Kubernetes - Hardway
K8s Meetup, BLR
Neependra Khare @neependra
Vishal Ghule @theVishalGhule
Neependra Khare
● Founder and Principal Consultant at CloudYuga
● Certified Kubernetes Administrator
● Author of Docker Cookbook - 2015
● Author of “Introduction to Kubernetes” course on edX
● Running Docker Meetup Group in Bangalore, India for more than 5 years now
Vishal Ghule
● Software Engineer and Corporate Trainer @ CloudYuga
● Certified Kubernetes Administrator
Tutorial Content and Tool Details
● Tutorial Content
○ https://github.com/cloudyuga/k8s-hard-way
● CloudYuga’s tool to access the above content in an easier way
○ Sign up: https://pilot.cloudyuga.guru/
Security Certificates
A security certificate is a data file through which the identity, authenticity and reliability of communicating parties are established.
https://blog.cloudflare.com/content/images/2015/06/anatomy-of-a-certificate.png
Certificate Authority (CA)
https://www.jscape.com/hubfs/images/csr-ca-signed-server-certificate.png
Certificate Generation Demo
Server and Client Certificate
Server Certificates
● Server certificates are used to authenticate server identity to the client(s).
● Server certificates are based on Public Key Infrastructure.
● Example: API Server Certificates
Client Certificates
● Client certificates are used to authenticate the client (user) identity to the server.
● Client certificates are based on Public Key Infrastructure.
● Example: Admin User Certificate.
https://cheapsslsecurity.com/blog/client-certificate-vs-server-certificate-simplifying-the-difference/
PKI
PKI In K8s
➢ Kubernetes requires PKI certificates for authentication over
TLS
➢ The cluster CA is used by cluster components to validate the API server’s certificate and by the API server to validate kubelet client certificates.
➢ The CA is used to generate the different certificates that you’ll distribute to components of the Kubernetes infrastructure.
Kubernetes Server and Client Certificate list
Client Certificates. [Private key and certificates signed by CA]
➢ The Admin Client Certificate
➢ The Kubelet Client Certificates (For each worker node)
➢ The Controller Manager Client Certificate
➢ The Kube Proxy Client Certificate
➢ The Scheduler Client Certificate
Server Certificates. [Private key and certificates signed by CA]
➢ The Kubernetes API Server Certificate
This certificate carries the API server’s static IP addresses in its list of subject alternative names. Server certificates are used to authenticate server identity to the client.
-hostname=10.32.0.1,${MASTER_1_PRIVATE_IP},${MASTER_2_PRIVATE_IP},${MASTER_1_PUBLIC_IP},${MASTER_2_PUBLIC_IP},${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,kubernetes.default
-profile=kubernetes
$ openssl x509 -in kube-controller-manager.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            52:f3:73:9b:fd:13:14:50:f8:36:9e:1f:36:4c:17:fa:b7:3a:fe:18
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=IN, ST=Karnataka, L=Bangalore, O=Kubernetes, OU=CA, CN=Kubernetes
        Validity: ………
        Subject: C=IN, ST=Karnataka, L=Bangalore, O=system:kube-controller-manager, OU=Kubernetes The Hard Way, CN=system:kube-controller-manager
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                96:78:B4:5A:8C:AD:F6:9D:95:D5:86:35:F2:19:9E:79:62:C7:BD:63
            X509v3 Authority Key Identifier:
                keyid:1E:40:B9:6B:A7:49:E1:CD:B7:3C:AC:52:62:84:2B:95:8F:1B:CE:4D
Kubernetes Architecture
[Diagram: Master Node running Controller, Scheduler, API Server and the key/value store; three Nodes, each running Kubelet and kube-proxy; CLI/API in front of the API Server.]
K8s-Hardway Cluster Specifications:
➢ Kubernetes v1.12
➢ containerd Container Runtime v1.1.0
➢ CNI Container Networking 0.7.1
➢ etcd v3.3.5
➢ Kube-DNS
Kubernetes: One or Many CAs
➢ Every Kubernetes cluster has a cluster root Certificate Authority (CA)
➢ This CA is used by cluster components to validate each other.
➢ This root CA can then create multiple intermediate CAs, and delegate all
further creation to Kubernetes itself.
The kubelet Kubernetes Configuration File
When generating kubeconfig files for Kubelets the client certificate
matching the Kubelet node name must be used. This will ensure Kubelets
are properly authorized by the Kubernetes Node Authorizer.
[Diagram: the Kubelet on Worker Node-1 and the Kubelet on Worker Node-2 each connect to the API Server.]
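The certificate relationships on the last few slides (cluster CA, API server certificate with its -hostname SAN list, component client certificates as in the openssl dump, and the node-name match the Node Authorizer relies on), as an added Go example written for this page with the standard library only. It is not code from the deck or from the cloudyuga/k8s-hard-way tutorial, which uses cfssl instead; the master address 10.240.0.10, the node name worker-1 and all keys are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var serial int64 // sequential serials keep the demo deterministic; a real CA uses random ones

func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

// newCA builds the cluster root CA (self-signed, CA:TRUE), the role of `cfssl gencert -initca` in the tutorial.
func newCA() (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{Organization: []string{"Kubernetes"}, OrganizationalUnit: []string{"CA"}, CommonName: "Kubernetes"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issue signs a leaf the way the slides' -profile=kubernetes does (CA:FALSE, Digital Signature +
// Key Encipherment, server and client auth EKU); hosts become the IP/DNS SANs of the -hostname list.
func issue(ca *x509.Certificate, caKey *rsa.PrivateKey, cn string, orgs, hosts []string) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{Organization: orgs, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func roots(ca *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(ca); return p }

// verifyServer is the client side (kubectl, kubelet, kube-proxy): chain to the cluster CA
// and require the address that was dialed to appear in the certificate's SANs.
func verifyServer(ca, cert *x509.Certificate, dialed string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots(ca), DNSName: dialed,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// identityFromClientCert is what the API server's x509 authenticator derives from a client
// certificate that chains to the CA: CN becomes the user name, O entries become the groups.
func identityFromClientCert(ca, cert *x509.Certificate) (string, []string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots(ca),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", nil, err
	}
	return cert.Subject.CommonName, cert.Subject.Organization, nil
}

// isNodeIdentity is the precondition the Node Authorizer checks before authorizing a kubelet:
// the user must be system:node:<nodeName> and belong to the system:nodes group.
func isNodeIdentity(user string, groups []string, nodeName string) bool {
	for _, g := range groups {
		if g == "system:nodes" {
			return user == "system:node:"+nodeName
		}
	}
	return false
}

func main() {
	ca, caKey := newCA() // 10.240.0.10 below is a constructed stand-in for a master's address
	api := issue(ca, caKey, "kubernetes", []string{"Kubernetes"}, []string{"10.32.0.1", "10.240.0.10", "127.0.0.1", "kubernetes.default"})
	fmt.Println("kubernetes.default:", verifyServer(ca, api, "kubernetes.default"), "| 10.240.0.99:", verifyServer(ca, api, "10.240.0.99"))
	user, groups, err := identityFromClientCert(ca, issue(ca, caKey, "system:node:worker-1", []string{"system:nodes"}, nil))
	fmt.Println(user, groups, err, isNodeIdentity(user, groups, "worker-1"))
}
```

The two verification paths are the ones the slides describe in words: a client verifying the API server rejects any address missing from the -hostname list, and the API server derives user and groups from CN and O of a client certificate only after it chains to the cluster CA, which is why a kubelet's certificate has to be issued for exactly its node name.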
The kube-proxy Kubernetes Configuration File
➢ The kube-proxy Kubernetes configuration file enables kube-proxy to locate and authenticate to the Kubernetes API servers.
➢ The kube-proxy service is configured with this file so that it can talk to the API servers.
[Diagram: Kube-Proxy on Worker Node-1 and Kube-Proxy on Worker Node-2 each connect to the API Server.]
The kube-controller-manager Kubeconfig File
➢ This Kubernetes Configuration will enable kube-controller-manager to
locate and authenticate to the Kubernetes API Servers.
➢ kube-controller-manager Kubeconfig File must be added to
kube-controller-manager service
[Diagram: Kube-Controllers connecting to the API Servers.]
The kube-scheduler Kubeconfig File
➢ The kube-scheduler Kubeconfig file will allow kube-scheduler to locate
and authenticate to the Kubernetes API Servers.
➢ Must be added to manifest in kube-scheduler.yaml
[Diagram: Kube-Scheduler connecting to the API Servers.]
The Service Account Key Pair
The Kubernetes Controller Manager uses a key pair to generate and sign service account tokens, as described in the managing service accounts documentation.
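Signing and verifying a service account token with that key pair, as an added Go example written for this page; it is not the controller manager's or API server's code. The token layout (an RS256 JWT with iss kubernetes/serviceaccount and sub system:serviceaccount:<namespace>:<name>) follows the legacy service account tokens; the claim values, the key pair and the edited token are constructed here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// saClaims holds the claims of a legacy service account token; the values used
// below are constructed for the example.
type saClaims struct {
	Iss       string `json:"iss"`
	Sub       string `json:"sub"`
	Namespace string `json:"kubernetes.io/serviceaccount/namespace"`
	Name      string `json:"kubernetes.io/serviceaccount/service-account.name"`
}

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// signToken plays the controller manager: RS256 (PKCS#1 v1.5 over SHA-256)
// over header.payload with the private half of the service account key pair.
func signToken(priv *rsa.PrivateKey, c saClaims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyToken plays the API server: it holds only the public half, pins the
// algorithm, checks the signature, then the issuer. Nothing in the payload is
// trusted before the signature check.
func verifyToken(pub *rsa.PublicKey, token string) (saClaims, error) {
	var c saClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if h, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" {
		return c, errors.New("header must declare alg RS256")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, fmt.Errorf("bad signature: %w", err)
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Iss != "kubernetes/serviceaccount" {
		return c, errors.New("unexpected issuer")
	}
	return c, nil
}

// withSubject rewrites the payload's sub but keeps the old signature. It exists
// to show that a token edited without the private key no longer verifies.
func withSubject(token, sub string) string {
	parts := strings.Split(token, ".")
	payload, _ := b64.DecodeString(parts[1])
	var m map[string]interface{}
	_ = json.Unmarshal(payload, &m)
	m["sub"] = sub
	edited, _ := json.Marshal(m)
	return parts[0] + "." + b64.EncodeToString(edited) + "." + parts[2]
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // the service account key pair
	tok, _ := signToken(priv, saClaims{Iss: "kubernetes/serviceaccount",
		Sub: "system:serviceaccount:default:web", Namespace: "default", Name: "web"})
	_, err := verifyToken(&priv.PublicKey, tok)
	fmt.Println("genuine token:", err)
	_, err = verifyToken(&priv.PublicKey, withSubject(tok, "system:serviceaccount:kube-system:web"))
	fmt.Println("edited token: ", err)
}
```

This is why the private key is handed to the controller manager alone (--service-account-private-key-file) while the API server only needs the public half to validate tokens: whoever holds the private key can mint tokens for any service account, so it belongs with the signer and nowhere else.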
The admin user Kubernetes Configuration File
➢ This Kubeconfig file will allow admin user to locate and authenticate to
the Kubernetes API Servers.
➢ Configures administrator user for the cluster
[Diagram: the Admin User runs kubectl, which reaches the API Server on each of two Master Nodes through a Load Balancer.]
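What the kubeconfig files on the preceding slides (kubelet, kube-proxy, kube-controller-manager, kube-scheduler, admin) actually carry, and the checks worth running on one, as an added Go example that is not part of the deck or the tutorial. The cluster name kubernetes-the-hard-way and the context name default follow the upstream tutorial's kubectl config commands and are assumptions here; the PEM blocks are constructed placeholders rather than real certificates; the struct tags use the JSON field names, which kubectl's YAML parser also accepts.

```go
package main

import (
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// The subset of the kubeconfig schema the hard-way files use, with the field names kubectl writes.
type Kubeconfig struct {
	APIVersion     string         `json:"apiVersion"`
	Kind           string         `json:"kind"`
	Clusters       []NamedCluster `json:"clusters"`
	Users          []NamedUser    `json:"users"`
	Contexts       []NamedContext `json:"contexts"`
	CurrentContext string         `json:"current-context"`
}
type Cluster struct {
	Server                   string `json:"server"`
	CertificateAuthorityData string `json:"certificate-authority-data,omitempty"`
	InsecureSkipTLSVerify    bool   `json:"insecure-skip-tls-verify,omitempty"`
}
type User struct {
	ClientCertificateData string `json:"client-certificate-data,omitempty"`
	ClientKeyData         string `json:"client-key-data,omitempty"`
}
type Context struct {
	Cluster string `json:"cluster"`
	User    string `json:"user"`
}
type NamedCluster struct { Name string `json:"name"`; Cluster Cluster `json:"cluster"` }
type NamedUser struct { Name string `json:"name"`; User User `json:"user"` }
type NamedContext struct { Name string `json:"name"`; Context Context `json:"context"` }

// buildKubeconfig does what the tutorial's `kubectl config set-cluster`, `set-credentials` and
// `set-context` calls with --embed-certs=true do: the server address (locate), the CA (verify the
// server), and the client certificate and key (authenticate), base64-embedded so the file is self-contained.
func buildKubeconfig(user, server string, caPEM, certPEM, keyPEM []byte) Kubeconfig {
	enc := base64.StdEncoding.EncodeToString
	return Kubeconfig{
		APIVersion: "v1", Kind: "Config", CurrentContext: "default",
		Clusters: []NamedCluster{{Name: "kubernetes-the-hard-way", Cluster: Cluster{Server: server, CertificateAuthorityData: enc(caPEM)}}},
		Users:    []NamedUser{{Name: user, User: User{ClientCertificateData: enc(certPEM), ClientKeyData: enc(keyPEM)}}},
		Contexts: []NamedContext{{Name: "default", Context: Context{Cluster: "kubernetes-the-hard-way", User: user}}},
	}
}

// validate runs the checks worth making on a generated kubeconfig: the current context resolves,
// the server is reached over TLS with a pinned CA rather than insecure-skip-tls-verify, and the user carries a certificate and a key.
func validate(cfg Kubeconfig) error {
	var ctx *Context
	for i, c := range cfg.Contexts { if c.Name == cfg.CurrentContext { ctx = &cfg.Contexts[i].Context } }
	if ctx == nil {
		return fmt.Errorf("current-context %q is not defined", cfg.CurrentContext)
	}
	var cl *Cluster
	var u *User
	for i, c := range cfg.Clusters { if c.Name == ctx.Cluster { cl = &cfg.Clusters[i].Cluster } }
	for i, x := range cfg.Users { if x.Name == ctx.User { u = &cfg.Users[i].User } }
	if cl == nil || u == nil {
		return errors.New("context references an undefined cluster or user")
	}
	if !strings.HasPrefix(cl.Server, "https://") {
		return errors.New("server must be an https:// address")
	}
	if cl.InsecureSkipTLSVerify {
		return errors.New("insecure-skip-tls-verify is set: the API server certificate would go unchecked")
	}
	for _, f := range []struct{ field, data, want string }{
		{"certificate-authority-data", cl.CertificateAuthorityData, "CERTIFICATE"},
		{"client-certificate-data", u.ClientCertificateData, "CERTIFICATE"},
		{"client-key-data", u.ClientKeyData, "PRIVATE KEY"},
	} {
		if err := checkPEM(f.data, f.want); err != nil {
			return fmt.Errorf("%s: %w", f.field, err)
		}
	}
	return nil
}

// checkPEM decodes an embedded field and checks only the PEM block type (the sample blocks are placeholders).
func checkPEM(data, want string) error {
	raw, err := base64.StdEncoding.DecodeString(data)
	if err != nil {
		return err
	}
	block, _ := pem.Decode(raw)
	if block == nil || !strings.HasSuffix(block.Type, want) { // suffix accepts "RSA PRIVATE KEY" too
		return fmt.Errorf("expected a %s PEM block", want)
	}
	return nil
}

// placeholderPEM builds a syntactically valid PEM block whose body is constructed filler, standing in for the files cfssl produced earlier.
func placeholderPEM(typ string) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: []byte("constructed placeholder for " + typ)})
}
```

The same builder serves every component on the slides; only the user name and the certificate pair change, which is the reason the certificate list earlier in the deck has one client certificate per component and one per worker node.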
Kubernetes Architecture
[Diagram, repeated from the earlier Kubernetes Architecture slide: Master Node running Controller, Scheduler, API Server and the key/value store; three Nodes, each running Kubelet and kube-proxy; CLI/API in front of the API Server.]
[Diagram, HA control plane: Kubectl reaches a Load Balancer in front of Master-1 and Master-2; each master runs Controller, API Server and Scheduler, and each has its own ETCD.]
References
● https://github.com/kelseyhightower/kubernetes-the-hard-way
● https://kubernetes.io/docs/setup/certificates/
● https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/
THANK YOU !!!

K8s hard-way on DigitalOcean
