├── .bashrc
├── .devcontainer
    ├── Dockerfile
    └── devcontainer.json
├── Dockerfile
├── LICENSE
├── README.md
├── WIP
    └── storage-replication-with-rook
    │   └── code.md
├── advance-application-routing-with-istio
    ├── code.md
    └── script.sh
├── advance-deploy-kubernetes-on-azure
    ├── code.md
    └── install.sh
├── deploying-a-public-chart
    └── code.md
├── deploying-kubernetes-on-azure
    └── code.md
├── deploying-supergloo
    └── code.md
├── hack
    └── hey
    │   └── Dockerfile
├── ingress-controller
    ├── code.md
    └── deploy.sh
├── ingress-with-traefik
    └── code.md
├── installing-helm-on-kubernetes
    └── code.md
├── istio-with-supergloo
    └── code.md
├── keda
    └── code.md
├── mTLS-with-istio
    └── code.md
├── network-policies
    └── code.md
├── pod-security-policy
    └── code.md
├── pods-services-deployments
    └── code.md
├── rbac-roles-service-accounts
    ├── cleanup.sh
    ├── code.md
    └── script.sh
├── service-mesh-with-linkerd
    └── code.md
├── slides
    ├── ingress-controller
    │   ├── Slide1.jpg
    │   ├── Slide2.jpg
    │   ├── Slide3.jpg
    │   ├── Slide4.jpg
    │   └── Slide5.jpg
    ├── intro
    │   ├── Slide1.jpg
    │   ├── Slide2.jpg
    │   ├── Slide3.jpg
    │   ├── Slide4.jpg
    │   ├── Slide5.jpg
    │   ├── Slide6.jpg
    │   └── code.md
    ├── introduction-to-kubernetes
    │   ├── Slide1.jpg
    │   ├── Slide2.jpg
    │   ├── Slide3.jpg
    │   ├── Slide4.jpg
    │   └── code.md
    ├── kubernetes-components
    │   ├── Slide1.jpg
    │   ├── Slide10.jpg
    │   ├── Slide11.jpg
    │   ├── Slide12.jpg
    │   ├── Slide13.jpg
    │   ├── Slide14.jpg
    │   ├── Slide15.jpg
    │   ├── Slide2.jpg
    │   ├── Slide3.jpg
    │   ├── Slide4.jpg
    │   ├── Slide5.jpg
    │   ├── Slide6.jpg
    │   ├── Slide7.jpg
    │   ├── Slide8.jpg
    │   ├── Slide9.jpg
    │   └── code.md
    ├── pods-services-deployments
    │   ├── Slide1.jpg
    │   ├── Slide10.jpg
    │   ├── Slide11.jpg
    │   ├── Slide12.jpg
    │   ├── Slide13.jpg
    │   ├── Slide14.jpg
    │   ├── Slide15.jpg
    │   ├── Slide16.jpg
    │   ├── Slide17.jpg
    │   ├── Slide2.jpg
    │   ├── Slide3.jpg
    │   ├── Slide4.jpg
    │   ├── Slide5.jpg
    │   ├── Slide6.jpg
    │   ├── Slide7.jpg
    │   ├── Slide8.jpg
    │   └── Slide9.jpg
    ├── rbac-roles-service-accounts
    │   ├── Slide1.jpg
    │   ├── Slide2.jpg
    │   ├── Slide3.jpg
    │   ├── Slide4.jpg
    │   ├── Slide5.jpg
    │   ├── Slide6.jpg
    │   └── Slide7.jpg
    └── statefull-sets
    │   ├── Slide1.jpg
    │   ├── Slide2.jpg
    │   ├── Slide3.jpg
    │   ├── Slide4.jpg
    │   └── Slide5.jpg
├── statefull-sets
    └── code.md
├── virtual-kubelet
    └── code.md
├── virtual-node-with-virtual-kubelet
    └── code.md
└── writing-our-own-chart
    └── code.md


/.bashrc:
--------------------------------------------------------------------------------
 1 | # Use bash-completion
 2 | [[ -f /usr/share/bash-completion/bash_completion ]] && \
 3 |     . /usr/share/bash-completion/bash_completion
 4 | # Source kubectl
 5 | [[ -f /usr/local/bin/kubectl ]] && \
 6 |     source <(kubectl completion bash)
 7 | # Source azure-cli
 8 | [[ -f /usr/bin/az.completion.sh ]] && \
 9 |     source /usr/bin/az.completion.sh
10 | # Change Prompt
11 | export PS1="\w \$ "
12 | 
13 | 


--------------------------------------------------------------------------------
/.devcontainer/Dockerfile:
--------------------------------------------------------------------------------
 1 | 
 2 | #-------------------------------------------------------------------------------------------------------------
 3 | # Copyright (c) Microsoft Corporation. All rights reserved.
 4 | # Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information.
 5 | #-------------------------------------------------------------------------------------------------------------
 6 | 
 7 | # Note: You can use any Debian/Ubuntu based image you want. 
 8 | FROM debian:9
 9 | 
10 | # Avoid warnings by switching to noninteractive
11 | ENV DEBIAN_FRONTEND=noninteractive
12 | 
13 | # Docker Compose version
14 | ARG COMPOSE_VERSION=1.24.0
15 | 
16 | # Helm version
17 | ENV HELM_VER 2.12.3
18 | 
19 | # This Dockerfile adds a non-root user with sudo access. Use the "remoteUser"
20 | # property in devcontainer.json to use it. On Linux, the container user's GID/UIDs
21 | # will be updated to match your local UID/GID (when using the dockerFile property).
22 | # See https://aka.ms/vscode-remote/containers/non-root-user for details.
23 | ARG USERNAME=vscode
24 | ARG USER_UID=1000
25 | ARG USER_GID=$USER_UID
26 | 
27 | # Configure apt and install packages
28 | RUN apt-get update \
29 |     && apt-get -y install --no-install-recommends apt-utils dialog 2>&1 \
30 |     #
31 |     # Verify git, process tools installed
32 |     && apt-get -y install curl git jq iproute2 procps \
33 |     #
34 |     # Install Docker CE CLI
35 |     && apt-get install -y apt-transport-https ca-certificates curl gnupg-agent software-properties-common lsb-release \
36 |     && curl -fsSL https://download.docker.com/linux/$(lsb_release -is | tr '[:upper:]' '[:lower:]')/gpg | (OUT=$(apt-key add - 2>&1) || echo $OUT) \
37 |     && add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/$(lsb_release -is | tr '[:upper:]' '[:lower:]') $(lsb_release -cs) stable" \
38 |     && apt-get update \
39 |     && apt-get install -y docker-ce-cli \
40 |     #
41 |     # Install Docker Compose
42 |     && curl -sSL "https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose \
43 |     && chmod +x /usr/local/bin/docker-compose \
44 |     #
45 |     # Install Helm
46 |     && curl -o helm.tgz https://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VER}-linux-amd64.tar.gz  \
47 |     && tar -xzf helm.tgz  \
48 |     && mv linux-amd64/helm /usr/local/bin  \
49 |     && rm helm.tgz  \
50 |     && helm init --client-only \
51 |     #
52 |     # Install kubectl 
53 |     && curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl \
54 |     && chmod +x ./kubectl \
55 |     && mv ./kubectl /usr/local/bin/kubectl \
56 |     # Install az cli
57 |     && curl -sL https://aka.ms/InstallAzureCLIDeb | bash \
58 |     # install kubectx
59 |     && git clone https://github.com/ahmetb/kubectx.git ~/.kubectx \
60 |     && ln -sf ~/.kubectx/kubectx /usr/local/bin/kubectx \
61 |     # Create a non-root user to use if preferred - see https://aka.ms/vscode-remote/containers/non-root-user.
62 |     && groupadd --gid $USER_GID $USERNAME \
63 |     && useradd -s /bin/bash --uid $USER_UID --gid $USER_GID -m $USERNAME \
64 |     # [Optional] Add sudo support for the non-root user
65 |     && apt-get install -y sudo \
66 |     && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME\
67 |     && chmod 0440 /etc/sudoers.d/$USERNAME \
68 |     #
69 |     # Clean up
70 |     && apt-get autoremove -y \
71 |     && apt-get clean -y \
72 |     && rm -rf /var/lib/apt/lists/*
73 | 
74 | # Switch back to dialog for any ad-hoc use of apt-get
75 | ENV DEBIAN_FRONTEND=dialog
76 | 


--------------------------------------------------------------------------------
/.devcontainer/devcontainer.json:
--------------------------------------------------------------------------------
 1 | // For format details, see https://aka.ms/vscode-remote/devcontainer.json or the definition README at
 2 | // https://github.com/microsoft/vscode-dev-containers/tree/master/containers/docker-in-docker
 3 | {
 4 | 	"name": "Docker in Docker",
 5 | 	"dockerFile": "Dockerfile",
 6 | 	"mounts": [ "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind" ],
 7 | 
 8 | 	// Use 'settings' to set *default* container specific settings.json values on container create. 
 9 | 	// You can edit these settings after create using File > Preferences > Settings > Remote.
10 | 	"settings": { 
11 | 		"terminal.integrated.shell.linux": "/bin/bash"
12 | 	},
13 | 
14 | 	// Use 'appPort' to create a container with published ports. If the port isn't working, be sure
15 | 	// your server accepts connections from all interfaces (0.0.0.0 or '*'), not just localhost.
16 | 	// "appPort": [],
17 | 
18 | 	// Uncomment the next line to run commands after the container is created.
19 | 	// "postCreateCommand": "docker --version",
20 | 
21 | 	// Uncomment the next line if you will use a ptrace-based debugger like C++, Go, and Rust
22 | 	// "runArgs": [ "--cap-add=SYS_PTRACE", "--security-opt", "seccomp=unconfined" ],
23 | 
24 | 	// Uncomment the next line to have VS Code connect as an existing non-root user in the container. 
25 | 	// On Linux, by default, the container user's UID/GID will be updated to match your local user. See
26 | 	// https://aka.ms/vscode-remote/containers/non-root for details on adding a non-root user if none exist.
27 | 	// "remoteUser": "vscode",
28 | 
29 | 	// Add the IDs of extensions you want installed when the container is created in the array below.
30 | 	"extensions": [
31 | 		"ms-azuretools.vscode-docker"
32 | 	]
33 | }


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM docker:dind
 2 | 
 3 | RUN apk add bash \
 4 |             git \
 5 |             tmux \
 6 |             curl \ 
 7 |             bash-completion \ 
 8 |             jq \
 9 |             python \
10 |             py-pip \
11 |             gcc \
12 |             libffi-dev \
13 |             musl-dev \
14 |             openssl \
15 |             openssl-dev \
16 |             python-dev \
17 |             make \
18 |             coreutils \
19 |             ca-certificates && \
20 |     curl -o kubectl https://storage.googleapis.com/kubernetes-release/release/v1.15.7/bin/linux/amd64/kubectl && \
21 |     mv kubectl /usr/local/bin && \
22 |     chmod a+x /usr/local/bin/kubectl && \
23 |     curl -o helm.tgz https://get.helm.sh/helm-v3.0.2-linux-amd64.tar.gz && \
24 |     tar -xzf helm.tgz && \
25 |     mv linux-amd64/helm /usr/local/bin && \
26 |     rm helm.tgz && \
27 |     #helm init --client-only && \
28 |     curl https://deislabs.blob.core.windows.net/porter/latest/install-linux.sh | bash && \
29 |     pip --no-cache-dir install -U pip && \
30 |     pip --no-cache-dir install azure-cli && \
31 |     curl -L -o /usr/local/bin/kubectx https://raw.githubusercontent.com/ahmetb/kubectx/v0.6.3/kubectx && \
32 |     chmod +x /usr/local/bin/kubectx && \
33 |     curl -sL https://run.linkerd.io/install | sh && \
34 |     curl -sL https://run.solo.io/supergloo/install | sh && \
35 |     mkdir -p /workshop
36 | 
37 | ENV PATH="$PATH:/root/.porter"
38 | ENV PATH="$PATH:/root/.linkerd2/bin"   
39 | ENV PATH="$PATH:/root/.supergloo/bin"  
40 | 
41 | ADD .bashrc /root/.bashrc
42 | 
43 | WORKDIR /workshop
44 | 
45 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2019 Scott Coulton
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Kubernetes on Azure
  2 | 
  3 | This is the repo that contains multiple workshops for Kubernetes on Azure and the supporting code examples.
  4 | Note This repo is under a refresh. Some of the new modules dont have slides yet.
  5 | 
  6 | ## Prerequisites
  7 | 
  8 | ### Prior knowledge 
  9 | To be successful at getting the most out of these workshops you will need the following prior knowledge
 10 | 
 11 | * A basic understanding of Linux
 12 | * Be able to read bash scripts
 13 | * Have a basic knowledge of what a container is 
 14 | 
 15 | ### Equipment
 16 | To be able to run the labs in the workshops you will need the following 
 17 | 
 18 | * An Azure account that has access to create service principals
 19 | 
 20 | If you dont have an Azure account and want to run the workshops, you can sign up for an [Azure trial](https://azure.microsoft.com/offers/ms-azr-0044p/?WT.mc_id=opensource-0000-sccoulto) that will give you free credit to complete the workshop.
 21 | 
 22 | ### Installed software
 23 | There are a few packages we will need to run the labs so we will need to install the following
 24 | 
 25 | * [Docker](https://www.docker.com/)
 26 | 
 27 | There is a pre built docker image with all the software that you need.
 28 |  
 29 | ## How to use the workshops
 30 | 
 31 | Pull and run the docker image  
 32 |  ```
 33 |  docker run -d --privileged --name workshop scottyc/workshop && docker exec -it workshop sh
 34 |  ```  
 35 | if you want to keep the data from the workshop persistent, you can use the following  
 36 | ```  
 37 | docker run -d --privileged -v {SOME_DIR}:/workshop --name workshop scottyc/workshop && docker exec -it workshop sh
 38 | ```   
 39 | git clone the workshop 
 40 | ```git clone https://github.com/scotty-c/kubernetes-on-azure-workshop.git```  
 41 | Now from inside the containers shell login to the az cli with `az login` and follow the prompts.
 42 | 
 43 | Each folder is named after a corresponding module in the workshop. Inside that folder is all the code examples for that module.
 44 | 
 45 | Alternatively if you are running vscode and have the [remote container extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers%2F%3FWT.mc_id%3Daksworkshop-github-sccoulto&WT.mc_id=opensource-0000-sccoulto) you can just open up a folder in the remote container.
 46 | 
 47 | ## Workshops 
 48 | 
 49 | At present there are four workshops in this repo. Each of them are designed for different lengths of time depending how long your time slot is to give the workshop.
 50 | 
 51 | ### Kubernetes on Azure full workshop
 52 | This is the full workshop that covers Kubernetes 101, Helm, virtual kubelet and some basic istio topic. Below are the full list of topics
 53 | 
 54 |  Kubernetes 101
 55 | 
 56 | * [Agenda](slides/intro/code.md) 
 57 | * [Introduction into Kubernetes](slides/introduction-into-kubernetes/code.md)
 58 | * [Kubernetes components](slides/kubernetes-components/code.md) 
 59 | * [Deploying Kubernetes on Azure](deploying-kubernetes-on-azure/code.md)
 60 | * [Pods, services and deployments](pods-services-deployments/code.md)
 61 | * [Rabc, roles and service accounts](rbac-roles-service-accounts/code.md) 
 62 | * [Stateful sets](statefull-sets/code.md)
 63 | * Kubernetes networking and service discovery
 64 | * [Load balancing and ingress control](ingress-controller/code.md)
 65 | 
 66 |  Helm
 67 | 
 68 | * Introduction into Helm
 69 | * Understanding charts
 70 | * [Deploying Helm on Kubernetes](installing-helm-on-kubernetes/code.md)
 71 | * Helm cli
 72 | * [Deploying a public chart](deploying-a-public-chart/code.md)
 73 | * [Writing our own chart](writing-our-own-chart/code.md)
 74 | * Helm and CNAB
 75 | 
 76 |  Kubernetes advanced topics
 77 | 
 78 | * [Virtual kubelet](virtual-node-with-virtual-kubelet/code.md)
 79 | * [Pod security context](pod-security-policy/code.md) 
 80 | * Introduction to istio
 81 | * Advanced application routing with istio(advanced-application-routing-with-istio/code.md)
 82 | * [Setting mTLS between application services with istio](mTLS-with-istio/code.md) 
 83 | 
 84 | This workshop takes about 6hrs to give as instructor lead workshop.  
 85 | 
 86 | 
 87 | ### Kubernetes 101
 88 | This workshop is the entry level into Azure Kubernetes service. In the workshop we will cover the topics listed above in the kubernetes 101 section. This will take approx 2hrs for an instructor to give.  
 89 | 
 90 | ### Kubernetes and Helm 
 91 | This workshop covers the kubernetes 101 workshop and adds all the Helm modules listed above. 
 92 | The slides can be found [here](slides/kubernetes-helm/Kubernetes-helm.pdf).  
 93 | This workshop will take about 4hrs to complete  
 94 | 
 95 | ### Advanced Kubernetes
 96 | This workshop adds the Kubernetes 101 modules with the advanced Kubernetes topics.  
 97 | The slides can be found [here](slides/kubernetes-advanced/Kubernetes-advanced.pdf)  
 98 | This workshop will take about 4hrs   
 99 | 
100 | ## Further reading
101 | I have done a few blog posts on topics covered by this workshop for further . This list will continue to be updated.
102 | * [Choosing the right container base image](https://dev.to/scottyc/i-cho-cho-chose-you-container-image-part-1-227p)
103 | * [Pod security 101](https://medium.com/devopslinks/kubernetes-pod-security-101-15fe8cda829e)
104 | * [Understading application routing with istio](https://itnext.io/understanding-application-routing-in-istio-aade30d594f4)
105 | 
106 | If there is something that is not covered in the workshops and you would like it to be. Please raise an issue on this repo and I will do my best to add it in where possible
107 | 
108 | 


