what happens when k8s journy

Transcript

1. W H A T H A P P E N

   S W H E N K 8 S J O U R N Y $ kubectl run --image=nginx --replicas=3

2. C N D J P 2 @nnao45 CyberAgent Inc. Infra/ServerSide

   Engineer ✔ Naoya Yokoyama Tech Advisor Startup Company ✔ Zsh,BGP,Go,Rust,MySQL,K8S,AWS,Ansible ✔ Vtuber,Game,Tennis ✔ MySQLの商用版使いたい人生だった DynamoDBのインデックス設計つらたん ぶいちゅーばー友達募集！ V言語って最強の静的型付言語なの？ RustのGraphDBのライブラリかきたい @nnao45,[email protected] ✔

3. C N D J P 3 AGENDA $ kubectl version

   -o json | jq '.clientVersion.gitVersion' $ kubectl version -o json | jq '.serverVersion.gitVersion' "v1.13.4" "v1.13.4"

4. C N D J P 4 AGENDA AUTH JOURNY CONTROLLER

   LOOP POD DEPLOY

5. C N D J P 5 AUTH JOURNY What happens

   when I type kubectl run? $ kubectl run --image=nginx --replicas=3

6. C N D J P 6 AUTH JOURNY https://github.com/jamiehannaford/what-happens-when-k8s

7. C N D J P 7 AUTH JOURNY NEXT…

8. C N D J P 8 AUTH JOURNY kubectl run

   --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる

9. C N D J P 9 AUTH JOURNY BEFORE FIRE…

10. C N D J P 1 0 AUTH JOURNY kubectl

    run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる BEFORE FIRE… 詠唱中

11. C N D J P 1 1 AUTH JOURNY kubectl

    run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる 1. RESOURCE VALIDATE $ kubectl api-resources SEE 3. GENERATE REQUEST 2. LOAD API SCHEMA ~/.kube/cache/discovery/ LOOK BEFORE FIRE… https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13

12. C N D J P 1 2 AUTH JOURNY kubectl

    run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる BEFORE FIRE… 4. LOOK KUBECONFIG CHECK PRIORITY 1.USE $ kubectl --kubeconfig 2.USE $ ${KUBECONFIG} kubectl 3.LOOK ~/.kube or something

13. C N D J P 1 3 AUTH JOURNY kubectl

    run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる FIRE!!!!!!!!!!!!

14. C N D J P 1 4 AUTH JOURNY

15. C N D J P 1 5 AUTH JOURNY Authentication

    Authorization Admission Controll ઀ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ΢ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔

16. C N D J P 1 6 AUTH JOURNY Authentication

    kube-apiserver Use… bearer basic X509 or or

17. C N D J P 1 7 AUTH JOURNY X509

    bearer basic Validate Client TLS Key from CA ROOT Certificate Validate Authorization Header $ curl -H ‘Authorization:Bearer xxxxx…’ --cacert … Validate Basic Auth $ curl -u ‘admin-user:admin-passwd’ $ curl —key client.key —cert client.crt —cacert ca.crt Authentication Method

18. C N D J P 1 8 AUTH JOURNY Authentication

    Authorization Admission Controll ઀ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ΢ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ࢖༻ ͢ΔΞΧ΢ϯτ ͕ݖݶ͕͋Δ͔ɻ

19. C N D J P 1 9 AUTH JOURNY Authorization(for

    example: RBAC) kube-apiserver etcd Use…

20. C N D J P 2 0 AUTH JOURNY https://qiita.com/sheepland/items/67a5bb9b19d8686f389d

    Authorization(for example: RBAC)

21. C N D J P 2 1 AUTH JOURNY Authentication

    Authorization Admission Controll ઀ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ΢ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ࢖༻ ͢ΔΞΧ΢ϯτ ͕ݖݶ͕͋Δ͔ɻ ड͚औͬͨཁٻ ͕ΫϥελʔϦ ιʔεʹ՝ͤΒ Ε੍ͨݶ಺͔Ͳ ͏͔ɻ

22. C N D J P 2 2 AUTH JOURNY Admission

    Controll kube-apiserver Use…

23. C N D J P 2 3 AUTH JOURNY Describe

    Admission Controll https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/

24. C N D J P 2 4 AUTH JOURNY Admission

    Controll Plugin Example AlwaysDeny…Deny All request SecurityContextDeny…Deny Security Context AlwaysAdmit…Accept All Request

25. C N D J P 2 5 AUTH JOURNY Authentication

    Authorization Admission Controll ઀ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ΢ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ࢖༻ ͢ΔΞΧ΢ϯτ ͕ݖݶ͕͋Δ͔ɻ ड͚औͬͨཁٻ ͕ΫϥελʔϦ ιʔεʹ՝ͤΒ Ε੍ͨݶ಺͔Ͳ ͏͔ɻ

26. C N D J P 2 6 AUTH JOURNY SOON

    CREATE OBJECT PERSISTED SAVE

27. C N D J P 2 7 AUTH JOURNY /apps/v1beta2/devployment

    kube-apiserver *「リソース 　登録ヲ確認 　シマシタ。　　」 Request HTTP HANDLER /apps/v1beta2/devployment /apps/v1/namespace /apps/v1/configmap /apps/v1/service

28. C N D J P 2 8 AUTH JOURNY kube-apiserver

    Request HTTP HANDLER RIQUEST VALIDATION /apps/v1beta2/devployment FORM

29. C N D J P 2 9 AUTH JOURNY RIQUEST

    VALIDATION JSON DESELIZE VALIDATION REQUEST FORM

30. C N D J P 3 0 AUTH JOURNY kube-apiserver

    Request HTTP HANDLER RIQUEST VALIDATION /apps/v1beta2/devployment

31. C N D J P 3 1 AUTH JOURNY SOON

32. C N D J P 3 2 AUTH JOURNY AUTH

    JOURNY ETCD 1. USABLE HTTP WITH JSON 2. SECURE TLS ENCRYPT 3. RAPID KVS (FOCUS READ) ETCD IS… 4. DISTRIBUTED 5. BACKEND BBOLT

33. C N D J P 3 3 AUTH JOURNY AUTH

    JOURNY BBOLT 1. ETCD BACKEND 2. FULLSERIAL TRANSACTION 3. ACID SEMANTICS BBOLT IS… 4. LOCK FREE 5. SINGLE WRITE MULTI READ https://godoc.org/go.etcd.io/bbolt

34. C N D J P 3 4 AUTH JOURNY --image=nginx

    --replicas=3 PUT Key Value → BBOLT

35. C N D J P 3 5 AUTH JOURNY --image=nginx

    --replicas=3 PUT Key Value → BBOLT SOON CONTROLLER LOOP

36. C N D J P 3 6 CONTROLLER LOOP NEXT…

37. C N D J P 3 7 CONTROLLER LOOP --image=nginx

    --replicas=3 GET Key Value → BBOLT BEFORE GET RESOURCE… 詠唱中 kube-apiserver

38. C N D J P 3 8 CONTROLLER LOOP --image=nginx

    --replicas=3 GET Key Value → BBOLT BEFORE GET RESOURCE… 詠唱中 kube-apiserver INIT OPERATE

39. C N D J P 3 9 CONTROLLER LOOP INITIALIZERS

    SETUP EXPEIMENSIBLE RESOURCE INIT OPERATE IS… INSERT PROXY SIDECAR SEE TOO LONG PASWORD IN SECRET https://ahmet.im/blog/initializers/

40. C N D J P 4 0 CONTROLLER LOOP GET

    BBOLT kube-apiserver INIT OPERATE polling DEPLOYMENT CONTROLLER deployment

41. C N D J P 4 1 CONTROLLER LOOP PUT

    BBOLT kube-apiserver INIT OPERATE polling DEPLOYMENT CONTROLLER deployment replicaset

42. C N D J P 4 2 CONTROLLER LOOP DEPLOYMENT

    CONTROLLER REPLICASET ENDPOINT CONTROLLER Service Account & Token CONTROLLER MANAGE kube-controller-manager

43. C N D J P 4 3 CONTROLLER LOOP GET

    BBOLT kube-apiserver INIT OPERATE polling REPLICASET replicaset

44. C N D J P 4 4 CONTROLLER LOOP kube-apiserver

    INIT OPERATE polling REPLICASET PUT BBOLT Pod replicaset

45. C N D J P 4 5 CONTROLLER LOOP kube-apiserver

    BBOLT Pod フリーズ status: Pending

46. C N D J P 4 6 CONTROLLER LOOP kube-apiserver

    BBOLT Pod フリーズ status: Pending 詠唱中 kube-scheduler

47. C N D J P 4 7 CONTROLLER LOOP kube-apiserver

    BBOLT Pod status: Pending kube-scheduler 詠唱中 GET

48. C N D J P 4 8 CONTROLLER LOOP kube-scheduler

    1. FILL PODSPCE NODENAME FOR EMPTY VALUE POD 2. CHECK NODE RESOURCE 3. BIND POD TO NODE KUBE-SCHEDULER OPERATE…

49. C N D J P 4 9 CONTROLLER LOOP kube-apiserver

    BBOLT Pod status: Pending kube-scheduler 詠唱中 PUT POST NodeName: <BINDING NODE> PodScheduled: True

50. C N D J P 5 0 CONTROLLER LOOP kube-apiserver

    BBOLT Pod status: Pending フリーズ NodeName: <BINDING NODE> PodScheduled: True

51. C N D J P 5 1 CONTROLLER LOOP kube-apiserver

    BBOLT Pod status: Pending フリーズ NodeName: <BINDING NODE> PodScheduled: True kubelet 詠唱中

52. C N D J P 5 2 POD DEPLOY NEXT…

53. C N D J P 5 3 POD DEPLOY kube-apiserver

    BBOLT Pod status: Pending NodeName: <BINDING NODE> PodScheduled: True kubelet GET 詠唱中

54. C N D J P 5 4 POD DEPLOY kubelet

    kubelet kubelet Node A Node B Node C Node AのPodの状態は？ Node BのPodの状態は？ Node CのPodの状態は？ kube-apiserver

55. C N D J P 5 5 POD DEPLOY kubelet

    1.SYNC POD STATUS IN ETCD AND LOCAL CACHE 2. CREATE CGROUP 3. BIND POD AND VOLUME KUBELET OPERATE… 4. BIND POD AND SECRET

56. C N D J P 5 6 POD DEPLOY kubelet

    CONTAINER POD METADATA VOLUMES x N

57. C N D J P 5 7 POD DEPLOY kubelet

    5.CREATE PAUSE CONTAINER KUBELET OPERATE… (CASE DOCKER)

58. C N D J P 5 8 POD DEPLOY kubelet

    POD METADATA VOLUMES BASE PAUSE IMAGE CONTAINER x N

59. C N D J P 5 9 POD DEPLOY kubelet

    6. ATTACHE NETWORK IF KUBELET OPERATE… (CASE DOCKER)

60. C N D J P 6 0 POD DEPLOY kubelet

    POD METADATA VOLUMES BASE PAUSE IMAGE NETWORK IF CONTAINER x N

61. C N D J P 6 1 POD DEPLOY kubelet

    7. PULL CONTAINER IMAGE KUBELET OPERATE… (CASE DOCKER) 8. RUN CONTAINER IMAGE

62. C N D J P 6 2 POD DEPLOY kubelet

    POD METADATA VOLUMES BASE PAUSE IMAGE NETWORK IF RUNNING IMAGE CONTAINER x N

63. C N D J P 6 3 POD DEPLOY kube-apiserver

    BBOLT Pod status: Running NodeName: <BINDING NODE> kubelet PUT

64. C N D J P 6 4 POD DEPLOY kubectl

    run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる

65. C N D J P 6 5 POD DEPLOY kubectl

    run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる

66. C N D J P 6 6 POD DEPLOY kubectl

    run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる $ kubectl get pod --all-namespaces NAME READY STATUS RESTARTS AGE nginx-65cf545976-22nsz 1/1 Running 0 2d nginx-65cf545976-2lljh 1/1 Running 0 2d nginx-65cf545976-2lljh 1/1 Running 0 2d … … ❤

67. C N D J P 6 7 FIN THANKS いらすとやの『中二病の女の子』のイラストが

    https://togetter.com/li/1221674 好きすぎてファンアートを描いてしまった。By @Aiuti01 https://twitter.com/Aiuti01