
Building a Bank with Kubernetes – Kubecon 2016

Oliver Beattie

November 09, 2016

Transcript

  1. Building a Bank with Kubernetes

  2. Oliver Beattie @obeattie Head of Engineering, Monzo

  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. Pre-application 9 months Application 6 months Mobilisation 4–8 months

  12. Extensible Efficient Resilient Secure

  13. Extensible Efficient Resilient Secure

  14. Application Database

  15. Application Database Cache

  16. Application Database Cache Load balancer Cache Cache Application Application

  17. [Diagram: load balancer in front of several application instances, backed by replicated databases and caches]

  18. [Diagram: same components as slide 17]

  19. [Diagram: same components (load balancer, applications, databases, caches) in a different layout]
  20. None
  21. None
  22. None
  23. Extensible Efficient Resilient Secure

  24. None
  25. app

  26. app

  27. core app

  28. None
  29. None
  30. Extensible Efficient Resilient Secure

  31. None
  32. None
  33. Load balancing, tracing, circuit breakers, retries, canarying, load shedding, error tracking, metrics, service discovery, logging, timeouts, expirations, security policies, back-offs, retry budgets, dynamic routing
  34. Minimise latency ⏱ Maximise success

  35. linkerd Finagle

  36. [Diagram: hosts A, B and C, each running a "service." container (10.224.x.2), a "service.cruft" container (10.224.x.1) and a linkerd instance (10.224.x.3)]

  37. [Same diagram: a container on host A sends "GET / HTTP/1.1" with "Host: service." to its local linkerd]

  38. [Same diagram as slide 37]

  39. [Same diagram: linkerd on host A routes "Host: service." to the linkerd on host C (10.224.17.3), which forwards it to the local "service." container (10.224.17.2)]

  40. [Diagram: an ELB forwards "GET / HTTP/1.1" to edge containers on hosts n, whose linkerd routes "Host: service." on to the "service." containers]
  41. AWS eu-west-1

  42. AWS eu-west-1

  43. None
  44. Co-location uk-1 Co-location uk-2 AWS eu-west-1

  45. Co-location uk-1 Co-location uk-2 AWS eu-west-1 ⚡

  46. Co-location uk-1 Co-location uk-2 AWS eu-west-1 ⚡

  47. Co-location uk-1 Co-location uk-2 AWS eu-west-1 BGP BGP BGP BGP

  48. Co-location uk-1 Co-location uk-2 AWS eu-west-1 BGP BGP BGP BGP ⚡ ⚡

  49. Co-location uk-1 Co-location uk-2 AWS eu-west-1 BGP BGP ⚡ ⚡

  50. [Diagram: a "Connectivity" pod running StrongSwan (IPSec) and GNU Zebra (BGP), peering over BGP/IPSec with a hardware VPN device; services across AWS, co-location and third parties]
  51. Extensible Efficient Resilient Secure

  52. Device isolation, process isolation, data encryption, filesystem isolation, privilege isolation, network isolation, resource isolation, principle of least privilege, log monitoring, secret management

  53. [Same list as slide 52]
  54. [Diagram: k8s-master and k8s-worker nodes across Availability Zones A, B and C, with admin, user data and dmz areas]

  55. [Diagram: k8s-master, k8s-worker and dmz across Availability Zones A, B and C]
  56. Calico + network policy

  57. zone: super-secure

  58. apiVersion: extensions/v1beta1
      kind: NetworkPolicy
      metadata:
        name: super-secure-zone
      spec:
        podSelector:
          matchLabels:
            zone: super-secure
        ingress:
        - from:
          - podSelector:
              matchLabels:
                zone: super-secure
          ports:
          - protocol: TCP   # API validation requires upper-case TCP/UDP; no port number, so any TCP port
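The policy above selects pods labelled zone: super-secure and admits TCP ingress only from pods carrying the same label. The following Python, added here and not part of the deck, models that decision so it can be checked against constructed sample pods; it assumes the namespace has DefaultDeny ingress isolation switched on (the extensions/v1beta1 namespace annotation that Calico honoured), so traffic to a selected pod that no rule matches is dropped.

```python
"""Model the ingress decision made by the super-secure-zone NetworkPolicy.

Added example (not from the deck). Assumes the namespace has ingress
isolation set to DefaultDeny, so a pod selected by a policy accepts only
traffic some rule explicitly allows; pods selected by no policy accept all.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    labels: dict
    ip: str  # illustrative only; the decision is made on labels


# The slide's policy as plain data: podSelector, then ingress rules with
# "from" peers and "ports". A port entry without a number means any port.
SUPER_SECURE_ZONE = {
    "podSelector": {"zone": "super-secure"},
    "ingress": [
        {"from": [{"podSelector": {"zone": "super-secure"}}],
         "ports": [{"protocol": "TCP"}]},
    ],
}


def selects(match_labels: dict, pod: Pod) -> bool:
    """matchLabels semantics: every listed key/value must be on the pod."""
    return all(pod.labels.get(k) == v for k, v in match_labels.items())


def ingress_allowed(policies, src: Pod, dst: Pod, protocol: str, port: int) -> bool:
    """True if src -> dst on protocol/port is permitted by the policy set."""
    applicable = [p for p in policies if selects(p["podSelector"], dst)]
    if not applicable:            # dst is not isolated by any policy
        return True
    for policy in applicable:
        for rule in policy.get("ingress", []):
            peers = rule.get("from", [])   # podSelector peers only in this model
            ports = rule.get("ports", [])
            peer_ok = not peers or any(selects(x["podSelector"], src) for x in peers)
            port_ok = not ports or any(
                x["protocol"] == protocol and x.get("port", port) == port for x in ports)
            if peer_ok and port_ok:   # any matching rule in any policy allows
                return True
    return False


# Constructed sample pods; names, labels and addresses are illustrative.
LEDGER = Pod("ledger", {"zone": "super-secure", "app": "ledger"}, "10.224.15.2")
VAULT = Pod("vault", {"zone": "super-secure", "app": "vault"}, "10.224.16.2")
EDGE = Pod("edge", {"zone": "dmz", "app": "edge"}, "10.224.18.2")
```

Pods in the zone can reach each other over TCP, the dmz pod cannot reach them at all, and the dmz pod (selected by no policy) still accepts traffic from anywhere.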
  59. Extensible Efficient Resilient Secure

  60. monzo.com/careers

  61. Q&A

  62. @obeattie