Posts

Kubernetes Security - TLS Keys and Certificates

Transport Layer Security (TLS) Basics. In its early days it was called Secure Sockets Layer (SSL); it has since been renamed TLS. In this post we will explore TLS certificate files and their usage in the different Kubernetes cluster components. TLS certificates for Kubernetes cluster components are the basis for High Availability (HA) production configurations and for troubleshooting security issues at the user, application, and administration level. Public Key Infrastructure used in Kubernetes cluster security. Certificate files: a certificate file is nothing but a key pair consisting of a private key and a public key. The public key can be thought of as a lock that is visible to the public. Example certificate files have the extension .crt or .pem, such as server.crt, server.pem, client.crt or client.pem. The private key, on the other hand, is owned by the person who generated it. This file must not be distributed; instead it is used when the lock is visible to it uses...

Kubernetes Secrets

Hello DevOps | DevSecOps teams, we are running into a new generation of microservices inside Pods, and we need to focus on how to protect them. This post covers the security rules imposed on the Kubernetes cluster through Secret objects, which are specially designed to store sensitive data that is then referenced inside Pod containers. They have the limitation that each can hold up to 1MB of data only. Why Secret objects? We can store passwords, keys, tokens, certificates, etc. Secrets reduce the risk of exposing sensitive data. Secrets are accessed using volumes and environment variables. A Secret object is created outside the pod/containers; when it is created there is no clue where it will be injected. All secrets reside in the etcd database on the K8s master. Kubernetes Secret objects are similar to ConfigMap objects. Kubernetes Secret objects using volumes and environment variables. Pre-check: first we will check that the Kubernetes cluster is u...

Pod scheduling-2: Pod Affinity and Node Affinity

In this post we will take a deep dive into Node Affinity. Node Affinity is a more capable alternative to node labels and selectors on the Kubernetes cluster. There are three types of affinity in Kubernetes: Node affinity, Pod affinity, and Pod anti-affinity. Node Affinity means that the pod should only be scheduled on target nodes with specific labels; this is basically what the node selector does, for example only schedule the db-pod on nodes with size=large. Then we have Pod affinity, which dictates that the pod should only be scheduled on nodes where other specific pods are already running. For example, the cache pod is scheduled only on nodes where the webserver pods are already running. In a generic way we could say "Schedule Pod X only where Pod Y is". It's like an Indian girl marrying a boy: she stays with him! This way we can reduce the network latency between two pods which need to communicate (think of a web pod connecting to db pods). Finally, the Pod anti-affinity ...

K8s Storage Volumes Part 4 - Dynamic Provisioning

Hello guys! I am back with new learning in the Kubernetes Storage Volume series of posts. We have already seen how we can create a PV, then claim it with different PVCs, and then use the PVC in the Pod manifest under the volumes section. In this post we will be exploring the various options available for Dynamic Provisioning with StorageClass. StorageClass - PersistentVolumeClaim used in a Pod. I wanted to know Kubernetes StorageClasses in depth, and visited many blog posts on the different cloud choices people are working with. Initially I went through the Mumshadmohammad session and practice lab, and tried it out on the GCP platform. Previous storage related posts: Kubernetes Storage - EmptyDir, Kubernetes HostPath, Kubernetes NFS Volume as PV. Basically, Kubernetes maintains two types of StorageClasses: the default storage class (standard storage class) and user-defined storage classes (additional ones created with kubectl). The additional storage class will depend on t...

Scheduling Pods 1: Taint and Tolerance

Nodes in the Kubernetes cluster schedule pods according to node-level taints, which control pod creation on the node. We can update the taints on one or more nodes with a single command. The following are instructions from the kubectl label --help: A taint consists of a key, value, and effect. As an argument here, it is expressed as key=value:effect. The key must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 253 characters. Optionally, the key can begin with a DNS subdomain prefix and a single '/', like example.com/my-app. The value is optional. If given, it must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 63 characters. The effect must be NoSchedule, PreferNoSchedule or NoExecute. Currently taint can only apply to node. How does Taint - Tolerance work in Kubernetes? Taints allow a node to repel a set of pods. Tolerati...

Kubernetes Labels - Selectors, Annotations

What does this post cover? In this post we will explore all possible options that can be used for Kubernetes labels and selectors: adding labels, showing labels, replacing labels, deleting labels. Adding labels to Pods: adding labels while creating bare pods imperatively using the 'kubectl run' command; here I'm using three different images: httpd, redis, rabbitmq. kubectl run web --image=httpd:2.4.54-alpine \ --labels="env=prod,author=pavandeverakonda,component=customer,tier=frontend" kubectl run db --image=redis:alpine \ --labels="env=prod,author=pavandeverakonda,component=customer,tier=backend" kubectl run web2 --image=httpd:2.4.54-alpine \ --labels="env=dev,author=pavandeverakonda,component=customer,tier=frontend" kubectl run db2 --image=redis:alpine \ --labels="env=dev,author=pavandeverakonda,component=customer,tier=backend" kubectl run msg-pod --image=rabbitmq \ --labels="env=prod,author=ranjan,component=customer,tier=integra...

Understanding the Kubernetes Pods

Kubernetes pod. A Kubernetes pod represents a running process on the Kubernetes cluster. It encapsulates an application container, storage resources, and a unique network IP address. Inside a pod we can have one or more containers. The containers in a Pod are automatically co-located and co-scheduled on the same physical or virtual machine in the Kubernetes cluster. A multi-container pod is very tightly coupled inside: the containers share access to their memory space, and they can connect to each other using localhost. That is, a web application running in one container can be accessed from a busybox container running in the same pod. Containers in the pod can share storage (volumes) disk space as well. What is a Pod in Kubernetes? A pod is the atomic unit of scheduling in the Kubernetes ecosystem. Pods are ephemeral; they live for a short time span. On the master node, the different controllers run to monitor and self-heal the pods. Containers i...