A stateful cluster

I started with StatefulSet and later switched to the K8s Operator.

Job

In addition to stateless services and StatefulSet, there are batch applications: workloads that run a finite piece of work and then exit. To support such applications, Kubernetes introduced a new resource object, Job.

The Job controller provides two parameters that control how much work is done and how much of it runs at once: completions and parallelism. completions is the total number of Pods that must terminate successfully before the Job is considered complete, and parallelism is the maximum number of Pods the controller runs at the same time.

The Pods a Job controls are ephemeral: each one runs its task once and is not recreated after it succeeds, so a Job can be thought of as a set of containers that each run to completion. For this reason a Job's Pod template must use restartPolicy: Never or OnFailure, not Always.

Later, Kubernetes added CronJob, which creates Jobs on a cron schedule to run tasks periodically.
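The two parameters above, plus the safety limits a practitioner normally sets on a Job, as an added example (not code from the original page). The image, command and names are placeholders chosen for illustration; the Job runs six work items at most two at a time, and the CronJob below it runs the same template nightly.

```yaml
# Added example: a Job with completions/parallelism, and a CronJob wrapping it.
apiVersion: batch/v1
kind: Job
metadata:
  name: report-batch            # placeholder name
spec:
  completions: 6                # total Pods that must succeed
  parallelism: 2                # at most 2 Pods run concurrently
  backoffLimit: 3               # give up after 3 failed Pods (default is 6)
  activeDeadlineSeconds: 600    # kill the whole Job if it runs longer than 10 minutes
  ttlSecondsAfterFinished: 3600 # garbage-collect the finished Job after 1 hour
  template:
    spec:
      restartPolicy: Never      # Job Pods must use Never or OnFailure, never Always
      containers:
        - name: worker
          image: busybox:1.36   # placeholder image
          command: ["sh", "-c", "echo processing item; sleep 5"]
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            allowPrivilegeEscalation: false
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: report-nightly          # placeholder name
spec:
  schedule: "0 2 * * *"         # 02:00 every day, in the controller-manager's time zone
  concurrencyPolicy: Forbid     # skip a run if the previous Job is still running
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      completions: 6
      parallelism: 2
      backoffLimit: 3
      template:
        spec:
          restartPolicy: Never
          containers:
            - name: worker
              image: busybox:1.36
              command: ["sh", "-c", "echo processing item; sleep 5"]
```

Without activeDeadlineSeconds a Job whose Pods hang keeps retrying until backoffLimit is reached, and without ttlSecondsAfterFinished completed Jobs and their Pods accumulate in the namespace. concurrencyPolicy: Forbid is the setting to reach for when the work is not safe to run twice at once.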

ConfigMap

Distributing configuration files is a headache when many replicas are deployed across different machines, so many distributed systems include a configuration center component to solve the problem. But a configuration center usually introduces a new API, which couples the application to it and intrudes on its code. Kubernetes sidesteps this with a simple approach, shown in Figure 1.13:

  1. The user saves the contents of the configuration file in a ConfigMap.
  2. When modeling the application, the user defines the ConfigMap as a special Volume and mounts it into the Pod. When the Pod is scheduled to a Node, the kubelet writes the files from the ConfigMap to a local directory and maps them to the configuration directory specified in the Pod, so the program reads its configuration from ordinary files without knowing about Kubernetes.
  3. After the ConfigMap is modified, the kubelet fetches the new content and updates the corresponding files on the target node. This propagation takes up to the kubelet sync period plus its cache TTL, and it does not happen for files mounted with subPath or for values injected as environment variables; those only change when the Pod is recreated.
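The three steps above in manifest form, as an added example that is not from the original page. The ConfigMap keys, the mount path and the image are placeholders; the container simply re-reads one of the files so the update behaviour in step 3 can be observed.

```yaml
# Added example: a ConfigMap mounted as a volume, with the update caveats noted.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config              # placeholder name
data:
  app.properties: |             # one file per key
    log.level=info
    worker.threads=4
  feature-flags.json: '{"newCheckout": false}'
---
apiVersion: v1
kind: Pod
metadata:
  name: app                     # placeholder name
spec:
  containers:
    - name: app
      image: busybox:1.36       # placeholder image
      # Re-read the file every 30 s: edits to the ConfigMap show up here after the
      # kubelet sync, because the whole directory is mounted (no subPath).
      command: ["sh", "-c", "while true; do cat /etc/app/app.properties; sleep 30; done"]
      volumeMounts:
        - name: config
          mountPath: /etc/app
          readOnly: true        # the program should never write its own config
  volumes:
    - name: config
      configMap:
        name: app-config
        defaultMode: 0440       # file mode inside the container
        # optional defaults to false: the Pod will not start if the ConfigMap is missing
```

Two practitioner notes. First, a ConfigMap is plain text readable by anyone with get access in the namespace, so credentials belong in a Secret, not here. Second, if a ConfigMap must never change under a running Pod, set immutable: true on it; the kubelet then stops watching it, which also reduces API server load in large clusters.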

Secret

Secret addresses the configuration of sensitive information: database usernames and passwords, application certificates, tokens, SSH keys, and other settings that must be kept confidential. Secret data is stored base64-encoded in the API object, which is an encoding, not encryption: anyone who can read the Secret through the API, or read etcd directly, recovers the plaintext. Since Kubernetes 1.7 the API server can additionally encrypt Secrets at rest in etcd when an encryption provider is configured; before that, the base64-encoded data was written to etcd as-is.
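The difference between base64 encoding and encryption at rest, as an added example that is not from the original page. The first two objects are the same Secret written with stringData (plaintext) and with data (what the API stores and returns); the third is a kube-apiserver EncryptionConfiguration. The key shown is 32 zero bytes and is a placeholder only.

```yaml
# Added example: a Secret in both forms, then encryption at rest for Secrets.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials          # placeholder name
type: Opaque
stringData:                     # plaintext on input; the API server stores it as "data"
  username: app
  password: correct-horse-battery-staple
---
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials-encoded  # same values as above, as the API returns them
type: Opaque
data:                           # base64, e.g. `echo -n app | base64` -> YXBw
  username: YXBw
  password: Y29ycmVjdC1ob3JzZS1iYXR0ZXJ5LXN0YXBsZQ==
---
# Passed to kube-apiserver with --encryption-provider-config=<path>.
# The first provider in the list encrypts new writes; every provider listed can
# decrypt, so "identity" must stay at the end to read Secrets written before
# encryption was enabled.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - secretbox:
          keys:
            - name: key1
              # PLACEHOLDER: 32 zero bytes. Generate a real key with
              #   head -c 32 /dev/urandom | base64
              secret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
      - identity: {}
```

After enabling the provider, existing Secrets stay in plaintext until they are rewritten; kubectl get secrets --all-namespaces -o json | kubectl replace -f - forces a rewrite. Note what this does and does not protect: it protects the etcd data files and backups, but not a caller who is authorized to get or list Secrets through the API, so RBAC on the secrets resource matters just as much, and the secretbox key itself lives on the control-plane host; a kms provider keeps the key material outside the node.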

Horizontal Pod Autoscaler (HPA)

HPA automatically increases or decreases the number of Pod replicas. It tracks and analyzes the load of all Pods managed by the target Deployment (or another scalable controller) and decides whether the replica count needs to be adjusted.
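An HPA that scales a Deployment on average CPU utilization, as an added example that is not from the original page. The Deployment name and the thresholds are placeholders.

```yaml
# Added example: scale the "web" Deployment between 2 and 10 replicas on CPU.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: web                     # placeholder name
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: web                   # placeholder Deployment
  minReplicas: 2                # never scale below 2, even when idle
  maxReplicas: 10               # hard ceiling, also a cost and blast-radius cap
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70   # percent of the containers' CPU requests
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300   # wait 5 min of low load before shrinking
```

Utilization is computed against resources.requests.cpu, so every container in the target Pods must declare a CPU request or the HPA cannot compute a value, and the metrics API (typically metrics-server) must be installed for the controller to see load at all.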

VPA

VPA automatically infers and sets reasonable CPU and memory requests for Pods based on observed container resource usage, so that Pods are scheduled more accurately. VPA is a relatively new feature and should not be combined with HPA on the same set of target Pods when HPA scales on CPU or memory, since the two would fight over the same signal.

Storage-related resource objects

Static storage (Volume)

A Volume is a directory defined at the Pod level that the containers in the Pod can share. A Kubernetes Volume is not quite the same as a Docker volume: its lifetime is tied to the Pod rather than to a single container, and it is declared in the Pod spec rather than created by the container runtime.

  1. emptyDir is created empty when the Pod starts and deleted when the Pod goes away; it is used as a temporary directory or as a directory shared between the containers of one Pod.
  2. hostPath mounts a file or directory from the host into the Pod, for data that must survive the Pod or for access to host data. It gives the Pod a view of the node's filesystem, so it is a security risk and is forbidden by the baseline Pod Security Standard.
  3. Public cloud volumes, such as block storage provided by the cloud provider.
  4. Others, including ConfigMap and Secret, which are also mounted as volumes.
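A Pod using the first two volume types, as an added example that is not from the original page, with the hostPath mount narrowed the way a practitioner would narrow it. The image, paths and names are placeholders.

```yaml
# Added example: an in-memory emptyDir plus a read-only, type-checked hostPath.
apiVersion: v1
kind: Pod
metadata:
  name: log-shipper             # placeholder name
spec:
  containers:
    - name: shipper
      image: busybox:1.36       # placeholder image
      command: ["sh", "-c", "tail -F /host-logs/syslog > /scratch/out.txt"]
      volumeMounts:
        - name: scratch
          mountPath: /scratch
        - name: host-logs
          mountPath: /host-logs
          readOnly: true        # the Pod can read node logs but cannot write to the node
  volumes:
    - name: scratch
      emptyDir:
        medium: Memory          # tmpfs; contents count against the container's memory limit
        sizeLimit: 64Mi         # the kubelet evicts the Pod if this is exceeded
    - name: host-logs
      hostPath:
        path: /var/log          # placeholder path; never /, /etc or /var/lib/kubelet
        type: Directory         # refuse to start if the path is not an existing directory
```

A hostPath to / or to the kubelet's state directory is equivalent to root on the node, so it belongs only in system DaemonSets in namespaces exempt from Pod Security Admission; application namespaces should enforce at least the baseline level, which rejects hostPath outright.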

Dynamic storage

Dynamic storage is built from three related objects: PersistentVolume (PV), a piece of storage provisioned in the cluster; StorageClass, which describes a class of storage and the provisioner that creates PVs on demand; and PersistentVolumeClaim (PVC), a request for storage by a user that is bound to a PV and mounted into a Pod.
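How the three objects fit together, as an added example that is not from the original page. The StorageClass assumes the AWS EBS CSI driver purely for illustration; substitute the provisioner and parameters of your cluster.

```yaml
# Added example: StorageClass -> PVC -> Pod. No PV is written by hand; the
# provisioner creates one when the PVC is bound.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: fast-encrypted          # placeholder name
provisioner: ebs.csi.aws.com    # assumed CSI driver; replace for your cluster
parameters:
  type: gp3
  encrypted: "true"             # encrypt the block device at the provider
reclaimPolicy: Delete           # delete the PV (and the disk) when the PVC is deleted
volumeBindingMode: WaitForFirstConsumer   # provision in the zone the Pod lands in
allowVolumeExpansion: true
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data                    # placeholder name
spec:
  accessModes: ["ReadWriteOnce"]
  storageClassName: fast-encrypted
  resources:
    requests:
      storage: 20Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: db                      # placeholder name
spec:
  containers:
    - name: db
      image: busybox:1.36       # placeholder image
      command: ["sh", "-c", "touch /data/started; sleep 3600"]
      volumeMounts:
        - name: data
          mountPath: /data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: data
```

reclaimPolicy is the setting to check before deleting a PVC in production: with Delete the data is gone with the claim, with Retain the PV survives and must be cleaned up by hand.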

Security-related resource objects

Only authenticated users (and service accounts) can query, create and maintain resource objects through the Kubernetes API Server.

A Service Account represents the identity of the Pod's application. Originally the Service Account's credentials were stored in a Secret; since Kubernetes 1.24 the kubelet instead requests a short-lived, bound token for the Pod and no Secret is created automatically. In both cases, when the containers in the Pod are created, Kubernetes writes the identity material (ca.crt, token and namespace) to files at a fixed location in the container, /var/run/secrets/kubernetes.io/serviceaccount. When the process in the container accesses the API Server through a Kubernetes client library, the library reads these files automatically and attaches the token to its HTTPS requests, which the API Server then authenticates.

After authentication passes, the next question is access authorization: what the authenticated identity is allowed to do. That is the problem RBAC (Role-Based Access Control) solves.
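The Service Account and RBAC objects described in the two paragraphs above, as an added example that is not from the original page. The namespace, names and image are placeholders; the point is the least-privilege shape: tokens are not mounted by default, the one Pod that needs the API opts in, and its Role permits exactly one verb on one named object.

```yaml
# Added example: a Service Account with a minimal Role, bound and used by one Pod.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: config-reader           # placeholder name
  namespace: shop               # placeholder namespace
automountServiceAccountToken: false   # Pods using this SA get no token unless they ask
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                      # namespaced; ClusterRole would apply cluster-wide
metadata:
  name: configmap-reader
  namespace: shop
rules:
  - apiGroups: [""]             # core API group
    resources: ["configmaps"]
    resourceNames: ["app-config"]   # only this object, not every ConfigMap
    verbs: ["get"]              # no list/watch, no secrets, no writes
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: config-reader-binding
  namespace: shop
subjects:
  - kind: ServiceAccount
    name: config-reader
    namespace: shop
roleRef:
  kind: Role
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: shop
spec:
  serviceAccountName: config-reader
  automountServiceAccountToken: true   # Pod-level setting overrides the SA default
  containers:
    - name: app
      image: busybox:1.36       # placeholder image
      # The kubelet projects ca.crt, namespace and a bound token under this path;
      # client libraries pick them up without any configuration in the program.
      command: ["sh", "-c", "ls /var/run/secrets/kubernetes.io/serviceaccount; sleep 3600"]
```

Before deploying, check the effective permissions rather than trusting the YAML: kubectl auth can-i get configmaps/app-config -n shop --as=system:serviceaccount:shop:config-reader should answer yes, and the same command for secrets should answer no. The default Service Account in every namespace has no RBAC rules of its own, but its token is mounted into every Pod that does not opt out, which is why automountServiceAccountToken: false is worth setting on it too.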