kind

kind

  • kubernetes in docker with podman KIND_EXPERIMENTAL_PROVIDER=podman ./kind-linux-amd64 create cluster --config cluster.yaml
    • BUG with worker node failing. Needs runc 1.2 (unreleased) for resolv.conf
    • Add delegate to systemd run with podman KIND_EXPERIMENTAL_CONTAINERD_SNAPSHOTTER=native KIND_EXPERIMENTAL_PROVIDER=podman systemd-run --scope --user --property=Delegate=yes ./kind-linux-amd64 create cluster --retain
  • KIND_EXPERIMENTAL_CONTAINERD_SNAPSHOTTER=native for zfs in kind >= 0.12
  • kind load docker-image IMAGE IMAGE to load images or mount path through config
  • postgresql (crunchydata)
    • clone https://github.com/CrunchyData/postgres-operator-examples/
      • kubectl apply -f kustomize/install for the operator
      • kubectl apply -f kustomize/postgres for default db
    • change persistent volumes policy to retain and modify postgres for restore
    • default forward primary port
PG_CLUSTER_PRIMARY_POD=$(kubectl get pod -n postgres-operator -o name -l postgres-operator.crunchydata.com/cluster=hippo,postgres-operator.crunchydata.com/role=master)
kubectl -n postgres-operator port-forward "${PG_CLUSTER_PRIMARY_POD}" 5432:5432
  • default connection
PGPASSWORD=$(kubectl get secrets -n postgres-operator "${PG_CLUSTER_USER_SECRET_NAME}" -o go-template='{{.data.password | base64decode}}') PGUSER=$(kubectl get secrets -n postgres-operator "${PG_CLUSTER_USER_SECRET_NAME}" -o go-template='{{.data.user | base64decode}}') PGDATABASE=$(kubectl get secrets -n postgres-operator "${PG_CLUSTER_USER_SECRET_NAME}" -o go-template='{{.data.dbname | base64decode}}') psql -h localhost
  • cross plane
    • deploy helm package (requires tiller)
    • configure cloud resources with kubernetes yaml
    • creates oci like images for xpackages
    • providers for cf/gcp/ansible/terraform/kubernetes
    • kube-provider manages operators/deployments across kubernetes clusters
  • hardening
    • require authorization (default no auth)
    • user accounts for rbac (default admin)
    • disable mounting of service token in pods
    • user namespace containers
    • read-only fs
    • drop capabilites
    • encrypt secrets
    • tls for services/kubelet/control plane
    • kubeadm
      • kubeadm certs check-expiration
      • kubeadm certs renew
      • does not support rotating CA (9 year default)
  • vault
    • manages ca and cert rotation
    • init/unseal with pgp keys
    • operator has webhook to avoid sidecar
      • configured through annotations and env vars
  • cluster api instead of federation
  • Gateway api instead of ingress api
  • kine is a shim for etcd to use mysql, postgres or sqlite as a backing store
    • used with k3s along with tunnel proxy for simple kube setups
  • k8s device plugin for gpus as resource selectors
  • set system-reserved, kube-reserved, eviction-threshold for node allocatable limit if memory pressure/cpu starvation.
  • KEDA for scaling to zero cluster deployments with prometheus trigger on ingress
  • knative does not support non http (gateway extension?)
  • cilium cluster mesh routes across kubernetes cluster services
    • uses ebpf and envoy
  • kind export logs after running create with --retain