Kubernetes, dépassionné et pour les ultra débutants

Devoxx France 2023 Kubernetes, dépassionné et pour les ultra débutants Deep Dive

kers Spea Sébastien Blanc Horacio Gonzalez Sun Tan DevRel Aiven @sebi2706 DevRel OVHCloud @LostInBrittany Senior Software Engineer Red Hat @_sunix

INTRODUCTION Devoxx France 2023 AGENDA Why Kubernetes Containers What is Kubernetes? 1 - DIVE INTO K8S BUILDING BLOCKS Playing with kubectl YAML 2 - BEING A GOOD CLOUD NATIVE CITIZEN Requests and limits Health probes ConfigMap and Secrets 3 - ADVANCED K8S Persistent Volumes jKube Tolerance and taints Operators Quizz Kaoot : Le livre d’Aurélie

Devoxx France 2023 Introduction WHY KUBERNETES? CONTAINERS WHAT IS KUBERNETES?

k8s? Why A typical Java application Based on real life experiences

Pain point #1 MANUAL DEPLOYMENTS

Pain point #2 SCALING

Pain point #3 DEVELOPER ENVIRONMENT

Kubernetes To the rescue!

13 Source: https://pixabay.com

k8s? Why Think Big, Start Small, Scale Learn Fast Jim Carroll

k8s? Why Start small with Containers - Containers are used in Kubernetes - Containers could be used without Kubernetes

Devoxx France 2023 Introduction WHY KUBERNETES? CONTAINERS WHAT IS KUBERNETES?

iners Conta Container evolution Source: https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/

Container tools Docker Podman The most popular Daemon less Pods/containers

iners Conta Run an existing container 1. Select one from a Container Registry ● Docker.io https://hub.docker.com/_/httpd ● Quay.io 2. Run the container: $ docker run -p 8080:80 httpd:alpine 3. Access to the container http://localhost:8080 https://asciinema.org/a/PeItFbYUE8CFXcOezU9gtXXdO

iners Conta Inside the container 1. Execute a command in the container: $ docker ps $ docker exec [container-id] pwd 2. Get an interactive terminal(tty) inside the container $ docker exec -it [container-id] /bin/sh 3. Look at the filesystem and the processes https://asciinema.org/a/2fDbvIvFFRybcLhqhPuXNTrHA

iners Conta Containers are isolated processes of the host Source: https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/

iners Conta Create your own container image 1. Create a Dockerfile FROM docker.io/tomcat:10.1-jdk17-openjdk COPY target/*.war /usr/local/tomcat/webapps/ROOT.war 2. Build $ mvn clean install $ docker build -f src/main/docker/Dockerfile -t quay.io/sunix/hello-tomcat . https://asciinema.org/a/UiWGMAp5YllZO3konDnAvMya2

iners Conta Containers were there for a while Source: https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/

iners Conta Create your own container image 1. Create a Dockerfile 2. Build 3. Push $ docker login quay.io $ docker push quay.io/sunix/hello-tomcat 4. Run $ docker run -p 8888:8080 quay.io/sunix/hello-tomcat https://asciinema.org/a/8E0RbNOlayQVTwLVCDSdtYntb

iners Conta Container image From Zero to production with IaC Source code Build Push/Pull Run anywhere Basically a Dockerfile Using `Docker or Podman Optionally to a container image registry like dockerhub or quay.io Any linux host that support container technology should be able to run it. Source: https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/

iners Conta versus a Java application From Zero to production Source code Build Push/Pull Run anywhere Basically Java files Using Maven, or Gradle Optionally to a Maven repo like Nexus or Artifactory Any OS host that support JVM technology should be able to run it. Source: https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/

iners Conta Containers limitations Source: https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/

iners Conta Containers are easy for Devs No more “It works on my computer” problem!

iners Conta Less simple if you must operate them Like in a production context…

iners Conta Containers opened the doors to microservices Are you sure you want to operate them by hand?

iners Conta Kubernetes is a full orchestrator A shepherd for your containers

iners Conta A sweet spot between features and complexity And marketing, foundations and money

Devoxx France 2023 Introduction WHY KUBERNETES? CONTAINERS WHAT IS KUBERNETES?

Kube rnete s An open-source container orchestration system A cluster of instances

Kube rnete s Kubernetes cluster: more details

Kube rnete s Desired State management Declarative infrastructure

Kube rnete s Desired State management Let’s begin with five objects

tes? What is Ku berne Kubernetes Cluster - Nodes Node kubelet Node kubelet Node kubelet Node kubelet Node kubelet Node kubelet Primary api etcd scheduler controllers Istio proxy

tes? What is Ku berne Kubernetes Cluster - Declarative API Node kubelet Node kubelet Node kubelet Node kubelet Node kubelet Node kubelet Primary api image: repo/mytomcat:v1 replicas: 4 etcd scheduler controllers Istio proxy

tes? What is Ku berne K8s Cluster - 4 Tomcat Instances Node kubelet Node kubelet Node kubelet Node kubelet Node kubelet Node kubelet Primary api etcd scheduler controllers Istio proxy

