Build your own private Cloud environment

Nico Meisenzahl
Nico MeisenzahlCloud Solution Architect | Head of DevOps Consulting & Operations
Build your own private Cloud environment Nico Meisenzahl, panagenda nico.meisenzahl@panagenda.com @nmeisenzahl
Make Your Data Work For You Build your own private Cloud environment Nico Meisenzahl DNUG 46, Essen
@panagenda Consultant. Blogger, speaker IBM Cloud Champion & Docker Community Leader Loves K8s, containers & automation. His desk is a ping pong table. Nico Meisenzahl @nmeisenzahl https://meisenzahl.org nico@meisenzahl.org https://panagenda.com/modernization nico.meisenzahl@panagenda.com
What is Cloud? • someone else’s computer • you do not need to care about everything • can abstract – Hardware → Infrastructure-as-a-Service – underlying OS/machine → Platform-as-a-Service – everything except your business logic → Function-as-a-Service 4
What is a private on-premises Cloud? • for your colleagues – someone else’s computer – a platform which abstracts various things – examples: • deploy, run and scale containers • just care about the code and let the system manage everything else • for you – your computer 😉 – a complex environment with multiple requirements • flexibel, scalable and fast • secure and state-of-the-art – various topics like compute, storage, high-availability, security, …. 5
Some words on Containers • A container consists of one or more processes that are isolated from the rest of the system • All files necessary for execution are provided by a separate image 6
Some words on Kubernetes • open-source system for automating deployment, scaling, and management of containerized applications using a declarative approach • greek for captain • abstracts underlying machines and OS • state-of-the-art for modern application deployment • used to manage your workload – Think of “vSphere for your containers” 7
Things you need to take care of • Kubernetes environment – provisioning, scalability, high-availability – update/backup strategy • Storage • Monitoring, Metrics • Log management • Security – Authentication, Authorisation, RBAC – Workload security • Surroundings – Registry, CI/CD, Vulnerability scanning, Operators, etc. – Service mesh, Functions/Serverless 8
Kubernetes provisioning • Kubernetes can be complex • “Kubernetes the hard way” is great for learning but not for production • Tools which can support you – Rancher Kubernetes Engine (RKE) – KubeOne by Loodse – IBM Cloud Private – kubeadm – https://kubernetes.io/docs/setup/pick-right-solution • design and size your cluster based on your needs – 1,3,5,7 master nodes, worker nodes, etcd nodee? • external dependencies: Storage, Load-Balancer, vSphere... 9
Kubernetes update strategy • one minor releases (1.x) every 3 months • the last 3 minor releases are maintained/supported – EOL after 9 months! • define your update strategy based on your needs – “in-place update” by adding/removing nodes – “side-by-side” migration 10
Kubernetes Nodes • Nodes aren’t persistent! – scaling up/down nodes based on your workload (autoscaling!) – updates (create new ones and delete old ones) • therefore use – a immutable approach instead of inplace upgrades – automation and Infrastructure-as-Code approaches • rethink your OS and Container Runtime – do you need a full-blown OS? – is Docker Engine needed? 11
Kubernetes backup strategy • Kubernetes API is stateful, everything else is stateless – stores its data in a etcd database • Applications deployed in the Cluster store their data externally • Restore etcd – recreate your scripted infrastructure – restore etcd snapshot • Rebuild everything with IaC – recreate your scripted infrastructure – run your pipelines to deploy your applications 12
Persistent Storage • stateful applications need volumes to store their data • worker nodes need to be stateless – scaling services on a multi-node environment – up/down scaling nodes • auto-provisioning is key – no manual tasks when deploying/scaling services – Persistent Volume Claims with Provisioner • NFS, Ceph, GlusterFS, Minio, ... 13
Log management • a central log management is needed to effectively debug applications – applications are scaled on multiple nodes – complex applications consist of many microservices • collect logs using – a logging agent on node-level • stdout/stderr are collected by Container runtime – a sidecar container approach • logging container collects logs and forwards them • Elasticsearch, Logstash/Fluentd, Kibana as logging stack 14
Monitoring & Metrics • the chosen system needs to “understand” Kubernetes • Prometheus is the common solution for monitoring and metrics collection for services as well as Kubernetes itself – collects and stores metrics – altering using Alertmanager – Dashboards with Grafana • Prometheus pulls metrics using HTTP – from URL – using Prometheus Exporter library or sidecar – dynamic Container monitoring using Kubernetes API (kube-state-metrics agent) 15
Authentication, Authorisation • external service to provide/manage users • Authentication – X509 Client certificates – OpenID – Bearer Tokens – static password file – Service Account (managed by K8s) – ... • Authorisation – used to define access level for different users and namespaces – Role Based Access Control (RBAC) is recommended – resources access is defined with verbs (get, create, delete, …) and identities (user, group, ...) 16
Cluster workload security • you will run different applications in one cluster! • use Pod Security Policies (PSP) to define what a pod is allowed to do – permit root, allowed user/group IDs – allowed volume types – allowed Linux capabilities, namespaces – ... • only use secure Images (vulnerability scanning) • permit usage of untrusted Container Registries 17
Ecosystem • Container Registry / Chart repository – to store internal images – include security topics like vulnerability scanning • Kubernetes Operators – can be used to deploy and manage custom ressources by extending the API – example: Resource called “mongodb” which deploys a production ready cluster • CI/CD – build continuous pipelines to package/build/deploy your applications – use templating to be able to deploy to various environments (e.g. Helm) 18
Some more thoughts ... • move logic from your code into your platform by using a service mesh – timeout/retry management, load-balancing, ... – end-to-end encryption • allow your Devs to only care about their code – until now, we only talked about Platform-as-a-Service – built Function-as-a-Service on top of K8s 19
Questions? • Slides → https://www.slideshare.net/nmeisenzahl 20
Headquarters, Austria: panagenda GmbH (Ltd.) Schreyvogelgasse 3/10 AT 1010 Vienna Phone: +43 1 89 012 89 Fax: +43 1 89 012 89-15 E-Mail: info@panagenda.com Headquarters, Germany: panagenda GmbH (Ltd.) Lahnstraße 17 DE 64646 Heppenheim Phone: +49 6252 67 939-00 Fax: +49 6252 67 939-16 E-Mail: info@panagenda.com USA: panagenda Inc. 60 State Street, Suite 700 MA 02109 Boston Phone: +1 617 855 5961 Fax: +1 617 488 2292 E-Mail: info@panagenda.com Germany: panagenda Consulting GmbH (Ltd.) Donnersbergstrasse 1 DE 64646 Heppenheim Phone: +49 6252 67 939-86 Fax: +49 6252 67 939-16 E-Mail: info@panagenda.com The Netherlands: Trust Factory B.V. 11th Floor, Koningin Julianaplein 10 NL 2595 AA The Hague Phone: +31 70 80 801 96 E-Mail: info@trust-factory.com © 2007-2015 panagenda Make Your Data Work For You
DNUG e.V. Pappelallee 78/79 10437 Berlin Telefon: +49 30 20898805 0 Telefax: +49 30 20898805 1 E-Mail: info@dnug.de Web: http://www.dnug.de
1 of 22

Build your own private Cloud environment

Download to read offline
Technology

Besuchen Sie Nicos Vortrag um zu erfahren wie Sie Ihre eigene Private Cloud on-premises aufbauen können. Ziel dieser Session ist es, dass Sie einen Überblick erhalten, wie man eine Private Cloud Umgebung auf Basis von Kubernetes, unter Berücksichtigung notwendiger Anforderungen, aufbaut. Nico wird mit Ihnen über das Cluster Provisioning selbst sowie die benötigte Toolchain sprechen, die Sie benötigen um die eigene Umgebung erfolgreich zu betreiben. Im Vordergrund stehen dabei Themen wie Infrastructure as Code, CI/CD, Storage, Monitoring, Hochverfügbarkeit und Sicherheit. Erhalten Sie das notwendige Wissen sowie Best Practices, die Ihnen beim Aufbau Ihrer eigenen Private Cloud-Umgebung helfen.

Nico Meisenzahl
Nico MeisenzahlCloud Solution Architect | Head of DevOps Consulting & Operations

Recommended

Automate your development and operation processes!Automate your development and operation processes!
Automate your development and operation processes!Nico Meisenzahl
339 views21 slides
Global Azure Bootcamp: Container, Docker & Kubernetes BasicsGlobal Azure Bootcamp: Container, Docker & Kubernetes Basics
Global Azure Bootcamp: Container, Docker & Kubernetes BasicsNico Meisenzahl
867 views24 slides
Virtual Azure Community Day: Azure Kubernetes Service BasicsVirtual Azure Community Day: Azure Kubernetes Service Basics
Virtual Azure Community Day: Azure Kubernetes Service BasicsNico Meisenzahl
179 views36 slides
Docker Rosenheim Meetup: Policy & Governance for KubernetesDocker Rosenheim Meetup: Policy & Governance for Kubernetes
Docker Rosenheim Meetup: Policy & Governance for KubernetesNico Meisenzahl
98 views25 slides
Kubernetes on OpenStack @eBayKubernetes on OpenStack @eBay
Kubernetes on OpenStack @eBaySriram Subramanian
1.8K views19 slides
CloudStack EU user group - fast SAP provisioningCloudStack EU user group - fast SAP provisioning
CloudStack EU user group - fast SAP provisioningShapeBlue
947 views25 slides

More Related Content

What's hot

What's hot(20)

'Cloud-Native' Ecosystem - Aug 2015'Cloud-Native' Ecosystem - Aug 2015
'Cloud-Native' Ecosystem - Aug 2015
Lenny Pruss17K views
AKS - Azure Kubernetes Services - kubernetes meetup may 2018AKS - Azure Kubernetes Services - kubernetes meetup may 2018
AKS - Azure Kubernetes Services - kubernetes meetup may 2018
Jorge Arteiro671 views
TechTalk - Building Serverless Applications with IBM BluemixTechTalk - Building Serverless Applications with IBM Bluemix
TechTalk - Building Serverless Applications with IBM Bluemix
Janakiram MSV509 views
Deep dive into Kubernetes on AzureDeep dive into Kubernetes on Azure
Deep dive into Kubernetes on Azure
Jorge Arteiro431 views
AKS Azure Kubernetes Services Workshop Jorge ArteiroAKS Azure Kubernetes Services Workshop Jorge Arteiro
AKS Azure Kubernetes Services Workshop Jorge Arteiro
Jorge Arteiro92 views
GitHub Actions 101GitHub Actions 101
GitHub Actions 101
Nico Meisenzahl112 views
Build your First IoT Application with IBM Watson IoTBuild your First IoT Application with IBM Watson IoT
Build your First IoT Application with IBM Watson IoT
Janakiram MSV420 views
Cloudstack container serviceCloudstack container service
Cloudstack container service
ShapeBlue650 views
Who needs containers in a serverless worldWho needs containers in a serverless world
Who needs containers in a serverless world
Matthias Luebken263 views
Azure kubernetes service (aks)Azure kubernetes service (aks)
Azure kubernetes service (aks)
Akash Agrawal4.1K views
Event sourcing your React-Redux applicationsEvent sourcing your React-Redux applications
Event sourcing your React-Redux applications
Maurice De Beijer [MVP]796 views
Rebuilding Legacy Apps with Domain-Driven Design - Lessons learnedRebuilding Legacy Apps with Domain-Driven Design - Lessons learned
Rebuilding Legacy Apps with Domain-Driven Design - Lessons learned
Kacper Gunia2.9K views
Build a Cloud Day ParisBuild a Cloud Day Paris
Build a Cloud Day Paris
Sebastien Goasguen2.6K views
TechTalk Webinar Series - Getting Started with Apache OpenWhiskTechTalk Webinar Series - Getting Started with Apache OpenWhisk
TechTalk Webinar Series - Getting Started with Apache OpenWhisk
Janakiram MSV638 views
Managing add-ons across clustersManaging add-ons across clusters
Managing add-ons across clusters
LibbySchulze72 views
Container orchestration k8s azure kubernetes servicesContainer orchestration k8s azure kubernetes services
Container orchestration k8s azure kubernetes services
Rajesh Kolla55 views
Brendon Foxen (Channel 4) - Speeding up Software Delivery at Channel 4Brendon Foxen (Channel 4) - Speeding up Software Delivery at Channel 4
Brendon Foxen (Channel 4) - Speeding up Software Delivery at Channel 4
Outlyer497 views
Going Serverless with Kubeless In Google Container Engine (GKE)Going Serverless with Kubeless In Google Container Engine (GKE)
Going Serverless with Kubeless In Google Container Engine (GKE)
Bitnami1.1K views
The busy developer guide to DockerThe busy developer guide to Docker
The busy developer guide to Docker
Maurice De Beijer [MVP]444 views
Service Discovery: From Classic to VPCService Discovery: From Classic to VPC
Service Discovery: From Classic to VPC
Mark Corwin388 views

