DevOps Classroom notes 10/Feb/2024

Docker Compose

  • Docker Compose is a development and single-host tool; it is not used to run production workloads.
  • Docker Compose is designed to run multiple containers with simple commands from one YAML file.
  • Relevance
    • Developer: uses it to run, develop and debug the application locally.
    • Operations: the compose file is our input to understand the relation between services (images, ports, volumes, dependencies) and create the equivalent k8s manifests.
  • Refer to the linked article on Docker Compose
  • Refer to the linked Docker Compose YAML reference

Kubernetes RBAC

  • RBAC (Role Based Access Control) decides what an already-authenticated identity is allowed to do against the API server.
  • Categories of users of k8s clusters in an enterprise
    • human => User (not stored in the cluster; the identity comes from the authenticator)
      • x.509 client certificates (the certificate CN becomes the user name, the O fields become groups)
      • OIDC tokens (JWTs issued by an identity provider; SAML is not supported directly, only through a provider that bridges to OIDC)
      • basic authentication (not recommended; removed from the API server in v1.19)
    • non-human => ServiceAccount => it is stored in the k8s cluster as a namespaced object
      • application
      • bot
      • script
  • How can k8s handle users if it is not storing them? There is no User object: the authenticator (certificate, OIDC token, webhook) returns a user name and groups for every request, and RBAC bindings simply refer to those names.
  • What permissions should I give
    • Define permissions
      • Role (namespaced)
      • ClusterRole (cluster-wide, or reusable inside one namespace through a RoleBinding)
    • Assign permissions
      • RoleBinding (grants inside one namespace)
      • ClusterRoleBinding (grants across the whole cluster)
  • Refer to the linked Kubernetes RBAC documentation
  • Refer to the linked guide for creating a user in a kubeadm cluster
  • Refer to the linked guides for user creation in AKS, EKS and GKE clusters
  • Let's create a Role called lt-admin with full access to the core and apps API groups in the dev namespace (note that it does not cover other groups such as rbac.authorization.k8s.io or networking.k8s.io)
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: lt-admin
  namespace: dev
rules:
  - apiGroups:
      - ""
      - "apps"
    resources:
      - "*"
    verbs:
      - "*"


  • Let's create a ClusterRole for full access called lt-cadmin (equivalent to the built-in cluster-admin; bind it sparingly)
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: lt-cadmin
rules:
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - "*"
  • Let's create a ClusterRole for read access called lt-creader. Be aware that get/list on every resource includes Secrets, so "read-only" here still exposes credentials; restrict resources if that is not intended.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: lt-creader
rules:
  - apiGroups:
      - "*"
    resources:
      - "*"
    verbs:
      - get
      - list
      - watch
  • Let's create a RoleBinding. It must live in the same namespace as the Role it references, and a ServiceAccount subject must name its namespace.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ltadminrolebinding
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: lt-admin
subjects:
  - apiGroup: "rbac.authorization.k8s.io"
    kind: User
    name: johndoe
  - kind: ServiceAccount
    name: admin-sa
    namespace: dev
  • Disable automounting of service account tokens unless the pod actually talks to the API server: set automountServiceAccountToken: false in the Pod spec (or on the ServiceAccount itself) so a compromised container does not get a ready-made API credential. Every pod that does not need the API should have it set to false.
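To see how the API server combines the Role, ClusterRole and bindings above, here is a small model of the RBAC authorizer. This is an added example, not code from the classroom notes or from Kubernetes: the manifests are written as Python dicts in the same shape as the YAML above, and the "qa" namespace, the second RoleBinding and the "auditors" group are assumptions added for illustration.

```python
"""Added example (not from the classroom notes): a small model of how the
kube-apiserver's RBAC authorizer evaluates a request, so the Role,
ClusterRole and bindings above can be tried without a cluster. Manifests
are Python dicts in the same shape as the YAML; the "qa" namespace and the
"auditors" group are assumed for illustration."""

# Constructed manifests. Roles are keyed by (namespace, name); ClusterRoles by name.
ROLES = {
    ("dev", "lt-admin"): [
        {"apiGroups": ["", "apps"], "resources": ["*"], "verbs": ["*"]},
    ],
}
CLUSTER_ROLES = {
    "lt-creader": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    ],
}
ROLE_BINDINGS = [
    {   # the notes' binding, in the namespace it has to live in
        "namespace": "dev",
        "roleRef": {"kind": "Role", "name": "lt-admin"},
        "subjects": [
            {"kind": "User", "name": "johndoe"},
            {"kind": "ServiceAccount", "name": "admin-sa", "namespace": "dev"},
        ],
    },
    {   # assumed: a RoleBinding may reference a ClusterRole, but only grants it in its own namespace
        "namespace": "qa",
        "roleRef": {"kind": "ClusterRole", "name": "lt-creader"},
        "subjects": [{"kind": "User", "name": "johndoe"}],
    },
]
CLUSTER_ROLE_BINDINGS = [
    {   # assumed: cluster-wide read access for everyone in the auditors group
        "roleRef": {"kind": "ClusterRole", "name": "lt-creader"},
        "subjects": [{"kind": "Group", "name": "auditors"}],
    },
]


def subject_name(subject):
    """User name the API server sees for a binding subject."""
    if subject["kind"] == "ServiceAccount":
        # service account tokens authenticate as system:serviceaccount:<ns>:<name>
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return subject["name"]


def binding_covers(binding, user, groups):
    for s in binding["subjects"]:
        if s["kind"] == "Group" and s["name"] in groups:
            return True
        if s["kind"] != "Group" and subject_name(s) == user:
            return True
    return False


def rule_allows(rule, api_group, resource, verb):
    def matches(allowed, value):
        return "*" in allowed or value in allowed
    return (matches(rule["apiGroups"], api_group)
            and matches(rule["resources"], resource)
            and matches(rule["verbs"], verb))


def rules_for(role_ref, binding_namespace):
    if role_ref["kind"] == "ClusterRole":
        return CLUSTER_ROLES.get(role_ref["name"], [])
    # a Role can only be referenced from a RoleBinding in the same namespace
    return ROLES.get((binding_namespace, role_ref["name"]), [])


def can_i(user, groups, verb, resource, api_group="", namespace=None):
    """Mirror of `kubectl auth can-i --as <user> <verb> <resource> -n <ns>`.
    RBAC is additive and deny-by-default: any matching rule allows, nothing denies."""
    # ClusterRoleBindings apply in every namespace and to cluster-scoped resources
    for b in CLUSTER_ROLE_BINDINGS:
        if binding_covers(b, user, groups):
            for rule in CLUSTER_ROLES.get(b["roleRef"]["name"], []):
                if rule_allows(rule, api_group, resource, verb):
                    return True
    # RoleBindings only apply to requests inside their own namespace
    if namespace is not None:
        for b in ROLE_BINDINGS:
            if b["namespace"] == namespace and binding_covers(b, user, groups):
                for rule in rules_for(b["roleRef"], b["namespace"]):
                    if rule_allows(rule, api_group, resource, verb):
                        return True
    return False
```

Running `can_i("johndoe", [], "delete", "deployments", "apps", "dev")` answers True, but the same verb in "qa" is False and creating a RoleBinding in "dev" is False, because lt-admin never mentions the rbac.authorization.k8s.io group. The auditors group can `get secrets` in kube-system: a wildcard read ClusterRole bound cluster-wide reads every Secret, which is the caveat noted above.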

NetworkPolicy

  • By default every pod can talk to every other pod in the cluster, including across namespaces, because no NetworkPolicy selects them.
  • A NetworkPolicy acts almost like
    • a security group in AWS
    • a Network Security Group in Azure
  • Once a policy selects a pod, only the traffic allowed by that policy (or by another policy selecting the same pod) gets through. Policies are additive: a stricter policy cannot take away what a more permissive one allows.
  • Refer to the linked NetworkPolicy documentation, and check that your CNI plugin enforces NetworkPolicy (Calico, Cilium and Weave Net do; plain Flannel does not). Without an enforcing CNI the objects are accepted by the API server but silently ignored.
  • Search for a NetworkPolicy
    • to allow communications only within the same namespace
    • to allow communications only with matching pods
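The two policies the notes ask you to search for, plus a default-deny, are modelled below so their effect can be checked without a cluster or CNI. This is an added example, not code from the classroom notes or from Kubernetes: the pods, namespaces and labels are constructed, the policies are Python dicts in the same shape as NetworkPolicy YAML, only ingress rules and matchLabels selectors are modelled, and the evaluation mirrors the documented semantics (no selecting policy means allow all; any matching rule in any selecting policy allows).

```python
"""Added example (not from the classroom notes): a small model of
NetworkPolicy ingress semantics. Pods, namespaces, labels and policies are
constructed for illustration; only ingress and matchLabels are modelled."""

# Constructed pods and namespaces (assumed for illustration).
PODS = {
    "web":     {"namespace": "dev", "labels": {"app": "web"}},
    "api":     {"namespace": "dev", "labels": {"app": "api"}},
    "db":      {"namespace": "dev", "labels": {"app": "db"}},
    "scanner": {"namespace": "qa",  "labels": {"app": "scanner"}},
}
NAMESPACE_LABELS = {"dev": {"team": "lt"}, "qa": {"team": "lt"}}

# Policy 1: every pod in "dev" accepts ingress only from pods in the same namespace.
SAME_NAMESPACE = {
    "namespace": "dev",
    "podSelector": {},                                # empty selector = all pods in the namespace
    "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"podSelector": {}}]}],     # peer podSelector alone = same namespace only
}
# Policy 2: the db pod accepts ingress only from pods labelled app=api.
ONLY_API_TO_DB = {
    "namespace": "dev",
    "podSelector": {"matchLabels": {"app": "db"}},
    "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}]}],
}
# Policy 3: default deny, the usual starting point before adding allow rules.
DENY_ALL = {
    "namespace": "dev",
    "podSelector": {},
    "policyTypes": ["Ingress"],                       # no ingress rules at all = nothing allowed
}


def selector_matches(selector, labels):
    # matchExpressions are not modelled in this example
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src_name, policy_ns):
    src = PODS[src_name]
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACE_LABELS[src["namespace"]]):
            return False
    elif "podSelector" in peer and src["namespace"] != policy_ns:
        return False   # a podSelector without namespaceSelector only covers the policy's namespace
    if "podSelector" in peer and not selector_matches(peer["podSelector"], src["labels"]):
        return False
    return True


def ingress_allowed(policies, src_name, dst_name):
    """True if traffic from src pod to dst pod is allowed under the given policies."""
    dst = PODS[dst_name]
    selecting = [p for p in policies
                 if p["namespace"] == dst["namespace"]
                 and "Ingress" in p["policyTypes"]
                 and selector_matches(p["podSelector"], dst["labels"])]
    if not selecting:
        return True    # default: nothing selects the pod, so everything is allowed
    # policies are additive: one matching rule in any selecting policy is enough
    for p in selecting:
        for rule in p.get("ingress", []):
            if "from" not in rule:
                return True    # a rule without 'from' allows every source
            if any(peer_matches(peer, src_name, p["namespace"]) for peer in rule["from"]):
                return True
    return False
```

With no policies, the scanner pod in "qa" can reach db; with SAME_NAMESPACE it cannot, while web still can. ONLY_API_TO_DB blocks web from db, but applying both policies together lets web reach db again, because SAME_NAMESPACE also selects db and its rule allows the traffic. That is the additive behaviour to remember when tightening a namespace that already has a broad policy.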
