The document discusses containers and Kubernetes. It begins with an overview of containers and the container hype cycle, noting that containers are maturing from an initial hype phase. It then covers container principles like running as a non-privileged user, building container images using layers, tagging images, and deploying containerized applications on Kubernetes. The overall message is that containers are becoming a mainstream deployment approach but require systematic processes for operations and security.

1. Containers were never your end state!
Duncan Winn Will Arroyo
@duncwinn @WillAArroyo

2. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Why This Talk?
2
Embedded OS
(Windows & Linux)
NSX-T
CPI
v1
v2
v3
...
CVEs
Product Updates
Java | .NET | NodeJS
Pivotal Application
Service (PAS)
Application Code & Frameworks
Buildpacks | Spring Boot | Spring Cloud |
Steeltoe
Elastic | Packaged Software | Spark
Pivotal Container
Service (PKS)
>cf push >kubectl run
YOU build the container
vSphere
Azure &
Azure StackGoogle CloudAWSOpenstack
Pivotal
Network
“3Rs”
Github
Concourse
Concourse
Pivotal Services
Marketplace
Pivotal and
Partner Products
Continuous
delivery
Public Cloud Services
Customer
Managed
Services
OpenServiceBrokerAPI
Repair
— CVEs
Repave Rotate
—
Credhub
The PLATFORM builds
the container

3. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Where Are We?

4. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
This is not your end state…
4

5. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 5
…more like…
Hype Cycle

6. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Container Hype Cycle
6

7. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Container Hype Cycle

8. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Container Hype Cycle
•Mature Deployment Approach
•Systematic Process for Day 2 Ops
•Ecosystem Integration
•Understand Failure / Security Boundaries
•Appropriate Workloads
1. Container Principles
2.Building Container Images
3.Running Container Images
4.Deploying Kubernetes

9. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Container Principles

10. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
image
Container Image
kubelet
CRI
Container Runtime Interface
Container Runtime
Container Principles

11. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Container Runtime Interface
kubelet
Container
gRPC Client CRI ShimgRPC Server
Container Runtime
Container
image

12. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Running As A Non-Privileged User
12

13. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Running As A Non-Privileged User
13

14. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Getting Root Access
14

15. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Building Container Images

16. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Image Layers Build
Base OS
Middleware/Runtime
App+Dependencies

17. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Image Layers Build
App+Dependencies
Middleware/Runtime
Base OS

18. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 18
Use Layers Wisely
1. add
2. copy
3. run

19. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 19
Use Layers Wisely
1. add
2. copy
3. run

20. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 20
Use Layers Wisely
1. add
2. copy
3. run

21. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 21
Use Layers Wisely
1. add
2. copy
3. run

22. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 22
Use Layers Wisely
1. add
2. copy
3. run

23. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Building Images
App+Dependencies
Middleware/Runtime
Base
1 to Many
1 to Many

24. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Building Images
App+Dependencies
Middleware/Runtime
Base
1 to Many
1 to Many
Build args

25. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Build Args Are Not Secure
25

26. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Build Args Are Not Secure
26

27. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Tagging Is Important
27
ubuntu:14.04
ubuntu:latestFROM ubuntu
ubuntu:16.10

28. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Tagging Is Important
28
ubuntu:14.04
ubuntu:latestFROM ubuntu
ubuntu:16.10 ubuntu:18.04

29. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Tagging Is Important
29
ubuntu:14.04
ubuntu:latestFROM ubuntu
ubuntu:16.10 ubuntu:18.04
ubuntu:14.04
ubuntu:latestFROM ubuntu:latest
ubuntu:16.10 ubuntu:18.04
ubuntu:14.04
ubuntu:latest
FROM ubuntu:14.04 ubuntu:16.10 ubuntu:18.04

30. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Image Layers Build
App+Dependencies
Middleware/Runtime
Base V3.8
1 to Many
V8u181
1 to Many
V1.1

31. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Running Container Images

32. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Image Layers (Run)
App+Dependencies
Middleware/Runtime
Base
Deploy Time
Configuration
1 to Many
1 to Many
V3.8
V8u181
V1.1
Code Repo

33. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Deploy Apps
Package Manager kubectl
helm install ./my-cart
Kubectl create -f ./mycart/frontend-service.yml
Kubectl create -f ./mycart/frontend-deployment.yml
Kubectl create -f ./mycart/api-service.yml
Kubectl create -f ./mycart/api-deployment.yml
Kubectl create -f ./mycart/redis-service.yml
Kubectl create -f ./mycart/db-service.yml
Kubectl create -f ./mycart/redis-deployment.yml
Kubectl create -f ./mycart/db-deployment.yml

34. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Big “A”pp
Deploy Apps
Small “a”pp
Small “a”pp
Small “a”pp
Small “a”pp
Small “a”pp
Small

35. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Deploy Apps
Package Manager kubectl
helm install ./my-cart
Kubectl create -f ./mycart/frontend-service.yml
Kubectl create -f ./mycart/frontend-deployment.yml
Kubectl create -f ./mycart/api-service.yml
Kubectl create -f ./mycart/api-deployment.yml
Kubectl create -f ./mycart/redis-service.yml
Kubectl create -f ./mycart/db-service.yml
Kubectl create -f ./mycart/redis-deployment.yml
Kubectl create -f ./mycart/db-deployment.yml

36. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Trusted Registry

37. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Trusted Registry
• OpenJDK Docker Image
• Pulled Directly from Docker hub
• Image created 9 hrs Prior
• Scanned by Harbor
• Signed by Harbor

38. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Trusted Registry

39. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Apps Pipelines
Code Repo
env var
args
build args
Configuration

40. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Git Ops
Config Repo
Code Repo
Kube Cluster
build args
env var
args

41. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Deploying Kubernetes

42. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Deploying K8s
Kubeadm RKE

43. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Deploying a k8s cluster with PKS

44. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Deploying K8s

45. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Deploying K8s

46. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Securing K8s

47. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
K8s Day 2 Ops (Patching and Updating)
ISO IaaS

48. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
K8s Day 2 Ops (Patching and Updating)
MasterMaster
Node 1 Node 2
Node 3 Node 4
Node 1

49. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
Take Aways

50. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/
1. Choose a deployment method (close to upstream k8s)
2. Understand k8s components
3. Careful building docker images (governance + security)
4. Automate everything (platform, images, apps)
Takeaways
Repeat

51. Unless otherwise indicated, these slides are © 2013-2018 Pivotal Software, Inc. and licensed under a Creative Commons
Attribution-NonCommercial license: http://creativecommons.org/licenses/by-nc/3.0/ 51
> kubectl
Multi-Cloud PKS
Kubernetes Dashboard
vRealize Ops
PKS Control Plane
GCP Service
Broker
> pks
Operations
Manager
vRealize Operations
Dev / Apps
App User
IT / Platform Ops
…in support of an end state…

52. > Stay Connected.
@duncwinn
@willaarroyo
#springon@s1

53. Container Principles
1. Quick To Create
2. Resource Consolidation
3. App Portability
Control Resources
Isolate and Secure Processes

54. Container Principles
Docker Images
Droplets+Stack
File System

55. Container Misconceptions
Walls
Resource Limits
Namespaces
There Is No Container

56. Container Misconceptions
Docker Images
Droplets+Stack
File System
Docker-Engine
Guardian
Docker-CLI
Garden
Management
RunC
Implementation
API-CLI RuntimeIT DOES NOT
MATTER

57. Containers are not
enough
Container Misconceptions