Kubernetes and Docker are two of the top open source projects, and they’re built around abstractions and metadata. These two concepts are the key to architecting in the future. Come with me as I dig a little deeper into these concepts within k8s and Docker and provide some examples from my own work on Deployment Pipelines.
3. The current data center is...challenging...
[Diagram: a sprawl of hosts on RHEL 6.4, 6.6, 6.7, 6.8 and 6.9 plus Ubuntu Trusty, spread across Dev, Test and Prod, each with its own Admin]
@barkerd427
4. The new data center is understandable and usable.
[Diagram: a layered stack of Network, Storage, Compute, Platform and Deployment Pipeline, Developer Access on one side and Production Controlled on the other; every host is RHEL 6.9 running App1 or App2]
5. Docker - the early
● Docker is an abstraction
○ cgroups
○ Namespaces
● Not Included
○ Metadata
○ Volumes
○ Secrets
○ Services
○ Network
○ Plugins
16. Services
● Identifies a set of pods using label selectors
○ Can be any label
○ Should be specific to avoid picking up disparate applications unintentionally
● Passes requests to pods internally to a Kubernetes cluster
○ Routes and Services are different
● Provides an abstraction for a Route to pass traffic from outside the cluster to desired endpoints
18. One Route, One Service, One Application
[Diagram: Route -> Service -> Pod]
19. The Route directs to the Service application0
➜ ~ oc export routes application0
apiVersion: v1
kind: Route
[...]
spec:
  host: application0-presentation...
  to:
    kind: Service
    name: application0
    weight: 100
[...]
20. The Service matches on the label “deploymentconfig” with the value “application0”.
➜ ~ oc export svc application0
apiVersion: v1
kind: Service
spec:
  selector:
    deploymentconfig: application0
21. The Pod has many labels.
➜ ~ oc export -o yaml po/application0-1-ao16l
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: application0
    deploymentconfig: application0
    environment: dev
    partition: customerA
    release: stable
    tier: frontend
[...]
22. The Service now matches on the label “tier” with the value “frontend”.
➜ ~ oc export svc application0
apiVersion: v1
kind: Service
spec:
  selector:
    tier: frontend
23. One Route, One Service, Two Applications
[Diagram: one Route and one Service in front of two Applications]
24. Curling the same Route results in two different applications responding.
25. The Pod has many labels.
➜ ~ oc export -o yaml po/application0-beta-1-ao16l
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: application0-beta
    deploymentconfig: application0-beta
    environment: dev
    partition: customerA
    release: stable
    tier: frontend
[...]
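The over-broad selector on slide 22 can be caught before it reaches a cluster. The following is an added example (my own illustration, not code from the talk): it evaluates Service selectors against pod label sets the way Kubernetes does for equality-based selectors and flags any Service whose endpoints span more than one deploymentconfig. The pod label sets are constructed from slides 21 and 25; the Service names are made up for the example.

```python
# Added example: detect Service selectors that pick up more than one application.
# Service spec.selector is equality-based: every key must match exactly.

def selector_matches(selector, labels):
    """True if every selector key is present in labels with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())


def select_pods(selector, pods):
    """Names of the pods a Service with this selector would route to."""
    return [name for name, labels in pods.items() if selector_matches(selector, labels)]


def overbroad_selector_report(services, pods, identity_label="deploymentconfig"):
    """Per Service: matched pods, distinct identity_label values among them,
    and an 'overbroad' flag when more than one application is matched."""
    report = {}
    for svc, selector in services.items():
        matched = select_pods(selector, pods)
        apps = sorted({pods[p].get(identity_label, "<unlabelled>") for p in matched})
        report[svc] = {"pods": matched, "apps": apps, "overbroad": len(apps) > 1}
    return report


# Constructed sample data: the two pods from slides 21 and 25.
PODS = {
    "application0-1-ao16l": {
        "app": "application0", "deploymentconfig": "application0",
        "environment": "dev", "partition": "customerA",
        "release": "stable", "tier": "frontend",
    },
    "application0-beta-1-ao16l": {
        "app": "application0-beta", "deploymentconfig": "application0-beta",
        "environment": "dev", "partition": "customerA",
        "release": "stable", "tier": "frontend",
    },
}

# Hypothetical Service names; the selectors are the ones from slides 20 and 22.
SERVICES = {
    "application0-specific": {"deploymentconfig": "application0"},
    "application0-broad": {"tier": "frontend"},
}

if __name__ == "__main__":
    for svc, r in overbroad_selector_report(SERVICES, PODS).items():
        flag = "OVERBROAD" if r["overbroad"] else "ok"
        print(f"{svc}: {flag} pods={r['pods']} apps={r['apps']}")
```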
36. Operators
● Represents human operational knowledge in software to reliably manage an application
○ AI?
● Uses the Kubernetes concept of 3rd-party resources
○ Operates as a controller of controllers and resources
● Identical model to current Kubernetes controllers
○ Observe, Analyze, Act
○ Deployments, DaemonSets, ReplicationControllers
● Not supported in OpenShift
37. Operators
● Deployed into a k8s cluster
● Interactions occur through the new controller
○ kubectl get prometheuses --all-namespaces
○ kubectl get alertmanagers --all-namespaces
● Abstraction around k8s primitives
○ Users just want to use a MySQL cluster.
● Complex tasks that can be performed
○ Rotating credentials, certs, versions
○ Perform backups
45. The value of Pipelines
● Abstract the details of audit and compliance
○ Approvals are added dynamically and automatically
● Trivialities eliminated
○ Tabs vs. spaces
○ Curly braces placement
○ Semicolons or not
● Security checks occur early and often with helpful feedback
○ When a violation of policy or a vulnerability is detected, a direction for remediating it should be provided, with additional resources or contacts available
46. The value of Pipelines
● Inject security testing across all applications easily
● Update security tooling and configuration centrally
● Utilize common artifact repositories
○ Restrict undesirable dependencies
○ Notify dependent applications when a vulnerability is discovered
● Standardized/Centralized approval system for Audit/Compliance
● Applications will become secure by default as the pipeline enforces additional policies