云原生环境中的边缘计算：从K3s到生产实践

云原生环境中的边缘计算从K3s到生产实践 硬核开场各位技术大佬们今天咱们来聊聊边缘计算和云原生的那些事儿。别跟我说你还在传统数据中心玩云原生那都out了现在的云原生早已经延伸到了边缘从工厂车间到智能交通从智能家居到工业物联网边缘计算正在改变我们的技术格局。今天susu就带你们从K3s开始一步步搭建边缘计算平台从部署到运维全给你整明白 核心内容1. 边缘计算与云原生的碰撞边缘计算是什么在靠近数据产生的地方进行计算减少延迟降低带宽成本云原生为什么适合边缘容器化、编排、自动化这些云原生特性完美适配边缘环境的资源受限、分布广泛的特点边缘计算的挑战资源有限、网络不稳定、部署分散、运维复杂2. K3s为边缘而生的Kubernetes发行版K3s是Rancher推出的轻量级Kubernetes发行版专为边缘计算设计只有512MB内存就能跑起来。2.1 K3s的核心特性轻量化移除了不必要的组件二进制文件只有不到100MB低资源占用最低512MB内存就能运行自包含内置SQLite作为默认存储也支持外部数据库易于部署单二进制文件支持多种安装方式边缘优化针对ARM架构优化支持各种边缘设备2.2 部署K3s服务器# 安装K3s服务器 curl -sfL https://get.k3s.io | sh -s - server # 查看K3s状态 systemctl status k3s # 查看节点状态 kubectl get nodes # 获取节点令牌用于添加agent k3s token create --print2.3 添加边缘节点# 在边缘设备上安装K3s agent # 替换TOKEN为上面获取的令牌 # 替换SERVER_IP为K3s服务器的IP curl -sfL https://get.k3s.io | K3S_URLhttps://SERVER_IP:6443 K3S_TOKENTOKEN sh - # 查看所有节点 kubectl get nodes3. 边缘应用部署实践3.1 部署边缘应用示例apiVersion: apps/v1 kind: Deployment metadata: name: edge-app namespace: default spec: replicas: 2 selector: matchLabels: app: edge-app template: metadata: labels: app: edge-app spec: nodeSelector: kubernetes.io/hostname: edge-node-1 # 指定边缘节点 containers: - name: edge-app image: nginx:alpine ports: - containerPort: 80 resources: requests: cpu: 100m memory: 128Mi limits: cpu: 500m memory: 256Mi --- apiVersion: v1 kind: Service metadata: name: edge-app-service spec: selector: app: edge-app ports: - port: 80 targetPort: 80 type: NodePort3.2 部署边缘AI推理服务apiVersion: apps/v1 kind: Deployment metadata: name: edge-ai-inference namespace: default spec: replicas: 1 selector: matchLabels: app: edge-ai template: metadata: labels: app: edge-ai spec: nodeSelector: kubernetes.io/hostname: edge-node-2 containers: - name: edge-ai image: tensorflow/serving:2.10.0 ports: - containerPort: 8501 resources: requests: cpu: 500m memory: 1Gi limits: cpu: 2 memory: 2Gi volumeMounts: - name: model-volume mountPath: /models volumes: - name: model-volume persistentVolumeClaim: claimName: edge-model-pvc4. 边缘网络管理边缘环境的网络通常不稳定需要特殊的网络配置。4.1 配置边缘网络策略apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: edge-network-policy namespace: default spec: podSelector: matchLabels: app: edge-app ingress: - from: - podSelector: matchLabels: app: edge-proxy ports: - protocol: TCP port: 80 egress: - to: - podSelector: matchLabels: app: edge-db ports: - protocol: TCP port: 54324.2 使用MetalLB实现边缘负载均衡# 安装MetalLB kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.7/config/manifests/metallb-native.yaml # 配置IP地址池 cat EOF | kubectl apply -f - apiVersion: metallb.io/v1beta1 kind: IPAddressPool metadata: name: edge-ip-pool namespace: metallb-system spec: addresses: - 192.168.1.100-192.168.1.200 EOF # 配置L2广告 cat EOF | kubectl apply -f - apiVersion: metallb.io/v1beta1 kind: L2Advertisement metadata: name: edge-l2-advertisement namespace: metallb-system spec: ipAddressPools: - edge-ip-pool EOF5. 