Cka PDF
These notes follow the LinuxAcademy course structure, which can be found here: https://linuxacademy.com/course/cloud-native-certified-kubernetes-administrator-cka/. I would recommend viewing the course to gain full and detailed explanations.
I have created these notes as part of my personal learning and hope to be able to help and inspire others.
As I am also learning, there may well be mistakes; please do reach out and let me know, so I can correct them.
[Diagram: Kubernetes cluster architecture. Master: etcd (cluster data), scheduler (assigns pods to nodes), controller manager (replicates components on node failure), API server (the communication hub). Worker nodes: kubelet, kube-proxy (a network proxy that runs on each node) and the container runtime (Docker / containerd) that runs your containers; images are pulled from a Docker image registry. Shows an application running on Kubernetes.]
API Primitives
Every component communicates with the API server only and not directly with one another.
[Diagram: kubectl converts YAML files to JSON when making a request to the API server. YAML file composition: metadata name (string), UID, namespace. A service fronts pods on node 1 and node 2 with a consistent IP address.]
Kube-Proxy
Kube-Proxy handles the traffic associated with a service by creating iptables rules.
[Diagram: the API server publishes a service; kube-proxy on node 1 and node 2 writes iptables rules that route traffic for the service to the destination pods.]
Release Binaries, Provisioning and Types of Clusters
[Diagram: cluster provisioning, cloud or on-prem. Master and workers: update packages on all nodes; on the master only, initialise the cluster.]
All components can be replicated, but only certain ones can operate simultaneously
[Diagram: three masters (master 1, 2, 3) behind a load balancer, each running an API server (all active). Scheduler and controller manager: "Are we in charge of the cluster? How do we decide?" Leader election creates an endpoint resource (option visible in the scheduler YAML) that records the identity of the leader.]
Replicating etcd
[Diagram: etcd topology, either stacked or external to the Kubernetes cluster. Stacked: each control plane node creates a local etcd member, which only communicates with the API server. The etcd members agree using the Raft consensus algorithm.]
[Diagram: API server request flow. kubectl translates API state and provides CRUD (create, read, update, delete), and the API server returns the response. The request passes through multiple plugins: authentication (HTTP header, certificate), authorisation ("can this user perform this action?"), admission and validation; reads skip some of the checks applied to create, modify and delete.]
Building Highly Available Cluster
RBAC is used to prevent unauthorised users from modifying the cluster state
[Diagram: RBAC. A Role defines what action(s) can be done on which resource(s); a RoleBinding defines who can do it. ClusterRoles cover cluster-level resources.]
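As an added example (not from the course or these notes), a namespaced Role that only allows reading pods, bound to a single user. The namespace dev is an assumed value, and the user adnan is taken from the kubectl config notes later on this page.

```yaml
# Added example: least-privilege RBAC for read-only pod access.
# Namespace "dev" and user "adnan" are assumed values, not from the notes.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: dev
rules:
  # What can be done (verbs) on which resource; nothing else is granted.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: dev
subjects:
  # Who can do it.
  - kind: User
    name: adnan
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying it, kubectl auth can-i list pods --namespace dev --as adnan answers yes, while kubectl auth can-i delete pods --namespace dev --as adnan answers no, which is the quickest way to confirm a binding grants only what was intended.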
Service Account
[Diagram: a service account is the identity of an application running in a pod and is used to call the API (token file mounted in the pod). Service accounts are namespaced: a pod in namespace 1 can only use a service account in the same namespace.]
Running end to end tests on cluster
[Diagram: end-to-end tests report the performance of the cluster and show why an example application responds poorly (kubetest).]
End-to-end tests check that:
• Deployments can run
• Pods can run
• Pods can be directly accessed
• Logs can be collected
• Commands run from pods
• Services can provide access
• Nodes are healthy
• Pods are healthy
Managing Cluster
[Diagram: managing the cluster. Upgrade the cluster with kubeadm and kubectl. Operating system upgrades: use deployments or replica sets, get pods, drain the node, then uncordon it to put it back into service. Backup and restore the cluster state held in etcd and save the backup externally.]
Pod and Node Networking
[Diagram: node 1 networking. Pod eth0 interfaces connect through veth pairs to a bridge on the node; the node's pod network is 10.244.1.0/24.]
Container Network Interface
[Diagram: Container Network Interface. Pod 1 (10.244.1.2) and pod 2 (10.244.2.3) on different nodes connect via veth pairs to their node's bridge; the CNI plugin connects the bridges across the node network. The API server publishes a service (cluster IP 10.104.185.62); kube-proxy on each node programs iptables rules to reach the pods. Pods come and go, so how does the cluster keep track? Services provide a virtual interface, with a cluster IP auto-created on service creation, that is auto-assigned to the pods behind it.]
Ingress
[Diagram: an Ingress routes to a service by name, namespace and base domain name.]
The scheduler is responsible for assigning a pod to a node based on the resource requirements of the pod.
[Diagram: scheduling. Rules are placed by default; however, you can create your own (why: worker nodes can have different disks, keep pods on the same node, save costs). Checks the scheduler makes: does the node have adequate hardware resources? Is the node running out of resources? If the pod requests a volume, can it be mounted? Does the pod tolerate the taints of the node? Example: taints repel work; the master node carries a NoSchedule taint. Multiple schedulers (scheduler 1, scheduler 2) across nodes 1, 2, 3.]
DaemonSets ensure that a single replica of a pod is running on each node at all times
[Diagram: DaemonSet, one pod on every node, kept at an even level.]
Deploying an Application, Rolling Updates and Rollbacks
[Diagram: a Deployment manages ReplicaSets, each owning pods. The fastest way of avoiding bad decisions is to block a bad version from being released: deployment v1 with minReadySeconds (10) and a readiness probe (check every second on port 80, must return success); the pod is not released until the probe passes, and pod errors trigger a rollback to the previous version. Multiple containers can use the same key/volume: just update it, no need to rebuild the image.]
Creating a self-healing app
ReplicaSets ensure that identically configured pods are running at the desired replica count
[Diagram: Deployments are recommended; a Deployment manages ReplicaSets, so losing a node has no impact on the app. A headless service is used for unique pods that each have their own volume claim (each needs its own storage, as it is unique) and where certain traffic must go to each pod.]
Persistent Volumes
[Diagram: pods are ephemeral; when a pod is terminated its storage is terminated. A persistent volume is a resource in the cluster. Provisioning is static (the cluster admin creates PVs and makes them available for consumption) or dynamic (via storage classes; the PVC must request a storage class).]
Volume Access Modes
By specifying an access mode with your PV, you allow the volume to be mounted to one or many nodes, as well as read by one or many.
Access modes:
• ReadWriteOnce: only one node can mount the volume for read and write
• ReadWriteMany: multiple nodes can mount the volume for read and write
• ReadOnlyMany: multiple nodes can mount the volume for reading
Persistent Volume Claims (PVC)
[Diagram: a pod references a PVC, which is bound to a PV (e.g. 1Gi) that the cluster admin created on actual storage; the PV stays with the PVC while bound. Reclaim policy: Retain keeps the data in the volume; it could also be Recycle or Delete (delete the contents of the volume and the underlying storage).]
Storage Objects
Volumes that are already in use by a pod are protected against data loss. This means even if you
delete a PVC, you can still access the volume from the pod.
[Diagram: PVC protection via finalizers. The PV stays bound to the PVC while a pod uses it; when you delete the PVC it is only removed after the pod is deleted.]
Example:
1. Create storage class object
2. Create PVC object
3. Create deployment
4. Rollout deployment
5. Check pods
6. Create file on mount
7. List contents
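The seven steps above and the access modes listed earlier, carried through as one added example (not from the course or these notes). The storage class name, the provisioner string and the claim and deployment names are assumed; the provisioner is a placeholder that must be replaced with a driver available in your cluster.

```yaml
# Added example following the seven steps above. "fast", "web-data" and "web"
# are assumed names; the provisioner is a placeholder, not a real driver.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: fast
provisioner: example.com/placeholder   # placeholder: replace with your CSI driver
reclaimPolicy: Delete                  # or Retain to keep data after the PVC goes
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: web-data
spec:
  storageClassName: fast               # the PVC must request a storage class
  accessModes:
    - ReadWriteOnce                    # one node mounts it for read and write
  resources:
    requests:
      storage: 1Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1                          # ReadWriteOnce volume: keep to one pod
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: web
          image: busybox
          command: ["sh", "-c", "sleep 3600"]
          volumeMounts:
            - name: data
              mountPath: /data         # the claim appears here inside the pod
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: web-data
```

Steps 4 to 7 are then: kubectl rollout status deployment/web, kubectl get pods, kubectl exec deploy/web -- sh -c 'echo hello > /data/test.txt', and kubectl exec deploy/web -- ls /data. Deleting the PVC while the pod still runs leaves it in a Terminating state, which is the PVC protection finalizer described above doing its job.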
Service accounts and users
[Diagram: the API server first evaluates who is calling. Service accounts (e.g. Jenkins) versus normal users (a user store, e.g. a file with a user/password list; private key). kubectl create serviceaccount jenkins; assign it to a pod by putting serviceAccountName: jenkins in the spec of the pod manifest (busybox.yaml, name busybox); if you do not use a specific one, the pod will use the default. kubectl get sa will show default and jenkins. The service account's secret holds its token. For a user to access the cluster remotely: create a cluster role binding, then on the client: 1. kubectl config set-credentials (username adnan, password); 2. kubectl config set-cluster kubernetes (server https://..., certificate); 3. set the context to use that cluster and user.]
[Diagram: authentication is the first step in receiving a request: who is it, a pod or a human? Authorisation: what can they do, via RBAC rules (resources, groups: who can do it, what can be performed on which resource). Roles and RoleBindings are namespaced; ClusterRoles and ClusterRoleBindings apply at the cluster level (e.g. create a ClusterRole and ClusterRoleBinding to view persistent volumes, then curl the API from a container to test access at cluster level).]
Configuring Network
Network policies use selectors to apply rules to pods, controlling communication throughout the cluster.
[Diagram: network policy example with pods labelled app=db and app=web (ports 3128 and 4269). How: install a network plugin that supports policy (Canal), create the network policy, create the deployment and expose it. First a deny-all policy (kind: NetworkPolicy, name deny-all, blank podSelector so it applies to all pods, policyTypes Ingress): trying to access the deployment times out. Then label the pods and create a policy with podSelector matchLabels app: db and an ingress rule from matchLabels app: web on port 4269, allowing comms between the pods on the specified port.]
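The deny-all and allow-web-to-db pair described above, written out as an added example (not from the course or these notes). The labels app=db and app=web and port 4269 come from the notes; the policy names are assumed and the namespace is assumed to be the default one.

```yaml
# Added example: default-deny ingress, then a narrow allow rule.
# Policy names are assumed; labels and port come from the notes.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}        # blank selector: applies to every pod in the namespace
  policyTypes:
    - Ingress            # no ingress rules listed, so all inbound traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-db
spec:
  podSelector:
    matchLabels:
      app: db            # this policy applies to the db pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: web   # only pods labelled app=web ...
      ports:
        - protocol: TCP
          port: 4269     # ... and only on this port
```

Policies are additive: the second one opens a single hole in the first, and traffic from any other pod, or from app=web on any other port, still times out. Nothing is enforced unless the CNI plugin implements NetworkPolicy, which is why the notes install Canal first.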
Creating TLS certificates
The CA is used to generate a TLS certificate and authenticate with the API server
[Diagram: a pod authenticates to the API server with a certificate. Create a new CSR, then a CertificateSigningRequest object (kind: CertificateSigningRequest, name csr-pod-web) whose request field is the CSR base64-encoded: cat server.csr | base64 | tr -d '\n'.]
[Diagram: private image registries (Docker Hub, AWS, Azure, GCP) used by the container runtime for image pulls. How: create a Kubernetes secret of type docker-registry (docker server and credentials) and modify the service account or pod to use it.]
Security context: limit access to certain objects at the pod and container level; this will allow images to remain stable. Settings: runAsUser, fsGroup, runAsNonRoot, privileged, capabilities.
[Diagram: kind: Pod, image alpine, securityContext runAsUser: 405 runs the pod as user 405 (can also set runAsNonRoot). Ability to run as privileged: privileged: true at container level. Ability to lock down kernel-level features: securityContext capabilities add (SYS_TIME, NET_ADMIN) on the container or pod level; remove with securityContext capabilities drop (CHOWN).]
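An added example (not from the course or these notes) showing the same settings in their hardened form: a non-root user id, no privilege escalation, every capability dropped and only the one the workload needs added back. The image and user id 405 are from the notes; the pod name and the command are assumed.

```yaml
# Added example: pod-level and container-level security context.
# Pod name and command are assumed; image and uid 405 are from the notes.
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:                  # pod level: applies to every container
    runAsUser: 405
    runAsNonRoot: true              # kubelet refuses to start a root container
    fsGroup: 405                    # group ownership of mounted volumes
  containers:
    - name: app
      image: alpine
      command: ["sh", "-c", "id && sleep 3600"]
      securityContext:              # container level: extends the pod settings
        privileged: false
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]             # start from nothing (covers CHOWN too)
          add: ["SYS_TIME"]         # add back only what this workload needs
```

kubectl exec security-context-demo -- id should report uid 405; if the image's default user were root, runAsNonRoot would keep the container from starting at all, which is the check worth keeping even when runAsUser is set.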
Securing persistent key/value store
[Diagram: secrets are key/value pairs whose data must live beyond the life of a pod. Pass them as an environment variable (not best practice, as they may be output to log files) or expose them as files in a volume mounted in the container filesystem. The default service account token secret is mounted at /var/run/secrets/kubernetes.io. Example: HTTPS to a website, generate a key and certificate, combine them in a secret and mount it in the pod. Secrets are kept in an in-memory file system and not written to disk.]
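The HTTPS example above, as an added example (not from the course or these notes): a TLS secret mounted as read-only files instead of being passed as environment variables. The certificate and key values are constructed placeholders (base64 of the word "placeholder"), and the secret, pod and image names are assumed.

```yaml
# Added example: TLS material mounted as files with restricted permissions.
# tls.crt / tls.key values are placeholders, NOT real key material.
apiVersion: v1
kind: Secret
metadata:
  name: web-tls
type: kubernetes.io/tls
data:
  tls.crt: cGxhY2Vob2xkZXI=
  tls.key: cGxhY2Vob2xkZXI=
---
apiVersion: v1
kind: Pod
metadata:
  name: web
spec:
  containers:
    - name: web
      image: nginx                  # assumed image
      volumeMounts:
        - name: tls
          mountPath: /etc/tls       # key and cert appear as files here
          readOnly: true
  volumes:
    - name: tls
      secret:
        secretName: web-tls
        defaultMode: 0400           # files readable only by their owner
```

Real values are produced with kubectl create secret tls web-tls --cert=server.crt --key=server.key rather than by hand-editing base64. Because the mount is backed by an in-memory file system, the key never lands on the node's disk, and because it is not an environment variable it does not leak into kubectl describe output or application logs.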
Monitoring the cluster components
The metrics server allows you to collect CPU and memory data from the nodes and pods in your cluster.
[Diagram: node metrics (CPU core utilisation, memory) and pod metrics (CPU, memory), consumed via kubectl. Application logs from a container are streamed to stdout; app and system logs help you understand what is happening inside the cluster and debug it. Logs accumulate over time, and with many microservices it is hard to tell which logs are which; the log directory /var/log/containers accumulates them and a logging agent ships them. A pod can run log containers 1 and 2 alongside the app container, each writing a log file. pod1.yaml (kind: Pod, name pod1, image busybox, command): ability to write a termination message to a specific file on the container via terminationMessagePath; kubectl describe will show the error message. Common errors: discovery errors, application communication errors, application failure, ImagePullErr, CrashLoopBackOff, FailedMount, Pending, RBAC errors.]
Troubleshoot failures
[Diagram: troubleshooting checklist. Check iptables rules, network DNS (resolv.conf), the endpoints of the service, the kubernetes service itself, and the CNI plugin.]
Visit https://adnan.study for all notebooks