This presentation covers how app deployment model evolved from bare metal servers to Kubernetes World.
In addition to theoretical information, you will find free KATACODA workshops url to perform practices to understand the details of the each topics.
8. Container:
Containers are an abstraction at the app layer that packages code and dependencies together.
Multiple containers can run on the same machine and share the OS kernel with other containers,
each running as isolated processes in user space.
Containers typically take up less space than VMs.
Virtual Machines
Virtual machines (VMs) are an abstraction of physical hardware turning one server into
many servers.
The hypervisor allows multiple VMs to run on a single machine.
Each VM includes a full copy of an operating system, the application, necessary binaries
and libraries - taking up tens of GBs.
VMs can also be slower to boot.
10. COMPOSE
https://www.katacoda.com/boxboat/courses/df-dev/02-docker-compose
Workshop:
Compose is a tool for defining and running
multi-container Docker applications.
With Compose, you use a YAML file to configure
your application’s services. Then, with a single command,
you create and start all the services from your configuration.
Compose is great for development, testing,
and staging environments, as well as CI workflows
14. Intro - Whatis Kubernetes?
Kubernetes or K8s wasaproject spunout of Googleasaopensource
next-gen container scheduler designed with the lessons learned from
developing andmanagingBorg andOmega.
Kubernetes wasdesignedfromtheground-upasalooselycoupled collection
of components centered around deploying, maintaining, and scaling
applications.
15. Intro - What Does Kubernetes do?
Kubernetes isthelinuxkernelof distributed systems.
Itabstractsawaytheunderlyinghardwareof thenodesandprovides a
uniform interface for applicationsto bebothdeployedandconsumethe
sharedpool of resources.
https://www.katacoda.com/loodse/courses/kubernetes/kubernetes-01-playground
Workshop:
17. Architecture Overview
Masters -Acts as the primary control plane for Kubernetes. Masters are
responsible ataminimumfor runningtheAPI Server, scheduler,andcluster
controller. Theycommonly alsomanagestoringcluster state,cloud-provider
specific componentsandother cluster essentialservices.
Nodes-Are the‘workers’of aKubernetes cluster. They runaminimalagent
that manages the node itself, and are tasked with executing workloads as
designatedbythemaster.
21. kube-apiserver
Theapiserverprovides aforward facingRESTinterface into thekubernetes
control plane and datastore. All clients, including nodes, users and other
applicationsinteract with kubernetes strictly through theAPI Server.
It is the true core of Kubernetes acting as the gatekeeper to the cluster by
handlingauthenticationandauthorization,requestvalidation,mutation, and
admission control in addition to beingthefront-end to thebackingdatastore.
kubectl api-resources to see all api resources
23. kube-controller-manager
The controller-manager is the primary daemon that manages all core
componentcontrol loops.Itmonitorsthecluster state viatheapiserverand
steersthecluster towardsthedesired state.
24. cloud-controller-manager
The cloud-controller-manager is a daemon that provides cloud-provider
specific knowledge andintegration capabilityinto thecorecontrol loop of
Kubernetes. The controllers include Node, Route, Service, and add an
additional controller to handlePersistentVolumeLabels.
25. kube-scheduler
Kube-scheduler isaverbose policy-rich enginethatevaluatesworkload
requirements and attempts to place it on a matching resource. These
requirements canincludesuchthings asgeneralhardwarereqs,affinity,
anti-affinity, andother customresource requirements.
30. Container Runtime
With respect to Kubernetes,A containerruntime isaCRI (Container RuntimeInterface)
compatible application that executesandmanagescontainers.
● Containerd (docker)
● Cri-o
● Rkt
● Kata(formerlyclearandhyper)
● Virtlet (VM CRI compatible runtime)
31. Additional Services
Kube-dns-Provides cluster wide DNS Services.Servicesareresolvable to
<service>.<namespace>.svc.cluster.local.
Heapster - Metrics Collector for kubernetes cluster, usedbysomeresources
suchastheHorizontal Pod Autoscaler. (required for kubedashboardmetrics)
Kube-dashboard -A generalpurpose webbasedUIfor kubernetes.
32. Kubectl
kubectl [command] [TYPE] [NAME] [flags]
command: operation to perform (verb)
TYPE: the resource type to perform the operation on NAME:Specifies the name of the
resource
flags:optional flags
https://www.katacoda.com/courses/kubernetes/kubectl-run-containers
Workshop:
33. $KUBECONFIG
• Multiple configurations files as a list of paths
• KUBECONFIG
• Append new configurations temporarily
https://github.com/ahmetb/kubectx
KUBECTX:
36. Kubernetes Concepts - Core
Cluster - A collection of hoststhat aggregate their available resources including cpu,ram,disk,
andtheir devicesinto ausablepool.
Master - The master(s)represent acollection of components that makeupthecontrol planeof
Kubernetes. These components are responsible for all cluster decisions including both
schedulingandresponding to cluster events.
Node - A singlehost,physicalor virtual capableof runningpods.A nodeismanagedbythe
master(s),andat aminimumrunsboth kubelet andkube-proxyto beconsidered part of the
cluster.
