- Cluster:
  - Node: worker machine, e.g. the VM of minikube, or a physical host
  - Container Runtime: engine on each Node implementing the CRI (Container Runtime Interface), through which kubelet starts and stops Containers
    - Default: containerd. Docker is built on top of containerd, not the other way round; the dockershim that let kubelet drive Docker directly was removed in Kubernetes 1.24
    - Others: CRI-O; Kata Containers (each Pod runs in its own lightweight VM, for stronger isolation of untrusted workloads); Virtlet (runs full VMs as Pods); rkt (discontinued)
  - Pod: logical host for a set of Containers that share one network namespace (one IP, one port space) and storage, as in a docker-compose project
    - Pod spec is (almost) immutable: to "update" it you (or a Controller) delete the Pod and create a new one; only a few fields, such as a container's image, can be patched in place
  - Containers: running Images, e.g. OCI/Docker images
  - Volumes: directories shared between the Containers of a Pod, backed by local or external persistent storage
  - kube-proxy: network proxy on each Node (usually run as a DaemonSet Pod) that programs iptables/IPVS rules so traffic to a Service's virtual IP reaches one of its Pods
  - kubelet: agent on each Node making sure the Containers of the Pods scheduled to this Node are running and healthy
  - Lease: Object in the kube-node-lease namespace, one per Node, whose `renewTime` the kubelet updates on every heartbeat; the Node controller in kube-controller-manager marks a Node NotReady once its Lease stops being renewed
- Control Plane: its components are listed by
  `kubectl get pods --namespace=kube-system`
  - kube-apiserver: API server, the single entry point to the Control Plane; every other component reads and writes the Cluster State through it
    - CLI: kubectl, kubeadm, etc.
    - SDK (client libraries)
    - API reference
  - etcd: consistent, highly available key-value store holding the Cluster State. Secrets live here too, so encrypt etcd at rest and restrict access to it as tightly as to the API server
  - kube-controller-manager: runs Controllers
    - Controller: control loop that watches its kind of Objects through the API and drives them towards their Desired State
    - E.g. the Job Controller sees a new Job with no Pods, asks the API to create Pods, watches them, updates the Job status, and when the Job is done asks the API to delete the Pods still running
  - kube-scheduler: selects a Node for each new Pod
  - cloud-controller-manager: runs Controllers syncing K8s Objects with cloud resources
    - E.g. its Node Controller detects new cloud servers and creates K8s Node Objects, checks their health, and deletes Nodes whose servers are gone from the Cluster
  - Addons:
    - CoreDNS: DNS server required for Services (`<service>.<namespace>.svc.cluster.local`)
    - storage-provisioner: minikube's dynamic provisioner, auto-provisioning storage on demand
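The Controller loop above, as an added example that is not Kubernetes code: a toy Job Controller that lists the Pods it owns, compares them with the Job's desired `completions`, asks the API to create or delete Pods, and writes back `status`. `FakeAPI` is an in-memory stand-in for the API server and is an assumption of this example; a real controller does the same through client-go watches and a work queue.

```python
"""Toy reconcile loop for a Job Controller (added example, not Kubernetes
code). FakeAPI stands in for kube-apiserver; the Pod/Job shapes are reduced to
the fields the loop needs."""
from dataclasses import dataclass, field
import itertools


@dataclass
class Pod:
    name: str
    labels: dict
    phase: str = "Pending"  # Pending | Running | Succeeded | Failed


@dataclass
class Job:
    name: str
    completions: int
    parallelism: int = 1
    backoff_limit: int = 6  # spec.backoffLimit: failed Pods tolerated before giving up
    status: dict = field(default_factory=lambda: {
        "active": 0, "succeeded": 0, "failed": 0, "conditions": []})


class FakeAPI:
    """In-memory stand-in for the API server: Pods keyed by name."""

    def __init__(self):
        self.pods = {}
        self._seq = itertools.count(1)

    def list_pods(self, selector):
        return [p for p in self.pods.values()
                if all(p.labels.get(k) == v for k, v in selector.items())]

    def create_pod(self, labels):
        pod = Pod(f"{labels['job-name']}-{next(self._seq)}", dict(labels))
        self.pods[pod.name] = pod
        return pod

    def delete_pod(self, name):
        self.pods.pop(name, None)


def reconcile(api, job):
    """One pass of the loop: observe, act, update status. Returns the API calls
    made, so the caller (or a test) can see what the loop decided."""
    actions = []
    owned = api.list_pods({"job-name": job.name})  # the Pods this Job created
    active = [p for p in owned if p.phase in ("Pending", "Running")]
    succeeded = [p for p in owned if p.phase == "Succeeded"]
    failed = [p for p in owned if p.phase == "Failed"]
    status = job.status
    status.update(active=len(active), succeeded=len(succeeded), failed=len(failed))

    if status["conditions"]:  # Complete or Failed already: terminal, nothing to do
        return actions
    if len(failed) > job.backoff_limit:
        status["conditions"].append("Failed")
    elif len(succeeded) >= job.completions:
        status["conditions"].append("Complete")
    if status["conditions"]:
        # Job finished: tear down whatever is still running. Finished Pods are
        # kept (for their logs) unless ttlSecondsAfterFinished is set.
        for p in active:
            api.delete_pod(p.name)
            actions.append(f"delete {p.name}")
        status["active"] = 0
        return actions

    # Still work to do: top up running Pods, bounded by parallelism. A Failed
    # Pod is not active any more, so it is replaced here (the retry).
    missing = job.completions - len(succeeded) - len(active)
    to_create = max(0, min(missing, job.parallelism - len(active)))
    for _ in range(to_create):
        pod = api.create_pod({"job-name": job.name})
        actions.append(f"create {pod.name}")
    status["active"] = len(active) + to_create
    return actions


if __name__ == "__main__":
    api, job = FakeAPI(), Job("backup", completions=2, parallelism=2)
    print(reconcile(api, job))              # ['create backup-1', 'create backup-2']
    api.pods["backup-1"].phase = "Succeeded"
    api.pods["backup-2"].phase = "Failed"   # retried: a replacement Pod is created
    print(reconcile(api, job))              # ['create backup-3']
    api.pods["backup-3"].phase = "Succeeded"
    print(reconcile(api, job), job.status)  # [] ... 'conditions': ['Complete']
```

Each call to `reconcile` is one iteration of the loop; in a real controller it is triggered by a watch event on the Job or on one of its Pods, and it must be safe to run repeatedly on the same state (the second call after `Complete` changes nothing).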
- Object: a computational, storage, networking, etc. resource, tracked in the Cluster State
  - Config: describes `apiVersion`, `kind` of the Object, `metadata` (`namespace`, `name`, `labels`) and `spec`, its Desired State
    - Example
  - Sent by SDK or by `kubectl apply -f configs/object.yaml` as JSON to the API
  - Low-level CRUD best practice: review the diff before applying the whole directory
    ```
    kubectl diff -Rf configs/
    kubectl apply -Rf configs/
    ```
  - While the `--prune` flag is in alpha and `kubectl apply` fails for an empty `configs/` dir, delete removed Objects explicitly:
    `kubectl delete -f configs/object.yaml && git rm $_`
  - Use Helm for high-level CRUD: the K8s package manager, with templating (scripting) of K8s configs
  - Kinds of Objects not defined above:
    - Workload: Controllers that manage Pods, the smallest deployable units (the Controller creates the Pods; kube-scheduler places them on Nodes)
      - ReplicaSet: low-level, how many replicas of a Pod template are desired
      - Deployment: most popular, manages ReplicaSets to provide rolling updates and rollbacks
      - StatefulSet: ReplicaSet for stateful apps. Each of its ordered Pods keeps a stable identity: network name (`name-0`, `name-1`, ...) and its own PersistentVolumeClaim
      - DaemonSet: ensures all (or some) Nodes run a copy of the given Pod, e.g. kube-proxy or a log agent
      - Job: one-off task, retrying its Pods (up to `backoffLimit` failures) until the given number of successful `completions`
      - CronJob: creates a Job on a repeating schedule
    - Network:
      - Service: stable virtual IP and DNS name exposing all Pods matching its `selector` to a (possibly external) network
        - ServiceTypes:
          - ClusterIP: default, internal IP address load-balancing to each matching Pod. Reachable only from inside the Cluster; can be exposed externally e.g. via Ingress
          - NodePort: static port (default range 30000-32767) on the IP address of every Node (`NodeIP:NodePort`) routes to an auto-created ClusterIP Service. The port is open on every Node, so firewall it
          - LoadBalancer: most popular, Cloud LB routes to an auto-created (usually NodePort) Service
      - Ingress: rules (usually by HTTP host and /path) that route external HTTP(S) traffic to multiple Services through an Ingress controller; TLS usually terminates here, with the certificate in a `kubernetes.io/tls` Secret
    - Storage:
      - Volume: a directory (numerous types), declared with a `name` in the Pod and mounted in a Container at a `mountPath`; dies with its Pod
      - PersistentVolume or PV: like a Volume, but lives outside of Pods and can be mounted only through a PersistentVolumeClaim
      - PersistentVolumeClaim:
        - Declares storage requirements (size, access mode, StorageClass)
        - Binds to a matching unbound PersistentVolume, if any
        - Can be referenced in a Volume of a Pod, the only way to use a PersistentVolume in a Pod
      - StorageClass: what storage is available in this Cluster from numerous possible types; defines the `provisioner` driver, its parameters, the reclaim policy, etc.
    - Config:
      - ConfigMap: non-secret key-values, used in a Pod as a Volume or as `env` vars with `valueFrom.configMapKeyRef`, which can then be passed to `command` args as `$(VAR)`
      - Secret: a ConfigMap for sensitive data; types are Docker-registry creds (`kubernetes.io/dockerconfigjson`), any Opaque data, TLS cert and key (`kubernetes.io/tls`). Values are only base64-encoded, not encrypted: protect them with RBAC on `get`/`list` of Secrets and with etcd encryption at rest
    - CRD: Custom Resource Definition, adds a new kind of Object for a custom Controller (Operator) to reconcile
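How a ConfigMap and a Secret end up in a Container's environment, as an added example (not kubelet code): it resolves `env` entries with `valueFrom.configMapKeyRef` / `secretKeyRef` in list order, expands `$(VAR)` references in `command`/`args` the way kubelet does, and shows that decoding a Secret needs no key. The three manifests are constructed for this example.

```python
"""Resolve a container's env from ConfigMap/Secret objects and expand $(VAR)
in command/args (added example, not kubelet code). Manifests are constructed."""
import base64
import re

CONFIGMAP = {"apiVersion": "v1", "kind": "ConfigMap",
             "metadata": {"name": "app-config", "namespace": "demo"},
             "data": {"LOG_LEVEL": "info", "DB_HOST": "db.demo.svc.cluster.local"}}

SECRET = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
          "metadata": {"name": "db-creds", "namespace": "demo"},
          # exactly what `kubectl get secret db-creds -o yaml` returns to anyone
          # with `get` on Secrets: base64 is an encoding, not encryption
          "data": {"DB_PASSWORD": base64.b64encode(b"s3cr3t-pw").decode()}}

CONTAINER = {
    "name": "app", "image": "example/app:1.0", "command": ["/app/server"],
    "args": ["--log-level=$(LOG_LEVEL)", "--db=$(DB_HOST)",
             "--literal=$$(DB_HOST)", "--unset=$(NOPE)"],
    "env": [
        {"name": "LOG_LEVEL", "valueFrom": {"configMapKeyRef": {"name": "app-config", "key": "LOG_LEVEL"}}},
        {"name": "DB_HOST", "valueFrom": {"configMapKeyRef": {"name": "app-config", "key": "DB_HOST"}}},
        {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "DB_PASSWORD"}}},
        # optional: a missing key is skipped instead of failing the container
        {"name": "FEATURE", "valueFrom": {"configMapKeyRef": {"name": "app-config", "key": "FEATURE", "optional": True}}},
        # earlier env vars are expanded inside later literal values
        {"name": "DSN", "value": "postgres://app@$(DB_HOST)/app"},
    ]}


def decode_secret(secret):
    """Secret.data -> plaintext dict. No key material is involved."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


_REF = re.compile(r"\$(\$?)\(([A-Za-z_][A-Za-z0-9_]*)\)")


def expand(s, env):
    """kubelet's $(VAR) expansion: $$(VAR) escapes to the literal $(VAR), and a
    reference to an undefined VAR is left unchanged, not emptied."""
    def sub(m):
        if m.group(1):
            return "$(" + m.group(2) + ")"
        return env.get(m.group(2), m.group(0))
    return _REF.sub(sub, s)


def resolve_env(container, configmaps, secrets):
    """Build the environment in list order. A missing non-optional key keeps the
    container from starting (CreateContainerConfigError); here it raises."""
    env = {}
    for item in container.get("env", []):
        name = item["name"]
        if "value" in item:
            env[name] = expand(item["value"], env)
            continue
        ref = item["valueFrom"]
        if "configMapKeyRef" in ref:
            src = ref["configMapKeyRef"]
            values = configmaps.get(src["name"], {}).get("data", {})
        else:
            src = ref["secretKeyRef"]
            values = decode_secret(secrets[src["name"]]) if src["name"] in secrets else {}
        if src["key"] in values:
            env[name] = values[src["key"]]
        elif not src.get("optional", False):
            raise KeyError(f"{name}: key {src['key']!r} not found in {src['name']!r}")
    return env


def rendered_args(container, env):
    """What the container process actually receives as argv."""
    return [expand(a, env) for a in container.get("command", []) + container.get("args", [])]


if __name__ == "__main__":
    env = resolve_env(CONTAINER, {"app-config": CONFIGMAP}, {"db-creds": SECRET})
    print(env)
    print(rendered_args(CONTAINER, env))
```

Note where the decoded password ends up: in the process environment, which `kubectl exec ... env`, crash dumps and child processes all expose. Mounting the Secret as a Volume and reading the file keeps it out of the environment and lets kubelet refresh it on rotation.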
- Networking Rules:
  - External client -> Cloud LB, etc. -> kube-proxy (NodePort) -> Service -> kube-proxy -> Pod
  - Pod-Pod and Pod-Node in the same Cluster talk via internal IP addresses without NAT; by default every Pod can reach every other Pod, so restrict that with NetworkPolicy where it matters
  - Container-Container in the same Pod talk via localhost ports, via IPC (the IPC namespace is shared by default), via signals and `/proc` if `shareProcessNamespace: true`, and via files if a Volume is mounted in both
- User or Pod sends a request to the K8s API server, which applies in order:
  - Authentication: who is calling
    - X509 Client Cert: CN=user, O=group (one O entry per group). The API server checks no CRL or OCSP, so a leaked cert stays valid until it expires; keep lifetimes short
    - Static Password File: `password,user,uid,"group1,.."`; HTTP basic auth, removed in Kubernetes 1.19
    - Static Token File: `token,user,uid,"group1,.."`; read once at start-up, so rotating a token means restarting the API server
    - Bearer Token or Bootstrap Token: sent as `Authorization: Bearer ...`, so only ever over TLS
    - Service Account Token: JWT signed with the API server's service-account signing key (a key pair separate from its serving TLS certificate); projected tokens are short-lived and audience-bound, legacy Secret-based tokens never expire
    - OpenID Connect Token (OIDC): the ID token (a JWT) from an OAuth2 token response; the API server verifies its signature against the issuer's published keys and maps claims to user and groups
  - Authorization: which actions are allowed. RBAC is additive and default-deny: a request passes if any binding grants it, and nothing can take a grant away
    - Role: defines `rules` allowing `verbs` (e.g. `list`) on `resources` (e.g. `pods`) within its namespace
    - ClusterRole: a cluster-wide Role without `metadata.namespace`
    - RoleBinding: grants a Role, or a ClusterRole limited to the binding's namespace, to `subjects` of type User, Group, ServiceAccount
    - ClusterRoleBinding: a cluster-wide RoleBinding without `metadata.namespace`; its `roleRef` can be a ClusterRole only
  - Admission Control: chain of Admission Controllers (built-in ones and mutating/validating webhooks) that modify or reject an already-authorized request against policies and constraints: ResourceQuota, LimitRanger, Pod Security, etc.
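The request path above, as an added example that is not Kubernetes source: a static token file authenticator feeding an RBAC evaluator, with a ServiceAccount identity alongside. The tokens, users, Roles and bindings are constructed for this example; subresources are written as `pods/log`, and `resourceNames`, `nonResourceURLs`, webhooks and OIDC are left out.

```python
"""API server request path: authenticate (static token file), then authorize
(RBAC). Added example, not Kubernetes source; all objects are constructed."""
import csv
import io

# Constructed token file in the documented format: token,user,uid,"group1,group2"
TOKEN_FILE = '''tok-ci-7f3a2,ci-bot,1001,"deployers"
tok-dev-91bc4,alice,1002,"developers"
'''


def load_token_file(text):
    """Parse the file into {token: user-info}. kube-apiserver reads it once at
    start-up, so rotating or revoking a token means a restart."""
    users = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        groups = [g for g in row[3].split(",") if g] if len(row) > 3 else []
        users[row[0]] = {"user": row[1], "uid": row[2], "groups": groups}
    return users


def authenticate(headers, users):
    """Bearer token -> user info, or None (401). The token is a plain header,
    so the API server must only be reachable over TLS."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or token not in users:
        return None
    info = dict(users[token])
    info["groups"] = info["groups"] + ["system:authenticated"]  # added to every authenticated caller
    return info


def service_account_user(namespace, name):
    """The identity a ServiceAccount token authenticates as."""
    return {"user": f"system:serviceaccount:{namespace}:{name}",
            "groups": ["system:serviceaccounts", f"system:serviceaccounts:{namespace}",
                       "system:authenticated"]}


# Constructed RBAC objects, keyed (kind, namespace, name); ClusterRoles have no namespace.
ROLES = {
    ("Role", "dev", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}],
    ("ClusterRole", None, "deployment-editor"): [
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "create", "update", "patch"]}],
}
BINDINGS = [
    # RoleBinding -> Role: alice reads pods in dev only
    {"kind": "RoleBinding", "namespace": "dev", "roleRef": ("Role", "pod-reader"),
     "subjects": [{"kind": "User", "name": "alice"}]},
    # RoleBinding -> ClusterRole: the ClusterRole's rules apply in dev only
    {"kind": "RoleBinding", "namespace": "dev", "roleRef": ("ClusterRole", "deployment-editor"),
     "subjects": [{"kind": "Group", "name": "deployers"}]},
    # ClusterRoleBinding -> ClusterRole: every namespace
    {"kind": "ClusterRoleBinding", "namespace": None, "roleRef": ("ClusterRole", "deployment-editor"),
     "subjects": [{"kind": "ServiceAccount", "namespace": "ops", "name": "monitor"}]},
]


def _subject_matches(subject, info):
    if subject["kind"] == "User":
        return subject["name"] == info["user"]
    if subject["kind"] == "Group":
        return subject["name"] in info["groups"]
    if subject["kind"] == "ServiceAccount":
        return info["user"] == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False


def _rule_allows(rule, req):
    return ((req["apiGroup"] in rule["apiGroups"] or "*" in rule["apiGroups"])
            and (req["resource"] in rule["resources"] or "*" in rule["resources"])
            and (req["verb"] in rule["verbs"] or "*" in rule["verbs"]))


def authorize(info, req):
    """Default deny: allowed iff some binding naming one of the caller's
    identities references a role with a rule matching the request."""
    for b in BINDINGS:
        if not any(_subject_matches(s, info) for s in b["subjects"]):
            continue
        if b["kind"] == "RoleBinding" and b["namespace"] != req.get("namespace"):
            continue  # a RoleBinding never grants outside its namespace, ClusterRole or not
        kind, name = b["roleRef"]
        rules = ROLES.get((kind, b["namespace"] if kind == "Role" else None, name), [])
        if any(_rule_allows(r, req) for r in rules):
            return True
    return False


def handle(headers, req, users):
    """401 without an identity, 403 without permission, else 200 (admission omitted)."""
    info = authenticate(headers, users)
    if info is None:
        return 401
    return 200 if authorize(info, req) else 403


if __name__ == "__main__":
    users = load_token_file(TOKEN_FILE)
    req = {"verb": "list", "apiGroup": "", "resource": "pods", "namespace": "dev"}
    print(handle({"Authorization": "Bearer tok-dev-91bc4"}, req, users))  # 200
    print(handle({"Authorization": "Bearer tok-dev-91bc4"}, dict(req, namespace="prod"), users))  # 403
```

The two things worth checking in your own cluster follow directly from `authorize`: a RoleBinding to a broad ClusterRole is still confined to one namespace, while a ClusterRoleBinding to the same ClusterRole is not; `kubectl auth can-i --as=<user> --as-group=<group>` answers the same question against the real API server.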
- Etc Concepts