Skip to main content
  1. Posts/

Lessons from Kubecon/CloudNativeCon 2018 Europe

··835 words·4 mins
Author
Hairizuan Noorazman
Software engineering experiments, implementation notes, and lessons learned.

The following set of summaries are from the Kubecon and Cloud Native Con Europe in Denmark from 2-4 May 2018.

These summaries are from conference talks that I thought provided more interesting thinking points.

The videos for the conference can be found here:
https://www.youtube.com/watch?v=OUYTNywPk-s&list=PLj6h78yzYM2N8GdbjmhVU65KYm_68qBmo

Below are some of the talks that I found quite interesting (just my own preference)
I took some of my personal notes so that I don’t need to rewatch the videos once more just to get the main point the video seem to talk about.

Anatomy of a Production Kubernetes Outage
#

Cloud Native Landscape Intro
#

Accelerating Kubernetes Native Applications
#

Kubernetes Project Update
#

  • Security
    • Network Policy
    • Encrypted Secrets
    • RBAC
    • TLS Cert Rotation
    • Pod Security Policy
    • Threat Detection (Not really part of Kubernetes - GKE Cloud Security Command Centre)
    • Sandbox Applications (Providing a tiny kernel for the container - gVisor)
  • Applications
    • Batch Applications
    • Workload Controllers, Local Storage
    • GPU access
    • Container Storage Interface
    • (Mention about a Spark operator - a software which manages the running of a Spark cluster)
    • Stackdriver. Integrates deeply with Prometheus
  • Developer Experience
    • Skaffold (Allows debug tool to be attached allowing interactive debugging with custom deployments)

The Challenges of Migrating 150+ microservices
#

  • Tools out there kind of follow the same cycle: Genesis -> Custom Built solutions -> Product Offering -> Commodity.
  • Chart from here: https://medium.com/wardleymaps/anticipation-89692e9b0ced
  • Link to whole blog post: https://medium.com/wardleymaps
  • When companies are big, moving and innovating becomes expensive (its not a technology problem but more of a human, community, company problem). So essentially, one can consider this as innovation tokens; tokens that should only be spent wisely, else failure would be result.
  • Choose boring technology. http://mcfunley.com/choose-boring-technology
  • One way to reduce risk is to run the applications on 2 parallel stacks but it is very expensive in terms of complexity and human effort. When doing this, one needs note of the costs of doing this kind of test
  • Such tests have an impact on cost - might be good to rope in the people with this on the test being run, the hypothesis of what that should be happening and the benefits that the company will have

Container-Native dev and ops experience
#

Container Native observability & security from Google Cloud
#

Continuously Deliver your Kubernetes Infrastructure
#

  • Philosophy for setting kubernetes clusters
    • No pet clusters (No special custom configuration for 80 clusters)
    • Always provide the latest stable Kubernetes version
    • Continuous and non-disruptive cluster updates
    • “Fully” automated operations (Able to redeploy by just doing PRs)
  • Cluster setup
    • Provision in AWS via cloud formation
    • Etcd stack outside Kubernetes
    • Container Linux
    • Multi-AZ worker nodes
    • HA control plane setup behind ELB
    • Cluster configuration in git
    • e2e test on Jenkins
  • Cluster registry
    • List of clusters available of access
  • https://github.com/zalando-incubator/kubernetes-on-aws
  • https://github.com/zalando-incubator/cluster-lifecycle-manager
  • Multiple “channels” of Kubernetes
    • Cluster upgrade moves from dev, alpha, beta clusters
    • dev (Cluster to play around with)
    • alpha (Main infrastructure cluster that is used by infrastructure team for testing)
    • beta (Main cluster rest of org uses)
    • Has e2e tests
    • Conformance tests (https://github.com/cncf/k8s-conformance)
    • Statefulset tests (Test attachment volumes - testing to use redis cluster?)
    • Has monitoring on each cluster to ensure behaviour
    • https://github.com/mikkeloscar/kubernetes-e2e
  • Hints for running e2e tests
    • Run with flake attempts=2. Some tests can fail due to autoscaling
    • Update e2e images with each release of Kubernetes
    • Disable broken e2e tests with -skip parameter
    • Remove completed pods from kube-system to make room for other pods of testing to enter (To save money)

Related

Trying out skaffold

··497 words·3 mins
When developing application that are meant to be deployed to the Kubernetes platform, it involves a bunch of steps on top of your usual local development work: Writing a Dockerfile to package the application (Multi stage applications are optional here - useful for compiled based languages) Build and tagging the docker image of the application with the target repository Either use kubectl commands or use kubernetes config resource files to define the resources required for deploying the applications. Use those commands/configurations to define the resources on the staging/production application Repeat the process for each update of the application (Repeat second point onwards) As you see from above, it starts to be pain to do so after each iteration of the application development. The building of the docker containers process as well as the applying of the new images to each cluster, (sometimes with slightly changed configuration files) - the kubernetes secret and config files can change across different environments.

Lessons from Gophercon SG

··686 words·4 mins
This is the list of talks provided in the reccent Gophercon Conference held in Singapore on 4th May 2018 Go with Versions Project-driven journey to learning Go Resilency in Distributed Systems Understanding Running Go Program Go for Grab Optimize for Correctness Build your own distributed database The Scandalous Sotry of Dreadful Code Written by the Best of Us Erlang for Go developers Go and the future of offices Reflections on Trusting Trust for Go The lost art of bondage Below are some of the more interesting points raised during the talk (View the full talk to understand the context on what and why a certain point was raised.)

Building a code assessment tool but in Kubernetes

··1933 words·10 mins
Container based security measures Smaller images for code execution platform Not running the container as root Kubernetes related Run the deployment in different namespace Setting up a new Service account in kubernetes Ensuring service account token is not mounted in potentially vulnerable pods Ensuring that the container is started with non-root access Ensuring resource limits are set Set security context Setting network policy Using a stricter seccomp/apparmor profile Tool related Ensure limited logs sniffed Ensure that there is a time limit of code executions Future efforts I had previously attempted to build a code assessment tool in docker. That involves doing the following: