Docker 与 Kubernetes 部署实战云原生应用交付别叫我大神叫我 Alex 就好。容器化不是目的而是手段。Kubernetes 让应用部署变得标准化、自动化。一、Docker 最佳实践1.1 多阶段构建# Dockerfile - 多阶段构建示例 # 构建阶段 FROM maven:3.8-openjdk-17 AS builder WORKDIR /app COPY pom.xml . COPY src ./src RUN mvn clean package -DskipTests # 运行阶段 FROM eclipse-temurin:17-jre-alpine WORKDIR /app # 创建非 root 用户 RUN addgroup -S appgroup adduser -S appuser -G appgroup # 从构建阶段复制 jar COPY --frombuilder /app/target/*.jar app.jar # 设置权限 RUN chown -R appuser:appgroup /app USER appuser # 健康检查 HEALTHCHECK --interval30s --timeout3s --start-period60s --retries3 \ CMD wget --quiet --tries1 --spider http://localhost:8080/actuator/health || exit 1 EXPOSE 8080 # JVM 参数优化 ENV JAVA_OPTS-XX:UseContainerSupport -XX:MaxRAMPercentage75.0 -XX:InitialRAMPercentage50.0 ENTRYPOINT [sh, -c, java $JAVA_OPTS -jar app.jar]1.2 Docker Compose 配置# docker-compose.yml version: 3.8 services: app: build: context: . dockerfile: Dockerfile image: myapp:latest container_name: myapp ports: - 8080:8080 environment: - SPRING_PROFILES_ACTIVEdocker - SPRING_DATASOURCE_URLjdbc:postgresql://postgres:5432/mydb - SPRING_REDIS_HOSTredis - SPRING_KAFKA_BOOTSTRAP_SERVERSkafka:9092 depends_on: - postgres - redis - kafka networks: - app-network restart: unless-stopped deploy: resources: limits: cpus: 1.0 memory: 1G reservations: cpus: 0.5 memory: 512M postgres: image: postgres:15-alpine container_name: postgres environment: - POSTGRES_DBmydb - POSTGRES_USERappuser - POSTGRES_PASSWORDsecretpassword volumes: - postgres_data:/var/lib/postgresql/data - ./init.sql:/docker-entrypoint-initdb.d/init.sql ports: - 5432:5432 networks: - app-network healthcheck: test: [CMD-SHELL, pg_isready -U appuser -d mydb] interval: 10s timeout: 5s retries: 5 redis: image: redis:7-alpine container_name: redis command: redis-server --appendonly yes --maxmemory 256mb --maxmemory-policy allkeys-lru volumes: - redis_data:/data ports: - 6379:6379 networks: - app-network kafka: image: confluentinc/cp-kafka:7.5.0 container_name: kafka environment: KAFKA_BROKER_ID: 1 KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181 KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka:9092 KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1 depends_on: - zookeeper networks: - app-network zookeeper: image: confluentinc/cp-zookeeper:7.5.0 container_name: zookeeper environment: ZOOKEEPER_CLIENT_PORT: 2181 ZOOKEEPER_TICK_TIME: 2000 networks: - app-network volumes: postgres_data: redis_data: networks: app-network: driver: bridge二、Kubernetes 基础资源2.1 Deployment 配置# deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: myapp labels: app: myapp version: v1 spec: replicas: 3 strategy: type: RollingUpdate rollingUpdate: maxSurge: 25% maxUnavailable: 0 selector: matchLabels: app: myapp template: metadata: labels: app: myapp version: v1 spec: serviceAccountName: myapp-sa securityContext: runAsNonRoot: true runAsUser: 1000 fsGroup: 1000 containers: - name: myapp image: myregistry/myapp:v1.0.0 imagePullPolicy: Always ports: - name: http containerPort: 8080 protocol: TCP env: - name: SPRING_PROFILES_ACTIVE value: kubernetes - name: JAVA_OPTS value: -XX:UseContainerSupport -XX:MaxRAMPercentage75.0 - name: DB_PASSWORD valueFrom: secretKeyRef: name: myapp-secrets key: db-password resources: requests: memory: 512Mi cpu: 500m limits: memory: 1Gi cpu: 1000m livenessProbe: httpGet: path: /actuator/health/liveness port: 8080 