용어집

이 용어집은 쿠버네티스 용어의 종합적이고 표준화된 리스트를 제공한다. 용어집은 K8s 고유의 기술 용어 뿐만 아니라, 맥락을 이해하는데 유용한 더 일반적인 용어도 포함한다.

다음 [+] 표시를 클릭하면 각 용어에 대한 더 자세한 설명을 볼 수 있다.

• API 그룹(API Group)

  쿠버네티스 API의 연관된 경로들의 집합.

  [+]

  API 서버의 구성을 변경하여 각 API 그룹을 활성화하거나 비활성화할 수 있다. 특정 리소스에 대한 경로를 비활성화하거나 활성화할 수도 있다. API 그룹을 사용하면 쿠버네티스 API를 더 쉽게 확장할 수 있다. API 그룹은 REST 경로 및 직렬화된 오브젝트의 apiVersion 필드에 지정된다.

  • 자세한 내용은 [API 그룹(/ko/docs/concepts/overview/kubernetes-api/#api-그룹과-버전-규칙)을 참조한다.
• API 서버
  별칭: kube-apiserver
  

  API 서버는 쿠버네티스 API를 노출하는 쿠버네티스 컨트롤 플레인 컴포넌트이다. API 서버는 쿠버네티스 컨트롤 플레인의 프론트 엔드이다.

  [+]

  쿠버네티스 API 서버의 주요 구현은 kube-apiserver 이다. kube-apiserver는 수평으로 확장되도록 디자인되었다. 즉, 더 많은 인스턴스를 배포해서 확장할 수 있다. 여러 kube-apiserver 인스턴스를 실행하고, 인스턴스간의 트래픽을 균형있게 조절할 수 있다.

• API를 이용한 축출(Eviction)

  API를 이용한 축출은 축출 API를 사용하여 생성된 Eviction 오브젝트로 파드를 정상 종료한다.

  [+]

  kubectl drain 명령과 같은 kube-apiserver의 클라이언트를 사용하여 축출 API를 직접 호출해 축출 요청을 할 수 있다. Eviction 오브젝트가 생성되면, API 서버가 파드를 종료한다.

  API를 이용한 축출은 사용자가 설정한 PodDisruptionBudgets 및 terminationGracePeriodSeconds 값을 준수한다.

  API를 이용한 축출은 노드-압박 축출과 동일하지 않다.

  • 더 많은 정보는 API를 이용한 축출을 참고한다.
• Application Architect

  A person responsible for the high-level design of an application.

  [+]

  An architect ensures that an app's implementation allows it to interact with its surrounding components in a scalable, maintainable way. Surrounding components include databases, logging infrastructure, and other microservices.

• Application Developer

  A person who writes an application that runs in a Kubernetes cluster.

  [+]

  An application developer focuses on one part of an application. The scale of their focus may vary significantly in size.

• cAdvisor

  cAdvisor (Container Advisor) provides container users an understanding of the resource usage and performance characteristics of their running containers.

  [+]

  It is a running daemon that collects, aggregates, processes, and exports information about running containers. Specifically, for each container it keeps resource isolation parameters, historical resource usage, histograms of complete historical resource usage and network statistics. This data is exported by container and machine-wide.

• cgroup

  선택적으로 리소스를 격리, 관리, 제한하는 리눅스 프로세스의 그룹.

  [+]

  cgroup은 프로세스 집합에 대해서 리소스 사용(CPU, 메모리, 디스크 I/O, 네트워크)을 격리하고, 관리하며, 제한하는 리눅스 커널 기능이다.

• CIDR

  CIDR (Classless Inter-Domain Routing)은 IP 주소 블록을 설명하는 표기법으로 다양한 네트워킹 구성에서 많이 사용한다.

  [+]

  쿠버네티스에서는 CIDR을 사용하여 시작 주소와 서브넷 마스크로 각 노드에 IP 주소 범위를 할당한다. 이를 통해 노드는 각 파드에 고유한 IP 주소를 할당할 수 있다. 원래 IPv4를 위한 개념이었지만 CIDR은 IPv6도 포함하도록 확장됐다.

• CLA (컨트리뷰터 사용권 계약|Contributor License Agreement)

  컨트리뷰터가 기여한 것에 대한 사용권을 오픈 소스 프로젝트에 허락하는 계약 조건.

  [+]

  CLA는 기부된 자료 및 지적 재산권(IP)과 관련된 법적 분쟁을 해결하는 데 도움이 됩니다.

