PODs are mortal & is the smallest unit of deployment in K8s object mode or is like hosting a service.
Each pod can host different set of containers. The proxy is then used to control the exposing of these services to the outside world. You cannot create your own pods, they are created by replicasets or statefulsets. When ever a pod runs it calls a container image from registry(if not available locally) and deploy its container within it self. It can have more than one container.
each Pod has only 1 IP, irrespective of number of containers.
all container in a Pod shares IP, cgroups, namespaces, localhost adapter, volumes
every pod can interact directly with other pod via Pod N/W (Inter-Pod communication)
there are two types of communication in pods
Inter-pod
Intra-pod - every container in a pod can interact each other via shared localhost interface
lets see how a pod manifest file look like to run in a cluster pod.yaml
$ kubectl get pods $ kubectl describe pods (checks status) NOTE: we don't work directly on pods
so we use replication controller to manage container inside a pod, which implements the desired state get your sample replcationController.yml Now big question is, how do we access our pods ? Service is the answer.
1. accessing outside the cluster (Browser, client) 2. accessing inside the cluster (How Pods interact with each other) services nail both the above
every service gets a name and IP which are STABLE! which means name and this IP will never change throughout its life. services are REST objects in K8s, service stands infront of Pod so that outside world can interact to Pods via service. service never change mean its IP, DNS, Ports are reliable, unlike Pods which are unreliable in nature.
Service use Labels to identify the Pods and do the things on them.
now since pods are mortal and they come and go, so how do service identify which pods are alive. so Its Endpoint which maintains the list of available pods dynamically and let service know about the active pods.
accessing replication controller pod and exposing it to a different Port (create/get/describe)
$ kubectl expose rc myapp-rc --name=myapp-svc --taget-port=8000 --type=NodePort (this way it will expose the service hello-svc)
$ kubectl describe svc myapp-svc (describes the service with all its meaningful attributes like port, Namespace, labels etc.)
K8S Deployments: Deployment is about updates and rollbacks this is the superset of replication controller and can access deployment via node pod service
Kubernetes is an Open-source tool donated by Google after experiencing it for over 10 years as Borg. It is a platform to work with containers and is an orchestration framework for Docker containers which gives you: deployment, scaling, monitoring
K8s helps in moving from host-centric infrastructure to container-centric infrastructure
In virtualization world atomic unit of scheduling is VMsame way in docker its Container and in Kubernetes it is Pod
keys of kubernetes
- we describe our application requirement in k8s yaml's
- It expose containers as services to the outside world.
- Kubernetes follows client-server architecture.
- In K8s we enforce desired state management via a manifest.yaml file. Here we feed the cluster service to run on a desired state in our infrastructure.
- on the other side we have worker. Worker is a container host & it has a kubelet process running which is responsible for communicating with K8S cluster services.
**Kubernetes rule says- pod cannot be directly exposed it has to be via service**
Containers > pods > deployments
For example, you can have two services − One service would contain nginx and mongoDB, and another service would contain nginx and redis. Each service can have an IP or service point which can be connected by other applications. Kubernetes is then used to manage these services.
Resources in kubernetes
minion − is the node on which all the services run. You can have many minions running at one point in time. Each minion will host one or more POD.
Pod −Pods are Mortal & is the smallest unit of deployment in K8s object mode or is like hosting a service. Each POD can host a different set of Docker containers. The proxy is then used to control the exposing of these services to the outside world. You cannot create your own pods, they are created by replicasets.
ReplicaSet −replicasets are created by deployment, these deployments contains declaration of containers which you want to run in cluster. like image/tag, env variable, data volumes,
Kubernetes has several components in its architecture.
Labels − use labels in your deployment manifest to target specific pods. that means pod with specific labels will only be manipulated depending on the label you have defined in your deploy manifest.
etcd − k8s objects persisted here. This component is a highly available key-value store that is used for storing shared configuration and service discovery. Here the various applications will be able to connect to the services via the discovery service.
kube-apiserver − This is an API which can be used to orchestrate the Docker containers.
kube-controller-manager − This is used to control the Kubernetes services.
kube-scheduler − This is used to schedule the containers on hosts.
Kubelet − This is used to control the launching of containers via manifest files from worker host. (which talks with K8S cluster).
kube-proxy − This is used to provide network proxy services to the outside world.
Flannel − This is a back-end network which is required for the containers.
Advance resources
context - it is a group of access parameters. Each context contains a Kubernetes cluster, a user, and a namespace. The current context is the cluster that is currently the default for kubectl : all kubectl commands run against that cluster.
ConfigMap - an API object that let you store your other object or application configuration, setting connection strings, analytics keys, and service URLs & further mounting them in volumes to use them as environment variable.
sidecar - is just a container that runs on the same Pod as the application container, because it shares the same volume and network as the main container, it can “help” or enhance how the application operates. Common examples of sidecar containers are log shippers, log watchers, monitoring agents among others, aka utility container.
helm −helm is a package manager for k8s which allows to package, configure & deploy applications & services to k8s-cluster.
helm Chart −helm packages are called charts, which consist of few YAML configs and some templates which are cooked into k8s manifest file.
helm chart repository − this packaged charts brought available and can be downloaded from chart repos.
Mandatory Fields while writing a manifest file
In manifest file for kubernetes objects you want to create, you’ll need to set values for the following fields:
metadata - Data that helps uniquely identify the object, including a name string, UID, and optional namespace
spec - What state you desire for the object.
Service in kubernetes
There are four ways to make a service accessible externally in kubernetes cluster
Nodeport: deployment that need to be exposed as a service to the outside world can be configured with the NodePort type. In this method when deployment exposed, cluster node opens a random port between default range: 30000-32767 on the node itself with IP (hence this name was given) and redirects traffic received on that random port to the underlying service endpoint which got generated when you expose your deployment. (combination of NodeIP + Port is NodePort ) accessing your app/svc as http://public-node-ip:nodePort
clusterIP is the default and most basic, which give service its own IP and is only reachable within the cluster.
Loadbalancer: an extension of the NodePort type—This makes the service accessible through a dedicated load balancer, provisioned from the cloud infrastructure Kubernetes is running on. The load balancer redirects traffic to the node port across all the nodes. Clients connect to the service through the load balancer’s IP.
Ingress resource, a radically different mechanism for exposing multiple services through a single IP address. It operates at the HTTP level (network layer 7) and can thus offer more features than layer 4 services can.
Network in kubernetes
Kubernetes default ethernet is called as cbr0 like you have docker0 for docker.
3 fundamental requirement in k8s networing model:
All the containers can communicate with each other directly without NAT.
All the nodes can communicate with all containers (and vice versa) without NAT.
The IP that a container sees itself as is the same IP that others see it as.
Pods Networks
Implemented by CNI plugins
pod network is big and flat
you have IP/Pod
every pod can talk to any other pod
Nodes Networks
All nodes needs to be able to talk
kubelet <-> API Server
Every node on the n/w has this process running called Kubeproxy & kubelet
n/w not implemeneted by k8s.
Service Networks
IP of your service is not tied up with any interface
Kube-proxy in IPVS modes create dummy interface on the service n/w, called kube-ipvs0
where as kube-proxy in IPTABLES mode does not.
Storage in kubernetes
there are three type of access mode:
RWO : Read Write Once - only one pod in cluster can access this volume
RWM : Read Write Many - All pods in cluster can acess data from this volume
ROM : Read Only Many - All pods in cluster can only read data from this volume
Not all volume support all modes
to claim the storage 3 properties has to match between PersistentVolume & PersistentVolumeClaim
After you create the persistentVolume & persistentVolumeClaim, the Kubernetes control plane looks for a PersistentVolume that satisfies the claim's requirements. If the control plane finds a suitable PersistentVolume with the same StorageClass, it binds the claim to the volume.
as of now the pv is not claimed by any pvc and thus is available and waiting for a pvc to claim it.
after you deploy the persistentVolume(pv) & persistentVolumeClaim (pvc) you can assign it to your running pod using below kind
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv
spec:
accessModes:
- ReadWriteOnce
storageClassName: ssd
capacity:
storage: 10Gi
hostPath:
path: "/mnt/mydata"
...
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc
spec:
accessModes:
- ReadWriteOnce
storageClassName: ssd
capacity:
storage: 10Gi
...
