Take a deep dive into Kubernetes inner components and discover what really powers a Kubernetes cluster. This in-depth guide shines a light on Kubernetes' murky internals, to help you better plan cloud native architectures and ensure the reliability of your systems.
In Core Kubernetes you will learn about:
• Kubernetes base components
• Kubernetes networking
• Storage and the Container Storage Interface
• External load balancing and ingress
• Kubernetes security
• Different ways of creating a Kubernetes cluster
• Configuring Kubernetes to use a GPU
To build and operate reliable Kubernetes-based systems, you need to understand what’s going on below the surface. Core Kubernetes is an in-depth guide to Kubernetes’ internal workings written by Kubernetes contributors Chris Love and Jay Vyas. It’s packed with experience-driven insights and advanced techniques you won’t find anywhere else. You’ll understand the unique security concerns of container-based applications, minimize costly unused capacity, and get pro tips for maximizing performance. Diagrams, labs, and hands-on examples ensure that the complex ideas are easy to understand and practical to apply.
About the technology
Real-world Kubernetes deployments are messy. Even small configuration errors or design problems can bring your system to its knees. In the real world, it pays to know how each component works so you can quickly troubleshoot, reset, and get on to the next challenge. This one-of-a-kind book includes the details, hard-won advice, and pro tips to keep your Kubernetes apps up and running.
About the book
This book is a tour of Kubernetes under the hood, from managing iptables to setting up dynamically scaled clusters that respond to changes in load. Every page will give you new insights on setting up and managing Kubernetes and dealing with inevitable curveballs. Core Kubernetes is a comprehensive reference guide to maintaining Kubernetes deployments in production.
What's inside
• Kubernetes base components
• Storage and the Container Storage Interface
• Kubernetes security
• Different ways of creating a Kubernetes cluster
• Details about the control plane, networking, and other core components
About the reader
For intermediate Kubernetes developers and administrators.
About the author
Jay Vyas and Chris Love are seasoned Kubernetes developers.
Author(s): Jay Vyas, Chris Love
Edition: 1
Publisher: Manning Publications
Year: 2022
Language: English
Commentary: Vector PDF
Pages: 336
City: Shelter Island, NY
Tags: Linux; Security; DNS; Network Security; Troubleshooting; Kubernetes
Core Kubernetes
brief contents
contents
preface
acknowledgments
about this book
Who should read this book
How this book is organized: A road map
About the code
liveBook discussion forum
about the authors
about the cover illustration
Chapter 1: Why Kubernetes exists
1.1 Reviewing a few key terms before we get started
1.2 The infrastructure drift problem and Kubernetes
1.3 Containers and images
1.4 Core foundation of Kubernetes
1.4.1 All infrastructure rules in Kubernetes are managed as plain YAML
1.5 Kubernetes features
1.6 Kubernetes components and architecture
1.6.1 The Kubernetes API
1.6.2 Example one: An online retailer
1.6.3 Example two: An online giving solution
1.7 When not to use Kubernetes
Chapter 2: Why the Pod?
