SlideShare a Scribd company logo

Best practises for using Kubernetes and GKE in production

Sreenivas Makam
Sreenivas Makam

Kubernetes has become the de facto Container orchestration platform over the last few years. For all the power and the scale that Kubernetes provides, it's still a complex platform to configure and manage. Managed Kubernetes service like GKE takes a lot of the pain out in managing Kubernetes. When we are using Kubernetes in production, it makes sense to follow the best practises around distributed system development targeted towards Kubernetes. In this session, I will talk about Kubernetes and GKE best practices around infrastructure, security and applications with specific focus on day-2 operations.

Technology
1 of 41
Download to read offline
Best practises for using Kubernetes in production Sreenivas Makam August 2, 2020
About myself ● Application modernization specialist at Google Cloud. Previously at Cisco and few startups ● Interest areas - Containers, Kubernetes, Networking, Cloud native technologies ● Author of “Mastering CoreOS”, published 2016. Reviewed many technology books ● Docker Captain from Oct 15 - Mar 18 ● Active blogger and Community speaker
Agenda ● What is Kubernetes? ● What makes Kubernetes unique? ● Kubernetes day 2 operations ○ Cluster Management ○ Application Design ○ Security ● Kubernetes ecosystem and tools
What is Kubernetes?
What is Kubernetes Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/
Kubernetes market share https://sysdig.com/blog/sysdig-2019-container-usage-report/
https://kubernetes.io/docs/concepts/overview/components/ Kubernetes Architecture
What makes Kubernetes unique?
Kubernetes Uniqueness ● Declarative rather than imperative ● Extensible - custom resource, controllers, schedulers ● Meet the user where they are - (eg) read config, secrets from applications ● Decouple distributed system application development ● Open source ecosystem friendly
Borrowed from: https://www.digitalocean.com/communit y/tutorials/imperative-vs-declarative-ku bernetes-management-a-digitalocean-c omic
Custom authorization , admission control Custom resource(operator pattern. eg: etcd, prometheus) Custom scheduler Custom controller, works with custom resource Network plugin Storage plugin Extend kubectl Kubernetes extensions
Controller(Standard, custom) (Standard eg: Replica set controller, Deployment controller) API server Standard Kubernetes resources Desired State Current State Kubernetes controller
Kubernetes operator (eg: prometheus, etcd, Spark, Airflow) API server Custom resources Desired State Current State Operators manage the lifecycle of the custom application Extensions -Kubernetes Operator
https://coreos.com/blog/the-prometheus-operator.html Prometheus Operator
apiVersion: v1 kind: Pod metadata: name: mypod spec: containers: - name: mypod image: redis volumeMounts: - name: foo mountPath: "/etc/foo" readOnly: true volumes: - name: foo secret: secretName: mysecret apiVersion: v1 kind: Pod metadata: name: secret-env-pod spec: containers: - name: mycontainer image: redis env: - name: SECRET_USERNAME valueFrom: secretKeyRef: name: mysecret key: username - name: SECRET_PASSWORD valueFrom: secretKeyRef: name: mysecret key: password restartPolicy: Never Use Mount paths Use environment variables Applications can consume config/secrets without knowledge of Kubernetes Meet user where they are -Consume secrets in App
https://itnext.io/tutorial-basics-of-kubernetes-volumes-part-2-b2ea6f397402 Kubernetes provides portability by decoupling infrastructure(Storage, networking) from the application manifest Decouple distributed system -Storage provisioning
Init container (Clone git repo and generate config) App container (Web server) Pod Execution sequence Specialized containers that runs to completion before application containers in a pod can get started. This enforces sequence. Pod patterns -Init Containers
Pod patterns -Sidecar Sidecar containers extend and enhance the “main” container Other examples: Istio envoy proxy Monitoring Database config
Pod patterns -Adapter Adapter containers standardize and normalize output so that external services can access interface in a standard way(eg: Prometheus adapter)
Pod patterns - Ambassador Ambassador containers proxies a local connection to the world and hides the complexity to access external service. Examples: Accessing different kinds of cache based on environment Client side service discovery using different mechanisms
Single app defined using Dockerfile and multiple apps done using deployment Config map and secrets Service abstraction and discovery Stateless containers, stateful dataset where needed Services provides different options for port bindings Autoscaler support is comprehensive Centralized log management with third party integrations possible Autohealing Many ways to create and manage clusters(cloud provider, kops, kubeadm) Map Twelve factor apps to Kubernetes
Kubernetes day 2 Operations
Kubernetes Day 2 operations -Best practises ● Cluster management ○ Multi-tenant design(clusters/namespaces, multi-cluster handling, zonal/regional), Upgrade policy(node and containers, pod disruption budget), Ingress(load balancers), External service access policy(db, cache etc) ● Application design ○ Pod design(using pod design patterns), Lifecycle(health check, graceful termination), Scaling(resource request, autoscaling), Application types(stateful/stateless/batch/Big Data/ML), Service mesh ● Security ○ Access control(rbac), Image validation(binary authorization, vulnerability scanning), Secure clusters(private cluster, firewall)
Kubernetes day 2 Operations Cluster management
Use Namespaces and RBAC for isolation https://cloud.google.com/solutions/prep-kubernetes-engine-for-prod
Multicluster handling Need for multiple clusters - Different applications, teams, environments, regions Central policy management using Anthos config management(ACM) Proximity based cluster routing
4 wayAutoscaling in GKE HPA Autoscales pool of workers on custom metrics VPA Recommends podspec Actuates the adjustment CA NAP+ Scale Nodepools Create right nodes for the job Gate changes by HPA + NAP Workload Infrastructure
Kubernetes day 2 Operations Application design
Readiness and Liveness probe https://cloud.google.com/blog/products/gcp/k ubernetes-best-practices-setting-up-health-ch ecks-with-readiness-and-liveness-probes
Graceful shutdown handling Best practises ● Have handler for Prestop hooks or SIGTERM and handle shutdown gracefully ● Keep readiness check interval aggressive ● Have client retry failed requests https://dzone.com/articles/kubernetes-lifecycle-of-a-pod
Big Data on Kubernetes ● Kubernetes as a replacement for YARN for Big data workloads ● Spark and Flink operators for Kubernetes are available as beta ● Dataproc on GKE is available as beta ● Advantages ○ Single orchestrator for applications and Big Data ○ Better use of cluster resources ○ Big Data application dependency handled through containers ○ Use Kubernetes ecosystem for Big Data
MLworkloads with Kubeflow ● Deploying and managing ML models at scale using Kubernetes ● Build, train and serve models ● Components - Notebooks, UI, training, Serving, Pipelines ● Multiple frameworks supported for training as well as serving ● Advantages ○ Portable ML pipelines ○ Best of Kubernetes features used for Machine learning
Kubernetes day 2 Operations Security
Private Clusters in GKE
Secure Image pipeline
Kubernetes Network policies Topology Defined with Network Policy API: ● A first-class Kubernetes API ● Defines allowed traffic patterns How does it work: ● K8s defines the API. ● User applies a policy. ● Network policy agents watch and enforce. ● Restricts pod to pod traffic. K8sMaster etcd policy.yaml spec: podSelector: matchLabels: run: nginx ingress: - from: - podSelector: matchLabels: run: access Frontend Service A Service B Policy Agent K8sNode
Kubernetes ecosystem and Tools
Kubernetes ecosystem CI/CD (Tekton, Argo) Monitoring (Prometheus) Logging (Fluentd) Service Mesh (Istio, Linkerd) Packaging (Helm, kpt) Infra (Network, storage plugin) Service Discovery (CoreDNS) Serverless (knative, Virtual kubelet) ML (Kubeflow) Registry (Harbor) Security (Falco, Open policy) VM (Kubevirt, Config connector)
Helpers Kubectx kubens Config Mgmt Kustomize Pkg Mgmt Helm Build Dockerfile Kaniko Jib CI/CD Skaffold IDE Cloud code for VSCODE Kubernetes tools(my favorites)
Practical Experiences ● Networking and security for clusters has to be pre-planned. These cannot be changed later. ● Plan IP addresses before-hand. Kubernetes needs lot of addresses(Node, Pod, Service) ● Use managed services when possible ● Keep separate environments for Dev, staging and production ● Isolate helper applications(CI/CD, Monitoring) from primary workloads ● Start with stateless workloads and then expand to stateful, big data and ML ● Invest in monitoring/logging/secret management solution ● Backup and DR is important for Kubernetes ● Make sure that every container has resource requests
References ● Kubernetes design principles video ● Kubernetes patterns video ● Kubernetes patterns slides ● Building Cloud native applications with Kubernetes and Istio - Kelsey ● Designing cloud native applications ● Extending Kubernetes

Recommended

GKE Tip Series - Usage Metering
GKE Tip Series - Usage MeteringGKE Tip Series - Usage Metering
GKE Tip Series - Usage Metering
Sreenivas Makam
 
GKE Tip Series how do i choose between gke standard, autopilot and cloud run
GKE Tip Series how do i choose between gke standard, autopilot and cloud run GKE Tip Series how do i choose between gke standard, autopilot and cloud run
GKE Tip Series how do i choose between gke standard, autopilot and cloud run
Sreenivas Makam
 
Kubernetes design principles, patterns and ecosystem
Kubernetes design principles, patterns and ecosystemKubernetes design principles, patterns and ecosystem
Kubernetes design principles, patterns and ecosystem
Sreenivas Makam
 
My kubernetes toolkit
My kubernetes toolkitMy kubernetes toolkit
My kubernetes toolkit
Sreenivas Makam
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKE
Sreenivas Makam
 
How Kubernetes helps Devops
How Kubernetes helps DevopsHow Kubernetes helps Devops
How Kubernetes helps Devops
Sreenivas Makam
 
Deep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingDeep dive into Kubernetes Networking
Deep dive into Kubernetes Networking
Sreenivas Makam
 
Docker Networking Tip - Load balancing options
Docker Networking Tip - Load balancing optionsDocker Networking Tip - Load balancing options
Docker Networking Tip - Load balancing options
Sreenivas Makam
 

Recommended

GKE Tip Series - Usage Metering
GKE Tip Series - Usage MeteringGKE Tip Series - Usage Metering
GKE Tip Series - Usage Metering
Sreenivas Makam
 
GKE Tip Series how do i choose between gke standard, autopilot and cloud run
GKE Tip Series how do i choose between gke standard, autopilot and cloud run GKE Tip Series how do i choose between gke standard, autopilot and cloud run
GKE Tip Series how do i choose between gke standard, autopilot and cloud run
Sreenivas Makam
 
Kubernetes design principles, patterns and ecosystem
Kubernetes design principles, patterns and ecosystemKubernetes design principles, patterns and ecosystem
Kubernetes design principles, patterns and ecosystem
Sreenivas Makam
 
My kubernetes toolkit
My kubernetes toolkitMy kubernetes toolkit
My kubernetes toolkit
Sreenivas Makam
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKE
Sreenivas Makam
 
How Kubernetes helps Devops
How Kubernetes helps DevopsHow Kubernetes helps Devops
How Kubernetes helps Devops
Sreenivas Makam
 
Deep dive into Kubernetes Networking
Deep dive into Kubernetes NetworkingDeep dive into Kubernetes Networking
Deep dive into Kubernetes Networking
Sreenivas Makam
 
Docker Networking Tip - Load balancing options
Docker Networking Tip - Load balancing optionsDocker Networking Tip - Load balancing options
Docker Networking Tip - Load balancing options
Sreenivas Makam
 
Docker Networking Tip - Macvlan driver
Docker Networking Tip - Macvlan driverDocker Networking Tip - Macvlan driver
Docker Networking Tip - Macvlan driver
Sreenivas Makam
 
Docker Networking Overview
Docker Networking OverviewDocker Networking Overview
Docker Networking Overview
Sreenivas Makam
 
Docker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting TechniquesDocker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting Techniques
Sreenivas Makam
 
Compare Docker deployment options in the public cloud
Compare Docker deployment options in the public cloudCompare Docker deployment options in the public cloud
Compare Docker deployment options in the public cloud
Sreenivas Makam
 
Docker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notesDocker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notes
Sreenivas Makam
 
Devops in Networking
Devops in NetworkingDevops in Networking
Devops in Networking
Sreenivas Makam
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam
 
Docker 1.11 Presentation
Docker 1.11 PresentationDocker 1.11 Presentation
Docker 1.11 Presentation
Sreenivas Makam
 
Service Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and KubernetesService Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and Kubernetes
Sreenivas Makam
 
CoreOS Overview and Current Status
CoreOS Overview and Current StatusCoreOS Overview and Current Status
CoreOS Overview and Current Status
Sreenivas Makam
 
Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with Sysdig
Sreenivas Makam
 
CI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and TutumCI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and Tutum
Sreenivas Makam
 
Docker 1.9 Feature Overview
Docker 1.9 Feature OverviewDocker 1.9 Feature Overview
Docker 1.9 Feature Overview
Sreenivas Makam
 
Docker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental NetworkingDocker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental Networking
Sreenivas Makam
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
Zilliz
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
apidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Zilliz
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
Khushali Kathiriya
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
DianaGray10
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

More Related Content

More from Sreenivas Makam

More from Sreenivas Makam (14)

Docker Networking Tip - Macvlan driver
Docker Networking Tip - Macvlan driverDocker Networking Tip - Macvlan driver
Docker Networking Tip - Macvlan driver
 
Docker Networking Overview
Docker Networking OverviewDocker Networking Overview
Docker Networking Overview
 
Docker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting TechniquesDocker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting Techniques
 
