Running containers in production, the ING storyThijs Ebbers
- ING is transforming itself into a digital bank and using containers and microservices as part of its cloud native journey.
- ING has developed its own container hosting platform called ICHP, which runs on OpenShift and provides self-service capabilities for development teams to host applications.
- ICHP aims to provide reliable hosting while minimizing handovers and enabling development teams to focus on delivering value to the business rather than managing infrastructure.
ING Data Services hosted on ICHP DoK Amsterdam 2023DoKC
An explanation of how ING deals with local persistence at scale in secure and compliant manner for Elastic and Prometheus workloads today and other Data Services in the future.
In more detail we will elaborate on the following topics
How we solve local persistence
Type of workloads now and in the future
Typical requirements for a banking environment
Automation
Scale
Resilience
Security / Compliance
Service offering / demarcation
About Tor and Luuk:
Tor and Luuk are experienced engineers working at ING for over 10 years and working in the Kubernetes area for the last 5 years. They are specialized in and responsible for the Data Services OpenShift clusters in ING and have a strong focus on resilience, automation and security.
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...SlideTeam
Introducing An Architectural Deep Dive With Kubernetes And Containers PowerPoint Presentation Slides. Present the need for the containers in an organization with the help of a readily available PPT slideshow. Discuss container architecture, use cases details to make your presentation elaborative. Showcase the features, architecture, installation roadmap, and the 30-60-90 day plan in Kubernetes with the help of modern-designed PPT infographics. Familiarize your viewers with the various components of Kubernetes with the help of content-ready Kubernetes Docker PPT visuals. Make full use of high-quality icons to make your presentation attention-grabbing and meaningful. Compare and contrast Kubernetes with docker swarm based on various parameters with the help of this attention-grabbing PPT slideshow. Elaborate on Kubelet, Kubectl, and Kubeadm with the help of labeled diagrams. Showcase the networking model of Kubernetes, security measures, and the development process with this easy-to-use docker Architecture PowerPoint template. Therefore, hit the download button now to grab this amazing presentation. https://bit.ly/3vtLeFb
The document discusses the transition from traditional capacity management to FinOps at Swisscom. It outlines how FinOps provides daily optimization of cloud costs based on actual business needs rather than multi-year capacity planning. The FinOps framework at Swisscom focuses on visibility through cost allocation, optimization of rates and usage, and generating insights into maturity, potential cost savings, and areas for improvement. Significant potential for cost savings is seen through stronger governance, phasing out old infrastructure, leveraging variable cloud costs, and monitoring applications.
VMware is introducing new platforms to better support cloud-native applications, including containers. The Photon Platform is a lightweight, API-driven control plane optimized for massive scale container deployments. It includes Photon OS, a lightweight Linux distribution for containers. vSphere Integrated Containers allows running containers alongside VMs on vSphere infrastructure for a unified hybrid approach. Both aim to provide the portability and agility of containers while leveraging VMware's management capabilities.
K8s in 3h - Kubernetes Fundamentals TrainingPiotr Perzyna
Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications. This training helps you understand key concepts within 3 hours.
Docker Kubernetes Istio
Understanding Docker and creating containers.
Container Orchestration based on Kubernetes
Blue Green Deployment, AB Testing, Canary Deployment, Traffic Rules based on Istio
Running containers in production, the ING storyThijs Ebbers
- ING is transforming itself into a digital bank and using containers and microservices as part of its cloud native journey.
- ING has developed its own container hosting platform called ICHP, which runs on OpenShift and provides self-service capabilities for development teams to host applications.
- ICHP aims to provide reliable hosting while minimizing handovers and enabling development teams to focus on delivering value to the business rather than managing infrastructure.
ING Data Services hosted on ICHP DoK Amsterdam 2023DoKC
An explanation of how ING deals with local persistence at scale in secure and compliant manner for Elastic and Prometheus workloads today and other Data Services in the future.
In more detail we will elaborate on the following topics
How we solve local persistence
Type of workloads now and in the future
Typical requirements for a banking environment
Automation
Scale
Resilience
Security / Compliance
Service offering / demarcation
About Tor and Luuk:
Tor and Luuk are experienced engineers working at ING for over 10 years and working in the Kubernetes area for the last 5 years. They are specialized in and responsible for the Data Services OpenShift clusters in ING and have a strong focus on resilience, automation and security.
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...SlideTeam
Introducing An Architectural Deep Dive With Kubernetes And Containers PowerPoint Presentation Slides. Present the need for the containers in an organization with the help of a readily available PPT slideshow. Discuss container architecture, use cases details to make your presentation elaborative. Showcase the features, architecture, installation roadmap, and the 30-60-90 day plan in Kubernetes with the help of modern-designed PPT infographics. Familiarize your viewers with the various components of Kubernetes with the help of content-ready Kubernetes Docker PPT visuals. Make full use of high-quality icons to make your presentation attention-grabbing and meaningful. Compare and contrast Kubernetes with docker swarm based on various parameters with the help of this attention-grabbing PPT slideshow. Elaborate on Kubelet, Kubectl, and Kubeadm with the help of labeled diagrams. Showcase the networking model of Kubernetes, security measures, and the development process with this easy-to-use docker Architecture PowerPoint template. Therefore, hit the download button now to grab this amazing presentation. https://bit.ly/3vtLeFb
The document discusses the transition from traditional capacity management to FinOps at Swisscom. It outlines how FinOps provides daily optimization of cloud costs based on actual business needs rather than multi-year capacity planning. The FinOps framework at Swisscom focuses on visibility through cost allocation, optimization of rates and usage, and generating insights into maturity, potential cost savings, and areas for improvement. Significant potential for cost savings is seen through stronger governance, phasing out old infrastructure, leveraging variable cloud costs, and monitoring applications.
VMware is introducing new platforms to better support cloud-native applications, including containers. The Photon Platform is a lightweight, API-driven control plane optimized for massive scale container deployments. It includes Photon OS, a lightweight Linux distribution for containers. vSphere Integrated Containers allows running containers alongside VMs on vSphere infrastructure for a unified hybrid approach. Both aim to provide the portability and agility of containers while leveraging VMware's management capabilities.
K8s in 3h - Kubernetes Fundamentals TrainingPiotr Perzyna
Kubernetes (K8s) is an open-source system for automating deployment, scaling, and management of containerized applications. This training helps you understand key concepts within 3 hours.
Docker Kubernetes Istio
Understanding Docker and creating containers.
Container Orchestration based on Kubernetes
Blue Green Deployment, AB Testing, Canary Deployment, Traffic Rules based on Istio
Streaming all over the world Real life use cases with Kafka Streamsconfluent
This document discusses using Apache Kafka Streams for stream processing. It begins with an overview of Apache Kafka and Kafka Streams. It then presents several real-life use cases that have been implemented with Kafka Streams, including data conversions from XML to Avro, stream-table joins for event propagation, duplicate elimination, and detecting absence of events. The document concludes with recommendations for developing and operating Kafka Streams applications.
This document summarizes Netflix's use of Kafka in their data pipeline. It discusses how Netflix evolved from using S3 and EMR to introducing Kafka and Kafka producers and consumers to handle 400 billion events per day. It covers challenges of scaling Kafka clusters and tuning Kafka clients and brokers. Finally, it outlines Netflix's roadmap which includes contributing to open source projects like Kafka and testing failure resilience.
