Slide 1

Slide 1 text

WHAT HAPPENS WHEN K8S JOURNEY

$ kubectl run --image=nginx --replicas=3

Slide 2

Slide 2 text

CNDJP 2

@nnao45 (Naoya Yokoyama)
CyberAgent Inc., Infra/ServerSide Engineer
Tech Advisor at a startup company
Zsh, BGP, Go, Rust, MySQL, K8S, AWS, Ansible
Vtuber, Game, Tennis

I wish I'd had a career using the commercial edition of MySQL.
Designing DynamoDB indexes is painful.
Looking for VTuber friends!
Is V the strongest statically typed language?
I want to write a GraphDB library in Rust.

@nnao45

Slide 3

Slide 3 text

AGENDA

$ kubectl version -o json | jq '.clientVersion.gitVersion'
"v1.13.4"
$ kubectl version -o json | jq '.serverVersion.gitVersion'
"v1.13.4"

Slide 4

Slide 4 text

AGENDA
1. AUTH JOURNEY
2. CONTROLLER LOOP
3. POD DEPLOY

Slide 5

Slide 5 text

AUTH JOURNEY

What happens when I type kubectl run?

$ kubectl run --image=nginx --replicas=3

Slide 6

Slide 6 text

https://github.com/jamiehannaford/what-happens-when-k8s

Slide 7

Slide 7 text

NEXT…

Slide 8

Slide 8 text

RPG command menu:
  kubectl run --image=nginx --replicas=3
  Fight
  kubectl get pod --all-namespaces
  sudo rm -rf / --preserve-root
  Give up on containers

Slide 9

Slide 9 text

BEFORE FIRE…

Slide 10

Slide 10 text

RPG command menu:
  kubectl run --image=nginx --replicas=3
  Fight
  kubectl get pod --all-namespaces
  sudo rm -rf / --preserve-root
  Give up on containers

BEFORE FIRE… Casting…

Slide 11

Slide 11 text

RPG command menu:
  kubectl run --image=nginx --replicas=3
  Fight
  kubectl get pod --all-namespaces
  sudo rm -rf / --preserve-root
  Give up on containers

BEFORE FIRE…
1. RESOURCE VALIDATE
   SEE: $ kubectl api-resources
2. LOAD API SCHEMA
   LOOK: ~/.kube/cache/discovery/
   https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13
3. GENERATE REQUEST

Slide 12

Slide 12 text

RPG command menu:
  kubectl run --image=nginx --replicas=3
  Fight
  kubectl get pod --all-namespaces
  sudo rm -rf / --preserve-root
  Give up on containers

BEFORE FIRE…
4. LOOK AT KUBECONFIG, CHECK PRIORITY
   1. USE $ kubectl --kubeconfig
   2. USE $ KUBECONFIG=… kubectl (the ${KUBECONFIG} environment variable)
   3. LOOK IN ~/.kube or similar

Slide 13

Slide 13 text

RPG command menu:
  kubectl run --image=nginx --replicas=3
  Fight
  kubectl get pod --all-namespaces
  sudo rm -rf / --preserve-root
  Give up on containers

FIRE!!!!!!!!!!!!

Slide 14

Slide 14 text

AUTH JOURNEY

Slide 15

Slide 15 text

Authentication | Authorization | Admission Control

Authentication: is the connection really coming from a client of a provisioned account?

Slide 16

Slide 16 text

Authentication
kube-apiserver uses… bearer, or basic, or X509

Slide 17

Slide 17 text

Authentication methods

X509: validate the client TLS key against the CA root certificate
  $ curl --key client.key --cert client.crt --cacert ca.crt
bearer: validate the Authorization header
  $ curl -H 'Authorization: Bearer xxxxx…' --cacert …
basic: validate basic auth
  $ curl -u 'admin-user:admin-passwd'

Slide 18

Slide 18 text

Authentication | Authorization | Admission Control

Authentication: is the connection really coming from a client of a provisioned account?
Authorization: does the account in use have permission for the operation that the received request corresponds to?

Slide 19

Slide 19 text

Authorization (for example: RBAC)
kube-apiserver / etcd
Use…

Slide 20

Slide 20 text

Authorization (for example: RBAC)
https://qiita.com/sheepland/items/67a5bb9b19d8686f389d

Slide 21

Slide 21 text

Authentication | Authorization | Admission Control

Authentication: is the connection really coming from a client of a provisioned account?
Authorization: does the account in use have permission for the operation that the received request corresponds to?
Admission Control: does the received request fall within the limits imposed on cluster resources?

Slide 22

Slide 22 text

Admission Control
kube-apiserver
Use…

Slide 23

Slide 23 text

Describe Admission Control
https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/

Slide 24

Slide 24 text

Admission Control plugin examples
  AlwaysDeny … deny all requests
  SecurityContextDeny … deny pods that set security context fields
  AlwaysAdmit … accept all requests
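The deny/allow decision these plugins make, as an added Go example that is not from the talk: the core of a validating admission webhook enforcing a SecurityContextDeny-style rule (reject any container that requests privileged: true). The AdmissionReview and Pod structs are hand-trimmed for this example, not the k8s.io/api types; a real webhook would wrap Review in an HTTPS handler.

```go
package main

import (
	"encoding/json"
	"errors"
)

// Trimmed AdmissionReview shapes (hand-written here, not the k8s.io/api types).
type reviewRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the Pod being admitted
}
type reviewResponse struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"` // {"message": "..."} when denied
}
type admissionReview struct {
	APIVersion string          `json:"apiVersion"`
	Kind       string          `json:"kind"`
	Request    *reviewRequest  `json:"request,omitempty"`
	Response   *reviewResponse `json:"response,omitempty"`
}

// Only the Pod fields the rule inspects.
type container struct {
	Name            string `json:"name"`
	SecurityContext *struct{ Privileged *bool `json:"privileged"` } `json:"securityContext"`
}
type pod struct {
	Spec struct{ Containers []container `json:"containers"` } `json:"spec"`
}

// Review applies one SecurityContextDeny-style rule (no container may ask for
// privileged: true) and returns the AdmissionReview that goes back to kube-apiserver.
func Review(body []byte) (*admissionReview, error) {
	var ar admissionReview
	var p pod
	if json.Unmarshal(body, &ar) != nil || ar.Request == nil || json.Unmarshal(ar.Request.Object, &p) != nil {
		return nil, errors.New("malformed AdmissionReview or embedded Pod")
	}
	resp := &reviewResponse{UID: ar.Request.UID, Allowed: true}
	for _, c := range p.Spec.Containers {
		if sc := c.SecurityContext; sc != nil && sc.Privileged != nil && *sc.Privileged {
			resp.Allowed = false // fail closed: one offending container denies the whole Pod
			resp.Status = map[string]string{"message": "container " + c.Name + " requests privileged mode"}
		}
	}
	return &admissionReview{APIVersion: ar.APIVersion, Kind: ar.Kind, Response: resp}, nil
}
```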

Slide 25

Slide 25 text

Authentication | Authorization | Admission Control

Authentication: is the connection really coming from a client of a provisioned account?
Authorization: does the account in use have permission for the operation that the received request corresponds to?
Admission Control: does the received request fall within the limits imposed on cluster resources?

Slide 26

Slide 26 text

SOON
CREATE OBJECT → PERSISTED SAVE

Slide 27

Slide 27 text

kube-apiserver: Request → HTTP HANDLER → /apps/v1beta2/deployment

*"Resource registration confirmed."

HTTP HANDLER routes:
  /apps/v1beta2/deployment
  /apps/v1/namespace
  /apps/v1/configmap
  /apps/v1/service

Slide 28

Slide 28 text

kube-apiserver: Request → HTTP HANDLER → REQUEST VALIDATION → /apps/v1beta2/deployment (FORM)

Slide 29

Slide 29 text

REQUEST VALIDATION: JSON DESERIALIZE → VALIDATION → REQUEST FORM

Slide 30

Slide 30 text

kube-apiserver: Request → HTTP HANDLER → REQUEST VALIDATION → /apps/v1beta2/deployment

Slide 31

Slide 31 text

SOON

Slide 32

Slide 32 text

ETCD IS…
1. USABLE OVER HTTP WITH JSON
2. SECURE: TLS ENCRYPTION
3. RAPID KVS (FOCUS ON READ)
4. DISTRIBUTED
5. BACKEND: BBOLT

Slide 33

Slide 33 text

BBOLT IS…
1. ETCD BACKEND
2. FULLY SERIALIZABLE TRANSACTIONS
3. ACID SEMANTICS
4. LOCK FREE
5. SINGLE WRITER, MULTIPLE READERS
https://godoc.org/go.etcd.io/bbolt

Slide 34

Slide 34 text

--image=nginx --replicas=3 → PUT Key Value → BBOLT

Slide 35

Slide 35 text

--image=nginx --replicas=3 → PUT Key Value → BBOLT
SOON: CONTROLLER LOOP

Slide 36

Slide 36 text

CONTROLLER LOOP
NEXT…

Slide 37

Slide 37 text

kube-apiserver: GET Key Value (--image=nginx --replicas=3) ← BBOLT
BEFORE GET RESOURCE… Casting…

Slide 38

Slide 38 text

kube-apiserver: GET Key Value (--image=nginx --replicas=3) ← BBOLT
BEFORE GET RESOURCE… Casting…
INIT OPERATE

Slide 39

Slide 39 text

INIT OPERATE IS…
INITIALIZERS: set up extensible resource initialization
  e.g. insert a proxy sidecar
  e.g. check for a too-long password in a Secret
SEE https://ahmet.im/blog/initializers/

Slide 40

Slide 40 text

DEPLOYMENT CONTROLLER polling kube-apiserver (INIT OPERATE) → GET deployment ← BBOLT

Slide 41

Slide 41 text

DEPLOYMENT CONTROLLER polling kube-apiserver (INIT OPERATE) → PUT replicaset → BBOLT (from deployment)

Slide 42

Slide 42 text

kube-controller-manager manages:
  DEPLOYMENT CONTROLLER
  REPLICASET
  ENDPOINT CONTROLLER
  Service Account & Token CONTROLLER

Slide 43

Slide 43 text

REPLICASET polling kube-apiserver (INIT OPERATE) → GET replicaset ← BBOLT

Slide 44

Slide 44 text

REPLICASET polling kube-apiserver (INIT OPERATE) → PUT Pod → BBOLT (from replicaset)

Slide 45

Slide 45 text

kube-apiserver / BBOLT: Pod (frozen) status: Pending

Slide 46

Slide 46 text

kube-apiserver / BBOLT: Pod (frozen) status: Pending
kube-scheduler: Casting…

Slide 47

Slide 47 text

kube-apiserver / BBOLT: Pod status: Pending
kube-scheduler: Casting… GET

Slide 48

Slide 48 text

KUBE-SCHEDULER OPERATES…
1. FILL PODSPEC NODENAME FOR PODS WITH AN EMPTY VALUE
2. CHECK NODE RESOURCES
3. BIND POD TO NODE
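The three scheduler steps above, as an added Go example that is neither the talk's nor kube-scheduler's code: a toy scheduler that picks pods with an empty NodeName, filters and scores nodes by remaining CPU/memory (a LeastRequested-style priority, so three nginx replicas spread across nodes), and writes the chosen node back. The Pod and Node shapes and the resource units are constructed for the example, not the k8s.io/api types.

```go
package main

// Hypothetical, much-simplified shapes (not the k8s.io/api types); resources
// are CPU millicores and memory MiB.
type Pod struct {
	Name     string
	NodeName string // empty until kube-scheduler fills it in
	CPU, Mem int    // requests
}
type Node struct {
	Name             string
	CapCPU, CapMem   int // allocatable
	UsedCPU, UsedMem int // requests of pods already bound here
}

// score is step 2 (check node resources): -1 if the pod does not fit, otherwise a
// LeastRequested-style priority in 0..2000, higher when more capacity stays free.
func score(p *Pod, n *Node) int {
	freeCPU, freeMem := n.CapCPU-n.UsedCPU-p.CPU, n.CapMem-n.UsedMem-p.Mem
	if freeCPU < 0 || freeMem < 0 {
		return -1
	}
	return 1000*freeCPU/n.CapCPU + 1000*freeMem/n.CapMem
}

// Schedule mirrors the slide: take each pod whose NodeName is empty (step 1),
// score the nodes (step 2) and bind the pod to the best one (step 3). A pod that
// fits nowhere keeps NodeName == "" and stays Pending.
func Schedule(pods []*Pod, nodes []*Node) {
	for _, p := range pods {
		if p.NodeName != "" {
			continue // already bound; the scheduler ignores it
		}
		var best *Node
		for _, n := range nodes {
			if s := score(p, n); s >= 0 && (best == nil || s > score(p, best)) {
				best = n
			}
		}
		if best != nil {
			best.UsedCPU, best.UsedMem = best.UsedCPU+p.CPU, best.UsedMem+p.Mem
			p.NodeName = best.Name // the binding kube-scheduler POSTs through kube-apiserver
		}
	}
}
```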

Slide 49

Slide 49 text

kube-apiserver / BBOLT: Pod status: Pending
kube-scheduler: Casting… PUT/POST NodeName: … PodScheduled: True

Slide 50

Slide 50 text

kube-apiserver / BBOLT: Pod (frozen) status: Pending NodeName: … PodScheduled: True

Slide 51

Slide 51 text

kube-apiserver / BBOLT: Pod (frozen) status: Pending NodeName: … PodScheduled: True
kubelet: Casting…

Slide 52

Slide 52 text

POD DEPLOY
NEXT…

Slide 53

Slide 53 text

kube-apiserver / BBOLT: Pod status: Pending NodeName: … PodScheduled: True
kubelet: Casting… GET

Slide 54

Slide 54 text

kubelet on Node A, Node B, Node C → kube-apiserver
  "What is the state of Node A's Pods?"
  "What is the state of Node B's Pods?"
  "What is the state of Node C's Pods?"

Slide 55

Slide 55 text

KUBELET OPERATES…
1. SYNC POD STATUS BETWEEN ETCD AND LOCAL CACHE
2. CREATE CGROUP
3. BIND POD AND VOLUME
4. BIND POD AND SECRET

Slide 56

Slide 56 text

kubelet: POD METADATA, VOLUMES, CONTAINER x N

Slide 57

Slide 57 text

KUBELET OPERATES… (CASE DOCKER)
5. CREATE PAUSE CONTAINER

Slide 58

Slide 58 text

kubelet: POD METADATA, VOLUMES, BASE PAUSE IMAGE, CONTAINER x N

Slide 59

Slide 59 text

KUBELET OPERATES… (CASE DOCKER)
6. ATTACH NETWORK I/F

Slide 60

Slide 60 text

kubelet: POD METADATA, VOLUMES, BASE PAUSE IMAGE, NETWORK I/F, CONTAINER x N

Slide 61

Slide 61 text

KUBELET OPERATES… (CASE DOCKER)
7. PULL CONTAINER IMAGE
8. RUN CONTAINER IMAGE

Slide 62

Slide 62 text

kubelet: POD METADATA, VOLUMES, BASE PAUSE IMAGE, NETWORK I/F, RUNNING IMAGE, CONTAINER x N

Slide 63

Slide 63 text

kube-apiserver / BBOLT: Pod status: Running NodeName: … ← kubelet PUT

Slide 64

Slide 64 text

RPG command menu:
  kubectl run --image=nginx --replicas=3
  Fight
  kubectl get pod --all-namespaces
  sudo rm -rf / --preserve-root
  Give up on containers

Slide 65

Slide 65 text

RPG command menu:
  kubectl run --image=nginx --replicas=3
  Fight
  kubectl get pod --all-namespaces
  sudo rm -rf / --preserve-root
  Give up on containers

Slide 66

Slide 66 text

RPG command menu:
  kubectl run --image=nginx --replicas=3
  Fight
  kubectl get pod --all-namespaces
  sudo rm -rf / --preserve-root
  Give up on containers

$ kubectl get pod --all-namespaces
NAME                     READY   STATUS    RESTARTS   AGE
nginx-65cf545976-22nsz   1/1     Running   0          2d
nginx-65cf545976-2lljh   1/1     Running   0          2d
nginx-65cf545976-2lljh   1/1     Running   0          2d
…                        …
❤

Slide 67

Slide 67 text

FIN THANKS

Illustration: "I loved Irasutoya's 'chuunibyou girl' illustration so much that I ended up drawing fan art." By @Aiuti01
https://togetter.com/li/1221674
https://twitter.com/Aiuti01