Introduction to GKE

The blog is an introduction to the theory of Kubernetes on Google Cloud Platform. This is somethimes reffered to as GKE on GCP.

GKE has the following Key Features of a managed service:

  • Fault Tolerance
  • Auto healing
  • Isolation
  • Scaling
  • Autoscaling
  • Load Balancing

Pods objects

  • Container run isolated inside a pod
  • Cannot run a container without enclosing pod
  • Pods act as a sandbox for enclosed containers
  • Multi-container pods are possible but not usally recommended (maybe for Apps that share memory)
  • YAML code creates the desired end state of the object
  • Pods are automatically assigned a unique IP address

Higher-level abstractions objects

Kubernetes works with these abstractions to provider FT / Healing / Scaling etc

  • ReplicaSet, ReplicationController
    • scaling and healing
    • Multiple copies of the pod are managed by replica sets
    • If pod crashes – replica set will start a new on
  • Deployment
    • Versioning and Rollback
    • Easy to push new version of a container
    • Triggers creation of new ReplicaSet and new containers
    • Pods in old ReplicaSet gradually reduce to zero
  • Services (service objects)
    • Static (non-ephemeral) IP addresses
    • Stable networking
    • Containers expose ports in pod spec
    • Load balancers can be used for traffic management
    • Kubernetes uses label metadata to chose pods to expose – this enables dynamic addresses to pods
  • Persistent Volumes
    • Non-ephemeral storage
    • Permanent storage that outlives individual pods and containers
    • Shared state
    • Can leverage GCP services – cloud storage / cloud sql / big table etc
    • Persistent volumes provisioned by:
      • STATIC – Administrator pre-creates the volume
      • DYNAMIC – Container gain access by filing PersistentVolumeClaim
Volumes Persistent State
Storage abstraction with life longer than individual container inside pod Storage abstraction with life longer than individual pod
Life tied to life of pod Life not tied to life of pod

Kubernetes manages the Master node, worker nodes, Job scheduling, resource allocation and desired state configuration. Kubernetes manages the replica sets automatically.

Load Balancing Service

Has:

  • Stable front-end IP
  • Forward rules to funnel traffic
  • Connects to backend server
  • Distributes load intelligently
  • Healthchecks can create new node and avoid damaged nodes

Ingress Service

Ingress service is a Kubernetes object with a set of rules that allow inbound connects to reach clustered services. On GKE, a single ingress object can control access to multiple services.

Ingress objects make sense of defined rules to point traffic at service or multiple services.

Ingress supports:

  • Externally reachable URLs
  • Load Balancing (HTTP enabled by default)
  • SSL Termination
  • Name-based Virtual hosting

StatefulSets and DeamonSets

StatefulSets are a set of pods, similar to ReplicaSet – but with some important differences:

  • Pods created are unique
  • Identified by name
  • Not interchangeable
  • Always associated with persistent volume

DaemonSets manage groups of replicated pods:

  • Attemps to keep one pod per node
  • Across all nodes or a subset
  • As nodes added, pods created too
  • As nodes removed, pods are garbage collected

DeamonSets are used for background processes such as:

  • Cluster storage daemons
  • Log Collection daemons
  • Node Monitoring daemons
  • DaemonSets not scalable

Binary Authorization

A deploy-time security control tat ensures only trusted container images are deployed on Google Kubernetes Engine.

  • Require images to be signed by trusted authorities
  • Signing must occur during development
  • Signature validation during deployment
  • Reduces risk of malicious or unintended code in production
  • Integrates with Google Container registry vulnerability scanning

BA process

  1. Configure Policy
    1. Set of rules that govern image deployment
    1. Deafult and cluster specific rules, exempt images
  2. Set up Attestor
    1. Entity that signs off that due process followed
    1. Human or build and test system with public key
  3. Sign container image     
    1. Create Attestation
    1. Digitally signed record with full path to image
  4. Deploy container image
    1. Process the exact same as normal deployment