The latest articles on DEV Community by Claudio (@klaus82). https://dev.to/klaus82 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F599478%2F20d6b645-f090-4252-866a-1b9837653bcc.jpeg https://dev.to/klaus82 en Claudio Wed, 11 Feb 2026 08:28:13 +0000 https://dev.to/klaus82/sandboxing-ai-coding-agents-with-devcontainers-4ja3 https://dev.to/klaus82/sandboxing-ai-coding-agents-with-devcontainers-4ja3 <p>The rise of AI-powered coding assistants like GitHub Copilot, Cursor, and various autonomous agents built on Claude or GPT-4 has fundamentally changed how we write code. These tools can read your codebase, suggest changes, and even execute commands. This capability is powerful, but it also raises a big security concern: you're giving an AI system access to your development environment. The question isn't whether these tools are malicious; it's about implementing proper isolation as a matter of principle.</p> <p>Unlike standalone command-line tools that you invoke explicitly, IDE-integrated AI agents run continuously in the background. GitHub Copilot, for instance, analyzes your code as you type, maintains context across files, and can access any file your editor can see. This creates a unique security challenge: traditional containerization approaches that isolate individual processes don't work when the agent is embedded in your code editor.</p> <p>Your development environment typically contains far more than just your current project. Your home directory likely holds SSH private keys in <code>~/.ssh</code>, cloud provider credentials in <code>~/.aws</code> or <code>~/.gcp</code>, API tokens in <code>~/.netrc</code>, browser session data, email archives, and countless other projects with their own secrets. When Copilot or similar tools run in your native IDE, they can potentially access all of this data.</p> <p>The risk isn't necessarily malicious behavior by the AI itself. Bugs in the agent's implementation, compromised dependencies, prompt injection attacks, or misconfigurations could lead to unintended data exfiltration. The security model we need mirrors the principle of least privilege: the agent should have access to exactly what it needs to perform its function, and nothing more.</p> <h2> Devcontainers: The Solution for IDE-Based Agents </h2> <p>VS Code's devcontainer feature solves this issue by running your whole development setup in a Docker container. This includes the IDE and all its extensions. When you open a project with a devcontainer, VS Code starts a container. It installs your chosen extensions, like Copilot, and connects to it remotely. From your perspective, you're using VS Code normally, but everything actually runs in isolation.</p> <p>This approach provides several critical security benefits. The AI agent can only see files you explicitly mount into the container. Your SSH keys, AWS credentials, and other projects remain completely invisible. If the agent has a bug or gets compromised, the blast radius is limited to the specific project directory you've granted access to. And because the configuration is stored in your repository, every team member automatically gets the same secure, isolated environment.</p> <h2> Basic Devcontainer Setup </h2> <p>Let's start with a minimal devcontainer configuration that sandboxes GitHub Copilot. Create a <code>.devcontainer</code> directory in your project root with two files:</p> <p><strong><code>.devcontainer/devcontainer.json</code></strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Sandboxed Python Development"</span><span class="p">,</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dockerfile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Dockerfile"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"workspaceFolder"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/workspace"</span><span class="p">,</span><span class="w"> </span><span class="nl">"remoteUser"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vscode"</span><span class="p">,</span><span class="w"> </span><span class="nl">"customizations"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"vscode"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"extensions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"GitHub.copilot"</span><span class="p">,</span><span class="w"> </span><span class="s2">"GitHub.copilot-chat"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong><code>.devcontainer/Dockerfile</code></strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> mcr.microsoft.com/devcontainers/python:3.11-bullseye</span> <span class="c"># The base image already creates a non-root vscode user (UID 1000)</span> <span class="k">USER</span><span class="s"> vscode</span> <span class="k">WORKDIR</span><span class="s"> /workspace</span> </code></pre> </div> <p>This minimal configuration creates a containerized Python environment with Copilot installed. When you open this project in VS Code and click "Reopen in Container," the entire development environment runs in isolation. Copilot can only see the files in your project directory, nothing else on your system exists from its perspective.</p> <h2> Security Control 1: Surgical Volume Mounting </h2> <p>The most critical security control is restricting filesystem access through volume mounts. By default, devcontainers only mount your project directory, but you can be even more explicit and add additional read-only resources.</p> <p>Here's a configuration that demonstrates precise control:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Sandboxed Development Environment"</span><span class="p">,</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dockerfile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Dockerfile"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"mounts"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"source=${localWorkspaceFolder},target=/workspace,type=bind"</span><span class="p">,</span><span class="w"> </span><span class="s2">"source=${localWorkspaceFolder}/../shared-templates,target=/templates,type=bind,readonly"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"workspaceFolder"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/workspace"</span><span class="p">,</span><span class="w"> </span><span class="nl">"remoteUser"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vscode"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>mounts</code> array explicitly defines what gets mounted and how:</p> <ul> <li> <code>${localWorkspaceFolder}</code> mounts only your current project directory (read-write by default)</li> <li>The shared templates directory is mounted read-only, preventing the agent from modifying common resources</li> <li>Everything else on your system is invisible to the container</li> </ul> <p>This is radically different from mounting your entire home directory, which would expose all your personal data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">❌</span><span class="w"> </span><span class="err">DANGEROUS</span><span class="w"> </span><span class="err">-</span><span class="w"> </span><span class="err">Don't</span><span class="w"> </span><span class="err">do</span><span class="w"> </span><span class="err">this</span><span class="w"> </span><span class="nl">"mounts"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"source=${localEnv:HOME},target=/home/vscode,type=bind"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p>With the dangerous configuration, Copilot could access your <code>~/.ssh</code> keys, <code>~/.aws</code> credentials, browser data, and every other project you've ever worked on.</p> <h2> Security Control 2: Enforcing Unprivileged Users </h2> <p>Running containers as root undermines container security. By default, the root user inside a container maps to the root user on the host system. If a container breakout vulnerability exists, a root process inside becomes a root process outside.</p> <p>Devcontainers make it easy to enforce unprivileged execution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Sandboxed Environment"</span><span class="p">,</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dockerfile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Dockerfile"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"remoteUser"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vscode"</span><span class="p">,</span><span class="w"> </span><span class="nl">"containerUser"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vscode"</span><span class="p">,</span><span class="w"> </span><span class="nl">"workspaceFolder"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/workspace"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>remoteUser</code> setting controls what user VS Code connects as, while <code>containerUser</code> sets the user for all container processes. The Microsoft devcontainer base images create a <code>vscode</code> user with UID 1000, mapping to a regular user account on the host.</p> <p>Your Dockerfile should reinforce this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> mcr.microsoft.com/devcontainers/python:3.11-bullseye</span> <span class="c"># Install system packages as root</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> <span class="se">\ </span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">--no-install-recommends</span> <span class="se">\ </span> git curl ca-certificates <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="c"># Switch to non-root user for everything else</span> <span class="k">USER</span><span class="s"> vscode</span> <span class="k">WORKDIR</span><span class="s"> /workspace</span> <span class="c"># Configure git to trust the workspace</span> <span class="k">RUN </span>git config <span class="nt">--global</span> safe.directory /workspace </code></pre> </div> <p>All subsequent operations: installing Python packages, running tests, and using Copilot execute as an unprivileged user. Even if a malicious package attempts to modify system files, it lacks the necessary permissions.</p> <h2> Security Control 3: Dropping Linux Capabilities </h2> <p>Linux capabilities divide root privileges into distinct units. Most development containers don't need any elevated capabilities, yet Docker grants several by default. Devcontainers let you remove all capabilities through the <code>runArgs</code> array:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Hardened Development Environment"</span><span class="p">,</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dockerfile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Dockerfile"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"runArgs"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"--cap-drop=ALL"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--security-opt=no-new-privileges"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"remoteUser"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vscode"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>--cap-drop=ALL</code> flag removes all Linux capabilities from the container. The <code>--security-opt=no-new-privileges</code> flag prevents processes from gaining additional privileges through setuid binaries or other mechanisms. This blocks an entire class of privilege escalation attacks.</p> <p>For additional hardening, make the container's root filesystem read-only:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Read-Only Filesystem Environment"</span><span class="p">,</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dockerfile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Dockerfile"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"runArgs"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"--read-only"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--tmpfs=/tmp"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--cap-drop=ALL"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--security-opt=no-new-privileges"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"mounts"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"source=${localWorkspaceFolder},target=/workspace,type=bind"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"remoteUser"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vscode"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>--read-only</code> flag makes the entire container filesystem immutable except for explicitly mounted volumes and tmpfs mounts. The agent can still write to <code>/workspace</code> (your project directory) and <code>/tmp</code> (in-memory temporary storage), but cannot modify system files or install additional packages at runtime.</p> <h2> Security Control 4: Network Isolation </h2> <p>AI coding agents typically need internet access to query their APIs, but this creates a potential data exfiltration vector. Devcontainers support Docker's network isolation features.</p> <p>For agents that don't need network access at all, disable networking completely:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Network-Isolated Environment"</span><span class="p">,</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dockerfile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Dockerfile"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"runArgs"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"--network=none"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"remoteUser"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vscode"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>For agents that need to reach specific API endpoints, you have several options. The simplest is to use Docker's default bridge network but implement firewall rules on the host:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Restricted Network Environment"</span><span class="p">,</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dockerfile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Dockerfile"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"runArgs"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"--network=restricted-dev"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Then create the network with specific configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker network create restricted-dev <span class="se">\</span> <span class="nt">--driver</span> bridge <span class="se">\</span> <span class="nt">--subnet</span> 172.28.0.0/16 </code></pre> </div> <p>You can then use iptables rules on the host to restrict what external addresses the container can reach, implementing an allowlist of approved API endpoints (like <code>api.github.com</code> for Copilot).</p> <p>For more sophisticated setups, consider using an HTTP proxy container that enforces domain allowlists:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Proxy-Controlled Environment"</span><span class="p">,</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dockerfile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Dockerfile"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"dockerComposeFile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"docker-compose.yml"</span><span class="p">,</span><span class="w"> </span><span class="nl">"service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"devcontainer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"remoteUser"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vscode"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong><code>docker-compose.yml</code></strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">devcontainer</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">.</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">../..:/workspaces:cached</span> <span class="na">network_mode</span><span class="pi">:</span> <span class="s">service:proxy</span> <span class="na">proxy</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">sameersbn/squid:3.5.27-2</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./squid.conf:/etc/squid/squid.conf:ro</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">3128:3128"</span> </code></pre> </div> <p>The proxy can enforce strict domain allowlists, log all requests for auditing, and block access to potentially sensitive endpoints.</p> <h2> Security Control 5: Secrets Management </h2> <p>AI agents often need API keys to function. Storing these keys in environment variables or mounting them from your home directory defeats the purpose of isolation. Devcontainers support secure secrets mounting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Secrets-Aware Environment"</span><span class="p">,</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dockerfile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Dockerfile"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"mounts"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"source=${localWorkspaceFolder},target=/workspace,type=bind"</span><span class="p">,</span><span class="w"> </span><span class="s2">"source=${localEnv:HOME}/.secrets/anthropic-key,target=/run/secrets/anthropic-key,type=bind,readonly"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"containerEnv"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ANTHROPIC_API_KEY_FILE"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/run/secrets/anthropic-key"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"remoteUser"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vscode"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This configuration:</p> <ol> <li>Mounts the API key file from a dedicated secrets directory in your home folder</li> <li>Places it at <code>/run/secrets/anthropic-key</code> inside the container (a standard location for secrets)</li> <li>Makes the mount read-only so the agent cannot modify it</li> <li>Sets an environment variable pointing to the file location rather than containing the secret itself</li> </ol> <p>Your application code reads from the file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="k">def</span> <span class="nf">get_api_key</span><span class="p">():</span> <span class="n">key_file</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">ANTHROPIC_API_KEY_FILE</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="n">key_file</span> <span class="ow">and</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="n">key_file</span><span class="p">):</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">key_file</span><span class="p">,</span> <span class="sh">'</span><span class="s">r</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="k">return</span> <span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">().</span><span class="nf">strip</span><span class="p">()</span> <span class="k">return</span> <span class="bp">None</span> </code></pre> </div> <p>On the host, ensure the secrets file has restrictive permissions and is excluded from version control:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> ~/.secrets <span class="nb">echo</span> <span class="s2">"your-api-key"</span> <span class="o">&gt;</span> ~/.secrets/anthropic-key <span class="nb">chmod </span>400 ~/.secrets/anthropic-key </code></pre> </div> <p>Add to your <code>.gitignore</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.secrets/ **/*-key **/*.key </code></pre> </div> <h2> Security Control 6: Resource Constraints </h2> <p>While not strictly a security control, resource limits prevent a misbehaving agent from consuming all available system resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Resource-Limited Environment"</span><span class="p">,</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dockerfile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Dockerfile"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"runArgs"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"--memory=4g"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--memory-swap=4g"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--cpus=2"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--cap-drop=ALL"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"remoteUser"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vscode"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>These constraints limit the container to 4GB of RAM and 2 CPU cores. If Copilot has a bug that causes infinite memory allocation or a runaway loop, it cannot bring down your entire system. The container gets terminated when it hits the limit.</p> <p>You can also set I/O limits to prevent disk-based denial of service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"runArgs"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"--memory=4g"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--cpus=2"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--device-read-bps=/dev/sda:10mb"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--device-write-bps=/dev/sda:10mb"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Complete Reference Implementation </h2> <p>Here's a production-ready devcontainer configuration that combines all security controls:</p> <p><strong><code>.devcontainer/devcontainer.json</code></strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Sandboxed AI Development Environment"</span><span class="p">,</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dockerfile"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Dockerfile"</span><span class="p">,</span><span class="w"> </span><span class="nl">"context"</span><span class="p">:</span><span class="w"> </span><span class="s2">".."</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"mounts"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"source=${localWorkspaceFolder},target=/workspace,type=bind"</span><span class="p">,</span><span class="w"> </span><span class="s2">"source=${localWorkspaceFolder}/../shared-templates,target=/templates,type=bind,readonly"</span><span class="p">,</span><span class="w"> </span><span class="s2">"source=${localEnv:HOME}/.secrets/github-copilot-token,target=/run/secrets/github-token,type=bind,readonly"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"workspaceFolder"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/workspace"</span><span class="p">,</span><span class="w"> </span><span class="nl">"remoteUser"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vscode"</span><span class="p">,</span><span class="w"> </span><span class="nl">"containerUser"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vscode"</span><span class="p">,</span><span class="w"> </span><span class="nl">"runArgs"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"--cap-drop=ALL"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--security-opt=no-new-privileges"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--memory=4g"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--memory-swap=4g"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--cpus=2"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"containerEnv"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"GITHUB_TOKEN_FILE"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/run/secrets/github-token"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"customizations"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"vscode"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"extensions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"GitHub.copilot"</span><span class="p">,</span><span class="w"> </span><span class="s2">"GitHub.copilot-chat"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ms-python.python"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ms-python.vscode-pylance"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"settings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"terminal.integrated.defaultProfile.linux"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bash"</span><span class="p">,</span><span class="w"> </span><span class="nl">"python.defaultInterpreterPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/usr/local/bin/python"</span><span class="p">,</span><span class="w"> </span><span class="nl">"github.copilot.enable"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"*"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"yaml"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"plaintext"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"features"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ghcr.io/devcontainers/features/git:1"</span><span class="p">:</span><span class="w"> </span><span class="p">{},</span><span class="w"> </span><span class="nl">"ghcr.io/devcontainers/features/common-utils:2"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"installZsh"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"installOhMyZsh"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"upgradePackages"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"postCreateCommand"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pip install --no-cache-dir -r requirements.txt"</span><span class="p">,</span><span class="w"> </span><span class="nl">"shutdownAction"</span><span class="p">:</span><span class="w"> </span><span class="s2">"stopContainer"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong><code>.devcontainer/Dockerfile</code></strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> mcr.microsoft.com/devcontainers/python:3.11-bullseye</span> <span class="c"># Install only necessary system packages as root</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> <span class="se">\ </span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nt">--no-install-recommends</span> <span class="se">\ </span> git <span class="se">\ </span> curl <span class="se">\ </span> ca-certificates <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="c"># Create necessary directories with proper permissions</span> <span class="k">RUN </span><span class="nb">mkdir</span> <span class="nt">-p</span> /workspace /templates /run/secrets <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">chown</span> <span class="nt">-R</span> vscode:vscode /workspace /templates <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">chmod </span>755 /workspace /templates <span class="c"># Switch to non-root user</span> <span class="k">USER</span><span class="s"> vscode</span> <span class="c"># Set working directory</span> <span class="k">WORKDIR</span><span class="s"> /workspace</span> <span class="c"># Pre-configure git for security</span> <span class="k">RUN </span>git config <span class="nt">--global</span> safe.directory /workspace <span class="o">&amp;&amp;</span> <span class="se">\ </span> git config <span class="nt">--global</span> user.name <span class="s2">"Developer"</span> <span class="o">&amp;&amp;</span> <span class="se">\ </span> git config <span class="nt">--global</span> user.email <span class="s2">"dev@example.com"</span> </code></pre> </div> <p>This configuration creates a fully isolated development environment where:</p> <ul> <li> <strong>Filesystem access</strong> is strictly limited to the project directory and read-only templates</li> <li> <strong>All processes</strong> run as an unprivileged user (UID 1000)</li> <li> <strong>Linux capabilities</strong> are completely dropped</li> <li> <strong>Privilege escalation</strong> is blocked by <code>no-new-privileges</code> </li> <li> <strong>Resource consumption</strong> is capped at 4GB RAM and 2 CPU cores</li> <li> <strong>Secrets</strong> are mounted read-only from a dedicated location</li> <li> <strong>Extensions</strong> including Copilot run entirely within the sandbox</li> </ul> <h2> Workflow: Using Your Sandboxed Environment </h2> <p>Using a devcontainer-based setup is straightforward:</p> <ol> <li> <strong>Initial setup</strong>: Create the <code>.devcontainer</code> directory in your project root, add the configuration files shown above, and commit them to version control.</li> <li> <strong>Opening the environment</strong>: Open the project in VS Code. You'll see a notification: "Folder contains a Dev Container configuration file." Click "Reopen in Container."</li> <li> <strong>First-time build</strong>: VS Code builds the Docker image, starts the container, installs extensions, and runs the <code>postCreateCommand</code>. This takes a few minutes the first time but is cached for subsequent launches.</li> <li> <strong>Development</strong>: Once connected, everything looks and feels like normal VS Code. The terminal, file explorer, and all extensions (including Copilot) work normally. The only difference is everything runs in isolation.</li> <li> <strong>File access</strong>: When you open files, edit code, or run scripts, you're working inside the container. Copilot can see and analyze your project files but has no access to anything outside the mounted directory.</li> <li> <strong>Exiting</strong>: Close VS Code or click "Reopen Locally" to exit the container environment. Your changes persist in your local project directory.</li> </ol> <h2> Conclusion </h2> <p>AI coding assistants represent a fundamental shift in how we develop software. As these tools become more powerful and prevalent, implementing proper isolation becomes not just a best practice but a necessity. Devcontainers provide an elegant solution that balances security, usability, and team consistency.<br> The techniques described here represent current best practices, but the security landscape evolves constantly. Stay informed about container security advisories, regularly update your base images, and periodically audit your devcontainer configurations to ensure they still meet your security requirements.<br> Defense in depth isn't a one-time configuration, it's an ongoing commitment to protecting your development environment from both known and unknown threats. By treating AI agents with the same security rigor we apply to production systems, we can harness their power while maintaining the integrity and confidentiality of our development workflows.</p> <p>Ready to secure your AI-powered development workflow? Share your implementation, learn from others' experiences, and stay ahead of emerging threats.</p> ai agents containers security Claudio Tue, 07 Oct 2025 13:00:00 +0000 https://dev.to/klaus82/understanding-kubernetes-networking-clusterip-nodeport-and-loadbalancer-services-1m21 https://dev.to/klaus82/understanding-kubernetes-networking-clusterip-nodeport-and-loadbalancer-services-1m21 <p>If you've ever deployed an application to Kubernetes and wondered "How do other pods find my service?" or "How do external users access my application?", you're not alone. Kubernetes networking can seem mysterious at first, especially when you encounter terms like ClusterIP, NodePort, and LoadBalancer.</p> <p>In this comprehensive guide, we'll demystify Kubernetes Services and networking. By the end, you'll understand exactly how traffic flows in a Kubernetes cluster and which Service type to use for different scenarios.</p> <h2> The Networking Challenge in Kubernetes </h2> <p>Before we dive into Services, let's understand the problem they solve. Imagine you're running a microservices architecture in Kubernetes:</p> <ul> <li>Your frontend application needs to talk to a backend API</li> <li>The backend API needs to connect to a database</li> <li>Users need to access your frontend from the internet</li> <li>You have multiple replicas of each component for high availability</li> </ul> <p>Here's the challenge: <strong>Pods in Kubernetes are ephemeral</strong>. They can be created, destroyed, and rescheduled at any time. Each pod gets its own IP address, but these IPs change when pods restart. How do you maintain stable networking in such a dynamic environment?</p> <p>Consider this scenario without Services:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Three backend pods with different IPs</span> <span class="na">backend-pod-1</span><span class="pi">:</span> <span class="s">10.244.1.5</span> <span class="na">backend-pod-2</span><span class="pi">:</span> <span class="s">10.244.2.8</span> <span class="na">backend-pod-3</span><span class="pi">:</span> <span class="s">10.244.3.12</span> </code></pre> </div> <p>If your frontend needs to connect to the backend, which IP should it use? What happens when <code>backend-pod-2</code> crashes and gets replaced with a new pod at <code>10.244.1.20</code>? Your frontend would need to constantly track and update backend IP addresses—an impossible task at scale.</p> <h2> Enter Kubernetes Services </h2> <p>A Kubernetes Service is an abstraction that defines a logical set of pods and a policy for accessing them. Think of it as a <strong>stable endpoint</strong> that sits in front of your pods, providing:</p> <ol> <li> <strong>Stable IP address</strong>: A Service gets a virtual IP (VIP) that doesn't change</li> <li> <strong>DNS name</strong>: Each Service gets a DNS name for easy discovery</li> <li> <strong>Load balancing</strong>: Traffic is distributed across healthy pods</li> <li> <strong>Service discovery</strong>: Pods can find each other using Service names</li> </ol> <p>Services use <strong>labels and selectors</strong> to identify which pods they should route traffic to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Backend Deployment with labels</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">backend</span> <span class="c1"># These labels are crucial</span> <span class="na">tier</span><span class="pi">:</span> <span class="s">api</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">image</span><span class="pi">:</span> <span class="s">myapp/backend:v1</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <p>Now, let's explore the three main types of Services and when to use each.</p> <h2> ClusterIP: Internal Service Discovery </h2> <h3> What is ClusterIP? </h3> <p>ClusterIP is the <strong>default Service type</strong>. It exposes the Service on an internal IP address that's only reachable from within the cluster. This is perfect for internal communication between your microservices.</p> <h3> How ClusterIP Works </h3> <p>When you create a ClusterIP Service:</p> <ol> <li>Kubernetes assigns it a virtual IP from the cluster's service IP range</li> <li>The Service is registered in the cluster's DNS</li> <li>kube-proxy on each node configures iptables rules to route traffic</li> <li>Traffic sent to the Service IP is load-balanced across all matching pods</li> </ol> <p>Here's a visual representation of traffic flow:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F19orgcqv7u7rfjmkyuxv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F19orgcqv7u7rfjmkyuxv.png" alt="ClusterIp" width="800" height="611"></a></p> <h3> Creating a ClusterIP Service </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># backend-service.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">backend-service</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="c1"># This is optional since ClusterIP is the default</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">backend</span> <span class="c1"># Matches pods with this label</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="c1"># Port exposed by the Service</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="c1"># Port on the container</span> </code></pre> </div> <p>Let's break down the key fields:</p> <ul> <li> <strong>selector</strong>: Identifies which pods belong to this Service (must match pod labels)</li> <li> <strong>port</strong>: The port the Service listens on</li> <li> <strong>targetPort</strong>: The port on the pod where traffic is forwarded</li> </ul> <h3> Practical Example: Microservices Communication </h3> <p>Let's build a complete example with a frontend and backend:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># backend-deployment.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SERVICE_NAME</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">backend"</span> <span class="nn">---</span> <span class="c1"># backend-service.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">backend-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">backend</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> <span class="nn">---</span> <span class="c1"># frontend-deployment.