Upgrade to Pro — share decks privately, control downloads, hide ads and more …

What Does “Production Ready” Really Mean for a ...

What Does “Production Ready” Really Mean for a Kubernetes Cluster?

This talk was given at KubeCon Europe 2018 in Copenhagen

Video recording: https://youtu.be/EjSiZgGdRqk
Description: http://sched.co/Dqvh
Online slides: https://docs.google.com/presentation/d/1oaBm68OQmz3xW1t5trc0i6MNbaxVpZ_2QN58Nfgelpo/edit#slide=id.p
Location: Bella Center, Copenhagen, Denmark

Abstract: How would you describe and set up a “production ready” Kubernetes cluster? How are the buzzword terms “production ready” and “highly available” defined anyway?

Can a cluster be created so that it’s end-to-end secured, has no single points of failure, is upgradable without control plane downtime and is conformant?

If you have access to automated infrastructure, e.g. via a Cluster API controller, you should be able to do CI testing of your cluster, as well as CD of new configuration and versions. Some call this pattern “GitOps”; to write the desired cluster state declaratively and let a controller reconcile the cluster state.
By the end of this talk, you should be able to tell:
- What you may consider a “production ready” cluster to be and identify the moving parts
- How to secure cluster component traffic
- How to minimize failure points
- How to manage clusters using the Cluster API

Lucas Käldström

May 04, 2018
Tweet

More Decks by Lucas Käldström

Other Decks in Technology

Transcript

  1. What does “production ready” really mean for a Kubernetes cluster?

    Lucas Käldström 4th of May 2018 - KubeCon Copenhagen
  2. $ whoami Lucas Käldström, Upper Secondary School Student, 18 years

    old CNCF Ambassador, Certified Kubernetes Administrator and Kubernetes SIG Lead Speaker at KubeCon in Berlin & Austin in 2017 Kubernetes approver and subproject owner, active in the community for ~3 years Driving luxas labs which currently performs contracting for Weaveworks A guy that has never attended a computing class
  3. Agenda 1. Define the buzzwords! a. What does “production-ready” mean

    to you? b. What are the requirements for a highly available cluster? 2. What to think about when securing the cluster a. TLS certificates for all components b. Enable and set up RBAC (Role Based Access Control) c. Attack vectors you might not have thought about before
  4. Agenda 3. Make the cluster highly-available if needed a. Do

    you need it? b. How to set up a HA cluster with kubeadm c. “Attack vectors” you might not have thought about before 4. Use the Cluster API for controlling the cluster declaratively a. Intro to the Cluster API b. How to set up Kubernetes using the Cluster API and upgrade/rollback
  5. Which layer are you talking about? Master A Master N

    Node 1 Node N Kubernetes cluster Machines Application A Application B App C App D App E Applications Focusing on this layer
  6. “The cluster is production ready when it is in a

    good enough shape for the user to serve real-world traffic”
  7. “Your offering is production ready when it slightly exceeds your

    customer’s expectations in a way that allows for business growth” -- Carter Morgan, Google (@_askcarter)
  8. 1. The cluster is reasonably secure 2. The cluster components

    are highly available enough for the user’s needs 3. All elements in the cluster are declaratively controlled 4. Changes to the cluster state can be safely applied (upgrades/rollbacks) 5. The cluster passes as many end-to-end tests as possible Production-ready cluster?
  9. Nodes Master Kubernetes’ high-level component architecture Node 3 OS Container

    Runtime Kubelet Networking Node 2 OS Container Runtime Kubelet Networking Node 1 OS Container Runtime Kubelet Networking API Server (REST API) Controller Manager (Controller Loops) Scheduler (Bind Pod to Node) etcd (key-value DB, SSOT) User Legend: CNI CRI OCI Protobuf gRPC JSON
  10. What about “high availability”? 1. Instances (>=1) of a component

    can fail without causing the cluster to fail 2. Machines (>=1) in the cluster can fail without causing the cluster to fail More about this in section III.
  11. 1. TLS-secured communication everywhere! a. Certificates/identities should be rotatable b.

