A presentation at Cloud Expo Europe in March 2020 in London, UK by Horacio Gonzalez
2020-03-11 Kubernetes in production Horacio Gonzalez @LostInBrittany
Who are we? Introducing myself and introducing OVH OVHcloud
Horacio Gonzalez @LostInBrittany Spaniard lost in Brittany, developer, dreamer and all-around geek Flutter
OVHcloud: A Global Leader 250k Private cloud VMs running 1 Dedicated IaaS Europe 30 Datacenters Own 20Tbps Hosting capacity : 1.3M Physical Servers 360k Servers already deployed Netwok with 35 PoPs
1.3M Customers in 138 Countries
OVHcloud: Our solutions Cloud Web Hosting Mobile Hosting Telecom VPS Containers ▪ Dedicated Server Domain names VoIP Public Cloud Compute ▪ Data Storage Email SMS/Fax Private Cloud ▪ Network and Database CDN Virtual desktop Serveur dédié Security Object Storage Web hosting Cloud HubiC Over theBox ▪ Licences Cloud Desktop Securities MS Office Hybrid Cloud Messaging MS solutions
Orchestrating containers Like herding cats… but in hard mode!
From bare metal to containers Another paradigm shift
Containers are easy… For developers
Less simple if you must operate them Like in a production context
And what about microservices? Are you sure you want to operate them by hand?
Taming microservices with Kubernetes
Kubernetes Way more than a buzzword!
Masters and nodes
Some more details
Desired State Management
Extending Kubernetes
Multi-environment made easy Dev, staging, prod, multi-cloud…
Declarative infrastructure Multi-environment made easy
Having identical, software defined environments
I have deployed on Minikube, woah! A great fastlane into Kubernetes
Running a full K8s in your laptop A great learning tool
Your laptop isn’t a true cluster Don’t expect real performances
Beyond the first deployment So I have deployed my distributed architecture on K8s, everything is good now, isn’t it?
Minikube is only the beginning
From Minikube to prod A journey not for the faint of heart
Kubernetes can be wonderful For both developers and devops
But it comes with a price…
Describing some of those traps To ease and empower your path to production
The truth is somewhere inside…
The network is going to feel it…
The storage dilemma
The ETCD vulnerability
Security Hardening your Kubernetes
The security journey
Kubernetes is insecure by design It’s a feature, not a bug. Up to K8s admin to secure it according to needs
Not everybody has the same security needs
Kubernetes allows to enforce security practices as needed
Listing some good practices
Close open access Close all by default, open only the needed ports Follow the least privileged principle
Define and implement RBAC According to your needs
Define and implement network policies
Use RBAC and Network Policies to isolate your sensitive workload
Always keep up to date Both Kubernetes and plugins
And remember, even the best can get hacked Remain attentive, don’t get too confident
Extensibility Enhance your Kubernetes
Kubernetes is modular Let’s see how some of those plugins can help you
Helm A package management for K8s
Complex deployments
Using static YAML files
Istio A service mesh for Kubernetes… and much more!
Istio: A service mesh… but not only
Service discovery
Traffic control
Encrypting internal communications
Routing and load balancing
Rolling upgrades
A/B testing
Monitoring your cluster
Velero Backing up your Kubernetes
Kubernetes: Desired State Management
YAML files allows to clone a cluster
But what about the data?
Velero Backup and migrate Kubernetes applications and their persistent volumes
S3 based backup On any S3 protocol compatible store
Backup all or part of a cluster
Schedule backups
Backups hooks
Conclusion And one more thing…
Kubernetes is powerful It can make Developers’ and DevOps’ lives easier
But there is a price: operating it Lot of things to think about
We have seen some of them
One more thing… Who should do what?
Different roles Each role asks for very different knowledge and skill sets
Most companies don’t need to operate the clusters As they don’t build and rack their own servers!
If you don’t need to build it, choose a certified managed solution You get the cluster, the operator get the problems
Like our OVH Managed Kubernetes Made with 💗 by the Platform team
Do you want to try? Send me an email to get some vouchers… horacio.gonzalez@corp.ovh.com
Thank you for listening