book

Kubernetes Best Practices

by Brendan Burns, Eddie Villalba, Dave Strebel, Lachlan Evenson

November 2019

Intermediate to advanced

265 pages

6h 44m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who Should Read This BookWhy We Wrote This BookNavigating This BookConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
1. Setting Up a Basic Service
Application OverviewManaging Configuration FilesCreating a Replicated Service Using DeploymentsBest Practices for Image ManagementCreating a Replicated ApplicationSetting Up an External Ingress for HTTP TrafficConfiguring an Application with ConfigMapsManaging Authentication with SecretsDeploying a Simple Stateful DatabaseCreating a TCP Load Balancer by Using ServicesUsing Ingress to Route Traffic to a Static File ServerParameterizing Your Application by Using HelmDeploying Services Best PracticesSummary
2. Developer Workflows
GoalsBuilding a Development ClusterSetting Up a Shared Cluster for Multiple DevelopersOnboarding UsersCreating and Securing a NamespaceManaging NamespacesCluster-Level ServicesEnabling Developer WorkflowsInitial SetupEnabling Active DevelopmentEnabling Testing and DebuggingSetting Up a Development Environment Best PracticesSummary
3. Monitoring and Logging in Kubernetes
Metrics Versus LogsMonitoring TechniquesMonitoring PatternsKubernetes Metrics OverviewcAdvisorMetrics Serverkube-state-metricsWhat Metrics Do I Monitor?Monitoring ToolsMonitoring Kubernetes Using PrometheusLogging OverviewTools for LoggingLogging by Using an EFK StackAlertingBest Practices for Monitoring, Logging, and AlertingMonitoringLoggingAlertingSummary
4. Configuration, Secrets, and RBAC
Configuration Through ConfigMaps and SecretsConfigMapsSecretsCommon Best Practices for the ConfigMap and Secrets APIsRBACRBAC PrimerRBAC Best PracticesSummary
5. Continuous Integration, Testing, and Deployment
Version ControlContinuous IntegrationTestingContainer BuildsContainer Image TaggingContinuous DeploymentDeployment StrategiesTesting in ProductionSetting Up a Pipeline and Performing a Chaos ExperimentSetting Up CISetting Up CDPerforming a Rolling UpgradeA Simple Chaos ExperimentBest Practices for CI/CDSummary
6. Versioning, Releases, and Rollouts
VersioningReleasesRolloutsPutting It All TogetherBest Practices for Versioning, Releases, and RolloutsSummary
7. Worldwide Application Distribution and Staging
Distributing Your ImageParameterizing Your DeploymentLoad-Balancing Traffic Around the WorldReliably Rolling Out Software Around the WorldPre-Rollout ValidationCanary RegionIdentifying Region TypesConstructing a Global RolloutWhen Something Goes WrongWorldwide Rollout Best PracticesSummary
8. Resource Management
Kubernetes SchedulerPredicatesPrioritiesAdvanced Scheduling TechniquesPod Affinity and Anti-AffinitynodeSelectorTaints and TolerationsPod Resource ManagementResource RequestResource Limits and Pod Quality of ServicePodDisruptionBudgetsManaging Resources by Using NamespacesResourceQuotaLimitRangeCluster ScalingApplication ScalingScaling with HPAHPA with Custom MetricsVertical Pod AutoscalerResource Management Best PracticesSummary
9. Networking, Network Security, and Service Mesh
Kubernetes Network PrinciplesNetwork Plug-insKubenetKubenet Best PracticesThe CNI Plug-inCNI Best PracticesServices in KubernetesService Type ClusterIPService Type NodePortService Type ExternalNameService Type LoadBalancerIngress and Ingress ControllersServices and Ingress Controllers Best PracticesNetwork Security PolicyNetwork Policy Best PracticesService MeshesService Mesh Best PracticesSummary

