Slide 1

Introduction to Kubernetes

Slide 2

Renaud Chaput @renchap

Slide 3

Kubernetes

Slide 4

History
• Origin: Borg, Google's orchestrator
• In 2014, start of the "Seven" project, its replacement
• Intent to make it open source
• Kubernetes was born!
• Version 1.0 in 2015, and donation to the CNCF

Slide 5

Goals
• Decouple infrastructure and applications
• Scale
• Generic / flexible
• Automatable
• Extensible
• Portable (cloud provider, bare metal, …)

Slide 6

A big project: 1500 contributors, 32 000 PRs since 2014

Slide 7

Structure
• Code of Conduct and CLA
• Clear documentation on how to contribute
• Special Interest Groups (SIGs)
• Working groups
• Committees

Slide 8

Releases

Slide 9

Releases

Slide 10

Features: lifecycle of a feature across releases
• Alpha: 1.5 (December 2016)
• Alpha: 1.6 (March 2017)
• Beta: 1.7 (June 2017)
• Stable: 1.8 (September 2017)

Slide 11

How it works

Slide 12

Objects

apiVersion: v1
kind: Pod
metadata:
  name:
  namespace: default
spec:
status:

Slide 13

Pod
• Same namespace / cgroup
• Shared IP (so a common localhost)
• Shared volumes
• IPC / …

Figure: a Pod with two containers, AppServer (./rails server) and Sidecar (./log_processor.py)

Slide 14

Simple Pod

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx:1.7.9
    ports:
    - containerPort: 8080

Slide 15

Deployment

apiVersion: apps/v1beta2
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 8080

Slide 16

Service

apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080

Slide 17

StatefulSet

Figure: three replicas, each bound to its own volume: db-1 / volume-1, db-2 / volume-2, db-3 / volume-3

Slide 18

DaemonSet Jobs CronJobs NetworkPolicy Secret Ingress Volume …

Slide 19

Architecture

Slide 20

etcd: distributed key/value store, with watch support

Figure: three etcd instances

Slide 21

Figure: control plane: three etcd instances, API Server, Scheduler, Controller manager

Slide 22

Figure: a node running kubelet and kube-proxy, hosting many Pods

Slide 23

Network prerequisites
• All containers can communicate with each other without NAT
• All nodes can communicate with all containers without NAT
• The IP of a container as seen from inside the container is the same as seen from outside

Slide 24

Container Runtime
• Docker
• CRI-O: standard OCI interface
• rkt (CoreOS)
• Frakti: hypervisor-based

Slide 25

Figure: Node 1, Node 2, … Node n, alongside the control plane (three etcd instances, API Server, Scheduler, Controller manager, …)

Slide 26

Kubectl

$ kubectl apply -f nginx.yaml -f nginx-svc.yml
$ kubectl get all
NAME            READY     STATUS    RESTARTS   AGE
po/nginx        1/1       Running   0          12h

NAME            CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
svc/nginx-svc   10.0.0.116                 80/TCP    7s

Slide 27

Federation

Slide 28

Add-ons

Slide 29

Kube DNS
• nginx-svc.my-namespace.svc.cluster.local
• _http._tcp.nginx-svc.my-namespace.svc.cluster.local
• 1-2-3-4.default.pod.cluster.local

Slide 30

Dashboard

Slide 31

Ingress controllers
• GCP / AWS / …
• nginx
• haproxy

Slide 32

Heapster + InfluxDB, Grafana

Slide 33

Security

Slide 34

Namespaces and quotas

apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources
spec:
  hard:
    pods: "4"
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi

Slide 35

PodSecurityPolicy

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: permissive
spec:
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  hostPorts:
  - min: 8000
    max: 8080
  volumes:
  - '*'
  allowedCapabilities:
  - '*'
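As an added example (not from the original slides), the restrictive counterpart of the permissive policy above: it refuses privileged containers and privilege escalation, drops every capability instead of allowing '*', requires a non-root user and a read-only root filesystem, and limits volumes to ephemeral and API-backed types; the policy name and group ranges are assumed. PodSecurityPolicy was removed in Kubernetes 1.25 in favour of Pod Security Admission, so this is the pattern rather than a current API.

```yaml
apiVersion: policy/v1beta1         # later PSP API group (the slide's extensions/v1beta1 accepts the same fields)
kind: PodSecurityPolicy
metadata:
  name: restricted                 # assumed name
spec:
  privileged: false                # no privileged containers
  allowPrivilegeEscalation: false  # no setuid/file-capability escalation inside the container
  requiredDropCapabilities:
  - ALL                            # start from zero capabilities instead of allowing '*'
  hostNetwork: false               # no sharing of the node's network namespace
  hostPID: false
  hostIPC: false
  readOnlyRootFilesystem: true
  runAsUser:
    rule: MustRunAsNonRoot         # reject pods whose image or spec runs as uid 0
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:                        # assumed range: any non-root gid
    - min: 1
      max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  volumes:                         # no hostPath, no '*'
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
```

A policy is only enforced when the PodSecurityPolicy admission controller is enabled on the API server, and it only applies to a pod whose creating user or service account has been granted the `use` verb on that policy through RBAC (the mechanism shown on the RBAC slide).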

Slide 36

NetworkPolicy

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      run: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "true"
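Added example, not part of the original slides: the access-nginx policy above isolates only the pods carrying run=nginx; pods in the namespace that no policy selects still accept traffic from anywhere. A default-deny policy with an empty podSelector closes that gap, and the access-nginx policy then acts as the explicit allow on top of it (namespace name assumed).

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-ingress
  namespace: default   # assumed; one such policy is needed per namespace
spec:
  podSelector: {}      # empty selector: every pod in the namespace is selected
  policyTypes:
  - Ingress            # no ingress rules are listed, so all inbound traffic is denied
```

NetworkPolicy objects are enforced by the network plugin, not by the API server: with a CNI plugin that does not implement them the object is accepted and stored but has no effect.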

Slide 37

RBAC

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Slide 38

Related projects
• Helm
• Kops / Kube-AWS / Bootkube / …
• Træfik
• Prometheus / Sysdig / Datadog / …
• Kube-lego, …

Slide 39

Resources
• Minikube!
• kubernetes.io
• Kubernetes the hard way
• Kubernetes Slack
• Awesome Kubernetes

Slide 40

Questions?