Going from OpenShift PoC to Production
Accelerate your path with HPE
Red Hat Summit | May 2018
Presenters
– Ka Wai Leung, HPE Solutions Product Management
– Michael Mattsson, HPE Nimble Storage Product Management
Agenda
– Bringing containers to production—different adoption paths
– Impact on people, process, and governance
– Technology considerations (including data management and protection)
– HPE Pointnext Services for OpenShift
– Planning for success
OpenShift adoption options
Four options for container adoption
1. Deploy containerized commercial apps: up in days, not months; verified and secure
2. Containerize monoliths: migrate to hybrid cloud or bare metal; get better CAPEX/OPEX versus VMs
3. Containerize the monolith, then transform to microservices: look for shared services to transform agility, DevOps, distributed architecture
4. Enable new microservices and apps: greenfield cloud native or containers as a service (CaaS)
Moving from PoC to production: key considerations
From a completed PoC (often a minimal viable product, MVP) to production, considering:
– People and organization
– Dev and release process
– Governance
– Technology and platform
People, organization, governance
People and organization
– Traditional waterfall development model: 1-3 releases/year, 4-12 month cycles; separate Customer or BU, Dev & QA, and IT Ops teams
– Agile and DevOps model: 4-12+ releases/year, 1-3 month cycles; integrated teams
– CAPEX vs OPEX model?
Dev/release process and governance
Waterfall model (command and control):
– Request for change, change control board
– Dev controls app stack
– Ops owns security and monitoring
Continuous delivery model (integrated and empowered):
– Change record as part of CI/CD pipeline
– Dev controls app image, Ops controls standardized base image via catalogs
– Dev assumes more control of security and app performance monitoring
Technology considerations
OpenShift in production
The OpenShift production ecosystem: high availability, security, lifecycle management, orchestration, data protection and management, scaling, monitoring, resource management.
Technology considerations: security
– Safe images: security for the private registry (scanning, access control)
– OpenSCAP scanning (integrate into CI/CD)
– Detailed audit trail for compliance, regulation, and forensics
– Safeguarding sensitive data
– Run-time protection and continuous monitoring
– Harden the OS (SELinux mandatory for OpenShift)
– Leverage security context constraints (SCC)
– Strong remediation and alerting
Securing the stack (diagram): hardware firmware and BIOS, Red Hat® Linux®, container registry, container images. Noted concern: lack of education/training for those involved in software development.
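The "OpenSCAP scanning (integrate into CI/CD)" bullet implies a pipeline step that consumes the scanner's XCCDF results and blocks the build on failing rules. The script below is an added example, not code from the deck or from HPE/Red Hat; it assumes the pipeline has already run `oscap xccdf eval --results results.xml ...`, and the embedded XCCDF document and its rule ids are constructed placeholders.

```python
# Added example (not from the deck): a CI gate for OpenSCAP results.
# Assumes the pipeline already ran, e.g.,
#   oscap xccdf eval --profile <profile> --results results.xml <datastream>
# and passes results.xml to this script. All rule ids below are constructed.
import sys
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed XCCDF 1.2 TestResult with placeholder rule ids.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult">
    <rule-result idref="xccdf_example_rule_selinux_enforcing" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_no_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_auditd_enabled" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_login_banner" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

SEVERITY_RANK = {"unknown": 0, "info": 0, "low": 1, "medium": 2, "high": 3}


def failed_rules(xml_text):
    """Return [(rule_id, severity)] for every rule-result whose result is 'fail'."""
    root = ET.fromstring(xml_text)
    failures = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        result = rr.findtext("x:result", default="", namespaces=NS).strip()
        if result == "fail":
            failures.append((rr.get("idref", "?"), rr.get("severity", "unknown")))
    return failures


def gate(xml_text, max_allowed="medium"):
    """Return (passed, failures); a failure above max_allowed severity blocks the build."""
    failures = failed_rules(xml_text)
    threshold = SEVERITY_RANK[max_allowed]
    blocking = [f for f in failures if SEVERITY_RANK.get(f[1], 0) > threshold]
    return len(blocking) == 0, failures


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    passed, failures = gate(text)
    for rule_id, sev in failures:
        print(f"FAIL [{sev}] {rule_id}")
    print("gate:", "PASS" if passed else "BLOCK")
    sys.exit(0 if passed else 1)
```

Run it as a pipeline stage after the scan; a non-zero exit stops the image or node from being promoted, while the full failure list still goes to the audit trail.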
Technology considerations: monitoring
– Host, container, and application monitoring
– Root cause analysis and remediation
– Data store for trending and archival analysis
– Canned metrics and dashboards
– Software as a service (SaaS) versus an on-premises monitoring approach
– Open source versus pay-for products
– Monitoring tools: CloudForms, SysDig, Datadog, CoScale, Prometheus/Grafana
Top five layers to monitor (source: SysDig): application, services, Kubernetes deployment, Kubernetes internals, host nodes.
Technology considerations: resource management
– Developers are not good at sizing estimates
– Tendency to overcommit resources
– Overprovision for “safety”
– Leads to inefficient CPU and memory usage
– Magnified exponentially with thousands of pods
– Analyser tools: cAdvisor, Prometheus/Grafana, Densify, Turbonomics
PoC to production configuration considerations

| | PoC, Dev/QA, or SMB deployment | Mid-range production configuration | Enterprise production starter configuration (bare metal) |
|---|---|---|---|
| Deployment scenario | All services, masters, workers on VM (with persistent storage supported), HA supported | VM or bare metal workers with persistent storage | All services, masters, workers on bare metal |
| Total physical nodes | 3 nodes | 6+ nodes | 8+ nodes |
| Number of instances | All on VMs: 3 master, 3 etcd, 3 infrastructure, 2 high availability (HA) proxy, 3 workers | 3 masters/etcd, infrastructure, HA proxy on VMs over 3 physical nodes; 3+ physical nodes for N number of workers on VMs or bare metal | 3 nodes: 3 master, 3 etcd; 2 nodes: infrastructure, HA load balancer, and HA registry management tools, such as Ansible Tower; 3+ nodes: k8s workers on bare metal |
| Key SW | OpenShift; Red Hat Hyperconverged Infrastructure (RHHI) | OpenShift, RHV + external storage array; or OpenShift, RHHI (for SW-defined storage) | OpenShift; monitoring, logging, billing apps; persistent storage plugin |
Accelerate OpenShift adoption with HPE
Deployment scale from development to production, with operations optimized:
– Accelerate developer productivity
– Simplify the IT experience
– Consistent platform from Dev to Ops
– Reference architectures and HPE OpenShift solutions (services component, ecosystem, deployment guide, and automation)
HPE Composable Systems: the ideal container platform
Solution for enterprise-scale container deployment (HPE Synergy and 3PAR/Nimble):
– Centralize container life cycle management: reduce updates from hours to minutes
– Advanced container data management: data protection and storage efficiency for containers
– Flex container resources up and down: efficient resource allocation by business demands
– Deploy containers at cloud-like speed: improve application time to value
Data management and protection
Use cases for persistent storage with Red Hat OpenShift
Lift and shift
– LAMP apps, ERP systems
– From VMs or bare metal
CaaS
– Self-service for developers
– Secure and predictable
DevOps CI/CD pipelines
– Jenkins, Microsoft® VSTS, CircleCI
– Release more, faster, and better
IT operations
– Atlassian tools, ELK stack, LAMP apps
– Simplified security—easy to manage
(Diagram: Build, Ship, Run; apps ABC and XYZ)
Hardware versus software

| Capability | External storage | Software-defined storage |
|---|---|---|
| Consistency model | Synchronous | Eventually consistent/tunable |
| Data services | Snapshot, clone, async/sync replication | Varies |
| Performance | Sized to workload | Limited – server bound |
| Storage reduction | Dedupe, compress, thin | Requires multiple copies (replicas) |
| Scale and grow | As needed | Need storage – add compute |
| Efficiency | Data processed externally | Compromised app latency |
| CAPEX/OPEX/TCO | High / Low / Low | Low to Extremely High / High / High |
| Protocol | FC / iSCSI / NFS | Container only, block, object, NFS |
| Security | Granular encryption | Varies |
| Backup, recovery, archive | Strong, built-in | Weak – varies, high impact RTO |
| Reliability, availability, serviceability | Unmatched – fully integrated | Questionable |
| Cloud native | Storage-as-a-Service | Self-hosted |

(Diagram: data path for external storage, app on OpenShift through kernel VFS to the array, versus software-defined storage (SDS), where the SDS layer sits in the kernel VFS path alongside the app on OpenShift)
Solution: HPE Persistent Storage platform for containers
Speed up DevOps
– Self-service automation: rich container platform integration
– Comprehensive REST APIs: plug into Ansible, Puppet, Chef
Simplify container operations
– Container QoS, security: IOPS, encryption
– Container data protection: clean up and retention for snaps and clones
– Simple, fast, efficient: predictive flash for six-nines availability, support
Lift and shift data with applications
– Multicloud onramp for data using HPE Cloud Volumes
– Onboard data easily by instantly converting legacy volumes to persistent volumes
HPE Persistent Storage platform for Red Hat OpenShift
Stack (diagram), bottom to top: 3PAR and Nimble Storage arrays; HPE Docker Volume plugins (plugin Unix socket, Docker Volume API); FlexVolume driver, FlexVolume plugin, and Provisioner; OpenShift Container Platform 3.5 to 3.9 and OpenShift Origin. Open APIs + HPE Storage open-source software* (*https://github.com/hpe-storage/dory). Coming soon: HPE Cloud Volumes.
HPE Nimble Kube Storage Controller overview
Features
– Lifecycle: highly available, volume scoping, user-defined descriptions, control remove and detach behavior
– Performance controls: performance policies; QoS limits (IOPS and throughput)
– Volume placement: pools and folders
– Protection templates: snapshot schedules and retention; array-to-array and HPE Cloud Volumes
– Security: encrypt data at rest; set mount point UNIX permissions
– Provisioning: specify thin or thick provisioning; up to 127TB volumes (default size 10GB)
– Dedupe & compression: variable block size
– Zero-copy clones: reuse data from production containers
– Volume import: seamless data migration; clone a Nimble volume in a Docker Volume

Parameters (legacy Docker volume options, one or more per feature above):

```yaml
# lifecycle
description: "My Description"
destroyOnRm: "true"
# performance controls
perfPolicy: "SQL Server"
limitIOPS: "32000"
limitMBPS: "512"
# volume placement
pool: "allflash"
folder: "My Tenant"
# protection templates
protectionTemplate: "local-cloud"
# security
encryption: "true"
fsOwner: "8192:500"
fsMode: "0755"
# provisioning
thick: "true"
sizeInGiB: "4000"
# dedupe & compression
dedupe: "true"
# zero-copy clones
cloneOf: "MyDockerVol1"
snapshot: "MySnapshot"
createSnapshot: "true"
# volume import
importVol: "MyNimbleVol1"
importVolAsClone: "MyNimbleVol1"
snapshot: "MySnapshot"
```

The same parameters carried by a StorageClass, consumed by a PersistentVolumeClaim:

```yaml
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: my-storage-class
provisioner: hpe.com/nimble
parameters:
  description: "My Description"
  encryption: "true"
  limitIOPS: "1000"
  perfPolicy: "My Policy"
  protectionTemplate: "my-prot-1"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: my-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 500Gi
  storageClassName: my-storage-class
```
HPE Pointnext Services for OpenShift
OpenShift container service considerations
Container and cloud adoption is not trivial. Phases: discovery, design, pilot, deployment.
– Overall business objectives
– Determine application migration strategy
– Review networking, security, and storage requirements
– Define system architecture
– Define and implement PoC
– How best to containerize the app
Continuous integration and deployment pipeline: dev; build and test; package and archive; release and deploy.
Announcing HPE cloud native container service for OpenShift
Phases: discovery, design, deployment, pilot or trial workload (test and evaluate), production.
– Review application requirements
– 2–3 day workshop to gather requirements and define integrations
– Create design
– Deploy container platform environment
– Pilot containerized applications
– Move to production
Plan for success
Move from PoC to production—Key success factors
– Implement best practices and address issues/learnings from the PoC (people, process, technology)
– Have a complete OpenShift container ecosystem in place: HA, security, monitoring, data management, etc.
– Determine CAPEX vs OPEX; plan whether to do it yourself or partner
Accelerate this path with HPE + Red Hat
Resources and key contacts
Reference configuration
– Reference configuration for Red Hat OpenShift Container Platform on HPE Synergy Composable Infrastructure: hpe.com/V2/GetDocument.aspx?docname=a00038916enw
– Video: hpedemoportal.ext.hpe.com/search/Automated deployment of Red Hat OpenShift on HPE Synergy
HPE platform
– hpe.com/info/composableprogram
– hpe.com/us/en/storage/containers.html
Red Hat OpenShift Container Platform datasheet
– redhat.com/en/resources/openshift-container-platform-datasheet
GitHub repositories
– github.com/RHsyseng/ocp-on-synergy
– github.com/HewlettPackard/image-streamer-reference-architectures/tree/master/RC-RHEL-OpenShift
HPE contacts
– Ka Wai Leung, Containers Solutions Product [email protected]
– Gary Lee Harris, Pointnext Container [email protected]
– Michael Mattsson, HPE Storage Tech Marketing
– Bob Zepf, HPE Strategic Alliances
Thank you