Flink Forward Berlin 2018: Edward Alexander Rojas Clavijo - "Deploying a secured Flink cluster on Kubernetes"

•

1 like•706 views

One of the main sources of concerns when switching to the container paradigm is security. When dealing with big amounts of sensitive customer data it’s very important to be able to guarantee that the data is transported safely between the different components of the system. This talk will focus on how to setup a Flink cluster to run on a Kubernetes environment taking into account all security aspects to ensure secured communication between the nodes of the cluster, state backend and also for job submission, all taking advantage of Kubernetes tools.

Technology

Deploying a secured Flink
cluster on Kubernetes
Edward Rojas Clavijo
Software Engineer
IBM France

Use case
• Multiple sources of data => Kafka
• Different storage targets
• Multiple environments
• Sensitive customer data => Secured
• Highly available
• Fault tolerant

Zookeeper
Job Manager
HA
Task Manager
Task Manager
Task Manager
Task Manager
Task Manager
Storage
checkpoints
/ savepoints
Flink
Client
Flink
Client
Flink
Client
Submit job
Flink Architecture – use case
1.5.3

Flink on Kubernetes
JM
Service
TM
Flink
Client
TM
TM
JM
JM
Deployment
TM
Deployment
Pods
• Job Manager Deployment
• Maintain 1 replica
• Job Manager Service
• Task Manager Deployment
• Maintain n replicas
• One Pod per Flink Job
• Fixed amount of jobs
• Endless stateful jobs
• ConfigMap for flink conf

Flink SSL/TLS
• Certificates generation
• Dynamic IP
• TM Dynamic hostnames
JM
Service
TM
Flink
Client
TM
TM
JM
JM
Deployment
TM
Deployment
Pods

Flink SSL/TLS
• Hostname validation
• Task managers => Statefulset
• Predictable hostnames
• flink-tm-0.flink-tm-svc.<namespace>.svc.cluster.local
• flink-tm-1.flink-tm-svc.<namespace>.svc.cluster.local
JM
Service
TM
Flink
Client
TM
TM
JM
JM
Deployment
TM
Statefulset
Pods
TM
Service
TM service
• Wildcard certificate

Flink SSL/TLS
• One single purpose certificate
• Truststore and Keystore with only that certificate
• Deactivate hostname validation
Expose as secrets
Mount on Pods
base64 encoded

Sources and Sinks
SSL
SASLHTTPS
Kerberos

Sources and Sinks - Kerberos
• Keytab file exposed as k8s secret
• Configuration properties on ConfigMap => env vars
• Realm, Principal, KDC
• Dockerfile
• COPY krb5.conf template – /etc/krb5.conf - set access rights
• COPY core-site.xml template
• Docker entrypoint:
• Set krb5.conf
• Flag for each service
• Set flink conf properties
• Set hadoop conf
• Kafka consumer/producer
• sasl.kerberos.service.name
• security.protocol => SASL_PLAINTEXT

$Sources and Sinks - SSL • Expose certificates as secrets => mount on pods • Dockerfile • Set access rights to $JAVA_HOME/lib/security/cacerts • Docker entrypoint: • Flag for each service • Import certificate into pods trustore keytool -importcert -file ${CERT_FILE} -alias ${certName} -keystore $JAVA_HOME/lib/security/cacerts - noprompt -storepass changeit$

Sources and Sinks - SSL
• Elasticsearch 6.x => REST
• ElasticsearchSink – only Flink 1.6
=> Custom ElasticsearchSink
Flink 1.6 =>

Checkpoints / Savepoints
• Persistent volume
• NFS
• Encryption in-flight and at-rest
• Encrypt Job state
=> Custom State Serializer
PV
TM
TM
TM
JM

What next?
• Enforce with k8s security config
• Use RBAC
• Restrict access to kubectl
• Use Network Policy
• Pod security policy
• Single job cluster -> Flink 1.6

Thanks for your attention!
Edward Alexander Rojas Clavijo

What's hot

AtlasCamp 2015: How to deliver radical architectural change without the custo...

Atlassian

Submariner enables direct networking between Pods and Services in different Kubernetes clusters, either on-premises or in the cloud. As Kubernetes gains adoption, teams are finding they must deploy and manage multiple clusters to facilitate features like geo-redundancy, scale, and fault isolation for their applications. With Submariner, your applications and services can span multiple cloud providers, data centers, and regions. Submariner is completely open source, and designed to be network plugin (CNI) agnostic. Submariner Provides: cross-cluster L3 connectivity using encrypted VPN tunnels; service Discovery across clusters; subctl, a friendly deployment tool; support for interconnecting clusters with overlapping CIDRs

Kubernetes in Hybrid Environments with Submariner

Kublr

Dive into DevOps | March, Traefik as kubernetes ingress controller, Ihor Borodin

Provectus

Docker, Atomic Host and Kubernetes.

