
OPENSHIFT ORIGIN V3

OVERVIEW
SUMMARY
CONCEPTS OVERVIEW
ARCHITECTURE OVERVIEW
INSTALLATION ARCHITECTURE
NETWORKING
PERSISTENT STORAGE
BUILD & DEPLOY IMAGES
CONTINUOUS INTEGRATION & CONTINUOUS DELIVERY
SECURITY
MONITORING, LOGGING & METRICS
OKD Platform Overview
CONCEPTS OVERVIEW
A container is the smallest compute unit.
Containers are created from container images.
Container images are stored in an image registry, grouped in image repositories.
An image repository contains all versions of an image in the image registry.
Containers are wrapped in Pods, which are the smallest deployment and management units.
A Pod's configuration is defined in a Deployment.
Services provide internal load-balancing and service discovery across Pods.
Apps can talk to each other via Services.
Routes add Services to the external Load Balancer and expose them at a hostname.
Projects isolate Apps across environments, groups and users.
ARCHITECTURE OVERVIEW
OKD runs on your infrastructure of choice: Physical Machines, Virtual Machines, Public Cloud Infrastructures (OpenStack).
Nodes are instances of CentOS where Apps will run.
App services run in docker containers inside of Pods on each Node.
Master represents the Control Plane, which leverages k8s to orchestrate Nodes/Pods.
The Master provides an authenticated API for users and services.
The Master uses the etcd key-value data store for persisting its state and storing the current and desired state of the cluster.
The Master provides a k8s scheduler which places Pods on Nodes based on a scheduling policy.
The Master uses a Controller Manager that watches etcd for changes and uses the API to enforce the desired state.
The Service Layer allows related Pods to communicate with each other.
OKD provides an integrated container registry.
Containers can use Persistent Storage to store their data inside or outside the cluster.
The Routing Layer routes external requests to Pods through Services.
Users can access OKD via its Web Console or CLI.
INSTALLATION ARCHITECTURE
An infrastructure node is a node dedicated to infrastructure pods such as the router and image registry.
High Availability Architecture
NETWORKING
Service Discovery and internal Load Balancing
Routing and external Load Balancing

• A router enables routes that


expose a service at a hostname
externally
• The routing layer is pluggable
• HAProxy Router
• F5 Router
• Router features can be used to support
deployment strategies such as A/B,
Canary and Blue/Green Deployments
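As an added example (not from the original deck), a Route that publishes a Service at a hostname through the router, terminates TLS at the edge, redirects plain-HTTP clients, and splits traffic to a second Service the way a canary rollout would; the hostname, Service names and port name are assumptions.

```yaml
# Added example, not from the deck: hostname, Service and port names are assumed.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: myapp
spec:
  host: myapp.apps.example.com       # hostname served by the router / external LB
  to:
    kind: Service
    name: myapp
    weight: 90                       # 90% of requests go to the stable Service
  alternateBackends:
    - kind: Service
      name: myapp-canary
      weight: 10                     # 10% go to the canary Service (A/B, canary rollouts)
  port:
    targetPort: 8080-tcp             # named port on the Service
  tls:
    termination: edge                # router terminates TLS; re-encrypt and passthrough also exist
    insecureEdgeTerminationPolicy: Redirect   # http:// clients are redirected to https://
```

Without the `tls` stanza the route accepts plaintext only; with `termination: edge` and no certificate given, the router serves its default wildcard certificate.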
PERSISTENT STORAGE
Persistent Storage
• Persistent Volume (PV) is tied to a piece of networked storage.
• Provisioned statically or dynamically by an administrator
• Allows admins to describe storage and users to request it via a Persistent Volume Claim (PVC)
• Assigned to Pods based on the requested storage amount, access mode and/or storage class.
• OKD supports many PV types
Static Volume Provisioning
Dynamic Volume Provisioning
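The two provisioning paths above, as an added example that is not from the original deck: an admin-created NFS PersistentVolume bound by a claim (static), and a claim that names a StorageClass so a provisioner creates the PV on demand (dynamic). The NFS server and path, sizes and the class name are assumptions.

```yaml
# Added example, not from the deck: server, path, sizes and class name are assumed.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-nfs-0001
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteMany                  # NFS: mountable read-write by pods on many nodes
  persistentVolumeReclaimPolicy: Retain   # keep the data when the claim is deleted
  nfs:
    server: nfs.example.internal
    path: /exports/pv0001
---
# Static provisioning: the claim is matched on access mode and size to the PV above.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi                   # binds to a PV with at least this capacity
  storageClassName: ""               # "" = bind only to PVs that carry no class
---
# Dynamic provisioning: naming a StorageClass lets its provisioner create the PV.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-db
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
  storageClassName: gp2              # assumed class name (e.g. an AWS EBS class)
```

A Pod consumes either claim through a `persistentVolumeClaim` volume referencing its `claimName`.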
BUILD & DEPLOY IMAGES
Build and deploy container images

Figure: three deployment paths, each ending in a Deploy step: Source Code, App Binary, Container Image.
Deploy Source Code with Source-To-Image (S2I)
Deploy App Binary with Source-To-Image (S2I)
CONTINUOUS INTEGRATION (CI)
& CONTINUOUS DELIVERY (CD)
CI/CD with Builds and Deployments
BUILDS
• Webhook trigger: build the app image whenever the code changes in the repo.
• Image trigger: build the app image when a new version of an upstream image is available.
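Both build triggers in one S2I BuildConfig, as an added example that is not from the original deck; the repository URL, builder image tag and webhook Secret name are assumptions.

```yaml
# Added example, not from the deck: repo, builder image and secret names are assumed.
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: myapp
spec:
  source:
    type: Git
    git:
      uri: https://github.com/example/myapp.git
      ref: master
  strategy:
    type: Source
    sourceStrategy:
      from:
        kind: ImageStreamTag
        name: nodejs:10              # upstream S2I builder image
        namespace: openshift
  output:
    to:
      kind: ImageStreamTag
      name: myapp:latest             # pushed to the integrated registry
  triggers:
    - type: GitHub                   # webhook trigger: rebuild on every push to the repo
      github:
        secretReference:
          name: myapp-github-webhook # Secret holding the webhook token; keep it out of the BuildConfig
    - type: ImageChange              # image trigger: rebuild when nodejs:10 is updated upstream
      imageChange: {}
```

`oc describe bc myapp` prints the webhook URL to register in the repository; the token in the URL is what authenticates the caller, so treat it as a credential.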
DEPLOYMENTS
• Deployment triggers: redeploy the app pods whenever the configuration or the image stream tag changes
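The deployment side of the same flow, as an added example that is not from the original deck: a DeploymentConfig with a ConfigChange trigger and an ImageChange trigger on an image stream tag. Names and the tag are assumptions.

```yaml
# Added example, not from the deck: names and the image stream tag are assumed.
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  name: myapp
spec:
  replicas: 2
  selector:
    app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: ' '                 # resolved by the ImageChange trigger below
          ports:
            - containerPort: 8080
  triggers:
    - type: ConfigChange             # redeploy when this spec changes
    - type: ImageChange              # redeploy when myapp:latest points at a new image
      imageChangeParams:
        automatic: true              # false would only update the spec, not roll out
        containerNames:
          - myapp
        from:
          kind: ImageStreamTag
          name: myapp:latest
```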
Jenkins-as-a-Service
• Certified Jenkins images with pre-installed plugins
• Provided out-of-the-box
• Follows Jenkins 2.x LTS version
• Jenkins S2I Builder to customize the Jenkins image
• Install plugins
• Configure Jenkins
• Configure Build Jobs
• Dynamically deploy Jenkins Agents
• Included as Build Strategy (Pipeline Build)
Hybrid Jenkins Infrastructure
• Scale existing Jenkins Infrastructure by dynamically provisioning Agents on OKD using the Kubernetes plug-in
Pipeline Build Strategy
• Defines a CI/CD workflow using a Jenkins pipeline which can be started, monitored and managed like the other Builds.
• Automatic provisioning of Jenkins Server (Master).
• Dynamic provisioning of Jenkins Agents (Slaves).
CI/CD Pipeline
SECURITY
How is OKD secured
• The OKD and Kubernetes APIs authenticate users who present credentials, and then authorize them based on their role.
• Both developers and administrators can be authenticated via several means, primarily OAuth tokens and X.509 client certificates
• Infrastructure components (like nodes) use client certificates generated by the system that contain their identities
• Infrastructure components that run inside containers use a token associated with their service accounts to connect to the API.
• All communication channels with the REST API, as well as between master components such as etcd and the API server, are secured with TLS
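The service-account token model above, as an added example that is not from the original deck: a dedicated service account with a read-only Role bound in one project, a Pod that uses it, and a Pod that opts out of the token mount because it never calls the API. The project, image and account names are assumptions.

```yaml
# Added example, not from the deck: project, image and account names are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-reader
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]   # read-only: no create, update or delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader
subjects:
  - kind: ServiceAccount
    name: pod-reader
    namespace: myproject              # the binding is scoped to this project only
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: watcher
spec:
  serviceAccountName: pod-reader      # its token is mounted under /var/run/secrets/kubernetes.io/serviceaccount
  containers:
    - name: watcher
      image: registry.example.com/watcher:1.0
---
apiVersion: v1
kind: Pod
metadata:
  name: web
spec:
  automountServiceAccountToken: false # this pod never calls the API, so it gets no token
  containers:
    - name: web
      image: registry.example.com/web:1.0
```

Apply with `oc apply -n myproject -f <file>`; `oc auth can-i delete pods --as=system:serviceaccount:myproject:pod-reader` should answer `no`.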
MONITORING, LOGGING &
METRICS
Prometheus Cluster Monitoring
• OKD ships with a pre-configured and self-updating monitoring stack that is based on the Prometheus open source project
• It provides monitoring of cluster components
• It ships with a set of alerts to immediately notify the cluster administrator about any occurring problems and a set of Grafana dashboards.
• OKD Cluster Monitoring Operator (CMO) watches over the deployed monitoring components and resources, and ensures that they are always up to date.
• The Prometheus Operator (PO) creates, configures, and manages Prometheus and Alertmanager instances.
• Node-exporter is an agent deployed on every node to collect metrics about it.
• The kube-state-metrics exporter agent converts Kubernetes objects to metrics consumable by Prometheus.
LOG MANAGEMENT WITH EFK
• OKD Cluster administrators can deploy the EFK stack to aggregate logs for a range of OKD services.
• EFK stack aggregates logs from nodes and applications
  • Elasticsearch: Search and analytics engine where logs are stored.
  • Fluentd: Gathers logs from nodes and feeds them to Elasticsearch.
  • Kibana: A web UI for Elasticsearch.
  • Curator: Removes old logs from Elasticsearch.
• Access Control
  • Cluster administrators can view all logs
  • Users can only view their projects' logs
• Ability to send logs elsewhere
  • External Elasticsearch instance, Syslog server
Cluster Metrics
• An OKD administrator can view a cluster's metrics from all containers and components in one user interface, whereas Users are limited to viewing their projects' metrics.
• kubelet exposes metrics that can be collected and stored in back-ends by Heapster.
• Heapster retrieves a list of all nodes from the master server, then contacts each node individually through the /stats endpoint. From there, Heapster scrapes the metrics for CPU, memory and network usage, then exports them into Hawkular Metrics.
• Hawkular Metrics is a metrics storage engine which provides means of creating, accessing and managing historically stored metrics.
• Cassandra is a datastore used by Hawkular Metrics.