Section 1
Events from external and internal event sources are channeled through a trigger, and rules allow actions to react to these events.
rule
associates a trigger with an action. Every time the trigger fires, the rule uses the trigger event as input and invokes the associated action.
What are the main differences between a ReplicaSet and HPA?
ReplicaSet works with a set number of pods; HPA scales up and down as needed. HPA allows configuration of the desired state of CPU and memory and scales accordingly; ReplicaSets lack that ability.
Helm can do the following:
- Create new charts from scratch
- Package charts into chart archive (tgz) files
- Interact with chart repositories where charts are stored
- Install and uninstall charts into an existing Kubernetes cluster
- Manage the release cycle of charts that have been installed with Helm
three service models
Infrastructure, Platform, Software
Which of the following is true on how to enable autoscaling for your application?
- Can be created automatically behind the scenes to manage a deployment.
- Can be created manually by specifying kind: HorizontalPodAutoscaler in the YAML file.
PersistentVolume
is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Classes. It is a resource in the cluster just like a node is a cluster resource. PVs are volume plugins like Volumes, but have a lifecycle independent of any individual Pod that uses the PV. This API object captures the details of the implementation of the storage, be that NFS, iSCSI, or a cloud-provider-specific storage system.
Limit Ranges
A LimitRange is a policy to constrain resource allocations (to Pods or Containers) in a namespace.
IBM Cloud™ File Storage
is persistent, fast, and flexible network-attached, NFS-based File Storage. In this network-attached storage (NAS) environment, you have total control over your file shares' function and performance. File Storage shares can be connected to up to 64 authorized devices over routed TCP/IP connections for resiliency.
IBM Cloud™ Block Storage
is persistent, high-performance iSCSI storage that is provisioned and managed independently of compute instances. iSCSI-based Block Storage LUNs are connected to authorized devices through redundant multi-path I/O (MPIO) connections.
Limiting Pod Compute Resources (Compute Resource Quota)
- limits.cpu: Across all pods in a non-terminal state, the sum of CPU limits cannot exceed this value.
- limits.memory: Across all pods in a non-terminal state, the sum of memory limits cannot exceed this value.
- requests.cpu: Across all pods in a non-terminal state, the sum of CPU requests cannot exceed this value.
- requests.memory: Across all pods in a non-terminal state, the sum of memory requests cannot exceed this value.
Release
A release is a running instance of a chart, combined with a specific config.
how to add rolling updates
- Add Liveness and Readiness Probes to your Deployments
- Add a Rolling Update Strategy to your YAML file
Some of the security considerations for an enterprise grade registry are:
- Assign Role-Based Access Control (RBAC).
- Scan for vulnerabilities in images.
- Digitally sign images to ensure each image is trusted.
- Use authentication methods such as access tokens or JSON key files, or use Identity and Access Manager (IAM) settings, similar to what IBM's Cloud Container Registry does.
What should namespaces have (cr)?
- Be unique across all IBM Cloud accounts in the same region.
- Start and end with a letter or number.
- Contain lowercase letters, numbers, hyphens (-), and underscores (_) only.
- The namespace must have 4-30 characters.
With IBM Cloud™ Kubernetes Service, you can manage in-cluster and external networking by making apps publicly or privately accessible.
true
You can limit the total sum of storage resources that can be requested in a given namespace. In addition, you can limit consumption of storage resources based on associated storage-class.
true
You could possibly supply the environment variable directly in the YAML file as shown below.
true
In release 1.10, quota support for extended resources is added.
true
Kubernetes storage class
Used to abstract the underlying storage platform that is supported in IBM Cloud so that you do not have to know all the details about supported sizes, IOPS, or retention policies to successfully provision persistent storage in a cluster.
PersistentVolumeClaim
A PersistentVolumeClaim (PVC) is a request for storage by a user. It is similar to a Pod. Pods consume node resources and PVCs consume PV resources. Pods can request specific levels of resources (CPU and Memory). Claims can request specific size and access modes (e.g., they can be mounted once read/write or many times read-only).
What is a Container Registry?
A container registry is a service which provides a collection of repositories in which you can store images. It can also have API paths and access control rules. Container registries can be hosted publicly or privately.
Kubernetes supports four basic types of network services:
- ClusterIP
- NodePort
- LoadBalancer
- Ingress

