The document is a presentation by Dan Barker at BSidesKC 2017 discussing improvements in data center architecture and application deployment using technologies like Docker, Kubernetes, and OpenShift. It covers key concepts such as microservices, pipeline configurations, and security measures, highlighting the benefits of modern orchestrations and abstractions in software deployment and management. The talk emphasizes the importance of services, imagestreams, and automated processes to enhance developer experience and application security.

1. Thank you to our BSidesKC 2017 sponsors!

2. Architecting the Future
Abstractions and Metadata
Dan Barker @barkerd427
danbarker.codes

4. The current data center is...challenging...
RHEL
6.9
Dev
RHEL
6.8
Test
RHEL
6.6
Prod
Dev Test Prod
RHEL
6.7
Prod
Admin Admin Admin Admin Admin Admin
Dev
RHEL
6.7
Dev
RHEL
6.4
Dev
RHEL
6.8
Dev
Ubuntu
Trusty
RHEL
6.9
Dev
RHEL
6.6
Dev
Ubuntu
Trusty
RHEL
6.7
Dev
RHEL
6.4
Dev
RHEL
6.8
Dev
Ubuntu
Trusty
RHEL
6.9
Dev
RHEL
6.6
Dev
RHEL
6.7
Dev
RHEL
6.4
Dev
RHEL
6.8
Dev
Ubuntu
Trusty
RHEL
6.9
Dev
RHEL
6.6
Dev
@barkerd427

5. The new data center is understandable and usable.
Developer Access Production Controlled
Network
Storage
Compute
Platform
Deployment Pipeline
RHEL
6.9
App1
RHEL
6.9
App1
RHEL
6.9
App1
RHEL
6.9
App1
RHEL
6.9
App1
RHEL
6.9
App1
RHEL
6.9
App2
RHEL
6.9
App2
RHEL
6.9
App2
RHEL
6.9
App2
RHEL
6.9
App2
RHEL
6.9
App2
@barkerd427

6. Docker - the early
● Docker is an
abstraction
○ cgroups
○ Namespaces
@barkerd427
● Not Included
○ Metadata
○ Volumes
○ Secrets
○ Services
○ Network

7. Docker - the latter
● Volumes
● Secrets
● Networks
@barkerd427
● Plugins
● Services
● Labels

8. https://devopscube.com

9. http://isagoksu.com/

10. Kubernetes (k8s)
● Secrets
● PersistentVolumes
● Services
● Pods
@barkerd427
● Ingress
● DaemonSets
● ReplicaSets
● Deployments

11. Kubernetes Architecture
https://www.slideshare.net/erialc_w/kubernetes-50626679

12. OpenShift
● Routes > Ingress
● DeploymentConfig
> Deployments
@barkerd427
● ImageStream
● BuildConfig

13. http://blog.
openshift.
com

14. Security
Linux Kernel Capabilities
● Specific privs
● Restricted defaults
● Not granular enough
● Still an improvement
Seccomp Security Profiles
● Syscall granularity
● Sane defaults
● Least privilege
● Big improvement
@barkerd427

16. Services will
change your life
@barkerd427

17. Services
● Identifies pods using label selectors
○ Any label
○ Specific to avoid errant selections
● Passes requests to pods internally
○ Routes and Services are different
● Abstraction for a Route to pass traffic
@barkerd427

18. Services
http://blog.openshift.com

19. One Route, One Service, One Application
Route
Service
Pod
@barkerd427

20. The Route directs to the Service application0
➜ ~ oc export routes application0
apiVersion: v1
kind: Route
[...]
spec:
host: application0-presentation...
to:
kind: Service
name: application0
weight: 100
[...]
@barkerd427

21. The Service matches on the label “deploymentconfig” with the value “application0”.
➜ ~ oc export svc application0
apiVersion: v1
kind: Service
spec:
selector:
deploymentconfig: application0
@barkerd427

22. The Pod has many labels.
➜ ~ oc export -o yaml po/application0-1-ao16l
apiVersion: v1
kind: Pod
metadata:
labels:
app: application0
deploymentconfig: application0
environment: dev
partition: customerA
release: stable
tier: frontend
[...]
@barkerd427

23. The Service now matches on the label “tier” with the value “frontend”.
➜ ~ oc export svc application0
apiVersion: v1
kind: Service
spec:
selector:
tier: frontend
@barkerd427

24. One Route, One Service, Two Applications
Route
Application
Application
Service
Service
@barkerd427

25. Curling the same Route results in two different applications responding. @barkerd427

26. The Pod has many labels.
➜ ~ oc export -o yaml po/application0-beta-1-ao16l
apiVersion: v1
kind: Pod
metadata:
labels:
app: application0-beta
deploymentconfig: application0-beta
environment: dev
partition: customerA
release: stable
tier: frontend
[...]
@barkerd427

