20180922 Cloud Native Hiroshima #01 EKS

Slide 1

Slide 1 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 谏⾱し鋉銮傈劤䬐䔲أُ٦ءّٝ،٦ؗذؙز ،وبٝ ؐؑـ ؟٦ؽأ آٍػٝ吳䒭⠓爡 2018.09.22 Amazon Elastic Container Service for Kubernetes (EKS) Cloud Native Hiroshima #01

Slide 2

Slide 2 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 荈䊹稱➜ 谏⾱し鋉 (סׄ׻׵ ״׃ך׶) • 銮傈劤䬐䔲 أُ٦ءّٝ ،٦ؗذؙز • AWS 㣐ꢻؔؿ؍أחְתׅ • ꟼ銮ךؽآطأثٍحزأة٦ز،حف⟰噟ד 6 䎃꟦ AWS ׾ 崞欽 • AWS ؟يٓ؎ 2013 • 㥨ֹז AWS ؟٦ؽأ: AWS ؟ه٦ز

Slide 3

Slide 3 text

Slide 4

Slide 4 text

Slide 5

Slide 5 text

Slide 6

Slide 6 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ؝ٝذشךِ٦أ؛٦أ و؎ؙٗ؟٦ؽأ،٦ؗذؙثٍ 㢳侧ךو؎ؙٗ؟٦ؽأ׾ずׄ圫ח盖椚 ꬊず劍آّـ㹋遤 غحث؝ٝؾُ٦ذ؍ؚٝ آّـךؙٔؒأزח䘔ׄ׋厫鮾זأ؛٦ٕ 竰竲涸؎ٝذؚٖ٦ءّٝծ竰竲涸رفٗ؎ $*$% Ꟛ涪։ذأز։劤殢תד♧顐׃׋؎ً٦آ׾ⵃ欽

Slide 7

Slide 7 text

Slide 8

Slide 8 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ،فٔךأذ٦زٖأ⻉ ؝ٝذشך⚥חⰅ׸׷ךכأذ٦زٖأז،فٔח ؝ٝذشךًٔحز׾剑㣐ꣲ崞ַׇ׷ أذ٦زָ䗳銲ז׮ךכ؝ٝذشך㢩ח縧ֻ ⿫罋5XFMWFGBDUPS"QQMJDBUJPOˊ *7#BDLJOHTFSWJDFT IUUQTGBDUPSOFUKBCBDLJOHTFSWJDFT "NB[PO &MBTUJ$BDIF Amazon RDS Amazon S3 Amazon DynamoDB

Slide 9

Slide 9 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ٖآأزٔ ؝ٝذشך饯⹛⯋הז׷؎ً٦آך縧ֹ㜥䨽 ،فٔ㹋遤橆㞮׾QVTI㹋遤儗חQVMM׃ג饯⹛ 넝ְ〳欽䚍ծأ؛٦ٓؽٔذ؍ָ実׭׵׸׷ 衅׍׋׵رفٗ؎♶腉ծず儗ח㣐ꆀחQVMMׁ׸׷ֿה׮ 荈⵸ד䭯אה׉ך盖椚؝أزַַָ׷ ̔ "NB[PO&MBTUJD$POUBJOFS3FHJTUSZ &$3

Slide 10

Slide 10 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ؝ٝزٗ٦ٕفٖ٦ٝ ر٦ةفٖ٦ٝ ؝ٝزٗ٦ٕفٖ٦ٝ ؝ٝذشך盖椚׾ׅ׷㜥䨽 וֿד؝ٝذش׾⹛ַׅ欰娤כְא姺׭׷ رفٗ؎儗חוְֲֲ괏חꂁ縧ׅ׷ ̔ "NB[PO&MBTUJD$POUBJOFS4FSWJDF &$4 "NB[PO&MBTUJD $POUBJOFS 4FSWJDF GPS ,VCFSOFUFT &,4 ر٦ةفٖ٦ٝ 㹋ꥷח؝ٝذشָ珩⫴ׅ׷㜥䨽 ؝ٝزٗ٦ٕفٖ٦ַٝ׵ך䭷爙ח䖞׏ג饯⹛ ぐ珏朐䡾׾؝ٝزٗ٦ٕفٖ٦ٝחؿ؍٦سغحؙ ̔ "84'BSHBUF "NB[PO&MBTUJD$PNQVUF$MPVE &$

Slide 11

Slide 11 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. $*$%ػ؎فٓ؎ٝ ،فٔך؝٦س㢌刿։؝ٝذشךرفٗ؎׾盖椚ׅ׷ 荈⹛⻉ׅ׷ֿהד铩ָװ׏ג׮ずׄ״ֲחرفٗ؎〳腉 ؽٕسכ׮׍׹׿ծ⽃⡤ذأزװ窟さذأزծ頾蚚ذأز׮ ؕشٔ،رفٗ؎װٔ٦آّٝرفٗ؎זו׮ 鷿⚥חوصُ،ٕדך䪫钠׾䮠׿ד׮葺ְ ̔ "84$PEF1JQFMJOF "84$PEF#VJME ؝ٝزٗ٦ٕفٖ٦ٝך麩ְ׾ェ　ׅ׷ֿה׮דֹ׷ ⢽ずׄ؝٦سַ׵ծ"84כ&$4ؔٝفٖכ,VCFSOFUFTפ

Slide 12

Slide 12 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon EC2 AWS CodePipeline AWS CodeCommit AWS CodeBuild Amazon RDS Amazon S3 Developer Control plane Data plane Backing service Registry CI/CD pipeline

Slide 13

Slide 13 text

Slide 14

Slide 14 text

Slide 15

Slide 15 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 5FOFUT • "NB[PO&,4כծ⟃♴אך 5FOFU׾䲓־؟٦ؽأ׾䲿⣘ 5FOFU &,4כ⟰噟ָ劤殢ךٙ٦ؙٗ٦س ׾㹋遤ׅ׷׋׭ךفٓحزؿؓ٦ يד֮׷ֿה 5FOFU &,4כط؎ذ؍ـד剑倜ך ,VCFSOFUFTך⡤꿀׾䲿⣘ׅ׷ֿה 5FOFU &,4ِ٦ؠָ➭ך "84؟٦ؽأ׾ ⢪ֲ儗ծء٦يٖأז鸬䵿׾㹋植 ׃♶銲ז⡲噟׾《׶ꤐֻ 5FOFU &,4ث٦يכ琎噰涸ח ,VCFSOFUFTفٗآؙؑزח顀柃׃ גְֻֿה

Slide 16

Slide 16 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ؝ٝزٗ٦ٕفٖ٦ٝ • "NB[PO&,4؝ٝزٗ٦ٕفٖ٦ٝכծFUDE ֶ״ן ,VCFSOFUFT"1* TFSWFSזוך ,VCFSOFUFTاؿزؐؑ،׾㹋遤ׅ׷؝ٝزٗ٦ٕفٖ٦ٝ ظ٦سד圓䧭 • "NB[PO&,4כծؿٕوط٦آسז؝ٝزٗ٦ٕفٖ٦ٝ׾䲿⣘ "WBJMBCJMJUZ ;POF FUDE $POUSPMMFS FUDE $POUSPMMFS FUDE $POUSPMMFS "WBJMBCJMJUZ ;POF "WBJMBCJMJUZ ;POF "1* TFSWFS $MPVE DPOUSPMMF S $POUSPMMF S NBOBHFS 4DIFEVMF S "EEPOT ,VCF%/4 ⹛⡲؝ٝه٦طٝز

Slide 17

Slide 17 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ٙ٦ؕ٦ظ٦س • "NB[PO&,4ٙ٦ؕ٦ظ٦سכծؙٓأة٦ "1*؟٦غ٦ؒٝسه؎ٝز ׾➜׃גؙٓأة٦ך؝ٝزٗ٦ٕفٖ٦ٝח䱸竲 • ؝ٝذشכٙ٦ؕ٦ظ٦س♳חꂁ縧 "WBJMBCJMJUZ ;POF FUDE $POUSPMMFS FUDE $POUSPMMFS "WBJMBCJMJUZ ;POF "WBJMBCJMJUZ ;POF FUDE $POUSPMMFS

