Modal Title
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
Digital Anarchy: Abolishing State
Mar 23rd 2023 6:32am, by Tim Banks
A Is for OpenStack Antelope
Mar 22nd 2023 7:41am, by Steven J. Vaughan-Nichols
Grab a Snapshot of Your Container Image with Checkpoint
Mar 11th 2023 6:00am, by Jack Wallen
How to Identify Your Wasteful Processes
Mar 6th 2023 7:00am, by Sean Scott
5 Things to Consider When Building a Kubernetes Platform
Mar 2nd 2023 10:00am, by Ram Iyengar
Check for Container Image Vulnerabilities with Trivy
Mar 18th 2023 6:00am, by Jack Wallen
Grab a Snapshot of Your Container Image with Checkpoint
Mar 11th 2023 6:00am, by Jack Wallen
How to Work with Containers in TrueNAS
Mar 4th 2023 6:00am, by Jack Wallen
From a Fan: On the Ascendance of PostgreSQL
Mar 3rd 2023 7:12am, by Josh Long
Analyst Report: What CTOs Must Know about Kubernetes and Containers 
Feb 28th 2023 6:14am, by Jess Lulka
Rich Harris Talks SvelteKit and What’s Next for Svelte
Mar 20th 2023 3:00am, by Loraine Lawson
The Distance from Data to You in Edge Computing
Mar 19th 2023 6:00am, by Paul Scanlon
7 Hardware Devices for Edge Computing Projects in 2023
Mar 15th 2023 6:42am, by Charles Mahler
The Need for Speed: Why Eleventy Leaves Bundlers Behind
Mar 10th 2023 8:18am, by Loraine Lawson
What the Heck Is the Edge — and Why Should You Care?
Mar 8th 2023 10:00am, by Glauber Costa
What Is Microservices Architecture?
Feb 23rd 2023 4:22am, by Eric Schabell
Java's History Could Point the Way for WebAssembly
Jan 12th 2023 3:00am, by B. Cameron Gain
Limiting the Deployment Blast Radius
Nov 15th 2022 8:14am, by Steven Lohrenz
Do ... or Do Not: Why Yoda Never Used Microservices
Oct 25th 2022 6:00am, by Samar Abbas
The Gateway API Is in the Firing Line of the Service Mesh Wars 
Oct 17th 2022 7:00am, by B. Cameron Gain
JWTs: Connecting the Dots: Why, When and How
Mar 20th 2023 7:10am, by Michal Trojanowski
Palo Alto Networks Adds AI to Automate SASE Admin Operations
Mar 17th 2023 6:00am, by Chris J. Preimesberger
TrueNAS SCALE Network Attached Storage Meets High Demand
Mar 2nd 2023 7:13am, by Jack Wallen
How Secure Is Your API Gateway?
Feb 28th 2023 5:16am, by Andrew Stiefel
Bullet-Proofing Your 5G Security Plan
Feb 24th 2023 7:24am, by Anand Oswal
Serverless WebAssembly for Browser Developers
Mar 22nd 2023 12:26pm, by Matt Butcher
ScyllaDB’s Incremental Changes: Just the Tip of the Iceberg
Mar 20th 2023 9:29am, by George Anadiotis
TriggerMesh: Open Sourcing Event-Driven Applications
Mar 13th 2023 12:14pm, by Jessica Wachtel
Ably Touts Real-Time Starter Kits for Vercel and Netlify
Mar 8th 2023 10:56am, by Loraine Lawson
Going Serverless on AWS Lambda? Recognize Potential Risks 
Mar 6th 2023 5:00am, by Sarabjeet Chugh
The Economics of Database Operations
Mar 23rd 2023 8:25am, by John Page
Digital Anarchy: Abolishing State
Mar 23rd 2023 6:32am, by Tim Banks
ScyllaDB’s Incremental Changes: Just the Tip of the Iceberg
Mar 20th 2023 9:29am, by George Anadiotis
Historical Data and Streaming: Friends, Not Foes
Mar 20th 2023 4:00am, by Michael Drogalis
Bosch IoT and the Importance of Application-Driven Analytics
Mar 9th 2023 8:30am, by Jay Runkel
Frontend Development Software Development Typescript WebAssembly Cloud Services Data Machine Learning Security
Toolkit Allows JavaScript Devs to Program Embedded Devices
Mar 23rd 2023 11:06am, by Loraine Lawson
Stopping AI Hallucinations for Enterprise Is Key for Vectara
Mar 23rd 2023 4:00am, by Richard MacManus
Vercel Brings Logging, Monitoring to Its Observability Suite
Mar 22nd 2023 3:00am, by Jessica Wachtel
JavaScript Library Lets Devs Add AI Capabilities to Web
