Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
what happens when k8s journy
Search
nnao45
March 25, 2019
Technology
17
9.1k
what happens when k8s journy
nnao45
March 25, 2019
Tweet
Share
More Decks by nnao45
See All by nnao45
MPI Performance Evaluation of Raspberry Pi4 Cluster with Android OS
nnao45
2
180
datalake-party-for-aws-20201118
nnao45
0
260
はじめてのNetwork Service Mesh
nnao45
4
2.3k
EKS for EFS
nnao45
4
1.5k
まだ大きくない僕たちに必要なCLoud Nativeを求めて
nnao45
8
1.2k
Firebase, Firestore Find mBaaS
nnao45
3
1.1k
Make App, Using with Study Group
nnao45
3
630
Chatops, AWS, And Ansible
nnao45
2
1k
Ansible container in the kubernetes
nnao45
5
1.6k
Other Decks in Technology
See All in Technology
HonoとJSXを使って管理画面をサクッと型安全に作ろう
diggymo
0
170
ソースを読むプロセスの例
sat
PRO
15
9.9k
頭部ふわふわ浄酔器
uyupun
0
110
データ戦略部門 紹介資料
sansan33
PRO
1
3.8k
物体検出モデルでシイタケの収穫時期を自動判定してみた。 #devio2025
lamaglama39
0
280
個人でデジタル庁の デザインシステムをVue.jsで 作っている話
nishiharatsubasa
3
4.7k
Digitization部 紹介資料
sansan33
PRO
1
5.7k
ハノーファーメッセ2025で見た生成AI活用ユースケース.pdf
hamadakoji
0
420
Zephyr(RTOS)にEdge AIを組み込んでみた話
iotengineer22
1
310
アウトプットから始めるOSSコントリビューション 〜eslint-plugin-vueの場合〜 #vuefes
bengo4com
3
1.6k
OCIjp_Oracle AI World_Recap
shinpy
1
170
会社を支える Pythonという言語戦略 ~なぜPythonを主要言語にしているのか?~
curekoshimizu
3
630
Featured
See All Featured
Why You Should Never Use an ORM
jnunemaker
PRO
59
9.6k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
657
61k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
990
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
36
6.1k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
10
880
Building Flexible Design Systems
yeseniaperezcruz
329
39k
Rebuilding a faster, lazier Slack
samanthasiow
84
9.2k
Being A Developer After 40
akosma
91
590k
Imperfection Machines: The Place of Print at Facebook
scottboms
269
13k
Product Roadmaps are Hard
iamctodd
PRO
55
11k
Build The Right Thing And Hit Your Dates
maggiecrowley
38
2.9k
Art, The Web, and Tiny UX
lynnandtonic
303
21k
Transcript
W H A T H A P P E N
S W H E N K 8 S J O U R N Y $ kubectl run --image=nginx --replicas=3
C N D J P 2 @nnao45 CyberAgent Inc. Infra/ServerSide
Engineer ✔ Naoya Yokoyama Tech Advisor Startup Company ✔ Zsh,BGP,Go,Rust,MySQL,K8S,AWS,Ansible ✔ Vtuber,Game,Tennis ✔ MySQLの商用版使いたい人生だった DynamoDBのインデックス設計つらたん ぶいちゅーばー友達募集! V言語って最強の静的型付言語なの? RustのGraphDBのライブラリかきたい @nnao45,
[email protected]
✔
C N D J P 3 AGENDA $ kubectl version
-o json | jq '.clientVersion.gitVersion' $ kubectl version -o json | jq '.serverVersion.gitVersion' "v1.13.4" "v1.13.4"
C N D J P 4 AGENDA AUTH JOURNY CONTROLLER
LOOP POD DEPLOY
C N D J P 5 AUTH JOURNY What happens
when I type kubectl run? $ kubectl run --image=nginx --replicas=3
C N D J P 6 AUTH JOURNY https://github.com/jamiehannaford/what-happens-when-k8s
C N D J P 7 AUTH JOURNY NEXT…
C N D J P 8 AUTH JOURNY kubectl run
--image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる
C N D J P 9 AUTH JOURNY BEFORE FIRE…
C N D J P 1 0 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる BEFORE FIRE… 詠唱中
C N D J P 1 1 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる 1. RESOURCE VALIDATE $ kubectl api-resources SEE 3. GENERATE REQUEST 2. LOAD API SCHEMA ~/.kube/cache/discovery/ LOOK BEFORE FIRE… https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13
C N D J P 1 2 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる BEFORE FIRE… 4. LOOK KUBECONFIG CHECK PRIORITY 1.USE $ kubectl --kubeconfig 2.USE $ ${KUBECONFIG} kubectl 3.LOOK ~/.kube or something
C N D J P 1 3 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる FIRE!!!!!!!!!!!!
