* kube-apiserver
- All cluster -> master communication goes only through the apiserver
- communicates over port 443
- relatively secure
* communication: Cluster to Master and Master to Cluster
* Cluster to Master -> relatively secure
* Master to Cluster -> apiserver -> kubelet / apiserver -> nodes/pods/services
* apiserver -> kubelet (hurdles)
- certificate not verified by default
- vulnerable to man-in-the-middle attacks
- don't run on a public network
- to harden:
  - set --kubelet-certificate-authority
  - use SSH tunnelling
* apiserver -> nodes/pods/services (hurdles)
- not safe
- plain HTTP
- neither authenticated nor encrypted
- on public clouds, SSH tunnelling is provided by the cloud provider
* etcd
- consistent and highly available key-value store
- source of truth for the cluster state
* kube-scheduler
- handles pod creation and management
- kube-scheduler matches/assigns nodes to pods
- complex: affinities, taints, tolerations
* controller-manager
- cloud-controller-manager:
  used when k8s runs on a cloud
  cloud-specific
- kube-controller-manager:
  used when not running on a public cloud
  not infra-specific
POD:
- atomic unit of deployment in Kubernetes
- consists of 1 or more tightly coupled containers
- a pod runs on a node, which is controlled by the master
- Kubernetes only knows about pods
- cannot start a container without a pod
- pod => sandbox for 1 or more containers
multi-container pods:
- 1 pod usually contains 1 container
- multi-container pods are possible too
- such containers are tightly coupled
- share access to memory space
- connect to each other using localhost
- share access to the same volumes (storage abstraction)
- Federated Clusters
Individual Cluster
- all nodes on the same infra
- administer with kubectl
Federation (Federated Cluster)
- nodes in multiple clusters
- administer with kubefed
- Limitations
* no auto-healing, scaling or rollback
* pod crashes? must be handled at a higher level
* handled by ReplicaSet, Deployment, Service
* ephemeral: pod IP addresses are ephemeral
- Advantages
* fault-tolerance: pod/node failures
* rollback: advanced deployment options
* auto-healing: crashed containers restart
* auto-scaling: more clients? more demand
* load-balancing: distribute client requests
* isolation: sandboxes so that containers don't interfere
- LAB:
* Create a multi-container POD (ansible program)
----------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: frontend
spec:
  containers:
  - name: db
    image: mysql
    env:
    - name: MYSQL_ROOT_PASSWORD
      value: "password"   # plaintext in the manifest: fine for the lab only, use a Secret otherwise
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
  - name: wp
    image: wordpress
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"       # CPU is measured in millicores (m), not Mi
      limits:
        memory: "128Mi"
        cpu: "500m"
----------------------------------------------------------------------
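A hardened version of the lab pod, added here as an example and not part of the original notes: the database password is moved out of the manifest into a Secret that both containers reference, the service-account token is not mounted since neither container calls the API server, and WordPress reaches MySQL over localhost because they share the pod. The Secret name frontend-db, its key root-password and the placeholder value are assumptions; WORDPRESS_DB_HOST and WORDPRESS_DB_PASSWORD are the wordpress image's own settings.

```yaml
# Constructed example: lab pod with the credential taken out of the manifest.
apiVersion: v1
kind: Secret
metadata:
  name: frontend-db            # assumed name
type: Opaque
stringData:
  root-password: "REPLACE-AT-DEPLOY-TIME"   # placeholder, never a real value in a file you commit
---
apiVersion: v1
kind: Pod
metadata:
  name: frontend
spec:
  automountServiceAccountToken: false   # neither container needs to talk to the apiserver
  containers:
  - name: db
    image: mysql
    env:
    - name: MYSQL_ROOT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: frontend-db
          key: root-password
    resources:
      requests: {memory: "64Mi", cpu: "250m"}
      limits: {memory: "128Mi", cpu: "500m"}
  - name: wp
    image: wordpress
    env:
    - name: WORDPRESS_DB_HOST
      value: "127.0.0.1"        # same pod, so the db container is reachable on localhost
    - name: WORDPRESS_DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: frontend-db
          key: root-password
    resources:
      requests: {memory: "64Mi", cpu: "250m"}
      limits: {memory: "128Mi", cpu: "500m"}
```

kubectl apply -f creates both documents in order, so the Secret exists before the pod starts. A Secret is only base64-encoded in etcd unless encryption at rest is configured, so RBAC on who can read Secrets still matters.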
Declarative Pod Example:
apiVersion: v1
kind: Pod
metadata:
  name: declarative-pod
spec:
  containers:
  - name: memory-demo-ctr
    image: nginx
----------------------------------------------------------------------
Kubernetes node
- kubelet: agent running on this node
  listens to the kubernetes master
  port 10255
- container engine: works with the kubelet
  : pulling images
  : starting/stopping containers
  : could be docker or rkt (containerd)
- kube-proxy: needed because pod IP addresses are ephemeral
  : network - will make sense when we discuss service objects