Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Introduction à Kubernetes

Avatar for Renaud Chaput Renaud Chaput
October 23, 2017
Technology
2
370

Introduction à Kubernetes

Présenté à Sysadmin Days #7 : https://sysadmindays.fr

Avatar for Renaud Chaput

Renaud Chaput

October 23, 2017
Tweet

More Decks by Renaud Chaput

See All by Renaud Chaput
L'Infrastructure as Code au complet (par Benoit Petit)
Avatar for Renaud Chaput renchap
1
660
Autour des requêtes des TSDB
Avatar for Renaud Chaput renchap
2
570
Operate HBase clusters at Scale
Avatar for Renaud Chaput renchap
1
390
Versions (par Olivier Delhomme)
Avatar for Renaud Chaput renchap
1
420
Prevent business logic attacks using dynamic instrumentation
Avatar for Renaud Chaput renchap
1
430
Atelier Paris Web : Introduction à Docker
Avatar for Renaud Chaput renchap
0
92
Alkemics CI & CD with Jenkins and Docker
Avatar for Renaud Chaput renchap
1
290
Les containers : décryptage
Avatar for Renaud Chaput renchap
2
270
Kubernetes en production : un an après
Avatar for Renaud Chaput renchap
1
310

Other Decks in Technology

See All in Technology
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
Avatar for oracle4engineer oracle4engineer
PRO
4
10k
会社紹介資料 / Sansan Company Profile
Avatar for Sansan, Inc. sansan33
PRO
6
380k
S3アクセス制御の設計ポイント
Avatar for tommy tommy0124
3
190
[ JAWS-UG 東京 CommunityBuilders Night #2 ]SlackとAmazon Q Developerで 運用効率化を模索する
Avatar for sh_fk2 sh_fk2
3
390
バッチ処理で悩むバックエンドエンジニアに捧げるAWS Glue入門
Avatar for morimorikochan diggymo
3
200
20250913_JAWS_sysad_kobe
Avatar for Takuya Yonezawa takuyay0ne
2
150
250905 大吉祥寺.pm 2025 前夜祭 「プログラミングに出会って20年、『今』が1番楽しい」
Avatar for Masaya Kudo msykd
PRO
1
710
allow_retry と Arel.sql / allow_retry and Arel.sql
Avatar for Shintani Teppei euglena1215
1
160
DevIO2025_継続的なサービス開発のための技術的意思決定のポイント / how-to-tech-decision-makaing-devio2025
Avatar for Logy nologyance
1
380
RSCの時代にReactとフレームワークの境界を探る
Avatar for uhyo uhyo
10
3.4k
ChatGPTとPlantUML/Mermaidによるソフトウェア設計
Avatar for gowhich501 gowhich501
1
130
2025年になってもまだMySQLが好き
Avatar for yoku0825 yoku0825
8
4.7k

Featured

See All Featured
Six Lessons from altMBA
Avatar for Skipper Chong Warson skipperchong
28
4k
What’s in a name? Adding method to the madness
Avatar for Product Marketing Alliance productmarketing
PRO
23
3.7k
Optimising Largest Contentful Paint
Avatar for Harry Roberts csswizardry
37
3.4k
Writing Fast Ruby
Avatar for Erik Berlin sferik
628
62k
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.6k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
268
13k
Git: the NoSQL Database
Avatar for Brandon Keepers bkeepers
PRO
431
66k
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
55
6.5k
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
279
23k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
2.8k
Building Applications with DynamoDB
Avatar for Matt Wood mza
96
6.6k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
285
13k

Transcript

  1. Introduction à Kubernetes

  2. Renaud Chaput @renchap

  3. Kubernetes

  4. Historique • Origine : Borg, l’orchestrateur de Google • En

    2014, début du projet “Seven”, son remplaçant • Volonté de le rendre Open Source • Kubernetes est né ! • Version 1.0 en 2015, et don à la CNCF

  5. Objectifs • Découpler infra et applications • Scale • Générique

    / Flexible • Automatisable • Extensible • Portable (cloud provider, bare metal, …)

  6. Un gros projet 1500 contributeurs 32 000 PR depuis 2014

  7. Structure • Code of Conduct et CLA • Doc claire

    sur la participation • Special Interest Groups (SIGs) • Working groups • Committees

