Kubernetes in production - LinuxDays in production Tomáš Kukrál LinuxDays 2017 2017-10-07 I....
Kubernetes in production
Tomáš Kukrál
LinuxDays 2017
2017-10-07
1 / 26
Tomáš Kukrál
[email protected]
@tomkukral
Cloud Architect at Mirantis MCP Kubernetes
Python developer
Prev: Infra engineer at FIT CTU
About me
2 / 26
From Docker to Kubernetes
Containers to pods
Cluster network
Modular architecture
Desired state
3 / 26
Kubernetes resources
node - machine
pod - group of containers
rc - replication-controller
svc - service
pv - persistent volume
pvc - pv claim
4 / 26
5 / 26
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: flask
spec:
  replicas: 3
  template:
    metadata:
      labels:
        app: flask
    spec:
      containers:
      - name: nginx
        image: tomkukral/flask-app-demo
        imagePullPolicy: Always
        ports:
        - containerPort: 5000
        env:
        - name: REDIS_MASTER_SERVICE_HOST
          value: redis
6 / 26
Let's install Kubernetes
Minikube
Picokube
Kubeadm
Kubespray
Salt formula Kubernetes
Hosted solutions
7 / 26
Give me a HA!
8 / 26
Know your workloads
Dynamic vs static
Stateful vs stateless
Multi vs single worker application
9 / 26
Kubernetes control plane
Etcd
Apiserver
Scheduler, controller-manager
Kubelet
Proxy
10 / 26
11 / 26
12 / 26
Storage
Kubernetes is dynamic, storage should be dynamic
Ceph RBD or CephFS
AWS EBS, GCP disks
NFS, hostPath
13 / 26
Network
Customer traffic
Overlay vs underlay
Don't use ClusterIP for customer traffic
LoadBalancer or Ingress controller
Advanced tools for microservices: istio, linkerd
14 / 26
15 / 26
Know your images.
Diversity vs unification
Kernel features
Different libraries and versions
Image building pipeline
Registries: registry:2, Atomic registry
Audit images running in cluster
What is gcr.io/google_containers/pause-amd64:3.0?
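One way to audit the images running in a cluster, as an added example that is not part of the original slides: it compares the images declared in pod specs with the images the nodes report, and flags untrusted registries, mutable tags, and images present on a node but declared in no pod spec. The pause image lands in the last group because the kubelet starts it as each pod's infrastructure container. The sample data, the `registry.example.internal:5000` registry and the finding names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data shaped like `kubectl get pods --all-namespaces -o json`
# and `kubectl get nodes -o json` (only the fields read below).
PODS = {"items": [
    {"spec": {"containers": [{"image": "tomkukral/flask-app-demo"}]}},
    {"spec": {"containers": [{"image": "registry.example.internal:5000/db/redis:3.2.11"}]}},
]}
NODES = {"items": [{"status": {"images": [
    {"names": ["gcr.io/google_containers/pause-amd64:3.0"]},
    {"names": ["tomkukral/flask-app-demo:latest"]},
    {"names": ["registry.example.internal:5000/db/redis:3.2.11"]},
]}}]}
TRUSTED = {"registry.example.internal:5000"}  # assumption: your private registry

def normalize(ref):
    """Return (registry, canonical reference, mutable?) with Docker's defaults applied."""
    name, _, digest = ref.partition("@")
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:  # colon after the last slash is a tag, not a port
        name, tag = name.rsplit(":", 1)
    first, sep, rest = name.partition("/")
    if not (sep and ("." in first or ":" in first or first == "localhost")):
        first, rest = "docker.io", name  # no registry host in the reference
    if first == "docker.io" and "/" not in rest:
        rest = "library/" + rest  # Docker Hub official images
    suffix = "@" + digest if digest else ":" + (tag or "latest")
    mutable = not digest and tag in (None, "latest")
    return first, f"{first}/{rest}{suffix}", mutable

def audit(pods, nodes, trusted):
    """Map canonical image reference -> sorted findings."""
    findings, declared = defaultdict(set), set()
    for pod in pods["items"]:
        spec = pod["spec"]
        for c in spec.get("initContainers", []) + spec["containers"]:
            registry, image, mutable = normalize(c["image"])
            declared.add(image)
            if registry not in trusted:
                findings[image].add("untrusted-registry")
            if mutable:
                findings[image].add("mutable-tag")
    for node in nodes["items"]:
        for entry in node["status"].get("images", []):
            names = {normalize(n)[1] for n in entry.get("names") or []}
            if names and not names & declared:  # cached on the node, in no pod spec
                findings[min(names)].add("not-in-any-pod-spec")
    return {image: sorted(f) for image, f in findings.items()}

if __name__ == "__main__":
    for image, found in sorted(audit(PODS, NODES, TRUSTED).items()):
        print(image, ", ".join(found))
```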
16 / 26
Tune your Kubernetes
Etcd - snapshot-count
Apiserver - target-ram-mb, max-*requests-inflight
Controller-manager - concurrent-*
Kubelet - max-pods, *-reserved
All daemons - kube-api-burst, kube-api-qps
Applatix: Making Kubernetes Production Ready – Part 2
17 / 26
LCM plan
update packages?
minor/major updates
etcd updates
networking updates
18 / 26
Component dependencies
Everything is using apiserver
apiserver is using etcd
calico?
Registry
DNS service
19 / 26
Intelligent monitoring
Pods start and die
Workload changes
Adding (and removing) new minions
20 / 26
Backup
Scope of the backups
Recovery scenario
Recover or reborn?
Configuration
21 / 26
You don't need istio and linkerd for your webapp with 3 containers.
22 / 26
Let's run everything in Kubernetes!
23 / 26
Great, let's parse kubectl output!
24 / 26
Demo time!
25 / 26
Thanks for your attention.
See you at Containers Meetup!
26 / 26