Oracle Cloud Infrastructure - a Guide to Building Cloud Native Applications
Author(s): Boxell, Mickey
Joseph, Jeevan
ISBN No.: 9780137902538
Pages: 448
Year: 202312
Format: Trade Paper
Price: $ 82.79
Dispatch delay: Dispatched between 7 to 15 days
Status: Available

Chapter 1 Introduction to Oracle Cloud Infrastructure
Realms, Regions, and Availability Domains; Tenancies and Compartments; Controlling Access to Resources; Cloud Guard and Security Zones; Service Limits and Cost Management; Getting Started with Your Tenancy; Setting Up Users and Groups; Setting Up API Keys and Auth Tokens; Planning How Your Teams Will Use OCI; Summary; References

Chapter 2 Infrastructure Automation and Management
One Set of APIs, Different Ways to Call Them; A Quick Terraform Primer; A Basic Introduction to the Terraform Language; Terraform State Tracking; The OCI Terraform Provider; Setting Up the OCI Terraform Provider; Managing OCI Resources with Terraform; Simplifying Infrastructure Management with the Resource Manager Service; Helm and Kubernetes Providers; Generating Resource Manager Stacks; Resource Discovery; Drift Detection; Generating a User Interface from Terraform Configurations with a Custom Schema; Publishing Your Stacks with Deploy Buttons; Managing Multiregion and Multicloud Configurations; Summary; References

Chapter 3 Cloud Native Services on Oracle Cloud Infrastructure
Oracle Container Image Registry; Working with OCIR; Image Signing; Image Scanning; Creating Containers from Images; Compute Instances; Container Instances; Container Engine for Kubernetes; Service Mesh; Serverless Functions; API Gateways; Components of an API Gateway; Working with the API Gateway Service; Messaging Systems; Streaming; Understanding the Streaming Service; Working with the OCI Streaming Service; OCI Events Service; Summary; References

Chapter 4 Understanding Container Engine for Kubernetes
Monoliths and Microservices; Containers; Container Orchestration and Kubernetes; Oracle Container Engine for Kubernetes; OCI-Managed Components and Customer-Managed Components; Control Plane; Data Plane; Billable Components; Kubernetes Concepts; Cloud Controller Manager; Nodes and Node Pools; Node Pool Properties; Worker Node Images and Shapes; Kubernetes Labels; SSH Keys; Tagging Your Resources; Creating a Cluster; Quick Create Cluster Workflow; Custom Create Cluster Workflow; Using the OCI Command-Line Interface; Using the Terraform Provider and Modules; Automation and Terraform Code Generation; Asynchronous Cluster Creation; Cluster Topology Considerations; Using Multiple Node Pools; Scheduling Workloads on Specific Nodes; Kubernetes Networking; Container Network Interface (CNI); OCI VCN-Native Pod Networking CNI; Flannel CNI; Kubernetes Storage; StorageClass: Flex Volume and CSI Plug-ins; Updating the Default Storage Class; File System Storage; Kubernetes Load Balancer Support; Working with the OCI Load Balancer Service; SSL Termination with OCI Load Balancer; Working with the OCI Network Load Balancer Service; Specifying Reserved Public IP Addresses; Commonly Used Annotations; Understanding Security List Management Modes; Using Node Label Selectors; Security Considerations for Your Cluster; Cluster Topology and Configuration Security Considerations; Authorization Using Workload Identity and Instance Principals; Securing Access to the Cluster; OCI IAM and Kubernetes RBAC; Federation with an IDP; Summary; References

Chapter 5 Container Engine for Kubernetes in Practice
Kubernetes Version Support; Upgrading the Control Plane; Upgrading the Data Plane; Upgrading an Existing Node Pool; Upgrading by Adding a Node Pool; Alternative Host OS (Not Kubernetes Version) Upgrade Options; Scaling a Cluster; Manual Scaling; Autoscaling; Scaling Workloads and Infrastructure Together; Autoscaler Best Practices; Cluster Access and Token Generation; Service Account Authentication; Configuring DNS; Configuring Node Local DNS Cache; Configuring ExternalDNS; Cluster Add-ons; Configuring Add-ons; Disabling Add-ons; Observability: Prometheus and Grafana; Monitoring Stack Components; Installing the kube-prometheus-stack; Operators and OCI Service Operator for Kubernetes; Getting Started with Operators on OKE; Operators for OCI, Oracle Database, and Oracle WebLogic; Troubleshooting Nodes with Node Doctor; Configuring SR-IOV Interfaces for Pods on OKE Using Multus; Using Bare Metal Nodes; Using Virtual Machine Nodes; Summary; References

Chapter 6 Securing Your Workloads and Infrastructure
Kubernetes Security Challenges; Concepts of Kubernetes Security; 4Cs of Kubernetes Security; Securing Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE); Private Clusters; Kubernetes Role-Based Access Control (RBAC) with OCI IAM Groups; Data Encryption and Key Management Service; Audit Logging; Security Zones; Network Security Groups (NSGs); Web Application Firewall (WAF); Network Firewall; Allowed Registries; Cloud Guard; Hardening Containers and OKE Worker Nodes; Container Scanning; Container Image Signing; Center for Internet Security (CIS) Kubernetes Benchmarks; Using SELinux with OKE; Worker Nodes Limited Access; Securing Your Workloads; Security Context; syscalls and seccomp; Open Policy Agent (OPA); OPA Gatekeeper; Open Web Application Security Project (OWASP); Supporting Tools; External Container Scanning Tools; CIS-CAT Pro Assessor; Kube-bench; AppArmor; Falco; Tracee; Trivy; National Institute of Standards and Technology (NIST) Kubernetes Benchmarks; NIST Kubernetes Benchmarks; National Checklist Program Repository; National Vulnerability Database; NIST SP 800-190 Application Container Security Guide; Summary; References

Chapter 7 Serverless Platforms and Applications
Container Instances; Architecture; Using Container Instances; Serverless Functions; OCI Functions; Using OCI Functions; Building Your First Function; Adding an API Gateway; Function Logs and Distributed Tracing; Service Mesh; Using the Service Mesh; Adding a Service Mesh to an Application; Summary; References

Chapter 8 Observability
OCI Monitoring; Alarms; OCI Logging; Service Logs; Custom Logs; Audit Logs; Auditing OKE Activity; Advanced Observability in OCI; Logging Analytics; Enabling and Using Logging Analytics; Prometheus and Grafana with OKE; Using the OCI DataSource Plug-ins for Grafana; eBPF-Based Monitoring with Tetragon on OKE; Tetragon: eBPF-Based Security Observability and Enforcement; Running Tetragon on Oracle Container Engine for Kubernetes (OKE); Summary; References

Chapter 9 DevOps and Deployment Automation
OCI DevOps Service; Code Repositories; Triggers; Build Pipelines; Artifacts; Environments; Deployment Pipelines; Elastically Scaling Jenkins on Kubernetes; Setting Up Jenkins on OKE; GitOps with ArgoCD; Setting Up Argo CD on OKE; Summary; References

Chapter 10 Bringing It Together: MuShop
Architecture; Source Code Structure; Services; Storefront; API; Catalog; Carts; User; Orders; Fulfillment; Payment; Assets; DBTools; Edge Router; Events; Newsletter Subscription; Load; Building the Services; Infrastructure Automation; Helm Charts; Utilities and Supporting Components; Deploying MuShop; Summary; References

9780137902538 TOC 10/30/2023.

