- HPAScaleToZero and HPAContainerMetrics feature gates for scale to zero without Keda
- kubernetes in docker with podman
KIND_EXPERIMENTAL_PROVIDER=podman ./kind-linux-amd64 create cluster --config cluster.yaml
- BUG with worker node failing. Needs runc 1.2 (unreleased) for resolv.conf
- Add delegate to systemd run with podman
KIND_EXPERIMENTAL_CONTAINERD_SNAPSHOTTER=native KIND_EXPERIMENTAL_PROVIDER=podman systemd-run --scope --user --property=Delegate=yes ./kind-linux-amd64 create cluster --retain
KIND_EXPERIMENTAL_CONTAINERD_SNAPSHOTTER=native
for zfs in kind >= 0.12
kind load docker-image IMAGE IMAGE
to load images or mount path through config
- postgresql (crunchydata)
- clone
https://github.com/CrunchyData/postgres-operator-examples/
kubectl apply -f kustomize/install
for the operator
kubectl apply -f kustomize/postgres
for default db
- change persistent volumes policy to retain and modify postgres for restore
- default forward primary port
PG_CLUSTER_PRIMARY_POD=$(kubectl get pod -n postgres-operator -o name -l postgres-operator.crunchydata.com/cluster=hippo,postgres-operator.crunchydata.com/role=master)
kubectl -n postgres-operator port-forward "${PG_CLUSTER_PRIMARY_POD}" 5432:5432
PGPASSWORD=$(kubectl get secrets -n postgres-operator "${PG_CLUSTER_USER_SECRET_NAME}" -o go-template='{{.data.password | base64decode}}') PGUSER=$(kubectl get secrets -n postgres-operator "${PG_CLUSTER_USER_SECRET_NAME}" -o go-template='{{.data.user | base64decode}}') PGDATABASE=$(kubectl get secrets -n postgres-operator "${PG_CLUSTER_USER_SECRET_NAME}" -o go-template='{{.data.dbname | base64decode}}') psql -h localhost
- cross plane
- deploy helm package (requires tiller)
- configure cloud resources with kubernetes yaml
- creates oci like images for xpackages
- providers for cf/gcp/ansible/terraform/kubernetes
- kube-provider manages operators/deployments across kubernetes clusters
- hardening
- require authorization (default no auth)
- user accounts for rbac (default admin)
- disable mounting of service token in pods
- user namespace containers
- read-only fs
- drop capabilites
- encrypt secrets
- tls for services/kubelet/control plane
- kubeadm
- kubeadm certs check-expiration
- kubeadm certs renew
- does not support rotating CA (9 year default)
- vault
- manages ca and cert rotation
- init/unseal with pgp keys
- operator has webhook to avoid sidecar
- configured through annotations and env vars
- cluster api instead of federation
- Gateway api instead of ingress api
- kine is a shim for etcd to use mysql, postgres or sqlite as a backing store
- used with k3s along with tunnel proxy for simple kube setups
- k8s device plugin for gpus as resource selectors
- set system-reserved, kube-reserved, eviction-threshold for node allocatable limit if memory pressure/cpu starvation.
- KEDA for scaling to zero cluster deployments with prometheus trigger on ingress
- knative does not support non http (gateway extension?)
- cilium cluster mesh routes across kubernetes cluster services
kind export logs
after running create with --retain
- add metrics server
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.5.0/components.yaml
kubectl patch -n kube-system deployment metrics-server --type=json -p '[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"--kubelet-insecure-tls"}]'
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
HPAScaleToZero: true
HPAContainerMetrics: true
LogarithmicScaleDown: true
nodes:
- role: control-plane
- role: worker
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: resource-consumer-v2
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: resource-consumer
minReplicas: 1
maxReplicas: 5
metrics:
- type: Object
object:
metric:
name: requests-per-second
describedObject:
apiVersion: networking.k8s.io/v1
kind: Ingress
name: main-route
target:
type: Value
value: 10k