SlideShare uma empresa Scribd logo

Deep Dive into Kubernetes - Part 2

Imesh Gunaratne
Imesh Gunaratne

This is the second session of Deep Dive into Kubernetes. It includes information on optimizing Docker image size, persistent volumes, container security, and different aspects of running Kubernetes on GKE and AWS.

Tecnologia
1 de 48
Baixar para ler offline
Deep Dive into Kubernetes Part 2 Imesh Gunaratne, WSO2
Agenda ● Docker Image Size Optimization ● Docker Image Size Optimization Demo ● Persistent Volumes ○ Static Volumes ○ Dynamic Volumes ● Container Security ○ File System Permissions ○ Pod Security Context ○ Pod Security Policies
Agenda Cont. ● Kubernetes on Google Cloud Platform ● GKE Demo ● Kubernetes on AWS ● Kubernetes on Azure
Docker Image Size Optimization
A Sample Dockerfile FROM anapsix/alpine-java:8 ARG USER_GROUP_ID=1000 ARG USER_GROUP=bar ARG USER_ID=2000 ARG USER=foo RUN addgroup -S -g ${USER_GROUP_ID} ${USER_GROUP} && adduser -S -g ${USER_GROUP_ID} -u ${USER_ID} ${USER} COPY --chown=foo:bar helloworld-* /tmp/ USER ${USER_ID} ENTRYPOINT [ "java", "-jar", "/tmp/helloworld-2.5.3-SNAPSHOT.jar" ]
Docker Image Size Optimization 1. Use a smaller base image 2. Install only application dependent software 3. Minimize layers and combine RUN commands RUN groupadd --system -g ${USER_GROUP_ID} ${USER_GROUP} && useradd --system --create-home --home-dir ${USER_HOME} --no-log-init -g ${USER_GROUP_ID} -u ${USER_ID} ${USER} 4. List layers according to change frequency
Docker Image Size Optimization Cont. 5. Use --no-install-recommends on apt-get install: RUN apt-get update && apt-get install -y --no-install-recommends <package-name> 6. Add rm -rf /var/lib/apt/lists/* to same layer as apt-get installs: RUN apt-get update && apt-get install -y --no-install-recommends <package-name> rm -rf /var/lib/apt/lists/*
7. Copy archive files after extracting them locally: COPY ${FILES}/${JDK} ${USER_HOME}/java/ 8. Use --chown key instead of chown command when copying files: COPY --chown=wso2carbon:wso2 ${FILES}/${JDK} ${USER_HOME}/java/ Docker Image Size Optimization Cont.
Finally use docker history command to verify the image structure: Docker Image Size Optimization Cont.
Docker Image Size Optimization Demo
Persistent Volumes
Persistent Volume Usage Design Pod Persistent Volume Claim Persistent Volume Physical Storage
Persistent Volume Provisioning Types ● Static ○ Manually map physical storage to PVs ● Dynamic ○ When static PVs are unavailable, K8S will check the availability of dynamic PVs ○ It dynamically creates volumes using storage provisioners ○ The storage provisioner may use a single physical storage for providing multiple dynamic PVs https://kubernetes.io/docs/concepts/storage/persistent-volumes/ https://github.com/kubernetes-incubator/external-storage/
Persistent Volume Claims kind: PersistentVolumeClaim apiVersion: v1 metadata: name: myclaim spec: accessModes: - ReadWriteOnce volumeMode: Filesystem resources: requests: storage: 8Gi storageClassName: slow selector: matchLabels: release: "stable" matchExpressions: - {key: environment, operator: In, values: [dev]} Pod Persistent Volume Claim Physical Storage Persistent Volume
Static Persistent Volumes apiVersion: v1 kind: PersistentVolume metadata: name: pv0003 spec: capacity: storage: 5Gi volumeMode: Filesystem accessModes: - ReadWriteOnce persistentVolumeReclaimPolicy: Recycle storageClassName: slow mountOptions: - hard - nfsvers=4.1 nfs: path: /tmp server: 172.17.0.2 Pod Persistent Volume Claim Physical Storage Persistent Volume
Dynamic Persistent Volumes kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: gluster-vol-default provisioner: kubernetes.io/glusterfs parameters: resturl: "http://192.168.10.100:8080" restuser: "" secretNamespace: "" secretName: "" allowVolumeExpansion: true Pod Persistent Volume Claim Physical Storage Persistent Volume Storage Class Storage Provisioner
Persistent Volume Volume Modes ● Filesystem ● Block https://kubernetes.io/docs/concepts/storage/persistent-volumes/#volume-modes apiVersion: v1 kind: PersistentVolume metadata: name: block-pv spec: capacity: storage: 10Gi accessModes: - ReadWriteOnce volumeMode: Block persistentVolumeReclaimPolicy: Retain fc: targetWWNs: ["50060e801049cfd1"] lun: 0 readOnly: false
Persistent Volume Access Modes ● ReadWriteOnce ○ read-write by a single node ● ReadOnlyMany ○ read-only by many nodes ● ReadWriteMany ○ read-write by many nodes https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes
Persistent Volume Binding ● Binding a PVC to PV will be done based on requested: ○ Amount of storage ○ Access mode ○ Storage Class (Optional) https://kubernetes.io/docs/concepts/storage/persistent-volumes/
Persistent Volume Re-claim Policies ● Retain ○ Manual reclamation ● Recycle ○ Basic scrub (rm -rf /thevolume/*) on the volume and makes it available again for a new claim ● Delete ○ Deletion removes both the PV object from Kubernetes, as well as the associated storage asset in the external infrastructure https://kubernetes.io/docs/concepts/storage/persistent-volumes/
Container Security
Container Security ● Container host operating system security ● Container operating system security ● Application security ● Container registry permissions ● Network isolation ● Container filesystem permissions ● Persistent volume permissions ● Container/container cluster manager API endpoint permissions
File System Permission Management
File System Permissions RUN groupadd --system -g ${USER_GROUP_ID} ${USER_GROUP} && useradd --system --create-home --home-dir ${USER_HOME} --no-log-init -g ${USER_GROUP_ID} -u ${USER_ID} ${USER} 1. Create an OS user and a group in the container image: COPY --chown=user:group ${FILES}/${JDK} ${USER_HOME}/java/ 2. Specify user and the group for granting permissions to the filesystem:
File System Permissions Cont. USER ${USER_ID} ... ENTRYPOINT ${SERVER_HOME}/bin/server.sh 3. Define the user id in the container image before the entrypoint:
apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: securityContext: runAsUser: 1000 fsGroup: 2000 volumes: - name: sec-ctx-vol emptyDir: {} containers: - name: sec-ctx-demo image: gcr.io/google-samples/node-hello:1.0 volumeMounts: - name: sec-ctx-vol mountPath: /data/demo securityContext: allowPrivilegeEscalation: false Pod Security Context https://kubernetes.io/docs/tasks/config ure-pod-container/security-context/ Define the user id and the group id in the pod under security context:
Persistent Volume Permissions ● By default PVs would get root permissions (root:root). ● If the container is designed to run using a non-root user, that user may not have permissions for accessing the PVs. ● Therefore, the user group (gid) used in the container may need to be used for granting access to PVs. ● This can be done by: ○ Defining the gid in the PV. ○ By using a Pod Security Policy and defining the gid using the fsGroup property.
Define Group ID in Persistent Volume kind: PersistentVolume apiVersion: v1 metadata: name: pv1 annotations: pv.beta.kubernetes.io/gid: "1234" Define the group id specified in the container image in the PV: https://kubernetes.io/docs/tasks/configure-pod-container/configure-persistent-volume-storage/
Pod Security Policies Control Aspect Field Names Running of privileged containers privileged Usage of the root namespaces hostPID, hostIPC Usage of host networking and ports hostNetwork, hostPorts Usage of volume types volumes Usage of the host filesystem allowedHostPaths White list of FlexVolume drivers allowedFlexVolumes Allocating an FSGroup that owns the pod’s volumes fsGroup https://kubernetes.io/docs/concepts/policy/pod-security-policy/
Pod Security Policies Cont. Control Aspect Field Names Requiring the use of a read only root file system readOnlyRootFilesystem The user and group IDs of the container runAsUser, supplementalGroups Restricting escalation to root privileges allowPrivilegeEscalation, defaultAllowPrivilegeEsca lation Linux capabilities defaultAddCapabilities, requiredDropCapabilities, allowedCapabilities https://kubernetes.io/docs/concepts/policy/pod-security-policy/
Pod Security Policies Cont. Control Aspect Field Names The SELinux context of the container seLinux The AppArmor profile used by containers annotations The seccomp profile used by containers annotations The sysctl profile used by containers annotations https://kubernetes.io/docs/concepts/policy/pod-security-policy/
Defining File System Group (fsGroup) apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted annotations: ... spec: ... fsGroup: rule: 'MustRunAs' ranges: # Allow following gid range for accessing PVs - min: 1000 max: 1000
Defining Run As User, Supplemental Groups apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: example spec: ... # start container using following uid and gid range: runAsUser: rule: MustRunAs ranges: supplementalGroups: rule: RunAsAny ... ● runAsUser ○ MustRunAs (uid range) ○ MustRunAsNonRoot ○ RunAsAny ● supplementalGroups: ○ MustRunAs (gid range) ○ RunAsAny
Kubernetes on Google Cloud Platform
Kubernetes on Google Cloud ● It’s called Google Kubernetes Engine (GKE) ● Kubernetes is provided as a service ○ Masters are provided for free ● IAM: Role based access with Google Accounts ● Private container registries ● Autoscaling ● Auto upgrade Kubernetes clusters ● Logging and Monitoring with Stackdriver https://cloud.google.com/kubernetes-engine/
Kubernetes on Google Cloud Cont. ● Databases: ○ Cloud SQL: MySQL, PostgreSQL ● Persistent Volumes: ○ GCEPersistentDisk: ReadWriteOnce, ReadOnlyMany ○ NFS, Glusterfs: ReadWriteMany ● Load Balancers: ○ Ingresses/Load Balancer Type Services creates Google Cloud Load Balancers https://cloud.google.com/kubernetes-engine/
GKE Demo
Kubernetes on AWS
Kubernetes on AWS ● Recently announced: Amazon Elastic Container Service (EKS) ● Kubernetes will be provided as a service with EKS ○ Masters will be provided for free ● AWS Auth for role based access ● Currently, KOPs can be used for creating a self managed Kubernetes clusters on AWS https://aws.amazon.com/eks/
Kubernetes on AWS ● Databases: ○ RDS: Amazon Aurora, MySQL, PostgreSQL, MariaDB, Oracle, MS SQL ● Persistent Volumes: ○ EBS: ReadWriteOnce ○ EFS, NFS, Glusterfs -> ReadWriteMany ● Load Balancers: ○ Ingresses/Load Balancer Type Services creates AWS Load Balancers https://aws.amazon.com/eks/
Kubernetes on Azure
Kubernetes on Azure ● Azure Container Service (AKS) ● Currently in preview mode ● A managed Kubernetes service: ○ Masters will be provided for free ● Private container registries ● Autoscaling ● Automated Kubernetes cluster upgrades https://azure.microsoft.com/en-us/services/container-service/
Kubernetes on Azure ● Databases: ○ Azure SQL: MySQL, PostgreSQL, MS SQL ● Persistent Volumes: ○ AzureDisk-> ReadWriteOnce ○ AzureFile, NFS, Glusterfs: ReadWriteOnce, ReadOnlyMany, ReadWriteMany ● Load Balancers: ○ Ingresses/Load Balancer Type Services creates Azure Load Balancers https://azure.microsoft.com/en-us/services/container-service/
Questions & Feedback
References
References ● Tips to Reduce Docker Image Sizes: ○ https://hackernoon.com/tips-to-reduce-docker-image-sizes-87609 5da3b34 ● Introduction to Container Security: ○ https://www.docker.com/sites/default/files/WP_IntrotoContainerS ecurity_08.19.2016.pdf ● Ten Layers of Container Security: ○ https://www.redhat.com/cms/managed-files/cl-container-security- openshift-cloud-devops-tech-detail-f7530kc-201705-en.pdf
References Cont. ● Kubernetes Persistent Volumes: ○ https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ● Kubernetes External Storage Plugins, Provisioners, and Helper Libraries: ○ https://github.com/kubernetes-incubator/external-storage/ ● Pod Security Policies: ○ https://kubernetes.io/docs/concepts/policy/pod-security-policy/
Thank You!