tes? What is Ku berne Kubernetes Cluster - Pod Failure Node Primary kubelet Node kubelet Node kubelet kubelet Node kubelet Node kubelet X api etcd scheduler Node controllers Istio proxy

tes? What is Ku berne Kubernetes Cluster - Recovery Node kubelet Node kubelet Node kubelet Node kubelet Node kubelet Node kubelet Primary api etcd scheduler controllers Istio proxy

tes? What is Ku berne Kubernetes Cluster - Node Failure Node Primary api etcd scheduler kubelet Node kubelet Node kubelet Node kubelet Node kubelet X Node kubelet controllers Istio proxy

tes? What is Ku berne Kubernetes Cluster - Pods Replaced Node kubelet Node kubelet Node kubelet Node kubelet Primary api etcd scheduler Node kubelet controllers Istio proxy

tes? What is Ku berne Kubernetes Cluster - New Node Node kubelet Node kubelet Node kubelet Node kubelet Node kubelet Node kubelet Primary api etcd scheduler controllers Istio proxy

Devoxx France 2023 1 - Dive Into K8S Building Blocks PLAYING WITH KUBECTL YAML

th ku bectl Playi ng wi Kubectl > pronunciation fight Pronounce “kubectl” as you want :-)

th ku bectl ng wi Playi Kubectl > kubernetes tool/cli

Devoxx France 2023 1 - Dive Into K8S Building Blocks PLAYING WITH KUBECTL YAML

K8S Y AML Kubernetes - A distributed and structured YAML database • CRUD, structured and typed objects: Resources • Resources live in Namespaces https://asciinema.org/a/lfxttSBoSoVH9hkS4lOxzuGdk

K8S Y AML Create a Resource object • speaker.yaml apiVersion: “stable.world.com/v1” kind: Speaker metadata: name: horacio spec: name: “Horacio” title: “DevRel at OVH Cloud” action: “speak” • Execute $ kubectl apply -f speaker.yaml $ kubectl get Speaker

K8S Y AML Kubernetes - A distributed and structured YAML database - Controllers that do the job ● Listening to Resources Create/Update/Delete events: the user requirements ● Perform to match the user requirements

K8S Y AML Kubernetes Source: https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/

K8S Y AML Kubernetes - A distributed and structured YAML database - Controllers that do the job ● Listening to Resources Create/Update/Delete events: the user requirements ● Perform to match the user requirements - By default, a set of Resources and Controllers to manage a cluster of machines

K8S Y AML Pod 1-n containers sharing network addressing/volumes, etc. • mypod.yaml apiVersion: v1 kind: Pod metadata: name: mypod spec: containers: - name: hellotomcat-container image: quay.io/sunix/hello-tomcat ports: - containerPort: 8080 imagePullPolicy: IfNotPresent https://asciinema.org/a/EeeNkoQ2eJ76Twx2S0sCybTzz

K8S Y AML Deployment Deploy and manage pods that looks similar: Scaling • hello-tomcat-deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: hellotomcat labels: app: hellotomcat spec: replicas: 2 selector: matchLabels: app: hellotomcat template: metadata: labels: app: hellotomcat spec: containers: - name: hellotomcat-container image: quay.io/sunix/hello-tomcat ports: - containerPort: 8080 imagePullPolicy: IfNotPresent https://asciinema.org/a/EsaRue6eDKWyvRCHmRKxIfydI

K8S Y AML Service Load balancer Let the pods communicates in the cluster or outside • myservice.yaml apiVersion: v1 kind: Service metadata: name: hellotomcat-service spec: type: NodePort selector: app: hellotomcat ports: - protocol: TCP port: 8080 targetPort: 8080

K8S Y AML Ingress Manage the paths and domain name redirections Services • myingress.yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: hellotomcat-ingress labels: app: hellotomcat spec: rules: - host: 192.168.49.2.nip.io http: paths: - path: / pathType: Prefix backend: service: name: hellotomcat-service port: number: 8080 https://asciinema.org/a/PpW6P3EftEUWb13UOvoBK6wOW

Devoxx France 2023 2 - BEING A GOOD CLOUD NATIVE CITIZEN Requests and limits Health probes ConfigMap and Secrets

Limit s ests & Requ Resource management apiVersion: v1 kind: Pod metadata: name: frontend spec: containers: - name: app image: images.my-company.example/app resources: requests: memory: “64Mi” cpu: “250m” limits: memory: “128Mi” cpu: “500m”

Limit s ests & Requ What if a pod uses too many resources?

