Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Is Kubernetes On-premises Hardway?
Search
Kazuhiko Yamashita
November 05, 2021
Technology
2
490
Is Kubernetes On-premises Hardway?
CloudNativeDays Tokyo 2021にて登壇した資料です。
Kazuhiko Yamashita
November 05, 2021
Tweet
Share
More Decks by Kazuhiko Yamashita
See All by Kazuhiko Yamashita
ペパボOpenTelemetry革命
pyama86
2
170
Site Reliability Engineering for GMO
pyama86
9
1.1k
PHPアプリケーションのスケーラビリティと 信頼性を革新する nginx+ngx_mrubyとGoの融合
pyama86
2
290
ペパボOpenTelemetry革命
pyama86
0
700
ChatGPTの活用を体現し、 組織に浸透する技術
pyama86
1
910
リリースフラグと プログレッシブデリバリーを活用した 安全なWEBアプリケーションデプロイ
pyama86
2
170
PHPerのためのOpenTelemetry入門
pyama86
1
220
生成AIで仕事を もっとおもしろくする事例と詳解
pyama86
0
140
Goで実装された高速な 仮想待合室サーバの実装と詳解
pyama86
15
7k
Other Decks in Technology
See All in Technology
Max out Local LLM in Challenging Environments
sashimimochi
2
210
IaCからAWSに入門した初心者が CloudFormationを通して考えた「AWS操作」の使い分け
maimyyym
3
620
EM完全に理解した と思ったけど、 やっぱり何も分からなかった話 / EM Night Fukuoka #1
hirutas
0
310
Zero Data Loss Autonomous Recovery Service サービス概要
oracle4engineer
PRO
0
1.9k
令和最新版 Ruby プロファイラ "Pf2" のご紹介
osyoyu
0
170
Grafana x PagerDuty Better Together
jacopen
1
340
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
15
35k
Gemini, Google's Large Language Model
glaforge
0
120
生成AIの変革の時代に、直近1年で直面した課題とその解決策
ktc_wada
1
790
Amplify 🩷 Bedrock 〜生成AI入門〜
minorun365
PRO
10
1.1k
本当のガバクラ基礎
toru_kubota
0
230
AWSに詳しくない人でも始められるコスト最適化ガイド
yuhta28
2
420
Featured
See All Featured
A Modern Web Designer's Workflow
chriscoyier
689
190k
Raft: Consensus for Rubyists
vanstee
133
6.3k
Automating Front-end Workflow
addyosmani
1357
200k
The Invisible Side of Design
smashingmag
294
49k
What the flash - Photography Introduction
edds
64
11k
How to name files
jennybc
65
93k
StorybookのUI Testing Handbookを読んだ
zakiyama
13
4.6k
Testing 201, or: Great Expectations
jmmastey
30
6.4k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
117
18k
It's Worth the Effort
3n
180
27k
GraphQLとの向き合い方2022年版
quramy
33
12k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
26
2.3k
Transcript
Is Kubernetes On-premises Hardway? ʙ݁ࠗɺͦΕରͰ͋Δʙ
ࢁԼ!QZBNB (.0ϖύϘٕज़ج൫νʔϜ γχΞɾϓϦϯγύϧ UFOTOBQPODPN QZBNBGVO TUOTKQ
45/4 -JOVY/444FSWFS TUOTKQ
45/4
https://github.com/pyama86/github-replacer
ϗεςΟϯάࣄۀ &$ࢧԉࣄۀ ϋϯυϝΠυɾͦͷଞࣄۀ
Is Kubernetes On-premises Hardway?
