How to Gracefully Terminate Istio Sidecar for Kubernetes Jobs and CronJobs

How to Gracefully Terminate Istio Sidecar for Kubernetes Jobs and CronJobs

When adopting Istio as a service mesh in Kubernetes, teams gain powerful tools for secure communication, observability, and traffic control. However, Istio's sidecar proxy, istio-proxy, can introduce lifecycle management challenges in specific Kubernetes workloads, such as Jobs and CronJobs. A common issue occurs when these workloads hang indefinitely, failing to terminate gracefully due to the sidecar's behavior. This blog explores the root cause of the problem and provides actionable solutions.

The Problem: Jobs/CronJobs Hanging with Istio-proxy Sidecar

Kubernetes Jobs and CronJobs are designed to run tasks to completion. When Istio's istio-proxy sidecar is injected into these pods, it establishes secure mTLS (mutual TLS) connections, ensuring compliance with security policies. However, the sidecar's lifecycle often outlives the main application container, preventing the Job or CronJob pod from terminating.

The issue stems from how Kubernetes handles pod termination and Istio's reliance on open connections for managing traffic. Without explicit intervention, the Job/CronJob waits for the istio-proxy container to shut down, which may not happen as expected.

Why This Happens

1. Sidecar Lifecycle Independence: By default, the istio-proxy runs independently of the primary application container. Even when the main container exits, the proxy continues running until all its processes and connections terminate.
2. Kubernetes Pod Termination: Kubernetes attempts to terminate all containers in a pod, but it doesn’t distinguish between primary and secondary containers. If the istio-proxy doesn’t shut down, the pod remains in a terminating state.
3. No Built-in PreStop Hook: Without a proper preStop lifecycle hook, the sidecar lacks a signal to cleanly terminate itself.

These issues are well-documented in both Istio and Kubernetes communities (e.g., Istio issue #6324 and Kubernetes issue #25908), but no universal fix has been implemented yet.

Solutions to Terminate Istio-proxy Gracefully

1. Add a Lifecycle PreStop Hook

One of the most effective solutions is to define a preStop hook for the istio-proxy. This hook sends a termination signal to the proxy, ensuring it exits cleanly. Here’s how to configure it:

lifecycle:
  preStop:
    exec:
      command: ["/bin/sh", "-c", "curl -s -XPOST http://localhost:15020/quitquitquit"]

This hook leverages Istio's /quitquitquit endpoint, which instructs the sidecar to shut down gracefully.

You can apply this directly to your pod spec or use Istio's annotation for sidecar lifecycle hooks:

metadata:
  annotations:
    sidecar.istio.io/lifecycle: |
      preStop:
        exec:
          command: ["/bin/sh", "-c", "curl -s -XPOST http://localhost:15020/quitquitquit"]

This approach ensures that when the Job or CronJob completes, the sidecar also terminates properly.

2. Adjust terminationGracePeriodSeconds

Another key configuration is terminationGracePeriodSeconds. This Kubernetes setting controls how long the pod should wait for containers to terminate before forcefully killing them. Set this value high enough to allow the Istio proxy to close connections and clean up:

spec:
  terminationGracePeriodSeconds: 30

This is particularly useful in scenarios where the istio-proxy needs additional time to complete its shutdown processes.

3. Disable Sidecar Injection for Non-Critical Jobs

If the Job or CronJob does not require mTLS connections or Istio's service mesh features, you can disable sidecar injection entirely:

metadata:
  annotations:
    sidecar.istio.io/inject: "false"

This bypasses the problem altogether but should only be used for workloads where Istio features are unnecessary.

4. Use holdApplicationUntilProxyStarts

Starting with Istio 1.12, you can use the annotation proxy.istio.io/config to synchronize the application and sidecar lifecycle. This ensures the application container waits until the istio-proxy is fully ready. For Jobs, this helps maintain consistency during startup and shutdown.

metadata:
  annotations:
    proxy.istio.io/config: |
      proxyMetadata:
        HOLD_APPLICATION_UNTIL_PROXY_STARTS: "true"

This approach helps avoid race conditions between the application and sidecar.

5. Refactor with Init Containers

If your Job or CronJob has specific initialization tasks, consider moving them to an init container. This ensures critical setup tasks are completed before the primary container runs, minimizing reliance on Istio's proxy during the main workload.

Example:

initContainers:
  - name: init-task
    image: busybox
    command: ["sh", "-c", "echo 'Initialization complete!'"]

Full Example: Kubernetes Job with Istio Sidecar
Here’s a complete YAML configuration for a Job that integrates the above solutions:

apiVersion: batch/v1
kind: Job
metadata:
  name: istio-job
  annotations:
    sidecar.istio.io/inject: "true"
    sidecar.istio.io/lifecycle: |
      preStop:
        exec:
          command: ["/bin/sh", "-c", "curl -s -XPOST http://localhost:15020/quitquitquit"]
spec:
  template:
    spec:
      containers:
        - name: app
          image: busybox
          command: ["sh", "-c", "echo 'Job Running'; sleep 30;"]
      restartPolicy: Never
      terminationGracePeriodSeconds: 30

Monitoring and Debugging

To ensure proper termination, monitor the following:

1. Pod Events: Use kubectl describe pod to check for termination-related errors.
2. Istio-proxy Logs: Inspect the proxy logs for shutdown messages

3. kubectl logs <pod-name> -c istio-proxy
   

4. Readiness and Liveness Probes: Configure probes to validate the state of your application and proxy.

Advanced Considerations

• Upgrade Istio: Ensure you’re running the latest Istio version. Newer releases often include fixes and improvements for lifecycle management.
• Automation: Use tools like Helm or Kustomize to apply consistent lifecycle configurations across workloads.
• ServiceAccount Permissions: Verify that the Job's ServiceAccount has necessary permissions for Istio features like mTLS.

Conclusion

Managing Istio sidecar termination for Kubernetes Jobs and CronJobs is critical for ensuring workload reliability. By leveraging preStop hooks, lifecycle annotations, and proper configuration, you can prevent Jobs from hanging indefinitely while maintaining secure mTLS communication.

With these techniques, you’ll not only solve the immediate problem but also enhance your understanding of Istio and Kubernetes lifecycle management, enabling you to build more robust systems.

Tags:

"How to Gracefully Terminate Istio Sidecar for Kubernetes Jobs and CronJobs"

"Fixing Kubernetes Job Hang Issues with Istio Sidecar Injection"

"Troubleshooting Istio Sidecar Termination in Kubernetes Jobs"

"Istio Sidecar Management for Kubernetes Jobs: Best Practices"

"Solving the Istio-proxy Hang Problem in Kubernetes CronJobs"

"A Guide to Properly Shutting Down Istio Sidecars in Kubernetes Jobs"

"Avoiding Job Stalls: Handling Istio Sidecars in Kubernetes"

"Istio Sidecar Lifecycle Management for Kubernetes Jobs and CronJobs"

"Ensuring Smooth Termination of Istio Sidecars in Kubernetes Workloads"

"How to Prevent Kubernetes CronJobs from Hanging with Istio"

#kubernetes #istio #docker #devops #servicemesh

Understanding Service Mesh Architecture: A Comprehensive Overview

 In today’s microservices-dominated landscape, managing inter-service communication is crucial. Service mesh architecture has emerged as a powerful solution to address these challenges by enhancing observability, security, and reliability of service-to-service communication. Let’s dive deeper into what service mesh is, how it works, and why it matters.

What Is a Service Mesh?

A service mesh is an infrastructure layer that manages communication between microservices in a distributed application. It abstracts the complexities of service-to-service communication, providing critical functionalities such as traffic management, observability, and security.

In essence, it allows developers to focus on application logic while the service mesh handles network-level concerns. Examples of popular service meshes include Istio, Linkerd, and Consul Connect.

Why Do We Need a Service Mesh?

As applications transition from monoliths to microservices, they face new challenges:

1. Inter-Service Communication: Microservices often need to communicate over a network, which introduces latency, failures, and inconsistencies.
2. Scalability: As the number of services grows, so does the complexity of managing their interactions.
3. Security Risks: Distributed systems are vulnerable to attacks such as man-in-the-middle (MITM) attacks.
4. Observability: Monitoring and troubleshooting performance issues across microservices is inherently more complex.

A service mesh provides built-in solutions for these issues, ensuring robust and seamless communication.

Core Components of Service Mesh Architecture

A service mesh consists of two key components:

1. Data Plane

   • Comprises lightweight sidecar proxies deployed alongside each service instance.
   • Handles tasks like traffic routing, load balancing, and encryption.
   • Examples of sidecars: Envoy (used by Istio), HAProxy, and Linkerd-proxy.

2. Control Plane

• Centralized management layer responsible for configuring the data plane.
• Provides policies for traffic routing, authentication, and observability.
• Examples: Istio's Pilot, Linkerd’s Controller.

Here's a diagram illustrating the Service Mesh Architecture. 

Key Features and Functionalities

1. Traffic Management

   • Service meshes enable fine-grained traffic control, including load balancing, retries, and failover.
   • Advanced features like traffic shadowing and canary releases allow safe testing of new changes.

2. Service Discovery

   • Dynamically detects services in a cluster and enables communication without hardcoding endpoints.

3. Security

   • Provides mutual TLS (mTLS) to encrypt communication between services.
   • Automates authentication and authorization with service-level policies.

4. Observability

   • Collects and aggregates metrics, logs, and traces for insights into service performance.
   • Integrates with tools like Prometheus, Grafana, and Jaeger for monitoring and visualization.

5. Fault Tolerance

   • Implements circuit breakers, rate limiting, and retries to improve resilience.

How Does Service Mesh Work?

Each microservice is paired with a sidecar proxy that intercepts incoming and outgoing traffic. These proxies communicate with the control plane to enforce policies and collect telemetry data.

When Service A communicates with Service B:

1. Service A’s sidecar encrypts the request using mTLS.
2. The encrypted request is routed to Service B’s sidecar.
3. The control plane validates the policies and allows the communication if authorized.
4. Service B processes the request and sends the response back via its sidecar.

Benefits of Using a Service Mesh

1. Simplified Development

   • Developers can focus on business logic rather than implementing network-level features.

2. Improved Security

   • Automated encryption and policy enforcement reduce vulnerabilities.

3. Enhanced Observability

   • Real-time metrics and tracing improve debugging and system health monitoring.

4. Increased Resilience

   • Built-in fault tolerance features reduce downtime during failures.

5. Scalability

   • Effortlessly handles communication for hundreds or thousands of services.

Challenges of Adopting a Service Mesh

Despite its advantages, service mesh introduces some challenges:

1. Operational Complexity: Deploying and managing a service mesh requires expertise.
2. Performance Overhead: Sidecar proxies add latency and resource consumption.
3. Cost: The additional infrastructure and computational requirements can increase costs.

Organizations must evaluate their requirements to determine whether the benefits of a service mesh outweigh these challenges.

Conclusion

Service mesh architecture is revolutionizing how microservices communicate. By offloading critical concerns such as traffic management, security, and observability to a dedicated infrastructure layer, service meshes empower developers to build robust and scalable systems. While the technology isn’t a one-size-fits-all solution, its adoption continues to grow as modern applications embrace microservices at scale.

If you’re planning to implement a service mesh, tools like Istio and Linkerd are excellent starting points. Begin by identifying your system’s pain points and gradually introduce the service mesh layer to simplify your microservices architecture.

How to disable Ingress in Kubernetes (K8s)

 Introduction

There are multiple ways you can disable Ingress in Kubernetes / K8s. Here are the 5 different ways you can directly or indirectly disable the Ingress

1. Deleting the Ingress Resource

If you need to completely remove ingress functionality from your Kubernetes cluster, the most straightforward approach is to delete the ingress resource. This stops all traffic from being routed through it.

Command

kubectl delete ingress <ingress-name> -n <namespace>

For example :

kubectl delete ingress my-ingress -n default

2. Scaling Down the Ingress Controller

If you only want to temporarily stop ingress traffic without removing anything permanently, you can scale down the ingress controller to zero replicas. This effectively halts ingress without deleting the controller.

    (i) First, identify the ingress controller deployment:

kubectl get deployments -n <controller-namespace>

    (ii) Then, scale the deployment down to zero replicas:

kubectl scale deployment <controller-deployment-name> --replicas=0 -n <controller-namespace>

    For example :

kubectl scale deployment <controller-deployment-name> --replicas=0 -n <controller-namespace>

3. Modifying Network Access

Another way to disable ingress traffic is by adjusting the network access or firewall settings at the external level. For example, you can modify the load balancer settings or block access via firewall rules to prevent any external traffic from reaching the ingress controller.

4. Editing the Ingress Configuration

If you want to disable certain routes or services but keep the ingress resource active, you can edit the configuration directly. Simply comment out or remove the paths you want to disable in the rules section of the ingress YAML file:

rules:
  - host: example.com
    http:
      paths:
        # - path: /old-path
        #   backend:
        #     service:
        #       name: old-service
        #       port:
        #         number: 80
        - path: /new-path
          backend:
            service:
              name: new-service
              port:
                number: 80

    Once you've updated the file, apply the changes:

kubectl apply -f <ingress-file>.yaml

5. Using Ingress Annotations

Some ingress controllers, like NGINX, allow you to control the availability of specific rules or the entire ingress resource using annotations. To disable an ingress resource entirely, you can add the following annotation:

metadata:
  annotations:
    nginx.ingress.kubernetes.io/enable: "false"

    Once you've updated the file, apply the changes:

kubectl apply -f <ingress-file>.yaml

Based on the scenario, we can choose one solution to disable ingress in Kubernetes.

Think You Know Kubernetes? Test Yourself with These 60 Questions

Kubernetes, often abbreviated as K8s, is a powerful open-source platform for automating the deployment, scaling, and management of containerized applications. Originally developed by Google, it is now maintained by the Cloud Native Computing Foundation (CNCF).

At its core, Kubernetes helps organizations run applications reliably across clusters of machines by abstracting infrastructure complexities. It enables features like automatic scaling, self-healing, load balancing, and seamless rollouts/rollbacks. With its rich ecosystem of tools and integrations, Kubernetes has become the backbone of modern DevOps and cloud-native architectures.