ClusterIP services make your apps accessible internally to allow communication between pods in your cluster only. NodePort, LoadBalancer, and Ingress services make your apps externally accessible from the public internet or a private network.
the information about limit ranges.
- Compute Resources: Enforce minimum and maximum compute resource usage per Pod or Container in a namespace.
- Storage Request: Enforce minimum and maximum storage request per PersistentVolumeClaim in a namespace.
- Limit for a Resource in a Namespace: Enforce a ratio between request and limit for a resource in a namespace.
- Request/Limit for Compute Resources: Set default request/limit for compute resources in a namespace and automatically inject them into Containers at runtime.
three types of handlers:
- ExecAction: Executes a specified command inside the Container. The diagnostic is considered successful if the command exits with a status code of 0.
- TCPSocketAction: Performs a TCP check against the Container's IP address on a specified port. The diagnostic is considered successful if the port is open.
- HTTPGetAction: Performs an HTTP GET request against the Container's IP address on a specified port and path. The diagnostic is considered successful if the response has a status code greater than or equal to 200 and less than 400.
Chart
The chart is a bundle of information necessary to create an instance of a Kubernetes application.
Config
The config contains configuration information that can be merged into a packaged chart to create a releasable object.
Ingress
Expose multiple apps in a cluster by setting up routing with the Ingress application load balancer (ALB). The ALB uses a secured and unique public or private entry point, an Ingress subdomain, to route incoming requests to your apps. You can use one subdomain to expose multiple apps in your cluster as services. Ingress consists of three components:
- The Ingress resource defines the rules for how to route and load balance incoming requests for an app.
- The ALB listens for incoming HTTP, HTTPS, or TCP service requests. It forwards requests across the apps' pods based on the rules that you defined in the Ingress resource.
- The multizone load balancer (MZLB) for classic clusters or the VPC load balancer for VPC clusters handles all incoming requests to your apps and load balances the requests among the ALBs in the various zones. It also enables health checks for the public Ingress IP addresses.
benefits of the IBM Container Registry.
- Highly available and scalable private registry
- Image security compliance with Vulnerability Advisor
- Quota limits for storage and pull traffic
Ingress consists of three components:
- Ingress resources
- Application load balancers (ALBs)
- Multizone load balancer (MZLB) for classic clusters or the VPC load balancer for VPC clusters
When do I use static provisioning?
- Make retained data available to the cluster
- Use an existing storage device
- Share persistent storage across clusters in the same zone
- Share persistent storage across namespaces in the same cluster
Why Use Helm?
- Manage Complexity
- Easy Updates
- Simple Sharing
- Rollbacks
Which of the following are a cluster-level resource that controls security-sensitive aspects of the pod specification?
Pod security policies
When do I use dynamic provisioning?
- Provision storage when needed
- Automate the creation of PVC, PV, and storage device
- Create and delete storage often
Vulnerability Advisor provides functions to help you to secure your images.
- Scans images for issues.
- Provides an evaluation report that is based on security practices that are specific to IBM Cloud Kubernetes Service.
- Provides recommendations to secure configuration files for a subset of application types.
- Provides instructions about how to fix a reported vulnerable package or configuration issue in its reports.
- Provides verdicts to Enforcement Tools.
- Applies exemptions to reports at an account, namespace, repository, or tag level to mark when issues that are flagged do not apply to your use case.
Which statements are true for a container registry?
- Service which provides a collection of repositories in which you can store images
- Has API paths and access control rules
- Can be hosted publicly or privately
Each probe has one of three results:
- Success: The Container passed the diagnostic.
- Failure: The Container failed the diagnostic.
- Unknown: The diagnostic failed, so no action should be taken.
LoadBalancer
The LoadBalancer service type is implemented differently depending on your cluster's infrastructure provider.

Classic clusters: Network load balancer (NLB). Every standard cluster is provisioned with four portable public and four portable private IP addresses that you can use to create a layer 4 TCP/UDP network load balancer (NLB) for your app. You can customize your NLB by exposing any port that your app requires. The portable public and private IP addresses that are assigned to the NLB are permanent and do not change when a worker node is re-created in the cluster. You can create a subdomain for your app that registers public NLB IP addresses with a DNS entry. You can also enable health check monitors on the NLB IPs for each subdomain.

VPC clusters: Load Balancer for VPC. When you create a Kubernetes LoadBalancer service for an app in your cluster, a layer 7 VPC load balancer is automatically created in your VPC outside of your cluster. The VPC load balancer is multizonal and routes requests for your app through the private NodePorts that are automatically opened on your worker nodes. By default, the load balancer is also created with a hostname that you can use to access your app.
Configmaps can be created in a few different ways:
- Using string literals.
- Using an existing properties or "key"="value" file.
- Providing a configmap YAML descriptor file.

Both the first and second ways can help us create such a YAML file.
The steps for Vulnerability Advisor checks are below.
Vulnerability Advisor checks for vulnerable packages in images that are using supported operating systems and provides a link to any relevant security notices about the vulnerability. Packages that contain known vulnerability issues are displayed in the scan results. The possible vulnerabilities are updated daily by using the published security notices for the Docker image types that are listed in the following table. The scanning of an image is triggered in one of the following ways:
- When a new image is pushed to the registry.
- When a new security notice is released for a package that is installed in the image, the image is queued for rescanning, which might take some time to complete.
- While an image is tagged in the registry, it is rescanned every week.
NodePort
When you expose apps with a NodePort service, a NodePort in the range of 30000 - 32767 and an internal cluster IP address is assigned to the service. To access the service from outside the cluster, you use the public or private IP address of any worker node and the NodePort in the format <IP_address>:<nodeport>. However, the public and private IP addresses of the worker node are not permanent.
The Rolling Updates feature best supports which of the following scenarios?
- When you want to update an image with minimal downtime in the application.
- When you want to update the number of pods you are using with your application.
ClusterIP
You can expose apps only as cluster IP services on the private network. A clusterIP service provides an in-cluster IP address that is accessible by other pods and services inside the cluster only.
Probe
A diagnostic performed periodically by the kubelet on a Container. To perform a diagnostic, the kubelet calls a Handler implemented by the Container.
Red Hat OpenShift
An open source container application platform based on the Kubernetes container orchestrator. With Red Hat® OpenShift on IBM Cloud™, you can deploy apps on highly available OpenShift clusters that run the Red Hat OpenShift on IBM Cloud Container Platform software on Red Hat Enterprise Linux machines.
Which of the following are compute resource types that can be limited, if desired, on each container within a pod?
- cpu
- memory
Resource Quotas
Defined by a ResourceQuota object, a resource quota provides constraints that limit aggregate resource consumption per namespace. It can limit the quantity of objects that can be created in a namespace by type, as well as the total amount of compute resources that may be consumed by resources in that project.
What Helm charts are supported in IBM Cloud Kubernetes Service?
- iks-charts
- ibm-charts
- ibm-community
- kubernetes
- kubernetes-incubator
- entitled
The kubelet can optionally perform and react to three kinds of probes on running Containers:
- livenessProbe: Indicates whether the Container is running. If the liveness probe fails, the kubelet kills the Container, and the Container is subjected to its restart policy. If a Container does not provide a liveness probe, the default state is Success.
- readinessProbe: Indicates whether the Container is ready to service requests. If the readiness probe fails, the endpoints controller removes the Pod's IP address from the endpoints of all Services that match the Pod. The default state of readiness before the initial delay is Failure. If a Container does not provide a readiness probe, the default state is Success.
- startupProbe: Indicates whether the application within the Container is started. All other probes are disabled if a startup probe is provided, until it succeeds. If the startup probe fails, the kubelet kills the Container, and the Container is subjected to its restart policy. If a Container does not provide a startup probe, the default state is Success.
By default, how many pods are assigned when you create a ReplicaSet?
one
what is not a result of a probe
paused
Rolling updates:
- Provide a way to roll out app changes in an automated and controlled fashion throughout your pods.
- Work with pod templates such as deployments.
- Allow for rollback if something goes wrong.
IBM Cloud Container Registry
provides a multi-tenant, highly available, scalable, and encrypted private image registry that is hosted and managed by IBM®. You can use IBM Cloud Container Registry by setting up your own image namespace and pushing container images to your namespace.
Developers can limit which of the following resources on pods? Click the two correct answers.
- Storage resources within a namespace
- Consumption of storage resources based on the associated storage class
IBM® Cloud Object Storage
stores encrypted and dispersed data across multiple geographic locations. This getting started tutorial walks through the steps that are needed to use IBM Cloud Object Storage to create buckets, upload objects, and set up access policies to allow other users to work with your data.
what is true about replica sets
- To handle failovers in the event of a crash
- To run duplicate deployments
- To scale the applications to meet increasing demand
- To handle sudden spikes in demand
Horizontal Pod Autoscaler (HPA) enables applications to increase the number of pods based on __________.
traffic
A namespace is a collection of repositories that store your container images in IBM Cloud Container Registry.
true
All pods that are deployed to a worker node are assigned a private IP address in the 172.30.0.0/16 range and are routed between worker nodes only.
true
An image repository is used to store versions of a container image for distribution and deployment. You can push images to and pull images from a repository; push and pull are the container image terms similar to write and read.
true
ConfigMaps provide one way to supply this configuration data to pods and deployments so that it is not hardcoded inside the application code. Furthermore, you can reuse these configmaps and secrets for multiple deployments, thus decoupling the environment from the deployments themselves! Secrets work similarly to configmaps but are meant for sensitive information.
true
Dynamic provisioning is a feature that is native to Kubernetes and that allows a cluster developer to order storage with a pre-defined type and configuration without knowing all the details about how to provision the physical storage device.
true
Examples of these variables may include non-sensitive information like environments (dev, test, prod) or sensitive information like API keys and account IDs, for configmaps and secrets respectively.
true
Helm helps you manage Kubernetes applications — Helm Charts help you define, install, and upgrade even the most complex Kubernetes application. Charts are easy to create, version, share, and publish — so start using Helm and stop the copy-and-paste. Helm is a graduated project in the CNCF and is maintained by the Helm community.
true
Helm is a Kubernetes package manager that uses Helm charts to define, install, and upgrade complex Kubernetes apps in your cluster. Helm charts package the specifications to generate YAML files for Kubernetes resources that build your app. These Kubernetes resources are automatically applied in your cluster and assigned a version by Helm. You can also use Helm to specify and package your own app and let Helm generate the YAML files for your Kubernetes resources.
true
If you create a private Kubernetes LoadBalancer service, your app is accessible only to systems that are connected to your private subnets within the same region and VPC. If you are connected to your private VPC network, you can access your app through the hostname that is assigned by the VPC load balancer to the Kubernetes LoadBalancer service in the format 1234abcd-<region>.lb.appdomain.cloud.
true
If you create a public Kubernetes LoadBalancer service, you can access your app from the internet through the hostname that is assigned by the VPC load balancer to the Kubernetes LoadBalancer service in the format 1234abcd-<region>.lb.appdomain.cloud.
true
Kubernetes always tries to keep the desired number of pods.
true
Newer Clusters: In clusters that were created after February 2018 in the dal13 zone or after October 2017 in any other zone, services are assigned an IP from one of the 65,000 IPs in the 172.21.0.0/16 range.

