book

Certified Kubernetes Application Developer (CKAD) Study Guide, 2nd Edition

by Benjamin Muschko

May 2024

Intermediate to advanced

366 pages

7h 43m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Includes

Has Sandbox

Who This Book Is ForWhat You Will LearnWhat’s New in the Second EditionConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
Kubernetes Certification Learning PathKubernetes and Cloud Native Associate (KCNA)Kubernetes and Cloud Native Security Associate (KCSA)Certified Kubernetes Application Developer (CKAD)Certified Kubernetes Administrator (CKA)Certified Kubernetes Security Specialist (CKS)Exam ObjectivesCurriculumApplication Design and BuildApplication DeploymentApplication Observability and MaintenanceApplication Environment, Configuration, and SecurityServices and NetworkingInvolved Kubernetes PrimitivesDocumentationExam Environment and TipsCandidate SkillsTime ManagementCommand-Line Tips and TricksSetting a Context and NamespaceUsing the Alias for kubectlUsing kubectl Command Auto-CompletionInternalize Resource Short NamesPracticing and Practice ExamsSummary
What Is Kubernetes?FeaturesHigh-Level ArchitectureControl Plane Node ComponentsCommon Node ComponentsAdvantagesSummary
API Primitives and ObjectsUsing kubectlManaging ObjectsImperative Object ManagementDeclarative Object ManagementHybrid ApproachWhich Approach to Use?Summary
Container TerminologyContainerizing a Java-Based ApplicationWriting a DockerfileBuilding the Container ImageListing Container ImagesRunning the ContainerListing ContainersInteracting with the ContainerPublishing the Container ImageSaving and Loading a Container ImageGoing FurtherSummaryExam EssentialsSample Exercises
Working with PodsCreating PodsListing PodsPod Life Cycle PhasesRendering Pod DetailsAccessing Logs of a PodExecuting a Command in ContainerCreating a Temporary PodUsing a Pod’s IP Address for Network CommunicationConfiguring PodsDeleting a PodWorking with NamespacesListing NamespacesCreating and Using a NamespaceSetting a Namespace PreferenceDeleting a NamespaceSummaryExam EssentialsSample Exercises
Working with JobsCreating and Inspecting JobsJob Operation TypesRestart BehaviorWorking with CronJobsCreating and Inspecting CronJobsConfiguring Retained Job HistorySummaryExam EssentialsSample Exercises

Working with StorageVolume TypesEphemeral VolumesPersistent VolumesStorage ClassesSummaryExam EssentialsSample Exercises
Working with Multiple Containers in a PodInit ContainersThe Sidecar PatternThe Adapter PatternThe Ambassador PatternSummaryExam EssentialsSample Exercises
Working with LabelsDeclaring LabelsInspecting LabelsModifying Labels for a Live ObjectUsing Label SelectorsRecommended LabelsWorking with AnnotationsDeclaring AnnotationsInspecting AnnotationsModifying Annotations for a Live ObjectReserved AnnotationsSummaryExam EssentialsSample Exercises
Working with DeploymentsCreating DeploymentsListing Deployments and Their PodsRendering Deployment DetailsDeleting a DeploymentPerforming Rolling Updates and RollbacksUpdating a Deployment’s Pod TemplateRolling Out a New RevisionAdding a Change Cause for a RevisionRolling Back to a Previous RevisionScaling WorkloadsManually Scaling a DeploymentAutoscaling a DeploymentCreating Horizontal Pod AutoscalersListing Horizontal Pod AutoscalersRendering Horizontal Pod Autoscaler DetailsDefining Multiple Scaling MetricsSummaryExam EssentialsSample Exercises
Rolling Deployment StrategyImplementationUse Cases and Trade-OffsFixed Deployment StrategyImplementationUse Cases and Trade-OffsBlue-Green Deployment StrategyImplementationUse Cases and Trade-OffsCanary Deployment StrategyImplementationUse Cases and Trade-OffsSummaryExam EssentialsSample Exercises
Managing an Existing ChartIdentifying a ChartAdding a Chart RepositorySearching for a Chart in a RepositoryInstalling a ChartListing Installed ChartsUpgrading an Installed ChartUninstalling a ChartSummaryExam EssentialsSample Exercises
Understanding the Deprecation PolicyListing Available API VersionsHandling Deprecation WarningsHandling a Removed or Replaced APISummaryExam EssentialsSample Exercises
Working with ProbesProbe TypesHealth Verification MethodsHealth Check AttributesThe Readiness ProbeThe Liveness ProbeThe Startup ProbeSummaryExam EssentialsSample Exercises
Troubleshooting PodsRetrieving High-Level InformationInspecting EventsUsing Port ForwardingTroubleshooting ContainersInspecting LogsOpening an Interactive ShellInteracting with a Distroless ContainerInspecting Resource MetricsSummaryExam EssentialsSample Exercises
Working with CRDsExample CRDImplementing a CRD SchemaInstantiating an Object for the CRDDiscovering CRDsImplementing a ControllerSummaryExam EssentialsSample Exercises
Processing a RequestAuthentication with kubectlThe KubeconfigManaging Kubeconfig Using kubectlAuthorization with Role-Based Access ControlRBAC OverviewUnderstanding RBAC API PrimitivesDefault User-Facing RolesCreating RolesListing RolesRendering Role DetailsCreating RoleBindingsListing RoleBindingsRendering RoleBinding DetailsSeeing the RBAC Rules in EffectNamespace-Wide and Cluster-Wide RBACWorking with Service AccountsThe Default Service AccountCreating a Service AccountSetting Permissions for a Service AccountAdmission ControlSummaryExam EssentialsSample Exercises
Working with Resource RequirementsDefining Container Resource RequestsDefining Container Resource LimitsDefining Container Resource Requests and LimitsWorking with Resource QuotasCreating ResourceQuotasRendering ResourceQuota DetailsExploring a ResourceQuota’s Runtime BehaviorWorking with Limit RangesCreating LimitRangesRendering LimitRange DetailsExploring a LimitRange’s Runtime BehaviorSummaryExam EssentialsSample Exercises
Working with ConfigMapsCreating a ConfigMapConsuming a ConfigMap as Environment VariablesMounting a ConfigMap as a VolumeWorking with SecretsCreating a SecretConsuming a Secret as Environment VariablesMounting a Secret as a VolumeSummaryExam EssentialsSample Exercises
Working with Security ContextsDefining a Security Context on the Pod LevelDefining a Security Context on the Container LevelDefining a Security Context on the Pod and Container LevelSummaryExam EssentialsSample Exercises
Working with ServicesService TypesPort MappingCreating ServicesListing ServicesRendering Service DetailsThe ClusterIP Service TypeCreating and Inspecting the ServiceAccessing the ServiceThe NodePort Service TypeCreating and Inspecting the ServiceAccessing the ServiceThe LoadBalancer Service TypeCreating and Inspecting the ServiceAccessing the ServiceSummaryExam EssentialsSample Exercises
Working with IngressesInstalling an Ingress ControllerDeploying Multiple Ingress ControllersConfiguring Ingress RulesCreating IngressesDefining Path TypesListing IngressesRendering Ingress DetailsAccessing an IngressSummaryExam EssentialsSample Exercises
Working with Network PoliciesInstalling an Network Policy ControllerCreating a Network PolicyListing Network PoliciesRendering Network Policy DetailsApplying Default Network PoliciesRestricting Access to Specific PortsSummaryExam EssentialsSample Exercises
Chapter 4, ContainersChapter 5, Pods and NamespacesChapter 6, Jobs and CronJobsChapter 7, VolumesChapter 8, Multi-Container PodsChapter 9, Labels and AnnotationsChapter 10, DeploymentsChapter 11, Deployment StrategiesChapter 12, HelmChapter 13, API DeprecationsChapter 14, Container ProbesChapter 15, Troubleshooting Pods and ContainersChapter 16, Custom Resource Definitions (CRDs)Chapter 17, Authentication, Authorization, and Admission ControlChapter 18, Resource Requirements, Limits, and QuotasChapter 19, ConfigMaps and SecretsChapter 20, Security ContextsChapter 21, ServicesChapter 22, IngressesChapter 23, Network Policies
Application Design and BuildApplication DeploymentApplication Observability and MaintenanceApplication Environment, Configuration, and SecurityServices and Networking

Content preview from Certified Kubernetes Application Developer (CKAD) Study Guide, 2nd Edition

Chapter 20. Security Contexts

Running a Pod in Kubernetes without implementing more restrictive security measures can pose a security risk. Without these measures, an attacker can potentially gain access to the host system or perform malicious activities, such as accessing files containing sensitive data. A security context defines privilege and access control settings for containers as part of a Pod specification. The following list provides some examples for security-related parameters:

The user ID that should be used to run the Pod and/or container
The group ID that should be used for filesystem access
Granting a running process inside the container some privileges of the root user but not all of them

This chapter will give you an overview of defining security contexts and seeing their runtime effects in practice. Given the wide range of security settings, we won’t be able to discuss all of them. You will find additional use cases and configuration options in the Kubernetes documentation.

Working with Security Contexts

The security context is not a Kubernetes primitive. It is modeled as a set of attributes under the directive securityContext within the Pod specification. Security settings defined on the Pod level apply to all containers running in the Pod. When applied to a single container, it will have no effects on other containers running ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Certified Kubernetes Application Developer (CKAD) Study Guide

Publisher Resources

ISBN: 9781098152857Errata Page Supplemental Content

Certified Kubernetes Application Developer (CKAD) Study Guide, 2nd Edition

by Benjamin Muschko

Chapter 20. Security Contexts

Working with Security Contexts

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like