Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Introduction à Kubernetes
Search
Renaud Chaput
October 23, 2017
Technology
2
290
Introduction à Kubernetes
Présenté à Sysadmin Days #7 :
https://sysadmindays.fr
Renaud Chaput
October 23, 2017
Tweet
Share
More Decks by Renaud Chaput
See All by Renaud Chaput
L'Infrastructure as Code au complet (par Benoit Petit)
renchap
1
630
Autour des requêtes des TSDB
renchap
2
500
Operate HBase clusters at Scale
renchap
1
350
Versions (par Olivier Delhomme)
renchap
1
380
Prevent business logic attacks using dynamic instrumentation
renchap
1
400
Atelier Paris Web : Introduction à Docker
renchap
0
78
Alkemics CI & CD with Jenkins and Docker
renchap
1
260
Les containers : décryptage
renchap
2
230
Kubernetes en production : un an après
renchap
1
270
Other Decks in Technology
See All in Technology
君はPostScriptなウィンドウシステム 「NeWS」をご存知か?/sunnews
koyhoge
0
720
スタートアップ1人目QAエンジニアが QAチームを立ち上げ、“個”からチーム、 そして“組織”に成長するまで / How to set up QA team at reiwatravel
mii3king
1
1.1k
第13回 Data-Centric AI勉強会, 画像認識におけるData-centric AI
ksaito_osx
0
360
2.5Dモデルのすべて
yu4u
2
610
リアルタイム分析データベースで実現する SQLベースのオブザーバビリティ
mikimatsumoto
0
950
AndroidXR 開発ツールごとの できることできないこと
donabe3
0
110
トラシューアニマルになろう ~開発者だからこそできる、安定したサービス作りの秘訣~
jacopen
2
1.5k
Tech Blogを書きやすい環境づくり
lycorptech_jp
PRO
0
120
データの品質が低いと何が困るのか
kzykmyzw
6
1k
The 5 Obstacles to High-Performing Teams
mdalmijn
0
270
SCSAから学ぶセキュリティ管理
masakamayama
0
140
日経電子版 x AIエージェントの可能性とAgentic RAGによって提案書生成を行う技術
masahiro_nishimi
1
290
Featured
See All Featured
A Tale of Four Properties
chriscoyier
158
23k
Practical Orchestrator
shlominoach
186
10k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
7k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
29
4.6k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
4
400
[RailsConf 2023] Rails as a piece of cake
palkan
53
5.2k
Reflections from 52 weeks, 52 projects
jeffersonlam
348
20k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
A Philosophy of Restraint
colly
203
16k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Facilitating Awesome Meetings
lara
51
6.2k
Side Projects
sachag
452
42k
Transcript
Introduction à Kubernetes
Renaud Chaput @renchap
Kubernetes
Historique • Origine : Borg, l’orchestrateur de Google • En
2014, début du projet “Seven”, son remplaçant • Volonté de le rendre Open Source • Kubernetes est né ! • Version 1.0 en 2015, et don à la CNCF
Objectifs • Découpler infra et applications • Scale • Générique
/ Flexible • Automatisable • Extensible • Portable (cloud provider, bare metal, …)
Un gros projet 1500 contributeurs 32 000 PR depuis 2014
Structure • Code of Conduct et CLA • Doc claire
sur la participation • Special Interest Groups (SIGs) • Working groups • Committees
Releases
Releases
Features Alpha 1.5 Décembre 2016 Beta 1.7 Juin 2017 Stable
1.8 Septembre 2017 Alpha 1.6 Mars 2017
Fonctionnement
Objets apiVersion: v1 kind: Pod metadata: name: <name> namespace: default
spec: status:
Un même namespace / cgroup IP partagée (donc localhost commun)
Volumes communs IPC / … ./rails server ./log_processor.py Pod AppServer Sidecar
apiVersion: v1 kind: Pod metadata: name: nginx spec: containers: -
name: nginx image: nginx:1.7.9 ports: - containerPort: 8080 Pod simple
Deployment apiVersion: apps/v1beta2 kind: Deployment metadata: name: nginx-deployment labels: app:
nginx spec: replicas: 3 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx:1.7.9 ports: - containerPort: 8080
Service apiVersion: v1 kind: Service metadata: name: nginx-svc spec: selector:
app: nginx ports: - protocol: TCP port: 80 targetPort: 8080
db-1 volume-1 StatefulSet Db-2 Volume-2 Db-3 Volume-3
DaemonSet Jobs CronJobs NetworkPolicy Secret Ingress Volume …
Architecture
etcd etcd etcd Key/Value store Distribué Watch
etcd etcd etcd API Server Scheduler Controller manager
kubelet kube-proxy Pod Pod Pod Pod Pod Pod Pod Pod
Pod Pod
Pré-requis réseau • Tous les containers peuvent communiquer avec entre-eux
sans NAT • Tous les noeuds peuvent communiquer avec tous les containers sans NAT • L’IP d’un container vue de l’intérieur du container est la même que vu de l’extérieur
Container Runtime • Docker • CRI-O : interface OCI standard
• rkt (CoreOS) • Frakti : basé sur un hyperviseur
Node 1 Node 2 Node n etcd etcd etcd API
Server Scheduler Controller manager …
Kubectl $ kubectl apply -f nginx.yaml nginx-svc.yml $ kubectl get
all NAME READY STATUS RESTARTS AGE po/nginx 1/1 Running 0 12h NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE svc/nginx-svc 10.0.0.116 <none> 80/TCP 7s
Federation
Add-ons
Kube DNS nginx-svc.my-namespace.svc.cluster.local _http._tcp.nginx-svc.my-namespace.svc.cluster.local 1-2-3-4.default.pod.cluster.local
Dashboard
Ingress controllers • GCP / AWS / … • nginx
• haproxy
Heapster + InfluxDB, Grafana
Sécurité
Namespaces et quotas apiVersion: v1 kind: ResourceQuota metadata: name: compute-resources
spec: hard: pods: "4" requests.cpu: "1" requests.memory: 1Gi limits.cpu: "2" limits.memory: 2Gi
PodSecurityPolicy apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: permissive spec: seLinux:
rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny hostPorts: - min: 8000 max: 8080 volumes: - '*' allowedCapabilities: - '*'
NetworkPolicy kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: access-nginx spec: podSelector:
matchLabels: run: nginx ingress: - from: - podSelector: matchLabels: access: "true"
RBAC kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: default name: pod-reader
rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "watch", “list"] kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: read-pods namespace: default subjects: - kind: User name: jane apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io
Projets autour • Helm • Kops / Kube-AWS / Bootkube
/ … • Træfik • Prometheus / Sysdig / Datadog / … • Kube-lego, …
Ressources • Minikube! • kubernetes.io • Kubernetes the hard way
• Slack Kubernetes • Awesome Kubernetes
Questions ?