Production Kubernetes: Building Successful Application Platforms
- Length: 496 pages
- Edition: 1
- Language: English
- Publisher: O'Reilly Media
- Publication Date: 2021-08-17
- ISBN-10: 1492092304
- ISBN-13: 9781492092308
- Sales Rank: #1398219
Kubernetes has become the dominant container orchestrator, but many organizations that have recently adopted this system are still struggling to run actual production workloads. In this practical book, four software engineers from VMware bring their shared experiences running Kubernetes in production and provide insight on key challenges and best practices.
The brilliance of Kubernetes is how configurable and extensible the system is, from pluggable runtimes to storage integrations. For platform engineers, software developers, infosec, network engineers, storage engineers, and others, this book examines how the path to success with Kubernetes involves a variety of technology, pattern, and abstraction considerations.
With this book, you will:
- Understand what the path to production looks like when using Kubernetes
- Examine where gaps exist in your current Kubernetes strategy
- Learn Kubernetes’s essential building blocks–and their trade-offs
- Understand what’s involved in making Kubernetes a viable location for applications
- Learn better ways to navigate the cloud native landscape
Table of Contents
Foreword
Preface
  - Conventions Used in This Book
  - Using Code Examples
  - O’Reilly Online Learning
  - How to Contact Us
  - Acknowledgments
1. A Path to Production
  - Defining Kubernetes
    - The Core Components
    - Beyond Orchestration—Extended Functionality
    - Kubernetes Interfaces
    - Summarizing Kubernetes
  - Defining Application Platforms
    - The Spectrum of Approaches
    - Aligning Your Organizational Needs
    - Summarizing Application Platforms
  - Building Application Platforms on Kubernetes
    - Starting from the Bottom
    - The Abstraction Spectrum
    - Determining Platform Services
  - The Building Blocks
    - IAAS/datacenter and Kubernetes
    - Container runtime
    - Container networking
    - Storage integration
    - Service routing
    - Secret management
    - Identity
    - Authorization/admission control
    - Software supply chain
    - Observability
    - Developer abstractions
  - Summary
2. Deployment Models
  - Managed Service Versus Roll Your Own
    - Managed Services
    - Roll Your Own
    - Making the Decision
  - Automation
    - Prebuilt Installer
    - Custom Automation
  - Architecture and Topology
    - etcd Deployment Models
      - Network considerations
      - Dedicated versus colocated
      - Containerized versus on host
    - Cluster Tiers
    - Node Pools
    - Cluster Federation
      - Management clusters
      - Observability
      - Federated software deployment
  - Infrastructure
    - Bare Metal Versus Virtualized
    - Cluster Sizing
    - Compute Infrastructure
    - Networking Infrastructure
      - Routability
      - Redundancy
      - Load balancing
    - Automation Strategies
      - Infra management tools
      - Kubernetes operators
  - Machine Installations
    - Configuration Management
    - Machine Images
    - What to Install
  - Containerized Components
  - Add-ons
  - Upgrades
    - Platform Versioning
    - Plan to Fail
    - Integration Testing
    - Strategies
      - Cluster replacement
      - Node replacement
      - In-place upgrades
    - Triggering Mechanisms
  - Summary
3. Container Runtime
  - The Advent of Containers
  - The Open Container Initiative
    - OCI Runtime Specification
    - OCI Image Specification
  - The Container Runtime Interface
    - Starting a Pod
  - Choosing a Runtime
    - Docker
    - containerd
    - CRI-O
    - Kata Containers
    - Virtual Kubelet
  - Summary
4. Container Storage
  - Storage Considerations
    - Access Modes
    - Volume Expansion
    - Volume Provisioning
    - Backup and Recovery
    - Block Devices and File and Object Storage
    - Ephemeral Data
    - Choosing a Storage Provider
  - Kubernetes Storage Primitives
    - Persistent Volumes and Claims
    - Storage Classes
  - The Container Storage Interface (CSI)
    - CSI Controller
    - CSI Node
  - Implementing Storage as a Service
    - Installation
    - Exposing Storage Options
    - Consuming Storage
    - Resizing
    - Snapshots
  - Summary
5. Pod Networking
  - Networking Considerations
    - IP Address Management
    - Routing Protocols
    - Encapsulation and Tunneling
    - Workload Routability
    - IPv4 and IPv6
    - Encrypted Workload Traffic
    - Network Policy
    - Summary: Networking Considerations
  - The Container Networking Interface (CNI)
    - CNI Installation
  - CNI Plug-ins
    - Calico
    - Cilium
    - AWS VPC CNI
    - Multus
    - Additional Plug-ins
  - Summary
6. Service Routing
  - Kubernetes Services
    - The Service Abstraction
      - Service IP Address Management
      - The Service resource
      - Service types: ClusterIP, NodePort, LoadBalancer, ExternalName, Headless Service
      - Supported communication protocols
    - Endpoints
      - The Endpoints resource
      - The Endpoints controller
      - Pod readiness and readiness probes
      - The EndpointSlices resource
    - Service Implementation Details
      - Kube-proxy
      - Kube-proxy: iptables mode (ClusterIP Services; NodePort and LoadBalancer Services; Connection tracking (conntrack); Masquerade; Performance concerns)
      - Kube-proxy: IP Virtual Server (IPVS) mode (ClusterIP Services; NodePort and LoadBalancer Services)
      - Running without kube-proxy
    - Service Discovery
      - Using DNS
      - Using the Kubernetes API
      - Using environment variables
    - DNS Service Performance
      - DNS cache on each node
      - Auto-scaling the DNS server deployment
  - Ingress
    - The Case for Ingress
    - The Ingress API
    - Ingress Controllers and How They Work
    - Ingress Traffic Patterns
      - HTTP proxying
      - HTTP proxying with TLS
      - Layer 3/4 proxying
    - Choosing an Ingress Controller
    - Ingress Controller Deployment Considerations
      - Dedicated Ingress nodes
      - Binding to the host network
      - Ingress controllers and external traffic policy
      - Spread Ingress controllers across failure domains
    - DNS and Its Role in Ingress
      - Wildcard DNS record
      - Kubernetes and DNS integration
    - Handling TLS Certificates
  - Service Mesh
    - When (Not) to Use a Service Mesh
    - The Service Mesh Interface (SMI)
    - The Data Plane Proxy
    - Service Mesh on Kubernetes
    - Data Plane Architecture
      - Sidecar proxy
      - Node proxy
    - Adopting a Service Mesh
      - Prioritize one of the pillars
      - Deploy to a new or an existing cluster?
      - Handling upgrades
      - Resource overhead
      - Certificate Authority for mutual TLS
      - Multicluster service mesh
  - Summary
7. Secret Management
  - Defense in Depth
    - Disk Encryption
    - Transport Security
    - Application Encryption
  - The Kubernetes Secret API
    - Secret Consumption Models
      - Environment variables
      - Volumes
      - Client API Consumption
  - Secret Data in etcd
    - Static-Key Encryption
    - Envelope Encryption
  - External Providers
    - Vault
    - Cyberark
    - Injection Integration
    - CSI Integration
  - Secrets in the Declarative World
    - Sealing Secrets
    - Sealed Secrets Controller
    - Key Renewal
    - Multicluster Models
  - Best Practices for Secrets
    - Always Audit Secret Interaction
    - Don’t Leak Secrets
    - Prefer Volumes Over Environment Variables
    - Make Secret Store Providers Unknown to Your Application
  - Summary
8. Admission Control
  - The Kubernetes Admission Chain
  - In-Tree Admission Controllers
  - Webhooks
    - Configuring Webhook Admission Controllers
    - Webhook Design Considerations
    - Writing a Mutating Webhook
      - Plain HTTPS Handler
      - Controller Runtime
  - Centralized Policy Systems
  - Summary
9. Observability
  - Logging Mechanics
    - Container Log Processing
      - Application forwarding
      - Sidecar processing
      - Node agent forwarding
    - Kubernetes Audit Logs
    - Kubernetes Events
    - Alerting on Logs
    - Security Implications
  - Metrics
    - Prometheus
    - Long-Term Storage
    - Pushing Metrics
    - Custom Metrics
    - Organization and Federation
    - Alerts
      - Dead man’s switch
    - Showback and Chargeback
      - Showback by requests
      - Showback by consumption
      - Chargeback
      - Network and storage
    - Metrics Components
      - Prometheus Operator
      - Prometheus servers
      - Alertmanager
      - Grafana
      - Node exporter
      - kube-state-metrics
      - Prometheus adapter
  - Distributed Tracing
    - OpenTracing and OpenTelemetry
    - Tracing Components
      - Agent
      - Collector
      - Storage
      - API
      - User interface
    - Application Instrumentation
    - Service Meshes
  - Summary
10. Identity
  - User Identity
