Explore Kubernetes architecture, frameworks, and interfaces. Gain insights into deployment, scaling, and management of containerized applications. Discover extensibilities and get hands-on customizing Kubernetes.

k8s-go.tar.gz

k8s-go-v2

go-env-v2

Kubernetes is a popular open-source container orchestration system that automates the deployment, scaling, and management of containerized applications. This course is designed to provide a comprehensive understanding of Kubernetes and its programming concepts. You’ll dive deep into advanced topics of Kubernetes.

This course will cover topics such as Kubernetes architecture, frameworks, plugins, and interfaces. You’ll also learn the powerful extensibilities of Kubernetes and make full use of these built-in capabilities to build your customized Kubernetes.

This course is ideal for developers, DevOps engineers, and system administrators who want to learn how to master Kubernetes. By the end of the course, you’ll have a solid understanding of Kubernetes, its programming concepts, and be able to deploy, scale, and manage containerized customizations on Kubernetes. You will also get hands-on experience extending Kubernetes to meet your requirements.

Programming with Kubernetes

# The security center of Kubernetes

The `kube-apiserver` is the heart of a Kubernetes cluster. All the system-level authentications (`AuthN`) and authorizations (`AuthZ`) are handled by it. `AuthX` usually refers to both `AuthN` and `AuthZ`. We can also say that the `kube-apiserver` is the security center of Kubernetes.

We could run the `kube-apiserver` with insecure settings, but that isn't suggested, especially in production environments. It's strongly suggested to enable transport layer security (TLS) between all the Kubernetes components. This helps improve the whole cluster's security.

Just as the graph below shows, all the requests that are being sent to the `kube-apiserver` need to pass through the authentication, authorization, and admission control stages, and then come to the final resource validation and persistent storing stages.

## Authentication

In Kubernetes, the `kube-apiserver` needs to authenticate every received request to validate the user identity. Such a request may be sent out by either a user or a program. We can think of it as a login process.

The simplest authentication method is using a user name, password, and tokens. The `kube-apiserver` does provide the flag  `--token-auth-file` to use a static file that stores all these credentials. However, this method isn't recommended in any production environment. Every time a user is added, updated, and deleted, we need to modify this file and restart the `kube-apiserver` in order for the changes to take effect. Maintaining such a static file is a dangerous and painstaking task. We need to update all the `kube-apiserver` replicas. Inconsistent settings may throw the authentication process into chaos.

Instead of the static tokens above, Kubernetes provides built-in Bootstrap and ServiceAccount tokens. These two kinds of tokens are managed by Kubernetes directly. We can mount the ServiceAccount tokens into Pods so that in-cluster processes can use it to talk to the `kube-apiserver`. It's easy to bind permissions to a ServiceAccount by `RoleBinding` and `ClusterRoleBinding`.

The x509 method is another widely used authentication method in Kubernetes. Any request that presents a valid certificate signed by the CA (certificate authority) of our cluster is considered to be valid. Every certificate has the attribute `subject`, where the `kube-apiserver` gets user info. The `CN` (common name) field can be used for the user name. The group name that the user belongs to can be set in the `O` (organization name) field. For example, if we create the certificate with `Subject: O=system:nodes, CN=system:node:master`, this certificate will be interpreted to the user `system:node:master` of the group `system:nodes` by the `kube-apiserver`.  

If we've got self-hosted authentication services like LDAP or Kerberos, the authentication methods above don't meet our requirements. However, Kubernetes does provide us ways to integrate. Using the authentication webhook is an excellent option for such scenarios. The webhook allows us to generate and use user-defined tokens.

The authentication methods given above will be invoked one by one. If none of them can verify the identity of the user, the request is unauthorized and a status code of `401` is returned. After passing the authentication stage, the `kube-apiserver` will pass the user info (including user name, group name, etc.) down to the following authorization stage.

Get introduced to authentication and authorization in Kubernetes.

Before Getting Started

Kubernetes Architecture

Customizing AuthX

Dynamic Admission Control

Customizing Schedulers

Extending APIs with CustomResourceDefinition (CRD)

Extending APIs with Aggregated APIServer

Container Network Interface

Container Runtime Interface

Extend kubectl

How to Write Good Kubernetes Operators

Assessment of Programming with Kubernetes

Wrap Up

Introduction to AuthX

The security center of Kubernetes