Five thoughts you should embrace before Adapting to Kubernetes.

Digvijay Singh

Nov 06, 2022

6 min read

“Kubernetes is often called container orchestration, but it’s more like improvisational jazz.” — Joe Beda

Hello folks, there is a lot more to come as this year wraps up: some articles are already sitting in my Medium drafts, and I wanted to shed light on Kubernetes features and how we can make the most of them. With the toolchain that has grown around it, the Kubernetes journey keeps accelerating. Let’s discuss five things to consider before proceeding with your K8s journey.

1. It’s an Ops Problem!

  • kubectl get pods -n kube-system --watch
  • kubectl get nodes -l dedicated=production

Managing the scalability of nodes, microservices, ingresses, and node pools is a hefty task. Every time the stack grows there is friction that lands you in ops issues, and those are the issues where developers complain about application scalability. Scaling objects like the HPA, the VPA, and the cluster-autoscaler come to the rescue, but setting them up initially, with benchmarking and scale-factor/metric computation, is tricky when cost also has to be kept under control. Features like metrics-based scaling and ingress RPS-based scaling are some of the solutions here. In the end it is all about minimizing the ops problem and increasing site reliability.
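The replica computation that makes the target metric and scale bounds matter, as an added example (a re-implementation of the HPA formula and its default 10% tolerance from the Kubernetes documentation, not code from this post or from Kubernetes); the simulation helper and its constant-load assumption are mine:

```python
"""Horizontal Pod Autoscaler replica arithmetic (added example; re-implements the
documented formula desired = ceil(current * currentMetric / targetMetric) with the
controller's default 0.1 tolerance, it is not Kubernetes' own code)."""
import math


def desired_replicas(current_replicas: int, current_metric: float,
                     target_metric: float, min_replicas: int = 1,
                     max_replicas: int = 10, tolerance: float = 0.1) -> int:
    """Replica count the HPA would ask for on one sync period, clamped to bounds.

    When the ratio current/target is within +-tolerance of 1.0 the controller
    leaves the fleet alone, which is what stops it from flapping around the target."""
    if target_metric <= 0:
        raise ValueError("target metric must be positive")
    ratio = current_metric / target_metric
    if abs(ratio - 1.0) <= tolerance:
        return current_replicas
    desired = math.ceil(current_replicas * ratio)
    return max(min_replicas, min(max_replicas, desired))


def simulate(load_per_replica: float, target: float, replicas: int = 3,
             steps: int = 5, **bounds) -> list:
    """Run successive sync periods against a constant total load (assumption).

    The total load is spread over the current replicas each round, so the
    per-replica metric falls as the fleet grows until it sits within tolerance;
    the returned history shows how quickly a badly chosen target moves the fleet."""
    total = load_per_replica * replicas
    history = [replicas]
    for _ in range(steps):
        per_replica = total / replicas
        replicas = desired_replicas(replicas, per_replica, target, **bounds)
        history.append(replicas)
    return history
```

Try `simulate(200, 100)` against `simulate(200, 50)` to see how halving the target doubles the steady-state fleet, which is the cost side of the trade-off above.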

2. Why does CI-CD in Micro-service matter?

docker build -t package-v0.1.1 .
helm upgrade [release] [chart] --version [version-number]
# Helm 3 takes the release name as the first argument (Helm 2 used --name)
helm install package-v0.1.0 $HELM_CHARTS/package/ \
--set image.tag=0.1.0 \
--set image.repository=package \
--set dockerregistry=$REGISTRY_NAME \
--namespace backend

Everything from packaging an app into a Docker container to spinning apps up in integration and staging environments is where we should put effort in. With minimal Docker images and unit, integration, and test suites in place, the usual CI pitfalls can be resolved. Helm can be the packaging tool that caters to deployment needs: it promotes application versions and also provides rollback functionality.

$ docker scan --help
Usage: docker scan [OPTIONS] IMAGE
A tool to scan your images
$ cat > helm-vault-raft-values.yml <<EOF
server:
  affinity: ""
  ha:
    enabled: true
    raft:
      enabled: true
EOF
$ helm install vault hashicorp/vault --values helm-vault-raft-values.yml
$ helm template charts/v1 | pluto detect --target-versions k8s=v1.20.0 -

Security is one of the critical parts of your Kubernetes story, and we should have security scanning in place not only for containers, using tools like Snyk, Twistlock, etc., but also for the code itself, using code quality and coverage tools like SonarQube to catch code smells.

We can also hand application secrets and API keys to HashiCorp’s Vault, which eliminates the need for hard-coded secrets and protects its own unseal key with Shamir’s Secret Sharing algorithm. Bitnami’s Sealed Secrets is a good alternative.

We should keep track of deprecated APIs using Pluto, and scanning policies and configuration with Datree or Checkov becomes handy.

We can also put guardrails around inter-service communication with mTLS and authorization policies by running apps on a service mesh like Istio or Linkerd.

4. Monitor your application wisely!

kubectl logs -l app.kubernetes.io/name=prometheus --follow

We should invest in monitoring tools, such as centralized logging with Sentry, to achieve application error logging. Observability is only complete with synthetic dashboards and ServiceMonitor alerts in place; Prometheus and Grafana are popular choices here. We can also monitor the K8s platform itself with Falco, cloud firewalls, or a WAF to detect external attacks. Tools like Robusta can add troubleshooting analysis and remediation steps where necessary. I found Robusta very friendly, and its Python-based actions and playbooks make life easier.

5. Leverage Cloud-native advantage!

kubectl annotate namespace microservice-namespace linkerd.io/inject=enabled
helm template charts/v1 | pluto detect --target-versions k8s=v1.20.0 -

Taking advantage of what you already have, the abundance of Kubernetes APIs such as CronJobs, Jobs, and the sidecar pattern via the Linkerd service mesh, is a much more valuable addition to your K8s cluster. Introducing tools like Flux CD and Argo CD is an added advantage for your cloud-native workflow and serves the purpose of canary deployments. Application health probes, Helm test hooks, checksum annotations on Helm releases, scaffolding tools like Cookiecutter to initialize microservice templates, and keeping services internal through ingress annotations are some of the gotchas we have implemented so far. Embracing this journey in K8s was not an easy task, but collaborating with developers and bringing passion to efficient infrastructure was always rewarding.
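A policy check in the spirit of the Datree/Checkov scanning mentioned in the security section and the health probes and checksum annotations listed above, as an added example (my code, not the post’s and not those tools’); the Deployment manifest is constructed and the registry name and probe paths are assumptions:

```python
"""Manifest policy checks in the spirit of Datree/Checkov (added example, not the
post's code or those tools'): flag missing health probes, an unpinned image tag,
absent resource limits, and a pod template without a checksum/* annotation."""
import copy
# Constructed Deployment, already parsed from YAML (dict form avoids a yaml dependency).
DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "package", "namespace": "backend"},
    "spec": {"template": {
        "metadata": {"annotations": {}},
        "spec": {"containers": [{"name": "package", "image": "package:latest"}]},
    }},
}

def check_deployment(manifest: dict) -> list:
    """Return policy violations as strings; an empty list means the manifest passes."""
    findings = []
    template = manifest.get("spec", {}).get("template", {})
    annotations = template.get("metadata", {}).get("annotations") or {}
    # A checksum/config annotation forces a rollout whenever the ConfigMap changes.
    if not any(key.startswith("checksum/") for key in annotations):
        findings.append("pod template has no checksum/* annotation")
    for c in template.get("spec", {}).get("containers", []):
        name, image = c.get("name", "<unnamed>"), c.get("image", "")
        last = image.rsplit("/", 1)[-1]  # drop registry[:port]/ before looking for a tag
        # Mutable tags make rollbacks ambiguous: require a version tag or a digest.
        if "@sha256:" not in last and (":" not in last or last.endswith(":latest")):
            findings.append(f"{name}: image '{image}' is not pinned")
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"{name}: missing {probe}")
        if "limits" not in (c.get("resources") or {}):
            findings.append(f"{name}: no resource limits")
    return findings

def hardened(manifest: dict) -> dict:
    """Copy of the manifest with the fixes applied, to show the checks passing."""
    fixed = copy.deepcopy(manifest)
    template = fixed["spec"]["template"]
    # In a Helm chart this value is the sha256sum of the rendered ConfigMap template.
    template["metadata"]["annotations"]["checksum/config"] = "<sha256-of-configmap>"
    c = template["spec"]["containers"][0]
    c["image"] = "registry.example/package:0.1.1"  # assumed registry, pinned version tag
    c["livenessProbe"] = {"httpGet": {"path": "/healthz", "port": 8080}}
    c["readinessProbe"] = {"httpGet": {"path": "/ready", "port": 8080}}
    c["resources"] = {"requests": {"cpu": "100m"}, "limits": {"cpu": "500m", "memory": "256Mi"}}
    return fixed
```

Run it over `helm template` output (parsed with a YAML library) to gate a pipeline the way the post's `pluto detect` step does for deprecated APIs.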

That being said, keep reading and keep being awesome!
