book

Managing Kubernetes

by Brendan Burns, Craig Tracey

November 2018

Intermediate to advanced

185 pages

4h 39m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Who should read This BookWhy we wrote This BookNavigating This BookConventions Used in This BookUsing Code ExamplesO’Reilly SafariHow to Contact UsAcknowledgments
How the Cluster OperatesAdjust, Secure, and Tune the ClusterResponding When Things Go WrongExtending the System with New and Custom FunctionalitySummary
ContainersContainer OrchestrationThe Kubernetes APIBasic Objects: Pods, ReplicaSets, and ServicesOrganizing Your Cluster with Namespaces, Labels, and AnnotationsAdvanced Concepts: Deployments, Ingress, and StatefulSetsBatch Workloads: Job and ScheduledJobCluster Agents and Utilities: DaemonSetsSummary
ConceptsDeclarative ConfigurationReconciliation or ControllersImplicit or Dynamic GroupingStructureUnix Philosophy of Many ComponentsAPI-Driven InteractionsComponentsHead Node ComponentsComponents On All NodesScheduled ComponentsSummary
Basic Characteristics for ManageabilityPieces of the API ServerAPI ManagementAPI PathsAPI DiscoveryOpenAPI Spec ServingAPI TranslationRequest ManagementTypes of RequestsLife of a RequestAPI Server InternalsCRD Control LoopDebugging the API ServerBasic LogsAudit LogsActivating Additional LogsDebugging kubectl RequestsSummary
An Overview of SchedulingScheduling ProcessPredicatesPrioritiesHigh-Level AlgorithmConflictsControlling Scheduling with Labels, Affinity, Taints, and TolerationsNode SelectorsNode AffinityTaints and TolerationsSummary
kubeadmRequirementskubeletInstalling the Control Planekubeadm ConfigurationPreflight ChecksCertificatesetcdkubeconfigTaintsInstalling Worker NodesAdd-OnsPhasesHigh AvailabilityUpgradesSummary
UsersAuthenticationkubeconfigService AccountsSummary
RESTAuthorizationRole-Based Access ControlRole and ClusterRoleRoleBinding and ClusterRoleBindingTesting AuthorizationSummary
ConfigurationCommon ControllersPodSecurityPoliciesResourceQuotaLimitRangeDynamic Admission ControllersValidating Admission ControllersMutating Admission ControllersSummary

Container Network InterfaceChoosing a Plug-inkube-proxyService DiscoveryDNSEnvironment VariablesNetwork PolicyService MeshSummary
Goals for MonitoringDifferences Between Logging and MonitoringBuilding a Monitoring StackGetting Data from Your Cluster and ApplicationsAggregating Metrics and Logs from Multiple SourcesStoring Data for Retrieval and QueryingVisualizing and Interacting with Your DataWhat to Monitor?Monitoring MachinesMonitoring KubernetesMonitoring ApplicationsBlackbox MonitoringStreaming LogsAlertingSummary
High AvailabilityStateApplication DataPersistent VolumesLocal DataWorker NodesetcdArkSummary
Kubernetes Extension PointsCluster DaemonsUse Cases for Cluster DaemonsInstalling a Cluster DaemonOperational Considerations for Cluster DaemonsHands-On: Example of Creating a Cluster DaemonCluster AssistantsUse Cases for Cluster AssistantsInstalling a Cluster AssistantOperational Considerations for Cluster AssistantsHands-On: Example of Cluster AssistantsExtending the Life Cycle of the API ServerUse Cases for Extending the API Life CycleInstalling API Life Cycle ExtensionsOperational Considerations for Life Cycle ExtensionsHands-On: Example of Life Cycle ExtensionsAdding Custom APIs to KubernetesUse Cases for Adding New APIsCustom Resource Definitions and Aggregated API ServersArchitecture for Custom Resource DefinitionsInstalling Custom Resource DefinitionsOperational Considerations for Custom ResourcesSummary

Content preview from Managing Kubernetes

Chapter 8. Authorization

Authentication is only the first challenge for a Kubernetes API request. As we introduced in Chapter 7, there are two additional tests for every request: access control and admission control. Although authentication is a critical component for ensuring that only trusted users can effect change on a cluster, as we explore in this chapter, authentication also becomes the enabler for fine-grained control concerning what those users may do.

Beyond just verifying a user’s authenticity and determining levels of access, we also want to be sure that every request conforms to our business needs. Every organization has a number of implemented standards. These policies and procedures help us make sense of the complex infrastructures that are required to bring applications to production environments. In this chapter, we take a look at how Kubernetes stands in support of this with admission controllers.

REST

As we have already covered, the Kubernetes API is a RESTful API. The advantageous properties of a RESTful APIs are many (e.g., scalability and portability), but its simple structure is what enables us to determine levels of access within Kubernetes.

For readers who may not be familiar with REST, the semantics are straightforward: resources are manipulated using verbs. As in traditional languages, if we ask someone to “delete the Pod,” we do so with a noun and a verb. REST APIs function in the same way.

To illustrate this concept, let’s look precisely at how