Whether you're managing a microservices-based application or scaling a monolithic app, Kubernetes provides the flexibility and control needed to operate in dynamic, production-grade environments.

Kubernetes Knowledge Boost: 60 Advanced Questions Explained

Here is a list of 60 advanced Kubernetes questions with concise answers. They cover architecture, concepts, troubleshooting, security, and more:

---

Kubernetes Architecture and Core Concepts

1. What is a Kubernetes control plane?

   • The control plane manages the Kubernetes cluster, maintaining the desired state via components like kube-apiserver, etcd, kube-scheduler, kube-controller-manager, and cloud-controller-manager.

2. What is etcd, and why is it important?

   • etcd is a distributed key-value store that Kubernetes uses to store all cluster data, such as configurations, secrets, and states.

3. Explain how a Kubernetes scheduler works.

   • The scheduler assigns Pods to nodes by evaluating resource requirements, policies, and constraints, ensuring an optimal placement.

4. What is a Pod? Why is it the smallest deployable unit in Kubernetes?

   • A Pod is a group of one or more containers sharing the same network namespace and storage. It encapsulates the application and its dependencies, making it the basic unit of deployment.

5. How do you ensure high availability in a Kubernetes cluster?

   • By setting up a multi-master architecture, load balancers for the API server, and using tools like kubeadm, Kops, or managed Kubernetes services.

---

Advanced Networking

6. What is a Kubernetes Service?

   • A Service abstracts a set of Pods, providing stable networking and load balancing. Types include ClusterIP, NodePort, LoadBalancer, and ExternalName.

7. How does kube-proxy work?

   • kube-proxy maintains network rules to allow communication between Pods and Services using IP tables, IPVS, or user-space proxies.

8. What is the role of CNI in Kubernetes?

   • Container Network Interface (CNI) is a standard for configuring container networking, enabling plugins like Flannel, Calico, and Weave.

9. What are Network Policies?

   • Network Policies control traffic between Pods or Pods and external endpoints, using rules to allow or deny ingress and egress.

10. How do you expose an application in Kubernetes to external traffic?

    • Use a Service of type LoadBalancer or NodePort, or an Ingress resource with an Ingress controller.

---

Storage

11. What is Persistent Volume (PV) and Persistent Volume Claim (PVC)?

    • PV is a storage resource in the cluster, while PVC is a request for storage by a user. PVCs bind to PVs for dynamic or static provisioning.

12. How does dynamic volume provisioning work?

    • StorageClasses define storage types, and when a PVC is created, Kubernetes dynamically provisions a matching PV.

13. What is CSI in Kubernetes?

    • The Container Storage Interface (CSI) standardizes storage plugin management for dynamic provisioning and attaching volumes.

14. What is ephemeral storage?

    • Temporary storage tied to the Pod lifecycle, used for caching, logs, or temporary files.

15. How can you back up and restore etcd?

    • Use etcdctl commands to take snapshots and restore the data to another etcd cluster.

---

Security

16. What is RBAC, and how does it work?

    • Role-Based Access Control (RBAC) manages access to Kubernetes resources using roles and bindings.

17. What are Kubernetes Secrets, and how are they used?

    • Secrets store sensitive data like credentials securely, referenced by Pods via volumes or environment variables.

18. What is Pod Security Admission (PSA)?

    • PSA enforces security standards for Pods by controlling privilege levels like baseline or restricted.

19. How do you secure the API server?

    • By using TLS, enabling RBAC, restricting anonymous access, and enabling audit logs.

20. What are Pod security contexts?

    • Security contexts define Pod-level permissions, such as running as a non-root user or mounting filesystems as read-only.

---

Troubleshooting

21. How do you troubleshoot Pod CrashLoopBackOff?

    • Check logs using kubectl logs, inspect events using kubectl describe pod, and validate container configurations.

22. How do you debug network issues in Kubernetes?

    • Use tools like kubectl exec, network policies, traceroute, or external tools like cilium and tcpdump.

23. What is the significance of Node Conditions?

    • Node Conditions (e.g., MemoryPressure, DiskPressure) indicate health and resource status, guiding scheduler decisions.

24. How do you handle etcd failure?

    • Restore from a backup and ensure quorum by adding healthy nodes.

25. What tools can you use for Kubernetes observability?

    • Prometheus, Grafana, Fluentd, ELK stack, and Jaeger.

---

Scaling and Performance

26. How does Kubernetes autoscaling work?

    • Kubernetes supports horizontal (HPA), vertical (VPA), and cluster autoscaling based on resource utilization or custom metrics.

27. What is a ReplicaSet, and how does it differ from a Deployment?

    • A ReplicaSet ensures a specified number of Pod replicas, while Deployments manage ReplicaSets for updates and rollbacks.

28. How do you optimize resource usage in a cluster?

    • Define resource requests/limits, monitor usage with tools like Prometheus, and right-size workloads.

29. What is pod affinity and anti-affinity?

    • Affinity defines Pod co-location preferences, while anti-affinity enforces separation.

30. How do you handle resource contention in a cluster?

    • Use priorities, preemption, and resource quotas.

---

Custom Resources and Operators

31. What are Custom Resource Definitions (CRDs)?

    • CRDs enable users to define and manage custom Kubernetes objects.

32. What is a Kubernetes Operator?

    • An Operator automates operational tasks for applications using custom controllers and CRDs.

33. How do you extend Kubernetes functionality?

    • Use CRDs, admission controllers, or plugins like CNI and CSI.

34. How do you write a custom controller?

    • Use Kubernetes client libraries (e.g., client-go) to reconcile the desired and actual states of resources.

35. What are finalizers in Kubernetes?

    • Finalizers delay resource deletion until specific cleanup tasks complete.

---

Cluster Administration

36. How do you upgrade a Kubernetes cluster?

    • Upgrade control plane components first, then worker nodes, following the Kubernetes release cycle.

37. What is taint and toleration in Kubernetes?

    • Taints prevent Pods from scheduling on specific nodes unless they tolerate the taint.

38. How do you perform node maintenance in Kubernetes?

    • Drain the node (kubectl drain) and cordon it to prevent scheduling.

39. What is kubelet, and what is its role?

    • Kubelet is an agent running on each node, responsible for managing Pods and reporting to the control plane.

40. How does Kubernetes handle rolling updates?

    • Deployments update Pods incrementally, creating new Pods while scaling down old ones.

---

Advanced Scenarios

41. What is the difference between StatefulSets and Deployments?

    • StatefulSets manage stateful applications with stable network identities, while Deployments are for stateless applications.

42. How do you ensure consistency in StatefulSets?

    • Use headless services and persistent volumes.

43. What is a Helm chart, and how is it used?

    • Helm is a package manager for Kubernetes, and Helm charts define application configurations and resources.

44. What are the differences between DaemonSets and Deployments?

    • DaemonSets ensure one Pod runs on each node, while Deployments scale Pods across nodes.

45. How do you implement canary deployments?

    • Use multiple versions of Deployments with traffic splitting via Ingress or a Service mesh.

---

Security and Best Practices

46. What is a Pod disruption budget (PDB)?

    • PDB defines minimum available or maximum unavailable Pods during disruptions.

47. What is Kubernetes admission control?

    • Admission controllers validate and mutate API requests based on policies.

48. How do you implement encryption for Secrets?

    • Enable encryption at rest using Kubernetes encryption configuration.

49. What are the best practices for managing ConfigMaps and Secrets?

    • Use immutable ConfigMaps/Secrets, manage access with RBAC, and avoid exposing sensitive data in logs.

50. What are namespace quotas?

    • Quotas limit resource consumption in namespaces, ensuring fair resource distribution.

---

Miscellaneous

51. What is kubeadm, and how is it used?

    • Kubeadm bootstraps Kubernetes clusters by setting up the control plane and nodes.

52. What is the difference between a job and a cronjob?

    • A job runs a task to completion, while a cronjob schedules jobs at regular intervals.

53. What is kube-state-metrics?

    • It exposes Kubernetes resource states as Prometheus metrics for monitoring.

54. How do you use Service mesh in Kubernetes?

    • Service meshes like Istio or Linkerd add features like traffic routing, observability, and security to microservices.

55. What is Horizontal Pod Autoscaler (HPA)?

    • HPA scales Pods based on CPU/memory utilization or custom metrics.

---

Emerging Trends

56. How does Kubernetes integrate with serverless frameworks?

    • Use Knative or OpenFaaS to run serverless workloads on Kubernetes.

57. What is Kubernetes Federation?

    • Federation manages multiple clusters for global deployment and high availability.

58. What is the role of policy engines like OPA/Gatekeeper?

    • Open Policy Agent (OPA) enforces policies like security or compliance in Kubernetes.

59. What is KubeEdge?

    • KubeEdge extends Kubernetes to edge devices for IoT and edge computing.

60. What is Multi-tenancy in Kubernetes?

• Multi-tenancy isolates resources and workloads for different users or teams within a cluster.

That all for important advanced Kubernetes Questions and Answers that will help you in clearing DevOps Interviews.

Ultimate Ansible Interview Guide: 30 Advanced Questions and Solutions

 Ansible is a configuration management tools and it comes under continues delivery / deployment in DevOps Lifecycle

Here are few important Ansible questions and answers which will help you to crack interview easily. I have tried to cover all the important questions and Answers

Understanding Sealed Class in Java and its use-case

Introduction to Sealed Class and Interfaces

Sealed Class in Java are used to allow / permit specific named Class which can extend the Sealed Class. 

