From 161b8aed7dd2abc08954d38d28d95623f87ed27f Mon Sep 17 00:00:00 2001 From: AJ Bowen Date: Sun, 9 Jun 2019 15:59:22 -0700 Subject: [PATCH] wording tweaks --- slides/k8s/authn-authz.md | 42 +++++++++++++++++----------------- slides/k8s/cni.md | 4 ++-- slides/k8s/csr-api.md | 12 +++++----- slides/k8s/kubercoins.md | 2 +- slides/k8s/logs-centralized.md | 4 ++-- slides/k8s/logs-cli.md | 8 +++---- slides/shared/sampleapp.md | 2 +- 7 files changed, 37 insertions(+), 37 deletions(-) diff --git a/slides/k8s/authn-authz.md b/slides/k8s/authn-authz.md index 30c77d3c..a2c0c431 100644 --- a/slides/k8s/authn-authz.md +++ b/slides/k8s/authn-authz.md @@ -22,7 +22,7 @@ - When the API server receives a request, it tries to authenticate it - (it examines headers, certificates ... anything available) + (it examines headers, certificates... anything available) - Many authentication methods are available and can be used simultaneously @@ -34,7 +34,7 @@ - the user ID - a list of groups -- The API server doesn't interpret these; it'll be the job of *authorizers* +- The API server doesn't interpret these; that'll be the job of *authorizers* --- @@ -50,7 +50,7 @@ - [HTTP basic auth](https://en.wikipedia.org/wiki/Basic_access_authentication) - (carrying user and password in a HTTP header) + (carrying user and password in an HTTP header) - Authentication proxy @@ -88,7 +88,7 @@ (i.e. they are not stored in etcd or anywhere else) -- Users can be created (and given membership to groups) independently of the API +- Users can be created (and added to groups) independently of the API - The Kubernetes API can be set up to use your custom CA to validate client certs @@ -193,7 +193,7 @@ class: extra-details (the kind that you can view with `kubectl get secrets`) -- Service accounts are generally used to grant permissions to applications, services ... +- Service accounts are generally used to grant permissions to applications, services... (as opposed to humans) @@ -217,7 +217,7 @@ class: extra-details .exercise[ -- The resource name is `serviceaccount` or `sa` in short: +- The resource name is `serviceaccount` or `sa` for short: ```bash kubectl get sa ``` @@ -309,7 +309,7 @@ class: extra-details - The API "sees" us as a different user -- But neither user has any right, so we can't do nothin' +- But neither user has any rights, so we can't do nothin' - Let's change that! @@ -339,9 +339,9 @@ class: extra-details - A rule is a combination of: - - [verbs](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb) like create, get, list, update, delete ... + - [verbs](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb) like create, get, list, update, delete... - - resources (as in "API resource", like pods, nodes, services ...) + - resources (as in "API resource," like pods, nodes, services...) - resource names (to specify e.g. one specific pod instead of all pods) @@ -375,13 +375,13 @@ class: extra-details - We can also define API resources ClusterRole and ClusterRoleBinding -- These are a superset, allowing to: +- These are a superset, allowing us to: - specify actions on cluster-wide objects (like nodes) - operate across all namespaces -- We can create Role and RoleBinding resources within a namespaces +- We can create Role and RoleBinding resources within a namespace - ClusterRole and ClusterRoleBinding resources are global @@ -389,13 +389,13 @@ class: extra-details ## Pods and service accounts -- A pod can be associated to a service account +- A pod can be associated with a service account - - by default, it is associated to the `default` service account + - by default, it is associated with the `default` service account - - as we've seen earlier, this service account has no permission anyway + - as we saw earlier, this service account has no permissions anyway -- The associated token is exposed into the pod's filesystem +- The associated token is exposed to the pod's filesystem (in `/var/run/secrets/kubernetes.io/serviceaccount/token`) @@ -460,7 +460,7 @@ class: extra-details ] -It's important to note a couple of details in these flags ... +It's important to note a couple of details in these flags... --- @@ -493,13 +493,13 @@ It's important to note a couple of details in these flags ... - again, the command would have worked fine (no error) - - ... but our API requests would have been denied later + - ...but our API requests would have been denied later - What's about the `default:` prefix? - that's the namespace of the service account - - yes, it could be inferred from context, but ... `kubectl` requires it + - yes, it could be inferred from context, but... `kubectl` requires it --- @@ -590,7 +590,7 @@ class: extra-details *In many situations, these roles will be all you need.* -*You can also customize them if needed!* +*You can also customize them!* --- @@ -652,7 +652,7 @@ class: extra-details kubectl describe clusterrolebinding cluster-admin ``` -- This binding associates `system:masters` to the cluster role `cluster-admin` +- This binding associates `system:masters` with the cluster role `cluster-admin` - And the `cluster-admin` is, basically, `root`: ```bash @@ -667,7 +667,7 @@ class: extra-details - For auditing purposes, sometimes we want to know who can perform an action -- Here is a proof-of-concept tool by Aqua Security, doing exactly that: +- There is a proof-of-concept tool by Aqua Security which does exactly that: https://github.com/aquasecurity/kubectl-who-can diff --git a/slides/k8s/cni.md b/slides/k8s/cni.md index 78ef9f06..3970f119 100644 --- a/slides/k8s/cni.md +++ b/slides/k8s/cni.md @@ -489,8 +489,8 @@ What does that mean? - First, get the container ID, with `docker ps` or like this: ```bash - CID=$(docker ps - --filter label=io.kubernetes.pod.namespace=kube-system + CID=$(docker ps -q \ + --filter label=io.kubernetes.pod.namespace=kube-system \ --filter label=io.kubernetes.container.name=kube-router) ``` diff --git a/slides/k8s/csr-api.md b/slides/k8s/csr-api.md index aec66fdc..f0ea0d59 100644 --- a/slides/k8s/csr-api.md +++ b/slides/k8s/csr-api.md @@ -46,7 +46,7 @@ (and vice versa) -- If I use someone's public key to encrypt / decrypt their messages, +- If I use someone's public key to encrypt/decrypt their messages,
I can be certain that I am talking to them / they are talking to me @@ -60,7 +60,7 @@ This is what I do if I want to obtain a certificate. 1. Create public and private key. -2. Create a Certificate Signing Request (CSR). +2. Create a Certificate Signing Request (CSR) using this private key. (The CSR contains the identity that I claim and an expiration date.) @@ -84,7 +84,7 @@ The CA (or anyone else) never needs to know my private key. (= upload a CSR to the Kubernetes API) -- Then, using the Kubernetes API, we can approve / deny the request +- Then, using the Kubernetes API, we can approve/deny the request - If we approve the request, the Kubernetes API generates a certificate @@ -122,7 +122,7 @@ The CA (or anyone else) never needs to know my private key. - Users can then retrieve their certificate from their CSR object -- ... And use that certificate for subsequent interactions +- ...And use that certificate for subsequent interactions --- @@ -387,7 +387,7 @@ The command above generates: ## What's missing? -We shown, step by step, a method to issue short-lived certificates for users. +We have just shown, step by step, a method to issue short-lived certificates for users. To be usable in real environments, we would need to add: @@ -417,7 +417,7 @@ To be usable in real environments, we would need to add: - This provides enhanced security: - - the long-term credentials can use long passphrases, 2FA, HSM ... + - the long-term credentials can use long passphrases, 2FA, HSM... - the short-term credentials are more convenient to use diff --git a/slides/k8s/kubercoins.md b/slides/k8s/kubercoins.md index 4d05f031..3220f5fa 100644 --- a/slides/k8s/kubercoins.md +++ b/slides/k8s/kubercoins.md @@ -209,7 +209,7 @@ https://@@GITREPO@@/blob/8279a3bce9398f7c1a53bdd95187c53eda4e6435/dockercoins/wo ## Our application at work -- We can check the logs our application pods +- We can check the logs of our application's pods .exercise[ diff --git a/slides/k8s/logs-centralized.md b/slides/k8s/logs-centralized.md index 6cdddda8..07af0ce3 100644 --- a/slides/k8s/logs-centralized.md +++ b/slides/k8s/logs-centralized.md @@ -73,12 +73,12 @@ and a few roles and role bindings (to give fluentd the required permissions). - Fluentd runs on each node (thanks to a daemon set) -- It binds-mounts `/var/log/containers` from the host (to access these files) +- It bind-mounts `/var/log/containers` from the host (to access these files) - It continuously scans this directory for new files; reads them; parses them - Each log line becomes a JSON object, fully annotated with extra information: -
container id, pod name, Kubernetes labels ... +
container id, pod name, Kubernetes labels... - These JSON objects are stored in ElasticSearch diff --git a/slides/k8s/logs-cli.md b/slides/k8s/logs-cli.md index aa7ffdc2..fe12f466 100644 --- a/slides/k8s/logs-cli.md +++ b/slides/k8s/logs-cli.md @@ -1,6 +1,6 @@ # Accessing logs from the CLI -- The `kubectl logs` commands has limitations: +- The `kubectl logs` command has limitations: - it cannot stream logs from multiple pods at a time @@ -12,7 +12,7 @@ ## Doing it manually -- We *could* (if we were so inclined), write a program or script that would: +- We *could* (if we were so inclined) write a program or script that would: - take a selector as an argument @@ -72,11 +72,11 @@ Exactly what we need! ## Using Stern -- There are two ways to specify the pods for which we want to see the logs: +- There are two ways to specify the pods whose logs we want to see: - `-l` followed by a selector expression (like with many `kubectl` commands) - - with a "pod query", i.e. a regex used to match pod names + - with a "pod query," i.e. a regex used to match pod names - These two ways can be combined if necessary diff --git a/slides/shared/sampleapp.md b/slides/shared/sampleapp.md index 8b001b4c..0636d2de 100644 --- a/slides/shared/sampleapp.md +++ b/slides/shared/sampleapp.md @@ -80,7 +80,7 @@ and displays aggregated logs. - DockerCoins is *not* a cryptocurrency - (the only common points are "randomness", "hashing", and "coins" in the name) + (the only common points are "randomness," "hashing," and "coins" in the name) ---