DecompileD 2018
2018-04-06
SANDOR SZÜCS
@sszuecs
Kubernetes Ingress in production
WE ARE CONSTANTLY INNOVATING TECHNOLOGY
HOME-BREWED, CUTTING-EDGE & SCALABLE technology solutions
~2,000 employees from 77 nations, in 7 tech locations (HQs in Berlin), help our brand to WIN ONLINE
ZALANDO TECH’S INFRASTRUCTURE
FOUR ERAS AT ZALANDO TECH
Era          Since   Platform
PHP          -       Data center, PHP files
Zomcat       2010    Data center, WAR, LXC
STUPS        2015    AWS, Docker, Cloud Formation, low level (AWS API)
Kubernetes   2016    AWS, Docker, Cloud Formation, Kubernetes manifest, higher abstraction level
LARGE SCALE?
KUBERNETES
DEPLOYMENT - PODs
A deployment defines a set of Pods
SERVICE
A service is a cluster-internal TCP load balancer to Pods
INGRESS
AN EXTERNAL ACCESS POINT TO SERVICES
Infrastructure & Automation
Logical Target picture (diagram): ALB → Skipper on each Node → Service → MyApp Pods. TLS is terminated at the ALB on the EC2 network; inside the K8s network the traffic is plain HTTP.
Technical Target picture (diagram): ALB → Skipper on each Node → MyApp Pods directly, without the Service in the path. TLS on the EC2 network, HTTP inside the K8s network.
ingress (slide shows an Ingress object definition with the host and backend fields highlighted)
Skipper
• Skipper → HTTP Route
$ curl -H "Host: my-app.example.org" http://172.1.2.6:9999/
https://github.com/zalando/skipper
Kube-ingress-aws-controller
• Kubernetes Ingress Controller for AWS → ALB+TLS
$ curl -k -H "Host: my-app.example.org" https://aws-5178-lb-z82sf5u4ae0v-1194901579.eu-central-1.elb.amazonaws.com/
https://github.com/zalando-incubator/kube-ingress-aws-controller
External DNS
• External DNS → DNS name
$ curl https://my-app.example.org/
https://github.com/kubernetes-incubator/external-dns
Skipper Intro
Skipper: Predicate
https://github.com/zalando/skipper
(diagram) A Request is matched by Predicates to exactly one Route in the Routing Table; each Route consists of Predicates and Filters.
Skipper: Filter
(diagram) Request → Filter → Filter → Request_1 to the backend; Response_1 from the backend → Filter → Filter → Response to the client. Example: the request path /api is rewritten to /.
Cookie pictogram created by iconoci from the Noun Project
Skipper - syntax
Ingress annotations:
• zalando.org/skipper-predicate: pred1 && pred2
• zalando.org/skipper-filter: fltr1 -> fltr2
Ship to production
• Skipper high-level patterns
• Shadow traffic
• Blue-green deployments
Dev lifecycle (diagram): Dev → Test → Deploy → Production
Dev lifecycle - real world (diagram): Dev → Test → Deploy → FAIL
Shadow Traffic (diagram): Skipper serves each request from the live version and sends a copy of it to the new version.
Shadow traffic
Blue-Green deployment (diagram): Skipper sends 90% of the traffic to v1 and 10% to v2.
Traffic Switching - Ingress configuration
https://github.com/zalando/skipper
Traffic Switching - interface
$ kubectl plugin skipper traffic myapp v1 v2 10
# traffic <ingress> <svc-old> <svc-new> <perc>
https://github.com/sszuecs/kubectl-plugins
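The two ship-to-production patterns above, shadow traffic and the blue-green traffic switch that the kubectl plugin writes, expressed as Skipper Ingress annotations. This is an added example, not a manifest from the talk: hostnames, service names, the cluster-internal tee target and the extensions/v1beta1 Ingress version are assumptions; tee() is Skipper's filter and zalando.org/backend-weights is Skipper's traffic-switching annotation.

```yaml
# Shadow traffic (slide "Shadow Traffic"): Skipper serves every request from the
# live service and sends a copy to the new version via the tee() filter; the
# copy's response is discarded, so users never see the new version's output.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-app
  annotations:
    # Assumed cluster-internal address of the new version's Service.
    zalando.org/skipper-filter: tee("http://my-app-new.default.svc.cluster.local")
spec:
  rules:
  - host: my-app.example.org
    http:
      paths:
      - backend:
          serviceName: my-app-live
          servicePort: 80
---
# Blue-green (slide "Traffic Switching"): the Ingress lists both Services for the
# same host, and zalando.org/backend-weights gives Skipper the split. This is the
# state "kubectl plugin skipper traffic myapp v1 v2 10" produces: 90% v1, 10% v2.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myapp
  annotations:
    zalando.org/backend-weights: '{"v1": 90, "v2": 10}'
spec:
  rules:
  - host: myapp.example.org
    http:
      paths:
      - backend:
          serviceName: v1
          servicePort: 80
      - backend:
          serviceName: v2
          servicePort: 80
```

Moving more traffic to v2 is a change to the weights only; once v2 carries 100%, the v1 backend and the annotation can be removed.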
Test new features
• Skipper high-level patterns
• Feature toggle
• A/B tests
Feature Toggle
https://github.com/zalando/skipper
(diagram) A caller sends a request with ?v=alpha and Skipper routes it to the alpha version.
Feature Toggle
A/B tests part 1
https://github.com/zalando/skipper
(diagram) Skipper routes 10% of the requests to A and the rest to B; the response goes back to the client with a Cookie.
A/B part 1 - 10% chance
A/B part 1
A/B tests part 2
https://github.com/zalando/skipper
(diagram) A request with Cookie flavor=A is routed to A, one with flavor=B to B; the response goes back to the client.
A/B part 2 - matching cookie
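The feature toggle and both A/B steps above as Skipper Ingress annotations. This is an added example, not from the talk: hostnames, service and cookie names, the 3600-second cookie TTL and the extensions/v1beta1 Ingress version are assumptions; QueryParam, Traffic and Cookie are Skipper predicates, responseCookie is a Skipper filter.

```yaml
# Feature toggle (slide "Feature Toggle"): a caller adding ?v=alpha reaches the
# alpha version. Skipper prefers the route with more matching predicates, so
# this Ingress wins over the plain my-app.example.org Ingress for such requests.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-app-alpha
  annotations:
    zalando.org/skipper-predicate: QueryParam("v", "^alpha$")
spec:
  rules:
  - host: my-app.example.org
    http:
      paths:
      - backend:
          serviceName: my-app-alpha
          servicePort: 80
---
# A/B part 1, default route: requests without a decision go to B and get the
# flavor=B cookie (the TTL of 3600 s is an assumption).
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-app
  annotations:
    zalando.org/skipper-filter: responseCookie("flavor", "B", 3600)
spec:
  rules:
  - host: my-app.example.org
    http:
      paths:
      - backend:
          serviceName: my-app-b
          servicePort: 80
---
# A/B part 1, 10% chance: Traffic(0.1) matches a random tenth of the requests;
# those go to A and get flavor=A in the response.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-app-a-sample
  annotations:
    zalando.org/skipper-predicate: Traffic(0.1)
    zalando.org/skipper-filter: responseCookie("flavor", "A", 3600)
spec:
  rules:
  - host: my-app.example.org
    http:
      paths:
      - backend:
          serviceName: my-app-a
          servicePort: 80
---
# A/B part 2, matching cookie: a request that already carries flavor=A stays on
# A, so a user sees one variant for the cookie's lifetime. Corner case: a
# flavor=B user can still be re-sampled by the Traffic(0.1) route above, since
# eskip predicates cannot be negated; Skipper's sticky three-argument form of
# Traffic (cookie name and group) is the usual way to close that gap.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-app-a-sticky
  annotations:
    zalando.org/skipper-predicate: Cookie("flavor", "^A$")
spec:
  rules:
  - host: my-app.example.org
    http:
      paths:
      - backend:
          serviceName: my-app-a
          servicePort: 80
```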
Open Source LINKS
Skipper HTTP Ingress Router
https://github.com/zalando/skipper
Skipper documentation
https://zalando.github.io/skipper
Kubectl plugin skipper
https://github.com/szuecs/kubectl-plugins
Kube AWS Ingress Controller
https://github.com/zalando-incubator/kube-ingress-aws-controller
External DNS
https://github.com/kubernetes-incubator/external-dns
Zalando Cluster Configuration
https://github.com/zalando-incubator/kubernetes-on-aws
QUESTIONS?
SANDOR SZÜCS
TECH INFRASTRUCTURE
SOFTWARE ENGINEER
sandor.szuecs@zalando.de
@sszuecs
Illustrations by @01k

Editor's Notes

  1. Welcome to DecompileD! Today my talk is about Kubernetes Ingress in production. To give you some context, I will show you some Zalando numbers.
  2. There are about 2000 employees working for Zalando Tech. We have 7 tech hubs in Europe. My customers are all developer teams, and we need to scale!
  3. Let's have a brief look at Zalando's technology stack for more technical context.
  4. We started as a PHP Magento shop. We rewrote it in Java and Postgres and deployed it in Linux containers. With a management shift we moved to the AWS cloud, and now we are evolving into a state-of-the-art Kubernetes infrastructure. We use Docker images as deployment artifacts and Kubernetes to orchestrate them.
  5. What is meant by large scale?
  6. Let's have a very brief look at the Kubernetes objects relevant to the talk.
  7. A Deployment creates a set of Pods. <wait>
  8. A Kubernetes Service selects a set of Pods and acts as a TCP load balancer for them. <wait>
  9. An Ingress is an external access point to Services. <wait>
  10. Because we have about 300 teams that want to deploy, we need automation that builds the load balancer infrastructure. We do this based on the Ingress definition. Let's see what we want to build and how we do it.
  11. There are two load balancer components involved: the Application Load Balancer (ALB) and Skipper. You see the blue boxes. <wait> Request processing goes from top to bottom: first, TLS is terminated on the ALB. Skipper is the target of all ALBs. Skipper runs on every worker node and does HTTP routing. Skipper selects the MyApp Pods via the Kubernetes Service. The MyApp boxes are your application Pods.
  12. Technically, Skipper bypasses the Kubernetes Service to reach the Pods directly. This way we can do proper load balancing and retry failing connections. <wait>
  13. An Ingress object glues the blue load balancers together with the green backends. You see two marked definitions: host is the Host header used for the frontend HTTP routing, and backend is used to find the application.
  14. If we create this Ingress object, Skipper creates an HTTP route based on the provided configuration. <wait> From cluster nodes we can call a Skipper endpoint with the specified Host header to reach our application. <wait>
  15. Kube-ingress-aws-controller creates an ALB with attached certificates pointing to Skipper. With this in place, you can make an HTTPS request to the ALB. <wait> The ALB target shown is a Route 53 ALIAS record. <wait> With the correct Host header set, a request will reach your application. <wait>
  16. External DNS creates a public DNS record pointing to the ALB. <wait> Now we have everything we need to serve public traffic from the internet. <wait> Everything is automated, and a deployer only has to provide an Ingress definition.
  17. To understand the high-level deployment patterns, I will give you a brief introduction to Skipper. <wait> Skipper is a flexible, cloud-native HTTP proxy and router. It is made for frequently changing configurations. <wait> Additionally, Skipper has two building blocks seen by users: Predicates and Filters.
  18. Skipper has a routing table proven to scale beyond 200,000 routes. <wait> A routing table consists of a number of routes. <wait> An HTTP request is mapped by Predicates to a specific Route. <wait> Each route has a set of Filters. <wait>
  19. HTTP requests and responses can be changed by Filters. <wait> For example, we can change the path of the request from /api to / <wait>, which we might add back in the response. <wait> We can also set a Cookie in the response. <wait>
  20. Predicates and Filters can both be set by Ingress annotations: <wait> skipper-predicate and skipper-filter. <wait> You now have an understanding of the details required for the next sections.
  21. Besides the Kubernetes rolling update strategy, Skipper supports <wait> shadow traffic <wait> and blue-green deployments. <wait> Let's see why.
  22. A common development cycle looks like this. <wait> We develop and test, and if these are successful, <wait> we deploy and go to production. <wait> We do this all day. <wait> If not, we drink coffee and attend meetings. <wait>
  23. In the real world we see failures after new deployments, <wait> because the newer version might be slower than before.
  24. One solution is to target your new application with current live traffic. <wait> Shadow traffic allows you to test with live traffic without your users noticing. <wait> Skipper can copy the request to a new target and drop the response from the new one. <wait> This is what we call shadow traffic. <wait>
  25. You can use the tee() filter to copy the full request to another URL target. This gives you flexibility, however your new service is structured.
  26. Another solution is to use blue-green deployments. Skipper can split traffic between different Kubernetes Services. This way you can roll out a version v2 and slowly ramp up traffic. How do you do it?
  27. Again using Ingress! You see the backend-weights annotation set to 90 and 10 for the two Service backends for hostname "my-app.example.org". Skipper will split the traffic as you defined it in the Ingress. Here 90% of the traffic will target my-app-v1 and 10% v2.
  28. As a user interface you can use a kubectl plugin to do traffic switching from v1 to v2. The last argument is the percentage of traffic you want to direct to the new service. The old one will get the rest of the traffic.
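The 90/10 blue-green split from notes 26 and 27 as a complete Ingress manifest. This is an added illustration, not a slide from the talk; the zalando.org/backend-weights annotation and the two-backends-same-path form are Skipper's, while the networking.k8s.io/v1 API version and port 8080 are my assumptions.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    # Relative weights per backend Service name: 90% to v1, 10% to v2.
    # Ramping up means editing these numbers (or using the kubectl plugin
    # from note 28); Skipper reloads the route without a redeploy.
    zalando.org/backend-weights: '{"my-app-v1": 90, "my-app-v2": 10}'
spec:
  rules:
  - host: my-app.example.org
    http:
      paths:
      # Both backends share the same host and path; the annotation
      # decides which Service a given request is sent to.
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app-v1
            port:
              number: 8080   # assumed service port
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app-v2
            port:
              number: 8080   # assumed service port
```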
  29. How do you downgrade a feature, or test that a new feature is a success? Feature toggles and A/B tests can do that, and Skipper can help you implement them.
  30. A feature toggle can easily be downgraded on failure by your caller. If v=alpha does not reply in time, call next time without this query parameter. The caller can decide whether the feature is enabled or not.
  31. To implement a feature toggle, you create an additional Ingress. If a request matches the query v=alpha and the Host header, Skipper will proxy to the alpha service.
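The additional Ingress from note 31 as an added example (not from the slides): the default Ingress for my-app.example.org stays unchanged, and this one only matches when the query string carries v=alpha. The QueryParam predicate is Skipper's; the Service name my-app-alpha, port 8080 and the v1 API form are assumptions.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-alpha
  annotations:
    # QueryParam(name, regex): only requests with ?v=alpha (exact value)
    # take this route; everything else falls through to the default Ingress.
    zalando.org/skipper-predicate: QueryParam("v", "^alpha$")
spec:
  rules:
  - host: my-app.example.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app-alpha   # assumed name of the alpha Service
            port:
              number: 8080       # assumed service port
```

Because the caller chooses the toggle, this only selects between two backends the caller may reach anyway; it is not an authorization boundary, so the alpha Service must enforce the same access checks as the default one.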
  32. To check whether implementation A is better than B, you can use A/B tests. <wait> A request without a cookie matching our target has a 10% chance to get a Cookie with flavor=A. The rest will get flavor=B.
  33. We see the Traffic predicate matches the route with a 10% chance, and Skipper sets a Cookie with flavor A in the response. <wait>
  34. The rest will get a cookie with flavor B. <wait>
  35. A request with cookie flavor=A will be forwarded to service A. The same applies for B. Clients will stick to the backend chosen in part 1.
  36. In case of a Cookie with flavor A, we call the backend a-app-svc. <wait>
  37. In case of a Cookie with flavor B, we call the backend b-app-svc. <wait>
  38. To run applications in production, you need to have visibility.
  39. How do you get all logs for one request across all backends? This is what X-FlowID is for. Skipper sets an X-FlowID header if it is not passed in the request. Applications only have to log this header in their handlers.
  40. To find a log trace, you can grep for the FlowID, in this case: capital A.
  41. To answer the question of whether your backend application is slow or returns errors, you want to have metrics from your load balancer.
  42. Skipper measures and exposes round-trip metrics, errors, counters and histograms. We export metrics in JSON or Prometheus format.
  43. To find which part of a service is slow, you should set up OpenTracing. This enables you to get waterfall charts to pin down which service in the chain is slow.
  44. Skipper can automatically add tracing headers to all incoming requests and report to agents. This allows you to see Skipper in the traces shown before.
  45. For resiliency, we have rate limits and automatic retries. Additionally, we also have a circuit breaker, and you can also add throttling or packet loss, but I will not show this today.
  46. Rate limits can be used to protect your backends. You see 1k incoming requests per second; only 300 will be forwarded, and the rest will get HTTP code 429.
  47. To allow 100 requests per second to the defined backend, we set up a cluster rate limit as a Skipper Filter.
  48. Client-side rate limits can be used to protect your login page. For example, allow 10 requests per hour; the rest will get HTTP code 429.
  49. The shown cluster ratelimit filter with a third parameter allows 10 requests per hour per X-Forwarded-For header to the defined backend.
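The two limits from notes 47 to 49 combined in one filter chain, as an added example rather than the slide. The slide shows a cluster ratelimit filter with a third parameter; the filter names and argument order here (clusterRatelimit for the backend-wide limit, clusterClientRatelimit with a lookup header for the per-client limit) follow Skipper's current filter set and are my assumption, as are the group names, the login Service and port.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-login
  annotations:
    # Filters run left to right. First the backend-wide budget:
    # at most 100 requests per second for the "login" group across all
    # Skipper instances. Then the per-client budget: 10 requests per hour,
    # keyed by the X-Forwarded-For header. A request over either limit is
    # answered with HTTP 429 by Skipper and never reaches a Pod.
    zalando.org/skipper-filter: clusterRatelimit("login", 100, "1s") -> clusterClientRatelimit("login-client", 10, "1h", "X-Forwarded-For")
spec:
  rules:
  - host: my-app.example.org
    http:
      paths:
      - path: /login
        pathType: Prefix
        backend:
          service:
            name: my-app-login   # assumed name of the login Service
            port:
              number: 8080       # assumed service port
```

Cluster-wide limits need Skipper started with its cluster ratelimit support enabled. The per-client key is only as trustworthy as the header: in the picture from note 11, where the ALB is the only path to Skipper, X-Forwarded-For is set by the ALB, but if Skipper is reachable directly the header is client-supplied and the per-client limit no longer isolates clients.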
  50. Skipper can do retries. For example, the first request goes to a Pod which is ..
  51. .. failing, so Skipper will get a connection refused from the backend. Skipper will do ..
  52. .. a retry to the other available Pod. This is safe to do, because we only retry on errors if we did not send data.
  53. That was it for today. We would like to hear from you in GitHub issues or our Skipper Google group! We are also available in the K8s Slack in #sig-aws and #external-dns, or ping me on Twitter.
  54. Questions? <<prev slide to show the links>>