
Kubernetes Configuration Management

Adrian Kosmaczewski

October 05, 2021

Transcript

  1. VSHN – The DevOps Company
    Aarno Aukia, CTO
    Adrian Kosmaczewski, Developer Relations
    Kubernetes Configuration Management
    Swiss Re TEC Conference – Tuesday, October 5th, 2021
    Speaker notes: Hello, my name is Aarno Aukia, CTO and co-founder of VSHN, and with me today is Adrian Kosmaczewski, Developer Relations, to talk about Kubernetes Configuration Management.

  2. VSHN – The DevOps Company
    Agenda
    VSHN - The DevOps Company
    Challenges of managing Kubernetes on different cloud providers
    Project Syn
    Demo
    Speaker notes: First, a few words about VSHN, the company. Then, the challenges we faced in 2019 when managing hundreds of clusters with hundreds of applications each. Then, introducing Project Syn, our open source tool to solve these challenges. And lastly, a live demo by Adrian.

  3. VSHN – The DevOps Company
    Pronounced ˈvɪʒn – like "vision"
    The DevOps Company
    Founded 2014, 47 VSHNeers located in Zürich
    Switzerland’s leading DevOps, Docker & Kubernetes partner
    24x7 support
    ISO 27001 certified
    ISAE 3402 Type 1 & 2 audited
    First Swiss Kubernetes Certified Service Provider
    Speaker notes: Just a few words about VSHN; that’s how you pronounce the name, and we’re "The DevOps Company". We’ve been in Zurich since 2014, we’re 47 VSHNeers and we’re Switzerland’s leading DevOps, Docker & Kubernetes partner, offering 24/7 support to our customers. We’ve got a few certifications, and most importantly, we were the first Swiss Kubernetes Certified Service Provider by the CNCF.

  4. VSHN – The DevOps Company
    Speaker notes: We provide Kubernetes as a Service under the APPUiO brand name, with Red Hat OpenShift and SUSE Rancher Kubernetes. Today we’re going to tell you more about Project Syn, the Kubernetes configuration management tool, and K8up, our Kubernetes backup operator that we already launched at KubeCon 2019. All of our products are 100% open source; we have about 350 repositories in total on GitHub.

  5. VSHN – The DevOps Company
    Speaker notes: We’re partners with many companies very active in the Cloud Native space; you might recognize some of the logos on this slide.

  6. VSHN – The DevOps Company
    Challenges
    Using Kubernetes on AWS, Azure, GCP, Exoscale, and on-premises - all different distributions
    Terraform ok for creating clusters, operators for long-term cluster management
    Provisioning native CSP services outside of the cluster
    Abstracting CSP & Kubernetes differences
    Uniform insights, secrets, maintenance-updates, policies, GitOps
    Speaker notes: The main challenge we faced in 2019 was to manage hundreds of Kubernetes clusters of different distribution types on different infrastructures: hyperscalers, regional service providers, customers' on-premises private clouds. There was no tooling at the time to manage EKS, AKS, GKE, SKS, OpenShift and Rancher Kubernetes at the same time. We were used to provisioning infrastructure using Terraform, but Terraform's approach of managing "the whole infrastructure" and the fast-paced change of contents in the Kubernetes cluster led us to want to use Kubernetes Operators instead. We also saw the need to provision services outside of the Kubernetes cluster, for example databases as a service or object storage buckets. And we wanted to abstract a minimal set, a greatest common denominator, of common services across all these cloud providers, so that users can for example declaratively specify the need for a MySQL-compatible database without having to know if their application will be deployed on AWS or Azure or on-premises. Many hyperscalers provide proprietary monitoring or secrets management services; being able to have one unified solution that also works on-premises was yet another challenge to overcome.

  7. VSHN – The DevOps Company
    Integrating:
    ArgoCD for GitOps
    Vault for secrets management
    Crossplane for service provisioning
    Kapitan for Kubernetes configuration templates
    Renovate for Maintenance/Updates
    GitLab for SCM
    K8up for backups
    OPA for security policies
    Prometheus, Grafana, Loki for insights
    Speaker notes: Integrating a lot of existing open source tools.

  8. VSHN – The DevOps Company
    Contributing
    Steward: in-cluster agent
    Lieutenant: CMDB REST API
    Commodore: hierarchical configuration generator using Kapitan
    Enterprise Support including 24x7
    Also available as managed service
    Speaker notes: We contribute these three projects plus, optionally, provide 24x7 support and operations services.

  9. VSHN – The DevOps Company
    Open source
    syn.tools
    github.com/projectsyn
    Speaker notes: No notes on this slide.

  10. VSHN – The DevOps Company
    [Architecture diagram. Prod infrastructure (the managed cluster): Steward, ArgoCD, Services (Crossplane), Backup (K8up), Insights, Vault, CSP services (S3, RDS, etc.), Applications, Persistent Volumes. Corp infrastructure (the management side): Git repositories for company/tenant/cluster/project level configurations, Renovate, Lieutenant (Inventory), Component templates, Commodore & Kapitan, Git repository for compiled cluster configuration, Vault, Insights, Git. Logos: VSHN, CNCF.]
    Speaker notes: Let me show you how the different parts work together. On the left is the cluster to be managed, on the right is the management infrastructure - the "headquarters" so to speak. To bootstrap the management of a new cluster, you install the Steward agent on it and provide it with a secret to be able to authenticate with the Lieutenant inventory service. The Lieutenant verifies the request, and creates a set of Git repositories if they don’t exist yet. It also saves the cluster metadata like cloud provider, region, Kubernetes type and version in the inventory. Then it kicks off the Commodore service. The Commodore service looks up the configuration for this specific cluster based on a company-wide, a tenant-wide and a cluster-specific configuration Git repo. This enables the administrator to set sensible defaults and/or to enforce certain configurations for all tenants and clusters. The configuration references templates, e.g. for a cloud provider or service, that are called "commodore components", which can then reference Helm charts, operators, containers, etc. Renovate makes sure to detect and inform about new versions of upstream elements using Git pull requests. Commodore assembles all component templates according to the configuration and inventory, and saves it as actual Kubernetes config in a separate Git repository. Steward gets this repo, and deploys and configures ArgoCD, which can then pull the cluster’s configuration.
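The layering the notes describe for this slide, a company-wide, a tenant-wide and a cluster-specific configuration repository compiled per cluster from inventory facts, with the administrator both setting defaults and enforcing certain values, is shown below as an added Python example. This is illustrative code written for this transcript, not Commodore, Kapitan or Project Syn code; the `defaults`/`enforced` split of the company layer, the per-provider defaults, the inventory facts, the tenant and cluster names and every sample value are constructed assumptions. The security point it makes explicit is that an enforced company value (here the OPA policy list and the backup switch) is applied after the tenant and cluster layers, so a lower layer cannot weaken it, and that such attempts are reported rather than silently overwritten.

```python
"""Hierarchical cluster configuration merge (added illustrative example, not Project Syn code)."""
from copy import deepcopy
import json

# Constructed sample layers; stand-ins for the company, tenant and cluster Git repositories.
COMPANY = {
    "defaults": {
        "components": {
            "argocd": {"version": "v2.1.0", "sync": {"auto": True, "prune": False}},
        },
        "backup": {"enabled": True, "schedule": "0 2 * * *", "retention_days": 30},
    },
    # Values every tenant and cluster must end up with, whatever they override below.
    "enforced": {
        "components": {"opa": {"enforce": ["no-privileged-containers", "require-resource-limits"]}},
        "backup": {"enabled": True},
    },
}

# Per-cloud-provider defaults, selected through the cluster facts in the inventory (constructed).
PROVIDER_DEFAULTS = {
    "aws": {"storage_class": "gp3", "components": {"crossplane": {"providers": ["provider-aws"]}}},
    "azure": {"storage_class": "managed-premium", "components": {"crossplane": {"providers": ["provider-azure"]}}},
    "onprem": {"storage_class": "local-path", "components": {"crossplane": {"providers": []}}},
}

TENANTS = {
    "acme": {"backup": {"retention_days": 90}},   # tenant keeps backups longer than the default
}

CLUSTERS = {
    # Enables pruning for this one cluster, and also tries to switch off policies and backups.
    "c-prod-1": {
        "components": {"argocd": {"sync": {"prune": True}}, "opa": {"enforce": []}},
        "backup": {"enabled": False},
    },
}

# Cluster facts as a Lieutenant-like inventory would hold them (constructed sample).
INVENTORY = {
    "c-prod-1": {"tenant": "acme", "cloud": "aws", "distribution": "eks"},
}


def deep_merge(base: dict, override: dict) -> dict:
    """Return base with override applied: dicts merge recursively, any other value replaces."""
    result = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = deepcopy(value)
    return result


def merge_layers(layers: list) -> dict:
    config: dict = {}
    for layer in layers:
        config = deep_merge(config, layer)
    return config


def lower_layers(cluster_id: str) -> list:
    """Most general to most specific: company defaults, provider, tenant, cluster."""
    facts = INVENTORY[cluster_id]
    return [COMPANY["defaults"], PROVIDER_DEFAULTS[facts["cloud"]], TENANTS[facts["tenant"]], CLUSTERS[cluster_id]]


def compile_cluster_config(cluster_id: str) -> dict:
    """Compile the effective configuration; the enforced layer is applied last on purpose."""
    config = merge_layers(lower_layers(cluster_id) + [COMPANY["enforced"]])
    config["facts"] = dict(INVENTORY[cluster_id])
    return config


def flatten(tree: dict, prefix: str = "") -> dict:
    """Flatten nested dicts into dotted paths, e.g. {'a': {'b': 1}} -> {'a.b': 1}."""
    out = {}
    for key, value in tree.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def enforcement_overrides(cluster_id: str) -> list:
    """Dotted paths where the enforced layer differs from what the lower layers produced."""
    before = flatten(merge_layers(lower_layers(cluster_id)))
    return sorted(path for path, value in flatten(COMPANY["enforced"]).items() if before.get(path) != value)


def lookup(config: dict, path: str):
    """Dotted-path lookup, e.g. lookup(cfg, 'components.argocd.sync.prune')."""
    node = config
    for part in path.split("."):
        node = node[part]
    return node


if __name__ == "__main__":
    cfg = compile_cluster_config("c-prod-1")
    print(json.dumps(cfg, indent=2))
    print("enforced over lower layers:", enforcement_overrides("c-prod-1"))
```

Running it compiles `c-prod-1` with the AWS storage class and Crossplane provider selected from the inventory facts, the tenant's 90-day retention, the cluster's `prune: true`, and the company's policy list and `backup.enabled: true` restored over the cluster's attempt to clear them; `enforcement_overrides` lists exactly those two paths, which is the kind of difference a reviewer of the compiled-configuration repository would want to see flagged.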

  11. VSHN – The DevOps Company
    Speaker notes: One of the things we’re working on is a Components Hub, showcasing the 64+ components already available for Commodore!

  12. VSHN – The DevOps Company
    Benefits
    …for Dev
    …for Ops
    …for Sec
    ⇒ for DevSecOps
    Speaker notes: To answer this question, we are going to show advantages for each of the components of DevSecOps.

  13. VSHN – The DevOps Company
    Benefits for Developers
    Automated service deployment with Crossplane
    Backup of data with K8up, using Restic
    GitOps with Argo CD
    Secrets management with Vault
    Service monitoring, alerting, metrics, and logs with Prometheus, Alertmanager, Signalilo, Grafana, Loki
    Speaker notes: The main benefit for users of the clusters is the "batteries included" approach to being able to declaratively configure not only the application itself but also all dependencies like services, to have a single source of truth in Git: GitOps.

  14. VSHN – The DevOps Company
    Benefits for Operations
    Configuration management with Commodore, Kapitan and Jsonnet, with a hierarchical store in Git
    Central cluster registry and inventory (including GitOps Git repository management) provided by Lieutenant API, Lieutenant Operator and Steward
    Automated component maintenance with Renovate
    Policy control through Open Policy Agent
    Speaker notes: The automation of operations procedures supports visibility, reproducibility, and manageability.

  15. VSHN – The DevOps Company
    Benefits for DevSecOps
    GitOps: auditability, rollback
    Container Registry: vulnerability scanning & management
    Maintenance: immutability through hash verification
    Logging: traceability
    Policy Management: enforceability
    Speaker notes: No notes on this slide.

  16. VSHN – The DevOps Company
    Demo
    See it in live action!
    Speaker notes: No notes on this slide.

  17. VSHN – The DevOps Company
    Call to Action
    vshn.ch/syn
    syn.tools
    github.com/projectsyn
    Speaker notes: You can participate too! The development of Project Syn is 100% open source, including the design documents and decision processes.

  18. VSHN – The DevOps Company
    Thanks!
    Aarno Aukia, CTO & Adrian Kosmaczewski, Developer Relations
    VSHN AG – Neugasse 10 – CH-8005 Zürich – +41 44 545 53 00
    vshn.ch – [email protected]
    Speaker notes: No notes on this slide.