Book Image

Kubernetes and Docker - An Enterprise Guide

By : Scott Surovich, Marc Boorshtein
Book Image

Kubernetes and Docker - An Enterprise Guide

By: Scott Surovich, Marc Boorshtein

Overview of this book

Containerization has changed the DevOps game completely, with Docker and Kubernetes playing important roles in altering the flow of app creation and deployment. This book will help you acquire the knowledge and tools required to integrate Kubernetes clusters in an enterprise environment. The book begins by introducing you to Docker and Kubernetes fundamentals, including a review of basic Kubernetes objects. You’ll then get to grips with containerization and understand its core functionalities, including how to create ephemeral multinode clusters using kind. As you make progress, you’ll learn about cluster architecture, Kubernetes cluster deployment, and cluster management, and get started with application deployment. Moving on, you’ll find out how to integrate your container to a cloud platform and integrate tools including MetalLB, externalDNS, OpenID connect (OIDC), pod security policies (PSPs), Open Policy Agent (OPA), Falco, and Velero. Finally, you will discover how to deploy an entire platform to the cloud using continuous integration and continuous delivery (CI/CD). By the end of this Kubernetes book, you will have learned how to create development clusters for testing applications and Kubernetes components, and be able to secure and audit a cluster by implementing various open-source solutions including OpenUnison, OPA, Falco, Kibana, and Velero.

Related Content you might be interested in

Current Title:

Small book image
Kubernetes and Docker - An Enterprise Guide
Scott Surovich | Marc Boorshtein
Nov, 2020 | 526 pages
Small book image
The Kubernetes Workshop
Mohammed Abu Taleb | Zachary Arnold | Wei Huang | Sahil Dua | Meacutelony Qin | Faisal Masood
Sep, 2020 | 780 pages
Small book image
Certified Kubernetes Administrator (CKA) Exam Guide
Meacutelony Qin
Nov, 2022 | 322 pages
Small book image
The Kubernetes Bible
Nassim Kebbani | Russ McKendrick | Piotr Tylenda
Feb, 2022 | 680 pages
Table of Contents (20 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Code in Action
Download the color images
Conventions used
Get in touch
Reviews
1
Section 1: Docker and Container Fundamentals
Section 1: Docker and Container Fundamentals
Free Chapter
2
Chapter 1: Docker and Container Essentials
Chapter 1: Docker and Container Essentials
Technical requirements
Understanding the need for containerization
Understanding Docker
Installing Docker
Using the Docker CLI
Summary
Questions
3
Chapter 2: Working with Docker Data
Chapter 2: Working with Docker Data
Technical requirements
Why you need persistent data
Docker volumes
Docker bind mounts
Docker tmpfs mounts
Summary
Questions
4
Chapter 3: Understanding Docker Networking
Chapter 3: Understanding Docker Networking
Technical requirements
Exploring Docker networking
Creating user-defined bridge networks
Summary
Questions
5
Section 2: Creating Kubernetes Development Clusters, Understanding objects, and Exposing Services
Section 2: Creating Kubernetes Development Clusters, Understanding objects, and Exposing Services
6
Chapter 4: Deploying Kubernetes Using KinD
Chapter 4: Deploying Kubernetes Using KinD
Technical requirements
Introducing Kubernetes components and objects
Using development clusters
Installing KinD
Creating a KinD cluster
Reviewing your KinD cluster
Adding a custom load balancer for Ingress
Summary
Questions
7
Chapter 5: Kubernetes Bootcamp
Chapter 5: Kubernetes Bootcamp
Technical requirements
An overview of Kubernetes components
Exploring the control plane
Understanding the worker node components
Interacting with the API server
Introducing Kubernetes objects
Summary
Questions
8
Chapter 6: Services, Load Balancing, and External DNS
Chapter 6: Services, Load Balancing, and External DNS
Technical requirements
Exposing workloads to requests
Introduction to load balancers
Layer 7 load balancers
Layer 4 load balancers
Making service names available externally
Summary
Questions
9
Section 3: Running Kubernetes in the Enterprise
Section 3: Running Kubernetes in the Enterprise
10
Chapter 7: Integrating Authentication into Your Cluster
Chapter 7: Integrating Authentication into Your Cluster
Technical requirements
Understanding how Kubernetes knows who you are
Understanding OpenID Connect
Configuring KinD for OpenID Connect
Introducing impersonation to integrate authentication with cloud-managed clusters
Configuring your cluster for impersonation
Configuring Impersonation without OpenUnison
Summary
11
Chapter 8: RBAC Policies and Auditing
Chapter 8: RBAC Policies and Auditing
Technical requirements
Introduction to RBAC
What's a Role?
Mapping enterprise identities to Kubernetes to authorize access to resources
Implementing namespace multi-tenancy
Kubernetes auditing
Using audit2rbac to debug policies
Summary
Questions
12
Chapter 9: Deploying a Secured Kubernetes Dashboard
Chapter 9: Deploying a Secured Kubernetes Dashboard
Technical requirements
How does the dashboard know who you are?
Understanding dashboard security risks
Deploying the dashboard with a reverse proxy
Integrating the dashboard with OpenUnison
Summary
Questions
13
Chapter 10: Creating PodSecurityPolicies
Chapter 10: Creating PodSecurityPolicies
Technical requirements
What is a PodSecurityPolicy?
Aren't they going away?
Enabling PSPs
Alternatives to PSPs
Summary
Questions
14
Chapter 11: Extending Security Using Open Policy Agent
Chapter 11: Extending Security Using Open Policy Agent
Technical requirements
Introduction to dynamic admission controllers
What is OPA and how does it work?
Using Rego to write policies
Enforcing memory constraints
Enforcing Pod Security Policies using OPA
Summary
Questions
15
Chapter 12: Auditing using Falco and EFK
Chapter 12: Auditing using Falco and EFK
Technical requirements
Exploring auditing
Introducing Falco
Exploring Falco's configuration files
Deploying Falco
Falco kernel module
Summary
Questions
16
Chapter 13: Backing Up Workloads
Chapter 13: Backing Up Workloads
Technical requirements
Understanding Kubernetes backups
Performing an etcd backup
Introducing and setting up Heptio's Velero
Using Velero to back up workloads
Managing Velero using the CLI
Restoring from a backup
Summary
Questions
17
Chapter 14: Provisioning a Platform
Chapter 14: Provisioning a Platform
Technical requirements
Designing a pipeline
Preparing our cluster
Deploying GitLab
Deploying Tekton
Deploying ArgoCD
Automating project onboarding using OpenUnison
Summary
Questions
18
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Chapter 14
19
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

Configuring Impersonation without OpenUnison

The OpenUnison operator automated a couple of key steps to get impersonation working. There are other projects designed specifically for Kubernetes, such as JetStack's OIDC Proxy (https://github.com/jetstack/kube-oidc-proxy), that are designed to make using impersonation easier. You can use any reverse proxy that can generate the correct headers. There are two critical items to understand when doing this on your own.

Impersonation RBAC policies

RBAC will be covered in the next chapter, but for now, the correct policy to authorize a service account for impersonation is as follows:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonator
rules:
- apiGroups:
  - ""
  resources:
  - users
  - groups
  verbs:
  - impersonate

To constrain what accounts can be impersonated, add resourceNames to your rule.

Default...

Previous Section
End of Section 8
Next Section