kubernetes, the day after
TRANSCRIPT
Neeraj Gupta (@negupta) SVP Product and Engineering
Kubecon 2015
Kubernetes, The Day After
Not an In-Depth Technical Kubernetes Talk
• Operating a system like Kubernetes in production
• Cloud native infrastructure
• Based on lessons learned
Start at the End
• Production environments are all about trust• What does a workload contain?• Where does a workload run?• Are the right resources in play for the
right workload?• Can information flow only in a secure
manner?• Bigger the deploy, harder it is to
maintain the trust
• Super hard with multi-clouds
The Best Tool to Get to Trust: Policy
• Get out of the way of the Dev• Let Ops do real operations work• Reduce friction around deployments• Create systems that are built for change
IT Policy for utilizing infrastructure
IT Policy for configuring environments
IT Policy for regulatory compliance
IT Policy for securing access control
IT Policy for implementing new technologies
IT Policy for reliable deployments
Distributed Policy Evaluation & Enforcement is critical to get Trust.
Governance & Control are Priorities
What Does Kubernetes Offer Now? (stable)
• Compute resource limits• CPU• Memory
• Object counts limits• Pods• Services• Secrets• RCs• PV claims
• Per namespace (good!)
Kubernetes is in Good Company
• EC2 instance parameters, network firewall control, network topologies
• Role based access control• “If team members have edit permission, then they can
modify instances and also access the instances using ssh. If team members are authorized as owners, they are also able to create Google Compute Engine resources in the project.”
• Checkboxes, oh so many checkboxes
What Would Be Better?
• Pervasive• Explicit• Automatically Enforced
Pervasive Means:
• Resource limits• CPU• Memory• Per instance/total• Object counts• Disk space (!)• Network usage (!)
Pervasive Means:
• Workload-to-workload connections• Per port, not per container• Per protocol, not per container• Automatic bi-directional trust is less
secure
Pervasive Means:
• Ingress / Egress• External connectivity and routing• Multi-cloud
Pervasive Means:
• Software components version control• Deployment pipeline
Pervasive Means:
• Log access• Policy editing• Permissible operations between
frontend and backend
Policy Structure
• Language• Namespaces are important• With namespaces, you can target:
• Per person, per project, Per environment (dev/test/prod), Per org unit (team, division, etc.)
• Hierarchical namespaces are even cooler
Policy Structure: Tips
• Make sandboxes• Think hard about your structures• Apply policy as close to the leaves in
your namespace as possible• Consider generating policy through
automation
Apcera Platform
• A single, policy-driven, system that sits above all clouds, private and public
• Reduces complexity, while enabling enterprise-wide governance and maximum agility
Apcera enables cloud adoption with enterprise grade policy system
Let’s Bring Kubernetes and Apcera Together
• Kubernetes provides good abstraction and great API
• Apcera provides enterprise grade policy with support for hybrid-cloud and multi-workload
• Support for Kubernetes API and abstraction with Apcera platform brings the best of both worlds
Cloud Native Compute Node – Kurma.io
• Minimalist OS designed to host containers, with a built in container engine and container management service.
• Built on the notion that everything is a container. Allows containers to be managed and orchestrated by other processes.
K
Cloud Native Messaging (NATS.io)
• Light weight and high performance (~8M messages / sec) publish-subscribe and distributed queuing messaging system
• Created by Derek Collison – Architected Tibco Rendezvous, EMS and Cloud Foundry
• Widely used (Cloud Foundry, Baidu, HTC, etc.). Docker image downloads available.
Sender Throughput (msg/sec)Receiver Throughput (msg/sec)
