Professional Documents
Culture Documents
CERTIFIED
iii9
Iiiiiiiiiiiiii
iii iii
KUBERNETES
ADMINISTRATOR
ADNAN RASHID
CLUSTER ARCHITECTURE
ETCD
SCHEDULER
DATA
ASSIGNPOD
POD
TO NODE
Y y
MASTER
CONTROLLER
MANAGER
API
f off SERVER
eggs MAINTAIN
CLUSTER
Communication Hub
Iv
NODE REPLICATE
FAILURE COMPONENTS
API
SERVER
docker
CONTAINER
RUNTIME contained
t rkt
RUNS YOUR
CONTAINERS
APPLICATION RUNNING ON 1485
MODEL
MASTER 7 POD
KUBELET
2N
KUBE PROXY
DOCKER
L
IMAGE
REGISTRY
API PRIMITIVES
API Server is the only one that cmmunicates with eted
Every single component speak with API Server only not to each other
Objects like pods and services are
declaritiveginints
L
KUBECTL
convertto 050N J YAML
whenmakingRequest FILES
G IT
YAML FILE COMPOSITION
SPEC
container image
volume exposed ports
1 t 32767
32767
v v
µ SERVICE
SpoD
POD
n
J
POD
NODE 1 NODE 2
CONSISTENT IP ADDRESS
KUBE PROXY
API
SERVER
SERVICE
1 I
KUBE
KUBE
PROXY PROXY
IPTABLES BEST
IPTABLES
DEST I
POD
POD
NODE 1 NODE 2
vs
c
CLOUD on prem
ALSO
custom
2 Pre Built
Install Manually Mini habe
Configure your Mini shift
own network fabric
VS Micro K8s
Locate the release
binaries Ubuntu on D
Build you own Images Aws Azure GCP
Secure cluster comms
MASTER t WORKERS
DOCKER t G Pct KEY
KUBE
ADD REPOS
UPDATE PACKAGES
MASTER ONLY
Initialise Chester
Make directory for less
API SERVER
1 SCHED
Ill
a
NODE 1
LOAD BALANCER
9 t T
KUBELET KUBE LET KUBELET
WORKER 3
WORKER 1 WORKER 2
The controller manager and the scheduler
actively watch the cluster state and take
action when it changes
SCHEDULER CM 0 ARE WE IN
o C
i
I III CHARGE
CLUSTER
FE
Ijqg kEI
l WEIRET
f o 0 1
SCHEDULER CM
corruption HOW DO WE
DECIDE
LEADER
ELECT creates endpoint resource
OPTION L see in scheduler YAML
holderIdentity
REPLICATING ETCD
TOPOLOGY
I
stacked External
to
1 Kube Cluster
Each Control
Plane node
creates local
eted member
only communicates
API SERVER
rn
E
EID RAFT consensus Algorithm
l ETCD
l t
Requires majority
PLUGINS
Authentication Authorisation Admission validation
g
FAD
skip
calls to v
determine v create
Can this modify
request User perform
this action detete
L
HTTP CERTIFICATE
HEADER
ROLES AND Access
i
O
Role ACTION
f fiddling
7 or more
Wahoo
an
fat RESOURCE
can
be done
CLUSTERROLE CLUSTERROLEBINDING
CLUSTER LEVEL
RESOURCES
SERVICE ACCOUNT
Namespace 1 Namespace 2
POD
POD POD poD
L
SERVICE
ACCOUNT X
Only use service
SERVICE
ACCOUNT
Accontin same
namespace
RUNNING END TO END TESTS ON CLUSTER
Performance Example
and Why
Response of
Tests
Application
KubeTest
Poor Cluster Deployments can run
Performance Pods can run
Pods can be
directly accessed
Logs can be collected
Commands run from pod
Services can provide access
Kube adm
UPGRADING Kube CEL
5
CLUSTER
Operating System
upgrades
Get pods
Use Deployment Drain Node
OR replica sets Un cordon
put back to
Service
BACK UP cluster
AND state eyed
RESTORE v
Clu ER save
externally
POD AND NODE NETWORKING
PODI POD 2
ETHO ETH
t t
VETHZAA VE14808
Bridge I
10.244 l 1 24
NODE 1
NETWORK
CONTAINER NETWORK INTERFACE
10.244 1.2
10244 2.3
POD 1 ve th
I
v een c
Pop 2
tho c ethno Bridge
Bridge e
cµI
NODE I 172 31 43.91 NODE2 172 31 34 149
NETWORK
CNI is a network
Overlay
Allows building tunnel betweennodes
Sits on top of existing networks
Encapsulates Packet HEADER DATA TRAILER
APISERVER
SERVICE
10.109.185.62
10.244 i z
KUBEPROXY
f KUBEPROXY lo244 2.3
POD 1 ve th
v een c POD 2
p I e 40
I p
Bridge TABLES ethno TABLES
Bridge
1 f
