book

Production Kubernetes

by Josh Rosso, Rich Lander, Alex Brand, John Harris

March 2021

Intermediate to advanced

506 pages

14h 24m

English

O'Reilly Media, Inc.

Audiobook available

Read now

Unlock full access

Foreword
Preface
Conventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
1. A Path to Production
Defining KubernetesThe Core ComponentsBeyond Orchestration—Extended FunctionalityKubernetes InterfacesSummarizing KubernetesDefining Application PlatformsThe Spectrum of ApproachesAligning Your Organizational NeedsSummarizing Application PlatformsBuilding Application Platforms on KubernetesStarting from the BottomThe Abstraction SpectrumDetermining Platform ServicesThe Building BlocksSummary
2. Deployment Models
Managed Service Versus Roll Your OwnManaged ServicesRoll Your OwnMaking the DecisionAutomationPrebuilt InstallerCustom AutomationArchitecture and Topologyetcd Deployment ModelsCluster TiersNode PoolsCluster FederationInfrastructureBare Metal Versus VirtualizedCluster SizingCompute InfrastructureNetworking InfrastructureAutomation StrategiesMachine InstallationsConfiguration ManagementMachine ImagesWhat to InstallContainerized ComponentsAdd-onsUpgradesPlatform VersioningPlan to FailIntegration TestingStrategiesTriggering MechanismsSummary
3. Container Runtime
The Advent of ContainersThe Open Container InitiativeOCI Runtime SpecificationOCI Image SpecificationThe Container Runtime InterfaceStarting a PodChoosing a RuntimeDockercontainerdCRI-OKata ContainersVirtual KubeletSummary
4. Container Storage
Storage ConsiderationsAccess ModesVolume ExpansionVolume ProvisioningBackup and RecoveryBlock Devices and File and Object StorageEphemeral DataChoosing a Storage ProviderKubernetes Storage PrimitivesPersistent Volumes and ClaimsStorage ClassesThe Container Storage Interface (CSI)CSI ControllerCSI NodeImplementing Storage as a ServiceInstallationExposing Storage OptionsConsuming StorageResizingSnapshotsSummary
5. Pod Networking
Networking ConsiderationsIP Address ManagementRouting ProtocolsEncapsulation and TunnelingWorkload RoutabilityIPv4 and IPv6Encrypted Workload TrafficNetwork PolicySummary: Networking ConsiderationsThe Container Networking Interface (CNI)CNI InstallationCNI Plug-insCalicoCiliumAWS VPC CNIMultusAdditional Plug-insSummary
6. Service Routing
Kubernetes ServicesThe Service AbstractionEndpointsService Implementation DetailsService DiscoveryDNS Service PerformanceIngressThe Case for IngressThe Ingress APIIngress Controllers and How They WorkIngress Traffic PatternsChoosing an Ingress ControllerIngress Controller Deployment ConsiderationsDNS and Its Role in IngressHandling TLS CertificatesService MeshWhen (Not) to Use a Service MeshThe Service Mesh Interface (SMI)The Data Plane ProxyService Mesh on KubernetesData Plane ArchitectureAdopting a Service MeshSummary
7. Secret Management
Defense in DepthDisk EncryptionTransport SecurityApplication EncryptionThe Kubernetes Secret APISecret Consumption ModelsSecret Data in etcdStatic-Key EncryptionEnvelope EncryptionExternal ProvidersVaultCyberarkInjection IntegrationCSI IntegrationSecrets in the Declarative WorldSealing SecretsSealed Secrets ControllerKey RenewalMulticluster ModelsBest Practices for SecretsAlways Audit Secret InteractionDon’t Leak SecretsPrefer Volumes Over Environment VariablesMake Secret Store Providers Unknown to Your ApplicationSummary
8. Admission Control
The Kubernetes Admission ChainIn-Tree Admission ControllersWebhooksConfiguring Webhook Admission ControllersWebhook Design ConsiderationsWriting a Mutating WebhookPlain HTTPS HandlerController RuntimeCentralized Policy SystemsSummary

