DEV Community: Ferdous Azad

A beginners guide to Kubernetes with Docker

Ferdous Azad — Sun, 16 Jun 2024 15:31:42 +0000

Kubernetes (often abbreviated as K8s) is an open-source platform for automating the deployment, scaling, and operation of application containers. It works with various container runtimes, including Docker, to orchestrate containerized applications across clusters of machines.

Here’s a brief tutorial on Kubernetes and how it works with Docker containers:

1. Basic Concepts in Kubernetes

Cluster: A set of nodes (machines) running containerized applications managed by Kubernetes.
Node:A single machine in a Kubernetes cluster. It can be a physical or virtual machine.
Pod: The smallest deployable unit in Kubernetes, which can contain one or more containers.
Service:*An abstraction that defines a logical set of pods and a policy by which to access them.
Deployment: Manages a set of identical pods, ensuring the correct number of replicas and allowing updates.
ConfigMap and Secret:Objects for managing configuration data and sensitive information, respectively.

2. Installing Kubernetes

You can install Kubernetes locally using tools like Minikube or kind (Kubernetes in Docker). For production, you’d typically use a cloud provider’s managed Kubernetes service, such as GKE (Google Kubernetes Engine), EKS (Amazon Elastic Kubernetes Service), or AKS (Azure Kubernetes Service).

Install Minikube

Follow the installation guide for your operating system on the Minikube website

Start Minikube:

minikube start

Install kubectl:

Follow the installation guide on the Kubernetes website

3. Creating a Simple Kubernetes Application

Step 1: Create a Deployment

Create a Docker image:
Dockerfile:

`FROM node:14

WORKDIR /usr/src/app

COPY package*.json ./

RUN npm install

COPY . .

EXPOSE 3000

CMD ["node", "app.js"]`

Build the Docker image:

docker build -t node-app:latest .

Push the image to a container registry (e.g., Docker Hub):

docker tag node-app:latest <your-dockerhub-username>/node-app:latest

docker push <your-dockerhub-username>/node-app:latest

Create a Kubernetes Deployment YAML file (deployment.yaml):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: node-app-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: node-app
  template:
    metadata:
      labels:
        app: node-app
    spec:
      containers:
      - name: node-app
        image: <your-dockerhub-username>/node-app:latest
        ports:
        - containerPort: 3000

Apply the deployment:

kubectl apply -f deployment.yaml

Check the deployment and pods:

kubectl get deployments
kubectl get pods

Step 2: Create a Service

Create a Service YAML file (service.yaml):

apiVersion: v1
kind: Service
metadata:
  name: node-app-service
spec:
  selector:
    app: node-app
  ports:
  - protocol: TCP
    port: 80
    targetPort: 3000
  type: LoadBalancer

Apply the service:

kubectl apply -f service.yaml

Check the service:

kubectl get services

Access the application:

Use the external IP provided by the service (in Minikube, use minikube service node-app-service – url).

Communicating Between Services

step 1: Set Up a Database Service

Create a PostgreSQL Deployment and Service:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
      - name: postgres
        image: postgres:latest
        env:
        - name: POSTGRES_DB
          value: mydatabase
        - name: POSTGRES_USER
          value: postgres
        - name: POSTGRES_PASSWORD
          value: mysecretpassword
        ports:
        - containerPort: 5432

---
apiVersion: v1
kind: Service
metadata:
  name: postgres-service
spec:
  selector:
    app: postgres
  ports:
  - protocol: TCP
    port: 5432
    targetPort: 5432

Apply the deployment and service:

kubectl apply -f postgres.yaml

Step 2: Update Node.js Application to Use Database

Modify app.js to connect to PostgreSQL:

const express = require('express');
const { Pool } = require('pg');
const app = express();
const PORT = 3000;

const pool = new Pool({
  user: 'postgres',
  host: 'postgres-service',
  database: 'mydatabase',
  password: 'mysecretpassword',
  port: 5432,
});

app.get('/', async (req, res) => {
  const result = await pool.query('SELECT NOW()');
  res.send(`PostgreSQL time: ${result.rows[0].now}`);
});

app.listen(PORT, () => {
  console.log(`Server is running on port ${PORT}`);
});

