Ultimate Kubernetes Security Guide
Part 1 — Introduction to Kubernetes for those STARTING TODAY!
In Part 2 we share the technical reasons why we need Kubernetes and dive into the components of a Kubernetes architecture.
In Part 3 we learn security the way everyone learns best: how you can attack a Kubernetes cluster, and then we build defences for our cluster.
This 4-part SERIES is for you if today is the first time you have heard about Kubernetes, or if you have heard others talk about it but are not sure what it is.
This Guide is a Multi-part series written for Cloud Security Podcast, a weekly video podcast where I interview Cloud Security experts on how they keep their Public Cloud environment secure whether it’s running on Cloud Native services, containers, Kubernetes or Serverless.
Part 1 — Introduction to Kubernetes for Beginners
Prior Experience
Prior Knowledge that would be helpful before going through this guide:
- What is a Container, Container Registry, Docker, DockerHub?
- What is Infrastructure as Code?
- What is Compute, Public Cloud?
- Some exposure to the components required to run an application, e.g. networking, firewall, application code, source repository.
What is Kubernetes?
Kubernetes is an open-source platform for managing and orchestrating containerized workloads and services in a repeatable, reliable, scalable and distributed fashion, building on over 15 years of Google's experience running distributed systems.
Kubernetes comes with a set of services that orchestrate and reliably maintain an application state based on what the user declared. The keywords to note here are STATE and RELIABLY MAINTAINS.
Put simply, as a USER you define a STATE for your application (how much memory, how many replicas, should it have a public IP, etc.) and Kubernetes uses that definition to create and manage the workload the user declared, until you as a user change the state.
In a truly distributed fashion, the services within a Kubernetes cluster work to maintain the application state in the most efficient way possible based on the user's declaration.
Kubernetes is a platform created with the USER in mind.
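As an added example (not from the original guide), this is what such a declaration looks like in practice: a Deployment that asks for two replicas with a memory request and limit, plus a Service that asks for a public IP. The names (web, web-service) and the image reference are assumed placeholders.

```yaml
# Added example, not from the original guide. Names and image are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web                     # assumed name
spec:
  replicas: 2                   # "how many replicas": the cluster keeps two Pods running
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: registry.example.com/web:1.0   # placeholder image reference
        resources:
          requests:
            memory: "128Mi"     # "how much memory": what the scheduler reserves for the Pod
          limits:
            memory: "256Mi"     # hard ceiling; the container is OOM-killed if it exceeds it
---
apiVersion: v1
kind: Service
metadata:
  name: web-service             # assumed name
spec:
  type: LoadBalancer            # "should it have a public IP": asks the cloud for an external address
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080            # port the container listens on (assumed)
```

Apply it with `kubectl apply -f <file>`; if one of the two Pods later dies, the Deployment controller sees that the observed replica count differs from the declared one and starts a replacement without any further instruction from you.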
Why is Kubernetes the next checkpoint in compute capability for cloud and on-premise?
- Use of a declarative rather than an imperative definition of the application state.
- Killing a container to make a change or deploy a new package is not a thing. Changing the declaration sends the instruction for the cluster to update itself with the least disruption.
- The system drives towards maintaining a state, which means auto-recovery, self-healing, immutability and reportability without the added complexity of possibly losing state and ending up in limbo, which is what used to happen in the traditional server/client world. This breaks the master/slave model by moving from event-triggered to level-triggered:
  - Instead of the server managing the state every x mins/secs for the deployed application, the client monitors the defined state.
  - Instead of the master trying to maintain a state by making changes in response to events, the nodes in a Kubernetes cluster drive towards the user-declared state. Now we don't have a single point of failure.
  - If the server goes down, the client (cluster) retains its last known state.
- Workload portability.
- One transparent API for all services in Kubernetes.
Similar to the Windows, Linux and macOS operating systems (OS), Kubernetes is the OS for distributed systems. It has an API that connects users and internal systems so that users can define a state. All interactions happen through this API, so a user can also create functions and further abstractions over the Kubernetes API to extend its capabilities for more complex use cases across any platform.
Types of Kubernetes
Kubernetes can be deployed as managed or unmanaged.
Examples of managed Kubernetes are the Kubernetes services offered by AWS (EKS), Azure (AKS) and Google Cloud (GKE).
An example of unmanaged Kubernetes would be a self-hosted Kubernetes deployment.
What is Kubernetes not?
It is not a PaaS, it is not a CI/CD pipeline, it does not build applications, and it does not provide application-level services such as middleware, data processing frameworks, databases, etc.