TRANSCRIPT
Jakarta, Indonesia 9 April 2019
#CiscoConnectID
Cisco Multicloud: Cloud Consume
Helps you deploy, monitor, and optimize applications in multicloud and container environments
Mohammad Imaduddin, DC System Engineer, Cisco Systems
Accelerating Innovation
“56% of cloud adopters use cloud services to enable innovation, 50% to improve business agility”
“Microservices Momentum Accelerates”
“Digital disruption drives CIOs to double down on innovation”
“The more programmers on a company’s platform, the more software applications are created, attracting customers and still more developers — a flywheel of growth and profit.”
“Large enterprises increasingly embrace open-source software to attract developers and keep up with digital-native competitors.”
The reality is anything but simple
• Multiple public cloud services
• New data protection regulations
• Private data centers still crucial
• SaaS adoption rising
• IoT exploding
Google Trends (5 years): Docker vs OpenStack
Google Trends (5 years): Kubernetes vs OpenStack
Google Trends (5 years): Kubernetes vs vSphere
2013 (Dev / Test / Prod)
Dev: “I need resources for a new project.” Ops: “Please submit a help desk ticket.” Dev: “Never mind…”
2019 (Dev / Test / Prod)
Dev: “I need resources for a new project.” Ops: “Please submit a help desk ticket.” Dev: “Never mind…” Kubernetes Anywhere
• Focused on Developer
• Creates a mechanism for developers to operationalize what they work on (DevOps)
On Premises · Blood and Sweat · Cloud
Cisco IT: A Spectrum of Workloads
• Virtual VM
• 2500 business apps & 500 SaaS in use
• 90 SaaS assets (revenue gathering)
• 50 engineering apps (for 40k developers)
Multi Cloud Operating Model: On Prem (Baremetal UCS x86, Private Cloud) · Public (Public Clouds)
Cisco IT Cloud Evolution
Past (2007-2015) – Transformation / Global Data Center Strategy: Capacity (Build), Resiliency, Service Transformation, UI/Manual
Today & Future – Multicloud Strategy: Capacity (Optimize & Extend), Software-Defined Intelligence, Speed, App/Data Transformation, API Driven, Growth Enablement
Operating Model     Traditional           Cloud
Provisioning        UI                    API
Architecture        Integrated            Cloud Native
Driven by           Limited Automation    Software Defined Everything
Resiliency          App Level             Cloud Native
Security            Enforced              Pervasive
Customer Base       Mostly IT             All
VISION
Cisco Connect 2019 Malaysia, Kuala Lumpur . 18 April 2019
How did we get there?
Monolith: Web Frontend → App Backend → DB (traffic patterns to monitor)
Microservices: Web Server, Auth, Cart, Payment, Search, Recommendations, Other Service, spread over Server1–Server5 across Data Center 1, Data Center 2 and Public Cloud (traffic patterns to monitor)
Operating the Death Star
Microservices: what do I need?
Security
Automation
Visibility
Cisco Connect 2019 Malaysia, Kuala Lumpur . 18 April 2019
Problems to solve
• Diverse traffic patterns with no context
• Network and Security teams have limited to no visibility into container workloads
• Segmentation and security internal to the cluster can only be done by cluster administrators.
• Missing tools to troubleshoot network issues
Kubernetes most common objects in one slide
• Pod: 1 or more containers
• Deployment: defines replicas of 1 or more containers
• Service: Cluster-IP (internal to cluster), NodePort (port binding to node), LoadBalancer (exposed VIP)
• Namespace: virtual cluster
• Persistent Volume: abstracts a slice of storage
• Persistent Volume Claim: request of storage
Cisco Connect 2019 Malaysia, Kuala Lumpur . 18 April 2019
Segmentation
• Secure K8s infrastructure:
  • Network isolation for infrastructure-related objects
  • Network isolation between namespaces
  • Controlling access between Kubernetes services and external services
[Diagram: Pods grouped into Frontend-EPG, API-Gateway-EPG, Backend-EPG and Monitoring-EPG, with a Policy between each pair of EPGs]
Communications outside of the Cluster
• Non-Cluster endpoints communicating with Cluster:
  • Exposing external services, how? NodePort? LoadBalancer?
  • Scaling-out ingress controllers, how can you scale?
• Cluster endpoints communicating with non-cluster endpoints:
  • POD access to external services and endpoints
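The Segmentation and Communications slides above ask for isolation between namespaces and controlled Pod access to external services. As an added example (not from the deck, and not the ACI EPG/annotation mechanism the deck uses), the same intent expressed as plain Kubernetes NetworkPolicy: a default-deny for the namespace, an allow for same-namespace traffic plus cluster DNS, and an egress exception letting only payment Pods reach an external gateway. The `frontend` namespace, the `app: payment` label and the 203.0.113.10 address are assumptions.

```yaml
# Added example, not from the deck. Namespace, labels and CIDR are assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: frontend              # assumed namespace (maps to Frontend-EPG)
spec:
  podSelector: {}                  # selects every Pod in the namespace
  policyTypes: [Ingress, Egress]   # no rules listed: nothing allowed by default
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: frontend
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - podSelector: {}          # only Pods in this same namespace
  egress:
    - to:
        - podSelector: {}          # Pods in this namespace may talk to each other
    - to:
        - namespaceSelector: {}    # any namespace, but only the cluster DNS Pods
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - {protocol: UDP, port: 53}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payment-external-egress
  namespace: frontend
spec:
  podSelector:
    matchLabels:
      app: payment                 # assumed label on the payment Pods only
  policyTypes: [Egress]
  egress:
    - to:
        - ipBlock:
            cidr: 203.0.113.10/32  # assumed external payment gateway (TEST-NET-3)
      ports:
        - {protocol: TCP, port: 443}
```

NetworkPolicy is only enforced when the cluster's CNI plugin implements it; with no enforcing plugin the objects are accepted but have no effect, which is worth verifying before relying on them.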
Storage Access from Nodes
• Applications running in Kubernetes Pods that need high-bandwidth, low-latency access to data external to the cluster suffer the bottleneck imposed by the egress router implementation, e.g. centralized storage accessed from nodes or PODs:
  • iSCSI, NFS, GlusterFS, CEPH, etc.
  • HyperFlex
Operations
• Skills gap between network and Kubernetes admins
• Visibility and governance of network policies
• Simplified Network Operations
Developer · Network Administrator · Infosec
Demo: Container Visibility with ACI
In this live demo:
• Control Plane view
➢ K8S node mapping
➢ K8S objects mapping
• Data Plane view
➢ EPG mapping
➢ Namespace annotation
Visibility
ACI makes containers visible and manageable!
• Seamless experience to Kubernetes users
• Network admins have visibility at control plane and data plane level
• Network admin can create consistent policies encompassing baremetal, virtual machine and container domains
• Flexible EPG mapping model, can enable enforcement by annotating deployments
Everybody is happy, everything is green! ☺
Problems to solve
• Resources used are out of control
• Misuse of public cloud resources
• Where are my corporate policies?
Demo: CCP Tenant Cluster Creation
Automation · Visibility
Tarantula Architecture
[Diagram of K8S Deployments and their Services:]
• Silence (API Server) – LB SVC
• Jungle (Web Frontend) – LB SVC
• Stairway (Traffic/Incidents) – Cluster-IP SVC
• Rainbow (Music Events) – Cluster-IP SVC
• Fool (Weather Service) – Cluster-IP SVC
Cisco CI/CD for Containers (Tenant Alpha, L4/L7 SG)
1. User commit
2. Jenkins detects it and downloads the code
3. Jenkins builds container images and uploads them to the registry
4. Jenkins requests CCC to deploy the App
5. CCC gets the images and deploys to K8S
6. Services are created in K8S and ACI
7. That’s it
Demo: CI/CD
• CI/CD workflow demo
• Container services in CloudCenter
• CloudCenter Application Profile
Automation
Wait! Why CloudCenter when I can use K8S directly?
• Governance!
• Mixed apps (VM/Containers)
• Multi/hybrid cloud with single profile modeling (Model once, deploy everywhere)
  • This includes multiple k8s clusters (technically different Clouds/Regions)
Multiple Clouds – Multiple Interfaces (see DEVNET-1139)
Multiple Clouds – With CloudCenter (see DEVNET-1139)
CloudCenter – Container Clouds
VM Clouds                          Container Clouds
Model app tiers from vanilla OS    Leverage pre-built images
New version = new instance         Rolling Updates (5.x)
LB in the Application Profile      Native in K8S
Deploy new VMs to scale            Native in K8S (replicas)
Problem solved!
• Easy way to create managed, monitored and scalable Kubernetes clusters with CCP
• Support the CI/CD chain with:
  • Governance
  • Multi-tenancy
  • Cost control
  • Agnostic application modeling
Back in control ☺
The Multicloud Consume so far…
• Reliable and flexible infrastructures
• Analytics and Monitoring
• CI/CD Infrastructure and tools
Uptime · Scale · Prevent · React · Agility · Governance
Security problems to solve
• Core business apps run in vulnerable infrastructures
• Lack of granular, intent-based security policies
Address the security issues with Tetration
• Assess Kubernetes node vulnerability
• Create and monitor flexible policies based on Kubernetes annotations
Visibility · Security
Address the performance issue with AppD
• AppD machine agent
• Server monitor
• App Helicopter view
• App Drill down and waterfall
Visibility
App security and performance monitor
• Assessed infrastructure vulnerability
• Implemented filters to create flexible, extremely granular policies based on arbitrary tags
• Assess performance from an application and infrastructure point of view
• Drilled down and analyzed each single step of the application e2e experience
Bulletproof applications!
Let’s sum it up
The integrated story
[Diagram: Tetration, AppDynamics and CloudCenter above a CCP Control Plane managing Tenant Cluster Alpha (K8S Master, K8S Workers) for Tenant Alpha]
Microservices: what we offer
• Security: Tetration, ACI, CCP
• Automation: CCP, CloudCenter
• Visibility: Tetration, AppD
We own the full stack!
Malaysia, Kuala Lumpur . 18 April 2019
#CiscoConnectID
Indonesia, Jakarta . 09 April 2019