jakarta, indonesia 9 april 2019 #ciscoconnectid · cisco ci/cd for containers l4/l7 tenant alpha sg...

Jakarta, Indonesia 9 April 2019 #CiscoConnectID


Post on 20-May-2020


Page 1

Jakarta, Indonesia 9 April 2019

#CiscoConnectID

Page 2

Cisco Multicloud: Cloud Consume

Helps you deploy, monitor, and optimize applications in multicloud and container environments

Mohammad Imaduddin

DC System Engineer, Cisco Systems

Page 3

Accelerating Innovation

“56% of cloud adopters use cloud services to enable innovation, 50% to improve business agility”

“Microservices Momentum Accelerates”

“Digital disruption drives CIOs to double down on innovation”

“The more programmers on a company’s platform, the more software applications are created, attracting customers and still more developers — a flywheel of growth and profit.”

“Large enterprises increasingly embrace open-source software to attract developers and keep up with digital-native competitors.”


Page 4

The reality is anything but simple

Multiple public cloud services

New data protection regulations

Private data centers still crucial

SaaS adoption rising

IoT exploding


Page 5

Google Trends, 5 years: Docker, OpenStack

LTRACI-2967

Page 6

Google Trends, 5 years: Kubernetes, OpenStack

LTRACI-2967

Page 7

Google Trends, 5 years: Kubernetes, vSphere

LTRACI-2967

Page 8

2013

Dev Prod

Dev Ops

I need resources for a new project

Please submit a help desk ticket

Never mind…

Test

Page 9

2019

Dev Ops

I need resources for a new project

Never mind…

Kubernetes Anywhere

Please submit a help desk ticket

Dev Prod Test

• Focused on Developer

• Creates a mechanism for developers to operationalize what they work on (DevOps)

Page 10

On Premises

Blood and Sweat

Cloud

Page 11

Cisco IT: A Spectrum of Workloads

Virtual VM

2500 Business apps & 500 SaaS In Use

90 SaaS assets (revenue gathering)

50 engineering apps (for 40k developers)

Multi Cloud Operating Model

On Prem Public

Baremetal UCS x86

Private Cloud, Public Clouds

BRKCLD-1823

Page 12

Growth Enablement

Cisco IT Cloud Evolution

GLOBAL DATA CENTER STRATEGY

Capacity (Optimize & Extend)

Software-Defined Intelligence

Speed

App/Data Transformation

MULTICLOUD STRATEGY

2007-2015 Today & Future

TRANSFORMATION

Capacity (Build)

Resiliency

Service Transformation

UI/Manual API Driven

Past / Future

Operating Model: Traditional / Cloud

Provisioning: UI / API

Architecture: Integrated / Cloud Native

Driven by: Limited Automation / Software Defined Everything

Resiliency: App Level / Cloud Native

Security: Enforced / Pervasive

Customer Base: Mostly IT / All

VISION

Page 13

Cisco Connect 2019 Malaysia, Kuala Lumpur . 18 April 2019

How did we get there?

Web Frontend

App

Backend

DB

Traffic patterns to monitor

Web Server

Auth

Cart Payment

Search Recommendations

Other Service

Traffic patterns to monitor

Server1

Server2

Server3

Server5

Server4

Data Center 1 Data Center 2 Public Cloud

Page 14

Operating the Death Star


BRKCLD-1003

Page 15

Microservices: what do I need?

Security

Automation

Visibility

Page 16

Problems to solve

• Diverse traffic patterns with no context

• Network and Security teams have limited to no visibility into container workloads

• Segmentation and security internal to the cluster can only be done by cluster administrators.

• Missing tools to troubleshoot network issues

Page 17

Kubernetes most common objects in one slide

• Pod: 1 or more containers

• Deployment: Define replicas

• Service:

➢ Cluster-IP: Internal to cluster

➢ NodePort: Port binding to node

➢ LoadBalancer: Exposed VIP

• Namespace: Virtual cluster

• Persistent Volume: Abstracts a slice of storage

• Persistent Volume Claim: Request of storage

Page 18

Segmentation

• Secure K8s infrastructure:

• network isolation for infrastructure related objects

• Network isolation between namespaces

• Controlling access between Kubernetes services and external services

Diagram: groups of PODs labeled Frontend-EPG, API-Gateway-EPG, Backend-EPG and Monitoring-EPG, with Policy labels.

Page 19

Communications outside of the Cluster

• Non-Cluster endpoints communicating with Cluster:

• Exposing external services, how? NodePort? LoadBalancer?

• Scaling-out ingress controllers, how can you scale?

• Cluster endpoints communicating with non-cluster endpoints:

• POD access to external services and endpoints

Diagram: groups of PODs labeled Frontend-EPG, API-Gateway-EPG, Backend-EPG and Monitoring-EPG, with Policy labels.

