DEV Community

Cover image for Kubernetes foundation
soul-o mutwiri
soul-o mutwiri

Posted on • Edited on

Kubernetes foundation

Gitops Tools like Flux and ArgoCD are pull based approached... continously monitor the Git repository for changes and pull those changes to update the kubernetes cluster.

ingress objects define how external traffic shd be routed to different services within the cluster. They expose services within the cluster to external networks without need for each service havings its IP addresses.

pipeline help automate build, test and deployment of an application.

Cloud Native Orchestration

  1. High level of automation from development to deployment, CI/CD pipelines with minimal human involvement, backed with version control system like git. easier disaster recovery

  2. Self healing
    failing is expected, health checks monitor applications and restart them, one some parts stop working while other continue.

  3. Scalable
    handling more load, scaling based on metrics like memory to ensure performance of services.

  4. Cost efficient
    usage based pricing, optimized infrastructure usage.

  5. Easy to maintain
    microservices allow small and portable aplications easier to test & distribute across teams.

  6. Secure by default
    zero trust computing, user and processess are authenticated.

running containers
to start containers - docker run nginx

building container images

  • containers are metaphoe of shipping containers.
  • there is a standard format of a shipping containr to make it easy to stack on a container ship, unload and onto a truck no matter what is inside.

container images - are what makes containers portable and easy to reuse.
Docker describes a container image as following:

_

“A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings

``
__

dockerfile
images can be built by reading instructions from a buildfile called dockerfile.

The instructions are the same as the ones one would use to install an application on a server.

Every container image starts with a base image.

This could be your favorite linux distribution

FROM ubuntu:20.04

Run commands to add software and libraries to your image

Here we install python3 and the pip package manager

RUN apt-get update && \
apt-get -y install python3 python3-pip

The copy command can be used to copy your code to the image

Here we copy a script called "my-app.py" to the containers filesystem

COPY my-app.py /app/

Defines the workdir in which the application runs

From this point on everything will be executed in /app

WORKDIR /app

The process that should be started when the container runs

In this case we start our python app "my-app.py"

CMD ["python3","my-app.py"]

To build the image

docker build -t my-python-image -f dockerfile

-t my-python-image - specifies the name tag of your image.
-f Dockerfil - specify the dockerfile to be used.

to distribute these images we use a container registry; where you can upload and download images by push and pull commands

docker push my-registry.com/my-python-image
docker pull my0registry.com/my-python-image

some of the public registries is Docker Hub and QUay

4cs OF CLOUD NATIVE SECURITY
CLOUD
CLUSTER
CONTAINER
CODE

These are layer that need to be protected when using containers

CONTAINER ORCHESTRATION FUNDAMENTATIONS

  • it is harder to manage alot of containers so you need a system for management of these containers. container orchestration provides a way to build a cluster of multiple server and host container on top... most systems have a control plane for management of the containers and worker nodes that host the containers. one of the most common systems is kubernetes..to orchestrate containers.

Problems to be solved through container orchestration ssytems...

  1. providing computing resource like VMs where containers run on
  2. schedule containers to serve efficiently
  3. allocate resources like CPU and memory
  4. scale containers based on the load
  5. provide networking to connect containers together
  6. provide storage if containers need to persist data.

Networking
to make application accessible to outside - containers have the ability to map a port from the container to a port from the host system.
to communicate between container across host- overlay netwoekr is spanned across host systems. the overlay network manages ip address; which container gets which IP address and how the traffic has to flow to access individual containers.

CNI

CNI standard - guides writing and configuring network plugins and makes it easy to swap plugin in various orchestration platforms.

SERVICE DISCOVERY and DNS

no need to rememmer the ip addressses of important systems
1000s of containers have individual ip addresses.
diferent hosts in different Data centers and locations
information in containers can be removed when deleted
SERVICE REGISTRY all this information is put in a service registry
SERVICE DISCOVERY - process to find other services in the network and reguest information from them.

Approaches to Service Discovery

DNS servers - have a service APi that register new services as they are created.
KEY-VALUE store - datastore to store infomration about services. Popular choices for clustering are etcd, consul and apache zookeeper.
They are highly availble systems with strong failover mechanisms.

SERVICE MESH
Helps with monitoring, access control and encryption of network traffic when containers communicate with each other....a service mesh add a a proxy server to every container in your architecture....a proxy is a software that is used to manage network traffic.... it sits between client and server and modify/filter traffic before it reaches the server. POPULAR proxies are nginx, haproxy and envoy.
proxies handle communication between services....traffic is routed through proxies instead... popular service meshes are istio **and **linkerd. The proxies in a mesh service form the data plane shaping traffic flow... the rules and configs to be applied to proxies are managed centrally in the control plane of the service mesh.
Service mesh interface smi IS STANDARD .