initialDelaySeconds: 60 periodSeconds: 10 timeoutSeconds: 5 failureThreshold: 3 readinessProbe: httpGet: path: /actuator/health/readiness port: 8080 initialDelaySeconds: 30 periodSeconds: 5 timeoutSeconds: 3 failureThreshold: 3 volumeMounts: - name: config-volume mountPath: /app/config - name: tmp-volume mountPath: /tmp volumes: - name: config-volume configMap: name: myapp-config - name: tmp-volume emptyDir: {} affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 podAffinityTerm: labelSelector: matchExpressions: - key: app operator: In values: - myapp topologyKey: kubernetes.io/hostname2.2 Service 和 Ingress# service.yaml apiVersion: v1 kind: Service metadata: name: myapp-service labels: app: myapp spec: type: ClusterIP ports: - port: 80 targetPort: 8080 protocol: TCP name: http selector: app: myapp --- # ingress.yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: myapp-ingress annotations: nginx.ingress.kubernetes.io/ssl-redirect: true nginx.ingress.kubernetes.io/proxy-body-size: 10m nginx.ingress.kubernetes.io/rate-limit: 100 cert-manager.io/cluster-issuer: letsencrypt-prod spec: ingressClassName: nginx tls: - hosts: - api.example.com secretName: myapp-tls rules: - host: api.example.com http: paths: - path: / pathType: Prefix backend: service: name: myapp-service port: number: 80三、ConfigMap 和 Secret# configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: myapp-config data: application.yml: | server: port: 8080 spring: datasource: url: jdbc:postgresql://postgres-service:5432/mydb username: appuser hikari: maximum-pool-size: 20 minimum-idle: 5 redis: host: redis-service port: 6379 timeout: 2000ms lettuce: pool: max-active: 8 max-idle: 8 kafka: bootstrap-servers: kafka-service:9092 producer: retries: 3 acks: all logging: level: root: INFO com.example: DEBUG --- # secret.yaml apiVersion: v1 kind: Secret metadata: name: myapp-secrets type: Opaque stringData: db-password: your-secure-password jwt-secret: your-jwt-secret-key api-key: your-api-key四、HPA 和 VPA# hpa.yaml apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: myapp-hpa spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: myapp minReplicas: 3 maxReplicas: 20 metrics: - type: Resource resource: name: cpu target: type: Utilization averageUtilization: 70 - type: Resource resource: name: memory target: type: Utilization averageUtilization: 80 - type: Pods pods: metric: name: http_requests_per_second target: type: AverageValue averageValue: 1000 behavior: scaleUp: stabilizationWindowSeconds: 60 policies: - type: Percent value: 100 periodSeconds: 15 scaleDown: stabilizationWindowSeconds: 300 policies: - type: Percent value: 10 periodSeconds: 60 --- # vpa.yaml apiVersion: autoscaling.k8s.io/v1 kind: VerticalPodAutoscaler metadata: name: myapp-vpa spec: targetRef: apiVersion: apps/v1 kind: Deployment name: myapp updatePolicy: updateMode: Auto resourcePolicy: containerPolicies: - containerName: myapp minAllowed: cpu: 100m memory: 256Mi maxAllowed: cpu: 2000m memory: 2Gi controlledResources: [cpu, memory]五、持久化存储# pvc.yaml apiVersion: v1 kind: PersistentVolumeClaim metadata: name: postgres-pvc spec: accessModes: - ReadWriteOnce storageClassName: fast-ssd resources: requests: storage: 100Gi --- # statefulset.yaml apiVersion: apps/v1 kind: StatefulSet metadata: name: postgres spec: serviceName: postgres-headless replicas: 1 selector: matchLabels: app: postgres template: metadata: labels: app: postgres spec: containers: - name: postgres image: postgres:15-alpine ports: - containerPort: 5432 env: - name: POSTGRES_DB value: mydb - name: POSTGRES_USER value: appuser - name: POSTGRES_PASSWORD valueFrom: secretKeyRef: name: postgres-secrets key: password volumeMounts: - name: postgres-storage mountPath: /var/lib/postgresql/data resources: requests: memory: 1Gi cpu: 500m limits: memory: 2Gi cpu: 1000m volumeClaimTemplates: - metadata: name: postgres-storage spec: accessModes: [ReadWriteOnce] storageClassName: fast-ssd resources: requests: storage: 100Gi六、CI/CD 集成# .github/workflows/deploy.yml name: Build and Deploy on: push: branches: [main] pull_request: branches: [main] env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} jobs: build: runs-on: ubuntu-latest permissions: contents: read packages: write steps: - uses: actions/checkoutv4 - name: Set up JDK 17 uses: actions/setup-javav4 with: java-version: 17 distribution: temurin - name: Build with Maven run: ./mvnw clean package -DskipTests - name: Run tests run: ./mvnw test - name: Set up Docker Buildx uses: docker/setup-buildx-actionv3 - name: Log in to Container Registry uses: docker/login-actionv3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata id: meta uses: docker/metadata-actionv5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | typeref,eventbranch typeref,eventpr typesha,prefix{{branch}}- typeraw,valuelatest,enable{{is_default_branch}} - name: Build and push Docker image uses: docker/build-push-actionv5 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: typegha cache-to: typegha,modemax deploy: needs: build runs-on: ubuntu-latest if: github.ref refs/heads/main steps: - uses: actions/checkoutv4 - name: Configure kubectl uses: azure/setup-kubectlv3 - name: Set up Kustomize run: | curl -s https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh | bash sudo mv kustomize /usr/local/bin/ - name: Configure AWS credentials uses: aws-actions/configure-aws-credentialsv4 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: us-west-2 - name: Update kubeconfig run: aws eks update-kubeconfig --name my-cluster - name: Deploy to Kubernetes run: | cd k8s/overlays/production kustomize edit set image myapp${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${GITHUB_SHA::7} kustomize build . | kubectl apply -f - kubectl rollout status deployment/myapp七、监控与日志# servicemonitor.yaml apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: myapp-metrics labels: release: prometheus spec: selector: matchLabels: app: myapp endpoints: - port: http path: /actuator/prometheus interval: 15s --- # podmonitor.yaml apiVersion: monitoring.coreos.com/v1 kind: PodMonitor metadata: name: myapp-jvm-metrics spec: selector: matchLabels: app: myapp podMetricsEndpoints: - port: http path: /actuator/prometheus interval: 15s --- # networkpolicy.yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: myapp-network-policy spec: podSelector: matchLabels: app: myapp policyTypes: - Ingress - Egress ingress: - from: - namespaceSelector: matchLabels: name: ingress-nginx ports: - protocol: TCP port: 8080 egress: - to: - podSelector: matchLabels: app: postgres ports: - protocol: TCP port: 5432 - to: - podSelector: matchLabels: app: redis ports: - protocol: TCP port: 6379八、总结容器化和 Kubernetes 部署的核心要点镜像优化多阶段构建、最小化镜像资源配置合理的 requests 和 limits健康检查liveness 和 readiness probe弹性伸缩HPA 和 VPA 配置安全加固非 root 用户、NetworkPolicy这其实可以更优雅一点。云原生部署不仅是技术更是一种工程文化。参考资源Docker DocumentationKubernetes DocumentationKubernetes Best Practices
