Over the past few months I’ve been trying to learn everything there is to know about Kubernetes. Kubernetes is an amazing technology for deploying and scaling containers though it comes with a cost. It’s an incredibly complex piece of software and there are a ton of bells and whistles to become familiar with. One way that I’ve found for coming up to speed is Joe Beda’s weekly TGIK live broadcast. This occurs each Friday at 4PM EST and is CHOCK full of fantastic information. In episode twenty-eight Joe discusses running cockroachdb in a statefulset. You can watch it here:
Here are some of my takeaways from the episode:
- Dave Cheney from Heptio put out an amazing article on deploying web applications with contour and Let’s Encrypt.
- Joe put out an awesome blog post on securing the Kubernetes dashboard. This was a follow up to his killer TGIK on dashboard security.
- Joe mentioned Ahmet’s Debugging “FROM scratch” on Kubernetes article. Added this to my reading queue. Looks awesome!
- Stateful sets allow you to run stateful applications inside Kubernetes.
- Stateful workloads have a persistent storage requirement which can typically be solved through the use of persistent volumes and persistent volume claims.
- Persistent volumes have three types of access modes:
  - ReadWriteOnce volumes can be mounted as read-write by a single node.
  - ReadOnlyMany volumes can be mounted read-only by several nodes.
  - ReadWriteMany volumes can be mounted read-write by several nodes.
- Pods in a statefulset have a unique ordinal index and a stable network identity.
- Deleting a stateful set doesn’t necessarily delete the PVs and PVCs associated with it.
- The persistent volume reclaim policy controls what happens to PVs when the resources using them are deleted.
- Three types of reclaim policies:
- Topology Aware Volume Scheduling will be available in Kubernetes 1.10. This allows the scheduler to take volume constraints (region, zone, etc.) into consideration.
- Cockroach was inspired by the Google Spanner project.
- Roles are specific to the namespace they are deployed to. These can provide more fine-grained security.
- Pod disruption budgets can be used to ensure that there is never more than maxUnavailable pods down at a time.
- Pod affinities allow you to tell the scheduler if pods should be scheduled together or isolated from each other.
- Cockroachdb will be adding liveness / readiness checks to the next release.
- You can view certificate signing requests with the kubectl get csr command:
    kubectl get csr
- You can describe the contents of a certificate signing request with kubectl describe csr:
    kubectl describe csr default.node.cockroachdb-0
- You can approve a certificate signing request with kubectl certificate approve:
    kubectl certificate approve default.node.cockroachdb-0
- Cockroachdb has some UNREAL debugging and visibility data.
- Cockroachdb ships with 2 services:
  - One for the public to use.
  - One for internal cluster communication.
- The public cockroachdb service will funnel requests to all of the pods. An A record is also created with the IPs of all of the database members.
- Raft is a consensus algorithm that allows a group of nodes to agree on a shared value or state.
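The CSR steps above approve a node certificate by name alone, so here is an added example (my own, not from the episode or the CockroachDB project) of the checks worth running over `kubectl get csr -o json` before issuing `kubectl certificate approve`: the CSR is still pending, its name is `<namespace>.node.<statefulset>-<ordinal>`, the requester is the expected service account, and it asks for nothing beyond node key usages. The service account name, the allowed usage set and the sample CSR objects are assumptions constructed for the example.

```python
"""Check CockroachDB node CSRs before approving them (added example, not from the post)."""
import json
import re
# Name shape used by the CockroachDB secure manifests: <namespace>.node.<pod-name>
CSR_NAME_RE = re.compile(r"^(?P<ns>[a-z0-9-]+)\.node\.(?P<pod>[a-z0-9-]+)$")
# Assumption: the only key usages we are willing to sign for a node certificate.
ALLOWED_USAGES = {"digital signature", "key encipherment", "server auth", "client auth"}

def csr_decision(item, namespace, statefulset, expected_user):
    """Return (approve, reason) for one item of `kubectl get csr -o json`."""
    name, spec = item["metadata"]["name"], item.get("spec", {})
    conditions = item.get("status", {}).get("conditions", [])
    if any(c.get("type") in ("Approved", "Denied") for c in conditions):
        return False, "already decided"
    m = CSR_NAME_RE.match(name)
    if not m or m.group("ns") != namespace:
        return False, "name is not <namespace>.node.<pod> for this namespace"
    if not re.fullmatch(re.escape(statefulset) + r"-\d+", m.group("pod")):
        return False, "pod is not an ordinal member of the statefulset"
    if spec.get("username") != expected_user:
        return False, f"unexpected requester {spec.get('username')!r}"
    extra = set(spec.get("usages", [])) - ALLOWED_USAGES
    if extra:
        return False, f"disallowed usages {sorted(extra)}"
    return True, "ok"

def review_csrs(doc, namespace="default", statefulset="cockroachdb",
                expected_user="system:serviceaccount:default:cockroachdb"):
    """Map CSR name -> (approve, reason) for every CSR in the JSON document."""
    return {i["metadata"]["name"]: csr_decision(i, namespace, statefulset, expected_user)
            for i in json.loads(doc)["items"]}

def approve_commands(decisions):
    """`kubectl certificate approve` lines for the CSRs that passed every check."""
    return [f"kubectl certificate approve {n}" for n, (ok, _) in sorted(decisions.items()) if ok]

def _csr(name, user, usages, cond=None):
    # Build one constructed CSR object shaped like the API's CertificateSigningRequest.
    item = {"metadata": {"name": name}, "spec": {"username": user, "usages": usages}}
    return {**item, "status": {"conditions": [{"type": cond}]}} if cond else item

SA, USAGES = "system:serviceaccount:default:cockroachdb", sorted(ALLOWED_USAGES)
# Constructed sample in the shape of `kubectl get csr -o json`; not real cluster output.
SAMPLE = json.dumps({"items": [
    _csr("default.node.cockroachdb-0", SA, USAGES),                      # pending, clean
    _csr("default.node.cockroachdb-1", SA, USAGES, cond="Approved"),     # already approved
    _csr("default.node.cockroachdb-2", "system:serviceaccount:kube-system:default", USAGES),
    _csr("default.node.cockroachdb-3", SA, USAGES + ["cert sign"]),      # asks to be a CA
    _csr("default.node.cockroachdb-evil", SA, USAGES),                   # not an ordinal pod
]})
```

Against the sample only `default.node.cockroachdb-0` survives, so `approve_commands(review_csrs(SAMPLE))` yields the single approve line; the others are held with a reason you can read in the output.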
Things I need to learn more about:
- Need to sit down and read the RAFT spec.
- Need to play around with cockroachdb. It looks pretty incredible!
This article was posted by Matty on 2018-03-03 18:00:00 -0500 EST