Exercises and notes were referenced from here.
- Image is the read-only template that tells us how the container will be realized.
-
Container is the runtime instance of an image that gets created.
-
Containers are ephemerous and stateless. Don't store data here. (refer to StatefulSet to deal with this, however, a better approach could be to use the Cloud provider database services)
-
Central respositories for container images.
-
Private/Public.
-
Docker Hub, Microsoft (Azure Container Registry), Amazon Elastic Container Registry, Google Container Registry.
docker images
docker stop xxxx
docker rm xxxx
docker build ....
docker run ....
-
Define and run multi-container applications.
-
Define using YAML files.
-
Run using the docker CLI with the compose plugin
Docker compose. -
Set Resource Limits (e.g. CPU, Memory), Environment Variables, and Restart Policy.
-
Use for Networking, Dependencies.
-
Workloads that don't require a full orchestrator.
-
Development and tests locally.
-
Use of a service that can run Docker-compose files.
-
-
Human friendly data serialization standard.
-
Used by Docker-Compose and Kubernetes (Copy from kubernetes.io/docs).
-
A superset of JSON.
-
Donated by Google to the Cloud Native Computing Foundation(CNCF).
-
Designed as a loosely coupled collection of components centered around deploying, maintaining and scaling workloads.
-
Vendor-neutral.
-
Backed by a huge community.
-
Service discovery and load balancing.
-
Storage orcestration (Local or Cloud based).
-
Automated rollouts and rollbacks.
-
Self-healing.
-
Seret and configuration management.
-
Use the same API across on-premise and every cloud providers.
-
Container runs in a Pod.
-
Pod runs in a Node. A pod can run many containers. One of the containers is the main worker, with application logic.
-
Node runs in a Cluster. A node can run many pods.
-
Master - Control Plane : location of the services and controller. We do NOT run containers in this master node!
-
etcd : key value datastore where the state of the cluster is stored. a. Single source of truth. b. NOT a database or a datastore for applications to use.
-
kube-apiserver : the only component that communicates with
etcd.a. Exposes a REST interface and client tools.
b. Saves state to the datastore (etcd).
c. All clients interact with this, NEVER directly to the datastore.
-
kube-control-manager : the controller of controllers.
-
cloud-control-manager : interacts with the cloud providers controlers.
-
kube-scheduler : watches newly created pods that have no node assigned, and selects a node for them to run on.
-
Worker Nodes have :
a. kubelet : manage the pods lifecycle.
b. kube-proxy : networy proxy that manages network rules on nodes.
c. container runtime : must implement the kubernets container runtime interface.
-
Pods
a. Atomic unit of the smallest unit work of K8s.
b. Encapsulates an application's container.
c. Represents a unit of deployment.
d. Can run one or multiple containers.
e. Containers within a pod share IP address space, mounted volumes, and communicate via Localhost, IPC.
f. Ephemeral (short lived).
g. Deploying a pod is an atomic operation.
h. If it fails, it is replaced with a new one with a shiny new IP address.
i. We don't update a pod, we replace it with an updated version.
j. We scale by adding more pods, not more containers in the pod.
-
kubectlcommunicates with the apiserver. -
Configuration stored locally.
a. ${HOME}/.kube/config
b. C:\Users\ {USER}\ .kube\config.
-
A context is a group of access parameters to a K8s cluster.
-
Contains a kubernetes cluster, a user, and a namespace.
-
The current context is the cluster that is currently the default for kubectl.
a. All
kubectlcommands run against that cluster.
-
A workload is an application running on kubernetes.
-
A Pod is the atomic workload.
-
StatefulSet
a. Designed for Pods that must persist or maintain state.
b. Unlike a Deployment, a StatefulSet maintains a sticky identity for each of their Pods.
c. Each has a persistent identifier (name-x)
d. If a pod dies, it is replaced with another one using the same identifier.
e. Creates a series of pods in sequence from 0 to X and deletes them from X to 0.
f. Typically used in stable, unique network identifiers and stable, databases using persistent storage.
g. Deleting a StatefulSet will not delete the PVCs (PersistentVolume Claims), it has to be done manually.
-
DaemonSet
a. Specialised workload that ensures all Nodes (or a subset) run an instance of a Pod.
b. Scheduled by the scheduler controller and run by the daemon controller.
c. Typically used in running a logs collection daemon on every node or running a node monitoring daemon on every node.
-
ReplicaSets
a. Primary method of managing pod replicas and their lifecycle to provide self-healing capabilities.
b. Their job is to always ensure the desired number of pods are running.
c. Provides self-healing and scalability functionality.
d. While we can create ReplicaSets, the recommended way is to create Deployments.
