Kubernetes Crash Course

Launching Your Next Big Idea

Contents

  1. 💡 The Idea - An overview.
  2. 🔨 Build It - Docker.
  3. 🏃 Run It - Pods.
  4. 🩹 Keep It Running - Workloads, Scaling, and Storage.
  5. 🍽️ Serve It - Services and Endpoints.
  6. 🏰 Secure It - Network Policy.
  7. 💎 Rarely Needed Gems - Controllers and Operators.
2

💡 The Idea

Fizz Buzz as a Service

Bring fizz buzz to the masses!

3

Objective

4

🔨 Build It

5

Docker Build & Publish

🔨 Build It

Dockerfile

# syntax=docker/dockerfile:1
# Build stage: compile the binary; the go-build cache is mounted, not copied into the image.
FROM golang:1.17-bullseye AS build

WORKDIR /go/src/app

COPY go.* ./
RUN go mod download

COPY . ./
# --mount=type=cache needs BuildKit (the syntax line above opts in).
RUN --mount=type=cache,target=/root/.cache/go-build make linux

# Distroless is a lightweight base image: no shell, no package manager, only the binary and its runtime.
FROM gcr.io/distroless/base-debian11
COPY --from=build /go/src/app/fizzbuzz /
CMD ["/fizzbuzz"]

Build & Push

DOCKER_BUILDKIT=1 docker build . -t nfinstana/fizzbuzz:1.0.0-85d759de && \
docker push nfinstana/fizzbuzz:1.0.0-85d759de
6

🏃 Run It

7

Overview

🏃 Run It

  1. What is a Resource
  2. Minimal Pod Spec
  3. Requests & Limits
  4. Taints & Tolerations
  5. Affinity
  6. Anti-affinity
8

What is a Resource

🏃 Run It

apiVersion: $(API_VERSION)      # e.g. batch/v1, apps/v1, v1
kind: $(RESOURCE_KIND)          # e.g. Pod, CronJob, Deployment
metadata:
  name: $(UNIQUE_NAME)          # unique name for the resource kind
  namespace: $(NAMESPACE)       # namespace, some kinds are global, otherwise defaulted
  labels:
    $(LABEL_MAP)                # key-value pairs
  annotations:
    $(ANNOTATION_MAP)           # key-value pairs
spec:
  # ... resource definition
9

Minimal Pod Spec

🏃 Run It

10

Minimal Pod Spec

🏃 Run It

apiVersion: v1
kind: Pod
metadata:
  name: fizzbuzz
  namespace: instana-dev
  labels:
    # Standard labels - https://helm.sh/docs/chart_best_practices/labels/#standard-labels
    app.kubernetes.io/name: "fizzbuzz"
    app.kubernetes.io/version: "1.0.0-85d759de"
spec:
  containers:
  - name: fizzbuzz
    image: nfinstana/fizzbuzz:1.0.0-85d759de
11

Requests & Limits

🏃 Run It

12

Requests & Limits

🏃 Run It

apiVersion: v1
kind: Pod
# ...
spec:
  containers:
  - name: fizzbuzz
    resources:
      requests:
        cpu: "10m"
        memory: "64Mi"
      limits:
        cpu: "100m"
        memory: "128Mi"
    # ...
13
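Requests are what the scheduler reserves and limits are what the kubelet's cgroups enforce; a container with no memory limit can exhaust a node, and the HPA later in this deck scales on CPU utilization relative to the request, so both should be declared. The Go program below is an added example, not code from the deck or the fizzbuzz project: it parses the quantity strings used in these manifests ("10m", "64Mi") and runs the check a validating admission controller would run, over three constructed pods (the slide's fizzbuzz container, one with requests but no limits, one whose cpu limit is below its request). The container names "worker" and "api" and their values are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Container mirrors the parts of a pod container checked here; Requests and
// Limits hold the quantity strings exactly as written in the YAML.
type Container struct {
	Name             string
	Requests, Limits map[string]string
}

// memSuffixes lists memory suffixes longest first so "Mi" is tried before "M".
var memSuffixes = []struct {
	s    string
	mult int64
}{{"Ki", 1 << 10}, {"Mi", 1 << 20}, {"Gi", 1 << 30}, {"K", 1e3}, {"M", 1e6}, {"G", 1e9}}

// ParseQuantity converts a Kubernetes quantity into a base unit: millicores
// for cpu ("100m" -> 100, "0.5" -> 500) and bytes for memory ("64Mi" ->
// 67108864). Only the suffixes seen in everyday manifests are handled.
func ParseQuantity(resource, q string) (int64, error) {
	switch resource {
	case "cpu":
		if strings.HasSuffix(q, "m") {
			return strconv.ParseInt(strings.TrimSuffix(q, "m"), 10, 64)
		}
		f, err := strconv.ParseFloat(q, 64)
		return int64(f * 1000), err
	case "memory":
		for _, sx := range memSuffixes {
			if strings.HasSuffix(q, sx.s) {
				n, err := strconv.ParseInt(strings.TrimSuffix(q, sx.s), 10, 64)
				return n * sx.mult, err
			}
		}
		return strconv.ParseInt(q, 10, 64)
	}
	return 0, fmt.Errorf("unsupported resource %q", resource)
}

// ValidateResources is the check a validating admission controller (section 7)
// could run on every pod: each container declares cpu and memory requests and
// limits, and no limit is below its request. One message per violation.
func ValidateResources(containers []Container) []string {
	var problems []string
	for _, c := range containers {
		for _, res := range []string{"cpu", "memory"} {
			req, hasReq := c.Requests[res]
			lim, hasLim := c.Limits[res]
			if !hasReq || !hasLim {
				problems = append(problems, fmt.Sprintf("%s: %s request or limit missing", c.Name, res))
				continue
			}
			r, errR := ParseQuantity(res, req)
			l, errL := ParseQuantity(res, lim)
			if errR != nil || errL != nil {
				problems = append(problems, fmt.Sprintf("%s: unparsable %s quantity", c.Name, res))
			} else if l < r {
				problems = append(problems, fmt.Sprintf("%s: %s limit %s is below request %s", c.Name, res, lim, req))
			}
		}
	}
	return problems
}

// SamplePods are constructed: the fizzbuzz container from the slide, a
// container with requests but no limits, and one whose cpu limit is below
// its request.
func SamplePods() map[string][]Container {
	return map[string][]Container{
		"fizzbuzz": {{Name: "fizzbuzz",
			Requests: map[string]string{"cpu": "10m", "memory": "64Mi"},
			Limits:   map[string]string{"cpu": "100m", "memory": "128Mi"}}},
		"unbounded": {{Name: "worker", Requests: map[string]string{"cpu": "10m", "memory": "64Mi"}}},
		"inverted": {{Name: "api",
			Requests: map[string]string{"cpu": "200m", "memory": "64Mi"},
			Limits:   map[string]string{"cpu": "100m", "memory": "128Mi"}}},
	}
}

func main() {
	for name, containers := range SamplePods() {
		fmt.Printf("%-10s %v\n", name, ValidateResources(containers))
	}
}
```

Running it prints an empty list for the slide's pod, two findings for the unbounded pod (cpu and memory limits missing) and one for the inverted pod; a real admission webhook would return those strings in the AdmissionReview denial message.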

Taints & Tolerations

🏃 Run It

14

Taints & Tolerations

🏃 Run It

Node Taint

kubectl taint nodes node01 role=ingress:NoSchedule

Pod Toleration

apiVersion: v1
kind: Pod
# ...
spec:
  containers:
  # ...
  tolerations:
  - key: "role"
    operator: "Equal"
    value: "ingress"
    effect: "NoSchedule"
15

Affinity

🏃 Run It

16

Affinity

🏃 Run It

apiVersion: v1
kind: Pod
# ...
spec:
  containers:
  # ...
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: "role"          # node label; a taint does not label the node (kubectl label nodes node01 role=ingress)
            operator: In         # node selector operators: In, NotIn, Exists, DoesNotExist, Gt, Lt
            values:
            - "ingress"
17

Anti-affinity

🏃 Run It

18

Anti-affinity

🏃 Run It

apiVersion: v1
kind: Pod
# ...
spec:
  containers:
  # ...
  affinity:
    # ...
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: "app.kubernetes.io/name"
            operator: In
            values:
            - fizzbuzz
        topologyKey: "kubernetes.io/hostname"
19
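Taints keep general workloads off a dedicated node, node affinity pins a pod to nodes that carry a label, and pod anti-affinity spreads replicas across hosts so that losing one node does not take every fizzbuzz replica with it. The Go program below is an added example, not code from the deck or the fizzbuzz project: it reimplements those three scheduler predicates with the Kubernetes matching rules (empty toleration effect matches any effect, absent label keys satisfy NotIn/DoesNotExist, anti-affinity with topologyKey kubernetes.io/hostname checked against pods already on the host) and runs the slide's fizzbuzz constraints against three constructed nodes; node01, node02, node03 and their labels, taints and resident pods are constructed.

```go
package main

import "fmt"

type (
	Taint       struct{ Key, Value, Effect string }          // node.spec.taints entry
	Toleration  struct{ Key, Operator, Value, Effect string } // pod.spec.tolerations entry
	Requirement struct{ Key, Operator string; Values []string } // one matchExpressions entry
	Node        struct { // scheduler's view: labels, taints, labels of pods already placed here
		Name   string
		Labels map[string]string
		Taints []Taint
		Pods   []map[string]string
	}
	Pod struct {
		Tolerations     []Toleration
		NodeAffinity    []Requirement // one nodeSelectorTerm, entries ANDed
		PodAntiAffinity []Requirement // labelSelector, topologyKey kubernetes.io/hostname
	}
)

// tolerates applies the Kubernetes rules: an empty effect matches any effect,
// Exists ignores the value, and the default operator is Equal.
func tolerates(t Toleration, taint Taint) bool {
	if t.Effect != "" && t.Effect != taint.Effect {
		return false
	}
	if t.Key == "" {
		return t.Operator == "Exists"
	}
	return t.Key == taint.Key && (t.Operator == "Exists" || t.Value == taint.Value)
}

// matches evaluates In, NotIn, Exists and DoesNotExist (Gt/Lt omitted); an
// absent key satisfies NotIn and DoesNotExist, as the API server evaluates it.
func matches(reqs []Requirement, labels map[string]string) bool {
	for _, r := range reqs {
		v, present := labels[r.Key]
		in := false
		for _, x := range r.Values {
			in = in || (present && x == v)
		}
		ok := map[string]bool{"In": in, "NotIn": !in, "Exists": present, "DoesNotExist": !present}[r.Operator]
		if !ok {
			return false
		}
	}
	return true
}

// Schedulable returns "" when the pod may land on the node, otherwise the first
// hard constraint that rejects it (PreferNoSchedule taints are soft, so skipped).
func Schedulable(p Pod, n Node) string {
	for _, taint := range n.Taints {
		tolerated := taint.Effect == "PreferNoSchedule"
		for _, t := range p.Tolerations {
			tolerated = tolerated || tolerates(t, taint)
		}
		if !tolerated {
			return fmt.Sprintf("untolerated taint %s=%s:%s", taint.Key, taint.Value, taint.Effect)
		}
	}
	if !matches(p.NodeAffinity, n.Labels) {
		return "node affinity not satisfied"
	}
	for _, other := range n.Pods {
		if len(p.PodAntiAffinity) > 0 && matches(p.PodAntiAffinity, other) {
			return "pod anti-affinity: matching pod already on this host"
		}
	}
	return ""
}

// FizzbuzzPod combines the three slide snippets: tolerate the ingress taint,
// require a role=ingress node, never share a host with another fizzbuzz pod.
func FizzbuzzPod() Pod {
	return Pod{
		Tolerations:     []Toleration{{Key: "role", Operator: "Equal", Value: "ingress", Effect: "NoSchedule"}},
		NodeAffinity:    []Requirement{{Key: "role", Operator: "In", Values: []string{"ingress"}}},
		PodAntiAffinity: []Requirement{{Key: "app.kubernetes.io/name", Operator: "In", Values: []string{"fizzbuzz"}}},
	}
}

// SampleNodes are constructed: node01 is tainted and labelled for ingress,
// node02 is a plain worker, node03 is an ingress node already running fizzbuzz.
func SampleNodes() []Node {
	ingress := map[string]string{"role": "ingress"}
	fizz := []map[string]string{{"app.kubernetes.io/name": "fizzbuzz"}}
	return []Node{
		{Name: "node01", Labels: ingress, Taints: []Taint{{"role", "ingress", "NoSchedule"}}},
		{Name: "node02", Pods: fizz},
		{Name: "node03", Labels: ingress, Pods: fizz},
	}
}

func main() {
	for _, n := range SampleNodes() {
		fmt.Printf("%s: %q\n", n.Name, Schedulable(FizzbuzzPod(), n))
	}
}
```

Only node01 accepts the pod; node02 lacks the label (a toleration never attracts a pod, it only permits), and node03 already hosts a fizzbuzz replica. A pod with no tolerations at all is still rejected by node01's taint, which is the property that keeps ordinary workloads off the ingress nodes.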

🩹 Keep It Running

20

Workload Types

🩹 Keep It Running

===============================================
Type          | Description
===============================================
CronJobs      | Jobs run on a repeating, time-based schedule
DaemonSets    | one pod on every (matching) node: cluster-wide agents
Deployments   | scalable sets of stateless replicas
StatefulSets  | pods with stable identity and persistent storage
21

Deployments

🩹 Keep It Running

  1. Pod
  2. ReplicaSet
  3. Deployment
  4. Horizontal Pod Autoscaler (HPA)
22

Deployments

🩹 Keep It Running

apiVersion: apps/v1
kind: Deployment
metadata:
  name: fizzbuzz
  namespace: instana-dev
  labels:
    app.kubernetes.io/name: "fizzbuzz"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: "fizzbuzz"
  template:
    metadata:
      labels:
        app.kubernetes.io/name: "fizzbuzz"
        app.kubernetes.io/version: "1.0.0-85d759de"
    spec:
      containers:
      - name: fizzbuzz
        image: gcr.io/google_containers/pause-amd64:3.0
23

Deployments - Manual Scaling

🩹 Keep It Running

kubectl scale --replicas=2 -n instana-dev deployment/fizzbuzz 
24

Deployments - HPA

🩹 Keep It Running

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: fizzbuzz
  namespace: instana-dev
spec:
  minReplicas: 3
  maxReplicas: 10
  metrics:
  - resource:
      name: cpu
      target:
        averageUtilization: 50   # percent of the containers' cpu request, so requests must be set
        type: Utilization
    type: Resource
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: fizzbuzz
25

StatefulSets

🩹 Keep It Running

26

StatefulSets

🩹 Keep It Running

  1. Storage Class
  2. Persistent Volume (PV)
  3. Persistent Volume Claim (PVC)
  4. StatefulSet
27

StatefulSets - Storage Class

🩹 Keep It Running

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: local-storage
provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer
28

StatefulSets - Persistent Volume

🩹 Keep It Running

apiVersion: v1
kind: PersistentVolume
metadata:
  name: local-pv
  labels:
    type: local
spec:
  storageClassName: local-storage
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/mnt"
29

StatefulSets - Stateful Set

🩹 Keep It Running

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  selector:
    matchLabels:
      app: nginx
  serviceName: "nginx"
  template:
    metadata:
      labels:
        app: nginx
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx
        image: nginx
30

StatefulSets - Stateful Set w/ Volume

🩹 Keep It Running

# ...
spec:
  containers:
  - name: nginx
    image: nginx
    volumeMounts:
    - name: www
      mountPath: /usr/share/nginx/html
31

StatefulSets - Stateful Set w/ PVC Template

🩹 Keep It Running

# ...
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
  # volumeClaimTemplates sits at the StatefulSet spec level, beside template
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "local-storage"
      resources:
        requests:
          storage: 1Gi
32

DaemonSets

🩹 Keep It Running

33

DaemonSets

🩹 Keep It Running

  1. Pod
  2. DaemonSet
34

DaemonSets

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd-elasticsearch
spec:
  selector:
    matchLabels:
      name: fluentd-elasticsearch
  template:
    metadata:
      labels:
        name: fluentd-elasticsearch
    spec:
      containers:
      - name: fluentd-elasticsearch
        image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2
        volumeMounts:
        - name: varlog
          mountPath: /var/log
      volumes:
      - name: varlog
        hostPath:
          path: /var/log
35

CronJobs

🩹 Keep It Running

  1. Pod
  2. Job
  3. CronJob
36

CronJobs

🩹 Keep It Running

apiVersion: batch/v1
kind: CronJob
metadata:
  name: hello2
spec:
  schedule: "* * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: hello2
            image: busybox
            command: ["/bin/sh", "-c", "sleep 10"]
          restartPolicy: OnFailure
37

🍽️ Serve It

38

🍽️ Serve It

  1. Service
  2. Endpoint Slice
39

Service

🍽️ Serve It

40

Service

🍽️ Serve It

apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: kube-dns
  name: kube-dns
spec:
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: dns
    port: 53
    protocol: UDP
    targetPort: 53
  selector:
    k8s-app: kube-dns
  sessionAffinity: None
  type: ClusterIP
41

Endpoint Slice

🍽️ Serve It

$ kubectl get -n kube-system endpointslices/kube-dns-vmpct
NAME             ADDRESSTYPE   PORTS        ENDPOINTS               AGE
kube-dns-vmpct   IPv4          9153,53,53   10.244.0.2,10.244.0.3   14d

$ kubectl get pods -n kube-system -l k8s-app=kube-dns
NAME                       READY   STATUS    RESTARTS   AGE
coredns-84f998787d-dp445   1/1     Running   0          14d
coredns-84f998787d-g7sh2   1/1     Running   0          14d
42

🏰 Secure It

43

Network Policy

🏰 Secure It

44

Network Policy

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
    - namespaceSelector:
        matchLabels:
          project: instana-dev
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 8080
45
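The part of this policy most often misread is whether the three `from` entries are ORed or ANDed: as written, each dash starts a separate peer, so the 172.17.0.0/16 block, every pod in a namespace labelled project=instana-dev, and frontend pods in `default` are each admitted independently on TCP 8080, and everything else to the db pods is dropped. The Go program below is an added example, not code from the deck: it evaluates ingress for this policy with the NetworkPolicy semantics (peers ORed; namespaceSelector and podSelector inside one peer ANDed; a podSelector alone scoped to the policy's own namespace; a selected pod isolated for anything no rule admits) and contrasts it with a constructed variant in which the namespace and pod selectors share one list entry. The source IPs, namespace names and labels used for the checks are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// Selector mirrors matchLabels: nil means the field is absent from the peer,
// an empty map is "{}" and matches everything.
type Selector map[string]string

type (
	Peer struct { // one spec.ingress[].from entry; fields in the same entry are ANDed
		IPBlock           string // CIDR, "" when unset
		NamespaceSelector Selector
		PodSelector       Selector
	}
	Port   struct{ Protocol string; Port int }
	Policy struct { // the ingress part of a NetworkPolicy with policyTypes [Ingress]
		Namespace string
		From      []Peer // ORed; empty means "any source"
		Ports     []Port // empty means "any port"
	}
	Source struct { // connection origin as the CNI plugin sees it
		IP, Namespace   string
		NamespaceLabels map[string]string
		PodLabels       map[string]string // nil when the source is not a pod
	}
)

func selects(s Selector, labels map[string]string) bool {
	for k, v := range s {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// allows reports whether this single peer admits the source.
func (p Peer) allows(src Source, policyNS string) bool {
	if p.IPBlock != "" {
		_, cidr, err := net.ParseCIDR(p.IPBlock)
		return err == nil && cidr.Contains(net.ParseIP(src.IP))
	}
	if src.PodLabels == nil { // selector peers never match non-pod traffic
		return false
	}
	if p.NamespaceSelector != nil {
		if !selects(p.NamespaceSelector, src.NamespaceLabels) {
			return false
		}
	} else if src.Namespace != policyNS { // podSelector alone is namespace-local
		return false
	}
	return p.PodSelector == nil || selects(p.PodSelector, src.PodLabels)
}

// Allowed evaluates ingress to a pod the policy selects: the pod is isolated,
// so anything that no rule admits is dropped.
func (pol Policy) Allowed(src Source, protocol string, port int) bool {
	portOK := len(pol.Ports) == 0
	for _, p := range pol.Ports {
		portOK = portOK || (p.Protocol == protocol && p.Port == port)
	}
	if !portOK {
		return false
	}
	for _, peer := range pol.From {
		if peer.allows(src, pol.Namespace) {
			return true
		}
	}
	return len(pol.From) == 0
}

// SlidePolicy transcribes test-network-policy from the slide: three separate
// peers (ORed) on TCP 8080.
func SlidePolicy() Policy {
	return Policy{
		Namespace: "default",
		From: []Peer{
			{IPBlock: "172.17.0.0/16"},
			{NamespaceSelector: Selector{"project": "instana-dev"}},
			{PodSelector: Selector{"role": "frontend"}},
		},
		Ports: []Port{{"TCP", 8080}},
	}
}

// MergedPeerPolicy is a constructed variant with namespaceSelector and podSelector
// in ONE list entry: it admits only frontend pods inside project=instana-dev namespaces.
func MergedPeerPolicy() Policy {
	pol := SlidePolicy()
	pol.From = []Peer{{NamespaceSelector: Selector{"project": "instana-dev"}, PodSelector: Selector{"role": "frontend"}}}
	return pol
}

func main() {
	frontend := Source{IP: "10.244.1.10", Namespace: "default", PodLabels: map[string]string{"role": "frontend"}}
	fmt.Println("three peers, frontend in default:", SlidePolicy().Allowed(frontend, "TCP", 8080))
	fmt.Println("merged peer, frontend in default:", MergedPeerPolicy().Allowed(frontend, "TCP", 8080))
}
```

The two printed lines differ (true, then false) on nothing but the placement of one dash in the YAML; reviewing a policy means reading each `from` entry as its own clause and asking which of them the intended blast radius actually needs.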

💎 Rarely Needed Gems

46

Controllers

💎 Rarely Needed Gems

47

Controllers

💎 Rarely Needed Gems

  1. Mutating.
  2. Validating.
48

Operators

💎 Rarely Needed Gems

49

Thank you

Launching Your Next Big Idea

09 Jan 2022