Consensus Store
CHALLENGE
GOALS
Store critical data
Replicate data
Provide distributed lock
Automatically handle machine failures

Slide 9
Chubby
At the Heart of Google

Slide 10
At the Heart of Kubernetes

Slide 11
PERSIST

Slide 12
ACTIVE

Slide 15
Upcoming Improvements
API: Efficient gRPC protocol; Multi-key transactions
DATASTORE: Longer event history; Better memory efficiency

Slide 16
Future Outcomes
Improved utilization and application density
Scaling of clusters to 100,000 pods and beyond
User runnable performance benchmarks

Slide 17
GOAL: Establish Kubernetes as the high-scale distributed application kernel

Slide 18
Distributed Trusted Computing
Only software your company allows will run

Slide 19
Distributed Trusted Computing
Only software your company allows will run
On hardware your team controls

Slide 20
Identity
YOUR TEAM
YOUR SERVERS

Slide 22
Web Identity
Powered by OpenID Connect and OAuth 2.0

Slide 23
Dex
User Identity for Cloud Native
Open Source
Built on web standards
Integrates with Kubernetes
Cryptographic best practices

Slide 24
Future Identity Work
Dex groups for organizing teams
Use existing directory IDs
Certifications from OpenID
Easily protect apps inside cluster

Slide 25
Server Identity
Machine Identity and Admission

Slides 26-31
Diagram: Kubernetes API with node 1, node 2 and node 3

Slide 32
GOAL: Build distributed systems with strong cryptographic identity that operators trust

Slide 33
Container Lifecycle
Audit
1. Build
2. Distribute
3. Run

Slide 34
Building the Standard Software Container
Image Format
Naming & Discovery
Runtime
Identity & Signing

Slide 36
A Standard for Software Shipping Containers

Slide 37
Experiment with new container build systems
Support image mirrors and "air-gapped" systems
Create new container runtimes like rkt
Provide a reliable contract to application writers

Slides 38-39
Diagram: Standard Software Container layers (Image format, Naming & Discovery, Runtime, Signing) compared across APPC and OCI; OCI covers Runtime

Slide 40
Security Scanning
After scanning millions of containers we found that over 80% still had Heartbleed

Slide 41
Clair
Open Source Container Image Auditing

Slide 42
Diagram: container image

Slides 43-45
Diagram: container image contents: /bin/java, /opt/app.jar, /pkg.db

Slide 46
Future Work
More data sources
Integration with Kubernetes
Create standard for auditable container metadata

Slide 47
GOAL: Create software container standards so developers can build and ship apps confidently

Slide 48
Enabling Kubernetes Adoption
Networking and Onboarding

Slide 49
Diagram: pod 1, pod 2, pod 3, pod 4 with pod IPs 10.0.0.3, 10.0.0.8, 10.0.1.10, 10.0.1.20

Slide 50
Kubernetes Networking
VALUE: Less complex; DNS works; Same IP inside
PROBLEMS: Multiple IPs is a challenge in many networks

Slide 51
Default Easy Networking Option

Slide 52
Diagram: machines 192.168.1.10 and 192.168.1.40

Slide 54
Diagram: pod 1, pod 2, pod 3, pod 4 (pod IPs 10.0.0.3, 10.0.0.8, 10.0.1.10, 10.0.1.20) running on machines 192.168.1.10 and 192.168.1.40

Slide 55
Diagram: machines 192.168.1.10 and 192.168.1.40 with pod subnets 10.0.0.0/24 and 10.0.1.0/24

Slide 56
A Reasonable Default
Provide easy IPv4 overlay pod networking

Slide 57
Container Network Interface
Simple network plugins
Un-opinionated and minimal interface
Engaged by networking ecosystem
Adopted in rkt and Kubernetes

Slide 58
Future of Flannel
Easy and centrally managed IPSec encryption

Future of CNI
Continued network vendor adoption
Release of first revision of the standard
Promoted as default Kubernetes network plugin

Increasing Adoption
Operational Guides to Recovery
Bootstrap and configuration of cluster
Upgrades from Kubernetes releases
Disaster recovery of etcd and Kubernetes

Slide 61
GOAL: Increase adoption of Kubernetes through integration and ease of use in any environment

Slide 62
Our Role in CNCF

Slide 63
Develop Standard Software Container
Donate appc and release appc 1.0

Slide 64
Donate Critical Software
Donate etcd and flannel

Slide 65
Shared Plugin Model
Donate Container Networking Interface
And help create a Container Volume Interface

Slide 66
Join us

Slide 67
Join us
To build critical infrastructure software as open source

Slide 68
Join us
To establish Kubernetes as the ubiquitous cluster kernel

Slide 69
Join us
To create container specifications that solve problems simply

Slide 70
Thank You
Brandon Philips
CTO, CoreOS
@brandonphilips