Kubernetes: Up & Running, 3rd Edition (Burns, Beda, Hightower & Evenson) (Z-Library)
Author: Burns, Brendan & Beda, Joe & Hightower, Kelsey & Evenson, Lachlan
Technology
In just five years, Kubernetes has radically changed the way developers and ops personnel build, deploy, and maintain applications in the cloud. With this book's updated third edition, you'll learn how this popular container orchestrator can help your company achieve new levels of velocity, agility, reliability, and efficiency--whether you're new to distributed systems or have been deploying cloud native apps for some time.
File Format: PDF
File Size: 3.2 MB
Brendan Burns, Joe Beda, Kelsey Hightower & Lachlan Evenson
Kubernetes: Up & Running
Dive into the Future of Infrastructure
Third Edition
Compliments of
ENGINEERING

"Written by four of the world's most highly respected authorities on cloud native systems, Kubernetes: Up & Running is the go-to book for a solid foundation in Kubernetes concepts, with examples that help you explore it for yourself."
—Liz Rice, Isovalent

Kubernetes: Up & Running
US $69.99 / CAN $87.99
ISBN: 978-1-098-11020-8
Twitter: @oreillymedia
linkedin.com/company/oreilly-media
youtube.com/oreillymedia

Kubernetes has radically changed the way developers and ops personnel build, deploy, and maintain applications in the cloud. With this book's updated third edition, you'll learn how this popular container orchestrator can help your company achieve new levels of velocity, agility, reliability, and efficiency; whether you're new to distributed systems or have been deploying cloud native apps for some time.

Kubernetes veterans Brendan Burns, Joe Beda, Kelsey Hightower, and Lachlan Evenson explain how this system fits into the life cycle of a distributed application. Software developers, engineers, and architects will learn ways to use tools and APIs to automate scalable distributed systems for online services, machine learning applications, and even a cluster of Raspberry Pi computers.

This guide shows you how to:
• Create a simple cluster to learn how Kubernetes works
• Dive into the details of deploying an application using Kubernetes
• Handle specialized objects in Kubernetes, such as DaemonSets, jobs, ConfigMaps, and Secrets
• Explore deployments that tie together the life cycle of a complete application
• Secure your application deployments
• Deploy multicluster applications and access Kubernetes from programming languages

Brendan Burns is a cofounder of Kubernetes and a distinguished engineer at Microsoft Azure, where he leads teams focusing on DevOps, open source, and microservices.

Joe Beda is a cofounder of Kubernetes who recently retired from VMware, where he was principal engineer.

Kelsey Hightower is an engineer and developer advocate in Google's cloud computing division. He enjoys leadership roles focused on making things happen and shipping software.

Lachlan Evenson is a principal product manager on the container compute team at Microsoft Azure. He's helped numerous people adopt Kubernetes through hands-on teaching.
Brendan Burns, Joe Beda, Kelsey Hightower, and Lachlan Evenson
Kubernetes: Up and Running
Dive into the Future of Infrastructure
THIRD EDITION
Boston, Farnham, Sebastopol, Tokyo, Beijing
Kubernetes: Up and Running
by Brendan Burns, Joe Beda, Kelsey Hightower, and Lachlan Evenson

Copyright © 2022 Brendan Burns, Joe Beda, Kelsey Hightower, and Lachlan Evenson. All rights reserved.

Printed in the United States of America.

Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Acquisition Editor: John Devins
Development Editor: Sarah Gray
Production Editor: Katherine Tozer
Copyeditor: Piper Editorial Consulting, LLC
Proofreader: Penelope Perkins
Indexer: Ellen Troutman-Zaig
Interior Designer: David Futato
Cover Designer: Karen Montgomery
Illustrator: Kate Dullea

September 2017: First Edition
August 2019: Second Edition
August 2022: Third Edition

Revision History for the Third Edition
2022-08-02: First Release

See http://oreilly.com/catalog/errata.csp?isbn=9781098110208 for release details.

The O'Reilly logo is a registered trademark of O'Reilly Media, Inc. Kubernetes: Up and Running, the cover image, and related trade dress are trademarks of O'Reilly Media, Inc.

