Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
what happens when k8s journy
Search
nnao45
March 25, 2019
Technology
16
9k
what happens when k8s journy
nnao45
March 25, 2019
Tweet
Share
More Decks by nnao45
See All by nnao45
MPI Performance Evaluation of Raspberry Pi4 Cluster with Android OS
nnao45
2
160
datalake-party-for-aws-20201118
nnao45
0
230
はじめてのNetwork Service Mesh
nnao45
4
2.2k
EKS for EFS
nnao45
4
1.4k
まだ大きくない僕たちに必要なCLoud Nativeを求めて
nnao45
8
1.1k
Firebase, Firestore Find mBaaS
nnao45
3
1.1k
Make App, Using with Study Group
nnao45
3
590
Chatops, AWS, And Ansible
nnao45
2
990
Ansible container in the kubernetes
nnao45
5
1.5k
Other Decks in Technology
See All in Technology
KnowledgeBaseDocuments APIでベクトルインデックス管理を自動化する
iidaxs
1
270
re:Invent をおうちで楽しんでみた ~CloudWatch のオブザーバビリティ機能がスゴい!/ Enjoyed AWS re:Invent from Home and CloudWatch Observability Feature is Amazing!
yuj1osm
0
130
コンテナセキュリティのためのLandlock入門
nullpo_head
2
320
20241220_S3 tablesの使い方を検証してみた
handy
4
600
マルチプロダクト開発の現場でAWS Security Hubを1年以上運用して得た教訓
muziyoshiz
3
2.4k
なぜCodeceptJSを選んだか
goataka
0
160
ハイテク休憩
sat
PRO
2
160
サービスでLLMを採用したばっかりに振り回され続けたこの一年のあれやこれや
segavvy
2
480
PHPからGoへのマイグレーション for DMMアフィリエイト
yabakokobayashi
1
170
kargoの魅力について伝える
magisystem0408
0
210
MLOps の現場から
asei
6
650
小学3年生夏休みの自由研究「夏休みに Copilot で遊んでみた」
taichinakamura
0
160
Featured
See All Featured
Designing for Performance
lara
604
68k
Site-Speed That Sticks
csswizardry
2
190
For a Future-Friendly Web
brad_frost
175
9.4k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Thoughts on Productivity
jonyablonski
67
4.4k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.3k
It's Worth the Effort
3n
183
28k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.2k
Optimising Largest Contentful Paint
csswizardry
33
3k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
32
2.7k
Designing Experiences People Love
moore
138
23k
Testing 201, or: Great Expectations
jmmastey
40
7.1k
Transcript
W H A T H A P P E N
S W H E N K 8 S J O U R N Y $ kubectl run --image=nginx --replicas=3
C N D J P 2 @nnao45 CyberAgent Inc. Infra/ServerSide
Engineer ✔ Naoya Yokoyama Tech Advisor Startup Company ✔ Zsh,BGP,Go,Rust,MySQL,K8S,AWS,Ansible ✔ Vtuber,Game,Tennis ✔ MySQLの商用版使いたい人生だった DynamoDBのインデックス設計つらたん ぶいちゅーばー友達募集! V言語って最強の静的型付言語なの? RustのGraphDBのライブラリかきたい @nnao45,
[email protected]
✔
C N D J P 3 AGENDA $ kubectl version
-o json | jq '.clientVersion.gitVersion' $ kubectl version -o json | jq '.serverVersion.gitVersion' "v1.13.4" "v1.13.4"
C N D J P 4 AGENDA AUTH JOURNY CONTROLLER
LOOP POD DEPLOY
C N D J P 5 AUTH JOURNY What happens
when I type kubectl run? $ kubectl run --image=nginx --replicas=3
C N D J P 6 AUTH JOURNY https://github.com/jamiehannaford/what-happens-when-k8s
C N D J P 7 AUTH JOURNY NEXT…
C N D J P 8 AUTH JOURNY kubectl run
--image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる
C N D J P 9 AUTH JOURNY BEFORE FIRE…
C N D J P 1 0 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる BEFORE FIRE… 詠唱中
C N D J P 1 1 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる 1. RESOURCE VALIDATE $ kubectl api-resources SEE 3. GENERATE REQUEST 2. LOAD API SCHEMA ~/.kube/cache/discovery/ LOOK BEFORE FIRE… https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13
C N D J P 1 2 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる BEFORE FIRE… 4. LOOK KUBECONFIG CHECK PRIORITY 1.USE $ kubectl --kubeconfig 2.USE $ ${KUBECONFIG} kubectl 3.LOOK ~/.kube or something
C N D J P 1 3 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる FIRE!!!!!!!!!!!!
