Kubernetes – An Enterprise Guide, 2nd Edition
- Length: 576 pages
- Edition: 1
- Language: English
- Publisher: Packt Publishing
- Publication Date: 2022-01-11
- ISBN-10: 1803230037
- ISBN-13: 9781803230030
- Sales Rank: #0 (See Top 100 Books)
Master core Kubernetes concepts important to enterprises from security, policy, and management point-of-view. Learn to deploy a service mesh using Istio, build a CI/CD platform, and provide enterprise security to your clusters.
Key Features
- Extensively revised edition to cover the latest updates and new releases along with two new chapters to introduce Istio
- Get a firm command of Kubernetes from a dual perspective of an admin as well as a developer
- Understand advanced topics including load balancing, externalDNS, global load balancing, authentication integration, policy, security, auditing, backup, Istio and CI/CD
Book Description
Kubernetes has taken the world by storm, becoming the standard infrastructure for DevOps teams to develop, test, and run applications. With significant updates in each chapter, this revised edition will help you acquire the knowledge and tools required to integrate Kubernetes clusters in an enterprise environment.
The book introduces you to Docker and Kubernetes fundamentals, including a review of basic Kubernetes objects. You’ll get to grips with containerization and understand its core functionalities such as creating ephemeral multinode clusters using KinD. The book has replaced PodSecurityPolicies (PSP) with OPA/Gatekeeper for PSP-like enforcement. You’ll integrate your container into a cloud platform and tools including MetalLB, externalDNS, OpenID connect (OIDC), Open Policy Agent (OPA), Falco, and Velero. After learning to deploy your core cluster, you’ll learn how to deploy Istio and how to deploy both monolithic applications and microservices into your service mesh. Finally, you will discover how to deploy an entire GitOps platform to Kubernetes using continuous integration and continuous delivery (CI/CD).
What you will learn
- Create a multinode Kubernetes cluster using KinD
- Implement Ingress, MetalLB, ExternalDNS, and the new sandbox project, K8GBConfigure a cluster OIDC and impersonation
- Deploy a monolithic application in Istio service mesh
- Map enterprise authorization to Kubernetes
- Secure clusters using OPA and GateKeeper
- Enhance auditing using Falco and ECK
- Back up your workload for disaster recovery and cluster migration
- Deploy to a GitOps platform using Tekton, GitLab, and ArgoCD
Who This Book Is For
This book is for anyone interested in DevOps, containerization, and going beyond basic Kubernetes cluster deployments. DevOps engineers, developers, and system administrators looking to enhance their IT career paths will also find this book helpful.
Although some prior experience with Docker and Kubernetes is recommended, this book includes a Kubernetes bootcamp that provides a description of Kubernetes objects to help you if you are new to the topic or need a refresher.
Table of Contents
- Docker and Container Essentials
- Deploying Kubernetes using KinD
- Kubernetes Bootcamp
- Services, Load Balancing, and External DNS
- Integrating Authentication into Your Cluster
- RBAC Policies and Auditing
- Deploying a Secured Kubernetes Dashboard
- Extending Security Using Open Policy Agent
- Node Security with Gatekeeper
- Auditing using Falco and EFK
- Backing up Workloads
- Istio Deployment
- Building and Deploying Applications on Istio
- Provisioning a Platform
Preface Who this book is for What this book covers To get the most out of this book Get in touch Docker and Container Essentials Technical requirements Understanding the need for containerization Understanding why Kubernetes is deprecating Docker Introducing Docker Understanding Docker Containers are ephemeral Docker images Image layers Persistent data Accessing services running in containers Installing Docker Preparing to install Docker Installing Docker on Ubuntu Granting Docker permissions Using the Docker CLI docker help docker run docker ps docker start and stop docker attach docker exec docker logs docker rm Summary Questions Deploying Kubernetes Using KinD Technical requirements Introducing Kubernetes components and objects Interacting with a cluster Using development clusters Why did we select KinD for this book? Working with a base KinD Kubernetes cluster Understanding the node image KinD and Docker networking Keeping track of the nesting dolls Installing KinD Installing KinD – prerequisites Installing kubectl Installing the KinD binary Creating a KinD cluster Creating a simple cluster Deleting a cluster Creating a cluster config file Multi-node cluster configuration Customizing the control plane and Kubelet options Creating a custom KinD cluster Installing Calico Installing an Ingress controller Reviewing your KinD cluster KinD storage objects Storage drivers KinD storage classes Using KinD's storage provisioner Adding a custom load balancer for Ingress Installation prerequisites Creating the KinD cluster configuration Deploying a custom HAProxy container Understanding HAProxy traffic flow Simulating a kubelet failure Summary Questions Kubernetes Bootcamp Technical requirements An overview of Kubernetes components Exploring the control plane The Kubernetes API server The Etcd database kube-scheduler kube-controller-manager cloud-controller-manager Understanding the worker node components kubelet kube-proxy Container runtime Interacting with the API server Using the Kubernetes kubectl utility Understanding the verbose option General kubectl commands Introducing Kubernetes resources Kubernetes manifests What are Kubernetes resources? Reviewing Kubernetes resources ConfigMaps Endpoints Events Namespaces Nodes Persistent Volume Claims PVs Pods Replication controllers ResourceQuotas Secrets Service accounts Services CustomResourceDefinitions DaemonSets Deployments ReplicaSets StatefulSets HorizontalPodAutoscalers CronJobs Jobs Ingress NetworkPolicies PodSecurityPolicies ClusterRoleBindings ClusterRoles RoleBindings Roles CSI drivers CSI nodes Storage classes Summary Questions Services, Load Balancing, ExternalDNS, and Global Balancing Technical requirements Exposing workloads to requests Understanding how services work Creating a service Using DNS to resolve services Understanding different service types The ClusterIP service The NodePort service The LoadBalancer service The ExternalName service Introduction to load balancers Understanding the OSI model Layer 7 load balancers Name resolution and layer 7 load balancers Using nip.io for name resolution Creating Ingress rules Layer 4 load balancers Layer 4 load balancer options Using MetalLB as a layer 4 load balancer Installing MetalLB Understanding MetalLB's configuration file MetalLB components Creating a LoadBalancer service Adding multiple IP pools to MetalLB Using multiple protocols Multiple protocol issues Using multiple protocols with MetalLB Using shared-IPs Enhancing load balancers for the enterprise Making service names available externally Setting up external-dns Integrating external-dns and CoreDNS Adding an ETCD zone to CoreDNS Creating a LoadBalancer service with external-dns integration Integrating CoreDNS with an enterprise DNS Load balancing between multiple clusters Introducing the Kubernetes Global Balancer Requirements for K8GB Deploying K8GB to a cluster Understanding K8GB load balancing options Customizing the Helm chart values Using Helm to install K8GB Deploying a highly available application using K8GB Adding an application to K8GB using custom resources Adding an application to K8GB using Ingress annotations Understanding how K8GB provides global load balancing Keeping the K8GB CoreDNS servers in sync Summary Questions Integrating Authentication into Your Cluster Technical requirements Understanding how Kubernetes knows who you are External users Groups in Kubernetes Service accounts Understanding OpenID Connect The OpenID Connect protocol Following OIDC and the API's interaction id_token Other authentication options Certificates Service accounts TokenRequest API Custom authentication webhooks Keystone Configuring KinD for OpenID Connect Addressing the requirements Using LDAP and Active Directory with Kubernetes Mapping Active Directory groups to RBAC RoleBindings Kubernetes Dashboard access Kubernetes CLI access Enterprise compliance requirements Pulling it all together Deploying OpenUnison Configuring the Kubernetes API to use OIDC Verifying OIDC integration Using your tokens with kubectl Introducing impersonation to integrate authentication with cloud-managed clusters What is Impersonation? Security considerations Configuring your cluster for impersonation Testing Impersonation Configuring Impersonation without OpenUnison Impersonation RBAC policies Default groups Authenticating from pipelines Using tokens Using certificates Avoiding anti-patterns Summary Questions RBAC Policies and Auditing Technical requirements Introduction to RBAC What's a Role? Identifying a Role Roles versus ClusterRoles Negative Roles Aggregated ClusterRoles RoleBindings and ClusterRoleBindings Combining ClusterRoles and RoleBindings Mapping enterprise identities to Kubernetes to authorize access to resources Implementing namespace multi-tenancy Kubernetes auditing Creating an audit policy Enabling auditing on a cluster Using audit2rbac to debug policies Summary Questions Deploying a Secured Kubernetes Dashboard Technical requirements How does the dashboard know who you are? Dashboard architecture Authentication methods Understanding dashboard security risks Deploying an insecure dashboard Using a token to log in Deploying the dashboard with a reverse proxy Local dashboards Other cluster-level applications Integrating the dashboard with OpenUnison Summary Questions Extending Security Using Open Policy Agent Technical requirements Introduction to dynamic admission controllers What is OPA and how does it work? OPA architecture Rego, the OPA policy language Gatekeeper Deploying Gatekeeper Automated testing framework Using Rego to write policies Developing an OPA policy Testing an OPA policy Deploying policies to Gatekeeper Building dynamic policies Debugging Rego Using existing policies Enforcing memory constraints Enabling the Gatekeeper cache Mocking up test data Building and deploying our policy Mutating objects and default values Summary Questions Node Security with GateKeeper Technical requirements What is node security? Understanding the difference between containers and VMs Container breakouts Properly designing containers Enforcing node security with GateKeeper What about Pod security policies? What are the differences between PSPs and GateKeeper? Authorizing node security policies Deploying and debugging node security policies Generating security context defaults Enforcing cluster policies Debugging constraint violations Scaling policy deployment in multi-tenant clusters Summary Questions Auditing