Older Clusters: In clusters that were created before February 2018 in the dal13 zone or before October 2017 in any other zone, services are assigned an IP from one of 254 IPs in the 10.10.10.0/24 range. If you hit the limit of 254 services and need more services, you must create a new cluster.
true
Vulnerability Advisor checks for vulnerable packages in specific Docker base images, and known vulnerabilities in app configuration settings. When vulnerabilities are found, information about the vulnerability is provided. You can use this information to resolve security and configuration issues.
true
When you expose your app by creating a Kubernetes service of type NodePort, a NodePort in the range of 30000 - 32767 and an internal cluster IP address is assigned to the service. The NodePort service serves as the external entry point for incoming requests for your app. The assigned NodePort is publicly exposed in the kubeproxy settings of each worker node in the cluster. Every worker node starts listening on the assigned NodePort for incoming requests for the service. To access the service from the internet, you can use the public IP address of any worker node that was assigned during cluster creation and the NodePort in the format <IP_address>:<nodeport>. If you want to access the service on the private network, use the private IP address of any worker node instead of the public IP address.
true
When you push images to IBM Cloud Container Registry, you benefit from the built-in Vulnerability Advisor features that scan for potential security issues and vulnerabilities.
true
Two types of network access controls comprise the layers of VPC security:
Access Control Lists (ACLs): An ACL is a list of rules that limit who can access a particular subnet within your VPC.

Security Group: With a security group, you can create groups of resources (which may be situated in more than one subnet) and assign uniform access rules to them. For example, if you have three applications in three different subnets, and you want them all to be public Internet-facing, you can place them in the same security group. Security groups act like virtual firewalls, controlling the flow of traffic to your virtual servers, no matter which subnet they are in.
Each step of a container's life cycle.
- Acquire: The life cycle starts with acquiring capabilities or content.
- Build: The second step in the life cycle is the cloud application build.
- Deliver: In the third step, you'll define deployment specifics. IBM provides automation tools to automate this process. You'll then hand the signed-off application package to a production team.
- Deploy: In the deploy step, the signed-off application is loaded into a production environment. The need for updates is also addressed in this step.
- Run: The run step sets the management system and the runtime environment around your container.
- Maintain: Finally, the maintenance step determines how you'll get visibility into your application.
VPC Features
- Agile
- Secure
- Resilient
- VPC subnets
The purpose of container orchestration is that it:
- Aids in the provisioning and deployment of containers to make this a more automated, unified, and smooth process.
- Ensures that containers are redundant and available so that applications experience minimal downtime.
- Scales containers up and down to meet demand, and load balances requests across instances so that no one instance is overwhelmed.
- Handles the scheduling of containers to underlying infrastructure.
- Performs health checks to ensure that applications are running, and takes necessary actions when checks fail.
FROM
Any valid Dockerfile must first begin with a FROM instruction. This instruction initializes a new build stage and specifies the base image that subsequent instructions will build upon. Often this base image will be from a public repository, like an operating system or a base image for a specific language like Go or Node.js. This base image is the starting point for the rest of your image.
Hybrid Cloud Use Cases
Cloud Scaling: A business has on-premise infrastructure that can handle a certain amount of user load. The hybrid cloud allows them to scale up in response to a larger load, then automatically de-provision resources when they no longer need them.

Multicloud: Composite clouds are applications that are spread across multiple cloud environments. If a business has on-premise architecture that allows them to run three components of their app but the system gets bogged down in busier times, such as holidays, they take advantage of the multicloud architecture by composing their application across multiple cloud environments.

Modernization: An example of modernization would be a company that's created a mobile application to modernize for new user experiences. Another option would be to add services to an existing airline reservation service. The second a flight is delayed, passengers are notified through their phone so they can rebook reservations.
VMware Solutions use cases
Companies like American Airlines, TD Bank, Vodafone, and Honeywell are just some of the large companies that partner with IBM using VMware Solutions to help them securely migrate to the IBM Cloud™. The client has the ability to select data centers and availability zones, and the client can then deploy, configure and manage services according to the client's requirements and subject to the applicable laws. VMware is out to innovate in everything, including building and supporting products and enabling customers. By 2021, 30% of VMware workloads on the private cloud will migrate to the public cloud. VMware's "Any" vision (any device, with any application, on any cloud) guarantees a consistent user experience on whatever device users are on.
key concepts of the hybrid cloud architecture
Connect: Existing applications that are running on-prem, in a private cloud, and in a public cloud need a way to be securely connected. There are a lot of solutions, such as multi-cluster management tools and Kubernetes, that can help you with connectivity in hybrid cloud architectures.

Modernize: Break apart an application and move parts of it to the public cloud, which lets you take better advantage of the scaling that the public cloud offers.

Security: Take advantage of your existing on-premise assets, security, and ease of use, while securely moving some assets to a public and possibly private cloud.
Some features of IBM Cloud™ for VMware Solutions.
- Data center transformation: Extend and migrate your virtual machines (VMs) to the cloud to consolidate multiple data centers, expand for additional capacity to address resource constraints, or replace aging infrastructure with the latest innovations in the cloud.
- Disaster recovery, business continuity, and high availability: Easily stand up a disaster-recovery or backup site in the cloud, without the expense and complexity of additional on-premises infrastructure. Take advantage of the geographic resiliency and security profiles built into IBM Cloud™ and its no-cost data transfer capability between IBM Cloud™ sites.
- Workload security and compliance: Offload security maintenance and access compliance measures through IBM Cloud. IBM Cloud™ offers the highest level of key-management encryption with FIPS 140-2 Level 4 certification and bring-your-own-key (BYOK) security, so only you can access your data.
- Transformation and modernization of VMware workloads: Modernize your VMware workloads with Red Hat® OpenShift®. Improve business outcomes with new technologies like AI and blockchain, integrate existing VMware-based applications into a hybrid cloud strategy, and innovate freely between containers and VMware VMs.
Some of the benefits of hybrid clouds:
- Endless public resources to scale out your application while retaining some private capabilities, such as keeping your own infrastructure and hardware
- With the option of the public cloud, you're no longer tied to a specific vendor
- Hybrid cloud architecture offers portability features
- Better scalability: leverage the public cloud for a period of time, then return to private once the surge is met
IBM Cloud™ has bare metal servers to fit every workload.
- Fast provisioning servers: IBM Cloud™ offers pre-configured servers that meet the needs of most use cases. These servers are considered "fast provision" because your compute options (number of cores, speed, RAM, and number of drives) are preset. Preset servers are ready to configure 30 - 40 minutes after provisioning.
- Custom-based servers: If one of the fast provisioning servers doesn't meet your workload needs, you can customize your Bare Metal Servers to meet your needs. Customized servers are provisioned in 2-3 hours and offer a greater variety of cores, speeds, RAM, and drives.
- SAP-certified bare metal servers: IBM Cloud™ Bare Metal Servers are certified to support your SAP HANA and SAP NetWeaver workloads.
VPC benefits
- Flexible Business Growth
- Increase Customer Satisfaction
- Trusted Business Response
Options for hosted and self-hosted registries.
Hosted Registry: Several hosted registries are available, such as IBM Cloud Container Registry. In this case, the user does not need to deploy or maintain the registry in any way; this is done by the provider. The user is only responsible for using the registry as they wish.

