The now and then of cloud native application in the enterprise using containers | BRK3238

The now and then of cloud native application in the enterprise using containers | BRK3238

Show Video

Cool, thank. You for, coming I'm Brendon. And it. Says presentation, title here I swear I was gonna put a presentation, title there. But. This is covering. Cloud native deployments. And application, development in kubernetes, and Azure kubernetes, service and specific, I'm. Brendan I run. The, community, service at Asher I'm actually one of the people who started the kubernetes project, a long long long time ago so, it's. It's. A real pleasure to have a chance to get here and talk to you I, want, to talk a little bit about why I'm here, because. I think. It's an important motivation it sets the stage for a lot of what we're doing I'm. Incredibly. Excited about, helping people do. More and do more with the cloud I think, that's the thing that gets me up in the morning that's the thing that brings me to places like this that's, the thing that I am thinking about most of the time is how do I build services. And how. Do I build capabilities. And into Azure and specific, but. Open source as well that, help you do things that were previously impossible. Or maybe just previously, very hard at. The same time I think it's really great for us to think about why you are here so. I I have, some hypothesis. Hypotheses. And perhaps. As we go through the talk we'll find out if those are true and hopefully the the things that we talked about align with them and. In. Particular I wanted to talk about the agenda, for for what we. Are doing here which is I want to talk a little bit about cloud native motivations. Which I think hopefully the reasons why you're here, talking. About how we go from code to the cloud which is an interesting and challenging topic. Talking, about how we take this notion of cloud native which is sort of aspirational, and. Hype, ish to, say, the least and talk, about it in the real world and then talk about controlling, your environment conclude. It a little bit there'll, be some questions and answers at the end hopefully and. There's a number of demos which if the people are smiling, at me if the guys are smiling at me we'll. Hopefully we'll. Go and work properly I'm. Gonna ask actually can you bring, the house lights down just a tiny bit I'm finding them slightly, blinding. I don't, know it's just, a little bit bright out here, anyway. Well hopefully happen otherwise I'm gonna be staring down here a lot all, right are. You a cloud native so I think that I want is the part where I really want to understand where everybody's, at who, out there has, used, containers. More. Or less everybody, a, little bit how about kubernetes a, bunch. Of people a little bit slightly fewer I, would. Say that they're building cloud, native applications. Assuming you even know what that means, a. Few. Of you because it's hard to know sometimes what, that actually means all right cool thank you I think that helps sense the stage I think we have the right kind of material, for you so hopefully, that, that. Answers. But the more important question I would say is why, why. Are you a cloud native why are you interested in these ideas I, think it resolves, a lot around not the technology at least I hope it doesn't have anything to do with the technology, and instead. Is about, doing, things like improving your team and products agility I think.

For Most people who. Our who. We talk to this. Is the number one thing that they're interested in they, realize, either because of the competitive, landscape that, they find themselves in or simply because of the frustrations, that they're feeling that, they need their teams to move faster, they need their teams to not be doing. A lockstep we can deploy once a month they, need their product to evolve faster so that they can get new ideas out to the market so that they can test ideas quickly fail, fast keep, up with the competitive, pressures I think this is the number one reason why people are starting to say things like cloud native it's. It's the thing that is driving most, of the innovation the need to get from deploying software, once, a year once every six months once every quarter once, a month once, a week, possibly. Once an hour maybe. Even continuously. This, is the primary motivation, behind both, the interest, and the development, of a lot of the technology, that we're doing I think, at the same time though reliability. Is also the pressures of reliability, are also always. Always always increasing. It used to be okay I mean I I'm sure we all remember a, long, time ago when people would say things like the, websites gonna be down from you know 12 to 1 or 12 to 2 or whatever it was for, routine maintenance or weekly maintenance or whatever that meant. That's, no longer okay, you. Don't get to do that anymore, you, don't get to take, your site down you don't get to take your api's down you. Are expected. To be running and upgrading. And updating, and behaving, in an agile way behind. An API and a application. That is always on and always available and, always reliable. This. Is hard, and hopefully. The other motivation, for being, interested, in cloud native applications, and in this technology that we're going to talk about is improving, your product reliability but, I think awesome honestly, coming with that also. Is a notion that we. Need to improve the human experience, as well we, have to make sure that the people who are on call aren't. Repeatedly, doing the same thing over and over and over again right we have to eliminate toil, wherever, we find it if you have a, web page full of things to cut and paste into a terminal it's. Not a healthy, experience for anybody it's not a reliable experience either and so I think the other reason people are motivated to take on this sort of cloud native journey is we've, got to improve the health of the people who. Are doing operations, for these applications, and I would actually argue we need to improve the health of our teams in general we. Need to have people believing that the code that they write today, is going to be code that's running in the product tomorrow you. Have people who are responsible for products knowing that if a customer finds a bug today it, can be fixed possibly. Even and pushed out even, within the same day that really. Is a motivator, for better teams for healthier teams for, teams that aren't frustrated, by a lack of progress I think, these are all the right, motivations. For thinking about why you would take on this, journey from applications. That you may have written in the past all the way through to cloud native applications. All. Right I already, did this one where I asked where you were at I skipped, that slide or at least it will skip through that I wanted, to take a step a little bit closer to the world of cloud native and talk about the challenges, of going from code to cloud because, ultimately I think when we're talking about cloud native applications, that's really what we're talking about we're, talking about getting, code that a developer, is written out to the cloud as quickly and as safely as, possible, so. We have code we.

