講師: Tzung-En Chiang, Solutions Architect, Amazon Web Services - Kubernetes Cluster Setup - CI/CD with applications deployed on Kubernetes - IAM - Visibility - Demo - Network Plugin Introduction

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
James Chiang, AWS Solution Architect
2018/03
Kubernetes on AWS

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is Kubernetes?

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Kubernetes concepts
port 8080 port 8080
ReplicaSet
#Pods—2
label selector: v1
ReplicaSet
#Pods—1
label selector: v2
Node
Docker
Pod
Containers

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Kubernetes concepts

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Kubernetes cluster
setup—choices

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CI/CD of apps
on Kubernetes

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Identity and Access
Management (IAM)

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Visibility in cluster

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Region
CloudWatch
Logs
Elasticsearch
Kibana
Fluentd
DaemonSet

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Networking Plugin

30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CNI Plugins
• The Container Network Interface is a set of specs and libs for writing
networking plugins
• Handles standards around namespace and interface configuration
• Configured by passing “—networking CNI” flag in cluster spec; then
installing the desired plugin as a daemonset (run once on all hosts)
• CNI standards have allowed for a number of networking approaches in
Kubernetes, each with their own advantages and disadvantages
https://github.com/containernetworking/cni/blob/master/SPEC.md  you should read this

31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Nginx Pod
Java Pod
ENI
Secondary IPs:
10.0.0.1
10.0.0.2
Veth IP: 10.0.0.1
Veth IP: 10.0.0.2
Nginx Pod
Java Pod
ENI
Veth IP: 10.0.0.20
Veth IP: 10.0.0.22
Secondary IPs:
10.0.0.20
10.0.0.22
ec2.associateaddress()
VPC Subnet – 10.0.0.0/24
Instance 1 Instance 2

32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
• CoreOS project
• Stores configuration data
in etcd
• VXLan for L2 encap
(default)
• Each pod gets a /24
subnet on the flannel /16
overlay

33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
• Open source project
owned by Weaveworks
• No backing k/v store
required; cluster state
replicated in memory
• Supports multicast + NaCL
encryption
• Has DNS service
discovery and load
balancing built in

34. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Overlay Networks
• Agnostic to underlying topology
and platform
• Can easily span networks and
platforms
• Some offer cool functionality
(encryption, multicast)
• No cluster size limitations due to
routes or hosts
• Can be difficult to troubleshoot
due to encapsulation
• Require port mapping on host or
load balancers for access from
other networks
• Performance overhead
• Can’t use security groups
Pros: Cons:

35. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
VPC – 10.0.0.0/16
instance1
10.0.0.10
10.0.0.12
Calico Subnet –
172.16.1.0/16
172.16.0.1/24 172.16.0.2/24
Calico BGP
daemon
instance2
IF on Calico
Subnet –
172.16.0.2/24
instance2
10.0.0.12
Instance2 route table:
172.16.0.1/24 via 10.0.0.10
Src/dst
disabled
instance3
Calico Subnet –
172.16.1.0/16
172.16.0.3/24 172.16.0.4/24
instance4
10.0.1.2210.0.1.20
Calico IPIP tunnel
across subnets

36. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Layer 3 networking (Calico)
• No encap/decap overhead*
• Easier debugging, well known
tools/protocols (iptables, BGP)
• Uses BGP for routing - supports
large clusters
• No cluster size limitations due to
routes or hosts
• Limited to UDP/ICMP/TCP
protocol support
• Uses BGP for routing -
complexity
• Can’t use security groups*
Pros: Cons:
*except across subnets

37. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

38. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
VPC Networking (Kubenet)
• Default networking mode for
KOPS
• --network-plugin=kubenet
• Creates a bridge called
cbr0; connects a Veth pair
to each pods
• Manages an out-of-band
subnet across the cluster
(like Calico, so src/dst =
disabled is required)

39. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
VPC Networking (Kubenet)
• Interacts directly with the VPC
• No encap/decap overhead
• Easier debugging
• Uses VPC routing tables*
• Cluster size limited to number of
routes per subnet
• Can’t use security groups
• Doesn’t automatically update
routes on scaling events
(userdata/lifecycle hooks?)
• Is recommended to be used in its
own subnet to prevent route table
conflicts
Pros: Cons:
*maybe also a negative

40. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.