SlideShare una empresa de Scribd logo

Kubernetes Multitenancy Karl Isenberg - KubeCon NA 2019

Karl Isenberg
Karl Isenberg

Cruise has been working on self-driving cars for six years and growing exponentially for most of that time. Two years ago they started using Kubernetes, betting on namespace-level multitenancy to provide isolation between teams and projects. Today they have over 40 internal tenants, 100,000 pods, 4,000 nodes, and… an embarrassing number of KubeDNS replicas. This session will take you through the motivations, story, and results of migrating to multitenant Kubernetes, along with some hard-earned Pro Tips from the trenches. You’ll also learn about the open source tooling they built around Spinnaker, Vault, Google Cloud, and Istio in order to integrate with our multitenant Kubernetes. Come see how they went from barely isolated to very isolated and saved a few million dollars doing it!

Software
1 de 31
Descargar para leer sin conexión
Kubernetes at Cruise Two Years of Multitenancy Karl Isenberg, Cruise @karlkfi
2 Building the world’s most advanced autonomous vehicles... ...and running the backend on Kubernetes. Kubernetes at Cruise: Two Years of Multitenancy
3Kubernetes at Cruise: Two Years of Multitenancy Kubernetes Cloud Storage Cloud Routers Interconnects Physical Routers On-Premises Cloud NAT Internet
4Kubernetes at Cruise: Two Years of Multitenancy Ingre RBACSync [C] GKE Spinnaker Ingress Controller (private) Runscope Stackdriver LoggingNetwork Load Balancer Private Cloud DNS Internal Load Balancer Container Registry Ingress Security Deployment Observability Forge Image Builder [C] Cruise PaaS Ingress Controller (public) Cloud NAT Egress Management Juno [C] Isopod [C] [C] Cruise Projects Other logos unaffiliated with Cruise. [C]
Multitenancy at Scale 5 Clusters: 12-26 Largest Cluster: ~1,000 nodes (64 or 32 vCPU each) Kubernetes at Cruise: Two Years of Multitenancy
6Kubernetes at Cruise: Two Years of Multitenancy Multitenancy is when multiple applications operate in a shared environment. Tenants are logically isolated, but physically integrated. The more physical integration, the harder it is to preserve logical isolation.
7 Why Multitenancy? Lower Cloud Costs Higher collocation allows for higher utilization of cloud resources (compute, network, storage). Fewer clusters can be managed by fewer platform engineers. Validate real workloads at real scale by postponing clusters proliferation. Focus on production readiness and tenant-facing improvements before scaling cluster operations. Lower Operational Costs Higher Scale Validation Higher Consistency Kubernetes at Cruise: Two Years of Multitenancy
88 Multitenancy: Layers of Isolation Kubernetes at Cruise: Two Years of Multitenancy Domain Isolation Identity Isolation Permission Isolation Resource Isolation Network Isolation Integration Isolation System Isolation Isolation/Cost
Identity Isolation 9Kubernetes at Cruise: Two Years of Multitenancy
Identity & Authentication User Identity - G Suite User Accounts - Okta Single Sign-On (SSO) - Duo Security (2FA) Service Identity - GCP Service Accounts - K8s Service Accounts - Signed Certificates - JSON Web Tokens (JWT) 10Kubernetes at Cruise: Two Years of Multitenancy
Kubernetes at Cruise: Two Years of Multitenancy In-Memory Volume App Container Kubernetes Pod Secrets Login [C] Cruise Projects Other logos unaffiliated with Cruise. [C] Vault Login Kubernetes service accounts used for Vault authentication. Secrets Injection DAYTONA Init container side-loads secrets Identity Translation Vault generates temporary credentials on-demand (OSS) https://github.com/cruise-automation/daytona Vault client for servers & containers. See also: GKE Workload Identity (beta)
Audit Validating webhook logs policy violations Enforce Validating webhook optionally enforces policies Apply Defaults Mutating webhook applies policy defaults Kubernetes at Cruise: Two Years of Multitenancy Prevent Privilege Escalation & Lateral Movement - No Bind Mounts - No Host Network - No Host PID - No New Capabilities - No Privileged Container - No Helm Tiller - Default Docker Seccomp profile (OSS) https://github.com/cruise-automation/k-rail [C] Cruise Projects Other logos unaffiliated with Cruise. [C] Security & operational policy enforcement tool. See also: GKE Metadata Concealment (beta)
Domain Isolation 13Kubernetes at Cruise: Two Years of Multitenancy Environmental Dev, Test, Stage, Prod Organizational Org, Dept, Team, Personal Architectural Project, System, Component
Environmental vs Organizational Domains 14 Pods Dev Staging Prod Team A Team B Team C Pods Pods Pods Pods Pods Pods Pods Pods Clusters Namespaces Kubernetes at Cruise: Two Years of Multitenancy
Environmental vs Architectural Domains 15 Pods Dev Staging Prod Project A Project B Project C Pods Pods Pods Pods Pods Pods Pods Pods Clusters Namespaces Kubernetes at Cruise: Two Years of Multitenancy
Permission Isolation 16Kubernetes at Cruise: Two Years of Multitenancy
