
Centralizing Kubernetes Management in Restrictive Environments


While developers see and realize the benefits of Kubernetes (how it improves efficiency, saves time, and lets them focus on the unique business requirements of each project), InfoSec, infrastructure, and software operations teams still face challenges managing a new set of tools and technologies and integrating them into existing enterprise infrastructure.

This is especially true for environments where security and governance requirements are so strict as to come into conflict with the cloud-native reference architectures.

During his presentation, Oleg will outline a plan that leverages open source cloud-native technologies while meeting enterprise security and governance requirements. He'll summarize common prerequisites for running Kubernetes in production, show how to use fine-grained controls and separation of responsibilities to meet enterprise governance and security needs, and describe what's needed for a general architecture of a centralized Kubernetes operations layer based on open source components such as Prometheus, Grafana, the ELK Stack, and Keycloak.

The presentation will cover basic requirements for audit, security, authentication, authorization, integration with existing identity management, logging, and monitoring. Additionally, the audience will learn whether cloud-hosted Kubernetes covers these requirements, how to integrate a compliant Kubernetes installation with their existing cloud infrastructure, the limitations of a bare-metal installation, interactions with vSphere's API, achieving HA, reliability and disaster recovery, as well as handling OS upgrades, security patches, and Kubernetes upgrades.

Published in: Technology


  1. Centralizing Kubernetes Management in Highly Restrictive Environments. Oleg Chunikhin | CTO, Kublr
  2. Introductions. Oleg Chunikhin, CTO, Kublr: 20+ years in software architecture & development; working w/ Kubernetes since its release in 2015; CTO at Kublr, an enterprise ready container management platform; Twitter @olgch; @kublr. Like what you hear? Tweet at us!
  3. Kubernetes & Cloud Native in Enterprise Environment
  4. Cloud Native Attributes: lightweight containers; language agnostic; microservices API; stateless/stateful separation; self-service infrastructure; isolated from OS/server deps; agile DevOps processes; highly automated; declarative resource management
  5. Cloud Native Precursors: SRE, DevOps, 12factor app; SOA / microservices, API (management); containers, cloud, virtualization. Cloud Native empowers IT teams to respond to business requirements quickly, reliably, and predictably. Larger enterprises can benefit most, but adoption is lagging behind.
  6. Applications and Architecture: Digital (Web/Mobile); Data Science & Machine Learning; Video Streaming; Digital Transformation and App Modernization; Hybrid Cloud; Multi-Cloud; Edge Computing; Private Cloud; Internet of Things
  7. Enterprise Requirements: multiple/complex environments (on-prem, clouds, hybrid); centralized/unified management and governance (provisioning, monitoring, log collection, IdM/AAA, cost); integration with existing, often legacy, components; security (infrastructure, OS, IdM/AAA); software management (patches, packages, images)
  8. Enterprise Challenges and Constraints: separation of responsibilities (infrastructure, operations, security, legal); network access (white/black-listing, air gap); security tools and processes (infra, OS, platform, apps); OS, platform, and software practices and standards (vendor and version certification; configuration practices; custom package repositories; etc.); regulations; complexity
  9. Enterprise Cloud Native (capability map): layers Infrastructure, Container Runtime, Kubernetes; areas Operations, Security & Governance, Managed Services, Application Lifecycle; items: Automation, Ingress, Custom Cfg, Self-service Infrastructure, Logging, Monitoring, Observability, API Usage Reporting, RBAC, IAM, Air Gap, TLS, Secret Management, Audit, Scanning, Network Policies, Storage, Networking, Repos & Registries, Service Mesh, Data, API Mgmt Services, Backup & DR, CI / CD, App Mgmt
  10. K8S Infrastructure Abstraction: the same capability map as slide 9 (Infrastructure, Container Runtime, Kubernetes layers; Operations, Security & Governance, Managed Services, Application Lifecycle areas)
  11. Kubernetes Management Platform
  12. Kubernetes Management (diagram): K8S clusters (Dev, PoC, Prod) running in cloud(s) and the data center; a management layer with API, UI, cluster registry, log collection, operations, monitoring, IAM/RBAC/SSO/federation, DR, binary repos, and infrastructure management; connected to the clusters via the K8S API and to providers via the cloud/infra API
  13. Infrastructure Automation, Cluster Architecture (diagram): control center with orchestration store and discovery & orchestration; master running K8s master components (etcd, scheduler, API, controller), Docker, kubelet, and an ops agent (orchestration and configuration agent); nodes running Docker, kubelet, an ops agent, and infrastructure and application containers; overlay network, discovery, and connectivity between them
  14. K8S Monitoring with Prometheus: discover nodes, services, pods via K8S API; query metrics from discovered endpoints; endpoints are accessed directly via internal cluster addresses (diagram: Prometheus and Grafana inside the Kubernetes cluster, discovery via the K8S API, metrics from nodes and pods)
  15. Centralized Monitoring (diagram): control plane with cluster registry, central Prometheus, Grafana, and configurator; each Kubernetes cluster runs a Prometheus collector; nodes, pods, and service endpoints are reached through the K8S proxy API; Prometheus config and Prometheus data are shipped externally
  16. K8S Logging with Elasticsearch: Fluentd runs on nodes; OS, K8S, and container logs collected and shipped to Elasticsearch; Kibana for visualization (diagram: pods, logs, Elasticsearch and Kibana inside the cluster)
  17. Centralized Log Collection (diagram): in each Kubernetes cluster Fluentd filters logs and an MQTT forwarder ships them externally; the control plane holds cluster registry, configurator, messaging config, RabbitMQ (MQTT, shovel), Logstash (filter, analyze), Elasticsearch, and a Prometheus collector; port forwarding goes through the K8S proxy API
  18. Enterprise Kubernetes: the same capability map as slide 9 (Infrastructure, Container Runtime, Kubernetes layers; Operations, Security & Governance, Managed Services, Application Lifecycle areas)
  19. Q&A. Take Kublr for a test drive! kublr.com/deploy, free non-production license
  20. Stay in touch! Sign up for our newsletter at kublr.com. Oleg Chunikhin, CTO, Kublr, oleg@kublr.com, @olgch. Kublr | kublr.com, @kublr
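Slides 14 and 15 contrast a Prometheus that scrapes internal cluster addresses directly with a central one that reaches nodes through the K8S proxy API. The following is an added illustration of that second pattern, not configuration from the deck or from Kublr: a Prometheus scrape job for an out-of-cluster collector, plus the least-privilege ClusterRole its service account needs. The API server hostname, file paths and account name are placeholders.

```yaml
# prometheus.yml fragment for a central Prometheus running OUTSIDE the
# cluster: discover nodes via the Kubernetes API, then scrape each kubelet's
# /metrics through the API server proxy instead of the node's internal IP.
# Hostname, file paths and account name are placeholders.
scrape_configs:
  - job_name: kubernetes-nodes-via-apiserver
    scheme: https
    tls_config:
      ca_file: /etc/prometheus/clusters/prod/ca.crt
    authorization:
      credentials_file: /etc/prometheus/clusters/prod/token
    kubernetes_sd_configs:
      - role: node
        api_server: https://k8s-api.prod.example.internal:6443
        tls_config:
          ca_file: /etc/prometheus/clusters/prod/ca.crt
        authorization:
          credentials_file: /etc/prometheus/clusters/prod/token
    relabel_configs:
      # Keep node labels (e.g. role, zone) as metric labels.
      - action: labelmap
        regex: __meta_kubernetes_node_label_(.+)
      # Point every scrape at the API server, not the discovered node address.
      - target_label: __address__
        replacement: k8s-api.prod.example.internal:6443
      # Route the request to that node's kubelet through the proxy endpoint.
      - source_labels: [__meta_kubernetes_node_name]
        regex: (.+)
        target_label: __metrics_path__
        replacement: /api/v1/nodes/$1/proxy/metrics
---
# RBAC for the service account whose token the central Prometheus presents:
# list/watch nodes for discovery and GET nodes/proxy for the scrape, nothing
# else. Apply in the monitored cluster and bind it to that service account
# with a ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus-central-collector
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["nodes/proxy"]
    verbs: ["get"]
```

With this, the only network path the control plane needs into each cluster is the API server itself. Because every scrape is then an authenticated API request, it is subject to the API server's authorization, audit logging and rate limiting rather than bypassing them.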
