From 79b8e5f2f0030a7c89ea877db9037120a03b6375 Mon Sep 17 00:00:00 2001 From: AJ Bowen Date: Mon, 3 Jun 2019 22:28:04 -0500 Subject: [PATCH] Cherrypick tweaks from @soulshake --- slides/containers/Container_Network_Model.md | 4 ++-- slides/containers/Namespaces_Cgroups.md | 24 ++++++++++---------- slides/containers/Resource_Limits.md | 2 +- slides/k8s/architecture.md | 4 ++-- slides/k8s/cni.md | 14 ++++++------ slides/k8s/concepts-k8s.md | 2 +- slides/k8s/configuration.md | 6 ++--- slides/k8s/dmuc.md | 12 +++++----- slides/k8s/healthchecks.md | 2 +- slides/k8s/helm.md | 2 +- slides/k8s/horizontal-pod-autoscaler.md | 2 +- slides/k8s/ingress.md | 12 +++++----- slides/k8s/kubectlget.md | 4 ++-- slides/k8s/kubectlproxy.md | 4 ++-- slides/k8s/kubenet.md | 2 +- slides/k8s/kustomize.md | 2 +- slides/k8s/localkubeconfig.md | 6 ++--- slides/k8s/namespaces.md | 2 +- slides/k8s/prometheus.md | 4 ++-- slides/k8s/resource-limits.md | 2 +- slides/k8s/rollout.md | 8 +++---- slides/k8s/volumes.md | 6 ++--- slides/shared/connecting.md | 4 ++-- slides/shared/prereqs.md | 2 +- slides/shared/sampleapp.md | 4 ++-- 25 files changed, 68 insertions(+), 68 deletions(-) diff --git a/slides/containers/Container_Network_Model.md b/slides/containers/Container_Network_Model.md index fd77c3bd..87cf044f 100644 --- a/slides/containers/Container_Network_Model.md +++ b/slides/containers/Container_Network_Model.md @@ -474,7 +474,7 @@ When creating a network, extra options can be provided. * `--ip-range` (in CIDR notation) indicates the subnet to allocate from. -* `--aux-address` allows to specify a list of reserved addresses (which won't be allocated to containers). +* `--aux-address` allows specifying a list of reserved addresses (which won't be allocated to containers). --- @@ -556,7 +556,7 @@ General idea: * So far, we have specified which network to use when starting the container. -* The Docker Engine also allows to connect and disconnect while the container runs. +* The Docker Engine also allows connecting and disconnecting while the container is running. * This feature is exposed through the Docker API, and through two Docker CLI commands: diff --git a/slides/containers/Namespaces_Cgroups.md b/slides/containers/Namespaces_Cgroups.md index 46d1ac06..09b90561 100644 --- a/slides/containers/Namespaces_Cgroups.md +++ b/slides/containers/Namespaces_Cgroups.md @@ -86,13 +86,13 @@ class: extra-details, deep-dive - the `unshare()` system call. -- The Linux tool `unshare` allows to do that from a shell. +- The Linux tool `unshare` allows doing that from a shell. - A new process can re-use none / all / some of the namespaces of its parent. - It is possible to "enter" a namespace with the `setns()` system call. -- The Linux tool `nsenter` allows to do that from a shell. +- The Linux tool `nsenter` allows doing that from a shell. --- @@ -138,11 +138,11 @@ class: extra-details, deep-dive - gethostname / sethostname -- Allows to set a custom hostname for a container. +- Allows setting a custom hostname for a container. - That's (mostly) it! -- Also allows to set the NIS domain. +- Also allows setting the NIS domain. (If you don't know what a NIS domain is, you don't have to worry about it!) @@ -392,13 +392,13 @@ class: extra-details - Processes can have their own root fs (à la chroot). -- Processes can also have "private" mounts. This allows to: +- Processes can also have "private" mounts. This allows: - - isolate `/tmp` (per user, per service...) + - isolating `/tmp` (per user, per service...) - - mask `/proc`, `/sys` (for processes that don't need them) + - masking `/proc`, `/sys` (for processes that don't need them) - - mount remote filesystems or sensitive data, + - mounting remote filesystems or sensitive data,