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">frontend</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">frontend</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">frontend</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">frontend</span> <span class="na">image</span><span class="pi">:</span> <span class="s">curlimages/curl:latest</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">sh'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">-c'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">while</span><span class="nv"> </span><span class="s">true;</span><span class="nv"> </span><span class="s">do</span><span class="nv"> </span><span class="s">sleep</span><span class="nv"> </span><span class="s">30;</span><span class="nv"> </span><span class="s">done'</span><span class="pi">]</span> <span class="na">env</span><span class="pi">:</span> <span class="c1"># The backend service DNS name</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">BACKEND_URL</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://backend-service:8080"</span> </code></pre> </div> <p>Deploy these resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> backend-deployment.yaml kubectl apply <span class="nt">-f</span> frontend-deployment.yaml <span class="c"># Test connectivity from frontend to backend</span> kubectl <span class="nb">exec</span> <span class="nt">-it</span> deployment/frontend <span class="nt">--</span> curl http://backend-service:8080 </code></pre> </div> <h3> DNS Resolution in Kubernetes </h3> <p>Kubernetes provides built-in DNS service discovery. Services can be reached using:</p> <ol> <li> <strong>Short name</strong> (same namespace): <code>backend-service</code> </li> <li> <strong>Fully qualified domain name</strong>: <code>backend-service.default.svc.cluster.local</code> </li> </ol> <p>The DNS format is: <code>&lt;service-name&gt;.&lt;namespace&gt;.svc.cluster.local</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># From any pod in the default namespace</span> curl http://backend-service:8080 <span class="c"># From a pod in a different namespace</span> curl http://backend-service.default.svc.cluster.local:8080 </code></pre> </div> <h3> When to Use ClusterIP </h3> <p>Use ClusterIP when:</p> <ul> <li>Communication is between services within the cluster</li> <li>You're building microservices that only need internal connectivity</li> <li>You want to keep services private and not expose them externally</li> <li>Examples: databases, internal APIs, caching layers, message queues</li> </ul> <p><strong>Common Use Cases:</strong></p> <ul> <li>Backend API → Database</li> <li>Frontend → Backend API</li> <li>API Gateway → Microservices</li> <li>Application → Redis/Memcached</li> </ul> <h2> NodePort: External Access via Node IPs </h2> <h3> What is NodePort? </h3> <p>NodePort extends ClusterIP by opening a specific port on <strong>all nodes</strong> in the cluster. External traffic can reach your Service by connecting to any node's IP address on the allocated port.</p> <h3> How NodePort Works </h3> <p>When you create a NodePort Service:</p> <ol> <li>Kubernetes creates a ClusterIP Service (internal access)</li> <li>Opens the same port (30000-32767 range) on every node</li> <li>Routes traffic from <code>&lt;NodeIP&gt;:&lt;NodePort&gt;</code> to the Service</li> <li>The Service then load-balances to the backend pods</li> </ol> <p>Traffic flow:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fau2we0kq5o8qd9jkfv8r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fau2we0kq5o8qd9jkfv8r.png" alt="Node port" width="800" height="642"></a></p> <h3> Creating a NodePort Service </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># frontend-nodeport-service.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">frontend-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">NodePort</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">frontend</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="c1"># ClusterIP port</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="c1"># Container port</span> <span class="na">nodePort</span><span class="pi">:</span> <span class="m">30080</span> <span class="c1"># Port opened on each node (optional, auto-assigned if omitted)</span> </code></pre> </div> <p>Key points about NodePort:</p> <ul> <li> <strong>nodePort range</strong>: 30000-32767 by default (configurable in kube-apiserver)</li> <li> <strong>Auto-assignment</strong>: If you don't specify nodePort, Kubernetes assigns one automatically</li> <li> <strong>All nodes</strong>: The port is opened on every node, even those not running your pods</li> </ul> <h3> Practical Example: Exposing a Web Application </h3> <p>Let's deploy a simple web application and expose it via NodePort:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># webapp-deployment.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginxdemos/hello:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="nn">---</span> <span class="c1"># webapp-nodeport-service.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">NodePort</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">nodePort</span><span class="pi">:</span> <span class="m">30100</span> </code></pre> </div> <p>Deploy and test:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> webapp-deployment.yaml <span class="c"># Get the NodePort</span> kubectl get service webapp-service <span class="c"># Get node IPs</span> kubectl get nodes <span class="nt">-o</span> wide <span class="c"># Access the application</span> <span class="c"># Replace &lt;NODE_IP&gt; with any node's IP address</span> curl http://&lt;NODE_IP&gt;:30100 </code></pre> </div> <h3> NodePort Limitations and Considerations </h3> <p><strong>Limitations:</strong></p> <ol> <li> <strong>Port range constraints</strong>: Limited to 30000-32767 (can become restrictive)</li> <li> <strong>No automatic DNS</strong>: Users must know node IPs</li> <li> <strong>Manual load balancing</strong>: You need an external load balancer to distribute traffic across nodes</li> <li> <strong>Security exposure</strong>: Opens ports on all nodes</li> <li> <strong>Node failure</strong>: If a node fails, clients using that node's IP will lose connectivity</li> </ol> <p><strong>When to Use NodePort:</strong></p> <p>NodePort is useful for:</p> <ul> <li>Development and testing environments</li> <li>On-premises clusters without load balancer integration</li> <li>Exposing services when you have a limited number of external IPs</li> <li>Temporary external access needs</li> <li>Integrating with external load balancers manually</li> </ul> <h2> LoadBalancer: Cloud-Native External Access </h2> <h3> What is LoadBalancer? </h3> <p>LoadBalancer is the most straightforward way to expose a Service to the internet. It provisions an external load balancer (if your cluster runs in a supported cloud environment) and assigns it a public IP address.</p> <h3> How LoadBalancer Works </h3> <p>When you create a LoadBalancer Service:</p> <ol> <li>Kubernetes creates a NodePort Service</li> <li>Kubernetes creates a ClusterIP Service</li> <li>Kubernetes requests an external load balancer from the cloud provider</li> <li>The cloud provider provisions a load balancer and assigns a public IP</li> <li>The load balancer forwards traffic to the NodePorts on your cluster nodes</li> </ol> <p>Traffic flow:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fth4tmlgr6prdlcr5nhks.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fth4tmlgr6prdlcr5nhks.png" alt="Load balancer" width="800" height="820"></a></p> <h3> Creating a LoadBalancer Service </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># webapp-loadbalancer-service.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp-lb-service</span> <span class="na">annotations</span><span class="pi">:</span> <span class="c1"># Cloud-specific annotations (examples)</span> <span class="na">service.beta.kubernetes.io/aws-load-balancer-type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">nlb"</span> <span class="c1"># AWS</span> <span class="c1"># cloud.google.com/load-balancer-type: "Internal" # GCP</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="c1"># External port on load balancer</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="c1"># Container port</span> <span class="c1"># Optional: Restrict source IP ranges</span> <span class="na">loadBalancerSourceRanges</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">203.0.113.0/24"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">198.51.100.0/24"</span> </code></pre> </div> <h3> Practical Example: Production Web Application </h3> <p>Let's deploy a complete production-ready application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># production-webapp.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp-prod</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">5</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">image</span><span class="pi">:</span> <span class="s">mycompany/webapp:v2.1.0</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ENVIRONMENT</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">production"</span> <span class="c1"># Health checks</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/ready</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">250m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">512Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp-lb</span> <span class="na">annotations</span><span class="pi">:</span> <span class="c1"># AWS-specific annotations</span> <span class="na">service.beta.kubernetes.io/aws-load-balancer-type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">nlb"</span> <span class="na">service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="c1"># Health check configuration</span> <span class="na">service.beta.kubernetes.io/aws-load-balancer-healthcheck-path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/health"</span> <span class="na">service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">LoadBalancer</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">https</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">443</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8443</span> <span class="na">sessionAffinity</span><span class="pi">:</span> <span class="s">ClientIP</span> <span class="c1"># Sticky sessions</span> <span class="na">sessionAffinityConfig</span><span class="pi">:</span> <span class="na">clientIP</span><span class="pi">:</span> <span class="na">timeoutSeconds</span><span class="pi">:</span> <span class="m">3600</span> </code></pre> </div> <p>Deploy and access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> production-webapp.yaml <span class="c"># Watch the load balancer being provisioned</span> kubectl get service webapp-lb <span class="nt">-w</span> <span class="c"># Once EXTERNAL-IP is assigned (may take 1-5 minutes)</span> kubectl get service webapp-lb <span class="c"># NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)</span> <span class="c"># webapp-lb LoadBalancer 10.96.45.123 203.0.113.10 80:31234/TCP</span> <span class="c"># Access your application</span> curl http://203.0.113.10 </code></pre> </div> <h3> Cloud Provider Integration </h3> <p>Different cloud providers have specific features and annotations:</p> <h3> AWS (EKS) </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="c1"># Network Load Balancer (Layer 4)</span> <span class="na">service.beta.kubernetes.io/aws-load-balancer-type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">nlb"</span> <span class="c1"># Classic Load Balancer (default)</span> <span class="na">service.beta.kubernetes.io/aws-load-balancer-type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">clb"</span> <span class="c1"># Internal load balancer</span> <span class="na">service.beta.kubernetes.io/aws-load-balancer-internal</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="c1"># SSL certificate</span> <span class="na">service.beta.kubernetes.io/aws-load-balancer-ssl-cert</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:acm:..."</span> <span class="c1"># Backend protocol</span> <span class="na">service.beta.kubernetes.io/aws-load-balancer-backend-protocol</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http"</span> <span class="c1"># Connection draining</span> <span class="na">service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">service.beta.kubernetes.io/aws-load-balancer-connection-draining-timeout</span><span class="pi">:</span> <span class="s2">"</span><span class="s">60"</span> </code></pre> </div> <h3> GCP (GKE) </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="c1"># Internal load balancer</span> <span class="na">cloud.google.com/load-balancer-type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Internal"</span> <span class="c1"># Backend configuration</span> <span class="na">cloud.google.com/backend-config</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{"ports":</span><span class="nv"> </span><span class="s">{"80":"backend-config"}}'</span> <span class="c1"># NEG (Network Endpoint Groups) for container-native load balancing</span> <span class="na">cloud.google.com/neg</span><span class="pi">:</span> <span class="s1">'</span><span class="s">{"ingress":</span><span class="nv"> </span><span class="s">true}'</span> </code></pre> </div> <h3> Azure (AKS) </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">metadata</span><span class="pi">:</span> <span class="na">annotations</span><span class="pi">:</span> <span class="c1"># Internal load balancer</span> <span class="na">service.beta.kubernetes.io/azure-load-balancer-internal</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="c1"># Subnet</span> <span class="na">service.beta.kubernetes.io/azure-load-balancer-internal-subnet</span><span class="pi">:</span> <span class="s2">"</span><span class="s">apps-subnet"</span> <span class="c1"># Public IP name</span> <span class="na">service.beta.kubernetes.io/azure-pip-name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">myPublicIP"</span> </code></pre> </div> <h3> LoadBalancer Cost Considerations </h3> <p>Each LoadBalancer Service provisions a separate cloud load balancer, which incurs costs:</p> <ul> <li> <strong>AWS NLB</strong>: ~$0.0225/hour + data processing charges</li> <li> <strong>GCP Load Balancer</strong>: ~$0.025/hour + forwarding rule charges</li> <li> <strong>Azure Load Balancer</strong>: ~$0.025/hour + data processing</li> </ul> <p>For multiple services, consider using an <strong>Ingress Controller</strong> instead, which allows multiple services to share a single load balancer.</p> <h3> When to Use LoadBalancer </h3> <p>Use LoadBalancer when:</p> <ul> <li>You need to expose a service to the internet</li> <li>You're running in a cloud environment with load balancer support</li> <li>You want automatic cloud load balancer provisioning</li> <li>You need a public IP address for your service</li> <li>You have a small number of services to expose (due to cost)</li> </ul> <p><strong>Best Practices:</strong></p> <ul> <li>Use for production applications requiring external access</li> <li>Combine with Ingress for HTTP/HTTPS routing to multiple services</li> <li>Enable health checks for automatic pod traffic management</li> <li>Use SSL/TLS termination at the load balancer when possible</li> <li>Configure appropriate timeout and connection settings</li> </ul> <h2> Comparing the Service Types </h2> <p>Let's see all three types side by side:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>ClusterIP</th> <th>NodePort</th> <th>LoadBalancer</th> </tr> </thead> <tbody> <tr> <td><strong>Accessibility</strong></td> <td>Internal only</td> <td>External via node IPs</td> <td>External via load balancer IP</td> </tr> <tr> <td><strong>DNS Name</strong></td> <td>Yes (internal)</td> <td>Yes (internal)</td> <td>Yes (internal) + External IP</td> </tr> <tr> <td><strong>Port Range</strong></td> <td>Any</td> <td>30000-32767</td> <td>Any</td> </tr> <tr> <td><strong>Load Balancing</strong></td> <td>Internal only</td> <td>Manual external LB needed</td> <td>Automatic</td> </tr> <tr> <td><strong>Cloud Provider Required</strong></td> <td>No</td> <td>No</td> <td>Yes</td> </tr> <tr> <td><strong>Cost</strong></td> <td>Free</td> <td>Free</td> <td>Load balancer costs</td> </tr> <tr> <td><strong>Use Case</strong></td> <td>Microservices</td> <td>Dev/test, on-prem</td> <td>Production external access</td> </tr> <tr> <td><strong>IP Address</strong></td> <td>Cluster IP</td> <td>Node IPs + Cluster IP</td> <td>External IP + Node IPs + Cluster IP</td> </tr> </tbody> </table></div> <h2> Advanced Service Patterns </h2> <h3> Multi-Port Services </h3> <p>Services can expose multiple ports:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">multi-port-service</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8080</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">https</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">443</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8443</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">metrics</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9090</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">9090</span> </code></pre> </div> <h3> Headless Services </h3> <p>Sometimes you don't want load balancing, but need DNS records for individual pods:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">database-headless</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">clusterIP</span><span class="pi">:</span> <span class="s">None</span> <span class="c1"># This makes it headless</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">database</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">5432</span> </code></pre> </div> <p>With a headless service, DNS returns the IP addresses of all pods instead of a single service IP. Useful for:</p> <ul> <li>Stateful applications (databases)</li> <li>Service discovery without load balancing</li> <li>Direct pod-to-pod communication</li> </ul> <h3> ExternalName Services </h3> <p>Map a service to an external DNS name:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external-database</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ExternalName</span> <span class="na">externalName</span><span class="pi">:</span> <span class="s">database.example.com</span> </code></pre> </div> <p>This allows you to use <code>external-database</code> in your cluster, which resolves to <code>database.example.com</code>.