I am very new to Kubernetes. I intend on using it to help me with CI/CD pipelines, which means my master node will need to catch git webhooks (with Spinnaker, much like Jenkins).
I imagine running a Kubernetes master on a remote server, but 9/10 articles about installing things like Dashboard do it locally (which does not work in production, does not take SSL into account, uses things like `kubectl proxy`, which you should not do in production, requires anonymous auth without tokens and instead uses username and password, etc, etc, etc...).
Bottom line: almost every tutorial and piece of documentation I've seen can hardly be applied to production from my point of view.
Am I missing something here?
You can deploy your Kubernetes cluster in a private subnet and expose it using a reverse proxy (e.g. NGINX) in a public subnet; for authentication you can create an SSL certificate (https://github.com/kubernetes/dashboard/wiki/Certificate-management).
You can connect to the Kubernetes cluster from Spinnaker/Jenkins/gitCI using the conf file, in which you can provide the certificate you have created.
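As an added illustration of the "conf file" mentioned in this answer (this is not part of the original answer), here is a kubeconfig that authenticates to a remote API server with a client certificate instead of username/password or anonymous access. The hostname `k8s.example.com`, the file paths, and the names `remote-cluster`, `spinnaker` and the namespace are assumed placeholders.

```yaml
# Added example, not from the answer above. Hostname, paths and names are assumed.
apiVersion: v1
kind: Config
clusters:
- name: remote-cluster
  cluster:
    # Public endpoint (reverse proxy or API server) reachable from the CI host.
    server: https://k8s.example.com:6443
    # CA that signed the API server certificate; never set insecure-skip-tls-verify.
    certificate-authority: /etc/spinnaker/pki/ca.crt
users:
- name: spinnaker
  user:
    # Client certificate issued by the cluster CA; its CN becomes the username
    # and its O fields become the groups that RBAC rules are bound to.
    client-certificate: /etc/spinnaker/pki/spinnaker.crt
    client-key: /etc/spinnaker/pki/spinnaker.key
contexts:
- name: spinnaker@remote-cluster
  context:
    cluster: remote-cluster
    user: spinnaker
    namespace: spinnaker
current-context: spinnaker@remote-cluster
```

Verify it with `kubectl --kubeconfig /etc/spinnaker/kubeconfig get nodes`. Because the certificate's CN and O map to an RBAC user and groups, bind that identity to a Role or ClusterRole scoped to what the pipeline actually needs (deploying into its own namespace) rather than `cluster-admin`, and keep the private key readable only by the CI service account on the host.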
Kubernetes provides a lot of capabilities to adapt applications by serving secure and reliable access, or even exposing web resources externally and making them accessible from the global network. Although Kubernetes is popular as a platform for large-scale deployments and provides a wide set of features, it consists of some significant resources and system components as per its architecture design. One of the fundamental resources of Kubernetes is a Service; actually it's an abstraction layer for network communication between Pods in the cluster. Once we have a Kubernetes cluster up and running, we can deploy an application and create a Service as the main entry point for network connections to this application's container inside the particular Pod.
I admit that using `kubectl proxy` is only one way to expose the relevant application port on the particular Node. However, when you consider making the application accessible outside the cluster, `NodePort` and `LoadBalancer` services can do that by sharing the application port on the host machine or via an external IP address provided by the outward load balancer. But that is only part of the Kubernetes functionality, as you can implement an Ingress in order to pass through HTTP and HTTPS traffic and manage traffic routing and SSL/TLS termination as an edge device for connections to the nested application (Pod) services.
There are some more comprehensive open-source `Ingress` resources like the NGINX Ingress Controller, Traefik, etc. with a more advanced feature set for traffic management, routing and securing connections to the target microservices. However, some of the cloud providers offer their own `Ingress` resources that perform load balancing and route HTTP[S] traffic to different endpoints within the cluster, like the AWS ALB Ingress Controller in AWS.
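As an added example (not part of the answer above) of the Ingress-with-TLS-termination pattern it describes, the manifest below keeps the webhook receiver on a `ClusterIP` Service that is not reachable from outside, and puts an NGINX Ingress in front of it that terminates TLS and redirects plain HTTP. The application name `webhook-receiver`, the host `hooks.example.com`, the path, and the Secret name `hooks-example-com-tls` are assumed placeholders, and the annotation shown is specific to the ingress-nginx controller.

```yaml
# Added example, not from the answer above. Names, host, path and secret are assumed.
apiVersion: v1
kind: Service
metadata:
  name: webhook-receiver
spec:
  type: ClusterIP            # only reachable inside the cluster; the Ingress is the sole entry point
  selector:
    app: webhook-receiver
  ports:
  - name: http
    port: 80
    targetPort: 8080         # the container listens on 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webhook-receiver
  annotations:
    # ingress-nginx: send HTTP clients a redirect to HTTPS instead of serving in the clear
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - hooks.example.com
    # A kubernetes.io/tls Secret holding tls.crt and tls.key for hooks.example.com;
    # TLS is terminated here, at the edge, before traffic reaches the Pod.
    secretName: hooks-example-com-tls
  rules:
  - host: hooks.example.com
    http:
      paths:
      - path: /webhooks/git
        pathType: Prefix
        backend:
          service:
            name: webhook-receiver
            port:
              number: 80
```

Create the certificate Secret with `kubectl create secret tls hooks-example-com-tls --cert=hooks.crt --key=hooks.key` (or let cert-manager issue it), and restrict the Ingress to the webhook path only; the rest of the cluster, including the API server and the Dashboard, stays unexposed. Verifying the git provider's webhook signature (for example the HMAC header GitHub and GitLab send) is still the receiver's job, since TLS only authenticates your server to the caller, not the caller to you.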