Group Role Binding 17 apiVersion: rbacsync.getcruise.com/v1alpha kind: RBACSyncConfig metadata: name: namespace-bindings namespace: backend spec: bindings: - group: backend-gke-admin@example.com roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: namespace-admin - group: backend-gke-user@example.com roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: namespace-editor RBACSyncConfig ClusterRoleBindingRoleBinding ClusterRoleRole Groups GSuite RBACSync Kubernetes at Cruise: Two Years of Multitenancy (OSS) https://github.com/cruise-automation/rbacsyncSee also: Google Groups for GKE (beta)
Vault Workspaces 18Kubernetes at Cruise: Two Years of Multitenancy Group Permissions Path Tenant Admin admin secret/<prefix>/<namespace>/* Tenant Contractor list secret/<prefix>/<namespace>/* App Service Account list, get secret/<prefix>/<namespace>/<env>/<app>/* Standard hierarchy for storing and authorizing application secrets.
Kubernetes at Cruise: Two Years of Multitenancy Isopod (OSS) https://github.com/cruise-automation/isopod Domain Specific Language Loosely typed with local runtime type validation Less YAML Skylark backed by Kubernetes Go Client Flexible Reuse Alternative to Helm & Terraform for addon management DSL for Kubernetes configuration without YAML.
Kubernetes at Cruise: Two Years of Multitenancy (internal project) Juno Resource Management - GCP Project - Vault Workspace - K8s Namespace Related OSS Projects - namespace-configuration-operator - rbac-permissions-operator Cruise infra self-service resource provisioner.
Resource Isolation Built-In Types - CPU, GPU - Memory - Persistent Storage (for each Storage Class) - Ephemeral Storage Storage Volumes - OS Root - Container Images - Container Root - Ephemeral Storage Volumes - Persistent Local Storage Volumes Quotas & Limits - Resource Quota: Namespace Limits & Usage - Limit Range: Pod Default Requests & Limits - Defaults & Overrides (Juno) 21Kubernetes at Cruise: Two Years of Multitenancy
Network Isolation 22Kubernetes at Cruise: Two Years of Multitenancy
23 Shared Tunnels NAT Gateways - NAT Gateway Terraform Module (network label routing) - Cloud NAT - Whitelists Ingress / Egress QPS - No Built-In Isolation - Network Stack shared with Network Storage (NAS/SAN/Cloud) Bandwidth - No Built-In Isolation - CNI Bandwidth Plugin (Calico) - Istio Rate Limits (Quota Rules) Kubernetes at Cruise: Two Years of Multitenancy
Mesh Boundary 24 Virtual Firewalls Network Policy - IP Block - Namespace Selector - Pod Selector Service Authorization - Istio mTLS - Istio Authorization Policy Rule Based Access - Istio Denier Rule - Istio List Checker Adapter Kubernetes at Cruise: Two Years of Multitenancy Workload Pods Workload Container Istio Sidecar Workload Pods Workload Container Istio Sidecar Egress Gateway Private Ingress Gateway Public Ingress Gateway External Service Private Network Local Client Public Client
Integration Isolation 25Kubernetes at Cruise: Two Years of Multitenancy
Shared Ingress Isolation Options - Separate Private & Public (shown) - Dedicated Ingress Node Pool - Dedicated Ingress VMs (shown) - Dedicated Ingress Per Tenant Kubernetes at Cruise: Two Years of Multitenancy
Shared DNS Isolation Options - Node Local Cache - Dedicated DNS Per Node Pool - Dedicated DNS Per Cluster NodeNode Kubernetes at Cruise: Two Years of Multitenancy Application PodKubeDNS Pod SkyDNS DnsMasq Sidecar (probes) Datadog Daemon Google Cloud DNS CoreDNS AWS Route 53 etcd *.cluster.local Private Zones DNS Requests (UDP) Application Default Resolver resolv.conf DataDog Agent Datadog Daemon DataDog Agent Network Local Cache
Shared Observability Logs - Log Visibility (Container, Platform, Audit) - Log-Based Metrics (Edit Perms) - Fluentd DaemonSet Vertical Autoscaling Metrics - Kube State Metrics not HA - DaemonSet Agent HA & Slow or Local & Fast - Sidecar Agent Duplicate Metrics - DogStatsD vs Prometheus Style Distributed Tracing - OpenTelemetry vs OpenCensus vs OpenTracing - Stackdriver vs DataDog vs Jaeger vs Zipkin Dashboard Management - Platform Dashboards - Workload Dashboards - Dashboard Templates Kubernetes at Cruise: Two Years of Multitenancy Container & Ingress Log Export Team Project PaaS Project Kubernetes Engine Monitoring Logging Logging Logs Based Metrics Cloud Load Balancing Cloud Pub/SubKubernetes Engine Container Logs Ingress Logs
No Isolation (Shared Cluster Admin) 29 System Isolation Machines - Dedicated Node Pool - Dedicated Cluster Cluster Components - API Server - Scheduler - Cluster Autoscaler - Kube Proxy (iptables) Networks - Dedicated IP Ranges - Dedicated Subnet - Dedicated Network - Dedicated Interconnects Kubernetes at Cruise: Two Years of Multitenancy Logical Isolation (Soft Multitenancy) Physical Isolation (Hard Multitenancy) System Isolation (Single Tenancy)
Was it worth it? Costs - Shared Downtime - Incompatible Tooling Challenges - Single Tenant Integrations - Managed CRD Installation - Managed Internal Platform Model - Kubernetes Itself Benefits - Lower Cloud Costs - Lower Operational Costs - Higher Scale Validation - Higher Consistency - Prioritized Security Investments - Expertise Building 30Kubernetes at Cruise: Two Years of Multitenancy
Thank you Karl Isenberg, Cruise @karlkfi

