Welcome readers to the first Leaseweb Labs blog in our series on the topic of container solutions. This post is written by Santhosh Chami, a veteran Engineer with vast experience building IaaS/Cloud platforms from the ground up.
What are Containers as a Service (CaaS)?
Containers as a Service (CaaS) is a hosted container infrastructure that offers an easy way to deploy containers on elastic infrastructure. CaaS is suitable in contexts where developers want more control over container orchestration. With CaaS, developers can deploy complex applications on containers without worrying about the limitations of certain platforms.
As a Senior Infrastructure Engineer at Leaseweb, my primary focus is on exceptional operational delivery. Container-based infrastructure and technology is an integral part of operations for myself and my team. We can deliver the power of Kubernetes to our applications quickly, securely, and efficiently using CaaS.
This blog portrays a high-level CaaS solution on bare metal servers with rich elastic features. It may be useful for those who want to deploy on-premise, enterprise-level Kubernetes clusters for production workloads.
Things to consider in a CaaS Solution
CaaS platforms are built on top of open hyper-converged infrastructure (HCI), which combines compute, storage, and network fabric into one platform on low-cost commodity x86 hardware. Software-defined systems add further value, and the underlying infrastructure scales horizontally to serve the CaaS layer.
Container Orchestration (Kubernetes)
Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. We are using Kubernetes for container orchestration in our CaaS platform.
Storage (Class / volume plug-in)
The StorageClass provides a way for administrators to describe the classes of storage they offer; different classes might map to different quality-of-service levels. In our CaaS we use the RBD volume plug-in for high-performance workloads and NFS for general workloads.
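As an added example (not taken from the original post), here is how the two tiers just described can be expressed as StorageClasses, with a claim that selects the fast tier. Ceph monitor addresses, pool and secret names, and the NFS provisioner name are assumptions; the in-tree NFS plug-in has no dynamic provisioner, so the general class relies on an external one.

```yaml
# Added example: two StorageClasses for the two tiers, plus a claim.
# All addresses, pool names, secret names and the NFS provisioner are assumed.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: fast-rbd
provisioner: kubernetes.io/rbd            # in-tree Ceph RBD volume plug-in
parameters:
  monitors: 10.10.0.11:6789,10.10.0.12:6789,10.10.0.13:6789   # assumed Ceph MONs
  adminId: admin
  adminSecretName: ceph-admin-secret      # Secret holding the admin key
  adminSecretNamespace: kube-system
  pool: kube                              # assumed RBD pool name
  userId: kube
  userSecretName: ceph-user-secret        # must exist in the PVC's namespace
  fsType: ext4
  imageFormat: "2"
  imageFeatures: layering
reclaimPolicy: Delete
---
# General tier backed by NFS. The in-tree NFS plug-in cannot provision
# dynamically, so this class assumes an external provisioner registered
# under the name below.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: general-nfs
provisioner: cluster.local/nfs-client-provisioner   # assumed provisioner name
reclaimPolicy: Retain
---
# A workload picks its tier by name; the pool, secrets and QoS stay hidden.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: db-data
  namespace: team-a                       # assumed tenant namespace
spec:
  storageClassName: fast-rbd
  accessModes: ["ReadWriteOnce"]          # an RBD image is writable from one node at a time
  resources:
    requests:
      storage: 20Gi
```

Marking the general class with `reclaimPolicy: Retain` keeps the backing share when a claim is deleted, which is the safer default when the data owner is not the cluster operator.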
We are using cluster networking/CNI through Calico. Calico provides a highly scalable networking and network policy solution for connecting Kubernetes pods, based on the same IP networking principles as the internet.
Cluster networking uses a layer 3 network and features the BGP routing protocol, network policy, and route reflectors: the nodes act as BGP clients peering with the controller servers, and the controller servers run the BIRD Internet routing daemon for better performance and stability.
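As an added example (not part of the original post), the following Calico resources describe the layout above: the full node-to-node BGP mesh is switched off, the controller nodes are labelled as route reflectors, and every node peers only with the reflectors. The AS number, the node label and the reflector cluster ID are assumptions; these `projectcalico.org/v3` resources are applied with `calicoctl`.

```yaml
# Added example: Calico BGP with the controller nodes as route reflectors.
# AS number, label name and cluster ID are assumptions.
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  logSeverityScreen: Info
  nodeToNodeMeshEnabled: false   # no full mesh; peers are declared explicitly below
  asNumber: 64512                # assumed private ASN shared by all nodes
---
# Every node (selector all()) peers with the nodes carrying the reflector label.
# Before applying, mark each controller node as a reflector, e.g.:
#   kubectl label node <controller> route-reflector=true
#   calicoctl patch node <controller> \
#     -p '{"spec": {"bgp": {"routeReflectorClusterID": "224.0.0.1"}}}'
# The same cluster ID on all reflectors makes them one reflector cluster,
# so a route reflected by one is not re-reflected by another.
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: peer-with-route-reflectors
spec:
  nodeSelector: all()
  peerSelector: route-reflector == 'true'
```

Because `nodeSelector: all()` also matches the reflectors themselves, the reflectors peer with each other through the same rule, so no second BGPPeer is needed. A cluster that keeps `nodeToNodeMeshEnabled: true` with this peer added would run both the mesh and the reflector sessions, which defeats the purpose of the design.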
Load Balancing (on bare metal)
Kubernetes does not offer an implementation of network load balancers for bare metal clusters. We have deployed L4 load balancing with MetalLB and L7 load balancing with Ingress. MetalLB is a load-balancer implementation for bare metal Kubernetes clusters that uses standard routing protocols; we deployed it with BGP.
In Kubernetes, an Ingress is an object that allows access to your Kubernetes services from outside the cluster. You configure access by creating a collection of rules that define which inbound connections reach which services, implemented here by the Nginx Ingress Controller.
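As an added example (not from the original post), this is what the two layers look like together: MetalLB in BGP mode announces a pool of service addresses to the upstream router, the ingress controller's Service takes an address from that pool, and an Ingress rule routes one host to a backend with TLS terminated at the controller. The router address, ASNs, address pool, hostname and Secret name are all assumptions; the pool uses the TEST-NET-1 documentation prefix as a placeholder.

```yaml
# Added example: MetalLB (BGP mode) + Nginx Ingress on bare metal.
# Router address, ASNs, pool prefix, hostname and Secret name are assumed.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    peers:
    - peer-address: 10.0.0.1      # assumed top-of-rack router
      peer-asn: 64500             # router's ASN
      my-asn: 64512               # ASN MetalLB speakers announce from
    address-pools:
    - name: public
      protocol: bgp
      addresses:
      - 192.0.2.0/24              # placeholder prefix (TEST-NET-1)
---
# L4: the ingress controller itself receives an external IP from the pool.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  annotations:
    metallb.universe.tf/address-pool: public
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local    # keeps the client source IP for access logs
  selector:
    app.kubernetes.io/name: ingress-nginx
  ports:
  - name: http
    port: 80
    targetPort: 80
  - name: https
    port: 443
    targetPort: 443
---
# L7: host/path routing to a backend Service; TLS is terminated by the
# controller with the certificate stored in the named Secret.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: team-a               # assumed tenant namespace
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "true"   # plain HTTP gets a 308 to HTTPS
spec:
  tls:
  - hosts: ["app.example.com"]
    secretName: app-example-com-tls
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 8080
```

With `externalTrafficPolicy: Local`, MetalLB only announces the service address from nodes that actually run an ingress controller pod, so the router never forwards to a node that would have to hop again inside the cluster; the trade-off is that the controller should run on enough nodes for the announcement to survive a node failure.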
We have a number of security measures in our solution. These include:
- Transport Layer Security (TLS) for all API traffic
- Network policies per namespace to restrict access to pods/ports, and control over the placement of pods onto node pools
- Separate namespaces for isolation between components
- Role-Based Access Control (RBAC)
- Limiting resource usage on a cluster using resource quota limits
- Using etcd ACLs
- Enabling audit logging for analysis in the event of a compromise.
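As an added example (not from the original post), the manifests below put four of the listed measures into practice for one tenant namespace: a default-deny network policy with a narrow allow rule, a namespaced RBAC role bound to a group, a ResourceQuota, and an audit policy. The namespace, group name, limits and DNS labels are assumptions; the DNS rule also assumes the kube-system namespace carries the `kubernetes.io/metadata.name` label, which recent Kubernetes releases set automatically.

```yaml
# Added example: hardening manifests for one tenant namespace, "team-a" (assumed).
# Every name and limit here is an assumption.
# Default deny: a pod selected by no other policy accepts and sends nothing.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: team-a
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Re-open only what is needed: traffic between pods of team-a, plus egress to
# kube-dns. Assumes kube-system carries the kubernetes.io/metadata.name label
# (automatic on recent Kubernetes; add it by hand on older releases).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-and-dns
  namespace: team-a
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
  ingress:
  - from:
    - podSelector: {}
  egress:
  - to:
    - podSelector: {}
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# RBAC: developers manage workloads in their namespace but cannot read Secrets
# (deliberately absent from resources); bound to a group from the identity provider.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: team-a
rules:
- apiGroups: ["", "apps", "batch"]
  resources: ["pods", "pods/log", "services", "configmaps",
              "deployments", "statefulsets", "jobs", "cronjobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers
  namespace: team-a
subjects:
- kind: Group
  name: team-a-developers         # assumed group name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
---
# ResourceQuota caps the namespace's aggregate consumption so one tenant
# cannot starve the cluster.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
    pods: "50"
---
# Audit policy. Not applied with kubectl: save it on each control-plane node and
# pass --audit-policy-file=<path> --audit-log-path=<path> to kube-apiserver.
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages: ["RequestReceived"]
rules:
- level: Metadata                 # never write Secret/ConfigMap bodies to the log
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
- level: RequestResponse          # full bodies for permission changes
  resources:
  - group: "rbac.authorization.k8s.io"
- level: Metadata                 # everything else: who did what, and when
```

Network policies are additive, so the allow policy widens the default deny rather than replacing it; anything not matched by an allow rule stays blocked. Keeping `secrets` at `Metadata` level in the audit policy matters because a `RequestResponse` entry would copy secret values into the audit log, turning the log itself into a credential store.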
Kubernetes logging and monitoring
Monitoring and logging for the CaaS solution rely on tools like:
- Icinga2 distributed monitoring – for the underlying infrastructure
- Prometheus/Grafana – for Kubernetes cluster monitoring
- Elasticsearch, Fluentd, and Kibana (EFK) stack – for log management
Provisioning and life cycle
Infrastructure architecture diagram
With this design, I am able to manage the underlying infrastructure and the Kubernetes cluster under the same umbrella. The solution is cost-effective and can be deployed on low-cost commodity x86 hardware.
This CaaS solution is implemented using open-source technologies, so IT teams should consider the learning and development needed for developers to implement and manage it. Stay tuned for the next posts; expect a detailed technical blog on each domain.