-
Deployments
a. A deployment manages a single pod template.
b. A deployment for each microservice.
c. Deployments create ReplicaSets in the background.
d. We don't interact with the ReplicaSets directly.
e. Provides rolling updates (cycle through updating pods) and rollbacks functionality.
-
Jobs and CronJobs
-
Purpose of the services is to make the calls between pods more robust.
-
A service is another type of K8s object.
-
Pod IPs are unreliable but service IPs are.
-
Durable (unlike pods)
a. Static IP address.
b. Static DNS name. c.[servicename].[namespace].svc.cluster.local
-
Services are ways to access pods.
-
Target pods using Selectors.
-
Default service in kubernetes.
-
Visibility
a. CLuster internal
-
Port
a. The port the service is listening to.
-
TargetPort
a. Redirecting to the port the pod(s) are listening to. (Route the incoming traffic to this port)
-
Load balanced using round robin.
a. Session affinity is configurable.
-
When to use
a. To provide a durable way to communicate with pods inside the cluster.
-
With multiple microservices, we place the ClusterIP in front of each of them.
-
NodePort extends the ClusterIP service.
-
Visibility
a. Internal and external.
-
NodePort
a. The port the service is listening to externally.
b. Statically defined, or dynamically taken from a range between 30000-32767.
-
Port
a. The port the service is listening to internally.
-
Target Port
a. Redirecting to the port the pod(s) are listening to.
-
Nodes must have public IP addresses.
-
Use any Node IP + nodePort to access the service.
-
Layer 4 Load Balancing
a. Operating at the Transport Level (TCP).
b. Unable to make decisions based on content.
c. Simple algorithms such as round-robin routing.
-
Layer 7 Ingress
a. Operating at the application level (HTTP, SMTP, etc).
b. Able to make decisions based on the actual content of each message.
c. More intelligent load balancing decisions and content optimizations. (e.g. routing rules)
-
We need to store data outside the container in a Volume.
-
Volumes let containers store data into external storage systems.
-
Vendors create plugins for their storage systems according to the container storage interface.
-
Two ways to create storage
a. Static and Dynamic (Reclaim Policies are set to
Deleteas the default)
-
Persistent Volumes
a. Represent a storage resource
b. Cluster wide
c. Provisioned by an administrator
-
Persistent volume claim
a. A one-to-one mapping to a persistent volume.
-
One or more pods can use a Persistent Volume Claim.
-
Can be consumed by any of the containers within the pod.
-
Drawbacks
a. Waste of resources when a pod only needs a small slice, but no other pods can get a slice during this period.
-
Use hostPath only for local testing. It works only on single-node clusters.
-
Describes the "classes" of storage offered by the admin.
-
An abstraction on top of an external storage resource.
-
No need to set a capacity, as opposed to Persistent Volumes.
-
Eliminates the need for the admin to pre-provision a persistent volume.
-
Allows you to decouple and externalize configuration values.
-
Referenced as environment variables.
-
Created from:
a. Manifests (yaml files)
b. Files (text files, etc.)
c. Directories
-
Static meaning that if you change values, the containers will have to be restarted to get them.
-
A kind of K8s Objects.
-
Stored as base64 encoded strings.
-
Not secure as base54 strings are not encrypted.
-
Protect them using RBAC authorization policies.
-
Store secrets elsewhere if there are sensitive information.
a. Cloud providers offer ways to secure these secrets.
1. Azure Key Vault. 2. AWS Key Management Service. 3. Google Cloud KMS
-
Start up probes
a. To know when a container has started.
-
Readiness probes
a. To know when a container is ready to accept traffic.
b. A failing readiness probe will stop the application from receiving traffic.
-
Liveness probes
a. Indicates whether the code is running or not.
b. A failing liveness probe will restart the container.
-
Probing the container:
a. The kubelet checks periodically the containers using probes.
b. ExecAction - execute a command inside the container.
c. TCPSocketAction - check if a TCP socket port is open.
d. HTTPGetAction - performs an HTTP GET against a specific port and path.
-
Uses the K8s Metrics Server.
-
Pods must have requests and limits defined.
-
The HPA checks the Metrics Server every 30 seconds.
-
Scale according to the min and max number or replicas defined.
-
Cooldown / Delay
a. Prevent race conditions.
b. Once a change has been made, HPA waits.
c. By default, the delay on scale up events is 3 minutes, and the delay on scale down events is 5 mins.
-