Kubernetes 101 for Beginners

Kubernetes
For Beginners
UnrestrictedUnrestricted

Agenda
● Introduction
○ Legacy Systems
○ Docker
○ Docker-Compose
○ Docker-Swarm
○ What isKubernetes?
○ What doesKubernetesdo?
● Architecture
○ MasterComponents
○ NodeComponents
○ Additional Services
○ Kubectl
○ Kube Config
● Concepts
○ Core
○ Workloads
○ Network
○ Storage
○ Configuration
○ Auth and Identity
○ Helm
○ MiniKube
● Behind theScenes
● Deployment fromBeginningto
End
● AKS Deployment Demo
○ End to End AKS Deployment

Legacy Systems
Legacy App Deployment Model on Bare Metal Servers.

Legacy Systems
App Deployment on Virtual Machines Overview.

Virtual Machines vs Docker Containers

Container:
 Containers are an abstraction at the app layer that packages code and dependencies together.
 Multiple containers can run on the same machine and share the OS kernel with other containers,
each running as isolated processes in user space.
 Containers typically take up less space than VMs.
Virtual Machines
 Virtual machines (VMs) are an abstraction of physical hardware turning one server into
many servers.
 The hypervisor allows multiple VMs to run on a single machine.
 Each VM includes a full copy of an operating system, the application, necessary binaries
and libraries - taking up tens of GBs.
 VMs can also be slower to boot.

Docker Workshops
https://www.katacoda.com/courses/docker/deploying-first-Container
https://www.katacoda.com/courses/docker/3
Docker Basics:
Dockerize NodeJs:

COMPOSE
https://www.katacoda.com/boxboat/courses/df-dev/02-docker-compose
Workshop:
 Compose is a tool for defining and running
multi-container Docker applications.
 With Compose, you use a YAML file to configure
your application’s services. Then, with a single command,
you create and start all the services from your configuration.
 Compose is great for development, testing,
and staging environments, as well as CI workflows

SWARM
https://www.katacoda.com/boxboat/courses/df-ops/01-docker-swarm
https://www.katacoda.com/courses/docker-orchestration/getting-started-with-swarm-mode
Workshop:
 Docker Swarm is a clustering and scheduling
tool for Docker containers.
 With Swarm, IT administrators and developers
can establish and manage a cluster of Docker
nodes as a single virtual system.

Intro - Whatis Kubernetes?
Kubernetes or K8s wasaproject spunout of Googleasaopensource
next-gen container scheduler designed with the lessons learned from
developing andmanagingBorg andOmega.
Kubernetes wasdesignedfromtheground-upasalooselycoupled collection
of components centered around deploying, maintaining, and scaling
applications.

Intro - What Does Kubernetes do?
Kubernetes isthelinuxkernelof distributed systems.
Itabstractsawaytheunderlyinghardwareof thenodesandprovides a
uniform interface for applicationsto bebothdeployedandconsumethe
sharedpool of resources.
https://www.katacoda.com/loodse/courses/kubernetes/kubernetes-01-playground
Workshop:

Architecture Overview
Masters -Acts as the primary control plane for Kubernetes. Masters are
responsible ataminimumfor runningtheAPI Server, scheduler,andcluster
controller. Theycommonly alsomanagestoringcluster state,cloud-provider
specific componentsandother cluster essentialservices.
Nodes-Are the‘workers’of aKubernetes cluster. They runaminimalagent
that manages the node itself, and are tasked with executing workloads as
designatedbythemaster.

