Getting started with google kubernetes engine
- 1. Getting started with Google Kubernetes Engine By: Shreya Pohekar
- 2. Who am I??? Chapter lead Infosec girls | Null bhopal About Me Developer Penetration tester I blog at shreyapohekar.com Follow me Twitter - @shreyapohekar LinkedIn - Shreya Pohekar
- 3. Today's Presentation Discussion Points Concept of virtualization and containerization Docker Docker commands Kubernetes Google kubernetes Engine
- 4. What is Kubernetes?? Kubernetes is an open source platform that helps you orchestrate and manage your container infrastructure On-premises or in the Cloud.
- 5. Let's start from the beginning! Virrtualization and containerization
- 7. Cloud customers pay for only what they use or reserve as they go. on-demand and self-service resources are accessible over a network You pay for what you use. The resources made available are elastic. i.e it can be easily scaled up or scaled down. The cloud resources and services are available on demain to the end users. Users just need an internet connection to access their resources, from anyhere round the world
- 8. What is Docker?? Flexible Even the most complex applications can be containerized. Scalable You can increase and automatically distribute container replicas across a datacenter. Portable You can build locally, deploy to the cloud, and run anywhere. LightWeight Containers leverage and share the host kernel, making them much more efficient in terms of system resources. Secure Containers apply aggressive constraints and isolations to processes without any configuration required on the part of the user. Loosely coupled Containers are highly self sufficient and encapsulated, allowing you to replace or upgrade one without disrupting others. Docker is a platform for developers and sysadmins to build, run, and share applications with containers. The use of containers to deploy applications is called containerization.
- 9. Docker Daemon The background service running on the host that manages building, running and distributing Docker containers. The daemon is the process that runs in the operating system which clients talk to. Docker Client The command line tool that allows the user to interact with the daemon. Docker hub A registry of Docker images. You can think of the registry as a directory of all available Docker images. If required, one can host their own Docker registries and can use them for pulling images. A Few more Docker terms
- 10. You have embraced container technology, but managing them at scale is indeed a bigger challenge So what can you do to better manage your container infrastructure?????
- 11. Yes, You guessed it Right!!! Its Kubernetes :)
- 12. 1 2 3 4 18 orchestrate and manage your container infrastructure It can be on-premise or on the cloud Supports declarative configurations you describe the desired state you want to achieve instead of issuing a series of commands to achieve that desired state. Automation deployment scaling, load balancing, logging, monitoring Imperative configuration admins can issue commands to change state What is Kubernetes? Its more than what you think
- 13. 25 Features! Support of stateless and stateful applications Easy scale in and scale out Workload portability
- 14. Architecture Elements The user define the desired state and the kubernetes manages the state of the object Pods Pods are the basic building blocks (smallest deployable unit). A Pod is a Kubernetes abstraction that represents a group of one or more application containers (such as Docker), and some shared resources for those containers. Example Usecase three instances of the nginx web server.in different pods. Kubernetes control plane will continuously monitor the state of the cluster and will maintain it in the desired state. Credits: google
- 15. Kube-API server- It authenticates incoming requests, determines whether they are authorized and valid, and manages admission control. ETCD is the cluster's database Kube-scheduler is responsible for scheduling pods onto the nodes Kube-controller manager continuously monitors the state of a cluster through Kube- APIserver Kube-cloud-manager manages controllers that interact with underlying cloud providers. Kubernetes control plane
- 16. 1 2 3 4 5 Replica Sets ensures that population of identical pods is running at the same time Deployments Lets you create update, rollback and scale pods using replica sets Stateful sets Pods use same container spec and are persistent identities with stable network identity and persistent disk storage. Deamon Set ensures that a specific Pod is always running on all or some subset of the nodes. Job controller creates one or more Pods required to run a task. Cron-job run pods based on time-schedule. Kubernetes Controller objects All you need to know
- 17. Service A Service in Kubernetes is an abstraction which defines a logical set of Pods and a policy by which to access them. ClusterIP: Exposes the service on an IP address that is only accessible from within this cluster NodePort: Exposes the service on the IP address of each node in the cluster, at a specific port number. Can be accessed using <NodeIP>:<NodePort> LoadBalancer: Creates an external load balancer in the current cloud (if supported) and assigns a fixed, external IP to the Service..
- 19. DEMO!!!!
- 21. Security Pod Security Policy define a set of conditions that a pod must run with in order to be accepted into the system Authorization The Kubernetes API server may authorize a request using one of several authorization modes Network policy Allows to control traffic flow at the IP address or port level
- 22. Security Best Practices Factors for Success Download from official source of image Use latest image and update periodically Use image scanning tools for any CVEs or vulnerabilities. Clair : https://github.com/arminc/clair- scanner
- 23. Security context for pod/container A security context defines privilege and access control settings for a Pod or Container. - UID / GID - Selinuxx - Linux capabilities - Apparmor - AllowPrivilegeEscalation - ReadOnlyRootFIleSystem
- 24. Secure pesistent key- value store # kubectl create secret Use kubernetes built in secret manager. Pods can use secrets via a file mounted as a volume or by the kubelet when pulling images for the pod.
- 25. References Coursera : Architecting with Kubernetes Workloads and fundamentals of kubernetes https://kubernetes.io/
- 26. Thankyou!!!