book

Cloud Native DevOps with Kubernetes, 2nd Edition

by Justin Domingus, John Arundel

March 2022

Intermediate to advanced

356 pages

8h 44m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

What Will I Learn?Who Is This Book For?What Questions Does This Book Answer?Conventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
The Creation of the CloudBuying TimeInfrastructure as a ServiceThe Dawn of DevOpsImproving Feedback LoopsWhat Does DevOps Mean?Infrastructure as CodeLearning TogetherThe Coming of ContainersThe State of the ArtThinking Inside the BoxPutting Software in ContainersPlug and Play ApplicationsConducting the Container OrchestraKubernetesFrom Borg to KubernetesWhy Kubernetes?Will Kubernetes Disappear?Kubernetes Is Not a PanaceaCloud NativeThe Future of OperationsDistributed DevOpsSome Things Will Remain CentralizedDeveloper Productivity EngineeringYou Are the FutureSummary
Running Your First ContainerInstalling Docker DesktopWhat Is Docker?Running a Container ImageThe Demo ApplicationLooking at the Source CodeIntroducing GoHow the Demo App WorksBuilding a ContainerUnderstanding DockerfilesMinimal Container ImagesRunning Docker Image BuildNaming Your ImagesPort ForwardingContainer RegistriesAuthenticating to the RegistryNaming and Pushing Your ImageRunning Your ImageHello, KubernetesRunning the Demo AppIf the Container Doesn’t StartMinikubeSummary
Cluster ArchitectureThe Control PlaneNode ComponentsHigh AvailabilityThe Costs of Self-Hosting KubernetesIt’s More Work Than You ThinkIt’s Not Just About the Initial SetupTools Don’t Do All the Work for YouKubernetes the Hard WayKubernetes Is HardAdministration OverheadStart with Managed ServicesManaged Kubernetes ServicesGoogle Kubernetes Engine (GKE)Cluster AutoscalingAutopilotAmazon Elastic Kubernetes Service (EKS)Azure Kubernetes Service (AKS)IBM Cloud Kubernetes ServiceDigitalOcean KubernetesKubernetes InstallerskopsKubespraykubeadmRancher Kubernetes Engine (RKE)Puppet Kubernetes ModuleBuy or Build: Our RecommendationsRun Less SoftwareUse Managed Kubernetes if You CanBut What About Vendor Lock-in?Bare-Metal and On-PremMulticloud Kubernetes ClustersOpenShiftAnthosUse Standard Kubernetes Self-Hosting Tools if You MustClusterless Container ServicesAWS FargateAzure Container Instances (ACI)Google Cloud RunSummary
DeploymentsSupervising and SchedulingRestarting ContainersCreating DeploymentsPodsReplicaSetsMaintaining Desired StateThe Kubernetes SchedulerResource Manifests in YAML FormatResources Are DataDeployment ManifestsUsing kubectl applyService ResourcesQuerying the Cluster with kubectlTaking Resources to the Next LevelHelm: A Kubernetes Package ManagerInstalling HelmInstalling a Helm ChartCharts, Repositories, and ReleasesListing Helm ReleasesSummary
Understanding ResourcesResource UnitsResource RequestsResource LimitsQuality of ServiceManaging the Container Life CycleLiveness ProbesProbe Delay and FrequencyOther Types of ProbesReadiness ProbesStartup ProbesgRPC ProbesFile-Based Readiness ProbesminReadySecondsPod Disruption BudgetsUsing NamespacesWorking with NamespacesWhat Namespaces Should I Use?Service AddressesResource QuotasDefault Resource Requests and LimitsOptimizing Cluster CostsKubecostOptimizing DeploymentsOptimizing PodsVertical Pod AutoscalerOptimizing NodesOptimizing StorageCleaning Up Unused ResourcesChecking Spare CapacityUsing Reserved InstancesUsing Preemptible (Spot) InstancesKeeping Your Workloads BalancedSummary
Cluster Sizing and ScalingCapacity PlanningNodes and InstancesScaling the ClusterConformance CheckingCNCF CertificationConformance Testing with SonobuoyKubernetes Audit LoggingChaos TestingOnly Production Is Productionchaoskubekube-monkeyPowerfulSealSummary
Mastering kubectlShell AliasesUsing Short FlagsAbbreviating Resource TypesAuto-Completing kubectl CommandsGetting HelpGetting Help on Kubernetes ResourcesShowing More Detailed OutputWorking with JSON Data and jqWatching ObjectsDescribing ObjectsWorking with ResourcesImperative kubectl CommandsWhen Not to Use Imperative CommandsGenerating Resource ManifestsExporting ResourcesDiffing ResourcesWorking with ContainersViewing a Container’s LogsAttaching to a ContainerWatching Kubernetes Resources with kubespyForwarding a Container PortExecuting Commands on ContainersRunning Containers for TroubleshootingUsing BusyBox CommandsAdding BusyBox to Your ContainersInstalling Programs on a ContainerContexts and Namespaceskubeconfig fileskubectx and kubenskube-ps1Kubernetes Shells and Toolskube-shellClickkubed-shSternKubernetes IDEsLensVS Code Kubernetes ExtensionBuilding Your Own Kubernetes ToolsSummary

Containers and PodsWhat Is a Container?Container Runtimes in KubernetesWhat Belongs in a Container?What Belongs in a Pod?Container ManifestsImage IdentifiersThe latest TagContainer DigestsBase Image TagsPortsResource Requests and LimitsImage Pull PolicyEnvironment VariablesContainer SecurityRunning Containers as a Non-Root UserBlocking Root ContainersSetting a Read-Only FilesystemDisabling Privilege EscalationCapabilitiesPod Security ContextsPod Service AccountsVolumesemptyDir VolumesPersistent VolumesRestart PoliciesImage Pull SecretsInit ContainersSummary
LabelsWhat Are Labels?SelectorsMore Advanced SelectorsOther Uses for LabelsLabels and AnnotationsNode AffinitiesHard AffinitiesSoft AffinitiesPod Affinities and Anti-AffinitiesKeeping Pods TogetherKeeping Pods ApartSoft Anti-AffinitiesWhen to Use Pod AffinitiesTaints and TolerationsPod ControllersDaemonSetsStatefulSetsJobsCronJobsHorizontal Pod AutoscalersOperators and Custom Resource Definitions (CRDs)IngressIngress ControllersIngress RulesTerminating TLS with IngressService MeshIstioLinkerdConsul ConnectNGINX Service MeshSummary
ConfigMapsCreating ConfigMapsSetting Environment Variables from ConfigMapsSetting the Whole Environment from a ConfigMapUsing Environment Variables in Command ArgumentsCreating Config Files from ConfigMapsUpdating Pods on a Config ChangeKubernetes SecretsUsing Secrets as Environment VariablesWriting Secrets to FilesReading SecretsAccess to SecretsEncryption at RestKeeping Secrets and ConfigMapsSecrets Management StrategiesEncrypt Secrets in Version ControlUse a Dedicated Secrets Management ToolEncrypting Secrets with SopsEncrypting a File with SopsUsing a KMS BackendSealed SecretsSummary
Access Control and PermissionsManaging Access by ClusterIntroducing Role-Based Access Control (RBAC)Understanding RolesBinding Roles to UsersWhat Roles Do I Need?Guard Access to cluster-adminApplications and DeploymentRBAC TroubleshootingCluster Security ScanningGatekeeper/OPAkube-benchKubescapeContainer Security ScanningClairAquaAnchore EngineSynkBackupsDo I Need to Back Up Kubernetes?Backing Up etcdBacking Up Resource StateBacking Up Cluster StateLarge and Small DisastersVeleroMonitoring Cluster StatuskubectlCPU and Memory UtilizationCloud Provider ConsoleKubernetes DashboardWeave Scopekube-ops-viewnode-problem-detectorFurther ReadingSummary
Building Manifests with HelmWhat’s Inside a Helm Chart?Helm TemplatesInterpolating VariablesQuoting Values in TemplatesSpecifying DependenciesDeploying Helm ChartsSetting VariablesSpecifying Values in a Helm ReleaseUpdating an App with HelmRolling Back to Previous VersionsCreating a Helm Chart RepoManaging Helm Chart Secrets with SopsManaging Multiple Charts with HelmfileWhat’s in a Helmfile?Chart MetadataApplying the HelmfileAdvanced Manifest Management ToolskustomizeTankaKapitankomposeAnsiblekubevalSummary
Development ToolsSkaffoldTelepresenceWaypointKnativeOpenFaaSCrossplaneDeployment StrategiesRolling UpdatesRecreatemaxSurge and maxUnavailableBlue/Green DeploymentsRainbow DeploymentsCanary DeploymentsHandling Migrations with HelmHelm HooksHandling Failed HooksOther HooksChaining HooksSummary
