Kubernetes – An Enterprise Guide - Second Edition

Book description

Master the core Kubernetes concepts that matter to enterprises from a security, policy, and management point of view. Learn to deploy a service mesh using Istio, build a CI/CD platform, and provide enterprise security for your clusters.

Key Features

  • Extensively revised edition to cover the latest updates and new releases along with two new chapters to introduce Istio
  • Get a firm command of Kubernetes from a dual perspective of an admin as well as a developer
  • Understand advanced topics including load balancing, externalDNS, global load balancing, authentication integration, policy, security, auditing, backup, Istio and CI/CD

Book Description

Kubernetes has taken the world by storm, becoming the standard infrastructure for DevOps teams to develop, test, and run applications. With significant updates in each chapter, this revised edition will help you acquire the knowledge and tools required to integrate Kubernetes clusters in an enterprise environment.

The book introduces you to Docker and Kubernetes fundamentals, including a review of basic Kubernetes objects. You'll get to grips with containerization and understand its core functionalities, such as creating ephemeral multinode clusters using KinD. This edition replaces PodSecurityPolicies (PSP) with OPA/Gatekeeper for PSP-like enforcement. You'll integrate your container into a cloud platform and tools including MetalLB, externalDNS, OpenID Connect (OIDC), Open Policy Agent (OPA), Falco, and Velero. After learning to deploy your core cluster, you'll learn how to deploy Istio and how to deploy both monolithic applications and microservices into your service mesh. Finally, you will discover how to deploy an entire GitOps platform to Kubernetes using continuous integration and continuous delivery (CI/CD).

What you will learn

  • Create a multinode Kubernetes cluster using KinD
  • Implement Ingress, MetalLB, ExternalDNS, and the new sandbox project, K8GB
  • Configure a cluster for OIDC and impersonation
  • Deploy a monolithic application in Istio service mesh
  • Map enterprise authorization to Kubernetes
  • Secure clusters using OPA and GateKeeper
  • Enhance auditing using Falco and ECK
  • Back up your workload for disaster recovery and cluster migration
  • Deploy to a GitOps platform using Tekton, GitLab, and ArgoCD

Who this book is for

This book is for anyone interested in DevOps, containerization, and going beyond basic Kubernetes cluster deployments. DevOps engineers, developers, and system administrators looking to enhance their IT career paths will also find this book helpful.

Although some prior experience with Docker and Kubernetes is recommended, this book includes a Kubernetes bootcamp that provides a description of Kubernetes objects to help you if you are new to the topic or need a refresher.

