Contents
- kubernetes-networking-networking-and-pod-to-pod-communication
- kubernetes-networking-load-balancing
- kubernetes-networking-external-access-to-services
Roadmap info from roadmap website
Services and Networking
Services and networking are key components that enable communication between pods, and between pods and external clients. A Service provides a stable endpoint (a fixed virtual IP and DNS name) for accessing a set of pods that may be rescheduled or replaced at any time, while networking plugins and configuration options such as NetworkPolicy enable pod-to-pod communication and network isolation. These features are designed to be scalable, reliable, and flexible, making it easier for developers to manage and orchestrate complex microservices architectures. Additional features like Ingress and DNS-based service discovery provide flexible external access to services and simplify service discovery within a cluster.
Learn more from the following resources:
- Official: Service - Documentation
- Official: The Kubernetes Network Model
- Feed: Explore top posts about Networking
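The two ideas in the paragraph above, a stable endpoint and network isolation, side by side as an added example (not taken from the roadmap or the Kubernetes documentation). The namespace, names and labels (`shop`, `orders-api`, `role: frontend`) and the container port are assumptions chosen for the illustration; the DNS name assumes the default `cluster.local` cluster domain.

```yaml
# Added example: a ClusterIP Service as a stable endpoint for a set of pods,
# plus a NetworkPolicy that restricts which pods may reach them.
# Namespace, names, labels and ports are assumptions, not values from the page.
apiVersion: v1
kind: Service
metadata:
  name: orders-api
  namespace: shop
spec:
  type: ClusterIP              # reachable only from inside the cluster
  selector:
    app: orders-api            # every pod carrying this label backs the Service
  ports:
    - name: http
      port: 80                 # stable port clients use: orders-api.shop.svc.cluster.local:80
      targetPort: 8080         # container port on the selected pods
---
# Network isolation. Without any NetworkPolicy, every pod can talk to every
# other pod. Once this policy selects the orders-api pods, all ingress to them
# is denied except what is listed below: TCP 8080 from pods labelled
# role=frontend in the same namespace. Enforcement requires a CNI plugin that
# implements NetworkPolicy; on a plugin that does not, the object is accepted
# but has no effect, so verify with a connectivity test after applying it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-api-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: orders-api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 8080
```

Note that the policy is written against the pod port (8080), not the Service port (80): kube-proxy rewrites the destination before the policy is evaluated at the pod.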
Best Practices
| Best Practice | ConfigMaps | Secrets |
|---|---|---|
| Storage | Store non-sensitive configuration data such as environment variables, configuration files, etc. | Store sensitive data like passwords, API keys, and tokens. |
| Encryption | Data is stored in plain text; consider encrypting values before storing if necessary. | Use Kubernetes' built-in encryption feature to encrypt Secrets at rest. |
| Environment Variables vs Volumes | Can be used as environment variables or mounted as volumes depending on the use case. | Prefer mounting as volumes over environment variables to avoid exposure in process lists. |
| Access Control | Use RBAC to restrict access to ConfigMaps to necessary resources only. | Apply strict RBAC policies to restrict access to Secrets and avoid exposing them unnecessarily. |
| Use of Namespaces | Store ConfigMaps in the same namespace as the application to avoid cross-namespace access issues. | Keep Secrets in the same namespace as the application to limit exposure. |
| Version Control | Avoid storing ConfigMaps directly in version control; use templating tools like Helm to manage configurations. | Never store Secrets in version control; instead, use external secret management tools (e.g., HashiCorp Vault, AWS Secrets Manager). |
| Lifecycle Management | Regularly update and review ConfigMaps to ensure they are up-to-date with the application's requirements. | Rotate Secrets periodically, especially after key changes or potential exposure. |
| Security | Ensure no sensitive data is stored in ConfigMaps, as they are not encrypted. | Enable Kubernetes Secrets encryption and ensure Secrets are stored in a secure manner. |
| Size Limitation | ConfigMaps should be kept small (under 1 MB), as they are stored in etcd. | Same as ConfigMaps: keep Secrets small (under 1 MB), as they are stored in etcd. |
| External Management | Consider using external systems for complex configurations. | Leverage external secret management solutions for better security and secret lifecycle management. |
| Auditing | Enable logging and auditing of ConfigMap changes to track misconfigurations. | Regularly audit Secrets to ensure proper handling and monitor for unauthorized access. |
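Three rows of the table (Environment Variables vs Volumes, Access Control, Encryption) translate directly into manifests. The following is an added example, not configuration from the roadmap or from any Kubernetes project documentation: a Secret consumed as a read-only volume rather than as environment variables, a Role and RoleBinding that grant `get` on that one Secret only, and an `EncryptionConfiguration` that makes the API server encrypt Secrets before they reach etcd. The namespace and names (`payments`, `db-credentials`, `payments-api`), the image reference and the key material are constructed placeholders.

```yaml
# Added example; names, image and key material are placeholders, not real values.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: payments          # same namespace as the workload that needs it
type: Opaque
stringData:                    # stringData accepts plain strings; the API server base64-encodes them
  username: payments-app
  password: PLACEHOLDER-ROTATE-ME   # constructed placeholder, never commit a real value here
---
# Consume the Secret as files. With env/valueFrom/secretKeyRef the value would be
# readable through /proc/<pid>/environ, `kubectl describe pod`, crash dumps and
# child processes; a mounted file is readable only by the container's user.
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: payments
spec:
  serviceAccountName: payments-api
  containers:
    - name: api
      image: registry.example.com/payments-api:1.0   # placeholder image reference
      volumeMounts:
        - name: db-creds
          mountPath: /etc/db-credentials     # files: /etc/db-credentials/username, .../password
          readOnly: true
  volumes:
    - name: db-creds
      secret:
        secretName: db-credentials
        defaultMode: 0400                    # owner read-only; YAML octal, use 256 in JSON
---
# Least privilege: `get` on the single named Secret. Granting `list` or `watch`
# cannot be scoped by resourceNames and would expose every Secret in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-db-credentials
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["db-credentials"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-api-read-db-credentials
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: payments-api
    namespace: payments
roleRef:
  kind: Role
  name: read-db-credentials
  apiGroup: rbac.authorization.k8s.io
---
# Encryption at rest. Passed to kube-apiserver via --encryption-provider-config.
# The first provider is used for writes; `identity` last lets the server still
# read Secrets written before encryption was enabled. After applying this,
# re-write existing Secrets (e.g. `kubectl get secrets -A -o json | kubectl replace -f -`)
# so that nothing is left in etcd in plain text.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: BASE64-OF-32-RANDOM-BYTES-PLACEHOLDER   # constructed placeholder
      - identity: {}
```

A Secret mounted this way also supports the Rotation row: updating the Secret object refreshes the projected files in the running pod (after the kubelet sync period) without a restart, whereas environment variables are fixed for the life of the process. The `aescbc` provider is used here because it is the simplest static-key option; where a cloud KMS is available, the `kms` provider keeps the key out of the control-plane host entirely.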