Resource placement is a policy-rich problem, particularly across multi-cluster, multi-geography and multi-cloud environments. Placement may be based on company conventions, external regulation, pricing, performance requirements, or complex combinations of these. Furthermore, placement policies evolve over time and vary across organizations. As a result, it is very difficult to anticipate the policy requirements of all users.
In this presentation, Torin Sandall (Lead Engineer of Open Policy Agent) and Irfan Ur Rehman present and demonstrate the work they've done integrating OPA into the Kubernetes Cluster Federation control plane. This enables high-level policies to be expressed in an easy-to-understand policy language and automatically enforced across federations of Kubernetes clusters.
7. Example
Apps are labelled with a customer name. Customers are associated with a jurisdiction. Furthermore, apps may be labelled with a criticality. If criticality is low, public cloud clusters may be used; otherwise, on-prem clusters must be used.
8. Visibility & Remediation
[Diagram: federation-apiserver with an opa sidecar. The sidecar holds the policy plus a replica of the federation's clusters, deployments, services, ... and answers questions such as "which of customer x's apps are deployed in the EU?" and "which customers are affected if cluster X is no longer PCI certified?"]
9. Conflicts
● Developers could accidentally specify conflicting intent (result: empty set)
● Developers could explicitly request invalid clusters (result: error)
● Resolve conflicts within the policy engine whenever possible
  ○ Policy is the only place where all intent is known
kind: ReplicaSet
metadata:
  annotations:
    customer: acmetel-US
    criticality: low
    replica-set-preferences:
      clusters:
        - us-west-2
        - eu-central-1
...

# A requested cluster that the policy does not allow
not_allowed[cluster] {
    requested_clusters[cluster]
    not allowed_clusters[cluster]
}

# Any disallowed request is reported back as an error
errors["invalid cluster(s)"] { not_allowed != set() }
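The following Rego policy is an added example written for this page; it is not the presenters' code. It ties the rules of slide 7 (customer jurisdiction, criticality) to the conflict handling of slide 9, completing the `allowed_clusters` and `requested_clusters` rules that the slide's `not_allowed` rule references. The customer-to-jurisdiction map and the cluster inventory are constructed sample data, and the policy assumes the ReplicaSet is supplied as `input` with the nested `replica-set-preferences` annotation shown above (the real federation annotation carries that preference as a JSON string).

```rego
package federation.placement

# Constructed sample data. In the integration described on this page such data
# would be replicated into the opa sidecar from the federation-apiserver.
customer_jurisdiction = {
    "acmetel-US": "US",
    "acmetel-EU": "EU",
}

clusters = {
    "us-west-2":    {"jurisdiction": "US", "type": "public"},
    "us-east-1":    {"jurisdiction": "US", "type": "on-prem"},
    "eu-central-1": {"jurisdiction": "EU", "type": "public"},
    "eu-onprem-1":  {"jurisdiction": "EU", "type": "on-prem"},
}

# The ReplicaSet under evaluation arrives as `input`.
annotations = input.metadata.annotations

# Jurisdiction is derived from the customer annotation, never chosen by the developer.
jurisdiction = customer_jurisdiction[annotations.customer]

# Low criticality may run anywhere; anything else (or a missing label) must be on-prem.
allowed_types = {"public", "on-prem"} {
    annotations.criticality == "low"
} else = {"on-prem"} {
    true
}

# Clusters the policy permits for this ReplicaSet.
allowed_clusters[name] {
    info := clusters[name]
    info.jurisdiction == jurisdiction
    allowed_types[info.type]
}

# Clusters the developer explicitly asked for.
requested_clusters[name] {
    name := annotations["replica-set-preferences"].clusters[_]
}

# Explicit requests the policy rejects (slide 9: "result: error").
not_allowed[cluster] {
    requested_clusters[cluster]
    not allowed_clusters[cluster]
}

# Final placement: honour preferences where they are allowed, otherwise fall
# back to every allowed cluster.
placement = requested_clusters & allowed_clusters {
    count(requested_clusters) > 0
}

placement = allowed_clusters {
    count(requested_clusters) == 0
}

errors["invalid cluster(s)"] { not_allowed != set() }
errors["unknown customer"] { not customer_jurisdiction[annotations.customer] }
# Conflicting intent that leaves nothing to deploy to (slide 9: "result: empty set").
errors["no cluster satisfies policy"] { count(placement) == 0 }
```

With the ReplicaSet from the slide as input, `opa eval --input rs.json --data placement.rego 'data.federation.placement'` yields `allowed_clusters = {"us-west-2", "us-east-1"}`, `not_allowed = {"eu-central-1"}`, `placement = {"us-west-2"}` and `errors = {"invalid cluster(s)"}`: the EU cluster is rejected because the customer's jurisdiction is US, and the policy engine resolves the conflict to the one cluster that satisfies both the developer's preference and the policy. Changing `criticality` to anything but `low` makes `placement` collapse to `{"us-east-1"}` (the on-prem option) and adds the invalid-cluster error for `us-west-2`.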
10. Future Work
● Improve policy management
  ○ Current: policies stored as ConfigMaps in the federation-apiserver
  ○ Future: policies represented as first-class API objects
  ○ Cleaner mechanism for reporting policy enforcement status
    ■ Installed, errors, etc.
● Demonstrate new use cases
  ○ Cost-based policies
    ■ Replicate external data representing resource pricing (e.g., cpu, memory, etc.)
    ■ Pick clusters based on pricing data
    ■ Cluster inter-connect may be expensive
[Diagram: federation-apiserver, federation-controller and opa]
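The cost-based policy proposed under Future Work can be sketched in Rego as follows. This is an added example, not code from the presentation, and it assumes a hypothetical pricing feed has already been replicated into OPA as `data`-style sample values (constructed below) and that the placement policy's `allowed_clusters` result is handed in via `input.allowed_clusters`, together with the ReplicaSet's per-replica resource requests.

```rego
package federation.cost

# Constructed sample pricing data (hourly price per CPU and per GB of memory).
# The presentation only proposes replicating such data; the feed itself is assumed.
pricing = {
    "us-west-2":    {"cpu": 0.040, "memory": 0.005},
    "us-east-1":    {"cpu": 0.035, "memory": 0.004},
    "eu-central-1": {"cpu": 0.046, "memory": 0.006},
}

# Hourly cost of running all replicas of the ReplicaSet in a given cluster.
cluster_cost[cluster] = cost {
    price := pricing[cluster]
    cost := input.replicas * ((input.cpu * price.cpu) + (input.memory_gb * price.memory))
}

# Only clusters that the placement policy already allows and that have pricing
# data are candidates; cost never overrides the jurisdiction/criticality rules.
candidates[cluster] {
    cluster := input.allowed_clusters[_]
    pricing[cluster]
}

cheapest_cost = min([c | c := cluster_cost[cluster]; candidates[cluster]])

# The cluster(s) to prefer: every candidate tied for the lowest cost.
cheapest[cluster] {
    candidates[cluster]
    cluster_cost[cluster] == cheapest_cost
}

errors["no pricing data for allowed clusters"] { count(candidates) == 0 }
```

For an input such as `{"replicas": 4, "cpu": 2, "memory_gb": 8, "allowed_clusters": ["us-west-2", "us-east-1"]}`, `data.federation.cost.cheapest` evaluates to `{"us-east-1"}`. Keeping the cost rule separate from the placement rule preserves the point made on slide 9: the policy engine is the one place where every constraint is known, so pricing only refines a set of clusters that the compliance policy has already approved.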
11. Conclusion
● Kubernetes Federation enables hybrid-cloud deployments for a variety of use cases
● Resource placement is a policy-rich problem that must address important business requirements
● A policy solution should empower admins with greater control and flexibility