Compare Docker deployment options in the public cloud
Compare Docker deployment options in the public cloudCompare Docker deployment options in the public cloud
Compare Docker deployment options in the public cloud
 
Docker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notesDocker Mentorweek beginner workshop notes
Docker Mentorweek beginner workshop notes
 
Devops in Networking
Devops in NetworkingDevops in Networking
Devops in Networking
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
Docker 1.11 Presentation
Docker 1.11 PresentationDocker 1.11 Presentation
Docker 1.11 Presentation
 
Service Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and KubernetesService Discovery using etcd, Consul and Kubernetes
Service Discovery using etcd, Consul and Kubernetes
 
CoreOS Overview and Current Status
CoreOS Overview and Current StatusCoreOS Overview and Current Status
CoreOS Overview and Current Status
 
Container Monitoring with Sysdig
Container Monitoring with SysdigContainer Monitoring with Sysdig
Container Monitoring with Sysdig
 
CI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and TutumCI, CD with Docker, Jenkins and Tutum
CI, CD with Docker, Jenkins and Tutum
 
Docker 1.9 Feature Overview
Docker 1.9 Feature OverviewDocker 1.9 Feature Overview
Docker 1.9 Feature Overview
 
Docker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental NetworkingDocker Networking - Current Status and goals of Experimental Networking
Docker Networking - Current Status and goals of Experimental Networking
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 

