Container Orchestration with Kubernetes 1

Deploy MS application in K8S. Production & Security Best Practices

Deploy a complete system of Google’s sample microservice project into K8S.

Use a Message broker such as Redis or as a noSql database, and let Redis use the emptyDir Volume created with the pod.

Set the environment of each Service in the configuration file Variables are added to the Deployment configuration file for program calls.

Finally, all configuration files are created in the specified namespace.

Only Frontend’s Service uses NodePort to expose services outside the K8S cluster.

Best Practics(BPs):
BP1.Pinned (Tag) Version for each Container Image. :

The Application Version is unpredictable when we don’t use specific tag(Version) of image!

BP2.Liveness Probe for each container with specific period and command.:

We can make sure the container healthy status inside the pod, and check if app is healthy after container started. Not just pod status!

BP3.Readiness Probe for each container during starting up process.:

Without rediness probe, K8s assumes the app is ready to receive traffic as soon as the container starts.
Both Liveness Probe and Readiness Probe check application availability!

Readiness Probe: During application startup!
Liveness Probe: While application is running!

Probe Types:
a.Exec probes(Kubelet executes the command to check)
b.TCP probes(Kubelet makes probe connection at the node,not in the pod)
c.HTTP probes(Kubelet sends an HTTP request to specified path and port)

BP4.Resource Requests for each container:

BP5.Resource Limits for each container:

BP6.DON’T expose a Node Port(use LoadBalancer instead,make sure only one entrypoint for cluster)

BP7.More than 1 Replica for Deployment

BP8.More than 1 Worker Node in our cluster

BP9.Using Labels

BP10.Using Namespaces

3 Security Best Practices:
SBP1:Ensure Images are free of vulnerabilities

SBP2:No Root Access for containers!

SBP3:Update Kubernetes to the latest version(Update K8s Version Node by Node)

參考課程reference