9. Observability
Logging MechanicsContainer Log ProcessingKubernetes Audit LogsKubernetes EventsAlerting on LogsSecurity ImplicationsMetricsPrometheusLong-Term StoragePushing MetricsCustom MetricsOrganization and FederationAlertsShowback and ChargebackMetrics ComponentsDistributed TracingOpenTracing and OpenTelemetryTracing ComponentsApplication InstrumentationService MeshesSummary
10. Identity
User IdentityAuthentication MethodsImplementing Least Privilege Permissions for UsersApplication/Workload IdentityShared SecretsNetwork IdentityService Account Tokens (SAT)Projected Service Account Tokens (PSAT)Platform Mediated Node IdentitySummary
11. Building Platform Services
Points of ExtensionPlug-in ExtensionsWebhook ExtensionsOperator ExtensionsThe Operator PatternKubernetes ControllersCustom ResourcesOperator Use CasesPlatform UtilitiesGeneral-Purpose Workload OperatorsApp-Specific OperatorsDeveloping OperatorsOperator Development ToolingData Model DesignLogic ImplementationExtending the SchedulerPredicates and PrioritiesScheduling PoliciesScheduling ProfilesMultiple SchedulersCustom SchedulerSummary
12. Multitenancy
Degrees of IsolationSingle-Tenant ClustersMultitenant ClustersThe Namespace BoundaryMultitenancy in KubernetesRole-Based Access Control (RBAC)Resource QuotasAdmission WebhooksResource Requests and LimitsNetwork PoliciesPod Security PoliciesMultitenant Platform ServicesSummary
13. Autoscaling
Types of ScalingApplication ArchitectureWorkload AutoscalingHorizontal Pod AutoscalerVertical Pod AutoscalerAutoscaling with Custom MetricsCluster Proportional AutoscalerCustom AutoscalingCluster AutoscalingCluster OverprovisioningSummary
14. Application Considerations
Deploying Applications to KubernetesTemplating Deployment ManifestsPackaging Applications for KubernetesIngesting Configuration and SecretsKubernetes ConfigMaps and SecretsObtaining Configuration from External SystemsHandling Rescheduling EventsPre-stop Container Life Cycle HookGraceful Container ShutdownSatisfying Availability RequirementsState ProbesLiveness ProbesReadiness ProbesStartup ProbesImplementing ProbesPod Resource Requests and LimitsResource RequestsResource LimitsApplication LogsWhat to LogUnstructured Versus Structured LogsContextual Information in LogsExposing MetricsInstrumenting ApplicationsUSE MethodRED MethodThe Four Golden SignalsApp-Specific MetricsInstrumenting Services for Distributed TracingInitializing the TracerCreating SpansPropagate ContextSummary
15. Software Supply Chain
Building Container ImagesThe Golden Base Images AntipatternChoosing a Base ImageRuntime UserPinning Package VersionsBuild Versus Runtime ImageCloud Native BuildpacksImage RegistriesVulnerability ScanningQuarantine WorkflowImage SigningContinuous DeliveryIntegrating Builds into a PipelinePush-Based DeploymentsRollout PatternsGitOpsSummary
16. Platform Abstractions
Platform ExposureSelf-Service OnboardingThe Spectrum of AbstractionCommand-Line ToolingAbstraction Through TemplatingAbstracting Kubernetes PrimitivesMaking Kubernetes InvisibleSummary
Index

Content preview from Production Kubernetes

Chapter 1. A Path to Production

Over the years, the world has experienced wide adoption of Kubernetes within organizations. Its popularity has unquestionably been accelerated by the proliferation of containerized workloads and microservices. As operations, infrastructure, and development teams arrive at this inflection point of needing to build, run, and support these workloads, several are turning to Kubernetes as part of the solution. Kubernetes is a fairly young project relative to other, massive, open source projects such as Linux. Evidenced by many of the clients we work with, it is still early days for most users of Kubernetes. While many organizations have an existing Kubernetes footprint, there are far fewer that have reached production and even less operating at scale. In this chapter, we are going to set the stage for the journey many engineering teams are on with Kubernetes. Specifically, we are going to chart out some key considerations we look at when defining a path to production.

Defining Kubernetes

Is Kubernetes a platform? Infrastructure? An application? There is no shortage of thought leaders who can provide you their precise definition of what Kubernetes is. Instead of adding to this pile of opinions, let’s put our energy into clarifying the problems Kubernetes solves. Once defined, we will explore how to build atop this feature set in a way that moves us toward production outcomes. The ideal state of “Production Kubernetes” implies that we have reached a state ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781492092292Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Production Kubernetes

by Josh Rosso, Rich Lander, Alex Brand, John Harris

Chapter 1. A Path to Production

Defining Kubernetes

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.