Kubernetes three-step safety talk: how to monitor and control the resource consumption of Kubernetes

This article is the last in a three-part series on Kubernetes security. In the first article we showed how to protect an enterprise Kubernetes cluster from external attacks; the second described three ways to protect Kubernetes from internal threats. In this article we describe how to handle resource consumption, also known as the "noisy neighbor" problem.


For administrators who run a multi-tenant Kubernetes cluster, a major concern is how to prevent a co-tenant from becoming a "noisy neighbor", that is, someone who monopolizes CPU, memory, storage and other resources. A noisy neighbor badly degrades performance for every other user of the shared infrastructure.


As a result, tracking the resource usage of Kubernetes containers and Pods is very important for cluster management: it not only keeps the container system running optimally and reduces operating costs, but also improves the overall security posture of Kubernetes.


Some operations teams may not consider resource consumption an important security issue, or at least not as important as protecting Kubernetes against internal and external network attacks. That view is mistaken: a capable attacker will exploit a malfunctioning infrastructure to find a way to compromise Kubernetes components.


"Security is not just 'don't break into my house', but 'how do I keep my house in good working condition'," said Adrian Goins, senior solutions architect at Rancher Labs.


Operations teams need to make the best use of the resources consumed by Kubernetes Pods (a set of one or more containers with shared storage and network resources), so that every user gets the best performance, and they need to monitor usage for cost allocation. "Usage equals cost," Goins said, "because Kubernetes runs on the underlying computing infrastructure of cloud providers such as AWS, Google Cloud and Alibaba Cloud, so every resource consumed costs money. Even a cluster running in a bare-metal data center uses hardware, electricity and other resources."


By default, a container is configured with no limit on the amount of resources it can use. If a container does not run efficiently, the organization deploying it pays for the excess. Fortunately, Kubernetes provides features that help operations teams manage and optimize the utilization of Kubernetes resources.


Managing Pod resources


When administrators define a Pod, they can specify how much CPU and memory (RAM) each container needs. When containers specify resource requests, the scheduler can make better decisions about which node to place the Pod on. According to the Kubernetes documentation, when containers specify limits, contention for resources on a node is handled in the specified manner.


By default, all Kubernetes cluster resources are created in the default namespace. A namespace is a logical way to group resources in a cluster, and it is also the unit to which resource quotas are assigned.


Administrators can set resource limits or quotas on a namespace, allocating a fixed amount of CPU, RAM or storage (the three resource types of a Kubernetes cluster) to the workloads or applications running in that namespace. "If starting another resource would exceed the quota pre-set on the namespace, then that new resource cannot start," Goins said.


"When you apply a resource quota, you force everything running in the namespace to set resource constraints for itself, and there are two types: reservations and maximum limits," Goins explained. For example, with a reservation, an administrator can have the Kubernetes cluster allocate 128 MB of RAM to a WordPress site. For each WordPress Pod deployed, the server guarantees 128 MB of RAM. Therefore, if the administrator sets the resource request to 128 MB and the resource quota to 1 GB in total, the user can run only eight WordPress Pods before exceeding the limit. After that, no more RAM is available to them.


The second part is the maximum resource limit. An administrator can set a resource request of 128 MB and a maximum of 256 MB of RAM. "If the Pod exceeds 256 MB of RAM usage, Kubernetes will kill it and restart it," Goins said. "So a user's runaway process cannot affect others and become the noisy neighbor."
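The quota and limit scheme described above, written out as Kubernetes manifests. This is an added example, not configuration from the original article or from Rancher; the namespace name, object names and image are assumptions, and the 128Mi/256Mi/1Gi values follow the article's WordPress example.

```yaml
# Added example, not from the original article: a namespace with a quota,
# default per-container requests/limits, and a Pod that stays within them.
# Values follow the article: 128Mi reserved, 256Mi maximum, 1Gi namespace quota.
apiVersion: v1
kind: Namespace
metadata:
  name: wordpress                # assumed namespace name
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: wordpress-quota
  namespace: wordpress
spec:
  hard:
    requests.memory: 1Gi         # total reserved RAM for all Pods in the namespace
    limits.memory: 2Gi           # total maximum RAM
    pods: "10"
---
apiVersion: v1
kind: LimitRange
metadata:
  name: wordpress-defaults
  namespace: wordpress
spec:
  limits:
  - type: Container
    defaultRequest:              # used when a container sets no request
      memory: 128Mi
    default:                     # used when a container sets no limit
      memory: 256Mi
    max:                         # any larger limit is rejected at admission
      memory: 256Mi
---
apiVersion: v1
kind: Pod
metadata:
  name: wordpress-1
  namespace: wordpress
spec:
  containers:
  - name: wordpress
    image: wordpress             # assumed image
    resources:
      requests:
        memory: 128Mi            # the 128 MB reservation from the article
      limits:
        memory: 256Mi            # above this the container is OOM-killed and restarted
```

Once a ResourceQuota covers a resource, Pods that omit a request or limit for it are rejected unless a LimitRange supplies defaults, which is why the LimitRange is included; with a 1Gi request quota, the ninth 128Mi Pod is refused, matching the article's count of eight.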


Projects and resource quotas


Platforms such as Rancher aim to simplify Kubernetes management by providing an intuitive interface and centralizing management tasks (for example, describing roles at the global level).


As the previous article on protecting against insider threats described, Rancher includes a cluster-management construct called a "Project" that reduces the burden of managing resources across more than one namespace. In Rancher, a Project lets administrators manage multiple namespaces as a single entity, so Rancher resource quotas can be applied to Projects.


In a standard Kubernetes deployment, resource quotas can only be applied to individual namespaces. Administrators cannot apply one quota to several namespaces in a single operation; they must create a separate resource quota for each.


In Rancher, however, administrators can apply a resource quota to a Project, and the quota is then propagated to each of its namespaces. Kubernetes then uses its native resource quotas to enforce the restrictions the administrator set. If administrators want to change the quota of a particular namespace, they can override the propagated quota for that namespace.


Hardening and optimizing Kubernetes


Needless to say, Kubernetes has become the standard for container orchestration, which has led most cloud and virtualization vendors to offer it as standard infrastructure. However, a general lack of awareness of the security issues associated with Kubernetes environments can leave a variety of components exposed to network attacks from both inside and outside the cluster.


The first two articles in this series gave practical steps for using Kubernetes features and a container management solution (such as Rancher) to harden Kubernetes against external and internal network threats. Enterprises should protect the externally reachable Kubernetes API with role-based access control (RBAC) and strong identity. To protect against insiders, because a Kubernetes cluster is multi-user, the organization needs RBAC to govern cross-team access and NetworkPolicies for logical isolation of communication.


To prevent one tenant from monopolizing CPU, memory, storage and other resources and dragging down the performance of the whole cluster, Kubernetes provides resource limits, quotas and related features that help operations teams manage and optimize the utilization of Kubernetes resources. Finally, beyond the default settings, the industry offers some very effective tools to help users manage and protect entire Kubernetes clusters. For example, a platform such as Rancher is a highly optimized container management solution designed for organizations deploying multiple clusters into production, so that business users can more easily manage Kubernetes across its whole lifecycle. It protects the Kubernetes cluster from external attack threats, from hidden insider threats, and even from noisy neighbors.


Origin blog.51cto.com/12462495/2416505