SlideShare uma empresa Scribd logo

Policy-based Resource Placement

L
LinuxCon ContainerCon CloudOpen China

Resource placement is a policy-rich problem, particularly across multi-cluster, multi-geography and multi-cloud environments. Placement may be based on company conventions, external regulation, pricing, performance requirements, or complex combinations of those. Furthermore, placement policies evolve over time and vary across organizations. As a result, it is very difficult to anticipate the policy requirements of all users. In this presentation, Torin Sandal (Lead Engineer of Open Policy Agent) will present, along with Irfan Ur Rehman, and demonstrate the work they've done integrating OPA into the Kubernetes Cluster Federation Control Plane. This enables high level policies to be expressed in a easy to understand policy language, and automatically enforced across federations of Kubernetes clusters.

Tecnologia
1 de 12
Baixar para ler offline
Policy-based Resource Placement ...across Hybrid-Cloud Federations of Kubernetes Clusters Irfan UR Rehman (Huawei) @irfanurrehman Torin Sandall (Styra) @sometorin
Federation: Overview federation-apiserver federation-controller app app Federation Control Plane Federated Deployment etcd Federated Clusters
Federation: Placement federation-apiserver federation-controller kind: ReplicaSet metadata: annotations: replica-set-preferences: | {“clusters”: { “us-west-1”: {“weight”:1}, “asia-se-2”: {“weight”:1} }} ● Placement can be controlled per-resource via annotations ● 2 annotations supported: federation.kubernetes.io/replica-set-preferences federation.alpha.kubernetes.io/cluster-selector ● federation-controller evaluates annotations to produce final placement ReplicaSet created 1 2 3 4
Policy-based Placement federation-apiserver federation-controller ● Resource placement is a “policy-rich” problem space ○ Legal regulation, cost, technical constraints, internal conventions, etc. ● Goal: give admins greater control and flexibility ○ Automated & programmable ○ Expressiveness ○ Leverage context ○ Ease management ● Decouple developer intent from admin policy ○ Avoid duplication ○ Prevent (and detect) violations ○ Abstract policy implementation ● Policy Engine decides which clusters app runs on ○ Pluggable ○ Simple interface opa
Architecture federation-apiserver federation-controller opaadmission controller kind: ReplicaSet metadata: name: my-app annotations: customer: acmecorp ● Admission Controller inside federation-apiserver queries Policy Engine when resources are created or updated ● Admission Controller implements “fail-closed” model in case query fails. POST /v1/data/k8s/placement input: resource: metadata: name: my-app annotations: customer: acmecorp ... HTTP/1.1 200 OK result: annotations: replica-set-preferences: clusters: us-west-1: {weight: 1} asia-se-3: {weight: .5} Example Query
Architecture host cluster pod federation-apiserver federation-controller opa admission controller etcd sidecar external state policy definition
Example Apps labelled with customer name. Customers are associated with a jurisdiction. Furthermore, apps may be labelled with criticality. If low then public cloud clusters may be used, otherwise, on-prem clusters must be used.
Visibility & Remediation federation-apiserveropa sidecar which of customer x’s apps are deployed in EU? which customers are affected if cluster X is no longer PCI certified? policy clusters, deployments, services, ...
Conflicts ● Developers could accidentally specify conflicting intent (result: empty set) ● Developers could explicitly request invalid clusters (result: error) ● Resolve conflicts within policy engine whenever possible ○ Policy is the only place where all intent is known kind: ReplicaSet metadata: annotations: customer: acmetel-US criticality: low replica-set-preferences: clusters: - us-west-2 - eu-central-1 ... not_allowed[cluster] { requested_clusters[cluster] not allowed_clusters[cluster] } errors[“invalid cluster(s)”] { not_allowed != set() }
Future Work ● Improve policy management ○ Current: policies stored as ConfigMaps in the federation-apiserver ○ Future: policies represented as first-class API objects ○ Cleaner mechanism for reporting policy enforcement status ■ Installed, errors, etc. ● Demonstrate new use cases ○ Cost-based policies ■ Replicate external data representing resource pricing (e.g., cpu, memory, etc.) ■ Pick clusters based on pricing data ■ Cluster inter-connect may be expensive federation-apiserver federation-controller opa
● Kubernetes Federation enables hybrid-cloud deployments for a variety of use cases ● Resource placement is a policy-rich problem that must address important business requirements ● Policy solution should empower admins with greater control and flexibility Conclusion federation-apiserver federation-controller opa
Thank You! SIG-Federation Open Policy Agent (OPA) github.com/open-policy-agent/opa

