Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
what happens when k8s journy
Search
nnao45
March 25, 2019
Technology
16
9k
what happens when k8s journy
nnao45
March 25, 2019
Tweet
Share
More Decks by nnao45
See All by nnao45
MPI Performance Evaluation of Raspberry Pi4 Cluster with Android OS
nnao45
2
160
datalake-party-for-aws-20201118
nnao45
0
220
はじめてのNetwork Service Mesh
nnao45
4
2.1k
EKS for EFS
nnao45
4
1.4k
まだ大きくない僕たちに必要なCLoud Nativeを求めて
nnao45
8
1.1k
Firebase, Firestore Find mBaaS
nnao45
3
1k
Make App, Using with Study Group
nnao45
3
590
Chatops, AWS, And Ansible
nnao45
2
980
Ansible container in the kubernetes
nnao45
5
1.5k
Other Decks in Technology
See All in Technology
とあるユーザー企業におけるリスクベースで考えるセキュリティ業務のお話し
4su_para
3
320
物価高なラスベガスでの過ごし方
zakky
0
350
Commitment vs Harrisonism - Keynote for Scrum Niseko 2024
miholovesq
6
1k
新卒1年目が向き合う生成AI事業の開発を加速させる技術選定 / ai-web-launcher
cyberagentdevelopers
PRO
7
1.5k
ガバメントクラウド先行事業中間報告を読み解く
sugiim
1
1k
CyberAgent 生成AI Deep Dive with Amazon Web Services / genai-aws
cyberagentdevelopers
PRO
1
480
失敗しないOpenJDKの非互換調査
tabatad
0
270
プロダクトチームへのSystem Risk Records導入・運用事例の紹介/Introduction and Case Studies on Implementing and Operating System Risk Records for Product Teams
taddy_919
1
160
プロダクトエンジニアが活躍する環境を作りたくて 事業責任者になった話 ~プロダクトエンジニアの行き着く先~
gimupop
1
460
なんで、私がAWS Heroに!? 〜社外の広い世界に一歩踏み出そう〜
minorun365
PRO
6
1.1k
で、ValhallaのValue Classってどうなったの?
skrb
1
660
Gradle: The Build System That Loves To Hate You
aurimas
2
140
Featured
See All Featured
Embracing the Ebb and Flow
colly
84
4.4k
Gamification - CAS2011
davidbonilla
80
5k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Designing for Performance
lara
604
68k
How to train your dragon (web standard)
notwaldorf
88
5.7k
Optimizing for Happiness
mojombo
376
69k
Become a Pro
speakerdeck
PRO
24
5k
Building Applications with DynamoDB
mza
90
6.1k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
7.9k
Bash Introduction
62gerente
608
210k
GraphQLの誤解/rethinking-graphql
sonatard
66
9.9k
Transcript
W H A T H A P P E N
S W H E N K 8 S J O U R N Y $ kubectl run --image=nginx --replicas=3
C N D J P 2 @nnao45 CyberAgent Inc. Infra/ServerSide
Engineer ✔ Naoya Yokoyama Tech Advisor Startup Company ✔ Zsh,BGP,Go,Rust,MySQL,K8S,AWS,Ansible ✔ Vtuber,Game,Tennis ✔ MySQLの商用版使いたい人生だった DynamoDBのインデックス設計つらたん ぶいちゅーばー友達募集! V言語って最強の静的型付言語なの? RustのGraphDBのライブラリかきたい @nnao45,
[email protected]
✔
C N D J P 3 AGENDA $ kubectl version
-o json | jq '.clientVersion.gitVersion' $ kubectl version -o json | jq '.serverVersion.gitVersion' "v1.13.4" "v1.13.4"
C N D J P 4 AGENDA AUTH JOURNY CONTROLLER
LOOP POD DEPLOY
C N D J P 5 AUTH JOURNY What happens
when I type kubectl run? $ kubectl run --image=nginx --replicas=3
C N D J P 6 AUTH JOURNY https://github.com/jamiehannaford/what-happens-when-k8s
C N D J P 7 AUTH JOURNY NEXT…
C N D J P 8 AUTH JOURNY kubectl run
--image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる
C N D J P 9 AUTH JOURNY BEFORE FIRE…
C N D J P 1 0 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる BEFORE FIRE… 詠唱中
C N D J P 1 1 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる 1. RESOURCE VALIDATE $ kubectl api-resources SEE 3. GENERATE REQUEST 2. LOAD API SCHEMA ~/.kube/cache/discovery/ LOOK BEFORE FIRE… https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13
C N D J P 1 2 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる BEFORE FIRE… 4. LOOK KUBECONFIG CHECK PRIORITY 1.USE $ kubectl --kubeconfig 2.USE $ ${KUBECONFIG} kubectl 3.LOOK ~/.kube or something
C N D J P 1 3 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる FIRE!!!!!!!!!!!!
