Kubernetes 1.8 and Beyond
Aparna Sinha, Group Product Manager, Google
OpenShift Commons Gathering - Austin, Texas
Why do users choose Kubernetes?
- Open Source Community
- Frequent releases
- Resource efficiency
- Runs anywhere
- Fast deployments

Enterprise IT

$ kubectl apply -f dir/
The Hybrid reality
- Traditional
- Virtualized
- Fully managed & optimized for Containers
What matters most?
- We want to move to the cloud: developer productivity, service innovation, scale, while navigating legacy and regulatory
- We need a between public and private
- We need applications & infrastructure: train once, run everywhere
- Scalable management: developer flow should be consistent and fast, operations team needs to be efficient and scale across
- Retain programmatic control and transparency across public and on-premises
Kubernetes 1.8 and 1.9 Themes
- Stability & Conformance
- Security
- Extensibility
1.8 Features overview
- Maturing security (RBAC, Network Policy)
- Changes to Apps and Batch workloads
- CRDs replace TPRs!
- Notable experimental features (Scheduling, Storage...)
- Progress on big data (Spark, GPUs)
Security: Auth
Role Based Access Control (RBAC) is GA
- allows cluster administrators to dynamically define roles that enforce access policies through the Kubernetes API
- enforces organizational security requirements
- users are bound to roles (ClusterRoles and Roles) via bindings (ClusterRoleBindings and RoleBindings)
- supports custom roles if the k8s default roles are not right for your organization
Network Policy
Network Policy is beta
- specifies how groups of pods are allowed to communicate with each other and with other network endpoints
- allows and blocks traffic to your pods through a NetworkPolicy resource
- filters outbound traffic through network policies
- enforces regulatory security requirements
- network policy is implemented by network plugins such as those from Calico, Weave, and Romana
Stability: Workloads API
The Road to GA

API group            Deployment  DaemonSet  ReplicaSet  StatefulSet  Status
extensions/v1beta1   yes         yes        yes         -            Deprecated
apps/v1beta1         yes         -          -           yes          Deprecated
apps/v1beta2         yes         yes        yes         yes          Recommended
apps/v1 (k8s v1.9)   yes         yes        yes         yes          Future

Legend: Recommended, Deprecated, Future
API Extensibility in 1.8
Client -> kube-apiserver: Deployment, CronJob, CustomResourceDefinition, EtcdCluster
Client -> service-catalog-apiserver: ClusterServiceBroker, ClusterServiceClass, ServiceInstance, ServiceBinding

A Brief History of the Cloud
Architecture of a Hybrid cloud

Kubernetes
- Platform for deployment, scaling, and execution of containers
- Decouples development and deployment
- Container-level policy enforcement and telemetry

Istio
- Service mesh routing control plane
- Decouples deployment and traffic management/security
- Endpoint-level policy enforcement and telemetry

Open Service Broker
- Provision and bind to managed services
- Decouples service producers and consumers
- Service-level policy enforcement
Benefits
- Raised level of abstraction: decouples development and deployment; decouples deployment and traffic management/security; decouples service producers and consumers
- Developer focus: services, not infrastructure
- Legacy and modern
- Open, multi-cloud, portable
Beyond
- Stability & Conformance
- Security -> Multi-tenancy
- Extensibility -> Build on top
Looking forward: Cloud-Ready
1. Start immediately without filing a ticket
2. Discover and reuse services managed by others
3. Easily secure applications
4. Recover quickly and imperceptibly from infrastructure errors
5. Pay for only the resources consumed
6. Develop / port to any platform that suits the application
7. Scale or degrade gracefully
Q&A
Scheduling
Priority / Preemption in alpha
- preempts (evicts) lower priority pods in favour of higher priority pods that are pending (cannot be scheduled onto any node)
- create one or more PriorityClass(es)
- create pods with a PriorityClassName
Cluster Lifecycle: Kubeadm
Easy upgrades (beta)
- kubeadm upgrade plan - shows which versions you can upgrade to
- kubeadm upgrade apply <version> - upgrades your cluster
- --dry-run - flag allows for a non-intrusive dry run of the upgrade
Self Hosting is in alpha
- control plane components (api server, scheduler) are workloads managed as k8s primitives (e.g. schedulers can run as a DaemonSet on all masters, rolling upgrades automatically upgrade control plane components, etc.)
kubeadm join is in beta
Appendix