kubernetes, the day after
Post on 23-Jan-2017
Neeraj Gupta (@negupta) SVP Product and Engineering
Kubernetes, The Day After
Not an in-depth technical Kubernetes talk.
Operating a system like Kubernetes in production.
Cloud native infrastructure.
Based on lessons learned.
Start at the End
Production environments are all about trust.
What does a workload contain?
Where does a workload run?
Are the right resources in play for the right workload?
Can information flow only in a secure manner?
The bigger the deployment, the harder it is to maintain that trust.
Super hard with multi-clouds.
The Best Tool to Get to Trust: Policy
Get out of the way of the Dev.
Let Ops do real operations work.
Reduce friction around deployments.
Create systems that are built for change.
IT Policy for utilizing infrastructure
IT Policy for configuring environments
IT Policy for regulatory compliance
IT Policy for securing access control
IT Policy for implementing new technologies
IT Policy for reliable deployments
Distributed Policy Evaluation & Enforcement is critical to get Trust.
Governance & Control are Priorities
What Does Kubernetes Offer Now? (stable)
Compute resource limits: CPU, memory
Object count limits: Pods, Services, Secrets, RCs (replication controllers), PV claims
Per namespace (good!)
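The per-namespace quota the slide describes, written out as Kubernetes manifests. This is an added example and not material from the talk or from Apcera; the namespace name, labels and every number are constructed. It also follows the later slide's advice of carving namespaces per team and per environment, and adds a LimitRange, because a quota on requests.cpu and requests.memory rejects any pod that does not declare requests unless defaults are supplied.

```yaml
# Added example (not from the talk or from Apcera): one namespace per
# team and environment, carrying the quota the slide describes.
# All names and numbers are constructed.
apiVersion: v1
kind: Namespace
metadata:
  name: payments-prod            # constructed: <team>-<environment>
  labels:
    team: payments
    env: prod
---
# Hard caps, scoped to the namespace above.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: payments-prod-quota
  namespace: payments-prod
spec:
  hard:
    # Compute resource limits (CPU, memory), summed over all pods
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
    # Object count limits
    pods: "40"
    services: "10"
    secrets: "20"
    replicationcontrollers: "10"
    persistentvolumeclaims: "8"
    requests.storage: 200Gi      # total PVC storage the namespace may claim
---
# Caveat: once the quota caps requests.cpu/requests.memory, a pod that
# declares no requests is rejected at admission. A LimitRange supplies
# defaults so such pods are admitted and still counted against the quota.
apiVersion: v1
kind: LimitRange
metadata:
  name: payments-prod-defaults
  namespace: payments-prod
spec:
  limits:
  - type: Container
    defaultRequest:
      cpu: 100m
      memory: 128Mi
    default:
      cpu: 500m
      memory: 512Mi
```

Apply with `kubectl apply -f` and then `kubectl describe resourcequota payments-prod-quota -n payments-prod`, which lists each resource with its Used and Hard values; a create that would cross a Hard value is refused by the API server with an "exceeded quota" error rather than scheduled and later evicted, which is the point of enforcing policy at admission.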
Kubernetes is in Good Company
EC2 instance parameters, network firewall control, network topologies
Role-based access control: "If team members have edit permission, then they can modify instances and also access the instances using ssh. If team members are authorized as owners, they are also able to create Google Compute Engine resources in the project."
Checkboxes, oh so many checkboxes!
What Would Be Better?
Pervasive. Explicit. Automatically enforced.
Resource limits: CPU, memory, per instance and in total; object counts; disk space (!); network usage (!)
Workload-to-workload connections: per port, not per container; per protocol, not per container. Automatic bi-directional trust is less
Ingress / Egress: external connectivity and routing
Software component version control; deployment pipeline
Log access; policy editing; permissible operations between frontend and backend
Language: namespaces are important. With namespaces, you can target:
Per person, per project
Per environment (dev/test/prod)
Per org unit (team, division, etc.)
Hierarchical namespaces are even cooler.
Policy Structure: Tips
Make sandboxes.
Think hard about your structures.
Apply policy as close to the leaves in your namespace as possible.
Consider generating policy through
A single, policy-driven system that sits above all clouds, private and public.
Reduces complexity, while enabling enterprise-wide governance and maximum agility.
Apcera enables cloud adoption with an enterprise-grade policy system.
Let's Bring Kubernetes and Apcera Together
Kubernetes provides good abstraction and a great API.
Apcera provides enterprise-grade policy with support for hybrid-cloud and multi-workload.
Support for the Kubernetes API and abstraction on the Apcera platform brings the best of both worlds.
Cloud Native Compute Node Kurma.io
Minimalist OS designed to host containers, with a built-in container engine and container management service.
Built on the notion that everything is a container. Allows containers to be managed and orchestrated by other processes.
Cloud Native Messaging (NATS.io)
Lightweight and high-performance (~8M messages/sec) publish-subscribe and distributed queuing messaging system.
Created by Derek Collison, who architected Tibco Rendezvous, EMS and Cloud Foundry.
Widely used (Cloud Foundry, Baidu, HTC, etc.). Docker image downloads available.
[Chart: Sender Throughput (msg/sec) vs. Receiver Throughput (msg/sec)]
We are Hiring! Get in Touch!