Prepare Your Application

To make the most out of Compliant Kubernetes, prepare your application so it features:

• some REST endpoints: NodeJS, .NET;
• structured logging: NodeJS, .NET;
• metrics endpoint: NodeJS, .NET;
• Dockerfile, which showcases:
  • How to run as non-root: NodeJS, .NET;
• Helm Chart, which showcases:
  • HTTPS Ingresses;
  • ServiceMonitor for metrics collection;
  • PrometheusRule for alerting;
  • topologySpreadConstraints for tolerating single Node or single Zone failure;
  • resources for capacity management;
  • NetworkPolicies for network segmentation;
• Grafana dashboards for metrics visualization;
• script for local development and testing;

Bonus:

• ability to make it crash (/crash).

Feel free to clone our user demo for inspiration:

git clone https://github.com/elastisys/compliantkubernetes/
cd compliantkubernetes/user-demo

Make Sure Your Application Tolerates Nodes Replacement

Important

This section helps you implement ISO 27001, specifically:

• A.12.6.1 Management of Technical Vulnerabilities

Compliant Kubernetes recommends against PodDisruptionBudgets (PDBs). PDBs can easily be misconfigured to block draining Nodes, which interferes with automatic OS patching and compromises the security posture of the environment. Instead, prefer engineering your application to deal with disruptions. The user demo already showcases how to achieve this with replication and topologySpreadConstraints. Make sure to move state, even soft state, to specialized services.

Further reading:

• Dealing with Disruptions