<!DOCTYPE html>
<!--
Web 2.0, CTU course slides
(cc) 2010-2014 Tomas Vitvar, tomas@vitvar.com
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="course" content="Web 2.0" />
<meta name="lecture" content="Lecture 5" />
<meta name="keywords" content="cloud native, kubernetes" />
<link type="text/css" rel="stylesheet" href="css/meta.css" />
<link type="text/css" rel="stylesheet" href="css/ctu-fit.css" />
<link type="text/css" rel="stylesheet" href="humla/lib/core/humla.css" />
<script type="text/javascript" src="humla/lib/humla.js"></script>
<title>Cloud Native and Kubernetes</title>
</head>
<body>
<footer>
<p><b>#META_LECTURE#: #TITLE#</b>, <span class="meta_semester" />,
<span class="meta_twitter" />
</p>
<p><b>‒ #SLIDE_NO# ‒</b></p>
</footer>
<div class="slide intro">
<hgroup>
<h1><span class="meta_course" /></h1>
<h2>#META_LECTURE#: #TITLE#</h2>
</hgroup>
<div class="author">
<p class="meta_author" />
<p><span class="meta_email" /> • <span class="meta_twitter" /> •
<span class="meta_web" />
</p>
</div>
<center>
<div class="meta_logo"></div>
</center>
<div class="org">
<p class="meta_org" />
<p><span class="meta_orgfac" /> • <span class="meta_field" />
• <span class="meta_orgweb" /></p>
</div>
<div class="etc">
<div class="text-info">
Modified: #LAST_MODIFIED#<br />
Humla v#HUMLA_VERSION#
</div>
<a href="http://creativecommons.org/licenses/by-sa/3.0/">
<div class="license"></div>
</a>
<div class="oppa"></div>
</div>
</div>
<div class="slide outline"></div>
<section>
<header>Cloud Native</header>
<div class="slide">
<hgroup>
<h1>Overview</h1>
</hgroup>
<ul class="xx-small">
<li>The Cloud Native Computing Foundation (CNCF)</li>
<ul>
<li>Motto: Building sustainable ecosystems for cloud native software</li>
<li>CNCF is part of the nonprofit Linux Foundation</li>
</ul>
<li>Cloud Native = scalable apps running in modern cloud environments</li>
<ul>
<li>containers, service meshes, microservices</li>
<li>Apps usually must be re-built from scratch or refactored</li>
<li>Benefits:</li>
<ul>
<li>loosely coupled systems that are resilient, manageable, and observable</li>
<li>automation allowing for predictable and frequent changes with minimal effort</li>
</ul>
<li>Trail Map</li>
<ul>
<li>provides an overview for enterprises starting their cloud native journey<span class="h-ref"
id="cnfs-trail-map" /></li>
</ul>
</ul>
<li>Lift and Shift</li>
<ul>
<li>Cloud transition program in organizations</li>
<li>Move app from on-premise to the cloud</li>
<li>Benefits</li>
<ul>
<li>Infrastructure cost cutting (OPEX vs. CAPEX)</li>
<li>Improved operations (scaling up/down if possible can be faster)</li>
</ul>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>CNCF Trail Map</h1>
</hgroup>
<img src="img/cncf-trail-map.png" style="width: 100%" />
</div>
</section>
<div class="slide outline"></div>
<section>
<header>Kubernetes</header>
<section>
<header>Basic Concepts</header>
<div class="slide">
<hgroup>
<h1>Overview</h1>
</hgroup>
<ul class="x-small">
<li>In your architecture...</li>
<ul>
<li>Containers are atomic pieces of application architecture</li>
<li>Containers can be linked (e.g. web server, DB)</li>
<li>Containers access shared resources (e.g. disk volumes)</li>
</ul>
<li>Kubernetes</li>
<ul>
<li>Automation of deployments, scaling and management of containerized applications across a number of nodes</li>
<li>Based on Borg, a parent project from Google</li>
</ul>
<img src="img/kubernetes-overview.png" width="400px" style="margin-top: 10px; margin-left: 20px" />
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Key Design Principles</h1>
</hgroup>
<ul class="x-small">
<li>Kubernetes provides abstractions that separate application deployment from the underlying infrastructure
details</li>
<li>Application workloads and infrastructure decoupling</li>
<ul>
<li><b>Compute:</b> Define <i>what</i> to run without specifying <i>where</i> it runs</li>
<li><b>Storage:</b> Applications request storage independent of storage backend</li>
<li><b>Networking:</b> Stable access to applications regardless of IPs or location</li>
</ul>
<li>Benefits</li>
<ul>
<li>Portability across on-prem and cloud environments</li>
<li>Scalability and resilience through dynamic scheduling</li>
<li>Consistency and standardization of deployment model</li>
<li>Reduced vendor lock-in thanks to open standards</li>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Desired State and Reconciliation</h1>
</hgroup>
<ul class="xx-small">
<li>Kubernetes operates on a <b>desired state</b> model</li>
<ul>
<li>Users define the state they want through object specifications (YAML)</li>
<li>Example: “there should be 3 replicas of this application”</li>
</ul>
<li>Actual State vs. Desired State</li>
<ul>
<li>Kubernetes constantly monitors the cluster</li>
<li>If the actual state drifts from the desired state, it takes action to fix it</li>
</ul>
<li>Reconciliation Loop</li>
<ul>
<li>Controllers continuously compare desired vs. actual state</li>
<li>Automatically performs actions such as restarting, rescheduling, or scaling Pods</li>
</ul>
</ul>
<img src="img/kubernetes-state.png" width="400px" style="margin-top: 10px; margin-left: 70px" />
</div>
<div class="slide">
<hgroup>
<h1>Features</h1>
</hgroup>
<ul class="xx-small">
<li>Automatic binpacking</li>
<ul>
<li>Automatically places containers onto nodes based on their resource requirements and other constraints.
</li>
</ul>
<li>Horizontal scaling</li>
<ul>
<li>Scales your application up and down with a simple command, with a UI, or automatically based on CPU
usage.
</li>
</ul>
<li>Automated rollouts and rollbacks</li>
<ul>
<li>Progressive rollout of changes to application/configuration, monitoring application health
and rollback when something goes wrong.</li>
</ul>
<li>Storage orchestration</li>
<ul>
<li>Automatically mounts the storage system (local or in the cloud)</li>
</ul>
<li>Self-healing</li>
<ul>
<li>Restarts containers that fail, replaces and reschedules containers when nodes die, kills containers that
don't respond to user-defined health checks.</li>
</ul>
<li>Service discovery and load balancing</li>
<ul>
<li>Gives containers their own IP addresses and a single DNS name for a set of containers, and can
load-balance across them.</li>
</ul>
</ul>
</div>
</section>
<div class="slide outline"></div>
<section>
<header>Core Concepts and Architecture</header>
<div class="slide">
<hgroup>
<h1>Core Building Blocks</h1>
</hgroup>
<ul class="x-small">
<li><b>Cluster</b></li>
<ul>
<li>A set of worker nodes and a control plane</li>
<li>Runs and manages containerized applications</li>
</ul>
<li><b>Node</b></li>
<ul>
<li>A worker machine in Kubernetes (VM or physical)</li>
<li>Runs Pods scheduled by the control plane</li>
</ul>
<li><b>Control Plane</b></li>
<ul>
<li>Manages the overall state of the cluster</li>
<li>Schedules workloads and responds to cluster events</li>
</ul>
<li><b>Pod</b></li>
<ul>
<li>The smallest deployable unit in Kubernetes</li>
<li>One or more tightly-coupled containers</li>
<li>Containers share networking and storage within a Pod</li>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Architecture</h1>
</hgroup>
<img src="img/components-of-kubernetes.svg"
style="width: 800px; margin-left: 50px; margin-top: 50px; zoom: 0.88" />
</div>
<div class="slide">
<hgroup>
<h1>Control Plane Components (Part 1)</h1>
</hgroup>
<ul class="x-small">
<li>Global decisions about the cluster</li>
<ul>
<li>Scheduling</li>
<li>Detecting and responding to cluster events, starting up new pods</li>
</ul>
<li>kube-apiserver</li>
<ul>
<li>exposes the Kubernetes API</li>
<li>The API server is the front end for the Kubernetes control plane.</li>
</ul>
<li>etcd</li>
<ul>
<li>highly-available key value store used to store all cluster data</li>
</ul>
<li>kube-scheduler</li>
<ul>
<li>watches for newly created Pods with no assigned node</li>
<li>selects a node for Pods to run on.</li>
<li>Decision factors: resource requirements, hardware/software/policy constraints, affinity and anti-affinity specifications</li>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Control Plane Components (Part 2)</h1>
</hgroup>
<ul class="x-small">
<li>kube-controller-manager</li>
<ul>
<li>runs controllers that ensure the desired state of cluster objects</li>
<li><b>Node controller</b></li>
<ul>
<li>noticing and responding when nodes go down</li>
</ul>
<li><b>Job controller</b></li>
<ul>
<li>creates Pods to run one-off tasks to completion.</li>
</ul>
<li><b>Endpoints controller</b></li>
<ul>
<li>Populates the Endpoints object (that is, joins Services, Pods).</li>
</ul>
</ul>
<li>cloud-controller-manager</li>
<ul>
<li>Integration with cloud services (when the cluster is running in a cloud)</li>
<li><b>Node controller</b></li>
<ul>
<li>checks if a node has been deleted in the cloud after it stops responding</li>
</ul>
<li><b>Route controller</b></li>
<ul>
<li>For setting up routes in the underlying cloud infrastructure</li>
</ul>
<li><b>Service controller</b></li>
<ul>
<li>For creating, updating and deleting cloud provider load balancers</li>
</ul>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Node</h1>
</hgroup>
<ul class="x-small">
<li>Kubernetes runtime environment</li>
<ul>
<li>Run on every node</li>
<li>Maintaining running pods</li>
</ul>
<li>kubelet</li>
<ul>
<li>An agent that runs on each node in the cluster</li>
<li>It makes sure that containers are running in a Pod.</li>
</ul>
<li>kube-proxy</li>
<ul>
<li>maintains network rules on nodes</li>
<li>network rules allow network communication to Pods from inside or outside of the cluster</li>
<li>uses the operating system packet filtering layer or forwards the traffic itself.</li>
</ul>
<li>Container runtime</li>
<ul>
<li>Responsible for running containers</li>
<li>Kubernetes supports several container runtimes (containerd, CRI-O)</li>
<li>Any implementation of the Kubernetes CRI (Container Runtime Interface)</li>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Container Stack</h1>
</hgroup>
<div class="h-drawing" style="padding-top: 21px; padding-left: 21px; width: 600px"
id="1H0E2ljSysot6vb-m8T1hyy4XtyDz3QLb07H-Q0lbgqs"></div>
</div>
</section>
<div class="slide outline"></div>
<section>
<header>Workloads</header>
<div class="slide">
<hgroup>
<h1>Namespaces</h1>
</hgroup>
<ul class="x-small">
<li>Logical grouping of cluster resources</li>
<ul>
<li>Allow you to organize and separate objects within a Kubernetes cluster</li>
<li>Useful when multiple teams, environments, or projects share the same cluster</li>
</ul>
<li>Rationale</li>
<ul>
<li>Provide isolation and boundaries between workloads</li>
<li>Prevent name collisions</li>
<ul>
<li>Objects can have the same name if in different namespaces</li>
</ul>
<li>Enable resource limits and access control per namespace</li>
</ul>
<li>Usage</li>
<ul>
<li>Common namespaces: <code>default</code>, <code>kube-system</code>, <code>kube-public</code>,
<code>kube-node-lease</code>
</li>
<li>Create separate namespaces for e.g. <i>dev</i>, <i>test</i>, <i>prod</i></li>
<li>Commands run in a namespace unless another is specified</li>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Pod</h1>
</hgroup>
<ul class="x-small">
<li>Pod</li>
<ul>
<li>A group of one or more tightly-coupled containers.</li>
<li>Containers share storage and network resources.</li>
<li>A Pod runs a single instance of a given application</li>
<li>Pod's containers are always co-located and co-scheduled</li>
<li>Pod's containers run in a shared context, i.e. in a set of Linux namespaces</li>
</ul>
<li>Pods are created using workload resources</li>
<ul>
<li>You do not create them directly</li>
</ul>
<li>Pods in a Kubernetes cluster are used in two main ways</li>
<ul>
<li>Run a single container, the most common Kubernetes use case</li>
<li>Run multiple containers that need to work together</li>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Workloads</h1>
</hgroup>
<ul class="xx-small">
<li>An application running on Kubernetes</li>
<li>Workloads run in a set of Pods</li>
<li>Pre-defined workload resources to manage the lifecycle of Pods</li>
<ul>
<li><b>Deployment</b> and ReplicaSet</li>
<ul>
<li>managing a stateless application workload</li>
<li>any Pod in the Deployment is interchangeable and can be replaced if needed</li>
</ul>
<li><b>StatefulSet</b></li>
<ul>
<li>one or more related Pods that track state</li>
<li>For example, if a workload records data persistently, run a StatefulSet that matches each Pod with a
persistent volume.</li>
</ul>
<li>DaemonSet</li>
<ul>
<li>Ensures that all (or some) Nodes run a copy of a Pod</li>
<li>E.g. a cluster storage daemon, log collection or a node monitoring agent that must run on every node</li>
</ul>
<li>Job and CronJob</li>
<ul>
<li>Define tasks that run to completion and then stop.</li>
<li>Jobs represent one-off tasks, whereas CronJobs recur according to a schedule.</li>
</ul>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Deployment Spec Example</h1>
</hgroup>
<ul class="x-small">
<li>Deployment spec</li>
<pre class="brush: bash; class-name: ''">
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 3 # tells deployment to run 3 pods matching the template
  template:
    metadata:
      labels:
        app: nginx   # must satisfy spec.selector, otherwise the API server rejects the Deployment
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
</pre>
<ul>
<li>A desired state of an application running in the cluster</li>
<li>Kubernetes reads the Deployment spec and starts three app instances</li>
<li>If an instance fails, Kubernetes starts a replacement app instance</li>
</ul>
</ul>
</div>
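The desired-state model and the Deployment spec above describe a controller that keeps three nginx Pods running and replaces a failed one. The following is an added example, not code from the lecture: a simulated reconciliation loop over plain dicts (the ReplicaSet layer is folded into the Deployment, and the Pod list, phases and names are constructed).

```python
"""Simulated reconciliation loop for the nginx Deployment on the slides.

Added example, not part of the lecture: a controller compares the desired
state (replicas: 3, selector app=nginx) with the actual Pods and acts to
close the gap. Everything is a plain dict built inline; no cluster is
contacted, and the ReplicaSet layer is folded into the Deployment.
"""
import itertools

DEPLOYMENT = {  # desired state, from the Deployment spec on the slides
    "metadata": {"name": "nginx-deployment", "namespace": "default"},
    "spec": {
        "replicas": 3,
        "selector": {"matchLabels": {"app": "nginx"}},
        "template": {"metadata": {"labels": {"app": "nginx"}}},
    },
}

_counter = itertools.count(1)  # suffix source for newly created Pod names

def selector_matches(match_labels, labels):
    """matchLabels is a subset test: every selector key/value must be present."""
    return all(labels.get(k) == v for k, v in match_labels.items())

def validate_deployment(deploy):
    """The API server rejects a Deployment whose selector does not match its
    own Pod template labels (it could never own the Pods it creates)."""
    sel = deploy["spec"]["selector"]["matchLabels"]
    tmpl = deploy["spec"]["template"]["metadata"]["labels"]
    if not selector_matches(sel, tmpl):
        raise ValueError("selector does not match template labels")

def reconcile(deploy, pods):
    """One pass of the control loop: returns (new Pod list, actions taken).

    Failed Pods matching the selector are deleted and replaced, surplus Pods
    are scaled down, missing Pods are created from the template. Pods that
    do not match the selector are left untouched."""
    validate_deployment(deploy)
    sel = deploy["spec"]["selector"]["matchLabels"]
    want = deploy["spec"]["replicas"]
    tmpl = deploy["spec"]["template"]["metadata"]["labels"]
    actions, healthy, others = [], [], []
    for p in pods:
        if not selector_matches(sel, p["labels"]):
            others.append(p)
        elif p["phase"] in ("Running", "Pending"):
            healthy.append(p)
        else:
            actions.append(f"delete {p['name']} (phase={p['phase']})")
    while len(healthy) > want:  # scale down
        actions.append(f"delete {healthy.pop()['name']} (surplus)")
    while len(healthy) < want:  # scale up or replace a failed Pod
        name = f"{deploy['metadata']['name']}-{next(_counter)}"
        healthy.append({"name": name, "labels": dict(tmpl), "phase": "Pending"})
        actions.append(f"create {name}")
    return healthy + others, actions

# Constructed actual state: one healthy nginx Pod, one failed nginx Pod, and
# an unrelated Pod the Deployment must not touch.
ACTUAL_PODS = [
    {"name": "nginx-deployment-a", "labels": {"app": "nginx"}, "phase": "Running"},
    {"name": "nginx-deployment-b", "labels": {"app": "nginx"}, "phase": "Failed"},
    {"name": "redis-0", "labels": {"app": "redis"}, "phase": "Running"},
]

if __name__ == "__main__":
    pods, actions = reconcile(DEPLOYMENT, ACTUAL_PODS)
    print("\n".join(actions))  # delete the failed Pod, create two replacements
    _, again = reconcile(DEPLOYMENT, pods)
    print("steady state" if not again else again)
```

A second pass over the result produces no actions, which is the steady state the controller keeps returning to as Pods fail.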
</section>
<div class="slide outline"></div>
<section>
<header>Services</header>
<div class="slide">
<hgroup>
<h1>What is a Service?</h1>
</hgroup>
<ul class="x-small">
<li>A Kubernetes <b>Service</b> is an abstraction that defines</li>
<ul>
<li>A logical set of Pods</li>
<li>A policy to access them.</li>
</ul>
<li>Pods are ephemeral – their IPs change when recreated</li>
<li>A Service provides a stable virtual endpoint for a set of Pods</li>
<li>Services enable reliable communication between components:</li>
<ul>
<li>Internal Pod-to-Pod communication</li>
<li>External access to cluster workloads</li>
</ul>
<li>Each Service gets</li>
<ul>
<li>A DNS name and</li>
<li>virtual IP (ClusterIP) inside the cluster.</li>
</ul>
<li>The Kubernetes component <code>kube-proxy</code> manages routing to backend Pods.</li>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>Service Types</h1>
</hgroup>
<ul class="x-small">
<li><b>ClusterIP</b></li>
<ul>
<li>Exposes the Service on an internal IP in the cluster only.</li>
<li>Used for internal communication between Pods.</li>
</ul>
<li><b>NodePort</b></li>
<ul>
<li>Exposes the Service on each Node’s IP at a static port (e.g. 30080).</li>
<li>Accessible externally via <code>NodeIP:NodePort</code>.</li>
</ul>
<li><b>LoadBalancer</b></li>
<ul>
<li>Provisions an external load balancer (e.g. in cloud environments).</li>
<li>Routes external traffic to the Service.</li>
</ul>
<li><b>ExternalName</b></li>
<ul>
<li>Maps the Service to an external DNS name.</li>
<li>No proxying — pure DNS CNAME redirection.</li>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>How Services Work</h1>
</hgroup>
<ul class="xx-small">
<li><strong>Selector</strong></li>
<ul>
<li>A Service usually defines a <code>selector</code> — a label query used to find matching Pods.</li>
<li>Example: <code>selector: app=nginx</code> matches all Pods with label <code>app=nginx</code>.</li>
<li>Kubernetes monitors Pods that match this selector and updates Service backends
</li>
</ul>
<li><strong>Endpoints / EndpointSlice</strong></li>
<ul>
<li>For every Service with a selector, Kubernetes creates an <code>Endpoints</code> (or
<code>EndpointSlice</code>) object listing all healthy Pod IPs and ports.
</li>
<li>This list changes dynamically as Pods are added, removed, or become unhealthy.</li>
</ul>
<li><strong>kube-proxy</strong></li>
<ul>
<li>Runs on every Node and watches Service and Endpoint objects.</li>
<li>Programs <code>iptables</code> or <code>IPVS</code> rules to forward traffic from the Service’s virtual
IP (<code>ClusterIP</code>) to one of the backend Pod IPs.</li>
<li>Load balancing is done using round-robin or IPVS algorithms.</li>
</ul>
<li><strong>DNS Integration</strong></li>
<ul>
<li><code>CoreDNS</code> automatically creates a DNS record for each Service:</li>
<ul>
<li><code>&lt;service&gt;.&lt;namespace&gt;.svc.cluster.local</code></li>
</ul>
<li>Pods can reach the Service via DNS without knowing Pod IPs</li>
<ul>
<li><code>curl http://my-service.default.svc.cluster.local</code></li>
</ul>
</ul>
</ul>
</div>
<div class="slide">
<hgroup>
<h1>ClusterIP Service Example</h1>
</hgroup>
<ul class="xx-small">
<li>Example configuration exposing an NGINX Deployment internally:</li>
<pre class="brush: bash; class-name: ''">
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
  type: ClusterIP
</pre>
<li>Pods with <code>app=nginx</code> receive traffic through <code>ClusterIP</code>.</li>
<li>DNS name: <code>nginx-svc.default.svc.cluster.local</code></li>
<li>Used by other Pods to connect via <code>http://nginx-svc:80</code>.</li>
</ul>
</div>
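The two slides above (How Services Work, ClusterIP Service Example) describe selector matching, the Endpoints list and the cluster DNS name. The following is an added example, not code from the lecture: it derives the endpoint list and DNS name for the nginx-svc spec from constructed Pod objects, and models the resolv.conf search list that lets a Pod use the short name <code>nginx-svc</code>. The Pod names, IPs, readiness flags and the staging namespace are all made up.

```python
"""Added example (not from the slides): Service selector -> Endpoints -> DNS.

Works on constructed dicts with no cluster access. The Service is the
nginx-svc spec from the slides; the Pods are invented for the example.
"""
CLUSTER_DOMAIN = "cluster.local"  # kubelet default, assumed here

SERVICE = {
    "metadata": {"name": "nginx-svc", "namespace": "default"},
    "spec": {
        "selector": {"app": "nginx"},
        "ports": [{"protocol": "TCP", "port": 80, "targetPort": 8080}],
        "type": "ClusterIP",
    },
}

# Constructed Pods: two Ready nginx Pods, one failing its readiness probe,
# one with the right label but in another namespace, and one unrelated Pod.
PODS = [
    {"name": "nginx-1", "namespace": "default", "labels": {"app": "nginx"}, "ip": "10.42.0.12", "ready": True},
    {"name": "nginx-2", "namespace": "default", "labels": {"app": "nginx"}, "ip": "10.42.1.7", "ready": True},
    {"name": "nginx-3", "namespace": "default", "labels": {"app": "nginx"}, "ip": "10.42.1.9", "ready": False},
    {"name": "nginx-x", "namespace": "staging", "labels": {"app": "nginx"}, "ip": "10.42.2.3", "ready": True},
    {"name": "redis-0", "namespace": "default", "labels": {"app": "redis"}, "ip": "10.42.0.5", "ready": True},
]

def matches(selector, labels):
    """Label selector semantics: every selector key/value must be on the Pod."""
    return all(labels.get(k) == v for k, v in selector.items())

def endpoints(service, pods):
    """What the Endpoints controller would publish: (Pod IP, targetPort) for
    every Ready Pod in the Service's own namespace that matches the selector.
    Not-Ready Pods drop out of the list, so traffic never reaches them."""
    ns = service["metadata"]["namespace"]
    sel = service["spec"]["selector"]
    out = []
    for port in service["spec"]["ports"]:
        for p in pods:
            if p["namespace"] == ns and p["ready"] and matches(sel, p["labels"]):
                out.append((p["ip"], port["targetPort"]))
    return out

def dns_name(service):
    """CoreDNS record: <service>.<namespace>.svc.<cluster-domain>"""
    m = service["metadata"]
    return f"{m['name']}.{m['namespace']}.svc.{CLUSTER_DOMAIN}"

def resolve(hostname, client_ns, services):
    """Mimic the search list kubelet writes into a Pod's /etc/resolv.conf
    (<ns>.svc.cluster.local, svc.cluster.local, cluster.local): a short name
    such as `nginx-svc` is expanded with the client's own namespace first,
    which is why a Pod in another namespace needs `nginx-svc.default`."""
    search = [f"{client_ns}.svc.{CLUSTER_DOMAIN}", f"svc.{CLUSTER_DOMAIN}",
              CLUSTER_DOMAIN]
    known = {dns_name(s): s for s in services}
    name = hostname.rstrip(".")
    for candidate in [f"{name}.{d}" for d in search] + [name]:
        if candidate in known:
            return known[candidate]
    return None

if __name__ == "__main__":
    print(dns_name(SERVICE), endpoints(SERVICE, PODS))
```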
<div class="slide">
<hgroup>
<h1>Packet Forwarding and Load Balancing</h1>
</hgroup>
<ul class="xx-small">
<li><strong>iptables mode</strong></li>
<ul>
<li><code>kube-proxy</code> creates NAT rules in the <code>nat</code> table to redirect Service traffic.
</li>
<li>Example: traffic coming to <code>NodeIP:NodePort</code> (e.g. <code>192.168.1.11:30080</code>)</li>
<pre class="brush: bash; class-name: ''">
# 1. Match NodePort traffic coming from outside and mark it for SNAT
#    (so replies go back via this node)
-A KUBE-NODEPORTS -p tcp --dport 30080 -m addrtype ! --src-type LOCAL \
   -j KUBE-MARK-MASQ
# 2. NodePort forwards traffic to the Service chain
-A KUBE-NODEPORTS -p tcp --dport 30080 \
   -m comment --comment "default/my-service: NodePort" \
   -j KUBE-SVC-XYZ123
# 3. Service chain chooses one backend Pod (50 % to the first, the rest to the second)
-A KUBE-SVC-XYZ123 -m statistic --mode random --probability 0.5 \
   -j KUBE-SEP-A1B2C3
-A KUBE-SVC-XYZ123 -j KUBE-SEP-D4E5F6
# 4. Pod DNAT rule to redirect to Pod IP:port
-A KUBE-SEP-A1B2C3 -p tcp -m tcp -j DNAT --to-destination 10.42.0.12:8080
-A KUBE-SEP-D4E5F6 -p tcp -m tcp -j DNAT --to-destination 10.42.1.7:8080
</pre>
</ul>
<ul>
<li>The node’s routing table determines how to reach the Pod’s IP:</li>
<ul>
<li><code>10.42.0.0/24 via 192.168.1.12 dev flannel.1</code></li>
<li>packets to Pods in <code>10.42.0.0/24</code> (running on Node 2) are sent through the
VXLAN interface <code>flannel.1</code> to Node 2’s IP <code>192.168.1.12</code></li>
</ul>
</ul>
</div>
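The Service chain above splits traffic with a 0.5 probability rule followed by an unconditional rule. The following is an added example, not code from the lecture: it generates the same chain shape for N backends (probability 1/(n-i) for the i-th rule, last rule unconditional), proves with exact fractions that each Pod gets a 1/N share, and parses the probabilities back out of rule text as an audit step. Chain names and the third Pod IP are constructed; real kube-proxy derives the KUBE-SVC-/KUBE-SEP- suffixes from hashes and prints probabilities with more digits.

```python
"""Added example (not from the slides): kube-proxy style iptables Service
chain for N backends, and a check that the split is uniform.

Chain names and Pod IPs are constructed; real kube-proxy hashes the
Service and endpoint names into the KUBE-SVC-/KUBE-SEP- suffixes.
"""
from fractions import Fraction

def service_rules(svc_chain, backends):
    """Return the -A lines for the Service chain plus one DNAT line per
    endpoint chain. Backend i (0-based) gets probability 1/(n-i) of the
    traffic that reached its rule, so the remainder is split evenly; the
    last rule is unconditional and catches everything left."""
    n = len(backends)
    rules = []
    for i, (sep, _ip, _port) in enumerate(backends):
        if i < n - 1:
            p = 1 / (n - i)
            rules.append(f"-A {svc_chain} -m statistic --mode random "
                         f"--probability {p:.5f} -j {sep}")
        else:
            rules.append(f"-A {svc_chain} -j {sep}")
    for sep, ip, port in backends:
        rules.append(f"-A {sep} -p tcp -m tcp -j DNAT --to-destination {ip}:{port}")
    return rules

def share_per_backend(n):
    """Exact probability that a new connection lands on each backend:
    P(i) = (1-p_0)...(1-p_{i-1}) * p_i with p_i = 1/(n-i). Every value
    comes out as 1/n, which is why the chain is a fair random split."""
    shares = []
    remaining = Fraction(1)
    for i in range(n):
        p = Fraction(1, n - i)
        shares.append(remaining * p)
        remaining *= 1 - p
    return shares

def parse_probabilities(rules):
    """Pull the --probability values back out of rule text (e.g. from
    `iptables-save` output) to audit a chain someone else programmed."""
    out = []
    for r in rules:
        if "--probability" in r:
            out.append(float(r.split("--probability")[1].split()[0]))
    return out

# First two backends are the Pod IPs from the slide; the third is constructed.
BACKENDS = [("KUBE-SEP-A1B2C3", "10.42.0.12", 8080),
            ("KUBE-SEP-D4E5F6", "10.42.1.7", 8080),
            ("KUBE-SEP-G7H8I9", "10.42.1.9", 8080)]

if __name__ == "__main__":
    for line in service_rules("KUBE-SVC-XYZ123", BACKENDS):
        print(line)
    print([str(s) for s in share_per_backend(len(BACKENDS))])  # 1/3 each
```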
</section>
<div class="slide outline"></div>
<section>
<header>Beyond the Basics</header>
<div class="slide">
<hgroup>
<h1>Advanced Topics</h1>
</hgroup>
<ul class="xx-small">
<li>Custom APIs and Controllers</li>
<ul>
<li>CRDs, Operators, reconciliation loops</li>
<li>Admission webhooks (mutating/validating)</li>
</ul>
<li>Security</li>
<ul>
<li>RBAC, Namespaces, Pod Security (seccomp, capabilities, rootless)</li>
<li>Image signing and supply chain (SBOM, cosign), Secret management (Vault/CSI)</li>
<li>Policy engines: OPA Gatekeeper, Kyverno</li>
</ul>
<li>Networking</li>
<ul>
<li>CNI, eBPF (Cilium), NetworkPolicies, Ingress</li>
<li>Gateway API, Service Mesh (mTLS, traffic shaping)</li>
</ul>
<li>Storage</li>
<ul>
<li>CSI drivers, snapshots, expansion, topology-aware PVs</li>
<li>Backup/DR (e.g., Velero), StatefulSet patterns</li>
</ul>
<li>Scaling and Scheduling</li>
<ul>
<li>HPA/VPA/KEDA (event-driven), Cluster Autoscaler</li>
<li>Affinity/anti-affinity, taints/tolerations, topology spread</li>
</ul>
<li>Ops and Delivery</li>
<ul>
<li>GitOps (Argo CD/Flux), progressive delivery (canary, blue/green)</li>
<li>Observability: metrics/logs/traces (Prometheus, OpenTelemetry)</li>
</ul>
<li>Runtimes and Isolation</li>
<ul>
<li>containerd/CRI-O, shims, sandboxed runtimes (gVisor, Kata)</li>
<li>Wasm/WASI experiments</li>
</ul>
<li>Multi-Cluster and Platform</li>
<ul>
<li>Cluster API, federation, service discovery across clusters</li>
<li>Multi-tenancy, quotas, cost allocation</li>
</ul>
</ul>
</div>
</section>
</section>