
Gaps in the Serverless Mesh: Deployment, Discovery, and Auth


Given at Serverlessconf SF 2018



  1. Gaps in the Serverless Mesh: Deployment, Discovery, and Auth. Ben Kehoe, Cloud Robotics Research Scientist at iRobot, AWS Serverless Hero, @ben11kehoe, 2018-08-01
  2. Deployment (iRobot 2018 | @ben11kehoe)
  3. (diagram slide; no text)
  4. Deployment
     • Red/black imposes requirements on clients
     • Blue/green is the direction providers are headed
     • Existing paradigm:
       • Blue/green controller is part of your component graph
       • Update component graph in-place
       • Controller manages roll-out
  5. What does blue/green deployment look like for a component graph? (i.e., a CloudFormation stack)
  6. Diagram (component graph): A with B1; A with B2
  7. Diagram contrasting "Definition" with "Reality": A with B1 → A with B1 and B2 ("UPDATING") → A with B2 ("DONE")
  8. Diagram, as slide 7, with a controller (Ctrl) in the component graph shifting traffic from B1 to B2
  9. Diagram: API, Function
  10. Diagram: API → function router → function versions v1, v2
  11. Diagram: API router → API versions v1, v2; function router → function versions v1, v2
  12. Diagram as slide 11. Function/code versions must be first-class citizens in infrastructure
  13. Diagram as slide 11, adding a function placeholder and function router
  14. Diagram labels: C1, A, B; C2, A, B; C1, C2, A, B
  15. Diagram labels: D, E1, A; D, E2, A; D, E1, A, E2, ???
  16. Diagram labels: D, E1, A; D, E2, A; D, E1, A, E2, A
  17. Diagram: Function, Role, Policy
  18. Diagram: Function v1/v2, Role v1/v2, Policy v1/v2. Continuity of role may be necessary. Table of outcomes: v1 allow, v1 deny, both allow, both deny / v2 allow, v2 deny, both allow, both deny; remaining cells marked ?
  19. Diagram: Function v1/v2, Role v1/v2, Policy v1/v2. Table of outcomes: v1 allow, v1 deny, both allow, both deny / v2 allow, v2 deny, both allow, both deny / v1 allow, v2 allow, both allow, both deny
  20. Diagram: Source, Deployed, Tool, with colour labels Blue, Blue, Green, Cyan, Green
  21. Authentication and Authorization
  22. Diagram: Policy, Resource
  23. Policy attached to Resource. Problems:
     • Cross-account
     • # of policies attached
  24. Policy attached to Resource. Problems:
     • # of callers
     • Deployment to add permission
  25. Policy attached to Resource via Group/OU. Problems:
     • Coarse, or
     • 1-1 service-group
  26. Policy attached to Resource via Role. Problems:
     • Push the problem to AssumeRole permissions
  27. What do I really want?
     • Caller defines desired permissions
     • Service could provide standard policies
     • Checked against org rules
     • Attached to caller
     • Assuming x-acct and # policies issues don't matter
  28. Auto-generated policies
     • Deriving policies from code is not a good idea
     • Permissions should help stop malicious code
     • But you'd derive malicious permissions from malicious code
     • Need explicit declarations
     • Then check against code for mismatch (in either direction)
  29. Discovery
  30. Containers have it easy. Diagram: A, mesh proxy; B, mesh proxy; gossip between proxies
  31. Functions miss out. Diagram (timeline): Invocation, Sync state, Invocation, Sync state. #FOMO
  32. Config aaS
     • Requirements
       • Availability over consistency
       • Public/private
       • Cross-account
     • Consequence: long-lived resources → blue/green
     • AWS SSM Parameter Store
  33. Parameter Store for discovery
     • Each microservice has a space in the parameter hierarchy
     • Discoverable parameters are tagged as public
     • Public parameters are sync'd across all accounts (via a central account)
     • Sync is organizational infrastructure
     • Each microservice only needs to look at the account-local Parameter Store for discovery
  34. Details on cross-account Parameter Store sync
     • Set up as infrastructure; clients of Parameter Store don't need to care where parameters are coming from
     • Each account:
       • Pushes to a central account's Parameter Store
       • Subscribes to SNS topic of central store updates
       • Periodically queries central store
  35. Questions?
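The check slide 28 ("Auto-generated policies") calls for, explicit permission declarations compared against the code in both directions, as an added Python example that is not from the talk or from iRobot. The policy document, the list of actions "found in code" and the static scanner assumed to produce that list are all constructed for the example.

```python
from fnmatch import fnmatchcase
import json

# Constructed sample: the explicit permission declaration that ships with the
# function (an ordinary IAM policy document, written by hand, not derived from code).
DECLARED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "s3:Get*"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}""")

# Constructed sample: actions a static scan of the function's SDK calls would
# report (the scanner is assumed, not implemented here).
ACTIONS_USED_IN_CODE = ["dynamodb:GetItem", "s3:GetObject", "sns:Publish"]


def allowed_patterns(policy):
    """Action patterns granted by Allow statements; Deny statements grant nothing."""
    patterns = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns


def check_mismatch(policy, used_actions):
    """Return (used_but_undeclared, declared_but_unused), both sorted lists."""
    # IAM matches action names case-insensitively and supports '*'/'?' globs.
    patterns = allowed_patterns(policy)
    undeclared, matched = set(), set()
    for action in used_actions:
        hits = {p for p in patterns if fnmatchcase(action.lower(), p.lower())}
        if hits:
            matched |= hits          # the code exercises this grant
        else:
            undeclared.add(action)   # call the declaration never granted
    return sorted(undeclared), sorted(patterns - matched)


if __name__ == "__main__":
    undeclared, unused = check_mismatch(DECLARED_POLICY, ACTIONS_USED_IN_CODE)
    print("used in code but not declared:", undeclared)  # ['sns:Publish']
    print("declared but never used:", unused)            # ['dynamodb:PutItem']
```

A non-empty first list means the code will fail (or is doing something it was never meant to); a non-empty second list is excess privilege to remove from the declaration.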