Limit s ests & Requ Resource quota kind: ResourceQuota metadata: name: compute-resources spec: hard: requests.cpu: “1” requests.memory: 1Gi limits.cpu: “2” limits.memory: 2Gi requests.nvidia.com/gpu: 4 Limit the total sum of compute resources that can be requested in a given namespace

Limit s ests & Requ Limit range apiVersion: v1 kind: LimitRange metadata: name: cpu-resource-constraint spec: limits: - default: # this section defines default limits cpu: 500m defaultRequest: # this section defines default requests cpu: 500m max: # max and min define the limit range cpu: “1” min: cpu: 100m type: Container Default, minimum and maximum resources usage per pod in a namespace

Limit s ests & Requ Verifying resource usage % kubectl top pods NAME hello-world-deployment-bc4fd6b9-dgspd hello-world-deployment-bc4fd6b9-f85mf hello-world-deployment-bc4fd6b9-hh7xs hello-world-deployment-bc4fd6b9-lz494 CPU(cores) 3m 3m 4m 5m % kubectl top pods —containers POD hello-world-deployment-bc4fd6b9-dgspd hello-world-deployment-bc4fd6b9-f85mf hello-world-deployment-bc4fd6b9-hh7xs hello-world-deployment-bc4fd6b9-lz494 NAME hello-world hello-world hello-world hello-world % kubectl top nodes NAME MEMORY% nodepool-ce18c6cd-1291-4a6e-83-node-5c283f nodepool-ce18c6cd-1291-4a6e-83-node-85b011 nodepool-ce18c6cd-1291-4a6e-83-node-c3cfcf MEMORY(bytes) 2Mi 2Mi 2Mi 2Mi CPU(cores) 0m 1m 1m 0m MEMORY(bytes) 2Mi 2Mi 2Mi 2Mi CPU(cores) CPU% MEMORY(bytes) 110m 104m 121m 5% 5% 6% 1214Mi 1576Mi 1142Mi 23% 30% 22%

Devoxx France 2023 2 - BEING A GOOD CLOUD NATIVE CITIZEN Requests and limits Health probes ConfigMap and Secrets

h Pro be Healt Tell people youʼre ready

h Pro be Healt Tell people youʼre alive

Devoxx France 2023 2 - BEING A GOOD CLOUD NATIVE CITIZEN Requests and limits Health probes ConfigMap and Secrets

& Sec rets gMap Confi Secret: a piece of information that is only known by one person or a few people and should not be told to others.

& Sec rets gMap Confi Kubernetes Cluster - Nodes Node kubelet Node kubelet Node kubelet Node kubelet Node kubelet Node kubelet Primary api etcd scheduler controllers Istio proxy

& Sec rets gMap Confi ● ● Kubernetes object that contains a small amount of sensitive data. Injected as volume or environment variable.

& Sec rets gMap Confi All YAMLs and base64

& Sec rets gMap Confi Encryption Configuration

& Sec rets Confi gMap Vaults provide full encryption https

Devoxx France 2023 3 - ADVANCED K8S Persistent Volumes StatefulSets & Jobs (ou JKube) Tolerance and taints Operators

es volum stent Persi Local storage is a BAD idea

es volum stent Persi Persistent Volumes

es volum stent Persi The storage dilemma

Devoxx France 2023 3 - ADVANCED K8S Persistent Volumes Jkube Tolerance and taints Operators

E JKUB A typical Java application Based on real life experiences

E JKUB Your Java to Kubernetes 😨 Container Registry .java pom.xml mvn package Java App (jar or war) docker build Container Image Kubernetes Pod kubectl apply Dockerfile s K8s manifest files Your app in production environment

E JKUB Eclipse JKube

E JKUB Eclipse JKube https://jkube-website-quickstarts.surge.sh/j kube/

E JKUB JKube with Ingress and 5 replicas • pom.xml <plugin> <groupId>org.eclipse.jkube</groupId> <artifactId>kubernetes-maven-plugin</artifactId> <version>1.10.1</version> </plugin> <jkube.createExternalUrls>true</jkube.createExternalUrls> <jkube.replicas>5</jkube.replicas> mvn clean install k8s:build \ k8s:resource \ k8s:apply \ -Djkube.domain=$(minikube ip).nip.io https://asciinema.org/a/dCGQ7B45XZP2T1emHq6zIUNI1

E JKUB Your Java to Kubernetes 😨 Container Registry .java pom.xml mvn package Java App (jar or war) docker build Container Image Kubernetes Pod kubectl apply Dockerfile s K8s manifest files Your app in production environment

E JKUB Your Java to Kubernetes with JKube .java pom.xml mvn package k8s:build k8s:resource s k8s:apply Java App (jar or war) Container Image Kubernetes Pod Container Registry Your app in production environment

E JKUB Eclipse JKube benefits Minimize the Dockerfile or YAML files to maintain It generates container images and kubernetes manifests based on defaults. Of course these defaults could be overridden or enriched. Use your CI You can use JKube without docker or kubectl. It perfectly fits to any CI One tool to deploy them all ! It doesn’t require Docker or kubectl. JIB or S2i can be used for build. Kubernetes communication is done with the Java Fabric8 Kubernetes client.

E JKUB Transporter

Neuilly 252 AB

Devoxx France 2023 3 - ADVANCED K8S Persistent Volumes StatefulSets & Jobs (JKube) Tolerance and taints Operators

ces leran s & to Taint Taints & Tolerances Taint - applied to a Kubernetes Node that signals the scheduler to avoid or not schedule certain Pods. Toleration - applied to a Pod definition and provides an exception to the taint.

ces leran s & to Taint Affinity & Anti-affinity Node Aﬃnity - rules that ban the node where pods can run, but also to favor where they should run Pod Aﬃnity - indicate a group of pods should always be deployed together on the same node (because of network communication, shared storage, etc.)