Master Components
● Kube-apiserver
● Etcd
● Kube-controller-manager
● Cloud-controller-manager
● Kube-scheduler

kube-apiserver
Theapiserverprovides aforward facingRESTinterface into thekubernetes
control plane and datastore. All clients, including nodes, users and other
applicationsinteract with kubernetes strictly through theAPI Server.
It is the true core of Kubernetes acting as the gatekeeper to the cluster by
handlingauthenticationandauthorization,requestvalidation,mutation, and
admission control in addition to beingthefront-end to thebackingdatastore.
kubectl api-resources  to see all api resources

etcd
Etcd actsasthecluster datastore;providing astrong,consistent andhighly
availablekey-valuestoreusedfor persisting cluster state.

kube-controller-manager
The controller-manager is the primary daemon that manages all core
componentcontrol loops.Itmonitorsthecluster state viatheapiserverand
steersthecluster towardsthedesired state.

cloud-controller-manager
The cloud-controller-manager is a daemon that provides cloud-provider
specific knowledge andintegration capabilityinto thecorecontrol loop of
Kubernetes. The controllers include Node, Route, Service, and add an
additional controller to handlePersistentVolumeLabels.

kube-scheduler
Kube-scheduler isaverbose policy-rich enginethatevaluatesworkload
requirements and attempts to place it on a matching resource. These
requirements canincludesuchthings asgeneralhardwarereqs,affinity,
anti-affinity, andother customresource requirements.

Node Components
● Kubelet
● Kube-proxy
● Containerruntime engine

kubelet
Acts as the node agent responsible for managing pod lifecycle on its host.
Kubelet understandsYAML containermanifeststhatit canreadfromseveral
sources:
● File path
● HTTP Endpoint
● Etcd watchacting onanychanges
● HTTP Servermodeaccepting containermanifestsoverasimpleAPI.

kube-proxy
Manages thenetwork rulesoneachnodeandperformsconnection
forwarding or loadbalancingfor Kubernetes cluster services.
Available ProxyModes:
● Userspace
● iptables
● ipvs(alphain1.8)

Container Runtime
With respect to Kubernetes,A containerruntime isaCRI (Container RuntimeInterface)
compatible application that executesandmanagescontainers.
● Containerd (docker)
● Cri-o
● Rkt
● Kata(formerlyclearandhyper)
● Virtlet (VM CRI compatible runtime)

Additional Services
Kube-dns-Provides cluster wide DNS Services.Servicesareresolvable to
<service>.<namespace>.svc.cluster.local.
Heapster - Metrics Collector for kubernetes cluster, usedbysomeresources
suchastheHorizontal Pod Autoscaler. (required for kubedashboardmetrics)
Kube-dashboard -A generalpurpose webbasedUIfor kubernetes.

Kubectl
kubectl [command] [TYPE] [NAME] [flags]
command: operation to perform (verb)
TYPE: the resource type to perform the operation on NAME:Specifies the name of the
resource
flags:optional flags
https://www.katacoda.com/courses/kubernetes/kubectl-run-containers
Workshop:

$KUBECONFIG
• Multiple configurations files as a list of paths
• KUBECONFIG
• Append new configurations temporarily
https://github.com/ahmetb/kubectx
KUBECTX:

https://www.katacoda.com/boxboat/courses/kubernetes-basic/module-2
Workshops:
https://www.katacoda.com/loodse/courses/kubernetes/kubernetes-03-cluster-
setup
App Deployment:
KubeAdm

Kubernetes Concepts - Core
Cluster - A collection of hoststhat aggregate their available resources including cpu,ram,disk,
andtheir devicesinto ausablepool.
Master - The master(s)represent acollection of components that makeupthecontrol planeof
Kubernetes. These components are responsible for all cluster decisions including both
schedulingandresponding to cluster events.
Node - A singlehost,physicalor virtual capableof runningpods.A nodeismanagedbythe
master(s),andat aminimumrunsboth kubelet andkube-proxyto beconsidered part of the
cluster.
Namespace- A logical cluster or environment. Primarymethodof dividing acluster or
scopingaccess.

