kubernetes

[!TIP] kubernetes.io add /_print as suffix in the url, it will show pages into one page i.e.:

kubernetes orchestration control panel
kubernetes technology

core design principles

constants and well-known values and paths

/etc/kubernetes/manifests

[!TIP] /etc/kubernetes/manifests as the path where kubelet should look for static Pod manifests. Names of static Pod manifests are:

  • etcd.yaml

  • kube-apiserver.yaml

  • kube-controller-manager.yaml

  • kube-scheduler.yaml

/etc/kubernetes

[!TIP]

  • important kubernetes cluster configurations /etc/kubernetes/ as the path where kubeconfig files with identities for control plane components are stored. Names of kubeconfig files are:

  • kubelet.conf (bootstrap-kubelet.conf during TLS bootstrap)

  • controller-manager.conf

  • scheduler.conf

  • admin.conf for the cluster admin and kubeadm itself

names of certificates and key files

[!TIP]

  • ca.crt, ca.key for the Kubernetes certificate authority

  • apiserver.crt, apiserver.key for the API server certificate

  • apiserver-kubelet-client.crt, apiserver-kubelet-client.key for the client certificate used by the API server to connect to the kubelets securely

  • sa.pub, sa.key for the key used by the controller manager when signing ServiceAccount

  • front-proxy-ca.crt, front-proxy-ca.key for the front proxy certificate authority

  • front-proxy-client.crt, front-proxy-client.key for the front proxy client

API server

static pod manifest

[!TIP]

  • apiserver-advertise-address and apiserver-bind-port to bind to; if not provided, those value defaults to the IP address of the default network interface on the machine and port 6443

  • service-cluster-ip-range to use for services

  • If an external etcd server is specified, the etcd-servers address and related TLS settings (etcd-cafile, etcd-certfile, etcd-keyfile);

    • if an external etcd server is not be provided, a local etcd will be used ( via host network )

  • If a cloud provider is specified, the corresponding --cloud-provider is configured, together with the --cloud-config path if such file exists (this is experimental, alpha and will be removed in a future version)

other api server flags

  • --insecure-port=0 to avoid insecure connections to the api server

  • --enable-bootstrap-token-auth=true to enable the BootstrapTokenAuthenticator authentication module. See TLS Bootstrapping for more details

  • --allow-privileged to true (required e.g. by kube proxy)

  • --requestheader-client-ca-file to front-proxy-ca.crt

  • --enable-admission-plugins to:

    • NamespaceLifecycle e.g. to avoid deletion of system reserved namespaces

    • LimitRanger and ResourceQuota to enforce limits on namespaces

    • ServiceAccount to enforce service account automation

    • PersistentVolumeLabel attaches region or zone labels to PersistentVolumes as defined by the cloud provider (This admission controller is deprecated and will be removed in a future version. It is not deployed by kubeadm by default with v1.9 onwards when not explicitly opting into using gce or aws as cloud providers)

    • DefaultStorageClass to enforce default storage class on PersistentVolumeClaim objects

    • DefaultTolerationSeconds

    • NodeRestriction to limit what a kubelet can modify (e.g. only pods on this node)

  • --kubelet-preferred-address-types to InternalIP,ExternalIP,Hostname; this makes kubectl logs and other API server-kubelet communication work in environments where the hostnames of the nodes aren't resolvable

  • Flags for using certificates generated in previous steps:

    • --client-ca-file to ca.crt

    • --tls-cert-file to apiserver.crt

    • --tls-private-key-file to apiserver.key

    • --kubelet-client-certificate to apiserver-kubelet-client.crt

    • --kubelet-client-key to apiserver-kubelet-client.key

    • --service-account-key-file to sa.pub

    • --requestheader-client-ca-file to front-proxy-ca.crt

    • --proxy-client-cert-file to front-proxy-client.crt

    • --proxy-client-key-file to front-proxy-client.key

  • Other flags for securing the front proxy (API Aggregation) communications:

    • --requestheader-username-headers=X-Remote-User

    • --requestheader-group-headers=X-Remote-Group

    • --requestheader-extra-headers-prefix=X-Remote-Extra-

    • --requestheader-allowed-names=front-proxy-client

controller manager

static Pod manifest

[!TIP]

  • If kubeadm is invoked specifying a --pod-network-cidr, the subnet manager feature required for some CNI network plugins is enabled by setting:

    • --allocate-node-cidrs=true

    • --cluster-cidr and --node-cidr-mask-size flags according to the given CIDR

  • If a cloud provider is specified, the corresponding --cloud-provider is specified, together with the --cloud-config path if such configuration file exists (this is experimental, alpha and will be removed in a future version)

other flags

  • --controllers enabling all the default controllers plus BootstrapSigner and TokenCleaner controllers for TLS bootstrap. See TLS Bootstrapping for more details

  • --use-service-account-credentials to true

  • Flags for using certificates generated in previous steps:

    • --root-ca-file to ca.crt

    • --cluster-signing-cert-file to ca.crt, if External CA mode is disabled, otherwise to ""

    • --cluster-signing-key-file to ca.key, if External CA mode is disabled, otherwise to ""

    • --service-account-private-key-file to sa.key

flow

pod creation

kubernetes pod creation flow

ingress traffic

ingress traffic flow

ports and protocols

contol plane

PROTOCOL
DIRECTION
PORT RANGE
PURPOSE
USED BY

TCP

Inbound

6443

Kubernetes API server

All

TCP

Inbound

2379-2380

etcd server client API

kube-apiserver, etcd

TCP

Inbound

10250

Kubelet API

Self, Control plane

TCP

Inbound

10259

kube-scheduler

Self

TCP

Inbound

10257

kube-controller-manager

Self

worker node(s)

PROTOCOL
DIRECTION
PORT RANGE
PURPOSE
USED BY

TCP

Inbound

10250

Kubelet API

Self, Control plane

TCP

Inbound

30000-32767

NodePort Services

All

architecture

Kubernetes Architecture

control pannel

kube-apiserver

Kubernetes Architecture : kube-apiserver

etcd

Kubernetes Architecture : etcd

kube-scheduler

Kubernetes Architecture : kube-scheduler

controller manager

Kubernetes Architecture : kube conntroller manager

ccm : cloud controller manager

Kubernetes Architecture : ccm

work node

[!NOTE]

RUNTIME
PATH TO UNIX DOMAIN SOCKET

containerd

unix:///var/run/containerd/containerd.sock

CRI-O

unix:///var/run/crio/crio.sock

Docker Engine (using cri-dockerd)

unix:///var/run/cri-dockerd.sock

  • windows

RUNTIME
PATH TO UNIX DOMAIN SOCKET

containerd

npipe:////./pipe/containerd-containerd

Docker Engine (using cri-dockerd)

npipe:////./pipe/cri-dockerd

kubelet

Kubernetes Architecture : kubelet

kube proxy

Kubernetes Architecture : kube-proxy

cri-o : container runtime

Kubernetes Architecture : cri-o

jsonpath

[!NOTE|label:references:]

options

explain

  • or

kubectl alias

__start_kubectl

_complete_alias

kubecolor

token

check token

generate token

[!NOET|label:see also:]

tear down

[!TIP]

  • ubuntu

  • CentOS/RHEL

references

PreviousvirtualizationNextinit

Last updated

Was this helpful?