• Cluster Architect

  A person who designs infrastructure that involves one or more Kubernetes clusters.

  [+]

  Cluster architects are concerned with best practices for distributed systems, for example: high availability and security.

• containerd

  A container runtime with an emphasis on simplicity, robustness and portability

  [+]

  containerd is a container runtime that runs as a daemon on Linux or Windows. containerd takes care of fetching and storing container images, executing containers, providing network access, and more.

• CRI-O

  A tool that lets you use OCI container runtimes with Kubernetes CRI.

  [+]

  CRI-O is an implementation of the Container Runtime Interface (CRI) to enable using container runtimes that are compatible with the Open Container Initiative (OCI) runtime spec.

  Deploying CRI-O allows Kubernetes to use any OCI-compliant runtime as the container runtime for running Pods, and to fetch OCI container images from remote registries.

• Downstream (disambiguation)

  May refer to: code in the Kubernetes ecosystem that depends upon the core Kubernetes codebase or a forked repo.

  [+]

  • In the Kubernetes Community: Conversations often use downstream to mean the ecosystem, code, or third-party tools that rely on the core Kubernetes codebase. For example, a new feature in Kubernetes may be adopted by applications downstream to improve their functionality.
  • In GitHub or git: The convention is to refer to a forked repo as downstream, whereas the source repo is considered upstream.
• Downward API

  Kubernetes' mechanism to expose Pod and container field values to code running in a container.

  [+]

  It is sometimes useful for a container to have information about itself, without needing to make changes to the container code that directly couple it to Kubernetes.

  The Kubernetes downward API allows containers to consume information about themselves or their context in a Kubernetes cluster. Applications in containers can have access to that information, without the application needing to act as a client of the Kubernetes API.

  There are two ways to expose Pod and container fields to a running container:

  • using environment variables
  • using a downwardAPI volume

  Together, these two ways of exposing Pod and container fields are called the downward API.

• Duration

  A string value representing an amount of time.

  [+]

  The format of a (Kubernetes) duration is based on the time.Duration type from the Go programming language.

  In Kubernetes APIs that use durations, the value is expressed as series of a non-negative integers combined with a time unit suffix. You can have more than one time quantity and the duration is the sum of those time quantities. The valid time units are "ns", "µs" (or "us"), "ms", "s", "m", and "h".

  For example: 5s represents a duration of five seconds, and 1m30s represents a duration of one minute and thirty seconds.

• EndpointSlice

  A way to group network endpoints together with Kubernetes resources.

  [+]

  A scalable and extensible way to group network endpoints together. These can be used by kube-proxy to establish network routes on each node.

• etcd

  모든 클러스터 데이터를 담는 쿠버네티스 뒷단의 저장소로 사용되는 일관성·고가용성 키-값 저장소.

  [+]

  쿠버네티스 클러스터에서 etcd를 뒷단의 저장소로 사용한다면, 이 데이터를 백업하는 계획은 필수이다.

  etcd에 대한 자세한 정보는, 공식 문서를 참고한다.

• Feature gate

  Feature gates are a set of keys (opaque string values) that you can use to control which Kubernetes features are enabled in your cluster.

  [+]

  You can turn these features on or off using the --feature-gates command line flag on each Kubernetes component. Each Kubernetes component lets you enable or disable a set of feature gates that are relevant to that component. The Kubernetes documentation lists all current feature gates and what they control.

• FlexVolume

  FlexVolume is a deprecated interface for creating out-of-tree volume plugins. The Container Storage Interface is a newer interface that addresses several problems with FlexVolume.

  [+]

  FlexVolumes enable users to write their own drivers and add support for their volumes in Kubernetes. FlexVolume driver binaries and dependencies must be installed on host machines. This requires root access. The Storage SIG suggests implementing a CSI driver if possible since it addresses the limitations with FlexVolumes.

  • FlexVolume in the Kubernetes documentation
  • More information on FlexVolumes
  • Volume Plugin FAQ for Storage Vendors
• Gateway API

  A family of API kinds for modeling service networking in Kubernetes.

  [+]

  Gateway API provides a family of extensible, role-oriented, protocol-aware API kinds for modeling service networking in Kubernetes.

• Group Version Resource
  별칭: GVR
  

  Means of representing unique Kubernetes API resource.