but make it visible only for allowed processes - Mounts can be totally private, or shared. @@ -570,7 +570,7 @@ Check `man 2 unshare` and `man pid_namespaces` if you want more details. ## User namespace -- Allows to map UID/GID; e.g.: +- Allows mapping UID/GID; e.g.: - UID 0→1999 in container C1 is mapped to UID 10000→11999 on host - UID 0→1999 in container C2 is mapped to UID 12000→13999 on host @@ -947,7 +947,7 @@ Killed (i.e., "this group of process used X seconds of CPU0 and Y seconds of CPU1".) -- Allows to set relative weights used by the scheduler. +- Allows setting relative weights used by the scheduler. --- @@ -1101,9 +1101,9 @@ See `man capabilities` for the full list and details. - Original seccomp only allows `read()`, `write()`, `exit()`, `sigreturn()`. -- The seccomp-bpf extension allows to specify custom filters with BPF rules. +- The seccomp-bpf extension allows specifying custom filters with BPF rules. -- This allows to filter by syscall, and by parameter. +- This allows filtering by syscall, and by parameter. - BPF code can perform arbitrarily complex checks, quickly, and safely. diff --git a/slides/containers/Resource_Limits.md b/slides/containers/Resource_Limits.md index c74d2ebe..bb04e9de 100644 --- a/slides/containers/Resource_Limits.md +++ b/slides/containers/Resource_Limits.md @@ -72,7 +72,7 @@ - For memory usage, the mechanism is part of the *cgroup* subsystem. -- This subsystem allows to limit the memory for a process or a group of processes. +- This subsystem allows limiting the memory for a process or a group of processes. - A container engine leverages these mechanisms to limit memory for a container. diff --git a/slides/k8s/architecture.md b/slides/k8s/architecture.md index e3bf8c86..705548ac 100644 --- a/slides/k8s/architecture.md +++ b/slides/k8s/architecture.md @@ -356,9 +356,9 @@ We demonstrated *update* and *watch* semantics. - we create a Deployment object - - the Deployment controller notices it, creates a ReplicaSet + - the Deployment controller notices it, and creates a ReplicaSet - - the ReplicaSet controller notices it, creates a Pod + - the ReplicaSet controller notices the ReplicaSet, and creates a Pod --- diff --git a/slides/k8s/cni.md b/slides/k8s/cni.md index 306c4302..ff5d4557 100644 --- a/slides/k8s/cni.md +++ b/slides/k8s/cni.md @@ -26,7 +26,7 @@ The reference plugins are available [here]. -Look into each plugin's directory for its documentation. +Look in each plugin's directory for its documentation. [here]: https://github.com/containernetworking/plugins/tree/master/plugins @@ -98,7 +98,7 @@ class: extra-details - CNI_NETNS: path to network namespace file - - CNI_IFNAME: how the network interface should be named + - CNI_IFNAME: what the network interface should be named - The network configuration must be provided to the plugin on stdin @@ -193,7 +193,7 @@ class: extra-details - This DaemonSet will start one instance of kube-router on each node --- - + ## Logging into the new cluster .exercise[ @@ -221,7 +221,7 @@ class: extra-details - It is similar to the one we used with the `kubenet` cluster - The API server is started with `--allow-privileged` - + (because we will start kube-router in privileged pods) - The controller manager is started with extra flags too: @@ -254,7 +254,7 @@ class: extra-details --- -## The kube-router DaemonSet +## The kube-router DaemonSet - In the same directory, there is a `kuberouter.yaml` file @@ -599,13 +599,13 @@ done ## Updating kube-router configuration -- We need to add two command-line flags to the kube-router process +- We need to pass two command-line flags to the kube-router process .exercise[ - Edit the `kuberouter.yaml` file -- Add the following flags to the kube-router arguments,: +- Add the following flags to the kube-router arguments: ``` - "--peer-router-ips=`X.X.X.X`" - "--peer-router-asns=64512" diff --git a/slides/k8s/concepts-k8s.md b/slides/k8s/concepts-k8s.md index 32e241bb..0e27a464 100644 --- a/slides/k8s/concepts-k8s.md +++ b/slides/k8s/concepts-k8s.md @@ -177,7 +177,7 @@ class: extra-details - In that case, there is no "master node" -*For this reason, it is more accurate to say "control plane" rather than "master".* +*For this reason, it is more accurate to say "control plane" rather than "master."* --- diff --git a/slides/k8s/configuration.md b/slides/k8s/configuration.md index d1e57a6a..47b23ca7 100644 --- a/slides/k8s/configuration.md +++ b/slides/k8s/configuration.md @@ -22,7 +22,7 @@ - There are many ways to pass configuration to code running in a container: - - baking it in a custom image + - baking it into a custom image - command-line arguments @@ -125,7 +125,7 @@ - We can also use a mechanism called the *downward API* -- The downward API allows to expose pod or container information +- The downward API allows exposing pod or container information - either through special files (we won't show that for now) @@ -436,7 +436,7 @@ We should see connections served by Google, and others served by IBM. - We are going to store the port number in a configmap -- Then we will expose that configmap to a container environment variable +- Then we will expose that configmap as a container environment variable --- diff --git a/slides/k8s/dmuc.md b/slides/k8s/dmuc.md index a00d940c..d70972aa 100644 --- a/slides/k8s/dmuc.md +++ b/slides/k8s/dmuc.md @@ -584,7 +584,7 @@ Our pod is still `Pending`. 