How-To-Kubernetes

How-To-Kubernetes.md

How-To-Kubernetes

Basics

• official doc: normally, the official doc is the best place for learning and doing
• The Kubernetes Book, 2023 Edition - Nigel Poulton and Pushkar Joglekar
• Kubernetes in Action, 2nd Edition - Marko Lukša: This 2nd edition will be released on August 29, 2023. The first edition is a little bit outdate.
• Kubernetes Design Principles: Understand the Why - Saad Ali, Google, KubeCon + CloudNativeCon North America 2018
• What is Helm in Kubernetes? Helm and Helm Charts explained, TechWorld with Nana 2020:
• Kubernetes for Sysadmins – Kelsey Hightower, PuppetConf 2016
• Cgroups, namespaces, and beyond: what are containers made from? - Jérôme Petazzoni, dockercon EU 2015

Design Proposals

• Kubernetes Enhancement Tracking and Backlog
• Kubernetes Design Proposals Archive

Network

• Kubernetes Networking 101 - Randy Abernethy, RX-M LLC, 2022
• "My CNI Plugin Did… What?!": Debugging CNI with Style and Aplomb - Douglas Smith & Daniel Mellado Area, Red Hat, KubeCon + CloudNativeCon North America 2022
• Kubernetes Networking Intro and Deep-Dive - Bowei Du & Tim Hockin, Google, KubeCon + CloudNativeCon Europe 2020
• Kubernetes and Networks: Why is This So Dang Hard? - Tim Hockin, 2020
• Life of a Packet - Michael Rubin, Google, 2017
• Life of a Packet through Istio - Matt Turner,QCon London 2019
• The ins and outs of networking in Google Container Engine and Kubernetes (Google Cloud Next '17) - Tim Hockin and Michael Rubin
• Container Networking From Scratch - Kristen Jacobs, Oracle, KubeCon + CloudNativeCon North America 2018
• Container Networking Deep Dive with Amazon ECS (CON401) - Shakeel Sorathia, AWS re:Invent 2017
• Container Network Interface: Network Plugins - Eugene Yakubovich, 2015
• The Container Network Interface (CNI) - Eugene Yakubovich, 2015
• MegaEase 技术分享：Kubernetes Networking Model - 赵锟

Scheduler

• A Deeper Dive of kube-scheduler - Akila Welihinda, OpenAI, 2023/12/11
• Unleash the Full Potential Of Kubernetes Scheduler, KubeCon + CloudNativeCon North America 2022: Configuration, Extension And Operation In Production - Yuan Chen, Yibo Zhuang & Wei Huang, Apple; Chen Wang, IBM Research
• Huang-Wei/sample-scheduler-extender
• Kubernetes scheduler simulator
• Building a Kubernetes Scheduler using Custom Metrics - Mateo Burillo, Sysdig, KubeConEU2018, slide, code
• How the Kubernetes scheduler works - Brendan Burns at MicroSoft Azure, 2019
• Deep Dive Into the Latest Kubernetes Scheduler Features: Abdullah Gharaibeh, Google Inc, KubeCon North America 2019

extend-kubernetes

• Vault '20 - Understanding Kubernetes Storage: Getting in Deep by Writing a CSI Driver
• Device Plugins 2.0: How to Build a Driver for Dynamic Resource Allocation - K Klues & Alexey Fomenko

Rootless

alpha at Kubernetes v1.25

Kubernetes Official Docs Conditions:

• at least Linux 6.3, as tmpfs started supporting idmap mounts in that version (the service account token that is mounted by default uses a tmpfs, Secrets use a tmpfs, etc.)
• CRI-O: version 1.25 (and later) supports user namespaces for containers
• containerd v1.7+

Limitations, if you set hostUsers: false then you are not allowed to set any of:

• hostNetwork: true
• hostIPC: true
• hostPID: true

The pod is allowed to use no volumes at all or, if using volumes, only these volume types are allowed:

• configmap
• secret
• projected
• downwardAPI
• emptyDir

K8s Proposals

• KEP-127: Support User Namespaces in stateless pods: Root Kubelet But Rootless Container, alpha at K8s 1.25
• KEP-2033: Kubelet-in-UserNS (aka Rootless mode): Rootless Kubelet and Rootless Container. In Progress, track issue

Runtime Status

• Docker Rootless GA after v20.10: Maybe some Volume and Networks limitations, test it later
• 2021 Rootless Containers from Scratch - Liz Rice, Aqua Security
• 2020/12 Rootless Containers in Gitpod
• 2021 Overview of Rootless Podman: Part 1 - Understanding Root Inside and Outside a Container
• 2021 Overview of Rootless Podman: Part 2 - How User Namespaces Work in Rootless Containers

RootlessKit

• Rootless Containers

Others

• API Codebase Tour - Stefan Schimanski, Red Hat, Kubernetes Contributor Summit 2018
• K3s Under the Hood: Building a Product-grade Lightweight Kubernetes Distro - Darren Shepherd, KubeCon + CloudNativeCon North America 2019
• Kubernetes Failure Stories and How to Crash Your Clusters - Henning Jacobs, Zalando SE, KubeCon + CloudNativeCon Europe 2019
• 10 Ways to Shoot Yourself in the Foot with Kubernetes, #9 Will Surprise You - Laurent Bernaille, KubeCon + CloudNativeCon Europe 2019
• Deep Dive: Virtual Kubelet - Jeremy Rickard, Microsoft & Lei Zhang, Alibaba Cloud, KubeCon + CloudNativeCon Europe 2019
• Deep Dive into Kubernetes Internals for Builders and Operators - Jérôme Petazzoni, LISA19
• Building a Kubernetes on Bare-Metal Cluster - Alexandros Kosiaris & Guiseppe Lavagettom, 2019
• Single Sign-On for Kubernetes - Joel Speed, Pusher
• Lessons Learned Migrating Kubernetes from Docker to containerd Runtime - Ana Calin, Paybase, KubeCon + CloudNativeCon Europe 2019
• Building a Raspberry Pi Kubernetes Cluster and running .NET Core - Alex Ellis & Scott Hanselman, NDC London 2018
• Horizontal Pod Autoscaler Reloaded - Scale on Custom Metrics - Maciej Pytel & Solly Ross, KubeCon EU 2018
• Kubernetes the Very Hard Way - LISA19

Container is not for multi-tenant

• Dynamically Hacking the Kernel with Containers
• Escaping containers using the Dirty Pipe vulnerability
• Understanding Docker container escapes
• Exploiting CVE-2021-3490 for Container Escapes
• HackTricks: Escape from Privileged Containers
• A Compendium of Container Escapes

Kata

• OpenInfra Foundation List: Everything Kata Containers
• 2019 - Kata Containers An introduction and overview
• 2023 - Experience with “Hard Multi-Tenancy” in Kubernetes Using Kata Containers - Shuo Chen, Databricks
• 2023 - Kata Containers 3 0 Virtualization optimized for cloud native

others.md

kubectl cheat sheet

raw api output JSON

kubectl get --raw /api/v1/pods

{
  "kind": "PodList",
  "apiVersion": "v1",
  "metadata": {
    "resourceVersion": "6196466"
  },
  "items": []
}

list Pods that refer to the ConfigMap name

kubectl get po -n dora3-env-dev -o json | jq -r '.items | map(select(.spec.volumes[]?.configMap.name == "boots-proxy-service-config" ) | .metadata.name) | .[]' | uniq

Kubermark Dockerfile

FROM golang:1.20.3-bullseye as builder

RUN apt update && apt install -y rsync
RUN mkdir -p /go/src/k8s.io
RUN mkdir -p ./src/k8s.io
RUN cd src/k8s.io && git clone https://github.com/kubernetes/kubernetes.git && cd kubernetes && make all WHAT=cmd/kubemark GOFLAGS=-v

FROM registry.k8s.io/build-image:v2.3.1-go1.20.3-bullseye.0

COPY --from=builder /go/src/k8s.io/kubernetes/_output/bin/kubemark /kubemark

How Pause Works

• https://groups.google.com/g/kubernetes-users/c/jVjv0QK4b_o
• https://www.ianlewis.org/en/almighty-pause-container
• https://github.com/kubernetes/kubernetes/blob/3b17aece1fa492e98aa82b948597b3641961195f/build/pause/linux/pause.c
• https://medium.com/hackernoon/my-process-became-pid-1-and-now-signals-behave-strangely-b05c52cc551c

sig controller

index objects and get objects by index

func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
	// index pods by nodeName
  mgr.GetFieldIndexer().IndexField(context.Background(), &corev1.Pod{}, "spec.nodeName", func(rawObj client.Object) []string {
		pod := rawObj.(*corev1.Pod)
		return []string{pod.Spec.NodeName}
	});
}

// get pods by nodeName
var pdList corev1.PodList
err := r.List(ctx, &pdList, &client.MatchingFields{"spec.nodeName": node})