Building a Bank with Kubernetes – Kubecon 2016

Transcript

1. Building a Bank with Kubernetes

2. Oliver Beattie @obeattie Head of Engineering, Monzo

3. None
4. None
5. None
6. None
7. None
8. None
9. None
10. None

11. Pre-application 9 months Application 6 months Mobilisation 4–8 months

12. Extensible Efficient Resilient Secure

13. Extensible Efficient Resilient Secure

14. Application Database

15. Application Database Cache

16. Application Database Cache Load balancer Cache Cache Application Application

17. Database Cache Load balancer Database Database Cache Cache Application Application

    Application

18. Database Cache Load balancer Database Database Cache Cache Application Application

    Application

19. Application Database Cache Load balancer Application Application Database Database Cache

    Cache
20. None
21. None
22. None

23. Extensible Efficient Resilient Secure

24. None

25. app

26. app

27. core app

28. None
29. None

30. Extensible Efficient Resilient Secure

31. None
32. None

33. Load balancing Tracing Circuit breakers Retries Canarying Load shedding Error

    tracking Metrics Service discovery Logging Timeouts Expirations Security policies Back-offs Retry budgets Dynamic routing

34. Minimise latency ⏱ Maximise success

35. linkerd Finagle

36. HOST A service. CONTAINER 10.224.15.2 service.cruft CONTAINER 10.224.15.1 LINKERD 10.102.32.198

    10.224.15.3 HOST B service. CONTAINER 10.224.16.2 service.cruft CONTAINER 10.224.16.1 LINKERD 10.102.34.192 10.224.16.3 HOST C service. CONTAINER 10.224.17.2 service.cruft CONTAINER 10.224.17.1 LINKERD 10.102.36.187 10.224.17.3

37. HOST A service. CONTAINER 10.224.15.2 service.cruft CONTAINER 10.224.15.1 LINKERD 10.102.32.198

    10.224.15.3 GET / HTTP/1.1 Host: service. HOST B service. CONTAINER 10.224.16.2 service.cruft CONTAINER 10.224.16.1 LINKERD 10.102.34.192 10.224.16.3 HOST C service. CONTAINER 10.224.17.2 service.cruft CONTAINER 10.224.17.1 LINKERD 10.102.36.187 10.224.17.3

38. HOST A service. CONTAINER 10.224.15.2 service.cruft CONTAINER 10.224.15.1 LINKERD 10.102.32.198

    10.224.15.3 GET / HTTP/1.1 Host: service. HOST B service. CONTAINER 10.224.16.2 service.cruft CONTAINER 10.224.16.1 LINKERD 10.102.34.192 10.224.16.3 HOST C service. CONTAINER 10.224.17.2 service.cruft CONTAINER 10.224.17.1 LINKERD 10.102.36.187 10.224.17.3

39. HOST A service. CONTAINER 10.224.15.2 service.cruft CONTAINER 10.224.15.1 LINKERD 10.102.32.198

    10.224.15.3 Host: service. → 10.224.17.3 GET / HTTP/1.1 Host: service. HOST B service. CONTAINER 10.224.16.2 service.cruft CONTAINER 10.224.16.1 LINKERD 10.102.34.192 10.224.16.3 HOST C service. CONTAINER 10.224.17.2 service.cruft CONTAINER 10.224.17.1 LINKERD 10.102.36.187 10.224.17.3 Host: service. → 10.224.17.2

40. HOST A service. CONTAINER 10.224.15.2 service.cruft CONTAINER 10.224.15.1 10.224.15.3 Host:

    service. GET / HTTP/1.1 Host: service. HOST B service. CONTAINER 10.224.16.2 service.cruft CONTAINER 10.224.16.1 10.224.16.3 HOST n edge CONTAINER 10.224.18.2 service.cruft CONTAINER 10.224.18.1 LINKERD 10.102.36.110 10.224.18.3 HOST n edge CONTAINER 10.224.16.2 service.cruft CONTAINER 10.224.16.1 LINKERD 10.102.32.192 10.224.16.3 GET / HTTP/1.1 → service. ELB

41. AWS eu-west-1

42. AWS eu-west-1

43. None

44. Co-location uk-1 Co-location uk-2 AWS eu-west-1

45. Co-location uk-1 Co-location uk-2 AWS eu-west-1 ⚡

46. Co-location uk-1 Co-location uk-2 AWS eu-west-1 ⚡

47. Co-location uk-1 Co-location uk-2 AWS eu-west-1 BGP BGP BGP BGP

48. Co-location uk-1 Co-location uk-2 AWS eu-west-1 BGP BGP BGP BGP

    ⚡ ⚡

49. Co-location uk-1 Co-location uk-2 AWS eu-west-1 BGP BGP ⚡ ⚡

50. “Connectivity” Pod BGP IPSec BGP BGP StrongSwan (IPSec) GNU Zebra


    (BGP) Hardware VPN device Services Services Services AWS Co-location Third parties

51. Extensible Efficient Resilient Secure

52. Device isolation Process isolation Data encryption Filesystem isolation Privilege isolation

    Network isolation Resource isolation Principle of least privilege Log monitoring Secret management

53. Device isolation Process isolation Data encryption Filesystem isolation Privilege isolation

    Network isolation Resource isolation Principle of least privilege Log monitoring Secret management

54. k8s-master Availability Zone A Availability Zone B Availability Zone C

    admin user data k8s-worker dmz

55. k8s-master Availability Zone A Availability Zone B Availability Zone C

    k8s-worker dmz

56. Calico + network policy

57. zone: super-secure

58. apiVersion: extensions/v1beta1 kind: NetworkPolicy metadata: name: super-secure-zone spec: podSelector: matchLabels:

    zone: super-secure ingress: - from: - podSelector: matchLabels: zone: super-secure ports: - protocol: tcp

59. Extensible Efficient Resilient Secure

60. monzo.com/careers

61. Q&A .

62. @obeattie