
Kubernetes - An Enterprise Guide - Second Edition
Kubernetes has taken the world by storm, becoming the standard infrastructure for DevOps teams to develop, test, and run applications. With significant updates in each chapter, this revised edition will help you acquire the knowledge and tools required to integrate Kubernetes clusters in an enterprise environment.
The book introduces you to Docker and Kubernetes fundamentals, including a review of basic Kubernetes objects. You'll get to grips with containerization and understand its core functionalities such as creating ephemeral multinode clusters using KinD. The book has replaced PodSecurityPolicies (PSP) with OPA/Gatekeeper for PSP-like enforcement. You'll integrate your container into a cloud platform and tools including MetalLB, externalDNS, OpenID connect (OIDC), Open Policy Agent (OPA), Falco, and Velero. After learning to deploy your core cluster, you'll learn how to deploy Istio and how to deploy both monolithic applications and microservices into your service mesh. Finally, you will discover how to deploy an entire GitOps platform to Kubernetes using continuous integration and continuous delivery (CI/CD).
- Preface
- Who this book is for
- What this book covers
- To get the most out of this book
- Get in touch
- Docker and Container Essentials
- Technical requirements
- Understanding the need for containerization
- Understanding why Kubernetes is deprecating Docker
- Introducing Docker
- Understanding Docker
- Containers are ephemeral
- Docker images
- Image layers
- Persistent data
- Accessing services running in containers
- Installing Docker
- Preparing to install Docker
- Installing Docker on Ubuntu
- Granting Docker permissions
- Using the Docker CLI
- docker help
- docker run
- docker ps
- docker start and stop
- docker attach
- docker exec
- docker logs
- docker rm
- Summary
- Questions
- Deploying Kubernetes Using KinD
- Technical requirements
- Introducing Kubernetes components and objects
- Interacting with a cluster
- Using development clusters
- Why did we select KinD for this book?
- Working with a base KinD Kubernetes cluster
- Understanding the node image
- KinD and Docker networking
- Keeping track of the nesting dolls
- Installing KinD
- Installing KinD prerequisites
- Installing kubectl
- Installing the KinD binary
- Installing KinD prerequisites
- Creating a KinD cluster
- Creating a simple cluster
- Deleting a cluster
- Creating a cluster config file
- Multi-node cluster configuration
- Customizing the control plane and Kubelet options
- Creating a custom KinD cluster
- Installing Calico
- Installing an Ingress controller
- Reviewing your KinD cluster
- KinD storage objects
- Storage drivers
- KinD storage classes
- Using KinDs storage provisioner
- Adding a custom load balancer for Ingress
- Installation prerequisites
- Creating the KinD cluster configuration
- Deploying a custom HAProxy container
- Understanding HAProxy traffic flow
- Simulating a kubelet failure
- Summary
- Questions
- Kubernetes Bootcamp
- Technical requirements
- An overview of Kubernetes components
- Exploring the control plane
- The Kubernetes API server
- The Etcd database
- kube-scheduler
- kube-controller-manager
- cloud-controller-manager
- Understanding the worker node components
- kubelet
- kube-proxy
- Container runtime
- Interacting with the API server
- Using the Kubernetes kubectl utility
- Understanding the verbose option
- General kubectl commands
- Introducing Kubernetes resources
- Kubernetes manifests
- What are Kubernetes resources?
- Reviewing Kubernetes resources
- ConfigMaps
- Endpoints
- Events
- Namespaces
- Nodes
- Persistent Volume Claims
- PVs
- Pods
- Replication controllers
- ResourceQuotas
- Secrets
- Service accounts
- Services
- CustomResourceDefinitions
- DaemonSets
- Deployments
- ReplicaSets
- StatefulSets
- HorizontalPodAutoscalers
- CronJobs
- Jobs
- Ingress
- NetworkPolicies
- PodSecurityPolicies
- ClusterRoleBindings
- ClusterRoles
- RoleBindings
- Roles
- CSI drivers
- CSI nodes
- Storage classes
- Summary
- Questions
- Services, Load Balancing, ExternalDNS, and Global Balancing
- Technical requirements
- Exposing workloads to requests
- Understanding how services work
- Creating a service
- Using DNS to resolve services
- Understanding different service types
- The ClusterIP service
- The NodePort service
- The LoadBalancer service
- The ExternalName service
- Understanding how services work
- Introduction to load balancers
- Understanding the OSI model
