Kubernetes

An Introduction
 Project
Overview
What Does “Kubernetes” Mean?

Greek for “pilot” or

“Helmsman of a ship”
What is Kubernetes?
● Project that was spun out of Google as an open source
container orchestration platform.
● Built from the lessons learned in the experiences of
developing and running Google’s Borg and Omega.
● Designed from the ground-up as a loosely coupled
collection of components centered around deploying,
maintaining and scaling workloads.
What Does Kubernetes do?
● Known as the linux kernel of distributed systems.
● Abstracts away the underlying hardware of the
nodes and provides a uniform interface for workloads to
be both deployed and consume the shared pool of
resources.
● Works as an engine for resolving state by converging
actual and the desired state of the system.
Decouples Infrastructure and Scaling

● All services within Kubernetes are natively

Load Balanced.
● Can scale up and down dynamically.
● Used both to enable self-healing and
seamless upgrading or rollback of
applications.
Self Healing
Kubernetes will ALWAYS try and steer the cluster to its
desired state.

● Me: “I want 3 healthy instances of redis to always be

running.”
● Kubernetes: “Okay, I’ll ensure there are always 3
instances up and running.”
● Kubernetes: “Oh look, one has died. I’m going to
attempt to spin up a new one.”
What can Kubernetes REALLY do?
● Autoscale Workloads
● Blue/Green Deployments
● Fire off jobs and scheduled cronjobs
● Manage Stateless and Stateful Applications
● Provide native methods of service discovery
● Easily integrate and support 3rd party apps
Most Importantly...

Use the SAME API

across bare metal and
EVERY cloud provider!!!
Project Stats
● Over 55,000 stars on Github
● 2000+ Contributors to K8s Core
● Most discussed Repository by a large
margin
● 70,000+ users in Slack Team

07/2019
Project Stats
 A Couple
Key Concepts...
Pods
● Atomic unit or smallest
“unit of work”of Kubernetes.
● Pods are one or MORE
containers that share
volumes, a network
namespace, and are a part
of a single context.
Pods

They are
also
Ephemeral!
Services
● Unified method of accessing
the exposed workloads of Pods.
● Durable resource
○ static cluster IP
○ static namespaced
DNS name
Services
● Unified method of accessing
the exposed workloads of Pods.
● Durable resource
○ static cluster IP
○ static namespaced
DNS name

NOT Ephemeral!
Architecture
Overview
 Control Plane
Components

Architecture Overview
Control Plane Components

● kube-apiserver
● etcd
● kube-controller-manager
● kube-scheduler
kube-apiserver
● Provides a forward facing REST interface into the
kubernetes control plane and datastore.
● All clients and other applications interact with
kubernetes strictly through the API Server.
● Acts as the gatekeeper to the cluster by handling
authentication and authorization, request validation,
mutation, and admission control in addition to being the
front-end to the backing datastore.
etcd
● etcd acts as the cluster datastore.
● Purpose in relation to Kubernetes is to provide a strong,
consistent and highly available key-value store for
persisting cluster state.
● Stores objects and config information.
etcd
Uses “Raft Consensus”
among a quorum of systems
to create a fault-tolerant
consistent “view” of the
cluster.

https://raft.github.io/
Image Source
kube-controller-manager
● Serves as the primary daemon that
manages all core component control loops.
● Monitors the cluster state via the apiserver
and steers the cluster towards the
desired state.

List of core controllers: https://github.com/kubernetes/kubernetes/blob/master/cmd/kube-controller-

manager/app/controllermanager.go#L344
kube-scheduler
● Verbose policy-rich engine that evaluates workload
requirements and attempts to place it on a matching
resource.
● Default scheduler uses bin packing.
● Workload Requirements can include: general hardware
requirements, affinity/anti-affinity, labels, and other
various custom resource requirements.
 Node
Components

Architecture Overview
Node Components

● kubelet
● kube-proxy
● Container Runtime Engine
kubelet
● Acts as the node agent responsible for managing the
lifecycle of every pod on its host.
● Kubelet understands YAML container manifests that it
can read from several sources:
○ file path
○ HTTP Endpoint
○ etcd watch acting on any changes
○ HTTP Server mode accepting container manifests
over a simple API.
kube-proxy
● Manages the network rules on each node.
● Performs connection forwarding or load balancing for
Kubernetes cluster services.
● Available Proxy Modes:
○ Userspace
○ iptables
○ ipvs (default if supported)
Container Runtime Engine
● A container runtime is a CRI (Container Runtime
Interface) compatible application that executes and
manages containers.
○ Containerd (docker)
○ Cri-o
○ Rkt
○ Kata (formerly clear and hyper)
○ Virtlet (VM CRI compatible runtime)
 Optional
Services