Self-Hosted Registry: However, there are also registry offerings that can be run in private data centers or on the cloud of one's choosing. The functionality will be largely the same either way.
VMware Solutions Benefits
- Hypervisor and full administrator access
- Multiple SDDC configurations and hardware options
- Multiple storage options
- Security and compliance
- Business continuity and high availability
- Network backbone and geographic reach
- Migration made easy
- VMware expertise
- Modernize apps to accelerate innovation
- Leverage and optimize investment in IBM Middleware
Availability zones
IBM Cloud™ Region: A region is a geographically and physically separate group of one or more availability zones with independent electrical and network infrastructures isolated from other regions. Regions are designed to remove shared single points of failure with other regions and guarantee low inter-zone latency within the region.

IBM Cloud™ Availability Zone: An availability zone is a logically and physically isolated location within an IBM Cloud™ region with independent power, cooling, and network infrastructures. It is isolated from other zones to strengthen fault tolerance by avoiding single points of failure between zones while also guaranteeing high bandwidth and low inter-zone latency within a region.
Bare Metal Servers
IBM Cloud™ enables you to deploy a high-performance compute and storage infrastructure in over 60 IBM Cloud™ data centers around the world that are automated and standardized to provide a seamless global platform for cloud resources. Bare metal servers provide the raw horsepower that many organizations require for processor-intensive and disk I/O-intensive workloads. Many organizations favor IBM Cloud™ because of the easy access it provides to bare metal servers.
Private Cloud Benefits
- IT control
- Reduced costs
- Controlled access & security
- Greater agility
The three service models.
- Infrastructure-as-a-Service (IaaS): With IaaS, a vendor provides clients pay-as-you-go access to storage, networking, servers and other computing resources in the cloud.
- Platform-as-a-Service (PaaS): With PaaS, a service provider offers access to a cloud-based environment in which users can build and deliver applications. The provider supplies the underlying infrastructure.
- Software-as-a-Service (SaaS): With SaaS, a service provider delivers software and applications through the internet. Users subscribe to the software and access it via the web or vendor APIs.
The following are the primary features of IaaS:
- Instead of purchasing hardware outright, users pay for IaaS on demand
- Infrastructure is scalable depending on processing and storage needs
- Saves enterprises the costs of buying and maintaining their own hardware
- Because data is on the cloud, there can be no single point of failure
- Enables the virtualization of administrative tasks, freeing up time for other work
Which of the following is true about how to create a ReplicaSet?
- It is created automatically when you create a Deployment.
- It can be built from scratch when you apply a YAML file with the kind "ReplicaSet."
Each component of the k8s control plane.
- Kubernetes API Server: First is the Kubernetes API server, which exposes the Kubernetes API. All communication in the cluster utilizes this API. For example, the Kubernetes API server accepts commands to view or change the state of the cluster.
- etcd: Next is etcd, a highly available key-value store that contains all the cluster data. When you tell Kubernetes to deploy your application, that deployment configuration is stored in etcd. etcd is thus the source of truth for the state in a Kubernetes cluster, and the system works to bring the cluster state into line with what is stored in etcd.
- Scheduler: The Kubernetes scheduler assigns newly created Pods to nodes. This basically means that the kube-scheduler determines where your workloads should run within the cluster. You will learn more about Pods and nodes shortly.
- Kubernetes Controller Manager: The Kubernetes controller manager runs all the controller processes that monitor the cluster state and ensure that the actual state of a cluster matches the desired state. You will learn more about controllers shortly.
- Cloud Controller Manager: Finally, the cloud controller manager runs controllers that interact with the underlying cloud providers. Since Kubernetes is open source and would ideally be adopted by a variety of cloud providers and organizations, Kubernetes strives to be as cloud agnostic as possible. The cloud-controller-manager allows both Kubernetes and the cloud providers to evolve freely without introducing dependencies on the other.
The Kubernetes Master is a collection of three processes that run on a single node in your cluster, which is designated as the master node. Those processes are:
Kubernetes API server: The Kubernetes API server validates and configures data for the API objects, which include pods, services, replicationcontrollers, and others. The API Server services REST operations and provides the frontend to the cluster's shared state through which all other components interact.

