The documentation you are viewing is for Dapr v0.11 which is an older version of Dapr. For up-to-date documentation, see the latest version.
Guidelines for production ready deployments on Kubernetes
Cluster capacity requirements
For a production ready Kubernetes cluster deployment, it is recommended you run a cluster of 3 worker nodes to support a highly-available setup of the control plane. The Dapr control plane pods are designed to be lightweight and require the following resources in a production-ready setup:
Note: For more info on CPU and Memory resource units and their meaning, see this link
|Operator||Limit: 1, Request: 100m||Limit: 200Mi, Request: 20Mi|
|Sidecar Injector||Limit: 1, Request: 100m||Limit: 200Mi, Request: 20Mi|
|Sentry||Limit: 1, Request: 100m||Limit: 200Mi, Request: 20Mi|
|Placement||Limit: 1, Request: 250m||Limit: 500Mi, Request: 100Mi|
|Dashboard||Limit: 200m, Request: 50m||Limit: 200Mi, Request: 20Mi|
To change the resource assignments for the Dapr sidecar, see the annotations here. The specific annotations related to resource constraints are:
The following Dapr control plane deployments are optional:
- Placement - Needed for Dapr Actors
- Sentry - Needed for mTLS for service to service invocation
- Dashboard - Needed for operational view of the cluster
Sidecar resource requirements
The Dapr sidecar requires the following resources in a production-ready setup:
|Limit: 4, Request: 100m||Limit: 4000Mi, Request: 250Mi|
Note: Since Dapr is intended to do much of the I/O heavy lifting for your app, it’s expected that the resources given to Dapr enable you to drastically reduce the resource allocations for the application
The CPU and memory limits above account for the fact that Dapr is intended to do a lot of high performant I/O bound operations. Based on your app needs, you can increase or decrease those limits accordingly.
Deploying Dapr with Helm
When deploying to a production cluster, it’s recommended to use Helm. The Dapr CLI installation into a Kubernetes cluster is for a development and test only setup. You can find information here on how to deploy Dapr using Helm.
When deploying Dapr in a production-ready configuration, it’s recommended to deploy with a highly available configuration of the control plane:
helm install dapr dapr/dapr --version=<Dapr chart version> --namespace dapr-system --set global.ha.enabled=true
This command will run 3 replicas of each control plane pod in the dapr-system namespace.
Note: The Dapr Helm chart automatically deploys with affinity for nodes with the label
kubernetes.io/os=linux. You can deploy the Dapr control plane to Windows nodes, but most users should not need to. For more information see Deploying to a Hybrid Linux/Windows K8s Cluster
Upgrading Dapr with Helm
Dapr supports zero downtime upgrades. The upgrade path includes the following steps:
- Upgrading a CLI version (optional but recommended)
- Updating the Dapr control plane
- Updating the data plane (Dapr sidecars)
Upgrading the CLI
To upgrade the Dapr CLI, download the latest version of the CLI. After you downloaded the binary, it’s recommended you put the CLI binary in your path.
Updating the control plane
Saving the current certificates
When upgrading to a new version of Dapr, it is recommended you carry over the root and issuer certificates instead of re-generating them, which might cause a downtime for applications that make use of service invocation or actors.
Exporting certs with the Dapr CLI
To get your current certs with the Dapr CLI, run the following command:
dapr mtls export -o ./certs
This will save any existing root cert, issuer cert and issuer key in the output dir of your choice.
Exporting certs manually
To get the current root and issuer certificates, run the following command:
kubectl get secret dapr-trust-bundle -o yaml -n dapr-system apiVersion: v1 data: ca.crt: <ROOT-CERTIFICATE-VALUE> issuer.crt: <ISSUER-CERTIFICATE-VALUE> issuer.key: <ISSUER-KEY-VALUE> kind: Secret
Copy the contents of
issuer.key and base64 decode them. Save these certificates as files.
You should have the following files containing the base64 decoded text from the secret saved on your disk:
Updating the control plane pods
Note: To upgrade Dapr from 0.11.x to 1.0.0 version, please refer to this section.
Next, you need to find a Helm chart version that installs the new desired version of Dapr and perform a
helm upgrade operation.
First, update the Helm Chart repos:
helm repo update
List all charts in the Dapr repo:
helm search repo dapr --devel NAME CHART VERSION APP VERSION DESCRIPTION dapr/dapr 1.0.0-rc.1 1.0.0-rc.1 A Helm chart for Dapr on Kubernetes
The APP VERSION column tells us which Dapr runtime version is installed by the chart. Now, use the following command to upgrade Dapr to your desired runtime version providing a path to the certificate files you saved before:
--set global.ha.enabled=trueif current Dapr installation has not been deployed in HA mode.
