Kubernetes

Exploring Containerization on AWS: Insights into ECS, EKS, Fargate, and ECR

Imagine exploring a vast universe, not of stars and galaxies, but of containers and cloud services. In AWS, this universe is populated by stellar services like ECS, EKS, Fargate, and ECR. Each, with its unique characteristics, serves different purposes, like stars in the constellation of cloud computing.

ECS: The Versatile Heart of AWS, ECS is like an experienced team of astronauts, managing entire fleets of containers efficiently. Picture a global logistics company using ECS to coordinate real-time shipping operations. Each container is a digital package, precisely transported to its destination. The scalability and security of ECS ensure that, even on the busiest days, like Black Friday, everything flows smoothly.

EKS: Kubernetes Orchestration in AWS, Think of EKS as a galactic explorer, harnessing the power of Kubernetes within the AWS cosmos. A university hospital uses EKS to manage electronic medical records. Like an advanced navigation system, EKS directs information through complex routes, maintaining the integrity and security of critical data, even as it expands into new territories of research and treatment.

Fargate: Containers without Server Chains, Fargate is like the anti-gravity of container services: it removes the weight of managing servers. Imagine a TV network using Fargate to broadcast live events. Like a spaceship that automatically adjusts to space conditions, Fargate scales resources to handle millions of viewers without the network having to worry about technical details.

ECR: The Image Warehouse in AWS Space, Finally, ECR can be seen as a digital archive in space, where container images are securely stored. A gaming startup stores versions of its software in ECR, ready to be deployed at any time. Like a well-organized archive, ECR allows this company to quickly retrieve what it needs, ensuring the latest games hit the market faster.

The Elegant Transition: From Complex Orchestration to Streamlined Efficiency

ECS: When Precision and Control Matter, Use ECS when you need fine-grained control over your container orchestration. It’s like choosing a manual transmission over automatic; you get to decide exactly how your containers run, network, and scale. It’s perfect for customized workflows and specific performance needs, much like a tailor-made suit.

EKS: For the Kubernetes Enthusiasts, Opt for EKS when you’re already invested in Kubernetes or when you need its specific features and community-driven plugins. It’s like using a Swiss Army knife; it offers flexibility and a range of tools, ideal for complex applications that require Kubernetes’ extensibility.

Fargate: Simplicity and Efficiency First, Choose Fargate when you want to focus on your application rather than infrastructure. It’s akin to flying autopilot; you define your destination (application), and Fargate handles the journey (server and cluster management). It’s best for straightforward applications where efficiency and ease of use are paramount.

ECR: Enhanced Container Registry for Docker and OCI Images

Leverage ECR for a secure, scalable environment to store and manage not just your Docker images but also OCI (Open Container Initiative) images. Envision ECR as a high-security vault that caters to the most utilized image format in the industry while also embracing the versatility of OCI standards. This dual compatibility ensures seamless integration with ECS and EKS and positions ECR as a comprehensive solution for modern container image management—crucial for organizations committed to security and forward compatibility.

Synthesizing Our Cosmic AWS Voyage

In this expedition through AWS’s container services, we’ve not only explored the distinct capabilities of ECS, EKS, Fargate, and ECR but also illuminated the scenarios where each shines brightest. Like celestial guides in the vast expanse of cloud computing, these services offer tailored paths to stellar solutions.

Choosing between them is less about picking the ‘best’ and more about aligning with your specific mission needs. Whether it’s the tailored precision of ECS, the expansive toolkit of EKS, the streamlined simplicity of Fargate, or the secure repository of ECR, each service is a specialized instrument in our technological odyssey.

Remember, understanding these services is not just about comprehending their technicalities but about appreciating their place in the grand scheme of cloud innovation. They are not just tools; they are the building blocks of modern digital architectures, each playing a pivotal role in scripting the future of technology.

Essential Tools and Services Before Diving into Kubernetes

Embarking on the adventure of learning Kubernetes can be akin to preparing for a daring voyage across the vast and unpredictable seas. Just as ancient mariners needed to understand the fundamentals of celestial navigation, tide patterns, and ship handling before setting sail, modern digital explorers must equip themselves with a compass of knowledge to navigate the Kubernetes ecosystem.

As you stand at the shore, looking out over the Kubernetes horizon, it’s important to gather your charts and tools. You wouldn’t brave the waves without a map or a compass, and in the same vein, you shouldn’t dive into Kubernetes without a solid grasp of the principles and instruments that will guide you through its depths.

Equipping Yourself with the Mariner’s Tools

Before hoisting the anchor, let’s consider the mariner’s tools you’ll need for a Kubernetes expedition:

The Compass of Containerization: Understand the world of containers, as they are the vessels that carry your applications across the Kubernetes sea. Grasping how containers are created, managed, and orchestrated is akin to knowing how to read the sea and the stars.
The Sextant of Systems Knowledge: A good grasp of operating systems, particularly Linux, is your sextant. It helps you chart positions and navigate through the lower-level details that Kubernetes manages.
The Maps of Cloud Architecture: Familiarize yourself with the layout of the cloud—the ports, the docks, and the routes that services take. Knowledge of cloud environments where Kubernetes often operates is like having detailed maps of coastlines and harbors.
The Rigging of Networking: Knowing how data travels across the network is like understanding the rigging of your ship. It’s essential for ensuring your microservices communicate effectively within the Kubernetes cluster.
The Code of Command Line: Proficiency in the command line is your maritime code. It’s the language spoken between you and Kubernetes, allowing you to deploy applications, inspect the state of your cluster, and navigate through the ecosystem.

