Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Kubernetes and Weave.net on bare metal
Search
Maxim Filatov
April 14, 2018
Technology
1
480
Kubernetes and Weave.net on bare metal
Talk about managing containers on bare metal hosts.
Video:
https://youtu.be/8v7vW_Eybkg?t=4314
Maxim Filatov
April 14, 2018
Tweet
Share
More Decks by Maxim Filatov
See All by Maxim Filatov
Kubernetes on bare metal: SSL
bregor
1
530
Using external services inside Kubernetes
bregor
0
90
Other Decks in Technology
See All in Technology
なぜテストマネージャの視点が 必要なのか? 〜 一歩先へ進むために 〜
moritamasami
0
220
Aurora DSQLはサーバーレスアーキテクチャの常識を変えるのか
iwatatomoya
1
970
Firestore → Spanner 移行 を成功させた段階的移行プロセス
athug
1
480
Codeful Serverless / 一人運用でもやり抜く力
_kensh
7
420
新アイテムをどう使っていくか?みんなであーだこーだ言ってみよう / 20250911-rpi-jam-tokyo
akkiesoft
0
260
オブザーバビリティが広げる AIOps の世界 / The World of AIOps Expanded by Observability
aoto
PRO
0
380
5年目から始める Vue3 サイト改善 #frontendo
tacck
PRO
3
220
LLMを搭載したプロダクトの品質保証の模索と学び
qa
0
1.1k
初めてAWSを使うときのセキュリティ覚書〜初心者支部編〜
cmusudakeisuke
1
250
250905 大吉祥寺.pm 2025 前夜祭 「プログラミングに出会って20年、『今』が1番楽しい」
msykd
PRO
1
900
企業の生成AIガバナンスにおけるエージェントとセキュリティ
lycorptech_jp
PRO
2
170
AWSで始める実践Dagster入門
kitagawaz
1
620
Featured
See All Featured
Art, The Web, and Tiny UX
lynnandtonic
303
21k
Agile that works and the tools we love
rasmusluckow
330
21k
Site-Speed That Sticks
csswizardry
10
810
Docker and Python
trallard
45
3.6k
Music & Morning Musume
bryan
46
6.8k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
9
810
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
920
Build your cross-platform service in a week with App Engine
jlugia
231
18k
How to train your dragon (web standard)
notwaldorf
96
6.2k
The Cult of Friendly URLs
andyhume
79
6.6k
Context Engineering - Making Every Token Count
addyosmani
3
43
jQuery: Nuts, Bolts and Bling
dougneiner
64
7.9k
Transcript
Kubernetes and Weave.net on Kubernetes and Weave.net on bare metal
bare metal
None
Public solutions Public solutions kubespray kubeadm kube-up chef-kubernetes
Node view Node view
Components view Components view
What’s this all about What’s this all about SSL Etcd
Master node Worker node CNI
SSL SSL
SSL: Bundles SSL: Bundles 1 to 4 bundles per cluster
SSL: single bundle SSL: single bundle Single CA Keypairs: apiserver
kubelets etcd clients etcd peers
SSL: two bundles SSL: two bundles Kubernetes CA apiserver keypair
kubelets keypair Etcd CA peers keypair clients keypair
SSL: full paranoia SSL: full paranoia apiserver CA keypairs kubelets
CA keypairs etcd peers CA keypairs etcd clients CA keypairs
SSL: keypairs SSL: keypairs keypair per host keypair per component
SSL: CA SSL: CA Validity!
