A Microservices Guide for Spring Cloud Kubernetes Reference Architecture
Andriy Kalashnykov
This Reference Architecture demonstrates design, development, and deployment of Spring Boot microservices on Kubernetes. Each section covers architectural recommendations and configuration for each concern when applicable.
High-level key recommendations:
- Consider Best Practices in Cloud Native Applications and The 12 Factor App
- Keep each microservice in a separate Maven or Gradle project
- Prefer using dependencies when inheriting from parent project instead of using relative path
- Use Spring Initializr a web application that can generate a Spring Boot project structure, fill in your project details, pick your options, and download a bundled up project
This architecture demonstrates a complex Cloud Native application that addresses following concerns:
- Externalized configuration using ConfigMaps, Secrets, and PropertySource
- Kubernetes API server access using ServiceAccounts, Roles, and RoleBindings
- Health checks using Application Probes
- readinessProbe
- livenessProbe
- startupProbe
- Reporting application state using Spring Boot Actuators
- Service discovery across namespaces using DiscoveryClient
- Exposing API documentation using Swagger UI
- Building a Docker image using best practices
- Layering JARs using the Spring Boot plugin
- Observing the application using Prometheus exporters
Reference Architecture
The reference architecture demonstrates an organization where each unit has its own application designed using a microservices architecture. Microservices are exposed as REST APIs utilizing Spring Boot in an embedded Tomcat server and deployed on Kubernetes.
Each microservice is deployed in its own namespace. Placing microservices in separate namespaces allows logical grouping that makes it easier to manage access privileges by assigning them only to a team responsible for a particular application. Spring Cloud Kubernetes Discovery Client makes internal communication between microservices seamless. It communicates with the Kubernetes API to discover the IPs of all services, running in Pods.
The application implemented in this Reference Architecture is built with several open source components, commonly found in most Spring Boot microservices deployments. These include:
Spring Cloud Kubernetes: Provides integration with the Kubernetes API server to allow service discovery, configuration and load balancing used by Spring Cloud.
Spring Cloud: provides tools for developers to quickly build common patterns in distributed systems.
- OpenFeign - Java to HTTP client binder
- Ribbon (via Kubernetes services) - client-side load balancing in calls to another microservice
- Zuul - routing and filtering requests to a microservice
- Sleuth - a distributed tracing tool
- Swagger - a set of open-source tools built around the OpenAPI Specification that can design, build, document and consume REST APIs
- Swagger UI - provides interaction and visualization of API resources without writing custom logic.
Reference Architecture Environment
Each microservice runs in its own container, one container per pod and one pod per service replica. The application is built using a microservices architecture and represented by replicated containers calling each other.
Spring Cloud Kubernetes
Spring Cloud Kubernetes provides Spring Cloud implementations of common interfaces that consume Kubernetes native services. Its objective is to facilitate integration of Spring Cloud and Spring Boot applications running inside Kubernetes.
Spring Cloud Kubernetes integrates with the Kubernetes API and allows service discovery, configuration, and load balancing. This Reference Architecture demonstrates the use of the following Spring Cloud Kubernetes features:
- Discovering services across all namespaces using the Spring Cloud DiscoveryClient
- Using ConfigMap and Secrets as Spring Boot property sources with Spring Cloud Kubernetes Config
- Implementing health checks using Spring Cloud Kubernetes pod health indicator
Get source code
The sample application’s source code is located at
and is available
under the master
Run the following command to clone the repository:
git clone git@github.com:AndriyKalashnykov/spring-microservices-k8s.git
cd spring-microservices-k8s
git checkout tags/1.0.1
Source Code Directory Structure
The application’s source code is structured as follows:
$ tree -d -L 2
├── department-service # department microservice project
│ └── src
├── employee-service # employee microservice project
│ └── src
├── gateway-service # gateway project
│ └── src
├── k8s # kubernetes YAML manifests
├── organization-service # organization microservice project
│ └── src
└── scripts # shell scripts to create, build, install, and deploy microservices
10 directories
Enable Spring Cloud Kubernetes
Add the following dependency to enable Spring Cloud Kubernetes features in the project. The library contains modules for service discovery, configuration, and Ribbon load balancing.