Table of contents

  1. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Get in touch
  2. Docker and Container Essentials
    1. Technical requirements
    2. Understanding the need for containerization
      1. Understanding why Kubernetes is deprecating Docker
      2. Introducing Docker
    3. Understanding Docker
      1. Containers are ephemeral
      2. Docker images
      3. Image layers
      4. Persistent data
      5. Accessing services running in containers
    4. Installing Docker
      1. Preparing to install Docker
      2. Installing Docker on Ubuntu
      3. Granting Docker permissions
    5. Using the Docker CLI
      1. docker help
      2. docker run
      3. docker ps
      4. docker start and stop
      5. docker attach
      6. docker exec
      7. docker logs
      8. docker rm
    6. Summary
    7. Questions
  3. Deploying Kubernetes Using KinD
    1. Technical requirements
    2. Introducing Kubernetes components and objects
      1. Interacting with a cluster
    3. Using development clusters
      1. Why did we select KinD for this book?
      2. Working with a base KinD Kubernetes cluster
      3. Understanding the node image
      4. KinD and Docker networking
        1. Keeping track of the nesting dolls
    4. Installing KinD
      1. Installing KinD – prerequisites
        1. Installing kubectl
      2. Installing the KinD binary
    5. Creating a KinD cluster
      1. Creating a simple cluster
      2. Deleting a cluster
      3. Creating a cluster config file
      4. Multi-node cluster configuration
      5. Customizing the control plane and Kubelet options
      6. Creating a custom KinD cluster
      7. Installing Calico
      8. Installing an Ingress controller
    6. Reviewing your KinD cluster
      1. KinD storage objects
      2. Storage drivers
      3. KinD storage classes
      4. Using KinD's storage provisioner
    7. Adding a custom load balancer for Ingress
      1. Installation prerequisites
      2. Creating the KinD cluster configuration
      3. Deploying a custom HAProxy container
      4. Understanding HAProxy traffic flow
      5. Simulating a kubelet failure
    8. Summary
    9. Questions
  4. Kubernetes Bootcamp
    1. Technical requirements
    2. An overview of Kubernetes components
    3. Exploring the control plane
      1. The Kubernetes API server
      2. The Etcd database
      3. kube-scheduler
      4. kube-controller-manager
      5. cloud-controller-manager
    4. Understanding the worker node components
      1. kubelet
      2. kube-proxy
      3. Container runtime
    5. Interacting with the API server
      1. Using the Kubernetes kubectl utility
      2. Understanding the verbose option
      3. General kubectl commands
    6. Introducing Kubernetes resources
      1. Kubernetes manifests
      2. What are Kubernetes resources?
      3. Reviewing Kubernetes resources
        1. ConfigMaps
        2. Endpoints
        3. Events
        4. Namespaces
        5. Nodes
        6. Persistent Volume Claims
        7. PVs
        8. Pods
        9. Replication controllers
        10. ResourceQuotas
        11. Secrets
        12. Service accounts
        13. Services
        14. CustomResourceDefinitions
        15. DaemonSets
        16. Deployments
        17. ReplicaSets
        18. StatefulSets
        19. HorizontalPodAutoscalers
        20. CronJobs
        21. Jobs
        22. Ingress
        23. NetworkPolicies
        24. PodSecurityPolicies
        25. ClusterRoleBindings
        26. ClusterRoles
        27. RoleBindings
        28. Roles
        29. CSI drivers
        30. CSI nodes
        31. Storage classes
    7. Summary
    8. Questions
  5. Services, Load Balancing, ExternalDNS, and Global Balancing
    1. Technical requirements
    2. Exposing workloads to requests
      1. Understanding how services work
        1. Creating a service
        2. Using DNS to resolve services
      2. Understanding different service types
        1. The ClusterIP service
        2. The NodePort service
        3. The LoadBalancer service
        4. The ExternalName service
    3. Introduction to load balancers
      1. Understanding the OSI model
    4. Layer 7 load balancers
      1. Name resolution and layer 7 load balancers
      2. Using nip.io for name resolution
      3. Creating Ingress rules
    5. Layer 4 load balancers
      1. Layer 4 load balancer options
      2. Using MetalLB as a layer 4 load balancer
        1. Installing MetalLB
        2. Understanding MetalLB's configuration file
        3. MetalLB components
      3. Creating a LoadBalancer service
      4. Adding multiple IP pools to MetalLB
        1. Using multiple protocols
      5. Multiple protocol issues
      6. Using multiple protocols with MetalLB
      7. Using shared-IPs
    6. Enhancing load balancers for the enterprise
    7. Making service names available externally
      1. Setting up external-dns
      2. Integrating external-dns and CoreDNS
      3. Adding an ETCD zone to CoreDNS
      4. Creating a LoadBalancer service with external-dns integration
        1. Integrating CoreDNS with an enterprise DNS
    8. Load balancing between multiple clusters
      1. Introducing the Kubernetes Global Balancer
      2. Requirements for K8GB
      3. Deploying K8GB to a cluster
        1. Understanding K8GB load balancing options
        2. Customizing the Helm chart values
        3. Using Helm to install K8GB
      4. Deploying a highly available application using K8GB
        1. Adding an application to K8GB using custom resources
        2. Adding an application to K8GB using Ingress annotations
