How Can Enterprises Govern Surging Kubernetes Use?

Kubernetes has emerged as a de facto container orchestrator. A full 88% of companies surveyed by Red Hat now use Kubernetes for container orchestration. However, not all Kubernetes initiatives are successful. D2IQ found that only 42% of applications running on Kubernetes have been successfully deployed.

Kicking off a Kubernetes initiative might take longer than you think. Though operating a single cluster might produce gains early on, organizations quickly begin to adopt multiple clusters. And without introducing some level of governance, a large organization could end up managing many inconsistent Kubernetes deployments.

I recently met with Haseeb Budhani, co-founder and CEO of Rafay Systems, to explore common challenges enterprises run into as they expand their reliance on Kubernetes. According to Budhani, increased governance and sharing of standard cluster configurations will enable large enterprises to leverage Kubernetes with greater control and agility.

Rapid Embrace of Containers and K8s

Kubernetes adoption continues to surge, with many new cloud-native offerings designed to be K8s-native. So, why have we seen such astronomical growth of containers and support for Kubernetes?

According to Budhani, the movement toward containers addresses the need to deliver new capabilities and advance overall digitalization. It also goes hand-in-hand with microservices architecture, enabling companies to iteratively improve individual software components instead of releasing large monolithic chunks on long timescales.

Although there have been alternative container schedulers on the market, Kubernetes has shown the most promise. According to Budhani, this is due to K8s being such an open system—it provides engineers a DIY ability to insert components according to their business needs. This flexible and open system is a “good recipe for success,” he says.

What’s surprising is the sheer rapid movement we’ve witnessed, says Budhani. What was once pure talk of container experimentation within enterprises only a few short years ago has turned into a standard modernization practice. “It’s shocking, actually, how fast this motion is playing out,” he adds.

A Common Journey

The problem is this rapid adoption could have negative consequences. In the rush to Kubernetes, Budhani notices that companies tend to follow a similar trajectory. First, they naively assume that since they’re going fully cloud-managed using EKS on AWS, they have all the tools they need. “If you’re not sure you need anything else, you’re early on,” says Budhani.

Managing the life cycle of a single cluster can be a burden, involving many layers, Budhani explains. There’s upgrading, distribution, and managing the networking layer. And then, when you reach multiple clusters, policy management becomes more of a concern to avoid inconsistent access between clusters. Finally, you must deploy the application with a CI/CD engine. “How many tools did you just invest in?”

There’s plenty of tooling now in the market to avoid building from scratch, but still, the exact implementation is quite variable. “There’s no manual for this yet—each of these enterprises is learning by doing,” says Budhani. “This journey happens again and again in the industry.”

Tips To Govern Kubernetes at Scale

Centralization. One possibility is to use a central platform for Kubernetes, which Budhani calls a shared services platform (SSP). A platform engineering or DevOps team would use this to set standard company-wide usage patterns. Another approach to any new digital transformation initiative is to create a Cloud Center of Excellence (CCoE).

Blueprints. Use templates to create and share standard configurations across clusters. This could help quickly populate clusters with the relevant operational tools, including auditing, observability, RBAC, policies, logging and other components. “Developers shouldn’t have to worry about this, and they don’t necessarily have to understand the template itself,” says Budhani.

Role-based access control. To secure Kubernetes usage across multiple clouds, you might need a common layer for RBAC. Budhani describes this as having a central way to manage identity and access management (IAM) across clouds.

Policy system. Enforce policies as standard configurations that promote safe practices. For example, a policy could be to only pull container images from approved registries. Open Policy Agent (OPA) is one flexible and robust toolset to construct and enforce such cloud-native policies.
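To make the "approved registries" policy concrete, here is an added example (not Rafay Systems or OPA code) of the check an admission controller performs on a Pod manifest. In a real cluster the same rule would be written in Rego and enforced by OPA or Gatekeeper from a validating admission webhook; the registry allowlist and the two Pod manifests below are constructed for illustration. The example also shows the edge case that trips up naive rules: an image with no host part, such as `busybox:1.36`, implicitly comes from docker.io and must still be caught.

```python
"""Admission-style image registry check.

Added example for the 'approved registries' policy described in the article;
it is not Rafay Systems or OPA code. In a real cluster this logic would be
written in Rego and enforced by OPA (or Gatekeeper) from a validating
admission webhook; the allowlist and Pod manifests below are constructed.
"""

# Assumed allowlist of registry hosts (hypothetical values).
APPROVED_REGISTRIES = {"registry.example.internal", "quay.io"}


def image_registry(image: str) -> str:
    """Return the registry host of an image reference.

    Applies the same defaulting rule as container runtimes: the first path
    component is a registry only if it looks like a host (contains '.' or ':'
    or is 'localhost'); otherwise the image comes from docker.io. A bare
    'nginx:1.25' therefore resolves to docker.io, so a policy cannot simply
    test for the presence of a '/' in the name.
    """
    name = image.split("@", 1)[0]          # drop any @sha256:... digest
    first, slash, _ = name.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def violations(pod: dict) -> list:
    """Return one message per container image not from an approved registry.

    Init containers are inspected as well as regular containers, so that the
    rule covers every image the Pod will pull.
    """
    spec = pod.get("spec", {})
    msgs = []
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            registry = image_registry(c["image"])
            if registry not in APPROVED_REGISTRIES:
                msgs.append(
                    f"{field}/{c['name']}: image {c['image']!r} is from "
                    f"{registry}, which is not an approved registry"
                )
    return msgs


def admission_response(pod: dict) -> dict:
    """Shape the verdict like the 'response' part of an AdmissionReview."""
    msgs = violations(pod)
    response = {"allowed": not msgs}
    if msgs:
        response["status"] = {"message": "; ".join(msgs)}
    return response


# Constructed sample manifests (not taken from any real cluster).
COMPLIANT_POD = {
    "kind": "Pod",
    "metadata": {"name": "api"},
    "spec": {"containers": [
        {"name": "api", "image": "registry.example.internal/team/api:1.4.2"},
    ]},
}

NONCOMPLIANT_POD = {
    "kind": "Pod",
    "metadata": {"name": "debug"},
    "spec": {
        # No host part: this image implicitly comes from docker.io.
        "initContainers": [{"name": "setup", "image": "busybox:1.36"}],
        "containers": [
            {"name": "app", "image": "quay.io/team/app@sha256:" + "0" * 64},
        ],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD):
        print(pod["metadata"]["name"], admission_response(pod))
```

Running the block prints an allowed verdict for the first Pod and a denial for the second, whose init container pulls from Docker Hub. When the rule is ported to Rego, the same two points carry over: resolve the implicit docker.io registry, and iterate both `initContainers` and `containers` in the admitted object.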

Drift detection. Once policies are in place, you need to ensure they can’t be altered. For example, if a developer with complete administrative access removes a security module, you need to know of the change as it could negatively affect other systems. To ensure your cluster is not drifting or changing configurations, Budhani recommends using drift detection to analyze clusters.
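The following added example (not Rafay Systems code) shows the core of a drift check: a blueprint lists the operational components every cluster must run, pinned to an expected image, and the detector classifies how an observed cluster differs from it. The `OBSERVED` snapshot stands in for what a controller would read from the Kubernetes API (for example the Deployments in each namespace) and, together with the blueprint, is constructed data; it models exactly the scenario above, an administrator removing the policy controller by hand.

```python
"""Blueprint drift detection.

Added example for the drift-detection practice described in the article; it
is not Rafay Systems code. BLUEPRINT lists the components every cluster must
run, pinned to an image; OBSERVED stands in for a snapshot read from the
Kubernetes API. Both data sets are constructed for illustration.
"""

# Key: (namespace, deployment name). Value: the image the blueprint pins.
BLUEPRINT = {
    ("monitoring", "prometheus"): "quay.io/prometheus/prometheus:v2.45.0",
    ("logging", "fluentd"): "quay.io/fluentd/fluentd:v1.16",
    ("gatekeeper-system", "gatekeeper-controller"):
        "openpolicyagent/gatekeeper:v3.13.0",
}

# Snapshot of a cluster where an admin removed the policy controller, bumped
# Prometheus by hand and added an exporter outside the blueprint (constructed).
OBSERVED = {
    ("monitoring", "prometheus"): "quay.io/prometheus/prometheus:v2.47.0",
    ("logging", "fluentd"): "quay.io/fluentd/fluentd:v1.16",
    ("monitoring", "node-exporter"): "quay.io/prometheus/node-exporter:v1.6.0",
    ("payments", "checkout"): "registry.example.internal/payments/checkout:3.1",
}


def detect_drift(blueprint: dict, observed: dict) -> dict:
    """Classify differences between the blueprint and the observed cluster.

    missing: a required component is gone (the removed security module case)
    changed: the component exists but runs a different image or version
    extra:   something not in the blueprint appeared in a namespace the
             blueprint owns; application namespaces are ignored so ordinary
             workloads are not reported as drift
    """
    managed_namespaces = {ns for ns, _ in blueprint}
    missing = sorted(k for k in blueprint if k not in observed)
    changed = sorted(k for k in blueprint
                     if k in observed and observed[k] != blueprint[k])
    extra = sorted(k for k in observed
                   if k not in blueprint and k[0] in managed_namespaces)
    return {"missing": missing, "changed": changed, "extra": extra}


def is_drifted(report: dict) -> bool:
    """True when any drift category is non-empty."""
    return any(report.values())


def format_report(report: dict, blueprint: dict, observed: dict) -> str:
    """Render the drift report one finding per line, or 'no drift'."""
    lines = []
    for ns, name in report["missing"]:
        lines.append(f"MISSING  {ns}/{name} (expected {blueprint[(ns, name)]})")
    for ns, name in report["changed"]:
        lines.append(f"CHANGED  {ns}/{name}: "
                     f"{blueprint[(ns, name)]} -> {observed[(ns, name)]}")
    for ns, name in report["extra"]:
        lines.append(f"EXTRA    {ns}/{name} ({observed[(ns, name)]})")
    return "\n".join(lines) if lines else "no drift"


if __name__ == "__main__":
    report = detect_drift(BLUEPRINT, OBSERVED)
    print(format_report(report, BLUEPRINT, OBSERVED))
```

Run against the constructed snapshot, the report flags the missing Gatekeeper controller, the changed Prometheus image and the unexpected exporter, while the `payments/checkout` workload is ignored. In practice the check runs on a schedule or as a controller, and the blueprint is the same source of truth (typically in Git) that provisioned the cluster, so a drift finding is a signal either to reconcile the cluster or to update the blueprint deliberately.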

Life cycle management. A Kubernetes distribution must be upgraded from time to time. But it’s not just K8s itself—all open source tools are constantly changing. From Prometheus and Fluentd to Velero, you may be using 20 to 30 components in a cluster before the application shows up, says Budhani. And each of these components has its own life cycle. Therefore, staying on top of patches is important to protect the software supply chain.

Thinking Governance First

With the proper governance and blueprints in place, organizations could quickly generate clusters with the necessary boilerplate components. This would, in turn, alleviate some pressure on developers and accelerate the application development process. Setting guardrails is also critical in large ecosystems to avoid things like misconfigurations or compliance issues.

Kubernetes is becoming critical infrastructure. But this field is still new, and governance is just one of many emerging K8s best practices out there. Budhani encourages enterprises to think about standardization and governance first before undertaking a hasty Kubernetes transition in which you “learn by failing.”

Bill Doerrfeld

Bill Doerrfeld is a tech journalist and analyst. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high-impact blog on API strategy for providers. He loves discovering new trends, interviewing key contributors, and researching new technology. He also gets out into the world to speak occasionally.
