
You've Made Kubernetes Available to Your Developers, Now What?

Congratulations! You’ve built out your Kubernetes infrastructure and it’s ready for prime-time. But if you want to optimize for Developer Productivity, Operational Efficiency, Security Posture, you have more to do. Do your developers know how to build secure containers? Do they know about persistent volumes and claims? Setting pod security policies? Are they willing to take on operational responsibilities (and are you ok delegating that to them?). Who’s responsible for addressing OS vulnerabilities?

Kubernetes doesn’t address these concerns, but it’s likely you are responsible for finding the answers. In this session we’ll equip you with tools and techniques to solve these problems, based on our experience deploying hundreds of thousands of containers across Fortune 500 organizations.


  1. © Copyright 2018 Pivotal Software, Inc. All rights Reserved. Version 1.0. You’ve Made Kubernetes Available to Your Developers, Now What? Cornelia Davis, Vice President, Technology, Pivotal. August 2019
  2. Me? Developer (wasn’t Ops). Web architectures for nearly 15 years. Cloud-native for 7+ years. Cloud Foundry for 7+ years. @cdavisafc
  3. Safe Harbor Statement. This presentation contains statements which are intended to outline the general direction of certain of Pivotal's offerings. It is intended for information purposes only and may not be incorporated into any contract. Any information regarding the pre-release of Pivotal offerings, future updates or other planned modifications is subject to ongoing evaluation by Pivotal and is subject to change. All software releases are on an “if and when available” basis and are subject to change. This information is provided without warranty of any kind, express or implied, and is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions regarding Pivotal's offerings. Any purchasing decisions should only be based on features currently available. The development, release, and timing of any features or functionality described for Pivotal's offerings in this presentation remain at the sole discretion of Pivotal. Pivotal has no obligation to update forward-looking information in this presentation. This presentation contains statements relating to Pivotal’s expectations, projections, beliefs, and prospects which are "forward-looking statements" and by their nature are uncertain. Words such as "believe," "may," "will," "estimate," "continue," "anticipate," "intend," "expect," "plans," and similar expressions are intended to identify forward-looking statements. Such forward-looking statements are not guarantees of future performance, and you are cautioned not to place undue reliance on these forward-looking statements. Actual results could differ materially from those projected in the forward-looking statements as a result of many factors. All information set forth in this presentation is current as of the date of this presentation. These forward-looking statements are based on current expectations and are subject to uncertainties, risks, assumptions, and changes in condition, significance, value and effect as well as other risks disclosed previously and from time to time by us. Additional information we disclose could cause actual results to vary from expectations. Pivotal disclaims any obligation to, and does not currently intend to, update any such forward-looking statements, whether written or oral, that may be made from time to time except as required by law.
  4. DevOps. I’m going to assume this is the goal. Let me tell you why…
  5. https://cloud.google.com/blog/products/devops-sre/the-2019-accelerate-state-of-devops-elite-performance-productivity-and-scaling
  6. https://cloud.google.com/blog/products/devops-sre/the-2019-accelerate-state-of-devops-elite-performance-productivity-and-scaling
  7. You’ve Made Kubernetes Available to Your Developers, Now What? Who is “you”? Who are the “developers”?
  8. The Cloud Platform Evolution (diagram of three stacks, TRADITIONAL, IAAS and PLATFORM; layer labels: Physical Servers, Virtualization Platform, Virtualized Infrastructure, Operating System, Database, Web Server, Messaging, Your Application Code)
  9. Application Dial Tone (diagram: Your Application Code on Virtualized Infrastructure). The platform emits application “dial tone”: • Config • Runtime • Logs • Metrics • Health Management • Security • Operations
  10. Teams Delivering Outcomes (diagram: Your Application Code / PLATFORM / Virtualized Infrastructure). Application Team: iteratively building and delivering digital offerings to the consumer. Platform Team: enabling the app teams all while maintaining Security, Compliance, Resilience, Cost Efficiency.
  11. “You” are the platform team
  12. What Do the App Teams do? (Developers)
  13. App teams do this! Write Code. Build Containers. Deploy Applications. Care for Applications (Day 2).
  14. There is a relationship between cloud native Software (App Teams) and cloud native Platforms (Platform Teams)
  15. Let’s take a closer look: Write Code. Build Containers. Deploy Applications. Care for Applications (Day 2).
  16. Write Code: Write for Operations
  17. I like to describe Cloud-native Software as that which is Highly Distributed and experiencing Constant Change
  18. Horizontally Scaled, Load Balanced Services (diagram: LOAD BALANCING in front of several SERVICE instances). What’s the harm of a few sticky sessions? ▸ While we hope not… ▸ …often mutable state creeps in and we resort to sticky sessions
  19. Retries (diagram: CLIENT → SERVICE). Timeouts? If we don’t hear back, try again. CIRCUIT BREAKERS: https://martinfowler.com/bliki/CircuitBreaker.html ▸ Client must consider failure ▸ Decide on fall-back behavior ▸ Likely including retries ▸ But then we need to handle downstream consequences of these (retry) behaviors
  20. “Few words can better express the Spring domination of the Java ecosystem than this graph. 4 in 10 developers are using Spring Boot in their applications” (Java Magazine / Snyk.io)
      Spring usage has increased significantly year on year, especially Spring Framework 4.x (49% in 2016 vs. 38% in 2015) (RedMonk)
      Spring is the leading framework for Java...
      Use supported Java, Spring and Tomcat: Pivotal Spring Runtime
  21. Comprehensive Support for *All* Your Java Workloads. Software and support for OpenJDK, Spring, and Apache Tomcat for any enterprise. Pivotal’s Java Experts. Support 24/7. Simple & Fair Pricing.
  22. The Myth: Kubernetes is Kubernetes is Kubernetes. You, the platform team, are building the Kubernetes platform(s) for your organization!
  23. Build Containers: Trusted Container Pipeline
  24. (diagram: Infrastructure → provision → configure → Configured PLATFORM → deploy, configure)
  25. (diagram: Infrastructure → Configured PLATFORM → deploy, configure) Designed for self-service!
  26. (same diagram, with several configure and deploy arrows against the Configured PLATFORM) Designed for self-service!
  27. (same diagram, one more deploy arrow) Designed for self-service!
  28. (same diagram) Designed for self-service!
  29. (diagram: container layers root FS / Runtime Layer / App Layer; HOST: Host OS (Kernel), OS Image, Runtime Layer, Application Layer) Securely assemble, deploy, and update code: Pivotal Build Service (deploy, configure). What do I do in this earlier phase? Decide on root FS. Add dependencies. “Install” app. But then WHO makes these decisions?
  30. (diagram: root FS / Runtime Layer / App Layer)
  31. (diagram as on slide 28) Designed for self-service!
  32. An enterprise-class registry server for Docker images: Role-Based Access Control (RBAC), LDAP/AD Integration, Image Vulnerability Scanning, Notary Image Signing, Policy-Based Image Replication, Graphical User Portal & RESTful API, Image Deletion & Garbage Collection, Auditing. (diagram: Dev Team → Build Image → Push Image → Scan Image for CVEs → Sign Image → kubectl run; Image Registry with Clair, Notary, RBAC, UAA Auth, Replication)
  33. Deploy Applications: GitOps & Immutable Infrastructure
  34. Kubernetes is about deployments - repeatable deployments (diagram: End User Machine, Rich Web App, App Server, Upload Preferences Service)
  35. Kubernetes is about deployments - repeatable deployments (same diagram)
  36. Kubernetes is about deployments - repeatable deployments (same diagram, plus Process Service) ? Nope!
  37. Kubernetes is about deployments - repeatable deployments (same diagram) docker run --volume … --mount … / docker run --volume … --mount …
  38. Kubernetes is about deployments - repeatable deployments (diagram: App Server, Upload Preferences Service, Process Service). Sketch of the manifest:
      deployment:
        replicaset:
          name: upload_preferences
          number: 2
          volume: volume1
          …
        replicaset:
          name: process
          number: 3
          volume: volume1
          …
        volume:
          name: volume1
          …
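The manifest sketched on slide 38, written out as real Kubernetes objects. This is an added example, not from the deck or from Pivotal; the image names, storage size and mount path are assumptions. Because two Deployments mount the same claim, it must be ReadWriteMany: with ReadWriteOnce, replicas scheduled onto different nodes cannot attach the volume.

```yaml
# Added example: the slide 38 sketch as real objects. Images, storage size
# and mount path are assumed.
apiVersion: v1
kind: PersistentVolumeClaim
metadata: {name: volume1}
spec:
  accessModes: [ReadWriteMany]   # shared by two Deployments; RWO would pin it to one node
  resources: {requests: {storage: 10Gi}}
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: upload-preferences}   # "upload_preferences" is not a valid name (DNS-1123)
spec:
  replicas: 2
  selector: {matchLabels: {app: upload-preferences}}
  template:
    metadata: {labels: {app: upload-preferences}}
    spec:
      securityContext: {runAsNonRoot: true}   # refuse images whose process runs as root
      containers:
      - name: upload-preferences
        image: registry.example.com/upload-preferences:1.0.0   # assumed
        volumeMounts: [{name: volume1, mountPath: /data}]
      volumes:
      - name: volume1
        persistentVolumeClaim: {claimName: volume1}
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: process}
spec:
  replicas: 3
  selector: {matchLabels: {app: process}}
  template:
    metadata: {labels: {app: process}}
    spec:
      securityContext: {runAsNonRoot: true}
      containers:
      - name: process
        image: registry.example.com/process:1.0.0   # assumed
        volumeMounts: [{name: volume1, mountPath: /data}]
      volumes:
      - name: volume1
        persistentVolumeClaim: {claimName: volume1}
```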
  39. But remember this picture… (diagram: LOAD BALANCING in front of several PROCESS SERVICE instances) You provide this! And this!
  40. What you have to do today (diagram: K8s (PKS) Master and Worker nodes running the App; Load Balancers between the K8s API client (kubectl) and the Masters and between the workload client and the Workers). With the creation of each load balancer comes the creation of DNS records. Is that via ticket?
  41. Get routing as a managed service: Pivotal Service Mesh (diagram: K8s (PKS) Masters and Workers, Mesh Ingress (Envoy), Mesh Control Plane (Istio), K8s API client (kubectl), workload client). A demonstrably better way… This allows app teams to work autonomously! A routing functionality designed for greater levels of dynamism.
  42. And what about bound services? (diagram as on slide 39) You provide this! And this!
  43. Services (diagram: App Server, Upload Preferences Service, Process Service)
  44. External Services (diagram: App Server, Upload Preferences Service, Process Service). How will app teams get credentials? How will they supply them to their microservices? (spoiler: into ConfigMaps) How will credentials be rotated?
  45. Consume on- or off-platform services: Pivotal Services Marketplace. https://www.openservicebrokerapi.org/
  46. In fact, there are a whole host of things “you” need to bring (diagram: App Teams ↔ K8s Cluster (Kubernetes Master; Compute, Storage, Networking, Routing, ImageReg, ExternalSvc, ...) ↔ Platform Team). Tooling for Managing Workloads: ➤ kubectl ➤ Kubernetes Dashboard. Tooling for Managing Kubernetes: ➤ Installation ➤ Upgrades ➤ Patch mgmt ➤ Resilience ➤ Monitoring/Logging ➤ Backup/Recovery ➤ …
  47. There is a whole ton you need to learn and supply. You have to think about:
      ● What app teams are allowed to do on the K8s clusters:
        ● RBAC
        ● Admission Controllers
        ● Pod Security Policies
      ● Providing access to infrastructure:
        ● Persistent Volumes and Claims
        ● Network segments
      ● Observability:
        ● Monitoring
        ● Logging
      ● …
  48. We can help (Run, Build, Manage): Enterprise Kubernetes (On-premises | Public Cloud | Edge); Single Control Point (Multi-cloud, Multi-cluster, Multi-team); Modern Applications (Traditional | COTS | Cloud Native). Confidential │ ©2019 VMware, Inc.
  49. Applications Day 2: Monitor, Scale, Patch, Upgrade
  50. Teams Delivering Outcomes (same diagram as slide 10). Application Team: iteratively building and delivering digital offerings to the consumer. Platform Team: enabling the app teams all while maintaining Security, Compliance, Resilience, Cost Efficiency.
  51. Partitioning the Stack → Partitioning the Responsibilities (diagram: Database, Web Server, Messaging, Your Application Code, Virtualized Infrastructure, PLATFORM; Platform Team and Application Team; Dev and Ops) Nope! ? ?
  52. Partitioning the Stack → Partitioning the Responsibilities (diagram: Your Application Code on Virtualized Infrastructure; Platform Team and Application Team each labelled Dev & Ops, in place of the earlier Dev / Ops split)
  53. (diagram as on slide 29) Securely assemble, deploy, and update code: Pivotal Build Service (deploy, configure). What do I do in this earlier phase? Decide on root FS. Add dependencies. “Install” app. But then WHO makes these decisions? And when??
  54. Trusted Container Pipeline (diagram: several hosts, each with Host OS (Kernel), OS Image, Runtime Layer, Application Layer; labels: Platform-team Provided, App-team Provided)
  55. (platform team managed)
  56. Once again, this is but a small sampling. You have to think about:
      ● Tenancy:
        ● RBAC
        ● Admission Controllers
        ● Pod Security Policies
        ● Quotas
      ● Patch management
      ● Credential rotation
      ● Persistent Volumes and Claims
      ● Network segments
      ● …
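The tenancy controls listed on slides 47 and 56 applied to one app-team namespace: a namespaced Role bound to the team's directory group (the LDAP/AD or UAA integration from slide 32 supplies the group), a ResourceQuota, and a default-deny NetworkPolicy as the network segment. Added example, not from the deck or from Pivotal; the namespace, group name and limits are assumptions, and admission controllers and Pod Security Policies are cluster-level configuration not shown here.

```yaml
# Added example (not from the deck): one app-team tenancy namespace.
# Team name, group name and limits are assumptions.
apiVersion: v1
kind: Namespace
metadata: {name: team-uploads}
---
# RBAC: the team's group may manage workloads in its own namespace only.
# A Role (not ClusterRole) grants nothing cluster-scoped: no nodes, no PSPs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: app-team-edit, namespace: team-uploads}
rules:
- apiGroups: [""]
  resources: [pods, pods/log, services, configmaps, secrets, persistentvolumeclaims]
  verbs: [get, list, watch, create, update, patch, delete]
- apiGroups: [apps]
  resources: [deployments, replicasets]
  verbs: [get, list, watch, create, update, patch, delete]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: app-team-edit, namespace: team-uploads}
subjects:
- kind: Group
  name: team-uploads-developers   # group as asserted by the directory (assumed)
  apiGroup: rbac.authorization.k8s.io
roleRef: {kind: Role, name: app-team-edit, apiGroup: rbac.authorization.k8s.io}
---
# Quota: the team controls its own scale inside a ceiling the platform team sets.
apiVersion: v1
kind: ResourceQuota
metadata: {name: team-uploads-quota, namespace: team-uploads}
spec:
  hard:
    pods: "20"
    requests.cpu: "8"
    requests.memory: 16Gi
    persistentvolumeclaims: "5"
    requests.storage: 100Gi
---
# Network segment: no pod in the namespace accepts ingress until an explicit
# allow policy for a needed flow is added (not part of the team's Role above).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny-ingress, namespace: team-uploads}
spec:
  podSelector: {}
  policyTypes: [Ingress]
```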
  57. We can help (Run, Build, Manage): Enterprise Kubernetes (On-premises | Public Cloud | Edge); Single Control Point (Multi-cloud, Multi-cluster, Multi-team); Modern Applications (Traditional | COTS | Cloud Native). Confidential │ ©2019 VMware, Inc.
  58. Providing the Right Platform and Responsibilities
      1. Write Code - Write for Operations
        1. Both app ops and platform ops
          1. Cloud-native Patterns yield autonomy between app and platform teams
        2. Delivering your organization’s Kubernetes:
          1. Is a way to introduce enterprise controls
          2. Determines what apps will run (i.e. privileged containers)
      2. Build Containers - Trusted Container Pipeline
        1. What is allowed to go into containers? (i.e. certified, licensed SW)
        2. How do you keep them from being tampered with?
        3. How do you keep them from containing vulnerabilities?
      Responsibility column (You = platform team, Them = app team), top to bottom: You, Them, You, You, You, You & Them
  59. Providing the Right Platform and Responsibilities
      3. Deploy Applications - GitOps and Immutable Infrastructure
        1. Create deployment topology
        2. Access infra resources, such as storage and load balancers
        3. Services brokering
      4. Care for Applications (Day 2) - Monitor, Patch, Scale, Upgrade
        1. Quotas so that app team can control scale
        2. Patch
        3. Credential Rotation
        4. Upgrade — that is, the frequent deploy
      Responsibility column (You = platform team, Them = app team), top to bottom: Them, You, You, You, You (& Them), Most definitely Them!!!!!, Them, You (& Them)
  60. https://cloud.google.com/blog/products/devops-sre/the-2019-accelerate-state-of-devops-elite-performance-productivity-and-scaling
  61. It is a dance, between cloud native Software and cloud native Platforms
  62. © Copyright 2019 Pivotal Software, Inc. All rights Reserved. Thank you! Cornelia Davis, Vice President, Technology, Pivotal. cdavis@pivotal.io • @cdavisafc
  63. https://my.vmworld.com/widget/vmware/vmworld19us/us19catalog?search.modernapps=155131370075700264Ci
  64. © Copyright 2019 Pivotal Software, Inc. All rights Reserved. Thank you! Cornelia Davis, Vice President, Technology, Pivotal. cdavis@pivotal.io • @cdavisafc
