Production Kubernetes

Book description

Kubernetes has become the dominant container orchestrator, but many organizations that have recently adopted this system are still struggling to run actual production workloads. In this practical book, four software engineers from VMware bring their shared experiences running Kubernetes in production and provide insight on key challenges and best practices.

The brilliance of Kubernetes is how configurable and extensible the system is, from pluggable runtimes to storage integrations. For platform engineers, software developers, infosec, network engineers, storage engineers, and others, this book examines how the path to success with Kubernetes involves a variety of technology, pattern, and abstraction considerations.

With this book, you will:

  • Understand what the path to production looks like when using Kubernetes
  • Examine where gaps exist in your current Kubernetes strategy
  • Learn Kubernetes's essential building blocks and their trade-offs
  • Understand what's involved in making Kubernetes a viable location for applications
  • Learn better ways to navigate the cloud native landscape

Table of contents

  1. Foreword
  2. Preface
    1. Conventions Used in This Book
    2. Using Code Examples
    3. O’Reilly Online Learning
    4. How to Contact Us
    5. Acknowledgments
  3. 1. A Path to Production
    1. Defining Kubernetes
      1. The Core Components
      2. Beyond Orchestration—Extended Functionality
      3. Kubernetes Interfaces
      4. Summarizing Kubernetes
    2. Defining Application Platforms
      1. The Spectrum of Approaches
      2. Aligning Your Organizational Needs
      3. Summarizing Application Platforms
    3. Building Application Platforms on Kubernetes
      1. Starting from the Bottom
      2. The Abstraction Spectrum
      3. Determining Platform Services
      4. The Building Blocks
    4. Summary
  4. 2. Deployment Models
    1. Managed Service Versus Roll Your Own
      1. Managed Services
      2. Roll Your Own
      3. Making the Decision
    2. Automation
      1. Prebuilt Installer
      2. Custom Automation
    3. Architecture and Topology
      1. etcd Deployment Models
      2. Cluster Tiers
      3. Node Pools
      4. Cluster Federation
    4. Infrastructure
      1. Bare Metal Versus Virtualized
      2. Cluster Sizing
      3. Compute Infrastructure
      4. Networking Infrastructure
      5. Automation Strategies
    5. Machine Installations
      1. Configuration Management
      2. Machine Images
      3. What to Install
    6. Containerized Components
    7. Add-ons
    8. Upgrades
      1. Platform Versioning
      2. Plan to Fail
      3. Integration Testing
      4. Strategies
    9. Triggering Mechanisms
    10. Summary
  5. 3. Container Runtime
    1. The Advent of Containers
    2. The Open Container Initiative
      1. OCI Runtime Specification
      2. OCI Image Specification
    3. The Container Runtime Interface
      1. Starting a Pod
    4. Choosing a Runtime
      1. Docker
      2. containerd
      3. CRI-O
      4. Kata Containers
      5. Virtual Kubelet
    5. Summary
  6. 4. Container Storage
    1. Storage Considerations
      1. Access Modes
      2. Volume Expansion
      3. Volume Provisioning
      4. Backup and Recovery
      5. Block Devices and File and Object Storage
      6. Ephemeral Data
      7. Choosing a Storage Provider
    2. Kubernetes Storage Primitives
      1. Persistent Volumes and Claims
      2. Storage Classes
    3. The Container Storage Interface (CSI)
      1. CSI Controller
      2. CSI Node
    4. Implementing Storage as a Service
      1. Installation
      2. Exposing Storage Options
      3. Consuming Storage
      4. Resizing
      5. Snapshots
    5. Summary
  7. 5. Pod Networking
    1. Networking Considerations
      1. IP Address Management
      2. Routing Protocols
      3. Encapsulation and Tunneling
      4. Workload Routability
      5. IPv4 and IPv6
      6. Encrypted Workload Traffic
      7. Network Policy
      8. Summary: Networking Considerations
    2. The Container Networking Interface (CNI)
      1. CNI Installation
    3. CNI Plug-ins
      1. Calico
      2. Cilium
      3. AWS VPC CNI
      4. Multus
      5. Additional Plug-ins
    4. Summary
  8. 6. Service Routing
    1. Kubernetes Services
      1. The Service Abstraction
      2. Endpoints
      3. Service Implementation Details
      4. Service Discovery
      5. DNS Service Performance
    2. Ingress
      1. The Case for Ingress
      2. The Ingress API
      3. Ingress Controllers and How They Work
      4. Ingress Traffic Patterns
      5. Choosing an Ingress Controller
      6. Ingress Controller Deployment Considerations
      7. DNS and Its Role in Ingress
      8. Handling TLS Certificates
    3. Service Mesh
      1. When (Not) to Use a Service Mesh
      2. The Service Mesh Interface (SMI)
      3. The Data Plane Proxy
      4. Service Mesh on Kubernetes
      5. Data Plane Architecture
      6. Adopting a Service Mesh
    4. Summary
  9. 7. Secret Management
    1. Defense in Depth
      1. Disk Encryption
      2. Transport Security
      3. Application Encryption
    2. The Kubernetes Secret API
      1. Secret Consumption Models
      2. Secret Data in etcd
      3. Static-Key Encryption
      4. Envelope Encryption
    3. External Providers
      1. Vault
