Kubernetes

 Posted on October 15, 2024  |  

Introduction

Kubernetes (k8s) is an open-source container orchestration platform that automates the deployment, scaling, and management of containerized applications.

Kubernetes Architecture

Masters

The master node manages the Kubernetes cluster. It coordinates all activities, such as scheduling, scaling, and updating applications.

  • Components:
    • API Server: The front-end of the Kubernetes control plane.
    • etcd: A distributed key-value store for configuration data.
    • Controller Manager: Manages controllers that handle routine tasks.
    • Scheduler: Assigns workloads to nodes based on resource availability and policies.

Nodes

Worker nodes run the containerized applications. Each node contains the necessary services to run Pods and communicate with the master node.

  • Components:
    • kubelet: Ensures containers are running in a Pod.
    • kube-proxy: Manages network routing for Kubernetes services.
    • Container Runtime: Software responsible for running containers (e.g., Docker, containerd).

Components

Understanding the architecture is crucial for effective cluster management and troubleshooting.

Setup and Installation

Prerequisites

  • Operating System: Linux distributions are commonly used.
  • Hardware Requirements: Adequate CPU, memory, and storage.
  • Networking: Proper network configuration for node communication.

Installation Methods

Minikube

Ideal for local development and testing.

# Install Minikube
curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
sudo install minikube-linux-amd64 /usr/local/bin/minikube

# Start Minikube
minikube start

kubeadm

Suitable for setting up production-grade clusters.

# Initialize Master Node
sudo kubeadm init --pod-network-cidr=10.244.0.0/16

# Set up Kubernetes configuration
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

# Install a Pod network (e.g., Flannel)
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

Managed Kubernetes Services

Managed services simplify cluster setup and management.

  • Options:
    • Google Kubernetes Engine (GKE)
    • Amazon Elastic Kubernetes Service (EKS)
    • Azure Kubernetes Service (AKS)
    • Alibaba Cloud Container Service

Core Concepts

Pods

The smallest deployable units in Kubernetes, representing a single instance of a running process.

  • Features:
    • Can contain one or more containers.
    • Share storage, network, and specifications.

Services

Define a logical set of Pods and a policy to access them.

  • Types:
    • ClusterIP: Internal access within the cluster.
    • NodePort: Exposes the service on each node’s IP at a static port.
    • LoadBalancer: Exposes the service externally using a cloud provider’s load balancer.
    • ExternalName: Maps a service to a DNS name.

Deployments

Provide declarative updates for Pods and ReplicaSets.

  • Features:
    • Manage rolling updates and rollbacks.
    • Ensure desired state is maintained.

ReplicaSets

Ensure a specified number of Pod replicas are running at any given time.

Namespaces

Provide a way to divide cluster resources between multiple users.

  • Use Cases:
    • Environment segregation (e.g., dev, staging, production).
    • Resource isolation.

ConfigMaps and Secrets

  • ConfigMaps: Store non-confidential configuration data.
  • Secrets: Store sensitive information such as passwords and tokens.

Best Practices

Resource Management

Resource Requests and Limits

Define resource requirements to optimize scheduling and prevent resource contention.

resources:
  requests:
    memory: "64Mi"
    cpu: "250m"
  limits:
    memory: "128Mi"
    cpu: "500m"

Auto-scaling

Utilize Kubernetes’ auto-scaling features to handle varying workloads.

  • Horizontal Pod Autoscaler (HPA)

    apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: hpa-example
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: myapp
  minReplicas: 2
  maxReplicas: 10
  targetCPUUtilizationPercentage: 80

  • Vertical Pod Autoscaler (VPA)

  • Cluster Autoscaler

Naming Conventions

Maintain consistent and descriptive names for resources.

  • Format: <project>-<component>-<environment>-<instance>
  • Example: webapp-api-prod-1

Configuration Management

Store configurations separately using ConfigMaps and Secrets to maintain flexibility and security.

Version Control

Manage Kubernetes manifests using version control systems like Git to track changes and enable collaboration.

Security Best Practices

RBAC (Role-Based Access Control)

Control access to Kubernetes resources by defining roles and role bindings.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

Network Policies

Define how Pods communicate with each other and other network endpoints.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}

Pod Security Policies

Enforce security standards for Pods, such as restricting privileged containers.

