Running Kubernetes from development into production – how to avoid the pitfalls!

A presentation at Cloud Expo Europe in March 2020 in London, UK by Horacio Gonzalez

Slide 1

Kubernetes in production. Horacio Gonzalez, @LostInBrittany. 2020-03-11

Slide 2

Who are we? Introducing myself and introducing OVHcloud

Slide 3

Horacio Gonzalez, @LostInBrittany: Spaniard lost in Brittany, developer, dreamer and all-around geek. Flutter

Slide 4

OVHcloud: A Global Leader
- 250k private cloud VMs running
- #1 dedicated IaaS in Europe
- 30 datacenters
- Own 20 Tbps network with 35 PoPs
- Hosting capacity: 1.3M physical servers
- 360k servers already deployed
- 1.3M customers in 138 countries

Slide 5

OVHcloud: Our solutions. Cloud, Web Hosting, Mobile Hosting, Telecom, VPS, Containers, Dedicated Server, Domain names, VoIP, Public Cloud, Compute, Data Storage, Email, SMS/Fax, Private Cloud, Network and Database, CDN, Virtual desktop, Dedicated server, Security, Object Storage, Web hosting, Cloud HubiC, Over the Box, Licences, Cloud Desktop, Securities, MS Office, Hybrid Cloud, Messaging, MS solutions

Slide 6

Orchestrating containers: like herding cats… but in hard mode!

Slide 7

From bare metal to containers: another paradigm shift

Slide 8

Containers are easy… for developers

Slide 9

Less simple if you must operate them, like in a production context

Slide 10

And what about microservices? Are you sure you want to operate them by hand?

Slide 11

Taming microservices with Kubernetes

Slide 12

Kubernetes: way more than a buzzword!

Slide 13

Masters and nodes

Slide 14

Some more details

Slide 15

Desired State Management

Slide 16

Extending Kubernetes

Slide 17

Multi-environment made easy: dev, staging, prod, multi-cloud…

Slide 18

Declarative infrastructure: multi-environment made easy

Slide 19

Having identical, software-defined environments

Slide 20

I have deployed on Minikube, woah! A great fast lane into Kubernetes

Slide 21

Running a full K8s on your laptop: a great learning tool

Slide 22

Your laptop isn’t a true cluster: don’t expect real performance

Slide 23

Beyond the first deployment: so I have deployed my distributed architecture on K8s, everything is good now, isn’t it?

Slide 24

Minikube is only the beginning

Slide 25

From Minikube to prod: a journey not for the faint of heart

Slide 26

Kubernetes can be wonderful, for both developers and DevOps

Slide 27

But it comes with a price…

Slide 28

Describing some of those traps, to ease and empower your path to production

Slide 29

The truth is somewhere inside…

Slide 30

The network is going to feel it…

Slide 31

The storage dilemma

Slide 32

The etcd vulnerability

Slide 33

Security: hardening your Kubernetes

Slide 34

The security journey

Slide 35

Kubernetes is insecure by design. It’s a feature, not a bug: it is up to the K8s admin to secure it according to their needs

Slide 36

Not everybody has the same security needs

Slide 37

Kubernetes allows you to enforce security practices as needed

Slide 38

Listing some good practices

Slide 39

Close open access: close all by default, open only the needed ports. Follow the least-privilege principle

Slide 40

Define and implement RBAC according to your needs

Slide 41

Define and implement network policies

Slide 42

Use RBAC and Network Policies to isolate your sensitive workload
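Worked example for slides 39 to 42, added here and not part of the talk or of OVHcloud's own manifests: a namespace-scoped, read-only Role bound to a group (least privilege, no write verbs), a default-deny NetworkPolicy for both ingress and egress, and a second policy that opens only the ports the sensitive workload actually needs. The namespace `payments`, the labels `app: payments-api` and `app: payments-db`, the group `payments-devs`, and the ports are assumptions chosen for the example.

```yaml
# Added example (not from the talk). Everything below targets a hypothetical
# namespace "payments" that holds a sensitive workload; names are assumptions.
---
apiVersion: v1
kind: Namespace
metadata:
  name: payments
---
# RBAC: a Role limited to reading pods and their logs in this namespace.
# No create/update/delete/exec verbs, and no ClusterRole, so the grant cannot
# leak into other namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: payments-reader
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# Bind the Role to a group from your identity provider (assumed name),
# never to cluster-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-reader-binding
  namespace: payments
subjects:
  - kind: Group
    name: payments-devs
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: payments-reader
  apiGroup: rbac.authorization.k8s.io
---
# Network: "close all by default". An empty podSelector matches every pod in
# the namespace; listing both policy types with no rules denies all traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Then "open only the needed ports": the API pods accept 8443/TCP from the
# ingress controller namespace, and may only reach cluster DNS and the
# database pod. Note: the kubernetes.io/metadata.name namespace label is set
# automatically from Kubernetes 1.21 on; on older clusters label the
# namespaces yourself before relying on it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-api-allow
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-api
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8443
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:
        - podSelector:
            matchLabels:
              app: payments-db
      ports:
        - protocol: TCP
          port: 5432
```

Two checks worth running after applying this: `kubectl auth can-i delete pods -n payments --as=someone --as-group=payments-devs` should answer `no` while `kubectl auth can-i get pods/log -n payments --as=someone --as-group=payments-devs` answers `yes`; and NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them, so verify with a test pod that a connection to the database port from a pod without the `app: payments-api` label is refused.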

Slide 43

Always keep up to date, both Kubernetes and plugins

Slide 44

And remember, even the best can get hacked. Remain attentive, don’t get too confident

Slide 45

Extensibility: enhance your Kubernetes

Slide 46

Kubernetes is modular. Let’s see how some of those plugins can help you

Slide 47

Helm: a package manager for K8s

Slide 48

Complex deployments

Slide 49

Using static YAML files

Slide 50

Complex deployments

Slide 51

Istio: a service mesh for Kubernetes… and much more!

Slide 52

Istio: a service mesh… but not only

Slide 53

Service discovery

Slide 54

Traffic control

Slide 55

Encrypting internal communications
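Worked example for slide 55, added here and not part of the talk: how Istio's internal encryption is switched on with a mesh-wide `PeerAuthentication` in STRICT mode, relaxed per namespace while legacy workloads without a sidecar are still being migrated, and then used as an identity source by an `AuthorizationPolicy` that only lets one service account talk to the database. The namespaces `legacy` and `payments` and the workload names are assumptions; the resource kinds and fields are Istio's (1.5 and later).

```yaml
# Added example (not from the talk). Mesh-wide default: every sidecar must
# present an Istio-issued client certificate, so plaintext pod-to-pod traffic
# inside the mesh is refused.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system      # the root namespace: applies to the whole mesh
spec:
  mtls:
    mode: STRICT
---
# Migration edge case: a namespace (assumed name) whose pods do not all have a
# sidecar yet. PERMISSIVE accepts both plaintext and mTLS there. Delete this
# object once every workload is injected, otherwise the exception stays forever.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: legacy
spec:
  mtls:
    mode: PERMISSIVE
---
# Because peers are now authenticated, the caller's identity (SPIFFE-style
# principal built from namespace and service account) can be used in policy:
# only the payments-api service account may reach the database pods.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-db-callers
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments-db
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/payments/sa/payments-api"]
```

The `principals` rule only works when mTLS is actually in place: without it the sidecar has no verified identity for the caller and the rule silently matches nothing, so the database would become unreachable rather than open. That fail-closed behaviour is the reason to roll STRICT out namespace by namespace and watch for connection errors, rather than flipping the whole mesh at once.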

Slide 56

Routing and load balancing

Slide 57

Rolling upgrades

Slide 58

Rolling upgrades

Slide 59

A/B testing

Slide 60

Monitoring your cluster

Slide 61

Velero: backing up your Kubernetes

Slide 62

Kubernetes: Desired State Management

Slide 63

YAML files allow you to clone a cluster

Slide 64

But what about the data?

Slide 65

Velero: backup and migrate Kubernetes applications and their persistent volumes

Slide 66

S3-based backup, on any S3-protocol-compatible store

Slide 67

Backup all or part of a cluster

Slide 68

Schedule backups

Slide 69

Backup hooks
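Worked example for slides 66 to 69, added here and not part of the talk: a Velero `BackupStorageLocation` pointing at an S3-compatible store, a `Schedule` that backs up one namespace nightly with volume snapshots, and the pod annotations Velero uses to run pre- and post-backup hooks inside a database container. The bucket name, the S3 endpoint, the `payments` namespace, the PVC name and the Postgres deployment are assumptions; the resource kinds, spec fields and annotation keys are Velero's own.

```yaml
# Added example (not from the talk). Velero is assumed to be installed in the
# "velero" namespace with its credentials in the default "cloud-credentials"
# secret; bucket, endpoint and workload names are made up for the example.
---
# Slide 66: any S3-compatible store works through the AWS object store plugin.
apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
  name: default
  namespace: velero
spec:
  provider: aws
  objectStorage:
    bucket: payments-backups           # assumed bucket name
  config:
    region: minio                      # any non-empty value for non-AWS stores
    s3ForcePathStyle: "true"
    s3Url: https://s3.example.internal:9000   # assumed endpoint
---
# Slides 67 and 68: back up part of the cluster (one namespace) on a schedule.
apiVersion: velero.io/v1
kind: Schedule
metadata:
  name: payments-nightly
  namespace: velero
spec:
  schedule: "0 1 * * *"                # cron syntax: 01:00 every day
  template:
    includedNamespaces:
      - payments
    excludedResources:
      - events                         # noise, not worth restoring
    snapshotVolumes: true              # snapshot the persistent volumes too
    ttl: 720h0m0s                      # expire backups after 30 days
    storageLocation: default
---
# Slide 69: backup hooks. Velero reads these annotations from the pod and runs
# the commands in the named container before and after the snapshot, so the
# database flushes to disk and the volume snapshot is consistent.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-db
  namespace: payments
spec:
  replicas: 1
  selector:
    matchLabels:
      app: payments-db
  template:
    metadata:
      labels:
        app: payments-db
      annotations:
        pre.hook.backup.velero.io/container: postgres
        pre.hook.backup.velero.io/command: '["/bin/sh", "-c", "psql -U postgres -c CHECKPOINT"]'
        pre.hook.backup.velero.io/on-error: Fail       # abort the backup, do not ship a bad one
        pre.hook.backup.velero.io/timeout: 60s
        post.hook.backup.velero.io/container: postgres
        post.hook.backup.velero.io/command: '["/bin/sh", "-c", "echo backup finished"]'
    spec:
      containers:
        - name: postgres
          image: postgres:12
          ports:
            - containerPort: 5432
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql/data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: payments-db-data    # assumed PVC name
```

The scheduled backups are named `<schedule>-<timestamp>` and can be listed with `velero backup get`; a restore into another cluster that shares the same BackupStorageLocation is `velero restore create --from-backup <name>`, which is what makes the "migrate" part of slide 65 work. Treat the bucket as sensitive data: it contains every Secret of the backed-up namespaces, so scope the S3 credentials to that bucket only and enable server-side encryption on the store.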

Slide 70

Conclusion, and one more thing…

Slide 71

Kubernetes is powerful: it can make developers’ and DevOps’ lives easier

Slide 72

But there is a price: operating it. Lots of things to think about

Slide 73

We have seen some of them

Slide 74

One more thing… Who should do what?

Slide 75

Different roles: each role asks for very different knowledge and skill sets

Slide 76

Most companies don’t need to operate the clusters, as they don’t build and rack their own servers!

Slide 77

If you don’t need to build it, choose a certified managed solution: you get the cluster, the operator gets the problems

Slide 78

Like our OVH Managed Kubernetes, made with 💗 by the Platform team

Slide 79

Do you want to try? Send me an email to get some vouchers… horacio.gonzalez@corp.ovh.com

Slide 80

Thank you for listening