$30 off During Our Annual Pro Sale. View Details »

本番環境のKubernetesマニフェストに 最低限必要な 7 のこと @ Japan Container Days v18.12 / jkd1812-prd-manifests

Masaya Aoyama (@amsy810)
December 04, 2018
Technology
21
5.7k

本番環境のKubernetesマニフェストに 最低限必要な 7 のこと @ Japan Container Days v18.12 / jkd1812-prd-manifests

Kubernetesのマニフェストに記述可能な項目は多岐にわたります。本セッションでは、プロダクションで利用するにあたり、最低限設定する必要のある頻出パターンとして、下記の7項目について説明します。

コンテナのライフサイクル(起動時)
コンテナのライフサイクル(停止時)
ヘルスチェック
メンテナンスとアップデート
スケジューリング
リソースの割り当てと基準
カーネルパラメータのチューニング
インターネットからのアクセス制御

Masaya Aoyama (@amsy810)

December 04, 2018
Tweet

More Decks by Masaya Aoyama (@amsy810)

See All by Masaya Aoyama (@amsy810)
Kubernetes as a Service の利用者を支える機能 - Platform Engineering Meetup #1 / pfem01-amsy810-k8s
masayaaoyama
1
1.6k
Kubernetes基盤を自律的に支えるController化の実装Tips / forkwell-202303-amsy810-k8s
masayaaoyama
6
3.3k
CyberAgentにおけるKubernetes as a Serviceの歩みと利用者を支える機能 / cainfra01-amsy810-kubernetes
masayaaoyama
2
1.3k
KubeClarityで始めるSBOM管理 @3-shake SRE Tech Talk / 3-shake-sre-teck-talk-202212
masayaaoyama
0
580
KubeCon + CNCon NA 2022 Overview & Towards Something Better Than CRDs In a Post-Operator World / k8sjp54-kubecon-recap
masayaaoyama
0
810
KubeCon + CloudNativeCon NA 2022 帰国後即日 Recap LT TechFeed Experts Night #7 / techfeed-expert-night-7-amsy810
masayaaoyama
0
440
Kubernetesクラスタ内のリソースに 柔軟なフィルタリングをかける方法 3-shake SRE Tech Talk #4 LT / SRETT4-LT-amsy810
masayaaoyama
0
310
KubeCon + CloudNativeCon EU 2022 Recap Kubernetes Meetup Tokyo #51 / k8sjp51-kubecon-eu-2022-recap
masayaaoyama
0
330
ebpfとWASMに思いを馳せる2022 / techfeed-conference-2022-ebpf-wasm-amsy810
masayaaoyama
1
1.5k

Other Decks in Technology

See All in Technology
論文紹介: Improving Implicit Feedback-Based Recommendation through Multi-Behavior Alignment(Xin Xin et al., 2023)
hakubishin3
0
170
LLMを活用した爆速アウトプットのすゝめ / bakusoku-outputs-with-llm
yuya4
8
3.9k
Kaggle Tokyo Meetup2023 CommonLit Solutionの紹介と考え方 - Fulltrain戦略と(Seed/Model)Ensembleの可視化 -
chumajin
2
920
エンジニア不足の中で どう技術的負債と向き合ったのか RevComm Research の場合 -
revcomm_inc
4
3.2k
ROSCon 2023参加報告:Real-Time Workshop & Zenoh's Current Status and Forecast
takasehideki
1
210
CTO of the year 2023ピッチ資料(オーディエンス賞)チューリングCTO青木
aoshun7
0
250
dbt Coreとdbt-athenaによるAWS上のdbt環境構築ナレッジ
nayuts
0
170
The future is already here – Mastering the challenges of the coming years
ufried
0
270
「極意本」サンプルコードをクラウド上で動かそう
upura
1
570
visionOSについてGlobeeが取り組んでいること
toshi0383
0
230
GPT APIを使ったテキスト生成コンペ@YANS2023に参加した話
naohachi89
2
670
Kuma UIのこれまでとこれから
poteboy
5
3.1k

Featured

See All Featured
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
2k
Fantastic passwords and where to find them - at NoRuKo
philnash
34
2.3k
It's Worth the Effort
3n
180
27k
A Modern Web Designer's Workflow
chriscoyier
688
190k
Raft: Consensus for Rubyists
vanstee
130
6k
Producing Creativity
orderedlist
PRO
335
38k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
351
28k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.7k
The Illustrated Children's Guide to Kubernetes
chrisshort
26
45k
A better future with KSS
kneath
230
16k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.4k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
656
120k

