
Cilium on APPUiO Cloud

APPUiO Cloud is VSHN's Namespace-as-a-Service offering based on Red Hat OpenShift 4. We use Cilium under the hood; these slides give a short impression of why, and of what we're doing with it.

The talk was given at the eBPF Summit Watch Party on September 28th in the Isovalent Office in Zurich.

Tobias Brunner

September 29, 2022

Transcript

  1. APPUiO – Swiss Container Platform
    Tobias Brunner, CTO
    Cilium on APPUiO Cloud
    A Multi-Tenant OpenShift Cluster

  2. Pronounced ˈvɪʒn – like "vision"
    Founded 2014, ~50 VSHNeers in Zürich and Vancouver
    Running applications on OpenShift and Kubernetes
    Automate all the things! Self-service all the things!
    First Swiss Kubernetes Certified Service Provider
    Open company handbook: handbook.vshn.ch

  3. "Namespace as a Service"
    Multiple Zones
    Multi-Tenancy
    Only pay for what you use
    Full Self-Service
    VSHN Application Catalog

    Speaker notes:
    First I’d like to introduce APPUiO Cloud to you, so that you know what we’re talking about.

    APPUiO Cloud is VSHN’s Namespace-as-a-Service offering. It is based on Red Hat OpenShift 4 and is available in multiple zones. A zone is an instance of an OpenShift 4 cluster at a cloud provider. We currently offer two zones, one at cloudscale.ch and one at Exoscale; more zones are planned.

    An APPUiO Cloud zone is fully multi-tenant capable, so that many customers can share a cluster while the boundaries between them are maintained. In APPUiO Cloud we use the concept of an organization, which represents a tenant and can own one or many Kubernetes namespaces. For RBAC reasons, an organization can further be structured into teams.

    You only pay for what you use. For that we have a metering system which measures, by the minute, how much memory and CPU is requested and used, and generates invoices from those numbers.

    All features of APPUiO Cloud are available in full self-service and through the Kubernetes API. Even the APPUiO Cloud control API is just another Kubernetes API endpoint; the APPUiO Cloud portal web application uses this API directly under the hood.

    As announced earlier this month, the very first service is now available in the VSHN Application Catalog: Object Storage. Ordering such a service is as easy as creating a Kubernetes object.

  4. Multi-Tenancy Challenges
    Security
    Scalability
    Observability

    Speaker notes:
    As mentioned on the last slide, APPUiO Cloud consists of fully multi-tenant OpenShift clusters, which brings its own challenges. I want to share three examples where we face challenges in this setup.

    First, we have to make sure that security has the highest priority. Although OpenShift is already hardened by default, that is not enough for APPUiO Cloud.

    Another big topic is the scalability of such an environment, where it’s usually impossible to know what the user is up to and how demand changes. Many different workloads run on APPUiO Cloud, and their networking, storage and compute requirements differ wildly.

    Users want to be able to debug when something doesn’t work or is off. In a security-constrained environment like APPUiO Cloud, we can’t allow access to privileged operations, let alone access to the underlying servers, which greatly restricts what a user can do for debugging. Usually the only things a user can do are read logs and exec into a running Pod.

  5. Challenges Solved Pt. 1
    Tight access control
    Policy engine
    Network security

    Speaker notes:
    One additional security measure we take on top of the already available OpenShift default security configuration is tighter RBAC rules. We also run Kyverno as a policy engine, which enforces additional rules in an admission webhook. Kyverno also makes sure that additional network policies are deployed to further restrict networking.

  6. Scalable CNI
    Advanced Network Security
    Insights via Hubble
    Runtime security enforcement
    Multi-Cluster networking
    Integration of legacy systems
    Isovalent Cilium Enterprise for Support

    Speaker notes:
    We’ve chosen Cilium to be part of the solution for more of the challenges we have.

    We use Cilium as the CNI plugin in OpenShift, which gives us a very scalable networking infrastructure. It also allows us to make use of Cilium’s advanced network policy features to further strengthen network security.

    To give our users insight into what’s going on in terms of networking, we use Hubble with advanced RBAC. It is not yet available to end users, but it’s coming soon. With Hubble a user gets deep observability into many details of their workloads running on APPUiO Cloud.

    We’re also planning to make use of Cilium Tetragon to enforce security at runtime and with that further harden the platform.

    To interconnect the various APPUiO Cloud zones we plan to make use of Cilium’s multi-cluster networking feature. That allows a customer to deploy workloads in several zones and communicate securely over the network between zones.

    Some customers need to integrate legacy systems, such as databases. For that we can make use of the possibility to run Cilium on classic virtual machines and integrate them into the Cilium CNI.

    Last but not least, we rely on the stability and support of Isovalent. All APPUiO Cloud zones use Isovalent Cilium Enterprise.
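As an added example that is not part of the slides or of the component-cilium project, this is how the pattern from slides 5 and 6 can be expressed: a Kyverno generate rule that seeds every newly created tenant namespace with a CiliumNetworkPolicy allowing only same-namespace ingress, cluster DNS and same-namespace egress by default. The policy names, the excluded namespace patterns and the DNS pod labels are assumptions that must match the target cluster.

```yaml
# Added example (not from the slides or component-cilium). Assumed names:
# the policy names, the excluded namespace patterns and the kube-dns labels;
# adjust them to the cluster (OpenShift runs DNS in openshift-dns with
# different labels).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: tenant-default-deny
spec:
  rules:
    - name: generate-cilium-default-deny
      match:
        any:
          - resources:
              kinds: [Namespace]
      exclude:
        any:
          - resources:
              kinds: [Namespace]
              names: ["kube-*", "openshift-*", "default"]
      generate:
        apiVersion: cilium.io/v2
        kind: CiliumNetworkPolicy
        name: default-deny
        namespace: "{{request.object.metadata.name}}"
        synchronize: true   # re-create the policy if a tenant deletes or edits it
        data:
          spec:
            endpointSelector: {}   # every pod in the generated namespace
            ingress:
              - fromEndpoints:
                  - {}             # empty selector: pods of the same namespace only
            egress:
              - toEndpoints:
                  - matchLabels:
                      io.kubernetes.pod.namespace: kube-system
                      k8s-app: kube-dns
                toPorts:
                  - ports:
                      - port: "53"
                        protocol: ANY
                    rules:
                      dns:
                        - matchPattern: "*"   # allow lookups; DNS flows stay visible in Hubble
              - toEndpoints:
                  - {}             # same-namespace egress; everything else is dropped
```

Kyverno's background controller needs RBAC permissions to create cilium.io CiliumNetworkPolicy objects, otherwise the generate rule fails silently in the policy report. Because the rule only fires on Namespace creation, existing tenant namespaces need the policy applied once by hand or via a Kyverno policy with `generateExisting` enabled.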

  7. Configuration Management
    Installation and configuration with Commodore
    github.com/projectsyn/component-cilium
    hub.syn.tools/cilium
    syn.tools

    Speaker notes:
    To install, configure and maintain Cilium and its components we use our open source configuration management system for Kubernetes called Project Syn. Specifically, the tool Commodore compiles a GitOps catalog of manifests to apply to a Kubernetes cluster. So-called Commodore Components are the puzzle pieces which together specify what is installed cluster-wide.

    For Cilium we made a Commodore Component which is capable of managing Cilium Open Source and Isovalent Cilium Enterprise on OpenShift and Kubernetes clusters. The code for it can be found on GitHub and the documentation is available on the Component Hub.

    If you’d like to learn more about Project Syn, all its documentation is available at syn.tools; it is fully open source.

  8. Trial
    Voucher Code: ebpfwatch
    appuio.cloud/register

    Speaker notes:
    If you want to give APPUiO Cloud with Isovalent Cilium Enterprise under the hood a try, you can register for a demo account at appuio.cloud/register using the voucher code on this slide, or just scan the QR code.

  9. Q&A

  10. Thanks!
    Tobias Brunner, CTO
    VSHN AG – Neugasse 10 – CH-8005 Zürich – +41 44 545 53 00
    [email protected]
    vshn.ch – [email protected]
    Many thanks for your attention!

  11. Commodore Component Details
    github.com/projectsyn/component-cilium
    Supports OLM and Helm
    Supports OSS and Enterprise
    Properly tested for OpenShift
    Should work on other distros
    It’s YAML and Jsonnet