
Kubernetes Workshop @EVBox

Slides used during Kubernetes workshop at EVBox HQ (Amsterdam).

Mark van Straten

November 07, 2018


Transcript

  1. Agenda
     - Now: Introductions + Setup environments + K8s hello world
     - 10:00 Monitoring & Alerting
     - 11:00 Diagnosing & Resolving issues
     - 12:00 Lunch
     - 13:00 Network Policies
     - 14:00 Istio
     - 14:45 Multi Region
     - 15:30 Free form discussion
     - 16:30 Wrap up
  2. What is k8s?
     - Container orchestration system
     - Developed initially by Google, now open source
     - By default works with Docker images
     - Provides a framework for configuring deployment, networking and scaling
  3. Why do people use k8s?
     - Scalability! Strong toolkit for (esp. horizontal) scaling
       - Scaling on RAM/CPU out of the box
       - Vertical pod scaling also possible
       - Custom scaling methods possible
     - Smart rollout strategies
     - Good abstractions for container orchestration
       - Network Policies
       - RBAC
       - Secrets/Config management
     - Powerful ecosystem for common tasks
       - Monitoring: Stackdriver, adapters for others like Datadog or Prometheus
       - CI/CD: Helm, Spinnaker
       - kubectl
  4. Hands on: Prep environment
     - Everybody needs to create their own project inside GCP
     - Billing needs to be enabled
     - We will provide you with a $40 voucher
  5. Dev Env Setup for the Workshop
     - Create Google Cloud Project (link) using our voucher
     - Install GCE command line tools: https://docs.google.com/document/d/1E03-g0h3MgFlohXqPNYCjl7Pv_CA_l0zhD6K3MZ8O0M/edit#heading=h.tremawe2ds3r
     - Install kubectl
     - Install Docker
     Links:
     - gcloud: https://cloud.google.com/sdk/docs/quickstart-macos
     - kubectl: `gcloud components install kubectl`
     - Docker: https://www.docker.com/products/docker-desktop
  6. Hands on: Hello world k8s
     - Goal: basic 3 tier application (frontend-middleware-backend) running on k8s
     - See the Hands on document for a global step-by-step guide
     - Verify you are connected to your own cluster: `kubectl config get-contexts`
  7. Recap
     - 3 tiers app: frontend => middleware => backend
     - backend => external service
     - No scaling (HPA) yet
     - Not much Kubernetes magic
  8. Stackdriver structured logging
     • Stackdriver by default takes stdout/stdin for your logs
     • You can have your client generate structured logging JSON to enrich your experience
     Formats
     • https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry
     • https://cloud.google.com/error-reporting/docs/formatting-error-messages#json_representation
  9. Example structured logging format

     {
       "message": "Error Message\njava.lang.NullPointerException: NPE\n\tat adam.Log4jTester.run(Log4jTester.java:16)\n\t",
       "thread": "logTestThread",
       "severity": "ERROR",
       "sourceLocation": {
         "file": "Log4jTester.java",
         "line": "16",
         "function": "adam.Log4jTester.run"
       },
       "serviceContext": {
         "service": "myservice",
         "version": "1.0.0"
       }
     }
  10. Hands on: Monitoring with Stackdriver
      - Goal: Learn about metrics emission towards Stackdriver and how to get Kubernetes metrics into Stackdriver
  11. DEMO: Philips Hue setup - signals
      1. Latency - websocket latency
      2. Traffic - connections opening/closing // messages today
      3. Errors - bridge answered with a failure
      4. Saturation - capacity left
  12. Hands on: Cloud Debugger
      Use your knowledge from previous parts to:
      1) Local milestone: run a Node.js app with Cloud Debugger integration and capture a snapshot in Stackdriver
      2) k8s milestone with baked-in secrets: deploy the same app with secrets included in the container
      3) k8s bonus milestone: mount the secrets as a k8s resource (The Right Way)
  13. Cloud Debugger Hands On
      - Cloud Debugger allows for investigating the state of a web application running in GCE
      - Somewhat less extensive than typical debuggers you might be used to: no step over, this is only a snapshot
      - Cloud Debugger needs to be installed in the webapp you want to debug
      - We will use a minimal app with Cloud Debugger enabled
  14. Debugger needs a service account ...
      - The Debugger Agent needs a Service Account key to connect to your project and submit snapshots
      - The key is a secret, you cannot check it into the repo
      - Fortunately K8s has first class support for secrets
  15. Material for the open-ended milestone
      - K8s Deployments: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
      - K8s Secrets docs: https://kubernetes.io/docs/concepts/configuration/secret/
      - Mounting volumes: https://kubernetes.io/docs/concepts/storage/volumes/
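The bonus milestone ("mount the secrets as a k8s resource") written out as manifests. This is an added example, not part of the workshop material: the Secret name `debugger-sa-key`, the Deployment name `cloud-debugger-demo`, the image path and the mount path are placeholders. It assumes the Node.js debug agent finds the key through the standard `GOOGLE_APPLICATION_CREDENTIALS` variable, so the key never goes into the image or the repo; it only exists as a Secret object in the cluster and is projected read-only into the pod at runtime.

```yaml
# Added example (not from the workshop material). Keeps the debugger
# service-account key out of the container image: it lives in a Secret
# and is mounted read-only into the pod.
apiVersion: v1
kind: Secret
metadata:
  name: debugger-sa-key          # placeholder name
type: Opaque
stringData:
  # Placeholder: paste the JSON key downloaded from the service account here,
  # or create the Secret from the file instead (see usage note below).
  key.json: |
    { "type": "service_account", "PLACEHOLDER": "replace with the real key" }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloud-debugger-demo      # placeholder name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cloud-debugger-demo
  template:
    metadata:
      labels:
        app: cloud-debugger-demo
    spec:
      containers:
      - name: app
        image: gcr.io/PROJECT_ID/cloud-debugger-demo:1.0.0   # placeholder image
        env:
        # Standard Google auth variable; the agent reads the key from this path
        # at start-up, so no key material is built into the image.
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /var/secrets/google/key.json
        volumeMounts:
        - name: sa-key
          mountPath: /var/secrets/google
          readOnly: true            # the app has no reason to modify the key
      volumes:
      - name: sa-key
        secret:
          secretName: debugger-sa-key
          defaultMode: 0440         # owner/group read only inside the pod
```

Instead of pasting the key into `stringData`, the Secret can be created straight from the downloaded file with `kubectl create secret generic debugger-sa-key --from-file=key.json=./key.json`, which keeps the key out of any manifest that ends up in version control. Rotating the key is then a matter of replacing the Secret and restarting the pods, with no image rebuild.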
  16. Agenda
      - Now ✔ Introductions + Setup environments + K8s hello world
      - 10:00 ✔ Monitoring & Alerting
      - 11:00 ✔ Diagnosing & Resolving issues
      - 12:00 ✔ Lunch
      - 13:00 Network Policies
      - 14:00 Istio
      - 14:45 Multi Region
      - 15:30 Free form discussion
      - 16:30 Wrap up
  17. Kubernetes networking basics
      - Kube DNS and kube-proxy
      - Services and name resolving
      - Load balancers and access to the cluster
  18. Network Policies
      - Implemented on OSI Level 3 (iptables -> kernel)
      - Many implementations possible; we will use Calico during the workshop, this is also what we use at Hue
      - Ingress and Egress
  19. Network Policies Hands On
      - Assumption: everyone has access to the cluster with billing on
      - Create a deployment and a service with NGINX serving the default NGINX welcome page on port 80:
        `kubectl run apiserver --image=nginx --labels app=bookstore,role=api --expose --port 80`
      - Verify that it works:
        - Create and log into a second container: `kubectl run test-$RANDOM --rm -i -t --image=alpine`
        - Send a request from the new container to the api container
        - You should get a 200 OK and the HTML of a welcome page
      - We will use this deployment for the rest of the Hands-on
  20. Network Policies Hands On
      - Restrict access to a pod based on label
      - https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/02-limit-traffic-to-an-application.md
      - Only requests coming from pods with the given label
  21. Network Policies Hands On
      - https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/02a-allow-all-traffic-to-an-application.md
      - Allow all with an empty ingress access selector
      - This Network Policy does not apply to traffic from outside the cluster though ...
  22. Network Policies Hands On
      - https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/08-allow-external-traffic.md
      - [] allows ALL traffic, also from outside the cluster (if the pod is exposed)
      - It is often useful to restrict access to one port only; the [] ingress selector can be combined with other rules such as "port"
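The label restriction from slide 20 and the port restriction from slide 22, written as two complete NetworkPolicy objects for the `apiserver` deployment created on slide 19 (labels `app=bookstore,role=api`). This is an added example and not part of the recipes or the workshop material; the policy names are placeholders. One caveat worth being precise about: the `[]` that allows everything is the empty `from: []` inside an ingress rule. An empty top-level `ingress: []` (no rules at all) means the opposite, deny all ingress to the selected pods. Both policies only take effect on a cluster whose network plugin enforces NetworkPolicy, such as Calico as used in the workshop.

```yaml
# Added example (not from the workshop material). Both policies select the
# apiserver pods from the hands-on (labels app=bookstore, role=api).
#
# Policy 1: only pods labelled app=bookstore in this namespace may reach the
# API pods, and only on TCP/80. Once any policy selects a pod, everything not
# explicitly allowed is dropped: pods without the label, other namespaces,
# other ports, and traffic from outside the cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-bookstore-only   # placeholder name
spec:
  podSelector:
    matchLabels:
      app: bookstore
      role: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: bookstore
    ports:
    - protocol: TCP
      port: 80
---
# Policy 2: allow any source (including outside the cluster, when the service
# is exposed) but only on TCP/80. `from: []` inside a rule means "all
# sources"; do not confuse it with a top-level `ingress: []`, which has no
# rules and therefore denies all ingress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-external-port-80   # placeholder name
spec:
  podSelector:
    matchLabels:
      app: bookstore
      role: api
  policyTypes:
  - Ingress
  ingress:
  - from: []
    ports:
    - protocol: TCP
      port: 80
```

Policies are additive: if both are applied, the second one already allows everything the first one allows, so apply one at a time to see the effect. From the alpine test pod of slide 19, `wget -qO- -T 2 http://apiserver` should return the welcome page while the pod carries `app=bookstore` and time out after the label is removed; with the second policy, the request succeeds on port 80 regardless of label, and a request to any other port times out.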
  23. Caveats
      - Istio replaces network policies (default Calico on GKE) AFAIK
      - Kubernetes master access from a service still requires k8s RBAC
      - Managed Istio (GKE) is not GA yet, expected somewhere in 2019
  24. Going Multi-region with K8s on Google Cloud
      - Regions vs Zones
      - Some services are bound to regions, Nodes are bound to zones
      - It is possible to establish multi-regional load balancers
      - A K8s cluster itself always lives within one region; it can span multiple zones on highly available clusters
  25. Multi-Region support out of the box
      • Google Cloud Datastore
      • Google Cloud KMS
      • Google Cloud Storage
      • Google BigQuery
      • Google Cloud Spanner
  26. Kubernetes Federation (Going multi-region)
      - By default K8s runs in a single Zone with all of its nodes
      - It is also possible to create a high-availability regional cluster; its nodes span multiple zones of the same region
      - There is no support for full federation, i.e. a cloud-wide or true multi-region k8s cluster
      - It is however possible to set up a multi-region load balancer that directs requests to the respective regional clusters
  27. Let's try it ourselves!
      - https://cloud.google.com/load-balancing/docs/https/cross-region-example
      - Big picture:
        - We need to set up two instance groups on Google Compute Engine, each in a different region
        - Configure a Load Balancer pointing to these groups
  28. DONE!
      - Now ✔ Introductions + Setup environments + K8s hello world
      - 10:00 ✔ Monitoring & Alerting
      - 11:00 ✔ Diagnosing & Resolving issues
      - 12:00 ✔ Lunch
      - 13:00 ✔ Network Policies
      - 14:00 ✔ Istio
      - 14:45 ✔ Multi Region
      - 15:30 ✔ Free form discussion
      - 16:30 ✔ Wrap up