On Kubernetes operations that leverage AWS managed services, and a single-tenant cluster strategy with Amazon EKS

foostan

June 13, 2019

Transcript

  1. What I'll talk about today
     Service scale grew, the number of services grew, and the number of developers grew.
     - Holding strong permissions, SRE tends to become the team that does everything
     - Inquiries pile up on SRE
     - Days spent chasing whatever task is in front of you
     - SRE headcount does not grow easily
     SRE becomes the bottleneck. Hand service operations over to the developer teams: can the cost of operating services be spread out?
  2. What I'll talk about today: what gets handed over
     - Infrastructure construction
     - Kubernetes cluster construction
     - Application deployment
     - Service monitoring
     - Alert handling
     In short, everything needed to operate a service. SRE builds the platform that lets a development team handle almost all of its own service operations by itself.
  3. About freee: freee's development teams
     - [number missing] or more people, roughly [number missing] per team
     - A team usually owns several services at once
     - Depending on the size of a service, several teams may develop it together
     (Diagram: Dev A through Dev H, each mapped to Services A through H, with SRE alongside.)
  4. About freee: freee's SRE team
     - [number missing] people
     - A cross-cutting team that supports the infrastructure of every product and service
     - Mission: keep providing stable infrastructure so that the value of each service reaches its users
  5.-11. Roles of SRE and the development team: suppose a new product is being released (these slides build the picture up one item at a time)
     Deploy job for Product A. SRE: infrastructure resources as code
     - Network setup
     - Add an LB
     - Add an AutoScalingGroup
     - Set up the deploy environment
     - Add a DB
     - Register in Route53
     - Ensure security
     - Add an IAM role
     Resources in the diagram: SG, ALB, SG, Kubernetes, AutoScalingGroup, SG, RDS.
     Developers:
     - Application development
     - Application deployment
  12.-14. Roles of SRE and the development team: in the operations phase, inquiries tend to gather at SRE
     Developers to SRE: "The service went down", "The deploy failed", "Traffic went up and we can't keep up", "DB IOPS are high, it can't take it".
  15.-17. Roles of SRE and the development team: "we added a service"
     Products B, C, D and E appear, each with its own SG / ALB / SG / RDS set, and the same inquiries keep coming.
  18. Deploy job: containerize every application (Products A through E)
  19. Containerize every application and push the images to ECR; once absorbed into containers, the way of thinking becomes simpler
  20. Run the containers on Kubernetes: the application's configuration becomes code
  21. Run the containers on Kubernetes: one namespace per product with its pods inside, described by Manifests; the application's configuration becomes code
  22. Declaratively provision AWS resources (the SRE checklist again: network setup, add an LB, add an AutoScalingGroup, set up the deploy environment, add a DB, register in Route53, ensure security, add an IAM role)
  23. Manifests and TF Files: AWS resources become code
  24. Multi-tenant or single-tenant?
     Section: isolate permissions with single tenancy and hand cluster operations over.
     Multi-tenant: one K8s cluster in which every product runs (Products A, B and C with Services A-1..A-3, B-1..B-3, C-1..C-3).
     Single-tenant: one K8s cluster per product, split along the permission boundaries you want to isolate.
  25. Advantages of single tenancy
     - Smaller blast radius (the scope of a failure)
     - Clear security boundaries
     - Cluster-wide update work is easier
     Disadvantages of single tenancy
     - Higher usage fees
     - Higher operational cost (this cost can be spread out by delegating permissions)
  26. Risks of multi-tenancy
     A K8s bug or an operational mistake risks taking every service down.
     - Large blast radius
     - Operations are harder
     - An atmosphere in which it is hard to try new things
  27. Reducing risk with single tenancy
     A K8s bug or an operational mistake takes down only part of the services.
     - Small blast radius
     - Operations become easier
     - An atmosphere in which it is easy to try new things
     - High psychological safety
  28. With multi-tenancy, clear boundaries are hard
     Product A and Product B services share the same Kubernetes nodes.
     - Separation by Security Group is not possible
     - Control of access to AWS resources via IAM and kiam is possible
     - Access control between Namespaces via RBAC is possible
     - But the products share VMs
     -> Splitting NodeGroups per product would handle it, but that needs its own machinery
  29. With single tenancy, clear boundaries are easy
     Each tenant is exactly the permission unit you want to isolate.
     - Security Groups can be used
     - RBAC is used as well
     - Split at the VM level
     -> Same as the well-worn setup we have operated so far, so it is easy to handle
  30. Multi-tenancy makes cluster-wide update work hard
     Developers A, B and C each operate their product inside one shared cluster; the shared part (cluster upgrades and so on) falls to SRE.
     - Every service must be stopped
     - The upgrade may fail
     - Rolling back after a failure is expensive
  31. Single tenancy makes cluster-wide update work easy
     Cluster upgrades and so on happen per product cluster.
     - Service downtime is minimal
     - The impact of a failed upgrade is minimal
     - The rollback cost after a failure is also minimal
  32. Advantages of single tenancy (recap): small blast radius, clear security boundaries, easier cluster-wide updates. If cluster operations are to be handed over, single tenancy fits.
  33. It is not easy for a development team to operate a cluster, so set up teams that look after every cluster and service cross-cuttingly
     - SRE: help with updates of all kinds, incident response, cluster creation, tool evaluation and creation, commits to OSS
     - Service platform team: maintain the libraries used in common
     - Microservices committee (SRE, the service platform team, and the owner of each service): decide shared policies and specifications, share information, roll practices out across teams
  34. How much should be left to Kubernetes? Application, Database, Load Balancer, Security, Auth?
     Section: combine EKS with managed services to keep the cost of operating the cluster down.
  35. Use Kubernetes only to run applications: per product, an SG around the Kubernetes nodes with the applications, while the ALB and RDS live outside the cluster.
  36. Play to the strengths of managed services and Kubernetes
     Kubernetes: declarative deploys, automatic placement, self-healing, autoscaling
     Databases: MySQL / Redis / ElasticSearch
     Load Balancer: Application / Classic Load Balancer
     Security: GuardDuty / IAM / WAF
  37. Keep the parts easy to swap, so that when something better comes along it is easy to adopt: AWS App Mesh, Istio, EKS on Fargate, ECS on Fargate, Knative, next-generation LB, next-generation DB
  38. A real migration from multi-tenant to single-tenant EKS: the EKS migration project
     - Started in late [month missing]
     - Migrate every product by [date missing]
     - Switch to single tenancy
     - Development teams take the lead in preparing the AWS resources they need
     - Development teams also take the lead in building their Kubernetes clusters
     The biggest mission: delegate authority from SRE to the development teams and hand service operations over to them.
  39. Scale of the project
     - Products originally running on kube-aws: [number missing]
     - Products migrated to EKS: [number missing] ([number missing] were added during the migration)
     - Total clusters: [number missing] (including staging environments)
     - People involved: about [number missing]
  40. Tools that did the work in the EKS migration project
     - Terraform
     - kubectl
     - eksctl
     - helm / helmfile
     - eksclst (in-house)
  41. Terraform: every AWS resource needed is defined in Terraform and applied after SRE review
     Developers A open a PR, SRE reviews and approves, then apply.

        resource "aws_lb" "product-a-internal" {
          name                       = "product-a-internal"
          internal                   = true
          load_balancer_type         = "application"
          security_groups            = ["${var.lb_security_groups}"]
          subnets                    = "${var.subnets}"
          ip_address_type            = "ipv4"
          enable_deletion_protection = true
        }

        resource "aws_route53_record" "product-a-internal" {
          zone_id = "${var.route53_hosted_zone_id}"
          name    = "${var.route53_dns_name}"
          type    = "A"

          alias {
            name                   = "${aws_lb.product-a-internal.dns_name}"
            zone_id                = "${aws_lb.product-a-internal.zone_id}"
            evaluate_target_health = true
          }
        }

  42. kubectl: RBAC with aws-auth. Use aws-auth to tie IAM Roles to cluster permissions and narrow what each role may do
     Developers A (Admin) assume an IAM Role and operate via kubectl; Developers A (ReadOnly) get read-only access.

        apiVersion: v1
        kind: ConfigMap
        metadata:
          name: aws-auth
          namespace: kube-system
        data:
          mapRoles: |
            - rolearn: {{ .Values.rolearn }}
              username: system:node:{{`{{EC2PrivateDNSName}}`}}
              groups:
                - system:bootstrappers
                - system:nodes
            - rolearn: arn:aws:iam::<ID>:role/team-a-admin
              username: team-a-admin:{{`{{SessionName}}`}}
              groups:
                - system:masters
            - rolearn: arn:aws:iam::<ID>:role/team-a-readonly
              username: team-a-readonly:{{`{{SessionName}}`}}
              groups:
                - system:authenticated
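An added check for the aws-auth pattern above (example code, not from the deck or freee's tooling): it parses a mapRoles block and flags mappings that grant more than intended, in particular any role placed in system:masters that is not on an explicit allowlist, since system:masters bypasses RBAC entirely. The sample mapRoles, the eks-node role name and the <ID> account placeholder are constructed.

```python
import re

# Added example, not code from the deck. The mapRoles block below is a
# constructed sample based on the slide's ConfigMap with the Helm template
# placeholders rendered; the eks-node role name and <ID> are placeholders.
MAP_ROLES = """\
- rolearn: arn:aws:iam::<ID>:role/eks-node
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
- rolearn: arn:aws:iam::<ID>:role/team-a-admin
  username: team-a-admin:{{SessionName}}
  groups:
    - system:masters
- rolearn: arn:aws:iam::<ID>:role/team-a-readonly
  username: team-a-readonly:{{SessionName}}
  groups:
    - system:authenticated
"""

ROLE_ARN = re.compile(r"arn:aws:iam::(\d{12}|<ID>):role/[\w+=,.@/-]+")


def parse_map_roles(text):
    """Parse the list-of-mappings shape aws-auth uses (no PyYAML needed)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- rolearn:"):
            entries.append({"rolearn": line.split(":", 1)[1].strip(), "groups": []})
        elif line.startswith("username:"):
            entries[-1]["username"] = line.split(":", 1)[1].strip()
        elif line.startswith("- ") and entries:  # an item of the groups list
            entries[-1]["groups"].append(line[2:].strip())
    return entries


def audit(entries, allowed_masters=()):
    """Return one finding per mapping that grants more than it should."""
    findings = []
    for e in entries:
        arn, groups, user = e["rolearn"], e["groups"], e.get("username", "")
        if not ROLE_ARN.fullmatch(arn):
            findings.append(f"{arn}: not an IAM role ARN")
        if "system:masters" in groups and arn not in allowed_masters:
            findings.append(f"{arn}: cluster-admin via system:masters but not allowlisted")
        if "system:nodes" in groups and not user.startswith("system:node:"):
            findings.append(f"{arn}: in system:nodes but username is not system:node:<name>")
        if groups == ["system:authenticated"]:
            findings.append(f"{arn}: only system:authenticated; read access needs a RoleBinding")
    return findings
```

A role mapped only to system:authenticated, like team-a-readonly, gets no read access by itself; the ReadOnly path in the slide needs a RoleBinding or ClusterRoleBinding for that username or a group of your own.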
  43. eksctl: define the cluster in cluster.yaml and create it with eksctl create cluster
     Developers B open a PR with the commands, SRE reviews and approves, then eksctl create cluster runs.

        apiVersion: eksctl.io/v1alpha5
        kind: ClusterConfig
        metadata:
          name: cluster-name
          region: ap-northeast-1
          version: "1.13"
        vpc:
          id: "*****"
          cidr: "10.0.0.0/16"
          subnets:
            private:
              ap-northeast-1a:
                id: "*****"
              ap-northeast-1c:
                id: "*****"
        nodeGroups:
          - name: nodegroup1
            instanceType: r5.large
            desiredCapacity: 2
            availabilityZones:
              - ap-northeast-1a
              - ap-northeast-1c
            privateNetworking: true
            securityGroups:
              attachIDs:
                - ******
            iam:
              withAddonPolicies:
                imageBuilder: true
                autoScaler: true
              attachPolicyARNs:
                - arn:aws:iam::aws:policy/*****

  44. Application deployment with Helm / Helmfile: deploy Kubernetes manifests safely with GitOps
     Team B opens a PR with the commands, SRE reviews and approves, then helmfile sync runs.

        environments:
          production:
            values:
              - production.yaml
        releases:
          - name: kube-state-metrics
            namespace: kube-system
            chart: stable/kube-state-metrics
            version: 0.13.0
          - name: metricbeat
            namespace: kube-system
            chart: stable/metricbeat
            version: 1.2.1
            values:
              - values.yaml.gotmpl

     - Helm (Helm Chart): the Kubernetes package manager; packages manifests; templates for common tools
     - Helmfile: declares the Helm Chart dependencies in a file; helmfile sync, helmfile diff, helmfile delete
  45. Cluster templating with eksclst: templates for the usual cluster layout make creating and cloning clusters easy
     New Developers run eksclst init, which generates cluster.yaml, helmfile.yaml, aws-auth.yaml and the rest from Templates; eksctl create cluster and helmfile sync then bring up the new product's cluster with cluster-autoscaler, Metricbeat and Filebeat.
     - An in-house tool for mass-producing clusters
     - cluster.yaml, aws-auth.yaml, metricbeat / filebeat and so on are templated to cut the cost of writing them from scratch
  46. Migration work
     Product A on kube-aws (actually multi-tenant) and Product A on EKS run side by side, with Weighted Routing at 80% / 20%.
     - Prepare a cluster with the same configuration
     - Share the AWS resources that can be shared (the DB must be shared)
     - Use Route53 Weighted Routing to shift requests over gradually
     - For some services, share the LB instead of using Route53 and swap the Kubernetes nodes behind it
     - Cut over with no maintenance window
  47. Why the project succeeded
     - The development teams involved were highly motivated about Kubernetes
     - We proceeded by editing the documentation together and exchanging information closely
     - Even where the documentation was imperfect, members read the intent and understood it
     - Motivation never dropped, right through to the end
  48. Summary: spread the cost of operating services with infrastructure as code and single-tenant Kubernetes
     - Infrastructure as code is a must
     - To hand cluster operations over, single tenancy is recommended
     - To keep the cost of operating the cluster itself down, make good use of managed services
     - It matters that the development teams are highly motivated about Kubernetes
     Whether this approach fits depends on team structure and headcount, so keep asking what is better and operate accordingly.