From Confused to Proficient: Kubernetes Authentication and Scheduling

Caged Program

Code

Use the Go language to write a simple web server program, app.go, which listens on port 2580. When the root path of the service is accessed over HTTP, the service returns the string "This is a small app for kubernetes...".

package main

import (
        "github.com/gorilla/mux"
        "log"
        "net/http"
)

// about handles the root path and returns the greeting string.
func about(w http.ResponseWriter, r *http.Request) {
        w.Write([]byte("This is a small app for kubernetes...\n"))
}

func main() {
        r := mux.NewRouter()
        r.HandleFunc("/", about)
        log.Fatal(http.ListenAndServe("0.0.0.0:2580", r))
}

The compiled binary is dynamically linked against the C library of the build host, as ldd shows:

# ldd app
linux-vdso.so.1 => (0x00007ffd1f7a3000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f554fd4a000)
libc.so.6 => /lib64/libc.so.6 (0x00007f554f97d000)
/lib64/ld-linux-x86-64.so.2 (0x00007f554ff66000)

Cage

To make this program independent from the library files in the operating system, create a container image, that is, an isolated running environment.

  1. Download the base image of CentOS.
  2. Save the executable file of the app to the /usr/local/bin directory of the image.

FROM centos
ADD app /usr/local/bin

Address

After the created image is stored in a local directory, upload it to the image repository, which is equivalent to an app store. You can use an image repository of Alibaba Cloud. After the upload, the image address changes to the following.

registry.cn-hangzhou.aliyuncs.com/kube-easy/app:latest

Get In

Portal

Like a conventional operating system, Kubernetes exposes an API. That API is the portal through which everything in the cluster is accessed.

API Server intranet endpoint: https://xx.xxx.xxx.xxx:6443

Bidirectional Digital Certificate Verification

The API server of Alibaba Cloud Kubernetes uses CA-signed certificates for bidirectional (mutual) verification: the client checks the server's certificate and the server checks the client's. The following sections walk through this for beginners.

KubeConfig File

Log on to the cluster management console to obtain the KubeConfig file. The file contains a client certificate and a cluster CA certificate. Since the certificates are Base64-encoded, decode them with base64 and inspect them with OpenSSL.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 787224 (0xc0318)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=c0256a3b8e4b948bb9c21e66b0e1d9a72, OU=default, CN=c0256a3b8e4b948bb9c21e66b0e1d9a72
        Validity
            Not Before: Nov 29 06:03:00 2018 GMT
            Not After : Nov 28 06:08:39 2021 GMT
        Subject: O=system:users, OU=, CN=252771643302762862
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2184578451551960857 (0x1e512e86fcba3f19)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=c0256a3b8e4b948bb9c21e66b0e1d9a72, OU=default, CN=c0256a3b8e4b948bb9c21e66b0e1d9a72
        Validity
            Not Before: Nov 29 03:59:00 2018 GMT
            Not After : Nov 29 04:14:23 2019 GMT
        Subject: CN=kube-apiserver

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 786974 (0xc021e)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba, OU=ACS, CN=root
        Validity
            Not Before: Nov 29 03:59:00 2018 GMT
            Not After : Nov 24 04:04:00 2038 GMT
        Subject: O=c0256a3b8e4b948bb9c21e66b0e1d9a72, OU=default, CN=c0256a3b8e4b948bb9c21e66b0e1d9a72

Access

After understanding the principle, perform a simple test. Passing the certificates as parameters, use cURL to access the API server and obtain the expected result.

# curl --cert ./client.crt --cacert ./ca.crt --key ./client.key https://xx.xx.xx.xxx:6443/api/
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "192.168.0.222:6443"
    }
  ]
}
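The cURL call above exercises both directions of the verification: --cacert makes the client check the server certificate, and --cert/--key let the server check the client. The following Go program is an added example, not code from the article, that reproduces the same exchange offline: it generates a cluster CA, an API-server certificate and a client certificate with the subject from the article's KubeConfig (O=system:users, CN=252771643302762862), stands up a loopback TLS server that requires a client certificate, and records how that server answers a valid client, a client with no certificate, and a client whose certificate has the same subject but was signed by a CA the cluster does not trust. The handler maps CN to the user name and O to groups, which is how the Kubernetes API server derives identity from a client certificate. All keys, certificates and names are generated in the program; nothing is read from a real cluster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue generates a key and certificate for subject signed by parent (self-signed when parent is nil)
// and returns a tls.Certificate whose Leaf is the parsed certificate. ekus limits what the certificate
// may be used for; a CA passes nil and may then sign anything. Demo code: generation failures panic.
func issue(subject pkix.Name, isCA bool, ekus []x509.ExtKeyUsage, parent *tls.Certificate) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: subject, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: ekus,
		DNSNames: []string{subject.CommonName}, // lets the client verify the server by name
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signKey := tmpl, any(key)
	if parent != nil {
		signer, signKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // just produced by the library, so it parses
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// newMTLSServer starts a loopback HTTPS server that, like the API server, presents its own certificate
// and refuses any client whose certificate does not chain to clusterCAs; CN becomes user, O becomes groups.
func newMTLSServer(clusterCAs *x509.CertPool, server *tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c := r.TLS.PeerCertificates[0] // already verified against ClientCAs by the TLS layer
		fmt.Fprintf(w, "user=%s groups=%v", c.Subject.CommonName, c.Subject.Organization)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{*server}, ClientCAs: clusterCAs,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv
}

// call is the client side: trust roots, present client's certificate if given, return body or "rejected: ...".
func call(url string, roots *x509.CertPool, client *tls.Certificate) string {
	cfg := &tls.Config{RootCAs: roots, ServerName: "kube-apiserver", MinVersion: tls.VersionTLS12}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return "rejected: " + err.Error()
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return string(body)
}

// runScenario builds the cluster CA, the API-server certificate, the article's client subject and an
// untrusted second CA, then records how the server answers a valid, a missing and a forged client certificate.
func runScenario() map[string]string {
	user := pkix.Name{Organization: []string{"system:users"}, CommonName: "252771643302762862"}
	clusterCA := issue(pkix.Name{CommonName: "cluster-ca"}, true, nil, nil)
	otherCA := issue(pkix.Name{CommonName: "other-ca"}, true, nil, nil)
	clients := map[string]*tls.Certificate{
		"valid":  issue(user, false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, clusterCA),
		"none":   nil,
		"forged": issue(user, false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, otherCA), // wrong issuer
	}
	roots := x509.NewCertPool()
	roots.AddCert(clusterCA.Leaf)
	srv := newMTLSServer(roots, issue(pkix.Name{CommonName: "kube-apiserver"}, false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, clusterCA))
	defer srv.Close()
	results := map[string]string{}
	for kind, c := range clients {
		results[kind] = call(srv.URL+"/api/", roots, c)
	}
	return results
}

func main() {
	fmt.Println(runScenario())
}
```

Only the client whose certificate chains to the cluster CA gets a response; the other two fail during the handshake, before any request reaches the handler. This is also why the article's curl call needs all three files: --cacert protects the client from talking to an impostor server, and --cert/--key are what the server's RequireAndVerifyClientCert check demands.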

Best Choice

Two Types of Nodes and One Type of Tasks

As mentioned at the beginning, Kubernetes is an operating system that manages multiple nodes in a cluster. The roles of these nodes in the cluster need not be the same: a Kubernetes cluster has two types of nodes, master nodes and worker nodes.

Best Choice

The scheduling algorithm has to solve this problem by selecting a suitable "residence" for the pod, so that the task the pod defines runs on that node.

Pod Configuration

First, create a pod configuration file in JSON format. The configuration file has three key points: the image address, the command, and the container port.

{
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "app"
    },
    "spec": {
        "containers": [
            {
                "name": "app",
                "image": "registry.cn-hangzhou.aliyuncs.com/kube-easy/app:latest",
                "command": [
                    "app"
                ],
                "ports": [
                    {
                        "containerPort": 2580
                    }
                ]
            }
        ]
    }
}

Log Level

The cluster scheduling algorithm is implemented as a system component running on the master node, similar to the API server. The corresponding process is kube-scheduler, and it supports log output at multiple verbosity levels, although the community does not document in detail what each level prints. To see how the scheduling algorithm filters and scores nodes, raise the log level to 10 by adding the parameter --v=10.

kube-scheduler --address=127.0.0.1 --kubeconfig=/etc/kubernetes/scheduler.conf --leader-elect=true --v=10

Pod Creation

Using cURL, the certificate, and the pod configuration file as parameters, send a POST request to access the API server interface and create the corresponding pod in the cluster.

# curl -X POST -H 'Content-Type: application/json;charset=utf-8' --cert ./client.crt --cacert ./ca.crt --key ./client.key https://47.110.197.238:6443/api/v1/namespaces/default/pods -d@app.json

Pre-selection

Pre-selection is the first phase of Kubernetes scheduling: it filters out the nodes that do not meet the conditions according to pre-defined rules. The pre-selection rules implemented by Kubernetes vary greatly between versions, but the trend is that they keep growing richer.

Preference

Preference is the second phase of the scheduling algorithm, where kube-scheduler scores the remaining nodes based on the available resources and other rules of the nodes.

Scores

Finally, the scheduling algorithm multiplies all score items by their weight and then sums the result to get the final score for each node. The test cluster uses the default scheduling algorithm that sets the weight to 1 for the score items in the logs. Therefore, if the scores are calculated based on the score items recorded in the logs, the final scores of the three nodes are 29, 28, and 29.
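To make the two phases and the weighted sum concrete, here is an added Go example (not code from the article or from kube-scheduler) that runs a pod through a miniature version of the same pipeline over a constructed cluster of four nodes: two pre-selection rules (enough free CPU and memory; the requested host port not already taken, assuming for the example that the app also binds host port 2580), then two preference rules scored 0 to 10 in the style of the classic kube-scheduler LeastRequestedPriority and BalancedResourceAllocation priorities, each with weight 1 as in the article's test cluster, and finally the weighted sum per node. The node capacities, existing requests and the pod's requests are all constructed sample values.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Node is a constructed snapshot of a worker: allocatable capacity (millicores and MiB), what pods
// already scheduled there have requested, and the host ports those pods occupy.
type Node struct {
	Name           string
	CPU, Mem       int64
	ReqCPU, ReqMem int64
	UsedHostPorts  map[int]bool
}

// Pod carries only what the rules below need: resource requests and an optional host port.
type Pod struct {
	Name     string
	CPU, Mem int64
	HostPort int // 0 when the pod does not bind a host port
}

type Predicate struct {
	Name string
	Fits func(p Pod, n Node) bool
}

type Priority struct {
	Name   string
	Weight int
	Score  func(p Pod, n Node) int // 0..10, like the classic kube-scheduler priorities
}

// Pre-selection rules: the node must have room for the pod's requests, and the pod's host port
// must not already be in use on the node.
var predicates = []Predicate{
	{"PodFitsResources", func(p Pod, n Node) bool {
		return n.ReqCPU+p.CPU <= n.CPU && n.ReqMem+p.Mem <= n.Mem
	}},
	{"PodFitsHostPorts", func(p Pod, n Node) bool {
		return p.HostPort == 0 || !n.UsedHostPorts[p.HostPort]
	}},
}

// leastRequested is the classic per-resource formula: (capacity - requested) * 10 / capacity.
func leastRequested(capacity, requested int64) int64 { return (capacity - requested) * 10 / capacity }

// Preference rules. LeastRequested favours idle nodes; BalancedResourceAllocation favours nodes whose
// CPU and memory utilisation would end up similar, so neither resource is stranded.
var priorities = []Priority{
	{"LeastRequestedPriority", 1, func(p Pod, n Node) int {
		return int((leastRequested(n.CPU, n.ReqCPU+p.CPU) + leastRequested(n.Mem, n.ReqMem+p.Mem)) / 2)
	}},
	{"BalancedResourceAllocation", 1, func(p Pod, n Node) int {
		cpu := float64(n.ReqCPU+p.CPU) / float64(n.CPU)
		mem := float64(n.ReqMem+p.Mem) / float64(n.Mem)
		return int((1 - math.Abs(cpu-mem)) * 10)
	}},
}

// NodeScore records each score item and the weighted total for one feasible node.
type NodeScore struct {
	Node  string
	Items map[string]int
	Total int
}

// schedule runs pre-selection, then preference, and returns the feasible nodes ranked by total score
// together with the nodes that were filtered out and the rule that rejected each of them.
func schedule(p Pod, nodes []Node) (ranked []NodeScore, filtered map[string]string) {
	filtered = map[string]string{}
nextNode:
	for _, n := range nodes {
		for _, pr := range predicates {
			if !pr.Fits(p, n) {
				filtered[n.Name] = pr.Name
				continue nextNode
			}
		}
		s := NodeScore{Node: n.Name, Items: map[string]int{}}
		for _, pri := range priorities {
			s.Items[pri.Name] = pri.Score(p, n)
			s.Total += pri.Score(p, n) * pri.Weight // multiply each item by its weight, then sum
		}
		ranked = append(ranked, s)
	}
	sort.SliceStable(ranked, func(i, j int) bool { return ranked[i].Total > ranked[j].Total })
	return ranked, filtered
}

// sampleCluster returns the constructed pod and nodes used by main and the test.
func sampleCluster() (Pod, []Node) {
	pod := Pod{Name: "app", CPU: 500, Mem: 256, HostPort: 2580}
	return pod, []Node{
		{Name: "node-a", CPU: 4000, Mem: 8192, ReqCPU: 1000, ReqMem: 2048, UsedHostPorts: map[int]bool{}},
		{Name: "node-b", CPU: 4000, Mem: 8192, ReqCPU: 3800, ReqMem: 1024, UsedHostPorts: map[int]bool{}},
		{Name: "node-c", CPU: 2000, Mem: 4096, ReqCPU: 500, ReqMem: 1024, UsedHostPorts: map[int]bool{2580: true}},
		{Name: "node-d", CPU: 4000, Mem: 8192, ReqCPU: 2000, ReqMem: 1024, UsedHostPorts: map[int]bool{}},
	}
}

func main() {
	pod, nodes := sampleCluster()
	ranked, filtered := schedule(pod, nodes)
	for name, rule := range filtered {
		fmt.Printf("filtered %s: failed %s\n", name, rule)
	}
	for _, s := range ranked {
		fmt.Printf("%s: %v total=%d\n", s.Node, s.Items, s.Total)
	}
}
```

With the sample data, node-b is dropped in pre-selection because the pod's CPU request no longer fits, node-c because host port 2580 is taken, and of the two survivors node-a scores 15 against node-d's 10, so node-a is chosen. When several nodes tie on the top score, the real scheduler picks one of them rather than always the first.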

Conclusion

This article used a simple containerized web program as an example to analyze how the API server of a Kubernetes cluster authenticates a client and how the scheduler allocates container applications to appropriate nodes.

Alibaba Cloud