      5. Understanding how K8GB provides global load balancing
        1. Keeping the K8GB CoreDNS servers in sync
    9. Summary
    10. Questions
  6. Integrating Authentication into Your Cluster
    1. Technical requirements
    2. Understanding how Kubernetes knows who you are
      1. External users
      2. Groups in Kubernetes
      3. Service accounts
    3. Understanding OpenID Connect
      1. The OpenID Connect protocol
      2. Following OIDC and the API's interaction
        1. id_token
      3. Other authentication options
        1. Certificates
        2. Service accounts
        3. TokenRequest API
        4. Custom authentication webhooks
        5. Keystone
    4. Configuring KinD for OpenID Connect
      1. Addressing the requirements
        1. Using LDAP and Active Directory with Kubernetes
        2. Mapping Active Directory groups to RBAC RoleBindings
        3. Kubernetes Dashboard access
        4. Kubernetes CLI access
        5. Enterprise compliance requirements
        6. Pulling it all together
        7. Deploying OpenUnison
        8. Configuring the Kubernetes API to use OIDC
        9. Verifying OIDC integration
        10. Using your tokens with kubectl
    5. Introducing impersonation to integrate authentication with cloud-managed clusters
      1. What is Impersonation?
      2. Security considerations
    6. Configuring your cluster for impersonation
      1. Testing Impersonation
    7. Configuring Impersonation without OpenUnison
      1. Impersonation RBAC policies
      2. Default groups
    8. Authenticating from pipelines
      1. Using tokens
      2. Using certificates
      3. Avoiding anti-patterns
    9. Summary
    10. Questions
  7. RBAC Policies and Auditing
    1. Technical requirements
    2. Introduction to RBAC
    3. What's a Role?
      1. Identifying a Role
      2. Roles versus ClusterRoles
      3. Negative Roles
      4. Aggregated ClusterRoles
      5. RoleBindings and ClusterRoleBindings
        1. Combining ClusterRoles and RoleBindings
    4. Mapping enterprise identities to Kubernetes to authorize access to resources
    5. Implementing namespace multi-tenancy
    6. Kubernetes auditing
      1. Creating an audit policy
      2. Enabling auditing on a cluster
    7. Using audit2rbac to debug policies
    8. Summary
    9. Questions
  8. Deploying a Secured Kubernetes Dashboard
    1. Technical requirements
    2. How does the dashboard know who you are?
      1. Dashboard architecture
      2. Authentication methods
    3. Understanding dashboard security risks
      1. Deploying an insecure dashboard
      2. Using a token to log in
    4. Deploying the dashboard with a reverse proxy
      1. Local dashboards
      2. Other cluster-level applications
    5. Integrating the dashboard with OpenUnison
    6. Summary
    7. Questions
  9. Extending Security Using Open Policy Agent
    1. Technical requirements
    2. Introduction to dynamic admission controllers
    3. What is OPA and how does it work?
      1. OPA architecture
      2. Rego, the OPA policy language
      3. Gatekeeper
        1. Deploying Gatekeeper
      4. Automated testing framework
    4. Using Rego to write policies
      1. Developing an OPA policy
      2. Testing an OPA policy
      3. Deploying policies to Gatekeeper
      4. Building dynamic policies
      5. Debugging Rego
      6. Using existing policies
    5. Enforcing memory constraints
      1. Enabling the Gatekeeper cache
      2. Mocking up test data
      3. Building and deploying our policy
    6. Mutating objects and default values
    7. Summary
    8. Questions
  10. Node Security with GateKeeper
    1. Technical requirements
    2. What is node security?
      1. Understanding the difference between containers and VMs
      2. Container breakouts
      3. Properly designing containers
    3. Enforcing node security with GateKeeper
      1. What about Pod security policies?
      2. What are the differences between PSPs and GateKeeper?
      3. Authorizing node security policies
      4. Deploying and debugging node security policies
        1. Generating security context defaults
        2. Enforcing cluster policies
        3. Debugging constraint violations
        4. Scaling policy deployment in multi-tenant clusters
    4. Summary
    5. Questions
  11. Auditing Using Falco, DevOps AI, and ECK
    1. Technical requirements
    2. Exploring auditing
    3. Introducing Falco
    4. Exploring Falco's configuration files
      1. The Helm Values file
        1. Customizing the Helm Values
      2. Falco rules config files
        1. Understanding rules
        2. Understanding conditions (fields and values)
        3. Using macros
        4. Understanding lists
      3. Creating and appending to custom rules
        1. Editing an existing rule
        2. Creating a new rule
    5. Deploying Falco
      1. Introducing Falcosidekick
      2. Installing Falcosidekick
      3. Understanding Kubeless
      4. Installing Kubeless
      5. Deploying a function using Kubeless
    6. Introducing DevOPs AI
      1. Understand automatic responses to events
        1. Deploy the NGINX server and test connectivity
        2. Simulating an attack on the Pod
      2. Observing Falco events
        1. Using Falcosidekick-ui
      3. Deploying our logging system
        1. Creating a new namespace
        2. Deploying the ECK operator
        3. Deploying Elasticsearch, Filebeat, and Kibana
      4. Using the components ECK to view logs
        1. Creating a Kibana index
        2. Browsing for events
        3. Visualizations