Recomendados

Revolutionizing WSO2 PaaS with Kubernetes & App Factory
Revolutionizing WSO2 PaaS with Kubernetes & App FactoryRevolutionizing WSO2 PaaS with Kubernetes & App Factory
Revolutionizing WSO2 PaaS with Kubernetes & App FactoryImesh Gunaratne
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101Stanislav Pogrebnyak
 
Deploying WSO2 Middleware on Kubernetes
Deploying WSO2 Middleware on KubernetesDeploying WSO2 Middleware on Kubernetes
Deploying WSO2 Middleware on KubernetesImesh Gunaratne
 
Kubernetes Basic Operation
Kubernetes Basic OperationKubernetes Basic Operation
Kubernetes Basic OperationSimon Su
 
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014brendandburns
 
Kubernetes - introduction
Kubernetes - introductionKubernetes - introduction
Kubernetes - introductionSparkbit
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to KubernetesImesh Gunaratne
 
Platform Orchestration with Kubernetes and Docker
Platform Orchestration with Kubernetes and DockerPlatform Orchestration with Kubernetes and Docker
Platform Orchestration with Kubernetes and DockerJulian Strobl
 

Recomendados

Revolutionizing WSO2 PaaS with Kubernetes & App Factory
Revolutionizing WSO2 PaaS with Kubernetes & App FactoryRevolutionizing WSO2 PaaS with Kubernetes & App Factory
Revolutionizing WSO2 PaaS with Kubernetes & App FactoryImesh Gunaratne
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101Stanislav Pogrebnyak
 
Deploying WSO2 Middleware on Kubernetes
Deploying WSO2 Middleware on KubernetesDeploying WSO2 Middleware on Kubernetes
Deploying WSO2 Middleware on KubernetesImesh Gunaratne
 
Kubernetes Basic Operation
Kubernetes Basic OperationKubernetes Basic Operation
Kubernetes Basic OperationSimon Su
 
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014brendandburns
 
Kubernetes - introduction
Kubernetes - introductionKubernetes - introduction
Kubernetes - introductionSparkbit
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to KubernetesImesh Gunaratne
 
Platform Orchestration with Kubernetes and Docker
Platform Orchestration with Kubernetes and DockerPlatform Orchestration with Kubernetes and Docker
Platform Orchestration with Kubernetes and DockerJulian Strobl
 
Kubernetes in Docker
Kubernetes in DockerKubernetes in Docker
Kubernetes in Dockerdocker-athens
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopBob Killen
 
Kubernetes architecture
Kubernetes architectureKubernetes architecture
Kubernetes architectureJanakiram MSV
 
containerd the universal container runtime
containerd the universal container runtimecontainerd the universal container runtime
containerd the universal container runtimeDocker, Inc.
 
kubernetes for beginners
kubernetes for beginnerskubernetes for beginners
kubernetes for beginnersDominique Dumont
 
Kubernetes Introduction & Whats new in Kubernetes 1.6
Kubernetes Introduction & Whats new in Kubernetes 1.6Kubernetes Introduction & Whats new in Kubernetes 1.6
Kubernetes Introduction & Whats new in Kubernetes 1.6Opcito Technologies
 
Containers in production with docker, coreos, kubernetes and apache stratos
Containers in production with docker, coreos, kubernetes and apache stratosContainers in production with docker, coreos, kubernetes and apache stratos
Containers in production with docker, coreos, kubernetes and apache stratosWSO2
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Ryan Jarvinen
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionEric Gustafson
 
Kubernetes with docker
Kubernetes with dockerKubernetes with docker
Kubernetes with dockerDocker, Inc.
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to KubernetesRohman Muhamad
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKESreenivas Makam
 
Kubernetes: An Introduction to the Open Source Container Orchestration Platform
Kubernetes: An Introduction to the Open Source Container Orchestration PlatformKubernetes: An Introduction to the Open Source Container Orchestration Platform
Kubernetes: An Introduction to the Open Source Container Orchestration PlatformMichael O'Sullivan
 
Docker and kubernetes_introduction
Docker and kubernetes_introductionDocker and kubernetes_introduction
Docker and kubernetes_introductionJason Hu
 
Kubernetes basics and hands on exercise
Kubernetes basics and hands on exerciseKubernetes basics and hands on exercise
Kubernetes basics and hands on exerciseCloud Technology Experts
 
Demystifying the Nuts & Bolts of Kubernetes Architecture
Demystifying the Nuts & Bolts of Kubernetes ArchitectureDemystifying the Nuts & Bolts of Kubernetes Architecture
Demystifying the Nuts & Bolts of Kubernetes ArchitectureAjeet Singh Raina
 
Intro to Kubernetes
Intro to KubernetesIntro to Kubernetes
Intro to KubernetesJoonathan Mägi
 
Apache Stratos 4.1.0 Architecture
Apache Stratos 4.1.0 ArchitectureApache Stratos 4.1.0 Architecture
Apache Stratos 4.1.0 ArchitectureImesh Gunaratne
 
DevOps in AWS with Kubernetes
DevOps in AWS with KubernetesDevOps in AWS with Kubernetes
DevOps in AWS with KubernetesOleg Chunikhin
 
Deep Dive into Kubernetes - Part 1
Deep Dive into Kubernetes - Part 1Deep Dive into Kubernetes - Part 1
Deep Dive into Kubernetes - Part 1Imesh Gunaratne
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practicesSharon Vendrov
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practicesSharon Vendrov
 

Mais conteúdo relacionado

Mais procurados

Kubernetes in Docker
Kubernetes in DockerKubernetes in Docker
Kubernetes in Dockerdocker-athens
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopBob Killen
 
Kubernetes architecture
Kubernetes architectureKubernetes architecture
Kubernetes architectureJanakiram MSV
 
containerd the universal container runtime
containerd the universal container runtimecontainerd the universal container runtime
containerd the universal container runtimeDocker, Inc.
 
