SlideShare ist ein Scribd-Unternehmen logo

CKA Certified Kubernetes Administrator Notes

Adnan Rashid
Adnan Rashid

Unique course notes for the Certified Kubernetes Administrator (CKA) for each section of the exam. Designed to be engaging and used as a reference in the future for kubernetes concepts.

Technologie
1 von 58
Downloaden Sie, um offline zu lesen
These notes follow LinuxAcademy structure which can be found here: https:// linuxacademy.com/course/cloud-native-certified-kubernetes-administrator-cka/. I would recommend viewing the course to gain full and detailed explanations. I have created these notes as part of my personal learning and hope to be able to help and inspire others. As i am also learning, there may well be mistakes, please do reach out and let me know, so i can correct them. Follow me on instagram: https://www.instagram.com/adnans_techie_studies/ All my notes are hosted here: https://adnan.study Connect with me on LinkedIn: https://www.linkedin.com/in/adnanrashid1/ Overview
ETCD SCHEDULER DATAASSIGNPODPOD TO NODE NODE NODE NODE p CLUSTER CONFIG MASTER CONTROLLER y MANAGER 0 API t SERVER iE9iE9 MeffNsIAEtN COMMUNICATION HUB v NODE REPLICATE FAILURE COMPONENTS Cluster Architecture
API SERVER g r KUBELET KUBE PROXY r 7 API SERVER WORKER NODE NODES KP KP KP KP v CONTAINER DOCKER RUNTIME SCONTAINERD e RUNSYOUR CONTAINERS Network rules on nodes Manages containers on the node Network Proxy that runs on each node
MODEL MASTER POD KUBELET KUBE Proxy 2 N DOCKER IMAGE REGISTRY KUBECTL YAML FILES G IT Application running on Kubernetes API Primitives Convert to JSON when making request API server is the only one that communicates with Etcd Every component communicates with the API server only and not directly with one another. Objects like pods and services are declarative intents.
API VERSION KIND METADATA s L v SPEC STATUS s YAML File Composition Clear consistent view of resources The kind of object you want to create Pod• Deployment• Job• NamespaceName String UID Uniquely identify the object Container image volume exposed ports State of the object —> match desired states
u r 32767 32767 v v SERVICE s POD POD u POD NODE 1 NODE 2 CONSISTENT IP ADDRESS Services and Network Primitives Services allow you to dynamically access a group of replica pods
API SERVER SERVICE s KUBE KUBE PROXY PROXY IPTABLES DESTINATION IPTABLES DESTINATION POD POD NODE 1 NODE 2 Kube-Proxy Kube-Proxy handles the traffic associated with a service by creating IP table rules
PICKING THE RIGHT SOLUTION OR CLOUD ON PREM CUSTOM PRE BUILT OR Release Binaries, Provisioning and Types of Clusters Minikube• Minishift• Micro K8S• Ubuntu on LXD• AWS, Azure and GCP• Install manually• Configure your own network fabric• Locate the release binaries• Build your own Images• Secure cluster comms•
MASTER WORKERS DOCKER t s GPGKEY KUBERNETES ADDREPOS 2 UPDATEPACKAGES 3 INSTALL DOCKER KUBELET KUBEADM KUBECTL 4 MODIFY BRIDGE ADAPTERSETTINGS MASTER ONLY I INITIALISE CLUSTER 2 MAKEDIRECTORY FORK8S 3 COPY KUBE CONFIG 4 CHANGE OWERSHIP OF CONFIG 5 APPLY FLANNEL CNI Installing kubernetes master and nodes
MASTER 3 MASTER 2 MASTER I APISERVER t EDI Eh'InhIE ER or ACTIVE NODE 1 LOAD BALANCER n r KUBELET KUBELET KUBELET WORKER 1 WORKER2 WORKER3 All components can be replicated, but only certain ones can operate simultaneously Building highly available cluster
SCHEDULER CM o 0 ARE WE IN tEEEE II CHARGE IiiI CLUSTER igg theft o NOTTEIRET E o j SCHEDULER CM LEADINGTO DUPLICATERESOURCES OR CORRUPTION HOW DO WE DECIDE LEADER ELECT CREATESENDPOINT RESOURCE OPTION SEE IN SCHEDULER YAML HOLDERIDENTITY The controller manager and the scheduler actively watch the cluster state and take action when it changes
TOPOLOGY L J STACKED EXTERNAL TO KUBERNETES CLUSTER EACH CONTROL PLANE NODE CREATES LOCAL ETCDMEMBER ONLYCOMMUNICATES WITH API SERVER nv v ETCD ETCD RAFT CONSENSUS ALGORITHMin ETCD REQUIRES MAJORITY THEREMUST BE MORETHANHALF APISERVER TAKINGPLACE IN THE STATE CHANGEANDTHEREFORE THERE MUST BE ODDNUMBEROF NODES Replicating etcd
ALLCOMMUNICATION VIA HTTPS CLUSTERKUBERNETES KUBECTL a TRANSLATES API STATE r PROVIDES CRUD u v s CREATE READ UPDATE DELETE RETURN RESPONSE KUBECTL API STATE CREATE POD HTTPPOST SERVER STORED IN ETCD L i i 1 MULTIPLE AUTHENTICATION AUTHORISATION ADMISSION VALIDATION PLUGINS 7 7 7 READ SKIP CALLS TO CREATEDETERMINE CANTHIS USER REQUEST PERFORMTHIS MODIFY ACTION DELETE 1 1 HTTP HEADER CERTIFICATE Configuring Secure Cluster Communications
O ACTION f s ROLE ROLE BINDING 1012MORE v WHOIAN RESOURCE DO IT WHATCAN BEDONE ROLE ROLE BINDING NAMESPACE RESOURCE CLUSTERROLE CLUSTERROLEBINDING CLUSTER LEVEL RESOURCES RBAC is used to prevent unauthorised users from modifying the cluster state Building Highly Available Cluster
IDENTITY OF APP POD c SERVICE ACCOUNT RUNNING INPOD API r n KYLE.io YEr8FEeREEYouNTT0KENFILEATEfYIeff T'ON NAMESPACE 1 NAMESPACE 2 POD POD POD POD L SERVICE SERVICE ACCOUNT ACCOUNT ONLYUSESERVICE ACCOUNTIN SAME NAMESPACE Service Account
PERFORMANCE EXAMPLEAND WHY RESPONSE OF TESTS APPLICATION KUBETEST POORCLUSTER PERFORMANCE Running end to end tests on cluster Deployments can run• Pods can run• Pods can be directly accessed• Logs can be collected• Commands run from pods• Services can provide access• Nodes are healthy• Pods are healthy•
UPGRADING KUBEADM CLUSTER KUBECTL OPERATING SYSTEM UPGRADES j USE DEPLOYMENTS GETPODS ORREPLICA SETS DRAIN NODE UNCORDON PUTBACK TO SERVICE BACKUP CLUSTERAND s ETCD RESTORE STATE CLUSTER v SAVE EXTERNALLY Managing Cluster
NETWORKING WITHIN A NODE 10244 1.2 10 244 1.3 POD 1 POD 2 ETHO ETH v v VETHZAA VETH808 BRIDGE a 10.244 l 1 24 NODE 1 NETWORKING OUTSIDE OF THE NODE 10.244 t Z 102442.3 PODI VETH VETH C POD2 BRIDGE ETHO ETHO a BRIDGE NODEI 172 31.43 91 NODEZ 172.31 34.144 NETWORK Pod and Node Networking
10.244 t Z 102442.3 PODI VETH VETH a POD2 BRIDGE ETHO CNI ETHOL BRIDGE NODEI 172 31.43 91 NODEZ 172.31 34.144 NETWORK CNI IS A NETWORKOVERLAY ALLOWS BUILDING TUNNEL BETWEEN NODES SITS ONTOP OF EXISTING NETWORKS ENCAPSULATES PACKETS HEADER DATA TRAILER or a CHANGES SOURCEIDEST ADD TOWDOES CNI DO THIS THERE ISAMAPPING ASSOCIATED IN USERSPACE PROGRAM ALL PODIP ADDRESS'S TONODE IP WHEN REACH OTHER NODE DE ENCAPSULATE EXAMPLE CNI PACKET ANDGIVE TO BRIDGE As v APPEARSLOCAL 10 NODE MiCALICO FLANNEL Container Network Interface
API SERVER SERVICE 10.104185.62 10244.12 102442.3 KUBEPROXY KUBEPROXY PODI VETH a r VETHE POD2 Ip 1 Ip BRIDGE TABLES ETHO ETHO TABLES BRIDGE MODEL 17231.43 91 NODEZ 172 3134.149 NETWORK PODSCOMEANDGO HOWDOES THECLUSTERKEEP TRACK SERVICES PROVIDESVIRTUALINTERFACE AUTOASSIGNED TO PODSBEHIND EXAMPLE INTERFACE CLUSTERIP SERVICE AUTOCREATED ON CLUSTERCREATION TAKESCAREOF INTERNALROUTING NOMATTERWHEREMOVES OTHER PODS KNOW HOWTO COMMUNICATE TO IT Service Networking
SERVICE TALKS 101 NODE LOAD BALANCER AT A TIME CANNOTSPLIT TRAFFICLIKE A LOADBALANCER REDIRECTTRAFFIC CLIENTS TALK TOALLNODESAND TO LB TO ACCESS PORTS APPLICATION ONLYACCESSIBLE DOESNOTHAVE INTERNALLY EXTERNALIP LOAD 7 EXTERNAL IPADDRESS BALANCER FOREVERYSERVICE MODEL NODEZ i PODI 31732 31732 POD2 r Iv v SERVICE APP EXAMPLE.COM APP1 SERVICE POD POD INGRESS APP EXAMPLE.COM APP2 SERVICE pop pop WEB EXAMPLE COM SERVICE polo POD ACCESS MULTIPLESERVICESWITHSINGLE IPADDRESS Ingress Rules and Load Balancers Ingress
EVERY SERVICE DEFINED IN THE CLUSTER IS ASSIGNEDA DNSNAME SERVICE NAMESPACE BASEDOMAINNAMENAME JENKINS DEFAULT SVC CLUSTER LOCAL 50 lo O I DEFAULT POD CLUSTER LOCAL PODIP NAMESPACE BASEDOMAIN NAME A PODS DNS SEARCH WILL INCLUDE THE PODS OWN NAMESPACE AND THE CLUSTERS DEFAULT DOMAIN Cluster DNS
I 9 WHY RULES ARE HOWEVER PLACEDBY CAN CREATE r DEFAULT OWN WORKERNODES SAMENODE HAVEDIFFERENTODISKS SAVECOSTS SCHEDULER I DOESTHENODEHAVEADEQUATEHARDWARE RESOURCES 2 ISTHENODERUNNINGOUTOF RESOURCES 3 DOESTHEPODREQUEST A SPECIFICNODE 4 DOESTHENODE HAVE A MATCHINGLABEL s IFPOD REQUEST A PORTIS IT AVAILABLE 6 IF PODREQUESTS AVOLUMECAN IT BE MOUNTED 7 DOESTHEPODTOLERATETHETAINTSOFTHE NODE 8 DOESTHEPODSPECIFY NODORPOD AFFINITY Configuring the Kubernetes Scheduler Scheduler responsible for assigning pod to node based on resource requirements of the pod
POD POD POD POD SCHEDULER1 SCHEDULER2 r NODES I 2 3 EXAMPLE TAINTS REPELWORK MASTERNODE NOSCHEDUAL TOLERATIONS ALLOWYOUTO EXAMPLE DAEMONSETPOD TOLERATE A KUBEPROXY MUSTRUNON ALL TAINT NODES CPU MEMORY PODMAY NOTBE SCHEDULER USINGALLREQUESTED RESOURCEAT AGIVEN POST 8STEPS TIME L s SCHEDULERLOOKS MOSTREQUESTED LEASTREQUESTED ATTHESUMOF PRIORITY PRIORITY RESOURCESREQUESTED r BYEXISTINGPODS CLOUDENVIRONMENTS WHY YOUAREPAYINGFOR ALLRESOURCES It is possible to have 2 schedulers working alongside each other. Running multiple schedulers for multiple Pods Scheduling pods with limits and label selectors
POD POD POD POD NODEI NODEZ NODE3 POD DAEMONSETPOD IF YOUTRY DELETE A DAEMONSET POD REPLICASETPOD POD IT WILLSIMPLY RECREATE IT SCHEDULER POD LEVEL LOGLEVEL PROBLEMS EVEN LEVEL DaemonSets ensure that a single replica of a pod is running on each node at all times Display Scheduler Events DaemonSets
HIGHLEVEL RESOURCE FOR DEPLOYMENTS DEPLOYINGAND UPDATING APPS REPLICASET REPLICASET POD POD POD POD POD AppV1 POD Appv2 DEPLOYMENT KUBECTLAPPLY MODIFY OBJECTS TO EXISTING YAML AND IF DEPLOYMENT NOT CREATED ALSO CREATE KUBECTLREPLACE REPLACES OLD WITHNEW ANDOBJECT MUST EXIST ROLLING UPDATE PREFERREDWAY SERVICENOTINTERRUPTED FASTESTWAY KUBECTL ROLLOUT ROLLBACKPREVIOUS VERSION Deploying an Application, Rolling Updates and Rollbacks
AVOIDING BAD BLOCKBADVERSION DECISIONS RELEASE MIN READY READINESSSECONDS PROBE HOWLINGA AND DETERMINES IFNEWLYCREATED ASPECIFICPODPODSHOULD BE READY BEFORE SHOULDRELIEVE CLIENTREQUESTCONSIDERED ORNOT AVAILABLE PODNOT DEPLOYMENTv1 MINREADY READINESS pop errors aRELEASED SECONDS PROBE ATSSECONDS v ROLLBACK MUSTRETURNSUCCESS VERSION 10 I CHECKEVERY PORT80 SECOND CONTAINER CONFIGMAP APPCONFIG PASSINGCONFIGURATION OPTIONS TOAPP a CONFIGMAP KEYA OLI IETCCONFIG VOLUMECONFIG v KEYB VOLZENVIRONMENTVARIABLES IETCCERTS n S SECRET STOREINCONFIGMAP VOLUMECERTS SECRETAPPSECRET CREATESECRETANDPASSTO EV POD CERT VOL 9 KEY VOL MULTIPLECONTAINERS JUSTUPDATE CANUSESAME NONEEDTO REBUILDIMAGE Configuring an App for HA and Scale
RECOMMENDED REPLICADEPLOYMENTS LOSING NODE SETS HASNO IMPACT MANAGES REPLICASETS ON APP PODS AREUNIQUE 9 POD DIES REPLACEDWITH SAMEHOSTNAME AND CONFIG STATEFULSETS HEADLESS SERVICE UNIQUEPODS VOLUME CLAIM r CERTAIN TRAFFIC TO GO TO EACH POD NEEDSOWNSTORAGE ASIT IS UNIQUE ReplicaSets ensure that identically configured pods are running at the desired replica count Creating a self-healing app
PODS ARE EPHEMERAL POD TERMINATED STORAGETERMINATED STORAGE MUST BE INDEPENDENT IF PODMOVES STORAGEFOLLOWS STORAGECLASSES PERSISTENT VOLUME PROVISIONING S RESOURCE IN CLUSTER STATIC DYNAMIC PVCMUST REQUEST CLUSTERADMIN A STORAGECLASS CREATES AND AVAILABLE FOR CONSUMPTION Persistent Volumes
VOLUME CAN ONLY BE MOUNTED USING ONE ACCESS MODE AT A TIME MOUNT CAPABILITY OF NODE NOT POD ACCESS MODES READWRITEONCE READWRITEMANY ONLY INODECAN MULTIPLE NODE MOUNT THEVOLUME CAN MOUNT FOR FORREADANDWRITE READ I WRITE READOFLYMANY MULTIPLE NODE CAN MOUNT VOLUME FOR READING Volume Access Modes By specifying an access mode with your PV, you allow the volume to be mounted to one or many nodes, as well as read by one or many
O pv STAYS WITH at PVC pv DEV a 0 ACTUAL STORAGE CLUSTER ADMIN POD PVC PV VOLUMES 1Gt RECLAIMPOLICY MOUNTPATH RWO RETAIN U BOUND RETAIN DATA IN VOLUME COULDALSOBE RECYCLEORDELETE DELETECONTENTS OF VOLUME DELETEUNDERLYING STORAGE Persistent Volume Claims (PVC) PVC allows the application developer to request storage for the application, without having to know underlying infrastructure.
STORAGE OBJECT PVCCANNOT BE IN USEPROTECTION REMOVEDPREMATURELY STILLBOUND inPVC s POD FINALIZERS PV y PVCPROTECTION 3 DELETEPOD n v I 1 GETS DELETED PVCDELETED PROVISIONER PARAMETERRECLAIMPOLICY STORAGE CLASS AWSEBS GPI RETAIN Storage Objects Volumes that are already in use by a pod are protected against data loss. This means even if you delete a PVC, you can still access the volume from the pod.
EXAMPLE STORAGECLASS PVC DEPLOYMENT METADATA STORAGECLASSNAME REPLICA 1 ROLLOUT FAST FAST IMAGE KUBESERVEv1 100Mt VOLUMEMOUNT lDATA READWRITEONCE VOLUME VOLUMEDATA PERSISTENTVOLUMECLAIM PV Applications with Persistent Storage Create storage class object1. Create PVC object2. Create deployment3. Rollout deployment4. Check pods5. Create file on mount6. List contents7.
