Book Image

Kubernetes – An Enterprise Guide - Second Edition

By : Marc Boorshtein, Scott Surovich
Book Image

Kubernetes – An Enterprise Guide - Second Edition

By: Marc Boorshtein, Scott Surovich

Overview of this book

Kubernetes has taken the world by storm, becoming the standard infrastructure for DevOps teams to develop, test, and run applications. With significant updates in each chapter, this revised edition will help you acquire the knowledge and tools required to integrate Kubernetes clusters in an enterprise environment. The book introduces you to Docker and Kubernetes fundamentals, including a review of basic Kubernetes objects. You’ll get to grips with containerization and understand its core functionalities such as creating ephemeral multinode clusters using KinD. The book has replaced PodSecurityPolicies (PSP) with OPA/Gatekeeper for PSP-like enforcement. You’ll integrate your container into a cloud platform and tools including MetalLB, externalDNS, OpenID connect (OIDC), Open Policy Agent (OPA), Falco, and Velero. After learning to deploy your core cluster, you’ll learn how to deploy Istio and how to deploy both monolithic applications and microservices into your service mesh. Finally, you will discover how to deploy an entire GitOps platform to Kubernetes using continuous integration and continuous delivery (CI/CD).

Related Content you might be interested in

Current Title:

Small book image
Kubernetes – An Enterprise Guide - Second Edition
Marc Boorshtein | Scott Surovich
Dec, 2021 | 578 pages
Small book image
Cloud Native with Kubernetes
Alexander Raul
Jan, 2021 | 446 pages
Small book image
Certified Kubernetes Administrator (CKA) Exam Guide
Meacutelony Qin
Nov, 2022 | 322 pages
Small book image
The Kubernetes Bible
Nassim Kebbani | Russ McKendrick | Piotr Tylenda
Feb, 2022 | 680 pages
Table of Contents (17 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
Free Chapter
1
Docker and Container Essentials
Docker and Container Essentials
Technical requirements
Understanding the need for containerization
Understanding Docker
Installing Docker
Using the Docker CLI
Summary
Questions
2
Deploying Kubernetes Using KinD
Deploying Kubernetes Using KinD
Technical requirements
Introducing Kubernetes components and objects
Using development clusters
Installing KinD
Creating a KinD cluster
Reviewing your KinD cluster
Adding a custom load balancer for Ingress
Summary
Questions
3
Kubernetes Bootcamp
Kubernetes Bootcamp
Technical requirements
An overview of Kubernetes components
Exploring the control plane
Understanding the worker node components
Interacting with the API server
Introducing Kubernetes resources
Summary
Questions
4
Services, Load Balancing, ExternalDNS, and Global Balancing
Services, Load Balancing, ExternalDNS, and Global Balancing
Technical requirements
Exposing workloads to requests
Introduction to load balancers
Layer 7 load balancers
Layer 4 load balancers
Enhancing load balancers for the enterprise
Making service names available externally
Load balancing between multiple clusters
Summary
Questions
5
Integrating Authentication into Your Cluster
Integrating Authentication into Your Cluster
Technical requirements
Understanding how Kubernetes knows who you are
Understanding OpenID Connect
Configuring KinD for OpenID Connect
Introducing impersonation to integrate authentication with cloud-managed clusters
Configuring your cluster for impersonation
Configuring Impersonation without OpenUnison
Authenticating from pipelines
Summary
Questions
6
RBAC Policies and Auditing
RBAC Policies and Auditing
Technical requirements
Introduction to RBAC
What's a Role?
Mapping enterprise identities to Kubernetes to authorize access to resources
Implementing namespace multi-tenancy
Kubernetes auditing
Using audit2rbac to debug policies
Summary
Questions
7
Deploying a Secured Kubernetes Dashboard
Deploying a Secured Kubernetes Dashboard
Technical requirements
How does the dashboard know who you are?
Understanding dashboard security risks
Deploying the dashboard with a reverse proxy
Integrating the dashboard with OpenUnison
Summary
Questions
8
Extending Security Using Open Policy Agent
Extending Security Using Open Policy Agent
Technical requirements
Introduction to dynamic admission controllers
What is OPA and how does it work?
Using Rego to write policies
Enforcing memory constraints
Mutating objects and default values
Summary
Questions
9
Node Security with GateKeeper
Node Security with GateKeeper
Technical requirements
What is node security?
Enforcing node security with GateKeeper
Summary
Questions
10
Auditing Using Falco, DevOps AI, and ECK
Auditing Using Falco, DevOps AI, and ECK
Technical requirements
Exploring auditing
Introducing Falco
Exploring Falco's configuration files
Deploying Falco
Introducing DevOPs AI
Summary
Questions
11
Backing Up Workloads
Backing Up Workloads
Technical requirements
Understanding Kubernetes backups
Performing an etcd backup
Introducing and setting up VMware's Velero
Using Velero to back up workloads
Managing Velero using the CLI
Restoring from a backup
Summary
Questions
12
An Introduction to Istio
An Introduction to Istio
Technical requirements
Why should you care about a service mesh?
Introduction to Istio concepts
Understanding the Istio components
Installing Istio
Introducing Istio resources
Deploying add-on components to provide observability
Deploying an application into the service mesh
Summary
Questions
13
Building and Deploying Applications on Istio
Building and Deploying Applications on Istio
Technical requirements
Comparing microservices and monoliths
Deploying a monolith
Building a microservice
Do I need an API gateway?
Summary
Questions
14
Provisioning a Platform
Provisioning a Platform
Technical requirements
Designing a pipeline
Preparing our cluster
Deploying GitLab
Deploying Tekton
Deploying ArgoCD
Automating project onboarding using OpenUnison
Deploying an application
Summary
Questions
15
Other Books You May Enjoy
Other Books You May Enjoy
16
Index
Index

Configuring Impersonation without OpenUnison

The OpenUnison operator automated a couple of key steps to get impersonation working. There are other projects designed specifically for Kubernetes, such as Jetstack's OIDC proxy (https://github.com/jetstack/kube-oidc-proxy), that are designed to make using Impersonation easier. You can use any reverse proxy that can generate the correct headers. There are two critical items to understand when doing this on your own.

Impersonation RBAC policies

RBAC will be covered in the next chapter, but for now, the correct policy to authorize a service account for Impersonation is as follows:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonator
rules:
- apiGroups:
  - ""
  resources:
  - users
  - groups
  verbs:
  - impersonate

To constrain what accounts can be impersonated, add resourceNames to your rule.

Default groups

When impersonating a user, Kubernetes does not add the...

Previous Section
End of Section 8
Next Section