Deployment in kubernetes
Deployment is all about scaling and updating your release. You deploy your container inside a pod and scale them using replicaSet. It is not like only updating replicaSet will do the rolling update, we need to add a strategy in deployment manifest to get the job done
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 25%
maxSurge: 1
an ideal deployment manifest will look likedeployment.yml
its deployment manifest you need to update every time when you want to scale you application tune your number of replicaSet, if you want to update the app modify your image version or anything just tweak deployment manifest and it will redeploy your pod communicating with apiServer
$ kubectl apply -f deployment.yml
Autoscaling in kubernetes
when demand goes up, spin up more Pods but not via replicas this time. horizontal pod autoScaler is the answer
IF
---
apiVersion: v1
kind: Deployment
metadata:
name: mydeploy
spec:
replicas: 4
...
THEN
---
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaller
...
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: deployment
name: mydeploy
minReplicas: 1
maxReplicas: 10
targetCPUUtilizationPercentage: 50
...
Launching kubernetes as a single node cluster locally
Minikubeis the tool that allows you to launch K8S locally. Minikubes runs a single-node-K8S-cluster inside a VM at your local.
before you install kubectl Install minikube on Linux:
use this script to launch K8S VM on local and interact with Minikube cluster install-minikube.sh
basic minikube command
Function
Command
verify kubectl to talk to cluster
kubectl config current-context ( should return minikube)
Launching Kubernetes-Cluster on Google Cloud Platform
Presuming you holding account with GCP and is active then follow:
Go to Navigation menu--> Kubernetes engine --> clusters
provide all the details as per requirement like Zone, number of CPU's, OS, size of cluster(number of nodes/minions not include master- as that's taken care by platform behind the scene) and create
or same time we have command line option to create the cluster as:
*Launching K8S-cluster locally (1-Master and 2 Node)
Note: not all versions of docker supports kubernetes you need to install compatible version when needed Pre-reqs:
docker - runtime container
kubelet - k8s node agent that runs on all nodes in your cluster and starts pods and containers
kubeadm - admin tool that bootstrap the cluster
kubectl - command line util to talk to you cluster
CNI - install support for Container networking/ContainerN/wInterface
check if your Linux is in permissive mode: $ getenforce should return Permissive
if you fails to add k8s repository add it manually $ vi /etc/apt/sources.list.d/kubernetes.list (for Ubuntu) $ vi /etc/yum.repos.d/kubernetes.list(for Linux) add--> deb http://apt.kubernetes.io/ kubernetes-xenial main
If it fails with lower docker version update docker: docker.io (used for older versions 1.10.x) docker-engine (is used for before 1.13.x ) docker-ce ( used for higher version since 17.03) $ apt-get install docker-engine
if fails with [WARNING Service-Kubelet]: kubelet service is not enabled, please run 'systemctl enable kubelet.service' $ systemctl enable kubelet.service
If fails with [ERROR Swap]: running with swap on is not supported. Please disable swap. $ swapoff -a if fails with [ERROR NumCPU]: the number of available CPUs 1 is less than the required 2 use command with flag --ignore-preflight-errors=NumCPU this will actually skip the issue. Please note this is OK to use in Dev/test only.. not in production. Run again $ kubeadm init --apiserver-advertise-address=MasterIP --pod-network-cidr=192.168.0.0/16 --ignore-preflight-errors=NumCPU and result will be like:
now grab the three commands from output and run them with a regular user so as to configure our account on master to have admin access to API server from a non-privileged account
$ mkdir -p $HOME/.kube $ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config $ sudo chown $(id -u):$(id -g) $HOME/.kube/config $ kubectl get nodes $ kubectl get pods --all-namespaces if your normal user is not a sudoer then do this: $ vi /etc/sudoers add following entry somewhere like: root ALL=(ALL) ALL red ALL=(ALL) NOPASSWD:ALL
if still fails to run kubectl command and fails with below error:
The connection to the server x.x.x.x:6443 was refused - did you specify the right host or port?
consider checking kubelet status by running below command it should be active and running
$ sudo systemctl kubelet status
if it is inactive
check swap status, if it is enabled, disable it (sudo swapoff -a) and restart kubelet service
the status remains pending until we will not create pod networks
to add pod-network you can install only one pod-network/cluster either use calico, weave, flannel or any as cin provider $ kubectl apply --filename https://git.io/weave-kube $ kubectl apply -f https://docs.projectcalico.org/v3.11/manifests/calico.yaml
if at all you failed to deploy pod network, you might need to do the following:
if fails while joining cluster with [ERROR FileContent--proc-sys-net-bridge-bridge-nf-call-iptables]: /proc/sys/net/bridge/bridge-nf-call-iptables contents are not set to 1
