Oct 03, 2019, 02:58 AM
# KUBERNETES MANUAL

# Table of contents
> [Key concepts](#key-concepts)
> - [What is Kubernetes?](#what-is-kubernetes)
> - [Containers Pods Nodes Deployments & Services](#containers-pods-nodes-deployments--services)
> - [Autoscaling](#autoscaling)
> - [Security](#security)

# Key concepts
## What is Kubernetes?

Kubernetes (aka K8s) is a framework to organize a network of containers. This network of containers is referred to as a __cluster__. Based on your requirements, you may have one or multiple clusters, but in a nutshell, you can see a cluster as a cloud abstraction for an entire system (e.g., load balancer, firewall, app servers, storage, networking rules, etc.). This cluster should, in theory, run anywhere, as long as Kubernetes is installed. That's why K8s fits cloud migration really well: the first step is to Kubernetize your on-premise system and the second step is to migrate your clusters to the cloud.

Kubernetes is part of the __Infrastructure as Code (IaC)__ paradigm. Like many other tools and frameworks (e.g., Terraform, CloudFormation), it uses YAML files to describe infrastructure in a declarative way.

Finally, on a more personal note, I have to admit that as of 2019, Kubernetes has become the new fad, the new cult. IMHO, the best way to explain this trend is that it is the first time that a technology can make all Cloud providers agree on the same sales and marketing strategy: __*Kubernetes is the best way to migrate big enterprises to the cloud*__. All big 3 Cloud providers (AWS, Google and Microsoft) have desperately tried to sell the cloud to big enterprises without really managing to find the silver bullet. Kubernetes, like any other technology, is not a silver bullet, but it is good enough to be presented as such by sales and marketers. This means that as of 2018, we've seen a plethora of marketing and sales bullshit from all cloud providers to position K8s as the magic hammer that makes all problems look like a nail (one of my favorites: why K8s is the best way to deploy static websites... Oh boy...). While K8s is a great piece of tech, it is just tech. Use it only if it fixes a specific business need. The cloud is full of amazing services; K8s is one of them, but you might not need it at all.

## Containers Pods Nodes Deployments & Services
There are many important components that make up K8s, but in this high-level overview, let's start with the main ones. In a nutshell, __containers__ are managed inside __pods__. The physical or virtual machines that host pods are __nodes__ (this is what needs to be provisioned to scale your system up or down). Pods are grouped in __deployments__. The app developer does not really care about pods; he/she only cares about the app inside a deployment. How the deployment scales using its pods is configured inside its YAML file. Finally, each pod has a unique IP. Because pods are ephemeral, you should never reference a pod's IP explicitly. That's why the __service__ exists. The service is a proxy in front of a deployment. It knows how to talk to the cluster's DNS to resolve the deployment's label to an available and healthy pod. There are a few different service types:
* __*Cluster IP*__: This is the default service type. It reserves an IP inside the cluster to allow other components of that same cluster to communicate with a specific deployment.
* __*Node port*__: This covers the scenario where you wish to expose a pod in your cluster to one or many services outside of your cluster. The node port associates a pod's label with a specific port on your cluster's nodes. With that combination, an external service can communicate with a pod. Behind the scenes, a ClusterIP service is also created.
* __*Load balancer*__: Only useful when you are hosting your cluster on a cloud platform that can provision a load balancer. In that case, the cloud provider will automatically provision an LB. Behind the scenes, both a ClusterIP and a NodePort service are created.
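As an added example (not part of the original manual), here is a Deployment of three pods and a NodePort Service whose selector matches the pod label, which is how the service resolves the deployment instead of a pod IP. The name `hello`, the namespace `demo`, the image and the port numbers are all constructed for illustration.

```yaml
# Added example, not part of the original manual: names, image and ports are made up.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
  namespace: demo
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello            # pods carrying this label belong to the deployment
  template:
    metadata:
      labels:
        app: hello          # the service below resolves this label, never a pod IP
    spec:
      containers:
        - name: web
          image: nginxinc/nginx-unprivileged:1.25   # assumed image; listens on 8080 as non-root
          ports:
            - containerPort: 8080
          resources:
            requests:       # requests are what the HPA and CA reason about (see Autoscaling)
              cpu: 100m
              memory: 64Mi
---
apiVersion: v1
kind: Service
metadata:
  name: hello
  namespace: demo
spec:
  type: NodePort            # ClusterIP is the default; NodePort also allocates a ClusterIP
  selector:
    app: hello              # same label as the pod template above
  ports:
    - port: 80              # cluster-internal port, reachable as hello.demo.svc.cluster.local
      targetPort: 8080      # port the container listens on
      nodePort: 30080       # opened on every node; restrict it to trusted sources at the firewall
```

Apply both documents with `kubectl apply -f` and `kubectl get endpoints hello -n demo` lists the healthy pod IPs the service currently forwards to.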
24
25
## Autoscaling

K8s requires 2 different objects to manage autoscaling:
1. [The Horizontal Pod Autoscaler (HPA)](#horizontal-pod-autoscaler-hpa)
2. [The Cluster Autoscaler (CA)](#cluster-autoscaler-ca)

### Horizontal Pod Autoscaler (HPA)

The HPA manages the rules to scale pods, _regardless of whether or not there are enough physical or virtual resources to support that change_. If there are not enough resources, the new pod's status is marked as _pending_. The provisioning of physical or virtual resources is managed by the [Cluster Autoscaler](#cluster-autoscaler-ca).

### Cluster Autoscaler (CA)

The CA manages node autoscaling. When pods are marked as pending, the CA attempts to provision more nodes so those pods can be scheduled. Likewise, when pods are scaled down, the CA releases nodes to decrease resource consumption.
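An added example (not from the original manual) of the HPA half of this pair: an autoscaler targeting a Deployment named `hello` in namespace `demo`. Both names and the thresholds are constructed; the example assumes the Deployment's containers declare `resources.requests.cpu`, since the HPA measures utilization against that request and the CA uses the same request to decide whether a pending pod fits on a new node.

```yaml
# Added example, not part of the original manual; names and numbers are made up.
# The target Deployment must set resources.requests.cpu on its containers:
# the HPA computes utilization as a percentage of the request, and the CA
# uses the same request to decide whether a pending pod fits on a new node.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: hello
  namespace: demo
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: hello
  minReplicas: 2
  maxReplicas: 10           # caps how many pods the HPA may ask for; adding nodes is the CA's job
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70   # scale out when average CPU exceeds 70% of the request
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300   # wait 5 minutes before removing pods (and thus freeing nodes)
```

Pods the HPA creates beyond the nodes' free capacity show up as `Pending` in `kubectl get pods -n demo` until the CA adds a node; `kubectl describe hpa hello -n demo` shows the current and target utilization.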
39
## Security
Security in K8s can be broken down into 3 steps:
1. __AuthN__, i.e., Authentication. You have to define your own strategy and plug it into a concrete implementation of your choice. You will most likely implement what your cloud provider offers (think IAM).
2. __AuthZ__, i.e., Authorization. K8s' out-of-the-box authorization mechanism is called __RBAC (Role-Based Access Control)__. More about this below.
3. __Admission Control__. This module is what determines if the request makes any sense. For example, you might be authenticated and authorized to delete a pod, but if the pod does not exist anymore, then the request will fail. This behavior is made possible by an admission controller.
45
### RBAC (Role-Based Access Control)

The default user has full admin access. That's obviously the user you should spend a great deal of effort to protect. When you create a new user, that user has no rights at all. The process to configure a user's access is referred to as __RBAC (Role-Based Access Control)__. This process works as follows:
1. Provision an SSL certificate for a user and store that cert in K8s.
2. Create a new __role__ that can do stuff (typically following the least privilege principle).
3. Create a new __role binding__ between that role and the SSL cert that represents the new user.
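An added example (not from the original manual) of steps 2 and 3 above: a least-privilege Role that can only read pods in one namespace, and a RoleBinding that grants it to the user whose client certificate from step 1 has `CN=jane`. The username `jane` and the namespace `demo` are constructed.

```yaml
# Added example, not part of the original manual; user name and namespace are made up.
# Step 2: a namespaced Role that can only read pods and their logs in "demo".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: demo
rules:
  - apiGroups: [""]                  # "" is the core API group, where pods live
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]  # no create/delete and no "*": least privilege
---
# Step 3: bind the Role to the user. The subject name must equal the CN of the
# client certificate from step 1; the certificate's O fields become the user's groups.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jane-pod-reader
  namespace: demo
subjects:
  - kind: User
    name: jane                       # CN=jane in the certificate
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role                         # a Role, so the grant stays limited to this namespace
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Check the result as an admin with `kubectl auth can-i list pods -n demo --as=jane` (expected `yes`) and `kubectl auth can-i delete pods -n demo --as=jane` (expected `no`).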