You’ve been developing software for years and now your team is ready to take the plunge into orchestrated containers and Kubernetes. You’ve learned about containers, images, and Dockerfiles, but standing up a Kubernetes cluster and actually running your app in it seems like a daunting task.
In this session, we’ll go over the basics to get your app up and running in Kubernetes right on your own workstation using Docker Desktop. On the way, we’ll cover some of the security aspects you need to keep in mind and show you how to implement them in your Kubernetes manifests.
We’ll go over:
1.) Kubernetes basics, including pods, deployments, and services
2.) Moving a legacy app into a container and running it in Kubernetes
3.) Some security best practices to watch out for — and what can happen if you don’t
4.) Implementing those best practices to defend against and limit the blast radius of an attack
DockerCon 2022 - From legacy to Kubernetes, securely & quickly
1. From legacy to Kubernetes, securely & quickly
Using Docker Desktop to get your applications into Kubernetes right on your desktop
Eric Smalling
Sr. Developer Advocate, Snyk
@ericsmalling
4. Kubernetes in 10 minutes
“… Kubernetes provides a way for us to run and schedule containerized workloads on multiple hosts.”
Production Kubernetes, Chapter 1
Josh Rosso, Rich Lander, Alexander Brand, John Harris
5. Kubernetes in 10 Minutes
Core concepts & types
● Pod
○ Smallest deployable computing unit you can create and manage
○ Manages one or more containers that will all run on the same host
○ Containers in the same pod share a network namespace
○ Every pod gets a unique IP address
○ By default, every pod can communicate with every other pod in a cluster w/out NAT
■ Restrictions can be placed on this (NetworkPolicy)
[Diagram: pod webapp (10.9.1.100) running two containers, ecommerce-app and log-watcher, which share the volume logvol]
apiVersion: v1
kind: Pod
metadata:
  name: webapp
spec:
  containers:
  - name: ecommerce-app
    image: mycorp/ecom:1.0
    ports:
    - containerPort: 8080
    volumeMounts:
    - mountPath: /logs
      name: logvol
  # The slide stops here: the log-watcher container from the diagram and the
  # spec.volumes entry that defines logvol are not shown, so as written this
  # manifest is rejected (volumeMounts references an undefined volume).
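The pod the diagram describes, written out in full so that it applies cleanly. This is an added example, not a manifest from the talk: the log-watcher image name and the choice of emptyDir for logvol are assumptions (the slide shows neither), and the labels are the ones the Service on the later slide selects on.

```yaml
# Added example (not from the talk). Assumed, because the slide does not show
# them: the log-watcher image name and that logvol is an emptyDir.
apiVersion: v1
kind: Pod
metadata:
  name: webapp
  labels:
    app: webapp        # the Service selector on slide 9 matches on these two labels
    tier: frontend
spec:
  containers:
  - name: ecommerce-app
    image: mycorp/ecom:1.0
    ports:
    - containerPort: 8080
    volumeMounts:
    - mountPath: /logs
      name: logvol
  - name: log-watcher
    image: mycorp/log-watcher:1.0   # assumed image name
    volumeMounts:
    - mountPath: /logs
      name: logvol
      readOnly: true     # the watcher only reads; give it no write access to the shared volume
  volumes:
  - name: logvol
    emptyDir: {}         # assumed: pod-scoped scratch space shared by both containers, gone when the pod is
```

Because both containers share the pod's network namespace, log-watcher reaches ecommerce-app on 127.0.0.1:8080 without any Service in between; anything else in the cluster reaches it on the pod IP or, once the Service exists, on the Service name. The labels in metadata are what make the later Service's selector actually pick this pod up; a pod without them is simply not an endpoint.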
9. Kubernetes in 10 Minutes
Core concepts & types
● Service
○ Provides logical grouping of pods
■ Selector based*
○ Exposes pods behind a single IP address and DNS name
■ Kubernetes service discovery = DNS
○ Provides load balancing across pods
apiVersion: v1
kind: Service
metadata:
  name: ecom
spec:
  selector:
    app: webapp
    tier: frontend
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
[Diagram: service ecom selecting three webapp pods, each labelled app: webapp and tier: frontend; within the cluster the service resolves as ecom.default.svc.cluster.local, ecom.default, or (from the same namespace) just ecom]
10. Demo time: Moving a legacy app into Kubernetes
• Simple J2EE application
• Runs on Tomcat
• Containerized already
• Want to run on k8s but need a faster, more iterative place to experiment
• Docker Desktop k8s to the rescue!
11. Demo time: Moving a legacy app into Kubernetes
[Diagram: a LoadBalancer in front of svc: app, which load-balances across three pod: app replicas; the app pods reach pod: db through svc: db]
12. Demo time: Moving a legacy app into Kubernetes
[Diagram: LoadBalancer → svc: app → pod: app; pod: app → svc: db → pod: db, where pod: db stores its data on a hostPath volume]
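The pod slide notes that by default every pod can talk to every other pod, and that restrictions can be placed on this. For the demo topology above, the restriction a security engineer would want is: nothing reaches the db except the app, and nothing reaches the app except on its service port. Below is an added example of that as NetworkPolicy objects; it is not from the talk. Assumed, because the slides do not show them: the pods carry the labels app: app and app: db, the app listens on 8080 (as the webapp pod on slide 5 does), and the db listens on 3306.

```yaml
# Added example (not from the talk). Assumed labels: app: app on the Tomcat
# pods, app: db on the database pod. Assumed ports: 8080 for the app, 3306 for
# the db. Namespace default is assumed as well.
---
# 1. Default-deny ingress for the namespace. An empty podSelector selects every
#    pod; once a pod is selected by any policy, only traffic that some policy
#    explicitly allows gets through to it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# 2. The db accepts connections only from the app pods, and only on its port.
#    A compromised pod anywhere else in the namespace cannot open a socket to it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-allow-from-app
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: app
    ports:
    - protocol: TCP
      port: 3306
---
# 3. The app pods are the only thing exposed outside the cluster. Omitting
#    `from` allows any source, which the LoadBalancer needs; the port list
#    still limits it to the application port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-allow-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: app
  policyTypes:
  - Ingress
  ingress:
  - ports:
    - protocol: TCP
      port: 8080
```

Two caveats before trusting this. First, the API server accepts NetworkPolicy objects on any cluster, but they are only enforced by a CNI plugin that implements them; `kubectl apply` succeeding tells you nothing, so test it by exec'ing into a pod that is not labelled app: app and confirming a connection to the db service times out. Second, these policies constrain pod-to-pod traffic only: the hostPath volume on the db pod in slide 12 is a path on the node's filesystem, and anything that can write to that node path, or any other pod granted the same hostPath, bypasses the network entirely.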