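Cloud Native for Beginners: A Complete Learning Guide

Learning Path Overview

This guide runs from simple to complex: you start with Docker basics, work up through Kubernetes and CI/CD, and finish able to deploy cloud-native applications to a production environment.

Step 1: Docker basics (1-2 weeks) → Step 2: Try out K8s (1-2 weeks) → Step 3: CI/CD (2-3 weeks) → Step 4: Advanced K8s (3-4 weeks)

Step 1: Master Docker (1-2 weeks)

Goals

  • Use the basic Docker commands fluently
  • Package a Spring Boot application into an image
  • Understand the core concepts of containerization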

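1.1 Environment Setup

Installing Docker (Ubuntu as the example)
# Update the package index
sudo apt update

# Install Docker
sudo apt install docker.io

# Start the Docker service
sudo systemctl start docker
sudo systemctl enable docker

# Add the current user to the docker group
# (members of this group can control the Docker daemon, which runs as root)
sudo usermod -aG docker $USER
newgrp docker

# Verify the installation
docker --version
docker run hello-world

Preparing the Java environment
# Install OpenJDK 11
sudo apt install openjdk-11-jdk

# Install Maven
sudo apt install maven

# Verify the installation
java --version
mvn --version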

1.2 Creating the Spring Boot Sample Application

Project structure
spring-boot-demo/
├── pom.xml
├── src/
│   └── main/
│       └── java/
│           └── com/
│               └── example/
│                   └── demo/
│                       ├── DemoApplication.java
│                       └── controller/
│                           └── HelloController.java
└── Dockerfile

pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.example</groupId>
    <artifactId>spring-boot-demo</artifactId>
    <version>1.0.0</version>
    <packaging>jar</packaging>

    <name>spring-boot-demo</name>
    <description>Demo project for Spring Boot</description>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.0</version>
        <relativePath/>
    </parent>

    <properties>
        <java.version>11</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

DemoApplication.java
package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class DemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}

HelloController.java
package com.example.demo.controller;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {

    @GetMapping("/")
    public String hello() {
        return "Hello, Cloud Native World!";
    }

    @GetMapping("/health")
    public String health() {
        return "OK";
    }

    @GetMapping("/info")
    public String info() {
        return "Spring Boot Demo v1.0.0";
    }
}

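1.3 Creating the Dockerfile

Dockerfile (multi-stage build)
# Stage 1: build the application
FROM maven:3.8.5-openjdk-11 AS builder
WORKDIR /app
COPY pom.xml .
# Download dependencies (makes use of the Docker layer cache)
RUN mvn dependency:go-offline -B
COPY src ./src
# Build the application
RUN mvn package -DskipTests

# Stage 2: run the application
FROM openjdk:11-jre-slim

# The HEALTHCHECK below calls curl, which the slim base image does not ship
RUN apt-get update && apt-get install -y --no-install-recommends curl \
    && rm -rf /var/lib/apt/lists/*

# Create a non-root user
RUN addgroup --system app && adduser --system --group app

# Set the working directory
WORKDIR /app

# Copy the jar file from the build stage
COPY --from=builder /app/target/*.jar app.jar

# Change the file owner
RUN chown app:app app.jar

# Switch to the non-root user
USER app

# Expose the port
EXPOSE 8080

# Health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD curl -f http://localhost:8080/health || exit 1

# Startup command
ENTRYPOINT ["java", "-jar", "app.jar"]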

1.4 Core Docker Commands in Practice

Building the image
# Change into the project directory
cd spring-boot-demo

# Build the image
docker build -t spring-boot-demo:1.0.0 .
docker build -t spring-boot-demo:latest .

# List the built images
docker images

# Show detailed image information
docker inspect spring-boot-demo:latest

# Show the image build history
docker history spring-boot-demo:latest

Running containers
# Basic run
docker run -p 8080:8080 spring-boot-demo:latest

# Run in the background
docker run -d -p 8080:8080 --name demo-app spring-boot-demo:latest

# Test the application
curl http://localhost:8080/
curl http://localhost:8080/health
curl http://localhost:8080/info

# List containers
docker ps
docker ps -a

# View container logs
docker logs demo-app
docker logs -f demo-app  # follow in real time

# Enter the container
docker exec -it demo-app bash

# View container resource usage
docker stats demo-app

Managing containers
# Stop the container
docker stop demo-app

# Start the container
docker start demo-app

# Restart the container
docker restart demo-app

# Remove the container
docker rm demo-app

# Remove the image
docker rmi spring-boot-demo:latest

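1.5 Step 1 Summary and Exercises

Must-have skills checklist
  • [ ] Can write a Dockerfile independently
  • [ ] Fluent with the docker build command
  • [ ] Fluent with the docker run command and its common options
  • [ ] Can view and manage container logs
  • [ ] Understands image layering and the build cache
Exercises
  1. Modify HelloController to add an API that returns the current time
  2. Rebuild the image with a new version tag
  3. Run several container instances at once, mapped to different ports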

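Step 2: Try Out Managed K8s (1-2 weeks)

Goals

  • Try out a managed Kubernetes service
  • Master the basic kubectl operations
  • Understand basic concepts such as Pod and Service

2.1 Choosing a Cloud Provider

Alibaba Cloud Container Service (ACK)
# 1. Log in to the Alibaba Cloud console
# 2. Search for "Container Service for Kubernetes"
# 3. Click "Free trial"
# 4. Create a managed cluster (pick the smallest spec to keep costs down)

Tencent Cloud TKE
# 1. Log in to the Tencent Cloud console
# 2. Search for "Container Service TKE"
# 3. Click "Free trial"
# 4. Create a managed cluster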

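2.2 Installing and Configuring kubectl

Installing kubectl on Linux
# Download the latest release
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"

# Install kubectl
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

# Verify the installation
kubectl version --client

Configuring access credentials
# Download the kubeconfig file from the cloud provider's console
# It is usually saved as ~/.kube/config

# Verify the connection
kubectl cluster-info
kubectl get nodes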

2.3 Pushing the Image to a Registry

Using Alibaba Cloud Container Registry
# 1. Create a Container Registry namespace in the Alibaba Cloud console
# 2. Create an image repository

# Log in to the Alibaba Cloud registry
docker login --username=your-username registry.cn-hangzhou.aliyuncs.com

# Tag the image
docker tag spring-boot-demo:latest registry.cn-hangzhou.aliyuncs.com/your-namespace/spring-boot-demo:latest

# Push the image
docker push registry.cn-hangzhou.aliyuncs.com/your-namespace/spring-boot-demo:latest

Using Docker Hub
# Log in to Docker Hub
docker login

# Tag the image
docker tag spring-boot-demo:latest your-dockerhub-username/spring-boot-demo:latest

# Push the image
docker push your-dockerhub-username/spring-boot-demo:latest

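2.4 Deploying the Application from the Console

Console steps
  1. Open the K8s cluster console
  2. Select "Workloads" -> "Stateless"
  3. Click "Create from image"
  4. Configure the following parameters:
    • Application name: spring-boot-demo
    • Image: your-registry/spring-boot-demo:latest
    • Port: 8080
    • Replicas: 2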

2.5 Basic kubectl Operations in Practice

Listing resources
# List all namespaces
kubectl get namespaces

# List Pods
kubectl get pods
kubectl get pods -o wide
kubectl get pods -n kube-system

# List Deployments
kubectl get deployments
kubectl get deploy

# List Services
kubectl get services
kubectl get svc

# List all resources
kubectl get all

Viewing details
# Describe a Pod in detail
kubectl describe pod <pod-name>

# Describe a Deployment in detail
kubectl describe deployment spring-boot-demo

# View Pod logs
kubectl logs <pod-name>
kubectl logs -f <pod-name>  # follow in real time
kubectl logs <pod-name> -c <container-name>  # for multi-container Pods

Pod operations
# Enter a Pod
kubectl exec -it <pod-name> -- bash
kubectl exec -it <pod-name> -- sh

# Run a command inside a Pod
kubectl exec <pod-name> -- ls /app
kubectl exec <pod-name> -- curl http://localhost:8080/health

# Port forwarding
kubectl port-forward <pod-name> 8080:8080
kubectl port-forward service/spring-boot-demo 8080:8080

2.6 Deploying with YAML Configuration Files

deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spring-boot-demo
  labels:
    app: spring-boot-demo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: spring-boot-demo
  template:
    metadata:
      labels:
        app: spring-boot-demo
    spec:
      containers:
      - name: spring-boot-demo
        image: registry.cn-hangzhou.aliyuncs.com/your-namespace/spring-boot-demo:latest
        ports:
        - containerPort: 8080
        env:
        - name: JAVA_OPTS
          value: "-Xmx512m -Xms256m"
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
        resources:
          limits:
            cpu: 500m
            memory: 512Mi
          requests:
            cpu: 200m
            memory: 256Mi

service.yaml
apiVersion: v1
kind: Service
metadata:
  name: spring-boot-demo-service
spec:
  selector:
    app: spring-boot-demo
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
  type: LoadBalancer  # or ClusterIP, NodePort

Deploying with YAML
# Deploy the application
kubectl apply -f deployment.yaml
kubectl apply -f service.yaml

# Or deploy both in one go
kubectl apply -f deployment.yaml -f service.yaml

# Check the rollout status
kubectl rollout status deployment/spring-boot-demo

# Get the service's access address
kubectl get service spring-boot-demo-service

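2.7 Step 2 Summary and Exercises

Must-have skills checklist
  • [ ] Can connect to a K8s cluster with kubectl
  • [ ] Fluent with the kubectl get, describe and logs commands
  • [ ] Understands the basic concepts of Pod, Deployment and Service
  • [ ] Can deploy an application from YAML files
Exercises
  1. Try scaling the number of application replicas up and down
  2. Change the application configuration and try a rolling update
  3. Access the application through different Service types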

Step 3: Build a Simple CI/CD Setup (2-3 weeks)

Goals

  • Set up GitLab and Jenkins environments
  • Have code commits trigger builds automatically
  • Complete the full flow of automatic deployment to K8s

3.1 Environment Setup

Setting up GitLab with Docker
# Create the GitLab directories
mkdir -p /opt/gitlab/{config,logs,data}

# Run the GitLab container
docker run -d \
  --hostname gitlab.example.com \
  -p 80:80 -p 443:443 -p 22:22 \
  --name gitlab \
  --restart always \
  -v /opt/gitlab/config:/etc/gitlab \
  -v /opt/gitlab/logs:/var/log/gitlab \
  -v /opt/gitlab/data:/var/opt/gitlab \
  --shm-size 256m \
  gitlab/gitlab-ce:latest

# View the initial password
docker exec -it gitlab grep 'Password:' /etc/gitlab/initial_root_password

Setting up Jenkins with Docker
# Create the Jenkins data directory
mkdir -p /opt/jenkins_home
sudo chown -R 1000:1000 /opt/jenkins_home

# Run the Jenkins container
# (mounting /var/run/docker.sock lets Jenkins jobs drive the host's Docker daemon,
#  which amounts to root-level access to the host)
docker run -d \
  -p 8080:8080 -p 50000:50000 \
  --name jenkins \
  --restart always \
  -v /opt/jenkins_home:/var/jenkins_home \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /usr/bin/docker:/usr/bin/docker \
  jenkins/jenkins:lts

# Get the initial administrator password
docker exec jenkins cat /var/jenkins_home/secrets/initialAdminPassword

3.2 GitLab Configuration

Creating the project
  1. Open http://localhost (GitLab)
  2. Log in with the root account
  3. Create a new project: spring-boot-demo
  4. Upload the code to the GitLab repository
# Configure Git (if not configured yet)
git config --global user.name "Your Name"
git config --global user.email "your.email@example.com"

# Initialize the local repository
cd spring-boot-demo
git init
git add .
git commit -m "Initial commit"

# Link the remote repository
git remote add origin http://localhost/root/spring-boot-demo.git
git push -u origin master

Creating the GitLab CI configuration
# .gitlab-ci.yml
stages:
  - build
  - test
  - deploy

variables:
  IMAGE_NAME: "registry.cn-hangzhou.aliyuncs.com/your-namespace/spring-boot-demo"
  IMAGE_TAG: "$CI_COMMIT_SHORT_SHA"

build:
  stage: build
  # The docker commands below need a docker CLI available in this job image
  image: maven:3.8.5-openjdk-11
  services:
    - docker:dind
  variables:
    DOCKER_HOST: tcp://docker:2375
    DOCKER_DRIVER: overlay2
    # An empty value disables TLS between the job and the dind service (plain TCP on 2375)
    DOCKER_TLS_CERTDIR: ""
  before_script:
    # Pass the password on stdin so it does not show up in the process list
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
  script:
    - mvn clean package -DskipTests
    - docker build -t $IMAGE_NAME:$IMAGE_TAG .
    - docker build -t $IMAGE_NAME:latest .
    - docker push $IMAGE_NAME:$IMAGE_TAG
    - docker push $IMAGE_NAME:latest
  artifacts:
    paths:
      - target/*.jar
    expire_in: 1 hour

test:
  stage: test
  image: maven:3.8.5-openjdk-11
  script:
    - mvn test
  dependencies:
    - build

deploy:
  stage: deploy
  image: bitnami/kubectl:latest
  script:
    - echo "$KUBECONFIG" | base64 -d > /tmp/kubeconfig
    - export KUBECONFIG=/tmp/kubeconfig
    - kubectl set image deployment/spring-boot-demo spring-boot-demo=$IMAGE_NAME:$IMAGE_TAG
    - kubectl rollout status deployment/spring-boot-demo
  only:
    - master

3.3 Jenkins Configuration

Installing the required plugins
  1. Open http://localhost:8080 (Jenkins)
  2. Install the suggested plugins
  3. Additionally install the following plugins:
    • Git Plugin
    • Docker Plugin
    • Kubernetes Plugin
    • Pipeline Plugin
Creating the Pipeline job
  1. New Item -> Pipeline
  2. Configure the Git repository URL
  3. Create the Jenkinsfile
// Jenkinsfile
pipeline {
    agent any

    environment {
        DOCKER_REGISTRY = 'registry.cn-hangzhou.aliyuncs.com'
        IMAGE_NAME = 'your-namespace/spring-boot-demo'
        KUBECONFIG_CREDENTIAL = 'kubeconfig'
    }

    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }

        stage('Build') {
            steps {
                sh 'mvn clean package -DskipTests'
            }
        }

        stage('Test') {
            steps {
                sh 'mvn test'
            }
            post {
                always {
                    junit 'target/surefire-reports/*.xml'
                }
            }
        }

        stage('Docker Build') {
            steps {
                script {
                    def imageTag = "${env.BUILD_NUMBER}-${env.GIT_COMMIT[0..7]}"
                    def image = docker.build("${DOCKER_REGISTRY}/${IMAGE_NAME}:${imageTag}")
                    docker.withRegistry("https://${DOCKER_REGISTRY}", 'docker-registry-credential') {
                        image.push()
                        image.push('latest')
                    }
                    env.IMAGE_TAG = imageTag
                }
            }
        }

        stage('Deploy to K8s') {
            steps {
                withKubeConfig([credentialsId: KUBECONFIG_CREDENTIAL]) {
                    sh """
                        kubectl set image deployment/spring-boot-demo \
                            spring-boot-demo=${DOCKER_REGISTRY}/${IMAGE_NAME}:${env.IMAGE_TAG}
                        kubectl rollout status deployment/spring-boot-demo
                    """
                }
            }
        }
    }

    post {
        always {
            cleanWs()
        }
        success {
            echo 'Pipeline succeeded!'
        }
        failure {
            echo 'Pipeline failed!'
        }
    }
}

3.4 Complete Deployment YAML Files

k8s/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: demo

k8s/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spring-boot-demo
  namespace: demo
  labels:
    app: spring-boot-demo
    version: v1
spec:
  replicas: 3
  selector:
    matchLabels:
      app: spring-boot-demo
  template:
    metadata:
      labels:
        app: spring-boot-demo
        version: v1
    spec:
      containers:
      - name: spring-boot-demo
        image: registry.cn-hangzhou.aliyuncs.com/your-namespace/spring-boot-demo:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
          name: http
        env:
        - name: JAVA_OPTS
          value: "-Xmx512m -Xms256m -Dspring.profiles.active=prod"
        - name: TZ
          value: "Asia/Shanghai"
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 60
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 3
        readinessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 10
          periodSeconds: 5
          timeoutSeconds: 3
          failureThreshold: 3
        resources:
          limits:
            cpu: 1000m
            memory: 1Gi
          requests:
            cpu: 500m
            memory: 512Mi
      imagePullSecrets:
      - name: registry-secret

k8s/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: spring-boot-demo-service
  namespace: demo
  labels:
    app: spring-boot-demo
spec:
  type: ClusterIP
  ports:
  - port: 80
    targetPort: 8080
    name: http
  selector:
    app: spring-boot-demo

k8s/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: spring-boot-demo-ingress
  namespace: demo
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - host: demo.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: spring-boot-demo-service
            port:
              number: 80

3.5 Automated Deployment Script

deploy.sh
#!/bin/bash
set -e

# Configuration variables
NAMESPACE="demo"
APP_NAME="spring-boot-demo"
IMAGE_TAG=${1:-latest}

echo "Deploying $APP_NAME with image tag: $IMAGE_TAG"

# Create the namespace (if it does not exist)
kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -

# Deploy the application
kubectl apply -f k8s/

# Update the image
kubectl set image "deployment/$APP_NAME" \
  "$APP_NAME=registry.cn-hangzhou.aliyuncs.com/your-namespace/$APP_NAME:$IMAGE_TAG" \
  -n "$NAMESPACE"

# Wait for the rollout to finish
kubectl rollout status "deployment/$APP_NAME" -n "$NAMESPACE"

# Show service information
echo "Deployment completed successfully!"
kubectl get pods -n "$NAMESPACE"
kubectl get svc -n "$NAMESPACE"

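3.6 Step 3 Summary and Exercises

Must-have skills checklist
  • [ ] Can set up GitLab and Jenkins environments
  • [ ] Understands the concept of a CI/CD pipeline
  • [ ] Can write a Jenkinsfile or .gitlab-ci.yml
  • [ ] Has code commits trigger deployment automatically
Exercises
  1. Add a code quality check stage (such as SonarQube)
  2. Implement multi-environment deployment (development, testing, production)
  3. Add automatic rollback when a deployment fails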

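Step 4: Learn the Core K8s Concepts in Depth (3-4 weeks)

Goals

  • Master the core K8s resource objects
  • Understand the declarative API philosophy
  • Be able to manage K8s applications in a production environment

4.1 Understanding the Core Concepts in Depth

The declarative API philosophy
# Traditional, imperative style
# (kubectl create deployment is used here because current kubectl run creates a bare Pod,
#  which "kubectl expose deployment" cannot find)
kubectl create deployment nginx --image=nginx --port=80
kubectl expose deployment nginx --type=LoadBalancer

# Declarative style
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80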

4.2 Deployment in Depth

Advanced Deployment configuration
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spring-boot-demo
  namespace: production
  labels:
    app: spring-boot-demo
    tier: backend
    version: v2
spec:
  # Number of replicas
  replicas: 5
  # Selector
  selector:
    matchLabels:
      app: spring-boot-demo
      tier: backend
  # Update strategy
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1      # maximum number of Pods that may be unavailable during an update
      maxSurge: 2            # maximum number of Pods above the desired replica count during an update
  # Revision history limit
  revisionHistoryLimit: 10
  # Progress deadline
  progressDeadlineSeconds: 600
  # Pod template
  template:
    metadata:
      labels:
        app: spring-boot-demo
        tier: backend
        version: v2
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/actuator/prometheus"
    spec:
      # Graceful termination period
      terminationGracePeriodSeconds: 30
      # Restart policy
      restartPolicy: Always
      # Scheduling
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - spring-boot-demo
              topologyKey: kubernetes.io/hostname
      containers:
      - name: spring-boot-demo
        image: registry.cn-hangzhou.aliyuncs.com/your-namespace/spring-boot-demo:v2.0.0
        imagePullPolicy: Always
        ports:
        - name: http
          containerPort: 8080
          protocol: TCP
        - name: management
          containerPort: 8081
          protocol: TCP
        # Environment variables
        env:
        - name: JAVA_OPTS
          value: "-Xmx1g -Xms512m -Dspring.profiles.active=prod"
        - name: SERVER_PORT
          value: "8080"
        - name: MANAGEMENT_SERVER_PORT
          value: "8081"
        # Resource limits
        resources:
          limits:
            cpu: 2000m
            memory: 2Gi
            ephemeral-storage: 1Gi
          requests:
            cpu: 1000m
            memory: 1Gi
            ephemeral-storage: 500Mi
        # Health checks
        livenessProbe:
          httpGet:
            path: /actuator/health/liveness
            port: 8081
          initialDelaySeconds: 90
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 3
          successThreshold: 1
        readinessProbe:
          httpGet:
            path: /actuator/health/readiness
            port: 8081
          initialDelaySeconds: 30
          periodSeconds: 5
          timeoutSeconds: 3
          failureThreshold: 3
          successThreshold: 1
        # Startup probe
        startupProbe:
          httpGet:
            path: /actuator/health
            port: 8081
          initialDelaySeconds: 20
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 30
        # Security context
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 1000
          runAsGroup: 1000
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
        # Volume mounts
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        - name: app-config
          mountPath: /app/config
          readOnly: true
        - name: app-logs
          mountPath: /app/logs
      # Volume definitions
      volumes:
      - name: tmp
        emptyDir: {}
      - name: app-config
        configMap:
          name: spring-boot-demo-config
      - name: app-logs
        emptyDir: {}
      # Image pull secret
      imagePullSecrets:
      - name: registry-secret

Deployment management commands
# Deploy the application
kubectl apply -f deployment.yaml

# Check the Deployment status
kubectl get deployments -n demo
kubectl describe deployment spring-boot-demo -n demo

# List ReplicaSets
kubectl get replicasets -n demo
kubectl get rs -n demo

# Scale up or down
kubectl scale deployment spring-boot-demo --replicas=5 -n demo

# Rolling update
kubectl set image deployment/spring-boot-demo \
  spring-boot-demo=registry.cn-hangzhou.aliyuncs.com/your-namespace/spring-boot-demo:v2.1.0 \
  -n demo

# Check the update status
kubectl rollout status deployment/spring-boot-demo -n demo

# View the update history
kubectl rollout history deployment/spring-boot-demo -n demo

# Roll back
kubectl rollout undo deployment/spring-boot-demo -n demo
kubectl rollout undo deployment/spring-boot-demo --to-revision=2 -n demo

# Pause and resume an update
kubectl rollout pause deployment/spring-boot-demo -n demo
kubectl rollout resume deployment/spring-boot-demo -n demo

4.3 Service in Depth

ClusterIP Service
apiVersion: v1
kind: Service
metadata:
  name: spring-boot-demo-clusterip
  namespace: demo
  labels:
    app: spring-boot-demo
spec:
  type: ClusterIP
  selector:
    app: spring-boot-demo
  ports:
  - name: http
    port: 80
    targetPort: 8080
    protocol: TCP
  - name: management
    port: 8081
    targetPort: 8081
    protocol: TCP

NodePort Service
apiVersion: v1
kind: Service
metadata:
  name: spring-boot-demo-nodeport
  namespace: demo
spec:
  type: NodePort
  selector:
    app: spring-boot-demo
  ports:
  - name: http
    port: 80
    targetPort: 8080
    nodePort: 30080
    protocol: TCP

LoadBalancer Service
apiVersion: v1
kind: Service
metadata:
  name: spring-boot-demo-lb
  namespace: demo
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/alicloud-loadbalancer-spec: slb.s1.small
spec:
  type: LoadBalancer
  selector:
    app: spring-boot-demo
  ports:
  - name: http
    port: 80
    targetPort: 8080
  externalTrafficPolicy: Local

Headless Service
apiVersion: v1
kind: Service
metadata:
  name: spring-boot-demo-headless
  namespace: demo
spec:
  clusterIP: None
  selector:
    app: spring-boot-demo
  ports:
  - name: http
    port: 8080
    targetPort: 8080

4.4 Ingress Configuration

Nginx Ingress Controller
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: spring-boot-demo-ingress
  namespace: demo
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
    # Rate limiting: 100 requests per minute per client IP
    # (ingress-nginx expresses this as limit-rpm; it has no rate-limit / rate-limit-window annotations)
    nginx.ingress.kubernetes.io/limit-rpm: "100"
spec:
  tls:
  - hosts:
    - demo.example.com
    secretName: demo-tls
  rules:
  - host: demo.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: spring-boot-demo-service
            port:
              number: 80
      - path: /api/v1
        pathType: Prefix
        backend:
          service:
            name: spring-boot-demo-service
            port:
              number: 80

TLS certificate configuration
apiVersion: v1
kind: Secret
metadata:
  name: demo-tls
  namespace: demo
type: kubernetes.io/tls
data:
  tls.crt: LS0tLS1CRUdJTi... # base64-encoded certificate
  tls.key: LS0tLS1CRUdJTi... # base64-encoded private key

4.5 ConfigMap and Secret

ConfigMap example
apiVersion: v1
kind: ConfigMap
metadata:
  name: spring-boot-demo-config
  namespace: demo
data:
  # Properties file format
  application.properties: |
    server.port=8080
    management.server.port=8081
    management.endpoints.web.exposure.include=health,info,metrics,prometheus
    spring.datasource.url=jdbc:mysql://mysql-service:3306/demo
    spring.datasource.username=app_user
    logging.level.com.example=DEBUG
  # YAML format
  application.yml: |
    server:
      port: 8080
    management:
      server:
        port: 8081
      endpoints:
        web:
          exposure:
            include: health,info,metrics,prometheus
    spring:
      datasource:
        url: jdbc:mysql://mysql-service:3306/demo
        username: app_user
    logging:
      level:
        com.example: DEBUG
  # Plain-text configuration
  nginx.conf: |
    upstream backend {
        server spring-boot-demo-service:80;
    }
    server {
        listen 80;
        location / {
            proxy_pass http://backend;
        }
    }

Secret example
apiVersion: v1
kind: Secret
metadata:
  name: spring-boot-demo-secret
  namespace: demo
type: Opaque
data:
  # base64-encoded values (an encoding, not encryption)
  database-password: cGFzc3dvcmQxMjM=  # password123
  api-key: YWJjZGVmZ2hpams=             # abcdefghijk
stringData:
  # Plain-text values, base64-encoded automatically
  jwt-secret: "my-super-secret-jwt-key"
  redis-password: "redis123456"

Using ConfigMap and Secret in a Pod
apiVersion: v1
kind: Pod
metadata:
  name: demo-pod
spec:
  containers:
  - name: app
    image: spring-boot-demo:latest
    # As environment variables
    env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: spring-boot-demo-secret
          key: database-password
    - name: API_KEY
      valueFrom:
        secretKeyRef:
          name: spring-boot-demo-secret
          key: api-key
    # As a group of environment variables
    envFrom:
    - configMapRef:
        name: spring-boot-demo-config
    - secretRef:
        name: spring-boot-demo-secret
    # As mounted files
    volumeMounts:
    - name: config-volume
      mountPath: /app/config
    - name: secret-volume
      mountPath: /app/secrets
      readOnly: true
  volumes:
  - name: config-volume
    configMap:
      name: spring-boot-demo-config
      items:
      - key: application.yml
        path: application.yml
  - name: secret-volume
    secret:
      secretName: spring-boot-demo-secret
      defaultMode: 0400

ConfigMap and Secret management commands
# Create a ConfigMap
kubectl create configmap app-config --from-file=config/
kubectl create configmap app-config --from-literal=key1=value1 --from-literal=key2=value2

# Create a Secret
kubectl create secret generic app-secret --from-file=secret-file.txt
kubectl create secret generic app-secret --from-literal=password=123456

# List ConfigMaps and Secrets
kubectl get configmaps -n demo
kubectl get secrets -n demo

# View the details
kubectl describe configmap spring-boot-demo-config -n demo
kubectl get secret spring-boot-demo-secret -o yaml -n demo

# Edit a ConfigMap
kubectl edit configmap spring-boot-demo-config -n demo

# Delete
kubectl delete configmap spring-boot-demo-config -n demo
kubectl delete secret spring-boot-demo-secret -n demo

4.6 Horizontal Pod Autoscaling (HPA)

HPA configuration
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: spring-boot-demo-hpa
  namespace: demo
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: spring-boot-demo
  minReplicas: 2
  maxReplicas: 10
  metrics:
  # CPU utilization
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70
  # Memory utilization
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: 80
  # Custom metric (requires metrics-server)
  - type: Pods
    pods:
      metric:
        name: http_requests_per_second
      target:
        type: AverageValue
        averageValue: "100"
  # Scaling behavior
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300
      policies:
      - type: Percent
        value: 50
        periodSeconds: 60
      - type: Pods
        value: 2
        periodSeconds: 60
      selectPolicy: Min
    scaleUp:
      stabilizationWindowSeconds: 60
      policies:
      - type: Percent
        value: 100
        periodSeconds: 15
      - type: Pods
        value: 4
        periodSeconds: 15
      selectPolicy: Max

HPA management commands
# Check the HPA status
kubectl get hpa -n demo
kubectl describe hpa spring-boot-demo-hpa -n demo

# Test scale-up manually (load test)
kubectl run -i --tty load-generator --rm --image=busybox --restart=Never -- /bin/sh
# Run inside the container
while true; do wget -q -O- http://spring-boot-demo-service.demo.svc.cluster.local/; done

# Watch the scale-up happen
kubectl get pods -n demo -w

4.7 Data Persistence

PersistentVolume and PersistentVolumeClaim
# PV definition
apiVersion: v1
kind: PersistentVolume
metadata:
  name: mysql-pv
spec:
  capacity:
    storage: 10Gi
  accessModes:
  - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: standard
  hostPath:
    path: /data/mysql
---
# PVC definition
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql-pvc
  namespace: demo
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: standard

Using dynamic storage
# StorageClass definition
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: fast-ssd
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp2
  fsType: ext4
allowVolumeExpansion: true
---
# PVC that uses the StorageClass
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data-pvc
  namespace: demo
spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: fast-ssd
  resources:
    requests:
      storage: 20Gi

MySQL stateful application example
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mysql
  namespace: demo
spec:
  serviceName: mysql
  replicas: 1
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - name: mysql
        image: mysql:8.0
        ports:
        - containerPort: 3306
          name: mysql
        env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-secret
              key: root-password
        - name: MYSQL_DATABASE
          value: "demo"
        - name: MYSQL_USER
          value: "app_user"
        - name: MYSQL_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-secret
              key: user-password
        volumeMounts:
        - name: mysql-storage
          mountPath: /var/lib/mysql
        - name: mysql-config
          mountPath: /etc/mysql/conf.d
        livenessProbe:
          exec:
            command:
            - mysqladmin
            - ping
            - -h
            - localhost
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
        readinessProbe:
          exec:
            # Run through a shell: exec probes do not expand $MYSQL_ROOT_PASSWORD themselves
            command:
            - sh
            - -c
            - mysql -h localhost -u root -p"$MYSQL_ROOT_PASSWORD" -e "SELECT 1"
          initialDelaySeconds: 10
          periodSeconds: 5
          timeoutSeconds: 3
      volumes:
      - name: mysql-config
        configMap:
          name: mysql-config
  volumeClaimTemplates:
  - metadata:
      name: mysql-storage
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: fast-ssd
      resources:
        requests:
          storage: 20Gi

4.8 Namespaces and Resource Quotas

Namespace management
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    environment: production
    team: backend
---
apiVersion: v1
kind: Namespace
metadata:
  name: staging
  labels:
    environment: staging
    team: backend

ResourceQuota configuration
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-quota
  namespace: production
spec:
  hard:
    requests.cpu: "10"
    requests.memory: 20Gi
    limits.cpu: "20"
    limits.memory: 40Gi
    persistentvolumeclaims: "10"
    pods: "50"
    services: "10"
    secrets: "20"
    configmaps: "20"

LimitRange configuration
apiVersion: v1
kind: LimitRange
metadata:
  name: default-limit-range
  namespace: production
spec:
  limits:
  - default:
      cpu: 1000m
      memory: 1Gi
    defaultRequest:
      cpu: 200m
      memory: 256Mi
    type: Container
  - max:
      cpu: 2000m
      memory: 4Gi
    min:
      cpu: 100m
      memory: 128Mi
    type: Container

4.9 Advanced Scheduling Strategies

Node selector
apiVersion: v1
kind: Pod
metadata:
  name: demo-pod
spec:
  nodeSelector:
    disktype: ssd
    zone: us-west1-a
  containers:
  - name: app
    image: spring-boot-demo:latest

Node affinity
apiVersion: apps/v1
kind: Deployment
metadata:
  name: spring-boot-demo
spec:
  replicas: 3
  selector:
    matchLabels:
      app: spring-boot-demo
  template:
    metadata:
      labels:
        app: spring-boot-demo
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/arch
                operator: In
                values:
                - amd64
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            preference:
              matchExpressions:
              - key: disktype
                operator: In
                values:
                - ssd
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - spring-boot-demo
              topologyKey: kubernetes.io/hostname
      containers:
      - name: spring-boot-demo
        image: spring-boot-demo:latest

Taints and tolerations
# Add a taint to a node
kubectl taint nodes node1 key1=value1:NoSchedule

# View the node's taints
kubectl describe node node1

# Remove the taint
kubectl taint nodes node1 key1=value1:NoSchedule-

# Pod toleration configuration
apiVersion: v1
kind: Pod
metadata:
  name: demo-pod
spec:
  tolerations:
  - key: "key1"
    operator: "Equal"
    value: "value1"
    effect: "NoSchedule"
  - key: "dedicated"
    operator: "Equal"
    value: "gpu"
    effect: "NoSchedule"
  containers:
  - name: app
    image: spring-boot-demo:latest

4.10 Monitoring and Observability

Prometheus monitoring configuration
# ServiceMonitor is a Prometheus Operator custom resource, so it lives in monitoring.coreos.com/v1
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: spring-boot-demo
  namespace: demo
  labels:
    app: spring-boot-demo
spec:
  selector:
    matchLabels:
      app: spring-boot-demo
  endpoints:
  - port: management
    path: /actuator/prometheus
    interval: 30s
    scrapeTimeout: 10s

Log collection configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: demo
data:
  filebeat.yml: |
    filebeat.inputs:
    - type: container
      paths:
        - /var/log/containers/*spring-boot-demo*.log
      processors:
      - add_kubernetes_metadata:
          host: ${NODE_NAME}
          matchers:
          - logs_path:
              logs_path: "/var/log/containers/"
              resource_type: "container"
    output.elasticsearch:
      hosts: ["elasticsearch:9200"]
    setup.kibana:
      host: "kibana:5601"

4.11 Security Configuration

RBAC configuration
# ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spring-boot-demo-sa
  namespace: demo
---
# Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: demo
  name: demo-role
rules:
- apiGroups: [""]
  resources: ["pods", "configmaps", "secrets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "update"]
---
# RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: demo-rolebinding
  namespace: demo
subjects:
- kind: ServiceAccount
  name: spring-boot-demo-sa
  namespace: demo
roleRef:
  kind: Role
  name: demo-role
  apiGroup: rbac.authorization.k8s.io
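
How the rules in demo-role are evaluated, as an added example that is not part of the original guide: a small matcher for namespaced RBAC rules, run against a constructed copy of demo-role and a narrowed variant. The function names are hypothetical, and the matching is simplified (no nonResourceURLs, subresources or aggregated roles).

```python
"""Minimal evaluator for Kubernetes RBAC Role rules (illustrative, not API server code)."""

# Constructed copy of the rules in demo-role from the manifest above.
DEMO_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "configmaps", "secrets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch", "update"]},
]

# Constructed least-privilege variant: Secret access narrowed to one named object.
NARROWED_RULES = [
    {"apiGroups": [""], "resources": ["pods", "configmaps"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"],
     "resourceNames": ["spring-boot-demo-secret"], "verbs": ["get"]},
    DEMO_ROLE_RULES[1],
]

ALL_VERBS = ["get", "list", "watch", "create", "update", "patch", "delete"]


def _matches(allowed, value):
    """A rule field matches when it lists the value or the '*' wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource, name=None):
    """Return True if a single rule permits the request."""
    if not _matches(rule.get("verbs", []), verb):
        return False
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    names = rule.get("resourceNames")
    # No resourceNames means every object of the type; otherwise the request
    # must name one of the listed objects (so an unnamed list does not match).
    if names and name not in names:
        return False
    return True


def role_allows(rules, verb, api_group, resource, name=None):
    """RBAC is additive: the request is allowed if any one rule allows it."""
    return any(rule_allows(r, verb, api_group, resource, name) for r in rules)


def secret_access(rules):
    """Verbs a rule set grants on all core-group Secrets in the namespace."""
    return [v for v in ALL_VERBS if role_allows(rules, v, "", "secrets")]


if __name__ == "__main__":
    print("demo-role on all secrets:     ", secret_access(DEMO_ROLE_RULES))
    print("narrowed role on all secrets: ", secret_access(NARROWED_RULES))
    print("narrowed role, get own secret:",
          role_allows(NARROWED_RULES, "get", "", "secrets", "spring-boot-demo-secret"))
```

With demo-role as written, spring-boot-demo-sa can read every Secret in the demo namespace, including mysql-secret; the narrowed variant limits it to its own Secret.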

NetworkPolicy configuration
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: spring-boot-demo-netpol
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: spring-boot-demo
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: ingress-nginx
    - podSelector:
        matchLabels:
          app: nginx
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: mysql
    ports:
    - protocol: TCP
      port: 3306
  - to: []
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

4.12 A Complete Production Deployment Example

kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- namespace.yaml
- configmap.yaml
- secret.yaml
- deployment.yaml
- service.yaml
- ingress.yaml
- hpa.yaml

images:
- name: spring-boot-demo
  newTag: v2.1.0

namespace: production

commonLabels:
  app: spring-boot-demo
  environment: production
  version: v2.1.0

replicas:
- name: spring-boot-demo
  count: 5

Deploying with Kustomize
# View the generated YAML
kubectl kustomize overlays/production

# Deploy to the production environment
kubectl apply -k overlays/production

# Check the deployment status
kubectl get all -n production -l app=spring-boot-demo

4.13 Troubleshooting and Debugging

Common debugging commands
# View detailed Pod information
kubectl describe pod <pod-name> -n demo

# View Pod logs
kubectl logs <pod-name> -n demo
kubectl logs <pod-name> -c <container-name> -n demo
kubectl logs -f <pod-name> -n demo  # follow in real time
kubectl logs --previous <pod-name> -n demo  # logs from the previous run

# Enter a Pod to debug
kubectl exec -it <pod-name> -n demo -- bash
kubectl exec -it <pod-name> -n demo -c <container-name> -- sh

# Debug with port forwarding
kubectl port-forward pod/<pod-name> 8080:8080 -n demo
kubectl port-forward service/spring-boot-demo-service 8080:80 -n demo

# View events
kubectl get events -n demo --sort-by=.metadata.creationTimestamp
kubectl get events --field-selector involvedObject.name=<pod-name> -n demo

# View resource usage
kubectl top nodes
kubectl top pods -n demo

# Debug DNS resolution
kubectl run test-pod --image=busybox --rm -it --restart=Never -- nslookup spring-boot-demo-service.demo.svc.cluster.local

Troubleshooting common problems

Pod fails to start
# 1. Check the Pod status
kubectl get pods -n demo

# 2. View detailed Pod information
kubectl describe pod <pod-name> -n demo

# 3. Common causes and fixes
# - ImagePullBackOff: check the image address and pull permissions
# - CrashLoopBackOff: check the application logs and the health check configuration
# - Pending: check resource limits and node scheduling conditions

Service is unreachable
# 1. Check the Service configuration
kubectl get svc -n demo
kubectl describe svc spring-boot-demo-service -n demo

# 2. Check the Endpoints
kubectl get endpoints spring-boot-demo-service -n demo

# 3. Test connectivity to the service
kubectl run test-pod --image=busybox --rm -it --restart=Never -n demo -- wget -qO- http://spring-boot-demo-service:80

4.14 Best Practices Summary

Resource management best practices
# 1. Always set resource requests and limits
resources:
  requests:
    cpu: 200m
    memory: 256Mi
  limits:
    cpu: 1000m
    memory: 1Gi

# 2. Use appropriate health checks
livenessProbe:
  httpGet:
    path: /health
    port: 8080
  initialDelaySeconds: 60
  periodSeconds: 10
readinessProbe:
  httpGet:
    path: /ready
    port: 8080
  initialDelaySeconds: 10
  periodSeconds: 5

# 3. Set a security context
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
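
A checker for the three practices above, as an added example that is not part of the original guide: it audits containers in the JSON shape returned by kubectl get deployment -o json. The function names are hypothetical, and the sample Deployments are constructed here (the first two mirror the container settings of sections 2.6 and 4.2).

```python
"""Audit Deployment containers against the three practices listed above."""

REQUIRED_SECURITY_CONTEXT = {
    "runAsNonRoot": True,
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
}


def effective_security_context(pod_spec, container):
    """Container-level settings win; runAsNonRoot may be inherited from the pod."""
    ctx = dict(container.get("securityContext", {}))
    pod_ctx = pod_spec.get("securityContext", {})
    if "runAsNonRoot" not in ctx and "runAsNonRoot" in pod_ctx:
        ctx["runAsNonRoot"] = pod_ctx["runAsNonRoot"]
    return ctx


def audit_container(pod_spec, container):
    """Return the list of findings for one container spec."""
    findings = []
    resources = container.get("resources", {})
    for kind in ("requests", "limits"):
        for res in ("cpu", "memory"):
            if res not in resources.get(kind, {}):
                findings.append(f"resources.{kind}.{res} not set")
    for probe in ("livenessProbe", "readinessProbe"):
        if probe not in container:
            findings.append(f"{probe} missing")
    ctx = effective_security_context(pod_spec, container)
    for key, wanted in REQUIRED_SECURITY_CONTEXT.items():
        if ctx.get(key) is not wanted:
            findings.append(f"securityContext.{key} should be {str(wanted).lower()}")
    return findings


def audit_deployment(deployment):
    """Map each container name to its findings."""
    pod_spec = deployment["spec"]["template"]["spec"]
    return {c["name"]: audit_container(pod_spec, c)
            for c in pod_spec.get("containers", [])}


def _deployment(container, pod_security_context=None):
    """Wrap one container in the minimal Deployment shape the audit reads."""
    pod_spec = {"containers": [container]}
    if pod_security_context:
        pod_spec["securityContext"] = pod_security_context
    return {"kind": "Deployment", "spec": {"template": {"spec": pod_spec}}}


_PROBE = {"httpGet": {"path": "/health", "port": 8080}}
_RESOURCES = {"requests": {"cpu": "200m", "memory": "256Mi"},
              "limits": {"cpu": "1000m", "memory": "1Gi"}}
_BASE = {"name": "spring-boot-demo", "resources": _RESOURCES,
         "livenessProbe": _PROBE, "readinessProbe": _PROBE}

# Constructed: resources and probes set, no securityContext (as in section 2.6).
BASIC = _deployment(dict(_BASE))

# Constructed: all three practices applied on the container (as in section 4.2).
HARDENED = _deployment(dict(_BASE, securityContext={
    "runAsNonRoot": True, "runAsUser": 1000,
    "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True}))

# Constructed: runAsNonRoot set once at pod level and inherited by the container.
INHERITED = _deployment(dict(_BASE, securityContext={
    "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True}),
    pod_security_context={"runAsNonRoot": True})

# Constructed: nothing configured beyond name and image.
BARE = _deployment({"name": "bare", "image": "nginx"})

if __name__ == "__main__":
    for label, dep in (("basic", BASIC), ("hardened", HARDENED),
                       ("inherited", INHERITED), ("bare", BARE)):
        for name, findings in audit_deployment(dep).items():
            print(f"{label}/{name}: {findings or 'ok'}")
```

To audit a live workload, load the output of kubectl get deployment spring-boot-demo -n demo -o json with json.load and pass the result to audit_deployment.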

Naming and labeling best practices
metadata:
  name: spring-boot-demo
  labels:
    app.kubernetes.io/name: spring-boot-demo
    app.kubernetes.io/instance: demo-instance
    app.kubernetes.io/version: "v2.1.0"
    app.kubernetes.io/component: backend
    app.kubernetes.io/part-of: demo-application
    app.kubernetes.io/managed-by: kustomize
    environment: production
    team: backend

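4.15 Checking What You Have Learned and Next Steps

Skills verification checklist
  • [ ] Understands the K8s declarative API philosophy
  • [ ] Can use Deployment, Service, Ingress, ConfigMap and Secret
  • [ ] Can configure HPA autoscaling
  • [ ] Understands the storage abstractions and data persistence
  • [ ] Has basic troubleshooting skills
  • [ ] Is familiar with security configuration and RBAC
Capstone project

Create a complete microservice application that includes:

  1. Frontend service (Nginx + React)
  2. Backend API service (Spring Boot)
  3. Database service (MySQL)
  4. Cache service (Redis)
  5. Configuration management (ConfigMap/Secret)
  6. Service discovery (Service/Ingress)
  7. Autoscaling (HPA)
  8. Persistent storage (PVC)
Directions for further study
  1. Service mesh: learn Istio or Linkerd
  2. Cloud-native storage: learn Rook, Longhorn
  3. Multi-cluster management: learn ArgoCD, Flux
  4. Observability: study Prometheus, Grafana and Jaeger in depth
  5. Security hardening: learn Falco, OPA Gatekeeper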
