How To Install Authentik In Kubernetes To Secure Applications

Introduction Authentik is an open-source identity provider that can be used to manage authentication and authorization for your applications. In this guide, I will explain how to install Authentik in a Kubernetes cluster to secure applications. Prerequisites A Kubernetes cluster with Traefik installed. Helm package manager installed, with the permissions required to install and manage resources in the cluster. A Cloudflare account with your domain configured. A Cloudflare tunnel already configured to use the Traefik Ingress Controller. Installation Guide Step 1: Generate Secrets Before we prepare the Helm chart values file, we need to create a secretKey for Authentik to sign JWT tokens and a password for the PostgreSQL database. ...

06 July, 2025 · 3 min · 556 words · vijay

How To Secure Kubernetes Public Web Applications Using Authentik

Introduction In this guide, we will explore how to secure public web applications running on Kubernetes using Authentik, a modern open-source identity provider. We will also leverage Cloudflare for additional security and performance enhancements. The setup will include Traefik as the ingress controller to manage incoming traffic to our applications. Prerequisites A Kubernetes cluster up and running. Helm installed for managing Kubernetes applications. Traefik installed as the ingress controller. Authentik installed in your Kubernetes cluster. Please check my previous posts for detailed instructions on how to set up Traefik and Authentik in Kubernetes. ...

06 July, 2025 · 4 min · 849 words · vijay

How To Securely Expose Traefik Dashboard In Kubernetes

Introduction In this guide, I will explain how to securely expose the Traefik dashboard in a Kubernetes cluster using Cloudflare. The Traefik dashboard provides insights into the traffic and routing within your cluster, but it should be secured to prevent unauthorized access. Prerequisites A Kubernetes cluster with Traefik installed. Helm package manager installed, with the permissions required to install and manage resources in the cluster. A Cloudflare account with your domain configured. A Cloudflare tunnel already configured to use the Traefik Ingress Controller.

05 July, 2025 · 1 min · 80 words · vijay

How to set up Traefik Ingress Controller in Kubernetes

Introduction I am using Nginx Ingress Controller for my Kubernetes cluster, but I wanted to set up Traefik as well for specific use cases. This guide explains how I installed Traefik on my Kubernetes cluster using Helm. Why I want to use Traefik I want to use authentication features for my applications, and my Nginx Ingress Controller setup requires enabling allow-snippet-annotations and setting annotations-risk-level to Critical. This is because Nginx Ingress Controller uses annotations for advanced configurations, which can be risky if not managed properly. Traefik, on the other hand, does not require such risky configurations and provides a safer way to manage ingress rules and features. So I decided to switch to Traefik as my primary Ingress Controller. ...

05 July, 2025 · 6 min · 1258 words · vijay

How To Upgrade Containerd version in Kubernetes

Introduction Containerd is a core component of Kubernetes that manages the container lifecycle. Upgrading containerd can bring performance improvements, bug fixes, and new features. This guide will walk you through the steps to upgrade Containerd on a Kubernetes node.

Deployment Script

    # Release to install and the target platform
    CURRENT_VERSION="v2.1.3"
    ARCH="linux-amd64"
    DOWNLOAD_URL="https://github.com/containerd/containerd/releases/download/${CURRENT_VERSION}/containerd-${CURRENT_VERSION#v}-${ARCH}.tar.gz"

    echo "Draining node..."
    kubectl drain "$(hostname)" --ignore-daemonsets --delete-emptydir-data

    echo "Stopping containerd..."
    sudo systemctl stop containerd

    echo "Removing old containerd..."
    sudo apt remove -y containerd

    echo "Downloading containerd $CURRENT_VERSION..."
    wget -q "$DOWNLOAD_URL" -O containerd.tar.gz

    echo "Extracting and installing containerd..."
    tar -xvf containerd.tar.gz
    sudo cp bin/* /usr/local/bin/

    echo "Setting up systemd service..."
    sudo systemctl unmask containerd
    sudo wget -q -O /etc/systemd/system/containerd.service https://raw.githubusercontent.com/containerd/containerd/main/containerd.service
    sudo systemctl daemon-reexec
    sudo systemctl daemon-reload
    sudo systemctl enable --now containerd

    echo "Generating config and setting SystemdCgroup..."
    sudo mkdir -p /etc/containerd
    sudo bash -c "containerd config default > /etc/containerd/config.toml"
    sudo sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml

    echo "Restarting containerd and kubelet..."
    sudo systemctl restart containerd
    sudo systemctl restart kubelet

    echo "Updated. Current containerd version:"
    containerd --version

05 July, 2025 · 1 min · 161 words · vijay

How To Self-Host JetBrains YouTrack Project Management Tool In Kubernetes

Introduction In this guide, I will walk through the process of self-hosting JetBrains YouTrack, a powerful project management tool, in a Kubernetes environment. YouTrack is designed to help teams manage their projects efficiently with features like issue tracking, agile boards, and customizable workflows. It is also free for up to 10 users, making it an excellent choice for small teams or personal projects. Prerequisites Before we begin, ensure you have the following prerequisites: ...

02 July, 2025 · 7 min · 1308 words · vijay

Check Your Public IP for Exposed Open Ports

Introduction This guide will help you identify if your public IP address has any open ports or services that could be unintentionally exposed to the internet. This is crucial for maintaining the security of your network and devices. Based on RFC1918, private IP addresses are not routable on the public internet. What is RFC1918? RFC1918 is a standard that defines private IP address ranges that are reserved for use within private networks. RFC1918 designates the following three ranges for private networks: 10.0.0.0 - 10.255.255.255: (10.0.0.0/8) 172.16.0.0 - 172.31.255.255: (172.16.0.0/12) 192.168.0.0 - 192.168.255.255: (192.168.0.0/16) Steps You can use online tools to scan your public IP address for open ports and services. Use a port scan tool like Censys to search for a public IP address. ...

28 June, 2025 · 2 min · 249 words · vijay

Expose Kubernetes Applications Securely to the Internet with Cloudflare Tunnel and Nginx Ingress

Introduction In this guide, we will learn how to expose a Kubernetes application securely to the internet using Cloudflare Tunnel and Nginx Ingress. This setup allows you to leverage Cloudflare’s security features while managing your application traffic efficiently. We are going to use: Cloudflare Tunnel to expose our application securely to the internet. Kubernetes Nginx Ingress to route traffic to our application. Prerequisites A Cloudflare account with the domain added. A Kubernetes cluster set up with Nginx Ingress Controller installed. Root or sudo access to the Kubernetes cluster.

Deployment Guide

Step 1: Install Cloudflare Tunnel

    sudo mkdir -p --mode=0755 /usr/share/keyrings
    curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
    echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared any main" | sudo tee /etc/apt/sources.list.d/cloudflared.list
    sudo apt-get update && sudo apt-get install cloudflared

Step 2: Authenticate Cloudflare Tunnel

    sudo cloudflared tunnel login

Don’t worry if you see a login URL in the server terminal; just copy it and paste it into your personal browser. After logging in, you will see a success message in the server terminal. ...

18 February, 2025 · 5 min · 874 words · vijay

How to install Metrics Server on Kubernetes

Introduction Metrics Server is a cluster-wide aggregator of resource usage data in Kubernetes. It collects metrics from the kubelet on each node and provides them to the Kubernetes API server, which can be used for horizontal pod autoscaling and other purposes. Prerequisites A running Kubernetes cluster (version 1.8 or later). kubectl command-line tool installed and configured to communicate with your cluster.

Installation Steps

    kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml

Verification To verify that Metrics Server is running correctly, you can check the status of the Metrics Server pod: ...

15 February, 2025 · 1 min · 173 words · vijay

How to Set Up a 3-Node Kubernetes Cluster with Kubeadm

Introduction This guide will walk you through the following steps to set up a 3-node Kubernetes cluster using kubeadm: Configure unique hostnames for each node. Set up networking and update the /etc/hosts file. Install required system packages and disable swap. Install and configure the container runtime (containerd) and enable IP forwarding. Install Kubernetes components: kubeadm, kubelet, and kubectl. Initialize the control plane node with kubeadm. Set up pod networking using Calico CNI. Join worker nodes to the cluster. Verify the cluster status and apply additional configurations. Prerequisites Create three VMs or physical servers with Ubuntu 22.04 LTS or later. Make sure all nodes can communicate with each other over the network and have internet access. Setup Step 1: Set Up Hostnames on all nodes On each node, set a unique hostname using the following command: ...

15 February, 2025 · 6 min · 1077 words · vijay