Installing Kubernetes is easy. Ensuring it complies with your organization’s enterprise governance and security requirements isn’t.
How do you use the technologies while meeting enterprise security requirements? We'll summarize common prerequisites for running Kubernetes in production, and how to leverage fine-grained controls and separation of responsibilities to meet enterprise governance and security needs.
This deck includes basic requirements for audit, security, authentication, authorization, integration with existing identity broker, logging, and monitoring. Additionally, we'll go into whether cloud-hosted Kubernetes cover these requirements, how to integrate a compliant Kubernetes installation with their existing cloud infrastructure and how to handle cross-team communication (network/compute/storage/security).
Since on-premise Kubernetes deployments have their challenges, limitations of a bare-metal installation, interactions with vSphere’s API, achieving HA, reliability and disaster recovery, as well as handling OS upgrades, security patches, and Kubernetes upgrades are also considered.
1. Kubernetes in Highly Restrictive Environments
Oleg Atamanenko | Team Lead, Architect
2. Introductions
Oleg Atamanenko
Team Lead, Architect
Working w/ Kubernetes since its release in 2015
Part of the team who built Kublr—an enterprise
ready container management platform
Twitter @real_atamanenko; @kublr
Like what you hear? Tweet at us!
6. What We’ll Discuss Today
1. Requirements
2. Managed solutions and their limitations
3. Cross-team responsibilities
4. On-premises struggles
5. What to do next?
@real_atamanenko; @kublr
9. Requirements | Security
Integration with Identity
Broker
Fine-grained role-based access
control (RBAC)
Authentication
Authorization
Storing secrets
Internal CA
@real_atamanenko; @kublr
10. Requirements | Audit
Kubernetes API server audit
Audit support for the logging and monitoring
dashboards
Audit support for the cluster provisioning tool
(cluster install, update, upgrade, delete)
@real_atamanenko; @kublr
11. Requirements | Logging
Integration with existing logging solution
RBAC for application logs across teams
• per project
• per team
• per environment
@real_atamanenko; @kublr
12. Requirements | Monitoring
Integration with existing solution
RBAC for application metrics across teams
• per project
• per team
• per environment
@real_atamanenko; @kublr
13. Requirements | Isolated Environment
Where to get the required OS packages?
How to provide the required Docker
containers?
Binary repository?
@real_atamanenko; @kublr
14. Requirements | Support Existing Tooling
Integration with existing processes and
tools for deployment, logging and
monitoring
@real_atamanenko; @kublr
15. Now that the functional
requirements are met, what’s next?
@real_atamanenko; @kublr
16. What are Your Options?
Managed Kubernetes from public cloud
providers
Home grown solution
3rd party vendor
@real_atamanenko; @kublr
17. Managed Solutions and Their Limitations
May not meet your requirements and/or regulations
No access to master nodes
No or limited capability to customize K8S configuration
No access to the logs from the master
May not support on-prem installations
@real_atamanenko; @kublr
18. Home Grown Solutions
Will cover your needs
Requires extra time and efforts that could
be spent on innovation
With 4 major releases per year, it’s REALLY
hard to keep up with upstream Kubernetes!
@real_atamanenko; @kublr
19. 3rd Party Vendor
Will cover most of your needs
Custom development still may be required
Choose wisely!
@real_atamanenko; @kublr
21. On Premises Struggles
Pure bare metal limitations
vSphere API interactions
Realizing HA for Kubernetes
Disaster recovery
OS upgrades
Security updates
Kubernetes upgrades
Air-gap/offline mode
@real_atamanenko; @kublr
22. Best Practices for Security
Utilize RBAC
SELinux/seccomp
PodSecurityPolicies
NetworkPolicy
Admission Web Hooks
@real_atamanenko; @kublr
24. Q&A
Take Kublr for a test drive!
kublr.com/deploy
Free non-production license.
@real_atamanenko; @kublr
25. Stay in touch! Signup for our
newsletter at kublr.com
Oleg Atamanenko
Team Lead, Architect
oatamanenko@kublr.com
@real_atamanenko
Kublr | kublr.com
@kublr
Hinweis der Redaktion
There are a lot of options available, some common open source tools are kops, kubeadm.
Let’s use one of those and run our production workload for it.
Probably. Some times. Maybe.