Yes, it is the holy grail. Yes, the documentation is a bit spotty in some cases. We've been using kubernetes in GCE for about 1 year. We run both interactive services and batch jobs in 2 clusters: dev and production. The production cluster runs fully with declarative configs (we have a jenkins instance that performs the deployments of committed k8s configs). There are a couple of features that we are missing: (pod anti-affinity now in 1.6) and better support for storage. But in general kubernetes has the right concepts for running services, imho. We have 0 ops people.
Our clusters run on large VMs with 10s of PODs in the same VM. We can get high cpu/mem utilization; resilience to failures; logging; monitoring (via prometheus - GCE /stackdriver is awful). I don't think there is anything out there that comes close in terms of supporting the right abstractions and being ready to use in production.
Yes. It may not cover some of the most recent advances (e.g. deep learning) but it lays the foundations required to understand them. Besides, it is really really accessible. And fun. I enjoyed taking the class.
We use it in conjunction with kubernetes service proxy
https://github.com/pedro-r-marques/k8s-service-proxy to access all of our internal services and debug ports deployed in the k8s/GKE cluster. oauth2 proxy authenticates, service discovery in k8s means that we can keep publishing apps. We don't use fine grain ACLs... But i guess that we could if we wanted to.
As others have mentioned there are multiple options. If you want micro-segmentation (one network per app-tier) with fine-grain access control you can use the OpenContrail plugin https://github.com/Juniper/contrail-kubernetes. It has the added advantage that you have a tenant network span k8s, openstack, vlans, or anything else you can plug into a reasonable mid-tier router.
[Disclosure: i'm currently working on this project]
My guess is that the "entrepreneurial" solution here would be a combination of:
- A browser that doesn't support cookies and provides the server with a client controlled session-id (perhaps a user-id also).
- Only uses SSL sessions to avoid middle-box injection of HTML headers (this still leaves the provider with the ability to inject data as IP options / TCP headers).
- A micropayment solution that allows content providers to get revenue from content rather than ads.
OpenContrail can be used as an overlay network for docker: the overlay is implemented as a kernel module and comes very close to the theoretical maximum iperf performance on a server with 2x10G links.
This script https://github.com/pedro-r-marques/opencontrail-netns/blob/m... can be used to associate any docker container created with "--net=none" with an overlay network. Better yet you get all the semantics of the OpenStack neutron API: floating-ip, dhcp options, source-nat, LBaaS.
The kernel module also collects flow records of all the traffic and there is a web-ui that can display the analytics of all the traffic flows in your network.
Install guide: https://github.com/Juniper/contrail-controller/wiki/OpenCont...
Support on freenode.net #opencontrail.