kubernetes the very hard way
play

Kubernetes the Very Hard Way Laurent Bernaille Staff Engineer, - PowerPoint PPT Presentation

Apr 05, 2024 •185 likes •960 views

Kubernetes the Very Hard Way Laurent Bernaille Staff Engineer, Infrastructure @lbernail Datadog 10000s hosts in our infra Over 350 integrations 10s of k8s clusters with 50-2500 nodes Over 1,200 employees Multi-cloud Over 8,000 customers

  1. Kubernetes the Very Hard Way Laurent Bernaille Staff Engineer, Infrastructure @lbernail

  2. Datadog 10000s hosts in our infra Over 350 integrations 10s of k8s clusters with 50-2500 nodes Over 1,200 employees Multi-cloud Over 8,000 customers Very fast growth Runs on millions of hosts Trillions of data points per day lbernail

  3. Why Kubernetes? Dogfooding Immutable Improve k8s integrations Move from Chef Multi Cloud Community Common API Large and Dynamic lbernail

  4. The very hard way?

  5. It was much harder

  6. This talk is about the fine print “Of course, you will need a HA master setup” “Oh, and yes, you will have to manage your certificates” “By the way, networking is slightly more complicated, look into CNI / ingress controllers” lbernail

  7. What happens after “Kube 101” 1. Resilient and Scalable Control Plane 2. Securing the Control Plane a. Kubernetes and Certificates b. Exceptions? c. Impact of Certificate Rotation 3. Efficient networking a. Giving pod IPs and routing them b. Ingresses: Getting data in the cluster lbernail

  8. What happens after “Kube 101” 1. Resilient and Scalable Control Plane 2. Securing the Control Plane a. Kubernetes and Certificates b. Exceptions? c. Impact of Certificate Rotation 3. Efficient networking a. Giving pod IPs and routing them b. Ingresses: Getting data in the cluster lbernail

  9. Resilient and Scalable Control Plane

  10. Kube 101 Control Plane Master etcd apiserver scheduler controllers Service in-cluster kubelet kubectl apps lbernail

  11. Making it resilient Master Master Master etcd etcd etcd apiserver apiserver apiserver scheduler controllers scheduler controllers scheduler controllers Service LoadBalancer in-cluster kubelet kubectl apps lbernail

  12. Kube 101 Control Plane Master etcd apiserver scheduler controllers Service in-cluster kubelet kubectl apps lbernail

  13. Separate etcd nodes etcd etcd Master Master Master apiserver apiserver apiserver scheduler controllers scheduler controllers scheduler controllers Service LoadBalancer in-cluster kubelet kubectl apps lbernail

  14. Single active Controller/scheduler etcd etcd Master Master Master apiserver apiserver apiserver scheduler controllers scheduler controllers scheduler controllers Service LoadBalancer in-cluster kubelet kubectl apps lbernail

  15. Split scheduler/controllers etcd apiserver apiserver apiserver controllers controllers Service LoadBalancer schedulers in-cluster schedulers kubelet kubectl apps lbernail

  16. Split etcd etcd etcd events apiserver apiserver apiserver controllers controllers Service LoadBalancer schedulers in-cluster schedulers kubelet kubectl apps lbernail

  17. Sizing the control plane 2x (3 or 5 nodes) disk + net ios etcd etcd events X nodes RAM + net ios apiserver apiserver apiserver 2 nodes controllers CPU controllers Service LoadBalancer 2 nodes schedulers CPU in-cluster schedulers kubelet kubectl apps lbernail

  18. What happens after “Kube 101” 1. Resilient and Scalable Control Plane 2. Securing the Control Plane a. Kubernetes and Certificates b. Exceptions? c. Impact of Certificate Rotation 3. Efficient networking a. Giving pod IPs and routing them b. Ingresses: Getting data in the cluster lbernail

  19. Kubernetes and Certificates

  20. From “the hard way” lbernail

  21. “Our cluster broke after ~1y” lbernail

  22. Certificates in Kubernetes ● Kubernetes uses certificates everywhere ● Very common source of incidents ● Our Strategy: Rotate all certificates daily lbernail