Jooho Lee

Clocker - The Docker Cloud Maker

Andrew Kennedy

Hello istio

Jooho Lee

Since July 2014 Shopify's been serving thousands of requests per second of production web traffic from Docker containers. This was an 8 month effort, with multiple pivots of direction from the team—and we're only getting started. This talk covers the lessons learned through the trial and error of an in-flight architecture redesign, spanning hundreds of hosts, as well as the technical vision of the future of our platform.

Docker at Shopify: From This-Looks-Fun to Production by Simon Eskildsen (Shop...

Docker, Inc.

[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with Prometheus

OpenStack Korea Community

Running your dockerized application(s) on AWS Elastic Container Service

Marco Pas

Micro service architectures result in up to 20 times larger environments than their monolithic counterparts. In such big and interconnected environments container metrics will tell you about infrastructure health but not service health. Even if you have implemented service health checks to quickly react on service failures, in a resilient system you will see intermediary mushroom cloud effects of a large number of services being affected temporarily. How do you find out what really caused the problem and how to distinguish effect vs. cause? In this session we will do post-mortem analysis by walking through different cases of failures we've observed in a real-world large e-commerce production environment and show you how to figure out what actually caused the failures.

The Mushroom Cloud Effect or What Happens When Containers Fail? by Alois Mayr...

Docker, Inc.

Is advanced scheduling in Kubernetes achievable? Yes, however, how do you properly accommodate every real-life scenario that a Kubernetes user might encounter? How do you leverage advanced scheduling techniques to shape and describe each scenario in easy-to-use rules and configurations? Oleg Chunikhin addressed those questions and demonstrated techniques for implementing advanced scheduling. For example, using spot instances and cost-effective resources on AWS, coupled with the ability to deliver a minimum set of functionalities that cover the majority of needs – without configuration complexity. You’ll get a run-down of the pitfalls and things to keep in mind for this route.

Implement Advanced Scheduling Techniques in Kubernetes

Kublr

In this meetup, Oleg, CTO at Kublr, walks you through the basics of K8s persistence management functionality and how it can be used to simplify managing persistent applications across different environments - in the cloud or on premise. Oleg will use a demo environment with clusters in different clouds to show K8s persistence in practice. We will cover: • Persistent data abstractions in K8s: persistent volumes (PV) and their attributes • PV specifics in different clouds • Using PV in K8s: persistent volume claims (PVC) and storage classes (SC) • Automatic volume provisioning • Persistence and scheduling interrelationships • Practical examples Kubernetes (K8s) is a powerful and flexible open source container orchestration system. The power of K8s comes from its modularity and simplicity of basic concepts. Each of these basic concepts build on the other and, from the most basic elements to more advanced ones, each is responsible for its own well-defined logic and behavior.

Kubernetes persistence 101

Kublr

Kubernetes on CloudStack with coreOS

Sebastien Goasguen

Container Orchestration

dfilppi

Advanced Scheduling in Kubernetes

Kublr

Kubernetes intro public - kubernetes user group 4-21-2015

reallavalamp

Docker on docker leveraging kubernetes in docker ee

Docker, Inc.

Network services on Kubernetes on premise

Hans Duedal

Bitbucket Pipelines - Powered by Kubernetes

Nathan Burrell

ContainerCon sysdig Slides

Loris Degioanni

What's hot (20)

AtlasCamp 2015: How to deliver radical architectural change without the custo...

Kubernetes in Hybrid Environments with Submariner

Dive into DevOps | March, Traefik as kubernetes ingress controller, Ihor Borodin

Docker, Atomic Host and Kubernetes.

Clocker - The Docker Cloud Maker

Hello istio

Docker at Shopify: From This-Looks-Fun to Production by Simon Eskildsen (Shop...

[OpenInfra Days Korea 2018] Day 2 - E6 - OpenInfra monitoring with Prometheus

Running your dockerized application(s) on AWS Elastic Container Service

The Mushroom Cloud Effect or What Happens When Containers Fail? by Alois Mayr...

Implement Advanced Scheduling Techniques in Kubernetes

Kubernetes persistence 101

Kubernetes on CloudStack with coreOS

Container Orchestration

Advanced Scheduling in Kubernetes

Kubernetes intro public - kubernetes user group 4-21-2015

Docker on docker leveraging kubernetes in docker ee

Network services on Kubernetes on premise

Bitbucket Pipelines - Powered by Kubernetes

ContainerCon sysdig Slides

Similar to Flink Forward Berlin 2018: Edward Alexander Rojas Clavijo - "Deploying a secured Flink cluster on Kubernetes"

It worked on my machine! How many times have you heard (or even said) this sentence? Keeping consistent environments across your development, test, and production systems can be a complex task. Enter containers! Containers offer a way to develop and test your application in the same environment in which it runs in production. Developers can use tools such as Docker Compose for local testing of complex applications; Jenkins and AWS CodePipeline for building and orchestration; and Amazon ECS to manage and scale their containers. Come to this session to learn how to build containers into your continuous deployment workflow, accelerating the testing and building phases and leading to more frequent software releases. Attendees will learn to use Docker containers to develop their applications and test locally with Docker Compose (or Amazon ECS local), integrate containers in building, deploy complex applications on Amazon ECS, and orchestrate continuous development workflows with CodePipeline.