C N D J P 1 4 AUTH JOURNY
C N D J P 1 5 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔
C N D J P 1 6 AUTH JOURNY Authentication
kube-apiserver Use… bearer basic X509 or or
C N D J P 1 7 AUTH JOURNY X509
bearer basic Validate Client TLS Key from CA ROOT Certificate Validate Authorization Header $ curl -H ‘Authorization:Bearer xxxxx…’ --cacert … Validate Basic Auth $ curl -u ‘admin-user:admin-passwd’ $ curl —key client.key —cert client.crt —cacert ca.crt Authentication Method
C N D J P 1 8 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ༻ ͢ΔΞΧϯτ ͕ݖݶ͕͋Δ͔ɻ
C N D J P 1 9 AUTH JOURNY Authorization(for
example: RBAC) kube-apiserver etcd Use…
C N D J P 2 0 AUTH JOURNY https://qiita.com/sheepland/items/67a5bb9b19d8686f389d
Authorization(for example: RBAC)
C N D J P 2 1 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ༻ ͢ΔΞΧϯτ ͕ݖݶ͕͋Δ͔ɻ ड͚औͬͨཁٻ ͕ΫϥελʔϦ ιʔεʹ՝ͤΒ Ε੍ͨݶ͔Ͳ ͏͔ɻ
C N D J P 2 2 AUTH JOURNY Admission
Controll kube-apiserver Use…
C N D J P 2 3 AUTH JOURNY Describe
Admission Controll https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/
C N D J P 2 4 AUTH JOURNY Admission
Controll Plugin Example AlwaysDeny…Deny All request SecurityContextDeny…Deny Security Context AlwaysAdmit…Accept All Request
C N D J P 2 5 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ༻ ͢ΔΞΧϯτ ͕ݖݶ͕͋Δ͔ɻ ड͚औͬͨཁٻ ͕ΫϥελʔϦ ιʔεʹ՝ͤΒ Ε੍ͨݶ͔Ͳ ͏͔ɻ
C N D J P 2 6 AUTH JOURNY SOON
CREATE OBJECT PERSISTED SAVE
C N D J P 2 7 AUTH JOURNY /apps/v1beta2/devployment
kube-apiserver *「リソース 登録ヲ確認 シマシタ。 」 Request HTTP HANDLER /apps/v1beta2/devployment /apps/v1/namespace /apps/v1/configmap /apps/v1/service
C N D J P 2 8 AUTH JOURNY kube-apiserver
Request HTTP HANDLER RIQUEST VALIDATION /apps/v1beta2/devployment FORM
C N D J P 2 9 AUTH JOURNY RIQUEST
VALIDATION JSON DESELIZE VALIDATION REQUEST FORM
C N D J P 3 0 AUTH JOURNY kube-apiserver
Request HTTP HANDLER RIQUEST VALIDATION /apps/v1beta2/devployment
C N D J P 3 1 AUTH JOURNY SOON
C N D J P 3 2 AUTH JOURNY AUTH
JOURNY ETCD 1. USABLE HTTP WITH JSON 2. SECURE TLS ENCRYPT 3. RAPID KVS (FOCUS READ) ETCD IS… 4. DISTRIBUTED 5. BACKEND BBOLT
C N D J P 3 3 AUTH JOURNY AUTH
JOURNY BBOLT 1. ETCD BACKEND 2. FULLSERIAL TRANSACTION 3. ACID SEMANTICS BBOLT IS… 4. LOCK FREE 5. SINGLE WRITE MULTI READ https://godoc.org/go.etcd.io/bbolt
C N D J P 3 4 AUTH JOURNY --image=nginx
--replicas=3 PUT Key Value → BBOLT
C N D J P 3 5 AUTH JOURNY --image=nginx
--replicas=3 PUT Key Value → BBOLT SOON CONTROLLER LOOP
C N D J P 3 6 CONTROLLER LOOP NEXT…
C N D J P 3 7 CONTROLLER LOOP --image=nginx
--replicas=3 GET Key Value → BBOLT BEFORE GET RESOURCE… 詠唱中 kube-apiserver
C N D J P 3 8 CONTROLLER LOOP --image=nginx
--replicas=3 GET Key Value → BBOLT BEFORE GET RESOURCE… 詠唱中 kube-apiserver INIT OPERATE
C N D J P 3 9 CONTROLLER LOOP INITIALIZERS
SETUP EXPEIMENSIBLE RESOURCE INIT OPERATE IS… INSERT PROXY SIDECAR SEE TOO LONG PASWORD IN SECRET https://ahmet.im/blog/initializers/
C N D J P 4 0 CONTROLLER LOOP GET
BBOLT kube-apiserver INIT OPERATE polling DEPLOYMENT CONTROLLER deployment
C N D J P 4 1 CONTROLLER LOOP PUT
