Classification: Public
Kubernetes
Cloud Native Computing Foundation
Every cloud supports Kubernetes
Image sources:
https://www.sinax.be/en/aws/
https://www.westconcomstor.com/za/en/vendors/wc-vendors/microsoft-azure-EN-UK.html
https://www.g2crowd.com/products/google-kubernetes-engine-gke/details
Kubernetes support on cloud
Kubernetes Market Adoption Survey
What does “Kubernetes” mean?
Greek for “pilot” or “helmsman of a ship”
What is Kubernetes?
A Container Orchestration System.
● A project that was spun out of Google as an open source container orchestration platform (~2 billion containers/week).
● Built from the lessons learned in the experiences of developing and running Google’s Borg and Omega.
● Designed from the ground-up as a loosely coupled collection of components centred around deploying, maintaining and scaling workloads.
What does Kubernetes do?
● Known as the Linux kernel of distributed systems.
● Abstracts away the underlying hardware of the nodes and provides a uniform interface for workloads to be deployed to, and to consume, the shared pool of resources.
● Works as an engine for resolving state by converging the actual and the desired state of the system.
Kubernetes is self-healing
Kubernetes will ALWAYS try and steer the cluster to its desired state.
● User: “I want 3 healthy instances of Redis to always be running.”
● Kubernetes: “Okay, I’ll ensure there are always 3 instances up and running.”
● Kubernetes: “Oh look, one has died. I’m going to attempt to spin up a new one.”
What can Kubernetes really do?
● Autoscale Workloads
● Blue/Green Deployments
● Fire off Jobs and scheduled CronJobs
● Manage Stateless and Stateful Applications
● Built-in Service Discovery
● ~Easily integrate and support 3rd party apps~
Kubernetes in a nutshell
Service Model: Pets vs Cattle
Kubernetes Architecture
Architecture Overview
Masters – Act as the primary control plane for Kubernetes.
• Masters are responsible at a minimum for running the API Server, scheduler and cluster controller.
• They also manage storing cluster state, cloud-provider specific components and other cluster essential services.
Nodes – Are the ‘workers’ of a Kubernetes cluster.
• They run a minimal agent that manages the node itself, and execute workloads as designated by the master.
kube-apiserver – the heart of the cluster
● Provides a forward facing REST interface into the Kubernetes control plane and datastore.
● All clients and other applications interact with Kubernetes strictly through the API Server.
● Acts as the gatekeeper to the cluster by handling authentication and authorization, request validation and admission control in addition to being the front-end to the backing datastore.
Kubectl
Kubectl is the official Kubernetes command line interface tool. It is used to communicate with the API.
etcd – the key-value datastore
● etcd acts as the cluster datastore.
● A standalone incubating CNCF project: https://www.cncf.io/projects/
● Its purpose in relation to Kubernetes is to provide a strongly consistent and highly available key-value store for persisting all cluster state.
kube-controller-manager
● Serves as the primary daemon that manages all core components’ reconciliation loops.
● Handles a lot of the business logic of Kubernetes.
● Monitors the cluster state via the API Server and steers the cluster towards the desired state.
kube-scheduler
Evaluates workload requirements and attempts to place each workload on a matching resource.
● The default scheduler uses the “binpacking” mode.
● Workload requirements can include: general hardware requirements, affinity/anti-affinity, labels, and various other custom resource requirements.
● Is swappable: you can create your own scheduler.
Node Components
kubelet
Acts as the node agent responsible for managing pod lifecycle on its host.
Kubelet understands YAML container manifests that it can read from several sources:
● File path
● HTTP Endpoint
● Etcd watch acting on any changes
● HTTP Server mode accepting container manifests over a simple API.
kube-proxy
● Manages the network rules for Services on each node.
● Performs connection forwarding or load balancing for Kubernetes Services.
● Available Proxy Modes:
○ ipvs (default if supported)
○ iptables (default fallback)
○ userspace (legacy)
Container Runtime – the executor
● A container runtime is a CRI (Container Runtime Interface) compatible application that executes and manages containers.
○ Docker (default, built into the kubelet at the moment)
○ containerd
○ cri-o
○ rkt
○ Kata Containers (formerly clear and hyper)
○ Virtlet (VM CRI compatible runtime)
Additional Services
Kube-dns - Provides cluster wide DNS services. Services are resolvable at <service>.<namespace>.svc.cluster.local.
Heapster - Metrics collector for the Kubernetes cluster, used by some resources such as the Horizontal Pod Autoscaler (required for kube-dashboard metrics).
Kube-dashboard - A general purpose web based UI for Kubernetes.
Kube-dashboard
Kubernetes concepts
Pod: The basic building block in Kubernetes. The name carries the same idea as a pod of whales: one or more containers (or better said, a running process on the cluster) running on a given system, which can be scaled up or down.
Service: A consistent network access point for a pod. What this means is that regardless of the underlying containers’ state (restarts, etc.), a service will always provide access to the given pod/application.
ReplicaSet: Ensures a given number of pods are running in the cluster at a given time.
Deployment: Suited for more ephemeral applications like web applications, anything that doesn’t have persistent qualities. It provides declarative updates for Pods and ReplicaSets by describing a desired state that the deployment in turn acts on.
Stateful Set: Suited for stateful applications like databases or even monitoring systems like Prometheus. Similar to a deployment in that it manages the deployment and scaling of a set of pods, but differs in that it ensures ordering (things happen in a given sequence and are numbered) and uniqueness of pods. Overall, it ensures that all resources in the stateful set have a sticky identity across restarts.
Labels: When creating Kubernetes objects, one can give any number of labels to each object, which are discoverable across the system. For instance, one could create a database with the label “customer_database” and another application pod could reference it by simply using that name “customer_database” in the selector value of the manifest file.
Namespaces: Virtual clusters. Provide a means to separate applications in the cluster.
Minikube: Install and configure
Refer to the git repo for instructions.
Networking
To be updated from this slide onwards
Networking - Fundamental Rules
1) All Pods can communicate with all other Pods without NAT.
2) All nodes can communicate with all Pods (and vice-versa) without NAT.
3) The IP that a Pod sees itself as is the same IP that others see it as.
Networking – Fundamentals Applied
• Containers in a pod exist within the same network namespace and share an IP, allowing for intra-pod communication over localhost.
• Pods are given a cluster-unique IP for the duration of their lifecycle, but the pods themselves are fundamentally ephemeral.
• Services are given a persistent cluster-unique IP that spans the Pods’ lifecycle.
• External connectivity is generally handled by an integrated cloud provider or other external entity (load balancer).
Networking - CNI
Networking within Kubernetes is plumbed via the Container Network Interface (CNI), an interface between a container runtime and a network implementation plugin.
Compatible CNI Network Plugins:
● Calico
● Cilium
● Contiv
● Contrail
● Flannel
● GCE
● kube-router
● Multus
● OpenVSwitch
● OVN
● Romana
● Weave
Kubernetes Concepts
Kubernetes Concepts - Core
Cluster - A collection of hosts that aggregate their available resources including CPU, RAM, disk, and their devices into a usable pool.
Master - The master(s) represent a collection of components that make up the control plane of Kubernetes. These components are responsible for all cluster decisions including both scheduling and responding to cluster events.
Node - A single host, physical or virtual, capable of running pods. A node is managed by the master(s), and at a minimum runs both kubelet and kube-proxy to be considered part of the cluster.
Namespace - A logical cluster or environment. Primary method of dividing a cluster or scoping access.
Concepts - Core (cont.)
Label - Key-value pairs that are used to identify, describe and group together related sets of objects. Labels have a strict syntax and available character set. *
Annotation - Key-value pairs that contain non-identifying information or metadata. Annotations do not have the syntax limitations of labels and can contain structured or unstructured data.
Selector - Selectors use labels to filter or select objects. Both equality-based (=, ==, !=) and simple key-value matching selectors are supported.
* https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
Labels, Annotations, and Selectors
Labels:
  app: nginx
  tier: frontend
Annotations:
  description: “nginx frontend”
Selector:
  app: nginx
  tier: frontend
Set-based selectors
Valid Operators:
● In
● NotIn
● Exists
● DoesNotExist
Supported Objects with set-based selectors:
● Job
● Deployment
● ReplicaSet
● DaemonSet
● PersistentVolumeClaims
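Label syntax validation and selector matching from the Labels/Selectors slides above, as an added Python example that is not part of the original deck or of Kubernetes itself; the sample pods and selectors are constructed here, and the semantics (matchLabels ANDed with matchExpressions; NotIn and DoesNotExist also matching objects that lack the key) follow the Kubernetes label docs linked above.

```python
"""Label syntax checks and selector matching (added example, not Kubernetes code)."""
import re
from typing import Dict, List

# Label syntax from the Kubernetes docs linked above: a key is an optional DNS
# subdomain prefix (<= 253 chars) plus "/" plus a name of <= 63 chars that starts
# and ends with an alphanumeric and may contain "-", "_" and "." in between.
# A value follows the same 63-char rule but may also be empty.
_NAME_RE = re.compile(r"^[A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$")
_PREFIX_RE = re.compile(
    r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?(\.[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?)*$")

OPERATORS = {"In", "NotIn", "Exists", "DoesNotExist"}


def valid_label_key(key: str) -> bool:
    """True if `key` is a valid label key ("app" or "app.kubernetes.io/name")."""
    prefix, sep, name = key.rpartition("/")
    if sep and (len(prefix) > 253 or not _PREFIX_RE.match(prefix)):
        return False
    return bool(_NAME_RE.match(name))


def valid_label_value(value: str) -> bool:
    return value == "" or bool(_NAME_RE.match(value))


def expression_matches(labels: Dict[str, str], expr: dict) -> bool:
    """Evaluate one matchExpressions entry {key, operator, values} against labels."""
    key, op, values = expr["key"], expr["operator"], set(expr.get("values", []))
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator: {op}")
    present = key in labels
    if op == "Exists":
        return present
    if op == "DoesNotExist":
        return not present
    if op == "In":
        return present and labels[key] in values
    # NotIn: an object that lacks the key also matches, just as with "!=".
    return not present or labels[key] not in values


def selector_matches(labels: Dict[str, str], selector: dict) -> bool:
    """All matchLabels pairs AND all matchExpressions entries must hold."""
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    return all(expression_matches(labels, e) for e in selector.get("matchExpressions", []))


def select(objects: List[dict], selector: dict) -> List[str]:
    """Names of the objects whose metadata.labels satisfy the selector."""
    return [o["metadata"]["name"] for o in objects
            if selector_matches(o["metadata"].get("labels", {}), selector)]


# Constructed sample objects, not taken from any real cluster.
PODS = [
    {"metadata": {"name": "web-1", "labels": {"app": "nginx", "tier": "frontend", "env": "prod"}}},
    {"metadata": {"name": "web-2", "labels": {"app": "nginx", "tier": "frontend", "env": "staging"}}},
    {"metadata": {"name": "db-1", "labels": {"app": "postgres", "tier": "backend", "env": "prod"}}},
    {"metadata": {"name": "job-1", "labels": {"app": "batch"}}},
]
FRONTEND_PROD = {"matchLabels": {"tier": "frontend"},
                 "matchExpressions": [{"key": "env", "operator": "In", "values": ["prod"]}]}
UNTIERED = {"matchExpressions": [{"key": "tier", "operator": "DoesNotExist"}]}
NOT_STAGING = {"matchExpressions": [{"key": "env", "operator": "NotIn", "values": ["staging"]}]}

if __name__ == "__main__":
    print(select(PODS, FRONTEND_PROD))  # ['web-1']
    print(select(PODS, UNTIERED))       # ['job-1']
    print(select(PODS, NOT_STAGING))    # ['web-1', 'db-1', 'job-1']
```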
Concepts - Workloads
Pod - A pod is the smallest unit of work or management resource within Kubernetes. It is comprised of one or more containers that share their storage, network, and context (namespace, cgroups etc.).
ReplicationController - Method of managing pod replicas and their lifecycle: their scheduling, scaling, and deletion.
ReplicaSet - Next generation ReplicationController. Supports set-based selectors.
Deployment - A declarative method of managing stateless Pods and ReplicaSets. Provides rollback functionality in addition to more granular update control mechanisms.
Deployment - Contains configuration of how updates or ‘deployments’ should be managed in addition to the pod template used to generate the ReplicaSet.
ReplicaSet - Generated ReplicaSet from the Deployment spec.
Concepts - Workloads (cont.)
StatefulSet - A controller tailored to managing Pods that must persist or maintain state. Pod identity including hostname, network, and storage will be persisted.
DaemonSet - Ensures that all nodes matching certain criteria will run an instance of a supplied Pod. Ideal for cluster wide services such as log forwarding, or health monitoring.
StatefulSet
● Attaches to the ‘headless service’ (not shown) nginx.
● Pods are given unique ordinal names using the pattern <statefulset name>-<ordinal index>.
● Creates independent persistent volumes based on the ‘volumeClaimTemplates’.
DaemonSet
● Bypasses the default scheduler
● Schedules a single instance on every host while adhering to tolerations and taints.
Concepts - Workloads (cont.)
Job - The job controller ensures one or more pods are executed and successfully terminate. It will do this until it satisfies the completion and/or parallelism condition.
CronJob - An extension of the Job controller, it provides a method of executing jobs on a cron-like schedule.
Jobs
● Number of pod executions can be controlled via spec.completions
● Jobs can be parallelized using spec.parallelism
● Jobs and Pods are NOT automatically cleaned up after a job has completed.
CronJob
● Adds a cron schedule to the job template
Concepts - Network
Service - Services provide a method of exposing and consuming L4 Pod network accessible resources. They use label selectors to map groups of pods and ports to a cluster-unique virtual IP.
Ingress - An ingress controller is the primary method of exposing a cluster service (usually http) to the outside world. These are load balancers or routers that usually offer SSL termination, name-based virtual hosting etc.
Service
● Acts as the unified method of accessing replicated pods.
● Four major Service Types:
○ ClusterIP - Exposes the service on a strictly cluster-internal IP (default)
○ NodePort - Service is exposed on each node’s IP on a statically defined port.
○ LoadBalancer - Works in combination with a cloud provider to expose a service outside the cluster on a static external IP.
○ ExternalName - Used to reference endpoints OUTSIDE the cluster by providing a static internally referenced DNS name.
Ingress Controller
● Deployed as a pod to one or more hosts
● Ingress controllers are external controllers with multiple options:
○ Nginx
○ HAproxy
○ Contour
○ Traefik
● Specific features and controller specific configuration are passed through annotations.
Concepts - Storage
Volume - Storage that is tied to the Pod lifecycle, consumable by one or more containers within the pod.
PersistentVolume - A PersistentVolume (PV) represents a storage resource. PVs are commonly linked to a backing storage resource (NFS, GCEPersistentDisk, RBD etc.) and are provisioned ahead of time. Their lifecycle is handled independently from a pod.
PersistentVolumeClaim - A PersistentVolumeClaim (PVC) is a request for storage that satisfies a set of requirements instead of mapping to a storage resource directly. Commonly used with dynamically provisioned storage.
StorageClass - Storage classes are an abstraction on top of an external storage resource. These will include a provisioner, provisioner configuration parameters as well as a PV reclaimPolicy.
Volumes
PersistentVolumes
● PVs are a cluster-wide resource
● Not directly consumable by a Pod
● PV Parameters:
○ Capacity
○ accessModes
■ ReadOnlyMany (ROX)
■ ReadWriteOnce (RWO)
■ ReadWriteMany (RWX)
○ persistentVolumeReclaimPolicy
■ Retain
■ Recycle
■ Delete
○ StorageClass
PersistentVolumeClaims
● PVCs are scoped to namespaces
● Support accessModes like PVs
● Use a resource request model similar to Pods
● Claims will consume storage from matching PVs or StorageClasses based on storageClass and selectors.
StorageClasses
● Use an external system defined by the provisioner to dynamically consume and allocate storage.
● StorageClass Fields:
○ Provisioner
○ Parameters
○ reclaimPolicy
Concepts - Configuration
• ConfigMap - Externalized data stored within Kubernetes that can be referenced as a command line argument, environment variable, or injected as a file into a volume mount. Ideal for separating the containerized application from its configuration.
• Secret - Functionally identical to ConfigMaps, but stored encoded as base64 (an encoding, not encryption), and encrypted at rest only if configured.
ConfigMaps and Secrets
● Can be used in Pod Config:
○ Injected as a file
○ Passed as an environment variable
○ Used as a container command (requires passing as env var)
Concepts - Auth and Identity (RBAC)
[Cluster]Role - Roles contain rules that act as a set of permissions that apply verbs like “get”, “list”, “watch” etc. over resources that are scoped to apiGroups. Roles are scoped to namespaces, and ClusterRoles are applied cluster-wide.
[Cluster]RoleBinding - Grants the permissions as defined in a [Cluster]Role to one or more “subjects”, which can be a user, group, or service account.
ServiceAccount - ServiceAccounts provide a consumable identity for pods or external services that interact with the cluster directly, and are scoped to namespaces.
[Cluster]Role
● Permissions translate to the URL path, with “” defaulting to the core group.
● Resources act as the items the role should be granted access to.
● Verbs are the actions the role can perform on the referenced resources.
[Cluster]RoleBinding
● Can reference multiple subjects
● Subjects can be of kind:
○ User
○ Group
○ ServiceAccount
● roleRef targets a single role only.
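How the apiserver turns the [Cluster]Role and [Cluster]RoleBinding objects above into an allow/deny decision, as an added Python model that is not Kubernetes code; the roles, bindings and requests are constructed samples, and the model assumes the standard scoping rules (a RoleBinding grants only inside its own namespace, even when it references a ClusterRole, while a ClusterRoleBinding grants everywhere). It also includes a small audit of wildcard and secret-reading rules of the kind an operator would run over their own manifests.

```python
"""Toy model of Kubernetes RBAC decisions (added example, not Kubernetes code)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Role:
    name: str
    rules: List[dict]                 # {"apiGroups": [...], "resources": [...], "verbs": [...]}
    namespace: Optional[str] = None   # None means this is a ClusterRole


@dataclass
class Binding:
    role_ref: Tuple[str, str]         # ("Role" | "ClusterRole", name)
    subjects: List[dict]              # {"kind": User|Group|ServiceAccount, "name": ..., ["namespace"]}
    namespace: Optional[str] = None   # None means this is a ClusterRoleBinding


@dataclass
class Request:
    user: str
    groups: Set[str]
    verb: str
    resource: str
    namespace: Optional[str]
    api_group: str = ""               # "" is the core API group (pods, secrets, ...)


def _allowed(listed: List[str], value: str) -> bool:
    return "*" in listed or value in listed


def rule_allows(rule: dict, req: Request) -> bool:
    """A rule matches when apiGroup, resource and verb are each listed (or wildcarded)."""
    return (_allowed(rule.get("apiGroups", []), req.api_group)
            and _allowed(rule.get("resources", []), req.resource)
            and _allowed(rule.get("verbs", []), req.verb))


def subject_matches(subject: dict, req: Request) -> bool:
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return req.user == name
    if kind == "Group":
        return name in req.groups
    if kind == "ServiceAccount":  # a pod's SA authenticates as system:serviceaccount:<ns>:<name>
        return req.user == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False


def authorize(req: Request, roles: List[Role], bindings: List[Binding]) -> bool:
    """Deny by default. Allow only if some binding covering the request's namespace
    names the subject and its referenced role contains a matching rule."""
    by_key = {(r.namespace, r.name): r for r in roles}
    for b in bindings:
        # A RoleBinding grants only inside its own namespace, even when it points
        # at a ClusterRole; a ClusterRoleBinding grants in every namespace.
        if b.namespace is not None and b.namespace != req.namespace:
            continue
        if not any(subject_matches(s, req) for s in b.subjects):
            continue
        kind, name = b.role_ref
        if kind == "Role" and b.namespace is None:
            continue                  # a ClusterRoleBinding cannot reference a namespaced Role
        role = by_key.get((b.namespace if kind == "Role" else None, name))
        if role and any(rule_allows(rule, req) for rule in role.rules):
            return True
    return False


def risky_rules(roles: List[Role]) -> List[Tuple[str, str]]:
    """Defender's audit: flag wildcard grants and any rule that touches secrets."""
    findings = []
    for r in roles:
        for rule in r.rules:
            if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                findings.append((r.name, "wildcard"))
            elif "secrets" in rule.get("resources", []):
                findings.append((r.name, "secrets access"))
    return findings


# Constructed sample objects, not taken from any real cluster.
ROLES = [
    Role("pod-reader", [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}], "dev"),
    Role("deploy-admin", [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}]),
    Role("secret-reader", [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]),
]
BINDINGS = [
    Binding(("Role", "pod-reader"), [{"kind": "ServiceAccount", "name": "monitor", "namespace": "dev"}], "dev"),
    Binding(("ClusterRole", "deploy-admin"), [{"kind": "Group", "name": "release-eng"}], "staging"),
    Binding(("ClusterRole", "secret-reader"), [{"kind": "User", "name": "alice"}]),
]

if __name__ == "__main__":
    monitor = "system:serviceaccount:dev:monitor"
    print(authorize(Request(monitor, set(), "list", "pods", "dev"), ROLES, BINDINGS))   # True
    print(authorize(Request(monitor, set(), "list", "pods", "prod"), ROLES, BINDINGS))  # False
    print(risky_rules(ROLES))
```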
Behind The Scenes
Deployment From Beginning to End
Kubectl
1) Kubectl performs client side validation on the manifest (linting).
2) The manifest is prepared and serialized, creating a JSON payload.
APIserver Request Loop
3) Kubectl authenticates to the apiserver via x509, jwt, http auth proxy, other plugins, or http-basic auth.
4) Authorization iterates over the available AuthZ sources: Node, ABAC, RBAC, or webhook.
5) Admission Control checks resource quotas, other security related checks etc.
6) Request is stored in etcd.
7) Initializers are given the opportunity to mutate the request before the object is published.
8) Request is published on the apiserver.
Deployment Controller
9) Deployment Controller is notified of the new Deployment via callback.
10) Deployment Controller evaluates cluster state and reconciles the desired vs current state and forms a request for the new ReplicaSet.
11) apiserver request loop evaluates the Deployment Controller request.
12) ReplicaSet is published.
ReplicaSet Controller
13) ReplicaSet Controller is notified of the new ReplicaSet via callback.
14) ReplicaSet Controller evaluates cluster state and reconciles the desired vs current state and forms a request for the desired amount of pods.
15) apiserver request loop evaluates the ReplicaSet Controller request.
16) Pods published, and enter ‘Pending’ phase.
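The reconcile-to-desired-state behaviour described under "Kubernetes is self-healing" and in steps 13 to 16 above, as an added Python simulation that is not the real ReplicaSet controller; the pod list is constructed, and pod names are minted from a counter where Kubernetes uses random suffixes.

```python
"""Toy ReplicaSet reconciliation loop (added example, not Kubernetes code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Pod:
    name: str
    owner: str               # the ReplicaSet that created the pod
    labels: Dict[str, str]
    phase: str               # Pending | Running | Succeeded | Failed


def reconcile(rs: str, desired: int, selector: Dict[str, str],
              pods: List[Pod], seq: int) -> Tuple[List[Tuple[str, str]], int]:
    """One pass of the control loop: observe the pods matching the selector,
    compare with the desired replica count and return the requests the controller
    would send to the apiserver as ("create"|"delete", pod name). `seq` is a
    counter used to mint pod names (real Kubernetes uses random suffixes)."""
    owned = [p for p in pods if p.owner == rs
             and all(p.labels.get(k) == v for k, v in selector.items())]
    live = [p for p in owned if p.phase in ("Pending", "Running")]
    actions: List[Tuple[str, str]] = []
    # Terminated pods are not counted as replicas; they are garbage-collected and
    # replaced, which is the "one has died, spin up a new one" behaviour.
    actions += [("delete", p.name) for p in owned if p.phase in ("Failed", "Succeeded")]
    shortfall = desired - len(live)
    for _ in range(max(shortfall, 0)):
        seq += 1
        actions.append(("create", f"{rs}-{seq}"))
    if shortfall < 0:
        # Scale down: remove Pending pods (not yet serving) before Running ones.
        victims = sorted(live, key=lambda p: p.phase != "Pending")[:-shortfall]
        actions += [("delete", p.name) for p in victims]
    return actions, seq


def apply(pods: List[Pod], actions: List[Tuple[str, str]],
          rs: str, labels: Dict[str, str]) -> List[Pod]:
    """Stand-in for the apiserver persisting the controller's requests; new pods
    start in the Pending phase until the scheduler and kubelet pick them up."""
    deleted = {name for kind, name in actions if kind == "delete"}
    remaining = [p for p in pods if p.name not in deleted]
    remaining += [Pod(name, rs, dict(labels), "Pending")
                  for kind, name in actions if kind == "create"]
    return remaining


def converge(rs: str, desired: int, selector: Dict[str, str],
             pods: List[Pod], seq: int, max_rounds: int = 10):
    """Loop until a pass produces no actions; returns (pods, rounds_with_actions, seq)."""
    for rounds in range(1, max_rounds + 1):
        actions, seq = reconcile(rs, desired, selector, pods, seq)
        if not actions:
            return pods, rounds - 1, seq
        pods = apply(pods, actions, rs, selector)
    raise RuntimeError("did not converge")


# Constructed sample state: one Redis replica has crashed; an unrelated pod is present.
SAMPLE = [
    Pod("redis-1", "redis", {"app": "redis"}, "Running"),
    Pod("redis-2", "redis", {"app": "redis"}, "Failed"),
    Pod("redis-3", "redis", {"app": "redis"}, "Running"),
    Pod("web-1", "web", {"app": "web"}, "Running"),
]

if __name__ == "__main__":
    actions, _ = reconcile("redis", 3, {"app": "redis"}, SAMPLE, seq=3)
    print(actions)  # [('delete', 'redis-2'), ('create', 'redis-4')]
```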
Scheduler
17) Scheduler monitors published pods with no ‘NodeName’ assigned.
18) Applies scheduling rules and filters to find a suitable node to host the Pod.
19) Scheduler creates a binding of Pod to Node and POSTs to the apiserver.
20) apiserver request loop evaluates the POST request.
21) Pod status is updated with the node binding and status is set to ‘PodScheduled’.
Kubelet - Pod Sync
22) The kubelet daemon on every node polls the apiserver filtering for pods matching its own ‘NodeName’, checking its current state against the desired state published through the apiserver.
23) Kubelet will then move through a series of internal processes to prepare the pod environment. This includes pulling secrets, provisioning storage, applying AppArmor profiles and other various scaffolding. During this period, it will asynchronously be POST’ing the ‘PodStatus’ to the apiserver through the standard apiserver request loop.
Pause and Plumbing
24) Kubelet then provisions a ‘pause’ container via the CRI (Container Runtime Interface). The pause container acts as the parent container for the Pod.
25) The network is plumbed to the Pod via the CNI (Container Network Interface), creating a veth pair attached to the pause container and to a container bridge (cbr0).
26) IPAM handled by the CNI plugin assigns an IP to the pause container.
Kubelet - Create Containers
24) Kubelet pulls the container images.
25) Kubelet first creates and starts any init containers.
26) Once the optional init containers complete, the primary pod containers are started.
Pod Status
27) If there are any liveness/readiness probes, these are executed before the PodStatus is updated.
28) If all complete successfully, PodStatus is set to ready and the container has started successfully.
The Pod is Deployed!
Questions?

Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Chris Swan
 
Recent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS InfrastructureRecent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS Infrastructure
KAMAL CHOUDHARY
 
GDG Cloud Southlake #34: Neatsun Ziv: Automating Appsec
GDG Cloud Southlake #34: Neatsun Ziv: Automating AppsecGDG Cloud Southlake #34: Neatsun Ziv: Automating Appsec
GDG Cloud Southlake #34: Neatsun Ziv: Automating Appsec
James Anderson
 
“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...
“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...
“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...
Edge AI and Vision Alliance
 
UiPath Community Day Kraków: Devs4Devs Conference
UiPath Community Day Kraków: Devs4Devs ConferenceUiPath Community Day Kraków: Devs4Devs Conference
UiPath Community Day Kraków: Devs4Devs Conference
UiPathCommunity
 
AC Atlassian Coimbatore Session Slides( 22/06/2024)
AC Atlassian Coimbatore Session Slides( 22/06/2024)AC Atlassian Coimbatore Session Slides( 22/06/2024)
AC Atlassian Coimbatore Session Slides( 22/06/2024)
apoorva2579
 
MYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
MYIR Product Brochure - A Global Provider of Embedded SOMs & SolutionsMYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
MYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
Linda Zhang
 
7 Most Powerful Solar Storms in the History of Earth.pdf
7 Most Powerful Solar Storms in the History of Earth.pdf7 Most Powerful Solar Storms in the History of Earth.pdf
7 Most Powerful Solar Storms in the History of Earth.pdf
Enterprise Wired
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
HackersList
 
20240702 QFM021 Machine Intelligence Reading List June 2024
20240702 QFM021 Machine Intelligence Reading List June 202420240702 QFM021 Machine Intelligence Reading List June 2024
20240702 QFM021 Machine Intelligence Reading List June 2024
Matthew Sinclair
 

Recently uploaded (20)

Performance Budgets for the Real World by Tammy Everts
Performance Budgets for the Real World by Tammy EvertsPerformance Budgets for the Real World by Tammy Everts
Performance Budgets for the Real World by Tammy Everts
 
Why do You Have to Redesign?_Redesign Challenge Day 1
Why do You Have to Redesign?_Redesign Challenge Day 1Why do You Have to Redesign?_Redesign Challenge Day 1
Why do You Have to Redesign?_Redesign Challenge Day 1
 
5G bootcamp Sep 2020 (NPI initiative).pptx
5G bootcamp Sep 2020 (NPI initiative).pptx5G bootcamp Sep 2020 (NPI initiative).pptx
5G bootcamp Sep 2020 (NPI initiative).pptx
 
What’s New in Teams Calling, Meetings and Devices May 2024
What’s New in Teams Calling, Meetings and Devices May 2024What’s New in Teams Calling, Meetings and Devices May 2024
What’s New in Teams Calling, Meetings and Devices May 2024
 
Calgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptxCalgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptx
 
What's Next Web Development Trends to Watch.pdf
What's Next Web Development Trends to Watch.pdfWhat's Next Web Development Trends to Watch.pdf
What's Next Web Development Trends to Watch.pdf
 
Details of description part II: Describing images in practice - Tech Forum 2024
Details of description part II: Describing images in practice - Tech Forum 2024Details of description part II: Describing images in practice - Tech Forum 2024
Details of description part II: Describing images in practice - Tech Forum 2024
 
Knowledge and Prompt Engineering Part 2 Focus on Prompt Design Approaches
Knowledge and Prompt Engineering Part 2 Focus on Prompt Design ApproachesKnowledge and Prompt Engineering Part 2 Focus on Prompt Design Approaches
Knowledge and Prompt Engineering Part 2 Focus on Prompt Design Approaches
 
20240704 QFM023 Engineering Leadership Reading List June 2024
20240704 QFM023 Engineering Leadership Reading List June 202420240704 QFM023 Engineering Leadership Reading List June 2024
20240704 QFM023 Engineering Leadership Reading List June 2024
 
Running a Go App in Kubernetes: CPU Impacts
Running a Go App in Kubernetes: CPU ImpactsRunning a Go App in Kubernetes: CPU Impacts
Running a Go App in Kubernetes: CPU Impacts
 
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...
 
Recent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS InfrastructureRecent Advancements in the NIST-JARVIS Infrastructure
Recent Advancements in the NIST-JARVIS Infrastructure
 
GDG Cloud Southlake #34: Neatsun Ziv: Automating Appsec
GDG Cloud Southlake #34: Neatsun Ziv: Automating AppsecGDG Cloud Southlake #34: Neatsun Ziv: Automating Appsec
GDG Cloud Southlake #34: Neatsun Ziv: Automating Appsec
 
“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...
“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...
“Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” a Pres...
 
UiPath Community Day Kraków: Devs4Devs Conference
UiPath Community Day Kraków: Devs4Devs ConferenceUiPath Community Day Kraków: Devs4Devs Conference
UiPath Community Day Kraków: Devs4Devs Conference
 
AC Atlassian Coimbatore Session Slides( 22/06/2024)
AC Atlassian Coimbatore Session Slides( 22/06/2024)AC Atlassian Coimbatore Session Slides( 22/06/2024)
AC Atlassian Coimbatore Session Slides( 22/06/2024)
 
MYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
MYIR Product Brochure - A Global Provider of Embedded SOMs & SolutionsMYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
MYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
 
7 Most Powerful Solar Storms in the History of Earth.pdf
7 Most Powerful Solar Storms in the History of Earth.pdf7 Most Powerful Solar Storms in the History of Earth.pdf
7 Most Powerful Solar Storms in the History of Earth.pdf
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
 
20240702 QFM021 Machine Intelligence Reading List June 2024
20240702 QFM021 Machine Intelligence Reading List June 202420240702 QFM021 Machine Intelligence Reading List June 2024
20240702 QFM021 Machine Intelligence Reading List June 2024
 

Container Orchestration using Kubernetes

  • 14. Classification: Public Architecture Overview
    ● Masters (now usually called control plane nodes) act as the primary control plane for Kubernetes.
      ○ They are responsible, at a minimum, for running the API server, the scheduler and the controller manager.
      ○ They also host the cluster state store (etcd), cloud-provider-specific components and other cluster-essential services.
    ● Nodes are the ‘workers’ of a Kubernetes cluster.
      ○ They run a minimal agent (the kubelet) that manages the node itself and executes the workloads the control plane assigns to it.
    ● The control plane is the cluster’s trust boundary: whoever can write to etcd or call the API server with admin rights controls every workload, so its endpoints and credentials deserve the strictest protection.
  • 15. kube-apiserver – the heart of the cluster
    ● Provides a forward-facing REST interface into the Kubernetes control plane and datastore.
    ● All clients and other applications interact with Kubernetes strictly through the API server; nothing else should talk to etcd directly.
    ● Acts as the gatekeeper to the cluster by handling authentication and authorization, request validation and admission control, in addition to being the front end to the backing datastore.
    ● kubectl is the official Kubernetes command-line tool. It talks to the API server using the cluster, user and context settings in a kubeconfig file (by default ~/.kube/config); that file carries credentials and should be protected like any other secret.
  • 16. etcd – the key-value datastore
    ● etcd acts as the cluster datastore.
    ● A standalone CNCF project, https://www.cncf.io/projects/ (incubating when this deck was written; it has since graduated).
    ● Its purpose in relation to Kubernetes is to provide a strongly consistent, highly available key-value store for persisting all cluster state.
    ● Everything lives there, including Secrets, which are stored as plain base64 unless encryption at rest is configured on the API server. etcd should therefore accept only mutually authenticated TLS connections from the API server, and its backups must be treated as sensitive material.
  • 17. kube-controller-manager
    ● Serves as the primary daemon that runs the core controllers’ reconciliation loops.
    ● Handles much of the business logic of Kubernetes.
    ● Monitors the cluster state via the API server and steers the cluster towards the desired state.
  • 18. kube-scheduler
    Evaluates workload requirements and attempts to place each Pod on a matching node.
    ● The default scheduler scores nodes with a least-allocated strategy, which spreads Pods across nodes; a bin-packing (most-allocated) strategy is available but has to be configured explicitly.
    ● Workload requirements can include general hardware requirements (CPU, memory, devices), affinity/anti-affinity, labels, taints and tolerations, and other custom resource requirements.
    ● It is swappable: you can run your own scheduler and select it per Pod with spec.schedulerName.
  • 20. kubelet
    Acts as the node agent responsible for managing Pod lifecycle on its host. The kubelet understands YAML container (Pod) manifests that it can read from several sources:
    ● File path (static Pods in staticPodPath; this is how kubeadm runs the control plane components themselves)
    ● HTTP endpoint (staticPodURL)
    ● etcd watch acting on any changes (an early mechanism, long since removed)
    ● HTTP server mode: the kubelet’s own API (TCP/10250), which serves requests such as exec, logs and port-forward.
    The kubelet API gives whoever reaches it code execution in every container on the node, so it must require authentication and authorization, and the historic unauthenticated read-only port (TCP/10255) should be disabled.
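The kubelet settings that matter for the points above, as an added example (this is not a configuration from the deck; the static-pod directory and CA file path are assumptions for illustration). It is the kubelet.config.k8s.io configuration file form, which the kubelet loads with --config:

```yaml
# Added example, not from the original slides: a hardened KubeletConfiguration.
# /etc/kubernetes/manifests and /etc/kubernetes/pki/ca.crt are assumed paths.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
# Static Pod manifests (the "file path" source) are read from here. Anything
# written into this directory runs as a Pod on this node, so keep it root-only.
staticPodPath: /etc/kubernetes/manifests
# Disable the legacy unauthenticated read-only API (historically TCP/10255).
readOnlyPort: 0
# The kubelet API on TCP/10250 must authenticate and authorize every request.
authentication:
  anonymous:
    enabled: false          # the old --anonymous-auth flag defaulted to true; state it explicitly
  webhook:
    enabled: true           # validate bearer tokens with the API server (TokenReview)
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # assumed path to the cluster CA
authorization:
  mode: Webhook             # ask the API server (SubjectAccessReview) instead of AlwaysAllow
# Refuse to start if kernel tunables are not already at their protective defaults.
protectKernelDefaults: true
# Request a serving certificate through the CSR API instead of self-signing one.
serverTLSBootstrap: true
```

With this in place, an unauthenticated request to https://<node>:10250/pods returns 401 instead of a listing of every Pod and its environment, and `kubectl auth can-i create nodes/proxy` is what decides who may reach the kubelet through the API server.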
  • 21. kube-proxy
    ● Manages the network rules for Services on each node.
    ● Performs connection forwarding or load balancing for Kubernetes Services.
    ● Available proxy modes:
      ○ iptables (the default)
      ○ ipvs (must be selected explicitly and needs the IPVS kernel modules)
      ○ userspace (legacy; removed in Kubernetes 1.26)
      ○ nftables (added in recent releases as the successor to the iptables mode)
  • 22. Container Runtime – the executor
    ● A container runtime is a CRI (Container Runtime Interface) compatible application that executes and manages containers.
      ○ Docker (the default when this deck was written, through the dockershim built into the kubelet; dockershim was removed in Kubernetes 1.24, so Docker Engine now needs the external cri-dockerd adapter)
      ○ containerd
      ○ CRI-O
      ○ rkt (project since archived)
      ○ Kata Containers (formerly Clear Containers and hyper runV; runs each Pod inside a lightweight VM for stronger isolation)
      ○ Virtlet (VM CRI-compatible runtime)
    ● The runtime is what actually sets up the namespaces, cgroups, seccomp and AppArmor/SELinux confinement of a container, so a runtime vulnerability is an escape to the node; keep it patched and pinned.
  • 23. Additional Services
    ● kube-dns – provides cluster-wide DNS. Services are resolvable as <service>.<namespace>.svc.cluster.local. (CoreDNS has since replaced kube-dns as the default cluster DNS.)
    ● Heapster – metrics collector for the cluster, used by some resources such as the Horizontal Pod Autoscaler and required for dashboard metrics. (Heapster is retired; metrics-server fills this role now.)
    ● kube-dashboard – a general-purpose web-based UI for Kubernetes. It acts with the permissions of the identity it is given, so never bind its ServiceAccount to cluster-admin or expose it without authentication.
  • 27. Pod: The basic building block in Kubernetes. The name is the same idea as a pod of whales: one or more containers (better said, a running process on the cluster) running on a given node, which can be scaled up or down.
    Service: A consistent network access point for a set of Pods. Regardless of the underlying containers’ state (restarts, rescheduling, etc.), a Service always provides access to the given application.
    ReplicaSet: Ensures a given number of Pods are running in the cluster at a given time.
    Deployment: Suited for more ephemeral applications like web applications, anything that has no persistent qualities. It provides declarative updates for Pods and ReplicaSets by describing a desired state that the Deployment in turn acts on.
  • 28. StatefulSet: Suited for stateful applications like databases or even monitoring systems like Prometheus. Similar to a Deployment in that it manages the deployment and scaling of a set of Pods, but differs in that it guarantees ordering (things happen in a given sequence and are numbered) and uniqueness of Pods. Overall, it ensures that every Pod in the StatefulSet keeps a sticky identity across restarts.
    Labels: When creating Kubernetes objects, one can give any number of key/value labels to each object, and labels are discoverable across the system. For instance, one could label a database Pod app=customer-database and another object (a Service, say) could reference it simply by using that label in the selector of its manifest.
    Namespaces: Virtual clusters. They provide a means to separate applications in the cluster and are the unit at which RBAC permissions and resource quotas are scoped. On their own they are not a hard isolation boundary: Pods in different namespaces share nodes and, by default, can reach each other over the network.
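The objects just described, wired together, as an added example that is not part of the deck: a Namespace, a Deployment whose selector matches the labels on its Pod template, and a ClusterIP Service that selects the same labels. The namespace name, image and port are assumptions; the securityContext settings go beyond what the slides cover and are the baseline a reviewer would expect on any Deployment.

```yaml
# Added example, not from the original slides. Namespace, image and port are assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: shop
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: shop
spec:
  replicas: 3
  selector:
    matchLabels:            # must match the Pod template labels below
      app: web
      tier: frontend
  template:
    metadata:
      labels:
        app: web
        tier: frontend
    spec:
      automountServiceAccountToken: false   # this workload never calls the API server
      securityContext:
        runAsNonRoot: true                  # the kubelet refuses to start a root container
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: nginx
          image: nginxinc/nginx-unprivileged:1.25   # assumed image; listens on 8080 as a non-root user
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: tmp
              mountPath: /tmp              # the only writable path this image needs
          resources:
            requests: {cpu: "50m", memory: "64Mi"}
            limits: {memory: "128Mi"}
          readinessProbe:
            httpGet: {path: /, port: 8080}
      volumes:
        - name: tmp
          emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: shop
spec:
  type: ClusterIP
  selector:               # label selector: any Pod carrying both labels is an endpoint
    app: web
    tier: frontend
  ports:
    - port: 80            # the Service's port on its virtual IP
      targetPort: 8080    # the containerPort it forwards to
```

Apply it with `kubectl apply -f` and check that the selector resolved: `kubectl -n shop get endpoints web` should list three Pod IPs. If a later edit changes the Pod labels without changing the Service selector, that list goes empty, which is the most common reason a Service "stops working".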
  • 29. Minikube: install and configure. Refer to the git repo for instructions.
  • 30. Networking (to be updated from this slide onwards)
  • 31. Networking – Fundamental Rules
    1) All Pods can communicate with all other Pods without NAT.
    2) All nodes can communicate with all Pods (and vice versa) without NAT.
    3) The IP that a Pod sees itself as is the same IP that others see it as.
    These rules describe reachability, not permission: the default cluster network is flat, and restricting which Pods may talk to which is the job of NetworkPolicy objects enforced by the network plugin.
  • 32. Networking – Fundamentals Applied
    ● Containers in a Pod exist within the same network namespace and share an IP, allowing intra-Pod communication over localhost.
    ● Pods are given a cluster-unique IP for the duration of their lifecycle, but the Pods themselves are fundamentally ephemeral.
    ● Services are given a persistent cluster-unique IP that outlives any individual Pod.
    ● External connectivity is generally handled by an integrated cloud provider or another external entity (a load balancer).
  • 33. Networking – CNI
    Networking within Kubernetes is plumbed via the Container Network Interface (CNI), an interface between a container runtime and a network implementation plugin. Compatible CNI network plugins:
    ● Calico
    ● Cilium
    ● Contiv
    ● Contrail
    ● Flannel
    ● GCE
    ● kube-router
    ● Multus
    ● Open vSwitch
    ● OVN
    ● Romana
    ● Weave
    The plugin choice has a security consequence: NetworkPolicy objects are only enforced if the plugin implements them (Calico, Cilium and Weave Net do; Flannel on its own does not), so on a plugin without policy support every policy you write is silently ignored.
  • 35. Kubernetes Concepts – Core
    Cluster – A collection of hosts that aggregate their available resources, including CPU, RAM, disk and devices, into a usable pool.
    Master – The master(s) represent the collection of components that make up the control plane of Kubernetes. These components are responsible for all cluster decisions, including both scheduling and responding to cluster events.
    Node – A single host, physical or virtual, capable of running Pods. A node is managed by the master(s) and at a minimum runs both kubelet and kube-proxy to be considered part of the cluster.
    Namespace – A logical cluster or environment. The primary method of dividing a cluster or scoping access.
  • 36. Concepts – Core (cont.)
    Label – Key-value pairs that are used to identify, describe and group together related sets of objects. Labels have a strict syntax and available character set.*
    Annotation – Key-value pairs that contain non-identifying information or metadata. Annotations do not have the syntax limitations of labels and can contain structured or unstructured data. Many controllers (ingress controllers in particular) read their configuration from annotations, so write access to an object’s annotations can amount to write access to that controller’s behaviour.
    Selector – Selectors use labels to filter or select objects. Both equality-based (=, ==, !=) and set-based selectors are supported.
    * https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
  • 37. Labels, Annotations, and Selectors
    Labels:
      app: nginx
      tier: frontend
    Annotations:
      description: “nginx frontend”
    Selector:
      app: nginx
      tier: frontend
  • 38. Set-based selectors
    Valid operators (used in matchExpressions):
    ● In
    ● NotIn
    ● Exists
    ● DoesNotExist
    Objects that support set-based selectors:
    ● Job
    ● Deployment
    ● ReplicaSet
    ● DaemonSet
    ● PersistentVolumeClaim
  • 39. Concepts – Workloads
    Pod – A Pod is the smallest unit of work or management resource within Kubernetes. It is comprised of one or more containers that share their storage, network and context (namespaces, cgroups, etc.).
    ReplicationController – The original method of managing Pod replicas and their lifecycle: their scheduling, scaling and deletion. Legacy; superseded by ReplicaSets.
    ReplicaSet – Next-generation ReplicationController. Supports set-based selectors.
    Deployment – A declarative method of managing stateless Pods and ReplicaSets. Provides rollback functionality in addition to more granular update control mechanisms.
  • 40. Deployment – contains the configuration of how updates or ‘deployments’ should be managed, in addition to the Pod template used to generate the ReplicaSet.
    ReplicaSet – the ReplicaSet generated from the Deployment spec.
  • 41. Concepts – Workloads (cont.)
    StatefulSet – A controller tailored to managing Pods that must persist or maintain state. Pod identity, including hostname, network and storage, is persisted.
    DaemonSet – Ensures that all nodes matching certain criteria run an instance of a supplied Pod. Ideal for cluster-wide services such as log forwarding or health monitoring.
  • 42. StatefulSet
    ● Attaches to a ‘headless service’ (not shown) named nginx.
    ● Pods are given unique ordinal names using the pattern <statefulset name>-<ordinal index>, and each gets a stable DNS name <pod>.<service>.<namespace>.svc.cluster.local through the headless Service.
    ● Creates an independent PersistentVolumeClaim for each Pod based on the ‘volumeClaimTemplates’.
  • 43. DaemonSet
    ● Originally bypassed the default scheduler (the DaemonSet controller placed Pods itself); since Kubernetes 1.12 DaemonSet Pods are placed by the default scheduler using node affinity.
    ● Schedules a single instance on every matching host while adhering to taints and tolerations.
  • 44. Concepts – Workloads (cont.)
    Job – The Job controller ensures one or more Pods are executed and terminate successfully. It keeps doing this until it satisfies the completion and/or parallelism condition.
    CronJob – An extension of the Job controller, it provides a method of executing Jobs on a cron-like schedule.
  • 45. Jobs
    ● The number of Pod executions can be controlled via spec.completions.
    ● Jobs can be parallelised using spec.parallelism.
    ● Jobs and their Pods are NOT automatically cleaned up after a Job has completed unless you ask for it (spec.ttlSecondsAfterFinished on the Job, or the history limits on a CronJob). Finished Pods keep their logs, environment and mounted Secrets readable until they are deleted.
  • 46. CronJob
    ● Adds a cron schedule to a Job template.
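A CronJob that puts the Job controls from the last three slides together, as an added example that is not from the deck: completions and parallelism, a backoff limit, and the cleanup settings that address the "not automatically cleaned up" point. The image, arguments and backup target are assumptions.

```yaml
# Added example, not from the original slides. Image, args and the s3 target are assumed.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: db-backup
  namespace: shop
spec:
  schedule: "0 2 * * *"           # 02:00 daily
  timeZone: "Etc/UTC"             # GA in 1.27; remove on older clusters, where the controller's zone applies
  concurrencyPolicy: Forbid       # never run two backups at once
  startingDeadlineSeconds: 600    # skip a run that could not start within 10 minutes of its slot
  successfulJobsHistoryLimit: 3   # keep only the last 3 finished Jobs (and their Pods)
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      completions: 1
      parallelism: 1
      backoffLimit: 2             # retry a failed Pod at most twice
      ttlSecondsAfterFinished: 86400   # delete the Job and its Pods a day after it finishes
      template:
        spec:
          restartPolicy: Never    # Jobs only allow Never or OnFailure
          automountServiceAccountToken: false
          securityContext:
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: backup
              image: example.com/db-backup:1.0          # assumed image
              args: ["--target", "s3://backups/shop"]   # assumed
              securityContext:
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                capabilities:
                  drop: ["ALL"]
              resources:
                requests: {cpu: "100m", memory: "128Mi"}
                limits: {memory: "512Mi"}
```

`kubectl -n shop create job --from=cronjob/db-backup backup-now` runs the same template on demand, which is the easiest way to test it before the first scheduled run.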
  • 47. Concepts – Network
    Service – Services provide a method of exposing and consuming L4 Pod network-accessible resources. They use label selectors to map groups of Pods and ports to a cluster-unique virtual IP.
    Ingress – An Ingress object describes L7 (usually HTTP) routing to cluster Services; an ingress controller is the component that implements it and is the primary method of exposing a cluster Service to the outside world. These are load balancers or routers that usually offer TLS termination, name-based virtual hosting, etc.
  • 48. Service
    ● Acts as the unified method of accessing replicated Pods.
    ● Four major Service types:
      ○ ClusterIP – exposes the Service on a strictly cluster-internal IP (default).
      ○ NodePort – the Service is exposed on every node’s IP on a statically defined port (30000–32767 by default). Every node becomes a listener, so firewall the range unless that exposure is intended.
      ○ LoadBalancer – works in combination with a cloud provider to expose a Service outside the cluster on a static external IP.
      ○ ExternalName – references endpoints OUTSIDE the cluster by returning a DNS CNAME for a static, internally referenced name; no proxying is involved.
  • 49. Ingress Controller
    ● Deployed as a Pod to one or more hosts.
    ● Ingress controllers are external controllers with multiple options:
      ○ NGINX
      ○ HAProxy
      ○ Contour
      ○ Traefik
    ● Specific features and controller-specific configuration are passed through annotations, which is why the right to edit Ingress objects should be granted as carefully as the right to edit the controller itself.
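An Ingress that routes a hostname to the Service type just described, with TLS termination, as an added example that is not from the deck. The hostname, the TLS Secret name, and the NGINX ingress controller (whose redirect annotation is shown) are assumptions; the annotation key is controller-specific, exactly as the slide says.

```yaml
# Added example, not from the original slides. Host, Secret name and controller are assumed.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: shop
  annotations:
    # Controller-specific knob (NGINX ingress controller): redirect http to https.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx            # which controller owns this object
  tls:
    - hosts: ["shop.example.com"]
      secretName: shop-example-com-tls   # a kubernetes.io/tls Secret in the same namespace
  rules:
    - host: shop.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web            # a ClusterIP Service in namespace "shop"
                port:
                  number: 80
```

The backend Service only needs to be ClusterIP: the controller's own Service is the single LoadBalancer or NodePort that is exposed, and TLS is terminated in the controller Pod, so traffic from the controller to the backend is plain HTTP inside the cluster unless you configure otherwise.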
  • 50. Concepts – Storage
    Volume – Storage that is tied to the Pod lifecycle, consumable by one or more containers within the Pod.
    PersistentVolume – A PersistentVolume (PV) represents a storage resource. PVs are commonly linked to a backing storage resource (NFS, GCEPersistentDisk, RBD, etc.) and are provisioned ahead of time. Their lifecycle is handled independently from a Pod.
    PersistentVolumeClaim – A PersistentVolumeClaim (PVC) is a request for storage that satisfies a set of requirements instead of mapping to a storage resource directly. Commonly used with dynamically provisioned storage.
    StorageClass – Storage classes are an abstraction on top of an external storage resource. They include a provisioner, provisioner configuration parameters and a PV reclaimPolicy.
  • 52. PersistentVolumes
    ● PVs are a cluster-wide resource.
    ● Not directly consumable by a Pod.
    ● PV parameters:
      ○ capacity
      ○ accessModes
        ■ ReadOnlyMany (ROX)
        ■ ReadWriteOnce (RWO)
        ■ ReadWriteMany (RWX)
        ■ ReadWriteOncePod (RWOP, newer releases: a single Pod rather than a single node)
      ○ persistentVolumeReclaimPolicy
        ■ Retain
        ■ Recycle (deprecated; it only ran rm -rf on the volume, which is not a secure wipe)
        ■ Delete
      ○ storageClassName
  • 53. PersistentVolumeClaims
    ● PVCs are scoped to namespaces.
    ● Support accessModes like PVs.
    ● Use a resource request model similar to Pods.
    ● Claims consume storage from matching PVs or StorageClasses based on storageClassName and selectors.
  • 54. StorageClasses
    ● Use an external system defined by the provisioner to dynamically consume and allocate storage.
    ● StorageClass fields:
      ○ provisioner
      ○ parameters
      ○ reclaimPolicy
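The three storage objects in use together, as an added example that is not from the deck: a StorageClass with a Retain reclaim policy and encrypted volumes, a PVC that requests it, and a Pod that mounts the claim. The CSI driver and its parameters are those of the AWS EBS CSI driver and are assumptions; substitute your cluster's provisioner.

```yaml
# Added example, not from the original slides. Provisioner, parameters, namespace and image are assumed.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: fast-retain
provisioner: ebs.csi.aws.com          # assumed CSI driver
parameters:
  type: gp3                           # driver-specific
  encrypted: "true"                   # driver-specific: ask the backend for encrypted volumes
reclaimPolicy: Retain                 # keep the PV and its data when the PVC is deleted
volumeBindingMode: WaitForFirstConsumer   # provision in the zone where the Pod lands
allowVolumeExpansion: true
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: reports
  namespace: shop
spec:
  storageClassName: fast-retain
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: reporter
  namespace: shop
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    fsGroup: 10001                    # volume is chown'ed to this group so uid 10001 can write
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: example.com/reporter:1.0   # assumed image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: reports
          mountPath: /var/reports
  volumes:
    - name: reports
      persistentVolumeClaim:
        claimName: reports
```

Retain means deleting the PVC leaves a PV in the Released state, still holding the data; someone has to either delete it or scrub and re-bind it deliberately. That is the safe default for anything containing customer data, and the opposite of what Delete does.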
  • 55. Concepts – Configuration
    ● ConfigMap – Externalised data stored within Kubernetes that can be referenced as a command-line argument or environment variable, or injected as a file into a volume mount. Ideal for separating a containerised application from its configuration.
    ● Secret – Functionally near-identical to ConfigMaps, but intended for sensitive data. Values are stored base64-encoded, which is an encoding, not encryption: anyone who can read the object reads the plaintext. Secrets are only encrypted at rest in etcd if the API server is configured with an EncryptionConfiguration, and even then any identity with RBAC get or list on secrets still receives them in clear through the API.
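The "if configured" part made concrete, as an added example that is not from the deck: the API server's EncryptionConfiguration file, passed with --encryption-provider-config. The key material is a placeholder to be generated locally; it is not a value from the page.

```yaml
# Added example, not from the original slides. The key value is a placeholder:
# generate one with `head -c 32 /dev/urandom | base64` and keep this file root-only
# on the control-plane node, since it is itself the key to every Secret.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets                       # add configmaps or other resource types here as needed
    providers:
      # The first provider is used for writes; all listed providers are tried for reads.
      - secretbox:
          keys:
            - name: key1
              secret: <32 random bytes, base64-encoded>
      # identity (no encryption) last, so Secrets written before this config was
      # enabled can still be read until they have been rewritten.
      - identity: {}
```

Enabling the file only affects new writes. Existing Secrets stay in plaintext in etcd until they are rewritten, typically with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`, after which `identity: {}` can be removed so that unencrypted data is refused. A KMS provider (kms v2) is the stronger choice in production because the data-encryption key then never sits unwrapped on disk beside the API server.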
  • 56. ConfigMaps and Secrets
    ● Can be used in a Pod spec:
      ○ Injected as a file (a volume whose contents the kubelet keeps updated)
      ○ Passed as an environment variable
      ○ Used in a container command or args (via $(VAR) expansion, which requires the value to be passed as an env var first)
    ● Prefer file injection for Secrets: environment variables show up in kubectl describe, crash dumps, child processes and /proc/<pid>/environ.
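Both consumption paths side by side, as an added example that is not from the deck: a ConfigMap surfaced as an environment variable and a Secret surfaced as a read-only file, which is the pattern the caveat above recommends. The namespace, image, key names and the sample password are constructed for illustration.

```yaml
# Added example, not from the original slides. Namespace, image and values are constructed.
apiVersion: v1
kind: ConfigMap
metadata:
  name: web-config
  namespace: shop
data:
  LOG_LEVEL: "info"
---
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: shop
type: Opaque
stringData:                      # plaintext on input; the API server stores it base64-encoded under .data
  password: "correct-horse-battery-staple"   # constructed sample value
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: shop
spec:
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: example.com/app:1.0   # assumed image
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      env:
        - name: LOG_LEVEL          # non-sensitive: an env var is fine
          valueFrom:
            configMapKeyRef:
              name: web-config
              key: LOG_LEVEL
      volumeMounts:
        - name: db-creds           # sensitive: mounted as a file, never exported as env
          mountPath: /etc/db
          readOnly: true
  volumes:
    - name: db-creds
      secret:
        secretName: db-credentials
        defaultMode: 0400          # readable by the container user only
```

The application then reads /etc/db/password. Because the kubelet projects the Secret into a tmpfs, the value never touches the node's disk, and because it is not in the environment it does not leak through `kubectl describe pod`, a crash dump or any child process that inherits the environment.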
  • 57. Concepts – Auth and Identity (RBAC)
    [Cluster]Role – Roles contain rules that act as a set of permissions, applying verbs like “get”, “list”, “watch”, etc. over resources that are scoped to apiGroups. Roles are scoped to namespaces, and ClusterRoles apply cluster-wide.
    [Cluster]RoleBinding – Grants the permissions defined in a [Cluster]Role to one or more “subjects”, which can be a user, a group or a service account. A RoleBinding may also reference a ClusterRole, in which case that role’s permissions apply only within the binding’s namespace.
    ServiceAccount – ServiceAccounts provide a consumable identity for Pods, or for external services that interact with the cluster directly, and are scoped to namespaces.
  • 58. [Cluster]Role
    ● Permissions map to API paths: apiGroups selects the group (with “” meaning the core group, e.g. /api/v1/...) and resources the object type under it.
    ● resources act as the items the role should be granted access to; subresources such as pods/exec or pods/log are named separately, and those are the ones that hand out shell or log access.
    ● verbs are the actions the role can perform on the referenced resources. Avoid the wildcard “*” in any of the three fields, and treat create on pods, and any read access to secrets, as near-admin within that namespace, since a Pod can mount every Secret and ServiceAccount token there.
  • 59. [Cluster]RoleBinding
    ● Can reference multiple subjects.
    ● Subjects can be of kind:
      ○ User
      ○ Group
      ○ ServiceAccount
    ● roleRef targets a single role only, and is immutable once the binding is created.
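A least-privilege Role with its binding, as an added example that is not from the deck: a ServiceAccount that may only watch Deployments and Pods in one namespace, bound together with a developer group. The namespace, names and the group name (which comes from your identity provider) are assumptions.

```yaml
# Added example, not from the original slides. Namespace, names and the group are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deploy-watcher
  namespace: shop
automountServiceAccountToken: false    # Pods must opt in to receiving this identity's token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                             # namespaced; a ClusterRole would apply everywhere
metadata:
  name: deployment-reader
  namespace: shop
rules:
  - apiGroups: ["apps"]                # /apis/apps/v1/namespaces/shop/deployments
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]                    # "" is the core group: /api/v1/namespaces/shop/pods
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
  # Deliberately absent: "secrets", "pods/exec", the "create" verb and any "*".
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-deployments
  namespace: shop
subjects:
  - kind: ServiceAccount
    name: deploy-watcher
    namespace: shop
  - kind: Group
    name: shop-developers              # assumed group name asserted by the identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:                               # exactly one role; cannot be changed after creation
  kind: Role
  name: deployment-reader
  apiGroup: rbac.authorization.k8s.io
```

Verify the boundary rather than assuming it: `kubectl -n shop auth can-i list deployments --as=system:serviceaccount:shop:deploy-watcher` should answer yes, and the same question for `get secrets` or `create pods/exec` should answer no. `kubectl auth can-i --list --as=...` prints everything the identity may do, which is the quickest audit of a binding.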
  • 63. Kubectl
    1) kubectl performs client-side validation on the manifest (linting).
    2) The manifest is prepared and serialised, creating a JSON payload.
  • 64. API server Request Loop
    3) kubectl authenticates to the API server via x509 client certificates, JWT bearer tokens (ServiceAccount tokens, OIDC), an authenticating HTTP proxy, other plugins, or, in old releases, HTTP basic auth (removed in Kubernetes 1.19).
    4) Authorization iterates over the configured authorizers: Node, ABAC, RBAC or webhook. The first to reach a decision allows or denies; an authenticated request that no authorizer permits is denied.
    5) Admission control runs: mutating admission webhooks, then schema validation, then validating admission webhooks and built-in plugins, checking resource quotas and other security-related policy (Pod Security admission, for example).
    6) The object is stored in etcd.
    7) Initializers (an alpha feature of that era, removed in Kubernetes 1.14 in favour of mutating admission webhooks) were given the opportunity to mutate the object before it was published.
    8) The object is published by the API server.
  • 65. Deployment Controller
    9) The Deployment controller is notified of the new Deployment through its watch.
    10) The Deployment controller evaluates cluster state, reconciles desired vs current state and forms a request for the new ReplicaSet.
    11) The API server request loop evaluates the Deployment controller’s request.
    12) The ReplicaSet is published.
  • 66. ReplicaSet Controller
    13) The ReplicaSet controller is notified of the new ReplicaSet through its watch.
    14) The ReplicaSet controller evaluates cluster state, reconciles desired vs current state and forms a request for the desired number of Pods.
    15) The API server request loop evaluates the ReplicaSet controller’s request.
    16) Pods are published and enter the ‘Pending’ phase.
  • 68. Scheduler
    17) The scheduler watches for published Pods with no spec.nodeName assigned.
    18) It applies scheduling filters and scoring rules to find a suitable node to host the Pod.
    19) The scheduler creates a Binding of Pod to node and POSTs it to the API server.
    20) The API server request loop evaluates the POST request.
    21) The Pod status is updated with the node binding and the PodScheduled condition is set.
  • 69. Kubelet – Pod Sync
    22) The kubelet daemon on every node watches the API server, filtering for Pods matching its own node name, and compares their current state with the desired state published through the API server. (The Node authorizer limits each kubelet to exactly this: the Pods, Secrets and ConfigMaps bound to its own node.)
    23) The kubelet then moves through a series of internal processes to prepare the Pod environment. This includes pulling Secrets, provisioning storage, applying AppArmor profiles and other scaffolding. During this period it asynchronously POSTs the PodStatus to the API server through the standard API server request loop.
  • 70. Pause and Plumbing
    24) The kubelet then provisions a ‘pause’ container via the CRI (Container Runtime Interface). The pause container holds the Pod’s namespaces and acts as the parent container for the Pod.
    25) The network is plumbed to the Pod via the CNI (Container Network Interface), creating a veth pair attached to the pause container’s namespace and to a container bridge (cbr0 under kubenet; CNI plugins name their own, e.g. cni0 for Flannel).
    26) IPAM handled by the CNI plugin assigns an IP to the pause container.
  • 71. Kubelet – Create Containers
    27) The kubelet pulls the container images (subject to imagePullPolicy, using any imagePullSecrets referenced by the Pod).
    28) The kubelet first creates and starts any init containers, in order.
    29) Once the optional init containers complete, the primary Pod containers are started.
  • 72. Pod Status
    30) If there are any startup, liveness or readiness probes, these are executed before the PodStatus is updated.
    31) If all complete successfully, the PodStatus is set to Ready and the containers have started successfully. The Pod is deployed!