kubernetes LoadBalancer appProtocol

Typically, you set the protocol for the Service to TCP and add an annotation (usually specific to your cloud provider) that configures the load balancer to handle traffic at the HTTP level. This configuration might also include serving HTTPS (HTTP over TLS) and reverse-proxying plain HTTP to your workload.

You might additionally want to specify that the application protocol of the connection is http or https. Use http if the session from the load balancer to your workload is HTTP without TLS, and use https if the session from the load balancer to your workload uses TLS encryption.
https://kubernetes.io/docs/reference/networking/service-protocols/

The appProtocol field provides a way to specify an application protocol for each Service port. This is used as a hint for implementations to offer richer behavior for protocols that they understand.
https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol

kubernetes operator custom resource creation

Yesterday I had a terrible doubt about kubernetes operator deployments. Briefly, I wanted to be sure when it is 100% safe for a custom resource to be created and what possible race-conditions should be taken into account between operator controller instances and its corresponding ‘watched’ custom resources.

I dag on google through post and specs but this chatGTP pretty much summarises my conclusions. I did it following the same questions I did to myself when googling and then used the chat to validate them (and play a bit with the bot), hope it is helpful for you too:

me>> what happens if a kubernetes custom resource is created before the corresponding operator controller is running?

If a Kubernetes custom resource is created before the corresponding operator controller is running, the controller will not be able to process the resource until it is started. Depending on the implementation of the operator and the custom resource, the resource may not be fully functional or may not be monitored for updates until the controller is running. It is recommended to start the operator controller before creating any custom resources to ensure proper functionality.

me>> why is it recommended to start the operator controller before creating any custom resources ?

It is recommended to start the operator controller before creating any custom resources because the controller is responsible for managing the lifecycle of the custom resources. This includes creating, updating, and deleting resources based on the desired state specified in the custom resource.

If the controller is not running when a custom resource is created, the controller will not be able to process the resource and ensure that it is in the desired state. Additionally, the controller may not be able to monitor the resource for updates, which can lead to the resource becoming out of sync with the desired state.

By starting the operator controller before creating any custom resources, you can ensure that the controller is able to immediately process and manage the resources as they are created, which helps to maintain a consistent and desired state of resources, which is the main objective of using kubernetes operator.

me>> does kubernetes operator controller use webhooks?

Yes, Kubernetes operator controllers can use webhooks as a way to perform certain actions on custom resources.

Webhooks are a way to trigger an external service to perform an action when certain events occur in the Kubernetes cluster. For example, a webhook could be configured to validate a custom resource before it is created, or to mutate a custom resource before it is updated.

Operators can use webhooks to perform specific actions on custom resources, such as validating the resource’s configuration, mutating the resource’s specification, or performing a pre- or post-hook.

Webhooks are typically implemented using a Kubernetes admission controller and a separate service that handles the webhook requests. The admission controller intercepts the request to create or update a resource, and sends it to the webhook service, which performs the necessary action before allowing the request to continue.

me>> which alternative to webhooks can be used in kubernetes operator controller?

An alternative to webhooks that can be used in a Kubernetes operator controller is to use a Kubernetes controller pattern.

A controller pattern is a way to implement a specific behavior in a Kubernetes operator. It is a specific type of controller that runs in the same process as the operator, and watches for changes to custom resources. It then takes the appropriate actions to bring the custom resource to the desired state.

Controller patterns are typically implemented using the Go client library for Kubernetes (client-go) and the controller-runtime library. This allows the operator to watch for changes to custom resources and take appropriate actions using the Kubernetes API.

Controller pattern is an alternative to webhooks, as it allows the operator to perform actions on custom resources directly, rather than relying on an external service to handle the webhook request. This can be more efficient and easier to implement, but also might require more knowledge and expertise of kubernetes API.

me>> if an operator controller uses controller pattern, can it process existing resources already present when operator starts running?

If an operator controller uses the controller pattern, it can process existing resources that are already present in the cluster when the operator starts running.

When the operator starts, it will typically register a watch on the custom resources it manages. The watch will trigger a callback function for each existing resource in the cluster, allowing the operator to process these resources.

Depending on the implementation of the operator, it may take different actions when processing existing resources. The operator could, for example, check the current state of the resource and ensure it matches the desired state, or it could update the resource to the desired state.

It is important to note that if the resources were created before the operator and not managed by it, they may not match the desired state that the operator is expecting and may require additional logic or steps to reconcile them.

Also, if the resources were created with some properties which are not recognized by the operator, it may not be able to reconcile them and may require manual intervention or updates to the operator’s code to handle those cases.

me>> but what happens if webhook is used instead of controller pattern?

If a webhook is used instead of a controller pattern in an operator, the behavior when the operator starts and processes existing resources will be different.

When the operator starts, it will register a webhook with the Kubernetes API server. The webhook will be triggered for any new resources that are created or updated, but it will not be triggered for existing resources that were already present in the cluster when the operator starts.

This means that the operator will not be able to process existing resources that were already present in the cluster when it starts. The operator will only be able to process resources that are created or updated after it starts.

To reconcile the existing resources and bring them to the desired state, the operator would have to have additional logic that periodically scans the cluster for resources that it is supposed to manage, and if it finds any, it would need to invoke the webhook manually.

It is worth noting that using a webhook can be useful in situations where you want to perform a specific action on a resource before it is created or updated, such as validating its configuration or mutating its specification. But it is less efficient and might require more complexity to reconcile the existing resources, when compared to using a controller pattern.
from https://chat.openai.com/chat

This explains why the results I got changed from one operator to another. Some of them can handle ‘existing’ custom resources created after CRDs are deployed but before the controller is up and running while others require to check the running state of the controller before creating any custom resource.

kubectl debug

Sometimes, it might be a good idea to copy a Pod before starting the debugging. Luckily, the kubectl debug command has a flag for that --copy-to <new-name>. The new Pod won’t be owned by the original workload, nor will it inherit the labels of the original Pod, so it won’t be targeted by a potential Service object in front of the workload. This should give you a quiet copy to investigate!
https://iximiuz.com/en/posts/kubernetes-ephemeral-containers/

kubectl debug -it -c debugger --image=busybox \
  --copy-to test-pod \
  --share-processes \
  ${POD_NAME}

AGIC and let’s encrypt

AGIC helps eliminate the need to have another load balancer/public IP in front of the AKS cluster and avoids multiple hops in your datapath before requests reach the AKS cluster. Application Gateway talks to pods using their private IP directly and does not require NodePort or KubeProxy services. This also brings better performance to your deployments.
https://docs.microsoft.com/en-us/azure/application-gateway/ingress-controller-overview

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: aspnetapp
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: aspnetapp
          servicePort: 80

ingress-shim watches Ingress resources across your cluster. If it observes an Ingress with annotations described in the Supported Annotations section, it will ensure a Certificate resource with the name provided in the tls.secretName field and configured as described on the Ingress exists.
https://cert-manager.io/docs/usage/ingress/

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # add an annotation indicating the issuer to use.
    cert-manager.io/cluster-issuer: nameOfClusterIssuer
  name: myIngress
  namespace: myIngress
spec:
  rules:
  - host: example.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: myservice
            port:
              number: 80
  tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
  - hosts:
    - example.com
    secretName: myingress-cert # < cert-manager will store the created certificate in this secret.

The ACME Issuer type represents a single account registered with the Automated Certificate Management Environment (ACME) Certificate Authority server. When you create a new ACME Issuer, cert-manager will generate a private key which is used to identify you with the ACME server.
https://cert-manager.io/docs/configuration/acme/#solving-challenges

SSL is handled by the ingress controller, not the ingress resource. Meaning, when you add TLS certificates to the ingress resource as a kubernetes secret, the ingress controller access it and makes it part of its configuration.
https://devopscube.com/configure-ingress-tls-kubernetes/

apiVersion: v1
kind: Secret
metadata:
  name: hello-app-tls
  namespace: dev
type: kubernetes.io/tls
data:
  server.crt: |
       <crt contents here>
  server.key: |
       <private key contents here>

You can secure an Ingress by specifying a Secret that contains a TLS private key and certificate. The Ingress resource only supports a single TLS port, 443, and assumes TLS termination at the ingress point (traffic to the Service and its Pods is in plaintext).

Referencing this secret in an Ingress tells the Ingress controller to secure the channel from the client to the load balancer using TLS. You need to make sure the TLS secret you created came from a certificate that contains a Common Name (CN), also known as a Fully Qualified Domain Name (FQDN) for https-example.foo.com.
https://kubernetes.io/docs/concepts/services-networking/ingress/

I found this error when installing helm chart and creating Issuer:

custom resource (ClusterIssuer) takes some time to properly register in API server. In case when CRD ClusterIssuer was just created and then immediately one tries to create custom resource — this error will happen.
https://github.com/hashicorp/terraform-provider-kubernetes-alpha/issues/72

so I have to split cert-manager chart installation from Cluster Issuer creation.

Pod namespaces

By default, Pods are non-isolated, and they accept traffic from any source including other Pods present within the cluster. Pods become isolated by having a NetworkPolicy that selects them. Once there is any NetworkPolicy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any NetworkPolicy. Network policies affect only Pod-to-Pod communication and do not affect service-to-service traffic directly. Network policies use labels specified within the PodSelector attribute of their definition to select the Pods on which the associated traffic rules will be enforced.
https://docs.robin.io/platform/latest/manage_network.html?highlight=interface#how-it-works

Does SR-IOV CNI requires using DPDK?

No. Kernel o DPDK driver can be used, configured at network attachment definition.

A Network Attachment Definition for SR-IOV CNI takes the form:
apiVersion: “k8s.cni.cncf.io/v1”
kind: NetworkAttachmentDefinition
metadata:
name: sriov-net1
annotations:
k8s.v1.cni.cncf.io/resourceName: intel.com/intel_sriov_netdevice
spec:
config: ‘{
[…]
}’
This is the [extended] configuration for a working kernel driver interface using an SR-IOV Virtual Function. It applies an IP address using the host-local IPAM plugin in the range of the subnet provided:
{
“cniVersion”: “0.3.1”,
“name”: “sriov-advanced”,
“type”: “sriov”,
“vlan”: 1000,
“spoofchk”: “off”,
“trust”: “on”,
“ipam”: {
“type”: “host-local”,
“subnet”: “10.56.217.0/24”,
“routes”: [{
“dst”: “0.0.0.0/0”
}],
“gateway”: “10.56.217.1”
}
}
The below config will configure a VF using a userspace driver (uio/vfio) for use in a container. If this plugin is used with a VF bound to a dpdk driver then the IPAM configuration will still be respected, but it will only allocate IP address(es) using the specified IPAM plugin, not apply the IP address(es) to container interface.
{
“cniVersion”: “0.3.1”,
“name”: “sriov-dpdk”,
“type”: “sriov”,
“vlan”: 1000
}
Note DHCP IPAM plugin can not be used for VF bound to a dpdk driver (uio/vfio).
Note When VLAN is not specified in the Network-Attachment-Definition, or when it is given a value of 0, VFs connected to this network will have no vlan tag.
https://github.com/openshift/sriov-cni

Kubernetes CSI, CDI, openEBS

The Container Storage Interface (CSI) is a standard for exposing storage to workloads on Kubernetes. To enable automatic creation/deletion of volumes for CSI Storage, a Kubernetes resource called StorageClass must be created and registered within the Kubernetes cluster.
Associated with the StorageClass is a CSI provisioner plugin that does the heavy lifting at disk and storage management layers to provision storage volumes based on the various attributes defined in the StorageClass. Kubernetes CSI was introduced in Kubernetes v1.9 release, promoted to beta in Kuberentes v1.10 release as CSI v0.3, followed by a GA release in Kubernetes v1.13 as CSI v1.0.
https://docs.robin.io/storage/latest/storage.html

Containerized-Data-Importer (CDI) is a persistent storage management add-on for Kubernetes. It’s primary goal is to provide a declarative way to build Virtual Machine Disks on PVCs for Kubevirt VMs.
CDI works with standard core Kubernetes resources and is storage device agnostic, while its primary focus is to build disk images for Kubevirt, it’s also useful outside of a Kubevirt context to use for initializing your Kubernetes Volumes with data.
The kubevirt content type indicates that the data being imported should be treated as a Kubevirt VM disk. CDI will automatically decompress and convert the file from qcow2 to raw format if needed. It will also resize the disk to use all available space.
CDI is designed to be storage agnostic.
https://github.com/kubevirt/containerized-data-importer

