Learning Kubernetes Is Not About Becoming a YAML Engineer

Kyle Bai
August 01, 2020


Transcript

  1. @k2r2bai Learning Kubernetes Is Not About Becoming a YAML Engineer. COSCUP 2020. Sorry, actually I'm just a YAML Engineer too.
  2. @k2r2bai About Me: 白凱仁 (Kyle Bai) • Site Reliability Engineer at AMIS/MaiCoin • Co-organizer of Cloud Native Taiwan User Group • Interested in emerging technologies • Contributor to multiple OSS • Top 3 Kubernetes contributor in Taiwan (kairen, k2r2bai.com, https://k8s.devstats.cncf.io)
  3. @k2r2bai Kubernetes • Container orchestration • Self-healing • Horizontal scaling • Service discovery and load balancing • Automated rollouts and rollbacks • Secrets and configuration management • Storage orchestration
  4. Attention to detail

  5. @k2r2bai Here's an example (栗子, "chestnut", is internet slang for 例子, "example")

  6-14. @k2r2bai
    $ cat <<EOF > pod.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: test-pod
    spec:
      containers:
      - image: k8s.gcr.io/test-webserver
        name: test-container
        volumeMounts:
        - mountPath: /test-pd
          name: test-volume
        ports:
        - containerPort: 80
      volumes:
      - name: test-volume
        hostPath:
          path: /data
          type: Directory
    EOF
    $ kubectl apply -f pod.yaml
    $ kubectl expose pod test-pod --port 80 --type LoadBalancer
    $ curl <IP>:<port>
    curl: (7) Failed to connect to <IP> port <port>: Network is unreachable
    $ kubectl logs -f test-pod
    $ kubectl exec -ti test-pod sh
    $ kubectl port-forward service/test-pod 80:8080
    #CantFindTheProblem #JustLikeLove
    P.S. Posted with the person's consent, but the person still needs protecting.
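Before any of the debugging on the slide, the manifest itself deserves a second look. The following is an added example, not code from the talk: it transcribes the slide's pod.yaml as a Python dict (Kubernetes treats YAML and JSON manifests identically, so the structure is the same one `yaml.safe_load` would give) and runs the checks a reviewer would want before `kubectl apply`: hostPath volumes and how they are mounted, host namespaces, privileged containers, untagged images, and the run-as-root default. It does not diagnose the `Network is unreachable` error; it is the "attention to detail" step that comes first.

```python
"""Pre-apply review of a Pod manifest.

Added example, not from the talk. POD is the slide's pod.yaml transcribed as a
Python dict (with PyYAML installed, yaml.safe_load(open("pod.yaml")) yields the
same structure).
"""

# The slide's manifest, transcribed.
POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "test-pod"},
    "spec": {
        "containers": [
            {
                "image": "k8s.gcr.io/test-webserver",
                "name": "test-container",
                "volumeMounts": [{"mountPath": "/test-pd", "name": "test-volume"}],
                "ports": [{"containerPort": 80}],
            }
        ],
        "volumes": [
            {"name": "test-volume", "hostPath": {"path": "/data", "type": "Directory"}}
        ],
    },
}

HOST_NAMESPACE_FLAGS = ("hostNetwork", "hostPID", "hostIPC")


def image_is_pinned(image):
    """True if the image reference carries a tag or digest; a bare repository
    name (as on the slide) silently resolves to :latest."""
    last = image.rsplit("/", 1)[-1]  # strip registry/path, which may itself contain a port
    return "@" in image or ":" in last


def check_pod(manifest):
    """Return (severity, message) findings for a v1 Pod manifest."""
    findings = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    host_volumes = {v["name"]: v["hostPath"] for v in spec.get("volumes", []) if "hostPath" in v}

    for flag in HOST_NAMESPACE_FLAGS:
        if spec.get(flag):
            findings.append(("high", f"{flag}: true shares the node's namespace with the pod"))

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if not image_is_pinned(c["image"]):
            findings.append(("medium", f"{name}: image {c['image']!r} has no tag or digest (implicitly :latest)"))
        if sc.get("privileged"):
            findings.append(("high", f"{name}: privileged container (all capabilities, host devices)"))
        for m in c.get("volumeMounts", []):
            if m["name"] in host_volumes:
                hp = host_volumes[m["name"]]
                mode = "read-only" if m.get("readOnly") else "read-write"
                findings.append(("high", f"{name}: mounts hostPath {hp['path']} ({hp.get('type', 'type unset')}) {mode} at {m['mountPath']}"))
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(("low", f"{name}: runAsNonRoot not set; the image's default user (often root) applies"))
    return findings


if __name__ == "__main__":
    for severity, message in check_pod(POD):
        print(f"[{severity:<6}] {message}")
```

On the slide's manifest this reports the read-write hostPath mount of /data, the untagged image and the missing runAsNonRoot. The hostPath finding is the one to act on: a read-write mount of a node directory, reachable through a LoadBalancer Service, hands whatever is in /data to anyone who reaches the web server, and the same volume type is what admission policies such as PodSecurity `restricted` forbid outright.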
  15. @k2r2bai (image slide, no text)

  16. @k2r2bai If you have enough money

  17. @k2r2bai You can pay a professional

  18. @k2r2bai But you might also pay the wrong vendor and get nothing for your money

  19. @k2r2bai Another example

  20. @k2r2bai
    $ kubectl create deploy nginx --image=nginx --replicas=3
    $ kubectl scale deploy nginx --replicas=5
  21. @k2r2bai Does everyone know what happens during these two operations?

  22. @k2r2bai (diagram slide, no text)

  23. @k2r2bai https://bit.ly/33c6zaV

  24-29. @k2r2bai (diagram slides, no text)
  30. @k2r2bai Using Docker as the example

  31. @k2r2bai (diagram slide, no text)

  32. @k2r2bai What about CNI?

  33-35. @k2r2bai (diagram slides, no text)

  36. @k2r2bai Yet another example

  37. @k2r2bai
    $ kubectl expose deploy nginx --port 80
    Cluster IP: 10.3.241.152
  38. @k2r2bai (diagram slide, no text)

  39. @k2r2bai What happens when a Container accesses the Cluster IP?

  40-44. @k2r2bai https://bit.ly/3hYXDd1
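The slides leave the answer to the linked diagram. As an added example that is not part of the talk, the Python below renders the netfilter rules kube-proxy (iptables mode) programs for the nginx Service above and walks a packet through them. The Cluster IP is the one on the slide; the pod IPs are constructed, and the chain naming mirrors kube-proxy's sha256/base32 scheme but should be read as an approximation of the real output, not a copy of it.

```python
"""What happens when a container sends a packet to a Cluster IP (kube-proxy, iptables mode).

Added example, not from the talk. The Cluster IP is the slide's; the pod IPs are
constructed; chain naming approximates kube-proxy's sha256/base32 scheme.
"""
import base64
import hashlib
import random

SERVICE = {  # the nginx Service from the slide
    "namespace": "default", "name": "nginx", "port_name": "",
    "cluster_ip": "10.3.241.152", "port": 80, "protocol": "tcp",
}
ENDPOINTS = ["10.244.1.5:80", "10.244.2.7:80", "10.244.3.2:80"]  # constructed pod IPs


def chain_name(prefix, *parts):
    """kube-proxy names chains prefix + first 16 chars of base32(sha256(parts))."""
    digest = hashlib.sha256("".join(parts).encode()).digest()
    return prefix + base64.b32encode(digest).decode()[:16]


def render_rules(svc, endpoints):
    """Rules in iptables-save form: one KUBE-SERVICES match on the Cluster IP,
    a per-service chain that load-balances with statistic matches, and one
    KUBE-SEP chain per endpoint that DNATs to the pod."""
    spn = f"{svc['namespace']}/{svc['name']}" + (f":{svc['port_name']}" if svc["port_name"] else "")
    proto = svc["protocol"]
    svc_chain = chain_name("KUBE-SVC-", spn, proto)
    sep_chains = [chain_name("KUBE-SEP-", spn, proto, ep) for ep in endpoints]

    rules = [f'-A KUBE-SERVICES -d {svc["cluster_ip"]}/32 -p {proto} '
             f'-m comment --comment "{spn} cluster IP" -m {proto} --dport {svc["port"]} -j {svc_chain}']
    n = len(endpoints)
    for i, sep in enumerate(sep_chains):
        remaining = n - i
        if remaining > 1:
            # 1/remaining of the packets that fall through to this rule take it; the
            # sequence 1/n, 1/(n-1), ..., 1 gives every endpoint an equal share overall.
            rules.append(f"-A {svc_chain} -m statistic --mode random --probability {1 / remaining:.11f} -j {sep}")
        else:
            rules.append(f"-A {svc_chain} -j {sep}")  # last endpoint matches unconditionally
    for sep, ep in zip(sep_chains, endpoints):
        rules.append(f"-A {sep} -p {proto} -m {proto} -j DNAT --to-destination {ep}")
    return rules


def pick_endpoint(endpoints, draw=random.random):
    """Walk the per-service chain the way netfilter evaluates it, top to bottom."""
    n = len(endpoints)
    for i, ep in enumerate(endpoints):
        if n - i == 1 or draw() < 1 / (n - i):
            return ep


def distribution(endpoints, samples, seed=0):
    """How many of `samples` packets each endpoint receives."""
    rng = random.Random(seed)
    counts = {ep: 0 for ep in endpoints}
    for _ in range(samples):
        counts[pick_endpoint(endpoints, rng.random)] += 1
    return counts


if __name__ == "__main__":
    print("\n".join(render_rules(SERVICE, ENDPOINTS)))
    print(distribution(ENDPOINTS, 3000))
```

The probabilities look odd in isolation (1/3, then 1/2, then unconditional) but compose to an even split, which `distribution` confirms. Two practical consequences follow from the rules: the Cluster IP exists only as a DNAT match in the node's netfilter, so nothing answers ICMP on it (ping fails while curl works), and every hop is inspectable with `iptables-save | grep 10.3.241.152` on a node, which is the check to run before blaming the application. In IPVS mode the same mapping is programmed as an IPVS virtual server instead of these chains.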

  45. @k2r2bai Still another example

  46. @k2r2bai $ kubectl delete deploy nginx

  47. @k2r2bai https://bit.ly/2PeamMQ

  48-49. @k2r2bai (diagram slides, no text)

  50. @k2r2bai One more example

  51. @k2r2bai $ kubeadm init --pod-network-cidr=10.244.0.0/16

  52-54. @k2r2bai (diagram slides, no text)

  55. @k2r2bai
    $ kubeadm join <master>:<port> \
        --token U+5149U+5FA9U+9999U+6E2F

  56-58. @k2r2bai (diagram slides, no text)

  59. @k2r2bai And there are more examples

  60. @k2r2bai A suspicious Kubeflow image was seen deployed to thousands of clusters in April, all from a single public repository. Closer inspection showed that the image runs a common open-source cryptojacking malware that mines the Monero virtual currency, known as XMRIG. Misconfigured Kubeflow workloads are a security risk https://bit.ly/2NI7Q0A
  61. @k2r2bai CVE-2019-14271 marks a security issue in the implementation of the Docker cp command that can lead to full container escape when exploited by an attacker. CVE-2019-14271 https://bit.ly/2VwF6Mr https://www.anquanke.com/post/id/193218
  62. @k2r2bai Allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers:
    • A new container with an attacker-controlled image.
    • An existing container, to which the attacker previously had write access, that can be attached with docker exec.
    CVE-2019-5736 https://www.cvedetails.com/cve/CVE-2019-5736/
  63. Core Knowledge (核心姿勢知識, a pun on 姿勢 "posture" and 知識 "knowledge")

  64. @k2r2bai Kubernetes
    • https://github.com/shubheksha/kubernetes-internals
    • https://github.com/daniel-hutao/k8s-source-code-analysis
    • https://github.com/kelseyhightower/kubernetes-the-hard-way
    • https://github.com/kubernetes/kubeadm/tree/master/docs/design
    • https://github.com/kubernetes/enhancements
    • https://github.com/containernetworking/cni/blob/master/SPEC.md
    • https://github.com/hwchiu/ithome-2020ironman
  65. @k2r2bai Distributed Systems https://bit.ly/30lgN7j

  66-67. @k2r2bai Books you may have read over the years

  68. Summary

  69. @k2r2bai Don't wear yourself out; being a YAML Engineer is fine too

  70-71. @k2r2bai (image slides, no text)

  72. @k2r2bai Really delicious

  73. @k2r2bai (image slide, no text)