Kubernetes and industries
Kubernetes is an open source container orchestration engine for automating deployment, scaling, and management of containerized applications. The open source project is hosted by the Cloud Native Computing Foundation Kubernetes was created at Google in 2014
Kubernetes architecture
Control plane decides on which worker node run each container, checks health state of a cluster, provides an API to communicate with cluster and many more. If one of the nodes will go down and if some containers were running on that broken machine, it will take care of rerunning those applications on other nodes.
Inside control plane we can find several, smaller components:
- kube-api-server — it’s responsible for providing an API to a cluster, it provides endpoints, validates requests and delegates them to other components,
- kube-scheduler — constantly checks if there are new applications (Pods, to be specific, the smallest objects in K8s, representing applications) and assign them to nodes,
- kube-controller-manager — contains a bunch of controllers, which are watching a state of a cluster, checking if a desire state is the same as current state and if not they communicate with kube-api-server to change it; this process is called control loop and it concerns several Kubernetes objects (like nodes, Pod replicas and many more); for each K8s object there is one controller which manages its lifecycle,
- etcd — it’s a reliable key-value store database, which stores configuration data for the entire cluster,
- cloud controller manager — holds controllers that are specific for a cloud providers, it’s available only when you use at least one cloud service in a cluster.
part from the control plane each Kubernetes cluster can have one or more workorder nodes on which application are running. To integrate them with K8s each one of them has:
- kubelet — is responsible of managing Pods inside the node and communicating with control plane (both components talk with each other when a state of a cluster needs to be changed),
- kube-proxy — take care of networking inside a cluster, make specific rules etc.
Features of Kubernetes
Scalability
One of the most important features of Kuberentes, that was already partially mentioned, is that it allows to scale number of application instances based on CPU usage (horizontal autoscaling).
This is one of the cloud fundamental concept that depending on how busy an application is (how much of CPU it requires) K8s could decide to run additional instances of the same Pod to prevent low latencies or even crushes.
High Availability
When big companies are running their application they want to do that in reliable way. It means that they won’t accept a situation that even for a minute an application could be not working, because they might lose customers and therefore money.
Monitoring & Observability
As it was mentioned before Kubernetes has an ability to autoscale number of application instances based on CPU usage. It collects metrics from every application about resources usage through the Metrics API, so that it can decide when to increase/decrease number of Pods. Also it can provide current consumption information on a dashboard.
Some of its features include:
- The ability to automatically place containers according to your resource requirements, without affecting availability.
- Service discovery and load balancing: no need to use an external mechanism for service discovery as Kubernetes assigns containers their own IP addresses and a unique DNS name for a set of containers and can balance the load on them.
- Planning: it is in charge of deciding in which node each container will run according to the resources it requires and other restrictions. It mixes critical and best-effort workloads to enhance resource utilization and savings.
- Enable storage orchestration: automatically set up the storage system as a public cloud provider. Or an on-premise networked storage system such as NFS, iSCSI, Gluster, Ceph, Cinder and others.
- Batch execution: in addition to services, Kubernetes can manage batch and IC workloads, replacing failed containers.
- Configuration and secret management: sensitive information such as passwords or ssh keys are stored in Kubernetes hidden in ‘secrets’. Both the application’s configuration and secrets are deployed and updated without having to rebuild the image or expose sensitive information.
- Self-repair: restart failed containers, replace and re-program them when nodes die. Also remove unresponsive containers and do not publish them until they are ready.
- Execution of automated deployments where changes to the application or its configuration are progressively implemented, while its status is monitored. This ensures that you do not delete all your instances at once. If something goes wrong, Kubernetes will reverse the change.
Kubernetes offers these capabilities to a business:
- Multi-cloud flexibility: As more enterprises run on multi-cloud platforms, they benefit from Kubernetes, as it easily runs any application on any public cloud service or a combination of public and private clouds.
- Faster time to market: Because Kubernetes can help the development team break down into smaller units to focus on single, targeted, smaller micro-services, these smaller teams tend to be more agile.
- IT cost optimization: Kubernetes can help a company reduce infrastructure costs quite dramatically if it is operating on a large scale.
- Improved scalability and availability: Kubernetes serves as a critical management system that can scale an application and its infrastructure whenever the workload increases, and reduce it as the load decreases.
- Effective migration to the cloud: Kubernetes can handle rehosting, re-platforming and refactoring. It offers a seamless route to effectively move an application from the facility to the cloud .
IBM and Kubernetes
Challenge
IBM Cloud offers public, private, and hybrid cloud functionality across a diverse set of runtimes from its OpenWhisk-based function as a service (FaaS) offering, managed Kubernetes and containers, to Cloud Foundry platform as a service (PaaS). These runtimes are combined with the power of the company’s enterprise technologies, such as MQ and DB2, its modern artificial intelligence (AI) Watson, and data analytics services. Users of IBM Cloud can exploit capabilities from more than 170 different cloud native services in its catalog, including capabilities such as IBM’s Weather Company API and data services. In the later part of 2017, the IBM Cloud Container Registry team wanted to build out an image trust service.
Solution
The work on this new service culminated with its public availability in the IBM Cloud in February 2018. The image trust service, called Portieris, is fully based on the Cloud Native Computing Foundation (CNCF) open source project Notary, according to Michael Hough, a software developer with the IBM Cloud Container Registry team. Portieris is a Kubernetes admission controller for enforcing content trust. Users can create image security policies for each Kubernetes namespace, or at the cluster level, and enforce different levels of trust for different images. Portieris is a key part of IBM’s trust story, since it makes it possible for users to consume the company’s Notary offering from within their IKS clusters. The offering is that Notary server runs in IBM’s cloud, and then Portieris runs inside the IKS cluster. This enables users to be able to have their IKS cluster verify that the image they’re loading containers from contains exactly what they expect it to, and Portieris is what allows an IKS cluster to apply that verification.
Impact
IBM’s intention in offering a managed Kubernetes container service and image registry is to provide a fully secure end-to-end platform for its enterprise customers. “Image signing is one key part of that offering, and our container registry team saw Notary as the de facto way to implement that capability in the current Docker and container ecosystem,” Hough says. The company had not been offering image signing before, and Notary is the tool it used to implement that capability. “We had a multi-tenant Docker Registry with private image hosting,” Hough says. “The Docker Registry uses hashes to ensure that image content is correct, and data is encrypted both in flight and at rest. But it does not provide any guarantees of who pushed an image. We used Notary to enable users to sign images in their private registry namespaces if they so choose.”