Earlier this week, Microsoft made the Kubernetes container orchestration service generally available on Azure Container Service, alongside the other predominant container orchestration engines Docker Swarm and Mesosphere’s Data Center Operating System (DC/OS). The move is one more step in building out the service, Kubernetes co-founder Brendan Burns told The New Stack.
Burns moved from Google to Microsoft seven months ago to run ACS with the vision of turning it into “a really managed service” that can deliver not just tools for working with containers, but work as a whole Containers-as-a-Service (CaaS) platform.
Focusing on Apps and PaaS
As the technology matures, the emphasis shifts from how you use containers to what you use them for, he pointed out. “There’s a lot of talk in the Kubernetes community, and the container community in general, about how containers and orchestration need to become boring. It’s been a very hot and popular topic, but in some sense, it’s just a piece of infrastructure. It’s the apps you build on top that are really exciting and interesting.”
Getting that infrastructure in place, so you can see the benefits of containers over familiar-but-broken processes, needs to be fast. “If it takes six months or a year to get the benefit, nobody is going to do that,” Burns warns. “If you get the benefits immediately I think people will jump at it, and that’s one of the places ACS can really help. Setting these things up, figuring out how to run and manage and deploy these container orchestrators can be tricky, finding the best practices around how to deploy them. Really, what ACS does for you is take that problem off your plate.”
ACS needs to help people through the transition to using containers, as an “application-oriented abstraction,” he explained. “We’re going from being machine-oriented to being application-oriented in the cloud and that’s a huge development, because except for the ops people who are thinking about machines, everyone else wants to be thinking about apps.”
And in the new cloud world, those aren’t just individual apps; they’ll also be PaaS products, because container services make creating PaaS far easier for developers — which means we’ll see more PaaS aimed at niche and vertical markets, rather than just broad, generic tools.
“The people who build PaaS no longer have to be distributed systems experts. Because the container orchestrators have taken over large numbers of the distributed systems problems, you’re going to see really targeted PaaS that provide a really incredible developer experience in specific, targeted verticals,” Burns said.
He believes this will also bring technology choices closer to the development team, rather than having to be a major strategic decision. “What you’ll see is those experiences then become deployed onto a container orchestrator side by side. If I need the one for my mobile apps and games, I deploy that onto my container service; if I need the one for web apps, I deploy that onto my container service — and they use the same underlying container orchestrator. That means the choice of platform isn’t as large a choice; individual development teams can make that choice as opposed to a CTO making it for an entire company.”
Choice of Containers
That kind of choice is why ACS supports multiple container orchestrators. “We find most customers have multiple needs, whether that’s because they’re a big enterprise with multiple different departments, or they’re a small company but they still need to do big data analysis. This is about finding the solutions that work best for every user.”
Kubernetes support for Windows Server containers (the Windows equivalent of the familiar Linux Docker containers) is now in preview, alongside Docker Swarm support. “When you run Kubernetes and Windows Server containers, you’re building Windows Container apps and you’re deploying them via the Kubernetes API and the Kubernetes tooling,” Burns said.
ACS also lets you have hybrid clusters that use Windows Server and Linux side by side. “In the ACS Engine, which is the open source core of ACS, we have hybrid clusters which have some Linux nodes and some Windows nodes. So, you can use service discovery and naming to build hybrid applications that use some components from Windows and some components from Linux.”
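The hybrid pattern Burns describes, a Windows workload and a Linux workload in one cluster finding each other through service naming, looks like this in Kubernetes manifests. This is an added example written against current Kubernetes API versions, not code from the article or from ACS Engine; the namespace, workload names, labels and the `kubernetes.io/os` node label (the successor of the older `beta.kubernetes.io/os` label) are assumptions about the cluster, and the container images are public ones chosen for illustration.

```yaml
# Added example (not from the article or from ACS Engine): a hybrid
# Linux/Windows application that relies on Kubernetes service discovery.
# Assumes a cluster with at least one Windows node and one Linux node,
# each carrying the standard kubernetes.io/os label; names are hypothetical.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: iis-web                   # hypothetical Windows component
  namespace: hybrid-demo          # hypothetical namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: iis-web
  template:
    metadata:
      labels:
        app: iis-web
    spec:
      nodeSelector:
        kubernetes.io/os: windows # schedule only onto Windows nodes
      containers:
      - name: iis
        image: mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2022
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: iis-web                   # cluster DNS name: iis-web.hybrid-demo.svc.cluster.local
  namespace: hybrid-demo
spec:
  selector:
    app: iis-web                  # routes to the Windows pods above
  ports:
  - port: 80
    targetPort: 80
---
# A Linux component that reaches the Windows service by name rather than by IP,
# so neither side needs to know which node or OS the other runs on.
apiVersion: v1
kind: Pod
metadata:
  name: linux-client              # hypothetical Linux component
  namespace: hybrid-demo
spec:
  nodeSelector:
    kubernetes.io/os: linux       # schedule only onto Linux nodes
  restartPolicy: Never
  containers:
  - name: curl
    image: curlimages/curl:8.5.0
    command: ["curl", "-sS", "-o", "/dev/null", "-w", "%{http_code}\n", "http://iis-web/"]
```

Apply the manifests with `kubectl apply -f` after creating the namespace, then `kubectl logs -n hybrid-demo linux-client` should show `200` once the IIS pod is ready. The only coupling between the two halves is the Service name, which is the point Burns makes about naming and service discovery carrying the hybrid application.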
Further down the line, ACS is likely to support Hyper-V containers as well: Docker containers that run in a very lightweight virtual machine based on Windows Nano Server for security and kernel isolation, but can otherwise be managed like any other container. That will need the nested virtualization that will be possible once Azure moves to running on Windows Server 2016, and that’s due to happen sometime in 2017. Burns called Hyper-V containers an exciting option with a lot of business uses.
“One of the last big open issues in containers is how do you get these things to be secure? Because everybody loves the deployment patterns and the utilization you can drive, but there are a lot of cases where you really want to make sure a malicious actor can’t escape from one application into another application, and I think Hyper-V containers are going to be the solution for that. So, having the ability to orchestrate those will be important,” Burns said.
Because Hyper-V containers are still Docker containers, and running a container as Hyper-V rather than as a Windows Server container is something you choose when you deploy it, “you can make a decision, on a case by case basis, which are the ones you need to secure and which are the ones you think are more trusted,” Burns noted.
The Azure Advantage
As is increasingly the case at Microsoft, the engineers working on ACS also work on the open source projects for the tools they’re integrating. That’s something Burns says customers value. “One of my engineers is the release manager for the next Kubernetes release; he’s going to do a lot of testing to make sure that upgrades work correctly, so when you go from one version of Kubernetes to the next version of Kubernetes it works. That’s not just going to benefit Azure users; that’s going to benefit the entire community.”
It’s also important that ACS integrates well with other Azure services, like the Azure Resource Manager (a team Burns also runs). He admits that’s challenging. “The APIs for orchestrators that we’re exposing in ACS are open source APIs so we don’t have as much control over the shape and feel of those as we do with traditional Azure APIs. ARM [Azure Resource Manager] makes some assumptions about what happens when you make an API call, in particular, it makes the assumption that you can always do the same call over and again and it will have the same effect; that every call is idempotent. Not all APIs do that and sometimes they expect certain paths.”
He’s hoping to find ways to bring that ARM model to some of the open source projects, starting with identity — which for Microsoft shops means Active Directory support. “Right now, when you authenticate to one of these clusters after you’ve created it, you use a different set of credentials than your Active Directory credentials. We want to make it so you can use your Active Directory credentials to authenticate to the cluster.”
Identity is going to be increasingly important for containers, and not just for ops who need to manage the lifecycle of ever-increasing numbers of containers. “Identity is an absolutely critical piece and not just for retirement and grouping; it’s also for communications. I want to be able to say this class of container can talk to this other class of container but nobody else can.”
Without that, the proliferation of identities will be just too hard to manage. “If every app has to have its own [identity system], then it’s not just one brand new one — it’s five or six or seven brand new ones. That’s a recipe for forgetting to remove somebody from a group after they leave the company.”
Container orchestration tools will need to mature to enable this, he noted. “They don’t have that notion of identity deeply baked in yet. That’s an area where we’re going to have to do a lot of work as we go forward, and with the upstream projects. This isn’t something Azure will do in a vacuum; it’s something we will do in conjunction with the open source communities, so that it works wherever people are running because Active Directory and Azure Active Directory are used all over.”
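The communications rule Burns wants, “this class of container can talk to this other class of container but nobody else can,” is something Kubernetes can express today for network traffic through NetworkPolicy objects. The following is an added example, not code from the article or from ACS; it uses the current `networking.k8s.io/v1` API rather than the beta API of the 2017 release the article covers, and the namespace, labels and port are hypothetical. It also assumes a network plugin that enforces NetworkPolicy; without one, the objects are accepted by the API server but have no effect.

```yaml
# Added example (not from the article): "frontend pods may talk to backend
# pods, nobody else may" as Kubernetes NetworkPolicy. Assumes a CNI plugin
# that enforces NetworkPolicy; namespace, labels and port are hypothetical.
#
# Policy 1: default-deny. Selecting every pod in the namespace and listing
# Ingress with no rules means no inbound traffic is allowed to any of them.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop                 # hypothetical namespace
spec:
  podSelector: {}                 # matches every pod in the namespace
  policyTypes:
  - Ingress
---
# Policy 2: allow-list. Policies are additive, so this opens exactly one path
# through the default-deny above: frontend -> backend on TCP 8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      tier: backend               # the pods being protected
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          tier: frontend          # only pods carrying this label, same namespace
    ports:
    - protocol: TCP
      port: 8080
```

After `kubectl apply -f`, a quick check is to `kubectl exec` into a pod labelled `tier: frontend` and one without the label and attempt a connection to a backend pod on port 8080; only the first should succeed. Note that this addresses the network half of what Burns describes: the “class” here is a pod label assigned at deployment time, not a directory identity, which is the gap he says the orchestrators still have to close.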
The immutable infrastructure containers provide is more reliable than the alternatives, but it’s also a big change for people who are used to logging into servers and running commands to install software. Containers might sound as if they’ve taken over the world, but Burns compared the state of the market to virtualization in 2002 or 2003:
“It’s not ‘those crazy kids out there, virtualizing things’ but it’s not fully embraced by everyone either. We’re still in the early days of adoption — but the wins are very real and the wins are there for both developers and ops. With virtualization, the wins were more on the ops side than on the development side, but with containers it’s a little bit more balanced. There are wins on both sides, so progress will be faster.”