Chap 10 - 01 - Understand Virt Essential Concepts and OS Virt Security - 05_ocred_fax_ocred.pdf

Full Transcript


Certified Cybersecurity Technician Exam 212-82 Virtualization and Cloud Computing

Microservices vs. Docker

- Monolithic applications are broken down into cloud-hosted sub-applications called microservices that work together, each performing a unique task.
- As each microservice is packaged into a Docker container along with the required libraries, frameworks, and configuration files, microservices belonging to a single application can be developed and managed using multiple platforms.

Monolithic applications are broken down into cloud-hosted sub-applications, called microservices, that work together, each performing a unique task. Microservices divide and distribute the application workload, providing stable, seamless, and scalable services by interacting with each other. Monolithic applications are decomposed around business capabilities, which lets cross-functional teams develop, support, and deploy the microservices. Compared to the traditional data storage model used by monolithic applications, microservices decentralize data storage by managing their own data stores.

Developers create a Docker container for each microservice. As each microservice is packaged into the container along with the required libraries, frameworks, and configuration files, microservices belonging to a single application can be developed and managed using multiple platforms.

[Figure: a monolithic application (User Interface, Business Logic, Data Access Layer) beside a microservices application (App 1 and App 2, each made up of several microservices)]

Figure 10.10: Monolithic application vs. microservices application

Module 10 Page 1263 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Docker Networking

- Docker connects multiple containers and services or other non-Docker workloads together.
- The Docker networking architecture is developed on a set of interfaces known as the Container Network Model (CNM).
- The CNM provides application portability across heterogeneous infrastructures.

[Figure: three network sandboxes, each holding a container with one or more endpoints, attached to networks that are served by a network driver and an IPAM driver]

Docker allows connecting multiple containers and services or other non-Docker workloads together. The Docker networking architecture is developed on a set of interfaces known as the Container Network Model (CNM). The CNM provides application portability across heterogeneous infrastructures. The CNM consists of the following five objects:

- Sandbox: This contains the configuration of a container's network stack, such as the routing table, management of the container's interfaces, and DNS settings. It may have multiple endpoints on various networks. A CNM sandbox can be implemented as a Windows HNS namespace, a Linux network namespace, or a FreeBSD jail.
- Endpoint: This connects a sandbox to a network and abstracts the actual connection to the network from the application. An endpoint helps maintain portability, enabling the service to use various types of network drivers.
- Network: A network is a collection of endpoints that have connectivity between them. When a network is created or updated, the corresponding driver is notified. A CNM network can be used to implement a Linux bridge, a VLAN, etc.
- CNM Driver Interfaces: The CNM has two pluggable, open interfaces that allow users, vendors, the community, etc. to add functionality, visibility, and control to the network. The following are the drivers in the CNM model:
  o Network Drivers: These are pluggable and provide the actual implementation of the network. Multiple network drivers can be used simultaneously on a Docker engine or cluster, but each Docker network is represented by a single driver. There are two types of CNM network drivers:
    - Native Network Drivers: These drivers are provided by Docker.
    - Remote Network Drivers: These drivers are created by the community and vendors based on their requirements.
  o IPAM Drivers: IP address management (IPAM) drivers in Docker provide default subnets or IP addressing to the networks and endpoints. A user can also assign an IP address manually through the network, container, and service create commands.
- Docker Native Network Drivers: These are the native drivers in the Docker engine and can be used through the Docker network commands. The following are the Docker native network drivers:
  o Host: The host driver lets the container use the host's networking stack.
  o Bridge: With the bridge driver, a Linux bridge is created on the host and managed by Docker.
  o Overlay: An overlay network is created with the overlay driver and enables container-to-container communication over the physical network infrastructure.
  o MACVLAN: With the MACVLAN driver, a network connection is created between container interfaces and the parent host interface (or its sub-interfaces).
  o None: The none driver lets the container implement its own networking stack; the container is isolated from the host networking stack.
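The driver choice above decides how much isolation a container's sandbox actually gets: a host-driver endpoint shares the host stack, and containers on one bridge can talk to each other unless inter-container communication (ICC) is switched off. The following is an added example, not part of the course material, that audits the JSON produced by `docker network inspect` for exactly those conditions. The sample document is constructed here (no real host was inspected); the field names and the `com.docker.network.bridge.enable_icc` option are real Docker fields.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `docker network inspect` output (not captured
# from a real host). The "none" network reports its driver as "null".
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge", "Internal": False,
     "IPAM": {"Driver": "default",
              "Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
     "Options": {"com.docker.network.bridge.enable_icc": "true"},
     "Containers": {"c1": {"Name": "web", "IPv4Address": "172.17.0.2/16"},
                    "c2": {"Name": "db", "IPv4Address": "172.17.0.3/16"}}},
    {"Name": "host", "Driver": "host", "Internal": False,
     "IPAM": {"Driver": "default", "Config": []}, "Options": {},
     "Containers": {"c3": {"Name": "monitor", "IPv4Address": ""}}},
    {"Name": "backend", "Driver": "bridge", "Internal": True,
     "IPAM": {"Driver": "default",
              "Config": [{"Subnet": "10.10.0.0/24", "Gateway": "10.10.0.1"}]},
     "Options": {"com.docker.network.bridge.enable_icc": "false"},
     "Containers": {"c2": {"Name": "db", "IPv4Address": "10.10.0.3/24"}}},
    {"Name": "none", "Driver": "null", "Internal": False,
     "IPAM": {"Driver": "default", "Config": []}, "Options": {}, "Containers": {}},
])


def parse_networks(raw_json):
    """`docker network inspect` prints a JSON array of network objects."""
    return json.loads(raw_json)


def summarize(networks):
    """One (name, driver, [subnets]) tuple per network, taken from the IPAM config."""
    return [(n["Name"], n["Driver"],
             [c["Subnet"] for c in n.get("IPAM", {}).get("Config", [])])
            for n in networks]


def container_network_map(networks):
    """Map each container name to the sorted list of networks it has an endpoint on."""
    mapping = defaultdict(list)
    for net in networks:
        for endpoint in net.get("Containers", {}).values():
            mapping[endpoint["Name"]].append(net["Name"])
    return {name: sorted(nets) for name, nets in mapping.items()}


def audit_networks(networks):
    """Return (network, container, finding) triples for the isolation weaknesses we care about."""
    findings = []
    internal = {n["Name"] for n in networks if n.get("Internal")}
    for net in networks:
        driver = net.get("Driver")
        containers = net.get("Containers", {})
        options = net.get("Options", {})
        if driver == "host":
            # Host driver: the sandbox *is* the host network stack, no namespace isolation.
            for endpoint in containers.values():
                findings.append((net["Name"], endpoint["Name"],
                                 "host driver: container shares the host network stack"))
        elif driver == "bridge":
            # ICC defaults to on; with it on, every container on the bridge can reach every other.
            icc_on = options.get("com.docker.network.bridge.enable_icc", "true").lower() != "false"
            if icc_on and len(containers) > 1:
                findings.append((net["Name"], None,
                                 f"ICC enabled: {len(containers)} containers can reach each other freely"))
    # A container with endpoints on both an internal-only and an externally reachable
    # network is a bridge between the two segments.
    for cname, nets in container_network_map(networks).items():
        if any(n in internal for n in nets) and any(n not in internal for n in nets):
            findings.append((None, cname,
                             "endpoints on both an internal and an externally reachable network"))
    return findings


if __name__ == "__main__":
    nets = parse_networks(SAMPLE_INSPECT)
    for name, driver, subnets in summarize(nets):
        print(f"{name:10} {driver:8} {', '.join(subnets) or '-'}")
    for network, container, finding in audit_networks(nets):
        print(f"[{network or '*'}/{container or '*'}] {finding}")
```

On a real engine the input would come from `docker network inspect $(docker network ls -q)`; the audit then shows which containers still sit on the default bridge with ICC on, which share the host stack, and which straddle an internal network and an exposed one.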
Figure 10.11: Docker Networking

Kubernetes

- Kubernetes, also known as K8s, is an open-source, portable, extensible orchestration platform developed by Google for managing containerized applications and microservices.
- Kubernetes provides a resilient framework for managing distributed containers, generating deployment patterns, and performing failover and redundancy for the applications.

[Figure: Kubernetes cluster architecture. The Kubernetes master runs kube-controller-manager, cloud-controller-manager (which talks to the cloud), kube-apiserver, etcd, and the scheduler; each Kubernetes node runs a kubelet and a kube-proxy.]

Kubernetes, also known as K8s, is an open-source, portable, extensible orchestration platform developed by Google for managing containerized applications and microservices. Kubernetes provides a resilient framework to manage distributed containers, generate deployment patterns, and perform failover and redundancy for the applications.

Kubernetes Cluster Architecture

In a Kubernetes cluster, the Kubernetes nodes are worker machines that run the containerized applications. There should be at least one worker node in a cluster. The worker nodes host the pods, which are groups of containers deployed together on the same host. The components of a Kubernetes cluster are as follows:

- Control Plane Components

  The components of the control plane make decisions for the Kubernetes cluster, such as scheduling or starting a new pod. The following are the control plane components of the cluster:

  o kube-apiserver: The Kubernetes control plane has an API server at its front end. kube-apiserver is the implementation of the Kubernetes API server. The user can run multiple instances of kube-apiserver and balance traffic between those instances.
  o etcd: This is the backing store for the data in the Kubernetes cluster. For example, if the user specifies that three instances of a specific pod should run, this information is stored in etcd. The data stored in etcd is used to determine the number of instances that are running. If an instance is not working, Kubernetes creates an additional instance of the same pod.
  o kube-scheduler: The kube-scheduler watches for newly created pods that have no assigned node and selects a node for each of them to run on.
  o kube-controller-manager: This runs the controller processes. It consists of the node controller, replication controller, endpoints controller, and the service account and token controllers. To reduce complexity, all these controllers are compiled into, and run as, a single process.
  o cloud-controller-manager: This runs the controllers that communicate with cloud providers. The cloud-provider-specific controller loops are run by cloud-controller-manager. When kube-controller-manager is initialized, the user can disable these controller loops by setting the --cloud-provider flag to external. The controllers with cloud provider dependencies are the node controller, route controller, service controller, and volume controller.

- Kubernetes Node

  A Kubernetes node is a worker machine that contains the services required to run the pods and is managed by the master components. The services on Kubernetes nodes are as follows:

  o kubelet: This is the node agent that ensures that the containers of a pod are running. A pod is described by a PodSpec, which is a YAML or JSON object. The kubelet ensures that the containers described in the PodSpecs are running and healthy.
  o kube-proxy: This is a network proxy that runs on each node and maintains the network rules on it.
  o Container Runtime: This is the software that downloads the images and runs the containers. Kubernetes supports container runtimes such as Docker and CRI-O, and any runtime that implements the Kubernetes Container Runtime Interface (CRI).

Kubernetes Features

- Service Discovery and Load Balancing: Kubernetes exposes a container using a DNS name or its own IP address. If the network traffic to the container is high, Kubernetes uses load balancing to distribute the traffic.
- Storage Orchestration: Kubernetes enables the user to choose between storage systems such as local storage, public cloud providers (AWS or GCP), or a network storage system.
- Automated Rollouts and Rollbacks: Kubernetes enables the user to move the actual state of the containers to the desired state at a controlled rate.
- Automatic Bin Packing: To use resources effectively, Kubernetes fits the containers onto nodes according to the specifications provided by the user.
- Self-healing: Kubernetes self-heals by restarting failed containers. If a node dies, Kubernetes replaces and reschedules its containers. When a container fails to respond to a user-defined health check, Kubernetes kills the container. Kubernetes also advertises only the containers that are in working condition.
- Secret and Configuration Management: Kubernetes enables users to store and manage confidential information such as passwords, OAuth tokens, and SSH keys.
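Several of the features above are only as good as the PodSpec the kubelet is handed: self-healing needs a liveness probe to detect a hung container, bin packing needs resource limits, and secret management only helps if credentials are referenced from Secrets rather than written into environment variables. The following is an added example, not part of the course material, that checks a PodSpec for those points and for a privileged container. The pod document is constructed here; the field names it reads (livenessProbe, resources.limits, securityContext.privileged, env[].valueFrom.secretKeyRef, restartPolicy) are real Kubernetes Pod API fields, and the secret-name heuristic is this example's own.

```python
import json

# Constructed PodSpec in the JSON form the kubelet consumes (not from the course).
# The "app" container follows the checklist; "sidecar" violates every item.
SAMPLE_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "restartPolicy": "Always",
        "containers": [
            {"name": "app", "image": "example/app:1.0",
             "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080},
                               "periodSeconds": 10},
             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                           "requests": {"cpu": "250m", "memory": "128Mi"}},
             "securityContext": {"privileged": False},
             "env": [{"name": "DB_PASSWORD",
                      "valueFrom": {"secretKeyRef": {"name": "db-creds",
                                                     "key": "password"}}}]},
            {"name": "sidecar", "image": "example/sidecar:1.0",
             "securityContext": {"privileged": True},
             "env": [{"name": "API_TOKEN", "value": "constructed-literal-token"}]},
        ],
    },
})

# Heuristic (this example's own): env var names that usually carry credentials.
SECRET_HINTS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY")


def looks_like_secret(env_name):
    name = env_name.upper()
    return any(hint in name for hint in SECRET_HINTS)


def check_pod(raw_json):
    """Return {"pod": [...], <container name>: [...]} with one finding string per issue."""
    pod = json.loads(raw_json)
    spec = pod.get("spec", {})
    findings = {"pod": []}
    # The kubelet only restarts failed containers when restartPolicy allows it (default Always).
    if spec.get("restartPolicy", "Always") != "Always":
        findings["pod"].append("restartPolicy is not Always: failed containers are not restarted")
    for container in spec.get("containers", []):
        issues = []
        # Self-healing: without a liveness probe the kubelet cannot tell a hung process from a healthy one.
        if "livenessProbe" not in container:
            issues.append("no livenessProbe: a hung container will not be restarted")
        # Bin packing: limits give the scheduler and the node an upper bound to enforce.
        if not container.get("resources", {}).get("limits"):
            issues.append("no resources.limits: no upper bound on CPU/memory for this container")
        # A privileged container has the host's devices and kernel capabilities.
        if container.get("securityContext", {}).get("privileged"):
            issues.append("privileged is true: container runs with host-level privileges")
        # Secret management: credentials belong in a Secret referenced via valueFrom, not in a literal.
        for env in container.get("env", []):
            if "value" in env and looks_like_secret(env["name"]):
                issues.append(f"env {env['name']} is a literal; reference a Secret via valueFrom.secretKeyRef")
        findings[container["name"]] = issues
    return findings


if __name__ == "__main__":
    for scope, issues in check_pod(SAMPLE_POD).items():
        for issue in issues:
            print(f"{scope}: {issue}")
```

The same function works on a pod pulled from a live cluster with `kubectl get pod <name> -o json`, which is the quickest way to see whether a workload is actually eligible for the self-healing and scheduling behaviour the feature list promises.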
