# DevOps Training Session 14+15: Cloud - K8s Networking, Configuration, Security && Storage
###### tags: `devops` `reliable` `research`
Hello BTB again. In this session I will go over everything I know about k8s from my internship. It will take some of your time, and it will not be complete and may contain errors, but I will do my best. Let's implement --> [:small_airplane:](https://docs.google.com/presentation/d/1jCnkbjxjL3fkQVVBh8L4jRpsr_EjzD3G224FFI9rSbQ/edit?usp=sharing) && [:balloon:](https://docs.google.com/presentation/d/1dWQQlyhV-tAxNo3wOftPEwJhznoizTxyY1FJhbJLAO4/edit?usp=sharing)
## Overview
This session has a whole bunch of things to talk about. Let's go with:
1. Networking:
- This part covers how we expose the pods inside the cluster on a public IP
![](https://i.imgur.com/lpUHsGY.png)
- How to set things up to do the above job
![](https://i.imgur.com/MB0IcWX.png)
2. Configuration:
- This part covers how to mount configuration inside the pods, such as an nginx config
- How to set up the above and which things affect the workload
![](https://i.imgur.com/OKtof78.png)
![](https://i.imgur.com/q7YCUIb.png)
3. Security
- RBAC to restrict the resources inside the cluster for a user group or a service account
![](https://i.imgur.com/d7xJ5Sw.png)
4. Storage
- Using PVC, PV and StorageClass to mount data inside the pods
![](https://i.imgur.com/T1lQZlZ.png)
- How to prevent data from being erased or lost by using a PVC.
**Go to the k8s docs for more information:** [K8s document](https://kubernetes.io/docs/home/)
## Implement
1. Networking
- As I said, networking here is about how we point traffic at the target pods, and for that we have the Service.
- A Service works on two sides: inside, it points at the pods on their private IPs; outside, it exposes them via the service port.
- You can picture it like this:
```yaml
# app1.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Chart.Name }}
  labels:
    app: {{ .Chart.Name }}
  namespace: {{ .Values.namespace }}
spec:
  replicas: {{ .Values.replicasCount }}
  selector:
    matchLabels:
      app: {{ .Chart.Name }}
  template:
    metadata:
      labels:
        app: {{ .Chart.Name }}
    spec:
      serviceAccountName: {{ .Values.serviceAccountName }}
      containers:
        - name: {{ .Values.image.name }}
          image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
          ports:
            - containerPort: {{ .Values.image.containerPort }}
          resources:
            limits:
              memory: {{ .Values.resources.memory }}
              cpu: {{ .Values.resources.cpu }}
          env:
            - name: MESSAGE
              value: '{{ .Values.env.valueMessage }}'
            - name: PORT
              value: '{{ .Values.env.valuePort }}'
---
# service.yaml
apiVersion: v1
kind: Service
metadata:
  name: {{ .Chart.Name }}
  namespace: {{ .Values.namespace }}
spec:
  selector:
    app: {{ .Chart.Name }}
  type: ClusterIP
  sessionAffinity: None
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 10800
  ports:
    - name: {{ .Values.image.name }}
      protocol: {{ .Values.service.protocol }}
      port: {{ .Values.service.portExpose }}
      targetPort: {{ .Values.service.portTarget }}
```
When you deploy this, you get a Service that points at app1 on the configured port. So any ALB or public IP that points at the Service as app1:80 can reach the pods behind it.
To serve multiple pods we have an ALB, and the thing that represents it is nginx. NGINX has a component for exactly this purpose, the NGINX Ingress Controller: it maps the LoadBalancer IP to your Service and moves traffic into the pods through the load balancer gateway. NGINX also has a LoadBalancer method, so you can create internal and external ones, but I will not cover that in this session. We just use the Ingress, the piece that routes traffic to the pods in the cluster on their private IPs.
![](https://i.imgur.com/WGWjby6.png)
- To set this up we first create an Ingress, then point it at the nginx IngressClass, because that makes it easy to deliver and manage.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: {{ .Chart.Name }}
  namespace: {{ .Values.namespace }}
spec:
  ingressClassName: {{ .Values.spec.ingressClassName }}
  rules:
    - http:
        paths:
          - pathType: {{ .Values.spec.rules.routeType }}
            path: '{{ .Values.spec.rules.path }}'
            backend:
              service:
                name: {{ .Values.spec.service.name }}
                port:
                  number: {{ .Values.spec.service.port }}
```
- Note ingressClassName --> this must be nginx (lowercase). When you deploy the Ingress you need the nginx ingress controller, so you can use a helm_release to deliver it and avoid some errors.
- With Terraform you can implement it like this:
```hcl
resource "kubernetes_namespace" "ingress" {
  metadata {
    name = var.metadata-namespace
  }
}

resource "helm_release" "nginx-ingress-controller" {
  name       = "nginx-ingress-controller"
  namespace  = kubernetes_namespace.ingress.metadata[0].name
  repository = "https://charts.bitnami.com/bitnami"
  chart      = "nginx-ingress-controller"

  set {
    name  = "service.type"
    value = "ClusterIP"
  }
  set {
    name  = "scope.namespace"
    value = var.metadata-namespace
  }

  depends_on = [
    kubernetes_namespace.ingress
  ]
}
```
- Use whatever namespace you want, but you need to configure that same namespace in `scope.namespace` and change it accordingly. If not, it will error.
- After that, point it at the Ingress you created and boom, you have the website on a public IP.
![](https://i.imgur.com/wvWyeEE.png)
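As an added example (not from the original post, the Helm chart or the bitnami controller), here is a small Python preflight check for the Deployment -> Service -> Ingress chain described above: it verifies that the Service selector matches the pod template labels, that targetPort is a real containerPort, that the Ingress backend names the Service and one of its ports in the same namespace, and that ingressClassName is the lowercase nginx the post warns about. The manifests are constructed renders of the templates above with sample values (app1, namespace demo, port 80 -> 8080), all assumptions.

```python
# Constructed sample renders of the Helm templates above (values filled in by hand, not real output).
DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "app1", "namespace": "demo"},
              "spec": {"selector": {"matchLabels": {"app": "app1"}},
                       "template": {"metadata": {"labels": {"app": "app1"}},
                                    "spec": {"containers": [{"name": "app1", "ports": [{"containerPort": 8080}]}]}}}}
SERVICE = {"kind": "Service", "metadata": {"name": "app1", "namespace": "demo"},
           "spec": {"selector": {"app": "app1"}, "type": "ClusterIP",
                    "ports": [{"name": "app1", "protocol": "TCP", "port": 80, "targetPort": 8080}]}}
INGRESS = {"kind": "Ingress", "metadata": {"name": "app1", "namespace": "demo"},
           "spec": {"ingressClassName": "nginx",
                    "rules": [{"http": {"paths": [{"pathType": "Prefix", "path": "/",
                               "backend": {"service": {"name": "app1", "port": {"number": 80}}}}]}}]}}


def check_chain(deploy, svc, ing, expected_class="nginx"):
    """Return the wiring problems found; an empty list means Ingress -> Service -> Pod lines up.
    Only numeric targetPorts are handled here (named ports are left out for brevity)."""
    problems = []
    pod_labels = deploy["spec"]["template"]["metadata"]["labels"]
    # 1. Every selector label must be on the pod template, or the Service has no endpoints at all.
    for key, val in svc["spec"]["selector"].items():
        if pod_labels.get(key) != val:
            problems.append(f"service selector {key}={val} matches no pod template label")
    # 2. Each targetPort must be a containerPort, or traffic lands on a port nobody listens on.
    container_ports = {p["containerPort"] for c in deploy["spec"]["template"]["spec"]["containers"]
                       for p in c.get("ports", [])}
    for p in svc["spec"]["ports"]:
        if p["targetPort"] not in container_ports:
            problems.append(f"service targetPort {p['targetPort']} is not a containerPort")
    # 3. An Ingress backend can only reference a Service in its own namespace.
    if ing["metadata"]["namespace"] != svc["metadata"]["namespace"]:
        problems.append("ingress and service are in different namespaces")
    svc_ports = {p["port"] for p in svc["spec"]["ports"]}
    for rule in ing["spec"]["rules"]:
        for path in rule["http"]["paths"]:
            backend = path["backend"]["service"]
            if backend["name"] != svc["metadata"]["name"]:
                problems.append(f"ingress backend {backend['name']} is not this service")
            if backend["port"]["number"] not in svc_ports:
                problems.append(f"ingress backend port {backend['port']['number']} is not a service port")
    # 4. The class must match what the controller registered (lowercase 'nginx' for this chart).
    if ing["spec"].get("ingressClassName") != expected_class:
        problems.append(f"ingressClassName must be '{expected_class}' for the controller to pick it up")
    return problems
```

Run it against your own rendered manifests (for example the output of `helm template`) before applying them; any non-empty list is a reason the public IP will return an error instead of your page.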
## Reference
- [k8s-secret](https://kubernetes.io/docs/concepts/configuration/secret/)
- [k8s-config service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)
- [k8s-best-practice-ch4-secret-clusterole](https://www.oreilly.com/library/view/kubernetes-best-practices/9781492056461/ch04.html)
- [k8s-abac](https://kubernetes.io/docs/reference/access-authn-authz/abac/)
- [k8s-create-secret-using-manifest-file](https://spacelift.io/blog/kubernetes-secrets#creating-secrets-using-a-manifest-file)
- [terraform-k8s](https://spacelift.io/blog/terraform-vs-kubernetes)
- [Limiting access to Kubernetes resources with RBAC](https://learnk8s.io/rbac-kubernetes#scenario-2-role-and-rolebinding-in-a-different-namespace)
- [Curl issue for access k8s-api](https://stackoverflow.com/questions/48311683/how-can-i-use-curl-to-access-the-kubernetes-api-from-within-a-pod)
- [Good practice for K8s secrets](https://kubernetes.io/docs/concepts/security/secrets-good-practices/)
- [k8s-rbac](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping)
- [rbac-for-cluster](https://lazyadmin.info/cau-hinh-rbac-cho-kubernetes-cluster/)
- [example-cluster-role-binding](https://github.com/confluentinc/confluent-kubernetes-examples/blob/master/security/kubernetes-rbac/cluster-role-rolebinding.yaml)
- [get list env in linux](https://www.cyberciti.biz/faq/linux-list-all-environment-variables-env-command/)
- [helm-rbac](https://helm.sh/docs/topics/rbac/)
- [k8s-object-management](https://kubernetes.io/docs/concepts/overview/working-with-objects/object-management/)
- [k8s-access-cluster](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/)
- [k8s-service-account-example](https://k8s-examples.container-solutions.com/examples/ServiceAccount/ServiceAccount.html)
- [k8s-how-to-service-account-work](https://loft.sh/blog/kubernetes-service-account-what-it-is-and-how-to-use-it/)
- [jq example](https://lindevs.com/install-jq-on-ubuntu)