Kubernetes and Weave.net on bare metal
Maxim Filatov
April 14, 2018

Talk about managing containers on bare metal hosts.
Video: https://youtu.be/8v7vW_Eybkg?t=4314
Transcript
Kubernetes and Weave.net on bare metal

Public solutions
kubespray
kubeadm
kube-up
chef-kubernetes

Node view

Components view
What's this all about
SSL
Etcd
Master node
Worker node
CNI

SSL

SSL: Bundles
1 to 4 bundles per cluster

SSL: single bundle
Single CA
Keypairs: apiserver, kubelets, etcd clients, etcd peers

SSL: two bundles
Kubernetes CA: apiserver keypair, kubelets keypair
Etcd CA: peers keypair, clients keypair

SSL: full paranoia
apiserver CA + keypairs
kubelets CA + keypairs
etcd peers CA + keypairs
etcd clients CA + keypairs

SSL: keypairs
keypair per host
keypair per component

SSL: CA
Validity! Mind the CA's validity period: once the CA certificate expires, every keypair it signed stops validating at the same moment.
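The "two bundles" layout above, as an added example that is not part of the talk: a POSIX shell script that builds a Kubernetes CA and a separate etcd CA with openssl, signs the four keypairs of the slide under the right CA, then checks that a certificate from one bundle is rejected by the other CA, that the apiserver SAN covers the service name, and that the CA still has validity left. It assumes openssl 1.1.1 or later on PATH; the hostnames, IPs, subject names and lifetimes are made up for the example.

```shell
#!/bin/sh
# Added example, not from the talk: build the "two bundles" PKI with openssl.
#   kubernetes/  ca + apiserver (server) + kubelet (client) keypairs
#   etcd/        ca + peer (server+client) + apiserver-client keypairs
# Assumes openssl >= 1.1.1 on PATH. All names, IPs and lifetimes are made up.
set -eu

# gen_key_csr <dir> <name> <subject>: RSA-2048 key (no passphrase) and CSR
gen_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# make_ca <dir> <cn> <days>: self-signed CA, CA:TRUE and keyCertSign marked critical
make_ca() {
  mkdir -p "$1"
  gen_key_csr "$1" ca "/CN=$2"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$1/ca.ext"
  openssl x509 -req -sha256 -days "$3" -in "$1/ca.csr" -signkey "$1/ca.key" \
    -extfile "$1/ca.ext" -out "$1/ca.crt" 2>/dev/null
}

# make_keypair <ca dir> <name> <subject> <eku> <sans> <days>
#   eku:  serverAuth | clientAuth | serverAuth,clientAuth
#   sans: e.g. "DNS:etcd0,IP:10.0.0.20"; empty for a pure client certificate
make_keypair() {
  gen_key_csr "$1" "$2" "$3"
  {
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n'
    printf 'extendedKeyUsage=%s\n' "$4"
    if [ -n "$5" ]; then printf 'subjectAltName=%s\n' "$5"; fi
  } > "$1/$2.ext"
  openssl x509 -req -sha256 -days "$6" -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# build_two_bundles <root>: the layout of the "two bundles" slide
build_two_bundles() {
  k="$1/kubernetes"; e="$1/etcd"
  make_ca "$k" kubernetes-ca 3650
  make_ca "$e" etcd-ca 3650
  # apiserver serves TLS: the SAN must list every name and VIP clients will dial (assumed values)
  make_keypair "$k" apiserver "/CN=kube-apiserver" serverAuth \
    "DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,IP:10.96.0.1,IP:10.0.0.10" 365
  # kubelet client cert: the Node authorizer keys on O=system:nodes, CN=system:node:<name>
  make_keypair "$k" kubelet-worker1 "/O=system:nodes/CN=system:node:worker1" clientAuth "" 365
  # etcd peers both accept and open peer connections; the apiserver only opens client connections
  make_keypair "$e" peer-etcd0 "/CN=etcd0" serverAuth,clientAuth "DNS:etcd0,IP:10.0.0.20" 365
  make_keypair "$e" client-apiserver "/CN=kube-apiserver" clientAuth "" 365
}

# verify_chain <ca dir> <cert> [hostname]: 0 iff cert chains to that CA (and its SAN matches hostname)
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
  fi
}

# cert_valid_for <cert> <seconds>: 0 unless the cert expires within <seconds> (openssl -checkend)
cert_valid_for() { openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1; }

# Stand-alone demo
demo() {
  root=$(mktemp -d)
  build_two_bundles "$root"
  verify_chain "$root/kubernetes" "$root/kubernetes/apiserver.crt" kubernetes.default.svc \
    || { echo "BUG: apiserver cert not valid for kubernetes.default.svc"; exit 1; }
  echo "apiserver cert: trusted by the Kubernetes CA, SAN covers kubernetes.default.svc"
  if verify_chain "$root/etcd" "$root/kubernetes/apiserver.crt"; then
    echo "BUG: the etcd CA accepted a Kubernetes-bundle cert"; exit 1
  fi
  echo "apiserver cert: rejected by the etcd CA (the bundles are separate trust domains)"
  cert_valid_for "$root/kubernetes/ca.crt" $((30 * 86400)) \
    && echo "Kubernetes CA: more than 30 days of validity left"
  rm -rf "$root"
}
demo
```

Run `cert_valid_for` against every CA in a cron job with a threshold of a month or two; it is the cheapest way to turn the "Validity!" slide into an alert instead of an outage.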
Etcd
Distributed reliable key-value store

Etcd: Intercommunications

Etcd: Apiserver communications

Etcd: initial args
--initial-advertise-peer-urls=https://etcd0:2380 \
--initial-cluster-state=new \
--initial-cluster-token=RfDz6BPYvQWSshe8J0cEhUoAGbnm1LfgS0A77EsjCa \
--initial-cluster=etcd0=https://etcd0:2380,etcd1=https://etcd1:2380,etcd2=https://etcd2

Etcd: add node
On any old member:
$ etcdctl member add name peerURL
Then start etcd on the new member with these options changed:
--initial-cluster-state=existing
--initial-cluster=all-old-members,new-member=https://new-member:2380

Etcd: remove node
On any live member:
$ etcdctl member list
$ etcdctl member remove ID
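The add and remove procedures above, as an added example that is not part of the talk: a POSIX shell script that turns `etcdctl member list` output into the `--initial-cluster` value a new member must start with and into the ID that `member remove` takes, and that refuses a removal which would leave the cluster with no failure tolerance. `SAMPLE_MEMBERS` is constructed sample output in the v3 etcdctl comma-separated format (ID, STATUS, NAME, PEER ADDRS, CLIENT ADDRS); the IDs, names and URLs are made up.

```shell
#!/bin/sh
# Added example, not from the talk: derive the flags and IDs for the add/remove
# procedures from `etcdctl member list` output.  SAMPLE_MEMBERS is constructed
# sample output in the v3 etcdctl comma-separated format
# (ID, STATUS, NAME, PEER ADDRS, CLIENT ADDRS); IDs, names and URLs are made up.
set -eu

SAMPLE_MEMBERS='8e9e05c52164694d, started, etcd0, https://etcd0:2380, https://etcd0:2379
91bc3c398fb3c146, started, etcd1, https://etcd1:2380, https://etcd1:2379
fd422379fda50e48, started, etcd2, https://etcd2:2380, https://etcd2:2379'

# initial_cluster <member list> [name=peerURL]: comma-separated name=peerURL of
# every existing member, optionally followed by the member being added
initial_cluster() {
  printf '%s\n' "$1" | awk -F', *' '{ printf "%s%s=%s", (NR > 1 ? "," : ""), $3, $4 }'
  if [ -n "${2:-}" ]; then printf ',%s' "$2"; fi
}

# new_member_args <member list> <name> <peerURL>: flags for the new member's
# etcd process, to be started only after `etcdctl member add <name> <peerURL>`
new_member_args() {
  printf '%s\n' "--name=$2" \
    "--initial-advertise-peer-urls=$3" \
    "--listen-peer-urls=$3" \
    "--initial-cluster-state=existing" \
    "--initial-cluster=$(initial_cluster "$1" "$2=$3")"
}

# member_id <member list> <name>: the ID `etcdctl member remove` takes
member_id() {
  printf '%s\n' "$1" | awk -F', *' -v n="$2" '$3 == n { print $1 }'
}

member_count() { printf '%s\n' "$1" | grep -c .; }

# tolerance <size>: members that may fail while a majority (floor(size/2)+1) survives
tolerance() { echo $(( $1 - $1 / 2 - 1 )); }

# remove_plan <member list> <name>: prints the remove command; non-zero if the
# member is unknown or the remaining cluster would tolerate no further failure
remove_plan() {
  id=$(member_id "$1" "$2")
  if [ -z "$id" ]; then echo "no member named $2" >&2; return 1; fi
  left=$(( $(member_count "$1") - 1 ))
  echo "etcdctl member remove $id"
  if [ "$(tolerance "$left")" -eq 0 ]; then
    echo "warning: $left members left, failure tolerance 0; add a member first" >&2
    return 2
  fi
}

# Stand-alone demo on the constructed list
new_member_args "$SAMPLE_MEMBERS" etcd3 https://etcd3:2380
remove_plan "$SAMPLE_MEMBERS" etcd1 || true
```

With the v3 API, `etcdctl member add` itself prints `ETCD_INITIAL_CLUSTER` and `ETCD_INITIAL_CLUSTER_STATE=existing` for the new member; the script reproduces that value so the flags can be reviewed before the process starts. Removing before adding is the classic way to drop a three-member cluster to two, where a single further failure loses quorum, which is why `remove_plan` warns.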
Etcd: fault tolerance

Tolerance table
CLUSTER SIZE  MAJORITY  FAILURE TOLERANCE
1             1         0
2             2         0
3             2         1
4             3         1
5             3         2

Majority = floor(Size/2) + 1
Tolerance = Size - Majority = Size - floor(Size/2) - 1

Etcd: proxy mode
$ etcd grpc-proxy start --endpoints=...
Master node

Master node: multimaster
Problems: load balancing, leases

Master node: custom schedulers
spec:
  template:
    spec:
      schedulerName: default-scheduler

Master node: addon manager
/etc/kubernetes/addons
labels
simple shell script
metadata:
  labels:
    addonmanager.kubernetes.io/mode: Recon
    kubernetes.io/cluster-service: "true"
Worker node

CNI
Container Network Interface
Specification
Tool
Plugins

CNI: versions
Specification: 0.3.1
Tool: 0.6.0
Plugins: 0.7.0

CNI: portmap
Forwards traffic from one or more ports on the host to the container; runs chained after the main network plugin

CNI: configuration
/etc/cni/net.d/10-weave.conflist
{
  "cniVersion": "0.3.1",
  "name": "weave",
  "plugins": [
    {
      "name": "weave",
      "type": "weave-net",
      "hairpinMode": true
    },
    {
      "type": "portmap",
      "capabilities": { "portMappings": true },
      "snat": true
    }
  ]
}
Weave
Single click
kubectl exec
Kubernetes integration
Fast Datapath
Encryption
NPC (Network Policy Controller)
Multi-hop routing
CNI plugin

Weave: Node view

Weave: Topology

Weave: FDP

Weave: Multi-hop routing

Weave: installation
$ kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"

Weave: be aware
Always remove /etc/cni/net.d/10-weave.conf. The kubelet takes the first file in /etc/cni/net.d in sorted order, and 10-weave.conf sorts before 10-weave.conflist, so a stale .conf left over from an older Weave install shadows the conflist and the chained portmap plugin never runs.
Tips and tricks

Networks
Host network
Pod network (CNI)
Service network (Netfilter)
Don't forget: ip route add service_network dev internal_interface
Encryption config
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
      - configmaps
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: RnVjayB0aGlzIHNoaXQhCg==
      - identity: {}

Encryption setup
# kube-apiserver --experimental-encryption-provider-config=/etc/kubernetes/encryption-c

Actually encrypting the data
Enabling the provider only affects writes; objects already in etcd stay in plaintext until they are rewritten:
$ kubectl get secrets --all-namespaces -o json | kubectl replace -f -
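The encryption setup above, as an added example that is not part of the talk: a POSIX shell script that generates a random 32-byte aescbc key, validates any key before it goes into the file (aescbc accepts 16, 24 or 32 bytes), and renders the config in the slide's format with the aescbc provider first and identity last. It assumes GNU coreutils `base64 -d` and `/dev/urandom`; the key name is an assumption. Current releases spell the flag `--encryption-provider-config` and the config `kind: EncryptionConfiguration` with `apiVersion: apiserver.config.k8s.io/v1`; the provider layout is the same.

```shell
#!/bin/sh
# Added example, not from the talk: mint and validate an aescbc key and render
# the EncryptionConfig of the slide.  Assumes GNU coreutils base64 and /dev/urandom.
set -eu

# new_aescbc_key: 32 random bytes (AES-256) base64-encoded, as the config expects
new_aescbc_key() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# aescbc_key_bytes <b64>: decoded length in bytes
aescbc_key_bytes() {
  printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# aescbc_key_ok <b64>: 0 iff the decoded key is 16, 24 or 32 bytes (the sizes aescbc accepts)
aescbc_key_ok() {
  n=$(aescbc_key_bytes "$1")
  case "$n" in
    16|24|32) return 0 ;;
    *) return 1 ;;
  esac
}

# render_encryption_config <key name> <b64 key>: slide-format config.
# Provider order matters: the first provider encrypts new writes, every
# provider is tried for reads, and identity last keeps old plaintext readable.
render_encryption_config() {
  aescbc_key_ok "$2" || { echo "key must decode to 16, 24 or 32 bytes" >&2; return 1; }
  cat <<EOF
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
      - configmaps
    providers:
      - aescbc:
          keys:
            - name: $1
              secret: $2
      - identity: {}
EOF
}

# Stand-alone demo
render_encryption_config key1 "$(new_aescbc_key)"
```

The key on the slide decodes to exactly 16 bytes, so it passes the length check as an AES-128 key; length is the only property the apiserver checks, randomness is on you, hence `new_aescbc_key`. To rotate, add the new key as the first entry under `aescbc`, restart every apiserver, rerun the `kubectl replace` rewrite above, and only then drop the old key.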
Endpoint reconciler
Good: # kube-apiserver --endpoint-reconciler-type=lease ...
Bad:  # kube-apiserver --endpoint-reconciler-type=master-coun
Authentication

Authentication: WARNING
There is no authentication inside Kubernetes! AT ALL!
Kubernetes ships no user database of its own: every identity comes from one of the strategies below, and the apiserver must be configured with at least one.

Authentication: strategies
X509 Client Certs
Static Token File
Static Password File
OpenID Connect Tokens
Webhook Token Authentication
DEX

Bootstrap tokens
Apiserver: --enable-bootstrap-token-auth
Kubelet: --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig-bootstra
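The bootstrap token flags above, as an added example that is not part of the talk: a POSIX shell script that mints a token in the documented `<id>.<secret>` shape, validates it, and renders both the `bootstrap.kubernetes.io/token` Secret the apiserver reads when started with `--enable-bootstrap-token-auth` and the kubeconfig the kubelet's `--bootstrap-kubeconfig` points at. The Secret type, its field names and the token format are the documented ones; the apiserver URL, CA path, extra group name and expiration values are assumptions.

```shell
#!/bin/sh
# Added example, not from the talk: mint a kubelet bootstrap token plus the
# Secret and kubeconfig that go with it.  Assumes /dev/urandom; the server URL,
# CA path, group name and expiration are made up.
set -eu

# rand_lower_alnum <n>: n characters from [a-z0-9]
rand_lower_alnum() {
  head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'a-z0-9' | head -c "$1"
}

# new_bootstrap_token: <id>.<secret>, a 6-char id and a 16-char secret
new_bootstrap_token() {
  printf '%s.%s' "$(rand_lower_alnum 6)" "$(rand_lower_alnum 16)"
}

# bootstrap_token_valid <token>: 0 iff the token has the documented shape
bootstrap_token_valid() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# render_bootstrap_secret <token> <expiration RFC3339>: the Secret the
# apiserver's bootstrap authenticator reads from kube-system
render_bootstrap_secret() {
  bootstrap_token_valid "$1" || { echo "malformed token" >&2; return 1; }
  id=${1%%.*}; secret=${1#*.}
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: bootstrap-token-$id
  namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
  token-id: "$id"
  token-secret: "$secret"
  expiration: "$2"
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
  auth-extra-groups: "system:bootstrappers:worker"
EOF
}

# render_bootstrap_kubeconfig <apiserver URL> <token>: file for --bootstrap-kubeconfig
render_bootstrap_kubeconfig() {
  bootstrap_token_valid "$2" || { echo "malformed token" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: bootstrap
  cluster:
    server: $1
    certificate-authority: /etc/kubernetes/pki/ca.crt
contexts:
- name: bootstrap
  context:
    cluster: bootstrap
    user: kubelet-bootstrap
current-context: bootstrap
users:
- name: kubelet-bootstrap
  user:
    token: $2
EOF
}

# Stand-alone demo (expiration is a fixed assumed timestamp)
token=$(new_bootstrap_token)
render_bootstrap_secret "$token" "2018-04-15T00:00:00Z"
render_bootstrap_kubeconfig https://10.0.0.10:6443 "$token"
```

A kubelet presenting this token authenticates as user `system:bootstrap:<id>` in the group `system:bootstrappers` plus whatever `auth-extra-groups` lists; bind the `system:node-bootstrapper` ClusterRole to that group so it can submit its CSR, keep `expiration` short, and run the controller-manager's `tokencleaner` so expired tokens are deleted rather than left for reuse.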
Upgrade
Patch versions: smooth and simple
Minor versions: all pods restart

Questions?