book

The Kubernetes Bible - Second Edition

Name: The Kubernetes Bible - Second Edition
ISBN: 9781835464717

by Gineesh Madapparambath, Russ McKendrick

November 2024

Intermediate to advanced

720 pages

19h 47m

English

Packt Publishing

Read now

Unlock full access

Preface
Who this book is forWhat this book coversTo get the most out of this bookGet in touchLeave a Review!
Kubernetes Fundamentals
Understanding monoliths and microservicesUnderstanding the growth of the internet since the late 1990sUnderstanding the need for more frequent software releasesUnderstanding the organizational shift to agile methodologiesUnderstanding the shift from on-premises to the cloudUnderstanding why the cloud is well suited for scalabilityExploring the monolithic architectureExploring the microservices architectureChoosing between monolithic and microservices architecturesUnderstanding containersUnderstanding why containers are good for microservicesUnderstanding the benefits of container isolationContainer enginesThe basics of containers Container imageContainerContainer registryDockerfile or ContainerfileDocker Compose or Podman ComposeHow can Kubernetes help you to manage your containers?Kubernetes – designed to run workloads in productionKubeVirt – a bridge between containers and VMsUnderstanding the history of KubernetesUnderstanding how and where Kubernetes startedWho manages Kubernetes today?Where is Kubernetes today?Where is Kubernetes going?Exploring the problems that Kubernetes solvesEnsuring high availabilityRelease management and container deploymentAutoscaling containersNetwork isolationRole-Based Access Control (RBAC)Stateful workloads Resource managementWhen and where is Kubernetes not the solution?SummaryFurther reading
Kubernetes Architecture – from Container Images to Running Pods
Technical requirementsThe name – KubernetesUnderstanding the difference between the control plane nodes and compute nodesThe master and worker nodesLinux and Windows containersKubernetes componentsControl plane componentsCompute node componentsAdd-on componentsControl plane in managed Kubernetes clustersThe Control Plane Componentskube-apiserverThe role of kube-apiserverHow do you run kube-apiserver?Where do you run kube-apiserver?The etcd datastoreWhere do you run etcd?Operating etcd clusters for KubernetesLearning more about etcdkube-schedulerWhere do you install kube-scheduler?kube-controller-managerWhere do you run kube-controller-manager?cloud-controller-managerWhere do you run cloud-controller-manager?The compute node componentsContainer engine and container runtimeContainer Runtime InterfacekubeletThe kube-proxy componentExploring the kubectl command-line tool and YAML syntaxInstalling the kubectl command-line toolKubernetes Legacy Package RepositoriesInstalling kubectl on LinuxInstalling kubectl on macOSInstalling kubectl on WindowsThe role of kubectlHow does kubectl work?kubectl auto-completionThe imperative syntaxThe declarative syntaxHow to make Kubernetes highly availableThe single-node clusterThe single-master clusterThe multi-master multi-node clusterManaging etcd in Kubernetes with multiple control plane nodesSummaryFurther reading
Installing Your First Kubernetes Cluster
Technical requirementsInstalling a Kubernetes cluster with minikubeInstalling minikubeInstalling minikube on LinuxInstalling minikube on macOSInstalling minikube on Windowsminikube configurationsDrivers for minikubeLaunching a single-node Kubernetes cluster using minikubeSetting up minikube using VMsSetting up minikube using a containerAccessing the Kubernetes cluster created by minikubeStopping and deleting the local minikube clusterMulti-node Kubernetes cluster using minikubeMulti-master Kubernetes cluster using minikubeMultiple Kubernetes clusters using minikubeMulti-node Kubernetes cluster with kindInstalling kind onto your local systemCreating a Kubernetes cluster with kindStopping and deleting the local kind clusterAlternative Kubernetes learning environmentsPlay with KubernetesKillercoda Kubernetes playgroundProduction-grade Kubernetes clustersManaged Kubernetes clusters using cloud servicesKubernetes distributionsKubernetes installation toolsHybrid and multi-cloud solutionsChoosing the right environmentRunning Kubernetes On-Premises: Challenges and ConsiderationsSummaryFurther reading