Kubernetes Introduction & Whats new in Kubernetes 1.6
Kubernetes Introduction & Whats new in Kubernetes 1.6Kubernetes Introduction & Whats new in Kubernetes 1.6
Kubernetes Introduction & Whats new in Kubernetes 1.6Opcito Technologies
 
Containers in production with docker, coreos, kubernetes and apache stratos
Containers in production with docker, coreos, kubernetes and apache stratosContainers in production with docker, coreos, kubernetes and apache stratos
Containers in production with docker, coreos, kubernetes and apache stratosWSO2
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Ryan Jarvinen
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes IntroductionEric Gustafson
 
Kubernetes with docker
Kubernetes with dockerKubernetes with docker
Kubernetes with dockerDocker, Inc.
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to KubernetesRohman Muhamad
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKESreenivas Makam
 
Kubernetes: An Introduction to the Open Source Container Orchestration Platform
Kubernetes: An Introduction to the Open Source Container Orchestration PlatformKubernetes: An Introduction to the Open Source Container Orchestration Platform
Kubernetes: An Introduction to the Open Source Container Orchestration PlatformMichael O'Sullivan
 
Docker and kubernetes_introduction
Docker and kubernetes_introductionDocker and kubernetes_introduction
Docker and kubernetes_introductionJason Hu
 
Demystifying the Nuts & Bolts of Kubernetes Architecture
Demystifying the Nuts & Bolts of Kubernetes ArchitectureDemystifying the Nuts & Bolts of Kubernetes Architecture
Demystifying the Nuts & Bolts of Kubernetes ArchitectureAjeet Singh Raina
 
Apache Stratos 4.1.0 Architecture
Apache Stratos 4.1.0 ArchitectureApache Stratos 4.1.0 Architecture
Apache Stratos 4.1.0 ArchitectureImesh Gunaratne
 
DevOps in AWS with Kubernetes
DevOps in AWS with KubernetesDevOps in AWS with Kubernetes
DevOps in AWS with KubernetesOleg Chunikhin
 
Deep Dive into Kubernetes - Part 1
Deep Dive into Kubernetes - Part 1Deep Dive into Kubernetes - Part 1
Deep Dive into Kubernetes - Part 1Imesh Gunaratne
 

Mais procurados (20)

Kubernetes in Docker
Kubernetes in DockerKubernetes in Docker
Kubernetes in Docker
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
 
Kubernetes architecture
Kubernetes architectureKubernetes architecture
Kubernetes architecture
 
containerd the universal container runtime
containerd the universal container runtimecontainerd the universal container runtime
containerd the universal container runtime
 
kubernetes for beginners
kubernetes for beginnerskubernetes for beginners
kubernetes for beginners
 
Kubernetes Introduction & Whats new in Kubernetes 1.6
Kubernetes Introduction & Whats new in Kubernetes 1.6Kubernetes Introduction & Whats new in Kubernetes 1.6
Kubernetes Introduction & Whats new in Kubernetes 1.6
 
Containers in production with docker, coreos, kubernetes and apache stratos
Containers in production with docker, coreos, kubernetes and apache stratosContainers in production with docker, coreos, kubernetes and apache stratos
Containers in production with docker, coreos, kubernetes and apache stratos
 
Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17Hands-On Introduction to Kubernetes at LISA17
Hands-On Introduction to Kubernetes at LISA17
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
Kubernetes with docker
Kubernetes with dockerKubernetes with docker
Kubernetes with docker
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKE
 
Kubernetes: An Introduction to the Open Source Container Orchestration Platform
Kubernetes: An Introduction to the Open Source Container Orchestration PlatformKubernetes: An Introduction to the Open Source Container Orchestration Platform
Kubernetes: An Introduction to the Open Source Container Orchestration Platform
 
Docker and kubernetes_introduction
Docker and kubernetes_introductionDocker and kubernetes_introduction
Docker and kubernetes_introduction
 
Kubernetes basics and hands on exercise
Kubernetes basics and hands on exerciseKubernetes basics and hands on exercise
Kubernetes basics and hands on exercise
 
Demystifying the Nuts & Bolts of Kubernetes Architecture
Demystifying the Nuts & Bolts of Kubernetes ArchitectureDemystifying the Nuts & Bolts of Kubernetes Architecture
Demystifying the Nuts & Bolts of Kubernetes Architecture
 
Intro to Kubernetes
Intro to KubernetesIntro to Kubernetes
Intro to Kubernetes
 
Apache Stratos 4.1.0 Architecture
Apache Stratos 4.1.0 ArchitectureApache Stratos 4.1.0 Architecture
Apache Stratos 4.1.0 Architecture
 
DevOps in AWS with Kubernetes
DevOps in AWS with KubernetesDevOps in AWS with Kubernetes
DevOps in AWS with Kubernetes
 
Deep Dive into Kubernetes - Part 1
Deep Dive into Kubernetes - Part 1Deep Dive into Kubernetes - Part 1
Deep Dive into Kubernetes - Part 1
 

Semelhante a Deep Dive into Kubernetes - Part 2

K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practicesSharon Vendrov
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practicesSharon Vendrov
 
Evolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfEvolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfJose Manuel Ortega Candel
 
Who is afraid of privileged containers ?
Who is afraid of privileged containers ?Who is afraid of privileged containers ?
Who is afraid of privileged containers ?Marko Bevc
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deployment Security best practices for kubernetes deployment
Security best practices for kubernetes deployment Aqua Security
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deploymentMichael Cherny
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Jose Manuel Ortega Candel
 
Gluster Contenarized Storage for Cloud Applications
Gluster Contenarized Storage for Cloud ApplicationsGluster Contenarized Storage for Cloud Applications
Gluster Contenarized Storage for Cloud ApplicationsHumble Chirammal
 
Gluster Containerized Storage for Cloud Applications
Gluster Containerized Storage for Cloud ApplicationsGluster Containerized Storage for Cloud Applications
Gluster Containerized Storage for Cloud ApplicationsGluster.org
 
Kubernetes talk at DDDSydney 2017
Kubernetes talk at DDDSydney 2017Kubernetes talk at DDDSydney 2017
Kubernetes talk at DDDSydney 2017Hesham Amin
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
containerD
containerDcontainerD
containerDstrikr .
 
