Fiabiliser ses déploiements sur Kubernetes

1 Pyxida © 2018 - Reproduction interdite sans autorisation préalable
Bordeaux 33000 > France > www.pyxida.io Fiabiliser ses mises en production avec Kubernetes Meetup CNCF Bordeaux #5 Etienne Coutaud 4 Juin 2019

Founder @Pyxida Certiﬁed Kubernetes Administrator (CKA) https://github.com/etiennecoutaud @etiennecoutaud whoami : Etienne Coutaud

Une bonne mise en production ? • Invisible • Indolore • Maîtrisée • Choisie

Les déploiements sur Kubernetes apiVersion: apps/v1 kind: Deployment metadata: name: myapp labels: app: myapp spec: replicas: 3 selector: matchLabels: app: myapp template: metadata: labels: app: myapp spec: containers: - name: myapp image: myapp:v1.0.0 ports: - containerPort: 8080 [...]

Ma mise en prod en v2.0.0 ? $> kubectl set image deployment/myapp myapp=myapp:v2.0.0 apiVersion: apps/v1 kind: Deployment metadata: name: myapp labels: app: myapp spec: replicas: 3 selector: matchLabels: app: myapp template: metadata: labels: app: myapp spec: containers: - name: myapp image: myapp:v2.0.0 ports: - containerPort: 8080 [...]

Le mécanisme du rolling update (1/6) myapp.pyxida.io 100% -> v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0

Le mécanisme du rolling update (2/6) myapp.pyxida.io 100% -> v1.0.0 myapp:v2.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 $> kubectl set image deployment/myapp myapp=myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 Check santé du pod

Le mécanisme du rolling update (3/6) myapp.pyxida.io 67% -> v1.0.0 33% -> v2.0.0 myapp:v2.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v2.0.0 myapp:v2.0.0

Le mécanisme du rolling update (4/6) myapp.pyxida.io 33% -> v1.0.0 67% -> v2.0.0 myapp:v2.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0

Le mécanisme du rolling update (5/6) myapp.pyxida.io 100% -> v2.0.0 myapp:v2.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0

Le mécanisme du rolling update (6/6) myapp.pyxida.io 100% -> v2.0.0 myapp:v2.0.0 myapp:v1.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0

Une bonne liveness et Readiness ﬁabilise ce mécanisme apiVersion: apps/v1 kind: Deployment metadata: name: myapp [...] spec: replicas: 3 [...] template: [...] spec: containers: - name: myapp image: myapp:v2.0.0 ports: - containerPort:8080 livenessProbe: httpGet: path: /healthz port: 8080 readinessProbe httpGet: path: /ready port: 8080 KO KO OK Kubernetes tente de redémarrer le pod OK OK KO Le pod sort du loadbalancing

Généralités sur les probes Liveness et Readiness se conﬁgure de la même manière 3 façon de faire des probes • La requête HTTP • TCP • Script/commande Voici un bout de code qui est une liveness :) http.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(200) w.Write([]byte("ok")) })

Si on résume ce mécanisme basique • Montée de version en ZDD (Zero downtime deployment) • Transparent pour les OPS, automatisé par Kubernetes • Historique des replicasets nous permet de faire un rollout Ce mécanisme nous empêche cependant de pouvoir tester le comportement de notre application en amont dans les mêmes conditions

Testons en faisant du blue/green deployment (1/3) myapp.pyxida.io 100% -> v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0

Testons en faisant du blue/green deployment (2/3) myapp.pyxida.io 100% -> v1.0.0 0% -> v2.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0

Testons en faisant du blue/green deployment (3/3) myapp.pyxida.io 0% -> v1.0.0 100% -> v2.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0

Juste une histoire de labels (1/2) apiVersion: apps/v1 kind: Deployment metadata: name: myapp spec: replicas: 3 selector: matchLabels: app: myapp version: v1.0.0 template: metadata: labels: app: myapp version: v1.0.0 spec: containers: - name: myapp image: myapp:v1.0.0 ports: - containerPort: 8080 name: http [...] apiVersion: apps/v1 kind: Deployment metadata: name: myapp spec: replicas: 3 selector: matchLabels: app: myapp version: v2.0.0 template: metadata: labels: app: myapp version: v2.0.0 spec: containers: - name: myapp image: myapp:v2.0.0 ports: - containerPort: 8080 name: http [...] apiVersion: v1 kind: Service metadata: name: myapp spec: ports: - name: http port: 8080 protocol: TCP targetPort: http selector: app: myapp version: v1.0.0

Juste une histoire de labels (2/2) apiVersion: apps/v1 kind: Deployment metadata: name: myapp spec: replicas: 3 selector: matchLabels: app: myapp version: v1.0.0 template: metadata: labels: app: myapp version: v1.0.0 spec: containers: - name: myapp image: myapp:v1.0.0 ports: - containerPort: 8080 name: http [...] apiVersion: apps/v1 kind: Deployment metadata: name: myapp spec: replicas: 3 selector: matchLabels: app: myapp version: v2.0.0 template: metadata: labels: app: myapp version: v2.0.0 spec: containers: - name: myapp image: myapp:v2.0.0 ports: - containerPort: 8080 name: http [...] apiVersion: v1 kind: Service metadata: name: myapp spec: ports: - name: http port: 8080 protocol: TCP targetPort: http selector: app: myapp version: v2.0.0

Si on résume ce mécanisme • Mise en production consiste uniquement en l’update d’un service pour faire pointer vers un nouveau label • La nouvelle stack peut être montée et testée en amont • Rollout simpliﬁé, il suffit de refaire pointer le service vers l’ancienne version Cependant : • C’est raté pour le ZDD • La nouvelle stack peut être tester sur la même infrastructure mais pas dans les mêmes conditions que la “vrai” production

