Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cilium on APPUiO Cloud

Cilium on APPUiO Cloud

APPUiO Cloud is VSHNs Namespace as a Service offering with Red Hat OpenShift 4. We use Cilium under the hood, these slides give a short impression of why and what we're doing with it.

The talk was given at the eBPF Summit Watch Party on September 28th in the Isovalent Office in Zurich.

Tobias Brunner

September 29, 2022
Tweet

More Decks by Tobias Brunner

Other Decks in Technology

Transcript

  1. APPUiO – Swiss Container Platform
    Tobias Brunner, CTO
    Cilium on APPUiO
    Cloud
    A Multi-Tenant OpenShift Cluster
    No notes on this slide.
    Speaker notes
    1

    View full-size slide

  2. APPUiO – Swiss Container Platform
    Pronounced ˈvɪʒn – like "vision"
    Founded 2014, ~50 VSHNeers in Zürich and Vancouver
    Running applications on OpenShift and Kubernetes
    Automate all the things! Self-service all the things!
    First Swiss Kubernetes Certified Service Provider
    Open company handbook: handbook.vshn.ch
    No notes on this slide.
    Speaker notes
    2

    View full-size slide

  3. APPUiO – Swiss Container Platform
    "Namespace as a Service"
    Multiple Zones
    Multi-Tenancy
    Only pay for what you use
    Full Self-Service
    VSHN Application Catalog
    First I’d like to introduce APPUiO Cloud to you, so that
    you know what we’re talking about.
    APPUiO Cloud is VSHN’s Namespace-as-a-Service
    offering. It is based on Red Hat OpenShift 4 and is
    available on multiple zones. A zone is an instance of an
    OpenShift 4 cluster on a cloud provider. We currently
    offer two zones, one at cloudscale.ch and one at
    Exoscale, more zones are planned.
    An APPUiO Cloud zone is fully multi-tenant capable, so
    that many customers can share a cluster while
    maintaining the boundaries between them.
    In APPUiO
    Cloud we use a concept of an organization, which
    represents a tenant which can own one or many
    Kubernetes namespaces. For RBAC reasons, an
    organization can further be structured into teams.
    You only pay for what you use. For that we have a
    metering system which measures how much memory
    and CPU is requested and used, by the minute. It
    generates invoices on that numbers.
    All features of APPUiO Cloud are available in full self-
    service and through the Kubernetes API. Even the
    APPUiO Cloud control API is just another Kubernetes API
    endpoint, the APPUiO Cloud portal web application
    directly uses this API under the hood.
    As announced earlier this month, we now have the very
    first service available in the VSHN Application Catalog -
    Object Storage. Ordering such a service is as easy as
    creating a Kubernetes object.
    Speaker notes
    3

    View full-size slide

  4. APPUiO – Swiss Container Platform
    Security
    Scalability
    Observability
    Multi-Tenancy Challenges
    As mentioned in the last slide, APPUiO Cloud consists
    of fully multi-tenant OpenShift clusters, which brings its
    own challenges.
    I want to share three examples where we face
    challenges in this setup.
    First we have to make sure that security has the
    highest priority. Although OpenShift is already hardened
    by default, it’s not enough for APPUiO Cloud.
    Another big topic is scalability of such an environment,
    where it’s usually impossible to know what the user is
    up to and how the demand changes. A lot of different
    workloads is running in APPUiO Cloud which wildly
    differs in the requirements to networking, storage and
    compute.
    Users want to be able to debug when something
    doesn’t work or is off. In a security constrained
    environment like APPUiO Cloud, we can’t allow access
    to privileged operations or even access to the
    underlying servers, which restricts what the user can do
    for debugging a lot. Usually the only thing a user can do
    is to read logs and exec into a running Pod, but that’s
    usually it.
    Speaker notes
    4