Slide 18

Slide 18 text

Slide 19

Slide 19 text

Slide 20

Slide 20 text

Slide 21

Slide 21 text

Slide 22

Slide 22 text

Slide 23

Slide 23 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ءشٔؔ 1. Amazon Virtual Private Cloud (VPC) ך傀㶷圓䧭 Public ה Private subnet / Multi-AZ 2. Amazon EKS Cluster (control plane) ⡲䧭 / 钠鏾 3. Amazon EKS Worker Nodes 饯⹛ 4. CoreOS AWS ALB Ingress ؝ٝزٗ٦ٓ٦׾ⵃ欽׃׋ ؟٦ؽأך؎ٝة٦طحزⰕꟚ

Slide 24

Slide 24 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Public ה Private subnet ׾䭯א VPC / Multi-AZ 圓䧭 Private subnet 2 RDS Aurora Reader RDS Aurora Writer Security Group RDS Public subnet 2 Availability Zone 1 NAT gateway NAT gateway Internet gateway IAM Public subnet 1 Availability Zone 2 Private subnet 1 Internet AWS Region

Slide 25

Slide 25 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ٔ٦آّٝה،ك؎ٓؽٔذ؍ب٦ٝ ٔ٦آّٝכ醱侧ך،ك؎ٓؽٔذ؍ب٦ٝ "; ד圓䧭ׁ׸גְתׅկ荈搫拄㹱װر٦ةإ ٝة٦⽃⡘ךꥺ㹱זוؽآطأח䕦갟׾♷ִ׷ٔأؙ׾剑㼭⻉ׅ׷״ֲ㖑椚涸ח䕦갟׾「ֽז ְ⼧ⴓꨄ׸׋㜥䨽ח֮׶ծ杝甧׃׋ꨵ彁ծ瑞锃ծ暟椚涸זإُؗٔذ؍׾⪒ִծ䎢䌒㚖דع؎ أؾ٦سך⯔㔐简ךغحؙن٦ٝח䱸竲ׁ׸גְתׅկ Data Center Data Center Data Center Data Center AZ AZ AZ AZ AZ Transit Transit

Slide 26

Slide 26 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. aws eks create-cluster --name eks-demo --role-arn arn:aws:iam::account- id:role/eksServiceRole --resources-vpc-config subnetIds=subnet-public-az1-id, subnet-public-az2-id,subnet-private-az1-id,subnet-private-az2- id,securityGroupIds=sg-eks-control-plane-id

Slide 27

Slide 27 text

Slide 28

Slide 28 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. apiVersion: v1 clusters: - cluster: server: certificate-authority-data: name: kubernetes contexts: - context: cluster: kubernetes user: aws name: aws current-context: aws kind: Config preferences: {} users: - name: aws user: exec: apiVersion: client.authentication.k8s.io/v1alpha1 command: aws-iam-authenticator args: - "token" - "-i" - ""

Slide 29

Slide 29 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon EKS Cluster (control plane) ⡲䧭 / 钠鏾 Private subnet 2 RDS Aurora Reader RDS Aurora Writer Security Group RDS Public subnet 2 Availability Zone 1 NAT gateway NAT gateway Internet gateway IAM Public subnet 1 Availability Zone 2 Private subnet 1 EKS Cluster Internet kubectl AWS Region

Slide 30

Slide 30 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon EKS Worker Nodes 饯⹛ AWS CloudFormation Template • Stack name • ClusterName • ClusterControlPlaneSecurityGroup • NodeGroupName • NodeAutoScalingGroupMinSize • NodeAutoScalingGroupMaxSize • NodeInstanceType • NodeImageId • KeyName • VpcId • Subnets

Slide 31

Slide 31 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. apiVersion: v1 kind: ConfigMap metadata: name: aws-auth namespace: kube-system data: mapRoles: | - rolearn: username: system:node:{{EC2PrivateDNSName}} groups: - system:bootstrappers - system:nodes kubectl apply -f aws-auth-cm.yaml