Using Falco, DevOps AI, and ECK Technical requirements Exploring auditing Introducing Falco Exploring Falco's configuration files The Helm Values file Customizing the Helm Values Falco rules config files Understanding rules Understanding conditions (fields and values) Using macros Understanding lists Creating and appending to custom rules Editing an existing rule Creating a new rule Deploying Falco Introducing Falcosidekick Installing Falcosidekick Understanding Kubeless Installing Kubeless Deploying a function using Kubeless Introducing DevOPs AI Understand automatic responses to events Deploy the NGINX server and test connectivity Simulating an attack on the Pod Observing Falco events Using Falcosidekick-ui Deploying our logging system Creating a new namespace Deploying the ECK operator Deploying Elasticsearch, Filebeat, and Kibana Using the components ECK to view logs Creating a Kibana index Browsing for events Visualizations Creating a dashboard Creating a visualization for Falco event types Summary Questions Backing Up Workloads Technical requirements Understanding Kubernetes backups Performing an etcd backup Backing up the required certificates Backing up the etcd database Introducing and setting up VMware's Velero Velero requirements Installing the Velero CLI Installing Velero Backup storage location Deploying MinIO Exposing MinIO and the console Creating the S3 target configuration Using Velero to back up workloads Running a one-time cluster backup Scheduling a cluster backup Creating a custom backup Managing Velero using the CLI Using common Velero commands Listing Velero objects Retrieving details for a Velero object Creating and deleting objects Restoring from a backup Restoring in action Restoring a deployment from a backup Backing up the namespace Simulating a failure Restoring a namespace Using a backup to create workloads in a new cluster Backing up the cluster Building a new cluster Restoring a backup to the new cluster Installing Velero in the new cluster Restoring a backup in a new cluster Deleting the new cluster Summary Questions An Introduction to Istio Technical requirements Why should you care about a service mesh? Workload observability Traffic management Blue/Green Deployments Canary Deployments Finding issues before they happen Security Introduction to Istio concepts Understanding the Istio components Making the Control Plane Simple with Istiod Breaking down the istiod pod Understanding the istio-ingressgateway Understanding the istio-egressgateway Installing Istio Downloading Istio Installing Istio using a Profile Introducing Istio resources Authorization policies Example 1: Denying and allowing all access Example 2: Allowing only GET methods to a workload Example 3: Allowing requests from a specific source Gateways Virtual Services Destination rules Peer authentications Request authentication Service entries Sidecars Envoy filters Deploying add-on components to provide observability Installing Prometheus Installing Jaeger Installing Kiali Deploying an application into the service mesh Deploying your first application into the mesh Using Kiali to observe mesh workloads The Kiali overview screen Using the Graph view Using the Application view Using the Workloads view Using the Services view The Istio config view Summary Questions Building and Deploying Applications on Istio Technical requirements Comparing microservices and monoliths My history with microservices versus monolithic architecture Comparing architectures in an application Monolithic application design Microservices design Choosing between monoliths and microservices Using Istio to help manage microservices Deploying a monolith Exposing our monolith outside our cluster Configuring sticky sessions Integrating Kiali and OpenUnison Building a microservice Deploying Hello World Integrating authentication into our service Authorizing access to our service Telling your service who's using it Authorizing user entitlements Authorizing in service Using OPA with Istio Calling other services Using OAuth2 Token Exchange Passing tokens between services Using simple impersonation Do I need an API gateway? Summary Questions Provisioning a Platform Technical requirements Designing a pipeline Opinionated platforms Securing your pipeline Building our platform's requirements Choosing our technology stack Preparing our cluster Deploying cert-manager Deploying the Docker container registry Deploying OpenUnison and GateKeeper Deploying GitLab Creating example projects Deploying Tekton Building Hello World Building automatically Deploying ArgoCD Automating project onboarding using OpenUnison Designing a GitOps strategy Integrating GitLab Integrating the TektonCD dashboard Integrating ArgoCD Updating OpenUnison Deploying an application Creating the application in Kubernetes Getting access to developers Deploying dev manifests Deploying a Tekton pipeline Running our pipeline Promoting to production Summary Questions Other Books You May Enjoy Index
Donate to keep this site alive
How to download source code?
1. Go to: https://github.com/PacktPublishing
2. In the Find a repository… box, search the book title: Kubernetes – An Enterprise Guide, 2nd Edition
, sometime you may not get the results, please search the main title.
3. Click the book title in the search results.
3. Click Code to download.
1. Disable the AdBlock plugin. Otherwise, you may not get any links.
2. Solve the CAPTCHA.
3. Click download link.
4. Lead to download server to download.