Muutke küpsiste eelistusi

Core Kubernetes [Pehme köide]

3.81/5 (41 hinnangut Goodreads-ist)
,
  • Formaat: Paperback / softback, 425 pages, kõrgus x laius x paksus: 237x188x20 mm, kaal: 630 g
  • Ilmumisaeg: 27-Jun-2022
  • Kirjastus: Manning Publications
  • ISBN-10: 1617297550
  • ISBN-13: 9781617297557
Teised raamatud teemal:
Core KubernetesSuurem pilt
  • Formaat: Paperback / softback, 425 pages, kõrgus x laius x paksus: 237x188x20 mm, kaal: 630 g
  • Ilmumisaeg: 27-Jun-2022
  • Kirjastus: Manning Publications
  • ISBN-10: 1617297550
  • ISBN-13: 9781617297557
Teised raamatud teemal:
Püsilink: https://www.kriso.ee/db/9781617297557.html
Märksõnad:
From its humble beginnings a container orchestration system, Kubernetes has become the de facto infrastructure for cloud native applications. Kubernetes impacts every aspect of the application development lifecycle, from design through deployment. To build and operate reliable cloud native systems, you need to understand what's going on below the surface. Core Kubernetes is packed with experience-driven insights and practical techniques, and takes you inside Kubernetes to teach you what you'll need to know to keep your system running like a well-oiled machine and prevent those panicked 3 AM phone calls.

about the technology Kubernetes is a platform-independent layer for deploying scalable container-based applications. Kubernetes provides abstractions for clustering, replicating, and scaling system components in real time. It's especially well-suited for microservices applications, where you can easily balance the load among services. Kubernetes has become a core component of cloud native applications, and all major cloud vendors now offer hosted versions of Kubernetes. Kubernetes was initially developed by Google and is now governed as an open source project by the Cloud Native Computing Foundation (CNCF).

about the book Core Kubernetes is a reference guide designed to teach operators, SREs, and developers how to improve reliability and performance of Kubernetes-based systems. In it, Kubernetes experts Chris Love and Jay Vyas provide a guided tour through all major aspects of Kubernetes, from managing iptables to setting up dynamically scaled clusters that respond to changes in load. You'll understand the unique security concerns of container-based applications, discover tips to minimize costly unused capacity, and get pro tips for maximizing performance. This awesome collection of undocumented internals, expert techniques, and practical guidance has invaluable information you won't find anywhere else.

what's inside - Kubernetes base components - Kubernetes networking - Storage and the Container Storage Interface - External load balancing and ingress - Kubernetes security - Different ways of creating a Kubernetes cluster - Configuring Kubernetes to use a GPU

about the reader Written for readers with a working knowledge of Kubernetes and microservices applications.

about the author After earning his PhD, Jay Vyas started his career contributing to Kubernetes' core features at RedHat, and next, he focused on helping multiple companies migrate to Cloud-Native solutions. He now resides at VMWare, once again contributing to Kubernetes and associated projects. When not coding, Jay likes to play with his video games, his synthesizers, and hang out in his Pod.

