
20180922 Cloud Native Hiroshima #01 EKS

@twingo_b
September 22, 2018

Slides from Cloud Native Hiroshima #01, 2018/09/22.


Transcript

  1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Solutions Architect, West Japan, Amazon Web Services Japan K.K. 2018.09.22 Amazon Elastic Container Service for Kubernetes (EKS) Cloud Native Hiroshima #01
  2. About me • Solutions Architect, West Japan • Based in the AWS Osaka office • Six years of using AWS at a business-chat startup in Kansai • AWS Samurai 2013 • Favourite AWS service: AWS Support
  3. Agenda • Why containers? • What is Amazon EKS? • How does Amazon EKS work? • Summary
  4. Real-world development with containers
  5. Why containers? Packaging, distribution, immutable infrastructure
  6. Container use cases. Microservice architecture: manage many microservices in the same way. Asynchronous job execution and batch computing: scale flexibly with the job requests. Continuous integration and continuous deployment (CI/CD): use one consistent image from development through test to production.
  7. Technical building blocks needed for container-based development • Making the application stateless • A registry • A control plane and a data plane • A CI/CD pipeline
  8. Making the application stateless. Put only stateless applications inside containers, so that the benefits of containers can be exploited fully. Anything that needs state goes outside the container. Reference: The Twelve-Factor App, IV. Backing services, https://12factor.net/ja/backing-services. Examples of backing services: Amazon ElastiCache, Amazon RDS, Amazon S3, Amazon DynamoDB
  9. Registry. The place where the images that containers start from are kept: the application runtime environment is pushed to it and pulled from it at start time. High availability and scalability are required, because if the registry goes down nothing can be deployed, and images may be pulled in bulk at the same time. Running your own registry means paying its operational cost. → Amazon Elastic Container Registry (ECR)
  10. Control plane and data plane. Control plane: the place where containers are managed; it decides where a container runs, when it is started and stopped, and how containers are placed at deploy time. → Amazon Elastic Container Service (ECS), Amazon Elastic Container Service for Kubernetes (EKS). Data plane: the place where containers actually run; it starts containers on instructions from the control plane and feeds status of all kinds back to the control plane. → AWS Fargate, Amazon Elastic Compute Cloud (EC2)
  11. CI/CD pipeline. Manages everything from a change to the application code through to deployment of the container. Automating it means anyone can deploy the same way. Not only the build, but unit tests, integration tests and load tests; canary deployments, per-region deployments and so on; a manual approval step can be inserted along the way. → AWS CodePipeline, AWS CodeBuild. The pipeline can also absorb differences between control planes, e.g. deploying the same code to ECS on AWS and to Kubernetes on-premises.
  12. (Diagram: Developer, CI/CD pipeline (AWS CodeCommit, AWS CodeBuild, AWS CodePipeline), Registry, Control plane, Data plane (Amazon EC2), Backing service (Amazon RDS, Amazon S3))
  13. Amazon Container Services. Registry: Amazon ECR. Control plane: Amazon ECS, Amazon EKS. Data plane: AWS Fargate
  14. ELASTIC CONTAINER SERVICE FOR KUBERNETES (EKS)
  15. Tenets • Amazon EKS is delivered under the following four tenets. Tenet: EKS is a platform for enterprises to run production workloads. Tenet: EKS provides a native and up-to-date Kubernetes experience. Tenet: when EKS users use other AWS services, EKS integrates with them seamlessly and removes unnecessary work. Tenet: the EKS team actively contributes to the Kubernetes project.
  16. Control plane • The Amazon EKS control plane consists of control plane nodes that run Kubernetes software such as etcd and the Kubernetes API server. • Amazon EKS provides a fully managed control plane. (Diagram: three Availability Zones, each with an etcd controller; running components: API server, cloud controller, controller manager, scheduler, add-ons such as KubeDNS)
  17. Worker nodes • Amazon EKS worker nodes connect to the cluster's control plane through the cluster API server endpoint. • Containers are placed on the worker nodes. (Diagram: three Availability Zones, each with an etcd controller)
  18. (Diagram: mycluster.eks.amazonaws.com; EKS Workers in AZ 1, AZ 2 and AZ 3 inside your AWS account; access with kubectl)
  19. Kubernetes Certified
  20. Kubernetes conformance 1. Portability and interoperability are guaranteed 2. Timely updates 3. Confirmability
  21. 1.10 upstream == 1.10 in EKS
  22. How does Amazon EKS work?
  23. Scenario 1. An existing Amazon Virtual Private Cloud (VPC) configuration: public and private subnets / Multi-AZ 2. Create the Amazon EKS cluster (control plane) / authenticate 3. Launch the Amazon EKS worker nodes 4. Expose a service to the internet using the CoreOS AWS ALB Ingress controller
  24. A VPC with public and private subnets / Multi-AZ configuration (Diagram: AWS Region; Availability Zone 1 and 2; Public subnet 1 and 2, each with a NAT gateway; Private subnet 1 and 2 with RDS Aurora Writer, RDS Aurora Reader and the Security Group RDS; Internet gateway; IAM; Internet)
  25. Regions and Availability Zones. A region consists of multiple Availability Zones (AZs). To minimise the risk of a natural disaster or a data-centre-level failure affecting the business, AZs are located far enough apart not to be affected by the same geographic event, have independent power, cooling and physical security, and are connected over a high-bandwidth, high-speed fibre backbone. (Diagram: data centres grouped into AZs, linked through transit centres)
  26. Creating the cluster with the AWS CLI:
    aws eks create-cluster --name eks-demo \
      --role-arn arn:aws:iam::account-id:role/eksServiceRole \
      --resources-vpc-config subnetIds=subnet-public-az1-id,subnet-public-az2-id,subnet-private-az1-id,subnet-private-az2-id,securityGroupIds=sg-eks-control-plane-id
  27. IAM Authentication + Kubectl 1) kubectl sends the AWS identity to the K8s API 2) the AWS identity is verified against AWS authentication (IAM) 3) the AWS identity is authorized with RBAC 4) the K8s action is allowed or denied
  28. kubeconfig using the aws-iam-authenticator exec plugin:
    apiVersion: v1
    clusters:
    - cluster:
        server: <endpoint-url>
        certificate-authority-data: <base64-encoded-ca-cert>
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: aws
      name: aws
    current-context: aws
    kind: Config
    preferences: {}
    users:
    - name: aws
      user:
        exec:
          apiVersion: client.authentication.k8s.io/v1alpha1
          command: aws-iam-authenticator
          args:
            - "token"
            - "-i"
            - "<cluster-name>"
  29. Create the Amazon EKS cluster (control plane) / authenticate (Diagram: AWS Region; Availability Zone 1 and 2; Public subnet 1 and 2 with NAT gateways; Private subnet 1 and 2 with RDS Aurora Writer, RDS Aurora Reader and the Security Group RDS; Internet gateway; IAM; EKS Cluster; kubectl; Internet)
  30. Launch the Amazon EKS worker nodes. AWS CloudFormation template parameters: • Stack name • ClusterName • ClusterControlPlaneSecurityGroup • NodeGroupName • NodeAutoScalingGroupMinSize • NodeAutoScalingGroupMaxSize • NodeInstanceType • NodeImageId • KeyName • VpcId • Subnets
  31. The aws-auth ConfigMap that maps the worker node instance role to Kubernetes identities:
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: aws-auth
      namespace: kube-system
    data:
      mapRoles: |
        - rolearn: <ARN of instance role>
          username: system:node:{{EC2PrivateDNSName}}
          groups:
            - system:bootstrappers
            - system:nodes
    Apply it with: kubectl apply -f aws-auth-cm.yaml
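The aws-auth ConfigMap is the bridge between IAM identities and Kubernetes RBAC, so a wrong entry grants cluster access without any further binding. The audit below is an added example, not code from the slides or from AWS; it assumes the mapRoles/mapUsers content has already been parsed (for instance with PyYAML) into a list of dicts, and the sample account id and role names are constructed.

```python
"""Audit parsed aws-auth mapRoles/mapUsers entries for risky IAM-to-RBAC mappings."""
import re

# Shape of an IAM role/user ARN (any 12-digit account id; sample ids below are constructed).
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(role|user)/[\w+=,.@/-]+$")

# Worker nodes must use this username template so every node gets its own identity.
NODE_USERNAME = "system:node:{{EC2PrivateDNSName}}"
NODE_GROUPS = {"system:bootstrappers", "system:nodes"}


def audit_aws_auth(mappings):
    """Return (severity, message) findings for a list of mapRoles/mapUsers dicts."""
    findings = []
    for m in mappings:
        arn = m.get("rolearn") or m.get("userarn") or ""
        username = m.get("username", "")
        groups = set(m.get("groups") or [])
        if not ARN_RE.match(arn):
            findings.append(("high", f"malformed IAM ARN: {arn!r}"))
        if "system:masters" in groups:
            # system:masters is the built-in superuser group: cluster-admin on everything.
            findings.append(("high", f"{arn} is mapped to system:masters"))
        if groups & NODE_GROUPS:
            if username != NODE_USERNAME:
                findings.append(("medium", f"node role {arn} uses username {username!r}"))
            extra = groups - NODE_GROUPS
            if extra:
                findings.append(("high", f"node role {arn} also in {sorted(extra)}"))
        if not groups:
            findings.append(("low", f"{arn} has no groups; only bindings on the username apply"))
    return findings


# Constructed sample: the node mapping from the slide plus a hypothetical CI role.
SAMPLE_MAP_ROLES = [
    {"rolearn": "arn:aws:iam::123456789012:role/eks-node-instance-role",
     "username": NODE_USERNAME,
     "groups": ["system:bootstrappers", "system:nodes"]},
    {"rolearn": "arn:aws:iam::123456789012:role/ci-deployer",
     "username": "ci-deployer",
     "groups": ["system:masters"]},
]

if __name__ == "__main__":
    for severity, message in audit_aws_auth(SAMPLE_MAP_ROLES):
        print(f"[{severity}] {message}")
```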
  32. Native VPC networking with the CNI plugin. Pods hold real VPC addresses, as if they lived directly inside the VPC. A simple and secure network. Open source, published on GitHub: https://github.com/aws/amazon-vpc-cni-k8s
  33. (Diagram: VPC Subnet 10.0.0.0/24. Instance 1: ENI with secondary IPs 10.0.0.1 and 10.0.0.2; Nginx Pod veth IP 10.0.0.1, Java Pod veth IP 10.0.0.2. Instance 2: ENI with secondary IPs 10.0.0.20 and 10.0.0.22; Nginx Pod veth IP 10.0.0.20, Java Pod veth IP 10.0.0.22. Secondary IPs are attached via ec2.associateaddress())
  34. Launch the Amazon EKS worker nodes (Diagram: AWS Region; Availability Zone 1 and 2; Workers in Public subnet 1 and 2 and Private subnet 1 and 2 with the Security Group Workers and Auto Scaling; NAT gateways; RDS Aurora Writer, RDS Aurora Reader and the Security Group RDS; Internet gateway; IAM; EKS Cluster; kubectl; Internet)
  35. Load balancer. CoreOS AWS ALB Ingress controller: supported by AWS. An Application Load Balancer (ALB) can be exposed as an Ingress resource. L7 load balancing with content-based routing by host name or path.
  36. Ingress manifest for the ALB Ingress controller:
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: exampleserver
      namespace: exampleserver
      annotations:
        kubernetes.io/ingress.class: alb
        alb.ingress.kubernetes.io/target-type: ip
        alb.ingress.kubernetes.io/scheme: internet-facing
        alb.ingress.kubernetes.io/tags: Environment=dev,Team=test
        alb.ingress.kubernetes.io/subnets: 'subnet-public-az1-id,subnet-public-az2-id'
        alb.ingress.kubernetes.io/security-groups: 'sg-internet-facing-alb-id'
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80,"HTTPS": 443}]'
        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:region:account-id:certificate/UUID
    spec:
      rules:
      - host: exampleserver.example.com
        http:
          paths:
          - path: /
            backend:
              serviceName: exampleserver
              servicePort: 80
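With the ALB Ingress controller, how a service is exposed is decided entirely by the annotations above (scheme, listen-ports JSON, certificate, security groups), so they are worth checking before applying. The checker below is an added example, not code from the slides or from the ALB Ingress controller project; it takes the manifest parsed into a dict, and the defaults it assumes when an annotation is absent (internal scheme, HTTP-only listener) are assumptions.

```python
"""Check the exposure-related annotations of an ALB Ingress manifest parsed into a dict."""
import json

PREFIX = "alb.ingress.kubernetes.io/"


def check_alb_ingress(ingress):
    """Return (severity, message) findings for one Ingress object."""
    ann = ingress.get("metadata", {}).get("annotations", {})
    if ann.get("kubernetes.io/ingress.class") != "alb":
        return [("info", "not handled by the ALB ingress controller")]
    # listen-ports is a JSON list of {PROTOCOL: port} objects; HTTP-only default is an assumption.
    try:
        listeners = json.loads(ann.get(PREFIX + "listen-ports", '[{"HTTP": 80}]'))
    except json.JSONDecodeError:
        listeners = None
    if not isinstance(listeners, list) or not all(isinstance(e, dict) for e in listeners):
        return [("high", "listen-ports annotation is not a JSON list of objects")]
    protocols = {proto for entry in listeners for proto in entry}
    findings = []
    if "HTTPS" in protocols and not ann.get(PREFIX + "certificate-arn"):
        findings.append(("high", "HTTPS listener without certificate-arn"))
    if ann.get(PREFIX + "scheme", "internal") == "internet-facing":
        if "HTTP" in protocols:
            findings.append(("medium", "internet-facing plaintext HTTP listener"))
        if not ann.get(PREFIX + "security-groups"):
            findings.append(("medium", "internet-facing ALB without explicit security-groups"))
    if not all(rule.get("host") for rule in ingress.get("spec", {}).get("rules", [])):
        findings.append(("low", "a rule has no host: the ALB answers for any Host header"))
    return findings


# Constructed sample mirroring the slide's manifest; placeholder ids kept as on the slide.
SAMPLE_INGRESS = {
    "metadata": {"name": "exampleserver", "namespace": "exampleserver", "annotations": {
        "kubernetes.io/ingress.class": "alb",
        PREFIX + "target-type": "ip",
        PREFIX + "scheme": "internet-facing",
        PREFIX + "subnets": "subnet-public-az1-id,subnet-public-az2-id",
        PREFIX + "security-groups": "sg-internet-facing-alb-id",
        PREFIX + "listen-ports": '[{"HTTP":80,"HTTPS": 443}]',
        PREFIX + "certificate-arn": "arn:aws:acm:region:account-id:certificate/UUID",
    }},
    "spec": {"rules": [{"host": "exampleserver.example.com", "http": {"paths": [
        {"path": "/", "backend": {"serviceName": "exampleserver", "servicePort": 80}}]}}]},
}

if __name__ == "__main__":
    for severity, message in check_alb_ingress(SAMPLE_INGRESS):
        print(f"[{severity}] {message}")
```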
  37. Load balancer. Network Load Balancer: supported since 1.9 (alpha), an L4 load balancer • service.beta.kubernetes.io/aws-load-balancer-type: "nlb" • In many cases it can replace the Classic Load Balancer • Currently, specifying a LoadBalancer service creates a Classic Load Balancer
  38. CoreOS AWS ALB Ingress controller (Diagram: AWS Region; Availability Zone 1 and 2; Application Load Balancer with the Security Group Load Balancer in Public subnet 1 and 2; Workers with the Security Group Workers and Auto Scaling in the public and private subnets; NAT gateways; RDS Aurora Writer, RDS Aurora Reader and the Security Group RDS; Internet gateway; ACM; IAM; EKS Cluster; kubectl; users reaching the ALB from the Internet)
  39. Fluentd → CloudWatch Logs (Diagram: a Fluentd instance on each node of the Kubernetes worker pool (EC2) shipping logs to Amazon CloudWatch Logs) https://github.com/fluent/fluentd-kubernetes-daemonset https://github.com/kubernetes/charts/tree/master/incubator/fluentd-cloudwatch
  40. Summary • Amazon EKS integrates seamlessly with AWS managed services • Amazon EKS provides a fully managed control plane • For stateful components, use managed services rather than containers on Amazon EKS