Container Orchestration Skill: container-orchestration

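This skill focuses on deploying and managing containerized applications and covers core Docker and Kubernetes practices. It provides detailed guidance on Dockerfile best practices, Docker Compose configuration, and key Kubernetes components such as Deployments, Services, and Ingress. It includes a reference of common kubectl commands, health check configuration, resource management, multi-stage builds, and other key container orchestration techniques. It suits microservice architectures, cloud-native application deployment, CI/CD pipelines, and similar scenarios. Keywords: container orchestration, Docker, Kubernetes, cloud native, microservices, deployment, operations, DevOps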

Docker/K8s. Updated 2/28/2026

name: container-orchestration
description: "Docker and Kubernetes patterns. Trigger words: Dockerfile, docker-compose, kubernetes, k8s, helm, pod, deployment, service, ingress, container, image."
compatibility: "Docker 20+, Kubernetes 1.25+, Helm 3+"
allowed-tools: "Read Write Bash"

Container Orchestration

Docker and Kubernetes patterns for containerized applications.

Dockerfile Best Practices

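# Use a specific version, not :latest
FROM python:3.11-slim AS builder

# Set the working directory
WORKDIR /app

# Copy the dependency file first (better layer caching)
COPY requirements.txt .
# Install into /install so the packages can be copied into the production stage
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

# Copy the application code
COPY src/ ./src/

# Production stage (multi-stage build)
FROM python:3.11-slim

WORKDIR /app

# Create a non-root user
RUN useradd --create-home appuser
USER appuser

# Copy the installed dependencies and the application from the build stage
COPY --from=builder /install /usr/local
COPY --from=builder /app /app

# Set environment variables
ENV PYTHONUNBUFFERED=1

# Health check (python:3.11-slim ships without curl, so use the interpreter)
HEALTHCHECK --interval=30s --timeout=3s \
  CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health', timeout=2)" || exit 1

EXPOSE 8000
CMD ["python", "-m", "uvicorn", "src.main:app", "--host", "0.0.0.0"]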

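Dockerfile Rules

Do:
- Use a specific base image version
- Use multi-stage builds
- Run as a non-root user
- Order instructions by how often they change
- Use a .dockerignore file
- Add a health check

Don't:
- Use the :latest tag
- Run as root
- Copy unnecessary files
- Store secrets in the image
- Install development dependencies in production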
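
Several of the rules above can be checked mechanically before an image is built. The following is an added example, not part of the original skill: a small Python linter whose function name `lint_dockerfile`, rule ids and sample Dockerfiles are constructed for illustration. It covers four rules (pinned base image, non-root user, health check, no secrets in ENV/ARG) and assumes secrets can be recognised by variable name alone.

```python
import re

SECRET_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY", re.I)

def lint_dockerfile(text):
    """Return the sorted rule ids that the Dockerfile text violates."""
    # Join backslash-continued lines, then drop blank lines and comments.
    lines = re.sub(r"\\[ \t]*\n", " ", text).splitlines()
    instrs = [ln.strip() for ln in lines if ln.strip() and not ln.strip().startswith("#")]
    findings, stages, user, healthcheck = set(), set(), None, False
    for line in instrs:
        op, _, arg = line.partition(" ")
        op, words = op.upper(), arg.split()
        if op == "FROM":
            user, healthcheck = None, False  # assumption: nothing inherited from the base
            image = next((w for w in words if not w.startswith("--")), "")
            is_ref = image.lower() in stages or image == "scratch" or "@sha256:" in image
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            if not is_ref and tag in ("", "latest"):
                findings.add("unpinned-base-image")
            if len(words) >= 2 and words[-2].upper() == "AS":
                stages.add(words[-1].lower())
        elif op == "USER" and words:
            user = words[0].split(":")[0]
        elif op == "HEALTHCHECK":
            healthcheck = bool(words) and words[0].upper() != "NONE"
        elif op in ("ENV", "ARG") and words:
            # "KEY=value ..." form, or the legacy "ENV KEY value" form.
            keys = [w.split("=")[0] for w in words if "=" in w] if "=" in words[0] else words[:1]
            if any(SECRET_KEY.search(k) for k in keys):
                findings.add("secret-in-image")
    # Only the final stage decides the runtime user and health check.
    if user in (None, "root", "0"):
        findings.add("runs-as-root")
    if not healthcheck:
        findings.add("no-healthcheck")
    return sorted(findings)

# Constructed inputs: BAD breaks four rules, GOOD mirrors the page's Dockerfile layout.
BAD = 'FROM python:latest\nENV API_TOKEN=constructed-value\nCOPY . .\nCMD ["python", "app.py"]\n'
GOOD = """FROM python:3.11-slim AS builder
FROM python:3.11-slim
USER appuser
HEALTHCHECK --interval=30s --timeout=3s \\
  CMD python -c "import urllib.request as u; u.urlopen('http://localhost:8000/health')"
"""

if __name__ == "__main__":
    print(lint_dockerfile(BAD), lint_dockerfile(GOOD))
```

A name-based secret check misses values passed under neutral variable names, so it complements rather than replaces scanning the built image layers.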

Docker Compose

# docker-compose.yml
version: "3.9"

services:
  app:
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - "8000:8000"
    environment:
      - DATABASE_URL=postgres://user:pass@db:5432/app
    depends_on:
      db:
        condition: service_healthy
    healthcheck:
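      # python:3.11-slim ships without curl, so probe with the interpreter
      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8000/health', timeout=5)"]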
      interval: 30s
      timeout: 10s
      retries: 3

  db:
    image: postgres:15-alpine
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: user
      POSTGRES_PASSWORD: pass
      POSTGRES_DB: app
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U user -d app"]
      interval: 10s
      timeout: 5s
      retries: 5

volumes:
  postgres_data:

Kubernetes Basics

Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  labels:
    app: myapp
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: app
        image: myapp:1.0.0
        ports:
        - containerPort: 8000
        resources:
          requests:
            memory: "128Mi"
            cpu: "100m"
          limits:
            memory: "256Mi"
            cpu: "500m"
        livenessProbe:
          httpGet:
            path: /health
            port: 8000
          initialDelaySeconds: 10
          periodSeconds: 30
        readinessProbe:
          httpGet:
            path: /ready
            port: 8000
          initialDelaySeconds: 5
          periodSeconds: 10
        env:
        - name: DATABASE_URL
          valueFrom:
            secretKeyRef:
              name: app-secrets
              key: database-url

Service

apiVersion: v1
kind: Service
metadata:
  name: app-service
spec:
  selector:
    app: myapp
  ports:
  - port: 80
    targetPort: 8000
  type: ClusterIP

Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  # No rewrite-target annotation: with path "/", ingress-nginx would rewrite every request URI to "/"
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-service
            port:
              number: 80

kubectl Quick Reference

Command                                   Description
kubectl get pods                          List Pods
kubectl logs <pod>                        View logs
kubectl exec -it <pod> -- sh              Open a shell in a Pod
kubectl apply -f manifest.yaml            Apply a configuration
kubectl rollout restart deployment/app    Restart a deployment
kubectl rollout status deployment/app     Check rollout status
kubectl describe pod <pod>                Debug a Pod
kubectl port-forward svc/app 8080:80      Forward a local port

Additional Resources

  • ./references/dockerfile-patterns.md - Advanced Dockerfile techniques
  • ./references/k8s-manifests.md - Complete Kubernetes manifest examples
  • ./references/helm-patterns.md - Helm chart structure and values configuration

Scripts

  • ./scripts/build-push.sh - Build and push Docker images

Assets

  • ./assets/Dockerfile.template - Production Dockerfile template
  • ./assets/docker-compose.template.yml - Compose starter template