With Sealed Class, we can say that Class A can only be extended by Class B and Class C and not any other class, thus limiting who can extend a particular Java Class

Detailed Explanation and use-case

Let's start with a very simple example. Consider we are creating a base class name Animal which implements basic feature of animal like walking, running etc

Now, We want few classes to extend Animal class like Cat, Dog, Lion, Tiger etc which we can do it easily and implement specific respective feature

Since this Animal Class can be extended by any class, someone can accidentally extend Animal class for Pigeon too which is not correct

 In other words, Sealed Class / Interface permits (or restricts) which all Class / Interface can use them. It prevents misuse of Java Class / Interface

Advantage and Disadvantage of using Sealed Class

Lets discuss Advantage first

Advantage of Sealed Class and Interface:

• The developer of Sealed Class can manage who can use / or whose code can implement it
• If we compare with access modifier, Sealed Class provide a more declarative way to restrict use of super class
• Sealed Class and its permitted sub-class can be used as Pattern Matching using Switch statement

Disadvantage of Sealed Class and Interface

• If not properly designed / thought about its all permitted sub-class, need to revisit code of super class to add more permitted sub-class
• In few use-cases, unit testing would be difficult
• Permitted class uses cannot be detected at compile time, so if it has been used and its not in list of permitted sub-class, it cannot throw compile time error
• Limitation of usage of permitted sub-class within same module only

How to declare Sealed Class:

Sealed class can be declared with using the keyword sealed along with its permit sub-classes with keyword permits

Example of How to create Sealed Classes:

package com.tech693.java.examples.seal;

public sealed class Animal permits Cat, Dog {

    public void getIdentity(){

        System.out.println("Animal");
    }
}

Notice the sealed and permits keywords. Its mandatory to declare one sub-class using permits keyword when using sealed. 

By this we are declaring that only Cat and Dog sub-class can extend the Animal class and no other class is allowed to extend Animal class

Now, lets see how to create Cat and Dog class

Example of how to create Sealed sub-class:

package com.tech693.java.example.seal;

// Pls note its mandatory to declare sub class as either sealed or non-sealed or final
public non-sealed class Cat extends Animal { 
    
    public void getIdentity(){
        System.out.println("Cat");
    }    
}

package com.tech693.java.example.seal;

// Pls note its mandatory to declare sub class as either sealed or non-sealed or final
public final class Dog extends Animal {
    
    public void getIdentity(){
    System.out.println("Dog");
    }  
}

Also, the sub-class should directly extend the sealed class.

for eg.  Suppose, A is a sealed class which permits B to extend it and B is also a sealed class that permits C. In this scenario C cannot directly extend A

Its mandatory to declare sub class as either sealed or non-sealed or final which has different relevance

• Sub-class as Sealed: - Can only be further extended by sub-class permitted class
• Sub-class as final :- Cannot be further extended
• Sub-class as non-sealed - Can be extended further by any class
• The idea to have non-sealed is to know the developer that it extends the sealed class and is not accidently allowing further extended by its sub-class

Now lets run the above code using Main class as shown below:

package com.tech693.java.example.seal;

public class SealedClassExample {
    public static void main(String[] args) {
        Animal animal = new Cat();
        animal.getIdentity();

        Animal animal1 = new Dog();
        animal1.getIdentity();
    }
}

Output

So when Animal class is declared as cat, it will print Cat when getIdentity() is called

Here is the output of the above code :

Output:

Cat
Dog

Sealed Interface:

Sealed interface acts similarly as Sealed Class. The only difference is the difference between abstract class and interface (we have have some business logic code in abstract class but cannot have it in interface)

Sealed Interface Example:

Let's see some code example of implementing sealed as Interface

package com.tech693.java.examples.seal;

public sealed interface Animal permits Cat, Dog {

    public void getIdentity(){}
}

package com.tech693.java.example.seal;

// Pls note its mandatory to declare sub class as either sealed or non-sealed or final
public non-sealed class Cat implements Animal { 
    
    public void getIdentity(){
        System.out.println("Cat");
    }    
}

package com.tech693.java.example.seal;

// Pls note its mandatory to declare sub class as either sealed or non-sealed or final
public final class Dog implements Animal {
    
    public void getIdentity(){
    System.out.println("Dog");
    }  
}

Till now we have got the basic idea about Sealed Classes and its permitted sub-class.

Lets understand further in more depth about its use-case and how Java implemented Sealed class

Record class as permitted subclasses of a Sealed Class

Since Record class are implicitly final we can use record class in the permits clause of a Sealed Class or Interface. 