--------------------------------------------------------------------------------
/WIP/storage-replication-with-rook/code.md:
--------------------------------------------------------------------------------
  1 | 
  2 | 
  3 | ## Stop istio injection
  4 | `kubectl label namespace default istio-injection-`
  5 | 
  6 | ## Deploy the operator
  7 | `kubectl create -f https://raw.githubusercontent.com/rook/rook/release-0.9/cluster/examples/kubernetes/ceph/operator.yaml`
  8 | 
  9 | `kubectl -n rook-ceph-system get pod`
 10 | 
 11 | ## Create a rook cluster
 12 | ```
 13 | cat <<EOF | kubectl apply -f -
 14 | apiVersion: v1
 15 | kind: Namespace
 16 | metadata:
 17 |   name: rook-ceph
 18 | ---
 19 | apiVersion: v1
 20 | kind: ServiceAccount
 21 | metadata:
 22 |   name: rook-ceph-osd
 23 |   namespace: rook-ceph
 24 | ---
 25 | apiVersion: v1
 26 | kind: ServiceAccount
 27 | metadata:
 28 |   name: rook-ceph-mgr
 29 |   namespace: rook-ceph
 30 | ---
 31 | kind: Role
 32 | apiVersion: rbac.authorization.k8s.io/v1beta1
 33 | metadata:
 34 |   name: rook-ceph-osd
 35 |   namespace: rook-ceph
 36 | rules:
 37 | - apiGroups: [""]
 38 |   resources: ["configmaps"]
 39 |   verbs: [ "get", "list", "watch", "create", "update", "delete" ]
 40 | ---
 41 | # Aspects of ceph-mgr that require access to the system namespace
 42 | kind: Role
 43 | apiVersion: rbac.authorization.k8s.io/v1beta1
 44 | metadata:
 45 |   name: rook-ceph-mgr-system
 46 |   namespace: rook-ceph
 47 | rules:
 48 | - apiGroups:
 49 |   - ""
 50 |   resources:
 51 |   - configmaps
 52 |   verbs:
 53 |   - get
 54 |   - list
 55 |   - watch
 56 | ---
 57 | # Aspects of ceph-mgr that operate within the cluster's namespace
 58 | kind: Role
 59 | apiVersion: rbac.authorization.k8s.io/v1beta1
 60 | metadata:
 61 |   name: rook-ceph-mgr
 62 |   namespace: rook-ceph
 63 | rules:
 64 | - apiGroups:
 65 |   - ""
 66 |   resources:
 67 |   - pods
 68 |   - services
 69 |   verbs:
 70 |   - get
 71 |   - list
 72 |   - watch
 73 | - apiGroups:
 74 |   - batch
 75 |   resources:
 76 |   - jobs
 77 |   verbs:
 78 |   - get
 79 |   - list
 80 |   - watch
 81 |   - create
 82 |   - update
 83 |   - delete
 84 | - apiGroups:
 85 |   - ceph.rook.io
 86 |   resources:
 87 |   - "*"
 88 |   verbs:
 89 |   - "*"
 90 | ---
 91 | # Allow the operator to create resources in this cluster's namespace
 92 | kind: RoleBinding
 93 | apiVersion: rbac.authorization.k8s.io/v1beta1
 94 | metadata:
 95 |   name: rook-ceph-cluster-mgmt
 96 |   namespace: rook-ceph
 97 | roleRef:
 98 |   apiGroup: rbac.authorization.k8s.io
 99 |   kind: ClusterRole
100 |   name: rook-ceph-cluster-mgmt
101 | subjects:
102 | - kind: ServiceAccount
103 |   name: rook-ceph-system
104 |   namespace: rook-ceph-system
105 | ---
106 | # Allow the osd pods in this namespace to work with configmaps
107 | kind: RoleBinding
108 | apiVersion: rbac.authorization.k8s.io/v1beta1
109 | metadata:
110 |   name: rook-ceph-osd
111 |   namespace: rook-ceph
112 | roleRef:
113 |   apiGroup: rbac.authorization.k8s.io
114 |   kind: Role
115 |   name: rook-ceph-osd
116 | subjects:
117 | - kind: ServiceAccount
118 |   name: rook-ceph-osd
119 |   namespace: rook-ceph
120 | ---
121 | # Allow the ceph mgr to access the cluster-specific resources necessary for the mgr modules
122 | kind: RoleBinding
123 | apiVersion: rbac.authorization.k8s.io/v1beta1
124 | metadata:
125 |   name: rook-ceph-mgr
126 |   namespace: rook-ceph
127 | roleRef:
128 |   apiGroup: rbac.authorization.k8s.io
129 |   kind: Role
130 |   name: rook-ceph-mgr
131 | subjects:
132 | - kind: ServiceAccount
133 |   name: rook-ceph-mgr
134 |   namespace: rook-ceph
135 | ---
136 | # Allow the ceph mgr to access the rook system resources necessary for the mgr modules
137 | kind: RoleBinding
138 | apiVersion: rbac.authorization.k8s.io/v1beta1
139 | metadata:
140 |   name: rook-ceph-mgr-system
141 |   namespace: rook-ceph-system
142 | roleRef:
143 |   apiGroup: rbac.authorization.k8s.io
144 |   kind: Role
145 |   name: rook-ceph-mgr-system
146 | subjects:
147 | - kind: ServiceAccount
148 |   name: rook-ceph-mgr
149 |   namespace: rook-ceph
150 | ---
151 | # Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
152 | kind: RoleBinding
153 | apiVersion: rbac.authorization.k8s.io/v1beta1
154 | metadata:
155 |   name: rook-ceph-mgr-cluster
156 |   namespace: rook-ceph
157 | roleRef:
158 |   apiGroup: rbac.authorization.k8s.io
159 |   kind: ClusterRole
160 |   name: rook-ceph-mgr-cluster
161 | subjects:
162 | - kind: ServiceAccount
163 |   name: rook-ceph-mgr
164 |   namespace: rook-ceph
165 | ---
166 | apiVersion: ceph.rook.io/v1
167 | kind: CephCluster
168 | metadata:
169 |   name: rook-ceph
170 |   namespace: rook-ceph
171 | spec:
172 |   cephVersion:
173 |     image: ceph/ceph:v13.2.4-20190109
174 |   dataDirHostPath: /var/lib/rook
175 |   dashboard:
176 |     enabled: true
177 |   mon:
178 |     count: 3
179 |     allowMultiplePerNode: true
180 |   storage:
181 |     useAllNodes: true
182 |     useAllDevices: false
183 |     config:
184 |       databaseSizeMB: "1024"
185 |       journalSizeMB: "1024"
186 | 
187 | EOF
188 | ```   
189 | `kubectl -n rook-ceph get pod`
190 | 
191 | ## Create a storage class
192 | 
193 | ```
194 | cat <<EOF | kubectl apply -f -
195 | apiVersion: ceph.rook.io/v1
196 | kind: CephBlockPool
197 | metadata:
198 |   name: replicapool
199 |   namespace: rook-ceph
200 | spec:
201 |   failureDomain: host
202 |   replicated:
203 |     size: 3
204 | ---
205 | apiVersion: storage.k8s.io/v1
206 | kind: StorageClass
207 | metadata:
208 |    name: rook-ceph-block
209 | provisioner: ceph.rook.io/block
210 | parameters:
211 |   blockPool: replicapool
212 |   clusterNamespace: rook-ceph
213 |   fstype: xfs
214 | reclaimPolicy: Retain
215 | EOF
216 | ```
217 | `kubectl get sc`
218 | 
219 | ## Deploy and app
220 | ` helm install --name consul --set StorageClass=rook-ceph-block,Storage=10Gi stable/consul`
221 | 


--------------------------------------------------------------------------------
/advance-application-routing-with-istio/code.md:
--------------------------------------------------------------------------------
  1 | # Advanced application routing with istio
  2 | 
  3 | ## Install istio
  4 | 
  5 | To install istio run the following from the root of the repo that you have cloned
  6 | 
  7 | `./advance-application-routing-with-istio/script.sh`
  8 | 
  9 | Below is a copy of what the script
 10 | 
 11 | ```
 12 | !/bin/bash
 13 | 
 14 | if [[ "$OSTYPE" == "linux-gnu" ]]; then
 15 | 	OS="linux"
 16 |     ARCH="linux-amd64"
 17 | elif [[ "$OSTYPE" == "darwin"* ]]; then
 18 | 	OS="osx"
 19 |     ARCH="darwin-amd64"
 20 | fi	
 21 | 
 22 | ISTIO_VERSION=1.0.4
 23 | HELM_VERSION=2.11.0
 24 | 
 25 | check_tiller () {
 26 | POD=$(kubectl get pods --all-namespaces|grep tiller|awk '{print $2}'|head -n 1)
 27 | kubectl get pods -n kube-system $POD -o jsonpath="Name: {.metadata.name} Status: {.status.phase}" > /dev/null 2>&1 | grep Running
 28 | }
 29 | 
 30 | pre_reqs () {
 31 | curl -sL "https://github.com/istio/istio/releases/download/$ISTIO_VERSION/istio-$ISTIO_VERSION-$OS.tar.gz" | tar xz
 32 | if [ ! -f /usr/local/bin/istioctl ]; then  
 33 | 	echo "Installing istioctl binary"
 34 |     chmod +x ./istio-$ISTIO_VERSION/bin/istioctl
 35 |     sudo mv ./istio-$ISTIO_VERSION/bin/istioctl /usr/local/bin/istioctl
 36 | fi       	
 37 | 
 38 | if [ ! -f /usr/local/bin/helm ]; then  
 39 | 	echo "Installing helm binary"
 40 |     curl -sL "https://storage.googleapis.com/kubernetes-helm/helm-v$HELM_VERSION-$ARCH.tar.gz" | tar xz
 41 |     chmod +x $ARCH/helm 
 42 |     sudo mv linux-amd64/helm /usr/local/bin/
 43 | fi    
 44 | }    
 45 |  
 46 | install_tiller () {
 47 | echo "Checking if tiller is running"
 48 | check_tiller
 49 | if [ $? -eq 0 ]; then
 50 |     echo "Tiller is installed and running"
 51 | else
 52 | echo "Deploying tiller to the cluster"
 53 | cat <<EOF | kubectl apply -f -
 54 | apiVersion: v1
 55 | kind: ServiceAccount
 56 | metadata:
 57 |   name: tiller
 58 |   namespace: kube-system
 59 | ---
 60 | apiVersion: rbac.authorization.k8s.io/v1beta1
 61 | kind: ClusterRoleBinding
 62 | metadata:
 63 |   name: tiller
 64 | roleRef:
 65 |   apiGroup: rbac.authorization.k8s.io
 66 |   kind: ClusterRole
 67 |   name: cluster-admin
 68 | subjects:
 69 |   - kind: ServiceAccount
 70 |     name: tiller
 71 |     namespace: kube-system
 72 | EOF
 73 | helm init --service-account tiller
 74 | fi       	
 75 | check_tiller
 76 | while [ $? -ne 0 ]; do
 77 |   echo "Waiting for tiller to be ready"
 78 |   sleep 30
 79 | done
 80 | 
 81 | }
 82 | 
 83 | install () {
 84 | echo "Deplying istio"
 85 | 
 86 | helm install istio-$ISTIO_VERSION/install/kubernetes/helm/istio --name istio --namespace istio-system \
 87 |     --set global.controlPlaneSecurityEnabled=true \
 88 |     --set grafana.enabled=true \
 89 |     --set tracing.enabled=true \
 90 |     --set kiali.enabled=true
 91 |         
 92 | if [ -d istio-$ISTIO_VERSION ]; then 
 93 |     rm -rf istio-$ISTIO_VERSION
 94 |   fi    
 95 | }
 96 | 
 97 | pre_reqs
 98 | install_tiller
 99 | install
100 | ```
101 | 
102 | 
103 | Next we are going to 
104 | `kubectl label namespace default istio-injection=enabled`
105 | 
106 | ## Deploy the service and webapp
107 | ```
108 | cat <<EOF | kubectl apply -f - 
109 | apiVersion: v1
110 | kind: Service
111 | metadata:
112 |   name: webapp
113 |   labels:
114 |     app: webapp
115 | spec:
116 |   ports:
117 |   - port: 3000
118 |     name: http
119 |   selector:
120 |     app: webapp
121 | ---
122 | apiVersion: extensions/v1beta1
123 | kind: Deployment
124 | metadata:
125 |   name: webapp-v1
126 | spec:
127 |   replicas: 1
128 |   template:
129 |     metadata:
130 |       labels:
131 |         app: webapp
132 |         version: v1
133 |     spec:
134 |       containers:
135 |       - name: webapp
136 |         image: scottyc/webapp:v1
137 |         imagePullPolicy: IfNotPresent
138 |         ports:
139 |         - containerPort: 3000
140 | ---
141 | apiVersion: extensions/v1beta1
142 | kind: Deployment
143 | metadata:
144 |   name: webapp-v2
145 | spec:
146 |   replicas: 1
147 |   template:
148 |     metadata:
149 |       labels:
150 |         app: webapp
151 |         version: v2
152 |     spec:
153 |       containers:
154 |       - name: webapp
155 |         image: scottyc/webapp:v2
156 |         imagePullPolicy: IfNotPresent
157 |         ports:
158 |         - containerPort: 3000
159 | EOF
160 | ```
161 | ## Deploying our Destination rule
162 | ```
163 | cat <<EOF | kubectl apply -f -
164 | apiVersion: networking.istio.io/v1alpha3
165 | kind: DestinationRule
166 | metadata:
167 |   name: webapp
168 | spec:
169 |   host: webapp
170 |   subsets:
171 |   - name: v1
172 |     labels:
173 |       version: v1
174 |   - name: v2
175 |     labels:
176 |       version: v2
177 | EOF
178 | ```
179 | 
180 | ## Create our gateway
181 | ```
182 | cat <<EOF | kubectl apply -f -
183 | apiVersion: networking.istio.io/v1alpha3
184 | kind: Gateway
185 | metadata:
186 |   name: webapp-gateway
187 | spec:
188 |   selector:
189 |     istio: ingressgateway # use istio default controller
190 |   servers:
191 |   - port:
192 |       number: 80
193 |       name: http
194 |       protocol: HTTP
195 |     hosts:
196 |     - "*"
197 | ---
198 | apiVersion: networking.istio.io/v1alpha3
199 | kind: VirtualService
200 | metadata:
201 |   name: webapp
202 | spec:
203 |   hosts:
204 |   - "*"
205 |   gateways:
206 |   - webapp-gateway
207 |   http:
208 |   - route:
209 |     - destination:
210 |         host: webapp
211 |         subset: v1
212 |       weight: 50 
213 |     - destination:
214 |         host: webapp
215 |         subset: v2
216 |       weight: 50
217 | EOF
218 | ```
219 | 
220 | ## Get your ingress ip
221 | `kubectl get svc istio-ingressgateway -n istio-system -o jsonpath="{.status.loadBalancer.ingress[0].ip}"`
222 | 


--------------------------------------------------------------------------------
/advance-application-routing-with-istio/script.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | if [[ "$OSTYPE" == "linux-gnu" ]]; then
 4 | 	OS="linux"
 5 |     ARCH="linux-amd64"
 6 | elif [[ "$OSTYPE" == "darwin"* ]]; then
 7 | 	OS="osx"
 8 |     ARCH="darwin-amd64"
 9 | fi
10 | 	
11 | ISTIO_VERSION=1.0.4
12 | HELM_VERSION=2.11.0
13 | 
14 | check_tiller () {
15 | POD=$(kubectl get pods --all-namespaces|grep tiller|awk '{print $2}'|head -n 1)
16 | kubectl get pods -n kube-system $POD -o jsonpath="Name: {.metadata.name} Status: {.status.phase}" > /dev/null 2>&1 | grep Running
17 | }
18 | 
19 | pre_reqs () {
20 | curl -sL "https://github.com/istio/istio/releases/download/$ISTIO_VERSION/istio-$ISTIO_VERSION-$OS.tar.gz" | tar xz
21 | if [ ! -f /usr/local/bin/istioctl ]; then  
22 | 	echo "Installing istioctl binary"
23 |     chmod +x ./istio-$ISTIO_VERSION/bin/istioctl
24 |     sudo mv ./istio-$ISTIO_VERSION/bin/istioctl /usr/local/bin/istioctl
25 | fi       	
26 | 
27 | if [ ! -f /usr/local/bin/helm ]; then  
28 | 	echo "Installing helm binary"
29 |     curl -sL "https://storage.googleapis.com/kubernetes-helm/helm-v$HELM_VERSION-$ARCH.tar.gz" | tar xz
30 |     chmod +x $ARCH/helm 
31 |     sudo mv linux-amd64/helm /usr/local/bin/
32 | fi    
33 | }    
34 |  
35 | install_tiller () {
36 | echo "Checking if tiller is running"
37 | check_tiller
38 | if [ $? -eq 0 ]; then
39 |     echo "Tiller is installed and running"
40 | else
41 | echo "Deploying tiller to the cluster"
42 | cat <<EOF | kubectl apply -f -
43 | apiVersion: v1
44 | kind: ServiceAccount
45 | metadata:
46 |   name: tiller
47 |   namespace: kube-system
48 | ---
49 | apiVersion: rbac.authorization.k8s.io/v1beta1
50 | kind: ClusterRoleBinding
51 | metadata:
52 |   name: tiller
53 | roleRef:
54 |   apiGroup: rbac.authorization.k8s.io
55 |   kind: ClusterRole
56 |   name: cluster-admin
57 | subjects:
58 |   - kind: ServiceAccount
59 |     name: tiller
60 |     namespace: kube-system
61 | EOF
62 | helm init --service-account tiller
63 | fi       	
64 | check_tiller
65 | while [ $? -ne 0 ]; do
66 |   echo "Waiting for tiller to be ready"
67 |   sleep 30
68 | done
69 | 
70 | }
71 | 
72 | install () {
73 | echo "Deplying istio"
74 | 
75 | helm install istio-$ISTIO_VERSION/install/kubernetes/helm/istio --name istio --namespace istio-system \
76 |     --set global.controlPlaneSecurityEnabled=true \
77 |     --set grafana.enabled=true \
78 |     --set tracing.enabled=true \
79 |     --set kiali.enabled=true
80 | }
81 | 
82 | pre_reqs
83 | install_tiller
84 | install


