SlideShare a Scribd company logo

KubeCon 2017 Zero Touch Provision

RackN, profile picture
RackN

The document discusses advancements in provisioning Kubernetes on unmanaged infrastructure, highlighting the focus on immutable bootstrapping, node admission, and dynamic kubelet. It emphasizes the need for improved orchestration, allowing for faster and more predictable installations while using community-driven tools like kubeadm and kubespray. Key challenges include centralized configurations, the necessity of join tokens for new nodes, and exploring the effectiveness of dynamic configuration in Kubernetes environments.

Technology
1 of 27
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
Zero-Configuration Pattern Provisioning Kubernetes on Unmanaged Infrastructure Rob @zehicle Hirschfeld, RackN November, 2017
Hang on to your Hats! Krazy New Stuff ● Immutable Bootstrap (demo!) ● Node Admission (v1.7) ● Dynamic Kubelet (v1.8)
3 #KubeCon - @zehicle Rob Hirschfeld (@zehicle) Involved in Kubernetes since launch Co-chair of Cluster Ops SIG Co-Founder of RackN & Digital Rebar Project We focus on operations automation for bare metal
4 #KubeCon - @zehicle We’ve been using Kubespray since Kubernetes v1.2 But first… Kubespray ● Very Solid Ansible Playbook ● Strong Community ● Amazing Features like HA & Upgrade HTTP://bit.ly/SYDkubespray But….
5 #KubeCon - @zehicle Why not Kubespray? We’d like to do better! ● No Centralized Orchestration ● No Inventory Building ● No SSH ● Immutable Booting ● and, much FASTER I don’t always Ansible, but when I do Ansible, I use Kubespray.
6 #KubeCon - @zehicle Let’s get Immutable! What? ● Create, Destroy & Repeat ● Machines recreated, not updated ● Typically “Pre-Baked” images Why? ● Very repeatable and predictable installation ● Simpler node configuration ● Faster deploy time
7 #KubeCon - @zehicle Community converging to single install utility! Leveraging Kubeadm Basic Three Step Cluster Initialization: 1. Initialize Master 2. Retrieve Token from Initialize 3. Join Nodes with Token Still requires coordination / synchronization
8 #KubeCon - @zehicle We need to build underlay infrastructure But First, Kubeadm Prereqs Basic Three Step Underlay: 1. install operating system with network access 2. attach disks (optional?!) 3. install Docker on the machine Oh, and we need to have some control mechanism on the nodes too.
9 #KubeCon - @zehicle A bootstrapping illustration node01 node02 node03 node04
10 #KubeCon - @zehicle A bootstrapping illustration Install O/S Install Docker Install O/S Install Docker 1 2 Install O/S Install Docker Install O/S Install Docker node01 node02 node03 node04 Install Stage
11 #KubeCon - @zehicle A bootstrapping illustration Install O/S Install Docker Kubeadm -- Init Cluster Token Install O/S Install Docker 1 2 3 4 Install O/S Install Docker Install O/S Install Docker node01 node02 node03 node04 master node (random or selected)
12 #KubeCon - @zehicle A bootstrapping illustration Install O/S Install Docker Kubeadm -- Init Cluster Token Install O/S Install Docker Kubeadm -- Join wait for token 1 2 3 4 5 Install O/S Install Docker Kubeadm -- Join wait for token Install O/S Install Docker Kubeadm -- Join wait for token node01 node02 node03 node04
13 #KubeCon - @zehicle Later... A bootstrapping illustration Install O/S Install Docker Kubeadm -- Init Cluster Token Install O/S Install Docker Kubeadm -- Join wait for token 1 2 3 4 5 Install O/S Install Docker Kubeadm -- Join wait for token Install O/S Install Docker Kubeadm -- Join wait for token Install O/S Install Docker Kubeadm -- Join wait for token node01 node02 node03 node04 nodeN
