Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Preventing Kubernetes Misconfigurations

Komodor
April 24, 2022
Technology
0
69

Preventing Kubernetes Misconfigurations

Joint webinar co-hosted by Datree and Komodor, featuring Komodor's CTO Itiel Shwartz and CEO of Datree Shimon Tolts

Komodor

April 24, 2022
Tweet

More Decks by Komodor

See All by Komodor
The True Cost of Moving Fast & Breaking Things
komodor
0
6
GenAI Meets K8s
komodor
0
8
Workshop: Hidden Signals in K8s Clusters: A Data-Driven Approach to Reliability
komodor
0
16
Reliability-Driven Kubernetes Fleet Management
komodor
0
30
How to Ensure Continuous Kubernetes Reliability in 2024 with Marino Wijay
komodor
0
37
Nemlig.com's Multi-Cluster DNS Setup
komodor
0
84
Making Kubernetes Dev-Friendly with Komodor & Okteto
komodor
1
130
Unlocking Developer's Efficiency with Komodor & Loft
komodor
0
86
May the Fork Be with You: Community Contributed Open Source Projects FTW!
komodor
0
110

Other Decks in Technology

See All in Technology
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
2
230
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
540
DynamoDB でスロットリングが発生したとき/when_throttling_occurs_in_dynamodb_short
emiki
0
270
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.9k
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
210
Platform Engineering for Software Developers and Architects
syntasso
1
520
アジャイルチームがらしさを発揮するための目標づくり / Making the goal and enabling the team
kakehashi
3
160
AIチャットボット開発への生成AI活用
ryomrt
0
170
『Firebase Dynamic Links終了に備える』 FlutterアプリでのAdjust導入とDeeplink最適化
techiro
0
160
アプリエンジニアのためのGraphQL入門.pdf
spycwolf
0
100
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
130
アジャイルでの品質の進化 Agile in Motion vol.1/20241118 Hiroyuki Sato
shift_evolve
0
180

Featured

See All Featured
KATA
mclloyd
29
14k
The World Runs on Bad Software
bkeepers
PRO
65
11k
[RailsConf 2023] Rails as a piece of cake
palkan
52
4.9k
It's Worth the Effort
3n
183
27k
What's new in Ruby 2.0
geeforr
343
31k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
Testing 201, or: Great Expectations
jmmastey
38
7.1k
Fireside Chat
paigeccino
34
3k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
430
The Cult of Friendly URLs
andyhume
78
6k
Adopting Sorbet at Scale
ufuk
73
9.1k

Transcript

  1. None
  2. None

  3. 3

  4. Prevent Kubernetes misconfigurations from reaching production https://github.com/datreeio/datree

  5. None

  6. Agenda 3. Why policies are important 4. Cool tools you

    can use to prevent it from happening to you 1. Kubernetes failures stories 2. Post mortems & Lessons learned

  7. Top Kubernetes failures | EVENT 1 failing CronJob created 4320

    “Restarting” pods X LESSON Verify concurrencyPolicy is always set to either “Forbid” or “Replace” ✓ TARGET 5 #4 apiVersion: batch/v1beta1 kind: CronJob metadata: name: gke-cron-job spec: schedule: '*/1 * * * *' startingDeadlineSeconds: 10 concurrencyPolicy: Allow

  8. Top Kubernetes failures | EVENT Their API server was down

    due to OOM issues X LESSON Always ensure that Kubernetes YAML structure is valid, ideally through automated checks. ✓ concurrencyPolicy: Forbid successfulJobsHistoryLimit: 1 failedJobsHistoryLimit: 1 ZALANDO 5 #3

  9. Top Kubernetes failures | EVENT Entire cluster was down due

    to OOM issues and high memory usage X LESSON Specify requests and limits. Especially for third-party services and apps ✓ BLUE MATADOR 5 #2

  10. Top Kubernetes failures | EVENT An entire cluster was down

    due to Ingress misconfiguration X LESSON Prevent users from specifying host as “*” ✓ TARGET 5 #1

  11. Top Kubernetes failures | Lessons learned 1 Missing YAML structure

    validation Zalando 2 Enforce policy on requests and limits Blue Matador Enforce concurrencyPolicy set to Allow Target 3 Conclusions Enforce ‘*’ in ingress resource Target 4

  12. Top Kubernetes failures |

  13. Cool tools that you can use | Where in the

    pipeline? datree gatekeeper confTest

  14. Cool tools that you can use | Where in the

    pipeline? datree confTest gatekeeper

  15. Cool tools that you can use | Conftest Helps writing

    tests against structured files It’s specially designed to be used with CI or local testing. Built on top of OPA so all the policies should be written in Rego.

  16. Datree CLI solution for policies enforcement It’s specially designed to

    be used with CI or local testing or even as a pre-commit hook Built in policies & Best practices It’s comes with built-in policies ansl enables K8s admis create their own policies and centralized management.

  17. Datree

  18. Datree

  19. Datree

  20. Cool tools that you can use | Datree Open source

    It’s free, and open for PRs 😎

  21. Summary

  22. 22