What Is Continuous Deployment?Which CD Tool Should I Use?Hosted CI/CD ToolsAzure PipelinesGoogle Cloud BuildCodefreshGitHub ActionsGitLab CISelf-Hosted CI/CD ToolsJenkinsDroneTektonConcourseSpinnakerArgoKeelA CI/CD Pipeline with Cloud BuildSetting Up Google Cloud and GKEForking the Demo RepositoryCreate Artifact Registry Container RepositoryConfiguring Cloud BuildBuilding the Test ContainerRunning the TestsBuilding the Application ContainerSubstitution VariablesGit SHA TagsValidating the Kubernetes ManifestsPublishing the ImageCreating the First Build TriggerTesting the TriggerDeploying from a CI/CD PipelineCreating a Deploy TriggerAdapting the Example PipelineGitOpsFluxSummary
What Is Observability?What Is Monitoring?Closed-Box MonitoringWhat Does “Up” Mean?LoggingIntroducing MetricsTracingObservabilityThe Observability PipelineMonitoring in KubernetesExternal Closed-Box ChecksInternal Health ChecksSummary
What Are Metrics, Really?Time-Series DataCounters and GaugesWhat Can Metrics Tell Us?Choosing Good MetricsServices: The RED PatternResources: The USE PatternBusiness MetricsKubernetes MetricsAnalyzing MetricsWhat’s Wrong with a Simple Average?Means, Medians, and OutliersDiscovering PercentilesApplying Percentiles to Metrics DataWe Usually Want to Know the WorstBeyond PercentilesGraphing Metrics with DashboardsUse a Standard Layout for All ServicesBuild an Information Radiator with Primary DashboardsDashboard Things That BreakAlerting on MetricsWhat’s Wrong with Alerts?On-Call Should Not Be HellUrgent, Important, and Actionable AlertsTrack Your Alerts, Out-of-Hours Pages, and Wake-UpsMetrics Tools and ServicesPrometheusGoogle Operations SuiteAWS CloudWatchAzure MonitorDatadogNew RelicSummary
Where to Go NextSecond Edition NotesWelcome Aboard

Content preview from Cloud Native DevOps with Kubernetes, 2nd Edition

Chapter 10. Configuration and Secrets

If you want to keep a secret, you must also hide it from yourself.

George Orwell, 1984

It’s very useful to be able to separate the logic of your Kubernetes application from its configuration: that is, any values or settings that might change over the life of the application. Configuration values commonly include things like environment-specific settings, DNS addresses of third-party services, and authentication credentials.

While you could simply put these values directly into your code, that’s not a very flexible approach. For one thing, changing a configuration value would require a complete rebuild and redeploy of the application. It’s much better to separate these values out from the code and read them in from a file, or from environment variables.

Kubernetes provides a few different ways to help you manage configuration. One is to pass values to the application via environment variables in the Pod spec (see “Environment Variables”). Another is to store configuration data directly in Kubernetes, using the ConfigMap and Secret objects.

In this chapter we’ll explore ConfigMaps and Secrets in detail, and look at some practical techniques for managing configuration and secrets in applications, using the demo application as an example.

ConfigMaps

The ConfigMap is the primary object for storing configuration data in Kubernetes. You can think of it as being a named set of key-value pairs that stores configuration data. Once you have a ConfigMap, ...