    Use a separate CA for etcd c. Use the Certificates/CSR API, with an external key signer if possible
  12. 2. API Authentication and Authorization a. Disable anonymous authentication and

    localhost:8080 b. Enforce the RBAC and Node authorizers
  13. 3. Lock down the kubelets in the cluster a. Each

    kubelet should have its unique identity b. Disable the readonly port (10255) & public (!) cAdvisor port (4194)
  14. 4. Be careful with the Dashboard and Helm a. Don’t

    give them cluster-admin power, then it’s very easy to escalate privileges b. The security of the dashboard has improved since v1.7.0 i. The dashboard now has a login screen and delegates privileges c. Specify the exact operations tiller may perform with RBAC d. Secure the Helm <-> Tiller communication with TLS certificates
  15. 5. Deny by default -- best practices security-wise a. Deny-all

    with RBAC b. Deny-all with NetworkPolicy c. Set up a restrictive PodSecurityPolicy as the default
  16. Setting up a dynamic TLS-secured cluster Nodes Master API Server

    Controller Manager Scheduler CN=system:kube-controller-manager CN=system:kube-scheduler Kubelet: node-1 HTTPS (6443) Kubelet client O=system:masters Self-signed HTTPS (10250) CN=system:node:node-1 O=system:nodes Kubelet: node-2 (to be joined) Self-signed HTTPS (10250) Bootstrap Token & trusted CA CN=system:node:node-2 O=system:nodes CSR Approver CSR Signer Legend: Logs / Exec calls Normal HTTPS POST CSR SAR Webhook PATCH CSR node-1 CSR node-2 CSR Bootstrap Token CSR=Certificate Signing Request, SAR=Subject Access Review
  17. More information about Kubernetes security 1. Try out Aqua Security’s

    kube-bench project 2. Official docs: Best Practices for Securing a Kubernetes Cluster 3. Hacking and Hardening Kubernetes Clusters by Example [I] - Brad Geesaman
  18. What is kubeadm and why should I care? = A

    tool that sets up a minimum viable, best-practice Kubernetes cluster Master A Master N Node 1 Node N kubeadm kubeadm kubeadm kubeadm Cloud Provider Load Balancers Monitoring Logging Cluster API Spec Cluster API Cluster API Implementation Addons Kubernetes API Bootstrapping Machines Infrastructure Layer 2 Layer 3 Layer 1
  19. HA etcd cluster External Load Balancer or DNS-based API server

    resolving How achieve HA with kubeadm today? Master A (kubeadm init) API Server Controller Manager Scheduler Shared certificates etcd etcd etcd Master B (kubeadm init) API Server Controller Manager Scheduler Shared certificates Master C (kubeadm init) API Server Controller Manager Scheduler Shared certificates Nodes (kubeadm join) Kubelet 1 Kubelet 2 Kubelet 3 Kubelet 4 Kubelet 5 Do-it-yourself 1. Set up HA etcd cluster 2. Copy certificates from master A to B and C 3. Set up a loadbalancer in front of the API servers
  20. Is this cluster setup highly-available? HA etcd cluster Master A

    API Server Controller Manager Scheduler Shared certificates etcd etcd etcd Master B API Server Controller Manager Scheduler Shared certificates Master C API Server Controller Manager Scheduler Shared certificates Nodes Kubelet 1 Kubelet 2 Kubelet 3 Kubelet 4 Kubelet 5 Master D Loadbalancer No Single point of failure :(
  21. Other things to keep in mind with a HA cluster

    1. Remember to keep the kube-dns replicas >= 1, and use Pod anti-affinity 2. Many certificates need to be identical across masters a. e.g. the ServiceAccount signing private key for the controller-manager b. => Needs to be rotated for all instances at the same time 3. Monitoring the cluster components becomes increasingly more important with a HA cluster that is expected to have a high SLO a. You can for example use Prometheus and kube-state-metrics as a starting point 4. Do you need a HA cluster? a. Is it worth the added cost and complexity?
  22. “Monitor it so you know when it fails before your

    customers do” -- Justin Santa Barbara, Google (@justinsb)
  23. What’s the Cluster API? • A declarative way to create,

    configure, and manage a cluster ◦ apiVersion: "cluster-api.k8s.io/v1alpha1" ◦ kind: Cluster • Controllers will reconcile desired vs. actual state ◦ These could run inside or outside the cluster • Cloud Providers will implement support for their IaaS ◦ GCE, AWS, Azure, Digital Ocean, Terraform, etc. • Port existing tools to target Cluster API ◦ Cluster upgrades, auto repair, cluster autoscaler
  24. “GitOps” for your cluster with the Cluster API 1. With

