Kubernetes Concepts Cheat Sheet

  • Cluster:
    • Node: worker machine (VM or physical host), e.g. the minikube VM

      • Container Runtime:
        • Container Runtime Engines, implementing CRI (Container Runtime Interface):
          • Default: containerd (Docker Engine itself runs on top of containerd; the dockershim that let kubelet talk to Docker directly was removed in v1.24)
          • Others: CRI-O, Kata Containers (lightweight VM per Pod), Virtlet (runs VM images as Pods), rkt (archived), etc.
        • Pod: logical host for a set of Containers that share one network namespace (one IP, one port space) and Volumes, as in docker-compose
          • Pod spec is almost immutable: you (or a controller) have to delete and create a Pod to "update" it; only a few fields such as the container image can be changed in place
          • Containers: running Images, e.g. Docker containers
            • Image: e.g. Docker image
            • hostname: name of Pod
            • DNS resolver uses CoreDNS server
          • Volumes: storage mounted into Containers, either ephemeral (e.g. emptyDir, which lives and dies with the Pod) or backed by external persistent storage
        • kube-proxy: per-Node network proxy (a DaemonSet in kube-system) that programs iptables/IPVS rules so traffic to a Service's virtual IP is forwarded to the Pods behind it
      • kubelet: agent on each Node that registers the Node, runs the Pods assigned to it through the CRI and reports their status to the API server; its own API (TCP 10250) must not allow anonymous access (--anonymous-auth=false)
        • Lease: Object in the kube-node-lease namespace whose renewTime is updated on every heartbeat of the kubelet; a stale Lease makes the Node Controller mark the Node NotReady
    • Control Plane (its components run as Pods in kube-system on most installs; inspect with kubectl get pods --namespace=kube-system):

      • kube-apiserver: API server, entry point of Control Plane
      • etcd: consistent, highly available key-value store holding all Cluster State; Secrets live there merely base64-encoded, so anyone with access to etcd or its backups owns the Cluster unless encryption at rest is configured (EncryptionConfiguration on the API server)
      • kube-controller-manager: runs Controllers
        • Controller: control loop that watches its kind of Objects through the API and acts to move their actual state toward the Desired State in spec, recording progress in status
        • E.g. Job Controller detects new Job has no Pods, asks API to create Pods, checks Job, updates Job status, asks API to delete Pods
      • kube-scheduler: assigns a Node to each new Pod that has none, honoring resource requests, node selectors/affinity, taints and tolerations
      • cloud-controller-manager: runs Controllers syncing K8s Objects with cloud resources
        • E.g. Node Controller detects new cloud servers, creates K8s Node Objects, checks health of Nodes, deletes Nodes from Cluster
      • Addons:
        • CoreDNS: cluster DNS server; Service discovery by name (name.namespace.svc.cluster.local) depends on it
        • storage-provisioner: minikube addon that auto-provisions hostPath PersistentVolumes on demand for PersistentVolumeClaims (its default StorageClass)
    • Object: computational, storage, networking, etc. resource, tracked at Cluster State

      • Config: manifest describing apiVersion, kind of the Object, metadata (namespace, name, labels, annotations) and spec, its Desired State; the API server fills in status
        • Sent by an SDK or by kubectl apply -f configs/object.yaml (converted to JSON) to the API
        • Low-level CRUD best practice:
          • kubectl diff -Rf configs/
          • kubectl apply -Rf configs/
          • While the --prune flag is still alpha and kubectl apply fails on an empty configs/ dir, delete removed Objects explicitly:
            kubectl delete -f configs/object.yaml && git rm $_
        • Use Helm for high-level CRUD: the K8s package manager, which templates K8s configs into releases.
      • Kinds of Objects not defined above:
        • Workload: Objects whose Controllers create and manage Pods, the smallest deployable units
          • ReplicaSet: low-level, keeps the desired number of replicas of a Pod template running
          • Deployment: most popular, manages ReplicaSets with rolling updates and rollback
          • StatefulSet: for stateful apps; each of its Pods keeps a stable ordered identity (name-0, name-1, ...), a stable network name via a headless Service and its own PersistentVolumeClaim
          • DaemonSet: ensures all (or some, by node selector) Nodes run a copy of the given Pod
          • Job: one-off task that retries its Pods until the given number of successful completions
          • CronJob: creates a Job on a repeating schedule
        • Network:
          • Service: stable virtual IP and DNS name that load-balances to all Pods matching its selector (tracked in EndpointSlices)
            • ServiceTypes:
              • ClusterIP: default, internal-only virtual IP that routes to each matching Pod. Such a Service can be exposed externally e.g. via Ingress.
                • Ingress: rules (by host and HTTP path) that route external HTTP(S) traffic to one or more Services; needs an Ingress controller (e.g. ingress-nginx) installed in the Cluster and can terminate TLS with a kubernetes.io/tls Secret
              • NodePort: static port (default range 30000-32767) on every Node's IP (NodeIP:NodePort) that routes to an auto-created ClusterIP Service
              • LoadBalancer: most popular on clouds, a cloud LB routes to an auto-created NodePort (and ClusterIP) Service
        • Storage:
          • Volume: a directory (numerous types) declared by name in the Pod spec and mounted in a Container at a mountPath; ephemeral types such as emptyDir die with the Pod, other types only reference storage that outlives it
          • PersistentVolume or PV: cluster-scoped storage that lives outside of Pods; can be mounted only through a PersistentVolumeClaim
          • PersistentVolumeClaim or PVC:
            • Declares storage requirements (size, access mode, StorageClass)
            • Binds to a matching unbound PersistentVolume, if any, or triggers dynamic provisioning through its StorageClass
            • Referenced in a Pod's Volume (persistentVolumeClaim.claimName), the only way to use a PersistentVolume in a Pod
          • StorageClass: which kinds of storage this Cluster offers; names the provisioner driver, reclaim policy and parameters
        • Config:
          • ConfigMap: non-secret key-values, used in a Pod as a Volume or as env vars (valueFrom.configMapKeyRef) that can then be passed to command args
          • Secret: like a ConfigMap but for sensitive data; types include Opaque (any data), kubernetes.io/dockerconfigjson (registry creds) and kubernetes.io/tls (cert and key). Values are only base64-encoded in the API and in etcd, so restrict get/list on secrets via RBAC and enable encryption at rest
        • CRD: Custom Resource Definition, extends the API with a new kind that a custom Controller (operator) reconciles
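The Object kinds above, as one multi-document manifest. This is an added example, not a file from the cheat sheet's repository: the namespace demo, the labels, the image, the key names and the storage size are assumed for illustration. Review and apply it with the workflow the sheet recommends: kubectl diff -f objects.yaml && kubectl apply -f objects.yaml.

```yaml
# Added example (not from the cheat sheet). Namespace "demo", label app=web,
# the image, key names and sizes are assumptions made for illustration.
---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: demo
  name: web-config
data:
  LOG_LEVEL: info                 # non-secret key-value, consumed via configMapKeyRef below
---
apiVersion: v1
kind: Secret
metadata:
  namespace: demo
  name: web-secret
type: Opaque                      # arbitrary sensitive key-values
stringData:                       # plaintext on input; the API stores it base64-encoded under .data
  DB_PASSWORD: change-me-placeholder
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  namespace: demo
  name: web-data
spec:
  accessModes: [ReadWriteOnce]    # one Node at a time, see the replicas note on the Deployment
  storageClassName: standard      # assumed name (minikube's default); omit to use the Cluster default
  resources:
    requests:
      storage: 1Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: demo
  name: web
  labels: {app: web}
spec:
  replicas: 1                     # a ReadWriteOnce PVC cannot follow Pods to two Nodes; use a
                                  # StatefulSet with per-Pod claims if you need more replicas
  selector:
    matchLabels: {app: web}       # the ReplicaSet owns every Pod carrying this label
  template:                       # Pod template; editing it triggers a rolling update
    metadata:
      labels: {app: web}
    spec:
      containers:
        - name: web
          image: nginx:1.25       # assumed image
          ports:
            - containerPort: 80
          env:
            - name: LOG_LEVEL     # from the ConfigMap; "$(LOG_LEVEL)" would expand inside args
              valueFrom:
                configMapKeyRef: {name: web-config, key: LOG_LEVEL}
            - name: DB_PASSWORD   # from the Secret, same mechanism with secretKeyRef
              valueFrom:
                secretKeyRef: {name: web-secret, key: DB_PASSWORD}
          volumeMounts:
            - name: data
              mountPath: /data    # where the claimed PersistentVolume appears in the Container
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: web-data   # the only way to attach a PersistentVolume to a Pod
```

Because a Secret is only base64-encoded, the DB_PASSWORD value is readable by anyone allowed to get secrets in demo and by anyone who can read etcd; keep the RBAC for that verb narrow.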
    • Networking Rules:

      • External client - Cloud LB, etc - NodeIP:NodePort - kube-proxy rules on that Node - Pod IP (a Service is virtual: its ClusterIP/NodePort exist only as the iptables/IPVS rules kube-proxy programs)
      • Pod-Pod and Pod-Node in the same Cluster talk via internal IP addresses on a flat network without NAT; nothing is isolated by default, NetworkPolicy Objects (enforced by the CNI plugin) restrict it
      • Container-Container in the same Pod talk via localhost (shared network namespace, so they also share one port space), via SysV IPC / POSIX message queues (shared IPC namespace) and via shared Volumes; they see each other's processes only if shareProcessNamespace: true
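The in-Pod sharing rules and the external path Ingress, Service, Pod as one manifest. This is an added example, not code from the cheat sheet: the namespace demo, label app=api, the images, ports, Ingress class and hostname are assumptions for illustration.

```yaml
# Added example (not from the cheat sheet). Namespace "demo", label app=api,
# images, ports, the ingress class and the hostname are assumptions.
---
apiVersion: v1
kind: Pod
metadata:
  namespace: demo
  name: api
  labels: {app: api}
spec:
  shareProcessNamespace: true        # opt-in: the two containers see each other's PIDs (off by default)
  containers:
    - name: app
      image: python:3.12-slim        # assumed image
      command: ["python3", "-m", "http.server", "8080", "--directory", "/shared"]
      volumeMounts:
        - name: shared
          mountPath: /shared
    - name: sidecar
      image: curlimages/curl:8.8.0   # assumed image
      # same network namespace: the sidecar reaches the app on localhost, no Service needed;
      # same emptyDir: the file it writes is what the app serves
      command: ["sh", "-c", "echo hello > /shared/index.html; while true; do curl -s http://127.0.0.1:8080/; sleep 30; done"]
      volumeMounts:
        - name: shared
          mountPath: /shared
  volumes:
    - name: shared
      emptyDir: {}                   # ephemeral, shared by the containers, deleted with the Pod
---
apiVersion: v1
kind: Service
metadata:
  namespace: demo
  name: api
spec:
  type: ClusterIP                    # virtual IP; kube-proxy rules on every Node forward it to matching Pods
  selector: {app: api}
  ports:
    - name: http
      port: 80                       # Service port, resolvable as api.demo.svc.cluster.local via CoreDNS
      targetPort: 8080               # container port inside the Pod
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: demo
  name: api
spec:
  ingressClassName: nginx            # assumed: an ingress-nginx controller is installed in the Cluster
  rules:
    - host: api.example.test         # assumed hostname
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api
                port: {name: http}
```

The resulting path for an external request is: client, the cloud LB in front of the Ingress controller (itself exposed as a LoadBalancer or NodePort Service), the Ingress controller Pod, the api Service's ClusterIP (rewritten by kube-proxy rules on that Node), the Pod's port 8080. Nothing in this manifest restricts which other Pods may reach port 8080 directly; that is what a NetworkPolicy would add.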
    • Security:

      • User or Pod sends a request to the K8s API server, which runs it through three stages:
        • Authentication: who is calling
          • X509 Client Cert: CN=user, O=group (one O entry per group); signed by the Cluster CA and not revocable (K8s consults no CRL), so keep them short-lived
          • Static Password File: password,user,uid,"group1,.." (basic auth, removed in v1.19)
          • Static Token File: token,user,uid,"group1,.." (plaintext on the API server host, no rotation without a restart)
          • Bearer Token or Bootstrap Token: Authorization: Bearer ...; bootstrap tokens exist for kubeadm node join
          • Service Account Token: JWT signed by the API server's service-account signing key; projected into the Pod as a short-lived, audience-bound token at /var/run/secrets/kubernetes.io/serviceaccount/token (legacy long-lived tokens were stored in Secrets), so a compromised Pod holds whatever RBAC its ServiceAccount has
          • OpenID Connect Token (OIDC): the id_token JWT from the OAuth2 token response, sent as a Bearer token and verified against the issuer's keys
        • Authorization: which actions are allowed; modes are Node, RBAC, ABAC and Webhook, and RBAC is purely additive (no deny rules)
          • Role: namespaced, defines rules allowing verbs (e.g. list) on resources (e.g. pods)
          • ClusterRole: a cluster-wide Role without metadata.namespace; also the only place to grant cluster-scoped resources (nodes, namespaces) and non-resource URLs
          • RoleBinding: grants a Role or a ClusterRole (then limited to the binding's namespace) to subjects of type User, Group or ServiceAccount
          • ClusterRoleBinding: a cluster-wide RoleBinding without metadata.namespace, can roleRef a ClusterRole only
        • Admission Control: after authn and authz the request passes mutating, then validating Admission Controllers (built-ins such as LimitRanger, ResourceQuota and PodSecurity, plus MutatingAdmissionWebhook/ValidatingAdmissionWebhook) that enforce quotas, policies and other constraints
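Least-privilege RBAC for a Pod that only needs to list Pods in its own namespace, shown next to the over-broad binding it replaces. This is an added example, not code from the cheat sheet: the namespace demo, the ServiceAccount and Role names and the image are assumptions for illustration.

```yaml
# Added example (not from the cheat sheet). Namespace "demo", the ServiceAccount,
# Role and binding names and the image are assumptions made for illustration.
#
# WEAK (anti-pattern, kept commented out so applying this file does not create it):
# every ServiceAccount in the Cluster becomes cluster-admin, so any compromised Pod
# can read all Secrets and create privileged Pods.
#
# apiVersion: rbac.authorization.k8s.io/v1
# kind: ClusterRoleBinding
# metadata: {name: everyone-is-admin}
# roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: cluster-admin}
# subjects:
#   - {kind: Group, apiGroup: rbac.authorization.k8s.io, name: system:serviceaccounts}
#
# CORRECTED: a namespaced Role with only the verbs needed, bound to one ServiceAccount.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: demo
  name: pod-lister
automountServiceAccountToken: false   # Pods using this SA get no token unless their spec opts in
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                            # namespaced: metadata.namespace is required
metadata:
  namespace: demo
  name: pod-reader
rules:
  - apiGroups: [""]                   # "" is the core API group (pods, services, secrets, ...)
    resources: ["pods"]
    verbs: ["get", "list", "watch"]   # additive: a verb or resource not listed here is simply denied
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                     # grants pod-reader inside namespace demo only
metadata:
  namespace: demo
  name: pod-lister-reads-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role                          # a ClusterRole could be referenced here; the binding would still scope it to demo
  name: pod-reader
subjects:
  - kind: ServiceAccount
    name: pod-lister
    namespace: demo
---
apiVersion: v1
kind: Pod
metadata:
  namespace: demo
  name: lister
spec:
  serviceAccountName: pod-lister
  automountServiceAccountToken: true  # this Pod does call the API; the Pod field overrides the SA default
  containers:
    - name: kubectl
      image: bitnami/kubectl:1.30     # assumed image
      # In-cluster config: the projected token at /var/run/secrets/kubernetes.io/serviceaccount/token
      # and KUBERNETES_SERVICE_HOST/PORT. The first command succeeds, the second is denied (403).
      command: ["sh", "-c", "kubectl get pods -n demo; kubectl get secrets -n demo; sleep 3600"]
```

The grant can be checked without running the Pod by impersonating the ServiceAccount: kubectl auth can-i list pods -n demo --as=system:serviceaccount:demo:pod-lister answers yes, and the same query for get secrets answers no. Pods that never talk to the API should keep automountServiceAccountToken: false so a compromised container has no credential to replay.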
    • Etc Concepts