Story of a kubectl command

Transcript

1. Story of a kubectl command DevConf, India 4th August, 2018

2. Hi, I'm Indra Indradhanush Gupta Software Engineer, Kinvolk Github: indradhanush

   Twitter: indradhanush92 Email: [email protected]

3. The Deep-stack Kubernetes Experts Engineering services and products for Kubernetes,

   containers, process management and Linux user-space + kernel Blog: kinvolk.io/blog Github: kinvolk Twitter: kinvolkio Email: [email protected] Kinvolk

4. What we will talk about? 1. What is Kubernetes? 2.

   What are the different components of Kubernetes? 3. What goes on behind the scenes of a kubectl command?

5. What we will talk about? 1. What is Kubernetes? 2.

   What are the different components of Kubernetes? 3. What goes on behind the scenes of a kubectl command?

6. What we will talk about? 1. What is Kubernetes? 2.

   What are the different components of Kubernetes? 3. What goes on behind the scenes of a kubectl command?

7. What we will talk about? 1. What is Kubernetes? 2.

   What are the different components of Kubernetes? 3. What goes on behind the scenes of a kubectl command?

8. What is Kubernetes?

9. Kubernetes ❏ Cluster manager ❏ Scheduler ❏ Orchestrator

10. Kubernetes ❏ Cluster manager ❏ Scheduler ❏ Orchestrator ...for containerized

    applications

11. Kubernetes Worker Worker Worker Worker Master Master Master

12. Moving parts!

13. Components in Master ❏ API Server ❏ etcd ❏ Controller

    Manager ❏ Scheduler

14. Components in Worker ❏ kubelet ❏ kube-proxy ❏ kube-dns

15. kubectl Master Worker Worker kubectl apply -f manifest.yaml

16. $ kubectl run nginx --image=nginx

17. $ kubectl run nginx --image=nginx deployment.apps "nginx" created

18. $ kubectl get pods

19. $ kubectl get pods NAME READY STATUS RESTARTS AGE nginx-65899c769f-58xbc

    0/1 ContainerCreating 0 5s

20. $ kubectl get pods NAME READY STATUS RESTARTS AGE nginx-65899c769f-58xbc

    1/1 Running 0 16s

21. Nginx Pod

22. None

23. API Server kubectl etcd

24. Client side validation ❏ Manifest ❏ Resources ❏ Image name

25. Generators $ kubectl run nginx --image=nginx deployment.apps "nginx" created

26. Generators $ kubectl run nginx --image=nginx deployment.apps "nginx" created $

    kubectl run nginx --image=nginx --generator run-pod/v1 pod "nginx" created

27. Kubernetes resources are generated

28. And it’s time to send the request!

29. But where?

30. API discovery ❏ OpenAPI schema exposed ❏ API group and

    version ❏ Cached at ~/.kube/cache

31. Nginx Pod Group: core Version: v1

32. Let’s take a verbose look at a request

33. $ kubectl get pods -v 6

34. $ kubectl get pods -v 6 I0802 16:04:15.085956 9383 loader.go:357]

    Config loaded from file /home/dhanush/.kube/config

35. $ kubectl get pods -v 6 I0802 16:04:15.085956 9383 loader.go:357]

    Config loaded from file /home/dhanush/.kube/config I0802 16:04:15.102658 9383 round_trippers.go:405] GET https://192.168.99.102:8443/api/v1/namespaces/default/pods?limit=50 0 200 OK in 9 milliseconds

36. $ kubectl get pods -v 6 I0802 16:04:15.085956 9383 loader.go:357]

    Config loaded from file /home/dhanush/.kube/config I0802 16:04:15.102658 9383 round_trippers.go:405] GET https://192.168.99.102:8443/api/v1/namespaces/default/pods?limit=50 0 200 OK in 9 milliseconds I0802 16:04:15.109898 9383 round_trippers.go:405] GET https://192.168.99.102:8443/openapi/v2 200 OK in 6 milliseconds

