Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Kubernetes and Weave.net on bare metal
Search
Maxim Filatov
April 14, 2018
Technology
1
440
Kubernetes and Weave.net on bare metal
Talk about managing containers on bare metal hosts.
Video:
https://youtu.be/8v7vW_Eybkg?t=4314
Maxim Filatov
April 14, 2018
Tweet
Share
More Decks by Maxim Filatov
See All by Maxim Filatov
Kubernetes on bare metal: SSL
bregor
1
340
Using external services inside Kubernetes
bregor
0
75
Other Decks in Technology
See All in Technology
LINEヤフーのウェブアクセシビリティ
lycorptech_jp
PRO
2
170
社内での継続的な機械学習勉強会の開催のコツ
yudai00
2
390
シンプルなHITL機械学習と様々なタスクにおけるHITL機械学習
naohachi89
0
320
【TSkaigi】2024/05/11 当日スライド
kimitashoichi
14
4k
サービス開発におけるVue3とTypeScriptの親和性について
tsukuha
10
1.8k
TiDBにおけるテーブル設計と最適化の事例
cygames
0
790
個人的、Kubernetes の最新注目機能! (2024年5月版) / TechFeed Experts Night#28 〜 コンテナ技術最前線
pfn
PRO
3
210
Money-saving tips for the frugal serverless developer
theburningmonk
0
270
.NET GraphQL Client のリアル
sansantech
PRO
1
250
YJIT Makes Rails 1.7x faster / RubyKaigi 2024
k0kubun
3
460
AWS アーキテクチャ作図入門/aws-architecture-diagram-101
ma2shita
16
6.7k
Google Cloud Next '24 Recap in ZOZO AIにより変わる開発 運用/Development and operation changed by AI
gachimuchiengineer
0
190
Featured
See All Featured
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
23
1.7k
How to name files
jennybc
65
94k
RailsConf 2023
tenderlove
9
580
Fontdeck: Realign not Redesign
paulrobertlloyd
76
4.9k
Writing Fast Ruby
sferik
622
60k
Thoughts on Productivity
jonyablonski
60
3.9k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.7k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
9
1.3k
Building Effective Engineering Teams - LeadDev
addyosmani
33
1.9k
Into the Great Unknown - MozCon
thekraken
15
1.1k
Ruby is Unlike a Banana
tanoku
96
10k
Transcript
Kubernetes and Weave.net on Kubernetes and Weave.net on bare metal
bare metal
None
Public solutions Public solutions kubespray kubeadm kube-up chef-kubernetes
Node view Node view
Components view Components view
What’s this all about What’s this all about SSL Etcd
Master node Worker node CNI
SSL SSL
SSL: Bundles SSL: Bundles 1 to 4 bundles per cluster
SSL: single bundle SSL: single bundle Single CA Keypairs: apiserver
kubelets etcd clients etcd peers
SSL: two bundles SSL: two bundles Kubernetes CA apiserver keypair
kubelets keypair Etcd CA peers keypair clients keypair
SSL: full paranoia SSL: full paranoia apiserver CA keypairs kubelets
CA keypairs etcd peers CA keypairs etcd clients CA keypairs
SSL: keypairs SSL: keypairs keypair per host keypair per component
SSL: CA SSL: CA Validity!
Etcd Etcd Distributed reliable key-value store
Etcd: Intercommunications Etcd: Intercommunications
Etcd: Apiserver communications Etcd: Apiserver communications
Etcd: initial args Etcd: initial args --initial-advertise-peer-urls=https://etcd0:2380 \ --initial-cluster-state=new \
--initial-cluster-token=RfDz6BPYvQWSshe8J0cEhUoAGbnm1LfgS0A77EsjCa \ --initial-cluster=etcd0=https://etcd0:2380,etcd1=https://etcd1:2380,etcd2=https://etcd2
Etcd: add node Etcd: add node on any old member:
on a new member start etcd changing following opts: $ etcdctl member add name peerURL --initial-cluster-state=existing --initial-cluster=all-old-members,https://new-member:2380
Etcd: remove node Etcd: remove node on any live member:
$ etcdctl member list $ etcdctl member remove ID
Etcd: fault tolerance Etcd: fault tolerance
Tolerance table Tolerance table CLUSTER SIZE MAJORITY FAILURE TOLERANCE 1
1 0 2 2 0 3 2 1 4 3 1 5 3 2
Majority = floor(Size/2) + 1 Majority = floor(Size/2) + 1
Tolerance = Size - Majority Tolerance = Size - Majority
Tolerance = Size - floor(Size/2) - 1 Tolerance = Size
- floor(Size/2) - 1
Etcd: proxy mode Etcd: proxy mode $ etcd grpc-proxy start
--endpoints=...
Master node Master node
Master node: multimaster Master node: multimaster Problems: load balancing leases
Master node: custom schedulers Master node: custom schedulers spec: template:
spec: schedulerName: default-scheduler
Master node: addon manager Master node: addon manager /etc/kubernetes/addons labels
simple shell script metadata: labels: addonmanager.kubernetes.io/mode: Recon kubernetes.io/cluster-service: "true"
Worker node Worker node
CNI CNI Container Network Interface Speci cation Tool Plugins
CNI: versions CNI: versions Speci cation: 0.3.1 Tool: 0.6.0 Plugins:
0.7.0
CNI: portmap CNI: portmap forward tra c from one or
more ports on the host to the container chained
CNI: con guration CNI: con guration /etc/cni/net.d/10-weave.conflist { "cniVersion": "0.3.1",
"name": "weave", "plugins": [ { "name": "weave", "type": "weave-net", "hairpinMode": true }, { "type": "portmap", "capabilities": { "portMappings": true }, "snat": true } ] }
Weave Weave Single click kubectl exec Kubernetes integration Fast Datapath
Encryption NPC Multi-hop routing CNI plugin
Weave: Node view Weave: Node view
Weave: Topology Weave: Topology
Weave: FDP Weave: FDP
Weave: Multi-hop routing Weave: Multi-hop routing
Weave: installation Weave: installation $ kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=\ $(kubectl
version | base64 | tr -d '\n')"
Weave: be aware Weave: be aware Always remove /etc/cni/net.d/10-weave.conf
Tips and tricks Tips and tricks
Networks Networks Host network Pod network (CNI) Service network (Net
lter) Don’t forget ip route add service_network dev internal_interface
Encryption con g Encryption con g kind: EncryptionConfig apiVersion: v1
resources: - resources: - secrets - configmaps providers: - aescbc: keys: - name: key1 secret: RnVjayB0aGlzIHNoaXQhCg== - identity: {}
Encryption setup Encryption setup # kube-apiserver --experimental-encryption-provider-config=/etc/kubernetes/encryption-c
Actually encrypting the data Actually encrypting the data $ kubectl
get secrets --all-namespaces -o json | kubectl replace -f -
Endpoint reconciler Endpoint reconciler Good Bad # kube-apiserver --endpoint-reconciler-type=lease ...
# kube-apiserver --endpoint-reconciler-type=master-coun
Authentication Authentication
Authentication: WARNING Authentication: WARNING There is no authentication inside kubernetes!
AT ALL!
Authentication: strategies Authentication: strategies X509 Client Certs Static Token File
Static Password File OpenID Connect Tokens Webhook Token Authentication DEX
Bootstrap tokens Bootstrap tokens Apiserver: Kubelet: --enable-bootstrap-token-auth --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig-bootstra
Upgrade Upgrade Patch versions: smooth and simple Minor versions: all
pods restart
Questions? Questions?