2. 2
The content contained herein is for informational purposes only, may
not be referenced or added to any contract, and should not be relied
upon to make purchasing decisions. It is not a commitment,
promise, or legal obligation to provide any features, functionality,
capabilities, code, etc. or to provide anything within any schedule,
date, time, etc. All Mirantis product and service decisions remain at
Mirantis sole and exclusive discretion.
Plus, I can't guarantee what features actually make it into
Kubernetes 1.18 when it's released next week.
Disclaimer
3. 3
Featured Presenter
Nick Chase
Head of Technical Content at Mirantis
Nick Chase is Head of Technical Content for Mirantis and a former member of the Kubernetes
release team. He is a former software developer and author or co-author of more than a
dozen books on various programming topics, including the OpenStack Architecture Guide,
Understanding OPNFV, and Machine Learning for Mere Mortals.
Reach him on Twitter @NickChase.
4. 4
A Little Housekeeping
● Please submit questions in the
Questions panel.
● We’ll provide a link where you
can download the slides at the
end of the webinar.
8. 8
● Windows worker nodes
● Controllers still run on Linux
RunAsUserName for Windows
9. 9
apiVersion: v1
kind: Pod
metadata:
  name: username-demo-pod
spec:
  securityContext:
    windowsOptions:
      runAsUserName: "ContainerUser"
  containers:
  - name: username-demo
    image: mcr.microsoft.com/windows/servercore:ltsc2019
    command: ["ping", "-t", "localhost"]
  nodeSelector:
    kubernetes.io/os: windows
RunAsUserName for Windows
10. 10
kubectl apply -f run-as-username-pod.yaml
kubectl exec -it username-demo-pod -- powershell
echo $env:USERNAME
ContainerUser
RunAsUserName for Windows
11. 11
● Limitations
○ Must be a valid (non-empty) user name (DOMAIN\USER or USER)
○ DOMAIN
■ Optional
■ NetBIOS name or DNS name
○ USER
■ <= 20 characters
■ Can contain dots or spaces
■ No control characters
■ None of / \ : * ? " < > |
RunAsUserName for Windows
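The limits on the slide above, written out as a checker (an added example, not code from the webinar or from Kubernetes). The slide does not spell out what counts as a NetBIOS or DNS name, so the two domain patterns are simplified assumptions.

```python
import re
from typing import List

# Rules from the slide: DOMAIN\USER with DOMAIN optional (NetBIOS or DNS name);
# USER at most 20 characters, dots and spaces allowed, no control characters,
# none of / \ : * ? " < > |
FORBIDDEN_USER_CHARS = set('/\\:*?"<>|')
# Assumption: simplified stand-ins for the real NetBIOS and DNS name rules.
NETBIOS_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}$")
DNS_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_run_as_username(name: str) -> List[str]:
    """Return the rule violations for a runAsUserName value; an empty list means valid."""
    problems: List[str] = []
    if not name:
        return ["username must be non-empty"]
    # Split on the last backslash; a value without one is just USER.
    domain, sep, user = name.rpartition("\\")
    if sep and not domain:
        problems.append("DOMAIN before the backslash must not be empty")
    elif domain and not (NETBIOS_RE.match(domain) or DNS_RE.match(domain)):
        problems.append(f"DOMAIN {domain!r} is neither a NetBIOS name nor a DNS name")
    if not user:
        problems.append("USER must not be empty")
    if len(user) > 20:
        problems.append(f"USER is {len(user)} characters, limit is 20")
    if any(ord(c) < 32 or ord(c) == 127 for c in user):
        problems.append("USER contains control characters")
    bad = sorted(set(user) & FORBIDDEN_USER_CHARS)
    if bad:
        problems.append("USER contains forbidden characters: " + " ".join(bad))
    return problems


if __name__ == "__main__":
    for candidate in ["ContainerUser", "CONTOSO\\WebApp1", "contoso.com\\web app.1",
                      "\\nobody", "bad:user", "a" * 21]:
        print(repr(candidate), "->", validate_run_as_username(candidate) or "ok")
```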
13. 13
● Group Managed Service Account
○ Password management
○ Single identity for group of servers
● Deploy GMSACredentialSpec CRD
● Install validation webhooks (multiple steps)
● Provision gMSAs in Active Directory
Support gMSA for Windows workloads
14. 14
● Create the GMSACredentialSpec object:
apiVersion: windows.k8s.io/v1alpha1
kind: GMSACredentialSpec
metadata:
  name: gmsa-webapp1  # arbitrary, but referenced later; must be a lowercase DNS subdomain
credspec:
  ActiveDirectoryConfig:
    GroupManagedServiceAccounts:
    - Name: WebApp1       # username of the gMSA account
      Scope: CONTOSO      # NetBIOS domain name
    - Name: WebApp1       # username of the gMSA account
      Scope: contoso.com  # DNS domain name
  CmsPlugins:
  - ActiveDirectory
  DomainJoinConfig:
    DnsName: contoso.com       # DNS domain name
    DnsTreeName: contoso.com   # DNS domain name root
    Guid: 244818ae-87ac-4fcd-92ec-e79e5252348a  # GUID
    MachineAccountName: WebApp1  # username of the gMSA account
    NetBiosName: CONTOSO         # NetBIOS domain name
    Sid: S-1-5-21-2126449477-2524075714-3094792973  # SID of the gMSA
Support gMSA for Windows workloads
15. 15
● Configure cluster role to enable RBAC on specific
gMSA credential specs
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: webapp1-role
rules:
- apiGroups: ["windows.k8s.io"]
  resources: ["gmsacredentialspecs"]
  verbs: ["use"]
  resourceNames: ["gmsa-webapp1"]  # must match the GMSACredentialSpec name exactly
Support gMSA for Windows workloads
16. 16
● Assign role to service accounts to use specific
gMSA credentialspecs
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-default-svc-account-read-on-gmsa-WebApp1
  namespace: default
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: webapp1-role
  apiGroup: rbac.authorization.k8s.io
Support gMSA for Windows workloads
17. 17
● Configure Pod to use the gMSA credential spec
apiVersion: apps/v1  # apps/v1beta1 is no longer served in 1.18
kind: Deployment
metadata:
  labels:
    run: with-creds
  name: with-creds
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      run: with-creds
  template:
    metadata:
      labels:
        run: with-creds
    spec:
      securityContext:
        windowsOptions:
          gmsaCredentialSpecName: gmsa-webapp1
      containers:
      - image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019
        imagePullPolicy: Always
        name: iis
      nodeSelector:
        beta.kubernetes.io/os: windows
Support gMSA for Windows workloads
18. 18
● Configure container to use the gMSA spec
apiVersion: apps/v1  # apps/v1beta1 is no longer served in 1.18
kind: Deployment
metadata:
  labels:
    run: with-creds
  name: with-creds
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      run: with-creds
  template:
    metadata:
      labels:
        run: with-creds
    spec:
      containers:
      - image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019
        imagePullPolicy: Always
        name: iis
        securityContext:
          windowsOptions:
            gmsaCredentialSpecName: gmsa-webapp1  # same name as the GMSACredentialSpec
      nodeSelector:
        beta.kubernetes.io/os: windows
Support gMSA for Windows workloads
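The four objects on slides 14 to 18 only work together when the credential spec name, the ClusterRole's resourceNames, the RoleBinding's subject and the pod's gmsaCredentialSpecName all line up. This added checker (not code from the webinar or from the gMSA webhook) cross-checks them; the manifests are constructed here as Python dicts rather than YAML, and the sample is a cut-down version of the slides' objects.

```python
from typing import Any, Dict, List, Tuple

Manifest = Dict[str, Any]


def check_gmsa_wiring(credspec: Manifest, cluster_role: Manifest,
                      role_binding: Manifest, deployment: Manifest) -> List[str]:
    """Cross-check the four manifests; returns the problems found (empty list = wired up)."""
    problems: List[str] = []
    spec_name = credspec["metadata"]["name"]
    if spec_name != spec_name.lower():
        problems.append(f"credspec name {spec_name!r} must be a lowercase DNS subdomain")
    # 1. The ClusterRole must grant 'use' on gmsacredentialspecs for this exact resourceName.
    if not any("windows.k8s.io" in r.get("apiGroups", []) and "gmsacredentialspecs" in r.get("resources", [])
               and "use" in r.get("verbs", []) and spec_name in r.get("resourceNames", [])
               for r in cluster_role.get("rules", [])):
        problems.append(f"ClusterRole does not grant 'use' on gmsacredentialspecs/{spec_name}")
    # 2. The RoleBinding must reference that ClusterRole and the pod's service account, in the pod's namespace.
    pod_ns = deployment["metadata"].get("namespace", "default")
    pod_tmpl = deployment["spec"]["template"]["spec"]
    pod_sa = pod_tmpl.get("serviceAccountName", "default")
    ref = role_binding["roleRef"]
    if ref.get("kind") != "ClusterRole" or ref.get("name") != cluster_role["metadata"]["name"]:
        problems.append("RoleBinding roleRef does not reference the ClusterRole")
    if role_binding["metadata"].get("namespace") != pod_ns or not any(
            s.get("kind") == "ServiceAccount" and s.get("name") == pod_sa and s.get("namespace", pod_ns) == pod_ns
            for s in role_binding.get("subjects", [])):
        problems.append(f"RoleBinding does not bind service account {pod_ns}/{pod_sa}")
    # 3. Pod-level or container-level windowsOptions must name the credspec exactly (lookups are case-sensitive).
    refs = [pod_tmpl.get("securityContext", {}).get("windowsOptions", {}).get("gmsaCredentialSpecName")]
    refs += [c.get("securityContext", {}).get("windowsOptions", {}).get("gmsaCredentialSpecName")
             for c in pod_tmpl.get("containers", [])]
    refs = [r for r in refs if r is not None]
    if not refs:
        problems.append("no gmsaCredentialSpecName set on the pod or any container")
    problems += [f"gmsaCredentialSpecName {r!r} does not match credspec {spec_name!r}" for r in refs if r != spec_name]
    return problems


def sample_manifests(spec_name: str, pod_ref: str) -> Tuple[Manifest, Manifest, Manifest, Manifest]:
    """Constructed, cut-down versions of the slides' four objects, parameterised on the two names."""
    credspec = {"apiVersion": "windows.k8s.io/v1alpha1", "kind": "GMSACredentialSpec", "metadata": {"name": spec_name}}
    role = {"kind": "ClusterRole", "metadata": {"name": "webapp1-role"}, "rules": [
        {"apiGroups": ["windows.k8s.io"], "resources": ["gmsacredentialspecs"], "verbs": ["use"], "resourceNames": [spec_name]}]}
    binding = {"kind": "RoleBinding", "metadata": {"name": "allow-default-svc-account", "namespace": "default"},
               "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}],
               "roleRef": {"kind": "ClusterRole", "name": "webapp1-role", "apiGroup": "rbac.authorization.k8s.io"}}
    deploy = {"kind": "Deployment", "metadata": {"name": "with-creds", "namespace": "default"},
              "spec": {"template": {"spec": {"securityContext": {"windowsOptions": {"gmsaCredentialSpecName": pod_ref}},
                                             "containers": [{"name": "iis", "image": "mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019"}]}}}}
    return credspec, role, binding, deploy
```

Run with the slides' original mix of `gmsa-WebApp1` and `gmsa-webapp1` and the checker reports both the case problem and the reference mismatch.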
25. 25
● Use an existing PersistentVolumeClaim as the
DataSource for a new PVC
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: cloned-pvc
spec:
  storageClassName: my-csi-plugin
  dataSource:
    name: existing-src-pvc-name
    kind: PersistentVolumeClaim
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
Cloning a PVC
31. 31
● Adds new fields to volume_context for
NodePublishVolumeRequest
○ csi.storage.k8s.io/pod.name: {pod.Name}
○ csi.storage.k8s.io/pod.namespace: {pod.Namespace}
○ csi.storage.k8s.io/pod.uid: {pod.UID}
○ csi.storage.k8s.io/serviceAccount.name: {pod.Spec.ServiceAccountName}
Pass Pod information in CSI calls
32. 32
● The CSIDriver object is now included manually in the driver's
manifests
● Previously the cluster-driver-registrar sidecar container was
needed: that container created the CSIDriver object automatically
Pass Pod information in CSI calls
38. 38
● Create the request
● Create the object and send to K8s
● Approve the request
○ Manual or automatic
● Associated with a private key
○ Can be held by a pod
■ Identity
■ Authorization
● Be careful who can approve requests!
CertificateSigningRequest API
39. 39
● Must be set up to serve the certificates API
● Default signer implementation in controller
manager
○ Pass CA's keypair --cluster-signing-cert-file and
--cluster-signing-key-file to controller manager
CertificateSigningRequest API
41. 41
● Generates 2 files
○ Actual request (server.csr)
○ Encoded key for the final certificate (server-key.pem)
kubectl get csr
NAME                  AGE   REQUESTOR              CONDITION
my-svc.my-namespace   10m   yourname@example.com   Pending
kubectl certificate approve my-svc.my-namespace
● Download to server.crt
kubectl get csr my-svc.my-namespace -o jsonpath='{.status.certificate}' \
  | base64 --decode > server.crt
● Use server.crt and server-key.pem as the keypair for the HTTPS
server
CertificateSigningRequest API
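The "create the object" and "download the certificate" steps from slides 38 to 41, plus the approval gate the warning on slide 38 calls for, as an added example (not code from the webinar or from Kubernetes). The PEM below is a constructed placeholder standing in for server.csr; `spec.username` is the field the API server fills in from the submitter's identity.

```python
import base64
from typing import Any, Dict, Iterable, List

# certificates.k8s.io/v1beta1 is the version served by Kubernetes 1.18.
SERVER_USAGES: List[str] = ["digital signature", "key encipherment", "server auth"]

# Constructed placeholder standing in for the server.csr file; not a real request.
SAMPLE_CSR_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n"
                  "PLACEHOLDER+BASE64+BODY+OF+A+PKCS10+REQUEST\n"
                  "-----END CERTIFICATE REQUEST-----\n")


def build_csr_object(name: str, csr_pem: str, usages: Iterable[str] = SERVER_USAGES) -> Dict[str, Any]:
    """Build the CertificateSigningRequest manifest. spec.request is the base64 of the PEM text,
    i.e. what `cat server.csr | base64 | tr -d '\\n'` produces in the shell."""
    return {
        "apiVersion": "certificates.k8s.io/v1beta1",
        "kind": "CertificateSigningRequest",
        "metadata": {"name": name},
        "spec": {"request": base64.b64encode(csr_pem.encode()).decode(), "usages": list(usages)},
    }


def decode_request(csr_obj: Dict[str, Any]) -> str:
    """Inverse of the encoding above: recover the PEM request from the object."""
    return base64.b64decode(csr_obj["spec"]["request"]).decode()


def extract_certificate(csr_obj: Dict[str, Any]) -> str:
    """What `-o jsonpath='{.status.certificate}' | base64 --decode` does: returns the signed
    certificate PEM, or '' while the request is still Pending (status.certificate absent)."""
    cert_b64 = csr_obj.get("status", {}).get("certificate")
    return base64.b64decode(cert_b64).decode() if cert_b64 else ""


def may_auto_approve(csr_obj: Dict[str, Any], trusted_requestors: Iterable[str],
                     allowed_usages: Iterable[str] = SERVER_USAGES) -> bool:
    """Gate for an automatic approver. spec.username is set by the API server from the
    submitter's authenticated identity, so it can be trusted; the usages are chosen by the
    requester, so they are checked against an allowlist. A request that also asks for
    'client auth' would produce a credential usable against the API server itself, so it
    fails the subset check and stays Pending for a human."""
    spec = csr_obj["spec"]
    if spec.get("username") not in set(trusted_requestors):
        return False
    return set(spec.get("usages", [])) <= set(allowed_usages)
```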
48. 48
● Create a K8s node on Windows
● Run Windows-based containers
○ For Windows containers get Windows Server 2019 license
(or higher)
● Control plane still runs on Linux
Kubeadm for Windows
56. 56
● Limitations for Non-Uniform Memory Access (NUMA)
● Max NUMA nodes = 8
○ Beyond that, state explosion
● Scheduler is not topology-aware
○ Placement can still fail on the node
● Only Device Manager and the CPU Manager
support Topology Manager's HintProvider interface.
○ Memory and hugepages not considered
Node Topology Manager
58. 58
● Feature parity with IPv4
● kubeadm uses the default gateway's network interface
○ as the advertise address for the API server
○ Specify kubeadm init
--apiserver-advertise-address=<ip-address> to change it
○ For example --apiserver-advertise-address=fd00::101
IPv6 support added
66. 66
● Volume ownership is changed to match the securityContext by default
● Can be slow for large volumes
● fsGroupChangePolicy
● No effect on ephemeral volumes
○ secret
○ configMap
○ ephemeral
Skip Volume Ownership Change
68. 68
● Horizontal Pod Autoscaler
● Highest recommendation in window
● Configure with
○ --horizontal-pod-autoscaler-downscale-stabilization
○ behavior.scaleDown.stabilizationWindowSeconds
● Specify periodSeconds
○ Length of time for which condition must be true
Configurable scale velocity for HPA
73. 73
● Enables federation of clusters
● Identity provider --> relying parties
● Must be OIDC compliant
● system:service-account-issuer-discovery
ClusterRole
○ No role bindings included
○ Admin binds to system:authenticated or
system:unauthenticated
Provide OIDC discovery for service account token
issuer
77. 77
● For containers with no OS / debugging
capabilities
● Provides debugging container
kubectl alpha debug -it ephemeral-demo --image=busybox --target=ephemeral-demo
Defaulting debug container name to debugger-8xzrl.
If you don't see a command prompt, try pressing enter.
/ #
Kubectl debug
82. 82
● Populate a new PVC via a CRD
● Must have a controller installed
● Same namespace
● Dynamic provisioners must support that resource
● Write your own
○ Create the PV
○ Bind it to the PVC
Generic data populators
84. 84
● Not supported in Windows
● Must be pre-allocated
● requests == limits
● Isolated at the container level
● Each container has its own limit in its cgroup sandbox, as per
the spec
● Control via ResourceQuota (like cpu or memory using
hugepages-<size> token)
● Multiple sizes
Extending the HugePage feature
87. 87
Mirantis Training - Kubernetes
training.mirantis.com
Webinar attendees! Get 15% off Mirantis training!
Use coupon code: WEBMIR2020
Kubernetes & Docker
Bootcamp I (KD100)
Learn Docker and Kubernetes to deploy, run, and manage
containerized applications
2 days
Kubernetes & Docker
Bootcamp II (KD200)
Advanced training for Kubernetes professionals,
preparation for CKA exam
3 days
Accelerated Kubernetes &
Docker Bootcamp (KD250)
Most popular course! A combination of KD100 & KD200 at
an accelerated pace, preps for the CKA exam
4 days
Kubernetes in Production
Bootcamp (KP300)
In Development Advanced training focused on
production grade architecture, operational best practices,
and cluster management.
2 days