Understanding Shift to Custom Kubernetes Resources with Oum Kale @ Cloud Native London

June 8, 2023

2 min read

Understanding Shift To Custom Kubernetes Resources (Kale Oum Nivrathi, JFrog)
In the era of containerization and orchestration, Kubernetes is moving fast. The future of orchestration platforms lies in Custom Resource Definitions (CRDs) and APIs, and writing a Kubernetes operator is the best way to extend those APIs for your application. Operators are clients of the Kubernetes API that act as controllers for a Custom Resource; they extend the functionality of the Kubernetes API, enabling it to configure, create and manage instances of applications automatically using a structured process. In this talk, we take a deep dive into the capabilities of Kubernetes controllers and lifecycle management, including backup, recovery and automatic configuration tuning. We also explore writing Kubernetes operator controller logic and its unique way of managing application deployments, as a use case.
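As an added illustration of the controller pattern the abstract describes (this is example code written for this page, not the talk's demo operator or any JFrog code), here is the reconcile loop reduced to its core in Go. The `PotatoHeadSpec` custom resource, the `Cluster` stand-in for the API server and the `Reconcile` function are all assumptions made so the example runs offline; a real operator would use controller-runtime's client and be driven by watch events, but the comparison of desired state against actual state is the same.

```go
package main

import (
	"fmt"
	"sort"
)

// Added example, not JFrog's operator code. Names (PotatoHeadSpec, Cluster)
// and the in-memory "API server" are assumptions made so it runs offline.

// PotatoHeadSpec is the spec of a hypothetical custom resource: which
// services the operator must run and which image they should use.
type PotatoHeadSpec struct {
	Image    string
	Services []string
}

// Deployment is the simplified actual-state object the operator manages.
// Owner plays the role of an ownerReference back to the custom resource.
type Deployment struct {
	Name  string
	Owner string
	Image string
}

// Cluster stands in for the Kubernetes API server (assumption: an in-memory
// map instead of a client-go clientset).
type Cluster struct {
	Deployments map[string]Deployment
}

func NewCluster() *Cluster {
	return &Cluster{Deployments: map[string]Deployment{}}
}

// Action records what a reconcile did, so convergence can be checked.
type Action struct {
	Verb string // "create", "update" or "delete"
	Name string
}

// Reconcile drives actual state toward the desired state declared in spec.
// It is level-triggered: it reads the full current state every time rather
// than reacting to individual events, and it is idempotent, so a second run
// on an unchanged spec performs no actions.
func Reconcile(c *Cluster, owner string, spec PotatoHeadSpec) []Action {
	var actions []Action
	wanted := map[string]bool{}

	// Create or update every deployment the spec asks for.
	for _, svc := range spec.Services {
		name := owner + "-" + svc
		wanted[name] = true
		cur, exists := c.Deployments[name]
		switch {
		case !exists:
			c.Deployments[name] = Deployment{Name: name, Owner: owner, Image: spec.Image}
			actions = append(actions, Action{"create", name})
		case cur.Image != spec.Image:
			cur.Image = spec.Image
			c.Deployments[name] = cur
			actions = append(actions, Action{"update", name})
		}
	}

	// Garbage-collect deployments this CR owns that are no longer in spec.
	// Only objects with a matching Owner are touched, so the controller never
	// deletes resources that belong to someone else.
	var stale []string
	for name, d := range c.Deployments {
		if d.Owner == owner && !wanted[name] {
			stale = append(stale, name)
		}
	}
	sort.Strings(stale) // map iteration order is random; keep actions deterministic
	for _, name := range stale {
		delete(c.Deployments, name)
		actions = append(actions, Action{"delete", name})
	}
	return actions
}

func main() {
	c := NewCluster()
	spec := PotatoHeadSpec{Image: "podtato-head:1.0", Services: []string{"frontend", "backend"}}
	fmt.Println("first reconcile:", Reconcile(c, "demo", spec))
	fmt.Println("second reconcile (no-op):", Reconcile(c, "demo", spec))
	spec.Image = "podtato-head:1.1"
	spec.Services = []string{"frontend"}
	fmt.Println("after spec change:", Reconcile(c, "demo", spec))
}
```

Two properties matter for safety here. Idempotence (a re-run on unchanged state is a no-op) is what makes requeues and exponential back-off harmless rather than destructive. Ownership scoping (only objects the CR owns are ever deleted) limits the blast radius of a bug in the reconcile logic, and the same scoping should be applied to the operator's RBAC: grant its ServiceAccount only the verbs on the resource kinds it actually reconciles, since a cluster-admin binding turns any reconcile bug into a cluster-wide problem.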

Linting Rego with Rego! Introducing Regal the Rego linter (Anders Eknert, Styra)
With origins in logic programming and Datalog, Rego is a powerful language for asking queries on structured data, such as that commonly represented as JSON or YAML. Logic programming is however an unfamiliar domain for most developers, and learning both a new domain and a new language requires good resources for learning. While documentation and style guides are great, what if we could automate parts of the learning process? In this first-ever talk, Anders will introduce you to Regal — a new (and first!) linter for Rego, with the goal of providing “guardrails for your guardrails” — i.e. your Rego policies, as well as to be a learning tool for people new to the language. What’s more, Regal itself is written mostly in Rego!

Platform engineering in cloud repatriation era (Bartek Antoniak, VirtusLab)
This presentation delves into the journey from an infrastructure baseline, via a developer community, to its current state of platform engineering. It highlights the advantages of platform engineering over the do-it-yourself approach and how enabling teams can seamlessly integrate with platform engineering. The second part of the presentation focuses on the measures by which we assist application teams in the public cloud and how platform engineering can be effectively implemented in the cloud repatriation era. Finally, we explore the relevance of public cloud and the current trends among technology organisations. By providing a comprehensive overview, this as a whole should make the question “Where do we go from here?” much easier to answer.

View Oum's Slides Here

Speakers

Oum Kale

Software Engineer, R & D

Oum Kale is a Software Engineer (R&D team) at JFrog, working on the Installer team to build a Kubernetes Operator for deploying and managing applications. He is also a core contributor and member of the CNCF incubating project LitmusChaos. He is a sporty guy and an internationally rated chess player.

Video Transcript

should work this way

Hello, hello, hello, please come on down, take a seat. Hey, welcome, welcome. Come on down, grab a seat anywhere you like. Cookies. That’s good to know, probably wrong.

Okay, I know there are some more folks who are still up there. We are running slightly behind today, so I’m going to kick off and assume that people will filter in over the next minute or two anyway. Welcome to Cloud Native London. It is really great to see that you’ve come out, especially on such a beautiful evening. We are a strong, open, diverse developer community around the cloud native platform and technologies in London. My name’s Cheryl, I’m your host for the evening. You can find me on Twitter at @oicheryl, and we’ll also be tweeting with the hashtag #cloudnativelon tonight.

So we’ve got three talks for you this evening. Our first one is from Kale; he’s going to talk about understanding the shift to custom Kubernetes resources. And then our second speaker at 7:15 will be Linting Rego with Rego, introducing Regal the Rego linter. Oh, this is a tough one to say, a tongue twister exactly, you have to say that fast. And then we’re going to take a 15-minute break, 7:45 to 8 o’clock, and come back for our third talk, which will be Platform Engineering in the cloud repatriation era. Thank you. Okay, and then at 8:30 we’re going to wrap up, we’ll go down to the pub downstairs, which is the Conductor, and we’ll just hang out and chill and stay as long as you want.

So thank you to tonight’s sponsors. Do we have any Just Eat folks? Do you want to say... No, you don’t say it, okay. Thank you very much for hosting us, for having us here at your office this evening. VirtusLab, so, do you want to come and do a little intro, or do you want to do that as part of your talk? Got it, okay. All right, stop. Do you want to do a little thing? Yeah, you do your little thing.

All right, I’m Anders from Styra, which is the creators and the maintainers of the Open Policy Agent project, or OPA, which is the topic for my talk today. So besides maintaining that, we also have two commercial products: one which is Styra DAS, which is a commercial control plane for managing OPA at scale, and there’s an enterprise OPA, you could say. That’s basically it.

Amazing, thank you very much. And then last but not least, Sysdig. I think this is where we have a couple of slides from the Sysdig folks. We have someone from Sysdig here who’s going to give the intro? Okay, I’ll give it on their behalf. Sysdig do cloud and container security based on Falco, eBPF. Here is a selection of the open source projects that they contribute to, and they particularly wanted to mention this workshop, which is called Falco on Tour, which is coming up, and there is a QR code if you are interested in learning more about Falco. Okay.

One more shout-out: OpenUK, which is an organization which released this report about the state of open source in the UK in April, a few months ago. They’re now looking to do a survey for the next phase of this report, so this survey closes in about a week’s time, and please do take the survey. I think it’ll be very interesting to see what the results are. Okay, that’s it from the sponsors. Thank you very much again for supporting us, supporting the community.

Now I want to ask some questions about you, so please grab your phone and go to this link, oyshell.com p, and we’ll do a little bit of live polling. You don’t need to sign up or anything, it’s just a web link, you just skip when they ask for your name. I want to ask two questions about you and then three questions about how you use cloud native, which have been submitted by our speakers.

So the first... well, people have already started, actually. The first question is: is this your first time at Cloud Native London? You should see two buttons, yes and no, so just click if it’s your first time or not. You’ve been for years now; I think you might be one of the longest-running ones. There are people joining on YouTube and Twitter as well, though, so they might be joining for the first time too. All right, looks like we have 80 returning, 20 first-timers. Some people are still voting here. Amazing. Whether you’ve come for a first time or you’ve come back, it is wonderful to have you here.

Second question: what’s your job title? Just pick whatever you’re closest to, so architect, application developer, back-end developer, engineering manager, SRE, DevOps engineer, security engineer, or anything else. And it looks like a lot of “anything else” today, but otherwise it’s a pretty even mix between architects, application architects and back-end developers, and some SRE people and some security people as well. Amazing.

Okay, our next question was submitted by Kale, I believe: have you used Kubernetes controllers before? So yes, no, or not part of my role. So I think Kale’s on the line. Yes, yeah. So, just seen the results come in, is this what you were expecting when you asked this question? Yes, yes, really more than what I was expecting. Oh, more than you were expecting, what were you expecting? 50... 15, but yeah. Okay, interesting. So I hope people will learn a little bit more about this in your talk today. Looks like about 50/50 between yes and no or not in my role.

Next question: where are you currently running a policy as code solution? So nowhere, I guess implying you don’t have one; Kubernetes admission control; as part of your infrastructure; as part of your authorization; or other. Anders, this is your question, this came from you? Yeah. So let’s see, 60, 50, 60 saying part of your infrastructure, nobody’s saying Kubernetes admission control. And is this what you were expecting, what do you think? It’s a bit surprising. That’s very diplomatic. He said it depends on the audience. So what were you thinking? Yeah, of course. No, I think OPA is a very versatile tool, so we see it’s used for all kinds of stuff, you know, and of course what I will talk about today is probably the most odd use case ever for OPA. But yeah, hopefully next time I come back we’ll see more people using it for authorization and admission control. Interesting, okay, amazing, thank you very much.

And third and last question: what is your operating model in the infrastructure space? So app teams build and manage infrastructure themselves; you have a central managed platform and your app teams host your workloads in your platform; or hybrid. Lucas, did you submit this question? Yes. Okay, so as the results come in, looks like most people are doing sort of a central or hybrid model. So does that sound like what you’ve seen before? Okay, excellent, it seems like that’s what you expected. Doing the do-it-yourself, yeah, okay. Fantastic. All right, thank you very much everyone for joining with the live polling today, submitting your answers.

Oh, I need a selfie for the purposes of social media, so just smile and wave for me. I’m not coming, I’m sorry Kale, I’ll take a picture of you as well. Nice. And if you want to come and speak or sponsor, then go to cloudnativelon.com. You can request a speaking slot for next year, you can also help us out with pizza, you can also share your own events if you want to. And that is it from me, so keep hold of that polling link because we’re going to use it for questions to the speakers later. Other than that, Kale, I’m going to hand over to you, so feel free to share your screen and kick off.

I think you’re on mute. Hey everybody, how are you? Hello, hello, hello, hello everyone. Okay, hey everyone. Today I’m going to talk on understanding the shift to custom Kubernetes resources. We have seen that there is a large part of the audience already there who is aware of Kubernetes controllers and all, so it’s easy for them to correlate. Also, those who don’t have any idea, I will take it from scratch.

So let’s go for a short intro. This is Oum. I’m a Certified Kubernetes Administrator, also a software engineer on the R&D team at the JFrog India office. Additionally I’m a maintainer of the CNCF incubating project LitmusChaos, and when I don’t work, I’m a sporty guy, I am an internationally rated chess player, so feel free to ping me after the talk if somebody wants to play chess. And one more thing: wherever I go, I take a raffle with me, so scan the QR and open the link, there is a short survey, and get a chance to win a Nintendo Switch. The draw will be in the first week of July; they will be contacted through email. It takes a couple of seconds. And yeah, that’s all.

Okay, let’s talk about Kubernetes, right? Everyone knows, everyone is using Kubernetes in daily life, right? So what do you get when you hear the Kubernetes name? Let’s start from scratch. Anybody is there? I’m expecting infinity people at least. (Just figuring out how to turn the audience microphone on.) Okay. Anyone answer? I will just throw it into the audience otherwise.

Okay, so we get a lot of things in our mind: orchestration, managing load, persistent things and a lot of things, right? So we get to know a lot about orchestration, right? Let’s take an example: there are a few things like around autoscaling, a lot of things are there around orchestration and around Kubernetes, right, what we use, and we worked out on that. So let’s discuss a few of them and we will discuss orchestration as well.

So, orchestration. In orchestration we can see that in Kubernetes there are a lot of resources, right, Kubernetes resources we get from Kubernetes only. So these things like Kubernetes resources, three of them I just listed here: the Pod, Service, Deployment, persistent volume, right, and there is a configuration around that which is actually stating as orchestration, right? Suppose a pod: what is the pod giving us? Giving a container or our application, storage, network and many configurations, right? So is this orchestration? Right, yes. In Deployment also, it is having its own responsibilities. Services are having their own responsibilities, storage is having its own responsibility, persistent volume and persistence, right? So these are the orchestrations, right, which are there in Kubernetes, which are actually helping us to work out on that, right?

So what exactly an orchestration is: isn’t it something playing or running internally which is giving this thing, right? Suppose a pod, as we discussed about the pod, right, so a lot of configurations are around that and it’s having the responsibility to manage the containers, right? So there is somewhere the configuration is, right, that is stating as the orchestration. Like, for example, persistent volume claim and persistent storage also, right? Storage is a very important thing, because storage isn’t something like we manage like instances, right? And Kubernetes gives us very good, very easy configurations on top of that to configure the storage, to claim the storage, and we can... So there are configurations, right, on top of some resource, which is actually playing some role and giving us something; they’re playing some specific role.

So why don’t we have our own orchestration, we can say, our own object, right, which is playing its own responsibility? Now let’s take an example: I have an application and my application’s responsibility is to run for some time, stop for some time, or any kind of role, or some application’s responsibilities, and we wanted to code, or we wanted to drive that in our Kubernetes cluster, right? Similar to kind: Pod, right, objects for Deployment, Service, volume. Similar to that, why don’t we have our own, which is playing its own responsibility, right? So this is where the shift is, right? This is where we get a lot of resources from Kubernetes, and it’s time to write our own resource on top of that which is playing its special responsibility.

In the later demo I will take a sample application, podtato-head. We have the podtato-head application there, and we have an operator, or we have a controller, which is actually installing the podtato-head application. And what is the advantage, you will say? Right now we will say, no, no, we don’t want that, we have the old templating or manifest or Helm-based installation ways, right? Why, what is the requirement of having our own object, right? So whatever we have been achieving with the older ways, right, or current ways, to install our application, we can use that same end result, or we can use our desired state, we can get our desired state by using controllers as well. The advantage is that the controller will give us full-fledged control, or we can access the Kubernetes API, we can use any API and we can tune that API with our application to actually meet our application’s responsibility.

Now let’s say, for example, I have an application which goes down for some time, right? Now you will see Kubernetes itself heals that, right? Okay, but some application is only having some issue, or some application wants to have its specific check. Suppose, for example, before the application runs we want to tune a few things; before the application runs we can actually write logic around that and we can tune that thing. Let’s say, for example, our application breaks a few things after upgrade, right, and if you use Helm, we do upgrade, it’s just template-based, it’s upgrading and it’s failing. And now let’s say, for example, we have our own object, a custom Kubernetes resource, and in that resource we have written logic on top of that which is actually fixing that upgrade path, right? So whenever an upgrade comes, that method gets called, and it actually fixes that thing, so that enables us to upgrade seamlessly. So a lot of things are there; we have just taken an example. So it’s a shift, basically. So writing our object is... and that actually sounds good. It’s also like, what do you think, everyone? Whatever... Yep. Okay, so yeah, so that was a yes, a couple of yeses, thank you, thank you. So I believe that soon people, our audience, will look for their own kind, yeah.

There are a number of advantages of writing our own kind. So basically there is the kind, right, what we recently discussed about is the Kubernetes object. So to get that, there are multiple ways; there are already frameworks as well, and basically we will design... what exactly happens, what exactly will happen internally, we’ll discuss a few things about that. So basically we will design a custom Kubernetes resource definition which is actually holding the definition of our object configurations. So we will design our own manifest.

After designing the manifest, we can see that there will be one actual state. Let’s say, for example, we have a deployment, right, and we update the deployment image and again we apply the deployment, right? We see that it shows the deployment configured, right, and some new pods come up on the basis of upgrade policies. New pods come up and they’re actually having the newer image, right? So what exactly is happening internally: it’s checking the actual state versus the desired state and it’s updating our deployment pods, right? So this controller is basically actually responsible for that. With the help of helpers and other things it actually checks the desired and actual state and it reconciles whenever a difference, whenever a new state, is found. So all the methods and methodologies get called, and whatever logic we have written, it gets configured and it updates our resources. So internally things will flow like this.

So as we discussed, right, there are multiple ways to write these controllers and operators, right? So one is to use the Operator SDK framework from Operator Framework. The second one is Kubebuilder; Operator SDK is actually using Kubebuilder only. And the other way is actually writing from scratch: writing helpers and a lot of things, setting up caching and all, and setting up our controller, and we can achieve it that way as well. To get this done, basically the Operator Framework provides actually all the abstracted way, all the abstractions, including all the abstractions, and it gives simple logic, or it provides us the place to write our logic. Basically it abstracts all the things and provides us an easy way to write our own controller.

We’ll see a small demo of whatever we were discussing, like manifest, how and what. Let’s... so we all have seen YAML files, right? So we all have seen the deployment and other configurations, right? So similar configurations, basically our configurations will be there. I have taken here a podtato-head example; it’s a sample CNCF project which I have taken here. So we have written our kind as the object; this is apiVersion, where we wanted our Kubernetes version where we have this object; metadata and spec. We can define actually all the spec, whatever we want we can mention here, whatever is required. Suppose I have an application, my application requires some resource names or some admission controller name or anything; we can provide that, we can write... We first create our CRD, and it’s actually holding the definition of this object. So you can have any object specification, this is just a sample, and we actually get this CRD also from Operator Framework only, where we have to define our types, so we get this type definition. So it enables us to create all our objects.

Okay, so let me just apply this now. This podtato-head is having multiple services, where we will apply our manifest; our manifest, or internally the operator will be running, that will create all the services. Yes. Oh, I think a few things are already trying out: install the required permissions, service account to authorize our container, Kubernetes... we play with our Kubernetes server. Yeah, this is the CR basically, the CR manifest, podtato, which we recently saw. So the operator namespace, operator deployment was created, which is having actually the controller logic; reconciling and all happened, which actually takes our CR configuration and creates all this application; that’s created all the application things.

So what I’m just trying to say here is, we can have our own object, a custom object, and you can write your logic behind that to take the fields from our object, and on top of that we can write our n number of methodologies, functionalities, to deploy our application in a much better and more efficient way. And since it is having a lot of advantages to play with Kubernetes API servers, you can use any API, we can use the Kubernetes client and play with any API endpoint to make this happen in a much better way. So our application got installed, and sounds good, right? Or I’m just speaking and something boring happened? Hello, hello, hello.

Okay, so after this I have a small announcement as well, with your permission. So JFrog in the upcoming days is hosting a one-day DevSecOps event at the beautiful Mandarin Oriental Hyde Park on June 27th. So we would like to invite Cloud Native London members to attend for free. A day of security experts will be there; I saw that there were security guys as well, seven percent of them, so it will be big for them. DevSecOps experts will be there, so securing your software supply chain, analyzing the code for security and many more. So use this QR code to register yourself and secure your free spot.

And next thing, to contact me, use the oumkale handle; you can connect with me on LinkedIn, Twitter, you can check out my GitHub profile and blogs as well. And last thing but not the least, I would like to thank everyone, thank you so much for giving me this opportunity to speak, and I hope this talk helps you. Thank you Cheryl, thank you team, and thank you everyone, thank you audience, thank you so much.

Thank you, thank you. I’m gonna... oh yeah, there’s an echo here. Okay, I’m going to take over this screen share again. Not sure why I’m getting echo. Got it, okay. So, questions: you can either use the orange box or you can submit them through the polls. We have sort of five-ish minutes. Any questions? Okay, I don’t think we have any at the moment, but you have all of the... oh no, here we go. Okay, we have one: systems with many controller loops can get very complicated and slow due to exponential back-off. Do you have any tips for debugging in such cases? Are you there?

Okay, so this question. Okay, so first question: systems with many controller loops can get very complicated and slow due to exponential back-off, do you have any tips for debugging in such cases? Okay, so first thing, in controller life, so yeah, I agree that a lot of controller loops happen, and here one thing we need to check is the configurations, whatever we have written, right, so it will run again and again because any small event will happen which will trigger reconciliation, right? So in such cases we can’t do it directly, but yeah, we can allocate proper resources, memory and CPU; that thing we can do, in my opinion. And also we can improvise our logic in such a way that loops will happen, reconciliations will happen, but we need to write the logic in a fashion that it will not actually trigger unwanted methodologies or functions.

All right, let’s take the second question. I see the operators implemented in Go; how much code is required and what is the learning curve for writing an operator for an experienced Go developer? Okay, so in operator, right, so as we discussed, the Operator Framework provides us an abstracted way already, where we have to write our methodologies. So for an experienced Go developer it’s actually very straightforward: they need to just play with the Kubernetes API server. There is documentation in such a great manner that if you go through that you’ll get to know how to set up the typed Go CRDs, generating that, installing it, running it. After running it we just have to write install, manage application, updating status and a few more. So I will share a few resources with you, including the sample operator which we have seen in the demo as well; it will give you a straightforward heads-up. Most of the methodologies are there, you can take reference from them and you can build your own operator from scratch, actually using the Operator Framework. That will help. We’ll share the resources with you.

Does this answer your question? I’m not sure who asked the question, but I guess it’s a difficult question to answer, right? Yes, how much effort it is depends on... okay, your experience, yeah, it depends on the use case. And then this one: did you use Kubebuilder or Operator Framework? I think you already said. I think I used both, but yeah, it depends on the use case also. Operator Framework is also using Kubebuilder, but if you are already aware of most of the Kubernetes, let’s say Golang things, then you can go with Kubebuilder, but if you are looking at it for the first time or need to get into it, then Operator Framework, Operator SDK, is better.

All right, I think that is the end of the questions. So again, if you have any others you can direct them via Twitter or LinkedIn. Another round of applause, please. Thank you, thank you everyone. Next time I would like to connect in person so that I can help with pizza, or save some pizza for me, okay please.

um let’s welcome to the stage our second speaker Anders be happy to use a uh yeah

I’m not sure how to do okay

um this is on okay uh

see here share your screen [Music]

it seem to work yeah it seems to work uh I’m not sure uh

I have some live coding included I’m not sure how to do that with the microphone

but we’ll uh maybe someone can help me okay so uh yeah the topic for today is I

guess a bit a little unusual uh the topic is Regal the RICO linter linding rhaeger with Rego so

uh and Emma Anders and I’m a developer Advocate at styra

I have a pretty long background in software development I’ve worked primarily with identity

systems so basically uh proving who you are in various systems

which eventually led me uh into oppa like once you know who somebody is uh

what do you do with that information and uh what is that information allow that person to do

or that system to do which is basically authorization so that is how I got into Opa I think I’ve been around in this

community now for four years or so and when I’m not I’m interested in cooking food football

and uh if you want to reach out later um yeah basically my first name followed by my last name in in most social

channels so how many of you are familiar with open policy agent

okay a few a few so I’m gonna try and be I’m gonna try to to not be too

go too deep today but there will be some uh yeah fairly advanced stuff as well I

hope I can make it interesting so uh for all who are not familiar what

is what is policy before we uh before we examine what an open policy agent is we

might want to know what is policy in the first place so policy basically is is

basically a set of rules uh so this can be organizational rules these can be

permissions for authorization kubernetes admission control none of you used Opa

for yet uh it could be CI CD pipelines data filtering basically anywhere where you

have rules uh that is a policy whether you recognize it as such or not

uh we’re not just interested in policy in the rules themselves though we’re interested in uh treating policy as code

so we want to work with these policies these rules uh who previously have belonged in PDF documents Google Docs or

whatnot uh belonging to to uh the management

tier and then eventually trickle down into being uh implemented

um it was not an ideal model we wanted we want to work with policy as we want to work with anything else so we want to

be able to review policy we want to be able to test it we want uh to

collaborate on it we want uh static analysis linters and and so on so no

more PDF documents uh a core principle of of oppa and uh

policies code in general is this idea that we want to decouple policy we want

to move it out from our business logic uh or application concerns and treat it

as an entity in its own right which means that we can we can make updates to

policy uh without having to redeploy or modify our applications and we can work

with policy independently from the application life cycle so and this of course also allows clear

separation of responsibilities as one team can work on policies and another team on on other kinds of logic

so Opa it’s an open source general purpose policy ending you know what a policy is now so a policy engine is

basically what makes this happen uh so as of February 2021 it’s a graduated

cncf project it provides a unified tool set and a framework for working with

policy across the whole stack again decoupling a key concept open

decouples policy from application logic it separates policy decision from enforcement enforcement is still done by

applications but oppa makes the decisions to enforce

policies are written in a declarative language called Rego and we’re going to look at that in a bit

but first oppa is a general purpose policy and it integrates with I think over 100 other or known Integrations

that it could obviously integrate with much more so the way it works then is basically

this very simple model. We have a service, and that service could basically be anything: it could be a Kafka broker, it could be a microservice in a Kubernetes cluster, it could be the kube API, anything servicing a request from a user or another machine. When that request is received, that service says: I'm not going to decide whether to allow this or not, I'm rather going to consult the policy engine, which in this case is OPA. So it sends a policy query that says: I have this user, or I have this Kubernetes resource, or I have this Terraform plan, whatever it might be. Anything that's valid JSON could be a valid policy query. OPA then, based on the policy it has, and optionally external data, makes a decision and sends that decision back to the service. So we've decoupled the policy making from our services and have had OPA handle that.

That's OPA. Any questions so far? Is it clear? Sounds like a reasonable idea? No objections?

Okay, so Rego then, that was part of the topic of today. So Rego, it's a declarative, high-level policy language; that's what we use to define our policies. It allows you to describe policy across the whole cloud native stack, so it is not specific to Kubernetes or Terraform or any other language. It is not a general-purpose programming language; there are some well-defined limitations by design. So you're not meant to have policies run forever, for example; they should be constrained in time, and so on.

Just as with real-world policies, a Rego policy is basically any number of rules. These rules, when evaluated, return either true or false, allow this user or not, or a richer data set, and that could be things like obligations: yes, this could be allowed if you go back and log in with another factor, and things like that.

I said one thing we wanted to do with policy is test it, and OPA ships with a unit test framework to allow that. It's a quite well-documented project; I'm biased of course, having written some of those docs myself, but there is also a playground, so you can try it out without even downloading OPA.

Okay, so at this point I figured I would do a short little demo, and I'm not sure how to do that with the microphone, but do you think it will still be heard? Okay, the other side? Okay.

So, just a short demonstration of Rego. We have a file called policy.rego. We're going to say package, and I'm just going to call it policy for the sake of a name. The first thing I want to do here is to say: by default, allow equals false, meaning that seems like a pretty sensible default for an authorization policy. If I don't know anything, I'm just going to say no.

So what could make this allow rule true? And allow in this case is the name of the rule; it doesn't mean anything to OPA. OPA is generic, so it doesn't have any meaning like that. So if we say allow, this is kind of an inverted if-else statement. In a regular programming language we'd say: if this and that, then. OPA kind of inverts that and rather says: then, if this and that. So we're basically saying here that allow is equal to true if some condition in the body is also true. We could for example say: if input.user.roles, we're going to iterate over that, and if one of the roles encountered in the input, which is that JSON document we sent to OPA, one of the user roles is admin, we're going to say allow is equal to true. So it's a conditional assignment; that's basically what a rule is.

That is a two-minute crash course in Rego. Does that make sense? Is it readable? Yep, okay, great. I think we can take a break from that; I can hold that for a while, but there are two more demos, so you're going to have to run a bit.

Yeah, okay, so that was a very simple introduction to Rego: you define a policy, you send it some data, it returns a decision.

So you could say OPA is basically policy-powered guardrails. You build guardrails around your applications, your infrastructure and so on to protect them from threats and outside hostilities, but it's just as much to protect them from yourself, because it's probably more likely that you make a mistake than that you actually have a hacker trying to get at your resources. So if you were to accidentally deploy an insecure S3 bucket, for example, it's pretty neat to have something tell you that you made a mistake before it goes out in prod.

But who guards the guardrails? How do we know that our policy is correct? So two years ago I had an idea: what if we could lint Rego with Rego? What if we could apply these guardrails to Rego itself? Like, I love knowing that, oh, I made a mistake, again before it reaches prod, but I don't have that safety net when I write Rego. That's kind of odd, so we empower all these other systems but not really ourselves.

I did not have the time to kind of proceed with that. What I did instead, I started writing on a Rego style guide. Because Rego has been around now for five or six years and it has evolved over time, so new things have been added, some things have been deprecated, I figured, let's try and document the current state of the art for Rego, somewhat opinionated but still. And it looks something like this. Basically it says, first, for regexes, rather than using double quotes, use backticks, because then you don't need to escape some characters, and so on. So, some simple advice.

The feedback I got from this was positive, but it was also somewhat surprising to me, because I merely meant it to be a style guide, but so many people told me, like, I learned a lot about Rego from this, and it might even be better than the docs on OPA. That was surprising, but obviously I was happy about that too. So that inspired this idea even further, to take that one step further and actually get hacking on this linter.

So linters, of course, are mostly known for helping maintain code quality or catch bugs, but I think, done right, maybe they too could serve as educational tools, somewhat like the Rego style guide. The problem with documentation, of course, and I've written a lot of docs in my days, is that it requires that you know what to look for, and this is particularly difficult with Rego and other programming languages which might not be like the traditional C-based or JavaScript things, that are from a bit of a different paradigm.

So you might not even know what to search for. That is one problem with documentation: if you haven't heard of a concept before, how would you know what to search for? And another problem with docs is of course this constant switching of context, where you write something and then you hop out into the docs and then hop back, and so on.

Linters, on the other hand, catch possible bugs, mistakes and style issues without you having to actually do anything. You just write some code and then you run the linter, or even have it integrated in your editor, and it will just tell you what you did. The only thing you will need to do is of course to write code containing possible bugs, mistakes and style issues; that is the easy part. And I think this is a great opportunity for us to teach, and a great opportunity to learn.

One way of doing this is of course to maybe link these two concepts, so whenever we report an issue: you did something, look back at the style guide, this is how I did it there, and link to something like that. Don't just say that something is wrong or that you did something wrong, but explain why and how you can make something better. So basically the question is: could we automate the Rego style guide? Rather than have our users browse through that whole document, could we have a tool that would just tell you if you did something that was not in alignment with the style guide?

Another inspiration here is hadolint. I don't know, has anyone used that? No one used that? It's a linter for Dockerfiles. I don't really use Docker that much for work, but when I do use Docker I'm sure I make a lot of mistakes, because I don't use Docker that much. So whenever I write a Dockerfile, this is a great tool for me, because I too can't be bothered reading through all the Docker docs. So rather, when I do something like this, I say in my Dockerfile, let's say, apt-get install, and hadolint will tell me there is a -y flag that you should use here, because if you're not using that, the tool might ask you if you really want to do this, which isn't great in an automated process of course. So this is great, I love this. So that was another source of

inspiration. So why Rego then? I figured that most users of OPA and Rego are probably familiar with the language, so that would make it easier for them to contribute. I also wanted to allow users to write their own custom rules for their own team or organization, because these types of style guides are often highly opinionated. So it means of course that you might be able to disable rules, but you also might want to customize them or write your own.

Rego, however: Rego evaluation works with JSON. As you saw, we had some JSON input. It doesn't work with Rego itself. However, the Rego abstract syntax tree... is everyone familiar with what an abstract syntax tree is? Yep, a few hands up. Yeah, so it's basically a low-level representation of code which is easier to parse and digest programmatically. So we can extract from a policy the abstract syntax tree as JSON, and voilà, now we can actually send that into OPA and treat Rego policies like any other JSON input, and write policy on policy.

Some challenges of using Rego in this context: Rego does not allow recursion, so some things you might want to do in a linter turned out to be quite problematic. There's a walk built-in function though, so there are some ways to traverse a tree. Originally we didn't have location data in this output. It was just JSON that said, like, here's a function, here's its arguments, and so on, and if you're writing a linter it's fairly useless to tell someone: you made a mistake, I don't know where it is, or I can't tell you where it is, but somewhere in your code you've made a mistake. You obviously want to provide a location. That was fixed some time ago by Charlie over there, so thanks Charlie; that kind of enabled us to move on with this project. Another problem is of course that if you only want to use OPA for linting, you're going to need to use a general-purpose tool which is not really made for this. We don't have a nice UI for linting, and so on. So those were some of the challenges.

Okay, a quick demo here. I think I can actually hold the mic here. Coming back to this policy, just try and memorize what it looks like, and I'm going to try and say opa parse; let's see what that looks like as an AST. Hard writing with only one hand.

Okay, so if we extract the abstract syntax tree it's going to look something like this. We have a package declaration, as we had in the policy, and then we have a number of rules. We had a default rule which said that by default things should be false, allow should be false, and then we had another rule where we went down into input.user.roles and looped over that. So if you think this doesn't really look readable, that's all right; it's not really meant to be read by us, but this is perfect for a linter or other tools that scan code programmatically. So that's basically what the AST looks like; you have an idea.

So with all that, we are ready to introduce Regal, with the goal of making Rego magnificent. So what Regal provides: it's a standalone binary for linting Rego, based on the AST presented just now. The goals of the project are to identify common mistakes, bugs and inefficiencies in Rego policies and suggest better approaches; to provide advice on best practices, coding style and tooling; and to allow users, teams and organizations to enforce custom rules for their own use. We basically want to be the guardian of the guardrails. And this tool was released, I think, two hours ago for the London CNCF Meetup, so you are the first to hear about it, and I'm sure the first to download it once we're done here.

So far we have about 30 lint rules. Each of these linter rules is accompanied by detailed documentation, to help catch bugs but also to teach Rego, and to teach best practices and good coding style. Custom configuration is there already, so you can say: I don't agree with this opinionated rule, I want to disable that for my repository. It's also possible to ignore single violations with a comment directive. Custom rules can be provided by the user as well, if they want their own; we provide a few different helper functions to help you write custom policy. Different output formats: for now we have a pretty one, a compact format, and JSON if you want to process this further programmatically. And finally, rules may optionally be written in Go as well. Okay, so I think for this I could use

somebody to just hold my microphone. The orange mic, yeah. I think you might have to bend over a bit with this one though. It's not very cool, I just talk into that? Okay, yeah, it works. Oh, it actually works.

Okay, so what I have here is another example of a policy, very similar in nature to what we wrote, but the logic here is kind of inverted: we'd rather say deny, and we deny if admin is not in input.user.roles. Okay, so, fairly simple policy. What does Regal think about this? So if we say regal lint on this, I see three violations reported. It says, first of all, you're using the not-equals operator in a loop, which is probably not what you want. You're using an implicit import; prefer to use explicit future keyword imports, and I'm going to go through this later. And also, prefer using := over = for assignment. So you might not understand why; that's fine, that's the whole purpose of this tool. So what we want to provide here for the users, of course, is: why should I not use not-equals in a loop?

So again, inspired by hadolint, something like this: what you should avoid, and what you should rather use. In this case you can just say deny if there's not an admin in input.user.roles, and there's a long rationale here. I don't think I need to go through all of this, but I think you all see the point and the benefit of this model. I made a mistake, and I'm immediately not just told that I made a mistake, but I can also learn something from this. So a linter and a learning tool all in one. All right, back to the microphone.

Okay, so what's on the roadmap then? Obviously more rules; we have 30 so far. It's already a useful tool. I have run it against some of the larger policy repos on GitHub and it has already caught a few bugs. We want to add a category for customizable rules, so even the rules that we provide should be more customizable. Simplify the custom rules offering by providing command-line scaffolding, so if you want to write your own rules we should just provide you with something that gives you all the boilerplate and so on, so you can just focus on writing your custom rules. Utilities for writing rules that can't be enforced using the AST alone; there are some things that might not easily be represented in an AST, or where you might need data from elsewhere. Having more rules consider nested AST constructs; some of these rules currently don't traverse into nested constructs. A GitHub Action is also something I really want to do, so you can get this type of advice in your pull requests and so on. And a VS Code extension.

Okay, so I have one ask here. Since we just released this project, if you can help kickstart the project by visiting the project site and giving the project a star, I'd be very delighted. I'm going to give you all a minute, or not, but a few seconds. Any questions while we do so? One up there.

Does Rego have a ...

It does not, it is not yet. It's been another one of these projects that I've been waiting two and a half years to do. The linter came first, but who knows, maybe I'll be here in three years and talk about the language server that I wrote.

The location problem of ...

Yep, all right, that was actually fixed in OPA itself, since we needed this for Regal. So OPA now optionally provides location in the abstract syntax tree. That was it. Any other questions? No? Pause. Okay, thanks.

Put up the questions again, so let's give a couple of minutes, and if you have any questions, feel free to submit them. If not, you can look at that beautiful view outside. Look at that. Can I give you this microphone so it's recorded for the thing? All right, thanks.

I just wondered what you caught using it, anything yet?

Sorry, yeah, like I said, I tried to use it just for testing basically. I ran it against some of the larger policy repositories out there. I'm not going to name any names here, not naming and shaming, but yeah, it did find a few bugs. I think only one was more or less serious, but of course it found a lot of issues in style and so on. And another thing: since we've added a lot of new features, there's also a lot of code that does not take that into account, so the linter will tell you about that as well, so you can make your code more idiomatic. So I'd say it's going to find way more bugs; we still only have 30 rules too.

Does it provide options for formatting the results of the linter? So for example, wanting the results to be in JSON instead of the thing that you showed earlier, or instead of that table?

Yes, it does. You have three output formats: the table format, there's a more compact one, and there's also JSON.

Yeah, thanks very much.
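The two policies from the demo above (the default-false allow rule, and the inverted deny rule that Regal flags for using not-equals inside a loop) written out in full, with an OPA unit test that shows why the flagged form is a real bug and not just a style issue. This is an added example by the editor, not code from the talk or from the Regal project. It assumes an OPA version that supports the `future.keywords` imports (`if` and `in`); the package name `policy`, the rule name `deny_buggy` and the sample inputs are the editor's own.

```rego
# policy.rego
# Added example (editor's own, not from the talk or the Regal repository).
package policy

import future.keywords.if
import future.keywords.in

# Sensible default for an authorization policy: deny unless a rule proves otherwise.
default allow := false

# allow is true if "admin" is one of the roles in the input document.
allow if "admin" in input.user.roles

# The inverted policy from the Regal demo, kept here to show the mistake.
# The body is satisfied whenever ANY role is not "admin", so a user whose
# roles are ["admin", "dev"] is denied. This is what the not-equals-in-loop
# lint rule is warning about.
deny_buggy if {
	input.user.roles[_] != "admin"
}

# What Regal suggests instead: deny when "admin" is absent from the roles.
deny if not "admin" in input.user.roles

# policy_test.rego (separate file; run with: opa test .)
package policy_test

import future.keywords.if

import data.policy

test_admin_allowed if {
	policy.allow with input as {"user": {"roles": ["admin"]}}
}

test_viewer_denied if {
	not policy.allow with input as {"user": {"roles": ["viewer"]}}
	policy.deny with input as {"user": {"roles": ["viewer"]}}
}

# Constructed input that exposes the bug: an admin with one extra role is
# denied by the buggy rule but correctly not denied by the fixed one.
test_buggy_rule_denies_admin_with_extra_role if {
	policy.deny_buggy with input as {"user": {"roles": ["admin", "dev"]}}
	not policy.deny with input as {"user": {"roles": ["admin", "dev"]}}
}
```

Put the two files in one directory and run `opa test .`; all three tests should pass, the last one precisely because `deny_buggy` misbehaves. `opa parse --format json policy.rego` prints the JSON AST that the talk shows and that Regal lints, and `regal lint policy.rego` should report the `deny_buggy` rule.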

Thank you. How exciting to have a world first premiere at our meetup. Okay, we're going to take a break now. We're going to take a 15-minute break, come back at eight o'clock. Feel free to go up and grab any remaining drinks or pizza. I'll see you at eight. Okay.


Come on down, please get seated, we're going to kick off in just a moment. Something I forgot to mention earlier, but I want to tell you now: next month's Cloud Native London is going to be our sixth anniversary, so hopefully I'll see you there. We might put on some cake and some little fun stuff, especially because last year, the fifth anniversary, we didn't do anything, because it was still the end of the pandemic. So come along next month and celebrate with me. All right, I'm going to hand over now to Bartek, who's going to present to us our third talk of the evening, so a round of applause please.

Thank you. Okay, hi everyone, thank you for having me. I'm super glad I have a chance to be here, and this is actually the first time for me at the Cloud Native London meetup. Today I want to talk about platform engineering in the cloud repatriation era, and this presentation is actually based on our internal studies. Together with my colleague we spent some time analyzing the subject, and we are planning to publish a comprehensive paper in this space, let's say. But first I thought it might be interesting to share a few concepts with you. Of course we have very limited time, just half an hour, so we can barely scratch the surface, but if you are interested in platform engineering I'm more than happy to have a follow-up conversation with you after the session.

So without further ado, my name is Bartek Antoniak. I'm head of cloud engineering at VirtusLab. We are a software engineering services company from Poland, from Kraków specifically, and we help our clients with digital transformation in areas of cloud, of course, data analytics, data engineering, application development, dev tooling; basically we have a holistic approach to technology and business problems. Myself, I operate at the crossroads of engineering, management and leadership, which means I basically help to steer and grow the cloud line of business in the company. On the other hand, I help clients to navigate this complex cloud native technology landscape, and this usually involves areas such as Kubernetes as core infrastructure, automation, platforms of course, and designing all of that at scale. I specialize in navigating complex enterprise environments with multiple stakeholders, big projects, multiple teams to align, and sometimes even conflicting incentives. It's challenging of course, but I somehow find this interesting, because small problems in a small or medium-sized company are relatively easy to solve, but small problems in a big company, this is a completely different game. Besides that, I build and manage engineering teams, and for the last six years I was involved in building and shaping platform engineering efforts in various forms, ranging from single-tenant to multi-tenant platforms, from heavily centralized architecture to decentralized and distributed architectures, and more.

Today I want to talk about our journey from infrastructure baseline to developer community to its current state of platform engineering, and I'll highlight a few benefits of managed platforms over the do-it-yourself approach, and how enabling teams can seamlessly integrate in platform engineering. The second part of the presentation focuses on what we actually did to help application teams in the public cloud, what's the way going forward in terms of cloud repatriation, and how platform engineering can be effectively implemented in a moment of cost optimization, economic downturn, or repatriating workloads back on-prem. I also wanted to share a few insights on what we see in the industry, what we hear from our clients, and how they basically find themselves in the current difficult situation. This will hopefully give us enough context to reason about where we go from here.

So I would like to start with the following statement: successful companies invest in platform engineering, because spinning up production-grade infrastructure is a significant effort which can take up to even six months, depending on your expertise and on the structure of the organization. On the other hand, you need to take into consideration ongoing costs in terms of maintenance, keeping up with the latest changes in technology and procedures. By bridging the gap between the application and infrastructure space and creating a sense of community, we basically increase productivity and we increase the collaboration between application teams. Also, having a dedicated space for developers to show their work and exchange some ideas boosts their agency, which is quite important these days given how hard it is to find talent on the market. And finally, platform engineering doesn't have to be a story of engineering excellence; instead it can be a story of minimizing downtime and maximizing productivity, where with a relatively small platform that is opinionated, that's one thing, we can see positive results early on. We don't have to build a fully blown platform with like 20 different capabilities from day one.

This slide represents our journey. Roughly in 2016 we joined an application team, and that was the time when cloud native was actually getting more traction and these technologies weren't really mature. Our mission was to help this team overcome some challenges in the area of infrastructure reliability; basically our mission was to minimize downtime, and this goal was achieved by designing highly available architectures with multi-region traffic failover, disaster recovery, and also launching the very first Kubernetes installation at the company. Of course the second step was to automate all of that using common infrastructure-as-code tooling, and with the current scale of the organization, assuming almost 2,000 developers, we came up with the idea that probably there are a number of teams that can benefit from our work. So later on we decided to put more emphasis on infrastructure standardization, on compliance, and basically on distributing these automation components across the entire organization, which means we launched an internal open source initiative alongside technical documentation and a contribution model, so developers could basically issue a pull request, add some tests, contribute missing capabilities, fix some issues. This has been adopted by the majority of application teams in the public cloud, and we saw significant success.

However, we also saw a lot of challenges, initially related to people struggling to connect the dots. Basically these people didn't know how to glue everything together, how to combine all these building blocks and provision production-ready infrastructure, even when they had ready-to-use infrastructure modules. So we decided to build a reference architecture; that was the next step in our evolutionary approach. We basically baselined the infrastructure, including very comprehensive documentation about different networking layers, traffic management, tenancy options, deployment strategies, and that was a good starting point for most of the teams who were relatively new to the cloud. But we faced another challenge: it was very difficult to keep up with the latest changes in the technology, incorporate new capabilities from the public cloud, and manage the life cycle of the infrastructure in general. So by this time we started having conversations about centralizing all of that and providing a managed service for our application teams, and this is where we are at the moment. This also puts us in a very comfortable situation, because we can share actual knowledge even outside of the platform, outside of the internal open source initiative; we can show some deployment patterns, we can show what good looks like, and people across the entire organization benefit from this.

And this is one of the data points from our projects. As you can see, almost 50 percent of Kubernetes clusters are out of support in terms of compliance, version, in terms of some policies, and of course this creates a significant risk of accidental downtime when dealing with some backward-incompatible changes, or there is not enough confidence in keeping this up to date. The scale was quite significant, not to mention the security risk related to old software versions.

So in such a case it's worth thinking about platform engineering as an answer to these kinds of challenges. Especially in recent years, DevOps became a de facto standard in the industry with the "you build it, you own it" approach; however, it didn't scale, because it required specialized talent that is very hard to find and very expensive to retain, and the bigger the organization, the more duplication of effort we see, and teams are basically doing the same things in a slightly different way. Of course the do-it-yourself approach might be tempting at first, because you have this illusion of control: you know what to do, you make your own technology choices. But soon after, it becomes an uphill battle of keeping up with network changes, landing zone changes, changing authorization mechanisms in Kubernetes, and many other examples like that. The middle step might be the paved path to production with do-it-yourself models, so teams actually have a sensible level of autonomy; however, they use consistent tooling, consistent design patterns in the cloud, they follow some standards in terms of disaster recovery times, security standards such as encryption protocols, availability requirements depending on the application tier. This is, I would say, good enough for an organization which is mature in terms of its engineering capability, where teams know what to do and the scale is not too big. In contrast, relying on platform engineering expertise can reduce the lead time to production significantly, and this metric is becoming the de facto leading metric these days, assuming the increasing load on engineering. Also the centralized approach matters because we benefit from the economy of scale in terms of costs, in terms of operational excellence, in terms of consistent technology choices and security. And of course this is all about trade-offs, and as you can see this might even be presented as a spectrum of control versus autonomy, and companies need to find the right balance within it.

I assume most of you are already familiar with the concept of team topologies and enabling teams. For those of you who hear about this for the first time, a very brief introduction: the Team Topologies book describes a few interaction modes, how teams can work with each other effectively. A stream-aligned team is an application team that is focusing on business value. An enabling team helps the stream-aligned team to overcome obstacles and facilitate the flow of work. A complicated-subsystem team is involved when specialized knowledge is required; for example, it might be a networking team or a security team. And the platform team is responsible for providing a solid foundation for the stream-aligned team to do its work effectively.

Speaking of platform engineering and structuring this properly, I believe the enabling team can be part of the platform team; it doesn't have to be a separate team. With a relatively small group of people we can deal with skills gaps within the organization, as long as we dedicate enough time as part of our day-to-day work to help other teams, besides developing new platform features. Enabling teams can be introduced in three steps. The first step is about cooperating and knowledge sharing. This usually happens at the early stage of the onboarding process, where we need to understand the problem space: what kind of challenges our application teams have, what about external integrations. Every team will be grateful for this kind of help, because no team can spare much time helping other teams, especially in a big organization, because it's always done on a best-effort basis. The second step is to support the migration process, and of course the most anticipated direction is from do-it-yourself to the managed platform. Without this kind of support, teams will probably face issues for the first time, and collectively multiple teams will face the same issue over and over, which is a pure waste of time. The last step is to make sure we have a solid design in place, we keep the lights on, and we help our application teams to productionize their setup in the platform. This usually involves multiple areas such as disaster recovery, especially alongside deployment automation, so you really need to make sure application teams can redeploy everything from code at any time; they have a release management structure in place, including environment promotion and versioning of artifacts; and also security needs to be at the right level.

This might work using a virtual team pattern; that's something that worked for us pretty well. As an example, I can say that we dedicated two engineers from the platform team to help the Nexus team figure out the reference architecture and a highly available architecture of Nexus at scale within the organization. They spent a month trying to resolve all external dependencies and showstoppers, and they came up with an idea of how Nexus can be run on top of Kubernetes at scale within a month, including deployment automation and a PoC. As a result, the platform team identified some friction points, identified some bottlenecks and what can be improved over time, so this is also a learning opportunity for the platform team. Moving on.

What have we actually done in the public cloud to help application teams? As already mentioned, at the beginning of our journey we realized that a centralized platform might be an answer to this environment, and also it has been proved by our internal study, which shows that application teams spend more time managing infrastructure than creating new features. I know it might be a bold statement, but this is the actual truth of what happened in our scenario. And we run our platform as a product. By "as a product" I mean that we have a product organization; we have dedicated product managers within the team who are working with the product strategy, vision and value proposition, and trying to understand what users actually need, with a sufficient level of transparency. In terms of capabilities, we of course provide Kubernetes that is highly compliant, with seamless upgrades and lifecycle management. This is really important because teams don't usually have confidence in doing this, and this is probably the most complex activity in platform engineering. Out-of-the-box integrations: the platform needs to be piped into the existing technology landscape within the organization, and based on my experience technology integrations are the most time-consuming activities, because of existing infrastructure toil, because of ticket-driven processes, and it's repeatable: every time we create a new app or build a new team, we duplicate the effort. And of course secret management, security hardening and incident management are quite important, together with engineering support; especially if you want to support a tier-one application in the platform, it needs a 24/7 on-call structure and some reference materials to help teams navigate in this space.

This is the high-level architecture of the platform. Of course I'm not going to spend too much time on this, because this could be a separate talk; I would rather highlight a few design considerations.

First of all, we have multi-region active-active Kubernetes clusters, and we have declarative configuration using the custom resource definition format; that's something we discussed as part of the first presentation today. This design is quite important to us because instead of building a heavy abstraction on top of Kubernetes, which is hard to maintain and will probably become complicated later, we can instead rely on open standards in technology and use the existing API in terms of authorization and API schema, and teams can interact with the platform using a declarative format: they can specify some environment spec, they can enable and disable features, and this can be automated. The next thing is policy compliance with Gatekeeper and OPA; that's also the subject of the second presentation. It's a shame we are not using Styra's paid product, but we are doing good with Gatekeeper, and I have to admit these are early days, so probably we might face some challenges and we'll reach out to you for some help, and maybe there will be some business opportunity as well, especially if you want to expand this beyond the Kubernetes environment. Basically, we provide a safe environment for application teams so they are not making any silly mistakes, and we enforce or ensure the quality standards in the platform. CI/CD: typical stuff. What might be interesting for you is that we use Argo, and Argo CD is part of the platform, pre-installed and pre-configured, so teams consume this as a service, and we also use Argo CD internally for managing platform components across the fleet of Kubernetes clusters. Ingress: typical layer 7, API gateway, DNS and CDN for an additional protection layer, nothing special. Real-time observability: the main reason why we use self-hosted Prometheus, Grafana and Thanos is that we really need to have real-time monitoring, and we don't want to push data outside of the cloud to use some external SaaS, which is very costly especially these days; rather, we use pull-based monitoring, so we control the amount of data. And the control plane: this picture represents one team's environment only, so this is a single-tenant architecture. We allocate this environment to a single team, or they can share it with multiple teams under the same directorate or under the same line of business if they want, but this is flexible. The control plane is responsible for managing the lifecycle of these environments; it can manage up to 20 environments like that in one cloud account, but of course it depends on the blast radius, security requirements or some isolation techniques.

okay let’s talk about cloud repatriation or economic downturn probably some of

you already heard about that there is a lot of noise on the internet and for

those of you who hear about this the first time Cloud repatriation means moving workloads from public Cloud to

private Cloud because it’s cheaper at least this is the um

um this is the perspective and and of course um costs in the cloud were overlooked in

the past and now uh you know the current economic situation gives uh some sense of urgency

um but to be honest with you um I couldn’t find any relevant example of

complete successful Cloud repatriation at scale

um of course everything started with a base camp and why we are leaving the cloud but base camp it might be a good

example but this is medium-sized company and of course they can benefit from that

apart from that we see of course the slowdown in terms of the cloud spend um

Cloud providers are reporting less and less Revenue each quarter

and and this Cloud repatriation thinks um create a lot of challenges or

opportunities uh depending how you look at this in in platform engineering because we are currently in a position

that we have platform in the public Cloud we’ve we have a good traction uh

solid foundation and the question is is this platform still relevant is it worth investment

um so we built another platform on-prem in the edge uh how we gonna decide on

the workload placement so what which workload can benefit from the public cloud or private Cloud this is not that

easy as you can imagine we had very long discussion on this subject and how to avoid disruption related to another

significant signifi signifi significant sorry migration effort uh because this will

probably result in re-platforming of applications and it’s hard to predict how much time this will take and whether

we are ready and how to keep consistent operating model between private and public cloud and how to make consistent

technology choices just to not end up in a situation where we have two platforms

and a diversity and completely different directions so um

by so platform engineering efforts can be divided into private and private

private and public Cloud offerings where we have specialized platforms that are focusing on this special use cases and

this unlocks an additional value and of course public Cloud gives us flexibility

scalability um leading reliability we have instant access to manage services we have

instant access to some specialized Hardware on the other hand private cloud is predictable in terms of costs

um and also it’s better standardized in terms of the managed Services because we can have a

selected offering and we don’t we don’t have to consume like 10 different uh data stores from

the public cloud and by focusing on unique characteristics of the workload it can

be determined whether this can benefit from public and private cloud and this is the exercise we did together with my

team to understand what what factors play important role when deciding which

workload should stay in the public or go to the private cloud and in the public cloud of course we have the requirement

of high reliability uh the workload needs to be scaled sometimes frequently

depending on the spikes uh it has to be replicated through regions availability zones and also

there is a probably tight coupling with some external Services managed services in the public Cloud which are very

expensive or even not possible to run on-prem the good example might be distributed data store on the other hand

private Cloud workload requires a standard reliability a stable load

requires minimal replication and doesn’t have much much external dependencies

And what we see in the industry: first of all, I would say cloud repatriation is not something that happened as a global strategy, and we observe that the hybrid cloud scenario is becoming more visible these days, and companies put a lot of effort into finally figuring out their strategy in this space. So this is not wishful thinking; this is actually happening at the moment. What mostly differentiates these strategies is the level of centralization and the proportion of workloads that benefit from the public or private cloud. The first example is from a leading e-commerce company in Europe. They use the public cloud only for elasticity, for reliability, especially in moments of spikes, Cyber Monday, Black Monday and so on, and they have very centralized infrastructure in terms of release management: all teams use one centralized instance of a CI/CD tool to deploy their services in a consistent, repeatable way, and this allows them to control, for example, change freezes during peak time. They also have some self-service capabilities in the infrastructure space, so teams are not usually building infrastructure themselves; they request a Kubernetes cluster, a data store and other services, and it's managed for them. They introduced a developer portal, this is Backstage, as a central place for documentation, a service catalog and a teams catalog, and they put a strong emphasis on running self-hosted services instead of using managed services from the cloud, because of extensibility as the main use case. The second example is from a global logistics company which we work with, and they decided to move workloads from the private to the public cloud to achieve better availability and scale this business globally. They also have very centralized infrastructure in the area of networking and also in the area of cloud resources, so teams usually don't have a do-it-yourself approach; it's possible, but this requires an exception. As a default, they request a cloud account, which is pre-created and managed by the central infrastructure team. The last example is from a leading retail company, and they recently decided to optimize the cloud spend and move the majority of the workloads to the private cloud, using platform engineering as a foundation for building a consistent operating model between private and public cloud. They have product-led engineering, which means that there is a dedicated product organization working with application teams and infrastructure, bridging this gap, and there is a lot of effort in the area of engineering effectiveness, because having two platforms, different technology stacks and different tooling, it needs to be either abstracted or well documented or facilitated somehow.

So where do we go from here? I would say that platform engineering is becoming even more essential these days for companies who want to optimize costs, who want to benefit from the economy of scale, who want to standardize everything across the stack, and that's why companies start developing hybrid cloud strategies. It's finally possible with today's technologies: we have Google Anthos, Tanzu Kubernetes Grid, we have Azure Arc, AWS Outposts, so we finally can have the same cloud-like experience on-prem. And a small voice of reason at the end of the presentation: companies must be very careful to not overspend again when repatriating workloads from public to private cloud, because this will result in some unpredictable work that is hard to measure and hard to predict. So this is pretty much it. Thank you very much for listening.

And I believe we will have time for a question or two. Let's go for a question right away.

Thank you very much, by the way, for the presentation. I wanted to ask something. You said, for example, companies nowadays are using different cloud strategies for different times of the year, let's say, for example, different economic conditions or otherwise. So does that mean, do we think that going ahead in the future it might be as simple as, for example, a company might have, let's say, a cloud which I've spun out quite heavily, okay, complete, total push, and then as the economic position changes for any sort of reason, they switch to the other model? Is that right, is that what you're saying?

I would say there is an appetite to have a hybrid approach, where they have like two pillars, and they are not dependent on the cloud, they are not dependent on the private cloud as well, and they have a cloud-like experience. So again, I was talking a lot about a consistent operating model in the cloud and on-prem, and if we achieve this level of consistency, it actually doesn't matter whether we use public cloud or private cloud. And most of these solutions are built in-house, so there is also, based on my impression of course, the companies are very distant from investing only in SaaS or off-the-shelf products, and in most cases these platforms are custom and emerge within the context of the organization. I hope this answers your question.

Thanks. Okay, we're going to wrap up there because we're a couple of minutes over time. Once more, please, a round of applause. Okay, I'd say thank you very much to all of our speakers for this evening, and thank you so much to you for coming along. Come along next month; it will be our sixth birthday, the sixth anniversary of the Cloud Native London meetup, so I hope I will see you there. We will go downstairs to the Conductor pub, which is just out the door and forwards on your left, if you want to come and stay and hang out a little bit more. Otherwise, have a very good night, take care.

Sorry, there were a couple of questions that came up, but... Yeah, yeah, some of the Swedish challenges. Yeah, yeah. Half an hour, yeah. Yeah, thank you for giving this talk at least. We're trying to be more visible and try to, you know, show up. Thank you, thank you, amazing, thank you. Thank you so much.