Slide 1

Slide 1 text

@k2r2bai Learning Kubernetes is not about becoming a YAML Engineer. COSCUP 2020. Sorry, actually I am just a YAML Engineer too.

Slide 2

Slide 2 text

About Me
白凱仁 (Kyle Bai)
• Site Reliability Engineer at AMIS/MaiCoin
• Co-organizer of Cloud Native Taiwan User Group
• Interested in emerging technologies
• Contributor to multiple OSS
• Top 3 Kubernetes contributor in Taiwan
kairen k2r2bai.com https://k8s.devstats.cncf.io

Slide 3

Slide 3 text

Kubernetes
• Container orchestration
• Self-healing
• Horizontal scaling
• Service discovery and load balancing
• Automated rollouts and rollbacks
• Secrets and configuration management
• Storage orchestration

Slide 4

Slide 4 text

Pay attention to the details

Slide 5

Slide 5 text

Here is an example

Slide 6

Slide 6 text

$ cat <<EOF > pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
    ports:
    - containerPort: 80
  volumes:
  - name: test-volume
    hostPath:
      path: /data
      type: Directory
EOF

Slide 7

Slide 7 text

$ kubectl apply -f pod.yaml

Slide 8

Slide 8 text

$ kubectl expose pod test-pod --port 80 --type LoadBalancer

Slide 9

Slide 9 text

$ curl :

Slide 10

Slide 10 text

curl: (7) Failed to connect to port : Network is unreachable
P.S. The person involved agreed to have this posted, but they still need to be protected.

Slide 11

Slide 11 text

$ kubectl logs -f test-pod

Slide 12

Slide 12 text

$ kubectl exec -ti test-pod sh

Slide 13

Slide 13 text

$ kubectl port-forward service/test-pod 80:8080

Slide 14

Slide 14 text

#CantFindTheProblem #JustLikeLove
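Before reaching for logs, exec and port-forward, a few mechanical checks on the objects involved settle most of what the build-up above leaves open. The following Python is an added example, not code from the talk: it loads the slide-6 Pod as a constructed JSON document (the shape `kubectl get pod -o json` returns) and reports what a Service and a port-forward on top of it can and cannot do. The Service parameters mirror `kubectl expose --port/--target-port/--type`, the port-forward argument is the REMOTE half of `LOCAL:REMOTE`, and the function names and finding texts are my own.

```python
"""Mechanical checks on a Pod and the Service put in front of it (added example)."""
import json

# Constructed input: the Pod from slide 6, in the JSON shape that
# `kubectl get pod test-pod -o json` returns (status fields omitted).
POD_JSON = """
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "test-pod", "namespace": "default"},
  "spec": {
    "containers": [{
      "image": "k8s.gcr.io/test-webserver",
      "name": "test-container",
      "volumeMounts": [{"mountPath": "/test-pd", "name": "test-volume"}],
      "ports": [{"containerPort": 80}]
    }],
    "volumes": [{"name": "test-volume", "hostPath": {"path": "/data", "type": "Directory"}}]
  }
}
"""


def load_pod(pod_json=POD_JSON):
    return json.loads(pod_json)


def hostpath_mounts(pod):
    """(container, mountPath, hostPath, type) for every hostPath volume a container mounts.

    A hostPath volume hands the container a piece of the node's filesystem, so each one
    deserves a deliberate decision rather than a copy-paste from an example manifest."""
    volumes = {v["name"]: v for v in pod["spec"].get("volumes", [])}
    found = []
    for c in pod["spec"]["containers"]:
        for m in c.get("volumeMounts", []):
            host = volumes.get(m["name"], {}).get("hostPath")
            if host:
                found.append((c["name"], m["mountPath"], host["path"], host.get("type", "")))
    return found


def container_ports(pod):
    """Every containerPort any container in the Pod declares."""
    return {p["containerPort"] for c in pod["spec"]["containers"] for p in c.get("ports", [])}


def audit(pod, svc_port, svc_target_port=None, svc_type="ClusterIP", forward_remote_port=None):
    """Findings for a Pod plus the Service (and kubectl port-forward) a user intends to put in front of it.

    svc_port / svc_target_port / svc_type mirror `kubectl expose --port/--target-port/--type`;
    forward_remote_port is the REMOTE half of `kubectl port-forward service/NAME LOCAL:REMOTE`."""
    findings = []
    if not pod["metadata"].get("labels"):
        findings.append("pod has no labels: a Service selects Pods by label, so no selector can match it")
    for cname, mount, path, typ in hostpath_mounts(pod):
        findings.append(f"container {cname} mounts node path {path} (type {typ or 'unset'}) at {mount}")
    target = svc_target_port if svc_target_port is not None else svc_port  # kubectl expose default
    declared = container_ports(pod)
    if target not in declared:
        findings.append(f"service targetPort {target} is not a declared containerPort {sorted(declared)}: "
                        "the container may still listen there, but verify it")
    if forward_remote_port is not None and forward_remote_port != svc_port:
        findings.append(f"port-forward asks the Service for port {forward_remote_port}, "
                        f"but it only serves port {svc_port}")
    if svc_type == "LoadBalancer":
        findings.append("type LoadBalancer: an external address exists only once the cloud controller "
                        "assigns one; check EXTERNAL-IP in `kubectl get svc` before curl")
    return findings


if __name__ == "__main__":
    # The exact sequence from slides 6 to 13: expose on 80 as LoadBalancer, then port-forward 80:8080.
    for line in audit(load_pod(), svc_port=80, svc_type="LoadBalancer", forward_remote_port=8080):
        print("-", line)
```

Two of the findings are worth spelling out. The Pod carries no labels at all, and a Service selects Pods by label, so nothing in front of it can ever route to it. And the hostPath volume hands the container `/data` on whichever node schedules it: that is a node-level trust decision, not a detail of the example.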

Slide 15

Slide 15 text


Slide 16

Slide 16 text

If you have enough money

Slide 17

Slide 17 text

P.S. The person involved agreed to have this posted, but they still need to be protected.
You can pay a professional to do it.

Slide 18

Slide 18 text

P.S. The person involved agreed to have this posted, but they still need to be protected.
But you might also spend the money, pick the wrong vendor, and get nothing for it.

Slide 19

Slide 19 text

Another example

Slide 20

Slide 20 text

$ kubectl create deploy nginx --image=nginx --replicas=3
$ kubectl scale deploy nginx --replicas=5

Slide 21

Slide 21 text

Does everyone know what happens during these two operations?

Slide 22

Slide 22 text


Slide 23

Slide 23 text

https://bit.ly/33c6zaV

Slide 24

Slide 24 text


Slide 25

Slide 25 text


Slide 26

Slide 26 text


Slide 27

Slide 27 text


Slide 28

Slide 28 text


Slide 29

Slide 29 text


Slide 30

Slide 30 text

Take Docker as an example

Slide 31

Slide 31 text


Slide 32

Slide 32 text

What about CNI?

Slide 33

Slide 33 text


Slide 34

Slide 34 text


Slide 35

Slide 35 text


Slide 36

Slide 36 text

Yet another example

Slide 37

Slide 37 text

$ kubectl expose deploy nginx --port 80
Cluster IP: 10.3.241.152

Slide 38

Slide 38 text


Slide 39

Slide 39 text

What happens when a container accesses the Cluster IP?

Slide 40

Slide 40 text

https://bit.ly/3hYXDd1

Slide 41

Slide 41 text


Slide 42

Slide 42 text


Slide 43

Slide 43 text


Slide 44

Slide 44 text

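What the linked diagrams show in pictures can be walked through in code. This is an added Python model, not code from the talk or from kube-proxy: it parses a constructed `iptables-save -t nat` excerpt of the kind kube-proxy's iptables mode programs for the Service on slide 37 (the KUBE-SERVICES/KUBE-SVC/KUBE-SEP layout follows kube-proxy, but the chain suffixes and Pod IPs are made up) and resolves a packet to the Pod it gets DNATed to. Only the matches present in the sample (-d, -s, -p, --dport, and `-m statistic --mode random --probability`) are modelled; KUBE-NODEPORTS, KUBE-POSTROUTING and conntrack are out of scope.

```python
"""How a packet to a ClusterIP reaches a Pod in kube-proxy's iptables mode (added example)."""
import ipaddress
import random
import shlex

# Constructed sample in `iptables-save -t nat` form: the rules kube-proxy programs for the
# Service on slide 37 with three ready endpoints. Chain suffixes and Pod IPs are made up.
RULES = """
-A KUBE-SERVICES -d 10.3.241.152/32 -p tcp -m comment --comment "default/nginx cluster IP" -m tcp --dport 80 -j KUBE-SVC-2CMXP7HKUVJN7L6M
-A KUBE-SVC-2CMXP7HKUVJN7L6M -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-AAAAAAAAAAAAAAAA
-A KUBE-SVC-2CMXP7HKUVJN7L6M -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-BBBBBBBBBBBBBBBB
-A KUBE-SVC-2CMXP7HKUVJN7L6M -j KUBE-SEP-CCCCCCCCCCCCCCCC
-A KUBE-SEP-AAAAAAAAAAAAAAAA -s 10.244.1.5/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-AAAAAAAAAAAAAAAA -p tcp -m tcp -j DNAT --to-destination 10.244.1.5:80
-A KUBE-SEP-BBBBBBBBBBBBBBBB -s 10.244.2.7/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-BBBBBBBBBBBBBBBB -p tcp -m tcp -j DNAT --to-destination 10.244.2.7:80
-A KUBE-SEP-CCCCCCCCCCCCCCCC -s 10.244.3.2/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-CCCCCCCCCCCCCCCC -p tcp -m tcp -j DNAT --to-destination 10.244.3.2:80
"""


def parse_rules(text):
    """Parse `-A CHAIN ...` lines into {chain: [rule, ...]}, keeping only the matches we model."""
    chains = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "-A":
            continue
        rule, i = {"target": None}, 2
        while i < len(tok):          # every option in the sample takes exactly one argument
            opt, arg = tok[i], tok[i + 1]
            if opt == "-d":
                rule["dst"] = ipaddress.ip_network(arg)
            elif opt == "-s":
                rule["src"] = ipaddress.ip_network(arg)
            elif opt == "-p":
                rule["proto"] = arg
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt == "--probability":
                rule["prob"] = float(arg)
            elif opt == "-j":
                rule["target"] = arg
            elif opt == "--to-destination":
                ip, port = arg.rsplit(":", 1)
                rule["to"] = (ip, int(port))
            # -m <ext>, --mode, --comment: match-extension bookkeeping we do not need
            i += 2
        chains.setdefault(tok[1], []).append(rule)
    return chains


def matches(rule, pkt, rng):
    """Evaluate -d, -s, -p, --dport and the statistic-random probability against one packet."""
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt["dport"]:
        return False
    if "prob" in rule and rng.random() >= rule["prob"]:
        return False
    return True


def walk(chains, chain, pkt, rng, state):
    """Walk a chain like netfilter: first terminating target wins; a jumped-to chain returns on fall-through."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt, rng):
            continue
        target = rule["target"]
        if target == "DNAT":
            return rule["to"]
        if target == "KUBE-MARK-MASQ":
            state["masq"] = True     # MARK is non-terminating: the packet continues down the chain
            continue
        if target in chains:
            hit = walk(chains, target, pkt, rng, state)
            if hit is not None:
                return hit
    return None


def resolve(chains, pkt, rng=random):
    """(endpoint the packet is DNATed to or None, whether it was marked for masquerade).
    PREROUTING/OUTPUT jump into KUBE-SERVICES first, which is where the walk starts."""
    state = {"masq": False}
    return walk(chains, "KUBE-SERVICES", pkt, rng, state), state["masq"]


class FirstMatch:
    """Deterministic stand-in for random: always takes the first probability rule."""
    def random(self):
        return 0.0


def distribution(chains, n, seed=0):
    """Send n new connections from a client Pod through the rules and count the endpoints chosen."""
    rng = random.Random(seed)
    pkt = {"src": "10.244.9.9", "dst": "10.3.241.152", "proto": "tcp", "dport": 80}
    counts = {}
    for _ in range(n):
        endpoint, _ = resolve(chains, pkt, rng)
        counts[endpoint] = counts.get(endpoint, 0) + 1
    return counts


if __name__ == "__main__":
    print(distribution(parse_rules(RULES), 30000))
```

The probability ladder is the part people misread: 1/3, then 1/2 of the remaining 2/3, then the rest, which is a uniform pick per new connection (conntrack keeps an established flow on its endpoint). The `-s` rule in each KUBE-SEP chain is the hairpin case: a Pod that reaches its own Service and gets picked as the endpoint is marked for masquerade, so that the reply goes back through the node's conntrack instead of straight to itself.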

Slide 45

Slide 45 text

And another example

Slide 46

Slide 46 text

$ kubectl delete deploy nginx

Slide 47

Slide 47 text

https://bit.ly/2PeamMQ

Slide 48

Slide 48 text


Slide 49

Slide 49 text

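The two commands on slide 20 and the delete on slide 46 look like three edits to three objects, but each one is acted on by a different control loop. The following Python is an added simulation, not code from the talk and not Kubernetes code: a toy object store with the Deployment controller, the ReplicaSet controller and the garbage collector reduced to their reconcile functions, run to convergence after each kubectl-style edit. Object names, the uid scheme and the template hash are stand-ins (the real pod-template-hash is not SHA-1), and only the controller ownerReference is modelled.

```python
"""What the controllers do behind `kubectl create deploy`, `scale` and `delete` (added example)."""
import hashlib
import itertools
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Obj:
    kind: str
    name: str
    uid: str
    spec: dict = field(default_factory=dict)
    owner_uid: Optional[str] = None   # uid from the controller ownerReference, if any


class Store:
    """Stand-in for the API server's object store: create, delete, list by kind and owner."""

    def __init__(self):
        self.objs = {}
        self.uids = itertools.count(1)

    def create(self, kind, name, spec, owner=None):
        obj = Obj(kind, name, f"uid-{next(self.uids)}", spec, owner.uid if owner else None)
        self.objs[obj.uid] = obj
        return obj

    def delete(self, uid):
        self.objs.pop(uid, None)   # dependents stay behind; the garbage collector deals with them

    def list(self, kind, owner_uid=None):
        return [o for o in self.objs.values()
                if o.kind == kind and (owner_uid is None or o.owner_uid == owner_uid)]


def template_hash(spec):
    """Stand-in for the pod-template-hash suffix: a hash of the template without replicas."""
    template = {k: v for k, v in spec.items() if k != "replicas"}
    return hashlib.sha1(json.dumps(template, sort_keys=True).encode()).hexdigest()[:10]


def reconcile_deployments(s):
    """Deployment controller: one ReplicaSet per Deployment, its replicas tracking the Deployment's."""
    changed = False
    for d in s.list("Deployment"):
        rss = s.list("ReplicaSet", owner_uid=d.uid)
        if not rss:
            s.create("ReplicaSet", f"{d.name}-{template_hash(d.spec)}", dict(d.spec), owner=d)
            changed = True
        elif rss[0].spec["replicas"] != d.spec["replicas"]:
            rss[0].spec["replicas"] = d.spec["replicas"]
            changed = True
    return changed


def reconcile_replicasets(s):
    """ReplicaSet controller: create or delete Pods until the count matches spec.replicas."""
    changed = False
    for rs in s.list("ReplicaSet"):
        pods = s.list("Pod", owner_uid=rs.uid)
        missing = rs.spec["replicas"] - len(pods)
        for i in range(missing):
            s.create("Pod", f"{rs.name}-{len(pods) + i}", {"image": rs.spec["image"]}, owner=rs)
            changed = True
        for p in pods[:max(0, -missing)]:
            s.delete(p.uid)
            changed = True
    return changed


def garbage_collect(s):
    """Garbage collector: anything whose controlling owner no longer exists is deleted."""
    changed = False
    for o in list(s.objs.values()):
        if o.owner_uid is not None and o.owner_uid not in s.objs:
            s.delete(o.uid)
            changed = True
    return changed


def settle(s, max_rounds=20):
    """Run the control loops until none of them changes anything (the cluster has converged)."""
    for _ in range(max_rounds):
        if not any([reconcile_deployments(s), reconcile_replicasets(s), garbage_collect(s)]):
            return s
    raise RuntimeError("control loops did not converge")


def demo():
    """create deploy nginx --replicas=3; scale --replicas=5; delete deploy nginx."""
    s = Store()
    d = s.create("Deployment", "nginx", {"image": "nginx", "replicas": 3})
    settle(s)
    after_create = (len(s.list("ReplicaSet")), len(s.list("Pod")))
    d.spec["replicas"] = 5        # kubectl scale edits this one field and nothing else
    settle(s)
    after_scale = (len(s.list("ReplicaSet")), len(s.list("Pod")))
    s.delete(d.uid)               # kubectl delete deploy: only the Deployment object goes away here...
    settle(s)
    after_delete = len(s.objs)    # ...the GC then removes the ReplicaSet and Pods via ownerReferences
    return after_create, after_scale, after_delete


if __name__ == "__main__":
    print(demo())   # ((1, 3), (1, 5), 0)
```

`kubectl scale` changes one integer on the Deployment and `kubectl delete` removes one object. Everything else, including the two extra Pods and the ReplicaSet and Pods that vanish after the delete, is the controllers and the garbage collector following ownerReferences. The same loop is why a Pod you delete by hand comes back a moment later.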

Slide 50

Slide 50 text

One more example

Slide 51

Slide 51 text

$ kubeadm init --pod-network-cidr=10.244.0.0/16

Slide 52

Slide 52 text


Slide 53

Slide 53 text


Slide 54

Slide 54 text


Slide 55

Slide 55 text

$ kubeadm join : \
    --token 光復香港

Slide 56

Slide 56 text


Slide 57

Slide 57 text


Slide 58

Slide 58 text

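The join command above carries the one credential that matters at this point, a bootstrap token, and its format is the visible part of a protocol. This is an added Python model, not code from the talk or from kubeadm: it validates the token format kubeadm documents (`[a-z0-9]{6}.[a-z0-9]{16}`), derives the name of the kube-system Secret the control plane stores it in, and reproduces the scheme `kubeadm join` relies on for token-based discovery, where the kube-public/cluster-info ConfigMap publishes the kubeconfig together with a detached HS256 JWS per token (key `jws-kubeconfig-<id>`) keyed with that token's secret, so a joiner that knows the secret can trust the CA it finds there before it has any CA. The kubeconfig text is constructed and the JWS header encoding is my own; go-jose's byte-exact serialization is not reproduced.

```python
"""What a kubeadm bootstrap token is and how `kubeadm join` uses it (added example)."""
import base64
import hashlib
import hmac
import json
import random
import re
import secrets

TOKEN_RE = re.compile(r"^([a-z0-9]{6})\.([a-z0-9]{16})$")   # documented kubeadm token format
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

# Constructed stand-in for the `kubeconfig` key of the kube-public/cluster-info ConfigMap.
KUBECONFIG = """\
apiVersion: v1
kind: Config
clusters:
- name: ""
  cluster:
    server: https://192.0.2.10:6443
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi4uLgo=
"""


def new_token(rng=secrets):
    """token-id.token-secret: the id is public, the secret is the credential."""
    pick = lambda n: "".join(rng.choice(ALPHABET) for _ in range(n))
    return f"{pick(6)}.{pick(16)}"


def parse_token(token):
    m = TOKEN_RE.match(token)
    if not m:
        raise ValueError("not a bootstrap token: expected [a-z0-9]{6}.[a-z0-9]{16}")
    return m.group(1), m.group(2)


def secret_name(token_id):
    """Where the control plane keeps the token: a kube-system Secret of type bootstrap.kubernetes.io/token."""
    return f"bootstrap-token-{token_id}"


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_detached(content, token_id, token_secret):
    """HS256 JWS over `content`, keyed with the token secret, detached form: header..signature."""
    header = b64url(json.dumps({"alg": "HS256", "kid": token_id}, separators=(",", ":")).encode())
    signing_input = f"{header}.{b64url(content)}".encode()
    sig = hmac.new(token_secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}..{b64url(sig)}"


def verify_detached(content, detached, token_id, token_secret):
    parts = detached.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False
    header = json.loads(unb64url(parts[0]))
    if header.get("alg") != "HS256" or header.get("kid") != token_id:
        return False
    signing_input = f"{parts[0]}.{b64url(content)}".encode()
    expected = hmac.new(token_secret.encode(), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, unb64url(parts[2]))


def build_cluster_info(kubeconfig, tokens):
    """Control-plane side: publish the kubeconfig plus one jws-kubeconfig-<id> entry per valid token."""
    data = {"kubeconfig": kubeconfig}
    for token in tokens:
        tid, tsecret = parse_token(token)
        data[f"jws-kubeconfig-{tid}"] = sign_detached(kubeconfig.encode(), tid, tsecret)
    return data


def discover(cluster_info, token):
    """Joining-node side: cluster-info is readable anonymously, so only a valid signature makes its CA trustworthy."""
    tid, tsecret = parse_token(token)
    sig = cluster_info.get(f"jws-kubeconfig-{tid}")
    if sig is None:
        raise ValueError(f"no jws-kubeconfig-{tid} entry: token unknown, expired, or never created")
    if not verify_detached(cluster_info["kubeconfig"].encode(), sig, tid, tsecret):
        raise ValueError("cluster-info signature does not verify: wrong token secret or tampered kubeconfig")
    return cluster_info["kubeconfig"]


def fails(fn, *args):
    try:
        fn(*args)
        return False
    except ValueError:
        return True


def demo(seed=7):
    """Issue a token, publish signed cluster-info, then show what a joiner can and cannot verify."""
    rng = random.Random(seed)
    token, stranger = new_token(rng), new_token(rng)
    cluster_info = build_cluster_info(KUBECONFIG, [token])
    genuine = discover(cluster_info, token) == KUBECONFIG
    tampered = dict(cluster_info, kubeconfig=KUBECONFIG.replace("192.0.2.10", "198.51.100.9"))
    return genuine, fails(discover, tampered, token), fails(discover, cluster_info, stranger)


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

Two consequences for the slide: the token shown there would be rejected on format before anything else happens, and a real one on a public slide is a complete credential. With kubeadm's default RBAC it authenticates as `system:bootstrap:<id>` and lets the holder get a node client certificate approved, so rotate it with `kubeadm token delete`, and still pass `--discovery-token-ca-cert-hash` so that discovery is pinned to the CA as well as to the token.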

Slide 59

Slide 59 text

And more examples

Slide 60

Slide 60 text

Misconfigured Kubeflow workloads are a security risk
"A suspicious Kubeflow image was seen deployed to thousands of clusters in April, all from a single public repository. Closer inspection showed that the image runs a common open-source cryptojacking malware that mines the Monero virtual currency, known as XMRIG."
https://bit.ly/2NI7Q0A

Slide 61

Slide 61 text

CVE-2019-14271
"CVE-2019-14271 marks a security issue in the implementation of the Docker cp command that can lead to full container escape when exploited by an attacker."
https://bit.ly/2VwF6Mr
https://www.anquanke.com/post/id/193218

Slide 62

Slide 62 text

CVE-2019-5736
"Allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers:
• A new container with an attacker-controlled image.
• An existing container, to which the attacker previously had write access, that can be attached with docker exec."
https://www.cvedetails.com/cve/CVE-2019-5736/

Slide 63

Slide 63 text

Core knowledge

Slide 64

Slide 64 text

Kubernetes
• https://github.com/shubheksha/kubernetes-internals
• https://github.com/daniel-hutao/k8s-source-code-analysis
• https://github.com/kelseyhightower/kubernetes-the-hard-way
• https://github.com/kubernetes/kubeadm/tree/master/docs/design
• https://github.com/kubernetes/enhancements
• https://github.com/containernetworking/cni/blob/master/SPEC.md
• https://github.com/hwchiu/ithome-2020ironman

Slide 65

Slide 65 text

Distributed Systems https://bit.ly/30lgN7j

Slide 66

Slide 66 text

Books you may have read over the years

Slide 67

Slide 67 text

Books you may have read over the years

Slide 68

Slide 68 text

Summary

Slide 69

Slide 69 text

Don't wear yourself out; being a YAML Engineer is fine too.

Slide 70

Slide 70 text


Slide 71

Slide 71 text


Slide 72

Slide 72 text

It's really delicious.

Slide 73

Slide 73 text