Recomendados

CI/CD Across Multiple Environments
CI/CD Across Multiple EnvironmentsCI/CD Across Multiple Environments
CI/CD Across Multiple EnvironmentsKarl Isenberg
 
Container Orchestration Wars (Micro Edition)
Container Orchestration Wars (Micro Edition)Container Orchestration Wars (Micro Edition)
Container Orchestration Wars (Micro Edition)Karl Isenberg
 
CI/CD with Docker, DC/OS, and Jenkins
CI/CD with Docker, DC/OS, and JenkinsCI/CD with Docker, DC/OS, and Jenkins
CI/CD with Docker, DC/OS, and JenkinsKarl Isenberg
 
Cloud Surfing: Kubernetes on Mesos
Cloud Surfing: Kubernetes on MesosCloud Surfing: Kubernetes on Mesos
Cloud Surfing: Kubernetes on MesosKarl Isenberg
 
Mesos vs kubernetes comparison
Mesos vs kubernetes comparisonMesos vs kubernetes comparison
Mesos vs kubernetes comparisonKrishna-Kumar
 
Deploying Containers in Production and at Scale
Deploying Containers in Production and at ScaleDeploying Containers in Production and at Scale
Deploying Containers in Production and at ScaleMesosphere Inc.
 
Mesos and the Architecture of the New Datacenter
Mesos and the Architecture of the New DatacenterMesos and the Architecture of the New Datacenter
Mesos and the Architecture of the New DatacenterQAware GmbH
 
2013 05-multicloud-paas-interop-scenarios-fia-dublin
2013 05-multicloud-paas-interop-scenarios-fia-dublin2013 05-multicloud-paas-interop-scenarios-fia-dublin
2013 05-multicloud-paas-interop-scenarios-fia-dublinAlex Heneveld
 

Recomendados

CI/CD Across Multiple Environments
CI/CD Across Multiple EnvironmentsCI/CD Across Multiple Environments
CI/CD Across Multiple EnvironmentsKarl Isenberg
 
Container Orchestration Wars (Micro Edition)
Container Orchestration Wars (Micro Edition)Container Orchestration Wars (Micro Edition)
Container Orchestration Wars (Micro Edition)Karl Isenberg
 
CI/CD with Docker, DC/OS, and Jenkins
CI/CD with Docker, DC/OS, and JenkinsCI/CD with Docker, DC/OS, and Jenkins
CI/CD with Docker, DC/OS, and JenkinsKarl Isenberg
 
Cloud Surfing: Kubernetes on Mesos
Cloud Surfing: Kubernetes on MesosCloud Surfing: Kubernetes on Mesos
Cloud Surfing: Kubernetes on MesosKarl Isenberg
 
Mesos vs kubernetes comparison
Mesos vs kubernetes comparisonMesos vs kubernetes comparison
Mesos vs kubernetes comparisonKrishna-Kumar
 
Deploying Containers in Production and at Scale
Deploying Containers in Production and at ScaleDeploying Containers in Production and at Scale
Deploying Containers in Production and at ScaleMesosphere Inc.
 
Mesos and the Architecture of the New Datacenter
Mesos and the Architecture of the New DatacenterMesos and the Architecture of the New Datacenter
Mesos and the Architecture of the New DatacenterQAware GmbH
 
2013 05-multicloud-paas-interop-scenarios-fia-dublin
2013 05-multicloud-paas-interop-scenarios-fia-dublin2013 05-multicloud-paas-interop-scenarios-fia-dublin
2013 05-multicloud-paas-interop-scenarios-fia-dublinAlex Heneveld
 
Kubernetes on Top of Mesos on Top of DCOS
Kubernetes on Top of Mesos on Top of DCOSKubernetes on Top of Mesos on Top of DCOS
Kubernetes on Top of Mesos on Top of DCOSStefan Schimanski
 
Cloudjiffy vs Pivotal Cloud Foundry (private cloud)
Cloudjiffy vs Pivotal Cloud Foundry (private cloud)Cloudjiffy vs Pivotal Cloud Foundry (private cloud)
Cloudjiffy vs Pivotal Cloud Foundry (private cloud)Sharma Aashish
 
Platform as a Service with Kubernetes and Mesos
Platform as a Service with Kubernetes and Mesos Platform as a Service with Kubernetes and Mesos
Platform as a Service with Kubernetes and Mesos Miguel Zuniga
 
HA Kubernetes on Mesos / Marathon
HA Kubernetes on Mesos / MarathonHA Kubernetes on Mesos / Marathon
HA Kubernetes on Mesos / MarathonCobus Bernard
 
Migrating from Azure Search to SearcStax
Migrating from Azure Search to SearcStaxMigrating from Azure Search to SearcStax
Migrating from Azure Search to SearcStaxVarunNehra
 
整合Cloud Foundry 和 Kubernetes 技術打造企業級雲應用平台解決方案
整合Cloud Foundry 和 Kubernetes 技術打造企業級雲應用平台解決方案整合Cloud Foundry 和 Kubernetes 技術打造企業級雲應用平台解決方案
整合Cloud Foundry 和 Kubernetes 技術打造企業級雲應用平台解決方案inwin stack
 
ACROPOLIS CONTAINER SERVICES
ACROPOLIS CONTAINER SERVICESACROPOLIS CONTAINER SERVICES
ACROPOLIS CONTAINER SERVICESTREEPTIK
 
Scaling Like Twitter with Apache Mesos
Scaling Like Twitter with Apache MesosScaling Like Twitter with Apache Mesos
Scaling Like Twitter with Apache MesosMesosphere Inc.
 
Container Orchestration @Docker Meetup Hamburg
Container Orchestration @Docker Meetup HamburgContainer Orchestration @Docker Meetup Hamburg
Container Orchestration @Docker Meetup HamburgTimo Derstappen
 
[OpenStack Day in Korea 2015] Track 3-1 - OpenStack Storage Infrastructure & ...
[OpenStack Day in Korea 2015] Track 3-1 - OpenStack Storage Infrastructure & ...[OpenStack Day in Korea 2015] Track 3-1 - OpenStack Storage Infrastructure & ...
[OpenStack Day in Korea 2015] Track 3-1 - OpenStack Storage Infrastructure & ...OpenStack Korea Community
 
Musings on Mesos: Docker, Kubernetes, and Beyond.
Musings on Mesos: Docker, Kubernetes, and Beyond.Musings on Mesos: Docker, Kubernetes, and Beyond.
Musings on Mesos: Docker, Kubernetes, and Beyond.Timothy St. Clair
 
Puppet + Windows Nano Server
Puppet + Windows Nano ServerPuppet + Windows Nano Server
Puppet + Windows Nano ServerAlessandro Pilotti
 
