Sandbox Flashcards

1
Q

FaaS adv and disadv

A

Advantages:
* No provisioning of servers.
* Automatic scaling.
* Reduction of costs (pay per invocation, not per idle server).
* Underlying servers shared among different function invocations.
Disadvantages:
* Focused on short-lived, stateless functions.
* Performance variations due to cold-start (restart) latencies.
* Not suitable for heavy compute-intensive workloads; own VMs might be cheaper.
* Limited security: VMs shared with other tenants, no control over the network.

2
Q

Containers vs VMs

A

Containers
* Built from Linux primitives (namespaces, cgroups).
* Share the host Linux kernel.
* Fast starts, minimal overhead.
* Flexible isolation, but the shared kernel is part of the attack surface.

Virtual Machines
* Virtualise or emulate hardware components.
* Completely separate guest kernels.
* Slower starts: must boot a kernel and set up virtual hardware.

3
Q

Container Ecosystem

A

CRI
Defines the API between Kubernetes (the kubelet) and the container runtime.
OCI
Specifications for container images and for running containers.
runc
Reference implementation of the OCI runtime spec.
Responsible for creating and running the container processes.

4
Q

Containerd

A

Industry-standard container runtime.
Manages the complete container lifecycle on its host system, e.g., image transfer and storage,
container execution and supervision.
Fully supports the OCI runtime specification for running containers.
Supports snapshotting (layered filesystems).
Supports running sandboxes (gVisor, Kata) through containerd shims.

5
Q

shim

A

Piece of software that sits between containerd and a low-level
container runtime (runc, runsc).
Abstracts over low-level runtimes.
Lives as long as the container process.
In contrast, an OCI runtime such as runc just fork/execs the
container process and then exits.
Intercepts the container's stdin, stdout and stderr streams and
redirects them to logs; reports the exit status back to containerd.
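The relationship described above, as an added example that is not containerd's or runc's code: a toy shim that spawns a child process (standing in for the container started by runc), stays alive for the child's whole lifetime, copies its stdout/stderr into a log file and records the exit status. A real shim also serves a ttrpc API for containerd and keeps separate FIFOs per stream; both are left out here, and the log path and the child command are constructed for the demo.

```python
"""Toy shim in the style of a containerd shim (added example, not containerd's code)."""
import os
import subprocess
import sys
import tempfile


def run_under_shim(argv, log_path):
    """Spawn argv, stream its output into log_path, return its exit status.

    stderr is merged into stdout so one reader loop suffices; a real shim
    keeps the two streams separate.
    """
    with open(log_path, "ab") as log:
        proc = subprocess.Popen(
            argv,
            stdin=subprocess.DEVNULL,   # nothing is attached to the container's stdin
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,
        )
        for line in proc.stdout:        # blocks until the child closes the pipe
            log.write(b"[container] " + line)
        status = proc.wait()            # the shim, not the runtime, reaps the process
        log.write(f"[shim] container exited with status {status}\n".encode())
    return status


def demo():
    """Run a constructed 'container' that prints, writes to stderr and exits 3."""
    log_path = os.path.join(tempfile.mkdtemp(prefix="toy-shim-"), "container.log")
    container_cmd = [                   # constructed stand-in for the container process
        sys.executable, "-c",
        "import sys; print('hello from the container'); "
        "sys.stderr.write('warning on stderr\\n'); sys.exit(3)",
    ]
    status = run_under_shim(container_cmd, log_path)
    with open(log_path, "r", encoding="utf-8") as fh:
        return status, fh.read()


if __name__ == "__main__":
    status, log_text = demo()
    print(log_text, end="")
    print("shim observed exit status", status)
```

Because the child's stdout is a pipe, Python block-buffers it and flushes at exit, so the stderr line can land in the log before the stdout line; the shim does not reorder streams, it only keeps them from being lost when the runtime process that started the container is gone.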

6
Q

gVisor

A

Open-source secure container runtime (runsc), developed by Google.

The Sentry, a user-space kernel, intercepts the syscalls made by the application.
Only a few syscalls are made by the Sentry to the host Linux kernel.
A seccomp profile restricts which syscalls the Sentry itself is allowed to make.
Access to the filesystem goes via a separate process called the Gofer.
Drawbacks:
* Not well suited for syscall-heavy workloads (every syscall is intercepted)
* Not all syscalls are implemented
* Needs its own containerd shim (containerd-shim-runsc-v1)

7
Q

AWS Firecracker

A

Virtual machine monitor (VMM) that uses KVM to create and manage microVMs.
* Specifically designed for serverless computing (used by AWS Lambda and Fargate).
* Minimal device model, and a jailer that confines the VMM process itself.

8
Q

Kata Containers

A

Secure and isolated containers: each pod runs inside a lightweight VM with its own separate guest kernel. OCI-compatible, so it plugs into containerd via a shim.

9
Q

WebAssembly

A

Binary instruction format with an alternative human-readable
text representation (WAT).

10
Q

WebAssembly module

A

Application code compiled to the WASM instruction set.
Defines functions, globals, memories, tables, imports,
exports and static data.

11
Q

WebAssembly Embedder

A

Parses and validates WASM modules and executes the
application code.
Execution strategies:
* Interpreter (blockchain smart contracts,
browser)
* JIT (browser, standalone)
* AOT (standalone)

12
Q

krustlet

A

Kubelet implementation (written in Rust) that enables running WebAssembly workloads natively on Kubernetes.

13
Q

Knative

A

Platform that deploys on top of K8s.
Knative Eventing enables event-driven
architectures for applications, e.g.,
producer/consumer.

14
Q

Knative Serving

A

Provides scale-to-zero, request-driven
autoscaling and revision-based routing.

15
Q

Traditional CI/CD Push-based Workflow

A

Starts with the CI system and then continues through a series of scripted steps
that push changes to the Kubernetes cluster.

Adv:
✚ Ease of use
✚ Not bound to a specific tool

Disadv:
− Cluster credentials live inside the build
system, and the cluster's firewall must be opened to it.
− CI/CD through scripts is not declarative; it
takes effort to make it idempotent and to
reconcile state.

16
Q

GitHub actions

A

Platform that automates the build, test, and deployment pipeline.

17
Q

GitOps

A

A way to manage cloud-native applications and infrastructure declaratively, with Git as the source of truth.

A GitOps agent (Flux, ArgoCD) automatically applies all code, configuration and
policies across environments.

If there is any divergence between Git and what is running in a cluster, the agent's
reconcilers automatically update or roll back the cluster.

18
Q

GitOps Pull Workflow for Application Deployment

A

In the pull-based approach, all changes are applied from inside the cluster.
* An operator/agent inside the cluster regularly scans the associated Git
repositories and container registries; when a change occurs, the cluster state is
updated from inside.

Adv:
✚ No external client has the right to publish
to the cluster; all updates come
from inside.
✚ Changes can be detected and applied
automatically without human intervention.
✚ Easier scaling of identical clusters.

Disadv:
− With the pull approach you are
bound to the tools executing the pull.
− Limited to Kubernetes only.

19
Q

Kustomize.io

A

Kustomize is a configuration management solution.
* It leverages layering to preserve the base settings of your applications and components.
* Selectively override default settings without changing the original files by
overlaying declarative YAML artifacts (called patches).
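The layering described above, as an added example (not Kustomize's own code): a base manifest and a patch are plain dicts standing in for base/deployment.yaml and overlays/prod/deployment-patch.yaml, both constructed for the demo. strategic_merge() behaves like a Kubernetes strategic merge patch: maps merge recursively, lists with a known merge key (containers, env, ports, volumes) merge by that key, scalars and keyless lists are replaced, and a null in the patch deletes a field. The base is never mutated, which is the property overlays rely on. MERGE_KEYS is a hand-picked subset of the patchMergeKey values in the Kubernetes API types.

```python
"""Kustomize-style overlay via strategic merge (added example, not Kustomize code)."""
import copy

# Lists Kubernetes merges by a key instead of replacing wholesale (assumed subset).
MERGE_KEYS = {"containers": "name", "initContainers": "name", "env": "name",
              "volumes": "name", "ports": "containerPort"}


def strategic_merge(base, patch, list_key=None):
    """Return base with patch applied; neither argument is modified."""
    if isinstance(base, dict) and isinstance(patch, dict):
        out = copy.deepcopy(base)
        for key, value in patch.items():
            if value is None:                       # null in a patch removes the field
                out.pop(key, None)
            elif key in out:
                out[key] = strategic_merge(out[key], value, MERGE_KEYS.get(key))
            else:
                out[key] = copy.deepcopy(value)
        return out
    if isinstance(base, list) and isinstance(patch, list) and list_key:
        out = copy.deepcopy(base)
        position = {item.get(list_key): i for i, item in enumerate(out)
                    if isinstance(item, dict)}
        for item in patch:
            key = item.get(list_key) if isinstance(item, dict) else None
            if key in position:                     # same key: merge into that element
                out[position[key]] = strategic_merge(out[position[key]], item)
            else:                                   # new key: append
                out.append(copy.deepcopy(item))
        return out
    return copy.deepcopy(patch)                     # scalars / keyless lists: replace


# Constructed base (base/deployment.yaml)
BASE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "labels": {"app": "web"},
                 "annotations": {"debug/profiling": "on"}},
    "spec": {"replicas": 1,
             "template": {"spec": {"containers": [
                 {"name": "web", "image": "registry.example/web:latest",
                  "ports": [{"containerPort": 8080}],
                  "env": [{"name": "LOG_LEVEL", "value": "debug"}]}]}}},
}

# Constructed overlay patch (overlays/prod/deployment-patch.yaml)
PROD_PATCH = {
    "metadata": {"labels": {"tier": "prod"},
                 "annotations": {"debug/profiling": None}},   # drop the debug knob
    "spec": {"replicas": 3,
             "template": {"spec": {"containers": [
                 {"name": "web", "image": "registry.example/web:1.4.2",
                  "env": [{"name": "LOG_LEVEL", "value": "info"}],
                  "securityContext": {"runAsNonRoot": True,
                                      "readOnlyRootFilesystem": True}},
                 {"name": "log-shipper", "image": "registry.example/shipper:2.0"}]}}},
}


def build_prod_overlay():
    """What `kustomize build overlays/prod` would emit for this Deployment."""
    return strategic_merge(BASE_DEPLOYMENT, PROD_PATCH)


if __name__ == "__main__":
    import json
    print(json.dumps(build_prod_overlay(), indent=2))
```

The pinned image tag and the securityContext reach production without touching the base file, and the base still carries `replicas: 1` and `latest` for the next overlay that starts from it.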

20
Q

Continuous Delivery Sync (ArgoCD)

A
  • It is a declarative, GitOps continuous delivery tool for Kubernetes.
  • ArgoCD follows the GitOps pattern of using Git repositories as the source of truth.
  • Kubernetes manifests in ArgoCD can be specified in several ways:
      • kustomize applications
      • helm charts
      • jsonnet files
      • plain directory of YAML/JSON manifests
  • ArgoCD is implemented as a Kubernetes controller.
  • It continuously monitors running applications and compares the current, live state
    against the desired target state (as specified in the Git repo).
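The pull workflow (card 18) and the live-versus-desired comparison ArgoCD performs (above), as one added example that is neither Flux's nor ArgoCD's code. The manifests in Git and the cluster contents are plain dicts standing in for YAML and the API server, constructed for the demo; diff_states() is the comparison reported as Synced/OutOfSync, and reconcile() is one tick of the in-cluster agent: it applies what Git says and deletes what Git no longer mentions only when pruning is enabled. Nothing outside the cluster pushes anything.

```python
"""GitOps reconcile loop (added example, not Flux or ArgoCD code)."""
import copy


def resource_key(obj):
    """Identity of a Kubernetes object: (kind, namespace, name)."""
    meta = obj["metadata"]
    return (obj["kind"], meta.get("namespace", "default"), meta["name"])


def diff_states(desired, live):
    """Compare Git (desired) with the cluster (live)."""
    want = {resource_key(o): o for o in desired}
    have = {resource_key(o): o for o in live}
    create = [k for k in want if k not in have]
    update = [k for k in want if k in have and want[k] != have[k]]
    prune = [k for k in have if k not in want]      # in cluster, not in Git
    return create, update, prune


def sync_status(desired, live):
    return "Synced" if not any(diff_states(desired, live)) else "OutOfSync"


class FakeCluster:
    """Minimal stand-in for the API server: a map of objects."""
    def __init__(self, objects=()):
        self.objects = {resource_key(o): copy.deepcopy(o) for o in objects}

    def apply(self, obj):
        self.objects[resource_key(obj)] = copy.deepcopy(obj)

    def delete(self, key):
        self.objects.pop(key, None)

    def live(self):
        return list(self.objects.values())


def reconcile(git_manifests, cluster, prune=False):
    """One tick of the pull agent; returns the actions it took, in order."""
    create, update, prune_keys = diff_states(git_manifests, cluster.live())
    want = {resource_key(o): o for o in git_manifests}
    actions = []
    for key in create + update:
        cluster.apply(want[key])                    # drift is overwritten with Git's version
        actions.append(("apply", key))
    for key in prune_keys:
        if prune:
            cluster.delete(key)
            actions.append(("delete", key))
        else:
            actions.append(("skip-prune", key))     # reported, but left alone
    return actions


def deployment(name, image, replicas):
    """Constructed Deployment manifest (hypothetical registry)."""
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": name, "namespace": "shop"},
            "spec": {"replicas": replicas,
                     "template": {"spec": {"containers": [{"name": name, "image": image}]}}}}


def demo():
    """Git says 3 replicas; someone scaled to 10 and created an extra Deployment by hand."""
    git = [deployment("api", "registry.example/api:2.1.0", 3)]
    cluster = FakeCluster([deployment("api", "registry.example/api:2.1.0", 10),
                           deployment("debug-shell", "registry.example/toolbox:1", 1)])
    before = sync_status(git, cluster.live())
    first = reconcile(git, cluster)                 # drift reverted, orphan kept
    after_no_prune = sync_status(git, cluster.live())
    second = reconcile(git, cluster, prune=True)    # orphan removed
    after_prune = sync_status(git, cluster.live())
    return {"before": before, "first": first, "after_no_prune": after_no_prune,
            "second": second, "after_prune": after_prune,
            "api_replicas": cluster.objects[("Deployment", "shop", "api")]["spec"]["replicas"]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hand-made debug-shell Deployment is exactly the kind of resource that never appears in Git; whether the agent removes it or only reports it is a pruning setting, and until it is removed the application stays OutOfSync.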
21
Q

Infrastructure-as-Code Automation (Terraform)

A

Terraform is an infrastructure-as-code tool that allows you to build, change, and version infrastructure safely and efficiently.

22
Q

Open Policy Agent (OPA)

A
  • Policy engine that provides a common framework
    for applying policy-as-code to any domain.
  • OPA provides a high-level declarative language
    (Rego) for writing policy as code.
  • When a policy decision needs to be made, a
    service sends JSON as input to OPA; OPA
    evaluates the policy and returns the decision (also as JSON).
23
Q

Policy-as-Code in IaC Automation using Regula

A

PaC can be integrated with IaC to
automatically enforce infrastructure policies.
* Regula is a tool that evaluates IaC files (Terraform, CloudFormation,
Kubernetes manifests) for potential security and compliance violations
prior to deployment.
* Regula includes a library of rules written in
Rego.
* The Regula CLI is written in Go; it reads
infrastructure-as-code files and uses OPA to
evaluate them against Regula's library of rules.
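The input/decision contract of OPA (card 22) and the pre-deployment IaC check Regula performs (above), as one added example. This is not OPA or Regula code: Regula's rules are Rego and are evaluated by the OPA engine, whereas here two rules of the same kind are written as Python functions. The input is a constructed sample shaped like the JSON of `terraform show -json plan.out` (the `resource_changes[].type/address/change.after` fields are real Terraform plan fields; the resource names and CIDRs are made up), each rule yields deny messages, and the decision comes back as JSON-shaped data `{"allow": ..., "deny": [...]}`.

```python
"""OPA-style deny rules over a Terraform plan (added example, not OPA/Regula code)."""
import ipaddress


def planned_resources(plan, resource_type):
    """Yield (address, attributes-after-apply) for planned resources of one type."""
    for change in plan.get("resource_changes", []):
        after = change.get("change", {}).get("after")
        if change.get("type") == resource_type and after:   # skip deletions (after == None)
            yield change["address"], after


def deny_public_s3_acl(plan):
    """Rule: S3 buckets must not use a public canned ACL."""
    for address, bucket in planned_resources(plan, "aws_s3_bucket"):
        if bucket.get("acl") in ("public-read", "public-read-write"):
            yield f"{address}: S3 bucket ACL '{bucket['acl']}' makes the bucket public"


def deny_world_open_ssh(plan):
    """Rule: no security-group ingress for port 22 from a /0 (IPv4 or IPv6)."""
    for address, sg in planned_resources(plan, "aws_security_group"):
        for rule in sg.get("ingress", []):
            covers_ssh = rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0)
            for cidr in rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", []):
                if covers_ssh and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    yield f"{address}: ingress rule allows SSH (22) from {cidr}"


RULES = [deny_public_s3_acl, deny_world_open_ssh]


def evaluate(plan):
    """Decision in OPA's shape: allow iff no rule produced a deny message."""
    deny = [msg for rule in RULES for msg in rule(plan)]
    return {"allow": not deny, "deny": deny}


# Constructed plan JSON: one compliant bucket, one public bucket,
# one internal-only security group, one bastion open to the world.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "acme-logs", "acl": "private"}}},
    {"address": "aws_s3_bucket.site", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "acme-site", "acl": "public-read"}}},
    {"address": "aws_security_group.internal", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"from_port": 22, "to_port": 22, "cidr_blocks": ["10.0.0.0/8"]}]}}},
    {"address": "aws_security_group.bastion", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"from_port": 0, "to_port": 65535, "cidr_blocks": ["0.0.0.0/0"]}]}}},
]}


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(SAMPLE_PLAN), indent=2))
```

Running this in CI before `terraform apply` blocks the plan on two findings and lets the compliant resources through; the bastion rule is caught even though it never mentions port 22 explicitly, because the check is on the port range, not on an exact match.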