eks immersion day - deptno/deptno.github.io GitHub Wiki
Container Overview
- chroot -> pivot root
- namespace ->
- cgroup -> controls the computing resources available to each process

Dockerfile
- from
- label
- expose
- healthcheck
- run
- env
- add
- copy
- entrypoint
- cmd
- add, copy
  - add has more features.
  - a compressed file can be extracted while it is add-ed
  - a URL can also be given -> the build cache probably does not apply then
- entrypoint, cmd
  - entrypoint is not overridden, so it is usually e.g. node
  - cmd is what gets overridden, e.g. the arguments to node

docker inspect can be used to check the structure: union mount system

docker network ls
- bridge
- host
- container
- none

iptables > docker proxy (order of precedence)

multi stage
- handles the case where build-time and runtime dependencies differ

kubelet is installed separately, as an agent

containers share the pod's IP (in the sidecar case the two IPs are the same)

k8s

volume
- emptyDir - uses a folder on the host; removed when the pod is deleted
- hostPath - cannot be used once the node changes
- pv - usable even if the node changes

pv
- dynamic pv -> the PV is created and allocated on demand by the PVC

network
- overlay network: when virtualized, keeps the IPs from overlapping with the virtual networks of other nodes

eth0, lo -> after installing Docker, docker0 is added

docker network ls
docker network inspect
sudo su
iptables -t nat -S # try this after port-forwarding

role - rbac
- rbac role -> per namespace
- cluster role -> per cluster
- service account -> the permissions a pod has

eks
- cordon: keeps pods from being placed on that node, i.e. removes it from scheduling
- drain: evicts the pods on that node and moves them elsewhere
- pod disruption budget
  - pods can be updated while a given number of pods is kept running
- injecting specific metadata makes the Fargate scheduler manage the pod separately

network
- docker network -> local
- overlay network -> between nodes
- cni
  - vpc - aws uses the vpc cni
  - the number of secondary IPs is fixed per instance type
  - also limited by vCPU capacity
  - so the number of pods that can be created is limited
  - secondary ip = network interface, private ip / network interface + @
  - with the vpc cni plugin, secondary ip * 16 is possible
- svc -> kube-proxy -> iptables, in that order
- on a NodePort svc, set externalTrafficPolicy = Local; this was explained in relation to SNAT, look it up later
- creating an lb creates an AWS lb; each cloud vendor has its own management system
- alb
  - instance mode -> re-routed at the node
  - ip mode -> straight to the pod, better performance
- csi, container storage interface
  - ebs can only be mounted in the same AZ

security
- applying KMS encrypts secrets
- guard duty
- kubectl <-> iam authenticator client <-> sts
- iam authenticator -> config map = aws-auth
- irsa, iam role for service account
  - the application's permissions - pod
  - EC2 (instance) permissions would also work, but which node a pod will be deployed on is not fixed
  - bound to the IAM role through an annotation on the k8s SA
  - pod
    - AWS_ROLE_ARN
    - AWS_WEB_IDENTITY_TOKEN_FILE
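The IRSA binding listed above, as an added example that is not from these notes: it builds the role trust policy that pins sts:AssumeRoleWithWebIdentity to one namespace/service-account pair, and checks whether the claims of a projected token (here a constructed, unsigned sample) would satisfy that policy. The account id, OIDC provider id, namespace and SA name are made-up placeholders.

```python
import base64
import json

# Constructed sample values (not from the notes): account id and cluster OIDC provider.
ACCOUNT_ID = "111122223333"
OIDC_PROVIDER = "oidc.eks.ap-northeast-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"


def trust_policy(account_id, oidc_provider, namespace, sa):
    """IAM role trust policy that lets exactly one k8s service account assume the role.
    Both conditions matter: drop the sub condition and every SA in the cluster could assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{sa}",
                f"{oidc_provider}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def decode_claims(jwt):
    """Claims of the projected token the pod reads from AWS_WEB_IDENTITY_TOKEN_FILE.
    The signature is not checked here; STS verifies it against the cluster's OIDC keys."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def token_satisfies_policy(claims, policy):
    """True iff the token's sub/aud meet the StringEquals conditions STS evaluates for
    AssumeRoleWithWebIdentity (the role ARN itself comes from AWS_ROLE_ARN in the pod env)."""
    stmt = policy["Statement"][0]
    cond = stmt["Condition"]["StringEquals"]
    prov = stmt["Principal"]["Federated"].split("oidc-provider/")[1]
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    return claims.get("sub") == cond[f"{prov}:sub"] and cond[f"{prov}:aud"] in aud


def make_sample_token(sub):
    """Constructed, unsigned stand-in for a projected token (real ones are RS256-signed)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    payload = {"iss": f"https://{OIDC_PROVIDER}", "sub": sub, "aud": ["sts.amazonaws.com"]}
    return f'{enc({"alg": "RS256"})}.{enc(payload)}.c2lnbmF0dXJl'
```

A token minted for a service account in another namespace fails the sub check, which is the property that keeps one role from being usable by every pod in the cluster.
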
Scaling
- cluster auto-scaler: plugin for scaling nodes
- karpenter is more flexible; it is not tied to node groups
- kubectl edit: the status section at the bottom comes from etcd
- ingress controller
  - ingress - alb
  - service - nlb
- aws lb
  - instance (default) -> sent to the node port and routed from there
  - ip -> the alb routes to the pod itself
- autoscaling requires metrics-server

kubelet can be checked directly on the worker node

q&a
alb.ingress.kubernetes.io/group.name: eks-demo-group
alb.ingress.kubernetes.io/group.order: '1'
- keyword
  - netfilter
  - iptables
  - cni
  - eni
  - aws load balancer controller
  - csi
  - bastion server
  - argocd vs flux
  - eks blueprints
  - watch -n1
  - blue-green max-surge
  - siege load testing, compare with k6
  - https://codeberg.org/hjacobs/kube-ops-view