K8s Ecosystem

Resources

Public Cloud or Kubernetes - Eberhard Wolf

  • Kubernetes: finally the universal abstraction
  • More competition and cost saving

Public cloud more expensive?

  • One developer blocked for 2 days because of firewall problems
  • Spun up in the public cloud over the weekend

Public cloud insecure?

  • Firewalls on Amazon are built in
  • Implemented on the network level
  • Easy to configure
  • Data center has more security features
  • Physical access clearly defined
  • PCI, BSI C5 Compliance

Not reproducible in an “on-premise” data center

Cloud = Components

  • Databases included with backup and disaster recovery

The advantage of the cloud is its components! Not the costs!

Monitoring in Kubernetes with Prometheus and Grafana - Bastian Hofman

Custom Resource Definitions for Prometheus Operator

  • Workload Management
    • Prometheus
    • Alertmanager
  • Prometheus Configuration
    • Service Monitor
    • PodMonitor

Grafana

  • Prometheus Operator deploys a sidecar container that polls the Grafana ConfigMap and updates the Grafana dashboard
  • Grafana ingress latency
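
Added example (not from the talk): the ServiceMonitor, PodMonitor and PrometheusRule objects that the Prometheus Operator CRDs above describe, plus the dashboard ConfigMap the Grafana sidecar polls. Namespace `shop`, the `app=my-api` label, the `metrics` port name, the CA file path and the alert threshold are assumptions; the `grafana_dashboard: "1"` label is the default the kube-prometheus-stack sidecar watches for, which the talk does not name.

```yaml
# Added example, not from the talk. Namespace "shop", label app=my-api,
# port name "metrics", CA path and alert threshold are assumptions.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: my-api
  namespace: shop
  labels:
    release: prometheus        # must match serviceMonitorSelector of the Prometheus CR
spec:
  selector:
    matchLabels:
      app: my-api              # Services carrying this label get scraped
  namespaceSelector:
    matchNames: [shop]
  endpoints:
    - port: metrics            # port *name* from the Service, not a number
      path: /metrics
      interval: 30s
      scheme: https
      tlsConfig:
        insecureSkipVerify: false                        # verify the target certificate
        caFile: /etc/prometheus/secrets/api-ca/ca.crt    # assumed path, mounted from a Secret
---
# PodMonitor: same idea for pods that have no Service (e.g. batch jobs)
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: nightly-jobs
  namespace: shop
  labels:
    release: prometheus
spec:
  selector:
    matchLabels:
      job-type: nightly
  podMetricsEndpoints:
    - port: metrics
      interval: 60s
---
# PrometheusRule: the alert is routed to the Alertmanager the operator manages
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: my-api-alerts
  namespace: shop
  labels:
    release: prometheus        # must match ruleSelector of the Prometheus CR
spec:
  groups:
    - name: my-api
      rules:
        - alert: MyApiHighErrorRate
          expr: |
            sum(rate(http_requests_total{app="my-api",code=~"5.."}[5m]))
              / sum(rate(http_requests_total{app="my-api"}[5m])) > 0.05
          for: 10m
          labels:
            severity: critical
          annotations:
            summary: "my-api 5xx rate above 5% for 10 minutes"
---
# Dashboard ConfigMap: the sidecar polls ConfigMaps with this label and
# loads the JSON into Grafana, so dashboards live in git next to the app.
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-api-dashboard
  namespace: shop
  labels:
    grafana_dashboard: "1"     # default sidecar label in kube-prometheus-stack (assumption)
data:
  my-api.json: |
    {
      "title": "my-api",
      "schemaVersion": 30,
      "panels": [
        {
          "id": 1, "type": "timeseries", "title": "Request rate",
          "gridPos": {"x": 0, "y": 0, "w": 12, "h": 8},
          "targets": [{"expr": "sum(rate(http_requests_total{app=\"my-api\"}[5m]))", "refId": "A"}]
        }
      ]
    }
```

Check that the `release` label matches the selectors of the Prometheus CR the operator created; a ServiceMonitor or PrometheusRule with the wrong label is silently ignored, which is the usual reason a target never shows up.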

MySQL Operator Helm Chart

  • Also creates a mysql exporter right away

Takeaways

  • Use Operator when possible!
  • Use Loki for log management, considerably easier on resources
  • Bitnami “Sealed Secrets”: secure management of secrets, a lightweight Vault https://github.com/bitnami-labs/sealed-secrets
  • Longhorn: quite an interesting storage solution

Resources

Kubernetes Operators - Marcel Müller

What problem do we want to solve!?

  • Ops Lifecycle
    • Day0
    • Day1 Setup, e.g. Helm
    • Day2 Maintenance, Optimization
      • Observe
      • Analyze
      • Act

Operators as Kubernetes native solution!

Kubernetes Object

  • Each object has a spec, status and Metadata
    • spec is the desired state
    • status is the current state

Custom Resource Definition (CRD)

Similar to a Java class implementation

  • Extension of K8s API
  • Registered at runtime
  • Added to K8s
  • Let you store and retrieve structured data
  • Allows validation and defaulting

Custom Resource (CR)

Similar to an instance of a class

  • Instance of a CRD
  • Comes with Spec / Status / Metadata
  • Supports interaction like other K8s objects
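
Added example (not from the talk): a CRD that plays the “class” role, with the validation and defaulting the bullets mention, followed by a CR that plays the “instance” role. The `example.com` group, the `Backup` kind, its fields and the namespace `shop` are assumptions.

```yaml
# Added example, not from the talk. Group, kind, fields and namespace are assumptions.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: backups.example.com     # must be <plural>.<group>
spec:
  group: example.com
  scope: Namespaced
  names:
    plural: backups
    singular: backup
    kind: Backup
    shortNames: [bk]
  versions:
    - name: v1
      served: true
      storage: true
      subresources:
        status: {}              # status is written via its own endpoint, so a spec update cannot forge it
      schema:
        openAPIV3Schema:
          type: object
          required: [spec]
          properties:
            spec:               # desired state
              type: object
              required: [database]
              properties:
                database:
                  type: string
                  minLength: 1
                schedule:
                  type: string
                  default: "0 2 * * *"                  # defaulting: filled in on admission
                  pattern: '^(\S+\s+){4}\S+$'           # validation: 5-field cron expression
                retentionDays:
                  type: integer
                  minimum: 1
                  maximum: 365
                  default: 14
            status:             # current state, maintained by the operator
              type: object
              properties:
                lastRun:
                  type: string
                  format: date-time
                phase:
                  type: string
                  enum: [Pending, Running, Succeeded, Failed]
      additionalPrinterColumns:
        - name: Database
          type: string
          jsonPath: .spec.database
        - name: Phase
          type: string
          jsonPath: .status.phase
---
# The CR: an instance of the class above. schedule and retentionDays are
# optional here; the API server applies the defaults from the schema.
apiVersion: example.com/v1
kind: Backup
metadata:
  name: orders-nightly
  namespace: shop
spec:
  database: orders
  retentionDays: 30
```

Once the CRD is registered the CR behaves like any other object: `kubectl get backups -n shop` uses the printer columns, `kubectl describe backup orders-nightly -n shop` shows spec and status, and a CR with `retentionDays: 0` or a malformed `schedule` is rejected at admission without any operator code running.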

Controller Pattern

  • Every resource in K8s which has an action has a controller
  • A controller watches at least one K8s resource type
  • e.g. Pod definition is checked by the pod controller which is trying to achieve the desired spec

Operator Definition

  • Operator Pod watches CR outside of the master
  • Operators act like controllers
  • Operators are clients of the kubernetes API

Operator Workflow

Could need multiple loops

  1. Observe - the desired state (spec) and the current state (status)
  2. Analyze
  3. Act - move the current state towards the spec and update the status

Operator Interaction

  • Operator watches/lists events

Operator Classes

  1. Packaging applications in easier to manage interfaces
  2. Managing infrastructure
    1. AWS Operator
    2. Cluster API operator (K8s manages K8s clusters => similar to Rancher local cluster)

Kubebuilder

Creates an operator template definition. Uses a simple reconcile function.

Conclusion

  • Utilize Operators
  • There are good and bad operators
  • Understand basics before using operators extensively
  • Operators are software projects
    • Don’t underestimate the development effort

Resources

Kubernetes Security - Erkan Yanar

  • Limit the RBAC admin role to namespace
  • NetworkPolicy (does not work with Flannel, but with Calico), prevents access from outside
  • Pod priority classes => e.g. `unwichtigworkload` (“unimportant workload”) => the higher the number, the more important
    • spec - priorityClassName: unwichtigworkload
    • Unimportant workload is evicted and important workload is scheduled
  • ResourceQuotas
  • PodSecurityPolicy
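
Added example (not from the talk): manifests for each bullet above, all scoped to one namespace. The namespace `team-a`, the group `team-a-devs`, the image, the priority values and the quota numbers are assumptions; `unwichtigworkload` is the class name from the notes. PodSecurityPolicy was removed in Kubernetes 1.25, so the namespace carries the Pod Security Admission labels that replace it.

```yaml
# Added example, not from the talk. Namespace, group, image, values are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    pod-security.kubernetes.io/enforce: restricted   # PSP successor (Pod Security Admission)
    pod-security.kubernetes.io/warn: restricted
---
# RBAC: bind the built-in ClusterRole "admin" with a *RoleBinding*, so the
# group is admin only inside team-a, not cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-admin
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-devs
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
---
# NetworkPolicy: deny all ingress by default (needs a CNI that enforces it,
# e.g. Calico; Flannel alone ignores these objects).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: team-a
spec:
  podSelector: {}
  policyTypes: [Ingress]
---
# ...then allow traffic between pods of the same namespace only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: team-a
spec:
  podSelector: {}
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector: {}
---
# Priority classes: higher value = more important; a pending pod of a higher
# class may evict (preempt) pods of a lower class.
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: unwichtigworkload
value: 1000
globalDefault: false
description: "Batch/dev workload, evicted first when the cluster is full"
---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: wichtigworkload
value: 100000
description: "Production workload, may preempt unwichtigworkload pods"
---
# A pod in the unimportant class; requests/limits are required by the quota
# below and the securityContext satisfies the "restricted" PSA level.
apiVersion: v1
kind: Pod
metadata:
  name: report-job
  namespace: team-a
spec:
  priorityClassName: unwichtigworkload
  containers:
    - name: report
      image: registry.example.com/report:1.0        # assumed image
      resources:
        requests: {cpu: 250m, memory: 256Mi}
        limits: {cpu: "1", memory: 512Mi}
      securityContext:
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        capabilities: {drop: [ALL]}
        seccompProfile: {type: RuntimeDefault}
---
# ResourceQuota: caps what the whole namespace may request.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
    pods: "50"
```

Two things to verify after applying: `kubectl auth can-i create pods --as-group=team-a-devs --as=someone -n kube-system` must answer `no` (the RoleBinding really is namespace-scoped), and once a compute ResourceQuota exists every pod in the namespace must set requests and limits or it is rejected at admission.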

Lessons Learned

  • watch kubectl -n mynamespace get pods,deployments