Slide 32

Slide 32 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CNIفؚٓ؎ٝח״׷ ط؎ذ؍ـVPC طحزٙ٦ؚؗٝ 醱侧ךPodכVPCⰻח㶷㖈 ׅ׷״ֲחPodⰻחずׄ VPC،سٖأ׾䭯א ءٝفٕדإُؗ،ז طحزٙ٦ؙ GitHub♳דⰕꟚׁ׸גְ׷ ؔ٦فٝا٦أ … { } https://github.com/aws/amazon-vpc-cni-k8s

Slide 33

Slide 33 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Nginx Pod Java Pod ENI Secondary IPs: 10.0.0.1 10.0.0.2 Veth IP: 10.0.0.1 Veth IP: 10.0.0.2 Nginx Pod Java Pod ENI Veth IP: 10.0.0.20 Veth IP: 10.0.0.22 Secondary IPs: 10.0.0.20 10.0.0.22 ec2.associateaddress() VPC Subnet – 10.0.0.0/24 Instance 1 Instance 2

Slide 34

Slide 34 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon EKS Worker Nodes 饯⹛ Workers Private subnet 2 RDS Aurora Reader RDS Aurora Writer Security Group RDS Workers Public subnet 2 Security Group Workers Availability Zone 1 NAT gateway NAT gateway Auto Scaling Internet gateway EKS Cluster IAM Public subnet 1 Availability Zone 2 Private subnet 1 Internet kubectl EKS Cluster AWS Region

Slide 35

Slide 35 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ٗ٦سغٓٝ؟٦ CoreOS AWS ALB Ingress ؝ٝزٗ٦ٓ٦: AWSָ؟ه٦ز Ingress ٔا٦أה׃ג Application Load Balancer (ALB) ׾ ⰕꟚדֹ׷ مأزせת׋כػأח״׷؝ٝذٝزك٦إٔ٦ذ؍ؚٝ׾ ؟ه٦ز׃׋L7ך頾蚚ⴓ侔ָ〳腉

Slide 36

Slide 36 text

Slide 37

Slide 37 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. apiVersion: extensions/v1beta1 kind: Ingress metadata: name: exampleserver namespace: exampleserver annotations: kubernetes.io/ingress.class: alb alb.ingress.kubernetes.io/target-type: ip alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/tags: Environment=dev,Team=test alb.ingress.kubernetes.io/subnets: 'subnet-public-az1-id,subnet-public-az2-id' alb.ingress.kubernetes.io/security-groups: 'sg-internet-facing-alb-id' alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80,"HTTPS": 443}]' alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:region:account-id:certificate/UUID spec: rules: - host: exampleserver.example.com http: paths: - path: / backend: serviceName: exampleserver servicePort: 80

Slide 38

Slide 38 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ٗ٦سغٓٝ؟٦ Network Load Balancer: 1.9 ⟃꣬؟ه٦ز (Alpha) L4 ٗ٦سغٓٝ؟٦ • service.beta.kubernetes.io/aws-load-balancer-type: “nlb” 㢳ֻך؛٦أד Classic Load Balancer ך縧ֹ䳔ִהז׶䖤׷ • 植朐ծ LoadBalancer ׾䭷㹀ׅ׷ה Classic Load Balancer ָ⡲ 䧭ׁ׸׷

Slide 39

Slide 39 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CoreOS AWS ALB Ingress ؝ٝزٗ٦ٓ٦ Workers Private subnet 2 RDS Aurora Reader RDS Aurora Writer Security Group RDS Workers Public subnet 2 Security Group Load Balancer Application Load Balancer Security Group Workers Availability Zone 1 NAT gateway NAT gateway Auto Scaling Internet gateway kubectl EKS Cluster IAM users Public subnet 1 Availability Zone 2 Private subnet 1 Internet AWS Region ACM

Slide 40

Slide 40 text

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Fluentd Cloudwatch Logs Kubernetes Worker Pool (EC2) Amazon CloudWatch Logs Fluentd Fluentd Fluentd https://github.com/fluent/fluentd-kubernetes-daemonset https://github.com/kubernetes/charts/tree/master/incubator/fluentd-cloudwatch