KUBERNETES DEPLOYMENTS: A "HANDS-OFF" APPROACH
Kubernetes Meetup Dortmund
Rodrigo Reis, 2018-01-24
ZALANDO IN NUMBERS
● > 4.5 billion EUR (2017)
● > 200 million visits per month
● > 14,000 employees in Europe
● > 70% of visits via mobile devices
● > 22 million active customers
● > 250,000 product choices
● ~ 2,000 brands
● 15 countries
WE BRING FASHION TO PEOPLE IN 15 COUNTRIES
(map of market launches by year: 2008-2009, 2010, 2011, 2012-2013)
OUR FOOTPRINT AROUND EUROPE (as of November 2017)
● Berlin: headquarters and outlet
● Brieselang: fulfillment center
● Erfurt: fulfillment center and tech office
● Mönchengladbach: fulfillment center and tech office
● Lahr: fulfillment center
● Dortmund: tech hub
● Frankfurt: outlet
● Dublin: tech hub
● Helsinki: tech hub
● Milan (Stradella): fulfillment center
● Köln: outlet
● Paris (Moissy-Cramayel): fulfillment center
● Szczecin (Gryfino): fulfillment center
● Hamburg: AdTech lab
● Stockholm (Brunna): fulfillment center (start winter 2017)
OUR FOOTPRINT AROUND EUROPE: TECH (as of November 2017)
The same map, highlighting the tech locations: Berlin (headquarters), Erfurt and Mönchengladbach (tech offices), Dortmund, Dublin and Helsinki (tech hubs) and Hamburg (AdTech lab).
WE ARE CONSTANTLY INNOVATING TECHNOLOGY
Home-brewed, cutting-edge & scalable technology solutions
● ~ 1,900 employees from 7 tech locations (HQ in Berlin)
● 77 nations help our brand to WIN ONLINE
TECH INFRASTRUCTURE
ZALANDO TECH PLATFORM: THE COMPLETE HISTORY (ABRIDGED)
● 2008, PHP: data center, PHP files
● 2010, Zomcat: data center, WAR, LXC
● 2015, STUPS: AWS, Docker, Cloud Formation, low level (AWS API)
● 2016, Kubernetes: AWS, Docker, Cloud Formation, Kubernetes manifests, higher abstraction level
SCALE?
● 66 clusters
● 329 accounts
GROWTH
(two chart slides; the figures are not in the extracted text)
OUR KUBERNETES ARCHITECTURE
CLUSTER COMPONENTS
Hosted in AWS. Three Cloud Formation stacks:
● Master & Worker ASGs + etcd
● Nodes with Container Linux
Kubernetes manifests applied separately:
● Kube-system Deployments
● DaemonSets
OPEN SOURCE ☺ https://github.com/zalando-incubator/kubernetes-on-aws
AT A GLANCE
Standard Kubernetes topology: the user talks to the API Server through kubectl. Master Nodes run the API Server, Scheduler and Controller Manager, backed by etcd. Each Worker Node runs a Kubelet that manages Pods, each Pod holding one or more Containers.
ISOLATED AWS ACCOUNTS
Each product (for example "Product XYZ") gets its own AWS account (xpto, xpti, ...). Every account has its own Load Balancer and its own DNS zone (*.xpto.example.org, *.xpti.example.org) exposed to the Internet.
CLUSTER PROVISIONING
1. The user creates the cluster in the Cluster Registry (backed by Postgres).
2. The Cluster Lifecycle Manager picks it up from the registry, takes the cluster configuration from Git, and creates a Cloud Formation stack through the AWS API.
3. Cloud Formation provisions the resources: Autoscaling Groups with Master Nodes (running the API Server) and Worker Nodes.
4. The Cluster Lifecycle Manager then applies the Kubernetes manifests against the API Server.
CHALLENGES
● Compliance
● How To Deploy
● Ease Of Use
BUT FIRST... Motivation for Kubernetes
● Resource Efficiency
● Cost Efficiency
● Velocity
● Cloud Independence
THIS IS AN OPPORTUNITY FOR CHANGE
CHALLENGES: COMPLIANCE
Some Of Our Compliance Rules
● Applications must run on certified (or whitelisted) AMIs
● All images must:
○ Come from an authorized Docker repository
○ Contain an SCM Source file
○ Be versioned
● Code changes must be peer reviewed and approved (4 eyes principle)
CHALLENGES: HOW TO DEPLOY
Options for CI/CD
● Jenkins
● GoCD
● Concourse
● Spinnaker
● Travis Enterprise
● AWS CodeBuild, CodePipeline
Problems with these options
● Non reproducible builds
● Not cloud ready
● No automatic setup
● Difficult to scale up/down
● 2 Configuration Steps
● Manual credential configuration
● Lack of Kubernetes support
CHALLENGES: EASE OF USE
The developer workflow runs from idea, design and plan through code, test, build and deploy. Every step after coding raises questions the developer has to answer: which version? is it compliant? what sizing? what cost? which CI/CD?
QUESTION
What if the developer didn't have to worry about those steps?*
*coding not included
A DIFFERENT APPROACH
● Hands Off
● Compliant By Default
● Secure By Default
A DIFFERENT APPROACH
● Hands Off
● Compliant By Default
● Secure By Default
What this means in practice:
➢ No Manual Access to Live*
➢ Automate Setup/Deployment Steps
➢ Separate Test and Live Environments
*Some exceptions apply
A DIFFERENT APPROACH: HANDS OFF
Back to our options for CI/CD, with one more entry:
● Jenkins
● GoCD
● Concourse
● Spinnaker
● Travis Enterprise
● AWS CodeBuild, CodePipeline
● In-house developed (CDP)
A DIFFERENT APPROACH: HANDS OFF
CDP
● Fully Integrated With Kubernetes
● No Need To Manage CI Infrastructure
● Triggered By Code Changes
● More To Come...
CDP DEPLOYMENT PIPELINE
The developer pushes code to GitHub Enterprise (GHE). GHE triggers CDP, CDP pulls the code and deploys it into the target account (xpto).
CDP DEPLOYMENT DEFINITION (delivery.yaml)

version: "2017-09-20"
pipeline:
- id: deployment
  desc: Deploy to xpto
  type: process
  target: xpto
  process: microservice_standard_deployment
  config:
    apply_permanent_resources:
      env:
        TARGET: playground
        APPLICATION: nginx-hello-world
        IMAGE: registry.opensource.zalan.do/teapot/nginx-hello-world
        VERSION: "0.2"
        REPLICAS: "3"
CDP CONFIGURATION
Repository layout generated by zkubectl init:

├── delivery.yaml             # CDP Config
└── deploy
    └── apply
        ├── deployment.yaml   # K8S Deployment
        ├── ingress.yaml      # K8S Ingress
        └── service.yaml      # K8S Service

$ zkubectl init --kubernetes-cluster=xpto
Writing delivery.yaml.. OK
Writing NOTES.txt.. OK
Writing deploy/apply/deployment.yaml.. OK
Writing deploy/apply/ingress.yaml.. OK
Writing deploy/apply/service.yaml.. OK
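What deploy/apply/deployment.yaml looks like once the values from the delivery.yaml above (APPLICATION, IMAGE, VERSION, REPLICAS) have been filled in. This is an added example, not the file zkubectl init actually writes: the label keys, the container port, the resource figures, the readiness probe and the securityContext (which assumes the image runs as a non-root user) are assumptions a practitioner would add, not something the slides state.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-hello-world            # APPLICATION
  labels:
    application: nginx-hello-world   # label key is an assumption
    version: "0.2"                   # VERSION
spec:
  replicas: 3                        # REPLICAS
  selector:
    matchLabels:
      application: nginx-hello-world
  template:
    metadata:
      labels:
        application: nginx-hello-world
        version: "0.2"
    spec:
      containers:
      - name: nginx-hello-world
        # IMAGE:VERSION; only an authorized registry passes CDP's compliance check
        image: registry.opensource.zalan.do/teapot/nginx-hello-world:0.2
        ports:
        - containerPort: 8080        # assumption: port the image listens on
        resources:                   # assumption: sizing chosen for the example
          requests:
            cpu: 10m
            memory: 32Mi
          limits:
            cpu: 100m
            memory: 64Mi
        readinessProbe:              # rolling updates only proceed on healthy pods
          httpGet:
            path: /
            port: 8080
        securityContext:             # assumption: the image runs as non-root
          runAsNonRoot: true
          allowPrivilegeEscalation: false
```

Pinning the version label and the image tag to the same VERSION value keeps the running pods traceable to the build CDP produced, which is what the "must be versioned" rule is for.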
CDP DEPLOY PIPELINES
(screenshot of the CDP pipeline UI)
A DIFFERENT APPROACH: COMPLIANT BY DEFAULT
Kubernetes AMIs
● Developers don't have to choose an instance type or AMI
  ○ Deployments result in Pods running on existing Worker Nodes
● All Kubernetes Nodes are based on compliant, whitelisted AMIs
Docker Repository
● CDP only pulls images from authorized repositories
● When pushing images, CDP automatically includes:
  ○ SCM Source information
  ○ Version tagging
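The three image rules (authorized repository, SCM source file, version tag) as a checker that a pipeline step or an admission hook could run before an image is deployed. This is an added example written for this page, not CDP's or Zappr's code. The registry allow-list, the scm-source.json field names (url, revision, author, status, with status holding the uncommitted-changes output and being empty when the tree was clean) and the sample image references are assumptions constructed for the example.

```python
"""Image compliance check modelled on the rules listed in the talk."""
import json
import re

# Assumption: allow-list built from the two registry hosts shown in the slides.
AUTHORIZED_REGISTRIES = {
    "pierone.stups.zalan.do",
    "registry.opensource.zalan.do",
}

# Tags that do not pin a build and therefore violate "must be versioned".
UNVERSIONED_TAGS = {"", "latest", "master", "main"}

# Assumption: fields expected in the scm-source.json baked into the image.
SCM_SOURCE_FIELDS = ("url", "revision", "author", "status")

_IMAGE_RE = re.compile(
    r"^(?P<registry>[^/@]+\.[^/@]+|localhost(?::\d+)?)/"   # explicit host only
    r"(?P<repository>[a-z0-9][a-z0-9._/-]*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_image(ref):
    """Split host/team/app:tag[@digest] into parts; None if the reference has no
    explicit registry host (an implicit Docker Hub default is never authorized)."""
    m = _IMAGE_RE.match(ref)
    return m.groupdict() if m else None


def check_image(ref, scm_source_json):
    """Return the list of rule violations for an image; an empty list is compliant."""
    violations = []
    parts = parse_image(ref)
    if parts is None:
        return ["unparsable image reference or no explicit registry: %r" % ref]

    # Rule 1: the image must come from an authorized repository.
    if parts["registry"] not in AUTHORIZED_REGISTRIES:
        violations.append("registry %s is not authorized" % parts["registry"])

    # Rule 2: the image must be versioned (a pinned tag or a digest).
    tag = parts["tag"] or ""
    if tag in UNVERSIONED_TAGS and not parts["digest"]:
        violations.append("image is not versioned (tag %r)" % tag)

    # Rule 3: the image must carry a usable SCM source file.
    try:
        scm = json.loads(scm_source_json) if scm_source_json else None
    except ValueError:
        scm = None
    if not isinstance(scm, dict):
        violations.append("scm-source.json missing or invalid")
    else:
        missing = [f for f in SCM_SOURCE_FIELDS
                   if f not in scm or (f != "status" and not scm[f])]
        if missing:
            violations.append("scm-source.json lacks " + ", ".join(missing))
        elif str(scm["status"]).strip():
            # Uncommitted changes: the recorded revision does not identify the code.
            violations.append("scm-source.json status is not clean: %r" % scm["status"])
    return violations


# Constructed sample inputs (not real images or commits).
GOOD_SCM = json.dumps({
    "url": "git:git@github.example.org:kraken/knowledge-base.git",
    "revision": "4e1c2a7d9b0f3c6e8a5d1b2c3d4e5f6a7b8c9d0e",
    "author": "rreis",
    "status": "",
})

SAMPLES = [
    ("pierone.stups.zalan.do/kraken/knowledge-base:42", GOOD_SCM),
    ("registry.opensource.zalan.do/teapot/nginx-hello-world:0.2", GOOD_SCM),
    ("docker.io/library/nginx:latest", GOOD_SCM),
    ("pierone.stups.zalan.do/kraken/knowledge-base:latest", None),
]


def audit(samples=SAMPLES):
    """Map each sample image reference to its list of violations."""
    return {ref: check_image(ref, scm) for ref, scm in samples}


if __name__ == "__main__":
    for image, problems in audit().items():
        print(image, "OK" if not problems else "; ".join(problems))
```

The check is deliberately strict about implicit registries: a bare `nginx:latest` is rejected outright rather than resolved to Docker Hub, because the rule is about where an image came from, not just what it is called.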
CDP BUILD PIPELINE
A push to GitHub Enterprise (GHE) triggers CDP, which builds the image and pushes it to the registry.
CDP BUILD DEFINITION (delivery.yaml, auto-generated by CDP)

version: "2017-09-20"
pipeline:
- id: build
  type: script
  commands:
  - desc: Build and push Docker image
    cmd: |
      IMAGE=pierone.stups.zalan.do/kraken/knowledge-base
      # branch plus CDP build number, passed into the image as BUILD_VERSION
      RELEASE_VERSION=${CDP_SOURCE_BRANCH}-${CDP_BUILD_VERSION}
      # the image tag is the CDP build number, so every push is versioned
      RELEASE_IMAGE=${IMAGE}:${CDP_BUILD_VERSION}
      docker build --build-arg BUILD_VERSION=${RELEASE_VERSION} \
        -t ${RELEASE_IMAGE} .
      docker push ${RELEASE_IMAGE}
DEVELOPER CONSOLE: CREATING A NEW REPOSITORY
(screenshot of the console form)
DEVELOPER CONSOLE: CREATING A NEW REPOSITORY
When a repository is created through the console:
● A hook is configured for triggering CDP
● Zappr is configured, enforcing Pull Request approvals before merge
  ○ Zappr is a GitHub extension developed at Zalando
OPEN SOURCE ☺ https://zappr.opensource.zalan.do
A DIFFERENT APPROACH: COMPLIANT BY DEFAULT
Our Compliance Rules, revisited
● Applications must run on certified (or whitelisted) AMIs ✓
● All images must: ✓
○ Come from an authorized Docker repository ✓
○ Contain an SCM Source file ✓
○ Be versioned ✓
● Code changes must be peer reviewed and approved (4 eyes principle) ✓
A DIFFERENT APPROACH: SECURE BY DEFAULT
● Test and Production environments are completely isolated
● A Kubernetes Test Cluster is also provisioned
  ○ Manual access is permitted there
● IAM credentials are isolated between test and live environments
  ○ The test environment uses a different OAuth provider, so tokens issued for one environment are not valid in the other
SO THIS...
(the two-account picture from the Isolated AWS Accounts slide: xpto and xpti, each with its own Load Balancer and DNS zone)
IS ACTUALLY THIS
Every product account is paired with a test account: xpto with xpto-test and xpti with xpti-test. Each of the four accounts has its own Load Balancer and its own DNS zone (*.xpto.example.org, *.xpto-test.example.org, *.xpti.example.org, *.xpti-test.example.org) facing the Internet.
PUTTING IT ALL TOGETHER
1. A user creates a Pull Request (PR) in GitHub Enterprise (GHE)
2. The PR triggers CDP
   ➢ CDP deploys the PR to the Test Kubernetes Cluster (xpto-test account)
3. Another user approves the PR and merges to Master
4. The merge to Master triggers CDP again
   ➢ CDP deploys Master to the Production Kubernetes Cluster (xpto account)
CONCLUSION
● CDP enables hands-off deployments to Kubernetes
● Compliance is automatically handled by CDP and the Developer Console
● Test and Production are guaranteed to be separated through credentials isolation
Automation saves time. New features go live faster. Isolation secures environments. Developers focus on business-specific features.
LINKS
Kubernetes on AWS Docs
http://kubernetes-on-aws.readthedocs.io/en/latest/admin-guide/kubernetes-in-production.html
Zalando Cluster Configuration
https://github.com/zalando-incubator/kubernetes-on-aws
Skipper HTTP Ingress Router
https://github.com/zalando/skipper/
Kube AWS Ingress Controller
https://github.com/zalando-incubator/kube-ingress-aws-controller
External DNS
https://github.com/kubernetes-incubator/external-dns
PostgreSQL Operator
https://github.com/zalando-incubator/postgres-operator
Zappr
https://zappr.opensource.zalan.do
THANK YOU. QUESTIONS?
rodrigo.reis@zalando.de
Thanks to Dimitrij Holev
2018-01-23
Rodrigo Reis, Software Engineer, Digital Foundation
