We already know that Kubernetes is the No. 1 orchestration platform for container-based applications, automating the deployment and scaling of these apps, and streamlining maintenance operations. However, Kubernetes comes with its own complexity challenges. So how can an enterprise take advantage of containerization to tackle complexity and not end up with even more complexity? This article provides some of the best practices that you can implement to adopt Kubernetes.
Cross Posted from Container Journal
Define appropriate policies for cluster access controls, service access controls, resource utilization controls, and secret access controls. By default, containers run with unbounded compute resources on a Kubernetes cluster. To limit or restrict you have to implement appropriate policies
Use resource utilization (resource quota) guidelines to ensure the containerized applications co-exist without being eliminated due to resource violations at runtime. To enforce constraints on resource usage, use Limit Range option for appropriate resources in the namespace.
To limit aggregate resource consumption per namespace, use below Resource Quotas
Currently, the Kubernetes ecosystem provides two add-ons for aggregating and reporting monitoring data from your cluster: (1) Metrics Server and (2) kube-state-metrics.
Metrics Server is a cluster add-on that collects resource usage data from each node and provides aggregated metrics through the Metrics API.kube-state-metrics service provides additional cluster information that Metrics Server does not.
Below are the key metrics and alerts that are required to monitor your Kubernetes cluster.
What to monitor? | Metrics to monitor | Alert Criteria |
Cluster state | Monitor the aggregated resources usage across all nodes in your cluster.
|
|
Node resources | For each of the node monitor :
| If the node’s CPU or memory usage drops below a desired threshold.
|
Missing pod | Health and availability of your pod deployments.
| If the number of available pods for a deployment falls below the number of pods you specified when you created the deployment. |
Pods that are not running | If a pod isn’t running or even scheduled, there could be an issue with either the pod or the cluster, or with your entire Kubernetes deployment.
| Alerts should be based on the status of your pods (“Failed,” ”Pending,” or “Unknown” for the period of time you specify) |
Container restarts | Container restarts could happen when you’re hitting a memory limit (ex.Out of Memory kills) in your containers. Also, there could be an issue with either the container itself or its host. | Kubernetes automatically restarts containers, but setting up an alert will give you an immediate notification later you can analyze and set the proper limits |
Container resource usage | Monitor container resource usage for containers in case you’re hitting resource limits, spikes in resource consumption, | Alerts to check if container CPU and memory usage and on limits are based on thresholds. |
Storage volumes | Monitor storage to
| Alerts to check if available bytes, capacity crosses your thresholds. Identify persistent volumes and apply a different alert threshold or notification for these volumes, which likely hold important application data. |
Control Plane – Etcd | Monitor etcd for the below parameters:
| Alerts to check if any pending or failed proposals or reach inappropriate thresholds. |
Control Plane – API Server | Monitor the API server for below parameters :
| Alerts to check if the rate or number of HTTP requests crosses a desired threshold. |
Control Plane – Scheduler | Monitor the scheduler for the below parameters
| Alerts to check if the rate or number of HTTP requests crosses a desired threshold. |
Control Plane – Controller Manager | Monitor the scheduler for the below parameters:
| Alerts to check if requests to the work queue exceed a maximum threshold. |
Kubernetes events | Collecting events from Kubernetes and from the container engine (such as Docker) allows you to see how pod creation, destruction, starting, or stopping affects the performance of your infrastructure. | Any failure or exception should need to be alerted. |
Consider integrating with any of the commercial monitoring tools to consume probe-generated metrics and platform-generated metrics to have comprehensive observability of the cluster.
Continuous security must be included as part of the DevOps pipeline to ensure containers are well-managed. Use any of the below static analysis tools to identify vulnerabilities in application containers while building images for containers.
Routinely audit the platform for Kubernetes patch levels, secret stores, compliance against the security vulnerabilities, encryption of secret stores, storage volumes, cluster policies, role binding policies, RBAC, and user management controls.
Proactively chaos tests your platform to ensure the robustness of the cluster. It also helps to test the stability of the containerized applications and the impact of crashing these containers. There are a wide range of the open-source tools + commercial that can be used, few of them are listed below
Kubernetes uses etcd
as its internal metadata management store to manage the objects across clusters. It is necessary to define a backup strategy for etcd
and any other dependent persistent stores used within the Kubernetes clusters.
Use Velero or any of the open-source tools to backup Kubernetes resources and application data so that in cases of recovery from disaster, it can reduce the time for recovery.
Kubernetes follows declaration-based management hence every object or resource or instruction is described only through YAML declarative manifests. It is necessary to leverage SCM tools or create custom utilities to manage these manifests.
kubectl
style of deployments would not be possible in a large-scale production setup. Instead, you have to use some of the established open-source frameworks For e.g., Helm is specifically built for Kubernetes to manage seamless deployments via the CI-CD pipeline.
Helm uses Charts that define the set of Kubernetes resources that together define an application. You can think of charts as packages of pre-configured Kubernetes resources. Charts help you to define, install, and upgrade even the most complex Kubernetes application. These charts can describe a single resource, such as a Redis pod, or a full stack of a web application: HTTP servers, databases, and caches.
In the recent release of Helm, Releases will be managed inside of Kubernetes using Release Objects and Kubernetes Secrets. All modifications such as installing, upgrading, downgrading releases will end in having a new version of that Kubernetes Secret.
Service mesh offers consistent discovery, security, tracing, monitoring, and failure handling without the need for a shared asset such as an API gateway. So if you have service mesh on your cluster, you can achieve all the below items without making changes to your application code.
Currently, service mesh is being offered by Linkerd, Istio, and Conduit providers.
It is necessary to choose an appropriate service mesh that is compatible with the Kubernetes cluster as well as the underlying infrastructure.
This article covers the key best practices that you can implement for Kubernetes adoption. However, operating Kubernetes clusters is not without its challenges.
62% of UX designers now use AI to enhance their workflows. Artificial intelligence (AI) rapidly…
The integration of artificial intelligence into graphic design through tools like Adobe Photoshop can save…
The cryptocurrency trading world has grown significantly in recent years, with automation playing a key…
The non-fungible token (NFT) market has witnessed explosive growth over the past few years, transforming…
There are few things as valuable to a business as well-designed software. Organizations today rely…
The cryptocurrency industry is being reshaped by the fusion of blockchain technology and artificial intelligence…
This website uses cookies.