Skip to content

Latest commit

 

History

History
222 lines (160 loc) · 9.09 KB

kubernetes.md

File metadata and controls

222 lines (160 loc) · 9.09 KB
Raw

Kubernetes

Getting started with Kubernetes

Name Comments
kubernetes.io Official Kubernetes site by Google
Kubernetes 101 Great beginner article on Kubernetes fundamental concepts
Kubernetes Tutorial for Beginners Full video of 4 hours on Kubernetes (2020)
Learning Path: Kubernetes From basic to advanced Kubernetes learning series
Kubernetes 101 - Concepts and Why It Matters
kubernetes-workshop
Kubernetes Deployment Tutorial
Katacoda Learn Kubernetes using Interactive Browser-Based Scenarios
Kubernetes Scheduler How does the Kubernetes scheduler work?

Kubernetes - Deep Dive

Name Comments
Kubernetes Networking Kubernetes Networking Resources
Liveness and Readiness Probes

Kubernetes - Troubleshooting

Name Comments
troubleshoot.sh "A kubectl plugin providing diagnostic tools for Kubernetes applications"
Kubernetes Troubleshooting Visual Guide

Kubernetes - Security

Name Comments
Kubescape "Kubescape is the first tool for testing if Kubernetes is deployed securely as defined in Kubernetes Hardening Guidance by NSA and CISA"
Falco "Falco...is the de facto Kubernetes threat detection engine"

Kubernetes - Misc

Name Comments
confTest "Conftest is a utility to help you write tests against structured configuration data" (Used in the development phase)
datree "Prevent Kubernetes Misconfigurations From Reaching Production" (Used in development phase)
gatekeeper Used in the production
telepresence "FAST, LOCAL DEVELOPMENT FOR KUBERNETES AND OPENSHIFT MICROSERVICES"
Kubernetes CheatSheet
OperatiorHub.io Kubernetes native applications
YAML templates
Kubesort "kubesort helps you sort the results from kubectl get in an easy way"
IngressMonitorController "A Kubernetes controller to watch ingresses and create liveness alerts for your apps/microservices"

Kubernetes - SRE

Name Comments
KubeInvaders "Chaos Engineering Tool for Kubernetes and Openshift"

Kubernetes - Certificates

Name Comments
CKAD-Practice-Questions "a consolidated list for CKAD practice questions"
CKAD Prep Exam Video A video of doing a CKAD prep exam (2020)
CKA Complete Prep Exam CKA prep exam (2021)
CKAD Complete Prep Exam CKAD prep exam (2021)
CKS Complete Prep Exam CKA prep exam (2021)

Kubernetes - Labs

Name Comments
Building a Kubernetes 1.23 Cluster with Kubeadm "Labs CKA - Build a Kubernetes cluster 1.23"

Best Practices

Security Best Practices

  • Secure inter-service communication (one way is to use Istio to provide mutual TLS)
  • Isolate different resources into separate namespaces based on some logical groups
  • Use supported container runtime (if you use Docker then drop it because it's deprecated. You might want to CRI-O as an engine and podman for CLI)
  • Test properly changes to the cluster (e.g. consider using Datree to prevent kubernetes misconfigurations)
  • Limit who can do what (by using for example OPA gatekeeper) in the cluster
  • Use NetworkPolicy to apply network security
  • Consider using tools (e.g. Falco) for monitoring threats

CheatSheet

Minikube

  • Minikube version: minikube version
  • Start cluster: minikube start
  • Delete cluster: minikube delete

Common Kubectl Operations

  • Create objects defined in a YAML: kubectl apply -f rs.yaml

Service Accounts

  • List service accounts: kubectl get serviceaccounts

Cluster

  • Cluster version: kubectl version
  • Cluster information: kubectl cluster-info
  • List nodes: kubectl get nodes

Images

  • List all containers images from all namespaces:
kubectl get pods --all-namespaces -o jsonpath="{.items[*].spec.containers[*].image}" |\
tr -s '[[:space:]]' '\n' |\
sort |\
uniq -c

Pods

  • List of Pods in current namespace: kubectl get po

  • List of Pods in all amespaces: kubectl get po --all-namespaces

  • Get containers names: kubectl get po <POD_NAME> -o jsonpath="{.spec.containers[*].name}"

  • Create a Pod from file: kubectl create -f pod_definition.yaml

  • Delete a Pod using a YAML definition: kubectl delete -f pod_definition.yaml

  • Delete a Pod using the Pod name: kubectl delete <POD_NAME>

  • Delete a Pod instantly: kubectl delete <POD_NAME> --grace-period=0 --force

  • Execute commands inside a container: kubectl exec -it -c <CONTAINER_NAME> <POD_NAME> ls

  • Display logs of a Pod: kubectl logs <POD_NAME>

  • Display logs of a specific container in a Pod: kubectl logs <POD_NAME> -c <CONTAINER_NAME>

  • Get Pod name based on specific labels

POD_NAME=$(kubectl get pod \
--no-headers \
-o=custom-columns=NAME:.metadata.name \
-l type=api,service=some-service \
| tail -1)
  • Get pods sorted by time creation: kubectl get pods --sort-by='{.metadata.creationTimestamp}'
  • Run long/endless running container: kubectl run test --image ubuntu -- sleep 2000000000
  • Get a shell access to a container: kubectl exec --stdin --tty some-shell -- /bin/bash

User

  • Creating a new user
openssl genrsa -out user.key 2048 # create key
openssl req key user.key user.csr -subj "/CN=user /O=sgroup" # create csr
openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateseral -out user.crt -days 365
kubectl config set-credentials myuser --client-certificates=$PWD/user.crt --client-key=$PWD/user.key
kubectl config set-context myuser-context --cluster=k8s-cluster --user=user

Service

  • Expose a ReplicaSet: kubectl expose rs REPLICASET_NAME --name=SERVICE_NAME --target-port=PORT --type=NodePort/SOME_OTHER_SERVICE_TYPE

Deployment

  • Create and delete a deployment in one step:
$ kubectl create deployment demo --image=cloudnatived/demo:hello

$ kubectl get pods --selector app=demo

$ kubectl delete pods --selector app=demo

$ kubectl delete all --selector app=demo

Aliases

  • Use kubectl aliases to speed up and reduce typo errors, practice these alaises early at your work and study for the exam. some example aliases:
alias k='kubectl'
alias kg='kubectl get'
alias kgpo='kubectl get pod'
alias kcpyd='kubectl create pod -o yaml --dry-run=client'
alias ksysgpo='kubectl --namespace=kube-system get pod'

alias kd='kubectl delete'
alias kdf='kubectl delete -f'
## for quick deletes you can add --force --grace-period=0  **Not sure if it is a good idea if you are in a production cluster**
alias krmgf='kubectl delete --grace-period 0 --force'
alias kgsvcoyaml='kubectl get service -o=yaml'
alias kgsvcwn='watch kubectl get service --namespace'
alias kgsvcslwn='watch kubectl get service --show-labels --namespace'

#example usage of aliases
krmgf nginx-8jk71    # kill pod nginx-8jk71 using grace period 0 and force

Monitoring

  • Install metrics-server using Minikube: minikube addons enable metrics-server

Secrets

  • Install Bitnami Sealed secrets controller
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
helm repo update
helm install sealed-secrets-controller sealed-secrets/sealed-secrets

  • sealed-secrets binary: https://github.com/bitnami-labs/sealed-secrets/releases

  • encrypt secret in yaml or json format: kubeseal -n my-namespace <.db-creds.yml> db-creds.json

  • apply secret on the cluser: kubectl apply -f db-creds.json -n my-namespace

Kustomize

  • Generate customized YAML file(s): kustomize build name_of_application
  • Apply generated customized YAML file(s) to the cluster: kustomize build name_of_application