Kindle Notes & Highlights
#KubernetesMoment:
Kubernetes this Month:
etcd prefers consistency over availability. This means that it will not tolerate a split-brain situation and will halt updates to the cluster in order to maintain consistency.
etcd uses the popular RAFT consensus algorithm to accomplish this.
Cluster DNS is based on CoreDNS
Keeping it high level, you ring-fence an area of the host OS, build a network stack, create a bunch of kernel namespaces, and run one or more containers in it. That’s a Pod.
seriously consider using a service mesh to secure traffic between Pods and application services.
Examples of higher-level controllers include: Deployments, DaemonSets, and StatefulSets.
Behind the scenes, Deployments, DaemonSets and StatefulSets implement a controller and a watch loop that is constantly observing the cluster, making sure that current state matches desired state.
Service – it’s a stable network abstraction point that provides TCP and UDP load-balancing across a dynamic set of Pods.
Ingress, which understands HTTP and provides host and path-based routing.
Services bring stable IP addresses and DNS names to the unstable world of Pods.
The Pod is the basic building-block. Deployments add self-healing, scaling and updates. Services add stable networking and load-balancing.
At a high-level, kubectl converts user-friendly commands into the JSON payload required by the API server.
An infrastructure-centric use-case for multi-container Pods is a service mesh. In the service mesh model, a proxy container is inserted into every application Pod. This proxy container handles all network traffic entering and leaving the Pod, meaning it is ideally placed to implement features such as traffic encryption, network telemetry, intelligent routing, and more.
If you’re using Docker as the container runtime, a Pod is actually a special type of container called a pause container.
Each container in a Pod shares the Pod’s entire network namespace – IP, localhost adapter, port range, routing table, and more.
All containers in a Pod have access to the same volumes, the same memory, the same IPC sockets, and more.
it’s possible for two containers in the same Pod to have their own set of cgroup limits.
Singleton Pods are not reliable!
It’s not good practice to use the default namespace in the real world,
“A Strong Belief, Loosely Held: Bringing Empathy to IT”.
The -it flags make the exec session interactive and connect STDIN and STDOUT on your terminal to STDIN and STDOUT
The process on the worker node that accepts the PodSpec is the kubelet.
behind-the-scenes, Deployments leverage another object called a ReplicaSet.
Kubernetes is constantly making sure that current state matches desired state.
every Service gets its own stable IP address, its own stable DNS name, and its own stable port.
Each Service that is created automatically gets an associated Endpoints object. All this Endpoints object is, is a dynamic list of all of the healthy Pods on the cluster that match the Service’s label selector.
Kubernetes supports several types of Service. The default type is ClusterIP.
ClusterIP. This is the default option and gives the Service a stable IP address internally within the cluster. It will not make the Service available outside of the cluster.
NodePort. This builds on top of ClusterIP and adds a cluster-wide TCP or UDP port. It makes the Service available outside of the cluster on a stable port.
LoadBalancer. This builds on top of NodePort and integrates with cloud...
Kubernetes automatically configures every container so that it can find and use the cluster DNS to convert Service names to IPs. It does this by populating every container’s /etc/resolv.conf file with the IP address of cluster DNS Service as well as any search domains that should be appended to unqualified names.
A default gateway is where a device sends traffic that it doesn’t have a specific route for. The default gateway will normally forward traffic to another device with a larger routing table that might have a route for the traffic.
The format of the FQDN is <object-name>.<namespace>.svc.cluster.local
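The Service types and the DNS naming described in the highlights above, as an added example (not from the book): the same set of Pods exposed first as the default ClusterIP type and then as a NodePort. The namespace `shop`, the label `app: web`, the port numbers and the image are assumptions.

```yaml
# Added example; names, namespace and ports are assumptions.
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: shop
spec:
  type: ClusterIP            # default: reachable only from inside the cluster
  selector:
    app: web                 # the Endpoints object tracks healthy Pods carrying this label
  ports:
    - name: http
      protocol: TCP
      port: 80               # stable Service port (paired with the stable ClusterIP)
      targetPort: 8080       # port the containers in the matched Pods listen on
---
# Same Pods, but additionally reachable on every node's IP at a cluster-wide port.
# Anything that can reach a node IP can now reach these Pods, so restrict this
# with NetworkPolicy or node firewalling rather than relying on ClusterIP isolation.
apiVersion: v1
kind: Service
metadata:
  name: web-nodeport
  namespace: shop
spec:
  type: NodePort
  selector:
    app: web
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080
      nodePort: 30080        # must fall in the configured node-port range (default 30000-32767)
```

Because the kubelet writes the cluster DNS IP and the search domains into each container's /etc/resolv.conf, a Pod in `shop` can reach the first Service as plain `web`, while a Pod in any other namespace must use the FQDN `web.shop.svc.cluster.local`.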
Storage Classes take things to the next level by allowing applications to dynamically request storage. You create a Storage Class object that references a class, or tier, of storage from a storage back-end. Once created, the Storage Class watches the API Server for new Persistent Volume Claims that reference the Storage Class. When a matching PVC arrives, the SC dynamically creates the storage and makes it available as a PV that can be mounted as a volume into a Pod (container).
it is recommended to set automountServiceAccountToken to false for Pods that do not need to communicate with the API server.
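The automountServiceAccountToken setting from the highlight above, as an added example (not from the book): the flag can be set on the ServiceAccount, so every Pod using it inherits the safe default, and on the Pod, where the Pod-level value takes precedence. The ServiceAccount name `web-sa`, the namespace `shop` and the image are assumptions.

```yaml
# Added example; names, namespace and image are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: web-sa
  namespace: shop
automountServiceAccountToken: false   # no Pod using this account gets an API token unless it asks
---
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: shop
spec:
  serviceAccountName: web-sa
  automountServiceAccountToken: false # Pod-level setting wins over the ServiceAccount's value
  containers:
    - name: web
      image: nginx:1.25
      ports:
        - containerPort: 8080
```

After applying it, `kubectl -n shop exec web -- ls /var/run/secrets/kubernetes.io/serviceaccount` should report that the directory does not exist, which confirms that a compromised container in this Pod would hold no credential for the API server.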
Pod Security Policies are a relatively new feature that allow you to define security settings at the cluster level.
The most secure practical option is to host your own private registry within your own firewall.
This is similar to BGP. BGP Routing happens through a network of peers that help each other find a route for packets to go from one Pod to another.
Controller: Control plane process running as a reconciliation loop monitoring the cluster (via the API Server) and making the necessary changes so the observed state of the cluster matches desired state.