Setting Sail with Confidence

With these tools in hand, you’ll be better equipped to set sail on the Kubernetes seas. The journey may still hold challenges—after all, the sea is an ever-changing environment. But with preparation, understanding, and the right instruments, you can turn a treacherous trek into a manageable and rewarding expedition.

In the next section, we’ll delve into the specifics of each tool and concept, providing you with the knowledge to not just float but to sail confidently into the world of Kubernetes.

The Compass and the Map: Understanding Containerization

Kubernetes is all about containers, much like how a ship contains goods for transport. If you’re unfamiliar with containerization, think of it as a way to package your application and all the things it needs to run. It’s as if you have a sturdy ship, a reliable compass, and a detailed map: your application, its dependencies, and its environment, all bundled into a compact container that can be shipped anywhere, smoothly and without surprises. For those setting out to chart these waters, there’s a beacon of knowledge to guide you: IBM offers a clear and accessible introduction to containerization, complete with a friendly video. It’s an ideal port of call for beginners to dock at, providing the perfect compass and map to navigate the fundamental concepts of containerization before you hoist your sails with Kubernetes.

Hoisting the Sails: Cloud Fundamentals

Next, envision the cloud as the vast ocean through which your Kubernetes ships will voyage. The majority of Kubernetes journeys unfold upon this digital sea, where the winds of technology shift with swift and unpredictable currents. Before you unfurl the sails, it’s paramount to familiarize yourself with the fundamentals of the cloud—those concepts like virtual machines, load balancers, and storage services that form the very currents and trade winds powering our voyage.

This knowledge is the canvas of your sails and the wood of your rudder, essential for harnessing the cloud’s robust power, allowing you to navigate its expanse swiftly and effectively. Just as sailors of yore needed to understand the sea’s moods and movements, so must you grasp how cloud environments support and interact with containerized applications.

For mariners eager to chart these waters, there exists a lighthouse of learning to illuminate your path: Here you can find a concise and thorough exploration of cloud fundamentals, including an hour-long guided video voyage that steps through the essential cloud services that every modern sailor should know. Docking at this knowledge harbor will equip you with a robust set of navigational tools, ensuring that your journey into the world of Kubernetes is both educated and precise.

Charting the Course: Declarative Manifests and YAML

Just as a skilled cartographer lays out the oceans, continents, and pathways of the world with care and precision, so does YAML serve as the mapmaker for your Kubernetes journey. It’s in these YAML files where you’ll chart the course of your applications, declaring the ports of call and the paths you wish to traverse. Mastering YAML is akin to mastering the reading of nautical charts; it’s not just about plotting a course but understanding the depths and the tides that will shape your voyage.

The importance of these YAML manifests cannot be overstated—they are the very fabric of your Kubernetes sails. A misplaced indent, like a misread star, can lead you astray into the vastness, turning a straightforward journey into a daunting ordeal. Becoming adept in YAML’s syntax, its nuances, and its structure is like knowing your ship down to the very last bolt—essential for weathering the storms and capitalizing on the fair winds.

To aid in this endeavor, Geekflare sets a lantern on the dark shores with their introduction to YAML, a guide as practical and invaluable as a sailor’s compass. It breaks down the elements of a YAML file with simplicity and clarity, complete with examples that serve as your constellations in the night sky. With this guide, the once cryptic symbols of YAML become familiar landmarks, guiding you toward your destination with confidence and ease.

So hoist your sails with the knowledge that the language of Kubernetes is written in YAML. It’s the lingo of the seas you’re about to navigate, the script of the adventures you’re about to write, and the blueprint of the treasures you’re set to uncover in the world of orchestrated containers.

Understanding the Stars: Networking Basics

In the age of exploration, navigators used the stars to guide their vessels across the uncharted waters. Today, in the realm of Kubernetes, the principles of networking serve as your celestial guideposts. It’s not merely about the rudimentary know-how of connecting points A to B; it’s about understanding the language of the digital seas, the signals that pass like whispers among ships, and the lighthouses that guide them to safe harbor.

Just as a sailor must understand the roles of different stars in the night sky, a Kubernetes navigator must grasp the intricacies of network components. Forward and Reverse Proxies, akin to celestial twins, play a critical role in guiding the data flow. To delve into their mysteries and understand their distinct yet complementary paths, consider my explorations in these realms: Exploring the Differences Between Forward and Reverse Proxies and the vital role of the API Gateway, a beacon in the network universe, detailed in How API Gateways Connect Our Digital World.

The network is the lifeblood of the Kubernetes ecosystem, carrying vital information through the cluster like currents and tides. Knowing how to chart the flow of these currents—grasping the essence of IP addresses, appreciating the beacon-like role of DNS, and navigating the complex routes data travels—is akin to a sailor understanding the sea’s moods and whims. This knowledge isn’t just ‘useful’; it’s the cornerstone upon which the reliability, efficiency, and security of your applications rest.

For those who wish to delve deeper into the vastness of network fundamentals, IBM casts a beam of clarity across the waters with their guide to networking. This resource simplifies the complexities of networking, much like a skilled astronomer simplifying the constellations for those new to the celestial dance.

With a firm grasp of networking, you’ll be equipped to steer your Kubernetes cluster away from the treacherous reefs and into the calm waters of successful deployment. It’s a knowledge that will serve you not just in the tranquil bays but also in the stormiest conditions, ensuring that your applications communicate and collaborate, just as a fleet of ships work in unison to conquer the vast ocean.

The Crew: Command Line Proficiency

Just as a seasoned captain relies on a well-trained crew to navigate through the roiling waves and the capricious winds, anyone aspiring to master Kubernetes must rely on the sturdy foundation of the Linux command line. The terminal is your deck, and the commands are your crew, each with their own specialized role in ensuring your journey through the Kubernetes seas is a triumphant one.

In the world of Kubernetes, your interactions will largely be through the whispers of the command line, echoing commands across the vast expanse of your digital fleet. To be a proficient captain in this realm, you must be versed in the language of the Linux terminal. It’s the dialect of directories and files, the vernacular of processes and permissions, the lingo of networking and resource management.

The command line is your interface to the Kubernetes cluster, just as the wheel and compass are to the ship. Here, efficiency is king. Knowing the shortcuts and commands—the equivalent of the nautical knots and navigational tricks—can mean the difference between smooth sailing and being lost at sea. It’s about being able to maneuver through the turbulent waters of system administration and scriptwriting with the confidence of a navigator charting a course by the stars.

While ‘kubectl’ will become your trusty first mate once you’re adrift in Kubernetes waters, it’s the Linux command line that forms the backbone of your vessel. With each command, you’ll set your applications in motion, you’ll monitor their performance, and you’ll adjust their course as needed.

For the Kubernetes aspirant, familiarity with the Linux command line isn’t just recommended, it’s essential. It’s the skill that keeps you buoyant in the surging tides of container orchestration.

To help you in this endeavor, FreeCodeCamp offers an extensive guide on the Linux command line, taking you from novice sailor to experienced navigator. This tutorial is the wind in your sails, propelling you forward with the knowledge and skills necessary to command the Linux terminal with authority and precision. So, before you hoist the Kubernetes flag and set sail, ensure you have spent time on the command line decks, learning each rope and pulley. With this knowledge and the guide as your compass, you can confidently take the helm, command your crew, and embark on the Kubernetes odyssey that awaits.

New Horizons: Beyond the Basics

While it’s crucial to understand containerization, cloud fundamentals, YAML, networking, and the command line, the world of Kubernetes is ever-evolving. As you grow more comfortable with these basics, you’ll want to explore the archipelagos of advanced deployment strategies, stateful applications with persistent storage, and the security measures that will protect your fleet from pirates and storms.

The Captains of the Clouds: Choosing Your Kubernetes Platform

In the harbor of cloud services, three great galleons stand ready: Amazon EKS, Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE). Each offers a seasoned crew and a vessel ready to brave the Kubernetes seas. While they share the same end goal, their tools, and amenities differ. Choose your ship wisely, captain, for it will be your home throughout your Kubernetes adventures.

The Journey Begins

Remember, Kubernetes is more than a technology; it’s a journey. As you prepare to embark on this adventure, know that the seas can be choppy, but with preparation, a clear map, and a skilled crew, you’ll find your way to the treasure of scalable, resilient, and efficient applications. So, weigh anchor and set sail; the world of Kubernetes awaits.

December 3, 2023 by Fernando SRE Cloud stuff DevOps stuff Kubernetes Linux Stuff 0

Kubectl Edit: Performing Magic in Kubernetes

‘Kubectl edit’ is an indispensable command-line tool for Kubernetes users, offering the flexibility to modify resource definitions dynamically. This article aims to demystify ‘Kubectl edit,’ explaining its utility and showcasing real-world applications.

What is ‘Kubectl Edit’?

‘Kubectl edit’ is a command that facilitates live edits to Kubernetes resource configurations, such as pods, services, deployments, or other resources defined in YAML files. It’s akin to wielding a magic wand, allowing you to tweak your resources without the hassle of creating or applying new configuration files.

Why is ‘Kubectl Edit’ Valuable?

Real-Time Configuration Changes: It enables immediate adjustments, making it invaluable for troubleshooting or adapting to evolving requirements.

Quick Fixes: It’s perfect for addressing issues or misconfigurations swiftly, without the need for resource deletion and recreation.

Experimentation: Ideal for experimenting and fine-tuning settings, helping you discover the best configurations for your applications.

Basic Syntax

The basic syntax for ‘Kubectl edit’ is straightforward:

kubectl edit <resource-type> <resource-name>

<resource-type>: The type of Kubernetes resource you want to edit (e.g., pod, service, deployment).
<resource-name>: The name of the specific resource to edit.