14 #KubeCon - @zehicle A bootstrapping illustration Install O/S Install Docker Kubeadm -- Init Cluster Token Install O/S Install Docker Kubeadm -- Join wait for token 1 2 3 4 5 Install O/S Install Docker Kubeadm -- Join wait for token Install O/S Install Docker Kubeadm -- Join wait for token Install O/S Install Docker Kubeadm -- Join wait for token node01 node02 node03 node04 nodeN
PSA: THIS IS NOT A NEW INSTALLER At RackN, we push back against the distro installer wars (ala OpenStack). We believe that Kubernetes install tooling should be a shared community investment.
Demo! Kubeadm Rebar Immutable Bootstrap
Pretty Cool! But... There is more to do ● Adding Nodes requires Token ● Adding Kubelet requires Configuration ● Cluster API (Orchestrating Update)
18 #KubeCon - @zehicle Benefits! 1. Immutable Configuration 2. Auto Scaling 3. Faster Node Install 4. Centralized Configuration of Cluster 5. Coordinated Upgrades Still requires coordination / synchronization https://kubernetes.io/docs/admin/admission-controllers/ Node Admission
19 #KubeCon - @zehicle NOT Node specific! Admission control provides an API mechanism to block creation of new objects. In this case, Admission would allow an external system to validate that new nodes are known and trusted. HSM: Hardware Signing Module Node Admission Kubelet API Server External Node Validation 1 Install 2Create 3 Confirm 5Allow 4 Verify
20 #KubeCon - @zehicle HSM: Hardware Signing Module Node Admission with HSM Kubelet API Server External Node Validation 1 Install 2Create 3 Confirm 5Allow 4 Verify PKI A Pass Token B Encrypt Token Encrypted Token E Encrypted Token FEncrypted Token GVerfiy HSM ensures unique identy of machine by signing secret token. Only token creater (PKI) and machine know the secret. API Server cannot read or validate internally. C Public Key
21 #KubeCon - @zehicle Frankly, RackN is on the fence. If injecting a join cluster token then the external system has already verified the new node. Is Node Admission Needed?
22 #KubeCon - @zehicle https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/ Kubelet Dynamic Configuration We want to eliminate external configuration tools. Kubernetes is already a system configuration database! Can’t we just use that capability to bootstrap the system? Then we have fewer tools to learn and managed! (IMHO, this is known as a the bootstrap fallacy)
23 #KubeCon - @zehicle Ideally, it would be like this... 1. Centrally Configurate 2. Install Kubelet 3. Allow Kubelet to Register 4. Kubelet Configures itself Kubelet2 Install 3Reg 4Config API Server1 Config
24 #KubeCon - @zehicle https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/ Kubelet Dynamic Configuration 1. Install Node and Kubelet 2. Configure Kubelet 3. Allow Kubelet to Register 4. Register Configuration in API 5. Reconfigure Kubelet to use configuration from API 6. Manage configuration from API Kubelet 1 Install 3Reg 6Config API Server 2 Config 4 Config 5 ReConfig
25 #KubeCon - @zehicle Frankly, RackN is on the fence. Since we have to boostrap a node with some configuration, there is not much difference between some and all configuration. We have not eliminated configuration. Is Dynamic Configuration Needed?
We’re Making Great Progress! We can automatically bootstrap a cluster using open community tools with minimal configuration. And we have room to improve.
Thank you Join In! http://rebar.digital Follow: ● Rob Hirschfeld > @zehicle ● RackN > @rackngo ● Digital Rebar > @digitalrebar ● Cluster Ops SIG > http://bit.ly/k8sclops