🤔 Which is normal: it needs to be *scheduled*. -(i.e., something needs to decide on which node it should go.) +(i.e., something needs to decide which node it should go on.) --- @@ -658,7 +658,7 @@ class: extra-details - This is actually how the scheduler works! -- It watches pods, takes scheduling decisions, creates Binding objects +- It watches pods, makes scheduling decisions, and creates Binding objects --- @@ -686,7 +686,7 @@ We should see the `Welcome to nginx!` page. ## Exposing our Deployment -- We can now create a Service associated to this Deployment +- We can now create a Service associated with this Deployment .exercise[ @@ -711,11 +711,11 @@ This won't work. We need kube-proxy to enable internal communication. ## Starting kube-proxy -- kube-proxy also needs to connect to API server +- kube-proxy also needs to connect to the API server - It can work with the `--master` flag - (even though that will be deprecated in the future) + (although that will be deprecated in the future) .exercise[ @@ -832,6 +832,6 @@ class: extra-details - By default, the API server expects to be running directly on the nodes - (it could be as a bare process, or in a container/pod using host network) + (it could be as a bare process, or in a container/pod using the host network) - ... And it expects to be listening on port 6443 with TLS diff --git a/slides/k8s/healthchecks.md b/slides/k8s/healthchecks.md index 2563da68..a72fedbf 100644 --- a/slides/k8s/healthchecks.md +++ b/slides/k8s/healthchecks.md @@ -108,7 +108,7 @@ (as opposed to merely started) -- Containers in a broken state gets killed and restarted +- Containers in a broken state get killed and restarted (instead of serving errors or timeouts) diff --git a/slides/k8s/helm.md b/slides/k8s/helm.md index 004abb58..5c895daa 100644 --- a/slides/k8s/helm.md +++ b/slides/k8s/helm.md @@ -158,7 +158,7 @@ Where do these `--set` options come from? ] -The chart's metadata includes an URL to the project's home page. +The chart's metadata includes a URL to the project's home page. (Sometimes it conveniently points to the documentation for the chart.) diff --git a/slides/k8s/horizontal-pod-autoscaler.md b/slides/k8s/horizontal-pod-autoscaler.md index 38e363f6..6e660900 100644 --- a/slides/k8s/horizontal-pod-autoscaler.md +++ b/slides/k8s/horizontal-pod-autoscaler.md @@ -34,7 +34,7 @@ `TargetNumOfPods = ceil(sum(CurrentPodsCPUUtilization) / Target)` -- It scales up/down the related object to this target number of pods +- It scales the related object up/down to this target number of pods --- diff --git a/slides/k8s/ingress.md b/slides/k8s/ingress.md index 3188de96..9ccfdd8c 100644 --- a/slides/k8s/ingress.md +++ b/slides/k8s/ingress.md @@ -88,7 +88,7 @@ - the control loop watches over ingress resources, and configures the LB accordingly -- Step 2: setup DNS +- Step 2: set up DNS - associate DNS entries with the load balancer address @@ -126,7 +126,7 @@ - We could use pods specifying `hostPort: 80` - ... but with most CNI plugins, this [doesn't work or require additional setup](https://github.com/kubernetes/kubernetes/issues/23920) + ... but with most CNI plugins, this [doesn't work or requires additional setup](https://github.com/kubernetes/kubernetes/issues/23920) - We could use a `NodePort` service @@ -142,7 +142,7 @@ (sometimes called sandbox or network sandbox) -- An IP address is associated to the pod +- An IP address is assigned to the pod - This IP address is routed/connected to the cluster network @@ -239,7 +239,7 @@ class: extra-details - an error condition on the node
