Introduction à Kubernetes

415efaa445ed983307231341eaa4be55?s=47 Renaud Chaput
October 23, 2017
Technology
2
150

Introduction à Kubernetes

Présenté à Sysadmin Days #7 : https://sysadmindays.fr

415efaa445ed983307231341eaa4be55?s=128

Renaud Chaput

October 23, 2017
Tweet

Want more?

415efaa445ed983307231341eaa4be55?s=48 renchap
1
300
415efaa445ed983307231341eaa4be55?s=48 renchap
2
120
415efaa445ed983307231341eaa4be55?s=48 renchap
1
90
7cbd3f5f922d798cc312eaf596de7ae6?s=48 iamctodd
2
500
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
14
870
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
6
470
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
300
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
8
610
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
9
330
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
3
360
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
5
900
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
230

Transcript

  1. 1.

    Introduction à Kubernetes

  2. 2.

    Renaud Chaput @renchap

  3. 3.

    Kubernetes

  4. 4.

    Historique • Origine : Borg, l’orchestrateur de Google • En

    2014, début du projet “Seven”, son remplaçant • Volonté de le rendre Open Source • Kubernetes est né ! • Version 1.0 en 2015, et don à la CNCF
  5. 5.

    Objectifs • Découpler infra et applications • Scale • Générique

    / Flexible • Automatisable • Extensible • Portable (cloud provider, bare metal, …)
  6. 6.

    Un gros projet 1500 contributeurs 32 000 PR depuis 2014

  7. 7.

    Structure • Code of Conduct et CLA • Doc claire

    sur la participation • Special Interest Groups (SIGs) • Working groups • Committees
  8. 8.

    Releases

  9. 9.

    Releases

  10. 10.

    Features Alpha 1.5 Décembre 2016 Beta 1.7 Juin 2017 Stable

    1.8 Septembre 2017 Alpha 1.6 Mars 2017
  11. 11.

    Fonctionnement

  12. 12.

    Objets apiVersion: v1 kind: Pod metadata: name: <name>
 namespace: default


    spec:
 status:
  13. 13.

    Un même namespace / cgroup
 IP partagée (donc localhost commun)


    Volumes communs
 IPC / … ./rails server ./log_processor.py Pod AppServer Sidecar
  14. 14.

    apiVersion: v1
 kind: Pod
 metadata: name: nginx
 spec:
 containers: -

    name: nginx image: nginx:1.7.9 ports: - containerPort: 8080 Pod simple
  15. 15.

    Deployment apiVersion: apps/v1beta2 kind: Deployment metadata:
 name: nginx-deployment
 labels:
 app:

    nginx spec:
 replicas: 3 selector:
 matchLabels:
 app: nginx template: metadata:
 labels:
 app: nginx
 spec:
 containers:
 - name: nginx
 image: nginx:1.7.9
 ports:
 - containerPort: 8080
  16. 16.

    Service apiVersion: v1 kind: Service metadata:
 name: nginx-svc spec: selector:


    app: nginx ports:
 - protocol: TCP
 port: 80
 targetPort: 8080
  17. 17.

    db-1 volume-1 StatefulSet Db-2 Volume-2 Db-3 Volume-3

  18. 18.

    DaemonSet Jobs CronJobs NetworkPolicy Secret Ingress Volume …

  19. 19.

    Architecture

  20. 20.

    etcd etcd etcd Key/Value store Distribué Watch

  21. 21.

    etcd etcd etcd API Server Scheduler Controller manager

  22. 22.

    kubelet kube-proxy Pod Pod Pod Pod Pod Pod Pod Pod

    Pod Pod
  23. 23.

    Pré-requis réseau • Tous les containers peuvent communiquer avec entre-eux

    sans NAT • Tous les noeuds peuvent communiquer avec tous les containers sans NAT • L’IP d’un container vue de l’intérieur du container est la même que vu de l’extérieur
  24. 24.

    Container Runtime • Docker • CRI-O : interface OCI standard

    • rkt (CoreOS) • Frakti : basé sur un hyperviseur
  25. 25.

    Node 1 Node 2 Node n etcd etcd etcd API

    Server Scheduler Controller manager …
  26. 26.

    Kubectl $ kubectl apply -f nginx.yaml nginx-svc.yml
 $ kubectl get

    all
 NAME READY STATUS RESTARTS AGE
 po/nginx 1/1 Running 0 12h 
 NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
 svc/nginx-svc 10.0.0.116 <none> 80/TCP 7s
  27. 27.

    Federation

  28. 28.

    Add-ons

  29. 29.

    Kube DNS nginx-svc.my-namespace.svc.cluster.local _http._tcp.nginx-svc.my-namespace.svc.cluster.local 1-2-3-4.default.pod.cluster.local

  30. 30.

    Dashboard

  31. 31.

    Ingress controllers • GCP / AWS / … • nginx

    • haproxy
  32. 32.

    Heapster + InfluxDB, Grafana

  33. 33.

    Sécurité

  34. 34.

    Namespaces et quotas apiVersion: v1
 kind: ResourceQuota
 metadata:
 name: compute-resources


    spec:
 hard:
 pods: "4"
 requests.cpu: "1"
 requests.memory: 1Gi
 limits.cpu: "2"
 limits.memory: 2Gi
  35. 35.

    PodSecurityPolicy apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: permissive spec: seLinux:

    rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny hostPorts: - min: 8000 max: 8080 volumes: - '*' allowedCapabilities: - '*'
  36. 36.

    NetworkPolicy kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: access-nginx spec: podSelector:

    matchLabels: run: nginx ingress: - from: - podSelector: matchLabels: access: "true"
  37. 37.

    RBAC kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 namespace: default
 name: pod-reader


    rules:
 - apiGroups: [""] resources: ["pods"]
 verbs: ["get", "watch", “list"] kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: read-pods
 namespace: default
 subjects:
 - kind: User
 name: jane
 apiGroup: rbac.authorization.k8s.io
 roleRef:
 kind: Role
 name: pod-reader
 apiGroup: rbac.authorization.k8s.io
  38. 38.

    Projets autour • Helm • Kops / Kube-AWS / Bootkube

    / … • Træfik • Prometheus / Sysdig / Datadog / … • Kube-lego, …
  39. 39.

    Ressources • Minikube! • kubernetes.io • Kubernetes the hard way

    • Slack Kubernetes • Awesome Kubernetes
  40. 40.

    Questions ?