More Related Content

PDF
Kubecon 2017 Zero Touch Kubernetes
rhirschfeld
 
PDF
#SREcon Immutable Infrastructure: rethinking configuration mgmt
rhirschfeld
 
PDF
Continuous Deployment with Jenkins on Kubernetes
Matt Baldwin
 
PPTX
Tectonic Summit 2016: Kubernetes 1.5 and Beyond
CoreOS
 
PDF
Building kubectl plugins with Quarkus | DevNation Tech Talk
Red Hat Developers
 
PPTX
Zero to Continuous Delivery on Google Cloud
James Heggs
 
PDF
Git deep dive – chopping Kubernetes
Stefan Schimanski
 
PDF
Kubelet with no Kubernetes Masters | DevNation Tech Talk
Red Hat Developers
 
Kubecon 2017 Zero Touch Kubernetes
rhirschfeld
 
#SREcon Immutable Infrastructure: rethinking configuration mgmt
rhirschfeld
 
Continuous Deployment with Jenkins on Kubernetes
Matt Baldwin
 
Tectonic Summit 2016: Kubernetes 1.5 and Beyond
CoreOS
 
Building kubectl plugins with Quarkus | DevNation Tech Talk
Red Hat Developers
 
Zero to Continuous Delivery on Google Cloud
James Heggs
 
Git deep dive – chopping Kubernetes
Stefan Schimanski
 
Kubelet with no Kubernetes Masters | DevNation Tech Talk
Red Hat Developers
 

What's hot (20)

PDF
Extend and build on Kubernetes
Stefan Schimanski
 
PDF
Achieving CI/CD with Kubernetes
Ramit Surana
 
PDF
Container Days Boston - Kubernetes in production
Mike Splain
 
PDF
Cantainer CI/ CD with Kubernetes
inwin stack
 
PDF
Kubernetes Architecture - beyond a black box - Part 2
Hao H. Zhang
 
PPTX
Tectonic Summit 2016: The Origins of Kubernetes
CoreOS
 
PDF
Cutting the Kubernetes Monorepo in pieces – never learnt more about git
Stefan Schimanski
 
PDF
Using Libvirt with Cluster API to manage baremetal Kubernetes
Himani Agrawal
 
PDF
Kube-AWS
CoreOS
 
PPTX
Scaling jenkins with kubernetes
Ami Mahloof
 
PDF
Bosh 2-0-reloaded
Gwenn Etourneau
 
PDF
Deep dive in container service discovery
Docker, Inc.
 
PDF
KubeCon EU 2016: Kubernetes and the Potential for Higher Level Interfaces
KubeAcademy
 
PDF
How to integrate Kubernetes in OpenStack: You need to know these project
inwin stack
 
PPTX
Managing Docker Containers In A Cluster - Introducing Kubernetes
Marc Sluiter
 
PDF
Beyond static configuration
Stefan Schimanski
 
PDF
Git 101: Git and GitHub for Beginners
HubSpot
 
PDF
Extending kubernetes with CustomResourceDefinitions
Stefan Schimanski
 
PPTX
How Kubernetes scheduler works
Himani Agrawal
 
PDF
Kubernetes 101 Workshop
Bret McGowen - NYC Google Developer Advocate
 
Extend and build on Kubernetes
Stefan Schimanski
 
Achieving CI/CD with Kubernetes
Ramit Surana
 
Container Days Boston - Kubernetes in production
Mike Splain
 
Cantainer CI/ CD with Kubernetes
inwin stack
 
Kubernetes Architecture - beyond a black box - Part 2
Hao H. Zhang
 
Tectonic Summit 2016: The Origins of Kubernetes
CoreOS
 
Cutting the Kubernetes Monorepo in pieces – never learnt more about git
Stefan Schimanski
 
Using Libvirt with Cluster API to manage baremetal Kubernetes
Himani Agrawal
 
Kube-AWS
CoreOS
 
Scaling jenkins with kubernetes
Ami Mahloof
 
Bosh 2-0-reloaded
Gwenn Etourneau
 
Deep dive in container service discovery
Docker, Inc.
 
KubeCon EU 2016: Kubernetes and the Potential for Higher Level Interfaces
KubeAcademy
 
How to integrate Kubernetes in OpenStack: You need to know these project
inwin stack
 
Managing Docker Containers In A Cluster - Introducing Kubernetes
Marc Sluiter
 
Beyond static configuration
Stefan Schimanski
 
Git 101: Git and GitHub for Beginners
HubSpot
 
Extending kubernetes with CustomResourceDefinitions
Stefan Schimanski
 
How Kubernetes scheduler works
Himani Agrawal
 
Kubernetes 101 Workshop
Bret McGowen - NYC Google Developer Advocate
 
Ad

Similar to KubeCon 2017 Zero Touch Provision (20)

PDF
Kubernetes on Bare Metal at the Kitchener-Waterloo Kubernetes and Cloud Nativ...
CloudOps2005
 
