Kubernetes TLS tweaks whet user appetite for easier management
Posted by Thang Le Toan on 05 October 2018 06:46 AM
Kubernetes TLS bootstrap improvements in version 1.12 tackle container management complexity, and users hope there's more where that came from.
IT pros have said Kubernetes TLS bootstrap is a step in the right direction, and they have professed hope that it's the first of many more to come.
Automated Transport Layer Security (TLS) bootstrap is now a stable, production-ready feature as of last week's release of Kubernetes 1.12 to the open source community. Previously, IT pros set up secure communication for each new node as it was added to a Kubernetes cluster, separately and often manually. The Kubernetes TLS bootstrap feature automates how a new node's kubelet obtains its own TLS client credentials at startup, so it can join a TLS-secured cluster without an administrator hand-provisioning a certificate for it.
"The previous process was more complicated and error-prone. [TLS bootstrap] enables simpler pairing similar to Bluetooth or Wi-Fi push-button pairing," said Tim Pepper, a senior staff engineer at VMware and release lead for Kubernetes 1.12 at the Cloud Native Computing Foundation.
Kubernetes maintainers predict this automation will discourage the workarounds sys admins previously used to ease management, such as sharing a single TLS credential across an entire cluster. That workaround prevented the use of Kubernetes security measures that require each node to present its own identity, such as the Node authorizer and the NodeRestriction admission plugin, which limit a kubelet to the pods and secrets of the node it is actually running on.
Kubernetes 1.12 pushed to beta a similarly automated process for TLS certificate requests and rotation once clusters are set up. Stable support for such long-term manageability tops Kubernetes users' wish list.
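To make the bootstrap flow concrete, here is an added example (not code from the article, the Kubernetes project, or any of the people quoted) that builds the two pieces an administrator has to supply for a node to pair itself: a bootstrap token Secret in the documented `bootstrap.kubernetes.io/token` format, and the three ClusterRoleBindings that let the bootstrapper group create certificate signing requests and have them auto-approved. The token format, Secret field names, group-name constraints and built-in ClusterRole names follow the Kubernetes documentation; the function names, the `ttl_hours` parameter and the sample token values are this example's own assumptions. Output is JSON, which `kubectl apply -f` accepts just like YAML.

```python
"""Generate the bootstrap token Secret and auto-approval RBAC for kubelet TLS bootstrap.

Added example; function names and the sample values are assumptions, not Kubernetes API.
"""
import json
import re
import secrets
from datetime import datetime, timedelta, timezone

# Documented token shape: <6 lowercase alnum>.<16 lowercase alnum>
TOKEN_RE = re.compile(r"^([a-z0-9]{6})\.([a-z0-9]{16})$")
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def validate_bootstrap_token(token: str) -> bool:
    """True only if the token matches the format the bootstrap authenticator accepts."""
    return TOKEN_RE.match(token) is not None


def generate_bootstrap_token() -> str:
    """Random token from a CSPRNG; the id is public, the secret half is not."""
    token_id = "".join(secrets.choice(ALPHABET) for _ in range(6))
    token_secret = "".join(secrets.choice(ALPHABET) for _ in range(16))
    return f"{token_id}.{token_secret}"


def bootstrap_secret(token: str, extra_groups: list, ttl_hours: int = 24) -> dict:
    """Secret manifest that the API server's bootstrap token authenticator reads.

    Every extra group must be under system:bootstrappers:, otherwise the
    authenticator rejects the token; we fail early instead of shipping a dud.
    """
    match = TOKEN_RE.match(token)
    if not match:
        raise ValueError("bootstrap token must look like abcdef.0123456789abcdef")
    token_id, token_secret = match.groups()
    for group in extra_groups:
        if not group.startswith("system:bootstrappers:"):
            raise ValueError(f"auth-extra-groups entry {group!r} must start with system:bootstrappers:")
    expiry = datetime.now(timezone.utc) + timedelta(hours=ttl_hours)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": f"bootstrap-token-{token_id}", "namespace": "kube-system"},
        "type": "bootstrap.kubernetes.io/token",
        "stringData": {
            "description": "Node bootstrap token (added example)",
            "token-id": token_id,
            "token-secret": token_secret,
            "expiration": expiry.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "usage-bootstrap-authentication": "true",
            "usage-bootstrap-signing": "true",
            "auth-extra-groups": ",".join(extra_groups),
        },
    }


def _binding(name: str, group: str, role: str) -> dict:
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "subjects": [{"kind": "Group", "name": group, "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "ClusterRole", "name": role, "apiGroup": "rbac.authorization.k8s.io"},
    }


def auto_approval_bindings() -> list:
    """The three bindings behind hands-off bootstrap, using built-in ClusterRoles.

    1. bootstrappers may create CSRs;
    2. their initial client-cert CSRs are auto-approved;
    3. nodes may later renew their own client certs (rotation).
    """
    return [
        _binding("create-csrs-for-bootstrapping", "system:bootstrappers",
                 "system:node-bootstrapper"),
        _binding("auto-approve-csrs-for-group", "system:bootstrappers",
                 "system:certificates.k8s.io:certificatesigningrequests:nodeclient"),
        _binding("auto-approve-renewals-for-nodes", "system:nodes",
                 "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient"),
    ]


def render_manifests(token: str, extra_groups: list) -> str:
    """kubectl-ready JSON List containing the Secret and the RBAC bindings."""
    items = [bootstrap_secret(token, extra_groups)] + auto_approval_bindings()
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": items}, indent=2)


if __name__ == "__main__":
    tok = generate_bootstrap_token()
    print(render_manifests(tok, ["system:bootstrappers:worker"]))
```

Pipe the output into `kubectl apply -f -` on the control plane, then point each new kubelet at a bootstrap kubeconfig whose user credential is that token. The resulting node certificate carries CN `system:node:<name>` and O `system:nodes`, which is exactly the per-node identity the Node authorizer and NodeRestriction need; keep the TTL short, since the token is only required until the node holds its own certificate.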
"TLS bootstrap helps, but doesn't completely automate the process of TLS handshakes between nodes and the Kubernetes master," said Arun Velagapalli, principal security engineer at Kabbage Inc., a fintech startup in Atlanta. "It's still a lot of manual work within the [command-line interface] right now."
Kubernetes TLS bootstrap automates the TLS credentials nodes use to talk to the control plane, but defense in depth also requires Kubernetes TLS management between pods and even individual containers. This has prompted Kabbage engineers to explore the Istio service mesh and HashiCorp Vault for automated container security management.
Kubernetes management challenges linger
Industry analysts overwhelmingly agreed that Kubernetes is the industry standard for container orchestration. A 451 Research survey of 200 enterprise decision-makers and developers in North America conducted in March 2018 found 84% of respondents plan to adopt Kubernetes, rather than use multiple container orchestration tools.
"It will take one to three years for most enterprises to standardize on Kubernetes, and we still see some use of Mesos, which has staying power for data-rich applications," said Jay Lyman, analyst at 451 Research. "But Kubernetes is well-timed as a strong distributed application framework for use in hybrid clouds."
Still, while many enterprises plan to deploy Kubernetes, IT experts questioned the extent of its widespread production use.
"A lot of people say they're using Kubernetes, but they're just playing around with it," said Jeremy Pullen, CEO and principal consultant at Polodis Inc., a DevSecOps and Lean management advisory firm in Tucker, Ga., which works with large enterprise clients. "The jury's still out on how many companies have actually adopted it, as far as I'm concerned."
The Kubernetes community still must make the container orchestration technology accessible to enterprise customers. Vendors such as Red Hat, Rancher and Google Cloud Platform offer Kubernetes distributions that automate cluster setup, but IT pros would like to see such features enter the standard Kubernetes upstream distribution, particularly for on-premises use.
"Manually creating on-premises Kubernetes is not a simple proposition, and the automation features for load balancers, storage, etc., are really public-cloud-centric," said Chris Riley, director of solutions architecture at cPrime Inc., an Agile software development consulting firm in Foster City, Calif. "If that same ease of use [came to] the default distro, I think that would help clients who are still sensitive about public cloud consider Kubernetes."
Kubernetes community leaders don't rule out this possibility as they consider the future of the project. Features in the works include the Kubernetes Cluster API and a standardized container storage interface slated for stable release by the end of 2018. Standardized and accessible cluster management is the top priority for the Kubernetes architecture special interest group.
"The question is, how many and which variations on [Kubernetes cluster management automation] does the community test there, and how do we curate the list we focus on?" Pepper said. "It becomes complicated to balance that. So, for now, we rely on service providers to do opinionated infrastructure integrations."