Kubernetes is at the center of the container revolution today. What began with Docker has gone beyond the confines of a single organization or tool. The container movement has brought the entire IT industry to consolidate around open standards that benefit all organizations, not just a few powerful vendors. This is what Kubernetes represents — a world of software delivery that is built on an open foundation.
Yet, this openness isn't just about Kubernetes. Rather, it is evident in all the tools and solutions built around Kubernetes. This is only possible because of the deliberately open architecture that Kubernetes was built with. When Google released Kubernetes to the world, there were a lot of gaping voids in the platform that needed filling. While it showed promise, few knew if there would be enough rallying support around it. But to everyone's surprise, the consensus around Kubernetes has been virtually unanimous. Key to this are the various solutions that have cropped up over the past few years, most of them open source. Here are the key open source projects spawned by Kubernetes (in no particular order).
Helm
Helm is a package manager for Kubernetes. It helps automate manual installation tasks. Helm has a feature called Charts; a chart is a YAML file that describes a list of Kubernetes resources.
Beyond installation, it helps make deployments easier and more predictable. By bringing a systematic approach to CI/CD, Helm helps streamline the software delivery pipeline. It integrates well with Kubernetes and is part of the CNCF.
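To show what a chart actually contains, here is an added example of a minimal chart (not Helm's own code or any published chart): three files shown in one block, with a `values.yaml` whose defaults a deployment pipeline overrides at install time and a template that renders a Deployment from them. The chart name `webapp`, the registry `registry.example.com` and the hardened `securityContext` defaults are assumptions chosen for the example.

```yaml
# Chart.yaml -- chart metadata (constructed example chart named "webapp")
apiVersion: v2
name: webapp
description: A constructed example chart for a single web service
type: application
version: 0.1.0
appVersion: "1.0.0"

# values.yaml -- defaults that the installer overrides with --set or -f
replicaCount: 2
image:
  repository: registry.example.com/webapp   # placeholder registry
  tag: "1.0.0"
# Secure-by-default pod settings; a chart is a good place to bake these in,
# because every release inherits them unless someone deliberately overrides them.
securityContext:
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop: ["ALL"]

# templates/deployment.yaml -- the Kubernetes resource Helm renders from the values
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-webapp
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      app: {{ .Release.Name }}-webapp
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}-webapp
    spec:
      containers:
        - name: webapp
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
```

`helm template demo ./webapp` renders the manifests locally so they can be reviewed (or scanned) before anything reaches the cluster; `helm install demo ./webapp --set image.tag=1.0.1` deploys a specific build. Because the security context lives in `values.yaml`, a weakened override such as `--set securityContext.runAsNonRoot=false` shows up in the release values and is easy to audit.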
Operator Framework
Created by CoreOS, which is now part of Red Hat, the Operator Framework provides abstraction and simplicity when building Kubernetes-native applications. An operator is a method to deploy applications on Kubernetes. Currently, when building an application on Kubernetes, there are a lot of low-level APIs and boilerplate code to be written. The Operator Framework aims to improve that by providing an SDK that helps manage application development and the further management of the entire application lifecycle.
gVisor
gVisor is one of the few tools that focus on securing Kubernetes clusters. Specifically, it handles container isolation, which is critical to security. gVisor can be used to run applications that you don't fully trust in sandboxed gVisor containers. These sandboxed containers are sufficiently isolated from the rest of the system, and thus provide a layer of protection should anything go wrong with the application. In the past there have been solutions for machine-based isolation with virtual machines, and rules-based isolation with tools like seccomp, SELinux, and AppArmor. gVisor works at a layer above these tools and improves the handling of system calls. Every application running on gVisor gets its own kernel and distinct host resources. This lets you run applications in production with more confidence during their initial phase.
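The way a cluster actually routes a pod into the gVisor sandbox is through a RuntimeClass. The following is an added example (not from the gVisor project) of a RuntimeClass plus a pod for an untrusted workload that is pinned to it. It assumes the node's container runtime (containerd) has already been configured with a `runsc` handler; the namespace `sandbox` and the image name are placeholders.

```yaml
# RuntimeClass: maps the name "gvisor" to the runsc handler. The handler must
# already be registered with containerd on the nodes; Kubernetes only refers to it.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
# A pod for code we do not fully trust, pinned to the gVisor sandbox.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-app
  namespace: sandbox                      # constructed namespace
spec:
  runtimeClassName: gvisor                # this line selects the sandbox
  automountServiceAccountToken: false     # no API credentials inside the sandbox
  containers:
    - name: app
      image: registry.example.com/untrusted-app:1.0   # placeholder image
      # The sandbox is a second layer; the usual container hardening still applies.
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      resources:
        limits:
          cpu: "500m"
          memory: "256Mi"
```

Two checks are worth doing after applying this. If the nodes do not have a `runsc` handler, the pod does not fall back to the normal runtime; it fails to start, which is the safe direction. Once it is running, `kubectl exec untrusted-app -- dmesg` prints gVisor's own kernel banner rather than the host's, confirming the process is talking to the user-space kernel and not to the host kernel directly. Keep in mind that gVisor implements a subset of Linux system calls, so an application should be tested under it before being moved to production.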
Granted, you need more than gVisor to truly secure your applications in Kubernetes. In fact, you'll need a whole strategy for managing open source risk. That risk can come from the open source tools themselves when they are badly managed and left vulnerable. Tools like Whitesource are key to staying compliant while using open source tools.
Istio
Istio is the hottest container networking tool for Kubernetes today. It is based on the "service mesh" model. It uses Envoy sidecar agents, which act as a mesh of proxies and enable better communication between the various services of a microservices application. Istio handles load balancing across the network. It enforces policies that control traffic flow and the encryption of network requests. Still pre-v1.0, Istio doesn't support all container orchestrators like Mesos, but Kubernetes support is strong. Adoption of Istio has been robust over the past year, and it is here to stay.
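The two policy types mentioned above, encryption of requests and control of traffic flow, map onto two Istio resources. As an added example (not taken from the Istio project or its docs), here is a mesh-wide PeerAuthentication that requires mutual TLS between sidecars, and an AuthorizationPolicy that only lets one workload identity reach a payments service. The namespace `shop`, the labels and the service account names are constructed for the example; `istio-system` is assumed to be the mesh root namespace, as in a default install.

```yaml
# Mesh-wide default: sidecars accept only mutually-TLS-authenticated traffic.
# Placing it in the root namespace makes it apply to every namespace without
# its own PeerAuthentication.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Traffic policy: only the frontend's identity may call POST /charge on payments.
# The principal is the SPIFFE identity Istio derives from the caller's mTLS
# certificate, so this rule only means something when mTLS is enforced above.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-frontend
  namespace: shop                     # constructed namespace
spec:
  selector:
    matchLabels:
      app: payments                   # constructed label on the payments pods
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/shop/sa/frontend"]
      to:
        - operation:
            methods: ["POST"]
            paths: ["/charge"]
```

Once an ALLOW policy selects a workload, any request that matches no rule is denied, so a second service calling `/charge`, or the frontend calling a different path, gets an HTTP 403 from the payments sidecar. Rolling STRICT mode out is best done namespace by namespace: a PeerAuthentication with `mode: PERMISSIVE` in a namespace overrides the mesh default for workloads that still have non-mesh callers.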
Prometheus
Prometheus is the top monitoring tool for Kubernetes. It focuses on capturing and delivering streaming real-time metrics for analysis. When managing Kubernetes, you need real-time monitoring, and Prometheus does this well. Prometheus leverages another open source tool, Kibana, for visualization, but Prometheus itself has powerful querying features that let you get the most out of your monitoring metrics. The biggest benefit of Prometheus is that you can set up real-time alerts based on metrics. These alerts can be delivered via email or an external tool like PagerDuty. Other monitoring tools include Heapster and cAdvisor, but Prometheus has by far the most adoption.
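The alerting described above is two pieces of configuration: a rule file that Prometheus evaluates, and an Alertmanager configuration that routes firing alerts to email or PagerDuty. The following is an added example (not from the Prometheus project). It assumes kube-state-metrics is being scraped, since that exporter publishes the `kube_pod_container_status_restarts_total` and `kube_node_status_condition` series used here; the SMTP host, addresses and integration key are placeholders.

```yaml
# rules/kubernetes-pods.yml -- loaded through rule_files: in prometheus.yml
groups:
  - name: kubernetes-pods
    rules:
      # A container that restarted more than 3 times in 15 minutes, and keeps
      # doing so for 10 minutes, is crash-looping rather than recovering.
      - alert: PodCrashLooping
        expr: increase(kube_pod_container_status_restarts_total[15m]) > 3
        for: 10m
        labels:
          severity: warning
        annotations:
          summary: "{{ $labels.namespace }}/{{ $labels.pod }} is restarting repeatedly"
          description: "Container {{ $labels.container }} restarted {{ $value }} times in 15m."
      # A node whose Ready condition has been false for 5 minutes.
      - alert: KubeNodeNotReady
        expr: kube_node_status_condition{condition="Ready",status="true"} == 0
        for: 5m
        labels:
          severity: critical
        annotations:
          summary: "Node {{ $labels.node }} has been NotReady for 5 minutes"

# alertmanager.yml -- routes by severity: warnings go to email, criticals page someone
global:
  smtp_smarthost: "smtp.example.com:587"       # placeholder SMTP relay
  smtp_from: "alertmanager@example.com"
route:
  receiver: ops-email                          # default receiver
  group_by: ["alertname", "namespace"]         # one notification per alert+namespace
  routes:
    - matchers: ["severity = critical"]
      receiver: ops-pagerduty
receivers:
  - name: ops-email
    email_configs:
      - to: "oncall@example.com"
  - name: ops-pagerduty
    pagerduty_configs:
      - routing_key: "<PAGERDUTY_INTEGRATION_KEY>"   # placeholder; keep out of version control
```

Both files can be validated before a reload: `promtool check rules rules/kubernetes-pods.yml` and `amtool check-config alertmanager.yml`. The `for:` clause is what keeps a single transient restart from paging anyone; the `group_by` keys keep a namespace-wide outage from producing one notification per pod.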
OpenTracing
With the complexity of a microservices architecture, network communication is a big challenge. As requests pass through the network, they touch multiple services. Being able to trace network requests down to the minute details is a necessity for administrators. Built with the microservices model in mind, OpenTracing delivers deep visibility into network requests, enabling you to trace the complete path from start to end and zero in on issues along the way. It delivers a visual representation of how long each step takes, and when combined with metrics and logs, it is a powerful tool for debugging and security.
Kops
The command line is a powerful tool that is often underutilized. Kops looks to change this by allowing developers to easily create and manage Kubernetes clusters on cloud platforms like AWS, Google Cloud, and DigitalOcean. Support for more cloud vendors is on the way. Kops lets you easily create clusters from the CLI with simple commands that can perform complex tasks. It does this by abstracting the complexities and baking in strong defaults and easily customizable templates. Just as you use kubectl to run commands inside clusters, you use Kops to run commands on clusters. The benefits, of course, are automated and abstracted cluster management and improved efficiency. Kops also integrates with Terraform templates to let you create K8s clusters on cloud platforms.
Project Calico
A unique tool, Project Calico provides policy-based network security. Calico takes a granular and distributed approach to security. Unlike a traditional perimeter firewall, which leaves the entire system exposed once it is breached, Calico wraps each service in the system in its own microfirewall.
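The "microfirewall per service" idea is expressed with Kubernetes NetworkPolicy objects, which Calico enforces on every node. As an added example (not Calico's own code or documentation), here is a namespace-wide default deny followed by a policy that opens exactly the paths one service needs. The namespace `shop`, the `app` labels and the ports are constructed for the example; the DNS selector assumes CoreDNS in `kube-system` with the standard `k8s-app: kube-dns` label and a Kubernetes version that labels namespaces with `kubernetes.io/metadata.name`.

```yaml
# 1. Default deny: with an empty podSelector this applies to every pod in the
#    namespace, and listing both policy types blocks traffic in both directions
#    until some other policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# 2. Microfirewall for the payments service: accept only the frontend on 8080,
#    and let payments reach only its database and cluster DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-microfirewall
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: payments
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
    # DNS is easy to forget: without this rule the service resolves nothing.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
```

The practical caveat: the API server accepts NetworkPolicy objects on any cluster, but they only do something when the CNI plugin enforces them. On a cluster without Calico (or another enforcing plugin) these policies are stored and silently ignored, so verify enforcement by trying a connection that should be blocked, for example `kubectl exec` into a pod labelled `app: frontend` and attempting to reach the database on 5432 directly. Calico additionally offers its own `GlobalNetworkPolicy` resource for cluster-wide rules that standard NetworkPolicy cannot express.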
gRPC
Another networking tool, gRPC handles remote procedure calls, that is, communication between a client and a server located on separate hosts. gRPC specializes in managing load balancing for requests in a Kubernetes network. It enables rules for routing requests so that the system performs at peak capacity and no single node is overloaded. It handles retries and timeouts, making sure that long-running requests don't choke up system resources. By introducing bidirectional streaming of requests, gRPC makes service-to-service communication real-time. By sorting out the key challenges of communication, gRPC lets Kubernetes admins focus on application logic and higher-value tasks.
Brave new open source Kubernetes world
As you move toward a more Kubernetes-centric stack, the challenges are new, and so should the solutions be. These solutions are not coming from large vendors who enforce their own vision of what the future of cloud computing should be. Rather, they are coming from an entire community of developers creating solutions to the problems they face and sharing them with the world to further improve and perfect. In this new economy, open source is not a stepchild or an afterthought; it is the key to the entire puzzle that is cloud computing. Whether it's security, networking, monitoring, or better management, there's an open source tool for that. So, set those expensive, proprietary, locked-in vendor tools aside, and enter the brave new world of open source Kubernetes tools.