  23. Certificate management etcd PKI Peer/Server cert etcd Vault t r e c t n e i l C d c t E apiserver lbernail

  24. Certificate management etcd PKI Peer/Server cert etcd Vault t r e c t r e t c n t n e kube PKI e i l c t i e l l e C b u k / r d e v r c e s i t p E A apiserver controllers Controller client cert scheduler Scheduler client cert kubelet Kubelet client/server cert lbernail

  25. Certificate management etcd PKI Peer/Server cert etcd Vault t r e c t r e t c n t n e kube PKI e i l c t i e l l e C b u k / r d e v r c e s i t p E A apiserver SA public key kube kv SA private key controllers Controller client cert n e k o t A S scheduler Scheduler client cert In-cluster kubelet app Kubelet client/server cert lbernail

  26. Certificate management etcd PKI Peer/Server cert etcd Apiservice cert (proxy/webhooks) apiservice PKI Vault t r e c t r e t c n t n e kube PKI e i l c t i e l l e C b u k / r d e v r c e s i t p E A apiserver SA public key kube kv SA private key controllers Controller client cert n e k o t A S scheduler Scheduler client cert In-cluster apiservice kubelet app webhook... Kubelet client/server cert lbernail

  27. Certificate management etcd PKI Peer/Server cert OIDC etcd provider Apiservice cert (proxy/webhooks) apiservice PKI Vault t r e c t r e t c n t n e kube PKI e i l c t i e l l e C b u k / r d e v r c e OIDC auth s i t p E A kubectl apiserver SA public key kube kv SA private key controllers Controller client cert n e k o t A S scheduler Scheduler client cert In-cluster apiservice kubelet app webhook... Kubelet client/server cert lbernail

  28. Exception ? Incident...

  29. Kubelet: TLS Bootstrap apiserver kube PKI Vault 3- Get signing key kube kv controllers 1- Create Bootstrap token admin 2- Add Bootstrap token to vault lbernail

  30. Kubelet: TLS Bootstrap 3- Verify Token and map groups apiserver kube PKI Vault kube kv controllers 2- Authenticate with token 4- Create CSR 5- Verify RBAC for CSR creator 6- Sign certificate 7- Download certificate 8- Authenticate with cert 9- Register node 1- Get Bootstrap token kubelet lbernail

  31. Kubelet certificate issue 1. One day, some Kubelets were failing to start or took 10s of minutes 2. Nothing in logs 3. Everything looked good but they could not get a cert 4. Turns out we had a lot of CSRs in flight 5. Signing controller was having a hard time evaluating them all CSR resources in the cluster Lower is better! lbernail

  32. Why? Kubelet Authentication ● Initial creation: bootstrap token, mapped to group “ system:bootstrappers ” ● Renewal: use current node certificate, mapped to group “ system:nodes “ Required RBAC permissions ● CSR creation ● CSR auto-approval CSR creation CSR auto-approval system:bootstrappers OK OK system:nodes OK lbernail

  33. Exception 2? Incident 2...

  34. Temporary solution apiserver Create webhook with self-signed cert as CA Vault Get cert and key admin webhook kube kv Add self-signed cert + key to Vault One day, after ~1 year ● Creation of resources started failing (luckily only a Custom Resource) ● Cert had expired... lbernail

  35. Take-away ● Rotate server/client certificates ● Not easy But, “If it’s hard, do it often” > no expiration issues anymore lbernail

  36. Impact of Certificate rotation

  37. Apiserver certificate rotation

  38. Impact on etcd apiserver restarts We have multiple apiservers We restart each daily etcd traffic Significant etcd network impact (caches are repopulated) etcd slow queries Significant impact on etcd performances lbernail

  39. Impact on Load-balancers apiserver restarts ELB surge queue Significant impact on LB as connections are reestablished Mitigation: increase queues on apiservers net.ipv4.tcp_max_syn_backlog net.core.somaxconn