ϚωʔδυαʔϏεͷϝϦοτ • Control Plane/Data Planeͷཧ • όʔδϣϯΞοϓͷ༰қ͞ • Ϋϥυࣄۀऀ͕ఏڙ͢ΔͦͷଞͷϚωʔδυαʔϏεͱͷ࿈ܞͷ༰қ͞ •
ແݶεέʔϦϯά(If you have much money)
ΦϯϓϨϛεͷϝϦοτ • ͯ͢ΛΒͶͳΒͳ͍͕ނʹࣗ༝ • ਓ݅අΛআ͘ϥϯχϯάίετͷ҆͞
ࠓ͢͜ͱ • ϖύϘͷKubernetesΫϥελͷ֓ཁ • Hardwayͩͬͨ͜ͱ • ࠓޙΓ͍ͨ͜ͱ
KubernetesΫϥελ • OpenStack (Nyah) • Nyah Kubernetes Engine(NKE)
KubernetesΫϥελ نײ • ࡐ͝ͱʹΫϥελΛ͓ͯ͠Γɺ23Ϋϥελ(ൃද࣌) • ࡐʹΑͬͯNKE / GKE / EKSͰͷϋΠϒϦουΫϥυͰར༻
• AWS Direct ConnectͰઐ༻ઢར༻
KubernetesΫϥελ ٕज़ج൫νʔϜ Embedded SRE • NKEίϚϯυͷ։ൃ • ϓϦηοτϚχϑΣετͷߋ৽ • Ϋϥελ্Ͱಈ͘ιϑτΣΞͷಋೖ
• όʔδϣϯΞοϓͳͲͷϝϯςφϯε ։ൃͱར༻ऀ͕ҟͳΔ
NKE • ΫϥελͷߏஙɺόʔδϣϯΞοϓ • ΫϥελཧϚχϑΣετͷద༻ • Data PlaneͷՃɺআ • AnsibleΛ༻͍ͨϓϩϏδϣχϯά
ΫϥελཧΛίʔυԽ͠CLIΠϯλʔϑΣʔεʹͨ͠ͷ
NKE ઃఆϑΝΠϧɺൿಗใετΞʹج͖ͮɺ ΫϥελΛߏஙɺӡ༻ VM VM VM NKE tenant- con fi
g.toml Hashicorp Vault conta iner conta iner conta iner
NKE • Golang • Hashicorp Vault • Consul • Packer
ओཁίϯϙʔωϯτ
Kubernetesͷόʔδϣϯཧ
Kubernetesͷόʔδϣϯཧ • NKEͷϒϥϯν͝ͱʹόʔδϣϯཧ • trunk: ։ൃ༻ϒϥϯν • 1.20,1.21 ϦϦʔεϒϥϯν
Kubernetesͷόʔδϣϯཧ trunk 1.20 1.21 Unit Test E2E Test Unit Test
E2E Test Unit Test E2E Test merge merge
Kubernetesͷόʔδϣϯཧ • CIΛར༻ͨ͠ςετΛύεͨ͠߹ɺ։ൃ༻Ϋϥελɺࣾπʔϧ༻Ϋ ϥελͷόʔδϣϯΞοϓίϚϯυΛ࣮ߦ • ֤Ϋϥελͷཧऀ͕όʔδϣϯΞοϓίϚϯυΛ࣮ߦ • ΫϥελʹΑͬͯ2ܥ࣋ͭΑ͏ʹͯ͠ɺόʔδϣϯΞοϓ࡞ۀͳͲͷ μϯλΠϜΛආ͚ΔΛ͍ͯ͠Δ
Kubernetesͷόʔδϣϯཧ • Control Plane,Data PlaneͱʹPodΛ͍ग़ͭͭ͠ɺ ϩʔϦϯάΞοϓσʔτ • Control PlaneɺEtcdʹ͍ͭͯ1ೖΕସ͑͝ͱʹϔϧενΣοΫΛ ͍ΕͯμϯλΠϜΛආ͚͍ͯΔ
Kubernetesͷӡ༻ཧ
Kubernetesͷӡ༻ཧ • ࢹ • ηΩϡϦςΟࠪ • CI/CD • ϩάཧ
Kubernetesͷࢹ Prometheus Alert Manager Grafana mackerel-agent ࣌ܥྻσʔλͷอଘ ڞ௨ϧʔϧʹै͍ɺSlack௨ PrometheusͷσʔλͷϏδϡΞϥΠθʔγϣϯ Prometheus+AlertManagerͷࢹ
KubernetesͷηΩϡϦςΟࠪ • Wazuh • Falco • GateKeeper
Wazuh https://atmarkit.itmedia.co.jp/ait/articles/1902/18/news012.html OSͷઃఆࠪ ෆਖ਼ΞΫηεݕ ੬ऑੑࠪ
Falco ίϯςφͷৼΔ͍ࠪɾݕ
Gatekeeper Admission ControllerͰಈ࡞͢Δ ϚχϑΣετͷࠪͳͲ Ұॹʹͬͯ͘Δਓɺೖࣾͯ͘͠Εʙʙʙʙ
ࣗಈApply ࢹɺηΩϡϦςΟϙϦγʔҰ੪ tag cluster A cluster B cluster C apply
