book

Kubernetes Best Practices

by Brendan Burns, Eddie Villalba, Dave Strebel, Lachlan Evenson

November 2019

Intermediate to advanced

265 pages

6h 44m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Who Should Read This BookWhy We Wrote This BookNavigating This BookConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
Application OverviewManaging Configuration FilesCreating a Replicated Service Using DeploymentsBest Practices for Image ManagementCreating a Replicated ApplicationSetting Up an External Ingress for HTTP TrafficConfiguring an Application with ConfigMapsManaging Authentication with SecretsDeploying a Simple Stateful DatabaseCreating a TCP Load Balancer by Using ServicesUsing Ingress to Route Traffic to a Static File ServerParameterizing Your Application by Using HelmDeploying Services Best PracticesSummary
GoalsBuilding a Development ClusterSetting Up a Shared Cluster for Multiple DevelopersOnboarding UsersCreating and Securing a NamespaceManaging NamespacesCluster-Level ServicesEnabling Developer WorkflowsInitial SetupEnabling Active DevelopmentEnabling Testing and DebuggingSetting Up a Development Environment Best PracticesSummary
Metrics Versus LogsMonitoring TechniquesMonitoring PatternsKubernetes Metrics OverviewcAdvisorMetrics Serverkube-state-metricsWhat Metrics Do I Monitor?Monitoring ToolsMonitoring Kubernetes Using PrometheusLogging OverviewTools for LoggingLogging by Using an EFK StackAlertingBest Practices for Monitoring, Logging, and AlertingMonitoringLoggingAlertingSummary
Configuration Through ConfigMaps and SecretsConfigMapsSecretsCommon Best Practices for the ConfigMap and Secrets APIsRBACRBAC PrimerRBAC Best PracticesSummary
Version ControlContinuous IntegrationTestingContainer BuildsContainer Image TaggingContinuous DeploymentDeployment StrategiesTesting in ProductionSetting Up a Pipeline and Performing a Chaos ExperimentSetting Up CISetting Up CDPerforming a Rolling UpgradeA Simple Chaos ExperimentBest Practices for CI/CDSummary
VersioningReleasesRolloutsPutting It All TogetherBest Practices for Versioning, Releases, and RolloutsSummary
Distributing Your ImageParameterizing Your DeploymentLoad-Balancing Traffic Around the WorldReliably Rolling Out Software Around the WorldPre-Rollout ValidationCanary RegionIdentifying Region TypesConstructing a Global RolloutWhen Something Goes WrongWorldwide Rollout Best PracticesSummary
Kubernetes SchedulerPredicatesPrioritiesAdvanced Scheduling TechniquesPod Affinity and Anti-AffinitynodeSelectorTaints and TolerationsPod Resource ManagementResource RequestResource Limits and Pod Quality of ServicePodDisruptionBudgetsManaging Resources by Using NamespacesResourceQuotaLimitRangeCluster ScalingApplication ScalingScaling with HPAHPA with Custom MetricsVertical Pod AutoscalerResource Management Best PracticesSummary
Kubernetes Network PrinciplesNetwork Plug-insKubenetKubenet Best PracticesThe CNI Plug-inCNI Best PracticesServices in KubernetesService Type ClusterIPService Type NodePortService Type ExternalNameService Type LoadBalancerIngress and Ingress ControllersServices and Ingress Controllers Best PracticesNetwork Security PolicyNetwork Policy Best PracticesService MeshesService Mesh Best PracticesSummary

PodSecurityPolicy APIEnabling PodSecurityPolicyAnatomy of a PodSecurityPolicyPodSecurityPolicy ChallengesPodSecurityPolicy Best PracticesPodSecurityPolicy Next StepsWorkload Isolation and RuntimeClassUsing RuntimeClassRuntime ImplementationsWorkload Isolation and RuntimeClass Best PracticesOther Pod and Container Security ConsiderationsAdmission ControllersIntrusion and Anomaly Detection ToolingSummary
Why Policy and Governance Are ImportantHow Is This Policy Different?Cloud-Native Policy EngineIntroducing GatekeeperExample PoliciesGatekeeper TerminologyDefining Constraint TemplatesDefining ConstraintsData ReplicationUXAuditBecoming Familiar with GatekeeperGatekeeper Next StepsPolicy and Governance Best PracticesSummary
Why Multiple Clusters?Multicluster Design ConcernsManaging Multiple Cluster DeploymentsDeployment and Management PatternsThe GitOps Approach to Managing ClustersMulticluster Management ToolsKubernetes FederationManaging Multiple Clusters Best PracticesSummary
Importing Services into KubernetesSelector-Less Services for Stable IP AddressesCNAME-Based Services for Stable DNS NamesActive Controller-Based ApproachesExporting Services from KubernetesExporting Services by Using Internal Load BalancersExporting Services on NodePortsIntegrating External Machines and KubernetesSharing Services Between KubernetesThird-Party ToolsConnecting Cluster and External Services Best PracticesSummary
Why Is Kubernetes Great for Machine Learning?Machine Learning WorkflowMachine Learning for Kubernetes Cluster AdminsModel Training on KubernetesDistributed Training on KubernetesResource ConstraintsSpecialized HardwareLibraries, Drivers, and Kernel ModulesStorageNetworkingSpecialized ProtocolsData Scientist ConcernsMachine Leaning on Kubernetes Best PracticesSummary
Approaches to Developing Higher-Level AbstractionsExtending KubernetesExtending Kubernetes ClustersExtending the Kubernetes User ExperienceDesign Considerations When Building PlatformsSupport Exporting to a Container ImageSupport Existing Mechanisms for Service and Service DiscoveryBuilding Application Platforms Best PracticesSummary
Volumes and Volume MountsVolume Best PracticesKubernetes StoragePersistentVolumePersistentVolumeClaimsStorage ClassesKubernetes Storage Best PracticesStateful ApplicationsStatefulSetsOperatorsStatefulSet and Operator Best PracticesSummary
Admission ControlWhat Are They?Why Are They Important?Admission Controller TypesConfiguring Admission WebhooksAdmission Control Best PracticesAuthorizationAuthorization ModulesAuthorization Best PracticesSummary

Content preview from Kubernetes Best Practices

Chapter 4. Configuration, Secrets, and RBAC

The composable nature of containers allows us as operators to introduce configuration data into a container at runtime. This makes it possible for us to decouple an application’s function from the environment it runs in. By means of the conventions allowed in the container runtime to pass through either environment variables or mount external volumes into a container at runtime, you can effectively change the configuration of the application upon its instantiation. As a developer, it is important to take into consideration the dynamic nature of this behavior and allow for the use of environment variables or the reading of configuration data from a specific path available to the application runtime user.

When moving sensitive data such as secrets into a native Kubernetes API object, it is important to understand how Kubernetes secures access to the API. The most commonly implemented security method in use in Kubernetes is Role-Based Access Control (RBAC) to implement a fine-grained permission structure around actions that can be taken against the API by specific users or groups. This chapter covers some of the best practices regarding RBAC and also provides a small primer.

Configuration Through ConfigMaps and Secrets

Kubernetes allows you to natively provide configuration information to our applications through ConfigMaps or secret resources. The main differentiator between the two is the way a pod stores the receiving information and ...