THE DISRUPTERS EMBRACING DEVOPS Empowered organization Speed Up Innovation Time Change Move Fast, Break Things Culture of experimentation A 20% vs. 25% Shorten the Feedback Loop Real-time data-driven intelligence & personalization AI / ML Data, Data, Data B
ANY COMBINATION, WHETHER TRADITIONAL OR CONTAINERIZED LEGACY APPS (1,000+) BARE METAL PRIVATE CLOUD PUBLIC CLOUD VIRTUAL PRODUCTION DEV/TEST HYBRID CLOUD ENVIRONMENTS
LAPTOP Container Application OS dependencies Guest VM LINUX BARE METAL Container Application OS dependencies LINUX VIRTUALIZATION Container Application OS dependencies Virtual Machine LINUX PRIVATE CLOUD Container Application OS dependencies Virtual Machine LINUX PUBLIC CLOUD Container Application OS dependencies Virtual Machine LINUX CONTAINERS - Build Once, Deploy Anywhere Reducing Risk and Improving Security with Improved Consistency
● No security on K8s dashboard ● IT infrastructure credentials exposed ● Enabled access to a large part of Weight Watchers' network ● K8s dashboard exposed ● AWS environment with telemetry data compromised ● Tesla’s infrastructure was used for crypto mining THE CONTAINERS NEWS YOU DON’T WANT ● 17 tainted crypto-mining containers on dockerhub ● Remained for ~1 year with 5 million pulls and ● Harvested ~90k in crypto currency.
Web Database replicas=1, role=db replicas=2, role=web HEALTH CHECK Pods Nodes Services role=web role=db role=web Controller Manager & Data Store (etcd)
4 ● Are there known vulnerabilities in the application layer? ● Are the runtime and OS layers up to date? ● How frequently will the container be updated and how will I know when it’s updated? CONTENT: EACH LAYER MATTERS CONTAINER OS RUNTIME APPLICATION CONTENT: EACH LAYER MATTERS AYER MATTERS CONTAINER OS RUNTIME APPLICATION JAR CONTAINER
Best Practices • Treat as a Blueprint • Specify a user, defaults to root • Don’t login to build/configure • Version control build file • Be explicit with versions, not latest • Each Run creates a new layer CONTAINER BUILDS FROM fedora:1.0 CMD echo “Hello” Build file Build
64% of official images in Docker Hub contain high priority security vulnerabilities examples: ShellShock (bash) Heartbleed (OpenSSL) Poodle (OpenSSL) Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan, and Yoshio Turner, BanyanOps, May 2015 (http://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf) WHAT’S INSIDE THE CONTAINER MATTERS
Version 1.2 Version 1.2 Version 1.2 RECREATE WITH DOWNTIME Use Case • Non-mission critical services Cons • Downtime Pros • Simple, clean • No Schema incompatibilities • No API versioning
Each container/pod is updated one by one Version 1.2 Version 1.2 Version 1.2 100% Use Case • Horizontally scaled • Backward compatible API/data • Microservices Cons • Require backward compatible APIs/data • Resource overhead Pros • Zero downtime • Reduced risk, gradual rollout w/health checks • Ready for rollback
Version 1 BLUE / GREEN DEPLOYMENT Rollback Route Version 1.2 BLUE GREEN Use Case • Self-contained micro services (data) Cons • Resource overhead • Data synchronization Pros • Low risk, never change production • No downtime • Production like testing • Rollback
”only about 1/3 of ideas improve the metrics they were designed to improve.” Ronny Kohavi, Microsoft (Amazon) MICROSERVICES RAPID INNNOVATION & EXPERIMENTATION
Kubernetes Logical Network Model NETWORK SECURITY • Kubernetes uses a flat SDN model • All pods get IP from same CIDR • And live on same logical network • Assumes all nodes communicate Traditional Physical Network Model • Each layer represents a Zone with increased trust - DMZ > App > DB, interzone flow generally one direction • Intrazone traffic generally unrestricted
NETWORK SECURITY MODELS Co-Existence Approaches One Cluster Multiple Zones Kubernete Cluster Physical Compute isolation based on Network Zones Kubernete Cluster One Cluster Per Zone Kubernete Cluster B Kubernete Cluster A Kubernetes Cluster B C D https://blog.openshift.com/openshift-and-network-security-zones-coexistence-approaches/
Local Storage Quota Security Context Constraints STORAGE SECURITY Sometimes we can also have storage isolation requirements: pods in a network zone must use different storage endpoints than pods in other network zones. We can create one storage class per storage endpoint and then control which storage class(es) a project can use
CRI-O v1.10 Feature(s): CRI-O v1.10 Description: CRI-O is an OCI compliant implementation of the Kubernetes Container Runtime Interface. By design it provides only the runtime capabilities needed by the kubelet. CRI-O is designed to be part of Kubernetes and evolve in lock-step with the platform. CRI-O brings: ● A minimal and secure architecture ● Excellent scale and performance ● Ability to run any OCI / Docker image ● Familiar operational tooling and commands Improvements include: ● crictl CLI for debugging and troubleshooting ● Podman for image tagging & management ● Installer integration & fresh install time decision: openshift_use_crio=True ○ Not available for existing cluster upgrades Kubelet Storage Image RunC CNI Networking
cvantuin
foursue
harukasakihara
kubukoz
tatematsu_san
oogfranz
sue445
masashi_sutou
sumiren
oekazuma
daina0321
oracle4engineer
tarao
kneath
rmw
jakevdp
maltzj
erikaheidi
tammielis
denniskardys
keithpitt
jonrohan
danielanewman
addyosmani