AWS Update | London - Elastic Beanstalk
AWS Update | London - Elastic BeanstalkAWS Update | London - Elastic Beanstalk
AWS Update | London - Elastic BeanstalkAmazon Web Services
 
Philipp Krenn, Elastic. From Containers to Kubernetes Operators
Philipp Krenn, Elastic. From Containers to Kubernetes OperatorsPhilipp Krenn, Elastic. From Containers to Kubernetes Operators
Philipp Krenn, Elastic. From Containers to Kubernetes OperatorsIT Arena
 
ClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTO
ClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTOClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTO
ClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTOAltinity Ltd
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security ParadigmAnis LARGUEM
 
GitOps & the deployment branching models - DevOps D-day Marseille 2021
GitOps & the deployment branching models - DevOps D-day Marseille 2021GitOps & the deployment branching models - DevOps D-day Marseille 2021
GitOps & the deployment branching models - DevOps D-day Marseille 2021SoKube
 
What Can I Get You? An Introduction to Dynamic Resource Allocation
What Can I Get You? An Introduction to Dynamic Resource AllocationWhat Can I Get You? An Introduction to Dynamic Resource Allocation
What Can I Get You? An Introduction to Dynamic Resource AllocationFreddy Rolland
 
Helm Security Webinar
Helm Security WebinarHelm Security Webinar
Helm Security WebinarDeep Datta
 
OpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless OverviewOpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless OverviewMaría Angélica Bracho
 

Semelhante a Deep Dive into Kubernetes - Part 2 (20)

K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practices
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practices
 
Evolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfEvolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdf
 
Who is afraid of privileged containers ?
Who is afraid of privileged containers ?Who is afraid of privileged containers ?
Who is afraid of privileged containers ?
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deployment Security best practices for kubernetes deployment
Security best practices for kubernetes deployment
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deployment
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops
 
Gluster Contenarized Storage for Cloud Applications
Gluster Contenarized Storage for Cloud ApplicationsGluster Contenarized Storage for Cloud Applications
Gluster Contenarized Storage for Cloud Applications
 
Gluster Containerized Storage for Cloud Applications
Gluster Containerized Storage for Cloud ApplicationsGluster Containerized Storage for Cloud Applications
Gluster Containerized Storage for Cloud Applications
 
Kubernetes talk at DDDSydney 2017
Kubernetes talk at DDDSydney 2017Kubernetes talk at DDDSydney 2017
Kubernetes talk at DDDSydney 2017
 
Container security
Container securityContainer security
Container security
 
containerD
containerDcontainerD
containerD
 
AWS Update | London - Elastic Beanstalk
AWS Update | London - Elastic BeanstalkAWS Update | London - Elastic Beanstalk
AWS Update | London - Elastic Beanstalk
 
Philipp Krenn, Elastic. From Containers to Kubernetes Operators
Philipp Krenn, Elastic. From Containers to Kubernetes OperatorsPhilipp Krenn, Elastic. From Containers to Kubernetes Operators
Philipp Krenn, Elastic. From Containers to Kubernetes Operators
 
ClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTO
ClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTOClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTO
ClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTO
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security Paradigm
 
GitOps & the deployment branching models - DevOps D-day Marseille 2021
GitOps & the deployment branching models - DevOps D-day Marseille 2021GitOps & the deployment branching models - DevOps D-day Marseille 2021
GitOps & the deployment branching models - DevOps D-day Marseille 2021
 
What Can I Get You? An Introduction to Dynamic Resource Allocation
What Can I Get You? An Introduction to Dynamic Resource AllocationWhat Can I Get You? An Introduction to Dynamic Resource Allocation
What Can I Get You? An Introduction to Dynamic Resource Allocation
 
Helm Security Webinar
Helm Security WebinarHelm Security Webinar
Helm Security Webinar
 
OpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless OverviewOpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
OpenShift Meetup - Tokyo - Service Mesh and Serverless Overview
 

Mais de Imesh Gunaratne

Planning WSO2 Deployments on Pivotal Cloud Foundry
Planning WSO2 Deployments on Pivotal Cloud FoundryPlanning WSO2 Deployments on Pivotal Cloud Foundry
Planning WSO2 Deployments on Pivotal Cloud FoundryImesh Gunaratne
 
Planning WSO2 Deployments on DC/OS
Planning WSO2 Deployments on DC/OSPlanning WSO2 Deployments on DC/OS
Planning WSO2 Deployments on DC/OSImesh Gunaratne
 
WSO2 API Manager Reference Architecture for DC/OS
WSO2 API Manager Reference Architecture for DC/OSWSO2 API Manager Reference Architecture for DC/OS
WSO2 API Manager Reference Architecture for DC/OSImesh Gunaratne
 
WSO2 API Manager Reference Architecture for Pivotal Cloud Foundry
WSO2 API Manager Reference Architecture for Pivotal Cloud FoundryWSO2 API Manager Reference Architecture for Pivotal Cloud Foundry
WSO2 API Manager Reference Architecture for Pivotal Cloud FoundryImesh Gunaratne
 
WSO2 Kubernetes Reference Architecture - Nov 2017
WSO2 Kubernetes Reference Architecture - Nov 2017WSO2 Kubernetes Reference Architecture - Nov 2017
WSO2 Kubernetes Reference Architecture - Nov 2017Imesh Gunaratne
 
WSO2 Cloud and Platform as a Service Strategy
WSO2 Cloud and Platform as a Service StrategyWSO2 Cloud and Platform as a Service Strategy
WSO2 Cloud and Platform as a Service StrategyImesh Gunaratne
 
Planning Your Cloud Strategy
Planning Your Cloud StrategyPlanning Your Cloud Strategy
Planning Your Cloud StrategyImesh Gunaratne
 
Deploying WSO2 Middleware on Containers
Deploying WSO2 Middleware on ContainersDeploying WSO2 Middleware on Containers
Deploying WSO2 Middleware on ContainersImesh Gunaratne
 