Recomendados

Secure Containers with EPT Isolation
Secure Containers with EPT IsolationSecure Containers with EPT Isolation
Secure Containers with EPT IsolationLinuxCon ContainerCon CloudOpen China
 
Running Legacy Applications with Containers
Running Legacy Applications with ContainersRunning Legacy Applications with Containers
Running Legacy Applications with ContainersLinuxCon ContainerCon CloudOpen China
 
64-bit ARM Unikernels on uKVM
64-bit ARM Unikernels on uKVM64-bit ARM Unikernels on uKVM
64-bit ARM Unikernels on uKVMLinuxCon ContainerCon CloudOpen China
 
Scale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 servicesScale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 servicesLinuxCon ContainerCon CloudOpen China
 
Introduction to OCI Image Technologies Serving Container
Introduction to OCI Image Technologies Serving ContainerIntroduction to OCI Image Technologies Serving Container
Introduction to OCI Image Technologies Serving ContainerLinuxCon ContainerCon CloudOpen China
 
Rethinking the OS
Rethinking the OSRethinking the OS
Rethinking the OSLinuxCon ContainerCon CloudOpen China
 
Unikernelized Linux
Unikernelized LinuxUnikernelized Linux
Unikernelized LinuxLinuxCon ContainerCon CloudOpen China
 
GPU Acceleration for Containers on Intel Processor Graphics
GPU Acceleration for Containers on Intel Processor GraphicsGPU Acceleration for Containers on Intel Processor Graphics
GPU Acceleration for Containers on Intel Processor GraphicsLinuxCon ContainerCon CloudOpen China
 

Recomendados

Secure Containers with EPT Isolation
Secure Containers with EPT IsolationSecure Containers with EPT Isolation
Secure Containers with EPT IsolationLinuxCon ContainerCon CloudOpen China
 
Running Legacy Applications with Containers
Running Legacy Applications with ContainersRunning Legacy Applications with Containers
Running Legacy Applications with ContainersLinuxCon ContainerCon CloudOpen China
 
64-bit ARM Unikernels on uKVM
64-bit ARM Unikernels on uKVM64-bit ARM Unikernels on uKVM
64-bit ARM Unikernels on uKVMLinuxCon ContainerCon CloudOpen China
 
Scale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 servicesScale Kubernetes to support 50000 services
Scale Kubernetes to support 50000 servicesLinuxCon ContainerCon CloudOpen China
 
Introduction to OCI Image Technologies Serving Container
Introduction to OCI Image Technologies Serving ContainerIntroduction to OCI Image Technologies Serving Container
Introduction to OCI Image Technologies Serving ContainerLinuxCon ContainerCon CloudOpen China
 
Rethinking the OS
Rethinking the OSRethinking the OS
Rethinking the OSLinuxCon ContainerCon CloudOpen China
 
Unikernelized Linux
Unikernelized LinuxUnikernelized Linux
Unikernelized LinuxLinuxCon ContainerCon CloudOpen China
 
GPU Acceleration for Containers on Intel Processor Graphics
GPU Acceleration for Containers on Intel Processor GraphicsGPU Acceleration for Containers on Intel Processor Graphics
GPU Acceleration for Containers on Intel Processor GraphicsLinuxCon ContainerCon CloudOpen China
 
Simplify Networking for Containers
Simplify Networking for ContainersSimplify Networking for Containers
Simplify Networking for ContainersLinuxCon ContainerCon CloudOpen China
 
Global Operations with Docker Enterprise
Global Operations with Docker EnterpriseGlobal Operations with Docker Enterprise
Global Operations with Docker EnterpriseNicola Kabar
 
UEFI HTTP/HTTPS Boot
UEFI HTTP/HTTPS BootUEFI HTTP/HTTPS Boot
UEFI HTTP/HTTPS BootLinuxCon ContainerCon CloudOpen China
 
Status of Embedded Linux
Status of Embedded LinuxStatus of Embedded Linux
Status of Embedded LinuxLinuxCon ContainerCon CloudOpen China
 
OpenStack on AArch64
OpenStack on AArch64OpenStack on AArch64
OpenStack on AArch64LinuxCon ContainerCon CloudOpen China
 
See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...LinuxCon ContainerCon CloudOpen China
 
K8s storage-glusterfs-20180210
K8s storage-glusterfs-20180210K8s storage-glusterfs-20180210
K8s storage-glusterfs-20180210Che-Chia Chang
 
Rebuild - Simplifying Embedded and IoT Development Using Linux Containers
Rebuild - Simplifying Embedded and IoT Development Using Linux ContainersRebuild - Simplifying Embedded and IoT Development Using Linux Containers
Rebuild - Simplifying Embedded and IoT Development Using Linux ContainersLinuxCon ContainerCon CloudOpen China
 
Docker Orchestration at Production Scale
Docker Orchestration at Production Scale Docker Orchestration at Production Scale
Docker Orchestration at Production Scale Docker, Inc.
 
Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling LinuxCon ContainerCon CloudOpen China
 
Unikernels: the rise of the library hypervisor in MirageOS
Unikernels: the rise of the library hypervisor in MirageOSUnikernels: the rise of the library hypervisor in MirageOS
Unikernels: the rise of the library hypervisor in MirageOSDocker, Inc.
 
OCI Support in Mesos
OCI Support in MesosOCI Support in Mesos
OCI Support in MesosLinuxCon ContainerCon CloudOpen China
 
IITCC15: Xen Project 4.6 Update
IITCC15: Xen Project 4.6 UpdateIITCC15: Xen Project 4.6 Update
IITCC15: Xen Project 4.6 UpdateThe Linux Foundation
 
Kubernetes Introduction & Whats new in Kubernetes 1.6
Kubernetes Introduction & Whats new in Kubernetes 1.6Kubernetes Introduction & Whats new in Kubernetes 1.6
Kubernetes Introduction & Whats new in Kubernetes 1.6Opcito Technologies
 
Kubernetes Meetup - Seattle 2017-06-01
Kubernetes Meetup - Seattle 2017-06-01Kubernetes Meetup - Seattle 2017-06-01
Kubernetes Meetup - Seattle 2017-06-01Bassam Tabbara
 
Virtualization Architecture & KVM
Virtualization Architecture & KVMVirtualization Architecture & KVM
Virtualization Architecture & KVMPradeep Kumar
 
KuberNETes - meetup
KuberNETes - meetupKuberNETes - meetup
KuberNETes - meetupNathan Ness
 
Linux Kernel Development
Linux Kernel DevelopmentLinux Kernel Development
Linux Kernel DevelopmentLinuxCon ContainerCon CloudOpen China
 
Docker Meetup: Docker Networking 1.11, by Madhu Venugopal
Docker Meetup: Docker Networking 1.11, by Madhu VenugopalDocker Meetup: Docker Networking 1.11, by Madhu Venugopal
Docker Meetup: Docker Networking 1.11, by Madhu VenugopalMichelle Antebi
 
Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1
Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1
Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1Etsuji Nakai
 
How Open Source Communities do Standardization
How Open Source Communities do StandardizationHow Open Source Communities do Standardization
How Open Source Communities do StandardizationLinuxCon ContainerCon CloudOpen China
 
Quickly Debug VM Failures in OpenStack
Quickly Debug VM Failures in OpenStackQuickly Debug VM Failures in OpenStack
Quickly Debug VM Failures in OpenStackLinuxCon ContainerCon CloudOpen China
 

Mais conteúdo relacionado

Mais procurados

Global Operations with Docker Enterprise
Global Operations with Docker EnterpriseGlobal Operations with Docker Enterprise
Global Operations with Docker EnterpriseNicola Kabar
 
See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...LinuxCon ContainerCon CloudOpen China
 
K8s storage-glusterfs-20180210
K8s storage-glusterfs-20180210K8s storage-glusterfs-20180210
K8s storage-glusterfs-20180210Che-Chia Chang
 
Rebuild - Simplifying Embedded and IoT Development Using Linux Containers
Rebuild - Simplifying Embedded and IoT Development Using Linux ContainersRebuild - Simplifying Embedded and IoT Development Using Linux Containers
Rebuild - Simplifying Embedded and IoT Development Using Linux ContainersLinuxCon ContainerCon CloudOpen China
 
Docker Orchestration at Production Scale
Docker Orchestration at Production Scale Docker Orchestration at Production Scale
Docker Orchestration at Production Scale Docker, Inc.
 
Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling LinuxCon ContainerCon CloudOpen China
 
Unikernels: the rise of the library hypervisor in MirageOS
Unikernels: the rise of the library hypervisor in MirageOSUnikernels: the rise of the library hypervisor in MirageOS
Unikernels: the rise of the library hypervisor in MirageOSDocker, Inc.
 
Kubernetes Introduction & Whats new in Kubernetes 1.6
Kubernetes Introduction & Whats new in Kubernetes 1.6Kubernetes Introduction & Whats new in Kubernetes 1.6
Kubernetes Introduction & Whats new in Kubernetes 1.6Opcito Technologies
 
Kubernetes Meetup - Seattle 2017-06-01
Kubernetes Meetup - Seattle 2017-06-01Kubernetes Meetup - Seattle 2017-06-01
Kubernetes Meetup - Seattle 2017-06-01Bassam Tabbara
 
Virtualization Architecture & KVM
Virtualization Architecture & KVMVirtualization Architecture & KVM
Virtualization Architecture & KVMPradeep Kumar
 
KuberNETes - meetup
KuberNETes - meetupKuberNETes - meetup
KuberNETes - meetupNathan Ness
 
Docker Meetup: Docker Networking 1.11, by Madhu Venugopal
Docker Meetup: Docker Networking 1.11, by Madhu VenugopalDocker Meetup: Docker Networking 1.11, by Madhu Venugopal
Docker Meetup: Docker Networking 1.11, by Madhu VenugopalMichelle Antebi
 
Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1
Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1
Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1Etsuji Nakai
 

Mais procurados (20)

Simplify Networking for Containers
Simplify Networking for ContainersSimplify Networking for Containers
Simplify Networking for Containers
 
Global Operations with Docker Enterprise
Global Operations with Docker EnterpriseGlobal Operations with Docker Enterprise
Global Operations with Docker Enterprise
 
UEFI HTTP/HTTPS Boot
UEFI HTTP/HTTPS BootUEFI HTTP/HTTPS Boot
UEFI HTTP/HTTPS Boot
 
Status of Embedded Linux
Status of Embedded LinuxStatus of Embedded Linux
Status of Embedded Linux
 
OpenStack on AArch64
OpenStack on AArch64OpenStack on AArch64
OpenStack on AArch64
 
See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...See what happened with real time kvm when building real time cloud pezhang@re...
See what happened with real time kvm when building real time cloud pezhang@re...
 
K8s storage-glusterfs-20180210
K8s storage-glusterfs-20180210K8s storage-glusterfs-20180210
K8s storage-glusterfs-20180210
 
Rebuild - Simplifying Embedded and IoT Development Using Linux Containers
Rebuild - Simplifying Embedded and IoT Development Using Linux ContainersRebuild - Simplifying Embedded and IoT Development Using Linux Containers
Rebuild - Simplifying Embedded and IoT Development Using Linux Containers
 
Docker Orchestration at Production Scale
Docker Orchestration at Production Scale Docker Orchestration at Production Scale
Docker Orchestration at Production Scale
 
Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling Is there still room for innovation in container orchestration and scheduling
Is there still room for innovation in container orchestration and scheduling
 
Unikernels: the rise of the library hypervisor in MirageOS
Unikernels: the rise of the library hypervisor in MirageOSUnikernels: the rise of the library hypervisor in MirageOS
Unikernels: the rise of the library hypervisor in MirageOS
 
OCI Support in Mesos
OCI Support in MesosOCI Support in Mesos
OCI Support in Mesos
 
IITCC15: Xen Project 4.6 Update
IITCC15: Xen Project 4.6 UpdateIITCC15: Xen Project 4.6 Update
IITCC15: Xen Project 4.6 Update
 
Kubernetes Introduction & Whats new in Kubernetes 1.6
Kubernetes Introduction & Whats new in Kubernetes 1.6Kubernetes Introduction & Whats new in Kubernetes 1.6
Kubernetes Introduction & Whats new in Kubernetes 1.6
 
Kubernetes Meetup - Seattle 2017-06-01
Kubernetes Meetup - Seattle 2017-06-01Kubernetes Meetup - Seattle 2017-06-01
Kubernetes Meetup - Seattle 2017-06-01
 
Virtualization Architecture & KVM
Virtualization Architecture & KVMVirtualization Architecture & KVM
Virtualization Architecture & KVM
 
