
||
- `allocated_pods_state` records the resources allocated to each pod running on the node
|
||
- `actuated_pods_state` records the resources that have been accepted by the runtime
|
||
for each pod pod running on the node
|
||
|
||
The files are located within the kubelet base directory
|
||
(`/var/lib/kubelet` by default on Linux; configurable using `--root-dir`).
|
||
-->
|
||
文件名称如下:
|
||
|
||
- `allocated_pods_state`:记录分配给该节点上每个 Pod 的资源。
|
||
- `actuated_pods_state`:记录运行时已接受并应用于该节点上每个 Pod 的资源。
|
||
|
||
这些文件位于 kubelet 的基础目录中(在 Linux 系统中默认是 `/var/lib/kubelet`;
|
||
也可以通过 `--root-dir` 参数进行配置)。
|
||
|
||
<!--
|
||
### Container runtime
|
||
|
||
Kubelet communicates with the container runtime using socket configured via the
|
||
configuration parameters:
|
||
|
||
- `containerRuntimeEndpoint` for runtime operations
|
||
- `imageServiceEndpoint` for image management operations
|
||
|
||
The actual values of those endpoints depend on the container runtime being used.
|
||
-->
|
||
### 容器运行时 {#container-runtime}
|
||
|
||
kubelet 使用通过配置参数所配置的套接字与容器运行时进行通信:
|
||
|
||
- `containerRuntimeEndpoint` 用于运行时操作
|
||
- `imageServiceEndpoint` 用于镜像管理操作
|
||
|
||
这些端点的实际值取决于所使用的容器运行时。
|
||
|
||
<!--
|
||
### Device plugins
|
||
|
||
The kubelet exposes a socket at the path `/var/lib/kubelet/device-plugins/kubelet.sock` for
|
||
various [Device Plugins to register](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#device-plugin-implementation).
|
||
|
||
When a device plugin registers itself, it provides its socket path for the kubelet to connect.
|
||
|
||
The device plugin socket should be in the directory `device-plugins` within the kubelet base
|
||
directory. On a typical Linux node, this means `/var/lib/kubelet/device-plugins`.
|
||
-->
|
||
### 设备插件 {#device-plugins}
|
||
|
||
kubelet 在路径 `/var/lib/kubelet/device-plugins/kubelet.sock`
|
||
为各个[要注册的设备插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#device-plugin-implementation)公开一个套接字。
|
||
|
||
当设备插件注册自己时,它会为提供其套接字路径供 kubelet 连接使用。
|
||
|
||
设备插件套接字应位于 kubelet 基础目录中的 `device-plugins` 目录内。
|
||
在典型的 Linux 节点上,这意味着 `/var/lib/kubelet/device-plugins`。
|
||
|
||
<!--
|
||
### Pod resources API
|
||
|
||
[Pod Resources API](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#monitoring-device-plugin-resources)
|
||
will be exposed at the path `/var/lib/kubelet/pod-resources`.
|
||
-->
|
||
### Pod Resources API
|
||
|
||
[Pod Resources API](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#monitoring-device-plugin-resources)
|
||
将在路径 `/var/lib/kubelet/pod-resources` 上被公开。
|
||
|
||
<!--
|
||
### DRA, CSI, and Device plugins
|
||
|
||
The kubelet looks for socket files created by device plugins managed via [DRA](/docs/concepts/scheduling-eviction/dynamic-resource-allocation/),
|
||
device manager, or storage plugins, and then attempts to connect
|
||
to these sockets. The directory that the kubelet looks in is `plugins_registry` within the kubelet base
|
||
directory, so on a typical Linux node this means `/var/lib/kubelet/plugins_registry`.
|
||
-->
|
||
### DRA、CSI 和设备插件 {#dra-csi-and-device-plugins}
|
||
|
||
kubelet 会查找通过 [DRA](/zh-cn/docs/concepts/scheduling-eviction/dynamic-resource-allocation/)
|
||
设备管理器或存储插件所管理的设备插件所创建的套接字文件,然后尝试连接到这些套接字。
|
||
kubelet 查找的目录是 kubelet 基础目录下的 `plugins_registry`,
|
||
因此在典型的 Linux 节点上这意味着 `/var/lib/kubelet/plugins_registry`。
|
||
|
||
<!--
|
||
Note, for the device plugins there are two alternative registration mechanisms
|
||
Only one should be used for a given plugin.
|
||
|
||
The types of plugins that can place socket files into that directory are:
|
||
|
||
- CSI plugins
|
||
- DRA plugins
|
||
- Device Manager plugins
|
||
|
||
(typically `/var/lib/kubelet/plugins_registry`).
|
||
-->
|
||
请注意,对于设备插件,有两种备选的注册机制。每个给定的插件只能使用其中一种注册机制。
|
||
|
||
可以将套接字文件放入该目录的插件类型包括:
|
||
|
||
- CSI 插件
|
||
- DRA 插件
|
||
- 设备管理器插件
|
||
|
||
(通常是 `/var/lib/kubelet/plugins_registry`)。
|
||
|
||
<!--
|
||
### Graceful node shutdown
|
||
-->
|
||
### 节点体面关闭 {#graceful-node-shutdown}
|
||
|
||
{{< feature-state feature_gate_name="GracefulNodeShutdown" >}}
|
||
|
||
<!--
|
||
[Graceful node shutdown](/docs/concepts/cluster-administration/node-shutdown/#graceful-node-shutdown)
|
||
stores state locally at `/var/lib/kubelet/graceful_node_shutdown_state`.
