3 Kool things from Kubecon 2018 & an ongoing challenge

I am currently engaged by a large European company building a Multi-tenant, Containerized, Service Mesh on bare metal using Open Source for Mobility applications, so I thought attending KubeCon was a good idea. As others have written, it was a huge event, crowded and a bit difficult to navigate. I usually avoid the bigger keynote presentations (although the few I saw were very good) and larger rooms, seeking out the smaller and more focused technical presentations. Here are three interesting things, as with many parts of k8s these are still relatively new components.

Rook Rook is a storage orchestrator for k8s. Storage flexibility is one of the key benefits of k8s. Multiple types of storage can be directly attached to a container and there are many types of storage drivers available. Called Persistent volumes, k8s manages the allocation of these volumes but the underlying subsystems that provide the volumes are additional components managed by the operator. Rook provides an automation system for the more popular storage systems within k8s, in particular CEPH, making the implementation and management of storage in k8s much simpler.

Network Service Mesh Distinct from Application Service Mesh technology such as ISTIO, the Network Service Mesh uses k8s networking to decompose network functions facilitating the migration of network functions into micro-services. Network Function Virtualization didn’t really dramatically change the structure of networking due to the difficulty of implementing a virtualization infrastructure and networking vendors doing not much more than making VM’s with the same architectural characteristics of their hardware platforms in an effort to prolong the use of dedicated hardware. Network Service Mesh forces an architectural change of how network services are delivered and will more simply integrate network specific functions into k8s.

OPA Open Policy Agent is a general purpose policy engine that can be integrated with k8s. Access Control remains an emerging area within k8s as the Open Source version of k8s has a limited set of security functionality. OPA can be integrated with the k8s API server providing admission control. In addition to improving security through policy validation it also supports mutating policies which can help create uniformity and address configuration of k8s artifacts. Common uses include intercepting the use of external container registries with user notification. As it is a general purpose agent, it can be used by other applications and services hosted on a k8s platform. Its the most mature of the three and has broad production use and should be a component of any production k8s system.

Container Security remains a challenging problem for those building bare metal clusters using Open Source. One of the key benefits of k8s is the ability to share data between applications and users without the burden of strict isolation provided by virtualization. However building a robust security framework that meets compliance and security requirements without compromising data sharing is difficult. A specific operational area where significant operational benefit can realized is changing the mechanisms used to control lateral movement within the system. In legacy systems this functionality is provided by a combination of networking and virtualization. The legacy network function is firewall rules, any operator already knows that this is a process that needs to be addressed. k8s offers this opportunity to allow developers and policy (see above) combined with the careful use of CNI’s and service mesh technology to programmatically address firewall security. Lateral movement within systems via the Operating System is the second problem. Basic OS tools exist such as apparmor and selinux, they should be used today. The development of more robust tools is still a work in progress, gVisor is the most well known however remains immature and can have a significant impact on system performance. Achieving the balance between security and sharing will remain the unsolved compromise for many years to come. However do not ignore Container Security, any operator of a k8s system should have a robust security architecture and not count on vendors or providers for protection.