Enable Service Discovery Across All Namespaces
Spring Cloud Kubernetes achieves Kubernetes service discovery with Spring Boot applications by providing an implementation of DiscoveryClient. Ribbon client communicates directly to pods rather than through Kubernetes services. This enables more complete balancing as opposed to round robin, which is forced when going through Kubernetes services. Ribbon is used by a higher-level HTTP client, OpenFeign. MongoDB is used for data storage. Swagger2 is an open source project used to generate the REST API documents for RESTful web services.
@RibbonClients(defaultConfiguration = RibbonConfiguration.class)
public class DepartmentApplication {
public static void main(String[] args) {
SpringApplication.run(DepartmentApplication.class, args);
public Docket swaggerApi() {
return new Docket(DocumentationType.SWAGGER_2)
.apiInfo(new ApiInfoBuilder().version("1.0").title("Department API").description("Documentation Department API v1.0").build());
To enable discovery across all namespaces, the all-namespaces
property needs
to be set to true
kind: ConfigMap
apiVersion: v1
name: department
spring.cloud.kubernetes.discovery.all-namespaces: "true"
# other config removed for brevity.
Feign is a declarative web service client. In order to communicate with
from department-service
we need to create an interface and
use the @FeignClient
annotation. In the @FeignClient
annotation the String
value "employee"
is an arbitrary client name, which is used to create a Ribbon
load balancer. The name of the bean in the application context is the fully
qualified name of the interface. At run-time, employee
will be resolved with a
look up in the discovery server to a IP address of employee
service in Kubernetes.
@FeignClient(name = "employee")
public interface EmployeeClient {
List<Employee> findByDepartment(@PathVariable("departmentId") String departmentId);
Create Kubernetes namespaces
Create Kubernetes namespaces for each microservice
kubectl create namespace department
kubectl create namespace employee
kubectl create namespace gateway
kubectl create namespace organization
kubectl create namespace mongo
Configure Spring Cloud Kubernetes to access Kubernetes API
Spring Cloud Kubernetes requires access to the Kubernetes API in order to be
able to retrieve the list of IP addresses of the pods that are fronted by a
single service. The simplest way to do that is to define a ClusterRole
list of resources and verbs.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
namespace: default
name: microservices-kubernetes-namespace-reader
- apiGroups: [""] # "" indicates the core API group
resources: ["configmaps", "pods", "services", "endpoints", "secrets"]
verbs: ["get", "list", "watch"]
Then create it in the default
kubectl apply -f ../k8s/rbac-cluster-role.yaml -n default
create service accounts api-service-account
kubectl create serviceaccount api-service-account -n department
kubectl create serviceaccount api-service-account -n employee
kubectl create serviceaccount api-service-account -n gateway
kubectl create serviceaccount api-service-account -n organization
kubectl create serviceaccount api-service-account -n mongo
bind Service Accounts api-service-account
from each namespace to
kubectl create clusterrolebinding service-pod-reader-department --clusterrole=microservices-kubernetes-namespace-reader --serviceaccount=department:api-service-account
kubectl create clusterrolebinding service-pod-reader-employee --clusterrole=microservices-kubernetes-namespace-reader --serviceaccount=employee:api-service-account
kubectl create clusterrolebinding service-pod-reader-gateway --clusterrole=microservices-kubernetes-namespace-reader --serviceaccount=gateway:api-service-account
kubectl create clusterrolebinding service-pod-reader-organization --clusterrole=microservices-kubernetes-namespace-reader --serviceaccount=organization:api-service-account
kubectl create clusterrolebinding service-pod-reader-mongo --clusterrole=microservices-kubernetes-namespace-reader --serviceaccount=mongo:api-service-account
and make sure that deployment manifests for microservices reference service account
# other config removed for brevity. serviceAccountName: api-service-account
Kubernetes Service Naming
Every Service defined in the cluster (including the DNS server itself) is
assigned a DNS name. “Normal” (not headless) Services are assigned a DNS A or
AAAA record, depending on the IP family of the service, for a name of the form
. This resolves to the cluster
IP of the Service.
The DNS records for each service are as follows.