C N D J P 1 4 AUTH JOURNY
C N D J P 1 5 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔
C N D J P 1 6 AUTH JOURNY Authentication
kube-apiserver Use… bearer basic X509 or or
C N D J P 1 7 AUTH JOURNY X509
bearer basic Validate Client TLS Key from CA ROOT Certificate Validate Authorization Header $ curl -H ‘Authorization:Bearer xxxxx…’ --cacert … Validate Basic Auth $ curl -u ‘admin-user:admin-passwd’ $ curl —key client.key —cert client.crt —cacert ca.crt Authentication Method
C N D J P 1 8 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ༻ ͢ΔΞΧϯτ ͕ݖݶ͕͋Δ͔ɻ
C N D J P 1 9 AUTH JOURNY Authorization(for
example: RBAC) kube-apiserver etcd Use…
C N D J P 2 0 AUTH JOURNY https://qiita.com/sheepland/items/67a5bb9b19d8686f389d
Authorization(for example: RBAC)
C N D J P 2 1 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ༻ ͢ΔΞΧϯτ ͕ݖݶ͕͋Δ͔ɻ ड͚औͬͨཁٻ ͕ΫϥελʔϦ ιʔεʹ՝ͤΒ Ε੍ͨݶ͔Ͳ ͏͔ɻ
C N D J P 2 2 AUTH JOURNY Admission
Controll kube-apiserver Use…
C N D J P 2 3 AUTH JOURNY Describe
Admission Controll https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/
C N D J P 2 4 AUTH JOURNY Admission
Controll Plugin Example AlwaysDeny…Deny All request SecurityContextDeny…Deny Security Context AlwaysAdmit…Accept All Request
C N D J P 2 5 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ༻ ͢ΔΞΧϯτ ͕ݖݶ͕͋Δ͔ɻ ड͚औͬͨཁٻ ͕ΫϥελʔϦ ιʔεʹ՝ͤΒ Ε੍ͨݶ͔Ͳ ͏͔ɻ
C N D J P 2 6 AUTH JOURNY SOON
CREATE OBJECT PERSISTED SAVE
C N D J P 2 7 AUTH JOURNY /apps/v1beta2/devployment
kube-apiserver *「リソース 登録ヲ確認 シマシタ。 」 Request HTTP HANDLER /apps/v1beta2/devployment /apps/v1/namespace /apps/v1/configmap /apps/v1/service
C N D J P 2 8 AUTH JOURNY kube-apiserver
Request HTTP HANDLER RIQUEST VALIDATION /apps/v1beta2/devployment FORM
C N D J P 2 9 AUTH JOURNY RIQUEST
VALIDATION JSON DESELIZE VALIDATION REQUEST FORM
C N D J P 3 0 AUTH JOURNY kube-apiserver
Request HTTP HANDLER RIQUEST VALIDATION /apps/v1beta2/devployment
C N D J P 3 1 AUTH JOURNY SOON
C N D J P 3 2 AUTH JOURNY AUTH
JOURNY ETCD 1. USABLE HTTP WITH JSON 2. SECURE TLS ENCRYPT 3. RAPID KVS (FOCUS READ) ETCD IS… 4. DISTRIBUTED 5. BACKEND BBOLT
C N D J P 3 3 AUTH JOURNY AUTH
JOURNY BBOLT 1. ETCD BACKEND 2. FULLSERIAL TRANSACTION 3. ACID SEMANTICS BBOLT IS… 4. LOCK FREE 5. SINGLE WRITE MULTI READ https://godoc.org/go.etcd.io/bbolt
C N D J P 3 4 AUTH JOURNY --image=nginx
--replicas=3 PUT Key Value → BBOLT
C N D J P 3 5 AUTH JOURNY --image=nginx
--replicas=3 PUT Key Value → BBOLT SOON CONTROLLER LOOP
C N D J P 3 6 CONTROLLER LOOP NEXT…
C N D J P 3 7 CONTROLLER LOOP --image=nginx
--replicas=3 GET Key Value → BBOLT BEFORE GET RESOURCE… 詠唱中 kube-apiserver
C N D J P 3 8 CONTROLLER LOOP --image=nginx
--replicas=3 GET Key Value → BBOLT BEFORE GET RESOURCE… 詠唱中 kube-apiserver INIT OPERATE
C N D J P 3 9 CONTROLLER LOOP INITIALIZERS
SETUP EXPEIMENSIBLE RESOURCE INIT OPERATE IS… INSERT PROXY SIDECAR SEE TOO LONG PASWORD IN SECRET https://ahmet.im/blog/initializers/
C N D J P 4 0 CONTROLLER LOOP GET
BBOLT kube-apiserver INIT OPERATE polling DEPLOYMENT CONTROLLER deployment
C N D J P 4 1 CONTROLLER LOOP PUT
