|
| 1 | +--- |
| 2 | +content_type: "reference" |
| 3 | +title: kubelet 所使用的本地文件和路径 |
| 4 | +weight: 42 |
| 5 | +--- |
| 6 | +<!-- |
| 7 | +content_type: "reference" |
| 8 | +title: Local Files And Paths Used By The Kubelet |
| 9 | +weight: 42 |
| 10 | +--> |
| 11 | + |
| 12 | +<!-- |
| 13 | +The {{< glossary_tooltip text="kubelet" term_id="kubelet" >}} is mostly a stateless |
| 14 | +process running on a Kubernetes {{< glossary_tooltip text="node" term_id="node" >}}. |
| 15 | +This document outlines files that kubelet reads and writes. |
| 16 | +--> |
| 17 | +{{< glossary_tooltip text="kubelet" term_id="kubelet" >}} 是一个运行在 Kubernetes |
| 18 | +{{< glossary_tooltip text="节点" term_id="node" >}}上的无状态进程。本文简要介绍了 kubelet 读写的文件。 |
| 19 | + |
| 20 | +{{< note >}} |
| 21 | + |
| 22 | +<!-- |
| 23 | +This document is for informational purpose and not describing any guaranteed behaviors or APIs. |
| 24 | +It lists resources used by the kubelet, which is an implementation detail and a subject to change at any release. |
| 25 | +--> |
| 26 | +本文仅供参考,而非描述保证会发生的行为或 API。 |
| 27 | +本文档列举 kubelet 所使用的资源。所给的信息属于实现细节,可能会在后续版本中发生变更。 |
| 28 | + |
| 29 | +{{< /note >}} |
| 30 | + |
| 31 | +<!-- |
| 32 | +The kubelet typically uses the {{< glossary_tooltip text="control plane" term_id="control-plane" >}} as |
| 33 | +the source of truth on what needs to run on the Node, and the |
| 34 | +{{<glossary_tooltip text="container runtime" term_id="container-runtime">}} to retrieve |
| 35 | +the current state of containers. So long as you provide a _kubeconfig_ (API client configuration) |
| 36 | +to the kubelet, the kubelet does connect to your control plane; otherwise the node operates in |
| 37 | +_standalone mode_. |
| 38 | +--> |
| 39 | +kubelet 通常使用{{< glossary_tooltip text="控制面" term_id="control-plane" >}}作为需要在 Node |
| 40 | +上运行的事物的真实来源,并使用{{< glossary_tooltip text="容器运行时" term_id="container-runtime" >}}获取容器的当前状态。 |
| 41 | +只要你向 kubelet 提供 **kubeconfig**(API 客户端配置),kubelet 就会连接到你的控制面; |
| 42 | +否则,节点将以**独立(Standalone)**模式运行。 |
| 43 | + |
| 44 | +<!-- |
| 45 | +On Linux nodes, the kubelet also relies on reading cgroups and various system files to collect metrics. |
| 46 | +
|
| 47 | +On Windows nodes, the kubelet collects metrics via a different mechanism that does not rely on |
| 48 | +paths. |
| 49 | +
|
| 50 | +There are also a few other files that are used by the kubelet as well as kubelet communicates using local Unix-domain sockets. Some are sockets that the |
| 51 | +kubelet listens on, and for other sockets the kubelet discovers them and then connects |
| 52 | +as a client. |
| 53 | +--> |
| 54 | +在 Linux 节点上,kubelet 还需要读取 cgroups 和各种系统文件来收集指标。 |
| 55 | + |
| 56 | +在 Windows 节点上,kubelet 不依赖于路径,而是通过其他机制来收集指标。 |
| 57 | + |
| 58 | +kubelet 所使用的还有其他文件,包括其使用本地 Unix 域套接字进行通信的文件。 |
| 59 | +有些文件是 kubelet 要监听的套接字,而其他套接字则是 kubelet 先发现后作为客户端连接的。 |
| 60 | + |
| 61 | +{{< note >}} |
| 62 | + |
| 63 | +<!-- |
| 64 | +This page lists paths as Linux paths, which map to the Windows paths by adding a root disk |
| 65 | +`C:\` in place of `/` (unless specified otherwise). For example, `/var/lib/kubelet/device-plugins` maps to `C:\var\lib\kubelet\device-plugins`. |
| 66 | +--> |
| 67 | +本页列举的路径为 Linux 路径,若要映射到 Windows,你可以添加根磁盘 `C:\` 替换 `/`(除非另行指定)。 |
| 68 | +例如,`/var/lib/kubelet/device-plugins` 映射到 `C:\var\lib\kubelet\device-plugins`。 |
| 69 | + |
| 70 | +{{< /note >}} |
| 71 | + |
| 72 | +<!-- |
| 73 | +## Configuration |
| 74 | +
|
| 75 | +### Kubelet configuration files |
| 76 | +
|
| 77 | +The path to the kubelet configuration file can be configured |
| 78 | +using the command line argument `--config`. The kubelet also supports |
| 79 | +[drop-in configuration files](/docs/tasks/administer-cluster/kubelet-config-file/#kubelet-conf-d) |
| 80 | +to enhance configuration. |
| 81 | +--> |
| 82 | +## 配置 {#configuration} |
| 83 | + |
| 84 | +### kubelet 配置文件 {#kubelet-configuration-files} |
| 85 | + |
| 86 | +你可以使用命令行参数 `--config` 指定 kubelet 配置文件的路径。kubelet |
| 87 | +还支持[插件(Drop-in)配置文件](/zh-cn/docs/tasks/administer-cluster/kubelet-config-file/#kubelet-conf-d)来增强配置。 |
| 88 | + |
| 89 | +<!-- |
| 90 | +### Certificates |
| 91 | +
|
| 92 | +Certificates and private keys are typically located at `/var/lib/kubelet/pki`, |
| 93 | +but can be configured using the `--cert-dir` kubelet command line argument. |
| 94 | +Names of certificate files are also configurable. |
| 95 | +--> |
| 96 | +### 证书 {#certificates} |
| 97 | + |
| 98 | +证书和私钥通常位于 `/var/lib/kubelet/pki`,但你可以使用 `--cert-dir` kubelet 命令行参数进行配置。 |
| 99 | +证书文件的名称也是可以配置的。 |
| 100 | + |
| 101 | +<!-- |
| 102 | +### Manifests |
| 103 | +
|
| 104 | +Manifests for static pods are typically located in `/etc/kubernetes/manifests`. |
| 105 | +Location can be configured using the `staticPodPath` kubelet configuration option. |
| 106 | +--> |
| 107 | +### 清单 {#manifests} |
| 108 | + |
| 109 | +静态 Pod 的清单通常位于 `/etc/kubernetes/manifests`。 |
| 110 | +你可以使用 `staticPodPath` kubelet 配置选项进行配置。 |
| 111 | + |
| 112 | +<!-- |
| 113 | +### Systemd unit settings |
| 114 | +
|
| 115 | +When kubelet is running as a systemd unit, some kubelet configuration may be declared |
| 116 | +in systemd unit settings file. Typically it includes: |
| 117 | +
|
| 118 | +- command line arguments to [run kubelet](/docs/reference/command-line-tools-reference/kubelet/) |
| 119 | +- environment variables, used by kubelet or [configuring golang runtime](https://pkg.go.dev/runtime#hdr-Environment_Variables) |
| 120 | +--> |
| 121 | +### Systemd 单元设置 {#systemd-unit-settings} |
| 122 | + |
| 123 | +当 kubelet 作为 systemd 单元运行时,一些 kubelet 配置可以在 systemd 单元设置文件中声明。 |
| 124 | +这些配置通常包括: |
| 125 | + |
| 126 | +- [运行 kubelet 的命令行参数](/zh-cn/docs/reference/command-line-tools-reference/kubelet/) |
| 127 | +- kubelet 所使用的环境变量或[配置 Golang 运行时](https://pkg.go.dev/runtime#hdr-Environment_Variables) |
| 128 | + |
| 129 | +<!-- |
| 130 | +## State |
| 131 | +
|
| 132 | +### Checkpoint files for resource managers {#resource-managers-state} |
| 133 | +
|
| 134 | +All resource managers keep the mapping of Pods to allocated resources in state files. |
| 135 | +State files are located in the kubelet's base directory, also termed the _root directory_ |
| 136 | +(but not the same as `/`, the node root directory). You can configure the base directory |
| 137 | +for the kubelet |
| 138 | +using the kubelet command line argument `--root-dir`. |
| 139 | +--> |
| 140 | +## 状态 {#state} |
| 141 | + |
| 142 | +### 资源管理器的检查点文件 {#resource-managers-state} |
| 143 | + |
| 144 | +所有资源管理器将 Pod 与已分配资源之间的映射保存在状态文件中。 |
| 145 | +状态文件位于 kubelet 的基础目录,也称为**根目录**(但与节点根目录 `/` 不同)之下。 |
| 146 | +你可以使用 kubelet 命令行参数 `--root-dir` 来配置 kubelet 的基础目录。 |
| 147 | + |
| 148 | +<!-- |
| 149 | +Names of files: |
| 150 | +
|
| 151 | +- `memory_manager_state` for the [Memory Manager](/docs/tasks/administer-cluster/memory-manager/) |
| 152 | +- `cpu_manager_state` for the [CPU Manager](/docs/tasks/administer-cluster/cpu-management-policies/) |
| 153 | +- `dra_manager_state` for [DRA](/docs/concepts/scheduling-eviction/dynamic-resource-allocation/) |
| 154 | +--> |
| 155 | +文件名称: |
| 156 | + |
| 157 | +- `memory_manager_state` 对应[内存管理器](/zh-cn/docs/tasks/administer-cluster/memory-manager/) |
| 158 | +- `cpu_manager_state` 对应 [CPU 管理器](/zh-cn/docs/tasks/administer-cluster/cpu-management-policies/) |
| 159 | +- `dra_manager_state` 对应 [DRA](/zh-cn/docs/concepts/scheduling-eviction/dynamic-resource-allocation/) |
| 160 | + |
| 161 | +<!-- |
| 162 | +### Checkpoint file for device manager {#device-manager-state} |
| 163 | +
|
| 164 | +Device manager creates checkpoints in the same directory with socket files: `/var/lib/kubelet/device-plugins/`. |
| 165 | +The name of a checkpoint file is `kubelet_internal_checkpoint` for [Device Manager](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#device-plugin-integration-with-the-topology-manager) |
| 166 | +
|
| 167 | +### Pod status checkpoint storage {#pod-status-manager-state} |
| 168 | +--> |
| 169 | +### 设备管理器的检查点文件 {#device-manager-state} |
| 170 | + |
| 171 | +设备管理器在与套接字文件相同的目录(`/var/lib/kubelet/device-plugins/`)中创建检查点。 |
| 172 | +对于[设备管理器](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#device-plugin-integration-with-the-topology-manager), |
| 173 | +检查点文件的名称为 `kubelet_internal_checkpoint`。 |
| 174 | + |
| 175 | +### Pod 状态检查点存储 {#pod-status-manager-state} |
| 176 | + |
| 177 | +{{< feature-state feature_gate_name="InPlacePodVerticalScaling" >}} |
| 178 | + |
| 179 | +<!-- |
| 180 | +If your cluster has |
| 181 | +[in-place Pod vertical scaling](/docs/concepts/workloads/autoscaling/#in-place-resizing) |
| 182 | +enabled ([feature gate](/docs/reference/command-line-tools-reference/feature-gates/) |
| 183 | +name `InPlacePodVerticalScaling`), then the kubelet stores a local record of Pod status. |
| 184 | +
|
| 185 | +The file name is `pod_status_manager_state` within the kubelet base directory |
| 186 | +(`/var/lib/kubelet` by default on Linux; configurable using `--root-dir`). |
| 187 | +--> |
| 188 | +如果你的集群启用了[就地 Pod 垂直扩缩容](/zh-cn/docs/concepts/workloads/autoscaling/#in-place-resizing) |
| 189 | +([特性门控](/zh-cn/docs/reference/command-line-tools-reference/feature-gates/)名称为 `InPlacePodVerticalScaling`), |
| 190 | +则 kubelet 会在本地存储 Pod 状态。 |
| 191 | + |
| 192 | +文件名为 `pod_status_manager_state`,位于 kubelet 基础目录内 |
| 193 | +(在 Linux 上默认为 `/var/lib/kubelet`;你可以使用 `--root-dir` 进行配置)。 |
| 194 | + |
| 195 | +<!-- |
| 196 | +### Container runtime |
| 197 | +
|
| 198 | +Kubelet communicates with the container runtime using socket configured via the |
| 199 | +configuration parameters: |
| 200 | +
|
| 201 | +- `containerRuntimeEndpoint` for runtime operations |
| 202 | +- `imageServiceEndpoint` for image management operations |
| 203 | +
|
| 204 | +The actual values of those endpoints depend on the container runtime being used. |
| 205 | +--> |
| 206 | +### 容器运行时 {#container-runtime} |
| 207 | + |
| 208 | +kubelet 使用通过配置参数所配置的套接字与容器运行时进行通信: |
| 209 | + |
| 210 | +- `containerRuntimeEndpoint` 用于运行时操作 |
| 211 | +- `imageServiceEndpoint` 用于镜像管理操作 |
| 212 | + |
| 213 | +这些端点的实际值取决于所使用的容器运行时。 |
| 214 | + |
| 215 | +<!-- |
| 216 | +### Device plugins |
| 217 | +
|
| 218 | +The kubelet exposes a socket at the path `/var/lib/kubelet/device-plugins/kubelet.sock` for |
| 219 | +various [Device Plugins to register](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#device-plugin-implementation). |
| 220 | +
|
| 221 | +When a device plugin registers itself, it provides its socket path for the kubelet to connect. |
| 222 | +
|
| 223 | +The device plugin socket should be in the directory `device-plugins` within the kubelet base |
| 224 | +directory. On a typical Linux node, this means `/var/lib/kubelet/device-plugins`. |
| 225 | +--> |
| 226 | +### 设备插件 {#device-plugins} |
| 227 | + |
| 228 | +kubelet 在路径 `/var/lib/kubelet/device-plugins/kubelet.sock` |
| 229 | +为各个[要注册的设备插件](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#device-plugin-implementation)公开一个套接字。 |
| 230 | + |
| 231 | +当设备插件注册自己时,它会为提供其套接字路径供 kubelet 连接使用。 |
| 232 | + |
| 233 | +设备插件套接字应位于 kubelet 基础目录中的 `device-plugins` 目录内。 |
| 234 | +在典型的 Linux 节点上,这意味着 `/var/lib/kubelet/device-plugins`。 |
| 235 | + |
| 236 | +<!-- |
| 237 | +### Pod resources API |
| 238 | +
|
| 239 | +[Pod Resources API](/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#monitoring-device-plugin-resources) |
| 240 | +will be exposed at the path `/var/lib/kubelet/pod-resources`. |
| 241 | +--> |
| 242 | +### Pod Resources API |
| 243 | + |
| 244 | +[Pod Resources API](/zh-cn/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/#monitoring-device-plugin-resources) |
| 245 | +将在路径 `/var/lib/kubelet/pod-resources` 上被公开。 |
| 246 | + |
| 247 | +<!-- |
| 248 | +### DRA, CSI, and Device plugins |
| 249 | +
|
| 250 | +The kubelet looks for socket files created by device plugins managed via [DRA](/docs/concepts/scheduling-eviction/dynamic-resource-allocation/), |
| 251 | +device manager, or storage plugins, and then attempts to connect |
| 252 | +to these sockets. The directory that the kubelet looks in is `plugins_registry` within the kubelet base |
| 253 | +directory, so on a typical Linux node this means `/var/lib/kubelet/plugins_registry`. |
| 254 | +--> |
| 255 | +### DRA、CSI 和设备插件 {#dra-csi-and-device-plugins} |
| 256 | + |
| 257 | +kubelet 会查找通过 [DRA](/zh-cn/docs/concepts/scheduling-eviction/dynamic-resource-allocation/) |
| 258 | +设备管理器或存储插件所管理的设备插件所创建的套接字文件,然后尝试连接到这些套接字。 |
| 259 | +kubelet 查找的目录是 kubelet 基础目录下的 `plugins_registry`, |
| 260 | +因此在典型的 Linux 节点上这意味着 `/var/lib/kubelet/plugins_registry`。 |
| 261 | + |
| 262 | +<!-- |
| 263 | +Note, for the device plugins there are two alternative registration mechanisms. Only one should be used for a given plugin. |
| 264 | +
|
| 265 | +The types of plugins that can place socket files into that directory are: |
| 266 | +
|
| 267 | +- CSI plugins |
| 268 | +- DRA plugins |
| 269 | +- Device Manager plugins |
| 270 | +
|
| 271 | +(typically `/var/lib/kubelet/plugins_registry`). |
| 272 | +--> |
| 273 | +请注意,对于设备插件,有两种备选的注册机制。每个给定的插件只能使用其中一种注册机制。 |
| 274 | + |
| 275 | +可以将套接字文件放入该目录的插件类型包括: |
| 276 | + |
| 277 | +- CSI 插件 |
| 278 | +- DRA 插件 |
| 279 | +- 设备管理器插件 |
| 280 | + |
| 281 | +(通常是 `/var/lib/kubelet/plugins_registry`)。 |
| 282 | + |
| 283 | +<!-- |
| 284 | +## Security profiles & configuration |
| 285 | +
|
| 286 | +### Seccomp |
| 287 | +
|
| 288 | +Seccomp profile files referenced from Pods should be placed in `/var/lib/kubelet/seccomp`. |
| 289 | +See the [seccomp reference](/docs/reference/node/seccomp/) for details. |
| 290 | +--> |
| 291 | +## 安全配置文件和配置 {#security-profiles-configuration} |
| 292 | + |
| 293 | +### Seccomp |
| 294 | + |
| 295 | +被 Pod 引用的 Seccomp 配置文件应放置在 `/var/lib/kubelet/seccomp`。 |
| 296 | +有关细节请参见 [Seccomp 参考](/zh-cn/docs/reference/node/seccomp/)。 |
| 297 | + |
| 298 | +<!-- |
| 299 | +### AppArmor |
| 300 | +
|
| 301 | +The kubelet does not load or refer to AppArmor profiles by a Kubernetes-specific path. |
| 302 | +AppArmor profiles are loaded via the node operating system rather then referenced by their path. |
| 303 | +
|
| 304 | +## Locking |
| 305 | +--> |
| 306 | +### AppArmor |
| 307 | + |
| 308 | +kubelet 不会通过特定于 Kubernetes 的路径加载或引用 AppArmor 配置文件。 |
| 309 | +AppArmor 配置文件通过节点操作系统被加载,而不是通过其路径被引用。 |
| 310 | + |
| 311 | +## 加锁 {#locking} |
| 312 | + |
| 313 | +{{< feature-state state="alpha" for_k8s_version="v1.2" >}} |
| 314 | + |
| 315 | +<!-- |
| 316 | +A lock file for the kubelet; typically `/var/run/kubelet.lock`. The kubelet uses this to ensure |
| 317 | +that two different kubelets don't try to run in conflict with each other. |
| 318 | +You can configure the path to the lock file using the the `--lock-file` kubelet command line argument. |
| 319 | +
|
| 320 | +If two kubelets on the same node use a different value for the lock file path, they will not be able to |
| 321 | +detect a conflict when both are running. |
| 322 | +--> |
| 323 | +kubelet 的锁文件;通常为 `/var/run/kubelet.lock`。 |
| 324 | +kubelet 使用此文件确保尝试运行两个不同的、彼此冲突的 kubelet。 |
| 325 | +你可以使用 `--lock-file` kubelet 命令行参数来配置这个锁文件的路径。 |
| 326 | + |
| 327 | +如果同一节点上的两个 kubelet 使用不同的锁文件路径值,则这两个 kubelet 在同时运行时将不会检测到冲突。 |
| 328 | + |
| 329 | +## {{% heading "whatsnext" %}} |
| 330 | + |
| 331 | +<!-- |
| 332 | +- Learn about the kubelet [command line arguments](/docs/reference/command-line-tools-reference/kubelet/). |
| 333 | +- Review the [Kubelet Configuration (v1beta1) reference](/docs/reference/config-api/kubelet-config.v1beta1/) |
| 334 | +--> |
| 335 | +- 了解 kubelet [命令行参数](/zh-cn/docs/reference/command-line-tools-reference/kubelet/)。 |
| 336 | +- 查阅 [kubelet 配置 (v1beta1) 参考文档](/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/) |
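Review bot: In the 加锁 section (line 324 of the new file) the translation drops the negation and inverts the meaning. `kubelet 使用此文件确保尝试运行两个不同的、彼此冲突的 kubelet` says the lock file ensures that two conflicting kubelets try to run, while the English source in the comment above says it ensures that two kubelets "don't try to run in conflict with each other". Suggest something like `kubelet 使用此文件确保不会有两个不同的 kubelet 以彼此冲突的方式运行`. Smaller points in the same file: line 231 has a stray 为 in `它会为提供其套接字路径`; line 18 renders "mostly a stateless process" as 无状态进程 and loses "mostly"; lines 257-258 need a 、 between the DRA link and 设备管理器, since the source lists DRA, device manager, or storage plugins as separate items; the `### Pod Resources API` heading at line 242 has no explicit `{#...}` anchor, unlike the other translated headings; and the final list item at line 336 is missing its closing 。.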