--------------------------------------------------------------------------------
/advance-deploy-kubernetes-on-azure/code.md:
--------------------------------------------------------------------------------
  1 | # Deploying Kubernetes on Azure
  2 | 
  3 | In this module we are going to create an aks cluster with the following addons
  4 | * Azure CNI
  5 | * Virtual node
  6 | * Calico network policy
  7 | 
  8 | To make the cluster creation easier there has been a [script](install.sh)
  9 | 
 10 | The cluster will now create a [service principal](https://docs.microsoft.com/azure/active-directory/develop/app-objects-and-service-principals?WT.mc_id=workshop-github-sccoulto) then a 3 node AKS cluster using  
 11 | the [Azure cni plugin](https://docs.microsoft.com/azure/aks/configure-azure-cni?WT.mc_id=workshop-github-sccoulto) using Calico as the provider. 
 12 | 
 13 | ## To run the script 
 14 | First make sure you have downloaded the workshop container #TODO add link when merged to master   
 15 | Once you are in the containers shell git clone the repo ` git clone https://github.com/scotty-c/kubernetes-on-azure-workshop.git`    
 16 | Then `cd advance-deploy-kubernetes-on-azure && chmod +x install.sh`  
 17 | We can then run the script `./install.sh`  
 18 | 
 19 | 
 20 | ## Lets breakdown what the script is doing
 21 | 
 22 | The first thing the script will do is ask you two questions
 23 | ```bash
 24 | read -p "Enter the subscription to use: "  SUB
 25 | read -p "Enter region to deploy the cluster: "  LOCATION
 26 | ```
 27 | 
 28 | To get your subscription name you can use the following command `az account list -o table`  
 29 | To get the region name use the following 
 30 | ```bash
 31 | $ az account list-locations -o table
 32 | DisplayName          Latitude    Longitude    Name
 33 | -------------------  ----------  -----------  ------------------
 34 | East Asia            22.267      114.188      eastasia
 35 | Southeast Asia       1.283       103.833      southeastasia
 36 | Central US           41.5908     -93.6208     centralus
 37 | East US              37.3719     -79.8164     eastus
 38 | East US 2            36.6681     -78.3889     eastus2
 39 | West US              37.783      -122.417     westus
 40 | North Central US     41.8819     -87.6278     northcentralus
 41 | South Central US     29.4167     -98.5        southcentralus
 42 | North Europe         53.3478     -6.2597      northeurope
 43 | West Europe          52.3667     4.9          westeurope
 44 | Japan West           34.6939     135.5022     japanwest
 45 | Japan East           35.68       139.77       japaneast
 46 | Brazil South         -23.55      -46.633      brazilsouth
 47 | Australia East       -33.86      151.2094     australiaeast
 48 | Australia Southeast  -37.8136    144.9631     australiasoutheast
 49 | South India          12.9822     80.1636      southindia
 50 | Central India        18.5822     73.9197      centralindia
 51 | West India           19.088      72.868       westindia
 52 | Canada Central       43.653      -79.383      canadacentral
 53 | Canada East          46.817      -71.217      canadaeast
 54 | UK South             50.941      -0.799       uksouth
 55 | UK West              53.427      -3.084       ukwest
 56 | West Central US      40.890      -110.234     westcentralus
 57 | West US 2            47.233      -119.852     westus2
 58 | Korea Central        37.5665     126.9780     koreacentral
 59 | Korea South          35.1796     129.0756     koreasouth
 60 | France Central       46.3772     2.3730       francecentral
 61 | France South         43.8345     2.1972       francesouth
 62 | Australia Central    -35.3075    149.1244     australiacentral
 63 | Australia Central 2  -35.3075    149.1244     australiacentral2
 64 | South Africa North   -25.731340  28.218370    southafricanorth
 65 | South Africa West    -34.075691  18.843266    southafricawest
 66 | ```
 67 | 
 68 | The script will then create a resource group called `vk-k8s` and the make sure you have the networking policy feature enabled for Calico. 
 69 | ```bash
 70 | az feature register --name EnableNetworkPolicy --namespace Microsoft.ContainerService
 71 | az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnableNetworkPolicy')].{Name:name,State:properties.state}"
 72 | az provider register --namespace Microsoft.ContainerService
 73 | RG_THERE=$(az group exists --name $AKS_CLUSTER_RG)
 74 | echo "Checking if the resource group exisits"
 75 | if [ $RG_THERE == true ]
 76 | then 
 77 |     echo "The resource group has already been created"
 78 | else
 79 |     echo "Creating the resource group"
 80 |     az group create -l $LOCATION -n $AKS_CLUSTER_RG
 81 | fi
 82 | 
 83 | SP_THERE=$(az ad sp list --display-name $SP_NAME -o table )
 84 | echo "Checking for pre created service principal"
 85 | if [ -z "$SP_THERE" ]
 86 | then
 87 |       echo "The service principal does not exsist"
 88 | else
 89 |       echo "Deleting service principal, we will recreate it later in the script"
 90 |       az ad sp delete --id http://$SP_NAME
 91 | 
 92 | fi
 93 | ```
 94 | Next the script creates a vnet and a subnet  
 95 | ```bash
 96 | az network vnet create \
 97 |     --resource-group $AKS_CLUSTER_RG \
 98 |     --name $VNET_NAME \
 99 |     --address-prefixes $VNET_RANGE \
100 |     --subnet-name $CLUSTER_SUBNET_NAME \
101 |     --subnet-prefix $CLUSTER_SUBNET_RANGE
102 | 
103 | az network vnet subnet create \
104 |     --resource-group $AKS_CLUSTER_RG \
105 |     --vnet-name $VNET_NAME \
106 |     --name $VN_SUBNET_NAME \
107 |     --address-prefix $VN_SUBNET_RANGE
108 | ```
109 | 
110 | The next step is to a service principal for the cluster and assign a role
111 | ```bash
112 | VNETID=$(az network vnet show --resource-group $AKS_CLUSTER_RG --name $VNET_NAME --query id -o tsv)
113 | AZURE_CLIENT_SECRET=$(az ad sp create-for-rbac --name $SP_NAME --role Contributor | jq -r .password)
114 | AZURE_CLIENT_ID=$(az ad sp show --id http://$SP_NAME --query appId --output tsv)
115 | AZURE_TENANT_ID=$(az ad sp show --id http://$SP_NAME --query appOwnerTenantId --output tsv )
116 | VNET_SUBNET_ID=$(az network vnet subnet show --resource-group $AKS_CLUSTER_RG --vnet-name $VNET_NAME --name $CLUSTER_SUBNET_NAME --query id -o tsv)
117 | az role assignment create --assignee $AZURE_CLIENT_ID --scope $VNETID --role Contributor
118 | ```
119 | 
120 | Then we create our cluster 
121 | ```bash
122 | az aks create \
123 |     --resource-group $AKS_CLUSTER_RG \
124 |     --name vk-k8s \
125 |     --node-count 3 \
126 |     --kubernetes-version 1.14.0 \
127 |     --network-plugin azure \
128 |     --service-cidr 10.0.0.0/16 \
129 |     --dns-service-ip $KUBE_DNS_IP \
130 |     --docker-bridge-address 172.17.0.1/16 \
131 |     --vnet-subnet-id $VNET_SUBNET_ID \
132 |     --service-principal $AZURE_CLIENT_ID \
133 |     --client-secret $AZURE_CLIENT_SECRET \
134 |     --network-policy calico
135 | ```
136 | 
137 | Next we install helm which is a dependancy for virtual node
138 | ```bash
139 | cat <<EOF | kubectl apply -f -
140 | apiVersion: v1
141 | kind: ServiceAccount
142 | metadata:
143 |   name: tiller
144 |   namespace: kube-system
145 | ---
146 | apiVersion: rbac.authorization.k8s.io/v1beta1
147 | kind: ClusterRoleBinding
148 | metadata:
149 |   name: tiller
150 | roleRef:
151 |   apiGroup: rbac.authorization.k8s.io
152 |   kind: ClusterRole
153 |   name: cluster-admin
154 | subjects:
155 |   - kind: ServiceAccount
156 |     name: tiller
157 |     namespace: kube-system
158 |  ```
159 | 
160 | Lastly we will enable the virtual node feature to our cluster
161 | ```bash
162 | az aks enable-addons \
163 |     --resource-group $AKS_CLUSTER_RG \
164 |     --name vk-k8s \
165 |     --addons $SP_NAME \
166 |     --subnet-name $VN_SUBNET_NAME
167 | ```
168 | 


--------------------------------------------------------------------------------
/advance-deploy-kubernetes-on-azure/install.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | set -e
  4 | set -o pipefail
  5 | 
  6 | read -p "Enter the subscription to use: "  SUB
  7 | read -p "Enter region to deploy the cluster: "  LOCATION
  8 | 
  9 | az account set --subscription "$SUB"
 10 | 
 11 | VNET_RANGE=10.0.0.0/8  
 12 | CLUSTER_SUBNET_RANGE=10.240.0.0/16 
 13 | VN_SUBNET_RANGE=10.241.0.0/16 
 14 | VNET_NAME=k8sVNet
 15 | CLUSTER_SUBNET_NAME=k8sSubnet 
 16 | VN_SUBNET_NAME=VNSubnet 
 17 | AKS_CLUSTER_RG=vk-k8s
 18 | KUBE_DNS_IP=10.0.0.10
 19 | SP_NAME=virtual-node
 20 | 
 21 | 
 22 | pre_checks () {
 23 | az feature register --name EnableNetworkPolicy --namespace Microsoft.ContainerService
 24 | az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnableNetworkPolicy')].{Name:name,State:properties.state}"
 25 | az provider register --namespace Microsoft.ContainerService
 26 | RG_THERE=$(az group exists --name $AKS_CLUSTER_RG)
 27 | echo "Checking if the resource group exisits"
 28 | if [ $RG_THERE == true ]
 29 | then 
 30 |     echo "The resource group has already been created"
 31 | else
 32 |     echo "Creating the resource group"
 33 |     az group create -l $LOCATION -n $AKS_CLUSTER_RG
 34 | fi
 35 | 
 36 | SP_THERE=$(az ad sp list --display-name $SP_NAME -o table )
 37 | echo "Checking for pre created service principal"
 38 | if [ -z "$SP_THERE" ]
 39 | then
 40 |       echo "The service principal does not exsist"
 41 | else
 42 |       echo "Deleting service principal, we will recreate it later in the script"
 43 |       az ad sp delete --id http://$SP_NAME
 44 | 
 45 | fi
 46 | }
 47 | 
 48 | create_vnet () { 
 49 | az network vnet create \
 50 |     --resource-group $AKS_CLUSTER_RG \
 51 |     --name $VNET_NAME \
 52 |     --address-prefixes $VNET_RANGE \
 53 |     --subnet-name $CLUSTER_SUBNET_NAME \
 54 |     --subnet-prefix $CLUSTER_SUBNET_RANGE
 55 | }
 56 | 
 57 | create_subnet () {
 58 | az network vnet subnet create \
 59 |     --resource-group $AKS_CLUSTER_RG \
 60 |     --vnet-name $VNET_NAME \
 61 |     --name $VN_SUBNET_NAME \
 62 |     --address-prefix $VN_SUBNET_RANGE
 63 | }
 64 | 
 65 | create_aks () {
 66 | VNETID=$(az network vnet show --resource-group $AKS_CLUSTER_RG --name $VNET_NAME --query id -o tsv)
 67 | AZURE_CLIENT_SECRET=$(az ad sp create-for-rbac --name $SP_NAME --role Contributor | jq -r .password)
 68 | AZURE_CLIENT_ID=$(az ad sp show --id http://$SP_NAME --query appId --output tsv)
 69 | AZURE_TENANT_ID=$(az ad sp show --id http://$SP_NAME --query appOwnerTenantId --output tsv )
 70 | export AZURE_CLIENT_ID
 71 | export AZURE_TENANT_ID
 72 | export AZURE_CLIENT_SECRET
 73 | echo ""
 74 | echo "The client secret is $AZURE_CLIENT_SECRET"
 75 | VNET_SUBNET_ID=$(az network vnet subnet show --resource-group $AKS_CLUSTER_RG --vnet-name $VNET_NAME --name $CLUSTER_SUBNET_NAME --query id -o tsv)
 76 | az role assignment create --assignee $AZURE_CLIENT_ID --scope $VNETID --role Contributor
 77 | az aks create \
 78 |     --resource-group $AKS_CLUSTER_RG \
 79 |     --name vk-k8s \
 80 |     --node-count 3 \
 81 |     --kubernetes-version 1.14.0 \
 82 |     --network-plugin azure \
 83 |     --service-cidr 10.0.0.0/16 \
 84 |     --dns-service-ip $KUBE_DNS_IP \
 85 |     --docker-bridge-address 172.17.0.1/16 \
 86 |     --vnet-subnet-id $VNET_SUBNET_ID \
 87 |     --service-principal $AZURE_CLIENT_ID \
 88 |     --client-secret $AZURE_CLIENT_SECRET \
 89 |     --network-policy calico
 90 | 
 91 | az aks get-credentials --resource-group $AKS_CLUSTER_RG --name vk-k8s --admin --overwrite-existing 
 92 | kubectx $SP_NAME=vk-k8s-admin
 93 | }
 94 | 
 95 | install_helm() {
 96 | cat <<EOF | kubectl apply -f -
 97 | apiVersion: v1
 98 | kind: ServiceAccount
 99 | metadata:
100 |   name: tiller
101 |   namespace: kube-system
102 | ---
103 | apiVersion: rbac.authorization.k8s.io/v1beta1
104 | kind: ClusterRoleBinding
105 | metadata:
106 |   name: tiller
107 | roleRef:
108 |   apiGroup: rbac.authorization.k8s.io
109 |   kind: ClusterRole
110 |   name: cluster-admin
111 | subjects:
112 |   - kind: ServiceAccount
113 |     name: tiller
114 |     namespace: kube-system
115 | EOF
116 | helm init --service-account tiller
117 | echo "Waiting for Tiller to be available"
118 | sleep 60
119 | }
120 | 
121 | 
122 | create_virtual_node () {
123 | az aks enable-addons \
124 |     --resource-group $AKS_CLUSTER_RG \
125 |     --name vk-k8s \
126 |     --addons $SP_NAME \
127 |     --subnet-name $VN_SUBNET_NAME
128 | }
129 | 
130 | pre_checks
131 | create_vnet
132 | create_subnet
133 | create_aks
134 | install_helm
135 | create_virtual_node


--------------------------------------------------------------------------------
/deploying-a-public-chart/code.md:
--------------------------------------------------------------------------------
 1 | # Deploying a public chart
 2 | 
 3 | ## Deploying Consul
 4 | 
 5 | In this module we are going to deploy a public chart that use pvc's and replication
 6 | That chart is hashicorp's consul.
 7 | 
 8 | To deploy the chart
 9 | 
10 | ```
11 | helm install --name consul --set StorageClass=default stable/consul
12 | ```
13 | 
14 | To watch the chart being deployed
15 | 
16 | ```
17 | kubectl get pods --namespace=default -w
18 | ```
19 | 
20 | To check the state of the stateful set
21 | 
22 | ```
23 | kubectl get pvc
24 | ```
25 | 


--------------------------------------------------------------------------------
/deploying-kubernetes-on-azure/code.md:
--------------------------------------------------------------------------------
 1 | # Deploying Kubernetes on Azure
 2 | 
 3 | In this module we are going to install Kubernetes on Azure. The first thing we  
 4 | need to do is create a resource group.  
 5 | 
 6 | Please note you do not need to use `eastus` you can create a resource group in an region. 
 7 | If you are in Australaia I would suggest `australiaeast` 
 8 | 
 9 | ## Create a resource group
10 | `az group create --name k8s --location eastus`
11 | 
12 | Next we are going to create the AKS cluster. If you are using a trial account you will need to change the machine size `v1`
13 | 
14 | ## Create your cluster
15 | ```
16 | az aks create --resource-group k8s \
17 |     --name k8s \
18 |     --generate-ssh-keys \
19 |     --kubernetes-version 1.15.7 \
20 |     --enable-rbac \
21 |     --node-vm-size Standard_DS2_v2
22 | ```
23 | 
24 | Next install the `kubectl` binary if you dont already have it installed. Now if you are using cloud shell you can skip this step as it is already installed.
25 | 
26 | ## If you dont have the kubectl binary installed
27 | `az aks install-cli`
28 | 
29 | ## Get your cluster credentials
30 | This command will download the credentials from your cluster. These credentials are the admin credentials for the cluster.
31 | So in a production cluster be careful with who has these.  
32 | `az aks get-credentials --resource-group k8s --name k8s`
33 | 
34 | ## Test your cluster
35 | Now our cluster is up and running let's run a few commands that will show use what we have deployed so far.  
36 | To look at our nodes we will issue the following command  
37 | `kubectl get nodes`   
38 | Then to look at the pods we have issues the following  
39 | `kubectl get pods --all-namespaces`
40 | 
41 | Now we move onto the next module [here](../pods-services-deployments/code.md)


--------------------------------------------------------------------------------
/deploying-supergloo/code.md:
--------------------------------------------------------------------------------
  1 | # Deploying Super Gloo
  2 | 
  3 | In this module we deploy [super gloo](https://supergloo.solo.io/). Super gloo is a super powerful tool that allows you to orchestrate service meshes on top of Kubernetes. Super Gloo has two main interfaces to install meshes on Kubernetes, a cli or a web front end. In this module we will install both.
  4 | 
  5 | ##cli
  6 | To install the cli you need to chose one of the following depending on your OS type.
  7 | 
  8 | If your using the pre built Docker container you can skip the install as the container already has the binary for you.
  9 | 
 10 | For MacOS
 11 | ```
 12 | brew install solo-io/tap/supergloo
 13 | ```
 14 | 
 15 | For Linux/WSL/Cloud shell
 16 | ```
 17 | curl -sL https://run.solo.io/supergloo/install | sh
 18 | ```
 19 | 
 20 | Then we need to add the binary to our path
 21 | ```
 22 | export PATH=$HOME/.supergloo/bin:$PATH
 23 | ```
 24 | 
 25 | We can test that everything is working buy just issuing the command `supergloo` and you will get the following out put.
 26 | 
 27 | ```
 28 | 16:23 $ supergloo
 29 | supergloo configures resources watched by the Supergloo Controller.
 30 | 	Find more information at https://solo.io
 31 | 
 32 | Usage:
 33 |   supergloo [command]
 34 | 
 35 | Available Commands:
 36 |   apply       apply a rule to a mesh
 37 |   completion  generate auto completion for your shell
 38 |   create      commands for creating resources used by SuperGloo
 39 |   get         get information about supergloo objects
 40 |   help        Help about any command
 41 |   init        install SuperGloo to a Kubernetes cluster
 42 |   install     install a service mesh using Supergloo
 43 |   register    commands for registering meshes with SuperGloo
 44 |   set         update an existing resource with one or more config options
 45 |   uninstall   uninstall a service mesh using Supergloo
 46 |   upgrade     upgrade your supergloo cli binary to the latest version
 47 | 
 48 | Flags:
 49 |   -h, --help      help for supergloo
 50 |       --version   version for supergloo
 51 | 
 52 | Use "supergloo [command] --help" for more information about a command.
 53 | ```
 54 | 
 55 | Now let's initialise Super Gloo on our cluster. To do that we issue the following command
 56 | ```
 57 | supergloo init
 58 | ```
 59 | 
 60 | You will get an output like the one listed below
 61 | ```
 62 | 16:08 $ supergloo init
 63 | installing supergloo version 0.3.22
 64 | using chart uri https://storage.googleapis.com/supergloo-helm/charts/supergloo-0.3.22.tgz
 65 | configmap/sidecar-injection-resources created
 66 | serviceaccount/supergloo created
 67 | serviceaccount/discovery created
 68 | serviceaccount/mesh-discovery created
 69 | clusterrole.rbac.authorization.k8s.io/discovery created
 70 | clusterrole.rbac.authorization.k8s.io/mesh-discovery created
 71 | clusterrolebinding.rbac.authorization.k8s.io/supergloo-role-binding created
 72 | clusterrolebinding.rbac.authorization.k8s.io/discovery-role-binding created
 73 | clusterrolebinding.rbac.authorization.k8s.io/mesh-discovery-role-binding created
 74 | deployment.extensions/supergloo created
 75 | deployment.extensions/discovery created
 76 | deployment.extensions/mesh-discovery created
 77 | install successful!
 78 | ```
 79 | Then we can make sure our pods are deployed with `kubectl get pods --all-namespaces`
 80 | 
 81 | ```
 82 | NAMESPACE          NAME                                    READY   STATUS    RESTARTS   AGE
 83 | kube-system        coredns-76b964fdc6-2kjp9                1/1     Running   0          41m
 84 | kube-system        coredns-76b964fdc6-k7ktf                1/1     Running   0          37m
 85 | kube-system        coredns-autoscaler-86849d9999-pdlt6     1/1     Running   0          40m
 86 | kube-system        kube-proxy-2ps6g                        1/1     Running   0          37m
 87 | kube-system        kube-proxy-46vkd                        1/1     Running   0          37m
 88 | kube-system        kube-proxy-lzknd                        1/1     Running   0          38m
 89 | kube-system        kube-svc-redirect-2kfjf                 2/2     Running   0          38m
 90 | kube-system        kube-svc-redirect-xdtzd                 2/2     Running   0          37m
 91 | kube-system        kube-svc-redirect-zc4bk                 2/2     Running   0          37m
 92 | kube-system        kubernetes-dashboard-6975779c8c-kfpgc   1/1     Running   1          41m
 93 | kube-system        metrics-server-5dd76855f9-d2jf8         1/1     Running   1          41m
 94 | kube-system        tunnelfront-6ddfcfb7b9-6k2lf            1/1     Running   0          40m
 95 | supergloo-system   discovery-58fdbb95dd-t7b5x              1/1     Running   0          28m
 96 | supergloo-system   mesh-discovery-85d655f99d-klcq2         1/1     Running   0          28m
 97 | supergloo-system   supergloo-688ff566-t8tkr                1/1     Running   0          28m
 98 | ```
 99 | 
100 | 
101 | 
102 | ## Web ui
103 | As I mentioned earlier Super Gloo also has a web front called service mesh hub. So let's install that now have a look at the features available to us. To install the dashboard run the following command
104 | ```
105 | kubectl apply -f https://raw.githubusercontent.com/solo-io/service-mesh-hub/master/install/service-mesh-hub.yaml
106 | ```
107 | 
108 | Then we will check to make sure all the pods for the application have started with `kubectl get pods --all-namespaces`
109 | 
110 | ```
111 | NAMESPACE          NAME                                    READY   STATUS    RESTARTS   AGE
112 | kube-system        coredns-76b964fdc6-2kjp9                1/1     Running   0          45m
113 | kube-system        coredns-76b964fdc6-k7ktf                1/1     Running   0          41m
114 | kube-system        coredns-autoscaler-86849d9999-pdlt6     1/1     Running   0          45m
115 | kube-system        kube-proxy-2ps6g                        1/1     Running   0          42m
116 | kube-system        kube-proxy-46vkd                        1/1     Running   0          42m
117 | kube-system        kube-proxy-lzknd                        1/1     Running   0          42m
118 | kube-system        kube-svc-redirect-2kfjf                 2/2     Running   0          42m
119 | kube-system        kube-svc-redirect-xdtzd                 2/2     Running   0          42m
120 | kube-system        kube-svc-redirect-zc4bk                 2/2     Running   0          42m
121 | kube-system        kubernetes-dashboard-6975779c8c-kfpgc   1/1     Running   1          45m
122 | kube-system        metrics-server-5dd76855f9-d2jf8         1/1     Running   1          45m
123 | kube-system        tunnelfront-6ddfcfb7b9-6k2lf            1/1     Running   0          45m
124 | sm-marketplace     discovery-58fdbb95dd-gvbfq              1/1     Running   0          18s
125 | sm-marketplace     mesh-discovery-7d58964d-7vxkn           1/1     Running   0          17s
126 | sm-marketplace     smm-apiserver-6fff94f645-7fvl9          3/3     Running   0          16s
127 | sm-marketplace     smm-operator-797b557cbd-jb4xp           1/1     Running   0          17s
128 | sm-marketplace     supergloo-789cc877b-cbvpj               1/1     Running   0          19s
129 | supergloo-system   discovery-58fdbb95dd-t7b5x              1/1     Running   0          33m
130 | supergloo-system   mesh-discovery-85d655f99d-klcq2         1/1     Running   0          33m
131 | supergloo-system   supergloo-688ff566-t8tkr                1/1     Running   0          33m
132 | ```
133 | 
134 | 
135 | Now as this dashboard can deploy into your cluster it is not a good idea to have it exposed outside the cluster.  
136 | We will forward the port to our local `kubectl` client and access it on `localhost:8080`
137 | ```
138 | kubectl port-forward -n sm-marketplace deploy/smm-apiserver 8080
139 | ```
140 | 
141 | Now that we have forwarded the port we can access the webpage on `localhost:8080`


--------------------------------------------------------------------------------
/hack/hey/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM golang:1.12.7-alpine3.10 as build
 2 | 
 3 | RUN apk add --no-cache git && \
 4 |     go get -u github.com/rakyll/hey
 5 | 
 6 | FROM alpine:3.10
 7 | 
 8 | COPY --from=build /go/bin/hey /usr/bin/hey
 9 | 
10 | ENTRYPOINT [ "hey" ]
11 | 


--------------------------------------------------------------------------------
/ingress-controller/code.md:
--------------------------------------------------------------------------------
 1 | # Ingress controller
 2 | 
 3 | In this module we are going to deploy the Azure ingress control that Azure has out of the box.    
 4 | This is not meant to be used for a production use as it is a single pod. To learn more about the restrictions    
 5 | please read [here](https://docs.microsoft.com/en-us/azure/aks/http-application-routing/?WT.mc_id=aksworkshop-github-sccoulto)  
 6 | 
 7 | To enable the add on 
 8 | 
 9 | ## Enable the addon
10 | `az aks enable-addons --resource-group k8s --name k8s --addons http_application_routing`
11 | 
12 | Now the addon is going to create a public DNS name to access the ingress control rules to get that DNS name  
13 | 
14 | ## Get DNS name
15 | ```
16 | az aks show --resource-group k8s --name k8s --query addonProfiles.httpApplicationRouting.config.HTTPApplicationRoutingZoneName -o tsv
17 | ```
18 | 
19 | Now we deploy our deployments with the ingress DNS name
20 | 
21 | ## Deploying our application
22 | ```
23 | #!/bin/bash
24 | 
25 | cat <<EOF | kubectl apply -f -
26 | apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
27 | kind: Deployment
28 | metadata:
29 |   name: webapp-deployment
30 | spec:
31 |   selector:
32 |     matchLabels:
33 |       app: webapp
34 |   replicas: 1
35 |   template:
36 |     metadata:
37 |       labels:
38 |         app: webapp
39 |     spec:
40 |       containers:
41 |       - name: webapp
42 |         image: scottyc/webapp:latest
43 |         ports:
44 |         - containerPort: 3000
45 |           hostPort: 3000
46 | EOF
47 | cat <<EOF | kubectl apply -f -
48 | apiVersion: v1
49 | kind: Service
50 | metadata:
51 |   name: webapp
52 | spec:
53 |   ports:
54 |   - port: 80
55 |     protocol: TCP
56 |     targetPort: 3000
57 |   selector:
58 |     app: webapp
59 |   type: ClusterIP
60 | EOF
61 | 
62 | DNS=$(az aks show --resource-group k8s --name k8s --query addonProfiles.httpApplicationRouting.config.HTTPApplicationRoutingZoneName -o tsv)
63 | 
64 | cat <<EOF | kubectl apply -f -
65 | apiVersion: extensions/v1beta1
66 | kind: Ingress
67 | metadata:
68 |   name: webapp
69 |   annotations:
70 |     kubernetes.io/ingress.class: addon-http-application-routing
71 | spec:
72 |   rules:
73 |   - host: webapp.$DNS
74 |     http:
75 |       paths:
76 |       - backend:
77 |           serviceName: webapp
78 |           servicePort: 80
79 |         path: /
80 | EOF
81 | ```
82 | 
83 | 
84 | Now check your browser using http://webapp.$DNS
85 | 


--------------------------------------------------------------------------------
/ingress-controller/deploy.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | cat <<EOF | kubectl apply -f -
 4 | apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
 5 | kind: Deployment
 6 | metadata:
 7 |   name: webapp-deployment
 8 | spec:
 9 |   selector:
10 |     matchLabels:
11 |       app: webapp
12 |   replicas: 1
13 |   template:
14 |     metadata:
15 |       labels:
16 |         app: webapp
17 |     spec:
18 |       containers:
19 |       - name: webapp
20 |         image: scottyc/webapp:latest
21 |         ports:
22 |         - containerPort: 3000
23 |           hostPort: 3000
24 | EOF
25 | 
26 | cat <<EOF | kubectl apply -f -
27 | apiVersion: v1
28 | kind: Service
29 | metadata:
30 |   name: webapp
31 | spec:
32 |   ports:
33 |   - port: 80
34 |     protocol: TCP
35 |     targetPort: 3000
36 |   selector:
37 |     app: webapp
38 |   type: ClusterIP
39 | EOF
40 | 
41 | DNS=$(az aks show --resource-group k8s --name k8s --query addonProfiles.httpApplicationRouting.config.HTTPApplicationRoutingZoneName -o tsv)
42 | 
43 | cat <<EOF | kubectl apply -f -
44 | apiVersion: extensions/v1beta1
45 | kind: Ingress
46 | metadata:
47 |   name: webapp
48 |   annotations:
49 |     kubernetes.io/ingress.class: addon-http-application-routing
50 | spec:
51 |   rules:
52 |   - host: webapp.$DNS
53 |     http:
54 |       paths:
55 |       - backend:
56 |           serviceName: webapp
57 |           servicePort: 80
58 |         path: /
59 | EOF
60 | 


--------------------------------------------------------------------------------
/ingress-with-traefik/code.md:
--------------------------------------------------------------------------------
  1 | # Traefik
  2 | 
  3 | 
  4 | ## Create rbac roles
  5 | ```
  6 | cat <<EOF | kubectl apply -f -
  7 | kind: ClusterRole
  8 | apiVersion: rbac.authorization.k8s.io/v1beta1
  9 | metadata:
 10 |   name: traefik-ingress-controller
 11 | rules:
 12 |   - apiGroups:
 13 |       - ""
 14 |     resources:
 15 |       - services
 16 |       - endpoints
 17 |       - secrets
 18 |     verbs:
 19 |       - get
 20 |       - list
 21 |       - watch
 22 |   - apiGroups:
 23 |       - extensions
 24 |     resources:
 25 |       - ingresses
 26 |     verbs:
 27 |       - get
 28 |       - list
 29 |       - watch
 30 | ---
 31 | kind: ClusterRoleBinding
 32 | apiVersion: rbac.authorization.k8s.io/v1beta1
 33 | metadata:
 34 |   name: traefik-ingress-controller
 35 | roleRef:
 36 |   apiGroup: rbac.authorization.k8s.io
 37 |   kind: ClusterRole
 38 |   name: traefik-ingress-controller
 39 | subjects:
 40 | - kind: ServiceAccount
 41 |   name: traefik-ingress-controller
 42 |   namespace: kube-system
 43 | EOF
 44 | ```
 45 | 
 46 | 
 47 | ## Deployment
 48 | 
 49 | ```
 50 | cat <<EOF | kubectl apply -f -
 51 | apiVersion: v1
 52 | kind: ServiceAccount
 53 | metadata:
 54 |   name: traefik-ingress-controller
 55 |   namespace: kube-system
 56 | ---
 57 | kind: Deployment
 58 | apiVersion: extensions/v1beta1
 59 | metadata:
 60 |   name: traefik-ingress-controller
 61 |   namespace: kube-system
 62 |   labels:
 63 |     k8s-app: traefik-ingress-lb
 64 | spec:
 65 |   replicas: 1
 66 |   selector:
 67 |     matchLabels:
 68 |       k8s-app: traefik-ingress-lb
 69 |   template:
 70 |     metadata:
 71 |       labels:
 72 |         k8s-app: traefik-ingress-lb
 73 |         name: traefik-ingress-lb
 74 |     spec:
 75 |       serviceAccountName: traefik-ingress-controller
 76 |       terminationGracePeriodSeconds: 60
 77 |       containers:
 78 |       - image: traefik
 79 |         name: traefik-ingress-lb
 80 |         ports:
 81 |         - name: http
 82 |           containerPort: 80
 83 |         - name: admin
 84 |           containerPort: 8080
 85 |         args:
 86 |         - --api
 87 |         - --kubernetes
 88 |         - --logLevel=INFO
 89 | ---
 90 | kind: Service
 91 | apiVersion: v1
 92 | metadata:
 93 |   name: traefik-ingress-service
 94 |   namespace: kube-system
 95 | spec:
 96 |   selector:
 97 |     k8s-app: traefik-ingress-lb
 98 |   ports:
 99 |     - protocol: TCP
100 |       port: 80
101 |       name: web
102 |     - protocol: TCP
103 |       port: 8080
104 |       name: admin
105 |   type: LoadBalancer
106 | EOF
107 | ```
108 | 
109 | ## Traefik ui
110 | ```
111 | cat <<EOF | kubectl apply -f -
112 | apiVersion: v1
113 | kind: Service
114 | metadata:
115 |   name: traefik-web-ui
116 |   namespace: kube-system
117 | spec:
118 |   selector:
119 |     k8s-app: traefik-ingress-lb
120 |   ports:
121 |   - name: web
122 |     port: 80
123 |     targetPort: 8080
124 | EOF
125 | ```
126 | 
127 | Check the ui with 
128 | `kubectl -n kube-system  port-forward traefik-ingress-controller-7cc5c78dfd-bhrgk 8080`
129 | 


