What does “production ready” really mean for a Kubernetes cluster?

Lucas Käldström - CNCF Ambassador

7th of May, 2019 - Umeå

Image credit: @ashleymcnamara

1

$ whoami

Lucas Käldström, High School Student, 19 years old�

CNCF Ambassador, Certified Kubernetes Administrator and Kubernetes SIG Lead�

KubeCon Speaker in Berlin, Austin,

Copenhagen, Shanghai & Seattle�

Kubernetes Approver and Subproject Owner, active in the community for ~3 years. Got kubeadm to GA.�

Driving luxas labs which currently performs contracting for Weaveworks�

A guy that has never attended a computing class

​

2

Agenda

1. Define the buzzwords!
1. What does “production-ready” mean to you?
2. What are the requirements for a highly available cluster?
2. What to think about when securing the cluster
• TLS certificates for all components
• Enable and set up RBAC (Role Based Access Control)
• Attack vectors you might not have thought about before

​

3

Agenda

3. Make the cluster highly-available if needed
1. Do you need it?
2. How to set up a HA cluster with kubeadm
3. “Attack vectors” you might not have thought about before
4. Use the Cluster API for controlling the cluster declaratively
• Intro to the Cluster API
• How to set up Kubernetes using the Cluster API and upgrade/rollback

4

Agenda

• Essential Kubernetes Addons
• Container Runtime & Registry
• Monitoring the cluster
• Centralized Logging & Audit Logging
• Out-of-tree Cloud Providers
• Ingress Controllers
• Persistent Storage with CSI

5

Which layer are you talking about?

Focusing on�this layer

6

1. Define what “production-ready” �means to you

Buzzwords all around...

7

“The cluster is production ready�when it is in a good enough shape �for the user to serve real-world traffic”

8

“Your offering is production ready when it�slightly exceeds your customer’s expectations�in a way that allows for business growth”

-- Carter Morgan, Google (@_askcarter)

9

It’s all about tradeoffs (!!)

10

Okay, so what does this mean�in terms of technical work items?

11

Production-ready cluster?

• The cluster is reasonably secure�
• The cluster components are highly available enough for the user’s needs�
• All elements in the cluster are declaratively controlled�
• Changes to the cluster state can be safely applied (upgrades/rollbacks)�
• The cluster passes as many end-to-end tests as possible

12

Kubernetes’ high-level component architecture

Nodes

Master

Node 3

OS

Container

Runtime

Kubelet

Networking

Node 2

OS

Container

Runtime

Kubelet

Networking

Node 1

OS

Container

Runtime

Kubelet

Networking

API Server (REST API)

Controller Manager

(Controller Loops)

Scheduler

(Bind Pod to Node)

etcd (key-value DB, SSOT)

User

Legend:

CNI

CRI

OCI

Protobuf

gRPC

JSON

​

13

What about “high availability”?

• Instances (>=1) of a component can fail without causing the cluster to fail
• Machines (>=1) in the cluster can fail without causing the cluster to fail

​

More about this in section III.

14

2. Securing Kubernetes

Things to keep in mind

15

1. TLS-secured communication everywhere!

• Use mutual TLS for all communication
• Certificates/identities should be rotatable
• Use a separate CA for etcd
• Use the Certificates/CSR API, with an external key signer if possible
• Encrypt Secrets stored in etcd

16

• API Authentication and Authorization

• Disable ABAC, Anonymous Authentication and Insecure HTTP access
• Enforce the RBAC and Node Authorizers
• It’s recommended to delegate user authentication to a 3rd-party service
• Enable Advanced Audit Logging

17

• Lock down the kubelets in the cluster

• Each kubelet should have:
1. unique client credentials
2. a serving cert signed by the cluster CA
• Disable the readonly port (10255) & public (!) cAdvisor port (4194)
• Enforce authn & authz for the main kubelet port (10250)
• Enable automatic certificate rotation for the kubelets

18

• Be careful with the Dashboard and Helm 2

• Don’t give them (or any app!) cluster-admin power; very easy to escalate privileges
• The security of the dashboard has improved since v1.7.0
• The dashboard now has a login screen and delegates privileges
• Specify the exact operations tiller may perform with RBAC
• Secure the Helm <-> Tiller communication with TLS certificates