Multitenancy in WSO2 Carbon 5 (C5)
Multitenancy in WSO2 Carbon 5 (C5)Multitenancy in WSO2 Carbon 5 (C5)
Multitenancy in WSO2 Carbon 5 (C5)Imesh Gunaratne
 
Deploying WSO2 Middleware on Mesos
Deploying WSO2 Middleware on MesosDeploying WSO2 Middleware on Mesos
Deploying WSO2 Middleware on MesosImesh Gunaratne
 
Service Oriented Architecture & Beyond
Service Oriented Architecture & BeyondService Oriented Architecture & Beyond
Service Oriented Architecture & BeyondImesh Gunaratne
 
Docker for Java Developers
Docker for Java DevelopersDocker for Java Developers
Docker for Java DevelopersImesh Gunaratne
 
WSO2 Cloud Strategy Update
WSO2 Cloud Strategy UpdateWSO2 Cloud Strategy Update
WSO2 Cloud Strategy UpdateImesh Gunaratne
 
Scale into Multi-Cloud with Containers
Scale into Multi-Cloud with ContainersScale into Multi-Cloud with Containers
Scale into Multi-Cloud with ContainersImesh Gunaratne
 
Making a Better World with Technology Innovations
Making a Better World with Technology InnovationsMaking a Better World with Technology Innovations
Making a Better World with Technology InnovationsImesh Gunaratne
 
Introduction to WSO2 Private PaaS 4.1.0
Introduction to WSO2 Private PaaS 4.1.0Introduction to WSO2 Private PaaS 4.1.0
Introduction to WSO2 Private PaaS 4.1.0Imesh Gunaratne
 
Private PaaS for the Enterprise - Apache Stratos & WSO2 Private PaaS
Private PaaS for the Enterprise - Apache Stratos & WSO2 Private PaaSPrivate PaaS for the Enterprise - Apache Stratos & WSO2 Private PaaS
Private PaaS for the Enterprise - Apache Stratos & WSO2 Private PaaSImesh Gunaratne
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationImesh Gunaratne
 

Mais de Imesh Gunaratne (20)

Planning WSO2 Deployments on Pivotal Cloud Foundry
Planning WSO2 Deployments on Pivotal Cloud FoundryPlanning WSO2 Deployments on Pivotal Cloud Foundry
Planning WSO2 Deployments on Pivotal Cloud Foundry
 
Planning WSO2 Deployments on DC/OS
Planning WSO2 Deployments on DC/OSPlanning WSO2 Deployments on DC/OS
Planning WSO2 Deployments on DC/OS
 
WSO2 Container Strategy
WSO2 Container StrategyWSO2 Container Strategy
WSO2 Container Strategy
 
WSO2 API Manager Reference Architecture for DC/OS
WSO2 API Manager Reference Architecture for DC/OSWSO2 API Manager Reference Architecture for DC/OS
WSO2 API Manager Reference Architecture for DC/OS
 
WSO2 API Manager Reference Architecture for Pivotal Cloud Foundry
WSO2 API Manager Reference Architecture for Pivotal Cloud FoundryWSO2 API Manager Reference Architecture for Pivotal Cloud Foundry
WSO2 API Manager Reference Architecture for Pivotal Cloud Foundry
 
WSO2 Kubernetes Reference Architecture - Nov 2017
WSO2 Kubernetes Reference Architecture - Nov 2017WSO2 Kubernetes Reference Architecture - Nov 2017
WSO2 Kubernetes Reference Architecture - Nov 2017
 
WSO2 Cloud and Platform as a Service Strategy
WSO2 Cloud and Platform as a Service StrategyWSO2 Cloud and Platform as a Service Strategy
WSO2 Cloud and Platform as a Service Strategy
 
Planning Your Cloud Strategy
Planning Your Cloud StrategyPlanning Your Cloud Strategy
Planning Your Cloud Strategy
 
Deploying WSO2 Middleware on Containers
Deploying WSO2 Middleware on ContainersDeploying WSO2 Middleware on Containers
Deploying WSO2 Middleware on Containers
 
Multitenancy in WSO2 Carbon 5 (C5)
Multitenancy in WSO2 Carbon 5 (C5)Multitenancy in WSO2 Carbon 5 (C5)
Multitenancy in WSO2 Carbon 5 (C5)
 
Deploying WSO2 Middleware on Mesos
Deploying WSO2 Middleware on MesosDeploying WSO2 Middleware on Mesos
Deploying WSO2 Middleware on Mesos
 
Service Oriented Architecture & Beyond
Service Oriented Architecture & BeyondService Oriented Architecture & Beyond
Service Oriented Architecture & Beyond
 
Docker for Java Developers
Docker for Java DevelopersDocker for Java Developers
Docker for Java Developers
 
WSO2 Cloud Strategy Update
WSO2 Cloud Strategy UpdateWSO2 Cloud Strategy Update
WSO2 Cloud Strategy Update
 
An Introduction to Go
An Introduction to GoAn Introduction to Go
An Introduction to Go
 
Scale into Multi-Cloud with Containers
Scale into Multi-Cloud with ContainersScale into Multi-Cloud with Containers
Scale into Multi-Cloud with Containers
 
Making a Better World with Technology Innovations
Making a Better World with Technology InnovationsMaking a Better World with Technology Innovations
Making a Better World with Technology Innovations
 
Introduction to WSO2 Private PaaS 4.1.0
Introduction to WSO2 Private PaaS 4.1.0Introduction to WSO2 Private PaaS 4.1.0
Introduction to WSO2 Private PaaS 4.1.0
 
Private PaaS for the Enterprise - Apache Stratos & WSO2 Private PaaS
Private PaaS for the Enterprise - Apache Stratos & WSO2 Private PaaSPrivate PaaS for the Enterprise - Apache Stratos & WSO2 Private PaaS
Private PaaS for the Enterprise - Apache Stratos & WSO2 Private PaaS
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container Virtualization
 

