Best practices for using Kubernetes in production
Sreenivas Makam
August 2, 2020
About myself
● Application modernization specialist at Google Cloud. Previously at Cisco and a few startups
● Interest areas - Containers, Kubernetes, Networking, Cloud native technologies
● Author of “Mastering CoreOS”, published 2016. Reviewed many technology books
● Docker Captain from Oct 15 - Mar 18
● Active blogger and Community speaker
Agenda
● What is Kubernetes?
● What makes Kubernetes unique?
● Kubernetes day 2 operations
○ Cluster Management
○ Application Design
○ Security
● Kubernetes ecosystem and tools
What is Kubernetes?
What is Kubernetes
Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation.
https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/
Kubernetes market share
https://sysdig.com/blog/sysdig-2019-container-usage-report/
Kubernetes Architecture
https://kubernetes.io/docs/concepts/overview/components/
What makes Kubernetes unique?
Kubernetes Uniqueness
● Declarative rather than imperative
● Extensible - custom resources, controllers, schedulers
● Meet the user where they are (e.g. read config and secrets from applications)
● Decouple distributed system application development
● Open source ecosystem friendly
Borrowed from: https://www.digitalocean.com/community/tutorials/imperative-vs-declarative-kubernetes-management-a-digitalocean-comic
Kubernetes extensions
● Custom authorization, admission control
● Custom resource (operator pattern, eg: etcd, prometheus)
● Custom scheduler
● Custom controller, works with custom resource
● Network plugin
● Storage plugin
● Extend kubectl
Kubernetes controller
Diagram: a controller (standard or custom; standard eg: Replica set controller, Deployment controller) talks to the API server, reads the desired state of standard Kubernetes resources and drives the current state towards it.
Extensions - Kubernetes Operator
Diagram: a Kubernetes operator (eg: prometheus, etcd, Spark, Airflow) talks to the API server, reads the desired state of custom resources and drives the current state towards it.
Operators manage the lifecycle of the custom application
Prometheus Operator: https://coreos.com/blog/the-prometheus-operator.html
Meet user where they are - Consume secrets in App

Use mount paths:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
```

Use environment variables:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    env:
    - name: SECRET_USERNAME
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: username
    - name: SECRET_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: password
  restartPolicy: Never
```

Applications can consume config/secrets without knowledge of Kubernetes
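The two manifests show how a Secret reaches the container; the Python below, added here as an example and not part of the deck, is the consuming side. It reads a key from the mounted directory first and falls back to the environment variable, and it re-reads the file on every call because kubelet refreshes a mounted Secret volume when the Secret changes while environment variables stay fixed for the life of the container. The directory /etc/foo, the key names username/password and the SECRET_<KEY> variable names are taken from the manifests; the function names are this example's own.

```python
import os
from pathlib import Path
from typing import Mapping, Optional

# Assumed layout, matching the two manifests on the slide: the Secret
# `mysecret` is mounted at /etc/foo (one file per key) and/or exported as
# SECRET_<KEY> environment variables.  No Kubernetes client is involved.
DEFAULT_SECRET_DIR = Path("/etc/foo")


def read_secret(key: str,
                secret_dir: Path = DEFAULT_SECRET_DIR,
                env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Return the value of secret `key`, or None if it is not provided.

    The mounted file wins and is re-read on every call: kubelet refreshes
    Secret volumes when the Secret object changes, whereas environment
    variables are frozen at container start, so a rotated credential is only
    picked up through the file path.
    """
    env = os.environ if env is None else env
    path = secret_dir / key
    if path.is_file():
        # The file holds the raw value; strip trailing newlines that
        # `kubectl create secret generic --from-file` keeps when the source
        # file was saved by an editor that appends one.
        return path.read_text(encoding="utf-8").rstrip("\n")
    return env.get(f"SECRET_{key.upper()}")


def db_credentials(secret_dir: Path = DEFAULT_SECRET_DIR,
                   env: Optional[Mapping[str, str]] = None) -> dict:
    """Assemble the username/password pair the redis-style app above needs,
    failing loudly at startup rather than connecting with a missing value."""
    creds = {k: read_secret(k, secret_dir, env) for k in ("username", "password")}
    missing = [k for k, v in creds.items() if v is None]
    if missing:
        raise RuntimeError(f"secret keys not provided: {', '.join(missing)}")
    return creds
```

Mounting with `readOnly: true`, as the first manifest does, keeps the application from ever writing to the secret directory; the reader above only needs read access.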
Decouple distributed system - Storage provisioning
Kubernetes provides portability by decoupling infrastructure (Storage, networking) from the application manifest
https://itnext.io/tutorial-basics-of-kubernetes-volumes-part-2-b2ea6f397402
Pod patterns - Init Containers
Execution sequence within the Pod: Init container (Clone git repo and generate config) runs first, then the App container (Web server).
Specialized containers that run to completion before application containers in a pod can get started. This enforces sequence.
Pod patterns - Sidecar
Sidecar containers extend and enhance the “main” container
Other examples: Istio envoy proxy, Monitoring, Database config
Pod patterns - Adapter
Adapter containers standardize and normalize output so that external services can access the interface in a standard way (eg: Prometheus adapter)
Pod patterns - Ambassador
Ambassador containers proxy a local connection to the world and hide the complexity of accessing an external service.
Examples: Accessing different kinds of cache based on environment; Client side service discovery using different mechanisms
Map Twelve factor apps to Kubernetes
● Single app defined using Dockerfile and multiple apps done using deployment
● Config map and secrets
● Service abstraction and discovery
● Stateless containers, stateful dataset where needed
● Services provide different options for port bindings
● Autoscaler support is comprehensive
● Centralized log management with third party integrations possible
● Autohealing
● Many ways to create and manage clusters (cloud provider, kops, kubeadm)
Kubernetes day 2 Operations
Kubernetes Day 2 operations - Best practices
● Cluster management
○ Multi-tenant design (clusters/namespaces, multi-cluster handling, zonal/regional), Upgrade policy (node and containers, pod disruption budget), Ingress (load balancers), External service access policy (db, cache etc)
● Application design
○ Pod design (using pod design patterns), Lifecycle (health check, graceful termination), Scaling (resource request, autoscaling), Application types (stateful/stateless/batch/Big Data/ML), Service mesh
● Security
○ Access control (rbac), Image validation (binary authorization, vulnerability scanning), Secure clusters (private cluster, firewall)
Kubernetes day 2 Operations
Cluster management
Use Namespaces and RBAC for isolation
https://cloud.google.com/solutions/prep-kubernetes-engine-for-prod
Multicluster handling
Need for multiple clusters - Different applications, teams, environments, regions
● Central policy management using Anthos config management (ACM)
● Proximity based cluster routing
4-way Autoscaling in GKE
Workload:
● HPA - Autoscales pool of workers on custom metrics
● VPA - Recommends podspec, actuates the adjustment
Infrastructure:
● CA - Scale Nodepools
● NAP - Create right nodes for the job; gate changes by HPA + NAP
Kubernetes day 2 Operations
Application design
Readiness and Liveness probe
https://cloud.google.com/blog/products/gcp/kubernetes-best-practices-setting-up-health-checks-with-readiness-and-liveness-probes
Graceful shutdown handling
Best practices
● Have a handler for PreStop hooks or SIGTERM and handle shutdown gracefully
● Keep readiness check interval aggressive
● Have client retry failed requests
https://dzone.com/articles/kubernetes-lifecycle-of-a-pod
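A shutdown handler that follows the three points above, added here as an example (it is not code from the deck): on SIGTERM the readiness endpoint flips to 503 first so the pod is pulled out of the Service, new requests are refused so the client retries, and in-flight work is drained within a grace period that stands in for the pod's terminationGracePeriodSeconds. Class and function names are this example's own.

```python
import signal
import threading
import time


class GracefulApp:
    """Request-handling skeleton with Kubernetes-friendly shutdown.

    Sequence on SIGTERM (or a preStop hook that signals the process):
      1. begin_shutdown(): report not-ready so the readiness probe fails and
         the endpoint is removed from Service load balancing; refuse new work
         (the client retries, as the slide recommends);
      2. drain(): wait for in-flight requests to finish, bounded by the pod's
         terminationGracePeriodSeconds (drain_timeout here);
      3. exit.
    """

    def __init__(self, drain_timeout: float = 5.0) -> None:
        self.drain_timeout = drain_timeout
        self.ready = True                # what the readiness endpoint reports
        self.shutting_down = False
        self.in_flight = 0
        self.completed = 0
        self._lock = threading.Lock()
        self._idle = threading.Event()   # set whenever in_flight == 0
        self._idle.set()

    def readiness(self) -> int:
        """HTTP status the readiness probe handler would answer with."""
        return 200 if self.ready else 503

    def handle_request(self, work_seconds: float = 0.0) -> bool:
        """Serve one request; False means it was refused because we are draining."""
        with self._lock:
            if self.shutting_down:
                return False
            self.in_flight += 1
            self._idle.clear()
        try:
            time.sleep(work_seconds)     # stands in for the real request work
            return True
        finally:
            with self._lock:
                self.in_flight -= 1
                self.completed += 1
                if self.in_flight == 0:
                    self._idle.set()

    def begin_shutdown(self, *_signal_args) -> None:
        """Signal handler: flip readiness first, then stop accepting work."""
        self.ready = False
        with self._lock:
            self.shutting_down = True

    def drain(self) -> bool:
        """Block until in-flight requests finish; False if the grace period ran out."""
        return self._idle.wait(timeout=self.drain_timeout)

    def install_signal_handler(self) -> None:
        signal.signal(signal.SIGTERM, self.begin_shutdown)


def simulate_sigterm(work_seconds: float, drain_timeout: float) -> dict:
    """Start one long request, deliver a shutdown while it runs, report what happened."""
    app = GracefulApp(drain_timeout=drain_timeout)
    worker = threading.Thread(target=app.handle_request, args=(work_seconds,))
    worker.start()
    time.sleep(0.1)                      # let the request become in-flight
    before = app.readiness()
    app.begin_shutdown()                 # what SIGTERM would trigger
    refused = not app.handle_request()   # a request arriving during drain
    drained = app.drain()
    worker.join()
    return {"ready_before": before, "ready_after": app.readiness(),
            "refused_new": refused, "drained_in_time": drained,
            "completed": app.completed}
```

The second slide point matters here: endpoint removal only happens once the readiness probe has actually failed, so a short `periodSeconds` on the readiness probe shortens the window in which the Service still routes traffic to a pod that is draining.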
Big Data on Kubernetes
● Kubernetes as a replacement for YARN for Big data workloads
● Spark and Flink operators for Kubernetes are available as beta
● Dataproc on GKE is available as beta
● Advantages
○ Single orchestrator for applications and Big Data
○ Better use of cluster resources
○ Big Data application dependency handled through containers
○ Use Kubernetes ecosystem for Big Data
ML workloads with Kubeflow
● Deploying and managing ML models at scale using Kubernetes
● Build, train and serve models
● Components - Notebooks, UI, training, Serving, Pipelines
● Multiple frameworks supported for training as well as serving
● Advantages
○ Portable ML pipelines
○ Best of Kubernetes features used for Machine learning
Kubernetes day 2 Operations
Security
Private Clusters in GKE
Secure Image pipeline
Kubernetes Network policies
Topology Defined with Network Policy API:
● A first-class Kubernetes API
● Defines allowed traffic patterns
How does it work:
● K8s defines the API.
● User applies a policy.
● Network policy agents watch and enforce.
● Restricts pod to pod traffic.
Diagram: policy.yaml is applied to the K8s master and stored in etcd; the policy agent on each K8s node enforces it for the Frontend, Service A and Service B pods.

policy.yaml:

```yaml
spec:
  podSelector:
    matchLabels:
      run: nginx
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: access
```
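To make the ingress semantics of that policy concrete, the following Python evaluator is added here as an example; it is not from the deck and not a real policy agent. It mirrors the slide's policy.yaml as a dict, adds a constructed namespace default-deny policy, and computes which of the pictured pods (Frontend, nginx, Service A, Service B) may reach which. The pod labels are assumptions for the example; only same-namespace podSelector peers are modelled.

```python
from typing import Dict, List, Mapping

Labels = Mapping[str, str]

# Constructed policy (this example's own), mirroring the slide's policy.yaml:
# pods labelled run=nginx accept ingress only from pods labelled run=access.
ALLOW_ACCESS_TO_NGINX = {
    "metadata": {"name": "allow-access-to-nginx", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"run": "nginx"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"run": "access"}}}]}],
    },
}

# An empty podSelector selects every pod in the namespace; with no ingress
# rules the selected pods accept nothing: the usual namespace default-deny.
DEFAULT_DENY_INGRESS = {
    "metadata": {"name": "default-deny-ingress", "namespace": "default"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": []},
}

# Assumed labels for the pods in the diagram.
PODS: Dict[str, Labels] = {
    "frontend": {"run": "access"},
    "nginx": {"run": "nginx"},
    "service-a": {"run": "service-a"},
    "service-b": {"run": "service-b"},
}


def selects(selector: dict, labels: Labels) -> bool:
    """matchLabels semantics: every listed key/value must match; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies: List[dict], src: Labels, dst: Labels,
                    namespace: str = "default") -> bool:
    """Is traffic from a pod labelled `src` to a pod labelled `dst` allowed?

    Core NetworkPolicy ingress rules (namespaceSelector, ipBlock, ports omitted):
      - a pod selected by no Ingress policy accepts traffic from anyone;
      - once any Ingress policy selects it, only traffic matching a `from`
        peer of some selecting policy gets through (policies are additive);
      - a rule without `from` allows every source; `ingress: []` allows none.
    """
    applicable = [
        p for p in policies
        if p["metadata"].get("namespace", "default") == namespace
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selects(p["spec"].get("podSelector", {}), dst)
    ]
    if not applicable:
        return True
    for policy in applicable:
        for rule in policy["spec"].get("ingress") or []:
            peers = rule.get("from")
            if not peers:
                return True
            for peer in peers:
                sel = peer.get("podSelector")
                if sel is not None and selects(sel, src):
                    return True
    return False


def reachability(policies: List[dict], pods: Dict[str, Labels]) -> Dict[str, List[str]]:
    """For each pod name, the sorted names of other pods that may reach it."""
    return {
        dst: sorted(src for src in pods
                    if src != dst and ingress_allowed(policies, pods[src], pods[dst]))
        for dst in pods
    }
```

Running `reachability` with only the slide's policy shows the trap the default-deny policy closes: nginx is locked down to the frontend, but Service A and Service B, selected by no policy, still accept traffic from every pod in the namespace.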
Kubernetes ecosystem and Tools
Kubernetes ecosystem
● CI/CD (Tekton, Argo)
● Monitoring (Prometheus)
● Logging (Fluentd)
● Service Mesh (Istio, Linkerd)
● Packaging (Helm, kpt)
● Infra (Network, storage plugin)
● Service Discovery (CoreDNS)
● Serverless (knative, Virtual kubelet)
● ML (Kubeflow)
● Registry (Harbor)
● Security (Falco, Open policy)
● VM (Kubevirt, Config connector)
Kubernetes tools (my favorites)
● Helpers: kubectx, kubens
● Config Mgmt: Kustomize
● Pkg Mgmt: Helm
● Build: Dockerfile, Kaniko, Jib
● CI/CD: Skaffold
● IDE: Cloud Code for VS Code
Practical Experiences
● Networking and security for clusters have to be pre-planned. These cannot be changed later.
● Plan IP addresses beforehand. Kubernetes needs a lot of addresses (Node, Pod, Service)
● Use managed services when possible
● Keep separate environments for Dev, staging and production
● Isolate helper applications (CI/CD, Monitoring) from primary workloads
● Start with stateless workloads and then expand to stateful, big data and ML
● Invest in monitoring/logging/secret management solutions
● Backup and DR are important for Kubernetes
● Make sure that every container has resource requests
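For the last point, a small manifest check added here as an example (not the deck's code): it walks a Pod or a Deployment-style workload and reports containers without CPU and memory requests and, tying in the readiness/liveness advice from the application design section, application containers without probes. Such a check belongs in CI before `kubectl apply`. The two manifests are constructed for the example, in the dict form a YAML loader would return.

```python
from typing import List

# Constructed manifests (this example's own).  GOOD follows the slide's
# advice; BAD is the slide's redis Pod with nothing added.
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "web", "image": "nginx:1.19",
        "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                      "limits": {"memory": "256Mi"}},
        "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
        "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
    }]}}},
}

BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "mypod"},
    "spec": {"containers": [{"name": "mypod", "image": "redis"}]},
}


def pod_spec(manifest: dict) -> dict:
    """Locate the pod spec: directly for a Pod, under spec.template for
    Deployment, StatefulSet, DaemonSet and Job."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def _missing_requests(where: str, container: dict) -> List[str]:
    # A container with no requests is scheduled as BestEffort: it can land on
    # a full node and is the first to be evicted under memory pressure.
    requests = container.get("resources", {}).get("requests", {})
    return [f"{where}: no resources.requests.{res}"
            for res in ("cpu", "memory") if res not in requests]


def _missing_probes(where: str, container: dict) -> List[str]:
    return [f"{where}: no {probe}"
            for probe in ("readinessProbe", "livenessProbe") if probe not in container]


def check_workload(manifest: dict) -> List[str]:
    """Return one finding per missing request or probe; an empty list is clean."""
    findings: List[str] = []
    kind = manifest.get("kind", "<unknown>")
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = pod_spec(manifest)
    # Init containers run to completion, so they need requests but not probes.
    for c in spec.get("initContainers", []):
        findings += _missing_requests(f"{kind}/{name} initContainer {c.get('name', '<unnamed>')}", c)
    for c in spec.get("containers", []):
        where = f"{kind}/{name} container {c.get('name', '<unnamed>')}"
        findings += _missing_requests(where, c)
        findings += _missing_probes(where, c)
    return findings
```

Loading real files only needs `yaml.safe_load_all` from PyYAML in front of `check_workload`; the check itself is deliberately independent of the loader.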
References
● Kubernetes design principles video
● Kubernetes patterns video
● Kubernetes patterns slides
● Building Cloud native applications with Kubernetes and Istio - Kelsey
● Designing cloud native applications
● Extending Kubernetes