Kubernetes Best Practices
Akash Agrawal
Twitter: @akkiagrawal29
LinkedIn: www.linkedin.com/in/akash-agrawal-58a97813
Kubernetes Best Practices
● Container Best Practices
● Kubernetes Best Practices
● Application Design & Architecture Best Practices/Considerations
Container Best Practices
Building Container Images
● Keep your Container Images Small & Secure
● Why:
Performance (Time to Build/Push/Pull Container Images)
Security (Less Attack Surface Area for Vulnerabilities)
● How:
Use Small Base Images
Follow Docker Best Practices for writing Dockerfiles
Don't blindly use Arbitrary Images from Docker Hub
Builder Pattern/Docker Multi-Stage Builds
Vulnerability Scanning
● Impact:
Think about a Microservice Environment, CI/CD Pipelines, Build Frequencies (Daily/Hourly) etc.
Container Internals
● Use a Non-Root User Inside the Container
● Why:
Extra Layer of Security, avoiding disaster in case of Container Escape
● How:
PodSpec ---> SecurityContext ---> runAsNonRoot
● Impact:
Extra Layer of Security
● Explore:
https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b
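As an added example (not from the deck), a Pod spec that enforces the non-root rule the slide names, with the pod-level `runAsNonRoot` plus the container-level settings that usually go with it; the Pod name, image and UID 10001 are assumed values:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nonroot-demo                # assumed name
spec:
  securityContext:                  # pod level: inherited by every container in the pod
    runAsNonRoot: true              # kubelet refuses to start a container that would run as UID 0
    runAsUser: 10001                # assumed UID; the image must work when started as this user
    runAsGroup: 10001
    fsGroup: 10001                  # mounted volumes are made group-writable for this GID
  containers:
  - name: app
    image: registry.example.com/app:1.4.2   # assumed image, pinned tag
    securityContext:                # container level: further narrows what the process can do
      allowPrivilegeEscalation: false       # blocks setuid/file-capability escalation to root
      readOnlyRootFilesystem: true          # an escaped process cannot modify the image layers
      capabilities:
        drop: ["ALL"]               # least privilege: add back only what the app provably needs
    volumeMounts:
    - name: tmp
      mountPath: /tmp               # the one writable path the app gets
  volumes:
  - name: tmp
    emptyDir: {}
```

If `runAsUser` is omitted and the image declares no non-root `USER`, the kubelet does not fall back to root; it fails the container with CreateContainerConfigError, which is the intended fail-closed behaviour.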
Kubernetes Best Practices
Organizing Kubernetes Workloads
● Organize K8S workloads with Namespaces
● Why:
Organizing workloads
Helpful in Resource Utilization
Security
● How:
Designed to keep different project environments like Dev/QA/UAT/Build/Prod etc. apart
Consider Namespace Granularity based on (Small Team/Rapidly Growing Team/Large Company/Large Enterprises/Number of Projects/Project Environments/Services/Microservices/Resource Quota/Access Control)
● Impact:
Think about a Project with multiple environments separated in different namespaces (K8S Artifacts Isolation/Resource Isolation/Access Control & Policies)
Setting up Health Checks
● A health check is the simple way to let the system know whether an instance of your app is working or not.
● Goal: Send traffic only to those instances that are live & ready.
● Using Liveness & Readiness Probes
Setting up Health Checks .. cont.
● Why:
Think about an Application that takes a minute to warm up
Think about the Use-Cases: Pod Re-scheduling, Scaling Out/In etc.
● How:
3 Types of Probes: HTTP/TCP/Command
Ways to Configure Probes: initialDelaySeconds, periodSeconds, timeoutSeconds etc.
● Impact:
Designing a Robust & Smart System
● Explore:
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
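An added example (not from the deck) of the two probes on a Deployment for an app that needs about a minute to warm up, using the probe fields the slide lists; the Deployment name, image and the `/readyz` and `/healthz` endpoints are assumptions:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api                          # assumed name
spec:
  replicas: 3
  selector:
    matchLabels: {app: api}
  template:
    metadata:
      labels: {app: api}
    spec:
      containers:
      - name: api
        image: registry.example.com/api:2.0.1   # assumed image
        ports:
        - containerPort: 8080
        # Readiness gates Service traffic: while it fails the pod is removed from the
        # Endpoints but is NOT restarted, so a slow warm-up or a lost dependency only
        # drains traffic away from this instance.
        readinessProbe:
          httpGet:
            path: /readyz              # assumed endpoint: checks config loaded + DB reachable
            port: 8080
          periodSeconds: 5
          timeoutSeconds: 2
          failureThreshold: 3          # 3 misses (~15 s) before the pod is pulled from rotation
        # Liveness restarts the container on failure. Keep it cheap and independent of
        # downstream systems, otherwise an outage elsewhere turns into a restart storm here.
        livenessProbe:
          httpGet:
            path: /healthz             # assumed endpoint: process is alive and not deadlocked
            port: 8080
          initialDelaySeconds: 60      # covers the one-minute warm-up; prevents a restart loop at startup
          periodSeconds: 10
          timeoutSeconds: 2
          failureThreshold: 3
        # The other two probe types named on the slide use the same timing fields:
        #   tcpSocket: {port: 8080}
        #   exec: {command: ["cat", "/tmp/healthy"]}
```

On clusters that support `startupProbe`, a startup probe is the cleaner way to cover the warm-up window, but `initialDelaySeconds` is the knob the slide names and works everywhere.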
Setting Resource "Requests" & "Limits"
● Control Node Resource Allocation (like CPU/Memory) to the Containers
● Why:
For Scheduling Requirements
● How:
define this at Container/Pod Level & Namespace Level
requests.cpu, requests.memory, limits.cpu, limits.memory
also explore Resource Quota & Limit Range
Setting Resource "Requests" & "Limits"
● Impact:
Tuning the Node & Cluster Resource Allocation for Applications
● Explore:
https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
https://kubernetes.io/docs/concepts/policy/resource-quotas/
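An added example (not from the deck) that ties the namespace slide to this one: a per-environment Namespace with a ResourceQuota and LimitRange at namespace level, and a Pod that sets container-level requests and limits. The namespace name, image and all quantities are assumed values chosen for illustration:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: payments-dev                 # assumed: one namespace per project environment
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: payments-dev-quota
  namespace: payments-dev
spec:
  hard:                              # caps on the SUM across all pods in the namespace
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "20"
---
apiVersion: v1
kind: LimitRange
metadata:
  name: payments-dev-limits
  namespace: payments-dev
spec:
  limits:
  - type: Container
    defaultRequest:                  # injected as requests when a container sets none
      cpu: 100m
      memory: 128Mi
    default:                         # injected as limits when a container sets none
      cpu: 500m
      memory: 256Mi
    max:                             # per-container ceiling; larger values are rejected at admission
      cpu: "2"
      memory: 2Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: worker
  namespace: payments-dev
spec:
  containers:
  - name: worker
    image: registry.example.com/worker:3.1.0   # assumed image
    resources:
      requests:                      # what the scheduler reserves on a node for this container
        cpu: 250m
        memory: 256Mi
      limits:                        # what the kubelet enforces: CPU is throttled, memory overuse is OOM-killed
        cpu: "1"
        memory: 512Mi
```

Once a quota constrains a compute resource, every new pod in that namespace must specify requests/limits for it or it is rejected; the LimitRange defaults keep manifests that omit them admissible.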
Graceful Termination of Applications
● Handling Graceful Termination (e.g. Closing Connections/Writing Data etc.) is Key for any distributed system.
● Why:
K8S terminates pods in various scenarios (e.g. in case of Rolling Updates, Node Draining, Resource Outage on the Worker Node, Scaling In etc.) … so make sure your application terminates gracefully.
● How:
terminationGracePeriodSeconds
preStop Hook
Graceful Termination of Applications
● Impact:
Graceful Termination of Applications
● Explore:
https://pracucci.com/graceful-shutdown-of-kubernetes-pods.html
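An added example (not from the deck) showing the two settings named on the slide on a Deployment; the name, image and the 45-second budget are assumed values:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web                          # assumed name
spec:
  replicas: 2
  selector:
    matchLabels: {app: web}
  template:
    metadata:
      labels: {app: web}
    spec:
      # Budget from the start of termination to SIGKILL (default 30 s). The preStop hook
      # runs inside this window, so hook time + in-flight drain time must fit below it.
      terminationGracePeriodSeconds: 45
      containers:
      - name: web
        image: registry.example.com/web:5.2.0   # assumed image
        # Run the server as PID 1 directly (exec form, no shell wrapper) so that SIGTERM
        # actually reaches the process instead of being swallowed by /bin/sh.
        command: ["/app/server"]                 # assumed binary path
        ports:
        - containerPort: 8080
        lifecycle:
          preStop:
            exec:
              # Endpoint removal and SIGTERM are issued concurrently; pausing briefly lets
              # kube-proxy and the ingress stop sending new connections before the app
              # starts shutting down. Needs /bin/sh in the image.
              command: ["/bin/sh", "-c", "sleep 5"]
```

The application side is the other half: on SIGTERM, stop accepting new connections, finish in-flight requests, flush pending writes, then exit 0 before the grace period expires.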
Kubernetes Cluster Environment
● Create Administrative Boundaries
Namespaces
Access Control / RBAC
Resource Quota & Limit Range
Pod Security Policy / Pod Security Context
Network Policy
● Secrets:
Pay attention (if Secrets are stored or accessible in plain text/who can access which secrets/expiry or rotation of secrets etc.)
● Access:
Limit SSH access to K8S Nodes
Limit Access/Audit to K8S Dashboard / Kubectl / K8S API Access
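An added example (not from the deck) of two of the boundaries listed above, RBAC and Network Policy, scoped to one namespace: a read-only Role bound to a developer group, a default-deny policy, and a single allow rule. The namespace, group name, app label and ingress-controller namespace are assumptions:

```yaml
# Namespace-scoped, read-only access to pods and their logs. Secrets are deliberately
# left out of this Role; reading them is a separate, tighter grant.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: payments-dev            # assumed namespace
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers-read-pods
  namespace: payments-dev
subjects:
- kind: Group
  name: payments-developers          # assumed group from the cluster's identity provider
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role                         # a Role, not a ClusterRole: the grant cannot leak across namespaces
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# Default deny: with an empty podSelector every pod in the namespace is selected, and
# listing both policy types with no rules means no ingress or egress is allowed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments-dev
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Re-open only what is needed: the api pods accept TCP/8080 from the ingress controller's namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-from-ingress
  namespace: payments-dev
spec:
  podSelector:
    matchLabels: {app: api}          # assumed label
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx   # assumed controller namespace
    ports:
    - protocol: TCP
      port: 8080
```

Default-deny egress also blocks DNS, so a matching egress rule to the cluster DNS service (UDP/TCP 53 in kube-system) is normally the first allow rule to add; NetworkPolicy is only enforced when the CNI plugin supports it.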
Application Design & Architecture Best Practices/Considerations
Application Design & Architecture
● Follow “One Process Per Container” Principle
● Multi Container Pods (e.g. for Watchers/Proxy etc.)
● Use Labels & Selectors Carefully
● Follow "Least Privileges" Principle
● Don't focus on "application restart" in case of failures, instead focus on "Crashing it Clean"
Application Design & Architecture
● Don't use ServiceType=LoadBalancer blindly, in most cases "Ingress" is good enough.
● Use “Init Containers” for bootstrapping instead of the Sidecar design pattern
● Use the “record” option for easier rollbacks
● Don’t use :latest or no tag for images
● Always use Deployments instead of bare pods
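An added example (not from the deck) that puts several of the points above into one manifest set: a Deployment (not a bare Pod) with stable labels and selector, an init container for bootstrapping, pinned image tags, and a ClusterIP Service exposed through an Ingress instead of a LoadBalancer Service. Names, images, the `orders-db` dependency, the ingress class and the host are assumptions:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders                           # assumed name
  labels: {app: orders, tier: backend}
spec:
  replicas: 2
  selector:
    matchLabels: {app: orders}           # immutable after creation; keep it minimal and stable
  template:
    metadata:
      labels: {app: orders, tier: backend, version: "1.7.3"}   # richer labels for selection and rollouts
    spec:
      initContainers:
      # Runs to completion before the app container starts; no long-lived sidecar needed
      # for a one-off bootstrap step such as waiting for a dependency.
      - name: wait-for-db
        image: busybox:1.36                # pinned tag, never :latest
        command: ["sh", "-c", "until nc -z orders-db 5432; do sleep 2; done"]   # assumed DB Service name
      containers:
      - name: orders
        image: registry.example.com/orders:1.7.3   # immutable tag: rollbacks and audits are unambiguous
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: orders
spec:
  type: ClusterIP                        # internal only; no cloud load balancer per Service
  selector: {app: orders}                # matches the pod template labels above
  ports:
  - port: 80
    targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orders
spec:
  ingressClassName: nginx                # assumed controller
  rules:
  - host: orders.example.com             # assumed host
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: orders
            port:
              number: 80
```

One shared ingress controller then fronts every such Service, which is the cost and attack-surface argument behind "Ingress is good enough" for most workloads.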
Application Design & Architecture
● Explore:
https://matthewpalmer.net/kubernetes-app-developer/articles/multi-container-pod-design-patterns.html
Others
● In Cloud – look for Regional & Zonal Clusters
● Look for Service Mesh in a Microservice Environment (e.g. Istio)
● Look for Managed K8S Platform features
● Explore CNCF Projects e.g. Fluentd/OpenTracing/Prometheus etc.
Thanks
