Hands-On Kubernetes, Service Mesh and Zero-Trust: Build and manage secure applications using Kubernetes and Istio

Building and managing secure applications is a crucial aspect of modern software development, especially in distributed environments. Kubernetes and Istio, when combined, provide a powerful platform for achieving application security and managing it effectively. If you want to build and manage secure applications with ease, then this book is an ideal resource for you.

The book extensively covers the building blocks of the Kubernetes orchestration engine, providing in-depth insights into the key Kubernetes objects used for deploying containerized applications. It then covers all major Kubernetes constructs, offering guidance on their appropriate use in different scenarios while emphasizing the significance of a Zero Trust architecture. It also addresses service discovery, logging, and monitoring, which play a critical role in managing distributed applications, and incorporates essential concepts from Site Reliability Engineering so that engineering teams can proactively meet Service Level Agreements and attain operational readiness. In the final section, the book takes a deep dive into Service Mesh, with a special focus on Istio. By the end of the book, you will have the knowledge and skills to build, deploy, and manage secure applications using Kubernetes and Istio.

The objective of this book is to streamline creating and operating workloads on Kubernetes. It guides and trains software teams to run Kubernetes clusters directly (with or without managed offerings such as EKS or GKE), use API gateways in production, and utilise the Istio service mesh, so that business applications are delivered smoothly, with agility and fewer errors. The reader masters service mesh and Kubernetes by delving into their complexities and adopting the best practices for these tools and approaches.

When an organization runs hundreds of microservices across several Kubernetes clusters, the attack surface grows and a breach becomes more likely; this is why Zero Trust architecture is kept in mind throughout the software development cycle. The book also uses observability tooling to build a robust yet clean set of monitoring metrics (latency, traffic, errors, and saturation, the four golden signals) into a single performance dashboard for all microservices. After reading this book, the audience will better understand, manage, and handle the challenges of deploying applications to production, application reliability, application security, and observability.
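The blurb above names the combination the book is built around: Kubernetes-level controls (Pod Security Admission, NetworkPolicy) plus Istio-level identity controls (mutual TLS, authorization). The manifest below is an added illustration of what that Zero Trust baseline looks like for one namespace; it is not code from the book or from the Istio project. The namespace name `shop`, the workload label `app: orders`, the caller service account `frontend`, and an Istio control plane in `istio-system` with istiod labelled `app: istiod` are assumptions; the `kube-dns` label and ports match a standard cluster but should be checked against your CNI and DNS setup.

```yaml
# Namespace: sidecar injection on, Pod Security Admission enforcing "restricted"
apiVersion: v1
kind: Namespace
metadata:
  name: shop                     # assumed application namespace
  labels:
    istio-injection: enabled
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted
---
# Default deny: no pod in the namespace may send or receive anything until allowed
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Carve-out 1: DNS, or nothing can resolve cluster service names
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: shop
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - { protocol: UDP, port: 53 }
    - { protocol: TCP, port: 53 }
---
# Carve-out 2: the sidecar must reach istiod (xDS config and workload certificates)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-istiod-egress
  namespace: shop
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: istio-system
      podSelector:
        matchLabels:
          app: istiod
    ports:
    - { protocol: TCP, port: 15012 }
---
# Istio: every workload in the namespace must present and verify a mesh certificate
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT
---
# Istio: an AuthorizationPolicy with an empty spec denies all requests in the namespace
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop
spec: {}
---
# Istio: the only ALLOW rule; identity is the caller's SPIFFE principal, not its IP
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders                # assumed label on the orders workload
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]   # assumed caller SA
    to:
    - operation:
        methods: ["GET"]
        paths: ["/orders", "/orders/*"]
```

Two caveats a practitioner will hit immediately. First, the network layer and the mesh layer are enforced independently: a request from `frontend` to `orders` must be allowed by both, so every permitted service-to-service path also needs its own NetworkPolicy pair (egress on the caller, ingress on the callee) in addition to the Istio ALLOW rule; with only the manifests above, `frontend` still cannot reach `orders` at the packet level, which is the intended starting point. Second, the `restricted` Pod Security Standard rejects the default `istio-init` container because it needs `NET_ADMIN`/`NET_RAW` to install iptables redirects; either install the Istio CNI node agent so that injection no longer needs those capabilities, or enforce `baseline` until you do. To confirm the authorization policy is active, exec into any pod in `shop` that does not run as the `frontend` service account and curl `orders`; the sidecar should answer `403` with `RBAC: access denied` rather than the application's response.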

Author(s): Swapnil Dubey, Mandar J. Kulkarni
Publisher: BPB Publications
Year: 2023

Language: English
Pages: 376

Book Title
Inner title
Copyright
Dedicated
About the Authors
About the Reviewer
Acknowledgements
Preface
Code Bundle and Coloured Images
Piracy
Table of Contents
Chapter 1: Docker and Kubernetes 101
Introduction
Structure
Objectives
Introduction to Docker
Introduction to Kubernetes
Kubernetes architecture
Principles of immutability, declarative and self-healing
Installing Kubernetes
Installing Kubernetes locally using Minikube
Installing Kubernetes in Docker
Kubernetes client
Checking the version
Checking the status of Kubernetes Master Daemons
Listing all worker nodes and describing the worker node
Strategies to validate cluster quality
Cost-efficiency as measure of quality
Conclusion
Points to remember
Multiple choice questions
Answers
Chapter 2: Pods
Introduction
Structure
Objectives
Concept of Pods
CRUD operations on Pods
Creating and running Pods
Listing Pods
Deleting Pods
Accessing Pods
Accessing via port forwarding
Running commands inside Pods using exec
Accessing logs
Managing resources
Resource requests: Minimum and maximum limits to Pods
Data persistence
Internal: Using data volumes with Pods
External: Data on remote disks
Health checks
Startup probe
Liveness probe
Readiness probe
Pod security
Pod Security Standards
Pod Security Admission
Conclusion
Points to remember
Questions
Answers
Chapter 3: HTTP Load Balancing with Ingress
Introduction
Structure
Objectives
Networking 101
Configuring Kubeproxy
Configuring container network interfaces
Ingress specifications and Ingress controller
Effective Ingress usage
Utilizing hostnames
Utilizing paths
Advanced Ingress
Running and managing multiple Ingress controllers
Ingress and namespaces
Path rewriting
Serving TLS
Alternate implementations
API gateways
Need for API gateways
Securing network
Securing via network policies
Securing via third-party tool
Best practices for securing a network
Conclusion
Points to remember
Multiple choice questions
Answers
Questions
Chapter 4: Kubernetes Workload Resources
Introduction
Structure
Objectives
ReplicaSets
Designing ReplicaSets
Creating ReplicaSets
Inspecting ReplicaSets
Scaling ReplicaSets
Deleting ReplicaSets
Deployments
Creating deployments
Managing deployments
Updating deployments
Deployment strategies
Monitoring deployment status
Deleting deployments
DaemonSets
Creating DaemonSets
Restricting DaemonSets to specific nodes
Updating DaemonSets
Deleting DaemonSets
Kubernetes Jobs
Jobs
Job patterns
Pod and container failures
Cleaning up finished jobs automatically
CronJobs
Conclusion
Points to remember
Questions
Answers
Chapter 5: ConfigMap, Secrets, and Labels
Introduction
Structure
Objectives
ConfigMap
Creating ConfigMap
Consuming ConfigMaps
Secrets
Creating Secrets
Consuming Secrets
Managing ConfigMaps and Secrets
Listing
Creating
Updating
Applying and modifying labels
Label selectors
Equality-based selector
Set-based selectors
Role of labels in Kubernetes architecture
Defining annotations
Conclusion
Points to remember
Questions
Answers
Chapter 6: Configuring Storage with Kubernetes
Introduction
Structure
Objectives
Storage provisioning in Kubernetes
Volumes
Persistent Volumes and Persistent Volume claims
Storage class
Using StorageClass for dynamic provisioning
StatefulSets
Properties of StatefulSets
Volume claim templates
Headless service
Installing MongoDB on Kubernetes using StatefulSets
Disaster recovery
Container storage interface
Conclusion
Points to remember
Questions
Answers
Chapter 7: Introduction to Service Discovery
Introduction
Structure
Objectives
What is service discovery?
Client-side discovery pattern
Server-side discovery pattern
Service registry
Registration patterns
Self-registration pattern
Third-party registration
Service discovery in Kubernetes
Service discovery using etcd
Service discovery in Kubernetes via Kubeproxy and DNS
Advanced details
Endpoints
Manual service discovery
Cluster IP environment variables
Kubeproxy and cluster IPs
Conclusion
Points to remember
Questions
Answers
Chapter 8: Zero Trust Using Kubernetes
Introduction
Structure
Objectives
Kubernetes security challenges
Role-based access control (RBAC)
Identity
Role and role bindings
Managing RBAC
Aggregating cluster roles
User groups for bindings
Introduction to Zero Trust Architecture
Recommendations for Kubernetes Pod security
Recommendations for Kubernetes network security
Recommendations for authentication and authorization
Recommendations for auditing and threat detection
Recommendations for application security practices
Zero trust in Kubernetes
Identity-based service to service accesses and communication
Include secret and certificate management and hardened Kubernetes encryption
Enable observability with audits and logging
Conclusion
Points to remember
Questions
Answers
Chapter 9: Monitoring, Logging and Observability
Introduction
Structure
Objectives
Kubernetes observability deep dive
Selecting metrics for SLIs
Setting SLO
Tracking error budgets
Creating alerts
Probes and uptime checks
Pillars of Kubernetes observability
Challenges in observability
Exploring metrics using Prometheus and Grafana
Installing Prometheus and Grafana
Pushing custom metrics to Prometheus
Creating a dashboard on the metrics using Grafana
Logging and tracing
Logging using Fluentd
Tracing with OpenTelemetry using Jaeger
Defining a typical SRE process
Responsibilities of SRE
Incident management
Playbook maintenance
Drills
Selecting monitoring, metrics and visualization tools
Conclusion
Points to remember
Questions
Answers
Chapter 10: Effective Scaling
Introduction
Structure
Objectives
Needs of scaling microservices individually
Principles of scaling
Challenges of scaling
Introduction to auto scaling
Types of scaling in K8s
Horizontal pod scaling
Vertical pod scaling
Cluster autoscaling
Standard metric scaling
Custom metric scaling
Best practices of scaling
Conclusion
Points to remember
Questions
Answers
Chapter 11: Introduction to Service Mesh and Istio
Introduction
Structure
Objectives
Why do you need a Service Mesh?
Service discovery
Load balancing the traffic
Monitoring the traffic between services
Collecting metrics
Recovering from failure
What is a Service Mesh?
What is Istio?
Istio architecture
Data plane
Control plane
Installing Istio
Installation using istioctl
Cost of using a Service Mesh
Data plane performance and resource consumption
Control plane performance and resource consumption
Customizing the Istio setup
Conclusion
Points to remember
Questions
Answers
Chapter 12: Traffic Management Using Istio
Introduction
Structure
Objectives
Traffic management via gateways
Virtual service and destination rule
Controlling Ingress and Egress traffic
Shifting traffic between versions
Injecting faults for testing
Timeouts and retries
Circuit breaking
Conclusion
Points to remember
Questions
Answers
Chapter 13: Observability Using Istio
Introduction
Structure
Objectives
Understanding the telemetry flow
Sample application and proxy logs
Visualizing Service Mesh with Kiali
Querying Istio Metrics with Prometheus
Monitoring dashboards with Grafana
Distributed tracing
Conclusion
Points to remember
Questions
Answers
Chapter 14: Securing Your Services Using Istio
Introduction
Structure
Objectives
Identity Management with Istio
Identity verification in TLS
Certificate generation process in Istio
Authentication with Istio
Mutual TLS authentication
Secure naming
Peer authentication with a sample application
Authorization with Istio
Service authorization
End user authorization
Security architecture of Istio
Conclusion
Points to remember
Questions
Answers
Index
Back title