Orchestrating the Cloud with Kubernetes

📒 link

Overview

• Goal

  • Provision a complete Kubernetes cluster using Kubernetes Engine

  • Deploy and manage Docker containers using kubectl

  • Break an application into microservices using Kubernetes’ Deployments and Services

• Example Application -> github

  • kelseyhightower/monolith - Monolith includes auth and hello services.

  • kelseyhightower/auth - Auth microservice. Generates JWT tokens for authenticated users.

  • kelseyhightower/hello - Hello microservice. Greets authenticated users.

  • nginx - Frontend to the auth and hello services.

Kubernetes can run on many different environments, from laptops to high-availability multi-node clusters, from public clouds to on-premise deployments, from virtual machine to bare metal.

Setup and requirements

✔️ Set the zone

gcloud config set compute/zone us-central1-b

✔️ Start up a cluster

gcloud container cluster create io

Task 1. Get the sample code

✔️ Clone the GitHub repository from the Cloud Shell command line

gsutil cp -r gs://spls/gsp021/* .

✔️ Change into the directory needed for this lab

cd orchestrate-with-kubernetes/kubernetes

✔️ List the files to see what you’re working with

ls

deployments/  /* Deployment manifests */
  ...
nginx/        /* nginx config files */
  ...
pods/         /* Pod manifests */
  ...
services/     /* Services manifests */
  ...
tls/          /* TLS certificates */
  ...
cleanup.sh    /* Cleanup script */

Task 2. Quick Kubernetes Demo

✔️ Launch a single instace of the nginx container

kubectl create deployment nginx --image=nginx:1.10.0

✔️ View the running nginx container

kubectl get pods

✔️ Expose nginx container outside of Kubernetes

kubectl expose deployment nginx --port 80 --type LoadBalancer

✔️ List our services

kubectl get services

✔️ Add the External IP to this command to hit the Nginx container remotely

curl http://<External IP>:80

Task 3. Pods

• What is Pods?

  • The smallest deployable units of computing that you can create and manage in Kubernetes.

  • Group of one or more containers with shared storage and network resources, and a specification for how to run the containers.

• What is Volumnes?

  • Data disk that live as long as the pods live, and can be used by the containers in that pod.

• What is Namespace ?

  • Provides a mechanism for isolating groups of resources within a single cluster.

Untitled

Task 4. Creating pods

✔️ Pod configuration file

cat pods/monolith.yaml

apiVersion: v1
kind: Pod
metadata:
  name: monolith
  labels:
    app: monolith
spec:
  containers:
    - name: monolith
      image: kelseyhightower/monolith:1.0.0
      args:
        - "-http=0.0.0.0:80"
        - "-health=0.0.0.0:81"
        - "-secret=secret"
      ports:
        - name: http
          containerPort: 80
        - name: health
          containerPort: 81
      resources:
        limits:
          cpu: 0.2
          memory: "10Mi"

• Pod is made up of one container (ths monolith).

• You’re passing a few arguments to our container.

• You’re opening up port 80 for http traffic.

✔️ Create the monolith

kubectl create -f pods/monolith.yaml

✔️ Examine your pods. (Use the kubectl get pods command to list all pods running in the default namespace)

kubectl get pods

✔️ Get more information about the monolith pod

kubectl describe pods monolith

Task 5. Interacting with pods

By default, pods allocated a private IP address and cannot be reached outside of the cluster. Map a local port to a port inside the monolith pod

◾️ 2nd terminal

✔️ Set up port-forwarding

kubectl port-forward monolith 10080:80

◾️ 1nd terminal

✔️ Start talking to your pod

curl http://127.0.0.1:10080

✔️ See what heppens when you hit a secure endpoint

curl http://127.0.0.1:10080/secure

✔️ Logging in to get an auth token back from the monolith

curl -u user http://127.0.0.1:10080/login

✔️ Create an environment variable for the token (Since Cloud Shell does not handle copying long strings well, create an environment variable for the token.)

TOKEN=$(curl
http://127.0.0.1:10080/login -u
user|jq -r '.token')

✔️ Use the token to hit secure endpoint

curl -H "Authorization: Bearer
$TOKEN" http://127.0.0.1:10080/secure

✔️ View the logs for the monolith Pod

kubectl logs monolith

◾️ 3rd terminal

✔️ View the logs for the monolith Pod

kubectl logs monolith

Get a stream of the logs happening in real-time

kubectl logs -f monolith

✔️ In the 1st teminal to interact with the monolith, you can see the logs updating(in the 3rd terminal):

curl http://127.0.0.1:10080

✔️ Run an interactive shell inside the Monolith Pod. (This can come in handy when you want to troubleshoot from within a container)

kubectl exec monolith --stdin --tty
-c monolith -- /bin/sh

✔️ Once you have a shell into the monolith container you can test external connectivity

ping -c 3 google.com

Log out when done you’re done with interactive shell

exit

Kubectl make it easy to interacting with pods. If you need to hit a container remotely.

