Pengoperasian (Operate)

Abdullah Fathi

www.fotia.com.my

Pautan Muat Turun

Muat Turun Slaid

Panduan DevOps

Apa itu pengoperasian?

Merujuk kepada proses dan aktiviti yang dilakukan untuk mengurus dan menyelenggara infrastruktur sistem aplikasi secara automasi. Matlamat pengoperasian adalah untuk memastikan infrastruktur sistem aplikasi
beroperasi pada tahap optimum

Panduan DevOps Sektor Awam - Muka Surat: 158

Aktiviti pada peringkat pengoperasian

  • Scale up/down resources
  • Penyandaran pangkalan data
    (Database Backup)
  • Pemulihan sistem aplikasi
  • Pengemasan Container Registry

Apa itu Kubernetes?

  • Kubernetes adalah platform orkestrasi container yang mengautomasikan proses penempatan, pengurusan dan penskalaan sistem aplikasi
  • Kubernetes dilengkapi dengan fungsi high availability (HA) kepada persekitaran container dan menyokong
    ciri-ciri self healing serta auto scaling

Kubernetes
Component

1. Pod

  • Smallest unit of k8s
  • Abstraction over container
  • Usually 1 container per Pod
  • Each Pod gets its own cluster-internal IP by default
  • New IP address on re-creation:
    Pods are ephemeral (it can die very easily)

2. Service

  • Permanent IP address and also a load balancer
  • Lifecycle of Pod and Service is not connected:
    Even if pod dies, the service and its IP address will stay
  • Type of service:
    • External Service: Accessible from public request
    • Internal Service: Not exposed to public request

3. Ingress

  • Forward to service

4. ConfigMap

  • External configuration of the application
  • Don't put credentials into ConfigMap

5. Secret

  • Used to store secret data
  • base64 encoded format
  • Reference secret in Deployment/Pod

6. Data Storage (Volume)

  • Data Persistence
  • Storage on local machine
    (on same server node where pod is running)
  • Remote storage outside of k8s cluster

7. Deployment

  • Blueprint for Pods
  • Abstraction of Pods
  • DB can't be replicated via Deployment

8. Stateful Set

  • Stateful apps or database
  • Avoid data inconsistencies:
    Manage which Pod is writing or reading the storage

Kubernetes Architecture

Apa itu Rancher?

Rancher adalah platform untuk menguruskan kluster Kubernetes melalui antara muka web

Kubernetes Configuration File

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels: ...
spec:
  replicas: 2
  selector: ...
  template: ...
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  labels: ...
spec:
  selector: ...
  ports: ...

Deployment

Service

1) Metadata

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels: ...
spec:
  replicas: 2
  selector: ...
  template: ...
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  labels: ...
spec:
  selector: ...
  ports: ...

2) Specification

Each configuration file has 3 parts

Attributes of "spec" are specific to the kind

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels: ...
spec:
  replicas: 2
  selector: ...
  template: ...

Each configuration file has 3 parts

3) Status (automatically generated by k8s)

  • k8s update state continuously
  • desired state == actual state
  • etcd holds the current status of any k8s component

Template

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels: ...
spec:
  replicas: 2
  selector: ...
  template: 
    metadata:
      labels:
        app:nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort:8080
  • Has it's own "metadata" and "spec" section
  • Applies to Prod
  • Blueprint for a Pod

Template

Connecting components

(Labels & Selectors & Ports)

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 2
  selector: 
    matchLabels:
      app: nginx
  template: 
    metadata:
      labels:
        app:nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort:8080

Deployment

Service

apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  labels: ...
spec:
  selector:
    app: nginx
  ports: ...

Metadata contains label

Specification contains selector

Labels & Selectors

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 2
  selector: 
    matchLabels:
      app: nginx
  template: 
    metadata:
      labels:
        app:nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort:8080

Deployment

  • any key-value pair from component

Connecting Deployment to Pods

labels:
  app: nginx
  • Pods get the label through the template blueprint
  • This label is matched by the selector
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 2
  selector: 
    matchLabels:
      app: nginx
  template: 
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort:8080

Deployment

Connecting Services to Deployments

Service

apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  labels: ...
spec:
  selector:
    app: nginx
  ports: ...

