Log In
Or create an account ->
Imperial Library
Home
About
News
Upload
Forum
Help
Login/SignUp
Index
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
Docker and Container Essentials
Technical requirements
Understanding the need for containerization
Understanding why Kubernetes is deprecating Docker
Introducing Docker
Understanding Docker
Containers are ephemeral
Docker images
Image layers
Persistent data
Accessing services running in containers
Installing Docker
Preparing to install Docker
Installing Docker on Ubuntu
Granting Docker permissions
Using the Docker CLI
docker help
docker run
docker ps
docker start and stop
docker attach
docker exec
docker logs
docker rm
Summary
Questions
Deploying Kubernetes Using KinD
Technical requirements
Introducing Kubernetes components and objects
Interacting with a cluster
Using development clusters
Why did we select KinD for this book?
Working with a base KinD Kubernetes cluster
Understanding the node image
KinD and Docker networking
Keeping track of the nesting dolls
Installing KinD
Installing KinD – prerequisites
Installing kubectl
Installing the KinD binary
Creating a KinD cluster
Creating a simple cluster
Deleting a cluster
Creating a cluster config file
Multi-node cluster configuration
Customizing the control plane and Kubelet options
Creating a custom KinD cluster
Installing Calico
Installing an Ingress controller
Reviewing your KinD cluster
KinD storage objects
Storage drivers
KinD storage classes
Using KinD's storage provisioner
Adding a custom load balancer for Ingress
Installation prerequisites
Creating the KinD cluster configuration
Deploying a custom HAProxy container
Understanding HAProxy traffic flow
Simulating a kubelet failure
Summary
Questions
Kubernetes Bootcamp
Technical requirements
An overview of Kubernetes components
Exploring the control plane
The Kubernetes API server
The Etcd database
kube-scheduler
kube-controller-manager
cloud-controller-manager
Understanding the worker node components
kubelet
kube-proxy
Container runtime
Interacting with the API server
Using the Kubernetes kubectl utility
Understanding the verbose option
General kubectl commands
Introducing Kubernetes resources
Kubernetes manifests
What are Kubernetes resources?
Reviewing Kubernetes resources
ConfigMaps
Endpoints
Events
Namespaces
Nodes
Persistent Volume Claims
PVs
Pods
Replication controllers
ResourceQuotas
Secrets
Service accounts
Services
CustomResourceDefinitions
DaemonSets
Deployments
ReplicaSets
StatefulSets
HorizontalPodAutoscalers
CronJobs
Jobs
Ingress
NetworkPolicies
PodSecurityPolicies
ClusterRoleBindings
ClusterRoles
RoleBindings
Roles
CSI drivers
CSI nodes
Storage classes
Summary
Questions
Services, Load Balancing, ExternalDNS, and Global Balancing
Technical requirements
Exposing workloads to requests
Understanding how services work
Creating a service
Using DNS to resolve services
Understanding different service types
The ClusterIP service
The NodePort service
The LoadBalancer service
The ExternalName service
Introduction to load balancers
Understanding the OSI model
Layer 7 load balancers
Name resolution and layer 7 load balancers
Using nip.io for name resolution
Creating Ingress rules
Layer 4 load balancers
Layer 4 load balancer options
Using MetalLB as a layer 4 load balancer
Installing MetalLB
Understanding MetalLB's configuration file
MetalLB components
Creating a LoadBalancer service
Adding multiple IP pools to MetalLB
Using multiple protocols
Multiple protocol issues
Using multiple protocols with MetalLB
Using shared-IPs
Enhancing load balancers for the enterprise
Making service names available externally
Setting up external-dns
Integrating external-dns and CoreDNS
Adding an ETCD zone to CoreDNS
Creating a LoadBalancer service with external-dns integration
Integrating CoreDNS with an enterprise DNS
Load balancing between multiple clusters
Introducing the Kubernetes Global Balancer
Requirements for K8GB
Deploying K8GB to a cluster
Understanding K8GB load balancing options
Customizing the Helm chart values
Using Helm to install K8GB
Deploying a highly available application using K8GB
Adding an application to K8GB using custom resources
Adding an application to K8GB using Ingress annotations
Understanding how K8GB provides global load balancing
Keeping the K8GB CoreDNS servers in sync
Summary
Questions
Integrating Authentication into Your Cluster
Technical requirements
Understanding how Kubernetes knows who you are
External users
Groups in Kubernetes
Service accounts
Understanding OpenID Connect
The OpenID Connect protocol
Following OIDC and the API's interaction
id_token
Other authentication options
Certificates
Service accounts
TokenRequest API
Custom authentication webhooks
Keystone
Configuring KinD for OpenID Connect
Addressing the requirements
Using LDAP and Active Directory with Kubernetes
Mapping Active Directory groups to RBAC RoleBindings
Kubernetes Dashboard access
Kubernetes CLI access
Enterprise compliance requirements
Pulling it all together
Deploying OpenUnison
Configuring the Kubernetes API to use OIDC
Verifying OIDC integration
Using your tokens with kubectl
Introducing impersonation to integrate authentication with cloud-managed clusters
What is Impersonation?
Security considerations
Configuring your cluster for impersonation
Testing Impersonation
Configuring Impersonation without OpenUnison
Impersonation RBAC policies
Default groups
Authenticating from pipelines
Using tokens
Using certificates
Avoiding anti-patterns
Summary
Questions
RBAC Policies and Auditing
Technical requirements
Introduction to RBAC
What's a Role?
Identifying a Role
Roles versus ClusterRoles
Negative Roles
Aggregated ClusterRoles
RoleBindings and ClusterRoleBindings
Combining ClusterRoles and RoleBindings
Mapping enterprise identities to Kubernetes to authorize access to resources
Implementing namespace multi-tenancy
Kubernetes auditing
Creating an audit policy
Enabling auditing on a cluster
Using audit2rbac to debug policies
Summary
Questions
Deploying a Secured Kubernetes Dashboard
Technical requirements
How does the dashboard know who you are?
Dashboard architecture
Authentication methods
Understanding dashboard security risks
Deploying an insecure dashboard
Using a token to log in
Deploying the dashboard with a reverse proxy
Local dashboards
Other cluster-level applications
Integrating the dashboard with OpenUnison
Summary
Questions
Extending Security Using Open Policy Agent
Technical requirements
Introduction to dynamic admission controllers
What is OPA and how does it work?
OPA architecture
Rego, the OPA policy language
Gatekeeper
Deploying Gatekeeper
Automated testing framework
Using Rego to write policies
Developing an OPA policy
Testing an OPA policy
Deploying policies to Gatekeeper
Building dynamic policies
Debugging Rego
Using existing policies
Enforcing memory constraints
Enabling the Gatekeeper cache
Mocking up test data
Building and deploying our policy
Mutating objects and default values
Summary
Questions
Node Security with GateKeeper
Technical requirements
What is node security?
Understanding the difference between containers and VMs
Container breakouts
Properly designing containers
Enforcing node security with GateKeeper
What about Pod security policies?
What are the differences between PSPs and GateKeeper?