C N D J P 1 4 AUTH JOURNY
C N D J P 1 5 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔
C N D J P 1 6 AUTH JOURNY Authentication
kube-apiserver Use… bearer basic X509 or or
C N D J P 1 7 AUTH JOURNY X509
bearer basic Validate Client TLS Key from CA ROOT Certificate Validate Authorization Header $ curl -H ‘Authorization:Bearer xxxxx…’ --cacert … Validate Basic Auth $ curl -u ‘admin-user:admin-passwd’ $ curl —key client.key —cert client.crt —cacert ca.crt Authentication Method
C N D J P 1 8 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ༻ ͢ΔΞΧϯτ ͕ݖݶ͕͋Δ͔ɻ
C N D J P 1 9 AUTH JOURNY Authorization(for
example: RBAC) kube-apiserver etcd Use…
C N D J P 2 0 AUTH JOURNY https://qiita.com/sheepland/items/67a5bb9b19d8686f389d
Authorization(for example: RBAC)
C N D J P 2 1 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ༻ ͢ΔΞΧϯτ ͕ݖݶ͕͋Δ͔ɻ ड͚औͬͨཁٻ ͕ΫϥελʔϦ ιʔεʹ՝ͤΒ Ε੍ͨݶ͔Ͳ ͏͔ɻ
C N D J P 2 2 AUTH JOURNY Admission
Controll kube-apiserver Use…
C N D J P 2 3 AUTH JOURNY Describe
Admission Controll https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/
C N D J P 2 4 AUTH JOURNY Admission
Controll Plugin Example AlwaysDeny…Deny All request SecurityContextDeny…Deny Security Context AlwaysAdmit…Accept All Request
C N D J P 2 5 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ༻ ͢ΔΞΧϯτ ͕ݖݶ͕͋Δ͔ɻ ड͚औͬͨཁٻ ͕ΫϥελʔϦ ιʔεʹ՝ͤΒ Ε੍ͨݶ͔Ͳ ͏͔ɻ
C N D J P 2 6 AUTH JOURNY SOON
CREATE OBJECT PERSISTED SAVE
C N D J P 2 7 AUTH JOURNY /apps/v1beta2/devployment
kube-apiserver *「リソース 登録ヲ確認 シマシタ。 」 Request HTTP HANDLER /apps/v1beta2/devployment /apps/v1/namespace /apps/v1/configmap /apps/v1/service
C N D J P 2 8 AUTH JOURNY kube-apiserver
Request HTTP HANDLER RIQUEST VALIDATION /apps/v1beta2/devployment FORM
C N D J P 2 9 AUTH JOURNY RIQUEST
VALIDATION JSON DESELIZE VALIDATION REQUEST FORM
C N D J P 3 0 AUTH JOURNY kube-apiserver
Request HTTP HANDLER RIQUEST VALIDATION /apps/v1beta2/devployment
C N D J P 3 1 AUTH JOURNY SOON
C N D J P 3 2 AUTH JOURNY AUTH
JOURNY ETCD 1. USABLE HTTP WITH JSON 2. SECURE TLS ENCRYPT 3. RAPID KVS (FOCUS READ) ETCD IS… 4. DISTRIBUTED 5. BACKEND BBOLT
C N D J P 3 3 AUTH JOURNY AUTH
JOURNY BBOLT 1. ETCD BACKEND 2. FULLSERIAL TRANSACTION 3. ACID SEMANTICS BBOLT IS… 4. LOCK FREE 5. SINGLE WRITE MULTI READ https://godoc.org/go.etcd.io/bbolt
C N D J P 3 4 AUTH JOURNY --image=nginx
--replicas=3 PUT Key Value → BBOLT
C N D J P 3 5 AUTH JOURNY --image=nginx
--replicas=3 PUT Key Value → BBOLT SOON CONTROLLER LOOP
C N D J P 3 6 CONTROLLER LOOP NEXT…
C N D J P 3 7 CONTROLLER LOOP --image=nginx
--replicas=3 GET Key Value → BBOLT BEFORE GET RESOURCE… 詠唱中 kube-apiserver
C N D J P 3 8 CONTROLLER LOOP --image=nginx
--replicas=3 GET Key Value → BBOLT BEFORE GET RESOURCE… 詠唱中 kube-apiserver INIT OPERATE
C N D J P 3 9 CONTROLLER LOOP INITIALIZERS
SETUP EXPEIMENSIBLE RESOURCE INIT OPERATE IS… INSERT PROXY SIDECAR SEE TOO LONG PASWORD IN SECRET https://ahmet.im/blog/initializers/
C N D J P 4 0 CONTROLLER LOOP GET
BBOLT kube-apiserver INIT OPERATE polling DEPLOYMENT CONTROLLER deployment
C N D J P 4 1 CONTROLLER LOOP PUT
BBOLT kube-apiserver INIT OPERATE polling DEPLOYMENT CONTROLLER deployment replicaset
C N D J P 4 2 CONTROLLER LOOP DEPLOYMENT
CONTROLLER REPLICASET ENDPOINT CONTROLLER Service Account & Token CONTROLLER MANAGE kube-controller-manager
C N D J P 4 3 CONTROLLER LOOP GET
BBOLT kube-apiserver INIT OPERATE polling REPLICASET replicaset
C N D J P 4 4 CONTROLLER LOOP kube-apiserver
INIT OPERATE polling REPLICASET PUT BBOLT Pod replicaset
C N D J P 4 5 CONTROLLER LOOP kube-apiserver
BBOLT Pod フリーズ status: Pending
C N D J P 4 6 CONTROLLER LOOP kube-apiserver
BBOLT Pod フリーズ status: Pending 詠唱中 kube-scheduler
C N D J P 4 7 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending kube-scheduler 詠唱中 GET
C N D J P 4 8 CONTROLLER LOOP kube-scheduler
1. FILL PODSPCE NODENAME FOR EMPTY VALUE POD 2. CHECK NODE RESOURCE 3. BIND POD TO NODE KUBE-SCHEDULER OPERATE…
C N D J P 4 9 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending kube-scheduler 詠唱中 PUT POST NodeName: <BINDING NODE> PodScheduled: True
C N D J P 5 0 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending フリーズ NodeName: <BINDING NODE> PodScheduled: True
C N D J P 5 1 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending フリーズ NodeName: <BINDING NODE> PodScheduled: True kubelet 詠唱中
C N D J P 5 2 POD DEPLOY NEXT…
C N D J P 5 3 POD DEPLOY kube-apiserver
BBOLT Pod status: Pending NodeName: <BINDING NODE> PodScheduled: True kubelet GET 詠唱中
C N D J P 5 4 POD DEPLOY kubelet
kubelet kubelet Node A Node B Node C Node AのPodの状態は? Node BのPodの状態は? Node CのPodの状態は? kube-apiserver
C N D J P 5 5 POD DEPLOY kubelet
1.SYNC POD STATUS IN ETCD AND LOCAL CACHE 2. CREATE CGROUP 3. BIND POD AND VOLUME KUBELET OPERATE… 4. BIND POD AND SECRET
C N D J P 5 6 POD DEPLOY kubelet
CONTAINER POD METADATA VOLUMES x N
C N D J P 5 7 POD DEPLOY kubelet
5.CREATE PAUSE CONTAINER KUBELET OPERATE… (CASE DOCKER)
C N D J P 5 8 POD DEPLOY kubelet
POD METADATA VOLUMES BASE PAUSE IMAGE CONTAINER x N
C N D J P 5 9 POD DEPLOY kubelet
6. ATTACHE NETWORK IF KUBELET OPERATE… (CASE DOCKER)
C N D J P 6 0 POD DEPLOY kubelet
POD METADATA VOLUMES BASE PAUSE IMAGE NETWORK IF CONTAINER x N
C N D J P 6 1 POD DEPLOY kubelet
7. PULL CONTAINER IMAGE KUBELET OPERATE… (CASE DOCKER) 8. RUN CONTAINER IMAGE
C N D J P 6 2 POD DEPLOY kubelet
POD METADATA VOLUMES BASE PAUSE IMAGE NETWORK IF RUNNING IMAGE CONTAINER x N
C N D J P 6 3 POD DEPLOY kube-apiserver
BBOLT Pod status: Running NodeName: <BINDING NODE> kubelet PUT
C N D J P 6 4 POD DEPLOY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる
C N D J P 6 5 POD DEPLOY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる
C N D J P 6 6 POD DEPLOY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる $ kubectl get pod --all-namespaces NAME READY STATUS RESTARTS AGE nginx-65cf545976-22nsz 1/1 Running 0 2d nginx-65cf545976-2lljh 1/1 Running 0 2d nginx-65cf545976-2lljh 1/1 Running 0 2d … … ❤
C N D J P 6 7 FIN THANKS いらすとやの『中二病の女の子』のイラストが
https://togetter.com/li/1221674 好きすぎてファンアートを描いてしまった。By @Aiuti01 https://twitter.com/Aiuti01