Want To take it to the cloud simple, right we're done but. Unfortunately, when we actually start unpacking this problem, when we actually started looking at what it takes to go from code to, cloud it, turns out there's, a bunch of tools right. The, first thing you're going to do is you're going to say oh you, need to take my code I'm gonna take a compiler, I'm gonna turn it into a binary I'm, gonna write a docker file I'm gonna take that docker command. Line I'm gonna turn it into a docker image, I'm gonna write some kubernetes yamo I'm gonna take cubed control get. It out to the cloud huzzah, right, so now at this point your, developers, have had to learn 3 differents languages. The. Code, that they're writing in the docker file language, which is different communities, animal which is different three different tools that you need to install and maintain and, update and learn how to use and everything else like that the, compiler, the docker, tooling, cube control tooling, and you. Know the truth is that we. Need to go even beyond that, this. Is just the beginning this is just sort of the like can I in a toy way get. My application from, code to cloud, let's. Talk about unit tests how are you gonna do unit tests so if you really want to push your code out to the cloud you're gonna have to do testing you're gonna need a unit test framework you're, gonna need something and hopefully you're already or are writing unit tests you need to integrate that into your build process so, that as you go through the process of building an image you run all your unit tests you make sure your unit tests pass then, you build the image and, you push it out to the to, the cluster. That's running in the cloud so. Now actually maybe we have safe. Code going, to the cloud now. We're gonna run integration, tests because of course we're all building micro services so we have to make sure that not only did my unit tests pass but, all of the different services is they integrate together they're still, performing. The right ways so we're gonna run code. Into, tests, into, a docker image into cube control into, integration tests, and. Now hopefully we actually have some degree of safety. And a belief that we're actually putting. Safe stuff out into the cloud it gets even worse of course the code is actually slipped, off to the left there we've, seen a little bit of the compilers is left behind. We're. Adding in a roll out process because if any of your applications, is not. Is only in a single region. You're. Doing it wrong right you need to be able in multiple. Regions for reasons of availability, for, reasons of latency, possibly. For reasons, of data sovereignty there's. A lot of different reasons why your application is going to be deployed in to lots of different regions so now in addition to building the code running, the tests building, the image getting. The kubernetes configs, ready running the integration, tests you have to think about how do I roll out to all these regions I don't, want to push to all my regions at once because, remember that whole thing about product. Reliability, and not, having the downtime from 12:00 to 2:00 every morning well, the only way you do that is by pushing, to a region one at a time having. Load balancers, that can spray, traffic, and move traffic away from a region if it becomes sick you, need a rollout process, right. So all of this together becomes. The, act of building. A cloud native application, and if. You're feeling a little overwhelmed, it's okay and you'll notice that there's a bunch of question marks here because, while in some of these places the tooling is well understood and, well sorted, out in many. Of these places it's kind of a do-it-yourself, exercise, or at least a like well there's six of these solutions and you could choose one of them and it'll work probably if you figure out how to run it right right. So this there's a ton of different. Pieces and moving parts that get you from code. Out to the cloud in in a native way, but. Of course the, hope and the the. Promise, and the claim is that. Even. If there are too many tools out there tools. Actually are valuable right. I mean we didn't build all of these tools because. You. Know it was fun or because, like we really had a deep. Desire to build a you, know a new tool we. Built all these tools because, they were useful and they had a value, and they were something.