As a thought leader in the Kubernetes and DevOps segment, Chris Love is a founder of multiple technology companies with over 20 years' experience in software engineering. A Google Cloud Certified Fellow, Chris has contributed to several open-source projects including Kubernetes, Bazel, and Terraform. He enjoys speaking around the world about DevOps and Kubernetes and practices martial arts in his free time.
Preface xv
Acknowledgments xvi
About this book xviii
About the authors xxi
About the cover illustration xxiii
1 Why Kubernetes exists 1(13)
1.1 Reviewing a few key terms before we get started
2(1)
1.2 The infrastructure drift problem and Kubernetes
2(1)
1.3 Containers and images
3(2)
1.4 Core foundation of Kubernetes
5(2)
All infrastructure rules in Kubernetes are managed as plain YAML
7(1)
1.5 Kubernetes features
7(2)
1.6 Kubernetes components and architecture
9(3)
The Kubernetes API
9(2)
Example one: An online retailer
11(1)
Example two: An online giving solution
11(1)
1.7 When not to use Kubernetes
12(2)
2 Why the Pod? 14(25)
2.1 An example web application
16(3)
Infrastructure for our web application
18(1)
Operational requirements
18(1)
2.2 What is a Pod?
19(10)
A bunch of Linux namespaces
22(1)
Kubernetes, infrastructure, and the Pod
22(2)
The Node API object
24(4)
Our web application and the control plane
28(1)
2.3 Creating a web application with kubectl
29(6)
The Kubernetes API server: kube-apiserver
30(1)
The Kubernetes scheduler: kube-scheduler
31(1)
Infrastructure controllers
31(4)
2.4 Scaling, highly available applications, and the control plane
35(4)
Autoscaling
37(1)
Cost management
37(2)
3 Let's build a Pod 39(30)
3.1 Looking at Kubernetes primitives with kind
42(1)
3.2 What is a Linux primitive?
43(5)
Linux primitives are resource management tools
44(1)
Everything is a file (or a file descriptor)
45(1)
Files are composable
45(1)
Setting up kind
46(2)
3.3 Using Linux primitives in Kubernetes
48(7)
The prerequisites for running a Pod
48(1)
Running a simple Pod
49(2)
Exploring the Pod's Linux dependencies
51(4)
3.4 Building a Pod from scratch
55(9)
Creating an isolated process with chroot
56(2)
Using mount to give our process data to work with
58(1)
Securing our process with unshare
59(1)
Creating a network namespace
60(1)
Checking whether a process is healthy
61(1)
Adjusting CPU with cgroups
62(1)
Creating a resources stanza
63(1)
3.5 Using our Pod in the real world
64(5)
The networking problem
64(1)
Utilizing iptables to understand how kube-proxy implements Kubernetes services
65(1)
Using the kube-dns Pod
66(1)
Considering other issues
67(2)
4 Using cgroups for processes in our Pods 69(25)
4.1 Pods are idle until the prep work completes
70(2)
4.2 Processes and threads in Linux
72(6)
systemd and the init process
73(1)
cgroups for our process
74(3)
Implementing cgroups for a normal Pod
77(1)
4.3 Testing the cgroups
78(1)
4.4 How the kubelet manages cgroups
79(1)
4.5 Diving into how the kubelet manages resources
80(5)
Why can't the OS use swap in Kubernetes?
81(1)
Hack: The poor man's priority knob
82(1)
Hack: Editing Huge Pages with init containers
83(1)
QoS classes: Why they matter and how they work
83(1)
Creating QoS classes by setting resources
84(1)
4.6 Monitoring the Linux kernel with Prometheus, cAdvisor, and the API server
85(9)
Metrics are cheap to publish and extremely valuable
87(1)
Why do I need Prometheus?
88(1)
Creating a local Prometheus monitoring service
89(3)
Characterizing an outage in Prometheus
92(2)
5 CNIS and providing the Pod with a network 94(19)
5.1 Why we need software-defined networks in Kubernetes
96(1)
5.2 Implementing the service side of the Kubernetes SDN: The kube-proxy
97(5)
The kube-proxy's data plane
99(2)
What about NodePorts?
101(1)
5.3 CNI providers
102(1)
5.4 Diving into two CNI networking plugins: Calico and Antrea
103(10)
The architecture of a CNI plugin
104(1)
Let's play with some CNIs
105(1)
Installing the Calico CNI provider
106(3)
Kubernetes networking with OVS and Antrea
109(3)
A note on CNI providers and kube-proxy on different OSs
112(1)
