Presented at Sysadmin Days #7: https://sysadmindays.fr
Introduction to Kubernetes
Renaud Chaput (@renchap)
Kubernetes
History
• Origin: Borg, Google's orchestrator
• In 2014, start of project "Seven", its replacement
• Intent to make it Open Source
• Kubernetes is born!
• Version 1.0 in 2015, and donation to the CNCF
Goals
• Decouple infrastructure and applications
• Scale
• Generic / flexible
• Automatable
• Extensible
• Portable (cloud provider, bare metal, …)
A big project
1500 contributors
32,000 PRs since 2014
Structure
• Code of Conduct and CLA
• Clear documentation on how to contribute
• Special Interest Groups (SIGs)
• Working groups
• Committees
Releases
Features (a feature graduates from alpha to beta to stable over successive releases)
• Alpha: 1.5, December 2016
• Alpha: 1.6, March 2017
• Beta: 1.7, June 2017
• Stable: 1.8, September 2017
How it works
Objects (every object carries these fields: spec is the desired state, status the observed state)
apiVersion: v1
kind: Pod
metadata:
  name:
  namespace: default
spec:
status:
Pod
• Containers in a pod share the same namespaces / cgroup
• Shared IP (so a common localhost)
• Shared volumes
• IPC / …
Example: a pod made of an AppServer container (./rails server) and a Sidecar container (./log_processor.py)
Simple Pod
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx:1.7.9
    ports:
    - containerPort: 8080
Deployment
apiVersion: apps/v1beta2
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 8080
Service
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
(targetPort must be the port the container actually listens on: the stock nginx image listens on 80, so these manifests only work together if nginx is configured for 8080.)
StatefulSet
Each replica keeps a stable identity and its own volume: db-1 / volume-1, db-2 / volume-2, db-3 / volume-3
Other objects
• DaemonSet
• Jobs
• CronJobs
• NetworkPolicy
• Secret
• Ingress
• Volume
• …
Architecture
etcd
• Key/Value store
• Distributed (clustered)
• Watch
Control plane: etcd cluster, API Server, Scheduler, Controller manager
Node: kubelet, kube-proxy, and the Pods scheduled on it
Network prerequisites
• All containers can communicate with each other without NAT
• All nodes can communicate with all containers without NAT
• The IP a container sees for itself is the same IP others use to reach it
Container runtime
• Docker
• CRI-O: standard OCI interface
• rkt (CoreOS)
• Frakti: hypervisor-based
Cluster: the control plane (etcd, API Server, Scheduler, Controller manager) drives Node 1, Node 2, … Node n
Kubectl (each file passed to apply needs its own -f)
$ kubectl apply -f nginx.yaml -f nginx-svc.yml
$ kubectl get all
NAME       READY  STATUS   RESTARTS  AGE
po/nginx   1/1    Running  0         12h
NAME           CLUSTER-IP  EXTERNAL-IP  PORT(S)  AGE
svc/nginx-svc  10.0.0.116  <none>       80/TCP   7s
Federation
Add-ons
Kube DNS
• nginx-svc.my-namespace.svc.cluster.local (A record of a service)
• _http._tcp.nginx-svc.my-namespace.svc.cluster.local (SRV record for a named port)
• 1-2-3-4.default.pod.cluster.local (pod record, IP written with dashes)
Dashboard
Ingress controllers
• GCP / AWS / …
• nginx
• haproxy
Heapster + InfluxDB, Grafana
Security
Namespaces and quotas (a ResourceQuota applies to the namespace it is created in)
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources
spec:
  hard:
    pods: "4"
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi
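The way the apiserver applies this quota is easy to misread: a pod is admitted only if current usage plus its own requests/limits still fits every "hard" value, and a pod that does not set a resource the quota constrains is rejected outright, not counted as zero. The following is an added example (not code from the talk, not the Kubernetes quota controller) that simulates that admission check for the compute-resources quota above; manifests are embedded as Python dicts rather than YAML, and all pod names and sizes are constructed sample data.

```python
"""Simulate ResourceQuota admission for the compute-resources quota above.

Added example (not the talk's code, not the apiserver): a pod is accepted only
if existing usage plus the new pod keeps every "hard" value satisfied, and a pod
that leaves a quota-constrained resource unset is rejected. Pods are dicts.
"""

# Multipliers for Kubernetes quantity suffixes (milli, decimal SI, binary SI).
SUFFIXES = {
    "m": 1e-3,
    "k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12,
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
}

def parse_quantity(q) -> float:
    """Parse '500m', '1', '1Gi', '256Mi' (or a bare number) into a float."""
    s = str(q).strip()
    for suffix in sorted(SUFFIXES, key=len, reverse=True):  # try 'Mi' before 'M'
        if s.endswith(suffix):
            return float(s[:-len(suffix)]) * SUFFIXES[suffix]
    return float(s)

# The quota from the slide, as {quota key: hard value}.
QUOTA = {
    "pods": "4",
    "requests.cpu": "1",
    "requests.memory": "1Gi",
    "limits.cpu": "2",
    "limits.memory": "2Gi",
}

def pod_usage(pod: dict, quota: dict) -> dict:
    """What a pod charges against each quota key, summed over its containers.

    Raises ValueError when a quota-constrained resource is unset (the apiserver
    rejects such a pod). As in Kubernetes, a missing request defaults to the
    limit when only the limit is given.
    """
    usage = {"pods": 1.0}
    for c in pod["spec"]["containers"]:
        res = c.get("resources", {})
        requests, limits = res.get("requests", {}), res.get("limits", {})
        for key in quota:
            if key == "pods":
                continue
            kind, name = key.split(".")  # e.g. "requests", "cpu"
            value = (requests.get(name, limits.get(name)) if kind == "requests"
                     else limits.get(name))
            if value is None:
                raise ValueError(f"container {c['name']}: {key} must be set")
            usage[key] = usage.get(key, 0.0) + parse_quantity(value)
    return usage

def admit(existing: list, new_pod: dict, quota: dict = QUOTA):
    """Return (True, 'ok') or (False, reason) for creating new_pod in the namespace."""
    try:
        new = pod_usage(new_pod, quota)
    except ValueError as e:
        return False, str(e)
    used = {}
    for p in existing:
        for k, v in pod_usage(p, quota).items():
            used[k] = used.get(k, 0.0) + v
    for key, hard in quota.items():
        total = used.get(key, 0.0) + new.get(key, 0.0)
        if total > parse_quantity(hard):
            return False, (f"exceeded quota on {key}: used {used.get(key, 0.0):g} "
                           f"+ requested {new.get(key, 0.0):g} > hard {hard}")
    return True, "ok"

def make_pod(name, cpu_req=None, mem_req=None, cpu_lim=None, mem_lim=None):
    """Build a minimal single-container pod dict (constructed sample data)."""
    resources = {}
    if cpu_req or mem_req:
        resources["requests"] = {k: v for k, v in (("cpu", cpu_req), ("memory", mem_req)) if v}
    if cpu_lim or mem_lim:
        resources["limits"] = {k: v for k, v in (("cpu", cpu_lim), ("memory", mem_lim)) if v}
    return {"metadata": {"name": name},
            "spec": {"containers": [{"name": "app", "resources": resources}]}}

if __name__ == "__main__":
    existing = [make_pod(f"web-{i}", "250m", "256Mi", "500m", "512Mi") for i in range(3)]
    print(admit(existing, make_pod("web-3", "250m", "256Mi", "500m", "512Mi")))  # fits exactly
    print(admit(existing, make_pod("big", "500m", "256Mi", "500m", "512Mi")))    # requests.cpu
    print(admit(existing, make_pod("lazy")))                                      # nothing set
```

The third case is the one that bites teams in practice: as soon as a namespace has a quota on requests.cpu, every pod (including those created by Deployments) must declare that request, or it is rejected; a LimitRange with defaults is the usual way to avoid that.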
PodSecurityPolicy
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: permissive
spec:
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  hostPorts:
  - min: 8000
    max: 8080
  volumes:
  - '*'
  allowedCapabilities:
  - '*'
(Named "permissive" for a reason: it allows any user, any volume type and every capability, and only constrains hostPort to 8000-8080; a restrictive policy lists the specific values it allows.)
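To see what the policy above actually decides, the following is an added example (not the talk's code, not the Kubernetes admission controller) that checks a pod spec against the PSP fields this policy sets: hostPort ranges, the runAsUser rule, allowed volume types and allowed capabilities. A second, constructed restrictive policy is included for contrast, and the two sample pods are constructed; image USER directives, which the real MustRunAsNonRoot rule also consults, are not inspected here, so an unset runAsUser counts as a violation.

```python
"""Check a pod spec against a PodSecurityPolicy (subset of fields).

Added example: evaluates hostPorts, runAsUser, volumes and allowedCapabilities,
the fields set by the "permissive" policy on the slide. Not the real admission
controller; image USER directives are not inspected. Manifests are dicts.
"""

# The policy from the slide.
PERMISSIVE = {
    "seLinux": {"rule": "RunAsAny"},
    "supplementalGroups": {"rule": "RunAsAny"},
    "runAsUser": {"rule": "RunAsAny"},
    "fsGroup": {"rule": "RunAsAny"},
    "hostPorts": [{"min": 8000, "max": 8080}],
    "volumes": ["*"],
    "allowedCapabilities": ["*"],
}

# Constructed for contrast: the same fields in a restrictive policy.
RESTRICTED = {
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "hostPorts": [],
    "volumes": ["configMap", "secret", "emptyDir", "persistentVolumeClaim"],
    "allowedCapabilities": [],
}

def check_pod(pod_spec: dict, psp: dict) -> list:
    """Return the list of violations; an empty list means the pod is admitted."""
    violations = []
    ranges = psp.get("hostPorts", [])
    vols = psp.get("volumes", [])
    caps = psp.get("allowedCapabilities", [])
    run_as = psp.get("runAsUser", {}).get("rule", "RunAsAny")
    pod_user = pod_spec.get("securityContext", {}).get("runAsUser")

    for v in pod_spec.get("volumes", []):
        # A volume entry is {"name": ..., "<type>": {...}}: the type is the non-name key.
        vtype = next((k for k in v if k != "name"), "unknown")
        if "*" not in vols and vtype not in vols:
            violations.append(f"volume {v['name']}: type {vtype} is not allowed")

    for c in pod_spec.get("containers", []):
        for p in c.get("ports", []):
            hp = p.get("hostPort")
            if hp is not None and not any(r["min"] <= hp <= r["max"] for r in ranges):
                violations.append(f"container {c['name']}: hostPort {hp} not in allowed ranges")
        sc = c.get("securityContext", {})
        for cap in sc.get("capabilities", {}).get("add", []):
            if "*" not in caps and cap not in caps:
                violations.append(f"container {c['name']}: capability {cap} not allowed")
        user = sc.get("runAsUser", pod_user)  # container setting overrides the pod setting
        if run_as == "MustRunAsNonRoot" and (user is None or user == 0):
            violations.append(f"container {c['name']}: must run as non-root (runAsUser={user})")
    return violations

# Constructed sample pods.
WEB_POD = {
    "containers": [{"name": "nginx", "image": "nginx:1.7.9",
                    "ports": [{"containerPort": 8080, "hostPort": 8080}]}],
    "volumes": [{"name": "www", "hostPath": {"path": "/srv/www"}}],
}
ROOT_ADMIN_POD = {
    "securityContext": {"runAsUser": 0},
    "containers": [{"name": "tool", "image": "busybox",
                    "ports": [{"containerPort": 9000, "hostPort": 9000}],
                    "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}],
}

if __name__ == "__main__":
    for name, pod in (("web", WEB_POD), ("root-admin", ROOT_ADMIN_POD)):
        for pname, psp in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
            print(name, "vs", pname, "->", check_pod(pod, psp) or "admitted")
```

Under the permissive policy the root container with NET_ADMIN is admitted as soon as its hostPort falls inside 8000-8080; only the restrictive policy rejects it for the user, the capability and the port.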
NetworkPolicy
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      run: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "true"
(Pods selected by no policy accept all traffic; once a policy selects a pod, it only accepts the ingress that some selecting policy lists. Enforcement requires a network plugin that implements NetworkPolicy.)
RBAC
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
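Two evaluators, added here as examples (not code from the talk, not kube-apiserver or any network plugin), make the semantics of the NetworkPolicy and RBAC slides concrete. The first answers "may pod A talk to pod B?" from a set of policies, implementing the rule that a pod selected by no policy is open while a pod selected by any policy only accepts sources matching at least one from entry (an empty ingress list denies everything); its matchLabels helper is the same selector semantic that Services and Deployments use. The second answers "may this user do this verb on this resource in this namespace?" from Role/RoleBinding and ClusterRole/ClusterRoleBinding objects, where rules only ever grant. The access-nginx policy and the pod-reader Role/RoleBinding are the slide's; the default-deny policy, the superuser ClusterRole, all pods, users and groups are constructed, and namespaceSelector, ipBlock and ServiceAccount subjects are not modeled.

```python
"""NetworkPolicy ingress evaluation and RBAC authorization, simulated.

Added example (not the talk's code, not kube-apiserver or a CNI plugin).
Objects are dicts mirroring the YAML on the slides; extra objects are constructed.
"""

def matches(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every key/value must be present; {} matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

# --- NetworkPolicy -----------------------------------------------------------
ACCESS_NGINX = {  # the policy from the slide
    "metadata": {"name": "access-nginx", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"run": "nginx"}},
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"access": "true"}}}]}]},
}
DENY_ALL = {  # constructed: isolates every pod in the namespace, allows nothing in
    "metadata": {"name": "default-deny", "namespace": "default"},
    "spec": {"podSelector": {}, "ingress": []},
}
PODS = {  # constructed sample pods
    "nginx":  {"namespace": "default", "labels": {"run": "nginx"}},
    "client": {"namespace": "default", "labels": {"run": "busybox", "access": "true"}},
    "other":  {"namespace": "default", "labels": {"run": "busybox"}},
    "redis":  {"namespace": "default", "labels": {"run": "redis"}},
    "dev":    {"namespace": "dev", "labels": {"run": "busybox", "access": "true"}},
}

def ingress_allowed(src: dict, dst: dict, policies: list) -> bool:
    """May traffic from pod src reach pod dst, given the policies of dst's namespace?"""
    ns = dst["namespace"]
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == ns and matches(p["spec"]["podSelector"], dst["labels"])]
    if not selecting:
        return True  # not isolated: no policy selects the destination
    for policy in selecting:  # policies are additive: any matching rule allows
        for rule in policy["spec"].get("ingress") or []:
            froms = rule.get("from")
            if not froms:
                return True  # a rule with no "from" allows all sources
            for peer in froms:
                # a bare podSelector only matches pods in the policy's own namespace
                if "podSelector" in peer and src["namespace"] == ns and matches(peer["podSelector"], src["labels"]):
                    return True
    return False

# --- RBAC --------------------------------------------------------------------
POD_READER = {"kind": "Role", "metadata": {"namespace": "default", "name": "pod-reader"},
              "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]}
READ_PODS = {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "default"},
             "subjects": [{"kind": "User", "name": "jane"}],
             "roleRef": {"kind": "Role", "name": "pod-reader"}}
SUPERUSER = {"kind": "ClusterRole", "metadata": {"name": "superuser"},  # constructed
             "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
SUPERUSERS = {"kind": "ClusterRoleBinding", "metadata": {"name": "superusers"},  # constructed
              "subjects": [{"kind": "Group", "name": "ops"}],
              "roleRef": {"kind": "ClusterRole", "name": "superuser"}}
RBAC_OBJECTS = [POD_READER, READ_PODS, SUPERUSER, SUPERUSERS]

def rule_matches(rule: dict, verb: str, api_group: str, resource: str) -> bool:
    """A rule matches when verb, apiGroup and resource are each listed or wildcarded."""
    def ok(allowed, value):
        return "*" in allowed or value in allowed
    return ok(rule["verbs"], verb) and ok(rule["apiGroups"], api_group) and ok(rule["resources"], resource)

def authorize(user: str, groups: list, verb: str, resource: str, namespace: str,
              objects: list, api_group: str = "") -> bool:
    """Purely additive: any binding whose role has a matching rule grants; nothing denies."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any((s["kind"] == "User" and s["name"] == user) or
                   (s["kind"] == "Group" and s["name"] in groups) for s in b["subjects"]):
            continue
        # A RoleBinding grants only inside its own namespace, whatever role kind it references.
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue
        ref = b["roleRef"]
        ns = b["metadata"]["namespace"] if ref["kind"] == "Role" else None
        role = roles.get((ref["kind"], ns, ref["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        if any(rule_matches(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False

if __name__ == "__main__":
    for pols in ([], [ACCESS_NGINX], [ACCESS_NGINX, DENY_ALL]):
        print([p["metadata"]["name"] for p in pols],
              {s: ingress_allowed(PODS[s], PODS["nginx"], pols) for s in ("client", "other", "dev")})
    print("jane list pods/default:", authorize("jane", [], "list", "pods", "default", RBAC_OBJECTS))
    print("jane list pods/kube-system:", authorize("jane", [], "list", "pods", "kube-system", RBAC_OBJECTS))
```

The two results worth remembering: with only access-nginx applied, "other" still reaches redis because nothing selects redis, and adding default-deny closes that without breaking client to nginx; on the RBAC side, jane's RoleBinding gives her nothing outside the default namespace and no verb the Role does not list.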
Related projects
• Helm
• Kops / Kube-AWS / Bootkube / …
• Træfik
• Prometheus / Sysdig / Datadog / …
• Kube-lego, …
Resources
• Minikube!
• kubernetes.io
• Kubernetes the hard way
• Kubernetes Slack
• Awesome Kubernetes
Questions?