Kubernetes Controller Manager: The Kubernetes controller manager is a daemon that embeds the core control loops shipped with Kubernetes. In applications of robotics and automation, a control loop is a non-terminating loop that regulates the state of the system. In Kubernetes, a controller is a control loop that watches the shared state of the cluster through the apiserver and makes changes attempting to move the current state towards the desired state.

Kubernetes Scheduler: The Kubernetes scheduler is a policy-rich, topology-aware, workload-specific function that significantly impacts availability, performance, and capacity. The scheduler needs to take into account individual and collective resource requirements, quality of service requirements, hardware/software/policy constraints, affinity and anti-affinity specifications, data locality, inter-workload interference, deadlines, and so on. Workload-specific requirements will be exposed through the API as necessary.
Use Cases for Containers
Microservices; DevOps; Hybrid, Multi-Vendor; App Modernizing and Migration
Private cloud use cases.
Modernize Applications: A private cloud is an opportunity for organizations to modernize and unify in-house and legacy applications. They can leverage the power of the compute resources on the cloud.

Integrate Data & Services from Existing Applications: Organizations can leverage their private cloud compute capability for larger jobs while pulling data into an application on a private cloud to leverage public cloud services, or opening their data centers to work with cloud services.

Application Portability: This is a key feature of cloud platforms. The private cloud gives organizations the ability to build applications anywhere and move them without compromising security or compliance.

Security: Security and regulatory concerns about moving to a public cloud, including data sensitivity, make for common use of the private cloud, giving full control over critical security and compliance issues from within their dedicated cloud.
Some examples of Kubernetes objects are:
Namespaces, Names, Labels, Selectors
five essential characteristics
On-demand Self-service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service
Public Cloud Benefits
On-demand resources; Economies of scale; Highly reliable
Pod States
PENDING - The API Server has created a pod resource and stored it in etcd, but the pod has not been scheduled yet, nor have container images been pulled from the registry.
RUNNING - The pod has been scheduled to a node and all containers have been created by the kubelet.
SUCCEEDED - All containers in the pod have terminated successfully and will not be restarted.
FAILED - All containers in the pod have terminated. At least one container has terminated in failure.
UNKNOWN - The API Server was unable to query the state of the pod, typically due to an error in communicating with the kubelet.
The following are the primary features of PaaS:
PaaS provides a platform with tools to test, develop and host applications in the same environment
Enables organizations to focus on development without having to worry about underlying infrastructure
Providers manage security, operating systems, server software and backups
Facilitates collaborative work even if teams work remotely
virtual server type (deployment) options.
Public
The IBM Cloud™ Virtual Servers public offerings are IBM-managed, multi-tenant virtual server deployments. They give you rapid scalability and higher cost effectiveness with pre-defined sizes that meet business requirements to get you up and running quickly. Public virtual servers have many advantages, including the following:
Global availability: The public virtual server offering is available in data centers across the globe.
Configuration choices, rapid deployment, and scalability: The public virtual server offering gives you small or large virtual server options to meet various workload requirements.

Transient
The IBM Cloud™ Virtual Servers transient offering is a good option if you have flexible workloads and want cost savings. You will save money by running your workload on a transient virtual server. Transient instances are provisioned when there is unused capacity available. Therefore, when data center resources are needed for full, on-demand accounts, you can also lose those resources. Transient instances are de-provisioned on a first-on, first-off basis when those resources need to be reclaimed. Transient virtual servers offer the following flexibility:
Global availability: The transient virtual server offering is available in data centers across the globe.
Cost savings: Transient virtual servers are ideal for non-production workloads. For example, you might use a transient instance to test and develop applications, or test scalability in environments that don't require constant uptime.
Transient instances are public instances that use SAN-backed storage. The following families of public instances are available for this offering.

Reserved
The IBM Cloud™ Virtual Servers reserved instances offering is a great option if you want guaranteed resources for future deployments and cost savings. You choose between either a one- or three-year contract term for your reserved capacity. Within that reserved capacity, you can reserve a set of up to 20 virtual server instances of a specific size and provision those instances when you need them. You are guaranteed this capacity within the POD and data center of your choice for the life of the contract term. Reserved virtual server instances offer many advantages, including the following:
Guaranteed capacity: When you reserve capacity, this capacity is guaranteed for the life of your contract term.
Global availability: The reserved virtual server offering is available in data centers across the globe.
Reliable provisioning: You can provision and reclaim virtual server instances to your reserved capacities at any time.
Cost savings: Choosing either a one- or three-year contract term allows for consistent monthly payments and reduced costs compared to hourly or monthly virtual server billing cycles.
Reserved virtual server instances are public instances that use SAN-backed storage. The following families of public instances are available for this offering.

Dedicated
The IBM Cloud™ infrastructure dedicated host offering is a virtualized, single-tenant, dedicated server. It provides you with maximum control over workload placement and flexible post-provisioning options. You can decide which pre-determined IBM Cloud data center your virtual servers are placed in and can be assured capacity by allocating your host(s) directly to your account. The offering includes the following features:
Affinity and anti-affinity: You can specify host-to-virtual server and virtual server-to-virtual server relationships that should remain, which are known as affinity and anti-affinity rules. These rules help you make sure that your workloads are placed appropriately based on your workload requirements.
Post-deployment management: You can migrate virtual servers between dedicated hosts based on your workload requirements.
Workload visibility: You can view resource consumption (core, RAM, and local storage) for each host, giving you maximum control over your workload management.
Three deployment models
Public: The public cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Private: The private cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off-premises.

Hybrid: The hybrid cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, public, on or off-premises) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
The following are the primary features of SaaS:
SaaS vendors provide users with software and applications via a subscription model
Users do not have to manage, install or upgrade software; SaaS providers manage this
Data is secure in the cloud; equipment failure does not result in loss of data
Use of resources can be scaled depending on service needs
Applications are accessible from almost any internet-connected device, from virtually anywhere in the world
key features of the virtual server.
Seamless integration; Fully customizable; Rapid provisioning; Remote management; Easily scalable
Public Cloud Concerns
Security; Data sovereignty; Compliance
ADD and COPY
The ADD and COPY commands are similar and allow you to copy files into your image. You would use this to, for instance, put your application code or executable into your image. The main difference between these two is that COPY can only copy local files or directories while ADD can also add files from remote URLs.
ENV
The ENV command allows you to set environment variables in the image.
RUN
The RUN instruction executes commands. So, for instance, you can put a bash command in a RUN instruction to perform a desired action. Each instruction is a new layer, so this will commit a new layer on top of your previous layers.
kube-proxy
The container runtime is responsible for downloading images and running containers.
Lite
The features of lite account types include:
Free account
Never expires
Use one org in one IBM Cloud region
Free basic support for non-production environments
Email notifications on account status and quota limits
Cloud Foundry apps can access up to 256 MB of free runtime memory
Provision one instance of any service in the catalog with a lite plan
Apps become inactive without development in 10 days to reduce reaching memory quota limits
Plans are deleted after 30 days of no development activity to prevent deleting instances before creating new ones
Pay-as-you-go
The features of pay-as-you-go account types include:
For PAYGO, credit card details need to be supplied
Access to all services, plans, and regions
Charges based on use of services
Access to lite (free) services
Eligible for free tier allowances on runtimes and services
Billed monthly
Promotional $200 credit when upgrading
Subscription
The features of subscription account types include:
Designed for organizations with larger monthly spends
Upgrade through IBM Cloud™ sales
Combined minimum spending amount per month
Subscription discount applied to that amount
Spending over the subscription amount is charged at the non-discounted rate
Full access to all services in all regions
CMD
There can only be one CMD instruction in a Dockerfile. If you put more than one, only the last will take effect. The main purpose for this instruction is to provide a default for executing a container. Often this instruction will define the executable that should run in your container.
IBM Cloud™ regions and zones provide a full cloud service stack that enables highly available, redundant, and geographically dispersed customer solutions. This architecture provides the foundation you need to build and deploy your mission-critical applications in the cloud:
Uniformity and consistency of cloud services between locations
Improved resiliency and availability of the cloud platform and infrastructure
Containers have three possible states
Waiting: Default state of a container.
Running: Indicates that the container is executing without issues.
Terminated: Indicates that the container completed its execution and has stopped running. A container enters this state when it has successfully completed execution or when it has failed for some reason.
package
a bundle of feeds and actions. Integrations with services and event providers can be added with packages.
Sequence
a chain of actions, invoked in order, where the output of one action is passed as input to the next action.
feed
a convenient way to configure an external event source to fire trigger events that can be consumed by Cloud Functions.
ReplicaSet
a group of identical Pods that are running.
The US National Institute of Standards and Technology (NIST) defines cloud computing as
a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Kubernetes
a portable, extensible, open-source platform for managing containerized workloads and services that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available.
IBM Cloud™ VPC
a protected space in the IBM Cloud™. IBM Cloud™ VPC provides the advanced security of a private cloud with the agility and ease of a public cloud. Define and control virtual networks in logically isolated segments of the IBM public cloud. Use virtual private clouds to isolate and provision network segments on the IBM Cloud™, deploy and manage compute, storage, and networking cloud resources. IBM Cloud™ VPC offers agile scalability for easy business growth, high availability for better customer satisfaction, security for workloads, and lower total cost of ownership.
VMware solutions shared
a standardized and customizable deployment of a VMware Virtual Data Center environment. It is a self-service, on-demand platform with VMware Cloud Director running on IBM Cloud; it uses public virtual compute, providing options for vCPU, RAM, storage, networking, and IP.
FaaS
a type of cloud-computing service that allows you to execute code in response to events without the complex infrastructure typically associated with building and launching microservices applications.
resource group
a way for you to organize your account resources into customizable groups so that you can quickly assign users access to more than one resource concurrently.
resource
an entity in your account that you create from the IBM Cloud™ catalog, such as a provisioned instance of an IBM Cloud™ service.
container
an executable unit of software in which application code is packaged, along with its libraries and dependencies, in common ways so that it can be run anywhere, whether on a desktop, on-premises, or in the cloud.
Deployment
an object that provides updates for both Pods and ReplicaSets.
Examples of Computing Resources Include:
applications, networks, services, storage, servers
IBM Cloud™ Virtual Servers
are scalable virtual servers that are purchased with cores and memory allocations.
A control loop
is a non-terminating loop that regulates the state of a system.
Use Cases for Bare Metal Servers
Compliance-related workloads that require single-tenant devices
High-performance and data-intensive applications requiring minimal latency-related delays
Big data analytic applications
Container-based solutions
SAP solutions
GPU-intensive solutions
Dedicated power for gaming
Media, monitoring and streaming applications
Applications requiring high degrees of security control
Applications that have traditionally run in an on-premises environment
Challenges of Cloud Adoption
Data security, associated with loss or unavailability of data causing business disruption
Governance and sovereignty issues
Legal, regulatory, and compliance issues
Lack of standardization in how the constantly evolving technologies integrate and interoperate
Choosing the right deployment and service models to serve specific needs
Partnering with the right cloud service providers
Concerns related to business continuity and disaster recovery
Namespaces
contain Cloud Functions entities, such as actions and triggers, and belong to a resource group.
two key types of commands:
declarative (kubectl apply) and imperative (kubectl create).
A Dockerfile can be used with any open source containerization software.
false
FaaS benefits
Focus more on code, not infrastructure. Allows you to divide a server into functions that can be scaled automatically and independently. Pay only when an action occurs; pay for the resources you use, when you use them. Scale up and down automatically: functions are scaled automatically, independently, and instantaneously as needed. Inherently high availability. Get robust cloud infrastructure.
trigger
is a declaration that you want to react to a certain type of event, whether from a user or by an event source.
Action
is a piece of code that performs one specific task. Actions can also automatically respond to events from IBM Cloud™ services and third-party services by using a trigger.
FaaS best practices
Make each function perform one action. Use as few libraries as possible. Don't make functions call other functions.
VM solutions products
Shared: Multitenant infrastructure offers cost-effective, flexible capacity and scalability. Reserve capacity ahead of time or choose to consume on-demand.
Dedicated: Client-managed, single-tenant infrastructure offers higher levels of isolation for enhanced security and compliance readiness.
Single-node trials: The single-node trial for migration is available in two tailored versions for the modernization of your VMware workloads or to try disaster recovery (DR) on IBM Cloud.
container runtimes
software that executes containers
IBM Cloud™ for VMware Solutions
the most secure, enterprise-grade cloud for VMware at scale, including security leadership, enterprise-grade capabilities, and VMware expertise at scale. This utilizes the highest level of data encryption available, creates an automated way of deploying solutions with rapid provisioning, offers many options for storage, and is the largest manager of workloads.
Controllers
they watch the state of a Kubernetes cluster and take action to ensure that the cluster's state matches the desired state. Generally, the controller will send a message to the API server to initiate an action that will help bring the current state in line with the desired state.
A Pod represents a process running in your cluster; further, it represents a single instance of an application running in your cluster. Most often, a Pod wraps a single container, though in some cases a Pod may encapsulate multiple tightly coupled containers that share resources. This is a more advanced use case; in general, consider a Pod as a wrapper for a single container.
true
A deployment of Kubernetes is called a cluster
true
An IBM Cloud™ account is required for ordering and using IBM Cloud™ services. In this section, we'll review the different IBM accounts such as lite, pay-as-you-go, and subscription.
true
Consider the following regarding resource groups:
Users are granted access to resources in a resource group
Any account resource that is managed by using Cloud IAM access control belongs to a resource group within your account
true
FaaS is focused on the event-driven computing paradigm wherein application code, or containers, only run in response to events or requests.
true
Hyper Protect Virtual Servers is a LinuxONE-based virtual server that clients may customize and purchase on IBM Cloud™.
true
IBM Cloud™ Functions is an event-driven compute platform that runs code in response to events or direct invocations.
true
IBM Power Systems Virtual Servers are a form of infrastructure-as-a-service (IaaS) that allows AIX/IBM i capabilities in the cloud today.
true
In general, there are three parts to an image name: 1) Hostname, 2) Repository, 3) Tag
true
Kubelet is the most important component. This controller communicates with the kube-apiserver to receive new and modified Pod specifications and ensure that those Pods and their associated containers are running as desired. The kubelet also reports to the control plane on health and status. In order to start a Pod, the kubelet uses the container runtime, the last component on the nodes.
true
Kubernetes objects define the state of your cluster.
true
Serverless is focused on any service category, such as compute, storage, database, messaging, API gateways, etc.
true
IBM Cloud™ Functions is a polyglot FaaS programming platform that is based on the open source project Apache OpenWhisk. With IBM Cloud™ Functions, you can create stateless code snippets, or actions, that are set to perform one specific task.
true
To grant users access to resources in an account, organize the resources that are enabled to use Cloud IAM into resource groups and assign users to those groups.
true
Virtual servers are deployed to the same VLANs as physical servers, allowing you to spread workloads across virtual servers and bare metal servers, while maintaining interoperability. Virtual servers are fully customizable when you order them, with options to scale up as your compute needs grow.
true
With IBM Cloud™ Functions, you can create stateless code snippets, called actions, that are set to perform one specific task.
true
A Dockerfile is a blueprint from which an image is built. The Dockerfile outlines all steps to be taken to build the desired image; when you use Docker to build from a Dockerfile, an image results.
true
A user can interface with Container Registry through the CLI or GUI.
true
Declarative commands are preferred for production environments.
true
Kubernetes does not limit the types of applications.
true
The benefits of cloud adoption are categorized into flexibility, efficiency, and strategic value.
true
With IBM Cloud™ image templates,
you can capture an image of a virtual server to quickly replicate its configuration with minimal changes in the order process. Image templates provide an imaging option for all Virtual Servers, regardless of the operating system. Image templates are not compatible with bare metal servers.
With IBM Cloud™ Functions
you can use your favorite programming language to write lightweight code that runs app logic in a scalable way. You can run code on-demand with HTTP-based Application Programming Interface (API) requests from applications or run code in response to IBM Cloud™ services and third-party events.