book

Kubernetes: Up and Running, 3rd Edition

by Brendan Burns, Joe Beda, Kelsey Hightower, Lachlan Evenson

August 2022

Intermediate to advanced

328 pages

8h 22m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Includes

Quizzes

Sandbox

Preface
Who Should Read This BookWhy We Wrote This BookWhy We Updated This BookA Word on Cloud Native Applications TodayNavigating This BookOnline ResourcesConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
1. Introduction
VelocityThe Value of ImmutabilityDeclarative ConfigurationSelf-Healing SystemsScaling Your Service and Your TeamsDecouplingEasy Scaling for Applications and ClustersScaling Development Teams with MicroservicesSeparation of Concerns for Consistency and ScalingAbstracting Your InfrastructureEfficiencyCloud Native EcosystemSummary
2. Creating and Running Containers
Container ImagesBuilding Application Images with DockerDockerfilesOptimizing Image SizesImage SecurityMultistage Image BuildsStoring Images in a Remote RegistryThe Container Runtime InterfaceRunning Containers with DockerExploring the kuard ApplicationLimiting Resource UsageCleanupSummary
3. Deploying a Kubernetes Cluster
Installing Kubernetes on a Public Cloud ProviderInstalling Kubernetes with Google Kubernetes EngineInstalling Kubernetes with Azure Kubernetes ServiceInstalling Kubernetes on Amazon Web ServicesInstalling Kubernetes Locally Using minikubeRunning Kubernetes in DockerThe Kubernetes ClientChecking Cluster StatusListing Kubernetes NodesCluster ComponentsKubernetes ProxyKubernetes DNSKubernetes UISummary
4. Common kubectl Commands
NamespacesContextsViewing Kubernetes API ObjectsCreating, Updating, and Destroying Kubernetes ObjectsLabeling and Annotating ObjectsDebugging CommandsCluster ManagementCommand AutocompletionAlternative Ways of Viewing Your ClusterSummary
5. Pods
Pods in KubernetesThinking with PodsThe Pod ManifestCreating a PodCreating a Pod ManifestRunning PodsListing PodsPod DetailsDeleting a PodAccessing Your PodGetting More Information with LogsRunning Commands in Your Container with execCopying Files to and from ContainersHealth ChecksLiveness ProbeReadiness ProbeStartup ProbeAdvanced Probe ConfigurationOther Types of Health ChecksResource ManagementResource Requests: Minimum Required ResourcesCapping Resource Usage with LimitsPersisting Data with VolumesUsing Volumes with PodsDifferent Ways of Using Volumes with PodsPutting It All TogetherSummary
6. Labels and Annotations
LabelsApplying LabelsModifying LabelsLabel SelectorsLabel Selectors in API ObjectsLabels in the Kubernetes ArchitectureAnnotationsCleanupSummary
7. Service Discovery
What Is Service Discovery?The Service ObjectService DNSReadiness ChecksLooking Beyond the ClusterLoad Balancer IntegrationAdvanced DetailsEndpointsManual Service Discoverykube-proxy and Cluster IPsCluster IP Environment VariablesConnecting with Other EnvironmentsConnecting to Resources Outside of a ClusterConnecting External Resources to Services Inside a ClusterCleanupSummary
8. HTTP Load Balancing with Ingress
Ingress Spec Versus Ingress ControllersInstalling ContourConfiguring DNSConfiguring a Local hosts FileUsing IngressSimplest UsageUsing HostnamesUsing PathsCleanupAdvanced Ingress Topics and GotchasRunning Multiple Ingress ControllersMultiple Ingress ObjectsIngress and NamespacesPath RewritingServing TLSAlternate Ingress ImplementationsThe Future of IngressSummary
9. ReplicaSets
Reconciliation LoopsRelating Pods and ReplicaSetsAdopting Existing ContainersQuarantining ContainersDesigning with ReplicaSetsReplicaSet SpecPod TemplatesLabelsCreating a ReplicaSetInspecting a ReplicaSetFinding a ReplicaSet from a PodFinding a Set of Pods for a ReplicaSetScaling ReplicaSetsImperative Scaling with kubectl scaleDeclaratively Scaling with kubectl applyAutoscaling a ReplicaSetDeleting ReplicaSetsSummary

