Advanced Kubernetes/AKS Network & Infrastructure
- Description
- Curriculum
- FAQ
- Reviews
You started your journey learning Kubernetes ?
You have been learning the fundamentals of a Kubernetes cluster ?
And now you want to make sure your cluster is production ready in terms of security ?
If you are looking for how to secure your Kubernetes cluster then this course is for you.
Let us face it, security is not an easy task. And Kubernetes is not an exception.
Securing a Kubernetes cluster requires thinking about all these aspects:
-
Network security: through private cluster access to API Server with Private Endpoint.
-
Secure egress traffic: all egress traffic should be filtered using Firewall.
-
Secure ingress traffic: using TLS and HTTPS on the ingress controller.
-
Secure inter-pod communication: secure traffic between pods using TLS or mTLS.
-
Controlling traffic between pods: using Network Policy tools like Calico.
-
Securing access to Managed Identities: by restricting access to IMDS endpoint (169.254.169.254).
Microsoft provides the following recommendations to secure an AKS cluster and this course will try to go deeper with demonstration.
Recommendation 1: To distribute HTTP or HTTPS traffic to your applications, use ingress resources and controllers. Compared to an Azure load balancer, ingress controllers provide extra features and can be managed as native Kubernetes resources.
Recommendation 2: To scan incoming traffic for potential attacks, use a web application firewall (WAF) such as Barracuda WAF for Azure or Azure Application Gateway. These more advanced network resources can also route traffic beyond just HTTP and HTTPS connections or basic TLS termination.
Recommendation 3: Use network policies to allow or deny traffic to pods. By default, all traffic is allowed between pods within a cluster. For improved security, define rules that limit pod communication.
Recommendation 4: Don’t expose remote connectivity to your AKS nodes. Create a bastion host, or jump box, in a management virtual network. Use the bastion host to securely route traffic into your AKS cluster to remote management tasks.
Disclaimer: This course uses Azure Kubernetes Service (AKS) for demonstrations. But most of the content is applicable to any Kubernetes cluster on any environment.
-
3How to setup an AKS clusterVideo lesson
-
4Cluster infrastructure resourcesVideo lesson
-
5Create PodVideo lesson
-
6Create deployment objectVideo lesson
-
7Exec into PodVideo lesson
-
8Scale podsVideo lesson
-
9Create private serviceVideo lesson
-
10Create public service using LoadBalancerVideo lesson
-
11View kubernetes objects in the Azure portalVideo lesson
-
12Introduction to clusters access modesVideo lesson
-
13Architecture of a public clusterVideo lesson
-
14Private cluster with Private EndpointVideo lesson
-
15Public cluster with VNET integrationVideo lesson
-
16Private cluster with VNET integrationVideo lesson
-
17Accessing a private clusterVideo lesson
-
18RecapVideo lesson
-
19IntroductionVideo lesson
-
20Kubenet (basic) network modeVideo lesson
-
21Azure CNI (advanced) network modeVideo lesson
-
22Kubenet vs Azure CNIVideo lesson
-
23Azure CNI Overlay modeVideo lesson
-
24Kubenet vs Azure CNI Overlay modeVideo lesson
-
25Bring Your Own (BYO) CNI pluginVideo lesson
-
26CIDR ranges overlapping considerationsVideo lesson
-
33[Lightboard] Gateway API and Ingress APIVideo lesson
-
34[Lightboard] AGIC vs Application Gateway for ContainersVideo lesson
-
35Introduction to Application Gateway for ContainersVideo lesson
-
36[Demo] Part 1: Setup the demo environmentVideo lesson
-
37[Demo] Part 2: Installing the ALB Controller and its Managed IdentityVideo lesson
-
38[Demo] Part 3: Creating and configuring Application Gateway for ContainersVideo lesson
-
39[Demo] Part 4: Exposing an application using Gateway API and HttpRouteVideo lesson
-
40Introduction to AKS egress traffic and outbound typesVideo lesson
-
41Introduction to AKS Egress and Outbound Types (PPT)Video lesson
-
42AKS with Outbound Type Load BalancerVideo lesson
-
43[Demo] AKS with Outbound Type Load BalancerVideo lesson
-
44SNAT port exhaustion issue with Load BalancerVideo lesson
-
45SNAT port exhaustion solutionsVideo lesson
-
46AKS with Outbound Type Managed NAT GatewayVideo lesson
-
47[Demo] AKS with Outbound Type Managed NAT GatewayVideo lesson
-
48AKS with Outbound Type user assigned NAT GatewayVideo lesson
-
49[Demo] AKS with Outbound Type user assigned NAT GatewayVideo lesson
-
50Important notes about NAT GatewayVideo lesson
-
51AKS with Outbound Type user defined routing (UDR)Video lesson
-
52[Demo] AKS with Outbound Type user defined routing (UDR)Video lesson
-
53Ingress issues and options with UDR modeVideo lesson
-
54Migrate from Load Balancer to NAT GatewayVideo lesson
-
55Introduction to controlling egress trafficVideo lesson
-
56Creating an AKS cluster with Calico enabledVideo lesson
-
57Filtering egress traffic for an IP address using CalicoVideo lesson
-
58Logging egress and ingress traffic with Log actionVideo lesson
-
59Creating an AKS cluster and installing CiliumVideo lesson
-
60Filtering egress traffic for an FQDN using Cilium Network PolicyVideo lesson
-
61Viewing denied traffic logs in Cilium podsVideo lesson
-
62Using Hubble to monitor network and denied trafficVideo lesson
-
67Introduction to Azure DiskVideo lesson
-
68Using Azure Disk with Local Redundent Storage (LRS)Video lesson
-
69[Demo] Creating Azure Disk with Local Redundent Storage (LRS)Video lesson
-
70Introduction to Azure Disk with Zone Redundant Storage (ZRS)Video lesson
-
71[Demo] Creating Azure Disk with Zone Redundant Storage (ZRS)Video lesson
-
72Introduction to Azure Shared Disk with Zone Redundant Storage (ZRS)Video lesson
-
73[Demo] Creating Azure Shared Disk with Zone Redundant Storage (ZRS)Video lesson
-
74Introduction to Azure Blob StorageVideo lesson
-
75[Demo] Creating an Azure Blob Storage for AKSVideo lesson
-
76Important notes on Blob StorageVideo lesson
-
77Securing access to Blob Fuse using Managed IdentityVideo lesson
-
78[Demo] Attaching a Blob Fuse to AKS using User Managed IdentityVideo lesson
