Speaker Deck
Sign in
Sign up
for free
Introduction à Kubernetes
Renaud Chaput
October 23, 2017
Technology
2
160
Introduction à Kubernetes
Présenté à Sysadmin Days #7 :
https://sysadmindays.fr
Renaud Chaput
October 23, 2017
Tweet
Share
More Decks by Renaud Chaput
See All by Renaud Chaput
renchap
1
310
renchap
2
140
renchap
1
92
renchap
1
73
renchap
0
50
renchap
0
13
renchap
1
130
renchap
2
180
renchap
1
210
Other Decks in Technology
See All in Technology
uenitty
1
280
ngyt
1
430
usamomokawa
0
190
soudai
1
330
kakutani
2
580
kenwakamatsu
0
310
miuranobuki
0
990
dena_tech
0
240
typewriter
1
1k
shinpy
0
110
monoqlo
6
400
fromatom
5
670
Featured
See All Featured
scottboms
250
11k
cromwellryan
100
5.7k
kastner
52
1.8k
chrislema
170
14k
holman
287
130k
denniskardys
219
110k
jakevdp
769
190k
chriscoyier
142
19k
revolveconf
195
9.5k
jeffersonlam
324
14k
brad_frost
154
6.2k
tenderlove
49
3.2k
Transcript
Introduction à Kubernetes
Renaud Chaput @renchap
Kubernetes
Historique • Origine : Borg, l’orchestrateur de Google • En
2014, début du projet “Seven”, son remplaçant • Volonté de le rendre Open Source • Kubernetes est né ! • Version 1.0 en 2015, et don à la CNCF
Objectifs • Découpler infra et applications • Scale • Générique
/ Flexible • Automatisable • Extensible • Portable (cloud provider, bare metal, …)
Un gros projet 1500 contributeurs 32 000 PR depuis 2014
Structure • Code of Conduct et CLA • Doc claire
sur la participation • Special Interest Groups (SIGs) • Working groups • Committees
Releases
Releases
Features Alpha 1.5 Décembre 2016 Beta 1.7 Juin 2017 Stable
1.8 Septembre 2017 Alpha 1.6 Mars 2017
Fonctionnement
Objets apiVersion: v1 kind: Pod metadata: name: <name> namespace: default
spec: status:
Un même namespace / cgroup IP partagée (donc localhost commun)
Volumes communs IPC / … ./rails server ./log_processor.py Pod AppServer Sidecar
apiVersion: v1 kind: Pod metadata: name: nginx spec: containers: -
name: nginx image: nginx:1.7.9 ports: - containerPort: 8080 Pod simple
Deployment apiVersion: apps/v1beta2 kind: Deployment metadata: name: nginx-deployment labels: app:
nginx spec: replicas: 3 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx:1.7.9 ports: - containerPort: 8080
Service apiVersion: v1 kind: Service metadata: name: nginx-svc spec: selector:
app: nginx ports: - protocol: TCP port: 80 targetPort: 8080
db-1 volume-1 StatefulSet Db-2 Volume-2 Db-3 Volume-3
DaemonSet Jobs CronJobs NetworkPolicy Secret Ingress Volume …
Architecture
etcd etcd etcd Key/Value store Distribué Watch
etcd etcd etcd API Server Scheduler Controller manager
kubelet kube-proxy Pod Pod Pod Pod Pod Pod Pod Pod
Pod Pod
Pré-requis réseau • Tous les containers peuvent communiquer avec entre-eux
sans NAT • Tous les noeuds peuvent communiquer avec tous les containers sans NAT • L’IP d’un container vue de l’intérieur du container est la même que vu de l’extérieur
Container Runtime • Docker • CRI-O : interface OCI standard
• rkt (CoreOS) • Frakti : basé sur un hyperviseur
Node 1 Node 2 Node n etcd etcd etcd API
Server Scheduler Controller manager …
Kubectl $ kubectl apply -f nginx.yaml nginx-svc.yml $ kubectl get
all NAME READY STATUS RESTARTS AGE po/nginx 1/1 Running 0 12h NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE svc/nginx-svc 10.0.0.116 <none> 80/TCP 7s
Federation
Add-ons
Kube DNS nginx-svc.my-namespace.svc.cluster.local _http._tcp.nginx-svc.my-namespace.svc.cluster.local 1-2-3-4.default.pod.cluster.local
Dashboard
Ingress controllers • GCP / AWS / … • nginx
• haproxy
Heapster + InfluxDB, Grafana
Sécurité
Namespaces et quotas apiVersion: v1 kind: ResourceQuota metadata: name: compute-resources
spec: hard: pods: "4" requests.cpu: "1" requests.memory: 1Gi limits.cpu: "2" limits.memory: 2Gi
PodSecurityPolicy apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: permissive spec: seLinux:
rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny hostPorts: - min: 8000 max: 8080 volumes: - '*' allowedCapabilities: - '*'
NetworkPolicy kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: access-nginx spec: podSelector:
matchLabels: run: nginx ingress: - from: - podSelector: matchLabels: access: "true"
RBAC kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: default name: pod-reader
rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "watch", “list"] kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: read-pods namespace: default subjects: - kind: User name: jane apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io
Projets autour • Helm • Kops / Kube-AWS / Bootkube
/ … • Træfik • Prometheus / Sysdig / Datadog / … • Kube-lego, …
Ressources • Minikube! • kubernetes.io • Kubernetes the hard way
• Slack Kubernetes • Awesome Kubernetes
Questions ?
renchap
uenitty
ngyt
usamomokawa
soudai
kakutani
kenwakamatsu
miuranobuki
dena_tech
typewriter
shinpy
monoqlo
fromatom
scottboms
cromwellryan
kastner
chrislema
holman
denniskardys
jakevdp
chriscoyier
revolveconf
jeffersonlam
brad_frost
tenderlove