|
||
-->
|
||
[节点体面关闭](/zh-cn/docs/concepts/cluster-administration/node-shutdown/#graceful-node-shutdown)将状态存储在本地目录
|
||
`/var/lib/kubelet/graceful_node_shutdown_state`。
|
||
|
||
<!--
|
||
### Image Pull Records
|
||
-->
|
||
### 镜像拉取记录 {#image-pull-records}
|
||
|
||
{{< feature-state feature_gate_name="KubeletEnsureSecretPulledImages" >}}
|
||
|
||
<!--
|
||
The kubelet stores records of attempted and successful image pulls, and uses it
|
||
to verify that the image was previously successfully pulled with the same credentials.
|
||
-->
|
||
kubelet 存储镜像拉取的尝试记录和成功记录,并使用这些记录来验证镜像是否曾使用相同的凭据被成功拉取过。
|
||
|
||
<!--
|
||
These records are cached as files in the `image_registry` directory within
|
||
the kubelet base directory. On a typical Linux node, this means `/var/lib/kubelet/image_manager`.
|
||
There are two subdirectories to `image_manager`:
|
||
* `pulling` - stores records about images the Kubelet is attempting to pull.
|
||
* `pulled` - stores records about images that were successfully pulled by the Kubelet,
|
||
along with metadata about the credentials used for the pulls.
|
||
-->
|
||
这些记录作为文件缓存在 kubelet 基础目录下的 `image_registry` 目录中。
|
||
在典型的 Linux 节点上,这个路径通常为 `/var/lib/kubelet/image_manager`。
|
||
`image_manager` 目录下包含两个子目录:
|
||
|
||
* `pulling`:存储 kubelet 正在尝试拉取的镜像的相关记录。
|
||
* `pulled`:存储 kubelet 成功拉取的镜像记录,以及与拉取所用凭据相关的元数据。
|
||
|
||
<!--
|
||
See [Ensure Image Pull Credential Verification](/docs/concepts/containers/images#ensureimagepullcredentialverification)
|
||
for details.
|
||
-->
|
||
更多细节请参阅[确保镜像拉取凭据验证](/zh-cn/docs/concepts/containers/images#ensureimagepullcredentialverification)。
|
||
|
||
<!--
|
||
## Security profiles & configuration
|
||
|
||
### Seccomp
|
||
|
||
Seccomp profile files referenced from Pods should be placed in `/var/lib/kubelet/seccomp`.
|
||
See the [seccomp reference](/docs/reference/node/seccomp/) for details.
|
||
-->
|
||
## 安全配置文件和配置 {#security-profiles-configuration}
|
||
|
||
### Seccomp
|
||
|
||
被 Pod 引用的 Seccomp 配置文件应放置在 `/var/lib/kubelet/seccomp`。
|
||
有关细节请参见 [Seccomp 参考](/zh-cn/docs/reference/node/seccomp/)。
|
||
|
||
<!--
|
||
### AppArmor
|
||
|
||
The kubelet does not load or refer to AppArmor profiles by a Kubernetes-specific path.
|
||
AppArmor profiles are loaded via the node operating system rather then referenced by their path.
|
||
|
||
## Locking
|
||
-->
|
||
### AppArmor
|
||
|
||
kubelet 不会通过特定于 Kubernetes 的路径加载或引用 AppArmor 配置文件。
|
||
AppArmor 配置文件通过节点操作系统被加载,而不是通过其路径被引用。
|
||
|
||
## 加锁 {#locking}
|
||
|
||
{{< feature-state state="alpha" for_k8s_version="v1.2" >}}
|
||
|
||
<!--
|
||
A lock file for the kubelet; typically `/var/run/kubelet.lock`. The kubelet uses this to ensure
|
||
that two different kubelets don't try to run in conflict with each other.
|
||
You can configure the path to the lock file using the the `--lock-file` kubelet command line argument.
|
||
|
||
If two kubelets on the same node use a different value for the lock file path, they will not be able to
|
||
detect a conflict when both are running.
|
||
-->
|
||
kubelet 的锁文件;通常为 `/var/run/kubelet.lock`。
|
||
kubelet 使用此文件确保尝试运行两个不同的、彼此冲突的 kubelet。
|
||
你可以使用 `--lock-file` kubelet 命令行参数来配置这个锁文件的路径。
|
||
|
||
如果同一节点上的两个 kubelet 使用不同的锁文件路径值,则这两个 kubelet 在同时运行时将不会检测到冲突。
|
||
|
||
## {{% heading "whatsnext" %}}
|
||
|
||
<!--
|
||
- Learn about the kubelet [command line arguments](/docs/reference/command-line-tools-reference/kubelet/).
|
||
- Review the [Kubelet Configuration (v1beta1) reference](/docs/reference/config-api/kubelet-config.v1beta1/)
|
||
-->
|
||
- 了解 kubelet [命令行参数](/zh-cn/docs/reference/command-line-tools-reference/kubelet/)。
|
||
- 查阅 [kubelet 配置 (v1beta1) 参考文档](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/)
|