Working closely with development teams that have just moved to OpenShift, we try to give them guidance and best practices for building and deploying applications successfully on this platform. From that work we have selected 14 practices we consider key, grouped into two categories: application reliability and application security. The categories overlap, since greater reliability improves security and vice versa. The list of best practices follows.
Application reliability
This section collects nine best practices that help improve application availability and uptime and give users a better experience.
1. Do not store application configuration inside a container
If the container image contains configuration for a specific environment (Dev, QA, Prod), it cannot be moved between environments without changes. That is bad for the reliability of the release process, because the image that was tested in the earlier stages is then not the one that reaches production. So keep environment-specific application configuration out of the container and supply it separately, for example through ConfigMaps and Secrets.
2. Set resource requirements and limits in pod definitions
Without properly specified resource requirements, an application can place overwhelming demands on memory and CPU. Conversely, when the application declares its CPU and memory requirements explicitly, the cluster scheduler can place it efficiently and guarantee it the requested resources.
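As an added example (not part of the original article), a small Python check that audits a pod spec for practices 1 and 2: every container must declare CPU and memory requests and limits, and configuration must be injected from a ConfigMap or Secret rather than baked into the image. The pod spec dict, image names and ConfigMap name below are constructed sample values.

```python
REQUIRED = ("cpu", "memory")

def references_config(pod_spec):
    """True if any container or volume pulls config from a ConfigMap or Secret."""
    for c in pod_spec.get("containers", []):
        for src in c.get("envFrom", []):
            if "configMapRef" in src or "secretRef" in src:
                return True
        for env in c.get("env", []):
            vf = env.get("valueFrom", {})
            if "configMapKeyRef" in vf or "secretKeyRef" in vf:
                return True
    for v in pod_spec.get("volumes", []):
        if "configMap" in v or "secret" in v:
            return True
    return False

def audit_pod_spec(pod_spec):
    """Return findings for practices 1 and 2; an empty list means both are met."""
    findings = []
    # Practice 2: every container (init containers too) needs requests and limits.
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        res = c.get("resources") or {}
        for section in ("requests", "limits"):
            for r in REQUIRED:
                if r not in (res.get(section) or {}):
                    findings.append(f"{name}: missing resources.{section}.{r}")
    # Practice 1: config should be injected, not baked into the image.
    if not references_config(pod_spec):
        findings.append("pod: no ConfigMap/Secret reference; environment-specific "
                        "configuration is probably baked into the image")
    return findings

# Constructed sample pod spec (the parsed form of a Deployment's pod template).
SAMPLE_POD_SPEC = {
    "containers": [
        {"name": "api",
         "image": "registry.example.com/shop/api:1.4.2",
         "envFrom": [{"configMapRef": {"name": "api-config"}}],
         "resources": {"requests": {"cpu": "250m", "memory": "256Mi"},
                       "limits": {"cpu": "500m", "memory": "512Mi"}}},
        {"name": "log-shipper",
         "image": "registry.example.com/shop/log-shipper:0.9",
         "resources": {"requests": {"cpu": "50m", "memory": "64Mi"},
                       "limits": {"cpu": "100m"}}},
    ],
}
```

Running `audit_pod_spec(SAMPLE_POD_SPEC)` reports only the sidecar's missing memory limit; the same check can run in CI against every rendered manifest before it is applied.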
3. (liveness) (readiness) pod
… liveness … readiness … OpenShift Platform.
4. PodDisruptionBudget
pod … autoscaler … PodDisruptionBudget.
5. pod
pod … pod …
6.
… OpenShift Platform.
7.
Prometheus … Grafana …
8. stdout/stderr
OpenShift … (ELK, Splunk).
9. Circuit breakers, Timeouts, Retries, Rate Limiting
… (Rate Limiting, Circuit Breakers) … (Timeouts, Retries). OpenShift Service Mesh …
5 …
10.
… community … Docker Hub …!
11.
12. build … runtime
Build … runtime …
13. Restricted security context constraint (SCC)
… restricted SCC … restricted SCC.
14. TLS
… OpenShift … TLS … OpenShift Service Mesh …