- Layer 7 load balancers
- Name resolution and layer 7 load balancers
- Using nip.io for name resolution
- Creating Ingress rules
- Layer 4 load balancers
- Layer 4 load balancer options
- Using MetalLB as a layer 4 load balancer
- Installing MetalLB
- Understanding MetalLB's configuration file
- MetalLB components
- Creating a LoadBalancer service
- Adding multiple IP pools to MetalLB
- Using multiple protocols
- Multiple protocol issues
- Using multiple protocols with MetalLB
- Using shared-IPs
- Enhancing load balancers for the enterprise
- Making service names available externally
- Setting up external-dns
- Integrating external-dns and CoreDNS
- Adding an ETCD zone to CoreDNS
- Creating a LoadBalancer service with external-dns integration
- Integrating CoreDNS with an enterprise DNS
- Load balancing between multiple clusters
- Introducing the Kubernetes Global Balancer
- Requirements for K8GB
- Deploying K8GB to a cluster
- Understanding K8GB load balancing options
- Customizing the Helm chart values
- Using Helm to install K8GB
- Deploying a highly available application using K8GB
- Adding an application to K8GB using custom resources
- Adding an application to K8GB using Ingress annotations
- Understanding how K8GB provides global load balancing
- Keeping the K8GB CoreDNS servers in sync
- Summary
- Questions
- Integrating Authentication into Your Cluster
- Technical requirements
- Understanding how Kubernetes knows who you are
- External users
- Groups in Kubernetes
- Service accounts
- Understanding OpenID Connect
- The OpenID Connect protocol
- Following OIDC and the API's interaction
- id_token
- Other authentication options
- Certificates
- Service accounts
- TokenRequest API
- Custom authentication webhooks
- Keystone
- Configuring KinD for OpenID Connect
- Addressing the requirements
- Using LDAP and Active Directory with Kubernetes
- Mapping Active Directory groups to RBAC RoleBindings
- Kubernetes Dashboard access
- Kubernetes CLI access
- Enterprise compliance requirements
- Pulling it all together
- Deploying OpenUnison
- Configuring the Kubernetes API to use OIDC
- Verifying OIDC integration
- Using your tokens with kubectl
- Addressing the requirements
- Introducing impersonation to integrate authentication with cloud-managed clusters
- What is Impersonation?
- Security considerations
- Configuring your cluster for impersonation
- Testing Impersonation
- Configuring Impersonation without OpenUnison
- Impersonation RBAC policies
- Default groups
- Authenticating from pipelines
- Using tokens
- Using certificates
- Avoiding anti-patterns
- Summary
- Questions
- RBAC Policies and Auditing
- Technical requirements
- Introduction to RBAC
- What's a Role?
- Identifying a Role
- Roles versus ClusterRoles
- Negative Roles
- Aggregated ClusterRoles
- RoleBindings and ClusterRoleBindings
- Combining ClusterRoles and RoleBindings
- Mapping enterprise identities to Kubernetes to authorize access to resources
- Implementing namespace multi-tenancy
- Kubernetes auditing
- Creating an audit policy
- Enabling auditing on a cluster
- Using audit2rbac to debug policies
- Summary
- Questions
- Deploying a Secured Kubernetes Dashboard
- Technical requirements
- How does the dashboard know who you are?
- Dashboard architecture
- Authentication methods
- Understanding dashboard security risks
- Deploying an insecure dashboard
- Using a token to log in
- Deploying the dashboard with a reverse proxy
- Local dashboards
- Other cluster-level applications
- Integrating the dashboard with OpenUnison
- Summary
- Questions
- Extending Security Using Open Policy Agent
- Technical requirements
- Introduction to dynamic admission controllers
- What is OPA and how does it work?
- OPA architecture
- Rego, the OPA policy language
- Gatekeeper
- Deploying Gatekeeper
- Automated testing framework
- Using Rego to write policies
- Developing an OPA policy
- Testing an OPA policy
- Deploying policies to Gatekeeper
- Building dynamic policies
- Debugging Rego
- Using existing policies
- Enforcing memory constraints
- Enabling the Gatekeeper cache
- Mocking up test data
- Building and deploying our policy
- Mutating objects and default values
- Summary
- Questions
- Node Security with GateKeeper
- Technical requirements
- What is node security?
- Understanding the difference between containers and VMs
- Container breakouts
- Properly designing containers
- Enforcing node security with GateKeeper
- What about Pod security policies?
- What are the differences between PSPs and GateKeeper?