BBOLT kube-apiserver INIT OPERATE polling DEPLOYMENT CONTROLLER deployment replicaset
C N D J P 4 2 CONTROLLER LOOP DEPLOYMENT
CONTROLLER REPLICASET ENDPOINT CONTROLLER Service Account & Token CONTROLLER MANAGE kube-controller-manager
C N D J P 4 3 CONTROLLER LOOP GET
BBOLT kube-apiserver INIT OPERATE polling REPLICASET replicaset
C N D J P 4 4 CONTROLLER LOOP kube-apiserver
INIT OPERATE polling REPLICASET PUT BBOLT Pod replicaset
C N D J P 4 5 CONTROLLER LOOP kube-apiserver
BBOLT Pod フリーズ status: Pending
C N D J P 4 6 CONTROLLER LOOP kube-apiserver
BBOLT Pod フリーズ status: Pending 詠唱中 kube-scheduler
C N D J P 4 7 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending kube-scheduler 詠唱中 GET
C N D J P 4 8 CONTROLLER LOOP kube-scheduler
1. FILL PODSPCE NODENAME FOR EMPTY VALUE POD 2. CHECK NODE RESOURCE 3. BIND POD TO NODE KUBE-SCHEDULER OPERATE…
C N D J P 4 9 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending kube-scheduler 詠唱中 PUT POST NodeName: <BINDING NODE> PodScheduled: True
C N D J P 5 0 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending フリーズ NodeName: <BINDING NODE> PodScheduled: True
C N D J P 5 1 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending フリーズ NodeName: <BINDING NODE> PodScheduled: True kubelet 詠唱中
C N D J P 5 2 POD DEPLOY NEXT…
C N D J P 5 3 POD DEPLOY kube-apiserver
BBOLT Pod status: Pending NodeName: <BINDING NODE> PodScheduled: True kubelet GET 詠唱中
C N D J P 5 4 POD DEPLOY kubelet
kubelet kubelet Node A Node B Node C Node AのPodの状態は? Node BのPodの状態は? Node CのPodの状態は? kube-apiserver
C N D J P 5 5 POD DEPLOY kubelet
1.SYNC POD STATUS IN ETCD AND LOCAL CACHE 2. CREATE CGROUP 3. BIND POD AND VOLUME KUBELET OPERATE… 4. BIND POD AND SECRET
C N D J P 5 6 POD DEPLOY kubelet
CONTAINER POD METADATA VOLUMES x N
C N D J P 5 7 POD DEPLOY kubelet
5.CREATE PAUSE CONTAINER KUBELET OPERATE… (CASE DOCKER)
C N D J P 5 8 POD DEPLOY kubelet
POD METADATA VOLUMES BASE PAUSE IMAGE CONTAINER x N
C N D J P 5 9 POD DEPLOY kubelet
6. ATTACHE NETWORK IF KUBELET OPERATE… (CASE DOCKER)
C N D J P 6 0 POD DEPLOY kubelet
POD METADATA VOLUMES BASE PAUSE IMAGE NETWORK IF CONTAINER x N
C N D J P 6 1 POD DEPLOY kubelet
7. PULL CONTAINER IMAGE KUBELET OPERATE… (CASE DOCKER) 8. RUN CONTAINER IMAGE
C N D J P 6 2 POD DEPLOY kubelet
POD METADATA VOLUMES BASE PAUSE IMAGE NETWORK IF RUNNING IMAGE CONTAINER x N
C N D J P 6 3 POD DEPLOY kube-apiserver
BBOLT Pod status: Running NodeName: <BINDING NODE> kubelet PUT
C N D J P 6 4 POD DEPLOY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる
C N D J P 6 5 POD DEPLOY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる
C N D J P 6 6 POD DEPLOY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる $ kubectl get pod --all-namespaces NAME READY STATUS RESTARTS AGE nginx-65cf545976-22nsz 1/1 Running 0 2d nginx-65cf545976-2lljh 1/1 Running 0 2d nginx-65cf545976-2lljh 1/1 Running 0 2d … … ❤
C N D J P 6 7 FIN THANKS いらすとやの『中二病の女の子』のイラストが
https://togetter.com/li/1221674 好きすぎてファンアートを描いてしまった。By @Aiuti01 https://twitter.com/Aiuti01