(DVO305) Turbocharge YContinuous Deployment Pipeline with Containers

Amazon Web Services

Through a combination of Amazon ECS and open source technologies, customers are able to build portable CI/CD pipelines on AWS. As container based deployments become more complex, they require additional rigging for integration. In this session, we show how popular Apache products like Kakfa, Storm, and Zookeeper are being deployed on top of Amazon ECS. We hear from HERE, a provider of mapping data, technologies, and services to the automotive, consumer, and enterprise sectors about an approach that leverages Consul from Hashicorp and Amazon ECS clusters for short-cycle deployments and tag-based environment promotion.

AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...

Amazon Web Services

Docker containers provide an ideal foundation for running Kafka-as-a-Service on-premises or in the public cloud. However, using Docker containers in production environments for Big Data workloads using Kafka poses some challenges – including container management, scheduling, network configuration and security, and performance. In this session at Kafka Summit in August 2017, Nanda Vijyaydev of BlueData shared lessons learned from implementing Kafka-as-a-Service with Docker containers. https://kafka-summit.org/sessions/kafka-service-docker-containers

Best Practices for Running Kafka on Docker Containers

BlueData, Inc.

Continuous Delivery with Docker and Amazon ECS

Amazon Web Services

Our web hosting company is using many different services for managing e-mail, spam-filters, DNS, domain registrations, SSL registrations, ticket systems and more. Some of these services have well defined Web API’s, others can only be managed by simple command line scripts. In this session we will explain how we tried to automate the various workflows by using a messaging system such as RabbitMQ for communication between our cfml based customer control panel and these services.

ITB2019 Multi-language / multi-OS communication using RabbitMQ - Wil de Bruin

Ortus Solutions, Corp

Multi-language/multi-OS communication using RabbitMQ

Wil de Bruin

컴퓨팅 서비스 업데이트 - EC2, ECS, Lambda (김상필) :: re:Invent re:Cap Webinar 2015

Amazon Web Services Korea

WebSphere and Docker

David Currie

Openstack days sv building highly available services using kubernetes (preso)

Allan Naim

Automating Software Development Life Cycle - A DevOps Approach

Akshaya Mahapatra

It worked on my machine!" How many times have you heard (or even said) this sentence? Keeping consistent environments across your development, test, and production systems can be a complex task. Enter containers! Containers offer a way to develop and test your application in the same environment in which it runs in production. Developers can use tools such as Docker Compose for local testing of complex applications; Jenkins and AWS CodePipeline for building and orchestration; and Amazon ECS to manage and scale their containers. Come to this session to learn how to build containers into your continuous deployment workflow, accelerating the testing and building phases and leading to more frequent software releases. Attendees will learn to use Docker containers to develop their applications and test locally with Docker Compose (or Amazon ECS local), integrate containers in building, deploy complex applications on Amazon ECS, and orchestrate continuous development workflows with CodePipeline.

TurboCharge Your Continuous Delivery Pipeline with Containers - Pop-up Loft

Amazon Web Services

We are sharing our process of migrating to the container based DroneCI platform and our lessons learned when scaling it up for an active open source project like ownCloud. Our journey started with a static legacy CI system, which was gradually replaced with, at first, a static DroneCI infrastructure. Over the course of half a year, we further more migrated to a cloud provider in order to dynamically scale the CI system based on the build volume. The lessons learned during this journey, were transformed and contributed to the DroneCI project and resulted in the DroneCI autoscaler - which allows for automatic scaling of infrastructure resources with common cloud providers.

How we scale DroneCi on demand

Patrick Jahns

Terraform is a tool for building and safely iterating on infrastructure, while Consul provides service discovery, monitoring and orchestration. In this talk we discuss using Terraform and Consul together to build a Docker-based Service Oriented Architecture at scale. We use Consul to provide the runtime control plane for the datacenter, and Terraform is used to modify the underlying infrastructure to allow for elastic scalability.

Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto

Docker, Inc.