边缘存储管理边缘设备的存储通常有限需要合理配置存储策略。5.1 配置本地存储apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: local-storage defaultClass: false provisioner: kubernetes.io/no-provisioner volumeBindingMode: WaitForFirstConsumer --- apiVersion: v1 kind: PersistentVolume metadata: name: edge-local-pv spec: capacity: storage: 10Gi accessModes: - ReadWriteOnce persistentVolumeReclaimPolicy: Retain storageClassName: local-storage local: path: /mnt/edge-storage nodeAffinity: required: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/hostname operator: In values: - edge-node-15.2 配置存储资源请求apiVersion: v1 kind: PersistentVolumeClaim metadata: name: edge-app-pvc spec: storageClassName: local-storage accessModes: - ReadWriteOnce resources: requests: storage: 5Gi6. 边缘监控与可观测性边缘设备分布广泛监控尤为重要。6.1 部署Prometheus和Grafana# 使用Helm安装Prometheus和Grafana helm repo add prometheus-community https://prometheus-community.github.io/helm-charts helm repo update helm install prometheus prometheus-community/kube-prometheus-stack --namespace monitoring --create-namespace # 查看监控组件 kubectl get pods -n monitoring6.2 配置边缘节点监控apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: edge-node-monitor namespace: monitoring spec: selector: matchLabels: app: edge-app endpoints: - port: metrics interval: 15s7. 边缘安全管理边缘设备通常暴露在非受控环境中安全至关重要。7.1 配置Pod安全策略apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: edge-psp annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default spec: privileged: false allowPrivilegeEscalation: false requiredDropCapabilities: - ALL volumes: - configMap - emptyDir - projected - secret - downwardAPI - persistentVolumeClaim hostNetwork: false hostIPC: false hostPID: false runAsUser: rule: MustRunAsNonRoot seLinux: rule: RunAsAny supplementalGroups: rule: MustRunAs ranges: - min: 1 max: 65535 fsGroup: rule: MustRunAs ranges: - min: 1 max: 655357.2 配置网络安全策略apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: edge-security-policy namespace: default spec: podSelector: matchLabels: app: edge-app policyTypes: - Ingress - Egress ingress: - from: - ipBlock: cidr: 192.168.1.0/24 ports: - protocol: TCP port: 80 egress: - to: - ipBlock: cidr: 10.0.0.0/8 ports: - protocol: TCP port: 443️ 最佳实践资源管理为边缘应用设置合理的资源限制避免资源耗尽使用节点亲和性将应用部署到合适的边缘节点定期清理未使用的资源保持边缘节点健康网络优化配置边缘节点的网络QoS确保关键应用的网络优先级使用本地缓存减少对云中心的网络依赖实现边缘节点间的通信优化减少延迟存储策略优先使用本地存储减少网络存储的依赖实现数据分层存储热数据保存在本地冷数据同步到云中心配置存储配额避免单个应用占用过多存储资源监控与告警部署轻量级监控组件减少监控对边缘资源的消耗设置关键指标的告警及时发现边缘节点的异常实现监控数据的边缘处理只将必要的数据传输到云中心安全防护为边缘节点配置防火墙限制不必要的网络访问定期更新边缘节点的系统和容器镜像修复安全漏洞实现边缘节点的身份认证和授权管理灾备与恢复实现边缘应用的自动重启和故障转移配置关键数据的备份策略确保数据安全建立边缘节点的快速恢复机制减少故障时间 总结边缘计算与云原生的结合正在开启一个全新的技术时代。通过本文的实践你应该已经掌握了使用K3s部署轻量级Kubernetes集群到边缘设备部署和管理边缘应用包括AI推理服务配置边缘网络、存储和安全策略实现边缘监控与可观测性应用边缘计算的最佳实践记住边缘计算的核心是靠近数据产生的地方进行处理减少延迟提高效率。在实施边缘计算时要根据实际场景选择合适的技术栈和部署策略。susu碎碎念K3s虽然轻量但生产环境还是要做好资源规划边缘设备的网络环境复杂要做好网络容错设计安全是边缘计算的重中之重不要忽视安全配置监控要轻量化避免监控本身成为边缘节点的负担觉得有用点个赞再走咱们下期见