Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
what happens when k8s journy
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
nnao45
March 25, 2019
Technology
9.2k
17
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
what happens when k8s journy
nnao45
March 25, 2019
More Decks by nnao45
See All by nnao45
MPI Performance Evaluation of Raspberry Pi4 Cluster with Android OS
nnao45
2
210
datalake-party-for-aws-20201118
nnao45
0
290
はじめてのNetwork Service Mesh
nnao45
4
2.4k
EKS for EFS
nnao45
4
1.5k
まだ大きくない僕たちに必要なCLoud Nativeを求めて
nnao45
8
1.3k
Firebase, Firestore Find mBaaS
nnao45
3
1.2k
Make App, Using with Study Group
nnao45
3
670
Chatops, AWS, And Ansible
nnao45
2
1.1k
Ansible container in the kubernetes
nnao45
5
1.7k
Other Decks in Technology
See All in Technology
Making sense of Google’s agentic dev tools
glaforge
1
190
知らん間に、回ってる
ming_ayami
0
530
LLM/Agent評価:トップ営業の発言を「正解」にする 〜暗黙的正解による評価を営業資産に変える〜
takkuhiro
1
210
関数型の考えを TypeScript に持ち込んで、テストしやすい純粋関数を増やす / Pure at the Core, Effects at the Edge: Bringing Functional Thinking into TypeScript
kaminashi
1
110
AICoEでAIネイティブ組織への進化
yukiogawa
0
160
Claude Codeとハーネスについて考えてみる
oikon48
18
9.4k
なぜ私たちのSREプラクティスはなかなか機能しないのか 〜システムより先に組織を見る〜 / Why our SRE practices aren't really working
vtryo
3
3.6k
生成AIの活用/high_school2026
okana2ki
0
130
SRE本の知られざる名シーン / The Hidden Gems of Google SRE Book
nari_ex
1
380
人を動かすのは時間ではなく、納得感 〜新任EMが入社3ヶ月、組織を2回変えた話〜
kakehashi
PRO
3
220
DatabricksにおけるMCPソリューション
taka_aki
1
240
CIで使うClaude
iwatatomoya
0
250
Featured
See All Featured
Noah Learner - AI + Me: how we built a GSC Bulk Export data pipeline
techseoconnect
PRO
0
220
Fantastic passwords and where to find them - at NoRuKo
philnash
52
3.8k
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
helenjbeal
1
230
How GitHub (no longer) Works
holman
316
150k
Agile Leadership in an Agile Organization
kimpetersen
PRO
0
190
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
2k
Design of three-dimensional binary manipulators for pick-and-place task avoiding obstacles (IECON2024)
konakalab
0
490
Product Roadmaps are Hard
iamctodd
55
12k
Building a A Zero-Code AI SEO Workflow
portentint
PRO
0
630
[SF Ruby Conf 2025] Rails X
palkan
2
1.2k
Lightning Talk: Beautiful Slides for Beginners
inesmontani
PRO
2
600
The Illustrated Children's Guide to Kubernetes
chrisshort
51
52k
Transcript
W H A T H A P P E N
S W H E N K 8 S J O U R N Y $ kubectl run --image=nginx --replicas=3
C N D J P 2 @nnao45 CyberAgent Inc. Infra/ServerSide
Engineer ✔ Naoya Yokoyama Tech Advisor Startup Company ✔ Zsh,BGP,Go,Rust,MySQL,K8S,AWS,Ansible ✔ Vtuber,Game,Tennis ✔ MySQLの商用版使いたい人生だった DynamoDBのインデックス設計つらたん ぶいちゅーばー友達募集! V言語って最強の静的型付言語なの? RustのGraphDBのライブラリかきたい @nnao45,
[email protected]
✔
C N D J P 3 AGENDA $ kubectl version
-o json | jq '.clientVersion.gitVersion' $ kubectl version -o json | jq '.serverVersion.gitVersion' "v1.13.4" "v1.13.4"
C N D J P 4 AGENDA AUTH JOURNY CONTROLLER
LOOP POD DEPLOY
C N D J P 5 AUTH JOURNY What happens
when I type kubectl run? $ kubectl run --image=nginx --replicas=3
C N D J P 6 AUTH JOURNY https://github.com/jamiehannaford/what-happens-when-k8s
C N D J P 7 AUTH JOURNY NEXT…
C N D J P 8 AUTH JOURNY kubectl run
--image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる
C N D J P 9 AUTH JOURNY BEFORE FIRE…
C N D J P 1 0 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる BEFORE FIRE… 詠唱中
C N D J P 1 1 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる 1. RESOURCE VALIDATE $ kubectl api-resources SEE 3. GENERATE REQUEST 2. LOAD API SCHEMA ~/.kube/cache/discovery/ LOOK BEFORE FIRE… https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13
C N D J P 1 2 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる BEFORE FIRE… 4. LOOK KUBECONFIG CHECK PRIORITY 1.USE $ kubectl --kubeconfig 2.USE $ ${KUBECONFIG} kubectl 3.LOOK ~/.kube or something
C N D J P 1 3 AUTH JOURNY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる FIRE!!!!!!!!!!!!
