Kubernetes - kubelet
kubelet Config Files
The configuration file installed by the kubeadm package is written to /etc/systemd/system/kubelet.service.d/10-kubeadm.conf and is used by systemd.
kubelet config files:
/var/lib/kubelet/config.yaml
/etc/kubernetes/kubelet.conf
kubelet config flags:
- if you start kubelet with
--register-node=false, you need to manually create aNodeobject; iftrueit will createNodeobject on the api server. - if set the kubelet
--authorization-modeflag toWebhook, it will use theSubjectAccessReviewAPI to determine authorization. --network-plugin=cni: enables CNI (Container Network Interface).
kubelet deployment
kubelet is usually deployed as a systemd service; check status:
$ systemctl status kubelet
Communication
kubelet <=> kube-apiserver
kubelet needs a kubeconfig to authenticate itself to the API server.
kubelet.conf has this
users:
- name: default-auth
user:
client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
/var/lib/kubelet/pki/kubelet-client-current.pem is used when talking to the api server. The cert has Subject: O = system:nodes, CN = system:node:<node_name>.
kubelet <=> CRI (e.g. containerd)
kubelet talks to container runtime to create containers; if the CRI is containerd, kubelet talks to it through a unix socket: unix:///run/containerd/containerd.sock.
The kubelet works in terms of a PodSpec. A PodSpec is a YAML or JSON object that describes a pod.
kubelet uses the podSpec and invokes the RunPodSandbox RPC. When a sandbox is created it involves creating a pause container.
- The
pausecontainer hosts pod-level resources (Linux namespaces) that workload containers use. - The
pausecontainer is a container which holds the network namespace for the pod.
Being in the same network namespace allows containers in the same pod to refer to one another using localhost. To set the networking for a pod kubelet uses CNI (Container Network Interface) plugin. CNI concerns itself only with network connectivity of containers and removing allocated resources when the container is deleted.
Once the sandbox is created and active, the kubelet starts creating a container for it via CRI. The container runtime starts downloading the corresponding docker image and completes the task.
Auth
The kubelet calls the TokenReview API on the configured API server to determine user information from bearer tokens.
/var/lib/kubelet
Kubernetes uses /var/lib/kubelet for local storage:
- ephemeral storage
- logs
- container runtime
"ephemeral" means if the node is gone, the data is gone; on the contrary, the "persistent" data should be stored in external storage.
Pods
/var/lib/kubelet/pods/POD_ID has all the pods, identified by a POD_ID, which should match the pod's .metadata.uid field. (This id does not match anything in crictl pods results).
Volumes
Check mounts:
$ mount | grep /var/lib/kubelet
Or list all the volumes:
$ ls -lad /var/lib/kubelet/pods/*/volumes/*
Containers
The files under /var/lib/kubelet/pods/*/containers/* are the termination log for each pod's container, and are created each time a container starts up.
$ ls -lad /var/lib/kubelet/pods/*/containers/*
The files are cleaned up when a pod is evicted, but they are not cleaned up on container restart.
How is Node registered?
Example kubelet service config (/etc/systemd/system/kubelet.service):
[Service]
ExecStart=/usr/local/bin/kubelet \
--config=/var/lib/kubelet/kubelet-config.yaml \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--register-node=true \
--v=2
It specifies --kubeconfig; the kubeconfig file should have the apiserver address; if --register-node=true, kubelet will register the Node to the apiserver.