Federated mesos clusters for global data center designs
Federated mesos clusters for global data center designsFederated mesos clusters for global data center designs
Federated mesos clusters for global data center designsKrishna-Kumar
 
Mesos swam-kubernetes-vds-02062017
Mesos swam-kubernetes-vds-02062017Mesos swam-kubernetes-vds-02062017
Mesos swam-kubernetes-vds-02062017Christophe Furmaniak
 
Intro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on KubernetesIntro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on KubernetesKublr
 
Highly Available And Distributed Containers - ContainerCon NA 2016
Highly Available And Distributed Containers - ContainerCon NA 2016Highly Available And Distributed Containers - ContainerCon NA 2016
Highly Available And Distributed Containers - ContainerCon NA 2016{code}
 
Copr HD OpenStack Day India
Copr HD OpenStack Day IndiaCopr HD OpenStack Day India
Copr HD OpenStack Day Indiaopenstackindia
 
Mesos and Kubernetes ecosystem overview
Mesos and Kubernetes ecosystem overviewMesos and Kubernetes ecosystem overview
Mesos and Kubernetes ecosystem overviewKrishna-Kumar
 
Introduction to rook
Introduction to rookIntroduction to rook
Introduction to rookRohan Gupta
 
[OpenStack Days Korea 2016] Track1 - Red Hat enterprise Linux OpenStack Platform
[OpenStack Days Korea 2016] Track1 - Red Hat enterprise Linux OpenStack Platform[OpenStack Days Korea 2016] Track1 - Red Hat enterprise Linux OpenStack Platform
[OpenStack Days Korea 2016] Track1 - Red Hat enterprise Linux OpenStack PlatformOpenStack Korea Community
 
Metal-k8s presentation by Julien Girardin @ Paris Kubernetes Meetup
Metal-k8s presentation by Julien Girardin @ Paris Kubernetes MeetupMetal-k8s presentation by Julien Girardin @ Paris Kubernetes Meetup
Metal-k8s presentation by Julien Girardin @ Paris Kubernetes MeetupLaure Vergeron
 
Kubernetes extensibility
Kubernetes extensibilityKubernetes extensibility
Kubernetes extensibilityDocker, Inc.
 

Más contenido relacionado

La actualidad más candente

Kubernetes on Top of Mesos on Top of DCOS
Kubernetes on Top of Mesos on Top of DCOSKubernetes on Top of Mesos on Top of DCOS
Kubernetes on Top of Mesos on Top of DCOSStefan Schimanski
 
Cloudjiffy vs Pivotal Cloud Foundry (private cloud)
Cloudjiffy vs Pivotal Cloud Foundry (private cloud)Cloudjiffy vs Pivotal Cloud Foundry (private cloud)
Cloudjiffy vs Pivotal Cloud Foundry (private cloud)Sharma Aashish
 
Platform as a Service with Kubernetes and Mesos
Platform as a Service with Kubernetes and Mesos Platform as a Service with Kubernetes and Mesos
Platform as a Service with Kubernetes and Mesos Miguel Zuniga
 
HA Kubernetes on Mesos / Marathon
HA Kubernetes on Mesos / MarathonHA Kubernetes on Mesos / Marathon
HA Kubernetes on Mesos / MarathonCobus Bernard
 
Migrating from Azure Search to SearcStax
Migrating from Azure Search to SearcStaxMigrating from Azure Search to SearcStax
Migrating from Azure Search to SearcStaxVarunNehra
 
整合Cloud Foundry 和 Kubernetes 技術打造企業級雲應用平台解決方案
整合Cloud Foundry 和 Kubernetes 技術打造企業級雲應用平台解決方案整合Cloud Foundry 和 Kubernetes 技術打造企業級雲應用平台解決方案
整合Cloud Foundry 和 Kubernetes 技術打造企業級雲應用平台解決方案inwin stack
 
ACROPOLIS CONTAINER SERVICES
ACROPOLIS CONTAINER SERVICESACROPOLIS CONTAINER SERVICES
ACROPOLIS CONTAINER SERVICESTREEPTIK
 
Scaling Like Twitter with Apache Mesos
Scaling Like Twitter with Apache MesosScaling Like Twitter with Apache Mesos
Scaling Like Twitter with Apache MesosMesosphere Inc.
 
Container Orchestration @Docker Meetup Hamburg
Container Orchestration @Docker Meetup HamburgContainer Orchestration @Docker Meetup Hamburg
Container Orchestration @Docker Meetup HamburgTimo Derstappen
 
[OpenStack Day in Korea 2015] Track 3-1 - OpenStack Storage Infrastructure & ...
[OpenStack Day in Korea 2015] Track 3-1 - OpenStack Storage Infrastructure & ...[OpenStack Day in Korea 2015] Track 3-1 - OpenStack Storage Infrastructure & ...
[OpenStack Day in Korea 2015] Track 3-1 - OpenStack Storage Infrastructure & ...OpenStack Korea Community
 
Musings on Mesos: Docker, Kubernetes, and Beyond.
Musings on Mesos: Docker, Kubernetes, and Beyond.Musings on Mesos: Docker, Kubernetes, and Beyond.
Musings on Mesos: Docker, Kubernetes, and Beyond.Timothy St. Clair
 
Federated mesos clusters for global data center designs
Federated mesos clusters for global data center designsFederated mesos clusters for global data center designs
Federated mesos clusters for global data center designsKrishna-Kumar
 
Mesos swam-kubernetes-vds-02062017
Mesos swam-kubernetes-vds-02062017Mesos swam-kubernetes-vds-02062017
Mesos swam-kubernetes-vds-02062017Christophe Furmaniak
 
Intro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on KubernetesIntro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on KubernetesKublr
 
Highly Available And Distributed Containers - ContainerCon NA 2016
Highly Available And Distributed Containers - ContainerCon NA 2016Highly Available And Distributed Containers - ContainerCon NA 2016
Highly Available And Distributed Containers - ContainerCon NA 2016{code}
 
Copr HD OpenStack Day India
Copr HD OpenStack Day IndiaCopr HD OpenStack Day India
Copr HD OpenStack Day Indiaopenstackindia
 
Mesos and Kubernetes ecosystem overview
Mesos and Kubernetes ecosystem overviewMesos and Kubernetes ecosystem overview
Mesos and Kubernetes ecosystem overviewKrishna-Kumar
 
Introduction to rook
Introduction to rookIntroduction to rook
Introduction to rookRohan Gupta
 
[OpenStack Days Korea 2016] Track1 - Red Hat enterprise Linux OpenStack Platform
[OpenStack Days Korea 2016] Track1 - Red Hat enterprise Linux OpenStack Platform[OpenStack Days Korea 2016] Track1 - Red Hat enterprise Linux OpenStack Platform
[OpenStack Days Korea 2016] Track1 - Red Hat enterprise Linux OpenStack PlatformOpenStack Korea Community
 

La actualidad más candente (20)

Kubernetes on Top of Mesos on Top of DCOS
Kubernetes on Top of Mesos on Top of DCOSKubernetes on Top of Mesos on Top of DCOS
Kubernetes on Top of Mesos on Top of DCOS
 
Cloudjiffy vs Pivotal Cloud Foundry (private cloud)
Cloudjiffy vs Pivotal Cloud Foundry (private cloud)Cloudjiffy vs Pivotal Cloud Foundry (private cloud)
Cloudjiffy vs Pivotal Cloud Foundry (private cloud)
 
Platform as a Service with Kubernetes and Mesos
Platform as a Service with Kubernetes and Mesos Platform as a Service with Kubernetes and Mesos
Platform as a Service with Kubernetes and Mesos
 
HA Kubernetes on Mesos / Marathon
HA Kubernetes on Mesos / MarathonHA Kubernetes on Mesos / Marathon
HA Kubernetes on Mesos / Marathon
 
Migrating from Azure Search to SearcStax
Migrating from Azure Search to SearcStaxMigrating from Azure Search to SearcStax
Migrating from Azure Search to SearcStax
 
整合Cloud Foundry 和 Kubernetes 技術打造企業級雲應用平台解決方案
整合Cloud Foundry 和 Kubernetes 技術打造企業級雲應用平台解決方案整合Cloud Foundry 和 Kubernetes 技術打造企業級雲應用平台解決方案
整合Cloud Foundry 和 Kubernetes 技術打造企業級雲應用平台解決方案
 
ACROPOLIS CONTAINER SERVICES
ACROPOLIS CONTAINER SERVICESACROPOLIS CONTAINER SERVICES
ACROPOLIS CONTAINER SERVICES
 
Scaling Like Twitter with Apache Mesos
Scaling Like Twitter with Apache MesosScaling Like Twitter with Apache Mesos
Scaling Like Twitter with Apache Mesos
 
Container Orchestration @Docker Meetup Hamburg
Container Orchestration @Docker Meetup HamburgContainer Orchestration @Docker Meetup Hamburg
Container Orchestration @Docker Meetup Hamburg
 
[OpenStack Day in Korea 2015] Track 3-1 - OpenStack Storage Infrastructure & ...
[OpenStack Day in Korea 2015] Track 3-1 - OpenStack Storage Infrastructure & ...[OpenStack Day in Korea 2015] Track 3-1 - OpenStack Storage Infrastructure & ...
[OpenStack Day in Korea 2015] Track 3-1 - OpenStack Storage Infrastructure & ...
 
Musings on Mesos: Docker, Kubernetes, and Beyond.
Musings on Mesos: Docker, Kubernetes, and Beyond.Musings on Mesos: Docker, Kubernetes, and Beyond.
Musings on Mesos: Docker, Kubernetes, and Beyond.
 
Puppet + Windows Nano Server
Puppet + Windows Nano ServerPuppet + Windows Nano Server
Puppet + Windows Nano Server
 
Federated mesos clusters for global data center designs
Federated mesos clusters for global data center designsFederated mesos clusters for global data center designs
Federated mesos clusters for global data center designs
 
Mesos swam-kubernetes-vds-02062017
Mesos swam-kubernetes-vds-02062017Mesos swam-kubernetes-vds-02062017
Mesos swam-kubernetes-vds-02062017
 
Intro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on KubernetesIntro into Rook and Ceph on Kubernetes
Intro into Rook and Ceph on Kubernetes
 
Highly Available And Distributed Containers - ContainerCon NA 2016
Highly Available And Distributed Containers - ContainerCon NA 2016Highly Available And Distributed Containers - ContainerCon NA 2016
Highly Available And Distributed Containers - ContainerCon NA 2016
 
Copr HD OpenStack Day India
Copr HD OpenStack Day IndiaCopr HD OpenStack Day India
Copr HD OpenStack Day India
 
Mesos and Kubernetes ecosystem overview
Mesos and Kubernetes ecosystem overviewMesos and Kubernetes ecosystem overview
Mesos and Kubernetes ecosystem overview
 
Introduction to rook
Introduction to rookIntroduction to rook
Introduction to rook
 
[OpenStack Days Korea 2016] Track1 - Red Hat enterprise Linux OpenStack Platform
[OpenStack Days Korea 2016] Track1 - Red Hat enterprise Linux OpenStack Platform[OpenStack Days Korea 2016] Track1 - Red Hat enterprise Linux OpenStack Platform
[OpenStack Days Korea 2016] Track1 - Red Hat enterprise Linux OpenStack Platform
 

Similar a Kubernetes Multitenancy Karl Isenberg - KubeCon NA 2019

Metal-k8s presentation by Julien Girardin @ Paris Kubernetes Meetup
Metal-k8s presentation by Julien Girardin @ Paris Kubernetes MeetupMetal-k8s presentation by Julien Girardin @ Paris Kubernetes Meetup
Metal-k8s presentation by Julien Girardin @ Paris Kubernetes MeetupLaure Vergeron
 
Kubernetes extensibility
Kubernetes extensibilityKubernetes extensibility
Kubernetes extensibilityDocker, Inc.
 
DCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDocker, Inc.
 
Dayta AI Seminar - Kubernetes, Docker and AI on Cloud
Dayta AI Seminar - Kubernetes, Docker and AI on CloudDayta AI Seminar - Kubernetes, Docker and AI on Cloud
Dayta AI Seminar - Kubernetes, Docker and AI on CloudJung-Hong Kim
 
Kubernetes Administration from Zero to Hero.pdf
Kubernetes Administration from Zero to Hero.pdfKubernetes Administration from Zero to Hero.pdf
Kubernetes Administration from Zero to Hero.pdfArzooGupta16
 
Cloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit KubernetesCloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit KubernetesQAware GmbH
 
GitOps - Operation By Pull Request
GitOps - Operation By Pull RequestGitOps - Operation By Pull Request
GitOps - Operation By Pull RequestKasper Nissen
 
OpenEBS Technical Workshop - KubeCon San Diego 2019
OpenEBS Technical Workshop - KubeCon San Diego 2019OpenEBS Technical Workshop - KubeCon San Diego 2019
OpenEBS Technical Workshop - KubeCon San Diego 2019MayaData Inc
 
Docker Enterprise Workshop - Technical
Docker Enterprise Workshop - TechnicalDocker Enterprise Workshop - Technical
Docker Enterprise Workshop - TechnicalPatrick Chanezon
 
Kubernetes based Cloud-region support in ONAP to bring up VM and container ba...
Kubernetes based Cloud-region support in ONAP to bring up VM and container ba...Kubernetes based Cloud-region support in ONAP to bring up VM and container ba...
Kubernetes based Cloud-region support in ONAP to bring up VM and container ba...Victor Morales
 
Scaling Docker Containers using Kubernetes and Azure Container Service
Scaling Docker Containers using Kubernetes and Azure Container ServiceScaling Docker Containers using Kubernetes and Azure Container Service
Scaling Docker Containers using Kubernetes and Azure Container ServiceBen Hall
 
Scaling docker with kubernetes
Scaling docker with kubernetesScaling docker with kubernetes
Scaling docker with kubernetesLiran Cohen
 
Managing Container Clusters in OpenStack Native Way
Managing Container Clusters in OpenStack Native WayManaging Container Clusters in OpenStack Native Way
Managing Container Clusters in OpenStack Native WayQiming Teng
 
A hitchhiker‘s guide to the cloud native stack
A hitchhiker‘s guide to the cloud native stackA hitchhiker‘s guide to the cloud native stack
A hitchhiker‘s guide to the cloud native stackQAware GmbH
 
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17Mario-Leander Reimer
 
.NET Developer Days - So many Docker platforms, so little time...
.NET Developer Days - So many Docker platforms, so little time....NET Developer Days - So many Docker platforms, so little time...
.NET Developer Days - So many Docker platforms, so little time...Michele Leroux Bustamante
 
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)QAware GmbH
 
Episode 3: Kubernetes and Big Data Services
Episode 3: Kubernetes and Big Data ServicesEpisode 3: Kubernetes and Big Data Services
Episode 3: Kubernetes and Big Data ServicesMesosphere Inc.
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Michael Man
 

Similar a Kubernetes Multitenancy Karl Isenberg - KubeCon NA 2019 (20)

Metal-k8s presentation by Julien Girardin @ Paris Kubernetes Meetup
Metal-k8s presentation by Julien Girardin @ Paris Kubernetes MeetupMetal-k8s presentation by Julien Girardin @ Paris Kubernetes Meetup
Metal-k8s presentation by Julien Girardin @ Paris Kubernetes Meetup
 
Kubernetes extensibility
Kubernetes extensibilityKubernetes extensibility
Kubernetes extensibility
 
DCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDCEU 18: Docker Container Networking
DCEU 18: Docker Container Networking
 
Dayta AI Seminar - Kubernetes, Docker and AI on Cloud
Dayta AI Seminar - Kubernetes, Docker and AI on CloudDayta AI Seminar - Kubernetes, Docker and AI on Cloud
Dayta AI Seminar - Kubernetes, Docker and AI on Cloud
 
Kubernetes Administration from Zero to Hero.pdf
Kubernetes Administration from Zero to Hero.pdfKubernetes Administration from Zero to Hero.pdf
Kubernetes Administration from Zero to Hero.pdf
 
Cloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit KubernetesCloud-native .NET Microservices mit Kubernetes
Cloud-native .NET Microservices mit Kubernetes
 
GitOps - Operation By Pull Request
GitOps - Operation By Pull RequestGitOps - Operation By Pull Request
GitOps - Operation By Pull Request
 
OpenEBS Technical Workshop - KubeCon San Diego 2019
OpenEBS Technical Workshop - KubeCon San Diego 2019OpenEBS Technical Workshop - KubeCon San Diego 2019
OpenEBS Technical Workshop - KubeCon San Diego 2019
 
Docker Enterprise Workshop - Technical
Docker Enterprise Workshop - TechnicalDocker Enterprise Workshop - Technical
Docker Enterprise Workshop - Technical
 
Kubernetes based Cloud-region support in ONAP to bring up VM and container ba...
Kubernetes based Cloud-region support in ONAP to bring up VM and container ba...Kubernetes based Cloud-region support in ONAP to bring up VM and container ba...
Kubernetes based Cloud-region support in ONAP to bring up VM and container ba...
 
