Sandbox Flashcards
FaaS advantages and disadvantages
Advantages:
* No provisioning of servers.
* Automatic scaling.
* Reduction of costs.
* Underlying servers shared among different function invocations.
Disadvantages:
* Focused on stateless functions.
* Performance variations due to restart latencies.
* Not suitable for heavy compute-intensive workloads; own VMs might be cheaper.
* Limited security: shared VMs, no control over the network.
Containers vs VMs
Containers
* Using Linux primitives.
* Share the Linux kernel.
* Fast starts, minimal overheads.
* Flexible isolation.
Virtual Machines
* Virtualise or emulate hardware components.
* Completely separate kernels.
* Slower starts: must boot a kernel and set up hardware.
Container Ecosystem
CRI
Defines an API between K8s and the container runtime.
OCI
Specifications for container images and running containers.
Runc
Implementation of the OCI Spec.
Responsible for creating and running the container processes.
Containerd
Industry-standard container runtime.
Manages the complete container lifecycle of its host system, e.g., image transfer and storage, container execution and supervision.
Fully supports OCI runtime specification for running containers.
Supports snapshotting.
Supports running sandboxes through containerd-shims.
shim
Piece of software that resides between containerd and a low-level container runtime (runc, runsc).
Abstracts low-level runtimes.
Lives as long as the container process.
In contrast, OCI runtimes just fork/exec the container process and then exit.
Intercepts the container's stdin, stdout and stderr streams and redirects them to logs.
gVisor
Open-source, secure container runtime, developed by Google.
The Sentry intercepts the syscalls made by the application.
Only a few syscalls are made by the Sentry to the host Linux kernel.
A seccomp profile filters the syscalls the Sentry is allowed to make.
Access to the filesystem goes via a separate process called the Gofer.
Drawbacks:
* Not well suited for syscall-heavy workloads.
* Not all syscalls are implemented.
* Uses the containerd-shim-v1 API.
AWS Firecracker
VMM that uses KVM to create and manage microVMs.
* Specifically designed for serverless computing.
Kata Containers
Secure and isolated containers with a separate kernel.
WebAssembly
Binary format, with an alternative human-readable text representation.
WebAssembly module
Application code in the WASM instruction set (ISA).
Defines functions, globals, memories, imports, exports, static data.
WebAssembly Embedder
Parses WASM modules and executes the application code.
Execution strategies:
* Interpreter (Blockchain smart contracts, Browser)
* JIT (Browser, Standalone)
* AOT (Standalone)
krustlet
Enables running WebAssembly workloads natively on Kubernetes.
Knative
Platform which deploys on top of K8s.
Knative Eventing enables an event-driven architecture for applications, e.g., producer/consumer.
Knative Serving
Provides scale-to-zero, request-driven functionality.
Traditional CI/CD Push-based Workflow
Starts with the CI system and then continues through a series of encoded scripts that push changes to the Kubernetes cluster.
Advantages:
✚ Ease of use.
✚ Not bound to a specific tool.
Disadvantages:
− Cluster credentials are inside the build system, and the firewall must be opened for it.
− CI/CD through scripts is not declarative and takes effort to make idempotent and to reconcile the state.
GitHub actions
Platform that automates the build, test, and deployment pipeline.
GitOps
A way to manage cloud-native applications and infrastructure.
A GitOps agent (Flux, ArgoCD) automatically applies all code, configuration, and policies across environments.
If there is any divergence between Git and what's running in a cluster, Kubernetes reconcilers automatically update or roll back the cluster.
GitOps Pull Workflow for Application Deployment
In the pull-based approach, all changes are applied from inside the cluster.
* There is an operator/agent inside the cluster that regularly scans the associated Git repositories and Docker registries; if a change occurs, the cluster state is updated from inside.
Advantages:
✚ No external client has the right to publish to the cluster; all updates come from inside.
✚ Changes can be automatically detected and applied without human intervention.
✚ Easier scaling of identical clusters.
Disadvantages:
− Through the pull approach, you are bound to the tools executing the pull.
− Limited to Kubernetes only.
Kustomize.io
Kustomize is a configuration management solution.
* It leverages layering to preserve the base settings of your applications and components.
* Selectively override default settings without actually changing the original files by overlaying declarative YAML artifacts (called patches).
Continuous Delivery Sync (ArgoCD)
- It is a declarative, GitOps continuous delivery tool for Kubernetes.
- ArgoCD follows the GitOps pattern of using Git repositories as the source of truth.
- Kubernetes manifests in ArgoCD can be specified in several ways:
  - Kustomize applications
  - Helm charts
  - Jsonnet files
  - Plain directory of YAML/JSON manifests
- ArgoCD is implemented as a Kubernetes controller.
- It continuously monitors running applications and compares the current, live state against the desired target state (as specified in the Git repo).
Infrastructure-as-Code Automation (Terraform)
Terraform is an infrastructure-as-code tool for building, changing, and versioning infrastructure safely and efficiently.
Open Policy Agent (OPA)
- Policy engine that provides a common framework for applying policy-as-code to any domain.
- OPA provides a high-level declarative language (Rego) for writing policy as code.
- When a policy decision needs to be made, a service sends JSON as input to OPA; after evaluation, OPA returns the decision.
Policy-as-Code in IaC Automation using Regula
PaC can be integrated with IaC to automatically enforce infrastructural policies.
* Regula is a tool that evaluates IaC files for potential security and compliance violations prior to deployment.
* Regula includes a library of rules written in Rego.
* The Regula CLI is built using Go; it reads in infrastructure-as-code files and uses OPA to evaluate them against Regula's library of rules.