Slide 1

Slide 1 text

Masaya Aoyama, CyberAgent adtech studio
What a Kubernetes manifest needs at minimum in a production environment
Japan Container Days v18.12
Masaya Aoyama @amsy810

Slide 2

Slide 2 text

Masaya Aoyama (@amsy810), Infrastructure Engineer
- Japan Container Days v18.04 Keynote
- Cloud Native Day Tokyo co-chair
- Cloud Native Meetup Tokyo Organizer (+ KubeCon)
- CKA #138, CKAD #2 for Kubernetes
- OpenStack / Kubernetes Contributor

Slide 3

Slide 3 text

Hobby == Kubernetes

Slide 4

Slide 4 text

Agenda (page 04): eight items; the item titles did not survive extraction.

Slide 5

Slide 5 text

- spec.containers[].command
- spec.initContainers[]
- spec.containers[]
- spec.containers[].lifecycle.postStart

Slide 6

Slide 6 text

Container startup order:
1. Entrypoint
2. Init Containers
3. Sidecar
4. postStart
(The explanatory bullets under each item did not survive extraction.)

Slide 7

Slide 7 text

1. Entrypoint (the slide's bullets and example did not survive extraction)

Slide 9

Slide 9 text

2. Init Container: shares a Volume with the main container (Init Container: Store data; main container: Use data)

Slide 10

Slide 10 text

2. Init Container: Immutable Infrastructure

Slide 11

Slide 11 text

3. Sidecar: Pod = Main container + Sidecar container; unlike an Init Container it keeps running alongside Main (diagram: Volume, Store data, Use data)

Slide 12

Slide 12 text

4. postStart: timeline of the postStart script against the main process (entrypoint); the hook is not guaranteed to run before the entrypoint starts

Slide 13

Slide 13 text

Startup-order summary (the per-item marks did not survive extraction):
1. entrypoint
2. initContainers
3. Sidecar
4. postStart

Slide 14

Slide 14 text

- spec.restartPolicy
- spec.containers[].lifecycle.preStop
- spec.terminationGracePeriodSeconds

Slide 15

Slide 15 text

spec.restartPolicy (Pod):
- Always
- OnFailure
- Never
Deployment: Always. Job: OnFailure or Never.

Slide 16

Slide 16 text

Pod termination timeline:
- +0s: the Pod goes from Running to Terminating
- preStop (optional) runs, then SIGTERM is sent
- the Pod is removed from the Service
- SIGKILL at the end of spec.terminationGracePeriodSeconds = 30 (30 seconds), i.e. at ~30s

Slide 17

Slide 17 text

Pod termination timeline with preStop:
- +0s: the Pod goes from Running to Terminating
- preStop runs (2s in the diagram), then SIGTERM is sent
- the Pod is removed from the Service
- SIGKILL after spec.terminationGracePeriodSeconds = 30 (30 seconds); the diagram marks +30s and +32s

Slide 18

Slide 18 text

- spec.containers[].livenessProbe
- spec.containers[].readinessProbe

Slide 19

Slide 19 text

- spec.containers[].livenessProbe: Check; on failure the container is restarted
- spec.containers[].readinessProbe: Check; decides Service-In, i.e. whether the Pod receives traffic from the Service
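
An added example (not from these slides): one Pod that sets every field from the startup-order, termination and probe sections. The Pod name, images, paths and probe intervals are assumed placeholders.

```yaml
# Added example, not from the original deck. Names, images and paths are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: sample-app
spec:
  restartPolicy: Always              # Deployment-managed Pods: Always (Job: OnFailure / Never)
  terminationGracePeriodSeconds: 30  # SIGKILL arrives this long after the Pod turns Terminating
  volumes:
  - name: data
    emptyDir: {}
  initContainers:                    # runs to completion before any main container starts
  - name: init-data
    image: busybox:1.29
    command: ["sh", "-c", "echo generated > /data/config"]   # Store data
    volumeMounts:
    - {name: data, mountPath: /data}
  containers:
  - name: main
    image: nginx:1.15
    command: ["nginx", "-g", "daemon off;"]   # entrypoint
    volumeMounts:
    - {name: data, mountPath: /data, readOnly: true}          # Use data
    lifecycle:
      postStart:                     # not ordered relative to the entrypoint; failure kills the container
        exec: {command: ["sh", "-c", "test -f /data/config"]}
      preStop:                       # runs before SIGTERM; the 30s grace period is already counting
        exec: {command: ["sh", "-c", "sleep 2"]}
    livenessProbe:                   # failure -> container restart
      httpGet: {path: /, port: 80}
      initialDelaySeconds: 10
      periodSeconds: 10
    readinessProbe:                  # failure -> removed from Service endpoints (no Service-In)
      httpGet: {path: /, port: 80}
      periodSeconds: 5
  - name: sidecar                    # started with main; no guarantee it is ready first
    image: busybox:1.29
    command: ["sh", "-c", "while true; do sleep 60; done"]
    volumeMounts:
    - {name: data, mountPath: /data, readOnly: true}
```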

Slide 20

Slide 20 text

PodDisruptionBudget

Slide 21

Slide 21 text

During kubectl drain the Pods on a Node are evicted; a PDB (PodDisruptionBudget) bounds how many Pods of an application may be down at once.

Slide 22

Slide 22 text

- spec.nodeSelector
- spec.affinity.nodeAffinity
- spec.affinity.podAffinity
- spec.affinity.podAntiAffinity
- spec.tolerations (+ taints)
- spec.priorityClassName (+ PriorityClass)

Slide 23

Slide 23 text

Scheduling controls:
1. Node Affinity (nodeSelector)
2. Node Affinity / Node Anti-Affinity
3. Inter-Pod Affinity / Inter-Pod Anti-Affinity (Pod-based)

Slide 24

Slide 24 text

NodePool / Instance Group: a group of K8s Nodes (GKE NodePool, EKS Instance Group)

Slide 25

Slide 25 text

Kubernetes: Taints / Tolerations, PriorityClass

Slide 26

Slide 26 text

- spec.containers[].resources.requests
- spec.containers[].resources.limits
- LimitRange

Slide 27

Slide 27 text

Requests / Limits: the ClusterAutoscaler adds Nodes when Pods sit in Pending status, and it decides based on Requests, not actual usage.

Slide 28

Slide 28 text

Diagram: Kubernetes Node Allocatable CPU: 1000m; Requests 1000m vs 10m; Request 100m; Cluster Autoscale works from Requests

Slide 29

Slide 29 text

Diagram: Requests 100m vs 10000m; Request 10m; Cluster Autoscale works from Requests; Kubernetes Node Allocatable CPU: 1000m

Slide 30

Slide 30 text

Guidance on Requests and Requests / Limits (CPU); the bullet text did not survive extraction.

Slide 31

Slide 31 text

LimitRange: supplies default requests / limits for containers that declare none; on GKE the default CPU Request is 100m. Exceeding a memory limit means OOM; exceeding a CPU limit means throttling. Scope: Container / Pod.

Slide 32

Slide 32 text

spec.securityContext.sysctls

Slide 33

Slide 33 text

Ways to set sysctls:
1. spec.securityContext.sysctls (Kubernetes v1.11)
2. Annotations (security.alpha.kubernetes.io/sysctls) (Kubernetes v1.10)
3. Privileged InitContainer

Slide 34

Slide 34 text

Kubernetes v1.11: spec.securityContext.sysctls, with safe and unsafe sysctls

Slide 35

Slide 35 text

Kubernetes v1.10: annotations security.alpha.kubernetes.io/sysctls and security.alpha.kubernetes.io/unsafe-sysctls

Slide 36

Slide 36 text

Privileged container or InitContainer
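
An added example (not from these slides) covering the scheduling, resources and sysctls sections together: a Deployment with the fields from those sections, plus the PodDisruptionBudget that protects it during kubectl drain. The node-pool label value, PriorityClass, taint, and port-range value are assumed.

```yaml
# Added example, not from the original deck. Pool name, PriorityClass and taint are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sample-app
spec:
  replicas: 3
  selector:
    matchLabels: {app: sample-app}
  template:
    metadata:
      labels: {app: sample-app}
    spec:
      priorityClassName: high-priority          # a PriorityClass of this name is assumed to exist
      nodeSelector:
        cloud.google.com/gke-nodepool: app-pool # GKE NodePool label; pool name assumed
      tolerations:                              # pool is assumed tainted dedicated=app:NoSchedule
      - {key: dedicated, operator: Equal, value: app, effect: NoSchedule}
      affinity:
        podAntiAffinity:                        # one replica per Node: needs >= 3 Nodes in the pool
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels: {app: sample-app}
            topologyKey: kubernetes.io/hostname
      securityContext:
        sysctls:                                # namespaced "safe" sysctl: no kubelet flag needed
        - name: net.ipv4.ip_local_port_range    # unsafe ones need kubelet --allowed-unsafe-sysctls
          value: "10000 65535"
      containers:
      - name: main
        image: nginx:1.15
        resources:
          requests: {cpu: 100m, memory: 128Mi}  # what the scheduler and Cluster Autoscaler count
          limits: {cpu: 500m, memory: 256Mi}    # memory over limit -> OOMKilled; CPU is throttled
---
apiVersion: policy/v1                           # policy/v1beta1 on clusters of the deck's era
kind: PodDisruptionBudget
metadata:
  name: sample-app-pdb
spec:
  minAvailable: 2                               # drain may evict only while 2 replicas stay up
  selector:
    matchLabels: {app: sample-app}
```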

Slide 37

Slide 37 text

- spec.loadBalancerSourceRanges (Service)
- spec.ingress (NetworkPolicy)
- BackendConfig (Ingress [GKE])

Slide 38

Slide 38 text

Restricting access:
1. "type: LoadBalancer": restrict at the LB (source ranges on the cloud load balancer)
2. NetworkPolicy: restrict at the Node; NetworkPolicy is enforced on each Node via iptables
3. Ingress: restrict at the LB; on GKE via BackendConfig with Cloud Armor

Slide 39

Slide 39 text

1. "type: LoadBalancer" Service (diagram: client IP Address, Load Balancer, then NIC and iptables on each Node)

Slide 40

Slide 40 text

2. Network Policy at the Node: In-bound / Out-bound rules, by Label, by Namespace (diagram: Load Balancer, then NIC and iptables on each Node)

Slide 41

Slide 41 text

3. Ingress: GCP Cloud Armor attached through a Service Annotation, outside K8s itself (diagram: Load Balancer, then NIC and iptables on each Node)
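
An added example (not from these slides): the three access-restriction methods above for one app. The CIDR (an RFC 5737 documentation range), namespace label, Cloud Armor policy name and BackendConfig name are assumed.

```yaml
# Added example, not from the original deck. CIDR, labels and policy names are assumed.
apiVersion: v1
kind: Service
metadata:
  name: sample-app
  annotations:                      # 3. applies only when a GKE Ingress fronts this Service
    cloud.google.com/backend-config: '{"default": "sample-app-armor"}'
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local      # keeps the client source IP so the ipBlock rule below matches
  selector: {app: sample-app}
  ports:
  - {port: 80, targetPort: 80}
  loadBalancerSourceRanges:         # 1. the cloud LB accepts only these client ranges
  - 203.0.113.0/24
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sample-app-ingress
spec:
  podSelector:
    matchLabels: {app: sample-app}
  policyTypes: [Ingress]            # 2. enforced on each Node (iptables, by the CNI plugin)
  ingress:
  - from:
    - ipBlock: {cidr: 203.0.113.0/24}           # same range as the LB filter, defence in depth
    - namespaceSelector:                        # plus Pods in the namespace labelled name=monitoring
        matchLabels: {name: monitoring}
    ports:
    - {protocol: TCP, port: 80}
---
apiVersion: cloud.google.com/v1                 # GKE-specific CRD
kind: BackendConfig
metadata:
  name: sample-app-armor
spec:
  securityPolicy:
    name: office-only                           # Cloud Armor policy assumed to exist in the project
```

Without a CNI plugin that enforces NetworkPolicy the second object is accepted by the API server but has no effect, so check the cluster's network plugin before relying on it.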

Slide 42

Slide 42 text

Conclusion summary

Slide 43

Slide 43 text

Conclusion: the eight summary items (the same list as the Agenda) did not survive extraction.

Slide 46

Slide 46 text

Thank you for your attention follow me: @amsy810