Tuesday, July 28, 2020

Placement of arguments matters - in a few commands

--

For a command like podman, where an argument is placed matters.

For example:
 podman run -it 5a934bfaaf12 /bin/bash

This works.

--

If you run the command like
podman run 5a934bfaaf12 -it /bin/bash
it fails, because "-it" comes after the image hash and is no longer read as an option.

It fails saying:
Error: container_linux.go:345: starting container process caused "exec: \"-it\": executable file not found in $PATH": OCI runtime error
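To show where each token ends up, here is an added shell model of the split (my own example, not from the post and not podman's code). It assumes the simplified rule that tokens starting with "-" are options only until the first non-option token, which is taken as the image, and that everything after the image is the command run inside the container. Options that take a separate value (like -v SRC:DST) are not modelled; use the --flag=value form with it.

```shell
# Added example: model of how "podman run" splits its argument list.
# Options are only recognised before the image; the first non-option token
# is the image and everything after it is the container command. That is
# why a late "-it" turns into the executable name in the error above.
# Assumption: options never take a separate value token here.
podman_run_split() {
  # $@ : the arguments that would follow "podman run"
  flags=""; image=""; cmd=""
  for tok in "$@"; do
    if [ -z "$image" ]; then
      case "$tok" in
        -*) flags="$flags $tok" ;;   # still before the image: an option
        *)  image="$tok" ;;          # first non-option token: the image
      esac
    else
      cmd="$cmd $tok"                # after the image: container command
    fi
  done
  printf 'flags:%s\nimage: %s\ncommand:%s\n' "$flags" "$image" "$cmd"
}

# Return only the command part, i.e. what the container would try to exec
podman_run_command() {
  podman_run_split "$@" | sed -n 's/^command: *//p'
}

# Usage: podman_run_split -it 5a934bfaaf12 /bin/bash   -> command: /bin/bash
#        podman_run_split 5a934bfaaf12 -it /bin/bash   -> command: -it /bin/bash
```

Run it with both orderings from the post: in the second one the command part starts with "-it", which is exactly the executable the runtime could not find.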

--

Saturday, July 25, 2020

Friday, July 24, 2020

Password prompted with update in sudoers file


Password still prompted in spite of an update in the sudoers file?



Check every comment you wrote for a space between # and the first word. 
Without a space between # and the first word it may no longer be treated as a comment. 

By opening it with gvim, I identified the issue. 
Need to be extra cautious even when you put in a simple comment :)

I had a rule updated in the "includedir /etc/sudoers.d" directory and it was improperly commented. 
With proper commenting (adding a space) it is fixed. 
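The cases where sudo does not treat a leading # as a comment are #include, #includedir and # directly followed by digits (a numeric UID). The lint below, an added example of mine and not part of the post, flags those plus the "no space after #" pattern described above, using a sample file constructed in the script. The authoritative syntax check is visudo -c -f FILE (needs root), which is noted in a comment.

```shell
# Added example: lint a sudoers fragment for "#" lines sudo will not read as
# comments. Prints each suspicious line; returns 1 if anything was flagged.
sudoers_comment_lint() {
  # $1: path to a sudoers file or a fragment from /etc/sudoers.d
  awk '
    /^[[:space:]]*#[0-9]/ { print FILENAME ":" NR ": numeric UID, not a comment: " $0; bad=1; next }
    /^[[:space:]]*#include(dir)?([[:space:]]|$)/ { print FILENAME ":" NR ": include directive, not a comment: " $0; bad=1; next }
    /^[[:space:]]*#[^[:space:]#]/ { print FILENAME ":" NR ": no space after #, double-check: " $0; bad=1 }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Constructed sample: a proper comment, a "comment" with no space after #,
# a numeric-UID line and a real rule. Two lines should be flagged.
sudoers_lint_demo() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
# deploy user may restart the web service
#deploy ALL=(root) NOPASSWD: /bin/systemctl restart httpd
#1000 ALL=(ALL) ALL
deploy ALL=(root) NOPASSWD: /bin/systemctl restart httpd
EOF
  if sudoers_comment_lint "$f"; then rc=0; else rc=1; fi
  # Final check before installing the fragment (needs root):
  #   visudo -c -f "$f"
  rm -f "$f"
  return $rc
}

# Constructed clean sample: nothing should be flagged.
sudoers_lint_clean_demo() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
# deploy user may restart the web service
deploy ALL=(root) NOPASSWD: /bin/systemctl restart httpd
EOF
  if sudoers_comment_lint "$f"; then rc=0; else rc=1; fi
  rm -f "$f"
  return $rc
}
```

Run sudoers_comment_lint against each file in /etc/sudoers.d before trusting a commented-out rule; a flagged line means sudo may still parse it.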

Thursday, July 23, 2020

Kubernetes concepts

Topics covered: 


Kubernetes components

Kubernetes building blocks

Namespace

Batch job

Configmap secrets

Ingress controller

Application health checks

Advanced kubernetes scheduling

Statefulsets

Advanced volume management

Role based access control

Quota management 

Helm

Custom resource definition

Logging and Debugging

Monitoring with Prometheus

Istio

CICD

Microservice tracing

==
Kubeadm 


kubeadm reset - resets the node state

To print the join command again (the last output of kubeadm init):
kubeadm token create --print-join-command
==

Kubernetes components

API server
ETCD
Scheduler
Controller manager
Node

==

API server 
All administrative tasks are performed via the API server. 
The user/operator sends REST commands to the API server, which validates and processes 
the requests.
--

ETCD
Key-value store where the cluster state is stored. 
Runs either with the master or as an externally configured cluster.
--
Scheduler
Schedules work onto the different worker nodes.

Example: schedule work on a node where the label disk=ssd is set.

Works in terms of pods and services.
-- 
Controller manager:

Runs all the controllers. 
  • Node controller
  • Replication controller
  • Endpoints controller
  • Service account and Token controllers
--
Cloud Controller manager 
  Manage the underlying cloud provider. 

  Loadbalancer / EBS volumes in AWS. 
--
Node
3 main components
  • Kubelet
  • Kube-proxy
  • Container runtime
--
Kubelet
Takes the set of podspecs that are provided through various mechanisms and 
ensures the containers in those podspecs are running and healthy.
--
Kube-proxy
Helps in providing the k8s service abstraction.
  • Maintains network rules and forwards incoming connections

--
Container runtime
  • Main software responsible for running containers.

--
Ports used by kubernetes components:

4149 / TCP Kubelet
10250/TCP kubelet
10255/TCP  kubelet
9099/TCP calico-felix
6443/TCP  kube-apiserver
--

Static pods - system pods 
  • Pods not under the control of API server 

/etc/kubernetes/manifest/ <static pods> 
  • Make use of static ip - hostnetwork - 

1 vcpu  - 1000 millicores

/etc/kubernetes/admin.config

--
// to delete (reset the node state)
kubeadm reset

// on the master
kubeadm init

// from the worker node
kubeadm join


// point kubectl at a specific kubeconfig
kubectl --kubeconfig=/path/to/config

export KUBECONFIG=/tmp/config 


// default
~/.kube/config

--

Frontend + backend -> different types of scaling -> so separate pods are better.

Multiple containers in a pod -> login + transaction - complementary in nature, run together.

IP is per pod (not container).

CNI plugins

apis/<group>/<version>/<resource>

// to view configuration
kubectl config view

// create / modify existing
kubectl apply 
--


Kubernetes Building blocks

  • Pods
  • Replicasets
  • Deployments
  • Labels, selectors, Annotation
    • Annotations like label but 'without selector'
  • Services
    • - not tied to deployment 
  • Daemonsets
    • On each node 
    • No replica count - only one on a node
    • Used in monitoring logging

Namespaces

Way to divide the cluster resources between multiple users.

Name of resources are unique within the namespace. (means different namespace you can use same name).


Batch jobs

One or more pods successfully run and then terminate.

Deleting the job -> cleanup the pods created by it.



Configmaps and secrets: 

Configmaps are designed to work more conveniently with data
that does not contain sensitive information.

Key-value pairs.

Can be used as

  • Environment variables
  • Command line args for a container.
  • Config files in a volume

Configmaps as volumes.


Secrets:
Store and manage sensitive information like credentials and encryption keys.

Image pull secret

Ingress controllers:

Services and pods have IPs only routable by the cluster network.

An Ingress is a collection of rules that allow inbound connections to reach the cluster services.

  • Can be configured to give services externally :
    • Reachable URLs
    • Load balance traffic
    • Terminate SSL
    • Name based virtual hosting.

kind: Ingress


example.com/b
example.com/g

b.example.com/
g.example.com/

Example:  
https://github.com/kubernetes-sigs/aws-alb-ingress-controller


Application health checks

Liveness probe

Readiness probe

Scheduling 

Schedule work (pods) onto computing resources (nodes)

// It is not about running the pod, that is the kubelet's job.

Assigning pod to a node.

Pod auto scaling:
Horizontal pod autoscaling
Custom metrics

Graceful shutdown 
Prestop and termination grace period
Drain node

Pod affinity and anti-affinity

Pod disruption budget

Blue green and canary deployment

Taint toleration

Network policy

Statefulset

For stateful workloads like databases.

Manages deployment and scaling of the pods in an ordered manner by maintaining a unique, sticky
identity for each of their pods.

Statefulsets manage pods that are based on an identical container spec.

Pods in a statefulset are not interchangeable.
Each pod has a persistent identifier that it maintains across scheduling.

kind: StatefulSet


  • Pod name does not change
  • Order in which pods comes up


Storage management

PV

PVC 

dynamic provisioning

Storage classes

Subpath 
Allows you to mount multiple volumes inside the same directory.
Also, mounting a single volume multiple times with different sub-paths.


Role Based Access control (RBAC)


User -> Authentication -> Authorization -> Admission control (valid request ?) -> k8s objects

Users - not first class citizens in k8s.

  • Normal users
  • Service account

A service account named "default" gets created when we create a namespace.

User defined service accounts can be created as well, which we can attach to the pod running in the same namespace.

Dashboard needs special access to the API server -> needs a service account

--
Context ->  Cluster  + User 

kubectl config get-contexts

kubectl config use-context <context name>
--

Operations possible with kubectl:
  • Create
  • Get
  • Delete
  • List
  • Update
  • Edit
  • Patch
  • Watch


RBAC roles
  • Role  - only for namespace
  • ClusterRole - cluster wide

  • RoleBinding - namespace
  • ClusterRoleBinding - cluster wide


Rolebinding  -> grants permission defined in a role to a user or a set of users.
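As an added example (mine, not from these notes), the shell functions below emit a namespace-scoped, read-only Role and the RoleBinding that grants it to a service account, and run a small audit over RBAC YAML that flags wildcard grants and bindings to cluster-admin. The namespace "dev", service account "app-reader" and role name "pod-reader" are assumed names for illustration.

```shell
# Added example: least-privilege Role + RoleBinding (namespace scoped, not
# ClusterRole/ClusterRoleBinding) for a service account, plus an audit.
# Apply with: rbac_manifest dev app-reader | kubectl apply -f -
rbac_manifest() {
  ns=$1; sa=$2   # assumed names, e.g. "dev" and "app-reader"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: ${ns}
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: ${ns}
  name: ${sa}-pod-reader
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Reads RBAC YAML on stdin; prints each risky line, exits 1 if any found.
# Flags wildcard apiGroups/resources/verbs and any roleRef to cluster-admin.
rbac_audit() {
  awk '
    /apiGroups:.*"\*"/ || /resources:.*"\*"/ || /verbs:.*"\*"/ { print "wildcard grant: " $0; bad=1 }
    /name: cluster-admin/ { print "binds cluster-admin: " $0; bad=1 }
    END { exit bad ? 1 : 0 }'
}

# Constructed over-broad sample for comparison: three wildcard lines.
rbac_overbroad_sample() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: do-everything
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
EOF
}

# Usage: rbac_manifest dev app-reader | rbac_audit      -> exit 0, nothing printed
#        rbac_overbroad_sample | rbac_audit             -> exit 1, three lines
```

After applying, confirm the effective permissions from the cluster side with kubectl auth can-i list pods --as=system:serviceaccount:dev:app-reader -n dev, and the same for a verb the role does not grant, which should answer no.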


Quota Resource limits

Resources request

Resource Limit

OOM killer

Resource Quota namespace

Storage limit

Default memory limits and requests

Quotas for API objects




--
Helm 

- the yum of the k8s world.

Manage kubernetes applications. 
Define, install and upgrade complex k8s applications.

Helm charts are easy to create, version, share and publish.

--

CRD

CustomResourceDefinitions (CRD) -> plugging in your own managed object and application
as if it were a native k8s component. 

kubectl can be used to manage.

Custom controllers. 
  • Can work with any resources, but effective with custom resources.

logging and Debugging

kubectl logs and exec

kubectl logs <podname > -c <container name>

kubectl get events

kubectl describe pod <podname>


/var/log/containers/kube-controller-manager….log

journalctl -fu kubelet

kubectl --v=6 get pods    // verbose output

v=7, v=8 give more verbose output


Monitoring with Prometheus

==
Istio

  • Service mesh which provides platform to connect, manage and secure microservices

Network of deployed services with load balancing, service to service authentication, monitoring and more.

It works by deploying a special sidecar proxy along with each service that tracks all network communication
between microservices. 

Sidecars are configured and managed by Istio’s control plane functionality.
==

Traffic shifting:
70% and 30% to two different services.

Istio virtual service
Istio rule


Retry logic

Number of retry attempts for an HTTP request
Maximum number of retries with the default or overridden timeout period.

https://istio.io/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports


==

CICD

CircleCI
CircleCI workflow

ArgoCD
ArgoCD manifest

==