API SERVER FIRSTEVALUATES v PRIVATE KEY SERVICE NORMALUSER USERSTORE IE JENKINS ACCOUNT FILE USERIPASS LIST v KUBECTLCREATESERVICEACCOUNTJENKINS ASSIGN10POD IF YOUDONOTUSESPECIFIC BYPUTTINGIN IT WILL USE DEFAULT PODMANIFEST L CREAAIESOUSNERYKE KUBECTLGETSA VBUSYBOXYAML v NAME BUSYBOX SECRET WILLSHOWDEFAULT 1JENKINS SPECv SERVICEACCOUNTNAME JENKINS HOLDSTHE ryAMLFORSERVICEACCOUNTPUBLIC A OF a APISERVERT KUBECTLGETSAJENKINS DYAML JWTTOKEN v JENKINSSERVER ADDSK8SCHPLUGINKUB.EC LGETSECRETtNAMLs SHOWSECRET NAME TOKEN NOWCAN THIS IS WHAT REQUEST CONTROLPODS WILL BE USED TO AUTH WITH API SERVER Service accounts and users
USER 0 ACCESSCLUSTERREMOTELY CREATECLUSTERROLEBINDING MASTER ADNAN SETCREDENTIALS KUBECTLCONFIG u SET CREDENTIALS CERT USERNAME ADNAN PASSWORD PASSWORD KUBECTLCONFIG SET CLUSTERKUBERNETES 2 SERVER_HTTP l l.l.la SETCLUSTER CERTIFICATE CERT 3 KUBECTL CONFIG c SET USER SET CREDENTIALS CONTEXT CAN BE USEDTO CONNECT TOMULTIPLECLUSTERS KUBECTLCONFIG SET CONTEXT KUBERNETES CLUSTER KUBERNETES USER NAMESPACE n 4 USECONTEXT KUBECTL GET NODES ASPER NORMAL 5 Service accounts and users
AUTHENTICATION AUTHORISATION WHATCAN FIRSTSTEPIN THEYDO RBACRULES RELIEVINGREQUEST v 4 RESOURCES WHO POD OR 2GROUPS WHOCAN HUMAN DO IT WHATCANBE u u PERFORMEDON ROLESAND ROLEBINDINGS WHICHRESOURCE CLUSTERROLES AND CLUSTERROLEBINDINGS ROLE ROLE ROLE BYNOLING ROLE BINDING ROLE BINDIFG NAMESPACE 1 NAMESPACE 2 NAMESPACES CLUSTER cluster KUBERNETES ROLE ROLE L CLUSTERBINDING ROLE REFERENCESINGLE CANBINDTO CREATE CREATE ROLE CREATE MULTIPLEUSER NAMESPACE ROLE ROLEBINDING SERVICEACCOUNTS ANDGROUPS LISTSERVICES WHAT FROMWEB ACTIONS NAMESPACE NOTWHO CLUSTERROLE POD CREATE CLUSTERROLE v CLUSTER BINDING CURLFROM ACCESS AT ROLE CONTAINER CLUSTER LEVEL VIEWPERSISTANT VOLUMES Cluster Authemtication and Authorisation
PORT3128 POD APPWEB POD APPDB PORT4269 HOW NETWORK CANAL CREATENETWORK CREATE PLUGIN PLUGIN POLICY DEPLOYMENT v u DENY ALLNET EXPOSE DEPLOYMENT KINDNETWORKPOLICY 9 NAMEDENYALL TRYACCESS TIMEOUT BLANKALLINHERIT PODSELECTOR 3 POLICYTYPEINGRESS CREATENETWORK LABEL POLICY PODS PODSELECTOR MATCHLABELS ALLOWCOMMSAPPDB BETWEENPODS INGRESS ANDSPECIFIED MATCHLABELS PORT APPWEB on PORT PORT4269 Network policies use selectors to copy rules to pods for communication throughout the cluster Configuring Network
API POD SERVER song IVARRUNSECRETS KUBERNETES.IOSERVICEACCOUNT CREATENEW CERTIFICATESIGNINGREQUEST CERT CSR c CERTIFICATE SIGNINGOBJECT KIND ERTIFICATESIGNINGREQUEST CREATE NAME CSRPODWEB REQUEST CATSERVER.GRBASE64TRD'IN VIEWCSR KUBECTLDESCRIBE CSR CSRPODWEB APPROVE CSR ISSUED Creating TLS certificates The CA is used to generate a TLS certificate and authenticate with the API server
DOCKERHUBPRIVATEREGISTRY POD N AWS CONTAINER 0 POD D AZURE RUNTIME POD E GCP POD CONTROLLING VULNERABILITIES CLAIR SCANNING IMAGES THAT GO INTO PRODUCTION SOMETHING ON IT CAUSE NODECRASH LOGIN TO PRIVATE REGISTRY TAG DOCKER IMAGE PUSH TO PRIVATE REGISTRY HOW I USE FOR IMAGE PULLS KUBERNETES DOCKER MODIFY CREATE REGISTRY TYPE SERVICE POD SECRET ACCOUNTS DOCKER SERVER v DOCKER USERNAME PRIVATEREGISTRY DOCKER PASSWORD IMAGE KUBECTIPATCH Secure Images
LIMITACCESS TOCERTAIN OBJECTS ATTHEPODAND CONTAINERLEVELTHISWILL ALLOWIMAGESTOREMAINSTABLE RUNASUSER POD FSGROUP N POD RUNASNONROOT CONTAINER 0 RUNTIME D POD PRIVILEGED E POD ADDSYS TIME KINDPOD IMAGEALPINE SECURITYCONTEXT RUNPODAS 405 RUNASUSER405 CANALSOPUT'RUNASROOT ABILITYTORUNAS PRIVILEGED PRIVILEGEDTRUE CONTAINER LEVEL ABILITY TO LOCK DOWN KERNEL SETTING ADD SECURITYCONTEXT LEVELFEATURES CAPABILITIES ADD ONCONTAINER ONPODLEVEL SYS TIME REMOVE NET ADMIN SECURITYCONTEXT DROP CHOWN Defining Security Context
DATA MUST LIVE BEYOND SECRETS KEY VALVE PAIR LIFEOFPOD v PASS AS ENVVAR NOTBEST OR PRACTICE EXPOSE AS FILES IN VOLUME MAYBE OUTPUTTO LOGFILES CONTAINER POD FILESYSTEM VARRUNSECRETS KUBERNETES.IO DEFAULT DEFAULTTOKENSECRET SERVICEACCOUNTS SECRET PACE TOKEN HTTPS TO WEBSITE GENERATE a KEY CERTIFICATE EFFET SECRET MOUPNoj.IN POD v COMBINED IN MEMORY FILE FILEST SYSTEM USE v SECRET SECRETNOT WRITTEN TO DISK Securing persistent key/value store Secrets allow you to expose entries as files in a volume keeping this data secure is crucial to cluster security
NODEMETRICS N POD CPUCCORETUTIL CONTAINER 0 MEMORY RUNTIME D E POD POD METRICS CPU MEMORY INSTALL KUBEC.TL OPNODEsCPUMEMORYFORALLTHENODES METRIC SERVER KUBECTLTOPPOD CPUMEMORY FORALLTHE PODS KUBECTLTOPPOD ALLNAMESPACE ALLNAMESPACE KUBEC.TL 0PP0D NkUBESYSTEM KUBE SYSTEMNAMESPACE KUBECTLTOPGROUP CONTEXT CONTAINERS POD CONTAINERS The metric server allows you to collect CPU and memory data from the nodes and pods in your cluster Monitoring the cluster components
USE KUBECTL APP LOGSTOCONTAINER STREAMED TO STDOUTS LOGS AND SYSTEM UNDERSTANDWHAT ISHAPPENINGINSIDECLUSTER LOGS DEBUGGING LOGS ACCUMULATE OVER TIME IF MANY MICROSERVICE WHICHLOGS ARE WHICH V LOGDIRECTORY VAR LOG CONTAINERS ACCUMULATES LOGS POD POD LOGGINGAGENT APPCONTAINER v v LOG LOG LOGGING AGENT CONTAINER CONTAINER I 2 LOGFILE LOG HAVESIDECARCONTAINERTO DO LOGGINGSOYOUCAN ACCESS SPECIFIC LOGS ABLETO ROTATE LOGSUSINGOTHERTOOLING NO NATIVE Managing cluster component logs
PODIYAML KINDPOD ABILITYTOWRITE NAMEP0D1 TERMINATION IMAGEBUSYBOX MESSAGE 10SPECIFIC COMMAND y KUBECTL FILEONCONTAINER DESCRIBE TERMINATION v MESSAGEPATH WILLSHOW ERRORMESSAGE ONLY PARTICULAR FIELDSCAN BECHANGED 1 E IMAGE TO CHANGEOTHERFIELDSOF FAILED POD EXPORTCONFIGURATION I MODIFY'AMLI E CHANGE MEMORYREQUEST DISCOVERYERRr APPCOMMERR IMAGEPULLERR APPLICATION FAILURE CRASHLOOPBACKOFFERR FAILEDMOUNTERR PENDING RBACERR Troubleshooting Application Failure
KUBERNETES API SERVERDOWN SOFTWARE CONTROL FAULT PLANE LOSE STORAGE ATTACHED TO CONTROL PLANE KUBELETSERVICE CRASH v INDEPENDENT ETCD COULD CRASH VIEWTHEEVENTSFROMCONTROLPLANECOMPONENTS CHECKSTATUSOFKUBELET SERVICE VIEWLOGSFORCONTROL PLANE PODS DISABLESWAP CHECKSTATUS OF DOCKER SERVICE CHECKFIREWALLDSERVICE VIEWKUBELET VIEW KUBECONFIGVIEWSYSLOG JOURNAL LOGS EVENTS a GENERATENEWTOKEN WORKER VIEWSTATUS TROUBLESHOOTING GET DETAILED INFO PINGNODE IPADDRESS SHINTONODE OFNODE ACCESSPODSDIRECTLY LOOKUPSERVICEVIADNS r a CHECKIPTABLERULES NETWORK DNSRESONE CONF ENDPOINTSOF v SERVICE v KUBERNETES CNIPLUGIN SERVICE Troubleshoot failures
Visit https://adnan.study for all notebooks

Empfohlen

Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
Eueung Mulyana
 
Getting Started with Kubernetes
Getting Started with Kubernetes Getting Started with Kubernetes
Getting Started with Kubernetes
VMware Tanzu
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
EastBanc Tachnologies
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Eric Gustafson
 
Kubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive OverviewKubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive Overview
Bob Killen
 
Kubernetes architecture
Kubernetes architectureKubernetes architecture
Kubernetes architecture
Janakiram MSV
 
Kubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory GuideKubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory Guide
Bytemark
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Peng Xiao
 

Empfohlen

Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
Eueung Mulyana
 
Getting Started with Kubernetes
Getting Started with Kubernetes Getting Started with Kubernetes
Getting Started with Kubernetes
VMware Tanzu
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
EastBanc Tachnologies
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Eric Gustafson
 
Kubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive OverviewKubernetes - A Comprehensive Overview
Kubernetes - A Comprehensive Overview
Bob Killen
 
Kubernetes architecture
Kubernetes architectureKubernetes architecture
Kubernetes architecture
Janakiram MSV
 
Kubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory GuideKubernetes for Beginners: An Introductory Guide
Kubernetes for Beginners: An Introductory Guide
Bytemark
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Peng Xiao
 
OpenShift 4 installation
OpenShift 4 installationOpenShift 4 installation
OpenShift 4 installation
Robert Bohne
 
Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep dive
Winton Winton
 
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesKubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
SlideTeam
 
Best Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes ServicesBest Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes Services
QAware GmbH
 
"Certified Kubernetes Administrator Exam – how it was" by Andrii Fedenishin
"Certified Kubernetes Administrator Exam – how it was" by Andrii Fedenishin"Certified Kubernetes Administrator Exam – how it was" by Andrii Fedenishin
"Certified Kubernetes Administrator Exam – how it was" by Andrii Fedenishin
Katherine Golovinova
 
Kubernetes internals (Kubernetes 해부하기)
Kubernetes internals (Kubernetes 해부하기)Kubernetes internals (Kubernetes 해부하기)
Kubernetes internals (Kubernetes 해부하기)
DongHyeon Kim
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17
Ryan Jarvinen
 
Kubernetes a comprehensive overview
Kubernetes a comprehensive overviewKubernetes a comprehensive overview
Kubernetes a comprehensive overview
Gabriel Carro
 
Docker & kubernetes
Docker & kubernetesDocker & kubernetes
Docker & kubernetes
NexThoughts Technologies
 
Introduction to Amazon EKS
Introduction to Amazon EKSIntroduction to Amazon EKS
Introduction to Amazon EKS
Amazon Web Services
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
Imesh Gunaratne
 
Kubernetes Deployment Strategies
Kubernetes Deployment StrategiesKubernetes Deployment Strategies
Kubernetes Deployment Strategies
Abdennour TM
 
(Draft) Kubernetes - A Comprehensive Overview
(Draft) Kubernetes - A Comprehensive Overview(Draft) Kubernetes - A Comprehensive Overview
(Draft) Kubernetes - A Comprehensive Overview
Bob Killen
 
Kubernetes PPT.pptx
Kubernetes PPT.pptxKubernetes PPT.pptx
Kubernetes PPT.pptx
ssuser0cc9131
 
Kubernetes
KubernetesKubernetes
Kubernetes
Meng-Ze Lee
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Martin Danielsson
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
Raffaele Di Fazio
 
Kubernetes dealing with storage and persistence
Kubernetes dealing with storage and persistenceKubernetes dealing with storage and persistence
Kubernetes dealing with storage and persistence
Janakiram MSV
 
Kubernetes Monitoring & Best Practices
Kubernetes Monitoring & Best PracticesKubernetes Monitoring & Best Practices
Kubernetes Monitoring & Best Practices
Ajeet Singh Raina
 
K8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals TrainingK8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals Training
Piotr Perzyna
 
The age of orchestration: from Docker basics to cluster management
The age of orchestration: from Docker basics to cluster managementThe age of orchestration: from Docker basics to cluster management
The age of orchestration: from Docker basics to cluster management
Nicola Paolucci
 
Paolucci voxxed-days-berlin-2016-age-of-orchestration
Paolucci voxxed-days-berlin-2016-age-of-orchestrationPaolucci voxxed-days-berlin-2016-age-of-orchestration
Paolucci voxxed-days-berlin-2016-age-of-orchestration
Grzegorz Duda
 

Weitere ähnliche Inhalte

Was ist angesagt?

Kubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesKubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
SlideTeam
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
Imesh Gunaratne
 

Was ist angesagt? (20)

OpenShift 4 installation
OpenShift 4 installationOpenShift 4 installation
OpenShift 4 installation
 
Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep dive
 
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesKubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
 
Best Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes ServicesBest Practices with Azure Kubernetes Services
Best Practices with Azure Kubernetes Services
 
"Certified Kubernetes Administrator Exam – how it was" by Andrii Fedenishin
"Certified Kubernetes Administrator Exam – how it was" by Andrii Fedenishin"Certified Kubernetes Administrator Exam – how it was" by Andrii Fedenishin
"Certified Kubernetes Administrator Exam – how it was" by Andrii Fedenishin
 
Kubernetes internals (Kubernetes 해부하기)
Kubernetes internals (Kubernetes 해부하기)Kubernetes internals (Kubernetes 해부하기)
Kubernetes internals (Kubernetes 해부하기)
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17
 
Kubernetes a comprehensive overview
Kubernetes a comprehensive overviewKubernetes a comprehensive overview
Kubernetes a comprehensive overview
 
Docker & kubernetes
Docker & kubernetesDocker & kubernetes
Docker & kubernetes
 
Introduction to Amazon EKS
Introduction to Amazon EKSIntroduction to Amazon EKS
Introduction to Amazon EKS
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
 
Kubernetes Deployment Strategies
Kubernetes Deployment StrategiesKubernetes Deployment Strategies
Kubernetes Deployment Strategies
 
