Hands-On Kubernetes, Service Mesh and Zero-Trust

Build and manage secure applications using Kubernetes and Istio

Swapnil Dubey
Mandar J. Kulkarni

www.bpbonline.com
Copyright © 2023 BPB Online

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor BPB Online or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

BPB Online has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, BPB Online cannot guarantee the accuracy of this information.

First published: 2023

Published by BPB Online
WeWork
119 Marylebone Road
London NW1 5PU

UK | UAE | INDIA | SINGAPORE

ISBN 978-93-55518-675

www.bpbonline.com
Dedicated to

To my ‘partners in crime’ (since childhood): Sneha, Shivam & Shubhanshu
– Swapnil Dubey

****

My beloved wife Tejashri & my daughters Rucha and Shreya
– Mandar J. Kulkarni
About the Authors

- Swapnil Dubey has been working as an Architect at SLB since 2019, with a total IT experience of more than 14 years at enterprises like Snapdeal, Pubmatic and Schlumberger. His current role at SLB involves designing and guiding technical teams to implement data-intensive workloads using microservices and distributed computing architectural patterns hosted on public cloud (GCP & Azure) and on premise. In the past, he has served as a trainer for Big Data technologies like Hadoop and Spark (Certified Trainer with Cloudera), and facilitated approximately 20 batches of people to kickstart their journey into distributed computing. Moreover, he has spoken at multiple national & international conferences, where the key topic was containers and their management using Kubernetes. He completed his Masters from BITS Pilani in Data Analytics, and also holds Professional Architect certifications in GCP and Microsoft Azure. This is his second book. Before this one, he authored the book Scaling Google Cloud Platform with BPB Publications.

- Mandar J. Kulkarni has been working in software development and design for more than 16 years, and has played multiple roles such as Software Engineer, Senior Software Engineer, Technical Leader, Project Manager and Software Architect. Currently, he is an architect at SLB building data products on top of the Open Subsurface Data Universe (OSDU) Data Platform. He has also contributed to the OSDU Data Platform with multiple architectural modifications and improvements. He has acquired the Professional Cloud Architect certification from Google Cloud and also holds a Masters degree from BITS Pilani in Software Engineering. He has been a technical blogger for a while, and this is his first foray into writing a complete book.
About the Reviewer

Mahesh Chandrashekhar Erande has played the software architect role in the healthcare, telecom, and energy domains. For the past 19 years, he has done end-to-end solution design, programming and operational support for scalable enterprise apps. He is currently building poly-cloud products for SLB.
Acknowledgements

Any accomplishment requires the effort of many people, and this work is no different. First and foremost, I would like to thank my family (especially my father figure, mentor and guardian, Mr. N.R. Tiwari, my mother Sushma and my wife Vartika) for continuously encouraging and supporting me in writing the book. I could never have completed this book without their support. Big thanks to the Energy which keeps pushing me every day for my side hustles (apart from work). I gratefully acknowledge Mr. Mahesh Erande for his kind technical scrutiny of this book. My sincere thanks to the co-author of the book, Mr. Mandar J. Kulkarni, whose constant enthusiasm and quality inspired me to bring out my best. My gratitude also goes to the team at BPB Publications for being supportive and patient during the editorial review of the book. A big thank you to the SLB team for allowing me to do this work.

- Swapnil Dubey

This book would not have been possible without continuous support from my family and friends. I thank them for their unconditional support and encouragement throughout this book's writing, especially my wife Tejashri and my brother Kedar. I am also grateful to the BPB Publications team for giving me the opportunity to author the book, and also for their support, guidance and expertise in making this book a reality. The participation and collaboration of reviewers, technical experts, and editors from team BPB has been very valuable for me as well as for the book. Collaborating with author Mr. Swapnil Dubey has been an invaluable experience, and the learnings I gained will guide me forever. I also want to thank Mr. Mahesh Erande for his technical reviews and feedback on the book content. I would also like to acknowledge SLB for giving me the opportunities to work on interesting technologies during my career and also for allowing me to write the book. Finally, I would like to thank all the readers who keep taking interest in reading technical books. The appreciation and feedback from the readers is the biggest motivation for authors to create better content.

- Mandar J. Kulkarni
Preface

The objective of this book is to streamline creating and operating workloads on Kubernetes. This book will guide and train software teams to run Kubernetes clusters directly (with or without EKS/GKS), use API gateways in production, and utilise the Istio service mesh, thereby achieving smooth, agile, and error-free delivery of business applications. The reader masters the use of service mesh and Kubernetes by delving into their complexities and getting used to the best practices of these tools and approaches. When one runs hundreds of microservices and Kubernetes clusters, security is highly prone to being breached, and that is where zero trust architecture is kept in mind throughout the software development cycle. The book also makes use of some great observability tools to provide a robust, yet clean set of monitoring metrics such as latency, traffic, errors, and saturation, giving a single performance dashboard for all microservices. After reading this book, challenges around application deployment in production, application reliability, application security and observability will be better understood, managed, and handled by the audience.

Chapter 1: Docker and Kubernetes 101 - This chapter will introduce the audience to the basics of Docker and Kubernetes. In the Docker section, the audience will learn the concepts needed to write and push images to container registries. We will give a walkthrough of an already developed application and package it in a Docker container. There will be a discussion around practices which introduce security vulnerabilities and their resolution. In the later part of the chapter, the audience will be introduced to Kubernetes, covering the why, what, and how of Kubernetes, followed by an in-depth understanding of its architecture. There will be a discussion around the basic principles of immutability, declarative configuration and self-healing when assigning infrastructure in a Kubernetes cluster.

Chapter 2: PODs – discusses the foundational block of Kubernetes called the Pod. The chapter discusses the lifecycle of Pods along with health checks. The chapter also explains the resource requirements of a Pod, such as CPU and memory as well as the storage required for persisting data, along with security aspects like Pod security standards and admissions.
Chapter 3: HTTP Load Balancing with Ingress - This chapter will discuss the concepts of bringing data in and out of an application deployed in Kubernetes. Ingress is a Kubernetes-native way to implement the “virtual hosting” pattern. This chapter will talk about exposing services deployed in Kubernetes to the outside world. API gateways will also be discussed in this chapter, taking the example of open source API gateways like Gloo, Tyk and Kong. Apart from discussing the details around networking, readers will get a feel for the security issues and loopholes which should be taken care of while configuring networking.

Chapter 4: Kubernetes Workload Resources – takes readers towards more practical examples of using Kubernetes in enterprise applications, by showing hands-on examples of creating workload resources such as Deployments, ReplicaSets, Jobs and DaemonSets. The chapter discusses the life cycle of each of these workload resources and explains which workload resource should be used for which use case while building scalable applications.

Chapter 5: ConfigMap, Secrets, and Labels - In this chapter, the concepts of labels and secrets will be discussed. Labels can be used to select objects and to find collections of objects that satisfy certain conditions. In contrast, annotations are not used to identify and select objects. This chapter will help the audience gain an in-depth understanding of annotations & labels and strategies around how to use them effectively in real environments. This chapter will also help you understand the concepts of a ConfigMap and a Secret better.

Chapter 6: Configuring Storage with Kubernetes – focuses on storage patterns with Kubernetes. The chapter discusses Volumes, Persistent Volumes and StatefulSets in detail, followed by a practical example of a MongoDB installation. Furthermore, the chapter discusses disaster recovery of content stored using configured storage and the extensibility of the Kubernetes architecture using the Container Storage Interface.

Chapter 7: Introduction to Service Discovery - Service discovery tools help solve the problem of finding which processes are listening at which addresses for which services. In this chapter, the audience will get insight into the various ways of discovering services in a Kubernetes cluster. This chapter will act as a building block for section 3, where the conceptual discussion will cover how to achieve service discovery using Istio. The audience will also get insights into the various patterns of discovery and registration, and the same will be showcased as hands-on exercises in the chapter.
Chapter 8: Zero Trust Using Kubernetes - This chapter will introduce the audience to the aspects of modelling an application with Zero Trust principles in place. A lot of security aspects are already discussed in the previous chapters. For example, in Chapter 3, HTTP Load Balancing With Ingress, we will be talking about POD security. Similarly, in Chapter 4, Kubernetes Workload Resources, we plan to talk about security aspects when it comes to the creation of networks. This chapter will give the audience hands-on insight into how to achieve the aspects of this zero-trust security model using the individual building blocks discussed in the previous chapters.

Chapter 9: Monitoring, Logging and Observability - This chapter will talk about aspects of logging and monitoring of applications deployed in the Kubernetes cluster. This chapter will further discuss ways to implement basic SRE concepts and how the observability aspects are supported. Hands-on exercises will demonstrate each of the concepts of logging, monitoring and SRE by enhancing the microservice application written and developed in earlier chapters.

Chapter 10: Effective Scaling - One of the key advantages of using microservices deployed on Kubernetes is the powerful scaling mechanism. This chapter will help the audience understand the aspects of scaling in Kubernetes, which include horizontal & vertical pod scaling. Not only can we configure autoscaling on out-of-the-box metrics, but also on a custom metric or a combination of metrics. All the hands-on aspects will involve the three microservices which we created in earlier chapters. One microservice will be planned to scale horizontally and vertically, another will scale based on custom metrics, and the third will showcase scaling based on a combination of two metrics.

Chapter 11: Introduction to Service Mesh and Istio – starts with the basics of microservices and then talks in detail about the what, why and how of service mesh concepts. The chapter discusses the pros and cons of the service mesh as a concept and uses Istio as an example. The chapter then discusses the Istio architecture, installation techniques and the customizations of an Istio setup.

Chapter 12: Traffic Management Using Istio – is all about how to take the traffic management logic out of service code into declarative YAMLs. The chapter discusses controlling ingress traffic, egress traffic and gateways. The chapter introduces Kubernetes custom resources like VirtualService, DestinationRule and ServiceEntry and how to make use of them to achieve traffic management strategies like canary deployment and blue-green deployment. The chapter also explains with examples how to implement design patterns like circuit breaking, timeouts, retries and fault injection using a service mesh like Istio. This chapter introduces and uses a sample application to explain the traffic management patterns.

Chapter 13: Observability Using Istio – talks about how different open source observability tools like Kiali, Grafana, Prometheus and Jaeger can be used alongside Istio to improve observability. The sample application introduced in earlier chapters is used here again to show how to manage traffic patterns between different microservices, how to observe the scalability, how to monitor and search the logs, and how and where to view and search different metrics. The chapter also explains with examples how to use distributed tracing to debug latency issues in the application.

Chapter 14: Securing Your Services Using Istio – revolves around identity management, authorization and authentication using the built-in support that Istio provides. The chapter briefly introduces what secure communication is and then explains how Istio helps with certificate management to make intra-cluster communication secure by default. The chapter builds on top of the existing sample application used in previous chapters to explain concepts like the permissive mode of Istio, secure naming, peer authentication, service authorization, end-user authorization and so on. The chapter concludes by bringing it all together and explaining the security architecture of Istio.
Code Bundle and Coloured Images

Please follow the link to download the Code Bundle and the Coloured Images of the book: https://rebrand.ly/l14igmh

The code bundle for the book is also hosted on GitHub at https://github.com/bpbpublications/Hands-On-Kubernetes-Service-Mesh-and-Zero-Trust. In case there's an update to the code, it will be updated on the existing GitHub repository.

We have code bundles from our rich catalogue of books and videos available at https://github.com/bpbpublications. Check them out!

Errata

We take immense pride in our work at BPB Publications and follow best practices to ensure the accuracy of our content, to provide our subscribers with an engaging reading experience. Our readers are our mirrors, and we use their inputs to reflect on and improve upon human errors, if any, that may have occurred during the publishing processes involved. To let us maintain the quality and help us reach out to any readers who might be having difficulties due to any unforeseen errors, please write to us at: errata@bpbonline.com

Your support, suggestions and feedback are highly appreciated by the BPB Publications’ Family.

Did you know that BPB offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.bpbonline.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at: business@bpbonline.com for more details.

At www.bpbonline.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on BPB books and eBooks.
Piracy

If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at business@bpbonline.com with a link to the material.

If you are interested in becoming an author

If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit www.bpbonline.com. We have worked with thousands of developers and tech professionals, just like you, to help them share their insights with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions. We at BPB can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about BPB, please visit www.bpbonline.com.

Join our book's Discord space

Join the book's Discord Workspace for latest updates, offers, tech happenings around the world, new releases and sessions with the authors: https://discord.bpbonline.com
Table of Contents

1. Docker and Kubernetes 101 .......... 1
    Introduction .......... 1
    Structure .......... 2
    Objectives .......... 2
    Introduction to Docker .......... 2
    Introduction to Kubernetes .......... 8
        Kubernetes architecture .......... 10
            Kubernetes Master .......... 11
            Kubernetes Worker .......... 14
    Principles of immutability, declarative and self-healing .......... 16
        Principle of immutability .......... 16
        Declarative configurations .......... 16
        Self-healing systems .......... 17
    Installing Kubernetes .......... 17
        Installing Kubernetes locally using Minikube .......... 18
        Installing Kubernetes in Docker .......... 19
    Kubernetes client .......... 19
        Checking the version .......... 20
        Checking the status of Kubernetes Master Daemons .......... 20
        Listing all worker nodes and describing the worker node .......... 21
    Strategies to validate cluster quality .......... 23
        Cost-efficiency as measure of quality .......... 23
            Right nodes .......... 24
            Request and restrict specifications for pod CPU and memory resources .......... 24
            Persistent volumes .......... 24
            Data transfer costs and network costs .......... 24
        Security as a measure of quality .......... 25
    Conclusion .......... 25
    Points to remember .......... 25
    Multiple choice questions .......... 26
        Answers .......... 26

2. PODs .......... 27
    Introduction .......... 27
    Structure .......... 28
    Objectives .......... 28
    Concept of Pods .......... 29
    CRUD operations on Pods .......... 30
        Creating and running Pods .......... 30
        Listing Pods .......... 31
        Deleting Pods .......... 33
    Accessing PODs .......... 34
        Accessing via port forwarding .......... 34
        Running commands inside PODs using exec .......... 35
        Accessing logs .......... 36
    Managing resources .......... 36
        Resource requests: Minimum and maximum limits to PODs .......... 36
    Data persistence .......... 38
        Internal: Using data volumes with PODs .......... 39
        External: Data on remote disks .......... 41
    Health checks .......... 42
        Startup probe .......... 42
        Liveness probe .......... 43
        Readiness probe .......... 43
    POD security .......... 44
        Pod Security Standards .......... 45
        Pod Security Admissions .......... 46
    Conclusion .......... 47
    Points to remember .......... 47
    Questions .......... 47
        Answers .......... 48

3. HTTP Load Balancing with Ingress .......... 49
    Introduction .......... 49
    Structure .......... 49
    Objectives .......... 50
    Networking 101 .......... 50
        Configuring Kubeproxy .......... 53
        Configuring container network interfaces .......... 54
        Ingress specifications and Ingress controller .......... 55
    Effective Ingress usage .......... 62
        Utilizing hostnames .......... 62
        Utilizing paths .......... 63
    Advanced Ingress .......... 64
        Running and managing multiple Ingress controllers .......... 64
        Ingress and namespaces .......... 64
        Path rewriting .......... 64
        Serving TLS .......... 65
    Alternate implementations .......... 66
    API gateways .......... 68
        Need for API gateways .......... 68
            Routing requests .......... 69
            Cross-cutting concerns .......... 69
            Translating different protocols .......... 69
    Securing network .......... 69
        Securing via network policies .......... 69
        Securing via third-party tool .......... 70
        Best practices for securing a network .......... 71
    Conclusion .......... 72
    Points to remember .......... 72
    Multiple choice questions .......... 73
        Answers .......... 73
    Questions .......... 73

4. Kubernetes Workload Resources .......... 75
    Introduction .......... 75
    Structure .......... 76
    Objectives .......... 77
    ReplicaSets .......... 77
        Designing ReplicaSets .......... 77
        Creating ReplicaSets .......... 78
        Inspecting ReplicaSets .......... 79
        Scaling ReplicaSets .......... 79
        Deleting ReplicaSets .......... 81
    Deployments .......... 81
        Creating deployments .......... 82
        Managing deployments .......... 83
        Updating deployments .......... 83
        Deployment strategies .......... 86
        Monitoring deployment status .......... 86
        Deleting deployments .......... 87
    DaemonSets .......... 87
        Creating DaemonSets .......... 87
        Restricting DaemonSets to specific nodes .......... 89
        Updating DaemonSets .......... 90
        Deleting DaemonSets .......... 91
    Kubernetes Jobs .......... 92
        Jobs .......... 92
        Job patterns .......... 94
        Pod and container failures .......... 94
        Cleaning up finished jobs automatically .......... 94
        CronJobs .......... 95
    Conclusion .......... 96
    Points to remember .......... 97
    Questions .......... 98
        Answers .......... 98

5. ConfigMap, Secrets, and Labels .......... 99
    Introduction .......... 99
    Structure .......... 100
    Objectives .......... 100
    ConfigMap .......... 100
        Creating ConfigMap .......... 102
        Consuming ConfigMaps .......... 104
            Consume ConfigMap in the environment variables .......... 105
            Set command-line arguments with ConfigMap .......... 106
            Consuming ConfigMap via volume plugin .......... 107
    Secrets .......... 109
        Creating Secrets .......... 109
        Consuming Secrets .......... 111
            Consuming Secrets mounted as volume .......... 111
            Consuming Secrets as environment variables .......... 112
            Private docker registries .......... 112
    Managing ConfigMaps and Secrets .......... 113
        Listing .......... 113
        Creating .......... 114
        Updating .......... 114