DEV Community: bismaakram

kubectl Made Simple: Using Imperative Commands in Kubernetes

bismaakram — Sat, 13 Dec 2025 18:04:07 +0000

Kubernetes can feel overwhelming at first, but kubectl makes interacting with your cluster simple and powerful. In this post, we’ll explore imperative commands in Kubernetes—hands-on instructions you run directly with kubectl to create, update, and manage resources.

Fundamentals of Kubernetes

Cluster – A set of machines (nodes) that run containerized applications managed by Kubernetes.
Node – A worker machine (virtual or physical) where containers are executed.
Pod – The smallest deployable unit in Kubernetes. A Pod represents one or more containers that share networking and storage.
Replica set – Maintains a stable set of replica pods running at any given time. It is often used to guarantee the availability of a specified number of identical pods.
Service – A stable networking abstraction that exposes Pods and enables communication within or outside the cluster.
Deployment – A controller that manages Pods and ensures the desired number of replicas are running.

Get Worker Nodes status
You can refer to my previous tutorial on how to create a eksctl cluter and managed node group.

kubectl get nodes -o wide

Create a Pod

kubectl run my-first-pod --image stacksimplify/kubenginx:1.0.0

In order to access the application externally from the internet, we need to expose the Pod with a NodePort Service.

kubectl expose pod my-first-pod  --type=NodePort --port=80 --name=my-first-service
kubectl get svc

Access the application using public IP

Connect to Container in a Pod

kubectl exec -it my-first-pod -- /bin/bash

Clean-Up

kubectl get all
kubectl delete svc my-first-service
kubectl delete pod my-first-pod
kubectl get all

Thank you!! 🙌

Amazon EKS Tutorial: Create an EKS Cluster and Managed Node Group (Complete Guide)

bismaakram — Thu, 11 Dec 2025 15:01:23 +0000

🚀 Introduction to Amazon EKS

In this blog, we’ll take a simple, high-level look at how an Amazon EKS cluster works and the key components behind it. An EKS cluster is built on four main pieces: the control plane, worker nodes (node groups), Fargate profiles, and the VPC.

The control plane is fully managed by AWS—it runs the Kubernetes API server and controllers, and automatically handles availability and health. Your workloads run on worker nodes, which are EC2 instances grouped together as node groups, or on Fargate, where pods run serverlessly without managing any EC2 instances.

Finally, the VPC is what connects everything. Your subnets, routing, and security groups decide how your nodes communicate with the control plane and how securely your applications run.

In the next sections, we’ll break down each of these components step-by-step and see how they come together when you build an EKS cluster.

Let’s dive in! 🌟🌟

We will be running this on Windows machine, you can find similar steps for MacOS and Linux in AWS official documentation.

Step 1 - Install AWS CLI.

Download Binary and install it. https://awscli.amazonaws.com/AWSCLIV2.msi

Step 2 - Install kubectl CLI.

Install kubectl on Windows 10

mkdir kubectlbinary
cd kubectlbinary
curl -o kubectl.exe https://amazon-eks.s3.us-west-2.amazonaws.com/1.16.8/2020-04-16/bin/windows/amd64/kubectl.exe

Update the system Path environment variable

C:\Users\bisma\Documents\kubectlbinary

Verify the kubectl client version

kubectl version --short --client
kubectl version --client

Step 3 - Install eksctl CLI

Install AMD64_x86/64 zip file from https://docs.aws.amazon.com/eks/latest/eksctl/installation.html.
Make sure to unzip the archive to a folder in the PATH variable.

Amazon EKS is a paid service, and not included in free tier. There is a 0.10 USD per hour charge for the EKS cluster and 0.0416 USD per hour for EKS Worker nodes T3 Medium server in N.Virginia.

Next, lets create an EKS cluster using the command.

eksctl create cluster --name=eksdemo1 \
                      --region=us-east-1 \
                      --zones=us-east-1a,us-east-1b \
                      --without-nodegroup 
eksctl get cluster

To follow best practices, we should create and associate an IAM OIDC identity provider, which allows your EKS cluster to securely use IAM roles for Kubernetes service accounts.

eksctl utils associate-iam-oidc-provider \
    --region us-east-1 \
    --cluster eksdemo1 \
    --approve

Create a new EC2 Key Pair with name eks-demo. This key pair will help to the connect with EKS worker nodes from terminal.