Page 20

Storage Access from Nodes

• Applications running in Kubernetes Pods that need high-bandwidth, low-latency traffic to data external to the cluster suffer from the bottleneck imposed by the egress router implementation, i.e. centralized storage accessed from nodes or PODs:

• iSCSI, NFS, GlusterFS, CEPH, etc.

• HyperFlex

Page 21

Operations

• Skills gap between network and Kubernetes admins

• Visibility and governance of network policies

• Simplified Network Operations

Developer, Network Administrator, Infosec

Page 22

Demo: Container Visibility with ACI

In this live demo:

• Control Plane view

➢ K8S node mapping

➢ K8S objects mapping

• Data Plane view

➢ EPG mapping

➢ Namespace annotation

Visibility

Page 23

Page 24

ACI makes containers visible and manageable!

• Seamless experience to Kubernetes users

• Network admins have visibility at control plane and data plane level

• Network admin can create consistent policies encompassing baremetal, virtual machine and container domains

• Flexible EPG mapping model, can enable enforcement by annotating deployments

Everybody is happy, everything is green! ☺

Page 25

Problems to solve

• Resources used are out of control

• Misuse of public cloud resources

• Where are my corporate policies?

Page 26

Demo: CCP Tenant Cluster Creation

Automation, Visibility

Page 27

Page 28

Tarantula Architecture

• Silence (API Server): K8S Deployment, LB SVC

• Jungle (Web Frontend): K8S Deployment, LB SVC

• Stairway (Traffic/Incidents): K8S Deployment, Cluster-IP SVC

• Rainbow (Music Events): K8S Deployment, Cluster-IP SVC

• Fool (Weather Service): K8S Deployment, Cluster-IP SVC

Page 29

Page 30

Cisco CI/CD for Containers

Tenant Alpha, L4/L7 SG

1. User commit

2. Jenkins detects it and downloads code

3. Jenkins builds container images and uploads to registry

4. Jenkins requests CCC to deploy the App

5. CCC gets the images and deploys to K8S

6. Services are created in K8S and ACI

7. That’s it

Page 31

Demo: CI/CD

• CI/CD workflow demo

• Container services in CloudCenter

• CloudCenter Application Profile

Automation

Page 32

Page 33

Wait! Why CloudCenter when I can use K8S directly?

• Governance!

• Mixed apps (VM/Containers)

• Multi/hybrid cloud with single profile modeling (Model once, deploy everywhere)

• This includes multiple k8s clusters (technically different Clouds/Regions)

Page 34

Multiple Clouds – Multiple Interfaces

DEVNET-1139

Page 35

Multiple Clouds – With CloudCenter

DEVNET-1139

Page 36

CloudCenter – Container Clouds

Model app tiers from vanilla OS

New version = new instance

LB in the Application Profile

VM Clouds

Deploy new VMs to scale

Rolling Updates (5.x)

Native in K8S (replicas)

Leverage pre-built images

Native in K8S

Container Clouds

Page 37

Problem solved!

• Easy way to create managed, monitored and scalable Kubernetes clusters with CCP

• Support CI/CD chain with:

• Governance

• Multi-tenancy

• Cost control

• Agnostic application modeling

Back in control ☺

Page 38

The Multicloud Consume so far…

Reliable and flexible infrastructures

Analytics and Monitoring

Uptime

Scale

Prevent

React

CI/CD Infrastructure and tools

Agility

Governance

Page 39

Security problems to solve

• Core business apps run in vulnerable infrastructures

• Lack of granular, intent-based security policies

Page 40

Address the security issues with Tetration

• Assess Kubernetes node vulnerability

• Create and monitor flexible policies based on Kubernetes annotations

Visibility, Security

Page 41

Page 42

Address the performance issue with AppD

• AppD machine agent

• Server monitor

• App Helicopter view

• App Drill down and waterfall

Visibility

Page 43

Page 44

App security and performance monitor

• Assessed infrastructure vulnerability

• Implemented filters to create flexible, extremely granular policies based on arbitrary tags

• Assess performance from an application and infrastructure point of view

• Drilled down and analyzed each single step of the application e2e experience

Bullet proof applications!

Page 45

Let’s sum it up

Page 46

Tetration

AppDynamics

CloudCenter

The integrated story

K8S Master

K8S Workers

Tenant Cluster Alpha

CCP Control Plane

Tenant Alpha

Page 47

Microservices: what we offer

Security

Automation

We own the full stack!

Visibility

CCP CloudCenter

Tetration AppD

Tetration

ACI CCP

Page 48

Malaysia, Kuala Lumpur . 18 April 2019

#CiscoConnectID

Indonesia, Jakarta . 09 April 2019