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  fsGroup:
    rule: RunAsAny

Image Security

  • Use Trusted Images: Pull images from reputable sources.
  • Scan for Vulnerabilities: Use tools like Trivy or Clair.
  • Avoid Running as Root: Define non-root users in Dockerfiles.

Secrets Management

Use Kubernetes Secrets to manage sensitive data securely.

apiVersion: v1
kind: Secret
metadata:
  name: db-secret
type: Opaque
data:
  username: YWRtaW4=  # base64 encoded
  password: MWYyZDFlMmU2N2Rm

Networking

Service Types

  • ClusterIP: Default type; accessible only within the cluster.
  • NodePort: Exposes the service on each node’s IP at a static port.
  • LoadBalancer: Integrates with cloud provider load balancers.
  • ExternalName: Maps the service to an external DNS name.

Ingress Controllers

Manage external access to services, typically HTTP.

  • Popular Ingress Controllers:
    • NGINX Ingress Controller
    • Traefik
    • HAProxy
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 80

DNS Management

Kubernetes provides internal DNS for service discovery. Ensure proper DNS setup for ClusterDNS.

Service Mesh

Implement advanced networking features like traffic management, security, and observability.

  • Popular Service Meshes:
    • Istio
    • Linkerd
    • Consul Connect

Storage Management

Persistent Volumes (PVs) and Persistent Volume Claims (PVCs)

Use PVs and PVCs to manage storage resources dynamically.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-example
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi

Storage Classes

Define different storage backends and reclaim policies.

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: fast
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp2

Data Backup and Restore

Implement backup strategies for persistent data using tools like Velero or Kasten.

Monitoring and Logging

Monitoring Tools

  • Prometheus: Metrics collection and alerting.
  • Grafana: Visualization of metrics.
  • Kube-state-metrics: Kubernetes specific metrics.

Logging Solutions

  • ELK Stack (Elasticsearch, Logstash, Kibana)
  • Fluentd
  • Graylog
  • Loki

Alerting

Set up alerts for critical metrics and events using Alertmanager or integrated tools with Prometheus.

Deployment Strategies

Rolling Updates

Gradually replace Pods with new ones to ensure zero downtime.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: rolling-update-deployment
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
      maxSurge: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp-container
        image: myapp:v2

Blue/Green Deployments

Maintain two environments (blue and green) and switch traffic between them during updates.

Canary Releases

Deploy new versions to a subset of users to monitor performance before a full rollout.

CI/CD Integration

Automated Builds and Deployments

Integrate Kubernetes with CI/CD pipelines for automated testing and deployment.

  • Tools: Jenkins, GitLab CI/CD, GitHub Actions, Argo CD
# Example GitHub Actions Workflow
name: CI/CD Pipeline

on:
  push:
    branches: [ main ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Build Docker Image
      run: docker build -t myapp:${{ github.sha }} .
    - name: Push to Registry
      run: docker push myapp:${{ github.sha }}
  
  deploy:
    runs-on: ubuntu-latest
    needs: build
    steps:
    - name: Deploy to Kubernetes
      uses: appleboy/k8s-action@v1.0.0
      with:
        kubeconfig: ${{ secrets.KUBECONFIG }}
        args: kubectl set image deployment/myapp-deployment myapp=myapp:${{ github.sha }}

GitOps

Adopt Git-centric workflows using tools like Argo CD or Flux to manage deployments declaratively.

Troubleshooting Tips

Common Issues

  • Pod Failing to Start: Check events and logs.
  • Service Unreachable: Verify Service and Ingress configurations.
  • Resource Limits Exceeded: Adjust requests and limits.

Debugging Tools

  • kubectl: Interact with Kubernetes clusters.
    • kubectl describe pod <pod-name>
    • kubectl logs <pod-name>
    • kubectl exec -it <pod-name> -- /bin/bash
  • k9s: Terminal UI to manage Kubernetes clusters.
  • Lens: Kubernetes IDE for visual management.

Examples

Sample Deployment YAML

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deployment
  labels:
    app: myapp
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp-container
        image: myapp:1.0.0
        ports:
        - containerPort: 80
        env:
        - name: ENVIRONMENT
          value: "production"
        resources:
          requests:
            memory: "64Mi"
            cpu: "250m"
          limits:
            memory: "128Mi"
            cpu: "500m"

Sample Service YAML

apiVersion: v1
kind: Service
metadata:
  name: myapp-service
spec:
  selector:
    app: myapp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  type: LoadBalancer

Happy Orchestrating! 🚀

SystemDesign