Build and push the updated Docker image:

docker build -t <your-dockerhub-username>/node-app:latest .
docker push <your-dockerhub-username>/node-app:latest

Update the deployment:

kubectl set image deployment/node-app-deployment node-app=<your-dockerhub-username>/node-app:latest

Scaling and Updating Applications

Scale the deployment:

kubectl scale deployment node-app-deployment – replicas=5

Update the deployment with a new image:

kubectl set image deployment/node-app-deployment node-app=<your-dockerhub-username>/node-app:new-version

Managing Configurations with ConfigMaps and Secrets

Create a ConfigMap:

configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  DATABASE_HOST: postgres-service
  DATABASE_USER: postgres
  DATABASE_PASSWORD: mysecretpassword
  DATABASE_NAME: mydatabase
Applying the ConfigMap:

kubectl apply -f configmap.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: node-app-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: node-app
  template:
    metadata:
      labels:
        app: node-app
    spec:
      containers:
      - name: node-app
        image: <your-dockerhub-username>/node-app:latest
        ports:
        - containerPort: 3000
        env:
        - name: DATABASE_HOST
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: DATABASE_HOST
        - name: DATABASE_USER
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: DATABASE_USER
        - name: DATABASE_PASSWORD
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: DATABASE_PASSWORD
        - name: DATABASE_NAME
          valueFrom:
            configMapKeyRef:
              name: app-config
              key: DATABASE_NAME

Make sure to replace with your actual Docker Hub username.

The ConfigMap provides database configuration information that the node-app container in the Deployment uses through environment variables. The kubectl apply -f configmap.yaml command applies the ConfigMap configuration to your Kubernetes cluster.

This tutorial covers the basics of Kubernetes, deploying and managing Docker containers, and communicating between services. For more advanced topics, consider exploring Kubernetes documentation and other resources.

Docker a beginners guide

Ferdous Azad — Sun, 16 Jun 2024 15:15:36 +0000

Docker is a platform for developing, shipping, and running applications in containers. Containers are lightweight and contain everything needed to run an application, making them portable and consistent across environments.

Here’s a brief tutorial on Docker, including creating containers, networking between containers, and setting up a simple multi-container application involving a database, cache, and services written in Node.js and Go.

1. Install Docker

Install Docker from Docker’s official website

2. Basic Docker Commands

Pull an image:

docker pull <image-name>

Example:

docker pull node:14

Run a container:

docker run -d – name <container-name> <image-name>

Example:

docker run -d – name my-node-container node:14

List running containers:

docker ps

Stop a container:

docker stop <container-name>

Remove a container:

docker rm <container-name>

3. Creating a Node.js Application Container

Create a simple Node.js application:

mkdir node-app
cd node-app
npm init -y
npm install express

2. Create app.js:

const express = require(‘express’);
const app = express();
const PORT = 3000;

app.get('/', (req, res) => {
  res.send('Hello from Node.js!');
});

app.listen(PORT, () => {
  console.log(`Server is running on port ${PORT}`);
});

3. Create `Dockerfile:

Dockerfile

`
FROM node:14

WORKDIR /usr/src/app

COPY package.json ./

RUN npm install

COPY . .

EXPOSE 3000

CMD ["node", "app.js"]
`

4. Build the Docker image:

docker build -t node-app .

5. Run the container:

docker run -d – name node-app-container -p 3000:3000 node-app

Creating a Go Application Container

Create a simple Go application:

mkdir go-app cd go-app

2. Create main.go:

`
package main

import (
"fmt"
"net/http"
)

func handler(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "Hello from Go!")
}

func main() {
http.HandleFunc("/", handler)
http.ListenAndServe(":8080", nil)
}
`

3. Create Dockerfile:

Dockerfile

`
FROM golang:1.16

WORKDIR /app

COPY . .

RUN go build -o main .

EXPOSE 8080

CMD ["./main"]
`

4. Build the Docker image:

docker build -t go-app .

5. Run the container:

docker run -d – name go-app-container -p 8080:8080 go-app

5. Setting Up a Database Container

Run a PostgreSQL container:

docker run -d – name postgres-container -e POSTGRES_PASSWORD=mysecretpassword -e POSTGRES_DB=mydatabase -p 5432:5432 postgres

6. Setting Up a Redis Cache Container

Run a Redis container:
docker run -d – name redis-container -p 6379:6379 redis

7. Networking Between Containers

Docker provides several ways to network containers. The simplest way is to use Docker’s default bridge network.

Create a custom network:

docker network create my-network

2. Run containers in the same network:

docker run -d – name postgres-container – network my-network -e POSTGRES_PASSWORD=mysecretpassword -e POSTGRES_DB=mydatabase postgres docker run -d – name redis-container – network my-network redis docker run -d – name node-app-container – network my-network -p 3000:3000 node-app docker run -d – name go-app-container – network my-network -p 8080:8080 go-app

8. Connecting Services to Database and Cache

Example Node.js (app.js) connecting to PostgreSQL and Redis:

Install dependencies:

npm install pg redis

Modify app.js:

`
const express = require('express');
const { Pool } = require('pg');
const redis = require('redis');
const app = express();
const PORT = 3000;
const pool = new Pool({
user: 'postgres',
host: 'postgres-container',
database: 'mydatabase',
password: 'mysecretpassword',
port: 5432,
});

const client = redis.createClient({
host: 'redis-container',
port: 6379,
});

app.get('/', async (req, res) => {
const result = await pool.query('SELECT NOW()');

client.set('key', 'value');

client.get('key', (err, value) => {
res.send(PostgreSQL time: ${result.rows[0].now}, Redis value: ${value});
});

});

app.listen(PORT, () => {
console.log(Server is running on port ${PORT});
});
`

Example Go (main.go) connecting to PostgreSQL and Redis:

Install dependencies:

go get github.com/lib/pq go get github.com/go-redis/redis/v8

2. Modify main.go:

`
package main

import (
"context"
"database/sql"
"fmt"
"net/http"
"github.com/go-redis/redis/v8"
_ "github.com/lib/pq"
)

var ctx = context.Background()

func handler(w http.ResponseWriter, r *http.Request) {
connStr := "user=postgres password=mysecretpassword dbname=mydatabase host=postgres-container sslmode=disable"
db, err := sql.Open("postgres", connStr)

if err != nil {
panic(err)
}

defer db.Close()

var now string
err = db.QueryRow("SELECT NOW()").Scan(&now)

if err != nil {
panic(err)
}

rdb := redis.NewClient(&redis.Options{
Addr: "redis-container:6379",
})

err = rdb.Set(ctx, "key", "value", 0).Err()

if err != nil {
panic(err)
}

val, err := rdb.Get(ctx, "key").Result()

if err != nil {
panic(err)
}

fmt.Fprintf(w, "PostgreSQL time: %s, Redis value: %s", now, val)
}

func main() {
http.HandleFunc("/", handler)
http.ListenAndServe(":8080", nil)
}
`

9. Docker Compose

To simplify the process, you can use Docker Compose to define and run multi-container Docker applications.

Create docker-compose.yml:

`
version: '3'

services:
postgres:
image: postgres
environment:
POSTGRES_PASSWORD: mysecretpassword
POSTGRES_DB: mydatabase
networks:
- my-network

redis:
image: redis
networks:
- my-network

node-app:
build: ./node-app
ports:
- "3000:3000"
networks:
- my-network

go-app:
build: ./go-app
ports:
- "8080:8080"
networks:
- my-network

networks:
my-network:
driver: bridge
`

Run the application:

docker-compose up – build

By following this tutorial, you can set up a multi-container application with Docker, including networking between containers and connecting services to a database and cache.

Open Web Application Security Project OWASP Top Ten

Ferdous Azad — Sun, 16 Jun 2024 14:56:08 +0000

Web security is crucial for protecting applications and data from various threats. The OWASP (Open Web Application Security Project) Top Ten is a widely recognized list of the most critical web application security risks. Here’s a detailed explanation of common web security best practices, including those highlighted by the OWASP Top Ten:

1. Injection (OWASP A1)

Description:
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

Best Practices:

Use parameterized queries and prepared statements.
Employ ORM (Object-Relational Mapping) libraries that provide automatic query parameterization.
Validate and sanitize all inputs.
Use ORM and avoid dynamically constructing queries.