(Draft) Kubernetes - A Comprehensive Overview
(Draft) Kubernetes - A Comprehensive Overview(Draft) Kubernetes - A Comprehensive Overview
(Draft) Kubernetes - A Comprehensive Overview
 
Kubernetes PPT.pptx
Kubernetes PPT.pptxKubernetes PPT.pptx
Kubernetes PPT.pptx
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
 
Kubernetes dealing with storage and persistence
Kubernetes dealing with storage and persistenceKubernetes dealing with storage and persistence
Kubernetes dealing with storage and persistence
 
Kubernetes Monitoring & Best Practices
Kubernetes Monitoring & Best PracticesKubernetes Monitoring & Best Practices
Kubernetes Monitoring & Best Practices
 
K8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals TrainingK8s in 3h - Kubernetes Fundamentals Training
K8s in 3h - Kubernetes Fundamentals Training
 

Ähnlich wie CKA Certified Kubernetes Administrator Notes

The age of orchestration: from Docker basics to cluster management
The age of orchestration: from Docker basics to cluster managementThe age of orchestration: from Docker basics to cluster management
The age of orchestration: from Docker basics to cluster management
Nicola Paolucci
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020
Akihiro Suda
 
Content Staging in Drupal 8
Content Staging in Drupal 8Content Staging in Drupal 8
Content Staging in Drupal 8
Dick Olsson
 
Continuous Deployment with Akka.Cluster and Kubernetes (Akka.NET)
Continuous Deployment with Akka.Cluster and Kubernetes (Akka.NET)Continuous Deployment with Akka.Cluster and Kubernetes (Akka.NET)
Continuous Deployment with Akka.Cluster and Kubernetes (Akka.NET)
petabridge
 

Ähnlich wie CKA Certified Kubernetes Administrator Notes (20)

The age of orchestration: from Docker basics to cluster management
The age of orchestration: from Docker basics to cluster managementThe age of orchestration: from Docker basics to cluster management
The age of orchestration: from Docker basics to cluster management
 
Paolucci voxxed-days-berlin-2016-age-of-orchestration
Paolucci voxxed-days-berlin-2016-age-of-orchestrationPaolucci voxxed-days-berlin-2016-age-of-orchestration
Paolucci voxxed-days-berlin-2016-age-of-orchestration
 
Containers orchestrators: Docker vs. Kubernetes
Containers orchestrators: Docker vs. KubernetesContainers orchestrators: Docker vs. Kubernetes
Containers orchestrators: Docker vs. Kubernetes
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020[KubeCon NA 2020] containerd: Rootless Containers 2020
[KubeCon NA 2020] containerd: Rootless Containers 2020
 
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
Docker San Francisco Meetup April 2015 - The Docker Orchestration Ecosystem o...
 
Kubernetes - Why It's Cool & Why It Maaters
Kubernetes - Why It's Cool & Why It MaatersKubernetes - Why It's Cool & Why It Maaters
Kubernetes - Why It's Cool & Why It Maaters
 
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red HatPractical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
 
Dockerizing the Hard Services: Neutron and Nova
Dockerizing the Hard Services: Neutron and NovaDockerizing the Hard Services: Neutron and Nova
Dockerizing the Hard Services: Neutron and Nova
 
Kubernetes for Java developers
Kubernetes for Java developersKubernetes for Java developers
Kubernetes for Java developers
 
Content Staging in Drupal 8
Content Staging in Drupal 8Content Staging in Drupal 8
Content Staging in Drupal 8
 
Kubered -Recipes for C2 Operations on Kubernetes
Kubered -Recipes for C2 Operations on KubernetesKubered -Recipes for C2 Operations on Kubernetes
Kubered -Recipes for C2 Operations on Kubernetes
 
OpenDaylight Integration with OpenStack Neutron: A Tutorial
OpenDaylight Integration with OpenStack Neutron: A TutorialOpenDaylight Integration with OpenStack Neutron: A Tutorial
OpenDaylight Integration with OpenStack Neutron: A Tutorial
 
Docker Swarm and Traefik 2.0
Docker Swarm and Traefik 2.0Docker Swarm and Traefik 2.0
Docker Swarm and Traefik 2.0
 
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on AzureDocker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure
Docker Seattle Meetup April 2015 - The Docker Orchestration Ecosystem on Azure
 
Project kuryr returns: Docker delivered, Kubernetes Next
Project kuryr returns: Docker delivered, Kubernetes NextProject kuryr returns: Docker delivered, Kubernetes Next
Project kuryr returns: Docker delivered, Kubernetes Next
 
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure
Docker New York Meetup May 2015 - The Docker Orchestration Ecosystem on Azure
 
Big Data in Container; Hadoop Spark in Docker and Mesos
Big Data in Container; Hadoop Spark in Docker and MesosBig Data in Container; Hadoop Spark in Docker and Mesos
Big Data in Container; Hadoop Spark in Docker and Mesos
 
Docker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental NetworkingDocker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental Networking
 
Docker and SDL Web/Tridion - SDL UK User Group April 2017
Docker and SDL Web/Tridion - SDL UK User Group April 2017Docker and SDL Web/Tridion - SDL UK User Group April 2017
Docker and SDL Web/Tridion - SDL UK User Group April 2017
 
Continuous Deployment with Akka.Cluster and Kubernetes (Akka.NET)
Continuous Deployment with Akka.Cluster and Kubernetes (Akka.NET)Continuous Deployment with Akka.Cluster and Kubernetes (Akka.NET)
Continuous Deployment with Akka.Cluster and Kubernetes (Akka.NET)
 

Kürzlich hochgeladen

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Kürzlich hochgeladen (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

