Learn Kubernetes part 1 – Web application in a Kubernetes cluster

This is a tutorial to script a simple web application deployment in an enterprise grade Kubernetes cluster that you can follow on your Macintosh. You only need to install Docker and enable Kubernetes.

The frontend of the web application is represented by an NGINX container that listens on port 80 and returns the NGINX default page. The application is exposed outside of the cluster via a kubernetes/ingress-nginx NGINX Ingress Controller, at the address http://localhost

Save all files in the same directory. During the development process open a terminal in the directory of the files, and periodically test the configuration with kubectl apply -f . to check the code (don’t forget the period at the end of the command). This way Kubernetes will build the system step-by-step giving you continuous feedback.

I have used unique label values to demonstrate which labels make the connection between the resources using the label and selector values. Most of the time the application name is used as label for easy maintenance, but as you learn Kubernetes, it is important to understand the relationships between the resources..

Script the deployment

The deployment configures the containers running in the pods and contains the label that has to match the selector of the service.

Connect the deployment to the pods

The label in spec: selector: matchLabels: connects the deployment to the pods specified in the deployment template via the same deployment’s spec: template: metadata: labels:

app1-frontend-deployment.yam
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app1-frontend-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app1-frontend-template-label
  template:
    metadata:
      labels:
        app: app1-frontend-template-label
    spec:
      containers:
        - name: app1-frontend-container-label
          image: nginx:1.7.9
          ports:
          - containerPort: 80

Create the pod

Launch the pod from the terminal. Don’t forget the period at the end of the line.

 kubectl apply -f .

Test the pod

To make sure the container in the pod is running, we can test the pod. Get the list of pods

kubectl get pods
NAME          READY   STATUS    RESTARTS   AGE
MY_POD_NAME   1/1     Running   0          10m

Temporarily set up port forwarding to access the pod from outside of the cluster. We only use this to test the pod.

kubectl port-forward MY_POD_NAME 8080:80
Forwarding from 127.0.0.1:8080 -> 80
Forwarding from [::1]:8080 -> 80

Connect to the pod with a web browser. Navigate to http://127.0.0.1:8080/

You should see the NGINX default page.

To stop the port forwarding, press CTRL-C in the terminal.

See Kubernetes Deployments for more info

Script the service

The service specifies the environment variables of the pods backing the service and exposes the pods to the rest of the Kubernetes cluster or to the outside world.

Connect the service to the pods

The label in the service’s spec: selector: has to match the label in spec: template: metadata: labels: of the deployment.

We will expose the service outside of the cluster with type: LoadBalancer

app1-frontend-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: app1-frontend-service
spec:
  selector:
    app: app1-frontend-template-label
  type: LoadBalancer
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 80

See Kubernetes Services for more info.

Create the resources

To launch the application and configure the resources to expose it outside of the Kubernetes cluster, open a terminal in the directory where you saved the files and execute

 kubectl apply -f .

Accessing the application

To access the application get the address of the service

kubectl get service
NAME                    TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
app1-frontend-service   LoadBalancer   10.99.210.235   localhost     8080:32569/TCP   9s

Open a web browser and navigate to the address indicated by the EXTERNAL-IP and PORT: http://localhost:8080

You should see the NGINX default page

Delete the resources

If you want to delete these resources from the Kubernetes cluster, execute

kubectl delete -f .

Next: Learn Kubernetes part 2 – NGINX Ingress Controller

Kubernetes Ingress Controllers

For security reasons it is not a good practice to create individual load balancers for each service.

The safer way is to create one application load balancer outside of the cluster and launch ingress controller NGINX containers to proxy the traffic to the individual services.

Ingress

“Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster.”

To get the list of ingresses

kubectl get ingress

To show the details of an ingress

kubectl describe ingress

Creating an ingress

  • specify the URL of the application in spec: rules: – host:
    • if no host set, this rule handles the request to any URL
  • specify the path this rule applies to at spec: rules: – host: http: paths: – backend: path:
  • set the service name at spec: rules: … backend: serviceName:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress
spec:
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: app1-frontend-service
          servicePort: 80

Kubernetes Pods

A pod can contain one or multiple containers, usually one.

Kubernetes only recommends to launch multiple containers in a pod, when those containers need to share a volume. For example a syslog-ng container saves log files in a volume, a Splunk Heavy Forwarder container monitors them and sends the log entries to the Splunk Indexer.

Create a deployment to specify the image that will run in the pod as a container.To list the pods

kubectl get pods

To display the standard out (stdout) messages of a container

kubectl logs MY_POD_NAME

Execute a command in a container of a pod. As usually there is only one container runs in the pod, we don’t have to specify the container name.

kubectl exec -it MY_POD_NAME /bin/bash

If the pod has multiple containers add the –container option

kubectl exec -it MY_POD_NAME --container MY_CONTAINER_NAME /bin/bash

Kubernetes Deployments

You only need a deployment to launch a container in Kubernetes. Deployments tell Kubernetes

  • what container to run by specifying the Docker image name and tag
    • spec: template: spec: containers: – image:
  • when to pull the image from the registry
    • spec: template: spec: containers: imagePullPolicy:
      • If the image is always rebuilt with the same version, like “latest”, set the policy to Always to disable the image caching
  • what to do when the container crashes
    • spec: template: spec: containers: restartPolicy:
      • usually set to Always
  • how many replicas to launch simultaneously
    • spec: replicas
  • how to map this deployment to actual running containers
    • The label in spec: selector: matchLabels: connects the deployment to the pod specified in the deployment template via the same deployment’s spec: template: metadata: labels:
  • the way Kubernetes should replace containers when we update the deployment
    • strategy:
      • rollingUpdate (default)
  • the namespace
    • metadata: namespace:
      • if not specified, the “Default” namespace is used
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app1-frontend-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: app1-frontend-template-label
  template:
    metadata:
      labels:
        app: app1-frontend-template-label
    spec:
      containers:
        - name: app1-frontend-container-label
          image: nginx:1.7.9
          ports:
          - containerPort: 80

To list all deployments

kubectl get deployments

To launch the container specified in the deployment file

kubectl apply -f ./MY_DEPLOYMENT_FILE.yml

Display information about the deployment

kubectl describe deployment MY_DEPLOYMENT

The deployment creates pods. A pod can contain one or multiple containers, usually one. To list the pods

kubectl get pods

Working with Kubernetes in enterprise settings

How many Kubernetes clusters do I need?

Clusters

First, we want to separate the non-production and production environments:

  • Create two Kubernetes clusters for every application or application suite. One for pre-production and one for production.

Namespaces

We also want to separate each non-production and production like environment. Kubernetes offers namespaces to create segregated areas, resources in separate namespaces cannot see each other. Create a namespace for each environment:

  • In the non-production cluster
    • Dev namespace
    • QA namespace
    • UAT namespace
  • In the production cluster
    • Demo namespace
    • Stage namespace
    • Production namespace

To list all resources in a namespace use the -n option in the commands

kubectl get all -n MY_NAMESPACE

Security

Load Balancers

Load balancers are external to the cluster and point to the nodes to expose the applications outside of the cluster.

For security reasons large organizations don’t allow the creation of multiple load balancers. During the cluster creation they temporarily lift the restriction and one ingress load balancer is created. All inbound communication to the cluster passes through that load balancer.

Container images

Do not use the :latest version, as it is hard to control the actual version of the launched image and to roll back to an earlier (unidentified) version.

Use the imagePullPolicy: Always. The Docker caching semantics makes it very efficient, as the layers are cached in the cluster to avid unnecessary downloads..

Order of resource creation

Install the CoreDNS  add-on to provide in-cluster DNS service for pods, so all pods can find all services by name within the cluster.

Create the service before the deployment it refers to, because the service passes environment variables into the deployment when the containers start.

Create the target service and deployment before the caller deployment, so the target is available when the request is generated.

Switch between Kubernetes clusters

Companies launch multiple Kubernetes clusters, and the DevOps team needs access to all of them. The kubectl command-line utility can only work with one cluster at a time. To work with multiple Kubernetes clusters you need to switch between Kubernetes configurations on your workstation.

To connect to a Kubernetes cluster, add the cluster-info to the ~/.kube/config file. If you use AWS EKS the simplest way is to use the AWS CLI to update the file.

aws eks --region MY_REGION update-kubeconfig --name MY_CLUSTER_NAME

To see the configuration values execute

kubectl config view

To test the connectivity execute

kubectl get svc

If you are not the creator of the cluster you will get the error message

error: You must be logged in to the server (Unauthorized)

To access the cluster, in the [default] profile of the ~/.aws/credentials file use the access keys of the account that created the cluster. For more information see How do I resolve an unauthorized server error when I connect to the Amazon EKS API server?

Get the list of configured Kubernetes clusters. The asterisk in the first column of the output shows the currently selected cluster.

kubectl config get-contexts

Switch to another cluster

kubectl config use-context THE_VALUE_OF_THE_CONTEXT_NAME # (the name:attribute of the context)

To remove a cluster from the kube config

Display the config 

kubectl config view

Delete the user

kubectl config unset users.THE_NAME_VALUE_OF_THE_USER

Delete the cluster

kubectl config unset clusters.THE_NAME_VALUE_OF_THE_USER

Delete the context

kubectl config unset contexts.THE_NAME_VALUE_OF_THE_CONTEXT

Kubernetes Deployment Scaling

Get all deployments

kubectl get deployments

Get all pods

kubectl get pods

Scale the deployment

kubectl scale deployment --replicas=4 MY_DEPLOYMENT_NAME

Check the result of the scaling with

kubectl get deployments
kubectl get pods -o wide

Get the deployment events at the end of the output of

kubectl describe deployments/MY_DEPLOYMENT_NAME

To scale down the replicas, execute the scale command again

kubectl scale deployments/MY_DEPLOYMENT_NAME --replicas=2

Kubernetes Services

Kubernetes Services route traffic across a set of pods. The service specifies how deployments (applications) are exposed to each other or the outside world.

Source https://kubernetes.io/docs/tutorials/kubernetes-basics/expose/expose-intro/

Service types

The service type specifies how the deployment will be exposed

ClusterIP

The ClusterIP service is only visible within the cluster. To expose the pod to other services in the cluster

  • set the published port with spec: port:
  • set the port inside the container with spec: targetPort:
  • other services can find this service by its name, specified by metadata: name: even if the IP address of the pod changes
  • spec: selector: specifies the label of the template within the deployment. All pods started by the template will back the service.
  • set the service type to ClusterIP with spec: type: to only expose it within the cluster. Use Ingress to expose your Service outside of the cluster with consolidated proxy rules via a single IP address.
apiVersion: v1
kind: Service
metadata:
  name: app1-frontend-service
spec:
  selector:
    app: app1-frontend-template-label
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 80

LoadBalancer

Creates a load balancer external to the cluster and points itself to the nodes to expose the application outside of the cluster.

For security reasons large organizations don’t allow the creation of multiple load balancers. During the cluster creation they temporarily lift the restriction and one ingress load balancer is created. All inbound communication to the cluster passes through that load balancer.

Best practices

Don’t specify the hostPort for a Pod unless it is really necessary, as it limits the flexibility of the resource creation, because each hostIP, hostPort, protocol combination has to be unique within the cluster.

Avoid using the hostNetwork as it also limits the networking flexibility.

Use the IPVS proxy mode, as other proxy modes, userspace and iptables are based on iptables operations that slow down dramatically in large scale cluster e.g 10,000 Services. IPVS-based kube-proxy also has more sophisticated load balancing algorithms (least conns, locality, weighted, persistence).

Commands

List all pods

kubectl get pods

List all deployments

kubectl get deployments

List all services of the cluster. 

kubectl get services

Create a new service and expose a poet of the pod via a node port (the same random port on every node)

kubectl expose deployment/MY_DEPLOYMENT_NAME --type="NodePort" --port 8080

To find the IP and port of the endpoint where the service is exposed, see the value of the ‘Endpoints:’ in the output of the describe command

kubectl describe services/MY_SERVICE_NAME

The endpoint is the pod IP and port. If the service is a web site or API you can test it with

curl ENDPOINT_IP:ENDPOINT_PORT

To test the pod via the service get the Kubernetes cluster IP and use the ‘NodePort:’ value

curl CLUSTER_IP:NODE_PORT

Get the ‘Labels:’ of the service from the output of the describe command above. List the pods of the service

kubectl get pods -l run=LABEL_IN_SERVICE

List the service of the pod by label

kubectl get services -l run=LABEL_IN_SERVICE

Add a new label to the pod

kubectl label pod MY_POD_NAME app=v1

Display the pod information

kubectl describe pods MY_POD_NAME

Delete the service by label

kubectl delete service -l run=LABEL_IN_SERVICE