Related Source Code https://github.com/abdennour/meetup-deployment-k8s
Intro
Why Deployment ?
What’s Deployment ?
How Deployment?
Deployment Strategies ( in general & in k8s )
Deployment Features
Demo ( distributed )
If you’re working with just a few containers, managing them isn't too complicated. But what if you have hundreds or thousands? Think about having to handle multiple upgrades for each container, keeping track of container and node state, available resources, and more. That’s where Kubernetes comes in. Kubernetes is an open source container management platform that helps you run containers at scale. This talk will cover Kubernetes components and show how to run applications on it.
OpenShift is a Platform-as-a-Service that provides development environments on demand using containers. It automates application lifecycles including build, deploy, and retirement. OpenShift uses containers to package applications and dependencies in a portable way. Red Hat addresses concerns around adopting containers at scale through OpenShift, which provides security, scalability, integration, management and certification capabilities. OpenShift runs on a user's choice of infrastructure and orchestrates applications across nodes using Kubernetes.
Microk8s allows running a single node Kubernetes cluster on any Linux system using only a snap installation. It provides a lightweight way to use Kubernetes for local development, testing, or CI/CD workloads. Key features include enabling and disabling addons like DNS, dashboard, storage, and ingress controllers with simple commands and switching between Kubernetes versions by changing channels.
Apache Iceberg - A Table Format for Hige Analytic DatasetsAlluxio, Inc.
Data Orchestration Summit
www.alluxio.io/data-orchestration-summit-2019
November 7, 2019
Apache Iceberg - A Table Format for Hige Analytic Datasets
Speaker:
Ryan Blue, Netflix
For more Alluxio events: https://www.alluxio.io/events/
Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)Kai Wähner
High level introduction to Confluent REST Proxy and Schema Registry (leveraging Apache Avro under the hood), two components of the Apache Kafka open source ecosystem. See the concepts, architecture and features.
Cloud Native Bern 05.2023 — Zero Trust VisibilityRaphaël PINSON
As the adoption of Kubernetes continues to grow, so does the need for securing containerized applications and their data. One effective security model that has gained popularity is Zero Trust Networking, which assumes that all resources, devices and users are untrusted, and access to resources is granted only after proper authentication and authorization. However, implementing Zero Trust Networking in Kubernetes can be challenging, given the dynamic nature of containerized workloads and the complexity of network policies.
In this presentation, we will explore how to implement Zero Trust Networking in Kubernetes using Cilium, Hubble & Grafana. We will start by setting up Cilium on a Kubernetes cluster, which provides network security by enforcing identity-based access control policies using eBPF. Next, we will export Network Policy Verdict metrics using Hubble, which allows us to visualize network policies and track security events in real-time. Finally, we will use a Grafana dashboard to visualize these metrics and demonstrate how to secure a Kubernetes namespace without affecting existing traffic in the namespace.
By the end of this presentation, attendees will have a good understanding of the importance of Zero Trust Networking in Kubernetes and how to implement it using Cilium, Hubble & Grafana. They will also learn how to secure a Kubernetes namespace and monitor network policies using a Grafana dashboard.
GitOps è un nuovo metodo di CD che utilizza Git come unica fonte di verità per le applicazioni e per l'infrastruttura (declarative infrastructure/infrastructure as code), fornendo sia il controllo delle revisioni che il controllo delle modifiche. In questo talk vedremo come implementare workflow di CI/CD Gitops basati su Kubernetes, dalla teoria alla pratica passando in rassegna i principali strumenti oggi a disposizione come ArgoCD, Flux (aka Gitops engine) e JenkinsX
Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...QAware GmbH
CloudNativeCon North America 2017, Austin (Texas, USA): Talk by Josef Adersberger (@adersberger, CTO at QAware)
Abstract:
Running applications on Kubernetes can provide a lot of benefits: more dev speed, lower ops costs, and a higher elasticity & resiliency in production. Kubernetes is the place to be for cloud native apps. But what to do if you’ve no shiny new cloud native apps but a whole bunch of JEE legacy systems? No chance to leverage the advantages of Kubernetes? Yes you can!
We’re facing the challenge of migrating hundreds of JEE legacy applications of a major German insurance company onto a Kubernetes cluster within one year. We're now close to the finish line and it worked pretty well so far.
The talk will be about the lessons we've learned - the best practices and pitfalls we've discovered along our way. We'll provide our answers to life, the universe and a cloud native journey like:
- What technical constraints of Kubernetes can be obstacles for applications and how to tackle these?
- How to architect a landscape of hundreds of containerized applications with their surrounding infrastructure like DBs MQs and IAM and heavy requirements on security?
- How to industrialize and govern the migration process?
- How to leverage the possibilities of a cloud native platform like Kubernetes without challenging the tight timeline?
Apache Kafka 0.8 basic training - VerisignMichael Noll
Apache Kafka 0.8 basic training (120 slides) covering:
1. Introducing Kafka: history, Kafka at LinkedIn, Kafka adoption in the industry, why Kafka
2. Kafka core concepts: topics, partitions, replicas, producers, consumers, brokers
3. Operating Kafka: architecture, hardware specs, deploying, monitoring, P&S tuning
4. Developing Kafka apps: writing to Kafka, reading from Kafka, testing, serialization, compression, example apps
5. Playing with Kafka using Wirbelsturm
Audience: developers, operations, architects
Created by Michael G. Noll, Data Architect, Verisign, https://www.verisigninc.com/
Verisign is a global leader in domain names and internet security.
Tools mentioned:
- Wirbelsturm (https://github.com/miguno/wirbelsturm)
- kafka-storm-starter (https://github.com/miguno/kafka-storm-starter)
Blog post at:
http://www.michael-noll.com/blog/2014/08/18/apache-kafka-training-deck-and-tutorial/
Many thanks to the LinkedIn Engineering team (the creators of Kafka) and the Apache Kafka open source community!
Azure Kubernetes Service (AKS) is a managed container orchestration service that allows users to deploy, scale, and manage containerized applications. It offers fully managed Kubernetes clusters, enabling end-to-end deployment, scalability, and high availability. AKS manages the control plane of Kubernetes which includes components like etcd and the API server, allowing users to focus on managing applications. It provides a way to deploy and manage containerized applications without having to stand up or manage Kubernetes infrastructure.
Spark can run on Kubernetes containers in two ways - as a static cluster or with native integration. As a static cluster, Spark pods are manually deployed without autoscaling. Native integration treats Kubernetes as a resource manager, allowing Spark to dynamically acquire and release containers like in YARN. It uses Kubernetes custom controllers to create driver pods that then launch worker pods. This provides autoscaling of resources based on job demands.
This document provides an overview of cloud native concepts including:
- Cloud native is defined as applications optimized for modern distributed systems capable of scaling to thousands of nodes.
- The pillars of cloud native include devops, continuous delivery, microservices, and containers.
- Common use cases for cloud native include development, operations, legacy application refactoring, migration to cloud, and building new microservice applications.
- While cloud native adoption is growing, challenges include complexity, cultural changes, lack of training, security concerns, and monitoring difficulties.
Organizations are grappling to manually classify and create an inventory for distributed and heterogeneous data assets to deliver value. However, the new Azure service for enterprises – Azure Synapse Analytics is poised to help organizations and fill the gap between data warehouses and data lakes.
AKS reduces the complexity of managing Kubernetes by offloading operations to Azure. It allows easy creation and management of Kubernetes clusters through simple CLI commands. AKS supports advanced networking features in Azure like VNET integration and ingress controllers. It also enables integration with other Azure services for storage, databases, and monitoring through open service brokers.
Presentation given at Open Source Summit Japan 2016 about the state of the cloud native technology (Cloud Native Computing Foundation) and the standardization of container technology (Open Container Initiative)
Pivotal Container Service (PKS) provides an enterprise-grade Kubernetes platform that can be deployed on any cloud infrastructure using the open source BOSH tool. PKS handles operations tasks like provisioning and upgrading Kubernetes clusters, integrates with VMware technologies for networking and security, and provides a centralized control plane for managing multiple clusters and tenants. It aims to deliver the benefits of Kubernetes to enterprises by adding capabilities for high availability, multi-tenancy, security and automation.
Streaming all over the world Real life use cases with Kafka Streamsconfluent
This document discusses using Apache Kafka Streams for stream processing. It begins with an overview of Apache Kafka and Kafka Streams. It then presents several real-life use cases that have been implemented with Kafka Streams, including data conversions from XML to Avro, stream-table joins for event propagation, duplicate elimination, and detecting absence of events. The document concludes with recommendations for developing and operating Kafka Streams applications.
This document summarizes Netflix's use of Kafka in their data pipeline. It discusses how Netflix evolved from using S3 and EMR to introducing Kafka and Kafka producers and consumers to handle 400 billion events per day. It covers challenges of scaling Kafka clusters and tuning Kafka clients and brokers. Finally, it outlines Netflix's roadmap which includes contributing to open source projects like Kafka and testing failure resilience.
Related Source Code https://github.com/abdennour/meetup-deployment-k8s
Intro
Why Deployment ?
What’s Deployment ?
How Deployment?
Deployment Strategies ( in general & in k8s )
Deployment Features
Demo ( distributed )
If you’re working with just a few containers, managing them isn't too complicated. But what if you have hundreds or thousands? Think about having to handle multiple upgrades for each container, keeping track of container and node state, available resources, and more. That’s where Kubernetes comes in. Kubernetes is an open source container management platform that helps you run containers at scale. This talk will cover Kubernetes components and show how to run applications on it.
OpenShift is a Platform-as-a-Service that provides development environments on demand using containers. It automates application lifecycles including build, deploy, and retirement. OpenShift uses containers to package applications and dependencies in a portable way. Red Hat addresses concerns around adopting containers at scale through OpenShift, which provides security, scalability, integration, management and certification capabilities. OpenShift runs on a user's choice of infrastructure and orchestrates applications across nodes using Kubernetes.
Microk8s allows running a single node Kubernetes cluster on any Linux system using only a snap installation. It provides a lightweight way to use Kubernetes for local development, testing, or CI/CD workloads. Key features include enabling and disabling addons like DNS, dashboard, storage, and ingress controllers with simple commands and switching between Kubernetes versions by changing channels.
Apache Iceberg - A Table Format for Hige Analytic DatasetsAlluxio, Inc.
Data Orchestration Summit
www.alluxio.io/data-orchestration-summit-2019
November 7, 2019
Apache Iceberg - A Table Format for Hige Analytic Datasets
Speaker:
Ryan Blue, Netflix
For more Alluxio events: https://www.alluxio.io/events/
Confluent REST Proxy and Schema Registry (Concepts, Architecture, Features)Kai Wähner
High level introduction to Confluent REST Proxy and Schema Registry (leveraging Apache Avro under the hood), two components of the Apache Kafka open source ecosystem. See the concepts, architecture and features.
Cloud Native Bern 05.2023 — Zero Trust VisibilityRaphaël PINSON
As the adoption of Kubernetes continues to grow, so does the need for securing containerized applications and their data. One effective security model that has gained popularity is Zero Trust Networking, which assumes that all resources, devices and users are untrusted, and access to resources is granted only after proper authentication and authorization. However, implementing Zero Trust Networking in Kubernetes can be challenging, given the dynamic nature of containerized workloads and the complexity of network policies.
In this presentation, we will explore how to implement Zero Trust Networking in Kubernetes using Cilium, Hubble & Grafana. We will start by setting up Cilium on a Kubernetes cluster, which provides network security by enforcing identity-based access control policies using eBPF. Next, we will export Network Policy Verdict metrics using Hubble, which allows us to visualize network policies and track security events in real-time. Finally, we will use a Grafana dashboard to visualize these metrics and demonstrate how to secure a Kubernetes namespace without affecting existing traffic in the namespace.
By the end of this presentation, attendees will have a good understanding of the importance of Zero Trust Networking in Kubernetes and how to implement it using Cilium, Hubble & Grafana. They will also learn how to secure a Kubernetes namespace and monitor network policies using a Grafana dashboard.
GitOps è un nuovo metodo di CD che utilizza Git come unica fonte di verità per le applicazioni e per l'infrastruttura (declarative infrastructure/infrastructure as code), fornendo sia il controllo delle revisioni che il controllo delle modifiche. In questo talk vedremo come implementare workflow di CI/CD Gitops basati su Kubernetes, dalla teoria alla pratica passando in rassegna i principali strumenti oggi a disposizione come ArgoCD, Flux (aka Gitops engine) e JenkinsX
Migrating Hundreds of Legacy Applications to Kubernetes - The Good, the Bad, ...QAware GmbH
CloudNativeCon North America 2017, Austin (Texas, USA): Talk by Josef Adersberger (@adersberger, CTO at QAware)
Abstract:
Running applications on Kubernetes can provide a lot of benefits: more dev speed, lower ops costs, and a higher elasticity & resiliency in production. Kubernetes is the place to be for cloud native apps. But what to do if you’ve no shiny new cloud native apps but a whole bunch of JEE legacy systems? No chance to leverage the advantages of Kubernetes? Yes you can!
We’re facing the challenge of migrating hundreds of JEE legacy applications of a major German insurance company onto a Kubernetes cluster within one year. We're now close to the finish line and it worked pretty well so far.
The talk will be about the lessons we've learned - the best practices and pitfalls we've discovered along our way. We'll provide our answers to life, the universe and a cloud native journey like:
- What technical constraints of Kubernetes can be obstacles for applications and how to tackle these?
- How to architect a landscape of hundreds of containerized applications with their surrounding infrastructure like DBs MQs and IAM and heavy requirements on security?
- How to industrialize and govern the migration process?
- How to leverage the possibilities of a cloud native platform like Kubernetes without challenging the tight timeline?
Apache Kafka 0.8 basic training - VerisignMichael Noll
Apache Kafka 0.8 basic training (120 slides) covering:
1. Introducing Kafka: history, Kafka at LinkedIn, Kafka adoption in the industry, why Kafka
2. Kafka core concepts: topics, partitions, replicas, producers, consumers, brokers
3. Operating Kafka: architecture, hardware specs, deploying, monitoring, P&S tuning
4. Developing Kafka apps: writing to Kafka, reading from Kafka, testing, serialization, compression, example apps
5. Playing with Kafka using Wirbelsturm
Audience: developers, operations, architects
Created by Michael G. Noll, Data Architect, Verisign, https://www.verisigninc.com/
Verisign is a global leader in domain names and internet security.
Tools mentioned:
- Wirbelsturm (https://github.com/miguno/wirbelsturm)
- kafka-storm-starter (https://github.com/miguno/kafka-storm-starter)
Blog post at:
http://www.michael-noll.com/blog/2014/08/18/apache-kafka-training-deck-and-tutorial/
Many thanks to the LinkedIn Engineering team (the creators of Kafka) and the Apache Kafka open source community!
Azure Kubernetes Service (AKS) is a managed container orchestration service that allows users to deploy, scale, and manage containerized applications. It offers fully managed Kubernetes clusters, enabling end-to-end deployment, scalability, and high availability. AKS manages the control plane of Kubernetes which includes components like etcd and the API server, allowing users to focus on managing applications. It provides a way to deploy and manage containerized applications without having to stand up or manage Kubernetes infrastructure.
Spark can run on Kubernetes containers in two ways - as a static cluster or with native integration. As a static cluster, Spark pods are manually deployed without autoscaling. Native integration treats Kubernetes as a resource manager, allowing Spark to dynamically acquire and release containers like in YARN. It uses Kubernetes custom controllers to create driver pods that then launch worker pods. This provides autoscaling of resources based on job demands.
This document provides an overview of cloud native concepts including:
- Cloud native is defined as applications optimized for modern distributed systems capable of scaling to thousands of nodes.
- The pillars of cloud native include devops, continuous delivery, microservices, and containers.
- Common use cases for cloud native include development, operations, legacy application refactoring, migration to cloud, and building new microservice applications.
- While cloud native adoption is growing, challenges include complexity, cultural changes, lack of training, security concerns, and monitoring difficulties.
Organizations are grappling to manually classify and create an inventory for distributed and heterogeneous data assets to deliver value. However, the new Azure service for enterprises – Azure Synapse Analytics is poised to help organizations and fill the gap between data warehouses and data lakes.
AKS reduces the complexity of managing Kubernetes by offloading operations to Azure. It allows easy creation and management of Kubernetes clusters through simple CLI commands. AKS supports advanced networking features in Azure like VNET integration and ingress controllers. It also enables integration with other Azure services for storage, databases, and monitoring through open service brokers.
Presentation given at Open Source Summit Japan 2016 about the state of the cloud native technology (Cloud Native Computing Foundation) and the standardization of container technology (Open Container Initiative)
Pivotal Container Service (PKS) provides an enterprise-grade Kubernetes platform that can be deployed on any cloud infrastructure using the open source BOSH tool. PKS handles operations tasks like provisioning and upgrading Kubernetes clusters, integrates with VMware technologies for networking and security, and provides a centralized control plane for managing multiple clusters and tenants. It aims to deliver the benefits of Kubernetes to enterprises by adding capabilities for high availability, multi-tenancy, security and automation.
[API World 2021 ] - Understanding Cloud Native DeploymentWSO2
Microservices and APIs built for digital transformation products require agile, reliable, and scalable cloud native infrastructure to truly meet customer expectations for a great "always there" user experience. Whether deployed on-premises or hosted in a public cloud, understanding and leveraging the right approach is key to success. This session takes up where the development process leaves off, tracking the standardization of containers and container orchestration for automated deployment, including current and future platform trends WSO2 and others are following.
Mr. Anirban Ghosh has over 10 years of experience in Java, JEE, Hadoop, databases, and other technologies. He has strong skills in programming languages, web tools, databases, operating systems, big data ecosystems, and domains like telecom, airlines, and more. He has worked as a senior consultant, senior developer, team lead, and individual contributor on various projects involving technologies such as Java, web services, databases, Hadoop, Hive, and more.
Ultimate Guide to Microservice Architecture on Kuberneteskloia
This document provides an overview of microservice architecture on Kubernetes. It discusses:
1. Benefits of microservice architecture like independent deployability and scalability compared to monolithic applications.
2. Best practices for microservices including RESTful design, distributed configuration, client code generation, and API gateways.
3. Tools for microservices on Kubernetes including Prometheus for monitoring, Elasticsearch (ELK) stack for logging, service meshes, and event sourcing with CQRS.
Building Cloud Native Applications with Oracle Autonomous Database.Oracle Developers
This document discusses building cloud native applications with Oracle Autonomous Database. It provides an overview of:
1) The evolution of computing and development from monolithic to cloud native applications.
2) The challenges of managing databases with microservices, and how Oracle Autonomous Database can serve as a single database for all development needs.
3) How to build, deploy, and manage cloud native applications using Oracle Cloud Infrastructure services like the Container Engine for Kubernetes, Functions, and the Autonomous Transaction Processing database.
This document discusses infrastructure design for Kubernetes and how Pivotal Container Service (PKS) addresses challenges of managing Kubernetes at scale. It describes user stories of different roles managing containers and highlights issues around frequent updates, scaling clusters, and security patching. PKS is presented as providing a production-grade solution that automates deployment and management of Kubernetes through integration with VMware technologies. It allows for full stack automation and scaling to reduce operations workload from managing multiple Kubernetes releases, OS updates, and cluster upgrades across a large infrastructure.
Continuous Everything in a Multi-cloud and Multi-platform EnvironmentVMware Tanzu
This document discusses continuous delivery strategies using Pivotal technologies like Pivotal Build Service, Pivotal Container Service, and Spinnaker. Pivotal Build Service allows building Docker images without Dockerfiles using buildpacks. Spinnaker is an open source multi-cloud delivery platform that provides deployment strategies and rollback capabilities. The document demonstrates continuous deployment of a Spring Boot app to PKS using Concourse CI and Spinnaker for deployment automation and monitoring.
Tim Hall [InfluxData] | InfluxDB Roadmap | InfluxDays Virtual Experience NA 2020InfluxData
Tim Hall, VP of Products at InfluxData, discusses InfluxDB's roadmap. InfluxDB 2.0 is now generally available. Next steps include advancing Flux, improving performance, and adding operational controls. Kapacitor will enable using existing investments with InfluxDB 2.x. Future plans involve expanded metrics, self-service backup/import, cloud-native data acquisition, and connecting edge devices to the cloud. The roadmap aims to help developers build applications and help operations teams administer systems.
Migrating a Large Fortune 100 Healthcare Company to Kubernetes in 7 monthsKonveyor Community
Watch the presentation: https://youtu.be/E3LeAmH6Ems
At the beginning of 2019, Chris Nuland and team were tasked with migrating a large mesosphere DC/OS cluster with hundreds of running containers to Kubernetes for a large fortune 100 healthcare company. One of the key challenges with this migration was the need to finish it within a 7 month timeframe to allow the sunsetting of DC/OS before the cluster’s end of life. In conjunction with this migration, there was also the need to containerize a couple hundred applications and deploy them into the newly built cluster. These tasks were completed in the desired time frame using a variety of migration and onboarding techniques, including the use of a few migration tools, like pathfinder, that would eventually be part of the Konveyor suite of applications.
This presentation will go over many of the challenges of that migration, how certain tooling aided in the process, and how the process would look differently now given many of the migration tooling advantages found in the Konveyor suite of applications.
Presenter: Christopher Nuland, Architect at Red Hat
Transforming mission-critical applications on mainframes for innovationEranea
[This presentation is available without detailled notes at https://www.slideshare.net/eranea/2015-0701eraneatransformationinnovationenwww]
Eranea's solution can be used to "clone" legacy applications (mainframe, Cobol) to x86/Java/web to delliver many flavours of innovations.
Those innovations - required by digital transformation of traditional large corporations - then smoothly integrate to existing mission-critical processes in order to spread quickly and be efficient at scale.
Connectivity is here (5 g, swarm,...). now, let's build interplanetary apps! (1)Samy Fodil
Webinar recording: https://youtu.be/t30Aa-mq93Q
Do you need to build scalable 5G and IoT applications? Or, maybe distribute the computing required by AR/VR throughout the data path? Perhaps you need to implement Digital Twins? Well you've come to the right place.
Edge Computing is a paradigm that distributes computing and data storage between the Cloud and the users. In fact, the data center infrastructure that sits between you and the Cloud is actually larger than all the Cloud data centers combined. For over two decades, thanks to that Edge infrastructure you've been able to watch videos and smoothly surf the web. Today the "Edge" is powering all the automation around you; for example, smart cities, smart cars, smart factories, etc.
GCP Meetup #3 - Approaches to Cloud Native Architecturesnine
Talk by Daniel Leahy and Nic Gibson, given at the Google Cloud Meetup on March 3, 2020, hosted by Nine Internet Solutions AG - Your Swiss Managed Cloud Service Provider.
Bandwidth: Use Cases for Elastic Cloud on Kubernetes Elasticsearch
Bandwidth has been an avid user of the Elastic Stack for aggregating their logs from its many data centers. Learn how Bandwidth uses Elastic Cloud on Kubernetes to help satisfy various use cases.
This document introduces self-service application deployment with Kubernetes and OpenShift. It discusses how containers and container orchestration tools like Kubernetes and OpenShift address issues with traditional application deployment processes by allowing developers to deploy applications without needing access to infrastructure. It provides an overview of Kubernetes and OpenShift concepts and components that enable this self-service deployment model.
Presentazione dello speech tenuto da Carmine Spagnuolo (Postdoctoral Research Fellow - Università degli Studi di Salerno/ ACT OR) dal titolo "Technology insights: Decision Science Platform", durante il Decision Science Forum 2019, il più importante evento italiano sulla Scienza delle Decisioni.
OpenStack and Kubernetes - A match made for Telco HeavenTrinath Somanchi
OpenStack and Kubernetes can work well together for telco applications by leveraging their complementary strengths in orchestrating and securing cloud infrastructure. Projects like Airship and Kata Containers are evolving OpenStack support for containers to address challenges in telco clouds. Airship provides a declarative way to introduce OpenStack on Kubernetes for lifecycle management at scale. Kata Containers adds virtualization capabilities to containers to achieve the security of VMs with the speed of containers. Together, these technologies can help telecom providers optimize resource utilization and quickly scale virtual network functions in response to fluctuating mobile data traffic demands.
Pivotal Container Service (PKS) at SF Cloud Foundry Meetupcornelia davis
Overview of Pivotal Container Service (PKS), built on the open source Cloud Foundry Container Runtime (CFCR). Covers what Kubernetes is, how PKS presents a complete platform that includes Kubernetes and much more, and key cloud principles.
Presented at the San Francisco-Bay Area Cloud Foundry meetup.
Similar to ING Container Hosting Platform - 3 years onward_with Kube_for distribution.pdf (20)
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...alexjohnson7307
Predictive maintenance is a proactive approach that anticipates equipment failures before they happen. At the forefront of this innovative strategy is Artificial Intelligence (AI), which brings unprecedented precision and efficiency. AI in predictive maintenance is transforming industries by reducing downtime, minimizing costs, and enhancing productivity.
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Driving Business Innovation: Latest Generative AI Advancements & Success Story
ING Container Hosting Platform - 3 years onward_with Kube_for distribution.pdf
1. ING Container Hosting Platform, 3 years onward
ING Tech Infra&Engineering
Growing and sustaining a Private Cloud Container Hosting Platform
October 2022
2. 2
Introductions
ING is a global bank with a strong European base. Our more than
57,000 employees serve around 38 million customers, corporate
clients and financial institutions in over 40 countries. Our
purpose is to empower people to stay a step ahead in life and in
business.
* ING is undergoing a transition to close our Wholesale Banking offices in Argentina, Brazil and Kazakhstan as
announced on 5 November 2020. ING has exited the Austrian and Czech retail banking markets as of the end of
2021. We announced in December 2021 that we will leave the retail banking market in France after a strategic
review of our retail banking operations there. We announced June 24th 2022 we will leave the Philippines retail
banking market as of then end of 2022.
For ING’s position regarding Russia and the Ukraine see our Feb 28 2022 statement
Thijs Ebbers
Architecting Cloud Native @ING
since 2016 (employee since 2001)
Architecture Lead for the
Runtime Domain (“VM & Container
Hosting”), for ING Private & Public
Clouds
Sandeep Kaul
IT Area Lead (“Head of IT”) for
Cloud/PaaS, a.o. responsible for
the delivery of ICHP towards
internal customers.
3. 3
Short Recap
At 2019’s San Diego OpenShift Commons ING presented “Running Containers in Production, the ING Story”
where we introduced ING’s Container Hosting Platform (“ICHP”) and explained:
• the drivers behind our transformation
• the “Cloud Native ecosystem Kube” we use(d) to communicate with our stakeholders
• ICHP’s deployment model & its delivery patterns
• which topics took the most time during the first 2 years of engineering and operation.
So for the remainder of this presentation we assume this content is known ;-)
and if not catch up afterwards :
5. 5
ICHP –> ICH* (aka abstracting for multi cloud)
ING Container Hosting Platform (“ICHP”) was ING’s first standardized Container Hosting environment, but
it has evolved into a family we now call ICH which consists of:
• The private cloud ICHP platform based on OCP
• The ICHA platform on Azure AKS (still being engineered)
• The ICHG platform on GCP GKE (still being engineered)
All these platforms abide to the same defined interfaces to enable application portability between the
ICH family members, for both re-useability as well as regulatory reasons. And making deployments to
multiple target clouds with defined interfaces mandatory will empower our engineers with the skills they
need.
Why not use (managed) OpenShift on Azure & GCP ?
• ING believes the value of public clouds is in the integrated ecosystem and the cloud vendors native
services will be the 1st to benefit from innovations in those ecosystems. This means we should
consume SaaS rather then PaaS rather then IaaS to make use of those innovations as soon as possible.
• Hence we consume Azure and GCP native services wherever possible and we try to avoid IaaS services
For the remainder of this presentation we’ll focus on ICHP
Note : 2 of our ING colleagues are presenting this KubeCon on “HPC Batch computing for Analytics Workloads “
(Wednesday 2:30 pm), attend and learn but be aware this environment is not (yet) hosted on ICH*
6. K8s technology = Amazing
• Almost infinite # use cases…
But
• Mixing multiple distinct use cases
together in the same clusters =
a recipe for (regulatory) disaster…
This table shows the attempt of ING to
categorize in order to give each service
its appropriate (risk&security) treatment.
white = (partially) available as a service
grey = currently not available as a service
This table is not intended to be static…
Meaning ING is very opinionated on
what workloads should be hosted on our
Immutable container hosting service…
Don’t make any wrong assumptions,
we do get a lot of requests for hosting
software which in our opinion belongs
on services currently unavailable (grey)
“No” is a valid answer…, as ING Tech chooses to focus on a limited set (since we have scarce engineering capacity). Spinning up those other
services would require additional DevOps squads to engineer and run those services. Requesters can still run that software on VM’s...
Service Typical use case(s)
Immutable
Containers
Capability to host immutable container workloads like 12 Factor Apps (commonly: “API’s”)
Functions as a
Service
Capability to execute backend code directly without having to manage any servers
Data Services
Capability to provide data persistence as a service e.g. Object Storage, Elastic, Kafka, MS-SQL,
Oracle, Cassandra, Redis, etc.
HPC
Capability to provide High Performance Compute (e.g. GPU, fast local cache, etc.) as a service
for machine learning and analytics.
Centralized End-
User
Capability to provide a managed, dedicated set-up for specific user(s) e.g. for data science,
educational and training set-ups etc.
Infrastructure
Management
Capability to manage IT assets as Desired State Custom Resources (e.g. Crossplane)
Non-12 factor
apps (“VM”s) – K8S
Hosting of non-12 factor apps (“VM’s in a container package”), typically large images
containing monolithic applications, not ready for hands off operations, could be requiring
managed local persistency. Hosted on a K8s or equivalent platform.
Standalone - Non-
12 factor apps
(“VM”s)
Hosting of non-12 factor apps (“VM’s in a container package”), typically large images
containing monolithic applications, not ready for hands off operations, could be requiring
managed local persistency. Hosted on Standalone “Docker” instances.
6
Divide & Conquer (aka Distinct Services deserve Distinct Treatment)
7. 7
Security
• ING Container Security Standard in place as of Q2
2019
(“Zero Privilege”, do not trust “Zero Trust”…)
• Comprehensive Vulnerability Scanning in
OnePipeline enforced as of Q4 2021
(thank you Log4J for the priority…)
• Immutable Workloads, enforced as of Q1 2022
(privileged NPA’s removed from production namespaces,
Break Glass available, mandatory redeploy afterwards)
• Immutable Platform (Clusters), as of Q3 2022
(OCP 4.10.30 IPI for Bare Metal dependency)
• Anomaly Detection & Policy-as-Code capability as
of Q3 2022 (OCP 4.10/ K8s kernel version dependency)
• As of Q3 2022 ICHP has implemented all controls
as specified in the Container Security Standard
8. 8
OpenShift LCM
Generic learnings:
• Not all consuming DevOps teams understand the full scope of going Cloud Native and might be unaware of their
shortcomings
• In particular we noticed the value of automated testing wasn't always recognized, which did hamper our Platform
LCM
• Application redeployment should be “the new normal”, not “something to be scared of”…
Migrating OpenShift 3.11 OKD to OpenShift 3.11 Enterprise (Q1 2020):
• Clusters were redeployed (1 DC at a time), forcing downtime (in practice a DR-excersize) upon our consumers. This
wasn’t well received and led us to rethink our migration strategy for the next LCM moment…
Migrating OpenShift 3.11 Enterprise to OpenShift 4.10 Enterprise (“ICHP v2”) (Q3 2022):
• Running on Bare Metal nodes doesn’t help if new OpenShift
versions are first released for VM based clusters… It took Red Hat
until version 4.10.30 to deliver the quality ING needed to do a
fully automated IPI based install in our DC’s (which was kind of
challenging looking at the EOS of OCP 3.11…)
• This time we opted to spin up new clusters in parallel to the old
environment, and offer our customers a migration window to
redeploy their workloads. We opened the migration Sep 15th 2022
for our Non-Prod clusters and our Prod clusters are planned to go live this week
More details on how we build our NaaS on top of OCP 4.10 IPI in the other ING presentation today
9. In Q3 2019 ICHP had 18 FTE and hosted :
• 250 Prod namespaces whose API’s only
processed a marginal number of transactions
(most still preparing for actual workloads)
• about 1000 Non-Prod Namespaces
In Q3 2022 ICHP hosted:
• 600 namespaces in Production whose
API’s processed 50% of ING retail customer
transactions
• 1690 namespaces in Non-Production
And did this with the same 18 FTE, we only
added an additional Ops squad to manage
the environment (+6 FTE) from a partner
(hired as of Q1 2022, for new total of 24 FTE)
9
Growing pains : exponential growth for Immutable App hosting
So looking back ICHP coped with a sustained 100% growth each year (measured in installed CPU/memory
capacity) (for the last 3 years) & this growth is expected to continue into 2023. As a result the price/unit
has now become very competitive and ICHP’s Immutable Container hosting in this way supports the
broader ING Tech Strategy to enable to grow our business at marginal cost
10. Green line is actual ICHP Prod DC1
usage (Prod DC2 usage is similar)
Red line is available ICHP Prod DC1
capacity (Prod DC2 capacity is identical)
Drop in capacity end of August ’21
due to bug in OpenShift 3.11 icw
Atomic requiring ICHP to scale
back from 250 pods to 160 pods
per node to become stable again
(with OpenShift 4/CoreOS its fixed)
Customers were impacted (mainly
in the non-Prod environment) in
the Q3 2021 due to this shortage
As a provider we had to scavenge
additional nodes everywhere to
remain stable…
The drop in Feb 2022 was due to an
unintended reboot of multiple nodes by
one of our suppliers
Growing pains : Bugs (pending pods / pods per node)
10
Pending pods ->
Pods/node back to 160
Running out of
capacity…
Blue Line
measuring
“pending pods”
introduced
11. Q1 2022
Multiple outages impacting ING customers on workloads hosted on ICHP (For the record : ICHP has had zero
unplanned platform downtime…). Analysis concluded most were avoidable… by properly defining K8s
application deployment configs. Lesson learned : Developer Autonomy is good thing, but never forget to
validate the results…
Q2 2022
• ING CTO&CIO’s decided on mandatory (not yet enforced) use of :
canary releasing
resilient pod placement
liveness & readiness probes
• ICHP published ING specific workload resilience documentation
Q3 2022
• ICHP provides Dashboards giving ING CIO’s (& developers) insight in
the quality of the deployments on ICHP
• Additional internal templates & resilience training materials being developed (by partner enabling teams)
Future Step : Policy enforcement via Policy-as-Code (K8s deployment config insufficient -> deploy job fails)
11
Growing pains : workload resilience
12. 12
ICHP Partnerships
Ingested products
(products or data provided by other platforms
that are exposed through this platform)
supplied-services
(provided by other platforms
required for platform functions)
engineered product builds
(developed and maintained by one or multiple
squads)
CONSUME ENGINEER
INGEST
Exposed platform
services
EXPOSE
Exposed product builds
(semi finished product used as supplied
product build by the consuming
platform)
Complement
(add value)
ING “BTP” (Topics & Service Mesh & Workload Deployment Templates)
ING “IPC” (DBaaS, Keyspace-aaS, Object Storage, Cloud Automation)
ING “Security Tribe” (IAM & Workload Security Monitoring & Workload Certs)
ING “MDPL” (Workload Observability)
ING “One Pipeline” (Workload CI/CD)
ING Banking Technology Platform
ING Group Services
ING Retail Banks
ING Wholesale
ING Infra&Engineering
ING “DCN” (Networking)
ING “IPC” (Object Storage)
ING “MDPL” (Platform Observability)
ING “One Pipeline” (Platform CI/CD)
ING “Security Tribe” (IAM & Platform Security Monitoring & Platform Certs)
ING “IPC” (Nodes BM & VM)
Red Hat (OpenShift)
Portworx (local persistency)
13. 13
Strategy (part 1 : why do we do what we do ?)
ING’s Tech strategy : “To build Scaleable Tech which enables Growing our business at marginal cost”
• ICHP is a core example of technologies engineered by ING to support this goal, as explained earlier
Additional Strategy goals are “Self-Service”, “Re-useability” & Automation
• The immutable container hosting is delivered as a Namespace-aaS from our private cloud portal
• The ICHP platform hosts applications from almost every ING segment and for most of the countries
• The ICHP platform is fully automated, both for Namespace & Cluster provisioning (“Immutable”)
ICHP’s Unique Selling Point : Compliance-out-of-the-Box
• Immutability is the key tool in achieving this goal. Hence ICHP focused on Immutable container hosting
over the past period and this will stay it’s core delivery
ING Tech is looking into “Team Topologies” as a way to optimize the internal
organization and as it turns out ICHP ticks all the boxes for a
“Thinnest Viable Platform” (since 2018, the book was published in 2019…)
Our platform is compelling for consumers, with our NaaS approach which reduces
cognitive load, it simplifies the risk evidencing burden & we are strongly partnered
with key “stream aligned”, “enabling” & “platform” teams in different ING segments
to help guide our backlog/roadmap
14. 14
Strategy (part 2 : what’s next?)
For the Immutable container hosting service there’s still work to be done:
• Pets -> Cattle for the clusters, which is aided by
• Hypervisor based Nodes (currently all production is on Bare Metal)
• Multi-Cluster Management (“MCM”) : Pattern(s)/Solution(s) to be investigated
• Anomaly Detection and Policy-as-Code capabilities have been released with ICHPv2 based on
OpenShift 4.10, but scope wise we have lots of opportunities to expand rulesets… Workload resilience
will be high on that backlog…
But ING does recognize other K8s use cases as explained before:
• ICHP is hosting Elastic & Prometheus environments on dedicated
OpenShift clusters (with local persistency)
• ICHP is working on a Cluster-aaS delivery for Platform Teams
• And ICHP is tracking the maturity of the market:
• To determine when best to start investing our scarce engineering resources (Scarcity does create focus...).
• The Multi-Cluster Services (“MCS”) developments have our special attention (perhaps Skupper + KCP…?)
In the mean time non-Immutable workloads can still be hosted on our Private Cloud VM offering…
(no exceptions/no specials in our multi-tenant Immutable Container hosting, or else we risk losing our USP…)
Last but not least we strive to be a more engaged participant in the community, more on that topic in the
other ING presentation today…
15. Of course we’re hiring ;-)
https://www.ing.jobs/tech
15
Thank you / Questions
Slides will be made available at
https://www.slideshare.net/ThijsEbbers/
17. Whilst we treaded the eye of the needle
in our Production clusters when we hit the
“Pending Pods bug”, we weren’t so “lucky”
with our Non-Production clusters.
On several occasions consumer (DTA)
workloads did encounter negative impact,
and since hardware replenishment was
difficult we moved D/T workloads to
newly added VM based nodes (which
explains the decline in the green line) in
order to free up Bare Metal nodes to be
used to stabilize the Production clusters
as well as to keep the Acceptance
workloads as stable as possible on the
remaining Bare Metal nodes
Meanwhile, in Non-Prod…
17
Pods/node
back to 160
Pending
pods
Introduction
of additional
(VM based)
nodes
Non-Prod
Environment
stabilized
18. • From ING’s Daily Banking Tribe talk at GOTO 2022 conference (“Spotify Model : On Radical
Improvements From The Trenches Of Change”):
• Deployment time : 62% build & deploy speed improvement
• Development capacity : 27% more Backlog items done (measured per year in 2020/21)
• More Coding : 16% more coding time per team
• No more VM’s : Less infra costs, no patching, more secure, less issues with auditing the stack
(More cool ING Tech talks on our YouTube Channel)
• Building a Global Investments Platform in 12 Months (2020-21)
• Building a Digital Platform for Insurance Products (“ING-AXA partnership”) in 9 Months (2019)
• Building a (Mobile Only Digital) Bank in 9 Months (“The Manila Miracle”) (2018)
• And more to come…
ICHP(‘s-ecosystem) enabled our Internal ING Customers to achieve :
18
19. Platform (“ICHP”) Adds e.g. :
• ING Compliance
• ING Integrations (SEM,
Monitoring, AZDO, …)
• ING Hardening
Distribution (e.g. “OpenShift”, “RKE”, “GKE”, “AKS”)
Adds e.g. : RBAC, SDN
Container Management Framework
(“Kubernetes”)
Adds e.g. :
Scaling, resilience
Application Containers to Container Hosting Platforms
19
Containers
20. • Important aspect to be taken into consideration: The ING Container Hosting Platform Immutable
Container hosting is NOT aiming to rehost VM’s to containers… Purpose is to have the best possible
hosting environment for immutable workloads!
• If a DevOps teams manages to properly refactor their VM into a set of container images they are
welcome
• Hands-off approach in production (which implies a mature team in all aspects, e.g. CI/CD !)
If teams feel not comfortable with this they should stay on VM’s!
ICHP Immutable App hosting Intended Use
20
21. ING aims to make our DevOps teams autonomous (As explained in ING’s Way-of-Working in 2019) .
We also want to enable those DevOps teams to deliver maximum value to the business, by not bothering them
with IT-Infrastructure concerns, nor bothering them with having to deliver compliancy evidence for the hosting
platform.
Hence offering a Namespace-as-a-Service is for us the sweet spot:
• Clear demarcation between (Infra)Provider and Consumer
• Enabling hand-over of compliance evidence
• Enabling multi-tenancy (hence fast time-to-market/self-service consumption, and the potential for efficient
utilization of resources)
• The DevOps team can assume responsibility for (almost) the full stack (only the kernel stays shared). They have
liberty/responsibility to choose/maintain their (versions of) base image, runtime engine, libraries, etc. (within
the boundaries set by the ING corporate risk&compliancy rules !)
ING will offer a K8S Cluster-as-a-Service in the future, however this will be a limited offering only available to
selected platform teams.
Why ICHP only offers a “Namespace-as-a-Service”
21
22. Key Objective for ING is to remain capable to exit a Public Cloud provider.
Determining the right abstractions is key to meeting this objective for a container hosting platform,
hence:
• We choose an open/industry standard (in this case: the Kubernetes ecosystem)
• We choose an intended use (in this case: Immutable Workloads)
• We clearly define the allowed interfaces (in the ICH – Interfaces standard)
• We automate our deployments by the mandatory use of One Pipeline
Note that these abstractions are design time and not runtime (as we still use the AKS service native to
Azure or the GKE service native to GCP)
However there will always be debate on the details as we try to balance innovation, time-to-market,
risk/security and/or cost-income ambitions. Therefore actually running production workloads on at
least one Kubernetes stack outside of the primary (Public) Cloud provider is the best recipe to “keep
everyone honest”, as this will prevent Cloud Provider specific “optimizations” from slipping into ING
code. Meaning there should always be at least 2 ICH standard solutions in use.
Cloud Abstractions
22
23. We do know how to build those services in grey… Our engineers are more then capable to build and
run those. But not all of them together at the same time…
Hence for each year ING determines where to allocate that engineering capacity:
• Improving existing services
• e.g. Pets -> Cattle
• Supporting additional use cases on existing services
• e.g. Data Services we today only support ELK & Prometheus, if we start to support Data Persistence Services
more critical to the bank (e.g. message bus, (non-)relational databases) we’d actually like the availability of
those Services to be independent from K8s cluster uptime (hence our interest in CNCF MCS developments)
• Introducing New Services
• We do have active instantiations of Centralized End-User & HPC use cases on K8s in ING (one is even presenting
@KubeCon Detroit). But those are currently not hosted as a centralized/standardized Service. So we could also
choose to include those in the ICH catalogue
• The one defined service we’re not likely to invest time in any time soon is FaaS, that has everything to do
with the controls currently enforced from a regulatory perspective and little with the actual technology…
Dive and Conquer additional information
23
24. IPC/ICHP hosting services (1/2) (Grey is currently not available)
24
Service Typical use case(s)
Immutable Containers Capability to host immutable container workloads like 12 Factor Apps (commonly: “API’s”)
Functions as a Service Capability to execute backend code directly without having to manage any servers
Data Services
Capability to provide data persistence as a service e.g. Object Storage, Elastic, Kafka, MS-SQL, Oracle,
Cassandra, Redis, etc.
HPC
Capability to provide High Performance Compute (e.g. GPU, fast local cache, etc.) as a service for machine
learning and analytics.
Centralized End-User
Capability to provide a managed, dedicated set-up for specific user(s) e.g. for data science, educational
and training set-ups etc.
Infrastructure
Management
Capability to manage IT assets as Desired State Custom Resources (e.g. Crossplane)
Non-12 factor apps
(“VM”s) – K8S
Hosting of non-12 factor apps (“VM’s in a container package”), typically large images containing
monolithic applications, not ready for hands off operations, could be requiring managed local persistency.
Hosted on a K8s or equivalent platform.
Standalone - Non-12
factor apps (“VM”s)
Hosting of non-12 factor apps (“VM’s in a container package”), typically large images containing
monolithic applications, not ready for hands off operations, could be requiring managed local persistency.
Hosted on Standalone “Docker” instances.
25. IPC/ICHP hosting services (2/2) (Grey is currently not available)
25
Service Unit of Delivery
(/Security)
Local
Persistency
GPU Ingress Exposed
interface(s)
End-user access to
SSH/Terminal Interfaces
Immutable
Containers
Namespace Not Available Not Available
Shared per
Traffic type
(Internal/DMZ/…
)
API (HTTPS ingress),
Eventing (“Kafka”),
File (/Object) (“S3”)
Not Allowed (in Production)
(currently still tolerated in Non-
Production clusters)
Functions as a Service Function
Not Available
TBD Shared
See “Immutable
Containers”
Not Possible
Data Services
(set of)
Namespace(s)
Available Not Available
Dedicated per
workload
TBD Not Allowed
HPC Namespace Optional Optional TBD
See “Immutable
Containers”
Not Allowed
Centralized End-User Namespace TBD TBD TBD SSH/https/… Allowed
Infrastructure
Management
Control plane Not Available Not Available Not Applicable K8s API Not Allowed
Non-12 factor apps
(“VM”s) – K8S
Namespace, VM ? TBD Not Available TBD TBD TBD
Standalone - Non-12
factor apps (“VM”s)
VM Available Not Available Dedicated No restrictions Available
26. “Immutable” =
• Any change can only be executed via an ING pipeline which has all required checks &
balances in place (and which facilitates automated evidencing for regulatory purposes)
• In short : no direct access for natural persons, no change privileges for other systems
And yes, ING’s Container Security Standard was in place before “Solarwinds” reached the
headlines in 2020…
And although most people in the IT(-Security) industry are now aware of the software
lineage issue exposed by it (that doesn’t mean its anywhere near solved…), far too few
understand it’s 2nd lesson about the dangers of overprivileged software… (what enabled
those attackers to move laterally so easily…?)
For these 2 reason ING does not trust “Zero Trust” labelled implementations as very few of
those have actually covered these concerns properly...
Security additional explanation
26
28. 28
Container Technology ING Security Reference Architecture
Image Storage and Retrieval
Container Deployment,
Management, and Operations.
Image Creation, Testing, and
Accreditation
DevOps
DevOps
DevOps
Host with
Containers
Host with
Containers
Host with
Containers
Host with
Containers
Build, Deploy,
Test, Release
Development
Registry
Any Other
Registry
Authorized
Registry
Deployment
Registry
Orchestrator
Container
Management
Framework
No Connection
No Connection
W.01 W.02 W.03
W.04 W.05
I.06 I.07 I.08 R.09 R.10 O.11
P.14 P.17 P.20 H.21
P.15 C.12
P.18 H.22
P.16 C.13
P.19 H.23
29. 29
Container Technology Security Measures Overview
Design & Code
(digitize)
Build & Test
(create)
Operate & Maintain
(detect & correct)
Deploy & Test
(assembly)
Release
(orchestrate)
Onboard and Plan
(define)
Engineering Journey
R.09
R.10
Registry
Measures
O.11
Orchestrator
Measures
I.06
I.07
I.08
Image
Measures
Measures to be implemented by
providers of CI/CD Pipeline for container
technology e.g. GEP
P.14
P.15
P.16
P.17
P.18
P.19
P.20
Platform
Measures
H.21
H.22
H.23
Host
Measures
C.12
C.13
Container
Measures
Measures to be implemented by
providers of container hosting platform
(except H.23) e.g. ICHP
W.01
W.02
W.03
W.04
W.05
Workload
Measures
Measures to be implemented by
providers of container workloads e.g.
DevOps
30. • Want to understand how to :
• Use Canary (Blue/Green) releasing using K8s cluster external loadbalancing services
• Use Canary (Blue/Green) releasing using K8s cluster internal capabilities
• Revert my traffic 100% to my stable version in case of unexpected issues
• Rollback my release to the N-1 version in case of unexpected issues with version N
• Perform Resilient Placement so a single Red or Blue outage in the underlying IaaS
layers will not affect my application availability
• Implement Liveness Probes so my pods will restart automatically in case of applicative
issues
• Implement Readiness Probes so I have the input to automatically direct my traffic in
case of applicative issues
• And would like to see examples & templates how to use above features in ING’s One
Pipeline
Workload Resilience : As an ICHP Consuming DevOps Team, I
30
31.
32.
33. The following slides come from ING Investor Update June 13th 2022 Tech& Operations
33
Strategy additional explanation