# Setting Up Kubernetes to Orchestrate a Web Application

Kubernetes (k8s) is the standard for container orchestration. It automatically restarts failed pods, scales on load, manages configuration and secrets, and implements rolling updates and rollbacks.

## Minimal set of manifests
```yaml
# namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: myapp
---
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-web
  namespace: myapp
spec:
  replicas: 3
  selector:
    matchLabels: { app: myapp-web }
  template:
    metadata:
      labels: { app: myapp-web }
    spec:
      containers:
        - name: web
          image: registry.example.com/myapp:v1.0.0
          ports:
            - containerPort: 8080
          envFrom:
            - configMapRef: { name: myapp-config }
            - secretRef: { name: myapp-secrets }
          resources:
            requests:
              cpu: "100m"
              memory: "256Mi"
            limits:
              cpu: "500m"
              memory: "512Mi"
          readinessProbe:
            httpGet: { path: /health/ready, port: 8080 }
            initialDelaySeconds: 10
            periodSeconds: 5
          livenessProbe:
            httpGet: { path: /health/live, port: 8080 }
            initialDelaySeconds: 30
            periodSeconds: 30
      terminationGracePeriodSeconds: 60
---
# service.yaml
apiVersion: v1
kind: Service
metadata:
  name: myapp-web
  namespace: myapp
spec:
  selector: { app: myapp-web }
  ports:
    - port: 80
      targetPort: 8080
---
# ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress
  namespace: myapp
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # ingress-nginx rate limit: requests per second per client IP
    nginx.ingress.kubernetes.io/limit-rps: "100"
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [example.com]
      secretName: myapp-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp-web
                port: { number: 80 }
```
## ConfigMap and Secrets
```yaml
# config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: myapp-config
  namespace: myapp
data:
  APP_ENV: production
  APP_URL: https://example.com
  REDIS_HOST: redis-master
---
apiVersion: v1
kind: Secret
metadata:
  name: myapp-secrets
  namespace: myapp
type: Opaque
data:
  # Values are base64-encoded, not encrypted: echo -n "value" | base64
  DB_PASSWORD: c2VjcmV0cGFzcw==
  APP_KEY: YmFzZTY0Oi4uLg==
```
## Horizontal Pod Autoscaler
```yaml
# hpa.yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: myapp-hpa
  namespace: myapp
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: myapp-web
  minReplicas: 2
  maxReplicas: 20
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 80
```
## Jobs and CronJobs
```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: cleanup-old-files
  namespace: myapp
spec:
  schedule: "0 2 * * *"
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          containers:
            - name: cleanup
              image: registry.example.com/myapp:latest
              command: ["php", "artisan", "files:cleanup"]
              envFrom:
                - secretRef: { name: myapp-secrets }
```
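A policy check of the kind a CI step would run over the rendered manifests before `kubectl apply`, added here as an example and not part of the article: it flags the `:latest` tag in the CronJob above, containers without resource limits, and containers lacking `runAsNonRoot` and `allowPrivilegeEscalation: false`. It operates on the dicts that `yaml.safe_load()` would produce, so the manifest is embedded as a dict and only the standard library is needed; the finding texts and the `automountServiceAccountToken` rule are my choices, not taken from the article.

```python
from __future__ import annotations

def pod_spec(manifest: dict) -> dict | None:
    """Return the Pod spec wrapped by a Deployment or CronJob, else None."""
    if manifest.get("kind") == "Deployment":
        return manifest["spec"]["template"]["spec"]
    if manifest.get("kind") == "CronJob":
        return manifest["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return None

def image_is_pinned(image: str) -> bool:
    """True if the image is pinned by digest or by a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry/path so a registry port is not read as a tag
    tag = last.split(":", 1)[1] if ":" in last else "latest"
    return tag != "latest"

def check_workload(manifest: dict) -> list[str]:
    """Return findings for one Deployment or CronJob; an empty list means it passes."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    name = manifest["metadata"]["name"]
    pod_sc = spec.get("securityContext", {})
    findings = []
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token is auto-mounted")
    for c in spec.get("containers", []):
        cid = f"{name}/{c['name']}"
        sc = c.get("securityContext", {})
        if not image_is_pinned(c["image"]):
            findings.append(f"{cid}: mutable image tag ({c['image']})")
        if "limits" not in c.get("resources", {}):
            findings.append(f"{cid}: no resource limits")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{cid}: runAsNonRoot not set")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cid}: allowPrivilegeEscalation not disabled")
        if manifest["kind"] == "Deployment" and "readinessProbe" not in c:
            findings.append(f"{cid}: no readinessProbe")
    return findings

# Constructed input: the article's CronJob reduced to the fields the checks read.
CRONJOB = {"kind": "CronJob", "metadata": {"name": "cleanup-old-files"},
           "spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [
               {"name": "cleanup", "image": "registry.example.com/myapp:latest"}]}}}}}}
if __name__ == "__main__":
    for finding in check_workload(CRONJOB):
        print("FAIL", finding)
```

Against the page's CronJob the check reports five findings; a Service or other non-workload kind yields none.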
## Deploying with Kustomize

```yaml
# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: myapp
images:
  - name: registry.example.com/myapp
    newTag: v1.2.0
resources:
  - namespace.yaml
  - deployment.yaml
  - service.yaml
  - ingress.yaml
  - hpa.yaml
```

```bash
kubectl apply -k ./k8s/production/
# Update the image
kustomize edit set image registry.example.com/myapp:v1.3.0
kubectl apply -k .
# Status
kubectl rollout status deployment/myapp-web -n myapp
# Roll back
kubectl rollout undo deployment/myapp-web -n myapp
```
## GitHub Actions deployment

```yaml
- name: Update k8s image
  run: |
    kubectl set image deployment/myapp-web \
      web=registry.example.com/myapp:${{ github.sha }} \
      -n myapp
    kubectl rollout status deployment/myapp-web -n myapp --timeout=5m
```
## Implementation timeline

| Task | Duration |
|---|---|
| Base manifests + deployment | 3–4 days |
| Ingress + cert-manager + TLS | +1–2 days |
| HPA + resource limits | +1 day |
| Full GitOps pipeline | 7–10 days |