TL Consulting Group

kubernetes cost

Application Security in Kubernetes

“Shift Left” Application Security in Kubernetes with Open Policy Agent (OPA) and Tanzu Mission Control (TMC)

To secure a Kubernetes environment, we must adopt the “shift left” security approach from the initial phases of development, rather than waiting for deployment to complete and addressing security at later stages of the build. Kubernetes security is constantly evolving, with new features to strengthen both application and cluster security. Kubernetes offers several mechanisms to administer security within the cluster, including enforcing resource limits, API security, standardising containers, and auditing. Here we will discuss one such mechanism, which helps implement shift-left security in a Kubernetes cluster.

What is OPA?

Open Policy Agent (OPA) is an open-source policy engine that lets you express policies declaratively as code. This eases some of the decision-making for Kubernetes cluster end users, such as developers and operations teams, without impacting the agility of development. OPA uses a policy language called Rego, which allows you to write policies as code for services such as Kubernetes, CI/CD, Chef, and Terraform using the same language. OPA enforces separation of concerns by decoupling decision-making from the core business logic of the applications.

OPA Workflow:

OPA provides centralised policy management and generates policy decisions by evaluating input data against policies (written in Rego) and data (in JSON) through RESTful APIs. Here are some example policies we can enforce using OPA:

Which users can access which resources?
Which subnets egress traffic is allowed to?
Include node and pod (anti-)affinity selectors on Deployments
Which clusters a workload must be deployed to?
Ensure all images come from a trusted registry
Which OS capabilities a container can execute with
Implementing Kubernetes Admission Controllers to validate API requests
Allowing or denying Terraform changes based on compliance or safety rules
Enforcing certain deployment policies (such as resource limits and metadata types of resources)

Creating Custom Policies using OPA in Tanzu Mission Control (TMC)

VMware Tanzu Mission Control is a centralised hub for simplified, multi-cloud, multi-cluster Kubernetes management. Tanzu Mission Control aims to help with the following Kubernetes operations:

Managing clusters on public cloud, private cloud and edge
Cluster lifecycle management on supported providers
Managing security across multiple clusters
Centralised policy management
Access management
Cluster conformance

VMware Tanzu Mission Control provides centralised policy management for specific policies that you can use to govern your fleet of Kubernetes clusters. The policies include access controls, image registry policies, and resource limit policies. While these cover the baseline policies, it also offers the ability to create custom policies using Open Policy Agent (OPA). Custom policies are somewhat open-ended and provide the opportunity to address aspects of cluster management that specifically suit the needs of your organisation. As described above, OPA implements specialised policies that enforce and govern your Kubernetes clusters.

Closing thoughts:

Enterprises use OPA to enforce, govern, audit, and remediate policies across all IT environments. You can use OPA to centralise the operational, security, and compliance aspects of Kubernetes in the context of cloud-native deployments, CI/CD pipelines, auditing and data protection. Thus, OPA enables DevOps teams to shift control over application authorisation further left and advance the adoption of DevSecOps best practices.
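As an added example (not code from the original post or from VMware), here is the “ensure all images come from a trusted registry” policy from the list above, written as an OPA Gatekeeper ConstraintTemplate with the Rego embedded, plus the Constraint that activates it. It assumes Gatekeeper is installed in the cluster; the registry name registry.example.com is a made-up placeholder.

```yaml
# Added example: an OPA Gatekeeper ConstraintTemplate (Rego embedded in YAML)
# that denies Pods whose containers pull images from outside an allow-list of
# registries. Assumes Gatekeeper is installed; the registry name is a placeholder.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8strustedregistry
spec:
  crd:
    spec:
      names:
        kind: K8sTrustedRegistry
      validation:
        # Schema for the parameters a Constraint may pass in.
        openAPIV3Schema:
          type: object
          properties:
            registries:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8strustedregistry

        # Gatekeeper passes the admission request as input.review; both the
        # Pod's containers and its initContainers are checked.
        violation[{"msg": msg}] {
          container := all_containers[_]
          not trusted(container.image)
          msg := sprintf("container %v uses image %v, which is not from a trusted registry",
                         [container.name, container.image])
        }

        all_containers[c] { c := input.review.object.spec.containers[_] }
        all_containers[c] { c := input.review.object.spec.initContainers[_] }

        # An image is trusted when it starts with one of the configured registry
        # prefixes. Keep the trailing slash in the prefix so that a look-alike
        # hostname such as registry.example.com.other-domain/ does not match.
        trusted(image) {
          prefix := input.parameters.registries[_]
          startswith(image, prefix)
        }
---
# The Constraint binds the template to Pods in every namespace and supplies
# the allow-list. "registry.example.com/" is a placeholder value.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sTrustedRegistry
metadata:
  name: images-from-trusted-registry
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    registries:
      - "registry.example.com/"
```

Apply both objects with kubectl apply. A Pod referencing nginx:latest (implicitly Docker Hub) is rejected at admission with the violation message, while registry.example.com/nginx:1.25 is admitted. Setting enforcementAction to dryrun while tuning the allow-list records violations in the Constraint's audit status without blocking deployments, which is the shift-left step most teams take before switching to deny.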
TL Consulting brings its consulting and engineering personnel to application modernisation adoption and implementation by providing a range of services. If you need assistance with your Containers/Kubernetes adoption, please contact us at our kubernetes consulting services page.


How to Optimise Kubernetes Costs?

The increasing popularity of cloud-native applications has brought technologies like microservices and containers to the frontline. Kubernetes is the container orchestration platform preferred by most enterprises for automating the deployment, scaling, and management of containers. Most Kubernetes implementations strive to focus on technical aspects and are least bothered by the costs that accompany their benefits. In a recent survey from the Cloud Native Computing Foundation (CNCF), 68% of participants reported that their Kubernetes costs increased in the past year, with bills surging more than 20% year-on-year for most organisations. So, how do we optimise Kubernetes costs?

[Chart: How much has your Kubernetes-related spend grown in the last 12 months? Source: FinOps Foundation survey]

When optimising infrastructure costs, enterprises consider various cost-management best practices, but Kubernetes requires a specialised approach. Here we will discuss some of the key aspects of reducing overall Kubernetes costs.

Size the infrastructure as per the need:

First and foremost, reducing consumption costs means having the correct infrastructure size in terms of pods and nodes. While it is always advisable to overprovision to cater for unusual spikes, leaving applications free to use unlimited resources can lead to unexpected repercussions. For instance, a stateful database container consumes all the available memory in the node due to an application fault, which leaves the other pods waiting indefinitely for resources. This can be prevented by setting up quotas at the pod and namespace levels. Additionally, it is good practice to enforce resource requests and limits at the container level. Another enforcement is to limit the number of pods running on a node, as running too many pods leads to inefficient resource utilisation. Because of this issue, most cloud providers have set hard limits on their managed instances of Kubernetes.
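To make the sizing controls above concrete, here is an added example (not from the original post) of a namespace-level ResourceQuota paired with a LimitRange that supplies default container requests and limits and a per-container ceiling, so that a single faulty container such as the database in the scenario above cannot consume a whole node. The namespace name team-a and every number are placeholders to adjust to your own capacity planning.

```yaml
# Added example (not from the original post): namespace-level ResourceQuota plus a
# LimitRange with per-container defaults and a ceiling, so that one runaway
# container cannot starve the rest of the node. Namespace name and numbers are
# placeholder values.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    pods: "20"                 # cap on the number of Pods in the namespace
    requests.cpu: "4"          # sum of all container CPU requests
    requests.memory: 8Gi       # sum of all container memory requests
    limits.cpu: "8"            # sum of all container CPU limits
    limits.memory: 16Gi        # sum of all container memory limits
---
apiVersion: v1
kind: LimitRange
metadata:
  name: team-a-container-limits
  namespace: team-a
spec:
  limits:
    - type: Container
      defaultRequest:          # applied when a container sets no request
        cpu: 100m
        memory: 128Mi
      default:                 # applied when a container sets no limit
        cpu: 500m
        memory: 512Mi
      max:                     # hard ceiling for any single container
        cpu: "2"
        memory: 2Gi
```

The two objects belong together: once a ResourceQuota constrains requests.* or limits.*, the API server rejects any Pod in that namespace whose containers do not declare those values, and the LimitRange defaults fill them in so existing manifests keep deploying. The memory limit is what makes the runaway-database case fail safe: the kernel OOM-kills that container when it exceeds 2Gi instead of letting it drain the node. The per-node pod cap the post mentions is a kubelet setting (maxPods in the KubeletConfiguration), which managed providers generally fix for you.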
Choosing the right tools:

A fundamental way of managing any cloud or infrastructure cost is to monitor utilisation and the costs involved for resources over a period of time. It allows users to get better insights into storage, memory, compute and network traffic utilisation, and how the associated costs are distributed between them. Whether on managed instances or bare-metal clusters, almost all clusters today support one tool or another for monitoring to get the basic information. For an enterprise with many clusters, it is always advisable to have proprietary APM tooling such as Dynatrace, New Relic, AppDynamics, Splunk, or Prometheus, so as to have a proper drill-down of resources and utilisation. It enables SREs and Kubernetes admins to gain a more comprehensive view of the environment and optimise costs. Use the monitoring insights to analyse and create actions, then start implementing more concrete actions for better utilisation and cost optimisation.

Adopting the Best Practices Across the Delivery Pipeline:

DevOps is a proven practice which helps reduce the barriers between development teams and operations. It allows users to create robust and flexible deployments through pipelines. One way to reduce the time and effort of deploying containers to the Kubernetes cluster is to automate the build and deployment pipelines using CI/CD tooling. Practices like GitOps are tailor-made to facilitate continuous delivery when manifests are version-controlled in a source code repository, greatly reducing the deployment workload of the team. An initial investment will be needed to set up continuous integration to build, test, and publish containers, and continuous delivery to deploy these containers on the cluster. Tools like Harness and Argo CD significantly reduce the manual errors that cause disruptions in the application, leading to less troubleshooting.
This reduced workload allows teams to focus on more valuable tasks such as functionality development, bug fixes, and improving the security posture of the environment.

Conclusion:

Kubernetes deployments and operations can be very costly if implemented and managed inefficiently. Most enterprises incorporate Kubernetes without proper practices, tooling, or experienced personnel in the organisation. Without proper guidance, it often becomes unoptimised; businesses don’t think about expenses up front, and it becomes a heavy operational burden in the long run. Following the practices mentioned above could save a lot of unnecessary Kubernetes cost and encourage the implementation of best practices from the beginning.


How do Kubernetes and Containers Help Your Enterprise?

In today’s world, the success of any organisation depends heavily on its ability to drive innovation and deliver it at speed. With IT being the enabler of this rapid delivery model, businesses are looking at Kubernetes and container adoption as an essential piece of technology for building, deploying, and managing their modern applications at scale. Containers provide an abstraction over the underlying applications and drive portability, making it possible to run anywhere, across multiple clouds and on-premises data centres. Furthermore, by providing uniform deployment, management, scaling, and availability services for all applications, irrespective of their technology, Kubernetes offers significant advantages for your IT and development efforts. Kubernetes offers a range of benefits to executives and developers at various levels; here we will discuss some of the key advantages.

Ultimate Need for Containers and Kubernetes:

Keeping up with the latest technology trends and organisational goals towards digitalisation has been very tough for IT teams over the last few years. Conventional software models and traditional VM-based IT infrastructure will not be able to deliver these modern applications at scale. To deliver these new-age applications, one should adopt new software practices such as agile and DevOps, along with cloud-native architecture. Containers and Kubernetes are the two key building blocks of cloud-native architecture, which organisations widely use to deliver faster, more reliable, and more efficient software with a significant cost reduction across the application life cycle.

Key Advantages:

Light Weight: Containers are very lightweight compared with traditional virtual machines. A container includes everything it needs to run, including its operating system, dependencies, libraries, and code.
Multiple containers can run inside a single node of a cluster; the VM hosts the OS and container runtime, and the team can still take advantage of all the capabilities of traditional infrastructure virtualisation.

Speed: Due to its lightweight nature, we can create a container image and deploy a container in a matter of seconds. Once the image is ready, it can be replicated into containers and deployed quickly and easily as needed. Destroying a container is also a matter of seconds. This also helps with quicker development cycles and operational tasks.

Portability: Containers can run anywhere the container engine supports the underlying operating system; it is possible to run containers on Linux, Windows, macOS, and many other operating systems. Containers can run in virtual machines, on bare-metal servers, locally on a developer’s laptop, and on all major public clouds. They can easily be moved between on-premises machines and the public cloud and continue to work consistently across all these environments. As per RedHat’s market dynamics report, please see how organisations benefit from container and Kubernetes adoption.

Kubernetes for ‘everyone’

Kubernetes is well known for automating the configuration, deployment, and scaling of microservice-based applications implemented using containers. Microservices-based applications orchestrated by Kubernetes are highly automated in their deployment, management, and maintenance, so it is possible to create applications that are highly responsive and adaptive to spikes in network traffic and demand for other resources. It offers significant advantages to all IT executives and developers, as below.

Biggest Barriers to Kubernetes Adoption:

Cost of Adoption: One of the biggest obstacles to wider Kubernetes (K8s) adoption is determining the cost of adoption and of running the workloads in Kubernetes clusters.
Cost is the key factor for executives when deciding whether to leverage Kubernetes in their enterprise. A recent FinOps Foundation survey, 75% of whose respondents reported having Kubernetes in production, highlights Kubernetes cost management difficulties. It revealed that spending on Kubernetes is spiking beyond what deployments should likely require. The survey’s subtitle isn’t exactly subtle: “Insufficient — or non-existent — Kubernetes cost monitoring is causing overspend.”

Lack of Skills and Training: Another barrier to adoption is the lack of personnel skilled and experienced in containerisation and orchestration. As a result, although Kubernetes and container adoption is growing rapidly, many organisations still face a steep learning curve to effectively build, deploy, and manage Kubernetes. This is due to both the technology’s immaturity and a lack of operational excellence with it. Organisations are trying various approaches such as pair programming, partners, education, and training to overcome this barrier.

Visibility and monitoring: Enterprises deploying Kubernetes clusters across multiple public clouds and/or in their traditional virtualised data centres or managed services face an increasing amount of complexity. To realise the greatest benefits, organisations need to be able to visualise their entire Kubernetes footprint, including all its workloads (applications, containers, pods, nodes, namespaces, etc.), their dependencies, and how they interact with each other in terms of network bandwidth, response times, and memory utilisation, for cluster management and optimisation.

Security and Compliance: While enterprises give priority to speed in software delivery, security and compliance are sometimes just an afterthought. Security is a major challenge in the container world, just as it is almost everywhere else in IT. Despite many changes and innovations so far, security is still not on par with traditional models.
Due to the unique nature of Kubernetes and containerised environments, one misconfiguration can easily be multiplied across many containers. A security breach of a container is almost identical to an operating-system-level breach of a virtual machine in terms of potential application and system vulnerability.

How to overcome these challenges:

Many organisations want to adopt and leverage the benefits of containers but struggle to justify the total time, resources, and cost needed to develop and manage them internally. One approach is to use VMware Tanzu to organise their Kubernetes clusters across all their environments, set policies governing access and usage permissions, and enable their teams to deploy Kubernetes clusters in a self-service manner. This enables infrastructure and operations teams to gain visibility and command of their Kubernetes footprint while still empowering developers to use those resources with a focus on delivering solutions rather than worrying about infrastructure.

Bottom Line: Evidently, Kubernetes adoption helps drive innovation and rapid software development with reliability
