
Kubernetes - Objects

Get a list of object types

Each K8s version may have a different set of supported object types, check yours by:

$ kubectl version
$ kubectl api-versions
$ kubectl api-resources

List all objects grouped by API versions:

for v in $(kubectl api-versions); do
  case "$v" in
    */*) group="${v%/*}" ;;   # e.g. batch/v1 -> batch
    *)   group="" ;;          # core group (apiVersion: v1) has an empty group name
  esac
  echo
  echo "apiVersion: $v"
  kubectl api-resources --api-group="$group"
done

Object vs kind vs resources

  • A Kubernetes object is a persistent entity in the Kubernetes system.
  • A Kubernetes resource is an endpoint in the Kubernetes API that stores a collection of API objects of a certain kind; for example, the built-in pods resource contains a collection of Pod objects.

Object Definition

Every object has a .spec and a .status, plus some metadata (.kind, .apiVersion, .metadata).

Obj {
  TypeMeta.APIVersion
  TypeMeta.Kind
  ObjectMeta
  Spec
  Status
}

To define a new object Foo:

type Foo struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   FooSpec   `json:"spec,omitempty"`
	Status FooStatus `json:"status,omitempty"`
}

apiVersion

Format: $GROUP_NAME/$VERSION, for example, apiVersion: batch/v1. Objects in the core group omit the group name, e.g. apiVersion: v1.

metadata

annotations, labels, taints and finalizers are all lists of strings in metadata.

https://kubernetes.io/docs/reference/labels-annotations-taints/

finalizers

If metadata.finalizers is not empty, when you attempt to delete the resource it will not be deleted right away, but will stay in the Terminating status. Only when finalizers is emptied by some reconciler (or by manual modification) will the resource be deleted.

E.g. these finalizers are used to prevent accidental deletion of PV and PVC:

kubernetes.io/pv-protection
kubernetes.io/pvc-protection

deletionGracePeriodSeconds

metadata.deletionGracePeriodSeconds is initialized when you delete a resource. Its initial value comes from the spec.terminationGracePeriodSeconds field, but can be overridden with --grace-period, e.g. kubectl delete pod <name> --grace-period <seconds>
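The object layout from "Object Definition" and the deletion behaviour described under finalizers and deletionGracePeriodSeconds, as an added Go example (not code from this page or from Kubernetes). TypeMeta and ObjectMeta are simplified stand-ins for the real metav1 types, Foo/FooSpec/FooStatus and the finalizer name example.com/cleanup are hypothetical, and RequestDelete only models what the API server does; it is not apiserver code.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Stand-ins for metav1.TypeMeta and metav1.ObjectMeta (assumption: only the
// fields this example needs; the real types live in k8s.io/apimachinery).
type TypeMeta struct {
	APIVersion string `json:"apiVersion,omitempty"`
	Kind       string `json:"kind,omitempty"`
}

type ObjectMeta struct {
	Name                       string     `json:"name,omitempty"`
	Namespace                  string     `json:"namespace,omitempty"`
	Finalizers                 []string   `json:"finalizers,omitempty"`
	DeletionTimestamp          *time.Time `json:"deletionTimestamp,omitempty"`
	DeletionGracePeriodSeconds *int64     `json:"deletionGracePeriodSeconds,omitempty"`
}

// FooSpec and FooStatus are hypothetical, as Foo itself is on the page.
type FooSpec struct {
	TerminationGracePeriodSeconds *int64 `json:"terminationGracePeriodSeconds,omitempty"`
}

type FooStatus struct {
	Phase string `json:"phase,omitempty"`
}

type Foo struct {
	TypeMeta   `json:",inline"`
	ObjectMeta `json:"metadata,omitempty"`

	Spec   FooSpec   `json:"spec,omitempty"`
	Status FooStatus `json:"status,omitempty"`
}

// NewFoo builds a sample object (constructed for this example) that carries a
// hypothetical finalizer, the way a PV carries kubernetes.io/pv-protection.
func NewFoo(name string) *Foo {
	grace := int64(10)
	return &Foo{
		TypeMeta:   TypeMeta{APIVersion: "example.com/v1", Kind: "Foo"},
		ObjectMeta: ObjectMeta{Name: name, Namespace: "default", Finalizers: []string{"example.com/cleanup"}},
		Spec:       FooSpec{TerminationGracePeriodSeconds: &grace},
	}
}

// RequestDelete models a DELETE request: it stamps metadata.deletionTimestamp
// and metadata.deletionGracePeriodSeconds (from spec.terminationGracePeriodSeconds
// unless --grace-period overrides it). Nothing is removed from storage while
// metadata.finalizers is non-empty.
func RequestDelete(obj *Foo, gracePeriodOverride *int64, now time.Time) {
	if obj.DeletionTimestamp == nil {
		ts := now
		obj.DeletionTimestamp = &ts
	}
	grace := int64(30) // assumption: fallback when the spec sets no grace period
	if obj.Spec.TerminationGracePeriodSeconds != nil {
		grace = *obj.Spec.TerminationGracePeriodSeconds
	}
	if gracePeriodOverride != nil {
		grace = *gracePeriodOverride
	}
	obj.DeletionGracePeriodSeconds = &grace
}

// RemoveFinalizer is the step a reconciler performs once its cleanup is done
// (or an operator performs by hand). It reports whether the finalizer was present.
func RemoveFinalizer(obj *Foo, name string) bool {
	kept := obj.Finalizers[:0]
	removed := false
	for _, f := range obj.Finalizers {
		if f == name {
			removed = true
			continue
		}
		kept = append(kept, f)
	}
	obj.Finalizers = kept
	return removed
}

// Phase reports the lifecycle state: Active (no deletion requested), Terminating
// (deletion requested, finalizers still present) or Gone (storage would drop it).
func Phase(obj *Foo) string {
	switch {
	case obj.DeletionTimestamp == nil:
		return "Active"
	case len(obj.Finalizers) > 0:
		return "Terminating"
	default:
		return "Gone"
	}
}

// ToJSON shows the apiVersion/kind/metadata/spec/status layout on the wire.
func ToJSON(obj *Foo) (string, error) {
	b, err := json.MarshalIndent(obj, "", "  ")
	return string(b), err
}

func main() {
	foo := NewFoo("demo")
	out, _ := ToJSON(foo)
	fmt.Println(out)
	zero := int64(0) // like: kubectl delete foo demo --grace-period 0
	RequestDelete(foo, &zero, time.Now())
	fmt.Println("after delete request:", Phase(foo)) // Terminating
	RemoveFinalizer(foo, "example.com/cleanup")
	fmt.Println("after finalizer removed:", Phase(foo)) // Gone
}
```

The point to take from the model is the ordering: the delete request only records intent (timestamp and grace period), and the object stays visible as Terminating until every entry in metadata.finalizers has been cleared by its owning controller, which is exactly why a stuck finalizer leaves PVs and PVCs hanging.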

Built-in Objects

  • App: Pod, Deployment, DaemonSet, StatefulSet
  • Storage: PersistentVolume, PersistentVolumeClaim, StorageClass

EndpointSlice

Services will create Endpoints, one for each healthy pod. (I.e. each Endpoint is an ip:port pointing to a Pod that is part of this Service.)

EndpointSlice replaces Endpoints.

Relations:

Service <= (ownerReferences) <= EndpointSlice => (targetRef) => Pods

Deployment

A deployment is responsible for keeping a set of pods running.

Gateway

Incoming requests: Gateway -> Service (of type LoadBalancer) -> Deployment -> ReplicaSet -> Pod.

Istio defines a Gateway but it is migrating to Kubernetes' Gateway.

Gateway configuration resources allow external traffic to enter the Istio service mesh and make the traffic management and policy features of Istio available for edge services.

CronJob

The CronJob controller creates Job objects.

Application

applications, app.k8s.io/v1beta1

(https://github.com/kubernetes-sigs/application)

Cluster

A "Cluster" is conceptually the collection of all the control plane and worker node components.

The cluster-api SIG defines a Cluster object as a CRD: config/crd/bases/cluster.x-k8s.io_clusters.yaml. (https://github.com/kubernetes-sigs/cluster-api/)

Some projects built upon k8s may also have a Cluster object, e.g. Anthos Bare Metal.

Lease

apiVersion: coordination.k8s.io/v1
kind: Lease

Node lease: Each Node has an associated Lease object in the kube-node-lease namespace.

Under the hood, every kubelet heartbeat is an update request to this Lease object, updating the spec.renewTime field for the Lease. The Kubernetes control plane uses the time stamp of this field to determine the availability of this Node.

API Server lease: provides a mechanism for clients to discover how many instances of kube-apiserver are operating the Kubernetes control plane.

namespace: kube-system
name: apiserver-<sha256-hash>

ValidatingAdmissionPolicy

A new declarative alternative to validating admission webhooks.

Introduced in Kubernetes 1.26, set to become the standard for validating Kubernetes resources; using CEL, Common Expression Language, to define the conditions.

Admission webhooks can be burdensome to develop and operate. Webhook developers must implement and maintain a webhook binary to handle admission requests. Also, admission webhooks are complex to operate. Each webhook must be deployed, monitored and have a well defined upgrade and rollback plan. To make matters worse, if a webhook times out or becomes unavailable, the Kubernetes control plane can become unavailable.

ValidatingAdmissionPolicy: just create a ValidatingAdmissionPolicy and a ValidatingAdmissionPolicyBinding, no backend to maintain.