Introduction à Kubernetes

Renaud Chaput @renchap

Kubernetes

Historique • Origine : Borg, l’orchestrateur de Google • En
2014, début du projet “Seven”, son remplaçant • Volonté de le rendre Open Source • Kubernetes est né ! • Version 1.0 en 2015, et don à la CNCF

Objectifs • Découpler infra et applications • Scale • Générique
/ Flexible • Automatisable • Extensible • Portable (cloud provider, bare metal, …)

Un gros projet 1500 contributeurs 32 000 PR depuis 2014

Structure • Code of Conduct et CLA • Doc claire
sur la participation • Special Interest Groups (SIGs) • Working groups • Committees

Releases

Features Alpha 1.5 Décembre 2016 Beta 1.7 Juin 2017 Stable
1.8 Septembre 2017 Alpha 1.6 Mars 2017

Fonctionnement

Objets apiVersion: v1 kind: Pod metadata: name: <name>  namespace: default 
spec:  status:

Un même namespace / cgroup  IP partagée (donc localhost commun) 
Volumes communs  IPC / … ./rails server ./log_processor.py Pod AppServer Sidecar

apiVersion: v1  kind: Pod  metadata: name: nginx  spec:  containers: -
name: nginx image: nginx:1.7.9 ports: - containerPort: 8080 Pod simple

Deployment apiVersion: apps/v1beta2 kind: Deployment metadata:  name: nginx-deployment  labels:  app:
nginx spec:  replicas: 3 selector:  matchLabels:  app: nginx template: metadata:  labels:  app: nginx  spec:  containers:  - name: nginx  image: nginx:1.7.9  ports:  - containerPort: 8080

Service apiVersion: v1 kind: Service metadata:  name: nginx-svc spec: selector: 
app: nginx ports:  - protocol: TCP  port: 80  targetPort: 8080

db-1 volume-1 StatefulSet Db-2 Volume-2 Db-3 Volume-3

DaemonSet Jobs CronJobs NetworkPolicy Secret Ingress Volume …

Architecture

etcd etcd etcd Key/Value store Distribué Watch

etcd etcd etcd API Server Scheduler Controller manager

kubelet kube-proxy Pod Pod Pod Pod Pod Pod Pod Pod
Pod Pod

Pré-requis réseau • Tous les containers peuvent communiquer avec entre-eux
sans NAT • Tous les noeuds peuvent communiquer avec tous les containers sans NAT • L’IP d’un container vue de l’intérieur du container est la même que vu de l’extérieur

Container Runtime • Docker • CRI-O : interface OCI standard
• rkt (CoreOS) • Frakti : basé sur un hyperviseur

Node 1 Node 2 Node n etcd etcd etcd API
Server Scheduler Controller manager …

Kubectl $ kubectl apply -f nginx.yaml nginx-svc.yml  $ kubectl get
all  NAME READY STATUS RESTARTS AGE  po/nginx 1/1 Running 0 12h   NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE  svc/nginx-svc 10.0.0.116 <none> 80/TCP 7s

Federation

Add-ons

Kube DNS nginx-svc.my-namespace.svc.cluster.local _http._tcp.nginx-svc.my-namespace.svc.cluster.local 1-2-3-4.default.pod.cluster.local

Dashboard

Ingress controllers • GCP / AWS / … • nginx
• haproxy

Heapster + InﬂuxDB, Grafana

Sécurité

Namespaces et quotas apiVersion: v1  kind: ResourceQuota  metadata:  name: compute-resources 
spec:  hard:  pods: "4"  requests.cpu: "1"  requests.memory: 1Gi  limits.cpu: "2"  limits.memory: 2Gi

PodSecurityPolicy apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: permissive spec: seLinux:
rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny hostPorts: - min: 8000 max: 8080 volumes: - '*' allowedCapabilities: - '*'

NetworkPolicy kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: access-nginx spec: podSelector:
matchLabels: run: nginx ingress: - from: - podSelector: matchLabels: access: "true"

RBAC kind: Role  apiVersion: rbac.authorization.k8s.io/v1  metadata:  namespace: default  name: pod-reader 
rules:  - apiGroups: [""] resources: ["pods"]  verbs: ["get", "watch", “list"] kind: RoleBinding  apiVersion: rbac.authorization.k8s.io/v1  metadata:  name: read-pods  namespace: default  subjects:  - kind: User  name: jane  apiGroup: rbac.authorization.k8s.io  roleRef:  kind: Role  name: pod-reader  apiGroup: rbac.authorization.k8s.io

Projets autour • Helm • Kops / Kube-AWS / Bootkube
/ … • Træﬁk • Prometheus / Sysdig / Datadog / … • Kube-lego, …

Ressources • Minikube! • kubernetes.io • Kubernetes the hard way
• Slack Kubernetes • Awesome Kubernetes

Questions ?

Introduction à Kubernetes

Introduction à Kubernetes

More Decks by Renaud Chaput

Other Decks in Technology

Featured

Transcript