Kubernetes Flashcards
container runtime
a k8s component: the software on each node that actually runs the containers, spoken to by the kubelet over the CRI, e.g. containerd or CRI-O (Docker Engine needs the cri-dockerd shim since dockershim was removed in 1.24)
pod is what of k8s
k8s object
to see each pod’s node
kubectl get po -o wide
create yml of pod quickly
kubectl run redis --image=redis123 --dry-run=client -o yaml > redis.yaml (--dry-run=client only renders the manifest, nothing is created)
edit pod
- use existing yml
- extract into yml and recreate pod
- k edit works only for these pod fields (every other field of a running pod is immutable: delete and recreate it, or k replace --force)
spec.containers[*].image
spec.initContainers[*].image
spec.activeDeadlineSeconds
spec.tolerations
spec.terminationGracePeriodSeconds
(spec.replicas is a ReplicaSet/Deployment field, not a pod field; it can be edited in place there)
ReplicaSet (successor of the ReplicationController)
difference between the two?
- both keep the desired number of pod replicas running (high availability) and spread them across nodes; neither load balances traffic, that is the Service's job
- ReplicaSet (apps/v1) requires a selector and supports set-based selectors (matchLabels and matchExpressions); ReplicationController only supports equality-based selectors and is legacy
selector: also lets the ReplicaSet adopt pre-existing pods that match the labels, not only the pods it created itself
edit replicaset
k replace -f xxx.yml
k scale --replicas=6 -f rs-definition.yml (scales the live object; the file itself is not updated)
k scale --replicas=6 replicaset my-rs
get version of a k object
k explain replicaset
quick delete multiple pods
in a line: k delete po po1 po2 po3 po4
deployment vs rs
deployment contains replicaset, rs contains pod
--all-namespaces, short -A
--selector, short -l (there is no --label flag on kubectl get)
e.g. k get po -A -l tier=db
Cert Tip: Imperative Command
Run an instance of the image webapp-color and publish port 8080 on the container to 8282 on the host.
docker run -p 8282:8080 webapp-color
light version docker image
python:3.6-alpine on alpine not debian
Practice test Docker images
answer is missing
docker ps vs docker ps -a
-a list all containers including the stopped ones
a container exits when its main process (PID 1, started from CMD/ENTRYPOINT) exits. That process must be long-running, such as a web or db server. The default CMD of the ubuntu image is bash, which has no TTY/stdin attached and exits immediately, so the container stops right away
docker run ubuntu
exits immediately (default CMD is bash with no TTY), but
docker run ubuntu [cmd]
docker run ubuntu sleep 5 lasts for 5 secs
or, in the Dockerfile:
CMD sleep 5 (shell form, runs via /bin/sh -c)
CMD ["sleep", "5"] (exec form, preferred: no shell in between, sleep is PID 1 and receives signals)
or:
ENTRYPOINT ["sleep"]
docker run ubuntu-sleeper 10
or:
ENTRYPOINT ["sleep"]
CMD ["5"] -> default argument, replaced by whatever follows the image name
or, override at runtime:
docker run --entrypoint sleep2.0 ubuntu-sleeper 10
k replace --force -f x.yml
deletes and recreates the pod from the file (the way to change immutable pod fields)
docker run --name ubuntu-container --entrypoint sleep2.0 ubuntu-sleeper 10, expressed in a pod definition:
command: ["sleep2.0"] (overrides ENTRYPOINT)
args: ["10"] (overrides CMD; both are lists, not shell strings)
imperative vs declarative
k create configmap
k create -f xxx.yml
convert base64
echo -n 'paswrd' | base64 (-n: no trailing newline, otherwise the newline becomes part of the secret)
echo -n 'paswrd' | base64 --decode
base64 is encoding, not encryption: anyone with get on Secrets reads the value, and it sits in plaintext in etcd unless encryption at rest is configured
ubuntu install
apt-get install
list processes on the docker host / inside a container
security context
ps aux (on the host you see every container's processes; inside a container only its own)
the same process has a different PID inside the container (it is PID 1 there) than on the host -> PID namespace isolation
by default processes run as root inside the container, but that root has a reduced capability set and is confined by namespaces, so it is not root on the host
change the capabilities of the container's root:
docker run --cap-add MAC_ADMIN
or --cap-drop (drop what you don't need, e.g. --cap-drop ALL --cap-add NET_BIND_SERVICE)
--privileged grants all capabilities plus access to host devices: avoid it
get user inside pod
k exec po-name -- whoami (or k exec -it po-name -- sh for a shell; add -c container-name in a multi-container pod)
resource CPU unit
memory unit 1G vs 1Gi
1 = 1 vCPU / 1 core (1 hyperthread)
0.1 == 100m (millicores); smallest granularity is 1m
1G = gigabyte = 1,000,000,000 bytes
1Gi = gibibyte = 2^30 = 1,073,741,824 bytes (about 7% more than 1G; Mi/Gi are what most manifests use)
can cpu or mem exceed the limit
CPU cannot be exceeded: the container is throttled by the CFS quota. Memory can be exceeded briefly, but the container is then killed (OOMKilled, shown under Last State / Reason in describe) and restarted according to restartPolicy
what are the resource requests and limits by default?
none: a pod is unbounded unless a LimitRange in the namespace supplies defaults
CPU configuration options, worst to best:
- no requests, no limits: one pod can starve the others
- limits but no requests: the request is set equal to the limit automatically
- requests but no limits: guaranteed share, can burst into idle CPU (usually the preferred choice for CPU)
when only a limit is set, what is the request?
request = limit, set automatically by k8s
set default requests/limits for all newly created pods in a namespace
LimitRange object (per namespace; only affects pods created after it exists; can also enforce min/max per container)
restrict the total amount of resources in a namespace
ResourceQuota object
hard caps on the sum of requests/limits (and object counts) across the namespace. Once a quota names cpu or memory, every new pod must specify that request/limit or it is rejected, unless a LimitRange supplies defaults
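A LimitRange and a ResourceQuota for one namespace, as an added example (not from the flashcards); the namespace name dev and every number are assumptions chosen for illustration.

```yaml
# Added example, not from the original flashcards. Namespace "dev" and all
# numbers are assumptions chosen for illustration.
apiVersion: v1
kind: LimitRange
metadata:
  name: container-defaults
  namespace: dev
spec:
  limits:
  - type: Container
    defaultRequest:       # filled in when the container sets no request
      cpu: 100m
      memory: 128Mi
    default:              # filled in when the container sets no limit
      cpu: 500m
      memory: 256Mi
    min:                  # containers asking for less are rejected
      cpu: 50m
      memory: 64Mi
    max:                  # containers asking for more are rejected
      cpu: "2"
      memory: 1Gi
# Caveat from the card above: a container that sets only a limit (say cpu: "1")
# gets request = limit = 1, not the 100m defaultRequest. The defaultRequest
# only applies when neither request nor limit is given.
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: dev-quota
  namespace: dev
spec:
  hard:
    requests.cpu: "4"        # summed over every pod in dev
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "20"
    secrets: "10"
# With this quota in place a pod that sets no cpu/memory requests and limits is
# rejected, unless the LimitRange above fills them in first. Check usage with:
#   kubectl describe quota dev-quota -n dev
```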
check reason of failed pod
describe po and check Last State: with its Reason: (e.g. OOMKilled, Error) and Exit Code:, plus the Events at the bottom
default sa: what is it? can the token mount be disabled?
every namespace has a ServiceAccount named default; its token is automatically mounted into every pod of the namespace that does not name another sa. It has no RBAC permissions beyond API discovery unless someone binds a Role to it. Disable the mount with automountServiceAccountToken: false in the pod spec (or on the ServiceAccount object)
how to change the sa of a pod from default? of deployment?
change serviceAccountName in the pod spec and recreate the pod (the field is immutable on a running pod). For a deployment, edit the pod template; the rollout replaces the pods
since 1.24 the sa token Secret is no longer created automatically; how to get a token?
k create token sa-name: a short-lived token, 1h by default (--duration to change it). Pods get a projected, auto-rotating token through the TokenRequest API without any Secret
or
(not recommended: no expiry, readable by anyone who can get Secrets)
create a kubernetes.io/service-account-token type Secret annotated with the sa name, as before
check token of a sa
check taint of a no
describe it and check Tokens: (empty since 1.24 unless a legacy Secret was created by hand)
describe and check taints:
check sa of a pod/deploy
describe the pod and find Service Account:
change sa of deploy from default
go to spec.template.spec and add serviceAccountName: sa-name
taint nodes
untaint a node
k taint no no-name app=blue:NoSchedule (effects: NoSchedule, PreferNoSchedule, NoExecute; NoExecute also evicts running pods without a matching toleration)
add a minus at the end: k taint no no-name app=blue:NoSchedule-
what do taints and tolerations restrict?
only the node: a taint keeps pods without a matching toleration off that node. A pod with a matching toleration is allowed on it but not guaranteed to land there; combine with nodeSelector or node affinity to pin it
check where is the po
-o wide
node-selector
label a node
nodeSelector in pod.spec
(simple: only equality matches on labels, all of them must match; no OR, NotIn or Exists)
k label no no-name key=value
node affinity
ensures a pod lands on nodes whose labels match expressions (In, NotIn, Exists, DoesNotExist, Gt, Lt). More expressive than nodeSelector
requiredDuringSchedulingIgnoredDuringExecution: at scheduling time a matching node must be found, otherwise the pod stays Pending
preferredDuringSchedulingIgnoredDuringExecution: try to match, schedule anyway if nothing matches
IgnoredDuringExecution: once the pod runs, a later label change on the node does not evict it (a RequiredDuringExecution variant that would evict is planned but not implemented; today only NoExecute taints evict running pods)
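One pod that combines the scheduling controls from the cards above (taint toleration, required and preferred node affinity), as an added example that is not part of the original flashcards. The node name node01, the labels disktype/zone and the image are assumptions.

```yaml
# Added example, not from the original flashcards. Node name, labels and the
# image are assumptions. Prepare the node first:
#   kubectl taint node node01 app=blue:NoSchedule
#   kubectl label node node01 disktype=ssd zone=a
apiVersion: v1
kind: Pod
metadata:
  name: pinned
spec:
  tolerations:
  - key: app
    operator: Equal          # Exists (no value) tolerates every value of the key;
    value: blue              # an empty key with Exists tolerates every taint: avoid
    effect: NoSchedule       # allowed onto the tainted node, not forced onto it
  affinity:
    nodeAffinity:
      # hard requirement: terms are ORed, expressions within a term are ANDed
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: disktype
            operator: In
            values: ["ssd"]
          - key: node-role.kubernetes.io/control-plane
            operator: DoesNotExist   # keep app pods off the control plane
      # soft preference: the scheduler scores nodes, higher weight wins
      preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 10
        preference:
          matchExpressions:
          - key: zone
            operator: In
            values: ["a"]
  containers:
  - name: app
    image: nginx:1.25
# Verify where it landed and why with:
#   kubectl get po pinned -o wide
#   kubectl describe po pinned      # Events show FailedScheduling reasons if Pending
```

The toleration alone would not pull the pod onto node01; the required affinity does. If no node carries disktype=ssd the pod stays Pending, which is the intended failure mode rather than landing somewhere unexpected.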
multi-container pods
logging agent + web server: they need the same lifecycle, share the network namespace (reach each other on localhost) and can share volumes
multi-container pod
sidecar (logging agent + web server)
adapter: transforms output before it leaves the pod, e.g. reformats logs into a unified format before shipping them to a central server
ambassador: outsources connection logic to a helper container. The app always connects to localhost; the ambassador container proxies to the right db for the environment (dev, test, prod)
check pod conditions
k describe po
check conditions section
readiness probes
decides whether the pod's Ready condition is true, i.e. whether the Service sends it traffic. Application specific: an HTTP GET on e.g. /api/ready, a TCP socket check, or an exec command. A failing readiness probe removes the pod from the Service endpoints but does not restart it
liveness probes
checks whether a container is still healthy; a failing liveness probe restarts the container (so a wrong or too aggressive liveness probe causes restart loops)
same probe types: HTTP GET /api/healthy, a TCP socket check, or an exec command
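Startup, readiness and liveness probes on one container, as an added example that is not part of the original flashcards. The image and its /api/ready and /api/healthy endpoints on port 8080 are assumptions.

```yaml
# Added example, not from the original flashcards. The image and the two
# endpoints are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: api
spec:
  containers:
  - name: api
    image: registry.example.com/api:1.0    # assumed to serve on 8080
    ports:
    - containerPort: 8080
    # Runs first; liveness/readiness are disabled until it succeeds once.
    # Gives a slow-starting app up to 30 x 2 s = 60 s without being killed.
    startupProbe:
      httpGet:
        path: /api/healthy
        port: 8080
      periodSeconds: 2
      failureThreshold: 30
    # Gate for Service traffic: 3 failures in a row -> removed from endpoints,
    # 1 success -> added back. Never restarts the container.
    readinessProbe:
      httpGet:
        path: /api/ready
        port: 8080
      periodSeconds: 5
      failureThreshold: 3
      successThreshold: 1
    # Restart trigger: keep it cheap and local. A liveness probe that calls the
    # database turns a db outage into a restart storm of every api pod.
    livenessProbe:
      tcpSocket:
        port: 8080
      periodSeconds: 10
      timeoutSeconds: 2
      failureThreshold: 3
# Watch the effect:
#   kubectl get po api -w            # READY 0/1 while readiness fails
#   kubectl describe po api          # Events: Unhealthy ... / Container restarted
```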
docker run -d event-simulator
detached mode: runs in the background and does not attach the log output to the terminal (docker logs to read it)
print log of multi-container pod
k logs -f po-name -c container-name (-c is required when the pod has more than one container)
metrics server
- one for each k8s cluster
- no historical data, only in-memory
with metrics-server, what can do
k top node
k top po
get things based on label
get all pod’s label
k get po --selector app=App1
k get po -l app=App1
k get po --show-labels
annotation
used to record non-identifying details for information or tooling: contact phone numbers, build ids, configuration consumed by integrations. Unlike labels, annotations cannot be used in selectors
check status of each revision
kubectl rollout history deployment nginx --revision=1
record the change cause:
kubectl set image deployment nginx nginx=nginx:1.17 --record (--record is deprecated; prefer kubectl annotate deployment nginx kubernetes.io/change-cause="update to 1.17", which is the annotation the history column reads)
edit deploy
kubectl rollout status deployment nginx
kubectl rollout history deployment nginx
set deploy image
k set image deploy frontend simple-webapp=kodecloud/webapp-color:v2
use pod to run 3+2, how to get output
k logs po-name
job
completions
parallelism
a job creates pods to run a one-time task until it has succeeded the required number of times
completions: the number of successful pod runs required; failed pods are retried up to backoffLimit until that many have completed successfully
parallelism: the maximum number of pods running at the same time (default 1, i.e. sequential)
cronjob
schedule
how does the yaml differ from a job's?
a cronjob wraps a job spec so that the job runs on a schedule
schedule: takes a standard 5-field cron string, e.g. "*/5 * * * *"
spec:
schedule:
jobTemplate:
spec (job’s spec)
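A CronJob showing the nesting from the card above together with completions, parallelism and the failure-handling fields, as an added example that is not from the flashcards; the name, schedule and the busybox command are assumptions.

```yaml
# Added example, not from the original flashcards. Name, schedule and the
# command are assumptions chosen for illustration.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: report
spec:
  schedule: "*/15 * * * *"        # 5-field cron; add timeZone: "Europe/Berlin" on 1.27+
  concurrencyPolicy: Forbid       # skip this run if the previous job is still active
  startingDeadlineSeconds: 300    # a run missed by more than 5 min is not started late
  successfulJobsHistoryLimit: 3   # keep a few finished jobs for kubectl describe
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:                         # this is a Job spec
      completions: 4              # 4 successful pod runs in total ...
      parallelism: 2              # ... at most 2 running at once
      backoffLimit: 3             # give up after 3 failed pods
      activeDeadlineSeconds: 600  # kill the whole job after 10 min
      ttlSecondsAfterFinished: 3600
      template:                   # and this is the pod template
        spec:
          restartPolicy: Never    # Jobs need Never or OnFailure
          containers:
          - name: worker
            image: busybox:1.36
            command: ["sh", "-c", "echo $(date) run; sleep 10"]
# Inspect the result:
#   kubectl get cronjob report
#   kubectl get jobs --watch
#   kubectl describe job <job-name>     # Pods Statuses: N Active / N Succeeded / N Failed
```

concurrencyPolicy: Forbid is the safe default for anything that writes shared state; with the default Allow, a slow run and the next scheduled run execute side by side.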
check job successful history, attemps
describe job and check
Pods Statuses:
k8s network : how to access pod’s ip
inside the cluster every pod IP is reachable directly from every node and pod (flat network, no NAT), but pod IPs change on every restart, which is why services exist
k8s service use case
a service is a stable virtual IP (the ClusterIP) plus a DNS name inside the cluster; kube-proxy on each node programs the forwarding and spreads connections over the matching pods
NodePort: opens a port on every node and forwards traffic arriving on that port to the target port of the pods running the web app
ClusterIP: the virtual IP, reachable only inside the cluster, for communication between tiers such as frontend to backend
LoadBalancer: on a supported cloud provider, provisions an external load balancer in front of the NodePort, to distribute external traffic across the web servers in the frontend tier
nodePort target port, port, node Port
target port: port on the pod
port: the port on the service's ClusterIP
nodePort: the port opened on every node for external access, default range 30000-32767 (a NodePort service also has a ClusterIP and a port)
only port is mandatory; targetPort defaults to port, nodePort is allocated from the range if omitted
to access: any node's IP:nodePort (the node does not need to run one of the pods)
cluster IP use case, target port, port
between tiers of a web app: frontend, backend, db.
target port is the port of backend exposes.
port is where the service is exposed
what is endpoint of a svc
Endpoints (now EndpointSlices) are the pod IP:targetPort pairs currently matched by the selector and passing their readiness probe. describe svc and read Endpoints: an empty list means the selector or targetPort is wrong, or no pod is Ready
describe a frontend backend
There is a web server serving frontend to users, an app server serving backend API and the db server.
the user sends a request to the web server, the web server calls the API server, the API server reads from the db and returns the data to the web server, which renders it for the user
ingress vs egress
the direction in which a connection is opened, not the direction of its response. NetworkPolicies are stateful: if ingress to a pod is allowed, the replies leave without any egress rule
only connections the pod itself initiates to other servers need an egress rule in the netpol
by default connectivity
everything allowed: every pod can talk to every other pod in every namespace
how to restrict
use a NetworkPolicy to allow access only from the api pod on port 3306
everything is allowed until a policy selects the pod; from then on, for each type listed in policyTypes (Ingress, Egress), anything not explicitly allowed is denied. A policy with policyTypes: [Ingress] leaves egress wide open
NetworkPolicy is enforced by the CNI plugin, not by k8s itself: Flannel does not implement it (Calico, Cilium, Weave do), so check the CNI's documentation. The object is accepted either way, and a policy on an unsupported CNI silently does nothing
a NetworkPolicy can select peers with podSelector, namespaceSelector (both in one list item = AND, as separate items = OR),
ipBlock for addresses outside the cluster (with an except list)
netpol yaml rule syntax
each item under ingress:/egress: that starts with - is one rule; traffic is allowed if ANY rule matches (OR)
inside one rule, from:/to: and ports: are ANDed: the peer must match AND the port must match
one rule, AND:
- to:
  - podSelector: {...}
  ports:
  - port: 5432
two rules, OR (any peer on any port, or anybody on 5432):
- to:
  - podSelector: {...}
- ports:
  - port: 5432
the indentation of the - decides which of the two you wrote
TCP and UDP need separate entries under ports: with protocol: TCP / protocol: UDP
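A default-deny policy plus a db policy that exercises every distinction from the cards above (AND vs OR rules, podSelector with namespaceSelector in one item, ipBlock, TCP and UDP as separate entries), as an added example that is not from the flashcards. The namespace names, labels and the CIDR are assumptions.

```yaml
# Added example, not from the original flashcards. Namespaces, labels and the
# CIDR are assumptions. Requires a CNI that enforces NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: prod
spec:
  podSelector: {}                    # every pod in prod
  policyTypes: ["Ingress", "Egress"] # ... is isolated in both directions
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-policy
  namespace: prod
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes: ["Ingress", "Egress"]
  ingress:
  # rule 1 (AND inside the rule): from api pods of this namespace AND TCP 3306
  - from:
    - podSelector:
        matchLabels:
          role: api
    ports:
    - protocol: TCP
      port: 3306
  # rule 2 (OR with rule 1): pods labelled app=prometheus in the monitoring
  # namespace, TCP 9104. namespaceSelector and podSelector in ONE list item
  # mean AND; written as two items they would mean "any pod of monitoring OR
  # any app=prometheus pod in prod", which is far wider than intended.
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: monitoring
      podSelector:
        matchLabels:
          app: prometheus
    ports:
    - protocol: TCP
      port: 9104
  egress:
  # DNS to kube-dns in any namespace; UDP and TCP are separate entries
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # backup host outside the cluster; ipBlock is for cluster-external addresses
  - to:
    - ipBlock:
        cidr: 10.50.0.0/24
        except: ["10.50.0.1/32"]
    ports:
    - protocol: TCP
      port: 22
# Replies to the allowed 3306 connections need no egress rule (stateful).
# Test from an api pod:   kubectl -n prod exec <api-pod> -- nc -zv -w 5 <db-svc> 3306
# and from any other pod; the second one must time out.
```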
pod A can ping pod B
ping uses ICMP, which has no port, so a policy that allows TCP 80 does not allow ping, and a successful ping does not prove the port is open. Use nc -zv host port or curl to test the actual service
K8s ingress controller vs load balancer? Vs nginx server?
an ingress controller is a reverse proxy/load balancer (nginx, HAProxy, Traefik, ...) packaged with a controller that watches Ingress objects and rewrites the proxy configuration. It runs as an ordinary k8s deployment and is not installed by default
K8s ingress controller role in k8s?
the ingress controller lets the apps in k8s share a single accessible URL and routes requests to different services inside the cluster based on host and path. It can also terminate TLS
it must itself be exposed with a NodePort or LoadBalancer service; that is a one-time setup
to inspect an ing that does not work: read the ingress controller pod's logs; a common mistake is a wrong default backend
--default-backend-service=green-space/default-backend-service
redeploy the ingress controller with the corrected argument
Term of ingress rules?
Ingress resources, kind: Ingress. An ingress rule is defined per host/domain name (the base URL), e.g. http://www.my-store.com/, and lists path -> service mappings
3 shapes of ingress rule in the yaml
spec.defaultBackend directly (no host, no path: a catch-all)
spec.rules[].http.paths for a single host/domain name (omit host to match every host)
spec.rules with several - host: entries (one per domain)
nginx.ingress.kubernetes.io/rewrite-target: /$2 together with path: /something(/|$)(.*) and pathType: ImplementationSpecific: the URL is rewritten as replace("/something(/|$)(.*)", "/$2"), so /something/api/x reaches the backend as /api/x
regular expression capturing groups: $1 is the (/|$) part, $2 is the rest of the path
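An Ingress for the nginx ingress controller using the rewrite-target pattern from the card above, with TLS and a default backend, as an added example that is not part of the flashcards. The host www.my-store.com and green-space/default-backend-service come from the cards; the service names wear-service and video-service, the namespace and the TLS secret name are assumptions.

```yaml
# Added example, not from the original flashcards. Service names, namespace
# and the TLS secret are assumptions; the host and default backend name are
# taken from the cards.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: store
  namespace: green-space
  annotations:
    # $2 is the second capturing group of the path regexes below
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  ingressClassName: nginx
  tls:
  - hosts: ["www.my-store.com"]
    secretName: my-store-tls      # kubernetes.io/tls Secret in this namespace
  rules:
  - host: www.my-store.com
    http:
      paths:
      # /wear/shirts/42 -> $1="/", $2="shirts/42" -> backend sees /shirts/42
      - path: /wear(/|$)(.*)
        pathType: ImplementationSpecific   # required for regex paths
        backend:
          service:
            name: wear-service
            port:
              number: 8080
      # /watch -> $2="" -> backend sees /
      - path: /watch(/|$)(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: video-service
            port:
              number: 8080
  defaultBackend:                   # anything else, e.g. a 404 page service
    service:
      name: default-backend-service
      port:
        number: 80
# Check the rendered rule and the controller's view of it:
#   kubectl -n green-space describe ing store
#   kubectl -n <ingress-ns> logs deploy/<ingress-controller> | grep -i error
```

The (/|$) group is what keeps /wearable from matching the /wear rule; a bare /wear(.*) would also catch it.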
docker copy-on-write mechanism
image layer is read only
container layer is read write,
when the app modifies app.py, the file is first copied from the image layer into the container layer (copy-on-write) and changed there; the image stays untouched
when the container is removed, the container layer and every change in it are gone
to persist data, use a volume
volume mounting:
docker volume create data_volume -> creates a docker-managed volume under /var/lib/docker/volumes/
docker run -v data_volume:/path-in-container mysql (or --mount type=volume,source=data_volume,target=/path-in-container)
if you don't create the volume before running the container, docker creates it automatically
external data source?
bind mounting: use the path directly
docker run -v /fullpath-to-data:/path-in-container mysql
newer syntax:
docker run --mount type=bind,source=/fullpath-to-data,target=/path-in-container mysql (no spaces after the commas)
what does bind mounting do? mounts a host directory of your choice into the container; the container reads and writes host files directly, so treat it as host access (add :ro / readonly where the container only needs to read)
what does volume mounting do? mounts storage that docker manages for you under /var/lib/docker/volumes (or through a volume driver)
storage driver: e.g. AUFS, ZFS, overlay
volume driver: azure file storage, netApp, rexray
docker run -it --name mysql --volume-driver rexray/ebs --mount src=ebs-vol,target …
docker container is meant to be transient
means they meant to last for a short period of time
pod.spec.volumes
not the nice way: hostPath, a directory on the node. Replicas land on different nodes and see different data, and it gives the pod access to the host filesystem (avoid in production)
hostPath.type: Directory
better: a network or cloud volume, e.g. EBS
volumes[].awsElasticBlockStore (the in-tree plugin is deprecated; use the CSI driver through a StorageClass)
persistent volumes
to manage storage centrally: a cluster-wide pool of volumes configured by admins (or provisioned dynamically by a StorageClass). Developers consume it by creating a PVC
binding is by capacity, accessModes and storageClassName; a selector in the PVC narrows the candidates further
PVC and PV bind 1-to-1 (the PVC gets the whole PV even if it is larger than requested). If no suitable PV exists and no StorageClass can provision one, the PVC stays Pending
what happens when pvc is deleted
persistentVolumeReclaimPolicy: Retain/Delete/Recycle
Retain: the PV stays (status Released) with its data and must be cleaned up manually before it can be bound again
Delete: the PV and the backing storage are deleted as well (default for dynamically provisioned volumes)
Recycle: the data is scrubbed (rm -rf) and the PV becomes Available for another PVC; deprecated in favour of dynamic provisioning
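A PV, the PVC that binds to it and a pod mounting the claim, as an added example that is not from the flashcards. The names, the hostPath directory and the storageClassName manual are assumptions; hostPath is used only because it works on a single-node lab.

```yaml
# Added example, not from the original flashcards. Names, the hostPath
# directory and the storage class are assumptions.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-log
spec:
  capacity:
    storage: 1Gi
  accessModes: ["ReadWriteOnce"]
  persistentVolumeReclaimPolicy: Retain   # data survives deletion of the PVC
  storageClassName: manual                 # must match the PVC to be a candidate
  hostPath:                                # lab only; see the hostPath card above
    path: /pv/log
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: claim-log
spec:
  accessModes: ["ReadWriteOnce"]
  storageClassName: manual
  resources:
    requests:
      storage: 500Mi    # binds to pv-log: 1Gi >= 500Mi, same class and mode;
                        # the claim then owns the whole 1Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: webapp
spec:
  containers:
  - name: webapp
    image: nginx:1.25
    volumeMounts:
    - name: log
      mountPath: /var/log/nginx
  volumes:
  - name: log
    persistentVolumeClaim:
      claimName: claim-log
# Expected states:
#   kubectl get pv,pvc          # pv-log Bound, claim-log Bound
#   kubectl delete pvc claim-log (after deleting the pod)
#   kubectl get pv              # pv-log Released: kept because of Retain,
#                               # not bindable again until claimRef is cleared
```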
authentication vs authorization of kube apiserver
who can access?
static password files and static token files (deprecated: plaintext credentials on the apiserver host, no rotation without a restart), X.509 client certificates, external identity providers via OIDC or an authentication webhook (LDAP through an OIDC broker such as Dex or Keycloak)
SA
what can they do:
RBAC authorization
all communication between the components around the kube-apiserver (etcd, kubelet, scheduler, controller-manager, kube-proxy) is secured by?
TLS certificates (mutual TLS: each component has its own client certificate signed by the cluster CA)
auth:
Two types account: user, sa
you cannot create users as k8s objects; a user is just a name presented by a certificate CN or by an external identity provider, which is what you need for real user management
SA can be created
kubeconfig
three things:
cluster, context, users
context is the thing which links above two.
k config view: to list it
k config use-context: to change it
context
specify namespace along with user and cluster
access api groups
curl https://localhost:6443 -k (the API is HTTPS only; -k skips server cert verification, acceptable on the node itself, not over the network)
to list the API groups
curl https://localhost:6443/apis -k | grep name
to do more than anonymous discovery you must authenticate: --key, --cert and --cacert, or -H "Authorization: Bearer $TOKEN"
OR kubectl proxy: it launches a local proxy on port 8001 that uses the credentials from the kubeconfig file, so curl needs no auth anymore
curl, check a svc
-m 5 set timeout
curl -m 5 jupiter-crew-svc:8080 (svc name:port)
for nodeport:
curl nodeIp:nodeport
wget vs curl
do http request
wget -O- frontend:80
-O-: print content
wget focus on downloading file
curl serves more general purpose, by default don’t download things
kubectl proxy
an HTTP proxy started by kubectl on localhost that forwards to the kube-apiserver with the kubeconfig credentials, so the caller needs no auth. Keep it bound to localhost (never --address 0.0.0.0 without --accept-hosts restrictions): whoever reaches the proxy acts with your rights
to know preferred version of a api group
k proxy 8001 & (& runs it in the background)
curl localhost:8001/apis/authorization.k8s.io (preferredVersion is in the output)
kube-apiserver --authorization-mode=Node,RBAC,Webhook
lists the authorizers in the order they are consulted; the first one that allows or denies decides and the rest are skipped. If the flag is not set the default is AlwaysAllow (kubeadm sets Node,RBAC)
role
apiGroups: [""] (the empty string is the core group; "apps" for deployments etc.)
resources: ["pods"] (plural; subresources as "pods/log", "pods/exec")
verbs: ["get", "list", "watch", "create"]
can even be restricted to specific objects:
resourceNames: ["blue-po", "red-po"] (works for get/update/patch/delete, not for list, watch or create, which have no name yet)
rolebinding
binds a role to subjects in one namespace
subjects: who (kind User, Group or ServiceAccount)
roleRef: which Role or ClusterRole (immutable once created)
check my permission
as admin you can check someone else's permissions by impersonating them
k auth can-i delete nodes
k auth can-i create po --as dev-user (add --as-group and -n namespace as needed; k auth can-i --list --as dev-user shows everything they may do)
clusterRole
roles are namespaced, but some resources are cluster-scoped (nodes, pv, namespaces, clusterroles), so they need a ClusterRole bound with a ClusterRoleBinding
a ClusterRole can also grant access to namespaced resources such as pods: across all namespaces with a ClusterRoleBinding, or in a single namespace when the same ClusterRole is bound with a RoleBinding
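A ServiceAccount with token automount switched off, a Role using resourceNames and a subresource, a RoleBinding for both the sa and a user, and the pod that opts back in to the token, tying together the service-account cards and the RBAC cards above. Added example, not from the flashcards; the namespace web, the names dashboard-sa, pod-reader, ui-config, the user dev-user and the image are assumptions.

```yaml
# Added example, not from the original flashcards. Namespace, names, user and
# image are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-sa
  namespace: web
automountServiceAccountToken: false   # pods using this sa opt in explicitly
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: web
rules:
- apiGroups: [""]                     # "" = core group
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/log"]             # subresource: needed for kubectl logs
  verbs: ["get"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ui-config"]        # only this object; cannot restrict list/create
  verbs: ["get", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dashboard-pod-reader
  namespace: web
subjects:
- kind: ServiceAccount
  name: dashboard-sa
  namespace: web
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: dashboard
  namespace: web
spec:
  serviceAccountName: dashboard-sa
  automountServiceAccountToken: true  # this pod really talks to the API
  containers:
  - name: dashboard
    image: registry.example.com/dashboard:1.0
# Verify without logging in as anyone:
#   kubectl auth can-i list pods -n web --as system:serviceaccount:web:dashboard-sa   # yes
#   kubectl auth can-i delete pods -n web --as system:serviceaccount:web:dashboard-sa # no
#   kubectl auth can-i get configmaps/ui-config -n web --as dev-user                  # yes
#   kubectl auth can-i list configmaps -n web --as dev-user                           # no
# Short-lived token for a script:
#   kubectl create token dashboard-sa -n web --duration=10m
```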
Get the API groups and resource names
k api-resources
get default enabled admission controller
k -n kube-system exec kube-apiserver-<node-name> -- kube-apiserver -h | grep enable-admission-plugins
check second paragraph:
admission plugins that should be enabled in addition to default enabled ones (…here all default enabled ones!!!)
to edit in a kubeadm setup when it is running as a po:
vi /etc/kubernetes/manifests/kube-apiserver.yaml
or follow documentation
vim search
https://monovm.com/blog/how-to-search-in-vim-editor/#:~:text=Press%20the%20%22%2F%22%20key%20to%20enter%20search%20mode.,occurrence%20of%20the%20character%20string.
two type admission controller
mutating: change the object before it is stored, e.g. DefaultStorageClass, NamespaceAutoProvision, LimitRanger (fills in default requests)
validating: accept or reject the object, e.g. NamespaceExists, ResourceQuota
mutating plugins run first, then validating, so validation always sees the final mutated object
mutating/validating admission webhook server
MutatingAdmissionWebhook and ValidatingAdmissionWebhook are two special admission controllers that call external admission webhooks: you point them at your own HTTPS server, inside or outside the cluster, that runs your logic
on k8s: kind: ValidatingWebhookConfiguration (or MutatingWebhookConfiguration), pointing at a Service or URL plus the CA bundle used to verify it
the apiserver POSTs an AdmissionReview object to the server for review; the server answers with an AdmissionReview whose response.allowed is true or false (a mutating webhook also returns a JSON patch). failurePolicy decides what happens when the webhook is unreachable: Fail (reject the request) or Ignore (fail open)
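A ValidatingWebhookConfiguration with the settings that matter for safety (failurePolicy, timeout, scope, keeping kube-system out), as an added example that is not from the flashcards. The webhook name, the namespace webhook-demo, the service webhook-server and the path are assumptions.

```yaml
# Added example, not from the original flashcards. Webhook name, namespace,
# service and path are assumptions.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: pod-policy.example.com
webhooks:
- name: pod-policy.example.com          # must be a fully qualified name
  admissionReviewVersions: ["v1"]       # versions the server understands
  sideEffects: None                     # the server changes nothing outside the review
  timeoutSeconds: 5                     # max 30; keep it short
  failurePolicy: Fail                   # webhook down -> request rejected (fail closed);
                                        # Ignore would let everything through
  matchPolicy: Equivalent               # also match the same resource via other versions
  namespaceSelector:                    # never gate kube-system: a broken webhook with
    matchExpressions:                   # Fail would block the control plane's own pods
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values: ["kube-system"]
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    operations: ["CREATE", "UPDATE"]
    resources: ["pods"]
    scope: Namespaced
  clientConfig:
    service:
      namespace: webhook-demo
      name: webhook-server
      path: /validate
      port: 443
    # caBundle: base64 PEM of the CA that signed webhook-server's certificate.
    # The apiserver verifies the server cert against it; without it only the
    # system trust roots are used.
# The server receives an AdmissionReview (request.object is the pod) and must
# reply with the same request.uid and response.allowed true/false, optionally
# response.status.message explaining a denial.
```

The combination of failurePolicy: Fail and the namespaceSelector is deliberate: fail closed for workloads, but never put the control plane behind a webhook that can die with it.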
api version: alpha beta, how to enable?
enable api groups
alpha versions are not enabled by default
enable them on the kube-apiserver (ExecStart= in the systemd unit, or the static pod manifest under /etc/kubernetes/manifests in a kubeadm cluster) and restart it:
--runtime-config=batch/v2alpha1
beta vs alpha vs GA (stable)
beta has e2e tests, is well tested with only minor bugs, and is committed to move to GA (general availability); alpha may still change incompatibly or be dropped
what is preferred version
multiple versions of one API group can be served by a k8s cluster, but when you run k get deploy, kubectl uses only the preferred version
To know preferred version:
k explain deploy
or
/apis/batch
storage version: exactly one version of a group is the storage version. An object created through another version is converted to the storage version before it is written to etcd, and converted back on read
storage and preferred versions are usually the same but they don't have to be
api deprecation policy
rule 1: API elements may only be removed by incrementing the version of the API group
rule 2: API objects must be able to round-trip between API versions in a given release without information loss, except for whole REST resources that do not exist in some versions
rule 3: an API version in a given track may not be deprecated until a new version at least as stable is released: v2alpha1 cannot deprecate GA v1, v2 (GA) can
rule 4a: minimum support after deprecation: GA 12 months or 3 releases (whichever is longer), beta 9 months or 3 releases, alpha 0 releases
rule 5: the preferred/storage version may only advance to the new version after a release in which both the new and the previous version (e.g. v1beta2 and v1beta1) were served, so clients get one release to switch
k convert
k convert -f old-yaml-file --output-version new-version (prints the manifest converted to the new version)
need to install kubectl convert plugin
get short name of resource
k api-resources
what happens to etcd db when create resource ? what is controller
the object is stored in the etcd data store
a controller keeps watching for changes (through the apiserver) and creates the pods/replica sets needed to reach the defined state
each resource has a controller, e.g. deployments have the deployment controller, written in Go
to define a custom resource other than deploy, replicaset etc
use a CRD. It only makes the new kind known to the apiserver so that k can create, list and store such objects; nothing acts on them. To actually do something, a custom controller is needed
scope: namespaced or not
group: define api group, e.g. flights.com
names:
kind: of the resources
singular:
plural:
shortName:
version, schema of its yaml
custom controller
loops: monitor and change
usually in Go, because client-go provides informers (watch plus cache) and work queues for free. Possible in Python, but then you implement your own queueing and caching, which is costly
operator framework
is CRD + custom controller together
operatorHub.io
helm concept
package manager for k8s apps
os-specific install:
snap-based systems: snap install helm --classic
apt-based systems such as Debian or Ubuntu: apt-get install helm (after adding the helm apt repository)
pkg-based systems (FreeBSD): pkg install helm
to get the linux distribution and version:
lsb_release -a
cat /etc/os-release
Chart.yaml
it has info about the helm chart, the version, name etc.
artifacthub.io - chart repository
to search it:
helm search hub wordpress
to search other repo, need to add the repo:
helm repo add bitnami https://charts.bitnami.com/bitnami
to search this repo:
helm search repo wordpress
helm repo list - lists the repositories you added (not the charts; helm search repo lists charts)
helm repo update - update chart list from remote
to find resource installed by a certain helm release, use selector
kubectl get all -n NAMESPACE --selector=release=RELEASE_NAME (works when the chart labels its objects with release; otherwise helm get manifest RELEASE_NAME)
helm command install
helm install release-name chart-name (or a local chart directory)
downloads the chart, renders the templates with the values and creates the objects in the cluster
release: each install of a chart is called a release; the name is its id, so the same chart can be installed several times
to list installed releases: helm list
to uninstall: helm uninstall release-name
To only download/extract hem chart:
helm pull --untar bitnami/wordpress
app creation order
pv, pvc, po, svc!
the pvc must exist (and be Bound) before the pod that mounts it can start
remove a pvc stuck in Terminating
it is held by the kubernetes.io/pvc-protection finalizer while a pod still uses it; delete that pod first. As a last resort remove the finalizers entry from the yaml metadata
use /finalizers to search in the vim editor
networkpolicy
check connectivity?
root@controlplane:~$ kubectl exec -it webapp-color -- sh
/opt # nc -v -z -w 5 secure-service 80 (-z: connect without sending data, -w 5: 5 s timeout; tells you whether the netpol lets the connection through)
create temporary pod
kubectl run tmp --restart=Never --rm --image=nginx:alpine -i -- curl http://project-plt-6cc-svc.pluto:3333
--rm: delete the pod after it exits; --restart=Never so k8s does not restart it; -i to see the output
run, not exec! exec needs a pod that already exists
exec command in a pod
k -n moon exec web-moon-c77655cc-dc8v4 -- find /usr/share/nginx/html
vim: multiple line edit
Ctrl-V: start visual block selection, move down to select the lines
Shift-I: insert at the column
Esc: applies the inserted text to every selected line
containerPort:
ports.containerPort: list of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but it is primarily informational!!!
not specifying a port here DOES NOT prevent that port from being exposed: any port the process listens on is reachable at the pod IP. Only a NetworkPolicy restricts that
tcp vs http
HTTP sits above TCP: a TCP probe only proves the port accepts connections, an HTTP probe checks that the application answers (2xx or 3xx counts as success)
assign po to a no
spec.nodeSelector with node labels (goes through the scheduler)
spec.nodeName with the node's name (bypasses the scheduler entirely)
run as root:
add a capability
spec.securityContext.runAsUser: 0 (pod level; a container-level securityContext overrides it)
spec.containers[].securityContext.capabilities.add: ["SYS_TIME"] (capabilities can only be set at container level)
prefer runAsNonRoot: true with drop: ["ALL"] and add back only what the app really needs
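The "run as root and add a capability" pod from the card above beside the hardened form of the same pod, covering the capability and securityContext cards here and the docker --cap-add/--cap-drop card earlier. Added example, not from the flashcards; the image is an assumption and must listen on an unprivileged port and be readable by uid 10001.

```yaml
# Added example, not from the original flashcards. Image is an assumption.
# The weak shape the card asks for: root in the container plus one capability.
apiVersion: v1
kind: Pod
metadata:
  name: web-root
spec:
  securityContext:
    runAsUser: 0               # pod level, inherited by every container
  containers:
  - name: web
    image: registry.example.com/webapp:1.0
    securityContext:
      capabilities:
        add: ["SYS_TIME"]      # capabilities exist only at container level
---
# The hardened shape a reviewer would ask for instead.
apiVersion: v1
kind: Pod
metadata:
  name: web-hardened
spec:
  securityContext:
    runAsNonRoot: true         # kubelet refuses to start any container as uid 0
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001             # mounted volumes become group-writable for 10001
    seccompProfile:
      type: RuntimeDefault     # runtime's default syscall allowlist
  automountServiceAccountToken: false   # the app does not call the API
  containers:
  - name: web
    image: registry.example.com/webapp:1.0   # assumed: listens on 8080, runs as 10001
    ports:
    - containerPort: 8080
    securityContext:
      allowPrivilegeEscalation: false   # no setuid binaries / file caps gain
      privileged: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]          # start from nothing ...
        # add: ["NET_BIND_SERVICE"]   # ... and add back only if a port < 1024 is required
    volumeMounts:
    - name: tmp
      mountPath: /tmp          # writable scratch space since / is read-only
  volumes:
  - name: tmp
    emptyDir: {}
# Verify the effect from inside the pod:
#   kubectl exec web-hardened -- id                          # uid=10001
#   kubectl exec web-hardened -- grep CapEff /proc/1/status  # 0000000000000000
#   kubectl exec web-hardened -- touch /x                    # Read-only file system
```

Everything in web-hardened is also what the Pod Security Standards "restricted" profile checks for, so a namespace labelled pod-security.kubernetes.io/enforce=restricted would reject web-root and admit web-hardened.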
echo to log
while true; do echo "$(date) Hi i am shell" >> date.txt; sleep 5; done (>> appends to the file; in a pod put the whole loop in command: ["sh", "-c", "..."])
kubectl get event –field-selector involvedObject.name=probe-ckad-aom
get the events whose involved object (e.g. a pod) is named probe-ckad-aom; this is a field selector on the event, not a label
get first field
kubectl get ns --no-headers | cut -d' ' -f1 (--no-headers drops the NAME line)
batch process
k -n sun label pod -l type=runner protected=true # select pods by label type=runner and label them all with protected=true
k -n sun get po --selector type=runner --no-headers | awk '{print $1}' | xargs -I {} kubectl -n sun label po {} protected=true
search po based on text
k describe po | grep happy-shop -A10 -B10
grep before and after 10 lines!
cm: –from-env-file vs –from-file
--from-env-file: each KEY=VALUE line of the file becomes one key
--from-file: the whole file content becomes the value and the file name its key
OR: --from-file=<my-key-name>=<path-to-file> to choose the key name yourself
istio, what is it?
a service mesh is the pattern: managing communication between microservices outside the application code. Istio is an implementation of it
what are its functions and why?
to provide in-cluster security (mutual TLS between all services, an identity per workload, authorization policies) and observability for a microservice architecture
it introduces:
1. the sidecar pattern with an Envoy proxy: it separates the non-business logic from the microservice. Communication configuration (COMM), security logic (SEC), retry logic (R), metrics and tracing (MT) are configured once on the control plane (istiod) and pushed to the proxies of all microservices (pods)
2. traffic splitting: canary deployments, e.g. 90 % to one version and 10 % to the other
how to configure istio?
two CRDs, VirtualService (routing) and DestinationRule (subsets, load balancing, TLS policy), read by istiod. By configuring istiod we configure every proxy
istio ingress gateway
the entrypoint into your cluster; an alternative to the nginx ingress controller. Configured with the Gateway CRD plus a VirtualService bound to that gateway
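The canary split and the mTLS enforcement from the cards above, written as Istio resources, as an added example that is not from the flashcards. The service name reviews, its version labels, the namespace shop and the hostname shop.example.com are assumptions.

```yaml
# Added example, not from the original flashcards. Service, labels, namespace
# and hostname are assumptions; the cluster must have Istio with sidecar
# injection enabled for the shop namespace.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT          # plaintext from a pod without a sidecar is refused
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews
  namespace: shop
spec:
  host: reviews           # the k8s Service name
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL  # sidecars use the mesh-issued workload certs
  subsets:
  - name: v1
    labels:
      version: v1         # pod labels of the current deployment
  - name: v2
    labels:
      version: v2         # pod labels of the canary deployment
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: shop-gateway
  namespace: shop
spec:
  selector:
    istio: ingressgateway # the istio ingress gateway pods
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts: ["shop.example.com"]
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: reviews
  namespace: shop
spec:
  hosts: ["reviews", "shop.example.com"]
  gateways: ["shop-gateway", "mesh"]   # external entry and in-mesh calls
  http:
  - route:
    - destination:
        host: reviews
        subset: v1
      weight: 90          # 90 % stays on the stable version
    - destination:
        host: reviews
        subset: v2
      weight: 10          # 10 % canary; weights must sum to 100
    retries:
      attempts: 2
      perTryTimeout: 2s
# Check the split and the mTLS state:
#   istioctl analyze -n shop
#   istioctl x describe pod <reviews-pod> -n shop
```

The weight change is the whole rollout control: moving v2 to 100 and removing v1 later needs no change to the Deployments themselves.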