kubernetes, the day after

Download Kubernetes, The Day After

Post on 23-Jan-2017




0 download

Embed Size (px)


  • Neeraj Gupta (@negupta) SVP Product and Engineering

    Kubecon 2015

    Kubernetes, The Day After

  • Not an In-Depth Technical Kubernetes Talk

    Operating a system like Kubernetes in production!

    Cloud native infrastructure!

    Based on lessons learned!

  • Start at the End

    Production environments are all about trust! What does a workload contain?! Where does a workload run?! Are the right resources in play for the

    right workload?! Can information flow only in a secure

    manner?! Bigger the deploy, harder it is to !

    maintain the trust!

    Super hard with multi-clouds!

  • The Best Tool to Get to Trust: Policy

    Get out of the way of the Dev! Let Ops do real operations work! Reduce friction around deployments! Create systems that are built for change!

  • IT Policy for utilizing infrastructure

    IT Policy for configuring environments

    IT Policy for regulatory compliance

    IT Policy for securing access control

    IT Policy for implementing new technologies

    IT Policy for reliable deployments

    Distributed Policy Evalua3on & Enforcement is cri3cal to get Trust.

    Governance & Control are Priorities

  • What Does Kubernetes Offer Now? (stable)

    Compute resource limits! CPU! Memory!

    Object counts limits! Pods! Services! Secrets! RCs! PV claims!

    Per namespace (good!)!

  • Kubernetes is in Good Company

    EC2 instance parameters, network firewall control, network topologies!

    Role based access control! If team members have edit permission, then they can

    modify instances and also access the instances using ssh. If team members are authorized as owners, they are also able to create Google Compute Engine resources in the project.!

    Checkboxes, oh so many checkboxes!

  • What Would Be Better?

    Pervasive! Explicit! Automatically Enforced!

  • Pervasive Means:

    Resource limits! CPU! Memory! Per instance/total! Object counts! Disk space (!)! Network usage (!)!

  • Pervasive Means:

    Workload-to-workload connections! Per port, not per container! Per protocol, not per container! Automatic bi-directional trust is less


  • Pervasive Means:

    Ingress / Egress! External connectivity and routing!


  • Pervasive Means:

    Software components version control! Deployment pipeline!

  • Pervasive Means:

    Log access! Policy editing! Permissible operations between

    frontend and backend!

  • Policy Structure

    Language! Namespaces are important! With namespaces, you can target:!

    Per person, per project, !Per environment (dev/test/prod), !Per org unit (team, division, etc.)!

    Hierarchical namespaces are !even cooler!

  • Policy Structure: Tips

    Make sandboxes! Think hard about your structures! Apply policy as close to the leaves in

    your namespace as possible! Consider generating policy through


  • Apcera Platform

    A single, policy-driven, system that sits above all clouds, !private and public!

    Reduces complexity, while enabling enterprise-wide governance and maximum agility!

    Apcera enables cloud adoption with enterprise grade policy system

  • Lets Bring Kubernetes and Apcera Together

    Kubernetes provides good abstraction and great API!

    Apcera provides enterprise grade policy with support for hybrid-cloud and multi-workload!

    Support for Kubernetes API and abstraction with Apcera platform brings the best of both worlds!

  • Cloud Native Compute Node Kurma.io

    Minimalist OS designed to host containers, with a built in container engine and container management service.!!

    Built on the notion that everything is a container. Allows containers to be managed and orchestrated by other processes.!


  • Cloud Native Messaging (NATS.io)

    Light weight and high performance (~8M messages / sec) publish-subscribe and distributed queuing messaging system!

    Created by Derek Collison Architected Tibco Rendezvous, EMS and Cloud Foundry!

    Widely used (Cloud Foundry, Baidu, HTC, etc.). Docker image downloads available.!

    Sender Throughput (msg/sec) Receiver Throughput (msg/sec)

  • We are Hiring! Get in Touch!