Day Two Operations of Kubernetes on AWS (GPSTEC309) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Day Two Operations of Kubernetes
on AWS
GPSTEC309
Chris Hein
heichris@amazon.com
@christopherhein
What is this?
Who can tell us what “Kubernetes” is?
What is Kubernetes?
• Open source container management platform
• Helps you run containers at scale
• Gives you primitives for building modern applications
But… What does that mean?
Let’s see it
$ kubectl get pods -v=7
GET https://apiserver/api/v1/namespaces/default/pods?limit=500
Request Headers:
    Accept: application/json;as=Table;v=v1beta1;g=meta.k8s.io, application/json
    User-Agent: kubectl/v1.12.1 (linux/amd64) kubernetes/4ed3216
Response Status: 200 OK in 145 milliseconds
Response Headers:
    Content-Type: application/json
    Content-Length: 1909
    Date: Wed, 28 Nov 2018 00:23:05 GMT
    Audit-Id: 7b949a88-f3d2-429d-9b19-889c01f2c634
Response Body: ...
The API layer
{
  "paths": [
    "/api",
    "/api/v1",
    "/apis",
    "/apis/",
    "/apis/admissionregistration.k8s.io",
    "/apis/admissionregistration.k8s.io/v1beta1",
    ...
  ]
}
Kubernetes objects
• A Kubernetes object is a “record of intent”
• Persistent entities in the Kubernetes system
• Marshal the desired state of your cluster
• Pods, Services, Ingress, NetworkPolicies, ConfigMaps, Secrets, etc.
The scheduler.
[Diagram: control loop with three phases: state, audit, reconcile]
What are the benefits?
What is Day Two operations?
• Day 0: Requirements, Architecture, Design
• Day 1: Installation, Setup, Configuration
• Day 2: Security, Scaling, CI/CD, …
What does Kubernetes give you?
AWS CloudFormation
• Exportable from Kops
• Standard provisioning tool for Amazon Elastic Container Service for Kubernetes (Amazon EKS)
Type: "AWS::EKS::Cluster"
Properties:
  Name: "prod"
  Version: "1.10"
  RoleArn: "arn:aws:iam::012345678910:role/eks-service-role"
  ResourcesVpcConfig:
    SecurityGroupIds: ["sg-6979fe18"]
    SubnetIds: ["subnet-6782e71e", "subnet-e7e761ac"]
Terraform
• Exportable from Kops
• Standard provisioning tool for Amazon EKS
resource "aws_eks_cluster" "demo" {
  name     = "${var.cluster-name}"
  role_arn = "${aws_iam_role.demo-cluster.arn}"

  vpc_config {
    security_group_ids = ["${aws_security_group.demo-cluster.id}"]
    subnet_ids         = ["${aws_subnet.demo.*.id}"]
  }

  # The IAM policy attachments must exist before the cluster is created.
  # Resource type written out in full (aws_iam_role_policy_attachment); the slide text cut it off.
  depends_on = [
    "aws_iam_role_policy_attachment.demo-cluster-AmazonEKSClusterPolicy",
    "aws_iam_role_policy_attachment.demo-cluster-AmazonEKSServicePolicy",
  ]
}
What is gitops?
What is this?
What did that just do?
Remember this?
[Diagram: control loop with three phases: state, audit, reconcile]
26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Where is this used?
kube controller manager
Controllers: horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle, persistentvolume-binder, persistentvolume-expander, podgc, pv-protection, pvc-protection, replicaset, replicationcontroller, resourcequota, route, service, serviceaccount, serviceaccount-token, statefulset, tokencleaner, ttl, ttl-after-finished
Listed separately (disabled by default): bootstrapsigner, tokencleaner
Each one of these is a control loop on its own
How can you use this?
Wait… controllers, what’s an operator?
Extending the control loop
• Offer a database solution?
• Offer a storage solution?
• Offer anything deployed in-cluster?
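As an added example, not code from the deck, here is the audit/reconcile loop from the control-loop diagram and the “Extending the control loop” slide, written as a small Go reconciler for a constructed replica count. The Desired, Audit, Reconcile and Converge names are mine, and an in-memory pod list stands in for the API server; the point to notice is that a pod removed by hand (drift) is put back on the next pass, which is what makes a gitops-driven cluster resist unrecorded manual changes.

```go
package main
import (
	"fmt"
	"sort"
)
// Desired is the "record of intent": how many pods an app should run.
type Desired struct{ App string; Replicas int }
// Audit compares desired state with the observed pods and returns the pod names
// to create and to delete; both empty means the cluster is already in sync.
func Audit(want Desired, observed []string) (create, remove []string) {
	pods := append([]string(nil), observed...)
	sort.Strings(pods)
	for i := 0; len(pods)+len(create) < want.Replicas; i++ { // too few: create
		name := fmt.Sprintf("%s-%d", want.App, i)
		if j := sort.SearchStrings(pods, name); j == len(pods) || pods[j] != name {
			create = append(create, name) // pick a name that is not already taken
		}
	}
	if len(pods) > want.Replicas { // too many: delete the surplus
		remove = pods[want.Replicas:]
	}
	return create, remove
}
// Reconcile applies the audit result to a constructed in-memory "cluster" (a real
// controller would call the API server) and returns the resulting pod list.
func Reconcile(observed, create, remove []string) []string {
	gone := map[string]bool{}
	for _, p := range remove {
		gone[p] = true
	}
	var next []string
	for _, p := range append(create, observed...) {
		if !gone[p] {
			next = append(next, p)
		}
	}
	sort.Strings(next)
	return next
}
// Converge loops audit then reconcile until a pass finds nothing to do, which is how
// drift is undone. It returns the final pod list and how many passes changed state.
func Converge(want Desired, observed []string) ([]string, int) {
	for changes := 0; ; changes++ {
		create, remove := Audit(want, observed)
		if len(create)+len(remove) == 0 {
			return observed, changes
		}
		observed = Reconcile(observed, create, remove)
	}
}
```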
Security basics
[Diagram: a Malicious User and the in-cluster services Front End, Store, Payments and Users]
Security is layered
[Diagram: security layers; labelled layer: Network]
Kubernetes specifics
• Network Policy Controller
• Use RBAC
• Pod Security Policy
Container CVE scanning
[Diagram: a Container CVE Scanning Tool in the image pipeline]
Thank you!
Chris Hein
heichris@amazon.com
@christopherhein