Platform as a Service with Kubernetes and Mesos


Transcript of Platform as a Service with Kubernetes and Mesos

Page 1: Platform as a Service with Kubernetes and Mesos

Platform as a Service

Kubernetes/Mesos + Openstack

Miguel Zuniga about.me/miguelzuniga Freenode miguelzuniga


Agenda

• Design your Platform

• Architecture

• Managing Resources

• Managing Containers

• High Availability

• Security

• Design your Platform Services

• Rolling out new services

• Questions


Copyright © 2014 Symantec Corporation 3


Design your Platform

• Who will be your users/customers?

  – Developers / Architects / Ops

  – Customers

• Identify workloads and applications

  – CPU / Memory / IO

  – Stateful or Stateless

• How secure do you need to be?

  – Multi-tenant

  – Network Isolation

• Multi Cloud? Multi Datacenter? Hybrid?


Architecture


Architecture – Mesos + Openstack


Architecture – Kubernetes + Openstack


Architecture – Kubernetes/Mesos + Openstack


Managing your Resources

• Resource management is done by the Mesos framework.

• All the Kubernetes components run as Marathon tasks.

• All the pods/containers are run as Mesos tasks.

• Mesos can manage either VMs or physical servers.


Managing your Containers

• Kubernetes takes care of Pod / Replica and Service Orchestration.

• Each pod and its respective containers are created by the Mesos KM executor.

• Users can interact with Kubernetes either by CLI or API.

• Kubernetes keeps the containers managed by replica controllers running at all times.


High Availability

Mesos Kubernetes Kubernetes / Mesos

• Use Marathon to keep containers up and running

• Requires external LB (hardware or software) to balance across containers.

• HA for Kubernetes components is out of scope.

• Replica controllers to keep pods and containers up and running

• Kube Proxy takes care of load balancing

• HA for Kubernetes components is managed by Mesos and Marathon.

• HA for pods is handled by replicas.

• Load balancing can be done with an external LB (e.g. haproxy) or kube-proxy.


Security

• Network security is provided by SDN isolation.

• Provision a Mesos-Kubernetes cluster per project or user.

• Run Docker with SELinux enabled (RHEL based).

• Enable an iptables DROP policy by default on each Mesos slave.
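
As an added example (not part of the original slides): a bash audit helper for the two host-level controls on this slide, a default-DROP iptables policy and Docker running with SELinux. The function names, the choice of the INPUT and FORWARD chains, and the sample rule sets (including the 10.0.0.10 master address and the port 5051 allow rule) are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a Mesos slave for default-DROP iptables and SELinux + Docker.

# Reads `iptables -S` output on stdin and prints every chain named in "$@"
# whose default policy is not DROP. A chain with no -P line at all (for
# example because iptables produced no output) is reported too.
chains_not_drop() {
  awk -v want="$*" '
    BEGIN { n = split(want, w, " ") }
    $1 == "-P" { policy[$2] = $3 }
    END { for (i = 1; i <= n; i++) if (policy[w[i]] != "DROP") print w[i] }'
}

# $1: output of `getenforce`
# $2: output of `docker info --format "{{.SecurityOptions}}"`
docker_selinux_ok() {
  [ "$1" = "Enforcing" ] || return 1
  case "$2" in *name=selinux*) return 0 ;; esac
  return 1
}

# Prints one FAIL line per finding; returns non-zero if any check failed.
# $1: `iptables -S` text, $2 and $3: as for docker_selinux_ok.
audit_slave() {
  local rc=0 chain
  for chain in $(printf '%s\n' "$1" | chains_not_drop INPUT FORWARD); do
    echo "FAIL iptables: default policy on $chain is not DROP"; rc=1
  done
  docker_selinux_ok "$2" "$3" ||
    { echo "FAIL selinux: not enforcing, or Docker lacks the selinux option"; rc=1; }
  return $rc
}

# Constructed sample inputs (not captured from a real host).
HARDENED_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.10/32 -p tcp -m tcp --dport 5051 -j ACCEPT'
DEFAULT_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

audit_slave "$HARDENED_RULES" Enforcing '[name=seccomp,profile=default name=selinux]' \
  && echo "PASS hardened sample"
audit_slave "$DEFAULT_RULES" Permissive '[name=seccomp,profile=default]' || true
```

On a live slave the same check is `audit_slave "$(iptables -S)" "$(getenforce)" "$(docker info --format '{{.SecurityOptions}}')"`, run as root.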


Design your Platform Services

• Think of cattle.

• Think of processes not VMs.

• VM or Container?

• Complexity of access… Too many jumps?

• You have Marathon… Use it.

• Use a private docker registry.

• Microservices? What is that?

• Your PaaS, even when it is generic enough, is not a silver bullet.


Rolling out new services

• Use a private Docker registry to track the container images required for each application/process stack.

• Create a level of abstraction (UI) that is easy for your users to use.

• Manage clustered services with Marathon.

• Remember containers are processes… not condensed VMs.

• Use CI/CD to create new versions of your containers.

• OSS – Continuous + Strategos


Links and References

• Continuous http://github.com/symantec/continuous

• Strategos available June 30 http://strategos.io

• Kubernetes http://kubernetes.io

• Mesos http://mesos.apache.org/

• Marathon https://mesosphere.github.io/marathon/


Thank you!

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Miguel Zuniga Twitter @mikezuniga Freenode miguelzuniga Google plus +MiguelZuniga


Questions?