Slide 1

Slide 1 text

Kubernetes Workshop EV Box Mark van Straten & Piotr Zakrzewski - Q42

Slide 2

Slide 2 text

Agenda Now Introductions + Setup environments + K8s hello world 10:00 Monitoring & Alerting 11:00 Diagnosing & Resolving issues 12:00 Lunch 13:00 Network Policies 14:00 Istio 14:45 Multi Region 15:30 Free form discussion 16:30 Wrap up

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

Case: Philips Hue

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text


Slide 7

Slide 7 text

Backend notifier Token validation service Bridge websocket API Bridge http API Hue Cloud API

Slide 8

Slide 8 text

1 prod cluster 25 services 160 nodes 600 pods

Slide 9

Slide 9 text

What is k8s? - Container orchestration system - Developed initially by Google, now open source - By default works with Docker images - Provides a framework for configuring deployment, networking and scaling

Slide 10

Slide 10 text

Why do people use k8s?
- Scalability! Strong toolkit for (esp. horizontal) scaling
  - Scaling on RAM/CPU out of the box
  - Vertical pod scaling also possible
  - Custom scaling methods possible
- Smart rollout strategies
- Good abstractions for container orchestration
  - Network Policies
  - RBAC
  - Secrets/Config management
- Powerful ecosystem for common tasks
  - Monitoring: Stackdriver, adapters for others like Datadog or Prometheus
  - CI/CD: Helm, Spinnaker
  - kubectl

Slide 11

Slide 11 text

Kubernetes Basics full version at

Slide 12

Slide 12 text

Kubernetes Basics

Slide 13

Slide 13 text

Kubernetes Basics

Slide 14

Slide 14 text

Hands on: Prep environment - Everybody needs to create their own project inside GCP - Billing needs to be enabled - We will provide you with a $40 voucher

Slide 15

Slide 15 text

Dev Env Setup for the Workshop - Create a Google Cloud Project (link) using our voucher - Install the Google Cloud SDK (gcloud) command line tools (link: hD6K3MZ8O0M/edit#heading=h.tremawe2ds3r) - Install kubectl: `gcloud components install kubectl` - Install Docker

Slide 16

Slide 16 text

Hands on: Hello world k8s - Goal: a basic 3-tier application (frontend-middleware-backend) running on k8s - See the Hands-on document for a global step-by-step guide - Verify that you are connected to your own cluster: `kubectl config get-contexts` (the active context is marked with `*`)

Slide 17

Slide 17 text

Recap - 3-tier app: frontend => middleware => backend, backend => external service - No scaling (HPA) yet - Not much Kubernetes magic

Slide 18

Slide 18 text

Monitoring & Alerting

Slide 19

Slide 19 text

Stackdriver structured logging ● Stackdriver by default collects stdout/stderr of your containers as logs ● You can have your client emit structured JSON log lines to enrich your experience (severity, source location, service context are parsed into LogEntry fields) ● Formats: Stackdriver LogEntry representation (link)

Slide 20

Slide 20 text

Example structured logging format

{
  "message": "Error Message\njava.lang.NullPointerException: NPE\n\tat\n\t",
  "thread": "logTestThread",
  "severity": "ERROR",
  "sourceLocation": { "file": "", "line": "16", "function": "" },
  "serviceContext": { "service": "myservice", "version": "1.0.0" }
}

Slide 21

Slide 21 text

Results in Stackdriver logging - Go to Stackdriver Logging (sign in required)

Slide 22

Slide 22 text

Metrics: Four golden signals (Google SRE book, chapter "Monitoring Distributed Systems", #xref_monitoring_golden-signals) 1. Latency 2. Traffic 3. Errors 4. Saturation / Utilization

Slide 23

Slide 23 text

Hands on - Monitoring with Stackdriver - Goal: learn how metrics are emitted towards Stackdriver and how to get Kubernetes metrics into Stackdriver

Slide 24

Slide 24 text

DEMO: Philips Hue setup - signals 1. Latency - websocket latency 2. Traffic - connections opening/closing // messages today 3. Errors - bridge answered with a failure 4. Saturation - capacity left

Slide 25

Slide 25 text

DEMO: Philips Hue setup - signals

Slide 26

Slide 26 text

DEMO: Philips Hue setup - monitors

Slide 27

Slide 27 text

Diagnosing & Resolving issues

Slide 28

Slide 28 text

Hands on: Stackdriver error reporting - Goal: experience the ease of use of Stackdriver Error Reporting

Slide 29

Slide 29 text

Hands on: Cloud debugger - Use your knowledge from the previous parts to: 1) Local milestone: run a Node.js app with cloud debugger integration and capture a snapshot in Stackdriver 2) k8s milestone with baked-in secrets: deploy the same app with the secrets included in the container image 3) k8s bonus milestone: mount the secrets as a k8s Secret resource (The Right Way)

Slide 30

Slide 30 text

Cloud Debugger Hands On - Cloud Debugger allows you to investigate the state of a web application running on Google Cloud - Somewhat less extensive than the debuggers you may be used to: no step-over, only snapshots - The Cloud Debugger agent needs to be installed in the web app you want to debug - We will use a minimal app with the Cloud Debugger agent enabled

Slide 31

Slide 31 text

Debugger needs a service account ... - The debugger agent needs a service account key to connect to your project and submit snapshots - The key is a secret: you must not check it into the repo, and baking it into the container image is just as bad (anyone who can pull the image gets the key) - Fortunately k8s has first-class support for secrets
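The following manifest is an added example for milestone 3; it is not part of the workshop deck or the hands-on document. It assumes a service-account key file `./key.json` for a service account that holds only the Cloud Debugger Agent role, a hypothetical image name for the Node.js app, and that the Secret is created out of band with `kubectl create secret generic` rather than committed to the repo or copied into the image:

```yaml
# Added example (not the workshop's own code). Assumed: ./key.json exists
# locally and a hypothetical image gcr.io/YOUR_PROJECT/debug-app:1.0.0.
# Create the Secret out of band, never commit key.json, never COPY it into
# the image:
#   kubectl create secret generic debugger-sa-key --from-file=key.json=./key.json
apiVersion: apps/v1
kind: Deployment
metadata:
  name: debug-app
  labels:
    app: debug-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: debug-app
  template:
    metadata:
      labels:
        app: debug-app
    spec:
      # Run unprivileged; fsGroup gives the projected key file group
      # ownership 1000 so the app can read it without it being world-readable.
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        fsGroup: 1000
      containers:
      - name: app
        image: gcr.io/YOUR_PROJECT/debug-app:1.0.0   # hypothetical image
        env:
        # Google client libraries (Application Default Credentials), and the
        # @google-cloud/debug-agent through them, read the key from this path.
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /var/secrets/google/key.json
        volumeMounts:
        - name: sa-key
          mountPath: /var/secrets/google
          readOnly: true
      volumes:
      - name: sa-key
        secret:
          secretName: debugger-sa-key
          defaultMode: 0440   # owner/group read only
```

Check the mount with `kubectl exec <debug-app pod> -- ls -l /var/secrets/google`: the key should be readable, mode 0440, and absent from the image (`docker run --rm <image> ls /app` must not list it). Two caveats a practitioner should keep in mind: a Kubernetes Secret is only base64-encoded in etcd, so enable encryption at rest (on GKE: application-layer secrets encryption with Cloud KMS) and restrict `get`/`list` on secrets with RBAC; and a service-account key is a long-lived credential, so rotate it and prefer a workload identity mechanism that issues short-lived tokens where your platform offers one.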

Slide 32

Slide 32 text

Material for the open-ended milestone - K8s Deployments - K8s Secrets docs: - Mounting volumes:

Slide 33

Slide 33 text

Lunch break until 13:00

Slide 34

Slide 34 text

Agenda Now ✔ Introductions + Setup environments + K8s hello world 10:00 ✔ Monitoring & Alerting 11:00 ✔ Diagnosing & Resolving issues 12:00 ✔ Lunch 13:00 Network Policies 14:00 Istio 14:45 Multi Region 15:30 Free form discussion 16:30 Wrap up

Slide 35

Slide 35 text

Network Policies

Slide 36

Slide 36 text

Kubernetes networking basics - kube-dns and kube-proxy - Services and name resolution - Load balancers and access to the cluster from outside

Slide 37

Slide 37 text

Network Policies - Enforced at OSI layers 3/4 (IP addresses and ports; the CNI plugin programs iptables rules in the kernel) - Many implementations possible; we will use Calico during the workshop, which is also what we use at Hue - Ingress and egress - A pod only becomes isolated once at least one policy selects it; until then it accepts all traffic

Slide 38

Slide 38 text

No content

Slide 39

Slide 39 text

Network Policies Hands On
- Assumption: everyone has access to their cluster with billing on
- Create a deployment and a service with NGINX serving the default NGINX welcome page on port 80:
  kubectl run apiserver --image=nginx --labels app=bookstore,role=api --expose --port 80
- Verify that it works:
  - Create and log into a second container: kubectl run test-$RANDOM --rm -i -t --image=alpine
  - Send a request from the new container to the api container
  - You should get a 200 OK and the HTML of the welcome page
- We will use this deployment for the rest of the hands-on

Slide 40

Slide 40 text

Network Policies Hands On - Restrict access to a pod based on a label - Only requests coming from pods with the given label are allowed

Slide 41

Slide 41 text

Network Policies Hands On - Allow all with an empty pod selector in the ingress rule - Such a rule matches pods only, so it does not allow traffic coming from outside the cluster ...

Slide 42

Slide 42 text

Network Policies Hands On - An ingress rule with an empty from list ([]) allows ALL traffic, also from outside the cluster (if the pod is exposed) - It is often useful to restrict access to one port only: the [] source selector can be combined with other rule fields such as "ports"
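The four manifests below are added examples covering the three hands-on steps above (restrict by label, allow all pods, allow all sources on one port); they are not part of the workshop deck or the hands-on document. They assume the `apiserver` nginx pod created earlier (labels `app=bookstore,role=api`) lives in the `default` namespace and that the cluster runs a CNI plugin that enforces NetworkPolicy (Calico in this workshop). The policy names are my own.

```yaml
# Added example manifests (not the workshop's own code). Assumed: the
# "apiserver" pod from "kubectl run apiserver --image=nginx --labels
# app=bookstore,role=api --expose --port 80" is in namespace "default" and
# Calico enforces the policies. Apply with: kubectl apply -f policies.yaml
#
# Semantics: a pod is isolated only once at least one policy selects it;
# before that it accepts everything. Once isolated, the allow rules of ALL
# policies selecting it are OR-ed together, so apply these one at a time
# (kubectl delete networkpolicy <name>) to observe each effect in isolation.
---
# 1. Default deny: select every pod in the namespace and allow no ingress.
#    "ingress: []" (an empty RULE LIST) is deny-all; do not confuse it with
#    "ingress: [{}]" (one rule with no restrictions), which is allow-all.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress: []
---
# 2. Restrict by label: only pods carrying app=bookstore may reach the api
#    pods. The test-$RANDOM alpine pod does not carry that label, so its
#    request now times out; start it with "--labels app=bookstore" to get in.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-bookstore
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: bookstore
      role: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: bookstore
---
# 3. Empty pod selector ("podSelector: {}") matches ALL pods in the same
#    namespace. Traffic from outside the cluster (e.g. via a LoadBalancer
#    service) is not a pod and therefore stays blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-all-pods-in-namespace
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: bookstore
      role: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}
---
# 4. A rule WITHOUT a "from" list (equivalently "from: []") matches every
#    source, including traffic from outside the cluster. Combining it with
#    "ports" limits the exposure to TCP/80 only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-all-port-80
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: bookstore
      role: api
  policyTypes:
  - Ingress
  ingress:
  - ports:
    - protocol: TCP
      port: 80
```

To check each step, run `wget -qO- -T 2 http://apiserver` from the alpine test pod: with only policy 1 applied it must time out, with policy 2 it succeeds only when the test pod was started with `--labels app=bookstore`, and with policy 3 or 4 any pod in the namespace gets the welcome page. `kubectl describe networkpolicy -n default` shows how the API server parsed each rule, which is the quickest way to catch the `[]` versus `[{}]` mistake before it reaches the cluster.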

Slide 43

Slide 43 text


Slide 44

Slide 44 text

Istio: service mesh

Slide 45

Slide 45 text

Caveats - Istio does not replace Kubernetes network policies (Calico by default on GKE): Istio's policies are enforced at L7 in the Envoy sidecar, NetworkPolicy at L3/4 in the kernel, and the two complement each other - Access from a service to the Kubernetes API server is still governed by k8s RBAC - Managed Istio on GKE was not GA at the time of this workshop, expected somewhere in 2019

Slide 46

Slide 46 text

Multi Region

Slide 47

Slide 47 text

Going multi-region with K8s on Google Cloud - Regions vs. zones - Some services are bound to regions, nodes are bound to zones - It is possible to set up multi-regional load balancers - A k8s cluster itself always lives within one region; a highly available (regional) cluster can span multiple zones of that region

Slide 48

Slide 48 text

Multi-Region support out of the box ● Google Cloud Datastore ● Google Cloud KMS ● Google Cloud Storage ● Google BigQuery ● Google Cloud Spanner

Slide 49

Slide 49 text

Kubernetes Federation (going multi-region) - By default a GKE cluster runs in a single zone with all of its nodes - It is also possible to create a high-availability regional cluster whose nodes span multiple zones of the same region - There is no support for full federation, i.e. a cloud-wide or true multi-region k8s cluster - It is however possible to set up a multi-region load balancer that directs requests to the respective regional clusters

Slide 50

Slide 50 text

No content

Slide 51

Slide 51 text

Let's try it ourselves! - Big picture: - We need to set up two instance groups on Google Compute Engine, each in a different region - Configure a load balancer pointing to these groups

Slide 52

Slide 52 text

Free form discussion

Slide 53

Slide 53 text

DONE! Now ✔ Introductions + Setup environments + K8s hello world 10:00 ✔ Monitoring & Alerting 11:00 ✔ Diagnosing & Resolving issues 12:00 ✔ Lunch 13:00 ✔ Network Policies 14:00 ✔ Istio 14:45 ✔ Multi Region 15:30 ✔ Free form discussion 16:30 ✔ Wrap up

Slide 54

Slide 54 text

Piotr Zakrzewski - [email protected] Mark van Straten - [email protected] Thanks for your time!