Building a Bank with Kubernetes – Kubernetes London Meetup, Autumn 2016

Building a Bank with Kubernetes

View Slide

Oliver Beattie
@obeattie
Head of Engineering, Monzo

View Slide

View Slide

Application
Database

View Slide

Application
Database Cache

View Slide

Application
Database Cache
Load balancer
Application
Application

View Slide

Application
Database Cache
Load balancer
Cache
Cache
Application
Application

View Slide

Application
Database Cache
Load balancer
Database
Database
Cache
Cache
Application
Application

View Slide

Application
Database Cache
Load balancer
Application
Application
Database
Database
Cache
Cache

View Slide

View Slide

Efficient
Resilient
Extensible
Secure

View Slide

View Slide

Efficient
Resilient
Extensible
Secure

View Slide

View Slide

k8 -worker hosts
POD #2
CONTAINER
POD #1
CONTAINER
POD #3
CONTAINER
POD #4
CONTAINER
1000MB memory; 100% utilised
250MB 250MB
250MB
250MB

View Slide

Efficient
Resilient
Extensible
Secure

View Slide

View Slide

Load balancing
Tracing
Circuit breakers
Retries
Canarying
Service discovery
Logging
Timeouts
Expirations
Security policies

View Slide

linkerd

View Slide

HOST A
service.
CONTAINER
10.224.15.2
LINKERD
10.102.32.198
10.224.15.3
GET / HTTP/1.1
Host: service.
HOST A
service.cruft
CONTAINER
10.224.16.2
service.cruft
CONTAINER
10.224.16.1
LINKERD
10.102.34.192
10.224.16.3
HOST C
service.
CONTAINER
10.224.17.2
LINKERD
10.102.36.187
10.224.17.3
service.cruft
CONTAINER
10.224.17.1
service.cruft
CONTAINER
10.224.15.1

View Slide

HOST A
service.
CONTAINER
10.224.15.2
service.cruft
CONTAINER
10.224.15.1
LINKERD
10.102.32.198
10.224.15.3
Host: service.
→ 10.224.17.3
GET / HTTP/1.1
Host: service.
HOST A
service.cruft
CONTAINER
10.224.16.2
service.cruft
CONTAINER
10.224.16.1
LINKERD
10.102.34.192
10.224.16.3
HOST C
service.
CONTAINER
10.224.17.2
service.cruft
CONTAINER
10.224.17.1
LINKERD
10.102.36.187
10.224.17.3

View Slide

HOST A
service.
CONTAINER
10.224.15.2
service.cruft
CONTAINER
10.224.15.1
LINKERD
10.102.32.198
10.224.15.3
Host: service.
→ 10.224.17.3
GET / HTTP/1.1
Host: service.
HOST A
service.cruft
CONTAINER
10.224.16.2
service.cruft
CONTAINER
10.224.16.1
LINKERD
10.102.34.192
10.224.16.3
HOST C
service.
CONTAINER
10.224.17.2
service.cruft
CONTAINER
10.224.17.1
LINKERD
10.102.36.187
10.224.17.3
Host: service.
→ 10.224.17.2

View Slide

View Slide

AWS region
eu-west-1

View Slide

View Slide

Co-location
uk-1
Co-location
uk-2
AWS region
eu-west-1

View Slide

Co-location
uk-1
Co-location
uk-2
AWS region
eu-west-1
⚡

View Slide

Co-location
uk-1
Co-location
uk-2
AWS region
eu-west-1
BGP
BGP
BGP
BGP

View Slide

Co-location
uk-1
Co-location
uk-2
AWS region
eu-west-1
BGP
BGP
BGP
BGP
⚡ ⚡

View Slide

Co-location
uk-1
Co-location
uk-2
AWS region
eu-west-1
BGP
BGP
⚡ ⚡

View Slide

Connectivity Pod
BGP
IPSec
BGP BGP
Openswan
(IPSec VPN)
GNU Zebra 
(BGP)
Hardware VPN
device
Services
Services
Services
AWS Co-location Third parties

View Slide

Efficient
Resilient
Extensible
Secure

View Slide

Device isolation
Process isolation
Data encryption
Filesystem isolation
Privilege isolation
Network isolation
Resource isolation
Principle of least privilege
Log monitoring
Secret management

View Slide

k8s-master
Availability Zone A Availability Zone B Availability Zone C

admin
user
data
k8s-worker
dmz

View Slide

k8s-master
Availability Zone A Availability Zone B Availability Zone C

k8s-worker
dmz

View Slide

zone: super-secure

View Slide

apiVersion: v1
kind: Namespace
metadata:
name: bees

View Slide

apiVersion: v1
kind: Namespace
metadata:
name: bees
annotations:
net.beta.kubernetes.io/network-policy: |
{
"ingress": {
"isolation": "DefaultDeny"
}
}

View Slide

apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
name: super-secure-zone
spec:
podSelector:
matchLabels:
zone: super-secure
ingress:
- from:
- podSelector:
matchLabels:
zone: super-secure
ports:
- protocol: tcp

View Slide

@obeattie

View Slide

Building a Bank with Kubernetes – Kubernetes London Meetup, Autumn 2016

Building a Bank with Kubernetes – Kubernetes London Meetup, Autumn 2016

Oliver Beattie

More Decks by Oliver Beattie

Other Decks in Technology

Featured

Transcript