Try   HackMD

DevOps Training Session 14+15: Cloud - K8s Networking, Configuration, Security && Storage

tags: devops reliable research

Hello BTB again. On this session, i will refer to anything i know about k8s during intership. I will cost you time but i think it will not completely and have error but i will do with best possibility.Let implement > :small_airplane: && :balloon:

Overview

This session have whole a bunch of thing to talk. Let go with:

  1. Networking:
  • This part is talk how to we point the the public IP for pods inside cluster
  • How to setup the thing to do the above job
  1. Configuration:
  • This part is talk how to mounting configuration inside the pods like nginx config
  • How to setup above and what thing effect into workload

  1. Security
  • About RBAC for restrict the resource inside cluster for user group or service account
  1. Storage
  • About using PVC, PV and Storage class to mounting data inside the pods
  • How to prevent erase the data and lost data by usin pvc.
    Go to k8s for more information K8s document

Implement

1.Networking

  • Like i said this networking is how i do pointing the target for purpose pods so we had the service
  • service will work to 2 side, sidein with point into pods with private inside and expose that via serivce port
  • You can image it will be like that
# app1.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Chart.Name }}
  labels:
    app: {{ .Chart.Name }}
  namespace: {{ .Values.namespace }}
spec:
  replicas: {{ .Values.replicasCount }}
  selector:
    matchLabels:
      app: {{ .Chart.Name }}
  template:
    metadata:
      labels:
        app: {{ .Chart.Name }}
    spec:
      serviceAccountName: {{ .Values.serviceAccountName }}
      containers:
      - name: {{ .Values.image.name }}
        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
        ports:
        - containerPort: {{ .Values.image.containerPort }}
        resources:
          limits: 
            memory: {{ .Values.resources.memory }}
            cpu: {{ .Values.resources.cpu }}
        env:
          - name: MESSAGE
            value: '{{ .Values.env.valueMessage }}'
          - name: PORT
            value: '{{ .Values.env.valuePort }}'

# service.yaml
apiVersion: v1
kind: Service
metadata:
  name: {{ .Chart.Name }}
  namespace: {{ .Values.namespace }}
spec:
  selector:
    app: {{ .Chart.Name }}
  type: ClusterIP
  sessionAffinity: None
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 10800
  ports:
  - name: {{ .Values.image.name }}
    protocol: {{ .Values.service.protocol }}
    port: {{ .Values.service.portExpose }}
    targetPort: {{ .Values.service.portTarget }}

If you point it via serive work it will deploy for u a service point to app1 and port. So if any IP of ALB or Public Ip point into serive with app1:80. It can access inside that pods.

So for doing with multiple pods we got ALB and the represent for it will nginx. And nginx have a thing can using for more purpose is NGINX Ingress Controller, so u understand this thing will point LoadBalancer IP to your service for and move traffic into pods throught Load Balancer Gateway. So NGINX have method is Load Balancer so we can do it will create something internal and outernal but i will not refer on this session. So we just put ingress, the pressent to load traffic inside the pods in cluster with private IP

  • So for setup that we need create ingress first and after that we will point the ingress with ingress class Nginx because it will easy deliver for us to manage.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: {{ .Chart.Name }}
  namespace: {{ .Values.namespace }}
spec:
  ingressClassName: {{ .Values.spec.ingressClassName }}
  rules:
    - http:
        paths:
        - pathType: {{ .Values.spec.rules.routeType }}
          path: '{{ .Values.spec.rules.path }}'
          backend:
            service:
              name: {{ .Values.spec.service.name }}
              port:
                number: {{ .Values.spec.service.port }}
  • you see ingressClassName > this must be nginx (lowercase). When you deploy ingress you need ingress controller by nginx. So you can use the helm-release to deliver that don't meet some err
  • So with terraform u can implement like this
resource "kubernetes_namespace" "ingress" {
    metadata {
      name = var.metadata-namespace
    }
}

resource "helm_release" "nginx-ingress-controller" {
  name = "nginx-ingress-controller"
  namespace = kubernetes_namespace.ingress.metadata[0].name
  repository = "https://charts.bitnami.com/bitnami"
  chart      = "nginx-ingress-controller"

  set {
    name  = "service.type"
    value = "ClusterIP"
  }

  set {
    name = "scope.namespace"
    value = var.metadata-namespace
  }

  depends_on = [
    kubernetes_namespace.ingress
  ]
}
  • Put that with your name space you want but need to configure namespace in scope and change it. If not i will err.
  • After that you can understand point it with ingress you create and boom you got the website with public IP

Reference

Last changed by 
XeusNguyen
Stay humble and enthusiastic with passion. Follow me more on: https://wiki.xeusnguyen.xyz
0
71

Read more

LFI and Path Traversal

In some scenarios, web applications are written to request access to files on a given system, including images, static text, and so on via parameters. Parameters are query parameter strings attached to the URL that could be used to retrieve data or perform actions based on user input. The following graph explains and breaking down the essential parts of the URL.

Mar 2, 2025
Snyk vs Sonarqube - Securing your code

Đây là công đoạn yêu cầu nhiều tài nguyên và cách tiếp cận khác nhau để khai thác trong suốt quá trình phát triển của sản phẩm phần mềm (SDLC)(Hình ảnh của Topdev)

Dec 21, 2024
Devops Training Session 16: Setup Observability for Kubernetes

helm-chart-grafana-values

Dec 21, 2024
Hackwekend Session 5 - Cloud Security (AWS IAM Policy)

First solve

May 5, 2024
Read more from XeusNguyen
Published on HackMD