Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Kubernetes Workshop @EVBox

Kubernetes Workshop @EVBox

Slides used during Kubernetes workshop at EVBox HQ (Amsterdam).

Mark van Straten

November 07, 2018

More Decks by Mark van Straten

Other Decks in Programming


  1. Agenda Now Introductions + Setup environments + K8s hello world

    10:00 Monitoring & Alerting 11:00 Diagnosing & Resolving issues 12:00 Lunch 13:00 Network Policies 14:00 Istio 14:45 Multi Region 15:30 Free form discussion 16:30 Wrap up
  2. What is k8s? - Container orchestration system - Developed initially

    by Google now open source - By default works with Docker images - Provides framework for configuring deployment, networking and scaling
  3. Why people use k8s? - Scalability! Strong toolkit for (esp.

    Horizontal) scaling - Scaling on RAM/CPU out of the box - Vertical pod scaling also possible - Custom scaling methods possible - Smart rollout strategies - Good abstractions for container orchestration - Network Policies - RBAC - Secrets/Config management - Powerful ecosystem for common tasks - Monitoring: Stackdriver, adapters for others like datadog or prometheus - CI/CD: Helm, Spinnaker - kubectl
  4. Hands on: Prep environment - Everybody needs to create its

    own project inside GCP - Billing needs to be enabled - We will provide you with a $40 voucher
  5. Dev Env Setup for the Workshop - Create Google Cloud

    Project (link) using our voucher - Install GCE command line tools - https://docs.google.com/document/d/1E03-g0h3MgFlohXqPNYCjl7Pv_CA_l0z hD6K3MZ8O0M/edit#heading=h.tremawe2ds3r - Install kubectl - Install docker gcloud - https://cloud.google.com/sdk/docs/quickstart-macos kubectl - `gcloud components install kubectl` Docker - https://www.docker.com/products/docker-desktop
  6. Hands on: Hello world k8s - Goal: basic 3 tier

    application (frontend-middleware-backend) running on k8s - See the Hands on document for a global step-by-step guide Verify you are connectected to your own cluster: Kubectl config get-contexts
  7. Recap 3 tiers app frontend => middleware => backend backend

    => external service No scaling (HPA) yet Not much kubernetes magic
  8. Stackdriver structured logging • Stackdriver by default takes stdout/stdin for

    your logs • You can have your client generate structured logging json to enrich your experience Formats • https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry • https://cloud.google.com/error-reporting/docs/formatting-error-messages#json _representation
  9. Example structured logging format { "message": "Error Message\njava.lang.NullPointerException: NPE\n\tat adam.Log4jTester.run(Log4jTester.java:16)\n\t",

    "thread": "logTestThread", "severity": "ERROR", "sourceLocation": { "file": "Log4jTester.java", "line": "16", "function": "adam.Log4jTester.run" }, "serviceContext": { "service": "myservice", "version": "1.0.0" } }
  10. Handson - Monitoring with stackdriver Goal: Learn about metrics emissions

    towards stackdriver and how to get kubernetes metrics into stackdriver
  11. DEMO: Philips Hue setup - signals 1. Latency - websocket

    latency 2. Traffic - connections opening/closing // messages today 3. Errors - bridge answered with a failure 4. Saturation - capacity left
  12. Handson: Cloud debugger Use your knowledge from previous parts to:

    - 1) Local milestone: run a Nodejs app with cloud debugger integration and capture a snapshot in Stackdriver - 2) k8s milestone with baked in secrets: deploy the same app with secrets included in the container - 3) k8s bonus milestone: Mount the secrets as a k8s resource (The Right Way)
  13. Cloud Debugger Hands On - Cloud debugger allows for investigating

    state of a web application running in GCE - Somewhat less extensive than typical debuggers you might be used to: no step over, this is only a snapshot - Cloud debugger needs to be installed in the webapp you want to debug - We will use a minimal app with cloud debugger enabled
  14. Debugger needs a service account ... - Debugger Agent needs

    a Service Account key to connect to your project and submit snapshots - The key is a secret, you cannot check it in into the repo - K8s has a first class support for secrets fortunately
  15. Material for the open-ended mile-stone - K8s Ddeployments https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ -

    K8s Secrets docs: https://kubernetes.io/docs/concepts/configuration/secret/ - Mounting volumes: https://kubernetes.io/docs/concepts/storage/volumes/
  16. Agenda Now ✔ Introductions + Setup environments + K8s hello

    world 10:00 ✔ Monitoring & Alerting 11:00 ✔ Diagnosing & Resolving issues 12:00 ✔ Lunch 13:00 Network Policies 14:00 Istio 14:45 Multi Region 15:30 Free form discussion 16:30 Wrap up
  17. Kubernetes networking basics - Kube dns and kube proxy -

    Services and name resolving - Load balancers and access to the cluster
  18. Network Policies - Implemented on OSI Level 3 (iptables->kernel) -

    Many implementations possible, we will use Calico during the workshop, this is also what we use at Hue - Ingress and Egress
  19. Network Policies Hands On - Assumption: everyone has access to

    the cluster with billing on - Create a deployment and a service with NGINX serving default NGINX welcome page on port 80 - kubectl run apiserver --image=nginx --labels app=bookstore,role=api --expose --port 80 - Verify that it works: - Create and login into a second container: kubectl run test-$RANDOM --rm -i -t --image=alpine - Send a request from the new container to the api container - You should get a 200 OK and HTML of a welcome page - We will use this deployment for the rest of the Hands-on
  20. Network Policies Hands On - Restrict access to a pod

    based on label - https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/02-l imit-traffic-to-an-application.md - Only requests coming from pods with given label
  21. Network Policies Hands On - https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/02a -allow-all-traffic-to-an-application.md - Allow all

    with empty ingress access selector - This Network policy does not apply to the traffic from the outside of the custer though ...
  22. Network Policies Hands On - https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/08- allow-external-traffic.md - [] allows

    ALL traffic, also from the outside of the cluster (if the pod is exposed) - It is often useful to restrict access to one port only, [] ingress selector can be combined with other rules such as “port”
  23. Caveats Istio replaces network policies (default Calico on GKE) AFAIK

    Kubernetes master access from service still requires k8s-rbac Managed Istio (GKE) is not GA yet, expected somewhere 2019
  24. Going Multi-region with K8s on Google Cloud - Regions Vs

    Zones - Some services are bound to regions, Nodes are bound to zones - It is possible to establish Multiregional Loadbalancers - K8s cluster self lives always within one region, can span multiple zones on highly available clusters
  25. Multi-Region support out of the box • Google Cloud Datastore

    • Google Cloud KMS • Google Cloud Storage • Google BigQuery • Google Cloud Spanner
  26. Kubernetes Federation (Going multi-region) - By default K8S rus on

    a single Zone with all of its nodes - It is also possible to create a high-availability regional cluster, its nodes span multiple zones of the same region - There is no support for full federation, i.e. cloud wide or true multi-region k8s cluster. - It is however possible to set-up a multiregion load balancer that directs requests to respective regional clusters
  27. Lets try it ourselves! - https://cloud.google.com/load-balancing/docs/https/cross-region-example - Big picture: -

    We need to setup two instance groups on Google Compute Engine, each in a different region - Configure a Load Balancer pointing to these groups
  28. DONE! Now ✔ Introductions + Setup environments + K8s hello

    world 10:00 ✔ Monitoring & Alerting 11:00 ✔ Diagnosing & Resolving issues 12:00 ✔ Lunch 13:00 ✔ Network Policies 14:00 ✔ Istio 14:45 ✔ Multi Region 15:30 ✔ Free form discussion 16:30 ✔ Wrap up