Intro to the essential API resources in Kubernetes

For the third edition of the CNCF & Kubernetes Finland meetup, I crafted a practical "what you need to know about Kubernetes" slide deck, and did a live demo together with it.

Slides online: https://docs.google.com/presentation/d/1MdeZaOXLg99PiGlW-IKt8aw6nC5ujn6qfl-lUPrXZ58/edit
Meetup page: https://www.meetup.com/Kubernetes-Finland/events/248641731/
Video recording: https://youtu.be/XzjgtSzlj0w
Location: Maria 01, Helsinki, Finland

Lucas Käldström

April 03, 2018

Transcript

  1. Intro to the essential API resources in Kubernetes

    Lucas Käldström - luxas labs, 3rd of April 2018 - Helsinki. Image credit: @ashleymcnamara. bit.ly/k8sfin-apr-intro
  2. $ whoami

    Lucas Käldström, Upper Secondary School Student, just turned 18
    CNCF Ambassador, Certified Kubernetes Administrator and Kubernetes SIG Lead
    Speaker at KubeCon in Berlin & Austin in 2017
    Kubernetes Maintainer since April 2016, active in the community for +2 years
    Driving luxas labs which currently performs contracting for Weaveworks
    A guy that has never attended a computing class
  3. How do I kick the tires with Kubernetes?

    - Play with Kubernetes right away in your browser!
    - Create a single-node cluster on your laptop or workstation with minikube
    - Create a real cluster with only a couple of commands with kubeadm
    - Create a production-ready cluster on AWS with kops
    - Create a Kubernetes cluster on GCE with GKE (Google Kubernetes Engine)
    - kubicorn is a Kubernetes installer project which has gained some traction
  4. Kubernetes’ high-level component architecture

    [Diagram] Master: API Server (REST API), Controller Manager (Controller Loops), Scheduler (Bind Pod to Node), etcd (key-value DB, the single source of truth, SSOT). The User talks only to the API Server. Nodes 1-3: each runs the OS, a Container Runtime, the Kubelet and Networking, and the Kubelet talks to the API Server. Legend of interfaces and wire formats: CNI, CRI, OCI, Protobuf, gRPC, JSON.
  5. Helm and Charts

    In order to simplify application deployment on top of k8s, Helm was created by the ecosystem. Helm is a package manager for Kubernetes. A “chart” is a package. The user installs charts via the Helm CLI. The community maintains loads of charts. Note that helm init in Helm 2 installs Tiller, a cluster-side component that applies charts with the permissions of its own service account; give it a dedicated service account with only the RBAC rights it needs rather than cluster-admin (Helm 3 later removed Tiller entirely).

    $ helm init
    $ helm search wordpress
    NAME              CHART VERSION  APP VERSION
    stable/wordpress  0.8.18         4.9.4
    $ helm install stable/wordpress
    $ helm list
    NAME             REVISION  UPDATED         STATUS    CHART
    nasal-jellyfish  1         Tue Apr 3 2018  DEPLOYED  wordpress-0.8.18
  6. The core primitive: A Pod

    The basic, atomically deployable unit in Kubernetes. A Pod consists of one or many co-located containers. The containers in a Pod share one network namespace, so they reach each other over the loopback interface (localhost), and they can share mounted directories. A Pod represents a single instance of an application. Each Pod has its own, uniquely assigned, cluster-internal IP. Pods are mortal: if the node the Pod runs on becomes unavailable, the workload goes with it, and a bare Pod is not rescheduled on another node.

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx
      namespace: default
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.13.9
        name: nginx
        ports:
        - name: http
          containerPort: 80
  7. A replicated, upgradeable set of Pods: A Deployment

    With a Deployment, you can manage Pods in a declarative and upgradable manner. Note the replicas field: Kubernetes will make sure that this number of Pods created from the template is always running, recreating them on another node if one fails. When the Deployment's Pod template is updated, Kubernetes performs a rolling update of the Pods running in the cluster. With the default RollingUpdate strategy (maxSurge and maxUnavailable both 25%, which for 3 replicas rounds to 1 and 0), Kubernetes creates one new Pod and removes an old one until all Pods are new.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: nginx
      name: nginx
    spec:
      replicas: 3
      selector:
        matchLabels:
          app: nginx
      template:                   # The Pod Template
        metadata:
          labels:
            app: nginx
        spec:
          containers:
          - image: nginx:1.13.9-alpine
            name: nginx
            ports:
            - name: http
              containerPort: 80
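The same nginx Deployment, hardened the way a reviewer would ask for before it reaches a shared cluster. This is an added example, not a manifest from the deck: it makes the rollout behaviour the slide describes explicit (surge one, never take an old Pod away first), gates the rollout on a readiness probe, bounds resources, stops the Pod from mounting an API token it never uses, and runs the container with a read-only root filesystem and a minimal capability set. The capability list is an assumption about the stock nginx image, which starts as root and drops to the nginx user itself; a non-root image would let you drop these too and set runAsNonRoot.

```yaml
# Added example (not from the slides). Assumes the stock nginx:1.13.9-alpine
# image: it needs CHOWN/SETUID/SETGID to switch to the nginx user and
# NET_BIND_SERVICE for port 80, and writes only under /var/cache/nginx and /var/run.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: default
  labels:
    app: nginx
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1          # bring up one new Pod ...
      maxUnavailable: 0    # ... before retiring an old one
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      automountServiceAccountToken: false   # the web server never talks to the API
      containers:
      - name: nginx
        image: nginx:1.13.9-alpine
        ports:
        - name: http
          containerPort: 80
        readinessProbe:            # an old Pod is only removed once a new one answers
          httpGet:
            path: /
            port: http
          periodSeconds: 5
        resources:
          requests:
            cpu: 50m
            memory: 32Mi
          limits:
            cpu: 200m
            memory: 64Mi
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
            add: ["CHOWN", "SETUID", "SETGID", "NET_BIND_SERVICE"]
        volumeMounts:              # the only writable paths nginx needs
        - name: cache
          mountPath: /var/cache/nginx
        - name: run
          mountPath: /var/run
      volumes:
      - name: cache
        emptyDir: {}
      - name: run
        emptyDir: {}
```

Apply it with kubectl apply -f and follow the rollout with kubectl rollout status deployment/nginx; if the probe never succeeds the rollout stalls instead of replacing healthy Pods with broken ones. A quick check that the filesystem restriction holds is kubectl exec into one of the Pods and trying to create a file outside the two mounted paths, which must fail with a read-only filesystem error.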
  8. Various possible Deployment upgrade strategies

    [Picture: Deployment upgrade strategies. The rolling update is the built-in Deployment behavior; the other strategies can be implemented fairly easily by talking to the API. Picture source: Kubernetes effect by Bilgin Ibryam]
  9. Access your replicated Pods by creating a Service

    A Service exposes one or many Pods via a stable, cluster-internal virtual IP address, the ClusterIP, which outlives the individual Pods behind it. The ClusterIP can be declaratively specified or dynamically allocated. The Service is also reachable via cluster-internal DNS: {service-name}.{namespace}.svc.cluster.local, here nginx.default.svc.cluster.local. The Service selects Pods based on label key-value selectors (here app=nginx) and spreads connections over the Pods that are currently ready. A Service can expose multiple ports.

    apiVersion: v1
    kind: Service
    metadata:
      name: nginx
      namespace: default
      labels:
        app: nginx
    spec:
      type: ClusterIP
      ports:
      - name: http
        port: 80
        targetPort: 80
      selector:                   # The Pod Selector
        app: nginx
  10. Expose your Service to the world with an Ingress

    A Service of type ClusterIP is only reachable inside the cluster. In order to expose the Service to the internet, you must deploy an Ingress controller, like Traefik, and create an Ingress rule. The Ingress rule is the Kubernetes way of mapping hostnames and paths from internet requests to cluster-internal Services. The Ingress controller is a load balancer (a reverse proxy) that watches Ingress objects in the API and configures itself from them; an Ingress object does nothing on its own without a controller.

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: nginx
      namespace: default
      labels:
        app: nginx
    spec:
      rules:
      - host: nginx.demo.kubernetesfinland.com
        http:
          paths:
          - path: /
            backend:                # The Service reference
              serviceName: nginx
              servicePort: 80
  11. Put all your stuff in a Namespace

    [Diagram: Internet -> nginx.demo.kubernetesfinland.com -> Traefik as Ingress Controller -> Namespace: default, containing the nginx Ingress Rule, the nginx Service, the nginx Deployment and nginx Pods 1-3]

    A Namespace is a logical isolation method; most resources are namespace-scoped. You can group logically similar workloads in one namespace and enforce different policies. You can e.g. have one namespace per team, and let them play in their own virtual environment. Role Based Access Control (RBAC) can be used to control what Kubernetes users can do, and which resources in which namespaces a user can access is one of the parameters to play with there. Keep in mind that a Namespace by itself is not a security boundary: without a NetworkPolicy, Pods in different namespaces can still reach each other freely, and Pods on the same node share its kernel regardless of namespace.
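The network side of the isolation the slide describes, as an added example rather than a manifest from the deck: a default-deny policy for the namespace, plus a rule that admits traffic to the nginx Pods only from the Ingress controller. The placement of Traefik (namespace kube-system, labelled name=kube-system, Pods labelled app=traefik) is an assumption made for the example.

```yaml
# Added example (not from the slides). Assumes Traefik runs in the kube-system
# namespace, that the namespace carries the label name=kube-system, and that
# the Traefik Pods carry the label app=traefik.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: default
spec:
  podSelector: {}        # selects every Pod in the namespace
  policyTypes:
  - Ingress              # no ingress rules listed, so all inbound traffic is dropped
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nginx-allow-from-ingress-controller
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Ingress
  ingress:
  - from:
    # namespaceSelector and podSelector in the same element are ANDed:
    # only Pods labelled app=traefik inside namespaces labelled name=kube-system
    - namespaceSelector:
        matchLabels:
          name: kube-system
      podSelector:
        matchLabels:
          app: traefik
    ports:
    - protocol: TCP
      port: 80
```

Two caveats before relying on this. NetworkPolicy objects are only enforced if the cluster's CNI plugin implements them (Weave Net and Calico do; flannel on its own does not), so the demo's curl to the ClusterIP from inside the cluster is the test to repeat afterwards: it should now fail from an arbitrary Pod and still work through Traefik. And the ANDed namespaceSelector/podSelector form requires Kubernetes 1.11 or newer; on older releases use the namespaceSelector alone, which admits every Pod in kube-system.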
  12. Wiring it all together

    $ kubectl get deployments
    NAME    DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
    nginx   3         3         3            3           31s
    $ kubectl get pods
    NAME                     READY   STATUS    RESTARTS   AGE
    nginx-68f7ff696d-8wbxc   1/1     Running   0          1m
    nginx-68f7ff696d-lz7ng   1/1     Running   0          1m
    nginx-68f7ff696d-s4gtv   1/1     Running   0          1m
    $ kubectl get services
    NAME    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
    nginx   ClusterIP   10.99.189.106   <none>        80/TCP    5s
    $ curl 10.99.189.106
    <html>
    <head>
    <title>Welcome to nginx!</title>
    ...
    $ kubectl get ingress
    NAME    HOSTS                              ADDRESS   PORTS   AGE
    nginx   nginx.demo.kubernetesfinland.com             80      1m
    $ curl -sSL https://nginx.demo.kubernetesfinland.com
    <html>
    <head>
    <title>Welcome to nginx!</title>
    ...

    The first curl only works because it is run from a machine inside the cluster network (a node or a Pod); a ClusterIP is not routable from the outside, which is exactly why the Ingress is needed for the second one.
  13. Using kubectl to manage the workloads

    $ kubectl logs nginx-68f7ff696d-8wbxc
    10.32.0.1 - - [03/Apr/2018:11:31:40 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.55.1" "104.155.79.229"
    ...
    $ kubectl exec -it nginx-68f7ff696d-8wbxc /bin/sh
    / # ps aux
    PID   USER     TIME   COMMAND
        1 root       0:00 nginx: master process nginx -g daemon off;
        7 nginx      0:00 nginx: worker process
    / # hostname
    nginx-68f7ff696d-8wbxc
    / # nginx -v
    nginx version: nginx/1.13.9
    / # exit
    $ kubectl scale deployment nginx --replicas=2
    deployment.apps "nginx" scaled
    $ kubectl set image deployment nginx nginx=nginx:1.13.10-alpine
    deployment.apps "nginx" image updated
    $ kubectl top pods
    NAME                     CPU(cores)   MEMORY(bytes)
    nginx-55cd4c948d-2qxg7   0m           2Mi
    nginx-55cd4c948d-w5fpv   0m           2Mi
    $ kubectl exec -it nginx-55cd4c948d-2qxg7 /bin/sh
    / # nginx -v
    nginx version: nginx/1.13.10

    Note the Pod name prefix changing from nginx-68f7ff696d to nginx-55cd4c948d: changing the image changed the Pod template, so the Deployment created a new ReplicaSet and rolled the Pods over to it. Note also that the shell from kubectl exec runs as the container's user; here the nginx master process is root, so anyone granted pods/exec in this namespace gets a root shell inside the container.
  14. Inject runtime data with ConfigMaps

    A ConfigMap is used for storing non-sensitive key-value config information in a central place (the API server). The ConfigMap can be injected into the Pod as a Volume (shown here) or as environment variables. The same ConfigMap can be injected into multiple containers. When mounted as a Volume, the ConfigMap is projected as a folder with the key-value pairs as files, and later changes to the ConfigMap show up in those files after a short delay (environment variables, by contrast, are fixed at container start). This way the configuration can be decoupled from the Docker image. Here the mount replaces the image's /usr/share/nginx/html entirely, so only the files from the ConfigMap are served.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: nginx-cfg
      namespace: default
      labels:
        app: nginx
    data:
      index.html: |
        <p>New website content!</p>

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx
    spec:
      containers:
      - image: nginx:1.13.10-alpine
        name: nginx
        ports:
        - name: http
          containerPort: 80
        volumeMounts:               # Injecting the ConfigMap
        - name: nginx-cfg
          mountPath: /usr/share/nginx/html
      volumes:
      - name: nginx-cfg
        configMap:
          name: nginx-cfg
  15. Create a Secret and protect the site with basic auth

    A Secret is like a ConfigMap, but is meant to contain sensitive information. The data field is only base64-encoded, not encrypted: anyone who can read the Secret object (kubectl get secret -o yaml) has the plaintext. You should therefore restrict access to Secrets in the cluster by using RBAC, and remember that anyone who can create or edit Pods in the namespace can mount the Secret into a container and read it that way. nginx-basic-auth contains htpasswd output for “admin:admin”. The Secret is read by Traefik and used for basic auth. The Secret can also be mounted as a Volume, contain TLS certs (type kubernetes.io/tls), and optionally be encrypted at rest in etcd by configuring an EncryptionConfiguration on the API server; by default it is stored there in plaintext.

    apiVersion: v1
    kind: Secret
    metadata:
      name: nginx-basic-auth
      namespace: default
    type: Opaque
    data:
      auth: YWRtaW46JGFwcjEkdG14a2suY0MkWVlXT2lsMnJIalI3b…

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: nginx
      namespace: default
      labels:
        app: nginx
      annotations:                  # Tell Traefik to read auth info from this Secret
        ingress.kubernetes.io/auth-type: "basic"
        ingress.kubernetes.io/auth-secret: "nginx-basic-auth"
    spec:
      ...
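What "restrict access to Secrets by using RBAC" looks like in practice, as an added example that is not part of the deck: a namespaced Role for a developer group that can inspect the workloads from slides 6 to 14 but never lists the secrets resource, bound to a group. The group name web-team is an assumption; it has to match whatever group claim the cluster's authenticator attaches to the user.

```yaml
# Added example (not from the slides). Assumes the cluster's authenticator
# puts developers into a group called "web-team"; RBAC is deny-by-default,
# so anything not listed in the rules below is refused.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: web-developer
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "configmaps"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch"]
# Deliberately absent: "secrets" in any verb, and create/update/patch on pods,
# deployments or pods/exec. Any of those would let the holder mount or read
# the Secret from inside a container they control, bypassing this Role.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: web-team-developers
  namespace: default
subjects:
- kind: Group
  name: web-team
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: web-developer
  apiGroup: rbac.authorization.k8s.io
```

Verify the effect without logging in as that user: kubectl auth can-i get secrets -n default --as alice --as-group web-team should print no, while the same command with pods prints yes. The comment in the Role is the part worth internalising: in Kubernetes the real boundary for a Secret is the namespace, because write access to workloads in it is equivalent to read access to its Secrets, so teams that must not see each other's credentials belong in separate namespaces, not just separate Roles.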
  16. Let’s see how that worked

    $ kubectl apply -f nginx-configmap.yaml
    configmap "nginx-cfg" created
    $ kubectl get configmaps
    NAME        DATA   AGE
    nginx-cfg   1      1m
    $ kubectl apply -f nginx-deployment-with-configmap.yaml
    deployment.apps "nginx" configured
    $ curl 10.99.189.106
    <p>New website content!</p>
    $ htpasswd -c auth admin
    Password: admin
    $ kubectl create secret generic nginx-basic-auth --from-file auth
    secret "nginx-basic-auth" created
    $ kubectl get secrets
    NAME                 TYPE     DATA   AGE
    traefik-basic-auth   Opaque   1      3m
    $ kubectl apply -f basic-auth-ingress.yaml
    ingress.extensions "nginx" created
    $ curl -sSL https://nginx.demo.kubernetesfinland.com
    401 Unauthorized
    $ curl -sSL -u admin:admin https://nginx.demo.kubernetesfinland.com
    <p>New website content!</p>
  17. And more...

    - Storage-related objects:
      - PersistentVolume
      - PersistentVolumeClaim
      - StorageClass
    - Other ways of running applications:
      - DaemonSets
      - StatefulSets
    - Scheduling Jobs on top of Kubernetes:
      - Job
      - CronJob
    - Policy, Automation and Security:
      - RBAC rules: ClusterRole, ClusterRoleBinding, Role, RoleBinding
      - NetworkPolicy
      - PodSecurityPolicy (since removed in Kubernetes 1.25; its role is taken by Pod Security Admission)
      - HorizontalPodAutoscaler
  18. Next steps / additional resources

    - Follow the Kubernetes blog, YouTube channel & Twitter feed
    - Do as 16 000+ others and take the free edX "Introduction to Kubernetes" course
    - Join 31 000+ others in the Kubernetes Slack: http://slack.k8s.io
    - Kick the tires with Kubernetes on your machines with minikube or kubeadm
    - Check out the weekly Kubernetes Community Meeting at Zoom
    - Don’t miss Kubernauts bi-weekly FREE Kubernetes trainings!
    - Check this Comprehensive Overview of Kubernetes presentation by Bob Killen out!
    - Or the Kubernetes’ Architecture Fundamentals presentation I made last year
    - ...or some of the other awesome presentations linked to in cncf/presentations

    bit.ly/k8sfin-apr-intro