Kubernetes Maturity Model: Identify What to Measure

For those who have already gone through the basics of adopting Kubernetes, you’ve spent a significant amount of time preparing, deploying and improving your Kubernetes environment. Once you’ve gained confidence, you’re ready to refine what’s been set up. The Kubernetes Maturity Model includes seven phases in the process of achieving full Kubernetes maturity. In phase six, it’s time to work on measurement and control.

So what exactly do you need to measure? The five critical areas that you need to focus on measuring include:

1. Security: Measure how many vulnerabilities exist in your containers or clusters, identify what the vulnerabilities are and quantify how often and when you are patching workloads, clusters or add-ons.
2. Auditing: Create an audit trail so that you understand who performed recent actions and can identify the actions that workloads are taking in your clusters. These audits help you identify unauthorized access and actions if and when they occur.
3. Drift: Identify which workloads don’t conform to your standards, what versions of dependencies and cluster add-ons are running, and whether workloads are compatible with future versions of Kubernetes.
4. Efficiency: Track the typical resource usage of your workloads and the typical usage of the nodes within your clusters. Measuring this will also help you understand how often your clusters are scaling.
5. Velocity: Track how often deployments are being shipped, how many users access your clusters and the most common actions being taken within your clusters. These measurements will help you improve your development velocity.

What Gets Measured…

You’ve heard the phrase, “what gets measured, gets managed.” Well, you’ll find that’s true in Kubernetes, too. Once you start collecting and measuring data in these critical areas, it’s very likely that you’ll uncover some problems. You may find some workloads that are disorganized and that they are affecting other workloads. Suddenly, you may realize that too much access from workloads is causing security issues. Now that you’re tracking it carefully, you may realize that you have reliability or scalability issues. When you’re using too many resources or not cleaning up workloads, costs can increase more than you planned.

To tackle your newly uncovered problems, you can leverage some carefully placed controls. Based on the data you’ve been collecting, it’s time to answer a few fundamental questions, which will help you establish a set of Kubernetes guardrails.

Security

Kubernetes workload security is critical. You need to decide how you’ll control cluster permissions related to:

• Who has access to clusters?
• What actions can users take within clusters?
• What actions can workloads take within clusters?
• What level of permissions do workloads have within clusters?
• What are the network policies between workloads within your clusters?

Configuration

To create solid Kubernetes environments, you need to have configuration standards for consistency. It’s time to put controls in place related to:

• Where do Kubernetes resources live? Where are they defined?
• What changes happen and when?
• What is your code review process for resources?
• What type of resources can be deployed in your clusters?
• Which namespaces are usable by which users?
• Which namespaces are workloads deployed to?
• How do you set the amount of resources available to a workload or namespace?
• What are your common standards across your workloads and deployments?

Fairwinds Insights is Kubernetes security, policy and governance software. It reduces the complexity of managing Kubernetes by providing visibility into multiple clusters and teams. Insights unites DevSecOps teams to ensure security and compliance without hindering the pace of development.

Learn More

The latest from Fairwinds

Workflow

In addition, you need to establish workflows for how workloads and services are deployed, promotion paths and responsibility:

• Who can deploy workloads and services to your clusters?
• How can workloads and services be deployed to your clusters?
• What is the promotion path between environments?
• Who is responsible for what aspects of your environment?

Start Policy-Based Configuration Changes and Enforce Them

Equipped with these answers, you now have a set of policies that you can use to begin implementing configuration changes within your clusters. At this point, Kubernetes policy enforcement is critical. Simply writing the policies down doesn’t mean you can expect your team to follow through with them. That’s why it’s important to make sure you have a way to enforce policies across your clusters.

A number of open source tools, such as Polaris, OPA and Goldilocks are available to help you check configurations for Kubernetes best practices and customize policies. Using these open source tools still requires your team to apply each tool across each cluster, which can become time-consuming if you’re managing multiple people and clusters.

Another option is to use a solution that combines vetted open source tools into a single dashboard view, which helps you to both measure cluster configurations and establish and enforce policies based on this data. This is helpful because it provides visibility into severe or medium problems relating to security, reliability and efficiency. At this stage of your Kubernetes maturity, measuring and tracking security, auditing, drift, efficiency and velocity helps you to create and enforce policies that will have an impact across your engineering teams.

The final phase of the Kubernetes Maturity Model relates to optimization and automation, which will be an ongoing process for your organization.

Joe is VP of Product Strategy for Fairwinds, where he is responsible for leading teams that build solutions to bridge the gap between developers, security, and operations.

Read more from Joe Pelletier