19

• Deny by default -- best security practices

• Deny-all with RBAC
• Deny-all with NetworkPolicy
• Set up a restrictive PodSecurityPolicy as the default

20

Setting up a dynamic TLS-secured cluster

Nodes

Control Plane

API Server

Controller Manager

Scheduler

CN=system:kube-controller-manager

CN=system:kube-scheduler

Kubelet: node-1

HTTPS (6443)

Kubelet client

O=system:masters

Self-signed HTTPS (10250)

CN=system:node:node-1

O=system:nodes

Kubelet: node-2 (to be joined)

Self-signed HTTPS (10250)

Bootstrap Token & trusted CA

CN=system:node:node-2

O=system:nodes

CSR Approver

CSR Signer

node-1 CSR

node-2 CSR

Bootstrap Token

CSR=Certificate Signing Request, SAR=Subject Access Review

21

More information about Kubernetes security

1. Try out Aqua Security’s kube-bench project
2. Official docs: Best Practices for Securing a Kubernetes Cluster
3. Hacking and Hardening Kubernetes Clusters by Example [I] - Brad Geesaman
4. 11 Ways (Not) to Get Hacked on the Kubernetes blog

22

​

• Minimize the points of failure �in the cluster

Proactively avoid disasters

23

kubeadm

Master 1

Master N

Node 1

Node N

kubeadm

kubeadm

kubeadm

kubeadm

Cloud Provider

Load Balancers

Monitoring

Logging

Cluster API Spec

Cluster API

Cluster API Implementation

Addons

Kubernetes API

Bootstrapping

Machines

Infrastructure

= The official tool to bootstrap a minimum viable, best-practice Kubernetes cluster

Layer 2

kubeadm

Layer 3

Addon Operators

Layer 1

Cluster API

24

How achieve HA with kubeadm?

HA etcd cluster

External Load Balancer or DNS-based API server resolving

etcd

etcd

etcd

25

Is this cluster setup highly-available?

No

HA etcd cluster

etcd

etcd

etcd

Nodes

Kubelet 1

Kubelet 2

Kubelet 3

Kubelet 4

Kubelet 5

Single point of failure :(

26

Other things to keep in mind with a HA cluster

1. Remember to keep the CoreDNS replicas >= 1, and use Pod anti-affinity�
2. Some certificates need to be identical across control plane nodes
1. e.g. the ServiceAccount signing private key for the controller-manager
2. => Needs to be rotated for all instances at the same time�
3. Monitoring the cluster components becomes increasingly more important with a HA cluster that is expected to have a high SLO
• You can for example use Prometheus and kube-state-metrics as a starting point�
4. Do you need a HA cluster?
• Is it worth the added cost and complexity?

27

“Monitor it so you know when it fails�before your customers do”

-- Justin Santa Barbara, Google (@justinsb)

28

• Declarative cluster control �with the Cluster API

Manage clusters like applications

29

Cluster API

• The What and the Why of Cluster API
• “To make the management of (X) clusters across (Y) providers simple, secure, and configurable.”�
• “How can I manage any number of clusters in a similar fashion to how I manage deployments in Kubernetes?”
• “How do I manage other lifecycle events across that infrastructure (upgrades, deletions, etc.)?”
• “How can we control all of this via a consistent API across providers?”

30

“GitOps” for your cluster(s)

• With Kubernetes we manage our applications declaratively
1. Why not for the cluster itself?
• With the Cluster API, we can declaratively define the desired cluster state
• Operator implementations reconcile the state
• Use Spec & Status like the rest of k8s
• Common management solutions for e.g. upgrades, autoscaling and repair
• Allows for “GitOps” workflows

​

31

• Essential Kubernetes Addons

For enhanced insight and functionality

32

Cloud Native Trail Map

Trail Map: l.cncf.io

33

Choose your runtime & registry

Docker is the most common runtime, but you could consider using containerd (Graduated) or cri-o (Incubating) instead for less footprint and attack area.

​

Also, an internal container image registry might be needed. Harbor can set up a scalable registry for you on Kubernetes.

34

Monitoring the cluster

Now that the cluster is up and running, let’s start monitoring it. As a good starting point, you can use the prometheus-operator Helm Chart.

​

That gives you a Prometheus instance running in Kubernetes, good preset rules for monitoring (kube-state-metrics), and Grafana dashboards for visualization.

