Ingress For Anthosを活用した安全なk8sクラスタ運用/Ingress For Anthos In Production

Transcript

1. Ingress For Anthos In Production @taisho6339

2. ࣗݾ঺հ ࡔຊେক (Hiroki Sakamoto) Twitter: taisho6339 Github: taisho6339 ΩϟϦΞ Ϡϑʔ

   → ϦΫϧʔτςΫϊϩδʔζ → ϑϦʔϥϯε ݱࡏͷ࢓ࣄ k8sʹΑΔϚΠΫϩαʔϏεͷͨΊͷج൫ͮ͘Γͱӡ༻ ࠓޙͷํ਑ 2021/01 ~ ࠶ͼਖ਼ࣾһΤϯδχΞʹͳΔ͔ݕ౼த KubernetesΛΰϦΰϦ΍͍͖͍ͬͯͨ

3. ࢲͷνʔϜ͕୲౰͢ΔαʔϏε • ๭WebϝσΟΞαʔϏε • 2000 req ~ 4000 req /

   sec • ϚΠΫϩαʔϏεΞʔΩςΫνϟ • GKEͰӡ༻

4. ΞʔΩςΫνϟ Ingress Gateway Service A Service B Service C LB

   CDN

5. ΞʔΩςΫνϟ Ingress Gateway Service A Service B Service C LB

   CDN γϯάϧ ΫϥελͰӡ༻

6. ՝୊ʹͳ͍ͬͯΔϙΠϯτ ΫϥελͷԘ௮͚Խ

7. ӡ༻՝୊ Ԙ௮͚Խͱ͸ʁ ໰୊ • ΫϥελΞοϓάϨʔυϦεΫ • IstioͳͲͷίΞίϯϙʔωϯτͷΞο ϓάϨʔυϦεΫ ݁Ռ ͏͔ͭʹ৮ΕͣԘ௮͚Խ

8. ӡ༻՝୊ Ԙ௮͚Խͱ͸ʁ ໰୊ • ΫϥελΞοϓάϨʔυϦεΫ • IstioͳͲͷίΞίϯϙʔωϯτͷΞο ϓάϨʔυϦεΫ ݁Ռ ͏͔ͭʹ৮ΕͣԘ௮͚Խ

   ϚϧνΫϥελԽͷඞཁੑʂ

9. վળʹ͋ͨΔཁٻ Ͳ͏ͯ͠ϚϧνΫϥελԽ͢Δ͔ʁ • Ϋϥελ͝ͱʹϩʔϦϯάΞοϓσʔτ͍ͨ͠ • ໰୊ൃੜ࣌͸͙͢ʹFail Over͠ɺো֐Ϋϥελ΁ͷϧʔςΟϯά͸ε τοϓ͍ͨ͠

10. ϚϧνΫϥελͷ࣮ݱํ๏ • Anthos͸ΞʔΩςΫνϟͷϞφλΠθʔ γϣϯΛςʔϚʹ༷ʑͳϓϩμΫτΛఏ ڙʂ • Ingress For Anthosͱ͍͏ϓϩμΫτ͕Ϛ ϧνΫϥελԽΛαϙʔτ

    GCP Anthos

11. Ingress For Anthos Ҿ༻: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress-for-anthos • ୯ҰVIPͷLB • IP AnycastͰ஍ཧ෼ࢄ

12. Ingress For Anthos Ҿ༻: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress-for-anthos

13. Ingress For Anthos Ҿ༻: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress-for-anthos ઃఆ༻ͷCustomResource ΛDeploy͢ΔΫϥελ

14. Ingress For Anthos Ҿ༻: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress-for-anthos Managed Controller ͕LBϦιʔεΛੜ੒

15. Ingress For Anthos Ҿ༻: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress-for-anthos

16. Ingress For Anthos Ҿ༻: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress-for-anthos URL Map

17. Ingress For Anthos Ҿ༻: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress-for-anthos LB Backend

18. Ingress For Anthos Ҿ༻: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress-for-anthos LBͷϧʔςΟϯάઃఆ ͲͷϧʔϧͰ ͲͷMCSʹྲྀ͔͢