- Authorizing node security policies
- Deploying and debugging node security policies
- Generating security context defaults
- Enforcing cluster policies
- Debugging constraint violations
- Scaling policy deployment in multi-tenant clusters
- Summary
- Questions
- Auditing Using Falco, DevOps AI, and ECK
- Technical requirements
- Exploring auditing
- Introducing Falco
- Exploring Falco's configuration files
- The Helm Values file
- Customizing the Helm Values
- Falco rules config files
- Understanding rules
- Understanding conditions (fields and values)
- Using macros
- Understanding lists
- Creating and appending to custom rules
- Editing an existing rule
- Creating a new rule
- The Helm Values file
- Deploying Falco
- Introducing Falcosidekick
- Installing Falcosidekick
- Understanding Kubeless
- Installing Kubeless
- Deploying a function using Kubeless
- Introducing DevOPs AI
- Understand automatic responses to events
- Deploy the NGINX server and test connectivity
- Simulating an attack on the Pod
- Observing Falco events
- Using Falcosidekick-ui
- Deploying our logging system
- Creating a new namespace
- Deploying the ECK operator
- Deploying Elasticsearch, Filebeat, and Kibana
- Using the components ECK to view logs
- Creating a Kibana index
- Browsing for events
- Visualizations
- Creating a dashboard
- Creating a visualization for Falco event types
- Understand automatic responses to events
- Summary
- Questions
- Backing Up Workloads
- Technical requirements
- Understanding Kubernetes backups
- Performing an etcd backup
- Backing up the required certificates
- Backing up the etcd database
- Introducing and setting up VMware's Velero
- Velero requirements
- Installing the Velero CLI
- Installing Velero
- Backup storage location
- Deploying MinIO
- Exposing MinIO and the console
- Creating the S3 target configuration
- Using Velero to back up workloads
- Running a one-time cluster backup
- Scheduling a cluster backup
- Creating a custom backup
- Managing Velero using the CLI
- Using common Velero commands
- Listing Velero objects
- Retrieving details for a Velero object
- Creating and deleting objects
- Using common Velero commands
- Restoring from a backup
- Restoring in action
- Restoring a deployment from a backup
- Backing up the namespace
- Simulating a failure
- Restoring a namespace
- Using a backup to create workloads in a new cluster
- Backing up the cluster
- Building a new cluster
- Restoring a backup to the new cluster
- Installing Velero in the new cluster
- Restoring a backup in a new cluster
- Deleting the new cluster
- Restoring in action
- Summary
- Questions
- An Introduction to Istio
- Technical requirements
- Why should you care about a service mesh?
- Workload observability
- Traffic management
- Blue/Green Deployments
- Canary Deployments
- Finding issues before they happen
- Security
- Introduction to Istio concepts
- Understanding the Istio components
- Making the Control Plane Simple with Istiod
- Breaking down the istiod pod
- Understanding the istio-ingressgateway
- Understanding the istio-egressgateway
- Making the Control Plane Simple with Istiod
- Installing Istio
- Downloading Istio
- Installing Istio using a Profile
- Introducing Istio resources
- Authorization policies
- Example 1: Denying and allowing all access
- Example 2: Allowing only GET methods to a workload
- Example 3: Allowing requests from a specific source
- Gateways
- Virtual Services
- Destination rules
- Peer authentications
- Request authentication
- Service entries
- Sidecars
- Envoy filters
- Authorization policies
- Deploying add-on components to provide observability
- Installing Prometheus
- Installing Jaeger
- Installing Kiali
- Deploying an application into the service mesh
- Deploying your first application into the mesh
- Using Kiali to observe mesh workloads
- The Kiali overview screen
- Using the Graph view
- Using the Application view
- Using the Workloads view
- Using the Services view
- The Istio config view
- Summary
- Questions
- Building and Deploying Applications on Istio
- Technical requirements
- Comparing microservices and monoliths
- My history with microservices versus monolithic architecture
- Comparing architectures in an application
- Monolithic application design
- Microservices design
- Choosing between monoliths and microservices
- Using Istio to help manage microservices
- Deploying a monolith
- Exposing our monolith outside our cluster
- Configuring sticky sessions
- Integrating Kiali and OpenUnison
- Building a microservice
- Deploying Hello World
- Integrating authentication into our service
- Authorizing access to our service
- Telling your service who's using it
- Authorizing user entitlements
- Authorizing in service
- Using OPA with Istio
- Calling other services
- Using OAuth2 Token Exchange
- Passing tokens between services
- Using simple impersonation
- Do I need an API gateway?
- Summary
- Questions
- Provisioning a Platform
- Technical requirements
- Designing a pipeline
- Opinionated platforms
- Securing your pipeline
- Building our platform's requirements
- Choosing our technology stack
- Preparing our cluster
- Deploying cert-manager
- Deploying the Docker container registry
- Deploying OpenUnison and GateKeeper
- Deploying GitLab
- Creating example projects
- Deploying Tekton
- Building Hello World
- Building automatically
- Deploying ArgoCD
- Automating project onboarding using OpenUnison
- Designing a GitOps strategy
- Integrating GitLab
- Integrating the TektonCD dashboard
- Integrating ArgoCD
- Updating OpenUnison
- Deploying an application
- Creating the application in Kubernetes
- Getting access to developers
- Deploying dev manifests
- Deploying a Tekton pipeline
- Running our pipeline
- Promoting to production
- Summary
- Questions
- Other Books You May Enjoy
- Index
- Tytuły: Kubernetes - An Enterprise Guide - Second Edition
- Autor: Marc Boorshtein, Scott Surovich
- Tytuł oryginału: Kubernetes - An Enterprise Guide - Second Edition
- ISBN Ebooka: 9781803236094, 9781803236094
- Data wydania: 2021-12-22
- Identyfikator pozycji: e_2t2x
- Kategorie: