devsecops with red hat containers, kubernetes,...
TRANSCRIPT
plus anything else you want to talk about...
Containers, Kubernetes, and DevSecOps with Red Hat
Jason Dudash, Open Source Architect & Builder
Chris Yates, DoD Solutions Architect
AGENDA
What we’ll be discussing today
Deploying and Managing Software
Containers and VMs
Kubernetes
OpenShift Container Platform
DevSecOps
CI/CD Pipelines
Trusted Supply Chain
Building a Secure Software Factory
DEVOPS
The problem with software delivery
Software systems require complicated installation and integration every time they are deployed, leading to:
● Slow service delivery
● Reduced service quality
● Frequent downtimes
Each team has different concerns
DEVELOPMENT TEAM | OPERATIONS & MAINTENANCE
DevOps-based software delivery
Adopting a container strategy is a modern way to allow applications to be easily shared and deployed
● Consistent environment and tools
● Predictable building blocks
● Faster deployment
DevOps Practices
● Everything as code
● Automate everything
● Application is always “releasable”
● Continuous Integration/Delivery
● Application monitoring
● Rapid feedback
● Delivery pipeline
● Rebuild vs. Repair
Requires a consistent environment and predictable building blocks
CONTAINERS
But what are containers?
● Application processes on a shared kernel
● Simpler, lighter, and denser than VMs
● Portable across different environments
● Package apps with all dependencies
● Deploy to any environment in seconds
● Easily accessed and shared
Virtual machines and containers?
VIRTUAL MACHINES: the VM isolates the hardware. Each VM carries its App, OS dependencies and its own Kernel, stacked on the Hypervisor and Hardware.
CONTAINERS: the container isolates the process. Each container carries only its App and OS deps and shares the Container Host (Kernel), stacked on the Hypervisor and Hardware.
Application portability with virtual machines
Virtual machines are NOT portable across hypervisors and do NOT provide portable packaging for applications
(Diagram: VM Type X, VM Type Y, VM Type Z and a Guest VM, each bundling Application, OS dependencies and Operating System, spread across LAPTOP, VIRTUALIZATION, BARE METAL, PRIVATE CLOUD and PUBLIC CLOUD)
Application portability with containers
(Diagram: the same Container, holding the Application and its OS dependencies, runs on RHEL on a LAPTOP (Guest VM), on BARE METAL, under VIRTUALIZATION, in a PRIVATE CLOUD and in a PUBLIC CLOUD (Virtual Machine))
RHEL Containers + RHEL Host = Guaranteed Portability Across Any Infrastructure
Containers are layered - enables rapid patching
Container Image Layers | Example Container Image
Base Image | Base RHEL
Image Layer 1 | OS Update Layer
Image Layer 2 | Java Runtime Layer
Image Layer 3 | Application Layer
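The layering above is what makes "rebuild vs. repair" workable: when a lower layer such as the OS update layer is patched, nothing is patched in place; instead every image stacked on top of it is rebuilt from the fresh layer. The following is an added example, not code from the slides or from OpenShift, that models that bookkeeping for a small, constructed set of images (the image names and their FROM relationships are assumed sample values):

```python
"""Rebuild fan-out for layered container images.

Added example, not from the slides: the bookkeeping behind "rebuild vs. repair".
Each image is built FROM a lower image, so when a lower layer (say the OS update
layer on top of the base RHEL image) is patched, every image stacked on it is
rebuilt from the patched layer while the layers below stay untouched.
Image names below are constructed sample values.
"""
from collections import deque
from typing import Dict, List, Optional


def dependents(parent_of: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Invert the FROM relation: image -> images built directly on top of it."""
    children: Dict[str, List[str]] = {name: [] for name in parent_of}
    for name, parent in parent_of.items():
        if parent is not None:
            if parent not in children:
                raise ValueError(f"{name} is built FROM unknown image {parent}")
            children[parent].append(name)
    # sorted so the rebuild order is deterministic
    return {name: sorted(kids) for name, kids in children.items()}


def rebuild_order(parent_of: Dict[str, Optional[str]], patched: str) -> List[str]:
    """Breadth-first walk upward from the patched image.

    Returns the images to rebuild, in an order where every image comes after
    the image it is built FROM, so each rebuild picks up the freshly patched
    layer beneath it. Images below or beside the patched one are not included.
    """
    if patched not in parent_of:
        raise KeyError(f"unknown image {patched}")
    children = dependents(parent_of)
    order: List[str] = []
    queue = deque([patched])
    seen = {patched}
    while queue:
        current = queue.popleft()
        order.append(current)
        for child in children[current]:
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return order


# Constructed example registry: image name -> image it is built FROM (None = base)
IMAGE_FROM: Dict[str, Optional[str]] = {
    "rhel-base": None,                    # Base RHEL
    "rhel-base-updates": "rhel-base",     # OS Update Layer
    "java-runtime": "rhel-base-updates",  # Java Runtime Layer
    "python-runtime": "rhel-base-updates",
    "app-a": "java-runtime",              # Application Layer
    "app-b": "java-runtime",
    "app-c": "python-runtime",
}

if __name__ == "__main__":
    # A patched OS update layer forces both runtimes and all apps to be rebuilt
    print(rebuild_order(IMAGE_FROM, "rhel-base-updates"))
    # A patched Java runtime touches only the Java apps
    print(rebuild_order(IMAGE_FROM, "java-runtime"))
```

The rebuild list is the set of images whose supply chain passes through the patched layer; the base RHEL image and the unaffected Python branch are left alone, which is why a patch to one layer does not mean rebuilding the whole estate.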
Containers are a key enabler to modern software delivery
(Stack, bottom to top: Hardware, Virtual Machine, Operating System, Container, App. The App is managed by Developers; the underlying infrastructure is managed by Operations.)
Why use containers?
● Securely isolate applications and services
● Eliminate inconsistencies
● More lightweight and portable than VMs
● Accelerate software delivery/deployment
OPERATIONAL EFFICIENCY | WORKLOAD DENSITY (physical vs. virtual vs. container)
DEMO
OpenShift Container Platform
OPENSHIFT
Just one container is useless
Many containers are hard
OpenShift Container Platform
RED HAT ENTERPRISE LINUX (OS)
DOCKER / CRI-O (CONTAINER RUNTIME/API)
KUBERNETES (ORCHESTRATION & MANAGEMENT)
OPENSHIFT: automatic container builds, intelligent deployments, image management, web console, IDE plugins, and more.
Its core is Kubernetes
Based on lessons learned at Google
“When you spend 15 years working on cloud engineering and cloud infrastructure you learn what works and what doesn't.”
“Kubernetes is us taking the learnings of what works and what doesn't in managing production containers at scale and doing it in the open source.”
Greg DeMichillie, Director of Product Management, Google Cloud Platform
https://www.youtube.com/watch?v=6a2Nirr8cI0
OpenShift = Kubernetes++
Red Hat Application Services: Business Automation, Integration, Languages & Runtimes, Web & Mobile, 3rd party frameworks (each delivered as a container)
Red Hat OpenShift Container Platform (incl. CloudForms), CONTAINER INFRASTRUCTURE SERVICES: Storage, Registry, Networking, Security, Self-Service, CI/CD (Jenkins), Image Build, Container Engine, Container Management, Service Catalog, Orchestration (Kubernetes), Monitoring, Policy Management (CloudForms), Security Analysis, Capacity Mgmt
LIFECYCLE AUTOMATION: Ops Management (CloudForms, Satellite), Ops Automation (Ansible), Dev Tools (Developer Studio, Container Dev Kit), Storage (RH Storage), Public Registry (RH Registry)
Red Hat Enterprise Linux & RHCoreOS, ENTERPRISE-GRADE CONTAINER OS: runs on Physical, Virtual, Private Cloud and Public Cloud infrastructure
(Layers labelled PaaS / CaaS / IaaS)
OpenShift high level architecture
Existing automation toolsets (SCM (Git), CI/CD) drive the platform.
MASTER (Red Hat Enterprise Linux): API/Authentication, Data Store, Scheduler, Health/Scaling
NODES (RHEL), each running many containers (C), with the Service Layer, Routing Layer, Persistent Storage and Registry
Infrastructure: Physical, Virtual, Private, Public, Hybrid
Secure Platform and Trusted Supply Chain
Start with trusted sources because… you can’t inspect quality into a product
Red Hat Container Catalog | Trusted ISVs
DEMO
CI/CD
Continuous Integration, Continuous Deployment & DevSecOps
An automated process to get your app delivered
DEMO
CI/CD - JENKINS PIPELINE
CI/CD - ENRICHING EXISTING DELIVERY PROCESS WITH OPENSHIFT
(Diagram: the EXISTING DELIVERY PROCESS and EXISTING IMAGE REGISTRY feed an OPENSHIFT IMAGE REGISTRY and OPENSHIFT CLUSTER(S) across NON-PROD (DEV, TEST, UAT) and PROD)
DEVSECOPS
DevSecOps = Include security throughout DevOps
● Sec
○ Establish your security policy and posture before the first line of code is written (establish quality thresholds)
● Dev
○ Write your software and package it
● Sec
○ Scan and enforce your security policy and posture, including quality thresholds
● Ops
○ Deploy to prod and manage the system
● Sec
○ Continuously monitor what is deployed for new vulnerabilities and exploits
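The three Sec steps in the list above share one policy: it is written down first, enforced at scan time, and re-applied to what is already running when new vulnerability data appears. The following is an added example, not code from the slides and not OpenShift or Jenkins code, that models those steps as policy-as-code over constructed inputs (the registry prefixes, image reference, package names and EX-xxxx finding ids are all assumed sample values, not real identifiers):

```python
"""Policy-as-code gate for the Sec steps of a DevSecOps pipeline.

Added example, not from the slides and not OpenShift or Jenkins code: a small
model of the three Sec steps. The Policy is fixed before any code is written,
evaluate() enforces it when an image is scanned in the pipeline, and monitor()
re-applies the same policy to images already in production when new
vulnerability data arrives. Severities, package names, image references and
finding ids (EX-xxxx) are all constructed sample values, not real CVEs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One scanner finding against a package in the image."""
    id: str
    severity: str
    package: str


@dataclass(frozen=True)
class Policy:
    """Security posture and quality thresholds agreed before development starts."""
    # base images may only come from these registries (trusted sources)
    trusted_registries: Tuple[str, ...] = ("registry.redhat.io/", "registry.access.redhat.com/")
    # the highest severity that is allowed to ship at all
    max_severity_allowed: str = "medium"
    # how many findings of each allowed severity may ship
    max_findings: Dict[str, int] = field(default_factory=lambda: {"medium": 5, "low": 20})


def evaluate(policy: Policy, base_image: str, findings: List[Finding]) -> Tuple[bool, List[str]]:
    """Scan-and-enforce step. Returns (passed, reasons); no reasons means the gate is open."""
    reasons: List[str] = []
    if not base_image.startswith(policy.trusted_registries):
        reasons.append(f"base image {base_image} is not from a trusted registry")
    ceiling = SEVERITY_RANK[policy.max_severity_allowed]
    counts: Dict[str, int] = {}
    for f in findings:
        if SEVERITY_RANK[f.severity] > ceiling:
            reasons.append(f"{f.id} ({f.severity}) in {f.package} exceeds allowed severity {policy.max_severity_allowed}")
        counts[f.severity] = counts.get(f.severity, 0) + 1
    for severity, cap in policy.max_findings.items():
        if counts.get(severity, 0) > cap:
            reasons.append(f"{counts[severity]} {severity} findings exceed the cap of {cap}")
    return (not reasons, reasons)


def monitor(policy: Policy, deployed: Dict[str, dict], feed: List[Finding]) -> Dict[str, List[str]]:
    """Continuous-monitoring step: re-run the gate for deployed images against new findings.

    deployed maps a workload name to {"base": image ref, "packages": set of installed
    package names, "findings": findings known at deploy time}; feed is the new data.
    Returns only the workloads that now violate the policy, with the reasons.
    """
    violations: Dict[str, List[str]] = {}
    for name, image in deployed.items():
        # a new finding matters only if the affected package is actually in the image
        new = [f for f in feed if f.package in image["packages"]]
        passed, reasons = evaluate(policy, image["base"], list(image["findings"]) + new)
        if not passed:
            violations[name] = reasons
    return violations


# Constructed pipeline inputs
POLICY = Policy()
BUILD_BASE = "registry.redhat.io/ubi8/openjdk-11"  # constructed reference
BUILD_FINDINGS = [Finding("EX-0001", "medium", "libxml2"), Finding("EX-0002", "low", "bash")]

# Constructed inventory of what is running in production
DEPLOYED = {
    "app-a": {"base": BUILD_BASE, "packages": {"openssl", "libxml2", "bash"}, "findings": BUILD_FINDINGS},
    "app-b": {"base": BUILD_BASE, "packages": {"bash"}, "findings": []},
}
# Constructed vulnerability feed published after deployment
NEW_FEED = [Finding("EX-0003", "critical", "openssl")]

if __name__ == "__main__":
    passed, reasons = evaluate(POLICY, BUILD_BASE, BUILD_FINDINGS)
    print("build gate:", "PASS" if passed else "FAIL", reasons)
    print("monitoring:", monitor(POLICY, DEPLOYED, NEW_FEED))
```

In a real pipeline the same evaluate() call would sit behind the scan stage as the gate that fails the build, and monitor() would be driven by an inventory of deployed image digests and their package lists rather than the inline dictionaries used here; the point of the model is that one policy object serves both, so build time and run time never disagree about what is acceptable.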
Next time: Operating a cluster
● Projects/Namespaces
● Quotas and Limits
● Role-Based Access Control
● Security Context Constraints
● Operators
● more...
Cluster Operations/Administration
LINKS
Where to learn more?
● learn.openshift.com (interactive free learning portal)
● developers.redhat.com (free videos/blogs/books)
2019 SUMMIT RECAP
● https://www.youtube.com/user/redhatsummit/videos
● https://blog.openshift.com/openshift-commons-gathering-at-red-hat-summit-boston-2019-recap-with-slides/
Volkswagen, Eli Lilly, Thyssenkrupp Elevators, Best Buy, NASA, Sabre, Microsoft, NGA, Royal Bank of Canada, UPS, Optus, Bell Canada, Deutsche Telekom, Banco Hipotecario, Suomen Asiakastieto, VMware, Delta, Lockheed Martin, DBS Bank Limited, ExxonMobil, Volkswagen, Airbus, Kaloom, IBM, Spark New Zealand, UnitedHealth Group, Societe Generale, Microsoft, Sysdig, Meteorcomm, Optum, Volvo Cars, Royal Bank of Scotland, Government of Canada, Cox Communications, Intel, Dell, Kohl’s, Avaloq, Solo.io, Turbonomic, Deutsche Bank, Kohl’s, World Wide Technology, Florida Blue, Perficient Inc, Dynatrace, Atos, SIX Group, Bank of Montreal (BMO), Poste Italiane, CIBC, BP, Microsoft, BBVA, Sabre, X by Orange, Booz Allen Hamilton, IBM, Capgemini, BMW, HCA Healthcare, Emirates NBD, UPS, NVIDIA, Microsoft, Lightbend, Elsevier, Penguin Computing, HealthPartners, Ally Bank, Norwegian Cruise Lines, Helvetia Insurance, Optus, Dynatrace, Supermicro, Abercrombie and Fitch, Couchbase, Boston Children's Hospital, Deutsche Bank, Aetna, Amazon, Deutsche Telekom IT, Amadeus, ExxonMobil
Solutions & Services / OpenShift Integrated: Accenture | Aporeto | Appranix | Aqua Security | Arista Networks | Atos Syntel | Avi Networks | AWS | Cisco | Cloudera | Cockroach Labs | Collabnet | Couchbase | Crunchy Data | CyberArk | Dell EMC | Deloitte | Diamante | DXC Technologies | Dynatrace | F5 | Forty8Fifty Labs | H2O.ai | HAProxy | HCL | Hitachi | HPE | IBM | Influx Data | InfoSys | Instana | Intel | Juniper | Lenovo | Lightbend | LINBIT | LogDNA | MariaDB | Microsoft | NeuVector | NGINX | Nuage Networks | NuoDB | OpsMX | Portworx | ProphetStor | Puppet Labs | Pure Storage | Rackspace | Redis Labs | Robin Systems | SAP | Shadow-Soft | Sonatype | Splunk | StackRox | StorageOS | Synopsys | Snyk | Sysdig | Tata Consulting | Thales Security | Tigera | Tremolo Security | Trisotech | Twistlock | Vizuri | WWT | Zabbix
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHat
Red Hat is the world’s leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500.
Thank you