Best practices and guidelines for launching containers and Kubernetes in production environments


The container technology ecosystem is developing and changing rapidly, so established working practices are still scarce. Nevertheless, Kubernetes and containers are used more and more often, both for modernizing legacy applications and for building cloud-native ones.

The Mail.ru Kubernetes aaS team has gathered forecasts, tips and best practices from market leaders such as Gartner, 451 Research and StackRox. They will help you adopt containers in production environments and do it faster.

How to tell whether your company is ready to run containers in production


According to Gartner, by 2022 more than 75% of organizations will run containerized applications in production, up from less than 30% of companies today.

According to 451 Research, the market for container technologies will reach $4.3 billion in 2022, more than double the 2019 figure, at a growth rate of 30%.

In a survey by Portworx and Aqua Security, 87% of respondents said they currently use container technology, compared with 55% in 2017.

Despite growing interest and adoption, launching containers into production still requires preparation, because the technology is immature and know-how is scarce. Organizations must look realistically at which business processes actually require application containerization, and IT leaders should assess whether they have the skills to move forward and how quickly their teams can acquire them.

Gartner experts believe that the questions in the figure below will help you understand if you are ready to deploy containers in production:


The most common mistakes when using containers in production


Organizations often underestimate the effort required to operate containers in production. Gartner has identified several common mistakes in customer scenarios when running containers in production environments:


How to ensure container security


Security cannot be dealt with "later". It must be built into the DevOps process; hence the term DevSecOps. Organizations need to plan protection of the container environment across the entire development life cycle: the build and development process, deployment, and running of the application.

Recommendations from Gartner

  1. / (CI/CD). . , . — .
  2. Center for Internet Security (CIS), Docker, Kubernetes.
  3. Be sure to apply access control, provide separation of duties, and implement a security management policy. Sensitive information such as Secure Sockets Layer (SSL)/TLS private keys or database credentials should be managed by the orchestrator or a third-party secrets management service, stored encrypted, and supplied to the application only at run time. Note that Kubernetes stores Secrets in etcd only base64-encoded unless encryption at rest is enabled on the API server, so enable it or use an external secrets manager.
  4. Avoid privileged containers by enforcing security policies (for example, an admission control policy that rejects privileged containers); this reduces the potential impact of a compromise.
  5. Use security tools that provide whitelisting, behavioral monitoring and anomaly detection to prevent malicious activity.
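The contrast between an insecure and a hardened pod specification, following Gartner's points 3 and 4 above, as an added example that is not part of the original article or of any Gartner material. The namespace "shop", the Secret name "orders-db", the image name and the placeholder password are assumptions for illustration:

```yaml
# Added example. A Secret holding a constructed placeholder credential; Kubernetes
# injects it into the pod at run time instead of baking it into the image.
apiVersion: v1
kind: Secret
metadata:
  name: orders-db              # assumed name
  namespace: shop              # assumed namespace
type: Opaque
stringData:
  password: "change-me"        # constructed placeholder, never commit real values
---
# Weak: root, privileged, and a credential hard-coded in the pod spec
# (visible to anyone who can read the Pod object).
apiVersion: v1
kind: Pod
metadata:
  name: orders-weak
  namespace: shop
spec:
  containers:
    - name: app
      image: registry.example.com/orders:1.0   # assumed image
      env:
        - name: DB_PASSWORD
          value: "change-me"                   # hard-coded secret
      securityContext:
        privileged: true                       # full host access if compromised
---
# Hardened: non-root user, no privilege escalation, all capabilities dropped,
# read-only root filesystem, default seccomp profile, and the credential
# mounted read-only from the Secret object at run time.
apiVersion: v1
kind: Pod
metadata:
  name: orders-hardened
  namespace: shop
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example.com/orders:1.0   # assumed image
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: db-creds
          mountPath: /var/run/secrets/db       # app reads /var/run/secrets/db/password
          readOnly: true
        - name: tmp
          mountPath: /tmp                      # writable scratch space, nothing else
  volumes:
    - name: db-creds
      secret:
        secretName: orders-db
    - name: tmp
      emptyDir: {}
```

Mounting the Secret as a file rather than an environment variable keeps it out of `kubectl exec env` output and child-process environments; the hardened spec still relies on encryption at rest being configured on the API server, which the manifest itself cannot enforce.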

Recommendations from StackRox:

  1. Kubernetes. , . , , . , . . 
  2. . , , , « » . , .
  3. Define network policies: isolate pods to restrict access to them; explicitly allow Internet access only to those pods that need it, selecting them by labels; explicitly allow communication only between those pods that need to talk to each other.

How to organize monitoring of containers and the services in them


Security and monitoring are companies' main concerns when deploying Kubernetes clusters. Developers are always more focused on the features of the applications they build than on monitoring those applications.

Recommendations from Gartner:

  1. Monitor the state of containers and the services inside them together with the host systems, not in isolation.
  2. Prefer vendors and tools with deep integration into container orchestration, especially Kubernetes.
  3. Choose tools that provide detailed logging, automatic service discovery and real-time recommendations based on analytics and/or machine learning.

The SolarWinds blog advises:

  1. Use tools that automatically discover containers and collect their metrics, and correlate performance metrics such as CPU, memory and uptime.
  2. Ensure sound capacity planning by predicting when capacity will be exhausted based on container monitoring data.
  3. , , , , .
  4. , .
  5. , , , .
  6. , (, ) , , .


As the number of stateful containers grows, customers need to consider storing data outside the host and protecting that data.

According to a survey by Portworx and Aqua Security, data security tops the list of security concerns, cited by a majority of respondents (61%).

Data encryption is the main security strategy (64%), but respondents also use runtime monitoring (49%), registry vulnerability scanning (49%), vulnerability scanning in CI/CD pipelines (49%) and blocking of anomalies via runtime protection (48%).

Recommendations from Gartner:

  1. , . , , , API, ,  .
  2. . , Kubernetes , CSI (Container Storage Interfaces).


The traditional corporate network model, in which IT staff create separate network environments for development, testing, QA and production for each project, does not always fit a continuous delivery workflow. In addition, container networks span several layers.

The Magalix blog has compiled the high-level rules that any cluster networking solution must comply with:

  1. Pods must be able to communicate with all other pods, whether on the same node or on other nodes, without NAT (network address translation).
  2. All system daemons (background processes such as the kubelet) running on a node can communicate with the pods running on that node.
  3. Pods that use the host network must be able to communicate with all pods on all nodes without NAT. Note that host networking is supported only on Linux hosts.

Networking solutions must be tightly integrated with Kubernetes primitives and policies. IT executives should aim for a high degree of network automation and give developers the right tools and enough flexibility.

Recommendations from Gartner:

  1. Check whether your CaaS (container as a service) platform or SDN (software-defined network) supports Kubernetes networking. If it does not, or the support is insufficient, pick a Container Network Interface (CNI) plugin that provides the functionality and policies you need.
  2. , CaaS PaaS ( ) / , . , service mesh.
  3. Linux , .


For automated and uninterrupted application delivery, container orchestration needs to be complemented with other automation tools, such as infrastructure as code (IaC) products: Chef, Puppet, Ansible and Terraform.

Automation tools for building and releasing applications are also required (see Gartner's "Magic Quadrant for Application Release Orchestration"). Containers also bring the same kind of sprawl that appeared with virtual machines (VMs), so IT managers need container lifecycle management tools.

Recommendations from Gartner:

  1. , .
  2. , , .
  3. CaaS , .


The key functionality for deploying containers is provided at the orchestration and scheduling layers. The scheduler places containers on the most suitable hosts in the cluster according to the requirements set by the orchestration layer.

Kubernetes has become the de facto standard for container orchestration, with an active community and support from most leading commercial vendors.

Recommendations from Gartner:

  1. Define your basic requirements for security controls, monitoring, policy management, data storage, networking and container lifecycle management.
  2. Based on these requirements, select the tool that best fits your needs and usage scenarios.
  3. Gartner (. « Kubernetes»), Kubernetes .
  4. , , .


Gartner believes that interest in deploying containers in public IaaS clouds is growing thanks to the availability of ready-made CaaS offerings and their close integration with the cloud providers' other products.

IaaS clouds offer on-demand resource consumption, fast scaling and managed services that remove the need for deep knowledge of the infrastructure and its maintenance. Most cloud providers offer container management services, and some offer several orchestration options.

The key cloud providers of managed container services are listed in the table:

Cloud provider            | Type of service      | Product / Service
Alibaba                   | Native cloud service | Alibaba Cloud Container Service, Alibaba Cloud Container Service for Kubernetes
Amazon Web Services (AWS) | Native cloud service | Amazon Elastic Container Service (ECS), Amazon Elastic Container Service for Kubernetes (EKS), AWS Fargate
Giant Swarm               | MSP                  | Giant Swarm Managed Kubernetes Infrastructure
Google                    | Native cloud service | Google Kubernetes Engine (GKE)
IBM                       | Native cloud service | IBM Cloud Kubernetes Service
Microsoft                 | Native cloud service | Azure Kubernetes Service (AKS), Azure Service Fabric
Oracle                    | Native cloud service | OCI Container Engine for Kubernetes
Platform9                 | MSP                  | Managed Kubernetes
Red Hat                   | Hosted service       | OpenShift Dedicated & Online
VMware                    | Hosted service       | VMware Cloud PKS (Beta)
Mail.ru Cloud Solutions*  | Native cloud service | Mail.ru Cloud Containers

* Let's not hide it, we added ourselves here during the translation :)

Public cloud providers also keep adding new features and releasing on-premises products. In the near future, cloud providers will extend their support for hybrid and multi-cloud environments.

Gartner recommendations:

  1. Objectively assess your organization's ability to deploy and manage the appropriate tools, and consider cloud-based container management services as an alternative.
  2. Choose your software carefully and use open source where possible.
  3. Prefer vendors with a single operating model across hybrid environments, offering integrated cluster management from a single console, as well as providers that make it easy to use their IaaS on its own.

Some tips for choosing a Kubernetes-as-a-service provider from the Replex blog:

  1. Look for distributions that support high availability out of the box: multi-master setups, a highly available etcd, and backup and restore.
  2. For portability between Kubernetes environments, prefer providers that support a wide range of deployment models, from on-premises to hybrid and multi-cloud.
  3. Evaluate offerings for ease of setup, installation and cluster creation, as well as updates, monitoring and troubleshooting. The basic requirement is fully automated, zero-downtime cluster updates; the solution should also let you run updates manually.
  4. , . , Kubernetes , . RBAC .
  5. , , , CNI, Flannel, Calico, kube-router OVN.

Running containers in production is becoming the main focus, as shown by a poll taken at the Gartner Infrastructure, Operations and Cloud Strategies (IOCS) conference in December 2018:


As the poll shows, 27% of respondents already use containers and 63% plan to.

In the Portworx and Aqua Security survey, 24% of respondents said they spend more than half a million dollars a year on container technology, and 17% spend more than a million.

This article was prepared by the Mail.ru Cloud Solutions cloud platform team.