Here is an example of Record class as subclasses of a sealed class

package com.example.records.expressions;

sealed interface Expr permits ConstantExpr, PlusExpr, TimesExpr, NegExpr {
    public int eval();
}

record ConstantExpr(int i) implements Expr {
    public int eval() { return i(); }
}

record PlusExpr(Expr a, Expr b) implements Expr {
    public int eval() { return a.eval() + b.eval(); }
}

record TimesExpr(Expr a, Expr b) implements Expr {
    public int eval() { return a.eval() * b.eval(); }
}

record NegExpr(Expr e) implements Expr {
    public int eval() { return -e.eval(); }
}

Note that we haven't declare any modifier (final, non-sealed or sealed) to sub-class. This is because Record class are final by default.

Design considerations when using Sealed Classes and Interfaces

We should keep in mind following consideration while designing Sealed Classes or Interface

• Design Decision - We should carefully consider which class should be declared sealed before start implementing only. Sealed class / interface consideration often results in tightly coupled design instead of loosely coupled
• Backward Compatibility - If we plan to use sealing class, it can impact backward compatibility. Adding new permitted sub-class in future release can break existing code that depends on the sealed API
• Package / Module Arrangement - We should carefully construct Java Module / Package structure when used sealed classes or interface as the scope of sealed class and its permitted sub-class is scoped under a single module.

Sealed Class as Pattern Matching case:

This is very important to understand. The introduction of Sealed class in Java opens up a new paradigm of using Permitted classes as Pattern Matching in switch case

Let's first understand how Sealed Class is implemented in JDK. 

Although sealed is a class modifier, there is no ACC_SEALED flag in the ClassFile structure. Instead, the class file of a sealed class has a PermittedSubclasses attribute which implicitly indicates the sealed modifier and explicitly specifies the permitted subclasses:

PermittedSubclasses_attribute {

    u2 attribute_name_index;

    u4 attribute_length;

    u2 number_of_classes;

    u2 classes[number_of_classes];

Code Example: Consider above example of Animal as sealed class and Cat and Dog as its permitted sub class. 

Here is the example where we can use sealed class in switch case

private static String checkAnimal(Animal animal){                                     
    return switch (animal) {                                                          
        case Cat c -> c.getIdentity();                                                
        case Dog d -> d.getIdentity();                                                
        default -> throw new IllegalArgumentException("Unexpected Input: " + animal); 
    };                                                                                
}

Frequently Asked Question:

Why Sealed Class is introduced in Java, what problem does it solves?

 

The purpose of sealed class is to have more control on sub-class / interface hierarchy. It provides a way to create hierarchy of classes and its sub-classes. It also solves the problem of using sealed class as Pattern Matching using switch case

What is the difference between sealed and final class?

Final class means no other class can extend it whereas sealed class means only permitted sub-class can extend it

What is the difference between sealed and abstract class?

Sealed class can be used along with abstract keyword and its a good idea because in most of the use-case sealed class is abstract and its permitted sub-class has actual implementation. for eg - Shape sealed class can have Rectangle, Triangle as its permitted sub-class and the actual implementation of its area, radius, circumference and diameter code is in its permitted sub-class

Why sealed class is often look with switch use case?

Sealed class being restricted to which sub-class it can extends, beautifully make it to be used in switch use case. As we know which all sub-class it can extend, using in switch use case is possible with each case being permitted sub-class

Here is the example where we can use sealed class in switch case

private static String checkAnimal(Animal animal){                                     
    return switch (animal) {                                                          
        case Cat c -> c.getIdentity();                                                
        case Dog d -> d.getIdentity();                                                
        default -> throw new IllegalArgumentException("Unexpected Input: " + animal); 
    };                                                                                
}

Can we create object of sealed class?

Yes why not, being class defined as sealed does not restrict you to create its object. It only restricts the sub-class who can extend from it. However, being said, in most of the architectural scenario, you wont need to create object of sealed class, so its better to define sealed class as abstract (to avoid accidental creation of object) in such use case

What is the point of extending a sealed class with a non-sealed class?

Well, in most of scenario you would not need to further extend the sub-class of sealed class but but but there can be some use case where you would like to have sub-class of sealed class as abstract and can allow its subclass to have business logic

What is the difference between a final and a non-sealed class?

final keyword allows the class unable to get extended by any other class while non-sealed keyword allows class to be further extended. Do note that every permitted subclass must define a modifier: final, sealed, or non-sealed

5 Best Online Course to Learn Amazon Web Services AWS in 2023

Amazon Web Services (AWS) is undoubtedly the most popular Cloud Computing Services today that provides on-demand cloud computing platform. 

Why learning AWS is worthful?

AWS has around 1/3rd of market share which indicates its popularity and indirectly relates to more jobs opening for AWS Engineers as compared to other Clouds. So learning AWS is worthful for System Administrator as well as Developers / Architects.

