Copyright © 2020 Mirantis, Inc. All rights reserved
What's New in
Kubernetes 1.18
WEBINAR | March 17, 2020
2
The content contained herein is for informational purposes only, may
not be referenced or added to any contract, and should not be relied
upon to make purchasing decisions. It is not a commitment,
promise, or legal obligation to provide any features, functionality,
capabilities, code, etc. or to provide anything within any schedule,
date, time, etc. All Mirantis product and service decisions remain at
Mirantis sole and exclusive discretion.
Plus, I can't guarantee what features actually make it into
Kubernetes 1.18 when it's released next week.
Disclaimer
3
Featured Presenter
Nick Chase
Head of Technical Content at Mirantis
Nick Chase is Head of Technical Content for Mirantis and a former member of the Kubernetes
release team. He is a former software developer and author or co-author of more than a
dozen books on various programming topics, including the OpenStack Architecture Guide,
Understanding OPNFV, and Machine Learning for Mere Mortals.
Reach him on Twitter @NickChase.
4
A Little Housekeeping
● Please submit questions in the
Questions panel.
● We’ll provide a link where you
can download the slides at the
end of the webinar.
5
● Generally Available
● Beta
● Alpha
● Q&A
Agenda
Generally
available
Production ready and enabled by
default
7
RunAsUserName for
Windows
8
● Windows worker nodes
● Controllers still run on Linux
RunAsUserName for Windows
9
apiVersion: v1
kind: Pod
metadata:
  name: username-demo-pod
spec:
  securityContext:
    windowsOptions:
      runAsUserName: "ContainerUser"
  containers:
  - name: username-demo
    image: mcr.microsoft.com/windows/servercore:ltsc2019
    command: ["ping", "-t", "localhost"]
  nodeSelector:
    kubernetes.io/os: windows
RunAsUserName for Windows
10
kubectl apply -f run-as-username-pod.yaml
kubectl exec -it username-demo-pod -- powershell
echo $env:USERNAME
ContainerUser
RunAsUserName for Windows
11
● Limitations
○ Must be a valid (non-empty) user in the form DOMAIN\USER
○ DOMAIN
■ Optional
■ NetBIOS name or DNS name
○ USER
■ <= 20 characters
■ Can have dots or spaces
■ No control characters
■ None of \ / : * ? " < > |
RunAsUserName for Windows
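An added check, not from the deck, that applies the limitations above to a Pod manifest: it validates the DOMAIN\USER form, the 20-character cap and the forbidden characters, and walks both the pod-level and the container-level windowsOptions. The NetBIOS and DNS name patterns are this example's own approximation of what the slide calls a valid name, not the kubelet's exact validation.

```python
import re

# Characters the slide lists as not allowed in the USER part (control characters are rejected too).
FORBIDDEN_USER_CHARS = set('\\/:*?"<>|')
# NetBIOS domain name: 1-15 characters, no dots, none of the forbidden or control characters.
# (Approximation for this example, not the kubelet's own rule.)
NETBIOS_RE = re.compile(r'^[^\\/:*?"<>|.\x00-\x1f]{1,15}$')
# DNS label (RFC 1123 style): alphanumerics and hyphens, no leading or trailing hyphen.
DNS_LABEL_RE = re.compile(r'^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')


def _valid_domain(domain):
    """DOMAIN part: a NetBIOS name (no dots) or a DNS name (dot-separated labels)."""
    if "." not in domain:
        return bool(NETBIOS_RE.match(domain))
    return all(DNS_LABEL_RE.match(label) for label in domain.split("."))


def validate_run_as_user_name(value):
    """Check a windowsOptions.runAsUserName value against the rules on this slide.

    Returns (True, "") when the value is acceptable, otherwise (False, reason).
    """
    if not isinstance(value, str) or value == "":
        return False, "runAsUserName must be a non-empty string"
    domain, sep, user = value.partition("\\")
    if not sep:                      # no backslash: the whole value is the USER part
        domain, user = "", value
    if domain and not _valid_domain(domain):
        return False, "DOMAIN part %r is neither a NetBIOS name nor a DNS name" % domain
    if user == "":
        return False, "USER part is empty"
    if len(user) > 20:
        return False, "USER part is longer than 20 characters"
    bad = sorted({c for c in user if c in FORBIDDEN_USER_CHARS or ord(c) < 0x20})
    if bad:
        return False, "USER part contains forbidden character(s): %r" % "".join(bad)
    return True, ""


def check_pod(pod):
    """Collect every invalid runAsUserName in a Pod manifest (pod level and per container)."""
    problems = []
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    name = pod_sc.get("windowsOptions", {}).get("runAsUserName")
    if name is not None:
        ok, why = validate_run_as_user_name(name)
        if not ok:
            problems.append("spec.securityContext: %s" % why)
    for c in pod.get("spec", {}).get("containers", []):
        name = c.get("securityContext", {}).get("windowsOptions", {}).get("runAsUserName")
        if name is not None:
            ok, why = validate_run_as_user_name(name)
            if not ok:
                problems.append("container %s: %s" % (c.get("name", "?"), why))
    return problems


# Constructed sample: the username-demo-pod from this slide, as a Python dict.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "username-demo-pod"},
    "spec": {
        "securityContext": {"windowsOptions": {"runAsUserName": "ContainerUser"}},
        "containers": [{"name": "username-demo",
                        "image": "mcr.microsoft.com/windows/servercore:ltsc2019",
                        "command": ["ping", "-t", "localhost"]}],
        "nodeSelector": {"kubernetes.io/os": "windows"},
    },
}

if __name__ == "__main__":
    print(check_pod(SAMPLE_POD))
    for candidate in ("ContainerUser", "CONTOSO\\svc.web app", "contoso.com\\WebApp1",
                      "", "CONTOSO\\", "a" * 21, "bad:name"):
        print(repr(candidate), validate_run_as_user_name(candidate))
```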
12
Support gMSA for Windows
workloads
13
● Group Managed Service Account
○ Password management
○ Single identity for group of servers
● Deploy GMSACredentialSpec CRD
● Install validation webhooks (multiple steps)
● Provision gMSAs in Active Directory
Support gMSA for Windows workloads
14
● Create the GMSACredentialSpec object:
apiVersion: windows.k8s.io/v1alpha1
kind: GMSACredentialSpec
metadata:
  name: gmsa-WebApp1  # This is an arbitrary name but it will be used as a reference
credspec:
  ActiveDirectoryConfig:
    GroupManagedServiceAccounts:
    - Name: WebApp1       # Username of the GMSA account
      Scope: CONTOSO      # NETBIOS Domain Name
    - Name: WebApp1       # Username of the GMSA account
      Scope: contoso.com  # DNS Domain Name
  CmsPlugins:
  - ActiveDirectory
  DomainJoinConfig:
    DnsName: contoso.com      # DNS Domain Name
    DnsTreeName: contoso.com  # DNS Domain Name Root
    Guid: 244818ae-87ac-4fcd-92ec-e79e5252348a  # GUID
    MachineAccountName: WebApp1  # Username of the GMSA account
    NetBiosName: CONTOSO         # NETBIOS Domain Name
    Sid: S-1-5-21-2126449477-2524075714-3094792973  # SID of GMSA
Support gMSA for Windows workloads
15
● Configure cluster role to enable RBAC on specific
gMSA credential specs
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: webapp1-role
rules:
- apiGroups: ["windows.k8s.io"]
  resources: ["gmsacredentialspecs"]
  verbs: ["use"]
  resourceNames: ["gmsa-WebApp1"]
Support gMSA for Windows workloads
16
● Assign role to service accounts to use specific
gMSA credentialspecs
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-default-svc-account-read-on-gmsa-WebApp1
  namespace: default
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: webapp1-role
  apiGroup: rbac.authorization.k8s.io
Support gMSA for Windows workloads
17
● Configure Pod to use the gMSA credential spec
apiVersion: apps/v1  # apps/v1beta1 is no longer served in 1.18; Deployments use apps/v1
kind: Deployment
metadata:
  labels:
    run: with-creds
  name: with-creds
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      run: with-creds
  template:
    metadata:
      labels:
        run: with-creds
    spec:
      securityContext:
        windowsOptions:
          gmsaCredentialSpecName: gmsa-WebApp1  # must match the GMSACredentialSpec metadata.name
      containers:
      - image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019
        imagePullPolicy: Always
        name: iis
      nodeSelector:
        beta.kubernetes.io/os: windows
Support gMSA for Windows workloads
18
● Configure container to use the gMSA spec
apiVersion: apps/v1  # apps/v1beta1 is no longer served in 1.18; Deployments use apps/v1
kind: Deployment
metadata:
  labels:
    run: with-creds
  name: with-creds
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      run: with-creds
  template:
    metadata:
      labels:
        run: with-creds
    spec:
      containers:
      - image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019
        imagePullPolicy: Always
        name: iis
        securityContext:
          windowsOptions:
            gmsaCredentialSpecName: gmsa-WebApp1  # must match the GMSACredentialSpec metadata.name
      nodeSelector:
        beta.kubernetes.io/os: windows
Support gMSA for Windows workloads
19
Raw block device using
persistent volume source
20
● Raw block devices -- non-networked storage
○ AWSElasticBlockStore
○ AzureDisk
○ CSI
○ FC (Fibre Channel)
○ GCEPersistentDisk
○ iSCSI
○ Local volume
○ OpenStack Cinder
○ RBD (Ceph Block Device)
○ VsphereVolume
Raw block device using persistent volume source
21
● Persistent Volumes using a Raw Block Volume
apiVersion: v1
kind: PersistentVolume
metadata:
  name: block-pv
spec:
  capacity:
    storage: 10Gi
  accessModes:
  - ReadWriteOnce
  volumeMode: Block
  persistentVolumeReclaimPolicy: Retain
  fc:
    targetWWNs: ["50060e801049cfd1"]
    lun: 0
    readOnly: false
Raw block device using persistent volume source
22
● Persistent Volume Claim requesting a Raw Block
Volume
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: block-pvc
spec:
  accessModes:
  - ReadWriteOnce
  volumeMode: Block
  resources:
    requests:
      storage: 10Gi
Raw block device using persistent volume source
23
● Add to container
○ Specify device path instead of mount path
apiVersion: v1
kind: Pod
metadata:
  name: pod-with-block-volume
spec:
  containers:
  - name: fc-container
    image: fedora:26
    command: ["/bin/sh", "-c"]
    args: [ "tail -f /dev/null" ]
    volumeDevices:
    - name: data
      devicePath: /dev/xvda
  volumes:
  - name: data
    persistentVolumeClaim:
      claimName: block-pvc
Raw block device using persistent volume source
24
Cloning a PVC
25
● Use an existing PersistentVolumeClaim as the
DataSource for a new PVC
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: cloned-pvc
spec:
  storageClassName: my-csi-plugin
  dataSource:
    name: existing-src-pvc-name
    kind: PersistentVolumeClaim
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
Cloning a PVC
26
Kubectl diff
27
● Similar to kubectl apply
kubectl diff -f some-resources.yaml
● Specify KUBECTL_EXTERNAL_DIFF to use your
favorite diff tool
KUBECTL_EXTERNAL_DIFF=meld kubectl diff -f some-resources.yaml
kubectl diff
28
APIServer DryRun
29
kubectl apply --server-dry-run
APIServer DryRun
30
Pass Pod information in CSI
calls
31
● Adds new fields to volume_context for
NodePublishVolumeRequest
○ csi.storage.k8s.io/pod.name: {pod.Name}
○ csi.storage.k8s.io/pod.namespace: {pod.Namespace}
○ csi.storage.k8s.io/pod.uid: {pod.UID}
○ csi.storage.k8s.io/serviceAccount.name: {pod.Spec.ServiceAccountName}
Pass Pod information in CSI calls
32
● Include the CSIDriver object in the driver's own
manifests
● Previously this needed the cluster-driver-registrar
sidecar container
● That sidecar created the CSIDriver object automatically
Pass Pod information in CSI calls
33
apiVersion: storage.k8s.io/v1beta1
kind: CSIDriver
metadata:
  name: testcsidriver.example.com
spec:
  podInfoOnMount: true
Pass Pod information in CSI calls
34
Skip attach for
non-attachable CSI volumes
35
● Some CSI volume types don't have attach
operations:
○ NFS
○ Secrets
○ Ephemeral
Skip attach for non-attachable CSI volumes
Beta
Enabled by default, but not necessarily
ready for production environments.
Not likely to change.
37
CertificateSigningRequest
API
38
● Create the request
● Create the object and send to K8s
● Approve the request
○ Manual or automatic
● Associated with a private key
○ Can be held by a pod
■ Identity
■ Authorization
● Be careful who can approve requests!
CertificateSigningRequest API
39
● Must be set up to serve the certificates API
● Default signer implementation in controller
manager
○ Pass CA's keypair --cluster-signing-cert-file and
--cluster-signing-key-file to controller manager
CertificateSigningRequest API
40
cat <<EOF | cfssl genkey - | cfssljson -bare server
{
  "hosts": [
    "my-svc.my-namespace.svc.cluster.local",
    "my-pod.my-namespace.pod.cluster.local",
    "192.0.2.24",
    "10.0.34.2"
  ],
  "CN": "my-pod.my-namespace.pod.cluster.local",
  "key": {
    "algo": "ecdsa",
    "size": 256
  }
}
EOF
2017/03/21 06:48:17 [INFO] generate received request
2017/03/21 06:48:17 [INFO] received CSR
2017/03/21 06:48:17 [INFO] generating key: ecdsa-256
2017/03/21 06:48:17 [INFO] encoded CSR
CertificateSigningRequest API
41
● Generates 2 files
○ Actual request (server.csr)
○ Encoded key for the final certificate (server-key.pem)
kubectl get csr
NAME AGE REQUESTOR CONDITION
my-svc.my-namespace 10m yourname@example.com Pending
kubectl certificate approve my-svc.my-namespace
● Download to server.crt
kubectl get csr my-svc.my-namespace -o jsonpath='{.status.certificate}' \
  | base64 --decode > server.crt
● Use server.crt and server-key.pem as keypair for HTTPS
server
CertificateSigningRequest API
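An added example, not from the deck, that audits the two RBAC decisions these slides hinge on: which service accounts may use a given GMSACredentialSpec (the gMSA slides), and whether a role can approve CertificateSigningRequests (the "be careful who can approve" point). It assumes the approval authorization the Kubernetes docs describe for 1.18, update on certificatesigningrequests/approval plus approve on signers for the signer name (here kubernetes.io/legacy-unknown, the signer v1beta1 requests default to, matched by exact name only); the csr-approver and csr-viewer roles are constructed, the webapp1-role objects are the ones on the gMSA slides.

```python
def _matches(allowed, wanted):
    """RBAC list semantics: "*" matches anything, otherwise exact membership."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb, name=None):
    """Does a single PolicyRule grant `verb` on `resource` in `api_group` (for object `name`)?"""
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    if not _matches(rule.get("verbs", []), verb):
        return False
    names = rule.get("resourceNames", [])
    return not names or name in names   # empty resourceNames = every object of that resource


def role_allows(role, api_group, resource, verb, name=None):
    return any(rule_allows(r, api_group, resource, verb, name) for r in role.get("rules", []))


def bound_service_accounts(bindings, role):
    """namespace/name of every ServiceAccount that a (Cluster)RoleBinding ties to `role`."""
    found = set()
    for b in bindings:
        ref = b["roleRef"]
        if ref["kind"] != role["kind"] or ref["name"] != role["metadata"]["name"]:
            continue
        for s in b.get("subjects", []):
            if s.get("kind") == "ServiceAccount":
                ns = s.get("namespace") or b["metadata"].get("namespace", "")
                found.add("%s/%s" % (ns, s["name"]))
    return sorted(found)


def who_can_use_credspec(roles, bindings, credspec_name):
    """Service accounts allowed to 'use' the named GMSACredentialSpec."""
    out = set()
    for role in roles:
        if role_allows(role, "windows.k8s.io", "gmsacredentialspecs", "use", credspec_name):
            out.update(bound_service_accounts(bindings, role))
    return sorted(out)


def can_approve_csrs(role, signer_name):
    """CSR approval needs both 'update' on certificatesigningrequests/approval and
    'approve' on the signers resource for that signer name (exact match only here)."""
    return (role_allows(role, "certificates.k8s.io", "certificatesigningrequests/approval", "update")
            and role_allows(role, "certificates.k8s.io", "signers", "approve", signer_name))


# Sample objects: the webapp1-role ClusterRole and RoleBinding from the gMSA slides, plus two
# constructed ClusterRoles (csr-approver and csr-viewer) that are not from the deck.
WEBAPP1_ROLE = {"kind": "ClusterRole", "metadata": {"name": "webapp1-role"},
                "rules": [{"apiGroups": ["windows.k8s.io"], "resources": ["gmsacredentialspecs"],
                           "verbs": ["use"], "resourceNames": ["gmsa-WebApp1"]}]}
WEBAPP1_BINDING = {"kind": "RoleBinding",
                   "metadata": {"name": "allow-default-svc-account-read-on-gmsa-WebApp1",
                                "namespace": "default"},
                   "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}],
                   "roleRef": {"kind": "ClusterRole", "name": "webapp1-role",
                               "apiGroup": "rbac.authorization.k8s.io"}}
CSR_APPROVER = {"kind": "ClusterRole", "metadata": {"name": "csr-approver"},
                "rules": [{"apiGroups": ["certificates.k8s.io"],
                           "resources": ["certificatesigningrequests/approval"], "verbs": ["update"]},
                          {"apiGroups": ["certificates.k8s.io"], "resources": ["signers"],
                           "verbs": ["approve"], "resourceNames": ["kubernetes.io/legacy-unknown"]}]}
CSR_VIEWER = {"kind": "ClusterRole", "metadata": {"name": "csr-viewer"},
              "rules": [{"apiGroups": ["certificates.k8s.io"],
                         "resources": ["certificatesigningrequests"], "verbs": ["get", "list"]}]}

if __name__ == "__main__":
    print(who_can_use_credspec([WEBAPP1_ROLE], [WEBAPP1_BINDING], "gmsa-WebApp1"))
    print(can_approve_csrs(CSR_APPROVER, "kubernetes.io/legacy-unknown"),
          can_approve_csrs(CSR_VIEWER, "kubernetes.io/legacy-unknown"))
```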
42
Even pod spreading across
failure domains
43
● Pod affinity: unlimited pods per topology domain
● Pod anti-affinity: 1 pod per topology domain
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  topologySpreadConstraints:
  - maxSkew: <integer>
    topologyKey: <string>
    whenUnsatisfiable: <string>
    labelSelector: <object>
Even pod spreading across failure domains
44
● Default policy (alpha)
apiVersion: kubescheduler.config.k8s.io/v1alpha2
kind: KubeSchedulerConfiguration
profiles:
- pluginConfig:
  - name: PodTopologySpread
    args:
      defaultConstraints:
      - maxSkew: 1
        topologyKey: failure-domain.beta.kubernetes.io/zone
        whenUnsatisfiable: ScheduleAnyway
Even pod spreading across failure domains
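An added model, not from the deck, of how maxSkew is evaluated for the constraint shown above: it counts selector-matching pods per topology domain (domains come from node labels, so an empty zone counts as 0) and returns where a new pod may land under DoNotSchedule or ScheduleAnyway. The nodes, pods and zone counts are constructed; the example assumes the new pod itself matches the labelSelector, as it does when a workload spreads its own replicas.

```python
def skew_after_placement(counts, domain):
    """Global skew (most-loaded minus least-loaded domain) if one more matching pod lands in `domain`."""
    after = dict(counts)
    after[domain] = after.get(domain, 0) + 1
    return max(after.values()) - min(after.values())


def matching_pod_counts(nodes, pods, topology_key, match_labels):
    """Matching pods per topology domain; domains come from the nodes, so empty ones count as 0."""
    node_domain = {n["name"]: n["labels"].get(topology_key) for n in nodes}
    counts = {d: 0 for d in node_domain.values() if d is not None}
    for p in pods:
        if all(p["labels"].get(k) == v for k, v in match_labels.items()):
            d = node_domain.get(p["node"])
            if d in counts:
                counts[d] += 1
    return counts


def candidate_domains(nodes, pods, constraint):
    """Domains a new pod (matching the selector) may be placed in under one topologySpreadConstraint.

    DoNotSchedule: only domains whose resulting skew is <= maxSkew (empty list = pod stays Pending).
    ScheduleAnyway: every domain, lowest resulting skew first (the scheduler only prefers them).
    """
    counts = matching_pod_counts(nodes, pods, constraint["topologyKey"],
                                 constraint["labelSelector"]["matchLabels"])
    ranked = sorted(counts, key=lambda d: (skew_after_placement(counts, d), d))
    if constraint["whenUnsatisfiable"] == "ScheduleAnyway":
        return ranked
    return [d for d in ranked if skew_after_placement(counts, d) <= constraint["maxSkew"]]


# Constructed cluster: one node per zone, two web pods already in zone a, one in zone b, none in c.
ZONE_KEY = "failure-domain.beta.kubernetes.io/zone"
NODES = [{"name": "node-%s" % z, "labels": {ZONE_KEY: "zone-%s" % z}} for z in "abc"]
PODS = [
    {"name": "web-1", "node": "node-a", "labels": {"app": "web"}},
    {"name": "web-2", "node": "node-a", "labels": {"app": "web"}},
    {"name": "web-3", "node": "node-b", "labels": {"app": "web"}},
    {"name": "db-1", "node": "node-c", "labels": {"app": "db"}},   # not matched by the selector
]
STRICT = {"maxSkew": 1, "topologyKey": ZONE_KEY, "whenUnsatisfiable": "DoNotSchedule",
          "labelSelector": {"matchLabels": {"app": "web"}}}
SOFT = dict(STRICT, whenUnsatisfiable="ScheduleAnyway")

if __name__ == "__main__":
    print(matching_pod_counts(NODES, PODS, ZONE_KEY, {"app": "web"}))
    print("DoNotSchedule:", candidate_domains(NODES, PODS, STRICT))   # only zone-c keeps skew <= 1
    print("ScheduleAnyway:", candidate_domains(NODES, PODS, SOFT))   # c, then b, then a
```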
45
Add pod-startup
liveness-probe holdoff for
slow starting pods
46
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness-exec
spec:
  containers:
  - name: liveness
    image: k8s.gcr.io/busybox
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
    livenessProbe:
      exec:
        command:
        - cat
        - /tmp/healthy
      initialDelaySeconds: 5
      periodSeconds: 5
Add pod-startup liveness-probe holdoff for
slow-starting pods
47
Kubeadm for Windows
48
● Create a K8s node on Windows
● Run Windows-based containers
○ For Windows containers get Windows Server 2019 license
(or higher)
● Control plane still runs on Linux
Kubeadm for Windows
49
New Endpoint API
50
● Services with > 100 endpoints -> EndpointSlices
● EndpointSliceProxying feature gate (alpha)
● Will replace v1 Endpoints
New Endpoint API
51
Node Topology Manager
52
● Performance/latency sensitive operations
● CPU vs Device manager
● Hint providers
● Four supported policies (--topology-manager-policy)
○ none (default)
○ best-effort
○ restricted
○ single-numa-node
● Only none takes pod specs into account
Node Topology Manager
53
● requests < limits
● Burstable QoS class
spec:
  containers:
  - name: nginx
    image: nginx
    resources:
      limits:
        memory: "200Mi"
      requests:
        memory: "100Mi"
Node Topology Manager
54
● requests == limits
● Guaranteed QoS class
spec:
  containers:
  - name: nginx
    image: nginx
    resources:
      limits:
        memory: "200Mi"
        cpu: "2"
        example.com/device: "1"
      requests:
        memory: "200Mi"
        cpu: "2"
        example.com/device: "1"
Node Topology Manager
55
● No CPU or memory requests (extended resources only)
● BestEffort QoS class
spec:
  containers:
  - name: nginx
    image: nginx
    resources:
      limits:
        example.com/deviceA: "1"
        example.com/deviceB: "1"
      requests:
        example.com/deviceA: "1"
        example.com/deviceB: "1"
Node Topology Manager
56
● Limitations for Non-Uniform Memory Access
● Max NUMA nodes = 8.
○ state explosion
● Scheduler is not topology-aware
○ Can still fail
● Only Device Manager and the CPU Manager
support Topology Manager's HintProvider interface.
○ Memory and Hugepages not considered
Node Topology Manager
57
IPv6 support
58
● Feature parity with IPv4
● kubeadm uses default gateway network interface
○ advertise address for API server.
○ Specify kubeadm init
--apiserver-advertise-address=<ip-address> to change
○ For example --apiserver-advertise-address=fd00::101
IPv6 support added
59
Pod overhead: account resources
tied to the pod sandbox, but not
specific containers
60
kind: RuntimeClass
apiVersion: node.k8s.io/v1beta1
metadata:
  name: kata-fc
handler: kata-fc
overhead:
  podFixed:
    memory: "120Mi"
    cpu: "250m"
...
Pod Overhead: account resources tied to the pod
sandbox, but not specific containers
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  runtimeClassName: kata-fc
  containers:
  - name: busybox-ctr
    image: busybox
    stdin: true
    tty: true
    resources:
      limits:
        cpu: 500m
        memory: 100Mi
  - name: nginx-ctr
    image: nginx
    resources:
      limits:
        cpu: 1500m
        memory: 100Mi
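An added example, not from the deck, covering the Topology Manager QoS slides and the Pod Overhead slide together: qos_class applies the kubelet's rules to the three nginx specs shown earlier, and effective_requests adds the kata-fc podFixed overhead to the test-pod's container requests (which default to its limits). The quantity parsing handles only plain values, the m suffix, and the binary/decimal memory suffixes; init containers are not accounted for.

```python
_MEM_UNITS = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4,
              "k": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}


def parse_cpu(q):
    """CPU quantity to millicores: "2" -> 2000, "250m" -> 250, "0.5" -> 500."""
    q = str(q)
    if q.endswith("m"):
        return int(q[:-1])
    return int(round(float(q) * 1000))


def parse_memory(q):
    """Memory quantity to bytes, accepting binary (Mi) and decimal (M) suffixes or plain bytes."""
    q = str(q)
    for unit in sorted(_MEM_UNITS, key=len, reverse=True):   # try "Mi" before "M"
        if q.endswith(unit):
            return int(q[:-len(unit)]) * _MEM_UNITS[unit]
    return int(q)


def _parse(resource, q):
    return parse_cpu(q) if resource == "cpu" else parse_memory(q)


def qos_class(pod_spec):
    """QoS class as the kubelet assigns it; only cpu and memory count, extended resources do not.

    Guaranteed: every container has cpu and memory limits, and requests equal limits.
    BestEffort: no container has any cpu or memory request or limit.
    Burstable:  everything else.
    """
    any_cpu_or_mem = False
    guaranteed = True
    for c in pod_spec["containers"]:
        res = c.get("resources", {})
        requests, limits = res.get("requests", {}), res.get("limits", {})
        for r in ("cpu", "memory"):
            req, lim = requests.get(r), limits.get(r)
            if req is None and lim is not None:
                req = lim                    # Kubernetes defaults a missing request to the limit
            if req is not None or lim is not None:
                any_cpu_or_mem = True
            if lim is None or req is None or _parse(r, req) != _parse(r, lim):
                guaranteed = False
    if not any_cpu_or_mem:
        return "BestEffort"
    return "Guaranteed" if guaranteed else "Burstable"


def effective_requests(pod_spec, runtime_classes):
    """(cpu millicores, memory bytes) the scheduler reserves: container requests (defaulted from
    limits) plus the podFixed overhead of the pod's RuntimeClass."""
    cpu = mem = 0
    for c in pod_spec["containers"]:
        res = c.get("resources", {})
        req = dict(res.get("limits", {}))
        req.update(res.get("requests", {}))
        cpu += parse_cpu(req.get("cpu", "0"))
        mem += parse_memory(req.get("memory", "0"))
    rc = runtime_classes.get(pod_spec.get("runtimeClassName"), {})
    fixed = rc.get("overhead", {}).get("podFixed", {})
    return cpu + parse_cpu(fixed.get("cpu", "0")), mem + parse_memory(fixed.get("memory", "0"))


# The three nginx container specs from the Topology Manager slides, as Python dicts.
BURSTABLE = {"containers": [{"name": "nginx", "image": "nginx", "resources": {
    "limits": {"memory": "200Mi"}, "requests": {"memory": "100Mi"}}}]}
GUARANTEED = {"containers": [{"name": "nginx", "image": "nginx", "resources": {
    "limits": {"memory": "200Mi", "cpu": "2", "example.com/device": "1"},
    "requests": {"memory": "200Mi", "cpu": "2", "example.com/device": "1"}}}]}
DEVICES_ONLY = {"containers": [{"name": "nginx", "image": "nginx", "resources": {
    "limits": {"example.com/deviceA": "1", "example.com/deviceB": "1"},
    "requests": {"example.com/deviceA": "1", "example.com/deviceB": "1"}}}]}
# The kata-fc RuntimeClass and test-pod from the Pod Overhead slide.
RUNTIME_CLASSES = {"kata-fc": {"handler": "kata-fc",
                               "overhead": {"podFixed": {"memory": "120Mi", "cpu": "250m"}}}}
TEST_POD = {"runtimeClassName": "kata-fc", "containers": [
    {"name": "busybox-ctr", "image": "busybox",
     "resources": {"limits": {"cpu": "500m", "memory": "100Mi"}}},
    {"name": "nginx-ctr", "image": "nginx",
     "resources": {"limits": {"cpu": "1500m", "memory": "100Mi"}}}]}

if __name__ == "__main__":
    for label, spec in (("memory 100Mi/200Mi", BURSTABLE), ("requests == limits", GUARANTEED),
                        ("devices only", DEVICES_ONLY)):
        print(label, "->", qos_class(spec))
    cpu_m, mem_b = effective_requests(TEST_POD, RUNTIME_CLASSES)
    print("test-pod needs %dm cpu and %dMi memory including overhead" % (cpu_m, mem_b // 1024 ** 2))
```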
61
Adding AppProtocol to
Services and Endpoints
62
● AppProtocol
● Optional field
○ Endpoint
○ EndpointSlice
○ Service
■ UDP, TCP, SCTP
Adding AppProtocol to Services and Endpoints
63
● Specific protocol
○ postgresql://
○ https://
○ mysql://
Adding AppProtocol to Services and Endpoints
Alpha
Disabled by default, may change in the future
65
Skip Volume ownership
change
66
● By default, volume ownership and permissions are changed to match the securityContext's fsGroup
● For large volumes this recursive change can be slow
● fsGroupChangePolicy
● No effect on ephemeral volumes
○ secret
○ configMap
○ ephemeral
Skip Volume Ownership Change
67
Configurable scale velocity
for HPA
68
● Horizontal Pod Autoscaler
● Highest recommendation in window
● Configure with
○ --horizontal-pod-autoscaler-downscale-stabilization
○ behavior.scaleDown.stabilizationWindowSeconds
● Specify periodSeconds
○ Length of time for which condition must be true
Configurable scale velocity for HPA
69
● Create defaults
Configurable scale velocity for HPA
behavior:
  scaleDown:
    stabilizationWindowSeconds: 300
    policies:
    - type: Percent
      value: 100
      periodSeconds: 15
  scaleUp:
    stabilizationWindowSeconds: 0
    policies:
    - type: Percent
      value: 100
      periodSeconds: 15
    - type: Pods
      value: 4
      periodSeconds: 15
    selectPolicy: Max
70
● Limit scale down:
behavior:
  scaleDown:
    policies:
    - type: Percent
      value: 10
      periodSeconds: 60
    - type: Pods
      value: 5
      periodSeconds: 60
    selectPolicy: Max
Configurable scale velocity for HPA
71
behavior:
  scaleDown:
    policies:
    - type: Pods
      value: 4
      periodSeconds: 60
    - type: Percent
      value: 10
      periodSeconds: 60
Configurable scale velocity for HPA
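An added model, not from the deck, of how the scaleUp and scaleDown policies above bound one scaling step: each policy proposes a replica count (Percent uses the controller's ceil rounding), selectPolicy picks among the proposals, and the HPA's desired count is clamped by the result. The stabilization window and periodSeconds accounting are not modelled; the behaviours are the ones on these slides plus a constructed Min and Disabled variant.

```python
import math


def _proposed(policy, start_replicas, direction):
    """Replica count one policy permits after a period (ceil rounding for Percent, as the controller does)."""
    if policy["type"] == "Pods":
        return start_replicas + policy["value"] if direction == "up" else start_replicas - policy["value"]
    factor = 1 + policy["value"] / 100.0 if direction == "up" else 1 - policy["value"] / 100.0
    return int(math.ceil(start_replicas * factor))


def scaling_limit(rules, start_replicas, direction):
    """Bound on the next scale event from one scaleUp/scaleDown block.

    selectPolicy Max (the default) applies the policy that allows the biggest change,
    Min the one that allows the smallest, and Disabled blocks scaling in that direction.
    """
    select = rules.get("selectPolicy", "Max")
    proposals = [_proposed(p, start_replicas, direction) for p in rules.get("policies", [])]
    if select == "Disabled" or not proposals:
        return start_replicas
    biggest_change = max if direction == "up" else min
    smallest_change = min if direction == "up" else max
    return biggest_change(proposals) if select == "Max" else smallest_change(proposals)


def next_replicas(behavior, current, desired):
    """Clamp the HPA's desired replica count by the behavior's policies."""
    if desired > current:
        return min(desired, scaling_limit(behavior.get("scaleUp", {}), current, "up"))
    if desired < current:
        return max(desired, scaling_limit(behavior.get("scaleDown", {}), current, "down"))
    return current


# The behavior blocks from these slides, as Python dicts, plus two constructed variants.
DEFAULTS = {"scaleDown": {"stabilizationWindowSeconds": 300,
                          "policies": [{"type": "Percent", "value": 100, "periodSeconds": 15}]},
            "scaleUp": {"stabilizationWindowSeconds": 0,
                        "policies": [{"type": "Percent", "value": 100, "periodSeconds": 15},
                                     {"type": "Pods", "value": 4, "periodSeconds": 15}],
                        "selectPolicy": "Max"}}
LIMIT_DOWN = {"scaleDown": {"policies": [{"type": "Percent", "value": 10, "periodSeconds": 60},
                                         {"type": "Pods", "value": 5, "periodSeconds": 60}],
                            "selectPolicy": "Max"}}
LIMIT_DOWN_MIN = {"scaleDown": dict(LIMIT_DOWN["scaleDown"], selectPolicy="Min")}   # constructed
NO_DOWN = {"scaleDown": {"selectPolicy": "Disabled"}}                                # constructed

if __name__ == "__main__":
    print("defaults, 10 -> want 50:", next_replicas(DEFAULTS, 10, 50))     # doubling wins: 20
    print("defaults, 1 -> want 50:", next_replicas(DEFAULTS, 1, 50))       # +4 pods wins: 5
    print("limit down Max, 100 -> want 0:", next_replicas(LIMIT_DOWN, 100, 0))
    print("limit down Min, 100 -> want 0:", next_replicas(LIMIT_DOWN_MIN, 100, 0))
    print("disabled, 100 -> want 0:", next_replicas(NO_DOWN, 100, 0))
```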
72
Provide OIDC discovery
for service account
token issuer
73
● Enables federation of clusters
● Identity provider --> relying parties
● Must be OIDC compliant
● system:service-account-issuer-discovery
ClusterRole
○ No role bindings included
○ Admin binds to system:authenticated or
system:unauthenticated
Provide OIDC discovery for service account token
issuer
74
Immutable Secrets and
ConfigMaps
75
● Can be set individually
● Prevents changes
● Can't be un-set
Immutable Secrets and ConfigMaps
76
Kubectl debug
77
● For containers with no OS / debugging
capabilities
● Provides debugging container
kubectl alpha debug -it ephemeral-demo --image=busybox --target=ephemeral-demo
Defaulting debug container name to debugger-8xzrl.
If you don't see a command prompt, try pressing enter.
/ #
Kubectl debug
78
Run multiple scheduling
profiles
79
● Policies vs Profiles
● Policies
○ Filter (PodFitsHostPorts, CheckNodeMemoryPressure)
○ Scoring (SelectorSpreadPriority,
ImageLocalityPriority)
Run multiple Scheduling Profiles
80
● Profiles
○ Uses plugins
○ Can be enabled, disabled, reordered
○ Extension points (e.g. QueueSort, Permit, Unreserve)
■ Single QueueSort plugin; only one pending pods queue
○ For example: NodePreferAvoidPods, VolumeRestrictions,
PrioritySort
● Request specific profile using pod's
.spec.schedulerName field
Run multiple Scheduling Profiles
81
Generic data populators
82
● Populate a new PVC via a CRD
● Must have a controller installed
● Same namespace
● Dynamic provisioners must support that resource
● Write your own
○ Create the PV
○ Bind it to the PVC
Generic data populators
83
Extending the HugePage
feature
84
● Not supported in Windows
● Must be pre-allocated
● requests == limits
● Isolated at the container level
● Each container has its own limit in its cgroup sandbox, as per
spec
● Control via ResourceQuota (like cpu or memory using
hugepages-<size> token)
● Multiple sizes
Extending the HugePage feature
85
apiVersion: v1
kind: Pod
metadata:
  name: huge-pages-example
spec:
  volumes:
  - name: hugepage-2mi
    emptyDir:
      medium: HugePages-2Mi
  - name: hugepage-1gi
    emptyDir:
      medium: HugePages-1Gi
...
Extending the HugePage feature
  containers:
  - name: example
    image: fedora:latest
    command:
    - sleep
    - inf
    volumeMounts:
    - mountPath: /hugepages-2Mi
      name: hugepage-2mi
    - mountPath: /hugepages-1Gi
      name: hugepage-1gi
    resources:
      limits:
        hugepages-2Mi: 100Mi
        hugepages-1Gi: 2Gi
        memory: 100Mi
      requests:
        memory: 100Mi
86
Training Promotion
Special Offer
87
Mirantis Training - Kubernetes
training.mirantis.com
Webinar attendees! Get 15% off Mirantis training!
Use coupon code: WEBMIR2020
Kubernetes & Docker
Bootcamp I (KD100)
Learn Docker and Kubernetes to deploy, run, and manage
containerized applications
2 days
Kubernetes & Docker
Bootcamp II (KD200)
Advanced training for Kubernetes professionals,
preparation for CKA exam
3 days
Accelerated Kubernetes &
Docker Bootcamp (KD250)
Most popular course! A combination of KD100 & KD200 at
an accelerated pace, preps for the CKA exam
4 days
Kubernetes in Production
Bootcamp (KP300)
In Development Advanced training focused on
production grade architecture, operational best practices,
and cluster management.
2 days
88
Thank You!
Q&A
Download the slides: bit.ly/k8s-1-18_slides
We’ll send you the slides & recording
later this week.

Is It Safe? Security Hardening for Databases Using Kubernetes OperatorsIs It Safe? Security Hardening for Databases Using Kubernetes Operators
Is It Safe? Security Hardening for Databases Using Kubernetes Operators
 
Heroku to Kubernetes & Gihub to Gitlab success story
Heroku to Kubernetes & Gihub to Gitlab success storyHeroku to Kubernetes & Gihub to Gitlab success story
Heroku to Kubernetes & Gihub to Gitlab success story
 
Headless browser: puppeteer and git client : GitKraken
Headless browser: puppeteer and git client : GitKrakenHeadless browser: puppeteer and git client : GitKraken
Headless browser: puppeteer and git client : GitKraken
 
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
 
Securité des container
Securité des containerSecurité des container
Securité des container
 
Security in a containerized world - Jessie Frazelle
Security in a containerized world - Jessie FrazelleSecurity in a containerized world - Jessie Frazelle
Security in a containerized world - Jessie Frazelle
 
Cloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit KubernetesCloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit Kubernetes
 
Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019
Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019
Architecting .NET solutions in a Docker ecosystem - .NET Fest Kyiv 2019
 
Protecting data with CSI Volume Snapshots on Kubernetes
Protecting data with CSI Volume Snapshots on KubernetesProtecting data with CSI Volume Snapshots on Kubernetes
Protecting data with CSI Volume Snapshots on Kubernetes
 

Plus de Mirantis

How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...
How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...
How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...Mirantis
 
Kubernetes Security Workshop
Kubernetes Security WorkshopKubernetes Security Workshop
Kubernetes Security WorkshopMirantis
 
Demystifying Cloud Security Compliance
Demystifying Cloud Security ComplianceDemystifying Cloud Security Compliance
Demystifying Cloud Security ComplianceMirantis
 
Mirantis life
Mirantis lifeMirantis life
Mirantis lifeMirantis
 
OpenStack and the IoT: Where we are, where we're going, what we need to get t...
OpenStack and the IoT: Where we are, where we're going, what we need to get t...OpenStack and the IoT: Where we are, where we're going, what we need to get t...
OpenStack and the IoT: Where we are, where we're going, what we need to get t...Mirantis
 
Boris Renski: OpenStack Summit Keynote Austin 2016
Boris Renski: OpenStack Summit Keynote Austin 2016Boris Renski: OpenStack Summit Keynote Austin 2016
Boris Renski: OpenStack Summit Keynote Austin 2016Mirantis
 
Digital Disciplines: Attaining Market Leadership through the Cloud
Digital Disciplines: Attaining Market Leadership through the CloudDigital Disciplines: Attaining Market Leadership through the Cloud
Digital Disciplines: Attaining Market Leadership through the CloudMirantis
 
Decomposing Lithium's Monolith with Kubernetes and OpenStack
Decomposing Lithium's Monolith with Kubernetes and OpenStackDecomposing Lithium's Monolith with Kubernetes and OpenStack
Decomposing Lithium's Monolith with Kubernetes and OpenStackMirantis
 
OpenStack: Changing the Face of Service Delivery
OpenStack: Changing the Face of Service DeliveryOpenStack: Changing the Face of Service Delivery
OpenStack: Changing the Face of Service DeliveryMirantis
 
Accelerating the Next 10,000 Clouds
Accelerating the Next 10,000 CloudsAccelerating the Next 10,000 Clouds
Accelerating the Next 10,000 CloudsMirantis
 
Containers for the Enterprise: It's Not That Simple
Containers for the Enterprise: It's Not That SimpleContainers for the Enterprise: It's Not That Simple
Containers for the Enterprise: It's Not That SimpleMirantis
 
Protecting Yourself from the Container Shakeout
Protecting Yourself from the Container ShakeoutProtecting Yourself from the Container Shakeout
Protecting Yourself from the Container ShakeoutMirantis
 
It's Not the Technology, It's You
It's Not the Technology, It's YouIt's Not the Technology, It's You
It's Not the Technology, It's YouMirantis
 
OpenStack as the Platform for Innovation
OpenStack as the Platform for InnovationOpenStack as the Platform for Innovation
OpenStack as the Platform for InnovationMirantis
 
Moving AWS workloads to OpenStack
Moving AWS workloads to OpenStackMoving AWS workloads to OpenStack
Moving AWS workloads to OpenStackMirantis
 
Your 1st Ceph cluster
Your 1st Ceph clusterYour 1st Ceph cluster
Your 1st Ceph clusterMirantis
 
App catalog (Vancouver)
App catalog (Vancouver)App catalog (Vancouver)
App catalog (Vancouver)Mirantis
 
Tales From The Ship: Navigating the OpenStack Community Seas
Tales From The Ship: Navigating the OpenStack Community SeasTales From The Ship: Navigating the OpenStack Community Seas
Tales From The Ship: Navigating the OpenStack Community SeasMirantis
 
OpenStack Overview and History
OpenStack Overview and HistoryOpenStack Overview and History
OpenStack Overview and HistoryMirantis
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 

Plus de Mirantis (20)

How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...
How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...
How to Accelerate Your Application Delivery Process on Top of Kubernetes Usin...
 
Kubernetes Security Workshop
Kubernetes Security WorkshopKubernetes Security Workshop
Kubernetes Security Workshop
 
Demystifying Cloud Security Compliance
Demystifying Cloud Security ComplianceDemystifying Cloud Security Compliance
Demystifying Cloud Security Compliance
 
Mirantis life
Mirantis lifeMirantis life
Mirantis life
 
OpenStack and the IoT: Where we are, where we're going, what we need to get t...
OpenStack and the IoT: Where we are, where we're going, what we need to get t...OpenStack and the IoT: Where we are, where we're going, what we need to get t...
OpenStack and the IoT: Where we are, where we're going, what we need to get t...
 
Boris Renski: OpenStack Summit Keynote Austin 2016
Boris Renski: OpenStack Summit Keynote Austin 2016Boris Renski: OpenStack Summit Keynote Austin 2016
Boris Renski: OpenStack Summit Keynote Austin 2016
 
Digital Disciplines: Attaining Market Leadership through the Cloud
Digital Disciplines: Attaining Market Leadership through the CloudDigital Disciplines: Attaining Market Leadership through the Cloud
Digital Disciplines: Attaining Market Leadership through the Cloud
 
Decomposing Lithium's Monolith with Kubernetes and OpenStack
Decomposing Lithium's Monolith with Kubernetes and OpenStackDecomposing Lithium's Monolith with Kubernetes and OpenStack
Decomposing Lithium's Monolith with Kubernetes and OpenStack
 
OpenStack: Changing the Face of Service Delivery
OpenStack: Changing the Face of Service DeliveryOpenStack: Changing the Face of Service Delivery
OpenStack: Changing the Face of Service Delivery
 
Accelerating the Next 10,000 Clouds
Accelerating the Next 10,000 CloudsAccelerating the Next 10,000 Clouds
Accelerating the Next 10,000 Clouds
 
Containers for the Enterprise: It's Not That Simple
Containers for the Enterprise: It's Not That SimpleContainers for the Enterprise: It's Not That Simple
Containers for the Enterprise: It's Not That Simple
 
Protecting Yourself from the Container Shakeout
Protecting Yourself from the Container ShakeoutProtecting Yourself from the Container Shakeout
Protecting Yourself from the Container Shakeout
 
It's Not the Technology, It's You
It's Not the Technology, It's YouIt's Not the Technology, It's You
It's Not the Technology, It's You
 
OpenStack as the Platform for Innovation
OpenStack as the Platform for InnovationOpenStack as the Platform for Innovation
OpenStack as the Platform for Innovation
 
Moving AWS workloads to OpenStack
Moving AWS workloads to OpenStackMoving AWS workloads to OpenStack
Moving AWS workloads to OpenStack
 
Your 1st Ceph cluster
Your 1st Ceph clusterYour 1st Ceph cluster
Your 1st Ceph cluster
 
App catalog (Vancouver)
App catalog (Vancouver)App catalog (Vancouver)
App catalog (Vancouver)
 
Tales From The Ship: Navigating the OpenStack Community Seas
Tales From The Ship: Navigating the OpenStack Community SeasTales From The Ship: Navigating the OpenStack Community Seas
Tales From The Ship: Navigating the OpenStack Community Seas
 
OpenStack Overview and History
OpenStack Overview and HistoryOpenStack Overview and History
OpenStack Overview and History
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 

Dernier

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 

Dernier (20)

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 

What's New in Kubernetes 1.18 Webinar Slides

• 8. RunAsUserName for Windows
  ● Windows worker nodes
  ● Controllers still run on Linux

• 9. RunAsUserName for Windows
  apiVersion: v1
  kind: Pod
  metadata:
    name: username-demo-pod
  spec:
    securityContext:
      windowsOptions:
        runAsUserName: "ContainerUser"
    containers:
    - name: username-demo
      image: mcr.microsoft.com/windows/servercore:ltsc2019
      command: ["ping", "-t", "localhost"]
    nodeSelector:
      kubernetes.io/os: windows

• 10. RunAsUserName for Windows
  kubectl apply -f run-as-username-pod.yaml
  kubectl exec -it username-demo-pod -- powershell
  echo $env:USERNAME
  ContainerUser

• 11. RunAsUserName for Windows
  ● Limitations
    ○ Must be a valid (non-empty) user name of the form DOMAIN\USER
    ○ DOMAIN
      ■ Optional
      ■ NetBIOS name or DNS name
    ○ USER
      ■ <= 20 characters
      ■ Can contain dots or spaces
      ■ No control characters
      ■ None of / : * ? " < > |
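The limitations on slide 11 are exactly what a pre-admission policy check should enforce before a manifest reaches the API server. The Python below is an added example, not code from the deck or from Kubernetes: it implements the slide's rules for the DOMAIN\USER form and walks a Pod manifest (pod-level and per-container windowsOptions). The NetBIOS and DNS name shapes and the two sample manifests are assumptions constructed for the example; the upstream validator is the authority on any character not listed on the slide.

```python
import re
from typing import Dict, List

# Characters the slide lists as not allowed in the USER part. The backslash is
# handled separately because it is the DOMAIN\USER separator.
FORBIDDEN_USER_CHARS = set('/:*?"<>|')

# Assumed, simplified shapes for the optional DOMAIN part: a NetBIOS name is
# 1-15 characters without dots or NetBIOS-reserved punctuation; a DNS name is
# dot-separated RFC 1123 labels.
NETBIOS_RE = re.compile(r'^[^\\/:*?"<>|.]{1,15}$')
DNS_LABEL_RE = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')


def _is_dns_name(domain: str) -> bool:
    return len(domain) <= 253 and all(DNS_LABEL_RE.match(label) for label in domain.split('.'))


def validate_run_as_username(value: str) -> List[str]:
    """Return the rule violations for one runAsUserName value (empty list = acceptable)."""
    if not value:
        return ["runAsUserName must not be empty"]
    parts = value.split('\\')
    if len(parts) > 2:
        return ["runAsUserName may contain at most one backslash (DOMAIN\\USER)"]
    domain, user = (parts[0], parts[1]) if len(parts) == 2 else (None, parts[0])
    errors: List[str] = []
    if domain is not None:
        if not domain:
            errors.append("DOMAIN is empty although a backslash is present")
        elif not (NETBIOS_RE.match(domain) or _is_dns_name(domain)):
            errors.append(f"DOMAIN {domain!r} is neither a NetBIOS name nor a DNS name")
    if not user:
        errors.append("USER must not be empty")
    if len(user) > 20:
        errors.append(f"USER {user!r} is longer than 20 characters")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in user):
        errors.append("USER contains control characters")
    bad = sorted(set(user) & FORBIDDEN_USER_CHARS)
    if bad:
        errors.append("USER contains forbidden characters: " + ''.join(bad))
    return errors


def check_pod(pod: dict) -> Dict[str, List[str]]:
    """Validate every runAsUserName in a Pod manifest: the pod-level securityContext
    and each container's securityContext (a container may override the pod value).
    Returns only the locations that have problems."""
    spec = pod.get("spec", {})
    findings: Dict[str, List[str]] = {}
    pod_opts = spec.get("securityContext", {}).get("windowsOptions", {})
    if "runAsUserName" in pod_opts:
        findings["spec.securityContext"] = validate_run_as_username(pod_opts["runAsUserName"])
    for container in spec.get("containers", []):
        opts = container.get("securityContext", {}).get("windowsOptions", {})
        if "runAsUserName" in opts:
            findings["container " + container["name"]] = validate_run_as_username(opts["runAsUserName"])
    return {where: errs for where, errs in findings.items() if errs}


# Constructed manifest: the pod from slide 9 plus a container-level override
# in DOMAIN\USER form.
DEMO_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "username-demo-pod"},
    "spec": {
        "securityContext": {"windowsOptions": {"runAsUserName": "ContainerUser"}},
        "containers": [{
            "name": "username-demo",
            "image": "mcr.microsoft.com/windows/servercore:ltsc2019",
            "securityContext": {"windowsOptions": {"runAsUserName": "CONTOSO\\WebApp1"}},
        }],
        "nodeSelector": {"kubernetes.io/os": "windows"},
    },
}

# Constructed manifest with two values that break the slide's rules.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "bad-pod"},
    "spec": {
        "securityContext": {"windowsOptions": {"runAsUserName": "CONTOSO\\this-user-name-is-too-long"}},
        "containers": [{
            "name": "bad-ctr",
            "image": "mcr.microsoft.com/windows/servercore:ltsc2019",
            "securityContext": {"windowsOptions": {"runAsUserName": "web:app\x01"}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (DEMO_POD, BAD_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "ok")
```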
• 12. Support gMSA for Windows workloads

• 13. Support gMSA for Windows workloads
  ● Group Managed Service Account
    ○ Password management
    ○ Single identity for a group of servers
  ● Deploy the GMSACredentialSpec CRD
  ● Install the validation webhooks (multiple steps)
  ● Provision gMSAs in Active Directory

• 14. Support gMSA for Windows workloads
  ● Create the GMSACredentialSpec object:
  apiVersion: windows.k8s.io/v1alpha1
  kind: GMSACredentialSpec
  metadata:
    name: gmsa-webapp1  # Arbitrary name, but it is what the RBAC rule and the pods below reference; custom resource names must be lowercase
  credspec:
    ActiveDirectoryConfig:
      GroupManagedServiceAccounts:
      - Name: WebApp1       # Username of the gMSA account
        Scope: CONTOSO      # NetBIOS domain name
      - Name: WebApp1       # Username of the gMSA account
        Scope: contoso.com  # DNS domain name
    CmsPlugins:
    - ActiveDirectory
    DomainJoinConfig:
      DnsName: contoso.com      # DNS domain name
      DnsTreeName: contoso.com  # DNS domain name root
      Guid: 244818ae-87ac-4fcd-92ec-e79e5252348a  # GUID
      MachineAccountName: WebApp1  # Username of the gMSA account
      NetBiosName: CONTOSO         # NetBIOS domain name
      Sid: S-1-5-21-2126449477-2524075714-3094792973  # SID of the gMSA

• 15. Support gMSA for Windows workloads
  ● Configure a ClusterRole that enables RBAC on specific gMSA credential specs
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: webapp1-role
  rules:
  - apiGroups: ["windows.k8s.io"]
    resources: ["gmsacredentialspecs"]
    verbs: ["use"]
    resourceNames: ["gmsa-webapp1"]

• 16. Support gMSA for Windows workloads
  ● Assign the role to the service accounts that may use specific gMSA credential specs
  apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: allow-default-svc-account-read-on-gmsa-WebApp1
    namespace: default
  subjects:
  - kind: ServiceAccount
    name: default
    namespace: default
  roleRef:
    kind: ClusterRole
    name: webapp1-role
    apiGroup: rbac.authorization.k8s.io

• 17. Support gMSA for Windows workloads
  ● Configure the Pod to use the gMSA credential spec
  apiVersion: apps/v1  # the slide's apps/v1beta1 is no longer served from Kubernetes 1.16 on
  kind: Deployment
  metadata:
    labels:
      run: with-creds
    name: with-creds
    namespace: default
  spec:
    replicas: 1
    selector:
      matchLabels:
        run: with-creds
    template:
      metadata:
        labels:
          run: with-creds
      spec:
        securityContext:
          windowsOptions:
            gmsaCredentialSpecName: gmsa-webapp1
        containers:
        - image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019
          imagePullPolicy: Always
          name: iis
        nodeSelector:
          beta.kubernetes.io/os: windows
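Slides 13 to 18 are one procedure, and the piece that makes it a security control is the last step: the gMSA validation webhook only admits a pod if its service account has the `use` verb on the named gmsacredentialspecs resource. The Python below is an added example, not the webhook's code: it answers that authorization question over constructed copies of the ClusterRole and RoleBinding from the slides and over two constructed pods, one of which references the credspec with different capitalisation (RBAC resourceNames are compared exactly). Only RoleBindings to ClusterRoles are modelled; ClusterRoleBindings and Role kinds are left out.

```python
from typing import Dict, List

GMSA_GROUP, GMSA_RESOURCE, GMSA_VERB = "windows.k8s.io", "gmsacredentialspecs", "use"

# Constructed copies of the RBAC objects from slides 15 and 16.
CLUSTER_ROLES: Dict[str, dict] = {
    "webapp1-role": {
        "rules": [{
            "apiGroups": ["windows.k8s.io"],
            "resources": ["gmsacredentialspecs"],
            "verbs": ["use"],
            "resourceNames": ["gmsa-webapp1"],
        }],
    },
}
ROLE_BINDINGS: List[dict] = [{
    "metadata": {"name": "allow-default-svc-account-read-on-gmsa-WebApp1", "namespace": "default"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}],
    "roleRef": {"kind": "ClusterRole", "name": "webapp1-role", "apiGroup": "rbac.authorization.k8s.io"},
}]


def _rule_allows(rule: dict, group: str, resource: str, verb: str, name: str) -> bool:
    def listed(field: str, wanted: str) -> bool:
        values = rule.get(field, [])
        return "*" in values or wanted in values
    if not (listed("apiGroups", group) and listed("resources", resource) and listed("verbs", verb)):
        return False
    names = rule.get("resourceNames")
    return not names or name in names  # exact, case-sensitive match, as in RBAC


def service_account_may_use(sa: str, namespace: str, credspec: str,
                            cluster_roles: Dict[str, dict] = CLUSTER_ROLES,
                            role_bindings: List[dict] = ROLE_BINDINGS) -> bool:
    """Does this service account hold 'use' on this gmsacredentialspecs name?"""
    for binding in role_bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only grants within its own namespace
        subjects = binding.get("subjects", [])
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa
                   and s.get("namespace") == namespace for s in subjects):
            continue
        ref = binding["roleRef"]
        role = cluster_roles.get(ref["name"]) if ref["kind"] == "ClusterRole" else None
        if role and any(_rule_allows(r, GMSA_GROUP, GMSA_RESOURCE, GMSA_VERB, credspec)
                        for r in role["rules"]):
            return True
    return False


def credspec_names(pod_spec: dict) -> List[str]:
    """Every gmsaCredentialSpecName a pod references: pod level (slide 17) and per container (slide 18)."""
    names: List[str] = []
    pod_level = pod_spec.get("securityContext", {}).get("windowsOptions", {}).get("gmsaCredentialSpecName")
    if pod_level:
        names.append(pod_level)
    for c in pod_spec.get("containers", []):
        n = c.get("securityContext", {}).get("windowsOptions", {}).get("gmsaCredentialSpecName")
        if n:
            names.append(n)
    return names


def denied_credspecs(pod: dict) -> List[str]:
    """Credspec names the pod's service account may not use; empty means the webhook would admit the pod."""
    spec = pod["spec"]
    sa = spec.get("serviceAccountName", "default")
    namespace = pod.get("metadata", {}).get("namespace", "default")
    return [n for n in credspec_names(spec) if not service_account_may_use(sa, namespace, n)]


IIS_IMAGE = "mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2019"

# Constructed pods: the pod template from slide 17, and a variant whose
# container names the credspec as gmsa-WebApp1 instead of gmsa-webapp1.
WITH_CREDS_POD = {
    "metadata": {"name": "with-creds", "namespace": "default"},
    "spec": {
        "securityContext": {"windowsOptions": {"gmsaCredentialSpecName": "gmsa-webapp1"}},
        "containers": [{"name": "iis", "image": IIS_IMAGE}],
    },
}
MISMATCHED_POD = {
    "metadata": {"name": "with-creds", "namespace": "default"},
    "spec": {
        "containers": [{"name": "iis", "image": IIS_IMAGE,
                        "securityContext": {"windowsOptions": {"gmsaCredentialSpecName": "gmsa-WebApp1"}}}],
    },
}

if __name__ == "__main__":
    print("slide 17 pod denied:", denied_credspecs(WITH_CREDS_POD))
    print("mismatched pod denied:", denied_credspecs(MISMATCHED_POD))
```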
• 19. Raw block device using persistent volume source

• 20. Raw block device using persistent volume source
  ● Raw block devices -- non-networked storage
    ○ AWSElasticBlockStore
    ○ AzureDisk
    ○ CSI
    ○ FC (Fibre Channel)
    ○ GCEPersistentDisk
    ○ iSCSI
    ○ Local volume
    ○ OpenStack Cinder
    ○ RBD (Ceph Block Device)
    ○ VsphereVolume

• 21. Raw block device using persistent volume source
  ● PersistentVolume using a raw block volume
  apiVersion: v1
  kind: PersistentVolume
  metadata:
    name: block-pv
  spec:
    capacity:
      storage: 10Gi
    accessModes:
    - ReadWriteOnce
    volumeMode: Block
    persistentVolumeReclaimPolicy: Retain
    fc:
      targetWWNs: ["50060e801049cfd1"]
      lun: 0
      readOnly: false

• 22. Raw block device using persistent volume source
  ● PersistentVolumeClaim requesting a raw block volume
  apiVersion: v1
  kind: PersistentVolumeClaim
  metadata:
    name: block-pvc
  spec:
    accessModes:
    - ReadWriteOnce
    volumeMode: Block
    resources:
      requests:
        storage: 10Gi

• 23. Raw block device using persistent volume source
  ● Add to the container
    ○ Specify a device path instead of a mount path
  apiVersion: v1
  kind: Pod
  metadata:
    name: pod-with-block-volume
  spec:
    containers:
    - name: fc-container
      image: fedora:26
      command: ["/bin/sh", "-c"]
      args: ["tail -f /dev/null"]
      volumeDevices:
      - name: data
        devicePath: /dev/xvda
    volumes:
    - name: data
      persistentVolumeClaim:
        claimName: block-pvc
• 25. Cloning a PVC
  ● Use an existing PersistentVolumeClaim as the dataSource for a new PVC
  apiVersion: v1
  kind: PersistentVolumeClaim
  metadata:
    name: cloned-pvc
  spec:
    storageClassName: my-csi-plugin
    dataSource:
      name: existing-src-pvc-name
      kind: PersistentVolumeClaim
    accessModes:
    - ReadWriteOnce
    resources:
      requests:
        storage: 10Gi

• 27. kubectl diff
  ● Similar to kubectl apply
  kubectl diff -f some-resources.yaml
  ● Set KUBECTL_EXTERNAL_DIFF to use your favorite diff tool
  KUBECTL_EXTERNAL_DIFF=meld kubectl diff -f some-resources.yaml
• 30. Pass Pod information in CSI calls

• 31. Pass Pod information in CSI calls
  ● Adds new fields to volume_context in NodePublishVolumeRequest
    ○ csi.storage.k8s.io/pod.name: {pod.Name}
    ○ csi.storage.k8s.io/pod.namespace: {pod.Namespace}
    ○ csi.storage.k8s.io/pod.uid: {pod.UID}
    ○ csi.storage.k8s.io/serviceAccount.name: {pod.Spec.ServiceAccountName}

• 32. Pass Pod information in CSI calls
  ● Include the CSIDriver object manually in the driver manifests
  ● Previously this needed the cluster-driver-registrar sidecar container
  ● That container created the CSIDriver object automatically

• 33. Pass Pod information in CSI calls
  apiVersion: storage.k8s.io/v1beta1
  kind: CSIDriver
  metadata:
    name: testcsidriver.example.com
  spec:
    podInfoOnMount: true

• 35. Skip attach for non-attachable CSI volumes
  ● Some CSI volume types don't have attach operations:
    ○ NFS
    ○ Secrets
    ○ Ephemeral

• 36. Beta
  Enabled by default, but not necessarily ready for production environments. Not likely to change.
• 38. CertificateSigningRequest API
  ● Create the request
  ● Create the object and send it to Kubernetes
  ● Approve the request
    ○ Manually or automatically
  ● Associated with a private key
    ○ Can be held by a pod
      ■ Identity
      ■ Authorization
  ● Be careful who can approve requests!

• 39. CertificateSigningRequest API
  ● The cluster must be set up to serve the certificates API
  ● Default signer implementation in the controller manager
    ○ Pass the CA's keypair to the controller manager with --cluster-signing-cert-file and --cluster-signing-key-file

• 40. CertificateSigningRequest API
  cat <<EOF | cfssl genkey - | cfssljson -bare server
  {
    "hosts": [
      "my-svc.my-namespace.svc.cluster.local",
      "my-pod.my-namespace.pod.cluster.local",
      "192.0.2.24",
      "10.0.34.2"
    ],
    "CN": "my-pod.my-namespace.pod.cluster.local",
    "key": {
      "algo": "ecdsa",
      "size": 256
    }
  }
  EOF
  2017/03/21 06:48:17 [INFO] generate received request
  2017/03/21 06:48:17 [INFO] received CSR
  2017/03/21 06:48:17 [INFO] generating key: ecdsa-256
  2017/03/21 06:48:17 [INFO] encoded CSR

• 41. CertificateSigningRequest API
  ● Generates 2 files
    ○ The actual request (server.csr)
    ○ The private key that will pair with the final certificate (server-key.pem)
  kubectl get csr
  NAME                  AGE   REQUESTOR              CONDITION
  my-svc.my-namespace   10m   yourname@example.com   Pending
  kubectl certificate approve my-svc.my-namespace
  ● Download to server.crt
  kubectl get csr my-svc.my-namespace -o jsonpath='{.status.certificate}' | base64 --decode > server.crt
  ● Use server.crt and server-key.pem as the keypair for an HTTPS server
• 42. Even pod spreading across failure domains

• 43. Even pod spreading across failure domains
  ● Affinity = infinite
  ● Anti-affinity = 1
  apiVersion: v1
  kind: Pod
  metadata:
    name: mypod
  spec:
    topologySpreadConstraints:
    - maxSkew: <integer>
      topologyKey: <string>
      whenUnsatisfiable: <string>
      labelSelector: <object>

• 44. Even pod spreading across failure domains
  ● Default policy (alpha)
  apiVersion: kubescheduler.config.k8s.io/v1alpha2
  kind: KubeSchedulerConfiguration
  profiles:
  - pluginConfig:
    - name: PodTopologySpread
      args:
        defaultConstraints:
        - maxSkew: 1
          topologyKey: failure-domain.beta.kubernetes.io/zone
          whenUnsatisfiable: ScheduleAnyway
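What maxSkew, topologyKey, whenUnsatisfiable and labelSelector on slide 43 actually decide is easiest to see by running the filter and score steps by hand. The Python below is an added example, not scheduler code: over a constructed cluster (four nodes in three zones, three `app=web` pods already placed) it computes the skew each candidate node would produce and applies a hard (DoNotSchedule) or soft (ScheduleAnyway) constraint of the shape the slide shows. It assumes every node carries the topology key and models matchLabels only.

```python
from collections import Counter
from typing import Dict, List

ZONE_KEY = "failure-domain.beta.kubernetes.io/zone"  # the topologyKey used on slide 44

# Constructed cluster state: node labels and the pods already running.
NODES: Dict[str, Dict[str, str]] = {
    "node-a": {ZONE_KEY: "zone-a"},
    "node-b": {ZONE_KEY: "zone-a"},
    "node-c": {ZONE_KEY: "zone-b"},
    "node-d": {ZONE_KEY: "zone-c"},
}
PODS: List[dict] = [
    {"labels": {"app": "web"}, "node": "node-a"},
    {"labels": {"app": "web"}, "node": "node-b"},
    {"labels": {"app": "web"}, "node": "node-c"},
    {"labels": {"app": "db"}, "node": "node-d"},
]
# A constraint in the shape shown on slide 43, with the hard setting.
WEB_CONSTRAINT = {
    "maxSkew": 1,
    "topologyKey": ZONE_KEY,
    "whenUnsatisfiable": "DoNotSchedule",
    "labelSelector": {"matchLabels": {"app": "web"}},
}


def selector_matches(labels: Dict[str, str], selector: dict) -> bool:
    """matchLabels only; matchExpressions are not modelled here."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def matching_pods_per_domain(nodes: dict, pods: List[dict], constraint: dict) -> Counter:
    """Matching pods in every topology domain. A domain that has nodes but no
    matching pods counts as 0, which is what pulls new pods into an empty zone."""
    key = constraint["topologyKey"]
    counts = Counter({labels[key]: 0 for labels in nodes.values() if key in labels})
    for pod in pods:
        domain = nodes[pod["node"]].get(key)
        if domain is not None and selector_matches(pod["labels"], constraint["labelSelector"]):
            counts[domain] += 1
    return counts


def skew_after_placement(nodes: dict, pods: List[dict], constraint: dict, node: str) -> int:
    """Skew the constraint would see with the new pod on `node`: matching pods in
    that node's domain (including the new pod) minus the smallest count in any domain."""
    counts = matching_pods_per_domain(nodes, pods, constraint)
    domain = nodes[node][constraint["topologyKey"]]
    return counts[domain] + 1 - min(counts.values())


def feasible_nodes(nodes: dict, pods: List[dict], constraint: dict, new_pod_labels: Dict[str, str]) -> List[str]:
    """Filter step. A constraint applies only to pods its own selector matches.
    DoNotSchedule rejects nodes whose resulting skew exceeds maxSkew;
    ScheduleAnyway keeps every node and leaves the skew to scoring."""
    if not selector_matches(new_pod_labels, constraint["labelSelector"]):
        return sorted(nodes)
    candidates = [n for n, labels in nodes.items() if constraint["topologyKey"] in labels]
    if constraint["whenUnsatisfiable"] == "ScheduleAnyway":
        return sorted(candidates)
    return sorted(n for n in candidates
                  if skew_after_placement(nodes, pods, constraint, n) <= constraint["maxSkew"])


def rank_nodes(nodes: dict, pods: List[dict], constraint: dict, new_pod_labels: Dict[str, str]) -> List[str]:
    """Score step: feasible nodes ordered by the skew they would produce, lowest first."""
    feasible = feasible_nodes(nodes, pods, constraint, new_pod_labels)
    if not selector_matches(new_pod_labels, constraint["labelSelector"]):
        return feasible
    return sorted(feasible, key=lambda n: (skew_after_placement(nodes, pods, constraint, n), n))


if __name__ == "__main__":
    web = {"app": "web"}
    print("per-zone counts:", dict(matching_pods_per_domain(NODES, PODS, WEB_CONSTRAINT)))
    print("feasible with maxSkew=1:", feasible_nodes(NODES, PODS, WEB_CONSTRAINT, web))
    soft = dict(WEB_CONSTRAINT, whenUnsatisfiable="ScheduleAnyway")
    print("ranked with ScheduleAnyway:", rank_nodes(NODES, PODS, soft, web))
```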
  • 46. 46 apiVersion: v1 kind: Pod metadata: labels: test: liveness name: liveness-exec spec: containers: - name: liveness image: k8s.gcr.io/busybox args: - /bin/sh - -c - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600 livenessProbe: exec: command: - cat - /tmp/healthy initialDelaySeconds: 5 periodSeconds: 5 Add pod-startup liveness-probe holdoff for slow-starting pods
  • 48. 48 ● Create a K8s node on Windows ● Run Windows-based containers ○ For Windows containers get Windows Server 2019 license (or higher) ● Control plane still runs on Linux Kubeadm for Windows
50
New Endpoint API
● Services with more than 100 endpoints are split across multiple EndpointSlices
● EndpointSliceProxying feature gate (alpha): kube-proxy reads EndpointSlices instead of Endpoints
● Intended to replace the v1 Endpoints API
52
Node Topology Manager
● For performance- and latency-sensitive workloads
● Coordinates the CPU Manager and the Device Manager so a container's CPUs and devices come from the same NUMA node
● Hint providers
● Four supported policies (--topology-manager-policy)
  ○ none (default)
  ○ best-effort
  ○ restricted
  ○ single-numa-node
● none performs no alignment at all; the other three query the hint providers for each container, and what can be aligned depends on the pod's QoS class (following slides)
53
Node Topology Manager
● requests < limits
● Burstable QoS class
spec:
  containers:
  - name: nginx
    image: nginx
    resources:
      limits:
        memory: "200Mi"
      requests:
        memory: "100Mi"
54
Node Topology Manager
● requests == limits for every resource, including cpu and memory
● Guaranteed QoS class
spec:
  containers:
  - name: nginx
    image: nginx
    resources:
      limits:
        memory: "200Mi"
        cpu: "2"
        example.com/device: "1"
      requests:
        memory: "200Mi"
        cpu: "2"
        example.com/device: "1"
55
Node Topology Manager
● Only extended resources; no cpu or memory requests
● BestEffort QoS class (extended resources do not count toward the QoS class)
spec:
  containers:
  - name: nginx
    image: nginx
    resources:
      limits:
        example.com/deviceA: "1"
        example.com/deviceB: "1"
      requests:
        example.com/deviceA: "1"
        example.com/deviceB: "1"
56
Node Topology Manager
● Limitations for Non-Uniform Memory Access
● Max NUMA nodes = 8
  ○ state explosion beyond that
● Scheduler is not topology-aware
  ○ A pod can pass scheduling and still be rejected by the kubelet on admission
● Only the Device Manager and the CPU Manager implement Topology Manager's HintProvider interface
  ○ Memory and hugepages are not considered
58
IPv6 support added
● Feature parity with IPv4
● kubeadm uses the default gateway's network interface
  ○ as the advertise address for the API server
  ○ Specify kubeadm init --apiserver-advertise-address=<ip-address> to change it
  ○ For example --apiserver-advertise-address=fd00::101
59
Pod overhead: account resources tied to the pod sandbox, but not specific containers
60
Pod Overhead: account resources tied to the pod sandbox, but not specific containers
kind: RuntimeClass
apiVersion: node.k8s.io/v1beta1
metadata:
  name: kata-fc
handler: kata-fc
overhead:
  podFixed:
    memory: "120Mi"
    cpu: "250m"
...
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  runtimeClassName: kata-fc
  containers:
  - name: busybox-ctr
    image: busybox
    stdin: true
    tty: true
    resources:
      limits:
        cpu: 500m
        memory: 100Mi
  - name: nginx-ctr
    image: nginx
    resources:
      limits:
        cpu: 1500m
        memory: 100Mi
● The scheduler and ResourceQuota see this pod as the containers plus the overhead: 2250m cpu and 320Mi memory (requests default to the limits when only limits are set)
62
Adding AppProtocol to Services and Endpoints
● AppProtocol
● Optional field on
  ○ Endpoints
  ○ EndpointSlice
  ○ Service
    ■ alongside the existing transport protocol field (UDP, TCP, SCTP)
63
Adding AppProtocol to Services and Endpoints
● Names the application-layer protocol on the port, for example
  ○ postgresql
  ○ https
  ○ mysql
● Un-prefixed names are reserved for IANA service names; non-standard protocols use a prefixed name such as mycompany.com/my-custom-protocol
64
Alpha
Disabled by default, may change in the future
66
Skip Volume Ownership Change
● By default the kubelet recursively changes the ownership and permissions of a volume to match the pod's fsGroup on every mount
● For large volumes this can be slow
● fsGroupChangePolicy on the pod securityContext lets you skip the walk when the volume root already matches
● No effect on ephemeral volumes
  ○ secret
  ○ configMap
  ○ ephemeral
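The field the slide refers to is securityContext.fsGroupChangePolicy, behind the ConfigurableFSGroupPolicy feature gate in 1.18. The manifest below is an added example, not from the deck; the PVC name, the user and group IDs and the pod name are assumptions, and the default setting is shown in the comments next to the one being enabled.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: fsgroup-policy-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
    # Always (the default, and the only behaviour before 1.18): on every mount the
    # kubelet walks the whole volume and chowns/chmods it for fsGroup 2000.
    # OnRootMismatch: it does that walk only if the volume's root directory does
    # not already carry the expected group and permission bits.
    fsGroupChangePolicy: "OnRootMismatch"
  containers:
  - name: app
    image: busybox
    # Shows the effective group and the ownership the kubelet left on the data.
    command: ["sh", "-c", "id; ls -ln /data; sleep 3600"]
    volumeMounts:
    - name: data
      mountPath: /data
  volumes:
  - name: data
    persistentVolumeClaim:
      claimName: data-pvc   # assumed to exist; any fsGroup-capable volume type works
```

The caveat is in the name: only the root directory is inspected. Files deeper in a volume that were created under a different group (a previous pod with another fsGroup, or a backup restored out of band) keep their ownership until something changes the root, so if the application relies on group-based access to every file, keep Always. The policy never grants more than Always would; it only decides whether the kubelet does the work.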
68
Configurable scale velocity for HPA
● Horizontal Pod Autoscaler
● Scale-down uses the highest recommendation seen during the stabilization window
● Configure with
  ○ --horizontal-pod-autoscaler-downscale-stabilization (controller-manager flag, cluster-wide)
  ○ behavior.scaleDown.stabilizationWindowSeconds (per HPA)
● periodSeconds on each policy
  ○ The look-back window over which that policy's limit applies (for example, at most 4 pods per 60 seconds)
69
Configurable scale velocity for HPA
● Create defaults
behavior:
  scaleDown:
    stabilizationWindowSeconds: 300
    policies:
    - type: Percent
      value: 100
      periodSeconds: 15
  scaleUp:
    stabilizationWindowSeconds: 0
    policies:
    - type: Percent
      value: 100
      periodSeconds: 15
    - type: Pods
      value: 4
      periodSeconds: 15
    selectPolicy: Max
70
Configurable scale velocity for HPA
● Limit scale down:
behavior:
  scaleDown:
    policies:
    - type: Percent
      value: 10
      periodSeconds: 60
    - type: Pods
      value: 5
      periodSeconds: 60
    selectPolicy: Max
71
Configurable scale velocity for HPA
behavior:
  scaleDown:
    policies:
    - type: Pods
      value: 4
      periodSeconds: 60
    - type: Percent
      value: 10
      periodSeconds: 60
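What the policies on slides 69 to 71 permit is easier to see by running the selection rule than by reading it. The Go program below is an added example, not the HPA controller's code, although it follows the same arithmetic: Percent proposals are rounded up, every policy is measured against the replica count at the start of its own periodSeconds window, selectPolicy Max keeps the proposal that moves the most replicas and Min the one that moves the fewest, and a limit that would move past the current count means that policy's budget for the period is already spent. The replica counts and the past scale events are constructed.

```go
package main

import (
	"fmt"
	"math"
)

// Policy and Rules mirror behavior.scaleUp / behavior.scaleDown of the HPA v2beta2 API.
type Policy struct {
	Type          string // "Pods" or "Percent"
	Value         int
	PeriodSeconds int
}

type Rules struct {
	Policies     []Policy
	SelectPolicy string // "Max" (the default when empty), "Min" or "Disabled"
}

// ScaleEvent is a replica change the HPA already made in the same direction:
// how many seconds ago, and by how many replicas.
type ScaleEvent struct {
	AgeSeconds int
	Replicas   int
}

func changedWithin(period int, events []ScaleEvent) int {
	n := 0
	for _, e := range events {
		if e.AgeSeconds < period {
			n += e.Replicas
		}
	}
	return n
}

// propose applies one policy to the replica count at the start of its period.
// dir is -1 for scale-down and +1 for scale-up; Percent rounds up so a small
// deployment can still change by at least one replica.
func propose(p Policy, start, dir int) int {
	if p.Type == "Pods" {
		return start + dir*p.Value
	}
	return int(math.Ceil(float64(start) * (1 + float64(dir)*float64(p.Value)/100)))
}

// pick applies selectPolicy: "Max" keeps the proposal that changes the most
// replicas, "Min" the one that changes the fewest; down says which direction
// counts as "more".
func pick(r Rules, current int, down bool, proposals []int) int {
	if r.SelectPolicy == "Disabled" || len(proposals) == 0 {
		return current
	}
	best := proposals[0]
	for _, p := range proposals[1:] {
		more := p > best
		if down {
			more = p < best
		}
		if more != (r.SelectPolicy == "Min") {
			best = p
		}
	}
	return best
}

// ScaleDownLimit is the lowest replica count the scaleDown rules allow right now.
func ScaleDownLimit(current int, r Rules, removed []ScaleEvent) int {
	var proposals []int
	for _, p := range r.Policies {
		proposals = append(proposals, propose(p, current+changedWithin(p.PeriodSeconds, removed), -1))
	}
	limit := pick(r, current, true, proposals)
	if limit > current { // this period's budget is already used up: no further scale-down
		limit = current
	}
	if limit < 0 {
		limit = 0
	}
	return limit
}

// ScaleUpLimit is the highest replica count the scaleUp rules allow right now.
func ScaleUpLimit(current int, r Rules, added []ScaleEvent) int {
	var proposals []int
	for _, p := range r.Policies {
		proposals = append(proposals, propose(p, current-changedWithin(p.PeriodSeconds, added), +1))
	}
	limit := pick(r, current, false, proposals)
	if limit < current { // budget spent: no further scale-up this period
		limit = current
	}
	return limit
}

func main() {
	// Slide 70's rules: 10 % per minute or 5 pods per minute, selectPolicy Max.
	down := Rules{Policies: []Policy{{"Percent", 10, 60}, {"Pods", 5, 60}}, SelectPolicy: "Max"}
	fmt.Println("100 replicas, Max:", ScaleDownLimit(100, down, nil)) // 90: the 10 % policy allows more
	down.SelectPolicy = "Min"
	fmt.Println("100 replicas, Min:", ScaleDownLimit(100, down, nil)) // 95: the 5-pod policy caps it
	// 10 replicas were already removed 30 s ago (constructed event), so only one more fits the 10 % budget.
	down.SelectPolicy = "Max"
	fmt.Println("after a recent removal:", ScaleDownLimit(100, down, []ScaleEvent{{30, 10}}))
}
```

The point for slide 70: with selectPolicy Max the two policies describe the largest step either of them allows (10 % above 50 replicas, 5 pods below), so a deployment of 100 can lose 10 pods per minute. If the intent is "never more than 5 pods per minute", the selector has to be Min.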
72
Provide OIDC discovery for service account token issuer
73
Provide OIDC discovery for service account token issuer
● Enables federation: other clusters and external systems can validate projected service account tokens without sharing the signing key
● The cluster acts as identity provider --> relying parties
● Serves /.well-known/openid-configuration and /openid/v1/jwks; must be OIDC compliant
● system:service-account-issuer-discovery ClusterRole
  ○ No role bindings included
  ○ The admin binds it to system:authenticated or system:unauthenticated (the latter is what external relying parties need, and it makes the discovery documents public)
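What a relying party does with those two endpoints, as an added example that is not code from the deck or from Kubernetes: fetch the JWKS the issuer publishes, pick the key named by the token's kid, verify the RS256 signature, then check iss, aud and exp. Because no cluster is available here, the program also mints a token with a locally generated key in place of the API server and publishes the matching JWKS; the issuer URL, audience, subject and kid are constructed. The header algorithm is pinned rather than trusted, which is the check that stops alg=none and key-confusion tokens.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// issuerKey stands in for the API server's service-account signing key (constructed for the example).
var issuerKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// JWKSFor publishes a public key in the shape served at <issuer>/openid/v1/jwks.
func JWKSFor(kid string, pub *rsa.PublicKey) []byte {
	key := map[string]string{"kty": "RSA", "kid": kid, "n": b64(pub.N.Bytes()), "e": b64(big.NewInt(int64(pub.E)).Bytes())}
	doc, _ := json.Marshal(map[string]interface{}{"keys": []map[string]string{key}})
	return doc
}

// SignToken mints an RS256 JWT as the API server does for projected service
// account tokens; it is here only so the example runs offline.
func SignToken(kid string, priv *rsa.PrivateKey, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64(hdr) + "." + b64(body)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + b64(sig)
}

// VerifyToken is the relying-party side: pin the algorithm, look the key up by kid
// in the issuer's JWKS, verify the signature, then check iss, aud and exp.
func VerifyToken(token string, jwksDoc []byte, issuer, audience string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		// Never let the token choose the algorithm ("none", HS256 key confusion).
		return nil, fmt.Errorf("bad header or unsupported alg %q", hdr.Alg)
	}
	var keys map[string][]map[string]string
	if err := json.Unmarshal(jwksDoc, &keys); err != nil {
		return nil, err
	}
	var pub *rsa.PublicKey
	for _, k := range keys["keys"] {
		n, err1 := base64.RawURLEncoding.DecodeString(k["n"])
		e, err2 := base64.RawURLEncoding.DecodeString(k["e"])
		if k["kid"] == hdr.Kid && k["kty"] == "RSA" && err1 == nil && err2 == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in JWKS", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, fmt.Errorf("signature invalid")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims map[string]interface{}
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, fmt.Errorf("bad claims")
	}
	exp, _ := claims["exp"].(float64) // a missing exp decodes as 0 and is rejected
	if claims["iss"] != issuer || !hasAudience(claims["aud"], audience) || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("claims rejected: iss=%v aud=%v exp=%v", claims["iss"], claims["aud"], claims["exp"])
	}
	return claims, nil
}

// hasAudience checks the array form of aud, which is what Kubernetes emits.
func hasAudience(aud interface{}, want string) bool {
	list, _ := aud.([]interface{})
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

func main() {
	now := time.Now()
	claims := map[string]interface{}{"iss": "https://k8s.example.com", "sub": "system:serviceaccount:default:app", "aud": []string{"vault"}, "exp": now.Add(time.Hour).Unix()}
	got, err := VerifyToken(SignToken("key-1", issuerKey, claims), JWKSFor("key-1", &issuerKey.PublicKey), "https://k8s.example.com", "vault", now)
	fmt.Println(got["sub"], err)
}
```

In a real relying party the JWKS comes from the jwks_uri in the issuer's /.well-known/openid-configuration, fetched over TLS and cached with the issuer URL pinned in configuration; the audience check is what keeps a token minted for one system from being replayed against another, so request tokens with a specific audience rather than accepting the cluster default.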
75
Immutable Secrets and ConfigMaps
● Set per object (immutable: true)
● Prevents changes to the object's data
● Can't be un-set: to change the data, delete the object and recreate it
77
Kubectl debug
● For containers built without a shell or debugging tools (distroless images)
● Injects an ephemeral debugging container into the running pod; --target shares the process namespace of that container
kubectl alpha debug -it ephemeral-demo --image=busybox --target=ephemeral-demo
Defaulting debug container name to debugger-8xzrl.
If you don't see a command prompt, try pressing enter.
/ #
79
Run multiple Scheduling Profiles
● Policies vs Profiles
● Policies (the existing mechanism)
  ○ Filter (PodFitsHostPorts, CheckNodeMemoryPressure)
  ○ Scoring (SelectorSpreadPriority, ImageLocalityPriority)
80
Run multiple Scheduling Profiles
● Profiles
  ○ Built from plugins
  ○ Plugins can be enabled, disabled, reordered
  ○ Per extension point (e.g. QueueSort, Permit, Unreserve)
    ■ All profiles must use the same QueueSort plugin, since there is only one pending-pods queue
  ○ For example: NodePreferAvoidPods, VolumeRestrictions, PrioritySort
● A pod requests a specific profile through its .spec.schedulerName field
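A configuration with two profiles in one scheduler, as an added example (not from the deck): the stock profile plus one that keeps all filtering but disables every scoring plugin, selected by a pod through schedulerName. The profile and pod names are assumptions; the '*' wildcard disables all plugins at that extension point.

```yaml
apiVersion: kubescheduler.config.k8s.io/v1alpha2
kind: KubeSchedulerConfiguration
profiles:
  # Stock behaviour: pods with no schedulerName, or "default-scheduler", land here.
  - schedulerName: default-scheduler
  # Same binary, same queue (so the same QueueSort plugin), but no scoring:
  # placement among feasible nodes is effectively first-fit.
  - schedulerName: no-scoring-scheduler
    plugins:
      preScore:
        disabled:
          - name: '*'
      score:
        disabled:
          - name: '*'
---
apiVersion: v1
kind: Pod
metadata:
  name: batch-job-pod
spec:
  schedulerName: no-scoring-scheduler   # selects the second profile
  containers:
  - name: worker
    image: busybox
    command: ["sleep", "3600"]
```

Filters still apply in the second profile, so node affinity, taints and resource fit are respected; only the ranking among nodes that pass is switched off.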
82
Generic data populators
● Populate a new PVC from a custom resource referenced in its dataSource
● A populator controller for that resource must be installed
● Source and PVC must be in the same namespace
● Dynamic provisioners must support that resource
● Write your own populator
  ○ Create the PV
  ○ Bind it to the PVC
84
Extending the HugePage feature
● Not supported on Windows
● Pages must be pre-allocated on the node
● requests == limits
● Isolated at the container level
● Each container gets its own hugepage limit in its cgroup, per the spec
● Control via ResourceQuota (like cpu or memory, using the hugepages-<size> token)
● Multiple page sizes per pod
85
Extending the HugePage feature
apiVersion: v1
kind: Pod
metadata:
  name: huge-pages-example
spec:
  volumes:
  - name: hugepage-2mi
    emptyDir:
      medium: HugePages-2Mi
  - name: hugepage-1gi
    emptyDir:
      medium: HugePages-1Gi
  ...
  containers:
  - name: example
    image: fedora:latest
    command:
    - sleep
    - inf
    volumeMounts:
    - mountPath: /hugepages-2Mi
      name: hugepage-2mi
    - mountPath: /hugepages-1Gi
      name: hugepage-1gi
    resources:
      limits:
        hugepages-2Mi: 100Mi
        hugepages-1Gi: 2Gi
        memory: 100Mi
      requests:
        memory: 100Mi
87
Mirantis Training - Kubernetes
training.mirantis.com
Webinar attendees! Get 15% off Mirantis training! Use coupon code: WEBMIR2020
● Kubernetes & Docker Bootcamp I (KD100): Learn Docker and Kubernetes to deploy, run, and manage containerized applications. 2 days
● Kubernetes & Docker Bootcamp II (KD200): Advanced training for Kubernetes professionals, preparation for the CKA exam. 3 days
● Accelerated Kubernetes & Docker Bootcamp (KD250): Most popular course! A combination of KD100 & KD200 at an accelerated pace, preps for the CKA exam. 4 days
● Kubernetes in Production Bootcamp (KP300), in development: Advanced training focused on production-grade architecture, operational best practices, and cluster management. 2 days
88
Thank You! Q&A
Download the slides: bit.ly/k8s-1-18_slides
We'll send you the slides & recording later this week.