$30 off During Our Annual Pro Sale. View Details »

Cilium on APPUiO Cloud

Cilium on APPUiO Cloud

APPUiO Cloud is VSHNs Namespace as a Service offering with Red Hat OpenShift 4. We use Cilium under the hood, these slides give a short impression of why and what we're doing with it.

The talk was given at the eBPF Summit Watch Party on September 28th in the Isovalent Office in Zurich.

Tobias Brunner

September 29, 2022

More Decks by Tobias Brunner

Other Decks in Technology


  1. APPUiO – Swiss Container Platform Tobias Brunner, CTO Cilium on

    APPUiO Cloud A Multi-Tenant OpenShift Cluster No notes on this slide. Speaker notes 1
  2. APPUiO – Swiss Container Platform Pronounced ˈvɪʒn – like "vision"

    Founded 2014, ~50 VSHNeers in Zürich and Vancouver Running applications on OpenShift and Kubernetes Automate all the things! Self-service all the things! First Swiss Kubernetes Certified Service Provider Open company handbook: handbook.vshn.ch No notes on this slide. Speaker notes 2
  3. APPUiO – Swiss Container Platform "Namespace as a Service" Multiple

    Zones Multi-Tenancy Only pay for what you use Full Self-Service VSHN Application Catalog First I’d like to introduce APPUiO Cloud to you, so that you know what we’re talking about. APPUiO Cloud is VSHN’s Namespace-as-a-Service offering. It is based on Red Hat OpenShift 4 and is available on multiple zones. A zone is an instance of an OpenShift 4 cluster on a cloud provider. We currently offer two zones, one at cloudscale.ch and one at Exoscale, more zones are planned. An APPUiO Cloud zone is fully multi-tenant capable, so that many customers can share a cluster while maintaining the boundaries between them. In APPUiO Cloud we use a concept of an organization, which represents a tenant which can own one or many Kubernetes namespaces. For RBAC reasons, an organization can further be structured into teams. You only pay for what you use. For that we have a metering system which measures how much memory and CPU is requested and used, by the minute. It generates invoices on that numbers. All features of APPUiO Cloud are available in full self- service and through the Kubernetes API. Even the APPUiO Cloud control API is just another Kubernetes API endpoint, the APPUiO Cloud portal web application directly uses this API under the hood. As announced earlier this month, we now have the very first service available in the VSHN Application Catalog - Object Storage. Ordering such a service is as easy as creating a Kubernetes object. Speaker notes 3
  4. APPUiO – Swiss Container Platform Security Scalability Observability Multi-Tenancy Challenges

    As mentioned in the last slide, APPUiO Cloud consists of fully multi-tenant OpenShift clusters, which brings its own challenges. I want to share three examples where we face challenges in this setup. First we have to make sure that security has the highest priority. Although OpenShift is already hardened by default, it’s not enough for APPUiO Cloud. Another big topic is scalability of such an environment, where it’s usually impossible to know what the user is up to and how the demand changes. A lot of different workloads is running in APPUiO Cloud which wildly differs in the requirements to networking, storage and compute. Users want to be able to debug when something doesn’t work or is off. In a security constrained environment like APPUiO Cloud, we can’t allow access to privileged operations or even access to the underlying servers, which restricts what the user can do for debugging a lot. Usually the only thing a user can do is to read logs and exec into a running Pod, but that’s usually it. Speaker notes 4
  5. APPUiO – Swiss Container Platform Tight access control Policy engine

    Network security Challenges Solved Pt. 1 Some additional security measures we take in addition to the already available OpenShift default security configuration is to have more tight RBAC rules. We also have Kyverno as a policy engine running which enforces additional rules in an admission webhook. Kyverno also makes sure that there are additional network policies deployed to further restrict networking. Speaker notes 5
  6. APPUiO – Swiss Container Platform Scalable CNI Advanced Network Security

    Insights via Hubble Runtime security enforcement Multi-Cluster networking Integration of legacy systems Isovalent Cilium Enterprise for Support We’ve chosen Cilium to be part of the solution to solve more challenges we have. We use Cilium as the CNI plugin in OpenShift which brings us a very scalable networking infrastructure. It also allows us to make use of the advanced network policy features of Cilium to further strengthen the network security. To give our users insights to what’s going on in terms of networking, we use Hubble with advanced RBAC. It’s currently not available yet to the end-user, but it’s coming soon. With Hubble a user can have deep observability into many details of their workload running on APPUiO Cloud. We’re also planning to make use of Cilium Tetragon to enforce security during runtime and with that further harden the platform. To interconnect the various APPUiO Cloud zones we plan to make use of the multi-cluster networking feature of Cilium. That allows a customer to deploy workload on several zones and communicate securely over the network between zones. Some customers need to integrate legacy systems, such as databases. For that we can make use of the possibility to run Cilium on classic virtual machines and integrate into the Cilium CNI. Last but not least we rely on the stability and support of Isovalent. All APPUiO Cloud zones are using Isovalent Cilium Enterprise. Speaker notes 6
  7. APPUiO – Swiss Container Platform Installation and configuration with Commodore

    Configuration Management github.com/projectsyn/component-cilium hub.syn.tools/cilium syn.tools To install, configure and maintain Cilium and its components we use our Open Source configuration management system for Kubernetes called Project Syn. Specifically the tool Commodore compiles a GitOps catalog of manifests to apply to a Kubernetes Cluster. So-called Commodore Components are the puzzle pieces which together specify what’s installed on a Cluster-wide level. For Cilium we made a Commodore Component which is capable of managing Cilium Open Source and Isovalent Cilium Enterprise on OpenShift and Kubernetes clusters. The code for it can be found on GitHub and the documentation is available on the Component Hub. If you’d like to learn more about Project Syn, all its documentation is available under syn.tools, it is fully Open Source. Speaker notes 7
  8. APPUiO – Swiss Container Platform Voucher Code: ebpfwatch Trial appuio.cloud/register

    If you want to give APPUiO Cloud with Isovalent Cilium Enterprise under the hood a try, you can register for a demo account using the voucher code on this slide on the website available at appuio.cloud/register or just scan the QR code. Speaker notes 8
  9. APPUiO – Swiss Container Platform  Q&A No notes on

    this slide. Speaker notes 9
  10. APPUiO – Swiss Container Platform Tobias Brunner, CTO – VSHN

    AG – Neugasse 10 – CH-8005 Zürich – +41 44 545 53 00 – – Thanks! tobias.brunner@vshn.ch vshn.ch info@vshn.ch Many thanks for your attention! Speaker notes 10
  11. APPUiO – Swiss Container Platform Supports OLM and Helm Supports

    OSS and Enteprise Properly tested for OpenShift Should work on other distros It’s YAML and Jsonnet Commodore Component Details github.com/projectsyn/component-cilium No notes on this slide. Speaker notes 11