Similar to Build your own private Cloud environment

Similar to Build your own private Cloud environment(20)

OSDC 2018 | Three years running containers with Kubernetes in Production by T...OSDC 2018 | Three years running containers with Kubernetes in Production by T...
OSDC 2018 | Three years running containers with Kubernetes in Production by T...
NETWAYS246 views
Kubernetes solutionsKubernetes solutions
Kubernetes solutions
Eric Cattoir615 views
Running Microservices in Production with IBMRunning Microservices in Production with IBM
Running Microservices in Production with IBM
LetsConnect61 views
Social Connections 14 - Running Microservices in Production with IBMSocial Connections 14 - Running Microservices in Production with IBM
Social Connections 14 - Running Microservices in Production with IBM
panagenda1.1K views
Running Microservices in Production with IBMRunning Microservices in Production with IBM
Running Microservices in Production with IBM
Nico Meisenzahl190 views
Kubernetes – An open platform for container orchestrationKubernetes – An open platform for container orchestration
Kubernetes – An open platform for container orchestration
inovex GmbH508 views
Simplify Your Way To Expert Kubernetes ManagementSimplify Your Way To Expert Kubernetes Management
Simplify Your Way To Expert Kubernetes Management
DevOps.com269 views
Private Cloud with Open Stack, DockerPrivate Cloud with Open Stack, Docker
Private Cloud with Open Stack, Docker
Davinder Kohli2.9K views
Platform as a Service with Kubernetes and Mesos Platform as a Service with Kubernetes and Mesos
Platform as a Service with Kubernetes and Mesos
Miguel Zuniga3.1K views
Hybrid cloud openstack meetupHybrid cloud openstack meetup
Hybrid cloud openstack meetup
dfilppi507 views
Kubernetes for Enterprise DevOpsKubernetes for Enterprise DevOps
Kubernetes for Enterprise DevOps
Jim Bugwadia337 views
Social Connections 13 - Troubleshooting Connections PinkSocial Connections 13 - Troubleshooting Connections Pink
Social Connections 13 - Troubleshooting Connections Pink
Nico Meisenzahl1.2K views
Why kubernetes mattersWhy kubernetes matters
Why kubernetes matters
Platform93K views
Centralizing Kubernetes and Container OperationsCentralizing Kubernetes and Container Operations
Centralizing Kubernetes and Container Operations
Kublr2.5K views
DNUG46 - Automate your development and operation processes!DNUG46 - Automate your development and operation processes!
DNUG46 - Automate your development and operation processes!
panagenda233 views
Un-clouding the cloudUn-clouding the cloud
Un-clouding the cloud
Davinder Kohli1K views
Building a PaaS Platform like Bluemix on OpenStackBuilding a PaaS Platform like Bluemix on OpenStack
Building a PaaS Platform like Bluemix on OpenStack
Animesh Singh6.3K views
Why Kubernetes as a container orchestrator is a right choice for running spar...Why Kubernetes as a container orchestrator is a right choice for running spar...
Why Kubernetes as a container orchestrator is a right choice for running spar...
DataWorks Summit1.4K views
Azure meetup cloud native concepts - may 28th 2018Azure meetup cloud native concepts - may 28th 2018
Azure meetup cloud native concepts - may 28th 2018
Jim Bugwadia289 views
VTU Open Elective 6th Sem CSE - Module 2 - Cloud ComputingVTU Open Elective 6th Sem CSE - Module 2 - Cloud Computing
VTU Open Elective 6th Sem CSE - Module 2 - Cloud Computing
Sachin Gowda3.1K views

