book

The Kubernetes Workshop

Name: The Kubernetes Workshop
ISBN: 9781838820756

by Zachary Arnold, Sahil Dua, Wei Huang, Faisal Masood, Mélony Qin, Mohammed Abu Taleb, Cordell Tech, LLC, Simon Krenger, Alok Malakar, Craig Newton, Swati Bawankule, Saibal Ghosh

September 2020

Intermediate to advanced

780 pages

14h 22m

English

Packt Publishing

Read now

Unlock full access

The Kubernetes Workshop
Preface
About the BookAudienceAbout the ChaptersConventionsSetting Up Your EnvironmentHardware RequirementsOperating System RequirementsVirtualizationInstallation and SetupUpdating Your Package ListsInstalling GitjqTreeThe AWS CLIMinikube and kubectlVirtualBoxDockerGokopsDual-Booting Ubuntu for Windows UsersResizing PartitionsCreating a Bootable USB Drive to Install UbuntuInstalling UbuntuOther RequirementsAccessing the Code Files
1. Introduction to Kubernetes and Containers
IntroductionThe Evolution of Software DevelopmentVirtual Machines versus ContainersDocker BasicsWhat's behind docker run?Dockerfiles and Docker ImagesExercise 1.01: Creating a Docker Image and Uploading It to Docker HubExercise 1.02: Running Your First Application in DockerThe Essence of Linux Container TechnologyNamespaceExercise 1.03: Joining a Container to the Network Namespace of Another ContainerCgroupsContainerization: The Mindset ChangeSeveral Applications in One ContainerOne Application in One ContainerA Comparison of These ApproachesThe Need for Container OrchestrationContainer InteractionsNetwork and StorageResource Management and SchedulingFailover and RecoveryScalabilityService ExposureDelivery PipelineOrchestrator: Putting All the Things TogetherWelcome to the Kubernetes WorldActivity 1.01: Creating a Simple Page Count ApplicationSummary
2. An Overview of Kubernetes
IntroductionSetting up KubernetesAn Overview of MinikubeExercise 2.01: Getting Started with Minikube and Kubernetes ClustersKubernetes Components OverviewetcdAPI ServerSchedulerController ManagerWhere Is the kubelet?kube-proxyKubernetes ArchitectureContainer Network InterfaceMigrating Containerized Application to KubernetesPod SpecificationApplying a YAML ManifestExercise 2.02: Running a Pod in KubernetesService SpecificationExercise 2.03: Accessing a Pod via a ServiceServices and PodsDelivering Kubernetes-Native ApplicationsExercise 2.04: Scaling a Kubernetes ApplicationPod Life Cycle and Kubernetes ComponentsExercise 2.05: How Kubernetes Manages a Pod's Life CycleActivity 2.01: Running the Pageview App in KubernetesA Glimpse into the Advantages of Kubernetes for Multi-Node ClustersSummary
3. kubectl – Kubernetes Command Center
IntroductionHow kubectl Communicates with KubernetesSetting up Environments with Autocompletion and ShortcutsExercise 3.01: Setting up AutocompletionSetting up the kubeconfig Configuration File Common kubectl CommandsFrequently Used kubectl Commands to Create, Manage, and Delete Kubernetes ObjectsWalkthrough of Some Simple kubectl CommandsSome Useful Flags for the get CommandPopulating Deployments in KubernetesExercise 3.02: Creating a DeploymentExercise 3.03: Updating a DeploymentExercise 3.04: Deleting a Deployment Activity 3.01: Editing a Live Deployment for a Real-Life ApplicationSummary
4. How to Communicate with Kubernetes (API Server)
IntroductionThe Kubernetes API ServerKubernetes HTTP Request FlowAuthenticationAuthorizationAdmission ControlExercise 4.01: Starting Minikube with a Custom Set of ModulesValidationThe Kubernetes APITracing kubectl HTTP RequestsAPI Resource Type Scope of API ResourcesNamespace-Scoped ResourcesCluster-Scoped ResourcesAPI GroupsCore GroupNamed GroupSystem-WideAPI VersionsExercise 4.02: Getting Information about API ResourcesHow to Enable/Disable API Resources, Groups, or VersionsExercise 4.03: Enabling and Disabling API Groups and Versions on a Minikube ClusterInteracting with Clusters Using the Kubernetes APIAccessing the Kubernetes API Server Using kubectl as a ProxyCreating Objects Using curlExercise 4.04: Creating and Verifying a Deployment Using kubectl proxy and curlDirect Access to the Kubernetes API Using Authentication CredentialsMethod 1: Using Client Certificate AuthenticationMethod 2: Using a ServiceAccount Bearer TokenActivity 4.01: Creating a Deployment Using a ServiceAccount IdentitySummary
5. Pods
IntroductionPod ConfigurationExercise 5.01: Creating a Pod with a Single ContainerNameNamespaceExercise 5.02: Creating a Pod in a Different Namespace by Specifying the Namespace in the CLIExercise 5.03: Creating a Pod in a Different Namespace by Specifying the Namespace in the Pod Configuration YAML fileExercise 5.04: Changing the Namespace for All Subsequent kubectl CommandsNodeStatusContainersExercise 5.05: Using CLI Commands to Create a Pod Running a ContainerExercise 5.06: Creating a Pod Running a Container That Exposes a PortExercise 5.07: Creating a Pod Running a Container with Resource RequirementsExercise 5.08: Creating a Pod with Resource Requests That Can't Be Met by Any of the NodesExercise 5.09: Creating a Pod with Multiple Containers Running inside ItLife Cycle of a PodPhases of a PodProbes/Health ChecksTypes of ProbesLiveness ProbeReadiness ProbeConfiguration of ProbesImplementation of ProbesCommand ProbeHTTP Request ProbeTCP Socket ProbeRestart PolicyExercise 5.10: Creating a Pod Running a Container with a Liveness Probe and No Restart PolicyExercise 5.11: Creating a Pod Running a Container with a Liveness Probe and a Restart PolicyExercise 5.12: Creating a Pod Running a Container with a Readiness ProbeBest Practices While Using ProbesActivity 5.01: Deploying an Application in a PodSummary
6. Labels and Annotations
IntroductionLabelsConstraints for LabelsLabel KeysLabel ValuesWhy Do We Need Labels?Organizing Pods by Organization/Team/ProjectRunning Selective Pods on Specific NodesExercise 6.01: Creating a Pod with LabelsExercise 6.02: Adding Labels to a Running PodExercise 6.03: Modifying And/Or Deleting Existing Labels for a Running PodSelecting Kubernetes Objects Using Label SelectorsEquality-Based SelectorsExercise 6.04: Selecting Pods Using Equality-Based Label SelectorsSet-Based SelectorsExercise 6.05: Selecting Pods Using Set-Based Label SelectorsExercise 6.06: Selecting Pods Using a Mix of Label SelectorsAnnotationsConstraints for AnnotationsAnnotation KeysAnnotation ValuesUse Case for AnnotationsExercise 6.07: Adding Annotations to Help with Application DebuggingWorking with AnnotationsActivity 6.01: Creating Pods with Labels/Annotations and Grouping Them as per Given CriteriaSummary
7. Kubernetes Controllers
IntroductionReplicaSetsReplicaSet ConfigurationReplicasPod TemplatePod SelectorExercise 7.01: Creating a Simple ReplicaSet with nginx ContainersLabels on the ReplicaSetSelectors for the ReplicaSetReplicasPods StatusPods TemplateEventsExercise 7.02: Deleting Pods Managed by a ReplicaSetExercise 7.03: Creating a ReplicaSet Given That a Matching Pod Already ExistsExercise 7.04: Scaling a ReplicaSet after It Is CreatedDeploymentDeployment ConfigurationStrategyExercise 7.05: Creating a Simple Deployment with Nginx ContainersLabels and Annotations on the DeploymentSelectors for the DeploymentReplicasRolling Back a DeploymentExercise 7.06: Rolling Back a DeploymentStatefulSetsStatefulSet ConfigurationUse Cases for StatefulSetsDaemonSetsUse Cases for DaemonSetsDaemonSet ConfigurationJobsJob ConfigurationA Use Case for Jobs in Machine LearningExercise 7.07: Creating a Simple Job That Finishes in Finite TimeActivity 7.01: Creating a Deployment Running an ApplicationSummary
8. Service Discovery
IntroductionServiceService ConfigurationTypes of ServicesNodePort ServiceExercise 8.01: Creating a Simple NodePort Service with Nginx ContainersClusterIP ServiceService ConfigurationExercise 8.02: Creating a Simple ClusterIP Service with Nginx ContainersChoosing a Custom IP Address for the ServiceExercise 8.03: Creating a ClusterIP Service with a Custom IPLoadBalancer ServiceExternalName ServiceIngressActivity 8.01: Creating a Service to Expose the Application Running on a PodSummary

9. Storing and Reading Data on Disk
IntroductionVolumesHow to Use VolumesDefining VolumesMounting VolumesTypes of VolumesemptyDirhostPathExercise 9.01: Creating a Pod with an emptyDir VolumeExercise 9.02: Creating a Pod with an emptyDir Volume Shared by Three ContainersPersistent VolumesPersistentVolume ConfigurationstorageClassNamecapacityvolumeModeaccessModespersistentVolumeReclaimPolicyPV StatusPersistentVolumeClaim ConfigurationstorageClassNameresourcesvolumeModeaccessModeselectorsHow to Use Persistent VolumesStep 1 – Provisioning the VolumeStep 2 – Binding the Volume to a ClaimStep 3 – Using the ClaimExercise 9.03: Creating a Pod That Uses PersistentVolume for StorageDynamic ProvisioningActivity 9.01: Creating a Pod That Uses a Dynamically Provisioned PersistentVolumeSummary
10. ConfigMaps and Secrets
IntroductionWhat Is a ConfigMap?Exercise 10.01: Creating a ConfigMap from Literal Values and Mounting It on a Pod Using Environment VariablesDefining a ConfigMap from a File and Loading It onto a PodExercise 10.02: Creating a ConfigMap from a FileExercise 10.03: Creating a ConfigMap from a FolderWhat Is a Secret?Secret versus ConfigMapExercise 10.04: Defining a Secret from Literal Values and Loading the Values onto the Pod as an Environment VariableExercise 10.05: Defining a Secret from a File and Loading the Values onto the Pod as a FileExercise 10.06: Creating a TLS SecretExercise 10.07: Creating a docker-registry SecretActivity 10.01: Using a ConfigMap and Secret to Promote an Application through Different StagesSummary
11. Build Your Own HA Cluster
IntroductionHow the Components of Kubernetes Work Together to Achieve High AvailabilityetcdNetworking and DNSNodes' and Master Servers' Locations and ResourcesContainer Network Interface and Cluster DNSContainer Runtime InterfacesContainer Storage InterfacesBuilding a High-Availability Focused Kubernetes ClusterSelf-Managed versus Vendor-Managed Kubernetes SolutionskopsOther Commonly Used ToolsAuthentication and Identity in KubernetesExercise 11.01: Setting up Our Kubernetes ClusterKubernetes Service AccountsExercise 11.02: Deploying an Application on Our HA ClusterActivity 11.01: Testing the Resilience of a Highly Available ClusterDeleting Our ClusterSummary
12. Your Application and HA
IntroductionAn Overview of Infrastructure Life Cycle ManagementTerraformExercise 12.01: Creating an S3 Bucket with TerraformExercise 12.02: Creating a Cluster with EKS Using TerraformKubernetes IngressHighly Available Applications Running on Top of Kubernetes Exercise 12.03: Deploying a Multi-Replica Non-HA Application in KubernetesWorking with Stateful ApplicationsThe CI/CD PipelineExercise 12.04: Deploying an Application with State ManagementActivity 12.01: Expanding the State Management of Our ApplicationSummary
13. Runtime and Network Security in Kubernetes
IntroductionThreat ModelingThe 4Cs of Cloud Native SecurityCluster SecurityKubernetes RBACRoleRoleBindingClusterRoleClusterRoleBindingSome Important Notes about RBAC PoliciesServiceAccountExercise 13.01: Creating a Kubernetes RBAC ClusterRoleNetworkPoliciesExercise 13.02: Creating a NetworkPolicyPodSecurityPolicyExercise 13.03: Creating and Testing a PodSecurityPolicyActivity 13.01: Securing Our AppSummary
14. Running Stateful Components in Kubernetes
IntroductionStateful AppsUnderstanding StatefulSetsDeployments versus StatefulSetsFurther Refactoring Our ApplicationExercise 14.01: Deploying a Counter App with a MySQL BackendExercise 14.02: Testing the Resilience of StatefulSet Data in PersistentVolumesHelmExercise 14.03: Chart-ifying Our Redis-Based Counter ApplicationActivity 14.01: Chart-ifying Our StatefulSet DeploymentSummary
15. Monitoring and Autoscaling in Kubernetes
IntroductionKubernetes MonitoringKubernetes Metrics API/Metrics ServerPrometheusGrafanaMonitoring Your ApplicationsExercise 15.01: Setting up the Metrics Server and Observing Kubernetes ObjectsAutoscaling in KubernetesHorizontalPodAutoscalerExercise 15.02: Scaling Workloads in KubernetesClusterAutoscalerExercise 15.03: Configuring the ClusterAutoscalerActivity 15.01: Autoscaling Our Cluster Using ClusterAutoscalerDeleting Your Cluster ResourcesSummary
16. Kubernetes Admission Controllers
IntroductionHow Admission Controllers WorkCreating Controllers with Custom LogicThe Mutating Admission WebhookThe Validating Admission WebhookHow a Webhook WorksExercise 16.01: Modifying a ConfigMap Object through a PatchGuidelines for Building a Mutating Admission WebHook Exercise 16.02: Deploying a Webhook Configuring the Webhook to Work with KubernetesHow to Encode a Certificate in Base64 FormatActivity 16.01: Creating a Mutating Webhook That Adds an Annotation to a PodValidating a WebhookCoding a Simple Validating WebHookActivity 16.02: Creating a Validating Webhook That Checks for a Label in a PodControlling the Effect of a Webhook on Selected NamespacesExercise 16.03: Creating a Validating Webhook with the Namespace Selector DefinedSummary
17. Advanced Scheduling in Kubernetes
IntroductionThe Kubernetes SchedulerThe Pod Scheduling ProcessFilteringScoringAssigningTimeline of Pod SchedulingManaging the Kubernetes SchedulerNode Affinity and Anti-AffinityExercise 17.01: Running a Pod with Node AffinityPod Affinity and Anti-AffinityExercise 17.02: Running Pods with Pod AffinityPod PriorityExercise 17.03: Pod Priority and PreemptionTaints and TolerationsExercise 17.04: Taints and TolerationsUsing a Custom Kubernetes SchedulerActivity 17.01: Configuring a Kubernetes Scheduler to Schedule PodsSummary
18. Upgrading Your Cluster without Downtime
IntroductionThe Need to Upgrade Your Kubernetes ClusterKubernetes Components – RefresherA Word of CautionThe Upgrade ProcessSome Considerations for kopsAn overview of the Upgrade ProcessThe Importance of AutomationBacking up the etcd DatastoreExercise 18.01: Taking a Snapshot of the etcd DatastoreDraining a Node and Making It Non-SchedulableExercise 18.02: Draining All the Pods from the NodesUpgrading Kubernetes Master ComponentsExercise 18.03: Upgrading Kubernetes Master ComponentsUpgrading Kubernetes Worker NodesExercise 18.04: Upgrading the Worker NodesActivity 18.01: Upgrading the Kubernetes Platform from Version 1.15.7 to 1.15.10Summary
19. Custom Resource Definitions in Kubernetes
IntroductionWhat Is a Custom Controller?The Relationship between a CRD, a CR, and a ControllerStandard Kubernetes API ResourcesWhy We Need Custom Resources?Example Use Case 1Example Use Case 2Example Use Case 3How Our Custom Resources Are DefinedapiVersionkindspecnamespaceName and podLiveForThisMinutesThe Definition of a CRDExercise 19.01: Defining a CRDExercise 19.02: Defining a CR Using a CRD Writing the Custom ControllerThe Components of the Custom ControllerActivity 19.01: CRD and Custom Controller in ActionAdding Data to Our Custom ResourceExercise 19.03: Adding Custom Information to the CR List CommandSummary

Content preview from The Kubernetes Workshop

13. Runtime and Network Security in Kubernetes

Overview

In this chapter, we will look at various resources that we can use to secure workloads running in our cluster. We will also understand a rough threat model and apply it to architect a secure cluster so that we can defend our cluster and application against various types of threats. By the end of this chapter, you will be able to create Role and ClusterRole, as well as RoleBinding and ClusterRoleBinding to control the access of any process or user to the Kubernetes API server and objects. Then, you will learn how to create a NetworkPolicy to restrict communication between your application and the database. You will also learn how to create a PodSecurityPolicy to ensure that the running ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781838820756

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

The Kubernetes Workshop

by Zachary Arnold, Sahil Dua, Wei Huang, Faisal Masood, Mélony Qin, Mohammed Abu Taleb, Cordell Tech, LLC, Simon Krenger, Alok Malakar, Craig Newton, Swati Bawankule, Saibal Ghosh

13. Runtime and Network Security in Kubernetes

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.