Get SaaSy with Red Hat OpenShift on AWS (CON305-S) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Get SaaSy with Red Hat
OpenShift on AWS
Nicholas Gerasimatos
Emerging Technologies Evangelist, Red Hat
Mandus Momberg
Principal Solutions Architect, AWS
C O N 3 0 5 - S

So many things to consider

Elasticity
Agility
Availability

Shift to the left
Microservices
Breaking down the monolith

ADMIN
EXPERIENCE
SECURITY GUIDANCEAPPLICATION
SERVICES
RED HAT OPENSHIFT

SERVICE CATALOG
(LANGUAGE RUNTIMES, MIDDLEWARE, DATABASES, …)
SELF-SERVICE
APPLICATION LIFECYCLE MANAGEMENT
(CI / CD)
BUILD AUTOMATION DEPLOYMENT AUTOMATION
CONTAINER CONTAINERCONTAINER CONTAINER CONTAINER
NETWORKING SECURITYSTORAGE REGISTRY
LOGS &
METRICS
CONTAINER ORCHESTRATION & CLUSTER MANAGEMENT
(KUBERNETES)
COREOS/
RED HAT ENTERPRISE LINUX
OCI CONTAINER RUNTIME & PACKAGING
INFRASTRUCTURE AUTOMATION & COCKPIT
OPENSHIFT = ENTERPRISE KUBERNETES+

Multi-lane highway

NEW ADMIN-FOCUSED CONSOLE
Users have a choice of experience based on
their role or technical abilities
● Admin/CaaS experience with heavy
exposure to Kubernetes
● AppDev/PaaS experience with
standard OpenShift UX
● Sessions are not shared across the
Consoles but credentials are
● Both hosted on cluster, in openshift-
console and openshift-webconsole
namespaces

VISIBILITY INTO NODES
Expanded ability to manage and
troubleshoot cluster Nodes
● Node status events are extremely
helpful in diagnosing resource pressure
and other failures
● Runs node-exporter as DaemonSet on
all nodes, with a default set of scraped
metrics from kube-state-metrics
project
● Protected through RBAC so metrics
aren’t world readable
● Cluster-reader and above can view
metrics

ACCESS CONTROL MANAGEMENT
Visual management of the cluster’s RBAC
Roles and RoleBindings
● Track down users and service accounts
with a specific Role
● View cluster-wide or namespaced
bindings
● Visually audit a Role’s verbs and objects
Project admins can self-manage roles and
bindings scoped to their namespace

CLUSTER-WIDE EVENT STREAM
Cluster-wide event stream helps you debug
quickly
● All namespaces accessible by anyone
who can list NS and Events
● Per-namespace accessible for all project
viewers
● Optionally filter by category and object
type

Embed unique
operational knowledge
Package and install
on OCP clusters
OPERATOR SDK
Tools to get started quickly embedding
application business logic into an Operator
● Saves you from doing the dirty work
to set up scaffolding
● Help run end-to-end tests of your
logic on a local or remote cluster
● Used by Couchbase, MongoDB, Redis
and more

BUILDS & JENKINS
● Jenkins plugin: Stability improvements with
upgrades to Java client libraries
● Jenkins: Updated to 2.121.3
● Builds: Use ConfigMap for input
oc new-build --build-config-map=mysecrets
● Builds: Ability to set image change triggers,
without immediately triggering builds

* Note: Red Hat Quay releases are not tied to OpenShift releases (standalone product) | ** Clair has independent release cycles, too
Quay v3* (targeted for e/o Nov 2018)
● OCI distribution spec v2_2
○ Manifest list support
○ Required for multi-arch
○ Required to store arbitrary mime-
types (Operator CSVs)
● Quay v3 release
○ Rebranded (Logo, UI)
○ RHEL base image
RED HAT QUAY INCLUDING CLAIR
Clair v3** (planned to be released with Quay v3)
● v3 gRPC API and HTTP/JSON via gRPC Gateway
● A new immutable data model
○ Images can now be scanned by multiple
namespaces
○ Support for programming languages is made
possible
○ Support for offline is made possible
● Differentiation between binary + source
packages
● Supported k8s deployment (via Helm) for ClairOpenSourcing Quay targeted for e/o CY18

AWS AUTOSCALE GROUPS
Enable elasticity for your application workload with AWS auto-scaler
Documentation: https://docs.openshift.com/container-platform/3.11/admin_guide/cluster-autoscaler.html (Not live yet)
https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md (Upstream community documentation)
How it works
● OCP auto-scaler repeatedly checks to see how many pods are pending node allocation and ensures that enough nodes
are active to run your pods and that the number of active nodes is proportional to current demand
● Requires the following assets to be previously configured
1. AWS Auto Scaling group: Logical representation of a set of machines
■ Configured with minimum, maximum, and desired number of machines per group. (Configured from AWS
Command Line Interface (AWS CLI))
2. AWS Launch Configurations (LC): A template that an Auto Scaling group uses to launch instances
■ You specify information such as the AMI ID, instance type (e.g., m4.large), key pair, one or more security
groups, or subnets. (Configured from AWS CLI)
3. Primed (Golden) Image: Image that runs when a new instance is provisioned
■ Bootstrapped node image that is capable of automatically joining the cluster (without any manual
intervention) once provisioned by the Auto Scaling group LC
■ ‘build_ami.yml’ playbook can be used to produce a primed image, which can be utilized by the auto-scaler
● Instance running the CA must have permissions to scale up/down
● Auto-scaler must manually be deployed as described in the OpenShift documentation

