PKS Automation Station...All Aboard: Enabling Team Access to PKS with a Concourse Pipeline
0 likes489 views
The document outlines strategies for team access to Pivotal Kubernetes Service (PKS) using a concourse pipeline, detailing onboarding challenges and solutions at Dick's Sporting Goods. It covers key topics such as team collaboration, application modernization, and the configuration of access workflows involving LDAP and UAA. Additionally, it includes discussions on infrastructure as code, automated user access, and various use cases for PKS workloads.
![21
Add-Ons for subdomain nameserver
PKS ADD-ONS
apiVersion: v1
kind: ConfigMap
metadata:
name: kube-dns
namespace: kube-system
data:
stubDomains: |
{"dsgtech.co": ["10.0.8.5"]}](https://image.slidesharecdn.com/pks-presentation-dsg-191017225906/85/PKS-Automation-Station-All-Aboard-Enabling-Team-Access-to-PKS-with-a-Concourse-Pipeline-21-320.jpg)
PKS Automation Station...All Aboard: Enabling Team Access to PKS with a Concourse Pipeline
- 1. PKS Automation Station...All Aboard: Enabling Team Access to PKS with a Concourse Pipeline SpringOne Platform October 8, 2019
- 2. 2 Vaseeharan Seevaratnam Platform Engineer svasee John Paice Senior Platform Engineer @johnny_platform INTRODUCTIONS
- 3. 3 • DSG’s Container Journey • Challenges • PKS Workloads • Onboarding Prerequisites • Demo! AGENDA
- 4. 4 • Monolith application to microservices • Teams were were working in silos more collaborative • Buy vs. Build • Cloud Native • Twelve Factor Apps CONTAINER JOURNEY
- 5. 5 Application Archaeology: Accelerating App Modernization at DICK’S Sporting Goods Today 4:20pm–5:30pm 16AB Pivotal Vanguard Customer Deep Dive Expedition: Pearls of Wisdom Wednesday 4:20pm–5:30pm. 17AB Multi-cloud Deployments Thursday. 9:15am Main Stage #DSGTECH
- 6. 6 • Team onboarding challenges • Short SLAs • Consistent results • Snowflake effects • Peer code review • PKS Challenges PLATFORM CHALLENGES
- 7. 7 PKS WORKLOADS • Not all applications fit the same mold – Applications with custom containers – Not twelve factor – Applications that need persistent storage • Kafka • ELK • RabbitMQ
- 8. 8 • Infrastructure as a code • Easy auditing • Predefined access control • Build repeatable PKS clusters • No snowflakes of servers, all the configurations are version controlled • Minimal administration of the cluster • Delegated access control REQUIREMENTS
- 9. 9 • Cloud Provider - vSphere, Azure, GCP, AWS • Active Directory LDAP Integration for user access control • Git as a source code repository • Concourse pipeline • PKS SOLUTION
- 10. 10 ACCESS WORKFLOW Create and configure LDAP groups Configure UAA > LDAP in the PKS tile Map LDAP group to UAA scope using UAAC Create a service user account in UAA Log in to the PKS CLI as a Cluster Admin Run pks get- credentials to generate kubeconfig Use kubectl to create a Admin ClusterRoleBinding Run pks get- kubeconfig targeting the cluster PKS CLI generates kubeconfig Use kubectl to access the cluster Operator Concourse PipelineDeveloper PKS INSTALL PKS CLUSTER CREATION PKSCLUSTER DAYTODAY ACTIVITY
- 11. 11 ACCESS WORKFLOW Create and configure LDAP groups Configure UAA > LDAP in the PKS tile Map LDAP group to UAA scope using UAAC Create a service user account in UAA Log in to the PKS CLI as a Cluster Admin Run pks get- credentials to generate kubeconfig Use kubectl to create a Admin ClusterRoleBinding Run pks get- kubeconfig targeting the cluster PKS CLI generates kubeconfig Use kubectl to access the cluster Operator Concourse PipelineDeveloper PKS INSTALL PKS CLUSTER CREATION PKSCLUSTER DAYTODAY ACTIVITY
- 12. 12 LDAP STRUCTURE LDAP Groups and Uses structure for PKS integration: pks-managerpks-cluster-admin pks-cluster-ro [email protected] [email protected]@dsgtech.co K8s Operator K8s Developer K8s Viewer
- 13. 13 ACCESS WORKFLOW Create and configure LDAP groups Configure UAA > LDAP in the PKS tile Map LDAP group to UAA scope using UAAC Create a service user account in UAA Log in to the PKS CLI as a Cluster Admin Run pks get- credentials to generate kubeconfig Use kubectl to create a Admin ClusterRoleBinding Run pks get- kubeconfig targeting the cluster PKS CLI generates kubeconfig Use kubectl to access the cluster Operator Concourse PipelineDeveloper PKS INSTALL PKS CLUSTER CREATION PKSCLUSTER DAYTODAY ACTIVITY
- 14. 14 UAA CONFIGURATION • Enable created clusters to use UAA as the OIDC provider. Login to Ops Manager and perform following configurations on PKS UAA: • Configure PKS UAA to use LDAP Server as external authentication mechanisms.
