K8s Components


Aggregated APIs (AA)

The API calls are then accepted by kube-apiserver, and then passed along to your custom API server to actually be handled and taken care of.

Why use helm?

Helm is very handy for installing complex applications with many parts, both ones that we create ourselves and vendor-provided software, which we can obtain in a very easy-to-use manner by adding repositories.

Drawbacks of using federation

There will be an increase in inter-cluster communication, and data, using more bandwidth. Administration of a federated cluster adds another level of complexity and consideration. Also, large federated clusters are new, so code maturity can be a consideration.

In what metadata are object weights currently set?

annotations

How do you grant access to create a new CRD resource and controller?

If you use RBAC, you need to grant access through it. If you use an aggregated API, you can use the same or a different authentication process.

If a node has multiple taints the scheduler_____.

ignores those with matching tolerations. The remaining unignored taints have their typical effect.

What state will a pod be in when searching for a node with matching labels?

Pending

Prometheus

Provides time-series database as well as integration with Grafana for visualization and dashboards. Part of the Cloud Native Computing Foundation. As a K8s plugin, it allows one to scrape resource usage metrics from K8s objects across the entire cluster. It also has several client libraries which allow you to instrument your application code in order to collect application level metrics.

What is a collection of helm charts called?

Repository

add a helm package so you can view it

helm repo add <package>

display repos for helm

helm repo list

Search for packages

helm search <package>

nodeSelector:
  net: fast

Any node with a key of net set to fast would be a candidate for scheduling. Remember that labels are administrator-created tags, with no tie to actual resources. This node could have a slow network.

Ingress Rule

An API resource that you can create with kubectl. When you create this resource, it reprograms and reconfigures your Ingress Controller to allow traffic to flow from the outside to an internal service. You can leave a service as a ClusterIP type and define how the traffic gets routed to that internal service using an Ingress Rule.

operator

An agent that creates and manages one or more instances of a specific stateful application. Examples are Deployments or DaemonSets.

toleration

A label that allows a pod to run on a tainted node.

Helm Chart

A template of what Helm should install. It would declare the volumes used, policies, pods, and applications that should be deployed.

What do we use to add a new API server to cluster acting as a subordinate to kube-apiserver?

Aggregated APIs

How does Federation give higher availability to our K8s cluster?

Because each of our independent K8s clusters will copy their information to the federated Control Plane. This allows us to move objects from one cluster to another very easily. This could be an advantage. Should a particular cluster fail, the objects created inside of that cluster would then be started on a different cluster without you having to do anything. We can affect where objects are deployed through weights that allow us to move our data closer to the end user (what we call locality of data). This can have advantages for performance.

Describe the lifecycle of a dependency with helm.

By initializing a database to keep track of what is installed and how it's installed, and continuing to use the helm command for the entire lifecycle of the package.

NodeSelector

Call out a particular pod for a node to run on

Custom Resource Definition: kind

CamelCased singular type used in resource manifests.

What are the three major components when working with Helm?

Chart

preferredDuringSchedulingIgnoredDuringExecution

Choose a node with the desired setting before those without. If no properly-labeled nodes are available, the Pod will execute anyway. This is more of a soft setting, which declares a preference instead of a requirement.

federation-controller-manager

Connects to each local API server, both sending API calls, as well as regular health interrogation

Custom Resource Definition: scope

Determines if the object exists in a singular namespace or is cluster-wide

Pool

Each path for traffic uses a group of like objects referred to as a pool. Each pool regularly checks the next hop up to ensure connectivity.

What is the main reason to use an Ingress Controller instead of multiple services?

Efficiency.

How often will a ClusterController sync with ClusterStatus to ensure the health of a cluster?

Every 40 seconds

Ingress Controller

Exposes a pod to other pods or the outside world. Efficient: instead of individual services for each of the pods, we can set up a controller that handles all the traffic. Currently, there are two supported controllers, one for nginx and the other for GCE. HAProxy is being developed, but is not yet considered a supported and stable resource.

A chart deployment output tells us about missing dependencies (T/F)

False

All Custom Resource Definitions must exist in a namespace.