Architecture Overview
cloud-controller-manager
● Daemon that provides cloud-provider specific
knowledge and integration capability into the core
control loop of Kubernetes.
● The controllers include Node, Route, Service, and add
an additional controller to handle things such as
PersistentVolume Labels.
Cluster DNS
● Provides Cluster Wide DNS for Kubernetes
Services.
○ Built on top of CoreDNS
Kube Dashboard

A limited, general
purpose web front end
for the Kubernetes
Cluster.
Heapster / Metrics API Server
● Provides metrics for use with other
Kubernetes Components.
○ Heapster (deprecated, removed last Dec)
○ Metrics API (current)
 Networking

Architecture Overview
Kubernetes Networking
● Pod Network
○ Cluster-wide network used for pod-to-pod
communication managed by a CNI (Container
Network Interface) plugin.
● Service Network
○ Cluster-wide range of Virtual IPs managed by
kube-proxy for service discovery.
Container Network Interface (CNI)
● Pod networking within Kubernetes is plumbed via the
Container Network Interface (CNI).
● Functions as an interface between the container
runtime and a network implementation plugin.
● CNCF Project
● Uses a simple JSON Schema.
CNI Overview
CNI Overview
CNI Plugins

● Amazon ECS ● GCE

● Calico ● kube-router
● Cillium ● Multus
● Contiv ● OpenVSwitch
● Contrail ● Romana
● Flannel ● Weave
Fundamental Networking Rules
● All containers within a pod can communicate with each
other unimpeded.
● All Pods can communicate with all other Pods without
NAT.
● All nodes can communicate with all Pods (and vice-
versa) without NAT.
● The IP that a Pod sees itself as is the same IP that
others see it as.
Fundamentals Applied
● Container-to-Container
○ Containers within a pod exist within the same
network namespace and share an IP.
○ Enables intrapod communication over localhost.
● Pod-to-Pod
○ Allocated cluster unique IP for the duration of its life
cycle.
○ Pods themselves are fundamentally ephemeral.
Fundamentals Applied
● Pod-to-Service
○ managed by kube-proxy and given a persistent
cluster unique IP
○ exists beyond a Pod’s lifecycle.
● External-to-Service
○ Handled by kube-proxy.
○ Works in cooperation with a cloud provider or other
external entity (load balancer).
Concepts
and
Resources
 ● Namespaces
Core ● Pods
● Labels
Objects ● Selectors
● Services

Concepts and Resources

Core Concepts
Kubernetes has several core building blocks
that make up the foundation of their higher
level components.

Namespaces
Pods Services
Labels Selectors
Namespaces
Namespaces are a logical cluster or environment, and are
the primary method of partitioning a cluster or scoping
access.

apiVersion: v1 $ kubectl get ns --show-labels

NAME STATUS AGE LABELS
kind: Namespace default Active 11h <none>
metadata: kube-public Active 11h <none>
name: prod kube-system Active 11h <none>
prod Active 6s app=MyBigWebApp
labels:
app: MyBigWebApp
Default Namespaces
● default: The default $ kubectl get ns --show-labels
namespace for any object NAME default
STATUS
Active
AGE
11h
LABELS
<none>
without a namespace. kube-public
kube-system
Active
Active
11h
11h
<none>
<none>

● kube-system: Acts as
the home for objects and resources created by
Kubernetes itself.
● kube-public: A special namespace; readable by all
users that is reserved for cluster bootstrapping and
configuration.
Pod
● Atomic unit or smallest “unit of
work”of Kubernetes.
● Foundational building block of
Kubernetes Workloads.
● Pods are one or more containers
that share volumes, a network
namespace, and are a part of a
single context.
Pod Examples
apiVersion: v1 apiVersion: v1
kind: Pod
kind: Pod metadata:
name: multi-container-example
metadata: spec:
containers:
name: pod-example - name: nginx
image: nginx:stable-alpine
spec: ports:
containers: - containerPort: 80
volumeMounts:
- name: nginx - name: html
mountPath: /usr/share/nginx/html
image: nginx:stable-alpine - name: content
image: alpine:latest
ports: command: ["/bin/sh", "-c"]
- containerPort: 80 args:
- while true; do
date >> /html/index.html;
sleep 5;
done
volumeMounts:
- name: html
mountPath: /html
volumes:
- name: html
emptyDir: {}
Key Pod Container Attributes
● name - The name of the container Container
● image - The container image
name: nginx
● ports - array of ports to expose. image: nginx:stable-alpine
Can be granted a friendly name and ports:
protocol may be specified - containerPort: 80
name: http
● env - array of environment variables protocol: TCP
env:
● command - Entrypoint array (equiv
- name: MYVAR
to Docker ENTRYPOINT) value: isAwesome
● args - Arguments to pass to the command: [“/bin/sh”, “-c”]
command (equiv to Docker CMD) args: [“echo ${MYVAR}”]
Labels
● key-value pairs that are used to
identify, describe and group
together related sets of objects or
resources.
● NOT characteristic of uniqueness.
● Have a strict syntax with a slightly
limited character set*.