Task 6. Services

What is Services?

• An abstract way to expose an application running on a set of Pods as a network service.

• Kubernetes gives Pods their own IP addresses and a single DNS name for a set of Pods, and can load-balance across them.

services

Cluster IP (internal)

• The default type means that this Service is only visible inside of the cluster

NodePort

• NodePort gives each node in the cluster an externally accessible IP and

LoadBalancer

• Adds a load balancer from the cloud provider which forwards traffic from the service to Nodes within it.

Ref

• node port vs load balancer vs ingress

Task 7. Creating a service

Create a secure pod that can handle https traffic.

✔️ If you’ve changed directories, make sure you return to the ~/orchestrate-with-kubernetes/kubernetes directory

cd ~/orchestrate-with-kubernetes/kubernetes

✔️ Explore the monolith service configuration file

cat pods/secure-monolith.yaml

✔️ Creat the secure-monolith pods and their configuration data

kubectl create secret generic tls-certs --from-file tls/
kubectl create configmap nginx-proxy-conf --from-file nginx/proxy.conf
kubectl create -f pods/secure-monolith.yaml

✔️ Expose the secure-monolith Pod externally.

To do that, create a Kubernetes service.

cat services/monolith.yaml

kind: Service
apiVersion: v1
metadata:
  name: "monolith"
spec:
  selector:
    app: "monolith"
    secure: "enabled"
  ports:
    - protocol: "TCP"
      port: 443
      targetPort: 443
      nodePort: 31000
  type: NodePort

✔️ Create the monolith service rom the monolith service configuration file

kubectl create -f services/monolith.yaml

✔️ Allow traffic to the monolith service on the exposed nodeport

gcloud compute firewall-rules create allow-monolith-nodeport \
  --allow=tcp:31000

✔️ Get an external IP address for one of the nodes

gcloud compute instances list

✔️ Hitting the secure-monolith services using curl

curl -k https://<EXTERNAL_IP>:31000

Uh oh! that timed out.

Task 8. Adding labels to pods

✔️ See that you have quite a few pods running with the monolith label.

kubectl get pods -l "app=monolith"

✔️ But what about “app=monolith” and “secure-enabled”?

kubectl get pods -l "app=monolith,secure=enabled"

✔️ Add the missing secure=enavled label to the secure-monolith Pod.

kubectl label pods secure-monolith 'secure=enabled'
kubectl get pods secure-monolith --show-labels

Now that pods are correctly labeled.

✔️ View the list of endpoints on the monolith service

kubectl describe services monolith | grep Endpoints

✔️ Test this out by hitting one of our nodes again

gcloud compute instances list
curl -k https://<EXTERNAL_IP>:31000

Task 9. Deploying applications with Kubernetes

• What is Deployments ?

  • Declarative way to ensure that the number of Pods running is equal to the desired number of Pods, specified by the user.

• What is Replica Sets ?

  • Maintain stable set of replica Pods running at any given time.

  • It often used to guarantee the avaliability of a specified number of identical Pods.

deployments

Task 10. Creating a deployments

Monolith App with three separate pieces

• auth : Generates JWT tokens for authenticated users.

• hello : Greet authenticated users.

• frontend : Routes trafic to the auth and hello services

✔️ Deployment configuration file

cat deployments/auth.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: auth
spec:
  selector:
    matchlabels:
      app: auth
  replicas: 1
  template:
    metadata:
      labels:
        app: auth
        track: stable
    spec:
      containers:
        - name: auth
          image: "kelseyhightower/auth:2.0.0"
          ports:
            - name: http
              containerPort: 80
            - name: health
              containerPort: 81
...

✔️ Create deployment object

kubectl create -f deployments/auth.yaml

✔️ Create a service for your auth deployment

kubectl create -f services/auth.yaml

✔️ Create and Expose deployment

hello deployment

kubectl create -f deployments/hello.yaml
kubectl create -f services/hello.yaml

frontend deployment

kubectl create configmap nginx-frontend-conf --from-file=nginx/frontend.conf
kubectl create -f deployments/frontend.yaml
kubectl create -f services/frontend.yaml

✔️ Interact with the frontend by grabbing its External IP and then curling to it

kubectl get services frontend

curl -k https://<EXTERNAL-IP>

Summary

• Provision a complete Kubernetes cluster using Kubernetes Engine

• Deploy and manage Docker containers using kubectl

• Break an application into microservices using Kubernetes’ Deployments and a Services