Kubernetes and Weave.net on bare metal
Maxim Filatov
April 14, 2018
Talk about managing containers on bare metal hosts.
Video:
https://youtu.be/8v7vW_Eybkg?t=4314
Transcript
Kubernetes and Weave.net on bare metal
Public solutions: kubespray, kubeadm, kube-up, chef-kubernetes
Node view

Components view
What’s this all about: SSL, Etcd, Master node, Worker node, CNI
SSL

SSL: Bundles: 1 to 4 bundles per cluster

SSL: single bundle: single CA; keypairs: apiserver, kubelets, etcd clients, etcd peers

SSL: two bundles: Kubernetes CA (apiserver keypair, kubelets keypair); Etcd CA (peers keypair, clients keypair)

SSL: full paranoia: apiserver CA + keypairs; kubelets CA + keypairs; etcd peers CA + keypairs; etcd clients CA + keypairs

SSL: keypairs: keypair per host, keypair per component

SSL: CA: Validity!
Etcd: distributed reliable key-value store

Etcd: Intercommunications

Etcd: Apiserver communications

Etcd: initial args
  --initial-advertise-peer-urls=https://etcd0:2380 \
  --initial-cluster-state=new \
  --initial-cluster-token=RfDz6BPYvQWSshe8J0cEhUoAGbnm1LfgS0A77EsjCa \
  --initial-cluster=etcd0=https://etcd0:2380,etcd1=https://etcd1:2380,etcd2=https://etcd2

Etcd: add node
  on any old member:
    $ etcdctl member add name peerURL
  on the new member, start etcd changing the following opts:
    --initial-cluster-state=existing
    --initial-cluster=all-old-members,https://new-member:2380

Etcd: remove node
  on any live member:
    $ etcdctl member list
    $ etcdctl member remove ID

Etcd: fault tolerance

Tolerance table
  CLUSTER SIZE   MAJORITY   FAILURE TOLERANCE
  1              1          0
  2              2          0
  3              2          1
  4              3          1
  5              3          2

  Majority = floor(Size/2) + 1
  Tolerance = Size - Majority = Size - floor(Size/2) - 1
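The "add node" and "fault tolerance" slides together, as an added example (not the speaker's scripts): the Majority/Tolerance formulas as functions, a quorum check that is run before a membership change (adding a member raises Size, and possibly Majority, before the new member is up, which is why a dead member is removed first), and a helper that assembles the `--initial-cluster` string the new member is started with. Member lists are constructed "name=peerURL" strings of the shape you would build from `etcdctl member list`; function names and the `--name` flag are this example's own additions.

```shell
#!/bin/sh
# Added example: quorum arithmetic and join arguments for an etcd membership change.
set -eu

etcd_majority()  { echo $(( $1 / 2 + 1 )); }        # floor(Size/2) + 1
etcd_tolerance() { echo $(( $1 - $1 / 2 - 1 )); }   # Size - floor(Size/2) - 1

# etcd_has_quorum <size> <healthy>: yes if <healthy> members still form a majority.
etcd_has_quorum() {
  if [ "$2" -ge "$(etcd_majority "$1")" ]; then echo yes; else echo no; fi
}

# etcd_safe_to_add <size> <healthy>: `member add` makes the cluster Size+1 while
# the healthy count stays the same; if that loses quorum, remove the dead member first.
etcd_safe_to_add() { etcd_has_quorum $(( $1 + 1 )) "$2"; }

# etcd_join_args <new-name> <new-peer-url> "<old1=url1 old2=url2 ...>":
# the flags the NEW member is started with after `etcdctl member add` ran on an old one.
etcd_join_args() {
  new_name=$1; new_url=$2; cluster=""
  for m in $3; do cluster="${cluster:+$cluster,}$m"; done
  cluster="${cluster:+$cluster,}$new_name=$new_url"      # all old members, then the new one
  printf '%s\n' "--name=$new_name"
  printf '%s\n' "--initial-advertise-peer-urls=$new_url"
  printf '%s\n' "--initial-cluster-state=existing"
  printf '%s\n' "--initial-cluster=$cluster"
}

# etcd_join_cluster_flag: only the --initial-cluster value, for scripting and checks.
etcd_join_cluster_flag() { etcd_join_args "$@" | sed -n 's/^--initial-cluster=//p'; }

# Constructed sample: the three-member cluster from the "initial args" slide.
OLD="etcd0=https://etcd0:2380 etcd1=https://etcd1:2380 etcd2=https://etcd2:2380"
echo "3 members, 2 healthy: quorum=$(etcd_has_quorum 3 2) safe_to_add=$(etcd_safe_to_add 3 2)"
echo "3 members, 3 healthy: quorum=$(etcd_has_quorum 3 3) safe_to_add=$(etcd_safe_to_add 3 3)"
etcd_join_args etcd3 https://etcd3:2380 "$OLD"
```

The first echo is the trap: a three-member cluster with one dead member still has quorum (2 of 3), but adding a fourth member makes Majority 3 with only 2 healthy, and the cluster stalls. Remove, then add.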
Etcd: proxy mode
  $ etcd grpc-proxy start --endpoints=...
Master node

Master node: multimaster: problems: load balancing, leases

Master node: custom schedulers
  spec:
    template:
      spec:
        schedulerName: default-scheduler

Master node: addon manager: /etc/kubernetes/addons, labels, simple shell script
  metadata:
    labels:
      addonmanager.kubernetes.io/mode: Recon
      kubernetes.io/cluster-service: "true"
Worker node
CNI: Container Network Interface: Specification, Tool, Plugins

CNI: versions: Specification 0.3.1, Tool 0.6.0, Plugins 0.7.0

CNI: portmap: forward traffic from one or more ports on the host to the container; chained

CNI: configuration: /etc/cni/net.d/10-weave.conflist
  {
    "cniVersion": "0.3.1",
    "name": "weave",
    "plugins": [
      { "name": "weave", "type": "weave-net", "hairpinMode": true },
      { "type": "portmap", "capabilities": { "portMappings": true }, "snat": true }
    ]
  }
Weave: single click, kubectl exec, Kubernetes integration, Fast Datapath, Encryption, NPC, Multi-hop routing, CNI plugin

Weave: Node view

Weave: Topology

Weave: FDP

Weave: Multi-hop routing

Weave: installation
  $ kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"

Weave: be aware: always remove /etc/cni/net.d/10-weave.conf
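Why the "be aware" slide matters, as an added example (not the speaker's tooling): kubelet's CNI loader lists the config files in the net.d directory, sorts them by name and uses the first one that parses. `10-weave.conf` sorts before `10-weave.conflist`, so a leftover single-plugin `.conf` silently wins and the chained `portmap` plugin from the `CNI: configuration` slide is never loaded (hostPort stops working). The checker below reproduces that selection rule, flags a stale `.conf` shadowing a `.conflist` of the same base name, and confirms `portmap` is in the chosen chain. The directory, its files and the NET_D knob are constructed for the demo.

```shell
#!/bin/sh
# Added example: check a CNI net.d directory the way kubelet picks a network config.
set -eu

NET_D="${NET_D:-$(mktemp -d)}"   # constructed stand-in for /etc/cni/net.d

# cni_selected_config <dir>: the file kubelet would use (.conf/.conflist/.json, sorted, first wins).
cni_selected_config() {
  ls -1 "$1" 2>/dev/null | grep -E '\.(conf|conflist|json)$' | LC_ALL=C sort | head -n 1
}

# cni_stale_conf <dir>: every .conf that shadows a .conflist with the same base name.
cni_stale_conf() {
  for f in "$1"/*.conflist; do
    [ -e "$f" ] || continue
    base="${f%.conflist}"
    [ -e "$base.conf" ] && echo "$base.conf"
  done
  return 0
}

# cni_has_plugin <conflist> <type>: yes if a plugin of that type is in the chain.
cni_has_plugin() {
  if grep -Eq "\"type\"[[:space:]]*:[[:space:]]*\"$2\"" "$1"; then echo yes; else echo no; fi
}

# cni_check <dir>: OK when kubelet would load a conflist with portmap chained,
# otherwise say what it would load instead and which stale files cause it.
cni_check() {
  sel=$(cni_selected_config "$1")
  stale=$(cni_stale_conf "$1" | tr '\n' ' ')
  case "$sel" in
    *.conflist)
      if [ "$(cni_has_plugin "$1/$sel" portmap)" = yes ]; then echo "OK $sel"; else echo "BAD $sel has no portmap"; fi;;
    "") echo "BAD no CNI config in $1";;
    *)  echo "BAD kubelet would use $sel (stale: ${stale:-none})";;
  esac
}

# Constructed sample: the conflist from the slides plus a leftover single-plugin .conf.
cat > "$NET_D/10-weave.conflist" <<'EOF'
{ "cniVersion": "0.3.1", "name": "weave",
  "plugins": [
    { "name": "weave", "type": "weave-net", "hairpinMode": true },
    { "type": "portmap", "capabilities": { "portMappings": true }, "snat": true } ] }
EOF
cat > "$NET_D/10-weave.conf" <<'EOF'
{ "cniVersion": "0.3.0", "name": "weave", "type": "weave-net", "hairpinMode": true }
EOF

echo "before: $(cni_check "$NET_D")"
rm -f "$NET_D/10-weave.conf"      # the slide's advice
echo "after:  $(cni_check "$NET_D")"
```

Run it against the real directory with `NET_D=/etc/cni/net.d` on a node; a "BAD kubelet would use 10-weave.conf" line is the symptom the slide is warning about.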
Tips and tricks

Networks: host network; pod network (CNI); service network (Netfilter). Don’t forget:
  ip route add service_network dev internal_interface

Encryption config
  kind: EncryptionConfig
  apiVersion: v1
  resources:
    - resources:
        - secrets
        - configmaps
      providers:
        - aescbc:
            keys:
              - name: key1
                secret: RnVjayB0aGlzIHNoaXQhCg==
        - identity: {}

Encryption setup
  # kube-apiserver --experimental-encryption-provider-config=/etc/kubernetes/encryption-c

Actually encrypting the data
  $ kubectl get secrets --all-namespaces -o json | kubectl replace -f -
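Generating the config from the three slides above, as an added example (not the speaker's script): the `aescbc` provider takes a raw 16, 24 or 32 byte key, base64-encoded, so the key is drawn from /dev/urandom and its decoded length is validated before it is written; provider order is preserved because it is what makes the rollout work (`aescbc` first, so new writes are encrypted; `identity` last, so objects still stored in plaintext can be read until the `kubectl replace` pass rewrites them). File paths, function names and the ENCRYPTION_CFG knob are this example's own.

```shell
#!/bin/sh
# Added example: write an EncryptionConfig with a CSPRNG-generated aescbc key.
set -eu

# gen_key_b64 <bytes>: base64 of <bytes> random bytes, newline-free.
gen_key_b64() { head -c "$1" /dev/urandom | base64 | tr -d '\n'; }

# key_bytes <b64>: decoded length, so a key is checked before it reaches the apiserver.
key_bytes() { printf '%s' "$1" | base64 -d | wc -c | tr -d ' '; }

# key_valid <b64>: yes only for an AES key size (AES-128/192/256).
key_valid() {
  case "$(key_bytes "$1")" in 16|24|32) echo yes;; *) echo no;; esac
}

# write_encryption_config <path> <keyname> <b64key>: refuses a wrong-sized key.
write_encryption_config() {
  [ "$(key_valid "$3")" = yes ] || { echo "refusing: key is not 16/24/32 bytes" >&2; return 1; }
  cat > "$1" <<EOF
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
      - configmaps
    providers:
      - aescbc:
          keys:
            - name: $2
              secret: $3
      - identity: {}
EOF
  chmod 0600 "$1"   # the file is the key; keep it root-only on the master
}

# first_provider <path>: the provider kube-apiserver will encrypt new writes with.
first_provider() {
  sed -n '/providers:/,$ s/^ *- \([a-z]*\):.*/\1/p' "$1" | head -n 1
}

CFG="${ENCRYPTION_CFG:-$(mktemp)}"
KEY=$(gen_key_b64 32)
write_encryption_config "$CFG" key1 "$KEY"
echo "wrote $CFG: first provider = $(first_provider "$CFG"), key bytes = $(key_bytes "$KEY")"
# Next, as on the slides: point kube-apiserver at $CFG with its encryption
# provider config flag, restart it, then rewrite existing objects so they are
# stored encrypted:
#   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
```

Anything already in etcd stays plaintext until that `kubectl replace` pass runs, which is why the "Actually encrypting the data" slide exists; `first_provider` is the check to run before trusting a hand-edited config.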
Endpoint reconciler
  Good: # kube-apiserver --endpoint-reconciler-type=lease ...
  Bad:  # kube-apiserver --endpoint-reconciler-type=master-coun

Authentication

Authentication: WARNING: there is no authentication inside kubernetes! AT ALL!

Authentication: strategies: X509 Client Certs, Static Token File, Static Password File, OpenID Connect Tokens, Webhook Token Authentication, DEX

Bootstrap tokens
  Apiserver: --enable-bootstrap-token-auth
  Kubelet: --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig-bootstra

Upgrade: patch versions: smooth and simple; minor versions: all pods restart

Questions?