NODE7 172 31 43 91 NODE2 172 31.34 149
NETWORK
Pods come and
go
How does clusterkeep track
services
Provides virtual interface Auto assigned to pods
behind interface
Redirect
J cannot split
like a
traffic
load balacer
clients talk
traffic to to LB to access
does not have
affindest application only accessible external p
internally
LOAD c 7 External IP address for every service
BALANEER
NODE7 NODEZ
INGRESS
SERVICE
NAME NAMESPACE BASE DOMAIN NAME
i I
JENKINS DEFAULT SVC CLUSTER LOCAL
POD
T'T
IP NAMESPACE BASE DOMAIN NAME
A PODS DNS SEARCH WILL INCLUDE THE PODS OWN NAMESPACE AND
THE CLUSTERS DEFAULT DOMAIN
CONFIGURING THE KUBERNETES SCHEDULER
WHY
HOWEVER
RULES ARE
PLACED BY CANCREATE V WORKERNODES
DEFAULT OWN SAMENODE HAVEDIFFERENT
TO DISKS
SAVEMONEY
1 t
Scheduler 1 Scheduler 2
t t t
Nodes I 2 3
EXAMPLE
TAINTS REPEL WORK MASTER NODE
NO SCHEDUAL
TOLERATIONS
27 ftp.Y n EfIFIEEoxyc mIsF7IunsEInF
NODES
CPUMEMORY SCHEDUALER
PODMAYNOTBE
POST
I
USINGALLREQUESTED
RESOURCE AT AGIVEN
8 STEPS
ftteffEEsurnloafks
RESOURCESREQUESTED
Time
I
BYEXISTINGPODS MOST REQUESTED LEAST REQUESTED
PRIORITY PRIORITY
r
POD LEVEL
SCHEDULER
G LEVEL
L PROBLEMS
1
EVENT LEVEL
DEPLOYING AN APPLICATION ROLLING UPDATES AND ROLLBACKS
REPLICASET REPLICASET
POD POD
POD POD
POD App
POD Appv2
DEPLOYMENT
EXIST
AVOIDING
BAD BLOCKBADVERSION
VERSIONS RELEASE
READINESS
MINREADY PROBE
SECONDS
i 1
HOWLONG A DETERMINES
NEWLY CREATED IF ASPECIFIC
PODSHOULD
PODSHOULD BE RELIEVE
READY BEFORE CLIENTREQUEST
CONSIDERED ORNOT
AVAILABLE
port80
POD configmap
configMapiappconfig
MULTIPLE
CONTAINERS
CAN USE
SAME
CREATING A SELF HEALING App
Recommended
REPLICA
Deployments
t SETS Loosing node
manage replicasets
has no impact
and no need to on App
manipulate a replicaset
y
stateful
Volume Claim
I Setsy
Pods are unique
Headless Service
t
1 uniquepods
I Poddies to
Needs own storage to certain traffic 10
as it is unique Replaced with
go to each pod
same hostname
and config
PERSISTENT VOLUMES
Pod terminated
Pods are ephemeral 1
Storage terminated
µ
PERSISTENT Storage
classes
VOLUME
Resovce in
cluster
Provisioning
1
static Dynamic
Pvc must
cluster admin request a storage class
creates and
avail for
consumption
VOLUME ACCESS MODES
By specifying your PV
an access mode with
Mount capability of
Access
node NOT pod
MODES
Volume can only be
READWRITEONCE mounted using one
t access mode at a time
off'Idgettaffydeevw
ffee
Rea NYMAN
1 ReasWRITE'MANY
Multiple node can 1
Mount volume for Multiple node or
reading
Mount for
RIN
PESISTENT VOLUME CLAIMS PVC
L
STAYS WITH
0 pv
pvc Pv
DEV
T
O
s IEEE.IE
CLUSTER
ADMIN
POD prc PV
B
RETAIN
DATA
L IN
Could alsobe VOLUME
recycle or delete
deletes
contentof delete underlying
volume storage
STORAGE OBJECTS
STILL BOUND
a
Pvc
Finalizes
POD PvcProtection
pv
Deletepod
prcatelaed gets deleted
Example
g
STORAGECLASSNAME Replica 1
Metadata Fast Image v1
Kubeserve ROLLOUT
FAST 100mi
ReadWriteOnce
VolumeMounts data
Volume volume data
Volumeclaim
Isis
PV
create
storageclass object
create Pvc object
create deployment
Rollout deployment
clean pods
create file on mane
List contents
SERVICE ACCOUNTS AND USERS
API
SERVER
4
FIRSTEVALUATES
PRIVATEKEY
SERVICE NORMAL USER 1 USER STORE
ACCOUNT FILE USERPASSLIST
I E JENKINS
f
v
ACCOUNTJENKINS
KuBECTLCREATESERVICE ASSIGN To POD IF YOUDO NOT USE
BYPUTTING IN SPECIFIC
POD MANIFEST WILLUSE DEFAULT
CREATESSERVICEAcc KUBECTLGETSA
SECRET I
WILLSHOWDEFACT BusyBoxYAML
HOLDSTHE 1 JENKINS
PUBLICCHOE NAME BUSYBOY
APISERVER u YAML for SERVICEAcc
SPEC
JWTTOKEN KUBECTLGETSAJENKINS
04AM service NAMEJENKINS
Account
t
SECRET1NAMEc
KuBECTLGET SHOWSECRET NAME
f
THIS IS WHATREQUEST WILL JENKINS SERVER
BE USEDTOAUTHWITH API ADD KSS CLI PWGIN
SERVER t TOKEN
NOWCAN CONTROL
CREATE CLUSTER
0 ACCESSCLUSTERREMOTELY ROLEBINDING PODS
USER MASTER
ADNAN
t
CERT
SETIREDEN
irn lstt.is IEnnnEoIaEn'anEIpSEE.IEaYIoYo
ES
KuBECTcconfectSETcwstekkuber.NET SET CUSTER
server Herrc i i i i certificatecent
KuBECTL CONFIGSET CREDENTIALS 2 SET USER
AUTHENTICATION AUTHORISATION
1
Firststepinrecieving what can RBACRULES
they do
request who ffodm.at
t
4 RESOURCES OR
2 Groups
ROLES
i l
Whatcan be ROLE BINDINGS
performedonwhich
CLUSTERROLES 1
CLUSTERROLEBINDINGS
resource r
Whocando it
NAMESPACE 1 NAMESPACE
2 NAMESPACE 3
CUSTER KUBERNETES
auster
BELYEA ROLE L CLUSTER
port3128
port4269
How
NETWORK CANAL CREATENETWORK CREATE
PLUGIN PLUGIN POLICY DEPLOYMENT
U
DENY ALLNET 1
EXPOSE
kind NetworkPolicy DEPLOYMENT
NameDenyALL
Blank i Akinherit Selector
pod f
policyType Ingress
Try ACCESS TIMEOYT
CREATENETWORK LABEL
POLICY PODS
f
podselector Allow comms
matchLabels between pods
appdb and specified
ingress
port
matchLabels
L
app web
port
port 4269
CREATING TLS CERTIFICATES
API
POD SERVER
war
µ POD
Aws
CONTAINER 0
RUNTIME D AZURE
POD
E
GOOGLE
POD
How
eats
KUBERNETES
CREATE DOCKERREGISTRY
TEENIE MODIFY
SECRET TYPE SERVICE POD
docker server AcuasT to
docker username
docker password
1
Kubectlpatch
PRIVATEREGISTRY
IMAGE
DEFINING SECURITY CONTEXT
kind pod
image alpine Run pod as
securitycontext 405
MASUser 405
CONTAINER LEVEL
rem
IEjE
searing.ge
SECURING PERSISTENT KEY VALUE STORE
DATA MUST
LIVE BEYOND SECRETS KEY VALUE PAIR
LIFE OF POD 1
PASS AS ENV VAR NOT BEST
0K PRACTICE
EXPOSE AS FILES 1
IN VOLUME MAY BE
OUTPUTTO
GFILES
POD
CONTAINER
FILESYSTEM
variantsecrets
lkobernetes.io
eserviceaccontsl DEFAULT defaulttokenSecret
SECRET g ca crt
namespace
token
HTTPS 10WEBSITE
GENERATE
CERTIFICATE
FELT SECRET MOUNT IN POD
FILE 4 POD
COMBINED IN MEMORY FILE
FILES SYSTEM
1
SECRET SECRET NOT
WRITTEN To
DISK
MONITORING THE CLUSTER COMPONENTS
NODE METRICS
N POD CPU cores oeil
CONTAINER 0 MEMORY
RUNTIME D
E POD PODMETRICS
Cpu MEMORY
READINESS
CONTAINER CONTAINER
PROBE LWENESS
PROBE
N
POD pop
AREYouALIVE
AREYOU READY similar To
FORREQUESTS LIVENESS PROBE
1 HTTPGET 2 3 TYPES
I EXEC
IF FAILS IT IS
REMOVED
NORMAL
v v
FAILED
TCPSOCKET
1
f
CHECKS
RESPONSE OPENTCP
4 t CONNECTION EXIT
RESTART CODE
START To PORT
NORMALCY CONTAINER
MANAGING CLUSTER COMPONENT LOGS
V
LOG DIRECTORY IVARILOGICONTAINERS
T
ACCUMULATES LOGS
POD POD
LOGGING AGENT
APP CONTAINER
1 1 LOGGING AGENT
LOG LOG
CONTAINER CONTAINER
I 2 LOG FILE C
LOG
PODIYAML
Discovery
Erry AppCommErr
APPLICATION
ImagePullErr CrashLoopBackorfErr
FAILURES
t FailedMountErr
RbacErr
L
f
Pending
I ROUBLESHOOT FAILURES
Kubernetes c
CONTOL API server down
software
fault PLANE
Loose storage attached to
controlplane
Kobelet serfice
crash v
Independent eted
could crash
View theevents from controlplanecomponents check status of Kobelet service
View logs for control planepods Disable swap
9g f
WORKER
y
generate new token
view status
TROUBLESHOOTING
Getdeceived into
I pingnode
IPaddress of Shinto node
node
Accesspods
directly Lookupservice viaDNS
q y
check
iptable
rules NETWORK DNSresolveconf
file
Endpointsof
tkubernetes
service
CNIPlugin service
THANKYOU FOR READING
ADNAN
pas A