Scaling Docker Containers using Kubernetes and Azure Container Service
Scaling Docker Containers using Kubernetes and Azure Container ServiceScaling Docker Containers using Kubernetes and Azure Container Service
Scaling Docker Containers using Kubernetes and Azure Container Service
 
Scaling docker with kubernetes
Scaling docker with kubernetesScaling docker with kubernetes
Scaling docker with kubernetes
 
Managing Container Clusters in OpenStack Native Way
Managing Container Clusters in OpenStack Native WayManaging Container Clusters in OpenStack Native Way
Managing Container Clusters in OpenStack Native Way
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
A hitchhiker‘s guide to the cloud native stack
A hitchhiker‘s guide to the cloud native stackA hitchhiker‘s guide to the cloud native stack
A hitchhiker‘s guide to the cloud native stack
 
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
 
.NET Developer Days - So many Docker platforms, so little time...
.NET Developer Days - So many Docker platforms, so little time....NET Developer Days - So many Docker platforms, so little time...
.NET Developer Days - So many Docker platforms, so little time...
 
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
Kubernetes One-Click Deployment: Hands-on Workshop (Mainz)
 
Episode 3: Kubernetes and Big Data Services
Episode 3: Kubernetes and Big Data ServicesEpisode 3: Kubernetes and Big Data Services
Episode 3: Kubernetes and Big Data Services
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
 

Último

Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZABSYZ Inc
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfInnovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfYashikaSharma391629
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 

Último (20)

Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfInnovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 

