News From The Front: v1.2

Google Cloud Platform News From The Front: v1.2 Bay Area
Kubernetes Meetup #5 Feb 11, 2016 Tim Hockin <[email protected]> Senior Staff SWE @thockin

Google Cloud Platform Kubernetes Greek for “Helmsman”; also the root
of the words “governor” and “cybernetic” • Runs and manages containers • Inspired and informed by Google’s experiences and internal systems • Supports multiple cloud and bare-metal environments • Supports multiple container runtimes • 100% Open source, written in Go Manage applications, not machines

Google Cloud Platform 1. Setting up the cluster • Choose
a cloud: GCE, AWS, Azure, Rackspace, on-premises, ... • Choose a node OS: CoreOS, Atomic, RHEL, Debian, CentOS, Ubuntu, ... • Provision machines: Boot VMs, install and run kube components, ... • Configure networking: IP ranges for Pods, Services, SDN, ... • Start cluster services: DNS, logging, monitoring, ... • Manage nodes: kernel upgrades, OS updates, hardware failures... Not the easy or fun part, but unavoidable This is where things like Google Container Engine (GKE) really help Container clusters: A story in two parts

Google Cloud Platform 2. Using the cluster • Run Pods
& Containers • Replication controllers • Services • Volumes This is the fun part! A distinct set of problems from cluster setup and management Don’t make developers deal with cluster administration! Accelerate development by focusing on the applications, not the cluster Container clusters: A story in two parts

Google Cloud Platform Services

Google Cloud Platform Services A group of pods that work
together • grouped by a selector Defines access policy • “load balanced” or “headless” Gets a stable virtual IP and port • sometimes called the service portal • also a DNS name VIP is managed by kube-proxy • watches all services • updates iptables when backends change Hides complexity - ideal for non-native apps Client Virtual IP

Google Cloud Platform iptables kube-proxy iptables kube-proxy apiserver Node X

Google Cloud Platform iptables kube-proxy apiserver Node X watch services
& endpoints iptables kube-proxy

Google Cloud Platform iptables kube-proxy apiserver Node X kubectl run
... watch iptables kube-proxy

Google Cloud Platform iptables kube-proxy apiserver Node X schedule watch
iptables kube-proxy

Google Cloud Platform iptables kube-proxy apiserver Node X watch kubectl
expose ... iptables kube-proxy

Google Cloud Platform iptables kube-proxy apiserver Node X new service!
update iptables kube-proxy

Google Cloud Platform iptables kube-proxy apiserver Node X watch configure
iptables kube-proxy

Google Cloud Platform iptables kube-proxy apiserver Node X watch VIP
iptables kube-proxy

Google Cloud Platform iptables kube-proxy apiserver Node X new endpoints!
update VIP iptables kube-proxy

Google Cloud Platform iptables kube-proxy apiserver Node X VIP watch
configure iptables kube-proxy

iptables kube-proxy

Client iptables kube-proxy

Google Cloud Platform External Services Services IPs are only available
inside the cluster Need to receive traffic from “the outside world” Builtin: Service “type” • NodePort: expose on a port on every node • LoadBalancer: provision a cloud load-balancer DiY load-balancer solutions • socat (for nodePort remapping) • haproxy • nginx

Google Cloud Platform Ingress (L7) Services are assumed L3/L4 Lots
of apps want HTTP/HTTPS Ingress maps incoming traffic to backend services • by HTTP host headers • by HTTP URL paths HAProxy, NGINX, AWS and GCE implementations in progress Now with SSL! Status: BETA in Kubernetes v1.2 URL Map Client

Google Cloud Platform ConfigMaps

Google Cloud Platform ConfigMaps Problem: how to manage app configuration
• ...without making overly-brittle container images 12-factor says config comes from the environment • Kubernetes is the environment Manage config via the Kubernetes API Inject config as a virtual volume into your Pods • late-binding, live-updated (atomic) • also available as env vars Status: GA in Kubernetes v1.2 node API Pod Config Map

Google Cloud Platform Secrets

Google Cloud Platform Secrets Problem: how to grant a pod
access to a secured something? • don’t put secrets in the container image! 12-factor says config comes from the environment • Kubernetes is the environment Manage secrets via the Kubernetes API Inject secrets as virtual volumes into your Pods • late-binding, tmpfs - never touches disk • also available as env vars node API Pod Secret

Google Cloud Platform Deployments

Google Cloud Platform Deployments Rolling update is too imperative Deployment
manages RC changes for you • stable object name • updates are done server-side rather than client • kubectl edit or kubectl apply is all you need Aggregates stats Can have multiple updates in flight Status: BETA in Kubernetes v1.2 ...

Google Cloud Platform Jobs

Google Cloud Platform Jobs Run-to-completion, as opposed to run-forever •
Express parallelism vs. required completions • Workflow: restart on failure • Build/test: don’t restart on failure Aggregates success/failure counts Built for batch and big-data work Status: GA in Kubernetes v1.2 ...

Google Cloud Platform HorizontalPodAutoscalers

Google Cloud Platform HorizontalPodAutoScalers Automatically scale ReplicationControllers to a target
utilization • CPU utilization for now • Probably more later Operates within user-defined min/max bounds Set it and forget it Status: GA in Kubernetes v1.2 ... Stats

Google Cloud Platform DaemonSets

Google Cloud Platform DaemonSets Problem: how to run a Pod
on every node • or a subset of nodes Similar to ReplicationController • principle: do one thing, don’t overload “Which nodes?” is a selector Use familiar tools and patterns Status: BETA in Kubernetes v1.2 Pod

Google Cloud Platform PersistentVolumes

Google Cloud Platform PersistentVolumes A higher-level abstraction • insulation from
any one cloud environment Admin provisions them, users claim them NEW: auto-provisioning (alpha in v1.2) Independent lifetime and fate Can be handed-off between pods and lives until user is done with it Dynamically “scheduled” and managed, like nodes and pods Claim

Google Cloud Platform Network Plugins

Google Cloud Platform Network Plugins Introduced in Kubernetes v1.0 •
VERY experimental Uses CNI (CoreOS) in v1.1 • Simple exec interface • Not using Docker libnetwork • but can defer to Docker for networking Cluster admins can customize their installs • DHCP, MACVLAN, Flannel, custom net Plugin Plugin Plugin

Google Cloud Platform New and coming soon • Cron (scheduled
jobs) • Custom metrics • “Apply” a config (even more declarative) • Interactive containers • Bandwidth shaping • Third-party API objects • Scalability: 1000 nodes, 100+ pods/node • Performance • Machine-generated Go clients (less deps!) • Volume usage stats • Multi-zone (AZ) support • Multi-scheduler support • Node affinity and anti-affinity • Multi-cluster federation • API federation • More volume types • Private Docker registry • External DNS integration • Volume classes and auto-provisioning • Node fencing • DiY Cloud Provider plugins • More container runtimes (e.g. Hyper) • Better auth{n,z} • Network policy (microsegmentation) • Big data integrations • Device scheduling (e.g. GPUs)

Google Cloud Platform Kubernetes status & plans Open sourced in
June, 2014 • v1.0 in July, 2015 • v1.1 in November, 2015 • v1.2 ... soon! Google Container Engine (GKE) • hosted Kubernetes - don’t think about cluster setup PaaSes: • RedHat OpenShift, Deis, Stratos Distros: • CoreOS Tectonic, Mirantis Murano (OpenStack),RedHat Atomic, Mesos Hitting a ~3 month release cadence

Google Cloud Platform The Goal: Shake things up Containers are
a new way of working Requires new concepts and new tools Google has a lot of experience... ...but we are listening to users Workload portability is important!

Google Cloud Platform Kubernetes is Open - open community -
open design - open source - open to ideas http://kubernetes.io https://github.com/kubernetes/kubernetes slack: kubernetes twitter: @kubernetesio

News From The Front: v1.2

News From The Front: v1.2

More Decks by Tim Hockin

Other Decks in Technology

Featured

Transcript