Kubernetes Best Practices: Blueprints for Building Successful Applications on Kubernetes, 2nd Edition (Third Early Release)
9781492056478, 9781098142117
In this practical guide, four Kubernetes professionals with deep experience in distributed systems, enterprise applicati
English
Pages 287
Year 2023
Table of contents:
1. Setting Up a Basic Service
Application Overview
Managing Configuration Files
Creating a Replicated Service Using Deployments
Best Practices for Image Management
Creating a Replicated Application
Setting Up an External Ingress for HTTP Traffic
Configuring an Application with ConfigMaps
Managing Authentication with Secrets
Deploying a Simple Stateful Database
Creating a TCP Load Balancer by Using Services
Using Ingress to Route Traffic to a Static File Server
Parameterizing Your Application by Using Helm
Deploying Services Best Practices
Summary
2. Developer Workflows
Goals
Building a Development Cluster
Setting Up a Shared Cluster for Multiple Developers
Onboarding Users
Creating and Securing a Namespace
Managing Namespaces
Cluster-Level Services
Enabling Developer Workflows
Initial Setup
Enabling Active Development
Enabling Testing and Debugging
Setting Up a Development Environment Best Practices
Summary
3. Monitoring and Logging in Kubernetes
Metrics Versus Logs
Monitoring Techniques
Monitoring Patterns
Kubernetes Metrics Overview
cAdvisor
Metrics Server
kube-state-metrics
What Metrics Do I Monitor?
Monitoring Tools
Monitoring Kubernetes Using Prometheus
Logging Overview
Tools for Logging
Logging by Using a Loki-Stack
Alerting
Best Practices for Monitoring, Logging, and Alerting
Monitoring
Logging
Alerting
Summary
4. Configuration, Secrets, and RBAC
Configuration Through ConfigMaps and Secrets
ConfigMaps
Secrets
Common Best Practices for the ConfigMap and Secrets APIs
Best practices specific to secrets
RBAC
RBAC Primer
Subjects
Rules
Roles
RoleBindings
RBAC Best Practices
Summary
5. Continuous Integration, Testing, and Deployment
Version Control
Continuous Integration
Testing
Container Builds
Container Image Tagging
Continuous Deployment
Deployment Strategies
Testing in Production
Setting Up a Pipeline and Performing a Chaos Experiment
Setting Up CI
Setting Up CD
Performing a Rolling Upgrade
A Simple Chaos Experiment
Best Practices for CI/CD
Summary
6. Versioning, Releases, and Rollouts
Versioning
Releases
Rollouts
Putting It All Together
Best Practices for Versioning, Releases, and Rollouts
Summary
7. Worldwide Application Distribution and Staging
Distributing Your Image
Parameterizing Your Deployment
Load-Balancing Traffic Around the World
Reliably Rolling Out Software Around the World
Pre-Rollout Validation
Canary Region
Identifying Region Types
Constructing a Global Rollout
When Something Goes Wrong
Worldwide Rollout Best Practices
Summary
8. Networking, Network Security, and Service Mesh
Kubernetes Network Principles
Network Plug-ins
Kubenet
Kubenet Best Practices
The CNI Plug-in
CNI Best Practices
Services in Kubernetes
Service Type ClusterIP
Service Type NodePort
Service Type ExternalName
Service Type LoadBalancer
Ingress and Ingress Controllers
Gateway API
Services and Ingress Controllers Best Practices
Network Security Policy
Network Policy Best Practices
Service Meshes
Service Mesh Best Practices
Summary
9. Policy and Governance for Your Cluster
Why Policy and Governance Are Important
How Is This Policy Different?
Cloud-Native Policy Engine
Introducing Gatekeeper
Example Policies
Gatekeeper Terminology
Constraint
Rego
Constraint template
Defining Constraint Templates
Defining Constraints
Data Replication
UX
Using Enforcement Action and Audit
Mutation
Testing Policies
Becoming Familiar with Gatekeeper
Policy and Governance Best Practices
Summary
10. Admission Control and Authorization
Admission Control
What Are They?
Why Are They Important?
Admission Controller Types
Configuring Admission Webhooks
Admission Control Best Practices
Admission plug-in ordering doesn’t matter
Don’t mutate the same fields
Mutating admission webhooks must be idempotent
Fail open/fail closed
Admission webhooks must respond quickly
Always deploy in a separate namespace use NamespaceSelector
Don’t touch the kube-system namespace
Lock down admission webhook configurations with RBAC
Don’t send sensitive data
Authorization
Authorization Modules
ABAC
RBAC
Webhook
Authorization Best Practices
Don’t use ABAC on multi control plane clusters
Don’t use webhook modules
Summary