
GKE_Deep_Dive__Part_1.pdf

cncf-canada-meetups
June 25, 2018

GKE Deep Dive (part 1) by Jonathan Pulsifer @Shopify


Transcript

  1. $ whoami
     • Production Security @ Shopify
     • Certified Kubernetes Administrator
     • Previously: SIGINT cyber sailor ⚓ at CFNOC; Instructor @ SANS and CFSCE
     • jonpulsifer / JonPulsifer
  2. Containers for Kubernetes
     • OS level virtualization popularized by Docker
       ◦ Governed by the Open Container Initiative
       ◦ https://www.opencontainers.org/
     • Don’t actually exist
       ◦ Are just kernel features duct taped together: Linux capabilities, control groups, namespaces, and LSMs
     • A Kubernetes Pod is the smallest unit that we describe, and it’s pretty much just shared namespaces and containers
       ◦ Network, IPC, PID, user, etc
       ◦ One pod has n containers

     Here is an example of a trusted base image →

    ```dockerfile
    # ubuntu/bionic
    FROM ubuntu@sha256:5f4bdc346cbbe56[snip]3e8314b0939c4592d67b6d

    # labels help add context
    LABEL maintainer="[email protected]" \
          ca.pulsifer.ubuntu-release="bionic"

    # defaults are neat
    ARG LINUX_USER=${LINUX_USER:-alicebot}
    ARG UID=${UID:-1337}

    # add a non privileged user (adduser's option is lowercase --gecos)
    RUN adduser \
        --disabled-password \
        --gecos '' \
        --uid ${UID} \
        ${LINUX_USER}

    # upgrade packages and clean up
    RUN apt-get -qqy update \
        && apt-get -qqy upgrade \
        && apt-get -qqy autoremove \
        && apt-get -qqy clean

    # drop privileges
    USER ${UID}
    ```
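A small checker for the three properties the slide's base image demonstrates (a base image pinned by digest rather than a floating tag, a maintainer label, and a final USER that is not root). This is an added example, not code from the talk or from Shopify; it uses only the Python standard library. The two Dockerfiles embedded in it are constructed inputs, with a made-up 64-hex digest standing in for the one the slide snips. It also evaluates the ARG default pattern the slide relies on (`ARG UID=${UID:-1337}` followed by `USER ${UID}`) the way a build with no `--build-arg` overrides would, so the user check does not need an actual build.

```python
import re
from typing import Dict, List, Tuple

# Constructed inputs (not from the slides). HARDENED follows the slide's pattern,
# with a made-up 64-hex digest standing in for the one the slide snips; WEAK is a
# deliberately poor Dockerfile for contrast.
HARDENED = """\
# ubuntu/bionic
FROM ubuntu@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# labels help add context
LABEL maintainer="alice@example.invalid" \\
      ca.pulsifer.ubuntu-release="bionic"
# defaults are neat
ARG LINUX_USER=${LINUX_USER:-alicebot}
ARG UID=${UID:-1337}
# add a non privileged user
RUN adduser --disabled-password --gecos '' --uid ${UID} ${LINUX_USER}
RUN apt-get -qqy update \\
    && apt-get -qqy upgrade
# drop privileges
USER ${UID}
"""

WEAK = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y curl
USER root
"""

DIGEST_RE = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")  # image@sha256:<64 hex>
_BARE = re.compile(r"\$\{(\w+)\}|\$(\w+)")                 # ${VAR} or $VAR
_DEFAULT = re.compile(r"\$\{(\w+):-([^}]*)\}")              # ${VAR:-default}


def parse_instructions(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs, joining backslash-continued lines
    and dropping comments and blank lines, as the Dockerfile parser does."""
    pairs: List[Tuple[str, str]] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        pairs.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
        buf = ""
    return pairs


def resolve(value: str, args: Dict[str, str]) -> str:
    """Evaluate ${VAR} against ARG defaults and ${VAR:-default} to its default,
    i.e. what the build sees with no --build-arg overrides. Bounded so that an
    ARG referring to itself cannot loop forever."""
    for _ in range(8):
        new = _BARE.sub(lambda m: args.get(m.group(1) or m.group(2), m.group(0)), value)
        new = _DEFAULT.sub(lambda m: m.group(2), new)
        if new == value:
            break
        value = new
    return value


def audit(text: str) -> Dict[str, bool]:
    """Check the three properties the slide's base image demonstrates."""
    args: Dict[str, str] = {}
    has_from, pinned, maintainer, last_user = False, True, False, None
    for instr, rest in parse_instructions(text):
        if instr == "ARG":
            name, _, default = rest.partition("=")
            args[name.strip()] = default.strip()
        elif instr == "FROM":
            has_from = True
            tokens = [t for t in rest.split() if not t.startswith("--")]  # skip --platform
            image = resolve(tokens[0], args) if tokens else ""
            if image != "scratch" and not DIGEST_RE.match(image):
                pinned = False
        elif instr == "LABEL" and re.search(r"\bmaintainer=", rest):
            maintainer = True
        elif instr == "USER":
            last_user = resolve(rest, args)
    # No USER at all means the image runs as root; "user:group" keeps only the user part.
    user = (last_user if last_user is not None else "root").split(":")[0]
    return {
        "base_image_pinned_by_digest": has_from and pinned,
        "maintainer_label_present": maintainer,
        "final_user_is_non_root": user not in ("", "root", "0") and "$" not in user,
    }


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(text))
```

A USER value that still contains `$` after resolution (an ARG with no default) is reported as failing rather than passing, since the effective user then depends on build-time input the Dockerfile itself does not fix.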
  3. VM instances, Instance group manager, Instance template, VPC firewall, VPC subnetwork, VPC network (not pictured), IAM (not pictured), Project / folder / organization
  4. Infrastructure as code
     Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently
  5. Terraform
     • Open source
       ◦ Google has a dedicated team working on the provider
       ◦ https://github.com/terraform-providers/terraform-provider-google
     • Expressive
       ◦ I mean look at it →
     • Stateful
       ◦ Remote (encrypted) state storage
     • Repeatable
       ◦ Modular
       ◦ Abstractions are hard

     Here is an example of terraform for GKE →

    ```hcl
    # create and configure a GKE cluster
    resource "google_container_cluster" "lab" {
      # GKE requires a network, subnet, and service account
      depends_on = ["google_service_account.nodes", "stuff", "things"]

      # name and description
      name        = "sweet demo cluster"
      description = "omg i'm version controlled"

      # The zone where the master will be hosted
      zone = "${var.gcp_config["zone"]}"

      # Use the latest GKE release for the master and worker nodes
      min_master_version = "1.10.4-gke.0"
      node_version       = "${data.dynamic.variable.latest_node_version}"

      # inherit the network from terraform
      network            = "my-subnet"
      subnetwork         = "${google_compute_subnetwork.nodes.self_link}"
      initial_node_count = "${var.gke_config["node_count"]}"

      # configure the GCE instances
      node_config {
        disk_size_gb    = "${var.gke_config["disk_size_gb"]}"
        machine_type    = "${var.gke_config["machine_type"]}"
        service_account = "${google_service_account.nodes.email}"
        oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
      }
    }
    ```