ROUTER (HAPROXY) ENHANCEMENTS
HTTP/2 Implements HAproxy router HTTP/2 support (terminating
at the router)
$ oc set env dc/router ROUTER_ENABLE_HTTP2=true
Performance Increase the number of threads that can be used by
HAproxy so that we can serve more routes
Scale down the default router and create a new router using 2 threads:
$ oc scale dc/router --replicas=0
$ oc adm router myrouter --threads=2 --images='openshift3/ose-
haproxy-router:v3.x'
Set a new thread count (e.g. 7) for the HAproxy router:
$ oc set env dc/myrouter ROUTER_THREADS=7
Dynamic changes Implement changes to the HAproxy router without
requiring a full router reload
$ oc set env dc/router ROUTER_HAPROXY_CONFIG_MANAGER=true
Client SSL/TLS cert
validation
Enable mTLS for route support of older clients/services
that don’t support SNI, but where certificate verification is
a requirement
$ oc adm router myrouter --mutual-tls-auth=optional --mutual-
tls-auth-ca=/root/ca.pem --images="$image"
Logs captured by
aggregated
logging/EFK
Collect access logs so Operators can see them. Longer
term: send to ES for users to access logs for their
respective projects
Create a router with an rsyslog container:
$ oc adm router myrouter --extended-logging --images='xxxx'
Set log level:
$ oc set env dc/myrouter ROUTER_LOG_LEVEL=debug
Check the access logs in the rsyslog container:
$ oc logs -f myrouter-x-xxxxx -c syslog

Security Context Constraints (SCCs) allow administrators to
control permissions for pods.
SCCs define a set of conditions that a pod must run with in
order to be accepted into the system. Red Hat has
contributed this feature to Kubernetes as Pod
Security Policies (PSPs).
PSPs are not yet as mature as SCCs. We will enable
customers to migrate from SCCs to PSPs as soon as we have
feature parity. We are also working to ensure that SCCs
support new settings available with PSPs. Additional
information on these new settings is available in Kubernetes
documentation.
SECURITY CONTEXT CONSTRAINTS &
POD SECURITY POLICIES

Prometheus Cluster Monitoring
Prometheus Cluster Monitoring is now GA, providing deep insights into an OpenShift cluster with
out-of-the-box alerts and Grafana dashboards
How it works
● Installed by default with every OCP 3.11+ cluster. You can opt-out by setting the Ansible variable
`openshift_cluster_monitoring_operator_install` to `false`
○ All components are installed via the Cluster Monitoring Operator in the following order: Prometheus Operator (v0.23.2),
Grafana (v5.2.1), Prometheus (v2.3.2), Alertmanager (v0.15.2), Node Exporter (0.16.0), kube-state-metrics (v1.3.1)
○ Installed into the `openshift-monitoring` namespace
○ Operator also configures out-of-the-box alerting rules and Grafana dashboards
● Configure the Cluster Monitoring Operator through Ansible variables inside your inventory file. Options are
○ Enable persistent storage and configure volume size for Prometheus and Alertmanager (by default persistent storage is
disabled and metrics are stored in-memory)
○ Overwrite default Alertmanager configuration to set up, for example, your own receiver, such as PagerDuty
○ Select nodes where pods should be placed
● Prometheus Cluster Monitoring currently collects metrics from the following sources: Cluster Monitoring Operator, Prometheus
itself, Prometheus Operator, Alertmanager, Kubernetes API server, kubelets including cAdvisor, kube-schedulers, kube-state-metrics,
and node-exporter
○ You can query what metrics are being collected through the Prometheus UI using `sum({job=„<job-name>“}) by
(__name__)` query and replacing `<job-name>` with any of the above targets (e.g., `node-exporter`)

LOGGING
Elasticsearch 5 and Kibana 5 – New
features
• ES5 is based on Lucene 6 – Brings better
resource usage and performance (*)
• Better resiliency
• New numeric types, half_float and
scaled_float, have been added
• Instant aggregations in Kibana 5 – Make
it faster
• New API that returns an explanation of
why ES shards are unassigned
(*) Covered later

Thank you!

Get SaaSy with Red Hat OpenShift on AWS (CON305-S) - AWS re:Invent 2018

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Get SaaSy with Red Hat OpenShift on AWS (CON305-S) - AWS re:Invent 2018

Semelhante a Get SaaSy with Red Hat OpenShift on AWS (CON305-S) - AWS re:Invent 2018 (20)

Mais de Amazon Web Services

Mais de Amazon Web Services (20)

Get SaaSy with Red Hat OpenShift on AWS (CON305-S) - AWS re:Invent 2018