STORAGE
containers are ephemeral
container images are read only so we need to add a read-write layer to allow writing files.
if need to persist data on host, a volume can be used to achieve that.
directories on host are passed through into container filesystem.

**CONTROL PLANE NODES

  1. ## KUBE-APISERVER centerpiece, all components interact with Api-server, users access the cluster thro it.
  2. ## ETCD a db that holds state of cluster
  3. ## KUBE-SCHEDULER when a new workload is scheduled, kube-scheduler chooses a worker node that could fit.
  4. ## KUBE-CONTROLLER-MANAGER manage state of cluster. A desired no of application is available all the time.
  5. ## CLOUD-CONTROLLER-MANAGER interacts with api of cloud providers like load balancers,storage or SG.

**Worker PLANE NODES

  1. Container runtime responsible for running containers of worker node. Docker and now containerd
  2. kubelet Agent that runs on every worker node in cluster. talks to api-server and container runtime to handle stage of starting containers.
  3. kube-proxy network proxy that handles inside and outside communication. networking capabiliites of underlying os.

kubernetes namespace are used to divide a cluster into virtual clusters, organize objects and manage which users has access to which folder.

setting up a test cluster : minikube, kind, MicroK8s.
setting up prod grade cluster: kubeadmin, kops, kubespray
cloude provider: EKS, GKE, AKS

Kubernetes API: Authentication (X.509 digitally signed certificates), authorization(RBAC), admission control (Open poLICY Agent to manage admission control externally).
Thro the API a user or service can create, delete, retrieve resources in k8s.

k8s api

RUNNING CONTAINERS IN KUBERNETES
Unlike in local machine where you start containers directly, in K8S, they use PODS.

kubelet <-->cri containerd plugin containers

NETWORKING
-Container-to-container communications {pod }
-pod to pod communication {overlay network}

  • pod-to-service communication {kube-proxy and packet filter on the node} -external-to-service communications {kube-proxy and packet filter on node}

When implementing networking, choose network vendors: CALICO, CILIUM, WEAVE.

Every pod gets it own ip address dynamically, USING core-dns, a dns server used for service discovery and name resolution in the cluster.

Network policies: cluster internal firewalls, with help of selector to specify the traffic allowed to and from pods that match the selector.

SCHEDULING

  • process of choosing the right worker node to run a containerized workload on. scheduling process starts when a pod is created. when a pod is described, scheduler selects a node where the pod actually get started by kubelet and container runtime. scheduler uses information about application requirements, to filter all nodes that fit the requirements, if multiple fit, the node with least amount of pods is choosen. if fails, the scheduler keeps trying.

KUBERNETES objects vs WORKLOAD OBJECTS

Objects are described in data serialization language YAML and send them to the API-server, where they get validated before being created.
the version(apiversion), kind of object to be created (kind), metadata(unique data that can be used to indentify it), Spec(specifications of the object).

  • K8s cluster like a factory has many components...security, storage, management of pods.
  • K8s objects control how pods are deployed, scaled and managed....they are like different parts of the factory.
  • Configuration management, cross-node networking, routing of external traffic, load balancing or scaling of the pods.
  • Workload Objects - they actually build and manage the applications.

Breakdown of the Analogy using a factory
Kubernetes Concept Factory Analogy Purpose

Pod A single worker assembling a product

Runs one or more containers (the "product").

ReplicaSet A controller object to ensure desired number of pods is running at any given time.

Deployment An automated assembly line for mass production Ensures many copies of a Pod run smoothly::by defining lifecycle, managing replicasetss,stateless applications in k8s.

StatefulSet A specialized assembly line for custom orders Manages Pods that need unique identities like ip add, stable name, persistent storage and graceful handling of updates and scaling (e.g., stateful applications like databases).

DaemonSet Maintenance crew in every section of the factory

Runs a Pod on every node (e.g., log collectors, monitoring and other infrastructure related workload).

Job A temporary worker hired for a one-time task Runs a Pod to completion (e.g., a backup job).

CronJob A scheduled task (like a nightly cleanup crew) Runs Jobs at specific times.

Service The shipping department (delivers products) Exposes Pods to the network.

ConfigMap/Secret Blueprints & security documents Stores configuration & sensitive data.

PersistentVolume Warehouse storage Provides long-term storage for Pods.

Namespace Different factory departments (e.g., "Production" vs. "R&D") Isolates resources in the cluster.

Key Takeaway
Workload objects = Assembly lines (they handle the actual work of running apps).

Other Kubernetes objects = Supporting roles (security, storage, networking, etc.).

