Is Kubernetes On-premises Hardway?

Kazuhiko Yamashita

November 05, 2021

570

Is Kubernetes On-premises Hardway?

CloudNativeDays Tokyo 2021にて登壇した資料です。

Kazuhiko Yamashita

November 05, 2021

Tweet

More Decks by Kazuhiko Yamashita

See All by Kazuhiko Yamashita

AI時代におけるSRE、 あるいはエンジニアの生存戦略

6

1.2k

Tuning GraphQL on Rails

2

1.2k

ttlcacheのここがスゴい

1

73

クラウドサービスの 利用コストを削減する技術 - 円安の真南風を感じて -

3

470

実践ARMアーキテクチャ移行

2

2.2k

リモートワーク時代の守護神 PHP開発者のためのセキュリティ強化術

3

1k

実践DevSecOps～クラウドネイティブとオンプレミスの間から～

1

65

ペパボOpenTelemetry革命

2

2k

Site Reliability Engineering for GMO

10

1.3k

Other Decks in Technology

See All in Technology

CysharpのOSS群から見るModern C#の現在地

2

3.4k

Amazon CloudWatch Network Monitor のススメ

1

210

Engineer Career Talk

lycorp_recruit_jp

0

180

【Pycon mini 東海 2024】Google Colaboratoryで試すVLM

kazuhitotakahashi

2

520

OCI Security サービス概要

oracle4engineer

0

6.5k

【Startup CTO of the Year 2024 / Audience Award】アセンド取締役CTO 丹羽健

0

1.1k

ノーコードデータ分析ツールで体験する時系列データ分析超入門

0

410

iOS/Androidで同じUI体験をネイティブで作成する際に気をつけたい落とし穴

1

110

Lexical Analysis

1

150

Lambda10周年！Lambdaは何をもたらしたか

2

110

OCI Network Firewall 概要

oracle4engineer

0

4.1k

VideoMamba: State Space Model for Efficient Video Understanding

0

190

Featured

See All Featured

Testing 201, or: Great Expectations

38

7.1k

25

5k

Designing Experiences People Love

138

23k

What’s in a name? Adding method to the madness

productmarketing

22

3.1k

ReactJS: Keep Simple. Everything can be a component!

665

120k

The Art of Programming - Codeland 2020

52

13k

Building Applications with DynamoDB

90

6.1k

Optimising Largest Contentful Paint

33

2.9k

Bootstrapping a Software Product

305

110k

Product Roadmaps are Hard

49

11k

The Cost Of JavaScript in 2023

45

6.8k

Exploring the Power of Turbo Streams & Action Cable | RailsConf2023

27

4.3k

Transcript

Is Kubernetes On-premises Hardway? ʙ݁ࠗɺͦΕ͸ର࿩Ͱ͋Δʙ
ࢁԼ࿨඙!QZBNB (.0ϖύϘٕज़ج൫νʔϜ γχΞɾϓϦϯγύϧ UFOTOBQPODPN QZBNBGVO TUOTKQ
45/4 -JOVY/444FSWFS TUOTKQ
45/4
https://github.com/pyama86/github-replacer
ϗεςΟϯάࣄۀ &$ࢧԉࣄۀ ϋϯυϝΠυɾͦͷଞࣄۀ
Is Kubernetes On-premises Hardway?
ϚωʔδυαʔϏεͷϝϦοτ • Control Plane/Data Planeͷ؅ཧ • όʔδϣϯΞοϓͷ༰қ͞ • Ϋϥ΢υࣄۀऀ͕ఏڙ͢ΔͦͷଞͷϚωʔδυαʔϏεͱͷ࿈ܞͷ༰қ͞ •
ແݶεέʔϦϯά(If you have much money)
ΦϯϓϨϛεͷϝϦοτ • ͢΂ͯΛ΍ΒͶ͹ͳΒͳ͍͕ނʹࣗ༝ • ਓ݅අΛআ͘ϥϯχϯάίετͷ҆͞
ࠓ೔࿩͢͜ͱ • ϖύϘͷKubernetesΫϥελͷ֓ཁ • Hardwayͩͬͨ͜ͱ • ࠓޙ΍Γ͍ͨ͜ͱ
KubernetesΫϥελ • OpenStack (Nyah) • Nyah Kubernetes Engine(NKE)
KubernetesΫϥελ ن໛ײ • ঎ࡐ͝ͱʹΫϥελΛ෼཭͓ͯ͠Γɺ23Ϋϥελ(ൃද࣌఺) • ঎ࡐʹΑͬͯ͸NKE / GKE / EKSͰͷϋΠϒϦουΫϥ΢υͰར༻
• AWS Direct ConnectͰઐ༻ઢར༻
KubernetesΫϥελ ٕज़ج൫νʔϜ Embedded SRE • NKEίϚϯυͷ։ൃ • ϓϦηοτϚχϑΣετͷߋ৽ • Ϋϥελ্Ͱಈ͘ιϑτ΢ΣΞͷಋೖ
• όʔδϣϯΞοϓͳͲͷϝϯςφϯε ։ൃͱར༻ऀ͕ҟͳΔ
NKE • ΫϥελͷߏஙɺόʔδϣϯΞοϓ • Ϋϥελ؅ཧϚχϑΣετͷద༻ • Data Planeͷ௥Ճɺ࡟আ • AnsibleΛ༻͍ͨϓϩϏδϣχϯά
Ϋϥελ؅ཧΛίʔυԽ͠CLIΠϯλʔϑΣʔεʹͨ͠΋ͷ
NKE ઃఆϑΝΠϧɺൿಗ৘ใετΞʹج͖ͮɺ ΫϥελΛߏஙɺӡ༻ VM VM VM NKE tenant- con fi
g.toml Hashicorp Vault conta iner conta iner conta iner
NKE • Golang • Hashicorp Vault • Consul • Packer
