Olaf Bohlen
2020-04-17 175c1dc093dd964240db36a7b45a81e8654a23cf
initial release
3 files added
do280.org (110 lines added)
pods-1.png
rbac.png
do280.org
New file
@@ -0,0 +1,110 @@
* Pods
Pods are the most atomic item OpenShift/K8s manages, but a Pod can
contain multiple containers such as so called "side cars" which are
typically agents for backup/monitoring/etc.
#+begin_src ditaa :file pods-1.png :cmdline -E -s 0.8
 Pod <- most atomic K8s item
+------------------------------------+
|   Container   Container            |
|  +--------+  +------------------+  |
|  | apache |  | Monitoring Agent |  |
|  | (main) |  | (side car)       |  |
|  +--------+  +------------------+  |
|                                    |
+------------------------------------+
      ^                 ^
      |                 |
 apache image    Monitoring image
#+end_src
#+results:
[[file:pods-1.png]]
If you log in to a node with oc debug node/<nodename> and chroot
/host, you can see all containers by "crictl ps -a" and you will see
multiple containers per pod:
-> pod container
-> main app container
-> side car container
* RBAC
Keep in mind:
by using "oc adm policy add-cluster-role-to-user" or "oc policy
add-role-to-user" you are NOT assigning a role to a user, but you
create a new object called "ClusterRoleBinding" (cluster scope, so
affects all projects) or "RoleBinding" (for a specific project):
#+begin_src ditaa :file rbac.png :cmdline -E -s 0.8
+------+                                                      +-------+
| User |                                                      | Role  |
|      |--------+        +--------------------+         +-----|       |
+------+        +------->| ClusterRoleBinding | <-------+     +-------+
                         |                    |
                         +--------------------+
+-------+                      ^
| Group |----------------------+
|       |
+-------+
#+end_src
#+results:
[[file:rbac.png]]
* encrypted routes
- edge termination
  router terminates TLS: client -TLS-> router -PLAIN-> pod
- passthrough
  router will passthrough the TLS traffic: client -TLS->...router...-TLS-> pod
- re-encrypt
  router will terminate TLS and re-encrypt:   client -TLS-> router(reencrypts) -TLS-> prod
* Operators
Operators are pods running with higher privileges acting on your
behalf:
The monitor events/logs or wait for certain actions and will then run
code:
# read config
Operator (pod) -> K8s REST-API -> Custom Resource (CR) -> etcd
Operator -> events
Operator -> logs
* Command structure for "oc"
The oc command is a variant of "kubectl" and is usually structured in
4 words:
- oc
- command verb
- resource type
and optional:
- resource name
Best is to create yourself a table on a sheet of paper and visualize
for yourself that you can combine any command verb with any resource
type!
| oc | command verb | resource type                | <resource name>  |
|----+--------------+------------------------------+------------------|
| oc | get          | nodes                        | name of resource |
|    | describe     | pods                         |                  |
|    | delete       | services / svc               |                  |
|    | edit         | routes                       |                  |
|    |              | replication controllers / rc |                  |
|    |              | deployment configs / dc      |                  |
|    |              | build configs / bc           |                  |
|    |              | clusteroperators             |                  |
|    |              | clusterversion               |                  |
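Review bot: the re-encrypt line under `* encrypted routes` ends in `-TLS-> prod` while the edge and passthrough lines end in `-> pod`; `prod` reads as a typo for `pod`, and the three lines are easiest to compare when they all describe the same client -> router -> pod path, since the hop inside the cluster (marked `-PLAIN->` only for edge) is the security-relevant difference between the modes. Two smaller points: in `* Operators`, `The monitor events/logs` should read `They monitor events/logs`, and the line `# read config` is an org-mode comment (`# ` at column 0) and will be dropped on export, so indent it or turn it into a list item if it is meant to label the flow below it.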