That Needed to get done. But. At the same time we've ended up in this world where every, single person is expected, to learn how to use every, single little tool along the way and it's. Very clear to me in talking to people that this, actually, distracts. From both, the team health because people feel overwhelmed, and also, from the team agility, because you spend more time learning how to craft the, tools together and, learning how to use the tools then, you you actually writing the code in the first place so. I want to take a look at how we can say well you know what tools are extremely, important, absolutely, have to have a lot of these tools but, how do we actually take tooling and make it helpful, how, do we take tooling, and put it gets put it together so that that, big long pipe that we had there is actually, something that's approachable, for you and how, do we you, know effectively. Get, back to that world where we go from code to cloud without, any of the intervening, bits I want. To take a brief moment here to talk about the first step along this way which, is some of the work that we've done integrating. Visual, studio code, with, kubernetes. So. This would be the first exercise. In the in. The demo gods so we'll see how that goes. First. Trying to remember my password so I worked. All right can people see that okay or does this need to be zoomed, in a little bit hmm. All, right. All. Right better. We. Could do like the eye test thing you know it better worse. All. Right so this is a studio code how many people out there users you'll see you code. That's. Pretty good. Definitely. My favorite editor I really really really love it it's, super cool it's, the it, just I don't know super cool anyway, I'm a big fan. What. We did with this though as we said hey look people are not just writing code people, are actually in. This environment deploying. Things out to their clusters thinking, about their clusters, and so, you, know we went and actually built, an extension when. You install the, kubernetes. Extension, you obviously get a little extension thing down here and. You also if you have a cluster created, well first of all I could actually can help you create a cluster if you don't have a cluster created, but once you have a cluster going, you, can actually see it here and. We can actually start exploring, it this is a cluster that I have running up in IKS and, we. Can actually explore it and we can say well hey look we got some nodes here. And. They. Have containers on them we can actually see the containers, that are running on those nodes you. Can see there's a little green dot indicates, it's healthy and I think here you're starting to see why this tooling, is valuable, right. Because I can actually in an integrated way give you a little status, about your container, none. Of this is stuff that I couldn't get from the API or from a command-line tool or anything else like that in fact it's coming from the same API and command-line tool but, I can integrate it all together into, an environment. That is just easier for you to for, you to deal with so, let's take a look over here at the. Workloads. So. The, in. The workload section, we have all of our running stuff and if we look into the deployments, we can see here that I have an engine X deployment.

This. Engine X is a. Simple, web server if I click on the deployment I actually get the community's animal here so this is the actual, yamo. That represents, the kubernetes application. You. Can imagine that, it's a little bit intimidating. Initially, right, there's a lot of text going on here a lot of words not necessarily, always exactly, clear what everything, means and. So again this is a place where tooling can come and make, it easier for you as you're onboarding, into this cloud native experience with kubernetes, we. Can actually flip, into explain, mode so we can actually say kubernetes. Explain. It's. A it's activated, as a city activated, the explain API and now if I go over here and hover over say anything let's see well what does image pull policy do image. Pool policy is one of always, never if not present defaults, to always if, the latest tag is specified or if not present otherwise can't. Be updated, a little more info if you want to see it same, thing here if I want to say well what's the termination, message path little. Description of the termination Nashes path again, none, of this is stuff that wasn't available to you in other environments in fact it's pulling from existing tooling, but it's integrating, them into a place such that if you're editing one of these configs, and you want to understand what's going on you. Can actually, you. Know immediately get, access to specifically. That information, because, by the way while this is contextualized. When, you actually go and discover all this information, it's in a web page about this big right so, by taking it into our tool and making it accessible field, by field we're, actually not, just presenting, the information but, actually I think making it more digestible. And. Additionally. And I add we. Have things like this so, if you hover over here. It's. Gonna kill that I. Really. Want to get, the tooltip, I'm, going to turn off explain. Alright. Because, what I want to also show you is the tooltip, here. So, we are actually also, providing. Linting, one, of the things that we noticed very early on was. That when people create, containers. They often don't initially specify, resources, they don't actually say hey this container needs two cores and ten gigs of memory they, just say well, it'll. Hopefully it all work out, and. It. Works usually. Until they go out to production and, a. Bunch, more load, than normal, lands on their cluster memory, usage spikes up things, get starved, bad things happen, they call me that yell it's, unpleasant for anybody everybody involved so, we said well let's go back to the tools and solve this and what, we added here is some basic linting, right. And so and, it's actually extensible, so you can add your own lint rules if you want so now if you're editing one of these things just like you if you're editing code you, get a little warning get, a little thing that says hey no resource limit specified for this container could starve other processes, we, could fix it if we wanted to sooner, or later maybe we'll add a quick fix that would be pretty awesome we, haven't done that part yet and this is the part where I should point out that this whole extension, is out, as an open source project on, github and so. If adding. Quick fixes to our computer. Nettie's extension, is something that makes you excited, we'd, be excited to have a PR for something like that or really anything that you see, that that you think would have to your experience, using this. Sort of tooling to integrate with kubernetes I want to demonstrate one other piece here which. Is that we can actually go over here, if we scroll up and we can say hey look, replicas. I want replicas to be three. And. I'm, actually going to some replicas, oh I guess. They explain fbi's still there i this. Is the desired number of pods we're gonna scale it up to three and I can actually save, this and, then. Apply it. And. What. I'm actually going to do is it's actually going to show me again. Using, the integration in the environment, it's going to give me a diff and it's going to show me, look this, is what's changing, this is the only thing that's changing so I have a lot of confidence now that this change I can apply I know, exactly what it's going to do it's only gonna scale. It up I actually just waited too, long. To. Do. That so let's try this again it. Was, asking for a confirmation and I talked too long. Yes. I want to apply that change. It's. Been configured. Close. This out, there. We go over here, now, we have our three containers up and running and the last piece of this it's, nice that I can make changes to my running cluster like that but, the other thing is sometimes, we need to debug things and since.

