Kubernetes Fundamentals - FrOSCon

Kubernetes fundamentals Roadmap from KubeCon 2019 End

Kubernetes Fundamentals

Oleg Fiksel |Michael Siebertz

Email: [email protected] | [email protected]: @oleg:fiksel.info | @captain.vsan:matrix.org

2019-08-10 FrOSCon

mailto:[email protected]



KUBERNETES HISTORY

I Borg 2003I Omega 2013I Kubernetes 2014

I Greek for “pilot” or “Helmsman of a ship”I Cloud Native Computing Foundation Project


KUBERNETES HISTORY

I Borg 2003

I Omega 2013I Kubernetes 2014



KUBERNETES HISTORY

I Borg 2003I Omega 2013

I Kubernetes 2014



KUBERNETES HISTORY




KUBERNETES HISTORY


I Greek for “pilot” or “Helmsman of a ship”

I Cloud Native Computing Foundation Project


KUBERNETES HISTORY




GOALS OF KUBERNETES

Provides tools necessary to buildand deploy reliable, scalable

distributed applications usingcontainers.


GALILEO MYSTERY


PODS

I pods are the smallest deployable unitsI group of one or more containersI shared storage/networkI use labels to group pods + servicesI always co-located and co-scheduled


PODS

I pods are the smallest deployable units

I group of one or more containersI shared storage/networkI use labels to group pods + servicesI always co-located and co-scheduled


PODS

I pods are the smallest deployable unitsI group of one or more containers

I shared storage/networkI use labels to group pods + servicesI always co-located and co-scheduled


PODS

I pods are the smallest deployable unitsI group of one or more containersI shared storage/network

I use labels to group pods + servicesI always co-located and co-scheduled


PODS

I pods are the smallest deployable unitsI group of one or more containersI shared storage/networkI use labels to group pods + services

I always co-located and co-scheduled


PODS

I pods are the smallest deployable unitsI group of one or more containersI shared storage/networkI use labels to group pods + servicesI always co-located and co-scheduled


POD LIFECYCLE

I Pod Status: Pending / RunningI RestartPolicy: Always / OnFailure / NeverI Failed States: CrashLoopBackoff / Failed / Unknown


POD LIFECYCLE

I Pod Status: Pending / Running

I RestartPolicy: Always / OnFailure / NeverI Failed States: CrashLoopBackoff / Failed / Unknown


POD LIFECYCLE

I Pod Status: Pending / RunningI RestartPolicy: Always / OnFailure / Never

I Failed States: CrashLoopBackoff / Failed / Unknown


POD LIFECYCLE

I Pod Status: Pending / RunningI RestartPolicy: Always / OnFailure / NeverI Failed States: CrashLoopBackoff / Failed / Unknown


CONFIGMAPS

I configuration, commandline arguments, environmentvariables, portnumbers etc.

I decoupling configuration artifacts from image contentI unencrypted = suitable for non confident contents


CONFIGMAPS


I decoupling configuration artifacts from image content

I unencrypted = suitable for non confident contents


CONFIGMAPS


I decoupling configuration artifacts from image contentI unencrypted = suitable for non confident contents


SECRETS

I base64 encodedI can be mounted as volume mount / exposed as

environment variablesI bound to namespaceI limit: 1 MB per secret


SECRETS

I base64 encoded

I can be mounted as volume mount / exposed asenvironment variables

I bound to namespaceI limit: 1 MB per secret


SECRETS


environment variables

I bound to namespaceI limit: 1 MB per secret


SECRETS


environment variablesI bound to namespace

I limit: 1 MB per secret


SECRETS


environment variablesI bound to namespaceI limit: 1 MB per secret


PV / PVC

I local scratch directories created on demandI cloud block storage

I GCE Persistent DiskI AWS Elastic Block Storage

I cluster storageI File: NFS, Gluster, CephI Block: iSCSI, Cinder, Ceph

I special volumesI Git repositoryI Secret


DAEMONSET / REPLICASET / DEPLOYMENT

I daemonset

I run pod on every node beside exclusions

I replicaset

I guarantee the availability of a specified number ofidentical pods

I deployment

I declarative updates for pods and replicasets



I daemonsetI run pod on every node beside exclusions

I replicaset

I guarantee the availability of a specified number ofidentical pods

I deployment





I replicasetI guarantee the availability of a specified number of

identical pods

I deployment





I replicasetI guarantee the availability of a specified number of

identical pods

I deploymentI declarative updates for pods and replicasets


LABELS AND SELECTORS


SERVICES

I provide static dns name inside cluster for a set of pods-> including Loadbalancing

