Kubernetes is well on its way to becoming the de facto automation tool for deploying, scaling and managing enterprise applications. Besides the core feature set that makes Kubernetes so attractive for the enterprise, one other reason for its widespread adoption is its extensibility. Third-party tools, whether from vendors or open source projects, can easily be integrated into existing Kubernetes environments.
This ease of extension has resulted in the emergence of an entire ecosystem of tools built specifically for Kubernetes.
This ecosystem of tools falls broadly into two categories. The first category complements Kubernetes by extending its feature set or making it easier to configure existing native Kubernetes artefacts. This category includes tools for security, networking, storage and so on.
The second category is aimed at making it easier to manage and operate Kubernetes itself. It includes tools for cluster management, observability, testing, logging and tracing.
In this blog post we will outline tools in both categories and provide quick descriptions of each.
So let's get started.
Security is of paramount importance for any enterprise environment. In cloud native Kubernetes environments it is even more so, given the additional orchestration layers that Kubernetes introduces. In addition to the existing infrastructure or cloud layer, teams also have to secure the cluster, container and application layers.
Below we provide an overview of some Kubernetes security tools from the CNCF landscape.
Alcide is a security platform tailored for cloud native Kubernetes environments. Alcide provides a suite of tools with a diverse feature set encompassing cluster vulnerability scanning, log analysis and auditing, and firewalls.
Alcide's Kadvisor makes it easier to undertake security assessments of Kubernetes environments and helps security teams identify and score security risks, misconfigurations and overall cluster health. Kaudit is another tool that helps audit and analyze Kubernetes logs and detect security policy violations. KArt, in addition to serving as a microservices firewall, allows teams to structure and enforce network policies, scan container images for vulnerabilities, and protect against security incidents.
Anchore is featured on the CNCF landscape for Kubernetes security tooling and provides a comprehensive toolset for securing software and ensuring compliance. Anchore integrates into existing CI/CD pipelines to analyze container images and perform policy checks. Anchore also helps security teams implement best practices for container image security and comply with CIS benchmarks. It integrates into container image registries as well, to ensure that container images are free from known vulnerabilities and comply with organizational security policies.
Aqua's Kubernetes security solution helps security teams automate the security and compliance of Kubernetes environments. Security teams can identify and prioritize Kubernetes security risks in real time, control workload admission, ensure containers and pods are secure and compliant, assess Kubernetes RBAC for vulnerabilities and implement CIS benchmarks. In addition to the capabilities outlined above, Aqua's Kubernetes security solution also allows teams to penetration test Kubernetes clusters, log and audit security events, and enforce container-level network rules.
Kubernetes was initially designed to handle stateless applications. With enterprise adoption however came the need to support stateful applications needing to persist data. To support these applications, Kubernetes introduced persistent volumes that allow storage to be decoupled from the pod lifecycle. CNCF outlines several cloud native storage solutions that support persistent volumes and make it easier to manage and operate scalable storage solutions for Kubernetes.
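The decoupling described above, as an added example that is not part of the original post: a PersistentVolumeClaim requests storage from a StorageClass, and a pod mounts the claim. Deleting the pod leaves the claim and its bound volume intact, so the data survives pod rescheduling. The claim name, namespace-less pod name, StorageClass name and container image are assumptions for illustration; substitute the StorageClass provided by whichever storage solution the cluster runs.

```yaml
# Added example, not from the original post. Names and image are assumed.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: orders-db-data            # assumed claim name
spec:
  accessModes:
    - ReadWriteOnce               # one node may mount the volume read-write
  storageClassName: longhorn      # assumed; use the StorageClass your provisioner registers
  resources:
    requests:
      storage: 10Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: orders-db                 # assumed pod name
spec:
  containers:
    - name: postgres
      image: postgres:15          # assumed image for illustration
      volumeMounts:
        - name: data
          mountPath: /var/lib/postgresql/data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: orders-db-data # the pod references the claim, not a specific disk
```

Apply both objects with `kubectl apply -f`, delete the pod, and `kubectl get pvc orders-db-data` still shows the claim as Bound; a replacement pod referencing the same claim picks up the existing data. Whether the underlying volume is also kept when the claim itself is deleted depends on the StorageClass's reclaim policy, which is worth checking before relying on it for recovery.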
Longhorn is an open source cloud native distributed storage solution from Rancher. Longhorn makes it easy to deploy highly available persistent block storage for Kubernetes environments. For enterprise use cases requiring high availability and disaster recovery, Longhorn supports block storage replication across nodes and data centers and the creation of cross-cluster data backups. It also allows recurring volume snapshots and backups to NFS or S3-compatible backup storage, as well as volume restores from backups.
GlusterFS is another open source cloud native storage solution featured on the CNCF cloud native landscape. GlusterFS is a scalable file storage framework that allows Kubernetes admins to deploy flexible storage volumes into Kubernetes environments. The GlusterFS volume lifecycle can be managed using Heketi, a RESTful management interface. Heketi allows multiple GlusterFS volumes to be provisioned programmatically and distributed across multiple failure domains, reducing the impact of localized outages and improving availability. In addition, GlusterFS uses consistent hashing to reduce access times and improve horizontal scalability of volumes.
Rook is an open source storage orchestrator that takes over the heavy lifting involved in managing the multiple storage backends required by enterprise cloud native applications. Kubernetes administrators can provision file, block, and object storage with multiple storage providers including Ceph, EdgeFS and Cassandra. Rook also supports several other enterprise operational requirements including volume snapshots and restore, volume cloning, health identity and quorum monitoring, OSD management and health monitoring, and disaster recovery.
OpenEBS can be installed and configured on cloud native Kubernetes environments using Helm. OpenEBS acts as an abstraction layer between Kubernetes applications and the underlying storage providers, creating a software-defined storage infrastructure. With OpenEBS, storage controllers run as Kubernetes pods, allowing them to be managed and operated with the usual Kubernetes tooling including kubectl, Helm, Prometheus, and Grafana. Since OpenEBS is a collection of storage engines, Kubernetes administrators can also pick and choose the right storage engine depending on application requirements. Beyond this, OpenEBS also supports volume replication across availability zones, volume backup and restore, and the creation of granular storage policies.
Most enterprise cloud native applications are composed of fleets of containerized microservices deployed using Kubernetes. These microservices need to communicate in complex mesh networks. Add to this the networking requirements of the underlying cloud layer and the network quickly becomes complex. The CNCF cloud native landscape outlines a number of cloud native networking tools that are recommended for managing the networking requirements of cloud native Kubernetes environments. Below we identify and describe some of these tools.
Contiv/VPP is a Kubernetes network plugin that provides network connectivity between pods in a Kubernetes cluster. Contiv/VPP is deployed as a series of pods on the master node as well as on each individual worker node. The main VPP component runs on each node in the cluster and is responsible for providing inter-cluster pod-to-pod connectivity. In addition, it also handles host-to-pod and outside-to-pod connectivity. Contiv/VPP maps Kubernetes policy and service mechanisms to the FD.io dataplane, making them network aware and allowing applications to benefit from optimal transport services. This mapping is aided by a Ligato-based VPP agent that makes the dataplane programmable. Contiv/VPP also supports IPv6 configuration, which helps avoid complexity and improves scalability and performance.
Cilium is an open source Kubernetes networking plugin with an additional observability and security feature set. The most basic deployment architecture of Cilium is a layer 3 network that spans multiple clusters and connects application containers. The network can be deployed in two multi-node configurations: overlay and native routing. It also implements traffic load balancing between containers as well as to external services. Load balancing is highly scalable because it is implemented in eBPF using efficient hash tables. Cilium's bandwidth management feature is implemented using EDT-based rate limiting with eBPF for container traffic egressing a node, which results in a significant reduction in latency. In addition, Cilium provides a monitoring and troubleshooting feature set that offers event monitoring, policy decision tracing and metrics export via Prometheus.
Flannel from CoreOS allows Kubernetes administrators to easily configure a layer 3 Kubernetes network. It works by running the flanneld agent on each host in the Kubernetes cluster, which in turn allocates a subnet lease to each host out of a preconfigured address space. Flannel uses either the Kubernetes API or etcd to store network configuration, allocated subnets and any auxiliary data. Packet forwarding can be handled by any of several mechanisms, including VXLAN. Flannel does not support the Kubernetes NetworkPolicy resource and does not control container-to-container or container-to-host traffic.
Calico is an open source networking solution for Kubernetes with built-in support for multiple data planes including eBPF, Windows HNS and the standard Linux networking data plane. Calico has built-in support for the Kubernetes NetworkPolicy resource and also provides IP address management. The network policy model is configurable, allowing Kubernetes administrators to manage traffic and enforce traffic rules at the container, host and microservices layers. Calico can avoid overlays in most situations, reducing the overhead of traffic encapsulation. Another feature is secure and seamless connectivity between Kubernetes and non-Kubernetes workloads, including public cloud, on-premises or bare metal servers.
The processes and practices involved in IT cost management have undergone radical overhauls over the last couple of decades. These changes have been driven in most part by the way enterprises procure and consume IT infrastructure. Privately hosted on premise infrastructure required a completely different set of cost management processes as compared to the cloud. Kubernetes now requires another update in how these enterprises manage and control IT infrastructure costs.
Replex is a silver member of the CNCF and is the only FinOps tool built from the ground up for cloud native Kubernetes environments. Replex comes pre-loaded with a rich feature set providing insights and control over Kubernetes costs for the entire spectrum of FinOps stakeholders, from executives and engineering to DevOps, finance and procurement. Kubernetes administrators can deploy it with a simple Helm chart install. Metrics start aggregating in minutes, delivering granular visibility and control over Kubernetes costs.
Replex aggregates billing information from cloud billing APIs and correlates it with cluster topology information and performance metrics from monitoring tools like Prometheus or Instana.
Kubernetes administrators can also add custom cost models for private cloud or on-premises infrastructure. FinOps teams can then create custom dashboards for their unique cost visibility requirements, or use one of the native screens to create and monitor budgets, generate cost alerts, aggregate and allocate costs for custom organizational groupings and identify opportunities for cost cutting.