December 21, 2019

Towards Trading on Kubernetes: Operating Multi-Tenant and Secure Clusters - Andrew Kochut &

Talk Title: Towards Trading on Kubernetes: Operating Multi-Tenant and Secure Clusters - Andrew Kochut &
Speakers: Javier Diaz-Montes (Software Engineer, Two Sigma), Andrzej (Andrew) Kochut (Vice President, Two Sigma)
Conference: KubeCon + CloudNativeCon North America
Location: Seattle, WA, USA
Date: Dec 9-14, 2018
URL: Talk Page
Slides: Talk Slides

Two Sigma, a financial company, performs large-scale data processing for modeling and trading while facing risks, such as data exfiltration. We present how we addressed this by building multi-tenant Kubernetes clusters to run over 500 services on 30K cores and 200TB of RAM. These include parts of our trading system and our document translation system, build and test farms, and artifact caches. Kubernetes doesn’t provide full tenant isolation, so users often create per-tenant clusters. Two Sigma has many teams with unique data and service access needs, so such a model would have large overheads. We built multi-tenant clusters by coupling namespace, RBAC and PSPs with Two Sigma’s entitlement system. We also integrated Kerberos via annotations to inject tickets, keytabs, and SSL certs into Pods. We discuss lessons from operating this both on-prem and in public cloud, including pros and cons of GKE.
