20180922 Cloud Native Hiroshima #01 EKS

Transcript

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All

   rights reserved. 谏⾱ し鋉 銮傈劤䬐䔲أُ٦ءّٝ،٦ؗذؙز ،وبٝ ؐؑـ ؟٦ؽأ آٍػٝ吳䒭⠓爡 2018.09.22 Amazon Elastic Container Service for Kubernetes (EKS) Cloud Native Hiroshima #01

2. © 2018, Amazon Web Services, Inc. or its Affiliates. All

   rights reserved. 荈䊹稱➜ 谏⾱ し鋉 (סׄ׻׵ ״׃ך׶) • 銮傈劤䬐䔲 أُ٦ءّٝ ،٦ؗذؙز • AWS 㣐ꢻؔؿ؍أחְתׅ • ꟼ銮ךؽآطأثٍحزأة٦ز،حف⟰噟ד 6 䎃꟦ AWS ׾ 崞欽 • AWS ؟يٓ؎ 2013 • 㥨ֹז AWS ؟٦ؽأ: AWS ؟ه٦ز

3. © 2018, Amazon Web Services, Inc. or its Affiliates. All

   rights reserved. ،آؑٝت • ז׈؝ٝذشזךַ • "NB[PO
   &,4
   הכ • "NB[PO
   &,4
   כוך״ֲח⹛⡲ׅ׷ךַ • תה׭

4. © 2018, Amazon Web Services, Inc. or its Affiliates. All

   rights reserved. ؝ٝذش׾ⵃ欽׃׋Ꟛ涪ך㹋ꥷ

5. © 2018, Amazon Web Services, Inc. or its Affiliates. All

   rights reserved. ז׈؝ٝذشַ ػح؛٦آؚٝ ꂁ䋒 ؎ىُ٦ةـٕ ؎ٝؿٓأزؙٓثٍ

6. © 2018, Amazon Web Services, Inc. or its Affiliates. All

   rights reserved. ؝ٝذشךِ٦أ؛٦أ و؎ؙٗ؟٦ؽأ،٦ؗذؙثٍ 㢳侧ךو؎ؙٗ؟٦ؽأ׾ずׄ圫ח盖椚 ꬊず劍آّـ㹋遤 غحث؝ٝؾُ٦ذ؍ؚٝ آّـךؙٔؒأزח䘔ׄ׋厫鮾זأ؛٦ٕ 竰竲涸؎ٝذؚٖ٦ءّٝծ竰竲涸رفٗ؎ $*$% Ꟛ涪։ذأز։劤殢תד♧顐׃׋؎ً٦آ׾ⵃ欽

7. © 2018, Amazon Web Services, Inc. or its Affiliates. All

   rights reserved. ؝ٝذش׾ⵃ欽׃׋Ꟛ涪ח䗳銲ז䪮遭銲稆 • ،فٔךأذ٦زٖأ⻉ • ٖآأزٔ • ؝ٝزٗ٦ٕفٖ٦ٝ 
   ر٦ةفٖ٦ٝ • $*$%ػ؎فٓ؎ٝ

8. © 2018, Amazon Web Services, Inc. or its Affiliates. All

   rights reserved. ،فٔךأذ٦زٖأ⻉ ؝ٝذشך⚥חⰅ׸׷ךכأذ٦زٖأז،فٔח ؝ٝذشךًٔحز׾剑㣐ꣲ崞ַׇ׷ أذ٦زָ䗳銲ז׮ךכ؝ٝذشך㢩ח縧ֻ ⿫罋
   5XFMWFGBDUPS
   "QQMJDBUJPO
   ˊ *7
   #BDLJOH
   TFSWJDFT IUUQTGBDUPSOFUKBCBDLJOHTFSWJDFT "NB[PO
   &MBTUJ$BDIF Amazon RDS Amazon S3 Amazon DynamoDB

9. © 2018, Amazon Web Services, Inc. or its Affiliates. All

   rights reserved. ٖآأزٔ ؝ٝذشך饯⹛⯋הז׷؎ً٦آך縧ֹ㜥䨽 ،فٔ㹋遤橆㞮׾QVTI
   
   㹋遤儗חQVMM׃ג饯⹛ 넝ְ〳欽䚍ծأ؛٦ٓؽٔذ؍ָ実׭׵׸׷ 衅׍׋׵رفٗ؎♶腉ծず儗ח㣐ꆀחQVMMׁ׸׷ֿה׮ 荈⵸ד䭯אה׉ך盖椚؝أزַַָ׷ ̔ "NB[PO
   &MBTUJD
   $POUBJOFS
   3FHJTUSZ
   &$3
   

10. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. ؝ٝزٗ٦ٕفٖ٦ٝ 
    ر٦ةفٖ٦ٝ ؝ٝزٗ٦ٕفٖ٦ٝ 
    ؝ٝذشך盖椚׾ׅ׷㜥䨽 וֿד؝ٝذش׾⹛ַׅ欰娤כְא姺׭׷ رفٗ؎儗חוְֲֲ괏חꂁ縧ׅ׷ ̔ "NB[PO
    &MBTUJD
    $POUBJOFS
    4FSWJDF
    &$4 "NB[PO
    &MBTUJD $POUBJOFS 4FSWJDF GPS ,VCFSOFUFT &,4 ر٦ةفٖ٦ٝ 
    㹋ꥷח؝ٝذشָ珩⫴ׅ׷㜥䨽 ؝ٝزٗ٦ٕفٖ٦ַٝ׵ך䭷爙ח䖞׏ג饯⹛ ぐ珏朐䡾׾؝ٝزٗ٦ٕفٖ٦ٝחؿ؍٦سغحؙ ̔ "84
    'BSHBUF 
    "NB[PO
    &MBTUJD
    $PNQVUF
    $MPVE
    &$

11. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. $*$%ػ؎فٓ؎ٝ ،فٔך؝٦س㢌刿։؝ٝذشךرفٗ؎׾盖椚ׅ׷ 荈⹛⻉ׅ׷ֿהד铩ָװ׏ג׮ずׄ״ֲחرفٗ؎〳腉 ؽٕسכ׮׍׹׿ծ⽃⡤ذأزװ窟さذأزծ頾蚚ذأز׮ ؕشٔ،رفٗ؎װٔ٦آّٝرفٗ؎זו׮ 鷿⚥חوصُ،ٕדך䪫钠׾䮠׿ד׮葺ְ ̔ "84
    $PEF1JQFMJOF 
    "84
    $PEF#VJME ؝ٝزٗ٦ٕفٖ٦ٝך麩ְ׾ェ　ׅ׷ֿה׮דֹ׷ ⢽
    ずׄ؝٦سַ׵ծ"84כ&$4
    
    ؔٝفٖכ,VCFSOFUFTפ

12. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Amazon EC2 AWS CodePipeline  
       AWS CodeCommit AWS CodeBuild Amazon RDS Amazon S3 Developer Control plane Data plane Backing service Registry CI/CD pipeline

13. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. "NB[PO
    $POUBJOFS
    4FSWJDFT ٖآأزٔ "NB[PO
    &$3 ؝ٝزٗ٦ٕفٖ٦ٝ "NB[PO
    &$4 "NB[PO
    &,4 ر٦ةفٖ٦ٝ "84
    'BSHBUF

14. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. E L A S T I C C O N T A I N E R S E R V I C E F O R K U B E R N E T E S (EKS)

15. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. 5FOFUT • "NB[PO
    &,4
    כծ⟃♴אך 5FOFU
    ׾䲓־؟٦ؽأ׾䲿⣘ 5FOFU
     &,4
    כ⟰噟ָ劤殢ךٙ٦ؙٗ٦س ׾㹋遤ׅ׷׋׭ךفٓحزؿؓ٦ يד֮׷ֿה 5FOFU
     &,4
    כط؎ذ؍ـד剑倜ך ,VCFSOFUFT
    ך⡤꿀׾䲿⣘ׅ׷ֿה 5FOFU
     &,4
    ِ٦ؠָ➭ך "84
    ؟٦ؽأ׾ ⢪ֲ儗ծء٦يٖأז鸬䵿׾㹋植 ׃♶銲ז⡲噟׾《׶ꤐֻ 5FOFU
     &,4
    ث٦يכ琎噰涸ח ,VCFSOFUFT
    فٗآؙؑزח顀柃׃ גְֻֿה

16. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. ؝ٝزٗ٦ٕفٖ٦ٝ • "NB[PO
    &,4
    ؝ٝزٗ٦ٕفٖ٦ٝכծFUDE ֶ״ן ,VCFSOFUFT
    "1*
    TFSWFS
    זוך ,VCFSOFUFT
    اؿزؐؑ،׾㹋遤ׅ׷؝ٝزٗ٦ٕفٖ٦ٝ ظ٦سד圓䧭 • "NB[PO
    &,4
    כծؿٕوط٦آسז؝ٝزٗ٦ٕفٖ٦ٝ׾䲿⣘ "WBJMBCJMJUZ
    ;POF
     FUDE $POUSPMMFS FUDE $POUSPMMFS FUDE $POUSPMMFS "WBJMBCJMJUZ
    ;POF
     "WBJMBCJMJUZ
    ;POF
     "1*
    TFSWFS $MPVE
    DPOUSPMMF S $POUSPMMF S
    NBOBHFS 4DIFEVMF S "EEPOT ,VCF%/4 ⹛⡲؝ٝه٦طٝز

17. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. ٙ٦ؕ٦ظ٦س • "NB[PO
    &,4
    ٙ٦ؕ٦ظ٦سכծؙٓأة٦ "1*
    ؟٦غ٦ؒٝسه؎ٝز ׾➜׃גؙٓأة٦ך؝ٝزٗ٦ٕفٖ٦ٝח䱸竲 • ؝ٝذشכٙ٦ؕ٦ظ٦س♳חꂁ縧 "WBJMBCJMJUZ
    ;POF
     FUDE $POUSPMMFS FUDE $POUSPMMFS "WBJMBCJMJUZ
    ;POF
     "WBJMBCJMJUZ
    ;POF
     FUDE $POUSPMMFS

18. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. mycluster.eks.amazonaws.com EKS Workers Kubectl 
     AZ 1 AZ 2 AZ 3 Your AWS account

19. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Kubernetes Certified

20. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Kubernetes 彊䬿 1. ه٦ةؽٔذ؍٦ה湱✼麊欽䚍׾⥂鏾 2. ة؎ئ٦ז،حفر٦ز 3. Confirmability

21. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. 1.10 upstream == 1.10 in EKS

22. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Amazon EKS כוך״ֲח⹛⡲ׅ׷ךַ

23. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. ءشٔؔ 1. Amazon Virtual Private Cloud (VPC) ך傀㶷圓䧭 Public ה Private subnet / Multi-AZ 2. Amazon EKS Cluster (control plane) ⡲䧭 / 钠鏾 3. Amazon EKS Worker Nodes 饯⹛ 4. CoreOS AWS ALB Ingress ؝ٝزٗ٦ٓ٦׾ⵃ欽׃׋ ؟٦ؽأך؎ٝة٦طحزⰕꟚ

24. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Public ה Private subnet ׾䭯א VPC / Multi-AZ 圓䧭 Private subnet 2 RDS Aurora Reader RDS Aurora Writer Security Group RDS Public subnet 2 Availability Zone 1 NAT gateway NAT gateway Internet gateway IAM Public subnet 1 Availability Zone 2 Private subnet 1 Internet AWS Region

25. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. ٔ٦آّٝה،ك؎ٓؽٔذ؍ب٦ٝ ٔ٦آّٝכ醱侧ך،ك؎ٓؽٔذ؍ب٦ٝ
    ";
    ד圓䧭ׁ׸גְתׅկ荈搫拄㹱װر٦ةإ ٝة٦⽃⡘ךꥺ㹱זוؽآطأח䕦갟׾♷ִ׷ٔأؙ׾剑㼭⻉ׅ׷״ֲ㖑椚涸ח䕦갟׾「ֽז ְ⼧ⴓꨄ׸׋㜥䨽ח֮׶ծ杝甧׃׋ꨵ彁ծ瑞锃ծ暟椚涸זإُؗٔذ؍׾⪒ִծ䎢䌒㚖דع؎ أؾ٦سך⯔㔐简ךغحؙن٦ٝח䱸竲ׁ׸גְתׅկ Data Center Data Center Data Center Data Center AZ AZ AZ AZ AZ Transit Transit

26. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. aws eks create-cluster --name eks-demo --role-arn arn:aws:iam::account- id:role/eksServiceRole --resources-vpc-config subnetIds=subnet-public-az1-id, subnet-public-az2-id,subnet-private-az1-id,subnet-private-az2- id,securityGroupIds=sg-eks-control-plane-id

27. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Kubectl 3) AWS ID׾RBACד钠〳 K8s API 1) AWS ID׾鷏⥋ 2) AWS ID׾嗚鏾 4) K8s ،ؙءّٝ 鏩〳/⽱♴ AWS 钠鏾 IAM Authentication + Kubectl

28. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. apiVersion: v1 clusters: - cluster: server: <endpoint-url> certificate-authority-data: <base64- encoded-ca-cert> name: kubernetes contexts: - context: cluster: kubernetes user: aws name: aws current-context: aws kind: Config preferences: {} <cluster-name> users: - name: aws user: exec: apiVersion: client.authentication.k8s.io/v1alpha1 command: aws-iam-authenticator args: - "token" - "-i" - "<cluster-name>"

29. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Amazon EKS Cluster (control plane) ⡲䧭 / 钠鏾 Private subnet 2 RDS Aurora Reader RDS Aurora Writer Security Group RDS Public subnet 2 Availability Zone 1 NAT gateway NAT gateway Internet gateway IAM Public subnet 1 Availability Zone 2 Private subnet 1 EKS Cluster Internet kubectl AWS Region

30. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Amazon EKS Worker Nodes 饯⹛ AWS CloudFormation Template • Stack name • ClusterName • ClusterControlPlaneSecurityGroup • NodeGroupName • NodeAutoScalingGroupMinSize • NodeAutoScalingGroupMaxSize • NodeInstanceType • NodeImageId • KeyName • VpcId • Subnets

31. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. apiVersion: v1 kind: ConfigMap metadata: name: aws-auth namespace: kube-system data: mapRoles: | - rolearn: <ARN of instance role> username: system:node:{{EC2PrivateDNSName}} groups: - system:bootstrappers - system:nodes kubectl apply -f aws-auth-cm.yaml

32. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. CNIفؚٓ؎ٝח״׷ ط؎ذ؍ـVPC طحزٙ٦ؚؗٝ 醱侧ךPodכVPCⰻח㶷㖈 ׅ׷״ֲחPodⰻחずׄ VPC،سٖأ׾䭯א ءٝفٕדإُؗ،ז طحزٙ٦ؙ GitHub♳דⰕꟚׁ׸גְ׷ ؔ٦فٝا٦أ … { } https://github.com/aws/amazon-vpc-cni-k8s

33. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Nginx Pod Java Pod ENI Secondary IPs: 10.0.0.1 10.0.0.2 Veth IP: 10.0.0.1 Veth IP: 10.0.0.2 Nginx Pod Java Pod ENI Veth IP: 10.0.0.20 Veth IP: 10.0.0.22 Secondary IPs: 10.0.0.20 10.0.0.22 ec2.associateaddress() VPC Subnet – 10.0.0.0/24 Instance 1 Instance 2

34. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Amazon EKS Worker Nodes 饯⹛ Workers Private subnet 2 RDS Aurora Reader RDS Aurora Writer Security Group RDS Workers Public subnet 2 Security Group Workers Availability Zone 1 NAT gateway NAT gateway Auto Scaling Internet gateway EKS Cluster IAM Public subnet 1 Availability Zone 2 Private subnet 1 Internet kubectl EKS Cluster AWS Region

35. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. ٗ٦سغٓٝ؟٦ CoreOS AWS ALB Ingress ؝ٝزٗ٦ٓ٦: AWSָ؟ه٦ز Ingress ٔا٦أה׃ג Application Load Balancer (ALB) ׾ ⰕꟚדֹ׷ مأزせת׋כػأח״׷؝ٝذٝزك٦إٔ٦ذ؍ؚٝ׾ ؟ه٦ز׃׋L7ך頾蚚ⴓ侔ָ〳腉

36. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. ٗ٦سغٓٝ؟٦

37. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. apiVersion: extensions/v1beta1 kind: Ingress metadata: name: exampleserver namespace: exampleserver annotations: kubernetes.io/ingress.class: alb alb.ingress.kubernetes.io/target-type: ip alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/tags: Environment=dev,Team=test alb.ingress.kubernetes.io/subnets: 'subnet-public-az1-id,subnet-public-az2-id' alb.ingress.kubernetes.io/security-groups: 'sg-internet-facing-alb-id' alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80,"HTTPS": 443}]' alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:region:account-id:certificate/UUID spec: rules: - host: exampleserver.example.com http: paths: - path: / backend: serviceName: exampleserver servicePort: 80

38. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. ٗ٦سغٓٝ؟٦ Network Load Balancer: 1.9 ⟃꣬؟ه٦ز (Alpha) L4 ٗ٦سغٓٝ؟٦ • service.beta.kubernetes.io/aws-load-balancer-type: “nlb” 㢳ֻך؛٦أד Classic Load Balancer ך縧ֹ䳔ִהז׶䖤׷ • 植朐ծ LoadBalancer ׾䭷㹀ׅ׷ה Classic Load Balancer ָ⡲ 䧭ׁ׸׷

39. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. CoreOS AWS ALB Ingress ؝ٝزٗ٦ٓ٦ Workers Private subnet 2 RDS Aurora Reader RDS Aurora Writer Security Group RDS Workers Public subnet 2 Security Group Load Balancer Application Load Balancer Security Group Workers Availability Zone 1 NAT gateway NAT gateway Auto Scaling Internet gateway kubectl EKS Cluster IAM users Public subnet 1 Availability Zone 2 Private subnet 1 Internet AWS Region ACM

40. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Fluentd 
     Cloudwatch Logs  Kubernetes Worker Pool (EC2) Amazon CloudWatch Logs Fluentd Fluentd Fluentd https://github.com/fluent/fluentd-kubernetes-daemonset https://github.com/kubernetes/charts/tree/master/incubator/fluentd-cloudwatch

41. © 2018, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. תה׭ • "NB[PO
    &,4
    כծ"84
    ךوط٦آس؟٦ؽأהء٦ي ٖأח鸬䵿 • "NB[PO
    &,4
    כծؿٕوط٦آسז؝ٝز٦ٕفٖ٦ٝ ׾䲿⣘ • أذ٦زؿٕז׮ךכծ"NB[PO
    &,4
    ׾ⵃ欽׃׋؝ٝذ شדכזֻوط٦آس؟٦ؽأ׾ⵃ欽