C N D J P 1 4 AUTH JOURNY
C N D J P 1 5 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔
C N D J P 1 6 AUTH JOURNY Authentication
kube-apiserver Use… bearer basic X509 or or
C N D J P 1 7 AUTH JOURNY X509
bearer basic Validate Client TLS Key from CA ROOT Certificate Validate Authorization Header $ curl -H ‘Authorization:Bearer xxxxx…’ --cacert … Validate Basic Auth $ curl -u ‘admin-user:admin-passwd’ $ curl —key client.key —cert client.crt —cacert ca.crt Authentication Method
C N D J P 1 8 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ༻ ͢ΔΞΧϯτ ͕ݖݶ͕͋Δ͔ɻ
C N D J P 1 9 AUTH JOURNY Authorization(for
example: RBAC) kube-apiserver etcd Use…
C N D J P 2 0 AUTH JOURNY https://qiita.com/sheepland/items/67a5bb9b19d8686f389d
Authorization(for example: RBAC)
C N D J P 2 1 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ༻ ͢ΔΞΧϯτ ͕ݖݶ͕͋Δ͔ɻ ड͚औͬͨཁٻ ͕ΫϥελʔϦ ιʔεʹ՝ͤΒ Ε੍ͨݶ͔Ͳ ͏͔ɻ
C N D J P 2 2 AUTH JOURNY Admission
Controll kube-apiserver Use…
C N D J P 2 3 AUTH JOURNY Describe
Admission Controll https://kubernetes.io/blog/2019/03/21/a-guide-to-kubernetes-admission-controllers/
C N D J P 2 4 AUTH JOURNY Admission
Controll Plugin Example AlwaysDeny…Deny All request SecurityContextDeny…Deny Security Context AlwaysAdmit…Accept All Request
C N D J P 2 5 AUTH JOURNY Authentication
Authorization Admission Controll ଓݩ͕͔֬ʹ ༻ҙ͞ΕͨΞΧ ϯτͷΫϥΠ Ξϯτ͔Ͳ͏͔ ड͚औͬͨཁٻ ʹରԠ͢Δૢ࡞ ʹରͯ͠ɺ༻ ͢ΔΞΧϯτ ͕ݖݶ͕͋Δ͔ɻ ड͚औͬͨཁٻ ͕ΫϥελʔϦ ιʔεʹ՝ͤΒ Ε੍ͨݶ͔Ͳ ͏͔ɻ
C N D J P 2 6 AUTH JOURNY SOON
CREATE OBJECT PERSISTED SAVE
C N D J P 2 7 AUTH JOURNY /apps/v1beta2/devployment
kube-apiserver *「リソース 登録ヲ確認 シマシタ。 」 Request HTTP HANDLER /apps/v1beta2/devployment /apps/v1/namespace /apps/v1/configmap /apps/v1/service
C N D J P 2 8 AUTH JOURNY kube-apiserver
Request HTTP HANDLER RIQUEST VALIDATION /apps/v1beta2/devployment FORM
C N D J P 2 9 AUTH JOURNY RIQUEST
VALIDATION JSON DESELIZE VALIDATION REQUEST FORM
C N D J P 3 0 AUTH JOURNY kube-apiserver
Request HTTP HANDLER RIQUEST VALIDATION /apps/v1beta2/devployment
C N D J P 3 1 AUTH JOURNY SOON
C N D J P 3 2 AUTH JOURNY AUTH
JOURNY ETCD 1. USABLE HTTP WITH JSON 2. SECURE TLS ENCRYPT 3. RAPID KVS (FOCUS READ) ETCD IS… 4. DISTRIBUTED 5. BACKEND BBOLT
C N D J P 3 3 AUTH JOURNY AUTH
JOURNY BBOLT 1. ETCD BACKEND 2. FULLSERIAL TRANSACTION 3. ACID SEMANTICS BBOLT IS… 4. LOCK FREE 5. SINGLE WRITE MULTI READ https://godoc.org/go.etcd.io/bbolt
C N D J P 3 4 AUTH JOURNY --image=nginx
--replicas=3 PUT Key Value → BBOLT
C N D J P 3 5 AUTH JOURNY --image=nginx
--replicas=3 PUT Key Value → BBOLT SOON CONTROLLER LOOP
C N D J P 3 6 CONTROLLER LOOP NEXT…
C N D J P 3 7 CONTROLLER LOOP --image=nginx
--replicas=3 GET Key Value → BBOLT BEFORE GET RESOURCE… 詠唱中 kube-apiserver
C N D J P 3 8 CONTROLLER LOOP --image=nginx
--replicas=3 GET Key Value → BBOLT BEFORE GET RESOURCE… 詠唱中 kube-apiserver INIT OPERATE
C N D J P 3 9 CONTROLLER LOOP INITIALIZERS
SETUP EXPEIMENSIBLE RESOURCE INIT OPERATE IS… INSERT PROXY SIDECAR SEE TOO LONG PASWORD IN SECRET https://ahmet.im/blog/initializers/
C N D J P 4 0 CONTROLLER LOOP GET
BBOLT kube-apiserver INIT OPERATE polling DEPLOYMENT CONTROLLER deployment
C N D J P 4 1 CONTROLLER LOOP PUT
BBOLT kube-apiserver INIT OPERATE polling DEPLOYMENT CONTROLLER deployment replicaset
C N D J P 4 2 CONTROLLER LOOP DEPLOYMENT
CONTROLLER REPLICASET ENDPOINT CONTROLLER Service Account & Token CONTROLLER MANAGE kube-controller-manager
C N D J P 4 3 CONTROLLER LOOP GET
BBOLT kube-apiserver INIT OPERATE polling REPLICASET replicaset
C N D J P 4 4 CONTROLLER LOOP kube-apiserver
INIT OPERATE polling REPLICASET PUT BBOLT Pod replicaset
C N D J P 4 5 CONTROLLER LOOP kube-apiserver
BBOLT Pod フリーズ status: Pending
C N D J P 4 6 CONTROLLER LOOP kube-apiserver
BBOLT Pod フリーズ status: Pending 詠唱中 kube-scheduler
C N D J P 4 7 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending kube-scheduler 詠唱中 GET
C N D J P 4 8 CONTROLLER LOOP kube-scheduler
1. FILL PODSPCE NODENAME FOR EMPTY VALUE POD 2. CHECK NODE RESOURCE 3. BIND POD TO NODE KUBE-SCHEDULER OPERATE…
C N D J P 4 9 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending kube-scheduler 詠唱中 PUT POST NodeName: <BINDING NODE> PodScheduled: True
C N D J P 5 0 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending フリーズ NodeName: <BINDING NODE> PodScheduled: True
C N D J P 5 1 CONTROLLER LOOP kube-apiserver
BBOLT Pod status: Pending フリーズ NodeName: <BINDING NODE> PodScheduled: True kubelet 詠唱中
C N D J P 5 2 POD DEPLOY NEXT…
C N D J P 5 3 POD DEPLOY kube-apiserver
BBOLT Pod status: Pending NodeName: <BINDING NODE> PodScheduled: True kubelet GET 詠唱中
C N D J P 5 4 POD DEPLOY kubelet
kubelet kubelet Node A Node B Node C Node AのPodの状態は? Node BのPodの状態は? Node CのPodの状態は? kube-apiserver
C N D J P 5 5 POD DEPLOY kubelet
1.SYNC POD STATUS IN ETCD AND LOCAL CACHE 2. CREATE CGROUP 3. BIND POD AND VOLUME KUBELET OPERATE… 4. BIND POD AND SECRET
C N D J P 5 6 POD DEPLOY kubelet
CONTAINER POD METADATA VOLUMES x N
C N D J P 5 7 POD DEPLOY kubelet
5.CREATE PAUSE CONTAINER KUBELET OPERATE… (CASE DOCKER)
C N D J P 5 8 POD DEPLOY kubelet
POD METADATA VOLUMES BASE PAUSE IMAGE CONTAINER x N
C N D J P 5 9 POD DEPLOY kubelet
6. ATTACHE NETWORK IF KUBELET OPERATE… (CASE DOCKER)
C N D J P 6 0 POD DEPLOY kubelet
POD METADATA VOLUMES BASE PAUSE IMAGE NETWORK IF CONTAINER x N
C N D J P 6 1 POD DEPLOY kubelet
7. PULL CONTAINER IMAGE KUBELET OPERATE… (CASE DOCKER) 8. RUN CONTAINER IMAGE
C N D J P 6 2 POD DEPLOY kubelet
POD METADATA VOLUMES BASE PAUSE IMAGE NETWORK IF RUNNING IMAGE CONTAINER x N
C N D J P 6 3 POD DEPLOY kube-apiserver
BBOLT Pod status: Running NodeName: <BINDING NODE> kubelet PUT
C N D J P 6 4 POD DEPLOY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる
C N D J P 6 5 POD DEPLOY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる
C N D J P 6 6 POD DEPLOY kubectl
run --image=nginx --replicas=3 たたかう kubectl get pod --all-namespaces sudo rm -rf / ——preserve-root コンテナをやめる $ kubectl get pod --all-namespaces NAME READY STATUS RESTARTS AGE nginx-65cf545976-22nsz 1/1 Running 0 2d nginx-65cf545976-2lljh 1/1 Running 0 2d nginx-65cf545976-2lljh 1/1 Running 0 2d … … ❤
C N D J P 6 7 FIN THANKS いらすとやの『中二病の女の子』のイラストが
https://togetter.com/li/1221674 好きすぎてファンアートを描いてしまった。By @Aiuti01 https://twitter.com/Aiuti01