Develop and deploy Kubernetes applications with Docker - IBM Index 2018
Download as PPTX, PDF5 likes3,066 views
The document outlines the development and deployment of Kubernetes applications using Docker, highlighting its core principles of independence, openness, and simplicity. It discusses modernizing traditional applications with Docker's container platform, emphasizing efficiency gains and cost reductions. Additionally, it provides insights into the integration of Kubernetes within Docker and architectural details of Docker Enterprise Edition for enhanced security and management.
Develop and deploy Kubernetes applications with Docker - IBM Index 2018
- 1. Patrick Chanezon, @chanezon February 2018 Develop and deploy Kubernetes applications with Docker
- 2. French Polyglot Platforms Software Plumber San Francisco Developer Relations @chanezon
- 3. Agenda 1. Intro: the Docker Platform 2. Modernizing Traditional Applications 3. Kubernetes in Docker 4. Demo: Kubernetes in Docker Desktop 5. General CE/EE Architectures 6. Demo: Kubernetes in Docker EE 2.0 7. EE: Topics on mixed workloads 8. Q&A
- 5. Traditional Micro services ISV / COTS IoT Big Data ML AI ...Serverless Cloud VM Bare Metal Edge Device Docker Platform
- 6. Docker Momentum Docker Hosts 21.0M Growth in Docker job listings 77K% Container downloads 24B Industry Standards
- 7. Enterprise Momentum Portability Agility Security 50% total cost savings
- 8. The Docker Container Platform Enabling the Software Supply Chain • Diverse Applications • Disparate Infrastructure • Lifecycle Management • Orchestrate Complex Systems • Secure by Default • Edge / IoT • Serverless Anywhere
- 9. DEVELOPERS OPERATORS Applications Infrastructure The Docker Platform in a nutshell
- 10. INDEPENDENCE OPENNESS SIMPLICITY Core Principles of the Docker Platform
- 11. Docker Enterprise Edition Docker Community Edition containerd 1 2 3 4 The best container development workflow The best enterprise container security and management Native Kubernetes integration provides full ecosystem compatibility Industry-standard container runtime Docker with Swarm and Kubernetes
- 12. Docker Community Edition Developers EnterpriseContainer Ecosystem The Docker Innovation Model Docker Enterprise Edition 9,149 Open Source Contributors 8800 PRs/Year
- 15. The Innovation Challenge Average IT Spend By Type INNOVATION MAINTENANCE 20% 80% 20% 40% 60% 80% 100% 0% 1% Windows Server 2008 Windows Server 2012 Windows Server 2000 Windows Server 2003 Red Hat, Other Linux, Other OS Server OS Market Share Sources: Bank of America, Spiceworks, SolarWinds 18% 45% 24% 12%
- 16. Source: RightScale 2017 State of the Cloud Report Top Priority for Enterprise IT 2016 2017 39% 50% 27% 29% 23% 9% 10% 10% Leverage Hybrid Cloud Use Public Cloud Build Private Cloud Use Hosted Cloud Enterprise Priority: Portability
- 17. 50+% 79% Major Release Frequency 0 Weekly Monthly Quarterly Annually 5% 10% 15% 20% 25% More than 2 years Enterprise Priority: Agility Source: Plutora, CIO Insight Release 6x or less per year Set increasing release velocity as top IT priority
- 18. Enterprise Priority: Security 60% Source: Forbes 2017 State Of Cloud Adoption And Security Report security concerns slowing cloud adoption
- 19. The Docker Modernize Traditional Apps POC Program Partner Consulting Services Partner Infrastructure Docker Enterprise Edition Portable Agile Secure Efficient < 5 days + + No Code Changes App Existing Application Convert to a Docker EE container Modern Infrastructure
- 20. Reducing total costs by 50% MTA POC Impact Hybrid Cloud-Ready Portability Agility 2x Faster Security Isolation & Integrity
- 21. The Modernization Journey App Existing Application Modern Methodologies Convert to a Docker EE Container Modern Infrastructure Ongoing Innovation