      2. Cyberark
      3. Injection Integration
      4. CSI Integration
    4. Secrets in the Declarative World
      1. Sealing Secrets
      2. Sealed Secrets Controller
      3. Key Renewal
      4. Multicluster Models
    5. Best Practices for Secrets
      1. Always Audit Secret Interaction
      2. Don’t Leak Secrets
      3. Prefer Volumes Over Environment Variables
      4. Make Secret Store Providers Unknown to Your Application
    6. Summary
  10. 8. Admission Control
    1. The Kubernetes Admission Chain
    2. In-Tree Admission Controllers
    3. Webhooks
      1. Configuring Webhook Admission Controllers
      2. Webhook Design Considerations
    4. Writing a Mutating Webhook
      1. Plain HTTPS Handler
      2. Controller Runtime
    5. Centralized Policy Systems
    6. Summary
  11. 9. Observability
    1. Logging Mechanics
      1. Container Log Processing
      2. Kubernetes Audit Logs
      3. Kubernetes Events
      4. Alerting on Logs
      5. Security Implications
    2. Metrics
      1. Prometheus
      2. Long-Term Storage
      3. Pushing Metrics
      4. Custom Metrics
      5. Organization and Federation
      6. Alerts
      7. Showback and Chargeback
      8. Metrics Components
    3. Distributed Tracing
      1. OpenTracing and OpenTelemetry
      2. Tracing Components
      3. Application Instrumentation
      4. Service Meshes
    4. Summary
  12. 10. Identity
    1. User Identity
      1. Authentication Methods
      2. Implementing Least Privilege Permissions for Users
    2. Application/Workload Identity
      1. Shared Secrets
      2. Network Identity
      3. Service Account Tokens (SAT)
      4. Projected Service Account Tokens (PSAT)
      5. Platform Mediated Node Identity
    3. Summary
  13. 11. Building Platform Services
    1. Points of Extension
      1. Plug-in Extensions
      2. Webhook Extensions
      3. Operator Extensions
    2. The Operator Pattern
      1. Kubernetes Controllers
      2. Custom Resources
    3. Operator Use Cases
      1. Platform Utilities
      2. General-Purpose Workload Operators
      3. App-Specific Operators
    4. Developing Operators
      1. Operator Development Tooling
      2. Data Model Design
      3. Logic Implementation
    5. Extending the Scheduler
      1. Predicates and Priorities
      2. Scheduling Policies
      3. Scheduling Profiles
      4. Multiple Schedulers
      5. Custom Scheduler
    6. Summary
  14. 12. Multitenancy
    1. Degrees of Isolation
      1. Single-Tenant Clusters
      2. Multitenant Clusters
    2. The Namespace Boundary
    3. Multitenancy in Kubernetes
      1. Role-Based Access Control (RBAC)
      2. Resource Quotas
      3. Admission Webhooks
      4. Resource Requests and Limits
      5. Network Policies
      6. Pod Security Policies
      7. Multitenant Platform Services
    4. Summary
  15. 13. Autoscaling
    1. Types of Scaling
    2. Application Architecture
    3. Workload Autoscaling
      1. Horizontal Pod Autoscaler
      2. Vertical Pod Autoscaler
      3. Autoscaling with Custom Metrics
      4. Cluster Proportional Autoscaler
      5. Custom Autoscaling
    4. Cluster Autoscaling
      1. Cluster Overprovisioning
    5. Summary
  16. 14. Application Considerations
    1. Deploying Applications to Kubernetes
      1. Templating Deployment Manifests
      2. Packaging Applications for Kubernetes
    2. Ingesting Configuration and Secrets
      1. Kubernetes ConfigMaps and Secrets
      2. Obtaining Configuration from External Systems
    3. Handling Rescheduling Events
      1. Pre-stop Container Life Cycle Hook
      2. Graceful Container Shutdown
      3. Satisfying Availability Requirements
    4. State Probes
      1. Liveness Probes
      2. Readiness Probes
      3. Startup Probes
      4. Implementing Probes
    5. Pod Resource Requests and Limits
      1. Resource Requests
      2. Resource Limits
    6. Application Logs
      1. What to Log
      2. Unstructured Versus Structured Logs
      3. Contextual Information in Logs
    7. Exposing Metrics
      1. Instrumenting Applications
      2. USE Method
      3. RED Method
      4. The Four Golden Signals
      5. App-Specific Metrics
    8. Instrumenting Services for Distributed Tracing
      1. Initializing the Tracer
      2. Creating Spans
      3. Propagate Context
    9. Summary
  17. 15. Software Supply Chain
    1. Building Container Images
      1. The Golden Base Images Antipattern
      2. Choosing a Base Image
      3. Runtime User
      4. Pinning Package Versions
      5. Build Versus Runtime Image
      6. Cloud Native Buildpacks
    2. Image Registries
      1. Vulnerability Scanning
      2. Quarantine Workflow
      3. Image Signing
    3. Continuous Delivery
      1. Integrating Builds into a Pipeline
      2. Push-Based Deployments
      3. Rollout Patterns
      4. GitOps
    4. Summary
  18. 16. Platform Abstractions
    1. Platform Exposure
    2. Self-Service Onboarding
    3. The Spectrum of Abstraction
      1. Command-Line Tooling
      2. Abstraction Through Templating
      3. Abstracting Kubernetes Primitives
      4. Making Kubernetes Invisible
    4. Summary
  19. Index

Product information

  • Title: Production Kubernetes
  • Author(s): Josh Rosso, Rich Lander, Alex Brand, John Harris
  • Release date: March 2021
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781492092308