Core Kubernetes
- Length: 336 pages
- Edition: 1
- Language: English
- Publisher: Manning
- Publication Date: 2022-06-21
- ISBN-10: 1617297550
- ISBN-13: 9781617297557
- Sales Rank: #3668015 (See Top 100 Books)
Core Kubernetes gives you a guided tour through all major aspects of Kubernetes, from managing iptables to setting up dynamically scaled clusters that respond to changes in load.
To build and operate reliable cloud native systems, you need to understand what’s going on below the surface. Core Kubernetes is packed with experience-driven insights and practical techniques, and takes you inside Kubernetes to teach you what you’ll need to know to keep your system running like a well-oiled machine.
Core Kubernetes gives you a guided tour through all major aspects of Kubernetes, from managing iptables to setting up dynamically scaled clusters that respond to changes in load. With this exclusive collection of undocumented internals, expert techniques, and practical guidance, you’ll understand the unique security concerns of container-based applications, discover tips to minimize costly unused capacity, and get pro tips for maximizing performance.
Core Kubernetes brief contents contents preface acknowledgments about this book Who should read this book How this book is organized: A road map About the code liveBook discussion forum about the authors about the cover illustration Chapter 1: Why Kubernetes exists 1.1 Reviewing a few key terms before we get started 1.2 The infrastructure drift problem and Kubernetes 1.3 Containers and images 1.4 Core foundation of Kubernetes 1.4.1 All infrastructure rules in Kubernetes are managed as plain YAML 1.5 Kubernetes features 1.6 Kubernetes components and architecture 1.6.1 The Kubernetes API 1.6.2 Example one: An online retailer 1.6.3 Example two: An online giving solution 1.7 When not to use Kubernetes Chapter 2: Why the Pod? 2.1 An example web application 2.1.1 Infrastructure for our web application 2.1.2 Operational requirements 2.2 What is a Pod? 2.2.1 A bunch of Linux namespaces 2.2.2 Kubernetes, infrastructure, and the Pod 2.2.3 The Node API object 2.2.4 Our web application and the control plane 2.3 Creating a web application with kubectl 2.3.1 The Kubernetes API server: kube-apiserver 2.3.2 The Kubernetes scheduler: kube-scheduler 2.3.3 Infrastructure controllers 2.4 Scaling, highly available applications, and the control plane 2.4.1 Autoscaling 2.4.2 Cost management Chapter 3: Let’s build a Pod 3.1 Looking at Kubernetes primitives with kind 3.2 What is a Linux primitive? 3.2.1 Linux primitives are resource management tools 3.2.2 Everything is a file (or a file descriptor) 3.2.3 Files are composable 3.2.4 Setting up kind 3.3 Using Linux primitives in Kubernetes 3.3.1 The prerequisites for running a Pod 3.3.2 Running a simple Pod 3.3.3 Exploring the Pod’s Linux dependencies 3.4 Building a Pod from scratch 3.4.1 Creating an isolated process with chroot 3.4.2 Using mount to give our process data to work with 3.4.3 Securing our process with unshare 3.4.4 Creating a network namespace 3.4.5 Checking whether a process is healthy 3.4.6 Adjusting CPU with cgroups 3.4.7 Creating a resources stanza 3.5 Using our Pod in the real world 3.5.1 The networking problem 3.5.2 Utilizing iptables to understand how kube-proxy implements Kubernetes services 3.5.3 Using the kube-dns Pod 3.5.4 Considering other issues Chapter 4: Using cgroups for processes in our Pods 4.1 Pods are idle until the prep work completes 4.2 Processes and threads in Linux 4.2.1 systemd and the init process 4.2.2 cgroups for our process 4.2.3 Implementing cgroups for a normal Pod 4.3 Testing the cgroups 4.4 How the kubelet manages cgroups 4.5 Diving into how the kubelet manages resources 4.5.1 Why can’t the OS use swap in Kubernetes? 4.5.2 Hack: The poor man’s priority knob 4.5.3 Hack: Editing HugePages with init containers 4.5.4 QoS classes: Why they matter and how they work 4.5.5 Creating QoS classes by setting resources 4.6 Monitoring the Linux kernel with Prometheus, cAdvisor, and the API server 4.6.1 Metrics are cheap to publish and extremely valuable 4.6.2 Why do I need Prometheus? 