Containers
Use the native logging mechanisms of containers
Just write to stdout and stderr.
GKE provides Fluentd and Cloud Logging. The Fluentd pod reads the log files (the stdout and stderr of each container, captured on the host filesystem) and sends them to Cloud Logging or Elasticsearch.
Use JSON log format
Log aggregator sidecar pattern
Run a logging agent as a sidecar container in the same pod as the application container; both mount the same emptyDir volume, the application writes its log files there and the sidecar reads and ships them.
Ensure your containers are stateless and immutable
Statelessness: use Cloud Storage, Redis/Memcached, persistent disks.
Immutability: use Secrets and ConfigMaps
Avoid privileged containers (a privileged container has access to all the devices of the host machine)
Can be forbidden by a specific Pod Security Policy.
Make your application easy to monitor
Can use either Cloud Monitoring or Prometheus
Make applications expose metrics in the Prometheus format by:
Metrics HTTP endpoint
Sidecar pattern for monitoring (exposes /metrics endpoint)
Expose the health of your application
Liveness/readiness probes
Carefully choose the image version
Use specific tag instead of :latest
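The following pod manifest is an added example, not part of the original notes or of any GKE documentation; it ties together the sidecar log-aggregator pattern (shared emptyDir volume), the non-privileged security context, the monitoring sidecar exposing /metrics, the liveness/readiness probes and the pinned image tag discussed above. All names, image references, ports and paths (web-app, example.com/..., /healthz, /ready, port 9113) are placeholders; the prometheus.io/* annotations are a scrape convention used by many Prometheus configurations, not a Kubernetes API. The security settings shown are per pod; cluster-wide enforcement of "no privileged containers" is done today with Pod Security Admission, since Pod Security Policy was removed in Kubernetes 1.25.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: web-app                     # placeholder name
  annotations:
    prometheus.io/scrape: "true"    # scrape convention, picked up by a matching Prometheus config
    prometheus.io/port: "9113"
    prometheus.io/path: "/metrics"
spec:
  volumes:
    - name: app-logs
      emptyDir: {}                  # shared between the app and the log agent sidecar
  containers:
    - name: app
      image: example.com/web-app:1.4.2      # placeholder image; pinned tag, never :latest
      securityContext:
        privileged: false                   # no access to host devices
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        readOnlyRootFilesystem: true        # immutable container; writes go to mounted volumes only
      volumeMounts:
        - name: app-logs
          mountPath: /var/log/app           # app writes JSON log files here
      ports:
        - containerPort: 8080
          name: http
      livenessProbe:                        # restart the container if it stops answering
        httpGet:
          path: /healthz                    # placeholder endpoint
          port: http
        initialDelaySeconds: 10
        periodSeconds: 15
      readinessProbe:                       # only route traffic once the app can serve
        httpGet:
          path: /ready                      # placeholder endpoint
          port: http
        periodSeconds: 5
    - name: log-agent                       # log aggregator sidecar
      image: example.com/log-agent:2.0.0    # placeholder image; pinned tag
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        runAsNonRoot: true
      volumeMounts:
        - name: app-logs
          mountPath: /var/log/app
          readOnly: true                    # the sidecar only needs to read the log files
    - name: metrics-exporter                # monitoring sidecar exposing Prometheus metrics
      image: example.com/metrics-exporter:0.9.1   # placeholder image; pinned tag
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        runAsNonRoot: true
      ports:
        - containerPort: 9113
          name: metrics                     # serves /metrics in the Prometheus text format
```

Apply it with `kubectl apply -f` and check with `kubectl describe pod web-app` that the probes are passing and that no container reports `privileged: true`; the read-only mount on the sidecar and the read-only root filesystem on the app container are the parts that keep the pod immutable in practice.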
Dockerfile layer ordering
Because an image is built during the final stage of the build process, you can minimize the number of layers that have to be rebuilt by leveraging the build cache: cached layers are reused up to the first instruction whose input changed, and everything after it is rebuilt. So if your build contains several layers, order them from the less frequently changed (to keep the build cache reusable) to the more frequently changed:
Install tools you need to build your application
Install or update library dependencies
Generate your application