BBOLT kube-apiserver INIT OPERATE polling DEPLOYMENT CONTROLLER deployment replicaset
C N D J P 4 2 CONTROLLER LOOP DEPLOYMENT
CONTROLLER REPLICASET ENDPOINT CONTROLLER Service Account & Token CONTROLLER MANAGE kube-controller-manager
C N D J P 4 3 CONTROLLER LOOP GET
BBOLT kube-apiserver INIT OPERATE polling REPLICASET replicaset
C N D J P 4 4 CONTROLLER LOOP kube-apiserver
INIT OPERATE polling REPLICASET PUT BBOLT Pod replicaset
C N D J P 4 5 CONTROLLER LOOP kube-apiserver
BBOLT Pod フリーズ status: Pending
C N D J P 4 6 CONTROLLER LOOP kube-apiserver
BBOLT Pod フリーズ status: Pending 詠唱中 kube-scheduler
C N D J P 4 7 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending kube-scheduler 詠唱中 GET
C N D J P 4 8 CONTROLLER LOOP kube-scheduler
1. FILL PODSPCE NODENAME FOR EMPTY VALUE POD 2. CHECK NODE RESOURCE 3. BIND POD TO NODE KUBE-SCHEDULER OPERATE…
C N D J P 4 9 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending kube-scheduler 詠唱中 PUT POST NodeName: <BINDING NODE> PodScheduled: True
C N D J P 5 0 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending フリーズ NodeName: <BINDING NODE> PodScheduled: True
C N D J P 5 1 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending フリーズ NodeName: <BINDING NODE> PodScheduled: True kubelet 詠唱中
C N D J P 5 2 POD DEPLOY NEXT…
C N D J P 5 3 POD DEPLOY kube-apiserver
BBOLT Pod status: Pending NodeName: <BINDING NODE> PodScheduled: True kubelet GET 詠唱中
C N D J P 5 4 POD DEPLOY kubelet
kubelet kubelet Node A Node B Node C Node AのPodの状態は? Node BのPodの状態は? Node CのPodの状態は? kube-apiserver
C N D J P 5 5 POD DEPLOY kubelet
1.SYNC POD STATUS IN ETCD AND LOCAL CACHE 2. CREATE CGROUP 3. BIND POD AND VOLUME KUBELET OPERATE… 4. BIND POD AND SECRET
C N D J P 5 6 POD DEPLOY kubelet
CONTAINER POD METADATA VOLUMES x N
C N D J P 5 7 POD DEPLOY kubelet
5.CREATE PAUSE CONTAINER KUBELET OPERATE… (CASE DOCKER)
C N D J P 5 8 POD DEPLOY kubelet
POD METADATA VOLUMES BASE PAUSE IMAGE CONTAINER x N
C N D J P 5 9 POD DEPLOY kubelet
6. ATTACHE NETWORK IF KUBELET OPERATE… (CASE DOCKER)
C N D J P 6 0 POD DEPLOY kubelet
POD METADATA VOLUMES BASE PAUSE IMAGE NETWORK IF CONTAINER x N
C N D J P 6 1 POD DEPLOY kubelet
7. PULL CONTAINER IMAGE KUBELET OPERATE… (CASE DOCKER) 8. RUN CONTAINER IMAGE
C N D J P 6 2 POD DEPLOY kubelet
POD METADATA VOLUMES BASE PAUSE IMAGE NETWORK IF RUNNING IMAGE CONTAINER x N
C N D J P 6 3 POD DEPLOY kube-apiserver
BBOLT Pod status: Running NodeName: <BINDING NODE> kubelet PUT
C N D J P 6 4 POD DEPLOY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる
C N D J P 6 5 POD DEPLOY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる
C N D J P 6 6 POD DEPLOY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる $ kubectl get pod --all-namespaces NAME READY STATUS RESTARTS AGE nginx-65cf545976-22nsz 1/1 Running 0 2d nginx-65cf545976-2lljh 1/1 Running 0 2d nginx-65cf545976-2lljh 1/1 Running 0 2d … … ❤
C N D J P 6 7 FIN THANKS いらすとやの『中二病の女の子』のイラストが
https://togetter.com/li/1221674 好きすぎてファンアートを描いてしまった。By @Aiuti01 https://twitter.com/Aiuti01