
Kubernetes Needs You (To Engineer Lots of Things)!

Key Takeaways

  • Public cloud providers offer simplified Kubernetes deployment via AKS, EKS, and GKE.
  • Engineering practices for secure, repeatable, and reliable Kubernetes clusters entail significant costs.
  • These costs are often overlooked initially but can escalate if security measures are retrofitted later.
  • Appvia Wayfinder addresses this challenge by providing enterprise processes and security for EKS/AKS/GKE usage from Day 1.

Introduction

Kubernetes is now the leading technology used to help businesses deliver reliable distributed cloud scale applications. However, up until recently, the technology was only available to teams who were comfortable with working at the bleeding edge of enterprise software architectures. While extremely powerful, Kubernetes is also extremely complicated to set up, run and manage, requiring a very deep level of knowledge around infrastructure, networking, containerization, storage, CI/CD, container runtimes, container repositories and a whole load more. What’s more, keeping up with the pace of the open source Kubernetes project was an impossible task to do in enterprise environments.

The offering of public cloud Kubernetes services moved us from bleeding edge to a technology stack that is consumable by anyone. AKS/EKS/GKE services provide complete Kubernetes infrastructure and services, all managed by the public cloud provider and made available at the push of a button. This was a massive step in removing the barrier of complexity in adopting Kubernetes and containerization as a way to manage and run applications in the enterprise. Public cloud Kubernetes makes it easy to run Kubernetes, but that’s not the end of the story.

I have spent many years working with organisations who have tried to build and automate processes that help speed up the delivery of software, from the creation of platforms for project teams through to the automated deployment process of code into production. The aim of getting Kubernetes at the push of a button is awesome. But getting this into platform engineering processes needs…more.

What I want to focus on is the early part of the process: getting the Kubernetes platform into the hands of project teams, securely, repeatedly, and quickly, ready to start coding. There are many questions to ask when defining how to provide platform services:

In defining our engineering process, we need consistency in getting platforms into the hands of project teams. The questions posed above are just some of the things that we want to solve to get a rapid software development process in place.

This might sound like a trivial set of items to solve, but I have worked in teams that have spent years and a considerable sum of money in building out these processes. It’s not easy!

This is exactly why we created Appvia Wayfinder. We have worked in this space for a long time, building out these processes for other organisations. Our expertise in this area led us to create the tools that get you to delivering secure, repeatable, self-service Kubernetes environments to multiple project teams across multiple clouds.

How do we give projects access to public cloud accounts to create clusters?

This question lies at the heart of your public cloud multi-account strategy. Do you want to give each project its own account in which to build clusters, or control everything from a more central account? There are lots of good practices for account management, but how do you use them with your platform engineering process?

The Appvia Wayfinder solution

Appvia Wayfinder works with any type of cloud account and allows you to configure the account credentials to make accounts available to your users. Your users will not have direct access to the cloud account; instead, the services and clusters they create are provisioned under the covers using these credentials.

Why?

So that you are not giving access to cloud accounts to every developer, keeping better control of costs and cloud proliferation.

How do we organise our processes and scripts to work as independent projects?

We want to segregate the project teams' access to create and maintain their environments. We want a separation of concerns as to how we organise clusters, projects and the tools to manage these. We need a way of providing creation scripts to multiple projects but in a secure, repeatable way.

The Appvia Wayfinder solution

Appvia Wayfinder provides a concept called Workspaces. A Workspace is essentially a department, team or project scoped mechanism for grouping clusters, people and policy.

Why?

So that you can secure and segregate project teams and clusters to provide fine grained levels of control without having to create your own solutions.

How do we onboard individuals to get access to clusters?

You want to provide a repeatable way to assign roles and access to people who need to work on projects or clusters or create service accounts for CI/CD processes to use.

The Appvia Wayfinder solution

Appvia Wayfinder links through to a single sign-on provider (OpenID Connect compatible) to authenticate people against your corporate identity solutions. Wayfinder then assigns roles to authenticated users that give access to Wayfinder workspaces and the clusters created within those workspaces.

Why?

So that you can provide fine grained role based access to all of the components in your environments, without needing to create any additional integrations, scripts or processes.

How do we create administrators as higher level cluster admin?

Whether through scripts or through managing cloud accounts, you want to provide some level of administrative access to your environments, with ways to add users, manage access and manage environments.

The Appvia Wayfinder solution

Appvia Wayfinder manages policy based on Workspaces. A workspace has an administrator role which allows users to create team personnel, create cluster policies and control how Kubernetes clusters are created and accessed.

Why?

So that you can have separation of concerns at every level of managing your Kubernetes environments.

How do we give escalated privileges to project team members to do cluster admin needed work?

Cluster admin in Kubernetes is a very special user who has access to everything in a cluster. It’s an essential role that is needed to create project specific components or activities at a cluster wide level. We need to manage cluster admin access in a controlled auditable way.

The Appvia Wayfinder solution

Appvia Wayfinder allows the Workspace administrator to assign elevated cluster admin privileges to a user for a time-bound period.

Why?

Security is at the heart of everything we have built into Appvia Wayfinder. Providing security hooks that meet regulated environment requirements is very important to us. We have built this into everything we do, using our expertise gained in working with highly secure and regulated customers such as the Home Office and Bank of England, so that you don’t have to build separate processes and scripts.

How do we make sure that project teams only create clusters a certain way so that we have consistency?

You want to make sure that your project teams have some guard rails on the clusters they create. Maybe you want to restrict the compute node sizes, or restrict which cloud regions are available to the project teams.

The Appvia Wayfinder solution

Appvia Wayfinder implements an OPA based policy tool which allows you to define policies that can be applied to cluster creation and operation. Policies are grouped into Appvia Wayfinder Plans. On creating a cluster, a user is required to select a plan from which the cluster policies will apply.

Why?

Managing differences between projects and the project’s use of infrastructure and clusters is important. We provide a fine grained level of control over the policies that you can apply to users and clusters.

How do we provide core cluster capabilities in a consistent way?

There is a set of core Kubernetes components that are common to most clusters and that you don't want your projects to worry about, such as creating ingress controllers, assigning network ranges, configuring DNS, etc.

The Appvia Wayfinder solution

Appvia Wayfinder allows administrators to create certain components that are used in almost every Kubernetes project but not included as standard. Ingress controllers, certification manager, and DNS are just some of the features that are provided by Appvia Wayfinder.

Why?

Consistency and ease of onboarding are key to getting projects up and running. We have taken the core components and made them an automated part of the cluster creation process.

How do we provide Kubernetes for more than one public cloud?

Starting off with a single public cloud Kubernetes is great. What about when another department insists on using a different cloud provider? I lose all consistency in my management of Kubernetes platforms.

The Appvia Wayfinder solution

Appvia Wayfinder is an abstraction on top of the public cloud Kubernetes services. Once you have configured access through public cloud accounts, you can create clusters on any of the three big public cloud offerings AKS, EKS or GKE. Configuration differences are managed for you.

Why?

What seems like a complicated task of offering multi-cloud to your projects is made very simple through the abstraction that Appvia Wayfinder provides. You can offer the choice of clouds to your users.

Summary

Using Kubernetes is “easy” but building project delivery using Kubernetes isn’t. This is why we created Appvia Wayfinder: to take away the burden of creating a secure, reliable and repeatable Kubernetes infrastructure that your projects can use to get push button clusters.

If you are planning on using Kubernetes to deliver applications then you need Appvia Wayfinder. Without it, your engineering effort is being spent in the wrong place, which is expensive and time consuming. You need your engineering talent to be working on helping drive business outcomes and taking apps to market, not building commodity platforms.
