CKA (Certified Kubernetes Administrator) Notes


Overview

These notes follow the LinuxAcademy course structure, which can be found here: https://linuxacademy.com/course/cloud-native-certified-kubernetes-administrator-cka/. I would recommend viewing the course to gain full and detailed explanations.

I have created these notes as part of my personal learning and hope to be able to
help and inspire others.

As I am also learning, there may well be mistakes; please do reach out and let me know so I can correct them.

Follow me on Instagram: https://www.instagram.com/adnans_techie_studies/

All my notes are hosted here: https://adnan.study

Connect me on LinkedIn: https://www.linkedin.com/in/adnanrashid1/


Cluster Architecture

(Diagram: a master running etcd, scheduler, controller manager and API server; worker nodes running kubelet, kube-proxy and a container runtime.)

Control plane (master) components:

• etcd: key/value store holding the cluster configuration and all cluster data (desired and observed state).
• API server: the communication hub; every other component reads and writes cluster state only through it.
• Scheduler: assigns each new pod to a node.
• Controller manager: runs the control loops that react to node failure and replicate components, keeping the actual number of pods at the declared count.

Worker node components:

• kubelet: manages the containers on the node and reports their state back to the API server.
• kube-proxy: network proxy that runs on each node and maintains the network rules on the node that make services reachable.
• Container runtime (Docker, containerd): runs your containers.

Application model: an application runs on Kubernetes as one or more pods. The kubelet asks the container runtime to pull the pod's images from an image registry and start them, and kube-proxy makes the pods reachable.

API Primitives

• The API server is the only component that communicates with etcd.
• Every component communicates with the API server only, never directly with one another.
• Objects such as pods and services are declarative: the manifest records the desired state, and the control plane works to make the observed state match it.
• kubectl reads YAML files and converts them to JSON when making the request to the API server.

YAML File Composition

Every object manifest has the following top-level fields (status is written by the cluster, not by you):

• apiVersion: the API group and version, giving a clear and consistent view of the resource (for example v1 or apps/v1).
• kind: the kind of object you want to create, such as Pod, Deployment or Job.
• metadata: data that uniquely identifies the object: name (a string), UID (assigned by the API server) and namespace, plus labels and annotations.
• spec: the desired state, for example the container image, volumes and exposed ports.
• status: the observed state of the object; controllers compare it against the desired state in spec and act on the difference.
Services and Network Primitives

Services allow you to dynamically access a group of replica pods through one consistent virtual IP address. The pods behind the service can sit on any node (pod 1 on node 1, pod 2 on node 2); a NodePort service additionally opens the same port, taken from the range 30000-32767, on every node.

Kube-Proxy

Kube-proxy watches the API server for services and their endpoints and handles the traffic associated with a service by creating iptables rules on each node. A packet sent to the service IP is rewritten (DNAT) by those rules to the IP of one of the destination pods, whether that pod is on the local node or on another node.

(Diagram: API server → kube-proxy on node 1 and node 2 → iptables → destination pod.)
Release Binaries, Provisioning and Types of Clusters

Picking the right solution: cloud or on-prem, custom or pre-built.

Custom:
• Install manually
• Configure your own network fabric
• Locate the release binaries
• Build your own images
• Secure cluster communications

Pre-built:
• Minikube
• Minishift
• MicroK8s
• Ubuntu on LXD
• Managed services on AWS, Azure and GCP
Installing Kubernetes Master and Nodes

On the master and on every worker:
1. Add the Docker and Kubernetes GPG keys and package repositories.
2. Update the package index.
3. Install docker, kubelet, kubeadm and kubectl (pin the package versions so an unplanned upgrade cannot break the node).
4. Modify the bridge adapter settings so bridged pod traffic is seen by iptables (net.bridge.bridge-nf-call-iptables=1).

On the master only:
1. Initialise the cluster (kubeadm init).
2. Make the directory for the Kubernetes config ($HOME/.kube).
3. Copy the kube config (/etc/kubernetes/admin.conf) into it.
4. Change ownership of the config to your own user.
5. Apply the Flannel CNI manifest.

Workers then join the cluster with the kubeadm join command printed by kubeadm init. Caveat: admin.conf is a cluster-admin credential; treat it like a root password and do not copy it onto shared machines.
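As an added example (mine, not from the course or these notes), this is the kubeadm configuration file that step 1 of the master procedure can be given with kubeadm init --config instead of command-line flags. The addresses, the load balancer DNS name, the Kubernetes version and the audit policy path are assumptions; the pod subnet is chosen so it matches Flannel's default and the 10.244.x.x addresses used in the networking sections below.

```yaml
# Added example: kubeadm init --config kubeadm-config.yaml
# All addresses, names and versions below are placeholders (assumed).
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 172.31.43.91        # this master's own IP (assumed)
  bindPort: 6443
nodeRegistration:
  criSocket: unix:///run/containerd/containerd.sock
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
kubernetesVersion: v1.28.0              # pin the version explicitly (assumed value)
# Stable name of the load balancer in front of the API servers. Setting it at init
# time is what makes it possible to add more control-plane nodes later (see the HA section).
controlPlaneEndpoint: "k8s-api.example.internal:6443"
networking:
  podSubnet: 10.244.0.0/16              # must match the Flannel manifest
  serviceSubnet: 10.96.0.0/12
  dnsDomain: cluster.local
apiServer:
  extraArgs:
    # The API server is the only writer to etcd, so its audit log is the record of
    # every change to cluster state; switch it on from day one.
    audit-policy-file: /etc/kubernetes/audit-policy.yaml   # policy file must exist on the host (assumed)
    audit-log-path: /var/log/kubernetes/audit.log
    audit-log-maxage: "30"
  # kube-apiserver runs as a static pod, so the host paths have to be mounted into it.
  extraVolumes:
    - name: audit-policy
      hostPath: /etc/kubernetes/audit-policy.yaml
      mountPath: /etc/kubernetes/audit-policy.yaml
      readOnly: true
      pathType: File
    - name: audit-log
      hostPath: /var/log/kubernetes
      mountPath: /var/log/kubernetes
      pathType: DirectoryOrCreate
```

Run kubeadm init --config kubeadm-config.yaml --upload-certs on the first master; the same controlPlaneEndpoint is then reused by every control-plane node that joins.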


Building Highly Available Cluster

All control-plane components can be replicated, but only certain ones can operate simultaneously.

• API server: stateless, so every replica (master 1, master 2 and master 3) is active at the same time. A load balancer in front of the API servers gives the kubelets on worker 1, worker 2 and worker 3 (and kubectl users) a single stable address.
• Controller manager and scheduler: these actively watch the cluster state and take action when it changes. If two instances acted on the same change at the same time they would, for example, both create the replacement pod, leading to duplicate resources or corruption. Only one instance may be in charge of the cluster; the others stand by.

How do we decide which one is in charge? Leader election. With the --leader-elect option (see the scheduler and controller-manager manifests under /etc/kubernetes/manifests) each instance tries to record its identity in a shared resource; the holder identity written there is the current leader, and the lease has to be renewed regularly or another instance takes over. The course describes this shared resource as an Endpoint in kube-system; current releases use a Lease object for the same purpose (kubectl get lease -n kube-system).
Replicating etcd

Topology:
• Stacked: each control-plane node creates a local etcd member. Each member only communicates with the API server on its own node (and with the other etcd members for replication). Fewer machines, but losing a node loses both an API server and an etcd member.
• External: the etcd cluster runs on hosts outside the Kubernetes control plane. More machines, but a failed control-plane node does not affect etcd.

etcd uses the Raft consensus algorithm. Every change to the state must be acknowledged by a majority (more than half) of the members before it is committed, therefore:
• the cluster needs an odd number of members: with n members it tolerates (n - 1) / 2 failures, so 3 members survive 1 failure and 5 survive 2, while 4 members still only survive 1;
• if quorum is lost, no state change can take place in the cluster until it is restored.
Configuring Secure Cluster Communications

All communication with the API server is over HTTPS.

kubectl translates what you ask for into API calls and provides CRUD operations (create, read, update, delete) on the API state; the API server returns a response. Example: creating a pod becomes an HTTP POST to the API server, and the resulting object is stored in etcd.

Each request passes through a chain of plugins before it touches etcd:
1. Authentication: multiple plugins, for example an X.509 client certificate or a bearer token carried in an HTTP header; the first plugin that recognises the credential determines who the caller is.
2. Authorisation: can this user perform this action on this resource (RBAC)?
3. Admission control: for create, modify and delete requests only (reads skip it), plugins can mutate or reject the object, for example to enforce defaults or quotas.
4. Validation: the object is checked against the schema for its kind and then persisted to etcd.
Role-Based Access Control (RBAC)

RBAC is used to prevent unauthorised users from modifying the cluster state.

• Role: defines what can be done (the verbs, such as get, list, create) on which resource, within one namespace.
• RoleBinding: defines who can do it, by binding one or more users, groups or service accounts to a Role in that namespace.
• ClusterRole and ClusterRoleBinding: the same at cluster level, for cluster-scoped resources (nodes, persistent volumes) or for granting access across all namespaces.
Service Account

A service account is the identity of an application running in a pod when it calls the API server. Each pod runs as exactly one service account; if none is named, the default service account of the namespace is used. The account's token is mounted into the container at /var/run/secrets/kubernetes.io/serviceaccount/token (next to ca.crt and the namespace file), and the API server authenticates the pod's requests with it.

A pod can only use a service account that lives in the same namespace: a pod in namespace 1 cannot run as a service account defined in namespace 2.
Running End to End Tests on the Cluster

Why: to verify the performance and response of the cluster before trusting applications to it; poor cluster performance shows up here first. The tests are run with kubetest.

Example tests:
• Deployments can run
• Pods can run
• Pods can be directly accessed
• Logs can be collected
• Commands can be run from pods
• Services can provide access
• Nodes are healthy
• Pods are healthy
Managing the Cluster

Upgrading the cluster: upgrade kubeadm first, then the control plane (kubeadm upgrade), then kubelet and kubectl on each node, one node at a time.

Operating system upgrades:
1. Run applications under Deployments or ReplicaSets so pods evicted from a node are recreated elsewhere.
2. Get the pods on the node (kubectl get pods -o wide) to see what will move.
3. Drain the node (kubectl drain, which also cordons it), then upgrade and reboot it.
4. Uncordon the node to put it back into service.

Backup and restore: the cluster state lives in etcd, so back up etcd (etcdctl snapshot save) and save the snapshot externally, off the cluster. The snapshot contains every Secret in the cluster in readable form unless encryption at rest is enabled, so protect it like the cluster itself.
Pod and Node Networking

Networking within a node: each pod gets its own network namespace with an eth0 interface and an IP from the node's pod range, for example pod 1 at 10.244.1.2 and pod 2 at 10.244.1.3. Each pod's eth0 is one end of a veth pair; the other end (veth2aa and veth808 in the diagram) is attached to a Linux bridge on node 1 with address 10.244.1.1/24, so pods on the same node reach each other through the bridge.

Networking outside of the node: when pod 1 (10.244.1.2 on node 1, 172.31.43.91) sends to pod 2 (10.244.2.3 on node 2, 172.31.34.144) the packet goes pod eth0 → veth → bridge → node eth0 → network → node 2 eth0 → bridge → veth → pod 2. The underlying network does not know the 10.244.x.x pod addresses, so something has to carry the packet between the nodes.

Container Network Interface

CNI itself is the plugin interface the kubelet uses to attach pods to the network; the network plugin behind it (Calico, Flannel, ...) provides the connectivity. The course describes the overlay approach:

• The overlay sits on top of the existing node network and builds a tunnel between the nodes.
• Each outgoing packet (header, data, trailer) is encapsulated in a new packet whose source and destination addresses are the node IPs.
• The plugin keeps a mapping of every pod IP address to the node it lives on (in a userspace program, or pushed into the kernel routing tables).
• When the packet reaches the other node it is de-encapsulated and handed to that node's bridge, so to the receiving pod it appears to have arrived locally.

Example CNI plugins: Calico, Flannel. Calico can also run without an overlay (routes distributed with BGP) and is one of the plugins that enforce NetworkPolicy; Flannel on its own does not enforce policy (see Configuring Network).
Service Networking

Pods come and go: how does the cluster keep track of them? Services.

• A service provides a virtual interface in front of the pods behind it. The pods are selected by label, and the list of endpoints is updated automatically as pods are created and removed.
• A cluster IP (for example 10.104.185.62) is auto-assigned when the service is created and never changes for the life of the service.
• kube-proxy on every node watches the API server and programs iptables with the mapping from the service IP to the current pod IPs (10.244.1.2 on node 1, 10.244.2.3 on node 2); iptables takes care of the internal routing.
• No matter where a pod moves, other pods know how to communicate with it by using the service IP or the service's DNS name.
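As an added example for this section and for Services and Network Primitives above (mine, not from the course), a ClusterIP service and a NodePort service for the same pods. The label app=web, the container port 8080 and the node port are assumptions.

```yaml
# Added example. Assumed: the Deployment's pods carry the label app=web and listen on 8080.
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: default            # DNS name becomes web.default.svc.cluster.local
spec:
  type: ClusterIP               # default: a stable virtual IP reachable only inside the cluster
  selector:
    app: web                    # endpoints are every Ready pod with this label, on any node
  ports:
    - name: http
      port: 80                  # the port clients use on the cluster IP
      targetPort: 8080          # the containerPort the pods actually listen on
---
apiVersion: v1
kind: Service
metadata:
  name: web-nodeport
  namespace: default
spec:
  type: NodePort                # a ClusterIP plus the same port opened on every node
  selector:
    app: web
  ports:
    - name: http
      port: 80
      targetPort: 8080
      nodePort: 31732           # must fall in 30000-32767; omit it to let the API server pick one
  externalTrafficPolicy: Local  # only nodes that actually run a web pod answer, and the client IP is preserved
```

kubectl get endpoints web lists the pod IPs kube-proxy is currently programming into iptables; an empty list means the selector matches nothing or no pod is Ready. A NodePort is listening on every node's address, so it is a hole in the node firewall: restrict the source with a host firewall or a cloud security group.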
Ingress Rules and Load Balancers

NodePort:
• Opens the same port (for example 31732) on every node and forwards to the service's pods (pod 1 on node 1, pod 2 on node 2).
• The client talks to one node at a time; a NodePort cannot split traffic between nodes the way a load balancer does.
• Reachable only on the node addresses; the service does not get an external IP.

LoadBalancer:
• The cloud provider creates an external load balancer that redirects traffic to the node port on all the nodes.
• Clients talk to the load balancer to access the application.
• Every LoadBalancer service gets its own external IP address, which costs money.

Ingress

An Ingress lets you access multiple services through a single IP address, routing by host name and path:
• app.example.com/app1 → app1 service → pods
• app.example.com/app2 → app2 service → pods
• web.example.com → web service → pods

An ingress controller (for example nginx) must be running in the cluster; the Ingress object by itself does nothing. Terminate TLS at the ingress so host names and paths are not visible in transit.
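As an added example (mine, not from the course), the Ingress for the three routes above. It assumes ingress-nginx is installed as the controller (the annotation and ingressClassName are nginx-specific) and that a TLS Secret named example-com-tls exists.

```yaml
# Added example: one IP, three backends, TLS terminated at the ingress controller.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example
  namespace: default
  annotations:
    # Redirect plain HTTP to HTTPS (ingress-nginx annotation; assumed controller)
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [app.example.com, web.example.com]
      secretName: example-com-tls   # Secret of type kubernetes.io/tls (assumed to exist)
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /app1
            pathType: Prefix
            backend:
              service:
                name: app1
                port:
                  number: 80
          - path: /app2
            pathType: Prefix
            backend:
              service:
                name: app2
                port:
                  number: 80
    - host: web.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
```

The backend services stay type ClusterIP: only the ingress controller's own service needs a NodePort or LoadBalancer, which is the whole point of paying for one external IP instead of one per service.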


Cluster DNS

Every service defined in the cluster is assigned a DNS name:

  <service name>.<namespace>.svc.<base domain name>

for example jenkins.default.svc.cluster.local.

Pods get a name built from their IP with the dots replaced by dashes:

  <pod IP with dashes>.<namespace>.pod.<base domain name>

for example 10-0-0-1.default.pod.cluster.local.

A pod's DNS search list includes the pod's own namespace and the cluster's default domain, so a pod in the default namespace can reach the service above as just "jenkins", and a pod in another namespace as "jenkins.default".
Configuring the Kubernetes Scheduler

The scheduler is responsible for assigning each pod to a node based on the resource requirements of the pod. Rules are placed by default; however, you can create your own. Why would you? Worker nodes may have different disks (a pod may need SSD), related pods may need to share the same node, or packing pods tightly may save costs.

For each pod the scheduler filters the nodes with these checks:
1. Does the node have adequate hardware resources?
2. Is the node running out of resources?
3. Does the pod request a specific node (nodeName)?
4. Does the node have a matching label (nodeSelector)?
5. If the pod requests a host port, is it available on the node?
6. If the pod requests a volume, can it be mounted on the node?
7. Does the pod tolerate the taints of the node?
8. Does the pod specify node or pod affinity (or anti-affinity) rules?
Running Multiple Schedulers for Multiple Pods

It is possible to have two schedulers working alongside each other (scheduler 1 and scheduler 2 placing different pods across nodes 1, 2 and 3). Each pod chooses its scheduler with spec.schedulerName; pods that name no scheduler go to the default one.

Scheduling Pods with Limits and Label Selectors

Taints repel work from a node. Example: the master (control-plane) node is tainted NoSchedule so ordinary pods are not placed on it.

Tolerations allow a pod to tolerate a taint. Example: DaemonSet pods such as kube-proxy must run on all nodes, including the master, so they carry a matching toleration.

CPU and memory requests: a pod may not be using all of its requested resources at a given time, but the scheduler looks at the sum of the resources requested by the existing pods on a node, not at their actual usage, when deciding whether a new pod fits.

Two scoring priorities:
• LeastRequestedPriority: prefer the node with the most free resources (spread the pods out).
• MostRequestedPriority: prefer the node that is already most used (pack the pods tightly). Useful in cloud environments, where you are paying for all the resources of every node whether they are used or not, because nodes left empty can be removed.
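As an added example covering this section and the two before it (mine, not from the course), one pod that exercises the scheduler checks listed above: a named scheduler, a node label, a toleration, pod anti-affinity and resource requests. The scheduler name, the disktype label and the image are assumptions.

```yaml
# Added example. Assumed: a second scheduler named my-scheduler is running,
# some nodes carry the label disktype=ssd, and the image exists.
apiVersion: v1
kind: Pod
metadata:
  name: api
  labels:
    app: api
spec:
  schedulerName: my-scheduler       # omit this line to use the default scheduler
  nodeSelector:
    disktype: ssd                   # check 4: node must carry this label (kubectl label node <n> disktype=ssd)
  affinity:
    podAntiAffinity:                # check 8: never put two api pods on the same node
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              app: api
          topologyKey: kubernetes.io/hostname
  tolerations:
    # check 7: allows (does not force) placement on a control-plane node.
    # Older clusters taint with the key node-role.kubernetes.io/master instead.
    - key: node-role.kubernetes.io/control-plane
      operator: Exists
      effect: NoSchedule
  containers:
    - name: api
      image: registry.example.com/api:1.0.0
      resources:
        requests:                   # checks 1-2 use the sum of requests already on the node
          cpu: 250m
          memory: 128Mi
        limits:                     # enforced at run time by the kubelet, not by the scheduler
          cpu: 500m
          memory: 256Mi
```

If no node passes all the filters the pod stays Pending and kubectl describe pod api lists the failed checks per node (for example "node(s) didn't match Pod's node affinity/selector").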
DaemonSets

DaemonSets ensure that a single replica of a pod is running on each node at all times (a pod on node 1, node 2 and node 3). Unlike a ReplicaSet pod, which is rescheduled to whatever node has room, a DaemonSet pod is tied to its node: if you delete a DaemonSet pod, the DaemonSet will simply recreate it on the same node, and new nodes automatically get a copy.
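As an added example (mine, not from the course), a DaemonSet for a node-level agent that also lands on the tainted control-plane node; the image and the agent's purpose are assumptions.

```yaml
# Added example: one agent pod per node, control-plane nodes included.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-monitor
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: node-monitor
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1            # replace the agent one node at a time
  template:
    metadata:
      labels:
        app: node-monitor
    spec:
      tolerations:
        # Control-plane nodes carry a NoSchedule taint; without this toleration the
        # DaemonSet skips them. Older clusters use the key node-role.kubernetes.io/master.
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
      containers:
        - name: monitor
          image: registry.example.com/node-monitor:1.0.0   # assumed image
          securityContext:         # a per-node agent is a tempting target: give it nothing it does not need
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: varlog
              mountPath: /var/log
              readOnly: true       # reads the node's logs, never writes them
      volumes:
        - name: varlog
          hostPath:
            path: /var/log
```

kubectl get ds -n kube-system shows DESIRED equal to the number of nodes; if CURRENT is lower, kubectl describe ds node-monitor names the taint or resource that is keeping a node out.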

Display Scheduler Events

Scheduler-level problems: raise the scheduler's log level (the -v flag in its static pod manifest) and read its logs (kubectl logs -n kube-system kube-scheduler-<node>). Pod-level problems: read the events on the pod (kubectl describe pod, or kubectl get events), which record why a pod could not be scheduled.
Deploying an Application, Rolling Updates and Rollbacks

A Deployment is the high-level resource for deploying and updating apps. It manages ReplicaSets: app v1 runs under one ReplicaSet, and an update creates a second ReplicaSet for app v2 and shifts the pods from one to the other.

• kubectl apply: modifies the existing object to match the YAML, and creates it if it does not exist.
• kubectl replace: replaces the old object with the new one; the object must already exist.
• Rolling update is the preferred strategy: the service is not interrupted, because new pods are brought up while the old ones are still serving. The alternative, Recreate, is the fastest way but interrupts service.
• kubectl rollout undo: rolls back to the previous version (kubectl rollout history lists the revisions).


Configuring an App for HA and Scale

Avoiding bad decisions: block a bad version from being released.
• minReadySeconds: how long a newly created pod should be ready before it is considered available; the rollout waits this long before moving on to the next pod.
• Readiness probe: determines whether a specific pod should receive client requests or not.

Example: Deployment v1 with minReadySeconds 10 and a readiness probe on port 80 checked every second. The probe must return success; if the new pod returns errors it is never marked available, the rollout stalls instead of replacing the remaining healthy pods, and you roll back to the previous version.

Passing configuration options to the app:
• ConfigMap (app-config): key A and key B, exposed either as environment variables or as files under /etc/config through a volume.
• Secret (app-secret): certificates exposed as files under /etc/certs through a volume.
• Store settings in the ConfigMap, create the Secret and pass both to the pod. Multiple containers can use the same ConfigMap, and a change is just an update of the ConfigMap, with no need to rebuild the image.
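As an added example (mine, not from the course), a Deployment that combines the safeguards above: a rolling update that never removes a healthy pod before its replacement has passed the readiness probe and minReadySeconds, with its configuration coming from a ConfigMap. The health endpoint, image and keys are assumptions.

```yaml
# Added example. Assumed: the image serves GET /healthz on port 80 and reads LOG_LEVEL.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  keyA: "info"
  keyB: "100"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 3
  minReadySeconds: 10              # a new pod must stay Ready for 10s before it counts as Available
  progressDeadlineSeconds: 120     # after 120s without progress the rollout is reported as failed
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0            # never take a healthy pod away before its replacement is Available
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: app
          image: registry.example.com/web:v1
          ports:
            - containerPort: 80
          readinessProbe:
            httpGet:
              path: /healthz
              port: 80
            periodSeconds: 1       # checked every second, as in the course example
            failureThreshold: 3
          env:
            - name: LOG_LEVEL
              valueFrom:
                configMapKeyRef:
                  name: app-config
                  key: keyA
          volumeMounts:
            - name: config
              mountPath: /etc/config   # keyA and keyB appear as files here
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: app-config
```

Change the image to v2 and run kubectl rollout status deployment/web: with a broken v2 the new pod never becomes Ready, the status shows 1 pod unavailable for the whole deadline, the three v1 pods keep serving, and kubectl rollout undo deployment/web restores v1.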
Creating a Self-Healing App

ReplicaSets ensure that identically configured pods are running at the desired replica count. Deployments are the recommended way to use them: a Deployment manages its ReplicaSets, and losing a node has no impact on the app because the missing pods are recreated on other nodes.

StatefulSets are for pods that are unique rather than interchangeable:
• when a pod dies it is replaced with the same hostname and configuration;
• a headless service gives each pod its own DNS name, so certain traffic can be sent to a specific pod;
• a volume claim template gives each pod its own storage, since each pod's data is unique.
Persistent Volumes

Pods are ephemeral: when a pod is terminated its local storage is terminated with it. Storage must be independent of the pod, so that if the pod moves the storage follows it.

A PersistentVolume (PV) is a storage resource in the cluster. Provisioning can be:
• static: the cluster admin creates PVs up front and makes them available for consumption;
• dynamic: the PVC requests a StorageClass, and the class's provisioner creates the volume on demand.
Volume Access Modes

By specifying an access mode on your PV, you allow the volume to be mounted by one or many nodes, and to be written by one or read by many. Access modes describe the mount capability of the node, not of the pod, and a volume can only be mounted using one access mode at a time.

• ReadWriteOnce (RWO): only one node can mount the volume for read and write.
• ReadWriteMany (RWX): multiple nodes can mount the volume for read and write.
• ReadOnlyMany (ROX): multiple nodes can mount the volume for reading.
Persistent Volume Claims (PVC)

A PVC allows the application developer to request storage for the application without having to know the underlying infrastructure. The PV and the actual storage stay with the cluster admin; the developer writes the PVC and references it from the pod.

Example: the pod lists the PVC under spec.volumes and mounts it at a mountPath; the PVC requests 1Gi with ReadWriteOnce and is bound to a matching PV.

Reclaim policy of the PV:
• Retain: keep the data in the volume after the claim is released (manual cleanup).
• Recycle: delete the contents of the volume (deprecated).
• Delete: delete the underlying storage.
Storage Objects

Volumes that are already in use by a pod are protected against data loss. If you delete a PVC that a running pod still mounts, the deletion is deferred: the pod can still access the volume, and the PVC is only actually removed once the pod is gone.

• Storage object in use protection: the PVC cannot be removed prematurely while it is still bound and in use.
• Implemented with a finalizer (kubernetes.io/pvc-protection) on the PVC, which holds the object in a Terminating state.
• Sequence: delete the PVC → it stays bound → delete the pod → the PVC gets deleted and the PV is reclaimed according to its policy.

A StorageClass has a provisioner (for example kubernetes.io/aws-ebs), parameters (type: gp2) and a reclaimPolicy (Retain).
Applications with Persistent Storage

Example:
• StorageClass "fast" using the provisioner above.
• PVC with storageClassName: fast, 100Mi, ReadWriteOnce.
• Deployment kubeserve (image v1, replicas: 1) with a volumeMount at /data and a volume of type persistentVolumeClaim.

Steps:
1. Create the StorageClass object
2. Create the PVC object
3. Create the deployment
4. Roll out the deployment
5. Check the pods
6. Create a file on the mount
7. List the contents (then delete the pod and confirm the file is still there on the replacement)
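As an added example (mine, not from the course), the three objects from the steps above in one file, using the names the notes give them; the image and the fsGroup value are assumptions.

```yaml
# Added example. Assumed: the cluster runs on AWS and the image exists.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: fast
provisioner: kubernetes.io/aws-ebs   # in-tree provisioner named in the notes; new clusters use ebs.csi.aws.com
parameters:
  type: gp2
reclaimPolicy: Retain                # data survives deletion of the PVC
allowVolumeExpansion: true
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: kubeserve-data
spec:
  storageClassName: fast
  accessModes: [ReadWriteOnce]
  resources:
    requests:
      storage: 100Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubeserve
spec:
  replicas: 1                        # RWO volume: a second replica on another node would stay Pending
  strategy:
    type: Recreate                   # the old pod must release the RWO volume before the new one can mount it
  selector:
    matchLabels:
      app: kubeserve
  template:
    metadata:
      labels:
        app: kubeserve
    spec:
      securityContext:
        fsGroup: 1000                # volume is made group-writable for this GID (assumed container GID)
      containers:
        - name: app
          image: registry.example.com/kubeserve:v1
          volumeMounts:
            - name: data
              mountPath: /data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: kubeserve-data
```

kubectl get pvc kubeserve-data should show STATUS Bound with a dynamically created PV; kubectl exec into the pod, touch /data/test, delete the pod, and the replacement pod still lists the file.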
Service Accounts and Users

The API server first evaluates who is making the request:
• a service account, for example jenkins, authenticated with its token;
• a normal user, authenticated with a private key and certificate, or with an entry in a user store such as a username/password file.

Service account walkthrough:
• kubectl create serviceaccount jenkins
• Assign it to a pod by putting spec.serviceAccountName: jenkins in the pod manifest (for example busybox.yaml with kind Pod and name busybox). If you do not name a service account, the pod uses the default one.
• kubectl get sa shows default and jenkins; kubectl get sa jenkins -o yaml shows the account and, on older releases, the name of its token secret.
• kubectl get secret <secret name> -o yaml shows the token: a JWT signed with the API server's private key, which it verifies with the matching public key. This is what the request will use to authenticate with the API server.
• A Jenkins server with the Kubernetes plugin configured with this token can now control pods.

Caveat: from Kubernetes 1.24 a service account no longer gets a token Secret automatically. Pods receive short-lived projected tokens, and an external system such as Jenkins gets one with kubectl create token jenkins, or from a Secret of type kubernetes.io/service-account-token that you create yourself.
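As an added example for this section and for Service Account above (mine, not from the course), the jenkins service account, the busybox pod that runs as it, and the long-lived token Secret the external Jenkins server would use; the token mounting choices are my own.

```yaml
# Added example: service account identity for a pod and for an external system.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: default
automountServiceAccountToken: false   # pods get a token only when they opt in, as below
---
apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: default
spec:
  serviceAccountName: jenkins          # must exist in the pod's own namespace
  automountServiceAccountToken: true   # mounts a short-lived projected token at
                                       # /var/run/secrets/kubernetes.io/serviceaccount/token
  containers:
    - name: busybox
      image: busybox:1.36
      command: ["sleep", "3600"]
---
# Long-lived token for the Jenkins server outside the cluster. On 1.24+ this Secret is
# created on request, never automatically. Read it with:
#   kubectl get secret jenkins-token -o jsonpath='{.data.token}' | base64 -d
apiVersion: v1
kind: Secret
metadata:
  name: jenkins-token
  namespace: default
  annotations:
    kubernetes.io/service-account.name: jenkins
type: kubernetes.io/service-account-token
```

The Secret form never expires, so rotate it by deleting and recreating it; where the external system can refresh credentials, prefer kubectl create token jenkins --duration=1h, which yields a token that dies on its own.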
Service Accounts and Users: Remote Users

To let a user access the cluster remotely:
1. Create a ClusterRoleBinding (or RoleBinding) that grants the user's name the rights they need; authentication alone allows nothing.
2. kubectl config set-credentials adnan with the user's client certificate and key. The course also shows --username and --password; static password authentication was removed from the API server in 1.19, so use certificates or tokens.
3. kubectl config set-cluster kubernetes --server=https://<master IP>:6443 --certificate-authority=<CA cert>
4. kubectl config set-context with the cluster (kubernetes), the user (adnan) and a namespace.
5. kubectl config use-context <name>; after that kubectl get nodes works as per normal.

A context ties a cluster and a user together, so one kubeconfig can be used to connect to multiple clusters.
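As an added example (mine, not from the course), the kubeconfig file that the five kubectl config commands above produce; the master address, the file paths and the namespace are assumptions.

```yaml
# Added example: ~/.kube/config after set-cluster, set-credentials, set-context and use-context.
apiVersion: v1
kind: Config
clusters:
  - name: kubernetes
    cluster:
      server: https://172.31.43.91:6443                   # assumed master address
      certificate-authority: /home/adnan/.kube/ca.crt     # pins the API server's CA;
                                                          # never use insecure-skip-tls-verify instead
users:
  - name: adnan
    user:
      client-certificate: /home/adnan/.kube/adnan.crt     # issued through a CertificateSigningRequest
      client-key: /home/adnan/.kube/adnan.key             # keep mode 0600; it is the user's identity
contexts:
  - name: adnan@kubernetes
    context:
      cluster: kubernetes
      user: adnan
      namespace: web                                      # default namespace for this context
current-context: adnan@kubernetes
```

The user name the API server sees is not "adnan" from this file but the CN of the client certificate (with O as the groups), so the RoleBinding in step 1 must reference the certificate subject.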
Cluster Authentication and Authorisation

Authentication is the first step in receiving a request: who is this, a pod (service account) or a human (user), and which groups do they belong to?

Authorisation: what can they do? RBAC rules say which actions can be performed on which resources, and by whom:
• Roles and RoleBindings within a namespace (namespace 1, namespace 2).
• ClusterRoles and ClusterRoleBindings across the cluster.
• A Role references a single namespace and defines what actions are allowed, not who; a RoleBinding can bind it to multiple users, service accounts and groups.

Example:
1. Create a namespace "web".
2. Create a Role in "web" that allows listing services.
3. Create a RoleBinding for a user or service account.
4. Create a ClusterRole that can view persistent volumes (a cluster-level resource) and a ClusterRoleBinding for it.
5. Test with curl from a container against the API server, using the service account token: listing services in the web namespace and persistent volumes at cluster level succeeds, anything else returns 403 Forbidden.
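As an added example for this section and for the RBAC section earlier (mine, not from the course), the objects from steps 1 to 4 above, bound to the jenkins service account and to the user adnan; the object names are my own.

```yaml
# Added example: namespace-scoped rights via Role, cluster-scoped rights via ClusterRole.
apiVersion: v1
kind: Namespace
metadata:
  name: web
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: service-reader
  namespace: web                    # a Role is namespaced: this one only applies inside "web"
rules:
  - apiGroups: [""]                 # core API group, where services live
    resources: ["services"]
    verbs: ["get", "list"]          # no wildcards: "*" here would be a silent privilege grant
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: service-reader
  namespace: web
subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: default              # a binding may reference a subject from another namespace
  - kind: User
    name: adnan                     # the CN of the user's client certificate
roleRef:
  kind: Role
  name: service-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pv-reader
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]   # cluster-scoped, so a Role cannot grant this
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pv-reader
subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: default
roleRef:
  kind: ClusterRole
  name: pv-reader
  apiGroup: rbac.authorization.k8s.io
```

Check the result without a pod: kubectl auth can-i list services -n web --as=system:serviceaccount:default:jenkins answers yes, and kubectl auth can-i create pods -n web --as=system:serviceaccount:default:jenkins answers no. Treat the verbs bind, escalate and impersonate, and the resources secrets and serviceaccounts/token, as admin-level: any Role that grants them is effectively cluster-admin in that namespace.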
Configuring Network

Network policies use label selectors to apply rules to pods, controlling which pods may communicate with which throughout the cluster. Example: the app=web pod is allowed to reach the app=db pod on port 4269 and nothing else.

How:
1. Use a network plugin that enforces policy, for example Canal. Flannel on its own ignores NetworkPolicy objects, and a policy that is silently ignored is worse than none.
2. Create a deployment and expose it as a service.
3. Create a deny-all NetworkPolicy (kind NetworkPolicy, name deny-all, a blank podSelector that matches every pod in the namespace, policyTypes Ingress). Try to access the service: the request now times out.
4. Label the pods (app=db, app=web).
5. Create a NetworkPolicy with podSelector matchLabels app=db and an ingress rule from pods with matchLabels app=web on port 4269. Communication between the two pods on the specified port is allowed again; everything else stays blocked.
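As an added example (mine, not from the course), the policies from steps 3 and 5 above, extended to deny egress as well; the extra egress policy, the kube-dns labels and the use of the kubernetes.io/metadata.name namespace label (set automatically on 1.21+) are my assumptions about the cluster.

```yaml
# Added example: default deny in both directions, then explicit allows.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}                   # blank selector: every pod in the namespace
  policyTypes: [Ingress, Egress]    # the course denies ingress only; denying egress too blocks exfiltration
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-db
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: web
      ports:
        - protocol: TCP
          port: 4269
---
# Because deny-all also covers egress, the web pods need explicit egress for the db port
# and for DNS, otherwise the connection above never leaves the web pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-egress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes: [Egress]
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: db
      ports:
        - protocol: TCP
          port: 4269
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # CoreDNS pods carry this label (assumed default install)
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Policies are additive: there is no deny rule, only the absence of an allow, so test both directions after applying them (a wget from the web pod to the db pod on 4269 succeeds; the same to any other pod or port times out).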
Creating TLS Certificates

The cluster CA signs the TLS certificates used inside the cluster, and components authenticate to the API server with certificates it has issued. Every pod gets the CA certificate at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt so it can verify the API server.

Requesting a certificate for a new identity:
1. Create a private key and a CSR with openssl (server.csr).
2. Create a CertificateSigningRequest object: kind CertificateSigningRequest, name csr-pod-web, with request set to the CSR encoded by cat server.csr | base64 | tr -d '\n'.
3. View it: kubectl describe csr csr-pod-web (condition Pending).
4. Approve it: kubectl certificate approve csr-pod-web; the issued certificate appears base64-encoded in status.certificate.

Caveat: approval is an authorisation decision. Only cluster admins should hold the approve verb on certificatesigningrequests, and the subject of the request (CN and O) must be checked before approving, because a client certificate with O=system:masters is cluster-admin regardless of RBAC.
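As an added example (mine, not from the course), the CSR object for a user certificate using the built-in client signer. The user name, group and lifetime are assumptions, and the request value is a placeholder to be replaced with the base64 of your own CSR. The built-in signers only issue client certificates and kubelet serving certificates, so for the course's pod web-server case you would use your own CA or cert-manager instead.

```yaml
# Added example. Generate the key and CSR first (assumed subject):
#   openssl req -new -newkey rsa:2048 -nodes -keyout adnan.key -out adnan.csr -subj "/CN=adnan/O=developers"
#   cat adnan.csr | base64 | tr -d '\n'
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: csr-adnan
spec:
  request: <base64 of adnan.csr on one line>        # placeholder
  signerName: kubernetes.io/kube-apiserver-client   # built-in signer for client (user) certificates
  expirationSeconds: 86400                          # 24h; a short lifetime limits the damage from a leaked key
  usages:
    - client auth
```

Before approving, decode the subject the requester is asking for: kubectl get csr csr-adnan -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -subject. Then kubectl certificate approve csr-adnan and kubectl get csr csr-adnan -o jsonpath='{.status.certificate}' | base64 -d > adnan.crt produce the certificate that goes into the kubeconfig.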


Secure Images

Pods pull images from a registry: Docker Hub or a private registry (on AWS, Azure, GCP). Control the vulnerabilities in images that go into production by scanning them (for example with Clair); something in an image can crash or compromise the node it runs on.

How to use a private registry:
1. Log in to the private registry (docker login).
2. Tag the Docker image with the registry name.
3. Push it to the private registry.
4. In Kubernetes, create a secret of type docker-registry (kubectl create secret docker-registry with --docker-server, --docker-username and --docker-password).
5. Modify the service account (kubectl patch serviceaccount) to add the secret under imagePullSecrets, so pods using that account pull from the private registry without listing the secret in every pod.
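As an added example (mine, not from the course), the registry secret from step 4 as a manifest, the patched service account from step 5, and a pod that pulls by digest; the registry name, the credential and the digest are placeholders.

```yaml
# Added example. Assumed: registry.example.com, a read-only pull token, a known image digest.
apiVersion: v1
kind: Secret
metadata:
  name: regcred
  namespace: default
type: kubernetes.io/dockerconfigjson
stringData:
  # Same content that kubectl create secret docker-registry produces.
  # Use a read-only pull token, never a personal account password.
  .dockerconfigjson: |
    {"auths": {"registry.example.com": {"username": "puller", "password": "<pull token>"}}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: default
imagePullSecrets:
  - name: regcred                  # every pod using this account pulls with regcred automatically
---
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: default
spec:
  containers:
    - name: web
      # Pin by digest: a tag can be re-pushed with different content, a digest cannot.
      image: registry.example.com/web@sha256:<digest from the registry>
      imagePullPolicy: Always      # re-check the registry instead of trusting a cached layer
  imagePullSecrets:
    - name: regcred                # explicit per-pod form; redundant with the account above, shown for comparison
```

Anyone who can read Secrets in the namespace can read the pull token, so scope it to pull-only on the registry side. kubectl describe pod web shows ErrImagePull with "unauthorized" if the secret is missing or the token is wrong.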
Defining Security Context

A security context limits what a pod or container can do on the node, at the pod and at the container level, so images run with the minimum privilege they need.

Pod level (applies to all containers):
• runAsUser, runAsGroup, fsGroup
• runAsNonRoot

Container level:
• privileged: true gives the container the host's capabilities; avoid it.
• capabilities.add (for example SYS_TIME, NET_ADMIN) unlocks specific kernel-level features; capabilities.drop (for example CHOWN) locks them down.

Example: kind Pod, image alpine, securityContext runAsUser: 405 runs the pod as UID 405 instead of root. Note that runAsUser: 0 is still accepted, so set runAsNonRoot: true as well to make the kubelet refuse to start a container that would run as root.
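As an added example (mine, not from the course), the alpine pod from the notes hardened at both levels; it deliberately does the opposite of the privileged / add SYS_TIME case above. The capability it adds back and the group IDs are assumptions.

```yaml
# Added example: least privilege at pod and container level.
apiVersion: v1
kind: Pod
metadata:
  name: alpine-hardened
spec:
  securityContext:                  # pod level: inherited by every container
    runAsUser: 405                  # the UID from the course example ("guest" in alpine)
    runAsGroup: 100
    fsGroup: 100                    # volumes are made writable for this GID
    runAsNonRoot: true              # kubelet refuses to start a container that would run as UID 0
    seccompProfile:
      type: RuntimeDefault          # the runtime's default syscall filter
  containers:
    - name: alpine
      image: alpine:3.19
      command: ["sh", "-c", "id; sleep 3600"]
      securityContext:              # container level: overrides or extends the pod level
        privileged: false
        allowPrivilegeEscalation: false   # blocks setuid binaries and any capability gain
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]             # start from nothing ...
          add: ["NET_BIND_SERVICE"] # ... and add back only what the app needs (assumed: it binds port 80)
      volumeMounts:
        - name: tmp
          mountPath: /tmp           # the one writable path, since the root filesystem is read-only
  volumes:
    - name: tmp
      emptyDir: {}
```

kubectl logs alpine-hardened prints uid=405 gid=100; kubectl exec alpine-hardened -- touch /etc/x fails with a read-only filesystem error, which is the behaviour you want when an attacker lands in the container.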
Securing the Persistent Key/Value Store

Secrets are key/value pairs whose data must live beyond the life of the pod, and keeping this data secure is crucial to cluster security.

• Passing secrets as environment variables is not best practice: they may be output to log files or inherited by child processes.
• Expose them instead as files in a volume mounted into the container filesystem.
• Every pod already has one: the default service account token secret at /var/run/secrets/kubernetes.io/serviceaccount.

Example: generate a key and certificate for HTTPS to a website, combine them in a Secret, and mount the Secret into the pod. The files are placed on an in-memory (tmpfs) filesystem, so the secret is not written to the node's disk.

Caveat: secrets are stored in etcd base64-encoded, not encrypted, unless encryption at rest is configured on the API server; anyone who can read Secrets in a namespace, or read etcd or its backups, has them.
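As an added example (mine, not from the course), the HTTPS example above as manifests: a TLS Secret and a pod that mounts it as files rather than environment variables. The certificate values are placeholders and the image is an assumption.

```yaml
# Added example. Generate the material, then let kubectl render the Secret:
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout tls.key -out tls.crt -subj "/CN=web.example.com"
#   kubectl create secret tls web-tls --cert=tls.crt --key=tls.key --dry-run=client -o yaml
apiVersion: v1
kind: Secret
metadata:
  name: web-tls
type: kubernetes.io/tls           # the API server insists on both keys being present
data:
  tls.crt: <base64 of tls.crt>    # placeholder
  tls.key: <base64 of tls.key>    # placeholder
---
apiVersion: v1
kind: Pod
metadata:
  name: web
spec:
  automountServiceAccountToken: false   # this pod never calls the API, so do not hand it a token
  containers:
    - name: nginx
      image: nginx:1.25           # assumed to be configured to read /etc/certs
      ports:
        - containerPort: 443
      volumeMounts:
        - name: certs
          mountPath: /etc/certs   # tls.crt and tls.key appear here, backed by tmpfs
          readOnly: true
  volumes:
    - name: certs
      secret:
        secretName: web-tls
        defaultMode: 0400         # key readable only by the file owner
```

kubectl exec web -- mount | grep /etc/certs shows the tmpfs mount; a rotated certificate written to the Secret appears in the pod within the kubelet's sync period without a restart, which an env var could never do.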
Monitoring the Cluster Components

The metrics server collects CPU and memory data from the nodes (node metrics: CPU cores and utilisation, memory) and from the pods (pod metrics: CPU, memory) through the kubelet on each node, and exposes them through the API server.

Install the metrics server, then:
• kubectl top nodes: CPU and memory for all the nodes
• kubectl top pods: CPU and memory for all the pods in the current namespace
• kubectl top pods --all-namespaces: all namespaces
• kubectl top pods -n kube-system: the kube-system namespace
• kubectl top pods --containers: broken down per container within each pod
Managing Cluster Component Logs

Use kubectl logs to read app and system logs and understand what is happening inside the cluster when debugging. Containers should write to stdout/stderr; the runtime captures those streams and the kubelet exposes them on the node under /var/log/containers.

• Logs accumulate over time, and with many microservices it is hard to tell which logs are which.
• Pattern: a logging agent sidecar container in the pod reads the app container's log files (log 1, log 2) and ships them, so you can access specific logs.
• Rotation of log files the application writes itself is not handled natively: use other tooling. (The kubelet does rotate the captured stdout logs under /var/log/containers.)


Troubleshooting Application Failure

Termination message: a container can write the reason it is exiting to a specific file (terminationMessagePath, default /dev/termination-log). Example pod1.yaml: kind Pod, name pod1, image busybox, with a command that writes to that file before exiting; kubectl describe pod pod1 will show the error message.

Only particular fields of a running pod can be changed, for example the image. To change other fields of a failed pod, export its configuration, modify the YAML (for example change the memory request), delete the pod and recreate it.

Common causes of application failure:
• discovery error (service or DNS name not found)
• app communication error
• ImagePullBackOff / ErrImagePull
• CrashLoopBackOff
• FailedMount
• Pending (unschedulable)
• RBAC error (403 from the API server)
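As an added example (mine, not from the course), the pod1 manifest with a custom termination message path; the failure text is constructed.

```yaml
# Added example: make the reason for a crash visible in kubectl describe.
apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  restartPolicy: Never
  containers:
    - name: busybox
      image: busybox:1.36
      # Write the reason to the termination message file, then exit non-zero (constructed failure).
      command:
        - sh
        - -c
        - 'echo "config error: DB_HOST not set" > /var/run/termination.log; exit 1'
      terminationMessagePath: /var/run/termination.log   # default is /dev/termination-log
      terminationMessagePolicy: FallbackToLogsOnError      # if the file is empty, use the last log lines instead
```

kubectl describe pod pod1 shows the text under State: Terminated / Message, and kubectl get pod pod1 -o jsonpath='{.status.containerStatuses[0].state.terminated.message}' extracts it for scripts.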
Troubleshoot Failures

Control plane:
• The Kubernetes API server is down: a software fault, or the control plane has lost the storage attached to it.
• The kubelet service has crashed on a node.
• etcd could crash independently of the rest of the control plane.

What to check:
• View the events from the control plane components, and view the logs of the control plane pods.
• Check the status of the kubelet service and view its logs (journalctl -u kubelet).
• Disable swap; the kubelet will not start with swap enabled by default.
• Check the status of the Docker (container runtime) service.
• Check the firewalld service: the ports the control plane needs must be open.
• View the kubelet configuration and the kubeconfig it uses.
• View the syslog/journal logs.
• Generate a new bootstrap token (kubeadm token create) if a node can no longer join.

Worker troubleshooting:
• View the node status (kubectl get nodes) and get detailed info (kubectl describe node).
• Ping the IP address of the node; SSH into the node.

Networking:
• Access the pods directly by IP.
• Look up the service via DNS, and check the pod's resolv.conf.
• Check the iptables rules and the endpoints of the service.
• Check that the CNI plugin is healthy and that the kubernetes service in the default namespace is reachable.
Visit https://adnan.study for all notebooks