helm upgrade dapr dapr/dapr \ --version <Dapr chart version> \ --namespace dapr-system \ --reset-values \ --set-file dapr_sentry.tls.root.certPEM=certs/ca.crt \ --set-file dapr_sentry.tls.issuer.certPEM=certs/issuer.crt \ --set-file dapr_sentry.tls.issuer.keyPEM=certs/issuer.key \ --set global.ha.enabled=true
Kubernetes now performs a rolling update. Wait until all the new pods appear as running:
kubectl get po -n dapr-system -w NAME READY STATUS RESTARTS AGE dapr-dashboard-86b94bb768-w4wmj 1/1 Running 0 39s dapr-operator-67d7d7bb6c-qqkk7 1/1 Running 0 39s dapr-placement-server-0 1/1 Running 0 39s dapr-sentry-647759cd46-nwzkw 1/1 Running 0 39s dapr-sidecar-injector-74648c9dcb-px2m5 1/1 Running 0 39s
You can verify the health and version of the control plane using the Dapr CLI:
dapr status -k NAME NAMESPACE HEALTHY STATUS REPLICAS VERSION AGE CREATED dapr-sidecar-injector dapr-system True Running 1 1.0.0-rc.1 1m 2020-11-16 14:42.19 dapr-sentry dapr-system True Running 1 1.0.0-rc.1 1m 2020-11-16 14:42.19 dapr-dashboard dapr-system True Running 1 0.3.0 1m 2020-11-16 14:42.19 dapr-operator dapr-system True Running 1 1.0.0-rc.1 1m 2020-11-16 14:42.19 dapr-placement-server dapr-system True Running 1 1.0.0-rc.1 1m 2020-11-16 14:42.19
Note: If new fields have been added to the target Helm Chart being upgraded to, the
helm upgrade command will fail. If that happens, you need to find which new fields have been added in the new chart and add them as parameters to the upgrade command, for example:
Updating the data plane (sidecars)
The last step is to update pods that are running Dapr to pick up the new version of the Dapr runtime.
To do that, simply issue a rollout restart command for any deployment that has the
kubectl rollout restart deploy/<Application deployment name>
To see a list of all your Dapr enabled deployments, you can either use the Dapr Dashboard or run the following command using the Dapr CLI:
dapr list -k APP ID APP PORT AGE CREATED nodeapp 3000 16h 2020-07-29 17:16.22
Upgrade from Dapr 0.11.x to 1.0.0
Run the below commands first to migrate from 0.11.x placement service safely:
kubectl annotate deployment dapr-placement "helm.sh/resource-policy"=keep -n dapr-system kubectl annotate svc dapr-placement "helm.sh/resource-policy"=keep -n dapr-system
Then export certs manually.
dapr mtls export -o ./certs
Upgrade Dapr using the below commands; this example upgrades Dapr from 0.11.x to 1.0.0-rc.1 with HA mode.
helm repo update helm upgrade dapr dapr/dapr --version 1.0.0-rc.1 --namespace dapr-system --reset-values --set-file dapr_sentry.tls.root.certPEM=./certs/ca.crt --set-file dapr_sentry.tls.issuer.certPEM=./certs/issuer.crt --set-file dapr_sentry.tls.issuer.keyPEM=./certs/issuer.key --set global.ha.enabled=true --wait
Once Dapr is installed completely, ensure that 0.11.x dapr-placement is still running and wait until all pods are running
kubectl get pods -n dapr-system -w NAME READY STATUS RESTARTS AGE dapr-dashboard-69f5c5c867-mqhg4 1/1 Running 0 42s dapr-operator-5cdd6b7f9c-9sl7g 1/1 Running 0 41s dapr-operator-5cdd6b7f9c-jkzjs 1/1 Running 0 29s dapr-operator-5cdd6b7f9c-qzp8n 1/1 Running 0 34s dapr-placement-5dcb574777-nlq4t 1/1 Running 0 76s ---- 0.11.x placement dapr-placement-server-0 1/1 Running 0 41s dapr-placement-server-1 1/1 Running 0 41s dapr-placement-server-2 1/1 Running 0 41s dapr-sentry-84565c747b-7bh8h 1/1 Running 0 35s dapr-sentry-84565c747b-fdlls 1/1 Running 0 41s dapr-sentry-84565c747b-ldnsf 1/1 Running 0 29s dapr-sidecar-injector-68f868668f-6xnbt 1/1 Running 0 41s dapr-sidecar-injector-68f868668f-j7jcq 1/1 Running 0 29s dapr-sidecar-injector-68f868668f-ltxq4 1/1 Running 0 36s
Update pods that are running Dapr to pick up the new version of the Dapr runtime.
kubectl rollout restart deploy/<Application deployment name>
Once the deployment is completed, delete 0.11.x dapr-placement service by following commands:
kubectl delete deployment dapr-placement -n dapr-system kubectl delete svc dapr-placement -n dapr-system
Recommended security configuration
Properly configured, Dapr not only be secured with regards to it’s control plane and sidecars communication, but can also make your application more secure with a number of built-in features.
It is recommended that a production-ready deployment includes the following settings:
Mutual Authentication (mTLS) should be enabled. Note that Dapr has mTLS on by default. For details on how to bring your own certificates, see here
Dapr API authentication is enabled (this is the between your application and the Dapr sidecar). To secure the Dapr API from unauthorized access, it is recommended to enable Dapr’s token based auth. See here for details
All component YAMLs should have secret data configured in a secret store and not hard-coded in the YAML file. See here on how to use secrets with Dapr components
The Dapr control plane is installed on a separate namespace such as
dapr-system, and never into the
Dapr also supports scoping components for certain applications. This is not a required practice, and can be enabled according to your Sec-Ops needs. See here for more info.
Tracing and metrics configuration
Dapr has tracing and metrics enabled by default. To configure a tracing backend for Dapr visit this link.
For metrics, Dapr exposes a Prometheus endpoint listening on port 9090 which can be scraped by Prometheus.
It is recommended that you set up distributed tracing and metrics for your applications and the Dapr control plane in production. If you already have your own observability set-up, you can disable tracing and metrics for Dapr.
To setup Prometheus, Grafana and other monitoring tools with Dapr, visit this link.