Introduction à Kubernetes
Renaud Chaput
October 23, 2017
Presented at Sysadmin Days #7:
https://sysadmindays.fr
Renaud Chaput @renchap
Kubernetes
History
• Origin: Borg, Google's orchestrator
• 2014: start of project "Seven", its replacement
• Intention to make it open source
• Kubernetes is born!
• Version 1.0 in 2015, and donation to the CNCF
Goals
• Decouple infrastructure from applications
• Scale
• Generic / flexible
• Automatable
• Extensible
• Portable (cloud provider, bare metal, …)
A big project: 1500 contributors, 32,000 PRs since 2014
Structure
• Code of Conduct and CLA
• Clear documentation on how to contribute
• Special Interest Groups (SIGs)
• Working groups
• Committees
Releases
• 1.5: December 2016
• 1.6: March 2017
• 1.7: June 2017
• 1.8: September 2017
Features graduate through Alpha, Beta and Stable stages across successive releases.
How it works
Objects
apiVersion: v1
kind: Pod
metadata:
  name: <name>
  namespace: default
spec:     # desired state, written by the user
status:   # observed state, written by the cluster
Pod
• Same namespaces / cgroup
• Shared IP (so a common localhost)
• Shared volumes
• IPC / …
[Diagram: one Pod holding an AppServer container (./rails server) and a Sidecar container (./log_processor.py)]
Simple Pod
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx:1.7.9
    ports:
    - containerPort: 8080
Deployment
apiVersion: apps/v1beta2
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 8080
Service
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
StatefulSet
[Diagram: pods db-1, db-2, db-3, each bound to its own persistent volume (volume-1, volume-2, volume-3)]
Other objects: DaemonSet, Jobs, CronJobs, NetworkPolicy, Secret, Ingress, Volume, …
Architecture
etcd: distributed key/value store, with watch support
[Diagram: control plane, an etcd cluster of three members behind the API Server, Scheduler and Controller manager]
[Diagram: a node running kubelet and kube-proxy, hosting several Pods]
Network prerequisites
• All containers can communicate with each other without NAT
• All nodes can communicate with all containers without NAT
• A container's IP as seen from inside the container is the same as seen from outside
Container runtime
• Docker
• CRI-O: standard OCI interface
• rkt (CoreOS)
• Frakti: hypervisor-based
[Diagram: Node 1, Node 2 … Node n, all talking to the control plane (etcd ×3, API Server, Scheduler, Controller manager, …)]
kubectl
$ kubectl apply -f nginx.yaml -f nginx-svc.yml
$ kubectl get all
NAME            READY     STATUS    RESTARTS   AGE
po/nginx        1/1       Running   0          12h
NAME            CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
svc/nginx-svc   10.0.0.116   <none>        80/TCP    7s
Federation
Add-ons
Kube DNS
• Service name: nginx-svc.my-namespace.svc.cluster.local
• SRV record for a named port: _http._tcp.nginx-svc.my-namespace.svc.cluster.local
• Pod name (from its IP): 1-2-3-4.default.pod.cluster.local
Dashboard
Ingress controllers
• GCP / AWS / …
• nginx
• haproxy
Heapster + InfluxDB, Grafana
Security
Namespaces and quotas
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources
spec:
  hard:
    pods: "4"
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi
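The quota above is enforced at admission time: once a quota constrains requests.cpu, every new pod in that namespace must state a CPU request (or be rejected), and the sum over existing pods plus the new one must stay under "hard". The following is an added example, not code from the talk or from Kubernetes, that models those two rules in Python against the slide's quota; the nginx_pod helper and its resource figures are constructed for the example, and only the quantity forms on the slide ("1", "500m", "1Gi") are parsed.

```python
# Added example, not from the talk: a simplified model of the ResourceQuota
# admission check. Only the quantity forms on the slide are parsed.
from typing import Dict, List, Optional, Tuple


def parse_cpu(q: str) -> float:
    """'1' -> 1.0 core, '500m' -> 0.5 core."""
    return int(q[:-1]) / 1000 if q.endswith("m") else float(q)


def parse_mem(q: str) -> int:
    """'1Gi' / '512Mi' / '64Ki' -> bytes; a bare number is already bytes."""
    for suffix, mult in (("Ki", 1024), ("Mi", 1024 ** 2), ("Gi", 1024 ** 3)):
        if q.endswith(suffix):
            return int(q[: -len(suffix)]) * mult
    return int(q)


def parse(key: str, q: str) -> float:
    if key == "pods":
        return float(q)
    return parse_cpu(q) if key.endswith("cpu") else parse_mem(q)


# The quota from the slide, as the API server sees it after parsing the YAML.
QUOTA = {"pods": "4", "requests.cpu": "1", "requests.memory": "1Gi",
         "limits.cpu": "2", "limits.memory": "2Gi"}


def pod_usage(pod: dict) -> Dict[str, float]:
    """Sum requests and limits over the pod's containers. An unset request
    defaults to the container's limit (as the API server does); a resource
    that is set nowhere is deliberately absent from the result."""
    usage: Dict[str, float] = {"pods": 1}
    for c in pod["spec"]["containers"]:
        res = c.get("resources", {})
        limits = res.get("limits", {})
        requests = {**limits, **res.get("requests", {})}
        for section, values in (("requests", requests), ("limits", limits)):
            for name, q in values.items():
                key = f"{section}.{name}"
                usage[key] = usage.get(key, 0) + parse(key, q)
    return usage


def admit(pod: dict, existing: List[dict],
          quota: Dict[str, str] = QUOTA) -> Tuple[bool, str]:
    """Rule 1: the pod must state every resource the quota constrains.
    Rule 2: usage of existing pods plus the new pod must stay within 'hard'."""
    new = pod_usage(pod)
    for key in quota:
        if key != "pods" and key not in new:
            return False, f"must specify {key}"
    current: Dict[str, float] = {}
    for p in existing:
        for k, v in pod_usage(p).items():
            current[k] = current.get(k, 0) + v
    for key, hard in quota.items():
        if current.get(key, 0) + new.get(key, 0) > parse(key, hard):
            return False, f"exceeded quota for {key}"
    return True, "ok"


def nginx_pod(requests: Optional[Dict[str, str]] = None,
              limits: Optional[Dict[str, str]] = None) -> dict:
    """Constructed sample: the slide's nginx pod with optional resources."""
    resources: Dict[str, Dict[str, str]] = {}
    if requests:
        resources["requests"] = requests
    if limits:
        resources["limits"] = limits
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
            "spec": {"containers": [{"name": "nginx", "image": "nginx:1.7.9",
                                     "resources": resources}]}}


if __name__ == "__main__":
    half = nginx_pod({"cpu": "500m", "memory": "512Mi"}, {"cpu": "1", "memory": "1Gi"})
    print(admit(nginx_pod(), []))          # rejected: no requests at all
    print(admit(half, [half]))             # fits exactly
    print(admit(half, [half, half]))       # third pod overflows requests.cpu
```

The practical consequence of rule 1 is that a quota on a namespace silently blocks any manifest that omits resources, which is why a LimitRange with defaults is usually deployed alongside it.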
PodSecurityPolicy
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: permissive
spec:
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  hostPorts:
  - min: 8000
    max: 8080
  volumes:
  - '*'
  allowedCapabilities:
  - '*'
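The policy above is aptly named "permissive": volumes '*' lets a pod mount a hostPath, and allowedCapabilities '*' lets it add SYS_ADMIN, which together come close to root on the node. What it still rejects is only what its unset fields default to: privileged containers, hostPID/hostIPC/hostNetwork, and host ports outside 8000-8080. The following is an added example, not code from the talk or from Kubernetes, that applies those checks in Python to the slide's policy and to an added, hypothetical "restricted" counterpart; the NGINX_SPEC and DEBUG_SPEC sample pods are constructed for the example. (PodSecurityPolicy was later deprecated in 1.21 and removed in 1.25 in favour of Pod Security Admission, but the checks themselves are the ones any pod-level policy has to make.)

```python
# Added example, not from the talk: pod-spec checks in the spirit of the
# PodSecurityPolicy admission controller, against the slide's "permissive"
# policy and an added, hypothetical "restricted" one.
from typing import Dict, List

# The slide's policy as parsed YAML. Fields it leaves unset (privileged, hostPID,
# hostIPC, hostNetwork) default to false, so only what is listed is allowed.
PERMISSIVE: Dict = {
    "runAsUser": {"rule": "RunAsAny"},
    "hostPorts": [{"min": 8000, "max": 8080}],
    "volumes": ["*"],
    "allowedCapabilities": ["*"],
}

# Added hardened counterpart (assumed, not on the slide).
RESTRICTED: Dict = {
    "privileged": False,
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "hostPorts": [],
    "volumes": ["configMap", "secret", "emptyDir", "persistentVolumeClaim"],
    "allowedCapabilities": [],
}


def violations(pod_spec: dict, psp: dict) -> List[str]:
    """Return the reasons the policy would reject this pod spec ([] = admitted)."""
    found: List[str] = []
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if pod_spec.get(flag) and not psp.get(flag, False):
            found.append(f"{flag} is not allowed")
    allowed_vols = psp.get("volumes", [])
    for vol in pod_spec.get("volumes", []):
        vtype = next(k for k in vol if k != "name")  # e.g. "hostPath", "emptyDir"
        if "*" not in allowed_vols and vtype not in allowed_vols:
            found.append(f"volume type {vtype} is not allowed")
    allowed_caps = psp.get("allowedCapabilities", [])
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec["containers"]:
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not psp.get("privileged", False):
            found.append(f"{c['name']}: privileged containers are not allowed")
        for cap in sc.get("capabilities", {}).get("add", []):
            if "*" not in allowed_caps and cap not in allowed_caps:
                found.append(f"{c['name']}: capability {cap} may not be added")
        for port in c.get("ports", []):
            hp = port.get("hostPort")
            if hp is not None and not any(r["min"] <= hp <= r["max"]
                                          for r in psp.get("hostPorts", [])):
                found.append(f"{c['name']}: hostPort {hp} is outside the allowed ranges")
        if psp["runAsUser"]["rule"] == "MustRunAsNonRoot":
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            # Admission only rejects an explicit root request; when nothing is set
            # it mutates the pod to runAsNonRoot=true and the kubelet enforces that
            # against the image's USER at container start.
            if uid == 0 or non_root is False:
                found.append(f"{c['name']}: must run as non-root")
    return found


# Constructed samples: the slide's nginx pod and a hypothetical "node debugger".
NGINX_SPEC = {"containers": [{"name": "nginx", "image": "nginx:1.7.9",
                              "ports": [{"containerPort": 8080}]}]}
DEBUG_SPEC = {
    "hostPID": True,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "image": "busybox",
                    "securityContext": {"privileged": True, "runAsUser": 0,
                                        "capabilities": {"add": ["SYS_ADMIN"]}},
                    "ports": [{"containerPort": 22, "hostPort": 9000}]}],
}

if __name__ == "__main__":
    for name, psp in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, "nginx:", violations(NGINX_SPEC, psp))
        print(name, "debug:", violations(DEBUG_SPEC, psp))
```

Note that the restricted policy admits the slide's nginx pod at admission time, because the pod sets no user at all; the kubelet then refuses to start it once runAsNonRoot has been injected, since nginx:1.7.9 runs as root by default. Admission checks and runtime checks catch different things.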
NetworkPolicy
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: access-nginx
spec:
  podSelector:
    matchLabels:
      run: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          access: "true"
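The subtlety practitioners miss with this object is that a policy only changes anything for the pods its podSelector selects: those pods become isolated and accept only what some ingress rule admits, while every other pod in the namespace stays wide open until a policy selects it too, and policies are additive. The following is an added example, not code from the talk or from Kubernetes, that evaluates that logic in Python for the slide's access-nginx policy and for an added default-deny policy; the matchLabels matching it uses is the same rule by which the Service and Deployment on the earlier slides select their pods. It models only same-namespace podSelector peers (no namespaceSelector, ipBlock, ports or egress), and the sample pods are constructed for the example.

```python
# Added example, not from the talk: how NetworkPolicy selection decides whether
# ingress traffic between two pods is allowed. Same-namespace podSelector peers
# only; namespaceSelector, ipBlock, ports and egress are left out.
from typing import List


def matches(selector: dict, labels: dict) -> bool:
    """matchLabels semantics (also how a Service or Deployment selects pods):
    every key/value pair must be present; an empty selector matches every pod."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(dst: dict, src: dict, policies: List[dict]) -> bool:
    """dst/src are {"namespace": ..., "labels": {...}}. A pod no policy selects
    is not isolated and accepts everything; once any policy selects it, only
    traffic matched by an ingress rule of some selecting policy gets through."""
    selecting = [p for p in policies
                 if p["metadata"].get("namespace", "default") == dst["namespace"]
                 and matches(p["spec"]["podSelector"], dst["labels"])]
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:  # a rule without 'from' admits every source
                return True
            for peer in peers:
                # a bare podSelector peer only matches pods in the policy's own namespace
                if ("podSelector" in peer and src["namespace"] == dst["namespace"]
                        and matches(peer["podSelector"], src["labels"])):
                    return True
    return False


# The slide's policy, as parsed YAML.
ACCESS_NGINX = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "access-nginx", "namespace": "default"},
    "spec": {"podSelector": {"matchLabels": {"run": "nginx"}},
             "ingress": [{"from": [{"podSelector": {"matchLabels": {"access": "true"}}}]}]},
}

# Added default-deny policy (assumed, not on the slide): an empty podSelector
# selects every pod in the namespace, and with no ingress rule nothing is admitted.
DEFAULT_DENY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny", "namespace": "default"},
    "spec": {"podSelector": {}},
}


def pod(labels: dict, namespace: str = "default") -> dict:
    """Constructed sample pod: only what the evaluator needs."""
    return {"namespace": namespace, "labels": labels}


if __name__ == "__main__":
    nginx, client, db = pod({"run": "nginx"}), pod({"access": "true"}), pod({"app": "db"})
    print(ingress_allowed(nginx, client, [ACCESS_NGINX]))          # True
    print(ingress_allowed(db, client, [ACCESS_NGINX]))             # True: db is not selected
    print(ingress_allowed(db, client, [ACCESS_NGINX, DEFAULT_DENY]))  # False
```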
RBAC
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
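RBAC is allow-only: a request is granted if and only if some binding in the request's namespace names the subject and the referenced Role carries a rule matching the API group, resource and verb; there are no deny rules, and a Role bound in one namespace grants nothing in another. The following is an added example, not code from the talk or from Kubernetes, that evaluates the slide's pod-reader Role and read-pods RoleBinding in Python and adds a small audit check for the wildcard rules that usually hide escalation paths; it models only namespaced Roles bound to User subjects (no ClusterRole, Group or ServiceAccount), and the "everything" Role is a hypothetical over-broad example constructed for the audit to catch.

```python
# Added example, not from the talk: a minimal evaluator for the Role/RoleBinding
# pair on the slide, plus an audit helper. Namespaced Roles and User subjects only.
from typing import List

# The slide's objects, as parsed YAML.
POD_READER = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"namespace": "default", "name": "pod-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
}
READ_PODS = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
    "metadata": {"name": "read-pods", "namespace": "default"},
    "subjects": [{"kind": "User", "name": "jane", "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": "rbac.authorization.k8s.io"},
}

# Added, hypothetical over-broad role for the audit helper to flag.
EVERYTHING = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"namespace": "default", "name": "everything"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}


def _hit(allowed: List[str], wanted: str) -> bool:
    return "*" in allowed or wanted in allowed


def rule_allows(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """One rule grants the request only if group, resource and verb all match."""
    return (_hit(rule.get("apiGroups", []), api_group)
            and _hit(rule["resources"], resource)
            and _hit(rule["verbs"], verb))


def authorize(user: str, verb: str, resource: str, namespace: str,
              roles: List[dict], bindings: List[dict], api_group: str = "") -> bool:
    """Allow-only evaluation: any matching binding + rule grants; nothing denies."""
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding never reaches outside its own namespace
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        if ref["kind"] != "Role":
            continue  # ClusterRole references are not modelled here
        for role in roles:
            if (role["metadata"]["namespace"] == namespace
                    and role["metadata"]["name"] == ref["name"]
                    and any(rule_allows(r, api_group, resource, verb) for r in role["rules"])):
                return True
    return False


def wildcard_rules(roles: List[dict]) -> List[str]:
    """Audit helper: flag rules with '*' resources or verbs, and read access to
    secrets, since those are the usual privilege-escalation paths."""
    findings: List[str] = []
    for role in roles:
        ident = f"{role['metadata']['namespace']}/{role['metadata']['name']}"
        for rule in role["rules"]:
            if "*" in rule["resources"] or "*" in rule["verbs"]:
                findings.append(f"{ident}: wildcard rule")
            elif "secrets" in rule["resources"] and ("get" in rule["verbs"] or "list" in rule["verbs"]):
                findings.append(f"{ident}: reads secrets")
    return findings


if __name__ == "__main__":
    roles, bindings = [POD_READER], [READ_PODS]
    print(authorize("jane", "get", "pods", "default", roles, bindings))       # True
    print(authorize("jane", "delete", "pods", "default", roles, bindings))    # False
    print(authorize("jane", "get", "pods", "kube-system", roles, bindings))   # False
    print(wildcard_rules([POD_READER, EVERYTHING]))
```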
Related projects
• Helm
• Kops / Kube-AWS / Bootkube / …
• Træfik
• Prometheus / Sysdig / Datadog / …
• Kube-lego, …
Resources
• Minikube!
• kubernetes.io
• Kubernetes the hard way
• Kubernetes Slack
• Awesome Kubernetes
Questions?