37. $ kubectl get pods -v 6 I0802 16:04:15.085956 9383 loader.go:357]

    Config loaded from file /home/dhanush/.kube/config I0802 16:04:15.102658 9383 round_trippers.go:405] GET https://192.168.99.102:8443/api/v1/namespaces/default/pods?limit=50 0 200 OK in 9 milliseconds I0802 16:04:15.109898 9383 round_trippers.go:405] GET https://192.168.99.102:8443/openapi/v2 200 OK in 6 milliseconds NAME READY STATUS RESTARTS AGE nginx-65899c769f-ndt2k 1/1 Running 0 9m

38. kubectl get pods -v 10

39. None

40. Client authentication ❏ Credentials from $KUBECONFIG ❏ Client certificates ❏

    Bearer Tokens ❏ Username / Password

41. API Server kubectl

42. Server side authentication ❏ Client certificates ❏ Bearer Tokens ❏

    Username / Password

43. API Server kubectl

44. Authorization chain ❏ ABAC ❏ RBAC ❏ Node ❏ Webhook

45. Admission controllers ❏ Not a chain ❏ Modify or reject

    requests ❏ No role in read requests

46. Examples: Admission controllers ❏ AlwaysPullImages ❏ PodSecurityPolicy

47. etcd ❏ Resource saved to data store ❏ <namespace>/<name> API

    Server kubectl etcd

48. Initializers ❏ Dynamic controller ❏ Intercepts resource before creation ❏

    Context specific logic

49. Initializers $ kubectl get pods --include-uninitialized

50. Deployments controller ❏ Detects new Deployment resource Deployment

51. ❏ Creates ReplicaSet resource Deployments controller ReplicaSet Deployment

52. Replicasets controller ❏ Detects new ReplicaSet resource ReplicaSet Deployment

53. Replicasets controller ❏ Creates Pod resource ReplicaSet Deployment Pod

54. Replicasets controller $ kubectl run nginx --image=nginx --replicas=3 ReplicaSet Deployment

    Pod Pod Pod

55. Pods ❏ State: Pending ❏ NodeName: empty ReplicaSet Deployment Pod

56. Scheduler ❏ Filters pods with empty NodeName ❏ Filter worker

    nodes based on resources and affinity ❏ Prioritizes filtered worker nodes ❏ Choose node with highest priority ❏ Creates Binding resource

57. Scheduler Binding Node Pod Name & UID Namespace

58. Kubelet ❏ Runs on worker node ❏ Manages Pods (containers,

    volume mounts etc) kubelet Worker 1 kubelet kubelet Worker 3 Worker 2

59. Kubelet ❏ Queries API server for Bindings with matching NodeName

    ❏ Creates pods not already created on the node ❏ Launches pause container

60. Pause container (almost there!) $ docker ps CONTAINER ID IMAGE

    COMMAND … fccc6b7a99a k8s.gcr.io/pause-amd64:3.1 "/pause" …

61. Pause container ❏ Holds namespace for all containers of the

    pod ❏ All application container share the same namespaces ❏ Simplified intra pod networking ❏ Reap zombies if PID namespace sharing is enabled

62. Containers ❏ Pull the image ❏ Create the container ❏

    Update Pod status

63. Summary ❏ Client side ❏ Validation and Authentication ❏ Server

    side ❏ Authentication ❏ Authorization ❏ Admission controllers ❏ Write to etcd!

64. Summary ❏ Wait for Initializers ❏ Deployments controller ❏ Create

    ReplicaSet ❏ ReplicaSets controller ❏ Create Pod

65. Summary ❏ Scheduler assigns a Node ❏ Kubelet ❏ Pause

    container ❏ Application container

66. Indradhanush Gupta Github: indradhanush Twitter: indradhanush92 Email: [email protected] Kinvolk Blog:

    kinvolk.io/blog Github: kinvolk Twitter: kinvolkio Email: [email protected] Thank you!

67. Questions?