Running Containers in Production
Thijs Ebbers
The ING Story
San Diego, November 18th 2019
Introduction

Thijs Ebbers
ING Enterprise Architect, Infrastructure Domain
Currently working on:
• ING’s Cloud Native Journey
• Container Hosting (“Kubernetes”)
• Data Services (Object (“S3”) & File Services (“NFS”))
• and all the Risk/Security topics touched by this innovation
About ING

ING is a global financial institution with a strong European base, offering retail and wholesale banking services to customers in over 40 countries. The purpose of ING is empowering people to stay a step ahead in life and in business.
ING Bank has more than 52,000 employees. As at the end of 2018, we had 38.4 million retail customers, with 12.5 million considered primary customers.
ING is transforming itself with a bold strategy towards a digital bank. The transformation is happening now.

“In the end, our digital future and the move to ecosystems lies with IT. The IT transformation comes with big investments (EUR 800 million in the coming five years) and a dictionary: ING Private Cloud, Modular Architecture and Bank-wide Shared Services.”
Strategy day 2016

“IT has an important contribution to laying the foundation for further convergence that drives faster time-to-market, improves cost efficiency and improves customer experience.”
“To implement the Think Forward strategy and to unite IT we introduced the Concept of One”
Source: IT Strategy webcast Feb 2017

Ralph Hamers, CEO ING Group
Ron van Kemenade, CIO ING Group
ING One Way Of Working

What does a BusDevOps team look like?
Customer Journey experts, Dev and Ops Engineers in one team (Squad) working together on the solution and its run. All required knowledge and access rights are in ‘one hand’.

E2E responsibility
• Bus, Dev and Ops
• Full life cycle; from cradle to grave
• Full stack: Risk, compliance, LCM, etc.

Shift of responsibility
• BizDevOps responsible for the full stack
• Infra consumption
• Self-serve Infra

How does it contribute to Accelerate?
• Removes handovers
• Focuses on value delivery

What is the impact?
• Full stack engineering in Squads
• Different mindset & capabilities
• Organisational change; Dev and Ops together in one team

We minimize the number of handovers by making the teams responsible for the full lifecycle and full stack.
Dealing with a paradigm shift

Communicating a paradigm shift like the move from “traditional IT” to “Cloud Native” to the involved stakeholders is hard…
What helps is having a model. Although a model is by definition never an exact representation of reality, it helps you to visualize relevant information in the discussions with the various parties (like management, risk, engineers, auditors, suppliers, …).
Image courtesy of: https://twitter.com/danieldibswe/status/1169485819993841664
The Cloud Native ecosystem Kube

» A model of a Cloud Native ecosystem without local persistency (“12 Factor”) and fit for a regulated Enterprise
» Purpose: To make you familiar with the concepts & terminology
» Not to be confused with the CNCF’s Cloud Native landscape (https://landscape.cncf.io/)
The Cloud Native ecosystem Kube - The real short explanation

» It’s not just about Kubernetes!
» Clear demarcation between provider and consumer (“Namespace-as-a-Service”)
» DevOps team is autonomous within its namespace(s)
» Workloads are “Immutable”, “Stateless” & “Short Living”
» Data is persisted externally in Data Services
» “Shift Left” of security controls into the pipeline & the production cluster is hands-off
» Automate Everything!
» (full explanation in the reserve slides ;-))
Is this just a model?

No ☺.
The container platform, relational database platform, event bus, security services, CI/CD platforms and network platforms are all live and in production (however improvement opportunities are always present…).
The object storage platform is in beta and will go in production in 2020.
In the rest of this presentation we will focus on ING’s Kubernetes platform (using the OpenShift 3.11 OKD distribution, moving towards 3.11 Enterprise), called ICHP (ING Container Hosting Platform).
What is ICHP?

The ING Container Hosting Platform is a container management framework platform, part of the IPC (= ING’s corporate Private Cloud) family, designed to host all ING’s 12-Factor/Cloud-Native applications. ICHP Objectives:
1. Bring self-service capabilities to engineers
   • Multiple data grade hosting levels: non-production & production
   • Multiple resilience levels: active-passive, active-active, TPA (= ING’s proprietary Service Mesh; A-A client side load balancing)
   • Multiple consumption patterns. Namespace(s) in: Shared Multitenant clusters (default) / Dedicated Nodes in shared Multitenant clusters (near future) / Dedicated clusters (future)
   • Hands-off operations in production clusters
   • 2nd day operations, for instance resize namespace, firewall automation, etc.
2. Deliver a service that is compliant with the latest insights from risk & compliance
   • In line with ING corporate risk & security standards
   • Have an agreed and publicly available risk profile for the service offering (“in control statement”)
   • CAS (= Corporate Audit Services) performs regular audits to ensure validity of the in control statement
3. Ensure users are happy with the services
   • Deliver what is promised
   • Hide complexity for maintaining Kubernetes infrastructure
   • Reliable uptime
What does an ICHP deployment look like?

Legend of the diagram: Yellow = Consumer, Blue = Provider.
This describes the minimum footprint of a (set of) cluster(s).
It can be deployed on Bare Metal or VM. It can be deployed on-premise or on public cloud.
Max impact for a single node failure: 25% (hence we expect minimal customer impact).
A cluster will survive an availability zone outage, however with customer impact.
Patterns within ICHP

Multi-tenant (Default)
• Shared environment in IPC (ING’s corporate Private Cloud)
• Pay-per-request
• Platform Compliancy Evidence delivered as part of the service

Additional Isolation in Multi-tenant (roadmap item)
• “Dedicated Nodes” in IPC
• Build to order system, delivery of the pattern can take up to 2 months
• Shared cluster environment
• Dedicated hardware for one (set of) consumer(s), no pay-per-use
• Platform Compliancy Evidence delivered as part of the service

Single-tenant (only after CIO approval)
• “Dedicated Cluster” in IPC
• Build to order system, delivery of the pattern can take up to 2 months
• Dedicated hardware for one (set of) consumer(s), no pay-per-use
• Platform Compliancy Evidence delivered as part of the service

Local deployment (only after Group CIO approval)
• Systems are located in local datacenters (e.g. Australia, Turkey, …) for latency and/or regulatory purposes, allowing a smoother migration towards IPC (ING’s corporate Private Cloud) with less risk
• Systems are to be deployed/managed according to ICHP principles, design & procedures
• Build to order, delivery can take months
• Local IT organization assumes Risk & Compliance responsibility in case of deviations
What is available in ICHP today?

As of today the following features exist within ICHP:
• Request a “project” via our Self-Service portal, which gives you in our shared multitenant clusters:
  • A K8S Namespace with the requested #CPU & #Memory in both the primary and secondary DC
  • A dedicated SDN attached to your namespace (per cluster)
  • A dedicated Egress IP attached to your namespace (per cluster)
  • A secret you can use to connect your Deployment Pipeline to the namespace (per cluster)
  • A registration of the project in the CMDB on your behalf (note: we do not register container instances!)
• The capability to delete a “project” (note: it must be empty for the operation to succeed!)
• Request to add firewall rules to open traffic to/from your “project(s)” from outside the K8S clusters (note: you will still need to create ingress/routes inside the cluster!)
• The capability to resize (CPU/Memory) a “project”
• Dedicated Prometheus instance per namespace for application events

The following features are on the roadmap:
• Dedicated nodes to host your projects on
• Dedicated clusters to host your projects on
• Project requests via API calls
What are we (going to be) hosting?

• In Asia, as of November 2018, ING went live with its fully digital, mobile-only bank in the Philippines: https://www.ing.com.ph/ The front-end of this bank is hosted on ING’s container hosting platform.
• In Europe multiple ING application landscapes have started onboarding ING’s container hosting platform as of May 2019.
• In October 2019 DARE went live. DARE is a global ING-AXA partnership to launch a digital protection (“Assurance”) platform across six different markets within the ING Challenger & Growth division. DARE will provide innovative protection integrated in ING digital channels. DARE consumes services of our One Technology Platform to enable rapid global scaling.
• It is forecast that the majority of ING’s APIs will eventually be hosted on ICHP, constructing services like ING’s digital channels, fraud detection, data lake analytics, etc.
What did the container squad spend their time on?

Share of the squad’s time per activity (percentages as shown on the chart, legend order):
• Risk Evidence / Compliance: 30
• Security Improvements: 8
• Implementing / Tuning Monitoring: 20
• Educating internal customers: 6
• Automation of K8S deployment: 7
• Building Self-Service Capabilities: 7
• PoC’s: 4
• Travel (global squad, global customers): 4
• Integration with other services: 10
• Actual K8S configuration/operations: 4

In 2 years time:
• 18 FTE container squad (equally spread over Amsterdam, Frankfurt & Katowice)
• 1 FTE architecture (3 architects spending part of their time (50/25/25))
• 1 FTE product owner
The ambition is to grow the footprint of the container landscape without growing the container squad, by automating everything.
Conclusions

• Communicating a paradigm shift is hard, use any advantage you can get…
• A container hosting service is only part of the cloud-native eco-system you need…
• ING is NOT aiming to rehost VMs to containers… The purpose is to have the best possible hosting environment for 12-factor apps!
• If a DevOps team manages to properly refactor their VM into a set of container images they are welcome
• Hands-off approach in production. If teams do not feel comfortable with this they should stay on VMs!
• Automate Everything!
• Design for failure (instead of failing to do a proper design…)
• A Namespace-as-a-Service fits our Way-of-Working, perhaps yours too?
• Kubernetes/OpenShift is only a small (although very important) part of the time spent to build/run a container hosting service…
• Being in a regulated industry is not always fun…
• Tuning Monitoring is an Art, which takes time to Master…
• Find the right partners, both within and outside your own enterprise
Questions

Thank You!
Slides available on: https://www.slideshare.net/ThijsEbbers/

Reserve Slides
Side 0 – The DevOps Team’s input:
» Container Image
  • Immutable, Stateless, Short Living
  • Base Image (the “operating system”)
    - Where was it obtained?
    - Is it vulnerability free?
    - Who will provide patched versions (in time…)?
  • Code (standard SDLC)
» Deployment Config
  • YAML files containing all information needed to deploy an image successfully
» Network Config
  • All information needed to have communication paths outside the cluster to/from your application in place
Side 1 – The Data Services:
» Defined by Bindings
  • Data Service instance location + secrets to connect to it + driver (optional)
» Purposes:
  • To persist your state outside the cluster
  • To push out logs & events
Side 2 – The Security Services:
» Purpose: Externalizing your users / certificates / passwords (Directories, PKI solutions, Password Vaults, …)
» No interfaces for SIEM and VS/TSCM in Runtime!
  • SIEM listens on Topics
  • VS/TSCM is performed during Build (& enforce immutability in Runtime)
Side 3 – The Container Hosting Platform:
» Node: (Physical/Virtual) machine hosting k8s code, supplying resources to the Cluster
» Cluster: Namespace manager
  • Production – Non Production
    - Only allow verified (scanned & signed, (known) vulnerability free) workloads on your production cluster.
    - Do not allow any valuable data to be hosted/accessible from your non-production cluster.
  • (virtual) Data Center 1 – (virtual) Data Center 2 – (virtual) Data Center n
  • Payload specific Clusters
» Namespace:
  • SLA on resources (CPU/Memory)
  • Unit of isolation (no access by default)
» Platform: The collection of Clusters
» Replicas
  • Enforce a minimum safe number in your production clusters!
Side 4 – The CI/CD Platform:
» The CI/CD platform supports/manages the creation of deployable artifacts, either via a pipeline or via legacy methods (portals, …)
» The Scanning engines here provide your VS/TSCM evidence (in combination with immutability of your nodes & containers…) as well as detecting license violations and unwanted configuration settings
Side 5 – The Network Platform:
» Load Balancing provides the capabilities to balance load over multiple clusters (and hence enables HA/DR/LCM of clusters)
» The DMZs provide capabilities to securely connect the applications hosted on the Container platform to the Internet or other insecure networks (e.g. the Workplace areas)
» Firewalling enables access to/from other networks, e.g. Data Services, Security Services, CI/CD, legacy application landscapes, …
ICHP Principles

Embrace the 12-factor principles (https://12factor.net). Translated into K8S application hosting:
• Hands-off Production: Only allow access to production via pipelines. No SSH/Terminal Access/… as images run immutable! (I/V)
• Separate Stateless from Stateful (State resides in services outside the stateless K8S application hosting clusters) (III/VI/VIII)
• Design for failure. Your Nodes/Containers will fail! (IX)
• Design for short lifecycles/immutability. Your Nodes/Containers will develop vulnerabilities! (IX)
• Cycle your nodes and containers regularly. The interval should be shorter than the maximum response time for low and medium vulnerabilities in your organisation’s security policy (because then you won’t need to scan your runtime estate…)
• Have the automation & procedures in place for an immediate emergency cycle in the case of unmitigated high or critical vulnerabilities
Or in short: “Immutable, Stateless, Short Living”
Non-compliance means “Computer says No” and hence the application has to be deployed on VMs!
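As an added example (not ING’s code nor ICHP’s actual admission logic), the principles above and the replica/production rules from Side 3 turned into one “Computer says No” check over a Deployment manifest. The policy values (response times per severity, the cycle interval, the minimum replica count) and the sample manifests are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values (illustrative, not ING's): maximum response time per
# severity from the organisation's vulnerability policy, in days.
MAX_RESPONSE_DAYS = {"low": 90, "medium": 30, "high": 7, "critical": 1}
# The regular cycle interval must be shorter than the low/medium response
# time, so a running image never outlives the window in which a low/medium
# finding would have had to be fixed anyway (no runtime scanning needed).
CYCLE_INTERVAL = timedelta(days=min(MAX_RESPONSE_DAYS["low"],
                                    MAX_RESPONSE_DAYS["medium"]) - 1)  # 29 days
MIN_REPLICAS = 2  # "enforce a minimum safe number" in production clusters
# Volume types that keep state on a node or inside the cluster; state belongs
# in the Data Services outside the cluster.
STATEFUL_VOLUME_KEYS = {"hostPath", "persistentVolumeClaim", "nfs", "local",
                        "awsElasticBlockStore", "gcePersistentDisk"}


def check_deployment(manifest, image_built_at, now):
    """Return a list of (principle, detail) violations for one Deployment.
    An empty list means the workload may be admitted to a production cluster."""
    violations = []
    spec = manifest.get("spec", {})
    pod = spec.get("template", {}).get("spec", {})

    replicas = spec.get("replicas", 1)  # Kubernetes defaults replicas to 1
    if replicas < MIN_REPLICAS:
        violations.append(("replicas", f"replicas={replicas} < {MIN_REPLICAS}"))

    # Stateless: no node- or cluster-bound volumes (emptyDir scratch space is fine)
    for vol in pod.get("volumes", []):
        kinds = sorted(STATEFUL_VOLUME_KEYS.intersection(vol))
        if kinds:
            violations.append(("stateless", f"volume {vol.get('name')!r} uses {kinds}"))

    # Immutable: digest-pinned image, read-only root filesystem, no privilege
    for c in pod.get("containers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        sc = c.get("securityContext", {})
        if "@sha256:" not in image:  # a tag can be re-pointed later, a digest cannot
            violations.append(("immutable", f"{name}: image {image!r} not pinned by digest"))
        if not sc.get("readOnlyRootFilesystem", False):
            violations.append(("immutable", f"{name}: root filesystem is writable"))
        # allowPrivilegeEscalation defaults to true when it is not set explicitly
        if sc.get("privileged", False) or sc.get("allowPrivilegeEscalation", True):
            violations.append(("immutable", f"{name}: privileged or escalation allowed"))

    # Short living: the image must be re-cycled before the interval expires
    age = now - image_built_at
    if age > CYCLE_INTERVAL:
        violations.append(("short-living",
                           f"image is {age.days} days old, interval is {CYCLE_INTERVAL.days} days"))
    return violations


def emergency_cycle_required(findings):
    """findings: list of (severity, mitigated) for the running image.
    Any unmitigated high/critical finding triggers an immediate cycle."""
    return any(sev in ("high", "critical") and not mitigated for sev, mitigated in findings)


# Constructed sample input: date of the talk and two image build dates.
NOW = datetime(2019, 11, 18, tzinfo=timezone.utc)
BUILT_RECENT = NOW - timedelta(days=10)
BUILT_OLD = NOW - timedelta(days=40)

# Constructed manifests (placeholder registry and digest, not real artefacts).
BAD = {"kind": "Deployment", "spec": {"replicas": 1, "template": {"spec": {
    "volumes": [{"name": "data", "hostPath": {"path": "/var/data"}}],
    "containers": [{"name": "app", "image": "registry.example/app:latest",
                    "securityContext": {"privileged": True}}]}}}}
GOOD = {"kind": "Deployment", "spec": {"replicas": 3, "template": {"spec": {
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "containers": [{"name": "app", "image": "registry.example/app@sha256:" + "0" * 64,
                    "securityContext": {"readOnlyRootFilesystem": True,
                                        "allowPrivilegeEscalation": False}}]}}}}

if __name__ == "__main__":
    for label, manifest in (("BAD", BAD), ("GOOD", GOOD)):
        result = check_deployment(manifest, BUILT_RECENT, NOW)
        print(label, "-> Computer says", "No" if result else "Yes")
        for principle, detail in result:
            print("   ", principle, ":", detail)
```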
What does ICHP (not) do for me?

By consuming the ICHP service, many operational tasks that currently (read: hosting on VMs) are your own responsibility are now executed at platform level. Other tasks remain the responsibility of the consumer. There is a clear separation between platform provider and consumer. Examples include:

Consumer
• Only access to “project” (and only via a deployment pipeline in Production clusters!)
• Enable SEM-A for application related events
• Implement patches on hosted code (by redeploying a higher version of the image!)
• Configure password vault for NPA’s
• Implement SOLL and perform SOLL/IST comparisons
• Implement Bindings to Data Services
• Implement deployment pipelines
• Implement load balancing and firewall access outside the ICHP platform
• etc.

Provider
• Access to container hosting platform (service) only in emergency situations
• Ensures availability of the platform
• Guarantees security by implementing relevant SEM and TSCM controls at platform level
• Provides platform Risk Evidence
• Performance tuning on platform
• etc.
Why ICHP only offers a “Namespace-as-a-Service”

As explained in ING’s Way-of-Working we aim to make our DevOps teams autonomous.
We also want to enable those DevOps teams to deliver maximum value to the business, by not bothering them with IT-Infrastructure problems, nor bothering them with having to deliver compliancy evidence for the hosting platform.
Hence offering a Namespace-as-a-Service is for us the sweet spot:
• Clear demarcation between (Infra) Provider and Consumer
• Enabling hand-over of compliance evidence
• Enabling multi-tenancy (hence fast time-to-market/self-service consumption, and the potential for efficient utilization of resources)
• The DevOps team can assume responsibility for (almost) the full stack (only the kernel stays shared). They have the liberty/responsibility to choose/maintain their (versions of) base image, runtime engine, libraries, etc. (within the boundaries set by the ING corporate risk & compliancy rules!)
ING will probably offer a K8S Cluster-as-a-Service in the future, however this will be a limited offering only available to teams managing Data Services (e.g. an Event Bus, Relational Database, Object Store, …). If those teams choose to stray from the default settings, the burden of delivering compliancy evidence lands back on their plate!
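As an added example (not ING’s code nor ICHP’s actual portal implementation), here is what the provider side of such a “project” request could hand out and check, serving both the feature list (“What is available in ICHP today?”) and the demarcation argument above: a quota as the SLA on resources, a default-deny NetworkPolicy as the unit of isolation, a pipeline service account as the only write principal, a resize operation, and a check that a consumer-submitted object stays inside its own namespace. Object names, the quota shape and the role used are assumptions.

```python
from copy import deepcopy

# Kinds a consumer must never touch: they live outside any namespace,
# i.e. on the provider's side of the demarcation line.
CLUSTER_SCOPED = {"Namespace", "Node", "ClusterRole", "ClusterRoleBinding",
                  "PersistentVolume", "StorageClass", "CustomResourceDefinition"}


def quota(namespace, cpu_cores, memory_gi):
    """ResourceQuota = the 'SLA on resources': requested CPU/memory is the hard ceiling."""
    return {"apiVersion": "v1", "kind": "ResourceQuota",
            "metadata": {"name": "project-quota", "namespace": namespace},
            "spec": {"hard": {"requests.cpu": str(cpu_cores), "limits.cpu": str(cpu_cores),
                              "requests.memory": f"{memory_gi}Gi",
                              "limits.memory": f"{memory_gi}Gi"}}}


def render_project(project, cpu_cores, memory_gi, pipeline_sa="pipeline"):
    """Objects the provider creates for one 'project' request in one cluster."""
    return [
        {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": project}},
        quota(project, cpu_cores, memory_gi),
        # Unit of isolation: selecting every pod while listing no ingress/egress
        # rules denies all traffic; opening paths is a separate firewall/ingress request.
        {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
         "metadata": {"name": "default-deny", "namespace": project},
         "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
        # The pipeline's service account is the only principal with write access;
        # its token is the "secret you can use to connect your Deployment Pipeline".
        {"apiVersion": "v1", "kind": "ServiceAccount",
         "metadata": {"name": pipeline_sa, "namespace": project}},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
         "metadata": {"name": f"{pipeline_sa}-edit", "namespace": project},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                     "kind": "ClusterRole", "name": "edit"},
         "subjects": [{"kind": "ServiceAccount", "name": pipeline_sa,
                       "namespace": project}]},
    ]


def resize_project(objects, cpu_cores, memory_gi):
    """2nd day operation: only the ResourceQuota changes, nothing else is touched."""
    out = deepcopy(objects)
    for i, obj in enumerate(out):
        if obj["kind"] == "ResourceQuota":
            out[i] = quota(obj["metadata"]["namespace"], cpu_cores, memory_gi)
    return out


def within_project(obj, project):
    """Demarcation check for a consumer-submitted object: it must be namespaced
    and must name the consumer's own project, nothing cluster-wide."""
    if obj.get("kind") in CLUSTER_SCOPED:
        return False
    return obj.get("metadata", {}).get("namespace") == project


if __name__ == "__main__":
    # Constructed request: hypothetical project name and sizes.
    for obj in render_project("payments-dev", 4, 8):
        print(obj["kind"], obj["metadata"].get("namespace", "(cluster-scoped)"))
```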
Construct your own Kube
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 

Último (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

Running containers in production, the ING story

5. ING One Way Of Working

E2E responsibility
• Bus, Dev and Ops
• Full life cycle; from cradle to grave
• Full stack: Risk, compliance, LCM, etc.

Customer Journey experts, Dev and Ops Engineers in one team (Squad) working together on the solution and its run. All required knowledge and access rights in ‘one hand’.

Shift of responsibility
• BizDevOps responsible for full stack
• Infra consumption
• Self-serve Infra

What does a BusDevOps team look like, and how does it contribute to Accelerate?
• Removes handovers
• Focuses on value delivery

What is the impact?
• Full stack engineering in Squads
• Different mindset and capabilities
• Organisational change: Dev and Ops together in one team

We minimize the number of handovers by making the teams responsible for the full lifecycle and full stack.
6. Dealing with a paradigm shift

Communicating a paradigm shift like the move from “traditional IT” to “Cloud Native” to the involved stakeholders is hard. What helps is having a model. Although a model is by definition never an exact representation of reality, it helps you to visualize relevant information in the discussions with the various parties (management, risk, engineers, auditors, suppliers, …).

Image courtesy of: https://twitter.com/danieldibswe/status/1169485819993841664
7. The Cloud Native ecosystem

» A model of a Cloud Native ecosystem without local persistency (“12 Factor”) and fit for a regulated Enterprise
» Purpose: to make you familiar with the concepts & terminology
» Not to be confused with the CNCF’s Cloud Native landscape (https://landscape.cncf.io/)
8. The Cloud Native ecosystem - the real short explanation

» It’s not just about Kubernetes!
» Clear demarcation between provider and consumer (“Namespace-as-a-Service”)
» DevOps team is autonomous within its namespace(s)
» Workloads are “Immutable”, “Stateless” & “Short Living”
» Data is persisted externally in Data Services
» “Shift Left” of security controls into the pipeline; the production cluster is hands-off
» Automate Everything!
» (full explanation in the reserve slides ;-))
9. Is this just a model?

No ☺. The container platform, relational database platform, event bus, security services, CI/CD platforms and network platforms are all live and in production (however, improvement opportunities are always present…). The object storage platform is in beta and will go into production in 2020.

In the rest of this presentation we will focus on ING’s Kubernetes platform (using the OpenShift 3.11 OKD distribution, moving towards 3.11 Enterprise), called ICHP (ING Container Hosting Platform).
10. What is ICHP?

The ING Container Hosting Platform is a container management framework platform, part of the IPC (ING’s corporate Private Cloud) family, designed to host all of ING’s 12-Factor/Cloud-Native applications.

ICHP Objectives:

1. Bring self-service capabilities to engineers
• Multiple data grade hosting levels: non-production & production
• Multiple resilience levels: active-passive, active-active, TPA (ING’s proprietary Service Mesh; A-A client side load balancing)
• Multiple consumption patterns. Namespace(s) in: Shared Multitenant clusters (default) / Dedicated Nodes in shared Multitenant clusters (near future) / Dedicated clusters (future)
• Hands-off operations in production clusters
• 2nd day operations, for instance resize namespace, firewall automation, etc.

2. Deliver a service that is compliant with the latest insights from risk & compliance
• In line with ING corporate risk & security standards
• Have an agreed and publicly available risk profile for the service offering (“in control statement”)
• CAS (Corporate Audit Services) performs regular audits to ensure validity of the in control statement

3. Ensure users are happy with the services
• Deliver what is promised
• Hide complexity of maintaining Kubernetes infrastructure
• Reliable uptime
11. What does an ICHP deployment look like?

(Diagram; legend: yellow = Consumer, blue = Provider)

• This describes the minimum footprint of a (set of) cluster(s)
• It can be deployed on Bare Metal or VM
• It can be deployed on-premise or on public cloud
• Max impact for a single node failure: 25% (hence we expect minimal customer impact)
• A cluster will survive an availability zone outage, however with customer impact
12. Patterns within ICHP

Multi-tenant (Default)
• Shared environment in IPC (ING’s corporate Private Cloud)
• Pay-per-request
• Platform Compliancy Evidence delivered as part of the service

Additional Isolation in Multi-tenant (roadmap item)
• “Dedicated Nodes” in IPC
• Build to order system, delivery of the pattern can take up to 2 months
• Shared cluster environment
• Dedicated hardware for one (set of) consumer(s), no pay-per-use
• Platform Compliancy Evidence delivered as part of the service

Single-tenant (only after CIO approval)
• “Dedicated Cluster” in IPC
• Build to order system, delivery of the pattern can take up to 2 months
• Dedicated hardware for one (set of) consumer(s), no pay-per-use
• Platform Compliancy Evidence delivered as part of the service

Local deployment (only after Group CIO approval)
• Systems are located in local datacenters (e.g. Australia, Turkey, …) for latency and/or regulatory purposes, allowing a smoother migration towards IPC with less risk
• Systems are to be deployed/managed according to ICHP principles, design & procedures
• Build to order, delivery can take months
• Local IT organization assumes Risk & Compliance responsibility in case of deviations
13. What is available in ICHP today?

As of today the following features exist within ICHP:
• Request a “project” via our Self-Service portal, which gives you in our shared multitenant clusters:
  • A K8S Namespace with the requested #CPU & #Memory in both the primary and secondary DC
  • A dedicated SDN attached to your namespace (per cluster)
  • A dedicated Egress IP attached to your namespace (per cluster)
  • A secret you can use to connect your Deployment Pipeline to the namespace (per cluster)
  • A registration of the project in the CMDB on your behalf (note: we do not register container instances!)
• The capability to delete a “project” (note: it must be empty for the operation to succeed!)
• Request to add firewall rules to open traffic to/from your “project(s)” from outside the K8S clusters (note: you will still need to create ingress/routes inside the cluster!)
• The capability to resize (CPU/Memory) a “project”
• Dedicated Prometheus instance per namespace for application events

The following features are on the roadmap:
• Dedicated nodes to host your projects on
• Dedicated clusters to host your projects on
• Project requests via API calls
14. What are we (going to be) hosting?

• In Asia, as of November 2018, ING went live with its fully digital, mobile-only bank in the Philippines: https://www.ing.com.ph/ The front-end of this bank is hosted on ING’s container hosting platform.
• In Europe multiple ING application landscapes have started onboarding onto ING’s container hosting platform as of May 2019.
• In October 2019 DARE went live. DARE is a global ING-AXA partnership to launch a digital protection (“Assurance”) platform across six different markets within the ING Challenger & Growth division. DARE will provide innovative protection integrated in ING digital channels. DARE consumes services of our One Technology Platform to enable rapid global scaling.
• It is projected that the majority of ING’s APIs will eventually be hosted on ICHP, constructing services like ING’s digital channels, fraud detection, data lake analytics, etc.
16. What did the container squad spend their time on?

Chart values as extracted from the slide (in the slide’s order; they sum to 100):
• Risk Evidence / Compliance: 30
• Security Improvements: 8
• Implementing / Tuning Monitoring: 20
• Educating internal customers: 6
• Automation of K8S deployment: 7
• Building Self-Service Capabilities: 7
• PoC’s: 4
• Travel (global squad, global customers): 4
• Integration with other services: 10
• Actual K8S configuration/operations: 4

In 2 years’ time:
• 18 FTE container squad (equally spread over Amsterdam, Frankfurt & Katowice)
• 1 FTE architecture (3 architects spending part of their time (50/25/25))
• 1 FTE product owner

The ambition is to grow the footprint of the container landscape without growing the container squad, by automating everything.
17. Conclusions

• Communicating a paradigm shift is hard, use any advantage you can get…
• A container hosting service is only part of the cloud-native eco-system you need…
• ING is NOT aiming to rehost VMs to containers… The purpose is to have the best possible hosting environment for 12-factor apps!
• If a DevOps team manages to properly refactor their VM into a set of container images they are welcome
• Hands-off approach in production. If teams do not feel comfortable with this they should stay on VMs!
• Automate Everything!
• Design for failure (instead of failing to do a proper design…)
• A Namespace-as-a-Service fits our Way-of-Working, perhaps yours too?
• Kubernetes/OpenShift is only a small (although very important) part of the time spent to build/run a container hosting service…
• Being in a regulated industry is not always fun…
• Tuning Monitoring is an Art, which takes time to Master…
• Find the right partners, both within and outside your own enterprise
19. Thank You!

Slides available on: https://www.slideshare.net/ThijsEbbers/
21. Side 0 – The DevOps Team’s input

» Container Image
  • Immutable, Stateless, Short Living
  • Base Image (the “operating system”)
    - Where was it obtained?
    - Is it vulnerability free?
    - Who will provide patched versions (in time…)?
  • Code (standard SDLC)
» Deployment Config
  • YAML files containing all information needed to deploy an image successfully
» Network Config
  • All information needed to have communication paths outside the cluster to/from your application in place
22. Side 1 – The Data Services

» Defined by Bindings
  • Data Service instance location + secrets to connect to it + driver (optional)
» Purposes:
  • To persist your state outside the cluster
  • To push out logs & events
23. Side 2 – The Security Services

» Purpose: externalizing your users / certificates / passwords (Directories, PKI solutions, Password Vaults, …)
» No interfaces for SIEM and VS/TSCM in Runtime!
  • SIEM listens on Topics
  • VS/TSCM is performed during Build (& enforce immutability in Runtime)
24. Side 3 – The Container Hosting Platform

» Node: (physical/virtual) machine hosting k8s code, supplying resources to the Cluster
» Cluster: Namespace manager
  • Production – Non Production
    - Only allow verified (scanned & signed, (known) vulnerability free) workloads on your production cluster.
    - Do not allow any valuable data to be hosted on / accessible from your non-production cluster.
  • (virtual) Data Center 1 – (virtual) Data Center 2 – (virtual) Data Center n
  • Payload specific Clusters
» Namespace:
  • SLA on resources (CPU/Memory)
  • Unit of isolation (no access by default)
» Platform: the collection of Clusters
» Replicas
  • Enforce a minimum safe number in your production clusters!
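The “project” request on slide 13 and the namespace properties on this slide (a CPU/memory SLA, isolation with no access by default, a pipeline-only identity) map onto a small set of Kubernetes objects. The following is an added example, not ING’s self-service portal code: it builds that object set for one project and repeats it for the primary and secondary DC clusters. The label keys (`ichp.example/...`), the cluster names `dc1`/`dc2`, the quota shape and the choice of the built-in `edit` ClusterRole for the pipeline are assumptions; the SDN, egress IP and CMDB registration from slide 13 are outside what plain Kubernetes objects express and are not modelled.

```python
"""Namespace-as-a-Service: the Kubernetes objects one ICHP-style "project" request
turns into. Added example, not ING code; names, labels and the quota shape are assumed."""
import json
import re
from typing import Dict, List

# Kubernetes requires namespace names to be DNS-1123 labels (<= 63 chars).
NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")
# Accept plain or suffixed resource quantities such as "4", "500m", "8Gi".
QUANTITY_RE = re.compile(r"^\d+(\.\d+)?(m|Ki|Mi|Gi|Ti)?$")


def build_project(name: str, cpu: str, memory: str,
                  pipeline_sa: str = "deploy-pipeline") -> List[Dict]:
    """Objects for one cluster: Namespace, ResourceQuota (the CPU/memory SLA),
    a default-deny NetworkPolicy (no access by default) and a pipeline identity."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid project name: {name!r}")
    for q in (cpu, memory):
        if not QUANTITY_RE.match(q):
            raise ValueError(f"invalid quantity: {q!r}")
    labels = {"ichp.example/project": name}          # assumed label key
    meta = {"namespace": name, "labels": labels}

    namespace = {"apiVersion": "v1", "kind": "Namespace",
                 "metadata": {"name": name, "labels": labels}}
    # The requested #CPU / #Memory becomes a hard quota on requests and limits.
    quota = {"apiVersion": "v1", "kind": "ResourceQuota",
             "metadata": {"name": "project-quota", **meta},
             "spec": {"hard": {"requests.cpu": cpu, "limits.cpu": cpu,
                               "requests.memory": memory, "limits.memory": memory}}}
    # Empty podSelector, both policyTypes, no rules: nothing talks in or out until the
    # team adds explicit allow policies for its routes and Data Service bindings.
    default_deny = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
                    "metadata": {"name": "default-deny", **meta},
                    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
    # The deployment pipeline is the only identity the team uses in production.
    service_account = {"apiVersion": "v1", "kind": "ServiceAccount",
                       "metadata": {"name": pipeline_sa, **meta}}
    # Bind the built-in "edit" ClusterRole inside this namespace only (no cluster scope).
    binding = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
               "metadata": {"name": f"{pipeline_sa}-edit", **meta},
               "subjects": [{"kind": "ServiceAccount", "name": pipeline_sa,
                             "namespace": name}],
               "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                           "kind": "ClusterRole", "name": "edit"}}
    return [namespace, quota, default_deny, service_account, binding]


def build_for_clusters(name: str, cpu: str, memory: str,
                       clusters=("dc1", "dc2")) -> Dict[str, str]:
    """Same footprint in every cluster (primary and secondary DC), rendered as a
    JSON List per cluster that `kubectl apply -f -` accepts."""
    out: Dict[str, str] = {}
    for cluster in clusters:
        items = build_project(name, cpu, memory)
        for item in items:
            item["metadata"]["labels"]["ichp.example/cluster"] = cluster
        out[cluster] = json.dumps({"apiVersion": "v1", "kind": "List", "items": items},
                                  indent=2)
    return out


if __name__ == "__main__":
    print(build_for_clusters("payments-api", "4", "8Gi")["dc1"])
```

The default-deny policy is what makes the namespace the “unit of isolation”: a team opens only the paths it needs, and the firewall request from slide 13 still has to be made for traffic that leaves the cluster.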
25. Side 4 – The CI/CD Platform

» The CI/CD platform supports/manages the creation of deployable artifacts, either via a pipeline or via legacy methods (portals, …)
» The scanning engines here provide your VS/TSCM evidence (in combination with immutability of your nodes & containers…) as well as detecting license violations and unwanted configuration settings
26. Side 5 – The Network Platform

» Load Balancing provides the capabilities to balance load over multiple clusters (and hence enables HA/DR/LCM of clusters)
» The DMZs provide capabilities to securely connect the applications hosted on the Container platform to the Internet or other insecure networks (e.g. the Workplace areas)
» Firewalling enables access to/from other networks, e.g. Data Services, Security Services, CI/CD, legacy application landscapes, …
27. ICHP Principles

Embrace the 12-factor principles (https://12factor.net). Translated into K8S application hosting:
• Hands-off Production: only allow access to production via pipelines. No SSH/Terminal Access/…, as images run immutable! (I/V)
• Separate Stateless from Stateful (state resides in services outside the stateless K8S application hosting clusters) (III/VI/VIII)
• Design for failure. Your Nodes/Containers will fail! (IX)
• Design for short lifecycles/immutability. Your Nodes/Containers will develop vulnerabilities! (IX)
• Cycle your nodes and containers regularly. The interval should be shorter than the maximum response time for low and medium vulnerabilities in your organisation’s security policy (because then you won’t need to scan your runtime estate…)
• Have the automation & procedures in place for an immediate emergency cycle in the case of unmitigated high or critical vulnerabilities

Or in short: “Immutable, Stateless, Short Living”

Non-compliance means “Computer says No”, and hence the application has to be deployed on VMs!
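The principles above are a checklist that a production cluster can enforce at admission time, and the cycling rule is a function of workload age and the worst open finding. The following is an added example, not ING’s admission or scanning tooling: `check_deployment` rejects a Deployment that is not digest-pinned to a scanned-and-signed image, runs below the minimum replica count, has a writable root filesystem, or mounts in-cluster state; `cycle_action` returns whether a node or container should be left alone, cycled on schedule, or cycled immediately. The registry name, the 14-day interval, the minimum of 2 replicas, the sample manifests and the digest are constructed values; the set of verified digests stands in for the output of the build-time VS/TSCM scan and signing step, which this example does not implement.

```python
"""Admission check for the ICHP principles on a production Deployment, plus the
node/container cycling decision. Added example, not ING tooling; policy values,
registry name, sample manifests and digest are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Volume types that keep state inside the cluster; state belongs in external Data Services.
STATEFUL_VOLUME_KEYS = {"persistentVolumeClaim", "hostPath"}


@dataclass
class Policy:
    min_replicas: int = 2                                   # "minimum safe number"
    approved_registry: str = "registry.example.internal/"   # constructed
    verified_digests: Set[str] = field(default_factory=set)  # from build-time scan & sign
    cycle_interval_days: int = 14     # shorter than the low/medium response-time SLA
    emergency_severities: Set[str] = field(default_factory=lambda: {"high", "critical"})


def check_deployment(manifest: Dict, policy: Policy) -> List[str]:
    """Return the list of principle violations; an empty list means admit."""
    problems: List[str] = []
    spec = manifest.get("spec", {})
    replicas = spec.get("replicas", 1)
    if replicas < policy.min_replicas:
        problems.append(f"replicas {replicas} < minimum {policy.min_replicas}")
    pod = spec.get("template", {}).get("spec", {})
    for c in pod.get("containers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        if not image.startswith(policy.approved_registry):
            problems.append(f"{name}: image not from approved registry")
        if "@sha256:" not in image:
            problems.append(f"{name}: image not pinned by digest")
        elif image.split("@", 1)[1] not in policy.verified_digests:
            problems.append(f"{name}: digest not scanned & signed")
        if not c.get("securityContext", {}).get("readOnlyRootFilesystem", False):
            problems.append(f"{name}: root filesystem is not read-only (immutability)")
    for v in pod.get("volumes", []):
        if STATEFUL_VOLUME_KEYS & set(v):
            problems.append(f"volume {v.get('name')}: in-cluster state is not allowed")
    return problems


def cycle_action(age_days: int, highest_open_severity: Optional[str], policy: Policy) -> str:
    """'emergency' for unmitigated high/critical findings, 'scheduled' once the regular
    interval has elapsed, otherwise 'keep'."""
    if highest_open_severity and highest_open_severity.lower() in policy.emergency_severities:
        return "emergency"
    if age_days >= policy.cycle_interval_days:
        return "scheduled"
    return "keep"


# Constructed inputs: a placeholder digest that the pipeline "signed", a compliant
# Deployment, and one that breaks every rule at once.
VERIFIED_DIGEST = "sha256:" + "0123456789abcdef" * 4
POLICY = Policy(verified_digests={VERIFIED_DIGEST})
GOOD = {"kind": "Deployment", "spec": {"replicas": 3, "template": {"spec": {
    "containers": [{"name": "api",
                    "image": "registry.example.internal/payments/api@" + VERIFIED_DIGEST,
                    "securityContext": {"readOnlyRootFilesystem": True}}],
    "volumes": [{"name": "tmp", "emptyDir": {}}]}}}}
BAD = {"kind": "Deployment", "spec": {"replicas": 1, "template": {"spec": {
    "containers": [{"name": "api", "image": "docker.io/library/nginx:latest"}],
    "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "data"}}]}}}}


if __name__ == "__main__":
    for label, m in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_deployment(m, POLICY) or "admitted")
    print(cycle_action(3, None, POLICY), cycle_action(14, "low", POLICY),
          cycle_action(1, "critical", POLICY))
```

The digest check is what ties the runtime to the build-time scan: a tag such as `latest` can change under the cluster, whereas a digest that the pipeline scanned and signed identifies exactly the bytes that run, which is the immutability the “no VS/TSCM in runtime” stance on Side 2 depends on.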
28. What does ICHP (not) do for me?

By consuming the ICHP service, many operational tasks that currently (read: hosting on VMs) are your own responsibility are now executed at platform level. Other tasks remain the responsibility of the consumer. There is a clear separation between platform provider and consumer. Examples include:

Consumer
• Only access to “project” (and only via a deployment pipeline in Production clusters!)
• Enable SEM-A for application related events
• Implement patches on hosted code (by redeploying a higher version of the image!)
• Configure password vault for NPAs
• Implement SOLL and perform SOLL/IST comparisons
• Implement Bindings to Data Services
• Implement deployment pipelines
• Implement load balancing and firewall access outside the ICHP platform
• etc.

Provider
• Access to container hosting platform (service) only in emergency situations
• Ensures availability of the platform
• Guarantees security by implementing relevant SEM and TSCM controls at platform level
• Provides platform Risk Evidence
• Performance tuning on platform
• etc.
29. Why ICHP only offers a “Namespace-as-a-Service”

As explained in ING’s Way-of-Working we aim to make our DevOps teams autonomous. We also want to enable those DevOps teams to deliver maximum value to the business, by not bothering them with IT-Infrastructure problems, nor with having to deliver compliancy evidence for the hosting platform. Hence offering a Namespace-as-a-Service is for us the sweet spot:
• Clear demarcation between (Infra) Provider and Consumer
• Enabling hand-over of compliance evidence
• Enabling multi-tenancy (hence fast time-to-market/self-service consumption, and the potential for efficient utilization of resources)
• The DevOps team can assume responsibility for (almost) the full stack (only the kernel stays shared). They have the liberty/responsibility to choose/maintain their (versions of) base image, runtime engine, libraries, etc. (within the boundaries set by the ING corporate risk & compliancy rules!)

ING will probably offer a K8S Cluster-as-a-Service in the future, however this will be a limited offering only available to teams managing Data Services (e.g. an Event Bus, Relational Database, Object Store, …). If those teams choose to stray from the default settings, the burden of delivering compliancy evidence lands back on their plate!