Running Your Containers in Kubernetes
Technical requirementsLet’s explain the notion of PodsWhat are Pods?Each Pod gets an IP addressHow should you design your Pods?Launching your first PodsCreating a Pod with imperative syntaxTags versus digests – ensuring image consistencyCreating a Pod with declarative syntaxNamespaces in KubernetesReading the Pod’s information and metadataListing the objects in JSON or YAMLBacking up your resource using the list operationGetting more information from the list operationAccessing a Pod from the outside worldEntering a container inside a PodDeleting a PodLabeling and annotating the PodsWhat are labels and why do we need them?What are annotations and how do they differ from labels?Adding a labelListing labels attached to a PodAdding or updating a label to/of a running PodDeleting a label attached to a running PodAdding an annotationLaunching your first JobWhat are Jobs?Creating a job with restartPolicyUnderstanding the job’s backoffLimitRunning a task multiple times using completionsRunning a task multiple times in parallelTerminating a job after a specific amount of timeWhat happens if a job succeeds?Deleting a jobLaunching your first CronJobWhat are CronJobs?Preparing your first CronJobUnderstanding the schedule keyUnderstanding the role of the jobTemplate sectionControlling the CronJob execution deadlineManaging the history limits of jobsCreating a CronJobDeleting a CronJobSummaryFurther reading
Using Multi-Container Pods and Design Patterns
Technical requirementsUnderstanding what multi-container Pods areConcrete scenarios where you need multi-container PodsCreating a Pod made up of two containersWhat happens when Kubernetes fails to launch one container in a Pod?Deleting a multi-container PodUnderstanding the Pod deletion grace periodAccessing a specific container inside a multi-container PodRunning commands in containersOverriding the default commands run by the containersIntroducing initContainersAccessing the logs of a specific containerSharing volumes between containers in the same PodWhat are Kubernetes volumes?Creating and mounting an emptyDir volumeCreating and mounting a hostPath volumeThe ambassador design patternWhat is the ambassador design pattern?Ambassador multi-container Pod – an exampleThe sidecar design patternWhat is the sidecar design pattern?When to use a Sidecar design pattern?Sidecar multi-container Pod – an exampleThe adapter design patternAdapter multi-container Pod – an exampleSidecars versus Kubernetes Native SidecarsSummaryFurther reading
Namespaces, Quotas, and Limits for Multi-Tenancy in Kubernetes
Technical requirementsIntroduction to Kubernetes namespacesThe importance of namespaces in KubernetesHow namespaces are used to split resources into chunksUnderstanding default namespacesHow namespaces impact your resources and servicesListing namespaces inside your clusterRetrieving the data of a specific namespaceCreating a namespace using imperative syntaxCreating a namespace using declarative syntaxDeleting a namespaceCreating a resource inside a namespaceListing resources inside a specific namespaceSetting the current namespace using kubectl config set-contextListing all the resources inside a specific namespaceRecognizing how names are scoped within a namespaceUnderstanding that not all resources are in a namespaceResolving a service using namespacesBest practices for Kubernetes namespacesConfiguring ResourceQuota and Limit at the namespace levelUnderstanding the need to set ResourceQuotasUnderstanding how Pods consume these resourcesUnderstanding how Pods can require computing resourcesBut what do these metrics mean?Understanding how you can limit resource consumptionUnderstanding why you need ResourceQuotaCreating a ResourceQuotaStorage resource quotasListing ResourceQuotaDeleting ResourceQuotaIntroducing LimitRangeListing LimitRangesDeleting LimitRangeSummaryFurther reading
Configuring Your Pods Using ConfigMaps and Secrets
