Kubernetes

  1. Pod
  2. Node
  3. Ingress
  4. Security
  5. QoS
  6. Volume
    1. Persistent volume
  7. Service
  8. Deployment
  9. Namespace
  10. Networking

Pod

  • several containers in the same namespace
  • sidecar: additional containers
  • shared storage, network
  • IP per pod
  • state
    • pending
    • running
    • succeeded
    • failed
    • unknown

Node

  • VM, bare metal
  • container runtime interface (CRI): abstraction layer over container runtimes
    • Docker
    • containerd
    • rktlet
    • Frakti
  • master node
    • kubelet: southbound API, agent on worker
    • API server
    • etcd: distributed key-value store
    • scheduler
    • controller: cluster-level functions
  • kube-proxy: network policies
  • cluster ≡ node pool

Ingress

  • HTTP(S) only
  • SSL termination
  • external URL for service
  • requires an ingress controller: nginx, GCE

Security

  • use specific tags, not latest
  • Clair: vulnerability scanner
  • sign container images: TUF, Notary, Docker Content Trust
  • RBAC: roles restrict which HTTP verbs may be used on a resource, scoped per namespace
  • network policy:
    • via CNI
    • describes what is permitted; everything else is denied
    • if no policy is defined, all traffic is permitted
  • resource quotas per namespace
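The permit-only model above in a manifest. This is an added example, not from the original notes; the namespace `shop` and the labels `app=web` / `app=db` are assumed, and enforcement depends on the CNI plugin supporting NetworkPolicy.

```yaml
# Added example (not from the original notes). Assumed namespace "shop"
# with pods labelled app=web and app=db.
# 1) Default deny for inbound traffic: selects every pod in the namespace
#    but lists no ingress rules. Once this exists, pods that previously
#    accepted everything (no policy = permit all) accept nothing.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}          # empty selector = all pods in the namespace
  policyTypes:
  - Ingress                # no "ingress:" list follows, so nothing is allowed
---
# 2) Permit rule: only pods labelled app=web may reach app=db on TCP 5432.
#    Policies are additive: this opens one path, default-deny keeps the
#    rest closed. Egress is untouched here, so web can still initiate the
#    connection.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-db
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web
    ports:
    - protocol: TCP
      port: 5432
```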

QoS

  • request ≡ guaranteed resources
  • limit ≡ max resources
  • classes
    • guaranteed
      • CPU request = CPU limit
      • RAM request = RAM limit
      • evicted last
    • burstable
      • has requests
      • requests ≠ limits
      • evicted after best-effort pods
    • best effort
      • no requests or limits
      • evicted first under resource shortage

Volume

  • shared storage within pod
  • volume lifetime = pod lifetime
  • types
    • awsElasticBlockStore
    • azureDisk
    • azureFile
    • cephfs
    • configMap
    • fc
    • gcePersistentDisk
    • hostPath
    • local
    • nfs
    • emptyDir: non-persistent

Persistent volume

  • available to all pods in cluster
  • access granted to pod via PersistentVolumeClaim
  • bind manually to a specific volume, or to a pooled volume selected by its attributes
  • enforces limits
  • hides implementation details from pod
  • must exist before mount

Service

  • ≈ DNS between pods, without TTL
  • kube-proxy redirects the request to a pod serving the application
  • types
    • ClusterIP: default, IP is reachable only within cluster
    • NodePort: <NODE_IP>:<NODE_PORT>, static
    • LoadBalancer: cloud provider LB backend
    • ExternalName: DNS CNAME in CoreDNS

Deployment

  • types
    • Recreate
      • big bang
      • downtime
    • RollingUpdate
      • maxSurge: how many pods to add per increment
      • maxUnavailable: how many pods are allowed to be down
      • starts new version and shuts down old pods
    • Blue-Green
      • manual
      • based on Service or Ingress modification
    • Canary
      • manual, like Blue-Green
      • instead of switching over by label, gradually increase the number of replicas of the new version
  • factors
    • downtime
    • infrastructure cost
    • real traffic testing
    • rollback
  • ReplicaSet: guarantees number of pods in cluster
  • DaemonSet: guarantees pod to be on every node

Namespace

  • virtual cluster: unique resource name, resource quotas, RBAC
  • cannot be nested
  • resource belongs only to one namespace

Networking