The Dawn of time you've learned that if you right-click on things interesting things happen and we've done the same thing here let's say I want to get a terminal or get the logs if I click here I can actually say yeah you know what give me a terminal, and I'm. Actually going to be running. Inside of that container so. Now actually, it looks just like I'm at the terminal, but I'm in fact inside, that container in, the AKS, cluster, in the azure data center, somewhere. I'm. Not actually even sure where that. The data center is in this particular case so, I've, had, the ability to pull all the way from that distance, into. The, browser right here or sorry into the tooling right here and I can actually start, taking a look at what's going on look, at the web pages and everything else like that similarly, I can actually port. Forward as well so I can actually sorry, I can actually right click here. Say. Port, forward. I'll. Say 80. To. 80. Now. I have port forwarding running and if I drop over to the browser and I, go to localhost. There's. My application, running so again being able to securely, pull, the. Application. Running in the kubernetes cluster all, the way down locally, to my machine via the network I can contact, it I can probe, it I can make calls to it again without anything being exposed on the public Internet I can. Debug and whatever I need to do. And that's a pretty useful way to do, your development, as well so hopefully that gives you an illustration of. The beginnings, of how tooling, can actually take some of these problems make it a lot easier we didn't have to learn anything about the cube control command-line tool even though it's behind the scenes and, we've got other tools with draft and helm that can actually make the application packaging. And deployment, easier as well all right I'm going to jump back to the. Jump. Back to my I'm gonna exit, out of. My. Terminal, jump. Back to my slides all, right cool. All. Right so, now. We hopefully, have some ideas about how we're going to get to get, from code to cloud using, better, tools but we still need to talk through it we. Need to put together a complete pipeline, for this right, so it's great that you can do your development it's great you can explore your kubernetes, cluster but, we need you to actually also be able to set up an end-to-end pipeline, using, something like github actions. Or. Azure DevOps so. The, basics here are starting out with a git repo hopefully, every everybody, out there has their kubernetes configs, already in a git repo if you don't please. Do it's, the right thing to do you'll be very happy you'll, be very sad if you don't, get. Everything into a git repo. Somehow. Though we need magic to get us from that git repo into the cloud. And. And the magic actually comes from github actions, so, it the first step in this is saying hey I can actually go from code, in my git repo the. Github. Actions, to, images. Running out in the Azure container registry. You. Can actually go, ahead and. Take. That and say, ok I can actually use the, same approach. Different, tooling, within the same approach but the same approach to go from a Cuban eighties config, in, a. Github repository out, to the azure kubernetes service. So. With a with, a simple llamó file dropped, into your, github repository. You, can describe, not. Only building. Your container image pushing it to the azure container registry and distributing, it around the world but, also taking. The config, pushing. It to. Pushing. It to the a. Jacuz Bonetti service, that happens to be running all the way around the world again with, nothing. But a text. File that's been added to your repository so it's a pretty powerful way to define. Your complete pipeline, but of course this isn't all you need because. In reality you're. Gonna have to be in multiple regions and again. If you're thinking about being in multiple regions you have to think about how do I take a single. Template because you don't want to cut and paste and copy and make all kinds of errors and consistency, problems, between multiple, configurations.

For Different regions you, want a single template that gets, executed to, parameterize, it for the different regions the small changes that you need between them that's, where helm comes in so, if you haven't played around with helm you should definitely take a look at that for our parameterizing. Your template from a single, sort of master template out to a bunch of different specific regions, and then, those can fire their way through github actions, out to the various kubernetes cluster as your kubernetes clusters that you have running, in all of these different places and, so. If we put it all together we. Have this process as one pipeline to. Go from a git repository in, your code all the way through to the azure container registry and this. Process for another because your azure container registry will. Either trigger a notification that, there's a new build and that notification can, either go to you as a human who then decides this is the release build that we're going to use or, you can even automate the entire flow, so. That the notification, comes from the azure container registry, goes. Into another git, repository, containing your kubernetes configs, triggers. More actions, to perform helm, to, template out to, perform more actions to deploy those templates one by one in a safe way out to, the various regions, that you have running in Azure, and, honestly, in any cloud anywhere, so. The other thing that's really exciting about all of the pipeline's work that we were doing with github actions, is that, it can target kubernetes, no matter where kubernetes, is that's. Really powerful for people who are looking at on-premise, deployments, who are looking at deployments, to other clouds other, environments. The same configurations. The same, code. In the same registry. Can be pushed to any location, all. Right I want. To take hopefully that gives you at least a brief thought. Overview about how you might thinking about a plot building, out the, cloud native development with containers as well as a pipeline, for, building. And releasing, your applications, out into, into. A cloud, native deployment, but I wanted to talk actually about the real world because, it's the place where we all actually, live it's, the place where there are people like regulators, and people like compliance, officers, and the CSO, of your company and everything else like that who, are saying things like it's great we really we applaud the fact that you are deploying. Code every, hour or whenever it happens to be but. Are, you sock compliant, are, you PCI compliance, are, you pushing. Vulnerabilities, that are going to get my company shut down right. So the truth is that why we want to be doing all this agile stuff all, this, agile stuff actually, makes a number of people very very nervous and, honestly. If you think about the fact that you know if you expose. 50. Million 100 million social security IDs. Out to people. On the internet you, should maybe be a little bit nervous too right, so it is it's I make fun a little bit but the truth is these are very real problems, that are actually incredibly, important for us to solve and so, I think while the technology focuses.

A Little bit on hey, speed, and fast and agile in tech and it's awesome I think, it's important, to take the step back and say look yes absolutely. But. We need to bring those real world concerns, along with us as we go, the. Truth is that kubernetes, is everywhere this, has become the foundation for, us to take cloud native and without kubernetes, being everywhere. We. We really wouldn't have a foundation on which this cloud native revolution, could be happening, but. The, truth is we, have to also as a sure I think say what can we do if. Kubernetes. Is everywhere and it, really is, what. Can we as Azure, do to, help you with that problem to, help you manage, and and make useful. All of these clusters that are popping up all over the place. Kubernetes. Is spanning, all of these different environments it's spanning, multi cloud it's, in the data center it's hosted, by people. Really. All of these wide variety, of different environments, you might be renting kubernetes in but, you still need the same consistent, management interfaces the same consistent, policy, its spanning all of these different devices I. Don't. Know if people, looked at the Jedi stuff, that happened recently but, like we're gonna have kubernetes, in people's backpacks, right, that's, crazy, at some. Level but it's also really cool we've got address tack edge here, that we talked about which, is a single server that you can rack in all the way through big. Fully. Integrated, systems right so like what we're really seeing is there's all of these different form, factors, there's all of these different clouds, and the but the unifying, thing about it is they're. All gonna have kubernetes on them and, they're. All gonna be capable of being managed, from the azure control. And management plane and they're all going to be capable being deployed to via. Things like github pipelines, so we came up with this idea of Arc, kubernetes, where. You're. Gonna have the ability to run Azure data services, on communities, anywhere you're. Going to be able to extend. The, management, that Azure can do out across all of your environments, you're, going to be able to have, cloud. Native development, no matter where your code needs to be and. We talked to people who have ships and that ship, is gonna be floating around the world and they, need cloud, native deployments. And development, when that ship comes into port they. Need to roll out new software onto it when, it's maybe out on a faraway. Low-bandwidth. Land maybe not so much right, and then finally we need to have that kind of security we need to have the, assurances, of management no, matter where your code happens to be running and that's really the promise and the premise of Ark I hope you saw it in the keynote on Monday I'm incredibly, excited about it large, chunk of my teams are focused very much on this product and.

So We're really excited at this idea of taking not just kubernetes, but honestly as your management everywhere, I wanted. To give you a quick demo of what this looks like hopefully. It's not too redundant. With things that you saw in the keynote if. You saw them in the keynote. Go. Over. To the demo machine. Close, that out. It's. Not big enough. All. Right. I. Have. A kubernetes. Cluster here. It's. A really small cube renée's cluster it's just a single, node it's running literally right, here on my laptop literally. The kubernetes cluster is here running on my laptop and. We're gonna actually install, arc on that. So. It's using hike it's using. Its. Using. Helm to install the. Process haiku was the internal code name if people want to know secret stuff haiku is the internal code name before it was launched so we've, now installed. The. Arc work here, on the, cluster that's running here we can actually say queue control good, oh. It's. Nothing there no wait it's in the. You. Can tell that this wasn't a scripted demo. All. Right so there it is the containers, are being pulled down across. Hopefully. Not the conference, Wi-Fi. Yeah. I'm on the demo Wi-Fi all right so the containers. Are being pulled down across, the the. Conference Wi-Fi and they're going to be doing, a number of different things first, of all they're going to be registering, this cluster, with, Azure, so. They this, agent, lands onto the kerbin Nettie's cluster and again this is a kubernetes cluster that, was created with the kind kind, tool, which stands for kubernetes, in docker it's, an open source tool it, can create kubernetes, clusters, they're really for development, but kubernetes. Cluster anywhere, you want to run a kubernetes, cluster from. Your laptop to you. Know any other cloud any, other kind of environment, they the, agent comes down it. Actually registers. Itself with Azure it, gets itself, set up to receive, updates from the Azure control, plane so, we have an, agent, on board inside the cluster that, has the ability to sort of watch the Azure control plane watch. For changes in policy, that you might request or anything else like that and then enforce, those changes, on, the on the, kubernetes cluster itself, so if we get they're, still downloading, we'll keep we'll keep our fingers crossed through the download actually, works and. Once, that knowledge. Happens, and I'm gonna overtalk. My slides a little bit but actually. I'll just move forward with the slides while we're waiting for that to happen um, you. Know the truth is that by, giving yourself that as a resource ID the. Resource, ID is the key to Azure, it's. The key to unlocking, all, of these different, experiences. Within the Azure project, and so by the fact that this, kubernetes, cluster that's on my laptop now is going to have an azure identity. It. Unlocks things like as you're monitoring I can, install as you're monitoring, using, that resource ID and suddenly, all of the integration, with container insights, and everything else like that lights up right. So the, the fact that we've made as you're aware of things they're not in Azure, suddenly. Unlocks a whole world, of products. That have been built, around. The azure ecosystem. To, be used throughout. Your, on-premise. Or your your. Cloud native environments, no matter where they happen to be it's a massive. Step forward because while it's a hybrid world and we want to be in all of these different environment, you're you want to be in all of these different environments, the truth is that you don't really want to have multiple different portals and multiple different management planes for understanding, are you alerting, in cloud one or are you learning on Prem you need all of that stuff integrated, into a single pane of glass to.

Really Understand what you're doing and I think that really is the promise of arc so we'll pop, back over and hope this is installed. No. They are still pulling I'm. Gonna blame the Wi-Fi. All. Right well I'll keep we'll keep going on the slides and we will hope that that pool continues, all right and. So. I wanted to talk about another Azure environment, or. Not another environment. Another. Kubernetes, environment, this is in my basement back. In Seattle. This. Is my own little personal kubernetes, cluster running. In a bunch, of Intel, knucks which are cool. Little computers, if you ever get a chance to them. That's, my rack that I built so. It's got three three three nodes, here cube zero in the middle cube zero is actually also powering, the network switch with that USB cable that you see sticking out of the front into, the network switch that you see hanging down, sort. Of in the the. Bottom, area there with some. Network cables going into it I'm pretty proud of the cleanliness, of my datacenter here I, actually. Had to crop in really tight because honest to god my basement is not a place that you want to see on. But. Anyway this. Is my little kubernetes cluster. And. If, we go back over, to. The. The. Demo here I've actually registered, that kubernetes, cluster, here. I'm, actually going to check, see. If we're up and running it no. They're still pulling. I've. Actually registered that cluster here, with, the kubernetes service and so when I go into. When. I go into viewing my kubernetes services, I actually see. My. Home cluster, running. On my machine at home present. In the. Azure portal, right. It's it's actually here it's all of the information and you can see the difference here is the, the kubernetes cluster says, as your arc that's, one important difference another interesting difference is it's running version 1.16. We're, actually still qualifying, 1.16. For the azure kubernetes, service and. So I'm running 1.16. On my machine but are on my machines but we're actually still in the process of qualifying it out for IKS another, way that you know that it's not actually, a. Criminales, cluster in the azure kubernetes, service but it's still present in my subscription it's. Still in a side of a resource group and I can still manage it visualize, it and understand, it through, an azure API. Is. It refreshing. Yeah. What is alright I'm going to just they're gonna have to pull the chain on that one and say we're gonna keep moving um I, don't know what's going on there. But. In, particular, what this allows us to do is it allows us to say hey look we can actually start running things like container insights, on, the. On premise, communities cluster and so if I go if I go back over to. Here and I take a look at container insights. You. Can actually see that same cluster, here, are the. You can see here that there are 3 nodes. That. This is the this is a little spike a load test that I ran a while ago you, can actually see, that, I'm monitoring. I'm having, information flowing from those. Machines in my basement into, an azure data center, visualized. In the azure portal, so, that I can actually manage, that kubernetes, cluster right. Alongside all. Of my IKS clusters, and everything else right, so I have a single pane of glass that. Allows me to see my application, no matter where it happens to be running and I can even drive in and say hey let's take a look at. The. Things. I have going on here and I have that exact same engine X that, I was running on my, main cluster, here. In my in. This cluster at my house as well one. Of them is running on cube - one of them is running on cube actually start two of them are running on cube - and one of them are running on cube one right, and this allows me then to actually, have a complete understanding of. My container and cloud native landscape, no matter where it happens to be running.

All. Right we, will go back. All. Right the last piece that I really want to talk about is how do you control your environment right so now we've seen how we can bring a cluster into. Into. Azure we've, seen how we can use that resource ID once brought into Azure to enable. Things like monitoring, but we can also enable things like security and, as. Your policy, right so in Azure as your policy, is sort of like the person who's patrolling, and keeping an eye on your agile resources, making sure that all of your agile resources, are compliant, our secure, are. Operating. In the right ways we've, actually extended this to, have three, modes you can, block things you can say hey look I don't want you to be able to do this you. Can append things meaning. Yeah, I'll let you do this but I'm gonna add on antivirus, or I'm gonna add on intrusion, detection I'm gonna add on some capability, that you didn't necessarily need, to know this again makes the cloud native development easier developers. Can focus on, doing the development policy. Can add in the security, posture that your CSO, or your security audit team needs and finally, you can also have audit so if you're thinking about testing a new policy you, can go ahead and see, what the effects of that would be prior. To actually, enforcing, it we can actually take this policy, and apply, it to kubernetes as well, so. In fact when you take a kubernetes, cluster and, you join it into Azure as your, policy, immediately, starts operating on that cluster and it, starts taking a look at what's going on in that cluster and it could say something like hey look. You. Need to apply this config we're. Gonna apply intrusion. Detection or, we're gonna apply vulnerability. Scanning or we're gonna apply any number. Of policy. Driven configurations. Could be doesn't, have to be security it could be logging and monitoring we're going to apply any number of configurations into. That cluster just because you joined it to Azure and this, actually this gesture, means you can actually manage. Kubernetes, at scale I could actually rack, a thousand. Of these data box edges these add your stack edges that people are using RAC a thousand, of them out into my stores every single one of them through arc joins, into Azure through, policy. Gets a bunch of configurations, applied literally. You just power them on and that's what happens right so we're actually using. This using a combination of technology, that was already in the edge of control plane and the ability to bridge on Prem, resources, into the control plane to, give you this gesture to be able to manage at scale, and. That says manage, multiple kubernetes, anywhere, and then, finally, we're actually not making this just a one-time gesture. We're. Actually it, with arc and kubernetes, using, git ops to. Make sure that we have a git repository. Behind. The. Configs. That you're pushing into the cluster which, means that if you need to update your security you have a new version of your intrusion detection new.