Create Node Group with additional add-ons in Public Subnet.

# Create Public Node Group   
eksctl create nodegroup --cluster=eksdemo1 \
                       --region=us-east-1 \
                       --name=eksdemo1-ng-public1 \
                       --node-type=t3.medium \
                       --nodes=2 \
                       --nodes-min=2 \
                       --nodes-max=4 \
                       --node-volume-size=20 \
                       --ssh-access \
                       --ssh-public-key=kube-demo \
                       --managed \
                       --asg-access \
                       --external-dns-access \
                       --full-ecr-access \
                       --appmesh-access \
                       --alb-ingress-access

Login to worker node using EC2 Key Pair.

# For MAC or Linux or Windows10
ssh -i kube-demo.pem ec2-user@<Public-IP-of-Worker-Node>

# For Windows 7
Use putty

Update worker nodes security group to allow all traffic.

Delete the cluster at the end of this exercise to make sure you dont incur additional charges.
Important: Revert security group rules prior to deleting the cluster.

# Delete Cluster
eksctl delete cluster eksdemo1

Thank you! 🌸

Secure your VPC with AWS Network Firewall

bismaakram — Thu, 04 Dec 2025 10:12:42 +0000

👋 Hello tech enthusiasts!

In this blog, we’ll walk through the implementation of AWS Network Firewall using a hands-on lab 🧪. Our objective is to understand how stateless and stateful rule groups work by building a simple yet practical setup 🛡️⚙️.

🎯 Lab Objectives

We will launch a simple web server on an EC2 instance.
Create a Stateless rule to block the inbound ICPM (ping request) traffic to the web server.
Create a Stateful rule to allow outbound traffic from the webserver to a particular domain name e.g aws.amazon.com over TLS and block all other outgoing traffic

We’ll use the following architecture diagram as the reference for our setup.

🖥️ Launch your webserver on an EC2 instance

SSH to EC2 instance and install HTTPD web server (In security group allow SSH, HTTP and ICMP traffic from anywhere 0.0.0.0/0). We need to make sure that the security group is not restricting any traffic.
Verify that you are able to access the web server over a browser using EC2 instances public IP or public DNS
Verify that you are able to ping to EC2 instance from your workstation

In VPC settings, enable DNS resolution and DNS hostnames, to ensure you can access your webserver using the public DNS.

I can also successfully ping the EC2 instance from my workstation.

Next steps, is to create a Network Firewall and associate with your VPC, and the Firewall subnet.

⚡ Stateless Rules

Drop all ICMP traffic from 0.0.0.0/0 to 0.0.0.0/0 (priority 10).
Forward all other traffic to Stateful rule group (priority 20).

⚡ Stateful Rules

pass tcp any any -> any 22 (msg:"Allow TCP 22"; sid:1000001; rev:1;)
pass http any any -> any any (http.host; dotprefix; content:".amazonaws.com"; endswith; msg:"Permit HTTP access to the web server"; sid:1000002; rev:1;)
pass tls any any -> any any (tls.sni; content:"aws.amazon.com"; startswith; nocase; endswith; msg:"Permit HTTPS access to aws.amazon.com"; sid:1000003; rev:1;)
drop tcp any any -> any any (flow:established,to_server; msg:"Deny all other TCP traffic"; sid: 1000004; rev:1;)

Add Stateless and Stateful rule groups to the Firewall policy.

Next steps, lets modify the Route tables.

Add a route to Firewall endpoint to the Public subnet.

Add a route to Internet Gateway in the Firewall subnet.

Create a new route table for Internet Gateway.
Add route for traffic going to 10.100.0.0/24, it should go through the Firewall endpoint.

Go to edge associations and associate with the Internet Gateway.

🔍 Now, let's verify our Firewall rules.

We can ping the IP address of our EC2 machine, to see if it is working.

Perfect! It doesn't work 😅

Now, let's try the public DNS http://ec2-52-65-196-41.ap-southeast-2.compute.amazonaws.com/.

Excellent! 🎉 This is working, since we had a Stateful rule to allow the amazonaws.com domain name.

That’s all for today! 🙌 Thank you for following along! 😊