More from Nico Meisenzahl

More from Nico Meisenzahl(20)

Cloud-Native & Sustainability: How and Why to Build Sustainable WorkloadsCloud-Native & Sustainability: How and Why to Build Sustainable Workloads
Cloud-Native & Sustainability: How and Why to Build Sustainable Workloads
Nico Meisenzahl51 views
Container Day Security: How to Prevent Your Kubernetes Cluster From Being HackedContainer Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked
Container Day Security: How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl30 views
Festive Tech Calendar: Festive time with AKS networkingFestive Tech Calendar: Festive time with AKS networking
Festive Tech Calendar: Festive time with AKS networking
Nico Meisenzahl23 views
ContainerConf 2022: Hijack KubernetesContainerConf 2022: Hijack Kubernetes
ContainerConf 2022: Hijack Kubernetes
Nico Meisenzahl58 views
ContainerConf 2022: Kubernetes is awesome - but...ContainerConf 2022: Kubernetes is awesome - but...
ContainerConf 2022: Kubernetes is awesome - but...
Nico Meisenzahl194 views
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being HackedKCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
KCD Munich 2022: How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl53 views
KCD Munich 2022: Hijack a Kubernetes Cluster - a WalkthroughKCD Munich 2022: Hijack a Kubernetes Cluster - a Walkthrough
KCD Munich 2022: Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl15 views
Cloud Love Conference: Kubernetes is awesome, but...Cloud Love Conference: Kubernetes is awesome, but...
Cloud Love Conference: Kubernetes is awesome, but...
Nico Meisenzahl11 views
How to Prevent Your Kubernetes Cluster From Being HackedHow to Prevent Your Kubernetes Cluster From Being Hacked
How to Prevent Your Kubernetes Cluster From Being Hacked
Nico Meisenzahl53 views
Container Days: Hijack a Kubernetes Cluster - a WalkthroughContainer Days: Hijack a Kubernetes Cluster - a Walkthrough
Container Days: Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl16 views
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl70 views
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
Azure Zürich User Group: Azure Kubernetes Service – more than just a managed ...
Nico Meisenzahl94 views
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl125 views
azdevcom - Hijack a Kubernetes Clusterazdevcom - Hijack a Kubernetes Cluster
azdevcom - Hijack a Kubernetes Cluster
Nico Meisenzahl138 views
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
Continuous Lifecycle: Enhance Your Compliance and Governance With Policy-Base...
Nico Meisenzahl164 views
Continuous Lifecycle: Hijack KubernetesContinuous Lifecycle: Hijack Kubernetes
Continuous Lifecycle: Hijack Kubernetes
Nico Meisenzahl53 views
Hijack a Kubernetes Cluster - a WalkthroughHijack a Kubernetes Cluster - a Walkthrough
Hijack a Kubernetes Cluster - a Walkthrough
Nico Meisenzahl102 views
GitLab Commit: Enhance your Compliance with Policy-Based CI/CDGitLab Commit: Enhance your Compliance with Policy-Based CI/CD
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
Nico Meisenzahl586 views
Azure Meetup Hamburg: Production-Ready Terraform Deployments on AzureAzure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
Azure Meetup Hamburg: Production-Ready Terraform Deployments on Azure
Nico Meisenzahl287 views
Microsoft DevOps Forum 2021 – DevOps & Security Microsoft DevOps Forum 2021 – DevOps & Security
Microsoft DevOps Forum 2021 – DevOps & Security
Nico Meisenzahl247 views

Recently uploaded

Recently uploaded(20)

[2023] Putting the R! in R&D.pdf[2023] Putting the R! in R&D.pdf
[2023] Putting the R! in R&D.pdf
Eleanor McHugh34 views
MemVerge: Gismo (Global IO-free Shared Memory Objects)MemVerge: Gismo (Global IO-free Shared Memory Objects)
MemVerge: Gismo (Global IO-free Shared Memory Objects)
CXL Forum108 views
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...
Prity Khastgir IPR Strategic India Patent Attorney Amplify Innovation23 views
TE Connectivity: Card Edge InterconnectsTE Connectivity: Card Edge Interconnects
TE Connectivity: Card Edge Interconnects
CXL Forum93 views
"AI Startup Growth from Idea to 1M ARR", Oleksandr Uspenskyi"AI Startup Growth from Idea to 1M ARR", Oleksandr Uspenskyi
"AI Startup Growth from Idea to 1M ARR", Oleksandr Uspenskyi
Fwdays23 views
Business Analyst Series 2023 - Week 2 Session 3Business Analyst Series 2023 - Week 2 Session 3
Business Analyst Series 2023 - Week 2 Session 3
DianaGray10307 views
"Ukrainian Mobile Banking Scaling in Practice. From 0 to 100 and beyond", Vad..."Ukrainian Mobile Banking Scaling in Practice. From 0 to 100 and beyond", Vad...
"Ukrainian Mobile Banking Scaling in Practice. From 0 to 100 and beyond", Vad...
Fwdays33 views
GigaIO: The March of Composability Onward to Memory with CXLGigaIO: The March of Composability Onward to Memory with CXL
GigaIO: The March of Composability Onward to Memory with CXL
CXL Forum118 views
Data-centric AI and the convergence of data and model engineering: opportunit...Data-centric AI and the convergence of data and model engineering: opportunit...
Data-centric AI and the convergence of data and model engineering: opportunit...
Paolo Missier19 views
Micron CXL product and architecture updateMicron CXL product and architecture update
Micron CXL product and architecture update
CXL Forum23 views
Transcript: The Details of Description Techniques tips and tangents on altern...Transcript: The Details of Description Techniques tips and tangents on altern...
Transcript: The Details of Description Techniques tips and tangents on altern...
BookNet Canada99 views
"Thriving Culture in a Product Company — Practical Story", Volodymyr Tsukur"Thriving Culture in a Product Company — Practical Story", Volodymyr Tsukur
"Thriving Culture in a Product Company — Practical Story", Volodymyr Tsukur
Fwdays35 views
PyCon ID 2023 - Ridwan Fadjar Septian.pdfPyCon ID 2023 - Ridwan Fadjar Septian.pdf
PyCon ID 2023 - Ridwan Fadjar Septian.pdf
Ridwan Fadjar163 views
MemVerge: Memory Viewer SoftwareMemVerge: Memory Viewer Software
MemVerge: Memory Viewer Software
CXL Forum115 views
JCon Live 2023 - Lice coding some integration problemsJCon Live 2023 - Lice coding some integration problems
JCon Live 2023 - Lice coding some integration problems
Bernd Ruecker61 views
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk75 views
Liqid: Composable CXL PreviewLiqid: Composable CXL Preview
Liqid: Composable CXL Preview
CXL Forum118 views
AMD: 4th Generation EPYC CXL DemoAMD: 4th Generation EPYC CXL Demo
AMD: 4th Generation EPYC CXL Demo
CXL Forum117 views
"Fast Start to Building on AWS", Igor Ivaniuk"Fast Start to Building on AWS", Igor Ivaniuk
"Fast Start to Building on AWS", Igor Ivaniuk
Fwdays31 views
Java Platform Approach 1.0 - Picnic MeetupJava Platform Approach 1.0 - Picnic Meetup
Java Platform Approach 1.0 - Picnic Meetup
Rick Ossendrijver23 views

