GitopsCentral

Kubernetes interview questions

Filed under: Kubernetes — shaik zillani @ 2:24 pm

Core concepts

What is Kubernetes?

Kubernetes is an open source container orchestration tool developed by Google.

Currently, it’s a CNCF (Cloud Native Computing Foundation) project.

Orchestration means SCAF

  • Service Discovery
  • Canary Deployments
  • Auto Scaling
  • Fault tolerance

What are the different components of kubernetes?

Master Node: “CASE”

  • Control Manager
  • API Server
  • Scheduler &
  • Etcd

Worker Node:

  • Kubelet
  • Kube Proxy

What are the different container orchestration solutions other than k8s?

  • Docker swarm
  • Apache Mesos
  • Amazon ECS
  • Apache Nomad
  • Openshift
  • Rancher

What are the different types of workloads in K8s?

Stateless Application

Applications that don’t require their state to be saved.

Example: Tomcat, nginx server, frontend apps, etc.

Stateful Applications

Applications that require their state to be saved.

Example: Mongodb, Apache Zookeeper

Batch Jobs

Finite, independent tasks that run to completion.

Example: sending emails, performing calculations, video rendering, etc.

Daemon

Ongoing background tasks.

Example: Fluentd collecting logs continuously. You can use a DaemonSet for this.

List all workload types in k8s

Answer

  • Pod
  • ReplicaSet
  • Replication Controller
  • Deployments
  • StatefulSets
  • Daemonset
  • Jobs

What is a Pod?

A Pod is the smallest deployable unit in Kubernetes: a logical collection of one or more containers that are scheduled together.

What is ReplicaSet?

What is Replication Controller?

What is Deployment?

When to use a ReplicaSet?

  • ReplicaSets provide declarative updates to Pods along with a lot of other useful features.
  • Always use Deployments instead of directly using ReplicaSets, unless you require custom update orchestration or don’t require updates at all.

Difference between ReplicaSet and a ReplicationController

A ReplicationController uses an equality-based selector.

Example:

spec:
  replicas: 3
  selector:
    app: nginx

A ReplicaSet uses a set-based selector: you can attach many labels to the pods and select them with matchLabels (and, if needed, matchExpressions).

Example:

metadata:
  name: frontend
  labels:
    app: guestbook
    tier: frontend
spec:
  # modify replicas according to your case
  replicas: 3
  selector:
    matchLabels:
      tier: frontend
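The two selector styles in working form, as an added example that is not part of the original post. It applies a ReplicationController-style equality selector and a ReplicaSet-style set selector to constructed sample pod labels; the point for an operator is that a selector broader than intended silently adopts pods the controller should not own.

```python
# Added example, not from the original post: a ReplicationController's
# equality-based selector versus a ReplicaSet's set-based selector, applied
# to constructed sample pod labels.  A selector that is broader than intended
# silently adopts pods it should not own, so it pays to test it first.

def equality_match(selector, labels):
    """ReplicationController style: every selector key must be equal."""
    return all(labels.get(k) == v for k, v in selector.items())

def set_match(selector, labels):
    """ReplicaSet style: matchLabels (equality) AND every matchExpression."""
    if not equality_match(selector.get("matchLabels", {}), labels):
        return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True

PODS = {  # constructed sample pods: name -> labels
    "frontend-a": {"app": "guestbook", "tier": "frontend"},
    "frontend-b": {"app": "guestbook", "tier": "frontend", "track": "canary"},
    "backend-a": {"app": "guestbook", "tier": "backend"},
    "legacy": {"app": "nginx"},
}

def select(matcher, selector):
    """Names of the pods a controller with this selector would own."""
    return sorted(n for n, labels in PODS.items() if matcher(selector, labels))

# The post's ReplicaSet selector, extended with an expression that keeps
# the canary pod out of the stable set.
RS_SELECTOR = {
    "matchLabels": {"tier": "frontend"},
    "matchExpressions": [{"key": "track", "operator": "NotIn", "values": ["canary"]}],
}

if __name__ == "__main__":
    print(select(equality_match, {"app": "nginx"}))                   # ['legacy']
    print(select(set_match, {"matchLabels": {"tier": "frontend"}}))   # both frontends
    print(select(set_match, RS_SELECTOR))                             # ['frontend-a']
    print(select(set_match, {"matchLabels": {"app": "guestbook"}}))   # too broad: 3 pods
```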

What is StatefulSet?

It is a workload API object (almost every workload in k8s is called an object) used to manage stateful applications.

Example: MongoDB, MySQL, etc.

Explain how to deploy a StatefulSet

Let’s try to understand how to install MongoDB on k8s using a StatefulSet.

First of all, in order to create a StatefulSet we need the following:

  • a Persistent Volume (PV) with storage class
  • a Headless service for network identity

So, we are going to:

  • First, create a headless Service named mongo that selects pods labelled role=mongo, then create a StatefulSet for the mongo image carrying the same label.
  • Using volumeClaimTemplates, create a persistent volume (PV) with a storage class.

---
apiVersion: v1
kind: Service
metadata:
  name: mongo
  labels:
    name: mongo
spec:
  ports:
    - port: 27017
      targetPort: 27017
  clusterIP: None
  selector:
    role: mongo

---
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
  name: mongo
spec:
  serviceName: "mongo"
  replicas: 3
  template:
    metadata:
      labels:
        role: mongo
        environment: test
    spec:
      termina


Observation

1) Note that we set clusterIP to None to create a headless service.

2) Then we created a persistent volume with a storage class using volumeClaimTemplates.
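A complete version of the pair above, as an added example that is not the post’s own manifest: the headless Service and a full MongoDB StatefulSet as Python dicts (the image tag and storage class name are assumed), plus a small lint for the links the two observations rely on.

```python
# Added example, not the post's own manifest: the headless Service and a
# complete MongoDB StatefulSet as Python dicts (image tag and storage class
# are assumed), plus a lint for the links the observations above rely on:
# clusterIP None, serviceName, selector/label agreement, claim storage class.
SERVICE = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"name": "mongo", "labels": {"name": "mongo"}},
    "spec": {"clusterIP": "None", "selector": {"role": "mongo"},
             "ports": [{"port": 27017, "targetPort": 27017}]},
}

STATEFULSET = {
    "apiVersion": "apps/v1", "kind": "StatefulSet", "metadata": {"name": "mongo"},
    "spec": {
        "serviceName": "mongo", "replicas": 3,
        "selector": {"matchLabels": {"role": "mongo"}},
        "template": {
            "metadata": {"labels": {"role": "mongo", "environment": "test"}},
            "spec": {"terminationGracePeriodSeconds": 10,
                     "containers": [{"name": "mongo", "image": "mongo:4.4",  # assumed tag
                                     "ports": [{"containerPort": 27017}],
                                     "volumeMounts": [{"name": "data", "mountPath": "/data/db"}]}]}},
        "volumeClaimTemplates": [{"metadata": {"name": "data"},
                                  "spec": {"accessModes": ["ReadWriteOnce"],
                                           "storageClassName": "standard",  # assumed class
                                           "resources": {"requests": {"storage": "1Gi"}}}}],
    },
}

def lint_statefulset(svc, sts):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    if svc["spec"].get("clusterIP") != "None":
        problems.append("service is not headless (clusterIP must be None)")
    if sts["spec"]["serviceName"] != svc["metadata"]["name"]:
        problems.append("serviceName does not name the headless service")
    labels = sts["spec"]["template"]["metadata"]["labels"]
    for owner, sel in (("service", svc["spec"]["selector"]),
                       ("statefulset", sts["spec"]["selector"]["matchLabels"])):
        for k, v in sel.items():
            if labels.get(k) != v:
                problems.append(f"{owner} selector {k}={v} does not match pod labels")
    for vct in sts["spec"].get("volumeClaimTemplates", []):
        if not vct["spec"].get("storageClassName"):
            problems.append(f"claim {vct['metadata']['name']} has no storageClassName")
    return problems
```

Running the lint against a Service that selects app=nginx, as the prose originally did, reports the label mismatch that would leave the StatefulSet’s pods without stable DNS names.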

How do you terminate pods of StatefulSets?

To delete a StatefulSet and its associated pods, run the commands below (replace <stateful-set-pod> with one of its pods):

grace=$(kubectl get pod <stateful-set-pod> --template '{{.spec.terminationGracePeriodSeconds}}')
kubectl delete statefulset -l app=myapp
sleep "$grace"
kubectl delete pvc -l app=myapp

What is Daemonset?

Daemonset is a workload object that deploys a pod on every single node.

Examples

  • Logging applications: Fluentd
  • Monitoring applications: AppDynamics, Instana, Datadog, Prometheus Node Exporter, Instana Agent

What is a headless Service?

Sometimes we have a single endpoint to a service and don’t want a load balancer; in that case we use a headless service.

A Service without load balancing (and without a cluster IP) is called a headless Service.

It is created by setting .spec.clusterIP to None.

What is a Job?

A Job object creates one or more pods and makes sure they run to successful completion.

Deleting a Job cleans up its pods.

Explain the deployment flow.

For instance, if you request to deploy an app via kubectl, visualize the request flow between the k8s components:

[Figure: request flow in k8s]

API Server

The kube-apiserver validates and configures data for API objects such as:

  • pod
  • service
  • replication controllers
  • etc

The API Server provides REST operations to

Scheduler

The scheduler watches for newly created pods that have no assigned node.

The scheduler finds such pods and is responsible for determining the best node on which to run that pod.

How does a scheduler decide the node?

It’s done based on —

  • Filtering
  • Scoring

Filtering: Finds a set of feasible nodes (nodes that meet scheduling requirements)

Scoring: the scheduler gives each feasible node a score, and the node with the highest score is selected.

If scores are equal, then selection is random.

Know more about filtering/scoring factors here
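A toy version of the two phases, as an added example that is not from the original post: filtering drops nodes that cannot satisfy the pod’s CPU/memory requests or its nodeSelector, scoring ranks the survivors by remaining free capacity (LeastAllocated-style), and equal scores are broken at random. Node capacity and usage figures are constructed.

```python
# Added example, not from the post: a toy version of the two scheduling phases
# described above.  Filtering drops nodes that cannot satisfy the pod's CPU /
# memory requests or its nodeSelector; scoring ranks the survivors like the
# LeastAllocated strategy (more free capacity scores higher); equal scores are
# broken at random.  Node capacity and usage are constructed, not cluster data.
import random

NODES = {  # name -> allocatable CPU (millicores), memory (MiB), node labels
    "node-a": {"cpu": 4000, "mem": 8192, "labels": {"disk": "ssd"}},
    "node-b": {"cpu": 4000, "mem": 4096, "labels": {"disk": "hdd"}},
    "node-c": {"cpu": 4000, "mem": 8192, "labels": {"disk": "ssd"}},
}
USED = {  # name -> already requested by pods running there
    "node-a": {"cpu": 500, "mem": 512},
    "node-b": {"cpu": 0, "mem": 0},
    "node-c": {"cpu": 500, "mem": 512},
}

def feasible(pod, name):
    """Filtering: enough free CPU and memory, and every nodeSelector label matches."""
    node, used = NODES[name], USED[name]
    if pod["cpu"] > node["cpu"] - used["cpu"] or pod["mem"] > node["mem"] - used["mem"]:
        return False
    return all(node["labels"].get(k) == v for k, v in pod.get("nodeSelector", {}).items())

def score(pod, name):
    """Scoring (0-100): average share of capacity still free after placing the pod."""
    node, used = NODES[name], USED[name]
    cpu_free = (node["cpu"] - used["cpu"] - pod["cpu"]) / node["cpu"]
    mem_free = (node["mem"] - used["mem"] - pod["mem"]) / node["mem"]
    return round(100 * (cpu_free + mem_free) / 2)

def schedule(pod, rng=random):
    """Return the chosen node name, or None when no node passes filtering (pod stays Pending)."""
    feasible_nodes = [n for n in NODES if feasible(pod, n)]
    if not feasible_nodes:
        return None
    scores = {n: score(pod, n) for n in feasible_nodes}
    best = max(scores.values())
    return rng.choice(sorted(n for n, s in scores.items() if s == best))

if __name__ == "__main__":
    print(schedule({"cpu": 1000, "mem": 1024}))                                   # node-b
    print(schedule({"cpu": 1000, "mem": 1024, "nodeSelector": {"disk": "ssd"}}))  # node-a or node-c
    print(schedule({"cpu": 5000, "mem": 100}))                                    # None
```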

How does etcd work in k8s?

Etcd is like the brain of the K8s cluster.

It’s a distributed key-value store that stores all information about the cluster & its state.

For example, if we requested the API server to install something on the cluster, that information will first be recorded in etcd.

Kubernetes uses etcd’s watch functionality to monitor changes to either the actual or the desired state of the system; if they differ, Kubernetes makes changes to reconcile the two. Every read by kubectl is served from data stored in etcd, every change (kubectl apply) creates or updates entries in etcd, and every crash triggers value changes in etcd.

What is etcd?

  • Etcd is an open-source distributed key-value store created by the CoreOS team, now managed by the CNCF.
  • It is pronounced “et-cee-dee”, making reference to distributing the Unix /etc directory, where most global configuration files live, across multiple machines.

Properties of etcd

Reliable: The store is properly distributed using the Raft algorithm

Replicated: It’s available on every node of a cluster

Secure: Implements automatic TLS

Explain the leader election process in etcd

Etcd is based on the Raft algorithm. In a Raft-based system, the cluster holds an election to choose a leader for a given term.

The leader handles client requests that need cluster consensus (an agreement). It is responsible for accepting new changes, replicating the information to follower nodes, then committing the changes once followers verify. Each cluster can have only one leader at any given time.

If the Leader dies, then the rest of the nodes will begin a new election within a predetermined timeout.

How a leader is elected

If the node does not hear from the leader before a timeout occurs, the node begins a new election by starting a new term, marking itself as a candidate, and asking for votes from the other nodes.

Each node votes for the first candidate that requests its vote. If a candidate receives a vote from the majority of the nodes in the cluster, it becomes the new leader.

Since the election timeout differs on each node, the first candidate often becomes the new leader.

However, if multiple candidates exist and receive the same number of votes, the existing election term will end without a leader and a new term will begin with new randomized election timers.

How a leader makes changes

Any change must be directed to the leader node; the leader sends the proposed new value to each node of the cluster, and each node replies with a message confirming receipt of the new value.

If the majority of nodes confirm, then the leader commits the new value.

This is the process as per the Raft algorithm.
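The election and commit rules described above as a small simulation, added here as an example and not the post’s own code. Election timers and link latencies are constructed: a node whose timer fires before any RequestVote reaches it becomes a candidate for the new term, every other node votes for the first request it hears, and a candidate (or a commit) needs a majority; the second run shows a split vote.

```python
# Added example, not the post's own code: a small simulation of the two Raft
# behaviours described above, using constructed timers and link latencies.
# A node whose election timer fires before any RequestVote reaches it becomes
# a candidate for the new term; every other node votes for the first request it
# hears; a candidate needs a majority.  A commit likewise needs majority acks.

def majority(cluster_size):
    return cluster_size // 2 + 1

def run_election(timeouts, latency, term, default_latency=10):
    """timeouts: node -> randomized election timeout (ms).
    latency: (sender, receiver) -> one-way delay (ms), default_latency otherwise.
    Returns (leader or None on a split vote, new term, votes per candidate)."""
    term += 1                                  # the first timer to fire starts a new term
    delay = lambda a, b: latency.get((a, b), default_latency)
    candidates = []
    for n in sorted(timeouts, key=timeouts.get):
        heard = any(timeouts[c] + delay(c, n) <= timeouts[n] for c in candidates)
        if not heard:                          # timer fired first: become a candidate
            candidates.append(n)
    votes = {c: 1 for c in candidates}        # each candidate votes for itself
    for n in timeouts:
        if n not in votes:
            first = min(candidates, key=lambda c: timeouts[c] + delay(c, n))
            votes[first] += 1                  # follower votes for the first request heard
    need = majority(len(timeouts))
    leader = next((c for c, v in votes.items() if v >= need), None)
    return leader, term, votes

def replicate(followers, acks):
    """Leader proposes a value; it commits only once a majority of the whole
    cluster (leader included) has confirmed receipt."""
    confirmed = 1 + len(set(acks) & set(followers))
    return confirmed >= majority(len(followers) + 1)

if __name__ == "__main__":
    timers = {"n1": 200, "n2": 160, "n3": 250, "n4": 180, "n5": 290}
    print(run_election(timers, {}, term=4))           # n2 wins term 5 with all 5 votes
    # two timers fire close together and links differ: votes split, no leader
    timers = {"n1": 150, "n2": 155, "n3": 200, "n4": 210}
    print(run_election(timers, {("n1", "n2"): 20, ("n1", "n4"): 60}, term=5))
    print(replicate(["n1", "n3", "n4", "n5"], {"n1", "n3"}))  # True: 3 of 5 confirmed
```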

What is a Namespace?

  • Kubernetes supports multiple virtual clusters backed by the same physical cluster. These virtual clusters are called namespaces.
  • Resource names are unique within a namespace

In which Namespace is k8s cluster created?

By default, a k8s cluster is created with three namespaces:

  • default
  • kube-system
  • kube-public

What objects are present in a namespace?

Kubernetes resources such as pods, services and replication controllers are always in some namespace.

Low-level resources, such as nodes and persistentVolumes, are not in any namespace.

To see which Kubernetes resources are and aren’t in a namespace:

# In a namespace
kubectl api-resources --namespaced=true
# Not in a namespace
kubectl api-resources --namespaced=false

Explain different API groups

Answer

  • Core group/Legacy group
    • api/v1
      • apiVersion: v1
  • Named group
    • apis/$groupName/$version
      • apiVersion: batch/v1


Networking

What are the different network plugins in k8s?

  • Calico
  • Weavenet
  • Flannel
  • Cilium

Installation

Explain k8s installation

Installing k8s on CentOS

First, launch three CentOS instances whose IPs are, say:

  • kubemaster: 192.168.1.99
  • kube2: 192.168.1.109
  • kube3: 192.168.1.167

Disable SELinux & Swap

setenforce 0
sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
swapoff -a
# also comment out the swap entry in /etc/fstab so it stays off after a reboot, e.g.:
# /dev/mapper/centos-swap swap swap defaults 0 0

Enable br_netfilter

We’ll be enabling the br_netfilter kernel module on all three servers. This is done with the following commands:

modprobe br_netfilter 
echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables

Install Docker CE

yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce

Update the yum repos: create /etc/yum.repos.d/kubernetes.repo with the following content:

[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg

Install kubelet, kubeadm and kubectl

yum install -y kubelet kubeadm kubectl

Once installation is complete, reboot all the machines and log back in as a sudo user.

Update the cgroup driver

Configure Docker CE and the kubelet to use the same cgroup driver.

Initialize the cluster

On the master node, issue this command. It initializes the control plane; pass the IP of the master node as the advertise address and the pod network IP range as per your needs. Note that the pod network CIDR must not overlap the node network, so with nodes on 192.168.1.x a real setup should pick a range outside it (flannel’s manifest defaults to 10.244.0.0/16).

kubeadm init --apiserver-advertise-address=192.168.1.99 --pod-network-cidr=192.168.1.0/16

Now let’s join the nodes using the command below,

kubeadm join 192.168.1.99:6443 --token TOKEN --discovery-token-ca-cert-hash DISCOVERY_TOKEN

Deploy flannel network

kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

What is Dynamic Volume Provisioning? How is it done?

How to create a multi master node configuration?

You can use kube-up and copy the existing master using the command below:

KUBE_GCE_ZONE=europe-west1-c KUBE_REPLICATE_EXISTING_MASTER=true ./cluster/kube-up.sh

Here, KUBE_GCE_ZONE is the zone where the new master will be created.

How to secure your K8s cluster?

Explain the Multi-master configuration

Logging and Monitoring

What are Resource Quotas?

What are the different tools for monitoring K8s?

How to limit pod access only within the cluster?

What are the different types of service deployments?

How to set a static IP for Kubernetes cluster?

What is an ingress network?

What is a headless service?

Explain rolling update

Explain graceful shutdown

How to set hardware resource limits?

What is the default terminationGracePeriod value?

30 seconds

Explain the Kubernetes termination lifecycle

1) Terminating state: the pod is removed from Service endpoints and stops getting new traffic.
2) preStop hook (optional): an HTTP request or exec command run in the container before SIGTERM is sent, so the app can start its own shutdown.
3) SIGTERM signal: tells the container it is about to be shut down, so the code can clean up ongoing work such as database connections, web sockets, etc.
4) Wait for the grace period: raise terminationGracePeriodSeconds if your pod needs more time to shut down.
5) SIGKILL signal: sent if the container is still running after the grace period.
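The container side of that lifecycle, as an added example that is not the post’s own code: the SIGTERM handler only sets a flag, new work is refused once draining starts, and budget() makes the caveat explicit that a preStop hook runs inside terminationGracePeriodSeconds (30 by default), so a slow hook eats the time the drain needs before SIGKILL arrives. Timings are constructed.

```python
# Added example, not the post's own code: the container side of the lifecycle
# above.  The SIGTERM handler only sets a flag; the serving loop then refuses
# new work and drains in-flight tasks.  budget() shows that a preStop hook
# runs inside terminationGracePeriodSeconds (30 by default), so a slow hook
# leaves less time for the drain before SIGKILL.  Timings are constructed.
import os
import signal
import time

STATE = {"draining": False}

def on_sigterm(signum, frame):
    STATE["draining"] = True          # do nothing slow inside a signal handler

def install_handler():
    signal.signal(signal.SIGTERM, on_sigterm)

def trigger_sigterm():
    """Send SIGTERM to ourselves (what the kubelet does) and report the flag."""
    install_handler()
    os.kill(os.getpid(), signal.SIGTERM)
    time.sleep(0.05)                  # let the interpreter run the Python handler
    return STATE["draining"]

def accept(task, queue):
    """Accept new work only while not draining (a Terminating pod gets no new traffic)."""
    if STATE["draining"]:
        return False
    queue.append(task)
    return True

def budget(grace=30, prestop=0, drain=0):
    """Seconds left for draining after the preStop hook, and the outcome:
    'clean' if the drain fits in the remaining grace period, else 'killed'."""
    remaining = grace - prestop
    return remaining, ("clean" if drain <= remaining else "killed")

if __name__ == "__main__":
    queue = []
    print(accept("req-1", queue))     # True: still serving
    print(trigger_sigterm())          # True: handler flipped the flag
    print(accept("req-2", queue))     # False: draining, finish req-1 then exit 0
    print(budget(30, 0, 10))          # (30, 'clean')
    print(budget(30, 25, 10))         # (5, 'killed'): hook ate the grace period
```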


© 2016–2025 GitOpsCentral | All Rights Reserved.