Docker镜像构建最佳实践
多阶段构建可显著减小最终镜像体积,基础镜像推荐使用Alpine或Distroless。通过分层优化减少构建时间,高频变更层放在Dockerfile下部。典型示例:
# 构建阶段
FROM golang:1.18 as builder
WORKDIR /app
COPY go.mod ./
RUN go mod download
COPY *.go ./
RUN CGO_ENABLED=0 GOOS=linux go build -o /app
# 运行阶段
FROM alpine:latest
COPY --from=builder /app /app
ENTRYPOINT ["/app"]
镜像扫描工具Trivy或Clair应在CI/CD流水线中集成,确保无CVE漏洞。镜像标签遵循语义化版本规范,禁止使用latest标签。
Kubernetes水平扩缩策略
HorizontalPodAutoscaler配置需结合自定义指标,CPU/Memory基础指标配合Prometheus Adapter采集QPS、延迟等业务指标。示例配置:
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: payment-service
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: payment
minReplicas: 2
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
- type: External
external:
metric:
name: http_requests_per_second
selector:
matchLabels:
app: payment
target:
type: AverageValue
averageValue: 500
PDB(PodDisruptionBudget)确保最小可用实例数,滚动更新策略设置maxSurge/maxUnavailable控制发布节奏。
云原生日志收集方案
Fluent Bit作为DaemonSet部署,通过轻量级处理管道转发日志到中心系统。典型架构:
App Pods -> Stdout -> Docker JSON Log -> Fluent Bit -> (Kafka/Elasticsearch/Loki)
Loki相比ELK栈节省70%存储成本,适合Kubernetes动态环境。日志标签应包含:
fluent-bit.io/parser: json
fluent-bit.io/exclude: "false"
日志采样配置示例(10%采样率):
[INPUT]
Name tail
Path /var/log/containers/*.log
Parser docker
Tag kube.*
Mem_Buf_Limit 5MB
Skip_Long_Lines On
Refresh_Interval 10
Sample 10
关键日志需设置独立输出通道,敏感信息通过Filter插件进行脱敏处理。日志保留策略建议按分级设置,生产环境核心业务日志保留30天以上。
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
