Slide 1

Slide 1 text

A DevSecOps State of Mind: Continuous Security with Kubernetes
Chris Van Tuin, Chief Technologist, West
@chrisvantuin | cvantuin@redhat.com

Slide 2

Slide 2 text

ENABLING INNOVATION

Slide 3

Slide 3 text

“Only the paranoid survive” - Andy Grove, 1996

Slide 4

Slide 4 text

THE WORLD IS AUTOMATING Those who succeed in automation will win

Slide 5

Slide 5 text

THE STRATEGIC DIFFERENTIATOR
The Fab, powered by automation ("copy exactly")
The Software Factory, powered by automation

Slide 6

Slide 6 text

NOT JUST A WEBSITE, THE DISRUPTERS = EMPOWERED ORGANIZATION
- Speed up innovation: time to change; move fast, break things; culture of experimentation
- Shorten the feedback loop: real-time data-driven intelligence and personalization; AI/ML; data, data, data
[Figure: A/B comparison, 20% vs. 25%]

Slide 7

Slide 7 text

NOT JUST A WEBSITE, THE DISRUPTERS = EMPOWERED ORGANIZATION
- Speed up innovation: time to change; move fast, break things; culture of experimentation
- Shorten the feedback loop: real-time data-driven intelligence and personalization; AI/ML; data, data, data
[Figure: A/B comparison, 20% vs. 25%]
$4.3 billion in unsold inventory: "H&M gets hit with the 'Amazon effect'", https://www.marketwatch.com/story/hm-gets-hit-with-the-amazon-effect-2018-04-03

Slide 8

Slide 8 text

6 months SUPPLY CHAIN BOTTLENECK in Era of Fast Fashion

Slide 9

Slide 9 text

3 months 6 months SUPPLY CHAIN BOTTLENECK in Era of Fast Fashion

Slide 10

Slide 10 text

1 to 8 weeks / 3 months / 6 months
SUPPLY CHAIN BOTTLENECK in Era of Fast Fashion

Slide 11

Slide 11 text

SALES GROWTH VS LEAD TIMES

Slide 12

Slide 12 text

2 year % STOCK PERFORMANCE +105% -9% -57% (13 year low)

Slide 13

Slide 13 text

I.T. MUST EVOLVE

Slide 14

Slide 14 text

HOW DOES I.T. ACCELERATE BUSINESS INNOVATION?
Innovation: from 6 to 9 months, to hours to weeks

Slide 15

Slide 15 text

"H&M need to make sure they're innovating ahead of the curve, not just to catch up"
H&M's position is magnified by the fact that they recognized the problem later than their peers.
H&M is investing in I.T. to speed up innovation and to amplify and shorten the feedback loop.

Slide 16

Slide 16 text

I.T. MUST TRANSFORM FROM A COST CENTER INTO AN INNOVATION CENTER
Powered by DevOps + Automation: DEV + QA + OPS
THE SOFTWARE FACTORY
- Culture: collaborative, transparent, open
- Process: agile, iterative, continuous, infrastructure as code
- Technology: Linux + containers, IaaS, orchestration, CI/CD, source control management, collaboration, build and artifact management, testing frameworks, cloud native applications, hybrid cloud, open source

Slide 17

Slide 17 text

I.T. MUST EVOLVE FROM A COST CENTER TO AN INNOVATION CENTER

Development Model          | Waterfall   | Agile           | DevOps
Application Architecture   | Monolithic  | N-tier          | Microservices
Deployment & Packaging     | Bare Metal  | Virtual Servers | Containers
Application Infrastructure | Data Center | Hosted          | Hybrid Cloud
Storage                    | Scale Up    | Scale Out       | Storage as a Service

Slide 18

Slide 18 text

CONTINUOUS SECURITY

Slide 19

Slide 19 text

SECURITY IS AN AFTERTHOUGHT: DEV | QA | OPS | SECURITY
"Patch? The servers are behind the firewall." - Anonymous (far too many to name), 2005 - …

Slide 20

Slide 20 text

DISTRIBUTED APPLICATIONS: data on-premise (bare metal, virtual, private cloud) and off-premise (public cloud)

Slide 21

Slide 21 text

HYBRID CLOUD ENVIRONMENTS: any combination, whether traditional or containerized; legacy apps (1,000+); bare metal, virtual, private cloud, public cloud; production and dev/test

Slide 22

Slide 22 text

MULTI-TENANCY

Slide 23

Slide 23 text

DEVSECOPS: DEV + QA + OPS with end-to-end security
Culture, Process, Technology (Linux + containers, IaaS, orchestration, CI/CD, source control management, collaboration, build and artifact management, testing frameworks, open source)

Slide 24

Slide 24 text

DEVSECOPS: Continuous Security Improvement across Dev, QA and Prod
Process optimization and security automation: reduce risks, lower costs, speed delivery, speed reaction

Slide 25

Slide 25 text

CONTAINERS AT SCALE

Slide 26

Slide 26 text

CONTAINERS ENABLE DEVOPS: Build, Ship, Run
Build file:
FROM fedora:1.0
CMD echo "Hello"
Build file -> Container Image -> Registry (docker.io or a private registry) -> Container Instance on physical, virtual or cloud hosts

Slide 27

Slide 27 text

CONTAINERIZED MICROSERVICES: Build Once, Deploy Anywhere
The same container (application + OS dependencies) runs on Linux on a laptop (guest VM), on bare metal, under virtualization (virtual machine), in a private cloud and in a public cloud.

Slide 28

Slide 28 text

Open Container Initiative (OCI) specifications: Image Format, Distribution Spec, Runtime Spec

Slide 29

Slide 29 text

MORE THAN CONTAINERS… scheduling, monitoring, persistence, discovery, lifecycle & health, scaling, aggregation, security

Slide 30

Slide 30 text

BARE METAL VIRTUAL PRIVATE CLOUD PUBLIC CLOUD Automated Software Factory
 Speed, Resiliency, Scalability, Security 


Slide 31

Slide 31 text

ENABLING DEVSECOPS WITH KUBERNETES: MANAGING CONTAINERIZED MICROSERVICES
Agenda: Automation, Images, CI/CD, Scanning, Deployment Strategies, A/B Testing, External Services, Databases, Migrations, Infrastructure, Security, What's Next…

Slide 32

Slide 32 text

KUBERNETES AUTOMATION

Slide 33

Slide 33 text

ORCHESTRATION: Declarative Deployment
Controller Manager & Data Store (etcd)
Web Application spec:
  web: replicas: 2, role: web, image: httpd:1.7.9
  app: replicas: 1, role: app, image: myapp:1.0

Slide 34

Slide 34 text

ORCHESTRATION: Declarative Deployment
Controller Manager & Data Store (etcd); Nodes: physical, VM, cloud instances
Web Application spec:
  web: replicas: 2, role: web, image: httpd:1.7.9
  app: replicas: 1, role: app, image: myapp:1.0

Slide 35

Slide 35 text

ORCHESTRATION: Schedule + Provision Pods (Compute/Storage/Network)
Images are pulled from the Image Registry; Pods land on Nodes: role: web, role: web, role: app
Web Application spec:
  web: replicas: 2, role: web, image: httpd:1.7.9
  app: replicas: 1, role: app, image: myapp:1.0

Slide 36

Slide 36 text

ORCHESTRATION: Services (Load Balancer); service discovery with selectors and pod labels
Controller Manager & Data Store (etcd); Pods, Nodes, Services
Web Application spec:
  web: replicas: 2, selector role: web
  app: replicas: 1, selector role: app

Slide 37

Slide 37 text

ORCHESTRATION: Service (Load Balancer) and Ingress / Routes
Controller Manager & Data Store (etcd); Pods, Nodes, Services
Web Application spec:
  web: replicas: 2, role: web
  app: replicas: 1, role: app

Slide 38

Slide 38 text

HEALTH CHECK: Monitoring & Logging
Ingress / Routes -> Services -> Pods (role: web, role: app, role: web) on Nodes
Web Application spec:
  web: replicas: 2, role: web
  app: replicas: 1, role: app

Slide 39

Slide 39 text

HEALTH CHECK: Readiness Probe, e.g. tcp, http, script
A pod that fails the probe is taken out of the Service and a replacement (role: web) is scheduled by the Controller Manager & Data Store (etcd)
Web Application spec:
  web: replicas: 2, role: web
  app: replicas: 1, role: app

Slide 40

Slide 40 text

HEALTH CHECK: the replacement pod is ready and back behind the Service and Ingress / Routes
Controller Manager & Data Store (etcd); Pods (role: web, role: app, role: web), Nodes, Services
Web Application spec:
  web: replicas: 2, role: web
  app: replicas: 1, role: app

Slide 41

Slide 41 text

AUTO-SCALE: Monitoring & Logging reports 80% CPU on the app pod
Ingress / Routes -> Services -> Pods (role: web, role: app, role: web) on Nodes
Web Application spec:
  web: replicas: 2, role: web
  app: replicas: 1, role: app

Slide 42

Slide 42 text

AUTO-SCALE: at 80% CPU the Controller Manager & Data Store (etcd) scales the app to a second pod (role: app)
Web Application spec:
  web: replicas: 2, role: web
  app: replicas: 2, role: app

Slide 43

Slide 43 text

AUTO-SCALE: with two app pods (role: app, role: app) CPU drops to 50%
Controller Manager & Data Store (etcd); Ingress / Routes, Services, Pods, Nodes
Web Application spec:
  web: replicas: 2, role: web
  app: replicas: 2, role: app

Slide 44

Slide 44 text

CONTAINER IMAGES

Slide 45

Slide 45 text

CONTAINER IMAGE vs. JAR: a JAR carries only the application; a container image packages the application, language runtimes and OS dependencies (tags shown: 1.1, 1.2/latest)

Slide 46

Slide 46 text

TREAT CONTAINERS AS IMMUTABLE (to keep containerized apps portable)
- Container image: application, language runtimes, OS dependencies
- Config: Kubernetes ConfigMaps and Secrets
- Data: traditional data services, Kubernetes persistent volumes

Slide 47

Slide 47 text

KUBERNETES CONFIGMAP: Decouple configuration from the container image
- key:value pairs created from directories, files, or literal values; stored in etcd
- Source: the application configuration file (e.g. XML) in the source code repository
- Consumed by the container instance as environment variables or as a volume/file
- Environment variables require a pod restart to pick up changes; mounted files refresh in time

Slide 48

Slide 48 text

CONTINUOUS BUILDS

Slide 49

Slide 49 text

A CONVERGED SOFTWARE SUPPLY CHAIN

Slide 50

Slide 50 text

CI/CD PIPELINE WITH KUBERNETES BARE METAL VIRTUAL PRIVATE CLOUD PUBLIC CLOUD

Slide 51

Slide 51 text

CUSTOM SUPPLY CHAIN CASCADING REBUILDS

Slide 52

Slide 52 text

REPRODUCIBLE BUILDS: Source to Image with Build Images
Build Image (Java build environment: language runtimes, OS dependencies) from the Image Registry + Java code from the Source Repository -> Container Image (application, language runtimes, OS dependencies) pushed to the Image Registry (versions shown: source v1.0.1, build image v3.1, output image v3.1)
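The "custom supply chain" and "cascading rebuilds" slides describe a build that is pinned to a source revision and to a builder image, and is re-run whenever the builder image changes. As an added example that is not from the original deck, here is that wiring as an OpenShift Source-to-Image BuildConfig (the deck's "Source to Image" is OpenShift's S2I, so this is not portable to plain Kubernetes). The Git URI, the ImageStream names and the tag values are assumptions.

```yaml
# Added example, not from the original deck. Assumed: an OpenShift cluster, a Git
# repo at the URI below, and an ImageStream "java-builder" tracking the build image.
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: myapp                        # where the built application images land
---
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: myapp
spec:
  source:
    type: Git
    git:
      uri: https://git.example.com/shop/myapp.git   # assumed
      ref: v1.0.1                                   # pin a tag, not a moving branch
  strategy:
    type: Source
    sourceStrategy:
      from:
        kind: ImageStreamTag
        name: java-builder:v3.1      # the "Build Image": JDK + OS dependencies, pinned by tag
  output:
    to:
      kind: ImageStreamTag
      name: myapp:v1.0.1
  triggers:
    - type: ImageChange              # cascading rebuild: a new java-builder:v3.1 (e.g. an OS CVE fix)
      imageChange: {}                # re-runs this build and republishes myapp:v1.0.1
    - type: ConfigChange             # also rebuild when this BuildConfig itself is edited
```

The security point is the two pins: source by tag and builder by ImageStreamTag, so the same inputs give the same output, while the ImageChange trigger turns a patched base image into a rebuilt application image without anyone editing the application repo. For a stronger guarantee the output can be verified against the image digest rather than the tag, since tags are mutable.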

Slide 53

Slide 53 text

CONTAINER SCANNING

Slide 54

Slide 54 text

WHAT’S INSIDE MATTERS…

Slide 55

Slide 55 text

PRIVATE REGISTRY

Slide 56

Slide 56 text

Security CONTINUOUS INTEGRATION WITH SECURITY SCAN

Slide 57

Slide 57 text

AUTOMATED SECURITY SCANNING with OpenSCAP
- Content: SCAP Security Guide for RHEL, e.g. CCE-27002-5 "Set Password Minimum Length"
- Scan: physical servers, virtual machines, docker images and containers for security policy compliance (CCEs) and known security vulnerabilities (CVEs)
- Reports & Remediation

Slide 58

Slide 58 text

DEPLOYMENT STRATEGIES

Slide 59

Slide 59 text

CONTINUOUS DELIVERY WITH CONTAINERS CI/CD - CONTAINER UPDATES

Slide 60

Slide 60 text

CI/CD DEPLOYMENT STRATEGIES: Automate and reduce deployment risk
- Recreate
- Rolling updates
- Blue / Green deployment
- Canary with A/B testing

Slide 61

Slide 61 text

Recreate

Slide 62

Slide 62 text

RECREATE WITH DOWNTIME, using the Recreate deployment strategy
Kubernetes Service fronts three Version 1 pods; Version 1.2 has passed Tests / CI

Slide 63

Slide 63 text

RECREATE WITH DOWNTIME: shut down the existing deployment
Kubernetes Service; the three Version 1 pods are terminated before Version 1.2 starts

Slide 64

Slide 64 text

RECREATE WITH DOWNTIME: three Version 1.2 pods behind the Kubernetes Service
Use Case: non-mission-critical services
Pros: simple, clean; no schema incompatibilities; no API versioning
Cons: downtime

Slide 65

Slide 65 text

Rolling Updates

Slide 66

Slide 66 text

ROLLING UPDATES with ZERO DOWNTIME
Replace each pod using the RollingUpdate deployment strategy (maxUnavailable=0, maxSurge=1)
Kubernetes Service fronts three Version 1 pods; Version 1.2 has passed Tests / CI

Slide 67

Slide 67 text

ROLLING UPDATES: deploy the new version and wait until it is ready
Health check: readiness probe, e.g. tcp, http, script (RollingUpdate, maxUnavailable=0, maxSurge=1)
Kubernetes Service fronts Version 1, Version 1, Version 1.2 (starting), Version 1

Slide 68

Slide 68 text

ROLLING UPDATES: each container/pod is updated one by one
At 50% the Kubernetes Service is serving V1 and V1.2 side by side, which requires backward compatibility

Slide 69

Slide 69 text

ROLLING UPDATES: each container/pod is updated one by one; at 100% the Kubernetes Service fronts three Version 1.2 pods
Use Case: horizontally scaled; backward compatible API/data; microservices
Pros: zero downtime; reduced risk, gradual rollout with health checks; ready for rollback
Cons: requires backward compatible APIs/data; resource overhead

Slide 70

Slide 70 text

Blue / Green Deployment

Slide 71

Slide 71 text

BLUE / GREEN DEPLOYMENT using Ingress (e.g. haproxy)
Single Service, two complete Kubernetes Deployments
BLUE (Version 1) receives 100%; Service selector: production=BLUE

Slide 72

Slide 72 text

BLUE / GREEN DEPLOYMENT using Deployments and Ingress (e.g. haproxy)
GREEN (Version 2) Kubernetes Deployment is created alongside BLUE (Version 1) and passes its health check (readiness probe, e.g. tcp, http, script)
Service selector still production=BLUE; BLUE receives 100%

Slide 73

Slide 73 text

BLUE / GREEN DEPLOYMENT using Ingress (e.g. haproxy)
Route all new requests to GREEN (Version 2) by switching the Service selector to production=GREEN; in-flight BLUE sessions complete

Slide 74

Slide 74 text

BLUE / GREEN DEPLOYMENT using Deployments and Ingress (e.g. haproxy)
GREEN (Version 2) receives 100%; Service selector: production=GREEN

Slide 75

Slide 75 text

BLUE / GREEN DEPLOYMENT using Ingress (e.g. haproxy)
Scale down BLUE (Version 1) to reduce resources; GREEN (Version 2) receives 100%; Service selector: production=GREEN

Slide 76

Slide 76 text

BLUE / GREEN DEPLOYMENT using Ingress (e.g. haproxy)
Hot backup: keep the idle Deployment ready (Version 2) for the next switch; Service selector: production=GREEN

Slide 77

Slide 77 text

BLUE / GREEN DEPLOYMENT: Rollback
Switch the Service selector back to production=BLUE (Version 1); GREEN (Version 2) stays behind the Ingress but receives no traffic
Use Case: self-contained microservices (data)
Pros: low risk, never change production; no downtime; production-like testing; rollback
Cons: resource overhead; data synchronization

Slide 78

Slide 78 text

RAPID INNOVATION & EXPERIMENTATION WITH A/B TESTING

Slide 79

Slide 79 text

MICROSERVICES: RAPID INNOVATION & EXPERIMENTATION
"only about 1/3 of ideas improve the metrics they were designed to improve."
Ronny Kohavi, Microsoft (Amazon)

Slide 80

Slide 80 text

A/B TESTING USING CANARY DEPLOYMENTS

Slide 81

Slide 81 text

CANARY DEPLOYMENTS: build confidence in the new version
Version A (label: app=demo, version=A) serves 100% via the Ingress; Service selector: app=demo, version=A; conversion rate 25%
Version B has passed Tests / CI; conversion rate ??%

Slide 82

Slide 82 text

CANARY DEPLOYMENTS: requires the app to support side-by-side versions
Service selector relaxed to app=demo, so both versions are selected: 75% to Version A (label: app=demo, version=A; 25% conversion rate), 25% to Version B (label: app=demo, version=B; 30% conversion rate)

Slide 83

Slide 83 text

CANARY DEPLOYMENTS: Version B wins (30% vs. 25% conversion rate)
Service selector: app=demo, version=B; Version B (label: app=demo, version=B) receives 100% via the Ingress; Version A (label: app=demo, version=A) receives no traffic

Slide 84

Slide 84 text

ENABLING DEVSECOPS WITH KUBERNETES: MANAGING CONTAINERIZED MICROSERVICES
Agenda (recap): Automation, Images, CI/CD, Scanning, Deployment Strategies, A/B Testing, External Services, Databases, Migrations, Infrastructure, Security, What's Next…

Slide 85

Slide 85 text

EXTERNAL SERVICES

Slide 86

Slide 86 text

EXTERNAL SERVICES: database outside the cluster with an IP address
Development: External Mongo Database Service, IP=10.200.0.2, port=27017
Production: External Mongo Database Service, IP=10.100.0.9, port=27017

Slide 87

Slide 87 text

EXTERNAL SERVICES: database outside the cluster with an IP address
WebApp (role=webapp, replicas=2) on Pods / Nodes / Services, reaching over the network:
- Development: External Mongo Database Service, IP=10.200.0.2, port=27017
- Production: External Mongo Database Service, IP=10.100.0.9, port=27017

Slide 88

Slide 88 text

EXTERNAL SERVICES: database outside the cluster with an IP address
WebApp (role=webapp, replicas=2) on Pods / Nodes / Services
Database Service: kind=Service, type=ClusterIP, name=mongo, port=27017, targetport=27017
Endpoint: IP=10.200.0.2, port=27017 (development External Mongo Database Service; production is IP=10.100.0.9, port=27017)

Slide 89

Slide 89 text

EXTERNAL SERVICES: database outside the cluster with an IP address
WebApp (role=webapp, replicas=2) connects with mongodb://mongo
Database Service: kind=Service, type=ClusterIP, name=mongo, port=27017, targetport=27017
Endpoints: kind=Endpoints, name=mongo, ip=10.200.0.2, port=27017 (development External Mongo Database Service; production is IP=10.100.0.9, port=27017)

Slide 90

Slide 90 text

EXTERNAL SERVICES: database outside the cluster with an IP address
WebApp (role=webapp, replicas=2) still connects with mongodb://mongo
Database Service: kind=Service, type=ClusterIP, name=mongo, port=27017, targetport=27017 (unchanged)
Endpoints: kind=Endpoints, name=mongo, ip=10.100.0.9, port=27017 (switched from the development database at 10.200.0.2 to the production External Mongo Database Service at 10.100.0.9)

Slide 91

Slide 91 text

EXTERNAL SERVICES using CNAME redirection: connecting to a service with a dynamic URI through a static ExternalName Kubernetes Service
Database Service: name: mongo, type: ExternalName, externalName: mongo52101.domain.name
WebApp (role=webapp, replicas=2) on Pods / Nodes / Services connects with mongodb://<user>:<password>@mongo:<port>/dev, which resolves to mongodb://<user>:<password>@mongo52101.domain.name:52101/dev on the Cloud Mongo Database Service

Slide 92

Slide 92 text

DATABASES

Slide 93

Slide 93 text

DATA PERSISTENCE: PERSISTENT VOLUMES
- Data in the container: lost when the container terminates
- Data in a host volume: survives container termination, lost when the host (cloud instance) terminates
- Networked volume: independent of the container and of the host/cloud instance

Slide 94

Slide 94 text

KUBERNETES STATEFULSETS
1. Maintain a sticky network ID/name across restarts, e.g. mongo-0, mongo-1, mongo-2
2. Ordered operations with an ordinal index, e.g. name-0, name-1, name-2
3. Stable, persistent storage (linked to the ordinal index/name)
4. Mandatory headless service (no single IP) for integrations

Slide 95

Slide 95 text

DATABASE STATEFUL SETS: StatefulSet with 2 replicas, headless service, direct access to pods
Mongo StatefulSet (replicas=2, role=mongo); mongo-0 (role=mongo, type=leader) with its own pvc on a Persistent Volume; Client reads/writes through the leader

Slide 96

Slide 96 text

DATABASE STATEFUL SETS: Mongo StatefulSet (replicas=2, role=mongo)
Mongo-0 (role=mongo, type=leader): read/write; Mongo-1 (role=mongo, type=follower): read-only; each pod has its own pvc on a Persistent Volume; Client addresses pods directly

Slide 97

Slide 97 text

DATABASE STATEFUL SETS: scale to 3 replicas
Mongo StatefulSet (replicas=3, role=mongo): Mongo-0 (leader, read/write), Mongo-1 (follower, read-only), Mongo-2 (follower, read-only); each with its own pvc on a Persistent Volume; Client addresses pods directly

Slide 98

Slide 98 text

DATABASE STATEFUL SETS: unresponsive pod
Mongo StatefulSet (replicas=3, role=mongo): Mongo-0 (leader), Mongo-1 (follower), Mongo-2 (follower) stops responding; its pvc stays bound to the Persistent Volume

Slide 99

Slide 99 text

DATABASE STATEFUL SETS: auto recovery
Mongo StatefulSet (replicas=3, role=mongo) recreates Mongo-2 (role=mongo, type=follower) with the same name and reattaches the same pvc; Mongo-0 (leader) and Mongo-1 (follower) keep serving the Client
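The four StatefulSet properties listed on slide 94 and the recovery sequence above map onto two objects. As an added example that is not from the original deck, here is the headless Service and a three-member Mongo StatefulSet with a volume claim template, which is what gives mongo-2 the same name and the same volume back after it is replaced. The image mongo:4.4, the replica-set name rs0, the 10Gi claim size and the uid 999 are assumptions; the deck names none of them.

```yaml
# Added example, not from the original deck. Assumed: image mongo:4.4 whose
# mongodb user is uid 999, replica set "rs0", 10Gi of storage per member.
apiVersion: v1
kind: Service
metadata:
  name: mongo
spec:
  clusterIP: None                  # headless: no single VIP, DNS returns every member pod
  selector: {role: mongo}
  ports: [{port: 27017, targetPort: 27017}]
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mongo
spec:
  serviceName: mongo               # stable names: mongo-0.mongo, mongo-1.mongo, mongo-2.mongo
  replicas: 3                      # created and scaled in ordinal order, 0 then 1 then 2
  selector:
    matchLabels: {role: mongo}
  template:
    metadata:
      labels: {role: mongo}
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
        fsGroup: 999               # makes the claimed volume writable by the mongodb user
      containers:
        - name: mongo
          image: mongo:4.4
          args: ["--replSet", "rs0", "--bind_ip_all"]
          ports: [{containerPort: 27017}]
          volumeMounts:
            - name: data
              mountPath: /data/db
          readinessProbe:
            exec:
              command: ["mongo", "--quiet", "--eval", "db.adminCommand('ping').ok"]
            periodSeconds: 10
  volumeClaimTemplates:            # one PVC per ordinal: data-mongo-0, data-mongo-1, data-mongo-2
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi
```

The replica set is initiated once against the stable DNS names (mongo-0.mongo:27017 and so on), after which the leader/follower roles on the slides are Mongo's own election, not something Kubernetes assigns. The recovery on slide 99 follows from the claim template: deleting or losing mongo-2 leaves data-mongo-2 bound, and the replacement pod with the same ordinal mounts it again, so the member rejoins with its data instead of resyncing from scratch. Note that "auto recovery" applies to pod failure; a node failure needs the pod to be evicted or force-deleted before the StatefulSet controller will recreate it.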

Slide 100

Slide 100 text

DATABASE MIGRATIONS

Slide 101

Slide 101 text

CI/CD PIPELINE: version control database updates, e.g. flyway
Production: Application v1 with DB v1; Test: Application v2 with DB v2; Development: Application v3 with DB v3
Versioned migration scripts: V1__add_table_car.sql, V2__add_table_truck.sql, V3__add_table_scooter.sql

Slide 102

Slide 102 text

DATABASE MIGRATIONS: version control database updates with containers
The source code repository holds the SQL migration script (V2__add_table.sql) and the container build file (Dockerfile); the build copies the script into /var/flyway/data of a Flyway container image, flyway-mydb:v2.0.0, which is pushed to the registry

Slide 103

Slide 103 text

DATABASE MIGRATION: StatefulSet deployment with headless Service
PostgreSQL StatefulSet (replicas=1, role=postgresql): postgresql-0 with its pvc on a Persistent Volume; schema at v1

Slide 104

Slide 104 text

DATABASE MIGRATIONS: create a Job for Flyway
PostgreSQL StatefulSet (replicas=1, role=postgresql): postgresql-0 with its pvc on a Persistent Volume; schema at v1
Flyway Job pulls flyway-mydb:v2.0.0 from the Image Registry; Secrets supply the database connection info

Slide 105

Slide 105 text

DATABASE MIGRATIONS: apply schema changes to the database
PostgreSQL StatefulSet (replicas=1, role=postgresql, type=primary): postgresql-0 with its pvc on a Persistent Volume
Flyway Job (flyway-mydb:v2.0.0, Secrets = database connection info) migrates the schema to V2

Slide 106

Slide 106 text

DATABASE MIGRATIONS: version control for the database with Kubernetes
PostgreSQL StatefulSet (replicas=1, role=postgresql, type=primary): postgresql-0 with its pvc on a Persistent Volume; schema now at V2
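The migration Job from slides 104 to 106, as an added example that is not from the original deck: the Secret carries the connection info so nothing is baked into flyway-mydb:v2.0.0, and the Job runs the image once against the StatefulSet's primary. The image tag and the /var/flyway/data location are the deck's; the Secret keys (Flyway's own FLYWAY_URL, FLYWAY_USER and FLYWAY_PASSWORD environment variables), the database name mydb, the migrator role and the StatefulSet DNS name postgresql-0.postgresql are assumptions.

```yaml
# Added example, not from the original deck. Assumed: a PostgreSQL StatefulSet
# reachable as postgresql-0.postgresql, database "mydb", migrations copied to
# /var/flyway/data in the image, and an image whose entrypoint is the flyway CLI.
apiVersion: v1
kind: Secret
metadata:
  name: mydb-migrator
type: Opaque
stringData:                               # connection info lives here, not in the image or the Job spec
  FLYWAY_URL: "jdbc:postgresql://postgresql-0.postgresql:5432/mydb"
  FLYWAY_USER: "migrator"                 # a role allowed DDL on this schema; the app user is not
  FLYWAY_PASSWORD: "change-me-in-ci"      # placeholder; inject from the CI/CD secret store
---
apiVersion: batch/v1
kind: Job
metadata:
  name: flyway-mydb-v2
spec:
  backoffLimit: 2                         # retries are safe: Flyway records applied versions in its history table
  ttlSecondsAfterFinished: 3600           # keep the pod an hour for log inspection, then clean up
  template:
    spec:
      restartPolicy: Never
      automountServiceAccountToken: false # the migrator needs the database, not the Kubernetes API
      containers:
        - name: flyway
          image: flyway-mydb:v2.0.0       # the migration scripts are the image content, so it is versioned like the app
          args: ["-locations=filesystem:/var/flyway/data", "migrate"]
          envFrom:
            - secretRef: {name: mydb-migrator}
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities: {drop: ["ALL"]}
```

In the pipeline the Job runs before the application rollout to v2, gated with kubectl wait --for=condition=complete job/flyway-mydb-v2 --timeout=300s, so application pods never start against a schema they do not expect. Running it as a Job rather than as an init container of the application is deliberate: with two or more application replicas, init containers would race each other to run the same migration, whereas the Job runs it exactly once per pipeline stage. Using a dedicated migrator role keeps the application's own credentials free of DDL privileges.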

Slide 107

Slide 107 text

INFRASTRUCTURE

Slide 108

Slide 108 text

MONITORING CONSIDERATIONS

Stack         | Metrics                                                                     | Tool
Host          | Traditional resource metrics: cpu, memory, network, storage                 | node-exporter
Container     | Container native metrics                                                    | kubelet: cAdvisor
Kubernetes    | Cluster services, services, pods, deployments metrics                       | kube-state-metrics, probes
Microservices | Distributed applications: traditional app metrics, service discovery, distributed tracing | prometheus + grafana, jaeger tracing, istio

Slide 109

Slide 109 text

ARCHITECTURE CONSIDERATIONS

Optimize for… | Cluster design                                                | Example workload
Security      | Cluster per app / data / location, short lived                 | Data sensitive, e.g. Finance
Availability  | Multi-AZ, multi/hybrid cloud                                   | Production, mission critical
Scale         | Large cluster, multi/hybrid cloud                              | Internet, SaaS
Efficiency    | Large cluster, bare metal, Recreate                            | Many apps, dev/test
Portability   | Consistent OS & Kubernetes version                             | 1 app anywhere, e.g. ISVs
Latency       | Local, small cluster                                           | IoT, retail
Performance   | Bare metal (Multus, SR-IOV, NFD, scheduler, CPU pinning)       | HPC, AI/ML, NFV

Slide 110

Slide 110 text

DEVSECOPS METRICS: deployment frequency, lead time, deployment failure rate, mean time to recover, service availability (99.999), compliance score

Slide 111

Slide 111 text

WHAT’S NEXT

Slide 112

Slide 112 text

EXTENDING KUBERNETES
- Virtual Machines: kubevirt, github.com/kubevirt
- Day 2 Operations: operators, coreos.com/operators
- Serverless: knative, github.com/knative
- Service Mesh: istio, istio.io

Slide 113

Slide 113 text

THANK YOU linkedin: Chris Van Tuin email: cvantuin@redhat.com twitter: @chrisvantuin