    - Authentication Methods
      - Shared secrets
      - Public key infrastructure
      - OpenID Connect (OIDC)
    - Implementing Least Privilege Permissions for Users
  - Application/Workload Identity
    - Shared Secrets
    - Network Identity
      - Calico
      - Cilium
    - Service Account Tokens (SAT)
    - Projected Service Account Tokens (PSAT)
    - Platform Mediated Node Identity
      - AWS platform authentication methods/tooling: kube2iam, kiam, IAM Roles for Service Accounts (IRSA)
    - Cross-platform identity with SPIFFE and SPIRE
      - Architecture and concepts
      - Direct application access
      - Sidecar proxy
      - Service mesh (Istio)
      - Other application integration methods
      - Integration with secrets store (Vault)
      - Integration with AWS
  - Summary
11. Building Platform Services
  - Points of Extension
    - Plug-in Extensions
    - Webhook Extensions
      - Authentication extensions
      - Admission control
    - Operator Extensions
  - The Operator Pattern
    - Kubernetes Controllers
    - Custom Resources
  - Operator Use Cases
    - Platform Utilities
    - General-Purpose Workload Operators
    - App-Specific Operators
  - Developing Operators
    - Operator Development Tooling
      - Kubebuilder
      - Metacontroller
      - Operator Framework
    - Data Model Design
    - Logic Implementation
      - Existing state
      - Desired state
      - Reconciliation
      - Implementation details
    - Admission webhooks
    - Finalizers
  - Extending the Scheduler
    - Predicates and Priorities
    - Scheduling Policies
    - Scheduling Profiles
    - Multiple Schedulers
    - Custom Scheduler
  - Summary
12. Multitenancy
  - Degrees of Isolation
    - Single-Tenant Clusters
    - Multitenant Clusters
  - The Namespace Boundary
  - Multitenancy in Kubernetes
    - Role-Based Access Control (RBAC)
    - Resource Quotas
    - Admission Webhooks
    - Resource Requests and Limits
    - Network Policies
    - Pod Security Policies
    - Multitenant Platform Services
  - Summary
13. Autoscaling
  - Types of Scaling
  - Application Architecture
  - Workload Autoscaling
    - Horizontal Pod Autoscaler
    - Vertical Pod Autoscaler
    - Autoscaling with Custom Metrics
    - Cluster Proportional Autoscaler
    - Custom Autoscaling
  - Cluster Autoscaling
    - Cluster Overprovisioning
  - Summary
14. Application Considerations
  - Deploying Applications to Kubernetes
    - Templating Deployment Manifests
    - Packaging Applications for Kubernetes
  - Ingesting Configuration and Secrets
    - Kubernetes ConfigMaps and Secrets
    - Obtaining Configuration from External Systems
  - Handling Rescheduling Events
    - Pre-stop Container Life Cycle Hook
    - Graceful Container Shutdown
    - Satisfying Availability Requirements
  - State Probes
    - Liveness Probes
    - Readiness Probes
    - Startup Probes
    - Implementing Probes
  - Pod Resource Requests and Limits
    - Resource Requests
    - Resource Limits
  - Application Logs
    - What to Log
    - Unstructured Versus Structured Logs
    - Contextual Information in Logs
  - Exposing Metrics
    - Instrumenting Applications
      - USE Method
      - RED Method
      - The Four Golden Signals
      - App-Specific Metrics
  - Instrumenting Services for Distributed Tracing
    - Initializing the Tracer
    - Creating Spans
    - Propagate Context
  - Summary
15. Software Supply Chain
  - Building Container Images
    - The Golden Base Images Antipattern
    - Choosing a Base Image
    - Runtime User
    - Pinning Package Versions
    - Build Versus Runtime Image
    - Cloud Native Buildpacks
  - Image Registries
    - Vulnerability Scanning
    - Quarantine Workflow
    - Image Signing
  - Continuous Delivery
    - Integrating Builds into a Pipeline
    - Push-Based Deployments
    - Rollout Patterns
    - GitOps
  - Summary
16. Platform Abstractions
  - Platform Exposure
  - Self-Service Onboarding
  - The Spectrum of Abstraction
  - Command-Line Tooling
  - Abstraction Through Templating
    - Helm
    - Kustomize
  - Abstracting Kubernetes Primitives
  - Making Kubernetes Invisible
  - Summary
Index
How to download the source code
1. Go to https://www.oreilly.com/
2. Search for the book title: Production Kubernetes: Building Successful Application Platforms (if the full title returns no results, search for the main title, Production Kubernetes)
3. Click the book title in the search results
4. In the Publisher resources section, click Download Example Code