Version Your vulnerability, scanner or whatever it happens to be you, update a git repository and, that, configuration, is pushed out to all of your clusters right so now we're enabling both the operator, persona who, is operating the cluster and the, DevOps persona, the application, developer, who's pushing configuration. Through Azure. Pipelines, or get out github actions, the, pipeline's that we discussed at the beginning into, these clusters they, both have access in, different, ways to, the same environment. And they can apply their things that they need to do without, stepping on each other's toes enabling, that agility between, those two different teams all. Right it's wouldn't be possible what we're doing here wouldn't be possible without partnership. With a company called weave works out of the UK that build this really incredible tool called flux flux. Is what is powering this get hops integration, with kubernetes. It's, open source out on github we've, actually worked with them it's being brought to the cloud native compute, foundation, that's being donated to the cloud native compute, foundation, so, it's actually a CN CF project, at this point it's, we're excited, about and really, believe. In the idea of taking partnerships. With the open source community and figuring, out how we can bring them back into Azure and turn them into products, like the integration, with azure kubernetes. And azure arc, so. If we take a step back to securing, your environment, we, have the, you, know the flow through that we saw before we. Have the. Notion though that it's not okay just to secure the image, the flow of images into your environment you, actually also need to secure the. Environment. Itself and so, we're also really excited that as your security center is now available, to help scan, your. Kubernetes, cluster to, help scan the applications, inside, of your kubernetes, cluster and, so we can actually say we're gonna build a secure pipeline not just by scanning the images, that are in your container registry not just by securing. The way you build the image but, actually by scanning the applications, and the environment, in which those applications, run so, we have brought a bunch of native container, native technologies. Into. The azure security, center to enable you to have a better experience and, a. More integrated, experience of. Security, for your container guys applications, and, finally, we actually are also gonna be looking at the containers themselves so. It's not just about securing, the kubernetes environment, it's actually also about securing, the containers, to, make sure that every single piece of your pipeline from, the validation, phase all the way through to the runtime phase is as secure and as hardened as it can be because, it's not okay to just validate, that a application. Container is secure, because. The vulnerability, could be discovered at any time and if you're only testing, in the build part of your pipeline you, won't have knowledge, of any new vulnerabilities, that have been discovered after, you've deployed them out into into. The cluster so. We can alert for example, because this is the popular, thing to do if it turns out that your application, container is also, a Bitcoin miner, all. Right let's take a look at what that looks like so. I'm. Over here in Security Center I don't know how many people have played around the Security Center we actually have this tab over here where. We can see the containers, so. If I click over in the containers, I can see this kubernetes, cluster that, happens to be running in IKS right now it. Has two recommendations, for me so. If I go into the recommendations it, says okay, thanks. I don't, have pod security, policies set and. I don't have authorized IP ranges, set so pod security, policies, limits. What a pod can do limits what a container can do inside of the cluster, and. I don't have authorized IP ranges, set meaning I haven't locked down. My, endpoint, to only listen, to specific, IPs and in, either case if I click on these it can actually tell me, hey you. Know what here's what you need to do, and.

I Have instructions, here for how to apply Zod, security, policies, to my agile kubernetes service all, right so we've actually gone from looking. At my community service I'm sorry here looking, at my kubernetes service finding, a, policy. That I need to understand, and then actually, being. Able to take action if I choose to to lock it down. Similarly. If I go down here over to the security alerts one, of the things you'll actually see here, is that I, actually have a number of container security. Alerts that are that have been fired for me so in particular I, can. Say. It's. Detected, this is actually an application that, I deployed, that actually has both known vulnerabilities. And some. Capabilities. That it shouldn't have it's, saying hey there's a container with a sensitive, mount volume detected, so, we click on that it. Shows me where the where. This particular activity, was was, detected, similarly. It says hey look there's, a, new. High privileges, role that's been detected, so, a new, capability. A new service, account has come into my cluster that has high privileges, it's, firing an alert to say hey did you know that this happened if, you didn't know that this happened you might want to take a look and see why and when it happened, right so I'm getting capabilities. That tell me not just how to secure my environment, but capabilities, that give me a sort of running audit, log of alerts as new, software is deployed as potentially. Malicious activity, happens within the cluster agile, Security Center can fire alerts, that, tell me about how my. OP might environment, is operating, and allow me to have. That security that I need even. While applications. Are being deployed into this new cloud native environment, I'm gonna take one last stab, at seeing if this. That's. Right now you don't need to clap but now if we go here and we hit refresh. What. You'll see here is there's my there's my cluster from. My. Laptop running here on ignite that actually, and it's running 1.15. Actually because that was the version that kind created, and. So actually in the process of being, here took longer than it really should have but, in the process of being here I have, on the kubernetes cluster on my laptop paired. It up to Azure and now everything, that you've seen from the s code to. Get up actions, to, the. Container insights, and everything else can, now be used on this cluster, that, literally is here on my laptop and. So that's pretty cool and I think shows you the power and the premise of Arc all. Right obviously. Actually we hope to manage things that are not running on laptops but you. Know we take it once pick one scale unit at a time. So. To wrap up I have, I'm out of time that's what I'm gonna wrap up all right I just, want to say, briefly cloud native is really a means to an end this is a journey not, a destination we. Need to make sure that you're moving along it for the right reasons we, strongly believe that tools can help along this journey it's hard and complicated, we're trying to build tools that help from, the developer, side all the way through to the security, side and operations, in between. Kubernetes. Is everywhere, asher. Is - and we. Really hope that the vision in that we're putting forth with Azure and, Ark and everything that we're taking to the crew Benes landscape, resonates, with you we'd be happy to talk about it more. Thanks. So much I'll be up here but I want, to respect your time as well thank you very much for listening.

2020-01-18 19:23

Show Video

Other news