  40. Impact on apiserver clients apiserver restarts ● Apiserver restarts ● clients reconnect and refresh their cache coredns memory usage > Memory spike for impacted apps No real mitigation today lbernail

  41. Impact on traffic balance 15MB/s 2.5MB/s Number of connections / traffic very unbalanced Because connections are very long-lived More clients => Bigger impact clusterwide 2300 connections 300 connections lbernail

  42. Why? Simple simulation Simulation for 48h ● 5 apiservers ● 10000 connections (4 x 2500 nodes) ● Every 4h, one apiserver restarts ● Reconnections evenly dispatched Cause ● Cloud TCP load-balancers use round-robin ● Long-lived connections ● No rebalancing lbernail

  43. Kubelet certificate rotation

  44. Pod graceful termination admin or apiserver controller Delete pod Stop Container with timeout “terminationGracePeriodSeconds” kubelet containerd Send SIGTERM After timeout, send SIGKILL container

  45. Restarts impact graceful termination admin or apiserver controller Delete pod kubelet containerd Send SIGTERM After timeout, or Context Cancelled send SIGKILL container Kubelet restarts end graceful termination Fixed upstream “Do not SIGKILL container if container stop is cancelled” https://github.com/containerd/cri/pull/1099

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Continuous Delivery the hard way with Kubernetes Luke Marsden, Developer Experience @lmarsden

Continuous Delivery the hard way with Kubernetes Luke Marsden, Developer Experience @lmarsden

Continuous Delivery the hard way with Kubernetes Luke Marsden, Developer Experience @lmarsden Agenda 1. Why should I deliver continuously? 2. Kubernetes primer 3. GitLab primer 4. OK, so weve got these pieces, how are we going to put

638 views • 62 slides
Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes

Airflow on Kubernetes: Containerizing your Workflows By Michael Hewitt Agenda Kubernetes Overview 1 Airflows integration with Kubernetes 2 Deployment of Airflow on Kubernetes 3 Kubernetes Pod Operator and its benefits 4 DAG Development

2.79k views • 14 slides
Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like - Sec-ish - Ops-y Is this Kubernetes cluster secure? EPIC FAIL GIF How secure is Kubernetes? What this Kubernetes talk is about Common Pwns

1.18k views • 113 slides
Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source

Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source

Kubernetes Matthias Haeussler Mirna Alaisami Overview Overview Kubernetes is an open-source platform designed to automate deploying , scaling , and operating application containers . Kubernetes v1.0 was released in 2015. It utilizes

916 views • 52 slides
K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi

K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi

K8s or Die! You must do Kubernetes. Or should you? If so when, where, why? How?! Marco Ceppi @marcoceppi Ryan Beisner @ryanbeisner Why Kubernetes Computing in the modern age Virtual Process Machines Containers Traditional Container

516 views • 24 slides
From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang

From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang

From Laptop to the World With Kubernetes @saturnism @googlecloud #kubernetes Ray Tsang Developer Advocate Google Cloud Platform @saturnism | +RayTsang @saturnism @googlecloud #kubernetes Ray Tsang Developer Architect Traveler

1.29k views • 65 slides
Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes

Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes

Contributing to kubernetes Who am I? Senior Software Engineer at Gojek Organizer at Kubernetes & Cloud Native Meetups in Jakarta and Bandung https://www.meetup.com/jakarta-kubernetes/ https://www.meetup.com/Microservice-JKT/ You can find

709 views • 47 slides
Developing Kubernetes Services at Airbnb Scale @MELANIECEBULA What is kubernetes?

Developing Kubernetes Services at Airbnb Scale @MELANIECEBULA What is kubernetes?

