284 lines
4.6 KiB
Markdown
284 lines
4.6 KiB
Markdown
# Kubernetes Migration Guide
|
|
|
|
**Date**: 2025-01-27
|
|
**Purpose**: Guide for migrating projects to shared Kubernetes clusters
|
|
**Status**: Complete
|
|
|
|
---
|
|
|
|
## Overview
|
|
|
|
This guide provides instructions for migrating projects to shared Kubernetes clusters with namespace isolation.
|
|
|
|
---
|
|
|
|
## Prerequisites
|
|
|
|
- Access to shared Kubernetes cluster
|
|
- kubectl configured
|
|
- Appropriate RBAC permissions
|
|
- Project containerized (Docker/Kubernetes manifests)
|
|
|
|
---
|
|
|
|
## Migration Steps
|
|
|
|
### Step 1: Prepare Namespace
|
|
|
|
Create namespace using Terraform module:
|
|
|
|
```hcl
|
|
module "namespace" {
|
|
source = "../../infrastructure/terraform/modules/kubernetes/namespace"
|
|
|
|
name = "my-project"
|
|
|
|
labels = {
|
|
app = "my-project"
|
|
env = "production"
|
|
managed = "terraform"
|
|
}
|
|
|
|
resource_quota = {
|
|
"requests.cpu" = "4"
|
|
"requests.memory" = "8Gi"
|
|
"limits.cpu" = "8"
|
|
"limits.memory" = "16Gi"
|
|
}
|
|
}
|
|
```
|
|
|
|
Or create manually:
|
|
|
|
```bash
|
|
kubectl create namespace my-project
|
|
kubectl label namespace my-project app=my-project env=production
|
|
```
|
|
|
|
### Step 2: Update Kubernetes Manifests
|
|
|
|
#### Update Namespace References
|
|
|
|
**Before**:
|
|
```yaml
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: my-project
|
|
```
|
|
|
|
**After**: Remove namespace creation (managed by Terraform)
|
|
|
|
#### Update Resource Requests/Limits
|
|
|
|
Ensure resources match namespace quotas:
|
|
|
|
```yaml
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
limits:
|
|
cpu: 500m
|
|
memory: 512Mi
|
|
```
|
|
|
|
### Step 3: Configure Ingress
|
|
|
|
Use shared ingress controller:
|
|
|
|
```yaml
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: Ingress
|
|
metadata:
|
|
name: my-project
|
|
namespace: my-project
|
|
annotations:
|
|
kubernetes.io/ingress.class: nginx
|
|
cert-manager.io/cluster-issuer: letsencrypt-prod
|
|
spec:
|
|
tls:
|
|
- hosts:
|
|
- my-project.example.com
|
|
secretName: my-project-tls
|
|
rules:
|
|
- host: my-project.example.com
|
|
http:
|
|
paths:
|
|
- path: /
|
|
pathType: Prefix
|
|
backend:
|
|
service:
|
|
name: my-project
|
|
port:
|
|
number: 80
|
|
```
|
|
|
|
### Step 4: Configure Secrets
|
|
|
|
Use shared Key Vault or Kubernetes secrets:
|
|
|
|
```yaml
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: my-project-secrets
|
|
namespace: my-project
|
|
type: Opaque
|
|
stringData:
|
|
database-url: "postgresql://..."
|
|
api-key: "..."
|
|
```
|
|
|
|
### Step 5: Deploy Application
|
|
|
|
```bash
|
|
# Apply manifests
|
|
kubectl apply -f k8s/ -n my-project
|
|
|
|
# Verify deployment
|
|
kubectl get pods -n my-project
|
|
kubectl get services -n my-project
|
|
kubectl get ingress -n my-project
|
|
```
|
|
|
|
---
|
|
|
|
## Namespace Isolation
|
|
|
|
### Resource Quotas
|
|
|
|
Enforced at namespace level:
|
|
|
|
```yaml
|
|
apiVersion: v1
|
|
kind: ResourceQuota
|
|
metadata:
|
|
name: my-project-quota
|
|
namespace: my-project
|
|
spec:
|
|
hard:
|
|
requests.cpu: "4"
|
|
requests.memory: 8Gi
|
|
limits.cpu: "8"
|
|
limits.memory: 16Gi
|
|
```
|
|
|
|
### Network Policies
|
|
|
|
Isolate network traffic:
|
|
|
|
```yaml
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: my-project-policy
|
|
namespace: my-project
|
|
spec:
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
- Egress
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
name: shared-services
|
|
egress:
|
|
- to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
name: shared-services
|
|
```
|
|
|
|
---
|
|
|
|
## Monitoring Integration
|
|
|
|
### ServiceMonitor (Prometheus)
|
|
|
|
```yaml
|
|
apiVersion: monitoring.coreos.com/v1
|
|
kind: ServiceMonitor
|
|
metadata:
|
|
name: my-project
|
|
namespace: my-project
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: my-project
|
|
endpoints:
|
|
- port: metrics
|
|
path: /metrics
|
|
```
|
|
|
|
### Logging
|
|
|
|
Logs automatically collected by shared Loki instance.
|
|
|
|
---
|
|
|
|
## Best Practices
|
|
|
|
### Resource Management
|
|
- Set appropriate requests/limits
|
|
- Use horizontal pod autoscaling
|
|
- Monitor resource usage
|
|
|
|
### Security
|
|
- Use RBAC for access control
|
|
- Implement network policies
|
|
- Use secrets management
|
|
|
|
### Monitoring
|
|
- Expose metrics endpoints
|
|
- Configure ServiceMonitor
|
|
- Set up alerts
|
|
|
|
---
|
|
|
|
## Troubleshooting
|
|
|
|
### Pod Not Starting
|
|
|
|
**Check**:
|
|
- Resource quotas
|
|
- Resource requests/limits
|
|
- Image pull secrets
|
|
- Service account permissions
|
|
|
|
### Network Issues
|
|
|
|
**Check**:
|
|
- Network policies
|
|
- Service endpoints
|
|
- Ingress configuration
|
|
|
|
### Storage Issues
|
|
|
|
**Check**:
|
|
- Persistent volume claims
|
|
- Storage classes
|
|
- Access modes
|
|
|
|
---
|
|
|
|
## Migration Checklist
|
|
|
|
- [ ] Create namespace
|
|
- [ ] Configure resource quotas
|
|
- [ ] Update Kubernetes manifests
|
|
- [ ] Configure ingress
|
|
- [ ] Set up secrets
|
|
- [ ] Deploy application
|
|
- [ ] Verify deployment
|
|
- [ ] Configure monitoring
|
|
- [ ] Set up network policies
|
|
- [ ] Test functionality
|
|
- [ ] Update documentation
|
|
|
|
---
|
|
|
|
**Last Updated**: 2025-01-27
|
|
|