ओཁίϯϙʔωϯτ
Kubernetesͷόʔδϣϯ؅ཧ
Kubernetesͷόʔδϣϯ؅ཧ • NKEͷϒϥϯν͝ͱʹόʔδϣϯ؅ཧ • trunk: ։ൃ༻ϒϥϯν • 1.20,1.21 ϦϦʔεϒϥϯν
Kubernetesͷόʔδϣϯ؅ཧ trunk 1.20 1.21 Unit Test E2E Test Unit Test
E2E Test Unit Test E2E Test merge merge
Kubernetesͷόʔδϣϯ؅ཧ • CIΛར༻ͨ͠ςετΛύεͨ͠৔߹͸ɺ։ൃ༻Ϋϥελɺࣾ಺πʔϧ༻Ϋ ϥελͷόʔδϣϯΞοϓίϚϯυΛ࣮ߦ • ֤Ϋϥελͷ؅ཧऀ͕όʔδϣϯΞοϓίϚϯυΛ࣮ߦ • ΫϥελʹΑͬͯ͸2ܥ࣋ͭΑ͏ʹͯ͠ɺόʔδϣϯΞοϓ࡞ۀͳͲͷ  μ΢ϯλΠϜΛආ͚Δ޻෉Λ͍ͯ͠Δ
Kubernetesͷόʔδϣϯ؅ཧ • Control Plane,Data Planeͱ΋ʹPodΛ௥͍ग़ͭͭ͠ɺ  ϩʔϦϯάΞοϓσʔτ • Control PlaneɺEtcdʹ͍ͭͯ͸1୆ೖΕସ͑͝ͱʹϔϧενΣοΫΛ  ͍Εͯμ΢ϯλΠϜΛආ͚͍ͯΔ
Kubernetesͷӡ༻؅ཧ
Kubernetesͷӡ༻؅ཧ • ؂ࢹ • ηΩϡϦςΟ؂ࠪ • CI/CD • ϩά؅ཧ
Kubernetesͷ؂ࢹ Prometheus Alert Manager Grafana mackerel-agent ࣌ܥྻσʔλͷอଘ ڞ௨ϧʔϧʹै͍ɺSlack௨஌ PrometheusͷσʔλͷϏδϡΞϥΠθʔγϣϯ Prometheus+AlertManagerͷ؂ࢹ
KubernetesͷηΩϡϦςΟ؂ࠪ • Wazuh • Falco • GateKeeper
Wazuh https://atmarkit.itmedia.co.jp/ait/articles/1902/18/news012.html OSͷઃఆ؂ࠪ ෆਖ਼ΞΫηεݕ஌ ੬ऑੑ؂ࠪ
Falco ίϯςφͷৼΔ෣͍؂ࠪɾݕ஌
Gatekeeper Admission ControllerͰಈ࡞͢Δ ϚχϑΣετͷ؂ࠪͳͲ Ұॹʹ΍ͬͯ͘Δਓɺೖࣾͯ͘͠Εʙʙʙʙ
ࣗಈApply ؂ࢹɺηΩϡϦςΟϙϦγʔ͸Ұ੪഑෍ tag cluster A cluster B cluster C apply
CI/CD • ςετɺίϯςφϏϧυɺ੬ऑੑεΩϟϯ͸Github ActionsͷSelf Hosted Runner্Ͱ࣮ߦ • ίϯςφΠϝʔδͷεΩϟϯΤϯδϯ͸trivyΛར༻ • CD͸ArgoCD
+ argocd-image-updaterΛར༻
ϩά؅ཧ Kafkaʹू໿ͯ͠ɺ༻్ʹԠͯ͡SaaS΁
͜͜·Ͱ࿩ͨ͜͠ͱ • NKEίϚϯυͷ։ൃʹΑͬͯΫϥελͷߏங΍ϝϯςφϯεΛࣗಈԽͯ͠ ͍Δ • ؂ࢹ΍ηΩϡϦςΟ؂ࠪʹ͍ͭͯ͸NKEͰϕʔεͱͳΔ΋ͷΛఏڙ • όʔδϣϯΞοϓʹ͍ͭͯ͸E2EͰಈ࡞Λ୲อͭͭ͠ɺ։ൃ༻ΫϥελͰ ໰୊͕ͳ͍͜ͱΛ֬ೝͯ͠ɺద༻͍ͯ͠Δ
Hardwayͩͬͨ͜ͱ
1.12.7
[࠶ܝ]KubernetesΫϥελ ٕज़ج൫νʔϜ Embedded SRE • NKEίϚϯυͷ։ൃ • ϓϦηοτϚχϑΣετͷߋ৽ • Ϋϥελ্Ͱಈ͘ιϑτ΢ΣΞͷಋೖ
• όʔδϣϯΞοϓͳͲͷϝϯςφϯε ։ൃͱར༻ऀ͕ҟͳΔ
όʔδϣϯΞοϓͷಈػ͕௿͍͜ͱ͕͋Δ • Ϋϥελͷ༻్ • ୲౰ऀ͕ଟ๩ • Kubernetesɺ͍͍ͩͨݹͯ͘΋ಈ͘ • όʔδϣϯΞοϓʹର͢Δ৺ཧোน
όʔδϣϯ؅ཧࣗಈԽ͍ͨ͠ NKE Manifests Cluster A NKE Manifests Cluster B NKE
Manifests Cluster C NKE Cluster A Cluster B Cluster C manifestͷఆٛʹج͍ͮͯࣗಈͰऩଋͯ͠΄͍͠
͋Δ೔ಥવͷ ”error: You must be logged in to the server
(Unauthorized)”
Կ͕ى͖͔ͨ kube-apiserver Service Account token ServiceAccountͷར༻͍ͯ͠ΔτʔΫϯ͕ࣦޮͯ͠ೝূΤϥʔ
ͳͥى͖͔ͨ • Kubernetes ͷ SAτʔΫϯ͸༗ޮظݶ͕Forever • ϖύϘͷKubernetesͷSAτʔΫϯͷ伴͸ࣗಈͰϩʔςʔγϣϯ͍ͯ͠Δ
Կ͕ى͖͔ͨ kube-apiserver Service Account token ূ໌ॻɺ伴ͷߋ৽ɺ഑෍͸HashicorpVaultͰࣗಈԽ kube-controller- manager τʔΫϯͷ෷͍ग़͠ τʔΫϯͷݕূ
Hashicorp Vault Cert Key ূ໌ॻͱ伴ͷࣗಈ഑෍
Կ͕ى͖͔ͨ kube-apiserver Service Account token ূ໌ॻɺ伴ͷߋ৽ɺ഑෍͸HashicorpVaultͰࣗಈԽ kube-controller- manager τʔΫϯͷ෷͍ग़͠ τʔΫϯͷݕূ
Hashicorp Vault Cert Key ূ໌ॻͱ伴ͷࣗಈ഑෍ Ӭٱอଘʂʂʂ
Կ͕ى͖͔ͨ kube-apiserver Service Account token ূ໌ॻɺ伴ͷߋ৽ɺ഑෍͸Hashicorp VaultͰࣗಈԽ kube-controller- manager τʔΫϯͷ෷͍ग़͠
τʔΫϯͷݕূ Hashicorp Vault Cert Key ূ໌ॻͱ伴ͷࣗಈ഑෍ 伴͕ߋ৽͞ΕΔ͜ͱͰ ݕূ͕Ͱ͖ͳ͘ͳΔ
ରॲʂѹ౗త࢑ఆରॲʂʂʂ ಈ͍͍ͯΔϙου͸ಈ͖ଓ͚Δ͕ɺϦεέδϡʔϧ͕Ͱ͖ͳ͍ͷͰ ·ͣ͸ShellͰରॲ ͜ͷ͋ͱɺূ໌ॻͷঢ়گΛ؂ࢹͯ͠ஔ͖׵͑ΔϓϩηεΛಈ͔͍ͯ͠·͢
࠷ޙͷॴײ • ΦϯϓϨKubernetes΍ΔͳΒ؅ཧιϑτ΢ΣΞΛ։ൃͨ͠΄͏͕౷߹తʹ؅ཧͰ͖ΔͷͰ  ࠷ऴίετ͸མͱͤΔͱࢥ͏ • Kubernetesͦͷ΋ͷ͸ͱͯ΋ྑ͘Ͱ͖͍ͯͯɺKubernetesࣗମͷԿ͔Λ౿Ή͜ͱ͸ͦΜͳʹͳ͍ • ࠓ೔঺հ͍ͯ͠ͳ͍ωοτϫʔΫपΓͷΧʔωϧνϡʔχϯάͳͲɺඞཁͳέʔε΋͋ͬͨͷ Ͱɺͦ͏͍͏ྖҬΛݟΕΔਓ͕͍ͳ͍ͱݫ͍͠ͱ͸ࢥ͏ •
େମͷϢʔεέʔε͸VM + DockerͰࣄ଍ΓΔͷͰɺ΄ΜͱʹͦΕKubernetes͍Δͷʁͱ͍͏ έʔε͸݁ߏ͋Δͱࢥ͏ • ͜Ε·Ͱͷιϑτ΢ΣΞʹՃ͑ͯɺKubernetesͱ͍͏ϨΠϠʔ͕ೖΔ͜ͱͰτϥϒϧγϡʔτ ΍؅ཧ͸େมʹͳΔ
͓͠·͍ ࠷৽ͷ࠾༻৘ใΛνΣοΫˠ !QC@SFDSVJU