The views expressed in this work are those of the authors, and do not represent the publisher's views. While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

This work is part of a collaboration between O'Reilly and VMware. See our statement of editorial independence.

978-1-098-12197-6
[LSI]
Table of Contents

Preface  xv

1. Introduction  1
  Velocity  2
  The Value of Immutability  3
  Declarative Configuration  4
  Self-Healing Systems  5
  Scaling Your Service and Your Teams  6
  Decoupling  6
  Easy Scaling for Applications and Clusters  6
  Scaling Development Teams with Microservices  7
  Separation of Concerns for Consistency and Scaling  8
  Abstracting Your Infrastructure  10
  Efficiency  10
  Cloud Native Ecosystem  12
  Summary  13

2. Creating and Running Containers  15
  Container Images  16
  Building Application Images with Docker  18
  Dockerfiles  18
  Optimizing Image Sizes  20
  Image Security  21
  Multistage Image Builds  22
  Storing Images in a Remote Registry  24
  The Container Runtime Interface  25
  Running Containers with Docker  25
  Exploring the kuard Application  26
  Limiting Resource Usage  26
  Cleanup  27
  Summary  28

3. Deploying a Kubernetes Cluster  29
  Installing Kubernetes on a Public Cloud Provider  30
  Installing Kubernetes with Google Kubernetes Engine  30
  Installing Kubernetes with Azure Kubernetes Service  30
  Installing Kubernetes on Amazon Web Services  31
  Installing Kubernetes Locally Using minikube  31
  Running Kubernetes in Docker  32
  The Kubernetes Client  32
  Checking Cluster Status  33
  Listing Kubernetes Nodes  34
  Cluster Components  36
  Kubernetes Proxy  36
  Kubernetes DNS  36
  Kubernetes UI  37
  Summary  37

4. Common kubectl Commands  39
  Namespaces  39
  Contexts  39
  Viewing Kubernetes API Objects  40
  Creating, Updating, and Destroying Kubernetes Objects  41
  Labeling and Annotating Objects  42
  Debugging Commands  43
  Cluster Management  44
  Command Autocompletion  45
  Alternative Ways of Viewing Your Cluster  45
  Summary  46

5. Pods  47
  Pods in Kubernetes  48
  Thinking with Pods  48
  The Pod Manifest  49
  Creating a Pod  50
  Creating a Pod Manifest  50
  Running Pods  51
  Listing Pods  52
  Pod Details  52
  Deleting a Pod  53
  Accessing Your Pod  54
  Getting More Information with Logs  54
  Running Commands in Your Container with exec  55
  Copying Files to and from Containers  55
  Health Checks  55
  Liveness Probe  55
  Readiness Probe  57
  Startup Probe  57
  Advanced Probe Configuration  57
  Other Types of Health Checks  57
  Resource Management  58
  Resource Requests: Minimum Required Resources  59
  Capping Resource Usage with Limits  60
  Persisting Data with Volumes  61
  Using Volumes with Pods  61
  Different Ways of Using Volumes with Pods  62
  Putting It All Together  63
  Summary  64

6. Labels and Annotations  65
  Labels  65
  Applying Labels  66
  Modifying Labels  68
  Label Selectors  68
  Label Selectors in API Objects  70
  Labels in the Kubernetes Architecture  71
  Annotations  71
  Cleanup  73
  Summary  73

7. Service Discovery  75
  What Is Service Discovery?  75
  The Service Object  76
  Service DNS  77
  Readiness Checks  78
  Looking Beyond the Cluster  79
  Load Balancer Integration  81
  Advanced Details  83
  Endpoints  83
  Manual Service Discovery  84
  kube-proxy and Cluster IPs  85
  Cluster IP Environment Variables  86
  Connecting with Other Environments  86
  Connecting to Resources Outside of a Cluster  87
  Connecting External Resources to Services Inside a Cluster  87
  Cleanup  88
  Summary  88

