Deploy your favorite apps on Kubernetes
Your SlideShare is downloading.
×
Check these out next
Recommended
More Related Content
Slideshows for you (20)
Similar to Kubernetes best practices (20)
More from Bill Liu (20)
Recently uploaded (20)
Kubernetes best practices
- 1. Sandeep Dinesh Developer Advocate @sandeepdinesh github.com/thesandlord Kubernetes Best Practices
- 2. Google Cloud Platform 2 Kubernetes is really flexible
- 3. Google Cloud Platform 3 But you might yourself in the
- 4. Building Containers
- 5. Google Cloud Platform 5 Don’t trust arbitrary base images!
- 6. 6Google Cloud Platform Static Analysis of Containers https://github.com/banyanops/collector https://github.com/coreos/clair
- 7. Google Cloud Platform 7 Use small base images
- 8. 8Google Cloud Platform Overhead Node.js App Your App → 5MB Your App’s Dependencies → 95MB Total App Size → 100MB Docker Base Images: node:8 → 667MB node:8-wheezy → 521MB node:8-slim → 225MB node:8-alpine → 63.7MB scratch → ~50MB
- 9. 9Google Cloud Platform Overhead Node.js App Your App → 5MB Your App’s Dependencies → 95MB Total App Size → 100MB Docker Base Images: node:8 → 667MB node:8-wheezy → 521MB node:8-slim → 225MB node:8-alpine → 63.7MB scratch → ~50MB ← 6.6x App Size!!
- 10. 10Google Cloud Platform Overhead Node.js App Your App → 5MB Your App’s Dependencies → 95MB Total App Size → 100MB Docker Base Images: node:8 → 667MB node:8-wheezy → 521MB node:8-slim → 225MB node:8-alpine → 63.7MB scratch → ~50MB ← 6.6x App Size!! ← 13.3x“min” overhead!!
- 11. 11Google Cloud Platform Overhead Node.js App Your App → 5MB Your App’s Dependencies → 95MB Total App Size → 100MB Docker Base Images: node:8 → 667MB node:8-wheezy → 521MB node:8-slim → 225MB node:8-alpine → 63.7MB scratch → ~50MB ← 6.6x App Size!! ← 13.3x“min” overhead!! Pros: Builds are faster Need less storage Cold starts (image pull) are faster Potentially less attack surface Cons: Less tooling inside container “Non-standard” environment
- 12. Google Cloud Platform 12 Use the “builder pattern”
- 13. 13Google Cloud Platform Code Build Container Compiler Dev Deps Unit Tests etc... Build Artifact(s) Runtime Container Runtime Env Debug/Monitor Tooling Binaries Static Files Bundles Transpiled Code
- 14. Google Cloud Platform 14 Docker bringing native support for multi-stage builds in Docker CE 17.05
- 15. Container Internals
- 16. Google Cloud Platform 16 Use a non-root user inside the container
- 17. 17Google Cloud Platform FROM node:alpine RUN apk update && apk add imagemagick RUN groupadd -r nodejs RUN useradd -m -r -g nodejs nodejs USER nodejs ADD package.json package.json RUN npm install ADD index.js index.js CMD npm start Example Dockerfile
- 18. 18Google Cloud Platform Enforce it! apiVersion: v1 kind: Pod metadata: name: hello-world spec: containers: # specification of the pod’s containers # ... securityContext: runAsNonRoot: true
- 19. Google Cloud Platform 19 Make the filesystem read-only
- 20. 20Google Cloud Platform apiVersion: v1 kind: Pod metadata: name: hello-world spec: containers: # specification of the pod’s containers # ... securityContext: runAsNonRoot: true readOnlyRootFilesystem: true Enforce it!
- 21. Google Cloud Platform 21 One process per container
- 22. Google Cloud Platform 22 Don’t restart on failure. Crash cleanly instead.
- 23. Google Cloud Platform 23 Log to stdout and stderr
- 24. Google Cloud Platform 24 Add “dumb-init” to prevent zombie processes
- 25. 25Google Cloud Platform FROM node:alpine RUN apk update && apk add imagemagick RUN groupadd -r nodejs RUN useradd -m -r -g nodejs nodejs USER nodejs ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64 /usr/local/bin/dumb-init RUN chmod +x /usr/local/bin/dumb-init ENTRYPOINT ["/usr/bin/dumb-init", "--"] ADD package.json package.json RUN npm install ADD index.js index.js CMD npm start Example Dockerfile
- 26. Google Cloud Platform 26 Good News: No need to do this in K8s 1.7
- 27. Deployments
- 28. Google Cloud Platform 28 Use the “record” option for easier rollbacks
- 29. 29Google Cloud Platform $ kubectl apply -f deployment.yaml --record … $ kubectl rollout history deployments my-deployment deployments "ghost-recorded" REVISION CHANGE-CAUSE 1 kubectl apply -f deployment.yaml --record 2 kubectl edit deployments my-deployment 3 kubectl set image deployment/my-deplyoment my-container=app:2.0
- 30. Google Cloud Platform 30 Use plenty of descriptive labels
- 31. 31Google Cloud Platform apiVersion: extensions/v1beta1 kind: Deployment metadata: name: web spec: replicas: 12 template: metadata: labels: name: web color: blue experimental: 'true' Labels
- 32. 32Google Cloud Platform App: Nifty Phase: Dev Role: FE App: Nifty Phase: Test Role: FE App: Nifty Phase: Dev Role: BE App: Nifty Phase: Test Role: BE Labels
- 33. 33Google Cloud Platform App: Nifty Phase: Dev Role: FE App: Nifty Phase: Test Role: FE App: Nifty Phase: Dev Role: BE App: Nifty Phase: Test Role: BE Labels App = Nifty
- 34. 34Google Cloud Platform App: Nifty Phase: Dev Role: FE App: Nifty Phase: Test Role: FE App: Nifty Phase: Dev Role: BE App: Nifty Phase: Test Role: BE Labels Role = BE
- 35. 35Google Cloud Platform App: Nifty Phase: Dev Role: FE App: Nifty Phase: Test Role: FE App: Nifty Phase: Dev Role: BE App: Nifty Phase: Test Role: BE Labels Phase = Dev
- 36. 36Google Cloud Platform App: Nifty Phase: Dev Role: FE App: Nifty Phase: Test Role: FE App: Nifty Phase: Dev Role: BE App: Nifty Phase: Test Role: BE Labels Phase = Dev Role = FE
- 37. Google Cloud Platform 37 Use sidecar containers for proxies, watchers, etc
- 38. 38Google Cloud Platform Examples App Database localhost App App Proxy Proxy Proxy secure connection
- 39. 39Google Cloud Platform Auth, Rate Limiting, etc. Examples App Incoming Requests localhost App App Proxy Proxy Proxy
- 40. Google Cloud Platform 40 Don’t use sidecars for bootstrapping!
- 41. Google Cloud Platform 41 Use init containers instead!
- 42. 42Google Cloud Platform apiVersion: v1 kind: Pod metadata: name: awesomeapp-pod labels: app: awesomeapp annotations: pod.beta.kubernetes.io/init-containers: '[ { "name": "init-myapp", "image": "busybox", "command": ["sh", "-c", "until nslookup myapp; do echo waiting for myapp; sleep 2; done;"] }, { "name": "init-mydb", "image": "busybox", "command": ["sh", "-c", "until nslookup mydb; do echo waiting for mydb; sleep 2; done;"] } ]' spec: containers: - name: awesomeapp-container image: busybox command: ['sh', '-c', 'echo The app is running! && sleep 3600']
- 43. Google Cloud Platform 43 Don’t use :latest or no tag
- 44. Google Cloud Platform 44 Readiness and Liveness probes are your friend
- 45. 45Google Cloud Platform Readiness → Is the app ready to start serving traffic? ● Won’t be added to a service endpoint until it passes ● Required for a “production app” in my opinion Liveness → Is the app still running? ● Default is “process is running” ● Possible that the process can be running but not working correctly ● Good to define, might not be 100% necessary These can sometimes be the same endpoint, but not always Health Checks
- 46. Services
- 47. Google Cloud Platform 47 Don’t always use type: LoadBalancer
- 48. Google Cloud Platform 48 Ingress is great
- 49. 49Google Cloud Platform Ingress Service 1 Service 2 Service 3 websocket.mydomain.com mydomain.com /foo /bar
- 50. Google Cloud Platform 50 type: NodePort can be “good enough”
- 51. Google Cloud Platform 51 Use Static IPs. They are free* !
- 52. 52Google Cloud Platform apiVersion: v1 kind: Service metadata: name: myservice spec: type: LoadBalancer loadBalancerIP: QQQ.ZZZ.YYY.XXX ports: - port: 80 targetPort: 3000 protocol: TCP selector: name: myapp $ gcloud compute addresses create ingress --global … $ gcloud compute addresses create myservice --region=us-west1 Created … address: QQQ.ZZZ.YYY.XXX … $ apiVersion: extensions/v1beta1 kind: Ingress metadata: name: myingress annotations: kubernetes.io/ingress.global-static-ip-name: "ingress" spec: backend: serviceName: myservice servicePort: 80
- 53. Google Cloud Platform 53 Map external services to internal ones
- 54. 54Google Cloud Platform External Services kind: Service apiVersion: v1 metadata: name: mydatabase namespace: prod spec: type: ExternalName externalName : my.database.example.com ports: - port: 12345 kind: Service apiVersion: v1 metadata: name: mydatabase spec: ports: - protocol: TCP port: 80 targetPort: 12345 kind: Endpoints apiVersion: v1 metadata: name: mydatabase subsets: - addresses: - ip: 10.128.0.2 ports: - port: 12345 Hosted Database Database outside cluster but inside network
- 55. Application Architecture
- 56. Google Cloud Platform 56 Use Helm Charts
- 57. Google Cloud Platform 57 ALL downstream dependencies are unreliable
- 58. Google Cloud Platform 58 Make sure your microservices aren’t too micro
- 59. Google Cloud Platform 59 Use a “Service Mesh”
- 60. 60Google Cloud Platform https://github.com/istio/istio https://github.com/linkerd/linkerd
- 61. Google Cloud Platform 61 Use a PaaS?
- 62. 62Google Cloud Platform
- 63. Cluster Management
- 64. Google Cloud Platform 64 Use Google Container Engine
- 65. Google Cloud Platform 65 Resources, Anti-Affinity, and Scheduling
- 66. 66Google Cloud Platform Node Affinity hostname zone region instance-type os arch custom!
- 67. 67Google Cloud Platform Node Taints / Tolerations special hardware dedicated hosts etc
- 68. 68Google Cloud Platform Pod Affinity / Anti-Affinity hostname zone region
- 69. Google Cloud Platform 69 Use Namespaces to split up your cluster
- 70. Google Cloud Platform 70 Role Based Access Control
- 71. Google Cloud Platform 71 Unleash the Chaos Monkey
- 72. 72Google Cloud Platform More Resources ● http://blog.kubernetes.io/2016/08/security-best-practices-kubernetes-deployment.html ● https://github.com/gravitational/workshop/blob/master/k8sprod.md ● https://nodesource.com/blog/8-protips-to-start-killing-it-when-dockerizing-node-js/ ● https://www.ianlewis.org/en/using-kubernetes-health-checks ● https://www.linux.com/learn/rolling-updates-and-rollbacks-using-kubernetes-deployments ● https://kubernetes.io/docs/api-reference/v1.6/
- 73. Questions? What best practices do you have?
