Summary

Overview

This course segment provides a hands-on demonstration of Kubernetes node and pod management, focusing on label manipulation, node selector usage, resource utilization inspection, and Kubernetes client certificate analysis. It reinforces foundational concepts of Kubernetes architecture, including node-pod relationships, labeling conventions, and TLS certificate lifecycle management in both development (minikube) and production contexts.

Topic (Timeline)

1. Node Labeling and Pod Deletion Workflow [00:00:00 - 00:02:31]

  • Corrected a typo in a YAML manifest by changing the label value from “fail” to “test” at the bottom of the file.
  • Demonstrated deleting the pod with kubectl delete -f against the same manifest file (the apply verb replaced by delete).
  • Verified the updated label node-type=test was applied to the node using kubectl get nodes --show-labels.
  • Explained proper label naming convention: use full API domain prefix (e.g., kubernetes.io/) rather than shortcuts to ensure consistency across teams.
  • Confirmed pod restart and successful scheduling after label correction.
  • Used kubectl describe node to inspect resource utilization: CPU requests at 5%, memory requests at 1%, with no limits set on the node.

2. Node Selector Removal and Label Cleanup [00:02:31 - 00:03:30]

  • Deleted the pod using kubectl delete node with a node selector match, which automatically removed the pod and unlabeled the node.
  • Observed descriptive output confirming deletion of node selector and removal of the node-type=test label.
  • Verified cleanup by checking node labels again, confirming no residual labels remained.
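The labeling and node-selector workflow from segments 1 and 2, as an added example that is not the course's own code: a small POSIX-shell linter that classifies a label key the way the Kubernetes API validates it (optional DNS-subdomain prefix, a 1-63 character name), plus a generator for the pod manifest that pins a pod to labelled nodes. The example.com/ prefix, the pod name and the image are assumptions for illustration. Beyond the lesson's point about unqualified keys, the linter also flags the kubernetes.io/ and k8s.io/ prefixes, which the Kubernetes API reserves for core components, so a team's own labels should use a domain the team controls.

```shell
#!/bin/sh
# Added example (not the course's own code): label-key linter and pod manifest
# generator for the node-selector workflow.  example.com/, the node name and the
# image are assumptions for illustration.

# Classify a label key the way the Kubernetes API validates it:
#   [prefix/]name  -- prefix: DNS subdomain, <=253 chars, lowercase;
#                     name: 1-63 chars, alphanumeric at both ends, [-_.] inside.
# Prints one of: ok | unqualified | reserved | invalid.  Exit 0 only for ok.
label_key_status() {
  key="$1"
  case "$key" in
    */*/*) echo invalid; return 1 ;;                       # at most one '/'
    */*)   prefix="${key%/*}"; name="${key##*/}"
           [ -n "$prefix" ] || { echo invalid; return 1; } ;;  # "/name" is rejected
    *)     prefix=""; name="$key" ;;
  esac
  if [ -n "$prefix" ]; then
    if [ "${#prefix}" -gt 253 ] || ! printf '%s\n' "$prefix" |
        grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'; then
      echo invalid; return 1
    fi
  fi
  if [ -z "$name" ] || [ "${#name}" -gt 63 ] || ! printf '%s\n' "$name" |
      grep -Eq '^[A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])?$'; then
    echo invalid; return 1
  fi
  case "$prefix" in
    "")                                            echo unqualified; return 1 ;;
    kubernetes.io|*.kubernetes.io|k8s.io|*.k8s.io) echo reserved;    return 1 ;;
  esac
  echo ok
}

# Pod manifest that pins the pod to nodes carrying KEY=VALUE via nodeSelector
# (constructed sample; adjust the pod name and image to your workload).
render_pod_manifest() {
  key="$1"; value="$2"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: nginx-on-labelled-node
spec:
  nodeSelector:
    $key: "$value"
  containers:
  - name: nginx
    image: nginx:1.25
EOF
}

# The lesson's workflow with kubectl, kept as comments so this script runs offline
# (NODE is a placeholder for your node name):
#   kubectl label node NODE example.com/node-type=test              # add the label
#   kubectl label node NODE example.com/node-type=test --overwrite  # fix a typo'd value
#   kubectl get nodes --show-labels                                 # verify
#   render_pod_manifest example.com/node-type test | kubectl apply -f -
#   kubectl describe node NODE                                      # Allocated resources
#   render_pod_manifest example.com/node-type test | kubectl delete -f -
#   kubectl label node NODE example.com/node-type-                  # trailing '-' removes it

# Demo run over constructed sample keys.
for k in node-type kubernetes.io/node-type example.com/node-type 'example.com/node type' a/b/c; do
  printf '%-28s %s\n' "$k" "$(label_key_status "$k")"
done
render_pod_manifest example.com/node-type test
```

Pipe the generated manifest into kubectl apply -f - once the node carries the label; a pod whose nodeSelector matches no node stays Pending rather than being scheduled, which is the symptom of the "fail" versus "test" typo the lesson corrected.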

3. Kubernetes Config and Client Certificate Analysis [00:03:30 - 00:05:38]

  • Located the kubeconfig file in the minikube cluster (~/.minikube/profiles/minikube/config).
  • Noted lack of descriptive naming in default config files; recommended using .yaml extensions and meaningful names in production.
  • Navigated to the client certificate directory: ~/.minikube/profiles/minikube/.
  • Removed the client.crt file to simulate certificate rotation or revocation.
  • Inspected the certificate’s expiration date: valid until 2025 (3-year validity in minikube).
  • Compared certificate lifespans: minikube (3 years), production clusters (typically 1 year), MicroK8s (10 years).
  • Identified signature algorithm used (not explicitly named, but implied to be RSA/SHA256 based on context).
  • Noted the X.509 basicConstraints extension CA:FALSE, indicating that this certificate is for client authentication only and cannot issue other certificates within the cluster.
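The certificate inspection from segment 3, as an added example that is not the course's own code: it reads the client-certificate path out of a kubeconfig and checks the cert with openssl for the three things the lesson looked at (expiry date, signature algorithm, basicConstraints CA:FALSE), and adds an expiry-window check suitable for a rotation alarm. A throwaway self-signed client certificate and a minikube-style kubeconfig are constructed inline so the script runs offline; the paths, the demo-user name and the 365-day validity are assumptions, not minikube's values.

```shell
#!/bin/sh
# Added example (not the course's own code): inspect the client certificate that a
# kubeconfig points at, with openssl, the way the lesson reads minikube's client.crt.
# A throwaway cert and kubeconfig are constructed here so it runs offline; paths,
# names and the 365-day validity are assumptions.

# Issue a self-signed client certificate valid for DAYS days into DIR, carrying
# the extension the lesson observed (basicConstraints CA:FALSE).  A private
# config file is used so the system openssl.cnf's CA defaults do not apply.
make_demo_client_cert() {
  dir="$1"; days="$2"
  cat > "$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = client_ext
[ dn ]
CN = demo-user
O = developers
[ client_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -config "$dir/req.cnf" -keyout "$dir/client.key" -out "$dir/client.crt" \
    >/dev/null 2>&1
}

# Write a constructed kubeconfig in minikube's shape that references the cert.
write_demo_kubeconfig() {
  dir="$1"
  cat > "$dir/config" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: demo
  cluster:
    server: https://127.0.0.1:8443
users:
- name: demo-user
  user:
    client-certificate: $dir/client.crt
    client-key: $dir/client.key
contexts:
- name: demo
  context:
    cluster: demo
    user: demo-user
current-context: demo
EOF
}

# Path of the client certificate named in a kubeconfig (first user entry).
kubeconfig_client_cert() {
  sed -n 's/^[[:space:]]*client-certificate:[[:space:]]*//p' "$1" | head -n 1
}

# Expiry as openssl prints it, e.g. "Mar  3 12:00:00 2026 GMT".
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/^[[:space:]]*Signature Algorithm: //p' | head -n 1
}

# Exit 0 when basicConstraints says CA:FALSE: the cert can authenticate a client
# but cannot sign further certificates.
cert_is_client_only() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE'
}

# Exit 0 when the cert is still valid SECONDS from now (openssl's -checkend);
# this is the check to schedule ahead of the 12-month rotation cycle.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Demo run against the constructed cert.
demo_dir=$(mktemp -d)
make_demo_client_cert "$demo_dir" 365
write_demo_kubeconfig "$demo_dir"
crt=$(kubeconfig_client_cert "$demo_dir/config")
echo "client cert:   $crt"
echo "notAfter:      $(cert_not_after "$crt")"
echo "signature:     $(cert_sig_alg "$crt")"
if cert_is_client_only "$crt"; then echo "constraints:   CA:FALSE (client auth only)"; fi
if cert_valid_for "$crt" $((30 * 86400)); then echo "rotation:      more than 30 days left"
else echo "rotation:      expires within 30 days, rotate now"; fi
rm -rf "$demo_dir"
```

Against a real minikube profile, point kubeconfig_client_cert at ~/.minikube/profiles/minikube/config and run the three checks on the path it returns; the same functions work unchanged on a production kubeconfig, where cert_valid_for with a window of a few weeks is the value worth alerting on.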

4. Kubernetes Lifecycle and TLS Certificate Alignment [00:05:38 - 00:06:20]

  • Reviewed key concepts from Lesson 1: node-pod interaction, component architecture, versioning, node labeling, and node selectors.
  • Stated that the recommended lifecycle for a production Kubernetes cluster is no more than 13 months.
  • Explained alignment between TLS certificate validity (typically 12 months) and cluster upgrade cycles.
  • Emphasized that while clusters can operate beyond end-of-life (EOL) versions, they are designed to be upgraded annually to maintain security and compatibility.

Appendix

Key Principles

  • Labeling: Use fully qualified domain prefixes (e.g., kubernetes.io/) for labels to ensure standardization and avoid conflicts.
  • Node Selectors: Used to bind pods to specific nodes; removal triggers automatic pod eviction if no matching nodes exist.
  • Certificate Lifecycle: Production clusters should align TLS cert expiration (12 months) with upgrade cycles to avoid security drift.
  • Config Management: Avoid default filenames (e.g., config) in production; use descriptive, versioned YAML names.

Tools Used

  • kubectl get nodes --show-labels
  • kubectl describe node
  • kubectl delete (with node selector)
  • cat ~/.minikube/profiles/minikube/config
  • cd ~/.minikube/profiles/minikube/ && ls -l client.crt
  • openssl x509 -in client.crt -text -noout (implied for certificate inspection)

Common Pitfalls

  • Using unqualified label keys (e.g., node-type instead of kubernetes.io/node-type) leading to team inconsistencies.
  • Assuming minikube certificate lifespans apply to production (3-year vs. 1-year).
  • Neglecting to rename kubeconfig files in production environments, reducing auditability.

Practice Suggestions

  • Practice labeling nodes and using node selectors to schedule pods in a local cluster.
  • Manually inspect and decode kubeconfig client certificates using openssl.
  • Simulate certificate rotation by deleting and regenerating client certs in minikube.
  • Compare certificate validity periods across minikube, MicroK8s, and cloud-managed Kubernetes services.