Containerization PDF
Summary
This document provides an overview of containerization, focusing on Azure Container Instances and Azure Container Apps. It describes how to deploy Docker images to Azure web apps and function apps, as well as the functionalities of Bicep for declarative deployment of Azure resources. The document also introduces AKS clusters and their components, along with cost considerations and definitions for deployment, replica sets, and daemon sets.
Full Transcript
Containers on Azure
- You can deploy Docker images into Azure Web Apps.
- You can deploy Docker images to Azure Function Apps.

Azure Container Instances
- Azure Container Instances is a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs. For scenarios where you need full container orchestration, including service discovery across multiple containers, automatic scaling, and coordinated application upgrades, we recommend Azure Kubernetes Service (AKS).
- Azure Container Instances supports the deployment of multiple containers onto a single host using a container group. A container group is useful when building an application sidecar for logging, monitoring, or any other configuration where a service needs a second attached process.

Azure Container Apps
- Azure Container Apps is a serverless platform that allows you to maintain less infrastructure and save costs while running containerized applications.

Bicep file
- A Bicep file in Azure is a domain-specific language (DSL) used for deploying Azure resources declaratively. Bicep simplifies the authoring experience of Azure Resource Manager (ARM) templates, making it easier to create and manage infrastructure as code (IaC).
- Using the following command you can run the Bicep file:
  az deployment group create --resource-group myResourceGroup --template-file storageAccount.bicep

AKS Cluster
- An AKS cluster is divided into two main components: the control plane and the nodes.
- The control plane (master node) is managed by Azure.

Node pools
- You can have multiple node pools, which are separate and isolated deployments of VMs within the cluster. This way you can set up multiple environments within the same cluster and have dedicated, isolated compute resources for different applications. For example: smaller, less expensive VMs for development and better ones for production.

Pods
- A pod is a group of one or more containers that share the same network and storage resources, plus a specification for how to run the containers.
- Pods typically have a 1:1 mapping with a container, but you can run multiple containers in a pod.

Cluster components
- kube-apiserver: the API server exposes the Kubernetes API to enable requests to the cluster from inside and outside of the cluster.
- etcd: a highly available key-value store that maintains the state and configuration of your Kubernetes cluster.
- kube-scheduler: the scheduler makes scheduling decisions, watching for new pods with no assigned node and selecting a node for them to run on.
- kube-controller-manager: runs controller processes, such as noticing and responding when nodes go down.
- cloud-controller-manager: embeds cloud-specific control logic to run controllers specific to the cloud provider.
- kubelet: a Linux service that runs on each worker node to ensure that the containers of a pod are running. Get the kubelet logs with this command: journalctl -u kubelet -o cat
- kube-proxy: a network proxy that maintains network rules on the nodes.
- container runtime: manages the execution and lifecycle of containers.

Node resource group
- When you create an AKS cluster in an Azure resource group, the AKS resource provider automatically creates a second resource group called the node resource group. This resource group contains all the infrastructure resources associated with the cluster, including virtual machines (VMs), virtual machine scale sets, and storage.

Cost
- For cost you should consider these:
  - Right-size the node pool: Standard_B2s is cheaper than Standard_D2s_v3.
  - Stop the cluster (manually) when it is not needed.
  - Use spot VMs.
  - Use virtual nodes, which allow burstable scaling of the backend.

Definitions
- Deployment: an object that controls the behaviour of a set of similar pods. We can specify how many instances of the pod we want. Features include: scaling using replicas, zero-downtime updates, self-healing, and distribution across nodes for availability. When we create a Deployment, another Kubernetes object called a ReplicaSet gets created.
- ReplicaSet: ensures that a specific number of pod replicas are running at any time, even in the event of failure. It automatically creates a new pod if one fails.
- DaemonSet: a type of controller that ensures a specific pod runs on all nodes or on a specific subset of nodes.
  - Key features of a DaemonSet:
    - One pod per node: ensures that exactly one pod runs on every node (or a specific group of nodes) in the cluster.
    - Automatic scheduling: when new nodes are added to the cluster, the DaemonSet automatically schedules the required pods on the new nodes.
    - Node-specific work: useful for tasks that require direct interaction with the node, such as collecting logs, monitoring resources, or running services like networking agents.
    - Common use cases: monitoring agents, networking or storage plugins.
- ClusterIP Service
- NodePort Service
- LoadBalancer Service
- Secret, ConfigMap
- Namespace

Commands
- Install kubectl and get the cluster credentials using the following commands:
  (1) az aks install-cli
  (2) az aks get-credentials --resource-group YourRG --name AKS-Service-Name #merge the cluster into the kubeconfig as the current context
- kubectl run <pod-name> --image <image> #creates a pod based on the image
- kubectl get node
- kubectl get pod
- kubectl get pod -A #get pods from all namespaces, including the system pods
- kubectl get pod -o wide #more details
- kubectl describe node <node-name>
- kubectl exec -it <pod-name> -- bash #bash inside the pod (with access only to the app)
- kubectl debug node/<node-name> -it --image=mcr.microsoft.com/dotnet/runtime-deps:7.0 #shell with access to the node underlying the pods (e.g. the iptables command)
- kubectl get cm #get ConfigMaps
- kubectl get secret/deploy/svc
- kubectl get rs/ds #get ReplicaSets/DaemonSets
- kubectl logs --namespace kube-system --selector <label=value> -f
- kubectl top pod/node #see resource consumption (requires metrics-server)
- kubectl create deploy <name> --image <image>
- kubectl expose deploy|pod|svc <name> --name <service-name> --type LoadBalancer|ClusterIP|NodePort --port 80 #expose a resource as a new Kubernetes Service
- Using an imperative (step-by-step) command you can build a YAML file, which is the declarative form:
  kubectl create deployment nginx-dryrun --image nginx --replicas 2 --dry-run=client -o yaml

Connect directly to the Kubernetes API
- kubectl proxy #creates a local proxy to directly access the Kubernetes API
- e.g. http://localhost:8001/api/v1/namespaces/default/pods will give you the pods
- http://localhost:8001/api/v1/nodes/<node-name>/proxy/configz will give you the config of the node
- A command like "kubectl get node" calls such an API under the hood.

Node-Shell plugin
- A third-party plugin that is installed using this command: kubectl krew install node-shell
- kubectl node-shell <node-name> #gives you shell access to the node
- journalctl -u kubelet -o cat #get the kubelet log after getting inside the node with node-shell
- systemctl status kubelet #get the status of kubelet after node-shell

Worker node's side
- If you describe any of these components (command: kubectl describe deploy coredns -n kube-system) you will see mode=Reconcile as their label, which tells you that if you delete them, they will be automatically recreated.
- azure-ip-masq-agent:
  - Implemented as a DaemonSet and acts as an IP masquerading agent using IP masquerade rules.
  - By default, the Azure IP Masq Agent masquerades the IP addresses of outgoing traffic for external destinations (like the internet).
  - You can configure the nonMasqueradeCIDRs to exclude specific IP ranges, ensuring that traffic within those ranges keeps its original pod IPs.
- cloud-node-manager:
  - Annotates and labels the nodes.
  - Gets the node's hostname and network address.
  - Verifies the health of the node.
  - Updates the nodes with the system's unique identifier from the cloud provider.
- core-dns + core-dns-autoscaler: DNS service.
- csi-azuredisk-node & csi-azurefile-node:
  - CSI (Container Storage Interface) is a standard used for providing storage services to containerized applications; AKS adopted it to write, deploy and iterate plugins that expose new and improved storage systems.
  - CSI allows AKS to avoid touching Kubernetes core code and waiting for its release cycles.
- konnectivity-agent: enables the API server to establish network connections to the worker nodes for things like health checks and managing pod and node status.
- kube-proxy: pods are ephemeral, that is, they get recreated. It is recommended to expose the pods through kube-proxy (a Service) rather than by pod IP. kube-proxy configures the iptables rules on each node to forward traffic to the pods.
- Route table: the route table is used to distribute the traffic from the pods to the nodes.

Infrastructure resource group
- The Azure resources inside the node resource group should be customized through the AKS node pool. That means that if, for example, you want to enable autoscaling for your nodes, you should not go to the virtual machine scale set and enable it there. Instead, you should enable the cluster autoscaler at the AKS level and let it control the behavior of your virtual machine scale set.
- You shouldn't make any outbound rule changes directly on the load balancer; instead it should be done through the AKS cluster.
- Do not modify the nodes using IaaS APIs (ex. 1: do not go to the VMSS and resize it; ex. 2: do not create a new VM or delete one directly, but do this with the help of the node pool; ex. 3: do not implement autoscaling at the VM level, but use the cluster autoscaler at the AKS level).
- You can use NRG Lockdown to prevent direct resource modification of the node resource group through a deny assignment at the node resource group level. The deny assignment is added to IAM with an exclusion for the system-assigned managed identity that represents the identity of our AKS cluster.

Kubeconfig
- It contains info about the cluster such as the API endpoint, the CA certificate and the authentication credentials.
- It can contain multiple contexts, each with its own cluster, user and namespace configuration.
- kubectl config get-contexts #list all contexts and the current context
- cat ~/.kube/config #shows the content of the kubeconfig file
- kubectl config use-context <context-name>
- The Kubernetes extension will do all of these visually.
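The Deployment, ReplicaSet and DaemonSet definitions above describe what the controllers guarantee (a fixed replica count that survives failures, one pod per matching node, automatic scheduling onto new nodes). The following is an added example, not Kubernetes or AKS code: a toy reconciliation loop over an in-memory cluster that computes the create/delete actions each controller would take. The nodes, pods and label names are constructed sample data; the `pool` label and the spread-by-least-loaded-node rule are assumptions for the illustration.

```python
"""Toy ReplicaSet / DaemonSet reconciliation over an in-memory cluster.

Added example for the Definitions notes; not Kubernetes controller code.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    labels: dict = field(default_factory=dict)  # assumed label scheme: {"pool": ...}
    ready: bool = True


@dataclass
class Pod:
    name: str
    owner: str   # name of the ReplicaSet or DaemonSet that owns the pod
    node: str
    healthy: bool = True


# Constructed sample cluster: n2 is ready but n9 (referenced by a pod) no longer exists.
NODES = [Node("n1", {"pool": "user"}), Node("n2", {"pool": "user"}), Node("n3", {"pool": "system"})]
PODS = [
    Pod("web-a", "web", "n1"),
    Pod("web-b", "web", "n1", healthy=False),   # crashed replica, must be replaced
    Pod("web-c", "web", "n2"),
    Pod("agent-n1", "agent", "n1"),
    Pod("agent-gone", "agent", "n9"),           # orphan left on a node that was removed
]


def reconcile_replicaset(name: str, desired: int, pods: list[Pod], nodes: list[Node]) -> dict:
    """Actions needed so that exactly `desired` healthy replicas of `name` exist.

    Unhealthy pods and pods on unavailable nodes are deleted and replaced; new
    replicas go to the ready node with the fewest replicas (spread for availability).
    """
    ready_nodes = {n.name for n in nodes if n.ready}
    mine = [p for p in pods if p.owner == name]
    dead = [p for p in mine if not p.healthy or p.node not in ready_nodes]
    alive = [p for p in mine if p not in dead]
    actions = {"delete": [p.name for p in dead], "create": []}

    per_node = {n: 0 for n in ready_nodes}
    for p in alive:
        per_node[p.node] += 1
    seq = 0
    while len(alive) + len(actions["create"]) < desired and per_node:
        target = min(sorted(per_node), key=lambda n: per_node[n])
        per_node[target] += 1
        seq += 1
        actions["create"].append((f"{name}-new-{seq}", target))
    if len(alive) > desired:                      # scale-down: drop the surplus
        actions["delete"] += [p.name for p in alive[desired:]]
    return actions


def reconcile_daemonset(name: str, node_selector: dict, pods: list[Pod], nodes: list[Node]) -> dict:
    """Actions needed so that every node matching `node_selector` runs exactly one healthy pod."""
    wanted = {n.name for n in nodes
              if all(n.labels.get(k) == v for k, v in node_selector.items())}
    by_node: dict[str, list[Pod]] = {}
    for p in (p for p in pods if p.owner == name):
        by_node.setdefault(p.node, []).append(p)

    # New or pod-less matching nodes get a pod automatically.
    create = [(f"{name}-{n}", n) for n in sorted(wanted)
              if not any(p.healthy for p in by_node.get(n, []))]
    delete = []
    for node, group in by_node.items():
        if node not in wanted:                    # node gone or no longer selected
            delete += [p.name for p in group]
            continue
        healthy = [p for p in group if p.healthy]
        delete += [p.name for p in group if not p.healthy]
        delete += [p.name for p in healthy[1:]]   # keep exactly one per node
    return {"create": create, "delete": sorted(delete)}


def demo_replicaset() -> dict:
    return reconcile_replicaset("web", 3, PODS, NODES)


def demo_daemonset() -> dict:
    return reconcile_daemonset("agent", {"pool": "user"}, PODS, NODES)


if __name__ == "__main__":
    print("ReplicaSet web (3 replicas):", demo_replicaset())
    print("DaemonSet agent (pool=user):", demo_daemonset())
```

Running the module prints the ReplicaSet replacing the crashed `web-b` on the least-loaded node and the DaemonSet cleaning up the orphan on the vanished node while scheduling a pod on `n2`; appending a new `pool=user` node to `NODES` shows the automatic scheduling onto new nodes.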
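The note on the imperative-to-declarative workflow shows `kubectl create deployment ... --dry-run=client -o yaml` producing a manifest. The plain output of that command carries no pod security settings, so the added example below (not kubectl's code) builds the same Deployment structure for the `nginx-dryrun`/`nginx` case and optionally adds a hardened baseline, plus a checker that lists which of those fields a manifest lacks. The output is JSON, which `kubectl apply -f` accepts like YAML; the specific securityContext and resource values are assumptions about a reasonable baseline, not AKS defaults.

```python
"""Build a Deployment manifest (as --dry-run would) and audit it for hardening gaps.

Added example for the imperative/declarative note; not kubectl code.
"""
from __future__ import annotations

import json

# Assumed hardening baseline; values are illustrative, not AKS defaults.
HARDENED_SECURITY_CONTEXT = {
    "runAsNonRoot": True,
    "allowPrivilegeEscalation": False,
    "readOnlyRootFilesystem": True,
    "capabilities": {"drop": ["ALL"]},
}
DEFAULT_RESOURCES = {"requests": {"cpu": "100m", "memory": "128Mi"},
                     "limits": {"cpu": "500m", "memory": "256Mi"}}


def deployment_manifest(name: str, image: str, replicas: int, harden: bool = False) -> dict:
    """Mirror `kubectl create deployment NAME --image IMAGE --replicas N`.

    kubectl names the container after the image (registry path and tag stripped);
    with harden=True the assumed baseline fields are added on top.
    """
    container = {"name": image.split("/")[-1].split(":")[0], "image": image}
    pod_spec = {"containers": [container]}
    if harden:
        container["securityContext"] = dict(HARDENED_SECURITY_CONTEXT)
        container["resources"] = DEFAULT_RESOURCES
        pod_spec["automountServiceAccountToken"] = False  # no API token unless needed
    labels = {"app": name}
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": name, "labels": labels},
        "spec": {
            "replicas": replicas,
            "selector": {"matchLabels": labels},
            "template": {"metadata": {"labels": labels}, "spec": pod_spec},
        },
    }


def missing_hardening(manifest: dict) -> list[str]:
    """List baseline fields absent from a Deployment, e.g. the raw --dry-run output."""
    gaps = []
    pod = manifest["spec"]["template"]["spec"]
    if pod.get("automountServiceAccountToken", True):
        gaps.append("pod: automountServiceAccountToken not disabled")
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        if not sc.get("runAsNonRoot"):
            gaps.append(f"{c['name']}: runAsNonRoot not set")
        if sc.get("allowPrivilegeEscalation", True):
            gaps.append(f"{c['name']}: allowPrivilegeEscalation not disabled")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            gaps.append(f"{c['name']}: capabilities not dropped")
        if "limits" not in c.get("resources", {}):
            gaps.append(f"{c['name']}: no resource limits")
    return gaps


def to_manifest(obj: dict) -> str:
    """Serialize for `kubectl apply -f -` (JSON is accepted alongside YAML)."""
    return json.dumps(obj, indent=2)


if __name__ == "__main__":
    raw = deployment_manifest("nginx-dryrun", "nginx", 2)
    print("gaps in dry-run style manifest:", missing_hardening(raw))
    print(to_manifest(deployment_manifest("nginx-dryrun", "nginx", 2, harden=True)))
```

One caveat when applying the hardened variant with the stock `nginx` image: that image starts as root, so `runAsNonRoot: true` will keep the container from starting; use an unprivileged image variant or adjust the baseline for the workload.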
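The azure-ip-masq-agent notes above state the rule: destinations inside `nonMasqueradeCIDRs` see the original pod IP, everything else (such as the internet) is masqueraded to the node IP. The added example below is not the agent's code; it applies that rule to a constructed ConfigMap so you can check, before changing the CIDR list, which destinations will stop seeing node IPs (which matters for firewall rules and logs keyed on node addresses). The `nonMasqueradeCIDRs` key is from the notes; `masqLinkLocal` is the upstream ip-masq-agent key for the link-local range, and the CIDR values are made-up sample data.

```python
"""Predict masquerade (SNAT) decisions from an ip-masq-agent style config.

Added example for the azure-ip-masq-agent notes; not the agent's code.
"""
from __future__ import annotations

import ipaddress
import json

# Constructed sample of the agent's config data; pod CIDR and VNet range are made up.
SAMPLE_CONFIG = json.dumps({
    "nonMasqueradeCIDRs": ["10.244.0.0/16", "10.0.0.0/16"],
    "masqLinkLocal": False,
})

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # hosts the Azure IMDS endpoint


def load_config(raw: str) -> dict:
    """Parse the config; a CIDR with host bits set is a config error and raises ValueError."""
    cfg = json.loads(raw)
    nets = [ipaddress.ip_network(c) for c in cfg.get("nonMasqueradeCIDRs", [])]
    return {"non_masq": nets, "masq_link_local": bool(cfg.get("masqLinkLocal", False))}


def is_masqueraded(dst: str, cfg: dict) -> bool:
    """True when egress to `dst` leaves the node with the node IP instead of the pod IP."""
    ip = ipaddress.ip_address(dst)
    if ip in LINK_LOCAL and not cfg["masq_link_local"]:
        return False   # link-local is left alone unless masqLinkLocal is enabled
    return not any(ip in net for net in cfg["non_masq"])


def audit(cfg: dict, destinations: list[str]) -> dict[str, str]:
    """Summarize the decision for each destination of interest."""
    return {d: ("SNAT to node IP" if is_masqueraded(d, cfg) else "keeps pod IP")
            for d in destinations}


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for dst, verdict in audit(cfg, ["8.8.8.8", "10.244.3.7", "10.0.1.4", "169.254.169.254"]).items():
        print(f"{dst:>16}  {verdict}")
```

Widening `nonMasqueradeCIDRs` to a range that is not routable back to the pods (the extreme case being `0.0.0.0/0`) silently breaks egress, so running the audit against the peered and on-premises ranges before applying a ConfigMap change is a cheap check.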
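The Kubeconfig notes list what the file holds (API endpoint, CA certificate, credentials) and that it can carry several contexts. The added example below is not kubectl's code: it reproduces what `kubectl config get-contexts` reports and then audits each context for the settings a reviewer of a shared kubeconfig looks for (TLS verification disabled, no CA pinned, long-lived client certificates or static tokens embedded rather than an exec plugin). The sample kubeconfig is constructed and written as JSON, a YAML subset that kubectl reads, so only the standard library is needed; the cluster names, servers and credential blobs are made up.

```python
"""List kubeconfig contexts and flag weak cluster/user settings.

Added example for the Kubeconfig notes; not kubectl code.
"""
from __future__ import annotations

import json

# Constructed sample kubeconfig (JSON form). Names, hosts and blobs are made up.
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1",
    "kind": "Config",
    "current-context": "aks-prod",
    "clusters": [
        {"name": "aks-prod", "cluster": {"server": "https://prod.example.invalid:443",
                                         "certificate-authority-data": "LS0tEXAMPLE"}},
        {"name": "aks-dev", "cluster": {"server": "https://dev.example.invalid:443",
                                        "insecure-skip-tls-verify": True}},
    ],
    "users": [
        {"name": "prod-user", "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1beta1",
                                                "command": "kubelogin"}}},
        {"name": "dev-admin", "user": {"client-certificate-data": "LS0tEXAMPLE",
                                       "client-key-data": "LS0tEXAMPLE"}},
    ],
    "contexts": [
        {"name": "aks-prod", "context": {"cluster": "aks-prod", "user": "prod-user", "namespace": "payments"}},
        {"name": "aks-dev", "context": {"cluster": "aks-dev", "user": "dev-admin"}},
    ],
})


def load_kubeconfig(raw: str) -> dict:
    return json.loads(raw)


def _by_name(items: list[dict], key: str) -> dict:
    return {i["name"]: i[key] for i in items}


def get_contexts(cfg: dict) -> list[dict]:
    """Same columns as `kubectl config get-contexts`; namespace defaults to 'default'."""
    current = cfg.get("current-context")
    return [{"name": c["name"],
             "cluster": c["context"]["cluster"],
             "user": c["context"]["user"],
             "namespace": c["context"].get("namespace", "default"),
             "current": c["name"] == current}
            for c in cfg.get("contexts", [])]


def audit_context(cfg: dict, name: str) -> list[str]:
    """Findings for one context, prefixed 'warn:' or 'info:'."""
    ctx = _by_name(cfg["contexts"], "context")[name]
    cluster = _by_name(cfg["clusters"], "cluster")[ctx["cluster"]]
    user = _by_name(cfg["users"], "user")[ctx["user"]]
    out = []
    if cluster.get("insecure-skip-tls-verify"):
        out.append("warn: insecure-skip-tls-verify is set; the API server identity is not checked")
    elif not (cluster.get("certificate-authority") or cluster.get("certificate-authority-data")):
        out.append("warn: no CA configured; kubectl falls back to the system trust store")
    if "client-certificate-data" in user or "client-certificate" in user:
        out.append("warn: static client certificate embedded; long-lived and Kubernetes cannot revoke it")
    if "token" in user:
        out.append("warn: static bearer token embedded in the kubeconfig")
    if "exec" in user:
        out.append(f"info: exec plugin '{user['exec'].get('command')}' supplies short-lived credentials")
    return out


def warnings_for(cfg: dict, name: str) -> list[str]:
    return [f for f in audit_context(cfg, name) if f.startswith("warn:")]


if __name__ == "__main__":
    cfg = load_kubeconfig(SAMPLE_KUBECONFIG)
    for ctx in get_contexts(cfg):
        marker = "*" if ctx["current"] else " "
        print(f"{marker} {ctx['name']:<10} {ctx['cluster']:<10} {ctx['user']:<10} {ctx['namespace']}")
        for finding in audit_context(cfg, ctx["name"]):
            print("    ", finding)
```

To run it against a real file, replace `SAMPLE_KUBECONFIG` with the contents of `~/.kube/config` converted to JSON (or add a YAML parser); the `aks-dev` context in the sample shows the two findings that most often survive in copied-around kubeconfigs.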