Build your own private Cloud environment

  • 1. Build your own private Cloud environment Nico Meisenzahl, panagenda nico.meisenzahl@panagenda.com @nmeisenzahl
  • 2. Make Your Data Work For You Build your own private Cloud environment Nico Meisenzahl DNUG 46, Essen
  • 3. @panagenda Consultant. Blogger, speaker IBM Cloud Champion & Docker Community Leader Loves K8s, containers & automation. His desk is a ping pong table. Nico Meisenzahl @nmeisenzahl https://meisenzahl.org nico@meisenzahl.org https://panagenda.com/modernization nico.meisenzahl@panagenda.com
  • 4. What is Cloud? • someone else’s computer • you do not need to care about everything • can abstract – Hardware → Infrastructure-as-a-Service – underlying OS/machine → Platform-as-a-Service – everything except your business logic → Function-as-a-Service 4
  • 5. What is a private on-premises Cloud? • for your colleagues – someone else’s computer – a platform which abstracts various things – examples: • deploy, run and scale containers • just care about the code and let the system manage everything else • for you – your computer 😉 – a complex environment with multiple requirements • flexibel, scalable and fast • secure and state-of-the-art – various topics like compute, storage, high-availability, security, …. 5
  • 6. Some words on Containers • A container consists of one or more processes that are isolated from the rest of the system • All files necessary for execution are provided by a separate image 6
  • 7. Some words on Kubernetes • open-source system for automating deployment, scaling, and management of containerized applications using a declarative approach • greek for captain • abstracts underlying machines and OS • state-of-the-art for modern application deployment • used to manage your workload – Think of “vSphere for your containers” 7
  • 8. Things you need to take care of • Kubernetes environment – provisioning, scalability, high-availability – update/backup strategy • Storage • Monitoring, Metrics • Log management • Security – Authentication, Authorisation, RBAC – Workload security • Surroundings – Registry, CI/CD, Vulnerability scanning, Operators, etc. – Service mesh, Functions/Serverless 8
  • 9. Kubernetes provisioning • Kubernetes can be complex • “Kubernetes the hard way” is great for learning but not for production • Tools which can support you – Rancher Kubernetes Engine (RKE) – KubeOne by Loodse – IBM Cloud Private – kubeadm – https://kubernetes.io/docs/setup/pick-right-solution • design and size your cluster based on your needs – 1,3,5,7 master nodes, worker nodes, etcd nodee? • external dependencies: Storage, Load-Balancer, vSphere... 9
  • 10. Kubernetes update strategy • one minor releases (1.x) every 3 months • the last 3 minor releases are maintained/supported – EOL after 9 months! • define your update strategy based on your needs – “in-place update” by adding/removing nodes – “side-by-side” migration 10
  • 11. Kubernetes Nodes • Nodes aren’t persistent! – scaling up/down nodes based on your workload (autoscaling!) – updates (create new ones and delete old ones) • therefore use – a immutable approach instead of inplace upgrades – automation and Infrastructure-as-Code approaches • rethink your OS and Container Runtime – do you need a full-blown OS? – is Docker Engine needed? 11
  • 12. Kubernetes backup strategy • Kubernetes API is stateful, everything else is stateless – stores its data in a etcd database • Applications deployed in the Cluster store their data externally • Restore etcd – recreate your scripted infrastructure – restore etcd snapshot • Rebuild everything with IaC – recreate your scripted infrastructure – run your pipelines to deploy your applications 12
