{"id":5757,"date":"2020-10-13T09:00:54","date_gmt":"2020-10-13T03:30:54","guid":{"rendered":"https:\/\/www.upnxtblog.com\/?p=5757"},"modified":"2024-09-16T12:16:16","modified_gmt":"2024-09-16T06:46:16","slug":"10-best-practices-worth-implementing-to-adopt-kubernetes","status":"publish","type":"post","link":"https:\/\/www.upnxtblog.com\/index.php\/2020\/10\/13\/10-best-practices-worth-implementing-to-adopt-kubernetes\/","title":{"rendered":"Kubernetes Adoption in 2024: Key Statistics"},"content":{"rendered":"<p>We already know that <a href=\"https:\/\/kubernetes.io\/\" target=\"_blank\" rel=\"noopener\">Kubernetes<\/a> is the No. 1 orchestration platform for container-based applications, automating the deployment and scaling of these apps and streamlining maintenance operations. However, Kubernetes comes with its own complexity challenges. So how can an enterprise take advantage of containerization to tackle complexity and not end up with even more complexity? This article provides some of the best practices that you can implement to adopt Kubernetes.<\/p>\n<p><em>Cross Posted from <a href=\"https:\/\/containerjournal.com\/topics\/container-management\/10-best-practices-worth-implementing-to-adopt-kubernetes\/\" target=\"_blank\" rel=\"noopener\">Container Journal<\/a><\/em><\/p>\n<h2>#1.Keep a tab on policies<\/h2>\n<p>Define appropriate policies for cluster access controls, service access controls, resource utilization controls, and secret access controls. By default, containers run with unbounded compute resources on a Kubernetes cluster. To limit or restrict them, you have to implement appropriate policies.<\/p>\n<ul>\n<li>Use <em>NetworkPolicy<\/em> resources, which use labels to select pods and define rules that specify what traffic is allowed to the selected pods.<\/li>\n<li>The Kubernetes scheduler has default limits on the number of volumes that can be attached to a Node. 
To define the maximum number of volumes that can be attached to a Node for various cloud providers, use <em>Node-specific Volume Limits<\/em>.<\/li>\n<li>To enforce constraints on resource usage, use the <em>LimitRange<\/em> option for the appropriate resources in the namespace.<\/li>\n<li>To limit aggregate resource consumption per namespace, use Resource Quotas (detailed under #2 below).<\/li>\n<li>To allow or deny fine-grained permissions, use RBAC (Role-Based Access Control) and define rules accordingly.<\/li>\n<li>To define and control the security aspects of Pods, use Pod Security Policy (available from v1.15) to enable fine-grained authorization of pod creation and updates, covering:\n<ul>\n<li>Running of privileged containers<\/li>\n<li>Usage of host namespaces<\/li>\n<li>Usage of host networking and ports<\/li>\n<li>Usage of volume types<\/li>\n<li>Usage of the host filesystem<\/li>\n<li>Restricting escalation to root privileges<\/li>\n<li>The user and group IDs of the container<\/li>\n<li>AppArmor, seccomp, or sysctl profile used by containers<\/li>\n<\/ul>\n<\/li>\n<li>Use a policy engine such as <a href=\"https:\/\/www.upnxtblog.com\/index.php\/2019\/12\/09\/implementing-policies-in-kubernetes\/\"><strong>Open Policy Agent Gatekeeper<\/strong><\/a> to author and manage the policies.<\/li>\n<\/ul>\n<h2>#2.Manage Resources wisely<\/h2>\n<p>Use resource utilization (resource quota) guidelines to ensure the containerized applications co-exist without being eliminated due to resource violations at runtime. To enforce constraints on resource usage, use the <em>LimitRange<\/em> option for the appropriate resources in the namespace.<\/p>\n<p>To limit aggregate resource consumption per namespace, use the Resource Quotas below:<\/p>\n<ul>\n<li>Compute Resource Quota<\/li>\n<li>Storage Resource Quota<\/li>\n<li>Object Count Quota<\/li>\n<li>Quota Scopes &#8211; limits the number of resources based on the scope defined in the Quota Scopes option<\/li>\n<li>Requests vs Limits &#8211; Each container can specify a request and a limit value for either CPU or memory.<\/li>\n<li>Quota and cluster capacity \u2013 Expressed in absolute units<\/li>\n<li>Limit Priority Class consumption by default \u2013 For example, restrict usage of certain high priority pods<\/li>\n<\/ul>\n<h2>#3.Focus on comprehensive observability of the cluster<\/h2>\n<p>Currently, the Kubernetes ecosystem provides two add-ons for aggregating and reporting monitoring data from your cluster: <strong>(1) Metrics Server and (2) kube-state-metrics.<\/strong><\/p>\n<p><strong><a href=\"https:\/\/github.com\/kubernetes\/community\/blob\/master\/contributors\/design-proposals\/instrumentation\/metrics-server.md\" target=\"_blank\" rel=\"noopener\">Metrics Server<\/a><\/strong> is a cluster add-on that collects resource usage data from each node and provides aggregated metrics through <a href=\"https:\/\/github.com\/kubernetes\/metrics\" target=\"_blank\" rel=\"noopener\">the Metrics API<\/a>. The <strong>kube-state-metrics<\/strong> service provides additional cluster information 
