Slide 1
Slide 1 text
Masaya Aoyama
CyberAgent adtech studio
ຊ൪ڥͷKubernetesϚχϑΣετʹ
࠷ݶඞཁͳ ͷ͜ͱ
Japan Container Days v18.12
MasayaAoyama @amsy810
Slide 2
Slide 2 text
Japan Container Days v18.04 Keynote
Cloud Native Day Tokyo co-chair
Cloud Native Meetup Tokyo Organizer (+ KubeCon)
for Kubernetes
CKA #138CKAD #2
OpenStack / Kubernetes Contributor
Masaya Aoyama (@amsy810)
Infrastructure Engineer
Slide 3
Slide 3 text
Hobby == Kubernetes
Slide 4
Slide 4 text
Agenda
page
04
• &#
%32+/4
• &#
%3(0/4
• %
• !&& '
•
"'$&
• $'*-,1
•
'
%
#!'"'&
• &'
).
Slide 5
Slide 5 text
spec.containers[].command
spec.initContainers[]
spec.containers[]
spec.containers[].lifecycle.postStart
Slide 6
Slide 6 text
0<3/>@:=
page
06
1. Entrypoint
+2
/>@
• $((
$*
4"&5;
2. Init Containers1?
• $((
1?"&-8)5;
• $((
1?
"&. ,
3. Sidecar !*(
*;9
• *(
*;9
4. postStart %#
1?
• $(#'6@7
$((
6@
Slide 7
Slide 7 text
1. Entrypoint
!
"
page
07
• Entrypoint
!
"
• ex) #
%
$
Slide 8
Slide 8 text
1. Entrypoint
!
"
page
08
• Entrypoint
!
"
• ex) #
%
$
Slide 9
Slide 9 text
2. Init Container
'
page
09
•
# &*
,
• $("Volume
%)
• +
-!
Volume
Store data Use data
Slide 10
Slide 10 text
2. Init Container
page
010
Immutable Infrastructure
Slide 11
Slide 11 text
3. Sidecar
%$
page
011
• Pod
Main
, Sidecar
• "'(
Init Container !)*(
%$ +
• ex)
#&(
!&
Volume
Store data Use data
Slide 12
Slide 12 text
4. postStart
$
page
012
•
&%! ()
&*
•
(#"'
postStart
script
main process (entrypoint)
Slide 13
Slide 13 text
!
page
013
$
%#
1. entrypoint
$ %
2. initContainers $ %
3. Sidecar $ "
4. postStart
$ %
Slide 14
Slide 14 text
spec.restartPolicy
spec.containers[].lifecycle.preStop
Spec.terminationGracePeriodSeconds
Slide 15
Slide 15 text
spec.restartPolicy (Pod)
page
015
• Always
• Pod
Pod
• OnFailure
• Pod
Pod
• Never
• Pod
Pod
Deployment Always
Job OnFailure or Never
Slide 16
Slide 16 text
page
016
+0s
Terminating
SIGTERM
preStop
(optional)
Service
SIGKILL
Running
spec.terminationGracePeriodSeconds = 30
(
30 )
~ 30s
Slide 17
Slide 17 text
!
page
017
+0s
Terminating
SIGTERM
"
preStop "
Service
&
"
SIGKILL "
Running
spec.terminationGracePeriodSeconds = 30
( 30 #)
preStop "$
2# SIGTERM "%
+32s
+30s
Slide 18
Slide 18 text
spec.containers[].livenessProbe
spec.containers[].readinessProbe
Slide 19
Slide 19 text
"-#
page
019
spec.containers[].livenessProbe
Check %)*
!+
0" (1
,'&/
spec.containers[].readinessProbe
Check %)* Service .$
Service-In
,
Slide 20
Slide 20 text
PodDisruptionBudget
Slide 21
Slide 21 text
); $
&?
page
021
kubectl drain'
#$
$<+0@,>
A7Pod4.
-96*,>3…
!%$
%5/PDB
=2(5/B
"
% -:18
Slide 22
Slide 22 text
spec.nodeSelector
spec.affinity.nodeAffinity
spec.affinity.podAffinity
spec.affinity.podAntiAffinity
spec.torelations (+ taints)
spec.priorityClassName (+ PriorityClass)
Slide 23
Slide 23 text
*(
page
023
1. 2+0 Node Affinity5nodeSelector6
•
&
/
2. Node Affinity / Node Anti-Affinity
• -3 ,!(#
.'
• )4,!"$,!