- 15. 15 ACCESS WORKFLOW Create and configure LDAP groups Configure UAA > LDAP in the PKS tile Map LDAP group to UAA scope using UAAC Create a service user account in UAA Log in to the PKS CLI as a Cluster Admin Run pks get- credentials to generate kubeconfig Use kubectl to create a Admin ClusterRoleBinding Run pks get- kubeconfig targeting the cluster PKS CLI generates kubeconfig Use kubectl to access the cluster Operator Concourse PipelineDeveloper PKS INSTALL PKS CLUSTER CREATION PKSCLUSTER DAYTODAY ACTIVITY
- 16. 16 MAP LDAP GROUP • Grant pks.clusters.admin scope to PKS Operators team by Log In as a UAA . uaac group map --name pks.clusters.admin CN=pks-cluster-admin,OU=Groups,DC=dsgtech,DC=co
- 17. 17 ACCESS WORKFLOW Create and configure LDAP groups Configure UAA > LDAP in the PKS tile Map LDAP group to UAA scope using UAAC Create a service user account in UAA Log in to the PKS CLI as a Cluster Admin Run pks get- credentials to generate kubeconfig Use kubectl to create a Admin ClusterRoleBinding Run pks get- kubeconfig targeting the cluster PKS CLI generates kubeconfig Use kubectl to access the cluster Operator Concourse PipelineDeveloper PKS INSTALL PKS CLUSTER CREATION PKSCLUSTER DAYTODAY ACTIVITY
- 18. 18 AUTOMATION SERVICE ACCOUNT • Grant Enterprise PKS Access to a user by Log In as a UAA Admin. uaac user add srv-pksadmin --email [email protected] -p <password> uaac member add pks.clusters.admin srv-pksadmin
- 19. 19 Add-Ons for tiller service account part of cluster provisioning. PKS ADD-ONS apiVersion: v1 kind: ServiceAccount metadata: name: tiller namespace: kube-system apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: tiller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: tiller namespace: kube-system
- 20. 20 Add-Ons for Storage Class PKS ADD-ONS apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: default annotations: storageclass.kubernetes.io/is-default-class: "true" parameters: cachingmode: ReadOnly kind: Managed storageaccounttype: Standard_LRS provisioner: kubernetes.io/azure-disk reclaimPolicy: Delete apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: managed-premium parameters: kind: Managed storageaccounttype: Premium_LRS provisioner: kubernetes.io/azure-disk reclaimPolicy: Delete
- 21. 21 Add-Ons for subdomain nameserver PKS ADD-ONS apiVersion: v1 kind: ConfigMap metadata: name: kube-dns namespace: kube-system data: stubDomains: | {"dsgtech.co": ["10.0.8.5"]}
- 22. 22 ACCESS WORKFLOW Create and configure LDAP groups Configure UAA > LDAP in the PKS tile Map LDAP group to UAA scope using UAAC Create a service user account in UAA Log in to the PKS CLI as a Cluster Admin Run pks get- credentials to generate kubeconfig Use kubectl to create a Admin ClusterRoleBinding Run pks get- kubeconfig targeting the cluster PKS CLI generates kubeconfig Use kubectl to access the cluster Operator Concourse PipelineDeveloper PKS INSTALL PKS CLUSTER CREATION PKSCLUSTER DAYTODAY ACTIVITY
- 23. 23 • Concourse Pipeline • Parameter variable values: Git: – git_repo_uri – git_branch – git_private_key PKS: – pks_api – pks_cli_username – pks_cli_password – pks_env CONCOURSE PARAMETERS
- 24. 24 DEMO
- 26. Q&A