Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Red Hat OpenShift / Japan 2020 | OpenShift Commons Gathering / 10 Dec 2020
Red Hat OpenShift / Japan 2020 | OpenShift Commons Gathering / 10 Dec 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: BS2 4 日本マイクロソフト 大溝様 日本ヒューレット・パッカード 惣道様

Description

OpenShift Commons Gathering Japan 20200
December 10, 2020
https://commons.openshift.org/gatherings/Japan_OpenShift_Commons_Gathering_2020.html

A

Today, I would like to hold a session with Mr. Tetsuya Sword of Hewlett Packer Japan and Mr. Tetsuya Sword of Japan Co., Ltd. and Sakura Miso of Microsoft Japan Co., Ltd. on the theme of architecture for safe and secure use of OpenShift in the public cloud.

A

Red Hat has been partnering with Microsoft for about five years now to provide it on Mazuru,, especially with regard to OpenShift, Coober Netis' distribution for enterprises. In addition,. We are collaborating with hpe as a partner to support the introduction of the product,, and we.

A

Have formed a cooperative system with three companies, red hat and Microsoft hp.

A

First of all, I would like to introduce Red Hat OpenShift in the first half, and in the second half, I would like to hear from Mitsusan about the rihwa racer architecture.

A

Those of you, who have already listened to this session may already know about the couvermetis platform,, but OpenShift is a cloud service function that is added to cubanaitis.

A

Azure, red hat is a smart, open shift platform that provides service functions and application frameworks for shrimpers. It will be OpenShift. This managed OpenShift can easily deploy an OpenShift cluster on Azure in a matter of minutes. Functionally,.

A

It also supports enterprise-grade operations and security. Compliance. It is.

A

Easy to combine with various paas functions such as ci cd functions necessary for agile development, 2. Also,, since it is a cloud,, it is possible to flexibly scale out and scale up the density of running the same application. It's.

A

Normal.

A

Well,, even if you run an open shift cluster on the cloud,, the cloud side will take care of the next part of the bottom layer,, but the network on top of that. In terms of things like monitoring and security,. You have to manage them. Yourself.

A

Red hat Openshift In, this case, users can leave the infrastructure-related parts to Microsoft Azure, and how to operate and develop applications on it.

A

This azure red hat, open shift can be used very easily on azure, and the deployment itself can be easily deployed using Ajiuri's, cli, and azure. You can use it only with a contract,. So you.

A

Don't need to purchase an OpenShift license, separately. There.

A

Is also the advantage that you can stop using it immediately.In.

A

Fact,, if you actually try using this OpenShift,, it's normal,, you 'll have a hard time with Red, Hat, Push and OpenShift from the cluster manager,. But from there you can pull secrets. and deploy using dazure's cli, well,, it's 2 minutes.At the end,. When the cluster is completed,, you can easily use the cluster with the network, configuration etc.

A

Why azure If, you ask if it's a red hat, open shift,. It's.

A

After all, Pushing on azure has the advantage of being able to make good use of azure's. Infrastructure. You can also.

A

Use virtual networks to make it possible to use it even in a network-closed environment.You.

A

Can also increase availability by deploying clusters in multiple availability, zones. In addition, azure has already obtained various compliance, certifications, such as Fisk and pci dss,. So it is a reliable cloud platform and baptism. The best part of OpenShift,, which is a cluster of Cooper Natis,.

A

Is the red hat OpenShift. Managed services are fine. I think you may be worried about 10 red hat Openshift,, but you can assign administrators the adwin role that Guber Lettis lived, in,, run prefecture, containers, and install crd. Therefore, flexible cluster management is possible.

A

Also, for authentication and authorization,, you can use authentication providers supported by OpenShift. I.

A

Think that the fact that operators can be used with OpenShift will be an important point,. But of course you can also use the operator hub just like with normal OpenShift,, and you can also use the operator hub for lending. It's also possible to install it.If you're going to go to great.

A

Lengths to run it in the cloud,, you want to use the value of MacLeod in various.

A

Ways.

A

Also,, the main job of the public cloud is to operate the platform,, so.

A

Performance and reliability will be improved.. The quality of the service has become extremely high,, and by linking it with various services,, it has become possible to create new scenarios.

A

Trying.

A

Out.

A

Shift is an easy way to start using the value of the cloud.In. The.

A

Case of public clouds,, a managed empty version of Lentis' service is generally provided., Among them,. The reason why OpenShift's managed service is selected is that in the case of OpenShift,, the cluster management function that has the Coover name. This + alpha function is also supported,, so there are various service. Meshes. You can also use functions such as log-in logging and metering, functions. You.

A

Can also use a monitoring tool to do something like monitoring for Don.I. Think the most important thing when using it in an enterprise is the support. System.Support is provided together in partnership with red hat and Microsoft.. We are.

A

Able to provide solid support without having to be together with you when you raise your support,, so even prize customers can use it with confidence. I.

A

Think there are a lot of requirements for enterprise customers who have various difficult sovereignty and want to separate the network or want to use it securely. Open shift +6 azure It can also be linked with Perth and saas services, such as databases and Kai Pia Management, Cognitive Services,, and it is also possible to easily achieve network isolation and connection with on-premises.

A

In terms of ensuring the security of petroleum as infrastructure,, we are now able to realize authentication using Majour ads,. So it is a platform that enterprise customers can use with peace of mind.

A

From here, on, I would like Mr. Sword to talk about the design considerations for actual use in the enterprise.

B

In the service business division,, we are doing system construction, design, proposals for customers, and in particular, we have a track record of building OpenShift,, which we will introduce this time, for customers in various environments. I heard from Mr. Aro. We jointly created what is called the Kuniwa Reference Architecture,. So today, I would like to introduce the contents of that. At. The end of the first half, Mr. Omizo introduced that it would be very easy to get started,, but of course it is also possible to use it on a full-scale enterprise. Basis.

B

It is necessary to have a proper design,, so in the second half of this section, I would like to introduce some of the best practices for that design.

B

Instead, I think there are ideas that can be partially used in public lard,, so please use it as a reference. In.

B

Most cases, in the case of the cloud, I think there are many cases where other cloud resources are deployed and used in conjunction with each other. Therefore,. With regard to cloud resources,, it.

B

Is thought that using managed services such as Pance and saas as much as possible will lead to a float in the operational load of the entire system. For? The.

B

Aro.

A

Cluster,.

B

You can use the oc command or the cube, control command, and use the OpenShift Ev Console to operate. For, the azure resource, you can use the az command or the Hatajuru Portal. I think that it is a point that should be recognized at the beginning of the design that, if you do it,, the operation will become Kate. It.

B

Is necessary to mix and interweave both the perspective of design for enterprise and the appraisal of cloud design for post-enterprise. Let.

B

Me summarize, r has been published as a technical reference architecture since around October.I.

B

Would like to introduce the link, url, etc. That's? Why I would like to introduce some of them. Overall, as written on this page,? There are four major design. Perspectives. One is the network configuration,, which I would like to introduce later.

B

Then,. We will talk about security and ministry authorization, and.

B

Also,.

B

About operation and maintenance for the entire board, maintenance, cluster. I.

B

Would like to introduce some of Emmett's later stories.

B

As, you can see on the left, side, master nodes and workers are deployed as VMs,, but unfortunately other network sources are also automatically configured in the form of load, balancers and public IP sources. If, you don't understand the default sewing correctly and design and configure it appropriately,. You may end up with a fragile and loose infrastructure configuration from a security perspective,. So you need to be careful about that.

B

For example,, it is made with a fault configuration and the api can be accessed from the public Internet,. So, depending on the situation,, there may be cases where an unauthorized third party accesses and allows unauthorized. Access. It is also necessary to pay attention to the point that.

B

From the viewpoint of network configuration,, it is further divided into four, as shown here.

B

Due to time constraints, today, I would like to focus on Bloom and the separation, and I would like to introduce Taipei's private tomorrow.

B

In, the first place, this is not limited to aro,, but when you use a cloud service such as 10 colors in an enterprise,, it's a story of a school student,, but in the case of an enterprise,, it's generally the case. In the case of azure,, which connects from the base of play to the cloud, I.

B

Think that it will be in the form of using the resources of Giroud by using the express route and having a good season for weight. In, this case, as a network design pattern, there are a variety of patterns called hub and spoke.

B

The idea is that if you put it on the net, a.

B

Professional chair will be placed.. It is relatively common to design such a network where the spokes, where the system is located, can access the net.

B

On, the other hand, from a security point of view,. This is the Zion play,, which is an extension of the so-called sound play.

B

As for the security design at that time,, if you were to think of it like a church defense,, you would only apply security to the places that enter from the outside, for example,, with firewalls, etc. In. The unlikely event that an intrusion could occur. Inside. There, is a risk of allowing a horizontal attack.