        4. Creating a dashboard
        5. Creating a visualization for Falco event types
    7. Summary
    8. Questions
  12. Backing Up Workloads
    1. Technical requirements
    2. Understanding Kubernetes backups
    3. Performing an etcd backup
      1. Backing up the required certificates
      2. Backing up the etcd database
    4. Introducing and setting up VMware's Velero
      1. Velero requirements
      2. Installing the Velero CLI
      3. Installing Velero
        1. Backup storage location
        2. Deploying MinIO
        3. Exposing MinIO and the console
        4. Creating the S3 target configuration
    5. Using Velero to back up workloads
      1. Running a one-time cluster backup
      2. Scheduling a cluster backup
      3. Creating a custom backup
    6. Managing Velero using the CLI
      1. Using common Velero commands
        1. Listing Velero objects
        2. Retrieving details for a Velero object
        3. Creating and deleting objects
    7. Restoring from a backup
      1. Restoring in action
        1. Restoring a deployment from a backup
        2. Backing up the namespace
        3. Simulating a failure
      2. Restoring a namespace
      3. Using a backup to create workloads in a new cluster
        1. Backing up the cluster
        2. Building a new cluster
      4. Restoring a backup to the new cluster
        1. Installing Velero in the new cluster
        2. Restoring a backup in a new cluster
        3. Deleting the new cluster
    8. Summary
    9. Questions
  13. An Introduction to Istio
    1. Technical requirements
    2. Why should you care about a service mesh?
      1. Workload observability
      2. Traffic management
        1. Blue/Green Deployments
        2. Canary Deployments
      3. Finding issues before they happen
      4. Security
    3. Introduction to Istio concepts
    4. Understanding the Istio components
      1. Making the Control Plane Simple with Istiod
        1. Breaking down the istiod pod
      2. Understanding the istio-ingressgateway
      3. Understanding the istio-egressgateway
    5. Installing Istio
      1. Downloading Istio
      2. Installing Istio using a Profile
    6. Introducing Istio resources
      1. Authorization policies
        1. Example 1: Denying and allowing all access
        2. Example 2: Allowing only GET methods to a workload
        3. Example 3: Allowing requests from a specific source
        4. Gateways
        5. Virtual Services
      2. Destination rules
        1. Peer authentications
        2. Request authentication
        3. Service entries
        4. Sidecars
        5. Envoy filters
    7. Deploying add-on components to provide observability
      1. Installing Prometheus
      2. Installing Jaeger
      3. Installing Kiali
    8. Deploying an application into the service mesh
      1. Deploying your first application into the mesh
      2. Using Kiali to observe mesh workloads
        1. The Kiali overview screen
        2. Using the Graph view
        3. Using the Application view
        4. Using the Workloads view
        5. Using the Services view
        6. The Istio config view
    9. Summary
    10. Questions
  14. Building and Deploying Applications on Istio
    1. Technical requirements
    2. Comparing microservices and monoliths
      1. My history with microservices versus monolithic architecture
      2. Comparing architectures in an application
        1. Monolithic application design
        2. Microservices design
        3. Choosing between monoliths and microservices
        4. Using Istio to help manage microservices
    3. Deploying a monolith
      1. Exposing our monolith outside our cluster
      2. Configuring sticky sessions
      3. Integrating Kiali and OpenUnison
    4. Building a microservice
      1. Deploying Hello World
      2. Integrating authentication into our service
      3. Authorizing access to our service
      4. Telling your service who's using it
      5. Authorizing user entitlements
        1. Authorizing in service
        2. Using OPA with Istio
      6. Calling other services
        1. Using OAuth2 Token Exchange
        2. Passing tokens between services
        3. Using simple impersonation
    5. Do I need an API gateway?
    6. Summary
    7. Questions
  15. Provisioning a Platform
    1. Technical requirements
    2. Designing a pipeline
      1. Opinionated platforms
      2. Securing your pipeline
      3. Building our platform's requirements
      4. Choosing our technology stack
    3. Preparing our cluster
      1. Deploying cert-manager
      2. Deploying the Docker container registry
      3. Deploying OpenUnison and GateKeeper
    4. Deploying GitLab
      1. Creating example projects
    5. Deploying Tekton
      1. Building Hello World
      2. Building automatically
    6. Deploying ArgoCD
    7. Automating project onboarding using OpenUnison
      1. Designing a GitOps strategy
      2. Integrating GitLab
      3. Integrating the TektonCD dashboard
      4. Integrating ArgoCD
      5. Updating OpenUnison
    8. Deploying an application
      1. Creating the application in Kubernetes
      2. Getting access to developers
      3. Deploying dev manifests
      4. Deploying a Tekton pipeline
      5. Running our pipeline
      6. Promoting to production
    9. Summary
    10. Questions
  16. Other Books You May Enjoy
  17. Index

Product information

  • Title: Kubernetes – An Enterprise Guide - Second Edition
  • Author(s): Marc Boorshtein, Scott Surovich
  • Release date: December 2021
  • Publisher(s): Packt Publishing
  • ISBN: 9781803230030