Day Two Operations of Kubernetes on AWS (GPSTEC309) - AWS re:Invent 2018
•
0 likes•334 views
You've spent the time designing, architecting, setting up, and configuring your Kubernetes cluster. Now, it's on to day two. "Day two" refers to the functions of scaling, optimizing, monitoring, securing, and in general keeping the lights on. In this talk, we discuss the tools that you have available to help you build a reliable and resilient Kubernetes cluster and run workloads in production. We discuss how to control the network, secure your environment using threat detection, scan your containers for vulnerabilities, use monitoring tools, and create scalable containers and clusters.
Report
Share
Day Two Operations of Kubernetes on AWS (GPSTEC309) - AWS re:Invent 2018
- 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Day Two Operations of Kubernetes on AWS G P S T E C 3 0 9 Chris Hein heichris@amazon.com @christopherhein
- 3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What is this?
- 5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Who can tell us what “Kubernetes” is?
- 6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What is Kubernetes? Open source container management platform Helps you run containers at scale Gives you primitives for building modern applications
- 7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. But… What does that mean?
- 8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Let’s see it $ kubectl get pods -v=7 GET https://apiserver/api/v1/namespaces/default/pods?limit=500 Request Headers: Accept: application/json;as=Table;v=v1beta1;g=meta.k8s.io, application/json User-Agent: kubectl/v1.12.1 (linux/amd64) kubernetes/4ed3216 Response Status: 200 OK in 145 milliseconds Response Headers: Content-Type: application/json Content-Length: 1909 Date: Wed, 28 Nov 2018 00:23:05 GMT Audit-Id: 7b949a88-f3d2-429d-9b19-889c01f2c634 Response Body: ...
- 9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. The API layer { "paths": [ "/api", "/api/v1", "/apis", "/apis/", "/apis/admissionregistration.k8s.io", "/apis/admissionregistration.k8s.io/v1beta1", ... ] }
- 10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Kubernetes objects • A Kubernetes object is a “record of intent” • Persistent entities in the Kubernetes system • Marshal the desired state of your cluster • Pods, Services, Ingress, NetworkPolicies, ConfigMaps, Secrets, etc.
- 11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. The scheduler. state auditreconcile
- 12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What are the benefits?
- 13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What is Day Two operations? Day0 Requirements Architecture Design Day1 Installation Setup Configuration Day2 Security Scaling CI/CD …
- 15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What does Kubernetes give you?
- 16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS CloudFormation • Exportable from Kops • Standard provisioning tool for Amazon Elastic Container Service for Kubernetes (Amazon EKS) Type: "AWS::EKS::Cluster” Properties:` Name: "prod" Version: "1.10" RoleArn: "arn:aws:iam::012345678910:role/eks-service-role" ResourcesVpcConfig: SecurityGroupIds: ["sg-6979fe18"] SubnetIds: ["subnet-6782e71e", "subnet-e7e761ac"]
- 19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Terraform • Exportable from Kops • Standard provisioning tool for Amazon EKS resource "aws_eks_cluster" "demo" { name = "${var.cluster-name}” role_arn = "${aws_iam_role.demo-cluster.arn}" vpc_config { security_group_ids = ["${aws_security_group.demo-cluster.id}"] subnet_ids = ["${aws_subnet.demo.*.id}"] } depends_on = [ "policy_attachment.demo-cluster-AmazonEKSClusterPolicy", "attachment.demo-cluster-AmazonEKSServicePolicy", ] }
- 20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What is gitops?
- 21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What is this?
- 22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. What did that just do?
- 24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Remember this? state auditreconcile
- 26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Where is this used?
- 27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. horizontalpodautoscaling, job, namespace, nodeipam, nodelifecycle, persistentvolume-binder, persistentvolume-expander, podgc, pv- protection, pvc-protection, replicaset, replicationcontroller, resourcequota, route, service, serviceaccount, serviceaccount- token, statefulset, tokencleaner, ttl, ttl- after-finished bootstrapsigner, tokencleaner kube controller manager Each one of these is a control loop on its own
- 28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. How can you use this?
- 29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Wait… controllers, what’s an operator?
- 30. “Operators are domain specific” - Kris Nova
- 31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Extending the control loop Offer a database solution? Offer a storage solution? Offer anything deployed in-cluster? ?
- 33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
- 34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Security basics Malicious User Front End Store Payments Users
- 35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Security is layered Network
- 36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Kubernetes specifics Network Policy Controller Use RBAC Pod Security Policy
- 37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Container CVE scanning Container CVE Scanning Tool
- 38. Thank you! © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Chris Hein heichris@amazon.com @christopherhein
- 39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.