MicroservicesTV Episode 18 – Kubernetes, Istio, & Project Calico at KubeCon 2017

Hi, welcome back to another episode of microservicesTV. This week we’re on location at KubeCon 2017 in Austin, Texas, and I have Chris working with me here. We’re going to go over some of the greatest announcements that we’ve had this past week, and just what is blowing up around microservices, containers, Kubernetes, and where we’re looking to move for some of that. So why don’t you intro yourself and then we’ll jump into it.

Sure, my name’s Christopher Liljenstolpe. I am the CTO for Solutions and one of the Co-Founders of Tigera, home of Project Calico and a number of other open source projects that we’re working on as part of this community.

So if you’ve been paying attention to microservicesTV, you’ve probably been under an inundation of other Cloud Native, containerization, next-generation application news, where Kubernetes has kind of won the mind-share of the next-generation platforms. There’s a lot that it’s doing, but there’s also a lot that the community is still building into it, contributing to, and kind of growing as well. So why don’t you give us a little overview of what Kubernetes is, and then one of the biggest projects and one of the hottest projects this week, Istio.

Sure, so Kubernetes is really a Cloud Native, microservices-focused orchestration system. So it’s a way of very easily describing your applications, defining your applications, componentizing them, and deploying them in an automated, scalable, self-healing manner. It works, as we’ve seen recently, on any of the major cloud platforms, as well as private cloud, etc. It seems to have, as you said, won the battle as far as application deployment environments. As far as Istio: one of the things is that Kubernetes is actually mainly a scheduler and orchestration system. It relies on other components to deliver other parts of the overall solution. So there is plugin infrastructure for things like networking and storage, etc., but there’s another major component of this new microservices world, which is what’s called the Service Mesh: the ability to take your applications and have them dynamically find the other things they need to talk to, allowing them to enter, to communicate, to do so in a secure manner, load-balanced, adjusting for failure, etc. Istio is a platform that provides a Service Mesh. It’s a project that was originally kicked off by IBM and Google and has now gotten a number of other contributors like Tigera, the company I work for, Red Hat, and others. So there’s a lot of industry momentum now behind Istio as the thing that will provide your Service Mesh, your application layer connectivity for your application stack.

And one of the major tenets, or one of the founding principles of microservices and distributed systems done right, and some of the other pieces there, is, you know, the smart endpoints, dumb pipes type of mentality. And that’s really what we’re seeing here, where, like you said, Kubernetes is the application scheduler and Istio is now more the smart endpoints, with the combination of the policies and Envoy as the sidecar proxy, being able to really, at a super fine-grained level, touch on everything that you need, from routing, security, and all the other pieces in there. What is some of the work that Tigera and Calico are doing around this to make that even more programmable, down to the API level?

Sure. So, a little background on Project Calico, which is one of our open source projects: we have a networking and network security layer that plugs into Kubernetes, as well as other orchestration platforms, and that allows you to define in a very explicit way security policy at the network layer. So you can say things that are LDAP servers can receive traffic from things that are LDAP clients using LDAP protocols. That’s something we can do at the network layer. Istio has the same kind of capabilities at a much finer-grained application level, and not everything is going to use gRPC, HTTP, etc., and so the networking layer is important. You know, there’s a lot of legacy stuff out there, but for the more modern things, Istio provides the same level of capability, only at the application level. As in, am I allowed to make this kind of call to that endpoint? What we’ve done, in conjunction with IBM and the rest of the Istio community, is developed some capabilities within Calico to allow you to define a single policy, saying that this kind of endpoint can talk to this kind of endpoint making this API call, and the same policy will then be rendered and functional from the networking layer up through the application connectivity. So from layer 3 to layer 7; so instead of maintaining a separate policy for network and another policy for applications, you now have a single security policy that works across all the layers. You as a developer don’t need to think about where it’s going to be deployed. You just write the policy and the platform figures out where to put it. And that goes as far as also bringing in things like TLS encryption as an authentication and security mechanism. People are now more and more concerned about the sort of Zero Trust: how do I work across an infrastructure that is not really trustworthy? One of the ways is doing what we just talked about, but also grafting encryption onto it, something Istio does, which can be controlled by policy, such that you know the endpoints you’re talking to are the endpoints that you think you’re talking to, and that communication is secured and encrypted and away from prying eyes.

When I was reading some of the press releases and some information on this, it’s really, you know, a testament to how far we’ve come from an App Dev / Enterprise Architecture / Cloud Native / kind of Next-Gen system. I still remember, and I’m possibly dating myself, when, you know, some of the new features in WebSphere Application Server were security by default, and that was a big thing, and everybody was pushing back on that. Whereas now you mentioned Zero Trust, that’s kind of assumed now, where, when we’re looking at developing new systems and working with their systems, you want to make sure you know everyone who’s calling your service. You want to build that in from Day One; you don’t want to have any open holes, be it, you know, outside the firewall, inside the firewall, regardless of your API Gateway, and just kind of start building that from Day One and Day Zero, being able to do that. So that’s a lot of great information there.

Sure. I mean, I think it goes to the Zero Trust Model. This is something that we’ve known academically in security for quite some time, that you really can’t trust. There is no such thing as a sterile interior. Unfortunately, many people on the more practical side of the world have thought that if they build a perimeter, build a firewall, everything on the outside is bad, everything on the inside is good; once you got through that firewall, you’re sterile, you’re clean. There have been so many examples over the last couple of years where that’s been patently untrue. I can think of credit rating agencies, large retailers, and many other people who have been schooled in the fact that the internal infrastructure is not only as untrustworthy as the outside, but possibly even more so. So I think what we’re seeing here, and the community is more and more into it, and we’re hearing it today already in this conference, is this concept that you can’t trust anything unless you’ve actually evaluated it and applied controls to reach a specific level of trust. The concept of Zero Trust networking, and things like Istio and Calico together, can help you get a long way to reaching a Zero Trust model within your organization.

You mentioned this week; all the things we’ve done this week have just shown how far we’ve come, and I’m anxious to get this episode published and get some feedback from our viewers, because, leading up to this week, all I’ve heard about is Istio. The Istio Summit today has been pretty well packed.

Pretty beyond packed.

How many times did they reorganize the room?

They reorganized the room about 3 times to fit more people into it.

So it’s definitely something that is on the tip of everybody’s mind here, and this is even before the conference has officially kicked off. So I’m interested to see where it goes this week, and as far as keynotes and sessions and workshops, this is going to be a great week.

Very interesting keynote on Thursday, where we’re gonna be talking about small stuff we’ve released and crypto, etc. So there’s an Istio keynote on Thursday where we’re gonna be discussing this and actually giving a demonstration, so if anyone watching this is going to be at KubeCon, you should come to some of those keynotes and other things. I think one of the things that we haven’t talked about in the Kubernetes community is it really is a community. There are a bunch of individuals and companies that are collaborating together, that are, you know, sometimes partners, sometimes competitors, but we see this as a big enough shift in the industry that we realize we all have to get this right. Now I think what’s been amazing is to watch how everyone is coming together, contributing to projects, and it’s just been a really interesting thing to watch.

Well, from the Istio workshop this morning, there were participants from IBM, from Google, from Microsoft, basically everybody having their own Kubernetes platform, where again we’re all coming up together and kind of bringing a similar platform to everybody else, and then layering again the community aspects of that with Istio and everything else, just to have that universality of Cloud Native and next-generation distributed systems. So I’m really looking forward to where we go from here, and I hope that if the conference is anywhere near as successful as today was, it’s gonna be a great week.

I agree.

Alright, thank you for watching everyone.
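The "single policy from layer 3 to layer 7" idea discussed in the episode, written out as an added example; this is not from the episode, from Tigera, or from the Calico project's own documentation. It uses the Calico v3 GlobalNetworkPolicy format. The label values (app == 'ldap-server', app == 'ldap-client', app == 'accounts-api'), the service account name accounts-web, and the /accounts path are constructed for illustration. The first policy expresses the LDAP-server/LDAP-client rule from the interview purely at the network layer (selector, protocol, port), so it applies to workloads with or without a sidecar. The second policy adds the application-layer part (HTTP method, path, and the calling service account) in the same rule format; those fields are evaluated by the Envoy sidecar via Calico's application layer policy integration with Istio, so they only take effect for workloads that run the sidecar.

```yaml
# Constructed example: one policy format covering L3/L4 and L7 rules.
# Policy 1: network-layer only. LDAP servers may receive LDAP (TCP 389/636)
# only from workloads labelled as LDAP clients. Enforced on the node for every
# workload, sidecar or not.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: ldap-clients-to-ldap-servers
spec:
  selector: app == 'ldap-server'          # hypothetical label
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'ldap-client'    # hypothetical label
      destination:
        ports:
          - 389
          - 636
---
# Policy 2: same format, with application-layer matches added. Only the
# accounts-web service account may call GET on /accounts/... of the accounts
# API. The selector and port parts are enforced at the network layer; the
# serviceAccounts and http parts are enforced by the Istio sidecar (Envoy)
# through Calico application layer policy, so the L7 checks apply only to
# pods that have the sidecar injected.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: accounts-web-to-accounts-api
spec:
  selector: app == 'accounts-api'         # hypothetical label
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        serviceAccounts:
          names:
            - accounts-web                # hypothetical service account
      destination:
        ports:
          - 8080
      http:
        methods:
          - GET
        paths:
          - prefix: /accounts/            # hypothetical API path
```

Because both policies are written against the same object type, a single review of the policy set answers the "who may talk to whom, and with which call" question for legacy protocols such as LDAP and for HTTP services alike. When checking such a policy, confirm separately that the workloads you expect to be covered by the HTTP rules actually have the sidecar, since the L7 matches are not evaluated for workloads that do not.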