Transcript

  1. Masaya Aoyama
    CyberAgent adtech studio
    ຊ൪؀ڥͷKubernetesϚχϑΣετʹ
    ࠷௿ݶඞཁͳ ͷ͜ͱ
    Japan Container Days v18.12
    MasayaAoyama @amsy810

    View Slide

  2. Japan Container Days v18.04 Keynote
    Cloud Native Day Tokyo co-chair
    Cloud Native Meetup Tokyo Organizer (+ KubeCon)

    for Kubernetes
    CKA #138CKAD #2
    OpenStack / Kubernetes Contributor
    Masaya Aoyama (@amsy810)
    Infrastructure Engineer

    View Slide

  3. Hobby == Kubernetes


    View Slide

  4. Agenda
    page
    04
    • &#%32+/4
    • &#%3(0/4
    • %
    • !&&'
    • "'$&
    • $'*-,1

    '%#!'"'&
    • &').

    View Slide



  5. spec.containers[].command
    spec.initContainers[]
    spec.containers[]
    spec.containers[].lifecycle.postStart

    View Slide

  6. 0<3/>@:=
    page
    06
    1. Entrypoint
    +2/>@
    • $(( $*4"&5;
    2. Init Containers1?
    • $((
    1?"&-8)5;
    • $((
    1?"&. ,
    3. Sidecar !*(
    *;9
    • *( *;9
    4. postStart %#1?
    • $(#'6@7$((
    6@

    View Slide

  7. 1. Entrypoint!
    "
    page
    07
    • Entrypoint!
    "
    • ex) #
    % $

    View Slide

  8. 1. Entrypoint!
    "
    page
    08
    • Entrypoint!
    "
    • ex) #
    % $

    View Slide

  9. 2. Init Container'
    page
    09
    • #&* ,
    • $("Volume%)
    • +
    -!
    Volume
    Store data Use data

    View Slide

  10. 2. Init Container
    page
    010



    Immutable Infrastructure

    View Slide

  11. 3. Sidecar %$
    page
    011
    • Pod
    Main , Sidecar
    • "'(
    Init Container !)*(
    %$ +
    • ex) #&(
    !&
    Volume
    Store data Use data

    View Slide

  12. 4. postStart $
    page
    012

    &%! () &*

    (#"'
    postStart
    script
    main process (entrypoint)

    View Slide

  13. !
    page
    013


    $
    %#
    1. entrypoint $ %
    2. initContainers $ %
    3. Sidecar $ "
    4. postStart $ %

    View Slide



  14. spec.restartPolicy
    spec.containers[].lifecycle.preStop
    Spec.terminationGracePeriodSeconds

    View Slide

  15. spec.restartPolicy (Pod)
    page
    015
    • Always
    • Pod Pod
    • OnFailure
    • PodPod
    • Never
    • Pod
    Pod
    Deployment Always
    Job OnFailure or Never

    View Slide


  16. page
    016
    +0s
    Terminating
    SIGTERM
    preStop
    (optional)
    Service

    SIGKILL
    Running
    spec.terminationGracePeriodSeconds = 30
    (
    30 )
    ~ 30s

    View Slide

  17. !
    page
    017
    +0s
    Terminating
    SIGTERM
    "
    preStop "
    Service
    &"
    SIGKILL "
    Running
    spec.terminationGracePeriodSeconds = 30
    ( 30 #)
    preStop "$
    2# SIGTERM "%
    +32s
    +30s

    View Slide


  18. spec.containers[].livenessProbe
    spec.containers[].readinessProbe

    View Slide

  19. "-#

    page
    019
    spec.containers[].livenessProbe
    Check %)*!+
    0" (1
    ,'&/
    spec.containers[].readinessProbe
    Check %)* Service .$
    Service-In ,

    View Slide



  20. PodDisruptionBudget

    View Slide

  21. ); $ &?
    page
    021
    kubectl drain' #$ $<+0@,>
    A7Pod4.
    -96*,>3…
    !%$%5/PDB
    =2(5/B
    "%-:18

    View Slide


  22. spec.nodeSelector
    spec.affinity.nodeAffinity
    spec.affinity.podAffinity
    spec.affinity.podAntiAffinity
    spec.torelations (+ taints)
    spec.priorityClassName (+ PriorityClass)

    View Slide

  23. *(
    page
    023
    1. 2+0 Node Affinity5nodeSelector6
    • &/
    2. Node Affinity / Node Anti-Affinity
    • -3 ,!(#
    .'
    • )4,!"$,!
    3. Inter-Pod Affinity / Inter-Pod Anti-Affinity
    • .'Pod51%6

    View Slide

  24. NodePool / Instance Group
    page
    024
    +#)% &$'
    • GKE NodePool
    • EKS Instance Group
    K8s "!
    *(Node

    View Slide

  25. Kubernetes

    page
    025
    Taints / Tolerations PriorityClass

    View Slide



  26. spec.containers[].resources.requests
    spec.containers[].resources.limits
    LimitRange

    View Slide

  27. $+
    page
    027
    Limits5"/3
    !.2
    Requests5"/ 3
    , #/
    *4 ! "(&
    ClusterAutoscaler Pending status Pod )'0%
    Requests
    -1

    View Slide

  28. page
    028
    Kubernetes Node
    Allocatable CPU: 1000m
    Requests(%) ": 1000m
    & $: 10m
    Request(%) : 100m
    & #!


    Cluster Autoscale
    Requests '

    View Slide

  29. page
    029
    Requests(&) #: 100m
    ' !%: 10000m
    Request(&) : 10m
    ' $"(


    Cluster Autoscale
    Requests
    Kubernetes Node
    Allocatable CPU:
    1000m

    View Slide

  30. '+
    4/)
    page
    030
    • Requests 3%
    • Requests / Limits *5
    CPU
    .($#1-
    Requests / Limits/)
    !
    " &0 ,2!4/

    View Slide

  31. LimitRange "8*-
    page
    031
    LimitRange
    (3%
    +$ / +&(3%
    requests / limits '73%
    GKE #!CPU Requests 100m 13%
    ,3%#!.74
    6
    #! OOM - CPU #!952/)
    Container: Pod
    7 0

    View Slide



  32. spec.securityContext.sysctls

    View Slide



  33. page
    033
    1. spec.securityContext.sysctls
    • Kubernetes v1.11
    2. Annotations (security.alpha.kubernetes.io/sysctls)
    • Kubernetes v1.10
    3. Privileged InitContainer


    View Slide



  34. page
    034
    Kubernetes v1.11 spec.securityContext.sysctls
    safe, unsafe

    View Slide

  35. %
    page
    035
    Kubernetes v1.10 Annotation
    #
    security.alpha.kubernetes.io/sysctls'" &
    security.alpha.kubernetes.io/unsafe-sysctls'" & $!

    View Slide



  36. page
    036
    or
    InitContainer +


    View Slide



  37. spec.loadBalancerSourceRanges (Service)
    spec.ingress (NetworkPolicy)
    BackendConfig (Ingress [GKE])

    View Slide

  38. !%2! &3
    page
    038
    1. “type: LoadBalancer” LB $ &3
    • LB$ &+!$ *4)
    2. NetworkPolicy Node $ &3
    • NetworkPolicy !#Node$ iptables &3
    • -.!" !1/
    3. Ingress LB $ &3
    • GKE ('BackendConfig # Cloud Armor
    0,

    View Slide

  39. 1. ”type: LoadBalancer” Service
    page
    039


    IP Address
    Load
    Balancer
    NIC NIC
    iptables iptables

    View Slide

  40. 2. Network Policy
    Node

    • In-bound / Out-bound
    • Label
    • Namespace
    Load
    Balancer
    NIC NIC
    iptables iptables
    page
    040

    View Slide

  41. 3. Ingress %
    page
    041
    GCP
    Cloud Armor$
    Load
    Balancer
    NIC NIC
    iptables iptables
    Service
    Annotation #"
    !K8s

    View Slide

  42. Conclusion
    summary

    View Slide

  43. Conclusion
    page
    043
    • &#%32+/4
    • &#%3(0/4
    • %
    • !&&'
    • "'$&
    • $'*-,1

    '%#!'"'&
    • &').

    View Slide



  44. View Slide

  45. 3 I H uNs P
    /D 6 IBK c a io sy P
    0 C 1 DD 3 I H
    W3 I HS M
    3 I H
    & 72 uNs C ID
    9 CD H uNs
    0BH K L 4 uNs
    / B 8I uNs
    /D HI uNs 5 I I uNs
    uNs N snN
    s h l o y f fl
    y s N
    snr N
    tk ye
    & hs c N uNsu ghd
    v
    o y
    /2 /0
    fl N s 8 KB 5 HA
    3 I H dNkyl
    3 I H b

    View Slide

  46. Thank you for your attention
    follow me: @amsy810

    View Slide