學習 Kubernetes 不是為了成為 YAML Engineer

Transcript

1. @k2r2bai 學習 Kubernetes 不是為了成為 YAML Engineer COSCUP 2020 抱歉 其實我也只是個

   YAML Engineer

2. @k2r2bai About Me ⽩凱仁(Kyle Bai) • Site Reliability Engineer at

   AMIS/MaiCoin • Co-organizer of Cloud Native Taiwan User Group. • Interested in emerging technologies. • Contributor to multiple OSS. • Top 3 Kubernetes contributor in Taiwan kairen k2r2bai.com https://k8s.devstats.cncf.io

3. @k2r2bai Kubernetes • Container orchestration • Self-healing • Horizontal scaling

   • Service discovery and Load balancing • Automated rollouts and rollbacks • Secrets and conTguration management • Storage orchestration

4. 重視細節

5. @k2r2bai 舉個栗⼦

6. @k2r2bai $ cat <<EOF > pod.yaml apiVersion: v1 kind: Pod

   metadata: name: test-pod spec: containers: - image: k8s.gcr.io/test-webserver name: test-container volumeMounts: - mountPath: /test-pd name: test-volume ports: - containerPort: 80 volumes: - name: test-volume hostPath: path: /data type: Directory EOF

7. @k2r2bai $ cat <<EOF > pod.yaml apiVersion: v1 kind: Pod

   metadata: name: test-pod spec: containers: - image: k8s.gcr.io/test-webserver name: test-container volumeMounts: - mountPath: /test-pd name: test-volume ports: - containerPort: 80 volumes: - name: test-volume hostPath: path: /data type: Directory EOF $ kubectl apply -f pod.yaml

8. @k2r2bai $ cat <<EOF > pod.yaml apiVersion: v1 kind: Pod

   metadata: name: test-pod spec: containers: - image: k8s.gcr.io/test-webserver name: test-container volumeMounts: - mountPath: /test-pd name: test-volume ports: - containerPort: 80 volumes: - name: test-volume hostPath: path: /data type: Directory EOF $ kubectl apply -f pod.yaml $ kubectl expose pod test-pod --port 80 --type LoadBalancer

9. @k2r2bai $ cat <<EOF > pod.yaml apiVersion: v1 kind: Pod

   metadata: name: test-pod spec: containers: - image: k8s.gcr.io/test-webserver name: test-container volumeMounts: - mountPath: /test-pd name: test-volume ports: - containerPort: 80 volumes: - name: test-volume hostPath: path: /data type: Directory EOF $ kubectl apply -f pod.yaml $ kubectl expose pod test-pod --port 80 --type LoadBalancer $ curl <IP>:<port>

10. @k2r2bai $ cat <<EOF > pod.yaml apiVersion: v1 kind: Pod

    metadata: name: test-pod spec: containers: - image: k8s.gcr.io/test-webserver name: test-container volumeMounts: - mountPath: /test-pd name: test-volume ports: - containerPort: 80 volumes: - name: test-volume hostPath: path: /data type: Directory EOF $ kubectl apply -f pod.yaml $ kubectl expose pod test-pod --port 80 --type LoadBalancer $ curl <IP>:<port> curl: (7) Failed to connect to <IP> port <port>: Network is unreachable P.S. 雖然有徵求本⼈同意張貼，但還是需要保護當事⼈

11. @k2r2bai $ cat <<EOF > pod.yaml apiVersion: v1 kind: Pod

    metadata: name: test-pod spec: containers: - image: k8s.gcr.io/test-webserver name: test-container volumeMounts: - mountPath: /test-pd name: test-volume ports: - containerPort: 80 volumes: - name: test-volume hostPath: path: /data type: Directory EOF $ kubectl apply -f pod.yaml $ kubectl expose pod test-pod --port 80 --type LoadBalancer $ curl <IP>:<port> curl: (7) Failed to connect to <IP> port <port>: Network is unreachable $ kubectl logs -f test-pod

12. @k2r2bai $ cat <<EOF > pod.yaml apiVersion: v1 kind: Pod

    metadata: name: test-pod spec: containers: - image: k8s.gcr.io/test-webserver name: test-container volumeMounts: - mountPath: /test-pd name: test-volume ports: - containerPort: 80 volumes: - name: test-volume hostPath: path: /data type: Directory EOF $ kubectl apply -f pod.yaml $ kubectl expose pod test-pod --port 80 --type LoadBalancer $ curl <IP>:<port> curl: (7) Failed to connect to <IP> port <port>: Network is unreachable $ kubectl logs -f test-pod $ kubectl exec -ti test-pod sh

13. @k2r2bai $ cat <<EOF > pod.yaml apiVersion: v1 kind: Pod

    metadata: name: test-pod spec: containers: - image: k8s.gcr.io/test-webserver name: test-container volumeMounts: - mountPath: /test-pd name: test-volume ports: - containerPort: 80 volumes: - name: test-volume hostPath: path: /data type: Directory EOF $ kubectl apply -f pod.yaml $ kubectl expose pod test-pod --port 80 --type LoadBalancer $ curl <IP>:<port> curl: (7) Failed to connect to <IP> port <port>: Network is unreachable $ kubectl logs -f test-pod $ kubectl exec -ti test-pod sh $ kubectl port-forward service/test-pod 80:8080

