Containers Flashcards
Binary Authorization
Deploy-time policy control that ensures only trusted container images run on GKE and Cloud Run (and Anthos clusters)
Requires images to carry attestations (signatures) from attestors you trust, e.g. a CI/CD pipeline or a vulnerability scanner
Verifies the attestations at admission time, before the image runs; unsigned images are blocked, or only audit-logged in dry-run mode
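An example Binary Authorization policy, added here as an illustration (it is not the deck's own text). PROJECT_ID, the attestor name build-attestor and the cluster us-central1-a.dev-cluster are assumed names; the field names are the documented policy schema:

```yaml
# Import with: gcloud container binauthz policy import policy.yaml
name: projects/PROJECT_ID/policy
# Keep letting Google-maintained system images (GKE add-ons) run unattested
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  # Every other image must carry an attestation from the listed attestor
  evaluationMode: REQUIRE_ATTESTATION
  # Block the pod AND write an audit log entry
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
    - projects/PROJECT_ID/attestors/build-attestor   # assumed attestor
clusterAdmissionRules:
  # Per-cluster override (key is LOCATION.CLUSTER_NAME): same rule on the
  # dev cluster, but only log violations instead of blocking them
  us-central1-a.dev-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: DRYRUN_AUDIT_LOG_ONLY
    requireAttestationsBy:
      - projects/PROJECT_ID/attestors/build-attestor
```

Start new clusters in dry-run mode, watch the audit log for images that would have been denied, then switch to ENFORCED_BLOCK_AND_AUDIT_LOG. Avoid broad admissionWhitelistPatterns entries: any image matching a pattern bypasses attestation entirely. An emergency deploy can still bypass the policy with the pod annotation alpha.image-policy.k8s.io/break-glass: "true", which is itself audit-logged.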
Node affinity labels
Node labels plus affinity rules, used to group nodes and steer pods (not VMs) onto specific nodes; a node pool applies the same labels to all of its nodes
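A pod manifest that uses node affinity, added as an example that is not part of the deck. The label workload-tier is an assumed custom label (set on a node pool with gcloud container node-pools create restricted-pool --cluster CLUSTER --node-labels=workload-tier=restricted); cloud.google.com/gke-nodepool is a label GKE sets on every node; the image name is assumed:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pci-worker
spec:
  affinity:
    nodeAffinity:
      # Hard requirement: the scheduler leaves the pod Pending rather than
      # placing it on a node that lacks this label
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: workload-tier          # assumed custom label
                operator: In
                values: ["restricted"]
      # Soft preference: among matching nodes, prefer the dedicated pool
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 80
          preference:
            matchExpressions:
              - key: cloud.google.com/gke-nodepool
                operator: In
                values: ["restricted-pool"]   # assumed node pool name
  containers:
    - name: app
      image: gcr.io/PROJECT_ID/app:1.0      # assumed image
```

Affinity only keeps this pod on the labelled nodes; it does not keep other workloads off them. To reserve the pool, also taint it (--node-taints=workload-tier=restricted:NoSchedule on the node pool) and add a matching toleration to the pods that belong there.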
K8 API Server
Front end of the control plane: apps and kubectl make calls to the control plane through the API server
Handles all intracluster interactions; scheduler, controllers and kubelets all talk through it (so API-server authn/authz and audit logging cover the whole cluster)
K8 scheduler
Determines where to run pods
etcd
Distributed key-value store holding cluster state across the cluster (including Secrets, so read access to etcd is equivalent to cluster admin)
K8 control plane components (4)
Controller Manager
API server
Scheduler
etcd
kubelet
Agent on each node that talks to the control plane and runs the pods scheduled to that node
kube-proxy
Network proxy on each node that implements Service rules (iptables/IPVS) for network communication inside and outside the cluster
Kubernetes container runtimes (3)
Any runtime that implements the Kubernetes Container Runtime Interface (CRI):
Docker via dockershim *deprecated, removed in Kubernetes 1.24
containerd (GKE default)
CRI-O
Components in nodes (3)
kubelet
kube-proxy
container runtime
PersistentVolumes
Cluster-level storage resource (on GKE usually a Persistent Disk) that a pod binds to through a PersistentVolumeClaim; outlives the pod
StatefulSets
Workload controller for stateful pods: stable ordinal names and network identity, ordered rollout, and one PersistentVolumeClaim per pod
Clients can be paired with a specific pod through its stable DNS name (via a headless Service)
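The following manifest, added as an example that is not from the deck, ties the two cards together: a headless Service gives each StatefulSet pod a stable DNS name, and volumeClaimTemplates gives each pod its own PersistentVolume. The Secret db-credentials and the postgres image are assumed; standard-rwo is GKE's Persistent-Disk-backed StorageClass:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: db
spec:
  clusterIP: None          # headless: pods get db-0.db, db-1.db, ... DNS names
  selector:
    app: db
  ports:
    - port: 5432
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: db
spec:
  serviceName: db          # must match the headless Service
  replicas: 2
  selector:
    matchLabels:
      app: db
  template:
    metadata:
      labels:
        app: db
    spec:
      containers:
        - name: postgres
          image: postgres:15                 # assumed image
          env:
            - name: POSTGRES_PASSWORD        # pulled from a Secret, not inlined
              valueFrom:
                secretKeyRef:
                  name: db-credentials       # assumed Secret
                  key: password
            # Use a subdirectory: a freshly formatted Persistent Disk contains
            # lost+found, and initdb refuses a non-empty data directory
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql/data
  # One PVC per pod (data-db-0, data-db-1); PVCs survive pod deletion and are
  # NOT removed when the StatefulSet is deleted
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: standard-rwo
        resources:
          requests:
            storage: 10Gi
```

Because the PVCs outlive the StatefulSet, deleting the workload does not delete the data; wipe or snapshot the disks deliberately when decommissioning.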
Ingress Controller
Controller that implements Ingress resources: HTTP(S) routing from outside the cluster to Services (on GKE, a Google Cloud HTTP(S) load balancer)
Node pool
Set of nodes within a cluster that share the same config (machine type, node image, labels); one cluster can have several node pools
GKE modes of operation (2)
Standard
Autopilot - preconfigured, managed
GKE cluster zone and region options (3)
Zonal - 1 control plane replica in 1 zone, nodes in the same zone
Multizonal - 1 control plane replica in 1 zone, nodes in multiple zones
Regional - control plane replicas in multiple zones of 1 region, node pools replicated across 3 zones by default
VPC-native cluster
Uses alias IP ranges for pod and Service IPs, so pod IPs are natively routable on the VPC (default and recommended)
Routes-based cluster
Uses Google Cloud custom static routes (one per node) to route traffic between pods (legacy)
K8 IP types (3)
Cluster IP - stable virtual IP fixed to a Service
Pod IP - ephemeral IP assigned to a pod for its lifetime
Node IP - IP of the node (VM)
ClusterIP
Default Service type
Internal clients send requests to a stable internal (virtual) IP
Makes the Service reachable only from WITHIN the cluster
NodePort
External clients send requests to the IP of any node on the static nodePort the Service specifies (30000-32767 by default); the port is opened on every node
LoadBalancer (service type)
Clients send requests to the IP of a network load balancer that GKE provisions (external by default, internal via annotation); builds on NodePort
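One Service of each type for the same backend, added as an example that is not part of the deck. The label app: api, the ports and the 10.0.0.0/8 client range are assumptions; the annotation networking.gke.io/load-balancer-type and loadBalancerSourceRanges are real GKE/Kubernetes fields:

```yaml
# Reachable only inside the cluster (default type)
apiVersion: v1
kind: Service
metadata:
  name: api-internal
spec:
  type: ClusterIP
  selector:
    app: api
  ports:
    - port: 80
      targetPort: 8080
---
# Reachable on <any node IP>:30080; every node opens the port, so a VPC
# firewall rule decides who can actually reach it
apiVersion: v1
kind: Service
metadata:
  name: api-nodeport
spec:
  type: NodePort
  selector:
    app: api
  ports:
    - port: 80
      targetPort: 8080
      nodePort: 30080            # must fall in the cluster's node port range
---
# Load balancer: internal (VPC-only) rather than the default public one,
# and limited to the given client ranges (GKE creates firewall rules)
apiVersion: v1
kind: Service
metadata:
  name: api-lb
  annotations:
    networking.gke.io/load-balancer-type: "Internal"
spec:
  type: LoadBalancer
  loadBalancerSourceRanges:
    - 10.0.0.0/8               # assumed client range
  selector:
    app: api
  ports:
    - port: 443
      targetPort: 8443
```

Without the annotation a type LoadBalancer Service gets a public IP, and without loadBalancerSourceRanges it accepts traffic from anywhere; both are the common accidental-exposure path.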
Fleet
Group of multiple clusters (managed as one)
All Anthos deployment types include…(2)
Anthos Service Mesh
Anthos Config Management
Anthos Service Mesh features (4)
Traffic control (routing, splitting, retries) for HTTP(S) traffic
Metrics, logs, traces for HTTP traffic
Service-level authentication and authorization (mTLS between sidecars, identities derived from Kubernetes service accounts)
Support for A/B testing and canary rollouts
Anthos Config Management
Cluster configuration synced from a Git repo (Config Sync)
Policy Controller - enforces security and auditing rules across the fleet (built on OPA Gatekeeper)
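A Policy Controller constraint, added as an example that is not from the deck. K8sPSPPrivilegedContainer is a template from the Policy Controller constraint template library; the constraint name and the excluded namespace are assumptions:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: no-privileged-containers
spec:
  # "dryrun" first: violations show up in the constraint's status and in the
  # audit, nothing is blocked. Switch to "deny" once the audit is clean.
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]   # assumed exemption
```

Read the findings with kubectl get K8sPSPPrivilegedContainer no-privileged-containers -o yaml (the violations list is under status). Because the same constraint is synced to every cluster in the fleet, a rule changed in Git changes the admission behaviour of all of them at once.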
Anthos Service Mesh deployment options (3)
In-cluster control plane
- Istiod service manages security, traffic, config, service discovery
Managed Anthos Service Mesh
- Google managed control plane (upgrades, scaling, security)
- Option to enable Google managed data plane by installing in-cluster controller that manages sidecar proxies
Anthos Service Mesh for Compute Engine VMs
- Observe, secure, manage traffic of managed instance groups (MIGs) added to the mesh
Anthos deployment options (4)
GKE - GCP hosts the control plane and manages nodes
On-Prem - Anthos clusters on VMware
Multi-Cloud - Anthos clusters in AWS or Azure
Attached Cluster - Anthos only manages Anthos services running in clusters (third party K8 distribution)
Scaling GKE workloads
- Automatic options (3)
Horizontal pod autoscaler (adds or removes pod replicas)
Vertical pod autoscaler (adjusts pod CPU/memory requests)
Node auto-provisioning (creates and deletes node pools to fit pending pods, on top of the cluster autoscaler)
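The two pod-level autoscalers applied to one Deployment, as an added example that is not from the deck. The Deployment name api and the thresholds are assumptions:

```yaml
# Scale out/in between 2 and 10 replicas to hold average CPU at 70% of the
# pods' CPU request (so the Deployment must set resources.requests.cpu)
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: api
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: api                  # assumed Deployment
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
---
# Recommend right-sized requests for the same Deployment, but do not act on
# them: a VPA that rewrites CPU requests would fight the CPU-based HPA above
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: api
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: api
  updatePolicy:
    updateMode: "Off"          # recommendations only; read them from status
```

Node auto-provisioning is a cluster setting rather than a manifest: gcloud container clusters update CLUSTER --enable-autoprovisioning --min-cpu 1 --max-cpu 64 --min-memory 1 --max-memory 256 (the limits are assumed values) lets GKE add node pools when the HPA creates pods that no existing pool can hold.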
GKE Usage Metering
Breaks down cluster resource usage and cost by namespace and label (exported to BigQuery)