PDF
From Kubernetes to OpenStack in Sydney
SK Telecom
 
PDF
The App Developer's Kubernetes Toolbox
Nebulaworks
 
PDF
Kubernetes Day 2017 - Build, Ship and Run Your APP, Production !!
smalltown
 
PPTX
Helm and the zen of managing complex Kubernetes apps
Abhishek Chanda
 
PDF
Day 2 Kubernetes - Tools for Operability (KubeCon)
bridgetkromhout
 
PDF
Kubernetes for java developers - Tutorial at Oracle Code One 2018
Anthony Dahanne
 
PDF
Deploying on Kubernetes - An intro
André Cruz
 
PPTX
K8s in 3h - Kubernetes Fundamentals Training
Piotr Perzyna
 
PPTX
A Million ways of Deploying a Kubernetes Cluster
Jimmy Lu
 
PDF
Kubernetes for Java Developers
Anthony Dahanne
 
PDF
David Steiman - Getting serious with private kubernetes clusters & cloud nati...
Codemotion
 
PPTX
Simplify Your Way To Expert Kubernetes Management
DevOps.com
 
PPTX
A brief study on Kubernetes and its components
Ramit Surana
 
PPTX
Kubernetes Manchester - 6th December 2018
David Stockton
 
PPTX
Kubernetes is Hard! Lessons Learned Taking Our Apps to Kubernetes by Eldad Assis
AgileSparks
 
PPTX
Kubernetes at NU.nl (Kubernetes meetup 2019-09-05)
Tibo Beijen
 
PDF
Container orchestration k8s azure kubernetes services
Rajesh Kolla
 
PPTX
Container Conf 2017: Rancher Kubernetes
Vishal Biyani
 
PDF
Containers, orchestration and security, oh my!
rhirschfeld
 
Kubernetes on Bare Metal at the Kitchener-Waterloo Kubernetes and Cloud Nativ...
CloudOps2005
 
From Kubernetes to OpenStack in Sydney
SK Telecom
 
The App Developer's Kubernetes Toolbox
Nebulaworks
 
Kubernetes Day 2017 - Build, Ship and Run Your APP, Production !!
smalltown
 
Helm and the zen of managing complex Kubernetes apps
Abhishek Chanda
 
Day 2 Kubernetes - Tools for Operability (KubeCon)
bridgetkromhout
 
Kubernetes for java developers - Tutorial at Oracle Code One 2018
Anthony Dahanne
 
Deploying on Kubernetes - An intro
André Cruz
 
K8s in 3h - Kubernetes Fundamentals Training
Piotr Perzyna
 
A Million ways of Deploying a Kubernetes Cluster
Jimmy Lu
 
Kubernetes for Java Developers
Anthony Dahanne
 
David Steiman - Getting serious with private kubernetes clusters & cloud nati...
Codemotion
 
Simplify Your Way To Expert Kubernetes Management
DevOps.com
 
A brief study on Kubernetes and its components
Ramit Surana
 
Kubernetes Manchester - 6th December 2018
David Stockton
 
Kubernetes is Hard! Lessons Learned Taking Our Apps to Kubernetes by Eldad Assis
AgileSparks
 
Kubernetes at NU.nl (Kubernetes meetup 2019-09-05)
Tibo Beijen
 
Container orchestration k8s azure kubernetes services
Rajesh Kolla
 
Container Conf 2017: Rancher Kubernetes
Vishal Biyani
 
Containers, orchestration and security, oh my!
rhirschfeld
 
Ad

More from RackN (12)

PDF
Immutable Infrastructure & Rethinking Configuration - Interop 2019
RackN
 
PDF
Digital Rebar Community Welcome Guide
RackN
 
PDF
Immutable Deployment Hands-On Lab Interop ITX
RackN
 
PDF
Composable Infrastructure Talk at Interop ITX 2018
RackN
 
PDF
SRECon 18 Immutable Infrastructure
RackN
 
PDF
Immutable infrastructure & Rethinking Configuration
RackN
 
PDF
Immutable infrastructure & Rethinking Configuration
RackN
 
PDF
Immutable Kubernetes with Digital Rebar Provision
RackN
 
PDF
RackN Company Overview
RackN
 
PDF
Operational Improvement Issues, Impacts and Solution from RackN
RackN
 
PDF
Data Center’s Last Mile: Zero Touch Metal Automation
RackN
 
PDF
DevOps vs SRE vs Cloud Native
RackN
 
Immutable Infrastructure & Rethinking Configuration - Interop 2019
RackN
 
Digital Rebar Community Welcome Guide
RackN
 
Immutable Deployment Hands-On Lab Interop ITX
RackN
 
Composable Infrastructure Talk at Interop ITX 2018
RackN
 
SRECon 18 Immutable Infrastructure
RackN
 
Immutable infrastructure & Rethinking Configuration
RackN
 
Immutable infrastructure & Rethinking Configuration
RackN
 
Immutable Kubernetes with Digital Rebar Provision
RackN
 
RackN Company Overview
RackN
 
Operational Improvement Issues, Impacts and Solution from RackN
RackN
 
Data Center’s Last Mile: Zero Touch Metal Automation
RackN
 
DevOps vs SRE vs Cloud Native
RackN
 

Recently uploaded (20)

PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
August Patch Tuesday
Ivanti
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
August Patch Tuesday
Ivanti
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
project resource management chapter-09.pdf
ssuser00e6e21
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 

