Kubernetes me This Batman

Or I how I quit worrying and learned to love container clustering

Disclaimer: I don’t work for google. Also, still mad about Google Reader. RIP sweet prince.

Presentation Schedule● Part 0: What Does This Have to Do With Batman?● Part 1: Kubernetes is very opinionated but I agree with

most of them.● Part 2: All about drawings.● Part 3: Demo Time!

Part 0: What Does This Have To Do With

Batman?

I like to think that I am Batman✓ Does not have superpowers

✓ Relies on his intuition and mental skills

✓ Has lots of cool gadgets

✓ Likes to surprise people

I like to DevOp and love to play with new tools to fight crime downtime

one day I started playing with containers because everyone else was doing it and that never went poorly so why not. (looks inviting)

And then I was gonna launch all my containers in production and wow all my friends (because my wife doesn’t get wowed by containers).

This was the result. It was not good. No-one was wowed.

And then I heard about this Kubernetes thing. And wanted to learn how to use it.

Kubernetes was like the Riddler to me✓ Likes to confuse people

✓ Is clever but not funny

✓ Does a lot of taunting

✓ Made me feel dumb

After a class at Oscon and some good ol’ learnin, I was able to outsmart the Riddler Kubernetes.

Part 1: Kubernetes is very opinionated but I agree with

most of them.

I was told memes were good to have in a presentation. Here is one right off the bat.

From Chapter 4 of Getting Real by 37 Signals

The best software has a vision. The best software takes sides. When someone uses software, they're not just looking for features, they're looking for an approach. They're looking for a vision. Decide what your vision is and run with it.

Running and scheduling containers is a very opinionated field.

Google has an opinion called Kubernetes.● Pronounced /koo-ber-nay'-tace/. It’s actually a Greek

term for “ship master”.● Developed at Google. The third iteration of container

management.○ Daddy was Omega.○ Grandaddy was Borg.

● Kubernetes is not a PaaS, but you can build one with it.● Google says that Kubernetes is planet scale.

k8sBTW, Google wants you to stop writing Kubernetes and use

this clever acronym instead. Although it technically should be pronounced “Kates”.

This is the Kubernetes logo. The lack of symmetry bugs me.

There are two big ideas in Kubernetes: labels and Pods.

Pods

● For the most part …● Pods can contain one or more containers.● The containers in a pod are scheduled on the same node.● Everything in Kubernetes is some flavor of of pod or an

extension of the pod spec.● Remember this for now, we’ll get back to it in a second.

A pod is a collection of containers.

Pods are flat files. No, really. Like YAML or JSON (boo*).apiVersion: v1kind: Podmetadata: name: "" labels: name: "" namespace: "" annotations: [] generateName: ""spec: ? "// See 'The spec schema' for details." : ~

{ "kind": "Pod", "apiVersion": "v1", "metadata": { "name": "", "labels": { "name": "" }, "generateName": "", "namespace": "", "annotations": [] }, "spec": {

// See 'The spec schema' for details.

}}

*Font size 14 vs font size 10, YAML is the clear winner. Especially in the context of Shannon’s Information Theory. The same density of information can be transmitted in less lines with YAML.

Pods. Both of these are the same.apiVersion: v1kind: Podmetadata: name: redis-django labels: app: webspec: containers: - name: key-value-store image: redis ports: - containerPort: 6379 - name: frontend image: django ports: - containerPort: 8000

K8S Node 1redis-django pod 1

redis container

django container

some-other pod

K8S Node 2redis-django pod 2

redis container

django container

redis-django pod 3

redis container

django container

The Pod Lifecycle in a ClusterLet’s say you want to fire up a pod. With kubectl you would:

1. Make a Pod request to the API server using a local pod definition file.

2. The API server saves the info for the pod in ETCD.3. The scheduler finds the unscheduled pod and schedules it

to a node.4. Kubelet sees the pod scheduled and fires up docker.5. Docker runs the container.

The entire lifecycle state of the pod is stored in ETCD.

Most of the things in Kubernetes are built on top of Pods.

Labels

Labels and selectors are the fairy dust in k8s.● A label is a key-value pair that is assigned to objects

in k8s.○ Pods, services, lots of things can have labels.

● A selector is a way to filter for labels that match a certain criteria or logic.○ There are two types of selectors:

■ Equality based■ Set based

An example of each."labels": { "environment" : "prod", "type" : "nginx"}

environment = prodtype != nginx

"labels": { "environment" : "prod", "type" : "redis"}

environment = prodtype != nginx

No

Yes"labels": { "environment" : "prod", "type" : "redis"}

environment in (prod, qa)type notin (nginx, mysql)!partitionYes

When one thing in k8s needs to find another thing in k8s, it uses labels.

The K8S Cluster

A basic cluster.K8S Node 1

redis-django pod 1

redis container

django container

some-other pod

K8S Node 2redis-django pod 2

redis container

django container

redis-django pod 3

redis container

django container

K8S Master

SkyDns pod

ETCD pod

Kibana pod

Grafana pod

Elasticsearch pod

Heapster pod

basic-cluster-01

bonus stuff● When you launch a

cluster, you get some built in services.

● Each one of these has their own endpoints and / or UIs.

● They run on the master directly though you could schedule them across the cluster or other masters.

● To find the endpoints type: kubectl cluster-info

Heapster

Namespaces.

A Virtual Cluster in Your Cluster● A namespace as an isolated section of a cluster.● It’s a virtual cluster in your cluster. ● Each cluster can have multiple namespaces.● The root services have their own.● Namespaces are in network isolation from each other and

can are (normally) used to house different environments on the same cluster.

Part 2: All about drawings.

Let’s look at a Kubernetes cluster diagram.

This diagram is a bit small, let’s break it down.

The master● Everything is done via

kubectl, which then makes calls against the kube-apiserver.

● The Controller Manager, Scheduler Service, and ETCD can be spread across nodes based on cluster size.

● All state about everything is stored in ETCD.

● Also, kubelet is running here too (more on that next slide).

The Node● The name of the agent

process is called kubelet. Think “cubed omelette”.

● The kubelet process manages the Pods, including containers & volumes.

● The kube-proxy service handles network routing and service exposure.

A master is a master because it has the api services and scheduler. The state is all in etcd.

Kubernetes objects.

My mental model of k8s● I find it easiest to think of everything as a variation

of a Pod or another object.● Google has done a very good job at extending base objects

to add flexibility or support new features.● This also means that the Pod spec is relatively stable

given the massive list of features that is dropped every release.

What k8s looks like in my head.PodSpec

Container

Replica SetPodSpec

Container

Replication Controller

PodSpec

Container

Daemon SetPodSpec

Container

Pet SetPodSpec

Container

Deployment

Replica SetPodSpec

Container

ServicePod

ServicePod

Ingress Service

SpecContainer

JobPodSpec

Container

Or this.

The Base Things in Containers are called Specs (Not like Dust, like Specification)● The only required field is

containers.○ And it requires two entries

■ name■ image

● restartPolicy is for all containers in a pod.

● volumes are volumes (duh) that any container in a pod can mount.

● The spec is very extensible by design.

Spec

Container

Then there is the pod● Specs don’t do anything by

themselves; for that you need a pod.

● Pods are just collections of containers that share a few things:○ Access to volumes.○ Networking.○ Are co-located.

● Pods can be run by themselves but have no guarantee to restart or stay running or scale or do anything useful really.

Pod

Spec

Container

Services.● Services point to a Pod.● … or to an external source.● With Pods a virtual endpoint is

created then routed to using the kube-proxy.

● For non-pod services a virtual IP in the cluster is used to route externally.

Service

Pod

Ingress Service = AWS API Gateway.● An Ingress Controller sits at the

boundary of the cluster and routes requests to Services.

● One Ingress Controller can handle multiple domains.

● Each route can point to a different Service.

● Relies on the creation of an Ingress Controller in the cluster (another service that is not enabled by default).

Service

Pod

Ingress Service

Daemon sets. Scary.● Daemons is an object that ensures that a copy

of each Pod runs on each node.● This is commonly used to make sure side-car

containers are running across the cluster.● If new nodes come up they’ll get a copy of the

daemon set and will come up.● Daemon sets don’t have scaling rules.

Daemon SetPodSpec

Container

Pet sets. Not so scary.● New in 1.3, Pet Sets allow you to create

complex microservices across the cluster.● They have the ability to set dependency on

other containers.● They require:

○ A stable hostname, available in DNS○ An ordinal index○ Stable storage: linked to the ordinal &

hostname● It’s for launching a cluster in your cluster.

Pet SetPodSpec

Container

Replication Controller (deprecated)● A Replication Controller was the best way to

run Pods. ● You set a number of pods to run and the

Replication Controller made sure that the number was running across the cluster.

● Rolling updates could be performed by starting a new Replication Controller and scaling up.

Replication Controller

PodSpec

Container

Replcia Set. The new hotness.● A Replica Set differs from the Replication

Controller because it can be updated.● If you update the Replica Set template you can

fire and update and automatically roll changes.

● Roll backs are also built in.● These are not designed to use directly. For

that you need ...

PodSpec

Container

Replica Set

Deployments. The king of the hill.● A Deployment controls the running state of

Pods and Replica Sets.● In k8s 1.3 it is the primary object you should

be manipulating.● Deployments have:

○ History.○ Rolling updates.○ Pausing updates.○ Roll-backs.

Deployment

Replica SetPodSpec

Container

There’s more stuff too.

Other stuff.● Secrets:

○ K8s comes with a built-in secret store that is namespaced and uses labels to control pod read access.

● Network Policies:○ You can use labels to define whitelist rules between pods.

● Persistent Volumes:○ These live outside of normal pod volumes and can be used for shared

storage for things like databases. Yes, databases in containers.

● Ubernetes:○ A way to cluster your clusters.

Part 3: Demo Time!

You Only Need a Computer, BTW● Minikube

○ https://github.com/kubernetes/minikube

○ Runs a Kubernetes node on top of your favorite (probably Virtualbox) VM.

○ Lots of involvement from the K8s community.

● Kube-solo○ https://github.com/TheNewNormal/kube-solo-osx○ Uses the Corectl app to run a Kube VM.○ Also has a multi-node version.

On to Minikube!

FIN

Contact me!keybase.io/richardboydii

@richardboydii

richardboydii.com

countzer0.com