Skip to main content

api-resources

Namespaces

Kubernetes includes a means to segment a single physical cluster into separate logical clusters using namespacing.

Pods

Whatever the runtime, Kubernetes fundamentally manages a logical grouping of one or more containers called a pod.

StatefulSets

Kubernetes controllers for managing workloads that require proper management of state.

ReplicaSet

One of the control loops available in Kubernetes that ensures that the desired number of pods are running.

Roles

Kubernetes has several access control schemes, and users should always default to role-based access controls to maximize security.

Ingresses and Load Balancing

In order to expose a service outside a cluster, a user should set up an ingress for layer 7 or define the configuration of a layer 4 load balancer using "type=loadbalancer" in the service definition.

Deployments

The declarative controller in Kubernetes that manages replicasets of pods.

Services

Defined by a label, a Kubernetes service is a logical layer that provides IP/DNS/etc. persistence to dynamic pods.

DaemonSet

A Kubernetes construct that enables users to run a pod on every node in the cluster.

Jobs and Cronjobs

Kubernetes includes the logic to run jobs, processes that run to completion, and cronjobs - processes that run at specific intervals and run to completion.

Extension Points

Kubernetes has a number of points to extend its core functionality.

Custom Resource Definition (CRD)

CRD allows users to extend Kubernetes with custom APIs for different objects beyond the standard ones supported by Kubernetes.

Container Runtime Interface (CRI)

CRI is a plugin API that enables Kubernetes to support other container runtimes beyond Docker and Containerd.

Container Network Interface (CNI)

CNI gives users a choice of network overlay that can be used with Kubernetes to add SDN features.

Container Storage Interface (CSI)

CSI empowers users to support different storage systems through a driver model.

Container Storage Interface(CSI) defines a standard interface for container orchestration systems (like Kubernetes) to expose arbitrary storage systems to their container workloads.

https://github.com/container-storage-interface/spec/blob/master/spec

Resource Types

Resource typeAbbreviated alias
apiservices
certificatesigningrequestscsr
clusters
clusterrolebindings
clusterroles
componentstatusescs
configmapscm
controllerrevisions
cronjobs
customresourcedefinitioncrd
daemonsetsds
deploymentsdeploy
endpointsep
eventsev
ingressesing
jobs
limitrangeslimits
namespacesns
networkpoliciesnetpol
nodesno
persistentvolumeclaimspvc
persistentvolumespv
poddisruptionbudgetpdb
podpreset
podspo
podsecuritypoliciespsp
podtemplates
replicasetsrs
replicationcontrollersrc
resourcequotasquota
rolebindings
roles
secrets
serviceaccountssa
servicessvc
statefulsets
storageclasses

Outline

- API Version: most resource type covered in the exam belongs to thecoregroup and are currently in the versionv1. Several special cases are listed below.
- v1: Pod, Service, ConfigMap, Secret, PersistentVolumeClaim, Namespace, ServiceAccount, Node
- apps/v1: Deployment
- batch/v1: Job
- batch/v1beta1: CronJob
- networking.k8s.io/v1: NetworkPolicy
- Object Metadata
- name:namefield is required and must be unique within a namespace.
- labels
- annotations: not queryable
- namespace
- Resource Type
- Pod
- affinity: nodeAffinity, podAffinity
- preferredDuringSchedulingIgnoredDuringExecution
- requiredDuringSchedulingIgnoredDuringExecution
- containers
- args: override Docker images's CMD
- command: override Docker images's Entrypoint
- env
- name/value
- name/valueFrom
- configMapKeyRef: pull env from ConfigMap
- name/key
- secretKeyRef: pull env from Secret
- envFrom
- configMapRef: convert all items from the specified ConfigMap to environment variables
- name
- secretRef: convert all items from the specified Secret to environment variables
- image
- imagePullPolicy
- Always (default)
- Never
- ifNotPresent
- probe: livenessProbe, readinessProbe
- initialDelaySeconds
- periodSeconds
- timeoutSeconds
- type:
- exec: run a command
- httpGet: check a http endpoint
- tcpSocket: check a tcp socket
- ports
- containerPort
- hostPort
- protocol
- resources: limits, requests
- cpu: e.g. 0.1, 1, 100m, etc.
- memory: e.g. 128974848, 129e6, 129M, 123Mi, etc.
- securityContext
- capabilities: add or drop capabilities. e.g. SYS_ADMIN, AUDIT_CONTROL, etc.
- runAsGroup
- runAsUser
- volumeMounts
- restartPolicy
- Always
- OnFailure
- Never
- securityContext
- runAsGroup: a valid GID
- runAsUser: a valid UID
- ServiceAccountName
- tolerations
- key
- operator
- Exists
- Equal
- value
- volumes
- configMap
- name
- items
- key/path
- emptyDir
- hostPath
- persistentVolumeClaim
- secret
- Deployment
- replicas
- selector
- matchExpressions
- matchLabels
- strategy: Recreate or RollingUpdate
- Pod Template
- Job
- activeDeadlineSeconds: job timeout seconds
- backoffLimit: number of retries
- completions: the desired number of successfully finished pods the job should be run with
- parallelism: the maximum desired number of pods the job should run at any given time
- selector: matchExpressions or matchLabels
- Job Pod Template: restartPolicy in the pod spec should beNever.
- CronJob
- Job Template
- schedule
- Service
- Types
- ClusterIP
- NodePort
- Service Port
- nodePort: set only when type=NodePort
- protocol: TCP or UDP
- port
- targetPort
- ConfigMap
- Secret: values in the Secret must be base64 encoded: `echo -n "<value>" | base64`
- Node
- taints
- key
- value
- effect
- NoSchedule
- PreferNoSchedule
- NoExecute
- PersistentVolumeClaim
- accessModes
- ReadWriteOnce
- ReadOnlyMany
- ReadWriteMany
- resources: limits, requests
- storage: e.g. 8Gi, 128M, etc.
- selector: matchExpressions or matchLabels
- storageClassName
- Namespace
- ServiceAccount
- NetworkPolicy
- policyTypes:
- Ingress
- Egress
- podSelector: matchExpressions or matchLabels
- ingress
- egress