Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Kubernetes and Weave.net on bare metal
Search
Maxim Filatov
April 14, 2018
Technology
1
460
Kubernetes and Weave.net on bare metal
Talk about managing containers on bare metal hosts.
Video:
https://youtu.be/8v7vW_Eybkg?t=4314
Maxim Filatov
April 14, 2018
Tweet
Share
More Decks by Maxim Filatov
See All by Maxim Filatov
Kubernetes on bare metal: SSL
bregor
1
460
Using external services inside Kubernetes
bregor
0
86
Other Decks in Technology
See All in Technology
サーバーレスアーキテクチャと生成AIの融合 / Serverless Meets Generative AI
_kensh
12
3.1k
白金鉱業Meetup Vol.17_あるデータサイエンティストのデータマネジメントとの向き合い方
brainpadpr
4
300
目の前の仕事と向き合うことで成長できる - 仕事とスキルを広げる / Every little bit counts
soudai
24
6.6k
株式会社EventHub・エンジニア採用資料
eventhub
0
4.2k
個人開発から公式機能へ: PlaywrightとRailsをつなげた3年の軌跡
yusukeiwaki
11
2.9k
Data-centric AI入門第6章:Data-centric AIの実践例
x_ttyszk
1
390
5分で紹介する生成AIエージェントとAmazon Bedrock Agents / 5-minutes introduction to generative AI agents and Amazon Bedrock Agents
hideakiaoyagi
0
230
ユーザーストーリーマッピングから始めるアジャイルチームと並走するQA / Starting QA with User Story Mapping
katawara
0
170
マルチモーダル理解と生成の統合 DeepSeek Janus, etc... / Multimodal Understanding and Generation Integration
hiroga
0
370
組織貢献をするフリーランスエンジニアという生き方
n_takehata
1
1.2k
ビジネスモデリング道場 目的と背景
masuda220
PRO
9
410
君も受託系GISエンジニアにならないか
sudataka
2
410
Featured
See All Featured
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
99
18k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
49k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
The World Runs on Bad Software
bkeepers
PRO
67
11k
Why Our Code Smells
bkeepers
PRO
336
57k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
129
19k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Docker and Python
trallard
44
3.3k
Unsuck your backbone
ammeep
669
57k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Transcript
Kubernetes and Weave.net on Kubernetes and Weave.net on bare metal
bare metal
None
Public solutions Public solutions kubespray kubeadm kube-up chef-kubernetes
Node view Node view
Components view Components view
What’s this all about What’s this all about SSL Etcd
Master node Worker node CNI
SSL SSL
SSL: Bundles SSL: Bundles 1 to 4 bundles per cluster
SSL: single bundle SSL: single bundle Single CA Keypairs: apiserver
kubelets etcd clients etcd peers
SSL: two bundles SSL: two bundles Kubernetes CA apiserver keypair
kubelets keypair Etcd CA peers keypair clients keypair
SSL: full paranoia SSL: full paranoia apiserver CA keypairs kubelets
CA keypairs etcd peers CA keypairs etcd clients CA keypairs
SSL: keypairs SSL: keypairs keypair per host keypair per component
SSL: CA SSL: CA Validity!
Etcd Etcd Distributed reliable key-value store
Etcd: Intercommunications Etcd: Intercommunications
Etcd: Apiserver communications Etcd: Apiserver communications
Etcd: initial args Etcd: initial args --initial-advertise-peer-urls=https://etcd0:2380 \ --initial-cluster-state=new \
--initial-cluster-token=RfDz6BPYvQWSshe8J0cEhUoAGbnm1LfgS0A77EsjCa \ --initial-cluster=etcd0=https://etcd0:2380,etcd1=https://etcd1:2380,etcd2=https://etcd2
Etcd: add node Etcd: add node on any old member:
on a new member start etcd changing following opts: $ etcdctl member add name peerURL --initial-cluster-state=existing --initial-cluster=all-old-members,https://new-member:2380
Etcd: remove node Etcd: remove node on any live member:
$ etcdctl member list $ etcdctl member remove ID
Etcd: fault tolerance Etcd: fault tolerance
Tolerance table Tolerance table CLUSTER SIZE MAJORITY FAILURE TOLERANCE 1
1 0 2 2 0 3 2 1 4 3 1 5 3 2
Majority = floor(Size/2) + 1 Majority = floor(Size/2) + 1
Tolerance = Size - Majority Tolerance = Size - Majority
Tolerance = Size - floor(Size/2) - 1 Tolerance = Size
- floor(Size/2) - 1
Etcd: proxy mode Etcd: proxy mode $ etcd grpc-proxy start
--endpoints=...
Master node Master node
Master node: multimaster Master node: multimaster Problems: load balancing leases
Master node: custom schedulers Master node: custom schedulers spec: template:
spec: schedulerName: default-scheduler
Master node: addon manager Master node: addon manager /etc/kubernetes/addons labels
simple shell script metadata: labels: addonmanager.kubernetes.io/mode: Recon kubernetes.io/cluster-service: "true"
Worker node Worker node
CNI CNI Container Network Interface Speci cation Tool Plugins
CNI: versions CNI: versions Speci cation: 0.3.1 Tool: 0.6.0 Plugins:
0.7.0
CNI: portmap CNI: portmap forward tra c from one or
more ports on the host to the container chained
CNI: con guration CNI: con guration /etc/cni/net.d/10-weave.conflist { "cniVersion": "0.3.1",
"name": "weave", "plugins": [ { "name": "weave", "type": "weave-net", "hairpinMode": true }, { "type": "portmap", "capabilities": { "portMappings": true }, "snat": true } ] }
Weave Weave Single click kubectl exec Kubernetes integration Fast Datapath
Encryption NPC Multi-hop routing CNI plugin
Weave: Node view Weave: Node view
Weave: Topology Weave: Topology
Weave: FDP Weave: FDP
Weave: Multi-hop routing Weave: Multi-hop routing
Weave: installation Weave: installation $ kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=\ $(kubectl
version | base64 | tr -d '\n')"
Weave: be aware Weave: be aware Always remove /etc/cni/net.d/10-weave.conf
Tips and tricks Tips and tricks
Networks Networks Host network Pod network (CNI) Service network (Net
lter) Don’t forget ip route add service_network dev internal_interface
Encryption con g Encryption con g kind: EncryptionConfig apiVersion: v1
resources: - resources: - secrets - configmaps providers: - aescbc: keys: - name: key1 secret: RnVjayB0aGlzIHNoaXQhCg== - identity: {}
Encryption setup Encryption setup # kube-apiserver --experimental-encryption-provider-config=/etc/kubernetes/encryption-c
Actually encrypting the data Actually encrypting the data $ kubectl
get secrets --all-namespaces -o json | kubectl replace -f -
Endpoint reconciler Endpoint reconciler Good Bad # kube-apiserver --endpoint-reconciler-type=lease ...
# kube-apiserver --endpoint-reconciler-type=master-coun
Authentication Authentication
Authentication: WARNING Authentication: WARNING There is no authentication inside kubernetes!
AT ALL!
Authentication: strategies Authentication: strategies X509 Client Certs Static Token File
Static Password File OpenID Connect Tokens Webhook Token Authentication DEX
Bootstrap tokens Bootstrap tokens Apiserver: Kubelet: --enable-bootstrap-token-auth --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig-bootstra
Upgrade Upgrade Patch versions: smooth and simple Minor versions: all
pods restart
Questions? Questions?