--------------------------------------------------------------------------------
/installing-helm-on-kubernetes/code.md:
--------------------------------------------------------------------------------
 1 | # Installing helm on Kubernetes
 2 | 
 3 | ## Installing helm
 4 | 
 5 | In this module we are going to deploy Helm on Kubernetes.  
 6 | There is a script below to install the Helm binary 
 7 | 
 8 | ```
 9 | #!/bin/bash
10 | 
11 | if [[ "$OSTYPE" == "linux-gnu" ]]; then
12 |     OS="linux"
13 |     ARCH="linux-amd64"
14 | elif [[ "$OSTYPE" == "darwin"* ]]; then
15 |     OS="osx"
16 |     ARCH="darwin-amd64"
17 | fi    
18 | HELM_VERSION=2.11.0
19 | curl -sL "https://storage.googleapis.com/kubernetes-helm/helm-v$HELM_VERSION-$ARCH.tar.gz" | tar xz
20 | chmod +x $ARCH/helm 
21 | sudo mv $ARCH/helm /usr/local/bin/
22 | ```
23 | 
24 | Now we will set up the service account and role binding to give Helm the permissions that it needs.  
25 | 
26 | ## Installing Tiller
27 | ```
28 | cat <<EOF | kubectl apply -f -
29 | apiVersion: v1
30 | kind: ServiceAccount
31 | metadata:
32 |   name: tiller
33 |   namespace: kube-system
34 | ---
35 | apiVersion: rbac.authorization.k8s.io/v1beta1
36 | kind: ClusterRoleBinding
37 | metadata:
38 |   name: tiller
39 | roleRef:
40 |   apiGroup: rbac.authorization.k8s.io
41 |   kind: ClusterRole
42 |   name: cluster-admin
43 | subjects:
44 |   - kind: ServiceAccount
45 |     name: tiller
46 |     namespace: kube-system
47 | EOF
48 | ```
49 | 
50 | Lastly we will connect our Helm client to tiller
51 | 
52 | `helm init --service-account tiller`
53 | 
54 | 
55 | 
56 | 
57 | 
58 | 


--------------------------------------------------------------------------------
/istio-with-supergloo/code.md:
--------------------------------------------------------------------------------
  1 | # Istio with Supergloo
  2 | 
  3 | In another [module](../advance-application-routing-with-istio/code.md) we look at installing manually. In this module we are going to look at doing the same with [Supergloo](https://supergloo.solo.io/) Now you may ask why?  
  4 | Supergloo gives us a really nice ux to work with Istio. 
  5 | 
  6 | ## Installing istio
  7 | To install istio with Supergloo you issue the following command  
  8 | ```
  9 | supergloo install istio --name istio --installation-namespace istio-system --mtls=true --auto-inject=true --ingress=true
 10 | ```  
 11 | You will notice we are going to set the flags to enable mTLS and auto injection.  
 12 | After you issue the command you will get the following output
 13 | ```
 14 | +---------+------------+---------+---------------------------+
 15 | | INSTALL |    TYPE    | STATUS  |          DETAILS          |
 16 | +---------+------------+---------+---------------------------+
 17 | | istio   | Istio Mesh | Pending | enabled: true             |
 18 | |         |            |         | version: 1.0.6            |
 19 | |         |            |         | namespace: istio-system   |
 20 | |         |            |         | mtls enabled: true        |
 21 | |         |            |         | auto inject enabled: true |
 22 | |         |            |         | grafana enabled: false    |
 23 | |         |            |         | prometheus enabled: false |
 24 | |         |            |         | jaeger enabled: false     |
 25 | |         |            |         | ingress enabled: true     |
 26 | |         |            |         | egress enabled: false     |
 27 | +---------+------------+---------+---------------------------+
 28 | ```
 29 | 
 30 | ## Testing out mTLS
 31 | We will now deploy a new namespace with and allow istio to auto inject the envoy proxy.  
 32 | ```
 33 | kubectl create namespace istio-app
 34 | kubectl label namespace istio-app istio-injection=enabled
 35 | ```
 36 | 
 37 | Next we will deploy our demo application in our new namespace  
 38 | ```
 39 | kubectl --namespace istio-app apply --filename \
 40 |     https://raw.githubusercontent.com/solo-io/supergloo/master/test/e2e/files/bookinfo.yaml
 41 | ```  
 42 | 
 43 | Then we will deploy our virtual service fot routing
 44 | ```
 45 | cat <<EOF | kubectl apply -f -
 46 | apiVersion: networking.istio.io/v1alpha3
 47 | kind: VirtualService
 48 | metadata:
 49 |   name: bookinfo
 50 |   namespace: istio-app
 51 | spec:
 52 |   gateways:
 53 |   - bookinfo-gateway
 54 |   hosts:
 55 |   - '*'
 56 |   http:
 57 |   - match:
 58 |     - uri:
 59 |         exact: /productpage
 60 |     - uri:
 61 |         exact: /login
 62 |     - uri:
 63 |         exact: /logout
 64 |     - uri:
 65 |         prefix: /api/v1/products
 66 |     route:
 67 |     - destination:
 68 |         host: productpage
 69 |         port:
 70 |           number: 9080
 71 | EOF
 72 | ```
 73 | 
 74 | Then bind the routes to our istio gateway
 75 | ```
 76 | cat <<EOF | kubectl apply -f -
 77 | apiVersion: networking.istio.io/v1alpha3
 78 | kind: Gateway
 79 | metadata:
 80 |   name: bookinfo-gateway
 81 |   namespace: istio-app
 82 | spec:
 83 |   selector:
 84 |     istio: ingressgateway # use istio default controller
 85 |   servers:
 86 |   - port:
 87 |       number: 80
 88 |       name: http
 89 |       protocol: HTTP
 90 |     hosts:
 91 |     - "*"
 92 | EOF
 93 | ```
 94 | 
 95 | You can now get the public ip of the ingress gateway
 96 | ```
 97 | kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
 98 | ```
 99 | 
100 | Then to check you application open a browser and use the public ip listed in the command above and add `/productpage` for example my ip is `40.121.151.134` so in the browser I would use `http://40.121.151.134/productpage`
101 | 
102 | Now we have our application we can test out the mTLS communication. We will do that with [tcpdump](https://www.tcpdump.org/manpages/tcpdump.1.html) via the envoy sidecar. To get shell access to that pod we will issue the following      
103 | ```
104 | export POD_NAME=$(kubectl get pods --namespace=istio-app | grep details | cut -d' ' -f1)
105 | kubectl exec -n istio-app -it $POD_NAME -c istio-proxy /bin/bash
106 | ```
107 | 
108 | From inside that terminal we will try to hit a service internally 
109 | `curl -k -v http://details:9080/details/0`
110 | 
111 | We should get a connection refused  
112 | ```
113 | *   Trying 10.0.70.13...
114 | * Connected to details (10.0.70.13) port 9080 (#0)
115 | > GET /details/0 HTTP/1.1
116 | > Host: details:9080
117 | > User-Agent: curl/7.47.0
118 | > Accept: */*
119 | > 
120 | * Recv failure: Connection reset by peer
121 | * Closing connection 0
122 | curl: (56) Recv failure: Connection reset by peer
123 | ```
124 | 
125 | Now lets use tcp dump  
126 | ```
127 | IP=$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1)
128 | echo $IP
129 | sudo tcpdump -vvv -A -i eth0 '((dst port 9080) and (net <Use ip from above>))'
130 | ```
131 | Make sure to replace `<Use ip from above>` with the output of `echo $IP`  
132 | 
133 | Now open a new terminal not inside the proxy and hit the public end point
134 | ```
135 | curl -o /dev/null -s -w "%{http_code}\n" http://$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')/productpage
136 | ```
137 | 
138 | And tcpdump will show you the traffic is encrypted 
139 | ```
140 | tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
141 | 01:44:26.321505 IP (tos 0x0, ttl 62, id 29808, offset 0, flags [DF], proto TCP (6), length 985)
142 |     10-244-2-10.productpage.istio-app.svc.cluster.local.56608 > details-v1-68b96b8855-8gz6d.9080: Flags [P.], cksum 0xcb35 (correct), seq 2023992897:2023993830, ack 3234861546, win 309, options [nop,nop,TS val 921785932 ecr 2584296252], length 933
143 | E...tp@.>...
144 | ..
145 | 
146 | ..	. #xx..A.......5.5.....
147 | 6.VL.	;<..............Z...n.L..;7c.......D+M+......z![..b......o.O.ST.8...+>.h....8.V..;....n.jB..FB	t.
148 | .|.../.2...D.y<....s......y.D:.<..,.Q.6..<T7W[...._..HO.
149 | ........*rm"O......^u....3....w.....f.............n..0............i............!/.}(].Y.y^f....f.... .0..J..g..h..K.b.o...F..F.^../.%..N..@.x..L....?....f..y..tr..[.K...X.Z.F.........vK0...Jp.@..6.li.wZMT.. 9K.............._..."'Q........:...2{....F?i1M.#<05....I. 
150 | Cy.[........B.i{bi.,/..-..$J..`..%.2..?,.g.......-......o...;...... .^....;.`.}.tL.-...4...$.T..3..8..sR.?1...\Kd.B...Is8_.W...j-h....|.h.T...W..	...X.[..x..#|...~t.....x.......8....B..Yo.....K.....#E....p|.H....aUsw......\.!.=;....!...b..<...M..(i9......../......f..5.t8f#}...r{..S...4.P.P...q../.........=.!!....r...
151 | ...D./>..^S....u.(.x_N..j..R...;M........hf.!..f..Z@...}.;....`.....(.....[....+.b...U....	.....IpB.ZU.	O:..A...`..D.:mB..c.I....U.~..
152 | .....\.B..R.z.BT.......G........G.*w|.B	Me...<.7..;.........
153 | 01:44:26.370014 IP (tos 0x0, ttl 62, id 29809, offset 0, flags [DF], proto TCP (6), length 52)
154 |     10-244-2-10.productpage.istio-app.svc.cluster.local.56608 > details-v1-68b96b8855-8gz6d.9080: Flags [.], cksum 0x74ec (correct), seq 933, ack 366, win 329, options [nop,nop,TS val 921785981 ecr 2584854722], length 0
155 | E..4tq@.>..X
156 | ..
157 | 
158 | ..	. #xx......W...It......
159 | 6.V}....
160 | 01:44:51.719390 IP (tos 0x0, ttl 64, id 30975, offset 0, flags [DF], proto TCP (6), length 60)
161 |     10.244.1.3.52284 > details-v1-68b96b8855-8gz6d.9080: Flags [S], cksum 0x1822 (incorrect -> 0x0b29), seq 590050211, win 29200, options [mss 1460,sackOK,TS val 1051389349 ecr 0,nop,wscale 7], length 0
162 | E..<x.@.@...
163 | ...
164 | ..	.<#x#+s.......r..".........
165 | >...........
166 | 01:44:51.719440 IP (tos 0x0, ttl 64, id 30976, offset 0, flags [DF], proto TCP (6), length 52)
167 |     10.244.1.3.52284 > details-v1-68b96b8855-8gz6d.9080: Flags [.], cksum 0x181a (incorrect -> 0xaf81), seq 590050212, ack 3111167789, win 229, options [nop,nop,TS val 1051389349 ecr 2269647784], length 0
168 | E..4y.@.@...
169 | ...
170 | ..	.<#x#+s..p.-...........
171 | >....H..
172 | 01:44:51.720032 IP (tos 0x0, ttl 64, id 30977, offset 0, flags [DF], proto TCP (6), length 76)
173 |     10.244.1.3.52284 > details-v1-68b96b8855-8gz6d.9080: Flags [P.], cksum 0x1832 (incorrect -> 0x6a52), seq 0:24, ack 1, win 229, options [nop,nop,TS val 1051389349 ecr 2269647784], length 24
174 | E..Ly.@.@...
175 | ...
176 | ..	.<#x#+s..p.-.....2.....
177 | >....H..PRI * HTTP/2.0
178 | 
179 | SM
180 | 
181 | 
182 | 01:44:51.720164 IP (tos 0x0, ttl 64, id 30978, offset 0, flags [DF], proto TCP (6), length 61)
183 |     10.244.1.3.52284 > details-v1-68b96b8855-8gz6d.9080: Flags [P.], cksum 0x1823 (incorrect -> 0xaf54), seq 24:33, ack 1, win 229, options [nop,nop,TS val 1051389349 ecr 2269647784], length 9
184 | E..=y.@.@...
185 | ...
186 | ..	.<#x#+s..p.-.....#.....
187 | >....H...........
188 | 01:44:51.720191 IP (tos 0x0, ttl 64, id 30979, offset 0, flags [DF], proto TCP (6), length 52)
189 |     10.244.1.3.52284 > details-v1-68b96b8855-8gz6d.9080: Flags [.], cksum 0x181a (incorrect -> 0xaf59), seq 33, ack 8, win 229, options [nop,nop,TS val 1051389349 ecr 2269647784], length 0
190 | E..4y.@.@...
191 | ...
192 | ..	.<#x#+s..p.4...........
193 | >....H..
194 | 01:46:14.077221 IP (tos 0x0, ttl 64, id 26455, offset 0, flags [DF], proto TCP (6), length 60)
195 |     10.244.1.3.52922 > details-v1-68b96b8855-8gz6d.9080: Flags [S], cksum 0x1822 (incorrect -> 0xc5ac), seq 1534606494, win 29200, options [mss 1460,sackOK,TS val 1051471706 ecr 0,nop,wscale 7], length 0
196 | E..<gW@.@..q
197 | ...
198 | ..	..#x[x<.......r..".........
199 | >./Z........
200 | 01:46:14.077300 IP (tos 0x0, ttl 64, id 26456, offset 0, flags [DF], proto TCP (6), length 52)
201 |     10.244.1.3.52922 > details-v1-68b96b8855-8gz6d.9080: Flags [.], cksum 0x181a (incorrect -> 0xfc83), seq 1534606495, ack 1446327858, win 229, options [nop,nop,TS val 1051471707 ecr 2269730142], length 0
202 | E..4gX@.@..x
203 | ...
204 | ..	..#x[x<.V562...........
205 | >./[.IU^
206 | 01:46:14.078164 IP (tos 0x0, ttl 64, id 26457, offset 0, flags [DF], proto TCP (6), length 76)
207 |     10.244.1.3.52922 > details-v1-68b96b8855-8gz6d.9080: Flags [P.], cksum 0x1832 (incorrect -> 0xb754), seq 0:24, ack 1, win 229, options [nop,nop,TS val 1051471707 ecr 2269730142], length 24
208 | E..LgY@.@.._
209 | ...
210 | ..	..#x[x<.V562.....2.....
211 | >./[.IU^PRI * HTTP/2.0
212 | 
213 | SM
214 | 
215 | 
216 | 01:46:14.078204 IP (tos 0x0, ttl 64, id 26458, offset 0, flags [DF], proto TCP (6), length 61)
217 |     10.244.1.3.52922 > details-v1-68b96b8855-8gz6d.9080: Flags [P.], cksum 0x1823 (incorrect -> 0xfc56), seq 24:33, ack 1, win 229, options [nop,nop,TS val 1051471707 ecr 2269730142], length 9
218 | E..=gZ@.@..m
219 | ...
220 | ..	..#x[x<.V562.....#.....
221 | >./[.IU^.........
222 | 01:46:14.078288 IP (tos 0x0, ttl 64, id 26459, offset 0, flags [DF], proto TCP (6), length 52)
223 |     10.244.1.3.52922 > details-v1-68b96b8855-8gz6d.9080: Flags [.], cksum 0x181a (incorrect -> 0xfc59), seq 33, ack 8, win 229, options [nop,nop,TS val 1051471708 ecr 2269730143], length 0
224 | E..4g[@.@..u
225 | ...
226 | ..	..#x[x<.V569...........
227 | >./\.IU_
228 | 
229 | ^C
230 | 12 packets captured
231 | 12 packets received by filter
232 | 0 packets dropped by kernel
233 | ```
234 | 
235 | ## Clean up
236 | Now let's cleanup our environment.
237 | 
238 | Delete our test app
239 | ```
240 | kubectl --namespace istio-app delete --filename \
241 |     https://raw.githubusercontent.com/solo-io/supergloo/master/test/e2e/files/bookinfo.yaml
242 | ```
243 | 
244 | and delete istio 
245 | ```
246 | supergloo uninstall --name istio
247 | ```


--------------------------------------------------------------------------------
/keda/code.md:
--------------------------------------------------------------------------------
  1 | # Keda 
  2 | 
  3 | ## Installing Keda
  4 | 
  5 | #### Add Helm repo
  6 | ```
  7 | helm repo add kedacore https://kedacore.azureedge.net/helm
  8 | ```
  9 | 
 10 | #### Update Helm repo
 11 | ```
 12 | helm repo update
 13 | ```
 14 | 
 15 | #### Install keda-edge chart
 16 | ```
 17 | helm install kedacore/keda-edge --devel --set logLevel=debug --namespace keda --name keda
 18 | ```
 19 | 
 20 | #### Install rabbitmq
 21 | ```
 22 | helm install --name rabbitmq --set rabbitmq.username=user,rabbitmq.password=PASSWORD stable/rabbitmq
 23 | ```
 24 | 
 25 | #### Install consumer
 26 | ```
 27 | cat <<EOF | kubectl apply -f -
 28 | apiVersion: apps/v1
 29 | kind: Deployment
 30 | metadata:
 31 |   name: rabbitmq-consumer
 32 |   namespace: default
 33 |   labels:
 34 |     app: rabbitmq-consumer
 35 | spec:
 36 |   selector:
 37 |     matchLabels:
 38 |       app: rabbitmq-consumer
 39 |   template:
 40 |     metadata:
 41 |       labels:
 42 |         app: rabbitmq-consumer
 43 |     spec:
 44 |       containers:
 45 |       - name: rabbitmq-consumer
 46 |         image: jeffhollan/rabbitmq-client:dev
 47 |         imagePullPolicy: Always
 48 |         command:
 49 |           - receive
 50 |         args:
 51 |           - 'amqp://user:PASSWORD@rabbitmq.default.svc.cluster.local:5672'
 52 |       dnsPolicy: ClusterFirst
 53 |       nodeSelector:
 54 |         kubernetes.io/role: agent
 55 |         beta.kubernetes.io/os: linux
 56 |         type: virtual-kubelet
 57 |       tolerations:
 58 |       - key: virtual-kubelet.io/provider
 59 |         operator: Exists
 60 |       - key: azure.com/aci
 61 |         effect: NoSchedule      
 62 | ---
 63 | apiVersion: keda.k8s.io/v1alpha1
 64 | kind: ScaledObject
 65 | metadata:
 66 |   name: rabbitmq-consumer
 67 |   namespace: default
 68 |   labels:
 69 |     deploymentName: rabbitmq-consumer
 70 | spec:
 71 |   scaleTargetRef:
 72 |     deploymentName: rabbitmq-consumer
 73 |   pollingInterval: 5   # Optional. Default: 30 seconds
 74 |   cooldownPeriod: 30   # Optional. Default: 300 seconds
 75 |   maxReplicaCount: 30  # Optional. Default: 100
 76 |   triggers:
 77 |   - type: rabbitmq
 78 |     metadata:
 79 |       queueName: hello
 80 |       host: 'amqp://user:PASSWORD@rabbitmq.default.svc.cluster.local:5672'
 81 |       queueLength  : '5'
 82 | EOF
 83 | ```
 84 | 
 85 | #### Set up our terminal
 86 | Before we deploy our consumer we will need to open up a couple of terminals to see how the horizontal pod autoscaler is going to scale our workloads across to ACI using virtual node. As we are working in a container we will use tmux to help us. First step if you have not already done so open tmux by typing `tmux`
 87 | 
 88 | Next we will create a new window by pressing `ctrl+b c`  
 89 | Then split that window with `ctrl+b %`  
 90 | 
 91 | you can now move around the windows with `ctrl+b ->` (Arrow keys)  
 92 | 
 93 | In one window enter `kubectl get hpa -w` to watch the horizontal pod autoscaler  
 94 | In the other enter `kubectl get pods -o wide` to make sure our pods are being scheduled on virtual node.  
 95 | 
 96 | now switch back to our first window with `ctrl+b n`
 97 | 
 98 | #### Install the publisher
 99 | ```
100 | cat <<EOF | kubectl apply -f -
101 | apiVersion: batch/v1
102 | kind: Job
103 | metadata:
104 |   name: rabbitmq-publish
105 | spec:
106 |   template:
107 |     spec:
108 |       containers:
109 |       - name: rabbitmq-client
110 |         image: jeffhollan/rabbitmq-client:dev
111 |         imagePullPolicy: Always
112 |         command: ["send",  "amqp://user:PASSWORD@rabbitmq.default.svc.cluster.local:5672", "300"]
113 |       restartPolicy: Never
114 |   backoffLimit: 4
115 | EOF
116 | ```
117 | 
118 | Now let's switch back to our second window to watch the scaling events `ctrl+b n`
119 | 
120 | 
121 | ## Clean up
122 | This is super important for the next modules not to have any resources left over.
123 | ```
124 | kubectl delete job rabbitmq-publish
125 | kubectl delete ScaledObject rabbitmq-consumer
126 | kubectl delete deploy rabbitmq-consumer
127 | helm delete --purge rabbitmq
128 | ```


--------------------------------------------------------------------------------
/mTLS-with-istio/code.md:
--------------------------------------------------------------------------------
  1 | # mTLS with istio
  2 | 
  3 | ## Create our namespace
  4 | `kubectl create namespace istio-app`  
  5 | `kubectl label namespace istio-app istio-injection=enabled`
  6 | 
  7 | ## Enbale mTLS across our namespace
  8 | ```
  9 | cat <<EOF | istioctl create -f -
 10 | apiVersion: authentication.istio.io/v1alpha1
 11 | kind: Policy
 12 | metadata:
 13 |   name: default
 14 |   namespace: istio-app
 15 | spec:
 16 |   peers:
 17 |   - mtls:
 18 | EOF
 19 | ```
 20 | 
 21 | ## Create a destination rule
 22 | ```
 23 | cat <<EOF | istioctl create -f -
 24 | apiVersion: networking.istio.io/v1alpha3
 25 | kind: DestinationRule
 26 | metadata:
 27 |   name: default
 28 |   namespace: istio-app
 29 | spec:
 30 |   host: "*"
 31 |   trafficPolicy:
 32 |     tls:
 33 |       mode: ISTIO_MUTUAL
 34 | EOF
 35 | ```
 36 | 
 37 | ## Deploy our application
 38 | `kubectl create -n istio-app -f istio-1.0.4/samples/bookinfo/platform/kube/bookinfo.yaml`
 39 | 
 40 | ## Create our virtual service
 41 | ```
 42 | cat <<EOF | kubectl apply -f -
 43 | apiVersion: networking.istio.io/v1alpha3
 44 | kind: VirtualService
 45 | metadata:
 46 |   name: bookinfo
 47 |   namespace: istio-app
 48 | spec:
 49 |   gateways:
 50 |   - bookinfo-gateway
 51 |   hosts:
 52 |   - '*'
 53 |   http:
 54 |   - match:
 55 |     - uri:
 56 |         exact: /productpage
 57 |     - uri:
 58 |         exact: /login
 59 |     - uri:
 60 |         exact: /logout
 61 |     - uri:
 62 |         prefix: /api/v1/products
 63 |     route:
 64 |     - destination:
 65 |         host: productpage
 66 |         port:
 67 |           number: 9080
 68 | EOF
 69 | ```
 70 | 
 71 | ## Create our gateway 
 72 | ```
 73 | cat <<EOF | kubectl apply -f -
 74 | apiVersion: networking.istio.io/v1alpha3
 75 | kind: Gateway
 76 | metadata:
 77 |   name: bookinfo-gateway
 78 |   namespace: istio-app
 79 | spec:
 80 |   selector:
 81 |     istio: ingressgateway # use istio default controller
 82 |   servers:
 83 |   - port:
 84 |       number: 80
 85 |       name: http
 86 |       protocol: HTTP
 87 |     hosts:
 88 |     - "*"
 89 | EOF
 90 | ```
 91 | `kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}'`
 92 | 
 93 | ## Check out your mTLS status
 94 | `istioctl authn tls-check | grep .istio-app.svc.cluster.local`
 95 | 
 96 | ```
 97 | export POD_NAME=$(kubectl get pods --namespace=istio-app | grep details | cut -d' ' -f1)
 98 | kubectl exec -n istio-app -it $POD_NAME -c istio-proxy /bin/bash
 99 | ```
100 | 
101 | ## Hit a service internally 
102 | `curl -k -v http://details:9080/details/0` 
103 | 
104 | ## Let's capture traffic with tcpdump
105 | ```
106 | IP=$(ip addr show eth0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1)
107 | sudo tcpdump -vvv -A -i eth0 '((dst port 9080) and (net $IP))'
108 | ```
109 | 
110 | ## From another terminal
111 | ```
112 | curl -o /dev/null -s -w "%{http_code}\n" http://$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')/productpage
113 | ```
114 | 


--------------------------------------------------------------------------------
/network-policies/code.md:
--------------------------------------------------------------------------------
  1 | # Network policies
  2 | 
  3 | In this module we are going to set up a simple webservice that will act as our backend.  
  4 | Then we are going to set up network policies to restrict access to the service.
  5 | 
  6 | The first thing that we are going to do is create a namespace called development.
  7 | 
  8 | `kubectl create namespace development`
  9 | 
 10 | We will then label our namespace so we can use that in our network policies later.
 11 | 
 12 | `kubectl label namespace/development purpose=development`
 13 | 
 14 | We will then deploy our application   
 15 | 
 16 | ```
 17 | cat <<EOF | kubectl apply -f -
 18 | apiVersion: apps/v1
 19 | kind: Deployment
 20 | metadata:
 21 |   name: webapp
 22 |   namespace: development
 23 | spec:
 24 |   selector:
 25 |     matchLabels:
 26 |       app: webapp
 27 |   replicas: 1
 28 |   template:
 29 |     metadata:
 30 |       labels:
 31 |         app: webapp
 32 |         role: backend
 33 |     spec:
 34 |       containers:
 35 |       - name: webapp
 36 |         image: scottyc/webapp:latest
 37 |         ports:
 38 |         - containerPort: 3000
 39 |           hostPort: 3000
 40 | EOF
 41 | ```
 42 | 
 43 | The next task is to create a service to expose our application
 44 | 
 45 | ```
 46 | cat <<EOF | kubectl apply -f -
 47 | apiVersion: v1
 48 | kind: Service
 49 | metadata:
 50 |   name: webapp-service
 51 |   namespace: development
 52 | spec:
 53 |   type: ClusterIP
 54 |   selector:
 55 |     app: webapp
 56 |     role: backend
 57 |   ports:
 58 |   - protocol: TCP
 59 |     port: 80
 60 |     targetPort: 3000
 61 | EOF    
 62 | ```
 63 | 
 64 | We will then create a pod and exec into that pods shell.  
 65 | `kubectl run --rm -it --image=alpine network-policy --namespace development --generator=run-pod/v1`  
 66 | Once we are in the shell lets hit the backend service with the below `wget` command  
 67 | `wget -qO- http://webapp-service`
 68 | 
 69 | Once you have hit the service you can exit that pods shell with the `exit` command in that terminal session.
 70 | 
 71 | Now lets create a network policy that blocks all ingress to our application  
 72 | ```
 73 | cat <<EOF | kubectl apply -f -
 74 | kind: NetworkPolicy
 75 | apiVersion: networking.k8s.io/v1
 76 | metadata:
 77 |   name: backend-policy
 78 |   namespace: development
 79 | spec:
 80 |   podSelector:
 81 |     matchLabels:
 82 |       app: webapp
 83 |       role: backend
 84 |   ingress: []
 85 | EOF
 86 | ```
 87 | Now we can test that our policy works by creating our test pod and again get shell access.  
 88 | `kubectl run --rm -it --image=alpine network-policy --namespace development --generator=run-pod/v1`  
 89 | Once we are in the shell lets hit the backend service with the below `wget` command  
 90 | `wget -qO- --timeout=2 http://webapp-service`
 91 | 
 92 | If all goes well you should have got the following output `wget: download timed out` which is what we were expecting as we blocked all ingress to our service.  
 93 | 
 94 | Once you have hit the service you can exit that pods shell with the `exit` command in that terminal session.  
 95 | 
 96 | Now blocking all traffic to our applications is not the most suitable approach in the real world. So let's look at applying network policies to labels on pods. We will now make changes to our policy to only allow traffic from our frontend.
 97 | 
 98 | ```
 99 | cat <<EOF | kubectl apply -f -
100 | kind: NetworkPolicy
101 | apiVersion: networking.k8s.io/v1
102 | metadata:
103 |   name: backend-policy
104 |   namespace: development
105 | spec:
106 |   podSelector:
107 |     matchLabels:
108 |       app: webapp
109 |       role: backend
110 |   ingress:
111 |   - from:
112 |     - namespaceSelector: {}
113 |       podSelector:
114 |         matchLabels:
115 |           app: webapp
116 |           role: frontend
117 | EOF
118 | ```          
119 | 
120 | So lets test this policy the same way we have in the past.  
121 | `kubectl run --rm -it --image=alpine network-policy --namespace development --generator=run-pod/v1`  
122 | 
123 | `wget -qO- --timeout=2 http://webapp-service`
124 | 
125 | Let's close that shell with the `exit` command
126 | 
127 | Now that didn't work. The reason for that are we are working on labels to allow traffic. With our pod that we just created we did not have the correct labels. Only a pod tagged with the label of `frontend` will have access to the backend service. Let's try again with the correct labels.  
128 | `kubectl run --rm -it frontend --image=alpine --labels app=webapp,role=frontend --namespace development --generator=run-pod/v1`  
129 | 
130 | `wget -qO- --timeout=2 http://webapp-service`
131 | 
132 | Now that `wget` call is successful. Let's close that shell with the `exit` command.  
133 | 
134 | The next thing that we need to look at is cross namespace traffic. As we know networking is not name spaced.  
135 | 
136 | Now let's create a namespace called production
137 | `kubectl create namespace production`  
138 | `kubectl label namespace/production purpose=production`  
139 | 
140 | If we run our frontend pod from the production namespace will we be able to hit the development backend? Let's try it out.
141 | 
142 | `kubectl run --rm -it frontend --image=alpine --labels app=webapp,role=frontend --namespace production --generator=run-pod/v1`  
143 | 
144 | `wget -qO- http://webapp-service.development`
145 | 
146 | Let's close that shell with the `exit` command. 
147 | 
148 | So we could hit the development backend service from the production namespace due to our network policy only filtering on labels, remembering that networking is not namespaced.
149 | 
150 | Let's make a change to our policy to make sure only services in side the development namespace is are allowed to talk to our backend service.
151 | 
152 | 
153 | ```
154 | cat <<EOF | kubectl apply -f -
155 | kind: NetworkPolicy
156 | apiVersion: networking.k8s.io/v1
157 | metadata:
158 |   name: backend-policy
159 |   namespace: development
160 | spec:
161 |   podSelector:
162 |     matchLabels:
163 |       app: webapp
164 |       role: backend
165 |   ingress:
166 |   - from:
167 |     - namespaceSelector:
168 |         matchLabels:
169 |           purpose: development
170 |       podSelector:
171 |         matchLabels:
172 |           app: webapp
173 |           role: frontend
174 | EOF
175 | ```
176 | 
177 | Again we will spin up our front end pod in the production namespace and test again if we can hit our backend in the development namespace.
178 | `kubectl run --rm -it frontend --image=alpine --labels app=webapp,role=frontend --namespace production --generator=run-pod/v1`  
179 | 
180 | `wget -qO- --timeout=2 http://webapp-service.development`  
181 | 
182 | If we have done everything correctly we should get our `wget: download timed out` error


--------------------------------------------------------------------------------
/pod-security-policy/code.md:
--------------------------------------------------------------------------------
  1 | 
  2 | ## The hack 
  3 | 
  4 | `kubectl exec -it <pod name> sh`  
  5 | `cd static`  
  6 | `vim index.html`  
  7 | `https://media.giphy.com/media/DBfYJqH5AokgM/giphy.gif`  
  8 | 
  9 | ## run as user 1000
 10 | 
 11 | ```
 12 | cat <<EOF | kubectl apply -f -
 13 | apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
 14 | kind: Deployment
 15 | metadata:
 16 |   name: webapp-deployment
 17 | spec:
 18 |   selector:
 19 |     matchLabels:
 20 |       app: webapp
 21 |   replicas: 1
 22 |   template:
 23 |     metadata:
 24 |       labels:
 25 |         app: webapp
 26 |     spec:
 27 |       containers:
 28 |       - name: webapp
 29 |         image: scottyc/webapp:latest
 30 |         ports:
 31 |         - containerPort: 3000
 32 |           hostPort: 3000
 33 |         securityContext:
 34 |           runAsUser: 1000
 35 | EOF
 36 | ```
 37 | 
 38 | `kubectl delete deployments.apps webapp-deployment`
 39 | 
 40 | ## read only file system
 41 | 
 42 | ```
 43 | cat <<EOF | kubectl apply -f -
 44 | apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
 45 | kind: Deployment
 46 | metadata:
 47 |   name: webapp-deployment
 48 | spec:
 49 |   selector:
 50 |     matchLabels:
 51 |       app: webapp
 52 |   replicas: 1
 53 |   template:
 54 |     metadata:
 55 |       labels:
 56 |         app: webapp
 57 |     spec:
 58 |       containers:
 59 |       - name: webapp
 60 |         image: scottyc/webapp:latest
 61 |         ports:
 62 |         - containerPort: 3000
 63 |           hostPort: 3000
 64 |         securityContext:
 65 |           readOnlyRootFilesystem: true
 66 | EOF
 67 | ```
 68 | 
 69 | ## allowPrivilegeEscalation
 70 | 
 71 | ```
 72 | cat <<EOF | kubectl apply -f -
 73 | apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
 74 | kind: Deployment
 75 | metadata:
 76 |   name: webapp-deployment
 77 | spec:
 78 |   selector:
 79 |     matchLabels:
 80 |       app: webapp
 81 |   replicas: 1
 82 |   template:
 83 |     metadata:
 84 |       labels:
 85 |         app: webapp
 86 |     spec:
 87 |       containers:
 88 |       - name: webapp
 89 |         image: scottyc/webapp:latest
 90 |         ports:
 91 |         - containerPort: 3000
 92 |           hostPort: 3000
 93 |         securityContext:
 94 |           allowPrivilegeEscalation: false
 95 | EOF
 96 | ```
 97 | 
 98 | ## All three
 99 | 
100 | ```
101 | cat <<EOF | kubectl apply -f -
102 | apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
103 | kind: Deployment
104 | metadata:
105 |   name: webapp-deployment
106 | spec:
107 |   selector:
108 |     matchLabels:
109 |       app: webapp
110 |   replicas: 1
111 |   template:
112 |     metadata:
113 |       labels:
114 |         app: webapp
115 |     spec:
116 |       containers:
117 |       - name: webapp
118 |         image: scottyc/webapp:latest
119 |         ports:
120 |         - containerPort: 3000
121 |           hostPort: 3000
122 |         securityContext:
123 |           runAsUser: 1000
124 |           readOnlyRootFilesystem: true
125 |           allowPrivilegeEscalation: false
126 | EOF
127 | ```
128 | 


