Everything you want to know about Kubernetes

(preferably before using it)

Guillaume Gelin

ramnes.eu 🇪🇺 🇫🇷

Chapter 1

The origins

Where we are coming from

Kubernetes overview

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
spec:
  selector:
    matchLabels:
      app: hello
  replicas: 1
  template:
    metadata:
      labels:
        app: hello
    spec:
      containers:
      - name: hello
        image: numberly/hello

deployment.yaml

$ kubectl apply -f deployment.yaml

$ kubectl scale --replicas=4 deployment hello

apiVersion: v1
kind: Service
metadata:
  name: hello
spec:
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8000
  selector:
    app: hello
  type: ClusterIP

service.yaml

$ kubectl apply -f service.yaml

$ kubectl get all
NAME                         READY   STATUS    RESTARTS   AGE
pod/hello-5688899d46-9nmzb   1/1     Running   0          23s

NAME            TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE
service/hello   ClusterIP   10.16.0.122   <none>        80/TCP    19s

NAME                    READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/hello   1/1     1            1           24s

NAME                               DESIRED   CURRENT   READY   AGE
replicaset.apps/hello-5688899d46   1         1         1       24s

Why Kubernetes?

Developers autonomy
Same tooling for everyone
Same vocabulary for everyone
Write once, apply everywhere (e.g. observability)
Transparent self-healing
Resources isolation

Software engineers

Infrastructure engineers

Chapter 2

Minimum viable cluster

Requirements we settled on

On-premise
Simple networking component
Highly available

Choices we made

On-premise
Simple networking component
Highly available

https://github.com/cloudnativelabs/kube-router

What you get or miss
at this point

Kubernetes is a platform for building platforms. It's a better place to start; not the endgame.

Kelsey Hightower

Chapter 3

Going further

A few more choices

Security

Encrypted etcd
Google sign-in + RBAC
Each team in its own namespace
"mustRunAsNonRoot" Pod Security Policy
"readOnlyRootFilesystem" Pod Security Policy
Default Network Policy ("deny *" by default)
Default Limit Ranges and Quotas

Developer-first experience

Automating as much as possible
Tutorials, templates, documentation
Certification

Tools we decided to use

https://github.com/heptiolabs/gangway

https://github.com/danderson/metallb

https://github.com/kubernetes/ingress-nginx

https://github.com/kubernetes-sigs/external-dns

https://github.com/jetstack/cert-manager

Tools we developed ourselves

https://github.com/numberly/gitlab2rbac

https://github.com/numberly/kubemen

👀

Chapter 4

Nowadays

Current platform status

14 teams
100 users
400 pods

Live demo?

Next steps

Development workflows (Continuous Delivery?)
A “real” storage system
Vertical and horizontal auto-scaling
Distributed tracing (with a “service mesh”)
Chaos monkeys
More nodes

Chapter 5

Step back

Our opinion on Kubernetes

Becoming an industry standard
Really solved most of our problems
Operating Kubernetes is complex, using it is not
Still has a few missing pieces

Recommendations

Try the “user-side” with a free cluster (e.g. KubeSail)
For production, use Google Kubernetes Engine
Operate Kubernetes only if you can dedicate people

Thank you!

https://slides.com/ramnes/everything-kubernetes

https://github.com/numberly

Made with Slides.com