Advanced Kubernetes/AKS Network & Infrastructure
- Description
- Curriculum
- FAQ
- Reviews
You started your journey learning Kubernetes ?
You have been learning the fundamentals of a Kubernetes cluster ?
And now you want to make sure your cluster is production ready in terms of security ?
If you are looking for how to secure your Kubernetes cluster then this course is for you.
Let us face it, security is not an easy task. And Kubernetes is not an exception.
Securing a Kubernetes cluster requires thinking about all these aspects:
-
Network security: through private cluster access to API Server with Private Endpoint.
-
Secure egress traffic: all egress traffic should be filtered using Firewall.
-
Secure ingress traffic: using TLS and HTTPS on the ingress controller.
-
Secure inter-pod communication: secure traffic between pods using TLS or mTLS.
-
Controlling traffic between pods: using Network Policy tools like Calico.
-
Securing access to Managed Identities: by restricting access to IMDS endpoint (169.254.169.254).
-
Implementing a Landing Zone: with integration into the Hub an Spoke model
-
Customize logging and metrics collection
-
Reduce the cost of the cluster infrastructure
Microsoft provides the following recommendations to secure an AKS cluster and this course will try to go deeper with demonstration.
Recommendation 1: To distribute HTTP or HTTPS traffic to your applications, use ingress resources and controllers. Compared to an Azure load balancer, ingress controllers provide extra features and can be managed as native Kubernetes resources.
Recommendation 2: To scan incoming traffic for potential attacks, use a web application firewall (WAF) such as Barracuda WAF for Azure or Azure Application Gateway. These more advanced network resources can also route traffic beyond just HTTP and HTTPS connections or basic TLS termination.
Recommendation 3: Use network policies to allow or deny traffic to pods. By default, all traffic is allowed between pods within a cluster. For improved security, define rules that limit pod communication.
Recommendation 4: Don’t expose remote connectivity to your AKS nodes. Create a bastion host, or jump box, in a management virtual network. Use the bastion host to securely route traffic into your AKS cluster to remote management tasks.
Disclaimer: This course uses Azure Kubernetes Service (AKS) for demonstrations. But most of the content is applicable to any Kubernetes cluster on any environment.
-
32
DNS configuration options for Private AKS -
33
Introduction to AKS Private DNS resolution at scale
-
34
[Demo] Resolving private endpoint using public FQDN
Lab files are available here: https://github.com/HoussemDellai/docker-kubernetes-course/tree/main/201_private_aks_no_private_dns_zone
-
35
[Demo] Centralized DNS resolution
-
36
[Demo] Decentralized DNS resolution
-
43
[Lightboard] Gateway API and Ingress API
-
44
[Lightboard] AGIC vs Application Gateway for Containers
-
45
Introduction to Application Gateway for Containers
-
46
[Demo] Part 1: Setup the demo environment
-
47
[Demo] Part 2: Installing the ALB Controller and its Managed Identity
-
48
[Demo] Part 3: Creating and configuring Application Gateway for Containers
-
49
[Demo] Part 4: Exposing an application using Gateway API and HttpRoute
-
50
[Lightboard] Introduction to AKS Application Routing
-
51
Introduction to Application Routing
-
52
[Demo] Creating Nginx Ingress Controller using Application Routing
-
53
[Demo] Creating Internal Nginx Ingress Controller
-
54
[Demo] Configuring custom domain name using External-DNS
-
55
[Demo] Configuring Private DNS Zone for an internal ingress
-
56
[Demo] Securing ingress with a TLS certificate from Key vault
-
57
[Demo] Exporting ingress controller metrics in Prometheus and Grafana
-
58
Exploring the roadmap for Application Routing
-
59
Introduction to AKS egress traffic and outbound types
-
60
Introduction to AKS Egress and Outbound Types (PPT)
-
61
AKS with Outbound Type Load Balancer
-
62
[Demo] AKS with Outbound Type Load Balancer
-
63
SNAT port exhaustion issue with Load Balancer
-
64
SNAT port exhaustion solutions
-
65
AKS with Outbound Type Managed NAT Gateway
-
66
[Demo] AKS with Outbound Type Managed NAT Gateway
-
67
AKS with Outbound Type user assigned NAT Gateway
-
68
[Demo] AKS with Outbound Type user assigned NAT Gateway
-
69
Important notes about NAT Gateway
-
70
AKS with Outbound Type user defined routing (UDR)
-
71
[Demo] AKS with Outbound Type user defined routing (UDR)
-
72
Ingress issues and options with UDR mode
-
73
Migrate from Load Balancer to NAT Gateway
-
77
Introduction to controlling egress traffic
-
78
Creating an AKS cluster with Calico enabled
-
79
Filtering egress traffic for an IP address using Calico
-
80
Logging egress and ingress traffic with Log action
-
81
Creating an AKS cluster and installing Cilium
-
82
Filtering egress traffic for an FQDN using Cilium Network Policy
-
83
Viewing denied traffic logs in Cilium pods
-
84
Using Hubble to monitor network and denied traffic
