A surge of Kubernetes deployments in retail locations, assembly lines and other “edge computing” environments is leading to cluster sprawl, which can be a security hazard, as Keith Basil, Rancher vice president of edge solutions, will discuss in his upcoming session at this year’s KubeCon + CloudNativeCon Europe, taking place this week virtually.
In fact, Rancher, which is being acquired by SUSE, contends it is seeing a fundamental shift in Kubernetes usage towards the edge.
“The Kubernetes cluster as we know it is no longer in the data center,” Basil said in an interview with The New Stack.
Basil’s presentation, “Managing Cluster Sprawl,” will take place Thursday, at 16:10 CEST. He will discuss the management challenges of security, heterogeneous architectures, and connectivity that must be overcome when managing clusters at a massive scale.
Rancher’s K3s, a slimmed-down Kubernetes distribution crafted for resource-constrained environments, has been a quiet success for the company. Rancher currently sees about 20,000 downloads per week, many of them from companies evaluating K3s for possible production use.
In many cases, K3s is being used in edge deployments, such as retail stores, fast food outlets and industrial production lines. These are not the general-purpose, large-scale Kubernetes clusters most people are familiar with. Instead, each deployment may run a single application on a single-node cluster, Basil said. Each location has its own cluster, which may run only a few GPUs and a single copy of K3s.
As a result, many companies are in the position of managing a large number of small, remote clusters, or “micro-clusters” as Basil calls them. Reviewing Rancher data, Basil found that many customers had 500-700 clusters, with a few even running tens of thousands of clusters. The average was nearly 1,700 clusters per company.
“The question is, ‘how do you manage that?'” Basil asked.
The security posture is essential, given that compute and storage resources can be in a “very hostile environment,” Basil said. “If somebody were to get access to your machines from a command and control perspective, they’re essentially on your network. So that as a threat vector needs to be addressed.” Basil, who, prior to joining Rancher, worked in cloud security, prefers the “command-and-control” military approach to securing an environment.
In a cloud native environment, this could entail a GitOps approach, in which configurations are defined declaratively by the developer, pushed into a git repository and rolled out on demand. “We’ve found from an architectural perspective that the best way to manage clusters at scale is for the clusters to pull their configuration down from some centralized location,” he said.
As it turns out, Rancher has its own tool for this, called Fleet, to manage large numbers of clusters. With Fleet, an agent is installed on a cluster that can configure that cluster and then load the application. It “basically acts as your remote hands, if you will,” Basil said.
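To make the pull model concrete, here is an added example (written for this page, not taken from the article or from the Fleet project) of how the centralized configuration might look: a Fleet GitRepo object registered on the management cluster, followed by the fleet.yaml that would live inside the git repository it points at. The repository URL, secret name, cluster labels and chart path are placeholders, and the field names follow the Fleet v1alpha1 API as the editor understands it; check them against the Fleet version actually deployed.

```yaml
# Added example, not the project's own manifests. Two files are shown as one
# YAML stream for readability; in practice the GitRepo is applied to the
# management cluster and fleet.yaml is committed to the repository.
#
# File 1: GitRepo, applied with kubectl on the management cluster.
apiVersion: fleet.cattle.io/v1alpha1
kind: GitRepo
metadata:
  name: edge-pos                 # hypothetical name
  namespace: fleet-default       # namespace Fleet watches for GitRepos by default
spec:
  repo: https://git.example.com/platform/edge-workloads.git   # placeholder URL
  branch: main
  # Read-only deploy credentials live on the management cluster only; the edge
  # agents never hold git credentials themselves (assumed deployment layout).
  clientSecretName: edge-git-readonly
  paths:
    - pos-app
  # Scope the rollout by label so a single mislabelled store cannot pull
  # workloads meant for a different site type.
  targets:
    - name: retail-stores
      clusterSelector:
        matchLabels:
          env: retail
          tier: edge
---
# File 2: pos-app/fleet.yaml inside the repository. Per-cluster overrides stay
# in git, so the commit history remains the single source of truth for every
# micro-cluster rather than ad-hoc changes made by hand on site.
defaultNamespace: pos
helm:
  chart: ./chart                 # placeholder chart path
  releaseName: pos
  values:
    replicaCount: 1              # single-node K3s clusters run one copy per store
targetCustomizations:
  - name: high-volume-stores
    clusterSelector:
      matchLabels:
        store-size: large        # hypothetical label
    helm:
      values:
        replicaCount: 2
```

The security-relevant property is the direction of the connection: the Fleet agent on each store cluster initiates the outbound connection to the management cluster and reconciles what git says, so no inbound port needs to be opened on the store network, and a compromised store cluster holds neither git credentials nor a path to push changes back. Progress of the rollout can be watched with `kubectl get gitrepo -n fleet-default` on the management cluster.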
KubeCon + CloudNativeCon is a sponsor of The New Stack.