19. Ingress For Anthos Ҿ༻: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress-for-anthos Ϋϥελʹލͬͨ Podͷ࿦ཧάϧʔϐϯά

20. Ingress For Anthos Ҿ༻: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress-for-anthos MCS͔Βࣗಈతʹੜ੒ NEGͱͯ͠ LBͷόοΫΤϯυʹొ࿥

21. ߟྀ͢Δ՝୊ ߟྀϙΠϯτ • Fail Overͷ৚݅͸ʁ • HealthCheckͰԿΛ୲อ͢Δ͔ʁ • αʔϏε͝ͱʹFail Over͸Մೳ͔ʁ

22. ߟྀ͢Δ՝୊ FailOverͷ৚݅ • Health Check͕ࣦഊͨ͠ΒFail Over

23. ߟྀ͢Δ՝୊ αʔϏε͝ͱͷFail Over • Istio ͷSingle Control Plane of Multi

    Cluster ύλʔϯͳΒՄೳ • Traffic DirectorͳͲΛ࢖͑͹ڪΒ͘Մೳ • ಛघͳߏ੒ΛऔΕ͹Մೳ

24. ߟྀ͢Δ՝୊ αʔϏε͝ͱͷFail Over • Istio ͷSingle Control Plane of Multi

    Cluster ύλʔϯͳΒՄೳ • Traffic DirectorͳͲΛ࢖͑͹ڪΒ͘Մೳ • ಛघͳߏ੒ΛऔΕ͹Մೳ Too HeavyͳͷͰ Ұ୴அ೦

25. ݕ౼ͨ͠ಛघΞʔΩςΫνϟ

26. ߟྀ͢Δ՝୊ कΓ͍ͨ΋ͷ k8s΍IstioىҼͰ αʔϏεͷμ΢ϯλΠϜ͕ͳ͍͜ͱ ࣮૷ Ϋϥελʹ৐ͬͯΔαʔϏε͕ શ෦HealthyͳΒ HealthyΛฦ͢ ಠࣗαʔϏεΛར༻ Health

    CheckͰԿΛ୲อ͢Δʁ

27. ߟྀ͢Δ՝୊ ಠࣗHealth Checker • Ϋϥελߋ৽͚࣌ͩɺશαʔϏεͷHealth CheckϞʔυ • ͦΕҎ֎ͷฏৗ࣌͸ɺಛʹԿ΋ͤͣ200Λฦ٫

28. ߟྀ͢Δ՝୊ ಠࣗHealth Checker • Ϋϥελߋ৽͚࣌ͩɺશαʔϏεͷHealth CheckϞʔυ • ͦΕҎ֎ͷฏৗ࣌͸ɺಛʹԿ΋ͤͣ200Λฦ٫ • LBͷϨΠϠͰ͸Ϋϥελ͚ͩ

    νΣοΫ • ΞϓϦέʔγϣϯ૚͸ ArgoRolloutͳͲͰؤுΔ

29. ϚϧνΫϥελΞʔΩςΫνϟ Ingress Gateway Service A Service B Service C LB

    Ingress Gateway Service A Service B Service C CDN ࠷ऴతͳߏ੒ Health Checker Health Checker

30. Pros/Cons Pros • DNS ͳͲͷTTLʹࢧ഑͞Εͳ͍ • ஍ཧ෼ࢄͰ࠷దͳϧʔςΟϯά • ಉҰϦʔδϣϯͷϚϧνΫϥελͳΒκʔϯͰۉҰ෼ࢄ •

    ҙ֎ͱ͍҆

31. Pros/Cons Cons • ྑ͘΋ѱ͘΋κʔϯͰۉҰ෼ࢄ ◦ ΧφϦΞ͸Ͱ͖ͳ͍ ◦ ҰؾʹτϥϑΟοΫ͕ྲྀΕΔ͜ͱ΋͋Δ ◦ Podͷκʔϯ͝ͱͷ෼ࢄঢ়گ͸ߟྀ͞Εͳ͍

    • Config Cluster͕༨෼ʹඞཁ • ෳࡶͳϧʔςΟϯά͍ͨ͠৔߹͸URL Mapͷ੍໿ʹ஫ҙ

32. Follow Me!! @taisho6339

33. Thank you for listening!