Connection is made through the Selector of the Labels

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 2
  selector: 
    matchLabels:
      app: nginx
  template: 
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort:8080

Deployment

Ports in Service and Pod

Service

apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  labels: ...
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080

Other Service

Nginx Service

Pod

port: 80

targetPort: 8080

targetPort: Port to forward request (containerPort of Deployment)

containerPort: Port which pod listening

External Service

Make service as an external service

nodePort: between 30000-32767

IP address and port is not opened

Kubernetes: External Service

apiVersion: v1
kind: Service
metadata:
  name: system-a-external-service
spec:
  selector:
    app: system-a
  type: NodePort
  ports:
  	- protocol: TCP
      port: 8080
      targetPort: 8080
      nodePort: 30001

YAML File: External Service

Assign external IP address to service

Ingress

Kubernetes: Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: system-a-ingress
spec:
  rules:
  - host: system-a.fotia.com.my
    http:
    	paths:
        - backend:
        	serviceName: system-a-internal-service
            servicePort: 8080
  • kind: Ingress
  • Routing rules:
    • Forward request to the internal service
  • paths: the URL path

YAML File: Ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: system-a-ingress
spec:
  rules:
  - host: system-a.fotia.com.my
    http:
    	paths:
        - backend:
        	serviceName: system-a-internal-service
            servicePort: 8080
apiVersion: v1
kind: Service
metadata:
  name: system-a-internal-service
spec:
  selector:
  	app: system-a
  ports:
  	- protocol: TCP
      port: 8080
      targetPort: 8080
  • No nodePort in Internal Service
  • Instead of LoadBalancer, default type: ClusterIP

Ingress and Internal Service Configuration

Configure Ingress in Kubernetes Cluster

  • We need an Ingress Controller to do an implementation for ingress
  • Ingress Controller: Evaluates and processes Ingress rules
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: system-a-ingress
spec:
  rules:
  - host: system-a.fotia.com.my
    http:
    	paths:
        - backend:
        	serviceName: system-a-internal-service
            servicePort: 8080

What is Ingress Controller?

Ingress Controller behind Proxy/LB

No server in Kubernetes cluster is accessible from outside

  • Good security practice
  • Separate server
  • Public IP address and open ports
  • Entrypoint to cluster

Multiple paths for same host

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: system-a-ingress
  annotations:
  	nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: system-a.fotia.com.my
    http:
    	paths:
        - path: /dashboard
          backend:
        	serviceName: dashboard-service
            servicePort: 8080
        - path: /cart
          backend:
          	serviceName: cart-service
            servicePort: 3000

Multiple sub-domains or domains

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: system-a-ingress
  annotations:
  	nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: dashboard.system-a.com.my
    http:
    	paths:
          backend:
        	serviceName: dashboard-service
            servicePort: 8080
  - host: cart.system-a.com.my
  	http:
    	paths:
          backend:
            serviceName: cart-service
            servicePort: 3000

Configure TLS Certificate - https

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
spec:
  tls:
  - hosts:
  	- system-a.fotia.com.my
    secretName: system-a-secret-tls
  rules:
  - host: system-a.fotia.com.my
    http:
    	paths:
        - path: /
          backend:
        	serviceName: system-a-internal-service
            servicePort: 8080
apiVersion: v1
kind: Secret
metadata:
  name: system-a-secret-tls
  namespace: default
data:
  tls.crt: base64 encoded cert
  tls.key: base64 encoded key
type: kubernetes.io/tls
  • Data keys need to be "tls.crt" and "tls.key"
  • Values are file content not file paths/location
  • Secret component must be in the same namespace as the ingress component

Aliran Proses Kerja Peringkat  Pengoperasian

Rujuk Panduan DevOps Sektor Awam: Muka Surat 159

Your feedback matters

There are no secrets to success. It is the result of preparation, hard work, and learning from failure. - Colin Powell

THANK YOU