Kubernetes, The Day After

Apr 13, 2017

Transcript
Page 1: Kubernetes, The Day After

Neeraj Gupta (@negupta) SVP Product and Engineering

Kubecon 2015

Kubernetes, The Day After

Page 2: Kubernetes, The Day After

Not an In-Depth Technical Kubernetes Talk

• Operating a system like Kubernetes in production

• Cloud native infrastructure

• Based on lessons learned

Page 3: Kubernetes, The Day After

Start at the End

• Production environments are all about trust
  • What does a workload contain?
  • Where does a workload run?
  • Are the right resources in play for the right workload?
  • Can information flow only in a secure manner?
  • Bigger the deploy, harder it is to maintain the trust

• Super hard with multi-clouds

Page 4: Kubernetes, The Day After

The Best Tool to Get to Trust: Policy

• Get out of the way of the Dev

• Let Ops do real operations work

• Reduce friction around deployments

• Create systems that are built for change

Page 5: Kubernetes, The Day After

IT Policy for utilizing infrastructure

IT Policy for configuring environments

IT Policy for regulatory compliance

IT Policy for securing access control

IT Policy for implementing new technologies

IT Policy for reliable deployments

Distributed Policy Evaluation & Enforcement is critical to get Trust.

Governance & Control are Priorities

Page 6: Kubernetes, The Day After

What Does Kubernetes Offer Now? (stable)

• Compute resource limits
  • CPU
  • Memory

• Object count limits
  • Pods
  • Services
  • Secrets
  • RCs
  • PV claims

• Per namespace (good!)
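As an added example (not from the talk or from Apcera), the limits listed on this slide expressed as a ResourceQuota in the current Kubernetes API, scoped to one namespace. The namespace name, labels and numbers are constructed. The LimitRange that follows is the caveat a practitioner hits first: once a namespace carries a quota on CPU or memory, every pod in it must state requests and limits or admission rejects it, so defaults are supplied alongside the quota.

```yaml
# Added example, not code from the talk: a per-namespace quota covering
# compute resources and object counts. Namespace and values are constructed.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a            # a quota applies to exactly one namespace
spec:
  hard:
    # Compute resource limits: summed over all pods in the namespace
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
    # Object count limits: the objects named on the slide
    pods: "50"
    services: "10"
    secrets: "20"
    replicationcontrollers: "20"
    persistentvolumeclaims: "10"
---
# Companion LimitRange: gives pods that omit requests/limits sensible
# defaults so the quota above does not reject them at admission time.
apiVersion: v1
kind: LimitRange
metadata:
  name: team-a-defaults
  namespace: team-a
spec:
  limits:
    - type: Container
      defaultRequest:
        cpu: 100m
        memory: 128Mi
      default:
        cpu: 500m
        memory: 512Mi
      max:                     # hard ceiling for any single container
        cpu: "4"
        memory: 8Gi
```

Apply both with `kubectl apply -f` and check consumption against the ceiling with `kubectl describe quota -n team-a`; the `Used` column is what an operator reviews when a deployment in that namespace unexpectedly stops scheduling.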

Page 7: Kubernetes, The Day After
Page 8: Kubernetes, The Day After

Kubernetes is in Good Company

• EC2 instance parameters, network firewall control, network topologies

• Role based access control
  • “If team members have edit permission, then they can modify instances and also access the instances using ssh. If team members are authorized as owners, they are also able to create Google Compute Engine resources in the project.”

• Checkboxes, oh so many checkboxes

Page 9: Kubernetes, The Day After

What Would Be Better?

• Pervasive

• Explicit

• Automatically Enforced

Page 10: Kubernetes, The Day After

Pervasive Means:

• Resource limits
  • CPU
  • Memory
  • Per instance/total
  • Object counts
  • Disk space (!)
  • Network usage (!)

Page 11: Kubernetes, The Day After

Pervasive Means:

• Workload-to-workload connections
  • Per port, not per container
  • Per protocol, not per container
  • Automatic bi-directional trust is less secure
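As an added example (not from the talk; the NetworkPolicy API was added to Kubernetes after this 2015 talk), a workload-to-workload rule of the kind this slide and the later "permissible operations between frontend and backend" slide ask for: the backend accepts connections only from the frontend, only on one port and one protocol, and trust is not automatically bi-directional, because nothing here lets the backend initiate connections to the frontend. Namespace, labels and ports are constructed.

```yaml
# Added example, not code from the talk: per-port, per-protocol policy
# between two workloads in one namespace. Names and ports are constructed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-from-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: backend             # the pods this policy protects
  policyTypes:
    - Ingress
    - Egress                   # listing Egress makes the default "deny all egress"
  ingress:
    # Only frontend pods may reach the backend, and only on TCP/8080.
    # Return packets of these connections are allowed by connection tracking;
    # the backend still cannot open a new connection towards the frontend.
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # The backend may initiate connections only to the database, TCP/5432 ...
    - to:
        - podSelector:
            matchLabels:
              app: database
      ports:
        - protocol: TCP
          port: 5432
    # ... plus cluster DNS, which an egress-restricted pod otherwise loses.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Two checks worth doing after `kubectl apply -f`: confirm with `kubectl describe networkpolicy backend-allow-from-frontend -n shop` that the selectors match the intended pods, and confirm that the cluster's network plugin actually enforces NetworkPolicy; a plugin without that support accepts the object and silently enforces nothing, which is exactly the "automatic bi-directional trust" the slide warns about.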

Page 12: Kubernetes, The Day After

Pervasive Means:

• Ingress / Egress
  • External connectivity and routing
  • Multi-cloud

Page 13: Kubernetes, The Day After

Pervasive Means:

• Software components version control

• Deployment pipeline

Page 14: Kubernetes, The Day After

Pervasive Means:

• Log access

• Policy editing

• Permissible operations between frontend and backend

Page 15: Kubernetes, The Day After

Policy Structure

• Language

• Namespaces are important

• With namespaces, you can target:
  • Per person, per project, per environment (dev/test/prod), per org unit (team, division, etc.)

• Hierarchical namespaces are even cooler

Page 16: Kubernetes, The Day After

Policy Structure: Tips

• Make sandboxes

• Think hard about your structures

• Apply policy as close to the leaves in your namespace as possible

• Consider generating policy through automation

Page 17: Kubernetes, The Day After

Apcera Platform

• A single, policy-driven, system that sits above all clouds, private and public

• Reduces complexity, while enabling enterprise-wide governance and maximum agility

Apcera enables cloud adoption with an enterprise-grade policy system

Page 18: Kubernetes, The Day After

Let’s Bring Kubernetes and Apcera Together

• Kubernetes provides good abstraction and great API

• Apcera provides enterprise-grade policy with support for hybrid-cloud and multi-workload

• Support for Kubernetes API and abstraction with Apcera platform brings the best of both worlds

Page 19: Kubernetes, The Day After

Cloud Native Compute Node – Kurma.io

• Minimalist OS designed to host containers, with a built-in container engine and container management service.

• Built on the notion that everything is a container. Allows containers to be managed and orchestrated by other processes.


Page 20: Kubernetes, The Day After

Cloud Native Messaging (NATS.io)

• Lightweight and high-performance (~8M messages / sec) publish-subscribe and distributed queuing messaging system

• Created by Derek Collison – Architected Tibco Rendezvous, EMS and Cloud Foundry

• Widely used (Cloud Foundry, Baidu, HTC, etc.). Docker image downloads available.

[Chart: Sender Throughput (msg/sec) vs. Receiver Throughput (msg/sec)]

Page 21: Kubernetes, The Day After

We are Hiring! Get in Touch!

www.apcera.com

[email protected]