4.6.3 Creating a local Prometheus monitoring service 4.6.4 Characterizing an outage in Prometheus Chapter 5: CNIs and providing the Pod with a network 5.1 Why we need software-defined networks in Kubernetes 5.2 Implementing the service side of the Kubernetes SDN: The kube-proxy 5.2.1 The kube-proxy’s data plane 5.2.2 What about NodePorts? 5.3 CNI providers 5.4 Diving into two CNI networking plugins: Calico and Antrea 5.4.1 The architecture of a CNI plugin 5.4.2 Let’s play with some CNIs 5.4.3 Installing the Calico CNI provider 5.4.4 Kubernetes networking with OVS and Antrea 5.4.5 A note on CNI providers and kube-proxy on different OSs Chapter 6: Troubleshooting large-scale network errors 6.1 Sonobuoy: A tool for confirming your cluster is functioning 6.1.1 Tracing data paths for Pods in a real cluster 6.1.2 Setting up a cluster with the Antrea CNI provider 6.2 Inspecting CNI routing on different providers with the arp and ip commands 6.2.1 What is an IP tunnel and why do CNI providers use them? 6.2.2 How many packets are flowing through the network interfaces for our CNI? 6.2.3 Routes 6.2.4 CNI-specific tooling: Open vSwitch (OVS) 6.2.5 Tracing the data path of active containers with tcpdump 6.3 The kube-proxy and iptables 6.3.1 iptables-save and the diff tool 6.3.2 Looking at how network policies modify CNI rules 6.3.3 How are these policies implemented? 6.4 Ingress controllers 6.4.1 Setting up Contour and kind to explore ingress controllers 6.4.2 Setting up a simple web server Pod Chapter 7: Pod storage and the CSI 7.1 A quick detour: The virtual filesystem (VFS) in Linux 7.2 Three types of storage requirements for Kubernetes 7.3 Let’s create a PVC in our kind cluster 7.4 The container storage interface (CSI) 7.4.1 The in-tree provider problem 7.4.2 CSI as a specification that works inside of Kubernetes 7.4.3 CSI: How a storage driver works 7.4.4 Bind mounting 7.5 A quick look at a few running CSI drivers 7.5.1 The controller 7.5.2 The node interface 7.5.3 CSI on non-Linux OSs Chapter 8: Storage implementation and modeling 8.1 A microcosm of the broader Kubernetes ecosystem: Dynamic storage 8.1.1 Managing storage on the fly: Dynamic provisioning 8.1.2 Local storage compared with emptyDir 8.1.3 PersistentVolumes 8.1.4 CSI (container storage interface) 8.2 Dynamic provisioning benefits from CSI but is orthogonal 8.2.1 StorageClasses 8.2.2 Back to the data center stuff 8.3 Kubernetes use cases for storage 8.3.1 Secrets: Sharing files ephemerally 8.4 What does a dynamic storage provider typically look like? 8.5 hostPath for system control and/or data access 8.5.1 hostPaths, CSI, and CNI: A canonical use case 8.5.2 Cassandra: An example of real-world Kubernetes application storage 8.5.3 Advanced storage functionality and the Kubernetes storage model 8.6 Further reading Chapter 9: Running Pods: How the kubelet works 9.1 The kubelet and the node 9.2 The core kubelet 9.2.1 Container runtimes: Standards and conventions 9.2.2 The kubelet configurations and its API 9.3 Creating a Pod and seeing it in action 9.3.1 Starting the kubelet binary 9.3.2 After startup: Node life cycle 9.3.3 Leasing and locking in etcd and the evolution of the node lease 9.3.4 The kubelet’s management of the Pod life cycle 9.3.5 CRI, containers, and images: How they are related 9.3.6 The kubelet doesn’t run containers: That’s the CRI’s job 9.3.7 Pause container: An “aha” moment 9.4 The Container Runtime Interface (CRI) 9.4.1 Telling Kubernetes where our container runtime lives 9.4.2 The CRI routines 9.4.3 The kubelet’s abstraction around CRI: The GenericRuntimeManager 9.4.4 How is the CRI invoked? 9.5 The kubelet’s interfaces 9.5.1 The Runtime internal interface 9.5.2 How the kubelet pulls images: The ImageService interface 9.5.3 Giving ImagePullSecrets to the kubelet 9.6 Further reading Chapter 10: DNS in Kubernetes 10.1 A brief intro to DNS (and CoreDNS) 10.1.1 NXDOMAINs, A records, and CNAME records 10.1.2 Pods need internal DNS 10.2 Why StatefulSets instead of Deployments? 10.2.1 DNS with headless services 10.2.2 Persistent DNS records in StatefulSets 10.2.3 Using a polyglot deployment to explore Pod DNS properties 10.3 The resolv.conf file 10.3.1 A quick note about routing 10.3.2 CoreDNS: The upstream resolver for the ClusterFirst Pod DNS 10.3.3 Hacking the CoreDNS plugin configuration Chapter 11: The core of the control plane 11.1 Investigating the control plane 11.2 API server details 11.2.1 API objects and custom API objects 11.2.2 Custom resource definitions (CRDs) 11.2.3 Scheduler details 11.2.4 Recap of scheduling 11.3 The controller manager 11.3.1 Storage 11.3.2 Service accounts and tokens 11.4 Kubernetes cloud controller managers (CCMs) 11.5 Further reading Chapter 12: etcd and the control plane 12.1 Notes for the impatient 12.1.1 Visualizing etcd performance with Prometheus 12.1.2 Knowing when to tune etcd 12.1.3 Example: A quick health check of etcd 12.1.4 etcd v3 vs. v2 12.2 etcd as a data store 12.2.1 The watch: Can you run Kubernetes on other databases? 12.2.2 Strict consistency 12.2.3 fsync operations make etcd consistent 12.3 Looking at the interface for Kubernetes to etcd 12.4 etcd’s job is to keep the facts straight 12.4.1 The etcd write-ahead log 12.4.2 Effect on Kubernetes 12.5 The CAP theorem 12.6 Load balancing at the client level and etcd 12.6.1 Size limitations: What (not) to worry about 12.7 etcd encryption at rest 12.8 Performance and fault tolerance of etcd at a global scale 12.9 Heartbeat times for a highly distributed etcd Setting an etcd client up on a kind cluster 12.10 Running etcd in non-Linux environments 12.10.1 Chapter 13: Container and Pod security 13.1 Blast radius 13.1.1 Vulnerabilities 13.1.2 Intrusion 13.2 Container security 13.2.1 Plan to update containers and custom software 13.2.2 Container screening 13.2.3 Container users—do not run as root 13.2.4 Use the smallest container 13.2.5 Container provenance 13.2.6 Linters for containers 13.3 Pod security 13.3.1 Security context 13.3.2 Escalated permissions and capabilities 13.3.3 Pod Security Policies (PSPs) 13.3.4 Do not automount the service account token 13.3.5 Root-like Pods 13.3.6 The security outskirts Chapter 14: Nodes and Kubernetes security 14.1 Node security 14.1.1 TLS certificates 14.1.2 Immutable OSs vs. patching nodes 14.1.3 Isolated container runtimes 14.1.4 Resource attacks 14.1.5 CPU units 14.1.6 Memory units 14.1.7 Storage units 14.1.8 Host networks vs. Pod networks 14.1.9 Pod example 14.2 API server security 14.2.1 Role-based access control (RBAC) 14.2.2 RBAC API definition 14.2.3 Resources and subresources 14.2.4 Subjects and RBAC 14.2.5 Debugging RBAC 14.3 Authn, Authz, and Secrets 14.3.1 IAM service accounts: Securing your cloud APIs 14.3.2 Access to cloud resources 14.3.3 Private API servers 14.4 Network security 14.4.1 Network policies 14.4.2 Load balancers 14.4.3 Open Policy Agent (OPA) 14.4.4 Multi-tenancy 14.5 Kubernetes tips Chapter 15: Installing applications 15.1 Thinking about apps in Kubernetes 15.1.1 Application scope influences what tools you should use 15.2 Microservice apps typically require thousands of lines of configuration code 15.3 Rethinking our Guestbook app installation for the real world 15.4 Installing the Carvel toolkit 15.4.1 Part 1: Modularizing our resources into separate files 15.4.2 Part 2: Patching our application files with ytt 15.4.3 Part 3: Managing and deploying Guestbook as a single application 15.4.4 Part 4: Constructing a kapp Operator to package and manage our application 15.5 Revisiting the Kubernetes Operator 15.6 Tanzu Community Edition: An end-to-end example of the Carvel toolkit index A B C D E F G H I J K L M N O P Q R S T U V W Y Z
Donate to keep this site alive
1. Disable the AdBlock plugin. Otherwise, you may not get any links.
2. Solve the CAPTCHA.
3. Click download link.
4. Lead to download server to download.