  [+]

  Group Version Resources (GVRs) specify the API group, API version, and resource (name for the object kind as it appears in the URI) associated with accessing a particular id of object in Kubernetes. GVRs let you define and distinguish different Kubernetes objects, and to specify a way of accessing objects that is stable even as APIs change.

• Horizontal Pod Autoscaler
  별칭: HPA
  

  CPU 사용률 또는 사용자 정의 메트릭을 기반으로 파드의 레플리카 수를 자동으로 조절하는 API 리소스이다.

  [+]

  HPA는 일반적으로 레플리케이션 컨트롤러, 디플로이먼트, 레플리카셋과 함께 사용된다. 조절할 수 없는 개체(예: 데몬셋)에는 적용할 수 없다.

• Immutable Infrastructure

  Immutable Infrastructure refers to computer infrastructure (virtual machines, containers, network appliances) that cannot be changed once deployed.

  [+]

  Immutability can be enforced by an automated process that overwrites unauthorized changes or through a system that won’t allow changes in the first place. Containers are a good example of immutable infrastructure because persistent changes to containers can only be made by creating a new version of the container or recreating the existing container from its image.

  By preventing or identifying unauthorized changes, immutable infrastructures make it easier to identify and mitigate security risks. Operating such a system becomes a lot more straightforward because administrators can make assumptions about it. After all, they know no one made mistakes or changes they forgot to communicate. Immutable infrastructure goes hand-in-hand with infrastructure as code where all automation needed to create infrastructure is stored in version control (such as Git). This combination of immutability and version control means that there is a durable audit log of every authorized change to a system.

• Istio

  마이크로서비스의 통합을 위한 통일된 방법을 제공하는 오픈 플랫폼(쿠버네티스에 특정적이지 않음)이며, 트래픽 흐름을 관리하고, 정책을 시행하고, 텔레메트리 데이터를 모은다.

  [+]

  Istio를 추가하는 것은 애플리케이션 코드 변경을 요구하지 않는다. 그것은 서비스와 네트워크 사이의 인프라스트럭처 레이어이다. 이는 서비스 디플로이먼트와 조합되었을 때, 일반적으로 서비스 메시라고 일컫는다. Istio의 컨트롤 플레인은 쿠버네티스, Mesosphere 등과 같은 하부의 클러스터 관리 플랫폼을 추상화한다.

• JSON Web Token (JWT)

  A means of representing claims to be transferred between two parties.

  [+]

  JWTs can be digitally signed and encrypted. Kubernetes uses JWTs as authentication tokens to verify the identity of entities that want to perform actions in a cluster.

• kOps (Kubernetes Operations)

  kOps will not only help you create, destroy, upgrade and maintain production-grade, highly available, Kubernetes cluster, but it will also provision the necessary cloud infrastructure.

  [+]

  Note:

  AWS (Amazon Web Services) is currently officially supported, with DigitalOcean, GCE and OpenStack in beta support, and Azure in alpha.

  kOps is an automated provisioning system:

  • Fully automated installation
  • Uses DNS to identify clusters
  • Self-healing: everything runs in Auto-Scaling Groups
  • Multiple OS support (Amazon Linux, Debian, Flatcar, RHEL, Rocky and Ubuntu)
  • High-Availability support
  • Can directly provision, or generate terraform manifests
• kube-controller-manager

  컨트롤러 프로세스를 실행하는 컨트롤 플레인 컴포넌트.

  [+]

  논리적으로, 각 컨트롤러는 분리된 프로세스이지만, 복잡성을 낮추기 위해 모두 단일 바이너리로 컴파일되고 단일 프로세스 내에서 실행된다.

• kube-proxy

  kube-proxy는 클러스터의 각 노드에서 실행되는 네트워크 프록시로, 쿠버네티스의 서비스 개념의 구현부이다.

  [+]

  kube-proxy는 노드의 네트워크 규칙을 유지 관리한다. 이 네트워크 규칙이 내부 네트워크 세션이나 클러스터 바깥에서 파드로 네트워크 통신을 할 수 있도록 해준다.

  kube-proxy는 운영 체제에 가용한 패킷 필터링 계층이 있는 경우, 이를 사용한다. 그렇지 않으면, kube-proxy는 트래픽 자체를 포워드(forward)한다.

• kube-scheduler

  노드가 배정되지 않은 새로 생성된 파드 를 감지하고, 실행할 노드를 선택하는 컨트롤 플레인 컴포넌트.

