7 best practices for operating containers

Below are some of the best practices for operating containers proposed by Google. These can serve as a blueprint for ensuring resilient solutions.

  1. Use the native logging mechanisms of containers
    • JSON logs
    • Log aggregator sidecar pattern
  2. Ensure that containers are stateless and immutable
  3. Avoid privileged containers
  4. Make the application easy to monitor
    • Metrics HTTP endpoint
    • Sidecar pattern for monitoring
  5. Expose the health of your application
    • Liveness probe
    • Readiness probe
  6. Avoid running as root
  7. Carefully choose the image version

For full details of each line item check this link:


Kubernetes Cheat Sheet

Below is a list of common and useful commands for working with Kubernetes.

Note: appending -o wide to some of the commands below will provide more details.

Get all nodes in a cluster

kubectl get nodes
kubectl get nodes -o wide

Get all services in a cluster

kubectl get services

Get all pods in a cluster

kubectl get pods

Create a resource (Deployment, Service)

kubectl create -f <resource.yaml>

Modify a resource

kubectl apply -f <resource.yaml>

Get into a pod with ‘bash’ command

kubectl exec -it <podid> -- bash


Get secrets

kubectl get secrets

Create secrets

From string literals:

kubectl create secret generic myunsafesecret --from-literal=password=Password123

From file:

# Create files
echo -n 'admin' > ./username.txt
echo -n '1f2d1e2e67df' > ./password.txt

kubectl create secret generic db-user-pass --from-file=./username.txt --from-file=./password.txt

From yaml resource:

# Content of secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  # values under data must be base64-encoded
  username: {{username}}
  password: {{password}}

kubectl create -f ./secret.yaml

Ref: https://kubernetes.io/docs/concepts/configuration/secret/
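
The {{username}} and {{password}} placeholders in secret.yaml have to be filled with the base64 of the exact secret bytes. The script below is an added example, not part of the original post: it renders the manifest from the two files and refuses a file that ends with a newline, which is what echo without -n would produce. The function names (b64_file, ends_with_newline, render_secret, demo) are hypothetical, and the sample values are constructed to match the page's username.txt and password.txt.

```shell
# Added example: render a Secret manifest from files (hypothetical helper names).
# b64_file FILE: base64 of the file's exact bytes, on a single line.
b64_file() {
    base64 < "$1" | tr -d '\n'
}

# ends_with_newline FILE: succeeds when the last byte is a newline. That byte
# would silently become part of the stored secret value.
ends_with_newline() {
    [ -s "$1" ] && [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# render_secret NAME USERFILE PASSFILE: print the manifest on stdout.
render_secret() {
    for f in "$2" "$3"; do
        if ends_with_newline "$f"; then
            echo "refusing: $f ends with a newline" >&2
            return 1
        fi
    done
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  username: $(b64_file "$2")
  password: $(b64_file "$3")
EOF
}

# Constructed sample input; files are created readable by the owner only.
demo() {
    dir=$(mktemp -d) || return 1
    ( umask 077
      printf '%s' 'admin' > "$dir/username.txt"
      printf '%s' '1f2d1e2e67df' > "$dir/password.txt" )
    render_secret mysecret "$dir/username.txt" "$dir/password.txt"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

The output can be piped to kubectl apply -f - so the values never appear on the command line or in shell history. base64 is an encoding, not encryption, so the rendered manifest is as sensitive as the plaintext files.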


Get storage classes

kubectl get sc

Get persistent volumes

kubectl get pv

Get persistent volume claims

kubectl get pvc


Get deployments

kubectl get deploy

Get deployment details

kubectl describe deploy <deploymentname>

Get replica sets

kubectl get rs -o wide

Get deployment rollout status

kubectl rollout status deploy <deploymentname>

Get deployment rollout history

kubectl rollout history deploy <deploymentname>

Tip: Adding the --record flag to kubectl apply stores the command on the object, so that it appears under CHANGE-CAUSE in the rollout history.

Get details for a particular deployment revision

kubectl rollout history deploy <deploymentname> --revision=<revisionnumber>

Rollback a deployment

kubectl rollout undo deploy <deploymentname>

Tip: It is better to avoid this rollback mechanism and instead downgrade the version in the deployment.yaml itself and re-apply it with “kubectl apply”. The “imperative” way can leave the environment inconsistent: the version of the running container instance no longer matches the YAML manifest, and any redeployment could accidentally deploy an unwanted version. The “declarative” approach is preferred.


Get snapshot logs for a particular pod with only one container

kubectl logs <podname>

Run kubectl logs -h for all options

Ref: https://kubernetes.io/docs/concepts/cluster-administration/logging/


Run a container directly

kubectl run -i --tty <name> --image=<imagename> <command>
kubectl run -i --tty loader --image=busybox /bin/sh

Note: This command will create a pod and run the container inside it. If “--replicas=<number>” is used, it will also create a replication controller in the cluster, which will monitor the pod. This is useful when testing (e.g. hitting a service and generating load, checking the service/pod network, etc.).

Summary and References

This post contains a list of commonly used commands when interacting with a Kubernetes cluster. Shout out to @nigelpoulton and his great ACG course: “Kubernetes Deep Dive”. Also, here is a far better Cheat Sheet from the original Kubernetes team.