  • 13. Persistent Storage • stateful applications need volumes to store their data • worker nodes need to be stateless – scaling services on a multi-node environment – up/down scaling nodes • auto-provisioning is key – no manual tasks when deploying/scaling services – Persistent Volume Claims with Provisioner • NFS, Ceph, GlusterFS, Minio, ... 13
  • 14. Log management • a central log management is needed to effectively debug applications – applications are scaled on multiple nodes – complex applications consist of many microservices • collect logs using – a logging agent on node-level • stdout/stderr are collected by Container runtime – a sidecar container approach • logging container collects logs and forwards them • Elasticsearch, Logstash/Fluentd, Kibana as logging stack 14
  • 15. Monitoring & Metrics • the chosen system needs to “understand” Kubernetes • Prometheus is the common solution for monitoring and metrics collection for services as well as Kubernetes itself – collects and stores metrics – altering using Alertmanager – Dashboards with Grafana • Prometheus pulls metrics using HTTP – from URL – using Prometheus Exporter library or sidecar – dynamic Container monitoring using Kubernetes API (kube-state-metrics agent) 15
  • 16. Authentication, Authorisation • external service to provide/manage users • Authentication – X509 Client certificates – OpenID – Bearer Tokens – static password file – Service Account (managed by K8s) – ... • Authorisation – used to define access level for different users and namespaces – Role Based Access Control (RBAC) is recommended – resources access is defined with verbs (get, create, delete, …) and identities (user, group, ...) 16
  • 17. Cluster workload security • you will run different applications in one cluster! • use Pod Security Policies (PSP) to define what a pod is allowed to do – permit root, allowed user/group IDs – allowed volume types – allowed Linux capabilities, namespaces – ... • only use secure Images (vulnerability scanning) • permit usage of untrusted Container Registries 17
  • 18. Ecosystem • Container Registry / Chart repository – to store internal images – include security topics like vulnerability scanning • Kubernetes Operators – can be used to deploy and manage custom ressources by extending the API – example: Resource called “mongodb” which deploys a production ready cluster • CI/CD – build continuous pipelines to package/build/deploy your applications – use templating to be able to deploy to various environments (e.g. Helm) 18
  • 19. Some more thoughts ... • move logic from your code into your platform by using a service mesh – timeout/retry management, load-balancing, ... – end-to-end encryption • allow your Devs to only care about their code – until now, we only talked about Platform-as-a-Service – built Function-as-a-Service on top of K8s 19
  • 20. Questions? • Slides → https://www.slideshare.net/nmeisenzahl 20
  • 21. Headquarters, Austria: panagenda GmbH (Ltd.) Schreyvogelgasse 3/10 AT 1010 Vienna Phone: +43 1 89 012 89 Fax: +43 1 89 012 89-15 E-Mail: info@panagenda.com Headquarters, Germany: panagenda GmbH (Ltd.) Lahnstraße 17 DE 64646 Heppenheim Phone: +49 6252 67 939-00 Fax: +49 6252 67 939-16 E-Mail: info@panagenda.com USA: panagenda Inc. 60 State Street, Suite 700 MA 02109 Boston Phone: +1 617 855 5961 Fax: +1 617 488 2292 E-Mail: info@panagenda.com Germany: panagenda Consulting GmbH (Ltd.) Donnersbergstrasse 1 DE 64646 Heppenheim Phone: +49 6252 67 939-86 Fax: +49 6252 67 939-16 E-Mail: info@panagenda.com The Netherlands: Trust Factory B.V. 11th Floor, Koningin Julianaplein 10 NL 2595 AA The Hague Phone: +31 70 80 801 96 E-Mail: info@trust-factory.com © 2007-2015 panagenda Make Your Data Work For You
  • 22. DNUG e.V. Pappelallee 78/79 10437 Berlin Telefon: +49 30 20898805 0 Telefax: +49 30 20898805 1 E-Mail: info@dnug.de Web: http://www.dnug.de