kind

HPAScaleToZero and HPAContainerMetrics feature gates for scale to zero without Keda
kubernetes in docker with podman KIND_EXPERIMENTAL_PROVIDER=podman ./kind-linux-amd64 create cluster --config cluster.yaml
- BUG with worker node failing. Needs runc 1.2 (unreleased) for resolv.conf
- Add delegate to systemd run with podman KIND_EXPERIMENTAL_CONTAINERD_SNAPSHOTTER=native KIND_EXPERIMENTAL_PROVIDER=podman systemd-run --scope --user --property=Delegate=yes ./kind-linux-amd64 create cluster --retain
KIND_EXPERIMENTAL_CONTAINERD_SNAPSHOTTER=native for zfs in kind >= 0.12
kind load docker-image IMAGE IMAGE to load images or mount path through config
postgresql (crunchydata)
- clone https://github.com/CrunchyData/postgres-operator-examples/
  - kubectl apply -f kustomize/install for the operator
  - kubectl apply -f kustomize/postgres for default db
- change persistent volumes policy to retain and modify postgres for restore
- default forward primary port

PG_CLUSTER_PRIMARY_POD=$(kubectl get pod -n postgres-operator -o name -l postgres-operator.crunchydata.com/cluster=hippo,postgres-operator.crunchydata.com/role=master)
kubectl -n postgres-operator port-forward "${PG_CLUSTER_PRIMARY_POD}" 5432:5432

default connection

PGPASSWORD=$(kubectl get secrets -n postgres-operator "${PG_CLUSTER_USER_SECRET_NAME}" -o go-template='{{.data.password | base64decode}}') PGUSER=$(kubectl get secrets -n postgres-operator "${PG_CLUSTER_USER_SECRET_NAME}" -o go-template='{{.data.user | base64decode}}') PGDATABASE=$(kubectl get secrets -n postgres-operator "${PG_CLUSTER_USER_SECRET_NAME}" -o go-template='{{.data.dbname | base64decode}}') psql -h localhost

cross plane
- deploy helm package (requires tiller)
- configure cloud resources with kubernetes yaml
- creates oci like images for xpackages
- providers for cf/gcp/ansible/terraform/kubernetes
- kube-provider manages operators/deployments across kubernetes clusters
hardening
- require authorization (default no auth)
- user accounts for rbac (default admin)
- disable mounting of service token in pods
- user namespace containers
- read-only fs
- drop capabilites
- encrypt secrets
- tls for services/kubelet/control plane
- kubeadm
  - kubeadm certs check-expiration
  - kubeadm certs renew
  - does not support rotating CA (9 year default)
vault
- manages ca and cert rotation
- init/unseal with pgp keys
- operator has webhook to avoid sidecar
  - configured through annotations and env vars
cluster api instead of federation
Gateway api instead of ingress api
kine is a shim for etcd to use mysql, postgres or sqlite as a backing store
- used with k3s along with tunnel proxy for simple kube setups
k8s device plugin for gpus as resource selectors
set system-reserved, kube-reserved, eviction-threshold for node allocatable limit if memory pressure/cpu starvation.
KEDA for scaling to zero cluster deployments with prometheus trigger on ingress
knative does not support non http (gateway extension?)
cilium cluster mesh routes across kubernetes cluster services
- uses ebpf and envoy
kind export logs after running create with --retain
add metrics server
- kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.5.0/components.yaml
  - kubectl patch -n kube-system deployment metrics-server --type=json -p '[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"--kubelet-insecure-tls"}]'

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
  HPAScaleToZero: true
  HPAContainerMetrics: true
  LogarithmicScaleDown: true
nodes:
- role: control-plane
- role: worker

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: resource-consumer-v2
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: resource-consumer
  minReplicas: 1
  maxReplicas: 5
  metrics:
  - type: Object
    object:
      metric:
        name: requests-per-second
      describedObject:
        apiVersion: networking.k8s.io/v1
        kind: Ingress
        name: main-route
      target:
        type: Value
        value: 10k