* Pods
Pods are the most atomic item OpenShift/K8s manages, but a Pod can
contain multiple containers, for example so-called "sidecars", which are
typically agents for backup, monitoring, log shipping etc. All
containers of a Pod share the Pod's network namespace (one IP address,
a shared localhost), so a sidecar sits on the same network endpoint as
the main application.

#+begin_src ditaa :file pods-1.png :cmdline -E -s 0.8
  Pod <- most atomic K8s item
+------------------------------------+
|  Container     Container           |
| +--------+  +------------------+   |
| | apache |  | Monitoring Agent |   |
| | (main) |  | (side car)       |   |
| +--------+  +------------------+   |
|                                    |
+------------------------------------+

     ^                  ^
     |                  |
  apache image    Monitoring image
#+end_src

#+results:
[[file:pods-1.png]]

If you log in to a node with "oc debug node/<nodename>" and "chroot
/host", you can list all containers on that node with "crictl ps -a"
(the -a also shows exited containers, e.g. the earlier attempts of a
restarted container) and you will see multiple containers per pod:

-> main app container
-> side car container

The pod sandbox itself (the infra/"pause" container that holds the
shared namespaces) is not listed by "crictl ps" but by "crictl pods";
the POD ID column of "crictl ps" tells you which sandbox a container
belongs to.


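Added example (not from these notes): a small Python parser for the
"crictl ps -a" listing described above that groups containers by pod,
so you can see at a glance which pod a sidecar belongs to and which
containers have exited. The sample output is constructed here;
container IDs, images and pod names are made up, and the format
assumed is crictl's default table, where columns are separated by at
least two spaces while a value such as "2 hours ago" contains only
single spaces.

```python
import re
from collections import defaultdict

# Constructed sample of what "crictl ps -a" prints on a node after
# "oc debug node/<nodename>" and "chroot /host". Not captured from a real
# cluster; image names, IDs and pod names are made up. crictl separates
# columns by two or more spaces, while a value like "2 hours ago" has only
# single spaces, so the parser splits on runs of at least two spaces.
CRICTL_PS_OUTPUT = """\
CONTAINER      IMAGE                              CREATED       STATE    NAME              ATTEMPT  POD ID         POD
7b1e0c9d2f3a4  quay.io/example/httpd:2.4          2 hours ago   Running  apache            1        c0ffee0000001  web-7d9f8b6c5-x2kq9
8c2f1d0e3a4b5  quay.io/example/monitor-agent:1.3  2 hours ago   Running  monitoring-agent  0        c0ffee0000001  web-7d9f8b6c5-x2kq9
9d3a2e1f4b5c6  quay.io/example/httpd:2.4          3 hours ago   Exited   apache            0        c0ffee0000001  web-7d9f8b6c5-x2kq9
a4b5c6d7e8f90  quay.io/example/node-exporter:1.6  5 hours ago   Running  node-exporter     0        c0ffee0000002  node-exporter-q7zl4
"""


def parse_crictl_ps(text):
    """Turn the tabular output into one dict per container, keyed by header name."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[1:]:
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(header):
            raise ValueError(f"unexpected column count in line: {line!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def containers_by_pod(rows):
    """Group containers by the pod sandbox they belong to (POD ID + pod name)."""
    pods = defaultdict(list)
    for row in rows:
        pods[(row["POD ID"], row["POD"])].append(row)
    return dict(pods)


def summarize(text):
    """Per pod: which containers run, which have exited, and how often the
    kubelet restarted something (ATTEMPT counts from 0 for the first start)."""
    summary = {}
    for (pod_id, pod_name), ctrs in containers_by_pod(parse_crictl_ps(text)).items():
        summary[pod_name] = {
            "pod_id": pod_id,
            "running": sorted(c["NAME"] for c in ctrs if c["STATE"] == "Running"),
            "exited": sorted(c["NAME"] for c in ctrs if c["STATE"] == "Exited"),
            "restarts": max(int(c["ATTEMPT"]) for c in ctrs),
        }
    return summary


if __name__ == "__main__":
    for pod, info in summarize(CRICTL_PS_OUTPUT).items():
        print(pod, info)
```

On a real node you would pipe "crictl ps -a" into this instead of the
constructed string; the exited "apache" with ATTEMPT 0 next to the
running one with ATTEMPT 1 is exactly what a container restart looks
like there.
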
* RBAC
Keep in mind:
by using "oc adm policy add-cluster-role-to-user" or "oc policy
add-role-to-user" you are NOT attaching a role to the user object, you
create a new object called "ClusterRoleBinding" (cluster scope, so it
affects all projects) or "RoleBinding" (scoped to one project). The
binding references the role (roleRef) and lists the subjects: users,
groups or service accounts ("-z" for service accounts). A
ClusterRoleBinding always references a ClusterRole; a RoleBinding can
reference a Role of its project or a ClusterRole (e.g. "admin",
"edit", "view"), which then only applies inside that project. So to
find out who may do what, query the bindings, not the users:
"oc get clusterrolebindings -o wide" and "oc get rolebindings -A".

#+begin_src ditaa :file rbac.png :cmdline -E -s 0.8

+----------------+
| User           |-----+
+----------------+     |
+----------------+     |     +--------------------+     +-------------+
| Group          |-----+---->| ClusterRoleBinding |---->| ClusterRole |
+----------------+     |     | or RoleBinding     |     | or Role     |
+----------------+     |     +--------------------+     +-------------+
| ServiceAccount |-----+
+----------------+

#+end_src

#+results:
[[file:rbac.png]]



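Added example, not from these notes: given the bindings as
"oc get clusterrolebindings,rolebindings -A -o json" returns them,
compute which roles a user, group member or service account actually
holds and in which scope, and list who is cluster-admin. The bindings
JSON is constructed for the example (alice, bob, the ops group, the
shop and ci projects are made up) and reduced to the fields the code
reads.

```python
import json

# Constructed output in the shape of
#   oc get clusterrolebindings,rolebindings -A -o json
# reduced to the fields used here. Names (alice, bob, ops, shop, ci) are made up.
BINDINGS_JSON = """
{"items": [
  {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin-alice"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "User", "name": "alice"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-readers"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "Group", "name": "ops"}]},
  {"kind": "RoleBinding", "metadata": {"name": "edit", "namespace": "shop"},
   "roleRef": {"kind": "ClusterRole", "name": "edit"},
   "subjects": [{"kind": "User", "name": "bob"},
                {"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
  {"kind": "RoleBinding", "metadata": {"name": "shop-release", "namespace": "shop"},
   "roleRef": {"kind": "Role", "name": "release-manager"},
   "subjects": [{"kind": "Group", "name": "ops"}]}
]}
"""


def load_bindings(text=BINDINGS_JSON):
    return json.loads(text)


def subject_matches(subject, user, groups):
    """A binding applies if the caller is named directly, is in a listed group,
    or is the service account (service accounts authenticate as the user
    system:serviceaccount:<namespace>:<name>)."""
    kind = subject.get("kind")
    if kind == "User":
        return subject["name"] == user
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False


def effective_roles(bindings, user, groups=()):
    """(scope, role, binding name) for every binding that includes the caller.
    Scope "*" means cluster-wide (ClusterRoleBinding), otherwise the project."""
    found = []
    for b in bindings["items"]:
        if not any(subject_matches(s, user, groups) for s in b.get("subjects", [])):
            continue
        scope = "*" if b["kind"] == "ClusterRoleBinding" else b["metadata"]["namespace"]
        found.append((scope, b["roleRef"]["name"], b["metadata"]["name"]))
    return sorted(found)


def cluster_admins(bindings):
    """Audit helper: every subject that holds cluster-admin at cluster scope.
    A RoleBinding to cluster-admin inside a project is deliberately not counted,
    it only grants that one project."""
    out = set()
    for b in bindings["items"]:
        if b["kind"] == "ClusterRoleBinding" and b["roleRef"]["name"] == "cluster-admin":
            out.update(f"{s['kind']}/{s['name']}" for s in b.get("subjects", []))
    return sorted(out)


if __name__ == "__main__":
    bindings = load_bindings()
    print(effective_roles(bindings, "alice", groups=["ops"]))
    print(cluster_admins(bindings))
```

Note that the group membership has to come from the caller (the
binding only names the group), so pass the groups a user is in; a
user's groups are visible with "oc get groups".
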
* encrypted routes
- edge termination
  router terminates TLS: client -TLS-> router -PLAIN-> pod
  the hop from router to pod is plaintext on the cluster network; the
  certificate and key live in the Route object (or the router's
  default certificate is used)
- passthrough
  router passes the TLS traffic through untouched: client -TLS->...router...-TLS-> pod
  the pod terminates TLS itself and must hold the certificate and key;
  the router only routes on the SNI hostname and cannot inspect or
  rewrite HTTP
- re-encrypt
  router terminates TLS and re-encrypts: client -TLS-> router (re-encrypts) -TLS-> pod
  the router verifies the pod's certificate against
  destinationCACertificate in the Route (if omitted, against the
  service serving certificate CA), so both hops are encrypted

For edge and re-encrypt routes also check insecureEdgeTerminationPolicy:
"Allow" still serves plain HTTP on port 80, "Redirect" sends HTTP
clients to HTTPS, "None" (the default) refuses plain HTTP.


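Added example, not from these notes: a Python check over the output of
"oc get routes -A -o json" that tells, per route, whether each of the
two hops is encrypted and flags the weak settings described above (no
TLS at all, edge termination, insecureEdgeTerminationPolicy: Allow,
re-encrypt without an explicit destination CA). The route objects are
constructed for the example; hostnames, namespaces and the CA
placeholder are made up.

```python
import json

# Constructed output in the shape of "oc get routes -A -o json", reduced to
# the fields used here. Hostnames, namespaces and the CA placeholder are made up.
ROUTES_JSON = """
{"items": [
  {"metadata": {"name": "shop", "namespace": "shop"},
   "spec": {"host": "shop.apps.example.com", "to": {"kind": "Service", "name": "shop"},
            "tls": {"termination": "edge", "insecureEdgeTerminationPolicy": "Allow"}}},
  {"metadata": {"name": "vault", "namespace": "vault"},
   "spec": {"host": "vault.apps.example.com", "to": {"kind": "Service", "name": "vault"},
            "tls": {"termination": "passthrough"}}},
  {"metadata": {"name": "api", "namespace": "shop"},
   "spec": {"host": "api.apps.example.com", "to": {"kind": "Service", "name": "api"},
            "tls": {"termination": "reencrypt", "insecureEdgeTerminationPolicy": "Redirect",
                    "destinationCACertificate": "<constructed PEM of the pod cert CA>"}}},
  {"metadata": {"name": "legacy", "namespace": "shop"},
   "spec": {"host": "legacy.apps.example.com", "to": {"kind": "Service", "name": "legacy"}}}
]}
"""

# Transport of the two hops (client->router, router->pod) per termination type.
# No spec.tls at all means a plain HTTP route.
HOPS = {
    None:          ("plain", "plain"),
    "edge":        ("tls",   "plain"),
    "passthrough": ("tls",   "tls"),
    "reencrypt":   ("tls",   "tls"),
}


def load_routes(text=ROUTES_JSON):
    """Routes keyed by namespace/name."""
    return {f'{r["metadata"]["namespace"]}/{r["metadata"]["name"]}': r
            for r in json.loads(text)["items"]}


def hops(route):
    """(client->router, router->pod) transport for a route."""
    tls = route["spec"].get("tls")
    return HOPS[None if tls is None else tls["termination"]]


def findings(route):
    """What a reviewer would flag on this route; empty list means nothing to flag."""
    tls = route["spec"].get("tls")
    if tls is None:
        return ["no TLS: plaintext from client to pod"]
    out = []
    _client_hop, pod_hop = hops(route)
    if pod_hop == "plain":
        out.append("edge termination: router to pod is plaintext on the cluster network")
    # The API default for insecureEdgeTerminationPolicy is None (plain HTTP refused).
    if tls.get("insecureEdgeTerminationPolicy", "None") == "Allow":
        out.append("insecureEdgeTerminationPolicy=Allow: plain HTTP is served, not redirected")
    if tls["termination"] == "reencrypt" and not tls.get("destinationCACertificate"):
        out.append("reencrypt without destinationCACertificate: pod cert must be "
                   "signed by the service serving CA, which the router trusts by default")
    return out


def audit(text=ROUTES_JSON):
    """namespace/name -> findings for every route in the listing."""
    return {name: findings(r) for name, r in load_routes(text).items()}


if __name__ == "__main__":
    for name, route in load_routes().items():
        print(name, hops(route), findings(route))
```
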
* Operators
Operators are pods acting on your behalf; their service account
typically holds broader RBAC than a normal workload, often at cluster
scope, so audit its bindings like any other admin identity.
They watch events/logs or wait for certain actions and will then run
code:

# read config
Operator (pod) -> K8s REST-API -> Custom Resource (CR) -> etcd

Operator -> events
Operator -> logs

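Added example, not from these notes and not any real operator's code: a
minimal reconcile loop in Python for an imaginary "Cache" custom
resource that shows the pattern above. An event only says which object
changed; the operator re-reads the CR (the config it got through the
API server), compares it with what exists and acts on the difference,
so a second run over the same events does nothing. The CRs, the
observed state and the events are all constructed in the code.

```python
# Constructed custom resources of an imaginary CRD "Cache" (not a real
# operator's CRD), keyed by (namespace, name) the way an operator would
# cache them after reading them through the API server. spec.size is the
# number of replicas the user asked for.
CUSTOM_RESOURCES = {
    ("shop", "session-cache"): {"spec": {"size": 3}},
    ("shop", "catalog-cache"): {"spec": {"size": 1}},
}


def reconcile(key, crs, observed):
    """Level-triggered reconcile: compare the CR (desired) with what exists
    (observed) and return the actions needed to converge. Returns [] when
    there is nothing to do, which is what makes repeated runs harmless."""
    cr = crs.get(key)
    if cr is None:                      # CR is gone: clean up what we own
        return [("delete", key, None)] if key in observed else []
    want = cr["spec"]["size"]
    if key not in observed:
        return [("create", key, want)]
    if observed[key] != want:
        return [("scale", key, want)]
    return []


def apply_actions(actions, observed):
    """Stand-in for the API calls the operator would make (Deployment
    create/update/delete). Only mutates the constructed observed state."""
    for verb, key, want in actions:
        if verb == "delete":
            observed.pop(key, None)
        else:
            observed[key] = want


def handle_events(events, crs, observed):
    """The event only tells the operator which object changed; reconcile
    re-reads the current CR instead of trusting the event payload, so a stale,
    duplicated or replayed event cannot make it act on old data."""
    done = []
    for ev in events:
        actions = reconcile((ev["namespace"], ev["name"]), crs, observed)
        apply_actions(actions, observed)
        done.extend(actions)
    return done


def run_demo():
    # Constructed observed state: replicas of the Deployment the operator
    # manages per Cache. catalog-cache drifted to 2, old-cache has no CR anymore.
    observed = {("shop", "catalog-cache"): 2, ("shop", "old-cache"): 1}
    events = [
        {"type": "ADDED",    "namespace": "shop", "name": "session-cache"},
        {"type": "MODIFIED", "namespace": "shop", "name": "catalog-cache"},
        {"type": "DELETED",  "namespace": "shop", "name": "old-cache"},
    ]
    first = handle_events(events, CUSTOM_RESOURCES, observed)
    second = handle_events(events, CUSTOM_RESOURCES, observed)  # replay: nothing left to do
    return first, second, observed


if __name__ == "__main__":
    first, second, state = run_demo()
    print("first pass:", first)
    print("second pass:", second)
    print("converged state:", state)
```

The verbs in the actions (create, scale, delete on Deployments in the
target projects) are exactly the RBAC an operator like this needs, and
nothing more; that list is what to compare against its ClusterRole.
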
* Command structure for "oc"

The oc command is a variant of "kubectl" (it accepts the kubectl
commands plus OpenShift-specific ones such as "oc project", "oc
new-app" or "oc adm") and is usually structured in up to four words:
- oc
- command verb
- resource type
and optional:
- resource name

Best is to create yourself a table on a sheet of paper and visualize
for yourself that you can combine any command verb with any resource
type! The resource type is written as one word (its short name in
brackets below also works); "oc api-resources" lists all of them with
their short names.

| oc | command verb | resource type                | <resource name>  |
|----+--------------+------------------------------+------------------|
| oc | get          | nodes                        | name of resource |
|    | describe     | pods                         |                  |
|    | delete       | services (svc)               |                  |
|    | edit         | routes                       |                  |
|    |              | replicationcontrollers (rc)  |                  |
|    |              | deploymentconfigs (dc)       |                  |
|    |              | buildconfigs (bc)            |                  |
|    |              | clusteroperators (co)        |                  |
|    |              | clusterversion               |                  |