Kubernetes Dictionary
This is a list of common Kubernetes (k8s) concepts and terms that one faces on a daily basis.
Account: there are two types of accounts in Kubernetes, user accounts and service accounts. User accounts are for humans and service accounts are for workloads. A user account could be an administrator accessing the cluster to perform administrative tasks or a developer deploying applications; a service account is the identity an application running in a Pod uses to interact with the Kubernetes API. Note that Kubernetes has no API object for users: they are authenticated by an external mechanism (client certificates, an OIDC provider, a cloud IAM integration), whereas service accounts are ServiceAccount objects managed by the API server itself.
Annotation: a place to store non-identifying metadata on Kubernetes objects, giving people and tools more context about an object. Like labels, annotations are key/value pairs, but they cannot be used in selectors; controllers often read them as configuration (an Ingress controller or ExternalDNS, for example).
A/B Testing: the practice of running two release versions of a piece of software simultaneously and forwarding traffic to one or the other according to routing configuration. It allows running multiple variants of a feature in parallel, so that analytics of user behaviour can determine the better variant.
ConfigMap: in programming, we use env files or separate configuration files to store the settings, configuration or variables a program needs. In k8s, ConfigMaps serve the same purpose: a ConfigMap is an API object that stores non-confidential data as key/value pairs. Pods can consume a ConfigMap as a configuration file, as environment variables, or as command-line arguments. ConfigMaps are not encrypted and are readable by anyone with get access to them in the namespace, so credentials belong in Secrets, never in ConfigMaps.
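The three consumption modes above in one manifest, as an added example that is not part of the original page. The namespace demo, the ConfigMap name app-config and the keys are made up for illustration; the busybox image is used only because it has a shell.

```yaml
# Added example: one ConfigMap consumed as an environment variable, as a
# command-line argument and as a file. Names (demo, app-config) are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
  namespace: demo
data:
  LOG_LEVEL: "info"            # consumed as an environment variable
  listen.port: "8080"          # consumed as a command-line argument
  app.properties: |            # consumed as a file
    feature.flag=true
    retries=3
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: demo
spec:
  automountServiceAccountToken: false   # this Pod never talks to the API server
  containers:
    - name: app
      image: busybox:1.36
      command: ["sh", "-c"]
      # $(PORT) is expanded by the kubelet from the env vars declared on this
      # container, so a ConfigMap value used as an argument must come in as an
      # env var first.
      args: ["echo listening on $(PORT); cat /etc/app/app.properties; sleep 3600"]
      env:
        - name: LOG_LEVEL
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: LOG_LEVEL
        - name: PORT
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: listen.port
      volumeMounts:
        - name: config
          mountPath: /etc/app
          readOnly: true
  volumes:
    - name: config
      configMap:
        name: app-config
        items:                 # mount only the keys the program needs
          - key: app.properties
            path: app.properties
```

A difference worth knowing: a file mounted from a ConfigMap is updated in the running container (eventually, on the kubelet's sync period) when the ConfigMap changes, whereas environment variables and arguments are fixed at container start and need a Pod restart to pick up a change.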
ClusterIP: the default Service type and the one to use for service-to-service access inside the cluster. The Service gets a virtual IP from the cluster's service address range that is reachable only from within the cluster, never from outside. To visualise it: think of a gated housing society in a big city, made up of several high-rise towers, each with many flats and a family living in each flat. Each tower has one common address with a gate that leads to the individual flats, so to reach a flat in tower B you first go to tower B's gate and only then to the flat's local address inside. The tower addresses are the ClusterIPs: each is a single, stable endpoint (the Service) in front of the Pods (the families), which have their own Pod IPs that change as Pods come and go.
ClusterRole: a Role grants permissions on resources within one namespace; if you need to grant permissions at cluster level, use a ClusterRole. It is similar to a Role, but it can grant cluster-scoped permissions such as access to nodes or to a resource across all namespaces. A ClusterRole can also be referenced from a namespaced RoleBinding, in which case its rules apply only within that namespace; this is a common way to define a permission set once and reuse it per namespace.
ClusterRoleBinding: grants the permissions of a ClusterRole to a subject cluster-wide, i.e. in all namespaces. Because it is cluster-wide, binding a powerful ClusterRole such as cluster-admin this way should be rare and reviewed.
DaemonSet: ensures that all (or a selected set of) nodes in your Kubernetes cluster run a copy of a Pod; typical uses are log shippers, monitoring agents and network plugins. When a node joins the cluster the Pod is scheduled onto it automatically.
Deployment: runs multiple replicas of the same application and automatically replaces instances that fail. It provides declarative updates for Pods and ReplicaSets: you describe a desired state in the Deployment, and the Deployment controller changes the actual state to the desired state at a controlled rate. A Deployment creates a new ReplicaSet for each new Pod template (for example a new image tag) and scales the old one down, which is how rolling updates and rollbacks work.
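A Deployment as a practitioner would write it, added here as an example and not taken from the original page. It shows the selector/label pairing, a rolling-update policy that never drops below the desired count, and the Pod-level hardening (non-root, read-only root filesystem, no capabilities, no API token) that a workload not needing any of those should always carry. The namespace demo and the name web are assumptions; nginxinc/nginx-unprivileged is a public image that listens on 8080 as a non-root user and writes only under /tmp.

```yaml
# Added example: hardened Deployment. Names (demo, web) are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: demo
  labels:
    app: web
  annotations:
    owner: platform-team           # non-identifying metadata (see Annotation)
spec:
  replicas: 3                      # the ReplicaSet this Deployment creates keeps 3 Pods running
  selector:
    matchLabels:
      app: web                     # must match the Pod template labels below
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0            # never go below 3 Ready Pods during a rollout
      maxSurge: 1                  # at most one extra Pod while the new ReplicaSet comes up
  template:
    metadata:
      labels:
        app: web
    spec:
      automountServiceAccountToken: false   # the web server never calls the Kubernetes API
      securityContext:
        runAsNonRoot: true         # kubelet refuses to start the container if the image runs as uid 0
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: web
          image: nginxinc/nginx-unprivileged:1.25
          ports:
            - containerPort: 8080
          readinessProbe:          # a rollout only proceeds once the new Pod answers
            httpGet:
              path: /
              port: 8080
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: tmp            # the only writable path this image needs
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
```

The same Pod template under kind: DaemonSet (without replicas and strategy) gives the per-node variant from the previous entry. `kubectl rollout status deployment/web -n demo` follows a rollout and `kubectl rollout undo deployment/web -n demo` switches back to the previous ReplicaSet.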
Dashboard: a web-based Kubernetes user interface. It can be used to deploy containerized applications to a cluster, troubleshoot them and manage cluster resources: you get an overview of the applications running on the cluster and can create or modify individual Kubernetes resources (Deployments, Jobs, DaemonSets and so on), for example scale a Deployment, initiate a rolling update, restart a Pod or deploy a new application through a wizard. Dashboard also shows the state of the cluster's resources and any errors that have occurred. It acts with whatever permissions its service account is given, so never bind cluster-admin to it and never expose it to the Internet without authentication in front of it.
ExternalDNS: in short, it makes Kubernetes resources discoverable via public DNS servers. Kubernetes has an internal DNS service (CoreDNS in most clusters) that automatically assigns DNS names to Services, and optionally Pods, inside the cluster. That works well and can be customised, but it covers only cluster-internal names. When part of the cluster has to be reached from outside, for instance in a public cloud such as AWS or Google Cloud, we want a component that talks to the cloud provider's DNS API and creates or updates the A or CNAME records pointing at the load balancers that expose those services. That is what the ExternalDNS project does: it is a Kubernetes controller whose purpose is to create DNS records automatically for Ingress and Service resources, driven by the hostnames in those objects and by annotations such as external-dns.alpha.kubernetes.io/hostname.
Helm: a package manager for k8s. It packages a set of Kubernetes YAML manifests into a chart and distributes charts through public or private repositories.
Helm Chart: Helm packages are called charts: a collection of templated YAML manifests plus a Chart.yaml describing the chart and a values.yaml with default values. Often someone else has bundled their project as a chart and open-sourced it by pushing it to a Helm repository; we can download and use it right away, or create our own chart and publish it for the community. Before installing a third-party chart, render it and review the manifests, especially RBAC rules and privileged Pod settings, since a chart installs whatever it contains.
Helm Templates: many applications need deployment manifests that are nearly identical, differing only in a few values here and there. It is better to create common blueprints and replace the dynamic values with placeholders; these blueprints are templates, and values are passed into the placeholders through a values.yaml file or the --set flag at install time.
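A minimal chart showing the template/values split, added as an example rather than taken from the original page or any published chart. Three files of a hypothetical chart named web are shown in one block, separated by file-name comments; the chart name, values and image are assumptions.

```yaml
# Added example: three files of a hypothetical Helm chart (names are assumptions).

# --- Chart.yaml: identifies the chart
apiVersion: v2
name: web
version: 0.1.0

# --- values.yaml: defaults, overridden per environment with -f or --set
image:
  repository: nginxinc/nginx-unprivileged
  tag: "1.25"
replicaCount: 2
runAsNonRoot: true

# --- templates/deployment.yaml: the blueprint; {{ }} placeholders are filled at render time
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-web          # .Release.Name is the name given at install time
  labels:
    app.kubernetes.io/name: {{ .Chart.Name }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ .Chart.Name }}
  template:
    metadata:
      labels:
        app.kubernetes.io/name: {{ .Chart.Name }}
    spec:
      securityContext:
        runAsNonRoot: {{ .Values.runAsNonRoot }}   # keep hardening in values so it is visible, not buried in the template
      containers:
        - name: web
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          ports:
            - containerPort: 8080
```

`helm template demo ./web --set replicaCount=3` renders the manifests locally without touching a cluster, which is the place to review what a chart will actually create before `helm install demo ./web -f prod-values.yaml` applies it. Precedence is --set over -f files over the chart's own values.yaml, so a stray --set runAsNonRoot=false on the command line silently overrides a hardened values file.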
Ingress: an API object that manages external access to the Services in a cluster, typically HTTP and HTTPS. It is a collection of routing rules, by host and path, that govern how external clients reach Services running in the cluster; in a nutshell, an API for routing HTTP traffic into a cluster. It is not only for bringing external traffic in, but that is what it is commonly used for. By itself an Ingress object does nothing: an Ingress Controller has to be installed to act on it.
Ingress Controller: an Ingress is not a type of Service. Instead it sits in front of multiple Services and acts as a "smart router" or entry point into the cluster, and the Ingress Controller is the component that implements it: just another Pod (usually run by a Deployment) that reads Ingress resources and configures a reverse proxy or a cloud load balancer accordingly. For EKS with the AWS ALB ingress controller, the controller Pod needs a service account, an IAM role and an IAM policy so that it can create load balancers on your behalf. A simple analogy: the Ingress is the gun, the Ingress Controller is the soldier holding it, and the Ingress rules are the person telling the soldier where to shoot.
Ingress Controller Types: NGINX Ingress Controller, the old AWS ALB Ingress Controller and its successor the AWS Load Balancer Controller, HAProxy, Traefik, Contour, Kong Ingress Controller.
Ingress Resource vs Ingress Controller: the Ingress resource is the object holding a set of routing rules; the Ingress Controller is the running component that watches those objects and turns the rules into proxy or load-balancer configuration. Several controllers can coexist in one cluster, and the ingressClassName field on an Ingress selects which one handles it.
Ingress Traffic Mode: for the AWS Load Balancer Controller there are two target types as of now, instance mode and IP mode. In instance mode the ALB forwards to a NodePort on the worker nodes, which then route to the Pods, so the backing Service must be of type NodePort; in IP mode the ALB sends traffic straight to the Pod IPs, which requires VPC-routable Pod addresses (as with the AWS VPC CNI).
IAM OIDC: an IAM OIDC identity provider is an entity in AWS IAM that describes an external identity provider (IdP) supporting the OpenID Connect standard, such as Google or Salesforce, or an EKS cluster's own OIDC issuer. An IAM role whose trust policy trusts that provider can then be assumed by identities the IdP vouches for: they exchange an OIDC token for temporary AWS security credentials through sts:AssumeRoleWithWebIdentity. On EKS this is the basis of IAM Roles for Service Accounts (IRSA): the cluster issues a projected service account token, and a Pod whose service account carries the eks.amazonaws.com/role-arn annotation can assume that role without any long-lived AWS keys in the cluster.
Labels: key/value pairs intended to specify identifying attributes of objects that are meaningful and relevant to users. Kubernetes does not interpret their meaning, but selectors (in Services, Deployments, NetworkPolicies and kubectl -l) match on them, so labels are the fundamental handle used for grouping, viewing and operating on objects.
LoadBalancer: this Service type uses an external load balancer to expose a Service to the Internet. You can use it in production, but Ingress is often preferred because one Ingress can front many Services. Creating a LoadBalancer Service makes the cloud provider provision an external load balancer with its own IP address (or DNS name) that forwards external traffic to the Service in your cluster. Unless you restrict it, for instance with loadBalancerSourceRanges, that address is open to the whole Internet.
Layer 4 Load Balancing: operates at the intermediate transport layer, which deals with delivering segments without regard to the content of the messages. Transmission Control Protocol (TCP) is the Layer 4 protocol carrying Hypertext Transfer Protocol (HTTP) traffic on the Internet. Layer 4 load balancers simply forward network packets to and from the upstream server without inspecting their content; they can make limited routing decisions by inspecting addresses, ports and the first few packets of the TCP stream. A Layer 4 balancer does not terminate TLS, so the encrypted connection reaches the backend intact, but the balancer cannot route on URLs or headers.
Layer 7 Load Balancing: operates at the high-level application layer, which deals with the actual content of each message. HTTP is the predominant Layer 7 protocol for website traffic on the Internet. Layer 7 load balancers route traffic in a much more sophisticated way than Layer 4 load balancers, particularly for TCP-based protocols such as HTTP. A Layer 7 load balancer terminates the connection and reads the message within; it can make a load-balancing decision based on the content of the message (the URL or a cookie, for example), then opens a new TCP connection to the selected upstream server (or reuses an existing one via HTTP keepalives) and writes the request to it. Because it terminates TLS, it holds the server certificate and sees the plaintext, and the hop from balancer to backend needs its own TLS if that network is not trusted.
Namespaces: a logical partition of one physical cluster, often described as a virtual cluster. Names are unique within a namespace, and namespaced objects such as Roles, ResourceQuotas and NetworkPolicies are scoped to it. A namespace is not a security boundary on its own: Pods in different namespaces can talk to each other and share the same nodes unless NetworkPolicies, RBAC and scheduling constraints enforce the isolation.
NodePort: opens a specific port (from the 30000-32767 range by default) on every node (the VMs), and any traffic sent to that port on any node is forwarded to the Service. Kubernetes transparently routes incoming traffic on the NodePort to your Service even if the backing Pod runs on a different node. Because the port is open on every node's address, anything that can reach the node network can reach the Service; firewall the nodes accordingly.
Manifest File: essentially a Kubernetes "API object description". A manifest specifies the desired state of an object, which Kubernetes maintains once you apply the manifest. One configuration file can contain multiple manifests, separated by --- lines.
Pod: a single instance of an application, the smallest deployable object in k8s. A Pod holds one or more containers that share a network namespace (one IP address) and can share volumes.
Package Manager: a collection of software tools that automates installing, upgrading, configuring and removing programs for an OS in a consistent manner; in a programming language it is the tool that creates project environments and imports external dependencies. Helm plays this role for Kubernetes.
Public Endpoint Expose for Deployed Applications: public endpoints are usually exposed via Services of type LoadBalancer. Kubernetes calls the cloud provider's API to create a load balancer offered by that provider (for Amazon, an Elastic Load Balancer). Each load balancer the cloud provider creates incurs cost, so it is recommended to keep the number of balancers relatively low, typically by putting one Ingress in front of many Services. When the cloud provider provisions a load balancer it is assigned a public IP and a generated DNS name; that is the address that points at the LoadBalancer-type Service, which in turn points at the Pods running the application. Every such endpoint is directly reachable from the Internet, so treat it as exposed attack surface: restrict source ranges where possible and terminate TLS on it.
RBAC: Role Based Access Control, the authorization mechanism for managing permissions on Kubernetes resources. Permissions are purely additive, there are no deny rules: a subject can do exactly what the union of its bindings grants and nothing else by default.
ReplicaSet: maintains a stable set of replica Pods running at all times. It is normally created and managed by a Deployment rather than written by hand.
Role: defines what can be done to a set of resources within one namespace. It contains a set of rules, each naming API groups, resources (including subresources such as pods/log) and verbs (get, list, watch, create, update, patch, delete), which together define a set of permissions.
RoleBinding: grants the permissions of a Role (or a ClusterRole) to a subject within a particular namespace. Subjects are users, groups or service accounts accessing the Kubernetes API. The binding is what actually allows the subject to perform the operations the Role lists; a Role without a binding grants nothing.
Service: sits in front of Pods and acts as a load balancer; it gets a stable virtual IP address and is essentially a front end for your application that routes traffic to the available Pods, evenly distributed across them. Services are an abstract way of exposing an application running on a set of Pods as a network service. Pods are ephemeral: when they die they are not resurrected, and the controller managing them creates new Pods, with new IPs, on the same node or another node. Like Pods and Deployments, Services are Kubernetes resources. A Service therefore provides a single stable point of access to a group of replica Pods, from inside the cluster (ClusterIP) or from outside it (NodePort, LoadBalancer), regardless of which Pods are alive at the moment.
Service Account: service accounts provide an identity for Pods. Pods that interact with the API server authenticate as a particular service account, using a token the kubelet mounts into the container. By default a Pod runs as the default service account of its namespace, so an application in the test namespace uses the default service account of test, and by default that token is mounted whether or not the application needs it. Two practical rules: never bind RBAC permissions to the default service account, and set automountServiceAccountToken: false on Pods (or on the service account) that do not call the API, so that a compromised container does not hand an attacker an API credential.
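The Service entry above and the ClusterIP, NodePort, LoadBalancer and ExternalDNS entries earlier, illustrated by one added example that is not part of the original page: an internal ClusterIP Service and a public LoadBalancer Service selecting the same Pods. The namespace demo, the label app: web, the hostname web.example.com and the source range (a documentation-only address block) are assumptions.

```yaml
# Added example: internal and public Services for the same Pods. Names are assumptions.
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: demo
spec:
  type: ClusterIP                  # default: one stable virtual IP, reachable only inside the cluster
  selector:
    app: web                       # the endpoints are the Ready Pods carrying this label
  ports:
    - name: http
      port: 80                     # what in-cluster clients dial: web.demo.svc.cluster.local:80
      targetPort: 8080             # the containerPort the Pods actually listen on
---
apiVersion: v1
kind: Service
metadata:
  name: web-public
  namespace: demo
  annotations:
    # Read by ExternalDNS, if it is installed: it creates the DNS record pointing
    # at the load balancer the cloud provider allocates for this Service.
    external-dns.alpha.kubernetes.io/hostname: web.example.com
spec:
  type: LoadBalancer               # type: NodePort would instead open a port in 30000-32767 on every node
  selector:
    app: web
  ports:
    - name: http
      port: 80
      targetPort: 8080
  externalTrafficPolicy: Local     # preserve the client's source IP for logs; only nodes with a local Pod answer
  loadBalancerSourceRanges:        # who may reach the balancer at all (honoured by providers that support it)
    - 203.0.113.0/24               # placeholder range; replace with the real client networks
```

`kubectl get endpoints web -n demo` lists the Pod IPs the Service currently forwards to; an empty list means the selector matches nothing or no Pod is Ready, which is the first thing to check when a Service "does not work".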
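The RBAC entries (Role, RoleBinding, ClusterRole, ClusterRoleBinding) and the Service Account entry above, as one added example rather than code from the original page: a dedicated service account, a namespaced Role for reading Pods and their logs, a ClusterRole reused inside one namespace through a RoleBinding, and a Pod that opts in to the token only because it genuinely calls the API. The namespace demo and all object names are assumptions; bitnami/kubectl is a public image containing kubectl.

```yaml
# Added example: least-privilege RBAC for a log-reading Pod. Names are assumptions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: log-reader
  namespace: demo
automountServiceAccountToken: false      # Pods using this account opt in explicitly
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                               # namespaced: these rules exist only in "demo"
metadata:
  name: pod-log-reader
  namespace: demo
rules:
  - apiGroups: [""]                      # "" is the core API group
    resources: ["pods", "pods/log"]      # pods/log is a subresource and must be listed separately
    verbs: ["get", "list", "watch"]      # no secrets, no create/delete, no exec
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: log-reader-binding
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: log-reader
    namespace: demo
roleRef:
  kind: Role
  name: pod-log-reader
  apiGroup: rbac.authorization.k8s.io
---
# A ClusterRole defines the rule set once. Referenced from a namespaced
# RoleBinding (below) it applies only inside "demo"; referenced from a
# ClusterRoleBinding it would apply in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: configmap-viewer
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: configmap-viewer-demo
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: log-reader
    namespace: demo
roleRef:
  kind: ClusterRole                      # ClusterRole bound at namespace scope
  name: configmap-viewer
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: log-tailer
  namespace: demo
spec:
  serviceAccountName: log-reader
  automountServiceAccountToken: true     # this Pod really does call the API; Pod setting overrides the account's
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001
  containers:
    - name: kubectl
      image: bitnami/kubectl:1.29
      args: ["logs", "-n", "demo", "-l", "app=web", "-f"]   # uses the mounted token automatically
```

Verify the boundary before trusting it: `kubectl auth can-i get pods/log -n demo --as=system:serviceaccount:demo:log-reader` should answer yes, and `kubectl auth can-i get secrets -n demo --as=system:serviceaccount:demo:log-reader` and `kubectl auth can-i get configmaps -n other --as=system:serviceaccount:demo:log-reader` should both answer no.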
Secrets: an object that holds a small amount of sensitive data such as a password, a token or a key, consumed by Pods as files or environment variables. The values are only base64-encoded, not encrypted: anyone with get or list on secrets in the namespace can read them, and they sit in plaintext in etcd unless encryption at rest is configured. RBAC on secrets and etcd encryption are part of the design, not an afterthought.
Server Certificates: a method of proving a server's identity to its clients (and, with client certificates, the reverse). To establish trust, server certificates should be issued by a Certificate Authority (CA) that every client recognises. Kubernetes stores a certificate and its private key in a Secret of type kubernetes.io/tls, which is what an Ingress references to terminate TLS.
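A Secret consumed the safer way, as a file with restrictive permissions inside a non-root container, added as an example and not taken from the original page. The namespace demo, the Secret name and the credential values are placeholders; busybox is used only because it has a shell.

```yaml
# Added example: Secret mounted as a file. Names and values are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: demo
type: Opaque
stringData:                            # plain text in the manifest; the API server stores it base64-encoded under .data
  username: app
  password: example-only-change-me     # placeholder; real values never belong in a committed manifest
---
apiVersion: v1
kind: Pod
metadata:
  name: db-client
  namespace: demo
spec:
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000                      # secret files are created root:1000 with the group read bit, so uid 1000 can read them
  containers:
    - name: client
      image: busybox:1.36
      command: ["sh", "-c", "cat /var/run/secrets/db/username; sleep 3600"]
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: creds
          mountPath: /var/run/secrets/db
          readOnly: true
  volumes:
    - name: creds
      secret:
        secretName: db-credentials
        defaultMode: 0440              # owner and group read only; no world-readable credential files
```

`kubectl get secret db-credentials -n demo -o jsonpath='{.data.password}' | base64 -d` prints the password for anyone allowed to get the Secret, which is why the RBAC example above grants no access to secrets and why etcd encryption at rest (an EncryptionConfiguration, or the KMS option on managed clusters) matters. Files are preferred over env vars because a process environment is inherited by every child process and tends to end up in crash reports and debug output.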
Comment from a Site Reliability Engineer-Application Support Lead | Axiom CV-9 | "Empowering Efficiency, System Reliability, Bridging Technology & Business for Seamless Applications with Expert Support" (3 years ago): Great one for beginners to understand fundamental terminology.