Cloud Native, Microservices, Security, & Scale @mikegstowe Mike Stowe

Upload: michael-stowe

Post on 03-Mar-2017


TRANSCRIPT

Cloud Native, Microservices, Security, & Scale

@mikegstowe Mike Stowe

About Me

• API & Security Fanatic

• Open Source Contributor

• Speaker, Author, Consultant

• 10+ years Hacking Professional Code

• Community Guy at Tigera

https://www.mikestowe.com


Felix

Current State of Enterprises

Today, enterprises face unprecedented threats, from the barrier of entry across industries being significantly lowered, to aging and slowing infrastructure.

12% of Fortune 500s survived from 1955 through 2014

Another 40% will no longer exist in 10 years

Enterprises Need

• Innovation

• Speed

• Scale

• Security

• Resiliency

Enterprises Need Innovation

In the Transformation Age – it’s no longer just about budget or presence – it’s disrupt or be disrupted.

Enterprises Need Speed

“The number-one issue companies are facing is the speed of change and the transformation this requires.”

- Edwin van Bommel, Chief Cognitive Officer, IPsoft

Enterprises Need Scale

An enterprise needs to scale to serve more than twenty billion queries per hour, and up to tens of billions of database transactions per month.

- Allan Leinwand, CTO, ServiceNow

Enterprises Need Security

It’s no longer if, but when you will be hacked - and how to contain breaches.

$252M

$35M Just in IT Repairs?

Enterprises Need Resiliency

Downtime can cost an enterprise as much as $100,000 per minute, with an average cost of $730,000 per data center outage.

$150M Loss over 3 Days

Billions Lost in ~2 Hours

Live ↓ 9x in <1 Month

The Reality Is

Most enterprise architectures are not designed to meet these needs.

Legacy Architecture

Legacy Code

People over Automation

Legacy Infrastructure

Dilbert.com

Going Cloud Native

Cloud Native

[Cloud Native is] a new computing paradigm that is optimized for modern distributed system environments capable of scaling to tens of thousands of self-healing multi-tenant nodes.

– Cloud Native Computing Foundation Manifesto

Great – But What Is It?

Container packaged. Running applications and processes in software containers as an isolated unit of application deployment, and as a mechanism to achieve high levels of resource isolation. Improves overall developer experience, fosters code and component reuse and simplify operations for cloud native applications.

Dynamically managed. Actively scheduled and actively managed by a central orchestrating process. Radically improve machine efficiency and resource utilization while reducing the cost associated with maintenance and operations.

Micro-services oriented. Loosely coupled with dependencies explicitly described (e.g. through service endpoints). Significantly increase the overall agility and maintainability of applications. The foundation will shape the evolution of the technology to advance the state of the art for application management, and to make the technology ubiquitous and easily available through reliable interfaces.

In Other Words

Cloud Native is an approach to allow enterprises to ship faster, reduce risk, and increase efficiency by building smaller, autonomous (yet composable) services that can be started and stopped on-demand with little to no consequence.

The Goal of Cloud Native

The goal is not only to allow enterprises to take advantage of auto-scaling cloud architectures, but to allow them to decouple their monolithic systems, allowing them to:

MODERN Architecture

MODERN Code

AUTOMATION over People

MODERN Infrastructure

Cloud Native Brings Operations Together

Cloud Native is also designed to bring teams together, letting them work autonomously, but with greater transparency and collaboration.

Replicated Environments: CI/CD + Cloud + Containers

Discoverability + Easy Access: Microservices + APIs

Sadly if you’ve seen my car, this isn’t too far off 😫

My car has black tape, not brown though…

There’s no such thing as a silver bullet. Just processes that, if implemented correctly, can have a positive effect, and if implemented incorrectly, become detrimental.

Nano, Mini, & Microservices

What are Microservices?

Microservices are small services that are designed to do one thing well. They are designed to be self-contained, agile, flexible, and if composable: accessible and abstracted by an API.

A Microservice Focus

• Business value over technical strategy

• Strategic goals over project-specific benefits

• Intrinsic interoperability over custom integration

• Shared services over specific-purpose implementations

• Flexibility over optimization

• Evolutionary refinement over pursuit of initial perfection

In Other Words

Services are unassociated, loosely coupled units of functionality that are self-contained. Each service implements at least one action, such as submitting an online application for an account, retrieving an online bank statement or modifying an online booking or airline ticket order.

Repeating History?

The problem is that these definitions are not new; in fact, they are the definitions for SOA – or Service Oriented Architectures.

Microservices Need to Be Decoupled

The API for the microservice needs to be its abstraction. Integrating an API that is tightly coupled to its underlying service is the equivalent of integrating that service directly.

Instead, services and their abstractions (APIs) should be designed with the idea that the service will fail, allowing the API to be generic enough for whatever new service may replace the existing one.

Once a service becomes disposable, we can containerize it – allowing for services to be spun up or down based on demand, and allowing for broken services to be restarted.

Great for Developers and Efficiency

And because they are small, autonomous, and abstracted, developers are able to use the technologies that make the most sense for that project, allowing you to utilize their skillsets.

Great for Discoverability and Reuse

With APIs as the point of abstraction for the service, it’s also much easier to allow re-use of the service (while also reducing risk) via an API Portal with supporting API Documentation. Tools such as RAML or Swagger make this process even easier.

Docker & Containers

What Exactly Are Containers?

Containers are objects that can be used to hold or transport something, such as a large metal box of a standard design and size used for the transportation of goods.

Fast, Scalable Deployment

Outside of hosting the source code, containers also have their own environments. This means you can deploy and run an application on a mix of machines without having to manually install outside operating systems or extensions.

Why Docker?

• Compose applications from microservices without worrying about environmental inconsistencies, and without locking into any platform or language.

• Manage the entire SDLC, from development to deployment with a consistent user interface.

• Runs reliably on a wide variety of platforms.

• Enterprise-grade, Production tested

Deploying Containers

Deploying the CentOS container with Docker is as easy as:

We are now in a CentOS container (notice the different user/host)

More Info

Learn more at

http://docker.com

More Info

Also check out

Docker for Developers by Chris Tankersley

available on phparch.com

Shameless plug for a friend

Automated Container Management

Going Beyond Microservices

One of the key benefits of Cloud Native is self-healing applications, or microservices that are deployed in containerized environments, allowing them to be restarted or replaced when they fail.

However, trying to monitor all of these containers manually would be extremely time consuming. Thankfully there are several tools that make this process simple.

Today’s Most Popular Tools

• Kubernetes

• Docker Swarm

• Mesos

• OpenStack

• Rancher

Why Kubernetes

• Auto binpacking

• Horizontal scaling

• Automated rollouts and rollbacks

• Storage orchestration

• Self-healing

• Service discovery and load balancing

• Secret and configuration management

• Batch execution

• Enterprise-grade, Production tested

Who’s Using Kubernetes

More Info

Learn more at

http://kubernetes.io

Because this won’t get you in trouble at all…👻

There’s Just One Problem with this Solution…

Ok… Several Problems…

Distributed container-based environments increase workloads for hosts by

10x

While microservices have a shorter lifespan… by more than

90%

Which creates a churn per host of more than

100x

Meaning your first-generation, centralized SDN controller isn’t able to manage and scale with this new style of network…

And you now have hundreds to thousands to tens of thousands of containers spinning up and down, making container-specific, centralized firewall security impossible.

I have never done this, I’m proud to say 😇😎

Scalable Networking & Fine-Grained Security

Networking and Securing Pods

Project Calico is an open source project designed to allow for simple, scalable IP networking and dynamic, distributed container policy enforcement.

Why Project Calico

• 100% Open Source

• Easy to use tooling, built into kops

• Supports Kubernetes, Docker, Mesos, OpenStack, and others

• Highly Scalable – Layer 3 approach using the same principles and protocols as the internet

• Allows for simple or advanced policy application at container/ cluster/ pod level with namespaces, names, and tags

• Enterprise-grade, Production tested

Scalable Networking

Scalable networking means no overlays, no encapsulation, just a straightforward, native (flat) IP fabric using the same technologies and principles as the internet.

Remember

Security is not so much an indestructible wall as it is a maze, with each checkpoint being surrounded by numerous more security measures.

Typical Container Configuration (without Project Calico)

Containers are set behind a firewall with limited access. However, each container is able to communicate with the other – meaning each becomes vulnerable upon a firewall breach.

Project Calico Policy Enforced Container Configuration

Containers or Clusters can be namespaced, specifying which other containers, clusters, or namespaces they are allowed to listen or send data to. Breaching namespace A means they will have access to B, but not namespaces C or D.

More advanced configurations still keep A and B separate from C and D, but allow D to push data to B, but not access A. At the same time, B is not able to push data to D, nor does it have access to C.

Enforcing Policies with Project Calico on Kubernetes

In Project Calico, these policies are easily declared in a NetworkPolicy YAML file, which is then pulled in via the kubectl annotate and create commands.

NetworkPolicy Structure

Pod metadata (namespace and name)

Allow incoming

Allowed labels
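The namespace layout described above (A and B kept apart from C and D, D allowed to push data into B but not into A, B unable to reach C or D), written out as the Kubernetes NetworkPolicy objects that Calico enforces. This is an added example, not a file from the slides. It assumes four namespaces named a, b, c and d, each carrying the label name: <namespace> so a namespaceSelector can match it, and the networking.k8s.io/v1 API, under which an empty podSelector gives the default-deny behaviour that the namespace annotation mentioned above supplied under the beta API.

```yaml
# Added example (not from the slides). Assumptions: namespaces a, b, c, d
# exist, each labelled name: <namespace>; networking.k8s.io/v1 API.
# Each policy selects every pod in its namespace (podSelector: {}) and
# restricts Ingress only, so the receiving namespace decides who gets in.
---
# Namespace A: accept connections only from pods inside A.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-only
  namespace: a
spec:
  podSelector: {}          # applies to every pod in namespace a
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}  # any pod in the same namespace (a)
---
# Namespace B: same-namespace traffic, plus D may push data in.
# Nothing here admits A, C or any other namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-and-d
  namespace: b
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}          # pods in b
        - namespaceSelector:       # OR: pods in the namespace labelled name=d
            matchLabels:
              name: d
---
# Namespace C: same-namespace only, so B (and A, D) cannot reach it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-only
  namespace: c
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}
---
# Namespace D: same-namespace only. D can still open connections to B
# because B's policy admits it; B cannot open connections to D.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-only
  namespace: d
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}
```

Apply the file with kubectl create -f and inspect the result per namespace with kubectl get networkpolicy -n b. Because every policy above only lists Ingress under policyTypes, egress from any pod stays unrestricted; whether a connection succeeds is decided by the destination namespace's policy, which is why "D may push to B" is a rule in B rather than in D.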

Enforcing Policies with Project Calico on Kubernetes

More advanced policies can be defined by using ingress and egress, as well as utilizing actions and tags.

Allow/Deny Profile Structure

    apiVersion: v1                        # required by calicoctl v1; omitted on the slide
    kind: profile
    metadata:
      name: k8s_ns.advanced-policy-demo
      tags:
        - k8s_ns.advanced-policy-demo     # allow the profile to be referenced by tag
    spec:
      egress:
        - action: allow                   # allow all outgoing data to other pods
          destination: {}
          source: {}
      ingress:
        - action: deny                    # deny all incoming data from other pods
          destination: {}
          source: {}

Enforcing Policies with Project Calico on Kubernetes

And of course, you can do much more in terms of setting up and managing your distributed policies with Project Calico. You can even create multiple policies that are carried out in specific orders.

    apiVersion: v1                        # required by calicoctl v1; omitted on the slide
    kind: policy
    metadata:
      name: advanced-policy-demo.allow-dns
    spec:
      selector: has(calico/k8s_ns)        # every pod that lives in a Kubernetes namespace
      order: 400
      egress:
        - action: allow
          protocol: udp
          destination:
            selector: calico/k8s_ns == 'kube-system' && k8s-app == 'kube-dns'
            ports: [53]
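The ordering the paragraph above refers to, as an added example in the calicoctl v1 resource format the slide uses (not taken from the slides): the allow-dns policy from the slide at order 400, followed by a catch-all egress deny at order 1000. Calico evaluates the policies that select a workload from the lowest order number upwards and applies the first rule that matches, so DNS to kube-dns is allowed and every other outbound connection from pods in any Kubernetes namespace is dropped. The second policy's name and the order value 1000 are choices made for this example.

```yaml
# Added example (not from the slides): two calicoctl v1 policies with the
# same selector, applied in order. The first matching rule wins.
apiVersion: v1
kind: policy
metadata:
  name: advanced-policy-demo.allow-dns
spec:
  order: 400                      # evaluated before any policy with a higher number
  selector: has(calico/k8s_ns)    # every pod that lives in a Kubernetes namespace
  egress:
    - action: allow
      protocol: udp
      destination:
        selector: calico/k8s_ns == 'kube-system' && k8s-app == 'kube-dns'
        ports: [53]
---
apiVersion: v1
kind: policy
metadata:
  name: advanced-policy-demo.deny-other-egress   # name chosen for this example
spec:
  order: 1000                     # reached only when no allow-dns rule matched
  selector: has(calico/k8s_ns)
  egress:
    - action: deny                # no source/destination given: matches all egress
```

Load each policy with calicoctl create -f. Note that the deny policy covers egress only; ingress to these pods is still governed by whatever profiles or other policies select them, so pairing it with an ingress deny (as the profile above does) is what closes both directions.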

More Info

Learn more at

http://projectcalico.org

Join the Community on Slack: http://slack.projectcalico.org

THANK YOU!!!! @tigeraio