
Pushing Kubernetes Forward

KubeCon EU 2016

Brandon Philips

March 16, 2016
Transcript

  1. CoreOS, Inc (2013 - today)
     Mission: "Secure the Internet"
     Started at the OS level: CoreOS Linux
     • Modern, minimal operating system
     • Self-updating (read-only) image
     • Updates must be automatic and seamless
  2-6. (Diagram sequence, five slides: "With orchestration", "magical orchestrator".) Three servers run app1 through app7 and server1 "needs reboot". The orchestrator drains server1 (app1 and app3 move to server2, app2 to server3), server1 goes through "rebooting..." to "updated!", and work is rescheduled back onto it (app2 and app3 return to server1).
  7. OPEN SOURCE: 90+ projects on GitHub, 1,000+ contributors
     CoreOS.com - @coreoslinux - github/coreos
     ENTERPRISE: Secure solutions, support plans, training + more
     [email protected] - tectonic.com - quay.io
  8. Where We Are Pushing Kubernetes
     • Simpler to deploy and configure clusters
     • Increasing scale of clusters throughout stack
     • Security based on good practices
     • rkt engine powering Kubernetes nodes
     • Standards to ensure portability
  9. And a few more pieces in containers
     • DNS addon replica set
     • Heapster and InfluxDB
     • Networking daemon set
     • Identity and authz services
  10. That seems hard, what do we get?
      • Bootstrap requirements down to working SSH
      • Rolling updates for Kubernetes itself!
      • Kubelet version controlled by API
      Help Wanted! Goal: working in v1.3
  11. https://coreos.com/blog/improving-kubernetes-scheduler-performance.html
      • 10x improvement in scheduler throughput
      • Ongoing work to track upstream performance
      • Let's make similarly large gains in v1.3
      Help wanted: Kubemark dashboard!
  12. etcd v3.0 - "Scaling etcd to thousands of nodes"
      • Efficient transport via gRPC and HTTP/2
      • New powerful API based on k8s use-case
      • Disk-backed and memory-efficient storage
      • Incremental snapshot for consistent performance
      • Fix re-list issues with longer and memory-efficient key history
  13. v3 API - Transactions
      • compare and swap
        ◦ compare: foo=bar
        ◦ success: foo=bar2
      • multiple object transaction
        ◦ compare: cond1=true && cond2=true
        ◦ success: pass=true
        ◦ failure: pass=false
  14. v3 API - Watches
      • support multiple keys and prefixes per stream
        ◦ watchKey(foo)
        ◦ watchPrefix(coreos)
      • support watch from historical point
        ◦ watchKey(foo, index_of_an_hour_ago)
        ◦ user-driven history compaction
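The compare-and-swap, multi-key transaction, historical watch and compaction behaviour described on slides 13 and 14, as an added example that is not part of the deck and is not etcd's own code or client API: a small in-memory Go model of those semantics (single node, no locking, and a compare against "" standing in for "key absent"), so the branch-applied-as-a-unit rule and watch-from-revision can be exercised without a running cluster. The names `Store`, `Txn`, `Watch` and `Compact` are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrCompacted = errors.New("required revision has been compacted")

// Event is one entry in the key history; watches replay these.
type Event struct {
	Rev        int64
	Key, Value string
	Deleted    bool
}

// Compare guards a transaction: the key's current value must equal Value.
// In this model "" also matches an absent key (etcd compares version 0 for that).
type Compare struct{ Key, Value string }

// Op is a put or delete run in one branch of a transaction.
type Op struct {
	Key, Value string
	Delete     bool
}

// Store models the v3 transaction and watch semantics on a single node, without
// locking: one revision per applied transaction and a compactable key history.
type Store struct {
	rev, compacted int64
	kv             map[string]string
	history        []Event
}

func NewStore() *Store { return &Store{kv: map[string]string{}} }

// Txn checks every compare against one consistent view of the store, then applies
// either the success or the failure branch as a unit under a single new revision.
// The bool reports which branch ran; the int64 is the revision afterwards.
func (s *Store) Txn(cmps []Compare, success, failure []Op) (bool, int64) {
	ok := true
	for _, c := range cmps {
		ok = ok && s.kv[c.Key] == c.Value
	}
	ops := failure
	if ok {
		ops = success
	}
	if len(ops) == 0 {
		return ok, s.rev // nothing written, so no new revision
	}
	s.rev++
	for _, op := range ops {
		if op.Delete {
			delete(s.kv, op.Key)
			s.history = append(s.history, Event{Rev: s.rev, Key: op.Key, Deleted: true})
			continue
		}
		s.kv[op.Key] = op.Value
		s.history = append(s.history, Event{Rev: s.rev, Key: op.Key, Value: op.Value})
	}
	return ok, s.rev
}

// Get returns the current value and whether the key exists.
func (s *Store) Get(key string) (string, bool) {
	v, ok := s.kv[key]
	return v, ok
}

// Watch replays history for key (or every key under it when prefix is set) starting
// at fromRev; history older than the compaction point is gone and yields ErrCompacted.
func (s *Store) Watch(key string, prefix bool, fromRev int64) ([]Event, error) {
	if fromRev < s.compacted {
		return nil, ErrCompacted
	}
	var out []Event
	for _, e := range s.history {
		if e.Rev >= fromRev && (e.Key == key || prefix && strings.HasPrefix(e.Key, key)) {
			out = append(out, e)
		}
	}
	return out, nil
}

// Compact discards history older than rev; current values are unaffected.
func (s *Store) Compact(rev int64) {
	var kept []Event
	for _, e := range s.history {
		if e.Rev >= rev {
			kept = append(kept, e)
		}
	}
	s.history, s.compacted = kept, rev
}

func main() {
	s := NewStore()
	s.Txn(nil, []Op{{Key: "foo", Value: "bar"}}, nil)
	ok, rev := s.Txn([]Compare{{"foo", "bar"}}, []Op{{Key: "foo", Value: "bar2"}}, nil)
	fmt.Println("cas succeeded:", ok, "revision:", rev)
}
```

The point to take from the model is the failure path: a stale compare writes nothing and the revision does not move, and a watcher that asks for a revision older than the last compaction gets an error rather than a silently incomplete replay, which is exactly the re-list situation the deck wants to avoid.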
  15. v3 API - Lease
      l := lease.Create(10*second)
      kv.Put("foo", "bar", l.ID)
      // key will be removed unless the lease is kept alive
      go KeepAlive(l.ID)
  16. Help Wanted: mirror maker
      • Label queries are the new DNS
      • Need API mirrors to give queries 100% uptime
      Help wanted, no work started.
  17. When is it in k8s?
      • etcd v3 k8s issue #22448
        ◦ Refactoring the storage interface
        ◦ Proof of concept working
  18. Dex - OIDC Provider
      • Open source, standards-based identity provider
      • SQL, LDAP, and other identity backend connectors
      • Applicable outside of Kubernetes, but that is our use case
  19. Webhook Authorizer
      {
        "kind": "SubjectAccessReview",
        "spec": {
          "resourceAttributes": {
            "namespace": "default",
            "verb": "GET",
            "group": "group3",
            "resource": "pods"
          },
          "user": "ada",
          "group": ["read-prod", "admin-stage"]
        }
      }
      → authorizer service: OK?
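One way the authorizer service on slide 19 can be built, as an added example that is not from the deck and not Kubernetes' own code: a Go webhook that decodes the SubjectAccessReview, decides against a deny-by-default rule list, and returns the review with its status filled in. The `Rule` policy format, the contents of `DefaultRules` and the `group:` subject prefix are assumptions of this example; the request body is the one from the slide, embedded as a constructed sample. The slide's uppercase "GET" is lowercased before matching because Kubernetes verbs are lowercase.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Wire types for the SubjectAccessReview exchange on the slide. The field set follows
// the slide; the real object also carries apiVersion and a nonResourceAttributes
// branch, which this example ignores. The "group" inside resourceAttributes is the
// API group of the resource and plays no part in this example's policy.
type ResourceAttributes struct {
	Namespace string `json:"namespace"`
	Verb      string `json:"verb"`
	Group     string `json:"group"`
	Resource  string `json:"resource"`
}

type ReviewSpec struct {
	ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty"`
	User               string              `json:"user"`
	Group              []string            `json:"group"`
}

type ReviewStatus struct {
	Allowed bool   `json:"allowed"`
	Reason  string `json:"reason,omitempty"`
}

type SubjectAccessReview struct {
	Kind   string       `json:"kind"`
	Spec   ReviewSpec   `json:"spec"`
	Status ReviewStatus `json:"status"`
}

// Rule is this example's hypothetical policy entry, not a Kubernetes type: Subject is a
// user name or "group:<name>"; Namespace, Resource and each Verb may be "*" for any.
type Rule struct {
	Subject, Namespace, Resource string
	Verbs                        []string
}

func matches(pattern, value string) bool { return pattern == "*" || pattern == value }

// Authorize is the decision: deny by default, allow only when some rule covers the
// user or one of the user's groups for this namespace, resource and verb.
func Authorize(rules []Rule, sar SubjectAccessReview) ReviewStatus {
	ra := sar.Spec.ResourceAttributes
	if ra == nil {
		return ReviewStatus{Allowed: false, Reason: "no resourceAttributes in request"}
	}
	subjects := []string{sar.Spec.User}
	for _, g := range sar.Spec.Group {
		subjects = append(subjects, "group:"+g)
	}
	verb := strings.ToLower(ra.Verb) // the slide writes "GET"; Kubernetes verbs are lowercase
	for _, r := range rules {
		for _, s := range subjects {
			if s != r.Subject || !matches(r.Namespace, ra.Namespace) || !matches(r.Resource, ra.Resource) {
				continue
			}
			for _, v := range r.Verbs {
				if matches(v, verb) {
					return ReviewStatus{Allowed: true, Reason: fmt.Sprintf("allowed by rule for %s", s)}
				}
			}
		}
	}
	return ReviewStatus{Allowed: false, Reason: "no matching rule"}
}

// Handler is the webhook endpoint: decode the review, fill in status, send it back.
func Handler(rules []Rule) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		var sar SubjectAccessReview
		if err := json.NewDecoder(req.Body).Decode(&sar); err != nil || sar.Kind != "SubjectAccessReview" {
			http.Error(w, "expected a SubjectAccessReview", http.StatusBadRequest)
			return
		}
		sar.Status = Authorize(rules, sar)
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(sar)
	})
}

// DefaultRules is the constructed policy for this example.
var DefaultRules = []Rule{
	{Subject: "group:read-prod", Namespace: "prod", Resource: "*", Verbs: []string{"get", "list", "watch"}},
	{Subject: "group:admin-stage", Namespace: "stage", Resource: "*", Verbs: []string{"*"}},
}

// SlideRequest is the request body from the slide, embedded as a constructed sample.
const SlideRequest = `{"kind":"SubjectAccessReview","spec":{"resourceAttributes":{"namespace":"default","verb":"GET","group":"group3","resource":"pods"},"user":"ada","group":["read-prod","admin-stage"]}}`

func main() {
	var sar SubjectAccessReview
	if err := json.Unmarshal([]byte(SlideRequest), &sar); err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", Authorize(DefaultRules, sar)) // denied: no rule covers namespace "default"
}
```

With this policy ada's request is denied: her groups grant access in the prod and stage namespaces and nothing covers default, which is the behaviour you want from a webhook authorizer; a review the service cannot interpret (no resourceAttributes, wrong kind) is also denied rather than falling through.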
  20. rkt - simple CLI tool
      • no central daemon
      • no (mandatory) API
      • apps run directly under spawning process
  21. rkt TPM measurement
      • TPM, Trusted Platform Module
        ◦ physical chip on the motherboard
        ◦ cryptographic keys + processor
      • Used to "measure" system state
      • Historically just used to verify bootloader/OS (on proprietary systems)
  22. rkt TPM measurement
      • CoreOS added support to GNU GRUB
      • rkt can now record information about running pods in the TPM
      • attestable record of what images and pods are running on a system
  23. TPM Attestation in k8s
      1. Generate timestamp
      2. Ask TPM for sig of time + log value
      3. Submit to API server in nodeStatus
  24. rkt TPM measurement
      For more on TPM and rkt, see Matthew Garrett's talk: "Integrated trusted computing in Kubernetes", 11:30am today
  25. TLS Bootstrap of Nodes (#20439)
      1. Generate CSR
      2. Submit CSR to API server
      3. Poll for approved CSR
  26. • Coordinate promotion of Cloud Native architectures
      • A home for Cloud Native OSS projects like Kubernetes
        ◦ Technical board to evaluate additional projects
      • Provides shared resources to projects like video conferencing, test servers, etc.
  27. • Creating technical standards for containers
      • Started with runC and a runtime specification
      • Large mandate to standardize an image format
        ◦ In progress
  28. Multiple Image Formats in v1.3 API
      • Today Kubernetes only supports the Docker image format and naming
      • Use cases for executing other formats
        ◦ OCI Image Format
        ◦ tar archive chroots
        ◦ jar?
        ◦ static binary?
      • Support signing and content verification
  29. Help Push Kubernetes Forward
      • Simpler to deploy and configure clusters
      • Increasing scale of clusters throughout stack
      • Security based on good practices
      • rkt engine powering Kubernetes nodes
      • Standards to ensure portability
  30. Thank you!
      Brandon Philips @brandonphilips | [email protected] | coreos.com
      We're hiring in all departments! Email: [email protected] Positions: coreos.com/careers