* https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set
Label Example
apiVersion: v1
kind: Pod
metadata:
name: pod-label-example
labels:
app: nginx
env: prod
spec:
containers:
- name: nginx
image: nginx:stable-alpine
ports:
- containerPort: 80
Selectors
apiVersion: v1
Selectors use labels to filter kind: Pod
metadata:
or select objects, and are name: pod-label-example
used throughout Kubernetes. labels:
app: nginx
env: prod
spec:
containers:
- name: nginx
image: nginx:stable-alpine
ports:
- containerPort: 80
nodeSelector:
gpu: nvidia
 Selector Example
apiVersion: v1
kind: Pod
metadata:
name: pod-label-example
labels:
app: nginx
env: prod
spec:
containers:
- name: nginx
image: nginx:stable-alpine
ports:
- containerPort: 80
nodeSelector:
gpu: nvidia
Selector Types
Equality based selectors allow for Set-based selectors are supported
simple filtering (=,==, or !=). on a limited subset of objects.
However, they provide a method of
filtering on a set of values, and
supports multiple operators including:
in, notin, and exist.

selector: selector:
matchLabels: matchExpressions:
gpu: nvidia - key: gpu
operator: in
values: [“nvidia”]
Services
● Unified method of accessing the exposed workloads
of Pods.
● Durable resource (unlike Pods)
○ static cluster-unique IP
○ static namespaced DNS name
<service name>.<namespace>.svc.cluster.local
Services
● Target Pods using equality based selectors.
● Uses kube-proxy to provide simple load-balancing.
● kube-proxy acts as a daemon that creates local
entries in the host’s iptables for every service.
Service Types
There are 4 major service types:
● ClusterIP (default)
● NodePort
● LoadBalancer
● ExternalName
ClusterIP Service
apiVersion: v1
ClusterIP services exposes a kind: Service
service on a strictly cluster metadata:
name: example-prod
internal virtual IP. spec:
selector:
app: nginx
env: prod
ports:
- protocol: TCP
port: 80
targetPort: 80
 Cluster IP Service
Name: example-prod
Selector: app=nginx,env=prod
Type: ClusterIP
IP: 10.96.28.176
Port: <unset> 80/TCP
TargetPort: 80/TCP
Endpoints: 10.255.16.3:80,
10.255.16.4:80

/ # nslookup example-prod.default.svc.cluster.local

Name: example-prod.default.svc.cluster.local
Address 1: 10.96.28.176 example-prod.default.svc.cluster.local
NodePort Service
apiVersion: v1
● NodePort services extend kind: Service
the ClusterIP service. metadata:
name: example-prod
● Exposes a port on every spec:
type: NodePort
node’s IP. selector:
app: nginx
● Port can either be statically env: prod
defined, or dynamically taken ports:
- nodePort: 32410
from a range between 30000- protocol: TCP
32767. port: 80
targetPort: 80
NodePort Service

Name: example-prod
Selector: app=nginx,env=prod
Type: NodePort
IP: 10.96.28.176
Port: <unset> 80/TCP
TargetPort: 80/TCP
NodePort: <unset> 32410/TCP
Endpoints: 10.255.16.3:80,
10.255.16.4:80
LoadBalancer Service
apiVersion: v1
● LoadBalancer services kind: Service
extend NodePort. metadata:
name: example-prod
● Works in conjunction with an spec:
type: LoadBalancer
external system to map a selector:
cluster external IP to the app: nginx
env: prod
exposed service. ports:
protocol: TCP
port: 80
targetPort: 80
LoadBalancer Service

Name: example-prod
Selector: app=nginx,env=prod
Type: LoadBalancer
IP: 10.96.28.176
LoadBalancer
Ingress: 172.17.18.43
Port: <unset> 80/TCP
TargetPort: 80/TCP
NodePort: <unset> 32410/TCP
Endpoints: 10.255.16.3:80,
10.255.16.4:80
Links
● Free Kubernetes Courses
https://www.edx.org/

● Interactive Kubernetes Tutorials

https://www.katacoda.com/courses/kubernetes

● Learn Kubernetes the Hard Way

https://github.com/kelseyhightower/kubernetes-the-hard-way

● Official Kubernetes Youtube Channel

https://www.youtube.com/c/KubernetesCommunity

● Official CNCF Youtube Channel

https://www.youtube.com/c/cloudnativefdn

● Track to becoming a CKA/CKAD (Certified Kubernetes Administrator/Application Developer)

https://www.cncf.io/certification/expert/

● Awesome Kubernetes
https://ramitsurana.gitbooks.io/awesome-kubernetes/content/
Questions?