Containerization and orchestration
1) Why containers and Kubernetes for iGaming
Speed of change: predictable images, a single CI/CD pipeline.
Resilience: automatic restarts, horizontal scaling, self-healing.
Data/jurisdiction isolation: namespaces or clusters per jurisdiction.
Operational standards: resource policies, unified logs/metrics/traces.
When it is not needed: a small team, 2-3 services, rare releases - start with a PaaS or a modular monolith.
2) Images and registries (OCI/Docker)
2.1 Building images - principles
Multi-stage: build → runtime (slim base images: `distroless`; `alpine` with care).
Reproducibility: pin base images by `sha256` digest, `COPY --chown`, `--mount=type=cache` with BuildKit.
SBOM and signatures: `cosign sign/verify`, SLSA provenance, a signed-images-only policy.
Slim down: remove dev tools, `USER nonroot`, enable `readOnlyRootFilesystem`.
Dockerfile (Node.js)
```dockerfile
# build stage
FROM node:22-bookworm AS build
WORKDIR /app
# the lock file is required by `npm ci`
COPY package.json package-lock.json ./
# full install: build tooling usually lives in devDependencies
RUN npm ci
COPY . .
RUN npm run build
# drop devDependencies so only runtime modules reach the final image
RUN npm prune --omit=dev

# runtime stage (distroless: no shell, no package manager)
FROM gcr.io/distroless/nodejs22-debian12
WORKDIR /srv
COPY --from=build /app/dist ./dist
COPY --from=build /app/node_modules ./node_modules
# unprivileged numeric UID (no /etc/passwd lookup needed)
USER 10001
ENV NODE_ENV=production
# the distroless image's entrypoint is `node`
CMD ["dist/server.js"]
```
2.2 Registries and policies
Private registry + geo-replicas (EU/NA) to lower latency and satisfy GDPR residency requirements.
Retention/immutability: forbid overwriting tags, pre-warm the cache at PoPs.
Admission control: only signed and scanned images (cosign + Trivy/Grype).
3) Orchestration: Kubernetes base patterns
3.1 Primitives
Deployment - stateless services (lobby, API).
StatefulSet - wallet/queue/storage (fixed names, stable volumes).
DaemonSet - log agents/network components.
Job/CronJob - migrations, reports, ETL.
3.2 Resources and QoS
`requests/limits` (CPU/memory) → QoS classes and predictable scheduling.
Burstable only deliberately; critical workloads - Guaranteed.
Place critical payment pods on dedicated pools (taints/tolerations, node affinity).
3.3 Resilience and releases
Probes: `startup`, `liveness`, `readiness` (with timeouts and periods).
Rollout: `maxSurge/maxUnavailable`, canary via weights in Ingress/Gateway/Service Mesh.
PDB (PodDisruptionBudget) + graceful shutdown (preStop hook, `terminationGracePeriodSeconds`).
Drain/cordon nodes during upgrades.
4) Networking: CNI, services, ingress traffic
4.1 CNI layer
Calico/Cilium/Weave - network policy (NetworkPolicy), eBPF for performance.
Rules between namespaces: the minimum required egress/ingress.
4.2 Services and ingress
Service: `ClusterIP/NodePort/LoadBalancer`.
Ingress or Gateway API for L7: path/header/host routing, TLS, canary weights.
mTLS inside the cluster: via a service mesh (Istio/Linkerd) - TLS and policy enforcement.
HTTPRoute example (Gateway API, canary weights)
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: lobby-route   # name added here; the original fragment omits metadata
spec:
  # parentRefs (the Gateway this route attaches to) are omitted in the original fragment
  rules:
    - backendRefs:
        - name: lobby-v1
          weight: 90
          port: 8080
        - name: lobby-v2
          weight: 10
          port: 8080
```
5) Storage: CSI/PV/PVC, storage classes
Provider CSI drivers (EBS/PD/Premium SSD) + `storageClass` performance parameters.
RWX for sharing (NFS/FSx/Filestore) - be careful with locking.
Backup/restore: Velero/Kasten, periodic snapshots, restore verification.
Encryption: at the disk level and at the DB level (KMS).
6) Autoscaling: HPA/VPA/KEDA
HPA (by CPU/RAM/custom metrics - RPS, p95): for API/lobby.
VPA (recommendations/auto) - for steady workers.
KEDA (event-driven) - scale by Kafka/SQS/Redis queue depth, cron schedules.
Cluster Autoscaler - nodes by load; warm pools for peaks (tournaments/streams).
7) Service mesh (as needed)
mTLS/service-to-service policy, identity-based authorization (SPIFFE).
Circuit breaker/timeout/retry, outlier ejection, traffic mirroring (shadow).
Telemetry out of the box: unified metrics and traces.
Use it where fine-grained traffic management is needed (payments, game providers).
8) Security: secrets, policy, compliance
Secrets: an external manager (AWS/GCP/Azure KMS, External Secrets), rotation.
Policy-as-code: OPA/Gatekeeper/Kyverno - forbid `:latest`, root USER, hostPath, privileged containers.
Privilege boundaries: Namespaces + RBAC, Dev/Stage/Prod separation, audit.
Image security: CI/CD scanning, signing (cosign), signature verification at admission.
mTLS and JWT internally (mesh), WAF/rate limiting at the edge (Ingress/Gateway).
9) Observability and SLOs
Metrics: Prometheus/OpenTelemetry, p50/95/99, 4xx/5xx, saturation.
Logs: structured JSON → Loki/Elastic, masking of PII/PAN/IBAN.
Traces: OTLP → Tempo/Jaeger; `trace_id` originates at the gateway.
SLO: e.g. `Deposit p95 ≤ 300 ms, success ≥ 98.5%`, burn-rate alerts.
Proactivity: per-service/per-route dashboards, a watchdog on DLQ and queue lag.
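The burn-rate alerting behind the Deposit SLO above, as an added example that is not the page's code: it takes the page's `success ≥ 98.5%` target, derives the 1.5% error budget, and applies the multi-window burn-rate rule from the Google SRE workbook (page only when both a long and a short window burn fast, so a brief blip does not page but a sustained burn does). The window lengths (1 h / 5 min) and the 14.4× threshold are assumptions; the request counts are constructed.

```python
"""Error-budget burn-rate alerting for a success-ratio SLO.

Added example, not the page's code. SLO success >= 98.5% means 1.5% of
requests may fail over the SLO window; burn rate = observed error ratio /
allowed error ratio. A burn rate of 14.4 sustained for 1 h consumes 2% of a
30-day budget (14.4 / 720 h), the classic "page now" threshold (assumption).
"""
from dataclasses import dataclass

SLO_SUCCESS = 0.985                 # from the page's Deposit SLO
ERROR_BUDGET = 1.0 - SLO_SUCCESS    # 1.5% of requests may fail


@dataclass(frozen=True)
class Window:
    """Request counts observed over one alerting window (constructed in tests)."""
    total: int     # requests in the window
    errors: int    # failed requests (5xx, timeouts) in the window

    def error_ratio(self) -> float:
        return 0.0 if self.total == 0 else self.errors / self.total


def burn_rate(window: Window, slo_success: float = SLO_SUCCESS) -> float:
    """How many times faster than allowed the error budget is being consumed.
    1.0 means exactly on budget; < 1.0 means the budget is being under-spent."""
    return window.error_ratio() / (1.0 - slo_success)


def budget_remaining(window: Window, slo_success: float = SLO_SUCCESS) -> float:
    """Fraction of the error budget still left for the SLO window (clamped at 0)."""
    allowed_errors = window.total * (1.0 - slo_success)
    if allowed_errors == 0:
        return 1.0
    return max(0.0, 1.0 - window.errors / allowed_errors)


def should_page(long_window: Window, short_window: Window,
                threshold: float = 14.4) -> bool:
    """Multi-window rule: the long window (e.g. 1 h) shows enough budget was
    burned to matter, the short window (e.g. 5 min) confirms it is still burning.
    Both must exceed the threshold, otherwise a transient blip would page."""
    return (burn_rate(long_window) >= threshold
            and burn_rate(short_window) >= threshold)
```

In Prometheus terms the two windows are two `rate()` expressions over the same error and total counters; the code above is the arithmetic the alert rule evaluates.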
10) CI/CD, Helm, GitOps
CI: linters, tests (unit/contract/integration), SAST/DAST, SBOM.
Helm/Jsonnet/Kustomize: declarative charts driven by `values`.
GitOps (ArgoCD/Flux): a single source of truth, PR review of manifests, a rollback button.
Strategies: blue-green, canary, shadow; schema migrations - expand-and-contract.
values.yaml fragment (resources/probes)
```yaml
resources:
  requests: { cpu: "200m", memory: "256Mi" }
  limits: { cpu: "500m", memory: "512Mi" }
livenessProbe: { httpGet: { path: /healthz, port: 8080 }, initialDelaySeconds: 20, periodSeconds: 10 }
readinessProbe: { httpGet: { path: /readyz, port: 8080 }, initialDelaySeconds: 5, periodSeconds: 5 }
```
11) Scheduling and isolation
NodePools: put payments/wallet on "low-noise" nodes with fast disks.
Taints/Tolerations: protected pools for critical workloads.
(Anti-)Affinity: spread replicas across zones/nodes (HA).
ResourceQuota/LimitRange - protection against "noisy neighbours".
12) Multi-cluster, multi-region, DR
Split by jurisdiction: EU/LatAm/ROW clusters; residents' data stays local.
GSLB/Anycast at the edge, monitoring and alerting.
- Warm standby (recommended): a synchronous copy of critical data, periodic failover drills.
- Active-active for reads/regional routing.
- Backups: Velero, restore rehearsals.
13) iGaming specifics
Payments/wallet: p95 ≤ 300-500 ms, dedicated pools and a strict PDB; canary 1→5→10%.
Lobby/content: aggressive HPA on RPS/INP, pre-warmed images/vector cache.
Live games/streams: LC/minimal retries, long socket timeouts, sticky sessions by connection.
Compliance: namespaces with strict policy, secrets via KMS, audit of Helm release changes.
Responsible gaming: the limits/blocking service gets priority traffic (fail-open or fail-closed per policy).
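The 1→5→10% canary for the wallet described above, combined with the weighted `backendRefs` from the HTTPRoute example in section 4.2 and the canary/rollback strategy from section 10, as an added example (not the page's or any project's code): each step is gated on the page's SLO (p95 ≤ 300 ms, success ≥ 98.5%) before the next weight is applied. The step list, the minimum sample size, the `wallet-api-stable`/`wallet-api-canary` backend names and the observations are assumptions constructed for the example.

```python
"""SLO-gated canary promotion for a payment service.

Added example, not the page's code. One CanaryObservation is collected per
step from the canary track only; the gate promotes, holds (too few samples
to judge), or rolls back to weight 0. Thresholds come from the page's SLO;
steps, sample minimum and backend names are assumptions.
"""
import math
from dataclasses import dataclass

CANARY_STEPS = [1, 5, 10, 100]   # percent of traffic per step; 100 == full promotion (assumption)
MIN_SAMPLES = 200                # never judge a step on fewer requests than this (assumption)
P95_LIMIT_MS = 300.0             # page: Deposit p95 <= 300 ms
MIN_SUCCESS = 0.985              # page: success >= 98.5%


@dataclass(frozen=True)
class CanaryObservation:
    latencies_ms: list[float]    # one entry per request served by the canary
    failures: int                # 5xx / timeouts among those requests


def p95(samples_ms: list[float]) -> float:
    """Nearest-rank 95th percentile; no interpolation is needed for an SLO gate."""
    if not samples_ms:
        raise ValueError("no samples")
    ordered = sorted(samples_ms)
    rank = max(1, math.ceil(0.95 * len(ordered)))
    return ordered[rank - 1]


def evaluate(step_index: int, obs: CanaryObservation) -> tuple[str, int]:
    """Decide the next action for the current step.
    Returns (decision, canary weight in percent) with decision one of
    'hold', 'promote', 'rollback' or 'complete'."""
    total = len(obs.latencies_ms)
    current = CANARY_STEPS[step_index]
    if total < MIN_SAMPLES:
        return "hold", current
    success = (total - obs.failures) / total
    if p95(obs.latencies_ms) > P95_LIMIT_MS or success < MIN_SUCCESS:
        return "rollback", 0           # stable track gets 100% again
    if step_index == len(CANARY_STEPS) - 1:
        return "complete", current
    return "promote", CANARY_STEPS[step_index + 1]


def run_rollout(observations: list[CanaryObservation]) -> list[tuple[str, int]]:
    """Walk the steps with one observation per step; stop on rollback or completion."""
    history: list[tuple[str, int]] = []
    step = 0
    for obs in observations:
        decision, weight = evaluate(step, obs)
        history.append((decision, weight))
        if decision in ("rollback", "complete"):
            break
        if decision == "promote":
            step += 1
    return history


def route_weights(canary_percent: int,
                  stable: str = "wallet-api-stable",
                  canary: str = "wallet-api-canary") -> list[dict]:
    """backendRefs for an HTTPRoute, weights summing to 100 like the lobby-v1/v2 example."""
    if not 0 <= canary_percent <= 100:
        raise ValueError("weight must be 0..100")
    return [
        {"name": stable, "weight": 100 - canary_percent, "port": 8080},
        {"name": canary, "weight": canary_percent, "port": 8080},
    ]
```

A GitOps controller would write the `route_weights` result into the HTTPRoute manifest in the repository rather than patching the cluster directly, so every weight change is a reviewed commit and rollback is a revert.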
14) Checklists
Before deploying a service
- Multi-stage image, USER nonroot, cosign signature, scanner passed.
- Requests/limits, probes, env/secrets from an external manager.
- PDB, `maxUnavailable ≤ 1`, graceful shutdown.
- SLO/alerts, traces from the gateway down to the DB.
- Canary scheme and a rollback plan.
- OPA/Kyverno policy (no root, no hostPath, no `:latest`).
Cluster/platform
- CNI and NetworkPolicy enabled; mTLS (mesh) where needed.
- StorageClass/retention, backup/restore verified.
- HPA/VPA/KEDA tuned; Cluster Autoscaler and warm pool.
- Minimal RBAC, audit enabled, secrets from KMS.
- GitOps: charts/manifests in the repository, PR review required.
15) Anti-patterns
`latest`, root user, "fat" base layers.
No `requests/limits` → evictions/throttling.
Readiness = liveness.
Mixing stateful/stateless in one pool without taints.
"Head-on" schema migrations without expand-and-contract.
A single cluster "for all markets" without regional isolation.
PII/PAN in logs, secrets in ConfigMaps.
No PDB/drain → outages during peaks and upgrades.
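The policy-as-code rules from section 8, the QoS classes from section 3.2 and the anti-patterns just listed, written out as an added example that is not the page's code and not Kyverno or Gatekeeper: a small admission-style checker over workload manifests represented as Python dicts (what a validating webhook sees after JSON decoding). The `WALLET_API` dict is the page's Deployment reduced to the checked fields with a placeholder digest; `BAD_POD` is a constructed counter-example.

```python
"""Offline admission-style checks for Kubernetes workloads (added example)."""
from typing import Any

Manifest = dict[str, Any]


def _pod_spec(manifest: Manifest) -> Manifest:
    """Pod spec for a Pod, or the template spec for Deployment/StatefulSet/DaemonSet/Job."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def _all_containers(spec: Manifest) -> list[Manifest]:
    return spec.get("containers", []) + spec.get("initContainers", [])


def qos_class(manifest: Manifest) -> str:
    """Kubernetes QoS rule: Guaranteed only if every container has cpu and memory
    limits with requests equal to them; BestEffort if nothing is set; else Burstable."""
    any_set, guaranteed = False, True
    for c in _all_containers(_pod_spec(manifest)):
        res = c.get("resources", {})
        req, lim = res.get("requests", {}), res.get("limits", {})
        any_set = any_set or bool(req) or bool(lim)
        for r in ("cpu", "memory"):
            # an unset request defaults to the limit, so only an explicit mismatch breaks Guaranteed
            if r not in lim or req.get(r, lim[r]) != lim[r]:
                guaranteed = False
    if not any_set:
        return "BestEffort"
    return "Guaranteed" if guaranteed else "Burstable"


def check_manifest(manifest: Manifest) -> list[str]:
    """Return policy violations; an empty list means the workload would be admitted."""
    spec = _pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})
    violations: list[str] = []
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f"volume {vol.get('name')!r} uses hostPath")
    for c in _all_containers(spec):
        name = c.get("name", "<unnamed>")
        image = c.get("image", "")
        if "@sha256:" not in image:
            # the tag follows the last ':' of the final path segment (a registry port is followed by '/')
            last = image.split("/")[-1]
            tag = last.rsplit(":", 1)[1] if ":" in last else "latest"
            if tag == "latest":
                violations.append(f"{name}: image {image!r} uses the mutable 'latest' tag")
            else:
                violations.append(f"{name}: image {image!r} is not pinned by sha256 digest")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"{name}: privileged container")
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if non_root is not True and uid in (None, 0):
            violations.append(f"{name}: may run as root (set runAsNonRoot or a non-zero runAsUser)")
        if not sc.get("readOnlyRootFilesystem"):
            violations.append(f"{name}: readOnlyRootFilesystem not enabled")
        res = c.get("resources", {})
        for key in ("requests", "limits"):
            missing = {"cpu", "memory"} - set(res.get(key, {}))
            if missing:
                violations.append(f"{name}: resources.{key} missing {sorted(missing)}")
        ready, live = c.get("readinessProbe"), c.get("livenessProbe")
        if ready is None:
            violations.append(f"{name}: no readinessProbe")
        elif ready == live:
            violations.append(f"{name}: readinessProbe identical to livenessProbe")
    return violations


# The page's wallet-api Deployment reduced to the checked fields (digest is a placeholder).
WALLET_API: Manifest = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "image": "registry.local/wallet/api@sha256:<digest>",
        "resources": {"requests": {"cpu": "250m", "memory": "256Mi"},
                      "limits": {"cpu": "500m", "memory": "512Mi"}},
        "readinessProbe": {"httpGet": {"path": "/readyz", "port": 8080}, "periodSeconds": 5},
        "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}, "initialDelaySeconds": 20},
        "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True},
    }]}}},
}

# Constructed counter-example that trips most of the anti-patterns at once.
BAD_POD: Manifest = {
    "kind": "Pod",
    "spec": {
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
        "containers": [{
            "name": "debug",
            "image": "registry.local/tools/debug:latest",
            "securityContext": {"privileged": True},
            "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
            "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
        }],
    },
}
```

One thing the checker makes visible: with the page's own values (requests 250m/256Mi, limits 500m/512Mi) the wallet-api pod lands in the Burstable class, while section 3.2 asks for Guaranteed on critical workloads; setting limits equal to requests is what moves it.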
16) Platform metrics (minimum)
Cluster: CPU/mem requests vs allocatable, pod churn, node pressure.
Network: p95 per route, 4xx/5xx, resets/timeouts, retry rate, mTLS errors.
Storage: IOPS/latency, queue depth, CSI errors.
Autoscaling: HPA decisions, CA events, warm-up time.
Business: TTP, TtW, FTD success, payment declines by provider.
Security: OPA violations, unsigned images, expired secrets.
17) Manifest examples
Deployment (API, canary label)
```yaml
apiVersion: apps/v1
kind: Deployment
metadata: { name: wallet-api, labels: { app: wallet, track: stable } }
spec:
  replicas: 4
  strategy: { type: RollingUpdate, rollingUpdate: { maxSurge: 1, maxUnavailable: 1 } }
  selector: { matchLabels: { app: wallet, track: stable } }
  template:
    metadata: { labels: { app: wallet, track: stable } }
    spec:
      serviceAccountName: wallet-sa
      containers:
        - name: api
          image: registry.local/wallet/api@sha256:...
          ports: [{ containerPort: 8080 }]
          resources:
            requests: { cpu: "250m", memory: "256Mi" }
            limits: { cpu: "500m", memory: "512Mi" }
          readinessProbe: { httpGet: { path: /readyz, port: 8080 }, periodSeconds: 5 }
          livenessProbe: { httpGet: { path: /healthz, port: 8080 }, initialDelaySeconds: 20 }
          securityContext:
            runAsNonRoot: true
            readOnlyRootFilesystem: true
```
PDB (wallet)
```yaml
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata: { name: wallet-pdb }   # name added here; the original fragment omits metadata
spec:
  minAvailable: 3
  selector: { matchLabels: { app: wallet } }
```
HPA (by RPS via custom metrics)
```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata: { name: wallet-api }   # name added here; the original fragment omits metadata
spec:
  # scaleTargetRef is required; it points at the wallet-api Deployment above
  scaleTargetRef: { apiVersion: apps/v1, kind: Deployment, name: wallet-api }
  minReplicas: 4
  maxReplicas: 40
  metrics:
    - type: Pods
      pods:
        metric:
          name: http_requests_per_second
        target:
          type: AverageValue
          averageValue: "50"
```
18) Rollout plan (by sprint)
1. Multi-stage images, SBOM, signatures, admission policy.
2. Base k8s platform: CNI, Ingress/Gateway, monitoring/logs/traces, StorageClass.
3. CI/CD and GitOps: Helm charts, environments, canary/rollback, schema migrations.
4. Scale and resilience: HPA/VPA/KEDA, PDB, node pools, taints/affinity, DR plan.
Final cheat sheet
Slim, signed images + admission policy = the security baseline.
Probes, resources, PDB, drain = release stability.
HPA/VPA/KEDA + pool tuning = scaling without falling over.
Gateway/Ingress + mTLS/OPA = a secure perimeter and internal traffic.
Observability + SLO + GitOps = controlled change.
Regional isolation and DR = compliance and fault tolerance.