K8s Components
Aggregated APIs (AA)
The API calls are then accepted by kube-apiserver, and then passed along to your custom API server to actually be handled and taken care of.
Why use helm?
The use of helm can be very handy for installing complex applications with many parts, both ones that we might create ourselves and vendor-provided software, which we can gain access to by adding repositories in a very easy-to-use manner.
Drawbacks of using federation
There will be an increase in inter-cluster communication, and data, using more bandwidth. Administration of a federated cluster adds another level of complexity and consideration. Also, large federated clusters are new, so code maturity can be a consideration.
In what metadata are object weights currently set?
annotations
How grant access to create new CRD resource and controller
If you use RBAC, you need to grant access via RBAC. If you use an aggregated API, you can use the same or a different authentication process.
If a node has multiple taints the scheduler_____.
ignores those with matching tolerations. The remaining unignored taints have their typical effect.
What state will a pod be in when searching for a node with matching labels?
Pending
Prometheus
Provides time-series database as well as integration with Grafana for visualization and dashboards. Part of the Cloud Native Computing Foundation. As a K8s plugin, it allows one to scrape resource usage metrics from K8s objects across the entire cluster. It also has several client libraries which allow you to instrument your application code in order to collect application level metrics.
What is a collection of helm charts called?
Repository
add a helm package so you can view it
helm repo add <package>
display repos for helm
helm repo list
Search for packages
helm search <package>
nodeSelector: { net: fast }
Any node with a key of net set to fast would be a candidate for scheduling. Remember that labels are administrator-created tags, with no tie to actual resources. This node could have a slow network.
Ingress Rule
An API resource that you can create with kubectl. When you create this resource, it reprograms and reconfigures your Ingress Controller to allow traffic to flow from the outside to an internal service. You can leave a service as a ClusterIP type and define how the traffic gets routed to that internal service using an Ingress Rule.
operator
An agent that creates and manages one or more instances of a specific stateful application. Examples are Deployments or DaemonSets.
toleration
A label that allows a pod to run on a tainted node.
Helm Chart
A template of what Helm should install. It would declare the volumes used, policies, pods, and applications that should be deployed.
What do we use to add a new API server to cluster acting as a subordinate to kube-apiserver?
Aggregated APIs
How does Federation give higher availability to our K8s cluster?
Because each of our independent K8s clusters will copy their information to the federated Control Plane. This allows us to move objects from one cluster to another very easily. This could be an advantage. Should a particular cluster fail, the objects created inside of that cluster would then be started on a different cluster without you having to do anything. We can affect where objects are deployed through weights that allow us to move our data closer to the end user (what we call locality of data). This can have advantages for performance.
Describe the lifecycle of a dependency with helm.
By initializing a database to keep track of what is installed and how it's installed, and continuing to use the helm command for the entire lifecycle of the package.
NodeSelector
Call out a particular pod for a node to run on
Custom Resource Definition: kind
Camelcased singular type used in resource manifests
What are the three major components when working with Helm?
Chart
preferredDuringSchedulingIgnoredDuringExecution
Choose a node with the desired setting before those without. If no properly-labeled nodes are available, the Pod will execute anyway. This is more of a soft setting, which declares a preference instead of a requirement.
federation-controller-manager
Connects to each local API server, both sending API calls, as well as regular health interrogation
Custom Resource Definition: scope
Determines if the object exists in a singular namespace or is cluster-wide
Pool
Each path for traffic uses a group of like objects referred to as a pool. Each pool regularly checks the next hop up to ensure connectivity.
What is the main reason to use an Ingress Controller instead of multiple services?
Efficiency.
How often will a ClusterController sync with ClusterStatus to ensure the health of a cluster?
Every 40 seconds
Ingress Controller
Exposes a pod to other pods or the outside world. Efficient: instead of individual services for each of the pods, we can set up a controller that handles all the traffic. Currently, there are two supported controllers, one for nginx and the other for GCE. HAProxy is being developed, but is not yet considered a supported and stable resource.
A chart deployment output tells us about missing dependencies (T/F)
False
All Custom Resource Definitions must exist in a namespace.
