Experts at Every Layer of the Stack
Linux
Container Engines & Runtime Specs
Image Specs, Build, & Hosting
Clustered Database
Cloud Independence & Lifecycle
Identity & Federation
Slide 6
The shared foundation of this ecosystem is the container.
Slide 7
And CoreOS is ensuring that the shared foundation is built on standards.
Slide 8
Open Container Initiative
● June 2015: OCI announced
● April 2016: OCI image spec added
● July 2016: rkt OCI support
● July 2016: OCI 1.0 RC-1
● Q1 2017: OCI 1.0
● Q2 2017: Quay, Kubernetes, etc.
Slide 9
● Create developer collaboration
● Build interoperating products
● Confidence in ecosystem stability
● Investment in standards
Slide 10
An update about the pod native container engine
Slide 11
rkt community traction
● Laptop Kubernetes, minikube, can use rkt with a single flag
● BlaBlaCar (Series D, $350m) rkt in prod and moving to Kubernetes
● Container Linux services now run under rkt
● Google GKE using rkt for Kubelet mount management
Slide 12
Roadmap for rkt
● Kubernetes & rkt integration via CRI
● Support all OCI standards as they reach 1.0
● Continue innovation in design and security
Slide 14
Quick Reminder: Pod Basics
[Diagram: a pod sandbox containing three processes: cache (pid 5), asset fetcher (pid 8), web server (pid 9)]
Slide 15
Quick Reminder: Pod Lifecycle
[Diagram: a 3x3 grid of EC2 VMs divided into controller nodes and worker nodes]
Slide 16
Quick Reminder: Pod Lifecycle
[Diagram: the controller nodes run the Kubernetes Scheduler, Kube API and Monitoring Service; pod A1 is placed on the worker nodes]
Slide 18
Quick Reminder: Pod Lifecycle
[Diagram: the same cluster, now with pods A1 and J2 on the worker nodes]
Slide 20
Container Runtime Interface
[Diagram: the pod sandbox with cache (pid 5), asset fetcher (pid 8), web server (pid 9)]
Slide 22
Container Runtime Interface
[Diagram: the pod sandbox with cache (pid 5), asset fetcher (pid 8), web server (pid 9); the web server fails its health check]
[Diagram: the web server is restarted inside the same pod sandbox as pid 10, while cache (pid 5) and asset fetcher (pid 8) keep running untouched]
Slide 25
rkt and CRI will help enable faster innovation in Kubernetes in 2017.
Slide 27
rkt and runc
[Diagram: the pod sandbox with cache (pid 5), asset fetcher (pid 8), web server (pid 9), each application launched by its own runc instance]
Slide 29
rkt is the only container engine with both Linux native and VM isolation.
Slide 30
rkt is the only container engine with both Linux native and VM isolation.
We continue to explore new ideas.
Slide 31
Normal rkt execution
[Diagram: two views of one pod sandbox. Inside the pod the processes are cache (pid 5), debug agent (pid 8), web server (pid 9); in the other view the same three processes appear as pid 10, pid 38 and pid 20, the pids the host kernel assigns them]
Slide 32
VM rkt execution
[Diagram: the same two views under VM execution; both show cache (pid 5), debug agent (pid 8), web server (pid 9), since the pod's processes exist only inside the VM's kernel]
Slide 33
Lifecycle of a process (Normal Execution Path)
bash (uid 1001, pid 8)
  fork(), identical perms -> bash (uid 1001, pid 9)
  exec() setuid binary, elevate perms -> su (uid 0, pid 9)
  exec(), identical perms -> bash (uid 0, pid 9)

VM rkt execution
[Diagram: inside a kvm virtual machine, the pod sandbox runs cache (pid 5), debug agent (pid 8), web server (pid 9) alongside a Privilege Escalation Validator]
Can PID 8 open /proc/9/environ, it is uid 0?
Slide 36
VM rkt execution
[Diagram: the same VM; the Privilege Escalation Validator answers: yes, valid elevation to uid 0]
Slide 37
VM rkt execution
[Diagram: the same VM; a rootkit payload has been injected into the pod]
Slide 38
VM rkt execution
[Diagram: the same VM with the rootkit payload present]
Can PID 9 open /etc/shadow, it is uid 0?
Slide 39
VM rkt execution
[Diagram: the Privilege Escalation Validator answers: no, invalid transition to uid 0]
Slide 40
VM rkt execution
[Diagram: the Privilege Escalation Validator reports: Container Terminated]
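The slides from "Lifecycle of a process" through "Container Terminated" describe the validator as one decision: a uid 0 that the witnessed fork()/exec() chain explains is allowed, one it cannot explain ends the container. The Go program below is an added example written for this page, not rkt's or CoreOS's code, that models that decision. It assumes a hypothetical allow-list of setuid-root binaries (/usr/bin/su here) and feeds the fork/exec events in by hand; a real validator running inside the VM would need a trusted event source such as the guest kernel instead. The pids, uids and paths are the slides' own.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrInvalidTransition: a process holds a uid that no witnessed fork()/exec() explains.
var ErrInvalidTransition = errors.New("pev: uid not reachable by any witnessed fork/exec transition")

// Validator is a toy privilege-escalation validator (constructed for this example,
// not rkt's code). It learns uids only from the three transitions on the "Lifecycle
// of a process" slide: fork() inherits the parent's uid, exec() of a setuid-root
// binary sets uid 0, any other exec() keeps the uid. A uid the kernel later reports
// that those transitions cannot produce is treated as an invalid escalation.
type Validator struct {
	uid        map[int]int     // expected uid per pid, derived from witnessed transitions
	setuidRoot map[string]bool // hypothetical allow-list of setuid-root binaries
	terminated bool
}

// NewValidator builds a validator that trusts only the listed setuid-root binaries.
func NewValidator(setuidRoot ...string) *Validator {
	v := &Validator{uid: map[int]int{}, setuidRoot: map[string]bool{}}
	for _, b := range setuidRoot {
		v.setuidRoot[b] = true
	}
	return v
}

// Spawn registers a process the sandbox started directly (a pod entrypoint).
func (v *Validator) Spawn(pid, uid int) { v.uid[pid] = uid }

// Fork records a fork(): the child starts with identical permissions.
func (v *Validator) Fork(parent, child int) error {
	uid, ok := v.uid[parent]
	if !ok {
		return fmt.Errorf("pev: fork from unknown pid %d", parent)
	}
	v.uid[child] = uid
	return nil
}

// Exec records an exec(): only a setuid-root binary elevates to uid 0.
func (v *Validator) Exec(pid int, binary string) error {
	if _, ok := v.uid[pid]; !ok {
		return fmt.Errorf("pev: exec by unknown pid %d", pid)
	}
	if v.setuidRoot[binary] {
		v.uid[pid] = 0
	}
	return nil
}

// Authorize answers the slide's "can pid open path, it is uid 0?": observedUID is
// what the kernel reports and must equal the uid the witnessed transitions predict.
// Any mismatch terminates the container, as on the last slide.
func (v *Validator) Authorize(pid, observedUID int, path string) error {
	if v.terminated {
		return errors.New("pev: container already terminated")
	}
	want, ok := v.uid[pid]
	if !ok {
		v.terminated = true
		return fmt.Errorf("%w: unknown pid %d opening %s", ErrInvalidTransition, pid, path)
	}
	if want != observedUID {
		v.terminated = true
		return fmt.Errorf("%w: pid %d expected uid %d, kernel reports uid %d while opening %s",
			ErrInvalidTransition, pid, want, observedUID, path)
	}
	return nil
}

// Terminated reports whether the validator has killed the container.
func (v *Validator) Terminated() bool { return v.terminated }

// Scenario replays the two decisions from the slides with their pids and paths.
func Scenario() (validErr, invalidErr error) {
	v := NewValidator("/usr/bin/su")
	v.Spawn(5, 1001) // cache
	v.Spawn(8, 1001) // debug agent (a bash shell)
	v.Spawn(9, 1001) // web server

	// Valid: the debug agent execs setuid-root su, which execs a root shell.
	_ = v.Exec(8, "/usr/bin/su")
	_ = v.Exec(8, "/bin/bash")
	validErr = v.Authorize(8, 0, "/proc/9/environ") // nil: uid 0 came from a setuid exec

	// Invalid: the web server never exec'd a setuid binary, yet the kernel now
	// reports it as uid 0 (the rootkit payload rewrote its credentials).
	invalidErr = v.Authorize(9, 0, "/etc/shadow") // ErrInvalidTransition; container terminated
	return validErr, invalidErr
}

func main() {
	valid, invalid := Scenario()
	fmt.Println("pid 8 open /proc/9/environ as uid 0 -> valid elevation:", valid == nil)
	fmt.Println("pid 9 open /etc/shadow as uid 0 ->", invalid)
}
```

The validator never looks for the rootkit itself; it only checks that the credential the kernel reports is reachable from the transitions it saw, so a credential rewrite that bypasses exec() shows up as an inconsistency no matter how it was achieved. The flip side is that any legitimate elevation path the model does not know about (a setuid binary missing from the allow-list, file capabilities) is flagged too, which is why the example takes the allow-list explicitly rather than guessing.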
Slide 42
Tectonic will support users with Docker Engine or rkt engine. End-to-end.
Slide 43
Kubernetes scales. And we have worked end-to-end to make it happen.
Slide 44
Quick Reminder: Kubernetes Architecture
● Clients talk to the Kubernetes API server
● The API is stateless and scales horizontally
● State from the API is persisted to the etcd DB
Slide 45
etcd Overview
● etcd introduced in 2013 by CoreOS
● Persistent database of Kubernetes
● Auto-leader election for availability
Slide 46
etcd is the foundation of Kubernetes
Slide 47
etcd is the foundation of Kubernetes
CoreOS ensures it is scalable, simple, solid
Slide 48
Scaling Milestones of Kubernetes
● June 2015: 100 nodes, 300 pods
● March 2016: 1,000 nodes, 30,000 pods
● November 2016: 2,000 nodes, 60,000 pods
● December 2016: 5,000 nodes, 150,000 pods
Slide 49
Consistent Key-Value Database
● Google Chubby
● etcd by CoreOS
● ZooKeeper by Apache
● Consul by Hashicorp
Slide 50
Consistent Key-Value Database, Benchmark
● Google Chubby (closed source)
1. etcd by CoreOS
2. ZooKeeper by Apache
3. Consul by Hashicorp
Slide 51
Memory, key to scalability
Slide 52
Latency, key to reliability
Slide 53
Latency, key to reliability
etcd delivers consistent latency
Slide 54
Scaling Milestones of Kubernetes
● March 2016: 1,000 nodes, 30,000 pods
● November 2016: 2,000 nodes, 60,000 pods
● December 2016: 5,000 nodes, 150,000 pods
● 2017: 20,000 nodes, 600,000 pods
Slide 56
etcd Operator
Slide 62
etcd is Trusted by 100s of OSS Projects
Slide 63
etcd is Trusted by 100s of OSS Projects
Including Projects From Teams At Google. Amazon. Microsoft.
Slide 64
Self-driving architecture simplifies Kubernetes.
Slide 66
$ uname -s
minix
$ gcc linux.c
Slide 69
$ uname -s
linux
$ gcc linux.c
Slide 71
Self-Hosted Architecture
[Diagram: a 3x3 grid of EC2 VMs divided into controller nodes and worker nodes]
Slide 72
Self-Hosted Architecture
[Diagram: the Kubernetes Scheduler, Kube API and Monitoring Service on the controller nodes; pods A1 and J2 on the worker nodes]
Slide 73
Self-Hosted Architecture
[Diagram: the Kubernetes Scheduler and Kube API on the controller nodes; pods A1 and J2 on the worker nodes; the Monitoring Service (MS) and Kubernetes Scheduler (KS) now drawn as pods of their own, scheduled on the cluster like any other workload]
Slide 76
Self-Driving Removes Toil
Toil is the kind of work tied to running a production service that tends to be manual, repetitive, automatable, tactical, devoid of enduring value, and that scales linearly as a service grows.
Slide 77
Self-Driving Removes Toil
But... failures still happen.
Slide 78
Self-Driving Monitoring Architecture
[Diagram: the Kubernetes Scheduler, Kube API and Monitoring Service on the controller nodes]
Slide 81
"Self-hosted" is being adopted in the
Kubernetes community.
Slide 82
Kubernetes User Identity
Slide 86
● OpenID Connect (OIDC) provider with LDAP plugin.
● Integrated into upstream Kubernetes.
● No external databases, simply use the Kubernetes API.
● Default in Tectonic.
Slide 88
CoreOS is ensuring that the shared foundation is built on standards.
Slide 89
rkt will help enable faster innovation in Kubernetes in 2017.
Slide 90
Kubernetes scales. And we have worked end-to-end to make it happen.
Slide 91
Self-driving architecture simplifies and removes toil.
Slide 92
Experts at Every Layer of the Stack
Linux
Container Engines & Runtime Specs
Container Image Build, Hosting, & Specs
Clustered Database
Cloud Independence & Lifecycle
Identity & Federation