Slides for the CloudNativeCon EU 2018 talk. https://youtu.be/4mBJSIhs2xQ
This talk introduces the Open Policy Agent (OPA) project and goes into detail on how you can use OPA to enforce various kinds of policy across the stack.
The Istio service mesh provides a highly extensible platform to connect, manage, and secure microservices. Istio’s highly extensible nature is one of the main selling points as it allows you to enforce your own organization-specific policies across large fleets of microservices. At the same time, new technology always has a learning curve, and with all this extensibility and generality the task can be quite daunting.
In this talk, Limin Wang (Software Engineer at Google) and Torin Sandall (Technical Lead of the Open Policy Agent project) explain how Istio’s Mixer works and lead a deep dive into Mixer Adapter development. The talk shows (with demos) how the Mixer Adapter model enables custom policy enforcement and how the model is used to integrate third party policy engines like the Open Policy Agent.
This talk is targeted at platform engineers interested in using the Istio service mesh to enforce custom policies in their microservices. The talk also provides new ideas about the kinds of policies that can be enforced in Istio today.
Enforcing Bespoke Policies in Kubernetes - Torin Sandall
Kubernetes enables fully-automated, self-service management of large-scale, heterogeneous deployments. These deployments are often managed by distributed engineering teams that have unique requirements for how the platform treats their workloads, but at the same time, they must conform to organization-wide constraints around cost, security, and performance. As Kubernetes matures, extensibility has become a critical feature that organizations can leverage to enforce their organization’s bespoke policies.
In this talk, Torin explains how to use extensibility features in Kubernetes (e.g., External Admission Control) to enforce custom policies over workloads. The talk shows how to build custom admission controllers using Initializers and Webhooks, and shows how the same features lay the groundwork for policy-based control through integration with third party policy engines like the Open Policy Agent project.
Container Network Interface: Network Plugins for Kubernetes and beyond - KubeAcademy
With the rise of modern containers comes new problems to solve – especially in networking. Numerous container SDN solutions have recently entered the market, each best suited for a particular environment. Combined with multiple container runtimes and orchestrators available today, there exists a need for a common layer to allow interoperability between them and the network solutions.
As different environments demand different networking solutions, multiple vendors and viewpoints look to a specification to help guide interoperability. Container Network Interface (CNI) is a specification started by CoreOS with the input from the wider open source community aimed to make network plugins interoperable between container execution engines. It aims to be as common and vendor-neutral as possible to support a wide variety of networking options — from MACVLAN to modern SDNs such as Weave and flannel.
CNI is growing in popularity. It got its start as a network plugin layer for rkt, a container runtime from CoreOS. Today rkt ships with multiple CNI plugins allowing users to take advantage of virtual switching, MACVLAN and IPVLAN as well as multiple IP management strategies, including DHCP. CNI is getting even wider adoption with Kubernetes adding support for it. Kubernetes accelerates development cycles while simplifying operations, and with support for CNI is taking the next step toward a common ground for networking. For continued success toward interoperability, Kubernetes users can come to this session to learn the CNI basics.
This talk will cover the CNI interface, including an example of how to build a simple plugin. It will also show Kubernetes users how CNI can be used to solve their networking challenges and how they can get involved.
KubeCon schedule link: http://sched.co/4VAo
NGINX Ingress Controller for Kubernetes - NGINX, Inc.
Presentation by Michael Pleshakov from NGINX to the GDG Cloud Düsseldorf Meetup group on using NGINX as an Ingress Controller for Kubernetes. This presentation is for Kubernetes users looking to deliver applications on Kubernetes in production. You will learn how to:
- install the Ingress Controller through Kubernetes manifests or Helm;
- configure the Ingress Controller to load balance HTTP and TCP/UDP applications;
- monitor the Ingress Controller using Prometheus;
- troubleshoot the Ingress Controller in case of problems;
- extend the Ingress Controller to support advanced load balancing requirements.
These are the slides for the Rego deep dive session from CloudNativeCon EU 2018: https://youtu.be/4mBJSIhs2xQ
These slides explain how the Open Policy Agent policy language works. The slides walk through the fundamentals of the language and then cover a few miscellaneous topics like composition, negation, etc.
A comparison of Kubernetes and Kubernetes on OpenStack environments, and how to build them.
1. Cloud trends
2. Kubernetes vs Kubernetes on OpenStack
3. How to build Kubernetes on OpenStack
4. How to operate Kubernetes on OpenStack
OpenStack DevStack Install - Part 2 (Multi-nodes) - Ian Choi
This is the second set of materials on DevStack from the OLC online course.
( URL: http://olc.kr/course/course_online_view.jsp?id=480&cid=523 )
DevStack is a script that can be installed easily for development and testing purposes, instead of building a real OpenStack deployment.
Part 2 explains the multi-node installation process and includes hands-on content based on the Icehouse release.
Locking down your Kubernetes cluster with Linkerd - Buoyant
In this hands-on workshop, we cover the basics of locking down in-cluster network traffic using the new traffic policies introduced in Linkerd 2.11. Using Linkerd’s ability to authorize traffic based on workload identity, we cover a variety of practical use cases, including restricting access to a critical service, preventing traffic across namespaces, and locking down traffic while still allowing metrics scrapes, health checks, and other meta-traffic.
How can you speed up your deployment process?
How do you push a git branch and get an individual test server for it?
This talk introduces a deployment method using Kubernetes, GitOps and Argo CD.
Presentation material from Open Infrastructure & Cloud Native Days Korea 2019.
Download the original slides - http://bit.ly/subicura-gitops
This explains why network engineers need Kubernetes.
The video is available at the link below. https://www.inflearn.com/course/%EC%BF%A0%EB%B2%84%EB%84%A4%ED%8B%B0%EC%8A%A4-%EC%89%BD%EA%B2%8C%EC%8B%9C%EC%9E%91/lecture/97562
In just a few years, Open Policy Agent (OPA) has emerged as one of the hotter technologies for policy management and fine-grained access control in the cloud native ecosystem. Now it’s coming for your APIs!
In this session we will explore the underlying concepts and some of the components involved in OPA before we get hands on in live coding test driven authorization policies to protect API endpoints.
[Container-based DevOps] Cloud Native
This is the trend session material from the first training program launched by 열린기술공방. To develop and ship software that keeps up with a rapidly changing environment, an environment and process that allow fast decision-making are becoming more important. This material explains why a cloud native strategy is essential for companies.
Through the 열린기술공방 training course you can see at a glance the whole process, from build to deployment, of an application running on Kubernetes.
OpenStack Korea Community - 1st Open Source SW Community Day (in place of the September 2017 regular seminar)
- Date: Friday, September 22
- Speaker: 장태희 (organizer, study manager)
- Event info: https://www.facebook.com/groups/openstack.kr/permalink/1826976907316452/
A presentation on the Kubernetes-based system for provisioning multiple development server environments used for Devsisters' Cookie Run: OvenBreak.
It covers why a container-orchestration-based development environment provisioning system was needed, why Kubernetes was chosen, and Kubernetes concepts and useful features. It also demos the system that was built and reviews the work items.
*The NDC17 talk used a demo video; slide captures are substituted here.
Kerberos Authentication - Integrating Vertica with Kerberos - Kee Hoon Lee
Material from the Vertica webinar held on April 30, 2019
Topic: Kerberos Authentication - Integrating Vertica with Kerberos
In environments where Vertica integrates with Hadoop, Kerberos is often already configured. This webinar explains Kerberos and walks through the work required to integrate Vertica with Kerberos.
Webinar recording link: https://www.youtube.com/watch?v=c9-H8nsSgm0
Korean slides on mcollective, which uses asynchronous messaging middleware such as RabbitMQ/ActiveMQ to orchestrate (command & control) large numbers of servers. For details see http://wiki.tunelinux.pe.kr/x/LQAy.
7. Summary of user request handling
(Diagram: Client -> home router -> VirtualBox running Kubernetes with cert-manager; steps ① domain IP query, ② home router IP returned, ③ service request, ④ port forwarding, ⑤ response)
① The user queries the IP for the requested domain (e.g. helloworld.com)
② The IP for the domain is returned (in this lab it is the home router's public IP)
③ The service is requested at that IP and the home router port-forwards it to the Kubernetes ingress
④ The ingress handles the request and responds
15. Preparation
(Diagram: VirtualBox / Kubernetes / cert-manager; ① TLS certificate requested, ② certificate issued for the domain, ③ certificate used by the ingress)
▪ A Kubernetes cluster reachable from the outside
▪ nginx-ingress
▪ Service type LoadBalancer
▪ On-premises: use MetalLB
▪ A domain
▪ Cloudflare configured as the domain's nameserver
16. Preparation
▪ Create a Cloudflare API token and store it in a Kubernetes Secret
※ Official docs for creating the token: https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/#api-keys
▪ Scope the token to what cert-manager actually needs (Zone:DNS:Edit and Zone:Zone:Read, restricted to the zone you issue certificates for) instead of using the account-wide Global API Key; the token can create arbitrary DNS records, so treat the Secret accordingly.
▪ Because a ClusterIssuer references this Secret, it must be created in cert-manager's cluster resource namespace (cert-manager by default), and its name and key must match the apiTokenSecretRef in the issuer.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret   # must match apiTokenSecretRef.name in the ClusterIssuer
  namespace: cert-manager             # cluster resource namespace used by ClusterIssuers
type: Opaque
stringData:
  api-token: <API Token>              # key must match apiTokenSecretRef.key
17. Create the Issuers
※ git wiki: https://github.com/choisungwook/portfolio/wiki/cert-manager-letsencrypt
▪ Create staging and prod ClusterIssuers
▪ Edit the email address
▪ Test against the staging issuer first: its rate limits are far more generous than production's, but the certificates it issues are signed by Let's Encrypt's staging CA and are not trusted by browsers, so switch to the prod issuer once issuance works
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <your@email>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the challenge provider
    solvers:
      - dns01:
          cloudflare:
            # email is only required with apiKeySecretRef, not with an API token
            email: <your-email>
            apiTokenSecretRef:
              name: cloudflare-api-token-secret
              key: api-token
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <your@email>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the challenge provider
    solvers:
      - dns01:
          cloudflare:
            # email is only required with apiKeySecretRef, not with an API token
            email: <your-email>
            apiTokenSecretRef:
              name: cloudflare-api-token-secret
              key: api-token
19. Create the Deployment and Service
▪ Create the Pod and Service that will handle requests
▪ The Pod uses the nginx:latest image (fine for this lab; outside it, pin a specific tag or digest so the image cannot silently change between deployments)
(Diagram: Kubernetes / cert-manager; ② TLS certificate issued)
※ git wiki: https://github.com/choisungwook/portfolio/wiki/cert-manager-letsencrypt#%EC%9D%B8%EC%A6%9D%EC%84%9C-%EC%A0%81%EC%9A%A9-%EC%98%88%EC%A0%9C
20. Issue the certificate and wire it to the Ingress
▪ Create the Certificate -> reference the Secret it stores from the Ingress (an Ingress can only reference a Secret in its own namespace, so the Certificate, its Secret and the Ingress must all be in the same namespace)
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: acme-crt
spec:
  secretName: acme-crt-secret
  ...
(Diagram: Kubernetes / cert-manager; ① TLS certificate issued, ② certificate used)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-test
  annotations:
    kubernetes.io/ingress.class: "nginx"   # older form; current Kubernetes prefers spec.ingressClassName
spec:
  tls:
    - hosts:
        - test.choilab.xyz
      secretName: acme-crt-secret
  ...
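The slide above elides the rest of the Certificate and Ingress. As an added example, not taken from the original slides or the linked wiki, here is one complete, consistent pair that implements the flow they describe. It reuses the hostname, ClusterIssuer names and Secret names from the slides; the namespace `default`, the backend Service name `nginx-test` and its port 80 are assumptions.

```yaml
# Added example (not from the original slides): a complete Certificate + Ingress
# pair for the DNS-01 flow above. Assumed: namespace "default", a Service named
# "nginx-test" listening on port 80. Everything else comes from the slides.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: acme-crt
  namespace: default            # must be the Ingress's namespace (assumed: default)
spec:
  secretName: acme-crt-secret   # cert-manager writes tls.crt / tls.key here
  dnsNames:
    - test.choilab.xyz
  issuerRef:
    name: letsencrypt-staging   # prove issuance against staging first,
    kind: ClusterIssuer         # then change to letsencrypt-prod for a browser-trusted cert
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always      # new key pair on every renewal instead of reusing the old one
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-test
  namespace: default
spec:
  ingressClassName: nginx       # replaces the deprecated kubernetes.io/ingress.class annotation
  tls:
    - hosts:
        - test.choilab.xyz
      secretName: acme-crt-secret   # the Secret produced by the Certificate above
  rules:
    - host: test.choilab.xyz
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-test    # assumed Service name
                port:
                  number: 80
```

After applying, `kubectl describe certificate acme-crt` should show a `Ready` condition of `True`; until then `kubectl get challenges` shows the DNS-01 challenge cert-manager is presenting through the Cloudflare token. A staging certificate will make browsers warn about an untrusted issuer, which is expected; editing `issuerRef.name` to `letsencrypt-prod` makes cert-manager reissue into the same Secret, and the Ingress picks the new certificate up without changes.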