--------------------------------------------------------------------------------
/pods-services-deployments/code.md:
--------------------------------------------------------------------------------
 1 | # Pods, services and deployments
 2 | 
 3 | ![slide 1](../slides/pods-services-deployments/Slide1.jpg)
 4 | ![slide 2](../slides/pods-services-deployments/Slide2.jpg)
 5 | ![slide 3](../slides/pods-services-deployments/Slide3.jpg)
 6 | ![slide 4](../slides/pods-services-deployments/Slide4.jpg)
 7 | ![slide 5](../slides/pods-services-deployments/Slide5.jpg)
 8 | ![slide 6](../slides/pods-services-deployments/Slide6.jpg)
 9 | ![slide 7](../slides/pods-services-deployments/Slide7.jpg)
10 | ![slide 8](../slides/pods-services-deployments/Slide8.jpg)
11 | ![slide 9](../slides/pods-services-deployments/Slide9.jpg)
12 | ![slide 10](../slides/pods-services-deployments/Slide10.jpg)
13 | ![slide 11](../slides/pods-services-deployments/Slide11.jpg)
14 | 
15 | ## Our Deployment
16 | ```
17 | cat <<EOF | kubectl apply -f -
18 | apiVersion: apps/v1 
19 | kind: Deployment
20 | metadata:
21 |   name: webapp-deployment
22 | spec:
23 |   selector:
24 |     matchLabels:
25 |       app: webapp
26 |   replicas: 3
27 |   template:
28 |     metadata:
29 |       labels:
30 |         app: webapp
31 |     spec:
32 |       containers:
33 |       - name: webapp
34 |         image: scottyc/webapp:latest
35 |         ports:
36 |         - containerPort: 3000
37 |           hostPort: 3000
38 | EOF
39 | ```
40 | 
41 | ## Now check our deployment
42 | 
43 | ```
44 | kubectl get deployments
45 | kubectl get pods
46 | kubectl get services
47 | ```
48 | 
49 | ![slide 14](../slides/pods-services-deployments/Slide14.jpg)
50 | ![slide 15](../slides/pods-services-deployments/Slide15.jpg)
51 | 
52 | ## Expose our service
53 | `kubectl expose deployment webapp-deployment --type=LoadBalancer`  
54 | `kubectl get service`
55 | 
56 | 
57 | `kubectl get service` will give you the public ip address for the application. It will then be available  
58 | 
59 | ![slide 17](../slides/pods-services-deployments/Slide17.jpg)
60 | 
61 | Now we move onto the next module [here](../rbac-roles-service-accounts/code.md)


--------------------------------------------------------------------------------
/rbac-roles-service-accounts/cleanup.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | set -ex
4 | 
5 | kubectl delete -n webapp-namespace deployments.apps webapp-deployment
6 | kubectl delete -n webapp-namespace rolebindings.rbac.authorization.k8s.io webapp-role-binding
7 | kubectl delete -n webapp-namespace roles.rbac.authorization.k8s.io webapp-role 
8 | kubectl delete -n webapp-namespace serviceaccounts webapp-service-account 
9 | 


--------------------------------------------------------------------------------
/rbac-roles-service-accounts/code.md:
--------------------------------------------------------------------------------
  1 | # Rbac roles and service accounts
  2 | 
  3 | ![slide 1](../slides/rbac-roles-service-accounts/Slide1.jpg)
  4 | ![slide 2](../slides/rbac-roles-service-accounts/Slide2.jpg)
  5 | ![slide 3](../slides/rbac-roles-service-accounts/Slide3.jpg)
  6 | ![slide 4](../slides/rbac-roles-service-accounts/Slide4.jpg)
  7 | ![slide 5](../slides/rbac-roles-service-accounts/Slide5.jpg)
  8 | 
  9 | ## Namespaces
 10 | 
 11 | Lets look at the default namespaces available to us.  
 12 | We do this by issuing `kubectl get namespaces`
 13 | In the last lab we deployed our deployment to the default namespace as we did not define anything.
 14 | Kubernetes will place any pods in the default namespace unless another one is specified.
 15 | 
 16 | For the next part of the lab we will create a namespace to use for the rest of the lab. We will do that by issuing  
 17 | ```
 18 | cat <<EOF | kubectl apply -f -
 19 | apiVersion: v1
 20 | kind: Namespace
 21 | metadata:
 22 |   name: webapp-namespace
 23 | EOF
 24 | ```
 25 | 
 26 | Then if we check our namespaces again via `kubectl get namespaces` if we were successful then we should see the new namespace.
 27 | 
 28 | ## Cluster roles, Service accounts and Role bindings
 29 | 
 30 | Now we have our namespace set up we are going to create a service account and give it full access to that namespace only.
 31 | 
 32 | We are now going to create a service account for the namespace that we created earlier.
 33 | 
 34 | ```
 35 | cat <<EOF | kubectl apply -f -
 36 | apiVersion: v1
 37 | kind: ServiceAccount
 38 | metadata:
 39 |   name: webapp-service-account
 40 |   namespace: webapp-namespace
 41 | EOF
 42 | ```
 43 | Then we will create a role giving us full permissions to the namespace
 44 | 
 45 | ```
 46 | cat <<EOF | kubectl apply -f -
 47 | kind: Role
 48 | apiVersion: rbac.authorization.k8s.io/v1
 49 | metadata:
 50 |   name: webapp-role
 51 |   namespace: webapp-namespace
 52 | rules:
 53 |   - apiGroups: [""]
 54 |     resources: ["pods", "pods/log"]
 55 |     verbs: ["get", "list", "watch"]
 56 | EOF
 57 | ```
 58 | Then we will create a role binding to tie it all together
 59 | 
 60 | ```
 61 | cat <<EOF | kubectl apply -f -
 62 | kind: RoleBinding
 63 | apiVersion: rbac.authorization.k8s.io/v1
 64 | metadata:
 65 |   name: webapp-role-binding
 66 |   namespace: webapp-namespace
 67 | subjects:
 68 |   - kind: ServiceAccount
 69 |     name: webapp-service-account
 70 |     namespace: webapp-namespace
 71 | roleRef:
 72 |   kind: Role
 73 |   name: webapp-role
 74 |   apiGroup: rbac.authorization.k8s.io
 75 | EOF
 76 | ```
 77 | 
 78 | Now lets deploy our application into our new namespace.
 79 | 
 80 | ```
 81 | cat <<EOF | kubectl apply -f -
 82 | apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
 83 | kind: Deployment
 84 | metadata:
 85 |   name: webapp-deployment
 86 |   namespace: webapp-namespace
 87 | spec:
 88 |   selector:
 89 |     matchLabels:
 90 |       app: webapp
 91 |   replicas: 1
 92 |   template:
 93 |     metadata:
 94 |       labels:
 95 |         app: webapp
 96 |     spec:
 97 |       containers:
 98 |       - name: webapp
 99 |         image: scottyc/webapp:latest
100 |         ports:
101 |         - containerPort: 3000
102 |           hostPort: 3000
103 | EOF
104 | ```
105 | 
106 | Please read through the next section and use the script provided. 
107 | 
108 | Then we can check our pods simulating the privileges of the service-account we will set up our kubeconfig to only use our service account
109 | We will first get the secret for that service account  
110 | `SECRET_NAME=$(kubectl get sa webapp-service-account --namespace webapp-namespace -o json | jq -r .secrets[].name)`  
111 | 
112 | Then create a ca certificate 
113 | `kubectl get secret --namespace webapp-namespace "${SECRET_NAME}" -o json | jq -r '.data["ca.crt"]' | base64 -d > ca.crt`
114 | 
115 | Then get the user token from our secret
116 | `USER_TOKEN=$(kubectl get secret --namespace webapp-namespace "${SECRET_NAME}" -o json | jq -r '.data["token"]' | base64 --decode)`
117 | 
118 | Now will will setup our kubeconfig file
119 | ```
120 | SERVICE_ACCOUNT_NAME="webapp-service-account"
121 | NAMESPACE="webapp-namespace"
122 | KUBECFG_FILE_NAME="admin.conf"
123 | 
124 | context=$(kubectl config current-context)
125 | CLUSTER_NAME=$(kubectl config get-contexts "$context" | awk '{print $3}' | tail -n 1)
126 | ENDPOINT=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}")
127 | kubectl config set-cluster "${CLUSTER_NAME}" --kubeconfig=admin.conf --server="${ENDPOINT}" --certificate-authority=ca.crt --embed-certs=true
128 | kubectl config set-credentials "webapp-service-account-webapp-namespace-${CLUSTER_NAME}" --kubeconfig=admin.conf --token="${USER_TOKEN}"
129 | kubectl config set-context "webapp-service-account-webapp-namespace-${CLUSTER_NAME}" --kubeconfig=admin.conf --cluster="${CLUSTER_NAME}" --user="webapp-service-account-webapp-namespace-${CLUSTER_NAME}" --namespace webapp-namespace
130 | kubectl config use-context "webapp-service-account-webapp-namespace-${CLUSTER_NAME}" --kubeconfig="${KUBECFG_FILE_NAME}"
131 | ```
132 | Please use the script [here](script.sh)
133 | 
134 | We will then load the file in our terminal
135 | `export KUBECONFIG=admin.conf`
136 | 
137 | Now let's check our permissions by seeing if we can list pods in the default namespace
138 | `kubectl get pods`
139 | 
140 | Now let's check our namespace
141 | `kubectl get pods --namespace=webapp-namespace`
142 | 
143 | (Check [here](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects) for more info about rbac subjects)
144 | 
145 | Now we have limited the blast radius of our application to only the namespace that it resides in. 
146 | So there will be no way that we can leak configmaps or secrets from other applications that are not in this namespace.
147 | 
148 | Lastly and this is super IMPORTANT !!!! run the cleanup script before you move to the next module  
149 | `./cleanup.sh`
150 | 
151 | Now we move onto the next module [here](../statefull-sets/code.md)


--------------------------------------------------------------------------------
/rbac-roles-service-accounts/script.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | set -e
 4 | 
 5 | SERVICE_ACCOUNT_NAME="webapp-service-account"
 6 | NAMESPACE="webapp-namespace"
 7 | KUBECFG_FILE_NAME="admin.conf"
 8 | 
 9 | SECRET_NAME=$(kubectl get sa "${SERVICE_ACCOUNT_NAME}" --namespace="${NAMESPACE}" -o json | jq -r .secrets[].name)
10 | kubectl get secret --namespace="${NAMESPACE}" "${SECRET_NAME}" -o json | jq -r '.data["ca.crt"]' | base64 -d > ca.crt
11 | USER_TOKEN=$(kubectl get secret --namespace webapp-namespace "${SECRET_NAME}" -o json | jq -r '.data["token"]' | base64 -d)
12 | context=$(kubectl config current-context)
13 | CLUSTER_NAME=$(kubectl config get-contexts "$context" | awk '{print $3}' | tail -n 1)
14 | ENDPOINT=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}")
15 | kubectl config set-cluster "${CLUSTER_NAME}" --kubeconfig="${KUBECFG_FILE_NAME}" --server="${ENDPOINT}" --certificate-authority=ca.crt --embed-certs=true
16 | kubectl config set-credentials "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" --kubeconfig="${KUBECFG_FILE_NAME}" --token="${USER_TOKEN}"
17 | kubectl config set-context "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" --kubeconfig="${KUBECFG_FILE_NAME}" --cluster="${CLUSTER_NAME}" --user="${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" --namespace="${NAMESPACE}"
18 | kubectl config use-context "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" --kubeconfig="${KUBECFG_FILE_NAME}"


--------------------------------------------------------------------------------
/service-mesh-with-linkerd/code.md:
--------------------------------------------------------------------------------
  1 | # Service mesh with Linkerd
  2 | 
  3 | In this module we will install [Linkerd](https://linkerd.io/) and look at traffic going between meshed applications. 
  4 | 
  5 | ## Installing Linkerd 
  6 | 
  7 | To install Linkerd on your cluster you issue the following command  
  8 | 
  9 | ```
 10 | linkerd install | kubectl apply -f -
 11 | ```
 12 | Linkerd will install the following on your cluster  
 13 | 
 14 | ```
 15 | lusterrole.rbac.authorization.k8s.io/linkerd-linkerd-identity created
 16 | clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-identity created
 17 | serviceaccount/linkerd-identity created
 18 | clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-controller created
 19 | clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-controller created
 20 | serviceaccount/linkerd-controller created
 21 | serviceaccount/linkerd-web created
 22 | customresourcedefinition.apiextensions.k8s.io/serviceprofiles.linkerd.io created
 23 | customresourcedefinition.apiextensions.k8s.io/trafficsplits.split.smi-spec.io created
 24 | clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-prometheus created
 25 | clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-prometheus created
 26 | serviceaccount/linkerd-prometheus created
 27 | serviceaccount/linkerd-grafana created
 28 | clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-proxy-injector created
 29 | clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-proxy-injector created
 30 | serviceaccount/linkerd-proxy-injector created
 31 | secret/linkerd-proxy-injector-tls created
 32 | mutatingwebhookconfiguration.admissionregistration.k8s.io/linkerd-proxy-injector-webhook-config created
 33 | clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-sp-validator created
 34 | clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-sp-validator created
 35 | serviceaccount/linkerd-sp-validator created
 36 | secret/linkerd-sp-validator-tls created
 37 | validatingwebhookconfiguration.admissionregistration.k8s.io/linkerd-sp-validator-webhook-config created
 38 | clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-tap created
 39 | clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-tap created
 40 | serviceaccount/linkerd-tap created
 41 | podsecuritypolicy.policy/linkerd-linkerd-control-plane created
 42 | role.rbac.authorization.k8s.io/linkerd-psp created
 43 | rolebinding.rbac.authorization.k8s.io/linkerd-psp created
 44 | configmap/linkerd-config created
 45 | secret/linkerd-identity-issuer created
 46 | service/linkerd-identity created
 47 | deployment.extensions/linkerd-identity created
 48 | service/linkerd-controller-api created
 49 | service/linkerd-destination created
 50 | deployment.extensions/linkerd-controller created
 51 | service/linkerd-web created
 52 | deployment.extensions/linkerd-web created
 53 | configmap/linkerd-prometheus-config created
 54 | service/linkerd-prometheus created
 55 | deployment.extensions/linkerd-prometheus created
 56 | configmap/linkerd-grafana-config created
 57 | service/linkerd-grafana created
 58 | deployment.extensions/linkerd-grafana created
 59 | deployment.apps/linkerd-proxy-injector created
 60 | service/linkerd-proxy-injector created
 61 | service/linkerd-sp-validator created
 62 | deployment.extensions/linkerd-sp-validator created
 63 | service/linkerd-tap created
 64 | deployment.extensions/linkerd-tap created
 65 | ```
 66 | We are going to take advantage of Linkerd's auto injection functionality to inject the envoy proxy into our application. Auto injections is done on the namespace, so we are going to create a new namespace. 
 67 | 
 68 | ```
 69 | kubectl create namespace mesh-app
 70 | ```
 71 | We are then going to add the label to tell Linkerd to auto inject on this namespace  
 72 | ```
 73 | kubectl annotate namespace mesh-app linkerd.io/inject=enabled
 74 | ```
 75 | 
 76 | Next we are going to deploy a web application ands use it as a mock service api
 77 | 
 78 | ```
 79 | cat <<EOF | kubectl apply -f -
 80 | apiVersion: apps/v1 
 81 | kind: Deployment
 82 | metadata:
 83 |   name: webapp-deployment
 84 |   namespace: mesh-app
 85 | spec:
 86 |   selector:
 87 |     matchLabels:
 88 |       app: webapp
 89 |   replicas: 1
 90 |   template:
 91 |     metadata:
 92 |       labels:
 93 |         app: webapp
 94 |     spec:
 95 |       containers:
 96 |       - name: webapp
 97 |         image: scottyc/webapp:latest
 98 |         ports:
 99 |         - containerPort: 3000
100 |           hostPort: 3000
101 | EOF
102 | ```
103 | 
104 | We will then expose the application using a service type
105 | 
106 | ```
107 | cat <<EOF | kubectl apply -f -
108 | apiVersion: v1
109 | kind: Service
110 | metadata:
111 |   name: webapp-service
112 |   namespace: mesh-app
113 | spec:
114 |   type: ClusterIP
115 |   selector:
116 |     app: webapp
117 |   ports:
118 |   - protocol: TCP
119 |     port: 80
120 |     targetPort: 3000
121 | EOF  
122 | ```
123 | In a new terminal let's open up the Linkerd dashboard
124 | ```
125 | linkerd dashboard &
126 | ```
127 | We should see our namespace 
128 | 
129 | 
130 | ```
131 | kubectl run --rm -it --image=alpine mesh-test --namespace mesh-app --generator=run-pod/v1
132 | 
133 | ```
134 | 
135 | ```
136 | wget -qO- http://webapp-service
137 | 
138 | ```
139 | ```
140 | <!DOCTYPE html>
141 | <html>
142 | <head>
143 | <title>
144 | </title>
145 | <meta name="viewport" content="width=device-width, initial-scale=1">
146 | <style type="text/css">
147 | body {background-color:ffffff;background-repeat:no-repeat;background-position:top left;background-attachment:fixed;}
148 | h1{text-align:center;font-family:Impact;color:000000;}
149 | p {text-align:center;font-family:Verdana;font-size:14px;font-style:normal;font-weight:normal;color:000000;}
150 | </style>
151 | </head>
152 | <body>
153 | <h1>Awesome Web App !!!!</h1>
154 | <p>....and the demo worked :)</p>
155 |  <p><img src="https://media.giphy.com/media/iPTTjEt19igne/giphy.gif" alt="gif"></p>
156 |  </body>
157 | </html>
158 | ```
159 | 
160 | ```
161 | cat <<EOF | kubectl apply -f -
162 | apiVersion: apps/v1 
163 | kind: Deployment
164 | metadata:
165 |   name: hey-deployment
166 |   namespace: mesh-app
167 | spec:
168 |   selector:
169 |     matchLabels:
170 |       app: hey
171 |   replicas: 1
172 |   template:
173 |     metadata:
174 |       labels:
175 |         app: hey
176 |     spec:
177 |       containers:
178 |       - name: hey
179 |         image: scottyc/hey:latest
180 |         args: ["-z", "20m", "http://webapp-service"]
181 | EOF
182 | ```
183 | 
184 | 
185 | ```
186 | kubectl delete -n mesh-app deployments.apps hey-deployment
187 | ```