OpenEBS is Kubernetes native Container Attached Storage solution that makes it possible for Stateful applications to easily access Dynamic Local PVs or Replicated PVs
OpenEBS can be used across all Kubernetes distributions – On-premise and Cloud.
OpenEBS turns any storage available on the Kubernetes worker nodes into local or distributed Kubernetes Persistent Volumes.
OpenEBS is the leading choice for NVMe based storage deployments. OpenEBS is completely Open Source and Free.
The Stateful Pod writes the data to the OpenEBS engines that synchronously replicates the data to multiple nodes in the cluster. OpenEBS engine itself is deployed as pod and orchestrated by Kubernetes.
https://openebs.io/docs/

EKS Anywhere

EKS-A is Amazon’s own version of Anthos. Just like Anthos, it’s tightly integrated with vSphere, can be installed on bare metal or any other cloud. But the key difference is that there is no meta control plane to manage all the EKS-A clusters from a single pane of glass.
There is nothing open source about EKS-A. It’s an opaque installer that rolls out an EKS-like cluster on a set of compute nodes. If you want to customize the cluster components, switch to EKS-D, and assemble your own stack.
Combined with a new addition called EKS Console, multiple EKS-A clusters can be managed from the familiar AWS Console.
https://www.forbes.com/sites/janakirammsv/2020/12/06/aws-responds-to-anthos-and-azure-arc-with-amazon-eks-anywhere/

EKS Console, the web-based interface originally launched to manage EKS clusters in the cloud, now supports registering EKS Anywhere. Branded as EKS Connector […]
https://www.forbes.com/sites/janakirammsv/2021/09/09/amazon-announces-the-general-availability-of-eks-anywhere/

Amazon EKS displays connected clusters in Amazon EKS console for workload visualization only and does not manage them. […] is in preview release for Amazon EKS and is subject to change.
https://docs.aws.amazon.com/eks/latest/userguide/eks-connector.html

EKS Distro is the same Kubernetes distribution used in AWS and that includes out-of-the-box optional defaults for node OS, container runtime, service load balancer, container network interface (CNI), and ingress and storage classes
https://cloud.netapp.com/blog/cvo-blg-eks-anywhere-and-ecs-anywhere-multicloud-services

EKS on AWS Outposts was one of the options where users were able to run Kubernetes in their own data centers but on AWS infrastructure. With EKS Anywhere users can deploy Kubernetes on their own infrastructure and is managed by the customer with a consistent AWS management experience in their data center.
The cluster registration process involves two steps: registering the cluster with Amazon EKS and applying a connector YAML manifest file in the target cluster to enable connectivity.
The eks-connector is deployed as a StatefulSet and consists of two containers – amazon-ssm-agent (connector-agent) and eks-connector (connector-proxy). Amazon EKS leverages AWS Systems Manager’s agent to connect to AWS services.
The ‘Workloads‘ section displays all objects of Type: Deployment, DaemonSet and StatefulSet. […] other objects of the cluster (like services, ingress, secrets, etc.) are not available for visualization.
https://www.linkedin.com/pulse/amazon-eks-anywhere-connector-gokul-chandra/

To show you how easy it is to get started, let’s install the EKS Anywhere CLI, create a local development cluster, and deploy [docker provider] an example workload with only four commands.
brew install aws/tap/eks-anywhere
eksctl anywhere generate clusterconfig local-cluster \ –provider docker > local-cluster.yaml
eksctl anywhere create cluster -f local-cluster.yaml
https://aws.amazon.com/blogs/containers/introducing-general-availability-of-amazon-eks-anywhere/

Kubernetes at the edge

The biggest question to ask about running Kubernetes at the edge is whether your IT organization’s edge resources are comparable to its cloud resources. If they are, a standard Kubernetes deployment — with set node affinities and related pod-assignment parameters to steer edge pods to edge nodes — is the more effective setup. If the edge and cloud environments are symbiotic, rather than unified, consider KubeEdge. Most edge users should consider this to be the default option.
The more dissimilar the edge and cloud environments or requirements are, the more logical it is to keep the two separated — particularly if edge resources are too limited to run standard Kubernetes. If you want common orchestration of both edge and cloud workloads so the cloud can back up the edge, for example, use MicroK8s or a similar distribution. If latency or resource specialization at the edge eliminates the need for that cohesion, K3s is a strong choice.
https://searchitoperations.techtarget.com/tip/Run-Kubernetes-at-the-edge-with-these-K8s-distributions

Are kubernetes secrets secret?

“By default, the identity provider is used to protect secrets in etcd, which provides no encryption.”
https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/