kubernetes-notes

kubernetes-notes-intro.md

K8s

Cloud native tech empower orgs to build and run scalalble apps in modern, dynamic envs (clouds). Containers, service meshes, microservices, immutable infra and declarative APIs exemplify this approach.

App Deployment

Set up and explore minikube cluster

minikube start

• minikube allows for provisioning of new cluster. kubectl allows management of Existing cluster.

• kubectl cluster-info

  • Shows IP address of K8s control plane.

• kubectl get nodes

• shows existing nodes, role of control plane, and K8s version

• kubectl get namespaces:

• namespaces are a way to isolate apps/services.

• Services act as load balancers within the cluster AND direct traffic to pods.

Create a namespace

Creating different namespaces from prod, and dev. Keeps data segregated kubectl apply -f namespace.yaml Contents of namespace.yaml

---
apiVersion: v1
kind: Namespace
metadata:
  name: development
---
apiVersion: v1
kind: Namespace
metadata:
  name: production

This would create two new namespaces, one called development and one called production.

To delete namespace

kubectl delete -f namespace.yaml

• Deleting a namespace will delete all pods in the namespace.

Delete all pods within namespace

You can simply run kubectl delete -f deployment.yaml deployment.yaml would be the file that ran the initial deployment

Delete a single pod within namespace

kubectl delete pod <pod-name> -n namespace

Deploy an App

List all deployments for a namespace

kubectl get deployments -n development			# -A on any kubectl command will give you all, regardless of namespace

View pods that were created as a result of the deployment

kubectl get pods -n development

Check the health of a pod BY looking at the event log

Kubernetes saves the event logs when a pod is created. We can view these event logs to troubleshoot what went wrong

kubectl describe pod <pod-name> -n <namespace>

kubectl get pods -n development		# get name of pods

kubectl describe pod pod-info-deployment-7548c83c89f-nshz  -n development

• Most issues with pods, occur in first minute of the lifecycle
  • Out of resources, typo,
  • Container image not available

Check app is working with BusyBox

• Busybox is a binary that has many unix tools like awk, date, whoami, wget

• Good for tshooting linux env.

• Make a HTTP GET request to the application from BusyBox,

  • To do this, we need to get the IP of the pods the app is running in

kubectl get pods -n development -o wide

-o wide gives us the IP, Node the pod is on, nominated Node, and Readiness Gates. We need now exec into the busybox pod, Very similar to docker

kubectl exec -it <pod name in this case busybox name> -- /bin/sh

This gets us inside the pod(container) and with a shell Inside the pod we can now run

wget <pod ip>

NOW if you see an error that it cant connect on default port 80, check the deployment. its likely its set to another port

wget 172.17.0.7:3000

View application logs

kubectl logs <pod-name> -n development

Complex App Deployment

Expose app to internet with LoadBalancer

Kubernetes service is a load balancer that directs traffic from internet to K8 cluster. LB has a public, and private ip.

---
apiVersion: v1
kind: Service
metadata:
  name: demo-service
  namespace: development
spec:
  selector:
    app: pod-info
  ports:
    - port: 80
      targetPort: 3000
  type: LoadBalancer

• Note the kind is a Service
• port 80 is the ingress port, IE the port the internet communicates on, target port is where the LB forwards the traffic.
• There are three types of Load Balancer, LoadBaalancer, ClusterIP, and NodePort.

1. minikube tunnel
2. kubectl apply -f services.yaml
3. kubectl get services -n development
   • This will gives us name, type, cluster-ip, external-ip, Port info.

Accomplishment: You have used a K8 Load Balancer service to expose app to the Internet.

Add resource requests and limits to your pod (Best practice)

• Set memory/cpu limits on pods.
• requestsensure to start pod on a node with adequate resources
• If you have memory hungry pod/memory leak, it can take too much node resources to run the pod if you DONT use limits

requests are minimum, limits are maximums

ie

resources:
  requests:
    memory: "64Mi"
	cpu: "250m"
  limits:
    memory: "128Mi"
	cpu: 500m

Delete your K8s objects and tear down your cluster

minikube delete

Kubernetes Architecture

K8s control plane

Each instance of K8 has a control plane and atleast one Worker node.

• Control plane manages pods lifecycle.

Control Plane components

1. Kube API Server (most important)
   • All K8 objects have API endpoints.
   • K8s API has a REST interface
   • kubectl and kubeadm are CLI tools to communicate with K8s API via HTTP requests Kube API server is an app run as a pod
2. etcd
   • HA k/v store
   • Tracks state of teh cluster.
   • Only the Kube API server can communicate directly with etcd
3. Kube Scheduler
   • Identifies new pods that have NOT been assigned to a worker node.
   • Then chooses a node for the pod to run on.
4. Kube-controller-manager
   • Loop that runs continually, and checks the status of the cluster
   • Checks if all worker nodes are running,
   • Can replace a broken node, and replace it with a new worker node.
   • controller manager creates and checks many other things in the cluster
5. cloud-controller-manager
   • Allows connection to the cluster to a cloud provider's API, allowing the consumption of cloud resources

K8s worker nodes

3 components to each node

1. Kubelet
   • Agent that runs on each worker node.
   • Ensures containers in a pod are running and healthy
   • Communicates directly with the api-server in the control plane.
   • 'Receives' the pod that was handed off by the Kube Scheduler from the control plane
2. Container Runtime
   • After Kubelet is assigned a pod, the Container runtime starts the container with Container Runtime Interface(CRI)
   • CRI enables the Kubelet to create containers with teh following Container Engines
     • Containerd
     • CRI-O
     • Kata Containers
     • AWS Firecracker
3. Kube-proxy
   • Make sure pods and servics can communicate
   • Each Kube-proxy communicate directly with the Kube-apiserver

How the control plane and nodes worth together

Advanced Topics

Ways to manage K8s pods

K8s deployment is the most common way to manage group of pods

• No-downtime upgrades

DaemonSet

• One pod per node
  • Cant control number of replicas
• DaemonSets run containers that are agents/daemons running in the background.

Job

• Creates 1 or more pods, runs the pod until it successfully completes a task.
• Jobs is good for ad hoc, batch processing and then delete the pods.
• 1 and done tasks are good for K* Job

Running stateful workloads

A db running outside the Kubernetes cluster

• Think cloud storage like azure sql, or even postgres

####Kubernetes Persistent Volumes.

• Kubernetes stateful set allows an application to communicate with the same volume as a previously deleted pod did.

K8s security best practices

Hackers want to do 1 of 3 things.

1. Steal data from the cluster.
2. Steal compute (crypto mining).
3. DDoS Attack.

Best practices

1. Add securityContext info to your pod

securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: true

• runAsNonRoot: Run as regular user.
• allowPrivilegeEsclation: prevents sudo commands if an attacker gains access to a pod.
• dropping all capabilities hamstrings the pods and disallows the hacker to see permissions on pod.

2. Make sure container's file system is read only readOnlyRootFilesystem: true

3. Scan your Kubernetes file with a tool like snyk. Snyk will analyze your file and make sure you don't have glaring holes in the security.