Implementing SaaS on Kubernetes

Similar documents
Building Kubernetes cloud: real world deployment examples, challenges and approaches. Alena Prokharchyk, Rancher Labs

Kubernetes 1.8 and Beyond

Building a Kubernetes on Bare-Metal Cluster to Serve Wikipedia. Alexandros Kosiaris Giuseppe Lavagetto

Building an on premise Kubernetes cluster DANNY TURNER

Hacking and Hardening Kubernetes

Multiple Networks and Isolation in Kubernetes. Haibin Michael Xie / Principal Architect Huawei

Certificate of Registration

KUBERNETES IN A GROWN ENVIRONMENT AND INTEGRATION INTO CONTINUOUS DELIVERY

CLOUD AND AWS TECHNICAL ESSENTIALS PLUS

Cloud I - Introduction

Top Nine Kubernetes Settings You Should Check Right Now to Maximize Security

Using Custom Resources to Provide Cloud Native API Management Frank B Greco Jr, Cloud Native Engineer, Northwestern Mutual

This document (including, without limitation, any product roadmap or statement of direction data) illustrates the planned testing, release and

Evolving & Supporting Stateful, Multi-Tenant Decisioning Applications in Production. B. Frazier, K. Gasser & G. Mead, Software Engineers, Capital One

Continuous delivery while migrating to Kubernetes

gcp / gke / k8s microservices

Kubernetes 101. Doug Davis, STSM September, 2017

TEN LAYERS OF CONTAINER SECURITY

Introduction to Kubernetes

Secure Kubernetes Container Workloads

Kuberiter White Paper. Kubernetes. Cloud Provider Comparison Chart. Lawrence Manickam Kuberiter Inc

Kubernetes on Openstack

How can you implement this through a script that a scheduling daemon runs daily on the application servers?

Developing Microsoft Azure Solutions (70-532) Syllabus

Kubernetes Integration Guide

Cloud Computing. Amazon Web Services (AWS)

What s New in Red Hat OpenShift Container Platform 3.4. Torben Jäger Red Hat Solution Architect

OPENSHIFT 3.7 and beyond

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Introduction to Cloud Computing

OpenShift Dedicated 3 Release Notes

Convergence of VM and containers orchestration using KubeVirt. Chunfu Wen

AWS Administration. Suggested Pre-requisites Basic IT Knowledge

CONTAINERS AND MICROSERVICES WITH CONTRAIL

CogniFit Technical Security Details

Kuber-what?! Learn about Kubernetes

VMWARE PIVOTAL CONTAINER SERVICE

Scheduling in Kubernetes October, 2017

Module Day Topic. 1 Definition of Cloud Computing and its Basics

Two years of on Kubernetes

Code: Slides:

개발자와운영자를위한 DevOps 플랫폼 OpenShift Container Platform. Hyunsoo Senior Solution Architect 07.Feb.2017

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Defining Security for an AWS EKS deployment

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

70-532: Developing Microsoft Azure Solutions

Amazon Web Services. Block 402, 4 th Floor, Saptagiri Towers, Above Pantaloons, Begumpet Main Road, Hyderabad Telangana India

A Comparision of Service Mesh Options

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Kubernetes - Load Balancing For Virtual Machines (Pods)

70-532: Developing Microsoft Azure Solutions

Customer s journey into the private cloud with Cisco Enterprise Cloud Suite

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Open Service Broker API: Creating a Cross-Platform Standard Doug Davis IBM Shannon Coen Pivotal

Exam Questions AWS-Certified- Developer-Associate

Amazon Web Services Training. Training Topics:

Reactive Microservices Architecture on AWS

ENHANCE APPLICATION SCALABILITY AND AVAILABILITY WITH NGINX PLUS AND THE DIAMANTI BARE-METAL KUBERNETES PLATFORM


Kubernetes introduction. Container orchestration

10 Kube Commandments

Building a Microservices Platform, Patterns and Best Practices

NGINX: From North/South to East/West

Microsoft Azure Course Content

Amazon Web Services (AWS) Solutions Architect Intermediate Level Course Content

Distributed Systems. 31. The Cloud: Infrastructure as a Service Paul Krzyzanowski. Rutgers University. Fall 2013

Introduction to the Open Service Broker API. Doug Davis

Microservices on AWS. Matthias Jung, Solutions Architect AWS

Multitenancy Deep Dive

Amazon Web Services (AWS) Training Course Content

OpenShift Roadmap Enterprise Kubernetes for Developers. Clayton Coleman, Architect, OpenShift

Enabling Multi-Cloud with Istio Stretching an Istio service mesh between Public & Private Clouds. John Joyce Robert Li

At Course Completion Prepares you as per certification requirements for AWS Developer Associate.

Kubernetes made easy with Docker EE. Patrick van der Bleek Sr. Solutions Engineer NEMEA

VMWARE PKS. What is VMware PKS? VMware PKS Architecture DATASHEET

DISTRIBUTED SYSTEMS [COMP9243] Lecture 8a: Cloud Computing WHAT IS CLOUD COMPUTING? 2. Slide 3. Slide 1. Why is it called Cloud?

Project Calico v3.2. Overview. Architecture and Key Components. Project Calico provides network security for containers and virtual machine workloads.

Research at PNNL: Powered by AWS NLIT 2018

Securing Containers on the High Seas. Jack OWASP Belgium September 2018

Cloud Computing and Service-Oriented Architectures

Course Overview This five-day course will provide participants with the key knowledge required to deploy and configure Microsoft Azure Stack.

Developing Microsoft Azure Solutions (70-532) Syllabus

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

The speed of containers, the security of VMs. KataContainers.io

Overview of AWS Security - Database Services

Microservices Architekturen aufbauen, aber wie?

Cloud Technologies. for Enterprise

Developing Microsoft Azure Solutions (70-532) Syllabus

Red Hat Atomic Details Dockah, Dockah, Dockah! Containerization as a shift of paradigm for the GNU/Linux OS

Kubernetes: Twelve KeyFeatures

Federated Prometheus Monitoring at Scale

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

ARCHITECTING WEB APPLICATIONS FOR THE CLOUD: DESIGN PRINCIPLES AND PRACTICAL GUIDANCE FOR AWS

Containers Infrastructure for Advanced Management. Federico Simoncelli Associate Manager, Red Hat October 2016

Introduction to cloud computing

ActiveNET. #202, Manjeera Plaza, Opp: Aditya Park Inn, Ameerpetet HYD

AWS Solution Architect Associate

AGILE RELIABILITY WITH RED HAT IN THE CLOUDS YOUR SOFTWARE LIFECYCLE SPEEDUP RECIPE. Lutz Lange - Senior Solution Architect Red Hat

Introduction to Database Services

LINUX, WINDOWS(MCSE),

Transcription:

Implementing SaaS on Kubernetes Multi-Tenancy and Tenant Isolation on Kubernetes Michael Knapp Senior Software Engineer October 11, 2018 Certified Kubernetes Administrator Andrew Gao Software Engineer October 11, 2018

Goals Understand how Software as a Service products can be architected on Kubernetes.

Pre-Requisites Have a basic understanding of restful web APIs. Preferred: basic knowledge of Kubernetes: Namespaces Pods Deployments Services Volumes Config Maps Ingress

Agenda Kubernetes Review Kubernetes Tools for Isolation Tools for distributed applications in Kubernetes Architecture of SaaS in Kubernetes

Problem Assumption: Your team is running a Kubernetes cluster Problem: External teams or people must collaborate with your team to run their software on your platform. Examples: Add a Flink application to a Flink cluster Provision apache NiFi instances on demand Create a new Flink cluster Create a custom database Score events with a machine learning model

SaaS? Software as a Service At a user s request, we deploy a software application and make it available to them. Examples: RDS DynamoDB Elasticache SQS SNS

Challenge Match these up: Amazon s Elastic Container Service for Kubernetes (EKS) Infrastructure as a Service (IaaS) Amazon s ElasticCache Platform as a Service (PaaS) Amazon s Elastic Compute Cloud (EC2) Software as a Service (SaaS)

Challenge Match these up: Amazon s Elastic Container Service for Kubernetes (EKS) Infrastructure as a Service (IaaS) Amazon s ElasticCache Platform as a Service (PaaS) Amazon s Elastic Compute Cloud (EC2) Software as a Service (SaaS)

Brief Kubernetes Review

Kubernetes Architecture https://kubernetes.io/docs/concepts/architecture/cloud-controller/

Deployment

Kubernetes Tools for Isolation

NetworkPolicy

Constraining Resources

Role Based Access Control You can assign ServiceAccounts to pods!

Role Based Access Control

Pop Quiz What can we leverage to prevent tenants from hogging all the RAM in our cluster? a) Roles, RoleBinding, RBAC b) NetworkPolicy c) ResourceQuota d) LimitRange

Pop Quiz What can we leverage to prevent tenants from hogging all the RAM in our cluster? a) Roles, RoleBinding, RBAC b) NetworkPolicy A LimitRange may constrain c) ResourceQuota d) LimitRange the RAM usage of a single pod, but it cannot limit the total number of pods. A ResourceQuota can.

Kubernetes Tools for Distributed Applications

ETCD for your clustered deployment Overview Open-source key value store Built for clusters Backbone of K8s Advantages Automated restore from backup upon cluster node failure Use etcd revision watchers for ordered/reliable/atomic event streams Out-of-the-box leader election

Making a Mesh with Istio Overview Service mesh Load Balancing Metrics Advantages Discovery Rate Limiting Canary Releases A/B testing

A/B Testing

Kubernetes Software as a Service

Custom Resource Definition (CRD) Defines a nomenclature for an object. Does NOT define fields that it has! The controller-manager dictates what fields it has. apiversion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: tenants.example.com spec: group: example.com version: v1 scope: Cluster names: plural: tenants singular: tenant kind: Tenant shortnames: - tnt

Follow this example: https://github.com/kubernetes/sample-controller

Questions 1. Why are the custom API server and the custom controller manager separate? 2. Why have a separate custom API server? Why not just use the Kube-APIServer?

Answer 1. Why are the custom API server and the custom controller manager separate? Update them separately Can post CRDs directly to the Kube-APIServer.

Answer 2. Why have a separate custom API server? Why not just use the Kube-APIServer? Tenants don t need to learn Kubernetes. Don t want tenants to even know Kubernetes is hosting their software. Limit tenants to only deploying our approved software.

Any Questions?

Supplemental Material

Tip: Use Kubernetes Labels Label tenant resources: Tenant Name (i.e. red-team) Creator (i.e. bob) Software Application Name (i.e. redis) Software Instance Name (i.e. bobs-redis) Makes it much easier to discover who is causing problems, and to manage their resources. For instance, you can bounce all their pods, or delete their software instance all together with one command.

Common API Endpoints CRUD create, read, update, delete. List/Query all instances of CRD for tenant. Usually has some method of filtering. Describe provides thorough information about the resource and its status. For your CRD and also tenant instances.

Middleware aka Web Filters Nonce prevents repeat attacks Login/API key check Authentication Signature check hashes the nonce and other request parameters to confirm the user made the request. Authorization To use this API To act on behalf of this tenant Admin? Or tenant member? Read-only vs Write access To view/alter the specific resource

More Information https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resourcedefinitions/ https://github.com/kubernetes/sample-controller

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback