Learn how to Secure a Kubernetes Cluster — CKA Exam Preparation Series

This is one of the numerous posts by TechCommanders in a series for studying for the Certified Kubernetes Administrator (CKA) Exam.

Become a Certified Kubernetes Administrator (CKA)!

Before learning how to secure a Kubernetes cluster, let's look at why it is important to secure one. Last year, somewhere around January, the world's biggest orchestration system experienced a major security vulnerability that hit the project ecosystem hard.

We won't go deep into the vulnerability, but here is an overview: using it, attackers can compromise clusters through the API server, which allows them to execute malicious code and install malware.

The other case we came across was caused by a misconfigured Kubernetes cluster, which led to the installation of cryptocurrency mining software on Tesla resources.

An attacker took advantage of an unprotected Kubernetes panel, which allowed them to access the pods and make changes in a larger part of Tesla's environment on AWS.

So organizations that use this orchestration system, or are moving to it, should be aware of the best security practices for protecting customer data. Follow the advice below to protect your infrastructure.

Christa Stehr

1602964260

50+ Useful Kubernetes Tools for 2020 - Part 2

Introduction

Last year, we provided a list of Kubernetes tools that proved so popular we have decided to curate another list of some useful additions for working with the platform—among which are many tools that we personally use here at Caylent. Check out the original tools list here in case you missed it.

According to a recent survey by StackRox, Kubernetes continues to reinforce its dominance in the market, with 86% of respondents using it for container orchestration.

(State of Kubernetes and Container Security, 2020)

And as you can see below, more and more companies are jumping into containerization for their apps. If you’re among them, here are some tools to aid you going forward as Kubernetes continues its rapid growth.

(State of Kubernetes and Container Security, 2020)

Loma Baumbach

1600524480

How to Configure Storage on a Kubernetes Cluster — CKA Exam Preparation Series

This is one of the numerous posts by TechCommanders in a series for studying for the Certified Kubernetes Administrator (CKA) Exam.

Become a Certified Kubernetes Administrator (CKA)!

Before getting into how to configure storage, I would like to explain why it is needed. Let's start with an example: imagine you have deployed a PHP application that generates a PDF file, updates the status in the database to "generated", and then renders it.

Now I increase the number of instances of my PHP application. If I ask them to create a PDF file, one instance updates the status to "generated" while another instance tries to find the file for rendering, but it hasn't been uploaded to the database yet. Getting my point here? This is the general scenario we also see at the time of a deadlock. It's not a complete deadlock, but it can be related to one.

This issue can't be understood easily. To understand the gravity of the issue, you need to deploy the application and scale it up. To resolve these kinds of issues, Kubernetes came up with CSI, the Container Storage Interface.

We need to design applications and decouple the logic and static files to get this point. Assume there are some files that need to be saved on a shared space so that they are accessible by all the possible replicas of the application.

Image for post

In this image, we have figured out the nodes we need to scale up the environment, but storage is still a question. At the least, the image shows that we need shared storage for all of our replicas. In Kubernetes, storage comes in two parts: the storage service, which can be on its own server or on the same server the K8s cluster is on, and the provisioner. The provisioner is a piece of software that respects the Container Storage Interface and is deployed to Kubernetes.

The provisioner is important because it handles the creation and deletion of Persistent Volumes. Depending on the storage service, you can find a suitable provisioner. There are different provisioners available, and the choice depends mostly on two factors: where you are deploying and what you want to achieve.

Arvel Miller

1600434720

How to Configure Network on a Kubernetes Cluster — CKA Exam Preparation Series

In this post, we will learn how to configure a network on a Kubernetes cluster. We will learn about Kubernetes networking and also get a brief overview of Kubernetes pods and Kubernetes services.

This is one of the numerous posts by TechCommanders in a series for studying for the Certified Kubernetes Administrator (CKA) Exam.

What are Kubernetes Pods?

The pod is the smallest building block in a cluster. It represents the system that is running. A pod may contain one or more containers. A single pod has:

  • A unique network IP
  • Storage
  • Network
  • Any other specification which you might have configured.

In simple words, the pod can be described as a logical host that is specific to your application and holds one or more tightly coupled containers. The pod can also act as a constructor that calls or initializes a second container; as soon as the second container is up and running, the first one stops its job.

What is the Kubernetes Service?

Kubernetes starts with a pod. As we read earlier, the pod is the smallest building block, so it contains all the storage resources required to run a containerized application or multiple containers, as well as a single network IP and operation options.

This gives more flexibility, but pods don't live forever. Even though every pod has a single IP, those IPs can't provide network stability over a long period of time.

We need to make sure that the application's backend pods, as well as its front-end pods, remain functional. This is where Kubernetes as a service, also known as KaaS, comes into play.

This is the method by which your team organizes, or services, pods, and therefore the policy by which your team accesses them. Often called a microservice, this organization depends on the spread of unique variables.

From the dimensions of your team to the traffic your application services, KaaS processes are often flexibly designed to fit your team’s needs.

So, now we are aware of Kubernetes pods as well as of service. Let’s jump into the working of networking in Kubernetes and how we can configure this.

Before we dive deep into the details of networking, we should go through the points covered in this post and the problems we are trying to solve. There are three major issues that we need to solve in a Kubernetes cluster:

  • Container to container communication
  • Pod to pod communication
  • Pod to service communication

Implement etcd backup and restore — CKA Exam Preparation Series

This is one of the numerous posts by TechCommanders in a series for studying for the Certified Kubernetes Administrator (CKA) Exam.

Become a Certified Kubernetes Administrator (CKA)!

Etcd is a vital component of a Kubernetes cluster. The etcd nodes exchange information through the Raft distributed consensus algorithm. For this tutorial we will be using Rancher's RKE clusters and learn how to back up etcd from one cluster and restore it to another. This will help you in scenarios such as when your running cluster goes wrong for any reason and you need to transfer it to a new or spare one.

So, before getting started with backup and restoration, let’s get a brief idea about Rancher’s RKE.

What is RKE?

It is a CNCF-certified Kubernetes distribution that runs entirely within Docker containers. RKE is managed by a company named Rancher Labs. It is a management platform for Kubernetes which also gives us the ability to manage many clusters within the same interface. It covers cluster provisioning, user access control, workload deployment, and many more things.

It is also well known in the open-source community, and the binary file for installation on different operating systems is available here. Once installed, we can list all the available commands in a terminal like this.