6 Troubleshooting large-scale network errors 113(22)
6.1 Sonobuoy: A tool for confirming your cluster is functioning
114(3)
Tracing data paths for Pods in a real cluster
115(1)
Setting up a cluster with the Antrea CNI provider
116(1)
6.2 Inspecting CNI routing on different providers with the arp and ip commands
117(6)
What is an IP tunnel and why do CNI providers use them?
118(1)
How many packets are flowing through the network interfaces for our CNI?
118(1)
Routes
119(2)
CNI-specific tooling: Open vSwitch (OVS)
121(1)
Tracing the data path of active containers with tcpdump
121(2)
6.3 The kube-proxy and iptables
123(6)
iptables-save and the diff tool
123(1)
Looking at how network policies modify CNI rules
124(3)
How are these policies implemented?
127(2)
6.4 Ingress controllers
129(6)
Setting up Contour and kind to explore ingress controllers
129(1)
Setting up a simple web server Pod
130(5)
7 Pod storage and the CSI 135(17)
7.1 A quick detour: The virtual filesystem (VFS) in Linux
137(1)
7.2 Three types of storage requirements for Kubernetes
138(2)
7.3 Let's create a PVC in our kind cluster
140(4)
7.4 The container storage interface (CSI)
144(4)
The in-tree provider problem
145(1)
CSI as a specification that works inside of Kubernetes
146(1)
CSI: How a storage driver works
147(1)
Bind mounting
148(1)
7.5 A quick look at a few running CSI drivers
148(4)
The controller
149(1)
The node interface
149(1)
CSI on non-Linux OSs
150(2)
8 Storage implementation and modeling 152(20)
8.1 A microcosm of the broader Kubernetes ecosystem: Dynamic storage
153(5)
Managing storage on the fly: Dynamic provisioning
154(1)
Local storage compared with emptyDir
154(2)
Persistent Volumes
156(1)
CSI (container storage interface)
157(1)
8.2 Dynamic provisioning benefits from CSI but is orthogonal
158(3)
Storage classes
159(1)
Back to the data center stuff
160(1)
8.3 Kubernetes use cases for storage
161(3)
Secrets: Sharing files ephemerally
161(3)
8.4 What does a dynamic storage provider typically look like?
164(2)
8.5 hostPath for system control and/or data access
166(4)
hostPaths, CSI, and CNI: A canonical use case
166(2)
Cassandra: An example of real-world Kubernetes application storage
168(1)
Advanced storage functionality and the Kubernetes storage model
169(1)
8.6 Further reading
170(2)
9 Running Pods: How the kubelet works 172(20)
9.1 The kubelet and the node
173(1)
9.2 The core kubelet
174(4)
Container runtimes: Standards and conventions
175(1)
The kubelet configurations and its API
176(2)
9.3 Creating a Pod and seeing it in action
178(7)
Starting the kubelet binary
179(1)
After startup: Node life cycle
180(1)
Leasing and locking in etcd and the evolution of the node lease
180(1)
The kubelet's management of the Pod life cycle
181(1)
CRI, containers, and images: How they are related
182(1)
The kubelet doesn't run containers: That's the CRT's job
182(2)
Pause container: An "aha" moment
184(1)
9.4 The Container Runtime Interface (CRI)
185(2)
Telling Kubernetes where our container runtime lives
185(1)
The CRI routines
186(1)
The kubelet's abstraction around CRI: The GenericRuntimeManager
186(1)
How is the CRI invoked?
186(1)
9.5 The kubelet's interfaces
187(3)
The Runtime internal interface
187(1)
How the kubelet pulls images: The ImageService intelface
188(1)
Giving ImagePullSecrets to the kubelet
189(1)
9.6 Further reading
190(2)
10 DNS in Kubernetes 192(13)
10.1 A brief intro to DNS (and CoreDNS)
192(4)
NXDOMAINs, A records, and CNAME records
193(2)
Pods need internal DNS
195(1)
10.2 Why StatefulSets instead of Deployments?
196(4)
DNS with headless services
197(1)
Persistent DNS records in StatefulSets
198(1)
Using a polyglot deployment to explore Pod DNS properties
198(2)
10.3 The resolv.conf file
200(5)
A quick note about routing
200(2)
CoreDNS: The upstream resolver for the ClusterFirst Pod DNS
202(1)
Hacking the CoreDNS plugin configuration
203(2)
11 The core of the control plane 205(14)
11.1 Investigating the control plane
206(1)
11.2 API server details
207(7)
API objects and custom API objects
207(1)
Custom resource definitions (CRDs)
208(1)
Scheduler details
