book

Production Kubernetes

by Josh Rosso, Rich Lander, Alex Brand, John Harris

March 2021

Intermediate to advanced

506 pages

14h 24m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Conventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
Defining KubernetesThe Core ComponentsBeyond Orchestration—Extended FunctionalityKubernetes InterfacesSummarizing KubernetesDefining Application PlatformsThe Spectrum of ApproachesAligning Your Organizational NeedsSummarizing Application PlatformsBuilding Application Platforms on KubernetesStarting from the BottomThe Abstraction SpectrumDetermining Platform ServicesThe Building BlocksSummary
Managed Service Versus Roll Your OwnManaged ServicesRoll Your OwnMaking the DecisionAutomationPrebuilt InstallerCustom AutomationArchitecture and Topologyetcd Deployment ModelsCluster TiersNode PoolsCluster FederationInfrastructureBare Metal Versus VirtualizedCluster SizingCompute InfrastructureNetworking InfrastructureAutomation StrategiesMachine InstallationsConfiguration ManagementMachine ImagesWhat to InstallContainerized ComponentsAdd-onsUpgradesPlatform VersioningPlan to FailIntegration TestingStrategiesTriggering MechanismsSummary
The Advent of ContainersThe Open Container InitiativeOCI Runtime SpecificationOCI Image SpecificationThe Container Runtime InterfaceStarting a PodChoosing a RuntimeDockercontainerdCRI-OKata ContainersVirtual KubeletSummary
Storage ConsiderationsAccess ModesVolume ExpansionVolume ProvisioningBackup and RecoveryBlock Devices and File and Object StorageEphemeral DataChoosing a Storage ProviderKubernetes Storage PrimitivesPersistent Volumes and ClaimsStorage ClassesThe Container Storage Interface (CSI)CSI ControllerCSI NodeImplementing Storage as a ServiceInstallationExposing Storage OptionsConsuming StorageResizingSnapshotsSummary
Networking ConsiderationsIP Address ManagementRouting ProtocolsEncapsulation and TunnelingWorkload RoutabilityIPv4 and IPv6Encrypted Workload TrafficNetwork PolicySummary: Networking ConsiderationsThe Container Networking Interface (CNI)CNI InstallationCNI Plug-insCalicoCiliumAWS VPC CNIMultusAdditional Plug-insSummary
Kubernetes ServicesThe Service AbstractionEndpointsService Implementation DetailsService DiscoveryDNS Service PerformanceIngressThe Case for IngressThe Ingress APIIngress Controllers and How They WorkIngress Traffic PatternsChoosing an Ingress ControllerIngress Controller Deployment ConsiderationsDNS and Its Role in IngressHandling TLS CertificatesService MeshWhen (Not) to Use a Service MeshThe Service Mesh Interface (SMI)The Data Plane ProxyService Mesh on KubernetesData Plane ArchitectureAdopting a Service MeshSummary
Defense in DepthDisk EncryptionTransport SecurityApplication EncryptionThe Kubernetes Secret APISecret Consumption ModelsSecret Data in etcdStatic-Key EncryptionEnvelope EncryptionExternal ProvidersVaultCyberarkInjection IntegrationCSI IntegrationSecrets in the Declarative WorldSealing SecretsSealed Secrets ControllerKey RenewalMulticluster ModelsBest Practices for SecretsAlways Audit Secret InteractionDon’t Leak SecretsPrefer Volumes Over Environment VariablesMake Secret Store Providers Unknown to Your ApplicationSummary
The Kubernetes Admission ChainIn-Tree Admission ControllersWebhooksConfiguring Webhook Admission ControllersWebhook Design ConsiderationsWriting a Mutating WebhookPlain HTTPS HandlerController RuntimeCentralized Policy SystemsSummary

Logging MechanicsContainer Log ProcessingKubernetes Audit LogsKubernetes EventsAlerting on LogsSecurity ImplicationsMetricsPrometheusLong-Term StoragePushing MetricsCustom MetricsOrganization and FederationAlertsShowback and ChargebackMetrics ComponentsDistributed TracingOpenTracing and OpenTelemetryTracing ComponentsApplication InstrumentationService MeshesSummary
User IdentityAuthentication MethodsImplementing Least Privilege Permissions for UsersApplication/Workload IdentityShared SecretsNetwork IdentityService Account Tokens (SAT)Projected Service Account Tokens (PSAT)Platform Mediated Node IdentitySummary
Points of ExtensionPlug-in ExtensionsWebhook ExtensionsOperator ExtensionsThe Operator PatternKubernetes ControllersCustom ResourcesOperator Use CasesPlatform UtilitiesGeneral-Purpose Workload OperatorsApp-Specific OperatorsDeveloping OperatorsOperator Development ToolingData Model DesignLogic ImplementationExtending the SchedulerPredicates and PrioritiesScheduling PoliciesScheduling ProfilesMultiple SchedulersCustom SchedulerSummary
Degrees of IsolationSingle-Tenant ClustersMultitenant ClustersThe Namespace BoundaryMultitenancy in KubernetesRole-Based Access Control (RBAC)Resource QuotasAdmission WebhooksResource Requests and LimitsNetwork PoliciesPod Security PoliciesMultitenant Platform ServicesSummary
Types of ScalingApplication ArchitectureWorkload AutoscalingHorizontal Pod AutoscalerVertical Pod AutoscalerAutoscaling with Custom MetricsCluster Proportional AutoscalerCustom AutoscalingCluster AutoscalingCluster OverprovisioningSummary
Deploying Applications to KubernetesTemplating Deployment ManifestsPackaging Applications for KubernetesIngesting Configuration and SecretsKubernetes ConfigMaps and SecretsObtaining Configuration from External SystemsHandling Rescheduling EventsPre-stop Container Life Cycle HookGraceful Container ShutdownSatisfying Availability RequirementsState ProbesLiveness ProbesReadiness ProbesStartup ProbesImplementing ProbesPod Resource Requests and LimitsResource RequestsResource LimitsApplication LogsWhat to LogUnstructured Versus Structured LogsContextual Information in LogsExposing MetricsInstrumenting ApplicationsUSE MethodRED MethodThe Four Golden SignalsApp-Specific MetricsInstrumenting Services for Distributed TracingInitializing the TracerCreating SpansPropagate ContextSummary
Building Container ImagesThe Golden Base Images AntipatternChoosing a Base ImageRuntime UserPinning Package VersionsBuild Versus Runtime ImageCloud Native BuildpacksImage RegistriesVulnerability ScanningQuarantine WorkflowImage SigningContinuous DeliveryIntegrating Builds into a PipelinePush-Based DeploymentsRollout PatternsGitOpsSummary
Platform ExposureSelf-Service OnboardingThe Spectrum of AbstractionCommand-Line ToolingAbstraction Through TemplatingAbstracting Kubernetes PrimitivesMaking Kubernetes InvisibleSummary

Overview

Kubernetes has become the dominant container orchestrator, but many organizations that have recently adopted this system are still struggling to run actual production workloads. In this practical book, four software engineers from VMware bring their shared experiences running Kubernetes in production and provide insight on key challenges and best practices.

The brilliance of Kubernetes is how configurable and extensible the system is, from pluggable runtimes to storage integrations. For platform engineers, software developers, infosec, network engineers, storage engineers, and others, this book examines how the path to success with Kubernetes involves a variety of technology, pattern, and abstraction considerations.

With this book, you will:

Understand what the path to production looks like when using Kubernetes
Examine where gaps exist in your current Kubernetes strategy
Learn Kubernetes's essential building blocks--and their trade-offs
Understand what's involved in making Kubernetes a viable location for applications
Learn better ways to navigate the cloud native landscape