OpenShift Meetup Tokyo #3 (2019/3/28) Kazuki Suda @superbrothers oc observe コマンドではじめる
 Kubernetes コントローラ開発

@superbrothers Kazuki Suda superbrothers 2019年3⽉2⽇発売 2019年4⽉18⽇発売

@superbrothers Kubernetes コントローラとは何か Kubernetes オブジェクトの追加/削除/変更を監視して、オブジェクトを
 操作するビジネスロジックを実⾏する Observe Analyze Act

@superbrothers Kubernetes コントローラとは何か ▶ kubelet + Pods の追加/削除を監視してコンテナを操作する ▶ kube-proxy (iptables) + Services の追加/削除/変更を監視して、iptables のルールを操作する ▶ kube-controller-manager + Deployments, CronJobs などの追加/削除/変更を監視して、
 オブジェクトを操作する

No content

@superbrothers Kubernetes Operator とは何か Kubernetes のユーザに変わって複雑なステートフルアプリケーションのインスタ ンスを作成、スケール、アップグレード、設定変更などを⾏うコントローラ An Operator represents human operational knowledge in software to reliably manage an application. https://coreos.com/operators/

@superbrothers Kubernetes Operator とは何か 基本的な Kubernetes のリソースとコントローラの概念をもとにして、Kubernetes の拡張機能を活⽤しアプリケーション固有の運⽤ナレッジをソフトウェアとして プログラムする CustomResourceDefinitions + Kubernetes Controller

@superbrothers Kubernetes コントローラ/Operator 開発ツール ▶ kubernetes/client-go, kubernetes/code-generator ▶ kubernetes-sigs/controller-runtime, kubernetes/code-generator ▶ operator-framework/operator-sdk ▶ kubernetes-sigs/kubebuilder ▶ GoogleCloudPlatform/metacontroller ▶ oc observe コマンド

@superbrothers oc observe とは何か oc コマンドのサブコマンド ▶ Kubernetes オブジェクトの追加/削除/変更のイベントをトリガに
 任意のスクリプトファイルを呼び出す ▶ oc コマンドのオリジナルで kubectl には存在しない + OpenShift だけでなく、通常の Kubernetes でも利⽤できる ❗ 私たちは、PoC 実装⽤に Kubernetes 上で利⽤しています $ oc observe namespaces -- ./set_owner.sh

@superbrothers Observe Analyze Act oc observe ./set_owner.sh

@superbrothers #!/bin/sh if [[ "$(oc get namespace "$1" -o 'jsonpath={.metadata.annotations.owner}')" == "" ]]; then oc annotate namespace "$1" "owner=bob" fi

@superbrothers apiVersion: apps/v1 kind: Deployment metadata: name: mycontroller spec: selector: matchLabels: app: mycontroller template: metadata: labels: app: mycontroller spec: containers: - name: oc image: openshift/origin-cli:v3.11 command: - /bin/bash - -xec - | cat <<'SCRIPT' >./set_owner.sh #!/bin/bash if [[ "$(oc get namespace "$1" -o 'jsonpath={.metadata.annotations.owner}')" == "" ]]; then oc annotate namespace "$1" "owner=bob" fi SCRIPT chmod +x ./set_owner.sh oc observe namespaces -- ./set_owner.sh

@superbrothers より詳しい oc observe コマンドの使い⽅ $ oc observe -h Observe changes to resources and take action on them This command assists in building scripted reactions to changes that occur in Kubernetes or OpenShift resources. This is frequently referred to as a 'controller' in Kubernetes and acts to ensure particular conditions are maintained. On startup, observe will list all of the resources of a particular type and execute the provided script on each one. Observe watches the server for changes, and will reexecute the script for each update. Observe works best for problems of the form "for every resource X, make sure Y is true". Some examples of ways observe can be used include: * Ensure every namespace has a quota or limit range object * Ensure every service is registered in DNS by making calls to a DNS API * Send an email alert whenever a node reports 'NotReady' * Watch for the 'FailedScheduling' event and write an IRC message * Dynamically provision persistent volumes when a new PVC is created * Delete pods that have reached successful completion after a period of time. The simplest pattern is maintaining an invariant on an object - for instance, "every namespace should have an annotation that indicates its owner". If the object is deleted no reaction is necessary. A variation on that pattern is creating another object: "every namespace should have a quota object based on the resources allowed for an owner". $ cat set_owner.sh #!/bin/sh

@superbrothers

@superbrothers We’re hiring Kubernetes, Prometheus, CoreOS, Golang