Technical requirementsUnderstanding what ConfigMaps and Secrets areDecoupling your application and your configurationUnderstanding how Pods consume ConfigMaps and SecretsConfiguring your Pods using ConfigMapsListing ConfigMapsCreating a ConfigMapCreating a ConfigMap from literal valuesStoring entire configuration files in a ConfigMapCreating a ConfigMap from an env fileReading values inside a ConfigMapLinking ConfigMaps as environment variablesUsing kubectl port-forwardMounting a ConfigMap as a volume mountDeleting a ConfigMapUpdating a ConfigMapImmutable ConfigMapsManaging sensitive configuration with the Secret objectListing SecretsCreating a Secret imperatively with --from-literalCreating a Secret declaratively with a YAML fileCreating a Secret with content from a fileReading a SecretConsuming a Secret as an environment variableConsuming a Secret as a volume mountDeleting a SecretUpdating a SecretSummaryFurther reading
Exposing Your Pods with Services
Technical requirementsWhy would you want to expose your Pods?Cluster networking in KubernetesIP address management in KubernetesLearning about network pluginsWhat is a service mesh?Understanding Pod IP assignmentUnderstanding the dynamics of Pod IP assignment in KubernetesNot hardcoding the Pod’s IP address in application developmentUnderstanding how Services route traffic to PodsUnderstanding round-robin load balancing in KubernetesUnderstanding how to call a Service in KubernetesUnderstanding how DNS names are generated for ServicesHow Services discover and route traffic to Pods in KubernetesUsing a utility Pod for debugging your ServicesUnderstanding the drawbacks of direct kubectl expose in KubernetesUnderstanding how DNS names are generated for ServicesUnderstanding the different types of ServicesThe NodePort ServiceWhy do you need NodePort Services?Creating two containous/whoami PodsUnderstanding NodePort YAML definitionMaking sure NodePort works as expectedIs this setup production-ready?Listing NodePort ServicesAdding more Pods to NodePort ServicesDescribing NodePort ServicesDeleting ServicesNodePort or kubectl port-forward?The ClusterIP ServiceWhy do you need ClusterIP Services?How do I know if I need NodePort or ClusterIP Services to expose my Pods?Listing ClusterIP ServicesCreating ClusterIP Services using the imperative wayDescribing ClusterIP ServicesCreating ClusterIP Services using the declarative wayUnderstanding headless ServicesThe LoadBalancer ServiceSupported cloud providers for the LoadBalancer Service typeShould the LoadBalancer Service type be used?The ExternalName Service typeImplementing Service readiness using probesWhat is ReadinessProbe and why do you need it?Implementing ReadinessProbeWhat is LivenessProbe and why do you need it?Implementing LivenessProbeHTTP livenessProbeCommand livenessProbeTCP livenessProbeUsing named Port with TCP and HTTP livenessProbeUsing startupProbeUsing ReadinessProbe and LivenessProbe togetherSummaryFurther reading
Persistent Storage in Kubernetes
Technical requirementsWhy use persistent storage?Introducing VolumesIntroducing PersistentVolumesIntroducing PersistentVolume typesBenefits brought by PersistentVolumeIntroducing PersistentVolume access modesCreating our first PersistentVolume objectHow does Kubernetes PersistentVolumes handle storage?Creating PersistentVolume with raw block volumeCan Kubernetes handle the provisioning or creation of the resource itself?Understanding how to mount a PersistentVolume to your PodIntroducing PersistentVolumeClaimSplitting storage creation and storage consumptionUnderstanding the PersistentVolume workflowCreating a Pod with a PersistentVolumeClaim objectUnderstanding the life cycle of a PersistentVolume object in KubernetesUnderstanding why PersistentVolume objects are not bound to namespacesReclaiming a PersistentVolume objectUpdating a reclaim policyUnderstanding PersistentVolume and PersistentVolumeClaim statusesUnderstanding static and dynamic PersistentVolume provisioningStatic versus dynamic provisioningIntroducing dynamic provisioningIntroduction to CSIIntroducing StorageClassesUnderstanding the role of PersistentVolumeClaim for dynamic storage provisioningAdvanced storage topicsEphemeral volumes for temporary storage in KubernetesCSI volume cloning and volume snapshotsLearning how to expand PersistentVolumeClaimSummaryFurther reading

Running Production-Grade Kubernetes Workloads
Technical requirementsEnsuring High Availability and Fault Tolerance on KubernetesHigh availabilityFault toleranceHA and FT for Kubernetes applicationsWhat is ReplicationController?What is ReplicaSet?How does ReplicaSet differ from ReplicationController?Creating a ReplicaSet objectTesting the behavior of ReplicaSetTesting HA and FT with a ReplicaSetScaling ReplicaSetUsing Pod liveness probes together with ReplicaSetDeleting a ReplicaSet objectSummaryFurther reading
Using Kubernetes Deployments for Stateless Workloads
Technical requirementsIntroducing the Deployment objectCreating a Deployment objectExposing Deployment Pods using Service objectsCreating a Service declarativelyCreating a Service imperativelyRole of readiness, liveness, and startup probesScaling a Deployment objectDeleting a Deployment objectHow Kubernetes Deployments seamlessly handle revisions and version rolloutsUpdating a Deployment objectRolling back a Deployment objectCanary deployment strategyDeployment object best practicesUse declarative object management for DeploymentsDo not use the Recreate strategy for production workloadsDo not create Pods that match an existing Deployment label selectorCarefully set up your container probesUse meaningful and semantic image tagsMigrate from older versions of KubernetesInclude resource management in the DeploymentScaling and replica managementSecurity considerationsSummaryFurther reading
StatefulSet – Deploying Stateful Applications
Technical requirementsIntroducing the StatefulSet objectManaging state in containersManaging state in Kubernetes PodsStatefulSet and how it differs from a Deployment objectExploring the limitations of StatefulSetData management in StatefulsetReplication managementManaging StatefulSetCreating a StatefulSetUsing the headless Service and stable network identitiesState persistenceScaling StatefulSetDeleting a StatefulSetReleasing a new version of an app deployed as a StatefulSetUpdating StatefulSetRolling back StatefulSetStatefulSet best practicesUse declarative object management for StatefulSetsDo not use the TerminationGracePeriodSeconds Pod with a 0 value for StatefulSetsScale down StatefulSets before deletingEnsure state compatibility during StatefulSet rollbacksDo not create Pods that match an existing StatefulSet label selectorUse Remote Storage for the PVDefine liveness and readiness probesMonitor your StatefulSetsSummaryFurther reading
DaemonSet – Maintaining Pod Singletons on Nodes
Technical requirementsIntroducing the DaemonSet objectHow DaemonSet Pods are scheduledChecking DaemonSetsCreating and managing DaemonSetsCreating a DaemonSetPrioritizing critical DaemonSets in KubernetesModifying a DaemonSetRolling back the DaemonSetDeleting a DaemonSetCommon use cases for DaemonSetsDaemonSet best practicesAlternatives to DaemonSetsSummaryFurther reading
Working with Helm Charts and Operators
Technical requirementsUnderstanding HelmReleasing software to Kubernetes using HelmInstalling Helm on LinuxInstalling Helm on WindowsInstalling Helm on macOSInstalling from the binary releasesDeploying an example chart – WordPressDeleting a Helm releaseHelm chart anatomyInstalling Kubernetes Dashboard using Helm ChartsSecure access to the Kubernetes DashboardAccessing Dashboard WEBUIInstalling other popular solutions using Helm chartsElasticsearch with KibanaPrometheus with GrafanaSecurity considerations for Helm ChartsIntroducing Kubernetes OperatorsFrom humans to softwareHelm Charts versus Kubernetes OperatorsHow can the Operators help in the application deployment?Reusability of the automationHow Operators ensure the application stateCustom resource definitions – building blocks for OperatorsBenefits of CRDsOperator distribution mechanismBuilding your own OperatorOperator Lifecycle Manager (OLM)Enabling Kubernetes monitoring using Prometheus and GrafanaInstalling Operator Lifecycle ManagerInstalling Prometheus and Grafana Operators using OLMConfiguring Prometheus and Grafana instances using OperatorsSummaryFurther reading
Kubernetes Clusters on Google Kubernetes Engine
Technical requirementsWhat are Google Cloud Platform and Google Kubernetes Engine?Google Cloud PlatformGoogle Kubernetes EnginePreparing your local environmentCreating a projectInstalling the GCP command-line interfaceInstalling on macOSInstalling on WindowsInstalling on LinuxCloud ShellInitializationLaunching your first Google Kubernetes Engine clusterDeploying a workload and interacting with your clusterConfiguring your local clientLaunching an example workloadExploring Google Cloud ConsoleWorkloadsGateways, Services, and IngressOther GKE featuresDeleting your clusterMore about cluster nodesSummaryFurther reading
Launching a Kubernetes Cluster on Amazon Web Services with Amazon Elastic Kubernetes Service
Technical requirementsWhat are Amazon Web Services and Amazon Elastic Kubernetes Service?Amazon Web ServicesAmazon Elastic Kubernetes ServicePreparing your local environmentSigning up for an AWS accountInstalling the AWS command-line interfaceInstalling on macOSInstalling on LinuxInstalling on WindowsAWS CLI configurationInstalling eksctl, the official CLI for Amazon EKSLaunching your Amazon Elastic Kubernetes Service clusterDeploying a workload and interacting with your clusterDeploying the workloadExploring the AWS consoleDeleting your Amazon Elastic Kubernetes Service clusterSummaryFurther reading
Kubernetes Clusters on Microsoft Azure with Azure Kubernetes Service
Technical requirementsWhat are Microsoft Azure and Azure Kubernetes Service?Microsoft AzureAzure Kubernetes ServicePreparing your local environmentCreating a free Microsoft Azure accountThe Azure CLIInstalling on macOSInstalling on LinuxInstalling on WindowsConfiguring the Azure CLIAccessing Azure Cloud ShellLaunching your Azure Kubernetes Service clusterDeploying a workload and interacting with your clusterLaunching the workloadExploring the Azure portalNamespaces (Kubernetes resources)Workloads (Kubernetes resources)Services and ingresses (Kubernetes resources)Storage (Kubernetes resources)Configuration (Kubernetes resources)Custom resources (Kubernetes resources)Events (Kubernetes resources)Run command (Kubernetes resources)Node pools (Settings)Cluster configuration (Settings)Application scaling (Settings)Networking (Settings)Extensions + applications (Settings)Backup (Settings)Other options (Settings)Insights (Monitoring)Deleting your Azure Kubernetes Service clusterComparing the three public cloud offeringsSummaryFurther reading
Security in Kubernetes
Technical RequirementsAuthentication and Authorization – User Access ControlAuthentication and User ManagementThe authentication workflow in KubernetesAuthentication to the Kubernetes APIAuthentication Methods in KubernetesAuthorization and introduction to RBACRBAC mode in KubernetesAdmission Control – Security Policies and ChecksThe Two-Phase Admission ProcessMutation PhaseValidation PhaseEnabling and disabling Admission controllersCommon Admission ControllersBenefits of Admission ControllersSecuring Pods and ContainersSecuring Pods and Containers in Kubernetes Using Security ContextKey Components of SecurityContextApplying SecurityContext at Pod and Container LevelsApplying Security Context to a PodSecuring Pods using the NetworkPolicy objectWhy do you need NetworkPolicy?Understanding Pods are not isolated by defaultConfiguring NetworkPolicy with labels and selectorsSecuring Communication – TLS Certificates Between Kubernetes ComponentsContainer Security – gVisor and Kata ContainersgVisor (Guest Virtual Machine Supervisor)Kata ContainersUsing RuntimeClass for Security ProfilesManaging Secrets and Registry CredentialsUsing kubectl to create a Docker registry secretSummaryFurther reading
Advanced Techniques for Scheduling Pods
Technical requirementsRefresher – What is kube-scheduler?Managing Node affinityUsing nodeName for PodsUsing nodeSelector for PodsUsing the nodeAffinity configuration for PodsUsing Node taints and tolerationsUnderstanding Static Pods in KubernetesExtended scheduler configurations in KubernetesScheduler configurationNode isolation and restrictionsTuning Kubernetes scheduler performanceSummaryFurther reading
Autoscaling Kubernetes Pods and Nodes
Technical requirementsPod resource requests and limitsAutoscaling Pods vertically using a VerticalPodAutoscalerEnabling InPlacePodVerticalScalingEnabling a VPA in GKEEnabling a VPA for other Kubernetes clustersUsing a VPAAutoscaling Pods horizontally using a HorizontalPodAutoscalerDeploying the app for HPA demonstrationImplementing an HPAAutoscaling Kubernetes Nodes using a Cluster AutoscalerCA limitationsEnabling the CA in GKEEnabling a CA in Amazon Elastic Kubernetes ServiceEnabling a CA in Azure Kubernetes ServiceUsing the CAAlternative autoscalers for KubernetesKEDAKarpenterSummaryFurther reading
Advanced Kubernetes: Traffic Management, Multi-Cluster Strategies, and More
Technical RequirementsAdvanced Traffic Routing with IngressRefresher – Kubernetes ServicesOverview of the Ingress objectUsing nginx as an Ingress ControllerDeploying the NGINX Ingress Controller in minikubeDeploying Ingress Resources in KubernetesingressClass and Multiple Ingress ControllersAzure Application Gateway Ingress Controller for AKSWhy Choose AGIC for AKS?Gateway APIUnderstanding Endpoints and EndpointSlices Modern Advancements with KubernetesServerless with Knative and OpenFaaSKubeflow – Machine Learning on KubernetesKubeVirt – Virtual Machines on KubernetesMaintaining Kubernetes Clusters – Day 2 TasksKubernetes Cluster Backup and RestoreTaking Backup of etcdetcd Snapshot Restore with etcdutlReconfiguring the Kubernetes API ServerLeveraging Infrastructure as Code (IaC) and Configuration as Code (CaC) for Resilient Cluster ManagementKubernetes Cluster UpgradesPre-Upgrade ChecklistUpgrade ProcessPost-Upgrade TasksRollback PlanAdditional TipsMulti-Cluster ManagementSecuring a Kubernetes Cluster – Best PracticesControlling Access to the Kubernetes APIControlling Access to the KubeletControlling Workload or User Capabilities at RuntimeRestricting Network AccessProtecting Cluster ComponentsTroubleshooting KubernetesGetting details about resourcesKubernetes Logs and Events for troubleshootingkubectl explain – the inline helperInteractive troubleshooting using kubectl execEphemeral Containers in KubernetesCommon troubleshooting tasks in KubernetesSummaryFurther reading
Other Books You May Enjoy
Leave a Review!
Index

Content preview from The Kubernetes Bible - Second Edition

18 Security in Kubernetes

Authentication and authorization are the cornerstones of modern software systems in terms of providing the necessary identity management and access management, respectively. Many people confuse these two terms, despite the fact that they are quite different processes. Authentication has to do with the verification of the identity of a user, normally through some kind of mechanism like usernames and passwords, while authorization is all about what an authenticated user can access or do within a system. Authentication always comes first, after which authorization would take place in order for the system to be interacted with by verified users. Kubernetes extends this further with another model called Role-Based Access ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781835464717

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

The Kubernetes Bible - Second Edition

by Gineesh Madapparambath, Russ McKendrick

18

Security in Kubernetes

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.