</p> <h3> Session Affinity </h3> <p>Maintain sticky sessions by routing requests from the same client to the same pod:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp-sticky</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">sessionAffinity</span><span class="pi">:</span> <span class="s">ClientIP</span> <span class="na">sessionAffinityConfig</span><span class="pi">:</span> <span class="na">clientIP</span><span class="pi">:</span> <span class="na">timeoutSeconds</span><span class="pi">:</span> <span class="m">10800</span> <span class="c1"># 3 hours</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">8080</span> </code></pre> </div> <h2> Conclusion </h2> <p>Kubernetes Services are the backbone of cluster networking, providing stable endpoints for your applications. Understanding the three main Service types is crucial:</p> <ul> <li> <strong>ClusterIP</strong>: Internal communication between microservices (default choice)</li> <li> <strong>NodePort</strong>: External access for development, testing, or on-premises clusters</li> <li> <strong>LoadBalancer</strong>: Production-grade external access with cloud-native load balancing</li> </ul> <p><strong>Key Takeaways:</strong></p> <ol> <li> <strong>Start with ClusterIP</strong> for all internal services</li> <li> <strong>Use LoadBalancer</strong> for production external access in cloud environments</li> <li> <strong>Consider NodePort</strong> for development or when LoadBalancer isn't available</li> <li> <strong>Leverage DNS</strong> for service discovery instead of hard-coding IPs</li> <li> <strong>Monitor endpoints</strong> to ensure healthy pod registration</li> <li> <strong>Implement network policies</strong> for security</li> <li> <strong>Use labels and selectors</strong> correctly to route traffic</li> </ol> <p>As you build more complex applications, you'll likely use all three Service types together. Internal microservices communicate via ClusterIP, while user-facing applications use LoadBalancer for external access. Some administrative tools might use NodePort for restricted access.</p> <p>Remember that Services are abstractions—they don't run your application; they simply provide a stable way to access it. Understanding this distinction is key to mastering Kubernetes networking.</p> kubernetes networking network Claudio Fri, 03 Oct 2025 13:52:38 +0000 https://dev.to/klaus82/configmaps-and-secrets-managing-configuration-in-kubernetes-3ahk https://dev.to/klaus82/configmaps-and-secrets-managing-configuration-in-kubernetes-3ahk <p>When you're building applications for Kubernetes, one of the first challenges you'll face is: "Where do I put my configuration data?" Should database connection strings live in your Docker image? What about API keys? How do you handle different configurations for development, staging, and production environments?</p> <p>This is where Kubernetes ConfigMaps and Secrets come to the rescue. In this post, I would like to explore, with you, these essential Kubernetes resources that separate your application code from its configuration, making your deployments more secure, flexible, and maintainable.</p> <h2> The Problem: Hardcoded Configuration </h2> <p>Before we dive into the solution, let's understand the problem. Consider this simple Node.js application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// app.js - DON'T DO THIS</span> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">mysql</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">mysql2</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="c1">// Hardcoded configuration - BAD PRACTICE</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">3000</span><span class="p">,</span> <span class="na">database</span><span class="p">:</span> <span class="p">{</span> <span class="na">host</span><span class="p">:</span> <span class="dl">'</span><span class="s1">mysql-prod.company.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">super-secret-password</span><span class="dl">'</span><span class="p">,</span> <span class="na">database</span><span class="p">:</span> <span class="dl">'</span><span class="s1">production_db</span><span class="dl">'</span> <span class="p">},</span> <span class="na">apiKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sk-1234567890abcdef</span><span class="dl">'</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">connection</span> <span class="o">=</span> <span class="nx">mysql</span><span class="p">.</span><span class="nf">createConnection</span><span class="p">(</span><span class="nx">config</span><span class="p">.</span><span class="nx">database</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">config</span><span class="p">.</span><span class="nx">port</span><span class="p">);</span> </code></pre> </div> <p>This approach has several critical problems:</p> <ol> <li> <strong>Security Risk</strong>: Sensitive data like passwords and API keys are embedded in your code</li> <li> <strong>Environment Rigidity</strong>: The same image can't work across different environments</li> <li> <strong>Secret Exposure</strong>: Passwords end up in your Git repository and Docker images</li> <li> <strong>Deployment Complexity</strong>: Changing configuration requires rebuilding and redeploying your entire application</li> </ol> <h2> The Kubernetes Solution: Externalizing Configuration </h2> <p>Kubernetes provides two primary resources for managing configuration:</p> <ul> <li> <a href="https://kubernetes.io/docs/concepts/configuration/configmap/" rel="noopener noreferrer"><strong>ConfigMaps</strong></a>: For non-sensitive configuration data</li> <li> <a href="https://kubernetes.io/docs/concepts/configuration/secret/" rel="noopener noreferrer"><strong>Secrets</strong></a>: For sensitive information like passwords, tokens, and keys</li> </ul> <p>Both resources follow the same core principle: <strong>separate configuration from application code</strong>.</p> <h2> ConfigMaps: Your Configuration Data Store </h2> <h3> What is a ConfigMap? </h3> <p>A ConfigMap is a Kubernetes API object that stores configuration data as key-value pairs. Think of it as a dictionary or hash map that your applications can reference at runtime.</p> <h3> Creating ConfigMaps </h3> <p>There are several ways to create ConfigMaps. Let's explore each method:</p> <h3> Method 1: Using kubectl with Literal Values </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create configmap app-config <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">PORT</span><span class="o">=</span>3000 <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">DATABASE_HOST</span><span class="o">=</span>mysql.default.svc.cluster.local <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">DATABASE_NAME</span><span class="o">=</span>myapp <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">LOG_LEVEL</span><span class="o">=</span>info </code></pre> </div> <h3> Method 2: From a Configuration File </h3> <p>First, create a configuration file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># app.properties PORT=3000 DATABASE_HOST=mysql.default.svc.cluster.local DATABASE_NAME=myapp LOG_LEVEL=info DEBUG_MODE=false </code></pre> </div> <p>Then create the ConfigMap:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create configmap app-config <span class="nt">--from-file</span><span class="o">=</span>app.properties </code></pre> </div> <h3> Method 3: Using YAML Manifests (Recommended) </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># configmap.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-config</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">data</span><span class="pi">:</span> <span class="na">PORT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3000"</span> <span class="na">DATABASE_HOST</span><span class="pi">:</span> <span class="s2">"</span><span class="s">mysql.default.svc.cluster.local"</span> <span class="na">DATABASE_NAME</span><span class="pi">:</span> <span class="s2">"</span><span class="s">myapp"</span> <span class="na">LOG_LEVEL</span><span class="pi">:</span> <span class="s2">"</span><span class="s">info"</span> <span class="na">DEBUG_MODE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="c1"># You can also include entire configuration files</span> <span class="na">app.properties</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">PORT=3000</span> <span class="s">DATABASE_HOST=mysql.default.svc.cluster.local</span> <span class="s">DATABASE_NAME=myapp</span> <span class="s">LOG_LEVEL=info</span> <span class="s">DEBUG_MODE=false</span> </code></pre> </div> <p>Apply the ConfigMap:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> configmap.yaml </code></pre> </div> <h3> Consuming ConfigMaps in Your Applications </h3> <p>There are three primary ways to use ConfigMaps in your pods:</p> <h3> 1. Environment Variables </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># deployment.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">image</span><span class="pi">:</span> <span class="s">myapp:latest</span> <span class="na">env</span><span class="pi">:</span> <span class="c1"># Individual environment variables</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">PORT</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">configMapKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-config</span> <span class="na">key</span><span class="pi">:</span> <span class="s">PORT</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DATABASE_HOST</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">configMapKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-config</span> <span class="na">key</span><span class="pi">:</span> <span class="s">DATABASE_HOST</span> <span class="c1"># Or load all ConfigMap keys as environment variables</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">configMapRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-config</span> </code></pre> </div> <h3> 2. Volume Mounts </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">image</span><span class="pi">:</span> <span class="s">myapp:latest</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">config-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/etc/config</span> <span class="na">readOnly</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">config-volume</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-config</span> </code></pre> </div> <p>With this approach, your configuration files will be available at <code>/etc/config/</code> inside the container.</p> <h3> 3. Command Line Arguments </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">image</span><span class="pi">:</span> <span class="s">myapp:latest</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">./myapp"</span><span class="pi">]</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--port=$(PORT)"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--database-host=$(DATABASE_HOST)"</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">PORT</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">configMapKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-config</span> <span class="na">key</span><span class="pi">:</span> <span class="s">PORT</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DATABASE_HOST</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">configMapKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-config</span> <span class="na">key</span><span class="pi">:</span> <span class="s">DATABASE_HOST</span> </code></pre> </div> <h2> Secrets: Protecting Sensitive Data </h2> <h3> What is a Secret? </h3> <p>A Secret is similar to a ConfigMap, but specifically designed for sensitive data. Kubernetes stores Secrets in base64 encoding and provides additional security features like:</p> <ul> <li>Secrets are stored in etcd in encrypted form (when encryption at rest is enabled)</li> <li>Secrets are only sent to nodes that have pods requiring them</li> <li>Secrets are stored in memory (tmpfs) and never written to disk</li> <li>Access can be controlled with RBAC policies</li> </ul> <h3> Types of Secrets </h3> <p>Kubernetes supports several Secret types:</p> <ol> <li> <strong>Opaque</strong>: Generic secrets for arbitrary user data (default)</li> <li> <strong>kubernetes.io/dockerconfigjson</strong>: Docker registry credentials</li> <li> <strong>kubernetes.io/tls</strong>: TLS certificates and keys</li> <li> <strong>kubernetes.io/service-account-token</strong>: Service account tokens</li> </ol> <h3> Creating Secrets </h3> <h3> Method 1: Using kubectl with Literal Values </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create secret generic app-secrets <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">DATABASE_PASSWORD</span><span class="o">=</span>super-secret-password <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">API_KEY</span><span class="o">=</span>sk-1234567890abcdef <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">JWT_SECRET</span><span class="o">=</span>my-jwt-secret-key </code></pre> </div> <h3> Method 2: From Files </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create files with sensitive data</span> <span class="nb">echo</span> <span class="nt">-n</span> <span class="s1">'super-secret-password'</span> <span class="o">&gt;</span> db-password.txt <span class="nb">echo</span> <span class="nt">-n</span> <span class="s1">'sk-1234567890abcdef'</span> <span class="o">&gt;</span> api-key.txt kubectl create secret generic app-secrets <span class="se">\</span> <span class="nt">--from-file</span><span class="o">=</span><span class="nv">DATABASE_PASSWORD</span><span class="o">=</span>db-password.txt <span class="se">\</span> <span class="nt">--from-file</span><span class="o">=</span><span class="nv">API_KEY</span><span class="o">=</span>api-key.txt <span class="c"># Clean up the files</span> <span class="nb">rm </span>db-password.txt api-key.txt </code></pre> </div> <h3> Method 3: Using YAML Manifests </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># secret.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-secrets</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">data</span><span class="pi">:</span> <span class="c1"># Values must be base64 encoded</span> <span class="na">DATABASE_PASSWORD</span><span class="pi">:</span> <span class="s">c3VwZXItc2VjcmV0LXBhc3N3b3Jk</span> <span class="c1"># super-secret-password</span> <span class="na">API_KEY</span><span class="pi">:</span> <span class="s">c2stMTIzNDU2Nzg5MGFiY2RlZg==</span> <span class="c1"># sk-1234567890abcdef</span> <span class="na">JWT_SECRET</span><span class="pi">:</span> <span class="s">bXktand0LXNlY3JldC1rZXk=</span> <span class="c1"># my-jwt-secret-key</span> </code></pre> </div> <p><strong>Pro Tip</strong>: Use the <code>stringData</code> field to avoid manual base64 encoding:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-secrets</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">stringData</span><span class="pi">:</span> <span class="na">DATABASE_PASSWORD</span><span class="pi">:</span> <span class="s">super-secret-password</span> <span class="na">API_KEY</span><span class="pi">:</span> <span class="s">sk-1234567890abcdef</span> <span class="na">JWT_SECRET</span><span class="pi">:</span> <span class="s">my-jwt-secret-key</span> </code></pre> </div> <h3> Consuming Secrets </h3> <p>Secrets are consumed in the same ways as ConfigMaps:</p> <h3> Environment Variables </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">image</span><span class="pi">:</span> <span class="s">myapp:latest</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">DATABASE_PASSWORD</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-secrets</span> <span class="na">key</span><span class="pi">:</span> <span class="s">DATABASE_PASSWORD</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">API_KEY</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">secretKeyRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-secrets</span> <span class="na">key</span><span class="pi">:</span> <span class="s">API_KEY</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">secretRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">app-secrets</span> </code></pre> </div> <h3> Volume Mounts </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">image</span><span class="pi">:</span> <span class="s">myapp:latest</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secret-volume</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/etc/secrets</span> <span class="na">readOnly</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secret-volume</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">app-secrets</span> <span class="na">defaultMode</span><span class="pi">:</span> <span class="m">0400</span> <span class="c1"># Read-only for owner only</span> </code></pre> </div> <p>In the next post we’ll see how to use <code>secrets</code> and <code>ConfigMap</code> in a complete application setup.</p> <h2> Real-World Example: Complete Application Setup </h2> <p>Let's put it all together with a realistic example. We'll deploy a Node.js application that connects to a MySQL database.</p> <h3> Step 1: Create the ConfigMap </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># configmap.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp-config</span> <span class="na">data</span><span class="pi">:</span> <span class="na">PORT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3000"</span> <span class="na">NODE_ENV</span><span class="pi">:</span> <span class="s2">"</span><span class="s">production"</span> <span class="na">DATABASE_HOST</span><span class="pi">:</span> <span class="s2">"</span><span class="s">mysql.default.svc.cluster.local"</span> <span class="na">DATABASE_PORT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3306"</span> <span class="na">DATABASE_NAME</span><span class="pi">:</span> <span class="s2">"</span><span class="s">webapp"</span> <span class="na">LOG_LEVEL</span><span class="pi">:</span> <span class="s2">"</span><span class="s">info"</span> <span class="na">CACHE_TTL</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3600"</span> <span class="na">RATE_LIMIT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">100"</span> </code></pre> </div> <h3> Step 2: Create the Secret </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># secret.