From 9e877aa38f870b7e5f1fb63a660abde7f88a5ae0 Mon Sep 17 00:00:00 2001 From: Michele Cereda Date: Mon, 13 Nov 2023 04:30:55 +0100 Subject: [PATCH] chore: placeholders for kubernetes applications --- .gitignore | 2 ++ knowledge base/kubernetes/README.md | 31 ++++++++++++++++---- knowledge base/kubernetes/cert-manager.md | 35 +++++++++++++++++++++++ knowledge base/kubernetes/external-dns.md | 33 +++++++++++++++++++++ knowledge base/kubernetes/kustomize.md | 35 +++++++++++++++++++++++ 5 files changed, 130 insertions(+), 6 deletions(-) create mode 100644 knowledge base/kubernetes/cert-manager.md create mode 100644 knowledge base/kubernetes/external-dns.md create mode 100644 knowledge base/kubernetes/kustomize.md diff --git a/.gitignore b/.gitignore index f68c48e..278c407 100644 --- a/.gitignore +++ b/.gitignore @@ -4,6 +4,8 @@ !.vscode/extensions.json !.vscode/settings.json +.obsidian/ + .vagrant/ .terraform/ diff --git a/knowledge base/kubernetes/README.md b/knowledge base/kubernetes/README.md index 55313d1..9556afe 100644 --- a/knowledge base/kubernetes/README.md +++ b/knowledge base/kubernetes/README.md @@ -191,24 +191,24 @@ Also see [configuration best practices] and the [production best practices check - Avoid workloads and nodes fail due limited resources being available.
Set [resource requests and limits][resource management for pods and containers] to reserve a minimum amount of resources for pods and limit their hogging abilities. - Prefer smaller container images. -- Prioritize critical workloads. +- Prioritize critical workloads.
Quality of service. - Instrument applications to detect and respond to the SIGTERM signal. - Avoid using bare pods.
Prefer defining them as part of a replica-based resource, like Deployments, StatefulSets, ReplicaSets or DaemonSets. -- Restrict traffic between objects in the cluster. - Network policies. +- Restrict traffic between objects in the cluster.
+ [Network policies]. - Reduce container privileges. - Leverage autoscalers. - Pod disruption budgets. -- Try to use all nodes possible. +- Try to use all nodes possible.
Affinities, taint and tolerations. -- Push for automation. +- Push for automation.
GitOps. - Apply the principle of least privilege.
Role-based access control (RBAC). - Continuously audit events and logs regularly, also for control plane components. -- Protect the cluster's ingress points. +- Protect the cluster's ingress points.
Firewalls, web application firewalls, application gateways. ## Quality of service @@ -519,18 +519,29 @@ Concepts: - [Container capabilities in Kubernetes] - [Kubernetes SecurityContext Capabilities Explained] - [Best practices for pod security in Azure Kubernetes Service (AKS)] +- [Network policies] Tools: - [`kubectl`][kubectl] - [`helm`][helm] - [`helmfile`][helmfile] +- [`kustomize`][kustomize] - [`kubeval`][kubeval] - `kube-score` - [`kubectx`+`kubens`][kubectx+kubens] (alternative to [`kubie`][kubie]) - [`kube-ps1`][kube-ps1] - [`kubie`][kubie] (alternative to [`kubectx`+`kubens`][kubectx+kubens] and [`kube-ps1`][kube-ps1]) - [k3s] +- [minikube] + +Applications: + +- [cert-manager] +- [external-dns] +- [flux] +- [istio] +- [keda] Others: @@ -589,12 +600,20 @@ All the references in the [further readings] section, plus the following: [azure kubernetes service]: ../azure/aks.md +[cert-manager]: cert-manager.md [create an admission webhook]: ../../examples/kubernetes/create%20an%20admission%20webhook/README.md +[external-dns]: external-dns.md +[flux]: flux.md [helm]: helm.md [helmfile]: helmfile.md +[istio]: istio.md [k3s]: k3s.md +[keda]: keda.md [kubectl]: kubectl.md [kubeval]: kubeval.md +[kustomize]: kustomize.md +[minikube]: minikube.md +[network policies]: network%20policies.md [prometheus on kubernetes using helm]: ../../examples/kubernetes/prometheus%20on%20k8s%20using%20helm.md [terraform]: ../terraform.md [velero]: velero.md diff --git a/knowledge base/kubernetes/cert-manager.md b/knowledge base/kubernetes/cert-manager.md new file mode 100644 index 0000000..246a5df --- /dev/null +++ b/knowledge base/kubernetes/cert-manager.md 
@@ -0,0 +1,35 @@ +# cert-manager + +FIXME + +## Table of contents + +1. [TL;DR](#tldr) +1. [Further readings](#further-readings) +1. [Sources](#sources) + +## TL;DR + +## Further readings + +- [Website] +- [Github] + +## Sources + +All the references in the [further readings] section, plus the following: + + + + +[github]: https://github.com/cert-manager/cert-manager +[website]: https://cert-manager.io/ + + +[further readings]: #further-readings + + + + diff --git a/knowledge base/kubernetes/external-dns.md b/knowledge base/kubernetes/external-dns.md new file mode 100644 index 0000000..e33ec14 --- /dev/null +++ b/knowledge base/kubernetes/external-dns.md @@ -0,0 +1,33 @@ +# ExternalDNS + +FIXME + +## Table of contents + +1. [TL;DR](#tldr) +1. [Further readings](#further-readings) +1. [Sources](#sources) + +## TL;DR + +## Further readings + +- [Github] + +## Sources + +All the references in the [further readings] section, plus the following: + + + + +[github]: https://github.com/kubernetes-sigs/external-dns + + +[further readings]: #further-readings + + + + diff --git a/knowledge base/kubernetes/kustomize.md b/knowledge base/kubernetes/kustomize.md new file mode 100644 index 0000000..c50b9f4 --- /dev/null +++ b/knowledge base/kubernetes/kustomize.md @@ -0,0 +1,35 @@ +# Kustomize + +FIXME + +## Table of contents + +1. [TL;DR](#tldr) +1. [Further readings](#further-readings) +1. [Sources](#sources) + +## TL;DR + +## Further readings + +- [Website] +- [Github] + +## Sources + +All the references in the [further readings] section, plus the following: + + + + +[github]: https://github.com/kubernetes-sigs/kustomize +[website]: https://kustomize.io/ + + +[further readings]: #further-readings + + + +
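Review bot: in the best-practices hunk of knowledge base/kubernetes/README.md (@@ -191,24 +191,24 @@) only `Network policies` is promoted to a link (`+ [Network policies].`), while the sibling sub-bullets `Quality of service.`, `Pod disruption budgets.` and `Role-based access control (RBAC).` stay plain text even though the same file has a `## Quality of service` section visible in the trailing context; linking `[Quality of service](#quality-of-service)` the same way would keep the list consistent. While this list is being reworked, the unchanged bullet `- Avoid workloads and nodes fail due limited resources being available.` is a broken sentence; `- Avoid workloads and nodes failing due to limited resources being available.` reads correctly. Since the sub-bullets were moved onto their own lines in this hunk, please double-check the committed file keeps them indented under their parent bullet, otherwise Markdown renders them as a new paragraph rather than a nested item.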
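Review bot: in the Tools list of the second README hunk (@@ -519,18 +519,29 @@), `kustomize` and `minikube` are added as reference links, which leaves the unchanged `- \`kube-score\`` entry as the only tool in the list without one; since the list is being touched anyway, giving it a page or an external link would make the list uniform. The new `Applications:` block (cert-manager, external-dns, flux, istio, keda) is introduced directly under the existing `Tools:` block without saying what separates an application from a tool; a one-line lead-in stating the criterion would help future entries land in the right list.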
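Review bot: the link definitions added in the third README hunk (@@ -589,12 +600,20 @@) include `[flux]: flux.md`, `[istio]: istio.md`, `[keda]: keda.md`, `[minikube]: minikube.md` and `[network policies]: network%20policies.md`, but the patch header lists only cert-manager.md, external-dns.md and kustomize.md under `create mode`; unless those five pages already exist in the repository, the new Applications and Tools entries will render as dead links. Either add placeholder pages for them in this same commit (which matches the stated scope, "placeholders for kubernetes applications") or leave those entries unlinked until the pages exist. The percent-encoded space in `network%20policies.md` follows the convention already used by `[prometheus on kubernetes using helm]`, so that part is consistent.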
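Review bot: in the new knowledge base/kubernetes/cert-manager.md the `## TL;DR` section is empty and the body is a bare `FIXME`, yet the README now links to this page from its Applications list, so readers following that link land on a stub. Even as a placeholder, one sentence under TL;DR taken from the linked `[website]` would make the page useful. Also, "All the references in the [further readings] section, plus the following:" ends with a colon but nothing follows it; either drop the "plus the following:" clause or add the intended entries. The Table of contents uses `1.` for every entry, which relies on Markdown auto-numbering and is fine as long as the repository's other pages use the same convention.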
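Review bot: knowledge base/kubernetes/external-dns.md has the same empty `## TL;DR`, bare `FIXME` and dangling "plus the following:" line as the other two new pages, and additionally lists only `[Github]` under Further readings while cert-manager.md and kustomize.md also carry a `[Website]` entry; if the omission is deliberate, fine, otherwise add the project's site so the three pages match. Minor: the heading reads `# ExternalDNS` while the file name, the README entry and the link label all use `external-dns`; picking one spelling keeps search and cross-references aligned.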
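Review bot: knowledge base/kubernetes/kustomize.md is the third stub with an empty `## TL;DR`, a bare `FIXME` and a "plus the following:" line with nothing after it. One point specific to this page: the README places `kustomize` under Tools next to `kubectl`, `helm` and `helmfile` rather than under Applications, so the eventual TL;DR should state why it belongs with the client-side tooling; otherwise the placement looks arbitrary next to the Applications list added in the same commit.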