book

Production Kubernetes

by Josh Rosso, Rich Lander, Alex Brand, John Harris

March 2021

Intermediate to advanced

506 pages

14h 24m

English

O'Reilly Media, Inc.

Audiobook available

Read now

Unlock full access

Foreword
Preface
Conventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
1. A Path to Production
Defining KubernetesThe Core ComponentsBeyond Orchestration—Extended FunctionalityKubernetes InterfacesSummarizing KubernetesDefining Application PlatformsThe Spectrum of ApproachesAligning Your Organizational NeedsSummarizing Application PlatformsBuilding Application Platforms on KubernetesStarting from the BottomThe Abstraction SpectrumDetermining Platform ServicesThe Building BlocksSummary
2. Deployment Models
Managed Service Versus Roll Your OwnManaged ServicesRoll Your OwnMaking the DecisionAutomationPrebuilt InstallerCustom AutomationArchitecture and Topologyetcd Deployment ModelsCluster TiersNode PoolsCluster FederationInfrastructureBare Metal Versus VirtualizedCluster SizingCompute InfrastructureNetworking InfrastructureAutomation StrategiesMachine InstallationsConfiguration ManagementMachine ImagesWhat to InstallContainerized ComponentsAdd-onsUpgradesPlatform VersioningPlan to FailIntegration TestingStrategiesTriggering MechanismsSummary
3. Container Runtime
The Advent of ContainersThe Open Container InitiativeOCI Runtime SpecificationOCI Image SpecificationThe Container Runtime InterfaceStarting a PodChoosing a RuntimeDockercontainerdCRI-OKata ContainersVirtual KubeletSummary
4. Container Storage
Storage ConsiderationsAccess ModesVolume ExpansionVolume ProvisioningBackup and RecoveryBlock Devices and File and Object StorageEphemeral DataChoosing a Storage ProviderKubernetes Storage PrimitivesPersistent Volumes and ClaimsStorage ClassesThe Container Storage Interface (CSI)CSI ControllerCSI NodeImplementing Storage as a ServiceInstallationExposing Storage OptionsConsuming StorageResizingSnapshotsSummary
5. Pod Networking
Networking ConsiderationsIP Address ManagementRouting ProtocolsEncapsulation and TunnelingWorkload RoutabilityIPv4 and IPv6Encrypted Workload TrafficNetwork PolicySummary: Networking ConsiderationsThe Container Networking Interface (CNI)CNI InstallationCNI Plug-insCalicoCiliumAWS VPC CNIMultusAdditional Plug-insSummary
6. Service Routing
Kubernetes ServicesThe Service AbstractionEndpointsService Implementation DetailsService DiscoveryDNS Service PerformanceIngressThe Case for IngressThe Ingress APIIngress Controllers and How They WorkIngress Traffic PatternsChoosing an Ingress ControllerIngress Controller Deployment ConsiderationsDNS and Its Role in IngressHandling TLS CertificatesService MeshWhen (Not) to Use a Service MeshThe Service Mesh Interface (SMI)The Data Plane ProxyService Mesh on KubernetesData Plane ArchitectureAdopting a Service MeshSummary
7. Secret Management
Defense in DepthDisk EncryptionTransport SecurityApplication EncryptionThe Kubernetes Secret APISecret Consumption ModelsSecret Data in etcdStatic-Key EncryptionEnvelope EncryptionExternal ProvidersVaultCyberarkInjection IntegrationCSI IntegrationSecrets in the Declarative WorldSealing SecretsSealed Secrets ControllerKey RenewalMulticluster ModelsBest Practices for SecretsAlways Audit Secret InteractionDon’t Leak SecretsPrefer Volumes Over Environment VariablesMake Secret Store Providers Unknown to Your ApplicationSummary
8. Admission Control
The Kubernetes Admission ChainIn-Tree Admission ControllersWebhooksConfiguring Webhook Admission ControllersWebhook Design ConsiderationsWriting a Mutating WebhookPlain HTTPS HandlerController RuntimeCentralized Policy SystemsSummary

