
Building a Bank with Kubernetes – Kubernetes London Meetup, Autumn 2016

Presented at the Kubernetes London Meetup, Autumn 2016

In this talk, Oliver Beattie, Head of Engineering at Monzo, talks about how Monzo is building a modern bank.

* How Monzo has architected its backend as a collection of microservices
* How the communication between microservices is one of the most important parts of the system
* How Monzo interconnects cloud and overlay networks with physical hardware and third parties

Oliver Beattie

October 19, 2016

Transcript

  1. Diagram: k8s worker host. One host with 1000MB of memory, 100% utilised, runs four pods (POD #1 to POD #4), one container each, at 250MB apiece.
  2. Diagram: service-to-service calls through Linkerd. Three worker hosts (labelled HOST A, HOST A and HOST C on the slide) each run a `service.` or `service.cruft` container (10.224.15.1-2, 10.224.16.1-2, 10.224.17.1-2) and a per-host LINKERD instance (10.224.15.3, 10.224.16.3, 10.224.17.3, with second addresses 10.102.32.198, 10.102.34.192 and 10.102.36.187). A container on HOST A sends `GET / HTTP/1.1` with `Host: service.` to its local Linkerd.
  3. Same diagram, next step: the local Linkerd routes on the Host header (`Host: service. → 10.224.17.3`), forwarding the request to the Linkerd on HOST C.
  4. Same diagram, repeated (the request is in flight between the two Linkerd instances).
  5. Same diagram, final step: the Linkerd on HOST C resolves the Host header to the local `service.` container (`Host: service. → 10.224.17.2`) and delivers the request.
  6. Diagram: connectivity. Labels on the slide: Pod; BGP (three links); IPsec; Openswan (IPsec VPN); GNU Zebra (BGP); hardware VPN device; services in AWS, in co-location and at third parties.
  7. Security topics (list): device isolation; process isolation; data encryption; filesystem isolation; privilege isolation; network isolation; resource isolation; principle of least privilege; log monitoring; secret management.
  8. Same list as slide 7.
  9. NetworkPolicy: pods labelled zone=super-secure accept ingress only from pods carrying the same label, and only over TCP. Reconstructed from the slide, with the protocol name corrected to the upper-case form the API validates ("TCP", not "tcp"):

     apiVersion: extensions/v1beta1
     kind: NetworkPolicy
     metadata:
       name: super-secure-zone
     spec:
       # Pods this policy applies to: everything labelled zone=super-secure.
       podSelector:
         matchLabels:
           zone: super-secure
       ingress:
       # Admit connections only from pods that carry the same zone label ...
       - from:
         - podSelector:
             matchLabels:
               zone: super-secure
         # ... and only over TCP; with no 'port' given, every TCP port is allowed.
         ports:
         - protocol: TCP

     Caveat for the extensions/v1beta1 API shown here: the policy only has an effect in a namespace annotated `net.beta.kubernetes.io/network-policy: '{"ingress": {"isolation": "DefaultDeny"}}'`, and only when the cluster's network plugin enforces NetworkPolicy; without the annotation nothing is isolated. In the later networking.k8s.io/v1 API the annotation is gone and isolation is per pod: a pod is isolated as soon as any policy selects it, and pods selected by no policy remain reachable from everywhere.
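To make the isolation semantics of slide 9 concrete, here is an added example (not code from the talk, from Monzo or from Kubernetes): a small Python evaluator that applies the ingress rules of the networking.k8s.io/v1 NetworkPolicy API to policies written as plain dicts mirroring the slide's YAML. It assumes all pods share one namespace, understands only podSelector peers with matchLabels (namespaceSelector and ipBlock are ignored), and uses constructed pods named ledger, vault and api that are not from the talk. It shows the two things the YAML alone does not: a pod selected by no policy stays wide open, and a second, namespace-wide default-deny policy closes that gap without breaking the zone rule, because policies are additive allow-lists.

```python
"""Evaluate Kubernetes NetworkPolicy ingress rules against a set of pods.

Added example (not code from the talk, from Monzo or from Kubernetes).
Implements the ingress semantics of the networking.k8s.io/v1 API for
policies expressed as dicts.  Assumptions: one namespace, podSelector
peers only, matchLabels selectors only.
"""


def selector_matches(selector, labels):
    """True when every matchLabels entry is present on the pod with the same
    value.  An empty selector ({}) matches every pod, as in the API."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def port_matches(port_rule, protocol, port):
    """A ports entry without 'port' matches every port of its protocol."""
    if port_rule.get("protocol", "TCP") != protocol:
        return False
    return "port" not in port_rule or port_rule["port"] == port


def ingress_allowed(policies, src, dst, protocol="TCP", port=80):
    """Decide whether a connection src -> dst on protocol/port is admitted.

    A pod selected by no policy is not isolated and accepts anything.  A
    selected pod accepts a connection only if some selecting policy has an
    ingress rule whose peers (if any) match the source and whose ports (if
    any) match the destination port.  Policies are purely additive.
    """
    selecting = [p for p in policies
                 if selector_matches(p["spec"]["podSelector"], dst["labels"])]
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from", [])
            # An empty 'from' list admits every source.
            peer_ok = not peers or any(
                selector_matches(peer["podSelector"], src["labels"])
                for peer in peers if "podSelector" in peer)
            ports = rule.get("ports", [])
            port_ok = not ports or any(port_matches(p, protocol, port) for p in ports)
            if peer_ok and port_ok:
                return True
    return False


# The policy from slide 9 as a dict (protocol written "TCP", the form the API accepts).
SUPER_SECURE_ZONE = {
    "metadata": {"name": "super-secure-zone"},
    "spec": {
        "podSelector": {"matchLabels": {"zone": "super-secure"}},
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"zone": "super-secure"}}}],
            "ports": [{"protocol": "TCP"}],
        }],
    },
}

# A namespace-wide default deny: selects every pod and allows no ingress.
DEFAULT_DENY = {
    "metadata": {"name": "default-deny-ingress"},
    "spec": {"podSelector": {}, "ingress": []},
}

# Constructed pods (hypothetical names and labels, not from the talk).
LEDGER = {"name": "ledger", "labels": {"zone": "super-secure"}}
VAULT = {"name": "vault", "labels": {"zone": "super-secure"}}
API = {"name": "api", "labels": {"zone": "public"}}


def zone_only_results():
    """Outcomes with only the slide's policy loaded."""
    pols = [SUPER_SECURE_ZONE]
    return {
        "vault->ledger tcp/80": ingress_allowed(pols, VAULT, LEDGER),             # True
        "api->ledger tcp/80": ingress_allowed(pols, API, LEDGER),                 # False
        "vault->ledger udp/53": ingress_allowed(pols, VAULT, LEDGER, "UDP", 53),  # False: TCP only
        "ledger->api tcp/80": ingress_allowed(pols, LEDGER, API),                 # True: api is unselected
    }


def with_default_deny_results():
    """Outcomes once a default-deny policy sits beside the zone policy."""
    pols = [DEFAULT_DENY, SUPER_SECURE_ZONE]
    return {
        "vault->ledger tcp/80": ingress_allowed(pols, VAULT, LEDGER),  # True: policies are additive
        "ledger->api tcp/80": ingress_allowed(pols, LEDGER, API),      # False: api is now isolated
    }


if __name__ == "__main__":
    for title, results in (("zone policy only", zone_only_results()),
                           ("zone policy + default deny", with_default_deny_results())):
        print(title)
        for name, allowed in results.items():
            print(f"  {name}: {'allow' if allowed else 'deny'}")
```

Note that the slide's policy governs ingress only: nothing stops a super-secure pod from opening connections outward, so an egress policy (or the `policyTypes: [Ingress, Egress]` form in the v1 API) is needed if the zone is meant to be closed in both directions.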