Implementing Kubernetes: Best Practices For Getting It Right

Congratulations, after much pain and effort you finally have Kubernetes working. You may even have it working in production. But how do you know you’ve done everything right? How can you be sure your environment reflects best practices and is completely secure?

Here are just a few of the many questions to ask yourself to make sure you’re covering all of your bases.

Do your applications work and play well with others?

Kubernetes assumes you can start application components in any order, which is difficult to test. Likewise, you may not know what to set for application CPU and memory limits (or whether you should set them at all).

You may need to run the Vertical Pod Autoscaler with ‘recommendation’ mode enabled so you can get recommendations from the profiler. Or maybe you’d rather set values for everything via a LimitRange on each of your namespaces.

Is your environment hackable? 

Then, there’s the biggest worry of them all: Security.

Take the ServiceAccount, for example: by default, its token is auto-mounted into the file system of all Pods. Do you want that, or would you rather disable it and provide more granular policies? Similarly, Role-Based Access Control (RBAC) rules are difficult to set up. What RBAC design philosophy should you implement? Will it work for all your users?

Can you prove your Kubernetes is implemented correctly?

Where to begin if you want to ensure your implementation is a good one? 

First, you’ll need to analyze all of your YAML configuration files (as well as your Dockerfiles). Look for things such as containers running in privileged mode or anti-affinity rules that are set incorrectly (again, this is just a small sample of the possible things to consider).

Then, you’ll need to run plenty of kubectl queries to get dynamic information like node status and resource quotas. Lastly, query the logs for errors on the nodes and the control plane, and for general auditing.

At each of the above steps, validate your findings with known best practices. 
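As an added example (not from the original article or Appvia's assessment), the Python check below runs over Pod objects as JSON, such as the output of `kubectl get pods -A -o json`, and flags three items mentioned above: privileged containers, auto-mounted ServiceAccount tokens, and missing CPU or memory limits. The sample data and the `audit_pods` function name are constructed for illustration.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "shop", "name": "web"},
   "spec": {"containers": [
     {"name": "app", "securityContext": {"privileged": true}},
     {"name": "sidecar",
      "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}}]}},
  {"metadata": {"namespace": "shop", "name": "batch"},
   "spec": {"automountServiceAccountToken": false,
            "initContainers": [{"name": "init",
              "resources": {"limits": {"memory": "32Mi"}}}],
            "containers": [{"name": "job",
              "resources": {"limits": {"cpu": "1", "memory": "1Gi"}}}]}}
]}
""")

def audit_pods(pod_list):
    """Return sorted (namespace/pod, container or '-', finding) tuples."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        ref = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
        # Unset means the default applies: the token is mounted, unless the
        # ServiceAccount object itself opts out (not visible in the Pod spec).
        if spec.get("automountServiceAccountToken") is not False:
            findings.append((ref, "-", "service account token auto-mounted"))
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            if (c.get("securityContext") or {}).get("privileged") is True:
                findings.append((ref, c["name"], "privileged container"))
            limits = (c.get("resources") or {}).get("limits") or {}
            for res in ("cpu", "memory"):
                if res not in limits:
                    findings.append((ref, c["name"], f"no {res} limit"))
    return sorted(findings)

if __name__ == "__main__":
    for ref, container, finding in audit_pods(SAMPLE):
        print(f"{ref:12} {container:8} {finding}")
```

A missing limit is only a finding to review: a LimitRange on the namespace may supply defaults that this Pod-level view does not show.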

An easy way to assess your risks

As early adopters of Kubernetes, and maintainers of kOps, we know all the places where Kubernetes implementation can fall down. On the strength of that knowledge, we’ve assembled a free 1-day assessment of your Kubernetes clusters to help you determine the relative robustness of your Kubernetes implementation. 

The assessment measures and mitigates your Kubernetes risks against the checklist of priorities identified in the current CIS Kubernetes Benchmark:

  • Master Node Configuration
  • Control Plane Components & Configuration
  • ETCD Datastore
  • Worker Node Kubelet Configuration
  • RBAC Policies
  • Pod Security
  • Default Network Policies
  • General Cluster Policies

After a single-day audit of your clusters carried out by one of our expert architects, you’ll receive a PDF of the results along with actionable insights on how to harden your security posture.

By working together, we can ensure you have the best possible Kubernetes configuration.

About Appvia

Appvia enables businesses to solve complex cloud challenges with products and services that make Kubernetes secure, cost-effective and scalable.

Our founders have worked with Kubernetes in highly regulated, highly secure environments since 2016, contributing heavily to innovative projects such as kOps and fully utilizing Kubernetes ahead of the curve. We’ve mastered Kubernetes, and experienced its complexities, so our customers don’t have to.

Tennis Smith
HEAD OF US PRE-SALES
Tennis has spent over 40 years in the business, starting from a stint in the US Air Force he’s worked in various capacities from equipment installation, software QA, app development and DevOps. During his 30 years in Silicon Valley, he worked for the likes of Apple, Cisco and Visa International. On the personal front, he’s been married for 25 years, is an enthusiastic martial artist and spends too much money on his cats.
