Kubernetes

Terminology

Kubelets : its job is to run the pods and keep them running. Kubelets check for the manifest files in the watched directory and creates/destroys pods accordingly. Kubelets serve a read-only view at the port 10255 and also has /healthz endpoint to know the health status.

Pod : collection of containers that have the same IP and can share volume.

API Server : Kubernetes stores all its cluster state in etcd and API server only can access it. All other components must pass through API server to access the state.

Security context: Using this we can configure the security settings of the containers and the apps running in it. Some features are running the apps in the pods as a non-root user, giving certain capabilities without granting root access,

Kubernetes on GCP:

To get all the nodes:

1

kubectl get nodes

To SSH into nodes:

1

gcloud compute ssh <node-name> --zone <zone>

Create k8s cluster via commandline:

1

gcloud container clusters create <cluster-name> --num-nodes 2 --region us-central1-a

To configure the local kubectl with the creds to access the k8s:

1

gcloud container clusters get-credentials <cluster-name> --zone us-central1-a --project <project-name>

To get the manifest file of existing pod:

1

kubectl get pods <pod-name> -o yaml

To edit the manifest file of existing pod:

1

kubectl edit pods <pod-name>

To view the secrets in the kubernetes cluster:

1

kubectl get secrets

To get the secrets in the kubernetes cluster:

1

kubectl describe secrets <secret-name>

To delete a secret:

1

kubectl delete secret <secret-name>

To get the security context of the pods: (Please install yq using pip install yq)

1

kubectl get pods <pod-name> -o yaml | yq '.spec.securityContext, .spec.containers[].securityContext'

StackDriver Logging filters:

To see all the failed authentication attempts :

1
2

resource.type="k8s_cluster"
protoPayload.authenticationInfo.principalEmail="system:anonymous"

Get all the requests which k8s decided to forbid:

1
2

resource.type="k8s_cluster"
labels."authorization.k8s.io/decision"="forbid"

Get all the requests which were forbidden:

1
2

resource.type="k8s_cluster"
protoPayload.status.message="Forbidden"

GCP Audit Logging Notes

k8s_cluster – Kubernetes Cluster (k8s API server – pods, deployments, secrets)

gke_cluster – GKE Cluster Operations (k8s engine API server – cluster creation and deletion)

Others:

Helm is a package manager for k8s. Watch the following video for more details:

References:

• http://kamalmarhubi.com/blog/2015/08/27/what-even-is-a-kubelet/
• http://kamalmarhubi.com/blog/2015/09/06/kubernetes-from-the-ground-up-the-api-server/
• Kubernetes Auditing Official docs : https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
• K8s Secrets : https://kubernetes.io/docs/concepts/configuration/secret/
• K8s Security context of pod : https://kubernetes.io/docs/tasks/configure-pod-container/security-context/