Kubernetes-Notes On Devops

The document outlines the architecture of Kubernetes, detailing components such as the Master node, Worker nodes, kube API Server, and various controllers. It explains the roles of the kube scheduler, replication controller, and deployment management, along with resource management through limits and requests. Additionally, it discusses the use of static pods, multiple schedulers, and the configuration of Kubernetes objects using YAML.
Kuberretes Architecture Worker Node — | Master] —— kube Api Server Control EIcD Manager, | cluster Tocker APL Auth depycated fointeriner d antotace (CRI CRI itrectuced hye kag, to intyywote old confennerc Rurh'mes (Sony, with Docker Now orcherte () [kube APL Sener = Ruterh care User ~ Validate Teplerk $e - rdretve dota ~ updese eyep ‘heduler, Control Monagor ~ Scheduler uses kube Api Server to update Ted - kubeler tt \Niew api Server ( kubeadm) kubeadmn — configures pre eted tmnto _pod cat /ete/ Kubernetes / manifests / Kube-api server. yr) es -anx [grep i kube-opi © | Contr} Manager | : j Wedeh Stectuls G' there ore (Contrellers for each Remectiote Process in K3S Situcch on ' Nede Moni Nede -fontroller "erie eee Replication Contller : Deploy ment Namespace — Endpoint Service Account comroller I all ove puckeaged Kube Contol Monger de View kube -controtler Hangec — (_Kubeadtn ) S it is Gotigured a a Pop ® | Kube scheduler | TS pnbg decid, whieh POD will ge on wlhich Worker Nede : L> tH doen't artudlly dep loay bre POD, His done ly Kubelet Kube Scheduler Sek CPU to Nodes oe cpu cro ® 16 © Filter Neda @ Renk Node ae View kube Schecter C Kube adm ) ~ ‘get | felez kubermedes J moniteds / Ku be - scheduler ym] ~ ps -aux [ grep kube Scheduler Seq The Nodes _ Lo Ack ke Captesn © Register Nede ® Create PODs ® Monitor Nede ond =PODs We hawe to Install MH manually © kube Prong © zntomal NW G fake, the sve POD Network He amd allows ® se wales to connect @ Always lbcks ab tor new svc with adeaal a. 4b POD Ls applicatons are not alivectly cleplayed toto containers; ‘hey ove covered by Kas ohject called Fob Mult container Pods at share 2 per same al contetner NJolume a oa Confeurn or | Fon => (lontefner + Helper je deleted, helper aletebes A> the Conteliner s certeiner also YAML to Kubernetes apiVersion 2 ia apps /V! kind Pocl +S metudaba * eve deplaymend nNeme labels spec * Containers * ~ nar e imaqe * ° ° una Conte ner Ready Ch L ° ? 
total Contutner ip Pop Replication ntroller / Replica Set e ‘S Ha ofthe jabels PO octd [uo Bultiple Nod we ge ands tof Wo Ww e Oodhes ane P P a? = poo Replication Controller | Replica Set apiVersion apiVersion + apes/i! kPod kind : ReplicaSot metadata | spec , spec —— template template PoD ; replicas 3 Pselector : match Labels Ve -definitron - ym] App > mycey Wete > RS can also manage PODS ) creoted bg begere RS wing Labels amd seledors He Scale & change replicas > > to replicas. & lo ku scale -- replicus =6 -e ws.q rod Ww ku Scale i— “repli co» 267 vrepUicersah OY APP 3 wolli'ng, Upded sro) lb excl. deploy ment yen => same w vs. yrod chenge_ re Seger’ Kind. Deploymert Always we Ku yun’ to get YAML ku run nginx mage nginx ~dey-tun client -° yarn) ku crecde deployment —~rimage = nginx —dy-run = cllont -o yor! > deployment-ym| @ Cluster Mode ip Node fort bile 7/192. 163-1 2 E 3003 p= = 192A bE 110 | ae 3 SVE \ i ia . : ‘Podefor® Cluster LP) | Clot Balencers S external access to the app Node Port 30 B00 - 324164 0 \ terge-port oO lca Nodefort = e a apiVerston = v1 rt , Kind + Sewtce add Labels 6 oe ; Wetec “shyfayp sve that YoU, any ee ‘ ec: goede) (N svc selector * ® e > NocePort ape) SOYORP ports = i tyre Awontend “Ftavgelfort + 96 , Port 730 nodefert : 3000 > w oe ave created , jt looks &r all Pods i smote ing. Lobes omd Selectors & onto Registers thre PODs Wing labels aX NC for Multi Node bettps 1) 142.69 -L2* 3000! bips/f t2-169-1-3¢ 30007 Ue can acces yhe app with aame Noedefort by changin Node ip only (B Cluster LP frontenc) backend reds @ xe S we camot give Customer te load Baton cor ‘Share single URL Node: Port access @ ip to owe the appl cetti on. to acces the apa apiVersion:: vit Kind “Resource Quote metadata; / nome + Ccompute-qyoter namespace > dev Spec - Vowd + pods = to vequets.cpu = 4 Yepiests» memory = Shri limits. cpu = lo (mils memory = oie dev sve ns dbsenice. dev sve. cluster-locat Tan peradi VE. 
L> step vy step ins-yuch’on Dedatative eS & dedove vey Tovregotn l Avsible SE kubect) Apply loca file dost applied kas \ ' b live Object app-a™ A Config local ‘systerr soo tormad Bored In { i % K&S cluster at “vo here this is stored Sn pmsl d t ts ts hy adding = 1 aise Mive objed Contig. metadata annotations + kubect. Kubemetes . Mot -applied stontiy = 2 ison g- Lobel s +E Sch eda Une, ue i ® @® Monual Senediabing ® labels / Selectors ® 'Reource |Amits ' MO Lremoy. sats GO Muliple: suedulers, © Scheduler events | ©, 7 Configure Acubornetes _ Seheditlor g chedullin bo i Monuel aI op ce a AR In polsGtet | these is, & field Por nodeNome MeO Igy met taentioned; Pot yemalns ip fendiin Shute, We Ca smanusttles "ade the modeNome amd oasign Node to Pap ~ apiverston..-/ We cannes!) ame er hale Rumning nd ala COD fem one Node to AMS anther Node \ y spec Containers ome I Image | modeNome! ku -yeplace force Ly delete , the sources annd ~ apply men a | se labels — ome Selectors Im kubernetes we have =) objects P| dep =apps — = > ku ye pods --Sleclor opp =app) we add Labels fp templates * PoDs and use Selectors wn RG ope deployment = Annotation & wel ‘to adelitional dete yin the YAML fle) oho ow email | cont | in | \ } HEV’ Vaknts and - lolerants ote aroot lee Lent : (bed sae oi TA xem ee tal = rou, Pot pop © en ma DP tan Twi —— - ; assipned to Nee ‘o) Taint = blue be oe Moles. fe — : + Vain ts —_> app Lied to ‘Node Teleronte «(=> applied te FOND. or “Ohjeds i => ku faint nodes node-name- Key=Mabue ! ‘aint - { epBeat NoScheduie | tvofero Schedule i \lofxeate |e talwt mec es _mode! qone Naira “Blerations_ —> applied on Pod : . + @ Aint node Pe jaink modes ‘nodet opp=blue = Niehstule apiVersion’ { elec Ravdtn] o2 obs te Te Pop.is obrecichy. puadate roynin cra th has anes : “Tatortions, hon ee > a a ‘ory 5 fine applied on Node | nore will remove oll the "meg e “other PODs without ~ee een Tolovetions ~ Keyt Mapp” . Operoder > Y Equot aa ; : volwe = “blue” aster Wa a “Taint that... 
Phone 7s Oggeck =" NoSchedal de ost alow any Pops “& Maxtey Nede =F Nede._ Selectovs Lwe hawe ditt Node with | ae eae TESOUYE OES ‘ G detent usar Bay allocating Nede -te-,-Fop tS condom Step, Label tne Node [ku label nodes enode- ome > should have for CRU | Request JM ; No time on i i! oe ci ee 7 + [Banos =| c always deploys q aq ing * @& We can ‘deploy 14 Monitoring / Rogging <1 | servers OD Daemon sais ® GL Aso Kubeproxy Wede is. Also cleployed : - ~ wer taemen Set CDaemnsd == Replica St Kind = 2D wemen Set cre Copp og tre POD SF Stoic = Pods GS con independently monage & Node kubeled reads the. pod-yn! ond POD" ubemnds Adm in: This POBror PODs ave called Stetic PODs Kubelet us0cKs with PODs , tt conmot evette RS, Deployment depley SD 2 lool< this Note : We have Container a time. og ay comtuner merdctl ps SHetic Pods > When a Sing contiGue in, 3 Pop VAML cvictHl le Node is there , momually. ad etd / kube apicerver / contre) Manager Just eveate tne ond store it in a dee/eatonee smo if => Tdontify POD, a stede POD, ls POD® ramen ends wit snode_nam e S | moyepp- Ts =,nodeov S look ot owner Reference We ood once = Coredns. ,* 4 aney cannot > kube proxy, deploy Not Static POD, . atedic pod > \ | Alor] 186 / kubelet/config. yoo | { Kkubetl run — static-bigy box ~-Tmage buy box ~-dryrun= client ~o yom) —Command ~- sleep (ooo we > steHc.ym) Push dis file 40 /ete/kubermetes /manitests/ jete/ Kubemetes/-manitests/} ep stece- ym } > Te delete o 2 «dind fhe © ast ® Yo lL find aver ee | = ssh x c amos ed x Ll WA static POD, in namespaces amenitest YAML file /ete/ Kubemedes /muni fer Aor | Le / Kubelet / the node ip. to the “node — Aiov/ tib/ kubelet/contig. ym read the. 
“path | for statiePodsb JE Multiple schedulers ) Gin kubemete, , we can create apt Schediers — and Configure it inte cluster 5 We com Also add Multi ple Schedulers, apiVersion efault-sthedulor Rind: Kubesinedutlor profile : ort gurcti = a-L Big, | sehedull - SchedulerName: ny healer 2 Sehedatler w a POD ) my te heditler mcomtig “My — pdtorn - scheduler: yr apiNoision 3 Rind + POD Griese ha metadata > Gaston Scheduler YA ome ¢ file omd qiv (pcoton a eee Spec + j conbeners » command eee am [ - ae a 7 ele/ Sees Jy -stbedullor-Ont's ‘ys ( tmage * . name = One Lwstorn Schecluler orn -b lepine Con execute: only der ‘ oe one Resource - or oe yylor wh a | ot se Namespace. 5 x0 : Jeader€ kection + ries setae] ete lime ku get pod wresourceNumegpace » CKube-sys ku get deployment vesoureNerme = tock objet ~ -schedula POD —> Pending tee Cy Schectuler is not assigned eS config-y! tile IS net press Pres ert => ku get events -~o wide ‘ — a [Scheduler Profile (P| Crestedl PODs ove seat in Schetiling Queue : @ Plugins 1O 0 © G_] Cfriortty eort) > 2 Schedatin 4 Queue Filtec - (NodeResourceli+ ) Nedé Nome (NedeReseurcestit \>-santal aie p obter PESOUTCE assigned how much Resource ( Tana ge Lecotity > & Node which he ie Ie ae Tmage of, PD (High | Nede hes high Store D © All plugins ewe (umnatibinds > attached to Extension Profiles my ~etheduler-2 ay scheduler-3 Scheduler prof profiles = wy - scheduler-4 & apiNiersion » leind + RubeSchedutler Contig urestion profiles = — schedulerName * my-scheduler~ 2 _ achedulerNome * a voy schedulers my -sehedul Or-2 Taint Tolexhon —schedutlerNome * plugins + nae ton? Score + ers, disabled > . gor —mame = i ins enabled + ee pam e wel lhe: (spe? gisoble on 8 | as wats + My castor Pug in A Nyeustone PuginB SP | Admission — Comoller Kubect! )— _— Authentication —> Authorization ®p oD usec is addin or teh? ere Permissions ae Yo PODS / ep leyrments Rene does not have feuttive (any ma ole 2 (©) Only — peemit tmeages trom ? 
All thus \ocol cregistry- (D ee rot Pormit wos Meds ee & can't achelve OD Onby permit certain copab i lities ) with BAG @ op obvays har lobels Res ® © 4 _o ce @ ‘Rubect Juithootication = . aTTSION ertication > Authorization > Contvoller |> POD © Always Pall Lege © peQuult Stevage Class | View Enable Adrniesion Pome space Exisds \ Controllers @ Neny move t enable-admission ~plugins aad P we Kube~apisewwer ~h | grep Enable Admission Controller eee ku be-apiServer. sevice ~- enable -admission- plugins = NodeRestrichion, Namespace Auto Proursion Namission Controller KE lS does rot Autnonticde ls Neomespace Auto Provision (5 defauit ditablad Nei are uae ene Ce exec -it kube-dpr'servor-conbrelptane ~n ‘kube syetee ~- kube-apisowver ~b A grep enab)e~ddrits a pug ins GQ > by detautt enabled plugins —S Node Restriction CS © Nomespace Exists —s check NS is oxculable i + preseot Hen automat coll C (Natidasing FF nee (when enabled plugins’) @ Depaul Storage C Lacs —> keeps on looking for 4 Musesting) 7 PVC vreaqttests coe Konission > ED) 9 2 Ayre Web hoe & op Cater Contre = eae , Admissen —— obhool ; yotro ler | hoo Ci = Legging Moni toring O, Weis Cie aevens | Node Hetrics > RAM /cru No. og Nodes Pop -Meirtes <> RAN (CPU No. 9g Pop | Meri Server | 70 monitors Cluster Nodes ‘metrics , do _ tot stoves Mo avd «= clisk © Cannot view histow''cal dase => clone the metrics sewer Prom Girthub ku top node ku top pode A: Simple te Seep in (Contre) plane M clone — from Frithub ® ku top mode. 
[ku toys F_podsneme | [eu lois Ft } > View Live tale ‘ = =< e Maltiple centetiners ig Single POD, theo Specity me Conteriner = Neme ° HE Application = Lifecycle Nonagemen t 0) Rolling Upelat cmd Roll ecectes ) Configure Applications (D Scale Applications () Self Healing ~ ppplic ation s Rellow / Versioning appN.'-4D —> appv ltt ee ee Ge) Poplist ae Tm ia ie | te te z Deploy Newer Versior Tyhme:10 Delete older Version X (Recresie — wbadegu 2 2 ge ADadg awa av a J ie Rolling Updede Depart Strategy “Reeves @ | Palling Update scaled down to oO sealed down wot gcoled upto 5 scaled up +05 Scaled doum +e 2 scolbd Up to 4 OUpgrades —_——= | a = >| oug al Replica Set-I Replica Set-2 Dsploymect first Replica set is created When We eee “Deployment , ther Replia set oe the POD Now any change in Condiqueeedton / Depley not (eote, an— ovether Replicuseh = 2 and delete fhe older Replia set © Roll bacle : ku vollout undo deplagrmont/-mynen: eplowremeh & pe deletes fhe Replicaset-2 od crewkes the POD wing the Pep corel -! amd — Deployment is Back we previows Version G) = RU vollout steckts aleployrnent/-myapp-deploy men? ku vollout history deployment Ku -yollouk undo deployment Ku set image olepley/myapp-deplotmont —onkoames bivy box v2 = ENTRY POINT Ly pentautner wil] aun H's emd when it ts create. Entry pein is the emd od CHD appends te ib cu> avguments FROM ubunty ENTRYPOINT [E"sleep"'J emp P's) ap? Version rv wind metucatu epee : tontw'ners + . ‘ image command * C "sleep “7 => ENTRYPO ENT ams: Co") = Mb (9 commond > Ci'sleep”, “sooo"J > Arr auy _toserearg © 2 command ] ay 2 use = ‘sleep" ~ 'so00!' Aw oy? 
ee wns Commend > ['sleep "I orgs = ['s000"'5 7 Way 2 YY ® All commends and Aye coy be Strin on gong B semetining in POD- i not allowrn to eclity then we Fre Lop, created ancl arepltce “the = POD [ ke replace ~-forre -f fovea) > 4 will delete the older POP and evedtes = new POD with edit chonges to feb Pop stile Ku yun nginx ~~Imageenginx -— ehosate _ (opttons fr Hi re Gi wed sarg> (OF ema) os de ENV voria bles @ oO Plat key Vole env : —name * valueFrom ¢ Contig Mapkey Ref : @ — ConfiyMap env: —OME = nalueFrom = Secrettcey Reg * © Seeret He GondigHa p step D create contighop APP_CoLOR : blue ku create tontignep \ Arp (tobe + pred nyetgreftORCBL0R ——Frow -liforel a APP_COLOR = blue G oc provide ———e—pr file peth_ G@nfiomep. ym) Sed pd : mysgl- Cnty ap Vesion 4 fund = ComFig Hop Port * 3306 metadata: max —allow~ pace! : (23M data = ApPCOLOR + ble APP_HODE = prod step @ tnject env Veertable through Comtyg Me p- pay). apec . comtenin Ors - name Image ports env From 7 ~contighag Ret = Home . app-contig- nome ie or contig Mop 0 _ mysel contig VAML Prother Way VA Cy Nolumes + : name > app @nfiy-Nelume config Nap . mame * app-con tig +e Secrets (3 step create. secret secvet DBHOST = mysy! DB-USER + Yoot DB_PASSWORD ~ pussWorel Ku crete Secret myappscee generic myappsecrat —frorrliteral = key value secret —clate ym | apt Version = kind : Secreb = eae ‘ echo -n “mysql!” I pe-yost + mysql 4 iDs_vser = | voor Sas" DB- pass WORD * password echo -n'apsdzx'} benesy --decode > Altech Lever to POD sik @ Cecret ave aot encry pred - Only encoded (9 De not Push te Gri thud @ secrets ave not encrypted in ECD envErom = = secyetReQ + name ~ app-secreh ce Encrypting secreh date step 0 Create, secreb ee generic murs) \ —-frormliteras = Keyt= Velie stepO srojath etcdctl Searcy etedlct| secreh VIL & Eit> stere ie date inte an weaduble Value . 
NOT encrypted step © Enable = ~-encrypHon- prov idorrconfig vl [ete/ kubernetes/ men iPest/teube-api server apiNersion kind = Enevypton(entiguretion YESDUYTOS + Whot Wwe ~ Tesource + re -secreass 7 enery pt secvets / config rep want te providers + ~Cesche Keys + ~mame = Secret: -banecu value edit tne — kube-apiserver —- YAML == ENETY Ption- prov id ev- Cont? Cy enable add Ane Yolume mount dor he eneryption-ym\ dle tHe Kult oes Pods apiNersion : Kind = /-metadeta + spec = a 1 6 comtuiners « — nome : weber 2 = Tinage : bale pp a Conrteun ee | wo er - name = log-agent: 4 ey ee | ‘mage = eq agent al Conteuner 2 + Autoscoling Sealing Ty Kuberetes 0 Scaling Workloads S Theveaxin g POD over the Nodes o | ~ iol Goaealing Nodes in Cluster wor” (Qecrs [Monual | kubect] foro Kubectt calle Kubert. edit Pod > Vertical Awlomete. Cluster ty Auto scalor (He) (Pa) HPA Fracks muhiple \radt metrics ae HPA WM Fodayvl gpiV ersion = ; D> \mete | — HPA e PO \SerN Ex kind + Bepleynent meledarta » Spec ¢ z ee ku autos cale ;-deploym ent — name myapp \ Emaqe ‘n= cpu- percent = 50 TESOUTCES . -- min=t —mM ak =10 "reyes: Ct i cpu: “260mi"! ibe { Umits: ) « tpu "' S00mi"' | el gee eu eeeeS emer ad To get YAML —dry-runs client -o yarn! $e Am place) Resine!” eg’! | POD G Detawt —> POD kill Fist , then cvecte mew POD with seu Reources ak . =In Place Plontainers : TORE GATES= - nome. image » resize Policy * ~ resourteNome > cpu FEA Change in CPU do net ca nebie [Restert en “Menno delete fob vestortfolicy Restor’ Corkiinor amd creete POD Wee PU oj: Kabel an — vescurceNome = memory “che J 7 7 will image, Monua Dy. [reo ey ie xu edit depla , relent = : ' : a : - ( cpu? 250m" ¢ edit He ~eSourced Linetts | Limits > ( \ cpu: "svomi'! | NPA ave not pou in Bubernden @ Ku apply -# bipsH// github-om) Pod / Kee Zs ee Adm myapp-¥pa- ym! 
teelits “orbe bles amd Compares usith Pob eG omd Updete Resources “Kind + Vertical Poel AutoScalor J metadata : Spec - lorgetRet = peource FTG een loyrmentt faind = Deployment mDep aon eee” ott —> only recommend Fs, updotePolicy + ' ee ee updadeMede : “Audo"" pea, Auto ie Bey clea fal] 00 / momory WEP APPS) microservico, DB workloads - Aroggic is mere ae Cluster © cluster © Rlaintenonce upgrade Process OS upgrades 2 Beckup ont Restore +e Os upyrade ; 2 : Node ee down; | Ater, interva) ©8 S min kube -apisower — declores Ho “Terminated Te POP is park Replica Sat y ai will ve created on other Nede, Ou mecle- 3 i mame olf PODs rors anode! ka drain mode-!{ =? amd wveaste na PODS on other sade mode , Also mats nodes i — oS Umsehedubeoblée Ka _covdon ropde-> => Mock mode? Unechedulalee ka Uncord6n — -node-! i Renee arstvicton Unsch eal fre 7 med 1 drofn os Unmenaged POD. awe loct , = @ work a Unschedulabe @ delete olf PODs , and RS will smonage thom on itt nodes an) LL + = Kubernd®s = Version Vie ie 6g ee a mojon minor patch oan log fixes Fev month vie 10-0 (stable > Vers town; ee Kube -apisewer x NIL lates X=1 (wad x1 (wna) X-2 y X-2 (vies y Wis ew " |) teubect) } NID VAP NDS MD XH] > X-1 VIO PV O—”H Custer Upgrade Upavade el fe zl \ i up rede whe Mester Nede, Wortcer Node seeeys f Sop functioning * Pop tails | then ‘Yo arto heal oe vide a VMonag emer; ts io peo) Upgracte ene by one Worker Node, As POD eg Worker Node. voll) be cveotec| in Aift nodes «upgrade Worker Node-l . * ‘Now ; eepett “serne “Hor Worker - Node-2 ahrategy -2 LSS Add mew Worker Nate doth ladest Version G Gsible when Nodes one cvented ov Cloud |, Prov iders to me Eh teri ae kubeadm Upgrade. ool > kubeadm —upysade . plan aiep © Upgracle the kubeadm ee 4 apt-get upgrade “y Kubeadtp = 1. 12.000 Kubead upgrade — opply Me 12.0 yet “re Segmde ease wi) Het cela upgtede wy “ubelel- #12. 6-00 = “er Note Systemeth restart — kubelet >*p@ upgrade __ Warker_-Nede. © |Rubet|) drain node-) apt-get upgrade -y . 
Rubeadie I. 12-Q-00 On Oo apt-get upgrade -Y Kulbelet= !-12-0-00 seo . . der’, a -Kubeadm —upgvude Node contig. e -_ kubelet-Vorsion uM 12-0 z fig systema! vesterrt rabeled bye! 8 Lubect! | uncordon nede-i |” asd , te Cluster =U pyrode Ku get = nodes => chek Version Cot Zetec / * yelease* fivst change scepusitorias trom kubernela0 co pkg. kas-io eho "deb add the new Vewion curl» - SSL : For Worker | node. esh ~nodeo! += Backup and Restore i 2 ae =—P : Contig « . Re re Resource « u Cond guevadions . Ku get all ~-all-narnespaces -o yaml > all deploy~serice.yry 3E Backup etcep &S stores information obout sede op kubermetes cluster ~~ [Ee aie ° ee FICDCTLAPI =3 etedet\ eted. sowvice Snapshot save Geapshot.d ® _ data-dir= Aor lib Jeted -from-backup eis oe © Restore ; add on tig tile Ls stop Kulbe-apiserver in © © Sewice ~ Kube-ctpiserver © EICDCIL-API =3 eledet! \ stop snapshot ‘restore Conapshotdb ~data-dir Arwy/lib /eted-frow-bae kup aes “Yo stoke Backup f @ step 1 2 descvibe the, |- ded = controlplang _ pod | oe Whol 4 : G This ts wstetie Pod rote all the volues ; et belive Ne si - endpoints ( b bets venir - tusted-ca-cert step 2 ; beet ETD. 
ARIS etcdet) anupshor Seve ~-ondpoints= 12%.0.0:0: 2394) _- cacort =/ete/ Kuberneles /pki /ekd /ca.crt N ~- cort = /ec/eubernedes/pki /ered / sewver-crt —- Key = ele/ kubemdes/ pki /eted/ sowver-key ,\ Jopt path Restore orginal = Stete eC hiater FX restore i+ from Snapshot: Sedet\ Iyestere — --dada-cir — /var/lib /eted - Pom-backup fe shot - pre-boot-db where we want (mma beh, tee a path oR snepshot | l 1 @ “update tne —ekcd-controlplone «/ YAML file - Aiolumpe i 3 Cheds ‘no ster feds ave” available fr contro] Plene a Sivssh controlp lane | : qo gt dake “Ps ret | grep ~) eted &B cextemeal ae eacd ; = fo ake backup 8 E1cD @ © eh % the control plone qavertt9¢ clout ® Btepetl-Arr=3 ectdct ~-end points: f —- cacort =/ete/ kubernehe /pki feted /cacrt -~Cect = [sonser~cr ~teey = ([senver-kkey \ snapshot seve — /opt / clusterrelly To copy from comtrol plane to — cluster etudentnod-e str scp —cluster!- Coghrd plane = Jopt /clustortel b /et/ ‘Restore EICD scp — Jopt/cluster2.db eted server Toot seh to eted-Servor SGo ETCDCTL_APT © 3 Wedet! © smapshot ‘restore AK (root /clustor.db = ~~ dasa-dir = /var] Lib /eted-des Update the YAML APL sewer S chow n ehcd tetcd etcd-data vi [etc /systemd /2ystem / efed-s@ry (ei edit asdata-dir = systemct| daemon-veload systemctl stasus etcd oystemctt vestart — etcd) Security ® @. _kubernetes security Prim tes © Secrre Persistent key Volue Store © Arthsetcaton! ® Authorizotron © Searrthy, contexts © “TLS Corti codes ©. tmnege, , Beery ® Ni/w, Polteres, te Seuurity Prim tives Who. can Access What they can Do S| Authentication | Cs ae -T RBAC TES) Cort fieahes “ALK Components imertich With» Kuberaprsecyer ancl. 'Kube- apisen es b& protected with TLS Kube-a aie Como Ss 2 Khe oe Kube [Kube Schaller | 7 te Authentication Ad ae Prada ? 
G BROKERS | Oxy SPRUE rt per ui integration > ae do not > kuberdeles manages manage Useys service (atdounts ” — Ve cont crete ~w ners mh Ruberndes oS au in Kiubeovnetes ae Auth Mechantems aA SO agree keube -api'sen or Ss Process . cil Sregaésh user t QO state user file. - #*¥ usor -dedails -eoV password 123, Userl, ie a 1 kube -apiserver-SOrvice {isa 1) rr ooo! ~~ berste-aurth - -eiTe= : User-deteils. csv @ | stette: token tle 2 eee users ee le es Kubeady > . Use ee Fount RBAC , -for | se he TLS coph tt mbes - gererdte : ; : date Corti Fi cotes Ga Ve bei 4 — froubleshoot ‘ i Symmelvic enerypton — Same k usec for _ encrypt amd decry pt ~ jNocker ges the Rix emd decryph the dota | “4 we : | “To solve +h i's Asyromedte te enerypttor Prjvete key | _ Public” key Private key 1S only Public key ton be shaved with user over N/w te . > provide, the path bo private key. => ssh-keygen id su i ssh =i id-vea i roat@ corver Cert Hi cate Authority Cad Y I Root tert mas . Coch H Cate _ sorver. ert Cx sorvoy . pem Ce e - SAVOr Cort Weak | client Cort fate Private me RT eublte at TE gemer Cortifi cede ; 7 server oct ® | kube-ap i server aa aes 7 “eos apiserver. key. ecb 2 eted Soren crt © Kabeler Server — > acd server. key as a sorver-crt ewer. Kg adminsert admin key ube-aprsenvey ] Act whee Coe cules Tatles with. © ete server id ‘sched loreert actrechtterte ochedluler-Key apiservek - eted -client.ert « q r Lo ke kube : { . t contro | Mo ageT eottrol- mon ag +e ne \ @ kubelet sewer weed eret'Soven,- ~kubelet~ on cn : cca kubeproxy. ext Rube =p J — i kube proxy key : J coon & casey + TLS erection using operes=| openss | © Gees ee i ae openss! gonysa + 6ub' as OUR oe , Openssl rey, ~new - key éa.key subs Reps ee a aout cancsr CSR vy ‘ Cus sign epmss! xBOT -rey, -In Ccl-£S¥ 81g pkey Conificete : ear.Key | our ca.crt Gren erect’ Client — Cont H cates Cee opens! genrse opt - acltni'n.key\ 20u8 Me Caine > ” Corti fi cate openss ( ve, ~ney —key admin. Keg. a‘ Stgning. 
s-suby) "Jes=kube-admin '? out achacs 7 ee Kabe-admin /Q =Systom= mastors ago Corti Picador penss| x50% --rep ~Ib — adm/n. csr 4 1K -CA taurcrt - CAlkey ca-Key Ms st adm n.ert ec ~ cpeed follow Same Process, ‘ gut. add bube proxy : SYSTEM begore name aK te suby "Jew's SYSTEM * KUBE-SCHEDDLER ] Sewer Cert't cates | ° E Kube-s chedulor Contvo| Monagor Neg Cod eted-yam) Pac etccl Server crt fe ~+— key tiles /etalsorver. ky ine Beg i ~ => cort-tile = /sevver-cet \ : ~~. trusted-ca File =/ node sn eodeo) ee & Kub eadw corti aotes J r Nitewn |: Conti ti codes 1 I. jl 1 ce /ete/eubornees/-mont teats! kube-eaps'server- yo) --elion} -ca- filles -/PKP/ carert |. = shed - catile = (pki /eted / caer b == eed - corttile = / pte’ / apraorver- etjcch cl’ént. crt acd ~- eted - Reytile = /pki/ apiservor-ehed ~cliont- Key - ) ~hibel et =eliont corti cate = /pki / apisoryo- tub elet- paleo Y ie Went. ert +kubelet -eLtont - Key = /pkif oo. . key. ~-Hs - cort—Aile = [pki apisowor.ert Hs _ private-Key = Jett J aplserv or- key. "lop | each CotiPrcate. Ak | View detail apensel x 509 ~in _ Loe faiboraeders etci /asisorsonert i ohect ~noout Note. no tssuev rope a : cn : ¢ PUSE Ctrte se > Doc: Alternate nawe ; bxcot ate file => Al compononl are | | Keb => 4 ployee as’ PID Tg Kube-apiserver fs down, Yhen we decker — exnd! > No Nlomtrfy.” logs 1 | - Tm kube-apisower ym] A | i atheel -corts one ee fy? /pki ] etcel Zi veld. ors path 2 7 1 You? tech cort Kubeudy Steves the Root Cee certs” mm Mester - Node >] user : | gamely i+ : a ' ~vequent Jone CET \xuloomdes Ce pl + ku ger CST toi ficade approve Jone ~o vyerro | Ku ku get cer ehot } th. | teanegy a Monagi nq approval <8 Corlificethes “Hyroug h api is Controlled by ude Control! 
ev ‘ Man ager at Kube Guivollor Man ager CSR- Approving cat [e]\eubomcbofman texts /kube- comtvel orm angonp = cluster: ~signing- cont +Hile Apri / ca sent Paha shytg key tile = _- cluster sim ing Rey tiles /ste/ Kuberneten/ pis Corky 1 te kube Conti g Kube conf!’ tile When’ we run ~-Sewer -my-kube + 6443 ~- client-Key admin key : The . Kube-apiserver ge ~~ client- cert admin-ert OW KEYS trom the > Conti ficarte - curtroyity / ‘ea:ert tong, tiles Cotect => Usin avoilable clusters with ack available twers permission - apiversioa + V4 kind = Cont'g : . _ clusters + etsors-: =name : kube-playq-round, cluster u comterets > Cert-auth 7 Ca-cvt -nome - server: context + cluster t kube-playgvount user: kube-ddmin Users, fects = 6 kube-admin “eRint-cort 2 admin-ert eliont -key = admin -Key te View Gonig , i 5 Ku Lontig Niew Rotana AL othe contr = © ‘ 7 [ee contig view — kube configs TATcastom og | #eChonge — contect ku contig Use Combex + prod-user@production G& updates the tonhg vile con add Name space a i i ud ==> provide ert olso provides ext wey. to Ku be-apiserver = dev ~us9v we testeclupter-) my-kulbe font = Teas file ¢ ack aes 7 - PE heat Lines Contig ; : + vesearth — /voet /my-Kube- contr J acently wpecerigs een (root mmr hues conti ‘ Wes me i content Pash og custom ie ' Cong Make — -my-kube-tontigs os * detautt Oo mv frost /my ~hube- contig root /. kube /contig ® a Tf > 4 2 e 7 o — A e Gg ¢ 7 g Newsion /ap\ Jmelvies as cove Nom 2 ‘ el Zapis a oe Reatura, [endpoints modes 7 binclings |) [V_\ Tetgmep) = (See BVO a _ : “aps ( [7apes etworn: 7 ae /ensitiote!| { ACE GROUSE Nt re fa tf as ashen ite dir od eee Lt, aa) — ie to ee (GED $e [RubectT prowy A> [oma preg b> kube -upiservey kube proxy x kube cH pToxy > enables commectvity proxy Server thet bedween Pods fake user crts kes G NW end Pe end cutthenticate fe . teube—ap ts erver <= oe a ] Author t2ation ' ; - sk Once Authenticated, whe Wer "eon do . 
- , A o> ddmins dev pregrems Senvyice _ Accounst Process ae Authoriz atop Mechow'sm i. | ABAC RBAC |Webhook (D Node -Node Authorize, controls omy Veqpest from Kubelet ov USO > Tt ‘controls omy -reyest Mat Contains certificate with> System: node *nodeo) ee a cae Group | @ ABAC ([Atir’bute bared access Contre! ee, _— > con View /creake (delete PODs can view /ereste / — PODs can views (Create /lelete PoDs dew ~user2 = ———> . —— admin © RBAc : & we creabeo a Role +tnet contains al a ond Ackoss Can he performed & “this Role te then ottached ft. user aw required ‘ ieedene Role Con View ales -user2_ SF CaM Creat, can delete Dev dev-user can View CSR Con approve CSR . security eee Advemrtage. Ls eas thy modify the | Role ond Ws get *eleckedl to all | USers @® TWebhook | Grinstead & prebuilt mechanism. , Use , another plattorm — for Authorizston a ural ™— . [san Jere / kubernetes /manitests / Kube-apiserver G _~ uutthorigedion-mode = Node, &BAC, Webhook Node —> only outhovize Nodes ee +e FBAc- developer -~ole - yn} apiVersion + & sections Ree kind + Role D ametadata + 7 nome - developer vules - dpiGroups > C" ny wvesouTces = i “ pods" J Verbs + Lilistt, Nget, “eveate”, “delete "J Te use ft Ole Feu ; binding —> Wink user okjech te Rele object dev user - develo por ~ boindking. yr) apiVevsion + lend 1 Role bineing- subj ects . . : » stand : User User details nome : Ae-user apiGroup : bac .cutthorizedion. KBs .io os | a , a. . Me elo or 7 Role deta te view RBAC “get voles Ku get -volebirdhings BAC orem ae G © Crete Rele @D create loinc’ ¢ - +k «Cheek “Aness > eu eatth Sane f create ' deployments) --as dev-user ue : : —IT : ibe uUsoF “Te give. 
Access | te PoDs but not Ot Pods 7 repeats : ee veer ee ' v S Pop pie” [Bes-9- POP POD yen & whith PoD Deploy ment Ls whith eeploywent_ Ae > ku crete vole — Tole-neme __vesourc@= pods, deployments —Vorle= yeh; Ust , create crete + wolebin cing srole- binding ~nume ~-‘Tole = volemam e = dev (User — ku ~- USE +e Cluster’: Rele We cannet isolates) Node» to % . aped tic Nomespace Clste Sep pods J ed } oe : Ss Nodes a deployments . PV" roles : esR vrole binding namespaces oT @ te > cluster! Roles cluster-“ale -yn] -\Can Niew Node com create Node com delete Node J rules 2) ~apiG@roups » C" “7 wESOUTCED + Cmodes""T verbs » f" list", gee Adwt Cluster hin, ae com View PV (1) Crete * Role can eveste PV com delete PVC: © Crece Role loindin 3° Storage Admin t t eluster- admin ~9 le- binching yy subjects * : wee ( tend > User nome : cluster- admin ae een - mole Ret = Role [ | wternd + cluster Rel e ~~ Name = cluster- vole. Note = Cluster Roles ton be. .crecha for Namespaced — Resources ods Access ‘to Yesources G Cluster Role eg ge oh Re Role Cluster Role G Limiced ton teyt 6. gram access for porHieelay Nevnospate atl ks Nomespaces ae [Sete Reo] Use. ; ' oo r <>, admin de [Prormetnaas | ; omen sal Ts ‘credihed! Ly ® create a 90 object (D it then creates a sa’ token “( Secred, shj etd ku get gecvets , | = ie, a pod is eveatecl, 0 Vottime mount is — qudemneds cally Creahed with degutt Sa token 6 Sa token Tar [run /seevds/ Kubondes 73a attech Gator Sa to POD apes ion > kind + Pos metackate + spec ‘ ‘ \. > Conteinevs : : —meme * Cust Se ge ee 2s) somite Accéunt Name + dah board-se iG (= SS Se wabt 3° agicadlay mou 48 Lubernaes D/ aleployment ao Resources fo G this makes the sa tke — accessible Na.24 — When We create sa) eC automatic telsen is created Now . 
ea dashboate|-Se © create se qoken — dashboard-se © Cvente apiry js | athkedhed te token 7 os ab Fmage Se arty docker.fo / Librory / ngiox "Yow k9S Uw ean ew Reet ae) i: access gishy account nde prevete Repity ger-lo (D creche a secret azure-acr-to dlockor- ve ry @® Poo imagerul] Seords : —nome = SE de Decker Security 7 ; & containers omd host shove the Resources Al) process «yu containers ; Tun len' the ° host but ty aiff memespace é Tpetkex We : process OD ses | ’ FROM ubunte — J VSER (Doo hr ROOT : b 2 ie ny . Gortteiner post! ect User yoot user. - pur! deelbe rest user i \ fuse / inetrde/ Unix /capa/ tite has mitted capability po Seeker carn Gap add’? MAG=ADHANTI é uburty deste, “On — oe -dirop) | MAG-ADM IN ulountu Nockeg 000 | aguaet © loo! ubuyte WNete conranerd movdet | evict SS HE Secunity Context t epiVersion : fatvd "! Pod metadeta = spec: secur ity Coatect ? yuvAsUser +1000 containers + -name * image + command ; oak - . yok CLL TE securityConted * Z| Seo level 1 wuvde User,; L000 TP cotedner o « te the security cacesper avait, Hero eve | Note * . Capabi Utes | over «Supported Covttsine (evel) area’ POD. level. +E Netwoyk folicies podSelector : mochch Labels = male: 4 St. f policy pe : ingre: - Ingress ! : Ingress ¢ —— ~ from P. oe s pouseledtor « 2 4 motchLebals : mome > api oy spec } eo phot Is poteded podSelector + 2 eg 1 mertchLabels : by nl Po : wole > db polos ta. 7 ingress 5? {ateoteded) ~ Ingress s ( iwbour Ingress > 7 ~from + : 5 “= PodSeledtor : Pod what ‘can + Acces + metehLabels : | ree ab pop ‘ 7 name : api-ped protected Pop “ports: . heb fe = ro tOCo | fort t q allowed nN] pork? 3306 (D selec label which POD_ te ve protect ad Select ingress | on | egress -e@ Q® Select which extemal Pod Cam atress Q select Port : ne : allows current no mespie use. -ip Block : Ar crdt : 192. 163.5.l0 /ap' : eSelector: amotch Labdls + ome » pro nom Roperes ing Tess —from : [ + podSelectot = 2 ) Sst AND I - nameSelechot \ bt in ipBlock : ~t AND sit \ eid? 
- Egress uses the same structure under egress: / to:, with the same AND/OR rules for the entries:
      policyTypes:
      - Ingress
      - Egress
      egress:
      - to:
        - ipBlock:
            cidr: 192.168.5.10/32
        - podSelector:
            matchLabels:
              name: api-pod
          namespaceSelector:
            matchLabels:
              name: prod
        ports:
        - protocol: TCP
          port: 80

## Custom resources

- Every built-in resource (Deployment, ReplicaSet, ...) has its own controller that watches that resource for changes and acts on them (e.g. creates or deletes pods).
- To add a resource kind of your own, define it with a CustomResourceDefinition (CRD), custom-definition.yml:
      apiVersion: apiextensions.k8s.io/v1
      kind: CustomResourceDefinition
      metadata:
        name: flighttickets.flights.com
      spec:
        scope: Namespaced
        group: flights.com
        names:
          kind: FlightTicket
          singular: flightticket
          plural: flighttickets
          shortNames:
          - ft
        versions:
        - name: v1
          served: true
          storage: true
          schema:
            openAPIV3Schema:
              type: object
              properties:
                spec:
                  type: object
                  properties:
                    from:
                      type: string
                    to:
                      type: string
                    number:
                      type: integer
- The CRD only teaches the API server to validate and store FlightTicket objects (kubectl get ft works); nothing happens on its own. A custom controller, usually written in Go with client-go, watches those objects and does the actual work.

## Storage

Topics: Persistent Volumes, Persistent Volume Claims, configuring apps with PVs, access modes, Kubernetes storage objects.

## Docker storage

- Docker keeps its data under /var/lib/docker (containers, image, volumes, ...).
- Layered architecture: every Dockerfile instruction builds a layer on top of the previous one:
      FROM ubuntu                                          layer 1: base ubuntu layer
      RUN apt-get update && apt-get -y install python      layer 2: changes in apt packages
      RUN pip install flask flask-mysql                    layer 3: changes in pip packages
      COPY . /opt/source-code                              layer 4: source code
      ENTRYPOINT ["python", "app.py"]                      layer 5: update entrypoint
- Image layers are read only and shared by every container started from the image. When a container starts, Docker adds a writable container layer on top; modifying a file that belongs to an image layer first copies it into the container layer (copy on write). The container layer is deleted together with the container, so data written there is lost.
- Volumes (volume mount):
      docker volume create data_volume       -> /var/lib/docker/volumes/data_volume
      docker run -v data_volume:/var/lib/mysql mysql
  If the volume does not exist yet, Docker creates it automatically.
- Bind mount: mount any directory of the host instead of a Docker-managed volume:
      docker run -v /data/mysql:/var/lib/mysql mysql
- The same bind mount in the newer, explicit --mount syntax:
      docker run --mount type=bind,source=/data/mysql,target=/var/lib/mysql mysql
- Layers and copy on write are implemented by storage drivers (AUFS, Overlay2, Device Mapper, ...); volumes are handled by volume drivers (local by default, third-party plugins for cloud storage).

## Volumes in Kubernetes

- A volume is declared in the pod and mounted into the container:
      apiVersion: v1
      kind: Pod
      metadata:
        name: data-pod
      spec:
        containers:
        - name: alpine
          image: alpine
          volumeMounts:
          - mountPath: /opt
            name: data-volume
        volumes:
        - name: data-volume
          hostPath:
            path: /data
            type: Directory
- hostPath uses a directory on the node the pod runs on. That is fine on a single node, but in a multi-node cluster every node has its own /data, so pods on different nodes see different data. Use external storage instead, e.g. AWS EBS:
      volumes:
      - name: data-volume
        awsElasticBlockStore:
          volumeID: <volume-id>
          fsType: ext4

## Persistent Volumes

- Otherwise every pod that needs storage would carry its own volume definition, and every change would have to be made in every pod file. To make this easier for the admin, storage is configured centrally as a pool of Persistent Volumes, and users request storage from that pool with Persistent Volume Claims.
- pv-definition.yml:
      apiVersion: v1
      kind: PersistentVolume
      metadata:
        name: pv-vol1
      spec:
        accessModes:
        - ReadWriteOnce
        capacity:
          storage: 1Gi
        awsElasticBlockStore:
          volumeID: <volume-id>
          fsType: ext4
- Access modes: ReadOnlyMany, ReadWriteOnce, ReadWriteMany.

## Persistent Volume Claims

- PV and PVC are two separate objects: the admin creates PVs, the user creates PVCs. Once a claim is created, Kubernetes looks for a PV with sufficient capacity and the requested access modes (and, if given, matching storage class and labels/selector) and binds the claim to it.
- Every PVC is bound to exactly one PV. A smaller claim may be bound to a larger PV; the remaining capacity cannot be used by other claims. If no match is found, the claim stays Pending until a suitable PV is created.
- pvc-definition.yml:
      apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: myclaim
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 500Mi
- What happens to the PV when the claim is deleted is set by persistentVolumeReclaimPolicy on the PV: Retain (default: the PV stays until the admin deletes it and is not reusable by other claims), Delete (the volume is deleted together with the claim), Recycle (data scrubbed, PV reusable; deprecated).
- Using the claim in a pod:
      apiVersion: v1
      kind: Pod
      metadata:
        name: mypod
      spec:
        containers:
        - name: myfrontend
          image: nginx
          volumeMounts:
          - mountPath: "/var/www/html"
            name: mypd
        volumes:
        - name: mypd
          persistentVolumeClaim:
            claimName: myclaim
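The binding rules above (capacity, access modes, storage class, selector, 1:1 binding, Pending on no match, reclaim policy on release) as a small model. This is an added example for these notes, not code from the page or from the Kubernetes PV controller, and it simplifies: it picks the smallest Available PV that satisfies the claim and ignores volume modes and dynamic provisioning. The volumes and claims are constructed.

```python
"""PV/PVC binding model (added example, not from the original notes or from Kubernetes)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

_UNITS = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
          "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}


def parse_quantity(q: str) -> int:
    """Integer quantities such as 500Mi, 1Gi or 2G into bytes (fractional forms are not handled)."""
    m = re.fullmatch(r"(\d+)([kMGT]i?)?", q)
    if not m:
        raise ValueError(f"unsupported quantity: {q}")
    return int(m.group(1)) * _UNITS[m.group(2) or ""]


@dataclass
class PersistentVolume:
    name: str
    capacity: str
    access_modes: List[str]
    storage_class: str = ""
    labels: Dict[str, str] = field(default_factory=dict)
    reclaim_policy: str = "Retain"      # Retain | Delete | Recycle
    claim_ref: Optional[str] = None     # "<namespace>/<claim>" once bound
    phase: str = "Available"            # Available | Bound | Released


@dataclass
class PersistentVolumeClaim:
    name: str
    namespace: str
    request: str
    access_modes: List[str]
    storage_class: str = ""
    selector: Dict[str, str] = field(default_factory=dict)
    volume_name: Optional[str] = None
    phase: str = "Pending"


def satisfies(pv: PersistentVolume, pvc: PersistentVolumeClaim) -> bool:
    """All binding criteria at once; a Bound or Released PV is never a candidate (1:1 binding)."""
    return (pv.phase == "Available"
            and parse_quantity(pv.capacity) >= parse_quantity(pvc.request)
            and set(pvc.access_modes) <= set(pv.access_modes)
            and pv.storage_class == pvc.storage_class
            and all(pv.labels.get(k) == v for k, v in pvc.selector.items()))


def bind(pvc: PersistentVolumeClaim, pvs: List[PersistentVolume]) -> Optional[PersistentVolume]:
    """Bind the claim to the smallest satisfying PV; None means the claim stays Pending."""
    candidates = sorted((pv for pv in pvs if satisfies(pv, pvc)), key=lambda pv: parse_quantity(pv.capacity))
    if not candidates:
        return None
    pv = candidates[0]
    pv.claim_ref, pv.phase = f"{pvc.namespace}/{pvc.name}", "Bound"
    pvc.volume_name, pvc.phase = pv.name, "Bound"
    return pv


def delete_claim(pvc: PersistentVolumeClaim, pvs: List[PersistentVolume]) -> List[PersistentVolume]:
    """Apply the bound PV's reclaim policy when its claim is deleted; returns the PVs that still exist."""
    remaining = []
    for pv in pvs:
        if pv.name != pvc.volume_name:
            remaining.append(pv)
        elif pv.reclaim_policy == "Delete":
            continue                                    # the volume goes away with the claim
        elif pv.reclaim_policy == "Recycle":
            pv.claim_ref, pv.phase = None, "Available"  # data scrubbed, PV reusable (deprecated)
            remaining.append(pv)
        else:                                           # Retain: data kept, PV Released, not reusable
            pv.phase = "Released"
            remaining.append(pv)
    return remaining


if __name__ == "__main__":
    pool = [PersistentVolume("pv-big", "1Gi", ["ReadWriteOnce"]),
            PersistentVolume("pv-small", "500Mi", ["ReadWriteOnce"], reclaim_policy="Delete")]
    claim = PersistentVolumeClaim("myclaim", "default", "500Mi", ["ReadWriteOnce"])
    chosen = bind(claim, pool)
    print("myclaim bound to", chosen.name if chosen else "nothing (Pending)")
```

The second claim in the test below lands on the 1 Gi volume even though it only asks for 500 Mi, which is the "smaller claim bound to a larger PV" case from the notes; with Retain, that PV is then stuck in Released after the claim is deleted until an admin removes it.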