@MELANIECEBULA / MARCH 2019 / CON LONDON Developing Kubernetes Services at Airbnb Scale @MELANIECEBULA What is kubernetes? @MELANIECEBULA Who am I? A BRIEF HISTORY @MELANIECEBULA Why Microservices? 4000000 3000000 2000000 MONOLITH

1.74k views • 111 slides
Kubernetes Networking and Istio Apurva Bhandari $whoami SRE / DevOps Docker & Kubernetes

Kubernetes Networking and Istio Apurva Bhandari $whoami SRE / DevOps Docker & Kubernetes

Kubernetes Networking and Istio Apurva Bhandari $whoami SRE / DevOps Docker & Kubernetes Enthusiast Speaker at Meetups Email: apurvbhandari@gmail.com LinkedIn: https://www.linkedin.com/in/apurvabhandari-linux GitHub:

2.16k views • 28 slides
Kubernetes APIs Under the Hood @pwittrock Who Am I? Phillip Wittrock (@pwittrock) Software

Kubernetes APIs Under the Hood @pwittrock Who Am I? Phillip Wittrock (@pwittrock) Software

Kubernetes APIs Under the Hood @pwittrock Who Am I? Phillip Wittrock (@pwittrock) Software Engineer at Google working on GKE and OSS Kubernetes My mission is to make using Kubernetes simple and enjoyable You might have come across me

1.12k views • 27 slides
Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes

Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes

Stateful workloads on kubernetes with ceph Agenda CaaS Kubernetes Ceph Storage Operation NVRAMOS 2019 10/28/2019 Cloud Service Model On Premises IaaS CaaS PaaS SaaS Applications Applications

660 views • 36 slides
Kubernetes Administration from Zero to (junior) Hero Lszl Budai Component Soft Ltd.

Kubernetes Administration from Zero to (junior) Hero Lszl Budai Component Soft Ltd.

Kubernetes Administration from Zero to (junior) Hero Lszl Budai Component Soft Ltd. Agenda 1.Introduction 2.Accessing the kubernetes API 3.Kubernetes workloads 4.Accessing applications 5.Volumes and persistent storage 2 (c) 2018

1.17k views • 57 slides
OpenStack on Kubernetes: Make OpenStack and Kubernetes Fail-Safe Seungkyu Ahn (ahnsk@sk.com)

OpenStack on Kubernetes: Make OpenStack and Kubernetes Fail-Safe Seungkyu Ahn (ahnsk@sk.com)

OpenStack on Kubernetes: Make OpenStack and Kubernetes Fail-Safe Seungkyu Ahn (ahnsk@sk.com) Jaesuk Ahn (jay.ahn@sk.com) Open System Lab Network IT Convergence R&D Center SK Telecom Wil Reichert (wil@solinea.com) Solinea What will

1.26k views • 46 slides
Lessons learnt building Kubernetes controllers David Cheney - Heptio gday Craig McLuckie

Lessons learnt building Kubernetes controllers David Cheney - Heptio gday Craig McLuckie

Lessons learnt building Kubernetes controllers David Cheney - Heptio gday Craig McLuckie and Joe Beda 2/3rds of a pod Connaissez-vous Kubernetes? Kubernetes is an open-source system for automating deployment, scaling, and

747 views • 63 slides
Kubernetes on ARM64 Kubernetes on ARM64 Raspberry PI 4 Kubernetes cloud for a Raspberry PI 4

Kubernetes on ARM64 Kubernetes on ARM64 Raspberry PI 4 Kubernetes cloud for a Raspberry PI 4

Kubernetes on ARM64 Kubernetes on ARM64 Raspberry PI 4 Kubernetes cloud for a Raspberry PI 4 Kubernetes cloud for a few Euros! few Euros! Jean-Frederic Clere Jean-Frederic Clere @jfclere @jfclere Fosdem 2020 Feb. 1-2, 2020 TM Who am I?

529 views • 26 slides
Lecture 3: Kubernetes AC295 AC295 Advanced Practical Data Science Pavlos Protopapas Outline

Lecture 3: Kubernetes AC295 AC295 Advanced Practical Data Science Pavlos Protopapas Outline

Lecture 3: Kubernetes AC295 AC295 Advanced Practical Data Science Pavlos Protopapas Outline 1: Communications 2: Recap 3: Introduction to Kubernetes 4: Creating and Running Containers | Review 5: Anatomy of a Kubernetes Cluster 6:

820 views • 38 slides
Draft Report & Recommendations Briefing for: Mayors Task Force on the Prevention of

Draft Report & Recommendations Briefing for: Mayors Task Force on the Prevention of

Briefing on: Draft Report & Recommendations Briefing for: Mayors Task Force on the Prevention of Flooding in Bloomingdale and LeDroit Park December 6, 2012 1 1 Agenda Task Force Report Overview Section 1 - Introduction

553 views • 18 slides
IN A LAGRANGIAN MODELLING SYSTEM FOR EMERGENCY RESPONSE PURPOSES Patrick ARMAND 1 , Christophe

IN A LAGRANGIAN MODELLING SYSTEM FOR EMERGENCY RESPONSE PURPOSES Patrick ARMAND 1 , Christophe

RECENT PHYSICAL DEVELOPMENTS IN A LAGRANGIAN MODELLING SYSTEM FOR EMERGENCY RESPONSE PURPOSES Patrick ARMAND 1 , Christophe OLRY 2 , Jacques MOUSSAFIR 2 , Armand ALBERGEL 2 , and Olivier OLDRINI 3 1 Commissariat lnergie Atomique et aux

301 views • 15 slides
Illustra(on showing the new shipping lane with easy direct

Illustra(on showing the new shipping lane with easy direct

Illustra(on showing the new shipping lane with easy direct from the open Pacific Ocean, direct to Waimango Port and illustra(ng the central posi(on of

654 views • 16 slides
IP IP Ea Earn rnings ings Anc Anchor hored ed 14% 14% Gr Growt owth h in in Gr Group

IP IP Ea Earn rnings ings Anc Anchor hored ed 14% 14% Gr Growt owth h in in Gr Group

IP IP Ea Earn rnings ings Anc Anchor hored ed 14% 14% Gr Growt owth h in in Gr Group oup Cor Core e Pr Profit ofit The Wharf (Holdings) Limited 2016 Interim Results 10 Aug 2016 1 Ov Over ervie view Hong Kong IP China IP

789 views • 55 slides
Public Utilities Commission Fiscal Year 2016 17 and 2017 18 2 Year Capital Budget

Public Utilities Commission Fiscal Year 2016 17 and 2017 18 2 Year Capital Budget

Public Utilities Commission Fiscal Year 2016 17 and 2017 18 2 Year Capital Budget Request Capital Planning Committee March 14, 2016 2 Year Capital Budget Development Capital budget was developed as part of update to the 10

420 views • 23 slides
WATER COMMITTEE MEETING June 24, 2020 (Via Teleconference) Agenda AGENDA Opening Remarks A.

WATER COMMITTEE MEETING June 24, 2020 (Via Teleconference) Agenda AGENDA Opening Remarks A.

Regional Service Through Unity Meeting our Regions Needs Today and Tomorrow WATER COMMITTEE MEETING June 24, 2020 (Via Teleconference) Agenda AGENDA Opening Remarks A. Chairman/Executive Director/Committee Champion Status Report

1.2k views • 85 slides
C Community Board Eight Community Board Eight C it B it B d Ei ht d Ei ht Second Avenue

C Community Board Eight Community Board Eight C it B it B d Ei ht d Ei ht Second Avenue

1 SECOND AVENUE SUBWAY PROJECT C Community Board Eight Community Board Eight C it B it B d Ei ht d Ei ht Second Avenue Subw ay Task Force Second Avenue Subw ay Task Force June 17th 2008 June 17th 2008 June 17th , 2008 June 17th ,

964 views • 59 slides
Technical Team Meeting #10 February 24, 2014 CDOT I-70 Mountain Corridor | HDR Engineering,

Technical Team Meeting #10 February 24, 2014 CDOT I-70 Mountain Corridor | HDR Engineering,

STATE OF COLORADO DEPARTMENT OF TRANSPORTATION REGION 1 I-70 MTN CORRIDOR PROGRAM 425A CORPORATE CIRLCE - GOLDEN, CO 80401 (720) 497-6900 (OFFICE), (720) 497-6901 (FAX) I-70 EB Peak Period Shoulder Lane Project Project Number: NHPP 0703-401

1.23k views • 92 slides

More recommend