3. Operational
Efficiency
● Employ 500:1 developer
to operator ratio
● Perform zero-downtime
upgrades
● Runs the same way
on every public/private
cloud
Developer
Productivity
Comprehensive
Security
● Accelerate feedback
loops by improving
delivery velocity
● Focus on applications,
not infrastructure
● Give developers the
tools and frameworks
to build resilient apps
● Adopt a defense-in-
depth approach
● Continuously update
platforms to limit
threat impact
● Apply the 3 R’s →
repair, repave, rotate
● Run platforms that
stay online under
all circumstances
● Scale up and down,
in and out, through
automation
● Deploy multi-cloud
resilience patterns
High Availability
Platform Team Delivering Real Value
4. Can we realize these benefits for other workloads too?
MONOLITHIC
APPLICATIONS
More
MICROSERVICES
Stateful
or
Clusters
CONTAINERS COTS
DATA SERVICES
MICROSERVICES
MONOLITHIC
APPLICATIONS
Some Some .NET APPLICATIONS
5. Can we realize these benefits for other workloads too?
MONOLITHIC
APPLICATIONS
More
MICROSERVICES
Stateful
or
Clusters
CONTAINERS COTS
DATA SERVICES
MICROSERVICES
MONOLITHIC
APPLICATIONS
Some Some .NET APPLICATIONS
12. Storage NetworkingCompute
Dev / Apps
App User
IT / Ops
> kubectl
Kubernetes Dashboard
Load Balancing / Routing
Container Image
Registry
App Monitoring
App Logging
OS Updates
OS Images
K8S Updates
K8S Images
Log & Monitor
Recover & Restart
Backup & Restore
External
Data Services
Cluster
Provisioning
Provision & Scale
Command Line
/ API
Management
GUI
Monitoring GUI
...but Kubernetes alone is not enough for enterprises
13. Storage NetworkingCompute
Pivotal Container Service (PKS) provides what’s missing
Dev / Apps
App User
IT / Ops
> kubectl
Kubernetes Dashboard
Load Balancing / Routing
OS Updates
OS Images
K8S Updates
K8S Images
Log & Monitor
Recover & Restart
Backup & Restore
External
Data Services
Cluster
Provisioning
Provision & Scale
PKS Control Plane
> pks
Operations Manager
vRealize Operations*
Container Image
Registry
vRealize
LogInsight
14. on any Cloud
Dev / Apps
App User
IT / Ops
> kubectl
Kubernetes Dashboard
Load Balancing / Routing
Container Image
Registry
OS Updates
OS Images
K8S Updates
K8S Images
Log & Monitor
Recover & Restart
Backup & Restore
External
Data Services
Cluster
Provisioning
Provision & Scale
vRealize
LogInsight
PKS Control Plane
> pks
Operations Manager
vRealize Operations*
15. What PKS adds to Kubernetes
PKS value-
added
features
Built into
Kubernetes
Multi-container pods
Stateful Sets of pods
Persistent disks
Single tenant ingress
Pod scaling and high availability
Rolling upgrades to pods
Cluster provisioning and scaling
Embedded, hardened Operating System
Monitoring and recovery of cluster VMs and processes
Rolling upgrades to cluster infrastructure
Secure multi-tenant ingress
Secure container registry
16. “On a good day our DIY k8s solution could provision a cluster
in 45 minutes. On a bad day it would fail to deploy ~30
times” - IT Operator
17. Cover w/ Image
Turnkey solution. All the things you need to use
and operate a container runtime. In one package.
On every cloud.
Enterprise readiness, control and security.
Continually updated platform, embedded OS,
secure container registry, policy-driven networking,
integrated IdM. Controllable and customizable by
service plans.
Developer empowerment. Consume app services,
popular tools “just work” with vanilla Kubernetes via
constant compatibility. Developers get the
Kubernetes they want, for their choice of workloads.
Multi cloud. Run it on any infrastructure of choice.
On premises or in the public cloud.
Our investment themes
18. Is your network ready?
(How mature is your SDN?)
Answer: Probably not; if you require
tickets/manual process for network or
firewall rules, you aren’t ready
● Microsegmentation with NSX-T
● Automated IP allocation and
load balancer provisioning
● Monitoring & troubleshooting
with familiar VMware tooling
How many clusters are
you going to need?
Answer: More than one required to
provide true multi-tenancy
● Self-service, on-demand
provisioning of clusters
● Pre-defined T-shirt size
clusters
● Scale clusters up and down
How many times does
K8s release per year?
Answer: Major releases quarterly;
minor releases/patches frequently
● Automated upgrades on-
demand with BOSH
● Automatic patching with
Concourse pipelines
● Self-healing nodes on failure
Upgrades Multi-tenancy Network
PIVOTAL’S OPINION PIVOTAL’S OPINION
Three Questions
PIVOTAL’S OPINION
20. BOSH
Reliable and consistent operational experience for any cloud.
BOSH
Harbor
NSX-T
Kubernetes
K8s Cluster
K8s Cluster
K8s Cluster
PKS Control Plane
Use the PKS CLI and API to
create, operate, and scale your
clusters.
VMware GCP Azure Openstack AWS
PKSControlPlane
Built with open-source
Kubernetes
Constant compatibility with the
latest stable release Kubernetes
—no proprietary extensions.
Harbor
An enterprise-class container registry.
Includes vulnerability scanning,
identity management, and more.
NSX-T
Network management, security, and
load balancing out-of-the-box with
VMware NSX-T. Multi-cloud, multi-
hypervisor.
