As more and more applications are built on the cloud, Kubernetes has rapidly become one of the most popular open-source technologies. Containerization is now standard practice in cloud-native development, and as a cluster orchestration tool, Kubernetes (K8s) simplifies the definition and operation of your containerized infrastructure.
K8s is extremely powerful, and once set up, it will unlock many benefits for your team. K8s can make your infrastructure easier to develop and scale. It can improve your product’s ability to withstand and recover from failures. It can simplify organizational challenges when it comes to maintaining infrastructure.
On the other hand, Kubernetes itself is complex and has a steep learning curve. If you’re looking for information about whether Kubernetes is right for your team, check out our in-depth exploration of the pros and cons of K8s.
To help you reduce the complexity and avoid failures, we’ve identified the seven best practices you can apply to your job when using Kubernetes. These will be helpful whether your team has recently decided to start its Kubernetes journey or if you’ve already traveled far down the path.
Upgrade your Kubernetes version
Running the latest version of Kubernetes will ensure you have access to new features, bug fixes, and security patches. Outdated versions of Kubernetes may leave known vulnerabilities open in your system, and you may find it harder to receive support for older versions. Unless you have a specific reason to stay on an old version, you should upgrade to the latest stable release, which is published by the Kubernetes project.
Use namespaces
Namespaces allow you to organize your cluster and set up logical divisions between domains or functions. Once your namespaces are set up, you can define policies and access rules for each. Namespaces simplify container management and reduce the risk of large-scale failure.
To minimize risk, you should practice the principle of least privilege: everyone should have only the permissions required to perform their function. For instance, to increase security and prevent accidents, you should ensure that developers only have access to namespaces related to their work. That way, if someone’s account were compromised, malicious agents couldn’t wreak havoc all across your infrastructure. Similarly, a developer couldn’t accidentally overwrite parts of your system that reside in other namespaces.
For a deeper dive into namespaces and how to set them up, you can read through the K8s docs.
Set up role-based access control (RBAC)
To make implementing the principle of least privilege easier, use role-based access control.
RBAC makes it simpler to manage the permissions and access granted to your users or service accounts, reducing the possibility of mistakes. Kubernetes allows you to set up roles within namespaces or across the cluster and define their permissions. Accounts can then be linked to those roles, ensuring they only have the permissions granted by those roles.
In the example above, to restrict developers to particular namespaces, developers would be given roles in just those namespaces. The permissions granted by these roles would allow them to deploy their code but not to change the broader operations of the cluster.
Regular maintenance of your organization's roles and permissions is important to ensure only proper access is being granted. Roles make this maintenance much simpler and safer than managing permissions individually for every account.
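The namespace and RBAC sections above describe restricting developers to the namespaces they work in. The manifest below is an added example, not code from the original post or from Plural: it creates a namespace for one team, a namespaced Role that grants only the verbs needed to deploy and debug workloads there, and a RoleBinding that attaches the Role to a group. The namespace name team-a and the group name team-a-developers are assumed placeholders; the group must match whatever your identity provider presents to the API server.

```yaml
# Added example: least-privilege access for one team's developers.
# "team-a" and "team-a-developers" are placeholder names (assumed).
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                     # namespaced: cannot grant anything outside team-a
metadata:
  name: developer
  namespace: team-a
rules:
  # Workload objects the team deploys and rolls back
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Runtime objects the team needs to debug and wire up its services
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Deliberately omitted: secrets, and anything cluster-scoped (nodes,
  # namespaces, ClusterRoles). A Role cannot grant cluster-scoped access,
  # so a compromised developer account stays confined to team-a.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-developers
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-developers    # group name from your identity provider (assumed)
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
```

To verify the binding behaves as intended, impersonate a member of the group and check both an allowed and a denied action, for example `kubectl auth can-i create deployments -n team-a --as=dev --as-group=team-a-developers` (expected: yes) and `kubectl auth can-i delete namespaces --as=dev --as-group=team-a-developers` (expected: no). A periodic run of such checks is a cheap way to do the role maintenance the section recommends.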
Organize your cluster with labels
Labels in Kubernetes allow you to attach key-value pairs to K8s objects. As an orchestration platform, Kubernetes lets you define objects to maintain an abstraction layer around your individual clusters and their states. As your infrastructure grows, you’ll end up with a growing number of objects as well. Labels make it easier to manage these objects. At a base level, you can use them to define and track metadata. For instance, you could use a label to track who a pod’s owner is.
Even better, you can query labels and manage objects in bulk using selectors. For instance, if you include a label that tracks which environment each pod is designated for, you could query all of your QA objects through the command line with a command like this:
$ kubectl get pods -l environment=QA --show-labels
More information on labels and examples of how to set up selectors can be found in the Kubernetes docs.
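The command above queries labels from the command line; the same labels also drive selectors inside manifests, which is where most bulk management actually happens. The following is an added example, not code from the original post or from Plural, showing a Deployment that labels its pods with app, environment, and owner, and a Service whose selector routes traffic only to pods carrying the matching app and environment labels. The namespace team-a, the owner value, and the image registry.example.com/api:1.4.2 are assumed placeholders.

```yaml
# Added example: labels attached to workload objects and consumed by selectors.
# team-a, the owner value and the image reference are placeholders (assumed).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: team-a
  labels:
    app: api
    environment: QA
    owner: team-a              # metadata label: who is responsible for this object
spec:
  replicas: 2
  selector:                    # which pods this Deployment manages
    matchLabels:
      app: api
      environment: QA
  template:
    metadata:
      labels:                  # must include every key in spec.selector.matchLabels
        app: api
        environment: QA
        owner: team-a
    spec:
      containers:
        - name: api
          image: registry.example.com/api:1.4.2   # placeholder image
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: api
  namespace: team-a
spec:
  selector:                    # only pods with both labels receive traffic
    app: api
    environment: QA
  ports:
    - port: 80
      targetPort: 8080
```

With these labels in place, selectors compose: `kubectl get pods -n team-a -l 'environment=QA,owner=team-a'` narrows to one team's QA pods, and set-based syntax such as `-l 'environment in (QA,staging)'` covers several environments at once. Because the Service selects on environment as well as app, a pod accidentally deployed with environment=prod in this namespace would not receive QA traffic, which is the kind of mistake labels are meant to make visible.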
Use a Git-based workflow
Kubernetes deployment can be complicated, so having an automated workflow will reduce hassles and errors. Setting up a Git-based workflow and a CI/CD pipeline allows you to maintain a single source of truth for your deployment; with automated deployment, your system will automatically reflect what’s in your repo. GitOps is a commonly used framework for organizing and supporting your workflow.
If any issues arise during your system's operation, a Git-based workflow will also make it simpler to roll back or redeploy.
Set up automated monitoring
Monitoring your cluster is critical for identifying issues and controlling resource usage. Issues with your cluster can worsen your product’s performance, increase your operational costs, and in the worst case, cause outages. Monitoring will allow you to identify these problems more quickly and understand their causes.
You should set up automated monitoring to help you make sense of Kubernetes alerts. Tools like Prometheus and Grafana will help you pull insights out of your data, allowing you to focus on what’s most important and make more informed decisions about your operations.
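To make the monitoring advice above concrete, here is an added example of a Prometheus alerting rules file, not code from the original post or from Plural. It assumes Prometheus scrapes kube-state-metrics, which exposes the kube_pod_container_status_restarts_total and kube_deployment_* metrics used here; the thresholds and the severity labels are assumptions to be tuned per cluster.

```yaml
# Added example: Prometheus alerting rules for two common cluster failure modes.
# Assumes kube-state-metrics is installed and scraped; thresholds are assumptions.
groups:
  - name: kubernetes-workloads
    rules:
      # A container restarting repeatedly usually means a crash loop or OOM kills.
      - alert: PodRestartingFrequently
        expr: increase(kube_pod_container_status_restarts_total[15m]) > 3
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "{{ $labels.namespace }}/{{ $labels.pod }} restarted more than 3 times in 15 minutes"
          description: "Container {{ $labels.container }} is restarting; check its logs and resource limits."

      # A Deployment running fewer pods than requested for a sustained period
      # points to scheduling, image-pull or readiness problems.
      - alert: DeploymentReplicasUnavailable
        expr: |
          kube_deployment_status_replicas_available
            < kube_deployment_spec_replicas
        for: 10m
        labels:
          severity: critical
        annotations:
          summary: "{{ $labels.namespace }}/{{ $labels.deployment }} has unavailable replicas"
          description: "Available replicas have been below the requested count for 10 minutes."
```

Load the file through the rule_files entry of the Prometheus configuration (or, with the Prometheus Operator, wrap the same groups in a PrometheusRule object). The `for` durations are what keep a single transient restart from paging anyone; the point of the section is to surface sustained problems quickly, not every blip.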
Set up network policies
Though it may seem safe enough to allow your containers to communicate with any other service behind your firewall, this can pose a risk if malicious actors gain entry into your system.
By default, your containers should deny any traffic unless it is from specifically allowed sources. The K8s docs provide further information on how to set up network policies.
Continue refining your practices
As your team gets more comfortable with Kubernetes, continue to refine how you incorporate these best practices. You should also develop your own. Every team has different needs, but setting up standards for your organization can reduce unnecessary complexity and prevent mistakes.
And here’s one last tip: if you’re deploying an open-source application on the cloud, try using Plural.
Join us on our Discord channel for questions, discussions, and to meet the rest of the community.