Kubernetes Fundamentals Flashcards
Name Kubernetes control-plane services
etcd
kube-scheduler
kube-api-server
kube-controller-manager
cloud-controller-manager (optional)
Role of the Kubernetes control-plane?
The brains of Kubernetes. Manages the cluster and controls critical functions like deployment, scheduling, self-healing and scaling.
Administrative traffic
Configuration
System control
Management
What’s inside every worker node?
kubelet
kube-proxy
container runtime
What is kubelet responsible for?
It talks to the kube-api-server and the container runtime to handle the final stage of starting containers.
What is kube-proxy responsible for?
Handles communication inside and outside your cluster. It tries to rely on OS networking capabilities to do so.
What is the container runtime responsible for?
Responsible for running containers on worker nodes.
What’s the most popular container runtime?
containerd
Which container runtime is deprecated, and since when?
Docker, since 1.24
What happens to worker nodes when the control plane is not available?
Apps on worker nodes will keep running, but scaling, scheduling of new apps and some other functionality will be missing.
Is a Kubernetes namespace suitable for strong isolation?
No
How do you divide a cluster into multiple virtual clusters?
With namespaces
The database that holds the state of the cluster?
etcd
Is etcd an official part of Kubernetes?
No, it is an independent project
The centerpiece of Kubernetes; all components interact with it.
kube-api-server
Users access the Kubernetes cluster through it.
kube-api-server
Chooses a worker that can fit a new workload based on CPU, etc.
kube-scheduler
Contains control loops that manage the state of the cluster
kube-controller-manager
Optional control-plane service that allows interaction with a cloud provider's API
cloud-controller-manager
Server node types
Control plane node(s)
Worker nodes
Cloud providers with Kubernetes
Amazon (EKS)
Google (GKE)
Microsoft (AKS)
DigitalOcean (DOKS)
Kubernetes distributions
OpenShift
Rancher
k3s
VMWare Tanzu
Cluster installers (production grade)
kubeadm
kops
kubespray
Test “clusters”
minikube
kind
microk8s
Communicating with the cluster is impossible without it
kube-api-server
kube-api is implemented as a ___ interface that is exposed over ___
RESTful, HTTPS
Three stages a request has to go through before processing
Authentication
Authorization
Admission Control
How are Kubernetes users managed?
Always externally
Admission controllers can’t block it
Requests to read objects
An ___ is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.
admission controller
An admission controller can be
validating
mutating
or both
Common ways of authentication in Kubernetes
Digitally signed X.509 certificate
External identity management system
Service account for technical users
During this stage it is decided what the requester is allowed to do
Authorization
One of the available authorization methods in Kubernetes
Role-based access control (RBAC)
Kubernetes wrapper around a container
Pod
Smallest compute unit in kubernetes
Pod
A plugin interface which enables the kubelet to use a wide variety of container runtimes without the need to recompile
Container Runtime Interface (CRI)
A lightweight and performant implementation to run containers. Arguably the most popular container runtime right now. It is used by all major cloud providers for their Kubernetes-as-a-Service products.
containerd
Was created by Red Hat, with a code base similar to containerd and closely related to podman and buildah.
CRI-O
A runtime that only contains the absolute essentials to run containers
containerd
CRI-O
Container runtime sandboxing tools
gVisor
Kata Containers
A secure runtime that provides a lightweight virtual machine, but behaves like a container.
Kata Containers
Made by Google, provides an application kernel that sits between the containerized process and the host kernel.
gVisor
Four networking problems in Kubernetes
Container-to-container communications
Pod-to-pod communications
Pod-to-service communications
External-to-service communications
How external-to-service communication is solved
It is implemented by the kube-proxy and packet filter on the node.
How pod-to-service communication is solved
It is implemented by the kube-proxy and packet filter on the node.
How pod-to-pod communication is solved
This can be solved with an overlay network.
How container-to-container communication is solved
This can be solved by the Pod concept.
Kubernetes networking requirements
All pods can communicate with each other across nodes.
All nodes can communicate with all pods.
No Network Address Translation (NAT).
Container networking and security solutions
Project Calico
Weave
Cilium
DNS server add-on which can provide service discovery and name resolution inside the cluster
CoreDNS
Do pods have IP addresses?
Yes, every pod gets its own IP address.
What if you create a NetworkPolicy without a controller that will implement it?
It will have no effect.
___ act as cluster-internal firewalls
NetworkPolicies
How to control the traffic flow at the IP address or port level
Use Network Policies
Scheduling
The process of automatically choosing the right (worker) node to run a containerized workload on.