CI/CD • ςετɺίϯςφϏϧυɺ੬ऑੑεΩϟϯGithub ActionsͷSelf Hosted Runner্Ͱ࣮ߦ • ίϯςφΠϝʔδͷεΩϟϯΤϯδϯtrivyΛར༻ • CDArgoCD
+ argocd-image-updaterΛར༻
ϩάཧ Kafkaʹूͯ͠ɺ༻్ʹԠͯ͡SaaS
͜͜·Ͱͨ͜͠ͱ • NKEίϚϯυͷ։ൃʹΑͬͯΫϥελͷߏஙϝϯςφϯεΛࣗಈԽͯ͠ ͍Δ • ࢹηΩϡϦςΟࠪʹ͍ͭͯNKEͰϕʔεͱͳΔͷΛఏڙ • όʔδϣϯΞοϓʹ͍ͭͯE2EͰಈ࡞Λ୲อͭͭ͠ɺ։ൃ༻ΫϥελͰ ͕ͳ͍͜ͱΛ֬ೝͯ͠ɺద༻͍ͯ͠Δ
Hardwayͩͬͨ͜ͱ
1.12.7
[࠶ܝ]KubernetesΫϥελ ٕज़ج൫νʔϜ Embedded SRE • NKEίϚϯυͷ։ൃ • ϓϦηοτϚχϑΣετͷߋ৽ • Ϋϥελ্Ͱಈ͘ιϑτΣΞͷಋೖ
• όʔδϣϯΞοϓͳͲͷϝϯςφϯε ։ൃͱར༻ऀ͕ҟͳΔ
όʔδϣϯΞοϓͷಈػ͕͍͜ͱ͕͋Δ • Ϋϥελͷ༻్ • ୲ऀ͕ଟ • Kubernetesɺ͍͍ͩͨݹͯ͘ಈ͘ • όʔδϣϯΞοϓʹର͢Δ৺ཧোน
όʔδϣϯཧࣗಈԽ͍ͨ͠ NKE Manifests Cluster A NKE Manifests Cluster B NKE
Manifests Cluster C NKE Cluster A Cluster B Cluster C manifestͷఆٛʹج͍ͮͯࣗಈͰऩଋͯ͠΄͍͠
͋Δಥવͷ ”error: You must be logged in to the server
(Unauthorized)”
Կ͕ى͖͔ͨ kube-apiserver Service Account token ServiceAccountͷར༻͍ͯ͠ΔτʔΫϯ͕ࣦޮͯ͠ೝূΤϥʔ
ͳͥى͖͔ͨ • Kubernetes ͷ SAτʔΫϯ༗ޮظݶ͕Forever • ϖύϘͷKubernetesͷSAτʔΫϯͷ伴ࣗಈͰϩʔςʔγϣϯ͍ͯ͠Δ
Կ͕ى͖͔ͨ kube-apiserver Service Account token ূ໌ॻɺ伴ͷߋ৽ɺHashicorpVaultͰࣗಈԽ kube-controller- manager τʔΫϯͷ͍ग़͠ τʔΫϯͷݕূ
Hashicorp Vault Cert Key ূ໌ॻͱ伴ͷࣗಈ
Կ͕ى͖͔ͨ kube-apiserver Service Account token ূ໌ॻɺ伴ͷߋ৽ɺHashicorpVaultͰࣗಈԽ kube-controller- manager τʔΫϯͷ͍ग़͠ τʔΫϯͷݕূ
Hashicorp Vault Cert Key ূ໌ॻͱ伴ͷࣗಈ Ӭٱอଘʂʂʂ
Կ͕ى͖͔ͨ kube-apiserver Service Account token ূ໌ॻɺ伴ͷߋ৽ɺHashicorp VaultͰࣗಈԽ kube-controller- manager τʔΫϯͷ͍ग़͠
τʔΫϯͷݕূ Hashicorp Vault Cert Key ূ໌ॻͱ伴ͷࣗಈ 伴͕ߋ৽͞ΕΔ͜ͱͰ ݕূ͕Ͱ͖ͳ͘ͳΔ
ରॲʂѹతఆରॲʂʂʂ ಈ͍͍ͯΔϙουಈ͖ଓ͚Δ͕ɺϦεέδϡʔϧ͕Ͱ͖ͳ͍ͷͰ ·ͣShellͰରॲ ͜ͷ͋ͱɺূ໌ॻͷঢ়گΛࢹͯ͠ஔ͖͑ΔϓϩηεΛಈ͔͍ͯ͠·͢
࠷ޙͷॴײ • ΦϯϓϨKubernetesΔͳΒཧιϑτΣΞΛ։ൃͨ͠΄͏͕౷߹తʹཧͰ͖ΔͷͰ ࠷ऴίετམͱͤΔͱࢥ͏ • Kubernetesͦͷͷͱͯྑ͘Ͱ͖͍ͯͯɺKubernetesࣗମͷԿ͔Λ౿Ή͜ͱͦΜͳʹͳ͍ • ࠓհ͍ͯ͠ͳ͍ωοτϫʔΫपΓͷΧʔωϧνϡʔχϯάͳͲɺඞཁͳέʔε͋ͬͨͷ Ͱɺͦ͏͍͏ྖҬΛݟΕΔਓ͕͍ͳ͍ͱݫ͍͠ͱࢥ͏ •
େମͷϢʔεέʔεVM + DockerͰࣄΓΔͷͰɺ΄ΜͱʹͦΕKubernetes͍Δͷʁͱ͍͏ έʔε݁ߏ͋Δͱࢥ͏ • ͜Ε·ͰͷιϑτΣΞʹՃ͑ͯɺKubernetesͱ͍͏ϨΠϠʔ͕ೖΔ͜ͱͰτϥϒϧγϡʔτ ཧେมʹͳΔ
͓͠·͍ ࠷৽ͷ࠾༻ใΛνΣοΫˠ !QC@SFDSVJU