Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Preventing Kubernetes Misconfigurations

Komodor
April 24, 2022
Technology
0
69

Preventing Kubernetes Misconfigurations

Joint webinar co-hosted by Datree and Komodor, featuring Komodor's CTO Itiel Shwartz and CEO of Datree Shimon Tolts

Komodor

April 24, 2022
Tweet

More Decks by Komodor

See All by Komodor
The True Cost of Moving Fast & Breaking Things
komodor
0
6
GenAI Meets K8s
komodor
0
8
Workshop: Hidden Signals in K8s Clusters: A Data-Driven Approach to Reliability
komodor
0
16
Reliability-Driven Kubernetes Fleet Management
komodor
0
30
How to Ensure Continuous Kubernetes Reliability in 2024 with Marino Wijay
komodor
0
35
Nemlig.com's Multi-Cluster DNS Setup
komodor
0
84
Making Kubernetes Dev-Friendly with Komodor & Okteto
komodor
1
130
Unlocking Developer's Efficiency with Komodor & Loft
komodor
0
85
May the Fork Be with You: Community Contributed Open Source Projects FTW!
komodor
0
110

Other Decks in Technology

See All in Technology
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
300k
QAEチームが辿った3年 ボクらが改善業務にスクラムを選んだワケ / 20241108_cloudsign_ques23
bengo4com
0
590
SREの前に
nwiizo
11
2.7k
dev 補講: プロダクトセキュリティ / Product security overview
wa6sn
0
1.6k
SREの組織類型に応じた リーダシップの考察
kenta_hi
PRO
1
620
ジョブマッチングサービスにおける相互推薦システムの応用事例と課題
hakubishin3
3
620
AI長期記憶システム構築のための LLMマルチエージェントの取り組み / Awarefy-LLM-Multi-Agent
iktakahiro
2
350
組み込みLinuxの時系列
puhitaku
4
1k
私はこうやってマインドマップでテストすることを出す!
mineo_matsuya
0
200
GraphRAGを用いたLLMによるパーソナライズド推薦の生成
naveed92
0
190
FOSS4G 2024 Japan コアデイ 一般発表25 PythonでPLATEAUのデータを手軽に扱ってみる
ra0kley
1
130
フルカイテン株式会社 採用資料
fullkaiten
0
40k

Featured

See All Featured
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
Happy Clients
brianwarren
97
6.7k
For a Future-Friendly Web
brad_frost
175
9.4k
Scaling GitHub
holman
458
140k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Visualization
eitanlees
145
15k
A Philosophy of Restraint
colly
203
16k
How to train your dragon (web standard)
notwaldorf
88
5.7k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
231
17k

Transcript

  1. None
  2. None

  3. 3

  4. Prevent Kubernetes misconfigurations from reaching production https://github.com/datreeio/datree

  5. None

  6. Agenda 3. Why policies are important 4. Cool tools you

    can use to prevent it from happening to you 1. Kubernetes failures stories 2. Post mortems & Lessons learned

  7. Top Kubernetes failures | EVENT 1 failing CronJob created 4320

    “Restarting” pods X LESSON Verify concurrencyPolicy is always set to either “Forbid” or “Replace” ✓ TARGET 5 #4 apiVersion: batch/v1beta1 kind: CronJob metadata: name: gke-cron-job spec: schedule: '*/1 * * * *' startingDeadlineSeconds: 10 concurrencyPolicy: Allow

  8. Top Kubernetes failures | EVENT Their API server was down

    due to OOM issues X LESSON Always ensure that Kubernetes YAML structure is valid, ideally through automated checks. ✓ concurrencyPolicy: Forbid successfulJobsHistoryLimit: 1 failedJobsHistoryLimit: 1 ZALANDO 5 #3

  9. Top Kubernetes failures | EVENT Entire cluster was down due

    to OOM issues and high memory usage X LESSON Specify requests and limits. Especially for third-party services and apps ✓ BLUE MATADOR 5 #2

  10. Top Kubernetes failures | EVENT An entire cluster was down

    due to Ingress misconfiguration X LESSON Prevent users from specifying host as “*” ✓ TARGET 5 #1

  11. Top Kubernetes failures | Lessons learned 1 Missing YAML structure

    validation Zalando 2 Enforce policy on requests and limits Blue Matador Enforce concurrencyPolicy set to Allow Target 3 Conclusions Enforce ‘*’ in ingress resource Target 4

  12. Top Kubernetes failures |

  13. Cool tools that you can use | Where in the

    pipeline? datree gatekeeper confTest

  14. Cool tools that you can use | Where in the

    pipeline? datree confTest gatekeeper

  15. Cool tools that you can use | Conftest Helps writing

    tests against structured files It’s specially designed to be used with CI or local testing. Built on top of OPA so all the policies should be written in Rego.

  16. Datree CLI solution for policies enforcement It’s specially designed to

    be used with CI or local testing or even as a pre-commit hook Built in policies & Best practices It’s comes with built-in policies ansl enables K8s admis create their own policies and centralized management.

  17. Datree

  18. Datree

  19. Datree

  20. Cool tools that you can use | Datree Open source

    It’s free, and open for PRs 😎

  21. Summary

  22. 22