4. @joatmon08 @TWTechTalksNYC
“Build a Platform”
1. Must be hosted on public cloud.
   Use AWS (existing skills & compliance).
2. Avoid vendor lock-in when possible.
   Use Kubernetes (cross-cloud).
3. Use SaaS products when available.
   Use ??? since EKS was not GA at the time.
5. Building Capability is Difficult
Where do I start?
What’s actually useful?
Running it in production!?
Constraints
● Time
● Developer Capacity
● Active Development
8. Table of Contents
1. Start with a local tutorial. (Minikube)
2. What does it do?! (Deployments)
3. Put it on the cloud. (kops)
4. Somehow, reach my application. (Service Ingress)
5. Manage logging & metrics agents. (DaemonSets)
6. Manage stateful stuff like Consul. (StatefulSets)
7. We need more resources! (Autoscaling)
8. Testing, testing. 1, 2, 3. (Jobs)
9. “Good enough” security. (Secrets & More)
10. The cluster needs to use the new image. (Cluster Rolling Upgrade)
11. Goodbye, cluster! (Backup & Restore)
12. What’s still in backlog after go-live?
9. Suspend Your Disbelief
1. Business Case for Containers / Kubernetes
2. Kubernetes Basics, A to Z
3. Kubernetes Troubleshooting
4. Kubernetes Internals by the Bits
5. Advanced Secrets Management
6. kops Internals by the Bits
7. Advanced Key-Value Stores
8. Building Operational Knowledge (with Chaos Pygmy Marmoset)
Questions? Please wait until the end!
Want the slides? Check Meetup & Twitter!
14. How do we manage these containers?
a. Group them.
b. Write some code to schedule them on resources.
c. Build some connectivity to bridge them all together.
d. Identify them in a human-friendly way.
e. All of the above!
17. What is Minikube?
a. A smaller-than-average Kubernetes cluster.
b. A tool to deploy a local Kubernetes cluster.
c. A packing cube that compresses garments.
d. An alias for famous hip-hop star, Lil Kube.
21. Pods
[Diagram: one Pod holding container xyz on port 123 and container abc on port 456]
PodSpec: “I want container xyz on port 123 & container abc with ports 456.”
● Smallest unit of service
● Groups of containers and/or volumes
● Shared storage / network
https://kubernetes.io/docs/tutorials/k8s101/
https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
22. Deployments
[Diagram: a Deployment holding two identical Pods, each with container xyz on port 123 and container abc on port 456]
Deployment: “And I want 2 pods.”
● (Our) commonly used construct
● Consists of pods
● Reconciliation loop (always maintain desired state)
https://kubernetes.io/docs/tutorials/k8s101/
https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
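Slides 21 and 22 as one manifest, an added example that is not from the talk: a Deployment that asks for two Pods, each a PodSpec with container xyz on port 123 and container abc on port 456 sharing one volume. The image names, the namespace and the resource and user-id values are assumptions; the securityContext and resources fields are what a platform team adds on top of the slide's minimal spec.

```yaml
# Added example, not from the talk. Images, namespace and sizes are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld
  namespace: default
  labels:
    app: helloworld
spec:
  replicas: 2                           # "And I want 2 pods."
  selector:
    matchLabels:
      app: helloworld
  template:                             # the PodSpec the reconciliation loop keeps 2 copies of
    metadata:
      labels:
        app: helloworld
    spec:
      securityContext:
        runAsNonRoot: true              # pod-wide default, inherited by both containers
        runAsUser: 10001                # assumed non-root uid baked into the images
      volumes:
      - name: shared                    # shared storage: both containers see the same files
        emptyDir: {}
      containers:
      - name: xyz
        image: registry.example.com/xyz:1.0   # assumed image
        ports:
        - containerPort: 123
        volumeMounts:
        - name: shared
          mountPath: /shared
        resources:                      # requests drive scheduling, limits cap a runaway container
          requests:
            cpu: 100m
            memory: 64Mi
          limits:
            cpu: 500m
            memory: 128Mi
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true  # only /shared is writable
      - name: abc
        image: registry.example.com/abc:1.0   # assumed image
        ports:
        - containerPort: 456
        volumeMounts:
        - name: shared
          mountPath: /shared
          readOnly: true                # abc consumes what xyz writes, never the reverse
        resources:
          requests:
            cpu: 100m
            memory: 64Mi
          limits:
            cpu: 500m
            memory: 128Mi
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
```

Containers in one Pod also share a network namespace, so abc reaches xyz at localhost:123 with no Service involved; delete one Pod and the Deployment's reconciliation loop brings the count back to 2.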
24. What to use?
https://kubernetes.io/docs/setup/pick-right-solution/#table-of-solutions
43 on the list (as of October 2018)
31. [Diagram, three panels, each a Cluster containing the Service helloworld.default: (1) Type: ClusterIP, reachable only from inside the cluster; (2) Type: LoadBalancer, where a cloud Load Balancer with the DNS Alias helloworld.com forwards straight to helloworld.default; (3) Ingress Controller, where one Load Balancer with the DNS Alias mycluster.com fronts an Ingress Controller that routes the path mycluster.com/hello (/hello) to helloworld.default.]
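The diagram's three options in manifest form, as an added example that is not from the talk: a ClusterIP Service, a LoadBalancer Service, and an Ingress that routes mycluster.com/hello to the ClusterIP Service. Service names, ports, the ingressClassName and the TLS secret name are assumptions; the two Services get different names only so they can share one file (in a real cluster you would keep one of them, and its name is what gives it the DNS name helloworld.default).

```yaml
# Added example, not from the talk. Names, ports and the TLS secret are assumptions.
---
# Panel 1: ClusterIP. Only reachable inside the cluster as helloworld.default
# (short for helloworld.default.svc.cluster.local). This is also the backend
# the Ingress below points at.
apiVersion: v1
kind: Service
metadata:
  name: helloworld
  namespace: default
spec:
  type: ClusterIP
  selector:
    app: helloworld
  ports:
  - name: http
    port: 80
    targetPort: 123                     # container xyz from the Pod slide
---
# Panel 2: LoadBalancer. The cloud provider creates one load balancer per
# Service of this type; the DNS alias helloworld.com is pointed at it outside
# Kubernetes. One LB per public Service is the cost/complexity trade-off.
apiVersion: v1
kind: Service
metadata:
  name: helloworld-lb
  namespace: default
spec:
  type: LoadBalancer
  selector:
    app: helloworld
  ports:
  - name: http
    port: 80
    targetPort: 123
---
# Panel 3: Ingress. One shared load balancer in front of an ingress controller
# (a reverse proxy) that routes by host and path to ClusterIP Services.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: helloworld
  namespace: default
spec:
  ingressClassName: nginx               # assumed: whichever controller is installed
  tls:
  - hosts:
    - mycluster.com
    secretName: mycluster-tls           # assumed Secret holding the certificate and key
  rules:
  - host: mycluster.com
    http:
      paths:
      - path: /hello
        pathType: Prefix
        backend:
          service:
            name: helloworld            # the ClusterIP Service above
            port:
              number: 80
```

The Ingress object is only a routing rule; nothing happens until a controller watching that ingressClassName is running, which is the extra component the next slide's quiz is asking whether to take on.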
32. Should we go for an ingress controller?
a. Yes! It’s a standard for microservices.
b. Yes! We need a reverse proxy.
c. Not now, will add complexity (and scale isn’t a concern).
d. I searched it and it’s an augmented reality game…?
44. What do statefulsets allow that deployments don’t?
a. Scaling.
b. Rolling upgrades.
c. Persistent storage.
d. Sticky identities for pods.
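What a StatefulSet adds, as an added example that is not from the talk, using the Consul case from the table of contents: a headless Service plus a StatefulSet whose pods get the stable names consul-0, consul-1 and consul-2, a matching DNS record each, and a PersistentVolumeClaim each that follows the pod across rescheduling. The Consul image tag, ports, storage size and agent arguments are assumptions chosen only to show the identity mechanism, not a production Consul configuration.

```yaml
# Added example, not from the talk. Image tag, ports, sizes and agent flags are assumptions.
---
apiVersion: v1
kind: Service
metadata:
  name: consul
  namespace: default
spec:
  clusterIP: None               # headless: no VIP; each pod gets its own A record
  selector:
    app: consul
  ports:
  - name: server
    port: 8300
  - name: http
    port: 8500
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: consul
  namespace: default
spec:
  serviceName: consul           # must name the headless Service above
  replicas: 3                   # pods are consul-0, consul-1, consul-2 (a Deployment would get random suffixes)
  podManagementPolicy: OrderedReady   # the default, shown explicitly: create 0, wait for ready, then 1, then 2
  updateStrategy:
    type: RollingUpdate         # upgrades replace one pod at a time, highest ordinal first
  selector:
    matchLabels:
      app: consul
  template:
    metadata:
      labels:
        app: consul
    spec:
      containers:
      - name: consul
        image: consul:1.4.0     # assumed tag
        args:
        - agent
        - -server
        - -bootstrap-expect=3
        - -data-dir=/consul/data
        - -client=0.0.0.0
        # Sticky identity in practice: peers are addressed by the stable
        # per-pod DNS names <pod>.<headless-service>.<namespace>.svc.cluster.local
        - -retry-join=consul-0.consul.default.svc.cluster.local
        - -retry-join=consul-1.consul.default.svc.cluster.local
        - -retry-join=consul-2.consul.default.svc.cluster.local
        ports:
        - name: server
          containerPort: 8300
        - name: http
          containerPort: 8500
        volumeMounts:
        - name: data
          mountPath: /consul/data
  volumeClaimTemplates:         # one PVC per ordinal: data-consul-0, data-consul-1, data-consul-2
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 10Gi
```

Deleting consul-1 brings back a pod with the same name, the same DNS record and the same data-consul-1 claim, which is what a quorum-based store needs and what a Deployment cannot promise; scaling the StatefulSet down does not delete the claims, so the data stays until someone removes them deliberately.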
56. Why don’t my queue consumers scale up?
a. Cookie monster is consuming my queue consumers.
b. They don’t process messages fast enough.
c. They are broken.
d. They pull one message at a time from the queue.
https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-metrics-APIs
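The autoscaling failure the quiz describes, handled with a HorizontalPodAutoscaler as an added example that is not from the talk: a consumer that pulls one message at a time and waits never shows high CPU, however long the queue grows, so a CPU target never fires and the HPA has to scale on queue depth instead. The Deployment name, the external metric name and its selector label are assumptions; an External metric only exists if a metrics adapter (see the linked docs) serves it to the metrics API.

```yaml
# Added example, not from the talk. Names and the metric are assumptions that
# depend on which metrics adapter the cluster runs.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: queue-consumer
  namespace: default
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: queue-consumer          # assumed Deployment running the consumers
  minReplicas: 1
  maxReplicas: 20
  metrics:
  # What does NOT work for one-message-at-a-time consumers: the pod is mostly
  # blocked waiting on the queue, so average CPU never nears 70% and no
  # scale-up happens while the backlog grows.
  # - type: Resource
  #   resource:
  #     name: cpu
  #     target:
  #       type: Utilization
  #       averageUtilization: 70
  #
  # What does work: scale on the backlog itself, published as an External
  # metric by a metrics adapter (assumed metric name and selector).
  - type: External
    external:
      metric:
        name: queue_messages_visible
        selector:
          matchLabels:
            queue: orders
      target:
        type: AverageValue        # backlog divided by current replica count
        averageValue: "10"        # add a consumer for roughly every 10 waiting messages
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300   # ride out short lulls instead of flapping
      policies:
      - type: Pods
        value: 2
        periodSeconds: 60
```

The other quiz options still matter for the same HPA: if the consumers are broken (c) the backlog grows, the HPA keeps adding replicas up to maxReplicas, and nothing improves, so an alert on "replicas at maximum and backlog still rising" is the check that separates (c) from (d).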
62. How can we test it (realistically)?
Test it the same way as the applications that run on it.
(Our CI framework is not inside of the cluster.)
89. More Scale!
● Ingress Controller
● Sidecars for Handling Certificates
● Kubernetes OIDC
● Secrets Management
● Secrets Injection via Init Containers
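The "Secrets Injection via Init Containers" item as a Pod template, an added example that is not from the talk: an init container fetches the secret into a memory-backed emptyDir and exits, and the application container mounts that volume read-only. The fetcher image, its command line and the secret path are hypothetical placeholders for whichever secrets manager is in use; the Kubernetes side of the pattern is what the manifest shows.

```yaml
# Added example, not from the talk. The fetcher image, its CLI and the secret
# path are hypothetical placeholders; the service account name is assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: helloworld
  template:
    metadata:
      labels:
        app: helloworld
    spec:
      serviceAccountName: helloworld    # assumed: the identity the fetcher presents to the secrets store
      volumes:
      - name: secrets
        emptyDir:
          medium: Memory                # tmpfs: never written to node disk, gone when the pod is
      initContainers:
      - name: fetch-secrets             # runs to completion before the app container starts
        image: registry.example.com/secrets-fetcher:1.0   # hypothetical image
        command:
        - /bin/sh
        - -c
        - |
          # hypothetical CLI: authenticates with the mounted service-account
          # token and writes the rendered secret to the shared volume
          secrets-fetch --path secret/helloworld/db --out /secrets/db.env
        volumeMounts:
        - name: secrets
          mountPath: /secrets
        securityContext:
          runAsNonRoot: true
          runAsUser: 10001              # assumed uid
          allowPrivilegeEscalation: false
      containers:
      - name: app
        image: registry.example.com/helloworld:1.0   # assumed image
        volumeMounts:
        - name: secrets
          mountPath: /secrets
          readOnly: true                # the app reads /secrets/db.env and nothing more
        securityContext:
          runAsNonRoot: true
          runAsUser: 10001
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
```

The application never holds credentials for the secrets store and the secret never lands in etcd, on node disk or in the image; the costs are that a Memory-medium emptyDir counts against the pod's memory limit, and that a rotated secret only reaches the app when the pod restarts, which is the point at which the "Sidecars for Handling Certificates" item on the same slide becomes the next step.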
90. Which of the following would NOT give us more security?
a. Ephemeral VMs (Bastions, Masters, and Nodes)
b. Cats on a Turntable
c. PodSecurityPolicy
d. NetworkPolicy
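The two Kubernetes objects from the quiz as manifests, with the current replacement for one of them, as an added example that is not from the talk: a default-deny NetworkPolicy with a single allow rule, the commonly used "restricted" PodSecurityPolicy, and the Pod Security Admission namespace labels that replaced PodSecurityPolicy when it was removed in Kubernetes 1.25. Object names, the namespaces and the ingress-controller namespace label are assumptions.

```yaml
# Added example, not from the talk. Names and namespaces are assumptions.
---
# 1. NetworkPolicy: deny all ingress to every pod in the namespace ...
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: default
spec:
  podSelector: {}                       # empty selector = every pod in the namespace
  policyTypes:
  - Ingress
---
# ... then allow only the ingress controller to reach helloworld on its port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: helloworld-from-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: helloworld
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx   # assumed namespace of the controller
    ports:
    - protocol: TCP
      port: 123
---
# 2. PodSecurityPolicy (policy/v1beta1): the usual "restricted" profile.
# Removed in Kubernetes 1.25; shown because it is what the talk refers to.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
  - ALL
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
    - min: 1
      max: 65535
  volumes:                              # no hostPath: a host mount is a node escape
  - configMap
  - emptyDir
  - projected
  - secret
  - downwardAPI
  - persistentVolumeClaim
---
# 3. Pod Security Admission (1.25+): the same "restricted" profile, enforced
# per namespace by labels instead of by a cluster-wide policy object.
apiVersion: v1
kind: Namespace
metadata:
  name: apps                            # assumed application namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
```

Two checks before trusting either object: a NetworkPolicy is only enforced when the cluster's network plugin implements it (a plugin that does not, such as kubenet, accepts the object and silently ignores it), and a PodSecurityPolicy does nothing until the admission plugin is enabled and a Role grants the pod's service account the use verb on that policy.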
93. Managed Kubernetes?
Maybe some struggles go away…
● Cluster Autoscaler
● Virtual Machine Images
● CI in the Cluster
Questions don’t!
● How do we do scalable RBAC?
● Init container with secrets?
● Resiliency testing when upgrading?
● How do we test our applications & components?
98. There is a lot in the Kubernetes ecosystem.
A community is a powerful resource.
Be hands-on.
Expertise is in the ability to learn.