Kubernetes can be complex to manage at enterprise scale! Cloud provider services like Amazon EKS solve the challenge of bringing up a Kubernetes control plane. However, production Kubernetes also requires multi-layer security, access controls, load balancing, monitoring, logging, governance, secrets management, policy management, and several other considerations. In this fast-paced talk, we cover how enterprises can address each of these areas and discuss best practices to fast-track deployments.
Kubernetes is the new Cloud OS
• Use Containers & Microservices
• Leverage Open Source Innovation
• Adopt a DevOps Culture
…but remains complex to manage at scale!
Management complexity is the biggest hurdle overall to wider adoption.
Source: Market Pulse Survey of Kubernetes Adoption
About me
• Founder and CEO at Nirmata
• Developing large-scale distributed systems since the early 90’s (Go, Java, JS, C++)
• Core focus on centralized management for complex systems
@JimBugwadia
jim@nirmata.com
Multi-Cloud Kubernetes Management with Nirmata!
(Platform diagram) The Nirmata Platform: Service Mgmt, Visibility, Governance, Compliance, Optimization; Change Mgmt., Audit Logs, Health, Capacity, Isolation Policies, Tuning, Discovery
• Managed Kubernetes: GKE, AKS, EKS, PKS
• Custom Kubernetes: Bare Metal, vSphere, GPUs
• Runs cloud-native applications and traditional applications, each with cluster services
• Your Cloud: Nirmata Cloud or Private Edition; Your Apps
EKS Install
1. eksctl
o Command line tool that creates a new VPC and an EKS cluster
o eksctl.io
2. Terraform, etc.
o AWS provider (https://learn.hashicorp.com/terraform/aws/eks-intro)
3. Nirmata
o Policy-based cluster and add-on management
o https://try.nirmata.io
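As an added example (not a slide from the talk, and not eksctl's or Nirmata's own code), this is an eksctl ClusterConfig that enables the settings a security engineer wants from the first day: an IAM OIDC provider so pods can get IAM roles through service accounts, control-plane logs (including the audit log) shipped to CloudWatch Logs, and worker nodes on private subnets only. The cluster name, region, and node group sizing are assumed placeholders.

```yaml
# Added example, not from the talk. Values for name, region and sizing are assumed.
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: prod-eks          # assumed cluster name
  region: us-west-2       # assumed region

iam:
  # Creates an IAM OIDC identity provider for the cluster so that
  # Kubernetes service accounts can assume IAM roles (no node-wide credentials).
  withOIDC: true

cloudWatch:
  clusterLogging:
    # Control-plane log types sent to CloudWatch Logs. "audit" is the
    # Kubernetes API audit log; "authenticator" records IAM-to-Kubernetes auth.
    enableTypes: ["api", "audit", "authenticator"]

nodeGroups:
  - name: workers
    instanceType: m5.large  # assumed size
    desiredCapacity: 3
    privateNetworking: true # nodes get private IPs only; no inbound path from the internet
    ssh:
      allow: false          # no SSH key on the nodes; use SSM or rebuild instead
```

Apply with `eksctl create cluster -f cluster.yaml`. Once the cluster is up, `aws eks describe-cluster --name prod-eks --query cluster.logging` confirms which log types are enabled; if audit logging is missing, the API server's record of who did what in the cluster is gone.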
EKS Core Features
• Networking
o VPC networking support
o Elastic Load Balancing
o Service Mesh (AWS App Mesh)
o Service Registry (AWS Cloud Map)
• Managed Control Plane
• Integrated with IAM (cluster authentication uses IAM identities)
• Logging (AWS CloudTrail records calls to the EKS API; the control-plane logs, including the Kubernetes audit log, can be sent to CloudWatch Logs)
• Storage
o GP2 (AWS EBS)
o CSI drivers for EFS and FSx (Lustre) in alpha
Challenges
1. Cluster Management
• Consistent configuration of clusters
• Version control and upgrades for each tool
• Security and governance
2. Usage and Workload management
Namespaces
Kubernetes supports multiple virtual clusters backed by the same physical cluster. These virtual clusters are called namespaces.
https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
Role-based access control (RBAC)
• Users are authenticated via OIDC, X.509 certificates, bearer tokens, etc.
• Authentication yields a username and group memberships. However, Kubernetes has no user object of its own: users and user groups are managed externally (on EKS, IAM roles and users are mapped to Kubernetes users and groups through the aws-auth ConfigMap).
• Kubernetes has a fine-grained, deny-by-default permission model: rules grant verbs (get, list, create, …) on resources
• Role (namespace-scoped) / ClusterRole (cluster-wide)
• Roles are mapped to users, groups, or service accounts via role bindings
• RoleBinding (namespace-scoped) / ClusterRoleBinding (cluster-wide)
Network Policies
• By default, Kubernetes pods are “non-isolated”
• They accept network connections from any source and can initiate connection requests to any destination
• Network Policies define traffic rules for Kubernetes pods
• ingress (inbound traffic)
• egress (outbound traffic)
• A policy is only enforced if the cluster's CNI plugin implements NetworkPolicy; the API object alone changes nothing
(Diagram: a Network Policy consists of a Pod Selector, a list of Ingress rules, and a list of Egress rules.)
Resource Management
• Pods can have resource requests and limits
• This allows three quality of service classes: Guaranteed (requests equal limits), Burstable (requests below limits), and BestEffort (none set)
• A namespace can have limits and default allocations (ResourceQuota and LimitRange)
https://opensource.com/article/18/12/optimizing-kubernetes-resource-allocation-production
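As an added example (not from the talk) of namespace-level limits and default allocations: a ResourceQuota that caps what the namespace can consume, paired with a LimitRange that supplies defaults. The pairing matters: once a quota constrains requests or limits, the API server rejects any pod that does not declare them, and the LimitRange is what fills them in for pods that forgot. Namespace and numbers are assumed placeholders.

```yaml
# Added example, not from the talk. Namespace name and all quantities are assumed.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "50"
---
apiVersion: v1
kind: LimitRange
metadata:
  name: team-a-defaults
  namespace: team-a
spec:
  limits:
    - type: Container
      default:            # used as the container's limits when it sets none
        cpu: 500m
        memory: 256Mi
      defaultRequest:     # used as the container's requests when it sets none
        cpu: 100m
        memory: 128Mi
      max:                # a single container may not ask for more than this
        cpu: "2"
        memory: 2Gi
```

With these defaults a container that declares nothing becomes Burstable (100m/128Mi requested, 500m/256Mi limit) instead of BestEffort, so it is no longer the first thing evicted under memory pressure. `kubectl describe quota -n team-a` shows used versus hard values, which is also the quickest way to see why a deployment in the namespace is stuck at fewer replicas than requested.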
One more thing…
Pod Security Policy (PSP)
o Controls runtime security settings for pods (privileged mode, host namespaces, Linux capabilities, run-as-user, allowed volume types)
o Enabled as an admission controller on the API server
o Requires RBAC authorization: the pod's service account (or the user creating the pod) must be bound to a Role/ClusterRole that grants the "use" verb on the PSP
o Note: PSP was deprecated in Kubernetes 1.21 and removed in 1.25; Pod Security Admission and policy engines such as Kyverno replace it
Policy Management
• Policies can provide common configurations and enforce best practices
• Kyverno is an open source policy management tool designed for Kubernetes
• Kyverno allows you to validate, generate, and enforce configurations per namespace / workload
kyverno.io
Challenges (recap)
1. Cluster Management
• Consistent configuration of clusters
• Version control and upgrades for each tool
• Security and governance
2. Usage and Workload management
• Providing teams with virtual clusters
• Providing shared services per virtual cluster
• Securing workloads
Summary
• Amazon EKS provides a reliable way of provisioning and managing the Kubernetes control plane
• For production enterprise Kubernetes, managing cluster add-ons, shared services, and Kubernetes configurations is essential
• Nirmata provides an easy way to build self-service secure virtual clusters on EKS (or any other managed K8s service).