35

Enable Fluent Bit for logging

In order to store container logs for a long period of time, you need to enable a log forwarder from the container runtime to some kind of logging aggregation service like ElasticSearch.

​

You can use the fluent-bit-kubernetes-logging project as a good starting point for this task. Bonus points for also aggregating the Audit Logs

36

Enable cloud/environment extensions

What’s traditionally called Cloud Providers for Kubernetes; handles Node creation/deletion with the environment, and Type=LoadBalancer Services, and optional other features.

​

Anyone can create a so-called Cloud Provider integration for their environment. Example to the right.

37

Set up an Ingress controller

In order to expose your Services to the outer world, you need some kind of 3rd-party Ingress Controller.

​

Ingress Controllers makes your Ingress objects in Kubernetes work. You might want the controller itself to be a Type=LoadBalancer Service.

​

The ones you could look out for are Traefik, Nginx Ingress, and Contour.

38

Persistent Storage is key

Lastly, you most likely need Persistent Storage for many of your applications. Kubernetes supports the Container Storage Interface (CSI) for providers to implement.

​

Rook implements various types of clustered storage in a Kubernetes-native way. Alternatively, you can use your cloud provider’s solution.

39

Recap

1. Identify the needs of your business
1. How much money and effort do you want to put into HA & security?
2. High Availability != multiple masters
• Multiple masters are a requirement for high availability
3. Pay attention to the certificate identities for your components
• And make sure you lock things down well with RBAC, disable unnecessary ports, etc.
4. Declarative control over your cluster is better than imperative
• The Cluster API and the GitOps models are worth checking out

40

Thank you!

@luxas on Github

@luxas on Kubernetes’ Slack

@kubernetesonarm on Twitter

lucas@luxaslabs.com

41

Related resources (in no particular order)

1. https://5pi.de/2017/12/15/production-grade-kubernetes/
2. https://youtu.be/PXJu8ujNEmU
3. https://thenewstack.io/ebooks/kubernetes/state-of-kubernetes-ecosystem/
4. https://kccncna17.sched.com/event/CU5x/101-ways-to-crash-your-cluster-i-marius-grigoriu-emmanuel-gomez-nordstrom
5. https://kccncna17.sched.com/event/CU6H/certifik8s-all-you-need-to-know-about-certificates-in-kubernetes-i-alexander-brand-apprenda
6. https://kccncna17.sched.com/event/CU86/shipping-in-pirate-infested-waters-practical-attack-and-defense-in-kubernetes-a-greg-castle-cj-cullen-google
7. https://kccncna17.sched.com/event/CU6z/hacking-and-hardening-kubernetes-clusters-by-example-i-brad-geesaman-symantec
8. https://kccncna17.sched.com/event/CUFK/keynote-kubernetes-at-github-jesse-newland-principal-site-reliability-engineer-github
9. https://kccncna17.sched.com/event/CU8b/what-happens-when-something-goes-wrong-on-kubernetes-reliability-i-marek-grabowski-tina-zhang-google
10. https://kccncna17.sched.com/event/CU64/automating-and-testing-production-ready-kubernetes-clusters-in-the-public-cloud-ron-lipke-gannetusa-today-network
11. https://stripe.com/blog/operating-kubernetes
12. https://blog.envoyproxy.io/introduction-to-modern-network-load-balancing-and-proxying-a57f6ff80236
13. https://jvns.ca/blog/2017/10/10/operating-a-kubernetes-network/
14. https://acotten.com/post/kube17-security
15. https://applatix.com/making-kubernetes-production-ready/
16. https://www.aquasec.com/wiki/display/containers/Kubernetes+in+Production
17. https://www.weave.works/blog/provisioning-lifecycle-production-ready-kubernetes-cluster/
18. https://www.weave.works/blog/demystifying-production-ready-apps-on-kubernetes-with-carter-morgan
19. https://www.slideshare.net/gn00023040/all-the-troubles-you-get-into-when-setting-up-a-production-ready-kubernetes-cluster
20. https://www.slideshare.net/gn00023040/a-million-ways-of-deploying-a-kubernetes-cluster
21. https://blog.sophaskins.net/blog/misadventures-with-kube-dns/
22. https://thenewstack.io/kubernetes-high-availability-no-single-point-of-failure/

42