Notes :: Kubernetes


Key topics include:

  • Traditional vs. Kubernetes Challenges: Comparing the challenges of managing applications in traditional virtual machine environments versus containerized Kubernetes environments.
  • Kubernetes Fundamentals: Defining Kubernetes, its origins, why it’s used, and key concepts like cluster architecture, API server, nodes, pods, and network policies.
  • Kubernetes Security Fundamentals: Discussing control plane and data plane protection, including API protection, encryption, network security, node and pod security, and additional security considerations like CI/CD security, cluster networking, and monitoring and logging.
  • Amazon EKS: An introduction to Amazon EKS, AWS’s managed Kubernetes service, including its shared responsibility model and different types of deployments (EC2, Fargate, Outposts, Anywhere).

Components of the Kubernetes control plane are:

  • kube-apiserver: The heart of the cluster; it is the single entry point through which every configuration or deployment change is submitted before it is acted on by the worker nodes.
  • etcd: A consistent key-value store that holds the cluster state, i.e., a record of everything that exists in the K8S cluster.
  • kube-scheduler: Assigns each newly created pod to a suitable node.
  • kube-controller-manager: Runs the controller loops for the various K8S components, e.g., the Node Controller (noticing and responding when nodes go down).
  • cloud-controller-manager: Cloud-specific control logic that links a K8S cluster to the cloud provider’s API.

Study Plan: Kubernetes Security Fundamentals

Overall Goal: Understand the core concepts of Kubernetes security, especially within the context of Amazon EKS, shared responsibility, and additional security components.

Schedule (adjust the timings as needed):

  • Session 1 (Day 1): Shared Responsibility and Compute Types (1 hour)
    • Focus on understanding the shared responsibility model between the cloud provider (AWS) and the customer, particularly in Amazon EKS.
    • Note the specific responsibilities of the customer regarding data, container images, network policies, RBAC, and worker node configurations.
    • Understand AWS’s responsibility for the Kubernetes control plane components (API server, controller manager, scheduler, etcd).
  • Session 2 (Day 1): Security Architecture Example and Cloud Native Gaps (1 hour)
    • Examine the Amazon EKS Architecture and the general Kubernetes Architecture.
    • Pay attention to the Control Plane components.
    • Review the gaps in cloud-native integration for Amazon EKS; understand the limitations and vendor-specific dependencies.
  • Session 3 (Day 2): EKS Security Architecture (1.5 hours)
    • Study the EKS Security Architecture, covering cloud, Kubernetes, and application levels.
    • Take notes on security considerations for the cloud platform (IAM, Network Security, etc.) and the Kubernetes platform (Control Plane Security, Worker Node Security, etc.).
    • Dive deeper into specific security aspects like EKS IAM, Control Plane Security, Worker Node Security, Multi-Account Strategy, and Application Platform security.
  • Session 4 (Day 2): Additional Kubernetes Security Components (1 hour)
    • Explore the additional components to consider for Kubernetes security (Host Security, Source Code Repository, Infrastructure as Code, CI/CD Pipeline, etc.).
    • Focus on logging and monitoring with CloudWatch Container Insights and threat detection with Amazon GuardDuty and Amazon Detective.
  • Session 5 (Day 3): Review and Lab Preparation (1 hour)
    • Review all notes and highlight key concepts.
    • Understand the Lab’s focus on deploying an Amazon EKS Cluster using the AWS Well-Architected Framework.
    • Prepare any prerequisites for the lab if specified.

Key Study Points:

  • Shared Responsibility Model: Understand the division of security responsibilities between the cloud provider and the user.
  • Kubernetes Control Plane: Know the components (API server, etcd, scheduler, controller manager) and their functions.
  • EKS Architecture: Familiarize yourself with the architecture and how security is implemented at the cloud, Kubernetes, and application levels.
  • IAM and Access Control: Study how IAM users, roles, and service accounts are used in EKS.
  • Networking and Security: Review network policies, firewalls, and other security measures.
  • Logging and Monitoring: Understand the importance of logging (Control Plane, Worker Node, Pods) and tools like CloudWatch.
  • Additional Components: Know the significance of security tools and practices like vulnerability management, CI/CD pipelines, and Infrastructure as Code.

Review:

  • After each session, summarize the key points in your own words.
  • Review your notes a day or two later to reinforce the information.
  • Before the lab, review all the essential concepts to ensure you’re well-prepared.