Tectonic Summit 2016: Brandon Philips, CTO of CoreOS, Keynote


Brandon Philips@brandonphilips | brandon.philips@coreos.com | coreos.com

Good Morning!

Experts at Every Layer of the Stack

Linux

Container Engines & Runtime Specs

Image Specs, Build, & Hosting

Clustered Database

Cloud Independence & Lifecycle

Identity & Federation


The shared foundation of this ecosystem is the container

And CoreOS is ensuring that the shared foundation is built on standards

Open Container Initiative

● June 2015: OCI Announced

● April 2016: OCI Image Spec Added

● July 2016: OCI 1.0 RC-1

● July 2016: rkt OCI support

● Q1 2017: OCI 1.0

● Q2 2017: Quay, Kubernetes, etc

Create developer collaboration

Build interoperating products

Confidence in ecosystem stability

Investment in standards

An update about the pod native container engine

rkt community traction

● Laptop Kubernetes, minikube, can use rkt with a single flag

● BlaBlaCar (Series D, $350m) rkt in prod and moving to Kubernetes

● Container Linux services now run under rkt

● Google GKE using rkt for Kubelet mount management

Roadmap for rkt

● Kubernetes & rkt integration via CRI

● Support all OCI standards as they reach 1.0

● Continue innovation in design and security

Quick Reminder: Pod Basics (diagram): a pod sandbox containing three processes, cache (pid 5), asset fetcher (pid 8) and web server (pid 9).

Quick Reminder: Pod Lifecycle (diagram): a cluster of controller nodes and worker nodes, each running on an EC2 VM.

Quick Reminder: Pod Lifecycle (diagram, animated over four slides): the Kubernetes Scheduler, Kube API and Monitoring Service run on the controller nodes; pod A1 and then pod J2 are scheduled onto the worker nodes.

Container Runtime Interface (diagram, animated over five slides): a pod sandbox runs cache (pid 5), asset fetcher (pid 8) and web server (pid 9). The web server fails its health check and is removed from the sandbox; a new web server (pid 10) is started in the same pod sandbox while cache and asset fetcher keep running.

rkt and CRI will help enable faster innovation in Kubernetes in 2017.


rkt and runc (diagram): the pod sandbox runs the cache, asset fetcher and web server processes, each of them started by its own runc instance.


rkt is the only container engine with both Linux native and VM isolation.


We continue to explore new ideas.

Normal rkt execution (diagram): two pod sandboxes run side by side on the same host; the first holds cache (pid 5), debug agent (pid 8) and web server (pid 9), the second cache (pid 10), debug agent (pid 38) and web server (pid 20).

VM rkt execution (diagram): each pod sandbox runs inside its own virtual machine, and both show cache (pid 5), debug agent (pid 8) and web server (pid 9).

Lifecycle of a process

Normal Execution Path:

bash (uid 1001, pid 8) -> fork(), identical perms -> bash (uid 1001, pid 9) -> exec() setuid binary, elevate perms -> su (uid 0, pid 9) -> exec(), identical perms -> bash (uid 0, pid 9)

Exploit Execution Path:

bash (uid 1001, pid 8) -> fork(), identical perms -> bash (uid 1001, pid 9) -> open() kernel exploit, elevate perms -> bash (uid 0, pid 9)

VM rkt execution with a Privilege Escalation Validator (diagram, animated over several slides): the pod sandbox, holding cache (pid 5), debug agent (pid 8) and web server (pid 9), runs inside a kvm virtual machine, and the Privilege Escalation Validator sits outside the sandbox.

Check 1: Can PID 8 open /proc/9/environ? It is uid 0. Verdict: Yes, valid elevation to uid 0.

A rootkit payload then appears in the pod.

Check 2: Can PID 9 open /etc/shadow? It is uid 0. Verdict: No, invalid transition to uid 0.

Container Terminated
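The validator logic the slides walk through, as an added example that is not CoreOS or rkt code: it records the uid each pid should hold from the fork()/exec() events in the process lifecycle above and flags any syscall observed with a uid that lifecycle never granted. The setuid allowlist, the pids, and the worker pid 12 are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed allowlist of setuid-root binaries whose exec() legitimately elevates to uid 0.
SETUID_ROOT_BINARIES = {"/bin/su", "/usr/bin/sudo"}


@dataclass
class PrivEscValidator:
    """Tracks the uid each pid should hold (from fork/exec) and flags syscalls that violate it."""
    expected_uid: dict = field(default_factory=dict)
    verdicts: list = field(default_factory=list)
    terminated: bool = False

    def start(self, pid, uid):
        self.expected_uid[pid] = uid  # process launched by the pod sandbox with a known uid

    def fork(self, parent_pid, child_pid):
        # fork(): the child inherits the parent's permissions unchanged.
        self.expected_uid[child_pid] = self.expected_uid[parent_pid]

    def exec(self, pid, path):
        # exec(): a setuid-root binary elevates to uid 0; any other binary keeps the uid.
        if path in SETUID_ROOT_BINARIES:
            self.expected_uid[pid] = 0

    def observe(self, pid, observed_uid, syscall, target):
        # A syscall seen from outside the sandbox (at the VM boundary): its uid must equal
        # the uid the recorded lifecycle allows for this pid; an unknown pid is never valid.
        expected = self.expected_uid.get(pid)
        valid = expected is not None and observed_uid == expected
        if not valid:
            self.terminated = True  # invalid uid transition: terminate the container
        self.verdicts.append(f"pid {pid} {syscall}({target}) as uid {observed_uid}: "
                             + ("valid" if valid else f"INVALID, expected uid {expected}"))
        return valid


def run_keynote_scenario():
    """Constructed replay of the checks from the slides; pids and paths as shown there."""
    v = PrivEscValidator()
    v.start(8, 1001)                 # debug agent
    v.start(9, 1001)                 # web server
    v.exec(8, "/bin/su")             # debug agent runs a setuid binary: legitimate uid 0
    v.exec(8, "/bin/bash")           # exec() of a normal binary keeps the elevated uid
    v.fork(9, 12)                    # web server forks a worker that inherits uid 1001
    results = [
        v.observe(8, 0, "open", "/proc/9/environ"),          # Yes, valid elevation to uid 0
        v.observe(12, 1001, "open", "/var/www/index.html"),  # worker acting under its own uid
        v.observe(9, 0, "open", "/etc/shadow"),              # No, invalid transition to uid 0
    ]
    return results, v.terminated
```

The check only works if the fork/exec/syscall events come from a vantage point the pod cannot tamper with, which is why the slides place the validator outside the sandbox at the VM boundary.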

Tectonic will support users with Docker Engine or rkt engine.

End-to-end.

Kubernetes scales. And we have worked end-to-end to make it happen.

Quick Reminder: Kubernetes Architecture

● Clients talk to Kubernetes API server

● API is stateless and horizontally scales

● State from API persisted to etcd DB


etcd Overview

● etcd introduced in 2013 by CoreOS

● Persistent database of Kubernetes

● Auto-leader election for availability


etcd is the foundation of Kubernetes

CoreOS ensures it is scalable, simple, solid

Scaling Milestones of Kubernetes

● June 2015: 100 Nodes, 300 Pods

● March 2016: 1,000 Nodes, 30,000 Pods

● November 2016: 2,000 Nodes, 60,000 Pods

● December 2016: 5,000 Nodes, 150,000 Pods

Consistent Key-Value Database

● Google Chubby

● etcd by CoreOS

● ZooKeeper by Apache

● Consul by Hashicorp

Consistent Key-Value Database, Benchmark

● Google Chubby (closed source)

1. etcd by CoreOS

2. ZooKeeper by Apache

3. Consul by Hashicorp

Memory, key to scalability (chart)

Latency, key to reliability (chart)

etcd delivers consistent latency

Scaling Milestones of Kubernetes (revisited, with the 2017 target)

● March 2016: 1,000 Nodes, 30,000 Pods

● November 2016: 2,000 Nodes, 60,000 Pods

● December 2016: 5,000 Nodes, 150,000 Pods

● 2017: 20,000 Nodes, 600,000 Pods


etcd Operator



etcd is Trusted by 100s of OSS Projects, Including Projects From Teams At Google, Amazon and Microsoft.

Self-driving architecture simplifies Kubernetes.


$ uname -s
minix
$ gcc linux.c

$ uname -s
linux
$ gcc linux.c

Self-Hosted Architecture (diagram, animated over four slides): controller nodes and worker nodes run on EC2 VMs; the Kubernetes Scheduler (KS), Kube API and Monitoring Service (MS) start on the controller nodes while application pods A1 and J2 run on the worker nodes; in the self-hosted layout the scheduler (KS) and monitoring service (MS) appear as scheduled pods alongside A1 and J2.

Toil is the kind of work tied to running a production service that tends to be manual, repetitive, automatable, tactical, devoid of enduring value, and that scales linearly as a service grows.

Self-Driving Removes Toil

But... Failures Still Happen

Self-Driving Monitoring Architecture (diagram, two slides): the Kubernetes Scheduler, Kube API and Monitoring Service run across the controller nodes.

"Self-hosted" is being adopted in the Kubernetes community.

Kubernetes User Identity


OpenID Connect (OIDC) provider with LDAP plugin.

Integrated into upstream Kubernetes.

No external databases, simply use the Kubernetes API.

Default in Tectonic.

CoreOS is ensuring that the shared foundation is built on standards

rkt will help enable faster innovation in Kubernetes in 2017.

Kubernetes scales. And we have worked end-to-end to make it happen.

Self-driving architecture simplifies and removes toil.


THANK YOU!!

@brandonphilips | brandon.philips@coreos.com | coreos.com