brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: improved readibility

Browse Source
This commit is contained in:
Michele Cereda
2023-12-08 20:02:38 +01:00
parent cda6227f65
commit 005a2ee265
1 changed files with 20 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
knowledge base/kubernetes/README.md
View File

@@ -8,7 +8,6 @@ Hosted by the [Cloud Native Computing Foundation][cncf].
1. [Basics](#basics) 1. [Basics](#basics)
1. [The control plane](#the-control-plane) 1. [The control plane](#the-control-plane)
1. [The API server](#the-api-server) 1. [The API server](#the-api-server)
1. [`etcd`](#etcd)
1. [`kube-scheduler`](#kube-scheduler) 1. [`kube-scheduler`](#kube-scheduler)
1. [`kube-controller-manager`](#kube-controller-manager) 1. [`kube-controller-manager`](#kube-controller-manager)
1. [`cloud-controller-manager`](#cloud-controller-manager) 1. [`cloud-controller-manager`](#cloud-controller-manager)
@@ -47,9 +46,10 @@ Hosted by the [Cloud Native Computing Foundation][cncf].
When using Kubernetes, one is using a cluster. When using Kubernetes, one is using a cluster.
Kubernetes clusters consist of one or more hosts (_nodes_) executing containerized applications. In cloud environments, nodes are also available in grouped sets (_node pools_) capable of automatic scaling. Kubernetes clusters consist of one or more hosts (_nodes_) executing containerized applications.<br/>
In cloud environments, nodes are also available in grouped sets (_node pools_) capable of automatic scaling.
Nodes host the application workloads in the form of _pods_. Nodes host application workloads in the form of [_pods_][pods].
The [_control plane_](#the-control-plane) manages the nodes and the pods in the cluster. It is itself a set of pods which expose the APIs and interfaces used to define, deploy, and manage the lifecycle of the cluster's resources.<br/> The [_control plane_](#the-control-plane) manages the nodes and the pods in the cluster. It is itself a set of pods which expose the APIs and interfaces used to define, deploy, and manage the lifecycle of the cluster's resources.<br/>
In higher environments, the control plane usually runs across multiple **dedicated** nodes to provide improved fault-tolerance and high availability. In higher environments, the control plane usually runs across multiple **dedicated** nodes to provide improved fault-tolerance and high availability.
@@ -64,7 +64,8 @@ Detects and responds to cluster events (like starting up a new pod when a deploy
The control plane is composed by: The control plane is composed by:
- [the API server](#the-api-server); - [the API server](#the-api-server);
- [`etcd`](#etcd); - The _distributed store_ for the cluster's configuration data.<br/>
The current store of choice is [`etcd`][etcd].
- [the scheduler](#kube-scheduler); - [the scheduler](#kube-scheduler);
- [the cluster controller](#kube-controller-manager); - [the cluster controller](#kube-controller-manager);
- [the cloud controller](#cloud-controller-manager). - [the cloud controller](#cloud-controller-manager).
@@ -91,11 +92,6 @@ The Kubernetes API can be extended:
- using _custom resources_ to declaratively define how the API server should provide your chosen resource API, or - using _custom resources_ to declaratively define how the API server should provide your chosen resource API, or
- extending the Kubernetes API by implementing an aggregation layer. - extending the Kubernetes API by implementing an aggregation layer.
### `etcd`
`etcd` is a consistent and highly-available key-value store used as Kubernetes' backing store for all cluster data.<br/>
See its [website][etcd] for more information.
### `kube-scheduler` ### `kube-scheduler`
Detects newly created pods with no assigned node, and selects one for them to run on. Detects newly created pods with no assigned node, and selects one for them to run on.
@@ -169,7 +165,7 @@ See [addons] for an extended list of the available addons.
## Workloads ## Workloads
Workloads consist of groups of containers (_pods_) and a specification for how to run them (_manifest_).<br/> Workloads consist of groups of containers ([_pods_][pods]) and a specification for how to run them (_manifest_).<br/>
Configuration files are written in YAML (preferred) or JSON format and are composed of: Configuration files are written in YAML (preferred) or JSON format and are composed of:
- metadata, - metadata,
@@ -179,10 +175,10 @@ Configuration files are written in YAML (preferred) or JSON format and are compo
### Pods ### Pods
The smallest deployable unit of computing that one can create and manage in Kubernetes.<br/> The smallest deployable unit of computing that one can create and manage in Kubernetes.<br/>
Pods contain one or more relatively tightly coupled application containers; they are always co-located (executed on the same host) and co-scheduled (executed together), and share context, storage/network resources, and a specification for how to run them. Pods contain one or more relatively tightly coupled application containers; they are always co-located (executed on the same host) and co-scheduled (executed together), and **share** context, storage and network resources, and a specification for how to run them.
Pods are usually created trough workload resources (like _Deployments_, _StatefulSets_, or _Jobs_) and **not** directly.<br/> Pods are (and _should be_) usually created trough other workload resources (like _Deployments_, _StatefulSets_, or _Jobs_) and **not** directly.<br/>
Those leverage and manage _ReplicaSets_, which in turn manage copies of the same pod. When deleted, all the resources they manage are deleted with them. Such parent resources leverage and manage _ReplicaSets_, which in turn manage copies of the same pod. When deleted, **all** the resources they manage are deleted with them.
