December 16, 2023

1. Introduction to Kubernetes: #

Kubernetes is a popular open source platform for container orchestration. It enables developers to easily build containerized applications and services, as well as scale, schedule and monitor those containers. What is Kubernetes container orchestration?

2. Architecture: #

  • Kubernetes Components: Master node, Worker node, etcd, kubelet, kube-proxy, etc.

Kubernetes Cluster Components source Tools Stack Wheel source Side by Side - Service Overview source

3. Setup and Installation: #

4. Pods: #

  • What is a Pod ? A Pod is is the smallest deployable unit that can be deployed and managed by Kubernetes. In other words, if you need to run a single container in Kubernetes, then you need to create a Pod for that container. At the same time, a Pod can contain more than one container, if these containers are relatively tightly coupled. In a pre-container world, they would have executed on the same server.

5. Replication Controllers and ReplicaSets: #

6. Deployments: #

  • When to use a ReplicaSet

  • A Deployment is a higher-level concept that manages ReplicaSets and provides declarative updates to Pods along with a lot of other useful features.

  • We recommend using Deployments instead of directly using ReplicaSets, unless you require custom update orchestration or don’t require updates at all.

  • What is Autoscaling in Kubernetes? Three common solutions for scaling applications in Kubernetes environments are:

    • Horizontal Pod Autoscaler (HPA): Automatically adds or removes pod replicas.
    • Vertical Pod Autoscaler (VPA): Automatically adds or adjusts CPU and memory reservations for your pods.
    • Cluster Autoscaler: Automatically adds or removes nodes in a cluster based on all pods’ requested resources.

7. Services: #

  • What are Kubernetes Services?

  • What are the components of a Kubernetes services?

  • Kubernetes services connect a set of pods to an abstracted service name and IP address.

  • Services provide discovery and routing between pods.

  • For example, services connect an application front-end to its backend, each of which running in separate deployments in a cluster.

  • Services use labels and selectors to match pods with other applications.

  • The core attributes of a Kubernetes service are:

    • A label selector that locates pods
    • The clusterIP IP address and assigned port number
    • Port definitions
    • Optional mapping of incoming ports to a targetPort
  • Services can be defined without pod selectors.

  • For example, to point a service to another service in a different namespace or cluster.

  • What are the types of Kubernetes services?

    • ClusterIP. Exposes a service which is only accessible from within the cluster.
    • NodePort. Exposes a service via a static port on each node’s IP.
    • LoadBalancer. Exposes the service via the cloud provider’s load balancer.
    • ExternalName. Maps a service to a predefined externalName field by returning a value for the CNAME record.
  • Communication between pods in kubernetes

    • Kubernetes assumes that pods can communicate with other pods, regardless of which host they land on.

8. ConfigMaps and Secrets: #

  • ConfigMaps
    • A ConfigMap is an API object used to store non-confidential data in key-value pairs.
    • Pods can consume ConfigMaps as environment variables, command-line arguments,
    • or as configuration files in a volume.
    • A ConfigMap allows you to decouple environment-specific configuration from your container images,
    • so that your applications are easily portable.
  • What are Kubernetes Secrets?
    • Similar to ConfigMaps, Kubernetes Secrets are API objects specifically built
    • to store confidential data.
    • Kubernetes Secrets contain small amounts of sensitive data,
    • such as passwords, tokens, or keys.
    • This type of information might be put in pod specs or a container image.
    • However, thanks to a Secret, you can keep your confidential data separate from your app code.

9. Volumes and Persistent Volumes: #

  • Using Kubernetes Persistent Volumes
    • Kubernetes persistent volumes provide data storage for stateful applications.
    • They abstract a storage system’s implementation from how it’s consumed by your pods.
    • A persistent volume could store data locally, on a network share,
    • or in a block storage volume provided by a cloud vendor.
  • When To Use Persistent Volumes
    • Database storage
    • Log storage
    • Protection of important data
    • Data independent of pods
  • Lifecycle of a volume and claim
    • PVs are resources in the cluster.
    • PVCs are requests for those resources and also act as claim checks to the resource.
    • The interaction between PVs and PVCs follows this lifecycle:
    • Provisioning - Static / Dynamic
    • Binding
    • Using
    • Storage Object in Use Protection
    • Reclaiming
    • PersistentVolume deletion Protection finalizer
    • Reserving a PersistentVolume
  • Types of Persistent Volumes
    • PersistentVolume types are implemented as plugins.
    • Kubernetes currently supports the following plugins:
      • csi - Container Storage Interface (CSI)
      • fc - Fibre Channel (FC) storage
      • hostPath - HostPath volume
        • for single node testing only;
        • WILL NOT WORK in a multi-node cluster;
        • consider using local volume instead
      • iscsi - iSCSI (SCSI over IP) storage
      • local - local storage devices mounted on nodes.
      • nfs - Network File System (NFS) storage

10. Network Policies #

  • What are Kubernetes Network Policies?
    • Kubernetes Network Policies are a Kubernetes resource that let you define rules for network traffic.
    • They are applied to pods based on labels and selectors, and they can specify the following:
      • direction of the traffic: ingress (incoming) or egress (outgoing)
      • source and destination of the traffic: pod selectors, namespace selectors, IP blocks, or ports
      • protocol and port of the traffic: TCP, UDP, SCTP, or ICMP
      • action to take on the traffic: allow or deny

11. Monitoring and Logging: #

  • Kubernetes cluster monitoring (via Prometheus)
    • Monitors Kubernetes cluster using Prometheus.
    • Shows overall cluster CPU / Memory / Filesystem usage
    • as well as individual pod, containers, systemd services statistics.
    • Uses cAdvisor metrics only.
  • Requirements
    • You only need to have a running Kubernetes cluster with deployed Prometheus.
    • Prometheus will use metrics provided by cAdvisor via kubelet service
    • (runs on each node of Kubernetes cluster by default) and via kube-apiserver service only.
  • Setup a Prometheus monitoring on Kubernetes using Grafana

12. Security Best Practices: #

  • Using RBAC Authorization
    • Role-based access control (RBAC) is a method of regulating access to computer
    • or network resources based on the roles of individual users within your organization.
    • RBAC authorization uses the rbac.authorization.k8s.io API group to drive
    • authorization decisions, allowing you to dynamically configure
    • policies through the Kubernetes API.
  • Secure cluster communication
    • If you wish to enable TLS for cluster communication, you need to provide two things:
      • a certificate file, and its private key.
    • The certificate chain file is expected to be a PEM public certificate file,
    • which should contain a x509 public certificate,
    • and may additionally contain an entire certificate chain.
  • Letsencrypt Stateless Mode to secure cluster communication
    • Configure your webserver to respond statelessly to challenges for a given account key.
    • This requires nothing more than a one-time web server configuration change and no “moving parts”.

13. Troubleshooting: #

14. Helm: #

  • What is Helm?
  • Helm helps you manage Kubernetes applications — Helm Charts help you define, install,
  • and upgrade even the most complex Kubernetes application.
  • Charts are easy to create, version, share, and publish
  • => so start using Helm and stop the copy-and-paste.

15. Advanced topics #

  • StatefulSets for stateful applications

    • StatefulSet is the workload API object used to manage stateful applications.
    • Manages the deployment and scaling of a set of Pods,
    • and provides guarantees about the ordering and uniqueness of these Pods.
  • DaemonSet

    • A DaemonSet ensures that all (or some) Nodes run a copy of a Pod.
    • As nodes are added to the cluster, Pods are added to them.
    • As nodes are removed from the cluster, those Pods are garbage collected.
    • Deleting a DaemonSet will clean up the Pods it created.