k8s-diagrams
A collection of diagrams explaining kubernetes, extracted from our
- k8s trainings
- k8s AppOps Security eBook (German)
- blog articles
- and talks (k8s sec, k8s intro)
For questions or suggestions you are welcome to join us at our myCloudogu community forum.
The diagrams are realized using PlantUML, so they're basically text and can be adjusted easily.
Note that the diagrams don't use UML notation. They are rather box and line diagrams.
Table of contents
- Deployment ➜ Pod ➜ Container
- Pod ➜ Node
- Services, Nodes and Pods explained
- Services, Nodes and Pods explained (including IP addresses)
- Ingresses explained
- Rolling Updates explained
- Authentication and Authorization
- Role Based Access Control (RBAC) Resources
- PodSecurityPolicy Activation via RBAC
- Troubleshooting Kubernetes PodSecurityPolicies
- GitOps
Deployment ➜ Pod ➜ Container
Relationship between Deployment, Pod and Container.
Simplified - leaves out ReplicaSets for brevity.
Pod ➜ Node
Relationship between Pod and Node.
Services, Nodes and Pods explained
Traffic flow from Cloud LoadBalancer via Service to Pods running on Nodes.
Services, Nodes and Pods explained (including IP addresses)
Traffic flow from Cloud LoadBalancer via Service to Pods running on Nodes. Including different address IP address ranges and ports:
- external IP,
- node internal and external IP and node port,
- service IP,
- pod IP and target port (on container)
Ingresses explained
Progress of a requests from the ingress controller's service to the actual pod, illustrating the role of the ingress
resource.
Rolling Updates explained
Authentication and Authorization
Flow from user API server request to response: check authn via identity provider, then authz via RBAC.
Role Based Access Control (RBAC) Resources
A simplified display of resources involved in RBAC and their correlations.
Note that
Permission
is not a k8s resource, but a list of rules inside the (Cluster-)roles that make up a kind of permission.
It consits of resources and verbs granted on it. For example:- resources: "secrets"
- verbs: "get"
Subject
can be a serviceAccount, user or group
PodSecurityPolicy Activation via RBAC
Connection from Pod to PSP via RBAC (Role, RoleBinding, ServiceAccount).
Troubleshooting Kubernetes PodSecurityPolicies
A diagram to help debugging Kubernetes PodSecurityPolicies.
GitOps
Diagrams describing the general concepts of gitOps and distinguishing it from "ciOps".
See also our
- GitOps playground (to experience argocd and flux hands-on in a local k8s cluster),
- GitOps glossary and
- offerings for consulting.
High-level overview
Details
There are different options when implementing GitOps. Some of them are depicted bellow.
CI Server writes image version to GitOps Repo.
CI Server read-only on GitOps Repo; GitOps Operator writes image version to GitOps Repo.
Infra as Code stays in app repo, CI Server writes to GitOps repo.