KubeCon + CloudNativeCon North America 2018

Using a Managed Kubernetes Service in the Enterprise

1. Managed Kubernetes Service in the Enterprise Daniel Selman- Kubernetes Consultant- Daniel.Selman@microsoft.com Sujit D’Mello- Principal Consultant- Sujit.DMello@microsoft.com
2. Agenda 1. Managed K8s- Best Practices 2. Monitoring 3. Security 4. Startup Scripts 5. Demo’s
3. Managed K8s- Best Practices • Projects with heavy dependencies ought to be packaged and deployed using Helm • Leverage Pipeline variables to deploy YAML to different environments • Deploy and Administrate your clusters through the API (or kubectl) - no SSH! • Establish naming conventions for all artifacts • Image pulls should be from private, managed container registries • Use managed databases for any back-end services
4. Monitoring • Logging • Configure verbose logging to stdout and stderr when developing your containerized applications • Log Rotation • Managed Kubernetes Services typically have defaults for log rolling • Custom tools can be used to configure log rolling for your requirements • Splunk • Daemonset that is built using the Splunk Universal Forwarder • Mounts the directory of container logs (stderr, stdout) • Forwards logs to Splunk Tenant
5. Security • Problem- Enterprises have requirements to install custom anti-malware on all Linux machines • How do you install custom software when you don’t have access to the nodes…? • You get creative with Kubernetes constructs
6. Anti-Malware DaemonSet • Solution Design • DaemonSets create a pod on each worker node in the cluster • Pods can mount Volumes on the host using the “hostPath” parameter • The init.d directory in /etc/ on the node tells the node what programs need to be run • Implementation • Create a DaemonSet mounting the root directory on the node to copy the antimalware program & modify init.d to install and run it •Useful for other utilities that aren't easily deployed using a container
7. Anti-Malware DaemonSet
8. Startup Scripts • Many Enterprises have a bootstrapping process that must be configured on each image at runtime • Implementation 1. Store startup script (.sh or .cmd) in cloud storage 2. All applications include a small script which loads and runs this startup script before handing off control to the application entry point 3. Use secrets to store the URLs to the startup script
9. Bootstrapping Use Cases 1. External App Configuration 2. SSL enforcement for Cluster Traffic 3. Custom Host Files
10. Demos 1. Splunk 2. Log Rotate 3. Anti-Malware