Kubernetes and Docker - An Enterprise Guide

Book description

Take Kubernetes beyond basic cluster deployments by implementing IAM using OIDC and Active Directory, layer 4 load balancing using MetalLB, advanced service integration, security, auditing, and CI/CD

Key Features

  • Find out how to add enterprise features to a Kubernetes cluster with theory and exercises to guide you
  • Understand advanced topics including load balancing, externalDNS, IDP integration, security, auditing, backup, and CI/CD
  • Create development clusters for unique testing requirements, including running multiple clusters on a single server to simulate an enterprise environment

Book Description

Containerization has changed the DevOps game completely, with Docker and Kubernetes playing important roles in altering the flow of app creation and deployment. This book will help you acquire the knowledge and tools required to integrate Kubernetes clusters in an enterprise environment.

The book begins by introducing you to Docker and Kubernetes fundamentals, including a review of basic Kubernetes objects. You'll then get to grips with containerization and understand its core functionality, including how to create ephemeral multinode clusters using KinD. As you make progress, you'll learn about cluster architecture, Kubernetes cluster deployment, and cluster management, and get started with application deployment. Moving on, you'll find out how to integrate your cluster with a cloud platform and integrate tools including MetalLB, externalDNS, OpenID Connect (OIDC), pod security policies (PSPs), Open Policy Agent (OPA), Falco, and Velero. Finally, you will discover how to deploy an entire platform to the cloud using continuous integration and continuous delivery (CI/CD).

By the end of this Kubernetes book, you will have learned how to create development clusters for testing applications and Kubernetes components, and be able to secure and audit a cluster by implementing various open-source solutions including OpenUnison, OPA, Falco, Kibana, and Velero.

What you will learn

  • Create a multinode Kubernetes cluster using kind
  • Implement Ingress, MetalLB, and ExternalDNS
  • Configure cluster OIDC authentication using impersonation
  • Map enterprise authorization to Kubernetes
  • Secure clusters using PSPs and OPA
  • Enhance auditing using Falco and EFK
  • Back up your workload for disaster recovery and cluster migration
  • Deploy to a platform using Tekton, GitLab, and ArgoCD

Who this book is for

This book is for anyone interested in DevOps, containerization, and going beyond basic Kubernetes cluster deployments. DevOps engineers, developers, and system administrators looking to enhance their IT career paths will also find this book helpful. Although some prior experience with Docker and Kubernetes is recommended, this book includes a Kubernetes bootcamp that provides a description of Kubernetes objects to help you if you are new to the topic or need a refresher.

Table of contents

  1. Kubernetes and Docker – An Enterprise Guide
  2. Why subscribe?
  3. Foreword
  4. Contributors
  5. About the authors
  6. About the reviewer
  7. Packt is searching for authors like you
  8. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Code in Action
    6. Download the color images
    7. Conventions used
    8. Get in touch
    9. Reviews
  9. Section 1: Docker and Container Fundamentals
  10. Chapter 1: Docker and Container Essentials
    1. Technical requirements
    2. Understanding the need for containerization
      1. Introducing Docker
    3. Understanding Docker
      1. Containers are ephemeral
      2. Docker images
      3. Image layers
      4. Persistent data
      5. Accessing services running in containers
    4. Installing Docker
      1. Preparing to install Docker
      2. Installing Docker on Ubuntu
      3. Granting Docker permissions
    5. Using the Docker CLI
      1. docker help
      2. docker run
      3. docker ps
      4. docker start and stop
      5. docker attach
      6. docker exec
      7. docker logs
      8. docker rm
    6. Summary
    7. Questions
  11. Chapter 2: Working with Docker Data
    1. Technical requirements
    2. Why you need persistent data
    3. Docker volumes
      1. Creating a volume using the CLI
      2. Mounting a volume in a container
      3. Mounting an existing volume
      4. Mounting a volume in multiple containers
      5. Listing Docker volumes
      6. Cleaning up volumes
    4. Docker bind mounts
    5. Docker tmpfs mounts
      1. Using a tmpfs mount in a container
    6. Summary
    7. Questions
  12. Chapter 3: Understanding Docker Networking
    1. Technical requirements
    2. Exploring Docker networking
      1. A quick TCP/IP port refresher
      2. Binding a port to a service
      3. Docker networking drivers
      4. The default bridge network
      5. Viewing the available networks
      6. Retrieving details on a network
    3. Creating user-defined bridge networks
      1. Connecting a container to a user-defined network
      2. Changing the network on a running container
      3. Removing a network
      4. Running a container without networking
      5. Exposing container services
      6. Exposing ports using a host network
      7. Exposing ports using a bridge network
    4. Summary
    5. Questions
  13. Section 2: Creating Kubernetes Development Clusters, Understanding Objects, and Exposing Services
  14. Chapter 4: Deploying Kubernetes Using KinD
    1. Technical requirements
    2. Introducing Kubernetes components and objects
      1. Interacting with a cluster
    3. Using development clusters
      1. Why did we select KinD for this book?
      2. Working with a base KinD Kubernetes cluster
      3. Understanding the node image
      4. KinD and Docker networking
        1. Keeping track of the nesting dolls
    4. Installing KinD
      1. Installing KinD – prerequisites
        1. Installing Kubectl
        2. Installing Go
      2. Installing the KinD binary
    5. Creating a KinD cluster
      1. Creating a simple cluster
      2. Deleting a cluster
      3. Creating a cluster config file
      4. Multi-node cluster configuration
      5. Customizing the control plane and Kubelet options
      6. Creating a custom KinD cluster
      7. Installing Calico
      8. Installing an Ingress controller
    6. Reviewing your KinD cluster
      1. KinD storage objects
      2. Storage drivers
      3. KinD storage classes
      4. Using KinD's storage provisioner
    7. Adding a custom load balancer for Ingress
      1. Installation prerequisites
      2. Creating the KinD cluster configuration
      3. Deploying a custom HAProxy container
      4. Understanding HAProxy traffic flow
      5. Simulating a Kubelet failure
      6. Deleting the HAProxy container
    8. Summary
    9. Questions
  15. Chapter 5: Kubernetes Bootcamp
    1. Technical requirements
    2. An overview of Kubernetes components
    3. Exploring the control plane
      1. The Kubernetes API server
      2. The Etcd database
      3. kube-scheduler
      4. kube-controller-manager
      5. cloud-controller-manager
    4. Understanding the worker node components
      1. kubelet
      2. kube-proxy
      3. Container runtime
    5. Interacting with the API server
      1. Using the Kubernetes kubectl utility
      2. Understanding the verbose option
      3. General kubectl commands
    6. Introducing Kubernetes objects
      1. Kubernetes manifests
      2. What are Kubernetes objects?
      3. Reviewing Kubernetes objects
        1. ConfigMaps
        2. Endpoints
        3. Events
        4. Namespaces
        5. Nodes
        6. Persistent Volume Claims
        7. PVs
        8. Pods
        9. Replication controllers
        10. ResourceQuotas
        11. Secrets
        12. Service accounts
        13. Services
        14. CustomResourceDefinitions
        15. DaemonSets
        16. Deployments
        17. ReplicaSets
        18. StatefulSets
        19. HorizontalPodAutoscalers
        20. CronJobs
        21. Jobs
        22. Events
        23. Ingresses
        24. NetworkPolicies
        25. PodSecurityPolicies
        26. ClusterRoleBindings
        27. ClusterRoles
        28. RoleBindings
        29. Roles
        30. CsiDrivers
        31. CsiNodes
        32. StorageClasses
    7. Summary
    8. Questions
  16. Chapter 6: Services, Load Balancing, and External DNS
    1. Technical requirements
    2. Exposing workloads to requests
      1. Understanding how services work
        1. Creating a service
        2. Using DNS to resolve services
      2. Understanding different service types
        1. The ClusterIP service
        2. The NodePort service
        3. The LoadBalancer service
        4. The ExternalName service
    3. Introduction to load balancers
      1. Understanding the OSI model
    4. Layer 7 load balancers
      1. Name resolution and layer 7 load balancers
      2. Using nip.io for name resolution
      3. Creating Ingress rules
    5. Layer 4 load balancers
      1. Layer 4 load balancer options
      2. Using MetalLB as a layer 4 load balancer
        1. Installing MetalLB
        2. Understanding MetalLB's configuration file
        3. MetalLB components
      3. Creating a LoadBalancer service
      4. Adding multiple IP pools to MetalLB
        1. Using multiple protocols
      5. Multiple protocol issues
      6. Using multiple protocols with MetalLB
      7. Using shared-IPs
    6. Making service names available externally
      1. Setting up external-dns
      2. Integrating external-dns and CoreDNS
      3. Adding an ETCD zone to CoreDNS
      4. Creating a LoadBalancer service with external-dns integration
        1. Integrating CoreDNS with an enterprise DNS
    7. Summary
    8. Questions
  17. Section 3: Running Kubernetes in the Enterprise
  18. Chapter 7: Integrating Authentication into Your Cluster
    1. Technical requirements
    2. Understanding how Kubernetes knows who you are
      1. External users
      2. Groups in Kubernetes
      3. Service accounts
    3. Understanding OpenID Connect
      1. The OpenID Connect protocol
      2. Following OIDC and the API's interaction
        1. id_token
      3. Other authentication options
        1. Certificates
        2. Service accounts
        3. TokenRequest API
        4. Custom authentication webhooks
        5. Keystone
    4. Configuring KinD for OpenID Connect
      1. Addressing the requirements
        1. Use Active Directory Federation Services
        2. Mapping Active Directory Groups to RBAC RoleBindings
        3. Kubernetes Dashboard access
        4. Kubernetes CLI access
        5. Enterprise compliance requirements
        6. Pulling it all together
      2. Deploying OIDC
        1. Deploying OpenUnison
        2. Configuring the Kubernetes API to use OIDC
        3. Verifying OIDC integration
        4. Using your tokens with kubectl
    5. Introducing impersonation to integrate authentication with cloud-managed clusters
      1. What is Impersonation?
      2. Security considerations
    6. Configuring your cluster for impersonation
      1. Testing impersonation
    7. Configuring Impersonation without OpenUnison
      1. Impersonation RBAC policies
      2. Default groups
    8. Summary
    9. Questions
  19. Chapter 8: RBAC Policies and Auditing
    1. Technical requirements
    2. Introduction to RBAC
    3. What's a Role?
      1. Identifying a Role
      2. Roles versus ClusterRoles
      3. Negative Roles
      4. Aggregated ClusterRoles
      5. RoleBindings and ClusterRoleBindings
        1. Combining ClusterRoles and RoleBindings
    4. Mapping enterprise identities to Kubernetes to authorize access to resources
    5. Implementing namespace multi-tenancy
    6. Kubernetes auditing
      1. Creating an audit policy
      2. Enabling auditing on a cluster
    7. Using audit2rbac to debug policies
    8. Summary
    9. Questions
  20. Chapter 9: Deploying a Secured Kubernetes Dashboard
    1. Technical requirements
    2. How does the dashboard know who you are?
      1. Dashboard architecture
      2. Authentication methods
    3. Understanding dashboard security risks
      1. Deploying an insecure dashboard
      2. Using a token to log in
    4. Deploying the dashboard with a reverse proxy
      1. Local dashboards
      2. Other cluster-level applications
    5. Integrating the dashboard with OpenUnison
    6. Summary
    7. Questions
  21. Chapter 10: Creating PodSecurityPolicies
    1. Technical requirements
    2. What is a PodSecurityPolicy?
      1. Understanding the difference between containers and VMs
      2. Container breakouts
      3. Properly designing containers
        1. PSP details
        2. Assigning a PSP
    3. Aren't they going away?
    4. Enabling PSPs
    5. Alternatives to PSPs
    6. Summary
    7. Questions
  22. Chapter 11: Extending Security Using Open Policy Agent
    1. Technical requirements
    2. Introduction to dynamic admission controllers
    3. What is OPA and how does it work?
      1. OPA architecture
      2. Rego, the OPA policy language
      3. GateKeeper
        1. Deploying GateKeeper
      4. Automated testing framework
    4. Using Rego to write policies
      1. Developing an OPA policy
      2. Testing an OPA policy
      3. Deploying policies to GateKeeper
      4. Building dynamic policies
      5. Debugging Rego
      6. Using existing policies
    5. Enforcing memory constraints
      1. Enabling the GateKeeper cache
      2. Mocking up test data
      3. Building and deploying our policy
    6. Enforcing Pod Security Policies using OPA
    7. Summary
    8. Questions
  23. Chapter 12: Auditing using Falco and EFK
    1. Technical requirements
    2. Exploring auditing
    3. Introducing Falco
    4. Exploring Falco's configuration files
      1. The falco.yaml configuration file
      2. Falco rules config files
        1. Understanding rules
        2. Understanding conditions (fields and values)
        3. Using macros
        4. Understanding lists
      3. Creating and appending to custom rules
        1. Appending to an existing rule
        2. Creating a new rule
    5. Deploying Falco
    6. Falco kernel module
      1. Creating a kernel module using installed kernel headers
      2. Using headers to create the Falco module
      3. Creating a kernel module using driverkit
        1. Driverkit requirements
        2. Installing Falco's driverkit
        3. Creating the module and adding it to the host
      4. Using the module on a cluster
      5. Using the module in KinD
      6. Deploying the Falco Daemonset
        1. Creating the Falco service account and service
      7. Deploying EFK
        1. Creating a new namespace
        2. Adding chart repos to Helm
        3. Deploying the Elasticsearch chart
        4. Deploying Fluentd
        5. Deploying Falcosidekick
        6. Deploying Kibana
        7. Creating an ingress rule for Kibana
        8. Using the Kibana dashboard
    7. Summary
    8. Questions
  24. Chapter 13: Backing Up Workloads
    1. Technical requirements
    2. Understanding Kubernetes backups
    3. Performing an etcd backup
      1. Backing up the required certificates
      2. Backing up the etcd database
    4. Introducing and setting up Heptio's Velero
      1. Velero requirements
      2. Installing the Velero CLI
      3. Installing Velero
        1. Backup storage location
        2. Deploying MinIO
        3. Exposing the MinIO dashboard
        4. Creating the S3 target configuration
    5. Using Velero to back up workloads
      1. Running a one-time cluster backup
      2. Scheduling a cluster backup
      3. Creating a custom backup
    6. Managing Velero using the CLI
      1. Using common Velero commands
        1. Listing Velero objects
        2. Retrieving details for a Velero object
        3. Creating and deleting objects
    7. Restoring from a backup
      1. Restoring in action
        1. Restoring a deployment from a backup
        2. Backing up the namespace
        3. Simulating a failure
      2. Restoring a namespace
      3. Using a backup to create workloads in a new cluster
        1. Backing up the cluster
        2. Building a new cluster
      4. Restoring a backup to the new cluster
        1. Installing Velero in the new cluster
        2. Restoring a backup in a new cluster
        3. Deleting the new cluster
    8. Summary
    9. Questions
  25. Chapter 14: Provisioning a Platform
    1. Technical requirements
    2. Designing a pipeline
      1. Opinionated platforms
      2. Securing your pipeline
      3. Building our platform's requirements
      4. Choosing our technology stack
    3. Preparing our cluster
      1. Deploying cert-manager
      2. Deploying the Docker container registry
      3. Deploying OpenUnison
    4. Deploying GitLab
      1. Creating example projects
    5. Deploying Tekton
      1. Building Hello World
      2. Building automatically
    6. Deploying ArgoCD
    7. Automating project onboarding using OpenUnison
      1. Integrating GitLab
      2. Integrating ArgoCD
      3. Updating OpenUnison
    8. Summary
    9. Questions
  26. Assessments
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
    14. Chapter 14
  27. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Kubernetes and Docker - An Enterprise Guide
  • Author(s): Scott Surovich, Marc Boorshtein
  • Release date: November 2020
  • Publisher(s): Packt Publishing
  • ISBN: 9781839213403