Develop and deploy Kubernetes applications with Docker
Patrick Chanezon, @chanezon, February 2018
Patrick Chanezon: French; Polyglot Platforms Software Plumber; Developer Relations, San Francisco; @chanezon
Agenda
1. Intro: the Docker Platform
2. Modernizing Traditional Applications
3. Kubernetes in Docker
4. Demo: Kubernetes in Docker Desktop
5. General CE/EE Architectures
6. Demo: Kubernetes in Docker EE 2.0
7. EE: Topics on mixed workloads
8. Q&A
Introduction: The Docker Platform
Docker Platform: applications of every kind (Traditional, Microservices, ISV / COTS, IoT, Big Data, ML, AI, Serverless ...) on any infrastructure (Cloud, VM, Bare Metal, Edge Device)
Docker Momentum: 21.0M Docker Hosts; 77K% growth in Docker job listings; 24B container downloads; Industry Standards
Enterprise Momentum: Portability, Agility, Security; 50% total cost savings
The Docker Container Platform: Enabling the Software Supply Chain
• Diverse Applications
• Disparate Infrastructure
• Lifecycle Management
• Orchestrate Complex Systems
• Secure by Default
• Edge / IoT
• Serverless Anywhere
The Docker Platform in a nutshell: Developers and their Applications; Operators and their Infrastructure
Core Principles of the Docker Platform: Independence, Openness, Simplicity
Docker with Swarm and Kubernetes
1. Docker Community Edition: the best container development workflow
2. Docker Enterprise Edition: the best enterprise container security and management
3. Native Kubernetes integration provides full ecosystem compatibility
4. containerd: industry-standard container runtime
The Docker Innovation Model: Docker Community Edition (Developers, Container Ecosystem) → Docker Enterprise Edition (Enterprise); 9,149 Open Source Contributors; 8800 PRs/Year
Open source components: runc, Notary, Registry, LibNetwork, VPNKit, DataKit, HyperKit, Compose
Modernizing Traditional Applications
The Innovation Challenge
Average IT Spend By Type: Innovation 20%, Maintenance 80%
Chart: Server OS Market Share (Windows Server 2000 / 2003 / 2008 / 2012, Red Hat, Other Linux, Other OS)
Sources: Bank of America, Spiceworks, SolarWinds
Enterprise Priority: Portability
Top Priority for Enterprise IT, 2016 vs 2017 (Source: RightScale 2017 State of the Cloud Report):
- Leverage Hybrid Cloud: 39% → 50%
- Use Public Cloud: 27% → 29%
- Build Private Cloud: 23% → 9%
- Use Hosted Cloud: 10% → 10%
Enterprise Priority: Agility
- 50+% release 6x or less per year
- 79% set increasing release velocity as top IT priority
Chart: Major Release Frequency (Weekly, Monthly, Quarterly, Annually, More than 2 years; 0 to 25%)
Source: Plutora, CIO Insight
Enterprise Priority: Security
60%: security concerns slowing cloud adoption (Source: Forbes 2017 State Of Cloud Adoption And Security Report)
The Docker Modernize Traditional Apps POC Program: Partner Consulting Services + Partner Infrastructure + Docker Enterprise Edition
Existing Application → Convert to a Docker EE container → Modern Infrastructure
Portable, Agile, Secure, Efficient; < 5 days; No Code Changes
MTA POC Impact: Reducing total costs by 50%; Portability (Hybrid Cloud-Ready); Agility (2x Faster); Security (Isolation & Integrity)
The Modernization Journey: Existing Application → Convert to a Docker EE Container → Modern Infrastructure → Modern Methodologies → Ongoing Innovation
KEY CHALLENGES
• Accumulated thousands of apps, 400+ systems of record and 5 infrastructures over 150 years
• Difficult to innovate with majority of budget spent on maintenance
SOLUTION
• Leverage Docker MTA program to modernize the email opt-out app with Docker EE to drive down total costs
• Docker EE and MTA create a self-funding model for container adoption
RESULTS
• -70% VMs, -67% Cores, 10x average CPU utilization, -66% Total Cost of Ownership; 593 Applications
• Modernization of single app completed in 1 day
• Applying model to other apps built with same technology
• Business case forecasts a 66% cost reduction
KEY CHALLENGES
• Maintenance costs of managing traditional apps on prem
• Code quality was increasingly difficult with outsourced software house
• App delivery process was too slow for the pace of the business
SOLUTION
• Leverage Docker MTA program jointly with their trusted partner Accenture
• App Visibility and Consistency at 50% the Cost
RESULTS
• 50% savings across all applications
• Unified architecture for the first time
• New visibility into their outsourced applications
Kubernetes in Docker
What is a container orchestrator? Management of containers running in one or more container runtimes
Docker: Now Powered by Swarm and Kubernetes
• Docker Community Edition: the best container development workflow
• Docker Enterprise Edition: the best enterprise container security and management
• Native Kubernetes integration provides full ecosystem compatibility
• containerd: industry-standard container runtime
Lifecycle of a Kubernetes API Request: Kubernetes API Server → Authentication → Authorization → Admission Control → etcd
Orchestrator: Docker Engine with Swarm-Mode Enabled
● github.com/docker/swarmkit
● Declarative State through the “Service” construct
● Built-in Routing Mesh & Overlay networking
● In-memory Raft Store for all state (persisted to disk)
● Built-in CA, per-node cryptographic node identity, mTLS between all endpoints
Orchestrator: Kubernetes
● github.com/kubernetes/kubernetes
● Scheduling Unit: Pods
● Declarative State through “Controllers”: Deployment, ReplicaSet, DaemonSet …
● Load balancing via Services and Ingresses
● Flat Networking model delegated to plugins
Docker EE 2.0: A conformant Kubernetes distribution
Docker Community Edition: All in one development for Swarm and Kubernetes
• Develop with Docker Community Edition on your workstation
• Test locally on Swarm and Kubernetes
• Deploy to production in Swarm, or deploy to production in Kubernetes
Demo: Kubernetes in Docker Desktop
Kubernetes in Docker Desktop
General CE/EE Architecture
Kubernetes in Docker CE (Windows and Mac)
• Single Docker Engine inside a LinuxKit VM (hyperkit / hyperv), with vpnkit and host fs mounts
• Inside the engine: Swarm Mode; Kubernetes (kubeadm, etcd); Compose CRD
• Clients: Docker CLI, Kubernetes CLI
Docker EE now includes Kubernetes
• Docker Enterprise Edition: Production Ready; Windows and IBM P/Z Support
• Orchestration: Docker Swarm (Swarm-Mode) and Kubernetes (pods, batch jobs, blue-green deployments, horizontal pod auto-scaling)
• Private Image Registry; Secure Access and User Management; App and Cluster Management; Image Security Scanning; Content Trust and Verification; Policy Management
Kubernetes in Docker EE
• Universal Control Plane (GUI, CA, OIDC Provider, Node Agent, Reconciler) and Trusted Registry
• Docker Engine with Swarm-Mode; Docker Swarm and Kubernetes (etcd)
• Clients: Docker CLI, Kubernetes CLI
Docker EE Architectural Highlights
● Conformant Kubernetes components run as Docker containers
● Swarm Managers are Kubernetes Masters
● Swarmkit node inventory is source of truth
● Cryptographic Node Identity and mTLS used throughout
Docker Enterprise Edition: Management for Swarm and Kubernetes
Features:
- Secure Cluster Lifecycle: Easy High Availability provisioning; Cryptographic node identity
- Secure Supply Chain: Registry; Content Trust; Secure Scanning
- 100% Interoperability: Clean upstream integration; Full ecosystem compatibility
- Secure Multi-tenancy: Role Based Access Control; Authorization, Authentication; Node Segmentation
- Management Dashboard; Swarm Support; Kubernetes Support
- Supported and Certified on Windows Server and Major Linux Distributions
Demo: Kubernetes in Docker EE 2.0
Uses of Kubernetes Plugin Interfaces
Authentication
● X509 Client Certificates
  ○ Used for authentication of kubectl and the docker CLI via the “client bundle” feature
● OpenID Connect Identity Provider
  ○ GUI sessions use a custom identity provider and a token exchange service to authenticate with the OIDC authentication plugin
Authorization
● All requests authorized via the Authorization Webhook plugin
● Custom RBAC system shared between Swarm and Kubernetes:
  ○ Users, Teams, Organizations, Service Accounts
  ○ Custom Roles
  ○ Hierarchical “Grants”
● No support for the rbac.authorization.k8s.io API, future plans for API translation
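The grant model on this slide, worked as an added example that is not UCP's code: a stdlib-only Go authorization webhook that decodes a SubjectAccessReview and evaluates it against constructed users, teams, roles and hierarchical grants, where a cluster-scoped grant covers every namespace. The role and grant tables, and the assumption that team names arrive in the request's group list, are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the authorization.k8s.io/v1 SubjectAccessReview that the API
// server POSTs to an authorization webhook; untagged fields match JSON case-insensitively.
type ResourceAttributes struct{ Namespace, Verb, Resource string }
type SubjectAccessReview struct {
	Spec struct {
		User               string              `json:"user"`
		Groups             []string            `json:"groups"`
		ResourceAttributes *ResourceAttributes `json:"resourceAttributes"`
	} `json:"spec"`
	Status struct {
		Allowed bool   `json:"allowed"`
		Reason  string `json:"reason,omitempty"`
	} `json:"status"`
}
// Grant binds a subject ("user:x" or "team:x") to a role at a scope ("namespace:x"
// or "cluster"); a cluster grant covers every namespace, which is the hierarchy.
type Grant struct{ Subject, Role, Scope string }
var roles = map[string]map[string][]string{ // role -> resource -> verbs; "*" is any verb
	"viewer": {"pods": {"get", "list", "watch"}, "deployments": {"get", "list", "watch"}},
	"editor": {"pods": {"*"}, "deployments": {"*"}},
}
var grants = []Grant{ // constructed sample grants
	{"team:payments", "viewer", "namespace:payments"},
	{"user:alice", "editor", "namespace:payments"},
	{"team:sre", "editor", "cluster"},
}
// authorize is deny-by-default. Team membership is read from the request's
// group list, which this example assumes carries team names.
func authorize(user string, groups []string, ra *ResourceAttributes) (bool, string) {
	if ra == nil {
		return false, "non-resource requests are not covered by any grant"
	}
	subjects := map[string]bool{"user:" + user: true}
	for _, g := range groups {
		subjects["team:"+g] = true
	}
	for _, g := range grants {
		inScope := g.Scope == "cluster" || g.Scope == "namespace:"+ra.Namespace
		if !subjects[g.Subject] || !inScope {
			continue
		}
		for _, v := range roles[g.Role][ra.Resource] {
			if v == "*" || v == ra.Verb {
				return true, fmt.Sprintf("allowed by grant %s/%s@%s", g.Subject, g.Role, g.Scope)
			}
		}
	}
	return false, "no grant permits this request"
}
// review is the webhook body: decode the review, fill in status, hand it back.
func review(body []byte) (sar SubjectAccessReview, err error) {
	if err = json.Unmarshal(body, &sar); err == nil {
		sar.Status.Allowed, sar.Status.Reason = authorize(sar.Spec.User, sar.Spec.Groups, sar.Spec.ResourceAttributes)
	}
	return sar, err
}
func main() { fmt.Println(authorize("alice", nil, &ResourceAttributes{"payments", "delete", "pods"})) }
```

An HTTP handler around review only has to read the request body and write the returned struct back as JSON.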
Admission Control
● Allows plugins to inspect, mutate or reject API requests after authorization
● Used for:
  ○ Orchestrator Selection
  ○ Linking nodes to namespaces
  ○ User Impersonation for Stacks
  ○ Image Signing policy enforcement
Orchestrator Selection
● Each node is running both Kubernetes and Swarm system components
● Administrators can toggle between (kubernetes, swarm or mixed) for any given node
● When toggling orchestrators, workloads of the previous orchestrator will be evicted
● An admission controller ensures that Kubernetes workloads can only be scheduled on nodes labelled as “kubernetes” nodes.
● Workloads of multiple orchestrators on the same node can lead to resource contention
Diagram: Manager Node (K8s, Swarm), Worker Node (Swarm), Worker Node (Kubernetes), Worker Node (Kubernetes); every node runs a Kubelet and Swarm Agents
Linking Nodes to Namespaces
● Allows users to uniquely assign nodes to namespaces.
● Variation of the PodNodeSelector admission controller integrated with UCP’s RBAC system
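The two admission controllers above (orchestrator selection and node-to-namespace linking), worked as one added example that is not UCP's code: a mutating admission check in stdlib Go that forces every pod onto nodes labelled for Kubernetes and onto the nodes its namespace is linked to, and rejects pods that try to pin a conflicting selector. The label key example.com/orchestrator and the namespace table are placeholders assumed for this example; the annotation key is the one upstream PodNodeSelector reads.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)
// Label a node carries once an administrator has toggled it to Kubernetes. The key
// is a placeholder chosen for this example, not the product's real label.
const orchestratorKey, orchestratorValue = "example.com/orchestrator", "kubernetes"
// Upstream PodNodeSelector reads a namespace's node selector from this annotation;
// the example reuses that key for the namespace-to-node link. Namespaces are constructed.
const nsSelectorAnnotation = "scheduler.alpha.kubernetes.io/node-selector"
var namespaces = map[string]map[string]string{
	"payments": {nsSelectorAnnotation: "team=payments,tier=pci"},
	"sandbox":  {},
}
type Pod struct { // only the parts the controller needs
	Metadata struct{ Name, Namespace string } `json:"metadata"`
	Spec     struct {
		NodeSelector map[string]string `json:"nodeSelector,omitempty"`
	} `json:"spec"`
}
// PatchOp is one JSON Patch operation; a mutating admission response is a list of them.
type PatchOp struct {
	Op    string            `json:"op"`
	Path  string            `json:"path"`
	Value map[string]string `json:"value"`
}
func parseSelector(s string) map[string]string {
	out := map[string]string{}
	for _, kv := range strings.Split(s, ",") {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
			out[strings.TrimSpace(p[0])] = strings.TrimSpace(p[1])
		}
	}
	return out
}
// admit merges the orchestrator label and the namespace's linked selector into the
// pod's nodeSelector. A pod that already pins a conflicting value is rejected, so a
// user cannot steer a pod onto a Swarm node or onto another namespace's nodes.
func admit(pod Pod) ([]PatchOp, error) {
	ns, known := namespaces[pod.Metadata.Namespace]
	if !known {
		return nil, fmt.Errorf("namespace %q is not linked to any nodes", pod.Metadata.Namespace)
	}
	required := parseSelector(ns[nsSelectorAnnotation])
	required[orchestratorKey] = orchestratorValue
	merged := map[string]string{}
	for k, v := range pod.Spec.NodeSelector {
		merged[k] = v
	}
	for k, v := range required {
		if have, ok := merged[k]; ok && have != v {
			return nil, fmt.Errorf("pod %s: nodeSelector %s=%s conflicts with required %s=%s", pod.Metadata.Name, k, have, k, v)
		}
		merged[k] = v
	}
	// JSON Patch "add" on an existing path replaces it, so one op covers nil and populated selectors.
	return []PatchOp{{Op: "add", Path: "/spec/nodeSelector", Value: merged}}, nil
}
func main() { // constructed pod in the payments namespace with no selector of its own
	var p Pod
	json.Unmarshal([]byte(`{"metadata":{"name":"api","namespace":"payments"},"spec":{}}`), &p)
	fmt.Println(admit(p))
}
```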
Image Signing Policy Enforcement
● Enforces that all workloads deployed in the cluster have a fully qualified image reference
● Resolves image references to always include a digest
● Contacts the registry to ensure that the referenced image has been signed by an authorized user.
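The image signing policy, worked as an added example that is not the product's code: stdlib Go that parses an image reference, rejects references without a registry host, resolves a tag to a digest, and accepts the workload only if that digest was signed by an identity the repository's policy authorizes. The registry name, the tag-to-digest table, the signer lists and the digests are all constructed stand-ins for what the real controller fetches from the registry and its trust data.

```go
package main
import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-ins for what the real controller learns by contacting the registry:
// tag-to-digest resolution, who signed each digest, and who may sign each repository.
var (
	apiDigest = "sha256:" + strings.Repeat("0123456789abcdef", 4) // constructed, 64 hex chars
	devDigest = "sha256:" + strings.Repeat("ef", 32)               // constructed
	tags      = map[string]string{"registry.example.com/payments/api:1.4.2": apiDigest, "registry.example.com/payments/api:0.9-dev": devDigest}
	signers   = map[string][]string{apiDigest: {"alice", "ci"}, devDigest: {"mallory"}}
	policy    = map[string][]string{"registry.example.com/payments/api": {"alice", "release-team"}}
)
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)
type Ref struct{ Registry, Repo, Tag, Digest string }
// parseRef follows the docker reference grammar loosely: the first path segment is a
// registry only if it looks like a host ('.', ':' or localhost); a missing tag is "latest".
func parseRef(s string) Ref {
	r := Ref{Tag: "latest"}
	if i := strings.Index(s, "@"); i >= 0 {
		s, r.Digest = s[:i], s[i+1:]
	}
	if i := strings.LastIndex(s, ":"); i > strings.LastIndex(s, "/") {
		s, r.Tag = s[:i], s[i+1:]
	}
	if i := strings.Index(s, "/"); i >= 0 {
		if h := s[:i]; strings.ContainsAny(h, ".:") || h == "localhost" {
			r.Registry, s = h, s[i+1:]
		}
	}
	r.Repo = s
	return r
}
// enforce applies the slide's three checks and returns the digest-pinned reference
// the workload should be mutated to use; any failure rejects the workload.
func enforce(image string) (string, error) {
	r := parseRef(image)
	if r.Registry == "" {
		return "", fmt.Errorf("%q is not fully qualified (no registry host)", image)
	}
	name := r.Registry + "/" + r.Repo
	if r.Digest == "" { // resolve the tag so the pod runs exactly the bytes that were checked
		d, ok := tags[name+":"+r.Tag]
		if !ok {
			return "", fmt.Errorf("%s:%s not found in registry", name, r.Tag)
		}
		r.Digest = d
	}
	if !digestRe.MatchString(r.Digest) {
		return "", fmt.Errorf("malformed digest %q", r.Digest)
	}
	for _, s := range signers[r.Digest] {
		for _, a := range policy[name] {
			if s == a {
				return name + "@" + r.Digest, nil
			}
		}
	}
	return "", fmt.Errorf("%s@%s is not signed by an authorized signer", name, r.Digest)
}
func main() { fmt.Println(enforce("registry.example.com/payments/api:1.4.2")) }
```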
The Tao of Docker
之道 Tao, The Way
无为 Wu-wei, Effortless action
自然 Ziran, Naturalness: container based; no state; no coupling; bounded context
The Docker 之道
• 无为: Modernize traditional applications without coding
• 自然: Create microservice applications with the container platform that started the container revolution
Docker: Now powered by Swarm and Kubernetes. Beta signup is open at www.docker.com/kubernetes. Generally available Q1 2018.
Thank You! chanezon @chanezon

Develop and deploy Kubernetes applications with Docker - IBM Index 2018


Editor's Notes

  • #4 General Architecture: Compose, DCT Plugins, Networking HA, Reconciliation, Promotion Installation/Upgrade ?? (optional, talk with vivek) Storage Mixed Workloads: Interop, mixed “stacks” Resource Contention
  • #38 Windows containers are different
  • #40 Runs on Docker EE engine; Swarm-mode Managers are Kubernetes Masters; Swarm-mode node inventory is source of truth; Cryptographic Node Identity and mTLS used throughout; Unmodified Kubernetes components run as Docker containers; UCP Agent/Reconciler manages component lifecycle (Manager / Worker states, Certificate validity, Patching and upgrades); Leverage Kubernetes extension model (webhooks, initializers, flexvolume, CNI, etc.); We will submit the product and aim to pass the Certified Kubernetes Conformance program
  • #46 Requests arriving to the UCP controller against the kubernetes API will have their session token exchanged for a long-lived identity token. The request is then forwarded to the kubernetes API server which is configured to trust UCP’s identity tokens.
  • #47 A Grant is either a RoleBinding or a ClusterRoleBinding
  • #48 Grant creation is UCP-specific