Kubernetes Multitenancy Karl Isenberg - KubeCon NA 2019

  • 1. Kubernetes at Cruise Two Years of Multitenancy Karl Isenberg, Cruise @karlkfi
  • 2. 2 Building the world’s most advanced autonomous vehicles... ...and running the backend on Kubernetes. Kubernetes at Cruise: Two Years of Multitenancy
  • 3. 3Kubernetes at Cruise: Two Years of Multitenancy Kubernetes Cloud Storage Cloud Routers Interconnects Physical Routers On-Premises Cloud NAT Internet
  • 4. 4Kubernetes at Cruise: Two Years of Multitenancy Ingre RBACSync [C] GKE Spinnaker Ingress Controller (private) Runscope Stackdriver LoggingNetwork Load Balancer Private Cloud DNS Internal Load Balancer Container Registry Ingress Security Deployment Observability Forge Image Builder [C] Cruise PaaS Ingress Controller (public) Cloud NAT Egress Management Juno [C] Isopod [C] [C] Cruise Projects Other logos unaffiliated with Cruise. [C]
  • 5. Multitenancy at Scale 5 Clusters: 12-26 Largest Cluster: ~1,000 nodes (64 or 32 vCPU each) Kubernetes at Cruise: Two Years of Multitenancy
  • 6. 6Kubernetes at Cruise: Two Years of Multitenancy Multitenancy is when multiple applications operate in a shared environment. Tenants are logically isolated, but physically integrated. The more physical integration, the harder it is to preserve logical isolation.
  • 7. 7 Why Multitenancy? Lower Cloud Costs Higher collocation allows for higher utilization of cloud resources (compute, network, storage). Fewer clusters can be managed by fewer platform engineers. Validate real workloads at real scale by postponing clusters proliferation. Focus on production readiness and tenant-facing improvements before scaling cluster operations. Lower Operational Costs Higher Scale Validation Higher Consistency Kubernetes at Cruise: Two Years of Multitenancy
  • 8. 88 Multitenancy: Layers of Isolation Kubernetes at Cruise: Two Years of Multitenancy Domain Isolation Identity Isolation Permission Isolation Resource Isolation Network Isolation Integration Isolation System Isolation Isolation/Cost
  • 9. Identity Isolation 9Kubernetes at Cruise: Two Years of Multitenancy
  • 10. Identity & Authentication User Identity - G Suite User Accounts - Okta Single Sign-On (SSO) - Duo Security (2FA) Service Identity - GCP Service Accounts - K8s Service Accounts - Signed Certificates - JSON Web Tokens (JWT) 10Kubernetes at Cruise: Two Years of Multitenancy
  • 11. Kubernetes at Cruise: Two Years of Multitenancy In-Memory Volume App Container Kubernetes Pod Secrets Login [C] Cruise Projects Other logos unaffiliated with Cruise. [C] Vault Login Kubernetes service accounts used for Vault authentication. Secrets Injection DAYTONA Init container side-loads secrets Identity Translation Vault generates temporary credentials on-demand (OSS) https://github.com/cruise-automation/daytona Vault client for servers & containers. See also: GKE Workload Identity (beta)
  • 12. Audit Validating webhook logs policy violations Enforce Validating webhook optionally enforces policies Apply Defaults Mutating webhook applies policy defaults Kubernetes at Cruise: Two Years of Multitenancy Prevent Privilege Escalation & Lateral Movement - No Bind Mounts - No Host Network - No Host PID - No New Capabilities - No Privileged Container - No Helm Tiller - Default Docker Seccomp profile (OSS) https://github.com/cruise-automation/k-rail [C] Cruise Projects Other logos unaffiliated with Cruise. [C] Security & operational policy enforcement tool. See also: GKE Metadata Concealment (beta)
  • 13. Domain Isolation 13Kubernetes at Cruise: Two Years of Multitenancy Environmental Dev, Test, Stage, Prod Organizational Org, Dept, Team, Personal Architectural Project, System, Component
  • 14. Environmental vs Organizational Domains 14 Pods Dev Staging Prod Team A Team B Team C Pods Pods Pods Pods Pods Pods Pods Pods Clusters Namespaces Kubernetes at Cruise: Two Years of Multitenancy
  • 15. Environmental vs Architectural Domains 15 Pods Dev Staging Prod Project A Project B Project C Pods Pods Pods Pods Pods Pods Pods Pods Clusters Namespaces Kubernetes at Cruise: Two Years of Multitenancy
  • 16. Permission Isolation 16Kubernetes at Cruise: Two Years of Multitenancy
  • 17. Group Role Binding 17 apiVersion: rbacsync.getcruise.com/v1alpha kind: RBACSyncConfig metadata: name: namespace-bindings namespace: backend spec: bindings: - group: backend-gke-admin@example.com roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: namespace-admin - group: backend-gke-user@example.com roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: namespace-editor RBACSyncConfig ClusterRoleBindingRoleBinding ClusterRoleRole Groups GSuite RBACSync Kubernetes at Cruise: Two Years of Multitenancy (OSS) https://github.com/cruise-automation/rbacsyncSee also: Google Groups for GKE (beta)
  • 18. Vault Workspaces 18Kubernetes at Cruise: Two Years of Multitenancy Group Permissions Path Tenant Admin admin secret/<prefix>/<namespace>/* Tenant Contractor list secret/<prefix>/<namespace>/* App Service Account list, get secret/<prefix>/<namespace>/<env>/<app>/* Standard hierarchy for storing and authorizing application secrets.
  • 19. Kubernetes at Cruise: Two Years of Multitenancy Isopod (OSS) https://github.com/cruise-automation/isopod Domain Specific Language Loosely typed with local runtime type validation Less YAML Skylark backed by Kubernetes Go Client Flexible Reuse Alternative to Helm & Terraform for addon management DSL for Kubernetes configuration without YAML.
  • 20. Kubernetes at Cruise: Two Years of Multitenancy (internal project) Juno Resource Management - GCP Project - Vault Workspace - K8s Namespace Related OSS Projects - namespace-configuration-operator - rbac-permissions-operator Cruise infra self-service resource provisioner.
  • 21. Resource Isolation Built-In Types - CPU, GPU - Memory - Persistent Storage (for each Storage Class) - Ephemeral Storage Storage Volumes - OS Root - Container Images - Container Root - Ephemeral Storage Volumes - Persistent Local Storage Volumes Quotas & Limits - Resource Quota: Namespace Limits & Usage - Limit Range: Pod Default Requests & Limits - Defaults & Overrides (Juno) 21Kubernetes at Cruise: Two Years of Multitenancy
  • 22. Network Isolation 22Kubernetes at Cruise: Two Years of Multitenancy
  • 23. 23 Shared Tunnels NAT Gateways - NAT Gateway Terraform Module (network label routing) - Cloud NAT - Whitelists Ingress / Egress QPS - No Built-In Isolation - Network Stack shared with Network Storage (NAS/SAN/Cloud) Bandwidth - No Built-In Isolation - CNI Bandwidth Plugin (Calico) - Istio Rate Limits (Quota Rules) Kubernetes at Cruise: Two Years of Multitenancy
  • 24. Mesh Boundary 24 Virtual Firewalls Network Policy - IP Block - Namespace Selector - Pod Selector Service Authorization - Istio mTLS - Istio Authorization Policy Rule Based Access - Istio Denier Rule - Istio List Checker Adapter Kubernetes at Cruise: Two Years of Multitenancy Workload Pods Workload Container Istio Sidecar Workload Pods Workload Container Istio Sidecar Egress Gateway Private Ingress Gateway Public Ingress Gateway External Service Private Network Local Client Public Client
  • 25. Integration Isolation 25Kubernetes at Cruise: Two Years of Multitenancy
  • 26. Shared Ingress Isolation Options - Separate Private & Public (shown) - Dedicated Ingress Node Pool - Dedicated Ingress VMs (shown) - Dedicated Ingress Per Tenant Kubernetes at Cruise: Two Years of Multitenancy
  • 27. Shared DNS Isolation Options - Node Local Cache - Dedicated DNS Per Node Pool - Dedicated DNS Per Cluster NodeNode Kubernetes at Cruise: Two Years of Multitenancy Application PodKubeDNS Pod SkyDNS DnsMasq Sidecar (probes) Datadog Daemon Google Cloud DNS CoreDNS AWS Route 53 etcd *.cluster.local Private Zones DNS Requests (UDP) Application Default Resolver resolv.conf DataDog Agent Datadog Daemon DataDog Agent Network Local Cache
  • 28. Shared Observability Logs - Log Visibility (Container, Platform, Audit) - Log-Based Metrics (Edit Perms) - Fluentd DaemonSet Vertical Autoscaling Metrics - Kube State Metrics not HA - DaemonSet Agent HA & Slow or Local & Fast - Sidecar Agent Duplicate Metrics - DogStatsD vs Prometheus Style Distributed Tracing - OpenTelemetry vs OpenCensus vs OpenTracing - Stackdriver vs DataDog vs Jaeger vs Zipkin Dashboard Management - Platform Dashboards - Workload Dashboards - Dashboard Templates Kubernetes at Cruise: Two Years of Multitenancy Container & Ingress Log Export Team Project PaaS Project Kubernetes Engine Monitoring Logging Logging Logs Based Metrics Cloud Load Balancing Cloud Pub/SubKubernetes Engine Container Logs Ingress Logs
  • 29. No Isolation (Shared Cluster Admin) 29 System Isolation Machines - Dedicated Node Pool - Dedicated Cluster Cluster Components - API Server - Scheduler - Cluster Autoscaler - Kube Proxy (iptables) Networks - Dedicated IP Ranges - Dedicated Subnet - Dedicated Network - Dedicated Interconnects Kubernetes at Cruise: Two Years of Multitenancy Logical Isolation (Soft Multitenancy) Physical Isolation (Hard Multitenancy) System Isolation (Single Tenancy)
  • 30. Was it worth it? Costs - Shared Downtime - Incompatible Tooling Challenges - Single Tenant Integrations - Managed CRD Installation - Managed Internal Platform Model - Kubernetes Itself Benefits - Lower Cloud Costs - Lower Operational Costs - Higher Scale Validation - Higher Consistency - Prioritized Security Investments - Expertise Building 30Kubernetes at Cruise: Two Years of Multitenancy
  • 31. Thank you Karl Isenberg, Cruise @karlkfi