Confidential │ ©2020 VMware, Inc.
Building Kubernetes images at scale with Tanzu Build Service
May 2020
Alexandre Roman
Solution Engineer, VMware Tanzu
Alexandre Roman
Solution Engineer, VMware Tanzu
@Alexandre_Roman
/alexandreroman
Agenda
Building a secure software supply chain
Leveraging Tanzu Build Service
How Build Service fits in the Tanzu portfolio
Modernize your applications
Live demos
Look ma: no Dockerfile!
Building a secure software supply chain
Leveraging Tanzu Build Service
Building secure Docker images is hard
Keeping Docker images secure is even harder
Case study: OpenSSL CVE-2016-6304
Typical NodeJS app, built with a custom base image: everything works just fine.

Base OS image:
  FROM alpine
  RUN apk add --update openssl
  ...

NodeJS:
  FROM baseimage
  RUN apt-get install nodejs
  ...

App:
  FROM nodejs
  COPY myapp .
  RUN npm install
  ...
Until that day... a new critical CVE is made public, and it affects the Base OS image (FROM alpine / RUN apk add --update openssl), on which the NodeJS image (FROM baseimage) and the App image (FROM nodejs) are both built.
How long does it take to fix all these containers?
What if you had to update 200+ containers at once?
Individually managed Dockerfiles: done wrong
➔ App #1: Custom NodeJS on Ubuntu Trusty
➔ App #2: NodeJS RPM on CentOS
➔ App #3: Official NodeJS on Alpine
➔ App #4: Patched NodeJS (abc768c)
ETA to mitigation: months, years…?
Operator managed Dockerfiles: done right
➔ App #1: Corp NodeJS on Ubuntu Trusty
➔ App #2: Corp NodeJS on Ubuntu Trusty
➔ App #3: Corp NodeJS on Ubuntu Trusty
➔ App #4: Corp NodeJS on Ubuntu Trusty
ETA to mitigation: time to re-build, re-test, re-deploy these apps
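As an added example (not from the deck), a small Python model of the layered Dockerfiles and the "200+ containers" question: it parses the FROM lines of constructed Dockerfiles, builds the base-image graph and lists which images must be rebuilt, parents first, once one base image is patched. The tags baseimage, nodejs and myapp mirror the slides; otherapp and pyapp are constructed additions.

```python
"""Which images must be rebuilt when a base image gets a security fix?
Constructed model of the layered Dockerfiles (Base OS -> NodeJS -> App): parse
FROM lines, build the base-image graph, return the transitive rebuild set."""
import re
from typing import Dict, List

# Constructed Dockerfiles keyed by the tag each one produces.
DOCKERFILES: Dict[str, str] = {
    "baseimage": "FROM alpine\nRUN apk add --update openssl\n",
    "nodejs":    "FROM baseimage\nRUN apt-get install nodejs\n",
    "myapp":     "FROM nodejs\nCOPY myapp .\nRUN npm install\n",
    "otherapp":  "FROM nodejs\nCOPY otherapp .\nRUN npm install\n",
    "pyapp":     "FROM python:3.8-slim\nCOPY . .\n",  # unrelated base, untouched
}

# One match per build stage: FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.I | re.M)

def rebuild_order(dockerfiles: Dict[str, str], patched: str) -> List[str]:
    """Tags that transitively build on `patched`, topologically sorted
    (Kahn's algorithm) so each image follows all of its affected parents."""
    parents = {tag: FROM_RE.findall(df) for tag, df in dockerfiles.items()}
    children: Dict[str, List[str]] = {}
    for tag, bases in parents.items():
        for base in bases:
            children.setdefault(base, []).append(tag)
    # 1. every image that directly or indirectly builds on the patched one
    affected, stack = set(), [patched]
    while stack:
        for child in children.get(stack.pop(), []):
            if child not in affected:
                affected.add(child)
                stack.append(child)
    # 2. order the affected sub-graph; unaffected parents need no rebuild
    indeg = {t: sum(p in affected for p in parents[t]) for t in affected}
    ready = [t for t in dockerfiles if t in affected and indeg[t] == 0]
    order: List[str] = []
    while ready:
        tag = ready.pop(0)
        order.append(tag)
        for child in children.get(tag, []):
            if child in affected:
                indeg[child] -= 1
                if indeg[child] == 0:
                    ready.append(child)
    return order

if __name__ == "__main__":  # fan-out of a fix to the alpine/openssl layer
    print("alpine patched ->", rebuild_order(DOCKERFILES, "alpine"))
```

With one corporate base (the "done right" slide) the whole rebuild set comes out of a single query; with four unrelated bases the same CVE has to be chased through four separate graphs.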
We can do better
Introducing Cloud Native Buildpacks
An API for creating pluggable, modular tools that translate source code into OCI images
Goals
❏ Portability via the OCI standard
❏ Greater modularity
❏ Faster builds
❏ Reproducible image builds
❏ Unprivileged containers
❏ Widely adopted standard
An easy way to build Docker images
Buildpacks timeline: 2011 · 2013 · 2015 · 2018 · 2020
They use Cloud Native Buildpacks
What happens when you build a container with buildpacks
Lifecycle: detect → restore → analyze → build → export → cache
Lifecycle: Detect
➔ Tests groups of buildpacks against source, in order (via each buildpack’s detect binary)
➔ First group that passes is selected
Example: the groups [Node CNB + NPM CNB] and [Node CNB + Yarn CNB] are tested against src/ (package.json, yarn.lock, ...)
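As an added example (not the lifecycle's own code), a Python model of the detect phase just described: two constructed groups, Node + Yarn and Node + NPM, are tested in order against an in-memory app source, and the first group whose buildpacks all pass is selected. The group order and the detect rules are assumptions made for the example.

```python
"""Toy model of the buildpack lifecycle's *detect* phase: the lifecycle runs
each ordered group's detect functions (standing in for the detect binaries)
against the app source and selects the first group in which every buildpack
passes. Constructed example, not the CNB lifecycle's real implementation."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Source = Dict[str, str]        # in-memory app source: path -> contents
Detector = Callable[[Source], bool]

@dataclass(frozen=True)
class Buildpack:
    id: str
    detect: Detector           # this toy treats every buildpack as required

# Constructed buildpacks mirroring the slide: a Node runtime CNB plus Yarn / NPM CNBs.
node_cnb = Buildpack("node", lambda src: "package.json" in src)
yarn_cnb = Buildpack("yarn", lambda src: "yarn.lock" in src)
npm_cnb = Buildpack("npm", lambda src: "package.json" in src)

# Group order is an assumption: Yarn is tried before NPM so a yarn.lock wins.
ORDER: List[List[Buildpack]] = [[node_cnb, yarn_cnb], [node_cnb, npm_cnb]]

def detect(order: List[List[Buildpack]], source: Source) -> Optional[List[str]]:
    """Ids of the first group whose buildpacks all pass, or None (build fails)."""
    for group in order:
        if all(bp.detect(source) for bp in group):
            return [bp.id for bp in group]
    return None

# Constructed app sources
YARN_APP: Source = {"package.json": "{}", "yarn.lock": "# yarn lockfile v1"}
NPM_APP: Source = {"package.json": "{}", "package-lock.json": "{}"}
STATIC_SITE: Source = {"index.html": "<h1>hi</h1>"}

if __name__ == "__main__":
    for name, src in (("yarn", YARN_APP), ("npm", NPM_APP), ("static", STATIC_SITE)):
        print(f"{name}: {detect(ORDER, src)}")
```

Because the Yarn app also satisfies the Node + NPM group, reversing ORDER changes the selection, which is why group order is part of a builder's definition and not left to chance.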
Lifecycle: Restore & Analyze
➔ Metadata about OCI layers generated during a previous build is made available to buildpacks
Lifecycle: Build
➔ For the previously-selected group, executes each buildpack’s build executable in order against the source (src/: package.json, yarn.lock, ...)
Lifecycle: Export & Cache
➔ Assembles final layers into image
➔ Combines information from analyze phase to ensure only changed layers are updated
+ = Build Service
Introducing Tanzu Build Service
Take control of your container image supply chain
Enterprise delivery toolchain around Build Service: OCI Runtime Platforms, Image Repositories, Security Scanning, CI/CD Pipelines
What goes into an image:
➔ Stack: base image, regularly patched
➔ Buildpacks: provide middleware, modular, dictate image layers
➔ Your Application: broad language support, built from source
Tanzu Build Service is a kpack distribution tailored for enterprise needs
Leveraging open-source components
kpack
Build Service
powered by Tanzu buildpacks
Hello Tanzu Build Service
Declarative Configuration Model:
➔ Tell Build Service what you want your app to look like by creating an image configuration, and Build Service will build against it and keep it up to date when new dependencies are available.

myapp-image.yml:
  source:
    git:
      url: https://github.com/alexandreroman/myapp.git
      revision: master
  build:
    env:
    - name: BP_JAVA_VERSION
      value: 11.*
  image:
    tag: harbor.withtanzu.com/alexandreroman/myapp

What you need to do to build an image:
  $ pb image apply -f myapp-image.yml
Build Service nicely fits in your existing pipeline
Add Tanzu Build Service to your CI/CD workflow
Compile and run tests with your existing tool:
Jenkins / GitLab / Concourse / etc
How Build Service fits in the Tanzu portfolio
Modernize your applications
VMware Tanzu + Pivotal Labs
Comprehensive stack to modernize your applications
BUILD: Dev Framework (Spring), Tanzu Application Service, Tanzu Build Service, Tanzu Application Catalog (powered by Bitnami)
RUN: Application Runtime (Tanzu Kubernetes Grid | PKS) on Modern Infrastructure (VCF, VMC, Public Cloud, Edge)
MANAGE: Tanzu Mission Control, Wavefront
Pivotal Labs services
Live demos
Look ma: no Dockerfile!
Resources
It’s dangerous to go alone: take this!
Source code:
➔ github.com/alexandreroman/cnb-springboot
➔ github.com/alexandreroman/cnb-nodejs
➔ github.com/alexandreroman/cnb-javawar
➔ github.com/alexandreroman/cnb-php
➔ github.com/alexandreroman/kpack-at-scale-demo
Let’s keep in touch!
Sources:
➔ The Heartbleed Bug
➔ NSA Said to Have Used Heartbleed Bug, Exposing Consumers
➔ Oracle JRE : Security Vulnerabilities Published In 2019
➔ Top ten Docker images contain over 8000 vulnerable paths
Evaluate kpack / Tanzu Build Service:
➔ github.com/pivotal/kpack
➔ tanzu.vmware.com/build-service
@Alexandre_Roman
/alexandreroman
Want more?
I’ve got you covered
Using Tanzu Kubernetes Grid to
Deploy Kubernetes with Ease
May 13th
Tanzu Observability for Spring
Boot Applications
May 19th
Reactive Spring Virtual
Workshop
May 20th
SpringOne 2020 Virtual Event
Starting September 2nd
Thank You