In their recent report Container Adoption in the Enterprise, Forrester found that 86% of IT leaders are prioritizing increasing container usage for developer agility and improved collaboration between IT operations teams and developers. However, the report also states:
Companies using container management platforms struggle with compliance (meeting industry regulations and enforcing policies) and portability (building and deploying across multiple cloud environments).
Lets explore why Kubernetes configuration management can be perceived as complex and then discuss a Kubernetes native solution to address this complexity.
Containers simplify application management by providing common packaging and runtimes for apps, independently of their programming language or the architecture of the application. Kubernetes has quickly become the de-facto standard for managing containers, with wide adoption across public and private cloud environments.
A key principle of Kubernetes is declarative configuration management. In programming theory, there are two styles of programming languages: imperative and declarative. Imperative languages are ones where a programmer instructs the system exactly what to do next, and a program is a series of such instructions. Whereas in declarative programming, the programmer specifies the desired outcome and the system determines the best way to achieve the desired outcomes.
Similarly, system interfaces and configuring infrastructure and systems can follow either style. In an imperative interface the operator tells the system how to perform a task. With a declarative interface the operator tells the system what needs to be done, and the system determines the best way to perform the necessary tasks.
Kubernetes is declarative. Developers and operators specify the desired state and Kubernetes controllers will try and reconcile the current state with the desired state.
While the declarative nature of Kubernetes makes it very powerful, and provides self-healing capabilities, it also greatly increases the amount of configuration that has to be managed. To properly declare and control state, Kubernetes provides a lot of configuration knobs – and these will keep growing over time as new capabilities are added. Another challenge is determining whose responsibility is it to configure the right settings, for security, best practices, and standardization.
The solution to this challenge is to use policies to validate configurations for best practices and security compliance, and also automatically modify and generate additional configurations when needed.
Kyverno (which means “govern” in Greek) is a Kubernetes policy engine that runs as an admission controller and can validate, mutate, and generate any configuration data based on customizable policies. While other general purpose policy solutions were retrofitted to Kubernetes, the Nirmata team designed Kyverno for Kubernetes. Like Kubernetes, Kyverno adopts a declarative management paradigm. Kyverno policies are simply Kubernetes resources, and do not require learning a new language. Kyverno works well with other existing Kubernetes developer tools, like kubectl, Kustomize and Git.
If you are operating Kubernetes environments, check out Kyverno (https://kyverno.io) to help address Kubernetes complexity and easily enforce security and best practice policies across clusters and workloads.
From their research, Forrester concludes that companies are looking for container management solutions that are, “Secure, Reliable, And Easy To Use”. We believe that the Nirmata platform, which provides a cloud management plane and is integrated with Kyverno, is the most flexible, easy to use, and secure way to manage Kubernetes clusters and workloads across any public or private cloud.
You can try Nirmata for free at: https://try.nirmata.io.