TRANSCRIPT
Brandon Henry, Garmin
Cornelia Davis, Pivotal
Paul Dul, VMware
CNA3045BU
#VMworld #CNA3045BU
What’s New with Containers on SDDC
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#CNA3045BU CONFIDENTIAL 2
VMware and Pivotal Collaborate to Deliver VMware Pivotal Container Service
Purpose-built container service to operationalize Kubernetes for the multi-cloud enterprises and service providers
• Fully Supported Kubernetes – Runs on vSphere and VMC
• Unified VM + Containers on SDDC – Deep Integration with NSX
• Hardened, Production-grade – HA, Security, Multi-tenancy, Tools
VMware PKS in SDDC Portfolio
(architecture diagram: VMware PKS – Kubernetes on BOSH (Kubo) – layered on BOSH and NSX over physical infrastructure running vSphere and vSAN, or on GCP; the PKS layer carries the Service Broker, the Container Registry and the cluster VMs (etcd, master, worker); vRealize provides Analytics, Automation, Security, Operations, Monitoring and Logging around it)
Containers on SDDC – VMware Pivotal Container Service
1 Garmin Kubernetes Deployment
2 Introducing VMware Pivotal Container Service (PKS)
3 PKS integrations with VMware
4 Q & A
Kube Architecture
(diagram: Garmin’s Kubernetes architecture as seen from the Developer and Customer sides; kube2consul, Garmin Developed)
Cluster Administration
• Scaling the cluster
• User Management (Auth)
• Service Registration
• Load Balancing
Garmin Developed tooling shown on successive builds of this slide: kube-puppet, cert scripts, kube2consul, consul-templates
Monitoring
• Cluster Monitoring
• Application/Service Monitoring
Garmin Developed tooling shown on successive builds of this slide: kube-monitor, consul2zabbix
Logging
• Cluster Logging
• Application Logging
• Correlating Node/Cluster/Container Events
Garmin Developed tooling shown on successive builds of this slide: kube-monitor, plumber, docker app logger
Security
• Dependency Access (Firewalls)
• Image Signing
• Image Updating
• Vulnerability Scanning
• Credential Management
Containers on SDDC – VMware Pivotal Container Service
2 Introducing VMware Pivotal Container Service (PKS)
Serving up Kubernetes Dial-tone
(diagram: a Kubernetes cluster of etcd, Master and Worker VMs; kubectl reaches the Masters, and a Routing layer in front of the Workers lets users access the app)
Kubernetes – Hard to Operationalize
High Availability. No out-of-the-box fault-tolerance for the cluster components themselves (masters and etcd nodes).
Scaling. Kubernetes clusters handle scaling the pods/services within the Nodes, but don’t provide a mechanism to scale the Master, Worker and etcd VMs.
Health checks and healing. The Kubernetes cluster does routine health checks only for the workloads running on Nodes.
Upgrades. Rolling upgrades on a large fleet of clusters are hard. Who manages the system it runs on?
BOSH
Operational Challenges with any Platform
Day 2 – Operate
Patches. Patching platform components with thousands of apps running should feel normal.
Scaling. Seamlessly scale platform components to accommodate changing demand.
Upgrades. How do you roll out new versions of the platform with the lights on?
Operating Effort. Operating a platform should require very few resources and minimum manual intervention. Otherwise, is it really providing operational benefits?
Day 1 – Build
Multi-cloud. Provide a reliable and smooth experience for any cloud.
Open APIs. Allow platform operations from different toolsets and the creation of CD pipelines.
Consistency. Provide a consistent setup experience across different cloud environment configurations.
Setup time. How long does it take to set up a real-world working environment? Think hours, not weeks.
BOSH
BOSH is an open source tool for release engineering, deployment, lifecycle management, and monitoring of distributed systems.
➔ Packaging w/ embedded OS
➔ Server provisioning on any IaaS
➔ Software deployment across availability zones
➔ Scaling
➔ Health monitoring (server AND processes)
➔ Service state monitoring
➔ Self-healing w/ Resurrector
➔ Storage management
➔ Rolling upgrades with canaries
BOSH
(diagram: the same BOSH capability list, now with BOSH shown deploying and managing the Kubernetes cluster VMs: etcd, Master and Worker)
Project Kubo
Uniform way to instantiate, deploy, and manage highly available Kubernetes clusters. On any cloud.
Launched by Pivotal & Google Feb 2017, Donated to Cloud Foundry Foundation June 2017
“Day 1” Build
● Deploy Kubernetes cluster via BOSH
“Day 2” Operate
● Self-healing VMs and monitoring via BOSH
● Elastic scaling for clusters
● Rolling upgrades to latest Kubernetes release
● High-availability and multi-AZ support
Kubo Defines a Kubernetes Cluster
(diagram: the Kubo Release consists of release templates and a Manifest; "bosh deploy" hands it to BOSH, which stands up the cluster VMs: etcd, Master and Worker. The platform team is then responsible for assembly into desired clusters.)
Provides the control plane for provisioning and managing Kubo releases
Joint development effort between Pivotal, VMware and Google
Kubernetes Dial Tone:
• Health management
• Aggregated Metrics and Logging
• Autoscaling
• Persistence interface
Control Plane:
• Provisioning Engine
• Self-service Clusters
• Software Update Automation
• Load balancing
• Networking
• Multi-tenancy
VMware PKS: Provisioning Engine
(diagram: the PKS Service Broker drives BOSH with the Kubo Release, its release templates and a Manifest)
VMware PKS: Self-service Clusters
(diagram: the same path, invoked by "create cluster (with upgrade policy)")
VMware PKS: Dynamic Routing (Different Options Available)
(diagram: a Load Balancing layer in front of the provisioned cluster lets users access the app)
VMware PKS: Dynamic Routing (One Option)
(diagram: a Router in front of the provisioned cluster)
VMware PKS: Networking (Different Options Available)
(diagram: two Worker nodes on the BOSH network, 10.0.30.11 and 10.0.30.12, each running kube-proxy with iptables; containers on a C2C overlay at 10.200.1.4, 10.200.1.5 and 10.200.2.6; a Service exposed on the Service network)
Containers on SDDC – VMware Pivotal Container Service
3 PKS integrations with VMware
NSX-T Integration
(diagram: NSX topology for K8s / CF – the PaaS Control Plane (etcd, API-Server, Scheduler) and Infra connect to the NSX Container Plugin, whose NCM sits behind Kubernetes, CloudFoundry, Libnetwork and Mesos adapters and talks to NSX Manager through an API Client; projects foo and bar)
• NSX Container Plugin (NCP) for integrating with Kubernetes
• NSX Features for K8s PODs
• IP address per container / POD
• Container Network – Routed (BGP) & NATed mode
• Microsegmentation – via K8s Network Policy or native NSX APIs (mapping K8s labels to NSX tags)
• Network & Security automation – created as part of app deployment
• Multi-tenant network topologies
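The microsegmentation bullet above rests on label selectors; the following is an added example, not from the deck or from NSX/NCP, that evaluates pod-to-pod ingress under Kubernetes NetworkPolicy matchLabels semantics and derives the per-destination allow-list that a label-to-tag mapping would turn into distributed firewall rules. The pod names, labels and the single policy are constructed.

```python
from typing import Dict, List

Labels = Dict[str, str]

# Constructed sample inventory: three pods in one namespace, each carrying
# the labels that the NSX integration would mirror as tags.
PODS: Dict[str, Labels] = {
    "web-1": {"app": "web", "tier": "frontend"},
    "api-1": {"app": "api", "tier": "backend"},
    "scan-1": {"app": "scanner"},
}

# One NetworkPolicy reduced to its matchLabels selectors: backend pods
# accept ingress only from pods labelled app=web. Pods selected by no
# policy keep Kubernetes' default of accepting all ingress.
POLICIES = [
    {
        "podSelector": {"tier": "backend"},
        "ingress": [{"from": [{"podSelector": {"app": "web"}}]}],
    },
]


def matches(selector: Labels, labels: Labels) -> bool:
    """matchLabels: every selector key must be present with that value.
    An empty selector matches every pod (as in Kubernetes)."""
    return all(labels.get(k) == v for k, v in selector.items())


def ingress_allowed(src: str, dst: str) -> bool:
    """Decide whether traffic from pod src may reach pod dst."""
    src_labels, dst_labels = PODS[src], PODS[dst]
    selecting = [p for p in POLICIES if matches(p["podSelector"], dst_labels)]
    if not selecting:
        return True  # unselected destination: open by default
    for policy in selecting:
        for rule in policy.get("ingress", []):
            if not rule.get("from"):
                return True  # a rule with no 'from' admits every source
            if any(matches(peer.get("podSelector", {}), src_labels)
                   for peer in rule["from"]):
                return True
    return False  # selected, but no rule admits this source: deny


def allow_lists() -> Dict[str, List[str]]:
    """Per-destination list of source pods that may reach it; this is the
    table a label-to-tag mapping turns into firewall rules."""
    return {dst: sorted(src for src in PODS if src != dst and ingress_allowed(src, dst))
            for dst in PODS}
```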
Registry – Enterprise-grade Private Registry
user management & access control
role-based access control
AD/LDAP integration
security
vulnerability scanning
content trust - image signing
policy based image replication
audit and logs
restful API
lightweight & easy deployment
open-source under Apache 2 license
Registry – Content Trust, Image Signing and Validation
Content Trust enabled via Notary service
Image signed by publisher’s private key during pushing
Image verified using publisher’s public key during pulling
Optionally, unsigned images cannot be pulled
Registry – Content Trust, When Enabled Un-signed Images Can’t Be Pulled
Registry – Image Vulnerability Scanning
Vulnerability scanning
Scan on push to registry
Set vulnerability threshold
Optionally, prevent images from being pulled if they exceed threshold
Periodic scanning based on updated vulnerability database
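The two registry pull gates from the Content Trust slide and this one, sign on push / verify on pull and the vulnerability threshold, as an added example that is neither the deck's nor Harbor's code. An HMAC over the manifest digest stands in for Notary's asymmetric signature, and the severity ranking, record layout and placeholder CVE ids are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Severity ordering for the threshold gate (constructed ranking).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class ImageRecord:
    """Per-tag registry state (field names assumed): manifest digest, optional
    signature made at push time, and scanner findings as (id, severity)."""
    digest: str
    signature: Optional[str] = None
    findings: List[Tuple[str, str]] = field(default_factory=list)


def sign_manifest(manifest: bytes, publisher_key: bytes) -> ImageRecord:
    """Push-time step: hash the manifest and sign the digest. HMAC with the
    publisher key stands in for Notary's private-key signature."""
    digest = hashlib.sha256(manifest).hexdigest()
    sig = hmac.new(publisher_key, digest.encode(), hashlib.sha256).hexdigest()
    return ImageRecord(digest=digest, signature=sig)


def signature_valid(rec: ImageRecord, manifest: bytes, publisher_key: bytes) -> bool:
    """Pull-time step: recompute the digest from the bytes actually served and
    check the stored signature against it, comparing in constant time."""
    if rec.signature is None:
        return False
    digest = hashlib.sha256(manifest).hexdigest()
    expected = hmac.new(publisher_key, digest.encode(), hashlib.sha256).hexdigest()
    return digest == rec.digest and hmac.compare_digest(expected, rec.signature)


def pull_allowed(rec: ImageRecord, manifest: bytes, publisher_key: bytes,
                 content_trust: bool, threshold: Optional[str]) -> Tuple[bool, str]:
    """Apply the two gates in order and say why a pull is refused.
    content_trust=True mirrors "unsigned images cannot be pulled"; threshold
    is the lowest severity that blocks a pull, or None to not block on scans."""
    if content_trust and not signature_valid(rec, manifest, publisher_key):
        reason = "unsigned image" if rec.signature is None else "signature mismatch"
        return False, reason
    if threshold is not None:
        blocking = [cve for cve, sev in rec.findings
                    if SEVERITY_RANK[sev] >= SEVERITY_RANK[threshold]]
        if blocking:
            return False, "vulnerabilities at or above %s: %s" % (threshold, ", ".join(blocking))
    return True, "ok"
```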
vRealize Ops, vRealize Log Insight For Comprehensive Visibility
Structured Data (Metrics, Alerts, Events) → VMware vRealize Operations: Capacity, Performance and Configuration Management Events; Launch in Context
Unstructured Data (Logs, Messages) → VMware vRealize Log Insight: Log analytics, aggregation, and search
Virtual Applications
vRealize Ops – Managing Kubernetes Clusters
(screenshots: K8S Summary – Nodes, Pods, etc.; K8S Topology – Health; K8S Pods – Health)
vRealize Ops – Kubernetes Integration Details
(screenshots: K8S Pod Relationship to Components; K8S Alerts)
Introducing Wavefront By VMware: SaaS-Based Metrics Monitoring and Analytics Platform
(diagram: Metrics Collection and Storage, Advanced Analytics Engine, UI and API Backend; used to Visualize Metrics at Scale, Trend & Alert on Anomalies, and Iterate & Troubleshoot Issues – Self-Service Metrics Analytics for All Engineering & Business)
Wavefront Container Monitoring Suite
(diagram: a Container Metric Collector on each Docker Host reporting to Wavefront, across Docker Swarm, a Docker Cluster and Amazon ECS)
Real-time insight into Docker containers and orchestration systems: Kubernetes, Pivotal Cloud Foundry, Amazon ECS
vRealize Automation – Simplify Developer Consumption
(diagram: Developers, CI/CD and LOB Users consume a CATALOG (Entitlements, Approvals, Policies) and a CD PIPELINE; underneath, APP FRAMEWORKS (PAAS, CAAS, FAAS) and GLOBALLY CONSISTENT INFRASTRUCTURE AS CODE (IAAS ORCHESTRATION, BLUEPRINT, CLOUD APIS) span PRIVATE CLOUD OR DATA CENTER, PUBLIC CLOUD and BRANCH/EDGE COMPUTE, with MANAGEMENT & OPERATIONS alongside)
1 CLOUD APIs – Consume native services on any cloud
2 BLUEPRINTS & ITERATIVE DEVELOPMENT – Compose applications using simplified YAML iteratively
3 INTEGRATED CATALOG AND PIPELINE – Catalog for self-service & pipeline for CI/CD
Questions?
Registry – Based on Widely-adopted Project Harbor
© 2014 VMware Inc. All rights reserved.
Thank You!
@cloudnativeapps
vmware.github.io
blogs.vmware.com/cloudnative
Registry – Image Vulnerability Scanning Details
Challenges in Rolling Your Own Kubernetes Container Service
CLUSTER ADMINISTRATION
• Scaling the cluster
• User Management (Auth)
• Service Registration
• Load Balancing
MONITORING
• Cluster Monitoring
• Application/Service Monitoring
LOGGING
• Cluster Logging vRLI
• Application Logging
• Correlating Node/Cluster/Container Events
SECURITY
• Dependency Access (Firewalls)
• Image Signing
• Vulnerability Scanning
• Credentials Management
vR Ops Log Insight managing Pivotal Cloud Foundry