KuberNETes - meetup
KuberNETes - meetupKuberNETes - meetup
KuberNETes - meetup
 
Linux Kernel Development
Linux Kernel DevelopmentLinux Kernel Development
Linux Kernel Development
 
Docker Meetup: Docker Networking 1.11, by Madhu Venugopal
Docker Meetup: Docker Networking 1.11, by Madhu VenugopalDocker Meetup: Docker Networking 1.11, by Madhu Venugopal
Docker Meetup: Docker Networking 1.11, by Madhu Venugopal
 
Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1
Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1
Architecture Overview: Kubernetes with Red Hat Enterprise Linux 7.1
 

Destaque

点融网区块链即服务实践 - The Practice of Blockchain as a Service in Dianrong
点融网区块链即服务实践 - The Practice of Blockchain as a Service in Dianrong点融网区块链即服务实践 - The Practice of Blockchain as a Service in Dianrong
点融网区块链即服务实践 - The Practice of Blockchain as a Service in DianrongLinuxCon ContainerCon CloudOpen China
 
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...LinuxCon ContainerCon CloudOpen China
 

Destaque (18)

How Open Source Communities do Standardization
How Open Source Communities do StandardizationHow Open Source Communities do Standardization
How Open Source Communities do Standardization
 
Quickly Debug VM Failures in OpenStack
Quickly Debug VM Failures in OpenStackQuickly Debug VM Failures in OpenStack
Quickly Debug VM Failures in OpenStack
 
There is NO Open Source Business Model
There is NO Open Source Business ModelThere is NO Open Source Business Model
There is NO Open Source Business Model
 
Build Robust Blockchain Services with Hyperledger and Containers
Build Robust Blockchain Services with Hyperledger and ContainersBuild Robust Blockchain Services with Hyperledger and Containers
Build Robust Blockchain Services with Hyperledger and Containers
 
Flowchain: A case study on building a Blockchain for the IoT
Flowchain: A case study on building a Blockchain for the IoTFlowchain: A case study on building a Blockchain for the IoT
Flowchain: A case study on building a Blockchain for the IoT
 
点融网区块链即服务实践 - The Practice of Blockchain as a Service in Dianrong
点融网区块链即服务实践 - The Practice of Blockchain as a Service in Dianrong点融网区块链即服务实践 - The Practice of Blockchain as a Service in Dianrong
点融网区块链即服务实践 - The Practice of Blockchain as a Service in Dianrong
 
Practical CNI
Practical CNIPractical CNI
Practical CNI
 
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
High Performance Linux Virtual Machine on Microsoft Azure: SR-IOV Networking ...
 
Releasing a Distribution in the Age of DevOps.
Releasing a Distribution in the Age of DevOps. Releasing a Distribution in the Age of DevOps.
Releasing a Distribution in the Age of DevOps.
 
kdump: usage and_internals
kdump: usage and_internalskdump: usage and_internals
kdump: usage and_internals
 
OpenDaylight OpenStack Integration
OpenDaylight OpenStack IntegrationOpenDaylight OpenStack Integration
OpenDaylight OpenStack Integration
 
Obstacles & Solutions for Livepatch Support on ARM64 Architecture
Obstacles & Solutions for Livepatch Support on ARM64 ArchitectureObstacles & Solutions for Livepatch Support on ARM64 Architecture
Obstacles & Solutions for Livepatch Support on ARM64 Architecture
 
LiteOS
LiteOS LiteOS
LiteOS
 
Hyperledger Technical Community in China.
Hyperledger Technical Community in China. Hyperledger Technical Community in China.
Hyperledger Technical Community in China.
 
Linuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharborLinuxcon secureefficientcontainerimagemanagementharbor
Linuxcon secureefficientcontainerimagemanagementharbor
 
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoT
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoTZephyr: Creating a Best-of-Breed, Secure RTOS for IoT
Zephyr: Creating a Best-of-Breed, Secure RTOS for IoT
 
Libvirt API Certification
Libvirt API CertificationLibvirt API Certification
Libvirt API Certification
 
Building a Better Thermostat
Building a Better ThermostatBuilding a Better Thermostat
Building a Better Thermostat
 

Semelhante a Policy-based Resource Placement

Policy-based Resource Placement Across Hybrid Cloud
Policy-based Resource Placement Across Hybrid CloudPolicy-based Resource Placement Across Hybrid Cloud
Policy-based Resource Placement Across Hybrid CloudTorin Sandall
 
