# Kubernetes and GitOps Best Practices
## 1. Introduction

No fluff here, folks. GitOps is a major trend in modern Kubernetes operations, so today we go straight to the hard stuff: how to implement a GitOps workflow in Kubernetes.

## 2. GitOps Core Concepts

| Concept | Description | Advantage |
|---|---|---|
| Declarative configuration | All configuration is defined declaratively | Strong consistency |
| Version control | Configuration is stored in a Git repository | Traceability |
| Automatic sync | Configuration is applied to the cluster automatically | Less manual intervention |
| Rollback | Roll back based on Git history | Safe and reliable |

## 3. Hands-on Configuration

### 1. Installing Argo CD

```bash
# Install Argo CD
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

# Access the Argo CD UI
kubectl port-forward -n argocd svc/argocd-server 8080:443
# Open https://localhost:8080

# Get the initial admin password
kubectl get secret argocd-initial-admin-secret -n argocd -o jsonpath='{.data.password}' | base64 -d
```

### 2. Application Configuration

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/susu/k8s-manifests.git
    targetRevision: HEAD
    path: app
  destination:
    server: https://kubernetes.default.svc
    namespace: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - Validate=false
      - CreateNamespace=true
```

### 3. Multi-Environment Configuration

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app-dev
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/susu/k8s-manifests.git
    targetRevision: dev
    path: app/overlays/dev
  destination:
    server: https://kubernetes.default.svc
    namespace: dev
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app-prod
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/susu/k8s-manifests.git
    targetRevision: main
    path: app/overlays/prod
  destination:
    server: https://kubernetes.default.svc
    namespace: prod
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
```
### 4. Kustomize Configuration

```yaml
# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
patches:
  - path: patch.yaml
```

```yaml
# patch.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  replicas: 3
  template:
    spec:
      containers:
        - name: app
          resources:
            requests:
              cpu: 200m
              memory: 256Mi
            limits:
              cpu: 500m
              memory: 512Mi
```

## 4. GitOps Optimization

### 1. CI/CD Integration

```yaml
# .github/workflows/gitops.yml
name: GitOps Pipeline
on:
  push:
    branches: [ main, dev ]
  pull_request:
    branches: [ main, dev ]
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install kubectl
        run: |
          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
          chmod +x kubectl
          sudo mv kubectl /usr/local/bin/
      - name: Validate manifests
        run: kubectl apply --dry-run=server -f app/
  deploy:
    needs: validate
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    steps:
      - uses: actions/checkout@v3
      - name: Sync with Argo CD
        run: |
          # Run the port-forward in the background so the following commands can execute
          kubectl port-forward -n argocd svc/argocd-server 8080:443 &
          sleep 5
          argocd login localhost:8080 --username admin --password ${{ secrets.ARGOCD_PASSWORD }} --insecure
          argocd app sync app-${{ github.ref_name }}
```

### 2. Monitoring and Alerting

```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: argocd-metrics
  namespace: monitoring
spec:
  # The Argo CD services live in the argocd namespace, not in monitoring
  namespaceSelector:
    matchNames:
      - argocd
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-server
  endpoints:
    - port: metrics
      interval: 15s
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: argocd-alerts
  namespace: monitoring
spec:
  groups:
    - name: argocd
      rules:
        - alert: ArgoCDSyncFailed
          expr: argocd_app_sync_status{status="Failed"} == 1
          for: 5m
          labels:
            severity: critical
          annotations:
            summary: Argo CD sync failed
            description: "Application {{ $labels.app }} sync failed"
        - alert: ArgoCDSyncOutOfSync
          expr: argocd_app_sync_status{status="OutOfSync"} == 1
          for: 10m
          labels:
            severity: warning
          annotations:
            summary: Argo CD application out of sync
            description: "Application {{ $labels.app }} is out of sync"
```
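The Application manifests in section 3 and the `validate` job above both need a check that goes beyond "is this valid YAML": whether the manifest is safe to auto-sync at all. The script below is an added example, not code from the original post or from the Argo CD project. It is written for the CI `validate` step and flags settings that appear in the post's own manifests: a floating `targetRevision: HEAD`, the `Validate=false` sync option, and a production application left in the unrestricted built-in `default` project. The manifests are embedded as constructed Python dicts so the script runs offline (in CI you would load the files with `yaml.safe_load_all`); `PROD_NAMESPACES` is an assumption about which destinations count as production.

```python
"""Policy check for Argo CD Application manifests (added example, not from the post)."""
from __future__ import annotations

PROD_NAMESPACES = {"prod"}  # assumption: destination namespaces treated as production

# Constructed samples mirroring the post's "app", "app-dev" and "app-prod" manifests.
APP = {
    "apiVersion": "argoproj.io/v1alpha1", "kind": "Application",
    "metadata": {"name": "app", "namespace": "argocd"},
    "spec": {
        "project": "default",
        "source": {"repoURL": "https://github.com/susu/k8s-manifests.git",
                   "targetRevision": "HEAD", "path": "app"},
        "destination": {"server": "https://kubernetes.default.svc", "namespace": "default"},
        "syncPolicy": {"automated": {"prune": True, "selfHeal": True},
                       "syncOptions": ["Validate=false", "CreateNamespace=true"]},
    },
}
APP_DEV = {
    "apiVersion": "argoproj.io/v1alpha1", "kind": "Application",
    "metadata": {"name": "app-dev", "namespace": "argocd"},
    "spec": {
        "project": "default",
        "source": {"repoURL": "https://github.com/susu/k8s-manifests.git",
                   "targetRevision": "dev", "path": "app/overlays/dev"},
        "destination": {"server": "https://kubernetes.default.svc", "namespace": "dev"},
        "syncPolicy": {"automated": {"prune": True, "selfHeal": True}},
    },
}
APP_PROD = {
    "apiVersion": "argoproj.io/v1alpha1", "kind": "Application",
    "metadata": {"name": "app-prod", "namespace": "argocd"},
    "spec": {
        "project": "default",
        "source": {"repoURL": "https://github.com/susu/k8s-manifests.git",
                   "targetRevision": "main", "path": "app/overlays/prod"},
        "destination": {"server": "https://kubernetes.default.svc", "namespace": "prod"},
        "syncPolicy": {"automated": {"prune": True, "selfHeal": True}},
    },
}


def lint_application(app: dict) -> list[str]:
    """Return findings for one Argo CD Application; an empty list means it passes."""
    if app.get("kind") != "Application":
        return []
    name = app["metadata"]["name"]
    spec = app.get("spec") or {}
    source = spec.get("source") or {}
    dest = spec.get("destination") or {}
    options = (spec.get("syncPolicy") or {}).get("syncOptions") or []
    findings = []

    # HEAD (also the default when the field is omitted) tracks whatever the remote
    # default branch points at, so there is no pinned reference to audit or roll back to.
    if source.get("targetRevision", "HEAD") == "HEAD":
        findings.append(f"{name}: targetRevision is HEAD; pin a branch or tag")

    # Validate=false skips schema validation during sync, so malformed resources
    # are sent to the API server instead of failing early in the pipeline.
    if "Validate=false" in options:
        findings.append(f"{name}: syncOption Validate=false disables manifest validation")

    # The built-in "default" project permits any source repo and any destination;
    # production applications belong in a restricted AppProject.
    if dest.get("namespace") in PROD_NAMESPACES and spec.get("project", "default") == "default":
        findings.append(f"{name}: production app is in the unrestricted 'default' project")
    return findings


def ci_exit_code(apps: list[dict]) -> int:
    """Exit status for the CI step: 1 if any manifest has findings, otherwise 0."""
    failed = False
    for app in apps:
        for finding in lint_application(app):
            print(f"FAIL {finding}")
            failed = True
    return 1 if failed else 0


if __name__ == "__main__":
    raise SystemExit(ci_exit_code([APP, APP_DEV, APP_PROD]))
```

Run as a step before `kubectl apply --dry-run=server`: a non-zero exit blocks the `deploy` job, so a manifest that disables validation or points production at a moving revision never reaches `argocd app sync`.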
### 3. Security Configuration

```yaml
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: production
  namespace: argocd
spec:
  description: Production applications
  sourceRepos:
    - https://github.com/susu/k8s-manifests.git
  destinations:
    - namespace: prod
      server: https://kubernetes.default.svc
  # Cluster-scoped kinds the project may manage (core API group is "")
  clusterResourceWhitelist:
    - group: ""
      kind: Namespace
  # Namespaced kinds the project may manage
  namespaceResourceWhitelist:
    - group: apps
      kind: Deployment
    - group: apps
      kind: StatefulSet
    - group: ""
      kind: Service
  roles:
    - name: developer
      description: Developer role
      policies:
        - p, proj:production:developer, applications, sync, production/*, allow
        - p, proj:production:developer, applications, get, production/*, allow
      groups:
        - developers
```

## 5. FAQ

### 1. Sync failures

Solution:

- Check the Git repository configuration
- Verify cluster permissions
- Check the Argo CD logs

### 2. Configuration conflicts

Solution:

- Resolve the Git conflicts
- Check the configuration syntax
- Verify the dependencies

### 3. Permission problems

Solution:

- Configure the correct RBAC permissions
- Check the Argo CD service account
- Verify access permissions to the Git repository

## 6. Best Practices Summary

- Version control: store all configuration in a Git repository
- Declarative configuration: define all resources in YAML
- Automatic sync: configure Argo CD auto-sync
- Multi-environment management: manage multi-environment configuration with Kustomize
- Monitoring and alerting: monitor Argo CD sync status
- Security management: apply the principle of least privilege

## 7. Conclusion

GitOps is a major trend in modern Kubernetes operations. Follow the best practices in this article and you can build an efficient, reliable GitOps workflow. Boom.
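The `developer` role in the AppProject of section 4.3 is only as tight as the way its policy lines are evaluated. The evaluator below is an added example, not code from the original post or from the Argo CD project: it models the decision rule of Argo CD's RBAC engine (Casbin with glob matching) as I understand it: a request is allowed only if at least one matching line says `allow` and no matching line says `deny`, and the role's `groups` field becomes a `g` binding from the SSO group to the project role. The two `p` lines are copied from the post's AppProject; the `g` line and `DENY_EXAMPLE` are constructed for this example, and `PROD_NAMESPACES`-style assumptions do not apply here.

```python
"""Evaluator for Argo CD AppProject role policies (added example, not from the post)."""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase

POLICY = [
    # From the post's AppProject "production", role "developer":
    "p, proj:production:developer, applications, sync, production/*, allow",
    "p, proj:production:developer, applications, get, production/*, allow",
    # What the role's "groups: [developers]" field expands to (constructed):
    "g, developers, proj:production:developer",
]
# Constructed extra line showing that an explicit deny overrides a matching allow.
DENY_EXAMPLE = "p, proj:production:developer, applications, sync, production/app-payments, deny"


@dataclass(frozen=True)
class Rule:
    subject: str
    resource: str
    action: str
    obj: str
    effect: str


def parse_policy(lines: list[str]) -> tuple[list[Rule], dict[str, set[str]]]:
    """Split CSV policy lines into 'p' rules and 'g' subject-to-role bindings."""
    rules: list[Rule] = []
    bindings: dict[str, set[str]] = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # allow trailing comments
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if parts[0] == "p" and len(parts) == 6:
            if parts[5] not in ("allow", "deny"):
                raise ValueError(f"bad effect in policy line: {raw}")
            rules.append(Rule(*parts[1:]))
        elif parts[0] == "g" and len(parts) == 3:
            bindings.setdefault(parts[1], set()).add(parts[2])
        else:
            raise ValueError(f"malformed policy line: {raw}")
    return rules, bindings


def subjects_for(subject: str, bindings: dict[str, set[str]]) -> set[str]:
    """The request subject plus every role reachable through 'g' bindings."""
    seen, stack = {subject}, [subject]
    while stack:
        for role in bindings.get(stack.pop(), ()):
            if role not in seen:
                seen.add(role)
                stack.append(role)
    return seen


def enforce(lines: list[str], subject: str, resource: str, action: str, obj: str) -> bool:
    """Default deny: allowed only if some allow line matches and no deny line matches."""
    rules, bindings = parse_policy(lines)
    subjects = subjects_for(subject, bindings)
    allowed = denied = False
    for r in rules:
        if (r.subject in subjects
                and fnmatchcase(resource, r.resource)
                and fnmatchcase(action, r.action)
                and fnmatchcase(obj, r.obj)):  # objects are "<project>/<app>"
            if r.effect == "allow":
                allowed = True
            else:
                denied = True
    return allowed and not denied


if __name__ == "__main__":
    for subject, action, obj in [("developers", "sync", "production/app-prod"),
                                 ("developers", "delete", "production/app-prod"),
                                 ("developers", "sync", "default/app")]:
        print(subject, action, obj, "->", enforce(POLICY, subject, action, action and "applications", obj))
```

The point worth seeing in the output is what the role does *not* grant: `delete` on a production app and `sync` on anything outside `production/` are refused because no line matches, not because a deny line exists. That default-deny behaviour is what makes the whitelist-style `policies` list in the AppProject a least-privilege control.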