1 of 53

Day 1

Trainer

Felix Tsang

Specialises in cloud management and cloud computing technologies, IaaS and PaaS, and cloud-native solutions.

Enjoys sharing knowledge; also an Open Source Evangelist for the Linux Foundation APAC (an international open-source foundation), promoting open-source technology.

CNCF certifications: LFAI, CKA, CKAD, CKS (Instructor, Developer, Security Specialist)

Red Hat certifications: RHCI (Instructor), RHCA (Architect)

Email : felix@linux.com

Blog: https://medium.com/@felixltd

2 of 53

Registration

  • Links: #3. Course Registration Link
  • The URL to use with the class key is https://linux.thoughtindustries.com/redeem
  • The learner will be prompted to enter or create an LFID, and is then prompted to enter the class key/code: lfd459tcc20231218
  • Please make sure all students register at the beginning of the class.

3 of 53

Lab Material and VMs

  • https://docs.google.com/document/d/1WRFkD2bOGwLHS-Np3wtJXu5QyM4JAZIL7YN48dhB1XU/edit?usp=sharing

4 of 53

Exam and Certifications

CKA: Certified Kubernetes Administrator

CKAD: Certified Kubernetes Application Developer

CKS: Certified Kubernetes Security Specialist (must be CKA certified first)


14 of 53

Kubernetes (commonly stylized as K8s[4]) is an open-source container-orchestration system for automating computer application deployment, scaling, and management.[5]

It was originally designed by Google and is now maintained by the Cloud Native Computing Foundation. It aims to provide a "platform for automating deployment, scaling, and operations of application containers across clusters of hosts".[6] It works with a range of container tools, including Docker.[7]

Many cloud services offer a Kubernetes-based platform or infrastructure as a service (PaaS or IaaS) on which Kubernetes can be deployed as a platform-providing service. Many vendors also provide their own branded Kubernetes distributions.

Released 7 June 2014 by Google

2015: Cloud Native Computing Foundation (CNCF)

The CNCF is a Linux Foundation project

https://en.wikipedia.org/wiki/Kubernetes

15 of 53

Cloud Native Roles

  • Cloud Architect: responsible for the adoption of cloud technologies and for designing the application landscape and infrastructure, with a focus on security, scalability and deployment mechanisms.
  • DevOps Engineer: often described as a simple combination of developer and administrator, but that doesn't do the role justice. DevOps engineers use tools and processes that balance out software development and operations, starting with approaches to writing, building, and testing software throughout the deployment lifecycle.
  • Full-Stack Developer: an all-rounder who is at home in frontend and backend development, as well as infrastructure essentials.
  • Site Reliability Engineer (SRE)
  • Security Engineer
  • DevSecOps Engineer
  • Data Engineer

16 of 53

Container vs VM

[Diagram: a VM abstracts the hardware (CPU, memory, devices) and runs its own OS with its own kernel and runtime (RT); a container abstracts the OS kernel, so all containers on a host share the host kernel and are run by an engine (CRI-O / Docker). The same picture holds for Host 1 and Host 2, on-prem or on-cloud.]

18 of 53

Cloud Native Architecture - CNCF Cloud Native Definition

What is Cloud Native?

“Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach.

These techniques enable loosely coupled systems that are resilient, manageable, and observable. Combined with robust automation, they allow engineers to make high-impact changes frequently and predictably with minimal toil.”

"Cloud native technologies help organizations build and run elastically scalable applications in new, dynamic environments such as public, private and hybrid clouds. Representative cloud native technologies include containers, service meshes, microservices, immutable infrastructure and declarative APIs.

These techniques make it possible to build loosely coupled systems that are fault tolerant, easy to manage and easy to observe. Combined with reliable automation, cloud native technologies let engineers make frequent and predictable major changes to a system with ease."

Source: CNCF Cloud Native Definition

19 of 53

Modern Application Development

  • Short development cycle
  • Functionality changes on demand
  • Highly integrated
  • PoC from the market
  • Pilot project model
  • Faster deployment
  • Multi-team
  • ……

20 of 53

Cloud Native Architecture - CNCF Cloud Native Definition

Increasing complexity of applications:

  • Enabling change to meet the growing demands of users
  • Multiple teams, each holding ownership of different functions of the application
  • Technology and workforce adoption

Monolithic vs Microservices Architecture

Small components with a clearly defined scope of functions are often referred to as microservices.

How small should the microservices be?

21 of 53

Cloud Native Architecture Characteristics

  • High level of automation - CI/CD: building, testing and deploying applications as well as infrastructure with minimal human involvement
  • Self healing - health checks that monitor your application from the inside and automatically restart it if necessary
  • Scalable - starting multiple copies of the same application and distributing the load across them
  • (Cost-) Efficient - scaling your application up for high-traffic situations and down again afterwards
  • Easy to maintain - using microservices allows applications to be broken down into smaller pieces that are more portable, easier to test and easier to distribute across multiple teams
  • Secure by default - cloud environments are often shared between multiple customers or teams, which calls for different security models

22 of 53

Cloud Native Architecture Characteristics

A good baseline and starting point for your cloud native journey is the twelve-factor app. The twelve factor app is a guideline for developing cloud native applications, which starts with simple things like version control of your codebase, environment-awar

23 of 53

Cloud Native Architecture Characteristics

24 of 53

Lab

[Lab diagram: an nginx Deployment on the cluster (master) controls a Pod (the application), which is exposed through a Service.]

kubectl get pod -o wide (the application)

kubectl get deployment (control of the application)

kubectl get svc (how to access your application: ClusterIP, LoadBalancer, NodePort)

[Network path in the diagram: the Pod sits on the private virtual network (SDN) at 192.168.233.73, port 80; the Service's ClusterIP is 10.98.64.122:80; the NodePort (30122 in the diagram) is exposed on the host network behind the external firewall, and the lab URL http://35.203.121.109:31345/ reaches nginx through a node's public IP and NodePort.]

25 of 53

Lab

[Lab diagram: two nginx Pods, one with Label:a and one with Label:b, under a Deployment on the cluster (master), exposed through a Service.]

kubectl get pod -o wide (the application)

kubectl get deployment (control of the application)

kubectl get svc (how to access your application: ClusterIP, LoadBalancer, NodePort)

[Network path in the diagram: the Pod sits on the private virtual network (SDN) at 192.168.233.73, port 80; the Service's ClusterIP is 10.98.64.122:80; the NodePort (30122 in the diagram) is exposed on the host network behind the external firewall, and the lab URL http://35.203.121.109:31345/ reaches nginx through a node's public IP and NodePort.]

Selector: label a - the Service forwards only to Pods carrying Label:a.

Deployment: manages the Replicas, all carrying Label:a; configuration comes from a Secret and a configmap.

26 of 53

docker/cri-o

Tool: docker >>> start, stop, rm

podman >>>

A container = 1. App + 2. ENV

Kubernetes: the unit of deployment is the pod

Kind: Pod, Deployment, Service, ConfigMap, PVC, PV >>>> described in yaml

kubectl create -f xxx.yaml

kubectl delete -f xxx.yaml

kubectl get pod

kubectl delete pod/pod_name

Example Pod manifest:

    apiVersion: v1
    kind: Pod
    metadata:
      name: basicpod
    spec:
      containers:
      - name: webcont
        image: nginx
        ports:              # <-- Add this and the following line
        - containerPort: 80

Registry server: Quay.io, or run one yourself

27 of 53

Containerized Application

Application + Running ENV (container) >>> up and run >>> container-orchestration

[Diagram: three steps - 1 Coding > 2 Source / Docker image > 3 container-orchestration]

28 of 53

code >>> compile >>> Docker image (built from a docker file)

29 of 53

Cloud Native Architecture Characteristics

30 of 53

Day2

Course Registration Link

https://trainingportal.linuxfoundation.org/redeem

31 of 53

Manage yaml file for deployment

32 of 53

Helm

Example charts: httpd chart, WordPress chart

Chart structure:

  1. Meta (Chart.yaml)
  2. Dependency: points to another chart

Eg: Go templating injected into the manifests to get parameters from values.yaml

Parameters definition (values.yaml)

More example

33 of 53

Kustomize

kustomize build myapp/base | oc apply -f -

kustomize build myapp/base > /tmp/base.yaml

kubectl apply -f /tmp/base.yaml

https://ellis-wu.github.io/2018/07/26/kustomize-introduction/

More example

Variables??

34 of 53

Day 1-2 Kubernetes Note

  • Play with yaml files
  • Each resource is represented by a yaml file

https://kubernetes.io/docs/concepts/workloads/pods/ (official doc)

Resource Kinds:

  • Deployment
  • Pod
  • svc <<<<< access type: ClusterIP, LoadBalancer, NodePort
  • Node <<<< the master node carries a default "Taints" spec, so no pods are scheduled on it

kubectl get KIND/NAME -o yaml (retrieve the resource's yaml)

kubectl create -f xxx.yaml (create the resource from a yaml file)

Installation: kubeadm, kubelet, kubectl

35 of 53

EXTRA

Deployments VS StatefulSets VS DaemonSet

36 of 53

Kind: Deployment

A Deployment is the easiest and most used resource for deploying your application. It is a Kubernetes controller that matches the current state of your cluster to the desired state declared in the Deployment manifest.

<<< controlled by a replica count; a PVC is shared by all replicas

Kind: StatefulSet

A StatefulSet (stable/GA in k8s v1.9) is a Kubernetes resource used to manage stateful applications. It manages the deployment and scaling of a set of Pods, and provides guarantees about the ordering and uniqueness of these Pods.

<<< PVCs are NOT shared: each Pod gets its own. Eg a DB cluster

Kind: DaemonSet

A DaemonSet is a controller that ensures that a pod runs on all the nodes of the cluster. If a node is added to or removed from the cluster, the DaemonSet automatically adds or deletes the pod.

<<< ensures a pod runs on each node

37 of 53

  • Configuring probes
  • Probes have many precise and detailed settings that let you control liveness and readiness checks exactly:
  • initialDelaySeconds: how many seconds to wait after the container starts before the first probe runs.
  • periodSeconds: how often the probe runs. Default 10 seconds, minimum 1 second.
  • timeoutSeconds: probe timeout. Default 1 second, minimum 1 second.
  • successThreshold: after a failure, the minimum number of consecutive successes before the probe counts as successful. Default 1. Must be 1 for liveness. Minimum 1.
  • failureThreshold: after a success, the minimum number of consecutive failures before the probe counts as failed. Default 3. Minimum 1.

38 of 53

Probes can be configured in many ways based on how often they need to run, the success and failure thresholds, and how long to wait for responses.

  • initialDelaySeconds (default value 0): If you know your application needs n seconds (for example, 30 seconds) to warm up, you can delay the first check by that many seconds using initialDelaySeconds.
  • periodSeconds (default value 10): If you want to specify how often a check is executed, you can define that using periodSeconds.
  • timeoutSeconds (default value 1): This defines the maximum number of seconds before the probe operation is timed out; a timeout counts as a failed check.
  • successThreshold (default value 1): The number of consecutive successful checks required before the probe is considered successful again after a failure.
  • failureThreshold (default value 3): In case of probe failure, Kubernetes makes this many consecutive attempts before the probe is marked as failed.

Note: By default, the probe is marked as failed if the application does not respond to three consecutive attempts. In the case of a liveness probe, the container is restarted. In the case of a readiness probe, the Pod is marked as not ready.
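The threshold logic above, as an added example that is not part of the course material: a small Python model of how the kubelet turns individual check results into a probe state, plus the worst-case time to a liveness restart for a given configuration. The field names are the probe spec's; the `ProbeTracker`, `simulate` and `seconds_until_restart` names are this example's own.

```python
"""Simulation of kubelet's probe threshold logic (added example, not from the course).
Field names follow the probe spec; defaults are the Kubernetes defaults listed above."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProbeConfig:
    initialDelaySeconds: int = 0
    periodSeconds: int = 10
    timeoutSeconds: int = 1
    successThreshold: int = 1
    failureThreshold: int = 3


class ProbeTracker:
    """The reported result flips only after successThreshold consecutive successes or
    failureThreshold consecutive failures; one bad check on its own changes nothing."""

    def __init__(self, cfg: ProbeConfig, kind: str):
        self.cfg = cfg
        # kubelet starts a liveness probe as Success (container assumed healthy) and a
        # readiness probe as Failure (the Pod gets no Service traffic until proven ready)
        self.result = "Success" if kind == "liveness" else "Failure"
        self.last, self.streak = self.result, 0

    def observe(self, response_seconds: Optional[float]) -> str:
        # No answer, or an answer slower than timeoutSeconds, counts as a failed check
        ok = response_seconds is not None and response_seconds <= self.cfg.timeoutSeconds
        outcome = "Success" if ok else "Failure"
        self.streak = self.streak + 1 if outcome == self.last else 1
        self.last = outcome
        needed = self.cfg.successThreshold if ok else self.cfg.failureThreshold
        if self.streak >= needed:
            self.result = outcome
        return self.result


def simulate(cfg: ProbeConfig, kind: str, responses: List[Optional[float]]) -> List[Tuple[int, str]]:
    """Run one probe per entry of `responses` (seconds the app took, None = no answer) and
    return (probe time in seconds since container start, reported result) for each."""
    tracker = ProbeTracker(cfg, kind)
    return [(cfg.initialDelaySeconds + i * cfg.periodSeconds, tracker.observe(r))
            for i, r in enumerate(responses)]


def seconds_until_restart(cfg: ProbeConfig) -> int:
    """Worst case for a liveness probe against a hung container: the failureThreshold-th
    probe has to time out first. (kubelet adds a little start-up jitter, ignored here.)"""
    return cfg.initialDelaySeconds + (cfg.failureThreshold - 1) * cfg.periodSeconds + cfg.timeoutSeconds
```

With the defaults, a container that never answers is restarted about 21 seconds after start (two full periods plus the third probe's timeout), while a single slow response, or failures that never reach three in a row, leaves the container running.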

39 of 53

Day 3

40 of 53

Volume and Data

PersistentVolumeClaim: what a container's volume mount refers to

PersistentVolume: abstracts the storage backend (NFS, S3, cloud disk, etc.)

StorageClass: dynamically provisions storage with the backend

Secret <<< kubectl create secret generic -h …. from file? from key/value? Data values are base64 encoded.

ConfigMap <<< kubectl create cm -h …. from file? from key/value? Data values are raw text.
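The Secret/ConfigMap data encoding described above, as an added Python example (not course code): it builds the two manifests from key/value pairs the way the kubectl create commands would and decodes a Secret back, which is the check a practitioner should run once to see that base64 is not a confidentiality control. Function names and the sample values are this example's own.

```python
"""Added example (not course code): build Secret and ConfigMap manifests the way
`kubectl create secret generic` / `kubectl create cm --from-literal` would, and show that
a Secret's base64 "data" values are encoded, not encrypted."""
import base64
import re
from typing import Dict

# Data keys of both kinds may only contain alphanumerics, '-', '_' and '.'
KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")


def _check_keys(items: Dict[str, str]) -> None:
    for key in items:
        if not KEY_RE.match(key):
            raise ValueError(f"invalid data key {key!r}")


def configmap_manifest(name: str, items: Dict[str, str]) -> dict:
    """ConfigMap: data values are stored as raw text."""
    _check_keys(items)
    return {"apiVersion": "v1", "kind": "ConfigMap",
            "metadata": {"name": name}, "data": dict(items)}


def secret_manifest(name: str, items: Dict[str, str]) -> dict:
    """Secret: data values are base64 encoded (type Opaque is what 'generic' creates)."""
    _check_keys(items)
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name},
            "data": {k: base64.b64encode(v.encode()).decode() for k, v in items.items()}}


def reveal_secret(manifest: dict) -> Dict[str, str]:
    """Anyone allowed to `kubectl get secret -o yaml` can do this in one step, so a
    Secret is protected by RBAC and encryption at rest, never by the base64 layer."""
    return {k: base64.b64decode(v).decode() for k, v in manifest["data"].items()}
```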

41 of 53


42 of 53

[Diagram: an app Pod mounts a volume (img) at mountpoint /var/app/img. The Pod's PVC (PersistentVolumeClaim) binds to a PV (PersistentVolume), which abstracts the backend: NFS, cloud S3, or an OS path; a StorageClass can provision the PV. Secret/ConfigMap data is exposed to the container either as ENV variables or as a Volume (mountpoint /abc/ap).]

43 of 53

[Diagram (continued): the same app Pod with its img volume at /var/app/img backed by PVC -> PV -> NFS / cloud S3 / OS path (provisioned via a StorageClass); an emptyDir: {} volume; and secret/ConfigMap data exposed to the container as ENV or as a Volume at mountpoint /abc/ap.]

44 of 53

[Diagram: an app container and a log sidecar in the same Pod share one volume, mounted at /var/app/img in the app container and at /tmp/img in the sidecar.]

46 of 53

Study Progress

Command:

$ kubectl get KIND -n NAMESPACE

$ kubectl create KIND NAME

$ kubectl describe KIND NAME

$ kubectl get KIND NAME -o yaml > NAME.yaml

$ kubectl delete KIND NAME

$ kubectl exec -it pod/NAME -- sh

$ kubectl logs podxxxx

$ kubectl xxx --record

$ kubectl rollout xxx

Kind:

  • Deployment
  • Pod
  • Service
  • Node
  • Jobs
  • CronJob
  • PersistentVolumeClaim
  • PersistentVolume
  • StorageClass
  • Secret
  • ConfigMap

Tools: crontab.guru <<<< cronjob tool

47 of 53

ClusterRole, Role

  • ClusterRole: cluster level
  • Role: project level (namespace)

>>> rules are verbs on resources, eg: --verb=create --resource=deployments,statefulsets,daemonsets

Subjects:

  • System User (service account)
  • Normal User

Bindings: clusterrolebinding (cluster-wide), rolebinding (one namespace)

[Diagram: a binding connects a subject to a Role/ClusterRole; the rules then apply to resources such as Deployments (1, 2, 3).]
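How the four RBAC objects above combine, as an added Python example (not course material): a toy evaluator that answers "may this subject do this verb on this resource in this namespace?" for a Role created with the slide's flags and bound in different ways. All role, subject and namespace names are constructed.

```python
"""Toy RBAC evaluator (added example, not course material) showing how Role/ClusterRole
and RoleBinding/ClusterRoleBinding scope a subject's permissions. Names are constructed."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    verbs: List[str]
    resources: List[str]
    def allows(self, verb: str, resource: str) -> bool:
        return (verb in self.verbs or "*" in self.verbs) and \
               (resource in self.resources or "*" in self.resources)

@dataclass
class RoleDef:
    name: str
    rules: List[Rule]
    namespace: Optional[str] = None   # None = ClusterRole, otherwise a namespaced Role

@dataclass
class Binding:
    subject: str                      # "system:serviceaccount:<ns>:<name>" or a normal user
    role: RoleDef
    namespace: Optional[str] = None   # None = ClusterRoleBinding, otherwise a RoleBinding

def binding_scope(b: Binding) -> Optional[str]:
    """Namespace in which the binding grants anything; None means every namespace."""
    if b.namespace is None and b.role.namespace is not None:
        raise ValueError("a ClusterRoleBinding can only reference a ClusterRole")
    if b.namespace is not None and b.role.namespace not in (None, b.namespace):
        raise ValueError("a RoleBinding must reference a Role in its own namespace or a ClusterRole")
    return b.namespace   # a RoleBinding to a ClusterRole still grants only in its own namespace

def allowed(bindings: List[Binding], subject: str, verb: str, resource: str, ns: str) -> bool:
    """RBAC is purely additive: any matching rule grants, and there are no deny rules."""
    return any(b.subject == subject and binding_scope(b) in (None, ns)
               and any(rule.allows(verb, resource) for rule in b.role.rules)
               for b in bindings)

# The Role the slide's flags would create (--verb=create --resource=deployments,statefulsets,daemonsets)
DEPLOYER = RoleDef("deployer", [Rule(["create"], ["deployments", "statefulsets", "daemonsets"])], "dev")
POD_READER = RoleDef("pod-reader", [Rule(["get", "list"], ["pods"])])        # a ClusterRole
CI_SA = "system:serviceaccount:dev:ci"                                         # system user
BINDINGS = [
    Binding(CI_SA, DEPLOYER, "dev"),      # RoleBinding: the CI service account deploys only in dev
    Binding("alice", POD_READER),         # ClusterRoleBinding: alice reads pods in every namespace
    Binding("bob", POD_READER, "prod"),   # RoleBinding to a ClusterRole: bob reads pods in prod only
]
```

The same ClusterRole gives alice cluster-wide read access but bob access in prod only, because the scope comes from the binding, not from the role; that is the lever for keeping service accounts at least privilege.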

48 of 53

Study Progress

Command:

$ kubectl get KIND -n NAMESPACE

$ kubectl create KIND NAME

$ kubectl describe KIND NAME

$ kubectl get KIND NAME -o yaml > NAME.yaml

$ kubectl delete KIND NAME

$ kubectl exec -it pod/NAME -- sh

$ kubectl logs podxxxx

$ kubectl xxx --record

$ kubectl rollout xxx

Kind:

  • Deployment
  • Pod
  • Service
  • Node
  • Jobs
  • CronJob
  • PersistentVolumeClaim
  • PersistentVolume
  • StorageClass
  • Secret
  • ConfigMap
  • Role
  • ClusterRole
  • RoleBinding
  • ClusterRoleBinding
  • ServiceAccount
  • NetworkPolicy
  • Namespace

Tools: crontab.guru <<<< cronjob tool

49 of 53

Day 5

Services (also called microservices) are objects which declare a policy to access a logical set of Pods. They are typically assigned with labels to allow persistent access to a resource, when front or back end containers are terminated and replaced. Native applications can use the Endpoints API for access. Non-native applications can use a Virtual IP-based bridge to access back end pods. ServiceTypes Type could be:

  • ClusterIP (default): exposes the Service on a cluster-internal IP; only reachable within the cluster. (Pod A – Pod B)
  • NodePort: exposes the Service on each node's IP at a static port. A ClusterIP is also created automatically. (VM:port >> Pod A)
  • LoadBalancer: exposes the Service externally using the cloud provider's load balancer. NodePort and ClusterIP are created automatically. (Asks the cloud to create an IP that maps to the NodePort >>> Pod)
  • ExternalName: maps the Service to the contents of externalName using a CNAME record.

50 of 53

[Lab diagram: an nginx Deployment on the cluster (master) controls a Pod (the application), which is exposed through a Service.]

kubectl get pod -o wide (the application)

kubectl get deployment (control of the application)

kubectl get svc (how to access your application: ClusterIP, LoadBalancer, NodePort)

[Network path in the diagram: the Pod sits on the private virtual network (SDN) at 192.168.233.73, port 80; the Service's ClusterIP is 10.98.64.122:80; the NodePort (30122 in the diagram) is exposed on the host network behind the external firewall, and the lab URL http://35.203.121.109:31345/ reaches nginx through a node's public IP and NodePort.]

The Service uses its selector to forward requests/traffic to the Pods whose labels match.
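The selector matching on this slide and the ServiceTypes on the previous one, as an added Python example that is not part of the course: it computes which Pods a Service forwards to (only ready Pods whose labels match) and which addresses each type exposes. Pod names, node IPs and the extra Pods are constructed; the lab diagram's Pod IP, ClusterIP and NodePort are reused.

```python
"""Added example (not course code): how a Service picks endpoints by label selector and what each
ServiceType exposes. Pods/IPs/ports are constructed sample data reusing the lab diagram's values."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Pod:
    name: str
    ip: str
    labels: Dict[str, str]
    ready: bool = True            # readiness probe result; a not-ready Pod gets no traffic

@dataclass
class Service:
    name: str
    selector: Dict[str, str]
    port: int                     # port on the ClusterIP
    target_port: int              # containerPort in the Pod
    type: str = "ClusterIP"
    node_port: int = 0            # allocated for NodePort/LoadBalancer (30000-32767 by default)
    external_name: str = ""       # only for type ExternalName

def matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """Equality selector: every selector key must be present with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())

def endpoints(svc: Service, pods: List[Pod]) -> List[str]:
    """Pod addresses the Service forwards to; no selector (e.g. ExternalName) means none."""
    return [f"{p.ip}:{svc.target_port}" for p in pods
            if svc.selector and p.ready and matches(svc.selector, p.labels)]

def exposure(svc: Service, cluster_ip: str, node_ips: List[str]) -> Dict[str, List[str]]:
    """Addresses a client can use; NodePort also gets a ClusterIP, LoadBalancer gets both."""
    if svc.type == "ExternalName":
        return {"ExternalName": [svc.external_name]}   # a CNAME, no ClusterIP, no endpoints
    addrs = {"ClusterIP": [f"{cluster_ip}:{svc.port}"]}        # reachable only inside the cluster
    if svc.type in ("NodePort", "LoadBalancer"):
        if not 30000 <= svc.node_port <= 32767:
            raise ValueError("nodePort outside the default 30000-32767 range")
        addrs["NodePort"] = [f"{ip}:{svc.node_port}" for ip in node_ips]   # every node, host network
    if svc.type == "LoadBalancer":
        addrs["LoadBalancer"] = [f"<cloud-assigned external IP>:{svc.port}"]
    return addrs

# Constructed lab-style data: two nginx Pods labelled a and b, plus one more "a" Pod not yet ready
PODS = [Pod("nginx-a", "192.168.233.73", {"app": "nginx", "label": "a"}),
        Pod("nginx-b", "192.168.233.74", {"app": "nginx", "label": "b"}),
        Pod("nginx-a2", "192.168.233.75", {"app": "nginx", "label": "a"}, ready=False)]
NGINX_SVC = Service("nginx", {"label": "a"}, 80, 80, "NodePort", 30122)
```

Each step up the type ladder widens the reachable surface (cluster only, then every node's host network, then a public address), which is why the type of a Service is worth reviewing alongside its selector.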

51 of 53

Expose network

  • https://medium.com/google-cloud/kubernetes-nodeport-vs-loadbalancer-vs-ingress-when-should-i-use-what-922f010849e0

52 of 53

Study Progress

Command:

$ kubectl get KIND -n NAMESPACE

$ kubectl create KIND NAME

$ kubectl describe KIND NAME

$ kubectl get KIND NAME -o yaml > NAME.yaml

$ kubectl delete KIND NAME

$ kubectl exec -it pod/NAME -- sh

$ kubectl logs podxxxx

$ kubectl xxx --record

$ kubectl rollout xxx

Kind:

  • Deployment
  • Pod
  • Service
  • Node
  • Jobs
  • CronJob
  • PersistentVolumeClaim
  • PersistentVolume
  • StorageClass
  • Secret
  • ConfigMap
  • Role
  • ClusterRole
  • RoleBinding
  • ClusterRoleBinding
  • ServiceAccount
  • NetworkPolicy
  • Namespace
  • Ingress
  • Service > 4 types (ClusterIP, NodePort, LoadBalancer, ExternalName)

Tools: crontab.guru <<<< cronjob tool

53 of 53

platform

kubectl get events >> eg: pulling the container image failed >> check registry authentication

Pod

0. kubectl exec -ti tester-<tab> -- /bin/sh

  • kubectl logs pod/xxxxx
  • kubectl describe pod/xxxxx

Pod <!> Pod (pod-to-pod connectivity)

>>> NetworkPolicy

>>> Service > label

Pod status >>> Pending, ImagePullBackOff, OOMKilled, Completed