What really is an Enterprise Grade Kubernetes Platform?

I have spent 2020 working with many enterprise clients, and every one is trying to figure out how best they can leverage microservices and containers to accelerate the pace of their business value. 

It is clear that speed to market and creating business value for their clients are top priorities. It is also clear that switching from monolithic applications with new releases every 3–6 months to microservices-based applications with daily to weekly releases is becoming table stakes.

2020 has been a year like no other, and starting around March the way consumers interacted with businesses began to shift dramatically. More digital transformation was needed, and more rapidly, across many industries.

Retailers, Medical, Prescription Drugs, Groceries, Restaurants, Workout facilities, and others, including how I engaged with my clients, shifted from a physical interaction to a digital interaction, and frankly many businesses were not prepared to make this transition in a few short weeks.

This increase in digital transformation is reflected in the fall 2020 edition of StackRox's “State of Container and Kubernetes Security” report. StackRox found that 91% of those surveyed are using Kubernetes, and 75% of those surveyed are using it in production.

There is no question that Kubernetes-based orchestration of containers enabled developers to pivot quickly with the needs of the business and roll out new digital experiences across all sorts of industries in 2020.

With a microservices based approach, developers can test out new features and functions to a subset of their customers to see what really resonates with them and determine what will give their business an edge over their competitors.

Still, I see too many businesses devoting some of their best developers to building and maintaining their own Kubernetes based platform. While Kubernetes is a keystone to a platform for container based orchestration, Kubernetes is not an enterprise platform which developers can just consume alone for microservices based development. 

The Enterprise Kubernetes based platform needs many surrounding components to allow easy consumption to enable business acceleration. The winners in this digital transformation race understand the key outcomes are: agility and speed to market, innovation, and enterprise productivity.

Do you really want to devote DevSecOps squads to building and maintaining the physical infrastructure, the platform, the tools, and the integration and lifecycle maintenance of that entire stack? I see clients realizing the answer to this question is no, and many clients want to shift from DIY Kubernetes to a container platform product.

One alternative to DIY Kubernetes is to consume Red Hat OpenShift Container Platform as either a product or a managed service from Red Hat/IBM.

Red Hat OpenShift provides a consistent DevSecOps experience across Public and Private Cloud, and across Enterprise platforms (x86, Power, IBM Z).

Red Hat OpenShift enables Developers to focus on the applications and their entire lifecycle management by providing a robust platform and tools to enable that business acceleration and digital transformation.

Key components which come with the OpenShift subscription include:

  • CI/CD Automation and Pipelines — OpenShift Pipelines (Tekton) or Integrated Jenkins
  • Network functionality — DNS, Load balancing, Ingress Routing, SDN, Service Mesh (via Operators, OpenShift Route, and Istio/OSSM)
  • Container Engine — CRI-O
  • Image Registry (Quay), Image Scanning (Clair)
  • Operating System — Red Hat Enterprise Linux, Red Hat CoreOS
  • Automation — Certified Operators via OperatorHub.io
  • Monitoring, Logging — EFK
  • Serverless — Knative
  • CodeReady Workspaces
  • OpenShift Virtualization — Run VMs in OpenShift
  • Metering — Metering Operator
  • Webconsole and extended CLI — OpenShift Web Console / OCP CLI

Red Hat OpenShift does the certification of the hardware, the software, and the Public Cloud providers, ensuring you will be able to consume an enterprise ready, production grade, Kubernetes certified platform.

One key aspect of an Enterprise grade Kubernetes platform is making it easy for developers to bake security into the newly developed microservices-based applications at every step of the application lifecycle. Default Kubernetes allows too many security gaps to be inadvertently created if the developers are not extremely skilled and if additional tools are not added to base Kubernetes.

In the fall 2020 edition of its “State of Container and Kubernetes Security” report, StackRox found that security and compliance challenges remain a top concern in container strategies and that 90% of respondents experienced a security incident in their container and Kubernetes environments over the last 12 months. Consequently, 44% of respondents have delayed moving an application into production because of security concerns. These findings come from StackRox’s survey of more than 400 IT and security professionals.

Let’s look at the Red Hat OpenShift approach to enterprise security for microservices-based applications.

Linux Host Security is achieved via: Red Hat CoreOS Immutable user space, SELinux+, LUKS volume encryption / FIPS mode, and Non-root containers

Configuration & Lifecycle Management is achieved via: OpenShift operators manage drift, OLM manages operator privileges & dependencies, RH supply chain (backport fixes), One maintenance window for the full stack, Upgrades with zero application downtime, and ArgoCD integration

Authentication & Authorization is achieved via: Built-in token based authentication, Support for 9 Identity Providers including AD/LDAP, Pre-configured RBAC with Multi-Level Access Control, and Secrets and certificate management

Networking Isolation is achieved via: Ingress / Egress control, Multus CNI plugin, Network microsegmentation

Integrated Audit, Logging, Monitoring is achieved via: Host and Kubernetes event audit on by default, Monitoring on by default, Applications can use cluster monitoring

Developer Tools: IDE plugins for dependency analysis, CodeReady Workspaces, Jenkins / Tekton Pipelines

Image Security is achieved via: Red Hat Trusted Content with Health Index, ImageStreams track changes to external images, Image Scanning (Quay with Clair), and Deployment policies (admission controllers)

Runtime protection is achieved via: SCC (Security Context Constraints), No privileged containers by default, Projects with SELinux annotations control Access to Resources, and Automated Compliance Audit and Remediation

Data Protection is achieved via: Encrypt secrets at rest (etcd datastore), All traffic to master nodes is encrypted by default, Configure cipher suites, and Encrypt east / west traffic (Service Mesh)

One of the key benefits of OpenShift is Automated management of the entire infrastructure. The greater the automation, the more consistent the outcome.

Much of this automation is via certified Red Hat OpenShift operators. Below is a list of some key operators around security.

[Image: list of key security-related OpenShift operators]

As I stated before, the real objectives in making this digital transformation successful are: Agility and speed to market, innovation, and enterprise productivity. It is not about siphoning off some of your key skills and resources to build, maintain, and manage the lifecycle of the Kubernetes-based platform that enables the digital transformation.

Red Hat OpenShift allows you to build, deploy and manage applications at scale on containers, which in turn allows your people to concentrate on business innovation and business results. Red Hat OpenShift provides a certified Kubernetes-based application platform with a trusted software supply chain, and it serves to simplify the DevSecOps experience across Public Clouds, Private Clouds, and various enterprise hardware platforms (x86, Power, IBM Z).

Digital transformation has occurred at an accelerated pace in 2020 and there are no signs of it slowing down in 2021. Arm your business with Red Hat OpenShift as your Enterprise Grade Kubernetes Platform and you will be enabling your business to succeed.

Let me know what you think.
