SlideShare uma empresa Scribd logo

All the troubles you get into when setting up a production ready Kubernetes cluster

Transferir como PPTX, PDF
Jimmy Lu
Jimmy Lu

Have you ever try to set up a Kubernetes cluster manually by your own? It may be a small dish to you to set one up on your laptop. However, things are getting harder and harder once you have more nodes to handle, not to mention you also want security, monitoring, auto-scaling, and federated cluster enabled in the production environments. With more features added, the situation gets even worse and more complicated. We developers in Linker Networks had put in a tremendous amount of time in investigating on how to set up Kubernetes clusters efficiently. We designed and built our own tools to automate and facilitate such the painful processes. In this talk, I'll go through all the details and pitfalls in setting up a production ready cluster. Hopefully, the experience I shared could keep you out of these troubles, saving your precious time.

Software
1 de 42
All The Troubles You Get Into When Setting up a Production-ready Kubernetes Cluster Jimmy Lu Software Engineer @hyvesolutions jimmylu@hyvesolutions.com
Agenda Motivation Recap of Kubernetes Architecture Security Networking Miscellaneous High Availability
Motivation
Motivation • A Million Ways of Deploying a Kubernetes Cluster – DevOpsDays 2017 • https://goo.gl/5yHFHa • We tried to build our own solutions – Kubewizard • Large Clusters • Configurable/Customizable • Easy to Use • Fast • Production Ready • We wanna save your precious time, keeping you out of troubles
Recap of Kubernetes Architecture
Architecture Recap
Architecture Recap – Network
Architecture Recap – Authentication/Authorization
Clinical Cases
Case Study Sample Symptom 01 Diagnosis 02 Therapy 03
Security
SSL/TLS Recap
Architecture Recap
Security – SSL/TLS • Symptom: Unable to connect to the server: x509: certificate signed by unknown authority • Diagnosis: Check the CA data in .kubeconfig file • Therapy: Make your client CA data identical to the CA file assigned to the server • --client-ca-file of kube-apiserver and kubelet, --trusted-ca-file and --trusted- ca-file of etcd, and the CA of your authentication proxy
clusters: - cluster: certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t…… server: https://xxx.xxx.xxx.xxx:6443 name: kw contexts: - context: cluster: kw namespace: default user: kw-admin name: kw current-context: kw kind: Config preferences: {} users: - name: kw-admin user: client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tL…… client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ……
Security – SSL/TLS • Symptom: You try to get the logs via ‘kubectl logs $(pod_name)’ but encounter x509: certificate signed by unknown authority • Diagnosis: Check if kubelet client CA assigned to kube-apiserver is correct • Therapy: Make your kubelet client CA assigned to kube-apiserver via - -kubelet-certificate-authority matches what is assigned to kubelets
Architecture Recap
Security – SSL/TLS • Symptom: Unable to connect to the server: x509: certificate is valid for 10.240.0.4, 10.240.0.5, 35.194.148.244 • Diagnosis: Check IPs and domains in the hosts part of the certificate request • Therapy: Make sure all the IPs and domains are included in your certificate request file when generating the server certificates
{ "CN": "kube-apiserver", "hosts": [ "kw-master-001", "kw-master-002", "10.240.0.4", "10.240.0.5", "35.194.148.244", "35.201.222.64", "35.201.171.127", "10.96.0.1", "127.0.0.1", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [{}] } Kube-DNS domain hostname internal ip external ip load balancer cluster ip
Security – Authentication • X509 Client Certs • Static Token File • Bootstrap Tokens • Static Password File • Service Account Tokens • OpenID Connect Tokens • Webhook Token Authentication • Authenticating Proxy • Keystone Password • Anonymous requests • https://kubernetes.io/docs/admin/au thentication/
Security – Authentication • Symptom: tls: failed to find any PEM data in certificate (or key) input • Diagnosis: Check the certificate and key data in .kubeconfig file • Therapy: Make sure the certificate and key data are correctly signed by the CA you created
clusters: - cluster: certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t…… server: https://xxx.xxx.xxx.xxx:6443 name: kw contexts: - context: cluster: kw namespace: default user: kw-admin name: kw current-context: kw kind: Config preferences: {} users: - name: kw-admin user: client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tL…… client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ……
Security – RBAC Authorization • Symptom: Error from server (Forbidden): User "kubernetes-admin" cannot list nodes at the cluster scope. (get nodes) • Diagnosis: Check clusterrole, clusterrolebinding, role, rolebinding, and the user:group values in the kubeconfig, token, or http-headers • Therapy: Create corresponding roles and rolebindings for the users, groups, or service accounts
certificate request { "CN": "system:node:kw-etcd-001", "names": [ { "O": "system:nodes" } ] } authentication token 2915baa1f710cbada00aad86706ded28,kubelet- bootstrap,10001,"system:kubelet-bootstrap"
configmap clusters: - cluster: certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt server: https://10.96.0.1:443 name: default contexts: …… users: - name: default user: tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
Security – RBAC Authorization • Affects to all the components connecting to apiserver • Symptom: • Failed to list *v1.Pod, *v1.Node, etc. in the logs of all the components that talk to apisrever • kube-proxy – requests to the service cannot be proxied to the endpoints • kube-dns – domain name cannot be resolved • kubelet – nodes cannot join the cluster • overlay network – cannot assign IPs to pods thus no traffic to the pods • kube-controller-manager – primary features of Kubenretes are malfunctioned
Networking
Networking • Symptom: Nodes are in NotReady state when ‘kubectl get nodes’ • Diagnosis: Verify if overlay networks work • Therapy: Install CNI and CNI-plugins and make sure they work as expected
Networking • Symptom: All traffic between pods, or between nodes and pods are dropped • Diagnosis: Look at rules of iptables and routing tables • Therapy: Allow packet forward or downgrade to docker v1.12.x
$ sudo iptables-save -A INPUT -j KUBE-FIREWALL -A FORWARD -j DOCKER-ISOLATION -A FORWARD -o docker0 -j DOCKER -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED - j ACCEPT -A FORWARD -i docker0 ! -o docker0 -j DROP -A FORWARD -i docker0 -o docker0 -j DROP -A OUTPUT -j KUBE-FIREWALL -A DOCKER-ISOLATION -j RETURN
Miscellaneous
Miscellaneous • Symptom: Kubernetes components are signal to stop periodically • Diagnosis: Check the configuration of liveness probe and readiness probe. • Therapy: Make sure the host, port, scheme match the health-check targets. Also, make sure your applications are in the good states
kube-controller-manager.yaml livenessProbe: failureThreshold: 8 httpGet: host: 127.0.0.1 # default to pod’s IP path: /healthz port: 10252 scheme: HTTP initialDelaySeconds: 15 timeoutSeconds: 15
Miscellaneous • Symptom: Cannot create cloud load balancer or dynamic persistent volumes automatically • Diagnosis: Look at --clud-provider argument of kube-apiserver, kube- controller-manager, and kubelet • Therapy: Enable cloud integration by giving correct values to the -- cloud-provider argument
Miscellaneous • Symptom: TLS certificate request cannot work with static pods, -- run_once does not help solving the issue because it’s broken. • Therapy: Either applies TLS certificate request or static pods, not both
High Availability
High Availability • Symptom: controller.go:290] Resetting endpoints for master service "kubernetes" to...' • Diagnosis: Look at the --apiserver-count argument to see if it matches the actual number of apiservers • Therapy: Correct the value of the --apisrever-count argument • https://stackoverflow.com/questions/36337431/kubernetes-newer-api- server-shows-errors-resetting-endpoints-for-master-service
High Availability • Symptom: attempting to acquire leader lease... keep showing in the logs of kube-controller-managers and kube-schedulers • Diagnosis: Check to see if ‘successfully acquired lease…‘ appears in one of the logs of kube-controller-managers and kube-schedulers • Therapy: No action needed
High Availability • Use monit or systemctl to watch over kubelet and docker • Let the health check of external load balancer hits against insecure port of kube-apiserver (--insecure-port, --insecure-bind-address) • Load balancer may sometimes may aggravate the issues. E.g. some apiservers are in the good status, some are not. • etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet should all set to be high available
Kubewizard
Summary • Setting up a distributed system is never easy, especially the complex system like Kubernetes • Some suggestions • Be patient • Step-by-step, reduce the number of control factors to a minimum • Start from a small cluster, then to a HA cluster, then a large cluster • kubectl logs, kubectl describe, systemctl status, journalctl -xe, docker logs, minikube, and kubeadm, Kubernetes-the-hard-way are your good friends • RTFM (Read the Documents)
Q&A

Recomendados

A Million ways of Deploying a Kubernetes Cluster
A Million ways of Deploying a Kubernetes ClusterA Million ways of Deploying a Kubernetes Cluster
A Million ways of Deploying a Kubernetes ClusterJimmy Lu
 
Webcast - Making kubernetes production ready
Webcast - Making kubernetes production readyWebcast - Making kubernetes production ready
Webcast - Making kubernetes production readyApplatix
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with KubernetesEastBanc Tachnologies
 
Orchestrating Docker Containers with Google Kubernetes on OpenStack
Orchestrating Docker Containers with Google Kubernetes on OpenStackOrchestrating Docker Containers with Google Kubernetes on OpenStack
Orchestrating Docker Containers with Google Kubernetes on OpenStackTrevor Roberts Jr.
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionMartin Danielsson
 
Kubernetes HA @ AppDirect - Montreal Kubernetes Meetup
Kubernetes HA @ AppDirect - Montreal Kubernetes MeetupKubernetes HA @ AppDirect - Montreal Kubernetes Meetup
Kubernetes HA @ AppDirect - Montreal Kubernetes Meetupalexgervais
 
Achieving CI/CD with Kubernetes
Achieving CI/CD with KubernetesAchieving CI/CD with Kubernetes
Achieving CI/CD with KubernetesRamit Surana
 
LISA2017 Kubernetes: Hit the Ground Running
LISA2017 Kubernetes: Hit the Ground RunningLISA2017 Kubernetes: Hit the Ground Running
LISA2017 Kubernetes: Hit the Ground RunningChris McEniry
 

Recomendados

A Million ways of Deploying a Kubernetes Cluster
A Million ways of Deploying a Kubernetes ClusterA Million ways of Deploying a Kubernetes Cluster
A Million ways of Deploying a Kubernetes ClusterJimmy Lu
 
Webcast - Making kubernetes production ready
Webcast - Making kubernetes production readyWebcast - Making kubernetes production ready
Webcast - Making kubernetes production readyApplatix
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with KubernetesEastBanc Tachnologies
 
Orchestrating Docker Containers with Google Kubernetes on OpenStack
Orchestrating Docker Containers with Google Kubernetes on OpenStackOrchestrating Docker Containers with Google Kubernetes on OpenStack
Orchestrating Docker Containers with Google Kubernetes on OpenStackTrevor Roberts Jr.
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionMartin Danielsson
 
Kubernetes HA @ AppDirect - Montreal Kubernetes Meetup
Kubernetes HA @ AppDirect - Montreal Kubernetes MeetupKubernetes HA @ AppDirect - Montreal Kubernetes Meetup
Kubernetes HA @ AppDirect - Montreal Kubernetes Meetupalexgervais
 
Achieving CI/CD with Kubernetes
Achieving CI/CD with KubernetesAchieving CI/CD with Kubernetes
Achieving CI/CD with KubernetesRamit Surana
 
LISA2017 Kubernetes: Hit the Ground Running
LISA2017 Kubernetes: Hit the Ground RunningLISA2017 Kubernetes: Hit the Ground Running
LISA2017 Kubernetes: Hit the Ground RunningChris McEniry
 
NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013aspyker
 
Kubernetes @ meetic
Kubernetes @ meeticKubernetes @ meetic
Kubernetes @ meeticSébastien Le Gall
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101Crevise Technologies
 
Secrets in Kubernetes
Secrets in KubernetesSecrets in Kubernetes
Secrets in KubernetesJerry Jalava
 
Serverless technologies with Kubernetes
Serverless technologies with KubernetesServerless technologies with Kubernetes
Serverless technologies with KubernetesProvectus
 
Kubernetes 101 for Developers
Kubernetes 101 for DevelopersKubernetes 101 for Developers
Kubernetes 101 for DevelopersRoss Kukulinski
 
Scaling Docker with Kubernetes
Scaling Docker with KubernetesScaling Docker with Kubernetes
Scaling Docker with KubernetesCarlos Sanchez
 
Building Big Architectures
Building Big ArchitecturesBuilding Big Architectures
Building Big ArchitecturesRamit Surana
 
What's new in Kubernetes
What's new in KubernetesWhat's new in Kubernetes
What's new in KubernetesDaniel Smith
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101Jacopo Nardiello
 
Kubernetes 101 Workshop
Kubernetes 101 WorkshopKubernetes 101 Workshop
Kubernetes 101 WorkshopVishal Biyani
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Ryan Jarvinen
 
Kubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of ContainersKubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of ContainersKel Cecil
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBACKublr
 
Baylisa - Dive Into OpenStack
Baylisa - Dive Into OpenStackBaylisa - Dive Into OpenStack
Baylisa - Dive Into OpenStackJesse Andrews
 
Kubernetes on CloudStack with coreOS
Kubernetes on CloudStack with coreOSKubernetes on CloudStack with coreOS
Kubernetes on CloudStack with coreOSSebastien Goasguen
 
AKS Azure Kubernetes Services - Azure Nights melbourne feb 2018
AKS Azure Kubernetes Services - Azure Nights melbourne feb 2018AKS Azure Kubernetes Services - Azure Nights melbourne feb 2018
AKS Azure Kubernetes Services - Azure Nights melbourne feb 2018Jorge Arteiro
 
Kubernetes on AWS
Kubernetes on AWSKubernetes on AWS
Kubernetes on AWSGrant Ellis
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionPeng Xiao
 
Cluster management with Kubernetes
Cluster management with KubernetesCluster management with Kubernetes
Cluster management with KubernetesSatnam Singh
 
Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019Laurent Bernaille
 
Kubernetes the Very Hard Way. Lisa Portland 2019
Kubernetes the Very Hard Way. Lisa Portland 2019Kubernetes the Very Hard Way. Lisa Portland 2019
Kubernetes the Very Hard Way. Lisa Portland 2019Laurent Bernaille
 