KubeCon 2017 Zero Touch Provision

  • 1. Zero-Configuration Pattern Provisioning Kubernetes on Unmanaged Infrastructure Rob @zehicle Hirschfeld, RackN November, 2017
  • 2. Hang on to your Hats! Krazy New Stuff ● Immutable Bootstrap (demo!) ● Node Admission (v1.7) ● Dynamic Kubelet (v1.8)
  • 3. 3 #KubeCon - @zehicle Rob Hirschfeld (@zehicle) Involved in Kubernetes since launch Co-chair of Cluster Ops SIG Co-Founder of RackN & Digital Rebar Project We focus on operations automation for bare metal
  • 4. 4 #KubeCon - @zehicle We’ve been using Kubespray since Kubernetes v1.2 But first… Kubespray ● Very Solid Ansible Playbook ● Strong Community ● Amazing Features like HA & Upgrade HTTP://bit.ly/SYDkubespray But….
  • 5. 5 #KubeCon - @zehicle Why not Kubespray? We’d like to do better! ● No Centralized Orchestration ● No Inventory Building ● No SSH ● Immutable Booting ● and, much FASTER I don’t always Ansible, but when I do Ansible, I use Kubespray.
  • 6. 6 #KubeCon - @zehicle Let’s get Immutable! What? ● Create, Destroy & Repeat ● Machines recreated, not updated ● Typically “Pre-Baked” images Why? ● Very repeatable and predictable installation ● Simpler node configuration ● Faster deploy time
  • 7. 7 #KubeCon - @zehicle Community converging to single install utility! Leveraging Kubeadm Basic Three Step Cluster Initialization: 1. Initialize Master 2. Retrieve Token from Initialize 3. Join Nodes with Token Still requires coordination / synchronization
  • 8. 8 #KubeCon - @zehicle We need to build underlay infrastructure But First, Kubeadm Prereqs Basic Three Step Underlay: 1. install operating system with network access 2. attach disks (optional?!) 3. install Docker on the machine Oh, and we need to have some control mechanism on the nodes too.
  • 9. 9 #KubeCon - @zehicle A bootstrapping illustration node01 node02 node03 node04
  • 10. 10 #KubeCon - @zehicle A bootstrapping illustration Install O/S Install Docker Install O/S Install Docker 1 2 Install O/S Install Docker Install O/S Install Docker node01 node02 node03 node04 Install Stage
  • 11. 11 #KubeCon - @zehicle A bootstrapping illustration Install O/S Install Docker Kubeadm -- Init Cluster Token Install O/S Install Docker 1 2 3 4 Install O/S Install Docker Install O/S Install Docker node01 node02 node03 node04 master node (random or selected)
  • 12. 12 #KubeCon - @zehicle A bootstrapping illustration Install O/S Install Docker Kubeadm -- Init Cluster Token Install O/S Install Docker Kubeadm -- Join wait for token 1 2 3 4 5 Install O/S Install Docker Kubeadm -- Join wait for token Install O/S Install Docker Kubeadm -- Join wait for token node01 node02 node03 node04
  • 13. 13 #KubeCon - @zehicle Later... A bootstrapping illustration Install O/S Install Docker Kubeadm -- Init Cluster Token Install O/S Install Docker Kubeadm -- Join wait for token 1 2 3 4 5 Install O/S Install Docker Kubeadm -- Join wait for token Install O/S Install Docker Kubeadm -- Join wait for token Install O/S Install Docker Kubeadm -- Join wait for token node01 node02 node03 node04 nodeN
  • 14. 14 #KubeCon - @zehicle A bootstrapping illustration Install O/S Install Docker Kubeadm -- Init Cluster Token Install O/S Install Docker Kubeadm -- Join wait for token 1 2 3 4 5 Install O/S Install Docker Kubeadm -- Join wait for token Install O/S Install Docker Kubeadm -- Join wait for token Install O/S Install Docker Kubeadm -- Join wait for token node01 node02 node03 node04 nodeN
  • 15. PSA: THIS IS NOT A NEW INSTALLER At RackN, we push back against the distro installer wars (ala OpenStack). We believe that Kubernetes install tooling should be a shared community investment.
  • 17. Pretty Cool! But... There is more to do ● Adding Nodes requires Token ● Adding Kubelet requires Configuration ● Cluster API (Orchestrating Update)
  • 18. 18 #KubeCon - @zehicle Benefits! 1. Immutable Configuration 2. Auto Scaling 3. Faster Node Install 4. Centralized Configuration of Cluster 5. Coordinated Upgrades Still requires coordination / synchronization https://kubernetes.io/docs/admin/admission-controllers/ Node Admission
  • 19. 19 #KubeCon - @zehicle NOT Node specific! Admission control provides an API mechanism to block creation of new objects. In this case, Admission would allow an external system to validate that new nodes are known and trusted. HSM: Hardware Signing Module Node Admission Kubelet API Server External Node Validation 1 Install 2Create 3 Confirm 5Allow 4 Verify
  • 20. 20 #KubeCon - @zehicle HSM: Hardware Signing Module Node Admission with HSM Kubelet API Server External Node Validation 1 Install 2Create 3 Confirm 5Allow 4 Verify PKI A Pass Token B Encrypt Token Encrypted Token E Encrypted Token FEncrypted Token GVerfiy HSM ensures unique identy of machine by signing secret token. Only token creater (PKI) and machine know the secret. API Server cannot read or validate internally. C Public Key
  • 21. 21 #KubeCon - @zehicle Frankly, RackN is on the fence. If injecting a join cluster token then the external system has already verified the new node. Is Node Admission Needed?
  • 22. 22 #KubeCon - @zehicle https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/ Kubelet Dynamic Configuration We want to eliminate external configuration tools. Kubernetes is already a system configuration database! Can’t we just use that capability to bootstrap the system? Then we have fewer tools to learn and managed! (IMHO, this is known as a the bootstrap fallacy)
  • 23. 23 #KubeCon - @zehicle Ideally, it would be like this... 1. Centrally Configurate 2. Install Kubelet 3. Allow Kubelet to Register 4. Kubelet Configures itself Kubelet2 Install 3Reg 4Config API Server1 Config
  • 24. 24 #KubeCon - @zehicle https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/ Kubelet Dynamic Configuration 1. Install Node and Kubelet 2. Configure Kubelet 3. Allow Kubelet to Register 4. Register Configuration in API 5. Reconfigure Kubelet to use configuration from API 6. Manage configuration from API Kubelet 1 Install 3Reg 6Config API Server 2 Config 4 Config 5 ReConfig
  • 25. 25 #KubeCon - @zehicle Frankly, RackN is on the fence. Since we have to boostrap a node with some configuration, there is not much difference between some and all configuration. We have not eliminated configuration. Is Dynamic Configuration Needed?
  • 26. We’re Making Great Progress! We can automatically bootstrap a cluster using open community tools with minimal configuration. And we have room to improve.
  • 27. Thank you Join In! http://rebar.digital Follow: ● Rob Hirschfeld > @zehicle ● RackN > @rackngo ● Digital Rebar > @digitalrebar ● Cluster Ops SIG > http://bit.ly/k8sclops