Docker & Kubernetes Practices for Java Developers

for Java Developers
Docker & Kubernetes Practices

View Slide

2
@saturnism @googlecloud @kubernetesio
Ray Tsang
Developer Advocate
Google Cloud Platform
Spring Cloud GCP
cloud.spring.io/spring-cloud-gcp/
@saturnism | +RayTsang

View Slide

3
Ray Tsang
Developer
Architect
Traveler
Photographer
flickr.com/saturnism

View Slide

4
@saturnism @googlecloud @kubernetesio 4
A Short Recap

View Slide

5
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: work-server-v1
...
spec:
replicas: 2
template:
...
spec:
containers:
- name: work-server
image: saturnism/work-server-istio:v1

View Slide

6
@saturnism @googlecloud @istiomesh @kubernetesio
web browsers
Scheduler
kubectl web browsers
scheduler
Kubelet Kubelet Kubelet Kubelet
Config
file
Kubernetes Master
Container
Image

View Slide

7
Let's see it...

View Slide

8
Let's see some practices...
Based on materials from:
● Docker Tips and Tricks for Java Developers (Ray Tsang)
● Kubernetes Best Practices (Sandeep Dinesh)
● Kubernetes Security Best Practices (Ian Lewis)

View Slide

9
Building Containers

View Slide

10
Tag your containers!
What do these containers have in common?
helloworld-service:latest
debian:9
openjdk:8

View Slide

11
Pin Your Versions!
RUN apt-get update
RUN apt-get install curl ← which version??

View Slide

12
Combine Run Commands
RUN apt-get update
RUN apt-get install -y --no-install-recommends ...
RUN rm -rf /var/lib/apt/lists/*
vs.
RUN apt-get update && \
apt-get install -y --no-install-recommends ... && \
rm -rf /var/lib/apt/lists/*

View Slide

13
Avoid Saving Files
RUN curl http://.../apache-tomcat-8.5.20.tar.gz | tar xz -C /opt/

View Slide

14
Don’t Log to Container
Filesystem!
Log to a volume… docker -v /tmp/log:/log
Or, better yet,
Send it elsewhere! I prefer STDOUT

View Slide

15
One Container, One Process
Don't start multiple processes in daemon

View Slide

16
Don't run as root!
It's default… :(
Specify via USER directive and switch users

View Slide

17
What's in that public container?
Vulnerabilities

View Slide

18
Don't Run as root
But I think we all do...

View Slide

19
Specifically, Java Applications

View Slide

20
Use JDK 8u131 or Newer
-XX:+UnlockExperimentalVMOptions
-XX:+UseCGroupMemoryLimitForHeap

View Slide

21
Heap vs Native Memory
Set -Xmx to percentage of memory limit
Use a Startup Script

View Slide

22
Build Thin Layers
Use Multi-Stage Build
Extract Dependencies to a Layer

View Slide

23
Avoid Multi-Module Project
When you have independent services,
Don't put in the same multi-module project...

View Slide

24
Running in Kubernetes

View Slide

25
Label, label, label!
app=helloworld-service
version=2.0
serving=true

View Slide

26
Let it crash
Let Kubernetes restart for you

View Slide

27
Assume Unreliable Services
Don't sequence/orchestrate startups
Handle failures, or let it crash

View Slide

28
L4 vs L7
Know the differences, especially for gRPC

View Slide

29
kubectl apply --record
Record the command line, shows in history:
kubectl rollout history deployments ...

View Slide

30
Readiness Probe, Liveness Probe
If feeling lazy, always have Readiness Probe!

View Slide

31
External Service
kind: Service
apiVersion: v1
metadata:
name: mydatabase
namespace: prod
spec:
type: ExternalName
externalName: my.db.example.com
kind: Service
apiVersion: v1
metadata:
name: mydatabase
spec:
ports:
- protocol: TCP
port: 80
targetPort: 12345
Then add your own endpoints!

View Slide

32
Graceful Shutdown
Lifecycle Hooks
Shutdown hooks, or listen to SIGTERM

View Slide

33
More on Security...

View Slide

34
Don't Run as root!
apiVersion: v1
kind: Pod
metadata:
name: hello-world
spec:
securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false
runAsUser: 1000
fsGroup: 2000
containers:
# specification of the pod’s containers
# ...

View Slide

35
Read Only Filesystem
apiVersion: v1
kind: Pod
metadata:
name: hello-world
spec:
securityContext:
readOnlyRootFilesystem: true
...
containers:
...

View Slide

36
Containing Breakouts
Containers are are not security boundaries!
We can try seccomp, apparmor, selinux, but still!
annotations:
seccomp.security.alpha.kubernetes.io/pod: ...
container.apparmor.security.beta.kubernetes.io/hello: ...

View Slide

37
PodSecurityPolicy
Enforce Security Policy cluster-wide
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
name: example
spec:
privileged: false # Don't allow privileged pods!
# The rest fills in some required fields.
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
runAsUser:
rule: 1000
fsGroup:
rule: RunAsAny

View Slide

38
Service Accounts & RBAC
Who can access which Kubernetes API to do what?

View Slide

39
Use use transient credentials
Google Kubernetes Engine uses OAuth token

View Slide

40
Better yet, tied to user directory
Google Kubernetes Engine ties to Identity Access Manager

View Slide

41
And, don't expose API Server
If it's on public internet, make sure it's firewalled
gcloud container clusters create
--enable-master-authorized-networks
--master-authorized-networks=...

View Slide

42
Network Policy
Which pod can establish connections to which pod?
gcloud container clusters create ...
--enable-network-policy

View Slide

43
Mutual TLS
Stronger than Network Policy
Use a Service Mesh, like Istio
Automatic certificate generation and rotation

View Slide

44
CI/CD

View Slide

45
Pull Base Layer
Because you are probably using :latest tag

View Slide

46
Build without Cache
Because you probably install w/o pinning
RUN apt-get update && apt-get install ...

View Slide

47
Check-in YAMLs!
If you didn't remember anything else, do this!!
If you use a template and don't check-in YAMLs,
Must have template + variables values, so you can regenerate it.

View Slide

48
Microservices

View Slide

49
Observability is not a hindsight!
Don't wait until something went wrong...

View Slide

50
Trace
Log
Debug

View Slide

51
Finally...

View Slide

52
Don't manage your own cluster...
Use a managed service, like Google Kubernetes Engine!

View Slide

53
Thanks!
http://saturnism.me
@saturnism

View Slide

Docker & Kubernetes Practices for Java Developers

Docker & Kubernetes Practices for Java Developers

Ray Tsang

More Decks by Ray Tsang

Other Decks in Technology

Featured

Transcript