8. HTTP Load Balancing with Ingress  89
  Ingress Spec Versus Ingress Controllers  90
  Installing Contour  91
  Configuring DNS  92
  Configuring a Local hosts File  92
  Using Ingress  93
  Simplest Usage  93
  Using Hostnames  94
  Using Paths  96
  Cleanup  97
  Advanced Ingress Topics and Gotchas  97
  Running Multiple Ingress Controllers  97
  Multiple Ingress Objects  98
  Ingress and Namespaces  98
  Path Rewriting  98
  Serving TLS  99
  Alternate Ingress Implementations  100
  The Future of Ingress  101
  Summary  101

9. ReplicaSets  103
  Reconciliation Loops  104
  Relating Pods and ReplicaSets  104
  Adopting Existing Containers  105
  Quarantining Containers  105
  Designing with ReplicaSets  105
  ReplicaSet Spec  106
  Pod Templates  106
  Labels  107
  Creating a ReplicaSet  107
  Inspecting a ReplicaSet  108
  Finding a ReplicaSet from a Pod  108
  Finding a Set of Pods for a ReplicaSet  108
  Scaling ReplicaSets  109
  Imperative Scaling with kubectl scale  109
  Declaratively Scaling with kubectl apply  109
  Autoscaling a ReplicaSet  110
  Deleting ReplicaSets  111
  Summary  112

10. Deployments  113
  Your First Deployment  114
  Creating Deployments  116
  Managing Deployments  117
  Updating Deployments  118
  Scaling a Deployment  118
  Updating a Container Image  119
  Rollout History  120
  Deployment Strategies  123
  Recreate Strategy  123
  RollingUpdate Strategy  123
  Slowing Rollouts to Ensure Service Health  126
  Deleting a Deployment  128
  Monitoring a Deployment  128
  Summary  128

11. DaemonSets  129
  DaemonSet Scheduler  130
  Creating DaemonSets  131
  Limiting DaemonSets to Specific Nodes  133
  Adding Labels to Nodes  133
  Node Selectors  133
  Updating a DaemonSet  135
  Deleting a DaemonSet  136
  Summary  136

12. Jobs  137
  The Job Object  137
  Job Patterns  138
  One Shot  138
  Parallelism  142
  Work Queues  144
  CronJobs  148
  Summary  148

13. ConfigMaps and Secrets  149
  ConfigMaps  149
  Creating ConfigMaps  149
  Using a ConfigMap  150
  Secrets  153
  Creating Secrets  154
  Consuming Secrets  155
  Private Container Registries  156
  Naming Constraints  157
  Managing ConfigMaps and Secrets  158
  Listing  158
  Creating  159
  Updating  159
  Summary  161

14. Role-Based Access Control for Kubernetes  163
  Role-Based Access Control  164
  Identity in Kubernetes  164
  Understanding Roles and Role Bindings  165
  Roles and Role Bindings in Kubernetes  165
  Techniques for Managing RBAC  168
  Testing Authorization with can-i  168
  Managing RBAC in Source Control  168
  Advanced Topics  168
  Aggregating ClusterRoles  169
  Using Groups for Bindings  169
  Summary  171

15. Service Meshes  173
  Encryption and Authentication with Mutual TLS  174
  Traffic Shaping  174
  Introspection  175
  Do You Really Need a Service Mesh?  176
  Introspecting a Service Mesh Implementation  176
  Service Mesh Landscape  177
  Summary  178

16. Integrating Storage Solutions and Kubernetes  179
  Importing External Services  180
  Services Without Selectors  181
  Limitations of External Services: Health Checking  183
  Running Reliable Singletons  183
  Running a MySQL Singleton  183
  Dynamic Volume Provisioning  187
  Kubernetes-Native Storage with StatefulSets  188
  Properties of StatefulSets  189
  Manually Replicated MongoDB with StatefulSets  189
  Automating MongoDB Cluster Creation  192
  Persistent Volumes and StatefulSets  195
  One Final Thing: Readiness Probes  195
  Summary  196

17. Extending Kubernetes  197
  What It Means to Extend Kubernetes  197
  Points of Extensibility  198
  Patterns for Custom Resources  206
  Just Data  206
  Compilers  207
  Operators  207
  Getting Started  207
  Summary  208

18. Accessing Kubernetes from Common Programming Languages  209
  The Kubernetes API: A Client's Perspective  209
  OpenAPI and Generated Client Libraries  210
  But What About kubectl x?  210
  Programming the Kubernetes API  211
  Installing the Client Libraries  211
  Authenticating to the Kubernetes API  212
  Accessing the Kubernetes API  214
  Putting It All Together: Listing and Creating Pods in Python, Java, and .NET  214
  Creating and Patching Objects  216
  Watching Kubernetes APIs for Changes  217
  Interacting with Pods  219
  Summary  222

19. Securing Applications in Kubernetes  223
  Understanding SecurityContext  223
  SecurityContext Challenges  229
  Pod Security  229
  What Is Pod Security?  230
  Applying Pod Security Standards  231
  Service Account Management  233
  Role-Based Access Control  234
  RuntimeClass  234
  Network Policy  236
  Service Mesh  239
  Security Benchmark Tools  239
  Image Security  241
  Summary  241

20. Policy and Governance for Kubernetes Clusters  243
  Why Policy and Governance Matter  243
  Admission Flow  244
  Policy and Governance with Gatekeeper  245
  What Is Open Policy Agent?  245
  Installing Gatekeeper  246
  Configuring Policies  247
  Understanding Constraint Templates  250
  Creating Constraints  251
  Audit  252
  Mutation  253
  Data Replication  255
  Metrics  257
  Policy Library  257
  Summary  257

21. Multicluster Application Deployments  259
  Before You Even Begin  260
  Starting at the Top with a Load-Balancing Approach  262
  Building Applications for Multiple Clusters  263
  Replicated Silos: The Simplest Cross-Regional Model  265
  Sharding: Regional Data  266
  Better Flexibility: Microservice Routing  267
  Summary  268

22. Organizing Your Application  269
  Principles to Guide Us  269
  Filesystems as the Source of Truth  269
  The Role of Code Review  270
  Feature Gates  271
  Managing Your Application in Source Control  272
  Filesystem Layout  272
  Managing Periodic Versions  273
  Structuring Your Application for Development, Testing, and Deployment  275
  Goals  275
  Progression of a Release  275
  Parameterizing Your Application with Templates  277
  Parameterizing with Helm and Templates  277
  Filesystem Layout for Parameterization  278
  Deploying Your Application Around the World  279
  Architectures for Worldwide Deployment  279
  Implementing Worldwide Deployment  280
  Dashboards and Monitoring for Worldwide Deployments  282
  Summary  282

Building Your Own Kubernetes Cluster  283

Index  291
Preface

Kubernetes would like to thank every sysadmin who has woken up at 3 a.m. to restart a process. Every developer who pushed code to production only to find that it didn't run like it did on their laptop. Every systems architect who mistakenly pointed a load test at the production server because of a leftover hostname that they hadn't updated. It was the pain, the weird hours, and the weird errors that inspired the development of Kubernetes. In a single sentence: Kubernetes intends to radically simplify the task of building, deploying, and maintaining distributed systems. It has been inspired by decades of real-world experience building reliable systems, and it has been designed from the ground up to make that experience if not euphoric, at least pleasant. We hope you enjoy the book!

Who Should Read This Book

Whether you are new to distributed systems or have been deploying cloud native systems for years, containers and Kubernetes can help you achieve new levels of velocity, agility, reliability, and efficiency. This book describes the Kubernetes cluster orchestrator and how its tools and APIs can be used to improve the development, delivery, security, and maintenance of distributed applications. Though no previous experience with Kubernetes is assumed, to make maximal use of the book, you should be comfortable building and deploying server-based applications. Familiarity with concepts like load balancers and network storage will be useful, though not required. Likewise, experience with Linux, Linux containers, and Docker, though not essential, will help you make the most of this book.
Why We Wrote This Book

We have been involved with Kubernetes since its very beginnings. It has been truly remarkable to watch it transform from a curiosity largely used in experiments to a crucial production-grade infrastructure that powers large-scale production applications in varied fields, from machine learning to online services. As this transition occurred, it became increasingly clear that a book that captured both how to use the core concepts in Kubernetes and the motivations behind the development of those concepts would be an important contribution to the state of cloud native application development. We hope that in reading this book, you not only learn how to build reliable, scalable applications on top of Kubernetes but also receive insight into the core challenges of distributed systems that led to its development.

