Table of Contents
Core Kubernetes by Jay Vyas and Chris Love
Table of Contents
brief contents
3 Kubernetes - Let’s build a Pod
4 Kubernetes - Using cgroups for processes in our Pods
5 Kubernetes - CNIS and providing the Pod with a network
6 Kubernetes Troubleshooting large-scale network errors
7 Kubernetes Pod storage and the CSI
8 Kubernetes Storage implementation and modeling
9 Kubernetes - Running Pods - How the kubelet works
12 Kubernetes etcd and the control plane
13 Kubernetes Container and Pod security
14 Kubernetes Nodes and security
15 Kubernetes Installing applications
contents
Front matter
preface
acknowledgments
about this book
about the authors
about the cover illustration
1 Why Kubernetes exists
1.1 Reviewing a few key terms before we get started
1.2 The infrastructure drift problem and Kubernetes
1.3 Containers and images
1.4 Core foundation of Kubernetes
All infrastructure rules in Kubernetes are managed as plain YAML
1.5 Kubernetes features
1.6 Kubernetes components and architecture
The Kubernetes API
Example one: An online retailer
Example two: An online giving solution
1.7 When not to use Kubernetes
2 Why the Pod?
2.1 An example web application
Infrastructure for our web application
Operational requirements
2.2 What is a Pod?
A bunch of Linux namespaces
Kubernetes, infrastructure, and the Pod
The Node API object
Our web application and the control plane
2.3 Creating a web application with kubectl
The Kubernetes API server: kube-apiserver
The Kubernetes scheduler: kube-scheduler
Infrastructure controllers
2.4 Scaling, highly available applications, and the control plane
Autoscaling
Cost management
3 Let’s build a Pod
3.1 Looking at Kubernetes primitives with kind
3.2 What is a Linux primitive?
Linux primitives are resource management tools
Everything is a file (or a file descriptor)
Files are composable
Setting up kind
3.3 Using Linux primitives in Kubernetes
The prerequisites for running a Pod
Running a simple Pod
Exploring the Pod’s Linux dependencies
3.4 Building a Pod from scratch
Creating an isolated process with chroot
Using mount to give our process data to work with
Securing our process with unshare
Creating a network namespace
Checking whether a process is healthy
Adjusting CPU with cgroups
Creating a resources stanza
3.5 Using our Pod in the real world
The networking problem
Utilizing iptables to understand how kube-proxy implements Kubernetes services
Using the kube-dns Pod
Considering other issues
4 Using cgroups for processes in our Pods
4.1 Pods are idle until the prep work completes
4.2 Processes and threads in Linux
systemd and the init process
cgroups for our process
Implementing cgroups for a normal Pod
4.3 Testing the cgroups
4.4 How the kubelet manages cgroups
4.5 Diving into how the kubelet manages resources
Why can’t the OS use swap in Kubernetes?
Hack: The poor man’s priority knob
Hack: Editing HugePages with init containers
QoS classes: Why they matter and how they work
Creating QoS classes by setting resources
4.6 Monitoring the Linux kernel with Prometheus, cAdvisor, and the API server
Metrics are cheap to publish and extremely valuable
Why do I need Prometheus?
Creating a local Prometheus monitoring service
Characterizing an outage in Prometheus
5 CNIS and providing the Pod with a network
5.1 Why we need software-defined networks in Kubernetes
5.2 Implementing the service side of the Kubernetes SDN: The kube-proxy
The kube-proxy’s data plane
What about NodePorts?
5.3 CNI providers
5.4 Diving into two CNI networking plugins: Calico and Antrea
The architecture of a CNI plugin
Let’s play with some CNIs
Installing the Calico CNI provider
Kubernetes networking with OVS and Antrea
A note on CNI providers and kube-proxy on different OSs
6 Troubleshooting large-scale network errors
6.1 Sonobuoy: A tool for confirming your cluster is functioning
Tracing data paths for Pods in a real cluster
Setting up a cluster with the Antrea CNI provider
6.2 Inspecting CNI routing on different providers with the arp and ip commands
What is an IP tunnel and why do CNI providers use them?
How many packets are flowing through the network interfaces for our CNI?
Routes
CNI-specific tooling: Open vSwitch (OVS)
Tracing the data path of active containers with tcpdump
6.3 The kube-proxy and iptables
iptables-save and the diff tool
Looking at how network policies modify CNI rules
How are these policies implemented?