Docker 与 Kubernetes 部署实战:云原生应用交付
发布时间:2026/6/29 18:32:59
Docker 与 Kubernetes 部署实战云原生应用交付别叫我大神叫我 Alex 就好。容器化不是目的而是手段。Kubernetes 让应用部署变得标准化、自动化。一、Docker 最佳实践1.1 多阶段构建# Dockerfile - 多阶段构建示例 # 构建阶段 FROM maven:3.8-openjdk-17 AS builder WORKDIR /app COPY pom.xml . COPY src ./src RUN mvn clean package -DskipTests # 运行阶段 FROM eclipse-temurin:17-jre-alpine WORKDIR /app # 创建非 root 用户 RUN addgroup -S appgroup adduser -S appuser -G appgroup # 从构建阶段复制 jar COPY --frombuilder /app/target/*.jar app.jar # 设置权限 RUN chown -R appuser:appgroup /app USER appuser # 健康检查 HEALTHCHECK --interval30s --timeout3s --start-period60s --retries3 \ CMD wget --quiet --tries1 --spider http://localhost:8080/actuator/health || exit 1 EXPOSE 8080 # JVM 参数优化 ENV JAVA_OPTS-XX:UseContainerSupport -XX:MaxRAMPercentage75.0 -XX:InitialRAMPercentage50.0 ENTRYPOINT [sh, -c, java $JAVA_OPTS -jar app.jar]1.2 Docker Compose 配置# docker-compose.yml version: 3.8 services: app: build: context: . dockerfile: Dockerfile image: myapp:latest container_name: myapp ports: - 8080:8080 environment: - SPRING_PROFILES_ACTIVEdocker - SPRING_DATASOURCE_URLjdbc:postgresql://postgres:5432/mydb - SPRING_REDIS_HOSTredis - SPRING_KAFKA_BOOTSTRAP_SERVERSkafka:9092 depends_on: - postgres - redis - kafka networks: - app-network restart: unless-stopped deploy: resources: limits: cpus: 1.0 memory: 1G reservations: cpus: 0.5 memory: 512M postgres: image: postgres:15-alpine container_name: postgres environment: - POSTGRES_DBmydb - POSTGRES_USERappuser - POSTGRES_PASSWORDsecretpassword volumes: - postgres_data:/var/lib/postgresql/data - ./init.sql:/docker-entrypoint-initdb.d/init.sql ports: - 5432:5432 networks: - app-network healthcheck: test: [CMD-SHELL, pg_isready -U appuser -d mydb] interval: 10s timeout: 5s retries: 5 redis: image: redis:7-alpine container_name: redis command: redis-server --appendonly yes --maxmemory 256mb --maxmemory-policy allkeys-lru volumes: - redis_data:/data ports: - 6379:6379 networks: - app-network kafka: image: confluentinc/cp-kafka:7.5.0 container_name: kafka environment: KAFKA_BROKER_ID: 1 KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181 KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka:9092 KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1 depends_on: - zookeeper networks: - app-network zookeeper: image: confluentinc/cp-zookeeper:7.5.0 container_name: zookeeper environment: ZOOKEEPER_CLIENT_PORT: 2181 ZOOKEEPER_TICK_TIME: 2000 networks: - app-network volumes: postgres_data: redis_data: networks: app-network: driver: bridge二、Kubernetes 基础资源2.1 Deployment 配置# deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: myapp labels: app: myapp version: v1 spec: replicas: 3 strategy: type: RollingUpdate rollingUpdate: maxSurge: 25% maxUnavailable: 0 selector: matchLabels: app: myapp template: metadata: labels: app: myapp version: v1 spec: serviceAccountName: myapp-sa securityContext: runAsNonRoot: true runAsUser: 1000 fsGroup: 1000 containers: - name: myapp image: myregistry/myapp:v1.0.0 imagePullPolicy: Always ports: - name: http containerPort: 8080 protocol: TCP env: - name: SPRING_PROFILES_ACTIVE value: kubernetes - name: JAVA_OPTS value: -XX:UseContainerSupport -XX:MaxRAMPercentage75.0 - name: DB_PASSWORD valueFrom: secretKeyRef: name: myapp-secrets key: db-password resources: requests: memory: 512Mi cpu: 500m limits: memory: 1Gi cpu: 1000m livenessProbe: httpGet: path: /actuator/health/liveness port: 8080 initialDelaySeconds: 60 periodSeconds: 10 timeoutSeconds: 5 failureThreshold: 3 readinessProbe: httpGet: path: /actuator/health/readiness port: 8080 initialDelaySeconds: 30 periodSeconds: 5 timeoutSeconds: 3 failureThreshold: 3 volumeMounts: - name: config-volume mountPath: /app/config - name: tmp-volume mountPath: /tmp volumes: - name: config-volume configMap: name: myapp-config - name: tmp-volume emptyDir: {} affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - weight: 100 podAffinityTerm: labelSelector: matchExpressions: - key: app operator: In values: - myapp topologyKey: kubernetes.io/hostname2.2 Service 和 Ingress# service.yaml apiVersion: v1 kind: Service metadata: name: myapp-service labels: app: myapp spec: type: ClusterIP ports: - port: 80 targetPort: 8080 protocol: TCP name: http selector: app: myapp --- # ingress.yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: myapp-ingress annotations: nginx.ingress.kubernetes.io/ssl-redirect: true nginx.ingress.kubernetes.io/proxy-body-size: 10m nginx.ingress.kubernetes.io/rate-limit: 100 cert-manager.io/cluster-issuer: letsencrypt-prod spec: ingressClassName: nginx tls: - hosts: - api.example.com secretName: myapp-tls rules: - host: api.example.com http: paths: - path: / pathType: Prefix backend: service: name: myapp-service port: number: 80三、ConfigMap 和 Secret# configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: myapp-config data: application.yml: | server: port: 8080 spring: datasource: url: jdbc:postgresql://postgres-service:5432/mydb username: appuser hikari: maximum-pool-size: 20 minimum-idle: 5 redis: host: redis-service port: 6379 timeout: 2000ms lettuce: pool: max-active: 8 max-idle: 8 kafka: bootstrap-servers: kafka-service:9092 producer: retries: 3 acks: all logging: level: root: INFO com.example: DEBUG --- # secret.yaml apiVersion: v1 kind: Secret metadata: name: myapp-secrets type: Opaque stringData: db-password: your-secure-password jwt-secret: your-jwt-secret-key api-key: your-api-key四、HPA 和 VPA# hpa.yaml apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: myapp-hpa spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment name: myapp minReplicas: 3 maxReplicas: 20 metrics: - type: Resource resource: name: cpu target: type: Utilization averageUtilization: 70 - type: Resource resource: name: memory target: type: Utilization averageUtilization: 80 - type: Pods pods: metric: name: http_requests_per_second target: type: AverageValue averageValue: 1000 behavior: scaleUp: stabilizationWindowSeconds: 60 policies: - type: Percent value: 100 periodSeconds: 15 scaleDown: stabilizationWindowSeconds: 300 policies: - type: Percent value: 10 periodSeconds: 60 --- # vpa.yaml apiVersion: autoscaling.k8s.io/v1 kind: VerticalPodAutoscaler metadata: name: myapp-vpa spec: targetRef: apiVersion: apps/v1 kind: Deployment name: myapp updatePolicy: updateMode: Auto resourcePolicy: containerPolicies: - containerName: myapp minAllowed: cpu: 100m memory: 256Mi maxAllowed: cpu: 2000m memory: 2Gi controlledResources: [cpu, memory]五、持久化存储# pvc.yaml apiVersion: v1 kind: PersistentVolumeClaim metadata: name: postgres-pvc spec: accessModes: - ReadWriteOnce storageClassName: fast-ssd