External

• https://kubernetes.io/docs/concepts/

Internal

• Kubernetes
• API Resource Concepts
• Docker Concepts
• OpenShift Concepts

TODO

Deplete Kubernetes Concepts TO DEPLETE.

Overview

Kubernetes is an Apache 2.0 Open Source container orchestration platform, or a container orchestrator.

A high level abstraction often used for Kubernetes is "data center OS". The primary target of Kubernetes are containerized cloud-native applications, which are applications that are made from a set of small autonomous services (microservices) that communicate with each other. Kubernetes helps deploying, scaling up, scaling down, performing updates and rollbacks of these services, or more precisely of their embodiment as containers. In the process, it abstracts out details such as what specific compute nodes or physical storage volumes are allocated to applications.

Kubernetes instances are known as clusters. All management interactions with a Kubernetes cluster are performed by sending REST requests into an API Server. The API Server is responsible with managing and exposing the state of the cluster. The state of the cluster is internally stored by a Cluster Store control plane system service, which is currently implemented by etcd. The control loops essential to the declarative model implemented by Kubernetes are driven by the controller manager. The workloads are dispatched by the scheduler. All these components (API Server, cluster store, controllers, scheduler, cloud controller manager) are collectively known as the control plane. Externally, the state can be accessed and modified most commonly via a command line client named kubectl. The cluster consists in a set of nodes. There are master nodes and worker nodes. Each node runs a container runtime, usually Docker. However, support for other container runtimes is available, via Container Runtime Interface (CRI). The control plane, the API server and API server-related details, such as admission controllers, are discussed in Kubernetes Control Plane and Data Plane Concepts.

Worker nodes are used to run workloads, as Pods - pods are scheduled to nodes and closely monitored. A pod is a wrapper that allows containers to run on Kubernetes and it is the atomic unit of deployment in Kubernetes. A pod may include one one or more containers. Pods come and go - if a pod dies, it is not resurrected, but its failure is detected by the lack of response from probes embedded within it and another pod might be scheduled as replacement. In consequence, the IP address of an individual Pod cannot be relied on. To provide a stable access point to a set of equivalent pods - which is how applications are deployed on Kubernetes, Kubernetes uses a specialized resource: a Service. A service can be thought of stable networking access for a continuously changing set of pods. A Service's IP address and port can be relied on to not change for the life of the service. All live pods represented by a service at a moment in time are known as the service's "endpoints". There are several types of services: ClusterIP, NodePort and LoadBalancer. The association between services and pods they expose is loose, established logically by the service's Selector, which is a label-based mechanism: a pod "belongs" to a service if the service's selector matches the pod's labels. Services are explained at length in the Service Concepts section. A layer 7 complement to services, named Ingress, is available. Ingress is discussed in Ingress Concepts.

A pod by itself has no built-in resilience: if it fails for any reason, it is gone. A higher level primitive - the Deployment - is used to manage a set of pods from a high availability perspective: the Deployment insures that a specific number of equivalent pods is always running, and if one of more pods fail, the Deployment brings up replacement pods. The deployment relies on an intermediary concept - the ReplicaSet. Deployments are used to implement rolling updates and rollbacks. There are higher-level pod controllers that manage sets of pods in different ways: DaemonSets and StatefulSets. Individual pods can be managed as Jobs or CronJobs.

A Kubernetes cluster exposes external storage to pods with three API resources: PersistentVolumes, PersistentVolumeClaims and StorageClasses, which are part of the persistent volume subsystem. The actual storage is made available to Kubernetes by storage plugins (provisioners), which should abide by the Container Storage Interface (CSI). All these are explained at length in Storage Concepts.

Every pod in the Kubernetes cluster has its own IP address, which is directly routable to every other pod. The stable IP addresses provided by services are resolvable by the cluster's internal DNS service, as described in the DNS Concepts. This and other networking-related aspects are explained in Networking Concepts.

Configuration can be exposed to pods via ConfigMaps and Secrets. More details about these are available in Configuration Concepts.

Security. Security Concepts

Kubernetes is exposing pod information to the containers running inside the pod through files, which are projected in the container by a mechanism known as the Downward API.

Resources managed by Kubernetes are subject to policies: Limit Ranges, Resource Quotas and specifically for pods, Pod Security Policies.

Declarative versus Imperative Approach

The preferred style while operating Kubernetes is to use a declarative model: Kubernetes likes to manage application declaratively, where we describe how we want our application to look in a set of YAML files, named manifests, POST these files into the Kubernetes API Server with kubectl apply or other tools and wait for the changes to be applied. The controller manager insures that the current state matches the desired state. This pattern is referred to as control loop. Step-by-step, the declarative model works as follows:

1. The desired state of the application is declared in the manifest file.
2. The manifest file is POSTed into the API Server, usually with kubectl command.
3. The API server authenticates and authorizes the request and then validates the manifest.
4. The API server stores the state - as desired state - in the cluster store.
5. The API server identifies the controller responsible with enforcing and monitoring the state.
6. The controller in charge implements the desired state, by adjusting the current state to match it.
7. The controller manager's control loops monitor the current state and make sure that it does not diverge from the desired state. The current state of a resource can be obtained from the cluster with CLI commands.
8. If the current state of the cluster diverges from the desired state, the cluster control plane will perform whatever tasks are necessary to bring those states in sync.

This model is the opposite of the traditional imperative model, where a precise sequence of specific commands are issued to explicitly adjust the state. In other words, in the declarative model we tell the cluster how things should look, as opposite to telling it how to adjust the state.

Subjects

• Control Plane and Data Plane Concepts
• API Resources Concepts
  • Resource Manifests
• Container Runtime Concepts
• Pod and Container Concepts
• Higher Level Pod Controllers
• Service Concepts
• Networking Concepts
• DNS Concepts
• Storage Concepts
• Managed Kubernetes
• Cluster Configuration Concepts
• Security Concepts
• Namespace Concepts
• Labels and Annotations Concepts
• Selector Concepts
• Resource Management Concepts, Metrics in Kubernetes and Autoscaling Concepts
• Operational concepts: context
• Downward API Concepts
• Extending Kubernetes, Aggregation Layer, Custom Resources, Operators
• Kubernetes Policies
• OpenShift Concepts