
Docker & Kubernetes Practices for Java Developers

A collection of practices, tips & tricks, for constructing Docker Containers and using Kubernetes for Java developers.

This deck is based on materials from:

Docker Tips and Tricks for Java Developers (Ray Tsang @saturnism)
https://speakerdeck.com/saturnism/2017-devnexus-docker-tips-and-tricks-for-java-developers

Kubernetes Best Practices (Sandeep Dinesh @sandeepdinesh)
https://speakerdeck.com/thesandlord/kubernetes-best-practices

Kubernetes Security Best Practices (Ian Lewis @ianmlewis)
https://speakerdeck.com/ianlewis/kubernetes-security-best-practices

Ray Tsang

April 26, 2018

Transcript

  1. 2 @saturnism @googlecloud @kubernetesio
     Ray Tsang, Developer Advocate, Google Cloud Platform
     Spring Cloud GCP: cloud.spring.io/spring-cloud-gcp/
     @saturnism | +RayTsang
  2. 5 apiVersion: extensions/v1beta1
     kind: Deployment
     metadata:
       name: work-server-v1
       ...
     spec:
       replicas: 2
       template:
         ...
         spec:
           containers:
           - name: work-server
             image: saturnism/work-server-istio:v1
  3. 6 (Architecture diagram: web browsers, kubectl, config file, Kubernetes Master with scheduler, Kubelets, container image)
  4. 8 Let's see some practices... Based on materials from:
     • Docker Tips and Tricks for Java Developers (Ray Tsang)
     • Kubernetes Best Practices (Sandeep Dinesh)
     • Kubernetes Security Best Practices (Ian Lewis)
  5. 10 Tag your containers! What do these containers have in common?
     helloworld-service:latest
     debian:9
     openjdk:8
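A small lint for the mutable-tag problem on this slide, added here as an example (it is not from the deck): `image_ref_pinned` accepts an image reference only when it carries an explicit non-`latest` tag or a content digest, and `lint_images` runs that check over every `image:` line of a manifest so a CI step can fail on the count. The sample manifest, the registry host and the digest value are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the deck. Accepts an image reference only when it
# is pinned: an explicit tag other than "latest", or a content digest.
# Returns 0 when pinned, 1 otherwise.
image_ref_pinned() {
    ref="$1"
    # A digest reference (repo@sha256:...) is immutable: always acceptable.
    case "$ref" in
        *@sha256:*) return 0 ;;
    esac
    # Strip a registry host (first path component containing '.' or ':',
    # or "localhost"). A host may carry a port, e.g. registry.example.com:5000/app,
    # and that colon must not be mistaken for a tag separator.
    rest="$ref"
    first="${ref%%/*}"
    if [ "$first" != "$ref" ]; then
        case "$first" in
            *.*|*:*|localhost) rest="${ref#*/}" ;;
        esac
    fi
    # Any colon left now separates the repository from its tag.
    case "$rest" in
        *:*) tag="${rest##*:}" ;;
        *)   tag="" ;;
    esac
    case "$tag" in
        ""|latest) return 1 ;;   # no tag (implicit latest) or explicit latest
        *)         return 0 ;;
    esac
}

# Reads manifest text on stdin, prints each unpinned reference to stderr and
# the number of offenders to stdout, so a CI step can fail on a non-zero count.
lint_images() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *image:*)
                img="${line#*image:}"
                img=$(printf '%s' "$img" | sed "s/[[:space:]\"']//g")
                if ! image_ref_pinned "$img"; then
                    echo "unpinned image: $img" >&2
                    bad=$((bad + 1))
                fi
                ;;
        esac
    done
    echo "$bad"
}

# Constructed sample manifest (registry host and digest are placeholder values).
SAMPLE_MANIFEST='apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: work-server
        image: saturnism/work-server-istio:v1
      - name: sidecar
        image: helloworld-service:latest
      - name: debug
        image: "debian"
      - name: db
        image: registry.example.com:5000/postgres@sha256:0000000000000000000000000000000000000000000000000000000000000000'

# Usage: succeeds only when every image in the sample is pinned.
lint_sample() {
    count=$(printf '%s\n' "$SAMPLE_MANIFEST" | lint_images)
    [ "$count" -eq 0 ]
}
```

The check is deliberately line-oriented so it runs before anything touches a cluster; a tag such as `debian:9` still passes, because the lint can only tell an explicit tag from a missing or `latest` one, and a digest pin is the only reference that is truly immutable.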
  6. 12 Combine RUN commands
     RUN apt-get update
     RUN apt-get install -y --no-install-recommends ...
     RUN rm -rf /var/lib/apt/lists/*
     vs.
     RUN apt-get update && \
         apt-get install -y --no-install-recommends ... && \
         rm -rf /var/lib/apt/lists/*
  7. 14 Don't Log to Container Filesystem! Log to a volume:
     docker run -v /tmp/log:/log ...
     Or, better yet, send it elsewhere! I prefer STDOUT.
  8. 21 Heap vs Native Memory: set -Xmx to a percentage of the memory limit. Use a startup script.
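The startup script this slide calls for, written out as an added example (it is not the deck's own script): it reads the container's cgroup memory limit, computes `-Xmx` as a percentage of it, and falls back to a default when the container has no limit. The 75 % default, the 512m fallback and the `/app/app.jar` path are assumptions of the example; the cgroup file paths are the standard v1 and v2 locations.

```shell
#!/bin/sh
# Added example, not the deck's own script: an entrypoint helper that derives
# -Xmx from the container's cgroup memory limit rather than hard-coding it.
# Older JVMs (before JDK 10 and 8u191) sized the default heap from host RAM,
# not the cgroup limit, which is why the slide recommends a startup script.

# heap_from_limit LIMIT_BYTES PERCENT: print the heap size as "<MiB>m".
# Returns 1 (prints nothing) when there is no effective limit, so the caller
# can fall back to a default.
heap_from_limit() {
    limit="$1"
    percent="$2"
    # cgroup v2 reports "max" when unlimited; cgroup v1 reports a sentinel
    # close to 2^63. Treat anything above 1 TiB as "no limit".
    case "$limit" in
        ""|max) return 1 ;;
    esac
    if [ "$limit" -gt 1099511627776 ]; then
        return 1
    fi
    mib=$(( limit * percent / 100 / 1048576 ))
    printf '%sm\n' "$mib"
}

# Read the limit from whichever cgroup version the kernel exposes.
read_memory_limit() {
    if [ -r /sys/fs/cgroup/memory.max ]; then                         # cgroup v2
        cat /sys/fs/cgroup/memory.max
    elif [ -r /sys/fs/cgroup/memory/memory.limit_in_bytes ]; then    # cgroup v1
        cat /sys/fs/cgroup/memory/memory.limit_in_bytes
    else
        echo max
    fi
}

# build_java_opts PERCENT FALLBACK: the JVM flags for this container.
# Leaving (100 - PERCENT) % of the limit for metaspace, thread stacks and
# native memory is the point of the slide; -XX:+ExitOnOutOfMemoryError makes
# the process die (and be restarted by Kubernetes) instead of limping on.
build_java_opts() {
    percent="${1:-75}"
    fallback="${2:-512m}"
    heap=$(heap_from_limit "$(read_memory_limit)" "$percent") || heap="$fallback"
    printf '%s\n' "-Xmx${heap} -XX:+ExitOnOutOfMemoryError"
}

# Entrypoint usage (the jar path is an assumption of this example):
#   JAVA_TOOL_OPTIONS="$(build_java_opts 75 512m)" exec java -jar /app/app.jar
```

On JDK 10 and later (and 8u191 and later) the JVM reads the cgroup limit itself and `-XX:MaxRAMPercentage=75` achieves the same thing without a script; the script remains useful for older runtimes and for putting the native-memory headroom under explicit control.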
  9. 23 Avoid Multi-Module Projects: when you have independent services, don't put them in the same multi-module project...
  10. 29 kubectl apply --record
      Records the command line, so it shows in the history: kubectl rollout history deployments ...
  11. 31 External Service
      kind: Service
      apiVersion: v1
      metadata:
        name: mydatabase
        namespace: prod
      spec:
        type: ExternalName
        externalName: my.db.example.com
      ---
      kind: Service
      apiVersion: v1
      metadata:
        name: mydatabase
      spec:
        ports:
        - protocol: TCP
          port: 80
          targetPort: 12345
      Then add your own endpoints!
  12. 34 Don't Run as root!
      apiVersion: v1
      kind: Pod
      metadata:
        name: hello-world
      spec:
        securityContext:
          runAsNonRoot: true
          runAsUser: 1000
          fsGroup: 2000
        containers:
        # specification of the pod's containers
        # ...
        # allowPrivilegeEscalation is a container-level field, not a pod-level one:
        # - name: ...
        #   securityContext:
        #     allowPrivilegeEscalation: false
  13. 35 Read Only Filesystem
      apiVersion: v1
      kind: Pod
      metadata:
        name: hello-world
      spec:
        ...
        containers:
        - ...
          securityContext:
            readOnlyRootFilesystem: true   # container-level field, not pod-level
  14. 36 Containing Breakouts: containers are not security boundaries! We can try seccomp, AppArmor, SELinux, but still!
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: ...
        container.apparmor.security.beta.kubernetes.io/hello: ...
  15. 37 PodSecurityPolicy: enforce a security policy cluster-wide
      apiVersion: extensions/v1beta1
      kind: PodSecurityPolicy
      metadata:
        name: example
      spec:
        privileged: false  # Don't allow privileged pods!
        # The rest fills in some required fields.
        seLinux:
          rule: RunAsAny
        supplementalGroups:
          rule: RunAsAny
        runAsUser:
          rule: MustRunAs   # rule must be a strategy name; the UID comes from the range
          ranges:
          - min: 1000
            max: 1000
        fsGroup:
          rule: RunAsAny
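Slides 12, 13 and 15 each ask for one setting; the check below, added here as an example (it is not from the deck), gates all of them at once before a manifest reaches the cluster. It is a line-oriented grep that assumes one YAML key per line as `kubectl` and `helm` emit, does not check nesting, and is meant as a fast CI pre-check in front of the cluster-wide enforcement a PodSecurityPolicy gives you, not as a replacement for it. The two Pod manifests are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the deck: a pre-deploy check that a Pod manifest
# opts into the hardening slides 12, 13 and 15 ask for. Line-oriented grep,
# one YAML key per line; not a YAML parser and no nesting check.

# Each line: "<key>: <required value>". A quoted value ("true") is rejected
# on purpose: the check is strict rather than lenient.
REQUIRED_SETTINGS='runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true'

# audit_security_context MANIFEST_TEXT: report findings on stderr, print the
# number of findings on stdout (0 means the manifest passes) and return it.
audit_security_context() {
    manifest="$1"
    findings=0
    while IFS= read -r want; do
        key="${want%%:*}"
        if printf '%s\n' "$manifest" | grep -q -E "^[[:space:]]*${want}[[:space:]]*$"; then
            continue
        fi
        findings=$((findings + 1))
        # Distinguish "absent" from "present with the wrong value".
        if printf '%s\n' "$manifest" | grep -q -E "^[[:space:]]*${key}:"; then
            echo "WRONG VALUE: $key (need '$want')" >&2
        else
            echo "MISSING:     $key (need '$want')" >&2
        fi
    done <<EOF
$REQUIRED_SETTINGS
EOF
    # privileged: true is a hard failure whatever else is set.
    if printf '%s\n' "$manifest" | grep -q -E '^[[:space:]]*privileged:[[:space:]]*true'; then
        echo "FORBIDDEN:   privileged: true" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
    return "$findings"
}

# Constructed manifest that follows the slides (fields at their real levels:
# runAsNonRoot on the pod, the other two on the container).
HARDENED='apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
  containers:
  - name: hello
    image: helloworld-service:v1
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true'

# Constructed manifest with the settings missing, wrong, or forbidden.
WEAK='apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
  - name: hello
    image: helloworld-service:latest
    securityContext:
      privileged: true
      readOnlyRootFilesystem: false'

# Usage in CI (manifest read from a file): audit_security_context "$(cat pod.yaml)"
```

Running it over the weak manifest reports four findings: `runAsNonRoot` and `allowPrivilegeEscalation` absent, `readOnlyRootFilesystem` set to the wrong value, and `privileged: true` forbidden outright.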
  16. 40 Better yet, tie it to your user directory: Google Kubernetes Engine ties to Identity and Access Management (IAM).
  17. 41 And don't expose the API Server! If it's on the public internet, make sure it's firewalled:
      gcloud container clusters create --enable-master-authorized-networks --master-authorized-networks=...
  18. 42 Network Policy: which pod can establish connections to which pod?
      gcloud container clusters create ... --enable-network-policy
  19. 43 Mutual TLS: stronger than Network Policy. Use a service mesh, like Istio: automatic certificate generation and rotation.
  20. 46 Build without cache, because you probably install without pinning versions (a cached layer would keep whatever package versions it was built with):
      RUN apt-get update && apt-get install ...
  21. 47 Check in your YAMLs! If you don't remember anything else, do this!! If you use a template and don't check in the YAMLs, you must have the template plus the variable values, so you can regenerate them.
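The "template plus values, so you can regenerate it" rule on this slide, turned into a CI check as an added example (it is not from the deck): `render_template` regenerates a manifest from a template and a `KEY=VALUE` values file, refusing to render while any placeholder is unset, and `check_drift` fails when the checked-in YAML no longer matches what template and values produce. Only `sed` and `grep` are used, so it also runs where `envsubst` or `helm` are not installed; the `${NAME}` placeholder syntax, the template, the values and the checked-in manifest are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the deck: regenerate a manifest from its template
# plus a values file, and fail when the checked-in YAML has drifted from it.
# Placeholders look like ${NAME}; values are KEY=VALUE lines.

# render_template TEMPLATE_TEXT VALUES_TEXT: print the rendered manifest.
# Blank lines and '#' comments in the values are skipped. Returns 1 if any
# placeholder is left unset, so a half-rendered file can never be applied.
render_template() {
    template="$1"
    values="$2"
    # Build one sed substitution per value. The value is escaped for sed's
    # replacement side (/, &, \) so registry paths and URLs survive intact.
    script=$(printf '%s\n' "$values" | while IFS='=' read -r key value; do
        case "$key" in ""|\#*) continue ;; esac
        esc=$(printf '%s' "$value" | sed 's/[\/&\\]/\\&/g')
        printf 's/\\${%s}/%s/g\n' "$key" "$esc"
    done)
    rendered=$(printf '%s\n' "$template" | sed "$script")
    leftover=$(printf '%s\n' "$rendered" | grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' | sort -u)
    if [ -n "$leftover" ]; then
        printf 'unset placeholder: %s\n' $leftover >&2
        return 1
    fi
    printf '%s\n' "$rendered"
}

# check_drift TEMPLATE_TEXT VALUES_TEXT CHECKED_IN_TEXT: return 0 when the
# checked-in manifest equals the regenerated one, 1 otherwise.
check_drift() {
    expected=$(render_template "$1" "$2") || return 1
    if [ "$expected" = "$3" ]; then
        return 0
    fi
    echo "drift: checked-in YAML differs from template + values; regenerate and commit" >&2
    return 1
}

# Constructed template; ${...} are placeholders, not shell expansions.
TEMPLATE='apiVersion: apps/v1
kind: Deployment
metadata:
  name: ${NAME}
spec:
  replicas: ${REPLICAS}
  template:
    spec:
      containers:
      - name: ${NAME}
        image: ${REGISTRY}/${NAME}:${VERSION}'

# Constructed values file for one environment.
VALUES_PROD='# prod values (constructed)
NAME=work-server
REPLICAS=2
REGISTRY=gcr.io/example-project
VERSION=v1'

# Constructed copy of what is committed next to the template and values.
CHECKED_IN_PROD='apiVersion: apps/v1
kind: Deployment
metadata:
  name: work-server
spec:
  replicas: 2
  template:
    spec:
      containers:
      - name: work-server
        image: gcr.io/example-project/work-server:v1'

# Usage in CI: check_drift "$(cat deploy.tmpl.yaml)" "$(cat prod.values)" "$(cat prod/deploy.yaml)"
```

Committing the rendered YAML alongside the template and values is what makes the drift check possible: a reviewer sees the exact manifest that will be applied, and the check proves it can be regenerated from the inputs that produced it.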
  22. 52 Don't manage your own cluster... Use a managed service, like Google Kubernetes Engine!