Kubernetes Core Concepts Interview Questions
Kubernetes core concepts are the foundation of container orchestration and cover cluster architecture, the core objects, resource management and other key topics.
🔥 Basic Concept Questions
1. Kubernetes architecture in depth
Question: Explain the Kubernetes cluster architecture in detail. What does each component do, and how do the components interact?
Reference answer:
```yaml
# How the API represents a master (control-plane) node
apiVersion: v1
kind: Node
metadata:
  name: master-node
  labels:
    # Legacy role label; kubeadm clusters from v1.24 on set only
    # node-role.kubernetes.io/control-plane
    node-role.kubernetes.io/master: ""
```
Master node components:
- API Server: the cluster's front-end interface; every REST request goes through it
- etcd: distributed key-value store that holds the cluster state and configuration
- Controller Manager: runs the controller processes that keep the cluster in its desired state
- Scheduler: places Pods on suitable nodes according to their resource requirements
Worker node components:
- Kubelet: node agent that manages the Pod lifecycle
- Kube-proxy: network proxy that maintains the network rules behind Services and service discovery
- Container Runtime: the container runtime (Docker, containerd, CRI-O)
2. Pod lifecycle and management
Question: Explain the phases of a Pod's lifecycle and how Pod health checks are performed.
Reference answer:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: web-app
  labels:
    app: web
spec:
  containers:
  - name: web-container
    image: nginx:1.21
    ports:
    - containerPort: 80
    # Liveness probe: the container is restarted after 3 consecutive failures.
    # Keep /health cheap and independent of downstream services, otherwise an
    # outage elsewhere turns into a restart loop here.
    livenessProbe:
      httpGet:
        path: /health
        port: 80
      initialDelaySeconds: 30
      periodSeconds: 10
      timeoutSeconds: 5
      failureThreshold: 3
    # Readiness probe: while it fails the Pod is removed from Service endpoints
    # but not restarted
    readinessProbe:
      httpGet:
        path: /ready
        port: 80
      initialDelaySeconds: 5
      periodSeconds: 5
      timeoutSeconds: 3
      successThreshold: 1
    # Startup probe: disables the other two probes until it succeeds and gives
    # a slow-starting container up to 30 attempts 10 s apart (about 300 s)
    startupProbe:
      httpGet:
        path: /startup
        port: 80
      initialDelaySeconds: 10
      periodSeconds: 10
      failureThreshold: 30
    # Resource requests and limits
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
  # Pod-level field, not part of the container
  restartPolicy: Always
```
Pod lifecycle phases:
- Pending: being scheduled or pulling images
- Running: at least one container is running
- Succeeded: all containers terminated successfully
- Failed: all containers terminated and at least one of them failed
- Unknown: the Pod's state cannot be obtained
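A simulation of the kubelet's bookkeeping for the three probes above, added here as an example (not code from the original page). It models each probe as one attempt at initialDelaySeconds and then one every periodSeconds, ignoring the kubelet's jitter; a timed-out attempt counts as a failure.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Probe:
    """Timing fields of a Pod probe; a timeout (timeoutSeconds) counts as a failed attempt."""
    initial_delay: int          # initialDelaySeconds
    period: int                 # periodSeconds
    failure_threshold: int      # failureThreshold (defaults to 3 when omitted)
    success_threshold: int = 1  # successThreshold (must stay 1 for liveness/startup)

def simulate_probe(probe: Probe, outcomes: List[bool],
                   horizon: int) -> Tuple[Optional[int], Optional[int]]:
    """Replay probe attempts at initialDelay, then every period (jitter ignored).
    outcomes[i] is the i-th attempt (True = HTTP 2xx/3xx); the last entry repeats.
    Returns (success_at, failure_at): when successThreshold consecutive successes
    were first reached, and when failureThreshold consecutive failures were reached,
    which is where the simulation stops: for a liveness/startup probe the kubelet
    restarts the container, for a readiness probe the Pod is dropped from Service
    endpoints. None means it did not happen before the horizon."""
    ok = fail = 0
    success_at = None
    t, attempt = probe.initial_delay, 0
    while t <= horizon:
        outcome = outcomes[min(attempt, len(outcomes) - 1)]
        attempt += 1
        if outcome:
            ok, fail = ok + 1, 0
            if ok >= probe.success_threshold and success_at is None:
                success_at = t
        else:
            ok, fail = 0, fail + 1
            if fail >= probe.failure_threshold:
                return success_at, t
        t += probe.period
    return success_at, None

# Probe settings taken from the web-app Pod above
LIVENESS = Probe(initial_delay=30, period=10, failure_threshold=3)
READINESS = Probe(initial_delay=5, period=5, failure_threshold=3)  # failureThreshold omitted -> 3
STARTUP = Probe(initial_delay=10, period=10, failure_threshold=30)

def last_startup_chance(p: Probe) -> int:
    """Time of the final startupProbe attempt before the kubelet restarts the
    container: initialDelay + period * (failureThreshold - 1). Liveness and
    readiness probes are not run until the startup probe has succeeded."""
    return p.initial_delay + p.period * (p.failure_threshold - 1)
```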
3. Service and service discovery
Question: How does Kubernetes implement service discovery and load balancing? Which scenarios suit each Service type?
Reference answer:
```yaml
# ClusterIP Service (in-cluster access only)
apiVersion: v1
kind: Service
metadata:
  name: web-service
spec:
  selector:
    app: web
  ports:
  - port: 80
    # targetPort must be the port the container actually listens on
    # (the web-app Pod in question 2 declares containerPort 80, not 8080)
    targetPort: 8080
  type: ClusterIP
---
# NodePort Service (external access through every node's IP)
apiVersion: v1
kind: Service
metadata:
  name: web-nodeport
spec:
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
    nodePort: 30080   # allocatable range is 30000-32767 by default
  type: NodePort
---
# LoadBalancer Service (cloud environments)
apiVersion: v1
kind: Service
metadata:
  name: web-loadbalancer
spec:
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
  type: LoadBalancer
---
# Headless Service (DNS returns the Pod IPs directly)
apiVersion: v1
kind: Service
metadata:
  name: web-headless
spec:
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
  clusterIP: None
```
Service type comparison:
- ClusterIP: in-cluster access; the default type
- NodePort: external access through a port opened on every node
- LoadBalancer: external load balancer in cloud environments
- ExternalName: DNS alias mapping
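An added example (not code from the original page) that reproduces how endpoints are selected for the Services above and what cluster DNS answers for a normal versus a headless Service. The Pod list, readiness states and the virtual IP are constructed sample data.

```python
from typing import Any, Dict, List, Tuple
# Constructed sample cluster state (not from a live cluster): two Pods labelled
# app=web, one of them failing its readiness probe, plus an unrelated Pod.
# "ports" lists the containerPort values each Pod declares.
PODS = [
    {"name": "web-1", "ip": "10.244.1.5", "labels": {"app": "web"}, "ready": True, "ports": [8080]},
    {"name": "web-2", "ip": "10.244.2.7", "labels": {"app": "web"}, "ready": False, "ports": [8080]},
    {"name": "db-1", "ip": "10.244.1.9", "labels": {"app": "db"}, "ready": True, "ports": [3306]},
]
# The web-service and web-headless specs from the answer above, as dicts
WEB_SERVICE = {"spec": {"type": "ClusterIP", "selector": {"app": "web"},
                        "ports": [{"port": 80, "targetPort": 8080}]}}
WEB_HEADLESS = {"spec": {"clusterIP": "None", "selector": {"app": "web"},
                         "ports": [{"port": 80, "targetPort": 8080}]}}

def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """Equality-based selector: every key must be present with exactly that value."""
    return all(labels.get(k) == v for k, v in selector.items())

def endpoints(svc: Dict[str, Any],
              pods: List[Dict[str, Any]]) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Reproduce endpoint selection: Pods matching the selector and Ready become
    (podIP, targetPort) endpoints; a Pod failing readiness is left out. Warnings
    cover mistakes the API server accepts but that still break traffic."""
    spec = svc["spec"]
    port_spec = spec["ports"][0]
    target = port_spec["targetPort"]          # numeric targetPort assumed here
    eps, warns = [], []
    for pod in pods:
        if not selector_matches(spec.get("selector", {}), pod["labels"]):
            continue
        if target not in pod["ports"]:
            warns.append(f"{pod['name']} declares no containerPort {target}: expect connection refused")
        if pod["ready"]:
            eps.append((pod["ip"], target))
    if not eps:
        warns.append("no ready endpoints: connections to the Service will fail")
    node_port = port_spec.get("nodePort")
    if node_port is not None and not 30000 <= node_port <= 32767:
        warns.append(f"nodePort {node_port} is outside the default range 30000-32767")
    return eps, warns

def dns_answer(svc: Dict[str, Any], pods: List[Dict[str, Any]],
               cluster_ip: str = "10.96.0.10") -> List[str]:
    """What cluster DNS returns for the Service name: the virtual IP (assumed to be
    cluster_ip) for a normal Service, or the ready Pod IPs for a headless one."""
    if svc["spec"].get("clusterIP") == "None":
        return sorted({ip for ip, _ in endpoints(svc, pods)[0]})
    return [cluster_ip]
```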
4. Deployment and rolling updates
Question: How do you use a Deployment to perform rolling updates and rollbacks?
Reference answer:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-deployment
  labels:
    app: web
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # with 3 replicas: at most 4 Pods exist and at least 2 stay available
      # while the rollout runs
      maxSurge: 1
      maxUnavailable: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: nginx:1.21
        ports:
        - containerPort: 80
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"
---
# Horizontal Pod autoscaling
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: web-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: web-deployment
  minReplicas: 3
  maxReplicas: 10
  # with several metrics the HPA uses the largest replica count any of them proposes
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: 80
```
Rolling-update commands:
```bash
# Update the image
kubectl set image deployment/web-deployment web=nginx:1.22
# Watch the rollout
kubectl rollout status deployment/web-deployment
# Show the revision history
kubectl rollout history deployment/web-deployment
# Roll back to the previous revision
kubectl rollout undo deployment/web-deployment
# Roll back to a specific revision
kubectl rollout undo deployment/web-deployment --to-revision=2
```
💡 Advanced Concept Questions
5. Storage management and persistence
Question: Explain the relationship and roles of PV, PVC and StorageClass in Kubernetes.
Reference answer:
```yaml
# StorageClass definition
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: fast-ssd
# in-tree provisioner; on current clusters it is served by the ebs.csi.aws.com CSI driver
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp3
  iops: "3000"
  encrypted: "true"
reclaimPolicy: Delete
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
---
# Statically provisioned PersistentVolume
apiVersion: v1
kind: PersistentVolume
metadata:
  name: mysql-pv
spec:
  capacity:
    storage: 20Gi
  accessModes:
  - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: fast-ssd
  # hostPath ties the data to one node and exposes that node's filesystem;
  # suitable for single-node demos only
  hostPath:
    path: /data/mysql
---
# PersistentVolumeClaim: the storage request
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql-pvc
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
  storageClassName: fast-ssd
---
# Using the storage in a Pod
apiVersion: v1
kind: Pod
metadata:
  name: mysql-pod
spec:
  containers:
  - name: mysql
    image: mysql:8.0
    env:
    - name: MYSQL_ROOT_PASSWORD
      # plaintext for illustration only; in practice reference a Secret with
      # valueFrom.secretKeyRef (see question 6)
      value: "password123"
    volumeMounts:
    - name: mysql-storage
      mountPath: /var/lib/mysql
  volumes:
  - name: mysql-storage
    persistentVolumeClaim:
      claimName: mysql-pvc
```
6. Configuration and secret management
Question: What are the use cases and best practices for ConfigMaps and Secrets?
Reference answer:
```yaml
# ConfigMap: non-sensitive configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  app.properties: |
    database.host=mysql
    database.port=3306
    database.name=myapp
    cache.enabled=true
    log.level=INFO
  nginx.conf: |
    server {
      listen 80;
      location / {
        proxy_pass http://backend:8080;
      }
    }
---
# Secret: sensitive values
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
type: Opaque
# base64 is an encoding, not encryption: anyone allowed to read the Secret can
# decode it, so restrict access with RBAC and enable etcd encryption at rest
data:
  database-username: bXl1c2Vy # myuser (base64)
  database-password: cGFzc3dvcmQxMjM= # password123 (base64)
stringData:
  api-key: "your-api-key-here" # plain string, encoded by the API server
---
# Consuming the configuration in a Pod
apiVersion: v1
kind: Pod
metadata:
  name: app-pod
spec:
  containers:
  - name: app
    image: myapp:latest
    # As environment variables (every key of the referenced object)
    envFrom:
    - configMapRef:
        name: app-config
    - secretRef:
        name: app-secrets
    # A single environment variable
    env:
    - name: DATABASE_USER
      valueFrom:
        secretKeyRef:
          name: app-secrets
          key: database-username
    # Mounted as files
    volumeMounts:
    - name: config-volume
      mountPath: /etc/app
    - name: secret-volume
      mountPath: /etc/secrets
      readOnly: true
  volumes:
  - name: config-volume
    configMap:
      name: app-config
  - name: secret-volume
    secret:
      secretName: app-secrets
      # octal: owner read-only; read-only files are preferable to environment
      # variables, which leak into child processes and crash dumps
      defaultMode: 0400
```
🚀 Practical Scenario Questions
7. Ingress and external access
Question: How do you use Ingress to manage external HTTP/HTTPS traffic? How are SSL termination and routing rules configured?
Reference answer:
```yaml
# Ingress controller deployment (NGINX)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-ingress
  template:
    metadata:
      labels:
        app: nginx-ingress   # must match spec.selector or the API server rejects the Deployment
    spec:
      containers:
      - name: nginx-ingress
        # k8s.gcr.io is frozen; current releases are published under registry.k8s.io
        image: k8s.gcr.io/ingress-nginx/controller:v1.0.0
---
# TLS certificate Secret
apiVersion: v1
kind: Secret
metadata:
  name: tls-secret
type: kubernetes.io/tls
data:
  tls.crt: LS0tLS1... # base64 encoded certificate
  tls.key: LS0tLS1... # base64 encoded private key
---
# Ingress resource
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    # Rewrites every matched path to "/", so api-service receives "/" instead of
    # "/api/v1/..."; drop it (or use a capture group) if the backend expects the prefix
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Per-client-IP limit in requests per second; ingress-nginx has no
    # "rate-limit" annotation, limit-rps is the real one
    nginx.ingress.kubernetes.io/limit-rps: "100"
    # cert-manager issues the certificate into the Secret named under spec.tls and
    # overwrites it; the hand-made tls-secret above is only needed without cert-manager
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - api.example.com
    - web.example.com
    secretName: tls-secret
  rules:
  - host: web.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
  - host: api.example.com
    http:
      paths:
      - path: /api/v1
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
      - path: /api/v2
        pathType: Prefix
        backend:
          service:
            name: api-v2-service
            port:
              number: 8080
```
8. Namespaces and resource isolation
Question: How do you use Namespaces to isolate resources between environments? How is a ResourceQuota configured?
Reference answer:
```yaml
# Create the namespace
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    environment: production
    team: backend
---
# Resource quota
apiVersion: v1
kind: ResourceQuota
metadata:
  name: production-quota
  namespace: production
spec:
  # Once requests.*/limits.* are quota'd, every new Pod must set them or is
  # rejected; the LimitRange below supplies defaults so that does not block Pods
  hard:
    pods: "10"
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    persistentvolumeclaims: "5"
    services: "10"
    secrets: "10"
    configmaps: "20"
---
# Limit range
apiVersion: v1
kind: LimitRange
metadata:
  name: production-limits
  namespace: production
spec:
  limits:
  - type: Container
    default:            # applied as limits when a container sets none
      cpu: "500m"
      memory: "512Mi"
    defaultRequest:     # applied as requests when a container sets none
      cpu: "100m"
      memory: "128Mi"
    max:
      cpu: "2"
      memory: "4Gi"
    min:
      cpu: "50m"
      memory: "64Mi"
  - type: PersistentVolumeClaim
    max:
      storage: "50Gi"
    min:
      storage: "1Gi"
```
These interview questions cover the core concepts of Kubernetes and practical application scenarios, helping candidates demonstrate their container orchestration skills and hands-on experience in full.
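An added worked example for question 8 (not code from the original page): LimitRange defaulting followed by ResourceQuota accounting, using the production-limits and production-quota values above. Quantities are parsed exactly, so the comparisons behave like the API server's rather than floating point.

```python
import re
from fractions import Fraction
from typing import Any, Dict, List, Tuple
_SUFFIX = {"": Fraction(1), "m": Fraction(1, 1000), "k": Fraction(10**3), "M": Fraction(10**6),
           "G": Fraction(10**9), "Ki": Fraction(2**10), "Mi": Fraction(2**20), "Gi": Fraction(2**30)}

def quantity(s: Any) -> Fraction:
    """Parse a Kubernetes quantity ('500m', '512Mi', '4Gi', '2') exactly: cpu in cores, memory in bytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(m|k|M|G|Ki|Mi|Gi)?", str(s))
    if not m:
        raise ValueError(f"bad quantity {s!r}")
    return Fraction(m.group(1)) * _SUFFIX[m.group(2) or ""]

# The Container entry of production-limits and the hard limits of production-quota, as dicts
LIMIT_RANGE = {"default": {"cpu": "500m", "memory": "512Mi"},
               "defaultRequest": {"cpu": "100m", "memory": "128Mi"},
               "max": {"cpu": "2", "memory": "4Gi"}, "min": {"cpu": "50m", "memory": "64Mi"}}
QUOTA_HARD = {"pods": "10", "requests.cpu": "4", "requests.memory": "8Gi",
              "limits.cpu": "8", "limits.memory": "16Gi"}

def apply_limit_range(container: Dict[str, Any], lr=LIMIT_RANGE) -> Dict[str, Dict[str, str]]:
    """LimitRange admission for one container: a missing limit gets 'default'; a missing
    request gets the container's own limit if it set one, else 'defaultRequest'; then
    min <= request <= limit <= max is enforced. Raises ValueError where the API server
    would reject the Pod (e.g. a limit above max, or a request above the defaulted limit)."""
    given = container.get("resources", {})
    req, lim = dict(given.get("requests", {})), dict(given.get("limits", {}))
    for r in ("cpu", "memory"):
        if r not in req:
            req[r] = lim[r] if r in lim else lr["defaultRequest"][r]
        lim.setdefault(r, lr["default"][r])
        if not quantity(lr["min"][r]) <= quantity(req[r]) <= quantity(lim[r]) <= quantity(lr["max"][r]):
            raise ValueError(f"{r}: request {req[r]} / limit {lim[r]} violates the LimitRange")
    return {"requests": req, "limits": lim}

def quota_admits(used: Dict[str, Any], containers: List[Dict[str, Any]],
                 hard=QUOTA_HARD) -> Tuple[bool, Dict[str, Fraction]]:
    """ResourceQuota admission for a new Pod: LimitRange defaults are applied first, so
    containers with no 'resources' block still consume quota. Returns (admitted, usage)."""
    usage = {k: Fraction(v) for k, v in used.items()}
    usage["pods"] = usage.get("pods", 0) + 1
    for c in containers:
        eff = apply_limit_range(c)
        for kind in ("requests", "limits"):
            for r in ("cpu", "memory"):
                usage[f"{kind}.{r}"] = usage.get(f"{kind}.{r}", 0) + quantity(eff[kind][r])
    admitted = all(usage.get(k, 0) <= quantity(v) for k, v in hard.items())
    return admitted, usage
```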