  8. Releases

  9. Releases

  10. Features Alpha 1.5 Décembre 2016 Beta 1.7 Juin 2017 Stable

    1.8 Septembre 2017 Alpha 1.6 Mars 2017

  11. Fonctionnement

  12. Objets apiVersion: v1 kind: Pod metadata: name: <name>
 namespace: default


    spec:
 status:

  13. Un même namespace / cgroup
 IP partagée (donc localhost commun)


    Volumes communs
 IPC / … ./rails server ./log_processor.py Pod AppServer Sidecar

  14. apiVersion: v1
 kind: Pod
 metadata: name: nginx
 spec:
 containers: -

    name: nginx image: nginx:1.7.9 ports: - containerPort: 8080 Pod simple

  15. Deployment apiVersion: apps/v1beta2 kind: Deployment metadata:
 name: nginx-deployment
 labels:
 app:

    nginx spec:
 replicas: 3 selector:
 matchLabels:
 app: nginx template: metadata:
 labels:
 app: nginx
 spec:
 containers:
 - name: nginx
 image: nginx:1.7.9
 ports:
 - containerPort: 8080

  16. Service apiVersion: v1 kind: Service metadata:
 name: nginx-svc spec: selector:


    app: nginx ports:
 - protocol: TCP
 port: 80
 targetPort: 8080

  17. db-1 volume-1 StatefulSet Db-2 Volume-2 Db-3 Volume-3

  18. DaemonSet Jobs CronJobs NetworkPolicy Secret Ingress Volume …

  19. Architecture

  20. etcd etcd etcd Key/Value store Distribué Watch

  21. etcd etcd etcd API Server Scheduler Controller manager

  22. kubelet kube-proxy Pod Pod Pod Pod Pod Pod Pod Pod

    Pod Pod

  23. Pré-requis réseau • Tous les containers peuvent communiquer avec entre-eux

    sans NAT • Tous les noeuds peuvent communiquer avec tous les containers sans NAT • L’IP d’un container vue de l’intérieur du container est la même que vu de l’extérieur

  24. Container Runtime • Docker • CRI-O : interface OCI standard

    • rkt (CoreOS) • Frakti : basé sur un hyperviseur

  25. Node 1 Node 2 Node n etcd etcd etcd API

    Server Scheduler Controller manager …

  26. Kubectl $ kubectl apply -f nginx.yaml nginx-svc.yml
 $ kubectl get

    all
 NAME READY STATUS RESTARTS AGE
 po/nginx 1/1 Running 0 12h 
 NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
 svc/nginx-svc 10.0.0.116 <none> 80/TCP 7s

  27. Federation

  28. Add-ons

  29. Kube DNS nginx-svc.my-namespace.svc.cluster.local _http._tcp.nginx-svc.my-namespace.svc.cluster.local 1-2-3-4.default.pod.cluster.local

  30. Dashboard

  31. Ingress controllers • GCP / AWS / … • nginx

    • haproxy

  32. Heapster + InfluxDB, Grafana

  33. Sécurité

  34. Namespaces et quotas apiVersion: v1
 kind: ResourceQuota
 metadata:
 name: compute-resources


    spec:
 hard:
 pods: "4"
 requests.cpu: "1"
 requests.memory: 1Gi
 limits.cpu: "2"
 limits.memory: 2Gi

  35. PodSecurityPolicy apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: permissive spec: seLinux:

    rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny hostPorts: - min: 8000 max: 8080 volumes: - '*' allowedCapabilities: - '*'

  36. NetworkPolicy kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata: name: access-nginx spec: podSelector:

    matchLabels: run: nginx ingress: - from: - podSelector: matchLabels: access: "true"

  37. RBAC kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 namespace: default
 name: pod-reader


    rules:
 - apiGroups: [""] resources: ["pods"]
 verbs: ["get", "watch", “list"] kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: read-pods
 namespace: default
 subjects:
 - kind: User
 name: jane
 apiGroup: rbac.authorization.k8s.io
 roleRef:
 kind: Role
 name: pod-reader
 apiGroup: rbac.authorization.k8s.io

  38. Projets autour • Helm • Kops / Kube-AWS / Bootkube

    / … • Træfik • Prometheus / Sysdig / Datadog / … • Kube-lego, …

  39. Ressources • Minikube! • kubernetes.io • Kubernetes the hard way

    • Slack Kubernetes • Awesome Kubernetes

  40. Questions ?