False

All resources can be federated in Kubernetes v1.9 (T/F)

False

Heapster

For ingesting key metrics for applications. Also used for horizontal pod autoscaling. Integrated with the K8s dashboard

For the Google Load Balancer Controller (GLBC) multi-pool path

Global forwarding rule -> Target HTTP proxy -> URL map -> Backend Service -> Instance Group

A Custom Ingress Controller Template

Has easy integration with RBAC.
Uses the annotation kubernetes.io/ingress.class: "nginx".
L7 traffic requires the proxy-real-ip-cidr setting.
Bypasses kube-proxy to allow session affinity.
Does not use conntrack entries for iptables DNAT.
TLS requires the host field to be defined.

What are some useful tools for monitoring?

Heapster, Fluentd, Prometheus, Grafana

What do multiple etcd databases within federation allow for?

Higher availability
Scalability
Greater fault tolerance
Moving data based on weights

Why add Federation to K8s?

Higher availability, better performance, avoiding vendor lock.

Basic Troubleshooting Steps

If there are errors on the command line, investigate them first. The symptoms of the issue will probably determine the next step. Working from the application running inside a container out to the cluster may be a good idea. If the pod is running, use 'kubectl logs pod-name' to view the standard output of the container. Without logs, you may consider deploying a sidecar container in the Pod to generate and handle logging. Next, check networking, including DNS, firewalls, and general connectivity, using standard Linux commands and tools.

What does the following podAntiAffinity mean?

podAntiAffinity:
  preferredDuringSchedulingIgnoredDuringExecution:
  - weight: 100
    podAffinityTerm:
      labelSelector:
        matchExpressions:
        - key: security
          operator: In
          values:
          - S2
      topologyKey: kubernetes.io/hostname

In a large, varied environment, there may be multiple situations to be avoided. As a preference, this setting tries to avoid certain labels, but will still schedule the Pod on some node. As the Pod will still run, we can provide a weight to a particular rule.

operators for pod affinity

In, NotIn, Exists, DoesNotExist, Gt, and Lt.

An Ingress controller uses ____ to handle traffic from outside the cluster

Ingress Rules

Where does federation run?

Inside of a pod on a chosen host cluster and stores cluster information via a PVC in a new 10Gi etcd database

What is Helm?

It is like a package manager for Kubernetes.

How is an Ingress Controller different from most controllers?

It does not run as part of the kube-controller-manager binary.

How does an Ingress Controller work?

It is a daemon running in a pod which watches /ingresses endpoint on the API server, which is found under the extensions/v1beta1 group for new objects. When a new endpoint is created, the daemon uses the configured set of rules to allow inbound connection to a service, most often HTTP traffic. This allows easy access to a service through an edge router to Pods, regardless of where the pod is deployed.

Master components

Master components provide the cluster's control plane. Master components make global decisions about the cluster (for example, scheduling), and detect and respond to cluster events (starting up a new pod when a replication controller's 'replicas' field is unsatisfied). Master components can be run on any machine in the cluster. However, for simplicity, setup scripts typically start all master components on the same machine, and do not run user containers on this machine.

taint effects

NoSchedule, PreferNoSchedule, NoExecute

Why do we need external monitoring tools for K8s?

Not ingested by K8s

TLS Ingress does not support

SNI

If a container does not provide logging, what could be used to generate and handle logging in the Pod?

Sidecar container

There are two ways of adding custom resources to the cluster.

The simple way is adding a new object to the existing cluster. A potentially more complex way is what's called aggregated APIs.

Currently TLS Ingress assumes

TLS termination

What does the following podAffinity mean?

affinity:
  podAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
    - labelSelector:
        matchExpressions:
        - key: security
          operator: In
          values:
          - S1
      topologyKey: failure-domain.beta.kubernetes.io/zone

The Pod can be scheduled on a node running a Pod with a key label of security and a value of S1. If this requirement is not met, the Pod will remain in Pending state.

tolerationSeconds

The amount of time a Pod will remain on a server. When the time runs out, the pod will be evicted.

Custom Resource Definition: group

The group name will become part of the REST API under /apis/group/version

In a federated cluster if a member node does not respond properly

The manager control-loop will redeploy resources until the expected deployment state has been met.

taint effect "PreferNoSchedule"

The scheduler will avoid using this node, unless there are no untainted nodes for the Pod's toleration. Existing pods are unaffected.

taint effect "NoSchedule"

The scheduler will not schedule a Pod on this node, unless the Pod has this toleration. Existing Pods continue to run, regardless of toleration.

NoExecute

This will cause existing Pods to be evacuated and no future Pods scheduled. Should an existing Pod have a toleration, it will continue to run. If the Pod's tolerationSeconds is set, it will remain for that many seconds, then be evicted. Certain node issues will cause the kubelet to add 300-second tolerations to avoid unnecessary evictions.

How does helm install dependencies using a chart?

Through a process called Tiller. Tiller uses the chart to determine what to install and how to install it.

Why do we monitor?

To collect key metrics such as CPU, memory, and disk usage, and the network bandwidth of your nodes.

When a node has been tainted, what does a Pod require to be deployed on that node?

Toleration

Multiple Ingress Controllers

Traffic should use annotations to select the proper controller. The lack of a matching annotation will cause every controller to attempt to satisfy ingress traffic.

Both L3 and L7 can be configured (T/F)

True

In v1.9 we can still use the resources known as Third Party resources prior to Kubernetes v1.8.

True

Kubernetes does not provide cluster-wide logging. (T/F)

True

Custom Resource Definition

We can add our own objects, controllers, or watch loops. While adding an object is very straightforward, it could be complex to add a watch loop, depending on the resource you are trying to monitor.

preferredDuringSchedulingIgnoredDuringExecution weights.

Weights can be declared as a value from 1 to 100. The scheduler then tries to choose, or avoid, the node with the greatest combined value.

Federation

When we add another control plane above our existing K8s cluster.

nodeName and nodeSelector allow

a Pod to be assigned to a single node or a group of nodes with particular labels.

If using PreferredDuringScheduling an empty topologyKey is assumed to be

all or the combination of kubernetes.io/hostname, failure-domain.beta.kubernetes.io/zone and failure-domain.beta.kubernetes.io/region

taints

allow a node to be labeled such that Pods would not be scheduled on it for some reason, such as the master node after initialization. A toleration allows a Pod to ignore the taint and be scheduled, assuming other requirements are met.

topologyKey

allows a general grouping of Pod deployments. Affinity (or the inverse anti-affinity) will try to run on nodes with the declared topology key and running Pods with a particular label. The topology key could be any legal key, with some important considerations.

Where can you run Federated Ingress?

as of June 2018, only GCE

Reasons for anti-affinity on nodes

availability

All taints cause pods to stop running on a node

false

Initialize helm

helm init

install a helm package

helm install <>/<name>

If using requiredDuringScheduling and the admission controller LimitPodHardAntiAffinityTopology setting, the topologyKey must be set to

kubernetes.io/hostname.

tainted node

label to tell a pod to avoid a node.

Reasons for affinity on nodes

locality of data.

RBAC provides

mandatory or discretionary access control in a granular manner.

requiredDuringSchedulingIgnoredDuringExecution

means that the Pod will not be scheduled on a node unless the following operator is true. If the operator changes to become false in the future, the Pod will continue to run. This could be seen as a hard rule

When affinity becomes stable what is planned to be deprecated?

nodeSelector

props for pod affinity

podAffinity podAntiAffinity

affinity and anti-affinity can be used to

require or prefer which node is used by the scheduler. If using a preference instead, a matching node is chosen first, but other nodes would be used if no match is present

How do you tell a pod to use a custom scheduler?

schedulerName

You can build helm from

source or download the tarball

TaintBasedEvictions

Still an alpha feature. The kubelet uses taints to rate-limit evictions when the node has problems.

Custom Resource Definition: plural

the end of the API url as plural

Custom Resource Definition: singular

The end of the API URL as singular. Represents the name that is displayed and makes CLI usage easier.

A ConfigMap is similar to a Secret, except...

they are not base64 byte encoded arrays

TLS Secret for TLS Ingress must contain keys named

tls.crt and tls.key

How do we interact with Helm?

with the helm command

How does the kubelet write logs?

It writes container logs to local files via the Docker logging driver. The kubectl logs command allows you to retrieve these logs.
