10 Kube Commandments We've been in the game for years That in - - PowerPoint PPT Presentation

▶

Mar 19, 2024 341 likes •1.02k views

10 Kube Commandments We've been in the game for years That in itself is admirable There's rules to this biz We wrote y'all a manual A step-by-step conf talk for you to get... Your clusters on track And not your releases pushed back Bryan

SLIDE 1

10 Kube Commandments

SLIDE 2

We've been in the game for years

SLIDE 3

That in itself is admirable

SLIDE 4

There's rules to this biz

SLIDE 5

We wrote y'all a manual

SLIDE 6

A step-by-step conf talk for you to get...

SLIDE 7

Your clusters on track

SLIDE 8

And not your releases pushed back

SLIDE 9

Staff Software Engineer Heptio Lots of years Years of Experience @bryanl

Bryan Liles

SLIDE 10

Senior Software Engineer DigitalOcean Observability Cloud Compute Services Systems Engineering @cagedmantis

Carlos Amedee

SLIDE 11

Rule Number Uno To go fast, you must start slow

SLIDE 12

Rule Number Uno To go fast, you must start deliberately

SLIDE 13

Public Cloud Datacenter Your Desktop

SLIDE 14

Public Cloud Datacenter Your Desktop

GKE on Google Cloud
AKS on Azure
*lots of vendors*
kubeadm
*lots of vendors*
Minikube
Minik8s
Docker for Mac or Windows

SLIDE 15

Public Cloud Datacenter

GKE on Google Cloud
AKS on Azure
*lots of vendors*
kubeadm
*lots of vendors*

X X

Not Declarative

SLIDE 16

Cluster API

SLIDE 17

Number Two Always let them know your next move

SLIDE 18

Your next move is the images you'll deploy to your cluster

SLIDE 19

Build Image Host Image

SLIDE 20

docker build

SLIDE 21

docker build

buildah
img
GCP Container Builder

SLIDE 22

Why are you still building your containers with root privileges?

SLIDE 23

Rule Number Three Never trust nobody: Hookup up that Pod Security Policy

SLIDE 24

apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: how-not-to-get-robbed spec: privileged: false runAsUser: rule: MustRunAsNonRoot seLinux: rule: RunAsAny fsGroup: rule: RunAsAny supplementalGroups: rule: RunAsAny volumes:

SLIDE 25

Number Four I know you heard this before: Never get high off what Kube supplies

SLIDE 26

Custom Resource Definition

CRD Custom Controller

SLIDE 27

Custom Resources Pattern

CRD Custom Controller K8s External Resource Native Resource

SLIDE 28

Custom Resources Pattern

CRD Custom Controller Operator

SLIDE 29

Custom Resources Pattern

CRD Custom Controller Native Resource Native Resource Native Resource

SLIDE 30

Rule Number Five Communicating With Pods Never Mix Internal and External Traffic

SLIDE 31

Ingress Traffic

SLIDE 32

Cluster IP

apiVersion: v1 kind: Service metadata: name: sample-service spec: selector: app: sample-app type: ClusterIP ports:

name: http

port: 80 targetPort: 80 protocol: TCP

Pod Pod Pod Service Proxy

SLIDE 33

Node Port

apiVersion: v1 kind: Service metadata: name: my-nodeport-service spec: selector: app: my-app type: NodePort ports:

name: http

port: 80 targetPort: 80 nodePort: 30036 protocol: TCP

Pod Pod Pod Service Pod

SLIDE 34

Load Balancer

apiVersion: v1 kind: Service metadata: name: sample-lb spec: selector: app: some-app type: LoadBalancer ports:

name: http

port: 80 targetPort: 80 protocol: TCP

Pod Pod Pod Service Load Balancer

SLIDE 35

Ingress

apiVersion: extensions/v1beta1 kind: Ingress metadata: name: my-ingress spec: backend: serviceName: other servicePort: 8080 rules:

host: foo.mydomain.com

http: paths:

backend:

serviceName: foo servicePort: 8080

host: mydomain.com

http: paths:

path: /bar/*

backend: serviceName: bar servicePort: 8080

Pod Pod Pod Service Ingress Pod Pod Pod Service

SLIDE 36

Egress Traffic

SLIDE 37

Egress

apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: sample-network-policy spec: podSelector: matchLabels: role: my-app policyTypes:

Egress

egress:

to:
ipBlock:

cidr: 10.0.0.0/24

SLIDE 38

Service Mesh

SLIDE 39

Rule Number Six If You Think You Know What’s Happening In Your Cluster… Forget it.

SLIDE 40

Observability

What’s happening in your cluster?

SLIDE 41

What’s happening on your cluster?

SLIDE 42

Metrics and Alerting

SLIDE 43

Logging

SLIDE 44

Distributed Tracing

SLIDE 45

Observability Dashboard

SLIDE 46

Horizontal Pod Autoscaler

SLIDE 47

Rule Number Seven Keep your storage and the business rules to manage it completely separated.

SLIDE 48

Storage

SLIDE 49

Easily create your own storage implementation

SLIDE 50

Persistent Volume Snapshots

SLIDE 51

Number 8: Using Tools

SLIDE 52

Package Management Configuration Management

SLIDE 53

Helm 2
Bounds of YAML

Package Management

SLIDE 54

Configuration Management

ksonnet
Pulumi
Ballerina

SLIDE 55

SLIDE 56

Other types of tools?

skaffold
kustomize

SLIDE 57

Number 9: Extending Kubernetes

SLIDE 58

What happens if you get an API for free?

SLIDE 59

What happens when you outgrow the Kubernetes API?

SLIDE 60

Number 10: A live word called refinement -- Building On Kubernetes

SLIDE 61

Cluster

App 1 App 2 App 3

"On top of Kubernetes"

SLIDE 62

Cluster

App 1 App 2 App 3

"On Kubernetes"

SLIDE 63

Follow these rules

SLIDE 64

You'll have mad bread to break up

SLIDE 65

10 Kube Commandments

We've been in the game for years

That in itself is admirable

There's rules to this biz

We wrote y'all a manual

A step-by-step conf talk for you to get...

Your clusters on track

And not your releases pushed back

Staff Software Engineer Heptio Lots of years Years of Experience @bryanl

Bryan Liles

Senior Software Engineer DigitalOcean Observability Cloud Compute Services Systems Engineering @cagedmantis

Carlos Amedee

Rule Number Uno To go fast, you must start slow

Rule Number Uno To go fast, you must start deliberately

Public Cloud Datacenter Your Desktop

Public Cloud Datacenter Your Desktop

Public Cloud Datacenter

X X

Not Declarative

Cluster API

Number Two Always let them know your next move

Your next move is the images you'll deploy to your cluster

docker build

docker build

Why are you still building your containers with root privileges?

Rule Number Three Never trust nobody: Hookup up that Pod Security Policy

Number Four I know you heard this before: Never get high off what Kube supplies

Custom Resource Definition

Custom Resources Pattern

Custom Resources Pattern

Custom Resources Pattern

Rule Number Five Communicating With Pods Never Mix Internal and External Traffic

Ingress Traffic

Cluster IP

Node Port

Load Balancer

Ingress

Egress Traffic

Egress

Service Mesh

Rule Number Six If You Think You Know What’s Happening In Your Cluster… Forget it.

Observability

What’s happening in your cluster?

What’s happening on your cluster?

Metrics and Alerting

Logging

Distributed Tracing

Observability Dashboard

Horizontal Pod Autoscaler

Rule Number Seven Keep your storage and the business rules to manage it completely separated.

Storage

Easily create your own storage implementation

Persistent Volume Snapshots

Number 8: Using Tools

Package Management

Configuration Management

Other types of tools?

Number 9: Extending Kubernetes

What happens if you get an API for free?

What happens when you outgrow the Kubernetes API?

Number 10: A live word called refinement -- Building On Kubernetes

Cluster

"On top of Kubernetes"

Cluster

"On Kubernetes"

Follow these rules

You'll have mad bread to break up

If not, 24 hours of on-call with constant wake ups.