Page 1
Kubernetes in Highly Restrictive Environments
Oleg Chunikhin | CTO, Kublr
Page 2
Introductions
Oleg Chunikhin, CTO, Kublr
20 years in software architecture & development
Working w/ Kubernetes since its release in 2015
Software architect behind Kublr, an enterprise-ready container management platform
Twitter @olgch; @kublr
Like what you hear? Tweet at us!
Page 3
What's Kublr? (feature diagram)
Operations: Automation, Ingress, Custom Clusters, Infrastructure, Logging, Monitoring, Observability, API Usage, Reporting
Security & Governance: RBAC, IAM, Air Gap, TLS, Certificate Rotation, Audit
Platform layers: Storage, Networking, Container Registry, CI/CD, App Mgmt; Infrastructure; Container Runtime; Kubernetes
@olgch; @kublr
Page 4
Creating a Production-Grade Kubernetes Cluster
1. Install with kubeadm or other tools [1, 2]
2. ...installer works its magic...
3. Done?
[1] https://kubernetes.io/docs/setup/independent/install-kubeadm/
[2] https://kubernetes.io/docs/setup/
Page 5
Creating a Production-Grade Kubernetes Cluster
Unfortunately, it’s not that easy!
Page 6
What We’ll Discuss Today
1. Cloud native, Kubernetes, and Enterprise
2. Enterprise Restrictions and Requirements
3. Kubernetes enterprise deployment patterns
4. Kubernetes solution categories and their limitations
5. On-premises struggles
Page 7
Cloud Native and Enterprise
Page 8
Cloud Native
Cloud Native Precursors
SRE, DevOps, 12-factor app
API (management), Microservices
Containers, Cloud, Virtualization
Empower IT teams to respond to business requirements quickly, reliably, and predictably
Larger enterprises can benefit most, but their adoption is lagging behind
Page 9
Cloud Native Attributes
Lightweight containers
Language agnostic
Microservices
API
Stateless/stateful separation
Self-service infrastructure
Isolated from OS/server deps
Agile DevOps processes
Highly automated
Declarative resource mgmt
Page 10
Enterprise Requirements
Multiple/complex environments (On-prem, Clouds, Hybrid)
Centralized management and governance
Provisioning, Monitoring, Log Collection, IdM/AAA, Cost
Integration with existing tools
Security (Infrastructure, OS, IdM/AAA)
Software management (Patches, Packages, Images)
Page 11
Enterprise Constraints
Separation of Responsibilities
Infrastructure, Operations, Security, Legal
Network Access (white/black-listing, air gap)
Security Tools and Processes (infra, OS, platform, apps)
OS, Platform, and Software Practices and Standards
Vendor and version certification; configuration practices; custom package repositories; etc
Page 12
Cloud Native Enterprise
Requirements and Patterns
Page 13
Cross-Team Responsibilities
Large organizations often separate teams by:
• Compute
• Network
• Traffic ingestion
• Storage
• Security
“Cloud native” paradigm shift is necessary
Page 14
Centralized Management
Unification, standardization, governance
Centralized vs distributed management
Management API
RBAC and IdM/AAA; integration
Page 15
Logging and Monitoring
Centralized collection and analysis
Integration with existing solutions
RBAC for logs and metrics across teams
• per project
• per team
• per environment
Page 16
Security
Identity Broker
Fine-grained role-based access control (RBAC)
IdM/AAA
Secret management and support for external secret storage
Cluster secrets storage/rotation
Internal CA
Support for external CA
Infrastructure mgmt integration
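On a self-managed cluster, the secret-storage, rotation and external-key-storage items above land in one place: the kube-apiserver's EncryptionConfiguration, which decides how Secret objects are written to etcd. The file below is an added example written for this page; it is not from the original slides or from Kublr. The file path, the KMS plugin name `vault-kms` and its socket path are assumptions, and the AES key value is a placeholder to be generated locally.

```yaml
# /etc/kubernetes/encryption.yaml  (added example; path and names are assumptions)
# Wire it in with: kube-apiserver --encryption-provider-config=/etc/kubernetes/encryption.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The FIRST provider encrypts new writes; every provider in the list is tried on reads.
      # Envelope encryption via an external KMS keeps the key-encryption key out of the cluster.
      # "vault-kms" is an assumed name for a KMS v2 plugin listening on a host socket.
      - kms:
          apiVersion: v2
          name: vault-kms
          endpoint: unix:///var/run/kms/vault-kms.sock
          timeout: 3s
      # Local fallback so objects written before the KMS existed stay readable.
      # Generate the value with: head -c 32 /dev/urandom | base64
      - aescbc:
          keys:
            - name: key-2024-01
              secret: <base64 of 32 random bytes>
      # identity = plaintext. Keep it LAST: pre-existing unencrypted objects remain readable,
      # but nothing new is stored in the clear. With identity FIRST the whole file is a no-op.
      - identity: {}
```

Rotation follows from the provider order: add the new key or provider at the top, restart every API server so all of them can read both, rewrite each object so it is re-encrypted under the new key (`kubectl get secrets --all-namespaces -o json | kubectl replace -f -`), and only then drop the old entry. Check the result in etcd rather than trusting the config: the stored value of a secret under `/registry/secrets/<namespace>/<name>` should begin with `k8s:enc:kms:v2:` (or `k8s:enc:aescbc:v1:<keyname>:`), not with a raw protobuf payload.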
Page 17
K8S Security Tools and Best Practices
Utilize RBAC
SELinux/seccomp
PodSecurityPolicies
NetworkPolicy
Authentication and Authorization Integration
OIDC, Web Hooks, Authenticating Proxy
Admission Web Hooks
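The controls on this slide fit together in a single namespace. The manifests below are an added example for this page, not from the original slides or from Kublr; the namespace `payments`, the group `payments-devs`, the image reference and the registry host are assumptions. One caveat since the talk: PodSecurityPolicy was removed in Kubernetes 1.25, so the example uses the built-in Pod Security Admission labels in its place.

```yaml
# Added example: one namespace hardened with the controls from the slide. Names are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # Pod Security Admission enforces the "restricted" profile (PodSecurityPolicy's replacement).
    pod-security.kubernetes.io/enforce: restricted
---
# Default deny in both directions; every allowed flow must be declared explicitly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Default deny also blocks DNS; re-allow it to kube-system only, on port 53.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: payments
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
---
# Least-privilege, namespace-scoped Role. "secrets" is deliberately absent: get/list on
# secrets returns the values, so that access needs its own, narrower role.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: payments-viewer
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
---
# Bind to a group, not to users. The name is whatever the OIDC "groups" claim carries;
# the API server maps it with --oidc-issuer-url, --oidc-client-id,
# --oidc-username-claim and --oidc-groups-claim.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-devs-viewer
  namespace: payments
subjects:
  - kind: Group
    name: payments-devs
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: payments-viewer
  apiGroup: rbac.authorization.k8s.io
---
# A pod that passes "restricted": non-root, no privilege escalation, all capabilities
# dropped, read-only root filesystem, runtime default seccomp profile.
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: api
      image: registry.internal.example/payments/api:1.4.2   # assumed internal registry
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tmp
          mountPath: /tmp   # writable scratch space; the root filesystem is read-only
  volumes:
    - name: tmp
      emptyDir: {}
```

After `kubectl apply -f`, verify the binding does what you think rather than reading it back: `kubectl auth can-i list secrets -n payments --as=alice --as-group=payments-devs` should answer `no`, and the same command with `get pods` should answer `yes`. On SELinux-enforcing nodes the same securityContext can carry `seLinuxOptions`; admission webhooks, the last item on the slide, are where organisation-specific rules go once the built-in profiles are not enough.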
Page 18
Audit
Kubernetes API server audit
Audit support for the logging and monitoring dashboards
Audit support in the cluster provisioning tool (cluster install, update, upgrade, delete)
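The first item, API server audit, is driven by an audit policy file that the API server evaluates top-down for every request. The policy below is an added example for this page, not from the original slides or from Kublr; the file paths and retention values are assumptions.

```yaml
# /etc/kubernetes/audit-policy.yaml  (added example; paths and retention values are assumptions)
# kube-apiserver flags:
#   --audit-policy-file=/etc/kubernetes/audit-policy.yaml
#   --audit-log-path=/var/log/kubernetes/audit.log
#   --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100
#   --audit-webhook-config-file=/etc/kubernetes/audit-webhook.yaml   # optional: ship to the SIEM
apiVersion: audit.k8s.io/v1
kind: Policy
# Rules are evaluated in order and the first match wins: specific rules before catch-alls.
omitStages:
  - RequestReceived      # one event per request (ResponseComplete) is enough
rules:
  # Never store secret material in the log, whoever reads it: Metadata only.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets"]
      - group: "authentication.k8s.io"
        resources: ["tokenreviews"]
  # Interactive access to containers: record the full request (command, container).
  - level: Request
    verbs: ["create"]
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach", "pods/portforward"]
  # Privilege changes: keep request and response so the resulting object is on record.
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
  # Noise reduction: watches by core components and health/discovery endpoints.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
      - group: ""
        resources: ["endpoints", "services"]
  - level: None
    nonResourceURLs: ["/healthz*", "/readyz*", "/livez*", "/version", "/api*"]
  # Everything else: who did what, when, from which address; no request bodies.
  - level: Metadata
```

Each event is a JSON object carrying `user.username`, `verb`, `objectRef.resource`, `sourceIPs` and `responseStatus.code`, which is exactly what the central log pipeline from the previous slides should index; a 403 on `secrets` from a non-system user is the first alert worth writing. The retention numbers are placeholders to be sized to the regulation you answer to.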
Page 19
Complex Environment
Heterogeneous / hybrid / on-prem
Infrastructure management differences
Infrastructure automation
Network connectivity and protection
Page 20
Complex Environment
Isolated/Air Gap
Where do the required OS packages come from?
How are the required container images provided?
Is there a binary repository (for Helm charts and agents)?
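One answer to the second and third questions is to mirror everything into an internal registry and point the installer at it, so that nothing on the isolated side ever resolves a public hostname. The kubeadm configuration below is an added example for this page, not from the original slides or from Kublr; the registry host `registry.internal.example`, the version and the file names are assumptions, and the transfer commands in the comments assume containerd nodes.

```yaml
# cluster.yaml  (added example; registry host, version and paths are assumptions)
#
# Connected side:
#   kubeadm config images list --config cluster.yaml    # exact image refs this version needs
#   kubeadm config images pull --config cluster.yaml    # pull them into local containerd
#   ctr -n k8s.io images export k8s-images.tar <every ref printed above>
# Isolated side: load the tarball into the internal registry (or, without one,
#   ctr -n k8s.io images import k8s-images.tar on every node), then kubeadm init.
# OS packages (kubeadm, kubelet, containerd) come from an internal mirror of the
# distribution and Kubernetes package repositories; Helm charts are pushed to the
# same registry as OCI artifacts with `helm push` and installed from oci:// references.
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
kubernetesVersion: v1.28.4
# Every control-plane image (apiserver, controller-manager, scheduler, etcd, coredns)
# is resolved from here instead of registry.k8s.io.
imageRepository: registry.internal.example/k8s
networking:
  podSubnet: 10.244.0.0/16   # must match the CNI manifest you also mirrored
```

The same file is passed to `kubeadm init --config cluster.yaml` on the first control-plane node. Running `kubeadm config images list --config cluster.yaml` on that node before init is the cheap check that every reference resolves to the mirror and nothing still points at registry.k8s.io. The CNI, metrics and logging agent images need the same treatment, since anything the cluster pulls later hits the same air gap.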
Page 21
Requirements | Support Existing Tooling
Integration with existing processes and tools for deployment, logging and monitoring, security, software management, etc.
Page 22
Requirements | Cloud Native Platform
Kubernetes
Cloud native storage
Cloud native DB
Network policy
Image management
Backup and DR
Integrated CI/CD
Page 23
On Premises Struggles
Pure bare metal limitations
vSphere API interactions
Realizing HA for Kubernetes
Disaster recovery
OS upgrades
Security updates
Kubernetes upgrades
Air-gap/offline mode
Page 24
What are Your Options?
Cloud provider managed Kubernetes
Home grown solution
3rd party vendors
Page 25
Cloud Provider Managed Solution
Quick, easy, integrated, managed
but
May not meet your requirements and/or regulations
No direct access to the masters or to Kubernetes components in general
No or limited customization of the Kubernetes configuration
Limited support for on-prem / hybrid installations
Page 26
Home Grown Solution
Will cover your needs
but
Requires extra time and effort that could be spent on innovation
With four Kubernetes minor releases per year (three since 2021), it may be hard to keep up with upstream
Page 27
Vendor Solution
Will cover your needs
but
Careful requirement definition and feature analysis is necessary; choose wisely!
Custom development and integration may still be required
Page 28
What’s Next?
Infrastructure as code
Immutable Infrastructure
CI/CD for infrastructure
GitOps
Page 29
Q&A
Take Kublr for a test drive! kublr.com/deploy
Free non-production license
Page 30
Stay in touch! Signup for our newsletter at kublr.com
Oleg Chunikhin, CTO, Kublr
@olgch
Kublr | kublr.com
@kublr