Demystifying Kubernetes: the tool to manage Google-scale workloads in the cloud
Rohit Khare stashed this in Hacking
When we provision containers, the same process repeats, except that instead of provisioning a new VM the container orchestration engine may decide to boot the container on one of the VMs that is already running. Depending on the capacity currently available, the orchestrator may also decide to launch a new VM and run the container there.

So container orchestration does to VMs what a fabric controller does to the physical hardware.

Kubernetes can launch containers on existing VMs or, with a cluster autoscaler, provision new VMs (nodes) and place containers on them. It goes beyond booting containers to monitoring and managing them. With Kubernetes, administrators create Pods, the smallest deployable unit: a logical group of one or more containers that belong to an application and share a network namespace. Pods are scheduled onto nodes, which can be VMs or bare-metal servers.
Containers do not contain

I hear and read about a lot of people assuming that Docker containers actually sandbox applications, meaning they can run random applications on their system as root with Docker. They believe Docker containers will actually protect their host system.
- Only run applications from a trusted source
- Run applications on an enterprise-quality host
- Install updates regularly
- Drop privileges as quickly as possible
- Run as non-root whenever possible
- Watch your logs
- setenforce 1 (keep SELinux in enforcing mode)
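The list above is Docker-era advice; in the Kubernetes model from the first excerpt the same decisions are declared per Pod in its securityContext. As an added example (not code from this page or from the Kubernetes project), the Python below audits a Pod manifest for the items on the list that a Pod spec can express: run as non-root, drop privileges (no privilege escalation, capabilities dropped, no host namespaces, not privileged) and kernel confinement (a seccomp profile, no unconfined SELinux label; enforcing mode itself is the host-level setenforce 1 and cannot be checked from the spec). It runs against a constructed weak spec and a constructed hardened one; the pod names, image and UID are assumptions.

```python
"""Audit a Kubernetes Pod spec for the hardening items on the list above.

Added example, not code from the page or from Kubernetes. Manifests are
handled as plain dicts (the JSON form of a Pod) so no YAML library is needed.
"""
from typing import Any, Dict, List

# Constructed sample manifests: names, image and UID are assumed values.
WEAK_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo-weak"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "app", "image": "example.com/app:1.0",
            "securityContext": {"privileged": True},
        }],
    },
}

HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo-hardened"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "app", "image": "example.com/app:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

# Capabilities that effectively hand a container the host when added back.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def _norm_cap(cap: str) -> str:
    """Pod specs write SYS_ADMIN, Docker writes CAP_SYS_ADMIN; compare one form."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _effective_sc(spec: Dict[str, Any], container: Dict[str, Any]) -> Dict[str, Any]:
    """Container-level securityContext fields override pod-level ones."""
    merged = dict(spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means the spec passes."""
    findings: List[str] = []
    spec = pod.get("spec") or {}
    name = (pod.get("metadata") or {}).get("name", "<unnamed>")

    # Host namespaces undo most of the isolation a container is assumed to give.
    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(ns):
            findings.append(f"{name}: spec.{ns} is true (shares the host {ns[4:]} namespace)")

    containers = list(spec.get("initContainers") or []) + list(spec.get("containers") or [])
    for c in containers:
        where = f"{name}/{c.get('name', '<unnamed>')}"
        sc = _effective_sc(spec, c)

        if sc.get("privileged"):
            findings.append(f"{where}: privileged is true (equivalent to root on the host)")

        # "Run as non-root": runAsNonRoot makes the kubelet refuse a UID-0 image;
        # a non-zero runAsUser pins the UID regardless of what the image says.
        uid = sc.get("runAsUser")
        if not sc.get("runAsNonRoot") and (uid is None or uid == 0):
            findings.append(f"{where}: runs as root (set runAsNonRoot: true or a non-zero runAsUser)")

        # "Drop privileges": no setuid escalation, no capabilities beyond what is needed.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{where}: allowPrivilegeEscalation is not false")
        caps = sc.get("capabilities") or {}
        dropped = {_norm_cap(x) for x in caps.get("drop") or []}
        added = {_norm_cap(x) for x in caps.get("add") or []}
        if "ALL" not in dropped:
            findings.append(f"{where}: capabilities.drop does not include ALL")
        for cap in sorted(added & DANGEROUS_CAPS):
            findings.append(f"{where}: capabilities.add grants {cap}")

        # Kernel confinement: seccomp is chosen per pod; SELinux enforcing mode is a
        # host setting (setenforce 1), the spec can only select or weaken the label.
        profile = (sc.get("seccompProfile") or {}).get("type")
        if profile not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{where}: no seccomp profile (seccompProfile.type should be RuntimeDefault or Localhost)")
        if (sc.get("seLinuxOptions") or {}).get("type") == "spc_t":
            findings.append(f"{where}: seLinuxOptions.type spc_t runs the container unconfined")

    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        problems = audit_pod(pod)
        verdict = "PASS" if not problems else f"{len(problems)} finding(s)"
        print(f"{pod['metadata']['name']}: {verdict}")
        for p in problems:
            print("  -", p)
```

The weak spec trips six findings (host PID namespace, privileged, root, privilege escalation, no capability drop, no seccomp profile) and the hardened one passes. The checks are the subset of the list a manifest can state; trusted images, host patching and log review still have to be enforced outside the spec, by an admission controller or image policy, the node's update process and a log pipeline respectively.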