Slide 1

Kubernetes Workshop EV Box
Mark van Straten & Piotr Zakrzewski - Q42

Slide 2

Agenda
- Now: Introductions + Setup environments + K8s hello world
- 10:00: Monitoring & Alerting
- 11:00: Diagnosing & Resolving issues
- 12:00: Lunch
- 13:00: Network Policies
- 14:00: Istio
- 14:45: Multi Region
- 15:30: Free form discussion
- 16:30: Wrap up

Slide 4

Case: Philips Hue

Slide 6

USING KUBERNETES SINCE 2016

Slide 7

- Backend notifier
- Token validation service
- Bridge websocket API
- Bridge http API
- Hue Cloud API

Slide 8

- 1 prod cluster
- 25 services
- 160 nodes
- 600 pods

Slide 9

What is k8s?
- Container orchestration system
- Developed initially by Google, now open source
- By default works with Docker images
- Provides a framework for configuring deployment, networking and scaling

Slide 10

Why do people use k8s?
- Scalability! Strong toolkit for (esp. horizontal) scaling
  - Scaling on RAM/CPU out of the box
  - Vertical pod scaling also possible
  - Custom scaling methods possible
- Smart rollout strategies
- Good abstractions for container orchestration
  - Network Policies
  - RBAC
  - Secrets/Config management
- Powerful ecosystem for common tasks
  - Monitoring: Stackdriver, adapters for others like Datadog or Prometheus
  - CI/CD: Helm, Spinnaker
  - kubectl

Slide 11

Kubernetes Basics full version at https://kubernetes.io/docs/tutorials/kubernetes-basics

Slide 12

Kubernetes Basics

Slide 13

Kubernetes Basics

Slide 14

Hands on: Prep environment
- Everybody needs to create their own project inside GCP
- Billing needs to be enabled
- We will provide you with a $40 voucher

Slide 15

Dev Env Setup for the Workshop
- Create Google Cloud Project (link) using our voucher
- Install GCE command line tools
- Install kubectl
- Install docker
- https://docs.google.com/document/d/1E03-g0h3MgFlohXqPNYCjl7Pv_CA_l0zhD6K3MZ8O0M/edit#heading=h.tremawe2ds3r

Links:
- gcloud: https://cloud.google.com/sdk/docs/quickstart-macos
- kubectl: `gcloud components install kubectl`
- Docker: https://www.docker.com/products/docker-desktop

Slide 16

Hands on: Hello world k8s
- Goal: basic 3-tier application (frontend-middleware-backend) running on k8s
- See the Hands on document for a global step-by-step guide

Verify you are connected to your own cluster: `kubectl config get-contexts`

Slide 17

Recap
- 3-tier app: frontend => middleware => backend
- backend => external service
- No scaling (HPA) yet
- Not much Kubernetes magic

Slide 18

Monitoring & Alerting

Slide 19

Stackdriver structured logging
- Stackdriver by default takes stdout/stderr for your logs
- You can have your client emit structured JSON log lines to enrich your experience

Formats
- https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry
- https://cloud.google.com/error-reporting/docs/formatting-error-messages#json_representation

Slide 20

Example structured logging format

    {
      "message": "Error Message\njava.lang.NullPointerException: NPE\n\tat adam.Log4jTester.run(Log4jTester.java:16)\n\t",
      "thread": "logTestThread",
      "severity": "ERROR",
      "sourceLocation": {
        "file": "Log4jTester.java",
        "line": "16",
        "function": "adam.Log4jTester.run"
      },
      "serviceContext": {
        "service": "myservice",
        "version": "1.0.0"
      }
    }

Slide 21

Results in Stackdriver logging
Go to Stackdriver logging (sign in required)

Slide 22

Metrics: Four golden signals (https://landing.google.com/sre/sre-book/chapters/monitoring-distributed-systems/#xref_monitoring_golden-signals)
1. Latency
2. Traffic
3. Errors
4. Saturation / Utilization

Slide 23

Hands on - Monitoring with Stackdriver
Goal: Learn how metrics are emitted to Stackdriver and how to get Kubernetes metrics into Stackdriver

Slide 24

DEMO: Philips Hue setup - signals
1. Latency - websocket latency
2. Traffic - connections opening/closing // messages today
3. Errors - bridge answered with a failure
4. Saturation - capacity left

Slide 25

DEMO: Philips Hue setup - signals

Slide 26

DEMO: Philips Hue setup - monitors

Slide 27

Diagnosing & Resolving issues

Slide 28

Hands on: Stackdriver error reporting
Goal: Experience the ease of use of Stackdriver Error Reporting

Slide 29

Hands on: Cloud debugger
Use your knowledge from the previous parts to:
1. Local milestone: run a Node.js app with Cloud Debugger integration and capture a snapshot in Stackdriver
2. k8s milestone with baked-in secrets: deploy the same app with the secrets included in the container
3. k8s bonus milestone: mount the secrets as a k8s resource (The Right Way)

Slide 30

Cloud Debugger Hands On
- Cloud Debugger allows investigating the state of a web application running in GCE
- Somewhat less extensive than the typical debuggers you might be used to: no step over, this is only a snapshot
- Cloud Debugger needs to be installed in the webapp you want to debug
- We will use a minimal app with Cloud Debugger enabled

Slide 31

Debugger needs a service account ...
- The Debugger Agent needs a Service Account key to connect to your project and submit snapshots
- The key is a secret, you cannot check it into the repo
- Fortunately, K8s has first-class support for secrets

Slide 32

Material for the open-ended milestone
- K8s Deployments: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
- K8s Secrets docs: https://kubernetes.io/docs/concepts/configuration/secret/
- Mounting volumes: https://kubernetes.io/docs/concepts/storage/volumes/
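One way to complete bonus milestone 3 (the service-account key mounted as a Secret volume instead of baked into the image), written as an added example that is not part of the workshop's hands-on document; the Secret name, Deployment name, image, mount path and the assumption that the app's debugger agent picks the key up via Application Default Credentials are all mine:

```yaml
# Added example for bonus milestone 3; not from the workshop materials.
# Secret name, Deployment name, image and mount path are assumptions.
#
# Create the Secret once from the downloaded key file, outside the repo:
#   kubectl create secret generic debugger-sa-key --from-file=key.json=./sa-key.json
# Secret data is only base64-encoded in the API; who may read Secrets is
# controlled with RBAC, not by the encoding.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: debug-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: debug-app
  template:
    metadata:
      labels:
        app: debug-app
    spec:
      containers:
      - name: app
        image: gcr.io/PROJECT_ID/debug-app:1.0.0   # placeholder for your image
        env:
        # Google client libraries resolve Application Default Credentials
        # from the file at this path (assumed to be how the agent is set up).
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: /var/secrets/google/key.json
        volumeMounts:
        - name: sa-key
          mountPath: /var/secrets/google
          readOnly: true
      volumes:
      - name: sa-key
        secret:
          secretName: debugger-sa-key
          # The key lands in a tmpfs-backed volume at pod start: it is in
          # neither the image layers (milestone 2) nor the git history.
```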

Slide 33

Lunch break until 13:00

Slide 34

Agenda
- Now ✔ Introductions + Setup environments + K8s hello world
- 10:00 ✔ Monitoring & Alerting
- 11:00 ✔ Diagnosing & Resolving issues
- 12:00 ✔ Lunch
- 13:00 Network Policies
- 14:00 Istio
- 14:45 Multi Region
- 15:30 Free form discussion
- 16:30 Wrap up

Slide 35

Network Policies

Slide 36

Kubernetes networking basics
- kube-dns and kube-proxy
- Services and name resolution
- Load balancers and access to the cluster

Slide 37

Network Policies
- Implemented on OSI Level 3 (iptables->kernel)
- Many implementations possible; we will use Calico during the workshop, which is also what we use at Hue
- Ingress and Egress

Slide 39

Network Policies Hands On
- Assumption: everyone has access to the cluster with billing on
- Create a deployment and a service with NGINX serving the default NGINX welcome page on port 80:
  `kubectl run apiserver --image=nginx --labels app=bookstore,role=api --expose --port 80`
- Verify that it works:
  - Create and log into a second container: `kubectl run test-$RANDOM --rm -i -t --image=alpine`
  - Send a request from the new container to the api container
  - You should get a 200 OK and the HTML of the welcome page
- We will use this deployment for the rest of the Hands-on

Slide 40

Network Policies Hands On
- Restrict access to a pod based on label
- https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/02-limit-traffic-to-an-application.md
- Only requests coming from pods with a given label are allowed

Slide 41

Network Policies Hands On
- https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/02a-allow-all-traffic-to-an-application.md
- Allow all with an empty ingress access selector
- This Network Policy does not apply to traffic from outside the cluster though ...

Slide 42

Network Policies Hands On
- https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/08-allow-external-traffic.md
- `[]` allows ALL traffic, also from outside the cluster (if the pod is exposed)
- It is often useful to restrict access to one port only; the `[]` ingress selector can be combined with other rules such as "port"
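The label restriction and the port-restricted `[]` rule from the last three slides written out as manifests, as an added example that is not part of the workshop materials or the linked recipes; the policy names are assumptions, while the pod labels are the ones given to `kubectl run apiserver` above:

```yaml
# Added example; not from the workshop materials. Targets the "apiserver"
# pods created earlier (labels app=bookstore,role=api). Policy names assumed.
#
# A pod that no NetworkPolicy selects accepts all traffic; once any policy
# selects it, only the listed ingress is allowed. Policies are additive, so
# applying both of these yields the union of their rules: apply them one at
# a time (kubectl delete the first before applying the second) to see the
# difference.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-bookstore
spec:
  podSelector:
    matchLabels:
      app: bookstore
      role: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Only pods carrying app=bookstore may connect. The alpine test pod from
    # the earlier slide has no such label, so its request now times out;
    # re-create it with "--labels app=bookstore" and it succeeds again.
    - podSelector:
        matchLabels:
          app: bookstore
---
# The "[]" form: any source, inside or outside the cluster (if the pod is
# exposed), but only on TCP port 80. Every other port stays blocked.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-external-80
spec:
  podSelector:
    matchLabels:
      app: bookstore
      role: api
  policyTypes:
  - Ingress
  ingress:
  - from: []
    ports:
    - protocol: TCP
      port: 80
```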

Slide 43

Istio

Slide 44

https://speakerdeck.com/saturnism/making-microservices-micro-with-istio-service-mesh

Slide 45

Caveats
- Istio replaces network policies (default Calico on GKE) AFAIK
- Kubernetes master access from a service still requires k8s RBAC
- Managed Istio (GKE) is not GA yet, expected somewhere in 2019

Slide 46

Multi Region

Slide 47

Going Multi-region with K8s on Google Cloud
- Regions vs Zones
- Some services are bound to regions, Nodes are bound to zones
- It is possible to establish multi-regional load balancers
- A K8s cluster itself always lives within one region; it can span multiple zones in highly available clusters

Slide 48

Multi-Region support out of the box
- Google Cloud Datastore
- Google Cloud KMS
- Google Cloud Storage
- Google BigQuery
- Google Cloud Spanner

Slide 49

Kubernetes Federation (Going multi-region)
- By default K8s runs in a single Zone with all of its nodes
- It is also possible to create a high-availability regional cluster; its nodes span multiple zones of the same region
- There is no support for full federation, i.e. a cloud-wide or true multi-region k8s cluster
- It is however possible to set up a multi-region load balancer that directs requests to the respective regional clusters

Slide 51

Let's try it ourselves!
- https://cloud.google.com/load-balancing/docs/https/cross-region-example
- Big picture:
  - We need to set up two instance groups on Google Compute Engine, each in a different region
  - Configure a Load Balancer pointing to these groups

Slide 52

Free form discussion

Slide 53

DONE!
- Now ✔ Introductions + Setup environments + K8s hello world
- 10:00 ✔ Monitoring & Alerting
- 11:00 ✔ Diagnosing & Resolving issues
- 12:00 ✔ Lunch
- 13:00 ✔ Network Policies
- 14:00 ✔ Istio
- 14:45 ✔ Multi Region
- 15:30 ✔ Free form discussion
- 16:30 ✔ Wrap up

Slide 54

Piotr Zakrzewski - [email protected]
Mark van Straten - [email protected]
Thanks for your time!