- (for instance: "disk full", do not start new pods here!) + (for instance: "disk full," do not start new pods here!) - The `effect` can be: @@ -501,11 +501,11 @@ spec: (as long as it has access to the cluster subnet) -- This allows to use external (hardware, physical machines...) load balancers +- This allows the use of external (hardware, physical machines...) load balancers - Annotations can encode special features - (rate-limiting, A/B testing, session stickiness, etc.) + (rate-limiting, A/B testing, session stickiness, etc.) --- diff --git a/slides/k8s/kubectlget.md b/slides/k8s/kubectlget.md index 66a1fac1..44566b26 100644 --- a/slides/k8s/kubectlget.md +++ b/slides/k8s/kubectlget.md @@ -132,7 +132,7 @@ class: extra-details - short (e.g. `no`, `svc`, `deploy`) -- Some resources do not have a short names +- Some resources do not have a short name - `Endpoints` only have a plural form @@ -466,4 +466,4 @@ class: extra-details - For more details, see [KEP-0009] or the [node controller documentation] [KEP-0009]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/0009-node-heartbeat.md -[node controller documentation]: https://kubernetes.io/docs/concepts/architecture/nodes/#node-controller \ No newline at end of file +[node controller documentation]: https://kubernetes.io/docs/concepts/architecture/nodes/#node-controller diff --git a/slides/k8s/kubectlproxy.md b/slides/k8s/kubectlproxy.md index 749f8c0e..fa7f7505 100644 --- a/slides/k8s/kubectlproxy.md +++ b/slides/k8s/kubectlproxy.md @@ -77,9 +77,9 @@ If we wanted to talk to the API, we would need to: - This is a great tool to learn and experiment with the Kubernetes API -- ... And for serious usages as well (suitable for one-shot scripts) +- ... And for serious uses as well (suitable for one-shot scripts) -- For unattended use, it is better to create a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) +- For unattended use, it's better to create a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) --- diff --git a/slides/k8s/kubenet.md b/slides/k8s/kubenet.md index 0bb7c624..bc470475 100644 --- a/slides/k8s/kubenet.md +++ b/slides/k8s/kubenet.md @@ -54,7 +54,7 @@ (15 are listed in the Kubernetes documentation) -- Pods have level 3 (IP) connectivity, but *services* are level 4 +- Pods have level 3 (IP) connectivity, but *services* are level 4 (TCP or UDP) (Services map to a single UDP or TCP port; no port ranges or arbitrary IP packets) diff --git a/slides/k8s/kustomize.md b/slides/k8s/kustomize.md index 60641b4a..664f82f3 100644 --- a/slides/k8s/kustomize.md +++ b/slides/k8s/kustomize.md @@ -70,7 +70,7 @@ - We need to run `ship init` in a new directory -- `ship init` requires an URL to a remote repository containing Kubernetes YAML +- `ship init` requires a URL to a remote repository containing Kubernetes YAML - It will clone that repository and start a web UI diff --git a/slides/k8s/localkubeconfig.md b/slides/k8s/localkubeconfig.md index e95977dc..ff3c84b0 100644 --- a/slides/k8s/localkubeconfig.md +++ b/slides/k8s/localkubeconfig.md @@ -75,9 +75,9 @@ Platform:"linux/amd64"} --- -## Moving away the existing `~/.kube/config` +## Preserving the existing `~/.kube/config` -- If you already have a `~/.kube/config` file, move it away +- If you already have a `~/.kube/config` file, rename it (we are going to overwrite it in the following slides!) @@ -192,4 +192,4 @@ class: extra-details ] -We can now utilize the cluster exactly as we did before, ignoring that it's remote. +We can now utilize the cluster exactly as we did before, except that it's remote. diff --git a/slides/k8s/namespaces.md b/slides/k8s/namespaces.md index 13500990..51bbf774 100644 --- a/slides/k8s/namespaces.md +++ b/slides/k8s/namespaces.md @@ -26,7 +26,7 @@ - We cannot have two resources *of the same kind* with the same name - (but it's OK to have a `rng` service, a `rng` deployment, and a `rng` daemon set) + (but it's OK to have an `rng` service, an `rng` deployment, and an `rng` daemon set) -- diff --git a/slides/k8s/prometheus.md b/slides/k8s/prometheus.md index b78b1884..68ef6ca1 100644 --- a/slides/k8s/prometheus.md +++ b/slides/k8s/prometheus.md @@ -340,7 +340,7 @@ container_cpu_usage_seconds_total - that it's the total used since the container creation -- Since it's a "total", it is an increasing quantity +- Since it's a "total," it is an increasing quantity (we need to compute the derivative if we want e.g. CPU % over time) @@ -495,7 +495,7 @@ class: extra-details ## Querying labels -- What if we want to get metrics for containers belong to pod tagged `worker`? +- What if we want to get metrics for containers belonging to a pod tagged `worker`? - The cAdvisor exporter does not give us Kubernetes labels diff --git a/slides/k8s/resource-limits.md b/slides/k8s/resource-limits.md index e641fe78..047f29af 100644 --- a/slides/k8s/resource-limits.md +++ b/slides/k8s/resource-limits.md @@ -392,7 +392,7 @@ These quotas will apply to the namespace where the ResourceQuota is created. count/roles.rbac.authorization.k8s.io: 10 ``` -(The `count/` syntax allows to limit arbitrary objects, including CRDs.) +(The `count/` syntax allows limiting arbitrary objects, including CRDs.) --- diff --git a/slides/k8s/rollout.md b/slides/k8s/rollout.md index 31331985..958ad5e2 100644 --- a/slides/k8s/rollout.md +++ b/slides/k8s/rollout.md @@ -5,9 +5,9 @@ - new pods are created - old pods are terminated - + - ... all at the same time - + - if something goes wrong, ¯\\\_(ツ)\_/¯ --- @@ -212,7 +212,7 @@ class: extra-details ## Checking the dashboard during the bad rollout -If you haven't deployed the Kubernetes dashboard earlier, just skip this slide. +If you didn't deploy the Kubernetes dashboard earlier, just skip this slide. .exercise[ @@ -255,7 +255,7 @@ Note the `3xxxx` port. ``` --> -- Cancel the deployment and wait for the dust to settle down: +- Cancel the deployment and wait for the dust to settle: ```bash kubectl rollout undo deploy worker kubectl rollout status deploy worker diff --git a/slides/k8s/volumes.md b/slides/k8s/volumes.md index dc7c355a..58b6849a 100644 --- a/slides/k8s/volumes.md +++ b/slides/k8s/volumes.md @@ -28,11 +28,11 @@ class: extra-details
but it refers to Docker 1.7, which was released in 2015!) -- Docker volumes allow to share data between containers running on the same host +- Docker volumes allow us to share data between containers running on the same host - Kubernetes volumes allow us to share data between containers in the same pod -- Both Docker and Kubernetes volumes allow us access to storage systems +- Both Docker and Kubernetes volumes enable access to storage systems - Kubernetes volumes are also used to expose configuration and secrets @@ -60,7 +60,7 @@ class: extra-details - correspond to concrete volumes (e.g. on a SAN, EBS, etc.) - - cannot be associated to a Pod directly; but through a Persistent Volume Claim + - cannot be associated with a Pod directly; but through a Persistent Volume Claim - won't be discussed further in this section diff --git a/slides/shared/connecting.md b/slides/shared/connecting.md index 11f9568a..2e83d996 100644 --- a/slides/shared/connecting.md +++ b/slides/shared/connecting.md @@ -84,14 +84,14 @@ You will need a Docker ID to use Play-With-Docker. - Unless instructed, **all commands must be run from the first VM, `node1`** -- We will only checkout/copy the code on `node1` +- We will only check out/copy the code on `node1` - During normal operations, we do not need access to the other nodes - If we had to troubleshoot issues, we would use a combination of: - SSH (to access system logs, daemon status...) - + - Docker API (to check running containers and container engine status) --- diff --git a/slides/shared/prereqs.md b/slides/shared/prereqs.md index 52684b34..9daca01a 100644 --- a/slides/shared/prereqs.md +++ b/slides/shared/prereqs.md @@ -90,7 +90,7 @@ class: in-person ## Why don't we run containers locally? -- Installing that stuff can be hard on some machines +- Installing this stuff can be hard on some machines (32 bits CPU or OS... Laptops without administrator access... etc.) diff --git a/slides/shared/sampleapp.md b/slides/shared/sampleapp.md index cd9db553..8b001b4c 100644 --- a/slides/shared/sampleapp.md +++ b/slides/shared/sampleapp.md @@ -134,7 +134,7 @@ How does each service find out the address of the other ones? - We do not hard-code IP addresses in the code -- We do not hard-code FQDN in the code, either +- We do not hard-code FQDNs in the code, either - We just connect to a service name, and container-magic does the rest @@ -173,7 +173,7 @@ class: extra-details - Compose file version 2+ makes each container reachable through its service name -- Compose file version 1 did require "links" sections +- Compose file version 1 required "links" sections to accomplish this - Network aliases are automatically namespaced