Building a Bank with Kubernetes – Kubernetes London Meetup, Autumn 2016

Presented at the Kubernetes London Meetup, Autumn 2016

In this talk, Oliver Beattie, Head of Engineering at Monzo, talks about how Monzo is building a modern bank.

* How Monzo has architected its backend as a collection of microservices
* How the communication between microservices is one of the most important parts of the system
* How Monzo interconnects cloud and overlay networks with physical hardware and third parties

Oliver Beattie

October 19, 2016
Transcript

  12. 23.

    k8-worker hosts: POD #1 CONTAINER, POD #2 CONTAINER, POD #3 CONTAINER, POD #4 CONTAINER (250MB each); 1000MB memory, 100% utilised

  16. 29.

    HOST A: service. CONTAINER 10.224.15.2; service.cruft CONTAINER 10.224.15.1; LINKERD 10.102.32.198 / 10.224.15.3
    Request: GET / HTTP/1.1, Host: service.
    HOST A: service.cruft CONTAINER 10.224.16.2; service.cruft CONTAINER 10.224.16.1; LINKERD 10.102.34.192 / 10.224.16.3
    HOST C: service. CONTAINER 10.224.17.2; service.cruft CONTAINER 10.224.17.1; LINKERD 10.102.36.187 / 10.224.17.3

  17. 30.

    HOST A: service. CONTAINER 10.224.15.2; service.cruft CONTAINER 10.224.15.1; LINKERD 10.102.32.198 / 10.224.15.3
    Request: GET / HTTP/1.1, Host: service.
    Routing step: Host: service. → 10.224.17.3 (linkerd on HOST A forwards to linkerd on HOST C)
    HOST A: service.cruft CONTAINER 10.224.16.2; service.cruft CONTAINER 10.224.16.1; LINKERD 10.102.34.192 / 10.224.16.3
    HOST C: service. CONTAINER 10.224.17.2; service.cruft CONTAINER 10.224.17.1; LINKERD 10.102.36.187 / 10.224.17.3

  19. 32.

    HOST A: service. CONTAINER 10.224.15.2; service.cruft CONTAINER 10.224.15.1; LINKERD 10.102.32.198 / 10.224.15.3
    Request: GET / HTTP/1.1, Host: service.
    Routing step: Host: service. → 10.224.17.3 (linkerd on HOST A forwards to linkerd on HOST C)
    Routing step: Host: service. → 10.224.17.2 (linkerd on HOST C delivers to the service. container)
    HOST A: service.cruft CONTAINER 10.224.16.2; service.cruft CONTAINER 10.224.16.1; LINKERD 10.102.34.192 / 10.224.16.3
    HOST C: service. CONTAINER 10.224.17.2; service.cruft CONTAINER 10.224.17.1; LINKERD 10.102.36.187 / 10.224.17.3

  22. 42.

    Connectivity Pod: Openswan (IPSec VPN), GNU Zebra (BGP)
    Links: BGP, IPSec, BGP, BGP
    Peers: Hardware VPN device; Services; Services; Services
    Locations: AWS; Co-location; Third parties

  23. 44.

    Device isolation; Process isolation; Data encryption; Filesystem isolation; Privilege isolation;
    Network isolation; Resource isolation; Principle of least privilege; Log monitoring; Secret management

  25. 51.

    apiVersion: extensions/v1beta1
    kind: NetworkPolicy
    metadata:
      name: super-secure-zone
    spec:
      podSelector:
        matchLabels:
          zone: super-secure
      ingress:
      - from:
        - podSelector:
            matchLabels:
              zone: super-secure
        ports:
        - protocol: TCP
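The policy on slide 51 isolates pods labelled zone: super-secure so that they accept ingress only from pods carrying the same label, while pods no policy selects stay non-isolated. The evaluator below is an added illustration of those podSelector semantics, not code from the talk or from Monzo; it assumes label-only rules and deliberately leaves out namespaceSelector, ipBlock and the port list (the port number is not on the slide).

```python
# Added example (not from the talk): a minimal evaluator for the podSelector /
# matchLabels ingress semantics of the NetworkPolicy on slide 51.
# Out of scope by assumption: namespaceSelector, ipBlock, ports, egress.

# Constructed from the slide's YAML; the port filter is omitted because the
# slide does not show the port number.
POLICY = {
    "metadata": {"name": "super-secure-zone"},
    "spec": {
        "podSelector": {"matchLabels": {"zone": "super-secure"}},
        "ingress": [
            {"from": [{"podSelector": {"matchLabels": {"zone": "super-secure"}}}]}
        ],
    },
}


def selector_matches(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present
    in the pod's labels. An empty selector ({}), as in Kubernetes, matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies, dst_labels, src_labels):
    """True if a pod with src_labels may send ingress to a pod with dst_labels.

    A pod that no policy selects is non-isolated, so everything is allowed.
    Once any policy selects it, only traffic matching some 'from' peer of
    some selecting policy's ingress rule is allowed (default deny).
    """
    selected = False
    for pol in policies:
        spec = pol["spec"]
        if not selector_matches(spec["podSelector"], dst_labels):
            continue
        selected = True
        for rule in spec.get("ingress", []):
            peers = rule.get("from", [])
            if not peers:  # a rule with no 'from' allows all sources
                return True
            for peer in peers:
                if selector_matches(peer.get("podSelector", {}), src_labels):
                    return True
    return not selected
```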