Namespace- A logical cluster or environment. Primarymethodof dividing acluster or
scopingaccess.
37. Concepts - Core(cont.)
Label- Key-valuepairs that areusedto identify, describe andgrouptogetherrelated setsof
objects.Labelshaveastrict syntaxandavailable characterset.*
Annotation - Key-value pairs that contain non-identifying information or metadata.
Annotations donot havethethesyntaxlimitations aslabels andcancontainstructured or
unstructureddata.
Selector - Selectors uselabels to filter or select objects. Bothequality-based(=,==,!=)or
simplekey-valuematchingselectorsaresupported.
* https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
39. Concepts - Workloads
Pod- A podisthesmallestunit of workormanagementresourcewithin Kubernetes.Itis
comprised of one or more containers that share their storage, network, and context
(namespace, cgroupsetc).
ReplicationController - Method of managingpodreplicasandtheir lifecycle. Their
scheduling,scaling,anddeletion.
ReplicaSet- Next GenerationReplicationController. Supportsset-basedselectors.
Deployment - A declarativemethodof managingstatelessPods andReplicaSets. Provides
rollback functionalityinaddition to moregranularupdatecontrol mechanisms.
40. Deployment
Contains configuration
of how updates or
‘deployments’ should be
managed in addition to
thepodtemplateusedto
generate theReplicaSet.
ReplicaSet
Generated ReplicaSet
fromDeployment spec.
https://www.katacoda.com/boxb
oat/courses/kf1/03-deployments
Workshop:
41. Concepts - Workloads (cont.)
StatefulSet - A controller tailored to managingPods thatmustpersistormaintainstate.Pod
identityincluding hostname,network,andstoragewill bepersisted.
DaemonSet - Ensuresthat all nodesmatchingcertain criteria will run aninstance of a
supplied Pod. Idealfor cluster wide services suchaslog forwarding, orhealth monitoring.
45. Networking - FundamentalRules
1) All Pods cancommunicate with all other Pods withoutNAT
2) All nodescancommunicatewith all Pods (andvice-versa)without NAT.
3) TheIPthataPod seesitself asisthesameIPthatothersseeit as.
46. Networking - FundamentalsApplied
Containers in apodexist within thesamenetwork namespaceandsharean
IP;allowingfor intrapod communicationoverlocalhost.
Podsaregivenacluster uniqueIPfor thedurationof its lifecycle,butthepods
themselvesarefundamentallyephemeral.
Services aregivenapersistentcluster uniqueIPthatspansthePods lifecycle.
External Connectivity isgenerally handedbyanintegrated cloud provider or
other externalentity (loadbalancer)
47. Networking -CNI
Networking within Kubernetes is plumbed via the Container Network
Interface(CNI),aninterface betweenacontainerruntime andanetwork
implementation plugin.
Compatible CNI Network Plugins:
● Calico
● Cillium
● Contiv
● Contrail
● Flannel
● GCE
● kube-router
● Multus
● OpenVSwitch
● OVN
● Romana
● Weave
48. Concepts - Network
Service - Servicesprovide amethodof exposing andconsuming L4 Pod network accessible
resources. Theyuselabel selectorsto mapgroupsof podsandports to acluster-unique virtual
IP.
Ingress - An ingresscontroller is theprimarymethodof exposing acluster service (usually
http) to the outside world. These are load balancers or routers that usually offer SSL
termination,name-basedvirtualhostingetc.
49. Service
● Acts astheunified methodof accessingreplicated pods.
● Four majorServiceTypes:
○ CluterIP-Exposesserviceonastrictly cluster-internal IP(default)
○ NodePort-Serviceis exposedoneachnode’sIPonastatically
definedport.
○ LoadBalancer -Works in combination with acloudproviderto
exposeaserviceoutsidethecluster onastatic externalIP.
○ ExternalName -usedto referencesendpointsOUTSIDE thecluster
byprovidingastatic internally referencedDNSname.
https://www.katacoda.com/boxboat/courses/kf2/01-services
Workshop:
50. Ingress Controller
● Deployedasapodtooneormorehosts
● Ingresscontrollers areanexternal
controller with multipleoptions.
○ Nginx
○ HAproxy
○ Contour
○ Traefik
● Specificfeaturesandcontroller specific
configuration is passed through
annotations.
https://www.katacoda.com/boxboat/courses/kf2/03-ingress
Workshop:
51. Concepts - Storage
Volume - Storagethat istied to the Pod Lifecycle, consumablebyoneor more
containerswithin thepod.
PersistentVolume- A PersistentVolume (PV)represents astorageresource. PVs are
commonly linked to abacking storageresource,NFS,GCEPersistentDisk, RBD etc.andare
provisionedaheadof time.Their lifecycle ishandledindependently fromapod.
PersistentVolumeClaim - A PersistentVolumeClaim(PVC)is arequest for storagethat
satisfiesaset of requirements insteadof mappingto astorageresourcedirectly.Commonly
usedwith dynamicallyprovisionedstorage.
StorageClass - Storageclassesareanabstractionontopof anexternal storageresource.
These will include a provisioner, provisioner configuration parameters as well as a PV
reclaimPolicy.
https://www.katacoda.com/courses/kubernetes/storage-introduction
Workshop:
52. Concepts -Configuration
ConfigMap - Externalized data stored within kubernetes that can be referenced as a
commandlineargument,environment variable,or injected asafile into avolumemount.Ideal
for separatingcontainerizedapplication fromconfiguration.
Secret- Functionallyidenticalto ConfigMaps, but stored encoded asbase64,andencrypted at
rest (ifconfigured).
54. Concepts - Auth and Identity (RBAC)
[Cluster]Role - Roles contain rules that act asaset of permissions that apply verbs like “get”,
“list”,“watch” etc over resources that arescopedto apiGroups.Roles arescopedto namespaces,
andClusterRolesareapplied cluster-wide.
[Cluster]RoleBinding - Grant thepermissionsasdefined in a[Cluster]Role to oneor more
“subjects”whichcanbeauser,group,orservice account.
ServiceAccount- ServiceAccounts provide aconsumableidentity for podsor external
servicesthatinteractwith thecluster directly andarescopedto namespaces.
https://www.katacoda.com/boxboat/courses/kf2/04-misc
Workshop:
55. [Cluster]Role
● Permissions translate to url
path. With “”defaultingto core
group.
● Resourcesactasitemstherole
shouldbegrantedaccessto.
● Verbsaretheactionstherole
canperform onthereferenced
resources.
57. What is HELM
• Package manager
• Like yum, apt but for
Kubernetes
• Search and reuse or start from
scratch
• Lifecycle Management
• Create
• Install
• Upgrade/Rollback
• Delete
• Status
• Versioning
• Benefits
• Repeatability
• Reliability
• Multiple environment
• Ease collaboration
• Manage Complexity
58. Kubernetes Cluster
Helm
Components
• Helm Client
• Command-line client
• Interacts with Tiller Server
• Local chart development
• Tiller Server
• In-cluster
• Listens to the Helm client
• Interacts with Kubernetes APIServer
• Manages the lifecycle
Helm Client TillerServer
gRPC Kubernetes
API Server
REST
https://www.katacoda.com/javajon/c
ourses/kubernetes-pipelines/helm
Workshop:
65. Deployment Controller
9)Deployment Controller isnotified of thenew
Deployment viacallback.
10)Deployment Controller evaluatescluster stateand
reconciles the desired vs current state and forms a
request for thenewReplicaSet.
11)apiserver request loopevaluatesDeployment
Controllerrequest.
12)ReplicaSet ispublished.
66. ReplicaSet Controller
13)ReplicaSetController isnotified of thenewReplicaSet
viacallback.
14)ReplicaSet Controller evaluates cluster state and
reconciles thedesiredvscurrentstateandformsarequest
for thedesiredamountof pods.
15)apiserver request loopevaluatesReplicaSet
Controllerrequest.
16)Podspublished, andenter ‘Pending’ phase.
67.
68. Scheduler
17)Schedulermonitorspublished podswith no
‘NodeName’ assigned.
18)Appliesschedulingrulesandfilters to find a
suitablenodeto host thePod.
19)Schedulercreatesabinding of Pod to Node and
POSTs toapiserver.
20)apiserver request loopevaluatesPOST request.
21)Pod statusisupdatedwith nodebinding andsets
status to‘PodScheduled’.
69. Kubelet -PodSync
22)Thekubelet daemononeverynodepollstheapiserver filtering
for podsmatchingits own‘NodeName’; checkingits currentstate
with thedesiredstatepublished throughtheapiserver.
23)Kubelet will thenmovethroughaseries of internal processesto
prepare the pod environment. This includes pulling secrets,
provisioningstorage,applyingAppArmorprofiles andothervarious
scaffolding. During this period,it will asynchronouslybePOST’ing
the ‘PodStatus’ to the apiserver through the standard apiserver
request loop.
70. Pause and Plumbing
24)Kubelet thenprovisionsa‘pause’containerviathe
CRI (Container RuntimeInterface). The pausecontainer
actsastheparent containerfor thePod.
25)The network is plumbed to the Pod via the CNI
(Container Network Interface),creating aveth pair
attached to the pause container and to acontainer
bridge (cbr0).
26)IPAM handledbytheCNI plugin assignsanIPto the
pausecontainer.
72. Pod Status
27)Ifthere areanyliveless/readiness probes,theseareexecuted beforethe
PodStatus isupdated.
28)Ifall completesuccessfully,PodStatusis set to readyandthecontainer
has startedsuccessfully.
ThePodisDeployed!
Container:
Containers are an abstraction at the app layer that packages code and dependencies together. Multiple containers can run on the same machine and share the OS kernel with other containers, each running as isolated processes in user space. Containers typically take up less space than VMs. (Source: Docker.com)
Virtual Machine
Virtual machines (VMs) are an abstraction of physical hardware turning one server into many servers. The hypervisor allows multiple VMs to run on a single machine. Each VM includes a full copy of an operating system, the application, necessary binaries and libraries - taking up tens of GBs. VMs can also be slower to boot.(Source: Docker.com)