
· 2 min read
  1. Create a namespace named 'cka-exam' and, in the 'cka-exam' namespace, create the following Pod.
     • pod Name: pod-01
     • image: busybox
     • environment variable: CERT = "CKA-cert"
     • command: /bin/sh
     • args: -c "while true; do echo $(CERT); sleep 10;done"
// switch the namespace of the current context
$ kubectl config set-context --current --namespace=<namespace>
// list contexts (the NAMESPACE column shows the active namespace)
$ kubectl config get-contexts

https://stackoverflow.com/questions/55373686/how-to-switch-namespace-in-kubernetes
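A manifest that satisfies the task above, added here as an example and not part of the original post (the file name in the comment is an assumption). The Namespace object is included so that one apply creates both. The point worth knowing is that `$(CERT)` is expanded by Kubernetes itself from the container's `env` entries before the shell ever runs, so the loop prints the variable's value rather than attempting a command substitution.

```yaml
# Added example: pod-01.yaml (file name assumed). Apply with
#   kubectl apply -f pod-01.yaml
# then check with
#   kubectl -n cka-exam logs pod-01
apiVersion: v1
kind: Namespace
metadata:
  name: cka-exam
---
apiVersion: v1
kind: Pod
metadata:
  name: pod-01
  namespace: cka-exam
spec:
  containers:
  - name: pod-01
    image: busybox
    env:
    - name: CERT
      value: "CKA-cert"
    command: ["/bin/sh"]
    # $(CERT) is substituted by the kubelet from the env list above,
    # so the shell receives the literal string "CKA-cert".
    args: ["-c", "while true; do echo $(CERT); sleep 10; done"]
  restartPolicy: Always
```

If the variable were referenced as `$CERT` or `${CERT}` instead, Kubernetes would leave it alone and the shell would resolve it at run time; both forms print the same value here, but only `$(VAR)` works for fields such as `args` that are not interpreted by a shell.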

static pod

Managed directly by the kubelet on a specific node, without going through the API server; applied when a Pod YAML file is saved into the /etc/kubernetes/manifests/ directory

static pod directory configuration
# cat /var/lib/kubelet/config.yaml

staticPodPath: /etc/kubernetes/manifests

Adding a YAML file to /etc/kubernetes/manifests creates the Pod, and deleting the YAML file deletes the Pod (automatically)
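An added example of a static pod manifest, not from the original post; the directory is the staticPodPath shown above, while the file name, pod name and image are assumptions.

```yaml
# Added example: /etc/kubernetes/manifests/static-web.yaml (file name assumed).
# The kubelet on this node starts the pod as soon as the file appears in the
# directory and stops it when the file is removed; no kubectl apply is involved.
apiVersion: v1
kind: Pod
metadata:
  name: static-web
  namespace: default
  labels:
    role: static
spec:
  containers:
  - name: web
    image: nginx:1.27
    ports:
    - containerPort: 80
```

The API server only shows a read-only mirror pod named `static-web-<node name>`; `kubectl delete` on that mirror has no lasting effect, the file itself has to be removed. Because nothing in this path passes admission control or RBAC, write access to the manifests directory is equivalent to running arbitrary pods on the node, so keep it root-owned and include it in file-integrity monitoring on control-plane hosts.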

multi-container

sidecar-container

sidecar

Used to extend the function of the main container: the original container stays focused on its core service, and additional functions are applied through a separate container

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  labels:
    app: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: alpine:latest
          command:
            [
              "sh",
              "-c",
              'while true; do echo "logging" >> /opt/logs.txt; sleep 1; done',
            ]
          volumeMounts:
            - name: data
              mountPath: /opt
      initContainers:
        - name: logshipper
          image: alpine:latest
          restartPolicy: Always
          command: ["sh", "-c", "tail -F /opt/logs.txt"]
          volumeMounts:
            - name: data
              mountPath: /opt
      volumes:
        - name: data
          emptyDir: {}

https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/

· 2 min read
  • Installing kind
  • kind multi-node install

Installing kind

brew install kind
brew install kubectl
kind create cluster --name k8s-cluster
kubectl cluster-info --context k8s-cluster

kind multi-node install

cat > kind-config.yaml <<EOF
# three node (two workers) cluster config
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker
- role: worker
EOF
kind create cluster --name k8s-playground --config kind-config.yaml
kind get clusters
kind get kubeconfig --name k8s-cluster
% kubectl cluster-info
Kubernetes control plane is running at https://127.0.0.1:49388
CoreDNS is running at https://127.0.0.1:49388/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
% kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* kind-k8s-cluster kind-k8s-cluster kind-k8s-cluster
% kubectl get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 4m42s
% kubectl get  nodes
NAME STATUS ROLES AGE VERSION
k8s-cluster-control-plane Ready control-plane 5m v1.32.0
% kubectl get pod
No resources found in default namespace.
% kubectl get namespaces
NAME STATUS AGE
default Active 5m45s
kube-node-lease Active 5m45s
kube-public Active 5m45s
kube-system Active 5m45s
local-path-storage Active 5m41s

Reference

https://mcvidanagama.medium.com/set-up-a-multi-node-kubernetes-cluster-locally-using-kind-eafd46dd63e5

· 3 min read


Java Source: Java code written by the user

Java Compiler: converts Java Source files into Java Byte Code that the JVM can interpret

Java Byte Code: the output produced by the Java Compiler (.class files)

Execution Engine: interprets the Bytecode of the loaded classes

Runtime Data Area: the memory space that the JVM process is allocated by the OS in order to run the program


Method Area: the region where class, variable, method, static variable and constant information is stored

Heap Area: the region where instances and objects created with the new operator are stored (GC runs in this area; shared by all threads)

Stack Area: the region where the values used inside a method (parameters, local variables, return values, etc.) are stored. A frame is pushed (LIFO) each time a method is called and popped (LIFO) when the method finishes (one stack per thread)

PC Register: similar in role to a CPU register; holds the address of the JVM instruction currently being executed

Native Method Stack: the region allocated for calling methods written in other languages (C/C++, etc.); a stack is formed to suit that language

Java Heap

Hotspot JVM


GC

Slower than explicit memory release; the suspend time that occurs at the moment of GC causes various problems

As a broader notion of the Root Set:

Any object that has a reference relationship of some kind from the Root Set is called a Reachable Object and is judged to be an object currently in use

If the Local Variable Section or the Operand Stack holds an object's reference, that object is a Reachable Object

Among the classes loaded in the Method Area, an object that is not referenced directly by a thread but is indirectly linked through the constant pool, based on the reference information in the constant pool, is a Reachable Object.

An object that still remains in memory and has been handed over to the Native Method Area is a Reachable Object.

GC Fragment

Memory Compaction

GC tuning


· 5 min read

DevOps philosophy

  • Culture - building one shared culture
  • Automation - pursuing efficiency and speed through automation
  • Measurement - measuring metrics and improving continuously
  • Share - advancing through sharing
  • File Up & Pile Up - accumulating records and improving further

lifecycle

  • create_before_destroy: when a resource is modified, create the new resource first and then delete the existing one
  • prevent_destroy: explicitly refuse any attempt to destroy the resource
  • ignore_changes: ignore changes to the arguments declared in the resource block when Terraform runs
  • precondition: validate conditions on the arguments declared in the resource block
  • postcondition: validate the result after Plan and Apply through attribute values

Homebrew installation permission issue

https://stackoverflow.com/questions/16432071/how-to-fix-homebrew-permissions

As Homebrew does not drop privileges on installation you would be giving all
build scripts full access to your system.
keke@MacBookPro ~ % sudo chown -R $(whoami) $(brew --prefix)/*

terraform upgrade 1.2.3 -> 1.10.0

keke@MacBookPro ~ % brew upgrade terraform
==> Auto-updating Homebrew...
Adjust how often this is run with HOMEBREW_AUTO_UPDATE_SECS or disable with
HOMEBREW_NO_AUTO_UPDATE. Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
==> Downloading https://ghcr.io/v2/homebrew/portable-ruby/portable-ruby/blobs/sha256:d9faa506c014dedc0b034a68103ba75c9a58242f4d6c67b6ca0f649c39602bcf
######################################################################### 100.0%
==> Pouring portable-ruby-3.3.7.arm64_big_sur.bottle.tar.gz
==> Auto-updated Homebrew!
Updated 1 tap (homebrew/services).
No changes to formulae or casks.

==> Upgrading 1 outdated package:
terraform 1.2.3 -> 1.5.7
Warning: terraform has been deprecated because it changed its license to BUSL on the next release! It will be disabled on 2025-04-04.
==> Downloading https://ghcr.io/v2/homebrew/core/terraform/manifests/1.5.7-1
######################################################################### 100.0%
==> Fetching terraform
==> Downloading https://ghcr.io/v2/homebrew/core/terraform/blobs/sha256:87e8faf4
######################################################################### 100.0%
==> Upgrading terraform
1.2.3 -> 1.5.7
==> Pouring terraform--1.5.7.arm64_sequoia.bottle.1.tar.gz
==> Caveats
We will not accept any new Terraform releases in homebrew/core (with the BUSL license).
The next release changed to a non-open-source license:
https://www.hashicorp.com/blog/hashicorp-adopts-business-source-license
See our documentation for acceptable licences:
https://docs.brew.sh/License-Guidelines
==> Summary
🍺 /opt/homebrew/Cellar/terraform/1.5.7: 7 files, 62.3MB
==> Running `brew cleanup terraform`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
Removing: /opt/homebrew/Cellar/terraform/1.2.3... (6 files, 66.2MB)
==> `brew cleanup` has not been run in the last 30 days, running now...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
Removing: /Users/keke/Library/Caches/Homebrew/act_bottle_manifest--0.2.61... (7.2KB)
Removing: /Users/keke/Library/Caches/Homebrew/aom_bottle_manifest--3.9.1... (21.7KB)
Removing: /Users/keke/Library/Caches/Homebrew/aom--3.9.1... (3.8MB)
Removing: /Users/keke/Library/Caches/Homebrew/boost_bottle_manifest--1.85.0... (30.3KB)
Removing: /Users/keke/Library/Caches/Homebrew/boost--1.85.0... (94MB)
Removing: /Users/keke/Library/Caches/Homebrew/c-ares_bottle_manifest--1.33.0... (7.8KB)
Removing: /Users/keke/Library/Caches/Homebrew/c-ares--1.33.0... (266.5KB)
Removing: /Users/keke/Library/Caches/Homebrew/ca-certificates_bottle_manifest--2024-07-02... (1.8KB)
Removing: /Users/keke/Library/Caches/Homebrew/ca-certificates--2024-07-02... (129.1KB)
Removing: /Users/keke/Library/Caches/Homebrew/edencommon_bottle_manifest--2024.08.12.00... (24.8KB)
Removing: /Users/keke/Library/Caches/Homebrew/edencommon--2024.08.12.00... (420.7KB)
Removing: /Users/keke/Library/Caches/Homebrew/fb303_bottle_manifest--2024.08.12.00... (23.9KB)
Removing: /Users/keke/Library/Caches/Homebrew/fb303--2024.08.12.00... (732KB)
Removing: /Users/keke/Library/Caches/Homebrew/fbthrift_bottle_manifest--2024.08.12.00... (23.3KB)
Removing: /Users/keke/Library/Caches/Homebrew/fbthrift--2024.08.12.00... (5MB)
Removing: /Users/keke/Library/Caches/Homebrew/fizz_bottle_manifest--2024.08.12.00... (20.6KB)
Removing: /Users/keke/Library/Caches/Homebrew/fizz--2024.08.12.00... (993.3KB)
Removing: /Users/keke/Library/Caches/Homebrew/folly_bottle_manifest--2024.08.12.00... (19.5KB)
Removing: /Users/keke/Library/Caches/Homebrew/folly--2024.08.12.00... (6.3MB)
Removing: /Users/keke/Library/Caches/Homebrew/fribidi_bottle_manifest--1.0.15... (7.5KB)
Removing: /Users/keke/Library/Caches/Homebrew/fribidi--1.0.15... (141.2KB)
Removing: /Users/keke/Library/Caches/Homebrew/gdbm_bottle_manifest--1.24... (7.8KB)
Removing: /Users/keke/Library/Caches/Homebrew/gdbm--1.24... (272.6KB)
Removing: /Users/keke/Library/Caches/Homebrew/gdk-pixbuf_bottle_manifest--2.42.12... (22.2KB)
Removing: /Users/keke/Library/Caches/Homebrew/gdk-pixbuf--2.42.12... (766.3KB)
Removing: /Users/keke/Library/Caches/Homebrew/giflib_bottle_manifest--5.2.2... (7.2KB)
Removing: /Users/keke/Library/Caches/Homebrew/giflib--5.2.2... (149.2KB)
Removing: /Users/keke/Library/Caches/Homebrew/git_bottle_manifest--2.46.0... (15.4KB)
Removing: /Users/keke/Library/Caches/Homebrew/glib_bottle_manifest--2.80.4... (23.0KB)
Removing: /Users/keke/Library/Caches/Homebrew/glib--2.80.4... (8.5MB)
Removing: /Users/keke/Library/Caches/Homebrew/gnutls_bottle_manifest--3.8.4... (17.9KB)
Removing: /Users/keke/Library/Caches/Homebrew/gnutls--3.8.4... (3.0MB)
Removing: /Users/keke/Library/Caches/Homebrew/gradle_bottle_manifest--8.10... (37.8KB)
Removing: /Users/keke/Library/Caches/Homebrew/gradle--8.10... (189.1MB)
Removing: /Users/keke/Library/Caches/Homebrew/graphviz_bottle_manifest--12.1.0... (54.9KB)
Removing: /Users/keke/Library/Caches/Homebrew/graphviz--12.1.0... (2.9MB)
Removing: /Users/keke/Library/Caches/Homebrew/harfbuzz_bottle_manifest--9.0.0... (31.3KB)
Removing: /Users/keke/Library/Caches/Homebrew/harfbuzz--9.0.0... (2.5MB)
Removing: /Users/keke/Library/Caches/Homebrew/highway_bottle_manifest--1.2.0... (7.7KB)
Removing: /Users/keke/Library/Caches/Homebrew/highway--1.2.0... (733.9KB)
Removing: /Users/keke/Library/Caches/Homebrew/jasper_bottle_manifest--4.2.4... (8.3KB)
Removing: /Users/keke/Library/Caches/Homebrew/jasper--4.2.4... (465.7KB)
Removing: /Users/keke/Library/Caches/Homebrew/jenv_bottle_manifest--0.5.7... (1.8KB)
Removing: /Users/keke/Library/Caches/Homebrew/jenv--0.5.7... (22.1KB)
Removing: /Users/keke/Library/Caches/Homebrew/jpeg-turbo_bottle_manifest--3.0.3... (7.7KB)
Removing: /Users/keke/Library/Caches/Homebrew/jpeg-turbo--3.0.3... (1.1MB)
Removing: /Users/keke/Library/Caches/Homebrew/jpeg-xl_bottle_manifest--0.10.3... (23.0KB)
Removing: /Users/keke/Library/Caches/Homebrew/jpeg-xl--0.10.3... (11.9MB)
Removing: /Users/keke/Library/Caches/Homebrew/kotlin_bottle_manifest--2.0.10... (5.9KB)
Removing: /Users/keke/Library/Caches/Homebrew/kotlin--2.0.10... (79.8MB)
Removing: /Users/keke/Library/Caches/Homebrew/libavif_bottle_manifest--1.1.1... (22.9KB)
Removing: /Users/keke/Library/Caches/Homebrew/libavif--1.1.1... (195.0KB)
Removing: /Users/keke/Library/Caches/Homebrew/libnghttp2_bottle_manifest--1.61.0... (7.4KB)
Removing: /Users/keke/Library/Caches/Homebrew/libnghttp2--1.61.0... (224.2KB)
Removing: /Users/keke/Library/Caches/Homebrew/librsvg_bottle_manifest--2.58.2... (37.2KB)
Removing: /Users/keke/Library/Caches/Homebrew/librsvg--2.58.2... (14.8MB)
Removing: /Users/keke/Library/Caches/Homebrew/libslirp_bottle_manifest--4.8.0... (17.3KB)
Removing: /Users/keke/Library/Caches/Homebrew/libslirp--4.8.0... (148.1KB)
Removing: /Users/keke/Library/Caches/Homebrew/libsodium_bottle_manifest--1.0.20... (7.4KB)
Removing: /Users/keke/Library/Caches/Homebrew/libsodium--1.0.20... (309.2KB)
Removing: /Users/keke/Library/Caches/Homebrew/libssh_bottle_manifest--0.11.0... (9.3KB)
Removing: /Users/keke/Library/Caches/Homebrew/libx11_bottle_manifest--1.8.10... (15KB)
Removing: /Users/keke/Library/Caches/Homebrew/libx11--1.8.10... (2.1MB)
Removing: /Users/keke/Library/Caches/Homebrew/libxcb_bottle_manifest--1.17.0... (15.8KB)
Removing: /Users/keke/Library/Caches/Homebrew/libxcb--1.17.0... (977.2KB)
Removing: /Users/keke/Library/Caches/Homebrew/llvm_bottle_manifest--18.1.8... (38.2KB)
Removing: /Users/keke/Library/Caches/Homebrew/llvm--18.1.8... (481.2MB)
Removing: /Users/keke/Library/Caches/Homebrew/mvfst_bottle_manifest--2024.08.12.00... (20.8KB)
Removing: /Users/keke/Library/Caches/Homebrew/mvfst--2024.08.12.00... (1.6MB)
Removing: /Users/keke/Library/Caches/Homebrew/ncurses_bottle_manifest--6.5... (11.2KB)
Removing: /Users/keke/Library/Caches/Homebrew/ncurses--6.5... (2.4MB)
Removing: /Users/keke/Library/Caches/Homebrew/netpbm_bottle_manifest--11.02.09... (13.8KB)
Removing: /Users/keke/Library/Caches/Homebrew/netpbm--11.02.09... (1.7MB)
Removing: /Users/keke/Library/Caches/Homebrew/nettle_bottle_manifest--3.10... (8.4KB)
Removing: /Users/keke/Library/Caches/Homebrew/nettle--3.10... (970.0KB)
Removing: /Users/keke/Library/Caches/Homebrew/node_bottle_manifest--22.6.0... (18.2KB)
Removing: /Users/keke/Library/Caches/Homebrew/node--22.6.0... (19.8MB)
Removing: /Users/keke/Library/Caches/Homebrew/openexr_bottle_manifest--3.2.4... (8.4KB)
Removing: /Users/keke/Library/Caches/Homebrew/openexr--3.2.4... (1.9MB)
Removing: /Users/keke/Library/Caches/Homebrew/openjdk_bottle_manifest--22.0.2... (38.7KB)
Removing: /Users/keke/Library/Caches/Homebrew/openjdk--22.0.2... (190.3MB)
Removing: /Users/keke/Library/Caches/Homebrew/openjdk@17_bottle_manifest--17.0.12... (38.6KB)
Removing: /Users/keke/Library/Caches/Homebrew/openjdk@21_bottle_manifest--21.0.4... (38.7KB)
Removing: /Users/keke/Library/Caches/Homebrew/openjdk@21--21.0.4... (191.7MB)
Removing: /Users/keke/Library/Caches/Homebrew/openssl@1.1_bottle_manifest--1.1.1w... (10.9KB)
Removing: /Users/keke/Library/Caches/Homebrew/openssl@3_bottle_manifest--3.3.1... (9.2KB)
Removing: /Users/keke/Library/Caches/Homebrew/openssl@3--3.3.1... (9.5MB)
Removing: /Users/keke/Library/Caches/Homebrew/p11-kit_bottle_manifest--0.25.5-1... (10.0KB)
Removing: /Users/keke/Library/Caches/Homebrew/p11-kit--0.25.5... (874.3KB)
Removing: /Users/keke/Library/Caches/Homebrew/pango_bottle_manifest--1.54.0... (32.0KB)
Removing: /Users/keke/Library/Caches/Homebrew/pango--1.54.0... (817KB)
Removing: /Users/keke/Library/Caches/Homebrew/pcre2_bottle_manifest--10.44... (8.8KB)
Removing: /Users/keke/Library/Caches/Homebrew/pcre2--10.44... (2MB)
Removing: /Users/keke/Library/Caches/Homebrew/pyenv_bottle_manifest--2.4.10... (26.7KB)
Removing: /Users/keke/Library/Caches/Homebrew/python@3.10_bottle_manifest--3.10.14_1... (25.0KB)
Removing: /Users/keke/Library/Caches/Homebrew/python@3.10--3.10.14_1... (14.1MB)
Removing: /Users/keke/Library/Caches/Homebrew/python@3.11_bottle_manifest--3.11.9_1... (24.8KB)
Removing: /Users/keke/Library/Caches/Homebrew/python@3.12_bottle_manifest--3.12.5... (24.4KB)
Removing: /Users/keke/Library/Caches/Homebrew/python@3.12--3.12.5... (15.5MB)
Removing: /Users/keke/Library/Caches/Homebrew/qemu_bottle_manifest--9.0.2... (53.6KB)
Removing: /Users/keke/Library/Caches/Homebrew/qemu--9.0.2... (104.4MB)
Removing: /Users/keke/Library/Caches/Homebrew/ruby_bottle_manifest--3.3.4... (16.4KB)
Removing: /Users/keke/Library/Caches/Homebrew/snappy_bottle_manifest--1.2.1... (7.3KB)
Removing: /Users/keke/Library/Caches/Homebrew/snappy--1.2.1... (45.3KB)
Removing: /Users/keke/Library/Caches/Homebrew/sqlite_bottle_manifest--3.46.1... (8.8KB)
Removing: /Users/keke/Library/Caches/Homebrew/sqlite--3.46.1... (2.2MB)
Removing: /Users/keke/Library/Caches/Homebrew/unbound_bottle_manifest--1.21.0... (14.5KB)
Removing: /Users/keke/Library/Caches/Homebrew/unbound--1.21.0... (2.8MB)
Removing: /Users/keke/Library/Caches/Homebrew/virtualenv_bottle_manifest--20.26.3... (15.8KB)
Removing: /Users/keke/Library/Caches/Homebrew/wangle_bottle_manifest--2024.08.12.00... (21.1KB)
Removing: /Users/keke/Library/Caches/Homebrew/wangle--2024.08.12.00... (836.0KB)
Removing: /Users/keke/Library/Caches/Homebrew/watchman_bottle_manifest--2024.08.12.00... (32.6KB)
Removing: /Users/keke/Library/Caches/Homebrew/watchman--2024.08.12.00... (3.5MB)
Removing: /Users/keke/Library/Caches/Homebrew/webp_bottle_manifest--1.4.0... (14.1KB)
Removing: /Users/keke/Library/Caches/Homebrew/webp--1.4.0... (874.8KB)
Removing: /Users/keke/Library/Caches/Homebrew/xorgproto_bottle_manifest--2024.1... (14.1KB)
Removing: /Users/keke/Library/Caches/Homebrew/xorgproto--2024.1... (699.7KB)
Removing: /Users/keke/Library/Caches/Homebrew/xz_bottle_manifest--5.6.2... (9.4KB)
Removing: /Users/keke/Library/Caches/Homebrew/xz--5.6.2... (569KB)
Removing: /Users/keke/Library/Caches/Homebrew/z3_bottle_manifest--4.13.0... (7.4KB)
Removing: /Users/keke/Library/Caches/Homebrew/z3--4.13.0... (12.2MB)
Removing: /Users/keke/Library/Caches/Homebrew/zstd_bottle_manifest--1.5.6... (9.1KB)
Removing: /Users/keke/Library/Caches/Homebrew/zstd--1.5.6... (758.6KB)
Removing: /Users/keke/Library/Caches/Homebrew/portable-ruby-3.3.4_1.arm64_big_sur.bottle.tar.gz... (11.1MB)
Removing: /Users/keke/Library/Logs/Homebrew/gdk-pixbuf... (208B)
Removing: /Users/keke/Library/Logs/Homebrew/python@3.12... (2 files, 2KB)
Removing: /Users/keke/Library/Logs/Homebrew/glib... (64B)
Removing: /Users/keke/Library/Logs/Homebrew/openssl@3... (64B)
Removing: /Users/keke/Library/Logs/Homebrew/ca-certificates... (64B)
Removing: /Users/keke/Library/Logs/Homebrew/librsvg... (197B)
Removing: /Users/keke/Library/Logs/Homebrew/python@3.10... (2 files, 2.5KB)
Removing: /Users/keke/Library/Logs/Homebrew/node... (64B)
Removing: /Users/keke/Library/Logs/Homebrew/unbound... (64B)
Removing: /Users/keke/Library/Logs/Homebrew/gnutls... (64B)

· 3 min read

S3 encryption

  1. SSE-S3: encryption and decryption with keys owned by S3
  2. SSE-KMS (Key Management Service): encryption with a key held in KMS
  3. SSE-C: the key is located outside AWS
  4. Client-side encryption

To force encryption in transit to S3 -> modify the bucket policy and add a Deny statement conditioned on { aws:SecureTransport: false }
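An added example of the policy change just described, not part of the original post, written as a CloudFormation template so it stays in the same YAML form as the rest of these notes; the logical resource names are assumptions. What matters is that the statement is a Deny: an Allow that merely requires aws:SecureTransport to be true would leave plain-HTTP requests permitted by any other Allow, while an explicit Deny overrides every Allow in IAM evaluation.

```yaml
# Added example (not from the original post): bucket plus a policy that
# rejects any request not made over TLS. Logical names are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  LogBucket:
    Type: AWS::S3::Bucket
  LogBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LogBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            # both the bucket itself (ListBucket) and every object in it
            Resource:
              - !GetAtt LogBucket.Arn
              - !Sub "${LogBucket.Arn}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
```

The same statement can be attached to an existing bucket through the console or `aws s3api put-bucket-policy`; after deploying, a request over `http://` to the bucket endpoint returns AccessDenied while the identical request over `https://` succeeds, which is a quick way to verify the policy took effect.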

S3 CORS can be configured

S3 MFA Delete

S3 Access Logs - Audit

S3 pre-signed URLs: temporarily create a URL that allows upload or download from a non-public S3 bucket, and perform the operation through that URL

Glacier

S3 Object Lock

Locks all objects in the bucket

  • Compliance mode: objects cannot be overwritten or deleted
  • Governance mode: administrators or some users with the IAM permissions can change/delete objects
  • Legal hold: permanent retention

S3 Access Points

  • When accessing S3 objects, define a specific path for each access point so that only those objects can be accessed

CloudFront (CDN)

CloudFront Origins:

  • S3
  • Custom Origin (HTTP): S3 website, EC2, ALB, any HTTP server

CloudFront - S3:

Geo Restriction

AWS Global Accelerator

Sends traffic to the service application in the region with the fastest response, rather than serving from a cache


AWS SQS

Message Queue

visibility timeout: sets how long a message received from the queue (by one consumer) remains invisible to other message consumers

Long Polling: for fetching many messages at once. Helps reduce the cost of using Amazon SQS by eliminating empty responses (when no messages are available for a ReceiveMessage request) and false empty responses (when messages are available but not included in the response)

AWS SNS

producer/consumer pub/sub

publishing to a topic (similar to Kafka??)

SNS + SQS: Fan Out pattern

Kinesis

real-time streaming data

  • Kinesis Data Stream
  • Kinesis Data Firehose
  • Kinesis Data Analytics
  • Kinesis + SQS FIFO

ECS

  • EC2 launch type: runs on the Docker agent inside EC2 instances
  • Fargate: serverless

· 3 min read

AWS EC2 placement groups

Placement groups

  • Cluster

The cluster strategy has the advantage of maximizing network performance, because the physical distance between instances is extremely short.

However, it carries the critical risk that a problem with one rack can affect all of the instances

  • Spread

The spread strategy places one instance per rack and distributes them across multiple AZs

  • Partition

The partition strategy combines the advantages of the cluster and spread strategies

ENI (Elastic Network Interface)

AWS instance storage

EBS == network drive

Can be detached from an EC2 instance and attached to another EC2 instance

Cannot be moved between AZs

  • gp2, gp3: low latency, SSD
  • io1, io2: high performance
  • st1, st2: HDD

EBS Multi-Attach (io1, io2)

AWS ELB

ALB - L7, NLB - L4, GWLB - L3

X-Forwarded-For, X-Forwarded-Port: the load balancer records the client's request information in these headers

Sticky Session: a way to pin requests to an instance based on a cookie

Cross-Zone Load Balancing

ACM (AWS Certificate Manager)

When an EC2 instance attached to an ELB is terminated, Connection Draining is performed (instead of terminating immediately, all requests already received are served before termination)

Auto Scaling Group

Dynamic scaling: scaling on demand. Schedule scaling: scaling on a time basis. Predictive scaling: scaling based on a prediction model

Scaling criteria

  • CPU metric
  • request count
  • average network in/out
  • custom metric

Scaling Cooldown

  • No instances are created or deleted during the cooldown period
  • Reduce the cooldown period so that updates happen faster

· One min read

Installing the AWS CLI

https://docs.aws.amazon.com/ko_kr/cli/latest/userguide/getting-started-install.html

curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
sudo installer -pkg ./AWSCLIV2.pkg -target /
% which aws
/usr/local/bin/aws
% aws --version
aws-cli/2.23.12 Python/3.12.6 Darwin/23.6.0 exe/x86_64

Access key setup

aws configure
AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]: ap-northeast-2
Default output format [None]:

Installing the AWS SAM CLI

AWS Serverless Application Model (AWS SAM) is an open-source framework for building serverless applications using infrastructure as code (IaC)

Using AWS SAM's simplified syntax, you declare AWS CloudFormation resources and special serverless resources that are transformed into infrastructure during deployment

https://docs.aws.amazon.com/ko_kr/serverless-application-model/latest/developerguide/install-sam-cli.html

· 2 min read

Installing Terraform

https://developer.hashicorp.com/terraform/install?product_intent=terraform

terraform workflow


Key features of Terraform

  • Infrastructure as Code: the defined code is easy to share, so teams can collaborate efficiently

  • Execution Plan: separating the change plan from applying the change reduces the mistakes that can occur when changes are applied

  • Resource Graph: see in advance how a minor change will affect the whole infrastructure; a dependency graph is built, the plan is made on the basis of that graph, and the infrastructure state that results from applying the plan can be checked

  • Change Automation: building and changing infrastructure with the same configuration in several places can be automated. This saves the time spent building infrastructure and reduces mistakes.

· One min read
% kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
serviceaccount/metrics-server created
clusterrole.rbac.authorization.k8s.io/system:aggregated-metrics-reader created
clusterrole.rbac.authorization.k8s.io/system:metrics-server created
rolebinding.rbac.authorization.k8s.io/metrics-server-auth-reader created
clusterrolebinding.rbac.authorization.k8s.io/metrics-server:system:auth-delegator created
clusterrolebinding.rbac.authorization.k8s.io/system:metrics-server created
service/metrics-server created
deployment.apps/metrics-server created
apiservice.apiregistration.k8s.io/v1beta1.metrics.k8s.io created
% kubectl apply -f php-apache.yaml
deployment.apps/php-apache created
service/php-apache created
% kubectl autoscale deployment php-apache --cpu-percent=50 --min=1 --max=10
horizontalpodautoscaler.autoscaling/php-apache autoscaled
% kubectl get hpa
NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AGE
php-apache Deployment/php-apache cpu: 0%/50% 1 10 1 119s
kubectl run -i --tty load-generator --rm --image=busybox --restart=Never -- /bin/sh -c "while sleep 0.01; do wget -q -o- http://php-apache; done"
% kubectl get deployment php-apache
NAME READY UP-TO-DATE AVAILABLE AGE
php-apache 6/6 6 6 5m16s
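The session above applies php-apache.yaml without showing it. As an added example, this is the manifest published in the upstream Kubernetes HPA walkthrough that the session follows (the post's own file may differ). The CPU `requests` value is what makes the `cpu: 0%/50%` column possible: utilization is computed as a percentage of the request, so a container without one makes the HPA report `<unknown>` and never scale.

```yaml
# Added example: php-apache.yaml as in the upstream Kubernetes HPA walkthrough.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: php-apache
spec:
  selector:
    matchLabels:
      run: php-apache
  template:
    metadata:
      labels:
        run: php-apache
    spec:
      containers:
      - name: php-apache
        image: registry.k8s.io/hpa-example
        ports:
        - containerPort: 80
        resources:
          limits:
            cpu: 500m
          requests:
            cpu: 200m        # the HPA's 50% target is measured against this
---
apiVersion: v1
kind: Service
metadata:
  name: php-apache
  labels:
    run: php-apache
spec:
  ports:
  - port: 80
  selector:
    run: php-apache
```

The load generator in the session resolves `http://php-apache` through this Service name, which is why the two have to match; when the generator is stopped, the deployment scales back down after the HPA's scale-down stabilization window rather than immediately.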

· 5 min read
$ kubectl create ns monitoring
namespace/monitoring created
  1. Create a ClusterRole to grant Prometheus permission to access the k8s API
% kubectl apply -f prometheus-cluster-role.yaml 
clusterrole.rbac.authorization.k8s.io/prometheus created
clusterrolebinding.rbac.authorization.k8s.io/prometheus created
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus
  namespace: monitoring
rules:
- apiGroups: [""]
  resources:
  - nodes
  - nodes/proxy
  - services
  - endpoints
  - pods
  verbs: ["get", "list", "watch"]
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs: ["get", "list", "watch"]
- nonResourceURLs: ["/metrics"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus
subjects:
- kind: ServiceAccount
  name: default
  namespace: monitoring
  2. Define the metrics Prometheus will collect in a ConfigMap
% kubectl apply -f prometheus-config-map.yaml 
configmap/prometheus-server-conf created
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus-server-conf
  labels:
    name: prometheus-server-conf
  namespace: monitoring
data:
  prometheus.rules: |-
    groups:
    - name: container memory alert
      rules:
      - alert: container memory usage rate is very high( > 55%)
        expr: sum(container_memory_working_set_bytes{pod!="", name=""})/ sum (kube_node_status_allocatable_memory_bytes) * 100 > 55
        for: 1m
        labels:
          severity: fatal
        annotations:
          summary: High Memory Usage on
          identifier: ""
          description: " Memory Usage: "
    - name: container CPU alert
      rules:
      - alert: container CPU usage rate is very high( > 10%)
        expr: sum (rate (container_cpu_usage_seconds_total{pod!=""}[1m])) / sum (machine_cpu_cores) * 100 > 10
        for: 1m
        labels:
          severity: fatal
        annotations:
          summary: High Cpu Usage
  prometheus.yml: |-
    global:
      scrape_interval: 5s
      evaluation_interval: 5s
    rule_files:
      - /etc/prometheus/prometheus.rules
    alerting:
      alertmanagers:
      - scheme: http
        static_configs:
        - targets:
          - "alertmanager.monitoring.svc:9093"
    scrape_configs:
      - job_name: 'kubernetes-apiservers'
        kubernetes_sd_configs:
        - role: endpoints
        scheme: https
        tls_config:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        relabel_configs:
        - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
          action: keep
          regex: default;kubernetes;https
      - job_name: 'kubernetes-nodes'
        scheme: https
        tls_config:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        kubernetes_sd_configs:
        - role: node
        relabel_configs:
        - action: labelmap
          regex: __meta_kubernetes_node_label_(.+)
        - target_label: __address__
          replacement: kubernetes.default.svc:443
        - source_labels: [__meta_kubernetes_node_name]
          regex: (.+)
          target_label: __metrics_path__
          replacement: /api/v1/nodes/${1}/proxy/metrics
      - job_name: 'kubernetes-pods'
        kubernetes_sd_configs:
        - role: pod
        relabel_configs:
        - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
          action: keep
          regex: true
        - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
          action: replace
          target_label: __metrics_path__
          regex: (.+)
        - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
          action: replace
          regex: ([^:]+)(?::\d+)?;(\d+)
          replacement: $1:$2
          target_label: __address__
        - action: labelmap
          regex: __meta_kubernetes_pod_label_(.+)
        - source_labels: [__meta_kubernetes_namespace]
          action: replace
          target_label: kubernetes_namespace
        - source_labels: [__meta_kubernetes_pod_name]
          action: replace
          target_label: kubernetes_pod_name
      - job_name: 'kube-state-metrics'
        static_configs:
        - targets: ['kube-state-metrics.kube-system.svc.cluster.local:8080']
      - job_name: 'kubernetes-cadvisor'
        scheme: https
        tls_config:
          ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        kubernetes_sd_configs:
        - role: node
        relabel_configs:
        - action: labelmap
          regex: __meta_kubernetes_node_label_(.+)
        - target_label: __address__
          replacement: kubernetes.default.svc:443
        - source_labels: [__meta_kubernetes_node_name]
          regex: (.+)
          target_label: __metrics_path__
          replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
      - job_name: 'kubernetes-service-endpoints'
        kubernetes_sd_configs:
        - role: endpoints
        relabel_configs:
        - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
          action: keep
          regex: true
        - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
          action: replace
          target_label: __scheme__
          regex: (https?)
        - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
          action: replace
          target_label: __metrics_path__
          regex: (.+)
        - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
          action: replace
          target_label: __address__
          regex: ([^:]+)(?::\d+)?;(\d+)
          replacement: $1:$2
        - action: labelmap
          regex: __meta_kubernetes_service_label_(.+)
        - source_labels: [__meta_kubernetes_namespace]
          action: replace
          target_label: kubernetes_namespace
        - source_labels: [__meta_kubernetes_service_name]
          action: replace
          target_label: kubernetes_name
  3. Create the Prometheus Pod

% kubectl apply -f prometheus-deployment.yaml
deployment.apps/prometheus-deployment created

apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus-deployment
  namespace: monitoring
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prometheus-server
  template:
    metadata:
      labels:
        app: prometheus-server
    spec:
      containers:
      - name: prometheus
        image: prom/prometheus:latest
        args:
        - "--config.file=/etc/prometheus/prometheus.yml"
        - "--storage.tsdb.path=/prometheus/"
        ports:
        - containerPort: 9090
        volumeMounts:
        - name: prometheus-config-volume
          mountPath: /etc/prometheus/
        - name: prometheus-storage-volume
          mountPath: /prometheus/
      volumes:
      - name: prometheus-config-volume
        configMap:
          defaultMode: 420
          name: prometheus-server-conf
      - name: prometheus-storage-volume
        emptyDir: {}
  4. Define the Node exporter

Node exporter = the component that collects information about the Kubernetes nodes

Since one must run as a Pod on every node, it is created as a DaemonSet

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-exporter
  namespace: monitoring
  labels:
    k8s-app: node-exporter
spec:
  selector:
    matchLabels:
      k8s-app: node-exporter
  template:
    metadata:
      labels:
        k8s-app: node-exporter
    spec:
      containers:
      - image: prom/node-exporter
        name: node-exporter
        ports:
        - containerPort: 9100
          protocol: TCP
          name: http
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: node-exporter
  name: node-exporter
  # must be the DaemonSet's namespace: a Service selector only matches Pods in
  # its own namespace, so a Service created in kube-system gets no endpoints
  namespace: monitoring
spec:
  ports:
  - name: http
    port: 9100
    nodePort: 31672
    protocol: TCP
  type: NodePort
  selector:
    k8s-app: node-exporter
% kubectl apply -f prometheus-node-exporter.yaml 
daemonset.apps/node-exporter created
service/node-exporter created
  5. Create a Service so that the Prometheus Pod can be reached from outside
% kubectl apply -f prometheus-svc.yaml 
service/prometheus-service created
apiVersion: v1
kind: Service
metadata:
  name: prometheus-service
  namespace: monitoring
  annotations:
    prometheus.io/scrape: 'true'
    prometheus.io/port: '9090'
spec:
  selector:
    app: prometheus-server
  type: NodePort
  ports:
  - port: 8080
    targetPort: 9090
    nodePort: 30001
  6. port-forward
% kubectl port-forward -n monitoring svc/prometheus-service 8080:8080
Forwarding from 127.0.0.1:8080 -> 9090
Forwarding from [::1]:8080 -> 9090
  7. Grafana (visualization tool)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: monitoring
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      name: grafana
      labels:
        app: grafana
    spec:
      containers:
      - name: grafana
        image: grafana/grafana:latest
        ports:
        - name: grafana
          containerPort: 3000
        env:
        - name: GF_SERVER_HTTP_PORT
          value: "3000"
        - name: GF_AUTH_BASIC_ENABLED
          value: "false"
        - name: GF_AUTH_ANONYMOUS_ENABLED
          value: "true"
        - name: GF_AUTH_ANONYMOUS_ORG_ROLE
          value: Admin
        - name: GF_SERVER_ROOT_URL
          value: /
---
apiVersion: v1
kind: Service
metadata:
  name: grafana
  namespace: monitoring
  annotations:
    prometheus.io/scrape: 'true'
    prometheus.io/port: '3000'
spec:
  selector:
    app: grafana
  type: NodePort
  ports:
  - port: 3000
    targetPort: 3000
    nodePort: 30004
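Two points in the procedure above deserve a hardened variant, added here as an example that is not part of the original post (all names other than the existing `prometheus` ClusterRole are assumptions). First, the Prometheus Deployment sets no `serviceAccountName`, so it runs as the `default` ServiceAccount of `monitoring`, which is why step 1 binds the ClusterRole to `default`; every other Pod later created in that namespace without its own account then inherits cluster-wide read access to pods, nodes and endpoints. Second, the Grafana manifest enables anonymous access with the Admin role and exposes it on a NodePort, so anyone who can reach the node gets full control of dashboards and data sources. The manifests below give Prometheus a dedicated account and make Grafana require a login, with the admin credentials in a Secret.

```yaml
# Added example (not from the original post): dedicated ServiceAccount for
# Prometheus and a Grafana that requires authentication. Names are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: monitoring
---
# Same ClusterRole as in step 1, now bound to the dedicated account instead of
# the namespace's default ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus
subjects:
- kind: ServiceAccount
  name: prometheus
  namespace: monitoring
---
# Grafana admin credentials live in a Secret rather than in the Deployment.
# The password below is a constructed placeholder; generate a real one.
apiVersion: v1
kind: Secret
metadata:
  name: grafana-admin
  namespace: monitoring
type: Opaque
stringData:
  admin-user: admin
  admin-password: change-me-placeholder
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: monitoring
spec:
  replicas: 1
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      automountServiceAccountToken: false   # Grafana does not talk to the k8s API
      containers:
      - name: grafana
        image: grafana/grafana:latest
        ports:
        - name: grafana
          containerPort: 3000
        env:
        - name: GF_AUTH_ANONYMOUS_ENABLED
          value: "false"
        - name: GF_SECURITY_ADMIN_USER
          valueFrom:
            secretKeyRef:
              name: grafana-admin
              key: admin-user
        - name: GF_SECURITY_ADMIN_PASSWORD
          valueFrom:
            secretKeyRef:
              name: grafana-admin
              key: admin-password
---
# ClusterIP instead of NodePort; reach it the same way step 6 reaches
# Prometheus:  kubectl port-forward -n monitoring svc/grafana 3000:3000
apiVersion: v1
kind: Service
metadata:
  name: grafana
  namespace: monitoring
spec:
  selector:
    app: grafana
  type: ClusterIP
  ports:
  - port: 3000
    targetPort: 3000
```

To complete the Prometheus side, add `serviceAccountName: prometheus` under `spec.template.spec` in prometheus-deployment.yaml and re-apply it; `kubectl auth can-i list pods --as=system:serviceaccount:monitoring:default` should then answer `no`, while the same check for `monitoring:prometheus` answers `yes`.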