deploy/base
  Holds the shared base resources (Service, Deployment, HPA) with no environment-specific content.
deploy/overlays/{dev|release|prod}
  Each environment writes only its differences (patches) and overrides base through patchesStrategicMerge.
deploy/jobs-pre/base
  Holds the shared configuration for the one-off Job (the sync-script task).
deploy/jobs-pre/overlays/{dev|release|prod}
  Per-environment patches for the Job (namespace, image pull secret, environment label).
I. Application service configuration (release environment, in the order actually applied)
1) base/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - service.yaml
  - deployment.yaml
  - autoscaling.yaml
namespace: default
Key points:
- resources defines the assembly order of the base resources: Service first, then Deployment, then autoscaling.
- namespace: default is the base default; the release overlay overrides it later.
2) base/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: <app-name>
  labels:
    name: <app-name>
    app: <app-name>
    language: js
spec:
  ports:
    - port: 80
      name: http
      targetPort: 80
      protocol: TCP
      appProtocol: http
  selector:
    app: <app-name>
Key points:
- selector.app decides which Pods receive the traffic.
- port/targetPort means the Service is reached on port 80 inside the cluster and forwards to container port 80.
- appProtocol: http lets gateways and observability systems recognise the protocol.
3) base/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: <app-name>
spec:
  strategy:
    rollingUpdate:
      maxSurge: 20%
      maxUnavailable: 20%
    type: RollingUpdate
  replicas: 1
  selector:
    matchLabels:
      app: <app-name>
  template:
    metadata:
      labels:
        app: <app-name>
        service-type: assets
        language: js
    spec:
      securityContext:
        runAsUser: 0
      hostAliases:
        - ip: "<fixed-ip>"
          hostnames:
            - "<external-domain>"
      containers:
        - name: assets
          image: imageName
          readinessProbe:
            tcpSocket:
              port: 80
            initialDelaySeconds: 20
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 80
            initialDelaySeconds: 20
            periodSeconds: 10
          resources:
            requests:
              cpu: 200m
              memory: 256Mi
            limits:
              cpu: 800m
              memory: 512Mi
          ports:
            - containerPort: 80
              name: http
          volumeMounts:
            - mountPath: /data/app/platform-admin-nfs
              name: nfs
      volumes:
        - name: nfs
          persistentVolumeClaim:
            claimName: platform-admin-nfs
Key points (code level):
- rollingUpdate: a gradual rollout strategy that avoids taking every replica down at once.
- selector.matchLabels and template.labels must match, otherwise the Deployment cannot manage its Pods.
- readinessProbe and livenessProbe separately control "should this Pod receive traffic" and "should this Pod be restarted to recover".
- resources.requests/limits affect scheduling and set the resource ceiling, preventing Pods from grabbing resources without bound.
- hostAliases is a static hosts mapping inside the container, usually used to pin name resolution.
- volumeMounts + PVC mounts shared storage into the container, which suits static-asset sync scenarios.
4) base/autoscaling.yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: <app-name>-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: <app-name>
  minReplicas: 1
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
Key points:
- scaleTargetRef points at the Deployment to scale.
- averageUtilization: 70 sets a target of 70% average CPU; above that the HPA tends to scale out.
- min/maxReplicas bound the scaling range.
5) overlays/release/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
patchesStrategicMerge:
  - deployment.yaml
  - service.yaml
  - autoscaling.yaml
namespace: release
Key points:
- resources: ../../base pulls in the base templates.
- patchesStrategicMerge applies a "partial override" per resource type.
- namespace: release places the whole set of resources in the release namespace.
6) overlays/release/deployment.yaml (patch)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: <app-name>
spec:
  selector:
    matchLabels:
      env: release
  template:
    metadata:
      labels:
        env: release
    spec:
      imagePullSecrets:
        - name: <registry-secret>
      containers:
        - name: assets
          resources:
            requests:
              cpu: 200m
              memory: 256Mi
            limits:
              cpu: 800m
              memory: 512Mi
Key points:
- Adds the env: release label for environment isolation.
- imagePullSecrets names the credentials for the private image registry.
- The base resource limits can be overridden here (the current values equal the base, so they can be tuned separately later).
7) overlays/release/service.yaml (patch)
apiVersion: v1
kind: Service
metadata:
  name: <app-name>
spec:
  selector:
    env: release
Key points:
- Adds an environment dimension to the Service selector so traffic is routed only to release Pods.
- Merged with the base app selector, this gives a more precise match.
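Both the Deployment patch in 6) and the Service patch in 7) depend on patchesStrategicMerge merging maps key by key and merging named list entries (such as the assets container) by name rather than replacing the whole list. The following Python model is an added illustration, not code from the page or the project; the two dicts are hand-transcribed, reduced copies of base/deployment.yaml and overlays/release/deployment.yaml, and the merge rules are an assumption that is sufficient for the fields used on this page.

```python
import copy

def strategic_merge(base, patch):
    """Simplified patchesStrategicMerge model (assumption: sufficient for this page's fields):
    maps merge key by key, lists of objects carrying a 'name' merge by that name,
    anything else is replaced by the patch value."""
    if isinstance(base, dict) and isinstance(patch, dict):
        out = copy.deepcopy(base)
        for key, val in patch.items():
            out[key] = strategic_merge(out[key], val) if key in out else copy.deepcopy(val)
        return out
    named = lambda xs: isinstance(xs, list) and bool(xs) and all(isinstance(x, dict) and "name" in x for x in xs)
    if named(base) and named(patch):
        out = {x["name"]: copy.deepcopy(x) for x in base}
        for p in patch:  # same-named entry (e.g. container "assets"): merge; new name: append
            out[p["name"]] = strategic_merge(out[p["name"]], p) if p["name"] in out else copy.deepcopy(p)
        return list(out.values())
    return copy.deepcopy(patch)

# Constructed: base/deployment.yaml and overlays/release/deployment.yaml from the page,
# reduced to the fields the patch touches (image/ports kept to show they survive the merge).
BASE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "<app-name>"},
    "spec": {
        "selector": {"matchLabels": {"app": "<app-name>"}},
        "template": {
            "metadata": {"labels": {"app": "<app-name>", "language": "js"}},
            "spec": {"containers": [{"name": "assets", "image": "imageName",
                                     "ports": [{"containerPort": 80, "name": "http"}]}]},
        },
    },
}
RELEASE_PATCH = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "<app-name>"},
    "spec": {
        "selector": {"matchLabels": {"env": "release"}},
        "template": {
            "metadata": {"labels": {"env": "release"}},
            "spec": {"imagePullSecrets": [{"name": "<registry-secret>"}],
                     "containers": [{"name": "assets",
                                     "resources": {"limits": {"cpu": "800m", "memory": "512Mi"}}}]},
        },
    },
}

def render_release_deployment():
    """The Deployment that kustomize build overlays/release would emit under this model."""
    return strategic_merge(BASE_DEPLOYMENT, RELEASE_PATCH)
```

Newer kustomize releases deprecate patchesStrategicMerge in favour of the patches field, but the merge behaviour shown here is unchanged.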
8) overlays/release/autoscaling.yaml (patch)
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: <app-name>-hpa
spec:
  minReplicas: 1
Key points:
- Overrides the minimum replica count so baseline capacity is set per environment.
II. Pre-processing Job configuration (release environment, in the order actually applied)
1) jobs-pre/base/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - job-assets-sync.yaml
namespace: default
2) jobs-pre/base/job-assets-sync.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: <app-name>-sync
spec:
  completions: 1
  parallelism: 1
  backoffLimit: 0
  ttlSecondsAfterFinished: 1800
  template:
    metadata:
      labels:
        job-name: <app-name>-sync
    spec:
      restartPolicy: Never
      securityContext:
        runAsUser: 0
      containers:
        - name: sync
          image: imageName
          resources:
            requests:
              cpu: "100m"
              memory: "128Mi"
            limits:
              cpu: "500m"
              memory: "512Mi"
          command:
            - /bin/sh
            - -c
            - /app/script/assets-sync.sh
          volumeMounts:
            - mountPath: /data/app/platform-admin-nfs
              name: nfs
      volumes:
        - name: nfs
          persistentVolumeClaim:
            claimName: platform-admin-nfs
Key points (code level):
- completions: 1 + parallelism: 1: a single, serial run.
- backoffLimit: 0: no automatic retry on failure, so problems surface quickly.
- ttlSecondsAfterFinished: the Job's resources are reclaimed automatically after it finishes.
- command: the entrypoint script is the sync task itself.
- PVC: the Job and the application share storage, which is common when assets are pre-synced.
3) jobs-pre/overlays/release/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
patchesStrategicMerge:
  - job-assets-sync.yaml
namespace: release
4) jobs-pre/overlays/release/job-assets-sync.yaml (patch)
apiVersion: batch/v1
kind: Job
metadata:
  name: <app-name>-sync
spec:
  template:
    metadata:
      labels:
        env: release
    spec:
      imagePullSecrets:
        - name: <registry-secret>
      containers:
        - name: sync
          resources:
            requests:
              cpu: "100m"
              memory: "128Mi"
            limits:
              cpu: "500m"
              memory: "512Mi"
Key points:
- Uses env: release and the registry credentials for environment isolation, as the application does.
- The Job's resources can also be tuned independently of the application service.
III. Key mechanisms of this configuration (summary)
- base provides the "shared capability" and the overlay the "environment differences", reducing duplicated configuration.
- Consistency between the Service selector and the Pod labels is the precondition for correct traffic routing.
- HPA and resources must be configured together, otherwise scaling behaviour is distorted.
- Separating the Job from the Deployment is sound design: one is a long-running service, the other a one-off process.
- namespace + env label + imagePullSecrets together provide environment isolation and release safety.
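A way to check the routing and scaling rules in the summary on rendered output, as an added example that is not part of the original notes: the manifests below are a constructed, reduced transcription of what the release overlay renders, and the audit flags a Deployment whose selector is not covered by its template labels, a Service whose selector matches no Pod template, an HPA whose CPU Utilization target has containers without CPU requests, and a Pod spec that runs as root (runAsUser: 0, which both the Deployment and the Job above set).

```python
# Constructed, reduced transcription of what the release overlay above renders (not real kustomize output).
RELEASE_MANIFESTS = [
    {"kind": "Service", "metadata": {"name": "<app-name>", "namespace": "release"},
     "spec": {"selector": {"app": "<app-name>", "env": "release"}}},
    {"kind": "Deployment", "metadata": {"name": "<app-name>", "namespace": "release"},
     "spec": {"selector": {"matchLabels": {"app": "<app-name>", "env": "release"}},
              "template": {"metadata": {"labels": {"app": "<app-name>", "env": "release", "language": "js"}},
                           "spec": {"securityContext": {"runAsUser": 0},
                                    "containers": [{"name": "assets", "resources": {"requests": {"cpu": "200m"}}}]}}}},
    {"kind": "HorizontalPodAutoscaler", "metadata": {"name": "<app-name>-hpa", "namespace": "release"},
     "spec": {"scaleTargetRef": {"kind": "Deployment", "name": "<app-name>"},
              "metrics": [{"type": "Resource", "resource": {"name": "cpu", "target": {"type": "Utilization"}}}]}},
]

def covers(selector, labels):
    return all(labels.get(k) == v for k, v in selector.items())  # every selector pair present in labels

def audit(manifests):
    """Return human-readable findings; an empty list means all rules hold."""
    findings, deployments = [], {}
    for m in manifests:
        if m["kind"] == "Deployment":
            deployments[m["metadata"]["name"]] = m
    for name, d in deployments.items():
        tmpl = d["spec"]["template"]
        if not covers(d["spec"]["selector"]["matchLabels"], tmpl["metadata"]["labels"]):
            findings.append(f"Deployment/{name}: selector.matchLabels not covered by template labels")
        if tmpl["spec"].get("securityContext", {}).get("runAsUser") == 0:
            findings.append(f"Deployment/{name}: pod securityContext runs containers as root (runAsUser: 0)")
    for m in manifests:
        if m["kind"] == "Service":
            if not any(covers(m["spec"]["selector"], d["spec"]["template"]["metadata"]["labels"])
                       for d in deployments.values()):
                findings.append(f"Service/{m['metadata']['name']}: selector matches no Deployment pod template")
        elif m["kind"] == "HorizontalPodAutoscaler":
            ref = m["spec"]["scaleTargetRef"]
            target = deployments.get(ref["name"]) if ref["kind"] == "Deployment" else None
            if target is None:
                findings.append(f"HPA/{m['metadata']['name']}: target {ref['kind']}/{ref['name']} not found")
                continue
            uses_cpu = any(x.get("resource", {}).get("name") == "cpu" for x in m["spec"]["metrics"])
            no_request = [c["name"] for c in target["spec"]["template"]["spec"]["containers"]
                          if not c.get("resources", {}).get("requests", {}).get("cpu")]
            if uses_cpu and no_request:  # Utilization is computed against requests, so these break the HPA
                findings.append(f"HPA/{m['metadata']['name']}: cpu Utilization target but no cpu request on {no_request}")
    return findings
```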