Building a Bank with Kubernetes – Kubernetes London Meetup, Autumn 2016

Transcript

1. Building a Bank with Kubernetes

2. Oliver Beattie @obeattie Head of Engineering, Monzo

3. None
4. None
5. None
6. None
7. None
8. None
9. None

10. Application Database

11. Application Database Cache

12. Application Database Cache Load balancer Application Application

13. Application Database Cache Load balancer Cache Cache Application Application

14. Application Database Cache Load balancer Database Database Cache Cache Application

    Application

15. Application Database Cache Load balancer Application Application Database Database Cache

    Cache

16. Application Database Cache Load balancer Application Application Database Database Cache

    Cache
17. None
18. None

19. Efficient Resilient Extensible Secure

20. None

21. Efficient Resilient Extensible Secure

22. None

23. k8 -worker hosts POD #2 CONTAINER POD #1 CONTAINER POD

    #3 CONTAINER POD #4 CONTAINER 1000MB memory; 100% utilised 250MB 250MB 250MB 250MB

24. Efficient Resilient Extensible Secure

25. None
26. None

27. Load balancing Tracing Circuit breakers Retries Canarying Service discovery Logging

    Timeouts Expirations Security policies

28. linkerd

29. HOST A service. CONTAINER 10.224.15.2 LINKERD 10.102.32.198 10.224.15.3 GET /

    HTTP/1.1 Host: service. HOST A service.cruft CONTAINER 10.224.16.2 service.cruft CONTAINER 10.224.16.1 LINKERD 10.102.34.192 10.224.16.3 HOST C service. CONTAINER 10.224.17.2 LINKERD 10.102.36.187 10.224.17.3 service.cruft CONTAINER 10.224.17.1 service.cruft CONTAINER 10.224.15.1

30. HOST A service. CONTAINER 10.224.15.2 service.cruft CONTAINER 10.224.15.1 LINKERD 10.102.32.198

    10.224.15.3 Host: service. → 10.224.17.3 GET / HTTP/1.1 Host: service. HOST A service.cruft CONTAINER 10.224.16.2 service.cruft CONTAINER 10.224.16.1 LINKERD 10.102.34.192 10.224.16.3 HOST C service. CONTAINER 10.224.17.2 service.cruft CONTAINER 10.224.17.1 LINKERD 10.102.36.187 10.224.17.3

31. HOST A service. CONTAINER 10.224.15.2 service.cruft CONTAINER 10.224.15.1 LINKERD 10.102.32.198

    10.224.15.3 Host: service. → 10.224.17.3 GET / HTTP/1.1 Host: service. HOST A service.cruft CONTAINER 10.224.16.2 service.cruft CONTAINER 10.224.16.1 LINKERD 10.102.34.192 10.224.16.3 HOST C service. CONTAINER 10.224.17.2 service.cruft CONTAINER 10.224.17.1 LINKERD 10.102.36.187 10.224.17.3

32. HOST A service. CONTAINER 10.224.15.2 service.cruft CONTAINER 10.224.15.1 LINKERD 10.102.32.198

    10.224.15.3 Host: service. → 10.224.17.3 GET / HTTP/1.1 Host: service. HOST A service.cruft CONTAINER 10.224.16.2 service.cruft CONTAINER 10.224.16.1 LINKERD 10.102.34.192 10.224.16.3 HOST C service. CONTAINER 10.224.17.2 service.cruft CONTAINER 10.224.17.1 LINKERD 10.102.36.187 10.224.17.3 Host: service. → 10.224.17.2
33. None

34. AWS region eu-west-1

35. None

36. Co-location uk-1 Co-location uk-2 AWS region eu-west-1

37. Co-location uk-1 Co-location uk-2 AWS region eu-west-1 ⚡

38. Co-location uk-1 Co-location uk-2 AWS region eu-west-1 ⚡

39. Co-location uk-1 Co-location uk-2 AWS region eu-west-1 BGP BGP BGP

    BGP

40. Co-location uk-1 Co-location uk-2 AWS region eu-west-1 BGP BGP BGP

    BGP ⚡ ⚡

41. Co-location uk-1 Co-location uk-2 AWS region eu-west-1 BGP BGP ⚡

    ⚡

42. Connectivity Pod BGP IPSec BGP BGP Openswan (IPSec VPN) GNU

    Zebra
 (BGP) Hardware VPN device Services Services Services AWS Co-location Third parties

43. Efficient Resilient Extensible Secure

44. Device isolation Process isolation Data encryption Filesystem isolation Privilege isolation

    Network isolation Resource isolation Principle of least privilege Log monitoring Secret management

45. Device isolation Process isolation Data encryption Filesystem isolation Privilege isolation

    Network isolation Resource isolation Principle of least privilege Log monitoring Secret management

46. k8s-master Availability Zone A Availability Zone B Availability Zone C

    admin user data k8s-worker dmz

47. k8s-master Availability Zone A Availability Zone B Availability Zone C

    k8s-worker dmz

48. zone: super-secure

49. apiVersion: v1 kind: Namespace metadata: name: bees

50. apiVersion: v1 kind: Namespace metadata: name: bees annotations: net.beta.kubernetes.io/network-policy: |

    { "ingress": { "isolation": "DefaultDeny" } }

51. apiVersion: extensions/v1beta1 kind: NetworkPolicy metadata: name: super-secure-zone spec: podSelector: matchLabels:

    zone: super-secure ingress: - from: - podSelector: matchLabels: zone: super-secure ports: - protocol: tcp

52. @obeattie