- 22. 22 KEY CHALLENGES • Accumulated thousands of apps, 400+ systems of record and 5 infrastructures over 150 years • Difficult to innovate with majority of budget spent on maintenance SOLUTION • Leverage Docker MTA program to modernize the email opt- out app with Docker EE to drive down total costs Docker EE and MTA create self funding model for container adoption -70% VMs -67% Cores 10x Average CPU utilization + + -66% Total Cost of Ownership 593 Applications RESULTS • Modernization of single app completed in 1 day • Applying model to other apps built with same technology • Business case forecasts a 66% cost reduction
- 23. 23 KEY CHALLENGES • Maintenance costs of managing traditional apps on prem • Code quality was increasingly difficult with outsource software house • App delivery process was too slow for the pace of the business SOLUTION • Leverage Docker MTA program jointly with their trusted partner Accenture App Visibility and Consistency at 50% the Cost RESULTS • 50% savings across all applications • Unified architecture for the first time • New visibility into their outsourced applications
- 25. What is a container orchestrator? Management of containers running in one or more container runtimes
- 27. Docker Enterprise Edition Docker Community Edition containerd The best container development workflow The best enterprise container security and management Docker: Now Powered by Swarm and Kubernetes Native Kubernetes integration provides full ecosystem compatibility Industry-standard container runtime
- 28. Lifecycle of a Kubernetes API Request Kubernetes API Server Authentication Authorization Admission Control etcd
- 29. Orchestrator: Docker Engine with Swarm-Mode Enabled ● github.com/docker/swarmkit ● Declarative State through the “Service” construct ● Built-in Routing Mesh & Overlay networking ● In-memory Raft Store for all state (persisted to disk) ● Built-in CA, per-node cryptographic node identity, mTLS between all endpoints
- 30. Orchestrator: Kubernetes ● github.com/kubernetes/kubernetes ● Scheduling Unit: Pods ● Declarative State through “Controllers”: Deployment, ReplicaSet, DaemonSet … ● Load balancing via Services and Ingresses ● Flat Networking model delegated to plugins
- 31. Docker EE 2.0: A conformant kubernetes distribution
- 32. Test locally on Swarm and Kubernetes Develop with Docker Community Edition on your workstation Deploy to production in Swarm Deploy to production in Kubernetes Docker Community Edition All in one development for Swarm and Kubernetes
- 33. Demo: Kubernetes in Docker Desktop
- 34. Kubernetes in Docker Desktop
- 36. Linuxkit VM Kubernetes CLI Swarm Mode Kubernetes etcd Docker CLI kubeadm Kubernetes in Docker CE (Windows and Mac) Compose CRD Single Docker Engine vpnkitHost fs mounts hyperkit / hyperv
- 37. Docker EE now includes Kubernetes Docker Enterprise Edition Production Ready Windows and IBM P/Z Support Pods, batch jobs, blue-green deployments, horizontal pod auto-scaling Docker Swarm Swarm-Mode Kubernetes Private Image Registry Secure Access and User Management App and Cluster Management Image Security Scanning Content Trust and Verification Policy Management
- 38. GUI Universal Control Plane Trusted Registry Kubernetes CLI Docker Engine Swarm-Mode Docker Swarm Kubernetes etcd CA OIDC Provider Docker CLI Node Agent Reconciler Kubernetes in Docker EE
- 39. Docker EE Architectural Highlights ● Conformant Kubernetes components ran as Docker containers ● Swarm Managers are Kubernetes Masters ● Swarmkit node inventory is source of truth ● Cryptographic Node Identity and mTLS used throughout
- 40. - Easy High Availability provisioning - Cryptographic node identity Features Swarm Support - Registry - Content Trust - Secure Scanning - Clean upstream integration - Full ecosystem compatibility - Role Based Access Control - Authorization, Authentication - Node Segmentation Secure Cluster Lifecycle Secure Supply Chain 100% Interoperability Secure Multi-tenancy Management Dashboard Supported and Certified on Windows Server and Major Linux Distributions Kubernetes Support Docker Enterprise Edition Management for Swarm and Kubernetes