Real-Life Examples

Let’s explore practical examples to understand how ‘Kubectl edit’ can be effectively utilized in real scenarios.

Example 1: Modifying a Pod Configuration

Imagine needing to adjust the resource requests and limits for a pod named ‘my-pod.’ Execute:

kubectl edit pod my-pod

This command opens the pod’s configuration in your default text editor. You’ll see a YAML file similar to this:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  ...
spec:
  containers:
  - name: my-container
    image: my-image
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
  ...

In this file, focus on the resources section under containers. Here, you can modify the CPU and memory settings. For instance, to increase the CPU request to 500m and the memory limit to 256Mi, you would change the lines to:

   resources:
      requests:
        memory: "64Mi"
        cpu: "500m"
      limits:
        memory: "256Mi"
        cpu: "500m"

After making these changes, save and close the editor. Kubernetes will apply these updates to the pod ‘my-pod.’

Example 2: Updating a Deployment

To modify a deployment’s replicas or image version, use ‘kubectl edit’:

kubectl edit deployment my-deployment

This command opens the deployment’s configuration in your default text editor. You’ll see a YAML file similar to this:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
  ...
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-container
        image: my-image:v1.0
        ports:
        - containerPort: 80
  ...

In this file, focus on the following sections:

To change the number of replicas, modify the replicas field. For example, to scale up to 5 replicas:

spec:
  replicas: 5

To update the image version, locate the image field under containers. For instance, to update to version v2.0 of your image:

 containers:
    - name: my-container
      image: my-image:v2.0

Save and close the editor and Kubernetes will apply these updates to the deployment ‘my-deployment.’

Example 3: Adjusting a Service

To fine-tune a service’s settings, such as changing the service type to LoadBalancer, you would use the command:

kubectl edit service my-service

The command will open the service’s configuration in your default text editor. You’ll likely see a YAML file similar to this:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  ...
spec:
  type: ClusterIP
  selector:
    app: my-app
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9376
  ...

In this file, focus on the spec section:

To change the service type to LoadBalancer, modify the type field. For example:

spec:
  type: LoadBalancer

This change will alter the service type from ClusterIP to LoadBalancer, enabling external access to your service.

After making these changes, save and close the editor. Kubernetes will apply these updates to the service ‘my-service.’

Real-World Example: Debugging and Quick Fixes

If a pod is crashing due to a misconfigured environment variable, something I’ve seen happen countless times, use ‘kubectl edit’ to quickly access and correct the pod’s configuration, significantly reducing the downtime.

kubectl edit pod crashing-pod

Executing such a command will open the pod’s configuration in your default text editor, and you’ll likely see a YAML file similar to this:

apiVersion: v1
kind: Pod
metadata:
  name: crashing-pod
  ...
spec:
  containers:
  - name: my-container
    image: my-image
    env:
      - name: ENV_VAR
        value: "incorrect_value"
    ...

In this file, focus on the env section under containers. Here, you can find and correct the misconfigured environment variable. For instance, if ENV_VAR is set incorrectly, you would change it to the correct value:

    env:
      - name: ENV_VAR
        value: "correct_value"

After making this change, save and close the editor. Kubernetes will apply the update, and the pod should restart without the previous configuration issue.

It’s Not Magic: Understand What Happens Behind the Scenes

When you save changes made in the editor through kubectl edit, Kubernetes doesn’t simply apply these changes magically. Instead, a series of orchestrated steps occur to ensure that your modifications are implemented correctly and safely. Let’s demystify this process:

Parsing and Validation: First, Kubernetes parses the edited YAML or JSON file to ensure it’s correctly formatted. It then validates the changes against the Kubernetes API’s schema for the specific resource type. This step is crucial to prevent configuration errors from being applied.

Resource Versioning: Kubernetes keeps track of the version of each resource configuration. When you save your changes, Kubernetes checks the resource version in your edited file against the current version in the cluster. This is to ensure that you’re editing the latest version of the resource and to prevent conflicts.

Applying Changes: If the validation is successful and the version matches, Kubernetes proceeds to apply the changes. This is done by updating the resource’s definition in the Kubernetes API server.

Rolling Updates and Restart: Depending on the type of resource and the nature of the changes, Kubernetes may perform a rolling update. For example, if you edited a Deployment, Kubernetes would start creating new pods with the updated configuration and gradually terminate the old ones, ensuring minimal disruption.

Feedback Loop: Kubernetes controllers continuously monitor the state of resources. If the applied changes don’t match the desired state (for instance, if a new pod fails to start), Kubernetes attempts to rectify this by reverting to a previous, stable configuration.

Status Update: Finally, the status of the resource is updated to reflect the changes. You can view this status using commands like ‘kubectl get’ or ‘kubectl describe’ to ensure that your changes have been applied and are functioning as expected.

By understanding these steps, you gain insight into the robust and resilient nature of Kubernetes’ configuration management. It’s not just about making changes; it’s about making them in a controlled, reliable manner.

In Closing

‘Kubectl edit’ is a powerful tool for optimizing Kubernetes resources, offering simplicity and efficiency. With the examples provided, you’re now equipped to confidently fine-tune settings, address issues, and experiment with configurations, ensuring the smooth and efficient operation of your Kubernetes applications.

