Yes, it is the holy grail. Yes, the documentation is a bit spotty in some cases. We've been using kubernetes in GCE for about 1 year. We run both interactive services and batch jobs in 2 clusters: dev and production. The production cluster runs fully with declarative configs (we have a jenkins instance that performs the deployments of committed k8s configs). There are a couple of features that we are missing: (pod anti-affinity now in 1.6) and better support for storage. But in general kubernetes has the right concepts for running services, imho. We have 0 ops people.
Our clusters run on large VMs with 10s of PODs in the same VM. We can get high cpu/mem utilization; resilience to failures; logging; monitoring (via prometheus - GCE /stackdriver is awful). I don't think there is anything out there that comes close in terms of supporting the right abstractions and being ready to use in production.
Yes. It may not cover some of the most recent advances (e.g. deep learning) but it lays the foundations required to understand them. Besides, it is really really accessible. And fun. I enjoyed taking the class.
We use it in conjunction with kubernetes service proxy
https://github.com/pedro-r-marques/k8s-service-proxy to access all of our internal services and debug ports deployed in the k8s/GKE cluster. oauth2 proxy authenticates, service discovery in k8s means that we can keep publishing apps. We don't use fine grain ACLs... But i guess that we could if we wanted to.
As others have mentioned there are multiple options. If you want micro-segmentation (one network per app-tier) with fine-grain access control you can use the OpenContrail plugin https://github.com/Juniper/contrail-kubernetes. It has the added advantage that you have a tenant network span k8s, openstack, vlans, or anything else you can plug into a reasonable mid-tier router.
[Disclosure: i'm currently working on this project]
My guess is that the "entrepreneurial" solution here would be a combination of:
- A browser that doesn't support cookies and provides the server with a client controlled session-id (perhaps a user-id also).
- Only uses SSL sessions to avoid middle-box injection of HTML headers (this still leaves the provider with the ability to inject data as IP options / TCP headers).
- A micropayment solution that allows content providers to get revenue from content rather than ads.