- 41. Demo: Kubernetes in Docker EE 2.0
- 42. Uses of Kubernetes Plugin Interfaces
- 43. Authentication ● X509 Client Certificates ○ Used for authentication of kubectl and the docker CLI via the “client bundle” feature ● OpenID Connect Identity Provider ○ GUI sessions use a custom identity provider and a token exchange service to authenticate with the OIDC authentication plugin
- 44. Authorization ● All requests authorized via the Authorization Webhook plugin ● Custom RBAC system shared between Swarm and Kubernetes: ○ Users, Teams, Organizations, Service Accounts ○ Custom Roles ○ Hierarchical “Grants” ● No support for the rbac.authorization.k8s.io API, future plans for API translation
- 45. Admission Control ● Allows plugins to inspect, mutate or reject API requests after authorization ● Used for: ○ Orchestrator Selection ○ Linking nodes to namespaces ○ User Impersonation for Stacks ○ Image Signing policy enforcement
- 46. Orchestrator Selection ● Each node is running both kubernetes and swarm system components ● Administrators can toggle between (kubernetes, swarm or mixed) for any given node ● When toggling orchestrators, workloads of the previous orchestrator will be evicted ● An admission controller ensures that kubernetes workloads can only be scheduled on nodes labelled as “kubernetes” nodes. ● Workloads of multiple orchestrators on the same node can lead to resource contention Manager Node (K8s, Swarm) Worker Node (Swarm) Worker Node (Kubernetes) Worker Node (Kubernetes) Kubelet Swarm Agents Kubelet Kubelet Kubelet Swarm Agents Swarm Agents Swarm Agents
- 47. Linking Nodes to Namespaces ● Allows users to uniquely assign nodes to namespaces. ● Variation of the PodNodeSelector admission controller integrated with UCP’s RBAC system
- 48. Image Signing Policy Enforcement ● Enforces that all workloads deployed in the cluster have a fully qualified image reference ● Resolves image references to always include a digest ● Contacts the registry to ensure that the referenced image has been signed by an authorized user.
- 49. The Tao of Docker
- 50. 之道 Tao, The Way
- 51. 之道 Tao
- 52. 无为 Wu-wei, Effortless action
- 53. 无为 Wu-wei, Effortless action
- 55. 自然 Ziran, Naturalness container based No state No couplingbounded context
- 56. 无为 Modernize traditional applications without coding The Docker 之道 自然 Create microservice applications with the container platform that started the container revolution
- 57. www.docker.com/kubernetes Beta signup is open! GENERALLY AVAILABLE Q1 2018 Docker: Now powered by Swarm and Kubernetes
Editor's Notes
- #4: General Architecture: Compose, DCT Plugins, Networking HA, Reconciliation, Promotion Installation/Upgrade ?? (optional, talk with vivek) Storage Mixed Workloads: Interop, mixed “stacks” Resource Contention
- #38: Windows containers are different
- #40: Runs on Docker EE engine Swarm-mode Managers are Kubernetes Masters Swarm-modet node inventory is source of truth Cryptographic Node Identity and mTLS used throughout Unmodified Kubernetes components run as Docker containers UCP Agent/Reconciler manages component lifecycle Manager / Worker states Certificate validity Patching and upgrades Leverage Kubernetes extension model (webhooks, initializers, flexvolume, CNI, etc.) We will submit the product and aim to pass the Certified Kubernetes Conformance program
- #46: Requests arriving to the UCP controller against the kubernetes API will have their session token exchanged for a long-lived identity token. The request is then forwarded to the kubernetes API server which is configured to trust UCP’s identity tokens.
- #47: A Grant is either a RoleBinding or a ClusterRoleBinding
- #48: Grant creation is UCP-specific