Kubernetes

Getting started with Kubernetes

| Name | Comments |
| --- | --- |
| kubernetes.io | Official Kubernetes site by Google |
| Kubernetes 101 | Great beginner article on Kubernetes fundamental concepts |
| Kubernetes Tutorial for Beginners | Full 4-hour video on Kubernetes (2020) |
| Learning Path: Kubernetes | Kubernetes learning series from basic to advanced |
| Kubernetes 101 - Concepts and Why It Matters | |
| kubernetes-workshop | |
| Kubernetes Deployment Tutorial | |
| Katacoda | Learn Kubernetes using interactive browser-based scenarios |

Kubernetes - Deep Dive

| Name | Comments |
| --- | --- |
| Kubernetes Networking | Kubernetes networking resources |
| Liveness and Readiness Probes | |

Kubernetes - Troubleshooting

| Name | Comments |
| --- | --- |
| troubleshoot.sh | "A kubectl plugin providing diagnostic tools for Kubernetes applications" |
| Kubernetes Troubleshooting Visual Guide | |

Kubernetes - Security

| Name | Comments |
| --- | --- |
| Kubescape | "Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by NSA and CISA" |
| Falco | "Falco...is the de facto Kubernetes threat detection engine" |

Kubernetes - Misc

| Name | Comments |
| --- | --- |
| Conftest | "Conftest is a utility to help you write tests against structured configuration data" (used in the development phase) |
| datree | "Prevent Kubernetes Misconfigurations From Reaching Production" (used in the development phase) |
| gatekeeper | Used in production |
| telepresence | "FAST, LOCAL DEVELOPMENT FOR KUBERNETES AND OPENSHIFT MICROSERVICES" |
| Kubernetes CheatSheet | |
| OperatorHub.io | Kubernetes native applications |
| YAML templates | |
| Kubesort | "kubesort helps you sort the results from kubectl get in an easy way" |
| IngressMonitorController | "A Kubernetes controller to watch ingresses and create liveness alerts for your apps/microservices" |

Kubernetes - SRE

| Name | Comments |
| --- | --- |
| KubeInvaders | "Chaos Engineering Tool for Kubernetes and Openshift" |

Kubernetes - Certificates

| Name | Comments |
| --- | --- |
| CKAD-Practice-Questions | "a consolidated list for CKAD practice questions" |
| CKAD Prep Exam Video | A video of doing a CKAD prep exam (2020) |

Best Practices

Security Best Practices

  • Secure inter-service communication (one way is to use Istio to provide mutual TLS)
  • Isolate different resources into separate namespaces based on some logical groups
  • Use a supported container runtime (if you use Docker, drop it because it's deprecated; you might want to use CRI-O as the engine and podman for the CLI)
  • Properly test changes to the cluster (e.g. consider using Datree to prevent Kubernetes misconfigurations)
  • Limit who can do what (by using for example OPA gatekeeper) in the cluster
  • Use NetworkPolicy to apply network security
  • Consider using tools (e.g. Falco) for monitoring threats

CheatSheet

Minikube

  • Minikube version: minikube version
  • Start cluster: minikube start
  • Delete cluster: minikube delete

Common Kubectl Operations

  • Create objects defined in a YAML: kubectl apply -f rs.yaml

Service Accounts

  • List service accounts: kubectl get serviceaccounts

Cluster

  • Cluster version: kubectl version
  • Cluster information: kubectl cluster-info
  • List nodes: kubectl get nodes

Pods

  • List of Pods in current namespace: kubectl get po

  • List of Pods in all namespaces: kubectl get po --all-namespaces

  • Get containers names: kubectl get po <POD_NAME> -o jsonpath="{.spec.containers[*].name}"

  • Create a Pod from file: kubectl create -f pod_definition.yaml

  • Delete a Pod using a YAML definition: kubectl delete -f pod_definition.yaml

  • Delete a Pod using the Pod name: kubectl delete pod <POD_NAME>

  • Delete a Pod instantly (no graceful shutdown): kubectl delete pod <POD_NAME> --grace-period=0 --force

  • Execute a command inside a container (everything after -- is the command): kubectl exec -it <POD_NAME> -c <CONTAINER_NAME> -- ls

  • Display logs of a Pod: kubectl logs <POD_NAME>

  • Display logs of a specific container in a Pod: kubectl logs <POD_NAME> -c <CONTAINER_NAME>

  • Get a Pod name based on specific labels (takes the last match):

```bash
POD_NAME=$(kubectl get pod \
  --no-headers \
  -o=custom-columns=NAME:.metadata.name \
  -l type=api,service=some-service \
  | tail -1)
```

User

  • Creating a new user (client-certificate authentication; ca.crt/ca.key are the cluster CA):

```bash
openssl genrsa -out user.key 2048                                        # create the private key
openssl req -new -key user.key -out user.csr -subj "/CN=user/O=sgroup"    # create the CSR (CN = user name, O = group)
openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out user.crt -days 365  # sign with the cluster CA
kubectl config set-credentials myuser --client-certificate=$PWD/user.crt --client-key=$PWD/user.key
kubectl config set-context myuser-context --cluster=k8s-cluster --user=myuser
```
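
Added example, not part of the original cheat sheet: a manifest that applies the "limit who can do what" and "use NetworkPolicy" practices from the Security Best Practices section to the certificate user created above. The namespace sgroup-apps and all object names are assumptions; the Group subject sgroup matches the O= field of the CSR subject.

```yaml
# Added example (not from the original cheat sheet): least-privilege RBAC
# plus a default-deny NetworkPolicy for one namespace.
# Assumptions: namespace "sgroup-apps" and all object names are constructed;
# the Group subject "sgroup" matches the O= in the CSR subject (/CN=user/O=sgroup).
apiVersion: v1
kind: Namespace
metadata:
  name: sgroup-apps
---
# Role: read-only access to Pods and their logs, in this namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: sgroup-apps
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
# RoleBinding: grant the Role to the certificate's O= group; a RoleBinding
# (not a ClusterRoleBinding) keeps the grant scoped to sgroup-apps.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sgroup-pod-readers
  namespace: sgroup-apps
subjects:
- kind: Group
  name: sgroup
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# NetworkPolicy: default deny. An empty podSelector selects every Pod in
# the namespace; listing both policyTypes with no ingress/egress rules
# blocks all traffic until explicit allow policies are added.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: sgroup-apps
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```

The NetworkPolicy only takes effect on a CNI plugin that enforces the NetworkPolicy API. Verify the grant with `kubectl auth can-i list pods --as=user --as-group=sgroup -n sgroup-apps` (expected: yes) and `kubectl auth can-i delete pods --as=user --as-group=sgroup -n sgroup-apps` (expected: no).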

Service

  • Expose a ReplicaSet: kubectl expose rs REPLICASET_NAME --name=SERVICE_NAME --target-port=PORT --type=NodePort/SOME_OTHER_SERVICE_TYPE