Passons au canary release

Mécanisme général du canary deployment myapp:v1.0.0 myapp:v2.0.0 30% 70%

Sur Kubernetes - Méthode 1 : Avec les replicas myapp.pyxida.io 67% -> v1.0.0 33% -> v2.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0

apiVersion: v1 kind: Service metadata: name: myapp spec: ports: - name: http port: 8080 protocol: TCP targetPort: http selector: app: myapp Toujours une histoire de labels apiVersion: apps/v1 kind: Deployment metadata: name: myapp spec: replicas: 3 selector: matchLabels: app: myapp version: v1.0.0 template: metadata: labels: app: myapp version: v1.0.0 spec: containers: - name: myapp image: myapp:v1.0.0 ports: - containerPort: 8080 name: http [...] apiVersion: apps/v1 kind: Deployment metadata: name: myapp spec: replicas: 3 selector: matchLabels: app: myapp version: v2.0.0 template: metadata: labels: app: myapp version: v2.0.0 spec: containers: - name: myapp image: myapp:v2.0.0 ports: - containerPort: 8080 name: http [...]

Peu précis et gourmand en pods Version A Version B % voulu Nbr conteneurs % voulu Nbr conteneurs 99 99 1 1 85 6 15 1 70 2 30 1 50 1 1 1

Si on résume ce mécanisme • Mécanisme de canary release “by design” • Permet un déploiement progressif Cependant : • Pas très précis • Les proportions ne sont plus bonne en cas d’autoscalabilité

Et si on passait par les ingress ?

Un “vrai” canary release myapp.pyxida.io myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 86% 14% myapp-v1 myapp-v2

C’est là que cela se passe apiVersion: extensions/v1beta1 kind: Ingress metadata: annotations: traefik.ingress.kubernetes.io/service-weights: | myapp-v1: 86% myapp-v2: 14% name: my-app spec: rules: - http: paths: - backend: serviceName: myapp-v1 servicePort: 8080 path: / - backend: serviceName: myapp-v2 servicePort: 8080 path: /

Si on résume ce mécanisme • Les annotations facilitent la mise en place. • Traeﬁk et Nginx supportent cette feature • Contrôle ﬁn sur les pourcentages • Plus de problème liés à la scalabilité Cependant : • Quid des services internes qui ne sont pas exposé par une Ingress ?

Besoin d’un maillage plus ﬁn du réseau

Architecture de Istio

Notre archi avec Istio myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: myapp spec: hosts: - myapp http: - route: - destination: host: myapp subset: v1.0.0 weight: 90 - destination: host: myapp subset: v2.0.0 weight: 10 myapp apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: myapp spec: host: myapp subsets: - name: v1.0.0 labels: version: v1.0.0 - name: v1.0.0 labels: version: v1.0.0

apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: myapp spec: host: myapp subsets: - name: v1.0.0 labels: version: v1.0.0 - name: v2.0.0 labels: version: v2.0.0 Notre archi avec Istio myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: myapp spec: hosts: - myapp http: - route: - destination: host: myapp subset: v1.0.0 weight: 90 - destination: host: myapp subset: v2.0.0 weight: 10 myapp

apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: myapp spec: host: myapp subsets: - name: v1.0.0 labels: version: v1.0.0 - name: v2.0.0 labels: version: v2.0.0 Notre archi avec Istio myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: myapp spec: hosts: - myapp http: - route: - destination: host: myapp subset: v1.0.0 weight: 90 - destination: host: myapp subset: v2.0.0 weight: 10 myapp Labels des pods

apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: myapp spec: host: myapp subsets: - name: v1.0.0 labels: version: v1.0.0 - name: v2.0.0 labels: version: v2.0.0 Notre archi avec Istio myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: myapp spec: hosts: - myapp http: - route: - destination: host: myapp subset: v1.0.0 weight: 90 - destination: host: myapp subset: v2.0.0 weight: 10 myapp

apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: myapp spec: host: myapp subsets: - name: v1.0.0 labels: version: v1.0.0 - name: v2.0.0 labels: version: v2.0.0 Notre archi avec Istio myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: myapp spec: hosts: - myapp http: - route: - destination: host: myapp subset: v1.0.0 weight: 90 - destination: host: myapp subset: v2.0.0 weight: 10 myapp 90% 10%

Un service mesh est donc la meilleure solution ? • Gestion fine du trafic • Géré par des ressources externes à la base de l’architecture • Gestion au niveau du service donc feature disponible à tout niveau Cependant : • Complexifie l’architecture • Plus compliqué à debugger • Mais surtout ...

Et si on le faisait nous même ? myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v1.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp:v2.0.0 myapp-v1 myapp-v2 myapp backend balance roundrobin server srv1 myapp-v1:8080 weight 90 server srv2 myapp-v2:8080 weight 10 90% 10%

De manière automatisée c’est mieux

Automatisation de l’opérateur (1/2)

Automatisation de l’opérateur (2/2)

Bordeaux 33000 > France > www.pyxida.io Take Away ! • Plein de façons de gérer ses déploiements sur k8s • Votre méthode de MEP reﬂète votre organisation • Sans test, le blue/green ne sert à rien • Sans métrique, oubliez le canary • Les services mesh apportent des features … • mais aussi de la complexité • La meilleure des MEP est celle que vous avez décidée

www.pyxida.io Bordeaux 33000 > France > www.pyxida.io

Fiabiliser ses déploiements sur Kubernetes

Fiabiliser ses déploiements sur Kubernetes

More Decks by Etienne Coutaud

Other Decks in Technology

Featured

Transcript