Kubernetes: Beyond Baby Steps
Kubernetes: Beyond Baby StepsKubernetes: Beyond Baby Steps
Kubernetes: Beyond Baby StepsDigitalOcean
 
Uber Business Metrics Generation and Management Through Apache Flink
Uber Business Metrics Generation and Management Through Apache FlinkUber Business Metrics Generation and Management Through Apache Flink
Uber Business Metrics Generation and Management Through Apache FlinkWenrui Meng
 
2022-05-23-DevOps pro Europe - Managing Apps at scale.pdf
2022-05-23-DevOps pro Europe - Managing Apps at scale.pdf2022-05-23-DevOps pro Europe - Managing Apps at scale.pdf
2022-05-23-DevOps pro Europe - Managing Apps at scale.pdfŁukasz Piątkowski
 
Practical advice on deployment and management of enterprise workloads
Practical advice on deployment and management of enterprise workloadsPractical advice on deployment and management of enterprise workloads
Practical advice on deployment and management of enterprise workloadsJarek Miszczyk
 
Running Java Applications inside Kubernetes with Nested Container Architectur...
Running Java Applications inside Kubernetes with Nested Container Architectur...Running Java Applications inside Kubernetes with Nested Container Architectur...
Running Java Applications inside Kubernetes with Nested Container Architectur...Jelastic Multi-Cloud PaaS
 
Platform Resource Scheduler Holistic Application Policy in Heat
Platform Resource Scheduler Holistic Application Policy in HeatPlatform Resource Scheduler Holistic Application Policy in Heat
Platform Resource Scheduler Holistic Application Policy in HeatYong Feng
 
Achieve big data analytic platform with lambda architecture on cloud
Achieve big data analytic platform with lambda architecture on cloudAchieve big data analytic platform with lambda architecture on cloud
Achieve big data analytic platform with lambda architecture on cloudScott Miao
 
Kubernetes and Terraform in the Cloud: How RightScale Does DevOps
Kubernetes and Terraform in the Cloud: How RightScale Does DevOpsKubernetes and Terraform in the Cloud: How RightScale Does DevOps
Kubernetes and Terraform in the Cloud: How RightScale Does DevOpsRightScale
 
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)QAware GmbH
 
Sprint 38 review
Sprint 38 reviewSprint 38 review
Sprint 38 reviewManageIQ
 
Velocity 2018 preetha appan final
Velocity 2018 preetha appan finalVelocity 2018 preetha appan final
Velocity 2018 preetha appan finalpreethaappan
 
Kubecon US 2019: Kubernetes Multitenancy WG Deep Dive
Kubecon US 2019: Kubernetes Multitenancy WG Deep DiveKubecon US 2019: Kubernetes Multitenancy WG Deep Dive
Kubecon US 2019: Kubernetes Multitenancy WG Deep DiveSanjeev Rampal
 
Kubernetes/ EKS - 김광영 (AWS 솔루션즈 아키텍트)
Kubernetes/ EKS - 김광영 (AWS 솔루션즈 아키텍트)Kubernetes/ EKS - 김광영 (AWS 솔루션즈 아키텍트)
Kubernetes/ EKS - 김광영 (AWS 솔루션즈 아키텍트)Amazon Web Services Korea
 
DevOps Fest 2020. Дмитрий Кудрявцев. Реализация GitOps на Kubernetes. ArgoCD
DevOps Fest 2020. Дмитрий Кудрявцев. Реализация GitOps на Kubernetes. ArgoCDDevOps Fest 2020. Дмитрий Кудрявцев. Реализация GitOps на Kubernetes. ArgoCD
DevOps Fest 2020. Дмитрий Кудрявцев. Реализация GitOps на Kubernetes. ArgoCDDevOps_Fest
 
Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)Idan Atias
 
Infrastructure as Code for Azure: ARM or Terraform?
Infrastructure as Code for Azure: ARM or Terraform?Infrastructure as Code for Azure: ARM or Terraform?
Infrastructure as Code for Azure: ARM or Terraform?Katherine Golovinova
 
IRJET-Framework for Dynamic Resource Allocation and Efficient Scheduling Stra...
IRJET-Framework for Dynamic Resource Allocation and Efficient Scheduling Stra...IRJET-Framework for Dynamic Resource Allocation and Efficient Scheduling Stra...
IRJET-Framework for Dynamic Resource Allocation and Efficient Scheduling Stra...IRJET Journal
 

