Kubernetes manifests management and operation in Mercari

@b4b4r07 (Apr 22, 2019) / Kubernetes Meetup Tokyo #18
Kubernetes manifests management & operation in Mercari

BABAROT / @b4b4r07 Mercari, Inc.  SRE, Microservices Platform Blog /
tellme.tokyo

Our current status
•Moving from a monolith to microservices
•100+ microservices
•200+ contributors
•Central GKE cluster: a Service A namespace holds the Service A pods, with RBAC for the Service A team
•Each namespace is managed by its microservice team
•The GKE cluster itself is managed by the platform team

Agenda
1. Kubernetes YAML
   1. GitHub Pull Requests
   2. GitOps
   3. Monorepo
   4. Directories
2. Repository Ecosystem
3. Recap

Kubernetes YAML

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-pod
      namespace: x-echo-jp-dev
    spec:
      containers:
      - name: nginx-container
        image: nginx
        ports:
        - containerPort: 80

How do you manage YAML and apply it to your Kubernetes clusters?

Write → Apply

Some points…
•How should we review it?
•How should we manage it?
•How should we apply it?
•How should we control it?

These questions cover both YAML Operations and YAML Management. Our practices are…
1. Pull Requests
2. GitOps w/ kubectl
3. Monorepo
4. Directories

Let’s look at each in detail

1. GitHub Pull Requests

Kubernetes Object Management
https://kubernetes.io/docs/concepts/overview/object-management-kubectl/overview/
•Imperative commands: kubectl run nginx --image nginx
•Imperative object configuration: kubectl create -f nginx.yaml
•Declarative object configuration: kubectl apply -f manifests/

Kubernetes Object Management: Declarative object configuration
https://kubernetes.io/docs/concepts/overview/object-management-kubectl/overview/
•It can be stored in a VCS such as Git.
•It can integrate with processes such as reviewing changes.
•It has better support for operating on directories and automatically detecting operation types per object.

Pull Requests
•Easy to review
•Easy to track operations and changes
•Easy to recover from unexpected problems
  • Just revert

2. GitOps

GitOps - Operations by Pull Requests

https://www.weave.works/blog/gitops-operations-by-pull-request

"Start 6 servers" < "There are 6 servers"

Let’s look at the Weaveworks case

Figure: a GitHub Repository (source of truth) and a Kubernetes Cluster (live objects). Manifests are applied from the repository; objects made directly with kubectl create show up in the diff as unknown objects. Git is the source of truth.

GitHub Repository / Kubernetes Cluster: diff & sync (Pull strategy)
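The "unknown objects" idea can be sketched in a few lines of shell. This is only an illustration, not the Weaveworks tooling: it assumes two plain text files with one object name per line, one listing what Git declares and one listing what is live (such a list might come from something like kubectl get -o name). The function name and the object names are hypothetical.

```shell
#!/usr/bin/env bash
# Print names that exist in the cluster but are not declared in Git.
# Both arguments are files with one object name per line (an assumed format).
unknown_objects() {
  git_list="$1"
  live_list="$2"
  # -v invert match, -x whole line, -F fixed strings, -f read patterns from file.
  # grep exits 1 when nothing is printed, so "|| true" keeps the status at 0.
  grep -vxF -f "$git_list" "$live_list" || true
}

# Hypothetical data: pod/debug was made by hand and is not in Git.
workdir="$(mktemp -d)"
printf '%s\n' deployment/echo configmap/echo > "$workdir/git.txt"
printf '%s\n' deployment/echo configmap/echo pod/debug > "$workdir/live.txt"
unknown_objects "$workdir/git.txt" "$workdir/live.txt"
rm -rf "$workdir"
```

With the sample data, only pod/debug is reported, which is the kind of divergence the Pull strategy is meant to surface.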

Let’s look at our case

Figure: GitHub Repository, CI, and Kubernetes Cluster. On a pull request, CI shows the diff (+ / -); on merge, CI runs apply against the cluster. Handling of objects made with kubectl create is not implemented yet (described later).

GitHub Repository / CI / Kubernetes Cluster: merge & apply (Push strategy)
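As a rough sketch of the Push flow, CI only needs to know which branch it runs on: topic branches get a plan (diff) and master gets an apply, the same split the changed_files helper later in this deck makes. The function names ci_step and ci_plan are hypothetical, and nothing here calls kubectl; it only prints what would happen.

```shell
#!/usr/bin/env bash
# Map a branch name to the CI step: topic branches only plan, master applies.
ci_step() {
  if [ "$1" = "master" ]; then
    echo "apply"
  else
    echo "plan"
  fi
}

# Print the step CI would take for each changed directory (nothing is executed).
ci_plan() {
  branch="$1"; shift
  step="$(ci_step "$branch")"
  for dir in "$@"; do
    printf '%s %s\n' "$step" "$dir"
  done
}

ci_plan master manifests/microservices/x/development
ci_plan feature/add-pdb manifests/microservices/x/development
```

The branch name feature/add-pdb is made up for the example.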

Let’s compare the two

Pull (Weaveworks case)
•Git can be the single source of truth
•A bit difficult to implement the sync pipeline

Push (Mercari case)
•Difficult to find divergence from the source
•A common way of applying changes

Pull (Weaveworks case)
We know Weaveworks recommends the "Pull" strategy
https://www.weave.works/blog/kubernetes-anti-patterns-let-s-do-gitops-not-ciops

Push (Mercari case)
Why did we choose the "Push" strategy?
•Simple
•Enough to start with
•Easy to implement
Another, bigger reason is... Spinnaker

Why use Spinnaker as well?
•Our CI pipeline, which runs "kubectl apply" based on the changes, is triggered by merging pull requests
•However, for some resources (Job etc.), we want to apply at a time of our choosing
•Spinnaker "Provider V2" can handle Kubernetes manifests declaratively
https://www.spinnaker.io/reference/providers/kubernetes-v2/

Figure: the push pipeline with a Spinnaker kick added; handling of kubectl create is not implemented yet (described later).

3. Monorepo

Two types of repository styles

•Monorepo: one repository holding Service A, Service B, and Service C
•Polyrepo: multiple repositories, one each for Service A, Service B, and Service C

https://medium.com/@adamhjk/monorepo-please-do-3657e08a4b70
https://medium.com/@mattklein123/monorepos-please-dont-e9a279be011b

Monorepo
•Advantages
  • Easy to share YAML code
  • Easy to be reviewed by the central team
  • Easy to be managed by the central team
  • Easy to set up the CI pipeline
•Disadvantages
  • Must take repository growth into account
  • Must take delegation of authority into account
  • CI/CD: no independence for each team

Polyrepo
•Advantages
  • You build the CI/CD pipeline yourself
  • No dependency on outside systems
  • Easy for teams to scale up on their own
  • Easy to change the pipeline cycle
•Disadvantages
  • Not easy to share YAML code
  • Difficult for the central team to review
  • Troublesome to build the CI/CD pipeline yourself

•We chose the "Monorepo" style.
•It was a good option for starting small.
•The concrete reasons are shown in the next section.

4. Directories

Directory layout, from top to bottom:
microservice / environment / kind / resource
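To make the four levels concrete, here is a small sketch that splits a manifest path into them. It assumes the manifests/microservices/ prefix that appears in the example paths later in the deck; the function name parse_manifest_path and the file name pdb.yaml are hypothetical.

```shell
#!/usr/bin/env bash
# Split a manifest path into the four levels of the directory layout.
# Assumes paths start with "manifests/microservices/" (prefix taken from the
# example paths in this deck).
parse_manifest_path() {
  path="${1#manifests/microservices/}"   # drop the assumed prefix
  # Split on "/" into four fields; the last field keeps any remainder.
  IFS=/ read -r microservice environment kind resource <<EOF
$path
EOF
  printf 'microservice=%s environment=%s kind=%s resource=%s\n' \
    "$microservice" "$environment" "$kind" "$resource"
}

# pdb.yaml is a made-up file name for illustration.
parse_manifest_path "manifests/microservices/mercari-echo-jp/development/PodDisruptionBudget/pdb.yaml"
```

Because the kind is a directory name, scripts can decide how to treat a manifest without opening the YAML.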

Spinnaker case

Directory layout, from top to bottom:
microservice / environment / pipeline

Pipeline

How do we apply the manifest changes?

Just run "kubectl" https://groups.google.com/forum/#!msg/kubernetes-sig-cli/M6t40JP6n0g/U6Snz-bsFQAJ

kubectl
https://groups.google.com/forum/#!msg/kubernetes-sig-cli/M6t40JP6n0g/U6Snz-bsFQAJ
•Microservice developers not only develop but also operate their services themselves
•So they are generally familiar with kubectl
•That means a lower learning cost than introducing other tools

How do we apply the YAML files changed in a pull request with kubectl?
We have some scripts that make the apply pipeline easier. They can detect changed directories.

Let’s say we add a new manifest

Helper bash scripts detect the changed directory from the PR
added: manifests/microservices/mercari-echo-jp/development/PodDisruptionBudget

    changed_files() {
      declare basedir="${1}"
      declare current_branch="$(git rev-parse --abbrev-ref @)"
      if [[ ${current_branch} == "master" ]]; then
        # (apply)
        # In the master branch, when listing files edited
        # you need to compare with previous merge commit
        git diff --name-only "HEAD^" "HEAD" "${basedir}"
      else
        # (plan)
        # In the topic branch, when listing files edited in the branch,
        # you need to compare with the commit at the time
        # the branch was created
        # https://git-scm.com/docs/git-merge-base
        git diff --name-only "$(git merge-base origin/HEAD HEAD)" "${basedir}"
      fi
    }

    changed_dirs() {
      # Note:
      # If these files are changed
      # - manifests/microservices/x/development/Ingress
      # - manifests/microservices/x/development/PersistentVolumeClaim
      # - manifests/microservices/y/production/PersistentVolumeClaim
      # - manifests/microservices/y/production/Pod
      # - manifests/microservices/y/production/PodDisruptionBudget
      # The files we have to pass to script/apply are only two dirs
      # - manifests/microservices/x/development
      # - manifests/microservices/y/production
      declare basedir="${1}"
      for file in $(changed_files "${basedir}")
      do
        get_target_dir "${file}"
      done | sort | uniq
    }
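The deck does not show get_target_dir, so the following is only a guess at its shape: a sketch that keeps the first four path components (manifests/microservices/<microservice>/<environment>) and then reproduces the example from the comment above. The helper unique_target_dirs is hypothetical and reads paths from stdin instead of calling git.

```shell
#!/usr/bin/env bash
# Hypothetical get_target_dir: keep the first four path components,
# i.e. manifests/microservices/<microservice>/<environment>.
get_target_dir() {
  printf '%s\n' "$1" | cut -d/ -f1-4
}

# Collapse changed paths (one per line on stdin) into unique target dirs.
unique_target_dirs() {
  while IFS= read -r file; do
    get_target_dir "$file"
  done | sort | uniq
}

# The five changed paths from the comment in changed_dirs.
printf '%s\n' \
  manifests/microservices/x/development/Ingress \
  manifests/microservices/x/development/PersistentVolumeClaim \
  manifests/microservices/y/production/PersistentVolumeClaim \
  manifests/microservices/y/production/Pod \
  manifests/microservices/y/production/PodDisruptionBudget \
  | unique_target_dirs
```

Reading line by line rather than word-splitting a command substitution also keeps paths containing spaces intact, should they ever appear.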

•We have to pay attention to the order in which multiple manifests are applied
  • Namespace must be created before all other resources
  • ConfigMap must be created before Deployment

How do we get the order of files to be applied?

    // InstallOrder is the order in which manifests should be installed (by Kind).
    // Those occurring earlier in the list get installed before those occurring later in the list.
    var InstallOrder SortOrder = []string{
        "Namespace",
        "ResourceQuota",
        "PodSecurityPolicy",
        "Secret",
        "ConfigMap",
        "PersistentVolume",
        "PersistentVolumeClaim",
        "CustomResourceDefinition",
        "Role",
        "RoleBinding",
        "Service",
        "DaemonSet",
        "Pod",
        "ReplicaSet",
        "Deployment",
        "StatefulSet",
        "Job",
        "CronJob",
        "Ingress",
    }

https://github.com/helm/helm/blob/v2.10.0/pkg/tiller/kind_sorter.go

kind_install_order.txt

    ResourceQuota
    Secret
    ConfigMap
    PersistentVolume
    PersistentVolumeClaim
    ServiceAccount
    Role
    RoleBinding
    Service
    DaemonSet
    Pod
    ReplicaSet
    Deployment
    StatefulSet
    Job
    CronJob
    Ingress
    HorizontalPodAutoscaler
    NetworkPolicy
    PodDisruptionBudget

    sort_kinds_by_install_order() {
      kinds=( $(cat "kind_install_order.txt") )
      args=( "${@}" )
      for kind in "${kinds[@]}"
      do
        for arg in "${args[@]}"
        do
          if [[ $(get_kind "${arg}") == ${kind} ]]; then
            echo "${arg}"
          fi
        done
      done
    }

Changed directories:

    .../development/Deployment
    .../development/ConfigMap
    .../development/PodDisruptionBudget

Order in kind_install_order.txt:

    ConfigMap
    Deployment
    PodDisruptionBudget
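The helper get_kind is not shown in the deck. A minimal sketch, assuming the kind is simply the last path component, lets the sorting idea be tried in isolation. Here the order list is passed as a file argument rather than read from a fixed kind_install_order.txt, and the x/development/... paths are placeholders.

```shell
#!/usr/bin/env bash
# Hypothetical get_kind: the kind is taken to be the last path component.
get_kind() {
  basename "$1"
}

# Same idea as sort_kinds_by_install_order, but the order file is the first
# argument. For each kind in the file, print the matching paths.
sort_by_install_order() {
  order_file="$1"; shift
  while IFS= read -r kind; do
    for arg in "$@"; do
      if [ "$(get_kind "$arg")" = "$kind" ]; then
        printf '%s\n' "$arg"
      fi
    done
  done < "$order_file"
}

# A three-line excerpt of the order list, written to a temporary file.
order_file="$(mktemp)"
printf '%s\n' ConfigMap Deployment PodDisruptionBudget > "$order_file"
sort_by_install_order "$order_file" \
  x/development/Deployment \
  x/development/ConfigMap \
  x/development/PodDisruptionBudget
rm -f "$order_file"
```

The paths come out in ConfigMap, Deployment, PodDisruptionBudget order regardless of the order they were passed in. Kinds missing from the list are silently dropped, which is worth keeping in mind when adding a new kind.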

How about using kustomize?

It would be easy to introduce into our design, but it brings new concepts such as "overlay".

•Our move to microservices is still under way
•So developers are in the middle of becoming microservice developers
•They have to learn a lot of things:
  • Kubernetes, Kubernetes YAML itself, Spinnaker, etc.
  • So now was not the time to introduce kustomize into our pipeline. Maybe in the future.

How do we apply PodDisruptionBudget?
•Some resource kinds (e.g., PodDisruptionBudget) cannot be updated in place
•This means we cannot update an existing PodDisruptionBudget or StatefulSet with kubectl apply.

    kubectl_apply() {
      # ...
      for manifest in $(sort_kinds_by_install_order "${manifests[@]}"); do
        case ${kind} in
          PodDisruptionBudget)
            # Need to be recreated if it already exists
            if kubectl get -n "${namespace}" "${kind}" "${resource}"; then
              kubectl delete -n "${namespace}" "${kind}" "${resource}"
            fi
            kubectl apply -n "${namespace}" -f "${manifest}"
            ;;
          Secret)
            ansible-vault view "${manifest}" \
              | kubectl apply -n "${namespace}" -f -
            ;;
          *)
            kubectl apply -n "${namespace}" -f "${manifest}"
            ;;
        esac
      done
    }

To deal with these special kinds, we prepared a simple wrapper script for kubectl.

The delegation of directory authority

The mercari-echo-jp team should not be able to change the mercari-xxx-jp team's code, and vice versa

GitHub CODEOWNERS feature
https://blog.github.com/2017-07-06-introducing-code-owners/
https://help.github.com/articles/about-codeowners/
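As an illustration of how directory-based delegation could map onto CODEOWNERS, the sketch below prints one CODEOWNERS line per microservice directory. The organization @example-org, the <service>-team naming, and the function name are all hypothetical; the deck does not show Mercari's actual file.

```shell
#!/usr/bin/env bash
# Print one CODEOWNERS line per microservice directory.
# "@example-org" and the "<service>-team" naming are made up for this sketch.
codeowners_lines() {
  for service in "$@"; do
    printf '/manifests/microservices/%s/ @example-org/%s-team\n' \
      "$service" "$service"
  done
}

codeowners_lines mercari-echo-jp mercari-xxx-jp
```

Each line pairs a path pattern with the team that owns it. Note that CODEOWNERS on its own only requests reviews; blocking merges without an owner's approval also needs the corresponding branch protection setting.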

Repository Ecosystem

Repository Ecosystem
•Our microservices-kubernetes repository has some useful tools that make it easier and handier to maintain, forming an ecosystem
•One of those tools is a linter for Kubernetes YAML: Stein (see the Stein documentation)

Repository Ecosystem
•For example, let's say you don't want developers to omit the metadata.namespace field in their YAML, to prevent an unexpected apply
•However, do existing tools give you a way to enforce that?

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-pod
      namespace: x-echo-jp-dev
    spec:
      containers:
      - name: nginx-container
        image: nginx
        ports:
        - containerPort: 80

The field in question is metadata.namespace (here x-echo-jp-dev).

Stein can do that.

Stein configuration

    rule "namespace_specification" {
      description = "Check namespace name is not empty"

      conditions = [
        "${jsonpath("metadata.namespace") != ""}",
      ]

      report {
        level   = "ERROR"
        message = "Namespace is not specified"
      }
    }

Stein lets you enforce rules that you define, based on your own policy, on your YAML.

•rule: the rule definition
•conditions: the conditions that decide whether this rule fails or not
•report: if the rule fails, Stein returns 1 with a message according to this block

•Stein can interpret HCL, like Terraform
•Stein supports many built-in functions, like Terraform

    $ stein apply x-echo-jp/development/Pod/test.yaml
    [ERROR] rule.namespace_specification Namespace is not specified
    =====================
    7 error(s), 2 warn(s)

•Stein checks the policy files and applies them to your config files. If any rules are violated, Stein returns exit code 1.
•Stein works well as a linter in a CI step, for example.
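To show what the namespace rule checks, independent of Stein itself, here is a rough shell approximation. It is a line-based check rather than a YAML parser, so it assumes two-space indentation under a top-level metadata: key and does not handle comments or unusual layouts. The function name has_namespace is hypothetical.

```shell
#!/usr/bin/env bash
# Exit 0 if the manifest on stdin sets a non-empty metadata.namespace,
# otherwise exit 1 (mirroring a linter that fails on violation).
# Rough line-based check; assumes two-space indentation under "metadata:".
has_namespace() {
  awk '
    /^metadata:/ { in_meta = 1; next }   # entering the top-level metadata block
    /^[^ #]/     { in_meta = 0 }         # any other top-level line ends it
    in_meta && /^  namespace:/ {
      v = $2
      gsub(/["\047]/, "", v)             # strip quotes so "" counts as empty
      if (v != "") found = 1
    }
    END { exit (found ? 0 : 1) }
  '
}

# A manifest without metadata.namespace: the check fails with status 1.
printf 'apiVersion: v1\nkind: Pod\nmetadata:\n  name: nginx-pod\n' | has_namespace
echo "exit status: $?"
```

A real policy tool evaluates the parsed document, which is why a rule engine scales better than ad hoc checks like this one as the number of rules grows.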

Policy as Code
•Stein's concepts and design come from HashiCorp Sentinel.
•"Policy as Code" (PaC) is a concept put forward by HashiCorp with Sentinel.
•PaC is a way to describe "ideal configuration files" and enforce that ideal on real configuration files.

Figure: Infrastructure as Code (IaC) expresses infrastructure as code; Policy as Code (PaC) expresses policy as code.

See also: "Policy as Code - Sentinel by HashiCorp" and "Why Policy as Code? - HashiCorp Blog"

Stein: Admission Controller (for the kubectl create case, not implemented yet)
•TODO: Stein could also work as an admission controller.
  • By doing so, we could check whether YAML that violates the rules is about to be applied.
  • It would be compatible with the "Push" strategy.

1. Write manifests
2. Send Pull Request
3. Run apply (dry-run)

•kubectl pipeline
•stein lint step
•Directory-based delegation
•apply when merged

We can provide these common resources to all microservices

•By using the Monorepo style,
  • we can provide common guard rails for teams starting to develop & operate their own microservices
    • apply pipeline
    • review by central team
    • common lint step
  • Of course, it also has disadvantages
    • It's a trade-off for scaling up

•Thank you
