Kubernetes Notes

Kubelet : the node agent. Its job is to run the pods scheduled onto its node and keep them running. It also watches a manifest directory for static pod definitions and creates/destroys those pods accordingly. The kubelet serves an unauthenticated read-only view of its pods on port 10255 (hardened clusters disable it with --read-only-port=0) and a /healthz endpoint (port 10248 by default) that reports whether the kubelet itself is healthy.

Pod : a collection of containers that share one network namespace (and therefore the same IP address) and can share volumes.

API Server : Kubernetes stores all of its cluster state in etcd, and only the API server talks to etcd directly. Every other component (scheduler, controllers, kubelets, kubectl) must go through the API server to read or change that state, which makes the API server the single place where authentication, authorization and admission control are enforced.

Security context : the securityContext field of a pod or container configures the security settings of the containers and the apps running in them. Examples are running the app as a non-root user (runAsNonRoot / runAsUser), granting individual Linux capabilities instead of full root and dropping the ones the app does not need, disabling privilege escalation (allowPrivilegeEscalation: false) and making the root filesystem read-only. A container-level securityContext overrides the pod-level one for that container.

Kubernetes on GCP:

To get all the nodes:

kubectl get nodes

To SSH into nodes:

gcloud compute ssh <node-name> --zone <zone>

Create k8s cluster via commandline:

gcloud container clusters create <cluster-name> --num-nodes 2 --zone us-central1-a

(us-central1-a is a zone, so it must be passed with --zone. Passing --region us-central1 instead creates a regional cluster, where --num-nodes is the node count per zone.)

To configure the local kubectl with the creds to access the k8s:

gcloud container clusters get-credentials <cluster-name> --zone us-central1-a --project <project-name>

To get the live manifest of an existing pod (includes defaulted fields and status):

kubectl get pods <pod-name> -o yaml

To edit the manifest file of existing pod:

kubectl edit pods <pod-name>

To list the secrets in the current namespace:

kubectl get secrets

To see a secret's metadata and the keys it holds (describe deliberately does not print the values; they are only shown base64-encoded in the -o yaml output):

kubectl describe secrets <secret-name>

To delete a secret:

kubectl delete secret <secret-name>

To get the security context of a pod at both the pod and container level: (this uses the jq-based yq installed with pip install yq, so the expression is jq syntax)

kubectl get pods <pod-name> -o yaml | yq '.spec.securityContext, .spec.containers[].securityContext'
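The same check, scripted: an added example written for these notes (not code from the original page or from any Kubernetes project) that reads the JSON from kubectl get pods -o json and flags the securityContext settings described above (root user, privileged, added or undropped capabilities, privilege escalation, writable root filesystem, host namespaces). The two-pod list embedded below is constructed for the example; the thresholds are this script's own choices, not a Kubernetes policy.

```python
"""Audit pod and container securityContext from `kubectl get pods -o json`.

Added example for these notes, not from the original page or from Kubernetes.
The sample pod list below is constructed; pipe real output in with
`kubectl get pods -A -o json | python3 audit_pods.py`.
"""
import json
import sys

# Constructed sample: the shape `kubectl get pods -o json` returns, two pods.
SAMPLE_POD_LIST = json.dumps({
    "kind": "List",
    "items": [
        {   # hardened pod: non-root, drops ALL, adds only NET_BIND_SERVICE
            "metadata": {"name": "web", "namespace": "default"},
            "spec": {
                "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
                "containers": [{
                    "name": "nginx", "image": "nginx:1.25",
                    "securityContext": {
                        "allowPrivilegeEscalation": False,
                        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                        "readOnlyRootFilesystem": True}}],
            },
        },
        {   # debug pod with no hardening at all
            "metadata": {"name": "debug", "namespace": "default"},
            "spec": {
                "hostPID": True,
                "containers": [{
                    "name": "shell", "image": "busybox",
                    "securityContext": {"privileged": True}}],
            },
        },
    ],
})

# Capabilities that are effectively root when added (example's own list).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def audit_pod(pod):
    """Return a list of finding strings for one pod object."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    meta = pod.get("metadata", {})
    name = f'{meta.get("namespace", "default")}/{meta["name"]}'
    findings = []
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"{name}: {flag}=true shares a host namespace")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        cname = f'{name}/{c["name"]}'
        # Container-level fields override the pod-level securityContext.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged=true (full host access)")
        if not run_as_non_root and run_as_user in (None, 0):
            findings.append(f"{cname}: may run as root (set runAsNonRoot or a non-zero runAsUser)")
        # Kubernetes defaults allowPrivilegeEscalation to true unless set.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation is not disabled")
        caps = sc.get("capabilities") or {}
        if "ALL" not in {x.upper() for x in caps.get("drop", [])}:
            findings.append(f"{cname}: does not drop ALL capabilities")
        for cap in caps.get("add", []):
            if cap.upper() in DANGEROUS_CAPS:
                findings.append(f"{cname}: adds dangerous capability {cap}")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{cname}: root filesystem is writable")
    return findings


def audit_pod_list(text):
    """Audit every pod in kubectl JSON output (a List or a single Pod)."""
    doc = json.loads(text)
    items = doc["items"] if "items" in doc else [doc]
    findings = []
    for pod in items:
        findings.extend(audit_pod(pod))
    return findings


if __name__ == "__main__":
    source = SAMPLE_POD_LIST if sys.stdin.isatty() else sys.stdin.read()
    for line in audit_pod_list(source):
        print(line)
```

On the constructed sample the hardened "web" pod produces no findings, while "debug" gets one for hostPID and five for its container. Run it against a real namespace with kubectl get pods -n <ns> -o json | python3 audit_pods.py.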

Stackdriver (now Cloud Logging) filters for GKE audit logs:

To see all the requests the API server treated as unauthenticated (attributed to system:anonymous), which is how unauthenticated probes of the API show up:

resource.type="k8s_cluster"
protoPayload.authenticationInfo.principalEmail="system:anonymous"

Get all the requests which the k8s authorizer (RBAC) decided to forbid, using the audit annotation label:

resource.type="k8s_cluster"
labels."authorization.k8s.io/decision"="forbid"

Get all the requests which were forbidden, matching on the response status message instead of the authorization label (the two filters usually select the same entries; the label is the authoritative one):

resource.type="k8s_cluster"
protoPayload.status.message="Forbidden"
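To try the three filters above without a project, here is an added example written for these notes (not from the original page or from Google's Logging code) that evaluates them offline against a handful of exported audit log entries. It supports only the filter shape the notes use, one field="value" comparison per line with all lines ANDed together (newline-separated terms are a conjunction in Cloud Logging), including quoted path segments such as labels."authorization.k8s.io/decision". The four log entries are constructed to resemble GKE audit entries exported from Cloud Logging; their principals and insertIds are made up.

```python
"""Evaluate the notes' Cloud Logging filters against sample audit log entries.

Added example for these notes, not from the original page or from Google.
Only the restricted filter syntax used in the notes is handled: one
`dotted.path="value"` term per line, all terms ANDed; a path segment may be
double-quoted. The log entries are constructed.
"""
import re

FILTERS = {
    "anonymous requests": '''
        resource.type="k8s_cluster"
        protoPayload.authenticationInfo.principalEmail="system:anonymous"
    ''',
    "authz decision forbid": '''
        resource.type="k8s_cluster"
        labels."authorization.k8s.io/decision"="forbid"
    ''',
    "status Forbidden": '''
        resource.type="k8s_cluster"
        protoPayload.status.message="Forbidden"
    ''',
}

# Constructed entries in the shape of exported GKE audit logs (values made up).
ENTRIES = [
    {   # unauthenticated probe listing secrets, denied by RBAC
        "insertId": "1",
        "resource": {"type": "k8s_cluster"},
        "labels": {"authorization.k8s.io/decision": "forbid"},
        "protoPayload": {
            "authenticationInfo": {"principalEmail": "system:anonymous"},
            "methodName": "io.k8s.core.v1.secrets.list",
            "status": {"code": 7, "message": "Forbidden"}}},
    {   # service account reading a secret it is allowed to read
        "insertId": "2",
        "resource": {"type": "k8s_cluster"},
        "labels": {"authorization.k8s.io/decision": "allow"},
        "protoPayload": {
            "authenticationInfo": {"principalEmail": "system:serviceaccount:default:app"},
            "methodName": "io.k8s.core.v1.secrets.get"}},
    {   # cluster deletion via the GKE API: different resource type
        "insertId": "3",
        "resource": {"type": "gke_cluster"},
        "protoPayload": {
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "methodName": "google.container.v1.ClusterManager.DeleteCluster"}},
    {   # authenticated user trying something RBAC does not allow
        "insertId": "4",
        "resource": {"type": "k8s_cluster"},
        "labels": {"authorization.k8s.io/decision": "forbid"},
        "protoPayload": {
            "authenticationInfo": {"principalEmail": "dev@example.com"},
            "methodName": "io.k8s.core.v1.pods.create",
            "status": {"code": 7, "message": "Forbidden"}}},
]

# One term: a dotted path whose segments are bare or double-quoted, then ="value".
_TERM = re.compile(r'^((?:"[^"]*"|[^".=\s]+)(?:\.(?:"[^"]*"|[^".=\s]+))*)="([^"]*)"$')
_SEGMENT = re.compile(r'"([^"]*)"|([^".]+)')


def parse_filter(text):
    """Turn filter text into a list of (path_segments, expected_value)."""
    terms = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = _TERM.match(line)
        if not m:
            raise ValueError(f"unsupported filter term: {line!r}")
        path = [quoted or bare for quoted, bare in _SEGMENT.findall(m.group(1))]
        terms.append((path, m.group(2)))
    return terms


def lookup(entry, path):
    """Walk a nested dict along path; None when any segment is missing."""
    node = entry
    for seg in path:
        if not isinstance(node, dict) or seg not in node:
            return None
        node = node[seg]
    return node


def matches(entry, filter_text):
    """True when every term of the filter equals the entry's field value."""
    return all(lookup(entry, path) == value for path, value in parse_filter(filter_text))


def run_filters(entries, filters):
    """Map each filter name to the insertIds of the entries it selects."""
    return {name: [e["insertId"] for e in entries if matches(e, f)]
            for name, f in filters.items()}


if __name__ == "__main__":
    for name, ids in run_filters(ENTRIES, FILTERS).items():
        print(f"{name}: {ids}")
```

The anonymous filter selects only entry 1, while both "forbid" filters select entries 1 and 4: the authorization label and the status message agree here, and the gke_cluster entry is excluded by resource.type in every case. Entries that reach Cloud Logging this way are the ones to alert on; a real filter can add a timestamp range or protoPayload.methodName to narrow them.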

GCP Audit Logging Notes

k8s_cluster – Kubernetes Cluster: requests to the cluster's own k8s API server (pods, deployments, secrets, RBAC decisions)

gke_cluster – GKE Cluster Operations: calls to the Kubernetes Engine API that manage the cluster itself (cluster creation and deletion, node pool changes)

Others:

Helm is a package manager for k8s – https://www.youtube.com/watch?v=Jj1Ueq_Lz6A

References: