2016 London
2017 Berlin
2018 Copenhagen
North America, Europe, China
This is our lovely hotel – there definitely weren’t any cheaper hotels in the area Jim
The venue for this year’s conference was the Fira Gran Via in Barcelona’s new business development area. The site was enormous, covering a floor space of almost 250,000 square metres, meaning walking between meetings took some time – we covered on average 20,000 steps a day. The production value of the event was outstanding, with massive KubeCon branding, enormous screens, good food & drink and excellent organisation.
Every morning and evening the keynotes would be held in this huge room with giant screens.
Talk about the kid who was still in German high school, had done two years’ military service, ported Kubernetes to a stack of Raspberry Pis, created a company and was subcontracting to IBM for Kubernetes work.
Talks were very interesting, some a lot better than others. You were able to preview the slides before choosing which talks you were going to attend.
Tutorials required an early sign up and we would have missed out on a lot of talks.
The showcase hall was enormous and had a ton of vendors in it.
All the big players: Red Hat, AWS, GCP, Azure, VMware, SUSE
Not as much free swag as we thought and we're still receiving emails!
A ton of companies out there – a lot providing similar managed services, logging and devops solutions
CNCF founded in 2015 to promote containers
Containers reduced app downtime and associated costs by 57%!
Every dollar invested in digital business innovation will require enterprises to spend three times that on continuously modernizing their legacy applications
CNCF Cloud Native Landscape
Greyed-out icons are not open sourced
Mobilise at the bottom next to Samsung and Mirantis
CNCF offers services to projects they take on such as: Program Management, Event Management, Marketing Services and Communications, Certification & Training and a neutral home for your project.
Three different types of project:
Sandbox – The entry point for projects into CNCF, the nurturing phase. Examples: OpenEBS, containerized storage and related storage services; Network Service Mesh (NSM), a novel approach to solving complicated L2/L3 use cases in Kubernetes that are tricky to address with the existing Kubernetes Network Model. Inspired by Istio, it doesn’t use traditional concepts such as routers and IP addresses.
Incubating – The next stage in a project’s life, with wide adoption and support (Examples: Helm, Linkerd, OpenTracing)
Helm
Harbor
Rook
CRI-O
Graduated – Kubernetes was the first project to graduate from the CNCF in early 2018; other projects include Prometheus and Fluentd.
Last year, the CNCF’s cloud native survey made it clear that the “preferred method for packaging is Helm (68%) followed by managed Kubernetes offerings (19%).”
Users find that Helm is a great way to:
Manage complexity: describe complex Kubernetes applications in a “chart.”
Share charts: search for shared charts on public and private chart repositories.
Easily update Kubernetes applications: in-place upgrades and rollbacks
Tiller, the server-side component of Helm 2, requires additional security steps: Helm 2 was created for developers to install applications at a time when Kubernetes did not yet have role-based access control (RBAC). That complexity isn’t needed in recent releases of Kubernetes, so in Helm 3 Tiller has been removed entirely – no more security concerns around Tiller’s sudo-like permissions.
A new templating language, Lua, which aims to bring together all of the third-party languages such as Go, Jinja and raw Python.
Releases are now confined to a namespace
An open source trusted cloud native registry project that stores, signs, and scans content.
Harbor solves common challenges by delivering trust, compliance, performance, and interoperability. It fills a gap for organizations and applications that cannot use a public or cloud-based registry, or want a consistent experience across clouds.
Security and vulnerability analysis
Content signing and validation
Multi-tenant
Extensible API and web UI
Image replication across multiple Harbor instances – take advantage of Harbor’s remote replication features to create replicas of image repositories in data centres across different regions
Identity integration and role-based access control
Open Source, Cloud Native Storage for Kubernetes providing production ready File, Block and Object Storage
It’s essentially a storage orchestrator for Kubernetes, turning distributed storage systems into self-managing, self-scaling, self-healing storage services.
It uses the power of the Kubernetes platform to deliver its services: cloud-native container management, scheduling, and orchestration. Rook orchestrates multiple storage solutions, providing a common framework across all of them. Choose the best storage provider for your scenarios, and Rook ensures that they all run well on Kubernetes with the same, consistent experience.
It automates the tasks of a storage administrator: deployment, bootstrapping, configuration, provisioning, scaling, upgrading, migration, disaster recovery, monitoring, and resource management.
CNCF’s replacement for Docker on Kubernetes: CRI-O is an implementation of the Kubernetes CRI (Container Runtime Interface) that enables the use of OCI (Open Container Initiative) compatible runtimes.
It is a lightweight alternative to using Docker as the runtime for Kubernetes. It allows Kubernetes to use any OCI-compliant runtime as the container runtime for running pods.
Today it supports runc and Kata Containers as container runtimes, but in principle any OCI-conformant runtime can be plugged in.
Principles
Designed – Optimised for Kubernetes
Stable – Committed to passing Kubernetes tests
Any Image, Any Registry – Pull from any compliant registry, run any OCI-compliant container
Advantages…
Saves a CPU core per node, increased security and better integration with Kubernetes (i.e. no extra fudging steps to get Docker installed)
The Kubernetes project is number 2 in pull requests on GitHub, second only to Linux, with 31,000 contributions, 164,000 commits and 1.2 million comments.
During the event there was a big focus on the Kubernetes community and how it is one of the healthiest on GitHub – enabling people to easily get involved with the project. There is a large amount of community support available, including a dedicated Slack workspace – with people always willing to offer support and advice.
Keen to demonstrate how important Kubernetes has become
Established, global organizations like Uber, Bloomberg, BlackRock, The New York Times, Lyft, eBay & Goldman Sachs and many others use Kubernetes in production at massive scale. Three of the largest cloud providers offer their own managed Kubernetes services. Furthermore, according to Redmonk (analyst firm), 71 percent of the Fortune 100 use containers and more than 50 percent of Fortune 100 companies use Kubernetes as their container orchestration platform.
Kubernetes 1.15 is focused far more on introducing new features than stable ones, and on spending time building those features up before declaring them stable.
Scalability improvements. For example: node status updates are very expensive – updated every 10 seconds and stored in etcd (even though the node hasn’t changed), which for a 5,000 node cluster means 5-6 MB per minute. A new API, NodeLease, has been introduced which is much more lightweight.
Numerous additions to custom resource definitions (CRDs).
Continued preparation on cloud provider extraction and code organization.
Nodes now support third-party monitoring plugins.
A new Scheduling Framework for scheduler plugins is now alpha.
kubeadm has promoted high availability (HA) capability to beta, allowing users to use the familiar kubeadm init and kubeadm join commands to configure and deploy an HA control plane.
An honest and insightful look into the world of KOPS and how people try their best to maintain it while working full-time jobs. KOPS are changing the way they do development, so we should see quicker and more frequent releases – with a release of KOPS 30-60 days after a Kubernetes release (although they promise to deliver an alpha release sooner). etcd3 will be included shortly, and etcd-manager will be merging with etcdadm to provide automated cluster backups, cluster resizing etc.
The Service Mesh Interface (SMI) was also introduced during a keynote speech which promises to provide a common set of APIs for vendors developing a service mesh. This means that users of Kubernetes can now change between service meshes without getting tied into specific vendors. There was a lot of focus on the Service Mesh during keynotes – with the main focus on intelligent networks; pushing network logic from the application and onto Kubernetes means developers can focus on writing feature rich code rather than coding for network issues. The service mesh also introduces a lot of telemetry information which provides great observability of running applications including logging, metrics and tracing.
OpenTelemetry combines two projects, Google’s OpenCensus and CNCF’s OpenTracing, into one. It can collect traces and metrics from processes instrumented by OpenTelemetry or other monitoring/tracing libraries (Jaeger, Prometheus, etc.), handles aggregation and smart sampling, and exports traces and metrics to one or more monitoring/tracing backends.
The mantra maybe two years ago was definitely don’t store any data in the cluster; that has now swung a little to ‘maybe store data in the cluster if you need to’. Projects like Rook extend Kubernetes with custom types and controllers to orchestrate storage. It automates scaling, upgrading, migration, disaster recovery, monitoring and resource management.
EKS is making great improvements, including AWS’s own CNI, which lets you use the ALB instead of an ingress, allowing you to use multiple SSL certs in ACM without writing more YAML.
The number of pods is defined by the size of the instance and the allocation of CIDR blocks given to the cluster – which can be increased. The recommendation is a minimum of four CIDR blocks so that all AZs can be hit.
A Kube2IAM replacement is coming from AWS within months.
Databases are still a no-no in the cluster as they make upgrades and failovers a lot more difficult.
Make sure you use a blue/green deployment strategy to upgrade your cluster as ETCD3 cannot be rolled back if there are any issues.
A Pod Security Policy is a cluster-level resource that controls security-sensitive aspects of the pod specification. PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system, as well as defaults for the related fields. It controls the user and group IDs that containers run as, Linux capabilities and privileged usage.
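As an added illustration (not from the talk), here is a restrictive PodSecurityPolicy covering the controls listed above, together with the RBAC grant without which the policy never applies to anyone. It assumes the PodSecurityPolicy admission controller is enabled and an application namespace called `app`; note that PSP was later deprecated in Kubernetes 1.21 and removed in 1.25.

```yaml
# Constructed example: a restrictive PodSecurityPolicy plus the RBAC that
# lets one namespace's service accounts use it (policy/v1beta1, as in 2019).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false                     # no privileged containers
  allowPrivilegeEscalation: false       # setuid binaries cannot gain root
  requiredDropCapabilities: ["ALL"]     # drop every Linux capability
  runAsUser: {rule: MustRunAsNonRoot}   # a container asking for UID 0 is rejected
  supplementalGroups: {rule: MustRunAs, ranges: [{min: 1000, max: 65535}]}
  fsGroup: {rule: MustRunAs, ranges: [{min: 1000, max: 65535}]}
  seLinux: {rule: RunAsAny}
  hostNetwork: false                    # no host namespaces
  hostPID: false
  hostIPC: false
  volumes: [configMap, secret, emptyDir, persistentVolumeClaim]  # no hostPath
---
# The policy only takes effect for pods whose creator (here the namespace's
# service accounts) is granted the "use" verb on it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted
rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["restricted"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted
  namespace: app                        # assumed application namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts:app
```

With this applied, a pod in `app` that sets `securityContext.privileged: true` or runs as root is refused at admission rather than scheduled; if no policy at all is usable by a subject, every pod it creates is refused, so bind a policy before enabling the admission controller.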
Pusher monitors config and secrets for changes and automatically redeploys an application if they change, so the app can reload the new config – for apps that can’t dynamically reload config.
Kube Resource Report shows the amount of slack in the system and the costs associated with it.
Kubesec.io – risk score for YAML before running it in the cluster. You can go to the website and submit your YAML to see how risky it is, or install a copy locally. CIS scores to be added shortly.
Goss can be used in Kubernetes at runtime to validate the image and its runtime dependencies: the process is installed and running, necessary ports are open, user accounts are set, filesystem properties are correct, URLs respond with expected content. Mount goss as a sidecar container which runs tests against the pod before it’s allowed to come up.
kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark against the cluster.
eksctl from Weaveworks
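A goss spec encoding the runtime checks described for Goss above, as an added example that is not from the talk. The service name (`api`), port, user and file paths are assumed; each assertion states the expected state of a healthy, minimally exposed container.

```yaml
# goss.yaml (constructed example): assertions goss evaluates inside the pod.
# Assumed workload: an "api" process serving /healthz on 8080 as user "app".
process:
  api:
    running: true                 # the binary must actually be up
port:
  tcp:8080:
    listening: true               # service port open
    ip:
      - 0.0.0.0
  tcp:22:
    listening: false              # nothing should expose SSH in the container
user:
  app:
    exists: true
    uid: 1000                     # matches the non-root UID the pod runs as
    gid: 1000
    shell: /sbin/nologin          # service account, not an interactive login
file:
  /etc/api/config.yaml:
    exists: true
    filetype: file
    mode: "0640"                  # config readable by the app, not world-readable
    owner: app
    group: app
  /etc/api/secret.env:
    exists: false                 # secrets come from mounted volumes, not baked in
http:
  http://127.0.0.1:8080/healthz:
    status: 200
    timeout: 2000                 # milliseconds
    body:
      - ok                        # expected response content
```

Run with `goss validate` in the sidecar; a non-zero exit (any failed assertion) is what keeps the pod from being reported ready.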
Production proofing EKS – list of 20 topics to build on top of EKS
Kubernetes creating Kubernetes clusters
A library of Kubernetes operators
Spotify managed to keep 100% of their service online after deleting a cluster by having tried and tested failover
Envoy – the CNCF service proxy – can be deployed to on-prem legacy apps. You can then communicate with your on-prem apps using a service mesh – consistent, reliable communication.
Palantir Technologies (defence company) – runs a million pods a day; 10,000 nodes per day are destroyed and rebuilt to ensure the latest patches are deployed and improve security posture.
The Higgs boson was rediscovered using Kubernetes jobs to submit 1,500 concurrent workloads on stage in 5 minutes!
Where are we going to put a Kubernetes service?
Managed: EKS, AKS etc. – may not let you address specific security concerns that need access to components such as etcd or audit logs
Roll your own
MISSTEPS
Going all in with managed Kubernetes: no access to the control plane (couldn’t turn on security policies)
One-size-fits-all tool (does everything from start to finish) – you don’t understand the pipeline that builds your cluster (build tool)
Principles
Yesterday, today, and tomorrow – the declarative nature means you can easily change your deployment in the future
Use the tools you have today that make sense for your business; don’t go grabbing new shiny tools
Enable your stakeholders – give them the access they need to look at logs, RBAC for logs etc. More buy-in from stakeholders = :-)
MISSTEPS
Solving problems that you don’t yet have: do you need a service mesh? Yes, it’s cool to have one, but it will add unnecessary complication that you don’t need
Perfect is the enemy of done – wasting sprints guessing about requirements, too much time spent not getting an MVP out
Bedrock
There are some things you won’t change – get these right first
Container Networking
Persistent Storage
Connectivity
MISSTEPS
Trading battle tested for cutting-edge
Open source is not free…it requires diligence
Community health
Release cycles
GitHub stars (most important)
Security
Consistent authorisation and authentication. Use OIDC and connect existing federation services to Kubernetes
Policies – Resource Quota etc.
Backup & restore – Ark (Velero)
MISSTEPS
Getting security on early
Not easy to bolt security on later (e.g. adding network policies to existing cluster - hard work)
Use different cluster types – for example, a PCI-compliant application can go on a PCI-compliant cluster rather than changing an existing cluster
Scale Out
500 nodes is the maximum number you should be running on before having to tune Kubernetes
You should be in a multi-cluster mindset – migrate workloads to a new cluster with new features
Resources – don’t use generic tools for federation; use Jenkins workflows or pipelines instead
MISSTEPS
Mega clusters – big blast radius; go with smaller clusters for security and cleaner upgrades/application changes
Embrace and extend but don’t go off the rails – build on the same patterns that Kubernetes is founded on (CRDs)
After a day of talks there were some great social events including a party in a 16th century church hosted by Mirantis (K8SorDie party) that included cocktail bars, mountain bikers jumping off stage and street skateboarders outside the event.
And the official party, which was held in Poble Espanyol – a purpose-built Spanish village displaying architecture from all over Spain throughout its history. Set on the hill of Montjuïc overlooking Barcelona, offering street food and drinks throughout.