Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
what happens when k8s journy
Search
nnao45
March 25, 2019
Technology
16
9k
what happens when k8s journy
nnao45
March 25, 2019
Tweet
Share
More Decks by nnao45
See All by nnao45
MPI Performance Evaluation of Raspberry Pi4 Cluster with Android OS
nnao45
2
160
datalake-party-for-aws-20201118
nnao45
0
240
はじめてのNetwork Service Mesh
nnao45
4
2.2k
EKS for EFS
nnao45
4
1.4k
まだ大きくない僕たちに必要なCLoud Nativeを求めて
nnao45
8
1.2k
Firebase, Firestore Find mBaaS
nnao45
3
1.1k
Make App, Using with Study Group
nnao45
3
600
Chatops, AWS, And Ansible
nnao45
2
1k
Ansible container in the kubernetes
nnao45
5
1.6k
Other Decks in Technology
See All in Technology
スキルだけでは満たせない、 “組織全体に”なじむオンボーディング/Onboarding that fits “throughout the organization” and cannot be satisfied by skills alone
bitkey
0
160
AWSを活用したIoTにおけるセキュリティ対策のご紹介
kwskyk
0
310
プロダクトエンジニア構想を立ち上げ、プロダクト志向な組織への成長を続けている話 / grow into a product-oriented organization
hiro_torii
1
350
AIエージェント入門
minorun365
PRO
30
16k
【詳説】コンテンツ配信 システムの複数機能 基盤への拡張
hatena
0
210
EDRの検知の仕組みと検知回避について
chayakonanaika
11
4.5k
AIエージェント元年
shukob
0
150
内製化を加速させるlaC活用術
nrinetcom
PRO
2
130
NFV基盤のOpenStack更新 ~9世代バージョンアップへの挑戦~
vtj
0
340
エンジニアリング価値を黒字化する バリューベース戦略を用いた 技術戦略策定の道のり
kzkmaeda
6
2.2k
Visualize, Visualize, Visualize and rclone
tomoaki0705
9
80k
【5分でわかる】セーフィー エンジニア向け会社紹介
safie_recruit
0
18k
Featured
See All Featured
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
A designer walks into a library…
pauljervisheath
205
24k
Code Review Best Practice
trishagee
67
18k
Building Adaptive Systems
keathley
40
2.4k
A better future with KSS
kneath
238
17k
Building Flexible Design Systems
yeseniaperezcruz
328
38k
Building a Modern Day E-commerce SEO Strategy
aleyda
38
7.1k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
4
430
GitHub's CSS Performance
jonrohan
1030
460k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
133
33k
The Cult of Friendly URLs
andyhume
78
6.2k
Transcript
W H A T H A P P E N
S W H E N K 8 S J O U R N Y $ kubectl run --image=nginx --replicas=3
C N D J P 2 @nnao45 CyberAgent Inc. Infra/ServerSide
Engineer ✔ Naoya Yokoyama Tech Advisor Startup Company ✔ Zsh,BGP,Go,Rust,MySQL,K8S,AWS,Ansible ✔ Vtuber,Game,Tennis ✔ MySQLの商用版使いたい人生だった DynamoDBのインデックス設計つらたん ぶいちゅーばー友達募集! V言語って最強の静的型付言語なの? RustのGraphDBのライブラリかきたい @nnao45,
[email protected]
✔
C N D J P 3 AGENDA $ kubectl version
-o json | jq '.clientVersion.gitVersion' $ kubectl version -o json | jq '.serverVersion.gitVersion' "v1.13.4" "v1.13.4"
C N D J P 4 AGENDA AUTH JOURNY CONTROLLER
LOOP POD DEPLOY
C N D J P 5 AUTH JOURNY What happens
when I type kubectl run? $ kubectl run --image=nginx --replicas=3
C N D J P 6 AUTH JOURNY https://github.com/jamiehannaford/what-happens-when-k8s
C N D J P 7 AUTH JOURNY NEXT…
C N D J P 8 AUTH JOURNY kubectl run
--image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる
C N D J P 9 AUTH JOURNY BEFORE FIRE…
C N D J P 1 0 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる BEFORE FIRE… 詠唱中
C N D J P 1 1 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる 1. RESOURCE VALIDATE $ kubectl api-resources SEE 3. GENERATE REQUEST 2. LOAD API SCHEMA ~/.kube/cache/discovery/ LOOK BEFORE FIRE… https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13
C N D J P 1 2 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる BEFORE FIRE… 4. LOOK KUBECONFIG CHECK PRIORITY 1.USE $ kubectl --kubeconfig 2.USE $ ${KUBECONFIG} kubectl 3.LOOK ~/.kube or something
C N D J P 1 3 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる FIRE!!!!!!!!!!!!