6.4 Ingress controllers
Setting up Contour and kind to explore ingress controllers
Setting up a simple web server Pod
7 Pod storage and the CSI
7.1 A quick detour: The virtual filesystem (VFS) in Linux
7.2 Three types of storage requirements for Kubernetes
7.3 Let’s create a PVC in our kind cluster
7.4 The container storage interface (CSI)
The in-tree provider problem
CSI as a specification that works inside of Kubernetes
CSI: How a storage driver works
Bind mounting
7.5 A quick look at a few running CSI drivers
The controller
The node interface
CSI on non-Linux OSs
8 Storage implementation and modeling
8.1 A microcosm of the broader Kubernetes ecosystem: Dynamic storage
Managing storage on the fly: Dynamic provisioning
Local storage compared with emptyDir
PersistentVolumes
CSI (container storage interface)
8.2 Dynamic provisioning benefits from CSI but is orthogonal
Storage classes
Back to the data center stuff
8.3 Kubernetes use cases for storage
Secrets: Sharing files ephemerally
8.4 What does a dynamic storage provider typically look like?
8.5 hostPath for system control and/or data access
hostPaths, CSI, and CNI: A canonical use case
Cassandra: An example of real-world Kubernetes application storage
Advanced storage functionality and the Kubernetes storage model
8.6 Further reading
9 Running Pods: How the kubelet works
9.1 The kubelet and the node
9.2 The core kubelet
Container runtimes: Standards and conventions
The kubelet configurations and its API
9.3 Creating a Pod and seeing it in action
Starting the kubelet binary
After startup: Node life cycle
Leasing and locking in etcd and the evolution of the node lease
The kubelet’s management of the Pod life cycle
CRI, containers, and images: How they are related
The kubelet doesn’t run containers: That’s the CRI’s job
Pause container: An “aha” moment
9.4 The Container Runtime Interface (CRI)
Telling Kubernetes where our container runtime lives
The CRI routines
The kubelet’s abstraction around CRI: The GenericRuntimeManager
How is the CRI invoked?
9.5 The kubelet’s interfaces
The Runtime internal interface
How the kubelet pulls images: The ImageService interface
Giving ImagePullSecrets to the kubelet
9.6 Further reading
10 DNS in Kubernetes
10.1 A brief intro to DNS (and CoreDNS)
NXDOMAINs, A records, and CNAME records
Pods need internal DNS
10.2 Why StatefulSets instead of Deployments?
DNS with headless services
Persistent DNS records in StatefulSets
Using a polyglot deployment to explore Pod DNS properties
10.3 The resolv.conf file
A quick note about routing
CoreDNS: The upstream resolver for the ClusterFirst Pod DNS
Hacking the CoreDNS plugin configuration
11 The core of the control plane
11.1 Investigating the control plane
11.2 API server details
API objects and custom API objects
Custom resource definitions (CRDs)
Scheduler details
Recap of scheduling
11.3 The controller manager
Storage
Service accounts and tokens
11.4 Kubernetes cloud controller managers (CCMs)
11.5 Further reading
12 etcd and the control plane
12.1 Notes for the impatient
Visualizing etcd performance with Prometheus
Knowing when to tune etcd
Example: A quick health check of etcd
etcd v3 vs. v2
12.2 etcd as a data store
The watch: Can you run Kubernetes on other databases?
Strict consistency
fsync operations make etcd consistent
12.3 Looking at the interface for Kubernetes to etcd
12.4 etcd’s job is to keep the facts straight
The etcd write-ahead log
Effect on Kubernetes
12.5 The CAP theorem
12.6 Load balancing at the client level and etcd
Size limitations: What (not) to worry about
12.7 etcd encryption at rest
12.8 Performance and fault tolerance of etcd at a global scale
12.9 Heartbeat times for a highly distributed etcd
12.10 Setting an etcd client up on a kind cluster
Running etcd in non-Linux environments
13 Container and Pod security
13.1 Blast radius
Vulnerabilities
Intrusion
13.2 Container security
Plan to update containers and custom software
Container screening
Container users—do not run as root
Use the smallest container
Container provenance
Linters for containers
13.3 Pod security
Security context
Escalated permissions and capabilities
Pod Security Policies (PSPs)
Do not automount the service account token
Root-like Pods
The security outskirts
14 Nodes and Kubernetes security
14.1 Node security
TLS certificates
Immutable OSs vs. patching nodes
Isolated container runtimes
Resource attacks
CPU units
Memory units
Storage units
Host networks vs. Pod networks
Pod example
14.2 API server security
Role-based access control (RBAC)
RBAC API definition
Resources and subresources
Subjects and RBAC
Debugging RBAC
14.3 Authn, Authz, and Secrets
IAM service accounts: Securing your cloud APIs
Access to cloud resources
Private API servers
14.4 Network security
Network policies
Load balancers
Open Policy Agent (OPA)
Multi-tenancy
14.5 Kubernetes tips
15 Installing applications
15.1 Thinking about apps in Kubernetes
Application scope influences what tools you should use
15.2 Microservice apps typically require thousands of lines of configuration code
15.3 Rethinking our Guestbook app installation for the real world
15.4 Installing the Carvel toolkit
Part 1: Modularizing our resources into separate files
Part 2: Patching our application files with ytt
Part 3: Managing and deploying Guestbook as a single application
Part 4: Constructing a kapp Operator to package and manage our application
15.5 Revisiting the Kubernetes Operator
15.6 Tanzu Community Edition: An end-to-end example of the Carvel toolkit
index