Posted 15-Aug-2020

Source: people.redhat.com/jdudash/2019-06-ContainersAndOpenShift.pdf

Page 1

Containers, Kubernetes, and DevSecOps with Red Hat

plus anything else you want to talk about...

Jason Dudash, Open Source Architect & Builder
Chris Yates, DoD Solutions Architect

Page 2

AGENDA

Page 3

AGENDA: What we’ll be discussing today

● Deploying and Managing Software
● Containers and VMs
● Kubernetes
● OpenShift Container Platform
● DevSecOps
● CI/CD Pipelines
● Trusted Supply Chain
● Building a Secure Software Factory

Page 4

DEVOPS

Page 5

DEVOPS: The problem with software delivery

Software systems require complicated installation and integration every time they are deployed, leading to:

● Slow service delivery
● Reduced service quality
● Frequent downtime

Page 6

DEVOPS: Each team has different concerns

[Diagram: DEVELOPMENT TEAM on one side, OPERATIONS & MAINTENANCE on the other]

Page 7

DEVOPS: DevOps based software delivery

Adopting a container strategy is a modern way to allow applications to be easily shared and deployed.

● Consistent env and tools
● Predictable building blocks
● Faster deployment

Page 8

DEVOPS: DevOps Practices

● Everything as code
● Automate everything
● Application is always “releasable”
● Continuous Integration/Delivery
● Application monitoring
● Rapid feedback
● Delivery pipeline
● Rebuild vs. Repair

Requires a consistent env and predictable building blocks.

Page 9

CONTAINERS: But what are containers?

● Application processes on a shared kernel
● Simpler, lighter, and denser than VMs
● Portable across different environments
● Package apps with all dependencies
● Deploy to any environment in seconds
● Easily accessed and shared

[Diagram: INFRASTRUCTURE below, APPLICATIONS above]

Page 10

CONTAINERS: Virtual machines and containers?

VIRTUAL MACHINES: VM isolates the hardware
● Stack, bottom to top: Hardware, Hypervisor, VM (Kernel, OS Dependencies), App (one VM per app)

CONTAINERS: Container isolates the process
● Stack, bottom to top: Hardware, Hypervisor, Container Host (Kernel), Container (App, OS deps), one container per app sharing the host kernel

Page 11

CONTAINERS: Application portability with virtual machines

Virtual machines are NOT portable across hypervisors and do NOT provide portable packaging for applications.

[Diagram: each target (LAPTOP, BARE METAL, VIRTUALIZATION, PRIVATE CLOUD, PUBLIC CLOUD) needs its own VM build (Guest VM, VM Type X, VM Type Y, VM Type Z), each carrying Application, OS dependencies and Operating System]

Page 12

CONTAINERS: Application portability with containers

[Diagram: the same Container (Application + OS dependencies) runs unchanged on a RHEL host on every target]
● LAPTOP: Guest VM, RHEL, Container
● BARE METAL: RHEL, Container
● VIRTUALIZATION: Virtual Machine, RHEL, Container
● PRIVATE CLOUD: Virtual Machine, RHEL, Container
● PUBLIC CLOUD: Virtual Machine, RHEL, Container

RHEL Containers + RHEL Host = Guaranteed Portability Across Any Infrastructure

Page 13

CONTAINERS: Containers are layered, which enables rapid patching

Container Image Layers and an Example Container Image:
● Base Image: Base RHEL
● Image Layer 1: OS Update Layer
● Image Layer 2: Java Runtime Layer
● Image Layer 3: Application Layer
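Why layering makes patching a rebuild rather than an in-place repair is easier to see with the layer identities computed. The following is an added example (my code, not from the deck or from Red Hat tooling) that models the four layers above as content-addressed layers using the chain-ID construction from the OCI image spec: chain(L0) = diff(L0), chain(Ln) = sha256(chain(Ln-1) + " " + diff(Ln)). The layer contents, image names and package versions are constructed stand-ins for real filesystem diffs.

```python
"""Added example: patching a layered image by rebuilding it.

Models the slide's four layers (Base RHEL, OS update, Java runtime,
application) as content-addressed layers. Layer contents below are
constructed stand-ins for real filesystem tarballs.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Digest in the 'sha256:<hex>' form image tooling prints."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def diff_ids(layers):
    """Each layer's own content digest (what a tar of that layer's files hashes to)."""
    return [sha256_hex(content) for _, content in layers]


def chain_ids(diff):
    """OCI chain IDs: chain(L0) = diff(L0); chain(Ln) = sha256(chain(Ln-1) + " " + diff(Ln)).
    Every ID depends on all layers beneath it, so patching a low layer changes the
    identity of every layer above it even when their content is untouched."""
    chain = [diff[0]]
    for d in diff[1:]:
        chain.append(sha256_hex((chain[-1] + " " + d).encode()))
    return chain


def image_id(layers):
    """The image is identified by the chain ID of its top layer."""
    return chain_ids(diff_ids(layers))[-1]


def rebuild_with(layers, name, new_content):
    """'Rebuild vs. Repair': swap one layer's content and rebuild the image from it,
    instead of patching files inside a running container."""
    return [(n, new_content if n == name else c) for n, c in layers]


def compare_rebuild(old, new):
    """Per layer: (name, content changed?, identity changed?)."""
    od, nd = diff_ids(old), diff_ids(new)
    oc, nc = chain_ids(od), chain_ids(nd)
    return [(name, od[i] != nd[i], oc[i] != nc[i]) for i, (name, _) in enumerate(old)]


def images_sharing_layer(images, vulnerable_diff_id):
    """Which images carry a given (vulnerable) layer: the starting point for deciding
    what must be rebuilt when an advisory names a package in that layer."""
    return [name for name, layers in images.items() if vulnerable_diff_id in diff_ids(layers)]


# Constructed layer contents; stand-ins for real filesystem diffs.
IMAGE_V1 = [
    ("Base RHEL", b"rhel-base"),
    ("OS Update Layer", b"openssl-1.1.1k-7 glibc-2.28-101"),
    ("Java Runtime Layer", b"java-11-openjdk-11.0.13"),
    ("Application Layer", b"app.jar build=1.4.2"),
]
# A second (constructed) service built on the same base and OS update layer.
OTHER_V1 = IMAGE_V1[:2] + [("Python Runtime Layer", b"python3-3.6.8"),
                           ("Application Layer", b"svc.py build=7")]

# Patch the OS update layer (a fixed openssl) and rebuild everything above it.
IMAGE_V2 = rebuild_with(IMAGE_V1, "OS Update Layer", b"openssl-1.1.1k-8 glibc-2.28-101")


if __name__ == "__main__":
    for name, content_changed, id_changed in compare_rebuild(IMAGE_V1, IMAGE_V2):
        print(f"{name:20} content changed={content_changed!s:5} identity changed={id_changed}")
    vulnerable = diff_ids(IMAGE_V1)[1]
    registry = {"payments-api": IMAGE_V1, "report-svc": OTHER_V1, "payments-api-v2": IMAGE_V2}
    print("images carrying the vulnerable OS layer:", images_sharing_layer(registry, vulnerable))
```

Run as a script, it shows that only the OS update layer's content changes, yet the Java runtime and application layers get new identities because they sit above it; the old image ID therefore cleanly identifies what is still unpatched, and the shared diff ID of the OS layer points at every image that needs the same rebuild.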

Page 14

CONTAINERS: Containers are a key enabler to modern software delivery

● Managed by Operations: Hardware, Virtual Machine, Operating System
● Managed by Developers: Container, App

Page 15

CONTAINERS: Why use containers?

● Securely isolate applications and services
● Eliminate inconsistencies
● More lightweight and portable than VMs
● Accelerate software delivery/deployment

[Chart: OPERATIONAL EFFICIENCY and WORKLOAD DENSITY increasing from PHYSICAL to VIRTUAL to CONTAINER]

Page 16

DEMO

Page 17

OpenShift Container Platform

Page 18

OPENSHIFT: Just one container is useless

Page 19

OPENSHIFT: Many containers are hard

Page 20

OPENSHIFT: OpenShift Container Platform

Stack, bottom to top:
● RED HAT ENTERPRISE LINUX (OS)
● DOCKER / CRI-O (CONTAINER RUNTIME/API)
● KUBERNETES (ORCHESTRATION & MANAGEMENT)
● OPENSHIFT: Automatic container builds, intelligent deployments, image management, web console, IDE plugins, and more.

Page 21

OPENSHIFT: Its core is Kubernetes

Page 22

OPENSHIFT: Based on lessons learned at Google

“When you spend 15 years working on cloud engineering and cloud infrastructure you learn what works and what doesn't.”

“Kubernetes is us taking the learnings of what works and what doesn't in managing production containers at scale and doing it in the open source.”

Greg DeMichillie, Director of Product Management, Google Cloud Platform
https://www.youtube.com/watch?v=6a2Nirr8cI0

Page 23

OPENSHIFT: OpenShift = Kubernetes++

[Diagram: the OpenShift stack, bottom to top]
● IaaS: PHYSICAL, VIRTUAL, PRIVATE CLOUD, PUBLIC CLOUD
● ENTERPRISE-GRADE CONTAINER OS: Red Hat Enterprise Linux & RHCoreOS
● CaaS / PaaS: Red Hat OpenShift Container Platform (incl. CloudForms), with CONTAINER INFRASTRUCTURE SERVICES and LIFECYCLE AUTOMATION covering CONTAINER ENGINE, ORCHESTRATION (Kubernetes), CONTAINER MANAGEMENT, NETWORKING, STORAGE, REGISTRY, SECURITY, SECURITY ANALYSIS, MONITORING, POLICY MANAGEMENT (CloudForms), CAPACITY MGMT, SELF-SERVICE, SERVICE CATALOG, CI/CD (Jenkins), IMAGE BUILD
● Red Hat Application Services, delivered as containers: Business Automation, Integration, Languages & Runtimes, Web & Mobile, 3rd party frameworks
● Surrounding tooling: OPS MANAGEMENT (CloudForms, Satellite), OPS AUTOMATION (Ansible), DEV TOOLS (Developer Studio, Container Dev Kit), STORAGE (RH Storage), PUBLIC REGISTRY (RH Registry)

Page 24

OPENSHIFT: OpenShift high level architecture

[Diagram]
● MASTER: API/AUTHENTICATION, DATA STORE, SCHEDULER, HEALTH/SCALING
● NODES: RHEL nodes, each running containers (C)
● SERVICE LAYER, ROUTING LAYER, PERSISTENT STORAGE, REGISTRY
● EXISTING AUTOMATION TOOLSETS: SCM (GIT), CI/CD
● Runs on RED HAT ENTERPRISE LINUX over PHYSICAL, VIRTUAL, PRIVATE, PUBLIC or HYBRID infrastructure

Page 25

Secure Platform and Trusted Supply Chain

Page 26

OPENSHIFT: Start with trusted sources because… you can’t inspect quality into a product

● Red Hat Container Catalog
● Trusted ISVs

Page 27

DEMO

Page 28

Continuous Integration, Continuous Deployment & DevSecOps

Page 29

CI/CD: An automated process to get your app delivered

Page 30

DEMO

Page 31

CI/CD

Page 32

CI/CD - JENKINS PIPELINE

Page 33

CI/CD - ENRICHING EXISTING DELIVERY PROCESS WITH OPENSHIFT

[Diagram: the EXISTING DELIVERY PROCESS and EXISTING IMAGE REGISTRY feed an OPENSHIFT IMAGE REGISTRY, which serves OPENSHIFT CLUSTER(S) across NON-PROD (DEV, TEST, UAT) and PROD]

Page 34

DEVSECOPS

DevSecOps = Include security throughout DevOps

● Sec
○ Establish your security policy and posture before the first line of code is written (establish quality thresholds)
● Dev
○ Write your software and package it
● Sec
○ Scan and enforce your security policy and posture, including quality thresholds
● Ops
○ Deploy to prod and manage the system
● Sec
○ Continuously monitor what is deployed for new vulnerabilities and exploits
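The five steps above, carried into a small policy gate, as an added example (my code, not the deck's or Red Hat's tooling). It assumes an image scan has already produced findings in the simple shape shown; the CVE ids are placeholders, the package versions and registries are constructed, and `registry.redhat.io` stands in for the Red Hat Container Catalog of the "trusted sources" slide while `registry.internal.example` stands in for an organization's own registry. The policy is written first, the scan result is enforced against it, and the same deployed image is re-evaluated when a later advisory arrives.

```python
"""Added example: a DevSecOps policy gate for container images.

Posture first (thresholds and trusted sources), then scan-and-enforce,
then re-evaluation of a deployed image when new advisories appear.
All data here is constructed for the example; nothing comes from a real scanner.
"""
from dataclasses import dataclass, field
from typing import Optional

SEVERITIES = ("critical", "high", "medium", "low")


@dataclass(frozen=True)
class Policy:
    """Security posture fixed before the first line of code (the first 'Sec' step)."""
    trusted_registries: frozenset   # registries images may be pulled from
    max_by_severity: dict           # quality thresholds: severity -> max open findings allowed
    require_digest: bool = True     # image references must be pinned by sha256 digest


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    package: str
    fixed_in: Optional[str] = None  # None: no fixed version published yet


@dataclass
class ImageReport:
    image: str                      # registry/repo:tag@sha256:<hex>
    packages: dict                  # package -> installed version, from the image's inventory
    findings: list = field(default_factory=list)


def parse_image_ref(ref: str):
    """Split 'registry/repo:tag@sha256:hex' into (registry, repo, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = "docker.io", ref   # no registry given: Docker Hub is the implied default
    tag = "latest"
    if ":" in repo.rsplit("/", 1)[-1]:
        repo, tag = repo.rsplit(":", 1)
    return registry, repo, tag, digest


def source_problems(image: str, policy: Policy):
    """Trusted-source check: allowlisted registry only, and pinned by digest so the
    content that was scanned is the content that gets deployed."""
    registry, _, _, digest = parse_image_ref(image)
    problems = []
    if registry not in policy.trusted_registries:
        problems.append(f"untrusted registry {registry}")
    if policy.require_digest and not (digest and digest.startswith("sha256:")):
        problems.append("image not pinned by sha256 digest")
    return problems


def count_by_severity(findings):
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def evaluate(report: ImageReport, policy: Policy):
    """Scan-and-enforce step: returns (passed, reasons)."""
    reasons = source_problems(report.image, policy)
    counts = count_by_severity(report.findings)
    for sev, limit in policy.max_by_severity.items():
        if counts.get(sev, 0) > limit:
            reasons.append(f"{sev} findings: {counts[sev]} open, limit {limit}")
    return (not reasons, reasons)


def reevaluate(report: ImageReport, policy: Policy, advisories):
    """Continuous-monitoring step: apply advisories published after deployment and re-run
    the gate. Each advisory is (Finding, set of affected versions); it only counts when
    the deployed image actually ships an affected version of that package."""
    known = {f.cve for f in report.findings}
    new = [f for f, affected in advisories
           if f.cve not in known and report.packages.get(f.package) in affected]
    updated = ImageReport(report.image, report.packages, report.findings + new)
    return updated, evaluate(updated, policy)


# Constructed sample data.
POLICY = Policy(
    trusted_registries=frozenset({"registry.redhat.io", "registry.internal.example"}),
    max_by_severity={"critical": 0, "high": 2, "medium": 10},
)
APP_IMAGE = ImageReport(
    image="registry.internal.example/payments/api:1.4.2@sha256:" + "ab" * 32,
    packages={"openssl-libs": "1.1.1k-7", "java-11-openjdk": "11.0.13"},
    findings=[
        Finding("CVE-0000-0001", "high", "openssl-libs", fixed_in="1.1.1k-8"),  # placeholder ids
        Finding("CVE-0000-0002", "medium", "java-11-openjdk"),
    ],
)
UNTRUSTED_IMAGE = ImageReport(image="randomuser/api:latest", packages={})
# An advisory published after deployment, naming the openssl version the image ships.
NEW_ADVISORIES = [
    (Finding("CVE-0000-0003", "critical", "openssl-libs", fixed_in="1.1.1k-9"), {"1.1.1k-7", "1.1.1k-8"}),
]

if __name__ == "__main__":
    print("pipeline gate:", evaluate(APP_IMAGE, POLICY))
    print("untrusted source:", evaluate(UNTRUSTED_IMAGE, POLICY))
    print("after new advisory:", reevaluate(APP_IMAGE, POLICY, NEW_ADVISORIES)[1])
```

The gate passes the image at build time, rejects an image that is neither from an allowlisted registry nor pinned by digest, and fails the already deployed image once the later critical advisory matches a version it ships, which is the signal to rebuild from a patched base rather than to repair the running container.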

Page 35

Cluster Operations/Administration

Next time: Operating a cluster
● Projects/Namespaces
● Quotas and Limits
● Role-Based Access Control
● Security Context Constraints
● Operators
● more...

Page 36

LINKS: Where to learn more?

● learn.openshift.com (interactive free learning portal)
● developers.redhat.com (free videos/blogs/books)

Page 37

2019 SUMMIT RECAP
● https://www.youtube.com/user/redhatsummit/videos
● https://blog.openshift.com/openshift-commons-gathering-at-red-hat-summit-boston-2019-recap-with-slides/

Summit presenters (Monday through Thursday): Volkswagen, Eli Lilly, Thyssenkrupp Elevators, Best Buy, NASA, Sabre, Microsoft, NGA, Royal Bank of Canada, UPS, Optus, Bell Canada, Deutsche Telekom, Banco Hipotecario, Suomen Asiakastieto, VMware, Delta, Lockheed Martin, DBS Bank Limited, ExxonMobil, Volkswagen, Airbus, Kaloom, IBM, Spark New Zealand, UnitedHealth Group, Societe Generale, Microsoft, Sysdig, Meteorcomm, Optum, Volvo Cars, Royal Bank of Scotland, Government of Canada, Cox Communications, Intel, Dell, Kohl’s, Avaloq, Solo.io, Turbonomic, Deutsche Bank, Kohl’s, World Wide Technology, Florida Blue, Perficient Inc, Dynatrace, Atos, SIX Group, Bank of Montreal (BMO), Poste Italiane, CIBC, BP, Microsoft, BBVA, Sabre, X by Orange, Booz Allen Hamilton, IBM, Capgemini, BMW, HCA Healthcare, Emirates NBD, UPS, NVIDIA, Microsoft, Lightbend, Elsevier, Penguin Computing, HealthPartners, Ally Bank, Norwegian Cruise Lines, Helvetia Insurance, Optus, Dynatrace, Supermicro, Abercrombie and Fitch, Couchbase, Boston Children's Hospital, Deutsche Bank, Aetna, Amazon, Deutsche Telekom IT, Amadeus, ExxonMobil

Solutions & Services, OpenShift Integrated: Accenture | Aporeto | Appranix | Aqua Security | Arista Networks | Atos Syntel | Avi Networks | AWS | Cisco | Cloudera | Cockroach Labs | Collabnet | Couchbase | Crunchy Data | CyberArk | Dell EMC | Deloitte | Diamante | DXC Technologies | Dynatrace | F5 | Forty8Fifty Labs | H2O.ai | HAProxy | HCL | Hitachi | HPE | IBM | Influx Data | InfoSys | Instana | Intel | Juniper | Lenovo | Lightbend | LINBIT | LogDNA | MariaDB | Microsoft | NeuVector | NGINX | Nuage Networks | NuoDB | OpsMX | Portworx | ProphetStor | Puppet Labs | Pure Storage | Rackspace | Redis Labs | Robin Systems | SAP | Shadow-Soft | Sonatype | Splunk | StackRox | StorageOS | Synopsys | Snyk | Sysdig | Tata Consulting | Thales Security | Tigera | Tremolo Security | Trisotech | Twistlock | Vizuri | WWT | Zabbix

Page 38

Thank you

Red Hat is the world’s leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500.

linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHat