This document discusses how Kubernetes operators can help automate DevSecOps processes. It begins by explaining why organizations adopt containers and Kubernetes. It then discusses the challenges of managing containerized workloads at scale and how Kubernetes operators can provide orchestration and management. It provides an overview of what operators are, how the Operator Framework works, and the phases of building an operator. It demonstrates building a sample memcached operator in Golang using the Operator SDK tools. Finally, it discusses different options for installing operators like Helm, Ansible, and custom operators and provides some useful links for learning more.

3. How Kubernetes Operators can Rescue
DevSecOps in midst of a Pandemic?
Shikha Srivastava
Distinguished Engineer, Master Inventor, IBM
Twitter: @shikhasthoughts
LinkedIn : https://www.linkedin.com/in/shikhasriva/
Swati Shridhar Nair
Software Engineer, IBM
Twitter: @swatn73
LinkedIn: https://www.linkedin.com/in/swatishr/

4. Cloud adoption brings a dramatic shift in speed
and scale
• Speed to Market
• Modular and Decoupled
• Scalable
• Performance and Stability
• Secure
Automated
deployment

5. Why Containers
Organizations are adopting containers to improve developer
productivity, efficiency in DevOps, and application portability
• Lightweight packaging that includes the software and all its
dependencies
• Easily portable across on-premises and public cloud environments
• More efficient use of infrastructure than traditional VM deployments
• Improved Security, containers help isolate each part of your system
and provides better control of each component of your system
• No more : ‘it works on my laptop’
Containers services the basis of enabling
decomposed microservices architecture of
cloud native application

6. Everyone’s container journey starts with one container….

7. At first the growth is easy to handle….

8. But soon it is overwhelming… chaos reigns

9. As adoption grows, organizations need orchestration and
management for their containerized workloads:
• Automated deployment, scaling, and management of
containerized applications
• Self-healing
• Automated rollouts and rollbacks of applications
Regain control with Kubernetes

10. Kubernetes
• Orchestrates, runs and manages containers
• Continuously monitors and manages your containers
• Will scale your application to handle changes in load
• Helps reduce infrastructure requirements by gracefully
scaling up and down your entire platform
• Coordinates what containers run where and when across
your system
• Supports multiple cloud and bare-metal environments
• 100% Open source, written in Go
• Manage applications, not machines
• Rich ecosystem of plug-ins for scheduling, storage, networking
Kubernetes is an open-source system
for automating deployment, scaling,
and management of containerized
applications.
https://kubernetes.io/docs/concepts/ov
erview/what-is-kubernetes/

11. KubernetesArchitecture
API
UI
CLI
Kubernetes
Master
Worker Node 1
Worker Node 2
Worker Node 3
Worker Node n
Image Registry
• Etcd
• API Server
• Controller Manager
• Scheduler
Flexible, loosely-coupled architecture with at least one
master and multiple compute nodes
- Nodes: the workhorses, hosts that run Kubernetes
applications. Set of nodes makes up cluster
- Master nodes: Controls and manages the cluster
- API server Front end for the Kubernetes
- Etcd: distributed and reliable key value store
- Scheduler: for distributing containers across nodes
- Controller: brain behind orchestration
- Kubelet: agents on the nodes
- Pods: Smallest deployment unit in K8s
- Collection of containers that run on a worker node
- Each has its own IP
- Pod shares a PID namespace, network, and
hostname
- Service: Collections of pods exposed as an endpoint
- Information stored in the K8s cluster state and
networking info propagated to all worker nodes

12. Great for Stateless applications
• Kubernetes provides powerful primitives for deploying and managing
stateless applications like web apps, api server etc
• Deployment resources provides a mechanism to declare the desired
state, and to roll out changes in a controlled way
• Kubernetes Example increasing the replicaset can be via kubectl
command
• Service resources provides a mechanism to expose the deployment
externally or internally within
Deployment Pod
Desired
count=3
Current
count=1
Kubectl
Scale up
Deployment Pod
Desired
count=3
Current
count=3
Kubectl
start
$ Kubectl scale deployments/my-app – replicas=3

13. Real world has stateful apps
• Backups
• Requires coordination among instances
• Upscaling / Downscaling / upgrade with no data loss
• Requires coordination for availability
• Re-Configurations
• Requires template generations
• Healing
• Restore backups, join/ rejoin database clusters

14. What is an Operator
• A design pattern made public in 2016 by CoreOS (now RedHat)
• Application-specific controllers that extend the Kubernetes API
to create, configure, and manage instances of complex stateful
applications on behalf of a Kubernetes user
• Extend the Kubernetes API through the Custom Resources
(CRD) mechanism Reconciling desired state for your
application
Observe
Analyze
Act
Current state
Compare state to
desired state
Perform all necessary
action to make
current state meet
the desired state

15. Why Operators
• Automates common Day 1(Installation, Configuration, etc.) and
Day-2 (re-configuration, update, backup, failover, restore, etc.)
• Extends the power of Kubernetes, especially to stateful apps
• Include domain specific knowledge to automate the application
lifecycle in a scalable, repeatable standardized style
• Operator improves resiliency
• Operators makes hybrid and multi cloud easy
Domain
knowledge
Kubernetes
Application
Kubernetes Operators:
take all the knowledge
about an application’s
lifecycle that a
DevSecOps team
practices manually and
systematize it.

16. Operator Framework
• A set of tools and APIs to build, manage, and monitor Kubernetes Operators
• Includes:
Assists developers to
build Kubernetes operators
Oversees installation, updates, and
lifecycle management of all the operators
running across the Kubernetes cluster
Enables usage reporting for
operators
Source: https://coreos.com/operators/

17. Operator Phases

18. • Writing an operator from scratch is difficult and time-
consuming
• An open source toolkit to manage Kubernetes operators
• Operator-SDK provides:
o Command line tools for generating boilerplate code
o High level APIs and abstractions to write the operator
logic
o Extensions to cover common operator use cases
Operator SDK

19. Enough Talking, Lets see in Action
• Golang Operator Demo
Prerequisites
Know your application
Create a new golang operator project
Add Custom Resource Definition
Add Controller
Explore multiple Operator run options
Run operator locally

20. Prerequisites
• You know Golang, Kubernetes
• You know your application
• You have access to a Kubernetes v1.11.3+ cluster
• Operator-SDK is installed (We will be working with v0.18.2)
https://sdk.operatorframework.io/docs/installation/install-operator-sdk/

21. Know Your Application
• Memcached Application
• Controlled using a k8s deployment
• Will have multiple replicas.
• Operator will make replicas to be
configurable
• It uses default port of 11211
• Uses public docker image
Memcached:1.4.36-alpine

22. How to Build An Operator?
• Create a new project
operator-sdk new memcached-operator --repo=github.com/swatishr/memcached-operator
• Add Memcached API using operator-sdk add api
• Add the configurable fields you need the DevOps to control
• numOfReplicas (desired state)
• overallStatus (shows current state)
• Add controller (brain of the operator)
• Add watch for Memcached CR and Memcached Deployment
• Add reconciliation logic for current state  desired state
Memcached
CRD
cache.demo.com/v1alpha1
CR
kind: Memcached
spec:
size: 3
status:
overallStatus:

23. Create New Operator Project

24. Add MemcachedAPI

26. Edit _types.go

27. GenerateCRD

28. Add Controller

29. Fetch
Memcached
instance
Matches
desired
state?
Deployment
Exists?
Not
Found
?
Create new
deployment
Exist
?
Return
Update deployment
to match desired
state
Requeue the
request with
error
Return & don't
requeue
Update
Memcached
Status
Yes No
No
No
No
YesYes
Yes
Reconcile logic

31. Run Operator
• Run as a deployment in Kubernetes Cluster
• Build operator image and push in a registry
• Replace fields in operator.yaml deployment spec
• Deploy CRDs, RBAC resources, operator deployment
• Apply CR
• Run locally (Used during development)
• Create CRD
• Run operator locally using operator-sdk run local
• Apply CR

33. You can achieve even more!
https://github.com/ianlewis/memcached-operatorRef:

34. Useful Links
• Kubernetes: https://kubernetes.io/
• Containers and Kubernetes :https://medium.com/ibm-cloud/7-missing-factors-from-12-factor-
application-2a3e1169bd9d
• Operator SDK: https://sdk.operatorframework.io/
• Operator framework: https://github.com/operator-framework
• Operator Hub for existing operators: https://operatorhub.io/
• OLM : https://docs.openshift.com/container-platform/4.1/applications/operators/olm-understandi
olm.html

35. ThankYou

36. Backup

37. Operator Constructs
Memcached CRD
cache.demo.com/v1alpha1
CR
kind: Memcached
spec:
size: 3
status:
memcachedStatus:
DesiredState
Operator Controller
- Watches memcached CR
instance and resultant
memcached deployment
- Reconcilation logic
Current State  Desired State
- Operator itself is deployed as a
Deployment and runs in a Pod
Memcached deployment
Pod#1 Pod#2 Pod#3
Current State

38. Install options: Helm, Ansible, Operators
• Helm
o Package management system for Kubernetes.
o Kubernetes equivalent of yum or apt
o Provides commands/tools to support Day 1 activities (install, upgrade, rollback, delete)
• Ansible
o Application automation tool; supports Day 1 operations
o Supports container build, cluster management with external integrations, application lifecycle
• Operators
o Complete automation of Day 1 and Day2 operations using Go-based operators, along with advanced support
for k8s use cases
o Steep learning curve for Go operators
o But, Operator-SDK provides support to build helm and ansible operators as well