The secret life of Pods


whoami

  • Pieter Lange
  • Infrastructure / DevOps engineer
  • pieter@ptlc.nl
  • github.com/pieterlange
  • Specialize in kubernetes based deployments

Agenda

"Don’t anthropomorphize computers, they hate that" - David Wheeler
  1. What is a Pod?
  2. Conception (CI build)
  3. Birth (deployment)
  4. Life (running in k8s)
    • The environment
    • Finding a mate (service discovery)
    • Health
  5. Retirement and death
  6. Deployment patterns
    • Sidecar
    • Ambassador
    • Adapter

What is a Pod?

What is a Pod?

Pods are not pets!

What is a Pod?

Unless they are....

What is a Pod?

Running instances of applications
  • Smallest schedulable unit
  • One or more containers that share the namespace/are tightly coupled
  • Ephemeral!
  • Namespace?
    1. Shared memory (SHM)
    2. Volumes
    3. IP
    4. hostname

Pods

Containers follow standards

The Twelve-Factor App

Build server


Overview

  1. git push
  2. Run your tests
  3. Start docker build
  4. Push artifact to registry
  5. Notify deployment manager
  6. Automatic canary/feature deployment
  7. (Choose environment to deploy to)

Birth certificate


https://grafeas.io

Birth


Birth



Birth

Pods are born from:
  1. Replication controllers
  2. Deployments (ReplicaSets)
  3. Cronjobs (Jobs)
  4. DaemonSet
  5. PetSet
    6. StatefulSet
Pod
              
apiVersion: v1
kind: Pod
metadata:
  name: ptlcdebug
spec:
  containers:
  - command:
    - sleep
    - "86400"
    image: alpine:3.7
    name: alpine
Everything's just Pod templates

Pod life


The environment

Variables
  • Neighbouring services
    • OPENLDAP_PORT_389_TCP_ADDR=10.102.226.153
    • OPENLDAP_PORT_389_TCP_PORT=389
    • OPENLDAP_PORT_389_TCP_PROTO=tcp
    • OPENLDAP_SERVICE_HOST=10.102.226.153
    • OPENLDAP_SERVICE_PORT=389
    • OPENLDAP_PORT_389_TCP=tcp://10.102.226.153:389
    • OPENLDAP_PORT=tcp://10.102.226.153:389

The environment

Variables
  • Variables in PodSpec
             
containers:
- name: mycontainer
  image: alpine:3.7
  <...>
  env:
  - name: MY_ENVIRONMENT_VARIABLE
    value: "value"
  - name: AND_ANOTHER
    value: "yup"

The environment

Variables
  • Variables in PodSpec from shared ConfigMap
             
containers:
- name: mycontainer
  image: alpine:3.7
  <...>
  env:
  - name: LOG_LEVEL
    valueFrom:
      configMapKeyRef:
        name: ddyparams
        key: loglevel

The environment

Variables
  • Variables in PodSpec from Secret
             
containers:
- name: mycontainer
  image: alpine:3.7
  <...>
  env:
  - name: DATABASE_URL
    valueFrom:
      secretKeyRef:
        name: myapp
        key: databaseurl

The environment

Variables
  • Variables in PodSpec from Downward API
             
containers:
- name: mycontainer
  image: alpine:3.7
  <...>
  env:
  - name: MY_POD_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name

The environment

Variables
  • Load all key/value pairs from ConfigMap or Secret using envFrom
             
containers:
- name: mycontainer
  image: alpine:3.7
  envFrom:
  - secretRef:
      name: app-secrets
  - configMapRef:
      name: app-configs

The environment

Volumes
  • emptyDir
  • hostPath
  • secret
  • GCEPersistentDisk
  • AWSElasticBlockStore
  • NFS
  • iSCSI
  • RBD
  • CephFS
  • Cinder
  • VsphereVolume

The environment

Kubernetes default serviceaccount
              
~ # ls -al /var/run/secrets/kubernetes.io/serviceaccount
total 0
drwxrwxrwt    3 root     root           140 Sep 24 14:26 .
drwxr-xr-x    3 root     root            27 Sep 24 14:26 ..
drwxr-xr-x    2 root     root           100 Sep 24 14:26 ..9989_24_09_14_26_34.196016358
lrwxrwxrwx    1 root     root            31 Sep 24 14:26 ..data -> ..9989_24_09_14_26_34.196016358
lrwxrwxrwx    1 root     root            13 Sep 24 14:26 ca.crt -> ..data/ca.crt
lrwxrwxrwx    1 root     root            16 Sep 24 14:26 namespace -> ..data/namespace
lrwxrwxrwx    1 root     root            12 Sep 24 14:26 token -> ..data/token

Health checks


Readiness checks


Classed society

  • QoS (CPU & memory)
    • Requests
    • Limits
  • SecurityContext
    • SElinux
    • Capabilities
      • NET_ADMIN
      • SETPCAP
      • SYS_RAWIO
      • NET_BIND_SERVICE
  • RBAC
  • NetworkPolicy (distributed firewall)
    • Ingress
    • Egress

Death


Death

Better known as "pod termination"
  • Containers in a Pod live and die together
  • Configurable "grace period" (get your affairs in order for a clean exit)

Termination

He died doing what he loved.. serving users..
  • Retirement
  • Node maintainance/swapout
  • OOMkiller ☠
  • "Natural causes" ☠

"Patterns for Composite Containers"


Sidecar

"Extend and enhance"

Sidecar

"Extend and enhance"

Sidecar

"Extend and enhance"

Ambassador

"Represent and present"

Adapter

"Normalize and abstract"

Adapter

"Normalize and abstract"

Adapter

"Extend and enhance"

Questions?


Shameless plugs: