Kubernetes and Docker are two of the top open source projects, and they’re built around abstractions and metadata. These two concepts are the key to architecting in the future. Come with me as I dig a little deeper into these concepts within k8s and Docker and provide some examples from my own work.
4. The current data center is...challenging...
[Diagram: a sprawl of hand-built nodes running RHEL 6.4, 6.6, 6.7, 6.8, 6.9 and Ubuntu Trusty, each tagged Dev, Test or Prod, with a separate Admin for every node]
@barkerd427
5. The new data center is understandable and usable.
[Diagram: developer access on one side, production controlled on the other; layers Network, Storage, Compute, Platform and Deployment Pipeline; every node is RHEL 6.9, running either App1 or App2]
6. Docker - the early
● Docker is an abstraction
○ cgroups
○ Namespaces
● Not Included
○ Metadata
○ Volumes
○ Secrets
○ Services
○ Network
14. Security
Linux Kernel Capabilities
● Specific privs
● Restricted defaults
● Not granular enough
● Still an improvement
Seccomp Security Profiles
● Syscall granularity
● Sane defaults
● Least privilege
● Big improvement
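As an added example (not from the deck), the check below inspects a Pod manifest for the two mechanisms the slide names: capabilities that are dropped rather than inherited from the runtime's default set, and a seccomp profile applied at Pod or container level. The manifests are constructed; the field names (securityContext, capabilities.drop, seccompProfile.type) are the real Kubernetes ones, and the seccomp check uses the current securityContext.seccompProfile field rather than the older annotation, which is an assumption about the cluster version. The set of "risky" capabilities is a constructed subset for illustration.

```python
"""Policy check for capabilities and seccomp on a Pod manifest (added example)."""

# Constructed subset of capabilities a web workload almost never needs.
RISKY_CAPS = {"NET_RAW", "SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "SYS_MODULE"}


def container_findings(container):
    """Return a list of findings (strings) for one container spec."""
    findings = []
    sc = container.get("securityContext", {})
    caps = sc.get("capabilities", {})
    dropped = set(caps.get("drop", []))
    added = set(caps.get("add", []))
    name = container.get("name", "<unnamed>")

    if sc.get("privileged"):
        findings.append(f"{name}: privileged=true bypasses capabilities and seccomp entirely")
    if "ALL" not in dropped:
        # Without drop: ["ALL"] the container keeps the runtime's default capability set.
        findings.append(f"{name}: does not drop ALL capabilities")
    for cap in sorted(added & RISKY_CAPS):
        findings.append(f"{name}: adds high-risk capability {cap}")
    return findings


def pod_findings(pod):
    """Evaluate capabilities per container and the effective seccomp profile."""
    findings = []
    spec = pod["spec"]
    pod_seccomp = spec.get("securityContext", {}).get("seccompProfile", {}).get("type")
    for c in spec["containers"]:
        findings.extend(container_findings(c))
        # A container-level profile overrides the Pod-level one.
        c_seccomp = c.get("securityContext", {}).get("seccompProfile", {}).get("type")
        effective = c_seccomp or pod_seccomp
        if effective not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{c['name']}: no seccomp profile (effective type: {effective})")
    return findings


# Constructed manifests: one as a developer might first write it, one hardened.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "application0-weak"},
    "spec": {"containers": [{
        "name": "web", "image": "registry.example/app0:1.0",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
    }]},
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "application0-hardened"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web", "image": "registry.example/app0:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], pod_findings(pod) or ["ok"])
```

The same logic can run as an admission check or a CI step over exported manifests; the point the slide makes is that dropping ALL and adding back only NET_BIND_SERVICE is the capability-level approximation of least privilege, and the seccomp profile then narrows the remaining syscalls.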
17. Services
● Identifies pods using label selectors
○ Any label
○ Specific to avoid errant selections
● Passes requests to pods internally
○ Routes and Services are different
● Abstraction for a Route to pass traffic
19. One Route, One Service, One Application
[Diagram: Route -> Service -> Pod]
20. The Route directs to the Service application0
➜ ~ oc export routes application0
apiVersion: v1
kind: Route
[...]
spec:
  host: application0-presentation...
  to:
    kind: Service
    name: application0
    weight: 100
[...]
21. The Service matches on the label “deploymentconfig” with the value “application0”.
➜ ~ oc export svc application0
apiVersion: v1
kind: Service
spec:
  selector:
    deploymentconfig: application0
22. The Pod has many labels.
➜ ~ oc export -o yaml po/application0-1-ao16l
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: application0
    deploymentconfig: application0
    environment: dev
    partition: customerA
    release: stable
    tier: frontend
[...]
23. The Service now matches on the label “tier” with the value “frontend”.
➜ ~ oc export svc application0
apiVersion: v1
kind: Service
spec:
  selector:
    tier: frontend
24. One Route, One Service, Two Applications
[Diagram: one Route -> one Service -> two Applications]
25. Curling the same Route results in two different applications responding.
26. The Pod has many labels.
➜ ~ oc export -o yaml po/application0-beta-1-ao16l
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: application0-beta
    deploymentconfig: application0-beta
    environment: dev
    partition: customerA
    release: stable
    tier: frontend
[...]
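Slides 21 through 26 show the same Service selecting one Pod and then, after the selector changes to tier=frontend, two Pods from different DeploymentConfigs. As an added example (not from the deck), the code below replays that selection in plain Python over the two Pods' labels exactly as exported, using Kubernetes equality-based selector semantics (every key/value pair in the selector must be present in the Pod's labels), and adds a small lint that flags a selector spanning more than one deploymentconfig. The lint rule and its wording are constructed; the Pod names and labels are the ones on the slides.

```python
"""Replay Service label selection over the two exported Pods (added example)."""

# Labels copied from the oc export output on the slides.
PODS = {
    "application0-1-ao16l": {
        "app": "application0",
        "deploymentconfig": "application0",
        "environment": "dev",
        "partition": "customerA",
        "release": "stable",
        "tier": "frontend",
    },
    "application0-beta-1-ao16l": {
        "app": "application0-beta",
        "deploymentconfig": "application0-beta",
        "environment": "dev",
        "partition": "customerA",
        "release": "stable",
        "tier": "frontend",
    },
}


def matches(selector, labels):
    """Equality-based selector: every selector pair must appear in the labels."""
    return all(labels.get(k) == v for k, v in selector.items())


def select_pods(selector, pods=PODS):
    """Sorted names of the Pods a Service with this selector would route to."""
    return sorted(name for name, labels in pods.items() if matches(selector, labels))


def backing_workloads(selector, pods=PODS):
    """Distinct deploymentconfig values behind the selector.  More than one means a
    single Service is mixing traffic across separately deployed applications."""
    return sorted({pods[n].get("deploymentconfig", "<none>") for n in select_pods(selector, pods)})


def lint_selector(selector, pods=PODS):
    """Constructed lint: warn on a selector that spans several workloads or matches nothing."""
    chosen = select_pods(selector, pods)
    if not chosen:
        return "no endpoints: selector matches no Pods"
    workloads = backing_workloads(selector, pods)
    if len(workloads) > 1:
        return "errant selection: selector spans " + ", ".join(workloads)
    return "ok: selector matches only " + workloads[0]


if __name__ == "__main__":
    # Slide 21: the specific selector picks one Pod.
    print(select_pods({"deploymentconfig": "application0"}))
    # Slide 23: the broad selector picks both, which is what slide 25's curl shows.
    print(select_pods({"tier": "frontend"}))
    print(lint_selector({"tier": "frontend"}))
```

Run against a real cluster, the equivalent is listing Pods with the Service's selector and grouping by deploymentconfig (or app) before the Service is applied; the one-line rule here is what a pipeline step would enforce to keep the selector specific.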
36. Operators
● Represents human operational knowledge in software
● Uses 3rd-party resources
○ Controller of controllers and resources
● Identical model to k8s controllers
○ OODA Loop
● Not supported in OpenShift
37. Operators
● Deployed into k8s cluster
● Interactions through new controller
○ kubectl get prometheuses
○ kubectl get alertmanagers
● Abstraction around k8s primitives
○ Users just want to use a MySQL cluster.
● Complex tasks that can be performed
○ Rotating credentials, certs, versions, backups
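Slides 36 and 37 describe an operator as a controller running the same observe/compare/act loop as the built-in k8s controllers, driven by a custom resource that expresses what the user wants (a MySQL cluster at some version with rotated credentials). As an added example, and not code from any real operator (the Prometheus and MySQL operators the slides mention differ in detail), the loop below reconciles an in-memory "cluster" toward a constructed MySQLClusterSpec one step per pass, including a credential rotation when the credential is older than the spec allows. The resource fields, the in-memory cluster model and the action strings are all constructed.

```python
"""Minimal operator-style reconcile loop (added example, not a real operator)."""

from dataclasses import dataclass, field


@dataclass
class MySQLClusterSpec:
    """Desired state, as a user would write it in a custom resource (constructed)."""
    replicas: int
    version: str
    credential_max_age_days: int


@dataclass
class Cluster:
    """Stand-in for observed state that a real controller would list via the API."""
    pods: dict = field(default_factory=dict)   # pod name -> running version
    credential_age_days: int = 0


def reconcile(spec, cluster):
    """One pass of the loop.  Returns the actions taken; an empty list means converged.
    Each pass does a single idempotent step so repeated calls are safe."""
    actions = []
    # Observe/orient: which pods are on the wrong version?
    stale = [name for name, version in cluster.pods.items() if version != spec.version]
    # Decide/act: upgrades first, then scale, then housekeeping such as rotation.
    if stale:
        name = sorted(stale)[0]
        cluster.pods[name] = spec.version
        actions.append(f"upgrade {name} to {spec.version}")
    elif len(cluster.pods) < spec.replicas:
        name = f"mysql-{len(cluster.pods)}"
        cluster.pods[name] = spec.version
        actions.append(f"create {name}")
    elif len(cluster.pods) > spec.replicas:
        name = sorted(cluster.pods)[-1]
        del cluster.pods[name]
        actions.append(f"delete {name}")
    elif cluster.credential_age_days >= spec.credential_max_age_days:
        cluster.credential_age_days = 0
        actions.append("rotate credentials")
    return actions


def run_until_converged(spec, cluster, max_passes=20):
    """Drive the loop until a pass takes no action, returning the action log."""
    log = []
    for _ in range(max_passes):
        actions = reconcile(spec, cluster)
        if not actions:
            return log
        log.extend(actions)
    raise RuntimeError("did not converge")


if __name__ == "__main__":
    spec = MySQLClusterSpec(replicas=3, version="8.0", credential_max_age_days=30)
    cluster = Cluster(pods={"mysql-0": "5.7"}, credential_age_days=45)
    for action in run_until_converged(spec, cluster):
        print(action)
```

The property worth noticing is that the loop is level-triggered: it reads current state on every pass instead of reacting to an event once, so a missed event or a crash mid-run is repaired by the next pass, which is the same reason the built-in controllers are written this way.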
44. The value of Pipelines
● Abstract audit and compliance
○ Approvals added dynamically
● Trivialities eliminated
○ Tabs vs. spaces
○ Semicolons or not
● Security checks occur early and often
○ Feedback is important
45. The value of Pipelines
● Test all the things!
● Nimble security
● Common artifact repositories
○ Restrict dependencies
○ Automated security vulnerability notification
● Standardized/Centralized approval system
● Applications will become secure by default
47. Help us get better!
Please provide feedback on…
my talk: http://bit.ly/BSidesKCTalkEval
the conference: http://bit.ly/BSidesKCEventEval
anything else: http://bit.ly/IqT6zt
Editor's Notes
Start with one admin and one dev.
The dev needs prod access, so we’ll just stand up a new node.
Decide to add another app.
Then another environment.
Need a 6.8 to match test.
Where did 6.4 come from?
6.7 matches the dev/prod host
Ubuntu!!!
And a 6.6 to match prod after experiencing additional problems when migrating.
Scale admins!!!
Need another. Then another.
Then dev is duplicated in test and prod, because requirements...revenue...clients...whatever it takes to get it into prod
Where did 6.6 go?
Ubuntu!!!
The new platform will bring consistency to the developer.
These were dark days. I began working with Docker in late 2013.
Docker slowly expanded their feature set with additional abstractions
metadata via labels
Not all were around at the beginning, but most were. We’ll only discuss a couple.
Not all were around at the beginning, but most were. We’ll only discuss a couple.
Change to match on tier.
Labels can be dangerous if not used correctly. Notice that the Service is the same, but the DeploymentConfig is different.
Applications that are truly different could wreak havoc with requestors. I can actually create a service that uses two separate sites as the backend.
Change to match on tier.
This is one way to do an A/B test, but there are much better solutions built into OpenShift.
The time of secret potions and illusions is over.
It’s time we codify our knowledge to be leveraged by others.