--------------------------------------------------------------------------------
/slides/ingress-controller/Slide1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/ingress-controller/Slide1.jpg


--------------------------------------------------------------------------------
/slides/ingress-controller/Slide2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/ingress-controller/Slide2.jpg


--------------------------------------------------------------------------------
/slides/ingress-controller/Slide3.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/ingress-controller/Slide3.jpg


--------------------------------------------------------------------------------
/slides/ingress-controller/Slide4.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/ingress-controller/Slide4.jpg


--------------------------------------------------------------------------------
/slides/ingress-controller/Slide5.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/ingress-controller/Slide5.jpg


--------------------------------------------------------------------------------
/slides/intro/Slide1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/intro/Slide1.jpg


--------------------------------------------------------------------------------
/slides/intro/Slide2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/intro/Slide2.jpg


--------------------------------------------------------------------------------
/slides/intro/Slide3.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/intro/Slide3.jpg


--------------------------------------------------------------------------------
/slides/intro/Slide4.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/intro/Slide4.jpg


--------------------------------------------------------------------------------
/slides/intro/Slide5.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/intro/Slide5.jpg


--------------------------------------------------------------------------------
/slides/intro/Slide6.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/intro/Slide6.jpg


--------------------------------------------------------------------------------
/slides/intro/code.md:
--------------------------------------------------------------------------------
 1 | # Agenda
 2 | 
 3 | ![slide 1](Slide1.jpg)
 4 | ![slide 2](Slide2.jpg)
 5 | ![slide 3](Slide3.jpg)
 6 | ![slide 4](Slide4.jpg)
 7 | ![slide 5](Slide5.jpg)
 8 | ![slide 6](Slide6.jpg)
 9 | 
10 | Now we move onto the next module [here](../introduction-to-kubernetes/code.md)


--------------------------------------------------------------------------------
/slides/introduction-to-kubernetes/Slide1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/introduction-to-kubernetes/Slide1.jpg


--------------------------------------------------------------------------------
/slides/introduction-to-kubernetes/Slide2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/introduction-to-kubernetes/Slide2.jpg


--------------------------------------------------------------------------------
/slides/introduction-to-kubernetes/Slide3.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/introduction-to-kubernetes/Slide3.jpg


--------------------------------------------------------------------------------
/slides/introduction-to-kubernetes/Slide4.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/introduction-to-kubernetes/Slide4.jpg


--------------------------------------------------------------------------------
/slides/introduction-to-kubernetes/code.md:
--------------------------------------------------------------------------------
1 | # Introduction into Kubernetes
2 | 
3 | ![slide 1](Slide1.jpg)
4 | ![slide 2](Slide2.jpg)
5 | ![slide 3](Slide3.jpg)
6 | ![slide 4](Slide4.jpg)
7 | 
8 | Now we move onto the next module [here](../kubernetes-components/code.md)


--------------------------------------------------------------------------------
/slides/kubernetes-components/Slide1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/kubernetes-components/Slide1.jpg


--------------------------------------------------------------------------------
/slides/kubernetes-components/Slide10.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/kubernetes-components/Slide10.jpg


--------------------------------------------------------------------------------
/slides/kubernetes-components/Slide11.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/kubernetes-components/Slide11.jpg


--------------------------------------------------------------------------------
/slides/kubernetes-components/Slide12.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/kubernetes-components/Slide12.jpg


--------------------------------------------------------------------------------
/slides/kubernetes-components/Slide13.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/kubernetes-components/Slide13.jpg


--------------------------------------------------------------------------------
/slides/kubernetes-components/Slide14.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/kubernetes-components/Slide14.jpg


--------------------------------------------------------------------------------
/slides/kubernetes-components/Slide15.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/kubernetes-components/Slide15.jpg


--------------------------------------------------------------------------------
/slides/kubernetes-components/Slide2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/kubernetes-components/Slide2.jpg


--------------------------------------------------------------------------------
/slides/kubernetes-components/Slide3.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/kubernetes-components/Slide3.jpg


--------------------------------------------------------------------------------
/slides/kubernetes-components/Slide4.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/kubernetes-components/Slide4.jpg


--------------------------------------------------------------------------------
/slides/kubernetes-components/Slide5.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/kubernetes-components/Slide5.jpg


--------------------------------------------------------------------------------
/slides/kubernetes-components/Slide6.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/kubernetes-components/Slide6.jpg


--------------------------------------------------------------------------------
/slides/kubernetes-components/Slide7.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/kubernetes-components/Slide7.jpg


--------------------------------------------------------------------------------
/slides/kubernetes-components/Slide8.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/kubernetes-components/Slide8.jpg


--------------------------------------------------------------------------------
/slides/kubernetes-components/Slide9.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/kubernetes-components/Slide9.jpg


--------------------------------------------------------------------------------
/slides/kubernetes-components/code.md:
--------------------------------------------------------------------------------
 1 | # Kubernetes components
 2 | 
 3 | ![slide 1](Slide1.jpg)
 4 | ![slide 2](Slide2.jpg)
 5 | ![slide 3](Slide3.jpg)
 6 | ![slide 4](Slide4.jpg)
 7 | ![slide 5](Slide5.jpg)
 8 | ![slide 6](Slide6.jpg)
 9 | ![slide 7](Slide7.jpg)
10 | ![slide 8](Slide8.jpg)
11 | ![slide 9](Slide9.jpg)
12 | ![slide 10](Slide10.jpg)
13 | ![slide 11](Slide11.jpg)
14 | ![slide 12](Slide12.jpg)
15 | ![slide 13](Slide13.jpg)
16 | ![slide 14](Slide14.jpg)
17 | ![slide 15](Slide15.jpg)
18 | 
19 | Now we move onto the next module [here](../../deploying-kubernetes-on-azure/code.md)


--------------------------------------------------------------------------------
/slides/pods-services-deployments/Slide1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/pods-services-deployments/Slide1.jpg


--------------------------------------------------------------------------------
/slides/pods-services-deployments/Slide10.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/pods-services-deployments/Slide10.jpg


--------------------------------------------------------------------------------
/slides/pods-services-deployments/Slide11.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/pods-services-deployments/Slide11.jpg


--------------------------------------------------------------------------------
/slides/pods-services-deployments/Slide12.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/pods-services-deployments/Slide12.jpg


--------------------------------------------------------------------------------
/slides/pods-services-deployments/Slide13.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/pods-services-deployments/Slide13.jpg


--------------------------------------------------------------------------------
/slides/pods-services-deployments/Slide14.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/pods-services-deployments/Slide14.jpg


--------------------------------------------------------------------------------
/slides/pods-services-deployments/Slide15.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/pods-services-deployments/Slide15.jpg


--------------------------------------------------------------------------------
/slides/pods-services-deployments/Slide16.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/pods-services-deployments/Slide16.jpg


--------------------------------------------------------------------------------
/slides/pods-services-deployments/Slide17.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/pods-services-deployments/Slide17.jpg


--------------------------------------------------------------------------------
/slides/pods-services-deployments/Slide2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/pods-services-deployments/Slide2.jpg


--------------------------------------------------------------------------------
/slides/pods-services-deployments/Slide3.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/pods-services-deployments/Slide3.jpg


--------------------------------------------------------------------------------
/slides/pods-services-deployments/Slide4.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/pods-services-deployments/Slide4.jpg


--------------------------------------------------------------------------------
/slides/pods-services-deployments/Slide5.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/pods-services-deployments/Slide5.jpg


--------------------------------------------------------------------------------
/slides/pods-services-deployments/Slide6.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/pods-services-deployments/Slide6.jpg


--------------------------------------------------------------------------------
/slides/pods-services-deployments/Slide7.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/pods-services-deployments/Slide7.jpg


--------------------------------------------------------------------------------
/slides/pods-services-deployments/Slide8.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/pods-services-deployments/Slide8.jpg


--------------------------------------------------------------------------------
/slides/pods-services-deployments/Slide9.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/pods-services-deployments/Slide9.jpg


--------------------------------------------------------------------------------
/slides/rbac-roles-service-accounts/Slide1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/rbac-roles-service-accounts/Slide1.jpg


--------------------------------------------------------------------------------
/slides/rbac-roles-service-accounts/Slide2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/rbac-roles-service-accounts/Slide2.jpg


--------------------------------------------------------------------------------
/slides/rbac-roles-service-accounts/Slide3.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/rbac-roles-service-accounts/Slide3.jpg


--------------------------------------------------------------------------------
/slides/rbac-roles-service-accounts/Slide4.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/rbac-roles-service-accounts/Slide4.jpg


--------------------------------------------------------------------------------
/slides/rbac-roles-service-accounts/Slide5.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/rbac-roles-service-accounts/Slide5.jpg


--------------------------------------------------------------------------------
/slides/rbac-roles-service-accounts/Slide6.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/rbac-roles-service-accounts/Slide6.jpg


--------------------------------------------------------------------------------
/slides/rbac-roles-service-accounts/Slide7.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/rbac-roles-service-accounts/Slide7.jpg


--------------------------------------------------------------------------------
/slides/statefull-sets/Slide1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/statefull-sets/Slide1.jpg


--------------------------------------------------------------------------------
/slides/statefull-sets/Slide2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/statefull-sets/Slide2.jpg


--------------------------------------------------------------------------------
/slides/statefull-sets/Slide3.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/statefull-sets/Slide3.jpg


--------------------------------------------------------------------------------
/slides/statefull-sets/Slide4.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/statefull-sets/Slide4.jpg


--------------------------------------------------------------------------------
/slides/statefull-sets/Slide5.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scotty-c/kubernetes-on-azure-workshop/cf6973f695c5c320b324f22b0c94f2ed592877ad/slides/statefull-sets/Slide5.jpg


--------------------------------------------------------------------------------
/statefull-sets/code.md:
--------------------------------------------------------------------------------
 1 | # Static claims
 2 | 
 3 | ![slide 1](../slides/statefull-sets/Slide1.jpg)
 4 | ![slide 2](../slides/statefull-sets/Slide2.jpg)
 5 | ![slide 3](../slides/statefull-sets/Slide3.jpg)
 6 | ![slide 4](../slides/statefull-sets/Slide4.jpg)
 7 | 
 8 | In this module we are going to look at creating a stateful set in Kubernetes.  
 9 | Stateful sets in Kubernetes attach a cloud disk to a pod. In this case we are using Azure disk.  
10 | 
11 | Azure ships with two disk types for stateful sets out of the box. You can see these by issuing the command  
12 | `kubectl get sc`
13 | 
14 | The next thing we need to do is create a pvc (persistent volume claim)
15 | 
16 | ## Creating a static claim
17 | ```
18 | cat <<EOF | kubectl apply -f -
19 | apiVersion: v1
20 | kind: PersistentVolumeClaim
21 | metadata:
22 |   name: aks-volume-claim
23 | spec:
24 |   accessModes:
25 |     - ReadWriteOnce
26 |   resources:
27 |     requests:
28 |       storage: 10Gi
29 | EOF
30 | ```
31 | 
32 | Once the pvc is created we can bind a pod to use it  
33 | Below we are going to mount a volume to the pod `/usr/share/nginx/html`
34 | 
35 | ## Using the claim
36 | ```
37 | cat <<EOF | kubectl apply -f -
38 | kind: Pod
39 | apiVersion: v1
40 | metadata:
41 |   name: nginx-pvc
42 | spec:
43 |   volumes:
44 |     - name: nginx-storage
45 |       persistentVolumeClaim:
46 |        claimName: aks-volume-claim
47 |   containers:
48 |     - name: task-pv-container
49 |       image: nginx
50 |       ports:
51 |         - containerPort: 80
52 |           name: "http-server"
53 |       volumeMounts:
54 |         - mountPath: "/usr/share/nginx/html"
55 |           name: nginx-storage
56 | EOF
57 | ```
58 | Now we move onto the next module [here](../ingress-controller/code.md)


--------------------------------------------------------------------------------
/virtual-kubelet/code.md:
--------------------------------------------------------------------------------
 1 | # Virtual node with virtual kubelet
 2 | 
 3 | ## Deploying virtual Kubeket
 4 | 
 5 | `az provider register -n Microsoft.ContainerInstance`
 6 | 
 7 | `az aks install-connector --resource-group k8s --name k8s --os-type both`
 8 | 
 9 | `kubectl get nodes`
10 | 
11 | 
12 | ```
13 | cat <<EOF | kubectl apply -f -
14 | apiVersion: v1
15 | kind: Pod
16 | metadata:
17 |   name: vk-webapp
18 | spec:
19 |   containers:
20 |   - image: scottyc/webapp
21 |     imagePullPolicy: Always
22 |     name: vk-webapp
23 |     resources:
24 |       requests:
25 |         memory: 1G
26 |         cpu: 1
27 |       limits:
28 |         memory: 1G
29 |         cpu: 1
30 |     ports:
31 |     - containerPort: 3000
32 |       name: http
33 |       protocol: TCP
34 |   dnsPolicy: ClusterFirst
35 |   nodeSelector:
36 |     kubernetes.io/role: agent
37 |     beta.kubernetes.io/os: linux
38 |     type: virtual-kubelet
39 |   tolerations:
40 |   - key: virtual-kubelet.io/provider
41 |     operator: Exists
42 |   - key: azure.com/aci
43 |     effect: NoSchedule
44 | EOF
45 | ```
46 | 


--------------------------------------------------------------------------------
/virtual-node-with-virtual-kubelet/code.md:
--------------------------------------------------------------------------------
 1 | # Virtual node with virtual kubelet
 2 | 
 3 | ## Deploying virtual Kubeket
 4 | 
 5 | `az provider register -n Microsoft.ContainerInstance`
 6 | 
 7 | `az aks install-connector --resource-group k8s --name k8s --os-type both`
 8 | 
 9 | `kubectl get nodes`
10 | 
11 | 
12 | ```
13 | cat <<EOF | kubectl apply -f -
14 | apiVersion: v1
15 | kind: Pod
16 | metadata:
17 |   name: vk-webapp
18 | spec:
19 |   containers:
20 |   - image: scottyc/webapp
21 |     imagePullPolicy: Always
22 |     name: vk-webapp
23 |     resources:
24 |       requests:
25 |         memory: 1G
26 |         cpu: 1
27 |       limits:
28 |         memory: 1G
29 |         cpu: 1
30 |     ports:
31 |     - containerPort: 3000
32 |       name: http
33 |       protocol: TCP
34 |   dnsPolicy: ClusterFirst
35 |   nodeSelector:
36 |     kubernetes.io/role: agent
37 |     beta.kubernetes.io/os: linux
38 |     type: virtual-kubelet
39 |   tolerations:
40 |   - key: virtual-kubelet.io/provider
41 |     operator: Exists
42 |   - key: azure.com/aci
43 |     effect: NoSchedule
44 | EOF
45 | ```
46 | 


--------------------------------------------------------------------------------
/writing-our-own-chart/code.md:
--------------------------------------------------------------------------------
 1 | # Writing our own chart
 2 | 
 3 | ## Writing our first chart 
 4 | 
 5 | In this module we are going to write our own helm chart.  
 6 | 
 7 | Let's create the chart  
 8 | `helm create mychart`
 9 | 
10 | Helm will now have created a working nginx chart for us  
11 | 
12 | We can actually test this chart with a dry run to see what it is going to deploy
13 | `helm install --dry-run --debug ./mychart`
14 | 
15 | 
16 | We can than deploy the chart  
17 | `helm install --name example ./mychart --set service.type=LoadBalancer`
18 | 
19 | 
20 | Now we can check the nginx install in our browser, to get the public ip  
21 | `kubectl get svc --namespace default example-mychart -o jsonpath='{.status.loadBalancer.ingress[0].ip}'`
22 | 
23 | 
24 | Some homework take the chart we have created today and then use it as a template to deploy your own application.  
25 | This is how I learnt to write custom Helm charts and I found it really rewarding  


--------------------------------------------------------------------------------