Kubernetes

Kubernetes

aka K8s (K-8 letters-s)
Documentation

How to run Kubernetes workloads in systemd with Podman @RedHat: Use Kubernetes YAML with Podman template to spin up pods/containers through systemd.

Implementations, Frameworks and Distributions

• k8e: Kubernetes Easy Engine
• k3s
  • CIS Hardening Guide
• k0s
• Microk8s
• Minikube
• OKD
• OpenShift
• Quarks

  A Kubernetes Native Java stack tailored for OpenJDK HotSpot and GraalVM, crafted from the best of breed Java libraries and standards.

Architecture

Control Plane

1. Kubernetes API: kubectl and kubeadm communicate with REST interface
   • list components with: kubectl api-resources
   • show Kubernetes system pods: kubectl get pods -n kube-system
   • show API pod info with: kubectl describe pod kube-api... -n kube-system
2. etcd: open-source, highly-available key-value store - saves all data about cluster state
3. scheduler: assign new pods to nodes
4. controller-manager: constantly check components, e.g. pods to start a new one in case of an issue
5. cloud provider API: connection to AWS, GCP, Azure, etc.

Worker Nodes

• most clusters run with at least 3 worker nodes
• every node runs Kubelet, an agent ensuring pods are up and healthy, directly communicating with API
• container runtime interface (CRI): used by Kubelet to create containers
  • Containerd
  • CRI-O
  • Kata Containers
  • AWS Firecracker
  • Docker container engine removed in v1.24 (Dockershim), but images can be run
• Kube-proxy: communication between pods and services, direct connection to API

Services

• ClusterIP: expose cluster-internal IP addresses
• LoadBalancer
• NodePort: expose node IP addresses at static ports

Containers

• Resource management

  [!example]-

  ---
  apiVersion: v1
  kind: Pod
  metadata:
    name: frontend
  spec:
    containers:
    - name: app
      image: images.my-company.example/app:v4
      resources:
        requests:
          memory: "64Mi"
          cpu: "250m"
        limits:
          memory: "128Mi"
          cpu: "500m"
  

Pods

• Deployment: replicas, no-downtime upgrades
• DaemonSet: one pod per node, e.g. background processes collecting metrics
• Jobs: one ore more pods, run until completion, then deletes pod

Storage

• database outside of cluster, e.g. SQL with cloud providers offering connections
• Kubernetes Persistent Volumes: within cluster, objects called statefulSets can be used

Security

Some container best practices

• unprivileged containers
• read-only root filesystem

    spec:
      containers:

      - name: secured-container
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: true

Tools

• Snyk: scan IaC files, including Kubernetes manifests

References

• US NSA Kubernetes hardening guide

Tools

• Konveyor

  The Konveyor community helps modernize applications by providing open source tools to rehost, replatform, and refactor applications to Kubernetes and cloud-native technologies.

Helm

Documentation

package manager for Kubernetes

Compose specification: Compose file format used to define multi-containers applications

References

• Canoncial: Kubernetes at the edge #dev/iot #dev/edge
• Guide/Blog FaaS cluster on RPi’s with Kubernetes
• training and certification
  • Linux Foundation
    • Linux Foundation: Introduction to Kubernetes (LFS158): free introduction course 15-20h course material, hands-on & assignments, …
    • Kubernetes and Cloud Native Associate exam
    • Certified Kubernetes Application Developer exam
    • Certified Kubernetes Administrator exam