14. @k2r2bai $ cat <<EOF > pod.yaml apiVersion: v1 kind: Pod

    metadata: name: test-pod spec: containers: - image: k8s.gcr.io/test-webserver name: test-container volumeMounts: - mountPath: /test-pd name: test-volume ports: - containerPort: 80 volumes: - name: test-volume hostPath: path: /data type: Directory EOF $ kubectl apply -f pod.yaml $ kubectl expose pod test-pod --port 80 --type LoadBalancer $ curl <IP>:<port> curl: (7) Failed to connect to <IP> port <port>: Network is unreachable $ kubectl logs -f test-pod $ kubectl exec -ti test-pod sh $ kubectl port-forward service/test-pod 80:8080 #找不出問題 #像極了愛情

15. @k2r2bai

16. @k2r2bai 如果錢夠多的話

17. @k2r2bai P.S. 雖然有徵求本⼈同意張貼，但還是需要保護當事⼈ 你可以花錢找專業的

18. @k2r2bai P.S. 雖然有徵求本⼈同意張貼，但還是需要保護當事⼈ 但也可能花錢了 找錯廠商被⽩嫖

19. @k2r2bai 再舉個栗⼦

20. @k2r2bai $ kubectl create deploy nginx --image=nginx --replicas=3 $ kubectl

    scale deploy nginx --replicas=5

21. @k2r2bai ⼤家知道這兩個操作 發⽣什麼事嗎?

22. @k2r2bai

23. @k2r2bai hMps://bit.ly/33c6zaV

24. @k2r2bai

25. @k2r2bai

26. @k2r2bai

27. @k2r2bai

28. @k2r2bai

29. @k2r2bai

30. @k2r2bai 以 Docker 為例

31. @k2r2bai

32. @k2r2bai 那 CNI 呢?

33. @k2r2bai

34. @k2r2bai

35. @k2r2bai

36. @k2r2bai 再再舉個栗⼦

37. @k2r2bai $ kubectl expose deploy nginx --port 80 Cluster IP:

    10.3.241.152

38. @k2r2bai

39. @k2r2bai 當⼀個 Container 存取 Cluster IP 呢?

40. @k2r2bai hMps://bit.ly/3hYXDd1

41. @k2r2bai hMps://bit.ly/3hYXDd1

42. @k2r2bai hMps://bit.ly/3hYXDd1

43. @k2r2bai hMps://bit.ly/3hYXDd1

44. @k2r2bai hMps://bit.ly/3hYXDd1

45. @k2r2bai 再再再舉個栗⼦

46. @k2r2bai $ kubectl delete deploy nginx

47. @k2r2bai hMps://bit.ly/2PeamMQ

48. @k2r2bai

49. @k2r2bai

50. @k2r2bai 再再再再舉個栗⼦

51. @k2r2bai $ kubeadm init --pod-network-cidr=10.244.0.0/16

52. @k2r2bai

53. @k2r2bai

54. @k2r2bai

55. @k2r2bai $ kubeadm join <master>:<port> \ --token U+5149U+5FA9U+9999U+6E2F

56. @k2r2bai

57. @k2r2bai

58. @k2r2bai

59. @k2r2bai 還有更多的栗⼦

60. @k2r2bai A suspicious Kubeflow image was seen deployed to thousands

    of clusters in April, all from a single public repository. Closer inspection showed that the image runs a common open-source cryptojacking malware that mines the Monero virtual currency, known as XMRIG. Misconfigured Kubeflow workloads are a security risk hMps://bit.ly/2NI7Q0A

61. @k2r2bai CVE-2019-14271 marks a security issue in the implementation of

    the Docker cp command that can lead to full container escape when exploited by an attacker. CVE-2019-14271 hMps://bit.ly/2VwF6Mr hMps://www.anquanke.com/post/id/193218

62. @k2r2bai Allows attackers to overwrite the host runc binary (and

    consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: • A new container with an attacker-controlled image. • An existing container, to which the attacker previously had write access, that can be attached with docker exec. CVE-2019-5736 hMps://www.cvedetails.com/cve/CVE-2019-5736/

63. 核⼼姿勢知識

64. @k2r2bai • https://github.com/shubheksha/kubernetes-internals • https://github.com/daniel-hutao/k8s-source-code-analysis • https://github.com/kelseyhightower/kubernetes-the-hard-way • https://github.com/kubernetes/kubeadm/tree/master/docs/design •

    https://github.com/kubernetes/enhancements • https://github.com/containernetworking/cni/blob/master/SPEC.md • https://github.com/hwchiu/ithome-2020ironman Kubernetes

65. @k2r2bai Distributed Systems hMps://bit.ly/30lgN7j

66. @k2r2bai 那些年你可能讀過的書

67. @k2r2bai 那些年你可能讀過的書

68. Summary

69. @k2r2bai 不要這麼累 當個 YAML Engineer 也很好

70. @k2r2bai

71. @k2r2bai

72. @k2r2bai 真的很好吃

73. @k2r2bai