Recently uploaded (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 

Best practises for using Kubernetes and GKE in production

  • 1. Best practises for using Kubernetes in production Sreenivas Makam August 2, 2020
  • 2. About myself ● Application modernization specialist at Google Cloud. Previously at Cisco and few startups ● Interest areas - Containers, Kubernetes, Networking, Cloud native technologies ● Author of “Mastering CoreOS”, published 2016. Reviewed many technology books ● Docker Captain from Oct 15 - Mar 18 ● Active blogger and Community speaker
  • 3. Agenda ● What is Kubernetes? ● What makes Kubernetes unique? ● Kubernetes day 2 operations ○ Cluster Management ○ Application Design ○ Security ● Kubernetes ecosystem and tools
  • 5. What is Kubernetes Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/
  • 9. Kubernetes Uniqueness ● Declarative rather than imperative ● Extensible - custom resource, controllers, schedulers ● Meet the user where they are - (eg) read config, secrets from applications ● Decouple distributed system application development ● Open source ecosystem friendly
  • 11. Custom authorization , admission control Custom resource(operator pattern. eg: etcd, prometheus) Custom scheduler Custom controller, works with custom resource Network plugin Storage plugin Extend kubectl Kubernetes extensions
  • 12. Controller(Standard, custom) (Standard eg: Replica set controller, Deployment controller) API server Standard Kubernetes resources Desired State Current State Kubernetes controller
  • 13. Kubernetes operator (eg: prometheus, etcd, Spark, Airflow) API server Custom resources Desired State Current State Operators manage the lifecycle of the custom application Extensions -Kubernetes Operator
  • 15. apiVersion: v1 kind: Pod metadata: name: mypod spec: containers: - name: mypod image: redis volumeMounts: - name: foo mountPath: "/etc/foo" readOnly: true volumes: - name: foo secret: secretName: mysecret apiVersion: v1 kind: Pod metadata: name: secret-env-pod spec: containers: - name: mycontainer image: redis env: - name: SECRET_USERNAME valueFrom: secretKeyRef: name: mysecret key: username - name: SECRET_PASSWORD valueFrom: secretKeyRef: name: mysecret key: password restartPolicy: Never Use Mount paths Use environment variables Applications can consume config/secrets without knowledge of Kubernetes Meet user where they are -Consume secrets in App
  • 16. https://itnext.io/tutorial-basics-of-kubernetes-volumes-part-2-b2ea6f397402 Kubernetes provides portability by decoupling infrastructure(Storage, networking) from the application manifest Decouple distributed system -Storage provisioning
  • 17. Init container (Clone git repo and generate config) App container (Web server) Pod Execution sequence Specialized containers that runs to completion before application containers in a pod can get started. This enforces sequence. Pod patterns -Init Containers
  • 18. Pod patterns -Sidecar Sidecar containers extend and enhance the “main” container Other examples: Istio envoy proxy Monitoring Database config
  • 19. Pod patterns -Adapter Adapter containers standardize and normalize output so that external services can access interface in a standard way(eg: Prometheus adapter)
  • 20. Pod patterns - Ambassador Ambassador containers proxies a local connection to the world and hides the complexity to access external service. Examples: Accessing different kinds of cache based on environment Client side service discovery using different mechanisms
  • 21. Single app defined using Dockerfile and multiple apps done using deployment Config map and secrets Service abstraction and discovery Stateless containers, stateful dataset where needed Services provides different options for port bindings Autoscaler support is comprehensive Centralized log management with third party integrations possible Autohealing Many ways to create and manage clusters(cloud provider, kops, kubeadm) Map Twelve factor apps to Kubernetes
  • 22. Kubernetes day 2 Operations
  • 23. Kubernetes Day 2 operations -Best practises ● Cluster management ○ Multi-tenant design(clusters/namespaces, multi-cluster handling, zonal/regional), Upgrade policy(node and containers, pod disruption budget), Ingress(load balancers), External service access policy(db, cache etc) ● Application design ○ Pod design(using pod design patterns), Lifecycle(health check, graceful termination), Scaling(resource request, autoscaling), Application types(stateful/stateless/batch/Big Data/ML), Service mesh ● Security ○ Access control(rbac), Image validation(binary authorization, vulnerability scanning), Secure clusters(private cluster, firewall)
  • 24. Kubernetes day 2 Operations Cluster management
  • 25. Use Namespaces and RBAC for isolation https://cloud.google.com/solutions/prep-kubernetes-engine-for-prod
  • 26. Multicluster handling Need for multiple clusters - Different applications, teams, environments, regions Central policy management using Anthos config management(ACM) Proximity based cluster routing
  • 27. 4 wayAutoscaling in GKE HPA Autoscales pool of workers on custom metrics VPA Recommends podspec Actuates the adjustment CA NAP+ Scale Nodepools Create right nodes for the job Gate changes by HPA + NAP Workload Infrastructure
  • 28. Kubernetes day 2 Operations Application design
  • 29. Readiness and Liveness probe https://cloud.google.com/blog/products/gcp/k ubernetes-best-practices-setting-up-health-ch ecks-with-readiness-and-liveness-probes
  • 30. Graceful shutdown handling Best practises ● Have handler for Prestop hooks or SIGTERM and handle shutdown gracefully ● Keep readiness check interval aggressive ● Have client retry failed requests https://dzone.com/articles/kubernetes-lifecycle-of-a-pod
  • 31. Big Data on Kubernetes ● Kubernetes as a replacement for YARN for Big data workloads ● Spark and Flink operators for Kubernetes are available as beta ● Dataproc on GKE is available as beta ● Advantages ○ Single orchestrator for applications and Big Data ○ Better use of cluster resources ○ Big Data application dependency handled through containers ○ Use Kubernetes ecosystem for Big Data
  • 32. MLworkloads with Kubeflow ● Deploying and managing ML models at scale using Kubernetes ● Build, train and serve models ● Components - Notebooks, UI, training, Serving, Pipelines ● Multiple frameworks supported for training as well as serving ● Advantages ○ Portable ML pipelines ○ Best of Kubernetes features used for Machine learning
  • 33. Kubernetes day 2 Operations Security
  • 36. Kubernetes Network policies Topology Defined with Network Policy API: ● A first-class Kubernetes API ● Defines allowed traffic patterns How does it work: ● K8s defines the API. ● User applies a policy. ● Network policy agents watch and enforce. ● Restricts pod to pod traffic. K8sMaster etcd policy.yaml spec: podSelector: matchLabels: run: nginx ingress: - from: - podSelector: matchLabels: run: access Frontend Service A Service B Policy Agent K8sNode
  • 38. Kubernetes ecosystem CI/CD (Tekton, Argo) Monitoring (Prometheus) Logging (Fluentd) Service Mesh (Istio, Linkerd) Packaging (Helm, kpt) Infra (Network, storage plugin) Service Discovery (CoreDNS) Serverless (knative, Virtual kubelet) ML (Kubeflow) Registry (Harbor) Security (Falco, Open policy) VM (Kubevirt, Config connector)
  • 40. Practical Experiences ● Networking and security for clusters has to be pre-planned. These cannot be changed later. ● Plan IP addresses before-hand. Kubernetes needs lot of addresses(Node, Pod, Service) ● Use managed services when possible ● Keep separate environments for Dev, staging and production ● Isolate helper applications(CI/CD, Monitoring) from primary workloads ● Start with stateless workloads and then expand to stateful, big data and ML ● Invest in monitoring/logging/secret management solution ● Backup and DR is important for Kubernetes ● Make sure that every container has resource requests
  • 41. References ● Kubernetes design principles video ● Kubernetes patterns video ● Kubernetes patterns slides ● Building Cloud native applications with Kubernetes and Istio - Kelsey ● Designing cloud native applications ● Extending Kubernetes