We've been working hard behind the scenes in the past few weeks to enhance two of our most popular Kubernetes courses. Both of these courses attract scores of students each month, driven by their distinct focus and strong alignment with industry needs.
The courses in focus are:
- The Core Kubernetes Master Class, designed for cluster users and developers, and
- The Kubernetes Administration & Configuration, targeted towards those involved in setting up and configuring clusters, especially on-prem clusters.
Our students' feedback has been extraordinary with an impressive average score of 9.4 out of 10 for course content, relevance, and lab experience. Our primary objective at edc4it is to equip our students to become indispensable, collaborative, and satisfied team members in their respective company projects. With this in mind, we have realigned our courses to better meet this objective, in light of recent industry developments. We've also incorporated insightful suggestions from our students, especially the addition of [Ansible Playbooks] for solutions in our Kubernetes Administration Course.
We're incredibly excited to share these vital enhancements with you. Read on for an overview of the key updates we've implemented.
MetalLB
While not limited to, our Kubernetes Administration course is geared towards on-prem clusters. On these kind of clusters the use of MetalLB as a cloud-native load balancer is very popular. For this reason we added a section and lab on this popular component. Students will understand the architecture and decide between different configuration options (such as choosing between Layer-2 or BGP)
We're delighted to also announce that our Core Kubernetes course now incorporates MetalLB, a strategic move that not only facilitates a hands-on understanding of LoadBalancing services but also simplifies the lab experience for our students. With deterministic IP addresses for the Ingress Controller, the course becomes more accessible and comprehensible. Certain instructions, such as setting up an SSH-tunnel, are made simpler and more transparent, improving the overall learning experience. This course adaptation reaffirms our commitment to offering an intuitive, practical, and engaging journey into Kubernetes.
Private Registry
In a quest to render our Kubernetes Administration course even more practical and reflective of real-world, on-premises clusters, we have introduced the use of a private container registry across all lab exercises. The decision aligns with common practices in most, if not all, environments where network-bound private registries, such as Nexus, Harbor, Quay, and Artifactory, are a standard. Beyond bolstering security through trusted container image sources and vulnerability tracking, this change enhances lab efficiency since most images are readily accessible on the local network. Our course setup now includes a Nexus installation that serves as the registry, stocking all images required for the control plane.
Additionally, although somewhat tangential, we have integrated a Squid Proxy to streamline machine provisioning and cluster setup, effectively curbing unnecessary wait times related to downloads of OS packages and container images. Combined with the private container registry, this adjustment greatly optimizes the use of time and resources, making your learning journey more seamless and enjoyable.
External Authentication for Cluster Access (LDAP)
While Kubernetes comes equipped with RBAC and defaults to user identity authentication via a key pair, real-world on-premises clusters often necessitate integration with established security infrastructures, such as LDAP, Keycloak, Microsoft Active Directory, and other Identity Providers (IdPs). This integration can be achieved through the use of OpenID Connect (OIDC) systems like Dex, Keycloak, and Okta. In recognition of this crucial component of modern Kubernetes administration, we've added a comprehensive section and hands-on lab centered around the integration of LDAP and OIDC (Dex) with Kubernetes cluster users. This addition ensures students gain proficiency in managing access to Kubernetes tools like kubectl through an external IdP.
In addition, we've expanded our Core Kubernetes course to include OIDC for application security. Further details on this exciting update can be found in the Ingress section below. Through these enhancements, we continue to bridge the gap between course content and real-world applications, providing learners with the most practical and applicable Kubernetes training.
Solution Playbooks on the Admin course
Navigating inter-lab dependencies is a common challenge encountered in courses. This is particularly relevant for students in administrative roles, who might be called away to address system failures at their workplace, thus disrupting their learning progress. We understand the need for flexibility and, wherever possible, we avoid making our labs dependent on each other.
However, for a Kubernetes Administration course, eliminating all interdependencies is unrealistic. The set-up of a specific cluster type (e.g., stacked or external etcd) and the configuration of key cluster components (such as storage drivers, monitoring, etc.) are often created in one lab and utilized in subsequent ones.
To counteract this, we have provided solutions for each lab in the form of Ansible Playbooks. These resources ensure that no student falls behind due to missed lab sessions, and they provide an additional learning layer by exposing students to the utility of Ansible in automating tasks such as cluster set-up, tear-down, and configuration. We believe these enhancements greatly improve the learning experience and equip our students with a more rounded understanding of Kubernetes administration.
Ingress Additions
Students engaging with our Core Kubernetes course often find themselves grappling with the complexities of creating cloud-native solutions. Amidst development and project pressures, finding time to understand the broader cloud ecosystem can be challenging. As we navigate towards a cloud-based application paradigm, the practice of shifting non-functional requirements or systemic qualities from the application code to reusable cloud components becomes increasingly critical.
Throughout our Docker/Podman and Kubernetes courses, we delve into how systemic qualities such as retry-logic, circuit breakers, and mTLS are deftly managed by sidecars and operators. Beyond that, we also facilitate a transition from embedding fundamental technical requirements within applications, towards leveraging flexible, scalable cloud components. This encompasses crucial application security measures (authentication, authorization), Cross-Origin Resource Sharing (CORS), and Denial-of-Service (DoS) protection.
The application of these requirements through reverse proxies embodies a successful "Separation of Concerns". This strategic shift simplifies application testing and development, promoting less dependency on specific environments.
In the initial iteration of our course, we primarily emphasized the specifics of Ingress routing. However, configuring reverse proxies is no longer a sole responsibility of IT or Infrastructure - developers also configure these network components in a collaborative manner.
In response to this, we have enhanced our course with in-depth content and hands-on labs on Ingress configuration. We've expanded beyond the basics to include CORS, DoS Protection, and more, with a significant emphasis on leveraging Ingress for authentication. Rather than merely sticking with basic authentication, we delve into using OpenID Connect (OIDC) via Dex to integrate with an external Identity Provider (LDAP) for role-based application authentication and authorization. This approach not only amplifies application security but also gives students valuable hands-on experience in this essential aspect of cloud-native development.
Other, smaller updates
Before we conclude, there are a handful of additional updates we'd like to spotlight.
We've enhanced the course with updated software versions, including Kubernetes (versions 1.26 and 1.27), and the most recent iterations of Rook/Ceph, Prometheus, Grafana, and Loki.
A significant update is our switch to KVM and libvirt. At edc4it, our passion for open-source is undeniable, and we're thrilled to incorporate KVM and libvirt into our cloud-based lab environment for relevant courses like Kubernetes Administration and Ansible Masterclass. We've observed marked improvements in stability and performance since this transition. Note that this change impacts only the remote cloud-based lab machines provided to our students and does not affect their local desktop environments.
Given the addition of new content and hands-on labs, we've had to meticulously manage our time. Our Core Kubernetes course, already a comprehensive 5-day program, now includes even more valuable content. As a result, we've made the strategic decision to remove the Nexus lab from the Core Kubernetes course. The setup of a Nexus repository typically falls outside the remit of cluster users and developers, our primary audience for this course. For the lab focusing on the management of container image pull-secrets, we've switched to using our proprietary Nexus repository.