9. Observability
Logging MechanicsContainer Log ProcessingKubernetes Audit LogsKubernetes EventsAlerting on LogsSecurity ImplicationsMetricsPrometheusLong-Term StoragePushing MetricsCustom MetricsOrganization and FederationAlertsShowback and ChargebackMetrics ComponentsDistributed TracingOpenTracing and OpenTelemetryTracing ComponentsApplication InstrumentationService MeshesSummary
10. Identity
User IdentityAuthentication MethodsImplementing Least Privilege Permissions for UsersApplication/Workload IdentityShared SecretsNetwork IdentityService Account Tokens (SAT)Projected Service Account Tokens (PSAT)Platform Mediated Node IdentitySummary
11. Building Platform Services
Points of ExtensionPlug-in ExtensionsWebhook ExtensionsOperator ExtensionsThe Operator PatternKubernetes ControllersCustom ResourcesOperator Use CasesPlatform UtilitiesGeneral-Purpose Workload OperatorsApp-Specific OperatorsDeveloping OperatorsOperator Development ToolingData Model DesignLogic ImplementationExtending the SchedulerPredicates and PrioritiesScheduling PoliciesScheduling ProfilesMultiple SchedulersCustom SchedulerSummary
12. Multitenancy
Degrees of IsolationSingle-Tenant ClustersMultitenant ClustersThe Namespace BoundaryMultitenancy in KubernetesRole-Based Access Control (RBAC)Resource QuotasAdmission WebhooksResource Requests and LimitsNetwork PoliciesPod Security PoliciesMultitenant Platform ServicesSummary
13. Autoscaling
Types of ScalingApplication ArchitectureWorkload AutoscalingHorizontal Pod AutoscalerVertical Pod AutoscalerAutoscaling with Custom MetricsCluster Proportional AutoscalerCustom AutoscalingCluster AutoscalingCluster OverprovisioningSummary
14. Application Considerations
Deploying Applications to KubernetesTemplating Deployment ManifestsPackaging Applications for KubernetesIngesting Configuration and SecretsKubernetes ConfigMaps and SecretsObtaining Configuration from External SystemsHandling Rescheduling EventsPre-stop Container Life Cycle HookGraceful Container ShutdownSatisfying Availability RequirementsState ProbesLiveness ProbesReadiness ProbesStartup ProbesImplementing ProbesPod Resource Requests and LimitsResource RequestsResource LimitsApplication LogsWhat to LogUnstructured Versus Structured LogsContextual Information in LogsExposing MetricsInstrumenting ApplicationsUSE MethodRED MethodThe Four Golden SignalsApp-Specific MetricsInstrumenting Services for Distributed TracingInitializing the TracerCreating SpansPropagate ContextSummary
15. Software Supply Chain
Building Container ImagesThe Golden Base Images AntipatternChoosing a Base ImageRuntime UserPinning Package VersionsBuild Versus Runtime ImageCloud Native BuildpacksImage RegistriesVulnerability ScanningQuarantine WorkflowImage SigningContinuous DeliveryIntegrating Builds into a PipelinePush-Based DeploymentsRollout PatternsGitOpsSummary
16. Platform Abstractions
Platform ExposureSelf-Service OnboardingThe Spectrum of AbstractionCommand-Line ToolingAbstraction Through TemplatingAbstracting Kubernetes PrimitivesMaking Kubernetes InvisibleSummary
Index

Content preview from Production Kubernetes

Chapter 8. Admission Control

We have written many times in this book about the flexible, modular design of Kubernetes being one of its great strengths. Sensible defaults can be replaced, augmented, or built upon to provide alternative or more fully featured experiences for platform consumers. Admission control is one area that particularly benefits from this flexible design goal. Admission control is concerned with validating and mutating requests to the Kubernetes API server before they are persisted in etcd. This ability to intercept objects with fine granularity and control opens up a number of interesting use cases. For example:

Ensuring that new objects cannot be created in a Namespace that is currently being deleted (in terminating state)
Enforcing that new Pods are not going to run as the root user
Making sure that the total sum of memory used by all the Pods in a Namespace does not exceed a user-defined limit
Ensuring that Ingress rules cannot be overwritten accidentally
Adding a sidecar container to every Pod (e.g., Istio)

First we’ll take a high-level look at the admission chain, which is the process all requests to the API server go through. Then we’ll move on to cover the in-tree controllers. These are built-in admission controllers that can be enabled and disabled via flags to the API server and enable some of the preceding use cases. Other use cases require more custom implementation and are integrated via a flexible webhook model. We’ll dedicate a lot ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781492092292Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Production Kubernetes

by Josh Rosso, Rich Lander, Alex Brand, John Harris

Chapter 8. Admission Control

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.