What this book covers
Chapter 1, Docker and Container Essentials, covers the problems Docker and Kubernetes address for developers. You will be introduced to Docker, including the Docker daemon, data, installation, and using the Docker CLI.
Chapter 2, Deploying Kubernetes Using KinD, helps you create development clusters using KinD, a powerful tool that allows you to create clusters ranging from a single-node cluster to a full multi-node cluster. The chapter goes beyond a basic KinD cluster, explaining how to use a load balancer running HAProxy to load-balance worker nodes. By the end of the chapter, you will understand how KinD works and how to create a custom multi-node cluster, which will be used for the exercises in later chapters.
Chapter 3, Kubernetes Bootcamp, provides a refresher on Kubernetes. This chapter will cover most of the objects that a cluster includes, which will be helpful if you are new to Kubernetes. It will explain each object with a description of what it does and its function in a cluster. It is meant to be a refresher, or a “pocket guide” to objects. It does not contain exhaustive details for each object (that would require a second book).
Chapter 4, Services, Load Balancing, and Network Policies, explains how to expose a Kubernetes Deployment using services. Each service type will be explained with examples, and you will learn how to expose them using both a layer 7 and a layer 4 load balancer. In this chapter, you will go beyond the basics of a simple Ingress controller, installing MetalLB to provide layer 4 access to services. Finally, you will learn how to provide fine-grained control over the communication between pods using Kubernetes network policies, enhancing security and compliance within your cluster.
Chapter 5, External DNS and Global Load Balancing, teaches you about two add-ons that benefit enterprise clusters. You will install an incubator project called external-dns to provide dynamic name resolution for the services exposed by MetalLB. You will also learn how to add a Global Load Balancer to your cluster, using a project called K8GB, which provides native Kubernetes Global Load Balancing.
Chapter 6, Integrating Authentication into Your Cluster, answers the question, “Once your cluster is built, how will users access it?” In this chapter, we’ll detail how OpenID Connect works and why you should use it to access your cluster. You’ll also learn how to authenticate your pipelines, and finally, we’ll cover several anti-patterns and explain why they should be avoided.
Chapter 7, RBAC Policies and Auditing, explains that once users have access to a cluster, you need to know how to limit their access. Whether you are providing an entire cluster to your users or just a namespace, you’ll need to know how Kubernetes authorizes access via its role-based access control (RBAC) system. In this chapter, we’ll detail how to design RBAC policies, how to debug them, and different strategies for multi-tenancy.
Chapter 8, Managing Secrets, focuses on one of the hardest problems to solve in the Kubernetes world: how to manage secret data. First, we’ll look at the challenges of managing Secrets in Kubernetes. Then we’ll learn about HashiCorp’s Vault for secret management. Finally, we’ll integrate our clusters with Vault using both the Vault sidecar and the popular External Secrets Operator.
Chapter 9, Building Multitenant Clusters with vClusters, moves beyond a single cluster toward dividing clusters into tenants using the vCluster project from Loft. You’ll learn how vClusters work, how they interact with host clusters, how to securely access them, and how to automate their rollout for your tenants. We’ll also build on what we learned in Chapter 8 to integrate managed Secrets into our vClusters too!
Chapter 10, Deploying a Secured Kubernetes Dashboard, covers Kubernetes Dashboard, which is often the first thing users try to launch once a cluster is up and running. There’s quite a bit of mythology around its security (or lack thereof). Your cluster will include other web applications too, such as network dashboards, logging systems, and monitoring dashboards. This chapter looks at how the dashboard is architected, how to properly secure it, and examples of how not to deploy it, with details as to why.
Chapter 11, Extending Security Using Open Policy Agent, provides you with the guidance you need to deploy Open Policy Agent and Gatekeeper to enable policies that can’t be implemented using RBAC. We’ll cover how to deploy Gatekeeper, how to write policies in Rego, and how to test your policies using OPA’s built-in testing framework.
Chapter 12, Node Security with Gatekeeper, deals with the security of the nodes that run your pods. We will discuss how to securely design your containers so they are harder to abuse and how to build policies using Gatekeeper that prevent your containers from accessing resources they don’t need.
Chapter 13, KubeArmor Securing Your Runtime, starts from the premise that security is everyone’s job, and that providing tools to address attack vectors is key to running a secure and resilient cluster. In this chapter, you will learn how to secure your container runtime by using a CNCF project called KubeArmor. KubeArmor provides an easy way to lock down containers using easy-to-understand policies.
Chapter 14, Backing Up Workloads, explains how to create a backup of your cluster workloads for disaster recovery or cluster migrations, using Velero. You will work hands-on to create an S3-compatible storage location using MinIO to create a backup of example workloads and persistent storage. You will then restore the backup to a brand-new cluster to simulate a cluster migration.
Chapter 15, Monitoring Clusters and Workloads, explores how to assess the health of your cluster using Prometheus and OpenSearch. You’ll start by understanding how Kubernetes and Prometheus handle metrics, then we’ll deploy the Prometheus stack with Alertmanager and Grafana. You’ll learn how to secure the stack and how to extend it to monitor additional workloads. After we’re done with monitoring, we will move on to log aggregation with OpenSearch. We will start by exploring how logging in Kubernetes works, move on to integrating OpenSearch, and wrap up with securing access to OpenSearch with OpenUnison.
Chapter 16, An Introduction to Istio, explains that many enterprises use a service mesh to provide advanced features such as security, traffic routing, authentication, tracing, and observability to a cluster. This chapter will introduce you to Istio, a popular open-source mesh, and its architecture, along with the most commonly used resources it provides. You will deploy Istio to your KinD cluster with an example application and learn how to observe the behavior of an application using an observability tool called Kiali.
Chapter 17, Building and Deploying Applications on Istio, acknowledges that once you’ve deployed Istio, you’ll want to develop and deploy applications that use it! This chapter starts with a walk-through of the differences between monoliths and microservices and how they’re deployed. Next, we’ll step through building a microservice to run in Istio and get into advanced topics like authentication, authorization, and service-to-service authentication for your services. You will also learn how to secure Kiali access by leveraging existing roles in Kubernetes using an OIDC provider and JSON Web Tokens. You’ll also learn how to secure Istio services using JWTs, along with how to use token exchanges to gain access to different services, securely moving from one service to another. Finally, we use OPA to create a custom authorization rule that we configure with Istio.
Chapter 18, Provisioning a Multitenant Platform, explores how to build pipelines, how to automate their creation, and how they relate to GitOps. We’ll explore how the objects that are used to drive pipelines are related to each other, how to build relationships between systems, and finally, how to design a self-service workflow for automating the deployment of pipelines.
Chapter 19, Building a Developer Portal, builds on our designs in Chapter 18 to build out a multitenant platform with many of the tools we used throughout this book. We’ll start by talking about building a lab to run our multitenant cluster in. Next, we’ll roll out Kubernetes to three clusters and integrate them with GitLab, Vault, Argo CD, Harbor, and OpenUnison. Finally, we’ll walk through onboarding a new vCluster-based tenant using OpenUnison’s self-service portal.