that Metrics Server does not.<\/p>\n<p>Below are the key metrics and alerts that are required to monitor your Kubernetes cluster.<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>What to monitor?<\/strong><\/td>\n<td><strong>Metrics to monitor<\/strong><\/td>\n<td><strong>Alert Criteria<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>Cluster state<\/strong><\/td>\n<td>Monitor the aggregated resource usage across all nodes in your cluster.\n<ul>\n<li>Node status<\/li>\n<li>Desired pods<\/li>\n<li>Current pods<\/li>\n<li>Available pods<\/li>\n<li>Unavailable pods<\/li>\n<\/ul>\n<\/td>\n<td>\n<ul>\n<li>Node status<\/li>\n<li>Desired vs. current pods<\/li>\n<li>Available and unavailable pods<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td><strong>Node resources<\/strong><\/td>\n<td>For each node, monitor:\n<ul>\n<li>Memory requests<\/li>\n<li>Memory limits<\/li>\n<li>Allocatable memory<\/li>\n<li>Memory utilization<\/li>\n<li>CPU requests<\/li>\n<li>CPU limits<\/li>\n<li>Allocatable CPU<\/li>\n<li>CPU utilization<\/li>\n<li>Disk utilization<\/li>\n<\/ul>\n<\/td>\n<td>If the node\u2019s CPU or memory usage drops below a desired threshold.\n<ul>\n<li>Memory limits per pod vs. memory utilization per pod<\/li>\n<li>Memory utilization<\/li>\n<li>Memory requests per node vs. allocatable memory per node<\/li>\n<li>Disk utilization<\/li>\n<li>CPU requests per node vs. allocatable CPU per node<\/li>\n<li>CPU limits per pod vs. 
CPU utilization per pod<\/li>\n<li>CPU utilization<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td><strong>Missing pod<\/strong><\/td>\n<td>Health and availability of your pod deployments.\n<ul>\n<li>Available pods<\/li>\n<li>Unavailable pods<\/li>\n<\/ul>\n<\/td>\n<td>If the number of available pods for a deployment falls below the number of pods you specified when you created the deployment.<\/td>\n<\/tr>\n<tr>\n<td><strong>Pods that are not running<\/strong><\/td>\n<td>If a pod isn\u2019t running or even scheduled, there could be an issue with either the pod or the cluster, or with your entire Kubernetes deployment.\n<ul>\n<li>Pod status<\/li>\n<\/ul>\n<\/td>\n<td>Alerts should be based on the status of your pods (\u201cFailed,\u201d \u201cPending,\u201d or \u201cUnknown\u201d for the period of time you specify).<\/td>\n<\/tr>\n<tr>\n<td><strong>Container restarts<\/strong><\/td>\n<td><p>Container restarts could happen when you&#8217;re hitting a memory limit (e.g., Out of Memory kills) in your containers.<\/p>\n<p>Also, there could be an issue with either the container itself or its host.<\/p><\/td>\n<td>Kubernetes automatically restarts containers, but setting up an alert gives you an immediate notification; later you can analyze the cause and set the proper limits.<\/td>\n<\/tr>\n<tr>\n<td><strong>Container resource usage<\/strong><\/td>\n<td>Monitor container resource usage to detect whether containers are hitting 
resource limits or seeing spikes in resource consumption.<\/td>\n<td>Alerts when container CPU and memory usage cross thresholds based on their limits.<\/td>\n<\/tr>\n<tr>\n<td><strong>Storage volumes<\/strong><\/td>\n<td>Monitor storage to:\n<ul>\n<li>Ensure your application has enough disk space so pods don\u2019t run out of space.<\/li>\n<li>Track volume usage and adjust either the amount of data generated by the application or the size of the volume according to usage.<\/li>\n<\/ul>\n<\/td>\n<td><p>Alerts when available bytes or capacity cross your thresholds.<\/p>\n<p>Identify persistent volumes and apply a different alert threshold or notification for these volumes, which likely hold important application data.<\/p><\/td>\n<\/tr>\n<tr>\n<td><strong>Control Plane &#8211; Etcd<\/strong><\/td>\n<td>Monitor etcd for the parameters below:\n<ul>\n<li>Leader existence and change rate<\/li>\n<li>Committed, applied, pending, and failed proposals.<\/li>\n<li>gRPC performance.<\/li>\n<\/ul>\n<\/td>\n<td>Alerts when pending or failed proposals reach inappropriate thresholds.<\/td>\n<\/tr>\n<tr>\n<td><strong>Control Plane &#8211; API Server<\/strong><\/td>\n<td>Monitor the API server for the parameters below:\n<ul>\n<li>Rate \/ number of HTTP requests<\/li>\n<li>Rate \/ number of apiserver requests<\/li>\n<\/ul>\n<\/td>\n<td>Alerts when the rate or number of HTTP requests crosses a desired threshold.