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp-secrets</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">stringData</span><span class="pi">:</span> <span class="na">DATABASE_USER</span><span class="pi">:</span> <span class="s">admin</span> <span class="na">DATABASE_PASSWORD</span><span class="pi">:</span> <span class="s">my-secure-password-123</span> <span class="na">JWT_SECRET</span><span class="pi">:</span> <span class="s">super-secret-jwt-key-that-should-be-random</span> <span class="na">API_KEY</span><span class="pi">:</span> <span class="s">sk-live-1234567890abcdef</span> </code></pre> </div> <h3> Step 3: Create the Deployment </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># deployment.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">image</span><span class="pi">:</span> <span class="s">mycompany/webapp:v1.2.0</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">3000</span> <span class="c1"># Load non-sensitive config as environment variables</span> <span class="na">envFrom</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">configMapRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp-config</span> <span class="c1"># Load sensitive data as environment variables</span> <span class="pi">-</span> <span class="na">secretRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp-secrets</span> <span class="c1"># Health checks</span> <span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/health</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">httpGet</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/ready</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="c1"># Resource limits</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">128Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">100m"</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">256Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">200m"</span> </code></pre> </div> <h3> Step 4: Updated Application Code </h3> <p>Now your application code becomes much cleaner:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// app.js - Clean configuration management</span> <span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">mysql</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">mysql2/promise</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="c1">// Configuration from environment variables</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PORT</span> <span class="o">||</span> <span class="mi">3000</span><span class="p">,</span> <span class="na">nodeEnv</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span><span class="p">,</span> <span class="na">database</span><span class="p">:</span> <span class="p">{</span> <span class="na">host</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_HOST</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">localhost</span><span class="dl">'</span><span class="p">,</span> <span class="na">port</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_PORT</span> <span class="o">||</span> <span class="mi">3306</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_USER</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">root</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_PASSWORD</span> <span class="o">||</span> <span class="dl">''</span><span class="p">,</span> <span class="na">database</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_NAME</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">myapp</span><span class="dl">'</span> <span class="p">},</span> <span class="na">jwtSecret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">,</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">API_KEY</span><span class="p">,</span> <span class="na">logLevel</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">LOG_LEVEL</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">info</span><span class="dl">'</span><span class="p">,</span> <span class="na">cacheTtl</span><span class="p">:</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CACHE_TTL</span><span class="p">)</span> <span class="o">||</span> <span class="mi">3600</span><span class="p">,</span> <span class="na">rateLimit</span><span class="p">:</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">RATE_LIMIT</span><span class="p">)</span> <span class="o">||</span> <span class="mi">100</span> <span class="p">};</span> <span class="c1">// Validate required configuration</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">config</span><span class="p">.</span><span class="nx">jwtSecret</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">JWT_SECRET is required</span><span class="dl">'</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">config</span><span class="p">.</span><span class="nx">apiKey</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">API_KEY is required</span><span class="dl">'</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Initialize database connection</span> <span class="kd">let</span> <span class="nx">connection</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">initDatabase</span><span class="p">()</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">connection</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">mysql</span><span class="p">.</span><span class="nf">createConnection</span><span class="p">(</span><span class="nx">config</span><span class="p">.</span><span class="nx">database</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Database connected successfully</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Database connection failed:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Health check endpoints</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/health</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">healthy</span><span class="dl">'</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/ready</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">connection</span><span class="p">.</span><span class="nf">ping</span><span class="p">();</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">200</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ready</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">503</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">not ready</span><span class="dl">'</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// Start the application</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">start</span><span class="p">()</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">initDatabase</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="nx">config</span><span class="p">.</span><span class="nx">port</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Server running on port </span><span class="p">${</span><span class="nx">config</span><span class="p">.</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Environment: </span><span class="p">${</span><span class="nx">config</span><span class="p">.</span><span class="nx">nodeEnv</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Log Level: </span><span class="p">${</span><span class="nx">config</span><span class="p">.</span><span class="nx">logLevel</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">start</span><span class="p">().</span><span class="k">catch</span><span class="p">(</span><span class="nx">error</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to start application:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> Step 5: Deploy Everything </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> configmap.yaml kubectl apply <span class="nt">-f</span> secret.yaml kubectl apply <span class="nt">-f</span> deployment.yaml </code></pre> </div> <h2> Advanced Patterns and Best Practices </h2> <h3> 1. Environment-Specific Configurations </h3> <p>Use different ConfigMaps and Secrets for different environments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Development</span> kubectl create configmap webapp-config <span class="nt">--from-env-file</span><span class="o">=</span>dev.env kubectl create secret generic webapp-secrets <span class="nt">--from-env-file</span><span class="o">=</span>dev-secrets.env <span class="c"># Production</span> kubectl create configmap webapp-config <span class="nt">--from-env-file</span><span class="o">=</span>prod.env kubectl create secret generic webapp-secrets <span class="nt">--from-env-file</span><span class="o">=</span>prod-secrets.env </code></pre> </div> <h3> 2. Configuration Validation </h3> <p>Add configuration validation to your application:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">const</span> <span class="nx">joi</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">joi</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">configSchema</span> <span class="o">=</span> <span class="nx">joi</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">port</span><span class="p">:</span> <span class="nx">joi</span><span class="p">.</span><span class="nf">number</span><span class="p">().</span><span class="nf">port</span><span class="p">().</span><span class="nf">required</span><span class="p">(),</span> <span class="na">nodeEnv</span><span class="p">:</span> <span class="nx">joi</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">valid</span><span class="p">(</span><span class="dl">'</span><span class="s1">development</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">test</span><span class="dl">'</span><span class="p">).</span><span class="nf">required</span><span class="p">(),</span> <span class="na">database</span><span class="p">:</span> <span class="nx">joi</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">host</span><span class="p">:</span> <span class="nx">joi</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">hostname</span><span class="p">().</span><span class="nf">required</span><span class="p">(),</span> <span class="na">port</span><span class="p">:</span> <span class="nx">joi</span><span class="p">.</span><span class="nf">number</span><span class="p">().</span><span class="nf">port</span><span class="p">().</span><span class="nf">required</span><span class="p">(),</span> <span class="na">user</span><span class="p">:</span> <span class="nx">joi</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">required</span><span class="p">(),</span> <span class="na">password</span><span class="p">:</span> <span class="nx">joi</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">8</span><span class="p">).</span><span class="nf">required</span><span class="p">(),</span> <span class="na">database</span><span class="p">:</span> <span class="nx">joi</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">required</span><span class="p">()</span> <span class="p">}).</span><span class="nf">required</span><span class="p">(),</span> <span class="na">jwtSecret</span><span class="p">:</span> <span class="nx">joi</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">32</span><span class="p">).</span><span class="nf">required</span><span class="p">(),</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">joi</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">required</span><span class="p">(),</span> <span class="na">logLevel</span><span class="p">:</span> <span class="nx">joi</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">valid</span><span class="p">(</span><span class="dl">'</span><span class="s1">error</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">warn</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">info</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">debug</span><span class="dl">'</span><span class="p">).</span><span class="nf">required</span><span class="p">(),</span> <span class="na">cacheTtl</span><span class="p">:</span> <span class="nx">joi</span><span class="p">.</span><span class="nf">number</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">0</span><span class="p">).</span><span class="nf">required</span><span class="p">(),</span> <span class="na">rateLimit</span><span class="p">:</span> <span class="nx">joi</span><span class="p">.</span><span class="nf">number</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="nf">required</span><span class="p">()</span> <span class="p">});</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">error</span><span class="p">,</span> <span class="nx">value</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">configSchema</span><span class="p">.</span><span class="nf">validate</span><span class="p">(</span><span class="nx">config</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Configuration validation failed:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">.</span><span class="nx">details</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> 3. Hot Reloading Configuration </h3> <p>Monitor ConfigMap changes and reload configuration without restarting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">path</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// If using volume mounts</span> <span class="kd">function</span> <span class="nf">watchConfigFile</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">configPath</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/etc/config/app.properties</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">fs</span><span class="p">.</span><span class="nf">existsSync</span><span class="p">(</span><span class="nx">configPath</span><span class="p">))</span> <span class="p">{</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">watchFile</span><span class="p">(</span><span class="nx">configPath</span><span class="p">,</span> <span class="p">(</span><span class="nx">curr</span><span class="p">,</span> <span class="nx">prev</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Configuration file changed, reloading...</span><span class="dl">'</span><span class="p">);</span> <span class="nf">loadConfigFromFile</span><span class="p">(</span><span class="nx">configPath</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">loadConfigFromFile</span><span class="p">(</span><span class="nx">filePath</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">content</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="nx">filePath</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">newConfig</span> <span class="o">=</span> <span class="nf">parseConfig</span><span class="p">(</span><span class="nx">content</span><span class="p">);</span> <span class="c1">// Update non-critical configuration</span> <span class="nx">config</span><span class="p">.</span><span class="nx">logLevel</span> <span class="o">=</span> <span class="nx">newConfig</span><span class="p">.</span><span class="nx">LOG_LEVEL</span><span class="p">;</span> <span class="nx">config</span><span class="p">.</span><span class="nx">cacheTtl</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">newConfig</span><span class="p">.</span><span class="nx">CACHE_TTL</span><span class="p">);</span> <span class="nx">config</span><span class="p">.</span><span class="nx">rateLimit</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">newConfig</span><span class="p">.</span><span class="nx">RATE_LIMIT</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Configuration reloaded successfully</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to reload configuration:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> 4. Secret Rotation </h3> <p>Implement graceful secret rotation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">const</span> <span class="nx">crypto</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">);</span> <span class="kd">class</span> <span class="nc">SecretManager</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">currentSecrets</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">loadSecrets</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nf">watchSecrets</span><span class="p">();</span> <span class="p">}</span> <span class="nf">loadSecrets</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">jwtSecret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">,</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">API_KEY</span><span class="p">,</span> <span class="na">databasePassword</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_PASSWORD</span> <span class="p">};</span> <span class="p">}</span> <span class="nf">watchSecrets</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Watch for secret file changes if using volume mounts</span> <span class="kd">const</span> <span class="nx">secretsPath</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/etc/secrets</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">fs</span><span class="p">.</span><span class="nf">existsSync</span><span class="p">(</span><span class="nx">secretsPath</span><span class="p">))</span> <span class="p">{</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">watch</span><span class="p">(</span><span class="nx">secretsPath</span><span class="p">,</span> <span class="p">(</span><span class="nx">eventType</span><span class="p">,</span> <span class="nx">filename</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">eventType</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">change</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Secret </span><span class="p">${</span><span class="nx">filename</span><span class="p">}</span><span class="s2"> changed, preparing rotation...`</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nf">rotateSecret</span><span class="p">(</span><span class="nx">filename</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">rotateSecret</span><span class="p">(</span><span class="nx">secretName</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">newSecret</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="s2">`/etc/secrets/</span><span class="p">${</span><span class="nx">secretName</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Graceful rotation logic here</span> <span class="c1">// For example, accept both old and new JWT secrets temporarily</span> <span class="k">if </span><span class="p">(</span><span class="nx">secretName</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">JWT_SECRET</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">gracefulJwtRotation</span><span class="p">(</span><span class="nx">newSecret</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`Failed to rotate secret </span><span class="p">${</span><span class="nx">secretName</span><span class="p">}</span><span class="s2">:`</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">gracefulJwtRotation</span><span class="p">(</span><span class="nx">newSecret</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Keep both secrets active for a transition period</span> <span class="k">this</span><span class="p">.</span><span class="nx">acceptedJwtSecrets</span> <span class="o">=</span> <span class="p">[</span><span class="k">this</span><span class="p">.</span><span class="nx">currentSecrets</span><span class="p">.</span><span class="nx">jwtSecret</span><span class="p">,</span> <span class="nx">newSecret</span><span class="p">];</span> <span class="c1">// After transition period, use only the new secret</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">currentSecrets</span><span class="p">.</span><span class="nx">jwtSecret</span> <span class="o">=</span> <span class="nx">newSecret</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">acceptedJwtSecrets</span> <span class="o">=</span> <span class="p">[</span><span class="nx">newSecret</span><span class="p">];</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">JWT secret rotation completed</span><span class="dl">'</span><span class="p">);</span> <span class="p">},</span> <span class="mi">300000</span><span class="p">);</span> <span class="c1">// 5 minutes</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Security Best Practices </h2> <h3> 1. Principle of Least Privilege </h3> <p>Only give pods access to the ConfigMaps and Secrets they actually need:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp-service-account</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp-config-reader</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">configmaps"</span><span class="pi">]</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">webapp-config"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">secrets"</span><span class="pi">]</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">webapp-secrets"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">]</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp-config-binding</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp-service-account</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp-config-reader</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> </code></pre> </div> <h3> 2. Avoid Logging Sensitive Data </h3> <p>Never log environment variables or configuration that might contain secrets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// DON'T DO THIS</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Starting with config:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">));</span> <span class="c1">// DO THIS INSTEAD</span> <span class="kd">const</span> <span class="nx">safeConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">port</span><span class="p">,</span> <span class="na">nodeEnv</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">nodeEnv</span><span class="p">,</span> <span class="na">logLevel</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">logLevel</span><span class="p">,</span> <span class="c1">// Mask sensitive data</span> <span class="na">databaseHost</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">database</span><span class="p">.</span><span class="nx">host</span><span class="p">,</span> <span class="na">databaseUser</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">database</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/./g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">),</span> <span class="c1">// Don't log secrets at all</span> <span class="p">};</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Starting with config:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">safeConfig</span><span class="p">));</span> </code></pre> </div> <h3> 3. Use Dedicated Service Accounts </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">template</span><span class="pi">:</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceAccountName</span><span class="pi">:</span> <span class="s">webapp-service-account</span> <span class="c1"># Dedicated service account</span> <span class="na">automountServiceAccountToken</span><span class="pi">:</span> <span class="kc">false</span> <span class="c1"># Don't mount unless needed</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">image</span><span class="pi">:</span> <span class="s">mycompany/webapp:v1.2.0</span> <span class="c1"># ... rest of configuration</span> </code></pre> </div> <h2> Troubleshooting Common Issues </h2> <h3> Problem 1: ConfigMap Not Updating in Pods </h3> <p><strong>Symptoms</strong>: You updated a ConfigMap, but your pods still see the old values.</p> <p><strong>Causes and Solutions</strong>:</p> <ol> <li> <p><strong>Environment Variables</strong>: Environment variables are set at pod startup and don't update automatically.<br> </p> <pre class="highlight shell"><code><span class="c"># Force pod recreation</span> kubectl rollout restart deployment/webapp </code></pre> </li> <li> <p><strong>Volume Mounts</strong>: May take up to 60 seconds to propagate.<br> </p> <pre class="highlight shell"><code><span class="c"># Check if files are updated</span> kubectl <span class="nb">exec</span> <span class="nt">-it</span> webapp-xxx <span class="nt">--</span> <span class="nb">cat</span> /etc/config/app.properties </code></pre> </li> </ol> <h3> Problem 2: Secret Values Not Decoding Properly </h3> <p><strong>Symptoms</strong>: Your application receives base64-encoded values instead of plain text.</p> <p><strong>Solution</strong>: Kubernetes automatically decodes Secret values. If you're getting encoded values, check if you're reading from the wrong source:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// Wrong - reading from a manually created file</span> <span class="kd">const</span> <span class="nx">secret</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">/tmp/my-secret</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Still encoded</span> <span class="c1">// Right - from environment variable or volume mount</span> <span class="kd">const</span> <span class="nx">secret</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">MY_SECRET</span><span class="p">;</span> <span class="c1">// Automatically decoded</span> </code></pre> </div> <h3> Problem 3: Permission Denied Errors </h3> <p><strong>Symptoms</strong>: Pods can't read ConfigMaps or Secrets.</p> <p><strong>Solution</strong>: Check RBAC permissions and service account configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check service account</span> kubectl get pods webapp-xxx <span class="nt">-o</span> yaml | <span class="nb">grep </span>serviceAccount <span class="c"># Check RBAC permissions</span> kubectl auth can-i get configmap <span class="nt">--as</span><span class="o">=</span>system:serviceaccount:default:webapp-service-account <span class="c"># Debug with a temporary pod</span> kubectl run debug <span class="nt">--rm</span> <span class="nt">-it</span> <span class="nt">--image</span><span class="o">=</span>busybox <span class="nt">--restart</span><span class="o">=</span>Never <span class="nt">--</span> sh </code></pre> </div> <h2> Performance Considerations </h2> <h3> 1. ConfigMap and Secret Size Limits </h3> <ul> <li>ConfigMaps and Secrets have a 1MB size limit</li> <li>For larger configuration files, consider using init containers or external configuration services</li> </ul> <h3> 2. Update Propagation </h3> <ul> <li>Environment variables: Require pod restart</li> <li>Volume mounts: Propagate within ~60 seconds</li> <li>Choose the right method based on your update frequency needs</li> </ul> <h3> 3. Memory Usage </h3> <ul> <li>Secrets are stored in memory (tmpfs) and count against container memory limits</li> <li>Consider this when setting memory limits for pods with large secrets</li> </ul> <h2> Monitoring and Observability </h2> <p>Track ConfigMap and Secret usage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Add labels for better organization</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">webapp-config</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">webapp</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v1.2.0</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="na">config-type</span><span class="pi">:</span> <span class="s">application</span> <span class="na">data</span><span class="pi">:</span> <span class="c1"># ... configuration data</span> </code></pre> </div> <p>Monitor configuration changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Watch for ConfigMap changes</span> kubectl get events <span class="nt">--field-selector</span> involvedObject.kind<span class="o">=</span>ConfigMap <span class="nt">-w</span> <span class="c"># Check ConfigMap history</span> kubectl describe configmap webapp-config </code></pre> </div> <h2> Conclusion </h2> <p>ConfigMaps and Secrets are fundamental building blocks for managing configuration in Kubernetes. They enable you to:</p> <ul> <li> <strong>Separate concerns</strong>: Keep configuration separate from application code</li> <li> <strong>Enhance security</strong>: Protect sensitive data with proper access controls</li> <li> <strong>Improve flexibility</strong>: Use the same container images across different environments</li> <li> <strong>Simplify operations</strong>: Update configuration without rebuilding images</li> </ul> <p>Key takeaways for entry-level engineers:</p> <ol> <li> <strong>Use ConfigMaps for non-sensitive data</strong> like database hostnames, port numbers, and feature flags</li> <li> <strong>Use Secrets for sensitive data</strong> like passwords, API keys, and certificates</li> <li> <strong>Choose the right consumption method</strong> based on your update requirements</li> <li> <strong>Follow security best practices</strong> with proper RBAC and service accounts</li> <li> <strong>Validate configuration</strong> in your application code</li> <li> <strong>Monitor and log safely</strong> without exposing sensitive information</li> </ol> <p>As you continue your Kubernetes journey, remember that good configuration management is not just about the technology—it's about creating maintainable, secure, and scalable applications. ConfigMaps and Secrets provide the foundation, but how you use them will determine the success of your deployments.</p> <p>Start small, experiment with different approaches, and gradually build more sophisticated configuration management patterns as your applications and team grow. The investment in proper configuration management will pay dividends in reduced deployment complexity, improved security, and faster development cycles.</p> <p>👉 If you enjoyed this post, consider supporting me by <a href="https://buymeacoffee.com/klaus82" rel="noopener noreferrer">buying me a coffee</a>.</p> <p>👉 If you want to stay updated with similar posts, consider joining my <a href="https://thefridaydeployer.substack.com/?utm_campaign=profile_chips" rel="noopener noreferrer">newsletter</a>. </p> kubernetes devops beginners Claudio Mon, 01 Sep 2025 08:06:25 +0000 https://dev.to/klaus82/go-125-the-container-native-release-5dfd https://dev.to/klaus82/go-125-the-container-native-release-5dfd <p>The Go team has just released Go 1.25, and it's packed with features that modern cloud-native developers have been waiting for. This release doesn't introduce breaking language changes, but it delivers significant runtime improvements, experimental features, and developer experience enhancements that make it one of the most impactful releases in recent memory.</p> <h2> The Big Three: What Makes Go 1.25 Special </h2> <h3> 1. Container-Aware GOMAXPROCS: Finally! </h3> <p>The biggest game-changer in Go 1.25 is the introduction of container-aware <code>GOMAXPROCS</code>. If you've ever deployed Go applications to Kubernetes and wondered why your carefully set CPU limits weren't being respected by the Go runtime, this update is for you.</p> <p><strong>What's Changed:</strong></p> <ul> <li>On Linux, the runtime now considers cgroup CPU bandwidth limits</li> <li>If your container has a CPU limit lower than the number of logical CPUs, <code>GOMAXPROCS</code> automatically adjusts to match</li> <li>The runtime periodically updates <code>GOMAXPROCS</code> if CPU availability changes</li> <li>Both behaviors are disabled if you manually set <code>GOMAXPROCS</code> </li> </ul> <p>This means no more manually setting <code>GOMAXPROCS</code> based on Kubernetes CPU limits or dealing with over-aggressive goroutine scheduling in constrained environments. Your Go applications will finally "just work" in containerized environments.</p> <h3> 2. Experimental "Green Tea" Garbage Collector </h3> <p>Go 1.25 introduces an experimental garbage collector with the delightful codename "Green Tea GC." This isn't just a minor tweak—it's a fundamental redesign focused on improving performance for workloads with many small objects.</p> <p><strong>The Promise:</strong></p> <ul> <li>10-40% reduction in GC overhead for real-world applications</li> <li>Better locality and CPU scalability for marking and scanning</li> <li>Improved performance when heavily using the garbage collector</li> </ul> <p><strong>How to Try It:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">GOEXPERIMENT</span><span class="o">=</span>greenteagc go build your-app </code></pre> </div> <p>The Go team is actively seeking feedback, so if you're working on GC-intensive applications, this is your chance to influence the future of Go's memory management.</p> <h3> 3. Experimental JSON v2: Performance That Actually Matters </h3> <p>JSON processing gets a major overhaul with the experimental <code>encoding/json/v2</code> package. While maintaining backward compatibility, the new implementation delivers substantial performance improvements.</p> <p><strong>Key Benefits:</strong></p> <ul> <li>Encoding performance at parity with v1</li> <li>Significantly faster decoding</li> <li>New configuration options for marshaling and unmarshaling</li> <li>Lower-level <code>encoding/json/jsontext</code> package for custom implementations</li> </ul> <p><strong>Testing the Waters:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">GOEXPERIMENT</span><span class="o">=</span>jsonv2 go build your-app </code></pre> </div> <p>Given how much Go code deals with JSON, these improvements could have widespread impact across the ecosystem.</p> <h2> Developer Experience Improvements </h2> <h3> New <code>go doc -http</code> Flag </h3> <p>Remember when you needed to run <code>godoc</code> locally? Those days are over. The new <code>go doc -http</code> flag starts a documentation server and automatically opens your browser to the relevant documentation.</p> <h3> Enhanced <code>go.mod</code> Management </h3> <p>The new <code>ignore</code> directive in <code>go.mod</code> lets you specify directories the <code>go</code> command should ignore. Perfect for excluding example code, scripts, or other non-package directories from pattern matching.</p> <h3> VMA Names on Linux </h3> <p>On supported Linux kernels, Go 1.25 annotates memory mappings with context about their purpose (e.g., <code>[anon: Go: heap]</code>). This makes debugging memory issues significantly easier.</p> <h2> Under the Hood: Compiler and Runtime </h2> <h3> DWARF 5 Debug Information </h3> <p>The compiler now generates DWARF 5 debug information by default, resulting in:</p> <ul> <li>Smaller debug information in binaries</li> <li>Faster linking, especially for large applications</li> <li>Better debugging experience with modern tools</li> </ul> <h3> Stricter Nil Pointer Checks </h3> <p>A compiler bug that allowed some nil pointer dereferences to pass silently has been fixed. Code like this will now properly panic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">f</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Open</span><span class="p">(</span><span class="s">"nonExistentFile"</span><span class="p">)</span> <span class="n">name</span> <span class="o">:=</span> <span class="n">f</span><span class="o">.</span><span class="n">Name</span><span class="p">()</span> <span class="c">// This will now panic if err != nil</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="p">}</span> </code></pre> </div> <p>While this might break some existing code, it ensures Go programs behave according to the language specification.</p> <h3> Enhanced Stack Allocation </h3> <p>The compiler can now allocate slice backing stores on the stack in more situations, improving performance. However, this change may amplify issues with incorrect <code>unsafe.Pointer</code> usage—the new <code>bisect</code> tool can help track down these problems.</p> <h2> Standard Library Enhancements </h2> <h3> New <code>testing/synctest</code> Package </h3> <p>Testing concurrent code gets easier with the new <code>testing/synctest</code> package. It provides:</p> <ul> <li>Isolated "bubble" environments for testing</li> <li>Fake clock operations</li> <li> <code>Wait()</code> function to wait for all goroutines to block</li> </ul> <h3> Crypto Performance Improvements </h3> <p>Several cryptographic operations see significant performance boosts:</p> <ul> <li>SHA-1 hashing 2x faster on amd64 with SHA-NI</li> <li>SHA-3 hashing 2x faster on Apple M processors</li> <li>ECDSA and Ed25519 signing 4x faster in FIPS mode</li> <li>RSA key generation 3x faster</li> </ul> <h3> TLS Security Hardening </h3> <p>The TLS implementation becomes more secure and compliant:</p> <ul> <li>SHA-1 signature algorithms disallowed in TLS 1.2 (can be re-enabled with <code>GODEBUG=tlssha1=1</code>)</li> <li>Stricter spec compliance for both clients and servers</li> <li>Extended Master Secret required in FIPS mode</li> </ul> <h2> What This Means for You </h2> <p><strong>For Container Users:</strong> Go 1.25 eliminates a major pain point in Kubernetes deployments. Your applications will automatically respect CPU limits without manual intervention.</p> <p><strong>For Performance-Critical Applications:</strong> The experimental GC and JSON improvements offer substantial performance gains. Consider testing these features in your staging environments.</p> <p><strong>For Library Authors:</strong> The new crypto interfaces (<code>MessageSigner</code>) and hash interfaces (<code>Cloner</code>, <code>XOF</code>) provide more flexibility for implementing cryptographic functionality.</p> <p><strong>For Tool Builders:</strong> Enhanced reflection capabilities, better AST traversal, and improved debugging support make building Go development tools easier.</p> <h2> Getting Started </h2> <p>Go 1.25 is expected to release in August 2025, but you can try the development version now:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>go <span class="nb">install </span>golang.org/dl/go1.25@latest <span class="nv">$ </span>go1.25 download </code></pre> </div> <p>For the experimental features:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ GOEXPERIMENT</span><span class="o">=</span>greenteagc,jsonv2 go build </code></pre> </div> <h2> Migration Checklist </h2> <ol> <li> <strong>Test your containerized applications</strong> - The new GOMAXPROCS behavior should improve performance, but verify in your environment</li> <li> <strong>Check for nil pointer dereferences</strong> - The stricter compiler may catch bugs that were previously hidden</li> <li> <strong>Experiment with the new GC</strong> - If you have GC-intensive workloads, the Green Tea GC could provide significant improvements</li> <li> <strong>Try JSON v2</strong> - Test your JSON-heavy applications with the experimental implementation</li> <li> <strong>Update your debugging workflows</strong> - Take advantage of VMA names and DWARF 5 improvements</li> </ol> <h2> Looking Ahead </h2> <p>Go 1.25 represents a maturation of the language for cloud-native environments. The container-aware runtime changes alone make this a must-upgrade for most production deployments. Combined with the experimental performance improvements and enhanced tooling, it's clear that the Go team continues to focus on the real-world needs of modern developers.</p> <p>The experimental features in particular signal exciting directions for future releases. The Green Tea GC could become the default garbage collector, and JSON v2 might replace the current implementation entirely.</p> <p>What features are you most excited about in Go 1.25? Have you encountered the container GOMAXPROCS issues that this release addresses? Share your thoughts and experiences in the comments below.</p> <p>Do you like this post? <br> Consider supporting my work by following my <a href="https://thefridaydeployer.substack.com" rel="noopener noreferrer">newsletter</a> and/or <a href="//www.buymeacoffee.com/klaus82">buy me a coffee</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm0dfwxmnw24iwfrrpzr8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm0dfwxmnw24iwfrrpzr8.png" alt=" " width="800" height="224"></a></p> go programming productivity devops Claudio Thu, 28 Aug 2025 07:55:52 +0000 https://dev.to/klaus82/the-hidden-cost-of-docker-images-why-multi-stage-builds-are-essential-in-2025-3knk https://dev.to/klaus82/the-hidden-cost-of-docker-images-why-multi-stage-builds-are-essential-in-2025-3knk <p>In the era of microservices and cloud-native architectures, containerization has become the backbone of modern software delivery. Yet, many engineering teams are unknowingly wasting money and performance due to a fundamental misunderstanding of Docker image optimization.</p> <h2> The Anatomy of Bloated Containers </h2> <p>Modern application development involves a complex ecosystem of tools. We use TypeScript compilers, bundlers like webpack, testing frameworks, linters, and dozens of development dependencies. These tools are essential for building robust applications, but they have no place in production.<br> Consider this common Dockerfile pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> node:18</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="k">RUN </span>npm <span class="nb">install</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span>npm run build <span class="k">CMD</span><span class="s"> ["npm", "start"]</span> </code></pre> </div> <p>This seemingly innocent configuration creates a production container that includes:</p> <ul> <li>Development dependencies: Testing frameworks, build tools, and development utilities</li> <li>Source code: TypeScript files, component libraries, and documentation</li> <li>Build artifacts: Temporary files, caches, and intermediate compilation outputs</li> <li>System tools: Package managers, compilers, and debugging utilities</li> </ul> <p>The result is a container that's 5–10 times larger than necessary, with a dramatically expanded attack surface and slower deployment cycles.</p> <h2> The Multi-Stage Paradigm Shift </h2> <p>Multi-stage builds represent a fundamental shift in how we think about containerization. Instead of treating Docker as a single-purpose tool, we leverage it as a sophisticated build pipeline that separates concerns between development and production environments.<br> The philosophy is simple: build heavy, ship light.<br> Here's how the same service looks with multi-stage builds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Stage 1: Build Environment</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:18</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="k">RUN </span>npm <span class="nb">install</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span>npm run build <span class="k">RUN </span>npm <span class="nb">test</span> <span class="c"># Stage 2: Production Environment</span> <span class="k">FROM</span><span class="s"> node:18-alpine</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy only production artifacts</span> <span class="k">COPY</span><span class="s"> --from=builder /app/dist ./dist</span> <span class="k">COPY</span><span class="s"> --from=builder /app/package*.json ./</span> <span class="c"># Install only runtime dependencies</span> <span class="k">RUN </span>npm ci <span class="nt">--only</span><span class="o">=</span>production <span class="o">&amp;&amp;</span> npm cache clean <span class="nt">--force</span> <span class="c"># Security hardening</span> <span class="k">RUN </span>addgroup <span class="nt">-g</span> 1001 <span class="nt">-S</span> nodejs <span class="o">&amp;&amp;</span> <span class="se">\ </span> adduser <span class="nt">-S</span> nodejs <span class="nt">-u</span> 1001 <span class="k">USER</span><span class="s"> nodejs</span> <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">CMD</span><span class="s"> ["node", "dist/index.js"]</span> </code></pre> </div> <h2> Quantifying the Impact </h2> <p>The transformation isn't just theoretical. Across multiple client engagements, I've consistently observed significant improvements:<br> Performance Metrics:</p> <ul> <li>Image size reduction: 70–90%</li> <li>Container pull time: 75–85% faster</li> <li>Cold start latency: 40–60% improvement</li> <li>Registry storage costs: 80%+ reduction</li> </ul> <h2> Language-Agnostic Patterns </h2> <p>The multi-stage approach transcends specific technologies. Here's how it applies across different ecosystems:</p> <h3> Go: Maximum Efficiency </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="w"> </span><span class="s">golang:1.21-alpine</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> go.mod go.sum ./</span> <span class="k">RUN </span>go mod download <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span><span class="nv">CGO_ENABLED</span><span class="o">=</span>0 <span class="nv">GOOS</span><span class="o">=</span>linux go build <span class="nt">-a</span> <span class="nt">-installsuffix</span> cgo <span class="nt">-o</span> main . <span class="k">FROM</span><span class="s"> scratch</span> <span class="k">COPY</span><span class="s"> --from=builder /app/main /</span> <span class="k">COPY</span><span class="s"> --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/</span> <span class="k">ENTRYPOINT</span><span class="s"> ["/main"]</span> </code></pre> </div> <p><strong>Result</strong>: A 5MB production image containing only the compiled binary.</p> <h3> Python: Dependency Optimization </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="w"> </span><span class="s">python:3.11</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> requirements.txt .</span> <span class="k">RUN </span>pip <span class="nb">install</span> <span class="nt">--user</span> <span class="nt">-r</span> requirements.txt <span class="k">FROM</span><span class="s"> python:3.11-slim</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> --from=builder /root/.local /root/.local</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="k">ENV</span><span class="s"> PATH=/root/.local/bin:$PATH</span> <span class="k">CMD</span><span class="s"> ["python", "app.py"]</span> </code></pre> </div> <h2> Advanced Optimization Strategies </h2> <h3> Layer Caching Intelligence </h3> <p>Strategic ordering of Dockerfile instructions can dramatically improve build performance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Optimal layer ordering</span> COPY package<span class="k">*</span>.json ./ <span class="c"># Changes infrequently</span> RUN npm <span class="nb">install</span> <span class="c"># Cached until dependencies change</span> COPY <span class="nb">.</span> <span class="nb">.</span> <span class="c"># Changes frequently</span> RUN npm run build <span class="c"># Only runs when code changes</span> </code></pre> </div> <h3> Distroless Images for Ultimate Security </h3> <p>Google's distroless images provide the minimal runtime environment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="w"> </span><span class="s">golang:1.21</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="k">RUN </span>go build <span class="nt">-o</span> main . <span class="k">FROM</span><span class="s"> gcr.io/distroless/base-debian12</span> <span class="k">COPY</span><span class="s"> --from=builder /app/main /</span> <span class="k">ENTRYPOINT</span><span class="s"> ["/main"]</span> </code></pre> </div> <p><strong>Benefits</strong>: No shell, no package manager, minimal attack surface.</p> <h2> Security Implications </h2> <p>Multi-stage builds significantly improve container security posture:</p> <ul> <li> <strong>Reduced Attack Surface</strong>: Eliminate unnecessary tools and dependencies</li> <li> <strong>Principle of Least Privilege</strong>: Production containers contain only runtime requirements</li> <li> <strong>Supply Chain Security</strong>: Minimize third-party components in production images</li> </ul> <h2> Implementation Strategy </h2> <p>Rolling out multi-stage builds across an organization requires thoughtful planning:</p> <h3> Phase 1: Assessment </h3> <p>Audit current image sizes and deployment times<br> Identify services with the largest optimization potential<br> Establish baseline metrics</p> <h3> Phase 2: Pilot Implementation </h3> <p>Select 2–3 non-critical services for initial migration<br> Implement multi-stage builds with comprehensive testing<br> Measure and document improvements</p> <h3> Phase 3: Organization-wide Rollout </h3> <p>Create standardized Dockerfile templates<br> Establish code review guidelines<br> Train development teams on best practices</p> <h2> Common Pitfalls and Solutions </h2> <p><strong>Dependency Mismatches</strong>: Ensure consistency between build and production base images. Use the same Linux distribution and architecture.<br> <strong>Missing Runtime Dependencies</strong>: Carefully audit what libraries your application requires at runtime versus build time.<br> <strong>Build Context Size</strong>: Use .dockerignore to exclude unnecessary files from the build context.</p> <h2> The Future of Container Optimization </h2> <p>As organizations increasingly embrace cloud-native architectures, container efficiency becomes a competitive advantage. Multi-stage builds represent just the beginning of sophisticated container optimization strategies.<br> Emerging trends include:</p> <ul> <li>BuildKit optimizations for parallel build stages</li> <li>Distroless adoption for security-conscious organizations</li> <li>Layer sharing strategies across microservice architectures</li> </ul> <h2> Conclusion </h2> <p>Multi-stage Docker builds aren't just an optimization technique - they're a paradigm shift toward production-aware development practices. By separating build-time and runtime concerns, teams can achieve dramatic improvements in deployment speed, security posture, and operational costs.<br> The question isn't whether to adopt multi-stage builds, but how quickly you can implement them across your infrastructure. In an era where deployment velocity directly impacts business outcomes, this optimization represents one of the highest-impact changes you can make to your development pipeline.<br> Start with your most problematic service - the one with the largest image or slowest deployments. Implement multi-stage builds, measure the results, and watch the transformation ripple across your organization.</p> <p>Have you implemented multi-stage builds in your organization? What challenges did you encounter, and what results did you achieve? Share your experience in the comments.</p> <p>Follow me and subscribe my newsletter <a href="https://thefridaydeployer.substack.com" rel="noopener noreferrer">here</a>, for more insights on cloud-native architecture and DevOps optimization.</p> tutorial devops python learning Claudio Tue, 04 Mar 2025 13:58:50 +0000 https://dev.to/klaus82/how-to-create-a-local-kubernetes-cluster-with-kind-5bfj https://dev.to/klaus82/how-to-create-a-local-kubernetes-cluster-with-kind-5bfj <p>Kubernetes is the de facto standard for container orchestration, but setting up a full-blown Kubernetes cluster can be daunting, especially when you just need a local development environment. Fortunately, <a href="https://kind.sigs.k8s.io/" rel="noopener noreferrer">Kind</a> (Kubernetes IN Docker) offers a lightweight and straightforward solution to spin up a Kubernetes cluster locally using Docker containers. This blog post will walk you through the steps to create and manage a local Kubernetes cluster with Kind.</p> <h3> Prerequisites </h3> <p>Before we dive in, ensure you have the following installed on your machine:</p> <ol> <li> <strong>Docker</strong>: Kind runs Kubernetes clusters inside Docker containers, so Docker needs to be installed and running. You can download Docker from <a href="https://docs.docker.com/get-docker/" rel="noopener noreferrer">here</a>.</li> <li> <strong>Kubectl</strong>: This is the Kubernetes command-line tool that lets you interact with the cluster. You can install it by following the instructions <a href="https://kubernetes.io/docs/tasks/tools/install-kubectl/" rel="noopener noreferrer">here</a>.</li> <li> <strong>Golang:</strong> This is the famous programming language from Google. You can install it by following this <a href="https://go.dev/doc/install" rel="noopener noreferrer">guide</a>.</li> <li> <strong>Kind</strong>: Install Kind by following the instructions below.</li> </ol> <h3> Step 1: Install Kind </h3> <p>You can install Kind by running a simple command after you have <code>Go</code> installed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go <span class="nb">install </span>sigs.k8s.io/kind@v0.27.0 </code></pre> </div> <p>Alternatively, you can download a pre-built binary:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-Lo</span> ./kind &lt;https://kind.sigs.k8s.io/dl/v0.27.0/kind-linux-amd64&gt; <span class="nb">chmod</span> +x ./kind <span class="nb">sudo mv</span> ./kind /usr/local/bin/kind </code></pre> </div> <p>For macOS users, the easiest way is through Homebrew:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>kind </code></pre> </div> <h3> Step 2: Create a Kubernetes Cluster with Kind </h3> <p>Once Kind is installed, you can create a Kubernetes cluster with a single command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kind create cluster </code></pre> </div> <p>This command creates a local Kubernetes cluster named <code>kind</code>. The default configuration spins up a single control-plane node.</p> <p>If you want to create a cluster with a specific name, you need to run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kind create cluster <span class="nt">--name</span> &lt;cluster-name&gt; </code></pre> </div> <p>From your shell you can see this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcne7zaus6osknvwm5xtb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcne7zaus6osknvwm5xtb.png" alt=" " width="800" height="468"></a></p> <h3> Step 3: Interact with Your Cluster </h3> <p>After creating the cluster, Kind automatically configures your <code>kubectl</code> context to point to the new cluster. You can verify that your cluster is up and running by checking the nodes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get nodes </code></pre> </div> <p>You should see the control plane and any worker nodes you defined in your configuration file.</p> <h3> Step 4: Deploying Applications </h3> <p>Now that your cluster is up and running, you can deploy applications just like in any Kubernetes environment. For example, to deploy a simple Nginx server, you can use the following commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create deployment nginx <span class="nt">--image</span><span class="o">=</span>nginx kubectl expose deployment nginx <span class="nt">--port</span><span class="o">=</span>80 <span class="nt">--type</span><span class="o">=</span>NodePort </code></pre> </div> <p>This will create an Nginx deployment and expose it via a NodePort service. You can get the service details with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get svc nginx </code></pre> </div> <p>You can use <code>curl</code> on the host machine to access the service, pointing to the appropriate port:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffgzw7e8ss7a0zxs0yc0t.