6 Important Things You Need to Run Kubernetes in Production | by Hijmen Fokker | Mar, 2022

Get your cluster to the subsequent degree

Photograph by Thomas Millot on Unsplash

Kubernetes adoption is at an all-time high. Nearly each main IT group invests in a container technique and Kubernetes is by far essentially the most used and hottest container orchestration know-how.

Whereas there are lots of flavors of Kubernetes, managed options like AKS, EKS and GKE are by far the preferred. Kubernetes is a really advanced platform, however organising a Kubernetes cluster is pretty simple so long as you select a managed cloud answer. I might by no means advise self-managing a Kubernetes cluster until you’ve gotten an excellent motive to take action.

Operating Kubernetes comes with many advantages, however organising a strong platform your self with out robust Kubernetes data takes time. Establishing a Kubernetes stack based on greatest practices requires experience, and is critical to arrange a steady cluster that’s future-proof. Merely operating a manged cluster and deploying your utility is just not sufficient.

Some further issues are wanted to run a production-ready Kubernetes cluster. Kubernetes setup makes the lifetime of builders loads simpler and provides them time to concentrate on delivering enterprise worth. On this article, I’ll share a very powerful issues you must run a Kubernetes stack in manufacturing.

Initially, managing your cloud infrastructure utilizing Desired State configuration (Infrastructure as Code — IaC) comes with a variety of advantages and is a basic cloud infrastructure greatest apply.

Specifying it declarative as code will allow you to check your infrastructure (modifications) in non-production environments. It discourages or prevents guide deployments, making your infrastructure deployments extra constant, dependable, and repeatable.

Groups implementing IaC ship extra steady environments quickly and at scale. IaC instruments like Terraform or Pulumi work nice to deploy your complete Kubernetes cluster in your cloud of alternative along with networking, load balancers, DNS configuration, and naturally an built-in Container Registry.

Kubernetes is a really steady platform. Its self-healing capabilities will remedy many points and when you don’t know the place to look you wouldn’t even discover. Nonetheless, that doesn’t imply monitoring is unimportant. I’ve seen groups operating manufacturing with out correct monitoring, and out of the blue a certificates expired, or a node reminiscence overcommit induced an outage.

You’ll be able to simply stop these failures with correct monitoring in place. Prometheus and Grafana are Kubernetes’ most used monitoring options and can be utilized to watch each your platform and purposes. Alerting (e.g. utilizing the Alertmanager) ought to be arrange for vital points along with your Kubernetes cluster, so to stop downtime, failures and even knowledge loss.

Aside from monitoring utilizing metrics, it’s also necessary to run centralized elements like Fluentd or Filebeat to gather logging and ship them to a centralized logging platform like ElasticSearch in order that utility error logs and log occasions could be traced and in a central place. These instruments could be arrange centrally, so commonplace monitoring is robotically in place for all apps with out developer effort.

Kubernetes has an idea of Ingress. A easy configuration that describes how visitors ought to stream from exterior of Kubernetes to your utility. A central Ingress Controller (e.g. Nginx) could be put in within the cluster to handle all incoming visitors for each utility. When an Ingress Controller is linked to a public Cloud LoadBalancer, all visitors is robotically load-balanced amongst Nodes, and despatched to the correct pods IP Addresses.

A Ingress Controller provides many advantages, due to its Centralization. It might probably additionally care for HTTPS and SSL. An built-in part known as cert-manager is a centrally deployed utility in Kubernetes that takes care of HTTPS certificates.

It may be configured utilizing Let’s Encrypt, wildcard certificates or perhaps a non-public Certification Authority for inner company-trusted certificates. All incoming visitors will likely be robotically encrypted utilizing the HTTPS certificates and forwarded to the right Kubernetes pods. One other factor builders received’t want to fret about.

Not everybody ought to be a Kubernetes Administrator. We must always at all times apply the precept of Least Privilege in the case of Kubernetes entry. Position-Primarily based Entry Management ought to be utilized to the entire Kubernetes stack (Kubernetes API, deployment instruments, dashboards, and many others.).

After we combine Kubernetes with an IAM answer like Keycloak, Azure AD or AWS Cognito, we are able to centrally handle authentication and authorization utilizing OAuth2 / OIDC for each platform instruments and purposes. Roles and teams could be outlined to present customers entry to the sources they should entry primarily based on their group or function.

Everybody who works with Kubernetes makes use of kubectl a method or one other. However manually deploying to Kubernetes utilizing the kubectl apply command is just not a greatest apply, most actually not in manufacturing.

Kubernetes desired state configuration ought to be current in GIT, and we’d like a deployment platform that rolls out to Kubernetes. ArgoCD and Flux are the 2 main GitOps platforms for Kubernetes deployments. Each work very nicely for dealing with real-time declarative state administration, ensuring that Git is the one supply of fact for the Kubernetes state.

Even when a rogue developer tries to manually change one thing in manufacturing, the GitOps platform will instantly roll again the change to the specified change. With a GitOps bootstrapping approach we are able to handle environments, groups, initiatives, roles, insurance policies, namespaces, clusters, appgroups, and purposes. With Git solely. GitOps makes certain that each one modifications to all Kubernetes environments are 100% traceable, simply automated, and manageable.

Kubernetes secret manifests are used to inject secrets and techniques into your containers, both as setting variables or file mappings. Ideally, not everybody ought to have the ability to entry all secrets and techniques, particularly in manufacturing. Utilizing Position-Primarily based Entry Management on secrets and techniques for group members and purposes is a safety greatest apply.

Secrets and techniques could be injected into Kubernetes utilizing a CI / CD tooling or (worse) through an area improvement setting, however this may end up in configuration state drift. This isn’t traceable, and never simply manageable. One of the simplest ways to sync secrets and techniques is utilizing a central vault, like Azure Key Vault, Hashicorp Vault, AWS Secrets and techniques Supervisor with a central secrets and techniques operator like External Secrets Operator.

This fashion, secret references could be saved in GIT, pointing to an entry in an exterior secrets and techniques Vault. For extra security-focused firms it’s also an choice to lock out all builders from secrets and techniques in Kubernetes utilizing RBAC. They may have the ability to reference secrets and techniques, and use them in containers, however won’t ever have the ability to straight entry them.

Spinning-up a managed Kubernetes cluster is straightforward, however setting it up appropriately takes time when you don’t have the experience. It is extremely necessary to have Infrastructure as a Code answer, correct monitoring, RBAC, and Deployment mechanisms which are safe, manageable, and traceable. The sooner, the higher. Establishing your Kubernetes cluster based on greatest practices utilizing standardized open supply tooling will show you how to save time, failures and complications, particularly in the long term. After all, these are essentially the most primary necessities to your Kubernetes stack, particularly for enterprise-level firms. Different necessary issues that haven’t been talked about are ServiceMesh, Safety scanning/compliance, and end-to-end traceability, which will likely be mentioned in a future article.

The Pionative Kubernetes QuickStart package provides you with all of the fundamentals and foundations you want based on the most recent open-source requirements / greatest practices and can prevent money and time. If you happen to ever want a hand, some recommendation or only a fast chat, I’m at all times glad to assist. Be happy to attach with me on LinkedIn!

More Posts