KUBECTL official command line interface client

kubectl api-resources - - to list available objects

kubectl explain pod - - to get more info about object

kubectl explain pod.spec - - more about pod spec

kubectl create -f .yaml - - create object in k8s from yaml

HELM

  • used to create templates and package k8s objects. package manager, allowing easier update and interaction with objects.

HELM Charts - helm packages k8s objects in charts, which can be shared with other via registry (artifactHub).

POD CONCEPT

  • Collection of one or more containers that shared a namespace and cgroups.

  • it is the smallest unit of deployable unit in k8s.
    A pod allows combination of multiple processes that are interdependent. all containers in a pod share ip address and even filesystem even if they are different images.

  • Sidecare container - supports the main application like logging, monitoring,security, proxying within the same pod.

  • initContainers - starts containers before main application starts....containers: .... initContainers: .....

  1. Resources - set a resource request and a maximum limit for CPU and memory
  2. LivelinessProbe - configure health check that periodically check if container is alive, if check fails, container restarted.
  3. SecurityContext - set user and group setting and kernel capabilities.

Pod lifecycle phases

pending -- when a pod is in a cluster but no container is set up and ready to run...waiting to be scheduled or downloading images over the network.
Running -- when pod is bound to a node and all containers created, atleast one container running/starting/restarting.
Succeeded -- all containers are terminated and not restarted
Failed -- all container in pod terminated, atleast non-zero status container
Unknown - state could not be obtained.

**NETWORKING OBJECTS

** defines and abstract netwokring

  1. Service objects - used to expose set of pods as network sertvice.
  2. ingress objects

service types

clusterIP - round-robin load balancer- single endpoint for a set of pods. most common service type.
NodePort - extends ClusterIP by adding simple routing rules ..opens a port on every node in a cluster and maps it clusterip - allows external traffic to cluster
LoadBalancer - extends NodePort by deploying external LB instance. need API like GCP, AWS.
ExternalName - Uses K8S internal DNS server to create DNS alias. resolves hostnames..
Headless Services - depends on whether service has selectors defined ...eg statefulset containter

Service Types

Ingress Objects
provides a means to expose HTTP and HTTPS routes from outside of cluster for a service within the cluster. it routing rules are implemented with ingress controller.

  • ingress and egress rules are deffined in NetworkPolicies.

kubectl expose -- help
--exposes a resource as a new kubernetes service
kubectl get service --- helps list services exposed
kubectl scale --help ;;; scales as per replicasets indicated

Configuration Objects
-storing confiigs in env

  • its bad practice to include config in container build -configMap - store config files as key-value pairs.
  • - mount configMap as a volume in Pod
  • - map variable from configMap to env variables in pod

volumes:

  • name: nginx-conf configMap: name: nginx-conf
    • to store passwords, key and other sensitive information, secret objects are used... secrets as base64 encoded.

HASHICORP vault is a seret management tool in cloud environment.

AUTOSCALING Objects

  1. Horizontal Pod Autoscaler (HPA)
  2. most used, a second pod, third pod gets scheduled if capacity threshold is met...metrics-server
  3. Cluster Autoscaler
  4. if cluster capacity if fized, new worker nodes are added to cluster as per demand...
  5. Vertical pod Autoscaler
  6. pod resource requests and limits increase dynamically, new concept...

CLOUD NATIVE APPLICATION DELIVERY
continous intergration - building and testing of code - version control and collaboration of temas
Continous Delivery - automates deployment of pre-built software. deployed to development or staging before prod envirments or systems.
CICD tools: ArgoCD, jenkins , GitLab

  • Principles of GITops and how it intergrates with kubernetes Gitops - intergrates provisioning and change process of infrastructure with version control operations. ,, manages infrastructure changes... Pull based: agent watches the git repository for changes and if changes are detected, they are applied to the infrastructure running state/// FLUX and ArgoCD...

CLOUD NATIVE OBSERVABILITY

  • Allow analysis of collected data, understand system and react to errorr states. ## PROMOTHEUS metrics - quantitative measurements taken over time..error rate logs - messages of error, warning, debug infor present.. traces - progress of request as it passes through a service ; in distributed system, how long it took when being processed by a service.

docker log nginx - views logs in a container nginx
kubectl logs nginx
kubectl logs -p -c ruby web-1 -- view previous terminated container logs from pod web-1

kubectl logs -f -c ruby web-1 -- streaming of logs

fluentd or filebear tools can ship and store logs ... grafana
prometheus - open source monitoing system to collect metrics

prometheus collect data and grafana helps build dashboard for collected metrics,,with prometheus one of the data sources..

counter 0 value that increases(error count)
gauge 0 value that increase or decrease(memory)
node-level logging, logging via sidecare container, application-level logging 00pushes logs directly from application running in a cluster...

Top comments (0)