    View full-size slide

  5. APPUiO – Swiss Container Platform
    Tight access control
    Policy engine
    Network security
    Challenges Solved Pt. 1
    Some additional security measures we take in addition
    to the already available OpenShift default security
    configuration is to have more tight RBAC rules.
    We also have Kyverno as a policy engine running which
    enforces additional rules in an admission webhook.
    Kyverno also makes sure that there are additional
    network policies deployed to further restrict networking.
    Speaker notes
    5

    View full-size slide

  6. APPUiO – Swiss Container Platform
    Scalable CNI
    Advanced Network Security
    Insights via Hubble
    Runtime security enforcement
    Multi-Cluster networking
    Integration of legacy systems
    Isovalent Cilium Enterprise for Support
    We’ve chosen Cilium to be part of the solution to solve
    more challenges we have.
    We use Cilium as the CNI plugin in OpenShift which
    brings us a very scalable networking infrastructure. It
    also allows us to make use of the advanced network
    policy features of Cilium to further strengthen the
    network security.
    To give our users insights to what’s going on in terms of
    networking, we use Hubble with advanced RBAC. It’s
    currently not available yet to the end-user, but it’s
    coming soon. With Hubble a user can have deep
    observability into many details of their workload running
    on APPUiO Cloud.
    We’re also planning to make use of Cilium Tetragon to
    enforce security during runtime and with that further
    harden the platform.
    To interconnect the various APPUiO Cloud zones we
    plan to make use of the multi-cluster networking feature
    of Cilium. That allows a customer to deploy workload on
    several zones and communicate securely over the
    network between zones.
    Some customers need to integrate legacy systems,
    such as databases. For that we can make use of the
    possibility to run Cilium on classic virtual machines and
    integrate into the Cilium CNI.
    Last but not least we rely on the stability and support of
    Isovalent. All APPUiO Cloud zones are using Isovalent
    Cilium Enterprise.
    Speaker notes
    6

    View full-size slide

  7. APPUiO – Swiss Container Platform
    Installation and configuration with Commodore
    Configuration Management
    github.com/projectsyn/component-cilium
    hub.syn.tools/cilium
    syn.tools
    To install, configure and maintain Cilium and its
    components we use our Open Source configuration
    management system for Kubernetes called Project Syn.
    Specifically the tool Commodore compiles a GitOps
    catalog of manifests to apply to a Kubernetes Cluster.
    So-called Commodore Components are the puzzle
    pieces which together specify what’s installed on a
    Cluster-wide level.
    For Cilium we made a Commodore Component which is
    capable of managing Cilium Open Source and Isovalent
    Cilium Enterprise on OpenShift and Kubernetes
    clusters.
    The code for it can be found on GitHub and the
    documentation is available on the Component Hub.
    If you’d like to learn more about Project Syn, all its
    documentation is available under syn.tools, it is fully
    Open Source.
    Speaker notes
    7

    View full-size slide

  8. APPUiO – Swiss Container Platform
    Voucher Code: ebpfwatch
    Trial
    appuio.cloud/register
    If you want to give APPUiO Cloud with Isovalent Cilium
    Enterprise under the hood a try, you can register for a
    demo account using the voucher code on this slide on
    the website available at appuio.cloud/register or just
    scan the QR code.
    Speaker notes
    8

    View full-size slide

  9. APPUiO – Swiss Container Platform

    Q&A
    No notes on this slide.
    Speaker notes
    9

    View full-size slide

  10. APPUiO – Swiss Container Platform
    Tobias Brunner, CTO –
    VSHN AG – Neugasse 10 – CH-8005 Zürich – +41 44 545 53 00 – –
    Thanks!
    [email protected]
    vshn.ch [email protected]
    Many thanks for your attention!
    Speaker notes
    10

    View full-size slide

  11. APPUiO – Swiss Container Platform
    Supports OLM and Helm
    Supports OSS and Enteprise
    Properly tested for OpenShift
    Should work on other distros
    It’s YAML and Jsonnet
    Commodore Component Details
    github.com/projectsyn/component-cilium
    No notes on this slide.
    Speaker notes
    11

    View full-size slide