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffgzw7e8ss7a0zxs0yc0t.png" alt=" " width="800" height="95"></a></p> <h3> Step 5: Managing Your Cluster </h3> <h3> Deleting the Cluster </h3> <p>When you're done with the cluster, you can delete it with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kind delete cluster </code></pre> </div> <p>This command stops and removes all Docker containers associated with the Kind cluster.</p> <h3> Customizing Your Cluster </h3> <p>You can customize the cluster by providing a configuration file. For example, you can create a multi-node cluster with the following configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># cluster-config.yaml</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Cluster</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kind.x-k8s.io/v1alpha4</span> <span class="na">nodes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">control-plane</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">worker</span> <span class="pi">-</span> <span class="na">role</span><span class="pi">:</span> <span class="s">worker</span> </code></pre> </div> <p>Create a cluster using this configuration file with the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kind create cluster <span class="nt">--config</span><span class="o">=</span>cluster-config.yaml </code></pre> </div> <h3> Creating Multiple Clusters </h3> <p>If you need multiple clusters for testing or development, Kind makes it easy. Just specify different names when creating the clusters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kind create cluster <span class="nt">--name</span><span class="o">=</span>cluster1 kind create cluster <span class="nt">--name</span><span class="o">=</span>cluster2 </code></pre> </div> <p>You can switch between clusters using <code>kubectl</code> contexts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl config use-context kind-cluster1 </code></pre> </div> <h3> Step 6: Advanced Configuration </h3> <p>Kind allows you to tweak more advanced settings, such as Kubernetes versions, networking, and storage. For example, to create a cluster with a specific Kubernetes version:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kind create cluster <span class="nt">--image</span> kindest/node:v1.24.0 </code></pre> </div> <p>This is useful If you want to test your software on different Kebernetes versions. My suggestion is to create a configuration file for each test so you can recreate your cluster anytime, something like of Infrastructure as Code for your local cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># cluster-config-1.21.14.yaml</span> kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: - role: control-plane image: kindest/node:v1.21.14 - role: worker image: kindest/node:v1.21.14 - role: worker image: kindest/node:v1.21.14 </code></pre> </div> <p>You can also configure port forwarding, mount directories, or adjust resource limits through the Kind configuration file. The <a href="https://kind.sigs.k8s.io/docs/user/quick-start/" rel="noopener noreferrer">Kind documentation</a> provides a comprehensive list of all available options.</p> <h3> Troubleshooting </h3> <h3> Common Issues </h3> <ul> <li> <strong>Docker Daemon Not Running</strong>: Ensure Docker is installed and running on your machine. You can check the status with <code>docker ps</code>.</li> <li> <strong>Insufficient Resources</strong>: Running multiple nodes requires sufficient CPU and memory. If the cluster fails to start, try reducing the number of nodes or increasing Docker's resource allocation.</li> </ul> <h3> Logs and Diagnostics </h3> <p>To troubleshoot issues, you can inspect the logs for the Kind cluster nodes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker logs &lt;container_id&gt; </code></pre> </div> <p>Additionally, you can use <code>kubectl</code> commands like <code>kubectl describe</code> and <code>kubectl logs</code> to diagnose issues within the Kubernetes cluster.</p> <h3> Conclusion </h3> <p>Kind is a powerful tool that simplifies the creation and management of local Kubernetes clusters. Whether you are developing, testing, or learning Kubernetes, Kind provides an accessible and efficient way to work with Kubernetes clusters locally. By following this guide, you should be able to set up a local Kubernetes environment tailored to your needs, helping you to streamline your development workflow.</p> <p>Do you find this guide useful? If yes, please consider leaving a comment, a reaction or supporting my work by <a href="http://buymeacoffee.com/klaus82" rel="noopener noreferrer">buying me a coffee</a>.</p> kubernetes devops development Claudio Thu, 23 Jan 2025 15:52:39 +0000 https://dev.to/klaus82/blue-green-and-canary-deployments-a-deep-dive-into-modern-deployment-strategies-48ci https://dev.to/klaus82/blue-green-and-canary-deployments-a-deep-dive-into-modern-deployment-strategies-48ci <p>Software deployment has evolved significantly from the days of scheduled downtime and big-bang releases. Today's users expect services to be available 24/7, and businesses need to deploy new features and fixes continuously without disrupting their operations. In this post I want to explore two sophisticated deployment strategies that help achieve these goals: Blue-Green and Canary deployments.</p> <h2> Blue-Green Deployment: The Two-Environment Approach </h2> <p>Imagine you're performing heart surgery, but instead of operating on a beating heart, you could build a new heart alongside the existing one and simply switch over when ready. This is essentially what blue-green deployment does for your application.</p> <h3> The Core Mechanism </h3> <p>In a blue-green setup, you can maintain two identical production environments: blue and green. At any given time, only one environment serves production traffic. Let's say the blue environment is currently live. When we want to deploy a new version, we:</p> <ol> <li>Deploy the new version to the green environment</li> <li>Run tests and verify the green environment</li> <li>Switch the router/load balancer to direct traffic to green</li> <li>Keep blue as a fallback for quick rollback if needed</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqfut9xwaim8cgpq1likb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqfut9xwaim8cgpq1likb.png" alt="Blue-green deployment" width="800" height="387"></a></p> <p>Here's a code example showing how this might be implemented using Kubernetes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Blue deployment apiVersion: apps/v1 kind: Deployment metadata: name: myapp-blue spec: replicas: 3 selector: matchLabels: app: myapp version: blue template: metadata: labels: app: myapp version: blue spec: containers: - name: myapp image: myapp:1.0 --- # Green deployment apiVersion: apps/v1 kind: Deployment metadata: name: myapp-green spec: replicas: 3 selector: matchLabels: app: myapp version: green template: metadata: labels: app: myapp version: green spec: containers: - name: myapp image: myapp:2.0 --- # Service (router) apiVersion: v1 kind: Service metadata: name: myapp-service spec: selector: app: myapp version: blue # Switch this to 'green' to route traffic ports: - port: 80 targetPort: 8080 </code></pre> </div> <h2> Canary Deployment: The Gradual Revolution </h2> <p>While blue-green deployment is an all-or-nothing switch, canary deployment takes a more gradual approach. The term comes from the historical practice of using canary birds in coal mines to detect dangerous gases – if the canary died, the miners knew to evacuate.</p> <h3> Implementation Details </h3> <p>In a canary deployment, we:</p> <ol> <li>Deploy the new version alongside the old version</li> <li>Route a small percentage of traffic to the new version</li> <li>Gradually increase the traffic if metrics look good</li> <li>Roll back if we detect issues</li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F40kdcyslhg10xstwlild.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F40kdcyslhg10xstwlild.png" alt="Canary deployment" width="800" height="718"></a></p> <p>Here's an example using an Istio VirtualService to implement canary routing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: myapp-vsvc spec: hosts: - myapp.example.com http: - route: - destination: host: myapp-stable subset: v1 weight: 90 - destination: host: myapp-canary subset: v2 weight: 10 </code></pre> </div> <h2> Comparing the Strategies </h2> <p>Both strategies have their place in modern deployment practices. Blue-green deployment offers simplicity and quick rollback but requires more resources. Canary deployment provides more granular control and risk management but needs more sophisticated monitoring and traffic management.</p> <p>Consider using blue-green deployment when:</p> <ul> <li>You need atomic upgrades</li> <li>Your application is stateless</li> <li>You can afford double the infrastructure</li> </ul> <p>Choose canary deployment when:</p> <ul> <li>You want to test new features with real users</li> <li>You need fine-grained control over the rollout</li> <li>You have strong monitoring capabilities</li> </ul> <h2> Looking Ahead </h2> <p>As we move towards more sophisticated deployment strategies, we're seeing the emergence of hybrid approaches. For instance, using canary deployment within a blue-green setup, or implementing feature flags alongside these deployment strategies for even more fine-grained control.</p> <p>The future likely holds more automated and intelligent deployment strategies, possibly using machine learning to automatically detect and respond to deployment issues, and making deployment decisions based on real-time user behavior and system metrics.</p> <p>The key takeaway is that these deployment strategies aren't just technical implementations – they're fundamental building blocks of modern software delivery that enable businesses to move faster while maintaining stability. Understanding and implementing them effectively is crucial for any organization practicing continuous delivery.</p> devops Claudio Wed, 03 Jan 2024 19:50:53 +0000 https://dev.to/klaus82/role-and-skills-of-a-mlops-engineer-45al https://dev.to/klaus82/role-and-skills-of-a-mlops-engineer-45al <p>Machine Learning Operations (MLOps) is an emerging discipline that aims to integrate the practices of machine learning and operations to streamline the end-to-end process of developing, deploying, and managing ML models.<br> The role of the MLOps engineer is crucial in bridging the gap between machine learning (ML) development and production deployment to have smooth and efficient deployment, scaling, and maintenance of machine learning (ML) models. In this post, I want to give an overview of the key responsibilities and activities associated with the role:</p> <ol> <li><strong>Model Deployment:</strong></li> </ol> <ul> <li>Collaborate with data scientists to deploy machine learning models into production environments.</li> <li>Implement deployment strategies such as A/B testing or canary releases to ensure safe and controlled rollouts.</li> </ul> <ol> <li><strong>Infrastructure Management:</strong></li> </ol> <ul> <li>Design and manage the infrastructure required for hosting ML models, including cloud resources and on-premises servers.</li> <li>Utilize containerization technologies like Docker to package models and dependencies.</li> </ul> <ol> <li><strong>Continuous Integration/Continuous Deployment (CI/CD):</strong></li> </ol> <ul> <li>Develop and maintain CI/CD pipelines for automating the testing, integration, and deployment of ML models.</li> <li>Implement version control to track changes in both code and model artifacts.</li> </ul> <ol> <li><strong>Monitoring and Logging:</strong></li> </ol> <ul> <li>Establish monitoring solutions to track the performance and health of deployed models.</li> <li>Set up logging mechanisms to capture relevant information for debugging and auditing purposes.</li> </ul> <ol> <li><strong>Scalability and Resource Optimization:</strong></li> </ol> <ul> <li>Optimize ML infrastructure for scalability and cost-effectiveness.</li> <li>Implement auto-scaling mechanisms to handle varying workloads efficiently.</li> </ul> <ol> <li><strong>Security and Compliance:</strong></li> </ol> <ul> <li>Enforce security best practices to safeguard both the models and the data they process.</li> <li>Ensure compliance with industry regulations and data protection standards.</li> </ul> <ol> <li><strong>Data Management:</strong></li> </ol> <ul> <li>Oversee the management of data pipelines and data storage systems required for model training and inference.</li> <li>Implement data versioning and lineage tracking to maintain data integrity.</li> </ul> <ol> <li><strong>Collaboration with Cross-Functional Teams:</strong></li> </ol> <ul> <li>Work closely with data scientists, software engineers, and other stakeholders to understand model requirements and system constraints.</li> <li>Collaborate with DevOps teams to align MLOps practices with broader organizational goals.</li> </ul> <ol> <li><strong>Performance Optimization:</strong></li> </ol> <ul> <li>Continuously optimize and fine-tune ML models for better performance.</li> <li>Identify and address bottlenecks in the system to enhance overall efficiency.</li> </ul> <ol> <li><strong>Documentation:</strong></li> </ol> <ul> <li>Maintain comprehensive documentation for deployment processes, configurations, and system architecture.</li> <li>Communicate effectively with non-technical stakeholders, providing insights into the performance and impact of ML models.</li> </ul> <p>The MLOps engineer acts as a bridge between data science and operations, ensuring that machine learning models are not only accurate during development but also robust and scalable in real-world production scenarios. By combining technical expertise with collaboration skills, MLOps engineers contribute to the successful deployment and ongoing management of ML systems in a way that aligns with organizational goals and industry standards.</p> <h3> What are the skills of an MLOps engineer? </h3> <p>Here's a comprehensive list:</p> <ol> <li><strong>Understanding of Machine Learning and Data Science:</strong></li> </ol> <ul> <li>Knowledge of machine learning algorithms, models, and statistical concepts.</li> <li>Familiarity with data preprocessing, feature engineering, and model evaluation.</li> </ul> <ol> <li><strong>Programming Skills:</strong></li> </ol> <ul> <li>Proficiency in programming languages commonly used in data science and MLOps, such as Python, R, or Julia.</li> <li>Experience with version control systems like Git.</li> </ul> <ol> <li><strong>Cloud Computing:</strong></li> </ol> <ul> <li>Expertise in cloud platforms such as AWS, Azure, or Google Cloud Platform.</li> <li>Knowledge of deploying and managing machine learning models in cloud environments.</li> </ul> <ol> <li><strong>Containerization and Orchestration:</strong></li> </ol> <ul> <li>Experience with containerization tools like Docker.</li> <li>Knowledge of container orchestration tools like Kubernetes for managing and scaling containers.</li> </ul> <ol> <li><strong>DevOps Practices:</strong></li> </ol> <ul> <li>Understanding of continuous integration and continuous deployment (CI/CD) pipelines.</li> <li>Familiarity with infrastructure as code (IaC) tools like Terraform or CloudFormation.</li> </ul> <ol> <li><strong>Data Management:</strong></li> </ol> <ul> <li>Proficiency in working with databases and data storage solutions.</li> <li>Knowledge of data versioning and lineage tracking.</li> </ul> <ol> <li><strong>Monitoring and Logging:</strong></li> </ol> <ul> <li>Ability to implement monitoring solutions for tracking model performance and system health.</li> <li>Familiarity with logging tools for capturing relevant information during model inference.</li> </ul> <ol> <li><strong>Security:</strong></li> </ol> <ul> <li>Understanding of security best practices for machine learning systems.</li> <li>Knowledge of encryption, access control, and data privacy regulations.</li> </ul> <ol> <li><strong>Collaboration and Communication:</strong></li> </ol> <ul> <li>Effective communication skills to collaborate with data scientists, engineers, and other stakeholders.</li> <li>Ability to document and articulate technical concepts clearly for diverse audiences.</li> </ul> <ol> <li><strong>Problem-Solving Skills:</strong></li> </ol> <ul> <li>Strong analytical and problem-solving skills to troubleshoot issues in both the model and infrastructure.</li> <li>Capacity to optimize and fine-tune models for performance improvements.</li> </ul> <ol> <li><strong>Agile Methodologies:</strong></li> </ol> <ul> <li>Experience working in an Agile development environment.</li> <li>Adaptability to changing requirements and priorities.</li> </ul> <ol> <li><strong>Automation:</strong></li> </ol> <ul> <li>Proficiency in scripting and automation to streamline repetitive tasks.</li> <li>Knowledge of configuration management tools like Ansible.</li> </ul> <p>These skills collectively enable an MLOps engineer to effectively deploy, monitor, and maintain machine learning models in production environments. A successful MLOps engineer possesses technical expertise and excels in communication and collaboration to ensure seamless integration between data science and operations teams.</p> <p>If you like this post consider following my newsletter <a href="https://mlopsnotes.substack.com/" rel="noopener noreferrer">here</a> or supporting me:</p> <p><a href="https://www.buymeacoffee.com/klaus82" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhhrp6lgp4d6nbc63se27.png" alt="Buy me a coffee" width="800" height="224"></a></p> mlops machinelearning devops ai