Apply Kubernetes beyond the basics of Kubernetes clusters by implementing IAM using OIDC and Active Directory, Layer 4 load balancing using MetalLB, advanced service integration, security, auditing, and CI/CD
▶Book Description
Containerization has changed the DevOps game completely, with Docker and Kubernetes playing important roles in altering the flow of app creation and deployment. This book will help you acquire the knowledge and tools required to integrate Kubernetes clusters in an enterprise environment.
The book begins by introducing you to Docker and Kubernetes fundamentals, including a review of basic Kubernetes objects. You'll then get to grips with containerization and understand its core functionalities, including how to create ephemeral multinode clusters using kind. As you make progress, you'll learn about cluster architecture, Kubernetes cluster deployment, and cluster management, and get started with application deployment. Moving on, you'll find out how to integrate your container to a cloud platform and integrate tools including MetalLB, externalDNS, OpenID connect (OIDC), pod security policies (PSPs), Open Policy Agent (OPA), Falco, and Velero. Finally, you will discover how to deploy an entire platform to the cloud using continuous integration and continuous delivery (CI/CD).
By the end of this Kubernetes book, you will have learned how to create development clusters for testing applications and Kubernetes components, and be able to secure and audit a cluster by implementing various open-source solutions including OpenUnison, OPA, Falco, Kibana, and Velero.
▶What You Will Learn
⦁ Create a multinode Kubernetes cluster using kind
⦁ Implement Ingress, MetalLB, and ExternalDNS
⦁ Configure a cluster OIDC using impersonation
⦁ Map enterprise authorization to Kubernetes
⦁ Secure clusters using PSPs and OPA
⦁ Enhance auditing using Falco and EFK
⦁ Back up your workload for disaster recovery and cluster migration
⦁ Deploy to a platform using Tekton, GitLab, and ArgoCD
▶Key Features
⦁ Find out how to add enterprise features to a Kubernetes cluster with theory and exercises to guide you
⦁ Understand advanced topics including load balancing, externalDNS, IDP integration, security, auditing, backup, and CI/CD
⦁ Create development clusters for unique testing requirements, including running multiple clusters on a single server to simulate an enterprise environment
▶Who This Book Is For
This book is for anyone interested in DevOps, containerization, and going beyond basic Kubernetes cluster deployments. DevOps engineers, developers, and system administrators looking to enhance their IT career paths will also find this book helpful. Although some prior experience with Docker and Kubernetes is recommended, this book includes a Kubernetes bootcamp that provides a description of Kubernetes objects to help you if you are new to the topic or need a refresher.
▶What this book covers
⦁Chapter 1, Understanding Docker and Containers Essentials, helps you learn what problems Docker and Kubernetes address for developers. You will be introduced to different aspects of Docker including the Docker daemon, data, installation, and using the Docker CLI.
⦁Chapter 2, Working with Docker Data, discusses how containers need to store data, with some use cases only requiring ephemeral disks, while others require persistent disks. In this chapter, you will learn about persistent data and how Docker can be used with volumes, bind mounts, and tmpfs to store data.
⦁Chapter 3, Understanding Docker Networking, introduces you to networking in Docker. It will cover creating different network types, adding and removing container networks, and exposing container services.
⦁Chapter 4, Deploying Kubernetes Using KinD, shows how KinD is a powerful tool that allows you to create a Kubernetes cluster ranging from a single node cluster to a full multi-node cluster. The chapter goes beyond a basic KinD cluster explaining how to use a load balancer running HAproxy to load-balance worker nodes. By the end of this chapter, you will understand how KinD works and how to create a custom multi-node cluster, which will be used for the exercises in the following chapters.
⦁Chapter 5, Kubernetes Bootcamp, covers most of the objects that a cluster includes, whether you need a refresher on Kubernetes, or are if you are newer to the platform. It explains the objects with a description of what each object does and its function in a cluster. This chapter is meant to be a refresher, or a "pocket guide" to objects – it does not contain exhaustive details for each object, as that would require a second book.
⦁Chapter 6, Services, Load Balancing, and External-DNS, teaches you how to expose a Kubernetes deployment using services. Each service type is explained with examples, and you will learn how to expose them using both a Layer-7 and a Layer-4 load balancer. In this chapter, you will go beyond the basics of a simple Ingress controller, installing MetalLB, to provide Layer-4 access to services. You will also install an incubator project called external-dns to provide dynamic name resolution for the services exposed by MetalLB.
⦁Chapter 7, Integrating Authentication into Your Cluster, considers the question of how users will access your cluster once it is built. In this chapter, we'll detail how OpenID Connect works and why you should use it for accessing your cluster. We'll also cover several anti-patterns that should be avoided and why they should be avoided.
⦁Chapter 8, RBAC Policies and Auditing, demonstrates how, once users have access to a cluster, you need to be able to limit their access. Whether you are providing an entire cluster to your users or just a namespace, you'll need to know how Kubernetes authorizes access via its role-based access control system, or RBAC. In this chapter, we'll detail how to design RBAC policies, how to debug them, and different strategies for multi-tenancy.
⦁Chapter 9, Securing the Kubernetes Dashboard, looks at the Kubernetes Dashboard, which is often the first thing users try to launch once a cluster is up and running. There's quite a bit of mythology around the security (or lack thereof). Your cluster will be made of other web applications too, such as network dashboards, logging systems, and monitoring dashboards too. This chapter looks at how the dashboard is architected, how to properly secure it, and examples of how not to deploy it with details as to why.
⦁Chapter 10, Creating Pod Security Policies, deals with the security of the nodes that run your Pod instances. We will discuss how to securely design your containers so they are harder to abuse and how to build policies to constrain your containers from accessing resources they don't need. We'll also cover the deprecation of the PodSecurityPolicy API and how to handle it.
⦁Chapter 11, Extending Security using Open Policy Agent, provides you with the guidance you need to deploy OpenPolicyAgent and GateKeeper to enable policies that can't be implemented using RBAC or PodSecurityPolicies. We'll cover how to deploy GateKeeper, how to write policies in Rego, and how to test your policies using OPA's built-in testing framework.
⦁Chapter 12, Auditing Using Falco and EFK, discusses how Kubernetes includes event logging for API access, but it doesn't have the ability to log events that may be executed inside a Pod. To address this limitation, we will install a project that was donated to the CNCF called Falco. You will also learn how to present the data that is captured by Falco using FalcoSideKick and the EFK stack (ElasticSearch, FluentD, and Kibana). You will get hands-on experience by looking for events in Kibana and creating a custom dashboard that contains important events.
⦁Chapter 13, Backing Up Workloads, teaches you how to create a backup of your cluster workloads for disaster recovery, or cluster migrations, using Velero. You will go hands-on and create a backup of example workloads and restore the backup to a brand-new cluster to simulate a cluster migration.
⦁Chapter 14, Provisioning a Platform, has you building a platform for automating a multi-tenant cluster with GitLab, Tekton, ArgoCD, and OpenUnison. We'll explore how to build pipelines and how to automate their creation. We'll explore how the objects that are used to drive pipelines are related to each other, how to build relationships between systems, and finally, how to create a self-service workflow for automating the deployment of pipelines.