Containers are quickly becoming the default foundation for modern applications. As a public cloud provider, IBM has been an early champion of containers in the cloud and has built an enterprise ready container service as part of IBM Bluemix. IBM has a long heritage of supporting, contributing to, and building offerings on top of open technologies and IBM carries this commitment to the open development of container solutions by being an active/founding member of the Open Containers Initiative and Cloud Native Computing Foundation. In this session, we will explore the enduring commitment to open technology as well as the advantages of using a pure containers service where the user has access to total solution life cycle management through integration of lessons learned, cutting edge enhancements/development and end-to-end support on the user's underlying infrastructure. We will explore topics such as exploiting bare metal servers, applying overlay networking to containers, ensuring isolation and security in a truly multi-tenant container environment and managing a global service deployment.

Production Ready Containers from IBM and Docker

Docker, Inc.

Kubernetes: training micro-dragons for a serious battle

Amir Moghimi

Building Bizweb Microservices with Docker

Khôi Nguyễn Minh

Containers have had an incredibly large adoption rate since Docker was launched, especially from the developer community, as it provides an easy way to package, ship, and run applications. Securing your container-based application is now becoming a critical issue as applications move from development into production. In this session, you learn ways to implement storing secrets, distributing AWS privileges using IAM roles, protecting your container-based applications with vulnerability scans of container images, and incorporating automated checks into your continuous delivery workflow.

AWS re:Invent 2016: Securing Container-Based Applications (CON402)

Amazon Web Services

AWS re:Invent 2016: Securing Container-Based Applications (CON402)

Amazon Web Services

20170831 - Greg Palmier: Terraform & AWS at Tempus

DevOps Chicago

CKA_1st.pptx

YIJHEHUANG

Similar to Flink Forward Berlin 2018: Edward Alexander Rojas Clavijo - "Deploying a secured Flink cluster on Kubernetes" (20)

(DVO305) Turbocharge YContinuous Deployment Pipeline with Containers

AWS re:Invent 2016: Service Integration Delivery and Automation Using Amazon ...

Best Practices for Running Kafka on Docker Containers

Continuous Delivery with Docker and Amazon ECS

ITB2019 Multi-language / multi-OS communication using RabbitMQ - Wil de Bruin

Multi-language/multi-OS communication using RabbitMQ

컴퓨팅 서비스 업데이트 - EC2, ECS, Lambda (김상필) :: re:Invent re:Cap Webinar 2015

WebSphere and Docker

Openstack days sv building highly available services using kubernetes (preso)

Automating Software Development Life Cycle - A DevOps Approach

TurboCharge Your Continuous Delivery Pipeline with Containers - Pop-up Loft

How we scale DroneCi on demand

Orchestrating Docker with Terraform and Consul by Mitchell Hashimoto

Production Ready Containers from IBM and Docker

Kubernetes: training micro-dragons for a serious battle

Building Bizweb Microservices with Docker

AWS re:Invent 2016: Securing Container-Based Applications (CON402)

20170831 - Greg Palmier: Terraform & AWS at Tempus

CKA_1st.pptx

More from Flink Forward

Apache Flink is a distributed stream processing framework that allows users to process and analyze data in real-time. At LinkedIn, we developed a fully managed stream processing platform on Flink running on K8s to power hundreds of stream processing pipelines in production. This platform is the backbone for other infra systems like Search, Espresso (internal document store) and feature management etc. We provide a rich authoring and testing environment which allows users to create, test, and deploy their streaming jobs in a self-serve fashion within minutes. Users can focus on their business logic, leaving the Flink platform to take care of management aspects such as split deployment, resource provisioning, auto-scaling, job monitoring, alerting, failure recovery and much more. In this talk, we will introduce the overall platform architecture, highlight the unique value propositions that it brings to stream processing at LinkedIn and share the experiences and lessons we have learned.

Building a fully managed stream processing platform on Flink at scale for Lin...

Flink Forward

Flink Forward San Francisco 2022. When running Flink jobs, skew is a common problem that results in wasted resources and limited scalability. In the past years, we have helped our customers and users solve various skew-related issues in their Flink jobs or clusters. In this talk, we will present the different types of skew that users often run into: data skew, key skew, event time skew, state skew, and scheduling skew, and discuss solutions for each of them. We hope this will serve as a guideline to help you reduce skew in your Flink environment. by Jun Qin & Karl Friedrich

Evening out the uneven: dealing with skew in Flink

Flink Forward

Flink Forward San Francisco 2022. To improve Amazon Alexa experiences and support machine learning inference at scale, we built an automated end-to-end solution for incremental model building or fine-tuning machine learning models through continuous learning, continual learning, and/or semi-supervised active learning. Customer privacy is our top concern at Alexa, and as we build solutions, we face unique challenges when operating at scale such as supporting multiple applications with tens of thousands of transactions per second with several dependencies including near-real time inference endpoints at low latencies. Apache Flink helps us transform and discover metrics in near-real time in our solution. In this talk, we will cover the challenges that we faced, how we scale the infrastructure to meet the needs of ML teams across Alexa, and go into how we enable specific use cases that use Apache Flink on Amazon Kinesis Data Analytics to improve Alexa experiences to delight our customers while preserving their privacy. by Aansh Shah

“Alexa, be quiet!”: End-to-end near-real time model building and evaluation i...

Flink Forward

Flink Forward San Francisco 2022. Probably everyone who has written stateful Apache Flink applications has used one of the fault-tolerant keyed state primitives ValueState, ListState, and MapState. With RocksDB, however, retrieving and updating items comes at an increased cost that you should be aware of. Sometimes, these may not be avoidable with the current API, e.g., for efficient event-time stream-sorting or streaming joins where you need to iterate one or two buffered streams in the right order. With FLIP-220, we are introducing a new state primitive: BinarySortedMultiMapState. This new form of state offers you to (a) efficiently store lists of values for a user-provided key, and (b) iterate keyed state in a well-defined sort order. Both features can be backed efficiently by RocksDB with a 2x performance improvement over the current workarounds. This talk will go into the details of the new API and its implementation, present how to use it in your application, and talk about the process of getting it into Flink. by Nico Kruber

Introducing BinarySortedMultiMap - A new Flink state primitive to boost your ...

Flink Forward

Flink Forward San Francisco 2022. The Apache Flink Kubernetes Operator provides a consistent approach to manage Flink applications automatically, without any human interaction, by extending the Kubernetes API. Given the increasing adoption of Kubernetes based Flink deployments the community has been working on a Kubernetes native solution as part of Flink that can benefit from the rich experience of community members and ultimately make Flink easier to adopt. In this talk we give a technical introduction to the Flink Kubernetes Operator and demonstrate the core features and use-cases through in-depth examples." by Thomas Weise

Introducing the Apache Flink Kubernetes Operator

Flink Forward

Flink Forward San Francisco 2022. Resource Elasticity is a frequently requested feature in Apache Flink: Users want to be able to easily adjust their clusters to changing workloads for resource efficiency and cost saving reasons. In Flink 1.13, the initial implementation of Reactive Mode was introduced, later releases added more improvements to make the feature production ready. In this talk, we’ll explain scenarios to deploy Reactive Mode to various environments to achieve autoscaling and resource elasticity. We’ll discuss the constraints to consider when planning to use this feature, and also potential improvements from the Flink roadmap. For those interested in the internals of Flink, we’ll also briefly explain how the feature is implemented, and if time permits, conclude with a short demo. by Robert Metzger

Autoscaling Flink with Reactive Mode

Flink Forward

Flink Forward San Francisco 2022. Flink consumers read from Kafka as a scalable, high throughput, and low latency data source. However, there are challenges in scaling out data streams where migration and multiple Kafka clusters are required. Thus, we introduced a new Kafka source to read sharded data across multiple Kafka clusters in a way that conforms well with elastic, dynamic, and reliable infrastructure. In this presentation, we will present the source design and how the solution increases application availability while reducing maintenance toil. Furthermore, we will describe how we extended the existing KafkaSource to provide mechanisms to read logical streams located on multiple clusters, to dynamically adapt to infrastructure changes, and to perform transparent cluster migrations and failover. by Mason Chen

Dynamically Scaling Data Streams across Multiple Kafka Clusters with Zero Fli...

Flink Forward

Flink Forward San Francisco 2022. Next time you want to integrate with a new destination for a demo, concept or production application, the Async Sink framework will bootstrap development, allowing you to move quickly without compromise. In Flink 1.15 we introduced the Async Sink base (FLIP-171), with the goal to encapsulate common logic and allow developers to focus on the key integration code. The new framework handles things like request batching, buffering records, applying backpressure, retry strategies, and at least once semantics. It allows you to focus on your business logic, rather than spending time integrating with your downstream consumers. During the session we will dive deep into the internals to uncover how it works, why it was designed this way, and how to use it. We will code up a new sink from scratch and demonstrate how to quickly push data to a destination. At the end of this talk you will be ready to start implementing your own Flink sink using the new Async Sink framework. by Steffen Hausmann & Danny Cranmer

One sink to rule them all: Introducing the new Async Sink

Flink Forward

Flink Forward San Francisco 2022. In normal situations, the default Kafka consumer and producer configuration options work well. But we all know life is not all roses and rainbows and in this session we’ll explore a few knobs that can save the day in atypical scenarios. First, we'll take a detailed look at the parameters available when reading from Kafka. We’ll inspect the params helping us to spot quickly an application lock or crash, the ones that can significantly improve the performance and the ones to touch with gloves since they could cause more harm than benefit. Moreover we’ll explore the partitioning options and discuss when diverging from the default strategy is needed. Next, we’ll discuss the Kafka Sink. After browsing the available options we'll then dive deep into understanding how to approach use cases like sinking enormous records, managing spikes, and handling small but frequent updates.. If you want to understand how to make your application survive when the sky is dark, this session is for you! by Olena Babenko

Tuning Apache Kafka Connectors for Flink.pptx

Flink Forward

Flink Forward San Francisco 2022. Pinterest is a visual discovery engine that serves over 433MM users. Stream processing allows us to unlock value from realtime data for pinners. At Pinterest, we adopt Flink as the unified streaming processing engine. In this talk, we will share our journey in building a stream processing platform with Flink and how we onboarding critical use cases to the platform. Pinterest has supported 90+near realtime streaming applications. We will cover the problem statement, how we evaluate potential solutions and our decision to build the framework. by Rainie Li & Kanchi Masalia

Flink powered stream processing platform at Pinterest

Flink Forward

Flink Forward San Francisco 2022. This talk will take you on the long journey of Apache Flink into the cloud-native era. It started all the way from where Hadoop and YARN were the standard way of deploying and operating data applications. We're going to deep dive into the cloud-native set of principles and how they map to the Apache Flink internals and recent improvements. We'll cover fast checkpointing, fault tolerance, resource elasticity, minimal infrastructure dependencies, industry-standard tooling, ease of deployment and declarative APIs. After this talk you'll get a broader understanding of the operational requirements for a modern streaming application and where the current limits are. by David Moravek

Apache Flink in the Cloud-Native Era

Flink Forward

Flinkn Forward San Francisco 2022. In this talk, we will cover various topics around performance issues that can arise when running a Flink job and how to troubleshoot them. We’ll start with the basics, like understanding what the job is doing and what backpressure is. Next, we will see how to identify bottlenecks and which tools or metrics can be helpful in the process. Finally, we will also discuss potential performance issues during the checkpointing or recovery process, as well as and some tips and Flink features that can speed up checkpointing and recovery times. by Piotr Nowojski

Where is my bottleneck? Performance troubleshooting in Flink

Flink Forward

Flink Forward San Francisco 2022. Running natively on Kubernetes, using the new Apache Flink Kubernetes Operator is a great way to deploy and manage Flink application and session deployments. In this presentation, we provide: - A brief overview of Kubernetes operators and their benefits. - Introduce the five levels of the operator maturity model. - Introduce the newly released Apache Flink Kubernetes Operator and FlinkDeployment CRs - Dockerfile modifications you can make to swap out UBI images and Java of the underlying Flink Operator container - Enhancements we're making in: - Versioning/Upgradeability/Stability - Security - Demo of the Apache Flink Operator in-action, with a technical preview of an upcoming product using the Flink Kubernetes Operator. - Lessons learned - Q&A by James Busche & Ted Chang

Using the New Apache Flink Kubernetes Operator in a Production Deployment

Flink Forward

Flink Forward San Francisco 2022. The Table API is one of the most actively developed components of Flink in recent time. Inspired by databases and SQL, it encapsulates concepts many developers are familiar with. It can be used with both bounded and unbounded streams in a unified way. But from afar it can be difficult to keep track of what this API is capable of and how it relates to Flink's other APIs. In this talk, we will explore the current state of Table API. We will show how it can be used as a batch processor, a changelog processor, or a streaming ETL tool with many built-in functions and operators for deduplicating, joining, and aggregating data. By comparing it to the DataStream API we will highlight differences and elaborate on when to use which API. We will demonstrate hybrid pipelines in which both APIs interact with one another and contribute their unique strengths. Finally, we will take a look at some of the most recent additions as a first step to stateful upgrades. by David Andreson

The Current State of Table API in 2022

Flink Forward

Flink Forward San Francisco 2022. Based on the new Flink-Pulsar connector, we implemented Flink's TableAPI and Catalog to help users to interact with the Pulsar cluster via Flink SQL easily. We would like to go through the design and implementation of the SQL connector in the following aspects: 1. Two different modes of use Pulsar as a metadata store 2. Data format transformation and management 3. SQL semantics support within Pulsar context by Sijie Guo & Neng Lu

Flink SQL on Pulsar made easy

Flink Forward

Flink Forward San Francisco 2022. At Bloomberg, we deal with high volumes of real-time market data. Our clients expect to be notified of any anomalies in this market data, which may indicate volatile movements in the markets, notable trades, forthcoming events, or system failures. The parameters for these alerts are always evolving and our clients can update them dynamically. In this talk, we'll cover how we utilized the open source Apache Flink and Siddhi SQL projects to build a distributed, scalable, low-latency and dynamic rule-based, real-time alerting system to solve our clients' needs. We'll also cover the lessons we learned along our journey. by Ajay Vyasapeetam & Madhuri Jain

Dynamic Rule-based Real-time Market Data Alerts

Flink Forward

Flink Forward San Francisco 2022. At Stripe we have created a complete end to end exactly-once processing pipeline to process financial data at scale, by combining the exactly-once power from Flink, Kafka, and Pinot together. The pipeline provides exactly-once guarantee, end-to-end latency within a minute, deduplication against hundreds of billions of keys, and sub-second query latency against the whole dataset with trillion level rows. In this session we will discuss the technical challenges of designing, optimizing, and operating the whole pipeline, including Flink, Kafka, and Pinot. We will also share our lessons learned and the benefits gained from exactly-once processing. by Xiang Zhang & Pratyush Sharma & Xiaoman Dong

Exactly-Once Financial Data Processing at Scale with Flink and Pinot

Flink Forward

Flink Forward San Francisco 2022. What if my data is already in order? Stream Processing has given us an elegant and powerful solution for running analytic queries and logic over high volumes of continuously arriving data. However, in both Apache Flink and Apache Beam, the notion of time-ordering is baked in at a very low level, making it difficult to express computations that are interested in a semantic-, rather than time-ordering of the data. In financial services, what often matters the most about the data moving between systems is not when the data was created, but in what order, to the extent that many institutions engineer a global sequencing over all data entering and produced by their systems to achieve complete determinism. How, then, can financial institutions and others best employ Stream Processing on streams of data that are already ordered? I will cover various techniques that can make this work, as well as seek input from the community on how Flink might be improved to better support these use-cases. by Patrick Lucas

Processing Semantically-Ordered Streams in Financial Services

Flink Forward

Flink Forward San Francisco 2022. In modern data platform architectures, stream processing engines such as Apache Flink are used to ingest continuous streams of data into data lakes such as Apache Iceberg. Streaming ingestion to iceberg tables can suffer by two problems (1) small files problem that can hurt read performance (2) poor data clustering that can make file pruning less effective. To address those two problems, we propose adding a shuffling stage to the Flink Iceberg streaming writer. The shuffling stage can intelligently group data via bin packing or range partition. This can reduce the number of concurrent files that every task writes. It can also improve data clustering. In this talk, we will explain the motivations in details and dive into the design of the shuffling stage. We will also share the evaluation results that demonstrate the effectiveness of smart shuffling. by Gang Ye & Steven Wu

Tame the small files problem and optimize data layout for streaming ingestion...

Flink Forward

Flink Forward San Francisco 2022. Goldman Sachs's Data Lake platform serves as the firm's centralized data platform, ingesting 140K (and growing!) batches per day of Datasets of varying shape and size. Powered by Flink and using metadata configured by platform users, ingestion applications are generated dynamically at runtime to extract, transform, and load data into centralized storage where it is then exported to warehousing solutions such as Sybase IQ, Snowflake, and Amazon Redshift. Data Latency is one of many key considerations as producers and consumers have their own commitments to satisfy. Consumers range from people/systems issuing queries, to applications using engines like Spark, Hive, and Presto to transform data into refined Datasets. Apache Iceberg allows our applications to not only benefit from consistency guarantees important when running on eventually consistent storage like S3, but also allows us the opportunity to improve our batch processing patterns with its scalability-focused features. by Andreas Hailu

Batch Processing at Scale with Flink & Iceberg

Flink Forward

More from Flink Forward (20)

Building a fully managed stream processing platform on Flink at scale for Lin...

Evening out the uneven: dealing with skew in Flink

“Alexa, be quiet!”: End-to-end near-real time model building and evaluation i...

Introducing BinarySortedMultiMap - A new Flink state primitive to boost your ...

Introducing the Apache Flink Kubernetes Operator

Autoscaling Flink with Reactive Mode

Dynamically Scaling Data Streams across Multiple Kafka Clusters with Zero Fli...

One sink to rule them all: Introducing the new Async Sink

Tuning Apache Kafka Connectors for Flink.pptx

Flink powered stream processing platform at Pinterest

Apache Flink in the Cloud-Native Era

Where is my bottleneck? Performance troubleshooting in Flink

Using the New Apache Flink Kubernetes Operator in a Production Deployment

The Current State of Table API in 2022

Flink SQL on Pulsar made easy

Dynamic Rule-based Real-time Market Data Alerts

Exactly-Once Financial Data Processing at Scale with Flink and Pinot

Processing Semantically-Ordered Streams in Financial Services

Tame the small files problem and optimize data layout for streaming ingestion...

Batch Processing at Scale with Flink & Iceberg

Recently uploaded

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

A Beginners Guide to Building a RAG App Using Open Source Milvus

Zilliz

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

Manulife - Insurer Transformation Award 2024

The Digital Insurer

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Navi Mumbai Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Navi Mumbai Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Navi Mumbai Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

DBX First Quarter 2024 Investor Presentation

Dropbox

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Recently uploaded (20)

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

A Beginners Guide to Building a RAG App Using Open Source Milvus

MINDCTI Revenue Release Quarter One 2024

A Year of the Servo Reboot: Where Are We Now?

presentation ICT roal in 21st century education

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Ransomware_Q4_2023. The report. [EN].pdf

Manulife - Insurer Transformation Award 2024

Artificial Intelligence Chap.5 : Uncertainty

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DBX First Quarter 2024 Investor Presentation

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Corporate and higher education May webinar.pptx

AWS Community Day CPH - Three problems of Terraform

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Flink Forward Berlin 2018: Edward Alexander Rojas Clavijo - "Deploying a secured Flink cluster on Kubernetes"

1. Deploying a secured Flink cluster on Kubernetes Edward Rojas Clavijo Software Engineer IBM France

2. Use case • Multiple sources of data => Kafka • Different storage targets • Multiple environments • Sensitive customer data => Secured • Highly available • Fault tolerant

3. Zookeeper Job Manager HA Task Manager Task Manager Task Manager Task Manager Task Manager Storage checkpoints / savepoints Flink Client Flink Client Flink Client Submit job Flink Architecture – use case 1.5.3

4. Flink on Kubernetes JM Service TM Flink Client TM TM JM JM Deployment TM Deployment Pods • Job Manager Deployment • Maintain 1 replica • Job Manager Service • Task Manager Deployment • Maintain n replicas • One Pod per Flink Job • Fixed amount of jobs • Endless stateful jobs • ConfigMap for flink conf

5. Flink SSL/TLS • Certificates generation • Dynamic IP • TM Dynamic hostnames JM Service TM Flink Client TM TM JM JM Deployment TM Deployment Pods

6. Flink SSL/TLS • Hostname validation • Task managers => Statefulset • Predictable hostnames • flink-tm-0.flink-tm-svc.<namespace>.svc.cluster.local • flink-tm-1.flink-tm-svc.<namespace>.svc.cluster.local JM Service TM Flink Client TM TM JM JM Deployment TM Statefulset Pods TM Service TM service • Wildcard certificate

7. Flink SSL/TLS • One single purpose certificate • Truststore and Keystore with only that certificate • Deactivate hostname validation Expose as secrets Mount on Pods base64 encoded

8. Sources and Sinks SSL SASLHTTPS Kerberos

9. Sources and Sinks - Kerberos • Keytab file exposed as k8s secret • Configuration properties on ConfigMap => env vars • Realm, Principal, KDC • Dockerfile • COPY krb5.conf template – /etc/krb5.conf - set access rights • COPY core-site.xml template • Docker entrypoint: • Set krb5.conf • Flag for each service • Set flink conf properties • Set hadoop conf • Kafka consumer/producer • sasl.kerberos.service.name • security.protocol => SASL_PLAINTEXT

10. Sources and Sinks - SSL • Expose certificates as secrets => mount on pods • Dockerfile • Set access rights to $JAVA_HOME/lib/security/cacerts • Docker entrypoint: • Flag for each service • Import certificate into pods trustore keytool -importcert -file ${CERT_FILE} -alias ${certName} -keystore $JAVA_HOME/lib/security/cacerts - noprompt -storepass changeit

11. Sources and Sinks - SSL • Elasticsearch 6.x => REST • ElasticsearchSink – only Flink 1.6 => Custom ElasticsearchSink Flink 1.6 =>

12. Checkpoints / Savepoints • Persistent volume • NFS • Encryption in-flight and at-rest • Encrypt Job state => Custom State Serializer PV TM TM TM JM

13. What next? • Enforce with k8s security config • Use RBAC • Restrict access to kubectl • Use Network Policy • Pod security policy • Single job cluster -> Flink 1.6

14. Thanks for your attention! Edward Alexander Rojas Clavijo

Editor's Notes

Generic
StreamExecutionEnvironmentregisterTypeWithKryoSerializer

Flink Forward Berlin 2018: Edward Alexander Rojas Clavijo - "Deploying a secured Flink cluster on Kubernetes"

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Flink Forward Berlin 2018: Edward Alexander Rojas Clavijo - "Deploying a secured Flink cluster on Kubernetes"

Similar to Flink Forward Berlin 2018: Edward Alexander Rojas Clavijo - "Deploying a secured Flink cluster on Kubernetes" (20)

More from Flink Forward

More from Flink Forward (20)

Recently uploaded

Recently uploaded (20)

Flink Forward Berlin 2018: Edward Alexander Rojas Clavijo - "Deploying a secured Flink cluster on Kubernetes"

Editor's Notes