209(5)
Recap of scheduling
214(1)
11.3 The controller manager
214(2)
Storage
214(1)
Service accounts and tokens
215(1)
11.4 Kubernetes cloud controller managers (CCMs)
216(1)
11.5 Further reading
217(2)
12 etcd and the control plane 219(21)
12.1 Notes for the impatient
220(7)
Visualizing etcd performance with Prometheus
221(4)
Knowing when to tune etcd
225(1)
Example: A quick health check of etcd
226(1)
etcd v3 vs. v2
227(1)
12.2 etcd as a data store
227(4)
The watch: Can you run Kubernetes on other databases?
228(1)
Strict consistency
229(1)
fsync operations make etcd consistent
230(1)
12.3 Looking at the interface for Kubernetes to etcd
231(1)
12.4 etcd's job is to keep the facts straight
231(2)
The etcd write-ahead log
232(1)
Effect on Kubernetes
233(1)
12.5 The CAP theorem
233(1)
12.6 Load balancing at the client level and etcd
234(2)
Size limitations: What (not) to worry about
235(1)
12.7 etcd encryption at rest
236(1)
12.8 Performance and fault tolerance of etcd at a global scale
237(1)
12.9 Heartbeat times for a highly distributed etcd
237(1)
12.10 Setting an etcd client up on a kind cluster
237(3)
Running etcd in non-Linux environments
238(2)
13 Container and Pod security 240(14)
13.1 Blast radius
241(1)
Vulnerabilities
242(1)
Intrusion
242(1)
13.2 Container security
242(3)
Plan to update containers and custom software
242(1)
Container screening
243(1)
Container users-do not run as root
243(1)
Use the smallest container
244(1)
Container provenance
244(1)
Linters for containers
245(1)
13.3 Pod security
245(9)
Security context
245(3)
Escalated permissions and capabilities
248(1)
Pod Security Policies (PSPs)
249(2)
Do not automount the service account token
251(1)
Root-like Pods
251(1)
The security outskirts
252(2)
14 Nodes and Kubernetes security 254(27)
14.1 Node security
254(7)
TLS certificates
255(1)
Immutable OSs vs. patching nodes
256(1)
Isolated container runtimes
257(1)
Resource attacks
257(1)
CPU units
258(1)
Memory units
259(1)
Storage units
259(1)
Host networks vs. Pod networks
259(1)
Pod example
260(1)
14.2 API server security
261(6)
Role-based access control (RBAC)
261(1)
RBAC API definition
261(3)
Resources and subresources
264(1)
Subjects and RBAC
265(1)
Debugging RBAC
266(1)
14.3 Authn, Authz, and Secrets
267(2)
IAM service accounts: Securing your cloud APIs
267(1)
Access to cloud resources
268(1)
Private API servers
269(1)
14.4 Network security
269(10)
Network policies
269(4)
Load balancers
273(1)
Open Policy Agent (OPA)
274(3)
Multi-tenancy
277(2)
14.5 Kubernetes tips
279(2)
15 Installing applications 281(20)
15.1 Thinking about apps in Kubernetes
282(1)
Application scope influences what tools you should use
283(1)
15.2 Microservice apps typically require thousands of lines of configuration code
283(1)
15.3 Rethinking our Guestbook app installation for the real world
284(1)
15.4 Installing the Carvel toolkit
284(11)
Part 1: Modularizing our resources into separate files
285(1)
Part 2: Patching our application files with ytt
286(3)
Part 3: Managing and deploying Guestbook as a single application
289(3)
Part 4: Constructing a kapp Operator to package and manage our application
292(3)
15.5 Revisiting the Kubernetes Operator
295(4)
15.6 Tanzu Community Edition: An end-to-end example of the Carvel toolkit
299(2)
Index 301
After earning his PhD, Jay Vyas started his career contributing to Kubernetes' core features at RedHat, and next, he focused on helping multiple companies migrate to Cloud-Native solutions. He now resides at VMWare, once again contributing to Kubernetes and associated projects. When not coding, Jay likes to play with his video games, his synthesizers, and hang out in his Pod. As a thought leader in the Kubernetes and DevOps segment, Chris Love is a founder of multiple technology companies with over 20 years' experience in software engineering. A Google Cloud Certified Fellow, Chris has contributed to several open-source projects including Kubernetes, Bazel, and Terraform. He enjoys speaking around the world about DevOps and Kubernetes and practices martial arts in his free time.