Kubernetes: Best Practices

Kubernetes is an open source platform for automating the deployment, scaling, and operation of application containers across clusters of hosts. It provides a platform for container-centric infrastructure and addresses all the challenges described above. Among its key features are:

  • Automated deployment and replication of containers
  • Online scale-in and scale-out of container clusters
  • Load balancing over groups of containers
  • Rolling upgrades of application containers
  • Resiliency, with automated rescheduling of failed containers (i.e., self-healing of container instances)
  • Controlled exposure of network ports to systems outside of the cluster

This open-source software project was started in 2014 by Google. It is built upon Google’s internal cluster management system, called Borg, which has been refined internally at Google for more than a decade. It is open and modular: you can run it on a VM or on bare metal, on-premises or in the cloud.

Let us now discuss the best practices to follow in Kubernetes:

  • Building large clusters
  • Running in multiple zones
  • Validating node setup
  • PKI certificates and requirements

Building large clusters:

A cluster is a set of nodes running Kubernetes agents, managed by a master. Kubernetes supports clusters with up to 5000 nodes. When setting up a large Kubernetes cluster, the following issues must be considered.

Quota Issues:

To avoid running into cloud provider quota issues, increase the quota for resources such as CPU, IP addresses, etc. before scaling the cluster up.

ETCD storage:

To improve the performance of large clusters, start and configure an additional etcd instance and configure the API server to use it for storing events, so that the high write volume of events does not compete with the rest of the cluster state.
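As an added example (not from the original post), the fragment below shows how the split is expressed on a kubeadm-style control plane, where the API server runs as a static pod: the main etcd cluster is given with `--etcd-servers`, and `--etcd-servers-overrides` routes only the core-group `events` resource to a second etcd cluster. The override uses the same etcd client certificate and CA as the main cluster. Host names, ports and the image tag are assumptions for illustration; the `/etc/kubernetes/pki/...` paths are the kubeadm defaults.

```yaml
# Added example: kube-apiserver static pod manifest fragment with a dedicated
# etcd cluster for Event objects. Host names and the image tag are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:<cluster-version>   # placeholder
    command:
    - kube-apiserver
    # Main etcd cluster holding all cluster state except events.
    - --etcd-servers=https://etcd-main-0:2379,https://etcd-main-1:2379,https://etcd-main-2:2379
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    # Per-resource override, format group/resource#servers; the empty group is
    # the core API group, so "/events" is core-group Events. Servers are
    # semicolon separated and are reached with the same TLS settings as above.
    - --etcd-servers-overrides=/events#https://etcd-events-0:2379;https://etcd-events-1:2379;https://etcd-events-2:2379
```

Because the events etcd is only reachable with the API server's client certificate, it should be placed behind the same network restrictions as the main etcd cluster; an etcd endpoint that accepts unauthenticated connections exposes the full cluster history to anyone who can reach it.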

Size of master and master components:

On GCE/Google Kubernetes Engine and AWS, kube-up automatically configures the proper VM size for your master depending on the number of nodes in the cluster. On other providers, you will need to configure it manually.

Running a Kubernetes cluster in multiple zones:

Kubernetes is designed so that a single Kubernetes cluster can run across multiple failure zones. When you deploy a cluster, place replicas of the control plane components across multiple failure zones. Kubernetes automatically spreads the Pods of workload resources (such as a Deployment or StatefulSet) across different nodes in a cluster; this spreading helps reduce the impact of failures. You can specify a StorageClass for PersistentVolumeClaims that restricts the failure domains (zones) the storage in that class may use. You can use a network plugin to configure cluster networking, and that network solution might have zone-specific elements.
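The two mechanisms mentioned above, as an added example that is not part of the original post: a Deployment that asks the scheduler to keep its replicas evenly spread across zones (using the well-known `topology.kubernetes.io/zone` node label), and a StorageClass that limits volumes to named zones and delays binding until a Pod is scheduled, so the volume is created in the zone the Pod actually lands in. The application name, zone names and the CSI provisioner name are assumptions.

```yaml
# Added example: zone-aware Deployment and StorageClass. Zone names, the app
# name and the provisioner are placeholders for a generic cloud provider.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 6
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      topologySpreadConstraints:
      - maxSkew: 1                              # zones may differ by at most one replica
        topologyKey: topology.kubernetes.io/zone
        whenUnsatisfiable: DoNotSchedule        # refuse rather than pile into one zone
        labelSelector:
          matchLabels:
            app: web
      containers:
      - name: web
        image: nginx:1.25
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: zonal-ssd
provisioner: example.com/zonal-block            # placeholder CSI driver name
volumeBindingMode: WaitForFirstConsumer         # provision in the Pod's zone
allowedTopologies:
- matchLabelExpressions:
  - key: topology.kubernetes.io/zone
    values:
    - zone-a
    - zone-b
    - zone-c
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: web-data
spec:
  accessModes: ["ReadWriteOnce"]
  storageClassName: zonal-ssd
  resources:
    requests:
      storage: 20Gi
```

With `DoNotSchedule`, a zone outage leaves the surviving replicas running but may keep replacements Pending until capacity returns; `ScheduleAnyway` trades that strictness for availability and is the right choice when the workload must be rescheduled at all costs.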

Validating node setup in Kubernetes:

The node conformance test is a containerized test framework that provides a system verification and functionality test for a node. The node should have the following daemons installed:

  1. Container runtime (Docker)
  2. Kubelet

Run the node conformance test on the node. This test validates whether the node meets the minimum requirements for Kubernetes. A node that passes the test is qualified to join a Kubernetes cluster.
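As an added example (not from the original post), the script below wraps the conformance test with a preflight check. The test is scheduled as a static pod, so the kubelet must be running with a pod manifest directory, and that directory must be mounted into the test container at the same path. The `docker run` line follows the upstream Kubernetes documentation; the result directory, the `ps` usage and the assumption that the kubelet was started with `--pod-manifest-path` (rather than `staticPodPath` in a kubelet config file) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: preflight around the node
# conformance test. Paths and the log directory are assumptions for the demo.
set -eu

# The conformance test runs as a static pod, so the kubelet must know its
# pod manifest directory. Extract --pod-manifest-path from an argument string.
# (A kubelet configured through a config file sets staticPodPath there instead.)
manifest_path_from_args() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^--pod-manifest-path=//p'
}

# Confirm the two daemons the post lists are installed and the kubelet is running.
# Prints the manifest path on success; returns 1 with a message otherwise.
preflight() {
  for bin in docker kubelet; do
    command -v "$bin" >/dev/null 2>&1 || { echo "missing: $bin" >&2; return 1; }
  done
  args=$(ps -o args= -C kubelet 2>/dev/null || true)
  [ -n "$args" ] || { echo "kubelet is not running" >&2; return 1; }
  path=$(manifest_path_from_args "$args")
  [ -n "$path" ] || { echo "kubelet has no --pod-manifest-path" >&2; return 1; }
  echo "$path"
}

# Compose the docker command from the upstream docs:
# $1 = kubelet pod manifest directory, $2 = directory that receives the results.
node_test_cmd() {
  printf 'docker run -it --rm --privileged --net=host -v /:/rootfs -v %s:%s -v %s:/var/result registry.k8s.io/node-test:0.2\n' \
    "$1" "$1" "$2"
}

# Print the command; execute it only when called with "run" as the argument.
main() {
  log_dir=${LOG_DIR:-/tmp/node-test-results}
  if config_dir=$(preflight); then
    mkdir -p "$log_dir"
    cmd=$(node_test_cmd "$config_dir" "$log_dir")
    echo "$cmd"
    if [ "${1:-}" = run ]; then
      sudo $cmd
    fi
  fi
}

main "$@"
```

The test container needs `--privileged`, host networking and the host root mounted at `/rootfs`, so run it only on a node that is being qualified, before it joins the cluster, and remove the image afterwards; inspect the files written to the results directory before admitting the node.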

PKI certificates and requirements:

PKI (Public Key Infrastructure) is a hierarchy of trust that uses digital certificates to authenticate the party they have been issued to. It therefore serves as the security and encryption framework that protects data transmissions between clients and your server. Kubernetes requires PKI certificates for authentication over TLS.

Kubernetes requires PKI for the following operations:

  1. The kubelet to authenticate to the API server
  2. Server certificate for the API server endpoint
  3. Administrators of the cluster to authenticate to the API server
  4. The API server to talk to the kubelets
  5. The API server to talk to etcd
  6. Controller manager to talk to the API server
  7. Scheduler to talk to the API server
  8. Client and server certificates for the front-proxy
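To make items 1 and 3 concrete, here is an added example (not from the original post) that builds a miniature cluster PKI with `openssl`. The API server identifies a client by its certificate subject: the CN becomes the user name and each O becomes a group, which is why an administrator certificate carries `O=system:masters` and a kubelet certificate is named `system:node:<name>` with `O=system:nodes`. The script issues both, plus a certificate with an identical subject signed by an unrelated CA, and shows that only certificates chaining to the cluster CA verify. The CA names, file prefixes and the working directory are assumptions; real clusters obtain these certificates from kubeadm or the cluster's own CA.

```shell
#!/bin/sh
# Added example, not from the original post: a toy Kubernetes-style PKI.
# File names, CA names and the working directory are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# $1 = CA name; writes a self-signed CA key and certificate (demo lifetime).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# $1 = file prefix, $2 = subject (CN = user, each O = group), $3 = signing CA name.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# The check the API server performs: does the client cert chain to the cluster CA?
verify_client() {
  if openssl verify -CAfile "$WORK/kubernetes-ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}

# User name (CN) that Kubernetes derives from a client certificate.
cert_user() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt sep_multiline,utf8 |
    sed -n 's/^ *CN=//p'
}

# Groups (O values), one per line.
cert_groups() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt sep_multiline,utf8 |
    sed -n 's/^ *O=//p'
}

demo() {
  make_ca kubernetes-ca   # the cluster CA the API server trusts
  make_ca other-ca        # an unrelated CA, to show what is rejected
  issue_client admin "/CN=kubernetes-admin/O=system:masters" kubernetes-ca
  issue_client node1 "/CN=system:node:node-1/O=system:nodes" kubernetes-ca
  issue_client stray "/CN=kubernetes-admin/O=system:masters" other-ca
  for c in admin node1 stray; do
    printf '%-6s %-9s user=%s groups=%s\n' "$c" "$(verify_client "$c")" \
      "$(cert_user "$c")" "$(cert_groups "$c" | tr '\n' ',')"
  done
}

demo
```

The `stray` certificate claims the same identity as `admin` but fails verification, which is the whole point of the hierarchy: the subject is only meaningful once the chain to the cluster CA has been checked. Treat the CA key (`kubernetes-ca.key` here, `/etc/kubernetes/pki/ca.key` on a kubeadm control plane) accordingly, since anyone holding it can mint a `system:masters` credential that the API server will accept.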

References:

https://kubernetes.io/docs/home/