Building Kubernetes images at scale with Tanzu Build Service
- 1. Confidential │ ©2020 VMware, Inc.
Building Kubernetes
images at scale
With Tanzu Build Service
May 2020
Alexandre Roman
Solution Engineer, VMware Tanzu
- 2.
Alexandre Roman
Solution Engineer, VMware Tanzu
@Alexandre_Roman
/alexandreroman
- 3.
Agenda
Building a secure software supply chain
Leveraging Tanzu Build Service
How Build Service fits in the Tanzu portfolio
Modernize your applications
Live demos
Look ma: no Dockerfile!
- 4.
Building a secure software
supply chain
Leveraging Tanzu Build Service
- 9.
Typical NodeJS app: everything works just fine
Built with a custom base image
Base OS image:
    FROM alpine
    RUN apk add --update openssl
    ...
NodeJS:
    FROM baseimage
    RUN apt-get install nodejs
    ...
App:
    FROM nodejs
    COPY myapp .
    RUN npm install
    ...
- 10.
Until that day...
A new critical CVE is made public
Base OS image (flagged: affected by the new CVE):
    FROM alpine
    RUN apk add --update openssl
    ...
NodeJS:
    FROM baseimage
    RUN apt-get install nodejs
    ...
App:
    FROM nodejs
    COPY myapp .
    RUN npm install
    ...
- 11.
How long does it take to fix all these containers?
What if you had to update 200+ containers at once?
- 13.
Dockerfiles: done wrong
Individually managed
App #1: Custom NodeJS on Ubuntu Trusty
App #2: NodeJS RPM on CentOS
App #3: Official NodeJS on Alpine
App #4: Patched NodeJS, base abc768c
ETA to mitigation: months, years…?
- 14.
Dockerfiles: done right
Operator managed
App #1: Corp NodeJS on Ubuntu Trusty
App #2: Corp NodeJS on Ubuntu Trusty
App #3: Corp NodeJS on Ubuntu Trusty
App #4: Corp NodeJS on Ubuntu Trusty
ETA to mitigation: time to re-build, re-test, re-deploy these apps
- 17.
Introducing Cloud Native Buildpacks
An API for creating pluggable, modular tools that
translate source code into OCI images
Goals
❏ Portability via the OCI standard
❏ Greater modularity
❏ Faster builds
❏ Reproducible image builds
❏ Unprivileged containers
❏ Widely adopted standard
An easy way to build Docker images
- 20.
What happens when you build a container with buildpacks
Lifecycle: detect → restore → analyze → build → export → cache
- 21.
What happens when you build a container with buildpacks
Lifecycle: Detect
➔ Tests groups of buildpacks against source, in order
(via each buildpack’s detect binary)
➔ First group that passes is selected
Example groups tested in order: [Node CNB, NPM CNB], [Node CNB, Yarn CNB]
Source tree: src/ (package.json, yarn.lock, ...)
- 22.
What happens when you build a container with buildpacks
Lifecycle: Restore & Analyze
➔ Analyze: metadata about OCI layers generated during a previous build is made available to buildpacks
- 23.
What happens when you build a container with buildpacks
Lifecycle: Build
➔ For the previously-selected group, executes each buildpack’s build executable in order
Source tree: src/ (package.json, yarn.lock, ...)
- 24.
What happens when you build a container with buildpacks
Lifecycle: Export & Cache
➔ Assembles final layers into image
➔ Combines information from the analyze phase to ensure only changed layers are updated
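To make the detect and export phases concrete, here is an added Python simulation (not code from the deck, the CNB lifecycle or kpack) of two rules stated on the slides: groups are tested in order and the first group whose buildpacks all pass is selected, and export pushes only layers whose digest differs from the metadata the analyze phase restored. The buildpacks, the builder order, the file lists and the layer contents are all constructed sample data.

```python
import hashlib
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed buildpacks: each "detect binary" is modelled as a predicate over
# the file names in the source tree (the real lifecycle runs an executable).
BUILDPACKS: Dict[str, Callable[[Set[str]], bool]] = {
    "node": lambda files: "package.json" in files,
    "npm": lambda files: "package.json" in files and "yarn.lock" not in files,
    "yarn": lambda files: "yarn.lock" in files,
}

# Constructed builder order: groups are tried top to bottom.
BUILDER_ORDER: List[List[str]] = [["node", "npm"], ["node", "yarn"]]


def detect(files: Set[str], order: List[List[str]] = BUILDER_ORDER) -> Optional[List[str]]:
    """Detect phase: every buildpack in a group must pass; the first passing
    group wins, so the group order decides which toolchain builds the app."""
    for group in order:
        if all(BUILDPACKS[bp](files) for bp in group):
            return group
    return None  # no group applies: the build stops before anything runs


def layer_digest(content: bytes) -> str:
    """OCI layers are content-addressed; the digest is what analyze records."""
    return "sha256:" + hashlib.sha256(content).hexdigest()


def export(layers: Dict[str, bytes], previous: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Export phase: compare each new layer with the digest restored from the
    previous image; only layers whose digest changed are pushed, the others
    are reused as-is from the registry."""
    manifest = {name: layer_digest(data) for name, data in layers.items()}
    changed = [name for name, digest in manifest.items() if previous.get(name) != digest]
    return manifest, changed


if __name__ == "__main__":
    src = {"package.json", "yarn.lock", "index.js"}
    print("selected group:", detect(src))  # ['node', 'yarn']
    first, pushed = export({"node_modules": b"deps-v1", "app": b"app-v1"}, {})
    print("first build pushes:", pushed)  # both layers
    _, pushed = export({"node_modules": b"deps-v1", "app": b"app-v2"}, first)
    print("rebuild after an app change pushes:", pushed)  # ['app']
```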
- 26.
Take control of your container image supply chain
Introducing Tanzu Build Service
What Tanzu Build Service assembles:
➔ Stack: base image, regularly patched
➔ Buildpacks: provide middleware, modular, dictate image layers
➔ Your application: broad language support, built from source
What Tanzu Build Service integrates with:
➔ OCI runtime platforms
➔ Image repositories
➔ Security scanning
➔ CI/CD pipelines
➔ Enterprise delivery toolchain
- 27.
Leveraging open-source components
Tanzu Build Service is a kpack distribution tailored for enterprise needs
kpack → Build Service, powered by Tanzu buildpacks
- 28.
Hello Tanzu Build Service
Declarative Configuration Model:
➔ Tell Build Service what you want your app to look like by creating an image configuration, and Build Service will build against it and keep it up to date when new dependencies are available.
What you need to do to build an image (myapp-image.yml):
    source:
      git:
        url: https://github.com/alexandreroman/myapp.git
        revision: master
    build:
      env:
      - name: BP_JAVA_VERSION
        value: 11.*
    image:
      tag: harbor.withtanzu.com/alexandreroman/myapp
Then apply it:
    $ pb image apply -f myapp-image.yml
- 29.
Build Service nicely fits in your existing pipeline
Add Tanzu Build Service to your CI/CD workflow
Compile and run tests with your existing tool:
Jenkins / GitLab / Concourse / etc
- 30.
How Build Service fits in the Tanzu portfolio
Modernize your applications
- 31.
VMware Tanzu + Pivotal Labs
Comprehensive stack to modernize your applications
BUILD: Dev Framework (Spring), Tanzu Build Service, Tanzu Application Catalog (powered by Bitnami)
RUN: Application Runtime (Tanzu Application Service), Modern Infrastructure (Tanzu Kubernetes Grid | PKS) on VCF, VMC, Public Cloud, Edge
MANAGE: Tanzu Mission Control, Wavefront
Pivotal Labs services
- 33.
Resources
It’s dangerous to go alone: take this!
Source code:
➔ github.com/alexandreroman/cnb-springboot
➔ github.com/alexandreroman/cnb-nodejs
➔ github.com/alexandreroman/cnb-javawar
➔ github.com/alexandreroman/cnb-php
➔ github.com/alexandreroman/kpack-at-scale-demo
Let’s keep in touch!
Sources:
➔ The Heartbleed Bug
➔ NSA Said to Have Used Heartbleed Bug, Exposing Consumers
➔ Oracle JRE : Security Vulnerabilities Published In 2019
➔ Top ten Docker images contain over 8000 vulnerable paths
Evaluate kpack / Tanzu Build Service:
➔ github.com/pivotal/kpack
➔ tanzu.vmware.com/build-service
@Alexandre_Roman
/alexandreroman
- 34.
Want more?
I’ve got you covered
➔ Using Tanzu Kubernetes Grid to Deploy Kubernetes with Ease: May 13th
➔ Tanzu Observability for Spring Boot Applications: May 19th
➔ Reactive Spring Virtual Workshop: May 20th
➔ SpringOne 2020 Virtual Event: starting September 2nd