I usually determined by a selectorI manual creation possible with: service / endpoint

definition


SERVICES


I usually determined by a selector

I manual creation possible with: service / endpointdefinition


SERVICES


I usually determined by a selectorI manual creation possible with: service / endpoint

definition


NODEPORT


INGRESS

I external access to the services in a clusterI load balancing / SSL termination / name-based virtual

hostingI most common: HAProxy / Træfik / Istio / Nginx


INGRESSI external access to the services in a cluster

I load balancing / SSL termination / name-based virtualhosting

I most common: HAProxy / Træfik / Istio / Nginx


INGRESSI external access to the services in a clusterI load balancing / SSL termination / name-based virtual

hosting

I most common: HAProxy / Træfik / Istio / Nginx


INGRESSI external access to the services in a clusterI load balancing / SSL termination / name-based virtual

hostingI most common: HAProxy / Træfik / Istio / Nginx


NAMESPACES

I multiple virtual clusters backed by the same physicalcluster

I resources need to be unique within a namespace, but notacross namespaces

(a) dev (b) qs (c) prod


KUBERNETES RBAC

I Role based access control

Subjects API Ressources OperationsDeveloper

Admin CustomPod ConfigMapsService PV PVC

DeploymentJob Ingress

Nodes CronjobSecrets Service

Autoscaler

list get watch cre-ate delete patch


CLUSTER


GITLAB ARCHITECTURE


SELFHOSTED VS MANAGED

SelfHostedMinikube

KopsKubeadmKubesprayTerraform

Fix stuff by yourself

ManagedAWS

AzureDigitalOcean

GKEIBM

Hope for the best


PERSONAL MONITORING SETUPI Selfhosted vs Managed

I Blackbox

I Icinga2I Federated Prometheus

I Whitebox

I Kubernetes ServiceMonitorI JaegerI PrometheusI Prometheus Node ExporterI Icinga2I Graylog


PERSONAL MONITORING SETUPI Selfhosted vs ManagedI Blackbox


I Whitebox




I Icinga2

I Federated PrometheusI Whitebox





I Whitebox





I WhiteboxI Kubernetes ServiceMonitor

I JaegerI PrometheusI Prometheus Node ExporterI Icinga2I Graylog




I WhiteboxI Kubernetes ServiceMonitorI Jaeger

I PrometheusI Prometheus Node ExporterI Icinga2I Graylog




I WhiteboxI Kubernetes ServiceMonitorI JaegerI Prometheus

I Prometheus Node ExporterI Icinga2I Graylog




I WhiteboxI Kubernetes ServiceMonitorI JaegerI PrometheusI Prometheus Node Exporter

I Icinga2I Graylog




I WhiteboxI Kubernetes ServiceMonitorI JaegerI PrometheusI Prometheus Node ExporterI Icinga2

I Graylog




I WhiteboxI Kubernetes ServiceMonitorI JaegerI PrometheusI Prometheus Node ExporterI Icinga2I Graylog


ROADMAP FROM KUBECON 2019

I Kubernetes in Embeded (K3s)I CRD (K8s as a Framework)

I Kubernetes OperatorsI Cluster Lifecycle Management

(K8s manages K8s clusters as Pods)

I Security is a topic nowI Service mesh hype

I istio, Linkerd, Træfik EE, Aspen Mesh, NSX Service Mesh...



I Kubernetes in Embeded (K3s)

I CRD (K8s as a Framework)








I Kubernetes Operators

I Cluster Lifecycle Management(K8s manages K8s clusters as Pods)








I Security is a topic now

I Service mesh hype



Thanks!

Oleg Fiksel |Michael SiebertzEmail: [email protected] | [email protected]

Matrix: @oleg:fiksel.info | @captain.vsan:matrix.org




LINKS

I K3s (lightweight K8s)

https://k3s.io

Kubernetes Fundamentals - FrOSCon

Documents

Transcript of Kubernetes Fundamentals - FrOSCon