This section is a summary, a cheat sheet, of good practices for Kubernetes. It is mostly a summary of previous sections.
In no particular order:
Do not use root user in containers
The container paradigm, and the way it is implemented on Linux, was not built with security in mind: its purpose is to restrict resources, think CPU and RAM. The Docker documentation explains this in more detail.
This implies that your container should not use the user “root” to run commands; the reasons are explained here.
So on all your images add these two lines to make your application run with a dedicated user. Replace algolia with a name more relevant for you.

```dockerfile
# Create a dedicated group and system user with a fixed UID/GID, then switch
# to it: every following instruction and the container's entrypoint run as it
RUN groupadd -g 999 algolia && useradd -r -u 999 -g algolia algolia
USER algolia
```
YAML can be a tricky format.
In Kubernetes 1.13 the option --dry-run appeared on “kubectl”. You can use this feature to check whether your YAML files are valid for Kubernetes.
Same as above but for Dockerfiles: use a linter; hadolint seems a good choice.
SIGTERM signal in your applications
Kubernetes sends this signal when it wants to stop a container. You should listen for it and react as appropriate for your application (close connections, save state, etc.).
Define liveness and readiness probes for your containers.
Resources request and limits
Define resources for your containers.
Specify an anti-affinity for the pods of your deployments.
Specify a PDB for your deployments.
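As an added example (not from the original post), here is a Deployment and PodDisruptionBudget that apply the points above in one manifest: it refuses to run as root (and pins the UID to the one created in the Dockerfile), gives the application a grace period to handle SIGTERM, and sets resources, both probes, an anti-affinity and a PDB. The name example-app, the image, the probe paths and the numbers are placeholders to adapt; policy/v1 requires Kubernetes 1.21 or later.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app            # placeholder name
spec:
  replicas: 3
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      # The kubelet refuses to start the container if the image would run as
      # UID 0, which catches images that forgot the USER instruction.
      securityContext:
        runAsNonRoot: true
        runAsUser: 999         # UID created by the Dockerfile above
      # Window between SIGTERM and SIGKILL: shutdown must finish within it.
      terminationGracePeriodSeconds: 30
      affinity:
        podAntiAffinity:
          # Never place two replicas on the same node.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: example-app
              topologyKey: kubernetes.io/hostname
      containers:
        - name: app
          image: registry.example/example-app:1.0   # placeholder image
          resources:
            requests: {cpu: 100m, memory: 128Mi}
            limits: {cpu: 500m, memory: 256Mi}
          readinessProbe:                 # removed from Service endpoints if failing
            httpGet: {path: /ready, port: 8080}
            periodSeconds: 5
          livenessProbe:                  # restarted if failing
            httpGet: {path: /healthz, port: 8080}
            initialDelaySeconds: 10
            periodSeconds: 10
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: example-app
spec:
  minAvailable: 2                 # voluntary disruptions keep at least 2 pods up
  selector:
    matchLabels:
      app: example-app
```

Check the file before applying it with `kubectl apply --dry-run=client -f manifest.yaml` (`--dry-run=server` also runs the API server's admission checks).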
Other good practices
Not directly related to Kubernetes, but still useful:
- If you are in the cloud, use terraform to configure your clusters.