Concepts - Core(cont.)
Label- Key-valuepairs that areusedto identify, describe andgrouptogetherrelated setsof
objects.Labelshaveastrict syntaxandavailable characterset.*
Annotation - Key-value pairs that contain non-identifying information or metadata.
Annotations donot havethethesyntaxlimitations aslabels andcancontainstructured or
unstructureddata.
Selector - Selectors uselabels to filter or select objects. Bothequality-based(=,==,!=)or
simplekey-valuematchingselectorsaresupported.
* https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set

Labels:
app:nginx
tier:frontned
Annotations
description: “nginxfrontend”
Selector:
app:nginx
tier:frontend
Labels, and Annotations,
and Selectors

Concepts - Workloads
Pod- A podisthesmallestunit of workormanagementresourcewithin Kubernetes.Itis
comprised of one or more containers that share their storage, network, and context
(namespace, cgroupsetc).
ReplicationController - Method of managingpodreplicasandtheir lifecycle. Their
scheduling,scaling,anddeletion.
ReplicaSet- Next GenerationReplicationController. Supportsset-basedselectors.
Deployment - A declarativemethodof managingstatelessPods andReplicaSets. Provides
rollback functionalityinaddition to moregranularupdatecontrol mechanisms.

Deployment
Contains configuration
of how updates or
‘deployments’ should be
managed in addition to
thepodtemplateusedto
generate theReplicaSet.
ReplicaSet
Generated ReplicaSet
fromDeployment spec.
https://www.katacoda.com/boxb
oat/courses/kf1/03-deployments
Workshop:

Concepts - Workloads (cont.)
StatefulSet - A controller tailored to managingPods thatmustpersistormaintainstate.Pod
identityincluding hostname,network,andstoragewill bepersisted.
DaemonSet - Ensuresthat all nodesmatchingcertain criteria will run aninstance of a
supplied Pod. Idealfor cluster wide services suchaslog forwarding, orhealth monitoring.

StatefulSet
● Attaches to ‘headeless service’ (notshown)nginx.
● Podsgivenunique ordinalnamesusingthepattern
<statefulset name>-<ordinalindex>.
● Createsindependent persistentvolumesbasedon
the‘volumeClaimTemplates’.

DaemonSet
● Bypasses defaultscheduler
● Schedulesasingle instanceonevery host while
adheringto tolerancesandtaints.
https://www.katacoda.com/reselbob/scenario
s/k8s-daemonset-w-node-affinity
Workshop:

Networking - FundamentalRules
1) All Pods cancommunicate with all other Pods withoutNAT
2) All nodescancommunicatewith all Pods (andvice-versa)without NAT.
3) TheIPthataPod seesitself asisthesameIPthatothersseeit as.

Networking - FundamentalsApplied
Containers in apodexist within thesamenetwork namespaceandsharean
IP;allowingfor intrapod communicationoverlocalhost.
Podsaregivenacluster uniqueIPfor thedurationof its lifecycle,butthepods
themselvesarefundamentallyephemeral.
Services aregivenapersistentcluster uniqueIPthatspansthePods lifecycle.
External Connectivity isgenerally handedbyanintegrated cloud provider or
other externalentity (loadbalancer)

Networking -CNI
Networking within Kubernetes is plumbed via the Container Network
Interface(CNI),aninterface betweenacontainerruntime andanetwork
implementation plugin.
Compatible CNI Network Plugins:
● Calico
● Cillium
● Contiv
● Contrail
● Flannel
● GCE
● kube-router
● Multus
● OpenVSwitch
● OVN
● Romana
● Weave

Concepts - Network
Service - Servicesprovide amethodof exposing andconsuming L4 Pod network accessible
resources. Theyuselabel selectorsto mapgroupsof podsandports to acluster-unique virtual
IP.
Ingress - An ingresscontroller is theprimarymethodof exposing acluster service (usually
http) to the outside world. These are load balancers or routers that usually offer SSL
termination,name-basedvirtualhostingetc.

Service
● Acts astheunified methodof accessingreplicated pods.
● Four majorServiceTypes:
○ CluterIP-Exposesserviceonastrictly cluster-internal IP(default)
○ NodePort-Serviceis exposedoneachnode’sIPonastatically
definedport.
○ LoadBalancer -Works in combination with acloudproviderto
exposeaserviceoutsidethecluster onastatic externalIP.
○ ExternalName -usedto referencesendpointsOUTSIDE thecluster
byprovidingastatic internally referencedDNSname.
https://www.katacoda.com/boxboat/courses/kf2/01-services
Workshop:

Ingress Controller
● Deployedasapodtooneormorehosts
● Ingresscontrollers areanexternal
controller with multipleoptions.
○ Nginx
○ HAproxy
○ Contour
○ Traefik
● Specificfeaturesandcontroller specific
configuration is passed through
annotations.
https://www.katacoda.com/boxboat/courses/kf2/03-ingress
Workshop:

Concepts - Storage
Volume - Storagethat istied to the Pod Lifecycle, consumablebyoneor more
containerswithin thepod.
PersistentVolume- A PersistentVolume (PV)represents astorageresource. PVs are
commonly linked to abacking storageresource,NFS,GCEPersistentDisk, RBD etc.andare
provisionedaheadof time.Their lifecycle ishandledindependently fromapod.
PersistentVolumeClaim - A PersistentVolumeClaim(PVC)is arequest for storagethat
satisfiesaset of requirements insteadof mappingto astorageresourcedirectly.Commonly
usedwith dynamicallyprovisionedstorage.
StorageClass - Storageclassesareanabstractionontopof anexternal storageresource.
These will include a provisioner, provisioner configuration parameters as well as a PV
reclaimPolicy.
https://www.katacoda.com/courses/kubernetes/storage-introduction
Workshop:

Concepts -Configuration
ConfigMap - Externalized data stored within kubernetes that can be referenced as a
commandlineargument,environment variable,or injected asafile into avolumemount.Ideal
for separatingcontainerizedapplication fromconfiguration.
Secret- Functionallyidenticalto ConfigMaps, but stored encoded asbase64,andencrypted at
rest (ifconfigured).

ConfigMaps andSecrets
● CanbeusedinPod Config:
○ Injectedasafile
○ Passedasanenvironmentvariable
○ Usedasacontainercommand(requirespassing asenvvar)
https://www.katacoda.com/javajon/courses/kubernetes-fundamentals/configmap-secret
Workshop:

Concepts - Auth and Identity (RBAC)
[Cluster]Role - Roles contain rules that act asaset of permissions that apply verbs like “get”,
“list”,“watch” etc over resources that arescopedto apiGroups.Roles arescopedto namespaces,
andClusterRolesareapplied cluster-wide.
[Cluster]RoleBinding - Grant thepermissionsasdefined in a[Cluster]Role to oneor more
“subjects”whichcanbeauser,group,orservice account.
ServiceAccount- ServiceAccounts provide aconsumableidentity for podsor external
servicesthatinteractwith thecluster directly andarescopedto namespaces.
https://www.katacoda.com/boxboat/courses/kf2/04-misc
Workshop:

[Cluster]Role
● Permissions translate to url
path. With “”defaultingto core
group.
● Resourcesactasitemstherole
shouldbegrantedaccessto.
● Verbsaretheactionstherole
canperform onthereferenced
resources.

[Cluster]RoleBinding
● Canreference multiplesubjects
● Subjectscanbeof kind:
○ User
○ Group
○ ServiceAccount
● roleRef targetsasinglerole only.

What is HELM
• Package manager
• Like yum, apt but for
Kubernetes
• Search and reuse or start from
scratch
• Lifecycle Management
• Create
• Install
• Upgrade/Rollback
• Delete
• Status
• Versioning
• Benefits
• Repeatability
• Reliability
• Multiple environment
• Ease collaboration
• Manage Complexity

Kubernetes Cluster
Helm
Components
• Helm Client
• Command-line client
• Interacts with Tiller Server
• Local chart development
• Tiller Server
• In-cluster
• Listens to the Helm client
• Interacts with Kubernetes APIServer
• Manages the lifecycle
Helm Client TillerServer
gRPC Kubernetes
API Server
REST
https://www.katacoda.com/javajon/c
ourses/kubernetes-pipelines/helm
Workshop:

MINIKUBE
https://www.katacoda.com/javajon/courses/kubernetes-fundamentals/minikube

Deployment From
Beginning toEnd

Kubectl
1)Kubectlperformsclient side
validationonmanifest(linting).
2)Manifestispreparedandserialized
creating aJSON payload.

APIserver Request Loop
3)Kubectl authenticatesto apiserverviax509,jwt,
http authproxy,otherplugins,or http-basic auth.
4)Authorization iteratesoveravailableAuthZ
sources:Node,ABAC, RBAC,or webhook.
5)AdmissionControlchecksresourcequotas,
othersecurityrelatedchecksetc.
6)Requestisstoredinetcd.
7)Initializersaregiven opportunityto mutate requestbeforethe objectispublished.
8)Requestispublishedonapiserver.

Deployment Controller
9)Deployment Controller isnotified of thenew
Deployment viacallback.
10)Deployment Controller evaluatescluster stateand
reconciles the desired vs current state and forms a
request for thenewReplicaSet.
11)apiserver request loopevaluatesDeployment
Controllerrequest.
12)ReplicaSet ispublished.

ReplicaSet Controller
13)ReplicaSetController isnotified of thenewReplicaSet
viacallback.
14)ReplicaSet Controller evaluates cluster state and
reconciles thedesiredvscurrentstateandformsarequest
for thedesiredamountof pods.
15)apiserver request loopevaluatesReplicaSet
Controllerrequest.
16)Podspublished, andenter ‘Pending’ phase.

Scheduler
17)Schedulermonitorspublished podswith no
‘NodeName’ assigned.
18)Appliesschedulingrulesandfilters to find a
suitablenodeto host thePod.
19)Schedulercreatesabinding of Pod to Node and
POSTs toapiserver.
20)apiserver request loopevaluatesPOST request.
21)Pod statusisupdatedwith nodebinding andsets
status to‘PodScheduled’.

Kubelet -PodSync
22)Thekubelet daemononeverynodepollstheapiserver filtering
for podsmatchingits own‘NodeName’; checkingits currentstate
with thedesiredstatepublished throughtheapiserver.
23)Kubelet will thenmovethroughaseries of internal processesto
prepare the pod environment. This includes pulling secrets,
provisioningstorage,applyingAppArmorprofiles andothervarious
scaffolding. During this period,it will asynchronouslybePOST’ing
the ‘PodStatus’ to the apiserver through the standard apiserver
request loop.

Pause and Plumbing
24)Kubelet thenprovisionsa‘pause’containerviathe
CRI (Container RuntimeInterface). The pausecontainer
actsastheparent containerfor thePod.
25)The network is plumbed to the Pod via the CNI
(Container Network Interface),creating aveth pair
attached to the pause container and to acontainer
bridge (cbr0).
26)IPAM handledbytheCNI plugin assignsanIPto the
pausecontainer.

Kubelet - Create
Containers
24)Kubelet pullsthecontainerImages.
25)Kubelet first creates andstartsanyinit containers.
26)Oncetheoptional init containerscomplete,the
primarypodcontainersarestarted.

Pod Status
27)Ifthere areanyliveless/readiness probes,theseareexecuted beforethe
PodStatus isupdated.
28)Ifall completesuccessfully,PodStatusis set to readyandthecontainer
has startedsuccessfully.
ThePodisDeployed!

Resources:
1. https://www.slideshare.net/BobKillen?utm_campaign=profiletracking&ut
m_medium=sssite&utm_source=ssslideview
2. https://www.katacoda.com/
3. https://kubernetes.io/

Kubernetes 101 for Beginners

More Related Content

What's hot

Similar to Kubernetes 101 for Beginners

Recently uploaded

Kubernetes 101 for Beginners

Editor's Notes