CKA Certified Kubernetes Administrator Notes

  • 1.
  • 2.
  • 3.
  • 4. These notes follow LinuxAcademy structure which can be found here: https:// linuxacademy.com/course/cloud-native-certified-kubernetes-administrator-cka/. I would recommend viewing the course to gain full and detailed explanations. I have created these notes as part of my personal learning and hope to be able to help and inspire others. As i am also learning, there may well be mistakes, please do reach out and let me know, so i can correct them. Follow me on instagram: https://www.instagram.com/adnans_techie_studies/ All my notes are hosted here: https://adnan.study Connect with me on LinkedIn: https://www.linkedin.com/in/adnanrashid1/ Overview
  • 5.
  • 6. ETCD SCHEDULER DATAASSIGNPODPOD TO NODE NODE NODE NODE p CLUSTER CONFIG MASTER CONTROLLER y MANAGER 0 API t SERVER iE9iE9 MeffNsIAEtN COMMUNICATION HUB v NODE REPLICATE FAILURE COMPONENTS Cluster Architecture
  • 7. API SERVER g r KUBELET KUBE PROXY r 7 API SERVER WORKER NODE NODES KP KP KP KP v CONTAINER DOCKER RUNTIME SCONTAINERD e RUNSYOUR CONTAINERS Network rules on nodes Manages containers on the node Network Proxy that runs on each node
  • 8. MODEL MASTER POD KUBELET KUBE Proxy 2 N DOCKER IMAGE REGISTRY KUBECTL YAML FILES G IT Application running on Kubernetes API Primitives Convert to JSON when making request API server is the only one that communicates with Etcd Every component communicates with the API server only and not directly with one another. Objects like pods and services are declarative intents.
  • 9. API VERSION KIND METADATA s L v SPEC STATUS s YAML File Composition Clear consistent view of resources The kind of object you want to create Pod• Deployment• Job• NamespaceName String UID Uniquely identify the object Container image volume exposed ports State of the object —> match desired states
  • 10. u r 32767 32767 v v SERVICE s POD POD u POD NODE 1 NODE 2 CONSISTENT IP ADDRESS Services and Network Primitives Services allow you to dynamically access a group of replica pods
  • 11. API SERVER SERVICE s KUBE KUBE PROXY PROXY IPTABLES DESTINATION IPTABLES DESTINATION POD POD NODE 1 NODE 2 Kube-Proxy Kube-Proxy handles the traffic associated with a service by creating IP table rules
  • 12.
  • 13. PICKING THE RIGHT SOLUTION OR CLOUD ON PREM CUSTOM PRE BUILT OR Release Binaries, Provisioning and Types of Clusters Minikube• Minishift• Micro K8S• Ubuntu on LXD• AWS, Azure and GCP• Install manually• Configure your own network fabric• Locate the release binaries• Build your own Images• Secure cluster comms•
  • 14. MASTER WORKERS DOCKER t s GPGKEY KUBERNETES ADDREPOS 2 UPDATEPACKAGES 3 INSTALL DOCKER KUBELET KUBEADM KUBECTL 4 MODIFY BRIDGE ADAPTERSETTINGS MASTER ONLY I INITIALISE CLUSTER 2 MAKEDIRECTORY FORK8S 3 COPY KUBE CONFIG 4 CHANGE OWERSHIP OF CONFIG 5 APPLY FLANNEL CNI Installing kubernetes master and nodes
  • 15. MASTER 3 MASTER 2 MASTER I APISERVER t EDI Eh'InhIE ER or ACTIVE NODE 1 LOAD BALANCER n r KUBELET KUBELET KUBELET WORKER 1 WORKER2 WORKER3 All components can be replicated, but only certain ones can operate simultaneously Building highly available cluster
  • 16. SCHEDULER CM o 0 ARE WE IN tEEEE II CHARGE IiiI CLUSTER igg theft o NOTTEIRET E o j SCHEDULER CM LEADINGTO DUPLICATERESOURCES OR CORRUPTION HOW DO WE DECIDE LEADER ELECT CREATESENDPOINT RESOURCE OPTION SEE IN SCHEDULER YAML HOLDERIDENTITY The controller manager and the scheduler actively watch the cluster state and take action when it changes
  • 17. TOPOLOGY L J STACKED EXTERNAL TO KUBERNETES CLUSTER EACH CONTROL PLANE NODE CREATES LOCAL ETCDMEMBER ONLYCOMMUNICATES WITH API SERVER nv v ETCD ETCD RAFT CONSENSUS ALGORITHMin ETCD REQUIRES MAJORITY THEREMUST BE MORETHANHALF APISERVER TAKINGPLACE IN THE STATE CHANGEANDTHEREFORE THERE MUST BE ODDNUMBEROF NODES Replicating etcd
  • 18. ALLCOMMUNICATION VIA HTTPS CLUSTERKUBERNETES KUBECTL a TRANSLATES API STATE r PROVIDES CRUD u v s CREATE READ UPDATE DELETE RETURN RESPONSE KUBECTL API STATE CREATE POD HTTPPOST SERVER STORED IN ETCD L i i 1 MULTIPLE AUTHENTICATION AUTHORISATION ADMISSION VALIDATION PLUGINS 7 7 7 READ SKIP CALLS TO CREATEDETERMINE CANTHIS USER REQUEST PERFORMTHIS MODIFY ACTION DELETE 1 1 HTTP HEADER CERTIFICATE Configuring Secure Cluster Communications
  • 19. O ACTION f s ROLE ROLE BINDING 1012MORE v WHOIAN RESOURCE DO IT WHATCAN BEDONE ROLE ROLE BINDING NAMESPACE RESOURCE CLUSTERROLE CLUSTERROLEBINDING CLUSTER LEVEL RESOURCES RBAC is used to prevent unauthorised users from modifying the cluster state Building Highly Available Cluster
  • 20. IDENTITY OF APP POD c SERVICE ACCOUNT RUNNING INPOD API r n KYLE.io YEr8FEeREEYouNTT0KENFILEATEfYIeff T'ON NAMESPACE 1 NAMESPACE 2 POD POD POD POD L SERVICE SERVICE ACCOUNT ACCOUNT ONLYUSESERVICE ACCOUNTIN SAME NAMESPACE Service Account
  • 21. PERFORMANCE EXAMPLEAND WHY RESPONSE OF TESTS APPLICATION KUBETEST POORCLUSTER PERFORMANCE Running end to end tests on cluster Deployments can run• Pods can run• Pods can be directly accessed• Logs can be collected• Commands run from pods• Services can provide access• Nodes are healthy• Pods are healthy•
  • 22. UPGRADING KUBEADM CLUSTER KUBECTL OPERATING SYSTEM UPGRADES j USE DEPLOYMENTS GETPODS ORREPLICA SETS DRAIN NODE UNCORDON PUTBACK TO SERVICE BACKUP CLUSTERAND s ETCD RESTORE STATE CLUSTER v SAVE EXTERNALLY Managing Cluster
  • 23.
  • 24. NETWORKING WITHIN A NODE 10244 1.2 10 244 1.3 POD 1 POD 2 ETHO ETH v v VETHZAA VETH808 BRIDGE a 10.244 l 1 24 NODE 1 NETWORKING OUTSIDE OF THE NODE 10.244 t Z 102442.3 PODI VETH VETH C POD2 BRIDGE ETHO ETHO a BRIDGE NODEI 172 31.43 91 NODEZ 172.31 34.144 NETWORK Pod and Node Networking
  • 25. 10.244 t Z 102442.3 PODI VETH VETH a POD2 BRIDGE ETHO CNI ETHOL BRIDGE NODEI 172 31.43 91 NODEZ 172.31 34.144 NETWORK CNI IS A NETWORKOVERLAY ALLOWS BUILDING TUNNEL BETWEEN NODES SITS ONTOP OF EXISTING NETWORKS ENCAPSULATES PACKETS HEADER DATA TRAILER or a CHANGES SOURCEIDEST ADD TOWDOES CNI DO THIS THERE ISAMAPPING ASSOCIATED IN USERSPACE PROGRAM ALL PODIP ADDRESS'S TONODE IP WHEN REACH OTHER NODE DE ENCAPSULATE EXAMPLE CNI PACKET ANDGIVE TO BRIDGE As v APPEARSLOCAL 10 NODE MiCALICO FLANNEL Container Network Interface
