INNOVATION
(Chart: innovation over time vs. rate of change.)
• Move fast, break things
• Culture of experimentation (A/B testing: 20% vs. 25%)
• Shorten the feedback loop
• Real-time data-driven intelligence & personalization (AI / ML)
• Data, data, data
DEVOPS: CULTURE, PROCESS, TECHNOLOGY
Technology: Linux + Containers • IaaS • Orchestration • CI/CD • Source Control Management • Collaboration • Build and Artifact Management • Testing Frameworks • Open Source
THE CONTAINERS NEWS YOU DON'T WANT
• Weight Watchers: Kubernetes dashboard exposed, enabling access to a large part of the company's network
• Tesla: Kubernetes dashboard exposed; AWS environment with telemetry data compromised; Tesla's infrastructure was used for crypto mining
• Docker Hub: 17 tainted crypto-mining container images remained for ~1 year, with ~5 million pulls, and harvested ~90k in cryptocurrency
BUILD ONCE, DEPLOY ANYWHERE
(Layer diagram: a container is the application plus its OS dependencies, and the same container runs on Linux under physical virtualization, on a virtual machine in a private cloud, on a virtual machine in a public cloud, or as containerized microservices.)
THE AVERAGE ENTERPRISE DOES DEPLOYMENTS EVERY 6 TO 9 MONTHS.
Walled-off people, walled-off processes, walled-off technologies, with surprisingly little to no automation: DEV | QA | OPS
RESILIENCY
(Diagram: Controller Manager & Data Store (etcd) hold the desired state, e.g. role: web replicas: 2 and role: app replicas: 1; Ingress / Routes sit in front; a Health Check reports pod health.)
TREAT CONTAINERS AS IMMUTABLE
To keep containerized apps portable, the image carries the application, its language runtimes and OS dependencies; state and configuration live outside the image (services, Kubernetes persistent volumes).
APPLICATION CONFIGURATION
• Configuration reaches the container instance as an environment variable or as a volume/file (e.g. an XML application configuration file).
• Kubernetes ConfigMap: key:value pairs created from directories, files, or literal values; stored in etcd and delivered to the pod; the source of truth stays in the source code repository.
• An EnvVar value is fixed at container start, so a change requires a pod restart; files mounted from a ConfigMap refresh in time without a restart.
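The two delivery paths side by side, as an added example that is not part of the original slides. The ConfigMap name, keys, image and mount path are hypothetical.

```yaml
# Added example (not from the original slides). One ConfigMap consumed in
# both ways described above; names, keys and the image are hypothetical.
apiVersion: v1
kind: ConfigMap
metadata:
  name: demo-config
data:
  LOG_LEVEL: "info"
  app.properties: |
    feature.flag=true
    db.pool.size=10
---
apiVersion: v1
kind: Pod
metadata:
  name: demo
spec:
  containers:
  - name: app
    image: registry.example.com/demo:1.2.0   # hypothetical, pinned tag
    env:
    # Read once when the container starts: a later ConfigMap change is
    # NOT seen until the pod is restarted.
    - name: LOG_LEVEL
      valueFrom:
        configMapKeyRef:
          name: demo-config
          key: LOG_LEVEL
    volumeMounts:
    # Projected as files: the kubelet rewrites them after the ConfigMap
    # changes (eventually, not instantly), so the app must re-read them.
    - name: config
      mountPath: /etc/demo
      readOnly: true
  volumes:
  - name: config
    configMap:
      name: demo-config
      items:
      - key: app.properties
        path: app.properties
```

Two caveats a practitioner should keep in mind: a ConfigMap mounted with `subPath` does not receive updates, so the "refreshes in time" behaviour only holds for whole-directory mounts; and a ConfigMap is stored unencrypted in etcd and is readable by anyone who can read the namespace, so credentials belong in a Secret (and ideally an external secret store), not in a ConfigMap.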
BUILD FILE BEST PRACTICES (the build file as a blueprint)
• Version control the build file
• Be explicit with versions, not latest
• Always name the registry in FROM
• Each RUN creates a new layer
• Specify USER; the default is root
• Sign and validate images

Build file:
    FROM registry.redhat.com/rhel7
    RUN groupadd -g 999 appuser && \
        useradd -r -u 999 -g appuser appuser
    USER appuser
    CMD echo "Hello"
COMPLIANCE AND VULNERABILITY SCANNING
• Content: Security Guide for RHEL, e.g. CCE-27002-5 "Set Password Minimum Length"
• Scan physical servers, virtual machines, docker images and containers for security policy compliance (CCEs) and known security vulnerabilities (CVEs)
CANARY DEPLOYMENTS
• Build confidence in the new version: run Tests / CI against version B while version A keeps serving most of the traffic behind the Ingress.
• Requires the app to support running side-by-side versions.
• Deploy the new version and wait until it's ready: health check via a readiness probe, e.g. tcp, http, script.
• Roll out with RollingUpdate, maxUnavailable=0, maxSurge=1, so Version 1 pods are replaced by Version 1.2 one at a time and capacity never drops.
• The Service selector app=demo matches pods labelled app=demo version=A and app=demo version=B; narrowing the selector to version=A pins all traffic to A.
• Compare metrics: A shows a 25% conversion rate; B starts at an unknown (??%) conversion rate and, once it shows 30%, there is evidence to promote it.
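The canary layout described above in manifest form, as an added example that is not part of the original slides. It combines the readiness probe, the zero-downtime rolling update settings and the label-based traffic split; the image names, the /healthz path and the 3:1 replica ratio are assumptions.

```yaml
# Added example (not from the original slides). Version A (3 replicas)
# and canary version B (1 replica) behind one Service. Images and the
# health endpoint are hypothetical.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-a
spec:
  replicas: 3
  selector:
    matchLabels:
      app: demo
      version: A
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0   # never run below the desired replica count
      maxSurge: 1         # bring up one new pod at a time
  template:
    metadata:
      labels:
        app: demo
        version: A
    spec:
      containers:
      - name: demo
        image: registry.example.com/demo:1.0   # hypothetical, pinned tag
        ports:
        - containerPort: 8080
        readinessProbe:             # no traffic until this passes
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-b
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo
      version: B
  template:
    metadata:
      labels:
        app: demo
        version: B
    spec:
      containers:
      - name: demo
        image: registry.example.com/demo:1.2   # hypothetical, pinned tag
        ports:
        - containerPort: 8080
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 10
---
apiVersion: v1
kind: Service
metadata:
  name: demo
spec:
  selector:
    app: demo        # matches A and B: ~1 in 4 ready endpoints is B
    # version: A     # uncomment to pin all traffic to version A
  ports:
  - port: 80
    targetPort: 8080
```

The split is by endpoint count, not by an explicit weight: kube-proxy spreads connections roughly evenly over the ready endpoints, so one B pod among three A pods gets about 25% of requests. A pod that fails its readiness probe is removed from the endpoints, which is what makes the canary safe to deploy before it is fully up. Precise percentage-based weights need an ingress controller or service mesh that supports them.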
EXTERNAL SERVICES
• Connecting to a service with a dynamic URI, e.g. a cloud Mongo database service, from a WebApp (role=webapp, replicas=2).
• Using CNAME redirection with a static ExternalName Kubernetes service: the app always connects to mongodb://<dbuser>:<dbpassword>@mongo:<port>/dev, and the ExternalName service resolves mongo to the provider's hostname, i.e. mongodb://<dbuser>:<dbpassword>@mongo52101.domain.name:52101/dev.
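The ExternalName service for the Mongo case above, as an added example that is not part of the original slides; the namespace name is an assumption and the hostname is the one shown on the slide.

```yaml
# Added example (not from the original slides). Cluster DNS answers
# "mongo.dev.svc.cluster.local" with a CNAME to the external hostname.
apiVersion: v1
kind: Service
metadata:
  name: mongo          # what the application connects to
  namespace: dev       # hypothetical namespace
spec:
  type: ExternalName
  externalName: mongo52101.domain.name
  ports:
  - port: 52101        # documentation only: a CNAME does not remap ports
```

Two caveats: an ExternalName service is pure DNS, so the client must still use the provider's port, and protocols that check the hostname (TLS certificate validation, HTTP Host) see `mongo` rather than `mongo52101.domain.name` and may reject the connection unless the client is told the real name. Keep `<dbuser>:<dbpassword>` out of the manifest and the image; inject them from a Secret.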
WHERE TO RUN KUBERNETES: DRIVERS AND SCENARIOS
(Matrix slide.) Drivers: Security, Scale, Availability, Latency, Portability, Performance, Efficiency. Scenarios: Data sensitive, e.g. Finance • Large cluster, multi/hybrid cloud • Internet, SaaS • Many apps, large scale • Multi-AZ, multi/hybrid cloud • Production, mission critical • Location, short lived • Local, small cluster • IoT, Retail • 1 app anywhere, e.g. ISVs • Consistent OS & Kubernetes version • Bare metal • HPC, AI/ML • Large cluster, bare metal, recreate
NETWORK MODELS
Kubernetes uses a flat SDN model:
• All pods get an IP from the same CIDR
• And live on the same logical network
• Assumes all nodes communicate
Traditional physical network model:
• Each layer represents a zone with increasing trust: DMZ > App > DB; interzone flow is generally one direction
• Intrazone traffic is generally unrestricted
ONE CLUSTER PER ZONE
Physical compute isolation based on network zones: one Kubernetes cluster per zone (Cluster A, Cluster B, C, D).
https://blog.openshift.com/openshift-and-network-security-zones-coexistence-approaches/
NETWORK POLICY
"... traffic from any other pods in the same namespace."

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: default-deny
    spec:
      podSelector: {}
      policyTypes:
      - Ingress
      - Egress

Tip: by default pods are non-isolated and accept ingress from, and send egress to, any source, including pods in other namespaces and the outside world. Create a deny-all ingress/egress policy in each namespace, then add explicit allow policies for the flows the application needs. Listing Egress here also blocks DNS lookups until egress to the cluster DNS service is allowed, and NetworkPolicy is only enforced when the cluster's network plugin supports it.
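The allow policies that make the default-deny above usable, as an added example that is not part of the original slides. It reproduces the DMZ > App > DB one-direction flow from the network-zone slide inside one namespace: only app pods may reach db pods, app pods may only talk to db, and every pod may still resolve DNS. The namespace name and the role labels are assumptions; the kube-dns labels follow the common kube-system layout and the automatic `kubernetes.io/metadata.name` namespace label (Kubernetes 1.21+), which you should verify on your cluster.

```yaml
# Added example (not from the original slides). Applied alongside the
# default-deny policy in namespace "dev"; labels are hypothetical.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-to-db
  namespace: dev
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:          # same namespace only: no namespaceSelector
        matchLabels:
          role: app
    ports:
    - protocol: TCP
      port: 27017
---
# Egress is denied too, so the app side needs its own allow rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-egress-to-db
  namespace: dev
spec:
  podSelector:
    matchLabels:
      role: app
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          role: db
    ports:
    - protocol: TCP
      port: 27017
---
# Re-allow DNS for every pod in the namespace; default-deny blocked it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: dev
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:    # both selectors in one entry: AND
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Policies are additive: a connection is allowed if any policy selecting the pod allows it, so the order of application does not matter. Check the result from inside a pod with a connection attempt in both directions (app to db should succeed, db to app should time out) rather than trusting the manifests alone.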
CONTAINER HOST SECURITY: CONTAINERS ARE LINUX
(Layer diagram: Hardware (Intel, AMD) or Virtual Machine → Kernel → Containers; a systemd Unit File, a Docker Image and the Container CLI on top; confinement via Cgroups, Namespaces, SELinux, Drivers, seccomp, Read Only mounts and Capabilities. Platform services around the container runtime: management, monitoring, logs, security, registry, storage.)

Best Practices
• Don't run as root
• If you must, limit Linux capabilities
• Limit SSH access
• Use namespaces
• Define resource quotas
• Enable logging
• Apply security errata
• Apply Security Context and seccomp filters
• Run production unprivileged containers as read-only
http://blog.kubernetes.io/2016/08/security-best-practices-kubernetes-deployment.html

Chris Van Tuin, Chief Technologist, NA West / Silicon Valley, cvantuin@redhat.co
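Most of the best-practice list above maps onto a pod's securityContext plus a namespace ResourceQuota. The manifest below is an added example, not from the original slides; the image, namespace, UID and quota numbers are assumptions, and `seccompProfile` requires Kubernetes 1.19 or later.

```yaml
# Added example (not from the original slides). Non-root, no privilege
# escalation, all capabilities dropped, default seccomp filter, read-only
# root filesystem with a writable scratch volume. Values are hypothetical.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: prod
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsNonRoot: true          # kubelet refuses an image whose USER is root
        runAsUser: 10001
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault      # runtime's default syscall filter
      containers:
      - name: web
        image: registry.example.com/web:2.4.1   # hypothetical, pinned tag
        ports:
        - containerPort: 8080       # unprivileged port: no NET_BIND_SERVICE needed
        securityContext:
          allowPrivilegeEscalation: false   # blocks setuid binaries gaining root
          privileged: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        resources:                  # required once a ResourceQuota is set
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 256Mi
        volumeMounts:
        - name: tmp                 # the only writable path
          mountPath: /tmp
      volumes:
      - name: tmp
        emptyDir: {}
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-quota
  namespace: prod
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "20"
```

Two things to check after applying it: `readOnlyRootFilesystem` breaks any application that writes outside the mounted scratch volume (logs, caches, PID files), so run the app once and watch for EROFS errors; and once the ResourceQuota exists, pods without requests and limits are rejected at admission unless a LimitRange supplies defaults. These settings constrain the workload; the build-file rules (USER, pinned versions) still apply so the image is safe even without them.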
SERVICE MESH WITH ISTIO
Dedicated infrastructure layer for making service-to-service communication safe, fast, and reliable. Deployed as a lightweight side-car network proxy (Envoy) next to each service.
(Diagram: Pods for JVM service A, JVM service B and JVM service C, each with an app-logic container and an Envoy sidecar container; service traffic flows sidecar to sidecar.)
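The "safe" part of the mesh is mutual TLS between sidecars plus identity-based authorization, which the Envoy sidecars enforce without changes to the JVM services. The manifests below are an added example, not from the original slides; they use Istio's `security.istio.io/v1beta1` API, and the `demo` namespace, workload labels and service-account names are assumptions. `istio-system` is Istio's default root namespace, so the PeerAuthentication there applies mesh-wide.

```yaml
# Added example (not from the original slides). Mesh-wide strict mTLS:
# sidecars reject plaintext, so service B can only be reached through
# an authenticated sidecar identity.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system     # root namespace => applies to the whole mesh
spec:
  mtls:
    mode: STRICT
---
# Only service A's identity (its Kubernetes service account, as a SPIFFE
# principal) may call service B, and only GET on /api/*. Any other caller,
# including service C, gets HTTP 403 from B's sidecar. Names hypothetical.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-b-allow-a
  namespace: demo
spec:
  selector:
    matchLabels:
      app: service-b
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/demo/sa/service-a"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/api/*"]
```

Switching to STRICT breaks any client that is not yet in the mesh (no sidecar), so roll out with `mode: PERMISSIVE` first, confirm in the sidecar metrics that all traffic is already mTLS, then flip to STRICT. Once an AuthorizationPolicy with `action: ALLOW` selects a workload, everything not matched by a rule is denied, which is the same default-deny-then-allow pattern as the NetworkPolicy above, applied at the service identity layer instead of the IP layer.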