Tarmak, why do we need another Kubernetes provisioner?

This is a talk given at cfgmgmtcamp 2019.

Tarmak is an open-source toolkit for Kubernetes cluster lifecycle management.
It is focused on best-practice cluster security, management and operation.
This talk will clarify the reasoning behind creating Tarmak, the architecture and technologies used.
With Tarmak we tried not to reinvent the whole wheel, which is why we chose to depend on a number of existing open-source tools (Terraform, Puppet, Vault, …).
This talk will explain how all of this is tied together.

Mattias Gees

February 05, 2019
Transcript

  1. Slide 3: What is Tarmak?
     jetstack.io @MattiasGees
     Tarmak is an open-source toolkit for Kubernetes cluster lifecycle management. It is focused on best-practice cluster security, management and operation. https://github.com/jetstack/tarmak

  2. Slide 4: Kubernetes
     (Architecture diagram) Control Plane: API server, scheduler, controller-manager, storage (etcd). Nodes: kubelet, proxy, docker. Clients: kubectl, other clients.

  3. Slide 5: History
     • 1st and 2nd generation (around k8s 1.0)
       ◦ CoreOS
       ◦ CloudFormation and Terraform
       ◦ Cloud-init Bash
       ◦ Ruby and Shell scripts

  4. Slide 6: Lessons
     • Immutable is not always needed
     • Testing / Debugging
     • Dependencies need to be versioned
     • PKI Management
     • Terraform abstraction

  5. Slide 7: Motivations
     • Shorter feedback loop
     • Reusability of code
     • Continuous roll-out of changes
     • Dry-run
     • Tried and tested tools

  6. Slide 14: Vault
     • PKI Management
     • Vault-unsealer
     • Backed by Consul
     • Short lived certificates
     • Automatic renew

  7. Slide 17: Wing
     • Wrapper
     • Installed with boot-init
     • Get Puppet manifests
     • Puppet apply
     • Report status

  8. Slide 23: Advantages
     • Security
     • Encryption
     • Close to upstream Kubernetes
     • Cluster Autoscaler
     • Logging to Elasticsearch
     • Monitoring
     • Multiple instance pools

  9. Slide 24: Downsides
     • Rolling upgrades are a pain
     • Spot instances
     • Logging outputs
     • AWS only*
     • No public images*