
Post on 19-Mar-2019


OpenShift Container Platform 3.9

Architecture

OpenShift Container Platform 3.9 Architecture Information

Last Updated: 2019-03-07


Legal Notice

Copyright © 2019 Red Hat, Inc.

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution-Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux is the registered trademark of Linus Torvalds in the United States and other countries.

Java is a registered trademark of Oracle and/or its affiliates.

XFS is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Node.js is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.

The OpenStack Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Abstract

Learn the architecture of OpenShift Container Platform 3.9 including the infrastructure and core components. These topics also cover authentication, networking and source code management.


Table of Contents

CHAPTER 1. OVERVIEW
  1.1. WHAT ARE THE LAYERS?
  1.2. WHAT IS THE OPENSHIFT CONTAINER PLATFORM ARCHITECTURE?
  1.3. HOW IS OPENSHIFT CONTAINER PLATFORM SECURED?
    1.3.1. TLS Support

CHAPTER 2. INFRASTRUCTURE COMPONENTS
  2.1. KUBERNETES INFRASTRUCTURE
    2.1.1. Overview
    2.1.2. Masters
      2.1.2.1. High Availability Masters
    2.1.3. Nodes
      2.1.3.1. Kubelet
      2.1.3.2. Service Proxy
      2.1.3.3. Node Object Definition
  2.2. CONTAINER REGISTRY
    2.2.1. Overview
    2.2.2. Integrated OpenShift Container Registry
    2.2.3. Third Party Registries
      2.2.3.1. Authentication
  2.3. WEB CONSOLE
    2.3.1. Overview
    2.3.2. CLI Downloads
    2.3.3. Browser Requirements
    2.3.4. Project Overviews
    2.3.5. JVM Console
    2.3.6. StatefulSets

CHAPTER 3. CORE CONCEPTS
  3.1. OVERVIEW
  3.2. CONTAINERS AND IMAGES
    3.2.1. Containers
      3.2.1.1. Init Containers
    3.2.2. Images
      Image Version Tag Policy
    3.2.3. Container Registries
  3.3. PODS AND SERVICES
    3.3.1. Pods
      3.3.1.1. Pod Restart Policy
      3.3.1.2. Injecting Information into Pods Using Pod Presets
    3.3.2. Init Containers
    3.3.3. Services
      3.3.3.1. Service externalIPs
      3.3.3.2. Service ingressIPs
      3.3.3.3. Service NodePort
      3.3.3.4. Service Proxy Mode
      3.3.3.5. Headless services
        3.3.3.5.1. Creating a headless service
        3.3.3.5.2. Endpoint discovery by using a headless service
    3.3.4. Labels
    3.3.5. Endpoints
  3.4. PROJECTS AND USERS
    3.4.1. Users
    3.4.2. Namespaces
    3.4.3. Projects
      3.4.3.1. Projects provided at installation
  3.5. BUILDS AND IMAGE STREAMS
    3.5.1. Builds
      3.5.1.1. Docker Build
      3.5.1.2. Source-to-Image (S2I) Build
      3.5.1.3. Custom Build
      3.5.1.4. Pipeline Build
    3.5.2. Image Streams
      3.5.2.1. Important terms
      3.5.2.2. Configuring Image Streams
      3.5.2.3. Image Stream Images
      3.5.2.4. Image Stream Tags
      3.5.2.5. Image Stream Change Triggers
      3.5.2.6. Image Stream Mappings
      3.5.2.7. Working with Image Streams
        3.5.2.7.1. Getting Information about Image Streams
        3.5.2.7.2. Adding Additional Tags to an Image Stream
        3.5.2.7.3. Adding Tags for an External Image
        3.5.2.7.4. Updating an Image Stream Tag
        3.5.2.7.5. Removing Image Stream Tags from an Image Stream
        3.5.2.7.6. Configuring Periodic Importing of Tags
  3.6. DEPLOYMENTS
    3.6.1. Replication controllers
    3.6.2. Replica set
    3.6.3. Jobs
    3.6.4. Deployments and Deployment Configurations
  3.7. TEMPLATES
    3.7.1. Overview

CHAPTER 4. ADDITIONAL CONCEPTS
  4.1. AUTHENTICATION
    4.1.1. Overview
    4.1.2. Users and Groups
    4.1.3. API Authentication
      4.1.3.1. Impersonation
    4.1.4. OAuth
      4.1.4.1. OAuth Clients
      4.1.4.2. Service Accounts as OAuth Clients
      4.1.4.3. Redirect URIs for Service Accounts as OAuth Clients
        4.1.4.3.1. API Events for OAuth
          4.1.4.3.1.1. Sample API Event Caused by a Possible Misconfiguration
      4.1.4.4. Integrations
      4.1.4.5. OAuth Server Metadata
      4.1.4.6. Obtaining OAuth Tokens
      4.1.4.7. Authentication Metrics for Prometheus
  4.2. AUTHORIZATION
    4.2.1. Overview
    4.2.2. Evaluating Authorization
    4.2.3. Cluster and Local RBAC
    4.2.4. Cluster Roles and Local Roles
      4.2.4.1. Updating Cluster Roles
      4.2.4.2. Applying Custom Roles and Permissions
      4.2.4.3. Cluster Role Aggregation
    4.2.5. Security Context Constraints
      4.2.5.1. SCC Strategies
        4.2.5.1.1. RunAsUser
        4.2.5.1.2. SELinuxContext
        4.2.5.1.3. SupplementalGroups
        4.2.5.1.4. FSGroup
      4.2.5.2. Controlling Volumes
      4.2.5.3. Restricting Access to FlexVolumes
      4.2.5.4. Seccomp
      4.2.5.5. Admission
        4.2.5.5.1. SCC Prioritization
        4.2.5.5.2. Understanding Pre-allocated Values and Security Context Constraints
    4.2.6. Determining What You Can Do as an Authenticated User
  4.3. PERSISTENT STORAGE
    4.3.1. Overview
    4.3.2. Lifecycle of a Volume and Claim
      4.3.2.1. Provisioning
      4.3.2.2. Binding
      4.3.2.3. Using
      4.3.2.4. Persistent Volume Claim Protection
      4.3.2.5. Releasing
      4.3.2.6. Reclaiming
        4.3.2.6.1. Recycling
    4.3.3. Persistent Volumes
      4.3.3.1. Types of Persistent Volumes
      4.3.3.2. Capacity
      4.3.3.3. Access Modes
      4.3.3.4. Reclaim Policy
      4.3.3.5. Phase
      4.3.3.6. Mount Options
    4.3.4. Persistent Volume Claims
      4.3.4.1. Storage Class
      4.3.4.2. Access Modes
      4.3.4.3. Resources
      4.3.4.4. Claims As Volumes
    4.3.5. Block Volume Support
  4.4. SOURCE CONTROL MANAGEMENT
  4.5. ADMISSION CONTROLLERS
    4.5.1. Overview
    4.5.2. General Admission Rules
    4.5.3. Customizable Admission Plug-ins
    4.5.4. Admission Controllers Using Containers
  4.6. CUSTOM ADMISSION CONTROLLERS
    4.6.1. Overview
    4.6.2. Admission Webhooks
      4.6.2.1. Types of Admission Webhooks
      4.6.2.2. Create the Admission Webhook
      4.6.2.3. Admission Webhook Example
  4.7. OTHER API OBJECTS
    4.7.1. LimitRange
