- Kubernetes by example
- Istio
- Using NodeSelector to Schedule Deployments with large volumes of Stateful Data on Kubernetes
- Scalable microservices with Kubernetes
- Kubernetes cheat sheet
- SkyDNS
- Single master cluster with kubeadm
- HA Kubernetes cluster on bare metal
- Encryption of Kubernetes persistent local volumes
- Static provisioner of local volumes
- OpenEBS - Creating and attaching disk on GKE node
- Kubespray - Deploy a production ready Kubernetes cluster
- Ingress basic auth
- Generate RBAC policies based on Kubernetes audit logs
- Awesome Kubernetes
- stern - tail multiple pods on Kubernetes and multiple containers within the pod
- Kubernetes SIG
- 12 Kubernetes configuration best practices
- 10 most important differences between OpenShift and Kubernetes
- Copy files from Kubernetes to S3 and back
- Kubernetes shared storage with S3 backend
- Kubernetes Examples - Minimal self-contained examples of standard Kubernetes features and patterns in YAML
- AWS Controllers for Kubernetes (ACK) - project enabling you to manage AWS services from Kubernetes
- Alex Ellis
- IMTI - Architecting, Developing, nixCraft, DevOps, AI/ML, Blockchain
- Cloud Native Architect Blog
- Igor Cicimov
- MetalLB - load-balancer implementation for bare metal Kubernetes
- Fabio - fast, modern, zero-conf load balancing HTTPS and TCP router
- Kompose - translate docker-compose files to Kubernetes resources
- kuberhealthy - synthetic testing
- Keel - Kubernetes Operator to automate Helm, DaemonSet, StatefulSet & Deployment updates
- M3 - Uber’s large-scale metrics platform for Prometheus
- kubectx & kubens - Switch faster between clusters and namespaces
- kubeone - Lifecycle management tool for highly available Kubernetes clusters
- TK8 - Multi-cloud, multi-cluster Kubernetes platform installation and integration tool
- webkubectl - kubectl in web browser
- Skbn - tool for copying files and directories between Kubernetes and cloud storage providers
- kubenav - desktop and mobile navigator for your Kubernetes clusters
- Kube-Scan - Kubernetes risk assessment tool
- Permission Manager is a project that brings sanity to Kubernetes RBAC and Users management
- KubeCarrier - open source system for managing applications and services across multiple Kubernetes Clusters
- Kubeapps - web-based UI for deploying and managing applications in Kubernetes clusters
- Delete stale feature branches in your Kubernetes cluster
- Kyverno - Kubernetes Native Policy Management
- KubiScan - tool to scan Kubernetes cluster for risky permissions
- version-checker - Kubernetes utility for observing the current versions of images running in the cluster
- kubeval - tool for validating a Kubernetes YAML file
- conftest uses the Rego language from Open Policy Agent for writing assertions
- Tekton Pipelines
- Skaffold
- How to use Knative Pipelining Component to automate an Application Build and Deployment on Kubernetes
- Build cloud native CI/CD build pipeline from GIT webhook
- kontinuous - Kubernetes Continuous Integration & Delivery Platform
- GitOps with Tekton and ArgoCD
- Velero (formerly Ark) - Backup and migrate Kubernetes applications and their persistent volumes
- How To Back Up and Restore Kubernetes Cluster using Ark
- Backup etcd cluster
- Helm hub
- Charts
- Solr
- Portus
- Plugins
- Template developer’s guide
- Helmfile - deploy Kubernetes Helm Charts
- Helmfile - chart deployment tool
- helmfile - it’s like a Helm for Helm
- 15+ useful Helm Charts tools
- ChartMuseum - host your own Helm chart repository
- Using incubator/raw chart
- incubator/raw - chart for kubectl declarations
- Awesome Helm
- Helm Chart starter - better Helm chart boilerplate
- Creating a better chart
- helm-docs - generates automatic documentation from helm charts into a markdown file
- Frigate - documentation generation tool for Kubernetes Helm Charts
- How to host your Helm chart repository on GitHub
- Using custom domain for GitHub pages
- kubeval - plugin for validating Helm charts against the Kubernetes schemas using kubeval
- conftest - plugin for testing Helm charts with Open Policy Agent using conftest
- Accessing Kubernetes CRDs from client-go package
- Extending Kubernetes APIs with Custom Resource Definitions
- Unit testing
- Code Generation for CustomResources
- How to generate client codes for Kubernetes Custom Resource Definitions
- Writing Kubernetes Custom Controllers
- How did that sidecar get there?
- k8s-sidecar-injector
- Controller to manage databases
- KUDO
- How to Build a Custom Kubernetes Ingress Controller in Go
- Programmatically Kubernetes port forward in Go
- Kubernetes Security Practices You Should Follow
- Sealed Secrets
- Vault
- Advanced Persistence Threats: The Future of Kubernetes Attacks
- Rego policies collection
- Kubernetes secrets store CSI driver
- Prevent access to metadata - AWS
- Prevent access to metadata - Hetzner Cloud
- kube-bench
- Using Kubelet Client to Attack the Kubernetes Cluster
- Sysctl configuration for high performance
- Installing kubernetes cluster with wireguard
- Install a Kubernetes cluster on cloud servers
- Load balancer Helm chart
- Install hcloud-cloud-controller-manager with network support
- Creating a single control-plane cluster with kubeadm
- Installing a pod network add-on
- Install Cilium
- Kubernetes without kube-proxy
- hcloud-k8s - Ansible playbook to install Kubernetes on Hetzner Cloud
- IP Address Range
- Turn on autocomplete in the current shell
source <(kubectl completion bash)
- Turn on autocomplete permanently
echo "source <(kubectl completion bash)" >> ~/.bashrc
- Make alias k and autocomplete for it
alias k=kubectl
complete -F __start_kubectl k
gpg --gen-key
gpg --export-secret-keys > ~/.gnupg/pubring.gpg   # Helm's default --keyring path; it must contain the secret key used for signing
helm package --sign --key 'John Doe' chart
curl -u "username:password" -F "chart=@chart-0.2.7.tgz" -F "prov=@chart-0.2.7.tgz.prov" https://your-charts-repo.domain/api/charts
base64 ~/.gnupg/pubring.gpg > private.key   # base64-encode the keyring so it can be stored as a CI secret
Create GPG_SIGNING_KEY secret in GitHub and paste the contents of the private.key.
Add step:
- name: Configure GPG key
  env:
    GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
  run: |
    mkdir -p ~/.gnupg/
    printf '%s' "${GPG_SIGNING_KEY}" | base64 -d > ~/.gnupg/pubring.gpg
You may or may not want to also add the following line:
gpg --import ~/.gnupg/pubring.gpg
However, this is not needed for Helm signing.
- setup firewall on the instance
- prevent access to instance metadata
- introduce network policy to allow just necessary traffic
- run kube-bench and fix all problems
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
curl https://secure-ingress.com:31047/service2 -kv --resolve secure-ingress.com:31047:34.105.246.174
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-instance-metadata
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32
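To check offline that a NetworkPolicy like the one above really cuts off the instance metadata endpoint, the following added example (not from the original page) models how ipBlock egress peers are evaluated: the destination must fall inside `cidr` and outside every `except` entry, and a pod's egress is permitted only if at least one rule matches. It handles only ipBlock peers; podSelector/namespaceSelector peers are treated as never matching a raw IP, and the manifest is transcribed into a dict so no YAML library is needed.

```python
import ipaddress

# The page's manifest transcribed to a dict (no YAML parser needed offline).
DENY_INSTANCE_METADATA = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "deny-instance-metadata"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Egress"],
        "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                        "except": ["169.254.169.254/32"]}}]}],
    },
}


def ip_block_matches(block, dst):
    """dst must lie inside block['cidr'] and outside every 'except' CIDR."""
    if dst not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(dst in ipaddress.ip_network(c) for c in block.get("except", []))


def egress_allowed(policy, dst_ip):
    """Would a pod selected by `policy` be allowed to send traffic to dst_ip?

    A policy restricts egress only when 'Egress' is in policyTypes (implied
    when an `egress` key exists and policyTypes is omitted); traffic is then
    allowed iff some egress rule matches. A rule with no/empty `to` matches
    any destination. Only ipBlock peers are evaluated in this simplified model.
    """
    spec = policy["spec"]
    types = spec.get("policyTypes") or (
        ["Ingress", "Egress"] if "egress" in spec else ["Ingress"])
    if "Egress" not in types:
        return True
    dst = ipaddress.ip_address(dst_ip)
    for rule in spec.get("egress", []):
        peers = rule.get("to")
        if not peers:
            return True
        if any("ipBlock" in p and ip_block_matches(p["ipBlock"], dst) for p in peers):
            return True
    return False


def metadata_blocked(policy):
    """The property this page's policy is meant to guarantee."""
    return not egress_allowed(policy, "169.254.169.254")
```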
Create CertificateSigningRequest:
openssl genrsa -out jane.key 2048
openssl req -new -key jane.key -out jane.csr # set only Common Name = jane
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: jane
spec:
  groups:
  - system:authenticated
  request: $(base64 -w 0 jane.csr)
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
Approve the request and save the issued certificate as jane.crt:
kubectl certificate approve jane
kubectl get csr jane -o jsonpath='{.status.certificate}' | base64 -d > jane.crt
Configure KUBECONFIG for user jane:
kubectl config set-credentials jane --client-key=jane.key --client-certificate=jane.crt
kubectl config set-context jane --cluster=kubernetes --user=jane
kubectl config view
kubectl config get-contexts
kubectl config use-context jane
curl https://kubernetes.default --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)"
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
automountServiceAccountToken: false
or:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  serviceAccountName: build-robot
  automountServiceAccountToken: false
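The two manifests above interact: the Pod's `automountServiceAccountToken` takes precedence when set, then the ServiceAccount's, and the default is to mount. The following added audit helper (not from the original page; the manifests are constructed to mirror the snippets above) applies that precedence to decide which pods will actually have a token mounted.

```python
# Constructed manifests mirroring the page's ServiceAccount and Pod snippets,
# plus a ServiceAccount that leaves the field unset (so the default applies).
BUILD_ROBOT_SA = {"apiVersion": "v1", "kind": "ServiceAccount",
                  "metadata": {"name": "build-robot"},
                  "automountServiceAccountToken": False}
DEFAULT_SA = {"apiVersion": "v1", "kind": "ServiceAccount",
              "metadata": {"name": "default"}}
MY_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "my-pod"},
          "spec": {"serviceAccountName": "build-robot",
                   "automountServiceAccountToken": False}}


def token_automounted(pod, service_accounts):
    """Return True if the kubelet will automount a service account token.

    Precedence: Pod spec.automountServiceAccountToken if set, otherwise the
    ServiceAccount's field, otherwise the Kubernetes default of True. A pod
    that names no service account uses the "default" account. Note this only
    covers automounting; a pod can still mount a token explicitly through a
    projected volume, which this check does not inspect.
    """
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    sa_name = spec.get("serviceAccountName", "default")
    for sa in service_accounts:
        if sa["metadata"]["name"] == sa_name:
            return bool(sa.get("automountServiceAccountToken", True))
    return True  # unknown account: assume the default, i.e. a token is mounted


def pods_with_token(pods, service_accounts):
    """Names of pods that end up with a mounted token, for review."""
    return [p["metadata"]["name"] for p in pods
            if token_automounted(p, service_accounts)]
```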
cd /etc/kubernetes/pki
openssl x509 -in apiserver.crt -text -noout