<\/td>\n<\/tr>\n<tr>\n<td><strong>Control Plane &#8211; Scheduler<\/strong><\/td>\n<td>Monitor the scheduler for the parameters below:\n<ul>\n<li>Rate, number, and latency of HTTP requests.<\/li>\n<li>Scheduling latency.<\/li>\n<li>Scheduling attempts by result.<\/li>\n<li>End-to-end scheduling latency (sum of scheduling).<\/li>\n<\/ul>\n<\/td>\n<td>Alerts when the rate or number of HTTP requests crosses a desired threshold.<\/td>\n<\/tr>\n<tr>\n<td><strong>Control Plane &#8211; Controller Manager<\/strong><\/td>\n<td>Monitor the controller manager for the parameters below:\n<ul>\n<li>Work queue depth<\/li>\n<li>Number of retries handled by the work queue<\/li>\n<\/ul>\n<\/td>\n<td>Alerts when requests to the work queue exceed a maximum threshold.<\/td>\n<\/tr>\n<tr>\n<td><strong>Kubernetes events<\/strong><\/td>\n<td>Collecting events from Kubernetes and from the container engine (such as Docker) allows you to see how pod creation, destruction, starting, or stopping affects the performance of your infrastructure.<\/td>\n<td>Any failure or exception should raise an alert.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Consider integrating with any of the commercial monitoring tools to consume probe-generated metrics and platform-generated metrics to have comprehensive observability of the cluster.<\/p>\n<h2>#4.Container security management must be part of your DevOps pipeline<\/h2>\n<p>Continuous security must be included as part of the DevOps pipeline to ensure containers are well-managed. 
Use any of the tools below to identify vulnerabilities in application containers while building container images.<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/quay\/clair\" target=\"_blank\" rel=\"noopener\">Clair<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/aquasecurity\/trivy\" target=\"_blank\" rel=\"noopener\">Trivy<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/aquasecurity\/kube-bench\" target=\"_blank\" rel=\"noopener\">kube-bench<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/falcosecurity\/falco\" target=\"_blank\" rel=\"noopener\">Falco<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/theupdateframework\/notary\" target=\"_blank\" rel=\"noopener\">Notary<\/a><\/li>\n<\/ul>\n<h2>#5.Audit your cluster routinely for compliance<\/h2>\n<p>Routinely audit the platform for Kubernetes patch levels, secret stores, compliance against known security vulnerabilities, encryption of secret stores, storage volumes, cluster policies, role binding policies, RBAC, and user management controls.<\/p>\n<h2>#6.Chaos test your cluster<\/h2>\n<p>Proactively chaos test your platform to ensure the robustness of the cluster. It also helps to test the stability of the containerized applications and the impact of crashing these containers. 
A wide range of open-source and commercial tools can be used; a few of them are listed below.<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/chaosblade-io\/chaosblade\" target=\"_blank\" rel=\"noopener\">Chaosblade<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/pingcap\/chaos-mesh\" target=\"_blank\" rel=\"noopener\">Chaos Mesh<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/bloomberg\/powerfulseal\" target=\"_blank\" rel=\"noopener\">PowerfulSeal<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/linki\/chaoskube\" target=\"_blank\" rel=\"noopener\">chaoskube<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/chaostoolkit\/chaostoolkit\" target=\"_blank\" rel=\"noopener\">Chaos Toolkit<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/litmuschaos\/litmus\" target=\"_blank\" rel=\"noopener\">Litmus<\/a><\/li>\n<li><a href=\"https:\/\/www.gremlin.com\/chaos-engineering\/\" target=\"_blank\" rel=\"noopener\">Gremlin<\/a><\/li>\n<\/ul>\n<h2>#7.Archive and backup your cluster<\/h2>\n<p>Kubernetes uses <code>etcd<\/code> as its internal metadata store to manage the objects across clusters. It is necessary to define a backup strategy for <code>etcd<\/code> and any other dependent persistent stores used within the Kubernetes clusters.<\/p>\n<p>Use <a href=\"https:\/\/www.upnxtblog.com\/index.php\/2019\/12\/16\/how-to-back-up-and-restore-your-kubernetes-cluster-resources-and-persistent-volumes\/\">Velero<\/a> or any of the open-source tools to back up <strong>Kubernetes resources<\/strong> and <strong>application data<\/strong>, so that in case of <strong>recovery from disaster<\/strong> the time to recover is reduced.<\/p>\n<h2>#8.Manage your deployment manifests<\/h2>\n<p>Kubernetes follows declarative management, hence every object, resource, or instruction is described only through declarative YAML manifests. 
It is necessary to leverage SCM tools or create custom utilities to manage these manifests.<\/p>\n<h2>#9.Continuous deployment of services<\/h2>\n<p><code>kubectl<\/code>-style deployments would not be possible in a large-scale production setup. Instead, you have to use one of the established open-source frameworks; for example, <a href=\"https:\/\/helm.sh\/\" target=\"_blank\" rel=\"noopener\"><strong>Helm<\/strong><\/a> is specifically built for Kubernetes to manage seamless deployments via the CI\/CD pipeline.<\/p>\n<p>Helm uses <em><strong>Charts<\/strong><\/em> that define the set of Kubernetes resources that together make up an application. You can think of charts as packages of pre-configured Kubernetes resources. Charts help you to define, install, and upgrade even the most complex Kubernetes application. These charts can describe a single resource, such as a Redis pod, or a full stack of a web application: HTTP servers, databases, and caches.<\/p>\n<p>In the recent release of Helm, releases are managed inside Kubernetes using <a href=\"https:\/\/helm.sh\/docs\/chart_template_guide\/builtin_objects\/\" target=\"_blank\" rel=\"noopener\">Release Objects<\/a> and Kubernetes Secrets. Every modification, such as installing, upgrading, or downgrading a release, results in a new version of that Kubernetes Secret.<\/p>\n<h2>#10.Use Service mesh<\/h2>\n<p><a href=\"https:\/\/www.upnxtblog.com\/index.php\/2018\/12\/17\/what-is-service-mesh-why-do-we-need-it-linkered-tutorial\/\">Service mesh<\/a> offers consistent discovery, security, tracing, monitoring, and failure handling without the need for a shared asset such as an API gateway. 
So if you have a service mesh on your cluster, you can achieve all the items below without making changes to your application code.<\/p>\n<ul>\n<li>Automatic load balancing<\/li>\n<li>Fine-grained control of traffic behavior with routing rules, retries, failovers, etc.<\/li>\n<li>Pluggable policy layer<\/li>\n<li>Configuration API supporting access controls, rate limits, and quotas<\/li>\n<li>Service discovery<\/li>\n<li>Service monitoring with automatic metrics, logs, and traces for all traffic<\/li>\n<li>Secure service-to-service communication<\/li>\n<\/ul>\n<p>Currently, service mesh is offered by <a href=\"https:\/\/github.com\/linkerd\/linkerd2\" target=\"_blank\" rel=\"noopener\">Linkerd<\/a>, <a href=\"https:\/\/github.com\/istio\/istio\" target=\"_blank\" rel=\"noopener\">Istio<\/a>, and <a href=\"http:\/\/www.conduit.io\/\" target=\"_blank\" rel=\"noopener\">Conduit<\/a>.<\/p>\n<p>It is necessary to choose an appropriate service mesh that is compatible with the Kubernetes cluster as well as the underlying infrastructure.<\/p>\n<h2>Conclusion<\/h2>\n<p>This article covers the key best practices that you can implement for Kubernetes adoption. However, operating Kubernetes clusters is not without its challenges.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We already know that Kubernetes is the No. 1 orchestration platform for container-based applications, automating the deployment and scaling of these apps and streamlining maintenance operations. However, Kubernetes comes with its own complexity challenges. So how can an enterprise take advantage of containerization to tackle complexity and not end up with even more complexity? 
This article [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":5797,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[311],"tags":[149],"class_list":["post-5757","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kubernetes","tag-kubernetes"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.upnxtblog.com\/wp-content\/uploads\/2020\/10\/Big-Idea.jpg?fit=770%2C330&ssl=1","jetpack_shortlink":"https:\/\/wp.me\/p9fbQS-1uR"}