Difference between revisions of "Kubernetes"
Latest revision as of 09:12, 18 July 2023
- Kubernetes/Amazon EKS
- Kubernetes/ArgoCD
- Kubernetes/ConfigMap and Secrets
- Kubernetes/Container Runtimes OCI
- Kubernetes/DNS
- Kubernetes/Deployment, ReplicaSet and Pod
- Kubernetes/Echoserver
- Kubernetes/Google GKE
- Kubernetes/Helm
- Kubernetes/Ingress controller
- Kubernetes/Install Master and nodes
- Kubernetes/Istio
- Kubernetes/Istio-logs-default-install
- Kubernetes/Istio/Observability
- Kubernetes/Jobs,CronJob
- Kubernetes/Kind
- Kubernetes/Kubelet
- Kubernetes/Kustomize
- Kubernetes/Monitoring
- Kubernetes/Networking
- Kubernetes/Progressive Delivery Flux and Flagger
- Kubernetes/Rancher
- Kubernetes/Requests and Limits, units
- Kubernetes/Resources,Objects and API
- Kubernetes/Resources and Limits
- Kubernetes/SAN-Storage
- Kubernetes/Scheduling
- Kubernetes/Security and RBAC
- Kubernetes/Storage
- Kubernetes/Tilt
- Kubernetes/Tools
- Kubernetes/external-dns
- Kubernetes/minikube
Common ports
- Docker
TCP :2375 - dockerd plain HTTP API (no TLS, no authentication; anyone who can reach it can start a privileged container and therefore has root on the host)
TCP :2376 - dockerd HTTPS API (TLS, normally with client-certificate verification)
- Kubernetes
Control-plane node(s)
Protocol | Direction | Port | Purpose | UsedBy |
---|---|---|---|---|
TCP | Inbound | 443 | Kubernetes API Server (the port most managed control planes such as EKS and GKE expose) | Worker nodes, API requests and End-Users |
TCP | Inbound | 6443 | Kubernetes API Server (kubeadm default; overridable with --apiserver-bind-port) | All |
TCP | Inbound | 8080 | Kubernetes API Server insecure port (plain HTTP, no authentication or authorization). Legacy only: disabled since v1.20 and the --insecure-port flag removed in v1.24 | Legacy local clients |
TCP | Inbound | 2379-2380 | etcd client API (2379) and peer API (2380) | kube-apiserver, etcd |
TCP | Inbound | 10250 | Kubelet API (TLS, authenticated); accepts connections from the API server | Self, Control plane |
TCP | Inbound | 10255 | Kubelet read-only API (plain HTTP, unauthenticated); exposes pod specs and node state. Disabled on EKS; on GKE disabled by default from 31-01-2024 (version 1.29) | Self, Control plane |
TCP | Inbound | 10251 | kube-scheduler legacy insecure (HTTP) port; the secure port is 10259 and the insecure one is removed in current releases | Self |
TCP | Inbound | 10252 | kube-controller-manager legacy insecure (HTTP) port; the secure port is 10257 and the insecure one is removed in current releases | Self |
etcd holds the whole cluster state, Secrets included (plaintext unless encryption at rest is configured), so 2379 should only be reachable by the API server, with a client certificate.
Worker node(s)
Protocol | Direction | Port | Purpose | UsedBy |
---|---|---|---|---|
TCP | Inbound | 10250 | Kubelet API (TLS, authenticated) | Self, Control plane |
TCP | Inbound | 10255 | Kubelet read-only API (plain HTTP, unauthenticated); same caveats as on the control plane | Self |
TCP | Inbound | 10256 | kube-proxy health check endpoint | Self, Load balancers |
TCP | Inbound | 30000-32767 | NodePort Services (default range) | All |
UDP | Inbound | 8285 | flannel overlay network, udp backend (default) | |
UDP | Inbound | 8472 | flannel overlay network, vxlan backend | |
TCP | Inbound | 179 | Calico BGP network, BGP backend | |
TCP | Inbound | 2379-2380 | etcd client API, only if flannel or Calico are configured to use etcd directly as their datastore | |
Others
127.0.0.1:<random port> (e.g. 45039) - CRI (Container Runtime Interface) streaming server, used by kubectl exec/attach/port-forward. It binds to loopback only and the kubelet proxies requests to it; with the dockershim (removed in v1.24) this server was built into the kubelet itself.
Kubernetes curls - most components expose health and metrics endpoints on their listening port:
curl localhost:<port>/healthz
curl localhost:<port>/metrics
curl localhost:<port>/api (API server only)
Kubernetes components
Core components
- kube-proxy
- It is responsible for forwarding traffic sent to Service IPs (ClusterIP, NodePort) on to the backend pods. The name is misleading: in its default iptables mode it is not a real proxy. It programs iptables rules in the nat table and lets the Linux kernel do the work. Each Service gets its own chain with one rule per backend pod; the rules use the statistic match in random mode with probabilities 1/N, 1/(N-1), ..., 1, so that each backend receives an equal share of new connections. The selected backend's rule then DNATs the packet (destination IP and port, i.e. NAT and PAT) to the pod IP:port before it is sent on to the pod.
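To make the iptables mechanism concrete, here is an added example (not kube-proxy's own code) that emits rules in the shape kube-proxy writes for one ClusterIP Service and then replays the service chain top-down, the way netfilter evaluates it, to show that the descending probabilities 1/3, 1/2, 1 really give each pod a third of the traffic. The chain names, ClusterIP and pod addresses are constructed for illustration; the `traffic_shares` parser also works on real `iptables-save -t nat` output, which is the quick way to audit how a Service is actually being spread.

```python
import re
from typing import Dict, List

# Constructed sample (not from a real cluster): one ClusterIP Service with
# three backend pods. Chain names and addresses are illustrative.
SERVICE_CHAIN = "KUBE-SVC-EXAMPLE"
CLUSTER_IP = "10.96.0.10"
SERVICE_PORT = 80
ENDPOINTS = ["10.244.1.5:8080", "10.244.2.7:8080", "10.244.3.9:8080"]


def kube_proxy_rules(svc_chain: str, cluster_ip: str, port: int, endpoints: List[str]) -> List[str]:
    """Emit iptables-save style rules in the shape kube-proxy (iptables mode)
    writes for one ClusterIP Service.

    The service chain gets one rule per endpoint. Rule i (0-based) of N
    carries a statistic/random match with probability 1/(N-i); the last rule
    has no match and catches whatever is left. Each endpoint chain DNATs the
    packet to the pod's IP:port (the NAT + PAT step).
    """
    n = len(endpoints)
    rules = [f"-A KUBE-SERVICES -d {cluster_ip}/32 -p tcp -m tcp --dport {port} -j {svc_chain}"]
    for i, ep in enumerate(endpoints):
        sep = f"KUBE-SEP-{i + 1}"
        remaining = n - i
        if remaining > 1:
            rules.append(f"-A {svc_chain} -m statistic --mode random --probability {1 / remaining:.5f} -j {sep}")
        else:
            rules.append(f"-A {svc_chain} -j {sep}")
        rules.append(f"-A {sep} -p tcp -m tcp -j DNAT --to-destination {ep}")
    return rules


_PROB = re.compile(r"--probability\s+([0-9.]+)")
_TARGET = re.compile(r"-j\s+(\S+)")
_DNAT = re.compile(r"--to-destination\s+(\S+)")


def traffic_shares(rules: List[str], svc_chain: str) -> Dict[str, float]:
    """Replay the service chain top-down, the way netfilter evaluates it, and
    return the share of new connections each pod IP:port ends up receiving."""
    dnat_target: Dict[str, str] = {}
    for r in rules:
        m = _DNAT.search(r)
        if m:
            dnat_target[r.split()[1]] = m.group(1)  # chain name follows "-A"
    shares: Dict[str, float] = {}
    remaining = 1.0  # fraction of traffic that has not matched a rule yet
    for r in rules:
        if not r.startswith(f"-A {svc_chain} "):
            continue
        target = _TARGET.search(r).group(1)
        m = _PROB.search(r)
        p = float(m.group(1)) if m else 1.0  # last rule has no probability match
        shares[dnat_target[target]] = remaining * p
        remaining *= 1.0 - p
    return shares


if __name__ == "__main__":
    generated = kube_proxy_rules(SERVICE_CHAIN, CLUSTER_IP, SERVICE_PORT, ENDPOINTS)
    print("\n".join(generated))
    for pod, share in traffic_shares(generated, SERVICE_CHAIN).items():
        print(f"{pod}: {share:.4f}")
```

The rules are a simplification (real kube-proxy adds comment matches, a KUBE-MARK-MASQ rule for hairpin traffic and longer probability strings), but the chain walk is the same: because each rule only sees the traffic the earlier rules did not take, 1/3 of everything, then 1/2 of the remaining 2/3, then all of the final 1/3 gives three equal shares.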
Container runtimes
Since v1.6.0 Kubernetes has enabled the CRI (Container Runtime Interface) by default. The kubelet talks to the runtime over a Unix socket:
- Docker: /var/run/docker.sock (through the dockershim, removed in v1.24; Docker Engine now needs cri-dockerd)
- CRI-O: /var/run/crio/crio.sock
- containerd: /run/containerd/containerd.sock
Whoever can write to one of these sockets can start a privileged container on the node, so they are root-equivalent; mounting one into a pod via hostPath is a container escape, not a convenience.
Kubernetes Entrypoint and Cmd
Docker allows you to define an Entrypoint and a Cmd, which you can mix and match in a Dockerfile. Entrypoint is the executable and Cmd are the arguments passed to the Entrypoint. The Dockerfile schema is quite lenient and allows users to set Cmd without Entrypoint, in which case the first element of Cmd is the executable to run.
Kubernetes uses a different naming convention: the Kubernetes field command corresponds to Docker Entrypoint and the Kubernetes field args corresponds to Docker Cmd.
Description | Docker field name | Kubernetes field name |
---|---|---|
The command run by the container | entrypoint | command: |
Arguments passed to the command | cmd | args: |
Common Kubernetes overrides to keep a container alive for debugging (setting command replaces the image's Entrypoint and drops its Cmd):
command: ["tail", "-f", "/dev/null"]
or
command: ["sleep", "infinity"]
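The override rules are easy to get wrong (setting only command silently discards the image's Cmd, setting only args keeps the Entrypoint), so here is an added example, not code from the page or from Kubernetes, that parses ENTRYPOINT/CMD out of a constructed Dockerfile and resolves the argv a container will actually start with under each combination of command and args. The Dockerfile content and the binary path in it are made up for illustration.

```python
import json
from typing import List, Optional, Tuple

# Constructed Dockerfile (not from any real image), used as the sample input.
DOCKERFILE = """\
FROM alpine:3.19
ENTRYPOINT ["/usr/local/bin/app"]
CMD ["--listen", ":8080"]
"""


def parse_dockerfile(text: str) -> Tuple[Optional[List[str]], Optional[List[str]]]:
    """Return (ENTRYPOINT, CMD) as argv lists. Exec form (JSON array) is used
    verbatim; shell form becomes what Docker really runs: /bin/sh -c "<line>".
    If an instruction appears more than once the last one wins, as in Docker."""
    entrypoint = cmd = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        key = key.upper()
        if key not in ("ENTRYPOINT", "CMD"):
            continue
        rest = rest.strip()
        value = json.loads(rest) if rest.startswith("[") else ["/bin/sh", "-c", rest]
        if key == "ENTRYPOINT":
            entrypoint = value
        else:
            cmd = value
    return entrypoint, cmd


def effective_command(image_entrypoint: Optional[List[str]], image_cmd: Optional[List[str]],
                      command: Optional[List[str]] = None,
                      args: Optional[List[str]] = None) -> List[str]:
    """Resolve the argv a container starts with, following the Kubernetes
    container-spec rules for command/args versus the image's ENTRYPOINT/CMD:
      - neither command nor args set: image ENTRYPOINT + image CMD
      - only args set:                image ENTRYPOINT + args (image CMD dropped)
      - only command set:             command alone (image CMD is NOT appended)
      - both set:                     command + args
    """
    if command is None and args is None:
        return list(image_entrypoint or []) + list(image_cmd or [])
    if command is None:
        return list(image_entrypoint or []) + list(args or [])
    return list(command) + list(args or [])


if __name__ == "__main__":
    ep, cmd = parse_dockerfile(DOCKERFILE)
    print("image default:   ", effective_command(ep, cmd))
    print("args only:       ", effective_command(ep, cmd, args=["--listen", ":9090"]))
    print("command only:    ", effective_command(ep, cmd, command=["/bin/sh", "-c"]))
    print("debug keep-alive:", effective_command(ep, cmd, command=["sleep"], args=["infinity"]))
```

The last case is the tail -f /dev/null or sleep infinity override from above: because command is set, the image's Entrypoint and Cmd are both ignored. The same mechanism is why anyone with permission to create pods can run any binary present in any image the node can pull, regardless of what that image was built to do; restricting pod creation, not the image's entrypoint, is the control.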