C N D J P 1 4 AUTH JOURNY
C N D J P 1 5 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔
C N D J P 1 6 AUTH JOURNY Authentication
kube-apiserver Use… bearer basic X509 or or
C N D J P 1 7 AUTH JOURNY X509
bearer basic Validate Client TLS Key from CA ROOT Certificate Validate Authorization Header $ curl -H ‘Authorization:Bearer xxxxx…’ --cacert … Validate Basic Auth $ curl -u ‘admin-user:admin-passwd’ $ curl —key client.key —cert client.crt —cacert ca.crt Authentication Method
C N D J P 1 8 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ༻ ͢ΔΞΧϯτ ͕ݖݶ͕͋Δ͔ɻ
C N D J P 1 9 AUTH JOURNY Authorization(for
example: RBAC) kube-apiserver etcd Use…
C N D J P 2 0 AUTH JOURNY https://qiita.com/sheepland/items/67a5bb9b19d8686f389d
Authorization(for example: RBAC)
C N D J P 2 1 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ༻ ͢ΔΞΧϯτ ͕ݖݶ͕͋Δ͔ɻ ड͚औͬͨཁٻ ͕ΫϥελʔϦ ιʔεʹ՝ͤΒ Ε੍ͨݶ͔Ͳ ͏͔ɻ
C N D J P 2 2 AUTH JOURNY Admission
Controll kube-apiserver Use…
C N D J P 2 3 AUTH JOURNY Describe
Admission Controll https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/
C N D J P 2 4 AUTH JOURNY Admission
Controll Plugin Example AlwaysDeny…Deny All request SecurityContextDeny…Deny Security Context AlwaysAdmit…Accept All Request
C N D J P 2 5 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ༻ ͢ΔΞΧϯτ ͕ݖݶ͕͋Δ͔ɻ ड͚औͬͨཁٻ ͕ΫϥελʔϦ ιʔεʹ՝ͤΒ Ε੍ͨݶ͔Ͳ ͏͔ɻ
C N D J P 2 6 AUTH JOURNY SOON
CREATE OBJECT PERSISTED SAVE
C N D J P 2 7 AUTH JOURNY /apps/v1beta2/devployment
kube-apiserver *「リソース 登録ヲ確認 シマシタ。 」 Request HTTP HANDLER /apps/v1beta2/devployment /apps/v1/namespace /apps/v1/configmap /apps/v1/service
C N D J P 2 8 AUTH JOURNY kube-apiserver
Request HTTP HANDLER RIQUEST VALIDATION /apps/v1beta2/devployment FORM
C N D J P 2 9 AUTH JOURNY RIQUEST
VALIDATION JSON DESELIZE VALIDATION REQUEST FORM
C N D J P 3 0 AUTH JOURNY kube-apiserver
Request HTTP HANDLER RIQUEST VALIDATION /apps/v1beta2/devployment
C N D J P 3 1 AUTH JOURNY SOON
C N D J P 3 2 AUTH JOURNY AUTH
JOURNY ETCD 1. USABLE HTTP WITH JSON 2. SECURE TLS ENCRYPT 3. RAPID KVS (FOCUS READ) ETCD IS… 4. DISTRIBUTED 5. BACKEND BBOLT
C N D J P 3 3 AUTH JOURNY AUTH
JOURNY BBOLT 1. ETCD BACKEND 2. FULLSERIAL TRANSACTION 3. ACID SEMANTICS BBOLT IS… 4. LOCK FREE 5. SINGLE WRITE MULTI READ https://godoc.org/go.etcd.io/bbolt
C N D J P 3 4 AUTH JOURNY --image=nginx
--replicas=3 PUT Key Value → BBOLT
C N D J P 3 5 AUTH JOURNY --image=nginx
--replicas=3 PUT Key Value → BBOLT SOON CONTROLLER LOOP
C N D J P 3 6 CONTROLLER LOOP NEXT…
C N D J P 3 7 CONTROLLER LOOP --image=nginx
--replicas=3 GET Key Value → BBOLT BEFORE GET RESOURCE… 詠唱中 kube-apiserver
C N D J P 3 8 CONTROLLER LOOP --image=nginx
--replicas=3 GET Key Value → BBOLT BEFORE GET RESOURCE… 詠唱中 kube-apiserver INIT OPERATE
C N D J P 3 9 CONTROLLER LOOP INITIALIZERS
SETUP EXPEIMENSIBLE RESOURCE INIT OPERATE IS… INSERT PROXY SIDECAR SEE TOO LONG PASWORD IN SECRET https://ahmet.im/blog/initializers/
C N D J P 4 0 CONTROLLER LOOP GET
BBOLT kube-apiserver INIT OPERATE polling DEPLOYMENT CONTROLLER deployment
C N D J P 4 1 CONTROLLER LOOP PUT
BBOLT kube-apiserver INIT OPERATE polling DEPLOYMENT CONTROLLER deployment replicaset
C N D J P 4 2 CONTROLLER LOOP DEPLOYMENT
CONTROLLER REPLICASET ENDPOINT CONTROLLER Service Account & Token CONTROLLER MANAGE kube-controller-manager
C N D J P 4 3 CONTROLLER LOOP GET
BBOLT kube-apiserver INIT OPERATE polling REPLICASET replicaset
C N D J P 4 4 CONTROLLER LOOP kube-apiserver
INIT OPERATE polling REPLICASET PUT BBOLT Pod replicaset
C N D J P 4 5 CONTROLLER LOOP kube-apiserver
BBOLT Pod フリーズ status: Pending
C N D J P 4 6 CONTROLLER LOOP kube-apiserver
BBOLT Pod フリーズ status: Pending 詠唱中 kube-scheduler
C N D J P 4 7 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending kube-scheduler 詠唱中 GET
C N D J P 4 8 CONTROLLER LOOP kube-scheduler
1. FILL PODSPCE NODENAME FOR EMPTY VALUE POD 2. CHECK NODE RESOURCE 3. BIND POD TO NODE KUBE-SCHEDULER OPERATE…
C N D J P 4 9 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending kube-scheduler 詠唱中 PUT POST NodeName: <BINDING NODE> PodScheduled: True
C N D J P 5 0 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending フリーズ NodeName: <BINDING NODE> PodScheduled: True
C N D J P 5 1 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending フリーズ NodeName: <BINDING NODE> PodScheduled: True kubelet 詠唱中
C N D J P 5 2 POD DEPLOY NEXT…
C N D J P 5 3 POD DEPLOY kube-apiserver
BBOLT Pod status: Pending NodeName: <BINDING NODE> PodScheduled: True kubelet GET 詠唱中
C N D J P 5 4 POD DEPLOY kubelet
kubelet kubelet Node A Node B Node C Node AのPodの状態は? Node BのPodの状態は? Node CのPodの状態は? kube-apiserver
C N D J P 5 5 POD DEPLOY kubelet
1.SYNC POD STATUS IN ETCD AND LOCAL CACHE 2. CREATE CGROUP 3. BIND POD AND VOLUME KUBELET OPERATE… 4. BIND POD AND SECRET
C N D J P 5 6 POD DEPLOY kubelet
CONTAINER POD METADATA VOLUMES x N
C N D J P 5 7 POD DEPLOY kubelet
5.CREATE PAUSE CONTAINER KUBELET OPERATE… (CASE DOCKER)
C N D J P 5 8 POD DEPLOY kubelet
POD METADATA VOLUMES BASE PAUSE IMAGE CONTAINER x N
C N D J P 5 9 POD DEPLOY kubelet
6. ATTACHE NETWORK IF KUBELET OPERATE… (CASE DOCKER)
C N D J P 6 0 POD DEPLOY kubelet
POD METADATA VOLUMES BASE PAUSE IMAGE NETWORK IF CONTAINER x N
C N D J P 6 1 POD DEPLOY kubelet
7. PULL CONTAINER IMAGE KUBELET OPERATE… (CASE DOCKER) 8. RUN CONTAINER IMAGE
C N D J P 6 2 POD DEPLOY kubelet
POD METADATA VOLUMES BASE PAUSE IMAGE NETWORK IF RUNNING IMAGE CONTAINER x N
C N D J P 6 3 POD DEPLOY kube-apiserver
BBOLT Pod status: Running NodeName: <BINDING NODE> kubelet PUT
C N D J P 6 4 POD DEPLOY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる
C N D J P 6 5 POD DEPLOY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる
C N D J P 6 6 POD DEPLOY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる $ kubectl get pod --all-namespaces NAME READY STATUS RESTARTS AGE nginx-65cf545976-22nsz 1/1 Running 0 2d nginx-65cf545976-2lljh 1/1 Running 0 2d nginx-65cf545976-2lljh 1/1 Running 0 2d … … ❤
C N D J P 6 7 FIN THANKS いらすとやの『中二病の女の子』のイラストが
https://togetter.com/li/1221674 好きすぎてファンアートを描いてしまった。By @Aiuti01 https://twitter.com/Aiuti01