resources: requests: storage: 100Gi --- # statefulset.yaml apiVersion: apps/v1 kind: StatefulSet metadata: name: postgres spec: serviceName: postgres-headless replicas: 1 selector: matchLabels: app: postgres template: metadata: labels: app: postgres spec: containers: - name: postgres image: postgres:15-alpine ports: - containerPort: 5432 env: - name: POSTGRES_DB value: mydb - name: POSTGRES_USER value: appuser - name: POSTGRES_PASSWORD valueFrom: secretKeyRef: name: postgres-secrets key: password volumeMounts: - name: postgres-storage mountPath: /var/lib/postgresql/data resources: requests: memory: 1Gi cpu: 500m limits: memory: 2Gi cpu: 1000m volumeClaimTemplates: - metadata: name: postgres-storage spec: accessModes: [ReadWriteOnce] storageClassName: fast-ssd resources: requests: storage: 100Gi六、CI/CD 集成# .github/workflows/deploy.yml name: Build and Deploy on: push: branches: [main] pull_request: branches: [main] env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} jobs: build: runs-on: ubuntu-latest permissions: contents: read packages: write steps: - uses: actions/checkoutv4 - name: Set up JDK 17 uses: actions/setup-javav4 with: java-version: 17 distribution: temurin - name: Build with Maven run: ./mvnw clean package -DskipTests - name: Run tests run: ./mvnw test - name: Set up Docker Buildx uses: docker/setup-buildx-actionv3 - name: Log in to Container Registry uses: docker/login-actionv3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata id: meta uses: docker/metadata-actionv5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | typeref,eventbranch typeref,eventpr typesha,prefix{{branch}}- typeraw,valuelatest,enable{{is_default_branch}} - name: Build and push Docker image uses: docker/build-push-actionv5 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: typegha cache-to: typegha,modemax deploy: needs: build runs-on: ubuntu-latest if: github.ref refs/heads/main steps: - uses: actions/checkoutv4 - name: Configure kubectl uses: azure/setup-kubectlv3 - name: Set up Kustomize run: | curl -s https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh | bash sudo mv kustomize /usr/local/bin/ - name: Configure AWS credentials uses: aws-actions/configure-aws-credentialsv4 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: us-west-2 - name: Update kubeconfig run: aws eks update-kubeconfig --name my-cluster - name: Deploy to Kubernetes run: | cd k8s/overlays/production kustomize edit set image myapp${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${GITHUB_SHA::7} kustomize build . | kubectl apply -f - kubectl rollout status deployment/myapp七、监控与日志# servicemonitor.yaml apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: myapp-metrics labels: release: prometheus spec: selector: matchLabels: app: myapp endpoints: - port: http path: /actuator/prometheus interval: 15s --- # podmonitor.yaml apiVersion: monitoring.coreos.com/v1 kind: PodMonitor metadata: name: myapp-jvm-metrics spec: selector: matchLabels: app: myapp podMetricsEndpoints: - port: http path: /actuator/prometheus interval: 15s --- # networkpolicy.yaml apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: myapp-network-policy spec: podSelector: matchLabels: app: myapp policyTypes: - Ingress - Egress ingress: - from: - namespaceSelector: matchLabels: name: ingress-nginx ports: - protocol: TCP port: 8080 egress: - to: - podSelector: matchLabels: app: postgres ports: - protocol: TCP port: 5432 - to: - podSelector: matchLabels: app: redis ports: - protocol: TCP port: 6379八、总结容器化和 Kubernetes 部署的核心要点镜像优化多阶段构建、最小化镜像资源配置合理的 requests 和 limits健康检查liveness 和 readiness probe弹性伸缩HPA 和 VPA 配置安全加固非 root 用户、NetworkPolicy这其实可以更优雅一点。云原生部署不仅是技术更是一种工程文化。参考资源Docker DocumentationKubernetes DocumentationKubernetes Best Practices