  [+]

  스케줄링 결정을 위해서 고려되는 요소는 리소스에 대한 개별 및 총체적 요구 사항, 하드웨어/소프트웨어/정책적 제약, 어피니티(affinity) 및 안티-어피니티(anti-affinity) 명세, 데이터 지역성, 워크로드-간 간섭, 데드라인을 포함한다.

• kubeadm

  쿠버네티스를 빠르게 설치하고 안전한(secure) 클러스터를 설정하는 도구

  [+]

  kubeadm을 사용하여 컨트롤 플레인과 워커 노드 구성 요소를 설치할 수 있다.

• Kubectl
  별칭: kubectl
  

  쿠버네티스 API를 사용하여 쿠버네티스 클러스터의 컨트롤 플레인과 통신하기 위한 커맨드라인 툴

  [+]

  사용자는 쿠버네티스 오브젝트를 생성, 점검, 업데이트, 삭제하기 위해서 kubectl을 사용할 수 있다.

• Kubelet

  클러스터의 각 노드에서 실행되는 에이전트. Kubelet은 파드에서 컨테이너가 확실하게 동작하도록 관리한다.

  [+]

  Kubelet은 다양한 메커니즘을 통해 제공된 파드 스펙(PodSpec)의 집합을 받아서 컨테이너가 해당 파드 스펙에 따라 건강하게 동작하는 것을 확실히 한다. Kubelet은 쿠버네티스를 통해 생성되지 않는 컨테이너는 관리하지 않는다.

• Master

  Legacy term, used as synonym for nodes hosting the control plane.

  [+]

  The term is still being used by some provisioning tools, such as kubeadm, and managed services, to label nodes with kubernetes.io/role and control placement of control plane pods.

• Minikube

  로컬에서 쿠버네티스를 실행하기 위한 도구.

  [+]

  Minikube는 VM이나 사용자 컴퓨터에서 단일 노드 클러스터를 실행한다. Minikube를 사용하여 학습 환경에서 쿠버네티스 시도하기를 할 수 있다.

• Mixed Version Proxy (MVP)
  별칭: MVP
  

  Feature to let a kube-apiserver proxy a resource request to a different peer API server.

  [+]

  When a cluster has multiple API servers running different versions of Kubernetes, this feature enables resource requests to be served by the correct API server.

  MVP is disabled by default and can be activated by enabling the feature gate named UnknownVersionInteroperabilityProxy when the API Server is started.

• Operator pattern

  The operator pattern is a system design that links a Controller to one or more custom resources.

  [+]

  You can extend Kubernetes by adding controllers to your cluster, beyond the built-in controllers that come as part of Kubernetes itself.

  If a running application acts as a controller and has API access to carry out tasks against a custom resource that's defined in the control plane, that's an example of the Operator pattern.

• Platform Developer

  A person who customizes the Kubernetes platform to fit the needs of their project.

  [+]

  A platform developer may, for example, use Custom Resources or Extend the Kubernetes API with the aggregation layer to add functionality to their instance of Kubernetes, specifically for their application. Some Platform Developers are also contributors and develop extensions which are contributed to the Kubernetes community. Others develop closed-source commercial or site-specific extensions.

• Pod Disruption Budget
  별칭: PDB
  

  A Pod Disruption Budget allows an application owner to create an object for a replicated application, that ensures a certain number or percentage of Pods with an assigned label will not be voluntarily evicted at any point in time.

  [+]

  Involuntary disruptions cannot be prevented by PDBs; however they do count against the budget.

• PodTemplate
  별칭: pod template
  

  An API object that defines a template for creating Pods. The PodTemplate API is also embedded in API definitions for workload management, such as Deployment or StatefulSets.

  [+]

  Pod templates allow you to define common metadata (such as labels, or a template for the name of a new Pod) as well as to specify a pod's desired state. Workload management controllers use Pod templates (embedded into another object, such as a Deployment or StatefulSet) to define and manage one or more Pods. When there can be multiple Pods based on the same template, these are called replicas. Although you can create a PodTemplate object directly, you rarely need to do so.

• PriorityClass

  A PriorityClass is a named class for the scheduling priority that should be assigned to a Pod in that class.

  [+]

  A PriorityClass is a non-namespaced object mapping a name to an integer priority, used for a Pod. The name is specified in the metadata.name field, and the priority value in the value field. Priorities range from -2147483648 to 1000000000 inclusive. Higher values indicate higher priority.