10. Pod and Container Security
PodSecurityPolicy APIEnabling PodSecurityPolicyAnatomy of a PodSecurityPolicyPodSecurityPolicy ChallengesPodSecurityPolicy Best PracticesPodSecurityPolicy Next StepsWorkload Isolation and RuntimeClassUsing RuntimeClassRuntime ImplementationsWorkload Isolation and RuntimeClass Best PracticesOther Pod and Container Security ConsiderationsAdmission ControllersIntrusion and Anomaly Detection ToolingSummary
11. Policy and Governance for Your Cluster
Why Policy and Governance Are ImportantHow Is This Policy Different?Cloud-Native Policy EngineIntroducing GatekeeperExample PoliciesGatekeeper TerminologyDefining Constraint TemplatesDefining ConstraintsData ReplicationUXAuditBecoming Familiar with GatekeeperGatekeeper Next StepsPolicy and Governance Best PracticesSummary
12. Managing Multiple Clusters
Why Multiple Clusters?Multicluster Design ConcernsManaging Multiple Cluster DeploymentsDeployment and Management PatternsThe GitOps Approach to Managing ClustersMulticluster Management ToolsKubernetes FederationManaging Multiple Clusters Best PracticesSummary
13. Integrating External Services and Kubernetes
Importing Services into KubernetesSelector-Less Services for Stable IP AddressesCNAME-Based Services for Stable DNS NamesActive Controller-Based ApproachesExporting Services from KubernetesExporting Services by Using Internal Load BalancersExporting Services on NodePortsIntegrating External Machines and KubernetesSharing Services Between KubernetesThird-Party ToolsConnecting Cluster and External Services Best PracticesSummary
14. Running Machine Learning in Kubernetes
Why Is Kubernetes Great for Machine Learning?Machine Learning WorkflowMachine Learning for Kubernetes Cluster AdminsModel Training on KubernetesDistributed Training on KubernetesResource ConstraintsSpecialized HardwareLibraries, Drivers, and Kernel ModulesStorageNetworkingSpecialized ProtocolsData Scientist ConcernsMachine Leaning on Kubernetes Best PracticesSummary
15. Building Higher-Level Application Patterns on Top of Kubernetes
Approaches to Developing Higher-Level AbstractionsExtending KubernetesExtending Kubernetes ClustersExtending the Kubernetes User ExperienceDesign Considerations When Building PlatformsSupport Exporting to a Container ImageSupport Existing Mechanisms for Service and Service DiscoveryBuilding Application Platforms Best PracticesSummary
16. Managing State and Stateful Applications
Volumes and Volume MountsVolume Best PracticesKubernetes StoragePersistentVolumePersistentVolumeClaimsStorage ClassesKubernetes Storage Best PracticesStateful ApplicationsStatefulSetsOperatorsStatefulSet and Operator Best PracticesSummary
17. Admission Control and Authorization
Admission ControlWhat Are They?Why Are They Important?Admission Controller TypesConfiguring Admission WebhooksAdmission Control Best PracticesAuthorizationAuthorization ModulesAuthorization Best PracticesSummary
18. Conclusion
Index

Content preview from Kubernetes Best Practices

Chapter 11. Policy and Governance for Your Cluster

Have you ever wondered how you can ensure that all containers running on a cluster come only from an approved container registry? Or maybe you’ve been asked to ensure that services are never exposed to the internet. These are precisely the problems that policy and governance for your cluster set out to answer. As Kubernetes matures and becomes adopted by more and more enterprises, the question of policy and governance is becoming increasingly frequent. Although this area is still relatively new and upcoming, in this chapter we share what you can do to make sure that your cluster is in compliance with the defined policies of your enterprise.

Why Policy and Governance Are Important

Whether you operate in a highly regulated environment—for example, health care or financial services—or you simply want to make sure that you maintain a level of control over what’s running on your clusters, you’re going to need a way to implement the stated policies of the enterprise. After these policies are defined, you will need to determine how to implement policy and maintain clusters that are compliant to these policies. These policies might be in place to meet regulatory compliance or simply to enforce best practices. Whatever the reason, you must be sure that you do not sacrifice developer agility and self-service when implementing these policies.

How Is This Policy Different?

In Kubernetes, policy is everywhere. Whether it be network policy ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781492056461Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design