  • 26. API SERVER SERVICE 10.104185.62 10244.12 102442.3 KUBEPROXY KUBEPROXY PODI VETH a r VETHE POD2 Ip 1 Ip BRIDGE TABLES ETHO ETHO TABLES BRIDGE MODEL 17231.43 91 NODEZ 172 3134.149 NETWORK PODSCOMEANDGO HOWDOES THECLUSTERKEEP TRACK SERVICES PROVIDESVIRTUALINTERFACE AUTOASSIGNED TO PODSBEHIND EXAMPLE INTERFACE CLUSTERIP SERVICE AUTOCREATED ON CLUSTERCREATION TAKESCAREOF INTERNALROUTING NOMATTERWHEREMOVES OTHER PODS KNOW HOWTO COMMUNICATE TO IT Service Networking
  • 27. SERVICE TALKS 101 NODE LOAD BALANCER AT A TIME CANNOTSPLIT TRAFFICLIKE A LOADBALANCER REDIRECTTRAFFIC CLIENTS TALK TOALLNODESAND TO LB TO ACCESS PORTS APPLICATION ONLYACCESSIBLE DOESNOTHAVE INTERNALLY EXTERNALIP LOAD 7 EXTERNAL IPADDRESS BALANCER FOREVERYSERVICE MODEL NODEZ i PODI 31732 31732 POD2 r Iv v SERVICE APP EXAMPLE.COM APP1 SERVICE POD POD INGRESS APP EXAMPLE.COM APP2 SERVICE pop pop WEB EXAMPLE COM SERVICE polo POD ACCESS MULTIPLESERVICESWITHSINGLE IPADDRESS Ingress Rules and Load Balancers Ingress
  • 28. EVERY SERVICE DEFINED IN THE CLUSTER IS ASSIGNEDA DNSNAME SERVICE NAMESPACE BASEDOMAINNAMENAME JENKINS DEFAULT SVC CLUSTER LOCAL 50 lo O I DEFAULT POD CLUSTER LOCAL PODIP NAMESPACE BASEDOMAIN NAME A PODS DNS SEARCH WILL INCLUDE THE PODS OWN NAMESPACE AND THE CLUSTERS DEFAULT DOMAIN Cluster DNS
  • 29.
  • 30. I 9 WHY RULES ARE HOWEVER PLACEDBY CAN CREATE r DEFAULT OWN WORKERNODES SAMENODE HAVEDIFFERENTODISKS SAVECOSTS SCHEDULER I DOESTHENODEHAVEADEQUATEHARDWARE RESOURCES 2 ISTHENODERUNNINGOUTOF RESOURCES 3 DOESTHEPODREQUEST A SPECIFICNODE 4 DOESTHENODE HAVE A MATCHINGLABEL s IFPOD REQUEST A PORTIS IT AVAILABLE 6 IF PODREQUESTS AVOLUMECAN IT BE MOUNTED 7 DOESTHEPODTOLERATETHETAINTSOFTHE NODE 8 DOESTHEPODSPECIFY NODORPOD AFFINITY Configuring the Kubernetes Scheduler Scheduler responsible for assigning pod to node based on resource requirements of the pod
  • 31. POD POD POD POD SCHEDULER1 SCHEDULER2 r NODES I 2 3 EXAMPLE TAINTS REPELWORK MASTERNODE NOSCHEDUAL TOLERATIONS ALLOWYOUTO EXAMPLE DAEMONSETPOD TOLERATE A KUBEPROXY MUSTRUNON ALL TAINT NODES CPU MEMORY PODMAY NOTBE SCHEDULER USINGALLREQUESTED RESOURCEAT AGIVEN POST 8STEPS TIME L s SCHEDULERLOOKS MOSTREQUESTED LEASTREQUESTED ATTHESUMOF PRIORITY PRIORITY RESOURCESREQUESTED r BYEXISTINGPODS CLOUDENVIRONMENTS WHY YOUAREPAYINGFOR ALLRESOURCES It is possible to have 2 schedulers working alongside each other. Running multiple schedulers for multiple Pods Scheduling pods with limits and label selectors
  • 32. POD POD POD POD NODEI NODEZ NODE3 POD DAEMONSETPOD IF YOUTRY DELETE A DAEMONSET POD REPLICASETPOD POD IT WILLSIMPLY RECREATE IT SCHEDULER POD LEVEL LOGLEVEL PROBLEMS EVEN LEVEL DaemonSets ensure that a single replica of a pod is running on each node at all times Display Scheduler Events DaemonSets
  • 33.
  • 34. HIGHLEVEL RESOURCE FOR DEPLOYMENTS DEPLOYINGAND UPDATING APPS REPLICASET REPLICASET POD POD POD POD POD AppV1 POD Appv2 DEPLOYMENT KUBECTLAPPLY MODIFY OBJECTS TO EXISTING YAML AND IF DEPLOYMENT NOT CREATED ALSO CREATE KUBECTLREPLACE REPLACES OLD WITHNEW ANDOBJECT MUST EXIST ROLLING UPDATE PREFERREDWAY SERVICENOTINTERRUPTED FASTESTWAY KUBECTL ROLLOUT ROLLBACKPREVIOUS VERSION Deploying an Application, Rolling Updates and Rollbacks
  • 35. AVOIDING BAD BLOCKBADVERSION DECISIONS RELEASE MIN READY READINESSSECONDS PROBE HOWLINGA AND DETERMINES IFNEWLYCREATED ASPECIFICPODPODSHOULD BE READY BEFORE SHOULDRELIEVE CLIENTREQUESTCONSIDERED ORNOT AVAILABLE PODNOT DEPLOYMENTv1 MINREADY READINESS pop errors aRELEASED SECONDS PROBE ATSSECONDS v ROLLBACK MUSTRETURNSUCCESS VERSION 10 I CHECKEVERY PORT80 SECOND CONTAINER CONFIGMAP APPCONFIG PASSINGCONFIGURATION OPTIONS TOAPP a CONFIGMAP KEYA OLI IETCCONFIG VOLUMECONFIG v KEYB VOLZENVIRONMENTVARIABLES IETCCERTS n S SECRET STOREINCONFIGMAP VOLUMECERTS SECRETAPPSECRET CREATESECRETANDPASSTO EV POD CERT VOL 9 KEY VOL MULTIPLECONTAINERS JUSTUPDATE CANUSESAME NONEEDTO REBUILDIMAGE Configuring an App for HA and Scale
  • 36. RECOMMENDED REPLICADEPLOYMENTS LOSING NODE SETS HASNO IMPACT MANAGES REPLICASETS ON APP PODS AREUNIQUE 9 POD DIES REPLACEDWITH SAMEHOSTNAME AND CONFIG STATEFULSETS HEADLESS SERVICE UNIQUEPODS VOLUME CLAIM r CERTAIN TRAFFIC TO GO TO EACH POD NEEDSOWNSTORAGE ASIT IS UNIQUE ReplicaSets ensure that identically configured pods are running at the desired replica count Creating a self-healing app
  • 37.
  • 38. PODS ARE EPHEMERAL POD TERMINATED STORAGETERMINATED STORAGE MUST BE INDEPENDENT IF PODMOVES STORAGEFOLLOWS STORAGECLASSES PERSISTENT VOLUME PROVISIONING S RESOURCE IN CLUSTER STATIC DYNAMIC PVCMUST REQUEST CLUSTERADMIN A STORAGECLASS CREATES AND AVAILABLE FOR CONSUMPTION Persistent Volumes
  • 39. VOLUME CAN ONLY BE MOUNTED USING ONE ACCESS MODE AT A TIME MOUNT CAPABILITY OF NODE NOT POD ACCESS MODES READWRITEONCE READWRITEMANY ONLY INODECAN MULTIPLE NODE MOUNT THEVOLUME CAN MOUNT FOR FORREADANDWRITE READ I WRITE READOFLYMANY MULTIPLE NODE CAN MOUNT VOLUME FOR READING Volume Access Modes By specifying an access mode with your PV, you allow the volume to be mounted to one or many nodes, as well as read by one or many
  • 40. O pv STAYS WITH at PVC pv DEV a 0 ACTUAL STORAGE CLUSTER ADMIN POD PVC PV VOLUMES 1Gt RECLAIMPOLICY MOUNTPATH RWO RETAIN U BOUND RETAIN DATA IN VOLUME COULDALSOBE RECYCLEORDELETE DELETECONTENTS OF VOLUME DELETEUNDERLYING STORAGE Persistent Volume Claims (PVC) PVC allows the application developer to request storage for the application, without having to know underlying infrastructure.
  • 41. STORAGE OBJECT PVCCANNOT BE IN USEPROTECTION REMOVEDPREMATURELY STILLBOUND inPVC s POD FINALIZERS PV y PVCPROTECTION 3 DELETEPOD n v I 1 GETS DELETED PVCDELETED PROVISIONER PARAMETERRECLAIMPOLICY STORAGE CLASS AWSEBS GPI RETAIN Storage Objects Volumes that are already in use by a pod are protected against data loss. This means even if you delete a PVC, you can still access the volume from the pod.
  • 42. EXAMPLE STORAGECLASS PVC DEPLOYMENT METADATA STORAGECLASSNAME REPLICA 1 ROLLOUT FAST FAST IMAGE KUBESERVEv1 100Mt VOLUMEMOUNT lDATA READWRITEONCE VOLUME VOLUMEDATA PERSISTENTVOLUMECLAIM PV Applications with Persistent Storage Create storage class object1. Create PVC object2. Create deployment3. Rollout deployment4. Check pods5. Create file on mount6. List contents7.
  • 43.