• Probe

  A check that the kubelet periodically performs against a container that is running in a pod, that will define container's state and health and informing container's lifecycle.

  [+]

  To learn more, read container probes.

• QoS 클래스(QoS Class)

  QoS 클래스(서비스 품질 클래스)는 쿠버네티스가 클러스터 안의 파드들을 여러 클래스로 구분하고, 스케줄링과 축출(eviction)에 대한 결정을 내리는 방법을 제공한다.

  [+]

  파드의 QoS 클래스는 생성 시점의 컴퓨팅 리소스 요청량과 제한 값에 기반해서 설정된다. QoS 클래스는 파드의 스케줄링과 축출을 위한 결정을 내릴 때 사용된다. 쿠버네티스는 파드에 Guaranteed, Burstable 또는 BestEffort 중 하나를 QoS 클래스로 할당할 수 있다.

• RBAC(역할 기반 엑세스 제어)

  인가 결정을 관리하며, 운영자가 쿠버네티스 API를 통해서 동적으로 엑세스 정책을 설정하게 해준다.

  [+]

  RBAC은 퍼미션(permission) 규칙을 포함하는 역할 과 역할에 정의된 퍼미션을 사용자 집합에 부여하는 역할 바인딩 을 이용한다.

• Replica

  A copy or duplicate of a Pod or a set of pods. Replicas ensure high availability, scalability, and fault tolerance by maintaining multiple identical instances of a pod.

  [+]

  Replicas are commonly used in Kubernetes to achieve the desired application state and reliability. They enable workload scaling and distribution across multiple nodes in a cluster.

  By defining the number of replicas in a Deployment or ReplicaSet, Kubernetes ensures that the specified number of instances are running, automatically adjusting the count as needed.

  Replica management allows for efficient load balancing, rolling updates, and self-healing capabilities in a Kubernetes cluster.

• Security Context

  The securityContext field defines privilege and access control settings for a Pod or container.

  [+]

  In a securityContext, you can define: the user that processes run as, the group that processes run as, and privilege settings. You can also configure security policies (for example: SELinux, AppArmor or seccomp).

  The PodSpec.securityContext setting applies to all containers in a Pod.

• Shuffle-sharding

  A technique for assigning requests to queues that provides better isolation than hashing modulo the number of queues.

  [+]

  We are often concerned with insulating different flows of requests from each other, so that a high-intensity flow does not crowd out low-intensity flows. A simple way to put requests into queues is to hash some characteristics of the request, modulo the number of queues, to get the index of the queue to use. The hash function uses as input characteristics of the request that align with flows. For example, in the Internet this is often the 5-tuple of source and destination address, protocol, and source and destination port.

  That simple hash-based scheme has the property that any high-intensity flow will crowd out all the low-intensity flows that hash to the same queue. Providing good insulation for a large number of flows requires a large number of queues, which is problematic. Shuffle-sharding is a more nimble technique that can do a better job of insulating the low-intensity flows from the high-intensity flows. The terminology of shuffle-sharding uses the metaphor of dealing a hand from a deck of cards; each queue is a metaphorical card. The shuffle-sharding technique starts with hashing the flow-identifying characteristics of the request, to produce a hash value with dozens or more of bits. Then the hash value is used as a source of entropy to shuffle the deck and deal a hand of cards (queues). All the dealt queues are examined, and the request is put into one of the examined queues with the shortest length. With a modest hand size, it does not cost much to examine all the dealt cards and a given low-intensity flow has a good chance to dodge the effects of a given high-intensity flow. With a large hand size it is expensive to examine the dealt queues and more difficult for the low-intensity flows to dodge the collective effects of a set of high-intensity flows. Thus, the hand size should be chosen judiciously.

• Sidecar Container

  One or more containers that are typically started before any app containers run.

  [+]

  Sidecar containers are like regular app containers, but with a different purpose: the sidecar provides a Pod-local service to the main app container. Unlike init containers, sidecar containers continue running after Pod startup.

  Read Sidecar containers for more information.

• SIG(special interest group)

  대규모 쿠버네티스 오픈소스 프로젝트에서 진행되는 내용을 공동으로 관리하는 커뮤니티 멤버들이다.

  [+]

  SIG 멤버들은 아키텍처, API, 또는 문서화 같이 특정 영역을 발전시키는 데 공통적으로 관심을 갖고 있다. 기본적으로 SIG