November 14, 2023 by Fernando SRE DevOps stuff Kubernetes 1

Are You Using “kubectl auth can-i”?. The Underutilized Command You Need to Know

In the Kubernetes realm, ensuring the security and proper assignment of roles and permissions within a cluster is paramount. Kubernetes administrators often face the challenge of verifying whether a particular user or service account has the necessary permissions to act. This is where the often underutilized ‘kubectl auth can-i’ command comes into play, offering a straightforward way to check access rights without executing the actual operation.

The Power of ‘kubectl auth can-i’:

The ‘kubectl auth can-i’ command is a part of the Kubernetes command-line tool that allows you to query the Kubernetes RBAC (Role-Based Access Control) to check if a user, group, or service account can perform a specific action. It’s an invaluable command for DevOps engineers and Kubernetes administrators to verify and troubleshoot permissions.

Basic Usage: To use ‘kubectl auth can-i’, you simply follow the syntax:

kubectl auth can-i <verb> <resource>

For example, if you want to check if your current user can create deployments in the default namespace, you would use:

kubectl auth can-i create deployments

Checking Permissions for a Service Account:

Let’s say you have a service account named ‘monitoring-sa’ in the ‘monitoring’ namespace, and you want to check if it has permission to list endpoints (which is crucial for service discovery in monitoring solutions). You could run:

kubectl auth can-i list endpoints --namespace monitoring --as system:serviceaccount:monitoring:monitoring-sa

This command will return ‘yes’ if the service account has the required permissions, or ‘no’ if it does not.

Advanced Examples:

You can also use ‘kubectl auth can-i’ to check permissions for verbs that are not part of the standard Kubernetes API. For instance, if you’re using Custom Resource Definitions (CRDs), you can check permissions for these as well:

kubectl auth can-i create mycustomresources.mydomain.com --as system:serviceaccount:monitoring:monitoring-sa

Besides checking permissions for standard Kubernetes API actions and Custom Resource Definitions (CRDs), ‘kubectl auth can-i’ can be used to verify permissions for specific API subresources. Subresources like ‘status’ and ‘scale’ are important for certain operations and can have separate permissions from the main resource.

For instance, if you want to check if a service account has the permission to update the status of a deployment, which is a common requirement for continuous deployment setups, you could use:

kubectl auth can-i update deployments/status --namespace production --as system:serviceaccount:default:deploy-sa

This command will check if the ‘deploy-sa’ service account in the ‘default’ namespace has permission to update the status subresource of deployments in the production namespace.

Another advanced use case is checking permissions for pod exec, which is crucial for debugging:

kubectl auth can-i create pod/exec --namespace development --as system:serviceaccount:default:debug-sa

This will verify if the ‘debug-sa’ service account in the ‘default’ namespace is allowed to execute commands in pods within the ‘development’ namespace. This is particularly useful when setting up service accounts for CI/CD pipelines that need to perform diagnostic commands in running pods.

By providing multiple advanced examples, we can demonstrate the versatility of the ‘kubectl auth can-i’ command in managing complex permission scenarios in Kubernetes.

Looking Ahead:

The ‘kubectl auth can-i’ command is a simple yet powerful tool to help manage and verify permissions within a Kubernetes cluster. It’s an essential command for anyone responsible for the security and integrity of their Kubernetes environment.

Remember, always verify before you deploy!

November 3, 2023 by Fernando SRE DevOps stuff Kubernetes 0

Basics: Kubernetes ConfigMaps and Secrets

Kubernetes offers robust tools for managing application configurations and safeguarding sensitive data: ConfigMaps and Secrets. This article provides hands-on examples to help you grasp these concepts.

What are ConfigMaps?

ConfigMaps in Kubernetes are designed to manage non-sensitive configuration data. They are generally created using YAML files that specify the configuration parameters.

Example: Environment Variables

Consider an application that requires a database URL and an API key. You can use a ConfigMap to set these as environment variables. Here’s a sample YAML file:

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  DB_URL: jdbc:mysql://localhost:3306/db
  API_KEY: key123

Mounting ConfigMaps as Volumes

ConfigMaps can also be mounted as volumes, making them accessible to pods as files. This is useful for configuration files or scripts.

Example: Mount as Volume

To mount a ConfigMap as a volume, you can modify the pod specification like this:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
  - name: my-container
    image: my-image
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
  - name: config-volume
    configMap:
      name: app-config

What are Secrets?

Secrets are used for storing sensitive information like passwords and API tokens securely. It’s important to note that the data in Secrets should be encoded in base64 for an added layer of security.

Example: Secure API Token

To store an API token securely, you can create a Secret like this:

apiVersion: v1
kind: Secret
metadata:
  name: api-secret
data:
  API_TOKEN: base64_encoded_token

To generate a base64-encoded token, you can use the following command:

echo -n 'your_actual_token' | base64

In Summary

ConfigMaps and Secrets are indispensable tools in Kubernetes for managing configuration data and sensitive information. Understanding how to use them effectively is crucial for any Kubernetes deployment.

