
DEVOPS IN ADVANCE

Kubernetes administration

Agenda
• Docker infrastructure in advance
• Core concepts
• Scheduling
• Cluster Monitoring
• Cluster Security
• Storage
• Networking
• Design and Install
• Troubleshooting
Docker infrastructure in advance: Kubernetes administration

Docker network
4 network types:
• Bridge (default)
• Host
• Overlay
• ipvlan

Docker network: bridge
Docker network: host
Docker network: overlay
Docker network: ipvlan

Docker storage
Core concepts: Kubernetes administration

Resources:

Foundations:
• Namespace
• Pod

Workloads:
• Deployment/ReplicaSet
• StatefulSet
• DaemonSet
• Job/CronJob

Networking:
• Service
• DNS record
• Ingress/Ingress Controllers
• Network policy

Storage:
• Volume
• Storage class
• Persistent volume
• Persistent volume claim

Others:
• ConfigMaps
• Secret
• Resource quotas
• Custom resource definitions
Scheduling: Kubernetes administration

Scheduling refers to making sure that Pods are matched to Nodes so that the kubelet can run them.
Kube-scheduler is the default scheduler for Kubernetes and runs as part of the control plane. Kube-scheduler is designed so that, if you want and need to, you can write your own scheduling component and use that instead.

Kube-scheduler selects a node for the pod in a 2-step operation:
1. Filtering - finds the set of Nodes where it is feasible to schedule the Pod
2. Scoring - ranks the remaining nodes to choose the most suitable Pod placement
Scheduling profile
• Can customize the behavior of the kube-scheduler by writing a configuration file and passing its path as a command line argument.
• A scheduling Profile allows you to configure the different stages of scheduling in the kube-scheduler.
Labels and Selector:
• Labels are key/value pairs that are attached to objects.
• Many objects can carry the same label(s).
• Via a label selector, the client/user can identify a set of objects.

2 types of selectors:
• equality-based
• set-based
NodeName:
• No scheduling
• Scheduling with selecting a node name

NodeSelector:
• Scheduling with selecting node(s) by using label(s)
Affinity and anti-affinity:
Expands the types of constraints you can define:
• More control over the selection logic with labels.
• A rule can be soft or preferred, so that the scheduler still schedules the Pod even if it can't find a matching node.
• Can constrain a Pod using labels on other Pods running on the node (or other topological domain), instead of just node labels, which allows you to define rules for which Pods can be co-located on a node.
2 types:
• Node affinity:
  • requiredDuringSchedulingIgnoredDuringExecution for node
  • preferredDuringSchedulingIgnoredDuringExecution for node
• Inter-pod affinity/anti-affinity:
  • requiredDuringSchedulingIgnoredDuringExecution for pod
  • preferredDuringSchedulingIgnoredDuringExecution for pod
Taints and tolerations:
Taints - allow a node to repel a set of pods.
Tolerations - allow the scheduler to schedule pods with matching taints but don't guarantee scheduling.
Taints and tolerations work together to ensure that pods are not scheduled onto inappropriate nodes. One or more taints are applied to a node; this marks that the node should not accept any pods that do not tolerate the taints.
Use cases:
• Dedicated Nodes
• Nodes with Special Hardware
• Taint based Evictions
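The filter-then-score flow, nodeSelector and taints/tolerations described on the scheduling slides, modelled as an added Python example (not kube-scheduler's code; the node names, labels and the `dedicated=gpu` taint are constructed):

```python
# Added illustration of kube-scheduler's two-step selection (a simplified
# model, not kube-scheduler's code). Filtering drops infeasible nodes:
# nodeSelector mismatch, an untolerated NoSchedule taint, too little CPU.
# Scoring ranks the survivors. A toleration only lets a pod pass a taint;
# it never forces the pod onto the tainted node.
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    labels: dict
    free_cpu: int                                   # millicores not yet requested
    taints: list = field(default_factory=list)      # [(key, value, effect)]

@dataclass
class Pod:
    name: str
    cpu_request: int                                # millicores
    node_selector: dict = field(default_factory=dict)
    tolerations: list = field(default_factory=list)  # [(key, value)]

def feasible(pod, node):
    """Filtering: every predicate must hold for the node to stay a candidate."""
    if any(node.labels.get(k) != v for k, v in pod.node_selector.items()):
        return False
    if node.free_cpu < pod.cpu_request:
        return False
    # A NoSchedule taint repels every pod that lacks a matching toleration.
    return all((key, value) in pod.tolerations
               for key, value, effect in node.taints if effect == "NoSchedule")

def score(pod, node):
    """Scoring: prefer the node with the most CPU left after placement."""
    return node.free_cpu - pod.cpu_request

def schedule(pod, nodes):
    """Return the chosen node name, or None when filtering leaves nothing."""
    candidates = [n for n in nodes if feasible(pod, n)]
    if not candidates:
        return None
    return max(candidates, key=lambda n: score(pod, n)).name

# Constructed sample cluster: gpu-1 is a dedicated node guarded by a taint.
NODES = [
    Node("worker-1", {"disk": "ssd"}, free_cpu=2000),
    Node("worker-2", {"disk": "hdd"}, free_cpu=4000),
    Node("gpu-1", {"disk": "ssd", "gpu": "true"}, free_cpu=8000,
         taints=[("dedicated", "gpu", "NoSchedule")]),
]
```

A pod that tolerates the taint but whose nodeSelector points elsewhere still lands on an ordinary worker, which is the "don't guarantee scheduling" point from the slide.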
Pod topology spread constraints:
Resources management:
• CPU (Request and limits - Burstable)
• RAM (Request and limits - Burstable)
• Storage (ephemeral / Request and limits)
Static Pods:
• Managed directly by the kubelet daemon on a specific node, without the API server observing them. The kubelet watches each static Pod (and restarts it if it fails).
• Static Pods are always bound to one kubelet on a specific node.
Cluster maintenance: Kubernetes administration

OS Upgrades and Patching
Manual for each node:
• Cordon node
• Drain node
• Upgrade or patch it
• Un-cordon node

Kubernetes version

Cluster Upgrade Process
Manual for each cluster:
• Upgrade masters (control plane)
• Upgrade the nodes
• Upgrade clients such as kubectl
• Adjust manifests and other resources

Backup and Restore
Resource candidate
Cluster Security: Kubernetes administration

Security basics
• Password based authentication disabled; use SSH key based authentication instead

Who can access:
• Files – Username and Passwords
• Files – Username and Tokens
• Certificates
• External Authentication providers - LDAP
• Service Accounts

What can they do:
• RBAC Authorization
• ABAC Authorization
• Node Authorization
• Webhook Mode
TLS in Kubernetes

KubeConfig File
RBAC in Kubernetes

Role and ClusterRole
An RBAC Role or ClusterRole contains rules that represent a set of permissions. Permissions are purely additive (there are no "deny" rules).
A Role always sets permissions within a particular namespace; when you create a Role, you have to specify the namespace it belongs in.
ClusterRole, by contrast, is a non-namespaced resource. The resources have different names (Role and ClusterRole) because a Kubernetes object always has to be either namespaced or not namespaced; it can't be both.
Role
Namespaced
ClusterRole
ClusterRoleBinding
RoleBinding and ClusterRoleBinding
• A role binding grants the permissions defined in a role to a user or set of users.
• A ClusterRoleBinding grants permissions across a whole cluster.
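The Role/ClusterRole and RoleBinding/ClusterRoleBinding semantics described above, as an added Python example (a simplified evaluator, not the Kubernetes authorizer; the subjects `alice` and `auditor`, the namespaces and the role names are constructed):

```python
# Added illustration of the RBAC semantics above (a simplified evaluator, not
# the Kubernetes authorizer): rules are purely additive with no deny; a Role is
# namespaced and a ClusterRole is not; a RoleBinding grants only inside its own
# namespace, even for a ClusterRole; a ClusterRoleBinding grants cluster-wide.
from dataclasses import dataclass
# A rule is (verbs, resources); "*" wildcards either side.
@dataclass
class Role:                 # namespaced: permissions exist in one namespace only
    namespace: str
    rules: list

@dataclass
class ClusterRole:          # non-namespaced: usable cluster-wide or per namespace
    rules: list

@dataclass
class RoleBinding:          # grants the referenced rules inside .namespace only
    namespace: str
    subjects: set
    role: object            # Role or ClusterRole

@dataclass
class ClusterRoleBinding:   # grants a ClusterRole's rules across the whole cluster
    subjects: set
    role: ClusterRole

def rule_allows(rule, verb, resource):
    verbs, resources = rule
    return bool({verb, "*"} & verbs) and bool({resource, "*"} & resources)

def can_i(subject, verb, resource, namespace, bindings):
    """Answer like `kubectl auth can-i`: one matching rule in any binding suffices."""
    for b in bindings:
        if subject not in b.subjects:
            continue
        if isinstance(b, RoleBinding) and b.namespace != namespace:
            continue        # a RoleBinding never reaches into other namespaces
        if any(rule_allows(r, verb, resource) for r in b.role.rules):
            return True
    return False            # nothing granted it; there is no deny to evaluate

# Constructed sample: one read-only ClusterRole bound two ways, plus a namespaced Role.
VIEW = ClusterRole([({"get", "list"}, {"pods", "deployments"})])
DEPLOYER = Role("prod", [({"create", "update"}, {"deployments"})])
BINDINGS = [
    RoleBinding("dev", {"alice"}, VIEW),       # ClusterRole, but only inside dev
    ClusterRoleBinding({"auditor"}, VIEW),     # read across every namespace
    RoleBinding("prod", {"alice"}, DEPLOYER),
]
```

Binding the same ClusterRole through a RoleBinding confines it to that one namespace, which is the least-privilege pattern to reach for before creating a ClusterRoleBinding.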
Check access method

Image Security
Networking: Kubernetes administration
• DNS in Kubernetes
• Ingress

Cluster Networking

POD Networking
• Every POD should have an IP address.
• Every POD should be able to communicate with every other POD on the same node.
• Every POD should be able to communicate with every other POD on other nodes without NAT.
Service Networking
• ClusterIP
• NodePort
• LoadBalancer
• ExternalName
Ingress
An API object that manages external access to the services in a cluster, typically HTTP, that may provide load balancing, SSL termination and name-based virtual hosting.

DNS in Kubernetes
Design and Install: Kubernetes administration

How-to design a Kubernetes cluster

Objective
• Node Considerations
• Resource Requirements
• Network Considerations

Ask

Kubernetes limits
• Up to 5000 nodes
• Up to 150,000 PODs in the cluster
• Up to 300,000 total containers
• Up to 100 PODs per node

Storage
• High performance – SSD backed storage
• Multiple concurrent connections – network based storage
• Persistent shared volumes for shared access across multiple PODs
• Label nodes with specific disk types
• Use Node Selectors to assign applications to nodes with specific disk types

Network

Nodes
• Sizing and template
• Based on technical stacks
• Linux x86_64 architecture
• No host workloads on Master nodes
Troubleshooting: Kubernetes administration

Application failure
• Check Service
• Check POD
• Others:
  • Check dependent service
  • Check dependent application

Control plane failure
• Check Nodes and PODs
• Check Control plane PODs
• Check Control plane services
• Check Control plane services logs

Worker Node failure
• Check Nodes status
• Check Nodes
• Check kubelet
• Check certificates

Network troubleshooting
• Check Network Plugin
• Check DNS
• Check KubeProxy
Q&A