  • 44. API SERVER FIRSTEVALUATES v PRIVATE KEY SERVICE NORMALUSER USERSTORE IE JENKINS ACCOUNT FILE USERIPASS LIST v KUBECTLCREATESERVICEACCOUNTJENKINS ASSIGN10POD IF YOUDONOTUSESPECIFIC BYPUTTINGIN IT WILL USE DEFAULT PODMANIFEST L CREAAIESOUSNERYKE KUBECTLGETSA VBUSYBOXYAML v NAME BUSYBOX SECRET WILLSHOWDEFAULT 1JENKINS SPECv SERVICEACCOUNTNAME JENKINS HOLDSTHE ryAMLFORSERVICEACCOUNTPUBLIC A OF a APISERVERT KUBECTLGETSAJENKINS DYAML JWTTOKEN v JENKINSSERVER ADDSK8SCHPLUGINKUB.EC LGETSECRETtNAMLs SHOWSECRET NAME TOKEN NOWCAN THIS IS WHAT REQUEST CONTROLPODS WILL BE USED TO AUTH WITH API SERVER Service accounts and users
  • 45. USER 0 ACCESSCLUSTERREMOTELY CREATECLUSTERROLEBINDING MASTER ADNAN SETCREDENTIALS KUBECTLCONFIG u SET CREDENTIALS CERT USERNAME ADNAN PASSWORD PASSWORD KUBECTLCONFIG SET CLUSTERKUBERNETES 2 SERVER_HTTP l l.l.la SETCLUSTER CERTIFICATE CERT 3 KUBECTL CONFIG c SET USER SET CREDENTIALS CONTEXT CAN BE USEDTO CONNECT TOMULTIPLECLUSTERS KUBECTLCONFIG SET CONTEXT KUBERNETES CLUSTER KUBERNETES USER NAMESPACE n 4 USECONTEXT KUBECTL GET NODES ASPER NORMAL 5 Service accounts and users
  • 46. AUTHENTICATION AUTHORISATION WHATCAN FIRSTSTEPIN THEYDO RBACRULES RELIEVINGREQUEST v 4 RESOURCES WHO POD OR 2GROUPS WHOCAN HUMAN DO IT WHATCANBE u u PERFORMEDON ROLESAND ROLEBINDINGS WHICHRESOURCE CLUSTERROLES AND CLUSTERROLEBINDINGS ROLE ROLE ROLE BYNOLING ROLE BINDING ROLE BINDIFG NAMESPACE 1 NAMESPACE 2 NAMESPACES CLUSTER cluster KUBERNETES ROLE ROLE L CLUSTERBINDING ROLE REFERENCESINGLE CANBINDTO CREATE CREATE ROLE CREATE MULTIPLEUSER NAMESPACE ROLE ROLEBINDING SERVICEACCOUNTS ANDGROUPS LISTSERVICES WHAT FROMWEB ACTIONS NAMESPACE NOTWHO CLUSTERROLE POD CREATE CLUSTERROLE v CLUSTER BINDING CURLFROM ACCESS AT ROLE CONTAINER CLUSTER LEVEL VIEWPERSISTANT VOLUMES Cluster Authemtication and Authorisation
  • 47. PORT3128 POD APPWEB POD APPDB PORT4269 HOW NETWORK CANAL CREATENETWORK CREATE PLUGIN PLUGIN POLICY DEPLOYMENT v u DENY ALLNET EXPOSE DEPLOYMENT KINDNETWORKPOLICY 9 NAMEDENYALL TRYACCESS TIMEOUT BLANKALLINHERIT PODSELECTOR 3 POLICYTYPEINGRESS CREATENETWORK LABEL POLICY PODS PODSELECTOR MATCHLABELS ALLOWCOMMSAPPDB BETWEENPODS INGRESS ANDSPECIFIED MATCHLABELS PORT APPWEB on PORT PORT4269 Network policies use selectors to copy rules to pods for communication throughout the cluster Configuring Network
  • 48. API POD SERVER song IVARRUNSECRETS KUBERNETES.IOSERVICEACCOUNT CREATENEW CERTIFICATESIGNINGREQUEST CERT CSR c CERTIFICATE SIGNINGOBJECT KIND ERTIFICATESIGNINGREQUEST CREATE NAME CSRPODWEB REQUEST CATSERVER.GRBASE64TRD'IN VIEWCSR KUBECTLDESCRIBE CSR CSRPODWEB APPROVE CSR ISSUED Creating TLS certificates The CA is used to generate a TLS certificate and authenticate with the API server
  • 49. DOCKERHUBPRIVATEREGISTRY POD N AWS CONTAINER 0 POD D AZURE RUNTIME POD E GCP POD CONTROLLING VULNERABILITIES CLAIR SCANNING IMAGES THAT GO INTO PRODUCTION SOMETHING ON IT CAUSE NODECRASH LOGIN TO PRIVATE REGISTRY TAG DOCKER IMAGE PUSH TO PRIVATE REGISTRY HOW I USE FOR IMAGE PULLS KUBERNETES DOCKER MODIFY CREATE REGISTRY TYPE SERVICE POD SECRET ACCOUNTS DOCKER SERVER v DOCKER USERNAME PRIVATEREGISTRY DOCKER PASSWORD IMAGE KUBECTIPATCH Secure Images
  • 50. LIMITACCESS TOCERTAIN OBJECTS ATTHEPODAND CONTAINERLEVELTHISWILL ALLOWIMAGESTOREMAINSTABLE RUNASUSER POD FSGROUP N POD RUNASNONROOT CONTAINER 0 RUNTIME D POD PRIVILEGED E POD ADDSYS TIME KINDPOD IMAGEALPINE SECURITYCONTEXT RUNPODAS 405 RUNASUSER405 CANALSOPUT'RUNASROOT ABILITYTORUNAS PRIVILEGED PRIVILEGEDTRUE CONTAINER LEVEL ABILITY TO LOCK DOWN KERNEL SETTING ADD SECURITYCONTEXT LEVELFEATURES CAPABILITIES ADD ONCONTAINER ONPODLEVEL SYS TIME REMOVE NET ADMIN SECURITYCONTEXT DROP CHOWN Defining Security Context
  • 51. DATA MUST LIVE BEYOND SECRETS KEY VALVE PAIR LIFEOFPOD v PASS AS ENVVAR NOTBEST OR PRACTICE EXPOSE AS FILES IN VOLUME MAYBE OUTPUTTO LOGFILES CONTAINER POD FILESYSTEM VARRUNSECRETS KUBERNETES.IO DEFAULT DEFAULTTOKENSECRET SERVICEACCOUNTS SECRET PACE TOKEN HTTPS TO WEBSITE GENERATE a KEY CERTIFICATE EFFET SECRET MOUPNoj.IN POD v COMBINED IN MEMORY FILE FILEST SYSTEM USE v SECRET SECRETNOT WRITTEN TO DISK Securing persistent key/value store Secrets allow you to expose entries as files in a volume keeping this data secure is crucial to cluster security
  • 52.
  • 53. NODEMETRICS N POD CPUCCORETUTIL CONTAINER 0 MEMORY RUNTIME D E POD POD METRICS CPU MEMORY INSTALL KUBEC.TL OPNODEsCPUMEMORYFORALLTHENODES METRIC SERVER KUBECTLTOPPOD CPUMEMORY FORALLTHE PODS KUBECTLTOPPOD ALLNAMESPACE ALLNAMESPACE KUBEC.TL 0PP0D NkUBESYSTEM KUBE SYSTEMNAMESPACE KUBECTLTOPGROUP CONTEXT CONTAINERS POD CONTAINERS The metric server allows you to collect CPU and memory data from the nodes and pods in your cluster Monitoring the cluster components
  • 54. USE KUBECTL APP LOGSTOCONTAINER STREAMED TO STDOUTS LOGS AND SYSTEM UNDERSTANDWHAT ISHAPPENINGINSIDECLUSTER LOGS DEBUGGING LOGS ACCUMULATE OVER TIME IF MANY MICROSERVICE WHICHLOGS ARE WHICH V LOGDIRECTORY VAR LOG CONTAINERS ACCUMULATES LOGS POD POD LOGGINGAGENT APPCONTAINER v v LOG LOG LOGGING AGENT CONTAINER CONTAINER I 2 LOGFILE LOG HAVESIDECARCONTAINERTO DO LOGGINGSOYOUCAN ACCESS SPECIFIC LOGS ABLETO ROTATE LOGSUSINGOTHERTOOLING NO NATIVE Managing cluster component logs
  • 55.
  • 56. PODIYAML KINDPOD ABILITYTOWRITE NAMEP0D1 TERMINATION IMAGEBUSYBOX MESSAGE 10SPECIFIC COMMAND y KUBECTL FILEONCONTAINER DESCRIBE TERMINATION v MESSAGEPATH WILLSHOW ERRORMESSAGE ONLY PARTICULAR FIELDSCAN BECHANGED 1 E IMAGE TO CHANGEOTHERFIELDSOF FAILED POD EXPORTCONFIGURATION I MODIFY'AMLI E CHANGE MEMORYREQUEST DISCOVERYERRr APPCOMMERR IMAGEPULLERR APPLICATION FAILURE CRASHLOOPBACKOFFERR FAILEDMOUNTERR PENDING RBACERR Troubleshooting Application Failure
  • 57. KUBERNETES API SERVERDOWN SOFTWARE CONTROL FAULT PLANE LOSE STORAGE ATTACHED TO CONTROL PLANE KUBELETSERVICE CRASH v INDEPENDENT ETCD COULD CRASH VIEWTHEEVENTSFROMCONTROLPLANECOMPONENTS CHECKSTATUSOFKUBELET SERVICE VIEWLOGSFORCONTROL PLANE PODS DISABLESWAP CHECKSTATUS OF DOCKER SERVICE CHECKFIREWALLDSERVICE VIEWKUBELET VIEW KUBECONFIGVIEWSYSLOG JOURNAL LOGS EVENTS a GENERATENEWTOKEN WORKER VIEWSTATUS TROUBLESHOOTING GET DETAILED INFO PINGNODE IPADDRESS SHINTONODE OFNODE ACCESSPODSDIRECTLY LOOKUPSERVICEVIADNS r a CHECKIPTABLERULES NETWORK DNSRESONE CONF ENDPOINTSOF v SERVICE v KUBERNETES CNIPLUGIN SERVICE Troubleshoot failures