False
All resources can be federated in Kubernetes v1.9 (T/F)
False
Heapster
For ingesting key metrics for applications. Also used for horizontal pod autoscaling. Integrated with the K8s dashboard
For the Google Load Balancer Controller (GLBC) multi-pool path
Global forwarding rule -> Target HTTP proxy -> URL map -> Backend Service -> Instance Group
A Custom Ingress Controller Template
Has easy integration with RBAC. Uses the annotation kubernetes.io/ingress.class: "nginx". L7 traffic requires the proxy-real-ip-cidr setting. Bypasses kube-proxy to allow session affinity. Does not use conntrack entries for iptables DNAT. TLS requires the host field to be defined.
What are some useful tools for monitoring?
Heapster, Fluentd, Prometheus, Grafana
What do multiple etcd databases within federation allow for?
Higher availability, scalability, greater fault tolerance, moving data based on weights.
Why add Federation to K8s?
Higher availability, better performance, avoiding vendor lock.
Basic Troubleshooting Steps
If there are errors on the command line, investigate them first. The symptoms of the issue will probably determine the next step. Working from the application running inside a container out to the cluster may be a good idea. If the pod is running, use 'kubectl logs pod-name' to view the standard output of the container. Without logs, you may consider deploying a sidecar container in the Pod to generate and handle logging. Next check networking, including DNS, firewalls, and general connectivity, using standard Linux commands and tools.
What does the following for podAntiAffinity mean?
podAntiAffinity:
  preferredDuringSchedulingIgnoredDuringExecution:
  - weight: 100
    podAffinityTerm:
      labelSelector:
        matchExpressions:
        - key: security
          operator: In
          values:
          - S2
      topologyKey: kubernetes.io/hostname
In a large, varied environment, there may be multiple situations to be avoided. As a preference, this setting tries to avoid certain labels, but will still schedule the Pod on some node. As the Pod will still run, we can provide a weight to a particular rule.
operators for pod affinity
In, NotIn, Exists, DoesNotExist, Gt, and Lt.
An Ingress controller uses ____ to handle traffic from outside the cluster
Ingress Rules
Where does federation run?
Inside of a pod on a chosen host cluster and stores cluster information via a PVC in a new 10Gi etcd database
What is Helm?
Is like a package manager for Kubernetes
How is an Ingress Controller different than most controllers
It does not run as part of the kube-controller-manager binary.
How does an Ingress Controller work?
It is a daemon running in a pod which watches the /ingresses endpoint on the API server, found under the extensions/v1beta1 group, for new objects. When a new endpoint is created, the daemon uses the configured set of rules to allow inbound connections to a service, most often HTTP traffic. This allows easy access to a service through an edge router to Pods, regardless of where the pod is deployed.
Master components
Master components provide the cluster's control plane. Master components make global decisions about the cluster (for example, scheduling), and detect and respond to cluster events (starting up a new pod when a replication controller's 'replicas' field is unsatisfied). Master components can be run on any machine in the cluster. However, for simplicity, setup scripts typically start all master components on the same machine, and do not run user containers on this machine.
taint effects
NoSchedule, PreferNoSchedule, NoExecute
Why do we need exterior monitor tools for k8s?
Not ingested by K8s
TLS Ingress does not support
SNI
If a container does not provide logging, what could be used to generate and handle logging in the Pod?
Sidecar container
There are two ways of adding custom resources to the cluster.
The simple way is adding a new object to the existing cluster. A potentially more complex way is what's called aggregated APIs.
Currently TLS Ingress assumes
TLS termination
What does the following for podAffinity mean?
affinity:
  podAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
    - labelSelector:
        matchExpressions:
        - key: security
          operator: In
          values:
          - S1
      topologyKey: failure-domain.beta.kubernetes.io/zone
The Pod can be scheduled on a node running a Pod with a key label of security and a value of S1. If this requirement is not met, the Pod will remain in Pending state.
tolerationSeconds
The amount of time a Pod will remain on a server. When the time runs out, the pod will be evicted.
Custom Resource Definition: group
The group name will become part of the REST API under /apis/group/version
In a federated cluster if a member node does not respond properly
The manager control-loop will redeploy resources until the expected deployment state has been met.
taint effect "PreferNoSchedule"
The scheduler will avoid using this node, unless there are no untainted nodes for the Pod's toleration. Existing pods are unaffected.
taint effect "NoSchedule"
The scheduler will not schedule a Pod on this node, unless the Pod has this toleration. Existing Pods continue to run, regardless of toleration.
NoExecute
This will cause existing Pods to be evacuated and no future Pods scheduled. Should an existing Pod have a toleration, it will continue to run. If the Pod's tolerationSeconds is set, it will remain for that many seconds, then be evicted. Certain node issues will cause the kubelet to add 300 second tolerations to avoid unnecessary evictions.
How does helm install dependencies using a chart?
Through a process called Tiller. Tiller uses the chart to determine what to install and how to install it.
Why do we monitor?
To collect key metrics such as CPU, memory, and disk usage, and the network bandwidth of your nodes.
When a node has been tainted, what does a Pod require to be deployed on that node?
Toleration
Multiple Ingress Controllers
Traffic should use annotations to select the proper controller. The lack of a matching annotation will cause every controller to attempt to satisfy ingress traffic.
Both L3 and L7 can be configured (T/F)
True
In v1.9 we can still use the resources known as Third Party resources prior to Kubernetes v1.8.
True
Kubernetes does not provide cluster-wide logging. (T/F)
True
Custom Resource Definition
We can add our own objects, controllers, or watch loops. While adding an object is very straightforward, it could be complex to add a watch loop, depending on the resource you are trying to monitor.
preferredDuringSchedulingIgnoredDuringExecution weights.
Weights can be declared as a value from 1 to 100. The scheduler then tries to choose, or avoid the node with the greatest combined value.
Federation
When we add another control plane above our existing K8s cluster.
nodeName and nodeSelector allow
a Pod to be assigned to a single node or a group of nodes with particular labels.
If using PreferredDuringScheduling an empty topologyKey is assumed to be
all, or the combination of kubernetes.io/hostname, failure-domain.beta.kubernetes.io/zone and failure-domain.beta.kubernetes.io/region
taints
allow a node to be labeled such that Pods would not be scheduled for some reason, such as the master node after initialization. A toleration allows a Pod to ignore the taint and be scheduled, assuming other requirements are met.
topologyKey
allows a general grouping of Pod deployments. Affinity (or the inverse anti-affinity) will try to run on nodes with the declared topology key and running Pods with a particular label. The topology key could be any legal key, with some important considerations.
Where can you run Federated Ingress?
as of June 2018, only GCE
Reasons for anti-affinity on nodes
availability
All taints cause pods to stop running on a node
false
Initialize helm
helm init
install a helm package
helm install <>/<name>
If using requiredDuringScheduling and the admission controller LimitPodHardAntiAffinityTopology setting, the topologyKey must be set to
kubernetes.io/hostname.
tainted node
label to tell a pod to avoid a node.
Reasons for affinity on nodes
locality of data.
RBAC provides
mandatory or discretionary access control in a granular manner.
requiredDuringSchedulingIgnoredDuringExecution
means that the Pod will not be scheduled on a node unless the following operator is true. If the operator changes to become false in the future, the Pod will continue to run. This could be seen as a hard rule.
When affinity becomes stable what is planned to be deprecated?
nodeSelector
props for pod affinity
podAffinity podAntiAffinity
affinity and anti-affinity can be used to
require or prefer which node is used by the scheduler. If using a preference instead, a matching node is chosen first, but other nodes would be used if no match is present.
How to tell a pod to use a custom scheduler
schedulerName
You can build helm from
source or download the tarball
TaintBasedEvictions
Still an alpha feature. The kubelet uses taints to rate-limit evictions when the node has problems.
Custom Resource Definition: plural
the end of the API url as plural
Custom Resource Definition: singular
the end of the API url as singular. Represents the name when displayed and makes CLI usage easier.
A ConfigMap is similar to a Secret, except...
they are not base64 byte encoded arrays
TLS Secret for TLS Ingress must contain keys named
tls.crt and tls.key
How do we interact with Helm?
with the helm command
How does the kubelet write logs
writes container logs to local files via the Docker logging driver. The kubectl logs command allows you to retrieve these logs.