Note: These are questions I have received via chat groups and communities. This is a living document and I will update the page whenever there is a new question, a better answer, or new references.
- What are the features of OpenShift ?
- How to set number of pods per node in OpenShift ?
- What is a Distributed System ?
- TODO/ What is ODF ?
- TODO/ What is ServiceMesh ?
- What is Kiali ?
- What is Jaeger ?
- TODO/ What is Kubernetes Admission Controller ?
- How Container Security Works ?
- What is `--pod-eviction-timeout` in Kubernetes ?
- TODO/ What is Red Hat NooBaa ?
- What is Air-Gapped (disconnected) OpenShift Clusters
- What is new in Red Hat OpenShift 4 ?
- What is Clair ?
- What is Quay ?
- TODO/ What is CoreOS and Why using CoreOS for OpenShift ?
- What is CRI-O ?
- TODO/ What is etcd ?
- OpenShift Hardening - What is Compliance Operator ?
- TODO/ What is Kubernetes Operator (or OpenShift Operator) ?
- What is Operator Framework ?
- What is Red Hat Advanced Cluster Security for Kubernetes (RHACS) ?
- What are the components of OpenShift Cluster Monitoring, Logging and Telemetry ?
- What is `cadvisor` in Kubernetes ?
- TODO/ What is Helm ?
- What are the points to note while architecting OpenShift Clusters ?
- How to Manage Roles and Permissions in OpenShift ?
- What is SRE and DevOps ?
- TODO/ How to Enable OpenShift Node AutoScaling ?
- What is KeyStone ?
- Removing the kubeadmin user
- What is cgroup ? (CONTROL GROUPS)
- What is Multus Container Network Interface (CNI) ?
- What is blue green deployment?
- How to Size an OpenShift Cluster ?
What are the features of OpenShift ?
- High Availability
- Lightweight Operating System
- Load Balancing
- Automated Scaling
- Logging and Monitoring (based on Prometheus and Elasticsearch)
- Service Discovery
- Application Management
- Cluster Extensibility
How to set number of pods per node in OpenShift ?
- How to set number of pods per node in OpenShift ? - Quick Guide
- OpenShift Scale: Running 500 Pods Per Node
- Managing the maximum number of pods per node
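On OpenShift 4 the pod limit is not set on the kubelet command line but through a KubeletConfig custom resource that targets a MachineConfigPool. The following is an added example (not taken from the guides linked above); the pool label `custom-kubelet: large-pods` and the limit of 500 are assumptions for illustration:

```yaml
# Added example: raise the per-node pod limit on the worker pool.
# 1) Label the pool so the KubeletConfig below can select it (assumed label):
#      oc label machineconfigpool worker custom-kubelet=large-pods
# 2) Apply this manifest. The Machine Config Operator renders a new kubelet
#    configuration and reboots the pool's nodes one at a time.
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
  name: set-max-pods
spec:
  machineConfigPoolSelector:
    matchLabels:
      custom-kubelet: large-pods   # must match the label applied in step 1
  kubeletConfig:
    maxPods: 500
    # podsPerCore is a second cap (OpenShift default 10): the kubelet enforces
    # the LOWER of maxPods and podsPerCore * cores. 0 disables the per-core cap.
    podsPerCore: 0
# 3) Check: once the pool has finished updating, the node reports the new capacity.
#      oc get machineconfigpool worker            # UPDATED=True, UPDATING=False
#      oc get node <worker> -o jsonpath='{.status.capacity.pods}{"\n"}'
# Caveat: the cluster network hostPrefix (default /23, i.e. about 510 usable
# pod addresses per node) must leave room for the new limit, or pods above
# that number will stay in ContainerCreating for lack of an IP address.
```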
What is a Distributed System ?
A distributed system, in its simplest definition, is a group of computers working together so as to appear as a single computer to the end user. These machines share state, operate concurrently, and can fail independently without affecting the uptime of the whole system.
Read more: A Thorough Introduction to Distributed Systems
- Fault Tolerance / High Availability
- Low Latency
TODO/ What is ODF ?
TODO/ What is ServiceMesh ?
- Installing Red Hat OpenShift Service Mesh
- Install Elastic Operator
- Install Jaeger Operator
- Install Kiali Operator
- Install Red Hat OpenShift Service Mesh (OSSM) Operator
What is Kiali ?
Kiali is a management console for an Istio-based service mesh. It provides dashboards, observability, and lets you operate your mesh with robust configuration and validation capabilities. It shows the structure of your service mesh by inferring traffic topology and displays the health of your mesh.
What is Jaeger ?
Distributed Tracing System - Monitor and troubleshoot transactions in complex distributed systems
TODO/ What is Kubernetes Admission Controller ?
How Container Security Works ?
- Secure the container host
- Secure the networking environment - an intrusion prevention system (IPS) and web filtering for north-south traffic (to and from the internet) to stop attacks and filter malicious content.
- Secure your management stack - container registry, Kubernetes installation, network policies.
- Build on a secure foundation - patching, updates
- Secure your build pipeline
- Secure your application
- Container Security in Six Steps
What is `--pod-eviction-timeout` in Kubernetes ?
The kube-controller-manager grace period for deleting pods on failed nodes. The default eviction timeout is five minutes. When a node is unreachable, the API server cannot talk to the kubelet on that node, so the decision to delete the pods cannot be delivered to the kubelet until communication with the API server is re-established; until then the pods keep running on the partitioned node even though they are marked for deletion. Note that since taint-based evictions became the default (Kubernetes 1.13), the controller instead taints the node with `node.kubernetes.io/not-ready` or `node.kubernetes.io/unreachable` and each pod's `tolerationSeconds` for those taints (300 seconds when added by the DefaultTolerationSeconds admission plugin) decides the eviction delay, so the timeout is effectively configured per pod rather than cluster-wide.
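The per-workload form of this setting, as an added example that is not from the original page: a Deployment that asks to be rescheduled after 60 seconds on a lost node instead of the default five minutes. The workload name and image are assumptions.

```yaml
# Added example (not from the original page): override the eviction delay for
# one Deployment. With taint-based evictions the node-lifecycle controller taints
# a NotReady/Unreachable node; each pod's tolerationSeconds for those taints
# decides how long it stays bound before the controller deletes it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-frontend                       # assumed name
spec:
  replicas: 3
  selector:
    matchLabels: {app: api-frontend}
  template:
    metadata:
      labels: {app: api-frontend}
    spec:
      containers:
      - name: app
        image: quay.io/example/api-frontend:1.0   # assumed image
      tolerations:
      - key: node.kubernetes.io/unreachable
        operator: Exists
        effect: NoExecute
        tolerationSeconds: 60              # evict after 1 min instead of 5
      - key: node.kubernetes.io/not-ready
        operator: Exists
        effect: NoExecute
        tolerationSeconds: 60
# Check which pods are pinned to a node that just went NotReady:
#   oc get pods -A -o wide --field-selector spec.nodeName=<node>
# Caveat: the deletion is only desired state; the kubelet on the partitioned
# node still runs the old replicas until it reconnects, so a short timeout is
# safe for stateless services but not for singletons that must never run
# twice (StatefulSet pods are deliberately left Terminating for this reason).
```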
TODO/ What is Red Hat NooBaa ?
What is Air-Gapped (disconnected) OpenShift Clusters
Air-gapped environments are those that are physically isolated from other networks, but most importantly isolated from the Internet. No proxies, no jump hosts - nothing.
- Is your Operator Air-Gap Friendly?
- OpenShift 4 in an Air Gap (disconnected) environment - Part 1, Part 2
What is new in Red Hat OpenShift 4 ?
- Immutable Red Hat Enterprise Linux CoreOS
- Full-stack automation
- OpenShift service mesh
- Operator framework
- Knative framework
- Managing Multiple Clusters Across Multiple Clouds
What is Clair ?
Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including OCI and Docker images).
What is Quay ?
Quay is a container image registry that enables you to build, organize, distribute, and deploy containers. Project Quay is the community distribution that powers Red Hat Quay and Quay.io.
TODO/ What is CoreOS and Why using CoreOS for OpenShift ?
CoreOS was founded in 2013 with the mission to improve the security and reliability of the internet. On May 26, 2020, CoreOS Container Linux reached its end of life and no longer receives updates. OpenShift 4 uses Red Hat Enterprise Linux CoreOS (RHCOS):
- It is the successor to both Fedora Atomic Host and CoreOS Container Linux
- Based on RHEL
- Controlled immutability
- CRI-O container runtime
- Set of container tools
What is CRI-O ?
LIGHTWEIGHT CONTAINER RUNTIME FOR KUBERNETES
CRI-O is an implementation of the Kubernetes CRI (Container Runtime Interface) that enables the use of OCI (Open Container Initiative) compatible runtimes. It is a lightweight alternative to using Docker as the runtime for Kubernetes, and it lets Kubernetes use any OCI-compliant runtime to run pods.
CRI - the Container Runtime Interface was introduced so that Kubernetes could support additional container engines without changes to the kubelet.
CNI - the Container Network Interface provides networking support.
CSI - the Container Storage Interface supports storage drivers and solutions.
TODO/ What is etcd ?
etcd is a distributed key-value store. It holds all Kubernetes/OpenShift cluster state, including Secrets, so read access to etcd or to its backups is equivalent to cluster-admin; encrypting etcd data at rest and restricting access to its backups are part of hardening the cluster.
OpenShift Hardening - What is Compliance Operator ?
The Compliance Operator lets OpenShift Container Platform administrators describe the desired compliance state of a cluster and provides them with an overview of gaps and ways to remediate them.
- Understanding the Compliance Operator
- How does Compliance Operator work for OpenShift? Part 1, Part 2
- Compliance Operator - GitHub
- Also read - kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.
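The Compliance Operator needs a ScanSettingBinding that pairs profiles with a scan schedule before it reports anything. The following is an added example (not from the original page or the operator's documentation); it assumes the operator is installed in its usual `openshift-compliance` namespace and uses the CIS profiles it ships:

```yaml
# Added example (not from the original page): run the CIS benchmark profiles
# against the platform (ocp4-cis) and every node (ocp4-cis-node).
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-compliance
  namespace: openshift-compliance
profiles:
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: ocp4-cis          # API server, OAuth, etcd, RBAC checks
- apiGroup: compliance.openshift.io/v1alpha1
  kind: Profile
  name: ocp4-cis-node     # kubelet / host checks, run on each node
settingsRef:
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default           # daily scan; "default-auto-apply" would also apply
                          # remediations automatically (and reboot the pools)
# Checks after the first scan completes:
#   oc get compliancesuite -n openshift-compliance          # PHASE DONE, RESULT
#   oc get compliancecheckresult -n openshift-compliance \
#       -l compliance.openshift.io/check-status=FAIL         # the gaps
#   oc get complianceremediation -n openshift-compliance    # proposed fixes
# Caveat: a node remediation is a MachineConfig, so applying it reboots the
# whole pool. Review it first, then opt in per remediation:
#   oc get complianceremediation <name> -n openshift-compliance -o yaml
#   oc patch complianceremediation <name> -n openshift-compliance \
#       --type merge -p '{"spec":{"apply":true}}'
```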
TODO/ What is Kubernetes Operator (or OpenShift Operator) ?
Operators use the Kubernetes API to create, configure, and automatically manage applications. An Operator has two components:
- CRD - Custom Resource Definition, which extends the API with the application's own resource type.
- Controller - which watches those custom resources and reconciles the application deployment to match them.
- Operators are built with Helm, Ansible, or Go (through the Operator SDK).
OLM stands for Operator Lifecycle Manager.
- What is an Operator - OpenShift.com
- Troubleshooting OpenShift Operator issues
- Building Kubernetes Operators with the Operator Framework and Ansible
What is Operator Framework ?
The 5 capability levels of the Operator maturity model
- Basic Install
- Seamless Upgrade
- Full Lifecycle
- Deep Insight
- Auto Pilot
- Operator SDK - Provides tooling to build and package operators
- Operator Lifecycle Manager (OLM) - Governs operator scope and lifecycle
- Metering - historical information to be gathered and reported on
- OperatorHub - marketplace for community operators
What is Red Hat Advanced Cluster Security for Kubernetes (RHACS) ?
Red Hat® Advanced Cluster Security for Kubernetes, powered by StackRox technology, protects your vital applications across build, deploy, and runtime.
- Control the trusted sources of content
- Defend applications from attacks and vulnerabilities
- Extend secure services through standard interfaces and APIs
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat OpenShift container security
- OpenShift Security Best Practices for Kubernetes Cluster Design
What are the components of OpenShift Cluster Monitoring, Logging and Telemetry ?
- monitoring - The cluster monitoring stack is built on Prometheus and Alertmanager.
- collection - This is the component that collects logs from the cluster, formats them, and forwards them to the log store. The current implementation is Fluentd (newer OpenShift Logging releases also offer Vector).
- log store - This is where the logs are stored. The default implementation is Elasticsearch (newer releases also support Loki). You can use the default log store or forward logs to external log stores. The default log store is optimized and tested for short-term storage.
- visualization - This is the UI component you can use to view logs, graphs, charts, and so forth. The current implementation is Kibana.
- telemetry - The Telemeter client sends a carefully chosen subset of the cluster monitoring metrics to Red Hat.
- Installing OpenShift Logging
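Forwarding to an external log store is the part of this stack that matters most for security work, because the API-server audit log is not kept in the internal log store by default and the default store is short-term only. The following is an added example (not from the original page or the OpenShift documentation): a ClusterLogForwarder that ships audit and infrastructure logs to an external syslog receiver such as a SIEM. The receiver address `siem.example.com:6514` and the Secret name `siem-tls` are assumptions.

```yaml
# Added example (not from the original page): forward audit and infrastructure
# logs to an external TLS syslog collector; keep application logs internal.
# Assumed: OpenShift Logging installed in openshift-logging, and a Secret
# "siem-tls" in that namespace holding ca-bundle.crt (plus tls.crt/tls.key
# if the receiver requires client certificates).
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  outputs:
  - name: siem
    type: syslog
    url: tls://siem.example.com:6514
    secret:
      name: siem-tls
    syslog:
      rfc: RFC5424
      facility: local0
      severity: informational
  pipelines:
  - name: audit-to-siem
    inputRefs:
    - audit             # kube-apiserver, openshift-apiserver, OAuth, node auditd
    - infrastructure    # node journald plus openshift-* / kube-* namespaces
    outputRefs:
    - siem
  - name: app-to-default
    inputRefs:
    - application
    outputRefs:
    - default           # the internal log store
# Check: every output and pipeline should report Ready in the status block.
#   oc get clusterlogforwarder instance -n openshift-logging -o yaml
# Caveat: use tls:// with a CA in the Secret; a plain tcp:// or udp:// URL
# sends audit records, which include user names and request bodies, in clear.
```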
What is `cadvisor` in Kubernetes ?
cAdvisor is an open-source agent integrated into the kubelet binary that monitors resource usage and analyzes the performance of containers. It collects statistics about the CPU, memory, file, and network usage for all containers running on a given node (it does not operate at the pod level)
- Tools for Monitoring Resources
- Native Kubernetes Monitoring, Part 1: Monitoring and Metrics for Users
- MONITORING DOCKER CONTAINER METRICS USING CADVISOR
TODO/ What is Helm ?
What are the points to note while architecting OpenShift Clusters ?
How to Manage Roles and Permissons in OpenShift ?
What is SRE and DevOps ?
TODO/ How to Enable OpenShift Node AutoScaling ?
What is KeyStone ?
Keystone is an OpenStack project that provides identity, token, catalog, and policy services. You can configure the integration with Keystone so that the new OpenShift Container Platform users are based on either the Keystone user names or unique Keystone IDs.
Removing the kubeadmin user
After you define an identity provider and create a new `cluster-admin` user, you can remove the `kubeadmin` user to improve cluster security.
Warning: If you follow this procedure before another user is a cluster-admin, then OpenShift Container Platform must be reinstalled. It is not possible to undo this command.
- You must have configured at least one identity provider.
- You must have added the cluster-admin role to a user.
- You must be logged in as an administrator.
- Remove the kubeadmin secret: `$ oc delete secrets kubeadmin -n kube-system`
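The whole procedure, as an added example that is not from the original page: an htpasswd identity provider, a cluster-admin binding for the new user, the check that proves the new user works, and only then the deletion. The user name `alice`, the Secret name `htpass-secret`, and the provider name are assumptions.

```yaml
# Added example (not from the original page): everything that must precede
# `oc delete secrets kubeadmin -n kube-system`.
#
# 1) Create the credential file and load it into openshift-config:
#      htpasswd -c -B -b users.htpasswd alice '<strong-password>'
#      oc create secret generic htpass-secret \
#          --from-file=htpasswd=users.htpasswd -n openshift-config
# 2) Register the identity provider (the OAuth object below).
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: htpasswd_provider            # assumed name; shows on the login page
    mappingMethod: claim
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret
---
# 3) Grant cluster-admin to the new user; this is what
#    `oc adm policy add-cluster-role-to-user cluster-admin alice` creates.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-alice
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: alice
# 4) Wait for the authentication operator to roll out the new provider, then
#    verify from a FRESH login as the new user before touching kubeadmin:
#      oc get co authentication              # AVAILABLE=True, PROGRESSING=False
#      oc login -u alice https://api.<cluster-domain>:6443
#      oc auth can-i '*' '*'                 # must print "yes"
# 5) Only then, logged in as alice, remove kubeadmin. There is no undo: if no
#    other cluster-admin exists at this point the cluster must be reinstalled.
#      oc delete secrets kubeadmin -n kube-system
```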
What is cgroup ? (CONTROL GROUPS)
cgroups is a Linux kernel feature that limits, accounts for, and isolates the resource usage of a collection of processes.
- Understanding resource limits in kubernetes: memory
- Introduction to Control Groups (cgroups)
- Linux Control Groups and Process Isolation
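In Kubernetes you rarely touch cgroups directly; the kubelet and CRI-O create them from the pod's resource requests and limits. The following is an added example (not from the original page or the linked articles) that shows which cgroup control maps to which field, with illustrative values; the pod name is an assumption.

```yaml
# Added example (not from the original page): a Pod whose limits are enforced
# by cgroups on the node. cgroup v2 is the default on recent OpenShift 4
# releases; v1 file names are given for older nodes.
apiVersion: v1
kind: Pod
metadata:
  name: cgroup-demo                           # assumed name
spec:
  containers:
  - name: app
    image: registry.access.redhat.com/ubi9/ubi-minimal
    command: ["sleep", "infinity"]
    resources:
      requests:
        cpu: "250m"      # v2 cpu.weight (v1 cpu.shares): relative share under contention only
        memory: "64Mi"   # used by the scheduler for placement; no cgroup file
      limits:
        cpu: "500m"      # v2 cpu.max "50000 100000" (v1 cpu.cfs_quota_us): CFS throttling
        memory: "128Mi"  # v2 memory.max (v1 memory.limit_in_bytes): OOM-kill above this
# Check from inside the container (the container sees its own cgroup as root):
#   oc exec cgroup-demo -- cat /sys/fs/cgroup/memory.max    # 134217728
#   oc exec cgroup-demo -- cat /sys/fs/cgroup/cpu.max       # 50000 100000
# Caveat: a container without a memory limit is bounded only by the node, so
# one leaking process can push neighbours into eviction; set limits on every
# workload or enforce them with a namespace LimitRange.
```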
What is Multus Container Network Interface (CNI) ?
Multus CNI enables attaching multiple network interfaces to pods in Kubernetes.
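A secondary interface is declared with a NetworkAttachmentDefinition and requested by a pod annotation. The following is an added example (not from the original page); the host interface `eth0`, the subnet, the namespace `demo`, and the object names are assumptions.

```yaml
# Added example (not from the original page): a macvlan secondary network and a
# Pod attached to it as interface net1.
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: macvlan-storage
  namespace: demo
spec:
  config: |
    {
      "cniVersion": "0.3.1",
      "type": "macvlan",
      "master": "eth0",
      "mode": "bridge",
      "ipam": {
        "type": "host-local",
        "subnet": "192.168.50.0/24",
        "rangeStart": "192.168.50.100",
        "rangeEnd": "192.168.50.200"
      }
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: multus-demo
  namespace: demo
  annotations:
    k8s.v1.cni.cncf.io/networks: macvlan-storage   # request the second interface
spec:
  containers:
  - name: app
    image: registry.access.redhat.com/ubi9/ubi-minimal
    command: ["sleep", "infinity"]
# Checks:
#   oc exec -n demo multus-demo -- cat /proc/net/dev        # lists eth0 and net1
#   oc get pod -n demo multus-demo \
#     -o jsonpath='{.metadata.annotations.k8s\.v1\.cni\.cncf\.io/network-status}'
# Caveat: NetworkPolicy applies only to the primary (eth0) interface. Traffic on
# net1 bypasses every NetworkPolicy in the namespace, so either enable
# MultiNetworkPolicy (spec.useMultiNetworkPolicy: true on the cluster Network
# operator) or keep NetworkAttachmentDefinitions out of namespaces that
# untrusted tenants can deploy into.
```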
What is blue green deployment?
Blue-green deployment is an application release model that keeps two nearly identical production environments: blue serves the current version while the new release is deployed to green. Once green passes its checks, the router is switched so that all user traffic moves to green in one step; switching back to blue is an immediate rollback. (A release that shifts traffic gradually between the two versions is a canary deployment.)
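On OpenShift the switch is a change of Route backends. The following is an added example (not from the original page); it assumes two Services, `myapp-blue` (current) and `myapp-green` (new release), in namespace `demo`, and a cluster wildcard domain of `apps.example.com`.

```yaml
# Added example (not from the original page): a Route that currently sends all
# traffic to blue while green is deployed and idle.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: myapp
  namespace: demo
spec:
  host: myapp.apps.example.com        # assumed wildcard domain
  port:
    targetPort: 8080                  # assumed service port
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
  to:
    kind: Service
    name: myapp-blue
    weight: 100                       # all traffic on blue
  alternateBackends:
  - kind: Service
    name: myapp-green
    weight: 0                         # green running but receiving nothing
# Smoke-test green on its own Service before the switch:
#   oc port-forward -n demo svc/myapp-green 8080:8080
# Cutover, all traffic at once (what distinguishes blue/green from a canary):
#   oc set route-backends myapp -n demo myapp-green=100 myapp-blue=0
# Rollback is the same command with the weights reversed. Keep blue running
# until green has been in service long enough to trust; the flip is instant
# in both directions, so nothing is lost by waiting.
```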