Mais conteúdo relacionado

Mais procurados

NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013aspyker
 
Secrets in Kubernetes
Secrets in KubernetesSecrets in Kubernetes
Secrets in KubernetesJerry Jalava
 
Serverless technologies with Kubernetes
Serverless technologies with KubernetesServerless technologies with Kubernetes
Serverless technologies with KubernetesProvectus
 
Kubernetes 101 for Developers
Kubernetes 101 for DevelopersKubernetes 101 for Developers
Kubernetes 101 for DevelopersRoss Kukulinski
 
Scaling Docker with Kubernetes
Scaling Docker with KubernetesScaling Docker with Kubernetes
Scaling Docker with KubernetesCarlos Sanchez
 
Building Big Architectures
Building Big ArchitecturesBuilding Big Architectures
Building Big ArchitecturesRamit Surana
 
What's new in Kubernetes
What's new in KubernetesWhat's new in Kubernetes
What's new in KubernetesDaniel Smith
 
Kubernetes 101 Workshop
Kubernetes 101 WorkshopKubernetes 101 Workshop
Kubernetes 101 WorkshopVishal Biyani
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Ryan Jarvinen
 
Kubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of ContainersKubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of ContainersKel Cecil
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBACKublr
 
Baylisa - Dive Into OpenStack
Baylisa - Dive Into OpenStackBaylisa - Dive Into OpenStack
Baylisa - Dive Into OpenStackJesse Andrews
 
Kubernetes on CloudStack with coreOS
Kubernetes on CloudStack with coreOSKubernetes on CloudStack with coreOS
Kubernetes on CloudStack with coreOSSebastien Goasguen
 
AKS Azure Kubernetes Services - Azure Nights melbourne feb 2018
AKS Azure Kubernetes Services - Azure Nights melbourne feb 2018AKS Azure Kubernetes Services - Azure Nights melbourne feb 2018
AKS Azure Kubernetes Services - Azure Nights melbourne feb 2018Jorge Arteiro
 
Kubernetes on AWS
Kubernetes on AWSKubernetes on AWS
Kubernetes on AWSGrant Ellis
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionPeng Xiao
 
Cluster management with Kubernetes
Cluster management with KubernetesCluster management with Kubernetes
Cluster management with KubernetesSatnam Singh
 

Mais procurados (20)

NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013
 
Kubernetes @ meetic
Kubernetes @ meeticKubernetes @ meetic
Kubernetes @ meetic
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
 
Secrets in Kubernetes
Secrets in KubernetesSecrets in Kubernetes
Secrets in Kubernetes
 
Serverless technologies with Kubernetes
Serverless technologies with KubernetesServerless technologies with Kubernetes
Serverless technologies with Kubernetes
 
Kubernetes 101 for Developers
Kubernetes 101 for DevelopersKubernetes 101 for Developers
Kubernetes 101 for Developers
 
Scaling Docker with Kubernetes
Scaling Docker with KubernetesScaling Docker with Kubernetes
Scaling Docker with Kubernetes
 
Building Big Architectures
Building Big ArchitecturesBuilding Big Architectures
Building Big Architectures
 
What's new in Kubernetes
What's new in KubernetesWhat's new in Kubernetes
What's new in Kubernetes
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
 
Kubernetes 101 Workshop
Kubernetes 101 WorkshopKubernetes 101 Workshop
Kubernetes 101 Workshop
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17
 
Kubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of ContainersKubernetes - Sailing a Sea of Containers
Kubernetes - Sailing a Sea of Containers
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBAC
 
Baylisa - Dive Into OpenStack
Baylisa - Dive Into OpenStackBaylisa - Dive Into OpenStack
Baylisa - Dive Into OpenStack
 
Kubernetes on CloudStack with coreOS
Kubernetes on CloudStack with coreOSKubernetes on CloudStack with coreOS
Kubernetes on CloudStack with coreOS
 
AKS Azure Kubernetes Services - Azure Nights melbourne feb 2018
AKS Azure Kubernetes Services - Azure Nights melbourne feb 2018AKS Azure Kubernetes Services - Azure Nights melbourne feb 2018
AKS Azure Kubernetes Services - Azure Nights melbourne feb 2018
 
Kubernetes on AWS
Kubernetes on AWSKubernetes on AWS
Kubernetes on AWS
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
Cluster management with Kubernetes
Cluster management with KubernetesCluster management with Kubernetes
Cluster management with Kubernetes
 

Semelhante a All the troubles you get into when setting up a production ready Kubernetes cluster

Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019Laurent Bernaille
 
Kubernetes the Very Hard Way. Lisa Portland 2019
Kubernetes the Very Hard Way. Lisa Portland 2019Kubernetes the Very Hard Way. Lisa Portland 2019
Kubernetes the Very Hard Way. Lisa Portland 2019Laurent Bernaille
 