I have filtered out Top 5 best online courses for AWS which you can opt for learning in 2023.

1. Ultimate AWS Certified Solutions Architect Associate SAA-C03(Udemy)

• The course instructor is Stephane Maarek an AWS Certified Cloud Practitioner, Solutions Architect,Developer
• 4.7 Instructor Rating|533,519 Reviews|1,752,022 Students|41 Courses
• Best Selling Instructor, 9x AWS Certified, Kafka Guru
• Stéphane is recognized as an AWS Hero and is an AWS Certified Solutions Architect 
• Professional & AWS Certified DevOps Professional.

Requirements:

• Know the basics of IT
• No AWS Cloud experience is necessary, we'll use the AWS Free Tier
• Windows / Linux / Mac OS X Machine

Beginners welcome: No need to know anything about AWS!

34 sections • 389 lectures • 27h 10m total length

Keypoints:

• 30-Day Money-Back Guarantee
• This course includes:
• 27 hours on-demand video
• 13 articles
• 1 downloadable resource
• 1 practice test
• Full lifetime access

2. Introduction to Cloud Computing on AWS for Beginners [2023] (Udemy)

• This course is instructed by Neal Davis | AWS Certified Solutions Architect & Developer
• AWS Solutions Architect & AWS Certified Instructor
• Instructor Rating 4.6 |106,791 Reviews |507,614 Students | 16 Courses

Requirements:

• This course is designed for Cloud Computing beginners and AWS beginners
• Absolutely no prior experience necessary

Key points:

• 12 sections • 88 lectures • 6h 52m total length
• 30-Day Money-Back Guarantee
• 7 hours on-demand video
• 2 articles
• Full lifetime access
• Access on mobile and TV
• Certificate of completion

3.  Amazon Web Services (AWS) Certified 2022 - 4 Certifications!(Udemy)

• This course is launched by BackSpace Academy and Paul Coady Cloud Technology Expert.
• The fastest route to cloud certification.
• BackSpace Academy is having 4.5 Instructor Rating 29,194 Reviews 403,020 Students 3 Courses and
• Paul Coady is 4.5 Instructor Rating 21,868 Reviews 143,105 Students 1 course
• BackSpace Academy is Providing accelerated learning programs taught by AWS professional level certified instructors since 2014. A unique approach that focusses on maximum results in the shortest possible time. Quality lecture videos reinforced with instructional and hands-on lab videos and, review tests.

• Paul Coady is Highly experienced expert in cloud architecture design and deployment, not simply a certificate collector.Amazon Web Services Certified Professional. Providing a learn-by-doing approach produces students not only ready to pass an exam but also ready for employment. BackSpace Academy, the fastest route to cloud certification. Providing AWS Training since 2014 and still going strong.

What you'll learn

• You will be fully prepared for the AWS Certified Solutions Architect Associate,
•  AWS Certified Developer Associate and AWS Certified SysOps Administrator Associate

Requirements:

• Basic understanding of computers and networking.
• The student will require an AWS account to complete hands on labs sessions.
• Windows, Linux or Mac PC to complete hands on labs sessions.

Key points:

• 5 sections • 200 lectures • 45h 55m total length
• 30-Day Money-Back Guarantee
• 46 hours on-demand video
• 7 articles
• 41 downloadable resources
• Full lifetime access
• Access on mobile and TV
• Certificate of completion

4. AWS Solutions Architect Certification Training Course (Edureka)

• Very frequent batches
• 4.5 Google Reviews |4.7 Trustpilot Reviews |4.5 G2 Reviews |4.4 Sitejabber Reviews

Key points:

• Live Interactive Learning
• World-Class Instructors
• Expert-Led Mentoring Sessions
• Instant doubt clearing
• Lifetime Access
• Course Access Never Expires
• Free Access to Future Updates
• Unlimited Access to Course Content
• 24x7 Support
• One-On-One Learning Assistance
• Help Desk Support
• Resolve Doubts in Real-time
• Hands-On Project Based Learning
• Industry-Relevant Projects
• Course Demo Dataset & Files
• Quizzes & Assignments
• Industry Recognised Certification
• Edureka Training Certificate
• Graded Performance Certificate
• Certificate of Completion

5. AWS Essentials (Udemy)

• This course is designed by Amazon Web Services (AWS) is a subsidiary of Amazon.com
• Amazon Web Services (AWS) 4.4 Instructor Rating | 24,888 Reviews | 123,221 Students |8 Courses

Keypoints:

• 7 sections • 61 lectures • 3h 22m total length
• 30-Day Money-Back Guarantee
• 3.5 hours on-demand video
• Full lifetime access
• Access on mobile and TV
• Certificate of completion

Requirements

• Fundamental understanding of IT, storage, databases, and networking.

Disclosure: This article may contain affiliate links. When you purchase, we may earn a small commission.