kubernetes

[!TIP] On kubernetes.io, add /_print as a suffix to the URL and the whole section is rendered as a single page, e.g.:

kubernetes orchestration control panel
kubernetes technology

/etc/kubernetes/manifests

[!TIP] /etc/kubernetes/manifests is the path where the kubelet looks for static Pod manifests. The static Pod manifests are:

  • etcd.yaml

  • kube-apiserver.yaml

  • kube-controller-manager.yaml

  • kube-scheduler.yaml

/etc/kubernetes

[!TIP]

  • important kubernetes cluster configurations: /etc/kubernetes/ is the path where the kubeconfig files with identities for the control plane components are stored. The kubeconfig files are:

  • kubelet.conf (bootstrap-kubelet.conf during TLS bootstrap)

  • controller-manager.conf

  • scheduler.conf

  • admin.conf for the cluster admin and kubeadm itself

names of certificates and key files

[!TIP]

  • ca.crt, ca.key for the Kubernetes certificate authority

  • apiserver.crt, apiserver.key for the API server certificate

  • apiserver-kubelet-client.crt, apiserver-kubelet-client.key for the client certificate used by the API server to connect to the kubelets securely

  • sa.pub, sa.key for the key used by the controller manager when signing ServiceAccount tokens

  • front-proxy-ca.crt, front-proxy-ca.key for the front proxy certificate authority

  • front-proxy-client.crt, front-proxy-client.key for the front proxy client

[!TIP]

  • apiserver-advertise-address and apiserver-bind-port to bind to; if not provided, those values default to the IP address of the default network interface on the machine and port 6443

  • service-cluster-ip-range to use for services

  • If an external etcd server is specified, the etcd-servers address and related TLS settings (etcd-cafile, etcd-certfile, etcd-keyfile)

    • if no external etcd server is provided, a local etcd is used (via host network)

  • If a cloud provider is specified, the corresponding --cloud-provider is configured, together with the --cloud-config path if such file exists (this is experimental, alpha and will be removed in a future version)

other api server flags

  • --insecure-port=0 to avoid insecure connections to the api server

  • --enable-bootstrap-token-auth=true to enable the BootstrapTokenAuthenticator authentication module. See TLS Bootstrapping for more details

  • --allow-privileged to true (required e.g. by kube proxy)

  • --requestheader-client-ca-file to front-proxy-ca.crt

  • --enable-admission-plugins to:

    • NamespaceLifecycle e.g. to avoid deletion of system reserved namespaces

    • LimitRanger and ResourceQuota to enforce limits on namespaces

    • ServiceAccount to enforce service account automation

    • PersistentVolumeLabel attaches region or zone labels to PersistentVolumes as defined by the cloud provider (this admission controller is deprecated and will be removed in a future version; from v1.9 onwards kubeadm does not deploy it by default unless gce or aws is explicitly chosen as the cloud provider)

    • DefaultStorageClass to enforce default storage class on PersistentVolumeClaim objects

    • DefaultTolerationSeconds

    • NodeRestriction to limit what a kubelet can modify (e.g. only pods on this node)

  • --kubelet-preferred-address-types to InternalIP,ExternalIP,Hostname; this makes kubectl logs and other API server-kubelet communication work in environments where the hostnames of the nodes aren't resolvable

  • Flags for using certificates generated in previous steps:

    • --client-ca-file to ca.crt

    • --tls-cert-file to apiserver.crt

    • --tls-private-key-file to apiserver.key

    • --kubelet-client-certificate to apiserver-kubelet-client.crt

    • --kubelet-client-key to apiserver-kubelet-client.key

    • --service-account-key-file to sa.pub

    • --requestheader-client-ca-file to front-proxy-ca.crt

    • --proxy-client-cert-file to front-proxy-client.crt

    • --proxy-client-key-file to front-proxy-client.key

  • Other flags for securing the front proxy (API Aggregation) communications:

    • --requestheader-username-headers=X-Remote-User

    • --requestheader-group-headers=X-Remote-Group

    • --requestheader-extra-headers-prefix=X-Remote-Extra-

    • --requestheader-allowed-names=front-proxy-client
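As an added example that is not part of the original page, a small POSIX shell audit that reads a kube-apiserver static Pod manifest and reports every flag that deviates from the settings listed above. The manifest text is constructed sample input, and the /etc/kubernetes/pki directory for the certificate files is an assumption (the page only names the files).

```shell
#!/bin/sh
# Added example: audit a kubeadm-style kube-apiserver static Pod manifest
# (/etc/kubernetes/manifests/kube-apiserver.yaml) against the flags listed above.
# SAMPLE_MANIFEST is constructed input; /etc/kubernetes/pki is an assumed directory.
SAMPLE_MANIFEST='apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --allow-privileged=true
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction,NamespaceLifecycle
    - --enable-bootstrap-token-auth=true
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --secure-port=6443
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key'
# The same manifest with two weaknesses introduced, to show the audit catching them.
WEAK_MANIFEST=$(printf '%s\n' "$SAMPLE_MANIFEST" \
  | sed -e 's/--insecure-port=0/--insecure-port=8080/' -e '/--enable-admission-plugins=/d')
# Print the value of "- --<flag>=<value>" from the command list (empty if absent).
flag_value() { printf '%s\n' "$1" | sed -n "s/^[[:space:]]*- --$2=//p" | head -n 1; }
# Print one finding per line where the manifest deviates from the settings above.
audit_manifest() {
  m=$1
  [ "$(flag_value "$m" insecure-port)" = "0" ] || echo "insecure-port is not 0"
  [ "$(flag_value "$m" enable-bootstrap-token-auth)" = "true" ] || echo "bootstrap token auth is not enabled"
  case ",$(flag_value "$m" enable-admission-plugins)," in
    *,NodeRestriction,*) ;;
    *) echo "NodeRestriction admission plugin is not enabled" ;;
  esac
  for f in client-ca-file tls-cert-file tls-private-key-file \
           kubelet-client-certificate kubelet-client-key service-account-key-file; do
    [ -n "$(flag_value "$m" "$f")" ] || echo "$f is missing"
  done
}
# Number of findings, for use in scripts: 0 for SAMPLE_MANIFEST, 2 for WEAK_MANIFEST.
finding_count() { audit_manifest "$1" | wc -l | tr -d ' '; }
# Run against the weakened manifest; on a real node pass the file contents instead.
audit_manifest "$WEAK_MANIFEST"
```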

[!TIP]

  • If kubeadm is invoked specifying a --pod-network-cidr, the subnet manager feature required for some CNI network plugins is enabled by setting:

    • --allocate-node-cidrs=true

    • --cluster-cidr and --node-cidr-mask-size flags according to the given CIDR

  • If a cloud provider is specified, the corresponding --cloud-provider is specified, together with the --cloud-config path if such configuration file exists (this is experimental, alpha and will be removed in a future version)

other flags

  • --controllers enabling all the default controllers plus BootstrapSigner and TokenCleaner controllers for TLS bootstrap. See TLS Bootstrapping for more details

  • --use-service-account-credentials to true

  • Flags for using certificates generated in previous steps:

    • --root-ca-file to ca.crt

    • --cluster-signing-cert-file to ca.crt, if External CA mode is disabled, otherwise to ""

    • --cluster-signing-key-file to ca.key, if External CA mode is disabled, otherwise to ""

    • --service-account-private-key-file to sa.key

flow

pod creation

kubernetes pod creation flow

ingress traffic

ingress traffic flow

control plane

| Protocol | Direction | Port range | Purpose | Used by |
|---|---|---|---|---|
| TCP | Inbound | 6443 | Kubernetes API server | All |
| TCP | Inbound | 2379-2380 | etcd server client API | kube-apiserver, etcd |
| TCP | Inbound | 10250 | Kubelet API | Self, Control plane |
| TCP | Inbound | 10259 | kube-scheduler | Self |
| TCP | Inbound | 10257 | kube-controller-manager | Self |

worker node(s)

| Protocol | Direction | Port range | Purpose | Used by |
|---|---|---|---|---|
| TCP | Inbound | 10250 | Kubelet API | Self, Control plane |
| TCP | Inbound | 30000-32767 | NodePort Services | All |

Kubernetes Architecture

control plane

kube-apiserver

Kubernetes Architecture : kube-apiserver

etcd

Kubernetes Architecture : etcd

kube-scheduler

Kubernetes Architecture : kube-scheduler

controller manager

Kubernetes Architecture : kube controller manager

ccm : cloud controller manager

Kubernetes Architecture : ccm

worker node

[!NOTE]

| Runtime | Path to Unix domain socket |
|---|---|
| containerd | unix:///var/run/containerd/containerd.sock |
| CRI-O | unix:///var/run/crio/crio.sock |
| Docker Engine (using cri-dockerd) | unix:///var/run/cri-dockerd.sock |

  • windows

| Runtime | Path to Windows named pipe |
|---|---|
| containerd | npipe:////./pipe/containerd-containerd |
| Docker Engine (using cri-dockerd) | npipe:////./pipe/cri-dockerd |

kubelet

Kubernetes Architecture : kubelet

kube proxy

Kubernetes Architecture : kube-proxy

cri-o : container runtime

Kubernetes Architecture : cri-o

jsonpath

[!NOTE|label:references:]

options

explain

  • or

__start_kubectl

_complete_alias

kubecolor

token

check token

generate token

[!NOTE|label:see also:]

[!TIP]

  • ubuntu

  • CentOS/RHEL

references
