20200113 - IBM Cloud Côte d'Azur - DeepDive Kubernetes

Deep-dive sur Kubernetes
avec le déploiement d'un micro-service
dans IBM Cloud
-
13 Février 2020
IBM Cloud Côte d'Azur Meetup

Who am I?
2IBM Cloud / © 2018 IBM Corporation
Lionel Macé
Solution Architect
IBM Cloud Europe
lionel.mace@fr.ibm.com

Agenda
§ Présentation approfondie de Red Hat OpenShift et IKS
(IBM Cloud Kubernetes Service)
§ Déployez vous-même une app micro-service dans un
cluster Kubernetes mis à votre disposition
De 18h30 à 20h30

Containers change the economics of delivery
Organizations are adopting containers to
improve developer productivity,
efficiency in DevOps, and application
portability
• Lightweight packaging that includes
the software and all its dependencies
• Easily portable across on-premises
and public cloud environments
• More efficient use of infrastructure
than traditional VM deployments

Everyone’s container journey starts with one container….

At first the growth is easy to handle….

But soon it is overwhelming… chaos reins

Regain control with Kubernetes

Image Registry
API
UI
User
Interface
CLI
Command
Line
Interface
Kubernetes
Master
Worker Node 1
Worker Node 2
Worker Node 3
Worker Node n
Kubernetes Architecture

API
UI
User
Interface
CLI
Command
Line
Interface
Kubernetes Master
API Server Scheduler Controller
etcd

Image Registry
Kubernetes
Master
Worker Node 1, 2, 3… n
Pod Pod Pod
docker
Kube-
proxy
Container
Container
Container
Container
Container
Container
Container
Container
Container
kubelet

Intelligent Scheduling Self-healing Horizontal scaling
Service discovery
& load balancing
Automated rollouts
and rollbacks
Secret and configuration
management
Kubernetes Capabilities

Kubernetes
K8S
IBM Solutions based on Kubernetes
IBM Cloud Kubernetes Service
IKS
IBM-Managed
Red Hat OpenShift on IBM Cloud
IBM-Managed

IBM Cloud Kubernetes Management Capabilities
Simplified cluster
management
Extend apps with
IBM Cloud
services
Security
& isolation
Design your
own cluster
Native open-
source
experience
Integrated
operational
tools

IBM Cloud Kubernetes Service (IKS) Architecture
Baremetal Dedicated VM Shared VM
Services
Persistent
Storage
Encryption Secrets Metrics Logging
Global Load
Balancing
containerd
Service
Discovery
Routing
Networking
(Calico)
Kubernetes
Service
Infrastructure
DevOps
CI/CD
Logging
LogDNA
Monitoring
Sysdig
Key
Protect
COS
Container
Registry
Certificate
Manager

IBM Cloud Container Registry
Managed stand-alone Docker Registry
Pre-integrated with Kubernetes Service.
Integration to IAM (Identity Access Management).
Built-in Vulnerability scanning

cluster
Single Zone Cluster
17
FRA02
EU-DE
w1
node
w2
node
•Cluster created in a single
datacenter
•Worker nodes provisioned
in a single datacenter
•Master managed by IKS
runs in the same datacenter
within the IKS account
w3
node
w4
node
w5
node
w6
node

Multizone Cluster
18
EU-DE
cluster
• Worker nodes are automatically provisioned in the other zones
• Three zones at 150% provides 100% capacity in event of a zone failure.
• 200% capacity required if using two zones
Worker Pool
FRA04
w5
node
w6
node
FRA05
w7
node
w8
node
w9
node
FRA02
w1
node
w2
node
w3
node
w4
node

Design your cluster for maximum availability with Multi Zone
Cluster
19IBM Cloud / © 2018 IBM Confidential

Available in six IBM regions WW, including 25+ datacenters
IBM Cloud / © 2018 IBM Confidential
1
Sao
Paulo
3
US South
1
MontrealToronto
1
3
US East
3
3 Frankfurt
London
1
Milan
1
Oslo
MZR (Multi Zone Region)
SZR (Single Zone Region)
3 AP South1
Melbourne
#
1
1
1
Paris
Amsterdam
1
Tokyo
1
Singapore
Hong Kong
1
Seoul
3

High Availability with Multi Zone Region (MZR)
3 AZ (Availability Zones) per region
Separate physical data center building.
Redundant links with dual POPs.
Less than 2msec latency between AZ.

Highly Available Architecture
Control Plane Nodes
Workers
Master
IBM Managed
Customer
Account
Availability
Zone 1
Availability
Zone 2
Availability
Zone 3
Workers Workers
Master Master

Certified Kubernetes
IKS Update process
• Support N - 2 kube minor versions
• N - 3 deprecated for 30 days before going out of support
• Master patches are automatically applied
• Customer requests master kube minor update (e.g., 1.16 > 1.17)
• Worker node updates up to the level of the master
• Worker nodes only updated upon customer request
Manage Kubernetes upgrades
ibmcloud ks kube-versions
DEVELOPER

Choice of Hardware: Virtual, Dedicated or Baremetal

Secure compute hosts
Built-in security and isolation
Hosted secured Private image Registry
Private network overlays
Automatic Vulnerability scanning
Securing Containers

Cluster Monitoring with the Kubernestes Dashboard

Manager Cluster using REST API
https://eu-de.containers. cloud.ibm.com/swagger-api/#/clusters

IBM Log Analysis with LogDNA
Collect and aggregate data from any platform
Easily integrate with leading runtime environments
Expedite Insights with blazing fast search coupled with natural language query and alerts
Log management and analysis for debug of system and application issues

Monitoring for application visibility, alerting with Sysdig
Slide Title Goes Here
BM Cloud Kubernetes Service | IBM Conﬁdential | ©2018 IBM Corporation
Introducing IBM Cloud Monitoring with Sysdig
Fully managed enterprise-grade monitoring for application visibility, alerting, and troubleshooting.
Transparent instrumentation dynamically
discovers applications, containers, hosts,
networks, and custom metrics
Deep container visibility and integration with
Kubernetes to see beyond infrastructure into
how apps and services are performing
Robust dashboards enable at-a-glance views
Turn-key horizontal scalability, enterprise
access control and security
Automatic correlation of data across
infrastructure
Configurable alerts enable proactive
notification of any condition including events,
downtime and anomalies
o Transparent instrumentation
dynamically discovers apps,
containers, hosts, networks,
and custom metrics
o Deep container visibility and
integration with Kubernetes
o Robust Dashboards
o Configurable alerts

Policy Violations
Vulnerable Packages
Vulnerability Advisor

IBM Container
Registry CVEs
Open Toolchain with Delivery Pipeline for Kubernetes
Source
Control
GitHub
Build docker
image
Deploy to
Kubernetes
Checking
vulnerabilities
against CVE

Terraform

Account
Region
Resource Group
CONTAINER
REGISTRY
Development
CLOUDANT
NOSQL DB
CLOUD OBJECT
STORAGE
LOG ANALYSISMONITORING
DEVELOPMENT
CLUSTER
Multi-Cluster
Resource Group
TESTING
CLUSTER
Testing
CLOUDANT
NOSQL DB
CLOUD OBJECT
STORAGE
Resource Group
Production
CLOUDANT
NOSQL DB
CLOUD OBJECT
STORAGE
PRODUCTION
CLUSTER

Account
Region
Resource Group
CONTAINER
REGISTRY
Non-Production Cluster
Development
Namespace
Testing
Namespace
Production Cluster
Multi-Tenant
Development
CLOUDANT
NOSQL DB
CLOUD OBJECT
STORAGE
Testing
CLOUDANT
NOSQL DB
CLOUD OBJECT
STORAGE
Production Space
CLOUDANT
NOSQL DB
CLOUD OBJECT
STORAGE
Production Cluster
Production
Namespace

Multi-tenant vs Multi-cluster
Multi tenant
o Enforced by RBAC
o Separate by namespace, enforce quotas and policies
o Underlying workers shared and overcommit
o Noisy neighbors – shared bandwidth, disk
o Recommend for dev, pre-stage (possibly staging)
Multi-cluster
o No escape, no noisy neighbors
o Minimize access to production environment
o Extra hardware for burst partly idle during lulls
o Easier Kubernetes version management per cluster

Best Practises
o Do not use DEFAULT namespace
o Set readiness/liveness probe
o Deploy at least 2 replicas
o Use Secret when required and use non-root user in Dockerfile

Set Resource Request and Limits for Containers
Improve Kubernetes Scheduler to place pods
efficiently and improve performance.
If cpu limits are too low your pods will have
insufficient cpu to operate optimally.
If memory limits are too low it may be
terminated and restarted.
If resources limits are too high, Kubernetes will
schedule too few pods on nodes and resources
will be under utilized.
If no resource limits are specified then the limit
will be either be the limit of the namespace (if
one is set) or all of the available resources on
the Node.
apiVersion: v1
kind: Deployment
metadata:
name: mytodos
spec:
replicas: 2
template
spec:
containers:
- name: mytodos
image: mytodos:v12
imagePullPolicy: Always
resources:
requests:
memory: 100Mi
cpu: 250m
limits:
memory: 300Mi
cpu: 500m
250 millicores = ¼ core
100 MiB

POD Anti-Affinity
• Used to spread PODs across worker nodes
• Use “preferredDuringSchedulingIgnoredDuringExecution”
• Ensures availability if there is a worker node failure
apiVersion: v1
kind: Deployment
metadata:
name: mytodos
spec:
replicas: 3
template
spec:
affinity:
podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution

Block POD communication
o Network Policies used to block/allow traffic
between specific pods
o Ensures that a compromised pod cannot
communicate to any arbitrary pod
o Ensures compromised pods cannot
communicate to privileged pods
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: block-dashboard-policy
namespace: kube-system
spec:
podSelector:
matchLabels:
k8s-app: kubernetes-dashboard
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 169.61.0.0/16

Kubernetes Certifications
Container & Kubernetes Essentials with IBM Cloud
https://cognitiveclass.ai/courses/kubernetes-course
Getting started with Microservices with Istio and IKS
https://cognitiveclass.ai/courses/get-started-with-
microservices-istio-and-ibm-cloud-container-service/
Beyond the Basics: Istio and IBM Cloud Kubernetes Service
https://cognitiveclass.ai/courses/beyond-the-basics-istio-
and-ibm-cloud-kubernetes-service/

Reach out to the IKS community via Slack
https://cloud.ibm.com/kubernetes/slack

20200113 - IBM Cloud Côte d'Azur - DeepDive Kubernetes

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 20200113 - IBM Cloud Côte d'Azur - DeepDive Kubernetes

Similar to 20200113 - IBM Cloud Côte d'Azur - DeepDive Kubernetes (20)

More from IBM France Lab

More from IBM France Lab (20)

Recently uploaded

Recently uploaded (20)

20200113 - IBM Cloud Côte d'Azur - DeepDive Kubernetes