    Kubernetes we manage our applications declaratively a. Why don’t we (in some cases) do that for the clusters as well? 2. With the Cluster API, we can declaratively define what the cluster should look like a. The installer tools will then consume this “standard” API and act on it b. These API types can be stored in a CRD or on disk apiVersion: cluster.k8s.io/v1alpha1 kind: MachineSet metadata: name: my-first-machineset spec: replicas: 3 selector: matchLabels: foo: bar template: metadata: labels: foo: bar spec: providerConfig: value: apiVersion: "gceproviderconfig/v1alpha1" kind: "GCEProviderConfig" zone: "us-central1-f" machineType: "n1-standard-1" image: "ubuntu-1604-lts" versions: kubelet: 1.10.2 containerRuntime: name: docker version: 1.12.0
  25. Recap 1. Identify the needs of your business a. How

    much money and effort do you want to put into HA & security? 2. High Availability != multiple masters a. Multiple masters are a requirement for high availability 3. Pay attention to the certificate identities for your components a. And make sure you lock things down well with RBAC, disable unnecessary ports, etc. 4. Declarative control over your cluster is better than imperative a. The Cluster API (still alpha) and the GitOps models might be worth checking out
  26. Related resources (in no particular order) 1. https://5pi.de/2017/12/15/production-grade-kubernetes/ 2. https://youtu.be/PXJu8ujNEmU

    3. https://thenewstack.io/ebooks/kubernetes/state-of-kubernetes-ecosystem/ 4. https://kccncna17.sched.com/event/CU5x/101-ways-to-crash-your-cluster-i-marius-grigoriu-emmanuel-gomez-nordstrom 5. https://kccncna17.sched.com/event/CU6H/certifik8s-all-you-need-to-know-about-certificates-in-kubernetes-i-alexander-brand-apprenda 6. https://kccncna17.sched.com/event/CU86/shipping-in-pirate-infested-waters-practical-attack-and-defense-in-kubernetes-a-greg-castle-cj-cu llen-google 7. https://kccncna17.sched.com/event/CU6z/hacking-and-hardening-kubernetes-clusters-by-example-i-brad-geesaman-symantec 8. https://kccncna17.sched.com/event/CUFK/keynote-kubernetes-at-github-jesse-newland-principal-site-reliability-engineer-github 9. https://kccncna17.sched.com/event/CU8b/what-happens-when-something-goes-wrong-on-kubernetes-reliability-i-marek-grabowski-tina-zha ng-google 10. https://kccncna17.sched.com/event/CU64/automating-and-testing-production-ready-kubernetes-clusters-in-the-public-cloud-ron-lipke-gann etusa-today-network 11. https://stripe.com/blog/operating-kubernetes 12. https://blog.envoyproxy.io/introduction-to-modern-network-load-balancing-and-proxying-a57f6ff80236 13. https://jvns.ca/blog/2017/10/10/operating-a-kubernetes-network/ 14. https://acotten.com/post/kube17-security 15. https://applatix.com/making-kubernetes-production-ready/ 16. https://www.aquasec.com/wiki/display/containers/Kubernetes+in+Production 17. https://www.weave.works/blog/provisioning-lifecycle-production-ready-kubernetes-cluster/ 18. https://www.weave.works/blog/demystifying-production-ready-apps-on-kubernetes-with-carter-morgan 19. https://www.slideshare.net/gn00023040/all-the-troubles-you-get-into-when-setting-up-a-production-ready-kubernetes-cluster 20. https://www.slideshare.net/gn00023040/a-million-ways-of-deploying-a-kubernetes-cluster 21. https://blog.sophaskins.net/blog/misadventures-with-kube-dns/ 22. https://thenewstack.io/kubernetes-high-availability-no-single-point-of-failure/