2. Broken Authentication (OWASP A2)

Description:
This risk arises from incorrect implementation of authentication mechanisms, allowing attackers to compromise passwords, keys, or session tokens, or exploit other implementation flaws to assume other users’ identities.

Best Practices:

Implement multi-factor authentication (MFA).
Ensure session tokens are properly secured.
Use secure password storage methods (e.g., bcrypt).
Implement account lockout mechanisms and ensure secure password recovery processes.

3. Sensitive Data Exposure (OWASP A3)

Description:
**Sensitive data exposure occurs when applications do not adequately protect sensitive information such as credit cards, healthcare information, or personal identifiers.

Best Practices:

Use strong encryption for data at rest and in transit (e.g., TLS).
Implement strict access controls.
Avoid storing sensitive data unless absolutely necessary.
Ensure that data is masked or encrypted when displayed.

4. XML External Entities (XXE) (OWASP A4)

Description:
XXE vulnerabilities occur when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

Best Practices:

Disable external entity processing in XML parsers.
Use less complex data formats such as JSON, if possible.
Validate and sanitize XML inputs.
Regularly update XML parsers and libraries.

5. Broken Access Control (OWASP A5)

Description:
Broken access control vulnerabilities arise when users are able to act outside of their intended permissions.

Best Practices:

Enforce least privilege: only give users access to what they need.
Implement role-based access control (RBAC).
Regularly review and test access controls.
Use access control mechanisms provided by the platform (e.g., frameworks, libraries).

6. Security Misconfiguration (OWASP A6)

Description:
Security misconfigurations occur when security settings are defined, implemented, and maintained as insecure defaults or are incomplete and ad-hoc.

Best Practices:

Implement a repeatable hardening process.
Regularly update and patch systems and software.
Remove or disable unnecessary features and services.
Apply security configurations across the entire software stack.

7. Cross-Site Scripting (XSS) (OWASP A7)

Description:
XSS vulnerabilities occur when an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript.

Best Practices:

Use frameworks that automatically escape XSS by design.
Sanitize and validate input data.
Use Content Security Policy (CSP) to prevent the execution of malicious scripts.
Encode data on output.

8. Insecure Deserialization (OWASP A8)

Description:
Insecure deserialization flaws occur when applications deserialize untrusted data, allowing attackers to execute arbitrary code or conduct injection attacks.

Best Practices:

Avoid deserializing data from untrusted sources.
Implement integrity checks such as digital signatures on serialized objects.
Use a safe and secure serialization mechanism.
Restrict and monitor deserialization.

9. Using Components with Known Vulnerabilities (OWASP A9)

Description:
Applications that use libraries, frameworks, and other software modules with known vulnerabilities can undermine application defenses and enable various attacks.

Best Practices:

Regularly update and patch dependencies.
Use tools to scan for known vulnerabilities in dependencies.
Subscribe to security bulletins related to the components you use.
Prefer components that are actively maintained and have a strong security record.

10. Insufficient Logging & Monitoring (OWASP A10)

Description:
Inadequate logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to achieve their goals without being detected.

Best Practices:

Implement comprehensive logging of security-relevant events.
Ensure logs are generated in a format that can be easily consumed by centralized log management solutions.
Regularly monitor logs and establish an alerting mechanism for suspicious activities.
Conduct regular audits and reviews of logs.

Additional Best Practices:
Secure Development Practices: Follow secure coding standards and guidelines. Regularly train developers on security best practices.
Threat Modeling: Perform threat modeling to identify and mitigate potential security threats during the design phase.

Regular Security Testing: Conduct regular security testing, including code reviews, penetration testing, and automated security scans.
Secure DevOps (DevSecOps): Integrate security practices into the DevOps pipeline to ensure continuous security throughout the development lifecycle.

By implementing these best practices, you can significantly enhance the security of your web applications and protect them against common threats.