Enterprise-Grade Kubernetes
24. BOSH is an open source
tool for release
engineering, deployment,
lifecycle management,
and monitoring of
distributed systems.
25. ➔ Health monitoring (server & processes)
➔ Self-healing w/ Resurrector
➔ Storage management
➔ Rolling upgrades with canaries
➔ Easy scaling of clusters
➔ Repeatability and Consistency
➔ Packaging w/ embedded OS
➔ Server provisioning on any IaaS
➔ Software deployment across AZs
28. Availability Zone B
Availability Zone A
Bosh distributes deployments across AZ’s
Availability Zone A
Availability Zone B
Kubelet
Kube-proxy
Pod
Pod
K8s Worker
Pod
API Server
Kube Scheduler
K8s Master
Controller
Manager
Kubelet watches and restart containers
Bosh agent watches and restarts processes
Bosh director watches and restarts nodes
Bosh agent
Bosh agent
Bosh Health
Manager
PKS Health Management
31. Two models supported
Multi-tenant clusters
● Leverage Kubernetes namespaces
Limitations with Kubernetes alone
● Noisy neighbors (workloads can affect other
tenants)
● Share the same network
● Share DNS
● Shared Configuration
● ...
We add
● Network microsegmentation with NSX-T
○ Eliminating “Share the same network”
Multi (Single-tenant) clusters
It is having an API for creation and management
that enables this!!!
● Every tenant gets their own cluster
Addresses limitations
● Single tenant worker VMs (depend on the
hypervisor to ensure host is properly shared)
● Every cluster has own network segment
● Every cluster has own DNS
● Every cluster has own configuration
● ...
No other “on
prem” solution
has this!!!
32. Two models supported
Multi-tenant clusters
● Leverage Kubernetes namespaces
Limitations with Kubernetes alone
● Noisy neighbors (workloads can affect other
tenants)
● Share the same network
● Share DNS
● Shared Configuration
● ...
We add
● Network microsegmentation with NSX-T
○ Eliminating “Share the same network”
Multi (Single-tenant) clusters
It is having an API for creation and management
that enables this!!!
● Every tenant gets their own cluster
Addresses limitations
● Single tenant worker VMs (depend on the
hypervisor to ensure host is properly shared)
● Every cluster has own network segment
● Every cluster has own DNS
● Every cluster has own configuration
● ...
No other “on
prem” solution
has this!!!
33.
34. Multi-Tenancy - Single Cluster vs Multi-Cluster
Shared Compute/Storage/Network
Tenant 1
Tenant 2
Kube API
Server
Kube SchedulerDNS Cont. Mgr.
Kubelet Kubelet Kubelet
Worker Worker Worker
PKS Control Plane
Master Node(s)
Shared Compute/Storage/Network
Kube API
Server
Kube
Scheduler
DNS
Cont. Mgr.
Kubelet Kubelet Kubelet
Worker Worker Worker
PKS Control Plane
Master Node(s)
Kube API
Server
Kube
Scheduler
DNS
Cont. Mgr.
Master Node(s)
Kubelet
Worker
Tenant 1 Tenant 2
41. Role-Based Access Control (RBAC)
LDAP/AD Integration
Image Vulnerability Scanning (Clair)
Notary Image Signing
Policy-Based Image Replication
Graphical User Portal & RESTful API
Image Deletion & Garbage Collection
Auditing
An enterprise-class registry server for
Docker images
Build Image
Push
Image
Scan
Image
for CVEs
Sign
Image
kubectl
run
Dev Team
Image
Registry
Clair Notary
R
B
A
C
UAA
Auth
R
E
P
L
42. Physical Infrastructure
Container
Registry
vSphere vSAN, NFS, iSCSI, FC Datastores
NSX-T
BOSH
masteretcd workermasteretcd worker
PKS Control Plane
Integrations w/ VMware
vRealize
Automation
vRealize
Log Insight
vRealize
Operations
vRealize
Network
Insight
Wavefront
by VMware
44. ● Install/Manage PKS
● Configure cluster plans
● Apply a patch / update
● Onboard Cluster Owner
via RBAC
● Operate Bosh
Platform Operator (Alana)
A Day in Life with PKS
● Create a cluster
● Scale a cluster
● Create Network Policy
● Onboard App Dev via
RBAC
● ...
Cluster Owner (Cody)
● Deploy an app
● Expose app with service
type: LoadBalancer
● Expose app with Ingress
● ...
App Dev (Naomi)
● Health Management (server & process)
● Network Automation
Automation
49. PKS User Interaction
● The PKS Management VM runs the PKS API
together with the Broker, UAA and a MySQL DB.
● The PKS API orchestrates the initial kubernetes
cluster deployments and scaling of those clusters.
● A single PKS VM can manage hundreds of
Kubernetes cluster.
● The PKS CLI is a single binary that can be installed
on a Mac, Windows, or Linux to drive the PKS API.
PKS CLI
PKS
Control Plane
PKS API
50. Creating a new K8s Cluster
Platform User
PKSControlPlane
CLI
API
PKS CREATE CLUSTER
BOSH
deploy
Kubernetes cluster
Create
Harbor
NSX-T
Master
Worker
WorkerWorker
etcd Worker
Master
etcd
51. Scaling a Kubernetes Cluster
Platform User
PKSControlPlane
CLI
API
PKS SCALE CLUSTER
BOSH
deploy
Kubernetes cluster
Scale
Harbor
NSX-T
Master
Worker
WorkerWorker
etcd
Worker
Master
etcd
Worker