Kubernetes Training For DevOps - Trainer
Uploaded by NAVAM Kesar

theknowledgeacademy

Kubernetes Training for DevOps

New York • San Francisco • London • Sydney • Dubai • Singapore • Vancouver • Bangalore © 2022 The Knowledge Academy Ltd.
About The Knowledge Academy
The world's largest provider of classroom and online training courses

• World Class Training Solutions
• Subject Matter Experts
• Highest Quality Training Material
• Accelerated Learning Techniques
• Project, Programme, and Change Management, ITIL® Consultancy
• Bespoke Tailor Made Training Solutions
• PRINCE2®, MSP®, ITIL®, Soft Skills, and More


Course Syllabus
• Module 1: Kubernetes Core Concepts and Networking
• Module 2: Kubernetes Services and Scheduling
• Module 3: Kubernetes Controllers
• Module 4: Persistent Storage in Kubernetes
• Module 5: Securing the Cluster
• Module 6: Logging and Monitoring the Cluster
• Module 7: Troubleshooting the Cluster

Module 1: Kubernetes Core Concepts and Networking

Core Concepts of Kubernetes

• Kubernetes is an extensible, open-source, and portable platform for managing containerised workloads and services that facilitates both declarative configuration and automation

• It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available

• Kubernetes provides you with:

o Service discovery and load balancing: Kubernetes can expose a container using a DNS name or its own IP address. If traffic to a container is high, Kubernetes can load balance and distribute the network traffic so that the deployment stays stable

o Automated rollouts and rollbacks: You describe the desired state for your deployed containers, and Kubernetes changes the actual state to the desired state at a controlled rate. For instance, you can automate Kubernetes to create new containers for your deployment, remove the existing containers and adopt all their resources into the new container


o Storage orchestration: Kubernetes lets you automatically mount a storage system of your choice, such as local storage, public cloud providers, and more

o Self-healing: Kubernetes restarts containers that fail, replaces containers, kills containers that do not respond to your user-defined health check, and does not advertise them to clients until they are ready to serve

o Automatic bin packing: You provide Kubernetes with a cluster of nodes that it can use to run containerised tasks. You tell Kubernetes how much CPU and memory (RAM) each container needs, and Kubernetes fits containers onto your nodes to make the best use of your resources

o Secret and configuration management: Kubernetes lets you store and manage sensitive information, such as passwords, SSH keys, and OAuth tokens. You can deploy and update secrets and application configuration without rebuilding your container images, and without exposing secrets in your stack configuration. Note that a Secret is only base64-encoded, not encrypted, when stored: anyone who can read Secrets in a namespace through the API, or who can read etcd, can recover the values, so restrict that access with RBAC and enable encryption at rest

Architecture of Kubernetes

• Kubernetes follows a client-server architecture. The control plane (historically called the master) runs etcd, the API Server, the Scheduler, and the Controller Manager; each worker node is a Linux machine running a container runtime (Docker in the figure), the kubelet, and the Kubernetes proxy (kube-proxy)

[Figure: a Kubernetes master (etcd, API Server, Scheduler, Controller Manager) above three Kubernetes nodes, each a Linux machine running Docker, Kubelet and Kubernetes Proxy]

Kubernetes - Master Machine Components

1. etcd

• It stores the configuration information that each node in the cluster can use. It is a highly available (HA), distributed key-value store that can span multiple nodes

• Only the Kubernetes API server should talk to etcd directly, because etcd holds the entire cluster state, including Secrets. Anyone who can read etcd (or its backups) can read every Secret, so restrict etcd access to the API server with mutual TLS and encrypt its data at rest

2. API Server

• The API server exposes the Kubernetes API, through which every operation on the cluster is performed. It implements a REST interface, so different tools and libraries can easily communicate with it

• A kubeconfig file holds the server address and the client credentials that kubectl and other clients use to communicate with the API server. It grants access to the Kubernetes API, so it must be protected like any other credential

3. Controller Manager

• This component is the daemon behind most of the controllers that regulate the cluster's state and carry out tasks

• It runs in a non-terminating loop, watching the shared state of the cluster through the API server and reporting information back to it

• It works towards obtaining the shared state of the cluster and then makes changes that bring the current state of the cluster to the desired state

• The key controllers include the endpoint controller, replication controller, service account controller, and namespace controller

• The controller manager runs the various controllers that handle nodes, endpoints, and so on

4. Scheduler

• The scheduler is one of the main components of the Kubernetes control plane. It is the service responsible for distributing the workload

• It tracks resource usage on the cluster nodes and places each workload on a node that has the resources available and accepts the workload

• In other words, it is the mechanism that assigns pods to available nodes: the scheduler watches for newly created pods that have no node assigned and binds each one to a node that satisfies its resource requests and constraints

Kubectl Commands

• The following are commonly used kubectl commands:

• Run kubectl get nodes. If a node's status is NotReady, inspect the output

• Run kubectl get pods to check whether the pods scheduled on that node are being rescheduled onto other nodes


• List all pods in ps output format with more information (such as node name): kubectl get pods -o wide

• List a single replication controller with the specified NAME in ps output format: kubectl get replicationcontroller <NAME>


• List deployments in the "v1" version of the "apps" API group in JSON output format: kubectl get deployments.v1.apps -o json


• kubectl run creates and runs a particular image. In current kubectl versions it creates a single Pod; older versions created a Deployment or Job to manage the created container(s). For example, start a single nginx instance: kubectl run nginx --image=nginx

• Delete all pods in the current namespace: kubectl delete pods --all. This is destructive; pods owned by a controller are recreated, bare pods are gone for good, so check the current context and namespace first


• Run kubectl get deployment

• Run kubectl get service


• Describe all pods: kubectl describe pods


• kubectl cluster-info displays the addresses of the control plane and of the services labelled kubernetes.io/cluster-service=true. kubectl cluster-info dump can further be used to debug and diagnose cluster issues


• kubectl cluster-info dump dumps cluster information suitable for debugging and diagnosing cluster issues. By default it writes everything to stdout; you can optionally give a directory with --output-directory, in which case kubectl builds a set of files in that directory

• The dump contains pod logs and full object definitions from every namespace, so treat the output as sensitive and do not attach it to tickets unreviewed


• Run kubectl api-resources -o wide to list every resource type the API server knows about, together with its API group, whether it is namespaced, and the verbs allowed on it


• Run kubectl config current-context to display the context kubectl is currently using


• kubectl config view displays the merged kubeconfig settings, or a specific kubeconfig file. To extract particular values, use a JSON path expression with --output jsonpath={...}. By default certificate data and tokens are shown as DATA+OMITTED or REDACTED; add --raw to print the credential material
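• The following kubeconfig is an added illustration, not a file from the course: it shows the three sections (clusters, users, contexts) that kubectl config view merges, with the jsonpath queries that pull specific values out of it. The cluster name, server address, user name and the base64 placeholders are assumptions:

```yaml
# Added example of a minimal kubeconfig. Names, server address and the
# base64 placeholders are assumptions, not values from the original page.
#
# Inspect it with:
#   kubectl config view                         # credentials shown as DATA+OMITTED / REDACTED
#   kubectl config view --raw                   # includes the credential material
#   kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
#   kubectl config view -o jsonpath='{.contexts[?(@.name=="dev")].context.user}'
#
# The file is a bearer credential for the cluster: keep it mode 0600 and
# out of version control.
apiVersion: v1
kind: Config
current-context: dev
clusters:
- name: lab-cluster
  cluster:
    server: https://10.0.0.10:6443
    # CA that the API server's certificate must chain to; never set
    # insecure-skip-tls-verify: true outside a throwaway lab
    certificate-authority-data: LS0tLS1CRUdJTi...   # base64 PEM, truncated placeholder
users:
- name: dev-user
  user:
    client-certificate-data: LS0tLS1CRUdJTi...      # base64 PEM, truncated placeholder
    client-key-data: LS0tLS1CRUdJTi...              # base64 PEM, truncated placeholder
contexts:
- name: dev
  context:
    cluster: lab-cluster
    user: dev-user
    namespace: dev
```

Because every command runs against whatever current-context points at, check it (kubectl config current-context) before anything destructive such as kubectl delete.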


• To get the documentation of a resource and its fields, run kubectl explain pods


• To get the documentation of a particular field of a resource, run kubectl explain pods.spec.containers


• All the kubectl get-style commands inherit the same output (print) flags, such as -o wide, -o json, -o yaml and -o jsonpath


• To print the client and server versions for the current context, run kubectl version

Understanding the Concepts of Pods and their Networking

• Pods are the smallest deployable units of computing that you can create and manage in Kubernetes

• A Pod is a group of one or more containers, with shared storage and network resources, and a specification for how to run the containers

• A Pod models an application-specific "logical host": it contains one or more application containers that are relatively tightly coupled

• In non-cloud contexts, applications executed on the same physical or virtual machine are analogous to cloud applications executed on the same logical host

• As well as application containers, a Pod can contain init containers that run during Pod startup

Using Pods

• To create a Pod from its manifest, run kubectl apply -f with the manifest file
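• The Pod manifest the slide refers to is not reproduced on the page. The following is an added example, not the course's own file: a single-container Pod whose securityContext applies the restrictions a practitioner would want on any workload (no root, no privilege escalation, no Linux capabilities, read-only root filesystem). The Pod name, image, user ID and port are assumptions:

```yaml
# Added example Pod manifest; the name, image tag, uid and port are assumptions.
# Create it with:    kubectl apply -f pod.yaml
# Check it with:     kubectl get pod nginx-hardened -o wide
# Inspect failures:  kubectl describe pod nginx-hardened
apiVersion: v1
kind: Pod
metadata:
  name: nginx-hardened
  labels:
    app: nginx
spec:
  automountServiceAccountToken: false   # the app never talks to the API server
  securityContext:
    runAsNonRoot: true                   # kubelet refuses to start the container as root
    runAsUser: 101                       # assumed uid of the nginx user in the unprivileged image
    seccompProfile:
      type: RuntimeDefault               # runtime's default syscall filter
  containers:
  - name: nginx
    image: nginxinc/nginx-unprivileged:1.25   # assumed image that listens on 8080 as a non-root user
    ports:
    - containerPort: 8080
    securityContext:
      allowPrivilegeEscalation: false    # no setuid binaries gaining privileges
      readOnlyRootFilesystem: true       # an attacker cannot drop tools into the image
      capabilities:
        drop: ["ALL"]
    volumeMounts:                        # the only writable paths nginx needs
    - name: cache
      mountPath: /var/cache/nginx
    - name: run
      mountPath: /var/run
  volumes:
  - name: cache
    emptyDir: {}
  - name: run
    emptyDir: {}
```

If the Pod stays in CreateContainerConfigError, kubectl describe pod shows which setting the image violates (typically an image that still runs as root under runAsNonRoot).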

Workload resources for managing pods

• Usually you do not need to create Pods directly, even singleton Pods. Instead, create them using workload resources such as a Deployment or Job

• If your Pods need to track state, consider a StatefulSet. In a Kubernetes cluster, Pods are used in two main ways:

1. Pods that run a single container

• The "one-container-per-Pod" model is the most common Kubernetes use case. In this case, you can think of a Pod as a wrapper around a single container; Kubernetes manages Pods rather than managing the containers directly

2. Pods that run multiple containers that need to work together

• A Pod can encapsulate an application composed of multiple co-located containers that are tightly coupled and need to share resources. These co-located containers form a single cohesive unit of service

• For instance, one container serves data stored in a shared volume to the public, while a separate sidecar container refreshes or updates those files

• The Pod wraps these containers, storage resources, and an ephemeral network identity together as a single unit

How Pods manage multiple containers

• Pods are designed to support multiple cooperating processes (as containers) that form a cohesive unit of service

• The containers in a Pod are automatically co-located and co-scheduled on the same physical or virtual machine in the cluster

• The containers can share resources and dependencies, communicate with one another, and coordinate when and how they are terminated

Working with Pods

• You will rarely create individual Pods directly in Kubernetes, even singleton Pods, because Pods are designed as relatively ephemeral, disposable entities. When a Pod is created (directly by you, or indirectly by a controller), the new Pod is scheduled to run on a Node in your cluster


• The Pod remains on that node until the Pod finishes execution, the Pod object is deleted, the Pod is evicted for lack of resources, or the node fails

• When you create the manifest for a Pod object, make sure the name you specify is a valid DNS subdomain name

Storage in Pods
• A Pod can specify a set of shared storage volumes. All containers in the Pod can access the shared volumes, allowing those containers to share data

• Volumes also allow persistent data in a Pod to survive if one of the containers within it needs to be restarted

Pod Networking

• Each Pod is assigned a unique IP address for each address family. Every container in a Pod shares the network namespace, including the IP address and network ports

• Inside a Pod, the containers that belong to the Pod can communicate with one another using localhost

• When containers in a Pod communicate with entities outside the Pod, they must coordinate how they use the shared network resources (such as ports), because two containers in the same Pod cannot bind the same port

• Containers within the Pod share an IP address and port space, and can find each other via localhost

• The containers in a Pod can also communicate with each other using standard inter-process communications such as SystemV semaphores or POSIX shared memory, since containers in a Pod share the IPC namespace by default

• Containers in different Pods have distinct IP addresses and cannot communicate by IPC without special configuration

• Containers that want to interact with a container running in a different Pod can use IP networking to communicate. By default Kubernetes lets any Pod reach any other Pod in the cluster; a NetworkPolicy (enforced by a CNI plugin such as Calico) is needed to restrict that

• Containers within the Pod see the system hostname as being the same as the configured name for the Pod
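• The following manifest is an added example (not from the course material) of the sidecar pattern described above: a web container serves files from a volume that a second container in the same Pod rewrites, and the two containers share one network namespace. The Pod name, images and the 10-second refresh interval are assumptions:

```yaml
# Added example: two containers in one Pod sharing a volume and the
# network namespace. Names, images and the interval are assumptions.
# Apply:   kubectl apply -f shared-pod.yaml
# Test:    kubectl exec shared-pod -c refresher -- wget -qO- http://localhost:8080/index.html
#          (works because the sidecar shares the web container's localhost)
apiVersion: v1
kind: Pod
metadata:
  name: shared-pod
spec:
  volumes:
  - name: html
    emptyDir: {}                       # lives as long as the Pod; visible to both containers
  containers:
  - name: web                          # serves files from the shared volume on 8080
    image: nginxinc/nginx-unprivileged:1.25   # assumed; listens on 8080 as non-root
    ports:
    - containerPort: 8080              # only one container in the Pod may bind this port
    volumeMounts:
    - name: html
      mountPath: /usr/share/nginx/html
      readOnly: true                   # the server only reads what the sidecar writes
  - name: refresher                    # sidecar that rewrites the content every 10 s
    image: busybox:1.36                # assumed
    command: ["/bin/sh", "-c"]
    args:
    - |
      while true; do
        date > /work/index.html
        sleep 10
      done
    volumeMounts:
    - name: html
      mountPath: /work                 # same volume, different mount path, writable here
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Mounting the shared volume read-only in the serving container is deliberate: a compromise of the public-facing process then cannot alter the content the sidecar publishes.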

Setting Up a Cluster

Install Minikube

Step 1: Open https://minikube.sigs.k8s.io/docs/start/ to download Minikube and click on the latest release. Verify the downloaded installer against the checksum published alongside the release before running it

Step 2: Click on the drop-down arrow and click Open

Step 3: Click Next

Step 4: Click I Agree

Step 5: Click Install

Step 6: Click Finish; Minikube is now installed

Start your cluster

• To start the cluster, run minikube start

• To get the cluster IP address, run minikube ip

Configure Kubernetes Network Using Calico

• Calico is an open source networking and network security solution for containers, virtual machines, and native host-based workloads

• It supports a broad range of platforms including Kubernetes, OpenShift, Mirantis Kubernetes Engine (MKE), OpenStack, and bare metal services

• Calico gives cluster operators and developers a consistent experience and set of capabilities whether running in public cloud or on-prem, on a single node or across a multi-thousand node cluster. For Kubernetes workloads it enforces the standard Kubernetes NetworkPolicy API as well as its own richer policy resources

Install calicoctl as a container on a single host

• Log in to the target host and run docker pull calico/ctl:v3.23.3 to install calicoctl as a container. Pin the tag to the Calico version running in your cluster, and prefer pulling by image digest so that the image you run is the one you reviewed:

Install calicoctl as a Kubernetes pod

• To deploy the calicoctl container to your nodes, use the YAML manifest that corresponds to your datastore type:

1. etcd

2. Kubernetes API datastore


Use Init Containers to Pre-Set an Environment

• A Pod can have multiple containers running apps, but it can also have one or more init containers, which run before the app containers are started. Init containers are exactly like regular containers, except:

o Init containers always run to completion

o Each init container must complete successfully before the next one starts

• Start this Pod by running kubectl apply -f myapp.yaml

• You can check its status with kubectl get -f myapp.yaml; the STATUS column reads Init:0/2 while the init containers are still running

• For more detail on the init containers, run kubectl describe -f myapp.yaml
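• The myapp.yaml used in the steps above is not reproduced on the page. The following is an added example in the same pattern, not the course's file: two init containers each wait for a Service to become resolvable in DNS before the app container starts. The Service names (myservice, mydb), images and user ID are assumptions. Init containers are a common place for privileged images to slip in, so each one gets the same restrictions as the app container:

```yaml
# Added example for myapp.yaml; service names, images and uid are assumptions.
# Apply:    kubectl apply -f myapp.yaml
# Status:   kubectl get -f myapp.yaml      (STATUS shows Init:0/2, then Init:1/2, then Running)
# Details:  kubectl describe -f myapp.yaml
# Unblock:  kubectl create service clusterip myservice --tcp=80:9376 ; same for mydb
apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    app: myapp
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000                       # assumed; busybox runs fine unprivileged
  initContainers:
  - name: init-myservice                  # blocks until the backing Service is resolvable
    image: busybox:1.36                   # assumed
    env:
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace   # downward API, so no service-account token is needed
    command: ["sh", "-c"]
    args:
    - until nslookup myservice.$POD_NAMESPACE.svc.cluster.local; do echo waiting for myservice; sleep 2; done
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
  - name: init-mydb                       # starts only after init-myservice exited 0
    image: busybox:1.36
    env:
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    command: ["sh", "-c"]
    args:
    - until nslookup mydb.$POD_NAMESPACE.svc.cluster.local; do echo waiting for mydb; sleep 2; done
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
  containers:
  - name: myapp-container                 # runs only after both init containers succeeded
    image: busybox:1.36
    command: ["sh", "-c", "echo The app is running! && sleep 3600"]
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
```

Until both Services exist the Pod sits in Init:0/2, and kubectl describe shows the init container restarting; creating the two Services (the Unblock line in the comments) lets it proceed.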

Module 2: Kubernetes Services and Scheduling


Kubernetes Services and Controllers

Kubernetes Services

• A Kubernetes Service is a logical abstraction over a set of pods deployed in a cluster (which all perform the same function)

• Because pods are ephemeral, a Service lets a set of pods that provide a specific function (web services, image processing, etc.) be assigned a name and a unique IP address (clusterIP). That IP address does not change for as long as the Service exists

• Services also define the policies for accessing them

Components of a Kubernetes Service

• Kubernetes Services connect a set of pods to an abstracted service name and IP address. Services provide discovery and routing between pods

• For instance, a Service connects an application front-end to its backend, each of which runs in a separate Deployment in the cluster

• Services use labels and selectors to match pods with other applications. The core attributes of a Kubernetes Service are:

o A label selector that locates pods

o The clusterIP IP address and assigned port number

o Port definitions

o Optional mapping of incoming ports to a targetPort

• Services can also be defined without a pod selector, in which case you manage the endpoint objects yourself

Kubernetes Services and Controllers

(Continued)
theknowledgeacademy

• The following are the four types of the services of Kubernetes:

1 ClusterIP

2 NodePort

Kubernetes
services
3 LoadBalancer

4 ExternalName

© 2022 The Knowledge Academy Ltd.


theknowledgeacademy Kubernetes Services and Controllers

1. ClusterIP: It exposes a service within the cluster that is only accessible from it

2. NodePort: On IP of every node, it exposes a service through static port

3. LoadBalancer: It exposes the service through the cloud provider’s load balancer

4. ExternalName: Maps a service to a predefined external Name field by returning a value for the
CNAME record
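• As an added example (not from the course material), the same backend exposed first as a ClusterIP Service and then as a NodePort Service, which makes the port/targetPort mapping and the difference in exposure concrete. Labels, ports and the node port are assumptions:

```yaml
# Added example: one backend exposed two ways. Labels and ports are assumptions.
# Apply:   kubectl apply -f services.yaml
# Check:   kubectl get svc -o wide ; kubectl get endpoints backend
apiVersion: v1
kind: Service
metadata:
  name: backend
spec:
  type: ClusterIP            # default; reachable only inside the cluster as backend.<namespace>.svc
  selector:
    app: backend             # Pods carrying this label become the Service's endpoints
  ports:
  - name: http
    protocol: TCP
    port: 80                 # port clients connect to on the clusterIP
    targetPort: 8080         # port the container actually listens on
---
apiVersion: v1
kind: Service
metadata:
  name: backend-nodeport
spec:
  type: NodePort             # also opens the port on every node's IP, including public ones
  selector:
    app: backend
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 8080
    nodePort: 30080          # must fall in the node-port range (default 30000-32767)
```

A NodePort listens on every node, whether or not a backend Pod runs there, so it widens the attack surface of the whole cluster; outside a lab, keep Services at ClusterIP and expose them through an Ingress or LoadBalancer with a firewall in front.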

Kubernetes Controllers

• The Kubernetes control plane includes a core component called the kube-controller-manager, which is responsible for running the various controllers that maintain the overall desired state of the cluster

• All of these controllers are packaged and shipped in the kube-controller-manager, a single daemon

• In Kubernetes, resources are defined by manifest files that specify the desired state. When the resources are deployed, the relevant controllers ensure that the existing state of the cluster is updated to match the desired state

• Every controller is a control loop that watches the shared state of the cluster through the API server

• Based on the information about the deployed resources, the controllers make changes that move the current state of the cluster toward the desired state

• The controllers keep track of which workloads are running, the resources available to those workloads, the nodes they are running on, and the policies governing how they should behave

• A controller relies on two main components to maintain and regulate the cluster state:

o the Informer/SharedInformer

o the Workqueue

Informer

• To check the actual state against the desired state, the controller has to fetch object information from the API server

• If every controller polled the API server directly, the number of API calls would grow with the number of deployed Kubernetes objects

• Informers address this by retrieving object data and storing it in the controller's local cache



• The Informer then watches for the subsequent create, update and delete events on those objects

SharedInformer

• The SharedInformer, as the name implies, is shared among controllers so that they use a single cache data store

• It solves the problem that arises when multiple controllers watch and update the same resource or object in the cluster

Workqueue

• Because the SharedInformer is shared, it cannot track the activities of each individual controller, so the controller relies on an external queuing system

• Several queue types are supported, such as the delayed queue, the timed queue and the rate-limiting queue

• When a resource or object changes, the Resource Event Handler puts a key into the Workqueue

• Keys have the format <resource_namespace>/<resource_name>. If the resource is not namespaced, the key is simply <resource_name>

Types of Controllers

• There are several types of controllers that let you configure the behaviour of workloads on your Kubernetes cluster:

o ReplicaSet

o Deployment

o DaemonSet

o StatefulSet

o Job

o CronJob


Understand How Resource Limits Can Affect Pod Scheduling

Resource Management for Pods and Containers

• When you specify a Pod, you can optionally specify how much of each resource a container needs. The most common resources to specify are CPU and memory (RAM)

• When you specify a resource request for containers in a Pod, the kube-scheduler uses this information to decide which node to place the Pod on

• When you specify a resource limit for a container, the kubelet enforces that limit so that the running container is not allowed to use more of that resource than the limit you set

• The kubelet also reserves at least the requested amount of that system resource specifically for that container to use

Requests and Limits

• If the node where a Pod is running has enough of a resource available, it is possible (and allowed) for a container to use more of that resource than its request specifies. However, a container is not allowed to use more than its resource limit

• For example, if you set a memory request of 256 MiB for a container, and that container is in a Pod scheduled to a Node with 8 GiB of memory and no other Pods, then the container can try to use more RAM

• If you set a memory limit of 4 GiB for that container, the kubelet (and the container runtime) enforce the limit. The runtime prevents the container from using more than the configured resource limit

• For example, when a process in the container tries to consume more than the allowed amount of memory, the kernel terminates the process that attempted the allocation with an out of memory (OOM) error

• Limits can be implemented either reactively (the system intervenes once it sees a violation) or by enforcement (the system prevents the container from ever exceeding the limit). Different runtimes can have different ways to implement the same restrictions. In practice, memory limits are enforced by killing the container process (which is then restarted according to the Pod's restart policy), whereas CPU limits are enforced by throttling

• A container with no limits can consume the whole node and starve its neighbours, which is a denial-of-service risk as much as a capacity problem; set limits on every container or enforce defaults with a LimitRange

Resource Types

• CPU and memory are each a resource type, and each resource type has a base unit. CPU represents compute processing and is specified in units of Kubernetes CPUs. Memory is specified in units of bytes

• For Linux workloads you can also specify huge page resources. Huge pages are a Linux-specific feature where the node kernel allocates blocks of memory that are much larger than the default page size

• For example, on a system where the default page size is 4 KiB, you could specify a limit hugepages-2Mi: 80Mi. If the container tries to allocate more than 40 huge pages of 2 MiB (a total of 80 MiB), that allocation fails

Resource requests and limits of Pod and container

• For each container, you can specify resource limits and requests, including the following:

o spec.containers[].resources.limits.cpu

o spec.containers[].resources.limits.memory

o spec.containers[].resources.limits.hugepages-<size>

o spec.containers[].resources.requests.cpu

o spec.containers[].resources.requests.memory

o spec.containers[].resources.requests.hugepages-<size>

• Although you can only specify requests and limits for individual containers, it is also useful to think about the overall resource requests and limits for a Pod

• For a particular resource, the Pod's resource request/limit is the sum of the resource requests/limits of that type for each container in the Pod
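• The following is an added example (not from the course material) that puts the fields above together: a two-container Pod with CPU, memory and 2 MiB huge-page requests and limits, plus a LimitRange that supplies defaults for any container in the namespace that omits them. It goes a little beyond the slides by showing the LimitRange. The namespace, images and figures are assumptions:

```yaml
# Added example: per-container requests and limits, including huge pages,
# and a LimitRange providing namespace defaults. Namespace, images and
# figures are assumptions.
# Apply:        kubectl apply -f resources.yaml
# Check:        kubectl -n dev describe pod resource-demo
# Node view:    kubectl describe node <node> | grep -A8 "Allocated resources"
apiVersion: v1
kind: Pod
metadata:
  name: resource-demo
  namespace: dev
spec:
  containers:
  - name: app
    image: registry.example/app:1.0     # assumed
    resources:
      requests:
        cpu: 250m                       # a quarter of one CPU; what the scheduler reserves
        memory: 256Mi
      limits:
        cpu: "1"                        # throttled above one CPU
        memory: 512Mi                   # OOM-killed above this
  - name: cache
    image: registry.example/cache:1.0   # assumed; no cpu values, so the LimitRange fills them in
    volumeMounts:
    - name: hugepage-2mi
      mountPath: /hugepages-2Mi
    resources:
      requests:
        memory: 128Mi
        hugepages-2Mi: 80Mi             # huge-page request and limit must be equal
      limits:
        memory: 128Mi
        hugepages-2Mi: 80Mi             # at most 40 pages of 2 MiB; a 41st allocation fails
  volumes:
  - name: hugepage-2mi
    emptyDir:
      medium: HugePages-2Mi             # only schedulable on nodes that pre-allocated 2 MiB pages
---
apiVersion: v1
kind: LimitRange
metadata:
  name: container-defaults
  namespace: dev
spec:
  limits:
  - type: Container
    default:                 # applied as limits when a container sets none
      cpu: 500m
      memory: 256Mi
    defaultRequest:          # applied as requests when a container sets none
      cpu: 100m
      memory: 128Mi
    max:                     # admission rejects any container asking for more
      cpu: "2"
      memory: 2Gi
```

With the LimitRange in place, the cache container is admitted with cpu requests of 100m and limits of 500m, so the Pod's total CPU request (the figure the scheduler uses) is 250m + 100m = 350m and its total memory request is 384 MiB. Without the LimitRange, the cache container would have run with no CPU bound at all.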

Module 3: Kubernetes Controllers


ReplicaSet and ReplicationController

ReplicaSet

• The purpose of a ReplicaSet is to maintain a stable set of replica Pods running at any given time. As such, it is often used to guarantee the availability of a specified number of identical Pods

Example

• Create a YAML file for the ReplicaSet

• Saving this manifest as frontend.yaml and submitting it to a Kubernetes cluster (kubectl apply -f frontend.yaml) creates the defined ReplicaSet and the Pods that it manages

• You can then get the current ReplicaSets deployed: kubectl get rs

• You can also check the state of the ReplicaSet: kubectl describe rs/frontend

• Finally, you can check for the Pods brought up: kubectl get pods

• You can also verify that the owner reference of these Pods is set to the frontend ReplicaSet: run kubectl get pods <pod-name> -o yaml and look at metadata.ownerReferences
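• The frontend.yaml used above is not reproduced on the page. The following is an added example in the layout the Kubernetes documentation uses for this walkthrough, not the course's own file; the image is an assumption:

```yaml
# Added example for frontend.yaml; the image is an assumption.
# Apply:    kubectl apply -f frontend.yaml
# Check:    kubectl get rs ; kubectl describe rs/frontend ; kubectl get pods
# Owner:    kubectl get pod <pod-name> -o jsonpath='{.metadata.ownerReferences[0].name}'
apiVersion: apps/v1
kind: ReplicaSet
metadata:
  name: frontend
  labels:
    app: guestbook
    tier: frontend
spec:
  replicas: 3                # desired count; the controller adds or deletes Pods to match
  selector:
    matchLabels:
      tier: frontend         # must match the Pod template's labels or the API server rejects it
  template:
    metadata:
      labels:
        tier: frontend
    spec:
      containers:
      - name: php-redis
        image: us-docker.pkg.dev/google-samples/containers/gke/gb-frontend:v5   # assumed
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
```

Two points worth checking in a real cluster: a ReplicaSet adopts any existing Pod that matches its selector and has no owner, so a bare Pod labelled tier=frontend is silently counted as one of the three replicas; and a ReplicationController is the same manifest with apiVersion v1, kind ReplicationController and a flat equality-only selector (selector: {tier: frontend}) instead of matchLabels.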

ReplicationController

• A ReplicationController ensures that a specified number of pod replicas are running at any one time. ReplicaSet is its successor: it supports set-based label selectors and is what Deployments create, so a ReplicationController is rarely needed in new manifests

Running an example ReplicationController

• Create a YAML file for the ReplicationController

• Run kubectl apply -f https://k8s.io/examples/controllers/replication.yaml

• Check the status of the ReplicationController with kubectl describe replicationcontrollers/nginx

DaemonSets

• A DaemonSet is a controller that ensures a copy of a pod runs on all (or selected) cluster nodes. When a node is added to or removed from the cluster, the DaemonSet automatically adds or deletes the pod. Common use cases of a DaemonSet are cluster-level agents such as:

o Monitoring exporters: you want to monitor every node in your cluster, so you need an agent such as Node Exporter running on every node

o Log collection daemon: you want to export logs from every node, so you run a log collector such as Fluentd as a DaemonSet

• Create the DaemonSet from its YAML file:
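• The DaemonSet manifest the slide refers to is not reproduced on the page. The following is an added example of the log-collector case, not the course's own file: a Fluentd DaemonSet that reads the node's logs through a read-only hostPath mount and tolerates the control-plane taint so that those nodes are covered too. The namespace, service account, image and resource figures are assumptions:

```yaml
# Added example: a log-collector DaemonSet. Namespace, service account,
# image and figures are assumptions.
# Apply:  kubectl apply -f fluentd-ds.yaml
# Check:  kubectl -n logging get ds ; kubectl -n logging get pods -o wide
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd
  namespace: logging
spec:
  selector:
    matchLabels:
      name: fluentd
  template:
    metadata:
      labels:
        name: fluentd
    spec:
      serviceAccountName: fluentd        # assumed; bind it only the RBAC it needs (read pods/namespaces)
      tolerations:
      - key: node-role.kubernetes.io/control-plane
        operator: Exists
        effect: NoSchedule                 # collect from control-plane nodes as well
      containers:
      - name: fluentd
        image: fluent/fluentd-kubernetes-daemonset:v1-debian-elasticsearch   # assumed
        resources:
          requests: {cpu: 100m, memory: 200Mi}
          limits:   {memory: 400Mi}        # one per node, so bound it: it must never starve the node
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        volumeMounts:
        - name: varlog
          mountPath: /var/log
          readOnly: true                  # hostPath reaches into the node; never mount it writable
        - name: buffer
          mountPath: /fluentd/buffer      # the only writable path the collector needs
      terminationGracePeriodSeconds: 30
      volumes:
      - name: varlog
        hostPath:
          path: /var/log
      - name: buffer
        emptyDir: {}
```

A hostPath mount is the classic container-to-node escape route, so a DaemonSet like this should be one of the few workloads allowed to use it; enforce that with an admission policy (Pod Security Admission at the baseline level rejects unrestricted hostPath use) rather than by convention.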

Deployments

• A Deployment is the simplest and most commonly used resource for deploying your application. A Kubernetes controller reconciles the current state of the cluster with the desired state described in the Deployment manifest

• Deployments are typically used for stateless applications

• Although you can make a Deployment stateful by attaching a PersistentVolume to it, all of the Deployment's pods will share the same volume, and the data on all of them will be the same

• The following manifest deploys a sample application with a Deployment; you can deploy it by copying the manifest into a file such as deployment.yaml and applying it with kubectl apply -f deployment.yaml

• The steps to create a Deployment are:

Step 1: Create a Deployment YAML file

Step 2: Run kubectl apply -f https://k8s.io/examples/controllers/nginx-deployment.yaml to create the Deployment

Step 3: Run kubectl get deployments to check whether the Deployment was created

Step 4: Run kubectl rollout status deployment/nginx-deployment to see the rollout status of the Deployment

Step 5: Run kubectl get deployments again

Step 6: Run kubectl get rs to see the ReplicaSet (rs) created by the Deployment

Step 7: Run kubectl get pods --show-labels to see the labels automatically generated for each Pod

© 2022 The Knowledge Academy Ltd.


Ingress

• An Ingress exposes HTTP and HTTPS routes from outside the cluster to Services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource

• In the following figure an Ingress sends all its traffic to one Service:

[Figure: Client -> Ingress-managed load balancer -> Ingress (routing rule) -> Service -> Pods]

• The following are the steps to create an Ingress:

Step 1: The following is the YAML file of the Ingress. Copy the link of the file

Step 2: Paste the link and execute the command kubectl apply -f https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/service/networking/example-ingress.yaml

Step 3: Execute the command kubectl get ingress
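• As an added example (not part of the course material or of any ingress controller's code), the following Python re-implements the Ingress routing rules just described: pathType Exact compares the whole request path, pathType Prefix compares path elements split on "/", the longest matching path wins, and a request that matches no rule goes to the default backend. The hosts, Service names and ports are constructed. The tie-break that prefers an exact host over a wildcard host is an assumption modelled on how nginx-based controllers pick a server block, not something the Ingress resource itself specifies. The point worth checking in your own rules is the Prefix behaviour: "/api" matches "/api/v1" but not "/apiv1", so a rule meant to protect "/admin" does not cover "/administrator"

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IngressPath:
    path: str          # e.g. "/api"
    path_type: str     # "Exact" or "Prefix"
    service: str       # backend Service name (constructed)
    port: int


@dataclass
class IngressRule:
    host: Optional[str]        # None matches any host; "*.example.com" matches exactly one extra label
    paths: List[IngressPath]


@dataclass
class Ingress:
    rules: List[IngressRule]
    default_backend: Optional[str] = None   # "service:port" used when no rule matches


def host_matches(rule_host: Optional[str], request_host: str) -> bool:
    """Exact host match, or a wildcard that covers exactly one DNS label."""
    if rule_host is None:
        return True
    if rule_host.startswith("*."):
        suffix = rule_host[1:]                       # "*.example.com" -> ".example.com"
        return (request_host.endswith(suffix)
                and request_host.count(".") == rule_host.count("."))
    return rule_host == request_host


def path_matches(rule_path: IngressPath, request_path: str) -> bool:
    """Exact compares the whole path; Prefix compares path elements split on '/'."""
    if rule_path.path_type == "Exact":
        return rule_path.path == request_path
    if rule_path.path_type == "Prefix":
        want = [s for s in rule_path.path.split("/") if s]
        got = [s for s in request_path.split("/") if s]
        return got[:len(want)] == want             # "/api" matches "/api/v1", not "/apiv1"
    raise ValueError(f"unsupported pathType {rule_path.path_type!r}")


def route(ingress: Ingress, request_host: str, request_path: str) -> Optional[str]:
    """Return the "service:port" backend the Ingress routing rules select for a request."""
    candidates = []
    for rule in ingress.rules:
        if not host_matches(rule.host, request_host):
            continue
        exact_host = rule.host is not None and not rule.host.startswith("*.")
        for p in rule.paths:
            if path_matches(p, request_path):
                # longest path wins; Exact beats Prefix at equal length;
                # exact host beats wildcard host (assumed controller tie-break)
                candidates.append((len(p.path), p.path_type == "Exact", exact_host, p))
    if not candidates:
        return ingress.default_backend
    candidates.sort(key=lambda c: (c[0], c[1], c[2]), reverse=True)
    best = candidates[0][3]
    return f"{best.service}:{best.port}"


# Constructed sample Ingress: hypothetical hosts, Services and ports
SAMPLE_INGRESS = Ingress(
    rules=[
        IngressRule("shop.example.com", [
            IngressPath("/api", "Prefix", "api", 8080),
            IngressPath("/health", "Exact", "probe", 9000),
            IngressPath("/", "Prefix", "web", 80),
        ]),
        IngressRule("*.example.com", [IngressPath("/", "Prefix", "wild", 80)]),
    ],
    default_backend="fallback:80",
)

if __name__ == "__main__":
    for host, path in [("shop.example.com", "/api/v1/orders"), ("shop.example.com", "/apiv1"),
                       ("shop.example.com", "/health"), ("blog.example.com", "/posts"),
                       ("other.example.org", "/api")]:
        print(f"{host}{path:<16} -> {route(SAMPLE_INGRESS, host, path)}")
```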


Using HPA

• The HPA can be configured to autoscale application pods on the basis of a target CPU utilisation. The following are the two ways to create an HPA resource:

1. The kubectl autoscale command

2. The HPA YAML resource file

• Execute the command kubectl create ns hpa-test to create a namespace for the HPA test

• Create a deployment YAML file for HPA testing and save it as example-app.yaml

• Execute the command kubectl create -f example-app.yaml

• Execute the command kubectl get deploy -n hpa-test to make sure the deployment is created and the pod is running

• After the deployment is up and running, create the HPA by executing the command kubectl -n hpa-test autoscale deployment php-apache --cpu-percent=50 --min=1 --max=5

• The declarative form of the same command is to create the following Kubernetes resource

• Execute the command kubectl -n hpa-test get hpa to examine the current state of the HPA

• Execute the command kubectl -n hpa-test get hpa php-apache -o yaml. Currently there is no load on the running application, so the current and desired pod counts both equal the initial number, which is 1

• Execute the command kubectl -n hpa-test get hpa
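• Added example, not from the slides or from the Kubernetes code base: the replica-count rule the HPA applies to the php-apache Deployment above, desiredReplicas = ceil(currentReplicas × currentUtilisation / targetUtilisation), clamped to --min and --max, with the controller's default tolerance of 10% around the target, plus the autoscaling/v2 resource that is the declarative equivalent of the kubectl autoscale command. The per-pod CPU request (200m) and the load figures are constructed, and the scale-down stabilisation window of the real controller is left out. Utilisation is a percentage of resources.requests.cpu, so pods without a CPU request give the HPA nothing to work with; the average_utilization function refuses such input instead of silently scaling

```python
import math

TOLERANCE = 0.1   # kube-controller-manager --horizontal-pod-autoscaler-tolerance default


def average_utilization(pod_usage_millicores, request_millicores):
    """CPU utilisation in percent of the per-pod request, averaged over the pods (what the HPA reads)."""
    if not pod_usage_millicores or request_millicores <= 0:
        raise ValueError("CPU utilisation needs pod metrics and a non-zero resources.requests.cpu")
    return 100.0 * sum(pod_usage_millicores) / (len(pod_usage_millicores) * request_millicores)


def desired_replicas(current_replicas, current_utilization, target_utilization,
                     min_replicas, max_replicas, tolerance=TOLERANCE):
    """ceil(currentReplicas * currentMetric / targetMetric), clamped to [min, max]."""
    ratio = current_utilization / target_utilization
    if abs(ratio - 1.0) <= tolerance:
        desired = current_replicas            # close enough to the target: no scaling
    else:
        desired = math.ceil(current_replicas * ratio)
    return max(min_replicas, min(max_replicas, desired))


def hpa_manifest(namespace, deployment, cpu_percent, min_replicas, max_replicas):
    """autoscaling/v2 equivalent of: kubectl autoscale deployment <name> --cpu-percent --min --max"""
    return {
        "apiVersion": "autoscaling/v2",
        "kind": "HorizontalPodAutoscaler",
        "metadata": {"name": deployment, "namespace": namespace},
        "spec": {
            "scaleTargetRef": {"apiVersion": "apps/v1", "kind": "Deployment", "name": deployment},
            "minReplicas": min_replicas,
            "maxReplicas": max_replicas,
            "metrics": [{"type": "Resource", "resource": {
                "name": "cpu", "target": {"type": "Utilization", "averageUtilization": cpu_percent}}}],
        },
    }


def simulate(load_per_round, request_millicores=200, target=50, min_replicas=1, max_replicas=5):
    """Run the autoscaler over rounds of constructed per-pod CPU usage; returns replicas after each round."""
    replicas = min_replicas
    history = []
    for usage in load_per_round:
        util = average_utilization([usage] * replicas, request_millicores)
        replicas = desired_replicas(replicas, util, target, min_replicas, max_replicas)
        history.append(replicas)
    return history


if __name__ == "__main__":
    print(hpa_manifest("hpa-test", "php-apache", 50, 1, 5))
    # constructed load: three busy rounds at 180m per pod, one quieter round at 60m, then idle
    print(simulate([180, 180, 180, 60, 0]))
```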


Module 4: Persistent Storage in Kubernetes


PersistentVolume and PersistentVolumeClaim

• A PersistentVolume (PV) is a unit of storage made available by a Kubernetes cluster administrator. When a developer wants persistent storage for an application running in the cluster, they create a PersistentVolumeClaim (PVC) to request that storage and mount the claimed volume at a path in the pod

• The claim then binds to any volume that meets its requirements (such as size, access mode, and so on)

• An administrator can create multiple PVs with varying capacity and configuration. Developers are responsible for providing a PVC for storage, and Kubernetes then matches the PVC with an appropriate PV

• If no existing PV matches the PVC, the StorageClass dynamically provisions a PV and binds it to the PVC


PersistentVolume and PersistentVolumeClaim

Persistent Volume Use Cases

• The following are two use cases of persistent volumes:

1. Providing Storage for Database Applications

• Applications that use databases need long-lasting persistent storage. A database application can continuously gather and store millions of records from many sources. If the data disappears when you restart or shut down the database application, that is a serious problem

• As a result, in order to host database applications in a Kubernetes cluster, you must configure their pods to use a PV so that the data remains accessible even after the pod is gone

2. Storage Beyond the Regular Pod Lifecycle

• Besides database applications, there are other types of applications that need long-term storage. Applications that save error logs for later analysis, for instance, need the logs to remain accessible for a long time, even if you terminate or replace the pod


PersistentVolume and PersistentVolumeClaim

• Perform the following steps to create a PersistentVolume and a PersistentVolumeClaim:

Step 1: Write the following YAML code in the tka-pv.yaml file

Step 2: Execute the kubectl apply -f tka-pv.yaml command

Step 3: Create the new file tka-pvc.yaml and write the following YAML code inside it

Step 4: Execute the kubectl create -f tka-pvc.yaml command

Step 5: Execute the kubectl get pvc command to verify the PersistentVolumeClaim status

Step 6: Create a pod file demo-pod.yaml and write the following YAML code inside it

Step 7: Execute the kubectl apply -f demo-pod.yaml command

Step 8: Execute the kubectl get pod command. The pod using the PV and PVC will be created successfully


Access Modes for Volumes

• The following four access modes are available for a PersistentVolume:

1. ReadWriteOnce

2. ReadWriteMany

3. ReadOnlyMany

4. ReadWriteOncePod

1. ReadWriteOnce: the volume can be mounted read-write by a single node. Every pod on that node can read and write to the volume

2. ReadWriteMany: multiple nodes can read and write to the volume

3. ReadOnlyMany: the volume is read-only and can be mounted by multiple nodes

4. ReadWriteOncePod: only a single pod can access the volume
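• The binding between a PVC and an Available PV follows the rules set out in the two topics above: the storage class must match, the PV must offer every access mode the claim asks for (ReadWriteOncePod is checked the same way), and the capacity must be at least the requested size, with the smallest adequate PV chosen. The Python below is an added simulation of that matching written for this course page, not the Kubernetes controller's code; the PV names, sizes and classes are constructed, and when nothing matches it returns None where a real cluster would hand the claim to the StorageClass for dynamic provisioning

```python
BINARY = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}
DECIMAL = {"k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def parse_quantity(q: str) -> int:
    """Convert a Kubernetes storage quantity such as "5Gi" or "500M" to bytes."""
    for suffix, mult in {**BINARY, **DECIMAL}.items():   # binary suffixes are checked first
        if q.endswith(suffix):
            return int(q[:-len(suffix)]) * mult
    return int(q)


def pv_fits_claim(pv: dict, pvc: dict) -> bool:
    spec, want = pv["spec"], pvc["spec"]
    if pv.get("status", {}).get("phase", "Available") != "Available":
        return False                                   # already bound or released
    if spec.get("storageClassName", "") != want.get("storageClassName", ""):
        return False                                   # class must match exactly
    if spec.get("volumeMode", "Filesystem") != want.get("volumeMode", "Filesystem"):
        return False
    if not set(want["accessModes"]) <= set(spec["accessModes"]):
        return False                                   # PV must offer every mode the claim asks for
    return (parse_quantity(spec["capacity"]["storage"])
            >= parse_quantity(want["resources"]["requests"]["storage"]))


def bind(pvs: list, pvc: dict):
    """Bind the smallest Available PV that satisfies the claim; None means dynamic provisioning."""
    candidates = [pv for pv in pvs if pv_fits_claim(pv, pvc)]
    if not candidates:
        return None
    best = min(candidates, key=lambda pv: parse_quantity(pv["spec"]["capacity"]["storage"]))
    best.setdefault("status", {})["phase"] = "Bound"
    best["spec"]["claimRef"] = {"namespace": pvc["metadata"].get("namespace", "default"),
                                "name": pvc["metadata"]["name"]}
    return best["metadata"]["name"]


def make_pv(name, size, modes, storage_class):
    return {"apiVersion": "v1", "kind": "PersistentVolume", "metadata": {"name": name},
            "spec": {"capacity": {"storage": size}, "accessModes": modes,
                     "storageClassName": storage_class, "persistentVolumeReclaimPolicy": "Retain",
                     "hostPath": {"path": f"/mnt/data/{name}"}}}


def make_pvc(name, size, modes, storage_class, namespace="default"):
    return {"apiVersion": "v1", "kind": "PersistentVolumeClaim",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"accessModes": modes, "storageClassName": storage_class,
                     "resources": {"requests": {"storage": size}}}}


def make_pvs():
    """Fresh copies of the constructed sample PVs (names, sizes and classes are made up)."""
    return [
        make_pv("pv-small", "1Gi", ["ReadWriteOnce"], "manual"),
        make_pv("pv-medium", "5Gi", ["ReadWriteOnce"], "manual"),
        make_pv("pv-large", "20Gi", ["ReadWriteOnce"], "manual"),
        make_pv("pv-shared", "10Gi", ["ReadWriteMany", "ReadOnlyMany"], "nfs"),
    ]


if __name__ == "__main__":
    pvs = make_pvs()
    print(bind(pvs, make_pvc("tka-pvc", "2Gi", ["ReadWriteOnce"], "manual")))   # pv-medium
    print(bind(pvs, make_pvc("second", "2Gi", ["ReadWriteOnce"], "manual")))    # pv-large
    print(bind(pvs, make_pvc("third", "2Gi", ["ReadWriteOnce"], "manual")))     # None
```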


Secrets and ConfigMaps in Pods

Secrets

Step 1: Create a new text file Firstname.txt inside the Mysecret folder

Step 2: Create a second file, lastname.txt

Step 3: Go inside the Mysecret folder and execute the kubectl create secret generic secretstone --from-file=C:\Users\training\Downloads\Secret\Mysecret command. The Secret will be created successfully

Step 4: Execute the kubectl get secrets command. The Secret will be shown successfully

ConfigMaps

Step 1: Create a conf.txt file and write a port and a token inside it

Step 2: Execute the kubectl create cm conf --from-file=conf.txt --from-literal=first_name=JOHN --from-literal=last_name=DOE command. The ConfigMap will be created successfully

Step 3: Execute the kubectl get cm command to check the status of the conf ConfigMap
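• The following Python is an added example, not from the slides or from kubectl, showing what the two commands above actually produce: a Secret whose data values are the base64 encoding of each file's contents, keyed by file name, and a ConfigMap whose data is plain text. The file contents and the temporary directory are constructed. The reveal function makes the security point that matters here: base64 is an encoding, not encryption, so anyone granted get on the Secret reads the plaintext; protect Secrets with RBAC and encryption at rest. A token belongs in a Secret rather than in the conf.txt ConfigMap, because ConfigMaps are not treated as sensitive by the cluster

```python
import base64
import os
import tempfile


def secret_from_dir(name: str, directory: str) -> dict:
    """Build the Secret that `kubectl create secret generic <name> --from-file=<dir>` produces."""
    data = {}
    for fname in sorted(os.listdir(directory)):
        path = os.path.join(directory, fname)
        if os.path.isfile(path):                      # each file name becomes a key
            with open(path, "rb") as fh:
                data[fname] = base64.b64encode(fh.read()).decode("ascii")
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name}, "data": data}


def configmap_from(name: str, from_files=(), from_literals=()) -> dict:
    """Build the ConfigMap that `kubectl create cm <name> --from-file=... --from-literal=k=v` produces."""
    data = {}
    for path in from_files:
        with open(path, "r", encoding="utf-8") as fh:
            data[os.path.basename(path)] = fh.read()  # ConfigMap data is plain text, not base64
    for literal in from_literals:
        key, sep, value = literal.partition("=")
        if not sep:
            raise ValueError(f"--from-literal expects key=value, got {literal!r}")
        data[key] = value
    return {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": name}, "data": data}


def reveal(secret: dict, key: str) -> str:
    """What anyone allowed to `get` the Secret sees after base64-decoding it: the plaintext."""
    return base64.b64decode(secret["data"][key]).decode("utf-8")


def build_demo():
    """Recreate the slides' files in a temporary directory (constructed contents) and convert them."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_dir = os.path.join(tmp, "Mysecret")
        os.makedirs(secret_dir)
        with open(os.path.join(secret_dir, "Firstname.txt"), "w", encoding="utf-8") as fh:
            fh.write("John")
        with open(os.path.join(secret_dir, "lastname.txt"), "w", encoding="utf-8") as fh:
            fh.write("Doe")
        conf_path = os.path.join(tmp, "conf.txt")
        with open(conf_path, "w", encoding="utf-8") as fh:
            fh.write("port=8080\ntoken=placeholder-token\n")   # constructed; a real token belongs in a Secret
        secret = secret_from_dir("secretstone", secret_dir)
        cm = configmap_from("conf", from_files=[conf_path],
                            from_literals=["first_name=JOHN", "last_name=DOE"])
    return secret, cm


if __name__ == "__main__":
    s, c = build_demo()
    print(s["data"])                       # base64 values, e.g. 'Sm9obg==' for John
    print(reveal(s, "Firstname.txt"))      # John: base64 is encoding, not encryption
    print(c["data"])
```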


Storage Classes

• A StorageClass describes the "classes" of storage that administrators offer. Different classes might map to quality-of-service levels, backup policies, or arbitrary policies chosen by the cluster administrators

• Kubernetes is neutral regarding what classes should represent. In some other storage systems this concept is referred to as "profiles"

The StorageClass Resource

• Each StorageClass contains the fields provisioner, parameters, and reclaimPolicy, which are used when a PersistentVolume belonging to the class has to be dynamically provisioned

• The name of a StorageClass object is significant, since it is how users request a particular class. Administrators set the name and other parameters of a class when first creating StorageClass objects; once created, the objects cannot be updated

• The following is an example of a StorageClass file:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: standard
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp2
reclaimPolicy: Retain
allowVolumeExpansion: true
mountOptions:
  - debug
volumeBindingMode: Immediate


Headless Services

• When a single Service IP address or load balancing is not required, you can create a headless Service to group pods

• A headless Service does not route traffic or get a cluster IP address. You create one by explicitly setting clusterIP in the manifest file to "None", which indicates that no cluster IP is assigned

• For instance, if you run MongoDB on a single pod, you need a Service definition on top of it so that the pod keeps a stable name across restarts, when it receives a new IP address

• However, load balancing and routing are not what you want; the Service should simply pass the request to the backend pod. A headless Service is used because it has no IP of its own

• Clients can use DNS lookups to find pod IPs in Kubernetes. When you look up a Service via DNS, the DNS server normally returns a single IP address, known as the Service's cluster IP

• If you do not need the cluster IP for your Service and set clusterIP to None, the DNS server instead returns the individual pod IPs, and the client can then connect to any of them


Headless Services

Step 1: Create a deploy.yaml file and write the YAML code inside it

Step 2: Execute the kubectl create -f deploy.yaml command

Step 3: Create the regularserv.yaml file for the regular Service

Step 4: Execute the kubectl create -f regularserv.yaml command

Step 5: Create the headless.yaml file

Step 6: Execute the kubectl create -f headless.yaml command

Step 7: Execute the kubectl get all command. You can see that the headless Service was created successfully


StatefulSets

• A StatefulSet is the workload API object used to manage stateful applications. It manages the deployment and scaling of a set of Pods and provides guarantees about the ordering and uniqueness of those Pods

• Like a Deployment, a StatefulSet manages Pods that are based on an identical container specification. Unlike a Deployment, a StatefulSet maintains a sticky identity for each of its Pods

• Although the Pods are created from the same specification, they are not interchangeable: each has a persistent identifier that it keeps across any rescheduling

• If you want to use storage volumes to provide persistence for your workload, you can use a StatefulSet as part of the solution

• Although individual Pods in a StatefulSet are susceptible to failure, the persistent Pod identifiers make it simpler to

• Perform the following steps to create a StatefulSet:

Step 1: Copy the URL of the GitHub YAML file

Step 2: Execute the kubectl apply -f https://raw.githubusercontent.com/kubernetes/website/master/content/en/examples/application/web/web.yaml command. The StatefulSet will be created successfully

Step 3: Execute the kubectl get pods -w -l app=nginx command. You can see the web-0 and web-1 StatefulSet pods


Module 5: Securing the Cluster


Authentication

• Kubernetes does not manage user accounts natively; it relies on an external source, such as a file with user details, certificates, or a third-party identity service such as LDAP, to manage users. So you cannot create user accounts for developers and administrators inside Kubernetes itself

• A Kubernetes cluster consists of numerous physical or virtual nodes and several components that work together, and it is accessed by:

o Administrators: access the cluster to perform administrative tasks

o Developers: access the cluster to test or deploy applications

o Third-party applications: access the cluster for integration purposes

• Execute the following command to create a ServiceAccount

• Execute the following command to list all ServiceAccounts:

• There are various authentication mechanisms that can be configured:

o A list of usernames and tokens in a static token file

o Third-party authentication protocols such as LDAP

o A list of usernames and passwords in a static password file

o Authentication with certificates
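• To make the first mechanism in the list concrete, the following added Python (written for this page, not part of the Kubernetes code base) parses a static token file in the format the API server reads through --token-auth-file, one CSV line per user of the form token,user,uid,"group1,group2", and resolves an Authorization: Bearer header against it. The tokens, user names and groups are constructed placeholders. Two details a defender should notice: tokens are compared with a constant-time comparison rather than string equality, and every authenticated user is also placed in the system:authenticated group, so any RBAC binding to that group applies to all of these users. The file is read only at API server start-up, so revoking a token means editing the file and restarting the server; the static password file mechanism listed alongside it was removed in Kubernetes 1.19

```python
import csv
import hmac
import io
from typing import Dict, Optional

# Constructed static token file; every token here is a placeholder, not a real credential
TOKEN_FILE = (
    'tkn-alice-placeholder,alice,1001,"dev,qa"\n'
    'tkn-bob-placeholder,bob,1002,ops\n'
    'tkn-ci-placeholder,ci-bot,2001\n'
)


def load_token_file(text: str) -> Dict[str, dict]:
    """Parse the CSV the API server reads via --token-auth-file into token -> user info."""
    users = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        if len(row) < 3:
            raise ValueError(f"line {lineno}: need at least token,user,uid")
        token, name, uid = row[0], row[1], row[2]
        groups = [g.strip() for g in row[3].split(",") if g.strip()] if len(row) > 3 else []
        if token in users:
            raise ValueError(f"line {lineno}: duplicate token")
        users[token] = {"name": name, "uid": uid, "groups": groups}
    return users


def authenticate(users: Dict[str, dict], authorization_header: str) -> Optional[dict]:
    """Resolve 'Authorization: Bearer <token>' to user info, or None when nothing matches."""
    scheme, _, presented = authorization_header.partition(" ")
    presented = presented.strip()
    if scheme.lower() != "bearer" or not presented:
        return None
    match = None
    for token, info in users.items():
        # constant-time comparison of every entry; no early exit on the first hit
        if hmac.compare_digest(token.encode(), presented.encode()):
            match = info
    if match is None:
        return None
    # every authenticated user is also a member of system:authenticated
    return {"name": match["name"], "uid": match["uid"],
            "groups": match["groups"] + ["system:authenticated"]}


if __name__ == "__main__":
    users = load_token_file(TOKEN_FILE)
    print(authenticate(users, "Bearer tkn-alice-placeholder"))
    print(authenticate(users, "Bearer not-a-valid-token"))   # None
```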


Authorization

• Authentication covers how a person obtains credentials for a cluster. Authorization defines what they can do once they have those credentials

Why Authorization?

• As a cluster administrator, you can perform all sorts of operations on the cluster, such as viewing objects like nodes, pods, and deployments, and creating or deleting objects, such as adding or removing pods or even nodes

• What about the other testers, developers, administrators, or applications such as monitoring tools or continuous delivery applications such as Jenkins?

• To give them access to the cluster, you create accounts for them with usernames and passwords, certificates, tokens, or service accounts

• If the user is a developer, for example, you can allow them to view objects but not modify them, while still letting them deploy applications

• When you share your cluster between various teams or organisations by logically partitioning it with namespaces, you want to restrict users' credentials to their own namespaces alone. This is how authorization helps within the cluster

Authorization Modes:

• The Kubernetes API server may authorize a request using one of several authorization modes:

01 Node

02 ABAC

03 RBAC

04 Webhook


Authorization

1. Node

• Node authorization is a special-purpose authorization mode that grants permissions to kubelets based on the pods they are scheduled to run

2. ABAC

• ABAC is attribute-based access control, an access control paradigm in which access rights are granted to users through policies that combine attributes together

• The policies can use any type of attribute (user attributes, resource attributes, object attributes, environment attributes, etc.)

3. RBAC

• RBAC stands for role-based access control. It is a method of regulating access to computer or network resources based on the roles of individual users within an organisation

• In this context, access is the ability of an individual user to perform a specific task, such as view, create, or modify a file

o Role-based access control (RBAC) uses the rbac.authorization.k8s.io API group to drive authorization decisions, allowing admins to dynamically configure permission policies through the Kubernetes API

o To enable RBAC, start the API server with --authorization-mode=RBAC

4. Webhook

• A webhook is an HTTP callback: an HTTP POST that occurs when something happens; a simple event notification via HTTP POST

• A web application implementing webhooks will POST a message to a URL when certain things happen

• For example, Open Policy Agent is a third-party tool that helps with authorization and admission control

AlwaysAllow and AlwaysDeny

• AlwaysAllow: always allow all requests

• AlwaysDeny: always deny all requests

• When you have multiple modes configured, your request is authorized using each one in the order it is specified

• Each time a module declines the request, it is passed to the next one in the chain; as soon as a module approves the request, no further checks are done and the user is granted permission


Kubernetes Security Primitives

• For hosts running production Kubernetes, security is paramount. All access to these hosts must be secured: password-based authentication disabled, root access disabled, and only SSH key-based authentication made available

• There are further measures you need to take to secure the virtual or physical infrastructure that hosts Kubernetes

• Within Kubernetes, the kube-apiserver is at the centre of operations. We communicate with it through the kubectl utility or by accessing the API directly, and through it you can perform almost any operation on the cluster

• Controlling access to the API server itself is therefore the first line of defence:

o Who can access the cluster?

 Who can access the API server is defined by the authentication mechanisms

 There are different ways to authenticate to the API server: user IDs and passwords stored in a static file, tokens, certificates, or integration with external authentication providers. Finally, for machines, you can create service accounts

o What can they do?

 What they can do is defined by the authorization mechanisms:

 RBAC authorization, role-based access control

 ABAC authorization, attribute-based access control

 Node authorization

 Webhook mode

• Within the cluster, all communication between the different components, such as the etcd cluster, scheduler, kube-controller-manager, and API server, and those running on the worker nodes, such as kube-proxy and the kubelet, is secured using TLS encryption

• By default, all pods can access all other pods in the cluster. Using Network Policies, you can restrict access between them


SecurityContexts

• To enforce policies at the pod level, you can use the Kubernetes securityContext field in a pod's specification. A security context describes privilege and access control settings for a Pod or for the individual containers running inside it

• The following are some of the settings that can be configured as part of the Kubernetes securityContext field:

o runAsUser specifies the UID with which each container process runs

o runAsNonRoot is a flag that prevents a container from starting if it would run as root (UID 0)

o runAsGroup specifies the GID used to run the container process entrypoint

o supplementalGroups specifies additional groups (GIDs) for the first process in every container

o fsGroup specifies the group (GID) used for filesystem ownership and new files. It applies to the whole Pod and not to an individual container

o allowPrivilegeEscalation controls whether a process in the container can gain more privileges than its parent process

o readOnlyRootFilesystem mounts the container's root filesystem as read-only

o capabilities controls the Linux capabilities that are added with the 'add' keyword or removed with the 'drop' keyword for the container

o Seccomp filters a process's system calls

o AppArmor uses program profiles to restrict the capabilities of individual programs

o Security-Enhanced Linux (SELinux) assigns security labels to objects

Using runAsUser with Kubernetes SecurityContext

• runAsUser can be used at the container level or at the Pod level

Example: Define runAsUser for the entire Pod

• You have a multi-container pod, and you define the runAsUser parameter under the Pod-level securityContext so that it applies to all the containers running inside the Pod. Create the securitycontext.yaml file

• Create the Pod by running the kubectl create -f securitycontext.yaml command:

• Now check the status of the Pod to confirm that the containers are in the Running state:
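• The securitycontext.yaml used in the slides is not reproduced here, so the following added Python (not the course's or Kubernetes' code) builds a comparable two-container Pod with only a Pod-level runAsUser, shows how the Pod-level values are inherited by each container unless the container's own securityContext overrides them, and runs a small lint over the effective settings. The image names and Pod names are constructed. Of the settings listed above, runAsUser, runAsGroup, runAsNonRoot and seccompProfile can be set on the Pod; privileged, allowPrivilegeEscalation, readOnlyRootFilesystem and capabilities exist only on the container. The lint reports the hardening gaps the slide example leaves open and passes a hardened version of the same Pod

```python
from typing import Dict, List

# Settings that may be set on the Pod and are inherited by each container unless it overrides them
POD_LEVEL = ("runAsUser", "runAsGroup", "runAsNonRoot", "seccompProfile")


def effective_context(pod: dict, container: dict) -> Dict:
    """Merge the Pod-level securityContext into the container's; container values win."""
    pod_sc = pod["spec"].get("securityContext", {})
    merged = {k: v for k, v in pod_sc.items() if k in POD_LEVEL}
    merged.update(container.get("securityContext", {}))
    return merged


def lint_pod(pod: dict) -> List[str]:
    """Flag containers whose effective securityContext leaves a common hardening gap."""
    findings = []
    for c in pod["spec"]["containers"]:
        sc = effective_context(pod, c)
        name = c["name"]
        uid = sc.get("runAsUser")
        if uid == 0:
            findings.append(f"{name}: runAsUser 0 (root)")
        elif uid is None and sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: may run as root (set runAsNonRoot: true or a non-zero runAsUser)")
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not set to false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        dropped = [cap.upper() for cap in sc.get("capabilities", {}).get("drop", [])]
        if "ALL" not in dropped:
            findings.append(f"{name}: does not drop all capabilities")
        if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile")
    return findings


def pod_manifest(name: str, containers: List[dict], pod_context: dict = None) -> dict:
    spec = {"containers": containers}
    if pod_context:
        spec["securityContext"] = pod_context
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


def slide_style_pod() -> dict:
    """Two containers with only a Pod-level runAsUser, like the slides' multi-container example."""
    return pod_manifest("securitycontext-demo", [
        {"name": "web", "image": "example/web:1.0"},                       # constructed image
        {"name": "sidecar", "image": "example/sidecar:1.0", "command": ["sleep", "3600"]},
    ], pod_context={"runAsUser": 1000})


def hardened_pod() -> dict:
    """Same Pod with the container-level settings the lint expects and a seccomp profile."""
    container_sc = {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]}}
    return pod_manifest("securitycontext-hardened", [
        {"name": "web", "image": "example/web:1.0", "securityContext": dict(container_sc)},
        {"name": "sidecar", "image": "example/sidecar:1.0", "command": ["sleep", "3600"],
         "securityContext": dict(container_sc)},
    ], pod_context={"runAsUser": 1000, "runAsGroup": 3000, "runAsNonRoot": True,
                    "seccompProfile": {"type": "RuntimeDefault"}})


if __name__ == "__main__":
    for finding in lint_pod(slide_style_pod()):
        print("slide pod:", finding)
    print("hardened pod findings:", lint_pod(hardened_pod()))   # []
```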


Create and Use Roles and RoleBindings

Cluster Roles

• ClusterRoles are similar to Roles, except that they are for cluster-scoped resources

• For instance, to grant a cluster administrator permissions, a cluster-admin role can be created that allows viewing, creating, or deleting nodes in the cluster

• Similarly, a storage administrator role can be created to authorise a storage administrator to create PersistentVolumes and claims. Specify the rules in a file and create a cluster-scoped definition with the kind ClusterRole. Create the cluster-admin-role.yaml file

• Now create the ClusterRole from that file by using the kubectl create command

Cluster Role Binding

• The next step is to link the user to that ClusterRole. For this, create another object, known as a ClusterRoleBinding. Name it cluster-admin-role-binding

• Now create the ClusterRoleBinding by using the kubectl create command

• ClusterRoles and ClusterRoleBindings are normally used for cluster-scoped resources, but this is not a hard rule: you can create a ClusterRole for namespaced resources as well. When you do that, the user has access to those resources across all namespaces
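• The following added Python ties together the authorization-mode chain from the Authorization topic and the Role, ClusterRole, RoleBinding and ClusterRoleBinding objects just described; it is written for this page and is not the API server's authorizer. The Role and binding contents are constructed, using the cluster-admin-role and cluster-admin-role-binding names from the slides. Two behaviours are worth seeing in code: RBAC never denies a request, it either allows or has no opinion, and in the real API server a Deny from any mode ends the chain immediately while a "no opinion" passes the request to the next mode, with a denial at the end if no mode allowed it. The last sample request shows the point made above, a ClusterRole for the namespaced pods resource bound with a ClusterRoleBinding grants that access in every namespace. The Node and Webhook modes are left out of the chain here

```python
ALLOW, DENY, NO_OPINION = "allow", "deny", "no opinion"


def request(user, groups, verb, resource, namespace=None, api_group=""):
    """Attributes the API server extracts from a request; namespace=None means cluster-scoped."""
    return {"user": user, "groups": list(groups), "verb": verb, "resource": resource,
            "namespace": namespace, "apiGroup": api_group}


def rule_matches(rule, req):
    def allowed(field, value):
        values = rule.get(field, [])
        return "*" in values or value in values
    return (allowed("apiGroups", req["apiGroup"]) and allowed("resources", req["resource"])
            and allowed("verbs", req["verb"]))


def subject_matches(subject, req):
    kind = subject["kind"]
    if kind == "User":
        return subject["name"] == req["user"]
    if kind == "Group":
        return subject["name"] in req["groups"]
    if kind == "ServiceAccount":   # service accounts authenticate under this synthetic user name
        return req["user"] == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False


class RBACAuthorizer:
    def __init__(self, roles, cluster_roles, role_bindings, cluster_role_bindings):
        self.roles = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
        self.cluster_roles = {r["metadata"]["name"]: r for r in cluster_roles}
        self.role_bindings = role_bindings
        self.cluster_role_bindings = cluster_role_bindings

    def _rules(self, binding, namespace):
        ref = binding["roleRef"]
        role = (self.cluster_roles.get(ref["name"]) if ref["kind"] == "ClusterRole"
                else self.roles.get((namespace, ref["name"])))
        return role["rules"] if role else []

    def authorize(self, req):
        # A ClusterRoleBinding grants its ClusterRole in every namespace and for cluster-scoped resources
        bindings = [(b, None) for b in self.cluster_role_bindings]
        # A RoleBinding grants only inside its own namespace, even when it references a ClusterRole
        if req["namespace"] is not None:
            bindings += [(b, b["metadata"]["namespace"]) for b in self.role_bindings
                         if b["metadata"]["namespace"] == req["namespace"]]
        for binding, ns in bindings:
            if (any(subject_matches(s, req) for s in binding.get("subjects", []))
                    and any(rule_matches(r, req) for r in self._rules(binding, ns))):
                return ALLOW
        return NO_OPINION        # RBAC never denies outright; it only declines to allow


class AlwaysAllow:
    def authorize(self, req):
        return ALLOW


class AlwaysDeny:
    def authorize(self, req):
        return DENY


def authorize_chain(authorizers, req):
    """First allow or deny wins; if every mode has no opinion the request is denied."""
    for authorizer in authorizers:
        decision = authorizer.authorize(req)
        if decision != NO_OPINION:
            return decision
    return DENY


def build_demo_authorizer():
    """Constructed RBAC objects; the names follow the slides, the rules and subjects are made up."""
    cluster_roles = [
        {"metadata": {"name": "cluster-admin-role"},
         "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "create", "delete"]}]},
        {"metadata": {"name": "pod-reader"},        # namespaced resource in a ClusterRole
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    ]
    roles = [{"metadata": {"name": "dev-viewer", "namespace": "dev"},
              "rules": [{"apiGroups": ["", "apps"], "resources": ["pods", "deployments"],
                         "verbs": ["get", "list", "watch"]}]}]
    cluster_role_bindings = [
        {"metadata": {"name": "cluster-admin-role-binding"},
         "subjects": [{"kind": "User", "name": "cluster-admin"}],
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin-role"}},
        {"metadata": {"name": "auditors-read-pods"},
         "subjects": [{"kind": "Group", "name": "auditors"}],
         "roleRef": {"kind": "ClusterRole", "name": "pod-reader"}},
    ]
    role_bindings = [{"metadata": {"name": "dev-viewers", "namespace": "dev"},
                      "subjects": [{"kind": "Group", "name": "dev"}],
                      "roleRef": {"kind": "Role", "name": "dev-viewer"}}]
    return RBACAuthorizer(roles, cluster_roles, role_bindings, cluster_role_bindings)


if __name__ == "__main__":
    rbac = build_demo_authorizer()
    print(authorize_chain([rbac], request("cluster-admin", [], "delete", "nodes")))        # allow
    print(authorize_chain([rbac], request("alice", ["dev"], "get", "pods", "prod")))       # deny
    print(authorize_chain([rbac], request("carol", ["auditors"], "list", "pods", "prod"))) # allow
```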


Use Probes and Configure a Restart Policy for Pods

Readiness Probe

• Distributed systems are extremely complex. They have many moving parts, and when one of them has problems, the others must detect it, know not to access it or send requests to it, and, ideally, heal or replace the failed component

• Automated health checks help one component of a distributed system determine when another component is down and attempt to resolve the issue

• By default, a pod in Kubernetes receives traffic as soon as all the containers within it are running. This is sufficient for some deployments, but if you require greater reliability you can use the various types of probes to check the status of the applications running within your pods

• Probes are essentially a way to perform customised health checks on your Kubernetes workloads. A readiness probe determines whether the application in a container is ready to receive traffic

Types of Kubernetes Probes:

• Kubernetes supports the following probe types. If the container does not implement the probe handler, the result for all of these types is always Success:

1. Liveness Probe

2. Readiness Probe

3. Startup Probe

1. Liveness Probe

• Indicates whether the container is running. If so, no action is taken. If not, the kubelet kills and restarts the container

2. Readiness Probe

• Indicates whether the container's application is ready to accept requests. If so, Services matching the pod are permitted to send traffic to it. If not, the endpoints controller removes the pod from all matching Kubernetes Services

3. Startup Probe

• Indicates whether the application running in the container has started. If so, the other probes begin to function. If not, the kubelet kills and restarts the container

When to Use Readiness Probes

• Readiness probes are useful when an application is temporarily malfunctioning and unable to serve traffic. If the application is up and running but not fully available, Kubernetes may be unable to scale it up, and new deployments may fail

• A readiness probe lets Kubernetes wait until the service is active before sending it traffic

• Keep in mind that if you use a readiness probe, Kubernetes only sends traffic to the pod while the probe succeeds

• Execute the command kubectl rollout restart deployment httpd to restart the pods
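• The three probe types above differ in what the kubelet does on a transition, and the transition depends on the probe's failureThreshold (default 3 consecutive failures) and successThreshold (must be 1 for liveness and startup probes). The following added Python (written for this page, not kubelet code) feeds a constructed sequence of probe results through that logic and reports the action taken on each transition: readiness adds or removes the pod from Service endpoints, startup enables the other probes, and liveness and startup failures kill the container, after which the pod's restartPolicy decides whether it is restarted. Timing fields (initialDelaySeconds, periodSeconds, timeoutSeconds) are not modelled; each list element stands for one completed probe attempt

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProbeSpec:
    kind: str                   # "liveness", "readiness" or "startup"
    failure_threshold: int = 3  # Kubernetes default
    success_threshold: int = 1  # must be 1 for liveness and startup probes


class ProbeTracker:
    """Tracks consecutive probe results and reports the kubelet's action on each transition."""

    def __init__(self, spec: ProbeSpec, restart_policy: str = "Always"):
        if spec.kind != "readiness" and spec.success_threshold != 1:
            raise ValueError("successThreshold must be 1 for liveness and startup probes")
        self.spec = spec
        self.restart_policy = restart_policy
        self.successes = 0
        self.failures = 0
        self.passing = False       # readiness: pod is Ready; startup: container has started

    def observe(self, ok: bool) -> Optional[str]:
        """Feed one probe result; return the action the kubelet takes, or None if nothing changes."""
        if ok:
            self.failures = 0
            self.successes += 1
            if not self.passing and self.successes >= self.spec.success_threshold:
                self.passing = True
                if self.spec.kind == "readiness":
                    return "mark Ready: pod added to Service endpoints"
                if self.spec.kind == "startup":
                    return "started: liveness and readiness probes now active"
            return None
        self.successes = 0
        self.failures += 1
        if self.failures < self.spec.failure_threshold:
            return None                       # not yet failureThreshold consecutive failures
        self.failures = 0
        if self.spec.kind == "readiness":
            if self.passing:
                self.passing = False
                return "mark NotReady: pod removed from Service endpoints"
            return None                       # already NotReady: nothing to do
        # liveness and startup: the kubelet kills the container; restartPolicy decides what follows
        if self.restart_policy == "Never":
            return "kill container (restartPolicy=Never, not restarted)"
        return f"kill and restart container (restartPolicy={self.restart_policy})"


def simulate(spec: ProbeSpec, results: List[bool],
             restart_policy: str = "Always") -> List[Tuple[int, str]]:
    """Run constructed probe results through the tracker; returns (index, action) transitions."""
    tracker = ProbeTracker(spec, restart_policy)
    actions = []
    for i, ok in enumerate(results):
        action = tracker.observe(ok)
        if action:
            actions.append((i, action))
    return actions


if __name__ == "__main__":
    T, F = True, False
    print(simulate(ProbeSpec("readiness", failure_threshold=3, success_threshold=2),
                   [T, T, F, F, F, T, T]))
    print(simulate(ProbeSpec("liveness"), [T, F, F, T, F, F, F]))
    print(simulate(ProbeSpec("startup", failure_threshold=30), [F, F, T]))
```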


Module 6: Logging and Monitoring the Cluster


Monitoring the Cluster Using Prometheus

Prometheus Architecture

• The following is the Prometheus architecture:

[Figure: the Prometheus server consists of a data retrieval worker that pulls metrics data from targets, a time series database (storage) that stores the metrics data, and an HTTP server that accepts PromQL queries; the server pushes alerts to the Alertmanager, which notifies Email, Slack, etc.]

Setup with Helm Chart

• Execute the command helm install prometheus prometheus-community/kube-prometheus-stack. Prometheus will be installed successfully and ready to monitor the cluster

• Execute the command kubectl get pod to see all the Prometheus pods. Prometheus will be ready to monitor the cluster


Visualising Cluster Logs Using EFK Stack

EFK Stack

• EFK stands for Elasticsearch, Fluentd, and Kibana. EFK is a popular open-source choice for Kubernetes log aggregation and analysis

EFK Architecture

• The EFK architecture is as follows:

Setup EFK Stack on Kubernetes

• Execute the command wget https://github.com/scriptcamp/kubernetes-efk

Deploy Elasticsearch Statefulset

• Elasticsearch is deployed as a StatefulSet, and its multiple replicas connect to each other through a headless Service. The headless Service provides the DNS domain for the pods

• Create an es-svc.yaml file as given below:

• Execute the command kubectl create -f es-svc.yaml


Jobs

• A Job creates one or more Pods and continues to retry execution of the Pods until a specified number of them successfully terminate

• As Pods successfully complete, the Job tracks the successful completions. When the specified number of successful completions is reached, the task (i.e., the Job) is complete

• Deleting a Job cleans up the Pods it created. Suspending a Job deletes its active Pods until the Job is resumed again

• A simple case is to create one Job object in order to reliably run one Pod to completion. If the first Pod fails or is deleted, the Job object starts a new Pod

• Create a job.yaml file as given below:

• Execute the command kubectl apply -f https://kubernetes.io/examples/controllers/job.yaml


Helm Charts

• To install Helm, first install Scoop

• Execute the command Set-ExecutionPolicy RemoteSigned -scope CurrentUser to set the execution policy

• Execute the command iwr -useb get.scoop.sh | iex to download and run the Scoop package manager installation

• Execute the command scoop install helm to install Helm

Create Helm Chart

• Execute the command helm create phoenix to create a Helm chart

Configure Helm Chart Image Pull Policy

• In the values.yaml file, locate the image values and change the image pullPolicy from IfNotPresent to Always

Helm Chart Name Override

• To override the chart name, add values to nameOverride and fullnameOverride in the values.yaml file

Specify Service Account Name

• Enter the service account name

Change Networking Service Type

• Change the type from ClusterIP to NodePort

Deploy Helm Chart

• Execute the command minikube start

• Execute the command helm install phoenix-chart phoenixnap/ --values phoenixnap/values.yaml

• The helm install command deploys the app


Module 7: Troubleshooting the Cluster


Troubleshooting Application Failures

Debugging Pods

• Check the pod's current state and recent events by executing the command kubectl describe pod httpd-5dfdbf5947-mwxjj

Debugging Services

• Services provide load balancing across a set of pods. There are several common issues that can cause a Service to not work correctly. Execute the command kubectl describe pod httpd-5dfdbf5947-mwxjj to describe the pod that serves as the Service's endpoint

Debug Services

Setup

• Execute the command kubectl create deployment hostnames --image=k8s.gcr.io/serve_hostname

• kubectl commands print the type and name of the resource created or mutated, which can then be used in subsequent commands:

Troubleshooting Cluster Failures

Listing your Cluster

• The first thing to check in your cluster is that all of your nodes are properly registered. Execute the command kubectl get nodes

• Execute the command kubectl describe node minikube


Congratulations

Congratulations on completing this course!

Contact Us

[email protected]

www.theknowledgeacademy.com/tickets

https://uk.trustpilot.com/review/theknowledgeacademy.com