10. Deployments
Your First DeploymentCreating DeploymentsManaging DeploymentsUpdating DeploymentsScaling a DeploymentUpdating a Container ImageRollout HistoryDeployment StrategiesRecreate StrategyRollingUpdate StrategySlowing Rollouts to Ensure Service HealthDeleting a DeploymentMonitoring a DeploymentSummary
11. DaemonSets
DaemonSet SchedulerCreating DaemonSetsLimiting DaemonSets to Specific NodesAdding Labels to NodesNode SelectorsUpdating a DaemonSetDeleting a DaemonSetSummary
12. Jobs
The Job ObjectJob PatternsOne ShotParallelismWork QueuesCronJobsSummary
13. ConfigMaps and Secrets
ConfigMapsCreating ConfigMapsUsing a ConfigMapSecretsCreating SecretsConsuming SecretsPrivate Container RegistriesNaming ConstraintsManaging ConfigMaps and SecretsListingCreatingUpdatingSummary
14. Role-Based Access Control for Kubernetes
Role-Based Access ControlIdentity in KubernetesUnderstanding Roles and Role BindingsRoles and Role Bindings in KubernetesTechniques for Managing RBACTesting Authorization with can-iManaging RBAC in Source ControlAdvanced TopicsAggregating ClusterRolesUsing Groups for BindingsSummary
15. Service Meshes
Encryption and Authentication with Mutal TLSTraffic ShapingIntrospectionDo You Really Need a Service Mesh?Introspecting a Service Mesh ImplementationService Mesh LandscapeSummary
16. Integrating Storage Solutions and Kubernetes
Importing External ServicesServices Without SelectorsLimitations of External Services: Health CheckingRunning Reliable SingletonsRunning a MySQL SingletonDynamic Volume ProvisioningKubernetes-Native Storage with StatefulSetsProperties of StatefulSetsManually Replicated MongoDB with StatefulSetsAutomating MongoDB Cluster CreationPersistent Volumes and StatefulSetsOne Final Thing: Readiness ProbesSummary
17. Extending Kubernetes
What It Means to Extend KubernetesPoints of ExtensibilityPatterns for Custom ResourcesJust DataCompilersOperatorsGetting StartedSummary
18. Accessing Kubernetes from Common Programming Languages
The Kubernetes API: A Client’s PerspectiveOpenAPI and Generated Client LibrariesBut What About kubectl x?Programming the Kubernetes APIInstalling the Client LibrariesAuthenticating to the Kubernetes APIAccessing the Kubernetes APIPutting It All Together: Listing and Creating Pods in Python, Java, and .NETCreating and Patching ObjectsWatching Kubernetes APIs for ChangesInteracting with PodsSummary
19. Securing Applications in Kubernetes
Understanding SecurityContextSecurityContext ChallengesPod SecurityWhat Is Pod Security?Applying Pod Security StandardsService Account ManagementRole-Based Access ControlRuntimeClassNetwork PolicyService MeshSecurity Benchmark ToolsImage SecuritySummary
20. Policy and Governance for Kubernetes Clusters
Why Policy and Governance MatterAdmission FlowPolicy and Governance with GatekeeperWhat Is Open Policy Agent?Installing GatekeeperConfiguring PoliciesUnderstanding Constraint TemplatesCreating ConstraintsAuditMutationData ReplicationMetricsPolicy LibrarySummary
21. Multicluster Application Deployments
Before You Even BeginStarting at the Top with a Load-Balancing ApproachBuilding Applications for Multiple ClustersReplicated Silos: The Simplest Cross-Regional ModelSharding: Regional DataBetter Flexibility: Microservice RoutingSummary
22. Organizing Your Application
Principles to Guide UsFilesystems as the Source of TruthThe Role of Code ReviewFeature GatesManaging Your Application in Source ControlFilesystem LayoutManaging Periodic VersionsStructuring Your Application for Development, Testing, and DeploymentGoalsProgression of a ReleaseParameterizing Your Application with TemplatesParameterizing with Helm and TemplatesFilesystem Layout for ParameterizationDeploying Your Application Around the WorldArchitectures for Worldwide DeploymentImplementing Worldwide DeploymentDashboards and Monitoring for Worldwide DeploymentsSummary
A. Building Your Own Kubernetes Cluster
Parts ListFlashing ImagesFirst BootSetting Up NetworkingInstalling a Container RuntimeInstalling KubernetesSetting Up the ClusterSetting Up Cluster NetworkingSummary
Index
About the Authors

Content preview from Kubernetes: Up and Running, 3rd Edition

Chapter 19. Securing Applications in Kubernetes

Providing a secure platform to run your workloads is critical for Kubernetes to be broadly used in production. Thankfully, Kubernetes ships with many different security-focused APIs that allow you to construct a secure operating environment. The challenge is that there are many different security APIs, and you have to declaratively opt-in to use them. Using these security-focused APIs can be cumbersome and convoluted, which makes it difficult to achieve your desired security goals.

It’s important to understand the following two concepts when securing Pods in Kubernetes: defense in depth and principle of least privilege. Defense in depth is a concept where you use multiple layers of security controls across your computing systems that include Kubernetes. The principle of least privilege means giving your workloads access only to resources that are required for them to operate. Both these concepts are not destinations, but constantly applied to the ever-changing computing system landscape.

In this chapter, we will take a look at security-focused Kubernetes APIs that can be incrementally applied to help secure your workloads at the Pod level.

Understanding SecurityContext

At the core of securing Pods is SecurityContext, which is an aggregation of all security-focused fields that may be applied at both the Pod and container specification level. Here are some example security controls covered by SecurityContext:

User permissions and ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098110192Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Kubernetes: Up and Running, 3rd Edition

by Brendan Burns, Joe Beda, Kelsey Hightower, Lachlan Evenson

Chapter 19. Securing Applications in Kubernetes

Understanding SecurityContext

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.