3. Inter-Pod Affinity / Inter-Pod Anti-Affinity
• .'
Pod
51%6
Slide 24
Slide 24 text
NodePool / Instance Group
page
024
+#)
%
&$'
• GKE NodePool
• EKS Instance Group
K8s
"!
* (Node
Slide 25
Slide 25 text
Kubernetes
page
025
Taints / Tolerations PriorityClass
Slide 26
Slide 26 text
spec.containers[].resources.requests
spec.containers[].resources.limits
LimitRange
Slide 27
Slide 27 text
$+
page
027
Limits5
"/ 3
! .2
Requests5
"/ 3
,
#/
*4
!
"
(&
ClusterAutoscaler Pending status Pod )'0%
Requests
-1
Slide 28
Slide 28 text
page
028
Kubernetes Node
Allocatable CPU: 1000m
Requests(%)
": 1000m
&
$: 10m
Request(%) : 100m
&
#!
Cluster Autoscale
Requests '
Slide 29
Slide 29 text
page
029
Requests(&)
#: 100m
'
!%: 10000m
Request(&) : 10m
'
$"
(
Cluster Autoscale
Requests
Kubernetes Node
Allocatable CPU:
1000m
Slide 30
Slide 30 text
'+
4/)
page
030
• Requests 3%
• Requests / Limits *
5
CPU
.($
#1-
Requests / Limits/)
!
"
&0
,2
!4/
Slide 31
Slide 31 text
LimitRange
"8*-
page
031
LimitRange
(3%
+$ / +&
(3%
requests / limits '73%
GKE #!CPU Requests 100m 1
3%
,3%#!.
74
6
#! OOM -
CPU #!952/)
Container : Pod
7 0
Slide 32
Slide 32 text
spec.securityContext.sysctls
Slide 33
Slide 33 text
page
033
1. spec.securityContext.sysctls
• Kubernetes v1.11
2. Annotations (security.alpha.kubernetes.io/sysctls)
• Kubernetes v1.10
3. Privileged InitContainer
•
•
Slide 34
Slide 34 text
page
034
Kubernetes v1.11
spec.securityContext.sysctls
safe, unsafe
Slide 35
Slide 35 text
%
page
035
Kubernetes v1.10
Annotation
#
security.alpha.kubernetes.io/sysctls'
"
&
security.alpha.kubernetes.io/unsafe-sysctls'
"
&
$!
Slide 36
Slide 36 text
page
036
or
InitContainer +
Slide 37
Slide 37 text
spec.loadBalancerSourceRanges (Service)
spec.ingress (NetworkPolicy)
BackendConfig (Ingress [GKE])
Slide 38
Slide 38 text
!
%2!
&3
page
038
1. “type: LoadBalancer”
LB $ &3
• LB$ &+
!$
*4)
2. NetworkPolicy Node $ &3
• NetworkPolicy !#Node$
iptables &3
• -.
!"
!1/
3. Ingress LB $ &3
• GKE
('BackendConfig # Cloud Armor
0,
Slide 39
Slide 39 text
1. ”type: LoadBalancer” Service
page
039
IP Address
Load
Balancer
NIC NIC
iptables iptables
Slide 40
Slide 40 text
2. Network Policy
Node
• In-bound / Out-bound
• Label
• Namespace
Load
Balancer
NIC NIC
iptables iptables
page
040
Slide 41
Slide 41 text
3. Ingress %
page
041
GCP
Cloud Armor$
Load
Balancer
NIC NIC
iptables iptables
Service
Annotation #
"
!K8s
Slide 42
Slide 42 text
Conclusion
summary
Slide 43
Slide 43 text
Conclusion
page
043
• &#
%32+/4
• &#
%3(0/4
• %
• !&& '
•
"'$&
• $'*-,1
•
'
%
#!'"'&
• &'
).
Slide 44
Slide 44 text
Slide 45
Slide 45 text
3 I H uNs P
/D 6 IBK c a io sy P
0 C 1 DD 3 I H
W3 I HS M
3 I H
& 72 uNs C ID
9 CD H uNs
0BH K L 4 uNs
/ B 8I uNs
/D HI uNs 5 I I uNs
uNs N snN
s h l o y f fl
y s N
snr N
tk ye
& hs c N uNsu ghd
v
o y
/2 /0
fl N s 8 KB 5 HA
3 I H dNkyl
3 I H b
Slide 46
Slide 46 text
Thank you for your attention
follow me: @amsy810