Configure MongoDB
MongoDB deployment
The MongoDB deployment is instructed to read a ConfigMap to get the database-name
and read the Secret to get database-user
and database-password
apiVersion: apps/v1
kind: Deployment
name: mongodb
app: mongodb
replicas: 1
app: mongodb
app: mongodb
- name: mongodb
image: mongo:4.2.3
- containerPort: 27017
name: mongodb
key: database-name
name: mongodb
key: database-user
name: mongodb
key: database-password
cpu: "0.2"
memory: 300Mi
cpu: "1.0"
memory: 300Mi
port: 27017
initialDelaySeconds: 50
timeoutSeconds: 2
periodSeconds: 20
failureThreshold: 5
port: 27017
initialDelaySeconds: 50
timeoutSeconds: 2
periodSeconds: 20
failureThreshold: 5
serviceAccountName: api-service-account
MongoDB ConfigMap
In a ConfigMap the name of the Mongo database is set under database-name
apiVersion: v1
kind: ConfigMap
name: mongodb
database-name: admin
MongoDB Secret
The username and password is set under database-user
and database-password
respectively. Since this is a Secret object, the values must be base64 encoded.
apiVersion: v1
kind: Secret
name: mongodb
type: Opaque
database-user: bW9uZ28tYWRtaW4=
database-password: bW9uZ28tYWRtaW4tcGFzc3dvcmQ=
Use Spring Cloud Kubernetes ConfigMap PropertySource
By using the Spring Cloud Kubernetes PropertySources you’re coupling the application to Kubernetes. Without PropertySources, Kubernetes provides mechanisms like mounting configurations and secrets to the containers file system. This enables an application to ingest configuration without knowledge of where it is running.
It’s advised you consider these trade-offs before proceeding. We use PropertySource to access ConfigMap for demonstration purposes, thinking that it will be used by many Spring developers because of it ease of use and convenience.
The Spring Cloud Kubernetes PropertySource feature enables consumption of
and Secret
objects directly in the application without injecting them into a
The default behavior is based on metadata.name
inside ConfigMap or Secret,
which has to be the same as an application name defined by spring.application.name
For example, the department-service
breaks down as follows.
spring: application: name: department # other config removed for brevity.
kind: ConfigMap apiVersion: v1 metadata: name: department data: logging.pattern.console: "%clr(%d{yy-MM-dd E HH:mm:ss.SSS}){blue} %clr(%-5p) %clr(${PID}){faint} %clr(---){faint} %clr([%8.15t]){cyan} %clr(%-40.40logger{0}){blue} %clr(:){red} %clr(%m){faint}%n" spring.cloud.kubernetes.discovery.all-namespaces: "true" spring.data.mongodb.database: "admin" spring.data.mongodb.host: "mongodb.mongo.svc.cluster.local" spring.output.ansi.enabled: "ALWAYS"
: define log patterndata.spring.cloud.kubernetes.discovery.all-namespaces
: allow multi-namespace discoveryspring.data.mongodb.database
: Mongo DB namespring.data.mongodb.host
: Mongo DB locationspring.output.ansi.enabled
: Enforce ANSI output
Use Secret through mounted volume
Kubernetes has the notion of Secrets for storing sensitive data such as passwords, OAuth tokens, etc.
While there are several ways to share secrets with a container, we recommend sharing secrets through mounted volumes. If you enable consuming secrets through the API, we recommend limiting access with RBAC authorization policies.
NOTE: secrets are not secure, they are merely an obfuscation
In this example, a secret named department
is mounted to the file
via volume mongodb
for the following microservices:
, employee-service
, organization-service
name: department
enabled: true
- /etc/secretspot
enableApi: false
# other config removed for brevity.
apiVersion: apps/v1
kind: Deployment
name: department
app: department
replicas: 1
app: department
app: department
- name: mongodb
mountPath: /etc/secretspot
- name: mongodb
secretName: department
# other config removed for brevity.
Mongo credentials are defined inside Secret object /spring-microservices-k8s/k8s/department-secret.yaml
apiVersion: v1
kind: Secret
name: department
type: Opaque
spring.data.mongodb.username: bW9uZ28tYWRtaW4=
spring.data.mongodb.password: bW9uZ28tYWRtaW4tcGFzc3dvcmQ=
Use Spring Boot Actuator to export metrics for Prometheus
Prometheus is an open-source monitoring system. Spring
Boot uses Micrometer, an application metrics facade to
integrate Spring Boot
metrics with external monitoring systems. It supports several monitoring systems
like Prometheus, Netflix Atlas, AWS CloudWatch, Datadog, InfluxData, SignalFx,
Graphite, Wavefront, etc. The
module provides all of Spring Boot’s production-ready
To integrate Actuator with Prometheus, you need to add following dependencies in maven project for each microservice:
configure metrics
and prometheus
endpoints in ConfigMap for each project
, employee-configmap.yaml
, organization-configmap.yaml
kind: ConfigMap
apiVersion: v1
# removed for brevity
# removed for brevity
management.endpoints.web.exposure.include: "health,info,metrics,prometheus"
management.metrics.enable.all: "true"
and add MeterRegistryCustomizer
for Grafana Spring Boot 2.1
Statistics dashboard in following
classes: DepartmentApplication
, GatewayApplication
, OrganizationApplication
make sure
to set .commonTags("applicsation", "<microservice_name>")
to actual
microservice name:
import io.micrometer.core.instrument.MeterRegistry;
// removed for brevity
public class DepartmentApplication {
// removed for brevity
MeterRegistryCustomizer meterRegistryCustomizer(MeterRegistry meterRegistry){
return registry -> {
meterRegistry.config().commonTags("application", "department");
Exposed endpoints are available at http://<host>:<port>/actuator/metrics
with metrics data formatted specifically for Prometheus.
Build Spring Applications
Building department-service
As of Spring Boot 2.3.1.RELEASE, Spring Boot can help you package up Spring Boot applications into Docker images with Layered Jars
After building the project with layered JARs using jarmode
support, install the
package using Maven.
cd /spring-microservices-k8s/department-service/
mvn clean install
The resulting JAR can be tested to check that layers were added.
cd /spring-microservices-k8s/department-service/
java -Djarmode=layertools -jar target/department-service-1.1.jar list
The commands above will produce the following output and create the following directories. they should be added:
- dependencies
- snapshot-dependencies
- spring-boot-loader
- application
Build Docker Images for Spring Applications
To create images compliant with best practices, Dockerfile
s must
consider the following.
- Removing build dependencies from runtime
- via multi-stage builds
- Putting dependencies (JARs) in their own layer
- Layering the application JAR
- Ensuring image pushes only contain changed files
- Running as non-root and using a minimal runtime image
- via use of the distroless image
FROM maven:${MVN_VERSION}-jdk-${JDK_VERSION}-slim as build
WORKDIR /build
COPY pom.xml .
# creates layer with maven dependencies
# first build will be significantly slower than subsequent
RUN mvn dependency:go-offline
COPY ./pom.xml /tmp/
COPY ./src /tmp/src/
# build the project
RUN mvn clean package
# extract JAR Layers
WORKDIR /tmp/target
RUN java -Djarmode=layertools -jar *.jar extract
# runtime image
FROM gcr.io/distroless/java:${JDK_VERSION} as runtime
USER nonroot:nonroot
WORKDIR /application
# copy layers from build image to runtime image as nonroot user
COPY --from=build --chown=nonroot:nonroot /tmp/target/dependencies/ ./
COPY --from=build --chown=nonroot:nonroot /tmp/target/snapshot-dependencies/ ./
COPY --from=build --chown=nonroot:nonroot /tmp/target/spring-boot-loader/ ./
COPY --from=build --chown=nonroot:nonroot /tmp/target/application/ ./
ENV _JAVA_OPTIONS "-XX:MinRAMPercentage=60.0 -XX:MaxRAMPercentage=90.0 \
-Djava.security.egd=file:/dev/./urandom \
-Djava.awt.headless=true -Dfile.encoding=UTF-8 \
-Dspring.output.ansi.enabled=ALWAYS \
# set entrypoint to layered Spring Boot application
ENTRYPOINT ["java", "org.springframework.boot.loader.JarLauncher"]
Build the Docker image for department-service
cd /spring-microservices-k8s/department-service/
docker build -t vmware/department:1.1 .
and build the other microservices: employee-service
, gateway-service
List Docker images
docker images
The Dive tool can be used to explore and
analyze Docker images and layers. The below displays the build
image. Docker
Image Id
can be used to explore details of the image.
dive 258a7b40a719
As you can see all 98MB of Maven dependencies have been pushed to a separate layer and can be reused later.
A similar evaluation can be performed for the runtime image. This can be seen below.
dive vmware/department:1.1
All JAR layers created by Spring Boot have been copied to the runtime image.
Deploy a Spring Boot Application
We have created department
namespace, assigned cluster-admin
and built
Docker images in previous steps.
Kubernetes deployment manifest
apiVersion: apps/v1
kind: Deployment
name: department
app: department
replicas: 1
app: department
app: department
- name: department
image: vmware/department:1.1
- containerPort: 8080
cpu: "0.2"
memory: 300Mi
cpu: "1.0"
memory: 300Mi
port: 8080
path: /actuator/health
initialDelaySeconds: 60
timeoutSeconds: 2
periodSeconds: 20
failureThreshold: 5
port: 8080
path: /actuator/info
initialDelaySeconds: 60
timeoutSeconds: 2
periodSeconds: 20
failureThreshold: 5
serviceAccountName: api-service-account
Workloads should always explicitly specify
and keep
equal since RAM is not a
compressible resource like CPU.
Application probes recommendations:
: Always; makes app available to traffic after checks pass.livenessProbe
: Usually; should only check for conditions where restarting the application is an appropriate solution. Be sure to not link this check to external dependencies, such as database connectivity, or it may introduce cascading failures. A good check can be hitting an endpoint, allocating some memory (e.g. byte array) and returning200
: Rarely; Readiness and liveness probes (with a delay) can typically solve the use case startupProbes attempt to solve for. If a specific check is appropriate for an application that has a slow startup and the check should never be run again, astartupProbe
may be justified.
Kubernetes leverages probes to determine if the app is ready to accept traffic and whether the app is alive
- If
does not return code 200 - no traffic will be routed to it - If
does not return code 200 - Kubernetes restarts the Pod
Spring Boot has a built-in set of endpoints from the Actuator module:
- /actuator/health : provides basic application health information
- /actuator/info: provides arbitrary application info
To add the Actuator to a Maven based project, add the following ‘Starter’ dependency.
To deploy department-service
onto Kubernetes execute following command.
kubectl apply -n department -f ./spring-microservices-k8s/k8s/department-configmap.yaml
Octant - is a great open-source tool that can can graphically visualize Kubernetes objects dependencies, forward local ports to a running pod, inspect pod logs, navigate through different clusters and help developers to understand how applications run on a Kubernetes.
Overview of the department
Resources associated with the pod deployed in the department
Expose a Service
We use port 8080 and NodePort type to expose all microservices. The following service definition groups all pods labeled with the field app
equal to department
apiVersion: v1
kind: Service
name: department
app: department
- port: 8080
protocol: TCP
app: department
type: NodePort
Configure Gateway service
We use gateway-service
service to expose auto-generated Swagger documentation
via Swagger UI web interface for all microservices distributed across multiple
namespaces. To do that we use Spring Cloud Netflix Zuul which integrates with
Kubernetes discovery via Ribbon client.
Required dependencies:
Configuration of the routes is straightforward and uses Spring Cloud Kubernetes Discovery.
apiVersion: v1
kind: ConfigMap
name: gateway
logging.pattern.console: "%d{HH:mm:ss} ${LOG_LEVEL_PATTERN:-%5p} %m%n"
spring.cloud.kubernetes.discovery.all-namespaces: "true"
zuul.routes.department.path: "/department/**"
zuul.routes.employee.path: "/employee/**"
zuul.routes.organization.path: "/organization/**"
Since Zuul proxy is automatically integrated with DiscoveryClient it is easy to configure dynamic resolution of microservices endpoints by Swagger.