October 25, 2023 by Fernando SRE DevOps stuff Kubernetes 0

Understanding the Differences: kubectl exec vs kubectl attach

Kubernetes has become a cornerstone in the container orchestration world, and being adept at maneuvering through the Kubernetes environment is crucial for DevOps professionals.

Among the various tools at our disposal, kubectl stands out as an essential command-line tool for interacting with clusters.

kubectl exec

The kubectl exec command is utilized to run commands in a specific container within a Pod.

When you execute kubectl exec, it creates a new terminal session inside the container which allows for both interactive and non-interactive command execution.

Example: Suppose you have a running Pod hosting a web service and you wish to check the contents of a specific directory. You could use kubectl exec to run the ls command in the container, listing the files in that directory.

kubectl attach

On the other hand, kubectl attach allows you to attach to a running process within a container.

Unlike kubectl exec, kubectl attach connects to an existing terminal session, allowing you to observe the standard output and error of the running process.

Example: If you have a Pod running an application that writes logs to standard output, you could use kubectl attach to view these logs in real time.

Summarizing:

While kubectl exec spawns a new terminal session, kubectl attach connects to an existing session.

kubectl exec is more versatile for executing arbitrary commands, whereas kubectl attach is useful for interacting with running processes and observing their real-time behavior.

The key takeaway is understanding when to use kubectl exec versus kubectl attach based on the task at hand.

October 18, 2023 by Fernando SRE DevOps stuff Kubernetes 0

Understanding Kubernetes: CRDs, Resource Definitions, and Operators

Kubernetes has made a significant impact as a container orchestration tool, but it’s crucial to understand that its utility doesn’t end there. One of its most compelling features is the ability to extend its API with Custom Resource Definitions (CRDs), especially since Kubernetes version 1.7. This article delves into what CRDs are, why they are essential, and how they work in conjunction with controllers to simplify complex tasks within a Kubernetes cluster.

.- What are Custom Resource Definitions (CRDs)?

CRDs act as extensions of the Kubernetes API, allowing users to create new types of resources without adding another API server. Simply put, CRDs serve as vehicles to extend the Kubernetes ecosystem. They are vital for enriching Kubernetes functionalities beyond its basic scope.

.- Basic Kubernetes Functionality Without CRDs

In an out-of-the-box Kubernetes setup, users can define deployments that spawn replica sets, which in turn create pods for running containers. Users can also set up services and ingress controllers for network access to these containers. However, this native functionality has limitations, such as lacking an in-built storage solution.

.- The Need for Extending Kubernetes

The real power of Kubernetes lies in its extensibility. Almost every third-party tool or service designed for Kubernetes operates through CRDs, which extend your cluster’s functionalities. For instance, if you are implementing a service mesh like Istio, it will extend your cluster with several CRDs like VirtualServices and Gateways.

.- The Role of Controllers in CRDs

CRDs by themselves are not functional. When a custom resource is created, the Kubernetes API only signals an event stating that a resource is created. Controllers respond to these events. They watch for specific changes to custom resources and take action accordingly, thereby breathing life into CRDs.

.- Benefits of Using CRDs and Controllers

The duo of CRDs and controllers can significantly simplify many tasks. They move the heavy lifting from the client-side to the server-side, reducing complexity and eliminating the need for client-side templating solutions. As a result, end-users can define their applications in a more Kubernetes-native way, without diving into the lower-level details.

Example: Creating a Simple CRD:

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: myresources.mycompany.com
spec:
  group: mycompany.com
  versions:
    - name: v1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                key:
                  type: string

.- Understanding Kubernetes Operators

After we’ve laid down the groundwork by discussing CRDs and controllers, it’s essential to touch upon Kubernetes Operators, which bring the two together in a well-organized manner. In essence, an Operator is a method of packaging, deploying, and managing a Kubernetes application.

An Operator extends Kubernetes to automate the management of the entire lifecycle of a particular application, API, or resource. It builds upon the basic Kubernetes resource and controller concepts but includes domain or application-specific knowledge to automate common tasks. For example, an Operator could manage a database cluster, handling tasks such as backups, updates, and scaling.

.- Using an Operator to Manage a Database Cluster

Imagine you have a PostgreSQL database running within your Kubernetes cluster. You could deploy a PostgreSQL Operator that automatically handles routine tasks like backups, updates, or even scaling. This Operator would use CRDs to understand custom resources that define the desired state for these tasks and use a controller to ensure the current state matches the desired state.

Here is a simplified YAML example defining a PostgresCluster custom resource, which could be managed by a PostgreSQL Operator:

Example: Using an Operator to Manage a Database Cluster

apiVersion: postgresql.org/v1
kind: PostgresCluster
metadata:
  name: my-postgres-cluster
spec:
  replicas: 3
  version: "12"
  backup:
    enabled: true
    schedule: "0 0 * * *"

.- Recommendations and Best Practices

While CRDs and controllers offer immense utility, it’s critical to rely on established practices and tools when implementing them. Do not attempt to write your controllers manually unless you are very experienced; instead, rely on tools like Operator SDK for creating operators for your CRDs.

