Get to Know Kubernetes | Application Configuration Management


1) Need

Background

First, let’s look at the needs this solution addresses. Before a container image can be used to start a container, several issues must be taken care of.

  • Storage and usage of sensitive information: for example, applications may need passwords or tokens.
  • Access to the cluster by a container: for example, a container that needs to access kube-apiserver must authenticate its identity.
  • Resource requirements of a container once it runs on a node.
  • Security control for containers that share the kernel of a node.
  • Prerequisite checks before container startup: for example, checking whether the DNS service or the network is available before starting a container.

Pod Configuration Management

The following figure shows pod configuration management in Kubernetes.

  • Secret: The Sensitive Information
  • ServiceAccount: The Identity Authentication
  • Resources: The Resource Configuration
  • SecurityContext: The Security Control
  • Init Container: The Prerequisite Verification

2) ConfigMap

ConfigMap Introduction

This section introduces the functions and benefits of ConfigMap. A ConfigMap manages variable configuration such as configuration files, environment variables inside the container, and command-line parameters.


ConfigMap Creation

We recommend running the kubectl command to create a ConfigMap. The command takes a NAME and a DATA argument, where DATA may specify a file, a directory, or key-value pairs. The following figure shows an example.


ConfigMap Usage

  • Use a ConfigMap to configure command-line parameters. The command-line parameter is SPECIAL_LEVEL_KEY: it is obtained from the first line of the environment variables and then used in the cmd command.
  • Mount the ConfigMap as a volume into a directory of a container. In the preceding example, the content of the ConfigMap named special-config is mounted to the /etc/config directory in the container.
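The two usage patterns above in one manifest, as an added example that is not from the original article: a ConfigMap named special-config is consumed as an environment variable, as a command-line argument expanded from that variable, and as files mounted under /etc/config. The keys, values and image tag are constructed for the example.

```yaml
# Added example (not from the original article); keys, values and image are constructed.
apiVersion: v1
kind: ConfigMap
metadata:
  name: special-config
data:
  special.level: "very"            # plain key-value pair
  app.properties: |                # a whole file, mounted as /etc/config/app.properties
    log.level=info
    feature.x=true
---
apiVersion: v1
kind: Pod
metadata:
  name: configmap-demo
spec:
  restartPolicy: Never
  containers:
  - name: app
    image: busybox:1.36
    # $(SPECIAL_LEVEL_KEY) is expanded by Kubernetes from the env var before the shell runs
    command: ["/bin/sh", "-c", "echo level=$(SPECIAL_LEVEL_KEY); cat /etc/config/app.properties"]
    env:
    - name: SPECIAL_LEVEL_KEY
      valueFrom:
        configMapKeyRef:
          name: special-config     # the ConfigMap defined above
          key: special.level
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config       # every key of the ConfigMap becomes a file here
      readOnly: true
  volumes:
  - name: config-volume
    configMap:
      name: special-config
```

Because ConfigMap data is not secret, anything that must stay confidential belongs in a Secret (next section) rather than here.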

Notes

Pay attention to the following points while using ConfigMap:

3) Secret

Secret Introduction

A Secret is a resource object used to store sensitive information such as passwords and tokens. The sensitive information is stored Base64-encoded. The following figure shows how Secret data is defined.

  • service-account-token: authenticates the ServiceAccount identity
  • dockerconfigjson: pulls images from a private image registry
  • bootstrap.token: verifies node access to the cluster

Secret Creation

  • Created by users: We recommend running the kubectl command to create Secret data. The command for creating a Secret has one more parameter than the command for creating a ConfigMap: type. The data field specifies the file or key-value pairs. If the type field is not set, the default value is Opaque.

Secret Usage

In a pod, Secret data is mounted as a volume into a specified directory of a container, and the business process in the container reads the Secret data from that directory. In addition, a Secret is referenced when pulling images from a private image registry.

  • As shown on the right of the preceding figure, the system automatically generates a serviceaccount secret and mounts it to the /var/run/secrets/kubernetes.io/serviceaccount directory in the container. Two files containing authentication information, ca.crt and token, are generated.

Using a Private Image Registry

Let’s look at how to use a private image registry through a Secret. Information about the private image registry is stored in the Secret. To pull images from the private registry, configure the Secret in one of the following two ways.

  • The other way is to inject the Secret automatically: configure imagePullSecrets in the ServiceAccount used by the pod, and the system automatically injects the value of imagePullSecrets into the pod.
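An added example, not from the original article, covering the Secret creation and usage described above: an Opaque Secret mounted as files into a pod, plus a ServiceAccount whose imagePullSecrets are injected into that pod for pulling from a private registry. The credential values, registry name and Secret names are constructed; the regcred Secret (type kubernetes.io/dockerconfigjson) is assumed to exist already. Note that Base64 is an encoding, not encryption: anyone allowed to read the Secret object can decode it.

```yaml
# Added example (not from the original article); all values are constructed placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
type: Opaque                      # the default type when none is given
data:
  username: YWRtaW4=              # base64("admin")
  password: czNjcjN0LXBhc3M=      # base64("s3cr3t-pass"), decodable by any reader of the Secret
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-demo
spec:
  serviceAccountName: app-sa      # the ServiceAccount below supplies imagePullSecrets
  containers:
  - name: app
    image: registry.example.com/team/app:1.0   # private registry, placeholder name
    volumeMounts:
    - name: creds
      mountPath: /etc/db-creds    # files /etc/db-creds/username and /etc/db-creds/password
      readOnly: true
  volumes:
  - name: creds
    secret:
      secretName: db-credentials
      defaultMode: 0400           # readable only by the file owner inside the container
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
imagePullSecrets:
- name: regcred                   # kubernetes.io/dockerconfigjson Secret, created separately
```

Mounting the Secret as a volume rather than exposing it through env vars keeps the values out of `kubectl describe pod` output and crash dumps that print the environment.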

Notes

Pay attention to the following points while using Secret:

4) ServiceAccount

ServiceAccount Introduction

ServiceAccount authenticates the identity of a pod in a cluster. The identity authentication information is stored in Secret.


Example: Applications in a Pod Access the Pod’s Kubernetes Cluster

This section describes how a pod uses its ServiceAccount and the associated Secret to access the Kubernetes cluster it runs in.

  • Bearer Token, which authenticates the pod identity: on the server side, the token field is used to authenticate the pod.
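The access path described above, as an added example that is not from the original article: a ServiceAccount bound by RBAC to read-only access on pods in its own namespace, and a pod that presents the mounted token as a Bearer token to kube-apiserver, verifying the server with the mounted ca.crt. The names, namespace (default) and image tag are assumptions.

```yaml
# Added example (not from the original article); names, namespace and image tag are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-reader
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]               # least privilege: read pods in this namespace only
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader
subjects:
- kind: ServiceAccount
  name: pod-reader
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: sa-demo
spec:
  serviceAccountName: pod-reader
  automountServiceAccountToken: true   # set to false for pods that never call the API
  restartPolicy: Never
  containers:
  - name: client
    image: curlimages/curl:8.5.0
    command: ["/bin/sh", "-c"]
    args:
    - |
      SA=/var/run/secrets/kubernetes.io/serviceaccount
      TOKEN=$(cat "$SA/token")         # bearer token the server checks
      NS=$(cat "$SA/namespace")
      curl -sS --cacert "$SA/ca.crt" \
        -H "Authorization: Bearer $TOKEN" \
        "https://kubernetes.default.svc/api/v1/namespaces/$NS/pods"
```

Without the RoleBinding the same request returns 403, which is the expected result for a pod that has not been granted any permissions.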

5) Resources

Container Resource Management

This section describes how to manage resource configurations for a container.


Pod QoS Configuration

Based on the CPU and memory resource demands of its containers, a pod is assigned one of three quality of service (QoS) classes: Guaranteed, Burstable, and BestEffort.

  • Burstable: at least one container has a request for CPU and memory.
  • BestEffort: any pod that is neither Guaranteed nor Burstable.
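Three pods, one per QoS class, as an added example that is not from the original article. Kubernetes derives the class from the requests and limits; the image tag and values are constructed.

```yaml
# Added example (not from the original article); values and image tag are constructed.
apiVersion: v1
kind: Pod
metadata:
  name: qos-guaranteed
spec:
  containers:
  - name: app
    image: nginx:1.25
    resources:            # every container: CPU and memory limits set and equal to requests
      requests: {cpu: "500m", memory: "256Mi"}
      limits:   {cpu: "500m", memory: "256Mi"}
---
apiVersion: v1
kind: Pod
metadata:
  name: qos-burstable
spec:
  containers:
  - name: app
    image: nginx:1.25
    resources:            # requests present, but limits do not match them
      requests: {cpu: "100m", memory: "128Mi"}
      limits:   {memory: "512Mi"}
---
apiVersion: v1
kind: Pod
metadata:
  name: qos-besteffort
spec:
  containers:
  - name: app
    image: nginx:1.25     # no requests or limits: evicted first under node memory pressure
```

After applying, `kubectl get pod qos-burstable -o jsonpath='{.status.qosClass}'` prints the class the scheduler assigned, which is the quickest way to confirm a workload is not unintentionally BestEffort.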

6) SecurityContext

SecurityContext Introduction

SecurityContext restricts the behavior of containers to protect both the system and the containers. This capability is not implemented by Kubernetes or the container runtime themselves: a SecurityContext is configured by users, passed down to the kernel, and enforced through kernel mechanisms. The following briefly describes its content.

  • Pod level, which applies to all containers in a pod
  • Cluster level, which is the PodSecurityPolicy (PSP) and applies to all pods in a cluster
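A pod that sets SecurityContext at both the pod level and the container level, as an added example that is not from the original article. Each setting maps to a kernel mechanism (user/group IDs, capabilities, seccomp, read-only mounts). The image and the UID are assumptions; the emptyDir volume gives nginx the only writable path it needs once the root filesystem is read-only.

```yaml
# Added example (not from the original article); image and UID are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: securitycontext-demo
spec:
  securityContext:                 # pod level: applies to every container in the pod
    runAsNonRoot: true             # kubelet refuses to start the container as UID 0
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001                 # group ownership applied to mounted volumes
    seccompProfile:
      type: RuntimeDefault         # syscall filter from the runtime's default profile
  containers:
  - name: web
    image: nginxinc/nginx-unprivileged:1.25
    securityContext:               # container level: overrides or extends the pod level
      allowPrivilegeEscalation: false   # no setuid/setgid gains (no_new_privs)
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]              # Linux capabilities removed from the container
    volumeMounts:
    - name: tmp
      mountPath: /tmp              # pid file and temp dirs of the unprivileged image
  volumes:
  - name: tmp
    emptyDir: {}
```

If the image insists on running as root, the pod stays in CreateContainerConfigError with a message naming runAsNonRoot, which makes the violation visible rather than silently running privileged.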

7) Init Container

Init Container Introduction

The differences between Init Containers and ordinary containers are as follows:

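The prerequisite-check use case from the Background section (verify that a DNS name resolves before the application starts), as an added example that is not from the original article. The service name db and the image tags are assumptions; the init container must exit successfully before the app container is started.

```yaml
# Added example (not from the original article); service name and image tags are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: init-demo
spec:
  initContainers:
  - name: wait-for-db
    image: busybox:1.28
    # Runs to completion before any app container starts. Until the name resolves the pod
    # stays in Init:0/1, so a missing dependency is visible in `kubectl get pods`.
    command:
    - sh
    - -c
    - until nslookup db.default.svc.cluster.local; do echo "waiting for db"; sleep 2; done
  containers:
  - name: app
    image: busybox:1.28
    command: ["sh", "-c", "echo db is resolvable, starting; sleep 3600"]
```

Init containers can also run with their own securityContext and resources, so a check that needs extra privileges does not force the long-running app container to carry them.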

Summary

The following pointers summarize the overall course:

  • The pod identity authentication section described the associations between ServiceAccount and Secret, analyzed the pod identity authentication process and implementation details by looking at the source code, and introduced pod permission management (RBAC configuration management).
  • The container resources and security sections introduced the configurations of common resource types (CPU and memory) for containers, described pod QoS types in detail, and briefly described the valid levels and permission configuration items of SecurityContext.
  • The Init Container section introduced the differences between Init Containers and common containers and used examples to describe the usage of Init Containers.

Original Source:
