Professional Documents
Culture Documents
Dzone Refcard 344 k8s Governance 2022
Dzone Refcard 344 k8s Governance 2022
Kubernetes Multi-
CONTENTS
• Introduction
Cluster Management
• What Is Multi-Cluster
Management?
and Governance
• Core Practices for Successful
Kubernetes Governance
Kubernetes is an open-source container management system Proper multi-cluster management ensures consistent operations
designed by Google that brings significant agility, automation, and across all environments, enterprise-grade security, and workload
optimization to those running containers in a DevOps environment. management.
Thanks to Kubernetes’ extensibility, it’s able to meet the most diverse Below is a visual representation of an example Kubernetes multi-
requirements and constraints in application development, and sits cluster architecture.
firmly in the prime spot as the most common open-source container
orchestration framework.
Figure 1
Leveraging multiple Kubernetes clusters can solve many of the • Defining the resource quotas among the clusters
aforementioned problem scenarios, but managing multiple clusters is a
• Creating pod budget policies
difficult task. As the cluster grows, the complexity in managing them
• Creating network and governance policies
also increases. There are multiple operations that occur in a well-
managed Kubernetes cluster, such as adding/removing a node, securing • Defining taints and toleration on the clusters
the cluster, upgrading it from time to time, maintaining the cluster, etc. • Scanning for risks and vulnerabilities
These operations' complex nature at scale requires a proper Kubernetes One of the important strategies for managing multiple Kubernetes
multi-cluster management system to monitor everything happening clusters in the industry is to have a proper cluster isolation pattern.
on all the clusters. Taking a best practice approach, SREs in operations The isolation we're discussing here improves the security within an
teams can better monitor the health of the cluster environment and application.
maintain application performance when multi-cluster architecture is
more uniform. Figure 2
To achieve the isolation boundary, you must optimize the use of Many of the above tools share the following features for managing
Kubernetes namespaces. These will help you in defining the scope of multiple clusters with ease and visibility:
cluster usage and its resources by a team or application. Namespaces
• Central cluster management with automatic application
are a logical way to break a cluster up into logical constructs and also
delivery
allow you to define RBAC; pod security policies; network policies (to
• Reduced operation cost by unifying all management
separate workloads); and quotas.
• Increased application availability by deploying across
Figure 3
distributed clusters
− Helm
TEAM-BASED STRUCTURE
One of the best practice approaches to working in Kubernetes is to
− Kubespray
create smaller multi-clusters and multiple environments (development
• Security and monitoring and production) per cluster. That way, they will all be connected to
− Aqua each other over the organization network. The two main reasons for
such an approach are to separate concerns and limit the blast radius
− cAdvisor
of unforeseen events. This architectural framework approach sees the
− Falco formation of multiple Kubernetes clusters across an organization.
The advantage of this approach is that teams can leverage Kube features Finally, for Kubernetes governance, you should optimize policy
like service discovery across the wider organization while maintaining management. Think about how Kubernetes is going to impact your
complete control of their own resources. engineering culture and how to find the right balance for developers’
flexibility within it. Governance — with an appropriate level of flexibility
Consider your project and business needs from the outset when
— ensures that you can meet customer needs and deploy critical
thinking about adopting a multi-cluster strategy. For example, do
services in a uniform and consistent way.
you really need hard multitenancy? Hard multitenancy is an approach
that assumes all tenants are high risk and as such requires the most The two governance dimensions consist of:
stringent of responses, which will automatically require a multi-cluster
• Policy scope: where a specific rule should be applied, enforced,
approach. After that, consider your compliance requirements and if
or verified
you have the operational capacity to handle the overheads of a multi-
• Policy targets: what should be enforced and verified
cluster architecture.
When you think about policy targets for governance, there can be
WHAT IS KUBERNETES GOVERNANCE?
many aspects. Here, we are discussing security policies, network
Governance is about synchronizing clusters and enforcing centralized
management, access management, and image management.
policy management. Kubernetes governance refers to a set of rules
created through policies that need to be enforced on all Kube clusters. LIMIT USER ACCESS
This is a critical component for enterprises being production-ready In security policies for Kubernetes governance, it’s important to limit
and working at scale in Kubernetes. Typically, this process means users' access on the pods in the clusters. Users of the cluster should
enforcing conformance rules across Kubernetes multi-clusters as well have well-defined access depending on the privilege, which is based
as applications running in those clusters. on their role. To achieve this, implement security policies in place that
will have rules and conditions related to access and privileges. In these
It would help if you had a solid plan in place to be production-ready at
policies, define that the containers should have only read access to the
scale. Kubernetes governance may sound dull, but it’s going to pay off
file system and enforce allowPrivilegeEscalation=false in the
in the long run, especially if implemented across a large organization.
policy so that the containers and child processes cannot be subject to
Suppose you continue to grow the number of clusters in use without
privilege changes.
governance. In that case, they will exist in different pockets with
different rules and implementations, which basically translates to a
NETWORK POLICIES
huge amount of extra time and work for your teams to manage in the
Network policies play a very important role in defining which service can
near future. However, there are only a few very important components
talk to each other. Here, define which pod and service can communicate
for creating successful Kubernetes governance, and these are outlined
with each other and where the isolation must be established. This
below.
comes under the pod security in Kubernetes governance. These policies
help you control the traffic inside the Kubernetes clusters. These
CORE PRACTICES FOR SUCCESSFUL
network policies can be pod-based, namespace-based, or IP-based,
KUBERNETES GOVERNANCE
depending on your requirement for governance. In these policies,
When considering a successful Kubernetes governance strategy, the
you define entities such as spec, podSelector/namespaceSelector,
first component is ensuring that good multi-cluster management and
policyTypes, ingress (rules defined for traffic), egress, etc.
visibility are well in place. It is necessary to maintain control over how
and where clusters are provisioned and configured, as well as which
ACCESS ADMINISTRATION AND MANAGEMENT
versions of software can be used. For visibility, ideally, you should be
In access management, while configuring the RBAC (role-based access
able to centrally view and manage clusters to better optimize resources
control) policy, admins need to take the responsibility to limit access to
and troubleshoot issues. Improved management practices and better
cluster resources. There are multiple Kubernetes objects such as Role,
visibility can also save you the headache of having to deal with a number
ClusterRole, RoleBinding, and ClusterRoleBinding, which helps
of security risks and performance issues down the road.
you define access to the cluster resources in detail.
Image management is also a part of Kubernetes governance. Any This approach will help in reducing complexity and ensure that
and all images to be used on the cluster must be audited first for any applications running on the clusters are highly available.
vulnerabilities. There are a number of approaches to vulnerability
You will also see an improvement in performance because you can
scanning — how and where you check will depend on your preferred
deploy your application on a cluster in the nearest available region
workflows. However, it is recommended that images be tested and
where your application needs to be deployed.
passed before deploying on the cluster.
These policies are a must for better Kubernetes governance. After these • Reduced complexity
policies and rules are in place, verify that they are all enforced in the • Enhanced cluster visibility
organization as a part of internal compliance rules and policies. Monitor
• Better application availability
teams and projects comprehensively to ensure that everyone in the
organization follows the policies defined and do not bypass them. • Improved monitoring and logging
CONCLUSION
There are many established vendors like D2iQ, Red Hat OpenShift,
Google Anthos, Rancher, and VMware Tanzu that are capable of
supporting you in the management and governance of Kubernetes
multi-clusters at scale.
applications can run at scale across the globe without any hiccups. Cherre is the leader in real estate data and insight.
Optimizing such a tool can also help you reduce manual effort amongst We help companies connect and unify their
disparate real estate data so they can make faster,
your engineers through the multiple automated solutions available in
smarter decisions.
their features.
Stefan is an IT professional with 20+ years management and
hands-on experience providing technical and DevOps solutions to
Here too, the ability of any one of these vendors to help you reduce
support strategic business objectives.
the workforce power involved and the bandwidth required to manage
multiple Kubernetes clusters across a large-scale enterprise can vary.
Research and test before selecting.
600 Park Offices Drive, Suite 300
Research Triangle Park, NC 27709
So, when considering how to manage multi-cloud, multi-distribution
888.678.0399 | 919.678.0300
clusters, DevOps teams should take a look at these platforms as an
At DZone, we foster a collaborative environment that empowers developers and
alternative to overcome the pain of multi-cluster management and tech professionals to share knowledge, build skills, and solve problems through
content, code, and community. We thoughtfully — and with intention — challenge
governance on their own. the status quo and value diverse perspectives so that, as one, we can inspire
positive change through technology.
REFERENCES
2020. Cloud Container Adoption In The Enterprise. [PDF] Forrester Copyright © 2022 DZone, Inc. All rights reserved. No part of this publication
may be reproduced, stored in a retrieval system, or transmitted, in any form or
Consulting. Available at: <https://www.capitalone.com/tech/cloud- by means of electronic, mechanical, photocopying, or otherwise, without prior
written permission of the publisher.
container-adoption-report/> [Accessed 30 December 2020].