Slide 1

Slide 1 text

Kubernetes, Metadata and You (Liz Rice & Gareth Rushgrove)

Slide 2

Slide 2 text

@lizrice

Slide 3

Slide 3 text

@garethr

Slide 4

Slide 4 text

- What do we mean by metadata
- Relevant Kubernetes features
- Who is metadata useful for?
- Tools, examples and demos

Slide 5

Slide 5 text

Metadata: what is it and why do we care?

Slide 6

Slide 6 text

metadata /ˈmɛtədeɪtə/ noun: data that provides information about other data

Slide 7

Slide 7 text

Understanding metadata from Jenn Riley

Slide 8

Slide 8 text

Descriptive metadata describes a resource for purposes such as discovery and identification (Understanding Metadata, Jenn Riley)

Slide 9

Slide 9 text

Structural metadata is metadata about a grouping of data and indicates how compound objects are put together (Understanding Metadata, Jenn Riley)

Slide 10

Slide 10 text

Administrative metadata provides information to help manage a resource, such as when and how it was created (Understanding Metadata, Jenn Riley)

Slide 11

Slide 11 text

Metadata use cases (Understanding Metadata, Jenn Riley)
- Resource discovery
- Organising resources
- Facilitating interoperability
- Identification
- Archiving and preservation

Slide 12

Slide 12 text

Kubernetes and metadata: useful features for storing and using metadata

Slide 13

Slide 13 text

Labels

Slide 14

Slide 14 text

Labels are key/value pairs that are attached to objects, such as pods

    "labels": {
      "key1" : "value1",
      "key2" : "value2"
    }

Slide 15

Slide 15 text

Labels are intended to be used to specify identifying attributes of objects that are meaningful and relevant to users, but do not directly imply semantics to the core system

Slide 16

Slide 16 text

Filter objects with label selectors

    $ kubectl get pods -l environment=production,tier=frontend
    $ kubectl get pods -l 'environment in (production),tier in (frontend)'
    $ kubectl logs -l app=nginx

Slide 17

Slide 17 text

An item of metadata should be a label if:
- It is used by Kubernetes to identify this resource
- It is useful to expose to operators for the purpose of querying the system
(From the Helm Chart best practices)

Slide 18

Slide 18 text

Annotations

Slide 19

Slide 19 text

You can use annotations to attach arbitrary non-identifying metadata to objects

Slide 20

Slide 20 text

- Build, release or image information like timestamps or git branch
- Links to logging, monitoring, analytics or audit tools
- Support contact details

Slide 21

Slide 21 text

Example annotations on Ingress

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: cafe-ingress-with-annotations
      annotations:
        nginx.org/proxy-connect-timeout: "30s"
        nginx.org/proxy-read-timeout: "20s"
        nginx.org/client-max-body-size: "4m"

Slide 22

Slide 22 text

Expose labels and annotations to containers

    ...
        volumeMounts:
        - name: podinfo
          mountPath: /etc
          readOnly: false
      volumes:
      - name: podinfo
        downwardAPI:
          items:
          - path: "labels"
            fieldRef:
              fieldPath: metadata.labels
          - path: "annotations"
            fieldRef:
              fieldPath: metadata.annotations

Slide 23

Slide 23 text

Docker images also have labels, which can be set at build time

    LABEL "com.example.vendor"="ACME Incorporated"
    LABEL com.example.label-with-value="foo"
    LABEL version="1.0"

Slide 24

Slide 24 text

OCI Image Spec defines annotations

Slide 25

Slide 25 text

What's missing? Observations and gaps in metadata capabilities

Slide 26

Slide 26 text

Image labels / annotations are fixed at build time. Kubernetes labels and annotations are associated with deployed software.

Slide 27

Slide 27 text

Post-build / pre-deployment metadata use cases
- Sign-off status
- Test reports
- Vulnerability scanning

Slide 28

Slide 28 text

Users: who is this metadata for?

Slide 29

Slide 29 text

There are different types of user for Kubernetes, but no widely agreed upon personas

Slide 30

Slide 30 text

No content

Slide 31

Slide 31 text

No content

Slide 32

Slide 32 text

No content

Slide 33

Slide 33 text

Kubernetes platform operators
- Manage API Server, etcd and kubelet
- Ensure a stable platform for other users
- May manage underlying infrastructure
- Might be a cloud provider or third party

Slide 34

Slide 34 text

Application developers
- Build applications
- Shouldn't have to care about K8S at all
- May also operate the application

Slide 35

Slide 35 text

Application operators
- Manage tools used to access K8S
- Looking at Helm, ksonnet and similar
- Set standards for others
- May deploy apps or build pipelines

Slide 36

Slide 36 text

Examples and demos: building useful things with metadata

Slide 37

Slide 37 text

Demo 1: routing support issues using metadata

Slide 38

Slide 38 text

As an application operator
So that failing apps get prompt support
I want alerts to reach the right support contact
Without having to redeploy when the support contact changes

Slide 39

Slide 39 text

manifesto - storing image metadata (diagram: a registry holding the myorg/myrepo images, their data blobs, and metadata)

Slide 40

Slide 40 text

manifesto - storing image metadata (diagram: the same registry, with the metadata stored alongside the myorg/myrepo images and data blobs under a _manifesto repository)

Slide 41

Slide 41 text

Demo - alert current contact on CrashLoopBackoff (diagram: a pod at 52.170.3.92 running some really flaky app code)

Slide 42

Slide 42 text

- Health checks → restart failing pod
- CrashLoopBackoff → it needs attention
- Contact details associated with image

Slide 43

Slide 43 text

Alert current support contact if health check fails

    import (
        "encoding/json"
        "log"
        "os/exec"
    )

    // ContactFile matches the JSON stored under the image's "contact" key in manifesto
    type ContactFile struct {
        Phone string `json:"phone"`
    }

    // If pod reaches CrashLoopBackoff, find the container image and call this function
    func contactAboutImage(image string) {
        // Get contact info from manifesto
        cmd := exec.Command("manifesto", "get", image, "contact")
        content, err := cmd.Output()
        if err != nil {
            log.Printf("manifesto get %s contact: %v", image, err)
            return
        }
        var c ContactFile
        if err := json.Unmarshal(content, &c); err != nil {
            log.Printf("bad contact data for %s: %v", image, err)
            return
        }
        message := "hey there, " + image + " needs some attention"
        send(message, c.Phone) // Sends message via Twilio
    }

Slide 44

Slide 44 text

Modify metadata without changing deployed code

    $ cat contact.file
    {
      "phone": "<--phone number goes here-->"
    }
    $ manifesto put lizrice/hello:healthcheck contact contact.file

Slide 45

Slide 45 text

Demo 2: being aware of security vulnerabilities

Slide 46

Slide 46 text

As an application operator
So that I can keep my containers security patched
I want to know which contain vulnerabilities

Slide 47

Slide 47 text

grafeas - storing & querying software metadata (diagram: a registry holding the myorg/myrepo images; Grafeas holding Notes and Occurrences)

Slide 48

Slide 48 text

grafeas - storing & querying software metadata (diagram: a registry holding the myorg/myrepo images; Grafeas holding Notes and Occurrences, with notes CVE-1234 and CVE-3456). Which images have vulnerability CVE-1234?

Slide 50

Slide 50 text

Demo - vulnerability scan data stored in Grafeas

Slide 51

Slide 51 text

Grafeas Notes & Occurrences. Demo - vulnerability scan data stored in Grafeas (diagram components: Aqua scanner, Itay's reformatter, manifesto, Grafeas, Grafeas queries, webhook)

Slide 52

Slide 52 text

As an application operator
So that I can maintain standards
I want to automate pre-deployment checks

Slide 53

Slide 53 text

Admission control pattern (flowchart: Start deploy → Is image OK? → Run image, otherwise Fail)

Check the metadata for the image:
● Test results?
● Signed?
● Vulnerability policies?
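The query from slide 48 and the admission decision from this slide, as an added example (not code from the talk or from Grafeas): constructed Grafeas-style notes and occurrences, a lookup answering "which images have CVE-1234?", and an admission check that requires named attestations and caps vulnerability severity, failing closed for an image with no metadata at all. The field names, attestation names and policy values are assumptions.

```python
# Added example, not from the talk. NOTES and OCCURRENCES are constructed sample
# data shaped like Grafeas notes (a vulnerability or attestation, described once)
# and occurrences (an instance of a note attached to one image). The field names
# are simplified assumptions, not the Grafeas API schema.
NOTES = {
    "CVE-1234": {"kind": "VULNERABILITY", "severity": "HIGH"},
    "CVE-3456": {"kind": "VULNERABILITY", "severity": "LOW"},
    "tests-passed": {"kind": "ATTESTATION"},
    "signed-by-ci": {"kind": "ATTESTATION"},
}
OCCURRENCES = [
    {"resource": "myorg/myrepo:1.0", "note": "CVE-1234"},
    {"resource": "myorg/myrepo:1.0", "note": "CVE-3456"},
    {"resource": "myorg/myrepo:1.0", "note": "tests-passed"},
    {"resource": "myorg/myrepo:1.1", "note": "CVE-3456"},
    {"resource": "myorg/myrepo:1.1", "note": "tests-passed"},
    {"resource": "myorg/myrepo:1.1", "note": "signed-by-ci"},
]
SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]


def images_with_vulnerability(occurrences, cve):
    """Slide 48's question: which images have an occurrence of this note?"""
    return sorted({o["resource"] for o in occurrences if o["note"] == cve})


def admit(image, occurrences, notes,
          required=("tests-passed", "signed-by-ci"), max_severity="MEDIUM"):
    """Admission decision for one image: (allowed, reasons). Fails closed: an
    image with no metadata is missing every required attestation, so it is denied."""
    mine = [o["note"] for o in occurrences if o["resource"] == image]
    reasons = []
    for att in required:  # every required attestation must be present
        if att not in mine:
            reasons.append(f"missing attestation {att}")
    for name in mine:  # no vulnerability above the policy's severity cap
        note = notes.get(name, {})
        if note.get("kind") != "VULNERABILITY":
            continue
        if SEVERITY_ORDER.index(note["severity"]) > SEVERITY_ORDER.index(max_severity):
            reasons.append(f"{name} severity {note['severity']} exceeds {max_severity}")
    return (not reasons, reasons)
```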

Slide 54

Slide 54 text

Demo 3: using multiple sources of metadata

Slide 55

Slide 55 text

As an application operator
So that I can help teams with audits
I want to know what software packages different teams are using

Slide 56

Slide 56 text

Introducing Lumogon

Slide 57

Slide 57 text

Lumogon exports data about running containers

    $ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock puppet/lumogon scan
    {
      "$schema": "http://puppet.com/lumogon/core/draft-01/schema#1",
      "generated": "2017-05-09 07:59:24.287008012 +0000 UTC",
      "owner": "default",
      "group": [
        "default"
      ],
      "client_version": {
        "BuildVersion": "development",
        "BuildTime": "2017-05-09 06:56:22 UTC",
        "BuildSHA": "9e8f684432ff12b04b5b5d594caa0ebcce86b844"
      },
      "reportid": "c73a79dc-8612-4af8-8bd8-22e32ea11e38",
      "containers": {
        "5982d3f16bbbf9530ae09915b22a0d189044e3b953e5e417e2783b90de579034": {
          "$schema": "http://puppet.com/lumogon/containerreport/draft-01/schema#1",
          "generated": "2017-05-09 07:59:03.513739277 +0000 UTC",
          "container_report_id": "8d17e541-11b3-4f25-b145-4ad9d3045995",
          "container_id": "5982d3f16bbbf9530ae09915b22a0d189044e3b953e5e417e2783b90de579034",

Slide 58

Slide 58 text

Lumogon is a component part of Puppet Discovery

Slide 59

Slide 59 text

Kubernetes labels provide
- A way to map services/pods to teams
Lumogon provides
- Metadata about packages in containers

Slide 60

Slide 60 text

Combining information from multiple sources

    $ ./collect_data_from_api_and_lumogon.py | ./output_package_table.py
    +------------------------+--------------------------+-------------+----------------+
    | Package                | Version                  | Occurrences | Teams          |
    +------------------------+--------------------------+-------------+----------------+
    | acl                    | 2.2.52-2                 | 1           | team-humphrey  |
    | adduser                | 3.113+nmu3               | 3           | team-humphrey  |
    |                        |                          |             | team-shamu     |
    | alpine-baselayout      | 3.0.4-r0                 | 2           | team-keiko     |
    | alpine-keys            | 2.1-r1                   | 2           | team-keiko     |
    | apk-tools              | 2.7.3-r0                 | 2           | team-keiko     |
    | apt                    | 0.9.7.9+deb7u7           | 2           | team-shamu     |
    | apt                    | 1.0.9.8.4                | 1           | team-humphrey  |
    | base-files             | 7.1wheezy8               | 2           | team-shamu     |
    | base-files             | 8+deb8u9                 | 1           | team-humphrey  |
    | base-passwd            | 3.5.26                   | 2           | team-shamu     |
    | base-passwd            | 3.5.37                   | 1           | team-humphrey  |
    | bash                   | 4.2+dfsg-0.1+deb7u3      | 2           | team-shamu     |
    | bash                   | 4.3-11+deb8u1            | 1           | team-humphrey  |
    | bsdutils               | 1:2.25.2-6               | 1           | team-humphrey  |
    | bsdutils               | 1:2.20.1-5.3             | 2           | team-shamu     |

https://gist.github.com/garethr/dcdb5cd54b72bb80f422be95a2585bd3
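The join behind this table, as an added example rather than the gist's scripts: pod team labels from the Kubernetes API combined with Lumogon's per-container package lists into package/version rows with occurrence counts and teams. The pods, container ids and packages are constructed sample data in a reduced shape, and a pod with no team label is reported under a placeholder team instead of being dropped, since the audit would otherwise silently miss it.

```python
# Added example, not the talk's scripts. PODS stands in for `kubectl get pods -o json`
# and SCANS for `lumogon scan`, both reduced to just the fields the join needs.
PODS = [
    {"name": "web-1", "labels": {"team": "team-humphrey"}, "containers": ["c1"]},
    {"name": "web-2", "labels": {"team": "team-shamu"}, "containers": ["c2"]},
    {"name": "batch-1", "labels": {}, "containers": ["c3"]},  # no team label at all
]
SCANS = {  # container id -> (package, version) pairs reported by the scan
    "c1": [("adduser", "3.113+nmu3"), ("apt", "1.0.9.8.4")],
    "c2": [("adduser", "3.113+nmu3"), ("apt", "0.9.7.9+deb7u7")],
    "c3": [("apt", "0.9.7.9+deb7u7")],
}
UNLABELLED = "<no team label>"  # placeholder so unlabelled pods still show up in the audit


def package_table(pods, scans):
    """Return {(package, version): {"occurrences": count, "teams": set_of_teams}}."""
    table = {}
    for pod in pods:
        team = pod["labels"].get("team", UNLABELLED)
        for cid in pod["containers"]:
            for pkg, ver in scans.get(cid, []):  # a container with no scan adds nothing
                row = table.setdefault((pkg, ver), {"occurrences": 0, "teams": set()})
                row["occurrences"] += 1
                row["teams"].add(team)
    return table


def teams_using(table, package, version=None):
    """Slide 55's audit question: which teams run this package (any version unless given)?"""
    teams = set()
    for (pkg, ver), row in table.items():
        if pkg == package and (version is None or ver == version):
            teams |= row["teams"]
    return sorted(teams)


def render(table):
    """Rows sorted by package then version, in the same columns as the slide's table."""
    lines = ["Package | Version | Occurrences | Teams"]
    for (pkg, ver), row in sorted(table.items()):
        lines.append(f"{pkg} | {ver} | {row['occurrences']} | {', '.join(sorted(row['teams']))}")
    return "\n".join(lines)
```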

Slide 61

Slide 61 text

Demo 4: enforcing metadata standards

Slide 62

Slide 62 text

As an application operator
So that I can rely on metadata
I want to enforce some standards around labels and annotations

Slide 63

Slide 63 text

A Word document or markdown file is not a reliable way of ensuring standards are enforced

Slide 64

Slide 64 text

Introducing kubetest

Slide 65

Slide 65 text

Run tests against your configurations

    $ kubetest rc.yaml --verbose
    INFO rc.yaml should not use latest images
    WARN rc.yaml ReplicationController should have at least 4 replicas

Slide 66

Slide 66 text

Tests enforcing a team label

    #// vim: set ft=python:
    # spec (the parsed manifest) and assert_contains are provided by kubetest
    def test_for_team_label():
        if spec["kind"] == "Deployment":
            labels = spec["spec"]["template"]["metadata"]["labels"]
            assert_contains(labels, "team", "should indicate which team owns the deployment")

    test_for_team_label()
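A standalone version of the same check, as an added example rather than kubetest's own code: it runs over a manifest already parsed into a dict and, beyond requiring the team label, validates its value against a team list, checks label key names with a simplified rule, and applies the "should not use latest images" rule from slide 65. The allowed team list, the key pattern and the sample manifests are assumptions.

```python
import re

# Added example, not kubetest's code. ALLOWED_TEAMS and LABEL_NAME are assumptions
# standing in for a team's own metadata schema.
ALLOWED_TEAMS = {"team-humphrey", "team-shamu", "team-keiko"}
# Simplified label-name rule (alphanumeric ends, -_. inside, <= 63 chars); not the full K8S grammar
LABEL_NAME = re.compile(r"^[A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$")


def check_deployment(spec):
    """Return a list of findings; an empty list means the manifest meets the standard."""
    findings = []
    if spec.get("kind") != "Deployment":
        return findings  # other kinds are out of scope for this test
    template = spec.get("spec", {}).get("template", {})
    labels = template.get("metadata", {}).get("labels") or {}
    team = labels.get("team")
    if team is None:
        findings.append("should indicate which team owns the deployment")
    elif team not in ALLOWED_TEAMS:
        findings.append(f"team label {team!r} is not a known team")
    for key in labels:  # validate the name part after any optional prefix/
        if not LABEL_NAME.match(key.rsplit("/", 1)[-1]):
            findings.append(f"label key {key!r} is not a valid label name")
    for c in template.get("spec", {}).get("containers", []):
        image = c.get("image", "")
        name = image.rsplit("/", 1)[-1]  # strip registry/repo so a registry port is not taken as a tag
        if "@sha256:" not in image and (":" not in name or name.endswith(":latest")):
            findings.append(f"container {c.get('name')!r} should not use latest images")
    return findings


# Constructed manifests: one that passes, one that trips three checks.
GOOD = {"kind": "Deployment", "spec": {"template": {
    "metadata": {"labels": {"app": "web", "team": "team-humphrey"}},
    "spec": {"containers": [{"name": "web", "image": "nginx:1.13"}]}}}}
BAD = {"kind": "Deployment", "spec": {"template": {
    "metadata": {"labels": {"app": "web", "-owner": "nobody"}},
    "spec": {"containers": [{"name": "web", "image": "nginx:latest"}]}}}}
```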

Slide 67

Slide 67 text

Conclusions: if all you remember is...

Slide 68

Slide 68 text

As a Kubernetes operator: think about what metadata would make debugging a platform problem easier

Slide 69

Slide 69 text

As an application developer: add metadata to your applications; those operating it in production (maybe you) will thank you

Slide 70

Slide 70 text

As an application operator: think about schemas for metadata, and look at ways of encouraging or enforcing their usage

Slide 71

Slide 71 text

Metadata provides a flexible platform for building useful tools that make managing Kubernetes systems easier.

Slide 72

Slide 72 text

Thanks for listening

A few useful GitHub projects
- aquasecurity/manifesto
- puppet/lumogon
- grafeas/grafeas