Authorizing node security policies
Deploying and debugging node security policies
Generating security context defaults
Enforcing cluster policies
Debugging constraint violations
Scaling policy deployment in multi-tenant clusters
Summary
Questions
Auditing Using Falco, DevOps AI, and ECK
Technical requirements
Exploring auditing
Introducing Falco
Exploring Falco's configuration files
The Helm Values file
Customizing the Helm Values
Falco rules config files
Understanding rules
Understanding conditions (fields and values)
Using macros
Understanding lists
Creating and appending to custom rules
Editing an existing rule
Creating a new rule
Deploying Falco
Introducing Falcosidekick
Installing Falcosidekick
Understanding Kubeless
Installing Kubeless
Deploying a function using Kubeless
Introducing DevOPs AI
Understand automatic responses to events
Deploy the NGINX server and test connectivity
Simulating an attack on the Pod
Observing Falco events
Using Falcosidekick-ui
Deploying our logging system
Creating a new namespace
Deploying the ECK operator
Deploying Elasticsearch, Filebeat, and Kibana
Using the components ECK to view logs
Creating a Kibana index
Browsing for events
Visualizations
Creating a dashboard
Creating a visualization for Falco event types
Summary
Questions
Backing Up Workloads
Technical requirements
Understanding Kubernetes backups
Performing an etcd backup
Backing up the required certificates
Backing up the etcd database
Introducing and setting up VMware's Velero
Velero requirements
Installing the Velero CLI
Installing Velero
Backup storage location
Deploying MinIO
Exposing MinIO and the console
Creating the S3 target configuration
Using Velero to back up workloads
Running a one-time cluster backup
Scheduling a cluster backup
Creating a custom backup
Managing Velero using the CLI
Using common Velero commands
Listing Velero objects
Retrieving details for a Velero object
Creating and deleting objects
Restoring from a backup
Restoring in action
Restoring a deployment from a backup
Backing up the namespace
Simulating a failure
Restoring a namespace
Using a backup to create workloads in a new cluster
Backing up the cluster
Building a new cluster
Restoring a backup to the new cluster
Installing Velero in the new cluster
Restoring a backup in a new cluster
Deleting the new cluster
Summary
Questions
An Introduction to Istio
Technical requirements
Why should you care about a service mesh?
Workload observability
Traffic management
Blue/Green Deployments
Canary Deployments
Finding issues before they happen
Security
Introduction to Istio concepts
Understanding the Istio components
Making the Control Plane Simple with Istiod
Breaking down the istiod pod
Understanding the istio-ingressgateway
Understanding the istio-egressgateway
Installing Istio
Downloading Istio
Installing Istio using a Profile
Introducing Istio resources
Authorization policies
Example 1: Denying and allowing all access
Example 2: Allowing only GET methods to a workload
Example 3: Allowing requests from a specific source
Gateways
Virtual Services
Destination rules
Peer authentications
Request authentication
Service entries
Sidecars
Envoy filters
Deploying add-on components to provide observability
Installing Prometheus
Installing Jaeger
Installing Kiali
Deploying an application into the service mesh
Deploying your first application into the mesh
Using Kiali to observe mesh workloads
The Kiali overview screen
Using the Graph view
Using the Application view
Using the Workloads view
Using the Services view
The Istio config view
Summary
Questions
Building and Deploying Applications on Istio
Technical requirements
Comparing microservices and monoliths
My history with microservices versus monolithic architecture
Comparing architectures in an application
Monolithic application design
Microservices design
Choosing between monoliths and microservices
Using Istio to help manage microservices
Deploying a monolith
Exposing our monolith outside our cluster
Configuring sticky sessions
Integrating Kiali and OpenUnison
Building a microservice
Deploying Hello World
Integrating authentication into our service
Authorizing access to our service
Telling your service who's using it
Authorizing user entitlements
Authorizing in service
Using OPA with Istio
Calling other services
Using OAuth2 Token Exchange
Passing tokens between services
Using simple impersonation
Do I need an API gateway?
Summary
Questions
Provisioning a Platform
Technical requirements
Designing a pipeline
Opinionated platforms
Securing your pipeline
Building our platform's requirements
Choosing our technology stack
Preparing our cluster
Deploying cert-manager
Deploying the Docker container registry
Deploying OpenUnison and GateKeeper
Deploying GitLab
Creating example projects
Deploying Tekton
Building Hello World
Building automatically
Deploying ArgoCD
Automating project onboarding using OpenUnison
Designing a GitOps strategy
Integrating GitLab
Integrating the TektonCD dashboard
Integrating ArgoCD
Updating OpenUnison
Deploying an application
Creating the application in Kubernetes
Getting access to developers
Deploying dev manifests
Deploying a Tekton pipeline
Running our pipeline
Promoting to production
Summary
Questions
Other Books You May Enjoy
Index
← Prev
Back
Next →
← Prev
Back
Next →