K8s hard-way on DigitalOcean
K8s hard-way on DigitalOceanK8s hard-way on DigitalOcean
K8s hard-way on DigitalOceanCloudYuga
 
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...Xiaohui Chen
 
Container orchestration k8s azure kubernetes services
Container orchestration k8s azure kubernetes servicesContainer orchestration k8s azure kubernetes services
Container orchestration k8s azure kubernetes servicesRajesh Kolla
 
Pro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-finalPro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-finalMichel Schildmeijer
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes NetworkingCJ Cullen
 
Kubernetes 1.16 and rancher 2.3 enhancements
Kubernetes 1.16 and rancher 2.3 enhancementsKubernetes 1.16 and rancher 2.3 enhancements
Kubernetes 1.16 and rancher 2.3 enhancementsSaiyam Pathak
 
Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307Inhye Park
 
Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)Allan Naim
 
Meetup open stack_grizzly
Meetup open stack_grizzlyMeetup open stack_grizzly
Meetup open stack_grizzlyeNovance
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDays Riga
 
Best Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes ServicesBest Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes ServicesQAware GmbH
 
Kubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOpsKubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOpsJim Bugwadia
 
Encrypt your volumes with barbican open stack 2018
Encrypt your volumes with barbican open stack 2018Encrypt your volumes with barbican open stack 2018
Encrypt your volumes with barbican open stack 2018Duncan Wannamaker
 
From Kubernetes to OpenStack in Sydney
From Kubernetes to OpenStack in SydneyFrom Kubernetes to OpenStack in Sydney
From Kubernetes to OpenStack in SydneySK Telecom
 
DevOps in AWS with Kubernetes
DevOps in AWS with KubernetesDevOps in AWS with Kubernetes
DevOps in AWS with KubernetesOleg Chunikhin
 
DevNexus 2015: Kubernetes & Container Engine
DevNexus 2015: Kubernetes & Container EngineDevNexus 2015: Kubernetes & Container Engine
DevNexus 2015: Kubernetes & Container EngineKit Merker
 

Semelhante a All the troubles you get into when setting up a production ready Kubernetes cluster (20)

Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019
 
Kubernetes the Very Hard Way. Lisa Portland 2019
Kubernetes the Very Hard Way. Lisa Portland 2019Kubernetes the Very Hard Way. Lisa Portland 2019
Kubernetes the Very Hard Way. Lisa Portland 2019
 
K8s hard-way on DigitalOcean
K8s hard-way on DigitalOceanK8s hard-way on DigitalOcean
K8s hard-way on DigitalOcean
 
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
网易云K8S应用实践 | practices for kubernetes cluster provisioning, management and ap...
 
Container orchestration k8s azure kubernetes services
Container orchestration k8s azure kubernetes servicesContainer orchestration k8s azure kubernetes services
Container orchestration k8s azure kubernetes services
 
Pro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-finalPro2516 10 things about oracle and k8s.pptx-final
Pro2516 10 things about oracle and k8s.pptx-final
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
 
CKA_1st.pptx
CKA_1st.pptxCKA_1st.pptx
CKA_1st.pptx
 
AKS
AKSAKS
AKS
 
Kubernetes 1.16 and rancher 2.3 enhancements
Kubernetes 1.16 and rancher 2.3 enhancementsKubernetes 1.16 and rancher 2.3 enhancements
Kubernetes 1.16 and rancher 2.3 enhancements
 
Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307Docker kubernetes fundamental(pod_service)_190307
Docker kubernetes fundamental(pod_service)_190307
 
Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)Openstack days sv building highly available services using kubernetes (preso)
Openstack days sv building highly available services using kubernetes (preso)
 
Meetup open stack_grizzly
Meetup open stack_grizzlyMeetup open stack_grizzly
Meetup open stack_grizzly
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
 
Best Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes ServicesBest Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes Services
 
Kubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOpsKubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOps
 
Encrypt your volumes with barbican open stack 2018
Encrypt your volumes with barbican open stack 2018Encrypt your volumes with barbican open stack 2018
Encrypt your volumes with barbican open stack 2018
 
From Kubernetes to OpenStack in Sydney
From Kubernetes to OpenStack in SydneyFrom Kubernetes to OpenStack in Sydney
From Kubernetes to OpenStack in Sydney
 
DevOps in AWS with Kubernetes
DevOps in AWS with KubernetesDevOps in AWS with Kubernetes
DevOps in AWS with Kubernetes
 
DevNexus 2015: Kubernetes & Container Engine
DevNexus 2015: Kubernetes & Container EngineDevNexus 2015: Kubernetes & Container Engine
DevNexus 2015: Kubernetes & Container Engine
 

Mais de Jimmy Lu

Renaissance of JUnit - Introduction to JUnit 5
Renaissance of JUnit - Introduction to JUnit 5Renaissance of JUnit - Introduction to JUnit 5
Renaissance of JUnit - Introduction to JUnit 5Jimmy Lu
 
