Kubernetes and Weave.net on bare metal

Transcript

1. Kubernetes and Weave.net on Kubernetes and Weave.net on bare metal

   bare metal
2. None

3. Public solutions Public solutions kubespray kubeadm kube-up chef-kubernetes

4. Node view Node view

5. Components view Components view

6. What’s this all about What’s this all about SSL Etcd

   Master node Worker node CNI

7. SSL SSL

8. SSL: Bundles SSL: Bundles 1 to 4 bundles per cluster

9. SSL: single bundle SSL: single bundle Single CA Keypairs: apiserver

   kubelets etcd clients etcd peers

10. SSL: two bundles SSL: two bundles Kubernetes CA apiserver keypair

    kubelets keypair Etcd CA peers keypair clients keypair

11. SSL: full paranoia SSL: full paranoia apiserver CA keypairs kubelets

    CA keypairs etcd peers CA keypairs etcd clients CA keypairs

12. SSL: keypairs SSL: keypairs keypair per host keypair per component

13. SSL: CA SSL: CA Validity!

14. Etcd Etcd Distributed reliable key-value store

15. Etcd: Intercommunications Etcd: Intercommunications

16. Etcd: Apiserver communications Etcd: Apiserver communications

17. Etcd: initial args Etcd: initial args --initial-advertise-peer-urls=https://etcd0:2380 \ --initial-cluster-state=new \

    --initial-cluster-token=RfDz6BPYvQWSshe8J0cEhUoAGbnm1LfgS0A77EsjCa \ --initial-cluster=etcd0=https://etcd0:2380,etcd1=https://etcd1:2380,etcd2=https://etcd2

18. Etcd: add node Etcd: add node on any old member:

    on a new member start etcd changing following opts: $ etcdctl member add name peerURL --initial-cluster-state=existing --initial-cluster=all-old-members,https://new-member:2380

19. Etcd: remove node Etcd: remove node on any live member:

    $ etcdctl member list $ etcdctl member remove ID

20. Etcd: fault tolerance Etcd: fault tolerance

21. Tolerance table Tolerance table CLUSTER SIZE MAJORITY FAILURE TOLERANCE 1

    1 0 2 2 0 3 2 1 4 3 1 5 3 2

22. Majority = floor(Size/2) + 1 Majority = floor(Size/2) + 1

23. Tolerance = Size - Majority Tolerance = Size - Majority

24. Tolerance = Size - floor(Size/2) - 1 Tolerance = Size

    - floor(Size/2) - 1

25. Etcd: proxy mode Etcd: proxy mode $ etcd grpc-proxy start

    --endpoints=...

26. Master node Master node

27. Master node: multimaster Master node: multimaster Problems: load balancing leases

28. Master node: custom schedulers Master node: custom schedulers spec: template:

    spec: schedulerName: default-scheduler

29. Master node: addon manager Master node: addon manager /etc/kubernetes/addons labels

    simple shell script metadata: labels: addonmanager.kubernetes.io/mode: Recon kubernetes.io/cluster-service: "true"

30. Worker node Worker node

31. CNI CNI Container Network Interface Speci cation Tool Plugins

32. CNI: versions CNI: versions Speci cation: 0.3.1 Tool: 0.6.0 Plugins:

    0.7.0

33. CNI: portmap CNI: portmap forward tra c from one or

    more ports on the host to the container chained

34. CNI: con guration CNI: con guration /etc/cni/net.d/10-weave.conflist { "cniVersion": "0.3.1",

    "name": "weave", "plugins": [ { "name": "weave", "type": "weave-net", "hairpinMode": true }, { "type": "portmap", "capabilities": { "portMappings": true }, "snat": true } ] }

35. Weave Weave Single click kubectl exec Kubernetes integration Fast Datapath

    Encryption NPC Multi-hop routing CNI plugin

36. Weave: Node view Weave: Node view

37. Weave: Topology Weave: Topology

38. Weave: FDP Weave: FDP

39. Weave: Multi-hop routing Weave: Multi-hop routing

40. Weave: installation Weave: installation $ kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=\ $(kubectl

    version | base64 | tr -d '\n')"

41. Weave: be aware Weave: be aware Always remove /etc/cni/net.d/10-weave.conf

42. Tips and tricks Tips and tricks

43. Networks Networks Host network Pod network (CNI) Service network (Net

    lter) Don’t forget ip route add service_network dev internal_interface

44. Encryption con g Encryption con g kind: EncryptionConfig apiVersion: v1

    resources: - resources: - secrets - configmaps providers: - aescbc: keys: - name: key1 secret: RnVjayB0aGlzIHNoaXQhCg== - identity: {}

45. Encryption setup Encryption setup # kube-apiserver --experimental-encryption-provider-config=/etc/kubernetes/encryption-c

46. Actually encrypting the data Actually encrypting the data $ kubectl

    get secrets --all-namespaces -o json | kubectl replace -f -

47. Endpoint reconciler Endpoint reconciler Good Bad # kube-apiserver --endpoint-reconciler-type=lease ...

    # kube-apiserver --endpoint-reconciler-type=master-coun

48. Authentication Authentication

49. Authentication: WARNING Authentication: WARNING There is no authentication inside kubernetes!

    AT ALL!

50. Authentication: strategies Authentication: strategies X509 Client Certs Static Token File

    Static Password File OpenID Connect Tokens Webhook Token Authentication DEX

51. Bootstrap tokens Bootstrap tokens Apiserver: Kubelet: --enable-bootstrap-token-auth --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig-bootstra

52. Upgrade Upgrade Patch versions: smooth and simple Minor versions: all

    pods restart

53. Questions? Questions?