Creating Microservices Applications with IBM Cloud Private (ICP) - Introduction to IBM Cloud Private
1. © 2019 IBM Corporation
IBM Cloud Private Overview
2. To accelerate digital transformation, enterprises are extending their applications and data to "clouds"…
[Figure: Current Application Landscape (Private Clouds, Datacenters) alongside The New Application Landscape (Infrastructure & Platform Services; AI, Blockchain & IoT Services)]
NOTE: The above is a representative example only
The new landscape will be multi-cluster & multi-cloud
3. Transformation uses multiple concurrent approaches … to minimize risk & cost while leveraging new & existing investments to innovate & differentiate
Application Portfolio: Customer Information; Payment Systems; Business Process
Evolution to Cloud-based Application:
• Base Virtualization with Standardization & Automation
• On-premises | Off-premises
• VMs | Containers | aPaaS | iPaaS | Event Driven
Cloud native: Loosely-Coupled; 12-factor; Horizontal Scaling; Eventually consistent; Microservices; Auto-scaling; DevOps & CI; Self-recovering
➡ Lift-Standardize-Consolidate-Automate-Shift: Bare metal, VMs, Containers, Automation - SDDC
➡ Contain-Expose-Extend: API Creation & Management, Connectivity & Integration
➡ Refactor / Create as Cloud-Native / Microservices (New Applications): Event-Driven, aPaaS, Containers, Microservices
➡ Data Classification, Movement & Governance: Cognitive Data Classification, High-volume data transfer, Metadata Management
4. [Figure: IBM Cloud Private stack; labels: Containers & Common Services; Automation & Orchestration; Next Generation Middleware, Data & Analytics; Cloud-enabled middleware; Self-service Experience; Integration Services & Cloud Native Programming Models; Integration & Hybrid Cloud APIs; Public Cloud Services (Machine Learning on p/z, Blockchain, Business Process); Data & Apps; Cloud Native Services & Runtimes; New Applications; On-Premises Software & Services]
Use cases driving private cloud adoption:
• Optimize legacy apps with cloud
• Open your datacenter to work with cloud services
• Create new cloud native applications
5. Enterprises will face new challenges in broadening the adoption of Cloud to critical applications…
CHALLENGES
APPLICATION PORTABILITY: Regulations; Data Locality; Provider Availability in Region; Cost
DATA MOVEMENT & GOVERNANCE: New Analytics & AI Services; Data Privacy & Risk; Data Gravity & Performance; Network Cost; Data Gravity & Lock-in
APPLICATION ARCHITECTURE & DEVELOPMENT: Microservices; New Languages & Runtimes; APIs; DevOps & Skills
INTEGRATION: APIs & API Management; Existing Applications; Transactions; Agility
SERVICE MANAGEMENT: Monitoring/SRE; SLAs; Problem Diagnosis; HA/DR; Scale & Dynamicity
SECURITY & COMPLIANCE: Identity & Authorization; Audit; Shared Responsibility Models; Regulatory Compliance
6. IBM Cloud Private
Kubernetes based container platform: industry leading container orchestration platform across private, dedicated & public clouds
Common Services for prescribed application development & deployment: to simplify operations management, DevOps and hybrid integration
IBM Middleware, Data & Analytics Services: cloud enabled middleware, application runtimes, messaging, databases and analytics to optimize current investments and rapidly innovate
Cloud Foundry
7. IBM Cloud Private capabilities
IBM DevOps Tools + Open Source
- Urban Code Release/Deploy
- Cloud Automation Manager
IBM Supported Languages & Frameworks
- Container Images & Buildpacks for Java, Node, Swift, .Net
- Frameworks: Spring, JEE, Mobile, Many Node & Reactive
IBM Cloud Private Catalog
- Helm Charts
- Patterns
- Cloud Foundry Services
IBM API Connect
- API Management
- Multi-cloud
- Open Standards
Management
- For Containers & Cloud Foundry
- Metrics
- Common Ops functions
- Identity, RBAC & Policies
- Capacity & Placement with Cloud Matrix
Common Services
- Monitoring: Prometheus, Grafana
- Logging: ELK
- IAM: Built-in + Federation to Enterprise
- Metering: Product insights
- Key Management: Vault
Optimized runtimes for workloads
- Automation Patterns & Orchestration
- Container images
- Container Orchestration
- Buildpacks
- Actions, Events & Integrations
Infrastructure
- Reuse existing infrastructure & virtualization
- Multiplatform support (Intel, System p & z)
- IBM Managed services
- IBM Storage
Built upon Open Technologies
8. The Four Tenets
Enterprise grade. Open by design.
Built on 4 Key Tenets to Drive Enterprise Transformation:
• Rapid Innovation
• Hybrid Integration
• Investment Leverage
• Management and Compliance
9. IBM Cloud Private brings cloud native to the enterprise
Rapid Innovation: Open Kubernetes-based container platform; Cloud Foundry for app dev and deployment; Integrated DevOps toolchain
Hybrid Integration: Integration capabilities to unlock and connect; Secure access to public cloud services (AI, Blockchain); Consistent experience across private/public
Investment Leverage: Containerized versions of IBM Middleware (WebSphere, MQ, DB2, DSX and popular Open Source); Prescriptive guidance to optimize workloads; Work with existing apps, data, skills, infrastructure
Management and Compliance: Core operational services including logging, monitoring, security; Flexibility to integrate with existing tools and processes
10. Broadening the adoption of cloud
• Preserve, standardize and automate subset of existing applications. Target: 20-30% (Full Automation)
• Modernize and cloud-enable majority of infrastructure and applications. Target: 70-80%
• Cloud-first approach to new applications and processes. Target: All new applications
Key Challenges:
• Cultural transformation is complex and limits the scope & velocity of movement to cloud native development & management
• Lack of integrated solutions and tools to build new cloud native applications while integrating & evolving existing applications
• Operational challenges in integrating, managing and securing cloud and on-premises applications and data
11. Key use cases are driving private cloud adoption
Multi-cloud management and orchestration
Use Case #1: Create new cloud-native applications
Use Case #2: Modernize and optimize existing applications
Use Case #3: Opening up enterprise data centers to work with cloud services
13. Use case #1: IBM Cloud Private for cloud-native applications
Use case #1: Developers need access to a platform of capabilities to create cloud native applications that meet the security and regulatory requirements of their organization.
IBM's Capabilities:
• IBM Microclimate
• APM for Microservices
• Enterprise grade application development services integrated with the platform runtimes, data and analytics, messaging, DevOps services, …
15. Use case #2: IBM Cloud Private to cloud-enable applications
Use case #2: Developers need to cloud enable applications that meet security and regulatory needs. IBM Cloud Private provides the platform for rapidly developing and deploying cloud enabled applications, while meeting the security and regulatory needs of the enterprise.
IBM's capabilities:
• Transformation Advisor provides guidance on where to run your critical workloads
• Next generation versions of industry leading IBM Middleware and Analytics (WAS, MQ, DB2) to speed innovation and gain new insights into data
• Vulnerability assessment
• Elastic runtimes enable the enterprise to scale up and scale down as needed
17. Use case #3: IBM Cloud Private for hybrid cloud applications
Use case #3: Enterprises need to integrate data and application services (from other locations) in their new cloud native and cloud enabled applications which are running in their own data center.
IBM's capabilities:
• Kubernetes-based orchestration platform
• API Management, Application Integration Suite
• Cloud Foundry platform for service syndication
• Multi-cloud deployments through CAM
• APM for Hybrid Workload
18. Use case #3: New applications need an agile cloud architecture
[Figure: three-tier view; columns are Coding Artifacts, Life Cycle Management, Data Artifacts and Blueprints]
Front-end (Micro Apps, Native Apps; Public, Off-Premise): very fast life cycle; speed of deploy and execution; scale for the unpredictable
BL-Tier (Micro Services, Containers; Private, On/Off-Premise): fast and automated life cycle; fast repeatable deploys; elastic behavior
Back-end (Enabled Apps, Transactions, Traditional Apps; Private, On-Premise): more stable and predictable life cycle; API/WS exposure for up stream levels; elastic throttling
Hybrid Integration: Records; Master Data; Transaction Data; Processes; Applications
19. IBM Cloud Private changes your daily work routine
Todd, Operations / Admin: Responsible for infrastructure, security, and management of the environment.
Jane, Enterprise Developer: Responsible for modernizing existing applications and creating new Cloud Native Workloads.
IBM Cloud Private empowers both developers and administrators to meet business demands:
• IT Operations and Administrators can quickly set up a modern, flexible, and compliant private cloud on enterprise infrastructure that enables enterprise developers to innovate; they can also integrate with their existing management tools and processes
• Developers can create new cloud-native applications, optimize existing ones, and securely connect their applications with data and services across all clouds
22. Kubernetes brings orchestration primitives to support different styles of workloads:
• Stateless (ReplicaSets)
• Stateful (StatefulSets)
• Batch (Jobs)
• System (DaemonSets)
23. How do you manage these containers in production?
24. Every container produces logs
Logs are critical for debugging and post-mortem in production failures
25. 12-factor apps break down into many microservices, so you're really debugging logs across many containers
Many logs are written in files within the container
.. and IBM containers use filebeat to stream these logs
ELK + Filebeat is part of IBM Cloud Private
26. IBM Cloud / DOC ID / Month XX, 2017 / © 2017 IBM Corporation
27. Every container must have its health monitored
Basic liveness probes in Kubernetes ensure failed pods are restarted.
But this is only the beginning of your monitoring challenge across a containerized platform
28. Every app container .. every middleware container .. produces health metrics .. we configure custom prometheus collectors for custom metrics
Custom metrics help provide insights and building blocks for custom alerts and custom dashboards
Prometheus + Grafana is part of IBM Cloud Private
30. Every container must be managed for license usage
Showback per namespace is supported now
IBM Metering is part of IBM Cloud Private
32. Containers are constantly changing
[Figure: successive image versions V1, V2, V3, V4, V5]
Vulnerabilities must be identified on an ongoing basis
IBM Vulnerability Advisor is part of IBM Cloud Private
34. Containers are everything! … but not everything is a container yet.
IBM Cloud Automation Manager enables hybrid workload management, which is part of IBM Cloud Private
35. Most apps today aren't in containers … and customers need help to modernize these workloads
IBM Transformation Advisor enables insights into existing apps, which is part of IBM Cloud Private
36. Transformation Advisor is a tool that
These inputs are combined with rules and insights gained from years of working with WebSphere and WebSphere applications to provide recommendations for your cloud journey.
• Leverage existing application logic
• Need to accelerate application development and maintenance
• Monolithic applications that are complex and brittle
Included and deployed on IBM Cloud Private
Introspects existing WebSphere Deployments (THE source of truth)
Provides recommendations for Application Modernization
Enabling app modernization for our existing estates is part of IBM Cloud Private
37. Transforming innovative ideas … into business value delivered through containers
IBM Microclimate enables rapid creation of new apps, which is part of IBM Cloud Private
38. Microclimate is an
Applications are run in from day one and can be delivered into production on through an automated DevOps pipeline using . Microclimate can be installed locally or on
Providing an integrated DevOps experience for all apps is part of IBM Cloud Private
39. Helm - Introduction
Helm helps you manage Kubernetes applications: Helm Charts help you define, install, and upgrade even the most complex Kubernetes application.
40. Charts, Repositories and Releases
Charts: A bundle of Kubernetes resources
Repository: A collection of charts
Releases: A chart instance loaded into Kubernetes. The same chart can be deployed several times and each becomes its own release
Providing an easy to use, extend, and compose catalog of IBM and Third-Party content is part of IBM Cloud Private
41. So we've talked about:
• Logging
• Monitoring
• Alerts
• IBM Metering
• IBM Vulnerability Analysis
• IBM Cloud Automation Manager
• IBM Transformation Advisor
• IBM Microclimate
• A rich catalog of content
All of these services require ongoing updates
Ensuring seamless ongoing updates for all services is part of IBM Cloud Private
42. … as Jane or Todd, how do I interact with these services?
Identity & Access Management ensures consistent identity across all platform services and is part of IBM Cloud Private
43. We introduce "Teams" on top of raw Kubernetes Roles/ClusterRoles
Teams bind a collection of resources, both inside and outside of Kubernetes, … to a set of users with defined roles
Our team model is based on the proven access control model from UrbanCode Deploy, which is part of IBM Cloud Private
[Figure: a Team with roles such as Operator and Editor, bound to resources:]
• Namespaces
• Image Repos
• Helm Repos
• Helm Charts
• … and more
44. All of these services expose network endpoints via TLS
All of these services store data which is encrypted at rest
Ensuring data in transit and data at rest security for all platform services is part of IBM Cloud Private
45. All of these services must provide audit logs for actions performed, when they were performed, and who performed the action
Ensuring consistent audit trails for all platform services is part of IBM Cloud Private
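Kubernetes itself records the who/what/when triple asked for above in the API server audit log (audit.k8s.io Event objects, one JSON document per line). The following is an added example, not code from the deck or from IBM Cloud Private: it parses constructed sample events, counts each request once at completion, survives a corrupt line, and answers two questions an auditor asks first (who read which Secret, which requests were denied). The user names, namespace and addresses in the sample are made up.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample records in the Kubernetes API server audit log format
# (audit.k8s.io Event objects, one JSON document per line). Names and addresses
# are made up; the fourth line is deliberately malformed.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"get","user":{"username":"jane@example.com"},"sourceIPs":["10.0.0.12"],"objectRef":{"resource":"secrets","namespace":"payments","name":"db-creds"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2019-03-01T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"list","user":{"username":"system:anonymous"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"secrets","namespace":"payments"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2019-03-01T10:05:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"RequestReceived","verb":"delete","user":{"username":"todd@example.com"},"sourceIPs":["10.0.0.3"],"objectRef":{"resource":"deployments","namespace":"payments","name":"api"},"requestReceivedTimestamp":"2019-03-01T10:10:00.000000Z"}
this line is not JSON and must be skipped
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"delete","user":{"username":"todd@example.com"},"sourceIPs":["10.0.0.3"],"objectRef":{"resource":"deployments","namespace":"payments","name":"api"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2019-03-01T10:10:00.000000Z"}
"""


def parse_audit_events(text):
    """Yield one who/what/when record per completed request; skip the rest."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # corrupt line: skip it, keep processing the trail
        # A request is logged at several stages; count it once, at completion.
        if ev.get("kind") != "Event" or ev.get("stage") != "ResponseComplete":
            continue
        ref = ev.get("objectRef") or {}
        yield {
            "who": ev.get("user", {}).get("username", "<unknown>"),
            "what": f"{ev.get('verb')} {ref.get('resource', '?')}/{ref.get('name') or '*'}",
            "when": datetime.strptime(ev["requestReceivedTimestamp"], "%Y-%m-%dT%H:%M:%S.%fZ"),
            "status": (ev.get("responseStatus") or {}).get("code", 0),
            "source": ",".join(ev.get("sourceIPs", [])),
        }


def audit_trail(text):
    """The full trail ordered by time: who did what, when, and from where."""
    return sorted(parse_audit_events(text), key=lambda e: e["when"])


def secret_reads_by_user(text):
    """Successful reads of Secret objects per user: a first question in any audit."""
    counts = Counter()
    for e in parse_audit_events(text):
        verb, target = e["what"].split(" ", 1)
        if target.startswith("secrets/") and verb in ("get", "list", "watch") and e["status"] == 200:
            counts[e["who"]] += 1
    return dict(counts)


def denied_requests(text):
    """(who, what, source) for requests the API server rejected with 401/403."""
    return [(e["who"], e["what"], e["source"]) for e in parse_audit_events(text)
            if e["status"] in (401, 403)]
```

The same functions run unchanged over a real audit log file read with `open(...).read()`, since the record shape is the API server's own.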
46. Security & Compliance Roadmap Overview
Timeline: March (1Q, complete), then next steps at roughly 2-3 month intervals: May (2Q), September (3Q), December (4Q)
1Q: 2.1.0.2 Release - What's New
• New Kubernetes version 1.9.1 with additional audit log features
• More capabilities in the management console, like: managing secrets, better control of images, and upgrade/roll-back of releases
• Role Based Access Controls for Helm repositories and service brokers
• Vulnerability Advisor (VA)
• Helm API secured with TLS
2Q: PCI Readiness (2.1.0.3)
• Audit Logging - authentication & authorization
• Secrets Management: CLI for Secrets Lifecycle Mgmt
• Key & Certificate Management (Beta, Docs)
• Service ID/API Key enhancements
• GDPR Compliance Ready
3Q: PCI Compliant Configurations (3.1.0)
• Audit Logging - expanded
• SIEM Integration
• File integrity monitoring using "Mutation Advisor" feature in VA
• Image patching improvements
• Integrated Key & Certificate Management w/ customer solutions
• Certificate-Based Authentication
• Custom roles for RBAC (Auditor)
• SAML/Open ID federation to enterprise identity provider
• Complete 3rd Party PCI Audit
• Document & Publish Validated PCI Compliant Configurations
4Q: Continued Compliance Expansion (3.next)
• Image patching improvements
• Image signing & provenance
• Secrets Management: Vault, integrated w/ customer solutions
• Forensic Analysis Capabilities (quarantine workloads, root cause analysis, event timeline)
• Expanded Multi-Cluster Security / Compliance *
• Expanded Federal Compliance
• Focus on NIST Framework
• FISMA / FedRAMP / FIPS
• HIPAA Compliant Configurations
* PCI Audit to begin June; PCI Remediation Complete in Sept.
47. IBM Cloud Private Editions
Community Edition
• Platform: Kubernetes (+ Helm); Core services; Content catalog
• Freely Available in Docker Hub
Cloud Native Edition
• Platform: Kubernetes (+ Helm); Core services; Content catalog (Containers)
• Cloud Foundry (Optional)
• IBM Enterprise Software: Microclimate; WebSphere Liberty; IBM SDK for node.js; Cloud Automation Manager
Enterprise Edition
• Platform: Kubernetes (+ Helm); Core services; Content catalog (Containers)
• Cloud Foundry (Optional)
• IBM Enterprise Software: Cloud Native Edition, plus: WAS ND; MQ Advanced; API Connect Professional