public class GatewayApi {
ZuulProperties properties;
public SwaggerResourcesProvider swaggerResourcesProvider() {
return () -> {
List<SwaggerResource> resources = new ArrayList<>();
.forEach(route -> resources.add(createResource(route.getId(), "2.0")));
return resources;
private SwaggerResource createResource(String location, String version) {
SwaggerResource swaggerResource = new SwaggerResource();
swaggerResource.setLocation("/" + location + "/v2/api-docs");
return swaggerResource;
Configure Ribbon client to allow discovery across all namespaces:
public class RibbonConfiguration {
private DiscoveryClient discoveryClient;
private String serviceId = "client";
protected static final String VALUE_NOT_SET = "__not__set__";
protected static final String DEFAULT_NAMESPACE = "ribbon";
public RibbonConfiguration () {
public RibbonConfiguration (String serviceId) {
this.serviceId = serviceId;
public ServerList<?> ribbonServerList(IClientConfig config) {
Server[] servers = discoveryClient.getInstances(config.getClientName()).stream()
.map(i -> new Server(i.getHost(), i.getPort()))
return new StaticServerList(servers);
Ribbon configuration needs to be applied in the main class of the application:
@RibbonClients(defaultConfiguration = RibbonConfiguration.class)
public class GatewayApplication {
public static void main(String[] args) {
SpringApplication.run(GatewayApplication.class, args);
Gateway Swagger UI
Swagger UI is exposed on the Gateway service and showcases an advantage of cross
namespace discovery where employee-service
, department-service
are available via gateway-service
Configure Ingress
Kubernetes Ingress is a collection of rules that allow incoming requests to
reach the downstream services. It works almost as a service with type
LoadBalancer, but you can set custom routing rules. YAML manifest needs to set
to a hostname under which the gateway will be available. In our
microservices architecture, Ingress has a role of an API gateway.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
name: gateway-ingress
nginx.ingress.kubernetes.io/rewrite-target: /
serviceName: default-http-backend
servicePort: 80
- host: microservices-cluster.info
- path: /employee
serviceName: employee
servicePort: 8080
- path: /department
serviceName: department
servicePort: 8080
- path: /organization
serviceName: organization
servicePort: 8080
Execute the following commands to apply the configuration above to the Kubernetes cluster
cd /spring-microservices-k8s/k8s/
kubectl apply -f ingress.yaml
Testing Ingress
Execute following commands to populate MongoDB with test data
cd /spring-microservices-k8s/scrips/
Execute following command to check that department-service
is available via Ingress
curl http://microservices-cluster.info/department/1/with-employees | jq
Example output from department-service
"address": "Main Street",
"id": "1",
"name": "MegaCorp"
"departments": [
"employees": [
"age": 25,
"id": 1,
"name": "Smith",
"position": "engineer"
"age": 45,
"id": 2,
"name": "Johns",
"position": "manager"
"id": 1,
"name": "RD Dept."
"employees": [
"age": 25,
"id": 1,
"name": "Smith",
"position": "engineer"
"age": 45,
"id": 2,
"name": "Johns",
"position": "manager"
Frequently Asked Questions
What is Spring Cloud Kubernetes?
Spring Cloud Kubernetes is a Kubernetes API server integration that allows for service discovery, configuration, and load balancing used by Spring Cloud; it provides Spring Cloud implementations of common interfaces that consume Kubernetes.
How do you enable Spring Cloud Kubernetes?
Spring Cloud Kubernetes can be enabled by adding a dependency that contains modules for service discovery, configuration, and Ribbon load balancing to the Spring Cloud Kubernetes in your project
What are the best practices for the design, development, and deployment of Spring Boot microservices on Kubernetes?
Best practices for Spring Boot microservices on Kubernetes include using the twelve-factor methodology, keeping each microservice in a separate Maven or Gradle project, using dependencies when inheriting form parent project instead of using relative path, and using Spring Initializr to generate project structure, fill in project details, pick your options, and download a bundled up project.
What are the main concerns addressed by the Spring Cloud Kubernetes reference architecture?
The main concerns addressed by the Spring Cloud Kubernetes reference architecture include externalized configurations, Kubernetes API server access, health checks, reporting application state using Spring Boot Actuator, service discovery, exposing API documentation, building docker images with best practices, layering JARs, and observing the application.
How do you configure Spring Cloud Kubernetes to access Kubernetes API?
The simplest way to configure Spring Cloud Kubernetes to access Kubernetes API is to define a ClusterRole with a list of resources and verbs, create a YAML file in the default namespace, create service accounts, bind service accounts from each namespace to ClusterRole, and finally, make sure that deployment manifests for the correct microservices service account.