Deploying Rock Solid Applications with Kubernetes

Kubernetes has made it easy to deploy applications to the cloud. It’s even made it easy to deploy the same application across several instances. This, however, does not mean that your application will be highly available by default. To achieve high availability for your applications, there's a lot more involved.

In this talk we'll look at:
- creating secure Docker images and enforcing this at the cluster level with Pod Security Policies;
- configuring Health Checks and possible caveats like Circular Dependencies;
- limiting traffic between services with Network Policies;
- tolerating node failure by implementing correct Anti-Affinity rules;
- rescheduling pods onto new available nodes after node failure with Disruption Budgets;
- setting up correct deployment strategies;
- how to automate this with Custom Resource Definitions.

Jelmer Snoeck

December 12, 2018

Transcript

  1. Deploying Rock Solid Applications with Kubernetes https://bit.ly/2LafjmT @jelmersnoeck

  2. FIND ME: github.com/jelmersnoeck, twitter.com/jelmersnoeck. Jelmer Snoeck. ABOUT ME: Tech Lead at manifold.co; <3 Kubernetes; <3 Golang

  3. What even are Rock Solid Applications?

  4. Secure Applications

  5. Highly Available Applications

  7. Disclaimer: simplified YAML for demo purposes

  10. Security

  12. Pod Security Policies

  15. RBAC

  23. or…

  26. Network Policies

  30. Caveat: availability depends on your networking plugin

  31. Security

  32. High Availability

  33. What even is High Availability?

  34. This talk is not about High Availability for nodes

  38. Deployments

  39. Replicas + UpdateStrategy

  52. (Anti)Affinity

  58. Probes

  60. Caveat: Circular Dependencies

  65. PodDisruptionBudget

  72. Prevent misconfiguration

  73. Linting?

  74. Webhooks!

  81. Webhooks
    - Barbossa
    - Azure Kubernetes Policy Controller (OPA)
    - Anchore Engine
    - …

  82. We’re hiring… <3

  83. Thanks. I’ll be around for questions. FIND ME: github.com/jelmersnoeck, twitter.com/jelmersnoeck. SPECIAL THANKS TO twitter.com/megthesmith

  84. Resources
    - https://hackernoon.com/deploying-rock-solid-applications-with-kubernetes-230fd9bb61f4
    - https://thenewstack.io/myth-cloud-native-portability
    - https://kubernetes.io/docs/concepts/policy/pod-security-policy/
    - https://kubernetes.io/docs/reference/access-authn-authz/rbac/
    - https://kubernetes.io/docs/concepts/services-networking/network-policies/
    - https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
    - https://container-solutions.com/kubernetes-deployment-strategies/
    - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
    - https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
    - https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
    - https://banzaicloud.com/blog/k8s-admission-webhooks/
    - https://github.com/jelmersnoeck/barbossa
    - https://github.com/Azure/kubernetes-policy-controller