Back to DevOps & SRE

Module 3: Container Orchestration

Master Docker containers and Kubernetes orchestration for scalable, production-ready applications

🐳 Understanding Containers

Containers package your application with all its dependencies into a single, portable unit. They solve the "it works on my machine" problem by ensuring consistency across development, testing, and production.

Containers vs Virtual Machines

Containers

  • β€’ Share host OS kernel
  • β€’ Lightweight (MBs)
  • β€’ Start in seconds
  • β€’ More efficient resource usage
  • β€’ Process-level isolation

Virtual Machines

  • β€’ Full OS per VM
  • β€’ Heavy (GBs)
  • β€’ Start in minutes
  • β€’ More resource overhead
  • β€’ Hardware-level isolation

Docker Basics

Docker is the most popular container platform. It uses images (blueprints) to create containers (running instances).

# Dockerfile - defines how to build an image
FROM node:20-alpine

# Set working directory
WORKDIR /app

# Copy package files
COPY package*.json ./

# Install dependencies
RUN npm ci --only=production

# Copy application code
COPY . .

# Build application
RUN npm run build

# Expose port
EXPOSE 3000

# Start application
CMD ["npm", "start"]

Common Docker Commands:

docker build -t myapp:1.0 . - Build image

docker run -p 3000:3000 myapp:1.0 - Run container

docker ps - List running containers

docker logs container-id - View logs

docker stop container-id - Stop container

☸️ Kubernetes Architecture

Kubernetes (K8s) is a container orchestration platform that automates deployment, scaling, and management of containerized applications across clusters of machines.

Why Kubernetes?

Auto-scaling: Scale apps based on demand
Self-healing: Restart failed containers
Load balancing: Distribute traffic
Rolling updates: Zero-downtime deployments
Service discovery: Automatic DNS
Storage orchestration: Manage volumes

Cluster Components

Control Plane (Master)

API Server: Frontend for K8s control plane, handles all REST requests

etcd: Distributed key-value store for cluster data

Scheduler: Assigns pods to nodes based on resources

Controller Manager: Runs controllers (replication, endpoints, etc.)

Worker Nodes

Kubelet: Agent that ensures containers are running

Kube-proxy: Network proxy for service communication

Container Runtime: Runs containers (Docker, containerd, CRI-O)

πŸ“¦ Core Kubernetes Resources

1. Pods

Smallest deployable unit. One or more containers that share network and storage.

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: nginx:1.25
    ports:
    - containerPort: 80
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"

2. Deployments

Manages ReplicaSets and provides declarative updates for Pods. Handles rolling updates and rollbacks.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
      - name: api
        image: myapp/api:1.0
        ports:
        - containerPort: 8080
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0

3. Services

Exposes Pods to network traffic. Provides stable IP and DNS name for dynamic Pod IPs.

apiVersion: v1
kind: Service
metadata:
  name: api-service
spec:
  selector:
    app: api
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
  type: LoadBalancer  # ClusterIP, NodePort, or LoadBalancer

4. ConfigMaps & Secrets

ConfigMaps store configuration data. Secrets store sensitive data (base64 encoded).

# ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  DATABASE_HOST: "postgres.default.svc.cluster.local"
  LOG_LEVEL: "info"

---
# Secret
apiVersion: v1
kind: Secret
metadata:
  name: app-secrets
type: Opaque
data:
  DATABASE_PASSWORD: cGFzc3dvcmQxMjM=  # base64 encoded

---
# Using in Pod
spec:
  containers:
  - name: app
    envFrom:
    - configMapRef:
        name: app-config
    - secretRef:
        name: app-secrets

⎈ Helm: Kubernetes Package Manager

Helm is the package manager for Kubernetes. It uses "charts" (packages) to define, install, and upgrade complex Kubernetes applications.

Why Use Helm?

  • β€’ Package multiple K8s resources together
  • β€’ Templating for reusable configurations
  • β€’ Version control for deployments
  • β€’ Easy rollbacks
  • β€’ Share charts via repositories

Helm Chart Structure

mychart/
β”œβ”€β”€ Chart.yaml          # Chart metadata
β”œβ”€β”€ values.yaml         # Default configuration values
β”œβ”€β”€ templates/          # Kubernetes manifest templates
β”‚   β”œβ”€β”€ deployment.yaml
β”‚   β”œβ”€β”€ service.yaml
β”‚   β”œβ”€β”€ ingress.yaml
β”‚   └── _helpers.tpl   # Template helpers
└── charts/            # Dependent charts

Example: values.yaml

replicaCount: 3

image:
  repository: myapp/api
  tag: "1.0"
  pullPolicy: IfNotPresent

service:
  type: LoadBalancer
  port: 80

resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 250m
    memory: 256Mi

autoscaling:
  enabled: true
  minReplicas: 2
  maxReplicas: 10
  targetCPUUtilizationPercentage: 80

Common Helm Commands

helm install myapp ./mychart - Install chart

helm upgrade myapp ./mychart - Upgrade release

helm rollback myapp 1 - Rollback to revision

helm list - List releases

helm uninstall myapp - Uninstall release

🏭 Production Best Practices

Resource Management

  • βœ“ Always set resource requests and limits
  • βœ“ Use Horizontal Pod Autoscaler (HPA)
  • βœ“ Configure Pod Disruption Budgets
  • βœ“ Use node affinity for workload placement

Health Checks

  • βœ“ Implement liveness probes
  • βœ“ Implement readiness probes
  • βœ“ Set appropriate timeouts
  • βœ“ Use startup probes for slow apps

Security

  • βœ“ Use RBAC for access control
  • βœ“ Run containers as non-root
  • βœ“ Use Pod Security Standards
  • βœ“ Scan images for vulnerabilities

Networking

  • βœ“ Use Network Policies
  • βœ“ Implement Ingress controllers
  • βœ“ Consider service mesh (Istio)
  • βœ“ Enable TLS for services

πŸ“ Module Summary

You've learned container orchestration with Docker and Kubernetes:

Docker:

  • βœ“ Container basics and benefits
  • βœ“ Dockerfile creation
  • βœ“ Image building and management
  • βœ“ Container lifecycle

Kubernetes:

  • βœ“ Cluster architecture
  • βœ“ Pods, Deployments, Services
  • βœ“ ConfigMaps and Secrets
  • βœ“ Helm package management

🎯 Next Steps

Now that you can orchestrate containers, let's learn Infrastructure as Code to manage your entire infrastructure declaratively.

Continue to Module 4: Infrastructure as Code β†’