Gotchas: Gotchas:
@@ -243,18 +239,21 @@ Also see [configuration best practices] and the [production best practices check
- Instrument applications to detect and respond to the SIGTERM signal. - Instrument applications to detect and respond to the SIGTERM signal.
- Avoid using bare pods.<br/> - Avoid using bare pods.<br/>
Prefer defining them as part of a replica-based resource, like Deployments, StatefulSets, ReplicaSets or DaemonSets. Prefer defining them as part of a replica-based resource, like Deployments, StatefulSets, ReplicaSets or DaemonSets.
- Restrict traffic between objects in the cluster.<br/>
See [network policies].
- Leverage [autoscalers](#autoscaling). - Leverage [autoscalers](#autoscaling).
- Pod disruption budgets. - Try to avoid workload disruption.<br/>
- Try to use all nodes possible.<br/> Leverage pod disruption budgets.
- Try to use all available nodes.<br/>
Leverage affinities, taint and tolerations. Leverage affinities, taint and tolerations.
- Push for automation.<br/> - Push for automation.<br/>
[GitOps]. [GitOps].
- Apply the principle of least privilege.<br/> - Apply the principle of least privilege.<br/>
Reduce container privileges where possible.<br/> Reduce container privileges where possible.<br/>
Leverage Role-based access control (RBAC). Leverage Role-based access control (RBAC).
- Restrict traffic between objects in the cluster.<br/>
See [network policies].
- Continuously audit events and logs regularly, also for control plane components. - Continuously audit events and logs regularly, also for control plane components.
- Keep an eye on connection tables.<br/>
Specially valid when using [connection tracking].
- Protect the cluster's ingress points.<br/> - Protect the cluster's ingress points.<br/>
Firewalls, web application firewalls, application gateways. Firewalls, web application firewalls, application gateways.
@@ -416,7 +415,7 @@ All kubernetes clusters should:
Each node pool should: Each node pool should:
- have a _meaningful_ **name** (like \<prefix..>-\<randomid>) to make it easy to recognize the workloads running on it or the features of the nodes in it; - have a _meaningful_ **name** (like `<prefix>-<workload_type>-<random_id>`) to make it easy to recognize the workloads running on it or the features of the nodes in it;
- have a _minimum_ set of _meaningful_ **labels**, like: - have a _minimum_ set of _meaningful_ **labels**, like:
- cloud provider information; - cloud provider information;
- node information and capabilities; - node information and capabilities;
@@ -514,7 +513,7 @@ Leverage the `preStop` hook instead of `postStart`.
> Use a script if you need them. See [container hooks] and [preStop hook doesn't work with env variables] > Use a script if you need them. See [container hooks] and [preStop hook doesn't work with env variables]
Since kubernetes version 1.9 and forth, volumeMounts behavior on secret, configMap, downwardAPI and projected have changed to Read-Only by default. Since kubernetes version 1.9 and forth, volumeMounts behavior on secret, configMap, downwardAPI and projected have changed to Read-Only by default.
A workaround to the problem is to create an `emtpyDir` Volume and copy the contents into it and execute/write whatever you need: A workaround to the problem is to create an `emptyDir` Volume and copy the contents into it and execute/write whatever you need:
```yaml ```yaml
initContainers: initContainers:
@@ -652,7 +651,9 @@ All the references in the [further readings] section, plus the following:
<!-- Knowledge base --> <!-- Knowledge base -->
[azure kubernetes service]: ../azure/aks.md [azure kubernetes service]: ../azure/aks.md
[cert-manager]: cert-manager.md [cert-manager]: cert-manager.md
[connection tracking]: ../connection%20tracking.placeholder
[create an admission webhook]: ../../examples/kubernetes/create%20an%20admission%20webhook/README.md [create an admission webhook]: ../../examples/kubernetes/create%20an%20admission%20webhook/README.md
[etcd]: ../etcd.placeholder
[external-dns]: external-dns.md [external-dns]: external-dns.md
[flux]: flux.md [flux]: flux.md
[gitops]: ../gitops.md [gitops]: ../gitops.md
@@ -678,7 +679,6 @@ All the references in the [further readings] section, plus the following:
[cncf]: https://www.cncf.io/ [cncf]: https://www.cncf.io/
[container capabilities in kubernetes]: https://unofficial-kubernetes.readthedocs.io/en/latest/concepts/policy/container-capabilities/ [container capabilities in kubernetes]: https://unofficial-kubernetes.readthedocs.io/en/latest/concepts/policy/container-capabilities/
[elasticsearch]: https://github.com/elastic/helm-charts/issues/689 [elasticsearch]: https://github.com/elastic/helm-charts/issues/689
[etcd]: https://etcd.io/docs/
[how to run a command in a pod after initialization]: https://stackoverflow.com/questions/44140593/how-to-run-command-after-initialization/44146351#44146351 [how to run a command in a pod after initialization]: https://stackoverflow.com/questions/44140593/how-to-run-command-after-initialization/44146351#44146351
[kubernetes cluster autoscaler]: https://www.kubecost.com/kubernetes-autoscaling/kubernetes-cluster-autoscaler/ [kubernetes cluster autoscaler]: https://www.kubecost.com/kubernetes-autoscaling/kubernetes-cluster-autoscaler/
[kubernetes securitycontext capabilities explained]: https://www.golinuxcloud.com/kubernetes-securitycontext-capabilities/ [kubernetes securitycontext capabilities explained]: https://www.golinuxcloud.com/kubernetes-securitycontext-capabilities/