Kubernetes – Ecosystem Top
Overview of the essential building blocks around Kubernetes (1 → 8)
1) Orchestration: Kubernetes
2) Packaging: Helm, Kustomize
3) Networking: Calico, Cilium, Ingress (NGINX/Traefik)
4) Storage: Longhorn, Ceph/Rook, CSI (EBS, PD, Disk)
5) Monitoring/Logs: Prometheus, Grafana, Loki/ELK, Jaeger, OTel
6) CI/CD: Jenkins, Argo CD, FluxCD, Tekton
7) Security: Vault, Kyverno, RBAC, Trivy, Falco, Gatekeeper
8) Interface/Management: Lens, Rancher, OpenShift, K9s, Octant
1) Orchestration – Kubernetes
Kubernetes (K8s) orchestrates containers (Pods) across a cluster of nodes, keeps the desired state and automates deployments and high availability.
- Declarative (YAML) & reconciliation loop
- Scalability (HPA/VPA), rolling updates, self-healing
- Networking, storage and security via CNI/CSI/RBAC
Control Plane
- API Server
- etcd
- Controller Manager
- Scheduler
Nodes
- Kubelet
- Kube-proxy
- Runtime (containerd/CRI-O)
$ kubectl get nodes
$ kubectl create deployment web --image=nginx
$ kubectl expose deployment web --port 80 --type=ClusterIP
$ kubectl rollout status deployment/web
$ kubectl scale deployment web --replicas=5
2) Packaging – Helm & Kustomize
Helm = package manager (charts): Go templating, values, versioned releases.
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install myapp ./chart -f values-prod.yaml
$ helm upgrade --install myapp ./chart
Kustomize = YAML overlays (base + patches), built into kubectl (-k).
# kustomization.yaml
resources:
- deployment.yaml
- service.yaml
patchesStrategicMerge:
- patch-prod.yaml
- Helm: packaging, sharing, versioning, hooks – ideal for multi-team setups.
- Kustomize: lightweight, no server component, ideal for environment variants (dev/qa/prod).
- Often combined (Helm chart + Kustomize overlays).
3) Networking – CNI, Ingress, Mesh
- Calico: NetworkPolicies, BGP.
- Cilium: eBPF, observability, L7 policies.
- Flannel: simple overlay.
Expose HTTP/HTTPS through an Ingress Controller (NGINX, Traefik, HAProxy).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata: { name: web, annotations: { nginx.ingress.kubernetes.io/rewrite-target: / } }
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend: { service: { name: web, port: { number: 80 } } }
- Istio, Linkerd: mTLS, retries, canary releases, fine-grained observability.
4) Storage – CSI, Longhorn, Ceph/Rook
CSI = standard interface for provisioning volumes (EBS, PD, Azure Disk…).
apiVersion: v1
kind: PersistentVolumeClaim
metadata: { name: data }
spec:
  accessModes: [ ReadWriteOnce ]
  storageClassName: gp3
  resources: { requests: { storage: 20Gi } }
Longhorn: distributed storage, snapshots/backups to S3, granular restore.
Rook operates Ceph (object/block/file) directly inside K8s.
5) Monitoring, Logs & Traces
- Prometheus + Alertmanager
- Grafana Dashboards
- Metrics Server (HPA)
- Loki (Promtail) • ELK (Filebeat/Fluentd)
- Jaeger • OpenTelemetry
6) CI/CD – Jenkins, Argo CD, Flux, Tekton
Argo CD / Flux: the cluster state = the Git repo (pull-based), automatic diff & sync, a PR is a deployment.
pipeline {
    agent any
    stages {
        stage('Build')  { steps { sh 'docker build -t registry/app:$GIT_COMMIT .' } }
        stage('Push')   { steps { sh 'docker push registry/app:$GIT_COMMIT' } }
        stage('Deploy') { steps { sh 'helm upgrade --install app chart/ -f values.yaml' } }
    }
}
Tekton: Kubernetes CRDs for pipelines (Tasks, Pipelines, Triggers).
7) Security – Vault, Kyverno, RBAC, Trivy, Falco
- RBAC: Roles/RoleBindings
- Kyverno / Gatekeeper: admission policies
- NetworkPolicies: isolation between namespaces
- Vault / External Secrets / Sealed Secrets
- Trivy: image scanning • Falco: anomaly detection
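Added example (not from the original page) showing two of the items above working together: a default-deny NetworkPolicy that is then re-opened only for the Ingress Controller, and a Kyverno admission policy that rejects privileged Pods. The namespace prod, the label app=web and the ingress-nginx namespace name are assumptions.

```yaml
# Added example, not from the original page; namespace "prod", label app=web
# and the ingress-nginx namespace name are assumptions.
# 1) NetworkPolicy: deny all ingress to every Pod in "prod" by default ...
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: default-deny-ingress, namespace: prod }
spec:
  podSelector: {}
  policyTypes: [Ingress]
---
# ... then re-open only what the app needs: TCP/80 on app=web Pods, coming
# from the ingress-nginx namespace (selected via its automatic name label).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: allow-ingress-nginx-to-web, namespace: prod }
spec:
  podSelector: { matchLabels: { app: web } }
  policyTypes: [Ingress]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels: { kubernetes.io/metadata.name: ingress-nginx }
    ports:
    - { protocol: TCP, port: 80 }
---
# 2) Kyverno admission policy: reject any Pod (including initContainers)
#    that sets privileged: true. The =() anchors mean "if present, must match".
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata: { name: disallow-privileged-containers }
spec:
  validationFailureAction: Enforce
  rules:
  - name: no-privileged
    match:
      any:
      - resources: { kinds: [Pod] }
    validate:
      message: "Privileged containers are not allowed."
      pattern:
        spec:
          =(initContainers):
          - =(securityContext):
              =(privileged): "false"
          containers:
          - =(securityContext):
              =(privileged): "false"
```

Apply with kubectl apply -f and confirm the deny rule is effective by exec'ing into a Pod outside prod and trying to reach the web Service; with Kyverno installed, a Pod requesting privileged: true is rejected at admission with the message above.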
8) Interface & Management – Lens, Rancher, OpenShift, K9s
Lens
Real-time view of workloads, logs, exec, port-forward.
Rancher
Multi-cluster management, centralized RBAC, catalogs, CIS scans.
OpenShift
K8s distribution with operators, registry, pipelines.
K9s / Octant
Very fast CLI/web interfaces for operators.