Semelhante a Policy-based Resource Placement (20)

Policy-based Resource Placement Across Hybrid Cloud
Policy-based Resource Placement Across Hybrid CloudPolicy-based Resource Placement Across Hybrid Cloud
Policy-based Resource Placement Across Hybrid Cloud
 
Kubernetes: Beyond Baby Steps
Kubernetes: Beyond Baby StepsKubernetes: Beyond Baby Steps
Kubernetes: Beyond Baby Steps
 
Uber Business Metrics Generation and Management Through Apache Flink
Uber Business Metrics Generation and Management Through Apache FlinkUber Business Metrics Generation and Management Through Apache Flink
Uber Business Metrics Generation and Management Through Apache Flink
 
2022-05-23-DevOps pro Europe - Managing Apps at scale.pdf
2022-05-23-DevOps pro Europe - Managing Apps at scale.pdf2022-05-23-DevOps pro Europe - Managing Apps at scale.pdf
2022-05-23-DevOps pro Europe - Managing Apps at scale.pdf
 
Practical advice on deployment and management of enterprise workloads
Practical advice on deployment and management of enterprise workloadsPractical advice on deployment and management of enterprise workloads
Practical advice on deployment and management of enterprise workloads
 
Running Java Applications inside Kubernetes with Nested Container Architectur...
Running Java Applications inside Kubernetes with Nested Container Architectur...Running Java Applications inside Kubernetes with Nested Container Architectur...
Running Java Applications inside Kubernetes with Nested Container Architectur...
 
Platform Resource Scheduler Holistic Application Policy in Heat
Platform Resource Scheduler Holistic Application Policy in HeatPlatform Resource Scheduler Holistic Application Policy in Heat
Platform Resource Scheduler Holistic Application Policy in Heat
 
Achieve big data analytic platform with lambda architecture on cloud
Achieve big data analytic platform with lambda architecture on cloudAchieve big data analytic platform with lambda architecture on cloud
Achieve big data analytic platform with lambda architecture on cloud
 
Kubernetes and Terraform in the Cloud: How RightScale Does DevOps
Kubernetes and Terraform in the Cloud: How RightScale Does DevOpsKubernetes and Terraform in the Cloud: How RightScale Does DevOps
Kubernetes and Terraform in the Cloud: How RightScale Does DevOps
 
Sprint 68
Sprint 68Sprint 68
Sprint 68
 
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
 
Sprint 38 review
Sprint 38 reviewSprint 38 review
Sprint 38 review
 
Velocity 2018 preetha appan final
Velocity 2018 preetha appan finalVelocity 2018 preetha appan final
Velocity 2018 preetha appan final
 
Kubecon US 2019: Kubernetes Multitenancy WG Deep Dive
Kubecon US 2019: Kubernetes Multitenancy WG Deep DiveKubecon US 2019: Kubernetes Multitenancy WG Deep Dive
Kubecon US 2019: Kubernetes Multitenancy WG Deep Dive
 
Kubernetes/ EKS - 김광영 (AWS 솔루션즈 아키텍트)
Kubernetes/ EKS - 김광영 (AWS 솔루션즈 아키텍트)Kubernetes/ EKS - 김광영 (AWS 솔루션즈 아키텍트)
Kubernetes/ EKS - 김광영 (AWS 솔루션즈 아키텍트)
 
DevOps Fest 2020. Дмитрий Кудрявцев. Реализация GitOps на Kubernetes. ArgoCD
DevOps Fest 2020. Дмитрий Кудрявцев. Реализация GitOps на Kubernetes. ArgoCDDevOps Fest 2020. Дмитрий Кудрявцев. Реализация GitOps на Kubernetes. ArgoCD
DevOps Fest 2020. Дмитрий Кудрявцев. Реализация GitOps на Kubernetes. ArgoCD
 
Sprint 71
Sprint 71Sprint 71
Sprint 71
 
Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)Introduction to Container Storage Interface (CSI)
Introduction to Container Storage Interface (CSI)
 
Infrastructure as Code for Azure: ARM or Terraform?
Infrastructure as Code for Azure: ARM or Terraform?Infrastructure as Code for Azure: ARM or Terraform?
Infrastructure as Code for Azure: ARM or Terraform?
 
IRJET-Framework for Dynamic Resource Allocation and Efficient Scheduling Stra...
IRJET-Framework for Dynamic Resource Allocation and Efficient Scheduling Stra...IRJET-Framework for Dynamic Resource Allocation and Efficient Scheduling Stra...
IRJET-Framework for Dynamic Resource Allocation and Efficient Scheduling Stra...
 

Último

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Último (20)

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Policy-based Resource Placement

  • 1. Policy-based Resource Placement ...across Hybrid-Cloud Federations of Kubernetes Clusters Irfan UR Rehman (Huawei) @irfanurrehman Torin Sandall (Styra) @sometorin
  • 2. Federation: Overview federation-apiserver federation-controller app app Federation Control Plane Federated Deployment etcd Federated Clusters
  • 3. Federation: Placement federation-apiserver federation-controller kind: ReplicaSet metadata: annotations: replica-set-preferences: | {“clusters”: { “us-west-1”: {“weight”:1}, “asia-se-2”: {“weight”:1} }} ● Placement can be controlled per-resource via annotations ● 2 annotations supported: federation.kubernetes.io/replica-set-preferences federation.alpha.kubernetes.io/cluster-selector ● federation-controller evaluates annotations to produce final placement ReplicaSet created 1 2 3 4
  • 4. Policy-based Placement federation-apiserver federation-controller ● Resource placement is a “policy-rich” problem space ○ Legal regulation, cost, technical constraints, internal conventions, etc. ● Goal: give admins greater control and flexibility ○ Automated & programmable ○ Expressiveness ○ Leverage context ○ Ease management ● Decouple developer intent from admin policy ○ Avoid duplication ○ Prevent (and detect) violations ○ Abstract policy implementation ● Policy Engine decides which clusters app runs on ○ Pluggable ○ Simple interface opa
  • 5. Architecture federation-apiserver federation-controller opaadmission controller kind: ReplicaSet metadata: name: my-app annotations: customer: acmecorp ● Admission Controller inside federation-apiserver queries Policy Engine when resources are created or updated ● Admission Controller implements “fail-closed” model in case query fails. POST /v1/data/k8s/placement input: resource: metadata: name: my-app annotations: customer: acmecorp ... HTTP/1.1 200 OK result: annotations: replica-set-preferences: clusters: us-west-1: {weight: 1} asia-se-3: {weight: .5} Example Query
  • 6. Architecture host cluster pod federation-apiserver federation-controller opa admission controller etcd sidecar external state policy definition
  • 7. Example Apps labelled with customer name. Customers are associated with a jurisdiction. Furthermore, apps may be labelled with criticality. If low then public cloud clusters may be used, otherwise, on-prem clusters must be used.
  • 8. Visibility & Remediation federation-apiserveropa sidecar which of customer x’s apps are deployed in EU? which customers are affected if cluster X is no longer PCI certified? policy clusters, deployments, services, ...
  • 9. Conflicts ● Developers could accidentally specify conflicting intent (result: empty set) ● Developers could explicitly request invalid clusters (result: error) ● Resolve conflicts within policy engine whenever possible ○ Policy is the only place where all intent is known kind: ReplicaSet metadata: annotations: customer: acmetel-US criticality: low replica-set-preferences: clusters: - us-west-2 - eu-central-1 ... not_allowed[cluster] { requested_clusters[cluster] not allowed_clusters[cluster] } errors[“invalid cluster(s)”] { not_allowed != set() }
  • 10. Future Work ● Improve policy management ○ Current: policies stored as ConfigMaps in the federation-apiserver ○ Future: policies represented as first-class API objects ○ Cleaner mechanism for reporting policy enforcement status ■ Installed, errors, etc. ● Demonstrate new use cases ○ Cost-based policies ■ Replicate external data representing resource pricing (e.g., cpu, memory, etc.) ■ Pick clusters based on pricing data ■ Cluster inter-connect may be expensive federation-apiserver federation-controller opa
  • 11. ● Kubernetes Federation enables hybrid-cloud deployments for a variety of use cases ● Resource placement is a policy-rich problem that must address important business requirements ● Policy solution should empower admins with greater control and flexibility Conclusion federation-apiserver federation-controller opa
  • 12. Thank You! SIG-Federation Open Policy Agent (OPA) github.com/open-policy-agent/opa