B

If it is taken, over. It is necessary to be careful not to attack the base side of the play.In recent years,. The concept of 0 trust network is used for such disks.The idea is to properly separate the stake net of each business system.. It 's in the idea called the v-net separation method.

B

Below. Isolate, the isolated part further ahead of the v-net,, create a v-neck, and expand the clusters that are there.

B

Well,, if you access, there, you'll, get access to the detachment v, net.

B

So, as an access route,, you take the spoke from the base through the hub and access. The end point of the spoke lady's private link. It is in the form of being able to access the darkness of aro.

B

There is no such thing as a route,, so there is this way of thinking that it is possible to defend against horizontal attacks.

B

If the system has a security design of this level, I think it is necessary to match it to that security level, and one of the options is a network security design like this. It's, introduced.

B

Next, I'd like to introduce you to Taipei's private.

B

Ip. It will work together to make it accessible from outside the Internet.In many enterprises,. There are many cases where access via the Internet is not permitted, and in that case,, if you deploy it as an option, as shown on the right, side, However,, it is also possible to configure the master api to be private.In.

B

This way,, the load balancer that was stunned, will be replaced with an internal load balancer.As a result,. There is a cluster that can not be accessed. In, this case,, as you have in mind,. It will be an access route that allows you to access only from the maintenance terminal there by playing to obtain a maintenance terminal in the heat of that part, and from the public ip It is possible to control whether or not to allow it.In.

B

This kind of configuration, ro's access will be accessed from the maintenance terminal on the same site network,, but as I said at the beginning,, it will be a. If. You want to access not only cloud resources but also other cloud resources like paas saas,. What should you do in the case of.

B

Agile?

B

However,, since it is on the Internet,, you have to be outside for a while,, but as an access route for that,. When you go outside from the maintenance terminal,, you can set up an azure firewall and run l-ping to make sure you can access it. By, making it pass through,. The.

A

Access.

B

System is also restricted.In addition,. It is also possible to impose access restrictions on azure ad.So in this way,. If it is an aero class,, azure resources will be networked. Separately.

B

As I just said,. There are several things to think about when it comes to the configuration of the Internet. Restrictions:.

B

We can think about output type restrictions by adding them to the network. We mentioned earlier.

B

This is an example of input route, restriction., There.

B

Are also cases such as using the function that allows secure access to the vm from the portal, and then stabbing the access. Thinking about this is an example of input, route, restrictions, and output. Type restrictions are the opposite. For example,, connecting a worker from a soil container to an external service, such as a parsing database, is an example of an output route restriction,. But here too, a firewall is used..

B

The idea of ensuring secure access by using services that can be connected by a hey route, such as a private link, is the most important point of network configuration.

B

There are many ways to manage the deliverables in the company, and about this know-how. Content,. You can see it in the upper right corner,, but if you access the link,, you.

B

Can see it as document content. We also provide the actual azure configuration and resource allocation as a script like the one I just introduced,, so you can access the azure subscription in your environment and actually introduce it. Today. It is possible to create something similar to 8 Air, Ropla class + other resource configurations.

B

Similarly, many reference architectures have been published for services,. So please take a look if you are interested.

B

Lastly, I would like to show you that this will not happen. Originally,. The minimum range of arrow clusters was only the master's, department,, workers,, etc. on the left, and the labor balance. However,. If you take a look at the network security restrictions that I introduced today,, what you see in the bottom right is the path of sound play,, but you can access it securely by separating v nets with a private link..

B

It is also possible to do a variety of things, and the upper right is the route from the Internet, and it is possible to narrow it down to a route that allows access through the Azuru fashion that I introduced a little earlier.

B

Although. It is not introduced,. It is possible to cooperate with various azure services for operation management,, in this case aka the azure firewall and go outside It.

B

Is also possible to link with jewelry or link with Azure Monitor,, which is an operation monitoring, system, or use logs in conjunction with log analysis, services such as log analytics at Shinran, Storage., It.

B

Is also possible to develop a container using a service such as Agile, place, the container image in the registry, and send it as it is to ar and have a hard time. It.

B

Is possible to build a system configuration using the script from the link I introduced earlier,? So why not try it?.

B

As, a service,, we will send you a reference by e-mail, and we will explain the guide + actually configure it in the customer's environment and touch it. The.

B

Service that provides technical support is also available as an add-on. If. You are interested in this service,, please contact Microsoft service or hp's ethane and sales department. I.

B

Would like to wrap up today's lecture with this slide. You.

A

Can also use various functions of azure to create an environment where you can.

B

Use.

B

S.

B

Hp.

A

Thank you for listening, today.