Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Docker & Kubernetes Practices for Java Developers

Docker & Kubernetes Practices for Java Developers

A collection of practices, tips & tricks, for constructing Docker Containers and using Kubernetes for Java developers.

This slide is based on materials from:

Docker Tips and Tricks for Java Developers (Ray Tsang @saturnism)
https://speakerdeck.com/saturnism/2017-devnexus-docker-tips-and-tricks-for-java-developers

Kubernetes Best Practices (Sandeep Dinesh @sandeepdinesh)
https://speakerdeck.com/thesandlord/kubernetes-best-practices

Kubernetes Security Best Practices (Ian Lewis @ianmlewis)
https://speakerdeck.com/ianlewis/kubernetes-security-best-practices

Ray Tsang

April 26, 2018
Tweet

More Decks by Ray Tsang

Other Decks in Technology

Transcript

  1. for Java Developers
    Docker & Kubernetes Practices

    View full-size slide

  2. 2
    @saturnism @googlecloud @kubernetesio
    Ray Tsang
    Developer Advocate
    Google Cloud Platform
    Spring Cloud GCP
    cloud.spring.io/spring-cloud-gcp/
    @saturnism | +RayTsang

    View full-size slide

  3. 3
    @saturnism @googlecloud @kubernetesio
    Ray Tsang
    Developer
    Architect
    Traveler
    Photographer
    flickr.com/saturnism

    View full-size slide

  4. 4
    @saturnism @googlecloud @kubernetesio 4
    A Short Recap

    View full-size slide

  5. 5
    @saturnism @googlecloud @kubernetesio
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
    name: work-server-v1
    ...
    spec:
    replicas: 2
    template:
    ...
    spec:
    containers:
    - name: work-server
    image: saturnism/work-server-istio:v1

    View full-size slide

  6. 6
    @saturnism @googlecloud @istiomesh @kubernetesio
    web browsers
    Scheduler
    kubectl web browsers
    scheduler
    Kubelet Kubelet Kubelet Kubelet
    Config
    file
    Kubernetes Master
    Container
    Image

    View full-size slide

  7. 7
    @saturnism @googlecloud @istiomesh @kubernetesio
    Let's see it...

    View full-size slide

  8. 8
    @saturnism @googlecloud @istiomesh @kubernetesio
    Let's see some practices...
    Based on materials from:
    ● Docker Tips and Tricks for Java Developers (Ray Tsang)
    ● Kubernetes Best Practices (Sandeep Dinesh)
    ● Kubernetes Security Best Practices (Ian Lewis)

    View full-size slide

  9. 9
    @saturnism @googlecloud @kubernetesio 9
    Building Containers

    View full-size slide

  10. 10
    @saturnism @googlecloud @kubernetesio
    Tag your containers!
    What do these containers have in common?
    helloworld-service:latest
    debian:9
    openjdk:8

    View full-size slide

  11. 11
    @saturnism @googlecloud @kubernetesio
    Pin Your Versions!
    RUN apt-get update
    RUN apt-get install curl ← which version??

    View full-size slide

  12. 12
    @saturnism @googlecloud @kubernetesio
    Combine Run Commands
    RUN apt-get update
    RUN apt-get install -y --no-install-recommends ...
    RUN rm -rf /var/lib/apt/lists/*
    vs.
    RUN apt-get update && \
    apt-get install -y --no-install-recommends ... && \
    rm -rf /var/lib/apt/lists/*

    View full-size slide

  13. 13
    @saturnism @googlecloud @kubernetesio
    Avoid Saving Files
    RUN curl http://.../apache-tomcat-8.5.20.tar.gz | tar xz -C /opt/

    View full-size slide

  14. 14
    @saturnism @googlecloud @kubernetesio
    Don’t Log to Container
    Filesystem!
    Log to a volume… docker -v /tmp/log:/log
    Or, better yet,
    Send it elsewhere! I prefer STDOUT

    View full-size slide

  15. 15
    @saturnism @googlecloud @kubernetesio
    One Container, One Process
    Don't start multiple processes in daemon

    View full-size slide

  16. 16
    @saturnism @googlecloud @kubernetesio
    Don't run as root!
    It's default… :(
    Specify via USER directive and switch users

    View full-size slide

  17. 17
    @saturnism @googlecloud @kubernetesio
    What's in that public container?
    Vulnerabilities

    View full-size slide

  18. 18
    @saturnism @googlecloud @kubernetesio
    Don't Run as root
    But I think we all do...

    View full-size slide

  19. 19
    @saturnism @googlecloud @kubernetesio 19
    Specifically, Java Applications

    View full-size slide

  20. 20
    @saturnism @googlecloud @kubernetesio
    Use JDK 8u131 or Newer
    -XX:+UnlockExperimentalVMOptions
    -XX:+UseCGroupMemoryLimitForHeap

    View full-size slide

  21. 21
    @saturnism @googlecloud @kubernetesio
    Heap vs Native Memory
    Set -Xmx to percentage of memory limit
    Use a Startup Script

    View full-size slide

  22. 22
    @saturnism @googlecloud @kubernetesio
    Build Thin Layers
    Use Multi-Stage Build
    Extract Dependencies to a Layer

    View full-size slide

  23. 23
    @saturnism @googlecloud @kubernetesio
    Avoid Multi-Module Project
    When you have independent services,
    Don't put in the same multi-module project...

    View full-size slide

  24. 24
    @saturnism @googlecloud @kubernetesio 24
    Running in Kubernetes

    View full-size slide

  25. 25
    @saturnism @googlecloud @kubernetesio
    Label, label, label!
    app=helloworld-service
    version=2.0
    serving=true

    View full-size slide

  26. 26
    @saturnism @googlecloud @kubernetesio
    Let it crash
    Let Kubernetes restart for you

    View full-size slide

  27. 27
    @saturnism @googlecloud @kubernetesio
    Assume Unreliable Services
    Don't sequence/orchestrate startups
    Handle failures, or let it crash

    View full-size slide

  28. 28
    @saturnism @googlecloud @kubernetesio
    L4 vs L7
    Know the differences, especially for gRPC

    View full-size slide

  29. 29
    @saturnism @googlecloud @kubernetesio
    kubectl apply --record
    Record the command line, shows in history:
    kubectl rollout history deployments ...

    View full-size slide

  30. 30
    @saturnism @googlecloud @kubernetesio
    Readiness Probe, Liveness Probe
    If feeling lazy, always have Readiness Probe!

    View full-size slide

  31. 31
    @saturnism @googlecloud @kubernetesio
    External Service
    kind: Service
    apiVersion: v1
    metadata:
    name: mydatabase
    namespace: prod
    spec:
    type: ExternalName
    externalName: my.db.example.com
    kind: Service
    apiVersion: v1
    metadata:
    name: mydatabase
    spec:
    ports:
    - protocol: TCP
    port: 80
    targetPort: 12345
    Then add your own endpoints!

    View full-size slide

  32. 32
    @saturnism @googlecloud @kubernetesio
    Graceful Shutdown
    Lifecycle Hooks
    Shutdown hooks, or listen to SIGTERM

    View full-size slide

  33. 33
    @saturnism @googlecloud @kubernetesio 33
    More on Security...

    View full-size slide

  34. 34
    @saturnism @googlecloud @kubernetesio
    Don't Run as root!
    apiVersion: v1
    kind: Pod
    metadata:
    name: hello-world
    spec:
    securityContext:
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    runAsUser: 1000
    fsGroup: 2000
    containers:
    # specification of the pod’s containers
    # ...

    View full-size slide

  35. 35
    @saturnism @googlecloud @kubernetesio
    Read Only Filesystem
    apiVersion: v1
    kind: Pod
    metadata:
    name: hello-world
    spec:
    securityContext:
    readOnlyRootFilesystem: true
    ...
    containers:
    ...

    View full-size slide

  36. 36
    @saturnism @googlecloud @kubernetesio
    Containing Breakouts
    Containers are are not security boundaries!
    We can try seccomp, apparmor, selinux, but still!
    annotations:
    seccomp.security.alpha.kubernetes.io/pod: ...
    container.apparmor.security.beta.kubernetes.io/hello: ...

    View full-size slide

  37. 37
    @saturnism @googlecloud @kubernetesio
    PodSecurityPolicy
    Enforce Security Policy cluster-wide
    apiVersion: extensions/v1beta1
    kind: PodSecurityPolicy
    metadata:
    name: example
    spec:
    privileged: false # Don't allow privileged pods!
    # The rest fills in some required fields.
    seLinux:
    rule: RunAsAny
    supplementalGroups:
    rule: RunAsAny
    runAsUser:
    rule: 1000
    fsGroup:
    rule: RunAsAny

    View full-size slide

  38. 38
    @saturnism @googlecloud @kubernetesio
    Service Accounts & RBAC
    Who can access which Kubernetes API to do what?

    View full-size slide

  39. 39
    @saturnism @googlecloud @kubernetesio
    Use use transient credentials
    Google Kubernetes Engine uses OAuth token

    View full-size slide

  40. 40
    @saturnism @googlecloud @kubernetesio
    Better yet, tied to user directory
    Google Kubernetes Engine ties to Identity Access Manager

    View full-size slide

  41. 41
    @saturnism @googlecloud @kubernetesio
    And, don't expose API Server
    If it's on public internet, make sure it's firewalled
    gcloud container clusters create
    --enable-master-authorized-networks
    --master-authorized-networks=...

    View full-size slide

  42. 42
    @saturnism @googlecloud @kubernetesio
    Network Policy
    Which pod can establish connections to which pod?
    gcloud container clusters create ...
    --enable-network-policy

    View full-size slide

  43. 43
    @saturnism @googlecloud @kubernetesio
    Mutual TLS
    Stronger than Network Policy
    Use a Service Mesh, like Istio
    Automatic certificate generation and rotation

    View full-size slide

  44. 44
    @saturnism @googlecloud @kubernetesio 44
    CI/CD

    View full-size slide

  45. 45
    @saturnism @googlecloud @kubernetesio
    Pull Base Layer
    Because you are probably using :latest tag

    View full-size slide

  46. 46
    @saturnism @googlecloud @kubernetesio
    Build without Cache
    Because you probably install w/o pinning
    RUN apt-get update && apt-get install ...

    View full-size slide

  47. 47
    @saturnism @googlecloud @kubernetesio
    Check-in YAMLs!
    If you didn't remember anything else, do this!!
    If you use a template and don't check-in YAMLs,
    Must have template + variables values, so you can regenerate it.

    View full-size slide

  48. 48
    @saturnism @googlecloud @kubernetesio 48
    Microservices

    View full-size slide

  49. 49
    @saturnism @googlecloud @kubernetesio
    Observability is not a hindsight!
    Don't wait until something went wrong...

    View full-size slide

  50. 50
    @saturnism @googlecloud @kubernetesio
    Trace
    Log
    Debug

    View full-size slide

  51. 51
    @saturnism @googlecloud @kubernetesio 51
    Finally...

    View full-size slide

  52. 52
    @saturnism @googlecloud @kubernetesio
    Don't manage your own cluster...
    Use a managed service, like Google Kubernetes Engine!

    View full-size slide

  53. 53
    @saturnism @googlecloud @kubernetesio 53
    Thanks!
    http://saturnism.me
    @saturnism

    View full-size slide