Why We Updated This Book

The Kubernetes ecosystem has continued to grow and evolve since the first and second editions of this book. There have been many Kubernetes releases, and many more tools and patterns for using Kubernetes have become de facto standards. In the third edition, we focused on the addition of topics that have grown in interest in the Kubernetes ecosystem including security, accessing Kubernetes from programming languages, as well as multicluster application deployments. We also updated all of the existing chapters to reflect the changes and evolution in Kubernetes since the first and second editions. We fully expect to revise this book again in a few years (and look forward to doing so) as Kubernetes continues to evolve.

A Word on Cloud Native Applications Today

From the first programming languages, to object-oriented programming, to the development of virtualization and cloud infrastructure, the history of computer science is a history of the development of abstractions that hide complexity and empower you to build ever more sophisticated applications. Despite this, the development of reliable, scalable applications is still dramatically more challenging than it ought to be. In recent years, containers and container orchestration APIs like Kubernetes have proven to be an important abstraction that radically simplifies the development of reliable, scalable distributed systems. Containers and orchestrators enable developers to build and deploy applications with a speed, agility, and reliability that would have seemed like science fiction only a few years ago.
Navigating This Book

This book is organized as follows. Chapter 1 outlines the high-level benefits of Kubernetes without diving too deeply into the details. If you are new to Kubernetes, this is a great place to start to understand why you should read the rest of the book.

Chapter 2 provides a detailed introduction to containers and containerized application development. If you've never really played around with Docker before, this chapter will be a useful introduction. If you are already a Docker expert, it will likely be mostly review.

Chapter 3 covers how to deploy Kubernetes. While most of this book focuses on how to use Kubernetes, you need to get a cluster up and running before you start using it. Although running a cluster for production is outside the scope of this book, this chapter presents a couple of easy ways to create a cluster so that you can understand how to use Kubernetes.

Chapter 4 covers a selection of common commands used to interact with a Kubernetes cluster.

Starting with Chapter 5, we dive into the details of deploying an application using Kubernetes. We cover Pods (Chapter 5), labels and annotations (Chapter 6), services (Chapter 7), Ingress (Chapter 8), and ReplicaSets (Chapter 9). These form the core basics of what you need to deploy your service in Kubernetes. We then cover deployments (Chapter 10), which tie together the life cycle of a complete application.

After those chapters, we cover some more specialized objects in Kubernetes: DaemonSets (Chapter 11), Jobs (Chapter 12), and ConfigMaps and Secrets (Chapter 13). While these chapters are essential for many production applications, if you are just learning Kubernetes, you can skip them and return to them later, after you gain more experience and expertise.

Next we introduce role-based access control (Chapter 14) and cover service meshes (Chapter 15) and integrating storage (Chapter 16) into Kubernetes. We discuss extending Kubernetes (Chapter 17) and accessing Kubernetes from programming languages (Chapter 18). We then focus on securing Pods (Chapter 19) along with Kubernetes policy and governance (Chapter 20). Finally, we conclude with some examples of how to develop and deploy multicluster applications (Chapter 21) and a discussion of how to organize your applications in source control (Chapter 22).
Online Resources

You will want to install Docker. You likely will also want to familiarize yourself with the Docker documentation if you have not already done so. Likewise, you will want to install the kubectl command-line tool. You may also want to join the Kubernetes Slack channel, where you will find a large community of users who are willing to talk and answer questions at nearly any hour of the day. Finally, as you grow more advanced, you may want to engage with the open source Kubernetes repository on GitHub.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic
  Indicates new terms, URLs, email addresses, filenames, and file extensions.

Constant width
  Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.

Constant width bold
  Shows commands or other text that should be typed literally by the user.

Constant width italic
  Shows text that should be replaced with user-supplied values or by values determined by context.

This icon signifies a tip, suggestion, or general note.

This icon indicates a warning or caution.