相关文章
相场法模拟枝晶生长的karma模型研究:基于Matlab的实现
相场法模拟枝晶生长,karma模型,matlab咱们今天来玩点好玩的——用Matlab搞个金属凝固过程的枝晶生长模拟。相场法这玩意儿真是材料模拟界的万金油,特别是Karma模型,处理枝晶分岔那叫一个丝滑。先整点基础配置: % 基础参…
nanobot超轻量级AI助手效果实测:对话流畅,部署简单
nanobot超轻量级AI助手效果实测:对话流畅,部署简单 1. 产品概览:轻量级AI助手的革新 在AI助手领域,体积庞大、部署复杂的系统一直是主流,直到nanobot的出现打破了这一局面。这款基于Qwen3-4B-Instruct-2507模型的AI助…
金三银四AI大模型岗:程序员薪资天花板,Java后端转型大模型,月薪3W+
程序员群体悄然迎来新一轮职业决胜局——在行业深耕降本增效的核心基调下,如何突破职业瓶颈,通过技术深耕实现个人价值与薪资的双重跃升?这场关乎未来5年职业走向的硬仗,正随着春节后的金三银四招聘季全面打响。 而在DeepSeek等头…
ClaudeCode上下文压缩技术
在针对 ClaudeCode 泄露源码的技术洞察中,其针对上下文超过限制、Token 超长的处理机制非常值得学习。相比于传统“保留最近的、压缩舍弃老的”简单粗暴的做法,ClaudeCode 采用了一套极具工程韧性的多层级、渐进式上下文压缩机制。 1. 项目技术栈概览技术…
AI发展历史
https://www.bilibili.com/video/BV1E7wtzaEdq/?spm_id_from333.337.search-card.all.click&vd_source52a37eb8bc66bd0789316767444c7037 一、底层引擎:大语言模型(LLM) 核心定义与架构 LLM全称:Large Language Model(大语言模型&#x…
内核级硬件信息欺骗技术深度解析:EASY-HWID-SPOOFER架构设计与实现原理
内核级硬件信息欺骗技术深度解析:EASY-HWID-SPOOFER架构设计与实现原理 【免费下载链接】EASY-HWID-SPOOFER 基于内核模式的硬件信息欺骗工具 项目地址: https://gitcode.com/gh_mirrors/ea/EASY-HWID-SPOOFER EASY-HWID-SPOOFER是一款基于Windows内核模式的…
不要把 AI 编程当许愿池:用 Karpathy 四原则搭建可验证的编码工作流
写在前面 AI 编程工具越来越像一个“能干活的同事”:它可以读代码、改文件、跑测试、写文档,也可以把一个很小的问题一路扩展成一套复杂架构。 真正的问题不在于 AI 会不会写代码,而在于它经常会在没有充分理解上下文时,直接替你做决定:默认一种解释、隐藏不确定性、顺手…
嫌网上买手电筒的虚标、不够亮,那就自己DIY手电筒
一、准备材料与工具diy手电筒原件大体分四个:手电筒灯珠驱动板(分后来和侧开)、LED灯珠(带铝或铜板用来导热)、电池(一般用18650)、外壳。制作工具(用来焊驱动板和灯珠)&…
渗透测试实战入门:从零到精通DC-1靶场攻防全流程解析
1. 项目概述:为什么“从零到实战”是每个安全从业者的必经之路几年前,我刚从开发转行做安全,面对“渗透测试”这四个字,感觉就像面对一座没有地图的迷宫。网上资料要么是零散的“炫技”片段,要么是晦涩难懂的理论堆砌&…
Java开发者转型安全开发:从代码审计到自动化工具实践
1. 转型背景与核心驱动力最近几年,身边不少做Java后端开发的朋友,都开始或多或少地关注起安全开发这个方向。我自己也是从写了七八年Java业务代码,一步步转向了安全领域,现在主要做代码审计和自动化安全工具开发。这个转变不是一时…
【TEE从入门到精通及实战】75 TEE内Wasm沙箱的内存安全:从“段错误”到“编译时保证”
75 TEE内Wasm沙箱的内存安全:从“段错误”到“编译时保证” 开篇故事 去年夏天,我正帮一家金融科技公司优化他们的TEE内Wasm沙箱。他们的核心业务是在Intel SGX enclave里运行用户提交的Wasm合约,用于实时交易验证。 一天下午,运维突然报警:生产环境的enclave进程频繁崩…
YAML函数动态解析:打造智能接口自动化测试用例
1. 项目概述:为什么YAML测试用例需要函数动态解析?在接口自动化测试的实践中,我们常常会面临一个核心矛盾:测试用例的可维护性与灵活性。早期的测试脚本,无论是用Python的unittest还是pytest,往往将测试数据…
AI Coding 六个月真实ROI账本:产品经理的血泪教训,研发的冷静忠告
6个月前的2025年12月,Boris Cherny 公开宣布自己卸载了 IDE。一时间,Vibe Coding 成了全行业最热的话题。6个月后,当我们回过头来拉一份真实账本,发现事情远没有"一句话生成一个App"那么浪漫。本文从产品经理和研发两个…
华为OD机试2025C卷-字符统计及重排[100分]( Java _ Python3 _ C++ _ C语言 _ JsNode _ Go)实现100%通过率
📫 个人主页:深夜coding算法 📣 专栏系列:2026年华为最新OD机试题库详解 🔥 一次订阅,永久解锁 | 持续更新100篇 | 6语言全覆盖 文章目录❄️前言:☀️一:题目描述🌙 题目…
华为OD机试2025C卷-寻找相同子串[100分]( Java _ Python3 _ C++ _ C语言 _ JsNode _ Go)实现100%通过率
📫 个人主页:深夜coding算法 📣 专栏系列:2026年华为最新OD机试题库详解 🔥 一次订阅,永久解锁 | 持续更新100篇 | 6语言全覆盖 文章目录❄️前言:☀️一:题目描述🌙 题目…
Zotero Duplicates Merger:5步彻底清理文献库重复条目
Zotero Duplicates Merger:5步彻底清理文献库重复条目 【免费下载链接】ZoteroDuplicatesMerger A zotero plugin to automatically merge duplicate items 项目地址: https://gitcode.com/gh_mirrors/zo/ZoteroDuplicatesMerger 还在为文献库中堆积如山的重…
利用随机有限集理论对蜂群的ILQR和MPC控制研究附Matlab代码
✅作者简介:热爱科研的Matlab仿真开发者,擅长数据处理、建模仿真、程序设计、完整代码获取、论文复现及科研仿真。🍎 往期回顾关注个人主页:Matlab科研工作室🍊个人信条:格物致知,完整Matlab代码及仿真咨询…
为什么你的Gemini邮件CTE低于行业均值2.8倍?:从Prompt架构到发送时序的深度归因
更多请点击: https://intelliparadigm.com 第一章:为什么你的Gemini邮件CTE低于行业均值2.8倍?:从Prompt架构到发送时序的深度归因 Gemini邮件的客户转化效率(CTE)显著偏低,根本原因常被误判为…