Kubernetes: beyond Minikube

SFEIR Lunch Lille - 2020-12/18 Kubernetes: Beyond Minikube Horacio Gonzalez @LostInBrittany SFEIR Lunch Lille

Who are we? Introducing myself and introducing OVH OVHcloud SFEIR Lunch Lille

Horacio Gonzalez @LostInBrittany Spaniard lost in Brittany, developer, dreamer and all-around geek Flutter SFEIR Lunch Lille

OVHcloud: A Global Leader 250k Private cloud VMs running 1 Dedicated IaaS Europe 30 Datacenters Own 20Tbps Hosting capacity : 1.3M Physical Servers 360k Servers already deployed SFEIR Lunch Lille Netwok with 35 PoPs

1.3M Customers in 138 Countries

OVHcloud: Our solutions Cloud Web Hosting Mobile Hosting Telecom VPS Containers ▪ Dedicated Server Domain names VoIP Public Cloud Compute ▪ Data Storage Email SMS/Fax Private Cloud ▪ Network and Database CDN Virtual desktop Serveur dédié Security Object Storage Web hosting Cloud HubiC Over theBox ▪ Licences Cloud Desktop Securities MS Office Hybrid Cloud Messaging MS solutions SFEIR Lunch Lille

Orchestrating containers Like herding cats… but in hard mode! SFEIR Lunch Lille

From bare metal to containers Another paradigm shift SFEIR Lunch Lille

Containers are easy… For developers SFEIR Lunch Lille

Less simple if you must operate them Like in a production context SFEIR Lunch Lille

And what about microservices? Are you sure you want to operate them by hand? SFEIR Lunch Lille

Taming microservices with Kubernetes SFEIR Lunch Lille

Kubernetes Way more than a buzzword! SFEIR Lunch Lille

Masters and nodes SFEIR Lunch Lille

Some more details SFEIR Lunch Lille

Desired State Management SFEIR Lunch Lille

Extending Kubernetes SFEIR Lunch Lille

Multi-environment made easy Dev, staging, prod, multi-cloud… SFEIR Lunch Lille

Declarative infrastructure Multi-environment made easy SFEIR Lunch Lille

Having identical, software defined envs SFEIR Lunch Lille

I have deployed on Minikube, woah! A great fastlane into Kubernetes SFEIR Lunch Lille

Running a full K8s in your laptop A great learning tool SFEIR Lunch Lille

Your laptop isn’t a true cluster Don’t expect real performances SFEIR Lunch Lille

Beyond the first deployment So I have deployed my distributed architecture on K8s, everything is good now, isn’t it? SFEIR Lunch Lille

Minikube is only the beginning SFEIR Lunch Lille

From Minikube to prod A journey not for the faint of heart SFEIR Lunch Lille

Kubernetes can be wonderful For both developers and devops SFEIR Lunch Lille

But it comes with a price… SFEIR Lunch Lille

Describing some of those traps To ease and empower your path to production SFEIR Lunch Lille

The truth is somewhere inside… SFEIR Lunch Lille

The network is going to feel it… SFEIR Lunch Lille

The storage dilemma SFEIR Lunch Lille

The ETCD vulnerability SFEIR Lunch Lille

Security Hardening your Kubernetes SFEIR Lunch Lille

The security journey SFEIR Lunch Lille

Kubernetes is insecure by design It’s a feature, not a bug. Up to K8s admin to secure it according to needs SFEIR Lunch Lille

Not everybody has the same security needs SFEIR Lunch Lille

Kubernetes allows to enforce security practices as needed SFEIR Lunch Lille

Listing some good practices SFEIR Lunch Lille

Close open access Close all by default, open only the needed ports Follow the least privileged principle SFEIR Lunch Lille

Define and implement RBAC According to your needs SFEIR Lunch Lille

Define and implement network policies SFEIR Lunch Lille

Use RBAC and Network Policies to isolate your sensitive workload SFEIR Lunch Lille

Always keep up to date Both Kubernetes and plugins SFEIR Lunch Lille

And remember, even the best can get hacked Remain attentive, don’t get too confident SFEIR Lunch Lille

Extensibility Enhance your Kubernetes SFEIR Lunch Lille

Kubernetes is modular Let’s see how some of those plugins can help you SFEIR Lunch Lille

Helm A package management for K8s SFEIR Lunch Lille

Complex deployments SFEIR Lunch Lille

Using static YAML files SFEIR Lunch Lille

Complex deployments SFEIR Lunch Lille

Istio A service mesh for Kubernetes… and much more! SFEIR Lunch Lille

Istio: A service mesh but not only SFEIR Lunch Lille

Service discovery SFEIR Lunch Lille

Traffic control SFEIR Lunch Lille

Encrypting internal communications SFEIR Lunch Lille

Routing and load balancing SFEIR Lunch Lille

Rolling upgrades SFEIR Lunch Lille

Rolling upgrades SFEIR Lunch Lille

Rolling upgrades SFEIR Lunch Lille

Rolling upgrades SFEIR Lunch Lille

Rolling upgrades SFEIR Lunch Lille

Rolling upgrades SFEIR Lunch Lille

Rolling upgrades SFEIR Lunch Lille

Rolling upgrades SFEIR Lunch Lille

Rolling upgrades SFEIR Lunch Lille

A/B testing SFEIR Lunch Lille

Monitoring your cluster SFEIR Lunch Lille

Velero Backing up your Kubernetes SFEIR Lunch Lille

Kubernetes: Desired State Management SFEIR Lunch Lille

YAML files allows to clone a cluster SFEIR Lunch Lille

But what about the data? SFEIR Lunch Lille

Velero Backup and migrate Kubernetes applications and their persistent volumes SFEIR Lunch Lille

S3 based backup On any S3 protocol compatible store SFEIR Lunch Lille

Backup all or part of a cluster SFEIR Lunch Lille

Schedule backups SFEIR Lunch Lille

Backups hooks SFEIR Lunch Lille

Conclusion And one more thing… SFEIR Lunch Lille

Kubernetes is powerful It can make Developers’ and DevOps’ lives easier SFEIR Lunch Lille

But there is a price: operating it Lot of things to think about SFEIR Lunch Lille

We have seen some of them SFEIR Lunch Lille

One more thing… Who should do what? SFEIR Lunch Lille

Different roles Each role asks for very different knowledge and skill sets SFEIR Lunch Lille

Most companies don’t need to operate the clusters As they don’t build and rack their own servers! SFEIR Lunch Lille

If you don’t need to build it, choose a certified managed solution You get the cluster, the operator get the problems SFEIR Lunch Lille

Like our OVH Managed Kubernetes Made with 💗 by the Platform team SFEIR Lunch Lille

Do you want to try? Send me an email to get some vouchers… horacio.gonzalez@corp.ovh.com SFEIR Lunch Lille

Thank you for listening SFEIR Lunch Lille