Mar 20th 2023 10:32am, by Loraine Lawson
Rich Harris Talks SvelteKit and What’s Next for Svelte
Mar 20th 2023 3:00am, by Loraine Lawson
Toolkit Allows JavaScript Devs to Program Embedded Devices
Mar 23rd 2023 11:06am, by Loraine Lawson
5 Myths about Puppet
Mar 23rd 2023 10:18am, by Jain Waldrip
The Economics of Database Operations
Mar 23rd 2023 8:25am, by John Page
Digital Anarchy: Abolishing State
Mar 23rd 2023 6:32am, by Tim Banks
Serverless WebAssembly for Browser Developers
Mar 22nd 2023 12:26pm, by Matt Butcher
JavaScript or WebAssembly: Which Is More Energy Efficient and Faster?
Jan 30th 2023 9:51am, by Loraine Lawson
What TypeScript Brings to Node.js
Dec 26th 2022 3:00am, by Paul Ferrill
Improve your TypeScript Skills with Type Challenges
Nov 11th 2022 3:00am, by Danni White
TypeScript on Mars: How HubSpot Brought TypeScript to Its Product Engineers
Aug 19th 2022 10:00am, by George Kemp and Duncan Walter
PayPal Enhances JavaScript SDK with TypeScript Type Definitions
Aug 17th 2022 12:38pm, by Jessica Wachtel
VMware and Other Wasm Players Want WebAssembly 
Mar 23rd 2023 8:52am, by B. Cameron Gain
Serverless WebAssembly for Browser Developers
Mar 22nd 2023 12:26pm, by Matt Butcher
MIT-Created Compiler Speeds up Python Code
Mar 14th 2023 11:38am, by Loraine Lawson
Can WebAssembly Solve Serverless's Problems?
Mar 3rd 2023 5:13am, by B. Cameron Gain
Figma Targets Developers While it Waits for Adobe Deal News
Feb 27th 2023 9:42am, by Richard MacManus
Unlock the Next Wave of Machine Learning with the Hybrid Cloud
Mar 22nd 2023 10:00am, by Kjell Carlsson
Getting the Most from Kubernetes Autoscaling
Mar 21st 2023 7:06am, by Brian Likosar
ScyllaDB Challenges DynamoDB on Latency and Pricing
Mar 20th 2023 9:00am, by Jessica Wachtel
Multiple Vendors Make Data and Analytics Ubiquitous
Mar 20th 2023 5:00am, by Andrew Brust
Let’s Talk about Cloud Threat Hunting 
Mar 16th 2023 7:33am, by Guilherme (Gui) Alvarenga
The Economics of Database Operations
Mar 23rd 2023 8:25am, by John Page
Stopping AI Hallucinations for Enterprise Is Key for Vectara
Mar 23rd 2023 4:00am, by Richard MacManus
Get More out of Machine Learning with Data Preprocessing
Mar 21st 2023 5:00am, by Alexander T. Williams
JavaScript Library Lets Devs Add AI Capabilities to Web
Mar 20th 2023 10:32am, by Loraine Lawson
ScyllaDB’s Incremental Changes: Just the Tip of the Iceberg
Mar 20th 2023 9:29am, by George Anadiotis
Nvidia Hones in on Apple-Like Approach to AI with CUDA
Mar 23rd 2023 7:34am, by Agam Shah
Stopping AI Hallucinations for Enterprise Is Key for Vectara
Mar 23rd 2023 4:00am, by Richard MacManus
Unlock the Next Wave of Machine Learning with the Hybrid Cloud
Mar 22nd 2023 10:00am, by Kjell Carlsson
Get More out of Machine Learning with Data Preprocessing
Mar 21st 2023 5:00am, by Alexander T. Williams
Multiple Vendors Make Data and Analytics Ubiquitous
Mar 20th 2023 5:00am, by Andrew Brust
How 2 Founders Sold Their Startup to Aqua Security in a Year
Mar 22nd 2023 1:42pm, by Heather Joslyn
Cloud Malware: Types of Attacks and How to Defend Against Them
Mar 22nd 2023 10:13am, by Faith Kilonzi
Build Software Supply Chain Trust with a DevSecOps Platform
Mar 21st 2023 8:23am, by Diego Lapiduz
JWTs: Connecting the Dots: Why, When and How
Mar 20th 2023 7:10am, by Michal Trojanowski
Check for Container Image Vulnerabilities with Trivy
Mar 18th 2023 6:00am, by Jack Wallen
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
Build Software Supply Chain Trust with a DevSecOps Platform
Mar 21st 2023 8:23am, by Diego Lapiduz
Simplify CI/CD with a General-Purpose Software Catalog
Mar 14th 2023 6:24am, by Zohar Einy
Enabling DevOps Control for Those Who Need It Most — Developers
Mar 13th 2023 6:46am, by Venkat Thiruvengadam
Setting Kubernetes Standards with Platform Engineering
Mar 10th 2023 7:39am, by Zohar Einy
Which Features Does Your Platform Engineering Portal Need?
Mar 7th 2023 4:00am, by B. Cameron Gain
5 Myths about Puppet
Mar 23rd 2023 10:18am, by Jain Waldrip
LinkedIn Unifies Stream and Batch Processing with Apache Beam
Mar 23rd 2023 8:00am, by Jessica Wachtel
Observability — Freeing Your Load Tests from the Black Box
Mar 22nd 2023 8:26am, by Ken Hamric
Reducing the Cognitive Load Associated with Observability
Mar 22nd 2023 6:44am, by Alex Gervais
Is Your Incident Response Better Than an Energy Company’s?
Mar 21st 2023 9:04am, by Paige Cruz
How 2 Founders Sold Their Startup to Aqua Security in a Year
Mar 22nd 2023 1:42pm, by Heather Joslyn
Simplify CI/CD with a General-Purpose Software Catalog
Mar 14th 2023 6:24am, by Zohar Einy
IBM Donates SBOM Code to OWASP
Mar 7th 2023 7:51am, by Steven J. Vaughan-Nichols
Slim.AI: Automating Vulnerability Remediation for a Shift-Left World
Feb 21st 2023 10:00am, by John Amaral
DevPod: Uber's MonoRepo-Based Remote Development Platform
Jan 26th 2023 3:00am, by Jessica Wachtel
How 2 Founders Sold Their Startup to Aqua Security in a Year
Mar 22nd 2023 1:42pm, by Heather Joslyn
Stephen Thaler Claims He's Built a Sentient AI
Mar 16th 2023 8:10am, by David Cassel
How Tech Leaders Are Managing Anxieties after SVB Failure
Mar 15th 2023 10:59am, by Heather Joslyn and Colleen Coll
Chatops: Where Automation, Collaboration and DevOps Culture Meet
Mar 15th 2023 8:19am, by Blair Rampling
What We Can Learn from Twitter's Outages
Mar 13th 2023 9:00am, by Jennifer Riggins
Historical Data and Streaming: Friends, Not Foes
Mar 20th 2023 4:00am, by Michael Drogalis
Defining DORA-Like Metrics for Security Engineering
Mar 17th 2023 9:00am, by Daniel Koch
Chatops: Where Automation, Collaboration and DevOps Culture Meet
Mar 15th 2023 8:19am, by Blair Rampling
Build Machine Learning Apps in Your Notebook with Tecton
Mar 15th 2023 6:00am, by Richard MacManus
Is Cluster API Really the Future of Kubernetes Deployment?
Mar 14th 2023 10:00am, by Steve Francis
A Is for OpenStack Antelope
Mar 22nd 2023 7:41am, by Steven J. Vaughan-Nichols
Getting the Most from Kubernetes Autoscaling
Mar 21st 2023 7:06am, by Brian Likosar
Is Cluster API Really the Future of Kubernetes Deployment?
Mar 14th 2023 10:00am, by Steve Francis
Can WebAssembly Solve Serverless's Problems?
Mar 3rd 2023 5:13am, by B. Cameron Gain
5 Things to Consider When Building a Kubernetes Platform
Mar 2nd 2023 10:00am, by Ram Iyengar
Reducing the Cognitive Load Associated with Observability
Mar 22nd 2023 6:44am, by Alex Gervais
Vercel Brings Logging, Monitoring to Its Observability Suite
Mar 22nd 2023 3:00am, by Jessica Wachtel
Is Your Incident Response Better Than an Energy Company’s?
Mar 21st 2023 9:04am, by Paige Cruz
Why Audit Logs Are Important
Mar 16th 2023 8:34am, by James Walker
5 Steps to Effective Cloud Detection and Response 
Mar 15th 2023 10:30am, by Faith Kilonzi
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
Service Mesh Demand for Kubernetes Shifts to Security
Oct 27th 2022 11:04am, by B. Cameron Gain
AmeriSave Moved Its Microservices to the Cloud with Traefik's Dynamic Reverse Proxy
Sep 8th 2022 2:02pm, by Ann R. Thryft
Can You Now Safely Remove the Service Mesh Sidecar?
Sep 8th 2022 9:19am, by B. Cameron Gain
eBPF or Not, Sidecars are the Future of the Service Mesh
Aug 12th 2022 10:00am, by William Morgan
Containers / Kubernetes

Kubernetes Apps Are Snowflakes: Find an Extensible Protection Framework

The flexibility and extensibility of Kubernetes (using custom resource definitions), which makes it so popular with developers, makes it harder to protect Kubernetes applications because there is no standard way to determine what needs to be backed up to enable a successful recovery after a disaster.
May 16th, 2022 2:00am by
Featued image for: Kubernetes Apps Are Snowflakes: Find an Extensible Protection Framework
Feature image via Pixabay.

Sayan Saha
Sayan Saha is a seasoned product executive with 12+ years of open source software product management experience spanning Linux-based platform software, containers, Kubernetes, high availability/clustering software, and software-defined storage. At NetApp, he is a Senior Director of Product Management for Astra, a fully managed (SaaS) multi-hybrid cloud data management service for Kubernetes applications, and Trident, an open source solution for consuming persistent storage for containerized workloads.

As developers and application teams choose containers and Kubernetes as their preferred technologies for building, deploying, running, and scaling applications, more applications with data land on Kubernetes every day. Increasingly, independent software vendors (ISVs) are distributing their applications packaged as containers to be run on Kubernetes, proliferating their usage in all industry verticals. Many such applications are business-critical, whose outage can cause serious revenue, productivity, and reputation loss.

As enterprises realize the business need for protecting their Kubernetes applications, they turn to do-it-yourself open source or commercial solutions available in the market. Protecting a Kubernetes application usually entails the ability to recover an application after a disaster, cyberattack, malicious or unintended user error:

  • Within the same cluster
  • A different cluster in the same region
  • A separate cluster in region/geography

Applying these solutions to protect and move Kubernetes applications often does not work out of the box. The flexibility and extensibility of Kubernetes (using custom resource definitions), which makes it so popular with developers, makes it harder to protect Kubernetes applications because there is no standard way to determine what needs to be backed up to enable a successful recovery after a disaster.

Real-world Kubernetes Applications Are Snowflakes

Not having a standard Kubernetes specification that defines what comprises an application makes the problem of identifying what resources to backup and clone particularly challenging. Consequently, solutions that focus on Kubernetes application protection — providing backup/restore and disaster recovery (DR) — make assumptions about how developers will architect their applications and try to do their best in figuring out what constitutes an actual application — and how best to protect it.

This approach leads to automating the process of Kubernetes application discovery. Automating the application discovery process is desirable in Kubernetes environments that can be highly dynamic. However, automatic discovery usually works for only a subset of cases where applications are simple and confined to a namespace. If applications span multiple namespaces, have cluster-scoped resources, and/or use external fully managed databases, data stores, or messaging services — the simplistic application discovery and consequent application protection functionality offered is not adequate for protecting most Kubernetes workloads.

What Constitutes a Kubernetes Application?

Most real-world Kubernetes applications don’t conform to a standard recipe that developers follow to develop and deploy a Kubernetes application. How developers define a Kubernetes application can be a combination of the following (not an exhaustive list):

  1. App = 1..N resources in 1 namespace
  2. App = 1..N namespaces
  3. App = 1..N namespaces + 1..N cluster scoped resources
  4. App = 1..N resources in 1..N namespaces + 1..N cluster scoped resources
  5. App = 1..N resources in 1..N namespaces + 1..N cluster scoped resources + external resources (for example, a fully-managed database in a public cloud)

As is evident from the above, using namespaces as an application separator does not cover all the different ways developers define their Kubernetes applications. Automatically inferring all the components that comprise a Kubernetes application can also lead to misses in identifying Kubernetes applications’ resources.

Custom Application Definition with User Input

To effectively backup and restore an application, users must be able to specify what constitutes their Kubernetes application that provides the critical “service” whose business continuity must be ensured. Ideally, users should be given an opportunity to either define their application using Kubernetes native mechanisms or be allowed to define a custom application that conforms with the application definition patterns enumerated above.

In some cases, it is equally important to identify resources that should be excluded from the app definition as they may not be relevant in the target/destination cluster or namespace, preventing a successful restore. An effective Kubernetes application protection solution must either offer users the ability to specify these details or intelligently facilitate discovering such complex applications. Once an application is defined with all the resources that are necessary, protecting an application is no longer guesswork, leading to much more predictable results.

Hooks, Hooks, and More Hooks

Hooks or pre-scripts/post-scripts have been used by enterprise backup software for ages enabling users to insert custom actions to take application consistent backups like quiescing a database before taking a snapshot to flush in-memory tables to disk. The ability to insert custom actions with “execution hooks” has taken a whole new meaning with Kubernetes applications. Predictably controlling the end-to-end backup and recovery of a Kubernetes application to enable a successful application instantiation after recovery often requires custom actions that need to be performed on several resources that comprise a Kubernetes application before and after a backup as well as before and after a restore.

Execution hooks in Kubernetes during a backup-recovery workflow can be used to accomplish many objectives like applying network security policies dynamically before or after backup/restore, altering the registered path for an ingress controller before a clone, refresh IP addresses, and other custom application-specific actions. Kubernetes application protection solutions must allow the extensibility of backup/DR workflows with execution hooks using which custom application-specific actions can be inserted.

What Not to Backup and Restore

Identifying what application resources need to be protected is critical, but what not to backup and/or restore is equally essential. This is because certain resources like secrets, IP addresses, and node ports may not be relevant in a target cluster for disaster recovery. A bulk backup of all resources that comprise a Kubernetes application followed by a subsequent restore can cause a faulty restore because a subset of resources is simply invalid in the target cluster. Conceptually, there are usually two ways to address this situation.

  • Use filters to exclude backing up or restoring specific resources that do not make sense in the target cluster enabling Kubernetes or operators (popular design pattern for deploying and managing Kubernetes applications) to recreate these resources.
  • Transform resources before they land on the target cluster.

Kubernetes application protection solutions must allow users to do all the above to ensure correct application behavior after a restore.

Summary

As enterprises realize the need for protecting their Kubernetes applications, it’s important to evaluate these solutions for their customizability and extensibility before adopting them at scale. It’s also important to provide a set of best practices, which guides developers to stick to a recipe while architecting their Kubernetes applications including recommending a standard set of in-cluster and external services that they leverage so that it’s easier to protect them as business-critical Kubernetes applications become ubiquitous in the enterprise.

Group Created with Sketch.
SHARE THIS STORY
RELATED STORIES
What Is Microservices Architecture? What Is the Docker .env File and How Do You Use It? How to Implement a Security Scanner for Docker Images Is WebAssembly Really the Future?  Data, Analytics and AI: What Will Happen in 2023
TNS owner Insight Partners is an investor in: Real.
RELATED STORIES
Deploy MongoDB in a Container, Access It Outside the Cluster What Is the Docker .env File and How Do You Use It? Data, Analytics and AI: What Will Happen in 2023 Kubernetes Needs to Take a Lesson from Portainer on Ease-of-Use Check for Container Image Vulnerabilities with Trivy
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.