From Minikube to Production, Never Miss a Step in Getting Your K8s Ready

A presentation at KubeCon Europe 2020, August 2020, by Horacio Gonzalez

Slide 1

From Minikube to Production: Never Miss a Step in Getting Your K8s Ready. Kevin Georges, Horacio Gonzalez

Slide 2

Who are we? Introducing ourselves and introducing OVHcloud

Slide 3

Horacio Gonzalez @LostInBrittany Spaniard lost in Brittany, developer, dreamer and all-around geek Flutter

Slide 4

Kevin Georges @0xd33d33 Kubernetes Engineering Manager

Slide 5

OVHcloud: A Global Leader. 200k private cloud VMs running. #1 dedicated IaaS in Europe. Hosting capacity: 1.3M physical servers; 360k servers already deployed; 30 datacenters; own 20 Tbps network with 35 PoPs.

1.3M Customers in 138 Countries

Slide 6

OVHcloud: 4 Universes of Products: WebCloud, Baremetal Cloud, Hosted Private Cloud, Public Cloud

Slide 7

Orchestrating containers Like herding cats… but in hard mode!

Slide 8

From bare metal to containers Another paradigm shift

Slide 9

Containers are easy… For developers

Slide 10

Less simple if you must operate them Like in a production context

Slide 11

And what about microservices? Are you sure you want to operate them by hand?

Slide 12

Taming microservices with Kubernetes

Slide 13

Desired State Management

Slide 14

Having identical, software defined environments

Slide 15

I have deployed on Minikube, woah! A great fastlane into Kubernetes

Slide 16

Running a full K8s in your laptop A great learning tool

Slide 17

Your laptop isn’t a true cluster. Don’t expect real-world performance.

Slide 18

Beyond the first deployment So I have deployed my distributed architecture on K8s, everything is good now, isn’t it?

Slide 19

Minikube is only the beginning

Slide 20

From Minikube to prod A journey not for the faint of heart

Slide 21

Kubernetes can be wonderful For both developers and devops

Slide 22

But it comes with a price…

Slide 23

An example among many others

Slide 24

An example among many others

Slide 25

An example among many others

Slide 26

An example among many others

Slide 27

An example among many others

Slide 28

The truth is somewhere inside…

Slide 29

A network example: KubeProxy. KubeProxy has 3 proxy modes: userspace, iptables, IPVS.

Slide 30

A network example: KubeProxy iptables by default

Slide 31

A network example: KubeProxy

Slide 32

A network example: KubeProxy Cluster networking will be slower and slower

Slide 33

A network example: KubeProxy IPVS to the rescue!
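The switch the slides argue for, as an added example (not from the talk): the iptables default beside the IPVS setting in the kube-proxy configuration. Only the `mode` and `ipvs` keys shown here are needed; everything else in the ConfigMap stays as the installer wrote it.

```yaml
# kube-proxy reads a KubeProxyConfiguration from the kube-proxy ConfigMap in kube-system.
# Default shipped by most installers: iptables mode. Each Service adds rules to a
# shared chain, and packets are matched rule by rule, so cost grows with Service count.
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: "iptables"
---
# Corrected: IPVS mode. Service backends live in an in-kernel hash table, so lookup
# cost stays flat. Needs the ip_vs kernel modules on every node; without them
# kube-proxy logs a warning and falls back to iptables mode, so verify after rollout.
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: "ipvs"
ipvs:
  scheduler: "rr"   # round-robin; kube-proxy accepts the other IPVS schedulers too
```

After the ConfigMap is updated and the kube-proxy pods restarted, `ipvsadm -Ln` on a node should list the Service virtual servers, and the kube-proxy log should report the IPVS proxier rather than a fallback to iptables.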

Slide 34

Kubernetes networking is complex…

Slide 35

The storage dilemma

Slide 36

The storage dilemma. Volumes are handled through CSI. CSI provides an interface between Kubernetes and storage technologies.

Slide 37

The storage dilemma. Most CSI drivers assume perfect sync between Kubernetes and the storage backend.

Slide 38

The storage dilemma. Storage backends are subject to errors or maintenance. Potential state shifts between storage and Kubernetes.

Slide 39

The storage dilemma. I0724 13:03:20.853645 1 csi_handler.go:100] Error processing "csi-afcb533080943": failed to attach: rpc error: code = NotFound desc = ControllerPublishVolume Volume not found

Slide 40

The storage dilemma. I0724 13:03:19.012008 1 csi_handler.go:100] Error processing "csi-2259b290c": failed to attach: rpc error: code = Internal desc = ControllerPublishVolume Attach Volume failed with error failed to attach 9aa1b78d-503d-49ec-8e51-11e7c7a2dee7 volume to ea295f86-9fa8-497a-aeb9-4ad27a99a8ce compute: Bad request with: [POST https://compute.cloud.net/v2.1/327b346ae2034427b84dd/servers/ea295f86-9fa8-497a-aeb9-4ad27a99b76de/os-volume_attachments], error message: {"badRequest": {"message": "Invalid input received: Invalid volume: Volume status must be available to reserve. (HTTP 400) (Request-ID: req-8c41d48a-9a32-4225-b423-8e84131a3db8)", "code": 400}}

Slide 41

The storage dilemma. I0724 13:03:15.997499 1 csi_handler.go:100] Error processing "csi-69164e184900": failed to attach: rpc error: code = Internal desc = ControllerPublishVolume Attach Volume failed with error disk 57dbca1b-9611-4496-a960-ab13e355g23a is attached to a different instance (1621db21-b4af-4bd8-9419-954ed70gh892)

Slide 42

The ETCD vulnerability

Slide 43

Security Hardening your Kubernetes

Slide 44

The security journey

Slide 45

Kubernetes is insecure by design*. It’s a feature, not a bug: it is up to the K8s admin to secure it according to their needs.

Slide 46

Not everybody has the same security needs

Slide 47

Kubernetes allows you to enforce security practices as needed

Slide 48

Listing some good practices

Slide 49

Security defaults Kubernetes is insecure by default:

Slide 50

Security defaults Kubernetes is insecure by default:

Slide 51

Close open access. Close everything by default, open only the needed ports. Follow the principle of least privilege.

Slide 52

Define and implement RBAC According to your needs

Slide 53

Define and implement network policies

Slide 54

Use RBAC and Network Policies to isolate your sensitive workload
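A minimal isolation of one sensitive namespace along the lines of slides 51 to 54, as an added example (not from the talk): a default-deny NetworkPolicy, one policy that opens only the needed port, and a namespace-scoped Role bound to the workload's service account. All names are assumed, and NetworkPolicy only takes effect when the cluster's CNI plugin enforces it.

```yaml
# Assumed names: namespace "payments", API pods labelled app=payments-api on TCP 8443,
# service account "payments-app", caller namespaces labelled role=frontend.
# 1. Close all by default: every pod in the namespace, no ingress or egress until
#    another NetworkPolicy explicitly opens something.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny-all, namespace: payments}
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# 2. Open only the needed port: 8443 on the API pods, only from role=frontend namespaces.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: allow-frontend-to-api, namespace: payments}
spec:
  podSelector:
    matchLabels: {app: payments-api}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels: {role: frontend}
      ports:
        - {protocol: TCP, port: 8443}
---
# 3. Least privilege RBAC: the app's service account may only read ConfigMaps in its
#    own namespace; no Secrets, no writes, nothing cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: configmap-reader, namespace: payments}
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: payments-app-configmap-reader, namespace: payments}
subjects:
  - {kind: ServiceAccount, name: payments-app, namespace: payments}
roleRef: {kind: Role, name: configmap-reader, apiGroup: rbac.authorization.k8s.io}
```

Default-deny egress also blocks DNS, so a matching egress rule to kube-dns (UDP and TCP 53) is normally added next. Verify the result from a pod that should be blocked, and with `kubectl auth can-i --as=system:serviceaccount:payments:payments-app get secrets -n payments`, which should answer no.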

Slide 55

Always keep up to date Both Kubernetes and plugins

Slide 56

Because Kubernetes is a big target

Slide 57

And remember, even the best can get hacked Remain attentive, don’t get too confident

Slide 58

Extensibility Enhance your Kubernetes

Slide 59

Kubernetes is modular Let’s see how some of those plugins can help you

Slide 60

Helm: a package manager for K8s

Slide 61

Complex deployments

Slide 62

Using static YAML files

Slide 63

Complex deployments

Slide 64

Istio A service mesh for Kubernetes… and much more!

Slide 65

Istio: A service mesh… but not only

Slide 66

Service discovery

Slide 67

Traffic control

Slide 68

Encrypting internal communications

Slide 69

Routing and load balancing

Slide 70

Rolling upgrades

Slide 71

Rolling upgrades

Slide 72

A/B testing

Slide 73

Monitoring your cluster

Slide 74

Velero Backing up your Kubernetes

Slide 75

Kubernetes: Desired State Management

Slide 76

YAML files allow you to clone a cluster

Slide 77

But what about the data?

Slide 78

Velero Backup and migrate Kubernetes applications and their persistent volumes

Slide 79

S3-based backup: on any S3-protocol-compatible store

Slide 80

Backup all or part of a cluster

Slide 81

Schedule backups

Slide 82

Backup hooks
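The Velero features from slides 78 to 82 in one set of manifests, as an added example (not the talk's own): an S3-compatible storage location, a schedule that backs up only part of the cluster, and pre/post backup hooks on a pod. Endpoint, bucket, namespace, image and claim names are assumed; the fsfreeze hook follows Velero's documented pattern and requires CAP_SYS_ADMIN in that container.

```yaml
# Where backups go: any S3-protocol-compatible store (endpoint and bucket assumed).
apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata: {name: default, namespace: velero}
spec:
  provider: aws
  objectStorage: {bucket: k8s-backups}
  config:
    region: us-east-1
    s3ForcePathStyle: "true"
    s3Url: https://s3.example.net   # assumed endpoint; swap in your own store
---
# Part of the cluster, on a schedule: the "payments" namespace every night at 02:00,
# with persistent volume snapshots, expired after 30 days.
apiVersion: velero.io/v1
kind: Schedule
metadata: {name: payments-daily, namespace: velero}
spec:
  schedule: "0 2 * * *"
  template:
    includedNamespaces: ["payments"]
    snapshotVolumes: true
    ttl: 720h0m0s
---
# Backup hooks: freeze the data filesystem in the db container right before the
# snapshot and thaw it afterwards, so the snapshot is consistent.
apiVersion: v1
kind: Pod
metadata:
  name: payments-db
  namespace: payments
  annotations:
    pre.hook.backup.velero.io/container: db
    pre.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--freeze", "/var/lib/data"]'
    pre.hook.backup.velero.io/timeout: "30s"
    post.hook.backup.velero.io/container: db
    post.hook.backup.velero.io/command: '["/sbin/fsfreeze", "--unfreeze", "/var/lib/data"]'
spec:
  containers:
    - name: db
      image: postgres:13   # assumed image
      volumeMounts:
        - {name: data, mountPath: /var/lib/data}
  volumes:
    - name: data
      persistentVolumeClaim: {claimName: payments-db-data}
```

Where the database offers its own quiesce command, prefer that in the hook over fsfreeze so the container does not need the extra capability. A failed pre-hook fails the backup by default, which is the behaviour you want for a restore you intend to trust.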

Slide 83

Conclusion And one more thing…

Slide 84

Kubernetes is easy to begin with Minikube, K3s…

Slide 85

Kubernetes is powerful It can make Developers’ and DevOps’ lives easier

Slide 86

But there is a price: operating it. Lots of things to think about.

Slide 87

We have seen some of them

Slide 88

Different roles Each role asks for very different knowledge and skill sets

Slide 89

Operating a Kubernetes cluster is hard. But we have good news…

Slide 90

Most companies don’t need to do it! As they don’t build and rack their own servers!

Slide 91

If you don’t need to build it, choose a certified managed solution. You get the cluster, the operator gets the problems.

Slide 92

Like our OVH Managed Kubernetes Made with 💗 by the Platform team

Slide 93

Do you want to try? Come to our (virtual) booth!

Slide 94

Thank you for listening