20180504_talk_2
20180504_talk_2
- What “production ready” does really mean ?
- 1 - Production ready def
- 2 - Prod ready factors
- 3 - HA
- 4 - Security
- 5 - Deny by default (sec Bestpractices)
- 6 - Kubeadm
- 7 - ClusterAPI
- Recap
What “production ready” does really mean ?
Note: This talk is focused on k8s layer, not provision, not app deployment
1 - Production ready def
Good enought for user to server real-world traffic
Your offering is prod ready whent it exceed what your users expect
- Google def
It is all about tradeoffs
2 - Prod ready factors
- Reasonable secure (you can spend a lifetime trying to secure your cluster)
- HA enought for the usage
- Every components are declaratively controlled
- Changes to the cluster state can be safely applied
- Cluster pass e2e tests from CNCF
3 - HA
- k8s components can fail without causing the cluster to fail
- Mahines can fail without causing the cluster to fail
4 - Security
TLS communication everywhere
* Use anexternal PKI provider
API AuthN & AuthZ
* Disable anonymous auth on localhost
* Enforce RBAC and NodeAuthorizers
Kueblet lockdown
* Kueblet should have uniq ID
* Disable readonly, public and cAdvisor ports
-> Should be disabled in 1.11
Dashboard & Helm
* Whitelist explict operations for tiler
* Don’t give cluster-admin to everyones
-> Has auth since 1.7
5 - Deny by default (sec Bestpractices)
Deny by default
* RBAC
* NetworkPolicy
* restrictive PodSecurityPoicy
6 - Kubeadm
HA with Kubeadm
* kubeadm init on each Master node + LB for API servers
* kubeadm join on each Worker node
Tips:
* Hosts admin and controlPlan resources on the masters nodes
* Use Pod anti-affinity
* Prometheus kube-state-metrics
* Define SLI, SLO and SLA
7 - ClusterAPI
Features:
* Upgrade
* Auto-repair
* Cluster autoscale
Recap
- Pay attention to your need
- HA != MultiMaster
- PKI is important
- Declarative control is better