2.1 An example web application
2.1.1 Infrastructure for our web application
2.1.2 Operational requirements
2.2 What is a Pod?
2.2.1 A bunch of Linux namespaces
2.2.2 Kubernetes, infrastructure, and the Pod
2.2.3 The Node API object
2.2.4 Our web application and the control plane
2.3 Creating a web application with kubectl
2.3.1 The Kubernetes API server: kube-apiserver
2.3.2 The Kubernetes scheduler: kube-scheduler
2.3.3 Infrastructure controllers
2.4 Scaling, highly available applications, and the control plane
2.4.1 Autoscaling
2.4.2 Cost management
Chapter 3: Let’s build a Pod
3.1 Looking at Kubernetes primitives with kind
3.2 What is a Linux primitive?
3.2.1 Linux primitives are resource management tools
3.2.2 Everything is a file (or a file descriptor)
3.2.3 Files are composable
3.2.4 Setting up kind
3.3 Using Linux primitives in Kubernetes
3.3.1 The prerequisites for running a Pod
3.3.2 Running a simple Pod
3.3.3 Exploring the Pod’s Linux dependencies
3.4 Building a Pod from scratch
3.4.1 Creating an isolated process with chroot
3.4.2 Using mount to give our process data to work with
3.4.3 Securing our process with unshare
3.4.4 Creating a network namespace
3.4.5 Checking whether a process is healthy
3.4.6 Adjusting CPU with cgroups
3.4.7 Creating a resources stanza
3.5 Using our Pod in the real world
3.5.1 The networking problem
3.5.2 Utilizing iptables to understand how kube-proxy implements Kubernetes services
3.5.3 Using the kube-dns Pod
3.5.4 Considering other issues
Chapter 4: Using cgroups for processes in our Pods
4.1 Pods are idle until the prep work completes
4.2 Processes and threads in Linux
4.2.1 systemd and the init process
4.2.2 cgroups for our process
4.2.3 Implementing cgroups for a normal Pod
4.3 Testing the cgroups
4.4 How the kubelet manages cgroups
4.5 Diving into how the kubelet manages resources
4.5.1 Why can’t the OS use swap in Kubernetes?
4.5.2 Hack: The poor man’s priority knob
4.5.3 Hack: Editing HugePages with init containers
4.5.4 QoS classes: Why they matter and how they work
4.5.5 Creating QoS classes by setting resources
4.6 Monitoring the Linux kernel with Prometheus, cAdvisor, and the API server
4.6.1 Metrics are cheap to publish and extremely valuable
4.6.2 Why do I need Prometheus?
4.6.3 Creating a local Prometheus monitoring service
4.6.4 Characterizing an outage in Prometheus
Chapter 5: CNIs and providing the Pod with a network
5.1 Why we need software-defined networks in Kubernetes
5.2 Implementing the service side of the Kubernetes SDN: The kube-proxy
5.2.1 The kube-proxy’s data plane
5.2.2 What about NodePorts?
5.3 CNI providers
5.4 Diving into two CNI networking plugins: Calico and Antrea
5.4.1 The architecture of a CNI plugin
5.4.2 Let’s play with some CNIs
5.4.3 Installing the Calico CNI provider
5.4.4 Kubernetes networking with OVS and Antrea
5.4.5 A note on CNI providers and kube-proxy on different OSs
Chapter 6: Troubleshooting large-scale network errors
6.1 Sonobuoy: A tool for confirming your cluster is functioning
6.1.1 Tracing data paths for Pods in a real cluster
6.1.2 Setting up a cluster with the Antrea CNI provider
6.2 Inspecting CNI routing on different providers with the arp and ip commands
6.2.1 What is an IP tunnel and why do CNI providers use them?
6.2.2 How many packets are flowing through the network interfaces for our CNI?
6.2.3 Routes
6.2.4 CNI-specific tooling: Open vSwitch (OVS)
6.2.5 Tracing the data path of active containers with tcpdump
6.3 The kube-proxy and iptables
6.3.1 iptables-save and the diff tool
6.3.2 Looking at how network policies modify CNI rules
6.3.3 How are these policies implemented?
6.4 Ingress controllers
6.4.1 Setting up Contour and kind to explore ingress controllers
6.4.2 Setting up a simple web server Pod
Chapter 7: Pod storage and the CSI
7.1 A quick detour: The virtual filesystem (VFS) in Linux
7.2 Three types of storage requirements for Kubernetes
7.3 Let’s create a PVC in our kind cluster
7.4 The container storage interface (CSI)
7.4.1 The in-tree provider problem
7.4.2 CSI as a specification that works inside of Kubernetes
7.4.3 CSI: How a storage driver works
7.4.4 Bind mounting
7.5 A quick look at a few running CSI drivers
7.5.1 The controller
7.5.2 The node interface
7.5.3 CSI on non-Linux OSs
Chapter 8: Storage implementation and modeling
8.1 A microcosm of the broader Kubernetes ecosystem: Dynamic storage
8.1.1 Managing storage on the fly: Dynamic provisioning
8.1.2 Local storage compared with emptyDir
8.1.3 PersistentVolumes
8.1.4 CSI (container storage interface)
8.2 Dynamic provisioning benefits from CSI but is orthogonal
8.2.1 StorageClasses
8.2.2 Back to the data center stuff
8.3 Kubernetes use cases for storage
8.3.1 Secrets: Sharing files ephemerally
8.4 What does a dynamic storage provider typically look like?
8.5 hostPath for system control and/or data access
8.5.1 hostPaths, CSI, and CNI: A canonical use case
8.5.2 Cassandra: An example of real-world Kubernetes application storage
