Reduce middleware complexity with Kubernetes
1. Unleashing K8S to reduce complexities of an entire middleware platform
Director - Architecture, WSO2
Afkham Azeez
Director - Cloud Architecture, WSO2
Lakmal Warusawithana
5. So what has this session got to do with Kubernetes?
Why are these guys at KubeCon?
Credits: http://texas-blooms.com/valentines-day-flowers-a-guys-guide/
9. Issues with Shared Process Multi-tenancy (MT)
● Difficult to control how many resources a tenant can use
● Complex Java Security management
● Too many security restrictions at runtime
10. Kubernetes to the rescue!
● K8S Namespaces
● K8S Quota
● K8S Health Monitoring
● K8S Rolling Update
● K8S Secret Sharing and Volume Mounting
● K8S Autoscaling
● K8S Identity and Access Management
11. Execution Isolation with K8S Namespaces
● Tenant mapped to a k8s namespace
● Namespace provides the scope for pods, services, and replication controllers in the cluster
● Users of a tenant interacting with one namespace do not see the content in another namespace
● Different authorization rules for each namespace.
12. K8S Resource Controlling using Quota
● Tenant creation assigns a Resource Quota to each namespace
● Compute Resource Quota
○ Total CPU limits of containers
○ Total memory limits of containers
● Object Count Quota
○ Total number of pods
○ Total number of services
○ Total number of replication controllers
○ Total number of secrets
○ Total number of persistent volume claims
13. K8S Resource Controlling using Quota
$ kubectl describe quota quota
Name:                   quota
Resource                Used    Hard
--------                ----    ----
cpu                     0m      20
memory                  0       1Gi
pods                    5       10
replicationcontrollers  5       20
resourcequotas          1       1
services                3       5
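Added example, not part of the slides: a small Python check that parses the `kubectl describe quota` output above, normalises Kubernetes quantities (m, Gi, Mi, ...) into plain numbers, and reports which of a tenant's quota resources have reached a chosen share of their hard limit. The sample output is a constructed copy of the slide's table; the threshold value is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed copy of the `kubectl describe quota` output shown on slide 13.
SAMPLE_DESCRIBE = """\
Name: quota
Resource Used Hard
-------- ---- ----
cpu 0m 20
memory 0 1Gi
pods 5 10
replicationcontrollers 5 20
resourcequotas 1 1
services 3 5
"""

# Kubernetes quantity suffixes, normalised to base units (cores, bytes, counts).
_SUFFIX = {"m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12,
           "Ki": 2 ** 10, "Mi": 2 ** 20, "Gi": 2 ** 30, "Ti": 2 ** 40}

def parse_quantity(text: str) -> float:
    """Convert a quantity such as '20', '0m' or '1Gi' to a plain float."""
    match = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", text.strip())
    if not match:
        raise ValueError(f"unrecognised quantity: {text!r}")
    number, suffix = match.groups()
    if suffix and suffix not in _SUFFIX:
        raise ValueError(f"unknown unit suffix in {text!r}")
    return float(number) * _SUFFIX.get(suffix, 1.0)

def parse_describe_quota(output: str) -> Dict[str, Tuple[float, float]]:
    """Return {resource: (used, hard)} from `kubectl describe quota` text."""
    usage = {}
    for line in output.splitlines():
        parts = line.split()
        # Skip the Name line, the column header and the dashed separator.
        if len(parts) != 3 or parts[0] == "Resource" or parts[0].startswith("-"):
            continue
        usage[parts[0]] = (parse_quantity(parts[1]), parse_quantity(parts[2]))
    return usage

def saturated_resources(usage: Dict[str, Tuple[float, float]],
                        threshold: float = 0.8) -> List[str]:
    """Names of resources whose used/hard ratio has reached the threshold."""
    hot = []
    for name, (used, hard) in usage.items():
        ratio = used / hard if hard else 1.0  # a zero hard limit is already full
        if ratio >= threshold:
            hot.append(name)
    return hot
```

Run periodically per tenant namespace, this is a cheap early warning that a tenant is about to hit its quota (and that new pods or services will start failing admission) before users report it.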
14. K8S Health Monitoring
● Process Health Checking
○ The Kubelet constantly asks the Docker daemon if the container process is still running, and if not, the container process is restarted
● Application Health Checking
○ HTTP Health Checks - The Kubelet will call a web hook. If it returns between 200 and 399, it is considered success, failure otherwise.
○ Container Exec - The Kubelet will execute a command inside your container. If it exits with status 0 it will be considered a success
○ TCP Socket - The Kubelet will attempt to open a socket to your container. If it can establish a connection, the container is considered healthy, if it can't it is considered a failure.
15. K8S Rolling Update
● Tenant's application artifacts are burned into the docker image
● New artifacts create new docker images with new versioning/tag number
● Update replication controller using rolling-update
○ It will create new rc with a pod template that uses the new docker image
○ Scale the old and new replication controllers until the new controller replaces the old. This will kill the current pods one at a time, spinning up new ones to replace them
16. K8S Secret Sharing
● Objects of type secret are intended to hold sensitive information, such as passwords, OAuth tokens, and ssh keys
● Secret volumes are backed by tmpfs (a RAM-backed filesystem) so they are never written to non-volatile storage
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  password: dmFsdWUtMg0K
  username: dmFsdWUtMQ0K
18. K8s Identity and Access Management with WSO2 Identity Server
● User Roles
○ Carbon Super Admin - k8s Admin
○ Carbon Tenant Admin - k8s project administrator
○ Carbon Tenant Users - k8s developer
● User Store - LDAP
● Authentication
● Authorization
19. Ops work
● Planning to use kubectl for deploying and managing WSO2 multitenant products
● We believe all necessary ops functionality is available in kubectl
● If we see gaps, we hope to contribute back to the community
20. WSO2 Microservices Server (MSS)
● Lightweight & fast Java microservices server
● Default deployment mode is based on Docker &
Kubernetes
● GitHub: https://github.com/wso2/product-mss
● 1.0-alpha available for download: https://github.com/wso2/product-mss/releases