Event sourcing with reactor and spring statemachine
Event sourcing with reactor and spring statemachineEvent sourcing with reactor and spring statemachine
Event sourcing with reactor and spring statemachineJimmy Lu
 
Bootify your spring application
Bootify your spring applicationBootify your spring application
Bootify your spring applicationJimmy Lu
 
A Prototype of Brain Network Simulator for Spatiotemporal Dynamics of Alzheim...
A Prototype of Brain Network Simulator for Spatiotemporal Dynamics of Alzheim...A Prototype of Brain Network Simulator for Spatiotemporal Dynamics of Alzheim...
A Prototype of Brain Network Simulator for Spatiotemporal Dynamics of Alzheim...Jimmy Lu
 
The Model of Spatiotemporal Dynamics of Alzheimer’s Disease
The Model of Spatiotemporal Dynamics of Alzheimer’s DiseaseThe Model of Spatiotemporal Dynamics of Alzheimer’s Disease
The Model of Spatiotemporal Dynamics of Alzheimer’s DiseaseJimmy Lu
 
The Models of Alzheimer's Disease Part II
The Models of Alzheimer's Disease Part IIThe Models of Alzheimer's Disease Part II
The Models of Alzheimer's Disease Part IIJimmy Lu
 
The Models of Alzheimer's Disease Part I
The Models of Alzheimer's Disease Part IThe Models of Alzheimer's Disease Part I
The Models of Alzheimer's Disease Part IJimmy Lu
 
The Models of Alzheimer's Disease Part III
The Models of Alzheimer's Disease Part IIIThe Models of Alzheimer's Disease Part III
The Models of Alzheimer's Disease Part IIIJimmy Lu
 
On the Development of a Brain Simulator
On the Development of a Brain SimulatorOn the Development of a Brain Simulator
On the Development of a Brain SimulatorJimmy Lu
 
Design the Brain Simulator
Design the Brain SimulatorDesign the Brain Simulator
Design the Brain SimulatorJimmy Lu
 
Research Proposal and Milestone
Research Proposal and MilestoneResearch Proposal and Milestone
Research Proposal and MilestoneJimmy Lu
 
On the Development of a Brain Simulator
On the Development of a Brain SimulatorOn the Development of a Brain Simulator
On the Development of a Brain SimulatorJimmy Lu
 
Mining the Parkinson's Telemonitoring Data Set
Mining the Parkinson's Telemonitoring Data SetMining the Parkinson's Telemonitoring Data Set
Mining the Parkinson's Telemonitoring Data SetJimmy Lu
 
Brian Simulator (a draft)
Brian Simulator (a draft)Brian Simulator (a draft)
Brian Simulator (a draft)Jimmy Lu
 
Exploring Complex Networks
Exploring Complex NetworksExploring Complex Networks
Exploring Complex NetworksJimmy Lu
 
Brain Network - Thalamocortical Motif
Brain Network - Thalamocortical MotifBrain Network - Thalamocortical Motif
Brain Network - Thalamocortical MotifJimmy Lu
 
How To Build A Personal Portal On Google App Engine With Django
How To Build A Personal Portal On Google App Engine With DjangoHow To Build A Personal Portal On Google App Engine With Django
How To Build A Personal Portal On Google App Engine With DjangoJimmy Lu
 
Brain Networks
Brain NetworksBrain Networks
Brain NetworksJimmy Lu
 

Mais de Jimmy Lu (20)

Renaissance of JUnit - Introduction to JUnit 5
Renaissance of JUnit - Introduction to JUnit 5Renaissance of JUnit - Introduction to JUnit 5
Renaissance of JUnit - Introduction to JUnit 5
 
Event sourcing with reactor and spring statemachine
Event sourcing with reactor and spring statemachineEvent sourcing with reactor and spring statemachine
Event sourcing with reactor and spring statemachine
 
Bootify your spring application
Bootify your spring applicationBootify your spring application
Bootify your spring application
 
A Prototype of Brain Network Simulator for Spatiotemporal Dynamics of Alzheim...
A Prototype of Brain Network Simulator for Spatiotemporal Dynamics of Alzheim...A Prototype of Brain Network Simulator for Spatiotemporal Dynamics of Alzheim...
A Prototype of Brain Network Simulator for Spatiotemporal Dynamics of Alzheim...
 
The Model of Spatiotemporal Dynamics of Alzheimer’s Disease
The Model of Spatiotemporal Dynamics of Alzheimer’s DiseaseThe Model of Spatiotemporal Dynamics of Alzheimer’s Disease
The Model of Spatiotemporal Dynamics of Alzheimer’s Disease
 
The Models of Alzheimer's Disease Part II
The Models of Alzheimer's Disease Part IIThe Models of Alzheimer's Disease Part II
The Models of Alzheimer's Disease Part II
 
The Models of Alzheimer's Disease Part I
The Models of Alzheimer's Disease Part IThe Models of Alzheimer's Disease Part I
The Models of Alzheimer's Disease Part I
 
The Models of Alzheimer's Disease Part III
The Models of Alzheimer's Disease Part IIIThe Models of Alzheimer's Disease Part III
The Models of Alzheimer's Disease Part III
 
On the Development of a Brain Simulator
On the Development of a Brain SimulatorOn the Development of a Brain Simulator
On the Development of a Brain Simulator
 
Design the Brain Simulator
Design the Brain SimulatorDesign the Brain Simulator
Design the Brain Simulator
 
Research Proposal and Milestone
Research Proposal and MilestoneResearch Proposal and Milestone
Research Proposal and Milestone
 
Reward
RewardReward
Reward
 
On the Development of a Brain Simulator
On the Development of a Brain SimulatorOn the Development of a Brain Simulator
On the Development of a Brain Simulator
 
Mining the Parkinson's Telemonitoring Data Set
Mining the Parkinson's Telemonitoring Data SetMining the Parkinson's Telemonitoring Data Set
Mining the Parkinson's Telemonitoring Data Set
 
Brian Simulator (a draft)
Brian Simulator (a draft)Brian Simulator (a draft)
Brian Simulator (a draft)
 
Exploring Complex Networks
Exploring Complex NetworksExploring Complex Networks
Exploring Complex Networks
 
Brain Network - Thalamocortical Motif
Brain Network - Thalamocortical MotifBrain Network - Thalamocortical Motif
Brain Network - Thalamocortical Motif
 
How To Build A Personal Portal On Google App Engine With Django
How To Build A Personal Portal On Google App Engine With DjangoHow To Build A Personal Portal On Google App Engine With Django
How To Build A Personal Portal On Google App Engine With Django
 
Brain Networks
Brain NetworksBrain Networks
Brain Networks
 
WECO Lab
WECO LabWECO Lab
WECO Lab
 

Último

Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 

Último (20)

Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 

All the troubles you get into when setting up a production ready Kubernetes cluster

  • 1. All The Troubles You Get Into When Setting up a Production-ready Kubernetes Cluster Jimmy Lu Software Engineer @hyvesolutions jimmylu@hyvesolutions.com
  • 2. Agenda Motivation Recap of Kubernetes Architecture Security Networking Miscellaneous High Availability
  • 4. Motivation • A Million Ways of Deploying a Kubernetes Cluster – DevOpsDays 2017 • https://goo.gl/5yHFHa • We tried to build our own solutions – Kubewizard • Large Clusters • Configurable/Customizable • Easy to Use • Fast • Production Ready • We wanna save your precious time, keeping you out of troubles
  • 8. Architecture Recap – Authentication/Authorization
  • 14. Security – SSL/TLS • Symptom: Unable to connect to the server: x509: certificate signed by unknown authority • Diagnosis: Check the CA data in .kubeconfig file • Therapy: Make your client CA data identical to the CA file assigned to the server • --client-ca-file of kube-apiserver and kubelet, --trusted-ca-file and --trusted- ca-file of etcd, and the CA of your authentication proxy
  • 15. clusters: - cluster: certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t…… server: https://xxx.xxx.xxx.xxx:6443 name: kw contexts: - context: cluster: kw namespace: default user: kw-admin name: kw current-context: kw kind: Config preferences: {} users: - name: kw-admin user: client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tL…… client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ……
  • 16. Security – SSL/TLS • Symptom: You try to get the logs via ‘kubectl logs $(pod_name)’ but encounter x509: certificate signed by unknown authority • Diagnosis: Check if kubelet client CA assigned to kube-apiserver is correct • Therapy: Make your kubelet client CA assigned to kube-apiserver via - -kubelet-certificate-authority matches what is assigned to kubelets
  • 18. Security – SSL/TLS • Symptom: Unable to connect to the server: x509: certificate is valid for 10.240.0.4, 10.240.0.5, 35.194.148.244 • Diagnosis: Check IPs and domains in the hosts part of the certificate request • Therapy: Make sure all the IPs and domains are included in your certificate request file when generating the server certificates
  • 20. Security – Authentication • X509 Client Certs • Static Token File • Bootstrap Tokens • Static Password File • Service Account Tokens • OpenID Connect Tokens • Webhook Token Authentication • Authenticating Proxy • Keystone Password • Anonymous requests • https://kubernetes.io/docs/admin/au thentication/
  • 21. Security – Authentication • Symptom: tls: failed to find any PEM data in certificate (or key) input • Diagnosis: Check the certificate and key data in .kubeconfig file • Therapy: Make sure the certificate and key data are correctly signed by the CA you created
  • 22. clusters: - cluster: certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t…… server: https://xxx.xxx.xxx.xxx:6443 name: kw contexts: - context: cluster: kw namespace: default user: kw-admin name: kw current-context: kw kind: Config preferences: {} users: - name: kw-admin user: client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tL…… client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQ……
  • 23. Security – RBAC Authorization • Symptom: Error from server (Forbidden): User "kubernetes-admin" cannot list nodes at the cluster scope. (get nodes) • Diagnosis: Check clusterrole, clusterrolebinding, role, rolebinding, and the user:group values in the kubeconfig, token, or http-headers • Therapy: Create corresponding roles and rolebindings for the users, groups, or service accounts
  • 24. certificate request { "CN": "system:node:kw-etcd-001", "names": [ { "O": "system:nodes" } ] } authentication token 2915baa1f710cbada00aad86706ded28,kubelet- bootstrap,10001,"system:kubelet-bootstrap"
  • 25. configmap clusters: - cluster: certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt server: https://10.96.0.1:443 name: default contexts: …… users: - name: default user: tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
  • 26. Security – RBAC Authorization • Affects to all the components connecting to apiserver • Symptom: • Failed to list *v1.Pod, *v1.Node, etc. in the logs of all the components that talk to apisrever • kube-proxy – requests to the service cannot be proxied to the endpoints • kube-dns – domain name cannot be resolved • kubelet – nodes cannot join the cluster • overlay network – cannot assign IPs to pods thus no traffic to the pods • kube-controller-manager – primary features of Kubenretes are malfunctioned
  • 28. Networking • Symptom: Nodes are in NotReady state when ‘kubectl get nodes’ • Diagnosis: Verify if overlay networks work • Therapy: Install CNI and CNI-plugins and make sure they work as expected
  • 29. Networking • Symptom: All traffic between pods, or between nodes and pods are dropped • Diagnosis: Look at rules of iptables and routing tables • Therapy: Allow packet forward or downgrade to docker v1.12.x
  • 30. $ sudo iptables-save -A INPUT -j KUBE-FIREWALL -A FORWARD -j DOCKER-ISOLATION -A FORWARD -o docker0 -j DOCKER -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED - j ACCEPT -A FORWARD -i docker0 ! -o docker0 -j DROP -A FORWARD -i docker0 -o docker0 -j DROP -A OUTPUT -j KUBE-FIREWALL -A DOCKER-ISOLATION -j RETURN
  • 32. Miscellaneous • Symptom: Kubernetes components are signal to stop periodically • Diagnosis: Check the configuration of liveness probe and readiness probe. • Therapy: Make sure the host, port, scheme match the health-check targets. Also, make sure your applications are in the good states
  • 33. kube-controller-manager.yaml livenessProbe: failureThreshold: 8 httpGet: host: 127.0.0.1 # default to pod’s IP path: /healthz port: 10252 scheme: HTTP initialDelaySeconds: 15 timeoutSeconds: 15
  • 34. Miscellaneous • Symptom: Cannot create cloud load balancer or dynamic persistent volumes automatically • Diagnosis: Look at --clud-provider argument of kube-apiserver, kube- controller-manager, and kubelet • Therapy: Enable cloud integration by giving correct values to the -- cloud-provider argument
  • 35. Miscellaneous • Symptom: TLS certificate request cannot work with static pods, -- run_once does not help solving the issue because it’s broken. • Therapy: Either applies TLS certificate request or static pods, not both
  • 37. High Availability • Symptom: controller.go:290] Resetting endpoints for master service "kubernetes" to...' • Diagnosis: Look at the --apiserver-count argument to see if it matches the actual number of apiservers • Therapy: Correct the value of the --apisrever-count argument • https://stackoverflow.com/questions/36337431/kubernetes-newer-api- server-shows-errors-resetting-endpoints-for-master-service
  • 38. High Availability • Symptom: attempting to acquire leader lease... keep showing in the logs of kube-controller-managers and kube-schedulers • Diagnosis: Check to see if ‘successfully acquired lease…‘ appears in one of the logs of kube-controller-managers and kube-schedulers • Therapy: No action needed
  • 39. High Availability • Use monit or systemctl to watch over kubelet and docker • Let the health check of external load balancer hits against insecure port of kube-apiserver (--insecure-port, --insecure-bind-address) • Load balancer may sometimes may aggravate the issues. E.g. some apiservers are in the good status, some are not. • etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet should all set to be high available
  • 41. Summary • Setting up a distributed system is never easy, especially the complex system like Kubernetes • Some suggestions • Be patient • Step-by-step, reduce the number of control factors to a minimum • Start from a small cluster, then to a HA cluster, then a large cluster • kubectl logs, kubectl describe, systemctl status, journalctl -xe, docker logs, minikube, and kubeadm, Kubernetes-the-hard-way are your good friends • RTFM (Read the Documents)
  • 42. Q&A