Upgrade to Pro — share decks privately, control downloads, hide ads and more …

10 Years of Kubernetes Patterns Evolution

10 Years of Kubernetes Patterns Evolution

Much like the timeless 'Gang of Four' design patterns for object-oriented programming, Kubernetes has spawned its own timeless design patterns for distributed applications design. These patterns are not utilizing objects, classes, and interfaces, but new primitives pioneered by Kubernetes, such as Pods, Jobs, and Deployments, that span across processes, and nodes. In this talk, Bilgin & Roland will explore the most widely used Kubernetes design patterns and their evolution over the 10 years of Kubernetes existence. These patterns prevent reinventing the wheel by offering time-tested solutions to common challenges. Understanding this pattern language is crucial for grasping the Kubernetes' mindset, boosting your ability to comprehend, discuss, and design Kubernetes-based applications that are good cloud-native citizens set to last another decade.

Bilgin Ibryam

March 22, 2024
Tweet

More Decks by Bilgin Ibryam

Other Decks in Technology

Transcript

  1. Kubernetes • Open Source container orchestration system started by Google

    in 2014 ⎈ Scheduling ⎈ Self-healing ⎈ Horizontal and vertical scaling ⎈ Service discovery ⎈ Application Deployments • Declarative resource-centric REST API 34
  2. Liveness & Readiness • Liveness Probe ◦ Restarting containers if

    liveness probes fails • Readiness Probe ◦ Removing from service endpoint if readiness probe fails • Startup Probe ◦ Restarting containers if startup probes fails ▪ Probe methods ▪ HTTP endpoint ▪ gRPC endpoint 29 ▪ TCP socket endpoint ▪ Unix command return value
  3. Health Probe Example containers: - image: k8spatterns/random-generator:1.0 name: random-generator livenessProbe:

    httpGet: path: /actuator/health port: 8080 readinessProbe: grpc: port: 5000 startupProbe: exec: command: [ "stat", "/opt/jboss/wildfly/tmp/startup-marker"] initialDelaySeconds: 30 periodSeconds: 60 failureThreshold: 15 28
  4. Sidecar • Runtime collaboration of containers • Connected via shared

    resources: ◦ Network ◦ Volumes • Similar what AOP is for programming • Separation of concerns 25
  5. • Dedicated sidecar containers (since 1.29, beta): ◦ initContainers[].restartPolicy ==

    Always ◦ Continues to run after init containers have finished ◦ Supports probes 23 Startup Order
  6. Out-of-Application Locking • ReplicaSet with (at least) 1 replica •

    Highly available Pod which is monitored and restarted in case of failures • Favors availability over consistency → more than one Pod can exists temporarily • StatefulSet with (at most) 1 replica • Favors consistency over availability • Favors availability over consistency → less than one Pod can exists temporarily 21
  7. In-Application Locking • Distributed lock shared by simultaneously running applications

    • Active-Passive topology • Distributed lock implementations e.g. ◦ Zookeeper ◦ Consul ◦ Redis ◦ etcd, ◦ Kubernetes ConfigMaps, Lease resource 19
  8. Distributed lock API 18 ✖ Lock acquired Waiting for the

    lock curl -X POST http://localhost:3500/v1.0-alpha1/lock/lockstore -H 'Content-Type: application/json' -d ' {"resourceId":"my_file_name", "lockOwner":"abc123", "expiryInSeconds": 60}'
  9. Immutable Configuration • Configuration that can not be changed •

    Different sets of configuration for different environments (dev/prod) • Versioning and auditing for configuration • Solution: Configuration stored in container images ◦ Versioned via tags and digests ◦ Distributed via image registry 17
  10. 13 Directly sharing the container filesystem • Sharing the process

    namespace, including the file system via shareProcessNamespace: true • Technique for directly accessing another containers filesystem via /proc/<pid>/root • Used in modelcars in KServe for accessing large language models
  11. Run Containers with a Non-Root User Forces any container in

    the Pod to run with user ID 1000 and group ID 2000 19 apiVersion: v1 kind: Pod metadata: name: web-app spec: securityContext: runAsUser: 1000 runAsGroup: 2000 containers: - name: app apiVersion: v1 kind: Pod metadata: name: web-app spec: securityContext: runAsNonRoot: true containers: - name: app Prevent any container from starting with a root user—that is, a user with UID 0.
  12. Lock the Capabilities Prevents privilege escalation 19 apiVersion: v1 kind:

    Pod metadata: name: web-server spec: containers: - name: httpd image: httpd securityContext: allowPrivilegeEscalation: false apiVersion: v1 kind: Pod metadata: name: web-server spec: securityContext: capabilities drop: ['ALL'] add: ['NET_BIND_SERVICE'] containers: - name: httpd Reduce capabilities to required ones only
  13. Avoiding a Mutable Container Filesystem Set read only file system

    19 apiVersion: v1 kind: Pod metadata: name: web-server spec: containers: - name: httpd image: httpd securityContext: readOnlyRootFilesystem: true apiVersion: v1 kind: Pod metadata: name: web-server spec: containers: - name: httpd image: httpd securityContext: runAsNonRoot: true allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: - ALL add: ['NET_BIND_SERVICE'] Overview of options we covered:
  14. State Reconciliation • Kubernetes as distributed state manager • Make

    the actual state more like the declared target state. 🔎 Observe - Discover the actual state 🤔 Analyze - Determine difference to target state 🔨 Act- Perform actions to drive the actual to the desired state 8
  15. Definition “” An operator is a Kubernetes controller that understands

    two domains: Kubernetes and something else. By combining knowledge of both areas, it can automate tasks that usually require a human operator that understands both domains. Jimmy Zelinskie http://bit.ly/2Fjlx1h Operator = Controller + CustomResourceDefinition 6
  16. CustomResourceDefinition Custom resource is modelling a custom domain and managed

    through the Kubernetes API apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: configwatchers.k8spatterns.io spec: scope: Namespaced group: k8spatterns.io version: v1 names: kind: ConfigWatcher plural: configwatchers validation: openAPIV3Schema: ... 5
  17. CRD Classification • Installation CRDs ◦ Installing and operating applications

    ◦ Backup and Restore ◦ Monitoring and self-healing ◦ Example: Prometheus for installing Prometheus & components • Application CRDs ◦ Application specific domain concepts ◦ Example: ServiceMonitor for registering Kubernetes service to be scraped by Prometheus 3