Kubernetes CPU Throttled

Kubernetes CPU Requests, Limits, and Throttling Impacts on Application Performance, some Best Practices

CPU Throttled

CPU Throttling (Kubernetes Workloads): A process where Kubernetes and container runtimes restrict a container’s CPU usage to stay within its assigned limits, often causing tasks to wait for the next scheduler quota period when they exceed their allowed CPU time.

CPU Throttling (Linux Kernel): A mechanism in the CFS Bandwidth Control where the kernel prevents a cgroup from exceeding its allocated CPU quota, forcing tasks to stop running until the next quota period. ...

April 19, 2025

Backups With Velero

What Do You Back Up In Kubernetes?

It’s easy to gloss over backups, especially when you are setting up a new cluster, finally getting stuff running on it, and feeling excited that you can now deploy some service and basically automate certificates, ingress, and everything else that used to be a pain to do manually. But as soon as something fails, you will wish you had spent a little more time not only thinking about backups, but also documenting step by step how to recover from a disaster. ...

April 18, 2025

Kubernetes External Services

About External Services

External services are anything you want to route traffic to that does not live in your Kubernetes cluster. For example, you might be running MinIO in a VM and accessing it via IP address, but you want to basically reverse proxy to it. You can use Kubernetes Ingress to act as a reverse proxy to pretty much anything, even if it doesn’t live within your cluster. It’s pretty straightforward to do this, and you just need to create a few resources: Service, EndpointSlice and Ingress. For the sake of organization, I like to use a separate namespace to separate any external service resources. If you’re doing this, just create a new namespace as your first step. ...

April 18, 2025

Kubernetes: Certificates With cert-manager and Let's Encrypt

What is cert-manager?

https://cert-manager.io/

cert-manager is a certificate controller for Kubernetes which is capable of handling all your certificate needs. This of course includes acquiring and automatically renewing certificates from Let’s Encrypt, but it can also be used as a local CA (certificate authority) for private certificates between services, etc.

Installation/Setup

https://cert-manager.io/docs/

I run piHole internally on my network and also use DNS challenge for internal only hostnames. This means when I request a new certificate and cert-manager attempts to look up the DNS challenge record, it won’t be able to query it through my piHole. ...

April 18, 2025

OpenEBS Replicated Storage Mayastor

Intro and Prerequisites

In a previous post, I mentioned that I struggled to get OpenEBS working in Talos and instead went with democratic-csi. In recent weeks, I decided to revisit this and figure out how to get OpenEBS replicated storage working in order to evaluate replicated storage in my cluster. I now have multiple disks that I can dedicate to my Kubernetes cluster and wanted to avoid the issue with the single point of failure using a TrueNAS VM for democratic-csi. ...

April 18, 2025

Keycloak as an OIDC provider for Kubernetes

The workflow

1. The client requests an ID Token with claims for its identity (name) and the groups he/she belongs to
2. The client then requests access to Kubernetes, providing the ID token obtained previously from the IDP
3. This token (which contains the claims for name, group) is used in each request to the API Server
4. The API Server in turn checks the ID Token validity with the ID provider
5. If the token is valid, then the API Server will check if the request is authorized based on the token’s claims and the configured RBAC (by matching it with the corresponding resources)
6. Finally, the actions will be performed or denied
7. A response is sent back to the client

From the user perspective, once everything is set up, we will perform these actions to obtain access to the cluster: ...

April 17, 2025

Kubernetes Automated Cluster Scaling

Kubernetes Automated Cluster Scaling algorithm

AutoScaling is one of the most powerful concepts in Kubernetes. This involves two main mechanisms:

- Horizontal Pod Autoscaling (HPA)
- Vertical Pod Autoscaling (VPA)

Automated cluster scaling refers to the process of dynamically adjusting the number of running pods (HPA) or their resource allocations (VPA) based on real-time metrics. This ensures that your applications can efficiently handle varying loads without manual intervention. With HPA, you can scale smarter, and with VPA, scale wiser. HPA handles traffic spikes like a champ. VPA makes sure your pods get the resources they deserve. ...

April 17, 2025

Kubernetes Controllers

What is a Replication Controller?

A Replication Controller (RC) ensures that a specified number of pod replicas are running at all times. It continuously monitors the cluster and if a pod fails, it will replace it to maintain the desired state.

Features

- Ensures availability of pods by replacing failed ones.
- Basic scaling of pods by changing the replica count.
- Legacy Component: Being replaced by ReplicaSets in modern Kubernetes due to limited functionality.

    apiVersion: v1
    kind: ReplicationController
    metadata:
      name: my-rc
    spec:
      replicas: 3
      selector:
        app: myapp
      template:
        metadata:
          labels:
            app: myapp
        spec:
          containers:
          - name: nginx
            image: nginx:latest

    kubectl get rc

What is a ReplicaSet?

A ReplicaSet (RS) is the newer, more advanced version of Replication Controllers. It provides additional functionality and is often managed by Deployments.

Features ...

April 17, 2025

Kubernetes Init Containers

Kubernetes init containers are specialized containers that run to completion before any of your application’s primary containers start. Unlike regular containers, they are not part of your ongoing workload but instead perform initialization tasks such as setting up prerequisites, configuring environments, or fetching secrets. This ensures that the main containers only start when the system is fully prepared.

- Isolation of Setup Tasks: They allow you to separate initialization logic from the main application, keeping your application images lean and secure.
- Different Resource Allocation: Init containers may require different CPU/memory limits. The effective pod resource requests are determined by the highest values among the init containers and the app containers.

Using init containers offers several strategic advantages: ...

April 17, 2025

Helm: The package manager for Kubernetes

Helm

helm fetch

You can use helm fetch to download a chart to your local directory, so you can change the values in the values.yaml file and then install it. For example:

    helm fetch stable/superset --untar

April 13, 2025