Etcd Etcd Distributed reliable key-value store
Etcd: Intercommunications Etcd: Intercommunications
Etcd: Apiserver communications Etcd: Apiserver communications
Etcd: initial args Etcd: initial args --initial-advertise-peer-urls=https://etcd0:2380 \ --initial-cluster-state=new \
--initial-cluster-token=RfDz6BPYvQWSshe8J0cEhUoAGbnm1LfgS0A77EsjCa \ --initial-cluster=etcd0=https://etcd0:2380,etcd1=https://etcd1:2380,etcd2=https://etcd2
Etcd: add node Etcd: add node on any old member:
on a new member start etcd changing following opts: $ etcdctl member add name peerURL --initial-cluster-state=existing --initial-cluster=all-old-members,https://new-member:2380
Etcd: remove node Etcd: remove node on any live member:
$ etcdctl member list $ etcdctl member remove ID
Etcd: fault tolerance Etcd: fault tolerance
Tolerance table Tolerance table CLUSTER SIZE MAJORITY FAILURE TOLERANCE 1
1 0 2 2 0 3 2 1 4 3 1 5 3 2
Majority = floor(Size/2) + 1 Majority = floor(Size/2) + 1
Tolerance = Size - Majority Tolerance = Size - Majority
Tolerance = Size - floor(Size/2) - 1 Tolerance = Size
- floor(Size/2) - 1
Etcd: proxy mode Etcd: proxy mode $ etcd grpc-proxy start
--endpoints=...
Master node Master node
Master node: multimaster Master node: multimaster Problems: load balancing leases
Master node: custom schedulers Master node: custom schedulers spec: template:
spec: schedulerName: default-scheduler
Master node: addon manager Master node: addon manager /etc/kubernetes/addons labels
simple shell script metadata: labels: addonmanager.kubernetes.io/mode: Recon kubernetes.io/cluster-service: "true"
Worker node Worker node
CNI CNI Container Network Interface Speci cation Tool Plugins
CNI: versions CNI: versions Speci cation: 0.3.1 Tool: 0.6.0 Plugins:
0.7.0
CNI: portmap CNI: portmap forward tra c from one or
more ports on the host to the container chained
CNI: con guration CNI: con guration /etc/cni/net.d/10-weave.conflist { "cniVersion": "0.3.1",
"name": "weave", "plugins": [ { "name": "weave", "type": "weave-net", "hairpinMode": true }, { "type": "portmap", "capabilities": { "portMappings": true }, "snat": true } ] }
Weave Weave Single click kubectl exec Kubernetes integration Fast Datapath
Encryption NPC Multi-hop routing CNI plugin
Weave: Node view Weave: Node view
Weave: Topology Weave: Topology
Weave: FDP Weave: FDP
Weave: Multi-hop routing Weave: Multi-hop routing
Weave: installation Weave: installation $ kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=\ $(kubectl
version | base64 | tr -d '\n')"
Weave: be aware Weave: be aware Always remove /etc/cni/net.d/10-weave.conf
Tips and tricks Tips and tricks
Networks Networks Host network Pod network (CNI) Service network (Net
lter) Don’t forget ip route add service_network dev internal_interface
Encryption con g Encryption con g kind: EncryptionConfig apiVersion: v1
resources: - resources: - secrets - configmaps providers: - aescbc: keys: - name: key1 secret: RnVjayB0aGlzIHNoaXQhCg== - identity: {}
Encryption setup Encryption setup # kube-apiserver --experimental-encryption-provider-config=/etc/kubernetes/encryption-c
Actually encrypting the data Actually encrypting the data $ kubectl
get secrets --all-namespaces -o json | kubectl replace -f -
Endpoint reconciler Endpoint reconciler Good Bad # kube-apiserver --endpoint-reconciler-type=lease ...
# kube-apiserver --endpoint-reconciler-type=master-coun
Authentication Authentication
Authentication: WARNING Authentication: WARNING There is no authentication inside kubernetes!
AT ALL!
Authentication: strategies Authentication: strategies X509 Client Certs Static Token File
Static Password File OpenID Connect Tokens Webhook Token Authentication DEX
Bootstrap tokens Bootstrap tokens Apiserver: Kubelet: --enable-bootstrap-token-auth --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig-bootstra
Upgrade Upgrade Patch versions: smooth and simple Minor versions: all
pods restart
Questions? Questions?