Running Containers in Production
Thijs Ebbers
The ING Story
San Diego, November 18th 2019
Thijs Ebbers
ING Enterprise Architect, Infrastructure Domain
Currently working on:
• ING’s Cloud Native Journey
• Container Hosting (“Kubernetes”)
• Data Services (Object (“S3”) & File Services (“NFS”))
• and all the Risk/Security topics touched by this innovation
Introduction
ING is a global financial institution with a strong European base, offering retail and wholesale banking services to
customers in over 40 countries. The purpose of ING is empowering people to stay a step ahead in life and in
business.
ING Bank has more than 52,000 employees. As at the end of 2018, we had 38.4 million retail customers, with 12.5
million considered primary customers.
About ING
ING is transforming itself with a bold strategy towards a
digital bank. The transformation is happening now.
“In the end, our digital future and the move to ecosystems, lies with IT. The IT transformation comes with big investments (EUR 800 million in the coming five years) and a dictionary: ING Private Cloud, Modular Architecture and Bank-wide Shared Services.”
Strategy day 2016
“IT has an important contribution to laying the foundation for further convergence that drives faster time-to-market, improves cost efficiency and improves customer experience.”
“To implement the Think Forward strategy and to unite IT we introduced the Concept of One”
Source: IT Strategy webcast Feb 2017
Ralph Hamers, CEO ING Group
Ron van Kemenade, CIO ING Group
ING One Way Of Working
E2E responsibility
• Bus, Dev and Ops
• Full life cycle; from cradle to grave
• Full stack: Risk, compliance, LCM, etc.
Customer Journey experts, Dev and Ops Engineers in one team (Squad) working together on the solution and run. All required knowledge and access rights in ‘one hand’.
Shift of responsibility
• BizDevOps responsible for full stack
• Infra consumption
• Self-serve Infra
What does a BusDevOps team look like, and how does it contribute to Accelerate?
• Removes handovers
• Focuses on value delivery
What is the impact?
• Full stack engineering in Squads: different mindset & capabilities
• Organisational change; Dev and Ops together in one team
We minimize the number of handovers by making the teams responsible for the full lifecycle and full stack.
Communicating a paradigm shift like the move from “traditional IT” to “Cloud Native” to the involved stakeholders is hard…
What helps is having a model. Although a model is by definition never an exact representation of reality, it helps you to visualize relevant information in the discussions with the various parties (like management, risk, engineers, auditors, suppliers, …).
Dealing with a paradigm shift
Image courtesy of: https://twitter.com/danieldibswe/status/1169485819993841664
The Cloud Native ecosystem Kube
» A model of a Cloud Native ecosystem without local persistency (“12 Factor”) and fit for a regulated Enterprise
» Purpose: To make you familiar with the concepts & terminology
» Not to be confused with the CNCF’s Cloud Native landscape (https://landscape.cncf.io/)
The Cloud Native ecosystem Kube - The real short explanation
» It’s not just about Kubernetes!
» Clear demarcation between provider and consumer (“Namespace-as-a-Service”)
» DevOps team is autonomous within its namespace(s)
» Workloads are “Immutable”, “Stateless” & “Short Living”
» Data is persisted externally in Data Services
» “Shift Left” of security controls into the pipeline & the production cluster is hands-off
» Automate Everything!
» (full explanation in the reserve slides ;-))
No ☺.
The container platform, relational database platform, event bus, security services, CI/CD platforms and network platforms are all live and in production (however improvement opportunities are always present…).
The object storage platform is in beta and will go in production in 2020.
In the rest of this presentation we will focus on ING’s Kubernetes platform (using the OpenShift 3.11 OKD distribution, moving towards 3.11 Enterprise), called ICHP (ING Container Hosting Platform).
Is this just a model?
The ING Container Hosting Platform is a container management framework platform, part of the IPC (= ING’s corporate Private Cloud) family, designed to host all ING’s 12-Factor/Cloud-Native applications. ICHP Objectives:
1. Bring self-service capabilities to engineers
• Multiple data grade hosting levels: non-production & production
• Multiple resilience levels: active-passive, active-active, TPA (= ING’s proprietary Service Mesh; A-A client side load balancing)
• Multiple consumption patterns. Namespace(s) in: Shared Multitenant clusters (default) / Dedicated Nodes in shared Multitenant clusters (near future) / Dedicated clusters (future)
• Hands-off operations in production clusters
• 2nd day operations, for instance resize namespace, firewall automation, etc.
2. Deliver a service that is compliant with the latest insights from risk & compliance
• In line with ING corporate risk & security standards
• Have an agreed and publicly available risk profile for the service offering (“in control statement”)
• CAS (= Corporate Audit Services) performs regular audits to ensure validity of the in control statement
3. Ensure users are happy with the services
• Deliver what is promised
• Hide the complexity of maintaining Kubernetes infrastructure
• Reliable uptime
What is ICHP?
What does an ICHP deployment look like?
Legend: Yellow = Consumer, Blue = Provider
This describes the minimum footprint of a (set of) cluster(s).
It can be deployed on Bare Metal or VM. It can be deployed on-premise or on public cloud.
Max impact for a single node failure: 25% (hence we expect minimal customer impact).
A cluster will survive an availability zone outage, however with customer impact.
Patterns within ICHP
Multi-tenant (Default)
• Shared environment in IPC (ING’s corporate Private Cloud)
• Pay-per-request
• Platform Compliancy Evidence delivered as part of the service
Additional Isolation in Multi-tenant (roadmap item)
• “Dedicated Nodes” in IPC
• Build to order system, delivery of the pattern can take up to 2 months
• Shared cluster environment
• Dedicated hardware for one (set of) consumer(s), no pay-per-use
• Platform Compliancy Evidence delivered as part of the service
Single-tenant (only after CIO approval)
• “Dedicated Cluster” in IPC
• Build to order system, delivery of the pattern can take up to 2 months
• Dedicated hardware for one (set of) consumer(s), no pay-per-use
• Platform Compliancy Evidence delivered as part of the service
Local deployment (only after Group CIO approval)
• Systems are located in local datacenters (e.g. Australia, Turkey, …) for latency and/or regulatory purposes, allowing a smoother migration towards IPC (ING’s corporate Private Cloud) with less risk
• Systems are to be deployed/managed according to ICHP principles, design & procedures
• Build to order, delivery can take months
• Local IT organization assumes Risk & Compliance responsibility in case of deviations
As of today the following features exist within ICHP
• Request a “project” via our Self-Service portal, which gives you in our shared multitenant clusters:
• A K8S Namespace with the requested #CPU & #Memory in both the primary and secondary DC
• A dedicated SDN attached to your namespace (per cluster)
• A dedicated Egress IP attached to your namespace (per cluster)
• A secret you can use to connect your Deployment Pipeline to the namespace (per cluster)
• A registration of the project in the CMDB on your behalf (note: we do not register container instances!)
• The capability to delete a “project” (note: it must be empty for the operation to succeed!)
• Request to add firewall rules to open traffic to/from your “project(s)” from outside the K8S clusters (note: you will still need to create ingress/routes inside the cluster!)
• The capability to resize (CPU/Memory) a “project”
• Dedicated Prometheus instance per namespace for application events
The following features are on the roadmap
• Dedicated nodes to host your projects on
• Dedicated clusters to host your projects on
• Project requests via API calls
What is available in ICHP today?
• In Asia, as of November 2018, ING went live with its fully digital, mobile-only bank in the Philippines: https://www.ing.com.ph/
The front-end of this bank is hosted on ING’s container hosting platform.
• In Europe multiple ING application landscapes have started onboarding ING’s container hosting platform as of May 2019.
• In October 2019 DARE went live. DARE is a global ING-AXA partnership to launch a digital protection (“Assurance”) platform across six different markets within the ING Challenger & Growth division. DARE will provide innovative protection integrated in ING digital channels. DARE consumes services of our One Technology Platform to enable rapid global scaling.
• It is expected that the majority of ING’s APIs will eventually be hosted on ICHP, constructing services like ING’s digital channels, fraud detection, data lake analytics, etc.
What are we (going to be) hosting?
What did the container squad spend their time on?
[Chart: breakdown of where the container squad spent its time. Values shown: 30, 8, 20, 6, 7, 7, 4, 4, 10, 4 (summing to 100); the extraction does not preserve which value belongs to which category.]
Categories:
• Risk Evidence / Compliance
• Security Improvements
• Implementing / Tuning Monitoring
• Educating internal customers
• Automation of K8S deployment
• Building Self-Service Capabilities
• PoC's
• Travel (global squad, global customers)
• Integration with other services
• Actual K8S configuration/operations
In 2 years’ time:
18 FTE container squad (equally spread over Amsterdam, Frankfurt & Katowice)
1 FTE architecture (3 architects spending part of their time (50/25/25))
1 FTE product owner
The ambition is to grow the footprint of the container landscape without growing the container squad, by automating everything.
• Communicating a paradigm shift is hard, use any advantage you can get…
• A container hosting service is only part of the cloud-native eco-system you need…
• ING is NOT aiming to rehost VM’s to containers… The purpose is to have the best possible hosting environment for 12-factor apps!
• If a DevOps team manages to properly refactor their VM into a set of container images they are welcome
• Hands-off approach in production. If teams do not feel comfortable with this they should stay on VM’s!
• Automate Everything!
• Design for failure (instead of failing to do a proper design…)
• A Namespace-as-a-Service fits our Way-of-Working, perhaps yours too?
• Kubernetes/OpenShift is only a small (although very important) part of the time spent to build/run a container hosting service…
• Being in a regulated industry is not always fun…
• Tuning Monitoring is an Art, which takes time to Master…
• Find the right partners, both within and outside your own enterprise
Conclusions
Questions
Thank You!
Slides available on :
https://www.slideshare.net/ThijsEbbers/
Reserve Slides
Side 0 – The DevOps Team’s input:
» Container Image
• Immutable, Stateless, Short Living
• Base Image (the “operating system”)
- Where was it obtained?
- Is it vulnerability free?
- Who will provide patched versions (in time…)?
• Code (standard SDLC)
» Deployment Config
• YAML files containing all information needed to deploy an image successfully
» Network Config
• All information needed to have communication paths outside the cluster to/from your application in place
Side 1 – The Data Services:
» Defined by Bindings
• Data Service instance location + secrets to connect to it + driver (optional)
» Purposes:
• To persist your state outside the cluster
• To push out logs & events
Side 2 – The Security Services:
» Purpose: Externalizing your users / certificates / passwords (Directories, PKI solutions, Password Vaults, …)
» No interfaces for SIEM and VS/TSCM in Runtime!
• SIEM listens on Topics
• VS/TSCM is performed during Build (& enforce immutability in Runtime)
Side 3 – The Container Hosting Platform:
» Node: (Physical/Virtual) machine hosting k8s code, supplying resources to the Cluster
» Cluster: Namespace manager
• Production – Non Production
- Only allow verified (scanned & signed, (known) vulnerability free) workloads on your production cluster.
- Do not allow any valuable data to be hosted/accessible from your non-production cluster.
• (virtual) Data Center 1 – (virtual) Data Center 2 – (virtual) Data Center n
• Payload specific Clusters
» Namespace:
• SLA on resources (CPU/Memory)
• Unit of isolation (no access by default)
» Platform: The collection of Clusters
» Replicas
• Enforce a minimum safe number in your production clusters!
Side 4 – The CI/CD Platform:
» The CI/CD platform supports/manages the creation of deployable artifacts, either via a pipeline or via legacy methods (portals, …)
» The Scanning engines here provide your VS/TSCM evidence (in combination with immutability of your nodes & containers…) as well as detecting license violations and unwanted configuration settings
Side 5 – The Network Platform:
» Load Balancing provides the capabilities to balance load over multiple clusters (and hence enables HA/DR/LCM of clusters)
» The DMZs provide capabilities to securely connect the applications hosted on the Container platform to the Internet or other insecure networks (e.g. the Workplace areas)
» Firewalling enables access to/from other networks, e.g. Data Services, Security Services, CI/CD, legacy application landscapes, ...
Embrace the 12-factor principles (https://12factor.net). Translated into K8S application hosting:
• Hands-off Production: Only allow access to production via pipelines. No SSH/Terminal Access/… as images run immutable! (I/V)
• Separate Stateless from Stateful (State resides in services outside the stateless K8S application hosting clusters) (III/VI/VIII)
• Design for failure. Your Nodes/Containers will fail! (IX)
• Design for short lifecycles/immutability. Your Nodes/Containers will develop vulnerabilities! (IX)
• Cycle your nodes and containers regularly. The interval should be shorter than the maximum response time for low and medium vulnerabilities in your organisation’s security policy (because then you won’t need to scan your runtime estate…)
• Have the automation & procedures in place for an immediate emergency cycle in the case of unmitigated high or critical vulnerabilities
Or in short: “Immutable, Stateless, Short Living”
Non-compliance means “Computer says No” and hence the application has to be deployed on VM’s!
ICHP Principles
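The production-cluster rules from Side 3 (verified workloads only, a minimum safe replica count) and the ICHP principles above (stateless, short living, a cycle interval shorter than the low/medium response time) expressed as a pre-deployment check over a Deployment manifest. This is an added example, not ICHP's or ING's own code; the registry prefix, response times, thresholds and sample Deployments are constructed assumptions.

```python
"""Added example, not ICHP's code: a pre-deployment check encoding the rules
from the slides. Registry, thresholds and sample manifests are constructed."""
from datetime import datetime, timedelta, timezone

# Assumed policy values for illustration (the slides give no concrete numbers).
APPROVED_REGISTRY = "registry.ichp.example/"   # constructed: where the pipeline pushes scanned & signed images
MIN_REPLICAS = 2                               # "enforce a minimum safe number" of replicas
RESPONSE_TIME = {                              # constructed maximum response times per severity
    "critical": timedelta(days=1),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
    "low": timedelta(days=90),
}


def max_cycle_interval(response_time: dict) -> timedelta:
    """Nodes and containers must be recycled faster than the policy's response
    time for low AND medium findings, so the bound is the smaller of the two."""
    return min(response_time["low"], response_time["medium"])


def check_deployment(deploy: dict, build_time: dict, now: datetime,
                     cycle_interval: timedelta = timedelta(days=14)) -> list:
    """Return the ICHP-style violations found in a Deployment manifest (as a dict).
    build_time maps image references to their build timestamps; it stands in for
    the registry/pipeline metadata a real platform would consult."""
    violations = []
    bound = max_cycle_interval(RESPONSE_TIME)
    if cycle_interval >= bound:
        violations.append(f"cycle interval {cycle_interval} is not shorter than the "
                          f"low/medium response time {bound}")
    spec = deploy["spec"]
    replicas = spec.get("replicas", 1)   # Kubernetes defaults replicas to 1 when omitted
    if replicas < MIN_REPLICAS:
        violations.append(f"replicas={replicas} is below the minimum safe number {MIN_REPLICAS}")
    pod = spec["template"]["spec"]
    # Stateless: state belongs in external Data Services, not in cluster volumes.
    for vol in pod.get("volumes", []):
        if "persistentVolumeClaim" in vol or "hostPath" in vol:
            violations.append(f"volume {vol['name']!r} keeps state inside the cluster")
    for c in pod.get("containers", []):
        image = c["image"]
        # Verified workloads only: digest-pinned images from the pipeline's registry.
        if not image.startswith(APPROVED_REGISTRY):
            violations.append(f"{image}: not from the approved registry")
        if "@sha256:" not in image:
            violations.append(f"{image}: not pinned by digest, so it cannot be tied to a scanned & signed build")
        # Short living: an image older than the cycle interval must be rebuilt and redeployed.
        built = build_time.get(image)
        if built is None:
            violations.append(f"{image}: no build record, scan evidence cannot be produced")
        elif now - built > cycle_interval:
            violations.append(f"{image}: built {(now - built).days} days ago, exceeds the cycle interval")
    return violations


# Constructed sample data: a reference time, one digest-pinned image and its build record.
NOW = datetime(2019, 11, 18, tzinfo=timezone.utc)
GOOD_IMAGE = APPROVED_REGISTRY + "frontend@sha256:" + "ab" * 32
BUILD_TIME = {GOOD_IMAGE: NOW - timedelta(days=3)}


def sample_deployment(image: str, replicas: int, volumes=None) -> dict:
    """Build a minimal apps/v1 Deployment dict with one container."""
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "spec": {"replicas": replicas,
                     "template": {"spec": {"containers": [{"name": "app", "image": image}],
                                           "volumes": volumes or []}}}}


def evaluate_samples() -> dict:
    """Run the check over a compliant and a non-compliant constructed Deployment."""
    good = sample_deployment(GOOD_IMAGE, replicas=3)
    bad = sample_deployment("docker.io/library/nginx:latest", replicas=1,
                            volumes=[{"name": "data", "persistentVolumeClaim": {"claimName": "app-pvc"}}])
    return {"good": check_deployment(good, BUILD_TIME, NOW),
            "bad": check_deployment(bad, BUILD_TIME, NOW)}


if __name__ == "__main__":
    for name, found in evaluate_samples().items():
        print(name, "->", "compliant" if not found else "; ".join(found))
```

The non-compliant sample trips five rules at once (replica count, in-cluster state, foreign registry, mutable tag, no build record), which is the "Computer says No" outcome the slide describes.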
By consuming the ICHP service, many operational tasks that currently (read: hosting on VM’s) are your own responsibility are now executed at platform level. Other tasks remain the responsibility of the consumer. There is a clear separation between platform provider and consumer. Examples include:
What does ICHP (not) do for me?
Consumer
• Only access to “project” (and only via a deployment pipeline in Production clusters!)
• Enable SEM-A for application related events
• Implement patches on hosted code (by redeploying a higher version of the image!)
• Configure password vault for NPA’s
• Implement SOLL and perform SOLL/IST comparisons
• Implement Bindings to Data Services
• Implement deployment pipelines
• Implement load balancing and firewall access outside the ICHP platform
• etc.
Provider
• Access to container hosting platform (service) only in emergency situations
• Ensures availability of the platform
• Guarantees security by implementing relevant SEM and TSCM controls at platform level
• Provides platform Risk Evidence
• Performance tuning on platform
• etc.
As explained in ING’s Way-of-Working we aim to make our DevOps teams autonomous.
We also want to enable those DevOps teams to deliver maximum value to the business, by not bothering them with IT-Infrastructure problems, nor with having to deliver compliance evidence for the hosting platform.
Hence offering a Namespace-as-a-Service is for us the sweet spot:
• Clear demarcation between (Infra) Provider and Consumer
• Enabling hand-over of compliance evidence
• Enabling multi-tenancy (hence fast time-to-market/self-service consumption, and the potential for efficient utilization of resources)
• The DevOps team can assume responsibility for (almost) the full stack (only the kernel stays shared). They have the liberty/responsibility to choose/maintain their (versions of) base image, runtime engine, libraries, etc. (within the boundaries set by the ING corporate risk & compliance rules!)
ING will probably offer a K8S Cluster-as-a-Service in the future, however this will be a limited offering only available to teams managing Data Services (e.g. an Event Bus, Relational Database, Object Store, …). If those teams choose to stray from the default settings, the burden of delivering compliance evidence lands back on their plate!
Why ICHP only offers a “Namespace-as-a-Service”
Construct your own Kube
Running containers in production, the ING story

Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Dernier (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

Running containers in production, the ING story

  • 5. ING One Way Of Working
    E2E responsibility
    • Bus, Dev and Ops
    • Full life cycle; from cradle to grave
    • Full stack: Risk, compliance, LCM, etc.
    Customer Journey experts, Dev and Ops Engineers in one team (Squad) working together on the solution and run. All required knowledge and access rights in ‘one hand’.
    Shift of responsibility
    • BizDevOps responsible for full stack
    • Infra consumption
    • Self-serve Infra
    What does a BusDevOps team look like? How does it contribute to Accelerate?
    • Removes handovers
    • Focuses on value delivery
    What is the impact?
    • Full stack engineering in Squads: different mindset and capabilities
    • Organisational change; Dev and Ops together in one team
    We minimize the number of handovers by making the teams responsible for the full lifecycle and full stack.
  • 6. Dealing with a paradigm shift
    Communicating a paradigm shift like the move from “traditional IT” to “Cloud Native” to the involved stakeholders is hard. What helps is having a model. Although a model is by definition never an exact representation of reality, it helps you to visualize relevant information in the discussions with the various parties (management, risk, engineers, auditors, suppliers, …).
    Image courtesy of: https://twitter.com/danieldibswe/status/1169485819993841664
  • 7. The Cloud Native ecosystem
    » A model of a Cloud Native ecosystem without local persistency (“12 Factor”) and fit for a regulated Enterprise
    » Purpose: to make you familiar with the concepts & terminology
    » Not to be confused with the CNCF’s Cloud Native landscape (https://landscape.cncf.io/)
  • 8. The Cloud Native ecosystem - The real short explanation
    » It’s not just about Kubernetes!
    » Clear demarcation between provider and consumer (“Namespace-as-a-Service”)
    » DevOps team is autonomous within its namespace(s)
    » Workloads are “Immutable”, “Stateless” & “Short Living”
    » Data is persisted externally in Data Services
    » “Shift Left” of security controls into the pipeline; the production cluster is hands-off
    » Automate Everything!
    » (full explanation in the reserve slides ;-))
  • 9. Is this just a model?
    No ☺. The container platform, relational database platform, event bus, security services, CI/CD platforms and network platforms are all live and in production (however, improvement opportunities are always present…). The object storage platform is in beta and will go into production in 2020.
    In the rest of this presentation we will focus on ING’s Kubernetes platform (using the OpenShift 3.11 OKD distribution, moving towards 3.11 Enterprise), called ICHP (ING Container Hosting Platform).
  • 10. What is ICHP?
    The ING Container Hosting Platform is a container management framework platform, part of the IPC (ING’s corporate Private Cloud) family, designed to host all ING’s 12-Factor/Cloud-Native applications.
    ICHP Objectives:
    1. Bring self-service capabilities to engineers
       • Multiple data grade hosting levels: non-production & production
       • Multiple resilience levels: active-passive, active-active, TPA (ING’s proprietary Service Mesh; A-A client-side load balancing)
       • Multiple consumption patterns. Namespace(s) in: Shared Multitenant clusters (default) / Dedicated Nodes in shared Multitenant clusters (near future) / Dedicated clusters (future)
       • Hands-off operations in production clusters
       • 2nd day operations, for instance resize namespace, firewall automation, etc.
    2. Deliver a service that is compliant with the latest insights from risk & compliance
       • In line with ING corporate risk & security standards
       • Have an agreed and publicly available risk profile for the service offering (“in control statement”)
       • CAS (Corporate Audit Services) performs regular audits to ensure validity of the in control statement
    3. Ensure users are happy with the services
       • Deliver what is promised
       • Hide the complexity of maintaining Kubernetes infrastructure
       • Reliable uptime
  • 11. What does an ICHP deployment look like?
    (diagram legend: Yellow = Consumer, Blue = Provider)
    This describes the minimum footprint of a (set of) cluster(s). It can be deployed on Bare Metal or VM. It can be deployed on-premise or on public cloud.
    Max impact for a single node failure: 25% (hence we expect minimal customer impact). A cluster will survive an availability zone outage, however with customer impact.
  • 12. Patterns within ICHP
    Multi-tenant (Default)
    • Shared environment in IPC (ING’s corporate Private Cloud)
    • Pay-per-request
    • Platform Compliance Evidence delivered as part of the service
    Additional Isolation in Multi-tenant (roadmap item)
    • “Dedicated Nodes” in IPC
    • Build-to-order system, delivery of the pattern can take up to 2 months
    • Shared cluster environment
    • Dedicated hardware for one (set of) consumer(s), no pay-per-use
    • Platform Compliance Evidence delivered as part of the service
    Single-tenant (only after CIO approval)
    • “Dedicated Cluster” in IPC
    • Build-to-order system, delivery of the pattern can take up to 2 months
    • Dedicated hardware for one (set of) consumer(s), no pay-per-use
    • Platform Compliance Evidence delivered as part of the service
    Local deployment (only after Group CIO approval)
    • Systems are located in local datacenters (e.g. Australia, Turkey, …) for latency and/or regulatory purposes, allowing a smoother migration towards IPC with less risk
    • Systems are to be deployed/managed according to ICHP principles, design & procedures
    • Build-to-order, delivery can take months
    • Local IT organization assumes Risk & Compliance responsibility in case of deviations
  • 13. What is available in ICHP today?
    As of today the following features exist within ICHP:
    • Request a “project” via our Self-Service portal, which gives you in our shared multitenant clusters:
      • A K8S Namespace with the requested #CPU & #Memory in both the primary and secondary DC
      • A dedicated SDN attached to your namespace (per cluster)
      • A dedicated Egress IP attached to your namespace (per cluster)
      • A secret you can use to connect your Deployment Pipeline to the namespace (per cluster)
      • A registration of the project in the CMDB on your behalf (note: we do not register container instances!)
    • The capability to delete a “project” (note: it must be empty for the operation to succeed!)
    • Request to add firewall rules to open traffic to/from your “project(s)” from outside the K8S clusters (note: you will still need to create ingress/routes inside the cluster!)
    • The capability to resize (CPU/Memory) a “project”
    • Dedicated Prometheus instance per namespace for application events
    The following features are on the roadmap:
    • Dedicated nodes to host your projects on
    • Dedicated clusters to host your projects on
    • Project requests via API calls
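What such a self-service “project” request becomes on the cluster side, as an added example that is not ICHP’s own provisioning code: the request (name, team, CPU and memory budget) is mapped to standard Kubernetes objects, namely the Namespace, a ResourceQuota for the budget (the “SLA on resources” of a later slide), NetworkPolicies for “no access by default”, and a ServiceAccount with a namespace-scoped Role for the deployment pipeline that deliberately cannot exec into pods or read Secrets. The label keys, object names, the `ichp.example` prefix and the quantity syntax check are assumptions; the OpenShift SDN and egress IP attachment are not modelled.

```python
"""What one self-service "project" request becomes on a cluster.

Added example, not ICHP's provisioning code. Assumptions: the label keys,
object names and the quantity syntax check; the OpenShift SDN and egress IP
attachment from the slide are not modelled.
"""
import re

_QUANTITY = re.compile(r"^\d+(\.\d+)?(m|Ki|Mi|Gi)?$")


def valid_quantity(value: str) -> bool:
    """Accept only plain Kubernetes quantities such as "4", "500m", "8Gi"."""
    return bool(_QUANTITY.match(value))


def build_project(request: dict) -> list[dict]:
    """Return the manifests for one project in one cluster (apply once per cluster)."""
    ns, team = request["project"], request["team"]
    cpu, mem = request["cpu"], request["memory"]
    if not (valid_quantity(cpu) and valid_quantity(mem)):
        raise ValueError(f"bad quantity in request: cpu={cpu!r} memory={mem!r}")
    labels = {"ichp.example/project": ns, "ichp.example/team": team}  # assumed label keys

    namespace = {"apiVersion": "v1", "kind": "Namespace",
                 "metadata": {"name": ns, "labels": labels}}

    # The "SLA on resources": a hard budget for the whole namespace. No PVCs,
    # because state must live outside the cluster in Data Services.
    quota = {"apiVersion": "v1", "kind": "ResourceQuota",
             "metadata": {"name": "project-quota", "namespace": ns},
             "spec": {"hard": {"requests.cpu": cpu, "requests.memory": mem,
                               "limits.cpu": cpu, "limits.memory": mem,
                               "persistentvolumeclaims": "0"}}}

    # Unit of isolation: deny everything, then allow only pod-to-pod traffic
    # inside the namespace and DNS egress. Cross-project traffic and the
    # firewall rules outside the cluster are separate, explicit requests.
    deny_all = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
                "metadata": {"name": "default-deny", "namespace": ns},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
    allow_local = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
                   "metadata": {"name": "allow-same-namespace-and-dns", "namespace": ns},
                   "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
                            "ingress": [{"from": [{"podSelector": {}}]}],
                            "egress": [{"to": [{"podSelector": {}}]},
                                       {"ports": [{"protocol": "UDP", "port": 53},
                                                  {"protocol": "TCP", "port": 53}]}]}}

    # The pipeline identity: the only principal that changes workloads in production.
    # Its Role can roll out new images but cannot exec into pods or read Secrets,
    # which is what keeps the production cluster hands-off.
    account = {"apiVersion": "v1", "kind": "ServiceAccount",
               "metadata": {"name": "pipeline", "namespace": ns}}
    role = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": "pipeline-deployer", "namespace": ns},
            "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                       "verbs": ["get", "list", "create", "update", "patch"]},
                      {"apiGroups": [""], "resources": ["services", "configmaps"],
                       "verbs": ["get", "list", "create", "update", "patch"]},
                      {"apiGroups": [""], "resources": ["pods", "pods/log"],
                       "verbs": ["get", "list"]}]}
    binding = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
               "metadata": {"name": "pipeline-deployer", "namespace": ns},
               "subjects": [{"kind": "ServiceAccount", "name": "pipeline", "namespace": ns}],
               "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                           "kind": "Role", "name": "pipeline-deployer"}}
    return [namespace, quota, deny_all, allow_local, account, role, binding]


def role_allows_shell_or_secrets(manifests: list[dict]) -> bool:
    """Review check: would any Role in the bundle let the pipeline exec into a pod
    or read Secrets? Either would break the hands-off production guarantee."""
    risky = {"pods/exec", "pods/attach", "secrets", "*"}
    return any(m["kind"] == "Role" and any(risky & set(rule["resources"]) for rule in m["rules"])
               for m in manifests)
```

The secret handed to the pipeline in the slide corresponds to the token of the `pipeline` ServiceAccount; on Kubernetes 1.24 and later such tokens are no longer created automatically and have to be requested explicitly. `role_allows_shell_or_secrets` is the kind of check worth running on every Role change: the moment it returns True, “only access via pipelines” is no longer enforced by the platform.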
  • 14. What are we (going to be) hosting?
    • In Asia, as of November 2018, ING went live with its fully digital, mobile-only bank in the Philippines: https://www.ing.com.ph/. The front-end of this bank is hosted on ING’s container hosting platform.
    • In Europe multiple ING application landscapes have started onboarding ING’s container hosting platform as of May 2019.
    • In October 2019 DARE went live. DARE is a global ING-AXA partnership to launch a digital protection (“Assurance”) platform across six different markets within the ING Challenger & Growth division. DARE will provide innovative protection integrated in ING digital channels. DARE consumes services of our One Technology Platform to enable rapid global scaling.
    • It is forecast that the majority of ING’s APIs will eventually be hosted on ICHP, constructing services like ING’s digital channels, fraud detection, data lake analytics, etc.
  • 16. What did the container squad spend their time on?
    Time split (chart values, read in legend order; they sum to 100%):
    • Risk Evidence / Compliance: 30
    • Security Improvements: 8
    • Implementing / Tuning Monitoring: 20
    • Educating internal customers: 6
    • Automation of K8S deployment: 7
    • Building Self-Service Capabilities: 7
    • PoCs: 4
    • Travel (global squad, global customers): 4
    • Integration with other services: 10
    • Actual K8S configuration/operations: 4
    In 2 years’ time: 18 FTE container squad (equally spread over Amsterdam, Frankfurt & Katowice), 1 FTE architecture (3 architects spending part of their time, 50/25/25), 1 FTE product owner.
    The ambition is to grow the footprint of the container landscape without growing the container squad, by automating everything.
  • 17. Conclusions
    • Communicating a paradigm shift is hard, use any advantage you can get…
    • A container hosting service is only part of the cloud-native ecosystem you need…
    • ING is NOT aiming to rehost VMs to containers… The purpose is to have the best possible hosting environment for 12-factor apps!
    • If a DevOps team manages to properly refactor their VM into a set of container images they are welcome
    • Hands-off approach in production. If teams do not feel comfortable with this they should stay on VMs!
    • Automate Everything!
    • Design for failure (instead of failing to do a proper design…)
    • A Namespace-as-a-Service fits our Way-of-Working, perhaps yours too?
    • Kubernetes/OpenShift is only a small (although very important) part of the time spent to build/run a container hosting service…
    • Being in a regulated industry is not always fun…
    • Tuning Monitoring is an Art, which takes time to Master…
    • Find the right partners, both within and outside your own enterprise
  • 19. Thank You! Slides available on: https://www.slideshare.net/ThijsEbbers/
  • 21. Side 0 – The DevOps Team’s input
    » Container Image
      • Immutable, Stateless, Short Living
      • Base Image (the “operating system”): Where was it obtained? Is it vulnerability free? Who will provide patched versions (in time…)?
      • Code (standard SDLC)
    » Deployment Config
      • YAML files containing all information needed to deploy an image successfully
    » Network Config
      • All information needed to have communication paths outside the cluster to/from your application in place
  • 22. Side 1 – The Data Services
    » Defined by Bindings
      • Data Service instance location + secrets to connect to it + driver (optional)
    » Purposes:
      • To persist your state outside the cluster
      • To push out logs & events
  • 23. Side 2 – The Security Services
    » Purpose: Externalizing your users / certificates / passwords (Directories, PKI solutions, Password Vaults, …)
    » No interfaces for SIEM and VS/TSCM in Runtime!
      • SIEM listens on Topics
      • VS/TSCM is performed during Build (& enforce immutability in Runtime)
  • 24. Side 3 – The Container Hosting Platform
    » Node: (Physical/Virtual) machine hosting k8s code, supplying resources to the Cluster
    » Cluster: Namespace manager
      • Production – Non-Production
        - Only allow verified (scanned & signed, (known-)vulnerability-free) workloads on your production cluster.
        - Do not allow any valuable data to be hosted on / accessible from your non-production cluster.
      • (virtual) Data Center 1 – (virtual) Data Center 2 – (virtual) Data Center n
      • Payload-specific Clusters
    » Namespace:
      • SLA on resources (CPU/Memory)
      • Unit of isolation (no access by default)
    » Platform: The collection of Clusters
    » Replicas
      • Enforce a minimum safe number in your production clusters!
  • 25. Side 4 – The CI/CD Platform
    » The CI/CD platform supports/manages the creation of deployable artifacts, either via a pipeline or via legacy methods (portals, …)
    » The Scanning engines here provide your VS/TSCM evidence (in combination with immutability of your nodes & containers…) as well as detecting license violations and unwanted configuration settings
  • 26. Side 5 – The Network Platform
    » Load Balancing provides the capabilities to balance load over multiple clusters (and hence enables HA/DR/LCM of clusters)
    » The DMZs provide capabilities to securely connect the applications hosted on the Container platform to the Internet or other insecure networks (e.g. the Workplace areas)
    » Firewalling enables access to/from other networks, e.g. Data Services, Security Services, CI/CD, legacy application landscapes, …
  • 27. ICHP Principles
    Embrace the 12-factor principles (https://12factor.net). Translated into K8S application hosting:
    • Hands-off Production: Only allow access to production via pipelines. No SSH/Terminal Access/… as images run immutable! (I/V)
    • Separate Stateless from Stateful (state resides in services outside the stateless K8S application hosting clusters) (III/VI/VIII)
    • Design for failure. Your Nodes/Containers will fail! (IX)
    • Design for short lifecycles/immutability. Your Nodes/Containers will develop vulnerabilities! (IX)
    • Cycle your nodes and containers regularly. The interval should be shorter than the maximum response time for low and medium vulnerabilities in your organisation’s security policy (because then you won’t need to scan your runtime estate…)
    • Have the automation & procedures in place for an immediate emergency cycle in the case of unmitigated high or critical vulnerabilities
    Or in short: “Immutable, Stateless, Short Living”
    Non-compliance means “Computer says No” and hence the application has to be deployed on VMs!
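An admission-style gate that turns the principles on this slide and the two production rules from Side 3 (“only verified, scanned & signed workloads on the production cluster”, “enforce a minimum safe number of replicas”) into a check a pipeline or an admission webhook can run before a Deployment reaches a production cluster. This is an added example, not ING’s code; the trusted registry host, the `pipeline.example/built-at` annotation the pipeline is assumed to stamp, the 30-day cycle interval and the minimum of 3 replicas are all assumptions. It goes slightly beyond the slide in two ways: it also rejects privileged containers, writable root filesystems and host namespaces, which is what “images run immutable” needs in practice, and it includes the digest lookup an emergency cycle starts from.

```python
"""Gate for the ICHP principles, run against a Deployment before it reaches production.

Added example, not ING's code. Assumptions: the trusted registry host, the
annotation the pipeline stamps with the build time, the cycle interval and
the minimum replica count.
"""
import re
from datetime import datetime, timedelta, timezone

TRUSTED_REGISTRY = "registry.example.internal"        # assumed
MIN_REPLICAS = 3                                       # assumed "minimum safe number"
MAX_IMAGE_AGE = timedelta(days=30)                     # assumed, below the policy SLA for low/medium CVEs
BUILD_TIME_ANNOTATION = "pipeline.example/built-at"    # assumed, ISO-8601, set by the pipeline

# <host>/<path>@sha256:<64 hex>: names exactly the artefact that was scanned and signed
_DIGEST_REF = re.compile(r"^(?P<host>[^/]+)/.+@sha256:[0-9a-f]{64}$")
_STATELESS_VOLUMES = {"name", "emptyDir", "configMap", "secret", "projected", "downwardAPI"}


def _containers(manifest: dict) -> list[dict]:
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    return pod.get("containers", []) + pod.get("initContainers", [])


def check_deployment(manifest: dict, now: datetime) -> list[str]:
    """Return the violations; an empty list means the Deployment is admitted."""
    violations = []
    spec = manifest.get("spec", {})
    pod = spec.get("template", {}).get("spec", {})
    annotations = spec.get("template", {}).get("metadata", {}).get("annotations", {})

    # Design for failure: enforce the minimum replica count in production.
    replicas = spec.get("replicas", 1)
    if replicas < MIN_REPLICAS:
        violations.append(f"replicas {replicas} < {MIN_REPLICAS}")

    # Stateless: state lives in Data Services, never in a volume on the cluster.
    for vol in pod.get("volumes", []):
        if set(vol) - _STATELESS_VOLUMES:
            violations.append(f"volume {vol['name']} carries local state")

    # Immutable and hands-off: no host namespaces, no privilege, no writable root fs.
    if any(pod.get(k) for k in ("hostPID", "hostNetwork", "hostIPC")):
        violations.append("host namespace sharing")
    for c in _containers(manifest):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"{c['name']}: privileged")
        if not sc.get("readOnlyRootFilesystem"):
            violations.append(f"{c['name']}: root filesystem is writable")
        if not sc.get("runAsNonRoot"):
            violations.append(f"{c['name']}: may run as root")
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{c['name']}: allowPrivilegeEscalation not disabled")
        # Verified workloads only: a tag such as ":latest" can be re-pointed after
        # the scan, a digest cannot.
        m = _DIGEST_REF.match(c.get("image", ""))
        if not m or m["host"] != TRUSTED_REGISTRY:
            violations.append(f"{c['name']}: image is not a digest reference into {TRUSTED_REGISTRY}")

    # Short living: the build must be younger than the cycle interval.
    built = annotations.get(BUILD_TIME_ANNOTATION)
    if built is None:
        violations.append("missing build timestamp annotation")
    elif now - datetime.fromisoformat(built) > MAX_IMAGE_AGE:
        violations.append("image older than the cycle interval")
    return violations


def needs_emergency_cycle(manifest: dict, flagged_digests: set[str]) -> bool:
    """True if any container runs an image whose digest was just flagged high/critical."""
    return any(c.get("image", "").rsplit("@", 1)[-1] in flagged_digests
               for c in _containers(manifest))


NOW = datetime(2019, 11, 18, tzinfo=timezone.utc)  # constructed "today" for the samples

# Constructed sample: a Deployment that satisfies every rule above.
GOOD_DIGEST = "sha256:" + "a" * 64
GOOD = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "checkout", "namespace": "payments-api"},
    "spec": {"replicas": 3, "template": {
        "metadata": {"annotations": {BUILD_TIME_ANNOTATION: "2019-11-01T10:00:00+00:00"}},
        "spec": {
            "containers": [{"name": "app",
                            "image": f"{TRUSTED_REGISTRY}/payments/checkout@{GOOD_DIGEST}",
                            "securityContext": {"runAsNonRoot": True,
                                                "readOnlyRootFilesystem": True,
                                                "allowPrivilegeEscalation": False}}],
            "volumes": [{"name": "tmp", "emptyDir": {}}]}}}}

# Constructed sample: the same app as a developer might first submit it.
BAD = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "checkout", "namespace": "payments-api"},
    "spec": {"replicas": 1, "template": {
        "metadata": {"annotations": {BUILD_TIME_ANNOTATION: "2019-09-01T00:00:00+00:00"}},
        "spec": {
            "containers": [{"name": "app", "image": "docker.io/library/nginx:latest"}],
            "volumes": [{"name": "data", "hostPath": {"path": "/data"}}]}}}}

if __name__ == "__main__":
    print("GOOD:", check_deployment(GOOD, NOW))
    print("BAD:", check_deployment(BAD, NOW))
```

The age check is what makes “you won’t need to scan your runtime estate” true: if nothing older than the cycle interval can be running, the scan results from the pipeline are never staler than that interval. `needs_emergency_cycle` is the first step of the emergency procedure on the slide: given the digests a new high or critical finding applies to, it tells you which Deployments have to be rebuilt and redeployed now rather than at the next regular cycle.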
  • 28. What does ICHP (not) do for me?
    By consuming the ICHP service, many operational tasks that currently (read: hosting on VMs) are your own responsibility are now executed at platform level. Other tasks remain the responsibility of the consumer. There is a clear separation between platform provider and consumer. Examples include:
    Consumer
    • Only access to the “project” (and only via a deployment pipeline in Production clusters!)
    • Enable SEM-A for application-related events
    • Implement patches on hosted code (by redeploying a higher version of the image!)
    • Configure the password vault for NPAs
    • Implement SOLL and perform SOLL/IST comparisons
    • Implement Bindings to Data Services
    • Implement deployment pipelines
    • Implement load balancing and firewall access outside the ICHP platform
    • etc.
    Provider
    • Access to the container hosting platform (service) only in emergency situations
    • Ensures availability of the platform
    • Guarantees security by implementing relevant SEM and TSCM controls at platform level
    • Provides platform Risk Evidence
    • Performance tuning on the platform
    • etc.
  • 29. Why ICHP only offers a “Namespace-as-a-Service”
    As explained in ING’s Way-of-Working we aim to make our DevOps teams autonomous. We also want to enable those DevOps teams to deliver maximum value to the business, by not bothering them with IT-Infrastructure problems, nor with having to deliver compliance evidence for the hosting platform. Hence offering a Namespace-as-a-Service is for us the sweet spot:
    • Clear demarcation between (Infra) Provider and Consumer
    • Enabling hand-over of compliance evidence
    • Enabling multi-tenancy (hence fast time-to-market/self-service consumption, and the potential for efficient utilization of resources)
    • The DevOps team can assume responsibility for (almost) the full stack (only the kernel stays shared). They have the liberty/responsibility to choose/maintain their (versions of) base image, runtime engine, libraries, etc. (within the boundaries set by the ING corporate risk & compliance rules!)
    ING will probably offer a K8S Cluster-as-a-Service in the future, however this will be a limited offering only available to teams managing Data Services (e.g. an Event Bus, Relational Database, Object Store, …). If those teams choose to stray from the default settings, the burden of delivering compliance evidence lands back on their plate!