8.5.3 Advanced storage functionality and the Kubernetes storage model
8.6 Further reading
Chapter 9: Running Pods: How the kubelet works
9.1 The kubelet and the node
9.2 The core kubelet
9.2.1 Container runtimes: Standards and conventions
9.2.2 The kubelet configurations and its API
9.3 Creating a Pod and seeing it in action
9.3.1 Starting the kubelet binary
9.3.2 After startup: Node life cycle
9.3.3 Leasing and locking in etcd and the evolution of the node lease
9.3.4 The kubelet’s management of the Pod life cycle
9.3.5 CRI, containers, and images: How they are related
9.3.6 The kubelet doesn’t run containers: That’s the CRI’s job
9.3.7 Pause container: An “aha” moment
9.4 The Container Runtime Interface (CRI)
9.4.1 Telling Kubernetes where our container runtime lives
9.4.2 The CRI routines
9.4.3 The kubelet’s abstraction around CRI: The GenericRuntimeManager
9.4.4 How is the CRI invoked?
9.5 The kubelet’s interfaces
9.5.1 The Runtime internal interface
9.5.2 How the kubelet pulls images: The ImageService interface
9.5.3 Giving ImagePullSecrets to the kubelet
9.6 Further reading
Chapter 10: DNS in Kubernetes
10.1 A brief intro to DNS (and CoreDNS)
10.1.1 NXDOMAINs, A records, and CNAME records
10.1.2 Pods need internal DNS
10.2 Why StatefulSets instead of Deployments?
10.2.1 DNS with headless services
10.2.2 Persistent DNS records in StatefulSets
10.2.3 Using a polyglot deployment to explore Pod DNS properties
10.3 The resolv.conf file
10.3.1 A quick note about routing
10.3.2 CoreDNS: The upstream resolver for the ClusterFirst Pod DNS
10.3.3 Hacking the CoreDNS plugin configuration
Chapter 11: The core of the control plane
11.1 Investigating the control plane
11.2 API server details
11.2.1 API objects and custom API objects
11.2.2 Custom resource definitions (CRDs)
11.2.3 Scheduler details
11.2.4 Recap of scheduling
11.3 The controller manager
11.3.1 Storage
11.3.2 Service accounts and tokens
11.4 Kubernetes cloud controller managers (CCMs)
11.5 Further reading
Chapter 12: etcd and the control plane
12.1 Notes for the impatient
12.1.1 Visualizing etcd performance with Prometheus
12.1.2 Knowing when to tune etcd
12.1.3 Example: A quick health check of etcd
12.1.4 etcd v3 vs. v2
12.2 etcd as a data store
12.2.1 The watch: Can you run Kubernetes on other databases?
12.2.2 Strict consistency
12.2.3 fsync operations make etcd consistent
12.3 Looking at the interface for Kubernetes to etcd
12.4 etcd’s job is to keep the facts straight
12.4.1 The etcd write-ahead log
12.4.2 Effect on Kubernetes
12.5 The CAP theorem
12.6 Load balancing at the client level and etcd
12.6.1 Size limitations: What (not) to worry about
12.7 etcd encryption at rest
12.8 Performance and fault tolerance of etcd at a global scale
12.9 Heartbeat times for a highly distributed etcd
Setting an etcd client up on a kind cluster
12.10
Running etcd in non-Linux environments
12.10.1
Chapter 13: Container and Pod security
13.1 Blast radius
13.1.1 Vulnerabilities
13.1.2 Intrusion
13.2 Container security
13.2.1 Plan to update containers and custom software
13.2.2 Container screening
13.2.3 Container users—do not run as root
13.2.4 Use the smallest container
13.2.5 Container provenance
13.2.6 Linters for containers
13.3 Pod security
13.3.1 Security context
13.3.2 Escalated permissions and capabilities
13.3.3 Pod Security Policies (PSPs)
13.3.4 Do not automount the service account token
13.3.5 Root-like Pods
13.3.6 The security outskirts
Chapter 14: Nodes and Kubernetes security
14.1 Node security
14.1.1 TLS certificates
14.1.2 Immutable OSs vs. patching nodes
14.1.3 Isolated container runtimes
14.1.4 Resource attacks
14.1.5 CPU units
14.1.6 Memory units
14.1.7 Storage units
14.1.8 Host networks vs. Pod networks
14.1.9 Pod example
14.2 API server security
14.2.1 Role-based access control (RBAC)
14.2.2 RBAC API definition
14.2.3 Resources and subresources
14.2.4 Subjects and RBAC
14.2.5 Debugging RBAC
14.3 Authn, Authz, and Secrets
14.3.1 IAM service accounts: Securing your cloud APIs
14.3.2 Access to cloud resources
14.3.3 Private API servers
14.4 Network security
14.4.1 Network policies
14.4.2 Load balancers
14.4.3 Open Policy Agent (OPA)
14.4.4 Multi-tenancy
14.5 Kubernetes tips
Chapter 15: Installing applications
15.1 Thinking about apps in Kubernetes
15.1.1 Application scope influences what tools you should use
15.2 Microservice apps typically require thousands of lines of configuration code
15.3 Rethinking our Guestbook app installation for the real world
15.4 Installing the Carvel toolkit
15.4.1 Part 1: Modularizing our resources into separate files
15.4.2 Part 2: Patching our application files with ytt
15.4.3 Part 3: Managing and deploying Guestbook as a single application
15.4.4 Part 4: Constructing a kapp Operator to package and manage our application
15.5 Revisiting the Kubernetes Operator
15.6 Tanzu Community Edition: An end-to-end example of the Carvel toolkit
index
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
Y
Z