27. We’ve deleted application1 and added application0-beta. @barkerd427

28. ImageStreams
are an image
abstraction
@barkerd427

29. ImageStreams
● Contains images from:
○ Integrated registry
○ Other ImageStreams
○ External registries
● Automatic event triggers
http://blog.openshift.com
@barkerd427

30. ImageStreams - Metadata
● Commands
● Entrypoint
● EnvVars
@barkerd427
● Layers
● Labels
● Ports

31. http://blog.openshift.com
ImageStreams

33. CoreOS
Operators are
magical
(not really)
@barkerd427

34. Not this

35. This

36. Operators
● Represents human
operational knowledge
in software
● Uses 3rd-party
resources
○ Controller of controllers and
resources
@barkerd427
● Identical model to k8s
controllers
○ OODA Loop
● Not supported in
OpenShift

37. Operators
● Deployed into k8s
cluster
● Interactions through
new controller
○ kubectl get prometheuses
○ kubectl get alertmanagers
@barkerd427
● Abstraction around k8s
primitives
○ Users just want to use a MySQL
cluster.
● Complex tasks that can
be performed
○ Rotating credentials, certs, versions,
backups

40. Deployment
Pipeline’s have
fallen behind
@barkerd427

41. Pipelines
● Stages
● Steps
● Application
@barkerd427
● PipelineTemplate
● PipelineConfig

42. An Application includes a Pipeline, based on an opinionated PipelineTemplate. These combine as a PipelineConfig.
apiVersion: v1
kind: Application
name: app1
cap:
template:
name: approvedTemplates/Tomcat8.yaml
pipeline:
notifications:
mattermost:
team: cloud
channel: general
on_success: never
on_failure: always
dependencies:
- name: authn
dnsName: authn
- name: key-management
username: reference_to_username
password: reference_to_password
stages:
- name: build
steps:
- action: build
baseImage:
version: 8.0.41
- name: dev
approvers:
- role: app1-dev
steps:
- action: deploy
params:
environment: dev
apiVersion: v1
kind: PipelineTemplate
name: Tomcat8
labels:
type: application
build:
manager: maven
version: latest
builderImage: java8-builder
version: latest
baseImage: tomcat8
version: latest
deploy:
deploymentType: canary
maxUnavailable: 10%
maxSurge: 20%
apiVersion: v1
kind: PipelineConfig
name: app1-pipeline
labels:
type: application
pipeline:
notifications:
mattermost:
team: cloud
channel: general
on_success: never
on_failure: always
dependencies:
- name: authn
dnsName: authn
- name: key-management
username: reference_to_username
password: reference_to_password
stages:
- name: build
steps:
- action: build
manager: maven
builderImage: java8-builder
baseImage: tomcat8
version: 8.0.41
- name: dev
approvers:
- role: app1-dev
steps:
- action: deploy
params:
environment: dev
@barkerd427

43. An Application and PipelineTemplate also combine to create a DeploymentConfig.
apiVersion: v1
kind: Application
name: app1
cap:
template:
name: approvedTemplates/Tomcat8.yaml
pipeline:
notifications:
mattermost:
team: cloud
channel: general
on_success: never
on_failure: always
dependencies:
- name: authn
dnsName: authn
- name: key-management
username: reference_to_username
password: reference_to_password
stages:
- name: build
steps:
- action: build
baseImage:
version: 8.0.41
- name: dev
approvers:
- role: app1-dev
steps:
- action: deploy
params:
environment: dev
apiVersion: v1
kind: PipelineTemplate
name: Tomcat8
labels:
type: application
build:
manager: maven
version: latest
builderImage: java8-builder
version: latest
baseImage: tomcat8
version: latest
deploy:
deploymentType: canary
maxUnavailable: 10%
maxSurge: 20%
apiVersion: v1
kind: DeploymentConfig
metadata:
name: app1-pipeline
type: application
spec:
replicas: 2
selector:
name: frontend
template: { ... }
triggers:
- type: ConfigChange
- imageChangeParams:
automatic: true
containerNames:
- helloworld
from:
kind: ImageStreamTag
name: hello-openshift:latest
type: ImageChange
strategy:
type: Rolling
@barkerd427

44. The value of Pipelines
● Abstract audit and compliance
○ Approvals added dynamically
● Trivialities eliminated
○ Tabs vs. spaces
○ Semicolons or not
● Security checks occur early and often
○ Feedback is important
@barkerd427

45. The value of Pipelines
● Test all the things!
● Nimble security
● Common artifact repositories
○ Restrict dependencies
○ Automated security vulnerability notification
● Standardized/Centralized approval system
● Applications will become secure by default
@barkerd427

46. Thanks!
Contact me:
Dan Barker
drbarker@dstsystems.com
dan@danbarker.codes
danbarker.codes
@barkerd427

47. Help us get better!
my talk
http://bit.ly/BSidesKCTal
kEval
the conference
http://bit.ly/BSidesKCEv
entEval
anything else
http://bit.ly/IqT6zt
Please provide feedback on…