15 Common Kubernetes Pitfalls & Challenges - Spacelift

## 1. Deploying Containers With the "Latest" Tag Arguably one of the most frequently violated Kubernetes best practices is using the `latest` tag when you deploy containers. This puts you at risk of unintentionally receiving major changes which could break your deployments. The `latest` tag is used in different ways by individual authors, but most will point `latest` to the newest release of their project. Using `helm:latest` today will deliver Helm v3, for example, but it'll immediately update to v4 after that release is launched. When you use `latest`, the actual versions of the images in your cluster are unpredictable and subject to change. Kubernetes will *always* pull the image when a new Pod is started, even if a version is already available on the host Node. This differs from other tags, where the existing image on the Node will be reused when it exists. … The affinity system is capable of supporting complex scheduling behavior, but it's also easy to misconfigure affinity rules. When this happens, Pods will unexpectedly schedule to incorrect Nodes, or refuse to schedule or all. Inspect affinity rules for contradictions and impossible selectors, such as labels which no Nodes possess. ## 4. Forgetting Network Policies Network policies control the permissible traffic flows to Pods in your cluster. Each `NetworkPolicy` object targets a set of Pods and defines the IP address ranges, Kubernetes namespaces, and other Pods that the set can communicate with. Pods that aren't covered by a policy have no networking restrictions imposed. This is a security issue because it unnecessarily increases your attack surface. A compromised neighboring container could direct malicious traffic to sensitive Pods without being subject to any filtering. … ## 5. No Monitoring/Logging Accurate visibility into cluster utilization, application errors, and real-time performance data is essential as you scale your apps in Kubernetes. Spiking memory consumption, Pod evictions, and container crashes are all problems you should know about, but standard Kubernetes doesn't come with any observability features to alert you when problems occur. To enable monitoring for your cluster, you should deploy an observability stack such as Prometheus. This collects metrics from Kubernetes, ready for you to query and visualize on dashboards. It includes an alerting system to notify you of important events. … ## Key Points Kubernetes is the industry-standard orchestrator for cloud-native systems, but popularity doesn't mean perfection. To get the most from Kubernetes, your developers, and operators need to correctly configure your cluster and its objects to avoid errors, sub-par scaling, and security vulnerabilities. This guide has covered 15 challenges to look for each time you use Kubernetes. While these will solve the most commonly encountered issues, you should review Kubernetes best practices to get even more out of your cluster. And check out also Kubernetes use cases.