HOW KUBERNETES IS USED IN INDUSTRIES AND WHAT USE CASES ARE SOLVED BY KUBERNETES?
Since 2014, Kubernetes has grown immensely in popularity. The adoption of this container deployment tool is still growing among IT professionals, partly because it is highly secure and easy to learn.
✨What is Kubernetes?🤔
Kubernetes (also known as k8s or “Kube”) is an open-source container orchestration platform that automates many of the manual processes involved in deploying, managing, and scaling containerized applications.
Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available.
The name Kubernetes originates from Greek, meaning helmsman or pilot. Google open-sourced the Kubernetes project in 2014. Kubernetes combines over 15 years of Google’s experience running production workloads at scale with best-of-breed ideas and practices from the community.
✨ What can you do with Kubernetes?
The primary advantage of using Kubernetes in your environment, especially if you are optimizing app dev for the cloud, is that it gives you the platform to schedule and run containers on clusters of physical or virtual machines (VMs).
More broadly, it helps you fully implement and rely on a container-based infrastructure in production environments. And because Kubernetes is all about automation of operational tasks, you can do many of the same things other application platforms or management systems let you do — but for your containers.
With Kubernetes you can:
- Orchestrate containers across multiple hosts.
- Make better use of hardware to maximize the resources needed to run your enterprise apps.
- Control and automate application deployments and updates.
- Mount and add storage to run stateful apps.
- Scale containerized applications and their resources on the fly.
- Declaratively manage services, which guarantees the deployed applications are always running the way you intended them to run.
- Health-check and self-heal your apps with auto-placement, auto-restart, auto replication, and autoscaling.
✨ HOW KUBERNETES IS USED IN INDUSTRIES
Let’s understand how IBM solved challenges using Kubernetes services
CASE STUDY: IBM
Building an Image Trust Service on Kubernetes with Notary and TUF
✔ Challenges Faced:
IBM Cloud offers public, private, and hybrid cloud functionality across a diverse set of runtimes, from its OpenWhisk-based function as a service (FaaS) offering and managed Kubernetes and containers to Cloud Foundry platform as a service (PaaS). These runtimes are combined with the power of the company’s enterprise technologies, such as MQ and DB2, its modern artificial intelligence (AI) Watson, and data analytics services. Users of IBM Cloud can exploit capabilities from more than 170 different cloud-native services in its catalog, including capabilities such as IBM’s Weather Company API and data services.
In the later part of 2017, the IBM Cloud Container Registry team wanted to build out an image trust service.
✔ The solution they came up with:
The work on this new service culminated with its public availability in the IBM Cloud in February 2018. The image trust service, called Portieris, is fully based on the Cloud Native Computing Foundation (CNCF) open source project Notary, according to Michael Hough, a software developer with the IBM Cloud Container Registry team.
“Portieris is a Kubernetes admission controller for enforcing content trust. Users can create image security policies for each Kubernetes namespace, or at the cluster level, and enforce different levels of trust for different images. Portieris is a key part of IBM’s trust story, since it makes it possible for users to consume the company’s Notary offering from within their IKS clusters.”
In this offering, the Notary server runs in IBM’s cloud and Portieris runs inside the IKS cluster. This lets an IKS cluster verify that the image it is loading containers from contains exactly what the user expects it to, and Portieris is the component that applies that verification.
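To make the admission-controller flow described above concrete, here is an added, simplified model of what a Portieris-style controller decides for one pod (example code written for this page, not Portieris or IBM code): the namespace policy overrides the cluster policy, every image must come from an allowed repository, and under a trust-enabled policy a tag must resolve to a signed digest, which then replaces the tag so the node pulls exactly the verified content. The repository names, digest and trust data are constructed stand-ins for what a Notary server would return.

```python
"""Simplified model of a content-trust admission controller (Portieris-like)."""

# Constructed stand-in for Notary trust data: per repository, the signed tags and
# the digest each signature covers. Real Portieris fetches this from the Notary
# server; here it is embedded so the example runs offline.
DEMO_DIGEST = "sha256:" + "0123456789abcdef" * 4
SIGNED_DIGESTS = {"icr.io/demo/api": {"v1.2.0": DEMO_DIGEST}}

# A policy is an allowlist of repository prefixes ("*" for any) plus a trust flag.
# Cluster-level default with per-namespace overrides, as the page describes.
CLUSTER_POLICY = {"repos": ["*"], "trust": False}
NAMESPACE_POLICIES = {"prod": {"repos": ["icr.io/"], "trust": True}}


def split_ref(image: str) -> tuple[str, str]:
    """Split 'repo:tag' or 'repo@digest'; a bare repo means tag 'latest'."""
    if "@" in image:
        return tuple(image.split("@", 1))
    repo, sep, tag = image.rpartition(":")
    if sep and "/" not in tag:          # ':' belonged to a tag, not a registry port
        return repo, tag
    return image, "latest"


def admit(namespace: str, images: list[str]) -> tuple[bool, str, list[str]]:
    """Admission decision for one pod: (allowed, reason, images to run).

    Every image must come from an allowed repository. Under a trust-enabled
    policy it must also resolve to a signed digest, and that digest replaces
    the tag so the node pulls exactly the content that was verified.
    """
    policy = NAMESPACE_POLICIES.get(namespace, CLUSTER_POLICY)
    pinned = []
    for image in images:
        repo, ref = split_ref(image)
        if not any(r == "*" or repo.startswith(r) for r in policy["repos"]):
            return False, f"{image}: repository not permitted in {namespace}", []
        if not policy["trust"]:
            pinned.append(image)
            continue
        trusted = SIGNED_DIGESTS.get(repo, {})
        # A tag resolves to its signed digest; an explicit digest passes only if
        # some signature covers it (a tag can be repointed, a digest cannot).
        digest = trusted.get(ref) or (ref if ref in trusted.values() else None)
        if digest is None:
            return False, f"{image}: no signed trust data in {namespace}", []
        pinned.append(f"{repo}@{digest}")
    return True, "all images verified", pinned


if __name__ == "__main__":
    print(admit("prod", ["icr.io/demo/api:v1.2.0"]))
    print(admit("prod", ["icr.io/demo/api:v9.9.9"]))
```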
✔ Impact on the industry:
IBM’s intention in offering a managed Kubernetes container service and image registry is to provide a fully secure end-to-end platform for its enterprise customers.
“Image signing is one key part of that offering, and our container registry team saw Notary as the de facto way to implement that capability in the current Docker and container ecosystem,” Hough says.
The company had not been offering image signing before, and Notary is the tool it used to implement that capability.
“We had a multi-tenant Docker Registry with private image hosting,” Hough says.
“The Docker Registry uses hashes to ensure that image content is correct, and data is encrypted both in-flight and at rest. But it does not provide any guarantees of who pushed an image. We used Notary to enable users to sign images in their private registry namespaces if they so choose.”
✔ The key reason for selecting Notary
The key reason for selecting Notary was that it was already compatible with the existing authentication stack IBM’s container registry was using. The same was true of the design of TUF, which does not require the registry team to enter the business of key management. Both of these were “attractive design decisions that confirmed our choice of Notary,” Michael Hough says.
“Image signing is one key part of our Kubernetes container service offering, and our container registry team saw Notary as the de facto way to implement that capability in the current Docker and container ecosystem” — MICHAEL HOUGH, A SOFTWARE DEVELOPER WITH THE IBM CLOUD CONTAINER REGISTRY TEAM
Now that the Notary-implemented service is generally available in IBM’s public cloud as a component of its existing IBM Cloud Container Registry, it is deployed as a highly available service across five IBM Cloud regions. This high-availability deployment has three instances across two zones in each of the five regions, load balanced with failover support. “We have also deployed it with end-to-end TLS support through to our back-end IBM Cloudant persistence storage service,” Hough says.
✔ Growth of IBM due to Kubernetes
“After contribution to CNCF of both TUF and Notary, we perceived that it was becoming the de facto standard for image signing in the container ecosystem”, says Michael Hough, a software developer with the IBM Cloud Container Registry team.
The IBM team has created and open-sourced a Kubernetes admission controller called Portieris, which uses Notary signing information combined with customer-defined security policies to control image deployment into their cluster. “We are hoping to drive adoption of Portieris through its use of our Notary offering,” Hough says.
IBM has been a key player in the creation and support of open source foundations, including CNCF. Todd Moore, IBM’s vice president of Open Technology, is the current CNCF governing board chair and a number of IBMers are active across many of the CNCF member projects.
“With our IBM Cloud Kubernetes as-a-service offering and the admission controller we have made available, it allows both IBM services as well as customers of the IBM public cloud to use security policies to control service deployment.” — MICHAEL HOUGH, A SOFTWARE DEVELOPER WITH THE IBM CLOUD CONTAINER REGISTRY TEAM
“Given that, we see CNCF as a safe haven for cloud-native open-source, providing stability, longevity, and expected maintenance for member projects — no matter the originating vendor or project,” Hough says. Because the entire cloud-native world is a fast-moving area with many competing vendors and solutions, “we see the CNCF model as an arbiter of openness and fair play across the ecosystem,” he says.
With both TUF and Notary as part of CNCF, IBM expects there to be standardization around these capabilities beyond just de facto standards for signing and provenance. IBM has decided not simply to consume Notary, but also to contribute to the open-source project where applicable. “IBMers have contributed a CouchDB backend to support our use of IBM Cloudant as the persistent store; and are working on the generalization of the pkcs11 provider, allowing support of other security hardware devices beyond Yubikey,” Hough says.
“There are new projects addressing these challenges, including within CNCF. We will definitely be following these advancements with interest. We found the Notary community to be an active and friendly community open to changes, such as our addition of a CouchDB backend for persistent storage.” — MICHAEL HOUGH, A SOFTWARE DEVELOPER WITH THE IBM CLOUD CONTAINER REGISTRY TEAM