Red Hat Advanced Cluster Manager Details
- 1. CONFIDENTIAL designator Advanced Cluster Management John Gammon Senior Account Solution Architect Aly Ibrahim Cloud App Dev Solutions Architect 1
- 2. CONFIDENTIAL designator 2 Lunch & Learn Agenda ● Advanced Cluster Management Presentation (~ 25 minutes) ○ Why Advanced Cluster Management? ○ Features of Advanced Cluster Management? ● Demo ---------------------------------------------------------------- (~30 minutes) ○ Cluster Lifecycle Management ○ Policy and Governance ○ Application Lifecycle Deployments John Gammon Senior Account Solution Architect Aly Ibrahim Cloud App Dev Solutions Architect
- 3. CONFIDENTIAL designator Why Advanced Cluster Management?
- 4. CONFIDENTIAL designator Educated Prediction of Future Conditions If we accept that enterprise kubernetes is going to grow,, what can we predict? Years 2 3 4 5 For Every 1000 Applications 1,000 1,000 1,000 1,000 % Containerized 20.00% 30.00% 40.00% 60.00% Containerized Apps 200 300 400 600 Number of Kubernetes Clusters (Dev/Test/Prod) 10 20 25 30 Sub-Total Containerized Apps 2,000 6,000 10,000 18,000 Concurrency Factor 1.40 1.40 1.40 1.40 Total Containerized Apps 2,800 8,400 14,000 25,200 Annual Frequency of Change Slow (1 per week) 145,600 436,800 728,000 1,310,400 Medium (2 per week) 291,200 873,600 1,456,000 2,620,800 Fast (daily) 1,022,000 3,066,000 5,110,000 9,198,000 Years 2 3 4 5 Volume of Daily Pipelines Slow (1 per week) 560 1,680 2,800 5,040 Medium (2 per week) 2,240 6,720 11,200 20,160 Fast (daily) 2,800 8,400 14,000 25,200 Let’s do the Math For Your Average Large Company Expected Pace of Change
- 6. CONFIDENTIAL designator Advanced Cluster Management to the Rescue RHACM Hub Red Hat Openshift Platform Pre & Post
- 7. CONFIDENTIAL designator Policies can be written by the security team and enforced at each cluster, allowing environments to conform to your policy. Ease compliance Red Hat OpenShift and Red Hat Advanced Cluster Management for Kubernetes Benefits 7 Placement rules can allow quick deployment of clusters across distributed locations for availability, capacity, and security reasons. Increase application availability Self-service provisioning allows app dev teams to request clusters directly from a catalog removing central IT as a bottleneck. Accelerate development to production Centralized management of clusters reduces operational cost, makes the environment consistent, and removes the need to manually manage individual clusters. Reduce costs Red Hat Advanced Cluster Management for Kubernetes
- 8. CONFIDENTIAL designator Advanced Cluster Management
- 9. CONFIDENTIAL designator Advanced Cluster Management for Kubernetes Red Hat Advanced Cluster Management 9 Hub Sizing Requirements OpenShift Node Role Availability Zones Data Stores Total reserved memory (lower bound) Total reserved CPU (lower bound) Master 3 etcd x 3 Per OpenShift sizing guidelines Per OpenShift sizing guidelines Worker 3 redisgraph/redis x 1 12Gi 6 CPU 2.0 *Observed usage consumes around 2 CPU steady state for 30+ clusters + About 20Gi of persistent storage
- 10. CONFIDENTIAL designator Availability Zone 1 Red Hat Advanced Cluster Management RHACM 2.x Fault Domains 10 Availability Zone 2 Availability Zone 3 openshift-etcd- 0 openshift-etcd- 1 openshift-etcd- 2 acm-ui pods (multiple services) acm-ui pods (multiple services) acm-api pods (multiple services) acm-api pods (multiple services) ● Fault domains spread pods across AZs via podAntiAffinity ● Stateful datastores require 3 replicas ● All Stateless UI & API services will be run with at least 2 replicas to support rolling updates and fault domain outages ● Thanos requires an S3 object store that can be run inside or outside the cluster ● Redis/RedisGraph provides an in-memory index for search; search data re-indexed in case of Pod or Node failure High Availability acm-redisgraph-0 Observability acm-observability API acm-thanos datastore S3-compatible Object Store acm-grafana acm-thanos memcached Observability acm-observability API acm-thanos datastore S3-compatible Object Store acm-grafana acm-thanos memcached Observability acm-observability API acm-thanos datastore S3-compatible Object Store acm-grafana acm-thanos memcached
- 11. 11 11 • Centrally create, update and delete Kubernetes clusters across multiple private and public clouds • Search, find and modify any kubernetes resource across the entire domain. • Quickly troubleshoot and resolve issues across your federated domain Unified Multi-Cluster Management Single Pane for all your Kubernetes Clusters
- 12. 12 12 ● Create, Upgrade and Destroy OCP clusters running on Bare-metal as well as public cloud ● Leverage Hive API for OCP cluster deployment ● Wizard or YAML based create cluster flow ● Launch to an OCP Console from ACM ● Access cluster login credentials and download kubeadmin configuration Creating & Importing Clusters Multi-Cluster Lifecycle Management IT Operations DevOps/SRE
- 13. OpenShift Compliance Operator: Declarative Security Compliance (As of 10/22) = Install, upgrade, reconcile, config Describe intent with declarative config Monitor, scale, troubleshoot, backup Summarize Observe ComplianceSuite Scan (results) 1 A compliance profile is selected 2 The operator runs the scan for the profile against nodes, collect results, and (optionally) performs remeditations 3 Accreditors or Auditors can examine the scan results for compliance status, After review, if desired, remediations can be manually applied by the cluster-admin. ComplianceCheckResult ComplianceRemediations Security and Compliance With 4.6, a limited set of RHCOS checks will be implemented. Additional compliance checks will be delivered roughly every 2 months. 13 For Each OpenShift Cluster
- 14. 14 14 Policy based Governance, Risk and Compliance • Centrally set & enforce policies for security, applications, & infrastructure • Quickly visualize detailed auditing on configuration of apps and clusters • Built-in CIS compliance policies and audit checks • Immediate visibility into your compliance posture based on your defined standards Don’t wait for your security team to tap you on the shoulder
- 15. 15 15 Policy based Governance, Risk and Compliance ● Standard Policies out of the box ○ FISMA ○ HIPAA ○ NIST ○ PCI ● Leverage Different Categories to Represent more standards (if Needed) ● Use Labels to enforce policies against clusters ● Use inform to view policy violations ● Use enforce to view violations and automatically remediate Don’t wait for your security team to tap you on the shoulder Security Ops IT Operations
- 16. 16 16 Advanced Application Lifecycle Management • Easily Deploy Applications at Scale • Deploy Applications from Multiple Sources • Quickly visualize application relationships across clusters and those that span clusters Simplify your Application Lifecycle
- 17. Application LifeCycle Management Advanced Cluster Manager
- 18. F18017-190601 RHACM Hub Managed Clusters 18 Integration Architecture Overview for Application Life Cycle Red Hat Openshift Platform RHACM Klusterlet Red Hat Openshift Platform Red Hat Ansible Automation Platform IT Systems Security Network Application CM APP A APP A Kubernetes resources Channel 1 2 3 4 2 Kubernetes Job 1 3 4 Managed Clusters install resources based on channel it subscribed ACM hub call Ansible Tower with Template Job ID define in Application Pre & Post Action Ansible Tower executes Job ACM hub receives feedback from Job execution and show all Kubernetes resources in topology including Ansible Job status Pre & Post +