.- Wrapping Up

We’ve explored the powerful features Kubernetes provides beyond its basic functionalities. Custom Resource Definitions (CRDs) allow us to extend the Kubernetes API, enabling more tailored operations within our cluster. Controllers breathe life into these CRDs by reacting to events and ensuring that the state of our resources aligns with our specifications.

Moreover, we touched upon Kubernetes Operators, which encapsulate both CRDs and controllers, along with domain-specific logic, to manage complex applications effortlessly. Operators serve as the cherry on top in the Kubernetes extensibility model, automating routine tasks and simplifying cluster management even further.

By embracing CRDs, controllers, and operators, we can exploit Kubernetes’ full potential and create an environment that’s not only flexible but also significantly easier to manage. As Kubernetes continues to evolve, leveraging these elements will undoubtedly make our journey in the cloud-native world much smoother.

October 11, 2023 by Fernando SRE DevOps stuff Kubernetes 0

Decoding Kubernetes: When HPA Can’t Fetch Metrics

The Horizontal Pod Autoscaler (HPA) is pivotal in Kubernetes. It’s like our trusty assistant, automatically adjusting the number of pods in a deployment according to observed metrics like CPU usage. However, there are moments when it encounters hurdles. One such instance is when you stumble upon error messages such as:

Name:                                                  widget-app-sun
Namespace:                                             development
...
Metrics:                                               ( current / target )
  resource cpu on pods  (as a percentage of request):  <unknown> / 55%
Min replicas:                                          1
Max replicas:                                          3
Deployment pods:                                       1 current / 0 desired
Conditions:
  Type           Status  Reason                   Message
  ----           ------  ------                   -------
  AbleToScale    True    SucceededGetScale        the HPA controller was able to get the target's current scale
  ScalingActive  False   FailedGetResourceMetric  the HPA was unable to compute the replica count: unable to get metrics for resource cpu: no metrics returned from resource metrics API
Events:
  Type     Reason                        Age                 From                       Message
  ----     ------                        ----                ----                       -------
  Warning  FailedComputeMetricsReplicas  20m (x20 over 9m)   horizontal-pod-autoscaler  invalid metrics (1 invalid out of 1), first error is: failed to get cpu utilization: unable to get metrics for resource cpu: no metrics returned from resource metrics API
  Warning  FailedGetResourceMetric       12s (x29 over 9m)   horizontal-pod-autoscaler  unable to get metrics for resource cpu: no metrics returned from resource metrics API

What’s the Scoop?

This cryptic message is essentially HPA’s way of saying, “I’m having a hard time fetching those CPU metrics I need.” But why? Here are a few culprits:

Perhaps Metrics-server isn’t installed or isn’t operating correctly.
Maybe Metrics-server is present, but it’s struggling to fetch metrics from the nodes.
It could be a misconfiguration on HPA’s end.
Sometimes, network policies or RBAC restrictions come into play, obstructing access to the metrics API.

The Detective Work: Troubleshooting Steps

.- Is Metrics-server Onboard?

kubectl get deployments -n kube-system | grep metrics-server

metrics-server           1/1     1            1           221d

If it’s missing in action, it’s time to deploy it. Helm is a handy tool for this. https://artifacthub.io/packages/helm/metrics-server/metrics-server

.- How’s Metrics-server Feeling Today?

kubectl get pods -n kube-system -l k8s-app=metrics-server

NAME                              READY   STATUS    RESTARTS      AGE
metrics-server-5f9f776df5-zlg42   1/1     Running   6 (71d ago)   221d

Make sure it’s running smoothly. If it’s throwing a tantrum, dive into its logs:

kubectl logs metrics-server-5f9f776df5-zlg42 -n kube-system

I0730 17:07:50.422754       1 secure_serving.go:266] Serving securely on [::]:10250
I0730 17:07:50.425140       1 requestheader_controller.go:169] Starting RequestHeaderAuthRequestController
I0730 17:07:50.425155       1 shared_informer.go:240] Waiting for caches to sync for RequestHeaderAuthRequestController

.- A Peek into Metrics-server’s Config

Sometimes, it needs some flags to communicate correctly, especially if your cluster has a unique CNI or is lounging on a special cloud provider. You might need to check and adjust flags like:

--kubelet-preferred-address-types or --kubelet-insecure-tls

.- The Network or RBAC Culprits

Are there any stringent network policies that are hindering the conversation between the metrics-server and the API server or the kubelets? Or maybe, metrics-server doesn’t have the right RBAC permissions to access metrics?

Peek into network policies in the kube-system namespace:

kubectl get networkpolicy -n kube-system

And don’t forget to inspect the ClusterRole:

kubectl describe clusterrole | grep metrics-server -A10

Name:         system:metrics-server
Labels:       objectset.rio.cattle.io/hash=9a6f488150c249811b9df07e116280789628963e
Annotations:  objectset.rio.cattle.io/applied:
                H4sIAAAAAAAA/4yRwY6bMBCGX6WasyEhSQkg9VD10ENvPfRScRjsSXABG80Yom7Eu69MotVKq93syRr/+j7711wBR/uHWKx3UAE3qFOcQuvZPmGw3qVdIan1mzkDBZ11Bir40U8SiH...

.- Version Harmony: HPA & Metrics-server

Compatibility matters! Ensure HPA and metrics-server are on the same page. Sometimes, a version mismatch might be the root cause.

Here’s how to check your Kubernetes version:

kubectl version

Client Version: v1.28.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3

And let’s not forget about the metrics-server:

kubectl describe deployment metrics-server -n kube-system | grep Image:

Image:      rancher/mirrored-metrics-server:v0.6.2

Troubleshooting in Kubernetes can be challenging, but with a systematic approach, many issues, like the HPA metrics problem, can be resolved. It’s essential to understand the components involved and to remain adaptable. As Kubernetes continues to evolve, so too should our methods for diagnosing and fixing problems.

October 9, 2023 by Fernando SRE DevOps stuff Kubernetes 0

Navigating Kubernetes: Understanding and Addressing the OutOfPods Error

When maneuvering through Kubernetes, one might often encounter the notorious “OutOfPods” error. This error message is predominantly seen when delving into the details of a pod that has failed to be scheduled, illustrated in the example below:

Name:        user-api-server-7869b4c8d9-qw4zp
Namespace:   default
Priority:    0
Node:        <none>
Labels:      app=user-api-server
Annotations: <none>
Status:      Pending
Reason:      Unschedulable
IP:          <none>
IPs:         <none>

Events:
  Type     Reason           Age                 From               Message
  ----     ------           ----                ----               -------
  Warning  FailedScheduling 4m32s (x7 over 5m)  default-scheduler  0/6 nodes are available: 3 OutOfPods, 6 node(s) had taints that the pod didn't tolerate.

In this context, the “Reason” field is categorized as “Unschedulable,” and the “Message” field clarifies why the pod couldn’t be scheduled. In this scenario, three nodes have reached their scheduling capacity, denoted by “3 OutOfPods.”

Understanding the OutOfPods Error
The “OutOfPods” error signifies that a node has surpassed its pod allocation capacity. Each node within a Kubernetes cluster harbors a specific threshold on the number of pods it can operate, influenced by several factors including the node’s specific configuration and the overall cluster setting.

To investigate this limit, the command kubectl describe node can be employed:

Capacity:
  cpu:                1
  ephemeral-storage:  47145992Ki
  hugepages-1Gi:      0
  hugepages-2Mi:      0
  hugepages-32Mi:     0
  hugepages-64Ki:     0
  memory:             6058428Ki
  pods:               110

Both the “Capacity” and “Allocatable” fields illustrate the maximum number of pods that can be scheduled on the node.

Strategies to Mitigate OutOfPods Error
When confronted with an “OutOfPods” error, it reveals that the node has attained its capacity, and can’t accommodate any more pods until the current ones are terminated or additional resources are integrated.

Node Capacity:

Every node possesses a definitive limit on the pods it can run, influenced by the node’s resources and its configuration.
Solutions: Scale up the nodes if they are perpetually operating at or near capacity, or optimize resource requests and limits.

Cluster Scaling:

Implement auto-scaling solutions to dynamically adapt the number of nodes as needed, especially if your entire cluster is consistently approaching its capacity.

Pod Configuration:

Assess and review resource requests and limits to ensure that pods are not demanding more resources than necessary. Leverage Quality of Service (QoS) classes to aid the scheduler in making more informed decisions.
Implementing QoS Classes: In Kubernetes, pods are categorized into one of three QoS classes: Guaranteed, Burstable, and BestEffort, based on the resource requests and limits set on them.
.- Guaranteed: All containers in the pod have memory and CPU limits, and they are equal to the requests. Use this for critical pods that need specific resources.

.- Burstable: At least one container in the pod has a memory or CPU request. Use this for pods that require a minimum amount of resources to run but can use more resources when available.

.- BestEffort: The pod doesn’t have memory or CPU limits or requests. Use this for non-critical tasks that can run with the remaining resources.

Resource Fragmentation:

Employ affinity and anti-affinity rules to minimize fragmentation by intelligently placing the pods, ensuring optimal utilization of available resources.

Kubelet Configuration:

Adjusting the maxPods configuration option in the Kubelet configuration can alleviate “OutOfPods” errors by allowing more pods to run on a node, considering the node’s available resources.
Implementing Adjustment:
To adjust the maxPods value, you would typically need to modify the Kubelet configuration file, usually located at /var/lib/kubelet/config.yaml on the node. You need to do this on every node you want to adjust.
For example, open the Kubelet configuration file in a text editor:

sudo vim /var/lib/kubelet/config.yaml

Find the line with maxPods and adjust the value to the desired number, or add a new line with maxPods: if it’s not there.
Save and exit the text editor.
Restart the Kubelet service for the changes to take effect:

sudo systemctl restart kubelet

Conclusion

The OutOfPods error in Kubernetes underscores the criticality of proper resource management within a cluster. Addressing this can be achieved by optimizing node and pod configurations, conscientiously adjusting the maxPods value, and employing Quality of Service (QoS) classes to ensure effective resource allocation. By proactively implementing these strategies, operational hurdles can be avoided, maintaining a robust and efficient Kubernetes environment.

October 1, 2023 by Fernando SRE Cloud stuff DevOps stuff Kubernetes 0