K8S
Scaling K8S from 0 to hero
My (actual) tech journey
Contents
| # | Title | Time |
|---|---|---|
| 1 | Intro | 20' |
| 2 | Concepts | 20' |
| 3 | Multi containers design patterns | 20' |
| 4 | High availability | 20' |
| 5 | Ingress | 20' |
| 6 | Security | 20' |
| 7 | RBAC | 20' |
| 8 | Helm | 20' |
| 9 | Cloud Providers | 20' |
| 10 | Data Room | 20' |
1. Intro
- Short story
- Kubernetes intro
- GitOps ecosystem
- Starting with k8s


Paper https://dl.acm.org/doi/pdf/10.1145/3342195.3387517
The foundations of Kubernetes come from Google.

From the paper: "it (1) hides the details of resource management and failure handling so its users can focus on application development instead; (2) operates with very high reliability and availability, and supports applications that do the same; (3) lets us run workloads across tens of thousands of machines effectively."


k8s meaning?
K8s: the 8 stands for the number of letters between "K" and "s" in Kubernetes.
Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications.
It groups containers that make up an application into logical units for easy management and discovery.
Ref. https://kubernetes.io/

Kubernetes is declarative by nature
One of the interesting features of the Kubernetes container orchestration technology is that it’s state-based.
Under Kubernetes, once you define how the various resources within a cluster of virtual or physical machines are supposed to be configured, Kubernetes ensures that configuration is always in force.

Facade

Features
Meanwhile in the kitchen...

Control plane components
| Component | Role |
|---|---|
| etcd | k8s database |
| apiserver | k8s API (CRUD) |
| kube-scheduler | watcher, scheduling decision |
| kube-controller-manager | e.g. node watcher |
| cloud-controller-manager | interaction between cloud provider <-> k8s |

Worker node components
| Component | Role |
|---|---|
| kubelet | worker node daemon (e.g. checks pod liveness/readiness) |
| kube-proxy | implements the k8s Service concept |
| kube-scheduler | watcher, scheduling decision |

GitOps ecosystem
Ref. https://cloudacademy.com/course/introduction-gitops/gitops-architecture/

"Infrastructure" As Code
- Containers definition
- High Availability configuration
- Rollout Configuration
- App Configuration
- HTTP/TCP Rules
- Network Policies

Manifests in the repository:
my-service.yaml
deployment.yaml
...

kubectl apply -f .


Api Server
API REST, idempotent
Supported clients --> https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/

Starting with k8s
how much resource kubernetes consumes

Most common path
2. Concepts
- Docker != Container
- Pod
- Namespace
- Configuration
- Resources
- Liveness/Readiness
Please stop using Docker as a synonym for Container
Docker != Container
Ref https://www.tutorialworks.com/difference-docker-containerd-runc-crio-oci/
Pods are the smallest deployable units of computing that you can create and manage in Kubernetes.
A Pod (as in a pod of whales or pea pod) is a group of one or more containers with shared storage and network resources.


Deployment
Use case: Stateless applications
Example: Web Applications
A single definition for Pods and ReplicaSets

StatefulSet
Use case: Stateful applications
Example: Database
Maintains a sticky identity for each of their Pods

(Cron)Job
Use case: Batch app
Example: Email sender
Creates one or more Pods and will continue to retry execution of the Pods until a specified number of them successfully terminate.

DaemonSet
Use case: Logs collection, nodes monitor
Example: Filebeat
Ensures that all (or some) Nodes run a copy of a Pod

Yaml template
In the .yaml file for the Kubernetes object you want to create, you'll need to set values for the following fields:
- apiVersion - Which version of the Kubernetes API you're using to create this object
- kind - What kind of object you want to create
- metadata - Data that helps uniquely identify the object, including a name string, UID, and optional namespace
- spec - What state you desire for the object
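An added example of the template above (not a manifest from the deck): a minimal Deployment with the four top-level fields annotated. The name, namespace, labels and image are assumed values.

```yaml
# Added example: a minimal Deployment showing the four required top-level fields.
# Name, namespace, labels and image are assumed values, not from the deck.
apiVersion: apps/v1          # API group/version that defines the Deployment kind
kind: Deployment             # what kind of object to create
metadata:                    # identifies the object: name, optional namespace, labels
  name: my-service
  namespace: demo            # assumed namespace; omit to use "default"
  labels:
    app: my-service
spec:                        # desired state; the control plane reconciles toward it
  replicas: 2
  selector:
    matchLabels:
      app: my-service        # must match the Pod template labels below
  template:                  # Pod template handed to the ReplicaSet
    metadata:
      labels:
        app: my-service
    spec:
      containers:
        - name: app
          image: registry.example.com/my-service:1.0.0   # assumed image
          ports:
            - containerPort: 8080
```

Apply it with `kubectl apply -f deployment.yaml`; applying the same file again is a no-op, which is the idempotent behaviour of the API server mentioned earlier.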
Namespace
Namespaces provide a mechanism for isolating groups of resources within a single cluster
- Cluster shared between different teams, projects or environments
- Names of resources need to be unique within a namespace
- Namespaces are a way to divide cluster resources between multiple users (via resource quota).
App Configuration
| Name | Usage |
|---|---|
| Configmap | No sensitive data |
| Secret | Sensitive data |

Please do not store your secrets in clear text inside a shared Git repository
Solutions
- Keep them encrypted (ex. Sealed Secrets)
  https://github.com/bitnami-labs/sealed-secrets
- Use secrets managed by the cloud provider (ex. AWS Secrets Manager)
  https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver.html
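An added example (not from the deck) of the ConfigMap/Secret split: a ConfigMap for non-sensitive settings, a Secret for a credential, and a Pod consuming both through environment variables and a volume. All names and values are constructed.

```yaml
# Added example: ConfigMap for non-sensitive config, Secret for credentials,
# and a Pod consuming both. All names and values are constructed.
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-service-config
data:
  LOG_LEVEL: "info"
  DB_HOST: "db.demo.svc.cluster.local"
---
apiVersion: v1
kind: Secret
metadata:
  name: my-service-db
type: Opaque
stringData:                  # plain text in the manifest; the API server stores it
  DB_PASSWORD: "example-only-change-me"   # base64-encoded, which is NOT encryption
---
apiVersion: v1
kind: Pod
metadata:
  name: my-service
spec:
  containers:
    - name: app
      image: registry.example.com/my-service:1.0.0   # assumed image
      envFrom:
        - configMapRef:
            name: my-service-config      # every key becomes an env var
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: my-service-db
              key: DB_PASSWORD
      volumeMounts:
        - name: db-cred
          mountPath: /etc/secrets        # same secret, exposed as files
          readOnly: true
  volumes:
    - name: db-cred
      secret:
        secretName: my-service-db
```

The Secret manifest above is exactly the "clear secret" the slide warns about: it must not be committed as-is. Commit the Sealed Secrets form instead (the controller decrypts it inside the cluster), or let the Secrets Store CSI driver pull the value from the cloud secret manager at mount time; in both cases the plain Secret exists only inside the cluster, where etcd encryption at rest and RBAC on the `secrets` resource limit who can read it.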

Resource Management
If your usage is much lower than your request, you are wasting money.
If it is higher, you are risking performance issues in the node.
⚠️ CPU throttling
⚠️ Memory pressure

Sum of cpu requests <= total cpu
Sum of mem requests <= total mem
Sum of cpu limits can be > total cpu
Sum of mem limits can be > total mem

Liveness/Readiness
The kubelet uses liveness probes to know when to restart a container.
The kubelet uses readiness probes to know when a container is ready to start accepting traffic.
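An added example (not from the deck) covering both the Resource Management and the Liveness/Readiness slides: one Pod with requests and limits plus HTTP probes, with comments stating what each setting causes at runtime. Image, ports and probe paths are assumed.

```yaml
# Added example: requests/limits and liveness/readiness probes on one container.
# Image, ports and probe paths are assumed values.
apiVersion: v1
kind: Pod
metadata:
  name: my-service
  labels:
    app: my-service
spec:
  containers:
    - name: app
      image: registry.example.com/my-service:1.0.0
      ports:
        - containerPort: 8080
      resources:
        requests:               # what the scheduler reserves on the node
          cpu: "250m"           # 0.25 CPU core
          memory: "128Mi"
        limits:                 # hard ceiling enforced by the kubelet / cgroups
          cpu: "500m"           # above this the container is CPU-throttled
          memory: "256Mi"       # above this the container is OOM-killed and restarted
      readinessProbe:           # failing: Pod is removed from Service endpoints, NOT restarted
        httpGet:
          path: /ready
          port: 8080
        initialDelaySeconds: 5
        periodSeconds: 5
      livenessProbe:            # failing failureThreshold times: kubelet restarts the container
        httpGet:
          path: /healthz
          port: 8080
        initialDelaySeconds: 15
        periodSeconds: 10
        failureThreshold: 3
```

The two probes should check different things: readiness reports whether the container can serve a request right now (dependencies reachable, caches warm), liveness only whether the process is wedged. Pointing the liveness probe at a dependency-aware endpoint turns a database outage into a restart loop across every replica.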

3. Multi containers design patterns
A Pod (as in a pod of whales or pea pod) is a group of one or more containers with shared storage and network resources.

https://azure.microsoft.com/it-it/resources/designing-distributed-systems/
Main design patterns
● Init Container
● Sidecar pattern
● Ambassadors
● Adapter Pattern
Design patterns - Init container
- Wait for an external condition before starting the application
- Notify external systems that a given application is starting
- Initial setup required before the application starts
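An added example (not from the deck) of the first and third use cases: one init container waits for a database port to open, a second prepares a file the application reads. Init containers run in order and each must exit 0 before the app container starts. Image names, hostname and port are assumed.

```yaml
# Added example: init containers that wait for a dependency and prepare data.
# Image names, the database hostname and port are assumed values.
apiVersion: v1
kind: Pod
metadata:
  name: my-service
spec:
  initContainers:
    - name: wait-for-db              # blocks until the DB accepts TCP connections
      image: busybox:1.36
      command: ["sh", "-c"]
      args:
        - until nc -z -w 2 db.demo.svc.cluster.local 5432; do echo "waiting for db"; sleep 2; done
    - name: init-config              # runs only after wait-for-db succeeded
      image: busybox:1.36
      command: ["sh", "-c", "echo 'generated at startup' > /work/bootstrap.txt"]
      volumeMounts:
        - name: work
          mountPath: /work
  containers:
    - name: app
      image: registry.example.com/my-service:1.0.0
      volumeMounts:
        - name: work
          mountPath: /work
          readOnly: true             # the app only reads what init prepared
  volumes:
    - name: work
      emptyDir: {}                   # shared between init and app containers, lives with the Pod
```

While an init container is still running the Pod reports `Init:0/2` or `Init:1/2` in `kubectl get pods`, which is the first place to look when a Pod never reaches `Running`.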
Design patterns - Sidecar pattern
- HTTP termination for a legacy HTTP system
- Automatic configuration synchronization

Design patterns - Ambassadors
- External Service Discovery
- Proxy sharding (e.g. Twitter twemproxy) https://github.com/twitter/twemproxy
- A/B Test

Design patterns - Adapter
- Adapt services to meet more requirements while leaving the application unchanged
- Database healthcheck

4. High Availability
Autoscaling
- Cluster Autoscaling (CA)
- Horizontal pod autoscaling (HPA)
- Vertical Pod autoscaling (VPA)
Affinity
- Multi Zone cluster
- Pod (Anti)Affinity
- Node Affinity
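An added example (not from the deck) tying the Autoscaling and Affinity slides together: a Deployment that prefers spreading replicas across zones and is pinned to a node pool by label, plus an HPA that scales it on CPU utilization. The `node-pool` label, image and thresholds are assumed.

```yaml
# Added example: pod anti-affinity across zones, node affinity on a pool label,
# and an HPA on CPU utilization. Label key, image and thresholds are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-service
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-service
  template:
    metadata:
      labels:
        app: my-service
    spec:
      affinity:
        podAntiAffinity:
          # "preferred" rather than "required": the HPA can then scale beyond the
          # number of zones instead of leaving extra replicas Pending
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app: my-service
                topologyKey: topology.kubernetes.io/zone   # standard zone label
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-pool          # assumed custom node label
                    operator: In
                    values: ["general"]
      containers:
        - name: app
          image: registry.example.com/my-service:1.0.0
          resources:
            requests:
              cpu: "250m"       # HPA utilization is a percentage of this request
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: my-service
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: my-service
  minReplicas: 3                # one per zone keeps a zone outage from taking the service down
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
```

The three mechanisms interlock: the HPA adds Pods, the scheduler places them according to the affinity rules, and when no node has room the Pods stay Pending, which is the signal the Cluster Autoscaler uses to add a node. Without a CPU request the HPA has nothing to compute utilization against and reports `<unknown>`.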

5. Exposing applications
- Service
- Ingress

Pods are nonpermanent resources
Each Pod gets its own IP address
A Service automagically exposes ready Pods with a unique internal DNS name

Service yaml example

Pod to Pod communication
Ingress Controller
Ingress Controller in Kubernetes
Ingress Controller in Cloud Services

Ingress Example yaml
Ingress Controller (ex. Nginx / Managed by cloud provider)
Auto sync
Nginx Deployment
Nginx Service
https://cat-bounce.com/
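An added example (not from the deck) for both the "Service yaml example" and "Ingress Example yaml" slides: a ClusterIP Service in front of the Pods, and an Ingress that routes a hostname to it through an ingress-nginx controller. Hostname, TLS secret name and the `nginx` ingress class are assumed.

```yaml
# Added example: Service selecting the Pods, and an Ingress routing to it.
# Hostname, TLS secret and ingress class name are assumed values.
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: demo
spec:
  type: ClusterIP                  # internal only: my-service.demo.svc.cluster.local
  selector:
    app: my-service                # Pods with this label AND passing readiness become endpoints
  ports:
    - name: http
      port: 80                     # port the Service listens on
      targetPort: 8080             # containerPort inside the Pod
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-service
  namespace: demo
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"   # ingress-nginx: force HTTP -> HTTPS
spec:
  ingressClassName: nginx          # which controller owns this Ingress
  tls:
    - hosts: ["my-service.example.com"]
      secretName: my-service-tls   # kubernetes.io/tls Secret, assumed present
  rules:
    - host: my-service.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service   # the Service above, by name
                port:
                  number: 80
```

The controller watches Ingress objects and rewrites its own nginx configuration ("auto sync" on the slide); the Service stays ClusterIP, so the only externally reachable entry point is the controller's load balancer, which is also where TLS terminates and where request logs for detection are produced.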
6. Security
- Net rules
- Update k8s
Network Policies
Pods are non-isolated by default
NetworkPolicies control traffic flow at the IP address or port level (OSI layer 3 or 4); they are an application-centric construct that lets you specify how a pod is allowed to communicate with various network "entities"

Use case
Ingress / Egress Flow

Network Policy yaml example
Update k8s cluster
https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html

Proactively update your clusters to use the latest available version
Typically, test the new k8s version in a dev cluster before going to production
Cloud providers give you the tools to upgrade K8S (control-plane, worker-nodes)
And this is NOT done automatically.
Upgrade process
- cordon old node --> unschedulable label
- drain old node
- once drained, stop old node
- start new fresh node (unready state)
- attach new node to control-plane
- make new node ready

7. RBAC
kube-api-server responsables of Authentication and Authorization

https://learnk8s.io/authentication-kubernetes
https://learnk8s.io/authentication-kubernetes
https://learnk8s.io/authentication-kubernetes
Text


RBAC example
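An added RBAC example (not from the deck): a ServiceAccount for a deployment job, a namespaced Role that can update Deployments and read Pods and their logs, and the RoleBinding joining them. Namespace and names are assumed.

```yaml
# Added example: least-privilege RBAC for a deployment job in one namespace.
# Namespace and names are assumed values.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deploy-bot
  namespace: demo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                         # namespaced; a ClusterRole would apply cluster-wide
metadata:
  name: deployment-manager
  namespace: demo
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "update", "patch"]   # no create/delete
  - apiGroups: [""]                # core API group
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
  # deliberately absent: secrets, pods/exec, and any wildcard "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deploy-bot-deployment-manager
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: deploy-bot
    namespace: demo
roleRef:
  kind: Role
  name: deployment-manager
  apiGroup: rbac.authorization.k8s.io
```

Check the result from the API server's point of view before trusting it: `kubectl auth can-i update deployments -n demo --as=system:serviceaccount:demo:deploy-bot` should answer `yes`, and the same command with `get secrets` should answer `no`. Authentication (who the token belongs to) and authorization (what the Role allows) are evaluated separately, so a valid token with no binding still gets 403.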
8. Helm
"Helm is the best way to find, share, and use software built for Kubernetes."
Ref. https://helm.sh/
https://artifacthub.io/
9. Cloud Provider
| Provider | Managed K8S | Fully Managed |
|---|---|---|
| Azure | AKS | Container Instance |
| AWS | EKS | Fargate |
| Google Cloud | GKE - Standard | GKE - Autopilot |
| IBM Cloud | Kubernetes Service | - |
https://www.exoscale.com/syslog/why-managed-kubernetes/

10. DataRoom

From https://www.gartner.com/en/newsroom/press-releases/2021-04-21-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-23-percent-in-2021
Data room - Wasted cloud spend

From https://www.parkmycloud.com
Head in the clouds feet on the ground
Thank you
K8S
By Yuri Bacciarini