Último

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 

Último (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

Deep Dive into Kubernetes - Part 2

  • 1. Deep Dive into Kubernetes Part 2 Imesh Gunaratne, WSO2
  • 2. Agenda ● Docker Image Size Optimization ● Docker Image Size Optimization Demo ● Persistent Volumes ○ Static Volumes ○ Dynamic Volumes ● Container Security ○ File System Permissions ○ Pod Security Context ○ Pod Security Policies
  • 3. Agenda Cont. ● Kubernetes on Google Cloud Platform ● GKE Demo ● Kubernetes on AWS ● Kubernetes on Azure
  • 4. Docker Image Size Optimization
  • 5. A Sample Dockerfile FROM anapsix/alpine-java:8 ARG USER_GROUP_ID=1000 ARG USER_GROUP=bar ARG USER_ID=2000 ARG USER=foo RUN addgroup -S -g ${USER_GROUP_ID} ${USER_GROUP} && adduser -S -g ${USER_GROUP_ID} -u ${USER_ID} ${USER} COPY --chown=foo:bar helloworld-* /tmp/ USER ${USER_ID} ENTRYPOINT [ "java", "-jar", "/tmp/helloworld-2.5.3-SNAPSHOT.jar" ]
  • 6. Docker Image Size Optimization 1. Use a smaller base image 2. Install only application dependent software 3. Minimize layers and combine RUN commands RUN groupadd --system -g ${USER_GROUP_ID} ${USER_GROUP} && useradd --system --create-home --home-dir ${USER_HOME} --no-log-init -g ${USER_GROUP_ID} -u ${USER_ID} ${USER} 4. List layers according to change frequency
  • 7. Docker Image Size Optimization Cont. 5. Use --no-install-recommends on apt-get install: RUN apt-get update && apt-get install -y --no-install-recommends <package-name> 6. Add rm -rf /var/lib/apt/lists/* to same layer as apt-get installs: RUN apt-get update && apt-get install -y --no-install-recommends <package-name> rm -rf /var/lib/apt/lists/*
  • 8. 7. Copy archive files after extracting them locally: COPY ${FILES}/${JDK} ${USER_HOME}/java/ 8. Use --chown key instead of chown command when copying files: COPY --chown=wso2carbon:wso2 ${FILES}/${JDK} ${USER_HOME}/java/ Docker Image Size Optimization Cont.
  • 9. Finally use docker history command to verify the image structure: Docker Image Size Optimization Cont.
  • 12. Persistent Volume Usage Design Pod Persistent Volume Claim Persistent Volume Physical Storage
  • 13. Persistent Volume Provisioning Types ● Static ○ Manually map physical storage to PVs ● Dynamic ○ When static PVs are unavailable, K8S will check the availability of dynamic PVs ○ It dynamically creates volumes using storage provisioners ○ The storage provisioner may use a single physical storage for providing multiple dynamic PVs https://kubernetes.io/docs/concepts/storage/persistent-volumes/ https://github.com/kubernetes-incubator/external-storage/
  • 14. Persistent Volume Claims kind: PersistentVolumeClaim apiVersion: v1 metadata: name: myclaim spec: accessModes: - ReadWriteOnce volumeMode: Filesystem resources: requests: storage: 8Gi storageClassName: slow selector: matchLabels: release: "stable" matchExpressions: - {key: environment, operator: In, values: [dev]} Pod Persistent Volume Claim Physical Storage Persistent Volume
  • 15. Static Persistent Volumes apiVersion: v1 kind: PersistentVolume metadata: name: pv0003 spec: capacity: storage: 5Gi volumeMode: Filesystem accessModes: - ReadWriteOnce persistentVolumeReclaimPolicy: Recycle storageClassName: slow mountOptions: - hard - nfsvers=4.1 nfs: path: /tmp server: 172.17.0.2 Pod Persistent Volume Claim Physical Storage Persistent Volume
  • 16. Dynamic Persistent Volumes kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: gluster-vol-default provisioner: kubernetes.io/glusterfs parameters: resturl: "http://192.168.10.100:8080" restuser: "" secretNamespace: "" secretName: "" allowVolumeExpansion: true Pod Persistent Volume Claim Physical Storage Persistent Volume Storage Class Storage Provisioner
  • 17. Persistent Volume Volume Modes ● Filesystem ● Block https://kubernetes.io/docs/concepts/storage/persistent-volumes/#volume-modes apiVersion: v1 kind: PersistentVolume metadata: name: block-pv spec: capacity: storage: 10Gi accessModes: - ReadWriteOnce volumeMode: Block persistentVolumeReclaimPolicy: Retain fc: targetWWNs: ["50060e801049cfd1"] lun: 0 readOnly: false
  • 18. Persistent Volume Access Modes ● ReadWriteOnce ○ read-write by a single node ● ReadOnlyMany ○ read-only by many nodes ● ReadWriteMany ○ read-write by many nodes https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes
  • 19. Persistent Volume Binding ● Binding a PVC to PV will be done based on requested: ○ Amount of storage ○ Access mode ○ Storage Class (Optional) https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  • 20. Persistent Volume Re-claim Policies ● Retain ○ Manual reclamation ● Recycle ○ Basic scrub (rm -rf /thevolume/*) on the volume and makes it available again for a new claim ● Delete ○ Deletion removes both the PV object from Kubernetes, as well as the associated storage asset in the external infrastructure https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  • 22. Container Security ● Container host operating system security ● Container operating system security ● Application security ● Container registry permissions ● Network isolation ● Container filesystem permissions ● Persistent volume permissions ● Container/container cluster manager API endpoint permissions
  • 24. File System Permissions RUN groupadd --system -g ${USER_GROUP_ID} ${USER_GROUP} && useradd --system --create-home --home-dir ${USER_HOME} --no-log-init -g ${USER_GROUP_ID} -u ${USER_ID} ${USER} 1. Create an OS user and a group in the container image: COPY --chown=user:group ${FILES}/${JDK} ${USER_HOME}/java/ 2. Specify user and the group for granting permissions to the filesystem:
  • 25. File System Permissions Cont. USER ${USER_ID} ... ENTRYPOINT ${SERVER_HOME}/bin/server.sh 3. Define the user id in the container image before the entrypoint:
  • 26. apiVersion: v1 kind: Pod metadata: name: security-context-demo spec: securityContext: runAsUser: 1000 fsGroup: 2000 volumes: - name: sec-ctx-vol emptyDir: {} containers: - name: sec-ctx-demo image: gcr.io/google-samples/node-hello:1.0 volumeMounts: - name: sec-ctx-vol mountPath: /data/demo securityContext: allowPrivilegeEscalation: false Pod Security Context https://kubernetes.io/docs/tasks/config ure-pod-container/security-context/ Define the user id and the group id in the pod under security context:
  • 27. Persistent Volume Permissions ● By default PVs would get root permissions (root:root). ● If the container is designed to run using a non-root user, that user may not have permissions for accessing the PVs. ● Therefore, the user group (gid) used in the container may need to be used for granting access to PVs. ● This can be done by: ○ Defining the gid in the PV. ○ By using a Pod Security Policy and defining the gid using the fsGroup property.
  • 28. Define Group ID in Persistent Volume kind: PersistentVolume apiVersion: v1 metadata: name: pv1 annotations: pv.beta.kubernetes.io/gid: "1234" Define the group id specified in the container image in the PV: https://kubernetes.io/docs/tasks/configure-pod-container/configure-persistent-volume-storage/
  • 29. Pod Security Policies Control Aspect Field Names Running of privileged containers privileged Usage of the root namespaces hostPID, hostIPC Usage of host networking and ports hostNetwork, hostPorts Usage of volume types volumes Usage of the host filesystem allowedHostPaths White list of FlexVolume drivers allowedFlexVolumes Allocating an FSGroup that owns the pod’s volumes fsGroup https://kubernetes.io/docs/concepts/policy/pod-security-policy/
  • 30. Pod Security Policies Cont. Control Aspect Field Names Requiring the use of a read only root file system readOnlyRootFilesystem The user and group IDs of the container runAsUser, supplementalGroups Restricting escalation to root privileges allowPrivilegeEscalation, defaultAllowPrivilegeEsca lation Linux capabilities defaultAddCapabilities, requiredDropCapabilities, allowedCapabilities https://kubernetes.io/docs/concepts/policy/pod-security-policy/
  • 31. Pod Security Policies Cont. Control Aspect Field Names The SELinux context of the container seLinux The AppArmor profile used by containers annotations The seccomp profile used by containers annotations The sysctl profile used by containers annotations https://kubernetes.io/docs/concepts/policy/pod-security-policy/
  • 32. Defining File System Group (fsGroup) apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted annotations: ... spec: ... fsGroup: rule: 'MustRunAs' ranges: # Allow following gid range for accessing PVs - min: 1000 max: 1000
  • 33. Defining Run As User, Supplemental Groups apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: example spec: ... # start container using following uid and gid range: runAsUser: rule: MustRunAs ranges: supplementalGroups: rule: RunAsAny ... ● runAsUser ○ MustRunAs (uid range) ○ MustRunAsNonRoot ○ RunAsAny ● supplementalGroups: ○ MustRunAs (gid range) ○ RunAsAny
  • 35. Kubernetes on Google Cloud ● It’s called Google Kubernetes Engine (GKE) ● Kubernetes is provided as a service ○ Masters are provided for free ● IAM: Role based access with Google Accounts ● Private container registries ● Autoscaling ● Auto upgrade Kubernetes clusters ● Logging and Monitoring with Stackdriver https://cloud.google.com/kubernetes-engine/
  • 36. Kubernetes on Google Cloud Cont. ● Databases: ○ Cloud SQL: MySQL, PostgreSQL ● Persistent Volumes: ○ GCEPersistentDisk: ReadWriteOnce, ReadOnlyMany ○ NFS, Glusterfs: ReadWriteMany ● Load Balancers: ○ Ingresses/Load Balancer Type Services creates Google Cloud Load Balancers https://cloud.google.com/kubernetes-engine/
  • 39. Kubernetes on AWS ● Recently announced: Amazon Elastic Container Service (EKS) ● Kubernetes will be provided as a service with EKS ○ Masters will be provided for free ● AWS Auth for role based access ● Currently, KOPs can be used for creating a self managed Kubernetes clusters on AWS https://aws.amazon.com/eks/
  • 40. Kubernetes on AWS ● Databases: ○ RDS: Amazon Aurora, MySQL, PostgreSQL, MariaDB, Oracle, MS SQL ● Persistent Volumes: ○ EBS: ReadWriteOnce ○ EFS, NFS, Glusterfs -> ReadWriteMany ● Load Balancers: ○ Ingresses/Load Balancer Type Services creates AWS Load Balancers https://aws.amazon.com/eks/
  • 42. Kubernetes on Azure ● Azure Container Service (AKS) ● Currently in preview mode ● A managed Kubernetes service: ○ Masters will be provided for free ● Private container registries ● Autoscaling ● Automated Kubernetes cluster upgrades https://azure.microsoft.com/en-us/services/container-service/
  • 43. Kubernetes on Azure ● Databases: ○ Azure SQL: MySQL, PostgreSQL, MS SQL ● Persistent Volumes: ○ AzureDisk-> ReadWriteOnce ○ AzureFile, NFS, Glusterfs: ReadWriteOnce, ReadOnlyMany, ReadWriteMany ● Load Balancers: ○ Ingresses/Load Balancer Type Services creates Azure Load Balancers https://azure.microsoft.com/en-us/services/container-service/
  • 46. References ● Tips to Reduce Docker Image Sizes: ○ https://hackernoon.com/tips-to-reduce-docker-image-sizes-87609 5da3b34 ● Introduction to Container Security: ○ https://www.docker.com/sites/default/files/WP_IntrotoContainerS ecurity_08.19.2016.pdf ● Ten Layers of Container Security: ○ https://www.redhat.com/cms/managed-files/cl-container-security- openshift-cloud-devops-tech-detail-f7530kc-201705-en.pdf
  • 47. References Cont. ● Kubernetes Persistent Volumes: ○ https://kubernetes.io/docs/concepts/storage/persistent-volumes/ ● Kubernetes External Storage Plugins, Provisioners, and Helper Libraries: ○ https://github.com/kubernetes-incubator/external-storage/ ● Pod Security Policies: ○ https://kubernetes.io/docs/concepts/policy/pod-security-policy/